Meeting of the Joint Subcommittee on Reliability and Probabilistic Risk Assessment - November 18, 1999

                       UNITED STATES OF AMERICA
                     NUCLEAR REGULATORY COMMISSION
               ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
                                  ***
                       MEETING:  RELIABILITY AND
                     PROBABILISTIC RISK ASSESSMENT
                                  ***
                        Conference Room 28-1
                        Two White Flint North
                        11545 Rockville Pike
                        Rockville, Maryland
                        Thursday, November 18, 1999
         The committee met, pursuant to notice, at 8:30 a.m.
     MEMBERS PRESENT:
         GEORGE APOSTOLAKIS, ACRS, Chairman
         DANA A. POWERS, Member, ACRS
         THOMAS S. KRESS, Member, ACRS
         JOHN J. BARTON, Member, ACRS
         JOHN D. SIEBER, Member, ACRS
         MARIO V. BONACA, Member, ACRS
         ROBERT E. UHRIG, Member, ACRS
         ROBERT L. SEALE, Member, ACRS.                         P R O C E E D I N G S
                                                      [8:30 a.m.]
         DR. APOSTOLAKIS:  The meeting will come now to order.  Is
     this on?  Oh, it's only for you, oh.  Oh, this is an amplified.
         This is a meeting of the ACRS subcommittee on reliability
     and probabilistic risk assessment.  I am George Apostolakis, chairman of
     the subcommittee.  ACRS members in attendance are Mario Bonaca, Tom
     Kress, Dana Powers, Robert Seale, William Shack, Jack Sieber and Graham
     Wallis.
         The purpose of this meeting is to review the staff's
     proposed low-power and shutdown operations risk insights report and
     start plans to develop an associated commission paper on this matter. 
     The subcommittee will gather information, analyze the relevant issues
     and facts and formulate proposed positions and actions as appropriate
     for deliberation by the full committee.  Michael T. Markley is the
     cognizant ACRS staff engineer for this meeting.
         The rules for participation in today's meeting have been
     announced as part of the notice of this meeting previously published in
     the Federal Register on November 1, 1999.  A transcript of the meeting
     is being kept and will be made available as stated in the Federal
     Register notice.  It is requested that the speakers first identify
     themselves and speak with sufficient clarity and volume so that they can
     be readily heard.  We have received no written comments or requests for
     time to make oral statements from members of the public.
         We will now proceed with the meeting, and I call upon Mr.
     King and Mr. Cunningham and Ms. Lois to begin.
         MR. KING:  Let me say a couple of words before we get into
     the formal presentation.  My name is Tom King from the research staff,
     by the way.  You had received probably 10 days or 2 weeks ago a draft
     report on our low power and shutdown work.  That's really a report that
     represents work in progress.  The presentation today will take it a step
     beyond the draft that you saw as we try and settle in and come up with
     the recommendations that we ultimately want to give to the commission. 
     We owe the commission a report in December on what we've found out and
     where we think we ought to go in the research area on looking again at
     additional low power and shutdown risk work.
         We would like a letter from the committee in December. 
     We're prepared to come back to the full committee at your December
     meeting and talk some more about this subject, but we would like a
     letter representing the committee's thoughts on the proposed work and
     the insights that we gained over the past year or so.
         So with that, I'm going to ask Mark and Erasmia to get into
     the presentation.
         MR. CUNNINGHAM:  Good morning.  I'm Mark Cunningham from the
     research staff.  As Tom said, I'm going to introduce this work, and
     then, Erasmia Lois will be doing the bulk of the presentation.  We've
     got support here from two contractors in this area, Sandia and
     Brookhaven people to help out, and as you'll see, we've been involved in
     a fair amount of discussions with a number of people in the public,
     individual licensees and consulting engineering groups, and between
     Erasmia and our contractor staff, I think we can give you some ideas of
     what we're seeing out there in terms of what's being done and what are
     the issues in shutdown risk.
         In terms of the presentation today, we've got two main
     parts.  The bulk of the presentation will cover what was provided to you
     a week or so ago in the insights report.  That report has some
     observations based on our review of what's going on in the industry, but
     also, later in the presentation, we will talk about some potential
     research topics that come out of our review of what's going on.  We have
     a fairly broad list of research topics, probably more than we have money
     to do, and part of this discussion today, I think, we'd be interested in
     getting comments from the committee in terms of what they see of this
     relatively long list; first of all, do you think it's a complete list? 
     Are there issues that are missing?  And also, what would seem to be --
     in your minds, what would be the more important issues to tackle first? 
     So we're trying to get some sense of priorities from the committee as
     well.
         As Tom mentioned, we will be back at the full committee
     meeting, and then, we're addressing a letter on this subject.  One topic
     we're not planning to cover today is the work that's underway in terms
     of the development of the ANS standard on shutdown risk.  It might be
     appropriate at some point for you, the subcommittee or the full
     committee, to hear from ANS in terms of what they're doing in this area,
     but we are working closely with the ANS group as we develop this -- our
     recommendations and see how that meshes with the development of the
     standard.
         Mary Drouin would have been here today to help, actually, to
     do the talking that I'm doing, but she's out at an ANS standards meeting
     in California right now.
         DR. APOSTOLAKIS:  When will the ANS have a good first draft
     for us to review?  I mean, you don't have to be precise.
         MR. KING:  It's around June.
         MR. CUNNINGHAM:  Something like that.
         DR. APOSTOLAKIS:  June?
         MR. CUNNINGHAM:  Yes.
         MR. KING:  Let me just follow up on one thing Mark said: 
     the budget.  At one point, we had had a fairly significant budget
     identified over the next 2 to 3 fiscal years to do work in the low power
     and shutdown area.  That got cut back quite a bit over the past couple
     of years.  The current budget for FY 2000, the fiscal year we're in
     right now, is about $400,000.  I can't remember the exact number, but
     it's somewhere in that neighborhood.  Beyond that, there is no money in
     our budget for continuing work on low power and shutdown risk.
         I don't want that to constrain what we think ought to be
     done.  I'd like to come up with a list of things that we think, based on
     the work to date, would be reasonable followup actions; identify how we
     would use that information and go back to the commission and request
     that money be restored to our budget to deal with these items.  You
     know, part of that is making sure we have a good, solid pace as to what
     needs to be done and how it's going to be useful to the staff.
         DR. APOSTOLAKIS:  So there is no plan to continue this next
     fiscal year?
         MR. KING:  There is no money to continue this next fiscal
     year.  What I'd like to do is come up with a plan that will be solid
     enough that we can get some money.  So, I don't want to be constrained
     by saying, well, we don't have any budget next year; therefore, we can
     only recommend a couple of things to be done this year, and that's it. 
     I'd like to really come up with a plan that says, you know, put the
     money aside; this is what makes sense to do and then see if we can get
     the budget to do it.
         So, you know, I just want to mention that at the start, that
     where we stand in budget space doesn't support a whole lot of additional
     work, but let's try and figure out what makes sense to do and see where
     we can go from there.
         DR. APOSTOLAKIS:  Okay; so, the significance of the clouds
     there in the view graphs --
         [Laughter.]
         DR. LOIS:  It's symbolic.
         [Laughter.]
         DR. APOSTOLAKIS:  Can you find software that allows you to
     have smooth transition from light barriers to dark barriers?
         [Laughter.]
         DR. APOSTOLAKIS:  You have to do that part.
         MR. CUNNINGHAM:  The bulk of the presentation, what it is
     going to do is it's going to be related to the insights report.  Within
     that, the key topics with the last three or four on this slide
     basically, what have we seen in talking broadly to people here and
     abroad about -- what do they say about the significance of shutdown
     risk, and what is the overall risk?  What do we see about what's going
     on in terms of methods, tools that are being developed and why to manage
     this risk or to use it in a regulatory framework?
         Then, we go back and start to say, well, how, given these
     methods that are out there, how are they for our purposes, which is
     basically risk-informed decision making?  And we've got some conclusions
     and observations and recommendations.
         Again, just to remind the committee, go back to our Reg. GAP
     1.174 days, and the risk that's talked about there and evaluated there
     is the total risk of the plant, consistent with the previous policy of
     the agency and the safety policies, et cetera.  So we have a statement
     in the reg guide that we have to consider shutdown risk, but we are not
     very precise as to how that should be done.  One of the key goals of the
     research program here is what can we do to help fill that gap, if you
     will, or build a more concrete statement of guidance to make it easier
     or more appropriate to consider shutdown risk when we're using -- in
     license applications, we would use 1.174.
         We should also note, though, it's probably -- when we
     started out, we were thinking in the context of 1.174.  So over the last
     years, as we've gotten into risk-informed part 50, Reg. 50, as it's
     called, I think it brings other issues to the table that we need to
     think about in terms of the requirements of the shutdown risk.  We've
     seen presentations, I believe, on the proposed new 50.69 and Appendix T,
     which bring categorizations and risk information of categorization of
     SSCs and the risk information to much more of the forefront of our
     requirements, and that has implications on what type of shutdown risk
     analysis we can need to make decisions about it.
         So that's being brought in here in terms of recommendations. 
     I've got one more slide, and then, I will turn it over to Erasmia.
         Basically, the approach of this insights report was to go
     out and do a fair amount of information collection.  We've gone out and
     reviewed NRC and industry risk studies.  We've gone out and talked to
     licensees, consulting engineering groups to see what they're doing. 
     We've also interacted with national to find out what's going on in other
     places.  The last couple of slides in the presentation will be specific
     international activity that we're involved in through our research
     program.  One of the working groups that we have there is specifically
     concerned with shutdown risk.
         So all of this -- in addition, we had a public workshop
     awhile back, trying to get information on perceptions of shutdown risk
     and the issues they saw.  So we're taking all of this and trying to say,
     now, based on all of this information, what are our observations, and
     then, what do we see as research needs.
         With that, I'll turn it over to Erasmia to talk more about
     the specific program.
         DR. POWERS:  The question that comes to mind almost
     immediately is, well, why would you think that there is a big risk
     associated with low power and shutdown operations?  We may see that it
     may be the latest sandbox for the PRA practitioners to play in, but why
     wouldn't you just assume that the risk is small?  The plant is off; I
     mean, you let it decay for a little while before you do anything to the
     plant, you can get the decay energy down quite a bit.  Anything that
     does happen, you pretty much have the easiest opportunity to detect and
     to intervene in all of the material, in the issue, so why would you
     think there have been incidents that HP LaserJet Series
     II300HPLASEII.PRShere say 10 or 12 years ago, I think the common
     knowledge at the time would have been what you said.  There doesn't seem
     to be much of an issue of shutdown risk for all of the variety of
     reasons.  There have been a series of events not involving damage of the
     fuel but certainly losses of residual heat removal, decay heat removal,
     oiling in the core and that sort of thing that I think 7 or 8 or 10
     years ago first brought this to people's attention.  Some issues at
     Diablo Canyon; the French studies; the Votgle incident of -- whenever
     that was, a few years ago.
         I think that the reason that people now see the importance
     of shutdown risk comes from a couple of -- several factors.  One is in
     some portions of shutdown operations, the amount of water that you have
     over the core is relatively small.  Even though your decay heat is down,
     we can get situations such as mid-loop operations where you don't have a
     lot of water covering the core.  Coupled with that passage, you can be
     in situations where the amount of -- the number of pieces of equipment
     available to provide water is down to perhaps a minimum.  Certainly, a
     few years ago, this was the case for shutdown people; they were doing
     maintenance; they take pieces of equipment out of service.  So, you've
     got reduced redundancy.
         In some circumstances, you also have this happening with the
     containment, so you've given up some of your barriers.  In addition,
     you've got a lot of other things going on in the plant; a lot of people
     in there doing maintenance of things, so there is potential for
     inadvertent draindowns; inadvertent human actions that can compromise
     the core.
         So I think it's the recognition that all of those things are
     coupled together in some parts of shutdown operations that have led
     people to be more concerned about shutdown risk and have led to the
     results that you'll see in a little bit, which is a lot of people seeing
     a similar type of answer, which is shutdown risk is something we have to
     seriously consider.
         DR. POWERS:  I think with every incident you say -- if I
     were an argumentative type, which I'm not --
         [Laughter.]
         DR. POWERS:  -- I would cite as that same incident as an
     example of see how easy it is to recover from these events; how easy it
     is to detect what's going on; how easy it is to reconfigure things
     promptly and get the plant back to a safe situation when you've had a
     perturbation of it.
         MR. KING:  Let me add a couple of things.  You have more
     time when you're in a shutdown condition, when the heat is down, to
     respond to whatever happens.  That's true.  But the thing that -- when
     we had the workshop, we had utilities come in and tell us that they were
     worried about some of the shutdown states, not the whole shutdown period
     but certain things that they do in that shutdown period worried them
     enough in South Texas -- who is the one that said this -- that what they
     do is they don't do anything else in the plant.  They make sure that
     they have dedicated people monitoring inventory, monitoring residual
     heat removal when they're in certain shutdown configurations, because
     they know that the risk is fairly high from the analysis they have done.
         They know -- again, they have response time, but it's not
     like days to respond.  They may have, you know, an hour to respond, and
     they don't want to let that time slip by if something would happen.  So,
     they manage to, in certain situations, because they think they are
     risky.
         The other thing that worries me a little bit is, as the
     utility industry goes into restructuring, the competition becomes more
     and more aggressive; the shutdown periods are going to be compressed
     just for economic reasons, and therefore, the advantage you buy by
     letting the decay heat drop off before you do -- the utility may not
     take advantage of that as much as they do -- they have in the past.
         DR. KRESS:  Let me ask you about that decay heat, given your
     increased response time.  I haven't looked at the decay heat curve in
     awhile, but I recall that over the time frames we're talking about for
     shutdown, your decay heat might decrease by a factor of a third.  I'm
     not sure if that's right, because I haven't looked at it in a long time. 
     That doesn't sound like a big improvement in time for, you know, for
     things to boil off and for the heat-ups.
         And so, I'm not sure you gain a lot of time over the time
     frames you're talking about for shutdown.  Is my recollection right on
     that, or do I have to go back and look at the curve?
         MR. KING:  As I recall at the workshop, what the utilities
     say was about the first 100 hours or so after shutdown is really where
     they have enough decay heat that they don't have a whole lot of response
     time, and that's the time period we're worried about.  Once you get
     beyond that, and they get a little more comfortable in having enough
     time to respond; again, I don't have the decay heat; I don't remember
     exactly either.  We can get that information for you.
         DR. KRESS:  Yes; well, it's been policies have looked at
     decay heat, and I'm not sure.
         MR. KING:  Dana, if you wanted some specifics, we could talk
     to some specific events that have occurred at shutdown if you wanted to.
         DR. POWERS:  Well, I guess maybe I could go through the
     litany of shutdown events fairly easily.  But I think in the United
     States and maybe in some of those abroad, but I still think I stand on
     my argument that I can just as easily cite these events as proof that
     we've got a handle on this, our shutdown risk, as you can cite it saying
     there should be more, because in every case, a successful outcome --
     everything was done fairly easily.
         DR. APOSTOLAKIS:  I think there is another issue here that
     perhaps changes your argument.  I noticed in the report, and I think the
     understanding here is that when we say risk from low-power shutdown
     operations, we're talking about core damage primarily, it seems to me
     that we cannot ignore the fact that the agency now has the new oversight
     process with the cornerstones, and the agency has said very explicitly
     that they worry about initiating events; they worry about the integrity
     of their mitigating systems and so on.
         So, the question I'm raising is whether we should be using
     those metrics to decide whether low-power shutdown operations are
     important rather than core damage frequency, and if I look at those,
     then, I think Dana's argument is not as strong because there have been
     initiating events.  We have lost water during those operations, right? 
     We recover from it, but the agency has said very clearly that the number
     of initiating events should be less than X, so if you have states who
     are -- you actually have initiating events, you certainly worry about
     them.  This is a defense and depth issue at the highest level, the
     structuralist approach.
         And I noticed in the report that you guys wanted to take
     back that the comparison, the comparisons are always at the core damage
     frequency, and I'm not sure that's a good thing to do anymore.
         DR. LOIS:  But even on the basis of core damage frequency, I
     guess if you look at the numbers, they are pretty comparable, and then,
     I guess the argument such as we had an initiating event, therefore we --
     but we managed it could be used also for full power.  And from a PRA
     perspective, on an hourly basis, studies show that CDF is sometimes even
     higher than at full power; that that has been demonstrated from, you
     know, almost every study.
         In addition to I'd like to kindly remind the committee that
     the staff has never thought that low-power shutdown is insignificant. 
     You remember the low-power shutdown rulemaking activities, et cetera, et
     cetera; the fact that we don't have a rule doesn't mean that we have
     considered the shutdown risk as insignificant.
         DR. APOSTOLAKIS:  I don't disagree with you, Erasmia, but
     all I'm saying is that with the new situation now, where one part of the
     agency is really relying on the cornerstones to do something that is
     extremely important, namely, to risk-inform the oversight process, it
     seems to me that it would strengthen your argument if you involved that
     one.
         DR. LOIS:  As a matter of fact, it's one of our
     recommendations here.  When I get to recommendations, you'll see that
     one of the things that we consider, since the industry has been using as
     a risk metric boiling frequency or time to boil, et cetera, we are
     thinking that probably we should look into that as one aspect.
         DR. SEALE:  May I raise another slant, if you will, on this
     question, and that is as we realize the pressures to compress out each
     times and so on, there will be greater consideration of situations in
     which you will take systems out of service; you will do maintenance when
     you're in a less than full protection systems arrangement.  The only way
     that that can be done with integrity is to be able to make a realistic
     assessment as to the safety insignificance of the systems that you've
     taken out of service under those circumstances, and you can't do that
     unless you consider the configuration of the plant in which that takes
     place, which is, in this case, the shutdown mode.
         So it's just the integrity of the process of identifying the
     safety significant and the non-safety significant systems that requires
     a reasonable assessment of the shutdown risk.
         DR. BONACA:  I'd like to also point out one thing.  I know
     the comparisons that we see in the report that was given to us; they're
     comparing the CBF alert; there is no discussion of uncertainties, and I
     do believe that certain risks for low-power and shutdown are much higher
     because I think that the actions that are dominated by other actions and
     by the fact that many of these activities, for example, are -- at times,
     there are surprises for the operator, because they are one of a kind
     activities.  They are not repeat activities that you perform at the
     time.
         For example, you can remember the -- the reason the
     generator is switching off and going out; and what is actually by
     design.  And I just wonder if, you know, we could discuss a little bit
     the insights that we have on the issue of uncertainties, because that
     uncertainty alone for me on the various things and trying to understand
     better what the risk really is.
         DR. APOSTOLAKIS:  Now, this is a very interesting
     observation, because the way we handle uncertainty is through defense
     and depths.  We are weakening defense in depth at the low-power and
     shutdown modes, and yet, we have higher uncertainty.  Now, that's
     something we should not like, don't you think?  We are affecting at
     least one of the cornerstones of the --
         DR. KRESS:  You would think those are the wrong directions.
         DR. APOSTOLAKIS:  Yes.
         DR. KRESS:  But we still haven't defined how much difference
     in depth we need for a given amount of uncertainty.
         DR. APOSTOLAKIS:  No, but if I take as a point of departure
     the power operations, and I say, well, since we operate that way, then,
     maybe that's sufficient defense in depth for this kind of uncertainty. 
     Now, I'm moving into a situation where the uncertainties increase, and
     some of my cornerstones are suffering.  So that doesn't look like a good
     way to go.
         DR. KRESS:  No; you have to keep in mind that uncertainties
     also have to be averaged over time if you're going to --
         DR. APOSTOLAKIS:  Well, we will see over that.  The average
     in process is something that we will discuss.
         DR. KRESS:  Okay; but it does.
         DR. APOSTOLAKIS:  Today.
         DR. SHACK:  Well, it also comes up in the discussion that
     you've been beating for awhile that, you know, you introduce distortions
     by introducing conservatisms.
         DR. APOSTOLAKIS:  Sure.
         DR. SHACK:  And that's one of the conservatisms I've always
     heard about the low-power shutdown PRAs is that they're unduly
     conservative, and therefore, you may distort your picture.  Again, the
     specific question was -- I somehow recall something or other that the
     91.06 guidance was sort of ignored when we did the PRAs, because it
     wasn't mandatory.  You know, everybody seems to do it because it wasn't
     required by regulation.
         DR. LOIS:  Well, as I get into the presentation, you'll see
     that currently, the industry is involved in the defense in depth and
     PRAs at the same time, and they have the capability to literally model
     this specific outage, and I don't think that's the case -- you know,
     people may help me out here -- but in actuality, they start out with a
     defense in depth and then complement the insights through the specific
     --
         DR. SHACK:  That's how I was wondering if your PRA numbers,
     which purport to cite that the risk of low-power and shutdown, in fact,
     include the 91.06.
         DR. LOIS:  But it's -- what's happening is you're getting
     into an outage-based, and you evaluate it depending on the defense in
     depth on the --
         DR. SHACK:  That's the configuration management.
         DR. LOIS:  And the same configuration is being modeled
     through your period.
         Donnie, you want to --
         MR. WHITEHEAD:  This is Donnie Whitehead from Sandia
     National Laboratories.  To answer your question, the NRC studies that
     were conducted in the early nineties were conducted before -- or
     approximately at the same time -- as the issuance of 91.06, okay?  So
     therefore, they probably do not incorporate all of the activities that
     are carried out in 91.06.  However, they were, at the time, the current
     -- you know, the current industry practices.  The analyses that are
     conducted by the utilities currently do use 91.06 as a measure of
     defense in depth, and I would expect that the probabilistic analyses
     that are part of many of the configuration risk management practices
     would involve, you know, heavily depend upon the information that's
     available from 91.06.
         What we have here is something that has evolved over time
     and currently, if you're being able to perform a PRA, it would only be
     prudent to use the information that's available from 91.06.  So I think,
     you know, I think we've evolved over time, and I think at this point,
     you know, that information would be used.
         DR. BONACA:  One observation that I would like to make
     about, you know, defense in depth, when we have defense in depth and the
     operators that use them it's time; we have time.  There is time.  If you
     go to the operators, that's what you hear about shutdown:  we don't need
     to because we have time.  And the point I want to make is the one of
     time is being shortened more and more, but we see averages which are so
     accelerated that, you know, by definition, there is an erosion of
     defense in depth.  I don't have to define another, you know, proportion
     of the specific components, but the time element, which is the one
     always invoked by the operators as available and power, you know, you
     don't have it when you have a shutdown is being eroded.
         And again, I don't know how much that drives uncertainty. 
     To me, that drives it a lot, because you begin to not understand how
     things will function or not function, and I think that's an area that I
     would like to see.  I don't think much work has been done there to
     understand it, or if I can see it in the draft new reg.
         MR. KING:  And I agree.  The mindset is we've got time, and
     now, they don't have time.  Things may not happen as rapidly as they
     should.
         DR. BONACA:  It matters if they have 40 or 50 days to 20
     days, 17 days.
         DR. APOSTOLAKIS:  Yes, but this is because they are doing
     fewer things, so it is not clear to me that that really affects this
     construct.
         DR. BONACA:  Yes, but then, you get down to the point where
     you have critical path, okay, where you can't compress anymore.  You
     see, before, you could come down and eliminate work and easily compress
     the time.  Then, you get to the point where you have essentially
     compressed time that you cannot compress any further.  And now, you have
     such a pressure on the operators.  Now, to introduce anything else there
     that, you know, now, I am voicing this because as part of the interview
     process, we have been interviewing some people in the industry.  That
     has been raised to me by two people.
         MR. KING:  It's not only reduced time; it's reduced staffs. 
     You look at what's happening as deregulation takes place; it's a lot of
     staff reductions.  In the UK, they just put out a licensing condition
     for their plants to stop the erosion of staffing on their nuclear
     plants.  They now -- any additional staffing or staffing changes have to
     be approved by the regulator, okay, because they were concerned that the
     staffing levels, not only the staffing levels were low but the people
     who were there on the staff didn't have proper training; were not
     familiar with the plant; they may be coming from another plant.  They
     weren't familiar with the responsibilities.
         So it's not only quantity; it's quality as well.  And
     there's that similar concern that that may be valid in this country.
         DR. POWERS:  Suppose that things are very hazardous during
     shutdown operations, such that the CDF for a given plant doubled; you
     calculate the CDF for operations, and it's 2 x 10-5, and when you
     include the shutdown operating modes, it's very hazardous, it doubles it
     to 4 x 10-5.  Does that change anything?
         MR. CUNNINGHAM:  I think that at least one implication it
     has is that if your people are trying to decide where best to perform
     maintenance of equipment, they make decisions to what -- is it better do
     it at shutdown, or is it better to do it at power that the insight that
     you could have isn't so much that it's doubled as it's equal, and so,
     you may find that it's better to, in terms of optimize or better
     prioritize your maintenance activities to switch it around and do it
     during different parts of -- during parts of the year, if you will.  So
     that's at least one thing to have real implications for --
         DR. SEALE:  Along those lines, it would be interesting to
     take a traditional 60-day outage; list all of the things that are done
     by way of maintenance and so forth during the outage and then take a
     current 25-day outage and look at which items were moved over into the
     online maintenance category and which ones were retained in the shutdown
     maintenance area.
         I have a suspicion that the hairy ones were the ones that
     were left in the shutdown mode, and the easy ones were the ones that
     were done in the online mode, and so, it's not just a question of the
     change in the time that's involved.  I think if you looked at it
     carefully, you'd see that the things that are left are the most likely
     big risk items.  It's a suspicion.
         DR. APOSTOLAKIS:  One last question, and I will let you go
     on.  Low-power shutdown are modes 4, 5, 6?
         DR. LOIS:  I guess 5 is the core shutdown, and 6 is the --
         DR. APOSTOLAKIS:  So why don't we let Erasmia go on with one
     more slide, and then, we will interrupt her again?
         [Laughter.]
         DR. LOIS:  I'm counting on that.  I know that you are going
     to talk amongst yourselves, and I guess the objectives here are the
     objectives of our visits and information gathering activities, and they
     are to collect information regarding the significance of low-power
     shutdown risk and what methods and tools are out there to assess it and
     then evaluate the information with respect to its usefulness for
     incorporating the risk, low-power shutdown risk into regulatory decision
     making, risk-informed regulatory decision making.
         On a high level, I guess we kind of covered that.  We even
     today, we see potentially important events, operational events, reports. 
     We have cited a few of them.  We see events in 1998, 1999, et cetera. 
     The risks are comparable, and they characterize the most risk-dominant
     plants operational states are those that have high -- the plant has
     still high -- and the reduced inventory.
         The risk contributors tend to be plant-specific, and looking
     at this, it appears that it is just plant outages and refueling outages
     may not be the only risk-significant outages.
         A little bit more detail regarding operational events.  Loss
     of outside power; loss of coolant; loss of -- what is it -- and shutdown
     cooling are the events that we see happening across plants.  Causes,
     again, tend to be plant-specific, and it appears that the biggest
     contributor is human error and procedural problems.  That's from my
     operational event point of view.
         DR. POWERS:  Still, you have these events that occur, but
     what is used to detect -- the recovery is fairly easier to occur.  I
     mean, why do they defend risk-important if they're so easy to detect? 
     It was the great quote, I think, after the River Bend event, well, it
     was just a little steam bed generator.  And it's because of that, you
     can see them easily, and you see something is wrong and correct it very
     quickly.  How come they become risk-significant?
         DR. LOIS:  I guess the -- I will let people help me out
     here.  The risk-significance comes when evaluating the event and the
     potential that if it's not detected in time, what it could have involved
     like any other initiating event.
         DR. POWERS:  It seems to me that the reason these things
     become risk-significant is because you don't give any credit for the
     heroic action in the PRA or unproceduralized actions in the PRI.
         MR. KING:  Let me ask Warren to give you a couple of
     specifics.
         DR. LOIS:  Yes; I guess here with the --
         MR. LYON:  We had an event some time ago at Hope Creek in
     which no one recognized at the time that they had a mode change.  It
     took them about two to three weeks before they really determined that
     they had had a mode change.  We had another event at Oyster Creek a few
     years before that where they went for -- as I recall -- over a day
     before they realized that they had an overtemperature issue.
         DR. POWERS:  I just take those, and they bolster my point,
     is that it if it went for two weeks, and it didn't amount to a darn
     thing.  Nothing happened.  They didn't know they had a mode change for
     two weeks, and it didn't make any difference.  Similarly, they have an
     overheating condition; it went on for a day, and they didn't recognize
     it.  It still made no difference.
         MR. LYON:  You are correct in your assessment in my two
     examples that those weren't overly risk-significant.  Let me go back for
     a moment to the one that really opened our eyes.  When I go through
     this, I want it understood that in my judgment, this would not apply
     today, but I am referring to the Diablo Canyon event, where as it
     unfolded, I afterwards calculated it would have taken about two days
     when everyone could have essentially walked away and done nothing before
     the core uncovered.
         However, had the event initiated about a half an hour later,
     in my judgment, we would have had core uncovery in about an hour and a
     half, and in my judgment, there was a very high probability that it
     would have progressed to core damage with the containment open and no
     on-site ability at that point to get the containment closed.  So that
     was a real eye-opener to us.
         DR. SEALE:  It strikes me that when we look at events, we're
     not only able but willing to identify personnel errors as contributors
     to the initiation.  When we look at recovery actions, we seem to lose
     sight of the important roles of individuals, the heroes, if you will,
     who knew the system well enough and understood the processes well enough
     to take the unproceduralized steps necessary to terminate the event.
         What we're talking about here is a climate in which more and
     more of those heroes are going to be fishing, because they're going to
     be retired, and the crew is going to be smaller and so on.  So, I guess
     when heroic intervention is a part of the response that keeps the plant
     safe, we ought to recognize that that's not necessarily a given.
         DR. APOSTOLAKIS:  Even if it were, I wouldn't want to rely
     on that.
         DR. SEALE:  That's what I mean.
         DR. APOSTOLAKIS:  Okay.
         DR. LOIS:  Another point I want to make is although we're
     talking about risk-significance here, the perspective is risk-informed
     regulation, and therefore, what we're looking at here is if licensees
     come in, and they would like to change the design basis on the basis of
     risk-significance, then, we have to have an analysis of the risk and a
     good comprehension of what's involved, and it's a little bit different,
     slightly different idea why you care about low-power shutdown, because
     you can take -- you can manage it.
         DR. APOSTOLAKIS:  If I consider the five cornerstones, those
     were initiating events, mitigating systems, pressure boundary and
     emergency preparedness, four, is it fair to say that at low-power and
     shutdown, the first three are compromised to some extent?
         DR. LOIS:  That's what the studies show.
         DR. APOSTOLAKIS:  Now, emergency preparedness probably is
     not affected.
         DR. KRESS:  It probably shouldn't be a cornerstone.
         DR. APOSTOLAKIS:  What?
         DR. KRESS:  It probably shouldn't be a cornerstone anyway.
         DR. APOSTOLAKIS:  But I'm thinking now what they're using. 
     So the pressure boundary is compromised in what way?  Sometimes --
         MR. CUNNINGHAM:  Again, you can be in a situation where the
     head is off.
         DR. APOSTOLAKIS:  The head is off and the containment is
     off.  The mitigating system is compromised?
         DR. SIEBER:  You can take a whole division out.
         DR. APOSTOLAKIS:  You can take a whole division out.
         Initiating events, we've seen many of those, so clearly,
     something is going on here.  So here is a situation, without going into
     details, where three out of the four cornerstones -- and according to
     Dr. Kress, the fourth one shouldn't even be a cornerstone -- one way or
     another are compromised.  So it seems to me it is an important problem. 
     I mean, we can't say in one place that this is important and another
     place no, because of heroic actions.
         DR. LOIS:  In fact, in South Texas, when they get in the
     middle of it, they have now -- Donnie, you can describe it better --
     they have this alertness going on all over the place.  They have signs;
     they have sirens, and everybody knows what is this idea.
         DR. APOSTOLAKIS:  That is a cost-cutting idea of human
     awareness, I guess.
         DR. LOIS:  In addition to -- in San Onofre, they take the
     CDF estimates as part of their bonuses.  If they thought that low-power
     shutdown is not an important part of it, they wouldn't include it, so I
     don't know if it has a full-blown, very detailed PRA.  So there is no
     one in the industry who would argue that low-power shutdown risk is
     insignificant.
         DR. APOSTOLAKIS:  Is it fair also to say that if they look
     at the number of initiating events over the last 10 or 15 years, most of
     them have occurred during those modes?  Except for normal transience.  I
     mean, I looked at the ATHEANA report, the ATHEANA report a year or so
     ago -- more than a year or so -- looking at the events that have
     occurred.  Most of them were low-power shutdown, weren't they?
         MR. CUNNINGHAM:  They were looking at them in a certain
     context, in a context for errors of commission.
         DR. APOSTOLAKIS:  Well, you remember well.
         MR. CUNNINGHAM:  In that sense.
         DR. APOSTOLAKIS:  In that sense, yes.
         DR. SEALE:  Several years ago, Jack Rosenthal made a
     presentation where he used the convening of an AIT as the criterion for
     significant events, and about half of the cases where AITs were convened
     involved shutdown configurations.
         DR. APOSTOLAKIS:  I don't think the criterion here should be
     the actual number that people estimate and make a decision whether to
     investigate further based on the magnitude of the number.  The fact that
     three of my most important cornerstones are compromised is sufficient
     enough reason for me to try to understand it.  I don't care what the
     numbers are.
         MR. KING:  That is, in effect, what we are doing is to try
     to understand it better to see what else needs to be done.
         DR. APOSTOLAKIS:  If anything.
         Erasmia, what else do you have to say?
         DR. LOIS:  I guess this bullet here, that some studies
     indicate that sometimes, bringing the plant, shutting down the plant for
     maintenance may not be less risky than keeping it online for performing
     maintenance in case that you lose some safety systems, et cetera; that's
     the bullet that we have uncovered.  And then, regarding the effect of
     radioactive releases, the NRC studies covered it somehow, and they came
     up to be significant, as significant as from full power, however,
     primarily, people are doing just level one analysis.  They haven't done
     a lot of level two.
         The Seabrook study had kind of inconclusive results. 
     However, one thing that comes up all the time is that the containment
     status is important.
         DR. APOSTOLAKIS:  Now, why do you claim that LERF and early
     fatalities may not be appropriate risk measures?
         DR. LOIS:  I will let Dr. John Leonard to respond to that. 
     Oh, okay.
         MR. CUNNINGHAM:  If we go back to the discussions that we
     had at the time of Reg 1174 development, what we're trying to sort out
     is what does LERF mean when you were -- you could potentially have the
     containment open.  LERF was derived, anyway, from the context of
     full-power operations, where you have an energetic pressurization for
     the containment and the potential for, if you will, structural failure
     of the containment.  How do you apply that to a situation where the
     pressure boundary may not be quite there?  I think one of the key issues
     there is do you need to rethink the definition of something for shutdown
     conditions?
         DR. APOSTOLAKIS:  Well, could it be similar to the V
     sequence there, where you bypass it?
         MR. CUNNINGHAM:  Well, again, that is involving a -- the
     circumstances are somewhat different in the sense that one, you've got a
     structural failure of the pressure boundary in the V sequences.  It's
     the valves --
         DR. APOSTOLAKIS:  Yes.
         MR. CUNNINGHAM:  -- rather than the structure itself.
         DR. APOSTOLAKIS:  Yes.
         MR. CUNNINGHAM:  But you've also got a lot of energy behind
     that, and again, in shutdown conditions, you may not quite have the
     highly disruptive forces.
         DR. WALLIS:  What is the boundary?  If you've got the
     release from containment, it doesn't really matter whether it is because
     it failed or was left open.
         MR. KING:  It does.
         DR. WALLIS:  Why?
         MR. KING:  Because the timing is different and the mix of --
         DR. WALLIS:  You're still releasing.
         DR. APOSTOLAKIS:  Yes, but is it early?  That's what you
     were questioning?
         MR. CUNNINGHAM:  It's the early aspect of it is an important
     consideration.
         DR. APOSTOLAKIS:  And why wouldn't it be early here?  I
     mean, there is no containment.
         DR. WALLIS:  Early compared with what?
         DR. APOSTOLAKIS:  Well, the definition is within 3 hours
     afterwards.
         DR. WALLIS:  Of what?
         DR. APOSTOLAKIS:  Of core damage.
         MR. CUNNINGHAM:  Core damage.
         DR. WALLIS:  Well, it's pretty damn early if the containment
     is open.
         MR. CUNNINGHAM:  The LERF definition is by and large a
     definition related to the magnitude of the source term release and the
     timing of that release fairly quickly.  The circumstances of the
     shutdown condition in terms of the combination of those effects are
     going to be different.  You might have the containment open, but you
     might not have the release occurring -- the magnitude of the release may
     be a somewhat different -- the characteristic of that release is
     somewhat different.
         DR. APOSTOLAKIS:  So it's the large that you're attacking.
         MR. CUNNINGHAM:  Maybe it's the large.
         DR. WALLIS:  I've been told many times that it doesn't
     matter how large it is, because it's large enough.
         MR. CUNNINGHAM:  The large early release definition was also
     tied into the ability to evacuate people before they are exposed.
         DR. APOSTOLAKIS:  Right.
         MR. CUNNINGHAM:  Again, the accidents you're getting here
     are different in those types of characteristics.  So you might -- it
     just, strictly speaking, that LERF definition that we came up with isn't
     really right for these circumstances, and what we're thinking is we need
     to come up with some better surrogate to be the equivalent of it.
         DR. APOSTOLAKIS:  And that will be equivalent to or a
     surrogate for prompt fatalities again?
         MR. CUNNINGHAM:  It would be a surrogate for public risk, if
     you will.
         MR. KING:  That's one of the questions.
         Well, the LERF was tied to the early fatality QHO.
         DR. APOSTOLAKIS:  Right.
         MR. KING:  That's where it was derived from.
         DR. APOSTOLAKIS:  Right.
         MR. KING:  When you get into the shutdown condition, the
     timing is different; the mix of fission products is different.  Would it
     be more appropriate to tie it to the late fatality QHO?  Because maybe
     you don't have enough release to get an early fatality, given that
     there's still emergency planning.
         So that's the question.  I don't have an answer for this,
     but those are the things that we're kicking around.
         DR. KRESS:  I think those are good questions.
         DR. APOSTOLAKIS:  Yes.
         DR. KRESS:  And I think they're legitimate.  But it seems to
     me like the fraction of time that the containment is open during low
     power and shutdown is the time when you have a LERF.  I mean, you use
     that fraction -- conditional containment failure probability is one
     during that period, and your CDF is whatever the CDF is.  So it's that
     fraction of the time that translates into a LERF.  Since it's standard
     here, you could use that fraction.  And you could probably assume things
     like the early fatalities probably just as equivalent to what they would
     be at low-power -- I mean at full power.
         The driving force is about the same, and the mix of fission
     products and the biological effectiveness, it doesn't change that much
     over the time period.
         DR. APOSTOLAKIS:  So what is your conclusion?
         DR. KRESS:  My conclusion is that you could almost use a
     LERF that's pretty much like the one you have now, using the fraction of
     time that the containment is open as your measure of when it's a large
     early release.
         MR. KING:  What you're saying is you've got to have CDF 10-5
     or lower when the containment is open.
         DR. KRESS:  That's what I'm saying, yes, exactly.
         DR. LEHNER:  Could I comment on that, just if I may?  John
     Lehner from Brookhaven National Laboratory.
         As Tom King was saying, I mean, the other issue is that
     LERF, the way it's define or sort of implied for full power involved
     prompt fatalities, and even though the containment may be open, later on
     in the shutdown accident, you're volatile to let the -- off so you're
     probably -- the standard calculations won't show you a prompt fatality,
     but you will still get latent cancers, so that's why that measure may be
     more relevant than the LERF measurement.
         DR. KRESS:  Well, you have a point there, but I think you
     have to think about our ingression accidents, too, at full power.
         DR. LEHNER:  What the composition of a -- certainly --
         DR. KRESS:  It's still up for grabs.
         DR. LEHNER:  Exactly; that's very true.
         DR. APOSTOLAKIS:  So essentially what you're saying is that
     someone has to look into it.
         MR. KING:  Yes.
         DR. BONACA:  Before you just move on, the second to last
     bullet can be misinterpreted; even in the report, it somewhat can be
     misinterpreted.  It gives the impression -- I could read it as saying
     that I could do all of my maintenance at power because there is -- which
     is not the case, except in components for which doing maintenance at
     power is equal or even less than doing it in the shutdown condition, and
     that, although it is important, what I am saying is that it is a
     component base that in general --
         DR. LOIS:  It's a generalized statement, yes.
         DR. BONACA:  And the statements I see in the NUREG also have
     the kind of confusion in it.  I could interpret that, fine, from now on,
     I'll never shut down the plant except to refuel, and I'll do all my
     maintenance at power, and that's not really what message you want to
     give there, right?
         DR. LOIS:  Exactly; it would be on the specific case.  It
     just depends --
         DR. BONACA:  For some components --
         DR. LOIS:  For example, if you lost shutdown cooling --
         DR. BONACA:  Yes.
         DR. LOIS:  -- and you have -- you are asked by the technical
     specifications, you have to have the plant shut down while you don't
     have shutdown available, and this is a kind of a strange situation, and
     there are some technical specifications that we would have to look at.
         DR. BONACA:  I was reading it, and I would say in some
     cases, in fact, they're comparable and even higher at shutdown
     condition; therefore, it's recommended that you do it, in fact, at full
     power right away.  I just wanted to point out that I was a little bit
     confused about the statements in the NUREG, and maybe you ought to
     review them for that.
         DR. APOSTOLAKIS:  Bullet number four, human actions, it
     seems to me, again, based on the analysis that I have seen from various
     NUREGs and the incidents that have occurred that these human actions and
     associated uncertainties are different from the ones one normally deals
     with during power operations.  Essentially here, what we're talking
     about is this ability of people to create initiating events during the
     various activities that they are doing, and in one of your earlier view
     graphs, you said that -- you mentioned efficient procedures.
         I am not sure that the model like ATHEANA, as it is
     currently structured, can deal with these particular actions, because
     ATHEANA starts with a human failure event and then analyzes the context
     and so on.  ATHEANA does not look at normal operation and ask what can
     go wrong.  It says given that this is wrong, now, what is it that led? 
     Yes; it doesn't start with normal operations.  So, it does not ask, for
     example, how can we create an initiating event?
         MR. CUNNINGHAM:  Well, since we're going to talk about
     ATHEANA tomorrow, this may be a good topic for that.
         DR. APOSTOLAKIS:  I will raise it tomorrow, too.
         MR. CUNNINGHAM:  Okay.
         DR. APOSTOLAKIS:  But I think the human failure event is
     given to the ATHEANA analysts from the PRA, or they participate in the
     derivation.  They are dealing primarily with recovery actions.  The
     accident sequence, how can we recover from it?  So the various failures
     to recover, you know, they analyze well.
         Now, take Wolf Creek.  They were supposed to do certain
     things on Friday; postponed into Monday; they did notify other people. 
     Other work was going on at the same time.  Valves were opened
     independently.  All of a sudden, you have a flow path to the RWST. 
     That's not an event ATHEANA right now is structured to analyze, is it?
         MR. WHITEHEAD:  John Whitehead from Sandia labs.
         My understanding of the ATHEANA process is that's exactly
     what it's structured to identify.
         DR. APOSTOLAKIS:  No.
         MR. WHITEHEAD:  Now, I will admit to you that probably, the
     past events that have been examined by the ATHEANA process have been
     more on the order of responding to events that have already occurred,
     but the process, as laid out, is very beautifully structured to allow
     one to search for those kinds of conditions that would influence the
     operators to, you know, to perform a specific action.
         DR. APOSTOLAKIS:  No, no, I don't think so.
         MR. WHITEHEAD:  That's my interpretation of it.
         DR. APOSTOLAKIS:  I think the human failure event must be
     defined, and then, ATHEANA analyzes the ways it can get there.  And
     again, tomorrow, we can ask the experts.
         So, my point is, though, and I think Erasmia touched on this
     when she said the fission procedures, I would have expanded this, and I
     think what really matters here during shutdown, especially given all the
     things that you have mentioned:  smaller staff, pressure to do things in
     a shorter period of time, if there is anywhere where management and
     organizational factors would be important, it would be here.
         MR. CUNNINGHAM:  In fact, I wanted to point out --
         DR. APOSTOLAKIS:  It's here.
         MR. CUNNINGHAM:  Yes.
         DR. APOSTOLAKIS:  Not in ATHEANA.  In ATHEANA, there would
     be one of the many things that would contribute to the error-forcing
     context, but here, I think they play the dominant -- the dominant role,
     and you really don't know what you're going to get, you see?  ATHEANA is
     not looking blindly for things to go wrong.  The human failure event
     more or less has to be defined in the context of some recovery action.
         And I know that's true.  I mean, the four reviewers say
     that; the report says that; you start with the human failure event, and
     you're looking for unsafe actions.  Then, they become, you know, pretty
     loose.
         MR. CUNNINGHAM:  One of the reviewers.
         DR. APOSTOLAKIS:  Yes.
         MR. CUNNINGHAM:  I guess the question then becomes how
     they'd react to that in the ATHEANA.
         DR. APOSTOLAKIS:  ATHEANA does not look at normal operations
     and produce a number of things that can go wrong as a result of things
     that are happening during normal operations.  It doesn't do that.  It
     starts with an event risk.
         MR. CUNNINGHAM:  Normal operational.
         DR. APOSTOLAKIS:  Yes, so if you look at normal shutdown
     operations, ATHEANA will not look for things that can go wrong.  ATHEANA
     will say ah, they are losing water.  Now, we get in; you know.
         MR. CUNNINGHAM:  There is some initiating event.
         DR. APOSTOLAKIS:  Exactly.
         MR. CUNNINGHAM:  I understand the difference.
         DR. APOSTOLAKIS:  So that is the difference.
         DR. BONACA:  One observation I want to make on this issue
     was what's the purpose of tomorrow.  I know we have ATHEANA, but what is
     the presentation -- I believe that in this particular shutdown
     condition, that's where organizational effectiveness will break down, in
     the sense that there, you have even from the balance among departments,
     how operation is controlled, the outage, who is responsible, how people
     will work together.  All those elements --
         DR. APOSTOLAKIS:  Yes.
         DR. BONACA:  -- are dominant in these issues, because
     control, of course, is a fundamental issue.
         DR. APOSTOLAKIS:  That's right; control of work and the
     timing and interfaces and who does what.
         DR. BONACA:  And that's something that, you know, it
     occurred to me as I was reading your document, that it's clear to me now
     where different things --
         DR. LOIS:  That is feedback from the industry and the people
     that we are talking is that the issue of initiating event during a
     shutdown condition needs to be more closely examined.
         DR. APOSTOLAKIS:  Yes.
         DR. LOIS:  That's an area that we have to -- it doesn't have
     too -- but we should look into; also, the issue of procedures, where you
     guard into an initiating event.
         DR. APOSTOLAKIS:  All the work processes that take place
     there, that's where you look.  I mean, the Wolf Creek event essentially
     comes down to the fact that they did not notify some central office
     there that they had postponed that work from Friday to Monday.  So those
     guys would have told them look:  don't do it because, you know, these
     other guys are going to be doing something else on Monday morning. 
     That's all, and that's not something that's within ATHEANA right now --
     without putting down ATHEANA; don't misunderstand me.
         MR. CUNNINGHAM:  When we get back to the discussion on
     research, possible research topics --
         DR. LOIS:  Yes.
         MR. CUNNINGHAM:  -- we'll talk about HRA, and it's by no
     means, in our minds, constrained to analyzing this in the context of
     ATHEANA.  It's much more open in our mind.
         DR. APOSTOLAKIS:  Right.
         MR. CUNNINGHAM:  The issue of work processes; very
     legitimate as an issue in human reliability analysis.
         DR. APOSTOLAKIS:  No, but I think it's important, and I
     really want to get the ATHEANA developers' perspectives tomorrow as to
     what exactly ATHEANA can do, what classes of events ATHEANA treats and
     what other classes it does not treat, at least in its present form, and
     I don't -- my impression is, and it's not just an impression, is that
     you have to have something going on for ATHEANA to intervene and look at
     the possibly human actions and the forcing contexts and so on, okay?
         But how that something was created, I'm not sure ATHEANA is
     the right place.
         MR. CUNNINGHAM:  It's a topic for discussion with the
     committee at some point on the future of human reliability analysis.
         DR. APOSTOLAKIS:  Yes.
         MR. CUNNINGHAM:  And again, it's much broader than ATHEANA.
         DR. APOSTOLAKIS:  Right.
         MR. CUNNINGHAM:  It's what should we be doing, and that's
     somewhere, we ought to get into that discussion anyway.
         DR. APOSTOLAKIS:  Anyway, I thought that was a point, you
     know, because of the fourth bullet there worth mentioning.
         DR. LOIS:  Almost done.
         DR. APOSTOLAKIS:  You're on 10.
         DR. LOIS:  Regarding tools that are being used, our industry
     is using to evaluate low-power shutdown risk, primarily, they do what we
     call configuration risk management, and therefore, the objective is to
     determine and evaluate your next outage, and for that purpose, they use
     the NUMARC guidelines, and utilities that do have PRAs, they augment
     their insights with the PRA.
         Now, one thing that came across is that the industry feels
     comfortable with the NUMARC guidelines.  They think that they achieve
     the safety margins they need.  However, they do get important insights
     from doing -- by using their PRA.  Primarily, the PRA is helping them to
     optimize their schedule.  They can literally feed in different kinds of
     schedules in their software and come up with CDFs or time to boil,
     whatever, and then, they compare it, and they decide which way to go.
         DR. WALLIS:  How much does this bullet augment defense in
     depth?  You mean that you use PRA as your measure of your defense in
     depth, and then, you can tell if you've augmented it?  So the defense in
     depth is now being measured through PRA?
         DR. LOIS:  What I'm trying to say here is that your basis
     for configuration control management is your defense in depth, the
     NUMARC guidelines.
         DR. WALLIS:  And because that's such a vague thing, it's
     useful to have PRA so that you know the extent of that.
         DR. LOIS:  The PRA, then, once you've identified -- the
     defense in depth approach does not allow you to compare different kinds
     of schedules to figure out which one would be more optimal.  So with a
     PRA, you can do that.  You can say I'm going to have this system, this
     system, this system and play things around so that you can come up with
     an optimal configuration, which would be optimal from both safety and
     schedule perspective.  That capability is not in defense in depth, and I
     guess it's --
         MR. WHITEHEAD:  John Whitehead.  Let me add to that.  In one
     sense, what the use of PRA does is to allow you to identify varying
     degrees in defense in depth.  The defense in depth tools that they used
     will say okay, your defense in depth is marginal, or it's adequate or
     acceptable.  Calculating the results from the PRA will give you some
     idea of which configurations, you know, may be more marginal than
     another, because you might have three configurations, both of which show
     up in the defense in depth approach as marginal, but one of them is a
     better configuration to be in, and that's the kind of information that
     you get from the PRA tool, and that's what their -- you know, most of
     the utilities are using them for is to optimize and make sure that they,
     you know, have as much safety --
         DR. APOSTOLAKIS:  But which PRA are they using?  They don't
     have much of low-power PRAs.
         MR. WHITEHEAD:  Actually, they do.  There are various levels
     of PRA now.
         DR. APOSTOLAKIS:  For a few modes.
         DR. BONACA:  But what this is, really, a PRA measured
     defense in depth; what I mean is that they evaluate changes in core
     damage probability, okay, as a sensitivity to --
         DR. APOSTOLAKIS:  But only for mid-loop operations, for
     example.
         DR. BONACA:  Yes.
         DR. APOSTOLAKIS:  In the BWRs.  They don't have PRAs for all
     the modes.
         DR. BONACA:  That's right; so what you do is you do focus --
         DR. APOSTOLAKIS:  Yes.
         DR. BONACA:  -- ATHEANA on a very limited PRA.
         DR. APOSTOLAKIS:  Very limited.
         DR. BONACA:  What I'm saying is that the PRA, it is a very
     good tool to measure defense in depth if you look at variation and core
     damage probability.
         DR. APOSTOLAKIS:  Yes.
         DR. BONACA:  It's a different kind of defense in depth from,
     you know, two trains versus non train, but I think it's actually very
     effective to do that.
         MR. WHITEHEAD:  What we have to remember here is that these
     tools primarily are being used for outage management or outage planning,
     and so, yes, they are mostly limited to cold shutdown and refueling
     states, but those are the states that are currently being examined, and
     there's, you know, so it's appropriate that they concentrate on those
     areas.  As we'll probably discuss later, there is no reason why that
     couldn't be expanded to other areas, but for configuration risk
     management, since they're only interested in those areas, they only have
     to have a PRA for those specific areas.
         DR. LOIS:  In addition to -- my comprehension is that the
     defense in depth NUMARC guidelines cover only plant outages.  Am I
     wrong?  That's my understanding.  NUMARC guidelines don't cover every
     outage there is.
         DR. APOSTOLAKIS:  Which page?  Do you remember which page of
     NUMARC 91.06 they say that PRA is only a two -- is it from the title or
     --
         DR. WALLIS:  There was only a --
         [Laughter.]
         DR. LOIS:  I will jump in --
         DR. APOSTOLAKIS:  I noticed, though, I looked at all your
     view graphs.  You don't have any numbers anywhere, and I had a comment
     on the numbers.
         DR. LOIS:  That number is --
         DR. APOSTOLAKIS:  10-3 and, you know --
         DR. LOIS:  CDFs?
         DR. APOSTOLAKIS:  CDFs.
         DR. LOIS:  No, we don't.
         DR. APOSTOLAKIS:  You tell me when would be appropriate to
     make my comment.  You will?
         DR. LOIS:  Yes, I will.
         DR. APOSTOLAKIS:  Okay.
         DR. LOIS:  But right now, what do you want me to do?
         DR. APOSTOLAKIS:  After you sit down, right?
         [Laughter.]
         DR. POWERS:  Before we go on to this view graph, I've got a
     question I would propose.  Suppose I am a resident of Brown's Ferry, and
     they're about to enter into a nuclear outage, and they have -- and I
     feel an obligation to look over their shoulders to see if they're making
     a correct decision, and in particular, they've run around, and they've
     found there are two ways to do this, the operations they want to do. 
     One of them results in two orange categories, and the rest are all green
     in one setup.  The alternative is a red category, but everything else is
     green.
         And I call up my senior reactor analyst for Region IV --
     Region II --
         [Laughter.]
         DR. POWERS:  And I say, you know, clearly, the right way to
     make the decision between two oranges and all greens versus one red and
     all greens is based on risk, so I ask the senior reactor analyst for the
     region which one of these is the more risky outcome?  How does that
     senior reactor analyst make an answer, provide an answer to me?
         [Pause.]
         DR. WALLIS:  He uses different -- because he doesn't know
     how red red is.  It could be much bigger; therefore, he knows that the
     oranges aren't reds, so that would be the decision, avoid the red.
         DR. POWERS:  See, you would have to be asking it in -- and
     they're going to make a decision, but I'm -- my job in this world is to
     assure protection of the public health and safety, and so, I feel an
     obligation to be prepared to interrogate these fellows on the answer
     that they came up with.
         MR. CUNNINGHAM:  I suppose there are two things in there. 
     One is how many oranges or yellows equals a red, which is an issue when
     you -- the oversight process in general:  when does something become --
     a combination of events become so serious that you trip some sort of
     concern?  I can't answer that.  I'm not sure.  I know people are
     thinking about that, but I don't know what's been going on.
         DR. POWERS:  Well, I think the answer is this reactor
     analyst is no more help than the guy next door.
         MR. CUNNINGHAM:  A senior reactor analyst is presumably --
     is valuable because of the broader training that he's seen and the
     broader experience that he has.  He brings together, I guess, two
     things.  The NRSRAs, there are two things that happen.  One is they're
     more trained in PRA and that sort of thing, so that that adds something
     to it.  The other part of it is they're senior people, and they are
     brought into these positions not just because they know something about
     PRA but because of the quality of the perspective that they bring to it. 
     So in that sense, in a very general sense, I think that's what the SRA
     would bring to it.  Is he going to be able to do something very
     quantitative in that area?
         DR. BONACA:  It seems to me that the only way that the
     inspector could find out that information would be to go to the PRA
     person in the utility if they have a PRA that they are using, even if it
     is -- because in parallel to ORAM, often times, they have these limited
     models, and at least -- I don't think the staff can do that.  That's an
     issue we have raised:  how is the staff able to evaluate, and the answer
     is I don't think they are.
         DR. POWERS:  What we're saying is that in this area, and I
     picked Brown's Ferry for a reason; they do have shutdowns in their PRA,
     and the staff is being outgunned --
         DR. BONACA:  Yes.
         DR. POWERS:  -- by the licensees, and, in fact, the
     licensees are perfectly capable of snowing the staff by saying yes,
     we're going to make a decision between two oranges and a red; I can go
     to two oranges because we've done this PRA, and we're not going to show
     it to you, but we've done it, and we have a quantitative analysis.  See
     this?  We're going to go this way.
         There's literally nothing that the NRC can do to protect the
     public health and safety on that kind of a decision, because they're --
         DR. BONACA:  What I'd say that, you know, the -- typically,
     when you compare two configurations, the evaluation that the plant may
     present to you is transparent enough to show you when there is a
     dependency, when there isn't a dependency that often times, it's up to
     that point; okay, here, there is a dependency, and there, there is not. 
     So, I agree with you totally that the staff cannot do that, but I'm
     saying that it's hard to snow anyone, because if you ask a question, you
     know, the dependencies come out right away, and, you know, there has to
     be a reason why you have two yellows there and a red, and it typically
     has to do with those dependencies so --
         DR. SEALE:  It does seem to me rather interesting, though,
     and I'm not trying to get you more work, Mark, although it may sound
     like it -- that in an agency which is lauding its increased dedication
     to the use of risk-informed methods in making decisions that we have
     something like the evaluation process where the question of one red
     versus two yellows and so forth is being argued, as you say, but the
     people who are involved in the PRA process don't have the slightest idea
     of what those arguments are being based on.  I mean, if risk is going to
     mean anything, and you're going to use it, then, damn it, use it.
         MR. CUNNINGHAM:  Just to be clear, this individual PRA
     person is not particularly tied into that process.  There are other PRA
     people around the agency who are, who tend to be more in NRR.
         DR. SEALE:  I'd be interested to see what the risk basis is.
         DR. POWERS:  I agree.  I think what we're doing to our
     senior reactor analysts out in the field is criminal.  We are quickly
     getting them put into the position --
         DR. SEALE:  Hanging them out to dry.
         DR. POWERS:  -- where they are being asked to make judgments
     about actions by groups of people who just have superior technology,
     vastly superior technology to them.
         MR. KING:  One of the things that's on our plate to develop
     over the next couple of years are low-power and shutdown models for the
     ASP program that the senior reactor analyst could use to analyze
     situations.  They don't have tools today to do it.
         DR. POWERS:  They cannot.  They have no way to independently
     evaluate -- even things like -- which are pretty qualitative thing, and
     yes, I can sit down and write out the criteria, and ORAM, just based on
     what's on its Website.
         DR. SHACK:  But the fact is a senior reactor analyst doesn't
     have anything equivalent to it.
         DR. POWERS:  But then, you would have to always argue that
     he's got a PRA that's at least as good as anybody else's, and I just
     don't find that as a terribly practical matter.
         DR. SHACK:  I don't know why I would have to argue that.
         DR. POWERS:  Because again, if it came down to two PRAs,
     then, which one are you going to believe?  You believe the better one,
     you know, if you have to have a number to make the decision.
         DR. SHACK:  I guess I'm still not following something.  If
     the --
         DR. POWERS:  You're going to recompute the number that the
     licensee computed.  Well, if you get a different result than he does, it
     comes down to which, you know, which number is better, which model is
     better.
         DR. SHACK:  The other thing is most of the time --
         DR. POWERS:  No, I don't think it does.  I mean, I think
     very seldom do you have any decisions made based on the discrepancies
     between two numbers.
         DR. SHACK:  Well, it sounded to me like that's what you were
     arguing for it, that you wanted to have a number.
         DR. POWERS:  No; I think I want the capability to assure
     myself that the plans that the licensees are undertaking for a shutdown
     operation do, in fact, protect the public health and safety.  And I
     think it doesn't make any difference at all whether the number is 2 x
     10-4 or 3 x 10-4 in making that decision.  It's much more than that.
         DR. SHACK:  I don't agree with that.
         DR. SIEBER:  Right now, though, we're in an area of
     deterministic regulation.  If you look from the standpoint of a resident
     inspector, he is not going to prospectively tell the utility or the
     licensee how to run his plant.  He is not in the plant management
     business.  On the other hand, the utility is required to obey all of the
     technical specifications and commitments, and under a deterministic
     framework, that's sufficient to assure the protection of the public
     health and safety.
         When you move into probabilistic types of risk-informed
     regulation, that's when the NRC needs to be able to prospectively look
     at planned events to make sure that the regulations that are
     risk-informed actually apply and do minimize risk to the public.  So
     right now, whether you have a PRA or don't have one for shutdown risk
     from the legal standpoint doesn't make any difference.
         DR. APOSTOLAKIS:  Isn't it a fundamental question, though? 
     If you have a matrix that uses colors, and based on various combinations
     leads to certain actions on the part of the utility and on the part of
     the NRC that you would like to know what is the rationale --
         DR. SIEBER:  Right.
         DR. APOSTOLAKIS:  -- behind these colors and the
     combinations?
         DR. SIEBER:  Right.
         DR. APOSTOLAKIS:  I think that's what it comes down to.
         DR. SIEBER:  Right.
         DR. BONACA:  Well, the point that you were making before is,
     however, again these protections for the licensee would have an
     explanation of why you would get the yellow or the red, and most of the
     time, I believe the question is go through the licensee.  The
     explanation is pretty -- always engineering-wide.  I mean, he is going
     to pull it out of dependency to why this component cannot be removed by
     this time, because it will happen this other way, and I know resident
     inspectors ask those questions.  They go and ask barely those questions
     about, you know, why are you doing this rather than something else?  And
     so, there is that process that is taking place now.
         It doesn't mean that the NRC, in fact, has the capability to
     influence in any way or to perform any independent assessment.  Much is
     based on the experience of the resident inspector and the person you can
     ask.
         DR. POWERS:  The problem I'm forecasting is more and more, a
     licensee is going to be able to come back to the resident inspector with
     an answer that he's not capable of interpreting.
         DR. BONACA:  And that's possible, yes.
         DR. POWERS:  And he's going to come back and say that we've
     looked at it, and we've got a Delta CDF of 2 x 10-16 or something like
     that, and the guy is going to call up his senior reactor analyst and say
     does this seem reasonable to you?  And nobody is going to have the
     capability to answer that.
         DR. BONACA:  That is correct.
         DR. APOSTOLAKIS:  That is correct.
         Have we finished with this?  Are you done?
         DR. LOIS:  Yes.
         DR. APOSTOLAKIS:  For the record, Dr. Uhrig joined us a few
     minutes ago.
         Now, the next view graph, I think, will take some
     discussion, and I propose we break now and reconvene at 10:15.
         [Recess.]
         DR. APOSTOLAKIS:  Okay; Erasmia, you want to continue there?
         [Pause.]
         DR. LOIS:  Because we were talking about tools, I just
     thought that -- do you mind if I go into this slide?  Because I'm not
     going to cover anything else about tools from now on, so I'm just --
         DR. APOSTOLAKIS:  Well, the only thing on page 11 is this
     time average CDF and condition --
         DR. LOIS:  I'm not going -- I'm going to come to page 11
     after this.
         DR. APOSTOLAKIS:  Oh, okay, okay, sure.
         DR. LOIS:  I just wanted to talk about -- because the
     statement before was that the -- we do CRM, utilities do CRM mostly, and
     they have developed tools for both the defense in depth concept and for
     quantitative analysis, and these are the tools.  ORAM was developed
     specifically for outage management, and about 65 utilities have ORAM. 
     About 40 of them have the capability to do quantitative analysis.  Now,
     safety has evolved to shutdown configuration control management from
     full power configuration control management tools, and I guess about 12
     utilities have safety oriented -- about 6 or so EOS.  So the message
     here is that clients do expand themselves to incorporate PRA modeling
     for low-power and shutdown.
         DR. APOSTOLAKIS:  So most utilities, and 65 of them do not
     use PRA?
         DR. LOIS:  About 65 have ORAM.  ORAM has two modules:  the
     defense in depth, and it has its own PRA modeling.  It's not like --
         DR. APOSTOLAKIS:  Ah.
         DR. LOIS:  -- you use the full power.  You can model your
     outage by creating your fault trees, your system dependencies from
     scratch, and about 40 utilities have that capability.
         DR. APOSTOLAKIS:  Okay.
         DR. LOIS:  Now, some people have both.  San Onofre has ORAM
     and safety module.  South Texas does the same.  So there is an overlap
     there.  But I guess what's important here to get out is that utilities
     have more and more capability to do PRA analysis on low-power and
     shutdown, specifically plant outage, refueling outage.
         DR. SEALE:  Would you help me?  Does ORAM have in it, buried
     down in the details, an assessment of the risk significance of the
     individual SSCs?
         DR. LOIS:  I will allow --
         MR. WHITEHEAD:  Donnie Whitehead.
         Generally, the level of detail to which the ORAM PSSA models
     are developed to are to train level detail; that is, they would not have
     individual components in their failure for probabilities associated; it
     would just be a model of the system based upon trains and the
     dependencies amongst the trains.  So I'm not sure that they could --
     that ORAM could provide, you know, provide individual SSC importance.
         DR. SEALE:  Okay; thank you.
         DR. LOIS:  So now, and another point that I wanted to make
     was on the tools that ideally, these tools have capability to model any
     level of detail and, I guess, any type of plant operational state, but
     that's just depending on the resources people want to -- there are no
     constraints from the software perspective.
         Going back to insights we got for the significance of
     low-power shutdown risk, now, this is your time to ask the question why
     we don't have 10-3s here, I guess.
         DR. APOSTOLAKIS:  Well, the thing that -- and I think we've
     discussed this more than a year ago, people had been struggling with the
     comparison, how best to compare the core damage frequency during these
     modes of operation with power risk, which, of course, is expressed in
     terms of number of events per year, per reactor year.  So, you see
     things like, you know, what if the plant were at mode 5, say, throughout
     the year?  Then, the core damage frequency is this, and it's comparable
     to the power core damage frequency, and people are calling it
     instantaneous and so on.
         First of all, the word instantaneous is not appropriate. 
     They are all conditional core damage frequencies.  One is conditional on
     being at power; the other is conditional at being at mode X.  Seems to
     me the best way to compare these things is -- and they are all
     time-averaged, by the way -- the best way to compare is not on a
     per-hour basis or on a per-year basis.  The best way is to find the
     probability of core damage, which I believe one of the regulatory guides
     does for the temporary conditions that we have a -- yes, 5 x 10-7, I
     believe, for the probability, not the frequency.
         So if the plant is for a number of days in this particular
     mode, then, you find its CDF, then, the product of it -- and again,
     somebody has to look whether it's fair to multiply the CDF, the
     conditional CDF by the time, because the CDF may change with time, and I
     think it's noted in the report that these conditional CDFs are indeed
     functions of time if, you know, because decay heat, for example, decays.
         But let's say roughly, one would have to multiply that CDF
     by the duration of that mode, and that should be compared with the
     probability of core damage at power operations.  It's the probabilities
     we should be comparing, because that's the only common unit.  Everything
     else is really artificial.  To say I will reduce everything or
     renormalize everything on a per-hour basis, so I take the power CDF per
     year and divide it by 8,760, whatever, hours and then take the mode 6
     CDF and divide it by the appropriate duration to say oh, now, I have two
     CDFs that are on a per-hour basis; therefore, they are comparable.
         I don't think that's right.
         DR. LOIS:  Well, George, when we come to recommended work,
     one issue is how do you develop -- how do you define what we call
     baseline model?  And we kind of have a couple of concepts here, and
     probably, we would like to have your input.
         DR. APOSTOLAKIS:  I just gave you my input.
         DR. LOIS:  Yes.
         DR. APOSTOLAKIS:  I think the probability is the appropriate
     way to do it, and the agency has recognized this in another context; the
     risk-informed guide for technical specification changes; when the outage
     time is evaluated, we have a goal of 5 x 10-7, as I understand, for the
     probability during that time.
         As I say, the thing that makes it a little more complicated
     here is that the CDF may not be constant throughout that period, so
     somehow, we have got to account for that, but that's a further epsilon,
     you know.
         DR. WALLIS:  George, there's a great opportunity for a
     cost-benefit.  I mean, the benefit to the utility of short outage time
     is economic, but if they get into a higher risk probability, you should
     put a price on it.  Then, there's a way to optimize.
         DR. APOSTOLAKIS:  Yes; I only addressed the question of
     comparison.  Now, you are going beyond that.  You are going beyond that.
         DR. WALLIS:  I think it's pretty simple what you're saying;
     it's straightforward.
         Otherwise, how do they have a way of trading off a bit more
     risk with a bit more economic benefit?
         DR. APOSTOLAKIS:  Yes.
         DR. KRESS:  If I have a core damage frequency at full power
     based on a year --
         DR. APOSTOLAKIS:  Right.
         DR. KRESS:  -- and the way I convert that to a probability
     is to multiply it by one year.
         DR. APOSTOLAKIS:  Roughly, yes.
         DR. KRESS:  If I have a core damage frequency for a
     low-power shutdown, that's manualized; the way I convert that to a
     probability is to multiply it by one year.  I don't understand the
     difference between what you're saying and using the CDF frequency.  Why
     is the probability any different with the frequency?
         DR. APOSTOLAKIS:  Because the frequency -- see, my objection
     is to annualizing the mode 5 frequent CDF you get, because that assumes
     that you're in that mode throughout the year.
         DR. KRESS:  No it doesn't.
         DR. SHACK:  It's the wrong way to average.  Nobody does it
     that way.
         DR. LOIS:  No.
         DR. APOSTOLAKIS:  No, but they compare them, though; they
     don't average them.  They compare them that way.
         DR. LOIS:  My understanding is --
         DR. APOSTOLAKIS:  Oh, yes; oh, yes.
         DR. LOIS:  My understanding is that if you are on mivelope,
     you may get into a 10-3 phase, but then, what you do is you calculate
     for how long you've been in that -- on that phase, and you divide by the
     amount of years, so you come out on a yearly frequency; if you assume
     that you're on 10-3 for a whole year there, you would be 10-3.  You
     don't have 10-3 low-power shutdown risk, because for a few hours, you
     were on that.  So actually, you do calculate probability.
         DR. APOSTOLAKIS:  No.
         DR. BONACA:  You have it on page 2-6.
         DR. APOSTOLAKIS:  Yes; 2-6 doesn't do that.
         DR. BONACA:  Per calendar year basis --
         DR. APOSTOLAKIS:  Yes.
         DR. BONACA:  -- the average risk --
         DR. APOSTOLAKIS:  Right.
         DR. BONACA:  -- as it compares to numbers.
         DR. APOSTOLAKIS:  It says CDF for pulse 5 is 2 x 10-6 per
     year; for full power, it's 4 x 10-6 per year.  So it assumes that you
     are in pulse 5 for the whole year.
         [Chorus of nos.]
         DR. APOSTOLAKIS:  What does it assume?
         DR. SEALE:  It's a year of operation.
         DR. KRESS:  It means you're in it for the amount of time
     you're in it.
         DR. SEALE:  That's right; an operation is --
         DR. APOSTOLAKIS:  No, no, no, no, no, no; what does it mean
     that you're in it -- this is per year.
         MR. WHITEHEAD:  This is Donnie Whitehead.  Let me see if I
     can explain that.  The way those numbers are calculated are based on a
     per calendar year basis.  And so, the calculations already include the
     fact that the plant is only in that particular mode for a specified
     fraction of the year, like 0.03.  That number, then, allows you to
     compare directly with a core damage frequency from full power; again,
     excuse me, making the assumption that not correcting for the fact that
     you're in full power operation for, say, 80 percent of the year doesn't
     really, you know, doesn't really significantly impact the results.
         But in reality, if you wanted to make a strict comparison,
     then, you should use the appropriate factor for the power.  But since
     it's --
         DR. APOSTOLAKIS:  No, but that's not my problem.
         MR. WHITEHEAD:  -- close to 1, it's okay.
         DR. APOSTOLAKIS:  But then, no, no, no, what you are saying
     is inconsistent with what the other report says, because the report goes
     on on page 2-7 and says to avoid overestimating the risk from being in
     pulse 5 for one year, per hour results from the pulse 5 analysis should
     not be directly scaled; in other words, one cannot simply multiply the
     per hour results by the number of hours in a year and have the correct
     estimation of either CDF or risk.
         DR. SEALE:  They don't.
         DR. KRESS:  Nobody does that.
         DR. SHACK:  But it's confusing, because it makes it sound as
     though they do.
         DR. SEALE:  Yes.
         DR. APOSTOLAKIS:  Yes.
         DR. BONACA:  It's badly written.
         DR. APOSTOLAKIS:  yes.
         DR. BONACA:  That's not the way it's explained, because I
     understood the same thing.
         DR. APOSTOLAKIS:  Yes.
         DR. BONACA:  And I was really concerned about that.
         DR. SHACK:  They get a fairly decent definition by the time
     you get to page 3-4.
         DR. APOSTOLAKIS:  Well, let's see.
         DR. BONACA:  The other thing is that look, clear on the
     front page is how many days really you are in a shutdown condition. 
     Some plants have a 12-month cycle and maybe a month outage, and some
     plants have a 2-year cycle with a 15 or 28 day outage.  So there is a
     big difference there, and I'm not sure that you can easily reflect -- I
     mean, then it may make a difference of, well, not an order of magnitude
     but close.
         DR. SHACK:  Well, that does come down to this difficulty of
     defining a baseline outage when all outages are --
         DR. BONACA:  And I agree with that.
         DR. SEALE:  Yes.
         DR. SHACK:  That's a little different.
         DR. BONACA:  But it has to be a way it has to be explained,
     because this is not clear.
         DR. SEALE:  Yes, but it's simplifying the mathematics by not
     taking into account the fraction of a year that you're in full power
     operation.
         DR. APOSTOLAKIS:  Yes.
         DR. SEALE:  You may, in fact -- you may confuse the issue as
     to what you're talking about.  It probably would be smarter to take a
     point A and --
         DR. KRESS:  That's such a simple correction.
         DR. SEALE:  Yes, right.
         DR. APOSTOLAKIS:  But that's not the issue.
         DR. SEALE:  But the fact that you don't sort of reinforces
     the idea that you're going to assume that you're in shutdown mode for a
     year, and you're not.
         DR. KRESS:  It shouldn't be.
         DR. APOSTOLAKIS:  Well, I can -- I saw those words here on
     this report on the past assuming that the thing is a whole -- in that
     mode for the whole year, and I'm objecting to that.
         DR. SHACK:  Well, I must confess, I sort of read around that
     about four times before I figured out those words were just firing for
     effect.
         DR. SEALE:  Yes.
         DR. APOSTOLAKIS:  So in any case, so what you're saying is
     that when you say that the CDF from pulse 5 is 7 x 10-9 per reactor
     year, you have already included the fact that the plant is in pulse 5
     for a fraction of that year.
         DR. LOIS:  Exactly.
         DR. APOSTOLAKIS:  Okay.
         MR. WHITEHEAD:  Yes, I thought that we had been careful to
     represent the numbers on a per calendar year basis, and I believe that,
     you know, the documentation does represent that, but you're probably
     correct.  It would be a little bit -- it could describe in the report
     better exactly how we calculate the numbers if that would be
     appreciated.
         DR. APOSTOLAKIS:  That would help me a lot.
         MR. WHITEHEAD:  Okay.
         DR. APOSTOLAKIS:  That would help.
         MR. WHITEHEAD:  That, we should be able to do.
         DR. LOIS:  But the point of the slide was that people are
     doing different things.  For example, when PLG does a low-power shutdown
     PRA, it would do for the average risk, while the plants, the utilities,
     they calculate a risk or a fuel core damage for that particular outage.
         DR. APOSTOLAKIS:  Yes.
         DR. LOIS:  That's what --
         DR. APOSTOLAKIS:  But also --
         DR. LOIS:  This tells the story for what's happened.
         DR. APOSTOLAKIS:  But all of them are time-averaged, though,
     in a different sense.  They're simply conditioned on different things.
         Now, on page 11, 2-11, it says that at River Bend, a
     cumulative risk for a 21-day outage could be as high as the yearly at
     power risk.  So this tells me that they are multiplying the 21-day CDF
     times the 21 days, and they compare that with a power CDF times the
     year, and they are comparable.  Am I doing something wrong here? 
     Because as the cumulative risk for a 21-day outage.  And the other thing
     is if in these 21 days, they go through different configurations,
     shouldn't you --
         DR. WALLIS:  You integrate.
         DR. APOSTOLAKIS:  And I think you guys are objecting to the
     integration.
         DR. WALLIS:  No.
         DR. APOSTOLAKIS:  That's why --
         [Chorus of nos.]
         DR. APOSTOLAKIS:  So what are you objecting to?
         DR. KRESS:  You're the one who is objecting.
         DR. APOSTOLAKIS:  No, I want to integrate.  I love
     integration.  You know, that funny symbol?
         DR. SHACK:  The problem is the way they organized the
     document.  They talk about that time windowing much, much later in the
     document.
         DR. APOSTOLAKIS:  But my point is you cannot take -- I mean,
     how many modes does a plant go to when it --
         DR. SHACK:  It varies.
         DR. APOSTOLAKIS:  -- goes down from power until it goes back
     up?
         MR. WHITEHEAD:  The plant operating stage?
         DR. APOSTOLAKIS:  Yes.
         MR. WHITEHEAD:  It -- somewhere between, say, 14 and 455.
         DR. APOSTOLAKIS:  Okay; okay, fine.  So for each one, now, I
     can calculate a CDF.
         MR. WHITEHEAD:  That is correct.
         DR. APOSTOLAKIS:  Okay; so, I guess what I'm saying is
     instead of taking each of the CDFs and finding the appropriate fraction
     of time and then compare with power, it seems to me a total estimate of
     the probability of something going wrong for the 21 days that would be
     the integral of time times the appropriate CDFs would be the appropriate
     probability to compare with the power probability.  Is that what is
     being done?  I know it can be done but --
         DR. WALLIS:  What else could be done to make
     this --
         DR. APOSTOLAKIS:  What else could be done, Graham, is to go
     to page 7, for example, and compare pulse 5 CDF only with the power.
         DR. SHACK:  But I think what they do as a practical matter
     is assume that most of the risk is in --
         DR. KRESS:  Because that's where it's in --
         DR. SHACK:  So, yes, that's the conception that they do what
     you do, and then, they say it's dominated by this particular fraction.
         DR. KRESS:  Yes, it's close to the area under the curve.
         DR. LOIS:  As a matter of fact, the risk for most of pulses
     is zero.  For the biggest part of the outage, the risk is zero.
         DR. WALLIS:  The risk is never zero.
         DR. APOSTOLAKIS:  Then, let me go to page 2-8.
         DR. LOIS:  Insignificant.
         DR. APOSTOLAKIS:  I agree, then, that you guys know what
     you're doing, but it's not stated well.
         DR. LOIS:  Page 8?
         DR. APOSTOLAKIS:  It says the instantaneous risk at CERI
     during mid-ploop is at least comparable to that from full power.  On a
     per-hour basis, they give numbers.
         DR. SHACK:  That's okay, too, George.
         DR. APOSTOLAKIS:  That's okay.
         DR. KRESS:  You can divide by any time limit you want to. 
     As long as you're dividing each by the same time, you can do it on a per
     hour, per year, per 10 years.
         DR. APOSTOLAKIS:  I don't think this is appropriate.
         DR. KRESS:  You're really comparing probabilities.
         DR. APOSTOLAKIS:  Yes; you should be comparing
     probabilities.
         DR. SEALE:  That's what you're doing when you do the per
     hour.
         DR. APOSTOLAKIS:  I know, but the point is if I'm in that
     state for 20 minutes and in the other state for 365 days, it seems to me
     I'm missing something major.
         DR. SEALE:  Then they may be equal per hour, but they're not
     equal when you integrate over a whole year of operation.
         DR. APOSTOLAKIS:  But this, then, is a misleading
     comparison.
         DR. KRESS:  George, I think you have a good point there.  I
     think you're saying that a high probability over a short time --
         DR. APOSTOLAKIS:  Yes.
         DR. KRESS:  When you integrate it is not the
     same --
         DR. APOSTOLAKIS:  No.
         DR. KRESS:  -- as a low probability over a long time, even
     though the error is the same; no, that's a good point.
         DR. APOSTOLAKIS:  And that's exactly what I want to use as a
     basis for comparison.
         DR. KRESS:  But I don't know -- there's no theory at the
     moment that will let you adjust those things.
         DR. APOSTOLAKIS:  I know; it's easy for them to do it,
     because they know the duration; they know the CDF; they can do it.
         DR. KRESS:  But you have to have a functional between the
     CDF and the time.
         DR. APOSTOLAKIS:  They can do it numerically.  It's not a
     problem.  Those guys can do it.
         MR. KING:  We can do it either way.  It's just a question of
     what makes more sense.
         DR. KRESS:  Add another equation in there, George.
         MR. WHITEHEAD:  Yes; I mean, you're right, George.  We can
     -- the calculations are very easy to do, and in actuality, I believe the
     utilities provide numbers in various formats.  They provide
     probabilities for each particular, you know, a slice of the outage. 
     They provide a cumulative, you know, over the entire outage and so forth
     and so on.  The question becomes what becomes the most appropriate, you
     know, measure to prepare against, and, you know, at the time most of
     these documents were written, people wanted to provide an answer based
     upon a per-year basis.
         It's not to say, you know, that we couldn't or shouldn't
     change the comparison that we -- you know, that we're going to go
     forward with, you know, from this point forward.
         DR. KRESS:  You ought to do it on a per-year basis, because
     that's what we're used to.
         DR. APOSTOLAKIS:  Well, I think there are two issues here. 
     First of all, let's not call anything instantaneous, because there's
     nothing instantaneous.  They're all conditional, okay?
         MR. WHITEHEAD:  I hope you can.
         DR. SHACK:  I don't understand you, George.  It can be
     conditional on -- it might have slipped in.
         DR. APOSTOLAKIS:  But it's not.  It's time-average then.  So
     the conditional -- what is of interest, I mean, just to summarize here,
     what is of interest may be two things:  the conditional probability, the
     unconditional probability -- sorry; the conditional probability being in
     shutdown mode; probability, okay, which means CDF times time and compare
     that with the conditional probability of power, given year of power,
     probability.
         Now, I can see how a CDF itself, on a per-hour basis, could
     be of interest in the sense that as Tom said, you know, it's really the
     integral of time times the peak, but maybe there are certain peaks you
     don't want to tolerate.
         DR. LOIS:  Exactly.
         DR. APOSTOLAKIS:  But that should be very clearly stated,
     that you are calculating now the conditional CDF on a per-hour basis,
     and if the agency decides to do something about it, that's fine.  You
     don't want to get to 0.5, for example, even for an hour, okay?
         DR. WALLIS:  Well, CDF has units of 1/T, and it doesn't
     matter what T is.  It can be continuous or variable.
         DR. KRESS:  It may matter, and that's the reason you want to
     put it.  It's the only reason you would want to catch.
         DR. APOSTOLAKIS:  Of course, it matters.
         DR. KRESS:  Well, George, let me ask you:  if I had a CDF at
     some level for one day --
         DR. APOSTOLAKIS:  Yes.
         DR. KRESS:  -- and multiply the two together --
         DR. APOSTOLAKIS:  Yes.
         DR. KRESS:  -- to get a -- and then, if I had a -- if I had
     a CDF divided by 365 level for a whole year, do you believe those two
     risks are the same?  Because the integral of the curve is exactly the
     same.
         DR. APOSTOLAKIS:  The integrals are the same.
         DR. KRESS:  Yes.
         DR. APOSTOLAKIS:  Yes.
         DR. KRESS:  I thought you were saying that the high risk for
     the short time is not the same risk as the low one at the long time and
     that therefore, you need a cap on the short risk or something, or you
     need to look at --
         DR. APOSTOLAKIS:  That was my second comment, that you may
     want to put a cap on the second risk.
         DR. KRESS:  The only reason you would want to is if you view
     those two things as different.
         MR. CUNNINGHAM:  Since they're becoming -- is for a
     short-term, high consequence or high CDF conditions, are you risk
     averse, if you will, and you want to make that a more serious condition
     than the mathematics would otherwise.
         DR. KRESS:  Yes.
         DR. APOSTOLAKIS:  You may want to do that.
         DR. WALLIS:  It is risky to have a peak, because you might
     under unexpected circumstances get stuck there.  When you're in the
     peak, you're pretty nervous, because you don't want to spoil around. 
     That really needs to be --
         DR. APOSTOLAKIS:  But on the other hand, this may be an
     artificial peak, because as the staff told us half an hour ago, at South
     Texas, for example, everybody at the plant has been alerted to the fact
     that now we are in a particular thing, and the PRA cannot include that. 
     That's a fundamental point.
         DR. SEALE:  So you tie compensatory measures --
         DR. APOSTOLAKIS:  Right.
         DR. SEALE:  -- to the level of the instantaneous risk.
         DR. APOSTOLAKIS:  Right; but it's not instantaneous!
         [Laughter.]
         DR. WALLIS:  All risk is instantaneous.
         DR. LOIS:  These peaks are calculated based on their PRA,
     not based on the defense in depth approach.
         DR. APOSTOLAKIS:  Yes, I understand that.
         So I think we're in agreement, then, that's sometimes
     violated.
         [Laughter.]
         DR. APOSTOLAKIS:  But we are in agreement.
         DR. WALLIS:  We're doing calculus I first semester.
         DR. APOSTOLAKIS:  If you go to the commission, and you want
     to argue that the contribution to risk from LPSD operations is
     comparable to that from power operations, what numbers are you going to
     show?
         MR. CUNNINGHAM:  What metric do you use?
         DR. APOSTOLAKIS:  Yes, what metric do you use?  In my view,
     you should be using the probabilities.  Then, the next step would be
     now, an additional insight, because, you know, we really don't believe
     that something that's very sharp for a short period of time is the same
     as something else; an additional insight is that the CDF, during these
     operations, perhaps is way too high, and we may want to think about it,
     whether that is acceptable, even for such a short period of time.
         These two numerical results seem to convey the message.
         DR. BONACA:  As we have done for online maintenance, where
     we said it is manager; if it is too high, don't do it --
         DR. APOSTOLAKIS:  Yes.
         DR. BONACA:  -- too much.  So, but I think in general, I
     think it's a good point.  I think we have to be very clear of two
     things:  one, what this comparison means, okay?  And I got confused,
     too, and I understand -- second, again, the issue of presenting them
     without an assessment of uncertainty at all or a brief discussion is a
     real additional problem in my mind, you know, that it didn't put them in
     the right perspective, and I was trying to compare, when I was reading
     the report; I just couldn't convince myself that there was --
         DR. KRESS:  Yes; the implied assumption is the uncertainties
     are about the same.  Otherwise, you have to do something.
         MR. WHITEHEAD:  Let me address that issue.  Currently, most
     of the utilities perform analyses -- perform analyses do not perform
     uncertainty analyses using their PRA model.  There were three studies
     that were performed that did have some uncertainty information
     associated with them.  Those were the Grand Gulf and Surrey analyses
     performed by the NRC and the Seabrook study that was performed by the
     utility, and that information could be provided, but most of the work
     that's currently done for outage management does not involve uncertainty
     calculations.
         DR. BONACA:  I'm just saying that if we go in front of the
     commission and have to plead for additional funding for low-power and
     shutdown, we'd better have a clearer presentation of what these numbers
     mean and the associated uncertainty.
         DR. APOSTOLAKIS:  I think there are two issues that I would
     raise.  One is what we just discussed, and second, I would not limit it
     just to core damage frequency.  The agency cannot do one thing in the
     oversight area and another in the low-power shutdown.  So I think it's a
     powerful argument to say that the agency has declared four cornerstones
     as being important, and three of them are compromised during these
     conditions to some extent, okay?
         So, I mean, the argument Dr. Powers raised, you know, I can
     always hand do them.  But you already have violated one of the
     cornerstones.  You've got an initiator, okay?  So, why are you going
     after the utilities in the oversight process when their initiating event
     is greater than seven per year, and here, you're losing water, and it
     doesn't really matter because you recover from it?  It's the issue of
     consistency.
         DR. BONACA:  It's like the cornerstone which is shutdown
     which is not in those cornerstones.  I mean, if I have to make a
     judgment for the value of the cornerstones right now for shutdown
     conditions, I would say a fundamental one is missing, which is time.  It
     somehow has to be translated into some attribute that I don't think is
     there right now.
         DR. APOSTOLAKIS:  Well, yes, there is an assumption of
     steady state operation in the way things have been presented.
         DR. BONACA:  There's something missing in there.  I agree
     that --
         DR. APOSTOLAKIS:  But that's not quite a cornerstone.  Time
     itself is not a cornerstone, but it's a significant determinant of the
     response.
         DR. KRESS:  George, one problem I have with this:  when you
     say you need to pay balanced attention, say, to the cornerstones, we
     don't have a good notion of what balance means.  What you're really
     saying is you need to allocate the overall risk among the cornerstones. 
     But we don't know how to make that allocation.
         DR. APOSTOLAKIS:  Correctly, I agree, but I already have a
     basis, because the staff has told me that they don't want to see more
     than seven, I believe, unplanned trips per year.
         DR. KRESS:  That's an allocation.
         DR. APOSTOLAKIS:  That's an allocation.
         DR. KRESS:  Yes.
         DR. APOSTOLAKIS:  But they're already doing it.  Now,
     whether it's right or wrong is something else.  And then, they have
     certain unavailability bounds for the various systems, and then they
     have the special -- yes.
         DR. KRESS:  They already have said what does the balance
     mean.
         DR. APOSTOLAKIS:  Exactly.  And in fact, for the initiating
     events, they say, you know, we really don't expect to see any locus, so
     we are putting a number of the transients, the trips, and here, we have
     incidents where we didn't have locus, but, I mean, water was flowing in
     the wrong direction.
         DR. KRESS:  Out instead of in.
         DR. APOSTOLAKIS:  Now, I think, Erasmia, you have to use
     your judgment as to which view graphs you want to skip.
         [Laughter.]
         DR. APOSTOLAKIS:  Because the way we're going, you would
     never finish.
         DR. LOIS:  I think in preparing, getting into what work
     we're going to --
         DR. APOSTOLAKIS:  Do you want to go to that because you have
     methods?  Number 16?
         DR. LOIS:  Okay; I can do that.
         [Pause.]
         DR. APOSTOLAKIS:  Sixteen.
         DR. LOIS:  Okay.
         DR. POWERS:  I have glanced ahead a little bit in the
     graphs.  Why are we persisting to the internal fires as an initiator
     that falls into an external event category rather than any internal
     event?
         DR. APOSTOLAKIS:  Which one is the first word?
         DR. SEALE:  Fires.
         DR. POWERS:  Fires.
         I mean, I know why this was done historically.
         DR. APOSTOLAKIS:  Yes.
         DR. POWERS:  But I don't know why we are persisting to
     maintain this fiction.
         DR. APOSTOLAKIS:  I believe it's for the same reason:  the
     ACRS wants to say that we always have the benefit of the documents
     referenced.
         [Laughter.]
         DR. APOSTOLAKIS:  That was the argument given to me for
     historical reasons.
         DR. POWERS:  I don't think so.  I think it's the nature of
     the --
         DR. APOSTOLAKIS:  Or minor --
         DR. POWERS:  In essence, it's a lot like a tornado or
     seismic event in the sense that it doesn't -- it attacks multiple -- and
     it --
         DR. APOSTOLAKIS:  No, I think --
         DR. POWERS:  I think it has features in common with external
     events.
         DR. APOSTOLAKIS:  Yes.
         DR. POWERS:  Much more than what we call internal events.
         DR. APOSTOLAKIS:  Yes, it's the way it's treated.  You have,
     in the internal events, you have the initiating events that start an
     event tree.  The so-called external events do not really act as an
     initiator that starts an event.  You take the existing event risk, and
     then, you say if I have a fire now, which one of these are affected.
         DR. POWERS:  Yes, that's the basic one.
         DR. APOSTOLAKIS:  And if I have an earthquake, which ones of
     these are affected?  So it's sort of the big potential common cause
     failures, and it's treated as such, so unfortunately, they called it
     external events.  It's really handling certain events that have the
     potential of inducing great dependencies separately, but by calling them
     external, you're right:  it's --
         DR. BONACA:  And the methodology has been driving
     disaggregation of those.
         DR. APOSTOLAKIS:  Yes.
         DR. BONACA:  But really, again, I agree with the point that,
     you know, fires and internal floods, I mean, it's something so specific
     to the plant that you can't compare it with seismicity, okay because --
         DR. APOSTOLAKIS:  But they don't initiate the sequences in
     the same way that locus do.
         DR. BONACA:  It's the dominant --
         DR. POWERS:  I bring it up in this context, and I think that
     fire is a very likely initiator during shutdown, because so much is
     taking place in a fire, and you can have wild swings, and your transient
     combustibles, and your potential igniters --
         DR. APOSTOLAKIS:  Sure.
         DR. POWERS:  And it seems to me that to exclude it when
     you're shut down risks underestimating what the significance of shutdown
     is to the plant's risk profile.
         DR. KRESS:  I don't think you want to exclude it.
         DR. APOSTOLAKIS:  It can't be excluded.
         DR. KRESS:  You can't exclude it.
         DR. APOSTOLAKIS:  Are they excluded?
         DR. POWERS:  Yes; they've universally been excluded.
         DR. APOSTOLAKIS:  No.
         DR. POWERS:  With no counterexample to it.
         DR. APOSTOLAKIS:  Except for the laboratory analysis, right?
         MR. CUNNINGHAM:  Yes.
         DR. APOSTOLAKIS:  At Seabrook.  Seabrook included external
     analysis.  I remember that explicitly.
         MR. CUNNINGHAM:  And it included fire.  And it included
     internal fires.
         DR. APOSTOLAKIS:  Yes, yes.
         DR. POWERS:  I know of no case where shutdown risk
     assessments have been done that included fire as an initiator.
         DR. LOIS:  The NRC study did.  As a matter of fact, the
     Surrey study identifies fire as a very important initiator.
         DR. POWERS:  I know of no risk analysis that's been run for
     shutdown events that includes fire as an initiator.
         DR. LOIS:  Not for shutdown?  The Surrey study did not?
         DR. POWERS:  I know of none that did.
         DR. LOIS:  Yes; low-power shutdown, the Surrey study did,
     and it proved to be one of the most important ones.
         DR. APOSTOLAKIS:  Again, it's not treated as an initiator in
     the sense that you start an event tree.  The moment you have the fire,
     you look at the event trees from the internal events and say which ones
     of these are affected, so which initiating event from the standard list
     is the one I have now?  In other words, did the fire create a loca? 
     Then, I go to the loca event tree.  Did it create a transient?  I go to
     the transient event tree.  But I will not treat it as an initiating
     event in the traditional sense.
         DR. BONACA:  Or what kind of mitigating probabilities that
     --
         DR. APOSTOLAKIS:  Yes.
         DR. BONACA:  -- in the tables.
         DR. APOSTOLAKIS:  It's a big common mode failure, because it
     affects also the -- where is the -- do you have the -- please, where is
     it?  I can't find it now but -- tell me which page.
         MR. BEARD:  Page 2-7 is where we talk about the fire events
     at Surrey, the internal fire event at Surrey.
         DR. APOSTOLAKIS:  Internal fires are the most important
     events at Surrey because of the physical separation issues.  So, they
     did include it.
         MR. WHITEHEAD:  Yes; Donnie Whitehead.  I mean, both of the
     NRC studies on low-power shutdown did analyze fire event, the internal
     fires internal to the plant.  Also, there were numerous of the
     international studies on low-power shutdown included internal fires and
     floods.  Some of those also found that those initiating events were
     important contributors to the overall core damage frequency.  So, I
     believe that, you know, there have been cases where, you know, these
     have been examined and found to be important contributors.  The question
     becomes whether or not, you know, you're proposing what to do in the
     future, whether or not you would include those type of events, and it
     would seem appropriate to at least consider those type events, because
     they have been found to be important.
         DR. LOIS:  However, in the workshop, we heard that fire and
     flooding is not important, because there is time to mitigate it, and
     it's a lot of fiddling around, and therefore, if you have fire or flood,
     it would be caught.  So the, I guess, industry perspective is that it
     may not be -- these initiators may not be as important.
         So shall i go ahead here?
         DR. APOSTOLAKIS:  Yes.
         DR. LOIS:  The Reg Guide 1174 provides for the use of
     qualitative assessments for risk informed regulation, and therefore, we
     look into the possibility of including qualitative arguments for risk in
     -- as a basis in decision making for Reg Guide 1174 purposes or Part 50.
         We thought we would start with the one that the plants are
     using, the defense in depth.  These are the weaknesses that, from a
     regulatory perspective, from a risk-informed perspective, the fact that
     you don't have calculation of -- you don't have quantitative risk
     metric, therefore, you cannot do the ranking, as Dr. Lyon pointed
     before.  You don't know how red red is.  There is a planned plant
     variability in the defense in depth.  The licensees have the flexibility
     to determine themselves the reds and the oranges, et cetera.
         And also, the utilities grade themselves for how well they
     adhere to the guidelines.  So these are some of the issues that -- the
     weaknesses that are embedded in the qualitative --
         DR. APOSTOLAKIS:  So even from the -- from what you said, I
     get the impression that you're saying that 1174 cannot be used for
     requests that involve low-power shutdown.  But wouldn't it be fair to
     say that this weakens the utilization, the degree to which 1174 can be
     utilized even for power operations?  Because an important piece is
     missing, so if I want, for example, to evaluate, to extend allowed
     outage times, and I don't have the low-power shutdown contribution,
     then, I really don't know where my CDF is, so if I go to figures three
     and four and my LERF, I already don't know what to enter as the figure. 
     And then, when I calculate the delta CDF, it's not clear to me whether
     the calculation is accurate.
         In other words, it makes the --
         MR. CUNNINGHAM:  That is correct.
         DR. APOSTOLAKIS:  -- whole risk informed regulatory approach
     much weaker now, even for cases where there is no shutdown situation.
         MR. CUNNINGHAM:  That's right.  That's where you have to go
     back and qualitatively convince yourself that the change you're talking
     about doesn't really impact -- isn't impacted by the shutdown risk and
     that that risk is somehow not going to move you up above the fuzzy areas
     on the right.
         DR. APOSTOLAKIS:  Right.
         MR. CUNNINGHAM:  Yes; that is correct.
         DR. APOSTOLAKIS:  But that's more difficult if I don't have
     a --
         MR. CUNNINGHAM:  That is correct.
         DR. APOSTOLAKIS:  -- PRA.
         MR. CUNNINGHAM:  That's kind of --
         DR. APOSTOLAKIS:  Yes.
         MR. CUNNINGHAM:  -- what Erasmia is alluding to there, that
     if we want to take a qualitative approach --
         DR. APOSTOLAKIS:  Okay.
         MR. CUNNINGHAM:  -- then you've got those weaknesses.
         DR. LOIS:  And therefore, we have to do some work on how to
     incorporate qualitative approaches into risk-informed.  However, we
     don't have any thoughts yet for the qualitative approach.
         Also, reflecting what has been done right now in the
     industry, we thought that as a first cut, we could -- what we called use
     a limited scope PRA for a risk-informed purposes, and that limited scope
     would include only plant outages, and from those plant outages would be
     those modes that have reduced the water inventory.
         However, they would include transition between code shutdown
     and refueling, because we think that transition risk may be as
     important.  Also, it would address this spent fuel risk.  So, it's a
     little bit more -- it's a limited scope, but it does not quite reflect
     what's happening in the industry right now, because I guess most of the
     plants do not assess transition or spent fuel, although the tools have
     the capability to do that.
         DR. APOSTOLAKIS:  Now, judging from our discussions with the
     various commissioners, one thing is for sure:  they don't want to see
     the staff propose a new major study ala 1150 for low power shutdown. 
     They're not convinced that this is something we need.
         I think what you need is a more focused approach, and, for
     example, you need a view graph that says this part of the problem is
     done satisfactorily right now by the laboratory work of a few years ago
     or by the Seabrook PRA or whatever.  The reason why I mention Seabrook
     is that my understanding is that it is the most complete one, external
     events and so on, goes all the way to letter three.  That's what you
     guys say here.
         So what is it I don't like about the Seabrook PRA that I
     want to improve upon and then identify those issues that you feel need
     some work?  Judging again from at least my personal impression from what
     the commissioners have been saying, that would go a long way towards
     gaining support from them.
         DR. LOIS:  So, then, that's what we do here, George?  This
     slide represents an approach, and then, we go in and say what we need if
     we are going to adopt this approach or this methodology for some parts
     of risk informed regulation, then, what do we need to do on that?
         DR. APOSTOLAKIS:  But what I'm saying, Erasmia, is it would
     strengthen this slide if you referred specifically to existing studies. 
     For example, why do you want to do plant outages only?  Nobody else has
     done it?  You may very well say and this PRA has done a pretty good job;
     all we have to do is improve it in these areas.
         DR. LOIS:  Yes.
         DR. APOSTOLAKIS:  Then, if I were to vote on this, I would
     say gee, you know, maybe it's worthwhile doing, but right now, I don't
     get that feeling that you are building on the state of the art.
         MR. CUNNINGHAM:  Erasmia's got two or three different what
     she calls approaches here, and she's building on -- because she's doing
     two or three approaches, because she's building on the two or three
     approaches that are out in the industry today:  the qualitative approach
     that she was talking about is used in outage management today.  This is
     a description of a way some utilities manage their risk in outages, but
     you're right, and what we're trying to do is exactly what you say.  If
     we want to build on that to be able to use it in risk informed
     regulation space, what do we need to do?
         DR. APOSTOLAKIS:  But I'm trying to be constructive here,
     Mark.  I'm saying it would help you a lot if you referred specifically
     to existing PRAs and said okay, there is a need for shutdown modes with
     reduced water inventory, but the French have done it; it seems to be a
     reasonable job; we'll take that.
         Now, our guys are not doing it, but the methodology is
     there.  That's what I'm saying.
         DR. LOIS:  Okay; I guess we can clarify this point if we go
     to slide 23.
         DR. POWERS:  I guess I'd like to understand, George, if you
     say gee, let's not do a big NUREG 1150 study on shutdown risk, and I say
     gee, why would George say that?  We learned an awful lot from NUREG
     1150.  Those guides are thinking an awful lot about risk.  Why wouldn't
     I be very excited about having something like NUREG 1150 applicable to
     shutdown events, applicable to fire events?  I think I would.  So why is
     it no, I don't want to do that.
         DR. APOSTOLAKIS:  Let me tell you why.  I think there are
     two reasons.  First of all, I'm not really saying don't do it.  I think
     there are two issues that I need to clarify here.  The commissioners
     will never approve that if I go there and just say that.  Second, what
     I'm saying is you can do that, but you can specify the methods that are
     ready to be used for that, so the impression that the commissioners will
     get will not be that you are starting, you know, almost from scratch,
     because then, the magnitude of the effort will be very large.
         But if you say yes, it would be great to have a new 1150 for
     these kinds of equivalents, for these kinds of modes, but look:  70
     percent of this has already been done; all we have to do is take those
     methods, those results, evaluate them, of course, make sure we are
     convinced, and then, we need development only in this 30 percent; I
     think that will go a long way towards giving you the necessary
     resources.
         DR. LOIS:  And that is not reflected in the report, I
     understand, but as Mark said, we went a little bit beyond that, and the
     issues that I'm going to discuss as proposed work, most of it is
     guidance development; for example, this is how one will use the full
     power models for shutdown risk.  Most of the utilities do use their full
     power models.  However, there are some -- there is a need for guidance
     on how you would do that on a more appropriate way.
         So that is an aspect which would need work.  However, it is
     not like doing another 1150 except --
         DR. POWERS:  I guess I'm really having trouble understanding
     why let's not do another 1150.  When I consider 1150 did a great deal to
     clarify what the risk profiles of representative classes of plants are. 
     I mean, we learned a lot.  We learned furthermore where the
     uncertainties were that would affect the outcomes.  And that seemed like
     a very, very valuable thing.
         Now, my reluctance for undertaking a big 1150 study right
     now is we have not done the equivalent of the IREP studies of shutdown
     events yet.  We've got it technically in the state that we could do
     1150.
         DR. APOSTOLAKIS:  Again, I don't think that the final goal
     is different, the way I see it and you see it.  All I'm arguing here,
     all I'm trying to do is give advice as to what the best strategy would
     be to have the commission approve the necessary resources so that the
     staff would do this.  Now, 1150, if you go back, you know, I don't think
     -- I mean, there were some studies, notably in the Zion, Indian Point
     and so on that looked a little more seriously into level two phenomena
     but nothing like what 1150 did.
         Here, you can say yes, my goal is to have an 1150 type of
     study, but with the same breath, you're saying a lot of it has already
     been done.  I'm not starting --
         DR. POWERS:  Somebody is going to have to persuade me that a
     lot of it has been done.
         DR. APOSTOLAKIS:  Because there was no discussion of it
     today.  You see, I read here that Seabrook has done a level 3 full-scope
     PRA, and that's mentioned in passing, okay?  I'm sure they've done more
     than that, okay?  It included fires; it included everything else.  So
     what is it that they did?  And what is it that you don't like?  What is
     it that you don't like about it, and you feel you have to do it from
     scratch?
         DR. POWERS:  I mean, we've had this conversation with our
     French colleagues, and I would say that they viewed their work on
     shutdown risk as scoping and exploratory and not a definitive tour de
     force of the subject.  I certainly heard the people claim a tour de
     force on their risk analysis.  I'm not sure these things bear much
     scrutiny.
         DR. APOSTOLAKIS:  Why?
         DR. POWERS:  I think we can find deficiencies.
         DR. KRESS:  I think Dana has a good point, and I think it
     would be a lot easier at this time to do an 1150, because you have the
     base that you started from for full power, and I think you can draw a
     lot to do another 1150 for shutdown.
         DR. POWERS:  I worry, because I know what people think of
     when they think of an 1150.  It's huge numbers of studies that went on
     --
         DR. KRESS:  But what are you going to put into an 1150 for
     shutdown?  You're going to put down uncertainties on the fission product
     releases?  Are you going to put in uncertainties on the initiating
     events?  You know, a lot of those uncertainty ranges are going to be
     about the same, and I think you can do a lot with what you already have,
     and you don't have to worry about uncertainties on the containment
     failure.  You approach it a different way.  So, you know, I think it
     would be a lot easier to do.  But one of the things that bothers me that
     I don't see in a thing like these approaches, and that's let's take the
     case of one kind of risk-informed regulation; that is, the 1.174 type,
     where last sea comes in and says I want to make this change.
         So you have to enter into -- one of the things you have to
     do is enter into your matrix and say what's the CDF, and what's the
     delta CDF?  And that's one of the things.  Now, in order to do that in
     terms of low-power and shutdown, you're going to include those in this
     matrix, you'll have to ask yourself what does this change to the plant
     that's being proposed do to my lifetime, my whole lifetime, 40 years, of
     shutdowns in terms of changing the risks?  You have no way at the moment
     of knowing how to account for future unplanned and planned shutdowns,
     because they're not planned more than one shutdown at a time, not for
     the lifetime.  You have to figure out some way in a risk informed world
     to account for changes to the plant that are going to affect the whole
     risk profile for its lifetime, and I don't see this in the concept
     anywhere.  And that's what bothers me.
         DR. SEALE:  What bothers me is I'm trying to figure out what
     dog will hunt in today's jungle.
         DR. APOSTOLAKIS:  Which is my problem.
         DR. SEALE:  And the one that will is risk informing Part 50. 
     That's the commitment that exists.  We ought to ask ourselves what
     elements of shutdown risk evaluation you need in order to make risk --
     make Part 50 risk-informed.  You get to the concerns about making
     comparisons, because that's integral to a 50.59 type process or things
     like that.  All of the elements are there, but I don't think you can
     call it an 1150 replication, because there's just a lot of baggage with
     that, but if you ask yourself what it takes to risk inform Part 50,
     then, you get to the pieces that you need to do the job, and you're
     doing it in a way that is consistent with the dedication -- well, with
     the marching orders that the staff has received from the commissioners.
         DR. APOSTOLAKIS:  If I read your report, page 3-2, some
     traditional LPSDPRA applications have covered planned and forced outages
     in addition to refueling outages to get the comprehensive risk profile. 
     An example of this is the industry study performed by PRG for the G”sgen
     plant in Switzerland, which consisted of a level one and two analysis
     for both internal and external events.
         Now, that intrigues me.  If I look at this, I'm willing to
     bet that with these view graphs alone, you will have three commissioners
     voting no, because there is nowhere there anything that tells me that
     there is a study for G”sgen that does all these things and that you're
     going to build on it, and I've heard it many times from Diaz and
     McGaffigan:  they don't want to start a major study.  They want to know
     what specific things the staff should do to make sure that it reaches a
     state of understanding of low-power and shutdown that will allow it to
     use it in 1174 and others.
         So when I see a sentence like this that plays no role in the
     presentation, I think you're following the wrong approach.  I think you
     should say there is this study there; we looked at it.  There are
     certain things we like; certain things we think we ought to do better,
     but to have this dynamite sentence that they looked at planned and
     unplanned outages, level one and two analysis for both internal and
     external events, so what?  We dismiss it?
         DR. LOIS:  So, then, George, I'm not quite sure what is your
     point here.
         DR. APOSTOLAKIS:  My point --
         DR. LOIS:  Whether or not we've learned that, we propose
     actually -- our approach is to --
         DR. APOSTOLAKIS:  But you are not saying anywhere there in
     your view graphs which parts of the existing studies you think are good
     enough, so you will not do any work on them.
         But most of the work that we propose is not method
     development.
         MR. CUNNINGHAM:  It's an excellent point.  We're talking
     about all of the things that are needed, but we're not talking about the
     things that are already sufficient --
         DR. APOSTOLAKIS:  That's right.
         MR. CUNNINGHAM:  -- if you will.
         DR. APOSTOLAKIS:  And maybe you did that already in your
     private deliberations.
         MR. CUNNINGHAM:  Yes, that's right.
         DR. APOSTOLAKIS:  But as a third observer now --
         MR. CUNNINGHAM:  Yes.
         DR. APOSTOLAKIS:  -- I don't get that feeling.  So what I'm
     saying is you have to make sure the commissioners understand that you
     will use a lot if, of course, you approve of what's already out there.
         MR. CUNNINGHAM:  Yes.
         DR. SHACK:  That's sort of assuming that you know what you
     want to do.  I thought the point of these view graphs was to try to
     decide what you could do if you had this.
         DR. APOSTOLAKIS:  If you had this?  What do you mean?
         DR. SHACK:  What could I do towards risk informing
     regulation if I only had qualitative stuff?  What could I do towards
     risk informing regulation if I had a limited scope understanding?  What
     could I do towards risk informing regulation if I had the whole nine
     yards?
         DR. APOSTOLAKIS:  That's a different --
         DR. SHACK:  That's a different question.
         DR. APOSTOLAKIS:  Yes.
         DR. SHACK:  But I think -- I thought that was the question
     they were trying to set up here is what could I do if I had this?
         DR. APOSTOLAKIS:  Nothing.
         DR. SHACK:  No, you want to tell me how do I get to the
     whole nine yards?  That's a whole different question, you know.  Do you
     need to get to the whole nine yards?  Can you do enough?
         DR. APOSTOLAKIS:  But if you go to the recommended work a
     few slides later, again, maybe that's where my comments belong.
         DR. SHACK:  Right.
         DR. APOSTOLAKIS:  But you don't see anywhere a recognition
     in writing, because I think Mark is right.  I mean, those guys thought
     about it.  I don't see any evidence in writing here on the view graphs
     that they will build upon what's out there.  So when I see that the PRA,
     especially for the Swiss, which consisted of level one and two analysis
     for both internal and external events, I would like to know why can't I
     pick that out?  It was done by an American contractor, anyway, and use
     that.
         DR. BONACA:  You did also for Seabrook, so already there --
         DR. APOSTOLAKIS:  There you are.
         DR. BONACA:  -- there was an understanding of, in fact,
     since the systemics of the two plants are quite different, there will be
     different lessons learned there.
         DR. APOSTOLAKIS:  For example, you say here initiating
     events.  Maybe if you --
         DR. LOIS:  I guess that's what they're going to say.  The
     key point here is guidance.  When we propose to develop guidance, the
     assumption is that we know how to do it, and therefore, what we provide
     here is how one would like standards or a NUREG that would tell how
     would you do a good job, and this is because of these insights we got
     from the studies referenced in chapter two.  So, then, there is no
     method development in this area because --
         DR. APOSTOLAKIS:  Well, I don't know that; you have to tell
     me that, you see.
         DR. LOIS:  Yes; I'm sorry.
         DR. APOSTOLAKIS:  I don't know that.
         DR. LOIS:  I mean --
         DR. APOSTOLAKIS:  And if I look at the last bullet, it says
     common cause failure analysis:  examine applicability of full-power CCF. 
     Why?  Examine applicability of the G”sgen PRA.
         DR. LOIS:  Sure.
         DR. APOSTOLAKIS:  Not full power.
         DR. LOIS:  Okay.
         DR. APOSTOLAKIS:  Then, you are telling me that you are
     already aware of this, and you are going to go and see, does this apply?
         DR. LOIS:  Yes.
         DR. APOSTOLAKIS:  And if it applies, I don't have to do
     anything.
         DR. LOIS:  So, then, for the purpose of this discussion, we
     got your point, George.  However, when we recommend work as guidance
     development, the assumption is that we feel comfortable with the methods
     existing, and therefore, we need only clarification on how it should be
     done.
         DR. APOSTOLAKIS:  For me at least.
         DR. LOIS:  I recognize that.
         DR. APOSTOLAKIS:  I strongly recommend that you use as much
     as you can from your review, and whenever you refer to something, say
     and a lot of work has been done there, or we will examine, like you say
     there, the applicability of what the Swiss did.  In other words, we are
     truly building on what's out there, and you are, of course, very free to
     disagree.
         I think it's a matter of communication, but I know of three
     commissioners who if they see this will be negative.
         DR. LOIS:  Okay.
         DR. APOSTOLAKIS:  And frankly, if I were one of them, I
     would probably be myself.
         DR. LOIS:  Okay.
         DR. APOSTOLAKIS:  Unless I talked to you in private, and you
     explained to me that -- you know, communicating is very important,
     especially when people walk into the room being on the negative side, as
     I think these three are.
         DR. LOIS:  Okay; so, here, we clarify it.  Shall we go
     ahead?
         DR. APOSTOLAKIS:  So, tell us about the next recommended
     work.
         DR. LOIS:  Okay; I guess the next recommended work is on the
     HRA, and the point that we would like to make here is that typically,
     people are using the methods that are used for full power, and we heard
     the complaint that it is not applicable, and probably, the estimates are
     all very pessimistic because the times allowed in the full-power PRAs
     are small, et cetera.
         So our feeling is that probably what needs to be done here
     is clarification, because most of these -- some of the full-power HRA
     methodologists do allow for long times that it appears that it's not
     clear in there, in people's heads, how one would use it, and the other
     is, of course, to investigate what we should do for the human error to
     initiate abnormal events and look at ATHEANA and then perform additional
     work if we find that it's necessary.
         DR. APOSTOLAKIS:  I think ATHEANA can be used very well in
     low-power shutdown operations to do what it does well for power
     operations; in other words, given the initiator, you've had human
     failure events; analyzes the hell out of them.  But as you pointed out
     earlier, the work processes here really may create unhealthy situations
     is not exactly something that ATHEANA right now does.
         In fact, one of the commentors again on ATHEANA said that
     it's hard for him to see how management and organizational factors can
     be included in this current format, and maybe they don't really belong
     there, but in this case, where, you know, a lot of things are happening
     that are not little things, that's where these things get important.
         DR. SEALE:  Could I ask a detailed question:  do we have
     available performance estimates for things done by staff who are trained
     members and so on versus contractors who come in from the outside?  Is
     that kind of distinction recognized here?  And should it be?
         DR. APOSTOLAKIS:  It should -- it will be recognized if they
     start doing what we just discussed.
         DR. SEALE:  Yes, and as a matter of fact, the thing that
     comes out of that, it seems to me, is you need supervision of a trained
     staff member overseeing anything that a contractor does.
         DR. APOSTOLAKIS:  That's one of the arguments that the
     industry has used in arguing for online maintenance.
         DR. SEALE:  Yes, oh, yes.
         DR. APOSTOLAKIS:  We could relieve our staff from a lot of
     the work that has been during outages, so we don't need as many
     contractors.  So this is one of the unquantified benefits of online
     maintenance.  But there is no quantitative, serious evaluation of this.
         DR. SEALE:  Yes.
         DR. LOIS:  So, then, going back to your point here, we have
     things that we can build upon in existing methodologies and some things
     that we probably should explore further.
         DR. APOSTOLAKIS:  Yes.
         DR. POWERS:  When you look at a plant, and you say gee, I'm
     going to do the risk assessment here on this plant, you have a pretty
     good idea of what things look like when the plant is operating, not only
     for the next operational cycle but for 20 operational cycles down the
     stream.  You have a pretty good idea of what that plant is going to look
     like when it's operating.
         That's not really the case for shutdown, it seems to me;
     that I know what the next shutdown event is going to look like pretty
     well, because people are probably working on planning it right now as we
     speak.  But I have no idea what the 19th next shutdown is going to look
     like, because there will be other, different demands on things that will
     have to be done.  I don't see how that gets factored into these things
     that you're talking about as future work on the PRA, the fact that the
     shutdown events are not carbon copies of each other, even as planned
     right now, and the unplanned shutdowns, Lord knows what they look like.
         How do you handle that?
         DR. LOIS:  I guess PRA always -- I'm sorry.
         MR. CUNNINGHAM:  I just wanted to clarify something.  I'm
     not sure I understand what you mean.  Are you talking about variability
     in outages themselves or variability of the events that occur during
     outages?
         DR. POWERS:  I'm saying that -- I may be -- what I know is
     that my planned outages right now, I'm going to take fuel out, and I'm
     going to put fuel back in; I'm pretty sure that that's going to happen,
     and I know all about that.  I know what I have to do to take fuel out,
     and I know what I have to do to take fuel in.  But while I'm doing that,
     I also tend to do maintenance on lots of things that need to be
     maintained.
         Some of those things, I know very well, because I'll do it
     every single outage.  Some of those things, I will do only every fifth
     or sixth or tenth outage, and so, any given outage is going to look
     different as far as what's available and what's not available; what
     stresses there are on one group of operators versus another group of
     operators.  Everything is going to be different.
         DR. BONACA:  And they will change as you go.
         DR. POWERS:  And they change as we go along, evolve.  I want
     to see recognition here, you know, of that difference.
         DR. APOSTOLAKIS:  I think I didn't communicate it very well. 
     That's what I meant when I said that ATHEANA is not equipped to handle
     that; that you really have to deal with the way work is being
     accomplished.  The complicating factor that you just raised is that you
     may not even know what work needs to be done for some of these, but the
     plants do not do things ad hoc.  They have work processes; they don't
     always call them that way, programs and work processes.  So if there is
     a need for something to say oh, this is what we're supposed to do, and
     they follow this sequence.
         Now, what complicates things, I think, is the timing.  But
     one of the most important things that I learned, at least from looking
     at the operating experience, is that you really have to know at any one
     time what work processes have taken place at the plant and what changes
     to the configuration have been affected precisely because they are
     trying to do this piece of work, and Wolf Creek is a good example.
         DR. BONACA:  One thing that drives clearly the risk is
     you're making a plan at the beginning, and that will involve a certain
     number of modes or configurations, okay?  If you went -- when you see a
     lot of changes happening to the original plan for whatever reason -- it
     may be management that says do it fast, so do this first and pull out
     that -- there is almost a correlation between events that occur and the
     amount of changes that you have in the -- I mean, number of modes, there
     is a correlation between what happens.  I don't know -- you know, I
     really don't know if -- I don't know if that can be or where that can be
     treated.  But anyway --
         DR. SHACK:  Coming back to the bigger picture, it seems to
     me that, you know, you're doing this request for a number of reasons. 
     One is that I think to me, when I see what they recommended here, at
     least implicitly in their head, it seems to me most of this is aimed at
     assuring themselves that the quality of the PRAs that the licensees are
     using to manage their outages are good.  So to me, most of this work
     would look like it would build towards just assuring themselves that
     what these guys are doing with their PRAs are pretty good, and so
     they're looking at those weaknesses.
         There's this question of how do I decide where I'm at in
     1174?  There's the question of how do I give the senior reactor analysts
     the ability, the tools, to judge?  To me, those are kind of almost three
     different things, and when you're recommending the work, you kind of
     have to decide which of those higher level goals you're really aiming at
     at the time.  And, you know, at the moment, I would say that what I see
     up there looks like it's focused on assuring the quality of the PRAs
     that the licensees are using, which doesn't strike me as an unreasonable
     thing to be doing.
         It doesn't address all of the questions one might ask.
         DR. APOSTOLAKIS:  But given the current situation, okay,
     funding, commissioners and so on, no matter how noble your goal is, the
     question of how you get there is critical, because if you tell them that
     you're going to do all of these things to get there without anything
     else, there is a very high probability --
         DR. SHACK:  But first, you have to know where you're going.
         DR. APOSTOLAKIS:  Yes, but they seem to know, though.  They
     seem to know.  They can rephrase it a little better.
         DR. SHACK:  To me, you know, I think I've seen us aim off at
     a couple of different roads here.  Now, a lot of what you're doing, of
     course, is useful for all three major things.
         DR. APOSTOLAKIS:  Okay; so what do we recommend, then, to
     the staff to structure -- let's say they have to make a presentation to
     some real decision makers, not advisors.  First is the goal:  what are
     you trying to do here, okay?
         DR. KRESS:  What are the benefits?
         DR. APOSTOLAKIS:  Yes; so, what are the goals?  The goals,
     as you just said, is to have a PRA.
         DR. WALLIS:  Why do you have those goals?
         DR. APOSTOLAKIS:  What?  Well, there has to be some sort of
     an ultimate achievement.
         DR. WALLIS:  A benefit.  What's the need?
         DR. APOSTOLAKIS:  Well, the need is, first of all, that the
     way 1174 is now, this is a major hole.  You can't really use 1174.
         DR. WALLIS:  And you feel that hole is important?
         DR. APOSTOLAKIS:  Well, it is the jewel of the crown of the
     regulations.
         DR. SHACK:  I'd put it the other way around.  What I want to
     be sure is when the licensee does a PRA of his shutdown, it means
     something.
         DR. APOSTOLAKIS:  Yes.
         DR. SHACK:  So, well, to me, that's the most important thing
     --
         DR. APOSTOLAKIS:  Actually, I would change it slightly to
     say when they use ORAM and all of those things, they should really know
     what they're doing, and the way to do that is with a PRA.  And Dana's
     point that the staff should have the tools to evaluate what the licensee
     is doing is a relevant point here.
         DR. BONACA:  Assume that I could make a point that the risk
     that we're talking about needs some characterization, okay?  I could
     identify some sensitivities.  I made an example before of the
     relationship between events and the numbers of mode changes that should
     take place, and I don't know if there is a basis.  I have a very strong
     suspicion.  If you have a number of characterizations of the type that
     you could draw from a study of this nature, the benefit would be very
     obvious in my mind.  I'm trying to go back to the issue of the benefit. 
     There are things we can draw upon to understand so that we can all learn
     from that, because the utilities have not done that.  The utilities are
     using it ad hoc, but they have not determined, for example, the issue,
     again, if there is one, and I believe there is one, and there is a
     correlation between the way you change modes, et cetera, so many times
     and the events that you get, right?
         And so, I think the benefit issue is very important to me.
         DR. APOSTOLAKIS:  Okay; I suspect that we're getting into
     the discussion among ourselves now, so let's stop for awhile; we'll get
     to that and give Erasmia one last chance to give one of her view graphs,
     and I think the view graph we have not talked about and introduces
     something kind of new is number 28.  Everything else, I think one way or
     another, we have discussed.
         DR. BONACA:  I also propose again that we will give the gold
     medal to Erasmia for the patience she has shown.
         DR. APOSTOLAKIS:  Especially given her heritage, being
     patient is not something --
         [Laughter.]
         DR. APOSTOLAKIS:  -- that is a clear characteristic from
     that part of the world.
         DR. LOIS:  Thank you; I accept the --
         DR. APOSTOLAKIS:  So tell us why you think transition risk
     is important, contrary to the evidence you have seen, Bob, the last few
     years.
         DR. SHACK:  I better not rush to just.
         DR. APOSTOLAKIS:  What transition?
         DR. LOIS:  I guess it was just about the discussion that --
     your discussion right now, that this is the change within, from one
     power level to another, transition, but also, as within a configuration,
     as people do the realignment, this is where the errors probably occur.
         DR. APOSTOLAKIS:  Has anybody done a transition risk
     analysis?
         DR. LOIS:  I guess -- yes?
         MR. WHITEHEAD:  Donnie Whitehead; let me address that. 
     There have been studies, and we reported a couple of them both from the
     NRC and industry studies that account for the first one that we talk
     about here; that is, modeling the risk associated with moving from one
     operational state all the way down to some lower operational state or
     from power operation down to shutdown.
         The second concept in transition risk, I believe, has not
     been examined, and at this point in time, we are unsure as to whether or
     not, you know, it is important; I mean, what we are proposing here is
     that this area be investigated; that is, where are the places where
     initiating events might occur?  This, you know, this is very likely that
     it could be in the actual physical changing of or transitioning of the
     plant from, say, train A of RHR to train B of RHR, positioning of valves
     from one state to another state, especially if there are combinations of
     actions going on.
         So that's where we're -- that's where we think that we need
     additional work to examine to see whether or not this is important.  The
     other, like I said, it has been looked at.
         DR. APOSTOLAKIS:  Do you suspect that it is important?  On
     what basis?
         MR. WHITEHEAD:  Well, because of events that have happened
     in the past, where indicate, I think you had indicated one where
     activities were postponed from one to another, and then, from one day to
     another day, and then, people come in and start in on the activities
     that they believe that they need to, you know, to perform.  I mean, what
     we're looking for here is to try to identify, you know, what are the
     interactions amongst the human events that must take place to actually
     move the plant from one state to another state, and, I mean, the answer
     is we do not know if they're important.  We suspect that it's possibly
     that they're important, and we've seen events where, you know, an
     initiating event occurred because of conditions like this.
         DR. APOSTOLAKIS:  I remember the BMW owners' group a couple
     of years ago when they were arguing, oh, what was it now?  That the
     plant should not be shut down.  They include the transition risk in
     their calculations, and what struck me then was that that number was
     pretty high, and on the basis of that, they were arguing that it's
     better to extend the AOT and do things at power rather than shut down
     because this particular piece of equipment has been down longer than the
     allowed time.
         MR. WHITEHEAD:  That's the first concept --
         DR. APOSTOLAKIS:  Right.
         MR. WHITEHEAD:  -- in transition risk, yes.
         DR. KRESS:  I'm not sure I understand.  If I'm going to do a
     risk assessment of a plant, I've got to find a configuration in that
     plant, and then, I've got to go into my PRA and put in all the failure
     rates and initiating events and come out with a number.
         There is no transition here.  If I want to do it for another
     configuration that has changed, then, I change the PRA to this new
     configuration.  If I'm going to ask myself what's the transition risk,
     it's actually embodied in one or the other in that second state, and you
     have to ask yourself the mere fact that I changed from this state to
     that one must have affected something in my PRA.  It must have said I
     either do not have this configuration like I thought I had or I have a
     different failure rate for something or a different something.
         So it ought to be -- the transition risk ought to be
     embodied some way in your look at the given --
         DR. APOSTOLAKIS:  I guess what they're saying is it's not
     the initial and final states that matter.  There is a certain period of
     time between the initial and final when things are changing.
         DR. WALLIS:  It's like landing an airplane.  Flying and
     being on the ground are very different for the pilot.
         [Laughter.]
         DR. APOSTOLAKIS:  So they are making a distinction.  This
     doesn't happen in a small delta P, when they reconfigure the plant and,
     you know, to go from one state to another, it takes a certain period of
     time.
         DR. KRESS:  PRAs are not differential equations.  You cannot
     do that in a PRA.
         DR. APOSTOLAKIS:  No.
         DR. KRESS:  You want to divide it up into little time
     increments and --
         DR. APOSTOLAKIS:  Well, we don't know what you're going to
     do, but maybe there is a period of a few hours when certain things are
     happening, and maybe the existing tools are not good enough.  I mean, we
     are into pushing event risks and fault risks to the limit.  I mean,
     there are static tools that represent logical relationships, and we're
     using them everywhere, and time is important.
         DR. BONACA:  It changes it, it may cause initiating events
     that you never consider in any other period of initial or final
     configuration, just because something is happening there; a system is
     out of service.
         DR. KRESS:  Like I said, you're changing something that --
     you fix a configuration, and you put an initiating event frequency or a
     failure frequency or a configuration.  So the research you have to do
     there doesn't have anything to do with the PRA.
         DR. APOSTOLAKIS:  But you have to look for these initiating
     events.  That's what they are saying, that somebody has to look.
         DR. WALLIS:  I don't agree that those lines -- repair really
     should be a dynamic thing in which everything is a function of time and
     so on; that's a very sophisticated PRA.
         DR. KRESS:  That is a different PRA than what we have now.
         DR. APOSTOLAKIS:  That's different; that's a second
     generation PRA.
         DR. KRESS:  You may be right; it ought to be a different
     equation.
         DR. APOSTOLAKIS:  Mike, do you want to say something?
         MR. MARKLEY:  I just was going to say something.
         DR. APOSTOLAKIS:  Come to the microphone.
         MR. MARKLEY:  Just from my inspector experience, it seems to
     me --
         DR. APOSTOLAKIS:  Who are you, Mr. Markley?
         MR. MARKLEY:  I used to be somebody else, but Mike Markley
     with the ACRS staff.
         I think it's mostly, you know, at least from, you know,
     inspector time is that the opportunities for more human errors occur,
     and that's really where it goes through the roof, that the equipment
     really hasn't changed for the most part, but the mere process of
     changing things and taking people out of their daily routine and having
     them do things that they haven't done in 18 months or so creates
     opportunities.
         I mean, just something as simple as taking the generator off
     the grid causes safety system actuation with the diesel if you don't do
     it properly and turn one wrong knob.  So there are just unique
     opportunities and things that you don't realize about the equipment as
     well.  Two rods don't fully insert in a core in post-operating cycle rod
     drop tests.  What does that mean?  They're just --
         DR. KRESS:  So figure out how much time you're in the
     transition; fix the PRA configuration at some average thing and input
     different failure.
         DR. APOSTOLAKIS:  But now, you're telling them how to do it.
         DR. KRESS:  But the problem is what are you going to input,
     and the input has to do with you don't know what these new changes to
     the failure rates and the initiating events are.
         DR. BONACA:  The big problem is that there is an issue about
     how you transition, and you can model it.  The bigger issue is you're
     doing so; you have a lot of preparation ahead of time.  You have
     literally a month and a half or two where everything is being reviewed,
     okay?
         Now, you get into with the legal staff, and the decision is
     made that something cannot be done.  You go back a step, so you can do
     something, do some work before, and now, you have narrow windows of
     evaluations; you have shift changes, and you have maybe only one
     individual reviewing something and dressing it off.  So all I'm trying
     to say is that now, that mode change that happens as a change process as
     you are in the outage triggers all of the events that Mike Markley was
     pointing to, okay?  In addition to the transition, you have unplanned
     transitions, and if really, one could understand the risk of that and
     understand the correlation that there is between those things and risks
     and how you can model it, for example, it would be a justification for
     better understanding what should not be done and ultimately what should
     not be done in that configuration.
         DR. APOSTOLAKIS:  Okay; I'm just -- I think you're almost
     done, but I'm just curious on page 31.  As part of this project, you
     plan to check a republic.  Which republic are you checking?
         [Laughter.]
         DR. LOIS:  I'm sorry about that.  I'm sorry about that.
         DR. APOSTOLAKIS:  Okay; I think we should thank Erasmia for
     her patience.
         DR. POWERS:  I think there's --
         DR. APOSTOLAKIS:  I think we should discuss it among
     ourselves now.
         DR. POWERS:  I think there are still some omissions from the
     work that has to be done.  It seems to me one of the first steps that
     one has to do in thinking about a probabilistic risk assessment, one has
     to find out what a criterion for success and failure is.  And it's not
     evident to me that the criteria for success and failure in shutdown are
     the same as they are in power operations.  And in particular, I see -- I
     look at things that go on during shutdown, and I said gee, we finally
     recovered fuel and then covered it back up, that would be okay.  I
     wouldn't have any trouble with that.
         It's not evident to me that it's okay under shutdown
     conditions, and I guess my point is --
         DR. APOSTOLAKIS:  What is the appropriate metric for that?
         DR. POWERS:  Yes; do we need to understand what the success
     criteria are for these shutdown events?
         DR. APOSTOLAKIS:  Okay.
         DR. POWERS:  Do we understand what the consequences are of
     failure for achieving a success pathway?  For instance, I guess there
     has been talk about the release pathways or the release mechanism.  A
     pressurized plant for an accident in the power, you usually conceive of
     a fairly violent release of radioactivity when the containment fails,
     and you track it as a plume, whereas with the containment open and what
     not, you are probably going through the aux buildings, for the most
     part, for a power accident, you would give no credit for decontamination
     of the aux buildings, because we knew the velocities were so high
     powered, you would probably be knocking them down anyway, and resonance
     times were going to be pretty low.
         Now, I think the resonance times are high, and
     decontamination probabilities are very high in the aux buildings.  That
     element seems to be missing from this.
         DR. APOSTOLAKIS:  Let's put some structure to this
     discussion.
         First of all, thank you very much, Erasmia.  You can sit
     down now.
         The first question is does the committee feel that the full
     committee should write a letter?  Can you turn off the -- any feeling
     that we need to write a letter or stay silent?  The staff is requesting
     a letter, by the way.
         DR. KRESS:  In December?
         DR. APOSTOLAKIS:  Yes, in December, commenting on all of
     this and maybe offering some advice.  Are the members reluctant to write
     a letter?
         DR. POWERS:  How many pages long?
         [Laughter.]
         DR. APOSTOLAKIS:  All right; so, the first answer, then, is
     yes, we will write a letter.
         Now, I want to ask you a point of procedure.
         DR. SHACK:  Is there any particular urgency to the letter? 
     I mean, if it slipped --
         DR. APOSTOLAKIS:  They are sending something in December to
     the commission.
         MR. CUNNINGHAM:  We owe a commission paper with this plan in
     December to the commission by current schedules.
         DR. APOSTOLAKIS:  So, the question is this:  shall we go
     around and have each member express his views about what ought to be in
     the letter?  Or shall we first talk about some general issues like the
     goals of the research, what are we trying to achieve, methodology and
     then give members opportunity to -- how do you want to structure this? 
     Because we don't have much time.
         DR. SHACK:  Are we going to see the commission paper before
     we write the letter?
         MR. CUNNINGHAM:  I suspect the commission paper itself will
     be just a summary of what you've got already.
         DR. SHACK:  Of this document.  And this unreleased,
     unreleasable document is actually a reasonably accurate reflection?
         MR. CUNNINGHAM:  I think the place we really need to think
     in that document is the recommendations part of it.  We've heard a lot
     of good information today, and that's the part that --
         DR. APOSTOLAKIS:  I'd like something much earlier than that.
         DR. WALLIS:  I don't think you can sell this program if you
     use what you have at the moment.  I think you've got to answer the kind
     of questions that Dana has, the kind of questions the commission is
     going to have, and all these details that we get into here are not going
     to make any difference to that.  That's my impression.
         DR. APOSTOLAKIS:  If you could get a postponement, it will
     benefit you.
         MR. CUNNINGHAM:  Okay.
         DR. APOSTOLAKIS:  Because if the report reflects the
     presentation, I'm not sure that the commission will be positive.
         DR. SEALE:  I just think you have to make the point that
     these are things you have to do in order to deliver on your commitment
     to risk-informed Part 50.
         DR. APOSTOLAKIS:  Well, okay, let's start without them. 
     What should be the goal?  What is the need for this kind of research? 
     Can we go around?
         Bill?  You can pass if you wish, but you raised the issue.
         DR. SHACK:  No, I see you'd have multiple goals for this
     one.
         DR. APOSTOLAKIS:  Okay; what are they?
         DR. SHACK:  You know, as I say, one, to assess what the risk
     management that the -- right, I mean, that's clearly directly related to
     --
         DR. APOSTOLAKIS:  Assessment and management of what?  Of the
     utilities?
         DR. SHACK:  That the utilities are performing.  I mean, that
     seems to me the absolute most direct connection to public health and
     safety.  These people are making decisions.
         DR. APOSTOLAKIS:  Okay; what's next?
         DR. SHACK:  The next is to -- you need this in order to
     continue with your risk-informing Part 50 or even 1174, you know.  And
     you do have to know where you are on the axis.
         DR. APOSTOLAKIS:  And the third?  Is there a third?
         DR. SHACK:  The third, I think is Dana's point of view that,
     you know, the commission itself needs insights and perhaps tools.  Now,
     if you can't afford all three of these, you know, then, we have a
     prioritization problem.
         DR. APOSTOLAKIS:  The commission needs insights for what?
         DR. SHACK:  They can make judgments on what the utilities
     are doing, the tools.
         DR. APOSTOLAKIS:  For what?
         DR. SHACK:  No, tools says -- you're assessing the tools
     that the utilities are using.
         DR. APOSTOLAKIS:  Yes.
         DR. SHACK:  Well, the other part is to have your own tools
     so that you can essentially do an assessment also.
         DR. APOSTOLAKIS:  Which will tell you how good what the
     utilities are doing is.
         DR. SHACK:  But you make an independent -- you know, the
     question is is this important enough that you require independent
     assessment?
         DR. APOSTOLAKIS:  I think they're related but --
         DR. SHACK:  I wouldn't say that they're independent.
         DR. APOSTOLAKIS:  No?
         DR. SIEBER:  No, the utility can -- may or may not decide to
     do shutdown risk assessment or choose whatever tools they want, and
     then, they manage risk that way.  The commission, however, needs to have
     the tools to be able to arrive at generic conclusions about certain
     phases of shutdown operations so that they can decide whether not only
     risk informing Part 50 but what's the adequacy of the deterministic
     regulations that exist right now, because it's always going to be a
     hybrid, and they need to have some kind of a risk-informed ability to
     determine whether the regulations are adequate or not.
         DR. SEALE:  Tom King mentioned the ASP program.
         DR. APOSTOLAKIS:  Yes.
         DR. SEALE:  The need to provide the inspectors with the
     tools they need in order to make reasonable judgments about risk and the
     shutdown mode.
         DR. APOSTOLAKIS:  Well, this is part of assessing the risk
     management that --
         DR. SEALE:  Yes, but that's again a commission commitment
     down the road, and in order to do that, you need risk informed
     information about shutdown.
         DR. APOSTOLAKIS:  The way I see it from what I hear is that
     there are two issues, really.  One is --
         DR. SHACK:  You've got all the way to go around the table.
         DR. APOSTOLAKIS:  But it's going to be repeated, so let me
     focus it a little bit.  One is contribute to the current efforts to
     risk-informed Part 50 and use 1174, and the other one has to do with
     what the utilities are doing right now, and that has several parts:  is
     it good enough, right?  Do we have the capability to independently
     evaluate it?  You know, all these are parts of this.  So there are two
     major goals that I heard so far.
         Tom, any comments on this?
         DR. KRESS:  I think those are the two goals.
         DR. APOSTOLAKIS:  Bob?
         DR. UHRIG:  Just that this is important, because the order
     of magnitude of the risk is comparable to normal operations.  In spite
     of the motivation --
         DR. APOSTOLAKIS:  How do I argue with that?  It's
     comparable?  There is a suspicion that it is.  There is evidence that it
     may be.
         DR. UHRIG:  Yes, but that's not a goal.
         DR. APOSTOLAKIS:  That's not a goal.
         DR. UHRIG:  No, but it is an issue that --
         DR. APOSTOLAKIS:  But it relates to -- Jack said, regarding
     the adequacy of the existing regulations --
         DR. UHRIG:  That's right.
         DR. APOSTOLAKIS:  -- that risk may be high.
         DR. UHRIG:  And the other issue is whether you want to say
     anything about the ASME effort on standardization PRAs should or should
     not include this.
         DR. APOSTOLAKIS:  That's not a goal right now.  That may be
     a little later.  It's not a goal.
         DR. UHRIG:  Okay.
         DR. APOSTOLAKIS:  Mario?
         DR. BONACA:  My problem is with the second recommendation. 
     My point is that right now, the utilities are only doing a very detailed
     evaluation when they see the big picture, lessons learned, okay?  Of
     what the drivers are of risk during shutdown.  We know that inventory is
     important; power is important.  The question is what is happening out
     there that drives risk?  And, you know, we make some discussion here
     about motivations.  There are some issues there that, you know, have not
     been looked at in a comprehensive fashion, and certainly, 1150 did that
     for power.  We don't have any equivalent.
         DR. APOSTOLAKIS:  So the insights that the PRA provides are
     --
         DR. BONACA:  Generally, insight from the lessons learned
     about all these different facts.
         DR. APOSTOLAKIS:  Dana?
         DR. POWERS:  Are we going to look at the goals?
         DR. APOSTOLAKIS:  Okay; so, I am sorry.
         DR. WALLIS:  You never asked me.
         DR. APOSTOLAKIS:  I never asked you?  Professor Wallis?
         DR. WALLIS:  Well, it seemed to me that if your goal is to
     risk-inform Part 50, if that's the goal, and I don't know if this really
     is the goal, then, what you need to do is figure out what you need for
     adequate PRAs in these situations.  I don't think, however, this is
     going to sway the commission.  I think that risk-informing Part 50 isn't
     such a wonderful thing that you do everything no matter what in order to
     risk inform everything.  You've got to figure out what matters.
         I don't think the case is really being made that this is a
     crucial place to put --
         DR. APOSTOLAKIS:  Yes; for example, the option two that the
     staff is pursuing now, which really deals with the scope of the
     regulations, clearly --
         DR. WALLIS:  You need to have the right tools if you're
     going to risk inform.  What are the tools you need in order to
     understand the PRA?
         DR. APOSTOLAKIS:  You clearly need a ranking of SSCs under
     all the configurations, so clearly, this is a major hold, yes, yes.
         DR. SIEBER:  Again, this is administrative in nature, but
     you do have an enforcement policy that's risk-informed right now, and
     most of the violations that are written are written during outages on
     different things that happen.  So if you're going to risk inform that to
     determine whether it's cited or non-cited or civil penalties, you've got
     to have a basis, and right now, you don't.
         DR. APOSTOLAKIS:  So risk inform the enforcement process.
         DR. SIEBER:  Yes or policies.
         DR. KRESS:  When you say risk-inform, the regulations are
     included in that.
         DR. APOSTOLAKIS:  I think that we can emphasize that.
         Okay; it seems to me that we are done with this.  We'll have
     another opportunity to discuss the letter; don't worry about it.  This
     is just advice to the poor fellow who has to write the first draft.
         Shall we go to the tools, or do you want to go to open
     discussion and then, after the tools, go to the open discussion, in
     other words, the various recommendations of what to do and so on?
         The floor is open for any comment you want to make.
         DR. WALLIS:  What can you do with the present tools, and
     what are you losing?
         DR. APOSTOLAKIS:  Well, that was exactly my point, that I
     want to see the --
         DR. WALLIS:  How can you make the quickest --
         DR. APOSTOLAKIS:  What can you do --
         DR. SEALE:  With what you've got.
         DR. WALLIS:  With what you've got.
         DR. SEALE:  The first question.
         DR. WALLIS:  Why are you dissatisfied, and where are you
     dissatisfied, and what is the cost of all of this?
         DR. APOSTOLAKIS:  Why do more?  Yes, justify why you need to
     do more, right?  In an explicit way.
         DR. WALLIS:  Yes.
         DR. KRESS:  See, George, we made the point in an earlier
     letter that there are two types of PRA in this context.  One is for
     configuration risk management, and the other is for risk informing the
     regulations.  In my opinion, those things are very different animals,
     very different.  I think the tools that are out there are mostly for
     configuration risk management that the industry has.  I have a problem
     with those that are the same as Dana's.  I don't think we -- the oranges
     and the reds and the greens have been well-quantified in terms of the
     risk, so I have a problem with those.
         But I don't think they help us very much at all in
     risk-informing the regulations, and I think we need a new type of tool
     for that, and it involves this comment I made about you have to know --
     you have to project the risk over the lifetime of the plant if you're
     going to risk-inform the regulations.  If you're going to project the
     risk over the lifetime of the plant for shutdown conditions, you will
     have to have some representation of what those are, and I don't know. 
     We don't have the database; we don't have the tools for analyzing them. 
     We don't have the effects of the various configurations over the
     lifetime of the plant, and I think the development of the tools in that
     area is where you really need a strong look at them.
         DR. APOSTOLAKIS:  I am not willing to make such a strong
     distinction between configuration risk management and risk informing the
     regulations.  I mean, if you -- I don't think you need a different PRA
     to do this.
         DR. KRESS:  I think you can write a shutdown risk using the
     configuration risk management tools, but I don't think you can write a
     shutdown risk rule.
         DR. APOSTOLAKIS:  Right.
         DR. KRESS:  But I don't think you can risk-inform the whole
     body of regulations with that kind of configuration.
         DR. APOSTOLAKIS:  No.
         DR. KRESS:  I don't think it's useful.
         DR. APOSTOLAKIS:  Jack?
         DR. SIEBER:  It seems to me that PRA and power operation
     versus shutdown risk are two completely different things.  From
     standpoint that the shutdown risk is dominated by human events, in my
     opinion, there are 17,000 valves in a PWR and probably an equal number
     of switches, circuit breakers and so forth.  When you shut down the
     plant and go from mode one to mode six, you're going to move about half
     of them to put on all of these clearances and so forth, and every outage
     that I've known in every plant usually has five or six valving errors in
     the process of the posting of clearances, reconfiguring the plant to
     start back up, and when you change modes, you run through places where
     you don't have a lot of margin, like steam generator level control,
     low-powers.
         I mean, how many plant trips have there been?  200?  300
     from that?  And so, I see all this transition analysis and human factors
     analysis as dominating everything as opposed to a full power PRA.
         DR. APOSTOLAKIS:  That was the genesis of ATHEANA, by the
     way, was a low-power shutdown.
         DR. WALLIS:  You have delta functions; you have
     probabilities.  Every time someone throws a switch, it might be the
     wrong switch.
         DR. SIEBER:  That is correct.
         DR. APOSTOLAKIS:  So you should use --
         DR. SIEBER:  It might even be the wrong unit.
         DR. WALLIS:  That's true.
         DR. SIEBER:  Or a wrong trend, you know.
         DR. APOSTOLAKIS:  So the nature of the beast is different,
     and it's time dependent.
         DR. SIEBER:  Yes, and you have to identify where these key
     points are, you know.  You change divisions halfway through the outage
     so you can --
         DR. APOSTOLAKIS:  Okay.
         DR. SIEBER:  -- maintain one side or the other.  And you use
     the one to stop.
         DR. POWERS:  Initially, it just really eludes me here. 
     There are huge potentials for errors, and they manifest themselves, and
     we've had lots and lots of events that have merited more discussion.  We
     haven't melted any fuel yet.  And the question that is not clear to me
     is why not?  Why haven't we melted fuel given all this potential, given
     the lack of regulations of this, safety regulations that exist in here,
     we haven't melted any fuel.  I mean, and during power operations, I have
     melted fuel at least once.
         DR. SIEBER:  I think things move fairly slow.
         DR. POWERS:  Right.
         DR. SIEBER:  They're relatively self-identifying, and there
     is no huge pressure and temperature.
         DR. BONACA:  That is a good point to be made.  As we are
     going to shorter outages, that time becomes more --
         DR. WALLIS:  Then, you need some criterion for saying when
     the time is too short.
         DR. BONACA:  I think you made this out to be --
         DR. KRESS:  That may be considered a goal right there.
         DR. BONACA:  We should put that inside the letter, too,
     because, I mean, things are changing there.
         DR. WALLIS:  I think someone should really make an estimate;
     suppose the shut time is cut in half the time?  Now, what is the risk?
         DR. BONACA:  That's not enough, because you have to really
     --
         DR. WALLIS:  I can make a case to the commission that --
         DR. APOSTOLAKIS:  That's not enough.  You have to know which
     activities have been moved to power operations.  You know, just to say I
     cut the time is not informative enough, I don't think, for a risk
     assessment.
         Okay, we agreed on that.  Any other point?
         [No response.]
         DR. APOSTOLAKIS:  There will be a point there about building
     on existing technology.
         DR. SIEBER:  Must be.
         DR. BONACA:  Yes, and by the way, that is a very important
     point, the point you were making before.  There is information.
         DR. APOSTOLAKIS:  Pardon?
         DR. BONACA:  Of course, it's all for PWRs, but I'm saying
     that, for example, even though the issue was talked about before,
     lessons learned for other drivers --
         DR. APOSTOLAKIS:  Now, regarding the goals, this issue of
     the cornerstones, should we mention it there?
         DR. KRESS:  Well, couldn't we mention the consistency?
         DR. APOSTOLAKIS:  Yes, consistency.
         DR. WALLIS:  The main goal has been --
         DR. KRESS:  Yes; I think that's what Bill Shack said.
         DR. SIEBER:  Well, there is a tradeoff between do you
     maintain the concepts of the goals, or are you willing to trade that
     because you have more time to react?  You know, you ultimately react --
         DR. SHACK:  It's almost a given.  You have to grade those
     things.
         DR. APOSTOLAKIS:  Yes, that's right.
         DR. SHACK:  That's why you shut down, I mean, because you
     want --
         DR. SIEBER:  I'm convinced that --
         DR. APOSTOLAKIS:  Yes, but I mean, you just don't dismiss it
     because you have to.  There must be something else --
         DR. KRESS:  Yes.
         DR. APOSTOLAKIS:  -- that you are doing right.
         DR. SHACK:  You're shutting it down.
         DR. KRESS:  You can maintain safety without having to shut
     down.
         DR. WALLIS:  In order to get to a safer condition.
         DR. KRESS:  But it would be nice to have one so you can, you
     know, have assured yourself of what margins, to assure yourself of what
     levels of safety you maintain.
         DR. BONACA:  A quick question about what are the
     cornerstones to the applicable, valid, to the shutdown conditions.
         DR. APOSTOLAKIS:  Should we revise the cornerstones?
         DR. SIEBER:  There may be new ones.
         DR. BONACA:  There may be new ones.
         DR. SEALE:  Are the existing ones sufficient?
         DR. BONACA:  And by definition, you are taking out certain
     cornerstones.
         DR. APOSTOLAKIS:  Good point; good point.  No, I agree,
     because I think Jack's elaboration was very good, you know, that you are
     doing a few things to the current cornerstones, but on the other hand,
     you have longer times to respond; your radioactive inventory is not as
     high, blah, blah, blah, blah, blah.
         DR. WALLIS:  What are you doing?  Are you advising the
     commission, or are you advising the staff?
         DR. APOSTOLAKIS:  We are advising, I think, the EDO at this
     point or the commission itself.
         DR. POWERS:  At our last meeting with the commission, we
     offered our low-power shutdown, we ran out of time and didn't have the
     opportunity to, so I think that -- and they indicated still an interest
     in that.  So I think even if they were written to the EDO that we have
     to recognize by answering questions that they may have had.
         DR. APOSTOLAKIS:  Are you sending a SECY?
         MR. KING:  It's a SECY.  Generally, when we give you our
     SECY to look at, you write to the EDO, but you can write to the
     commission if you want.
         DR. KRESS:  I think somewhere in there, we may have to
     discuss uncertainties, too.
         DR. APOSTOLAKIS:  Yes, yes, yes; don't worry about that.
         DR. WALLIS:  What is your expected output?  Are you writing
     a letter in order to have the commission make certain decisions?  What
     are you --
         DR. POWERS:  We have previously written to the commission,
     telling them that we thought shutdown was a significant area.
         DR. WALLIS:  And you didn't get very fa.
         DR. POWERS:  And that they should consider doing some
     examinations of their capabilities to do risk assessments during them. 
     And at the same time, we also told them that the proposed rule was not
     acceptable to us, because we didn't understand enough about the shutdown
     experience to write a useful rule.
         DR. APOSTOLAKIS:  This effort --
         DR. WALLIS:  So what we're trying to do now is support the
     staff's effort to get more information?   Is that what we're trying to
     do?
         DR. APOSTOLAKIS:  Yes.
         DR. WALLIS:  So it has to be sold.
         DR. APOSTOLAKIS:  Yes.
         Anything else?
         [No response.]
         DR. APOSTOLAKIS:  Now, regarding the staff's presentation at
     the full committee meeting, you have now what?  Two weeks?
         MR. KING:  Yes, two weeks.
         DR. APOSTOLAKIS:  Can you try to address some of these
     concerns --
         MR. KING:  Yes.
         DR. APOSTOLAKIS:  -- and not show the same presentation? 
     What are the goals?  How you build on existing information and maybe do
     some of it and say this is, for example, how we're going to do it?
         MR. KING:  We need to sharpen up our recommendations.
         DR. APOSTOLAKIS:  Yes.
         MR. KING:  Because that's really what we owe the commission: 
     what do we propose to do in the future?
         DR. APOSTOLAKIS:  What is it that's already being done
     satisfactorily, and what is it that you feel ought to be worked on?  I
     think that is really the key evidence.
         MR. KING:  Yes; try to focus the presentation that way.
         DR. APOSTOLAKIS:  Great; how much time do they have, Mike?
         MR. MARKLEY:  Hour and a half.
         DR. APOSTOLAKIS:  Hour and a half.  So we're not going to
     see any of the documents from you before we write the letter.
         MR. KING:  No.
         DR. APOSTOLAKIS:  So we will not have the benefit of the
     document listing.
         [Laughter.]
         DR. APOSTOLAKIS:  Anything else that a member wants to
     raise?
         [No response.]
         DR. APOSTOLAKIS:  The staff?
         [No response.]
         DR. APOSTOLAKIS:  Members of the public?
         [No response.]
         DR. APOSTOLAKIS:  Well, this meeting is adjourned.
         [Whereupon, at 12:11 p.m., the meeting was concluded.]
 

Page Last Reviewed/Updated Tuesday, July 12, 2016