Meeting of the Joint Subcommittee on Reliability and Probabilistic Risk Assessment - November 18, 1999
UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
***
MEETING: RELIABILITY AND
PROBABILISTIC RISK ASSESSMENT
***
Conference Room 28-1
Two White Flint North
11545 Rockville Pike
Rockville, Maryland
Thursday, November 18, 1999
The committee met, pursuant to notice, at 8:30 a.m.
MEMBERS PRESENT:
GEORGE APOSTOLAKIS, ACRS, Chairman
DANA A. POWERS, Member, ACRS
THOMAS S. KRESS, Member, ACRS
JOHN J. BARTON, Member, ACRS
JOHN D. SIEBER, Member, ACRS
MARIO V. BONACA, Member, ACRS
ROBERT E. UHRIG, Member, ACRS
ROBERT L. SEALE, Member, ACRS. P R O C E E D I N G S
[8:30 a.m.]
DR. APOSTOLAKIS: The meeting will come now to order. Is
this on? Oh, it's only for you, oh. Oh, this is an amplified.
This is a meeting of the ACRS subcommittee on reliability
and probabilistic risk assessment. I am George Apostolakis, chairman of
the subcommittee. ACRS members in attendance are Mario Bonaca, Tom
Kress, Dana Powers, Robert Seale, William Shack, Jack Sieber and Graham
Wallis.
The purpose of this meeting is to review the staff's
proposed low-power and shutdown operations risk insights report and
start plans to develop an associated commission paper on this matter.
The subcommittee will gather information, analyze the relevant issues
and facts and formulate proposed positions and actions as appropriate
for deliberation by the full committee. Michael T. Markley is the
cognizant ACRS staff engineer for this meeting.
The rules for participation in today's meeting have been
announced as part of the notice of this meeting previously published in
the Federal Register on November 1, 1999. A transcript of the meeting
is being kept and will be made available as stated in the Federal
Register notice. It is requested that the speakers first identify
themselves and speak with sufficient clarity and volume so that they can
be readily heard. We have received no written comments or requests for
time to make oral statements from members of the public.
We will now proceed with the meeting, and I call upon Mr.
King and Mr. Cunningham and Ms. Lois to begin.
MR. KING: Let me say a couple of words before we get into
the formal presentation. My name is Tom King from the research staff,
by the way. You had received probably 10 days or 2 weeks ago a draft
report on our low power and shutdown work. That's really a report that
represents work in progress. The presentation today will take it a step
beyond the draft that you saw as we try and settle in and come up with
the recommendations that we ultimately want to give to the commission.
We owe the commission a report in December on what we've found out and
where we think we ought to go in the research area on looking again at
additional low power and shutdown risk work.
We would like a letter from the committee in December.
We're prepared to come back to the full committee at your December
meeting and talk some more about this subject, but we would like a
letter representing the committee's thoughts on the proposed work and
the insights that we gained over the past year or so.
So with that, I'm going to ask Mark and Erasmia to get into
the presentation.
MR. CUNNINGHAM: Good morning. I'm Mark Cunningham from the
research staff. As Tom said, I'm going to introduce this work, and
then, Erasmia Lois will be doing the bulk of the presentation. We've
got support here from two contractors in this area, Sandia and
Brookhaven people to help out, and as you'll see, we've been involved in
a fair amount of discussions with a number of people in the public,
individual licensees and consulting engineering groups, and between
Erasmia and our contractor staff, I think we can give you some ideas of
what we're seeing out there in terms of what's being done and what are
the issues in shutdown risk.
In terms of the presentation today, we've got two main
parts. The bulk of the presentation will cover what was provided to you
a week or so ago in the insights report. That report has some
observations based on our review of what's going on in the industry, but
also, later in the presentation, we will talk about some potential
research topics that come out of our review of what's going on. We have
a fairly broad list of research topics, probably more than we have money
to do, and part of this discussion today, I think, we'd be interested in
getting comments from the committee in terms of what they see of this
relatively long list; first of all, do you think it's a complete list?
Are there issues that are missing? And also, what would seem to be --
in your minds, what would be the more important issues to tackle first?
So we're trying to get some sense of priorities from the committee as
well.
As Tom mentioned, we will be back at the full committee
meeting, and then, we're addressing a letter on this subject. One topic
we're not planning to cover today is the work that's underway in terms
of the development of the ANS standard on shutdown risk. It might be
appropriate at some point for you, the subcommittee or the full
committee, to hear from ANS in terms of what they're doing in this area,
but we are working closely with the ANS group as we develop this -- our
recommendations and see how that meshes with the development of the
standard.
Mary Drouin would have been here today to help, actually, to
do the talking that I'm doing, but she's out at an ANS standards meeting
in California right now.
DR. APOSTOLAKIS: When will the ANS have a good first draft
for us to review? I mean, you don't have to be precise.
MR. KING: It's around June.
MR. CUNNINGHAM: Something like that.
DR. APOSTOLAKIS: June?
MR. CUNNINGHAM: Yes.
MR. KING: Let me just follow up on one thing Mark said:
the budget. At one point, we had had a fairly significant budget
identified over the next 2 to 3 fiscal years to do work in the low power
and shutdown area. That got cut back quite a bit over the past couple
of years. The current budget for FY 2000, the fiscal year we're in
right now, is about $400,000. I can't remember the exact number, but
it's somewhere in that neighborhood. Beyond that, there is no money in
our budget for continuing work on low power and shutdown risk.
I don't want that to constrain what we think ought to be
done. I'd like to come up with a list of things that we think, based on
the work to date, would be reasonable followup actions; identify how we
would use that information and go back to the commission and request
that money be restored to our budget to deal with these items. You
know, part of that is making sure we have a good, solid pace as to what
needs to be done and how it's going to be useful to the staff.
DR. APOSTOLAKIS: So there is no plan to continue this next
fiscal year?
MR. KING: There is no money to continue this next fiscal
year. What I'd like to do is come up with a plan that will be solid
enough that we can get some money. So, I don't want to be constrained
by saying, well, we don't have any budget next year; therefore, we can
only recommend a couple of things to be done this year, and that's it.
I'd like to really come up with a plan that says, you know, put the
money aside; this is what makes sense to do and then see if we can get
the budget to do it.
So, you know, I just want to mention that at the start, that
where we stand in budget space doesn't support a whole lot of additional
work, but let's try and figure out what makes sense to do and see where
we can go from there.
DR. APOSTOLAKIS: Okay; so, the significance of the clouds
there in the view graphs --
[Laughter.]
DR. LOIS: It's symbolic.
[Laughter.]
DR. APOSTOLAKIS: Can you find software that allows you to
have smooth transition from light barriers to dark barriers?
[Laughter.]
DR. APOSTOLAKIS: You have to do that part.
MR. CUNNINGHAM: The bulk of the presentation, what it is
going to do is it's going to be related to the insights report. Within
that, the key topics with the last three or four on this slide
basically, what have we seen in talking broadly to people here and
abroad about -- what do they say about the significance of shutdown
risk, and what is the overall risk? What do we see about what's going
on in terms of methods, tools that are being developed and why to manage
this risk or to use it in a regulatory framework?
Then, we go back and start to say, well, how, given these
methods that are out there, how are they for our purposes, which is
basically risk-informed decision making? And we've got some conclusions
and observations and recommendations.
Again, just to remind the committee, go back to our Reg. GAP
1.174 days, and the risk that's talked about there and evaluated there
is the total risk of the plant, consistent with the previous policy of
the agency and the safety policies, et cetera. So we have a statement
in the reg guide that we have to consider shutdown risk, but we are not
very precise as to how that should be done. One of the key goals of the
research program here is what can we do to help fill that gap, if you
will, or build a more concrete statement of guidance to make it easier
or more appropriate to consider shutdown risk when we're using -- in
license applications, we would use 1.174.
We should also note, though, it's probably -- when we
started out, we were thinking in the context of 1.174. So over the last
years, as we've gotten into risk-informed part 50, Reg. 50, as it's
called, I think it brings other issues to the table that we need to
think about in terms of the requirements of the shutdown risk. We've
seen presentations, I believe, on the proposed new 50.69 and Appendix T,
which bring categorizations and risk information of categorization of
SSCs and the risk information to much more of the forefront of our
requirements, and that has implications on what type of shutdown risk
analysis we can need to make decisions about it.
So that's being brought in here in terms of recommendations.
I've got one more slide, and then, I will turn it over to Erasmia.
Basically, the approach of this insights report was to go
out and do a fair amount of information collection. We've gone out and
reviewed NRC and industry risk studies. We've gone out and talked to
licensees, consulting engineering groups to see what they're doing.
We've also interacted with national to find out what's going on in other
places. The last couple of slides in the presentation will be specific
international activity that we're involved in through our research
program. One of the working groups that we have there is specifically
concerned with shutdown risk.
So all of this -- in addition, we had a public workshop
awhile back, trying to get information on perceptions of shutdown risk
and the issues they saw. So we're taking all of this and trying to say,
now, based on all of this information, what are our observations, and
then, what do we see as research needs.
With that, I'll turn it over to Erasmia to talk more about
the specific program.
DR. POWERS: The question that comes to mind almost
immediately is, well, why would you think that there is a big risk
associated with low power and shutdown operations? We may see that it
may be the latest sandbox for the PRA practitioners to play in, but why
wouldn't you just assume that the risk is small? The plant is off; I
mean, you let it decay for a little while before you do anything to the
plant, you can get the decay energy down quite a bit. Anything that
does happen, you pretty much have the easiest opportunity to detect and
to intervene in all of the material, in the issue, so why would you
think there have been incidents that HP LaserJet Series
II300HPLASEII.PRShere say 10 or 12 years ago, I think the common
knowledge at the time would have been what you said. There doesn't seem
to be much of an issue of shutdown risk for all of the variety of
reasons. There have been a series of events not involving damage of the
fuel but certainly losses of residual heat removal, decay heat removal,
oiling in the core and that sort of thing that I think 7 or 8 or 10
years ago first brought this to people's attention. Some issues at
Diablo Canyon; the French studies; the Votgle incident of -- whenever
that was, a few years ago.
I think that the reason that people now see the importance
of shutdown risk comes from a couple of -- several factors. One is in
some portions of shutdown operations, the amount of water that you have
over the core is relatively small. Even though your decay heat is down,
we can get situations such as mid-loop operations where you don't have a
lot of water covering the core. Coupled with that passage, you can be
in situations where the amount of -- the number of pieces of equipment
available to provide water is down to perhaps a minimum. Certainly, a
few years ago, this was the case for shutdown people; they were doing
maintenance; they take pieces of equipment out of service. So, you've
got reduced redundancy.
In some circumstances, you also have this happening with the
containment, so you've given up some of your barriers. In addition,
you've got a lot of other things going on in the plant; a lot of people
in there doing maintenance of things, so there is potential for
inadvertent draindowns; inadvertent human actions that can compromise
the core.
So I think it's the recognition that all of those things are
coupled together in some parts of shutdown operations that have led
people to be more concerned about shutdown risk and have led to the
results that you'll see in a little bit, which is a lot of people seeing
a similar type of answer, which is shutdown risk is something we have to
seriously consider.
DR. POWERS: I think with every incident you say -- if I
were an argumentative type, which I'm not --
[Laughter.]
DR. POWERS: -- I would cite as that same incident as an
example of see how easy it is to recover from these events; how easy it
is to detect what's going on; how easy it is to reconfigure things
promptly and get the plant back to a safe situation when you've had a
perturbation of it.
MR. KING: Let me add a couple of things. You have more
time when you're in a shutdown condition, when the heat is down, to
respond to whatever happens. That's true. But the thing that -- when
we had the workshop, we had utilities come in and tell us that they were
worried about some of the shutdown states, not the whole shutdown period
but certain things that they do in that shutdown period worried them
enough in South Texas -- who is the one that said this -- that what they
do is they don't do anything else in the plant. They make sure that
they have dedicated people monitoring inventory, monitoring residual
heat removal when they're in certain shutdown configurations, because
they know that the risk is fairly high from the analysis they have done.
They know -- again, they have response time, but it's not
like days to respond. They may have, you know, an hour to respond, and
they don't want to let that time slip by if something would happen. So,
they manage to, in certain situations, because they think they are
risky.
The other thing that worries me a little bit is, as the
utility industry goes into restructuring, the competition becomes more
and more aggressive; the shutdown periods are going to be compressed
just for economic reasons, and therefore, the advantage you buy by
letting the decay heat drop off before you do -- the utility may not
take advantage of that as much as they do -- they have in the past.
DR. KRESS: Let me ask you about that decay heat, given your
increased response time. I haven't looked at the decay heat curve in
awhile, but I recall that over the time frames we're talking about for
shutdown, your decay heat might decrease by a factor of a third. I'm
not sure if that's right, because I haven't looked at it in a long time.
That doesn't sound like a big improvement in time for, you know, for
things to boil off and for the heat-ups.
And so, I'm not sure you gain a lot of time over the time
frames you're talking about for shutdown. Is my recollection right on
that, or do I have to go back and look at the curve?
MR. KING: As I recall at the workshop, what the utilities
say was about the first 100 hours or so after shutdown is really where
they have enough decay heat that they don't have a whole lot of response
time, and that's the time period we're worried about. Once you get
beyond that, and they get a little more comfortable in having enough
time to respond; again, I don't have the decay heat; I don't remember
exactly either. We can get that information for you.
DR. KRESS: Yes; well, it's been policies have looked at
decay heat, and I'm not sure.
MR. KING: Dana, if you wanted some specifics, we could talk
to some specific events that have occurred at shutdown if you wanted to.
DR. POWERS: Well, I guess maybe I could go through the
litany of shutdown events fairly easily. But I think in the United
States and maybe in some of those abroad, but I still think I stand on
my argument that I can just as easily cite these events as proof that
we've got a handle on this, our shutdown risk, as you can cite it saying
there should be more, because in every case, a successful outcome --
everything was done fairly easily.
DR. APOSTOLAKIS: I think there is another issue here that
perhaps changes your argument. I noticed in the report, and I think the
understanding here is that when we say risk from low-power shutdown
operations, we're talking about core damage primarily, it seems to me
that we cannot ignore the fact that the agency now has the new oversight
process with the cornerstones, and the agency has said very explicitly
that they worry about initiating events; they worry about the integrity
of their mitigating systems and so on.
So, the question I'm raising is whether we should be using
those metrics to decide whether low-power shutdown operations are
important rather than core damage frequency, and if I look at those,
then, I think Dana's argument is not as strong because there have been
initiating events. We have lost water during those operations, right?
We recover from it, but the agency has said very clearly that the number
of initiating events should be less than X, so if you have states who
are -- you actually have initiating events, you certainly worry about
them. This is a defense and depth issue at the highest level, the
structuralist approach.
And I noticed in the report that you guys wanted to take
back that the comparison, the comparisons are always at the core damage
frequency, and I'm not sure that's a good thing to do anymore.
DR. LOIS: But even on the basis of core damage frequency, I
guess if you look at the numbers, they are pretty comparable, and then,
I guess the argument such as we had an initiating event, therefore we --
but we managed it could be used also for full power. And from a PRA
perspective, on an hourly basis, studies show that CDF is sometimes even
higher than at full power; that that has been demonstrated from, you
know, almost every study.
In addition to I'd like to kindly remind the committee that
the staff has never thought that low-power shutdown is insignificant.
You remember the low-power shutdown rulemaking activities, et cetera, et
cetera; the fact that we don't have a rule doesn't mean that we have
considered the shutdown risk as insignificant.
DR. APOSTOLAKIS: I don't disagree with you, Erasmia, but
all I'm saying is that with the new situation now, where one part of the
agency is really relying on the cornerstones to do something that is
extremely important, namely, to risk-inform the oversight process, it
seems to me that it would strengthen your argument if you involved that
one.
DR. LOIS: As a matter of fact, it's one of our
recommendations here. When I get to recommendations, you'll see that
one of the things that we consider, since the industry has been using as
a risk metric boiling frequency or time to boil, et cetera, we are
thinking that probably we should look into that as one aspect.
DR. SEALE: May I raise another slant, if you will, on this
question, and that is as we realize the pressures to compress out each
times and so on, there will be greater consideration of situations in
which you will take systems out of service; you will do maintenance when
you're in a less than full protection systems arrangement. The only way
that that can be done with integrity is to be able to make a realistic
assessment as to the safety insignificance of the systems that you've
taken out of service under those circumstances, and you can't do that
unless you consider the configuration of the plant in which that takes
place, which is, in this case, the shutdown mode.
So it's just the integrity of the process of identifying the
safety significant and the non-safety significant systems that requires
a reasonable assessment of the shutdown risk.
DR. BONACA: I'd like to also point out one thing. I know
the comparisons that we see in the report that was given to us; they're
comparing the CBF alert; there is no discussion of uncertainties, and I
do believe that certain risks for low-power and shutdown are much higher
because I think that the actions that are dominated by other actions and
by the fact that many of these activities, for example, are -- at times,
there are surprises for the operator, because they are one of a kind
activities. They are not repeat activities that you perform at the
time.
For example, you can remember the -- the reason the
generator is switching off and going out; and what is actually by
design. And I just wonder if, you know, we could discuss a little bit
the insights that we have on the issue of uncertainties, because that
uncertainty alone for me on the various things and trying to understand
better what the risk really is.
DR. APOSTOLAKIS: Now, this is a very interesting
observation, because the way we handle uncertainty is through defense
and depths. We are weakening defense in depth at the low-power and
shutdown modes, and yet, we have higher uncertainty. Now, that's
something we should not like, don't you think? We are affecting at
least one of the cornerstones of the --
DR. KRESS: You would think those are the wrong directions.
DR. APOSTOLAKIS: Yes.
DR. KRESS: But we still haven't defined how much difference
in depth we need for a given amount of uncertainty.
DR. APOSTOLAKIS: No, but if I take as a point of departure
the power operations, and I say, well, since we operate that way, then,
maybe that's sufficient defense in depth for this kind of uncertainty.
Now, I'm moving into a situation where the uncertainties increase, and
some of my cornerstones are suffering. So that doesn't look like a good
way to go.
DR. KRESS: No; you have to keep in mind that uncertainties
also have to be averaged over time if you're going to --
DR. APOSTOLAKIS: Well, we will see over that. The average
in process is something that we will discuss.
DR. KRESS: Okay; but it does.
DR. APOSTOLAKIS: Today.
DR. SHACK: Well, it also comes up in the discussion that
you've been beating for awhile that, you know, you introduce distortions
by introducing conservatisms.
DR. APOSTOLAKIS: Sure.
DR. SHACK: And that's one of the conservatisms I've always
heard about the low-power shutdown PRAs is that they're unduly
conservative, and therefore, you may distort your picture. Again, the
specific question was -- I somehow recall something or other that the
91.06 guidance was sort of ignored when we did the PRAs, because it
wasn't mandatory. You know, everybody seems to do it because it wasn't
required by regulation.
DR. LOIS: Well, as I get into the presentation, you'll see
that currently, the industry is involved in the defense in depth and
PRAs at the same time, and they have the capability to literally model
this specific outage, and I don't think that's the case -- you know,
people may help me out here -- but in actuality, they start out with a
defense in depth and then complement the insights through the specific
--
DR. SHACK: That's how I was wondering if your PRA numbers,
which purport to cite that the risk of low-power and shutdown, in fact,
include the 91.06.
DR. LOIS: But it's -- what's happening is you're getting
into an outage-based, and you evaluate it depending on the defense in
depth on the --
DR. SHACK: That's the configuration management.
DR. LOIS: And the same configuration is being modeled
through your period.
Donnie, you want to --
MR. WHITEHEAD: This is Donnie Whitehead from Sandia
National Laboratories. To answer your question, the NRC studies that
were conducted in the early nineties were conducted before -- or
approximately at the same time -- as the issuance of 91.06, okay? So
therefore, they probably do not incorporate all of the activities that
are carried out in 91.06. However, they were, at the time, the current
-- you know, the current industry practices. The analyses that are
conducted by the utilities currently do use 91.06 as a measure of
defense in depth, and I would expect that the probabilistic analyses
that are part of many of the configuration risk management practices
would involve, you know, heavily depend upon the information that's
available from 91.06.
What we have here is something that has evolved over time
and currently, if you're being able to perform a PRA, it would only be
prudent to use the information that's available from 91.06. So I think,
you know, I think we've evolved over time, and I think at this point,
you know, that information would be used.
DR. BONACA: One observation that I would like to make
about, you know, defense in depth, when we have defense in depth and the
operators that use them it's time; we have time. There is time. If you
go to the operators, that's what you hear about shutdown: we don't need
to because we have time. And the point I want to make is the one of
time is being shortened more and more, but we see averages which are so
accelerated that, you know, by definition, there is an erosion of
defense in depth. I don't have to define another, you know, proportion
of the specific components, but the time element, which is the one
always invoked by the operators as available and power, you know, you
don't have it when you have a shutdown is being eroded.
And again, I don't know how much that drives uncertainty.
To me, that drives it a lot, because you begin to not understand how
things will function or not function, and I think that's an area that I
would like to see. I don't think much work has been done there to
understand it, or if I can see it in the draft new reg.
MR. KING: And I agree. The mindset is we've got time, and
now, they don't have time. Things may not happen as rapidly as they
should.
DR. BONACA: It matters if they have 40 or 50 days to 20
days, 17 days.
DR. APOSTOLAKIS: Yes, but this is because they are doing
fewer things, so it is not clear to me that that really affects this
construct.
DR. BONACA: Yes, but then, you get down to the point where
you have critical path, okay, where you can't compress anymore. You
see, before, you could come down and eliminate work and easily compress
the time. Then, you get to the point where you have essentially
compressed time that you cannot compress any further. And now, you have
such a pressure on the operators. Now, to introduce anything else there
that, you know, now, I am voicing this because as part of the interview
process, we have been interviewing some people in the industry. That
has been raised to me by two people.
MR. KING: It's not only reduced time; it's reduced staffs.
You look at what's happening as deregulation takes place; it's a lot of
staff reductions. In the UK, they just put out a licensing condition
for their plants to stop the erosion of staffing on their nuclear
plants. They now -- any additional staffing or staffing changes have to
be approved by the regulator, okay, because they were concerned that the
staffing levels, not only the staffing levels were low but the people
who were there on the staff didn't have proper training; were not
familiar with the plant; they may be coming from another plant. They
weren't familiar with the responsibilities.
So it's not only quantity; it's quality as well. And
there's that similar concern that that may be valid in this country.
DR. POWERS: Suppose that things are very hazardous during
shutdown operations, such that the CDF for a given plant doubled; you
calculate the CDF for operations, and it's 2 x 10-5, and when you
include the shutdown operating modes, it's very hazardous, it doubles it
to 4 x 10-5. Does that change anything?
MR. CUNNINGHAM: I think that at least one implication it
has is that if your people are trying to decide where best to perform
maintenance of equipment, they make decisions to what -- is it better do
it at shutdown, or is it better to do it at power that the insight that
you could have isn't so much that it's doubled as it's equal, and so,
you may find that it's better to, in terms of optimize or better
prioritize your maintenance activities to switch it around and do it
during different parts of -- during parts of the year, if you will. So
that's at least one thing to have real implications for --
DR. SEALE: Along those lines, it would be interesting to
take a traditional 60-day outage; list all of the things that are done
by way of maintenance and so forth during the outage and then take a
current 25-day outage and look at which items were moved over into the
online maintenance category and which ones were retained in the shutdown
maintenance area.
I have a suspicion that the hairy ones were the ones that
were left in the shutdown mode, and the easy ones were the ones that
were done in the online mode, and so, it's not just a question of the
change in the time that's involved. I think if you looked at it
carefully, you'd see that the things that are left are the most likely
big risk items. It's a suspicion.
DR. APOSTOLAKIS: One last question, and I will let you go
on. Low-power shutdown are modes 4, 5, 6?
DR. LOIS: I guess 5 is the core shutdown, and 6 is the --
DR. APOSTOLAKIS: So why don't we let Erasmia go on with one
more slide, and then, we will interrupt her again?
[Laughter.]
DR. LOIS: I'm counting on that. I know that you are going
to talk amongst yourselves, and I guess the objectives here are the
objectives of our visits and information gathering activities, and they
are to collect information regarding the significance of low-power
shutdown risk and what methods and tools are out there to assess it and
then evaluate the information with respect to its usefulness for
incorporating the risk, low-power shutdown risk into regulatory decision
making, risk-informed regulatory decision making.
On a high level, I guess we kind of covered that. We even
today, we see potentially important events, operational events, reports.
We have cited a few of them. We see events in 1998, 1999, et cetera.
The risks are comparable, and they characterize the most risk-dominant
plants operational states are those that have high -- the plant has
still high -- and the reduced inventory.
The risk contributors tend to be plant-specific, and looking
at this, it appears that it is just plant outages and refueling outages
may not be the only risk-significant outages.
A little bit more detail regarding operational events. Loss
of outside power; loss of coolant; loss of -- what is it -- and shutdown
cooling are the events that we see happening across plants. Causes,
again, tend to be plant-specific, and it appears that the biggest
contributor is human error and procedural problems. That's from my
operational event point of view.
DR. POWERS: Still, you have these events that occur, but
what is used to detect -- the recovery is fairly easier to occur. I
mean, why do they defend risk-important if they're so easy to detect?
It was the great quote, I think, after the River Bend event, well, it
was just a little steam bed generator. And it's because of that, you
can see them easily, and you see something is wrong and correct it very
quickly. How come they become risk-significant?
DR. LOIS: I guess the -- I will let people help me out
here. The risk-significance comes when evaluating the event and the
potential that if it's not detected in time, what it could have involved
like any other initiating event.
DR. POWERS: It seems to me that the reason these things
become risk-significant is because you don't give any credit for the
heroic action in the PRA or unproceduralized actions in the PRI.
MR. KING: Let me ask Warren to give you a couple of
specifics.
DR. LOIS: Yes; I guess here with the --
MR. LYON: We had an event some time ago at Hope Creek in
which no one recognized at the time that they had a mode change. It
took them about two to three weeks before they really determined that
they had had a mode change. We had another event at Oyster Creek a few
years before that where they went for -- as I recall -- over a day
before they realized that they had an overtemperature issue.
DR. POWERS: I just take those, and they bolster my point,
is that it if it went for two weeks, and it didn't amount to a darn
thing. Nothing happened. They didn't know they had a mode change for
two weeks, and it didn't make any difference. Similarly, they have an
overheating condition; it went on for a day, and they didn't recognize
it. It still made no difference.
MR. LYON: You are correct in your assessment in my two
examples that those weren't overly risk-significant. Let me go back for
a moment to the one that really opened our eyes. When I go through
this, I want it understood that in my judgment, this would not apply
today, but I am referring to the Diablo Canyon event, where as it
unfolded, I afterwards calculated it would have taken about two days
when everyone could have essentially walked away and done nothing before
the core uncovered.
However, had the event initiated about a half an hour later,
in my judgment, we would have had core uncovery in about an hour and a
half, and in my judgment, there was a very high probability that it
would have progressed to core damage with the containment open and no
on-site ability at that point to get the containment closed. So that
was a real eye-opener to us.
DR. SEALE: It strikes me that when we look at events, we're
not only able but willing to identify personnel errors as contributors
to the initiation. When we look at recovery actions, we seem to lose
sight of the important roles of individuals, the heroes, if you will,
who knew the system well enough and understood the processes well enough
to take the unproceduralized steps necessary to terminate the event.
What we're talking about here is a climate in which more and
more of those heroes are going to be fishing, because they're going to
be retired, and the crew is going to be smaller and so on. So, I guess
when heroic intervention is a part of the response that keeps the plant
safe, we ought to recognize that that's not necessarily a given.
DR. APOSTOLAKIS: Even if it were, I wouldn't want to rely
on that.
DR. SEALE: That's what I mean.
DR. APOSTOLAKIS: Okay.
DR. LOIS: Another point I want to make is although we're
talking about risk-significance here, the perspective is risk-informed
regulation, and therefore, what we're looking at here is if licensees
come in, and they would like to change the design basis on the basis of
risk-significance, then, we have to have an analysis of the risk and a
good comprehension of what's involved, and it's a little bit different,
slightly different idea why you care about low-power shutdown, because
you can take -- you can manage it.
DR. APOSTOLAKIS: If I consider the five cornerstones, those
were initiating events, mitigating systems, pressure boundary and
emergency preparedness, four, is it fair to say that at low-power and
shutdown, the first three are compromised to some extent?
DR. LOIS: That's what the studies show.
DR. APOSTOLAKIS: Now, emergency preparedness probably is
not affected.
DR. KRESS: It probably shouldn't be a cornerstone.
DR. APOSTOLAKIS: What?
DR. KRESS: It probably shouldn't be a cornerstone anyway.
DR. APOSTOLAKIS: But I'm thinking now what they're using.
So the pressure boundary is compromised in what way? Sometimes --
MR. CUNNINGHAM: Again, you can be in a situation where the
head is off.
DR. APOSTOLAKIS: The head is off and the containment is
off. The mitigating system is compromised?
DR. SIEBER: You can take a whole division out.
DR. APOSTOLAKIS: You can take a whole division out.
Initiating events, we've seen many of those, so clearly,
something is going on here. So here is a situation, without going into
details, where three out of the four cornerstones -- and according to
Dr. Kress, the fourth one shouldn't even be a cornerstone -- one way or
another are compromised. So it seems to me it is an important problem.
I mean, we can't say in one place that this is important and another
place no, because of heroic actions.
DR. LOIS: In fact, in South Texas, when they get in the
middle of it, they have now -- Donnie, you can describe it better --
they have this alertness going on all over the place. They have signs;
they have sirens, and everybody knows what is this idea.
DR. APOSTOLAKIS: That is a cost-cutting idea of human
awareness, I guess.
DR. LOIS: In addition to -- in San Onofre, they take the
CDF estimates as part of their bonuses. If they thought that low-power
shutdown is not an important part of it, they wouldn't include it, so I
don't know if it has a full-blown, very detailed PRA. So there is no
one in the industry who would argue that low-power shutdown risk is
insignificant.
DR. APOSTOLAKIS: Is it fair also to say that if they look
at the number of initiating events over the last 10 or 15 years, most of
them have occurred during those modes? Except for normal transience. I
mean, I looked at the ATHEANA report, the ATHEANA report a year or so
ago -- more than a year or so -- looking at the events that have
occurred. Most of them were low-power shutdown, weren't they?
MR. CUNNINGHAM: They were looking at them in a certain
context, in a context for errors of commission.
DR. APOSTOLAKIS: Well, you remember well.
MR. CUNNINGHAM: In that sense.
DR. APOSTOLAKIS: In that sense, yes.
DR. SEALE: Several years ago, Jack Rosenthal made a
presentation where he used the convening of an AIT as the criterion for
significant events, and about half of the cases where AITs were convened
involved shutdown configurations.
DR. APOSTOLAKIS: I don't think the criterion here should be
the actual number that people estimate and make a decision whether to
investigate further based on the magnitude of the number. The fact that
three of my most important cornerstones are compromised is sufficient
enough reason for me to try to understand it. I don't care what the
numbers are.
MR. KING: That is, in effect, what we are doing is to try
to understand it better to see what else needs to be done.
DR. APOSTOLAKIS: If anything.
Erasmia, what else do you have to say?
DR. LOIS: I guess this bullet here, that some studies
indicate that sometimes, bringing the plant, shutting down the plant for
maintenance may not be less risky than keeping it online for performing
maintenance in case that you lose some safety systems, et cetera; that's
the bullet that we have uncovered. And then, regarding the effect of
radioactive releases, the NRC studies covered it somehow, and they came
up to be significant, as significant as from full power, however,
primarily, people are doing just level one analysis. They haven't done
a lot of level two.
The Seabrook study had kind of inconclusive results.
However, one thing that comes up all the time is that the containment
status is important.
DR. APOSTOLAKIS: Now, why do you claim that LERF and early
fatalities may not be appropriate risk measures?
DR. LOIS: I will let Dr. John Leonard to respond to that.
Oh, okay.
MR. CUNNINGHAM: If we go back to the discussions that we
had at the time of Reg 1174 development, what we're trying to sort out
is what does LERF mean when you were -- you could potentially have the
containment open. LERF was derived, anyway, from the context of
full-power operations, where you have an energetic pressurization for
the containment and the potential for, if you will, structural failure
of the containment. How do you apply that to a situation where the
pressure boundary may not be quite there? I think one of the key issues
there is do you need to rethink the definition of something for shutdown
conditions?
DR. APOSTOLAKIS: Well, could it be similar to the V
sequence there, where you bypass it?
MR. CUNNINGHAM: Well, again, that is involving a -- the
circumstances are somewhat different in the sense that one, you've got a
structural failure of the pressure boundary in the V sequences. It's
the valves --
DR. APOSTOLAKIS: Yes.
MR. CUNNINGHAM: -- rather than the structure itself.
DR. APOSTOLAKIS: Yes.
MR. CUNNINGHAM: But you've also got a lot of energy behind
that, and again, in shutdown conditions, you may not quite have the
highly disruptive forces.
DR. WALLIS: What is the boundary? If you've got the
release from containment, it doesn't really matter whether it is because
it failed or was left open.
MR. KING: It does.
DR. WALLIS: Why?
MR. KING: Because the timing is different and the mix of --
DR. WALLIS: You're still releasing.
DR. APOSTOLAKIS: Yes, but is it early? That's what you
were questioning?
MR. CUNNINGHAM: It's the early aspect of it is an important
consideration.
DR. APOSTOLAKIS: And why wouldn't it be early here? I
mean, there is no containment.
DR. WALLIS: Early compared with what?
DR. APOSTOLAKIS: Well, the definition is within 3 hours
afterwards.
DR. WALLIS: Of what?
DR. APOSTOLAKIS: Of core damage.
MR. CUNNINGHAM: Core damage.
DR. WALLIS: Well, it's pretty damn early if the containment
is open.
MR. CUNNINGHAM: The LERF definition is by and large a
definition related to the magnitude of the source term release and the
timing of that release fairly quickly. The circumstances of the
shutdown condition in terms of the combination of those effects are
going to be different. You might have the containment open, but you
might not have the release occurring -- the magnitude of the release may
be a somewhat different -- the characteristic of that release is
somewhat different.
DR. APOSTOLAKIS: So it's the large that you're attacking.
MR. CUNNINGHAM: Maybe it's the large.
DR. WALLIS: I've been told many times that it doesn't
matter how large it is, because it's large enough.
MR. CUNNINGHAM: The large early release definition was also
tied into the ability to evacuate people before they are exposed.
DR. APOSTOLAKIS: Right.
MR. CUNNINGHAM: Again, the accidents you're getting here
are different in those types of characteristics. So you might -- it
just, strictly speaking, that LERF definition that we came up with isn't
really right for these circumstances, and what we're thinking is we need
to come up with some better surrogate to be the equivalent of it.
DR. APOSTOLAKIS: And that will be equivalent to or a
surrogate for prompt fatalities again?
MR. CUNNINGHAM: It would be a surrogate for public risk, if
you will.
MR. KING: That's one of the questions.
Well, the LERF was tied to the early fatality QHO.
DR. APOSTOLAKIS: Right.
MR. KING: That's where it was derived from.
DR. APOSTOLAKIS: Right.
MR. KING: When you get into the shutdown condition, the
timing is different; the mix of fission products is different. Would it
be more appropriate to tie it to the late fatality QHO? Because maybe
you don't have enough release to get an early fatality, given that
there's still emergency planning.
So that's the question. I don't have an answer for this,
but those are the things that we're kicking around.
DR. KRESS: I think those are good questions.
DR. APOSTOLAKIS: Yes.
DR. KRESS: And I think they're legitimate. But it seems to
me like the fraction of time that the containment is open during low
power and shutdown is the time when you have a LERF. I mean, you use
that fraction -- conditional containment failure probability is one
during that period, and your CDF is whatever the CDF is. So it's that
fraction of the time that translates into a LERF. Since it's standard
here, you could use that fraction. And you could probably assume things
like the early fatalities probably just as equivalent to what they would
be at low-power -- I mean at full power.
The driving force is about the same, and the mix of fission
products and the biological effectiveness, it doesn't change that much
over the time period.
DR. APOSTOLAKIS: So what is your conclusion?
DR. KRESS: My conclusion is that you could almost use a
LERF that's pretty much like the one you have now, using the fraction of
time that the containment is open as your measure of when it's a large
early release.
MR. KING: What you're saying is you've got to have CDF 10-5
or lower when the containment is open.
DR. KRESS: That's what I'm saying, yes, exactly.
DR. LEHNER: Could I comment on that, just if I may? John
Lehner from Brookhaven National Laboratory.
As Tom King was saying, I mean, the other issue is that
LERF, the way it's define or sort of implied for full power involved
prompt fatalities, and even though the containment may be open, later on
in the shutdown accident, you're volatile to let the -- off so you're
probably -- the standard calculations won't show you a prompt fatality,
but you will still get latent cancers, so that's why that measure may be
more relevant than the LERF measurement.
DR. KRESS: Well, you have a point there, but I think you
have to think about our ingression accidents, too, at full power.
DR. LEHNER: What the composition of a -- certainly --
DR. KRESS: It's still up for grabs.
DR. LEHNER: Exactly; that's very true.
DR. APOSTOLAKIS: So essentially what you're saying is that
someone has to look into it.
MR. KING: Yes.
DR. BONACA: Before you just move on, the second to last
bullet can be misinterpreted; even in the report, it somewhat can be
misinterpreted. It gives the impression -- I could read it as saying
that I could do all of my maintenance at power because there is -- which
is not the case, except in components for which doing maintenance at
power is equal or even less than doing it in the shutdown condition, and
that, although it is important, what I am saying is that it is a
component base that in general --
DR. LOIS: It's a generalized statement, yes.
DR. BONACA: And the statements I see in the NUREG also have
the kind of confusion in it. I could interpret that, fine, from now on,
I'll never shut down the plant except to refuel, and I'll do all my
maintenance at power, and that's not really what message you want to
give there, right?
DR. LOIS: Exactly; it would be on the specific case. It
just depends --
DR. BONACA: For some components --
DR. LOIS: For example, if you lost shutdown cooling --
DR. BONACA: Yes.
DR. LOIS: -- and you have -- you are asked by the technical
specifications, you have to have the plant shut down while you don't
have shutdown available, and this is a kind of a strange situation, and
there are some technical specifications that we would have to look at.
DR. BONACA: I was reading it, and I would say in some
cases, in fact, they're comparable and even higher at shutdown
condition; therefore, it's recommended that you do it, in fact, at full
power right away. I just wanted to point out that I was a little bit
confused about the statements in the NUREG, and maybe you ought to
review them for that.
DR. APOSTOLAKIS: Bullet number four, human actions, it
seems to me, again, based on the analysis that I have seen from various
NUREGs and the incidents that have occurred that these human actions and
associated uncertainties are different from the ones one normally deals
with during power operations. Essentially here, what we're talking
about is this ability of people to create initiating events during the
various activities that they are doing, and in one of your earlier view
graphs, you said that -- you mentioned efficient procedures.
I am not sure that the model like ATHEANA, as it is
currently structured, can deal with these particular actions, because
ATHEANA starts with a human failure event and then analyzes the context
and so on. ATHEANA does not look at normal operation and ask what can
go wrong. It says given that this is wrong, now, what is it that led?
Yes; it doesn't start with normal operations. So, it does not ask, for
example, how can we create an initiating event?
MR. CUNNINGHAM: Well, since we're going to talk about
ATHEANA tomorrow, this may be a good topic for that.
DR. APOSTOLAKIS: I will raise it tomorrow, too.
MR. CUNNINGHAM: Okay.
DR. APOSTOLAKIS: But I think the human failure event is
given to the ATHEANA analysts from the PRA, or they participate in the
derivation. They are dealing primarily with recovery actions. The
accident sequence, how can we recover from it? So the various failures
to recover, you know, they analyze well.
Now, take Wolf Creek. They were supposed to do certain
things on Friday; postponed into Monday; they did notify other people.
Other work was going on at the same time. Valves were opened
independently. All of a sudden, you have a flow path to the RWST.
That's not an event ATHEANA right now is structured to analyze, is it?
MR. WHITEHEAD: John Whitehead from Sandia labs.
My understanding of the ATHEANA process is that's exactly
what it's structured to identify.
DR. APOSTOLAKIS: No.
MR. WHITEHEAD: Now, I will admit to you that probably, the
past events that have been examined by the ATHEANA process have been
more on the order of responding to events that have already occurred,
but the process, as laid out, is very beautifully structured to allow
one to search for those kinds of conditions that would influence the
operators to, you know, to perform a specific action.
DR. APOSTOLAKIS: No, no, I don't think so.
MR. WHITEHEAD: That's my interpretation of it.
DR. APOSTOLAKIS: I think the human failure event must be
defined, and then, ATHEANA analyzes the ways it can get there. And
again, tomorrow, we can ask the experts.
So, my point is, though, and I think Erasmia touched on this
when she said the fission procedures, I would have expanded this, and I
think what really matters here during shutdown, especially given all the
things that you have mentioned: smaller staff, pressure to do things in
a shorter period of time, if there is anywhere where management and
organizational factors would be important, it would be here.
MR. CUNNINGHAM: In fact, I wanted to point out --
DR. APOSTOLAKIS: It's here.
MR. CUNNINGHAM: Yes.
DR. APOSTOLAKIS: Not in ATHEANA. In ATHEANA, there would
be one of the many things that would contribute to the error-forcing
context, but here, I think they play the dominant -- the dominant role,
and you really don't know what you're going to get, you see? ATHEANA is
not looking blindly for things to go wrong. The human failure event
more or less has to be defined in the context of some recovery action.
And I know that's true. I mean, the four reviewers say
that; the report says that; you start with the human failure event, and
you're looking for unsafe actions. Then, they become, you know, pretty
loose.
MR. CUNNINGHAM: One of the reviewers.
DR. APOSTOLAKIS: Yes.
MR. CUNNINGHAM: I guess the question then becomes how
they'd react to that in the ATHEANA.
DR. APOSTOLAKIS: ATHEANA does not look at normal operations
and produce a number of things that can go wrong as a result of things
that are happening during normal operations. It doesn't do that. It
starts with an event risk.
MR. CUNNINGHAM: Normal operational.
DR. APOSTOLAKIS: Yes, so if you look at normal shutdown
operations, ATHEANA will not look for things that can go wrong. ATHEANA
will say ah, they are losing water. Now, we get in; you know.
MR. CUNNINGHAM: There is some initiating event.
DR. APOSTOLAKIS: Exactly.
MR. CUNNINGHAM: I understand the difference.
DR. APOSTOLAKIS: So that is the difference.
DR. BONACA: One observation I want to make on this issue
was what's the purpose of tomorrow. I know we have ATHEANA, but what is
the presentation -- I believe that in this particular shutdown
condition, that's where organizational effectiveness will break down, in
the sense that there, you have even from the balance among departments,
how operation is controlled, the outage, who is responsible, how people
will work together. All those elements --
DR. APOSTOLAKIS: Yes.
DR. BONACA: -- are dominant in these issues, because
control, of course, is a fundamental issue.
DR. APOSTOLAKIS: That's right; control of work and the
timing and interfaces and who does what.
DR. BONACA: And that's something that, you know, it
occurred to me as I was reading your document, that it's clear to me now
where different things --
DR. LOIS: That is feedback from the industry and the people
that we are talking is that the issue of initiating event during a
shutdown condition needs to be more closely examined.
DR. APOSTOLAKIS: Yes.
DR. LOIS: That's an area that we have to -- it doesn't have
too -- but we should look into; also, the issue of procedures, where you
guard into an initiating event.
DR. APOSTOLAKIS: All the work processes that take place
there, that's where you look. I mean, the Wolf Creek event essentially
comes down to the fact that they did not notify some central office
there that they had postponed that work from Friday to Monday. So those
guys would have told them look: don't do it because, you know, these
other guys are going to be doing something else on Monday morning.
That's all, and that's not something that's within ATHEANA right now --
without putting down ATHEANA; don't misunderstand me.
MR. CUNNINGHAM: When we get back to the discussion on
research, possible research topics --
DR. LOIS: Yes.
MR. CUNNINGHAM: -- we'll talk about HRA, and it's by no
means, in our minds, constrained to analyzing this in the context of
ATHEANA. It's much more open in our mind.
DR. APOSTOLAKIS: Right.
MR. CUNNINGHAM: The issue of work processes; very
legitimate as an issue in human reliability analysis.
DR. APOSTOLAKIS: No, but I think it's important, and I
really want to get the ATHEANA developers' perspectives tomorrow as to
what exactly ATHEANA can do, what classes of events ATHEANA treats and
what other classes it does not treat, at least in its present form, and
I don't -- my impression is, and it's not just an impression, is that
you have to have something going on for ATHEANA to intervene and look at
the possibly human actions and the forcing contexts and so on, okay?
But how that something was created, I'm not sure ATHEANA is
the right place.
MR. CUNNINGHAM: It's a topic for discussion with the
committee at some point on the future of human reliability analysis.
DR. APOSTOLAKIS: Yes.
MR. CUNNINGHAM: And again, it's much broader than ATHEANA.
DR. APOSTOLAKIS: Right.
MR. CUNNINGHAM: It's what should we be doing, and that's
somewhere, we ought to get into that discussion anyway.
DR. APOSTOLAKIS: Anyway, I thought that was a point, you
know, because of the fourth bullet there worth mentioning.
DR. LOIS: Almost done.
DR. APOSTOLAKIS: You're on 10.
DR. LOIS: Regarding tools that are being used, our industry
is using to evaluate low-power shutdown risk, primarily, they do what we
call configuration risk management, and therefore, the objective is to
determine and evaluate your next outage, and for that purpose, they use
the NUMARC guidelines, and utilities that do have PRAs, they augment
their insights with the PRA.
Now, one thing that came across is that the industry feels
comfortable with the NUMARC guidelines. They think that they achieve
the safety margins they need. However, they do get important insights
from doing -- by using their PRA. Primarily, the PRA is helping them to
optimize their schedule. They can literally feed in different kinds of
schedules in their software and come up with CDFs or time to boil,
whatever, and then, they compare it, and they decide which way to go.
DR. WALLIS: How much does this bullet augment defense in
depth? You mean that you use PRA as your measure of your defense in
depth, and then, you can tell if you've augmented it? So the defense in
depth is now being measured through PRA?
DR. LOIS: What I'm trying to say here is that your basis
for configuration control management is your defense in depth, the
NUMARC guidelines.
DR. WALLIS: And because that's such a vague thing, it's
useful to have PRA so that you know the extent of that.
DR. LOIS: The PRA, then, once you've identified -- the
defense in depth approach does not allow you to compare different kinds
of schedules to figure out which one would be more optimal. So with a
PRA, you can do that. You can say I'm going to have this system, this
system, this system and play things around so that you can come up with
an optimal configuration, which would be optimal from both safety and
schedule perspective. That capability is not in defense in depth, and I
guess it's --
MR. WHITEHEAD: John Whitehead. Let me add to that. In one
sense, what the use of PRA does is to allow you to identify varying
degrees in defense in depth. The defense in depth tools that they used
will say okay, your defense in depth is marginal, or it's adequate or
acceptable. Calculating the results from the PRA will give you some
idea of which configurations, you know, may be more marginal than
another, because you might have three configurations, both of which show
up in the defense in depth approach as marginal, but one of them is a
better configuration to be in, and that's the kind of information that
you get from the PRA tool, and that's what their -- you know, most of
the utilities are using them for is to optimize and make sure that they,
you know, have as much safety --
DR. APOSTOLAKIS: But which PRA are they using? They don't
have much of low-power PRAs.
MR. WHITEHEAD: Actually, they do. There are various levels
of PRA now.
DR. APOSTOLAKIS: For a few modes.
DR. BONACA: But what this is, really, a PRA measured
defense in depth; what I mean is that they evaluate changes in core
damage probability, okay, as a sensitivity to --
DR. APOSTOLAKIS: But only for mid-loop operations, for
example.
DR. BONACA: Yes.
DR. APOSTOLAKIS: In the BWRs. They don't have PRAs for all
the modes.
DR. BONACA: That's right; so what you do is you do focus --
DR. APOSTOLAKIS: Yes.
DR. BONACA: -- ATHEANA on a very limited PRA.
DR. APOSTOLAKIS: Very limited.
DR. BONACA: What I'm saying is that the PRA, it is a very
good tool to measure defense in depth if you look at variation and core
damage probability.
DR. APOSTOLAKIS: Yes.
DR. BONACA: It's a different kind of defense in depth from,
you know, two trains versus non train, but I think it's actually very
effective to do that.
MR. WHITEHEAD: What we have to remember here is that these
tools primarily are being used for outage management or outage planning,
and so, yes, they are mostly limited to cold shutdown and refueling
states, but those are the states that are currently being examined, and
there's, you know, so it's appropriate that they concentrate on those
areas. As we'll probably discuss later, there is no reason why that
couldn't be expanded to other areas, but for configuration risk
management, since they're only interested in those areas, they only have
to have a PRA for those specific areas.
DR. LOIS: In addition to -- my comprehension is that the
defense in depth NUMARC guidelines cover only plant outages. Am I
wrong? That's my understanding. NUMARC guidelines don't cover every
outage there is.
DR. APOSTOLAKIS: Which page? Do you remember which page of
NUMARC 91.06 they say that PRA is only a two -- is it from the title or
--
DR. WALLIS: There was only a --
[Laughter.]
DR. LOIS: I will jump in --
DR. APOSTOLAKIS: I noticed, though, I looked at all your
view graphs. You don't have any numbers anywhere, and I had a comment
on the numbers.
DR. LOIS: That number is --
DR. APOSTOLAKIS: 10-3 and, you know --
DR. LOIS: CDFs?
DR. APOSTOLAKIS: CDFs.
DR. LOIS: No, we don't.
DR. APOSTOLAKIS: You tell me when would be appropriate to
make my comment. You will?
DR. LOIS: Yes, I will.
DR. APOSTOLAKIS: Okay.
DR. LOIS: But right now, what do you want me to do?
DR. APOSTOLAKIS: After you sit down, right?
[Laughter.]
DR. POWERS: Before we go on to this view graph, I've got a
question I would propose. Suppose I am a resident of Brown's Ferry, and
they're about to enter into a nuclear outage, and they have -- and I
feel an obligation to look over their shoulders to see if they're making
a correct decision, and in particular, they've run around, and they've
found there are two ways to do this, the operations they want to do.
One of them results in two orange categories, and the rest are all green
in one setup. The alternative is a red category, but everything else is
green.
And I call up my senior reactor analyst for Region IV --
Region II --
[Laughter.]
DR. POWERS: And I say, you know, clearly, the right way to
make the decision between two oranges and all greens versus one red and
all greens is based on risk, so I ask the senior reactor analyst for the
region which one of these is the more risky outcome? How does that
senior reactor analyst make an answer, provide an answer to me?
[Pause.]
DR. WALLIS: He uses different -- because he doesn't know
how red red is. It could be much bigger; therefore, he knows that the
oranges aren't reds, so that would be the decision, avoid the red.
DR. POWERS: See, you would have to be asking it in -- and
they're going to make a decision, but I'm -- my job in this world is to
assure protection of the public health and safety, and so, I feel an
obligation to be prepared to interrogate these fellows on the answer
that they came up with.
MR. CUNNINGHAM: I suppose there are two things in there.
One is how many oranges or yellows equals a red, which is an issue when
you -- the oversight process in general: when does something become --
a combination of events become so serious that you trip some sort of
concern? I can't answer that. I'm not sure. I know people are
thinking about that, but I don't know what's been going on.
DR. POWERS: Well, I think the answer is this reactor
analyst is no more help than the guy next door.
MR. CUNNINGHAM: A senior reactor analyst is presumably --
is valuable because of the broader training that he's seen and the
broader experience that he has. He brings together, I guess, two
things. The NRSRAs, there are two things that happen. One is they're
more trained in PRA and that sort of thing, so that that adds something
to it. The other part of it is they're senior people, and they are
brought into these positions not just because they know something about
PRA but because of the quality of the perspective that they bring to it.
So in that sense, in a very general sense, I think that's what the SRA
would bring to it. Is he going to be able to do something very
quantitative in that area?
DR. BONACA: It seems to me that the only way that the
inspector could find out that information would be to go to the PRA
person in the utility if they have a PRA that they are using, even if it
is -- because in parallel to ORAM, often times, they have these limited
models, and at least -- I don't think the staff can do that. That's an
issue we have raised: how is the staff able to evaluate, and the answer
is I don't think they are.
DR. POWERS: What we're saying is that in this area, and I
picked Brown's Ferry for a reason; they do have shutdowns in their PRA,
and the staff is being outgunned --
DR. BONACA: Yes.
DR. POWERS: -- by the licensees, and, in fact, the
licensees are perfectly capable of snowing the staff by saying yes,
we're going to make a decision between two oranges and a red; I can go
to two oranges because we've done this PRA, and we're not going to show
it to you, but we've done it, and we have a quantitative analysis. See
this? We're going to go this way.
There's literally nothing that the NRC can do to protect the
public health and safety on that kind of a decision, because they're --
DR. BONACA: What I'd say that, you know, the -- typically,
when you compare two configurations, the evaluation that the plant may
present to you is transparent enough to show you when there is a
dependency, when there isn't a dependency that often times, it's up to
that point; okay, here, there is a dependency, and there, there is not.
So, I agree with you totally that the staff cannot do that, but I'm
saying that it's hard to snow anyone, because if you ask a question, you
know, the dependencies come out right away, and, you know, there has to
be a reason why you have two yellows there and a red, and it typically
has to do with those dependencies so --
DR. SEALE: It does seem to me rather interesting, though,
and I'm not trying to get you more work, Mark, although it may sound
like it -- that in an agency which is lauding its increased dedication
to the use of risk-informed methods in making decisions that we have
something like the evaluation process where the question of one red
versus two yellows and so forth is being argued, as you say, but the
people who are involved in the PRA process don't have the slightest idea
of what those arguments are being based on. I mean, if risk is going to
mean anything, and you're going to use it, then, damn it, use it.
MR. CUNNINGHAM: Just to be clear, this individual PRA
person is not particularly tied into that process. There are other PRA
people around the agency who are, who tend to be more in NRR.
DR. SEALE: I'd be interested to see what the risk basis is.
DR. POWERS: I agree. I think what we're doing to our
senior reactor analysts out in the field is criminal. We are quickly
getting them put into the position --
DR. SEALE: Hanging them out to dry.
DR. POWERS: -- where they are being asked to make judgments
about actions by groups of people who just have superior technology,
vastly superior technology to them.
MR. KING: One of the things that's on our plate to develop
over the next couple of years are low-power and shutdown models for the
ASP program that the senior reactor analyst could use to analyze
situations. They don't have tools today to do it.
DR. POWERS: They cannot. They have no way to independently
evaluate -- even things like -- which are pretty qualitative thing, and
yes, I can sit down and write out the criteria, and ORAM, just based on
what's on its Website.
DR. SHACK: But the fact is a senior reactor analyst doesn't
have anything equivalent to it.
DR. POWERS: But then, you would have to always argue that
he's got a PRA that's at least as good as anybody else's, and I just
don't find that as a terribly practical matter.
DR. SHACK: I don't know why I would have to argue that.
DR. POWERS: Because again, if it came down to two PRAs,
then, which one are you going to believe? You believe the better one,
you know, if you have to have a number to make the decision.
DR. SHACK: I guess I'm still not following something. If
the --
DR. POWERS: You're going to recompute the number that the
licensee computed. Well, if you get a different result than he does, it
comes down to which, you know, which number is better, which model is
better.
DR. SHACK: The other thing is most of the time --
DR. POWERS: No, I don't think it does. I mean, I think
very seldom do you have any decisions made based on the discrepancies
between two numbers.
DR. SHACK: Well, it sounded to me like that's what you were
arguing for it, that you wanted to have a number.
DR. POWERS: No; I think I want the capability to assure
myself that the plans that the licensees are undertaking for a shutdown
operation do, in fact, protect the public health and safety. And I
think it doesn't make any difference at all whether the number is 2 x
10-4 or 3 x 10-4 in making that decision. It's much more than that.
DR. SHACK: I don't agree with that.
DR. SIEBER: Right now, though, we're in an area of
deterministic regulation. If you look from the standpoint of a resident
inspector, he is not going to prospectively tell the utility or the
licensee how to run his plant. He is not in the plant management
business. On the other hand, the utility is required to obey all of the
technical specifications and commitments, and under a deterministic
framework, that's sufficient to assure the protection of the public
health and safety.
When you move into probabilistic types of risk-informed
regulation, that's when the NRC needs to be able to prospectively look
at planned events to make sure that the regulations that are
risk-informed actually apply and do minimize risk to the public. So
right now, whether you have a PRA or don't have one for shutdown risk
from the legal standpoint doesn't make any difference.
DR. APOSTOLAKIS: Isn't it a fundamental question, though?
If you have a matrix that uses colors, and based on various combinations
leads to certain actions on the part of the utility and on the part of
the NRC that you would like to know what is the rationale --
DR. SIEBER: Right.
DR. APOSTOLAKIS: -- behind these colors and the
combinations?
DR. SIEBER: Right.
DR. APOSTOLAKIS: I think that's what it comes down to.
DR. SIEBER: Right.
DR. BONACA: Well, the point that you were making before is,
however, again these protections for the licensee would have an
explanation of why you would get the yellow or the red, and most of the
time, I believe the question is go through the licensee. The
explanation is pretty -- always engineering-wide. I mean, he is going
to pull it out of dependency to why this component cannot be removed by
this time, because it will happen this other way, and I know resident
inspectors ask those questions. They go and ask barely those questions
about, you know, why are you doing this rather than something else? And
so, there is that process that is taking place now.
It doesn't mean that the NRC, in fact, has the capability to
influence in any way or to perform any independent assessment. Much is
based on the experience of the resident inspector and the person you can
ask.
DR. POWERS: The problem I'm forecasting is more and more, a
licensee is going to be able to come back to the resident inspector with
an answer that he's not capable of interpreting.
DR. BONACA: And that's possible, yes.
DR. POWERS: And he's going to come back and say that we've
looked at it, and we've got a Delta CDF of 2 x 10-16 or something like
that, and the guy is going to call up his senior reactor analyst and say
does this seem reasonable to you? And nobody is going to have the
capability to answer that.
DR. BONACA: That is correct.
DR. APOSTOLAKIS: That is correct.
Have we finished with this? Are you done?
DR. LOIS: Yes.
DR. APOSTOLAKIS: For the record, Dr. Uhrig joined us a few
minutes ago.
Now, the next view graph, I think, will take some
discussion, and I propose we break now and reconvene at 10:15.
[Recess.]
DR. APOSTOLAKIS: Okay; Erasmia, you want to continue there?
[Pause.]
DR. LOIS: Because we were talking about tools, I just
thought that -- do you mind if I go into this slide? Because I'm not
going to cover anything else about tools from now on, so I'm just --
DR. APOSTOLAKIS: Well, the only thing on page 11 is this
time average CDF and condition --
DR. LOIS: I'm not going -- I'm going to come to page 11
after this.
DR. APOSTOLAKIS: Oh, okay, okay, sure.
DR. LOIS: I just wanted to talk about -- because the
statement before was that the -- we do CRM, utilities do CRM mostly, and
they have developed tools for both the defense in depth concept and for
quantitative analysis, and these are the tools. ORAM was developed
specifically for outage management, and about 65 utilities have ORAM.
About 40 of them have the capability to do quantitative analysis. Now,
safety has evolved to shutdown configuration control management from
full power configuration control management tools, and I guess about 12
utilities have safety oriented -- about 6 or so EOS. So the message
here is that clients do expand themselves to incorporate PRA modeling
for low-power and shutdown.
DR. APOSTOLAKIS: So most utilities, and 65 of them do not
use PRA?
DR. LOIS: About 65 have ORAM. ORAM has two modules: the
defense in depth, and it has its own PRA modeling. It's not like --
DR. APOSTOLAKIS: Ah.
DR. LOIS: -- you use the full power. You can model your
outage by creating your fault trees, your system dependencies from
scratch, and about 40 utilities have that capability.
DR. APOSTOLAKIS: Okay.
DR. LOIS: Now, some people have both. San Onofre has ORAM
and safety module. South Texas does the same. So there is an overlap
there. But I guess what's important here to get out is that utilities
have more and more capability to do PRA analysis on low-power and
shutdown, specifically plant outage, refueling outage.
DR. SEALE: Would you help me? Does ORAM have in it, buried
down in the details, an assessment of the risk significance of the
individual SSCs?
DR. LOIS: I will allow --
MR. WHITEHEAD: Donnie Whitehead.
Generally, the level of detail to which the ORAM PSSA models
are developed to are to train level detail; that is, they would not have
individual components in their failure for probabilities associated; it
would just be a model of the system based upon trains and the
dependencies amongst the trains. So I'm not sure that they could --
that ORAM could provide, you know, provide individual SSC importance.
DR. SEALE: Okay; thank you.
DR. LOIS: So now, and another point that I wanted to make
was on the tools that ideally, these tools have capability to model any
level of detail and, I guess, any type of plant operational state, but
that's just depending on the resources people want to -- there are no
constraints from the software perspective.
Going back to insights we got for the significance of
low-power shutdown risk, now, this is your time to ask the question why
we don't have 10-3s here, I guess.
DR. APOSTOLAKIS: Well, the thing that -- and I think we've
discussed this more than a year ago, people had been struggling with the
comparison, how best to compare the core damage frequency during these
modes of operation with power risk, which, of course, is expressed in
terms of number of events per year, per reactor year. So, you see
things like, you know, what if the plant were at mode 5, say, throughout
the year? Then, the core damage frequency is this, and it's comparable
to the power core damage frequency, and people are calling it
instantaneous and so on.
First of all, the word instantaneous is not appropriate.
They are all conditional core damage frequencies. One is conditional on
being at power; the other is conditional at being at mode X. Seems to
me the best way to compare these things is -- and they are all
time-averaged, by the way -- the best way to compare is not on a
per-hour basis or on a per-year basis. The best way is to find the
probability of core damage, which I believe one of the regulatory guides
does for the temporary conditions that we have a -- yes, 5 x 10-7, I
believe, for the probability, not the frequency.
So if the plant is for a number of days in this particular
mode, then, you find its CDF, then, the product of it -- and again,
somebody has to look whether it's fair to multiply the CDF, the
conditional CDF by the time, because the CDF may change with time, and I
think it's noted in the report that these conditional CDFs are indeed
functions of time if, you know, because decay heat, for example, decays.
But let's say roughly, one would have to multiply that CDF
by the duration of that mode, and that should be compared with the
probability of core damage at power operations. It's the probabilities
we should be comparing, because that's the only common unit. Everything
else is really artificial. To say I will reduce everything or
renormalize everything on a per-hour basis, so I take the power CDF per
year and divide it by 8,760, whatever, hours and then take the mode 6
CDF and divide it by the appropriate duration to say oh, now, I have two
CDFs that are on a per-hour basis; therefore, they are comparable.
I don't think that's right.
DR. LOIS: Well, George, when we come to recommended work,
one issue is how do you develop -- how do you define what we call
baseline model? And we kind of have a couple of concepts here, and
probably, we would like to have your input.
DR. APOSTOLAKIS: I just gave you my input.
DR. LOIS: Yes.
DR. APOSTOLAKIS: I think the probability is the appropriate
way to do it, and the agency has recognized this in another context; the
risk-informed guide for technical specification changes; when the outage
time is evaluated, we have a goal of 5 x 10-7, as I understand, for the
probability during that time.
As I say, the thing that makes it a little more complicated
here is that the CDF may not be constant throughout that period, so
somehow, we have got to account for that, but that's a further epsilon,
you know.
DR. WALLIS: George, there's a great opportunity for a
cost-benefit. I mean, the benefit to the utility of short outage time
is economic, but if they get into a higher risk probability, you should
put a price on it. Then, there's a way to optimize.
DR. APOSTOLAKIS: Yes; I only addressed the question of
comparison. Now, you are going beyond that. You are going beyond that.
DR. WALLIS: I think it's pretty simple what you're saying;
it's straightforward.
Otherwise, how do they have a way of trading off a bit more
risk with a bit more economic benefit?
DR. APOSTOLAKIS: Yes.
DR. KRESS: If I have a core damage frequency at full power
based on a year --
DR. APOSTOLAKIS: Right.
DR. KRESS: -- and the way I convert that to a probability
is to multiply it by one year.
DR. APOSTOLAKIS: Roughly, yes.
DR. KRESS: If I have a core damage frequency for a
low-power shutdown, that's manualized; the way I convert that to a
probability is to multiply it by one year. I don't understand the
difference between what you're saying and using the CDF frequency. Why
is the probability any different with the frequency?
DR. APOSTOLAKIS: Because the frequency -- see, my objection
is to annualizing the mode 5 frequent CDF you get, because that assumes
that you're in that mode throughout the year.
DR. KRESS: No it doesn't.
DR. SHACK: It's the wrong way to average. Nobody does it
that way.
DR. LOIS: No.
DR. APOSTOLAKIS: No, but they compare them, though; they
don't average them. They compare them that way.
DR. LOIS: My understanding is --
DR. APOSTOLAKIS: Oh, yes; oh, yes.
DR. LOIS: My understanding is that if you are on mivelope,
you may get into a 10-3 phase, but then, what you do is you calculate
for how long you've been in that -- on that phase, and you divide by the
amount of years, so you come out on a yearly frequency; if you assume
that you're on 10-3 for a whole year there, you would be 10-3. You
don't have 10-3 low-power shutdown risk, because for a few hours, you
were on that. So actually, you do calculate probability.
DR. APOSTOLAKIS: No.
DR. BONACA: You have it on page 2-6.
DR. APOSTOLAKIS: Yes; 2-6 doesn't do that.
DR. BONACA: Per calendar year basis --
DR. APOSTOLAKIS: Yes.
DR. BONACA: -- the average risk --
DR. APOSTOLAKIS: Right.
DR. BONACA: -- as it compares to numbers.
DR. APOSTOLAKIS: It says CDF for pulse 5 is 2 x 10-6 per
year; for full power, it's 4 x 10-6 per year. So it assumes that you
are in pulse 5 for the whole year.
[Chorus of nos.]
DR. APOSTOLAKIS: What does it assume?
DR. SEALE: It's a year of operation.
DR. KRESS: It means you're in it for the amount of time
you're in it.
DR. SEALE: That's right; an operation is --
DR. APOSTOLAKIS: No, no, no, no, no, no; what does it mean
that you're in it -- this is per year.
MR. WHITEHEAD: This is Donnie Whitehead. Let me see if I
can explain that. The way those numbers are calculated are based on a
per calendar year basis. And so, the calculations already include the
fact that the plant is only in that particular mode for a specified
fraction of the year, like 0.03. That number, then, allows you to
compare directly with a core damage frequency from full power; again,
excuse me, making the assumption that not correcting for the fact that
you're in full power operation for, say, 80 percent of the year doesn't
really, you know, doesn't really significantly impact the results.
But in reality, if you wanted to make a strict comparison,
then, you should use the appropriate factor for the power. But since
it's --
DR. APOSTOLAKIS: No, but that's not my problem.
MR. WHITEHEAD: -- close to 1, it's okay.
DR. APOSTOLAKIS: But then, no, no, no, what you are saying
is inconsistent with what the other report says, because the report goes
on on page 2-7 and says to avoid overestimating the risk from being in
pulse 5 for one year, per hour results from the pulse 5 analysis should
not be directly scaled; in other words, one cannot simply multiply the
per hour results by the number of hours in a year and have the correct
estimation of either CDF or risk.
DR. SEALE: They don't.
DR. KRESS: Nobody does that.
DR. SHACK: But it's confusing, because it makes it sound as
though they do.
DR. SEALE: Yes.
DR. APOSTOLAKIS: Yes.
DR. BONACA: It's badly written.
DR. APOSTOLAKIS: yes.
DR. BONACA: That's not the way it's explained, because I
understood the same thing.
DR. APOSTOLAKIS: Yes.
DR. BONACA: And I was really concerned about that.
DR. SHACK: They get a fairly decent definition by the time
you get to page 3-4.
DR. APOSTOLAKIS: Well, let's see.
DR. BONACA: The other thing is that look, clear on the
front page is how many days really you are in a shutdown condition.
Some plants have a 12-month cycle and maybe a month outage, and some
plants have a 2-year cycle with a 15 or 28 day outage. So there is a
big difference there, and I'm not sure that you can easily reflect -- I
mean, then it may make a difference of, well, not an order of magnitude
but close.
DR. SHACK: Well, that does come down to this difficulty of
defining a baseline outage when all outages are --
DR. BONACA: And I agree with that.
DR. SEALE: Yes.
DR. SHACK: That's a little different.
DR. BONACA: But it has to be a way it has to be explained,
because this is not clear.
DR. SEALE: Yes, but it's simplifying the mathematics by not
taking into account the fraction of a year that you're in full power
operation.
DR. APOSTOLAKIS: Yes.
DR. SEALE: You may, in fact -- you may confuse the issue as
to what you're talking about. It probably would be smarter to take a
point A and --
DR. KRESS: That's such a simple correction.
DR. SEALE: Yes, right.
DR. APOSTOLAKIS: But that's not the issue.
DR. SEALE: But the fact that you don't sort of reinforces
the idea that you're going to assume that you're in shutdown mode for a
year, and you're not.
DR. KRESS: It shouldn't be.
DR. APOSTOLAKIS: Well, I can -- I saw those words here on
this report on the past assuming that the thing is a whole -- in that
mode for the whole year, and I'm objecting to that.
DR. SHACK: Well, I must confess, I sort of read around that
about four times before I figured out those words were just firing for
effect.
DR. SEALE: Yes.
DR. APOSTOLAKIS: So in any case, so what you're saying is
that when you say that the CDF from pulse 5 is 7 x 10-9 per reactor
year, you have already included the fact that the plant is in pulse 5
for a fraction of that year.
DR. LOIS: Exactly.
DR. APOSTOLAKIS: Okay.
MR. WHITEHEAD: Yes, I thought that we had been careful to
represent the numbers on a per calendar year basis, and I believe that,
you know, the documentation does represent that, but you're probably
correct. It would be a little bit -- it could describe in the report
better exactly how we calculate the numbers if that would be
appreciated.
DR. APOSTOLAKIS: That would help me a lot.
MR. WHITEHEAD: Okay.
DR. APOSTOLAKIS: That would help.
MR. WHITEHEAD: That, we should be able to do.
DR. LOIS: But the point of the slide was that people are
doing different things. For example, when PLG does a low-power shutdown
PRA, it would do for the average risk, while the plants, the utilities,
they calculate a risk or a fuel core damage for that particular outage.
DR. APOSTOLAKIS: Yes.
DR. LOIS: That's what --
DR. APOSTOLAKIS: But also --
DR. LOIS: This tells the story for what's happened.
DR. APOSTOLAKIS: But all of them are time-averaged, though,
in a different sense. They're simply conditioned on different things.
Now, on page 11, 2-11, it says that at River Bend, a
cumulative risk for a 21-day outage could be as high as the yearly at
power risk. So this tells me that they are multiplying the 21-day CDF
times the 21 days, and they compare that with a power CDF times the
year, and they are comparable. Am I doing something wrong here?
Because as the cumulative risk for a 21-day outage. And the other thing
is if in these 21 days, they go through different configurations,
shouldn't you --
DR. WALLIS: You integrate.
DR. APOSTOLAKIS: And I think you guys are objecting to the
integration.
DR. WALLIS: No.
DR. APOSTOLAKIS: That's why --
[Chorus of nos.]
DR. APOSTOLAKIS: So what are you objecting to?
DR. KRESS: You're the one who is objecting.
DR. APOSTOLAKIS: No, I want to integrate. I love
integration. You know, that funny symbol?
DR. SHACK: The problem is the way they organized the
document. They talk about that time windowing much, much later in the
document.
DR. APOSTOLAKIS: But my point is you cannot take -- I mean,
how many modes does a plant go to when it --
DR. SHACK: It varies.
DR. APOSTOLAKIS: -- goes down from power until it goes back
up?
MR. WHITEHEAD: The plant operating stage?
DR. APOSTOLAKIS: Yes.
MR. WHITEHEAD: It -- somewhere between, say, 14 and 455.
DR. APOSTOLAKIS: Okay; okay, fine. So for each one, now, I
can calculate a CDF.
MR. WHITEHEAD: That is correct.
DR. APOSTOLAKIS: Okay; so, I guess what I'm saying is
instead of taking each of the CDFs and finding the appropriate fraction
of time and then compare with power, it seems to me a total estimate of
the probability of something going wrong for the 21 days that would be
the integral of time times the appropriate CDFs would be the appropriate
probability to compare with the power probability. Is that what is
being done? I know it can be done but --
DR. WALLIS: What else could be done to make
this --
DR. APOSTOLAKIS: What else could be done, Graham, is to go
to page 7, for example, and compare pulse 5 CDF only with the power.
DR. SHACK: But I think what they do as a practical matter
is assume that most of the risk is in --
DR. KRESS: Because that's where it's in --
DR. SHACK: So, yes, that's the conception that they do what
you do, and then, they say it's dominated by this particular fraction.
DR. KRESS: Yes, it's close to the area under the curve.
DR. LOIS: As a matter of fact, the risk for most of pulses
is zero. For the biggest part of the outage, the risk is zero.
DR. WALLIS: The risk is never zero.
DR. APOSTOLAKIS: Then, let me go to page 2-8.
DR. LOIS: Insignificant.
DR. APOSTOLAKIS: I agree, then, that you guys know what
you're doing, but it's not stated well.
DR. LOIS: Page 8?
DR. APOSTOLAKIS: It says the instantaneous risk at CERI
during mid-ploop is at least comparable to that from full power. On a
per-hour basis, they give numbers.
DR. SHACK: That's okay, too, George.
DR. APOSTOLAKIS: That's okay.
DR. KRESS: You can divide by any time limit you want to.
As long as you're dividing each by the same time, you can do it on a per
hour, per year, per 10 years.
DR. APOSTOLAKIS: I don't think this is appropriate.
DR. KRESS: You're really comparing probabilities.
DR. APOSTOLAKIS: Yes; you should be comparing
probabilities.
DR. SEALE: That's what you're doing when you do the per
hour.
DR. APOSTOLAKIS: I know, but the point is if I'm in that
state for 20 minutes and in the other state for 365 days, it seems to me
I'm missing something major.
DR. SEALE: Then they may be equal per hour, but they're not
equal when you integrate over a whole year of operation.
DR. APOSTOLAKIS: But this, then, is a misleading
comparison.
DR. KRESS: George, I think you have a good point there. I
think you're saying that a high probability over a short time --
DR. APOSTOLAKIS: Yes.
DR. KRESS: When you integrate it is not the
same --
DR. APOSTOLAKIS: No.
DR. KRESS: -- as a low probability over a long time, even
though the error is the same; no, that's a good point.
DR. APOSTOLAKIS: And that's exactly what I want to use as a
basis for comparison.
DR. KRESS: But I don't know -- there's no theory at the
moment that will let you adjust those things.
DR. APOSTOLAKIS: I know; it's easy for them to do it,
because they know the duration; they know the CDF; they can do it.
DR. KRESS: But you have to have a functional between the
CDF and the time.
DR. APOSTOLAKIS: They can do it numerically. It's not a
problem. Those guys can do it.
MR. KING: We can do it either way. It's just a question of
what makes more sense.
DR. KRESS: Add another equation in there, George.
MR. WHITEHEAD: Yes; I mean, you're right, George. We can
-- the calculations are very easy to do, and in actuality, I believe the
utilities provide numbers in various formats. They provide
probabilities for each particular, you know, a slice of the outage.
They provide a cumulative, you know, over the entire outage and so forth
and so on. The question becomes what becomes the most appropriate, you
know, measure to prepare against, and, you know, at the time most of
these documents were written, people wanted to provide an answer based
upon a per-year basis.
It's not to say, you know, that we couldn't or shouldn't
change the comparison that we -- you know, that we're going to go
forward with, you know, from this point forward.
DR. KRESS: You ought to do it on a per-year basis, because
that's what we're used to.
DR. APOSTOLAKIS: Well, I think there are two issues here.
First of all, let's not call anything instantaneous, because there's
nothing instantaneous. They're all conditional, okay?
MR. WHITEHEAD: I hope you can.
DR. SHACK: I don't understand you, George. It can be
conditional on -- it might have slipped in.
DR. APOSTOLAKIS: But it's not. It's time-average then. So
the conditional -- what is of interest, I mean, just to summarize here,
what is of interest may be two things: the conditional probability, the
unconditional probability -- sorry; the conditional probability being in
shutdown mode; probability, okay, which means CDF times time and compare
that with the conditional probability of power, given year of power,
probability.
Now, I can see how a CDF itself, on a per-hour basis, could
be of interest in the sense that as Tom said, you know, it's really the
integral of time times the peak, but maybe there are certain peaks you
don't want to tolerate.
DR. LOIS: Exactly.
DR. APOSTOLAKIS: But that should be very clearly stated,
that you are calculating now the conditional CDF on a per-hour basis,
and if the agency decides to do something about it, that's fine. You
don't want to get to 0.5, for example, even for an hour, okay?
DR. WALLIS: Well, CDF has units of 1/T, and it doesn't
matter what T is. It can be continuous or variable.
DR. KRESS: It may matter, and that's the reason you want to
put it. It's the only reason you would want to catch.
DR. APOSTOLAKIS: Of course, it matters.
DR. KRESS: Well, George, let me ask you: if I had a CDF at
some level for one day --
DR. APOSTOLAKIS: Yes.
DR. KRESS: -- and multiply the two together --
DR. APOSTOLAKIS: Yes.
DR. KRESS: -- to get a -- and then, if I had a -- if I had
a CDF divided by 365 level for a whole year, do you believe those two
risks are the same? Because the integral of the curve is exactly the
same.
DR. APOSTOLAKIS: The integrals are the same.
DR. KRESS: Yes.
DR. APOSTOLAKIS: Yes.
DR. KRESS: I thought you were saying that the high risk for
the short time is not the same risk as the low one at the long time and
that therefore, you need a cap on the short risk or something, or you
need to look at --
DR. APOSTOLAKIS: That was my second comment, that you may
want to put a cap on the second risk.
DR. KRESS: The only reason you would want to is if you view
those two things as different.
MR. CUNNINGHAM: Since they're becoming -- is for a
short-term, high consequence or high CDF conditions, are you risk
averse, if you will, and you want to make that a more serious condition
than the mathematics would otherwise.
DR. KRESS: Yes.
DR. APOSTOLAKIS: You may want to do that.
DR. WALLIS: It is risky to have a peak, because you might
under unexpected circumstances get stuck there. When you're in the
peak, you're pretty nervous, because you don't want to spoil around.
That really needs to be --
DR. APOSTOLAKIS: But on the other hand, this may be an
artificial peak, because as the staff told us half an hour ago, at South
Texas, for example, everybody at the plant has been alerted to the fact
that now we are in a particular thing, and the PRA cannot include that.
That's a fundamental point.
DR. SEALE: So you tie compensatory measures --
DR. APOSTOLAKIS: Right.
DR. SEALE: -- to the level of the instantaneous risk.
DR. APOSTOLAKIS: Right; but it's not instantaneous!
[Laughter.]
DR. WALLIS: All risk is instantaneous.
DR. LOIS: These peaks are calculated based on their PRA,
not based on the defense in depth approach.
DR. APOSTOLAKIS: Yes, I understand that.
So I think we're in agreement, then, that's sometimes
violated.
[Laughter.]
DR. APOSTOLAKIS: But we are in agreement.
DR. WALLIS: We're doing calculus I first semester.
DR. APOSTOLAKIS: If you go to the commission, and you want
to argue that the contribution to risk from LPSD operations is
comparable to that from power operations, what numbers are you going to
show?
MR. CUNNINGHAM: What metric do you use?
DR. APOSTOLAKIS: Yes, what metric do you use? In my view,
you should be using the probabilities. Then, the next step would be
now, an additional insight, because, you know, we really don't believe
that something that's very sharp for a short period of time is the same
as something else; an additional insight is that the CDF, during these
operations, perhaps is way too high, and we may want to think about it,
whether that is acceptable, even for such a short period of time.
These two numerical results seem to convey the message.
DR. BONACA: As we have done for online maintenance, where
we said it is manager; if it is too high, don't do it --
DR. APOSTOLAKIS: Yes.
DR. BONACA: -- too much. So, but I think in general, I
think it's a good point. I think we have to be very clear of two
things: one, what this comparison means, okay? And I got confused,
too, and I understand -- second, again, the issue of presenting them
without an assessment of uncertainty at all or a brief discussion is a
real additional problem in my mind, you know, that it didn't put them in
the right perspective, and I was trying to compare, when I was reading
the report; I just couldn't convince myself that there was --
DR. KRESS: Yes; the implied assumption is the uncertainties
are about the same. Otherwise, you have to do something.
MR. WHITEHEAD: Let me address that issue. Currently, most
of the utilities perform analyses -- perform analyses do not perform
uncertainty analyses using their PRA model. There were three studies
that were performed that did have some uncertainty information
associated with them. Those were the Grand Gulf and Surrey analyses
performed by the NRC and the Seabrook study that was performed by the
utility, and that information could be provided, but most of the work
that's currently done for outage management does not involve uncertainty
calculations.
DR. BONACA: I'm just saying that if we go in front of the
commission and have to plead for additional funding for low-power and
shutdown, we'd better have a clearer presentation of what these numbers
mean and the associated uncertainty.
DR. APOSTOLAKIS: I think there are two issues that I would
raise. One is what we just discussed, and second, I would not limit it
just to core damage frequency. The agency cannot do one thing in the
oversight area and another in the low-power shutdown. So I think it's a
powerful argument to say that the agency has declared four cornerstones
as being important, and three of them are compromised during these
conditions to some extent, okay?
So, I mean, the argument Dr. Powers raised, you know, I can
always hand do them. But you already have violated one of the
cornerstones. You've got an initiator, okay? So, why are you going
after the utilities in the oversight process when their initiating event
is greater than seven per year, and here, you're losing water, and it
doesn't really matter because you recover from it? It's the issue of
consistency.
DR. BONACA: It's like the cornerstone which is shutdown
which is not in those cornerstones. I mean, if I have to make a
judgment for the value of the cornerstones right now for shutdown
conditions, I would say a fundamental one is missing, which is time. It
somehow has to be translated into some attribute that I don't think is
there right now.
DR. APOSTOLAKIS: Well, yes, there is an assumption of
steady state operation in the way things have been presented.
DR. BONACA: There's something missing in there. I agree
that --
DR. APOSTOLAKIS: But that's not quite a cornerstone. Time
itself is not a cornerstone, but it's a significant determinant of the
response.
DR. KRESS: George, one problem I have with this: when you
say you need to pay balanced attention, say, to the cornerstones, we
don't have a good notion of what balance means. What you're really
saying is you need to allocate the overall risk among the cornerstones.
But we don't know how to make that allocation.
DR. APOSTOLAKIS: Correctly, I agree, but I already have a
basis, because the staff has told me that they don't want to see more
than seven, I believe, unplanned trips per year.
DR. KRESS: That's an allocation.
DR. APOSTOLAKIS: That's an allocation.
DR. KRESS: Yes.
DR. APOSTOLAKIS: But they're already doing it. Now,
whether it's right or wrong is something else. And then, they have
certain unavailability bounds for the various systems, and then they
have the special -- yes.
DR. KRESS: They already have said what does the balance
mean.
DR. APOSTOLAKIS: Exactly. And in fact, for the initiating
events, they say, you know, we really don't expect to see any locus, so
we are putting a number of the transients, the trips, and here, we have
incidents where we didn't have locus, but, I mean, water was flowing in
the wrong direction.
DR. KRESS: Out instead of in.
DR. APOSTOLAKIS: Now, I think, Erasmia, you have to use
your judgment as to which view graphs you want to skip.
[Laughter.]
DR. APOSTOLAKIS: Because the way we're going, you would
never finish.
DR. LOIS: I think in preparing, getting into what work
we're going to --
DR. APOSTOLAKIS: Do you want to go to that because you have
methods? Number 16?
DR. LOIS: Okay; I can do that.
[Pause.]
DR. APOSTOLAKIS: Sixteen.
DR. LOIS: Okay.
DR. POWERS: I have glanced ahead a little bit in the
graphs. Why are we persisting to the internal fires as an initiator
that falls into an external event category rather than any internal
event?
DR. APOSTOLAKIS: Which one is the first word?
DR. SEALE: Fires.
DR. POWERS: Fires.
I mean, I know why this was done historically.
DR. APOSTOLAKIS: Yes.
DR. POWERS: But I don't know why we are persisting to
maintain this fiction.
DR. APOSTOLAKIS: I believe it's for the same reason: the
ACRS wants to say that we always have the benefit of the documents
referenced.
[Laughter.]
DR. APOSTOLAKIS: That was the argument given to me for
historical reasons.
DR. POWERS: I don't think so. I think it's the nature of
the --
DR. APOSTOLAKIS: Or minor --
DR. POWERS: In essence, it's a lot like a tornado or
seismic event in the sense that it doesn't -- it attacks multiple -- and
it --
DR. APOSTOLAKIS: No, I think --
DR. POWERS: I think it has features in common with external
events.
DR. APOSTOLAKIS: Yes.
DR. POWERS: Much more than what we call internal events.
DR. APOSTOLAKIS: Yes, it's the way it's treated. You have,
in the internal events, you have the initiating events that start an
event tree. The so-called external events do not really act as an
initiator that starts an event. You take the existing event risk, and
then, you say if I have a fire now, which one of these are affected.
DR. POWERS: Yes, that's the basic one.
DR. APOSTOLAKIS: And if I have an earthquake, which ones of
these are affected? So it's sort of the big potential common cause
failures, and it's treated as such, so unfortunately, they called it
external events. It's really handling certain events that have the
potential of inducing great dependencies separately, but by calling them
external, you're right: it's --
DR. BONACA: And the methodology has been driving
disaggregation of those.
DR. APOSTOLAKIS: Yes.
DR. BONACA: But really, again, I agree with the point that,
you know, fires and internal floods, I mean, it's something so specific
to the plant that you can't compare it with seismicity, okay because --
DR. APOSTOLAKIS: But they don't initiate the sequences in
the same way that locus do.
DR. BONACA: It's the dominant --
DR. POWERS: I bring it up in this context, and I think that
fire is a very likely initiator during shutdown, because so much is
taking place in a fire, and you can have wild swings, and your transient
combustibles, and your potential igniters --
DR. APOSTOLAKIS: Sure.
DR. POWERS: And it seems to me that to exclude it when
you're shut down risks underestimating what the significance of shutdown
is to the plant's risk profile.
DR. KRESS: I don't think you want to exclude it.
DR. APOSTOLAKIS: It can't be excluded.
DR. KRESS: You can't exclude it.
DR. APOSTOLAKIS: Are they excluded?
DR. POWERS: Yes; they've universally been excluded.
DR. APOSTOLAKIS: No.
DR. POWERS: With no counterexample to it.
DR. APOSTOLAKIS: Except for the laboratory analysis, right?
MR. CUNNINGHAM: Yes.
DR. APOSTOLAKIS: At Seabrook. Seabrook included external
analysis. I remember that explicitly.
MR. CUNNINGHAM: And it included fire. And it included
internal fires.
DR. APOSTOLAKIS: Yes, yes.
DR. POWERS: I know of no case where shutdown risk
assessments have been done that included fire as an initiator.
DR. LOIS: The NRC study did. As a matter of fact, the
Surrey study identifies fire as a very important initiator.
DR. POWERS: I know of no risk analysis that's been run for
shutdown events that includes fire as an initiator.
DR. LOIS: Not for shutdown? The Surrey study did not?
DR. POWERS: I know of none that did.
DR. LOIS: Yes; low-power shutdown, the Surrey study did,
and it proved to be one of the most important ones.
DR. APOSTOLAKIS: Again, it's not treated as an initiator in
the sense that you start an event tree. The moment you have the fire,
you look at the event trees from the internal events and say which ones
of these are affected, so which initiating event from the standard list
is the one I have now? In other words, did the fire create a loca?
Then, I go to the loca event tree. Did it create a transient? I go to
the transient event tree. But I will not treat it as an initiating
event in the traditional sense.
DR. BONACA: Or what kind of mitigating probabilities that
--
DR. APOSTOLAKIS: Yes.
DR. BONACA: -- in the tables.
DR. APOSTOLAKIS: It's a big common mode failure, because it
affects also the -- where is the -- do you have the -- please, where is
it? I can't find it now but -- tell me which page.
MR. BEARD: Page 2-7 is where we talk about the fire events
at Surrey, the internal fire event at Surrey.
DR. APOSTOLAKIS: Internal fires are the most important
events at Surrey because of the physical separation issues. So, they
did include it.
MR. WHITEHEAD: Yes; Donnie Whitehead. I mean, both of the
NRC studies on low-power shutdown did analyze fire event, the internal
fires internal to the plant. Also, there were numerous of the
international studies on low-power shutdown included internal fires and
floods. Some of those also found that those initiating events were
important contributors to the overall core damage frequency. So, I
believe that, you know, there have been cases where, you know, these
have been examined and found to be important contributors. The question
becomes whether or not, you know, you're proposing what to do in the
future, whether or not you would include those type of events, and it
would seem appropriate to at least consider those type events, because
they have been found to be important.
DR. LOIS: However, in the workshop, we heard that fire and
flooding is not important, because there is time to mitigate it, and
it's a lot of fiddling around, and therefore, if you have fire or flood,
it would be caught. So the, I guess, industry perspective is that it
may not be -- these initiators may not be as important.
So shall i go ahead here?
DR. APOSTOLAKIS: Yes.
DR. LOIS: The Reg Guide 1174 provides for the use of
qualitative assessments for risk informed regulation, and therefore, we
look into the possibility of including qualitative arguments for risk in
-- as a basis in decision making for Reg Guide 1174 purposes or Part 50.
We thought we would start with the one that the plants are
using, the defense in depth. These are the weaknesses that, from a
regulatory perspective, from a risk-informed perspective, the fact that
you don't have calculation of -- you don't have quantitative risk
metric, therefore, you cannot do the ranking, as Dr. Lyon pointed
before. You don't know how red red is. There is a planned plant
variability in the defense in depth. The licensees have the flexibility
to determine themselves the reds and the oranges, et cetera.
And also, the utilities grade themselves for how well they
adhere to the guidelines. So these are some of the issues that -- the
weaknesses that are embedded in the qualitative --
DR. APOSTOLAKIS: So even from the -- from what you said, I
get the impression that you're saying that 1174 cannot be used for
requests that involve low-power shutdown. But wouldn't it be fair to
say that this weakens the utilization, the degree to which 1174 can be
utilized even for power operations? Because an important piece is
missing, so if I want, for example, to evaluate, to extend allowed
outage times, and I don't have the low-power shutdown contribution,
then, I really don't know where my CDF is, so if I go to figures three
and four and my LERF, I already don't know what to enter as the figure.
And then, when I calculate the delta CDF, it's not clear to me whether
the calculation is accurate.
In other words, it makes the --
MR. CUNNINGHAM: That is correct.
DR. APOSTOLAKIS: -- whole risk informed regulatory approach
much weaker now, even for cases where there is no shutdown situation.
MR. CUNNINGHAM: That's right. That's where you have to go
back and qualitatively convince yourself that the change you're talking
about doesn't really impact -- isn't impacted by the shutdown risk and
that that risk is somehow not going to move you up above the fuzzy areas
on the right.
DR. APOSTOLAKIS: Right.
MR. CUNNINGHAM: Yes; that is correct.
DR. APOSTOLAKIS: But that's more difficult if I don't have
a --
MR. CUNNINGHAM: That is correct.
DR. APOSTOLAKIS: -- PRA.
MR. CUNNINGHAM: That's kind of --
DR. APOSTOLAKIS: Yes.
MR. CUNNINGHAM: -- what Erasmia is alluding to there, that
if we want to take a qualitative approach --
DR. APOSTOLAKIS: Okay.
MR. CUNNINGHAM: -- then you've got those weaknesses.
DR. LOIS: And therefore, we have to do some work on how to
incorporate qualitative approaches into risk-informed. However, we
don't have any thoughts yet for the qualitative approach.
Also, reflecting what has been done right now in the
industry, we thought that as a first cut, we could -- what we called use
a limited scope PRA for a risk-informed purposes, and that limited scope
would include only plant outages, and from those plant outages would be
those modes that have reduced the water inventory.
However, they would include transition between code shutdown
and refueling, because we think that transition risk may be as
important. Also, it would address this spent fuel risk. So, it's a
little bit more -- it's a limited scope, but it does not quite reflect
what's happening in the industry right now, because I guess most of the
plants do not assess transition or spent fuel, although the tools have
the capability to do that.
DR. APOSTOLAKIS: Now, judging from our discussions with the
various commissioners, one thing is for sure: they don't want to see
the staff propose a new major study ala 1150 for low power shutdown.
They're not convinced that this is something we need.
I think what you need is a more focused approach, and, for
example, you need a view graph that says this part of the problem is
done satisfactorily right now by the laboratory work of a few years ago
or by the Seabrook PRA or whatever. The reason why I mention Seabrook
is that my understanding is that it is the most complete one, external
events and so on, goes all the way to letter three. That's what you
guys say here.
So what is it I don't like about the Seabrook PRA that I
want to improve upon and then identify those issues that you feel need
some work? Judging again from at least my personal impression from what
the commissioners have been saying, that would go a long way towards
gaining support from them.
DR. LOIS: So, then, that's what we do here, George? This
slide represents an approach, and then, we go in and say what we need if
we are going to adopt this approach or this methodology for some parts
of risk informed regulation, then, what do we need to do on that?
DR. APOSTOLAKIS: But what I'm saying, Erasmia, is it would
strengthen this slide if you referred specifically to existing studies.
For example, why do you want to do plant outages only? Nobody else has
done it? You may very well say and this PRA has done a pretty good job;
all we have to do is improve it in these areas.
DR. LOIS: Yes.
DR. APOSTOLAKIS: Then, if I were to vote on this, I would
say gee, you know, maybe it's worthwhile doing, but right now, I don't
get that feeling that you are building on the state of the art.
MR. CUNNINGHAM: Erasmia's got two or three different what
she calls approaches here, and she's building on -- because she's doing
two or three approaches, because she's building on the two or three
approaches that are out in the industry today: the qualitative approach
that she was talking about is used in outage management today. This is
a description of a way some utilities manage their risk in outages, but
you're right, and what we're trying to do is exactly what you say. If
we want to build on that to be able to use it in risk informed
regulation space, what do we need to do?
DR. APOSTOLAKIS: But I'm trying to be constructive here,
Mark. I'm saying it would help you a lot if you referred specifically
to existing PRAs and said okay, there is a need for shutdown modes with
reduced water inventory, but the French have done it; it seems to be a
reasonable job; we'll take that.
Now, our guys are not doing it, but the methodology is
there. That's what I'm saying.
DR. LOIS: Okay; I guess we can clarify this point if we go
to slide 23.
DR. POWERS: I guess I'd like to understand, George, if you
say gee, let's not do a big NUREG 1150 study on shutdown risk, and I say
gee, why would George say that? We learned an awful lot from NUREG
1150. Those guides are thinking an awful lot about risk. Why wouldn't
I be very excited about having something like NUREG 1150 applicable to
shutdown events, applicable to fire events? I think I would. So why is
it no, I don't want to do that.
DR. APOSTOLAKIS: Let me tell you why. I think there are
two reasons. First of all, I'm not really saying don't do it. I think
there are two issues that I need to clarify here. The commissioners
will never approve that if I go there and just say that. Second, what
I'm saying is you can do that, but you can specify the methods that are
ready to be used for that, so the impression that the commissioners will
get will not be that you are starting, you know, almost from scratch,
because then, the magnitude of the effort will be very large.
But if you say yes, it would be great to have a new 1150 for
these kinds of equivalents, for these kinds of modes, but look: 70
percent of this has already been done; all we have to do is take those
methods, those results, evaluate them, of course, make sure we are
convinced, and then, we need development only in this 30 percent; I
think that will go a long way towards giving you the necessary
resources.
DR. LOIS: And that is not reflected in the report, I
understand, but as Mark said, we went a little bit beyond that, and the
issues that I'm going to discuss as proposed work, most of it is
guidance development; for example, this is how one will use the full
power models for shutdown risk. Most of the utilities do use their full
power models. However, there are some -- there is a need for guidance
on how you would do that on a more appropriate way.
So that is an aspect which would need work. However, it is
not like doing another 1150 except --
DR. POWERS: I guess I'm really having trouble understanding
why let's not do another 1150. When I consider 1150 did a great deal to
clarify what the risk profiles of representative classes of plants are.
I mean, we learned a lot. We learned furthermore where the
uncertainties were that would affect the outcomes. And that seemed like
a very, very valuable thing.
Now, my reluctance for undertaking a big 1150 study right
now is we have not done the equivalent of the IREP studies of shutdown
events yet. We've got it technically in the state that we could do
1150.
DR. APOSTOLAKIS: Again, I don't think that the final goal
is different, the way I see it and you see it. All I'm arguing here,
all I'm trying to do is give advice as to what the best strategy would
be to have the commission approve the necessary resources so that the
staff would do this. Now, 1150, if you go back, you know, I don't think
-- I mean, there were some studies, notably in the Zion, Indian Point
and so on that looked a little more seriously into level two phenomena
but nothing like what 1150 did.
Here, you can say yes, my goal is to have an 1150 type of
study, but with the same breath, you're saying a lot of it has already
been done. I'm not starting --
DR. POWERS: Somebody is going to have to persuade me that a
lot of it has been done.
DR. APOSTOLAKIS: Because there was no discussion of it
today. You see, I read here that Seabrook has done a level 3 full-scope
PRA, and that's mentioned in passing, okay? I'm sure they've done more
than that, okay? It included fires; it included everything else. So
what is it that they did? And what is it that you don't like? What is
it that you don't like about it, and you feel you have to do it from
scratch?
DR. POWERS: I mean, we've had this conversation with our
French colleagues, and I would say that they viewed their work on
shutdown risk as scoping and exploratory and not a definitive tour de
force of the subject. I certainly heard the people claim a tour de
force on their risk analysis. I'm not sure these things bear much
scrutiny.
DR. APOSTOLAKIS: Why?
DR. POWERS: I think we can find deficiencies.
DR. KRESS: I think Dana has a good point, and I think it
would be a lot easier at this time to do an 1150, because you have the
base that you started from for full power, and I think you can draw a
lot to do another 1150 for shutdown.
DR. POWERS: I worry, because I know what people think of
when they think of an 1150. It's huge numbers of studies that went on
--
DR. KRESS: But what are you going to put into an 1150 for
shutdown? You're going to put down uncertainties on the fission product
releases? Are you going to put in uncertainties on the initiating
events? You know, a lot of those uncertainty ranges are going to be
about the same, and I think you can do a lot with what you already have,
and you don't have to worry about uncertainties on the containment
failure. You approach it a different way. So, you know, I think it
would be a lot easier to do. But one of the things that bothers me that
I don't see in a thing like these approaches, and that's let's take the
case of one kind of risk-informed regulation; that is, the 1.174 type,
where last sea comes in and says I want to make this change.
So you have to enter into -- one of the things you have to
do is enter into your matrix and say what's the CDF, and what's the
delta CDF? And that's one of the things. Now, in order to do that in
terms of low-power and shutdown, you're going to include those in this
matrix, you'll have to ask yourself what does this change to the plant
that's being proposed do to my lifetime, my whole lifetime, 40 years, of
shutdowns in terms of changing the risks? You have no way at the moment
of knowing how to account for future unplanned and planned shutdowns,
because they're not planned more than one shutdown at a time, not for
the lifetime. You have to figure out some way in a risk informed world
to account for changes to the plant that are going to affect the whole
risk profile for its lifetime, and I don't see this in the concept
anywhere. And that's what bothers me.
DR. SEALE: What bothers me is I'm trying to figure out what
dog will hunt in today's jungle.
DR. APOSTOLAKIS: Which is my problem.
DR. SEALE: And the one that will is risk informing Part 50.
That's the commitment that exists. We ought to ask ourselves what
elements of shutdown risk evaluation you need in order to make risk --
make Part 50 risk-informed. You get to the concerns about making
comparisons, because that's integral to a 50.59 type process or things
like that. All of the elements are there, but I don't think you can
call it an 1150 replication, because there's just a lot of baggage with
that, but if you ask yourself what it takes to risk inform Part 50,
then, you get to the pieces that you need to do the job, and you're
doing it in a way that is consistent with the dedication -- well, with
the marching orders that the staff has received from the commissioners.
DR. APOSTOLAKIS: If I read your report, page 3-2, some
traditional LPSDPRA applications have covered planned and forced outages
in addition to refueling outages to get the comprehensive risk profile.
An example of this is the industry study performed by PRG for the G”sgen
plant in Switzerland, which consisted of a level one and two analysis
for both internal and external events.
Now, that intrigues me. If I look at this, I'm willing to
bet that with these view graphs alone, you will have three commissioners
voting no, because there is nowhere there anything that tells me that
there is a study for G”sgen that does all these things and that you're
going to build on it, and I've heard it many times from Diaz and
McGaffigan: they don't want to start a major study. They want to know
what specific things the staff should do to make sure that it reaches a
state of understanding of low-power and shutdown that will allow it to
use it in 1174 and others.
So when I see a sentence like this that plays no role in the
presentation, I think you're following the wrong approach. I think you
should say there is this study there; we looked at it. There are
certain things we like; certain things we think we ought to do better,
but to have this dynamite sentence that they looked at planned and
unplanned outages, level one and two analysis for both internal and
external events, so what? We dismiss it?
DR. LOIS: So, then, George, I'm not quite sure what is your
point here.
DR. APOSTOLAKIS: My point --
DR. LOIS: Whether or not we've learned that, we propose
actually -- our approach is to --
DR. APOSTOLAKIS: But you are not saying anywhere there in
your view graphs which parts of the existing studies you think are good
enough, so you will not do any work on them.
But most of the work that we propose is not method
development.
MR. CUNNINGHAM: It's an excellent point. We're talking
about all of the things that are needed, but we're not talking about the
things that are already sufficient --
DR. APOSTOLAKIS: That's right.
MR. CUNNINGHAM: -- if you will.
DR. APOSTOLAKIS: And maybe you did that already in your
private deliberations.
MR. CUNNINGHAM: Yes, that's right.
DR. APOSTOLAKIS: But as a third observer now --
MR. CUNNINGHAM: Yes.
DR. APOSTOLAKIS: -- I don't get that feeling. So what I'm
saying is you have to make sure the commissioners understand that you
will use a lot if, of course, you approve of what's already out there.
MR. CUNNINGHAM: Yes.
DR. SHACK: That's sort of assuming that you know what you
want to do. I thought the point of these view graphs was to try to
decide what you could do if you had this.
DR. APOSTOLAKIS: If you had this? What do you mean?
DR. SHACK: What could I do towards risk informing
regulation if I only had qualitative stuff? What could I do towards
risk informing regulation if I had a limited scope understanding? What
could I do towards risk informing regulation if I had the whole nine
yards?
DR. APOSTOLAKIS: That's a different --
DR. SHACK: That's a different question.
DR. APOSTOLAKIS: Yes.
DR. SHACK: But I think -- I thought that was the question
they were trying to set up here is what could I do if I had this?
DR. APOSTOLAKIS: Nothing.
DR. SHACK: No, you want to tell me how do I get to the
whole nine yards? That's a whole different question, you know. Do you
need to get to the whole nine yards? Can you do enough?
DR. APOSTOLAKIS: But if you go to the recommended work a
few slides later, again, maybe that's where my comments belong.
DR. SHACK: Right.
DR. APOSTOLAKIS: But you don't see anywhere a recognition
in writing, because I think Mark is right. I mean, those guys thought
about it. I don't see any evidence in writing here on the view graphs
that they will build upon what's out there. So when I see that the PRA,
especially for the Swiss, which consisted of level one and two analysis
for both internal and external events, I would like to know why can't I
pick that out? It was done by an American contractor, anyway, and use
that.
DR. BONACA: You did also for Seabrook, so already there --
DR. APOSTOLAKIS: There you are.
DR. BONACA: -- there was an understanding of, in fact,
since the systemics of the two plants are quite different, there will be
different lessons learned there.
DR. APOSTOLAKIS: For example, you say here initiating
events. Maybe if you --
DR. LOIS: I guess that's what they're going to say. The
key point here is guidance. When we propose to develop guidance, the
assumption is that we know how to do it, and therefore, what we provide
here is how one would like standards or a NUREG that would tell how
would you do a good job, and this is because of these insights we got
from the studies referenced in chapter two. So, then, there is no
method development in this area because --
DR. APOSTOLAKIS: Well, I don't know that; you have to tell
me that, you see.
DR. LOIS: Yes; I'm sorry.
DR. APOSTOLAKIS: I don't know that.
DR. LOIS: I mean --
DR. APOSTOLAKIS: And if I look at the last bullet, it says
common cause failure analysis: examine applicability of full-power CCF.
Why? Examine applicability of the G”sgen PRA.
DR. LOIS: Sure.
DR. APOSTOLAKIS: Not full power.
DR. LOIS: Okay.
DR. APOSTOLAKIS: Then, you are telling me that you are
already aware of this, and you are going to go and see, does this apply?
DR. LOIS: Yes.
DR. APOSTOLAKIS: And if it applies, I don't have to do
anything.
DR. LOIS: So, then, for the purpose of this discussion, we
got your point, George. However, when we recommend work as guidance
development, the assumption is that we feel comfortable with the methods
existing, and therefore, we need only clarification on how it should be
done.
DR. APOSTOLAKIS: For me at least.
DR. LOIS: I recognize that.
DR. APOSTOLAKIS: I strongly recommend that you use as much
as you can from your review, and whenever you refer to something, say
and a lot of work has been done there, or we will examine, like you say
there, the applicability of what the Swiss did. In other words, we are
truly building on what's out there, and you are, of course, very free to
disagree.
I think it's a matter of communication, but I know of three
commissioners who if they see this will be negative.
DR. LOIS: Okay.
DR. APOSTOLAKIS: And frankly, if I were one of them, I
would probably be myself.
DR. LOIS: Okay.
DR. APOSTOLAKIS: Unless I talked to you in private, and you
explained to me that -- you know, communicating is very important,
especially when people walk into the room being on the negative side, as
I think these three are.
DR. LOIS: Okay; so, here, we clarify it. Shall we go
ahead?
DR. APOSTOLAKIS: So, tell us about the next recommended
work.
DR. LOIS: Okay; I guess the next recommended work is on the
HRA, and the point that we would like to make here is that typically,
people are using the methods that are used for full power, and we heard
the complaint that it is not applicable, and probably, the estimates are
all very pessimistic because the times allowed in the full-power PRAs
are small, et cetera.
So our feeling is that probably what needs to be done here
is clarification, because most of these -- some of the full-power HRA
methodologists do allow for long times that it appears that it's not
clear in there, in people's heads, how one would use it, and the other
is, of course, to investigate what we should do for the human error to
initiate abnormal events and look at ATHEANA and then perform additional
work if we find that it's necessary.
DR. APOSTOLAKIS: I think ATHEANA can be used very well in
low-power shutdown operations to do what it does well for power
operations; in other words, given the initiator, you've had human
failure events; analyzes the hell out of them. But as you pointed out
earlier, the work processes here really may create unhealthy situations
is not exactly something that ATHEANA right now does.
In fact, one of the commentors again on ATHEANA said that
it's hard for him to see how management and organizational factors can
be included in this current format, and maybe they don't really belong
there, but in this case, where, you know, a lot of things are happening
that are not little things, that's where these things get important.
DR. SEALE: Could I ask a detailed question: do we have
available performance estimates for things done by staff who are trained
members and so on versus contractors who come in from the outside? Is
that kind of distinction recognized here? And should it be?
DR. APOSTOLAKIS: It should -- it will be recognized if they
start doing what we just discussed.
DR. SEALE: Yes, and as a matter of fact, the thing that
comes out of that, it seems to me, is you need supervision of a trained
staff member overseeing anything that a contractor does.
DR. APOSTOLAKIS: That's one of the arguments that the
industry has used in arguing for online maintenance.
DR. SEALE: Yes, oh, yes.
DR. APOSTOLAKIS: We could relieve our staff from a lot of
the work that has been during outages, so we don't need as many
contractors. So this is one of the unquantified benefits of online
maintenance. But there is no quantitative, serious evaluation of this.
DR. SEALE: Yes.
DR. LOIS: So, then, going back to your point here, we have
things that we can build upon in existing methodologies and some things
that we probably should explore further.
DR. APOSTOLAKIS: Yes.
DR. POWERS: When you look at a plant, and you say gee, I'm
going to do the risk assessment here on this plant, you have a pretty
good idea of what things look like when the plant is operating, not only
for the next operational cycle but for 20 operational cycles down the
stream. You have a pretty good idea of what that plant is going to look
like when it's operating.
That's not really the case for shutdown, it seems to me;
that I know what the next shutdown event is going to look like pretty
well, because people are probably working on planning it right now as we
speak. But I have no idea what the 19th next shutdown is going to look
like, because there will be other, different demands on things that will
have to be done. I don't see how that gets factored into these things
that you're talking about as future work on the PRA, the fact that the
shutdown events are not carbon copies of each other, even as planned
right now, and the unplanned shutdowns, Lord knows what they look like.
How do you handle that?
DR. LOIS: I guess PRA always -- I'm sorry.
MR. CUNNINGHAM: I just wanted to clarify something. I'm
not sure I understand what you mean. Are you talking about variability
in outages themselves or variability of the events that occur during
outages?
DR. POWERS: I'm saying that -- I may be -- what I know is
that my planned outages right now, I'm going to take fuel out, and I'm
going to put fuel back in; I'm pretty sure that that's going to happen,
and I know all about that. I know what I have to do to take fuel out,
and I know what I have to do to take fuel in. But while I'm doing that,
I also tend to do maintenance on lots of things that need to be
maintained.
Some of those things, I know very well, because I'll do it
every single outage. Some of those things, I will do only every fifth
or sixth or tenth outage, and so, any given outage is going to look
different as far as what's available and what's not available; what
stresses there are on one group of operators versus another group of
operators. Everything is going to be different.
DR. BONACA: And they will change as you go.
DR. POWERS: And they change as we go along, evolve. I want
to see recognition here, you know, of that difference.
DR. APOSTOLAKIS: I think I didn't communicate it very well.
That's what I meant when I said that ATHEANA is not equipped to handle
that; that you really have to deal with the way work is being
accomplished. The complicating factor that you just raised is that you
may not even know what work needs to be done for some of these, but the
plants do not do things ad hoc. They have work processes; they don't
always call them that way, programs and work processes. So if there is
a need for something to say oh, this is what we're supposed to do, and
they follow this sequence.
Now, what complicates things, I think, is the timing. But
one of the most important things that I learned, at least from looking
at the operating experience, is that you really have to know at any one
time what work processes have taken place at the plant and what changes
to the configuration have been affected precisely because they are
trying to do this piece of work, and Wolf Creek is a good example.
DR. BONACA: One thing that drives clearly the risk is
you're making a plan at the beginning, and that will involve a certain
number of modes or configurations, okay? If you went -- when you see a
lot of changes happening to the original plan for whatever reason -- it
may be management that says do it fast, so do this first and pull out
that -- there is almost a correlation between events that occur and the
amount of changes that you have in the -- I mean, number of modes, there
is a correlation between what happens. I don't know -- you know, I
really don't know if -- I don't know if that can be or where that can be
treated. But anyway --
DR. SHACK: Coming back to the bigger picture, it seems to
me that, you know, you're doing this request for a number of reasons.
One is that I think to me, when I see what they recommended here, at
least implicitly in their head, it seems to me most of this is aimed at
assuring themselves that the quality of the PRAs that the licensees are
using to manage their outages are good. So to me, most of this work
would look like it would build towards just assuring themselves that
what these guys are doing with their PRAs are pretty good, and so
they're looking at those weaknesses.
There's this question of how do I decide where I'm at in
1174? There's the question of how do I give the senior reactor analysts
the ability, the tools, to judge? To me, those are kind of almost three
different things, and when you're recommending the work, you kind of
have to decide which of those higher level goals you're really aiming at
at the time. And, you know, at the moment, I would say that what I see
up there looks like it's focused on assuring the quality of the PRAs
that the licensees are using, which doesn't strike me as an unreasonable
thing to be doing.
It doesn't address all of the questions one might ask.
DR. APOSTOLAKIS: But given the current situation, okay,
funding, commissioners and so on, no matter how noble your goal is, the
question of how you get there is critical, because if you tell them that
you're going to do all of these things to get there without anything
else, there is a very high probability --
DR. SHACK: But first, you have to know where you're going.
DR. APOSTOLAKIS: Yes, but they seem to know, though. They
seem to know. They can rephrase it a little better.
DR. SHACK: To me, you know, I think I've seen us aim off at
a couple of different roads here. Now, a lot of what you're doing, of
course, is useful for all three major things.
DR. APOSTOLAKIS: Okay; so what do we recommend, then, to
the staff to structure -- let's say they have to make a presentation to
some real decision makers, not advisors. First is the goal: what are
you trying to do here, okay?
DR. KRESS: What are the benefits?
DR. APOSTOLAKIS: Yes; so, what are the goals? The goals,
as you just said, is to have a PRA.
DR. WALLIS: Why do you have those goals?
DR. APOSTOLAKIS: What? Well, there has to be some sort of
an ultimate achievement.
DR. WALLIS: A benefit. What's the need?
DR. APOSTOLAKIS: Well, the need is, first of all, that the
way 1174 is now, this is a major hole. You can't really use 1174.
DR. WALLIS: And you feel that hole is important?
DR. APOSTOLAKIS: Well, it is the jewel of the crown of the
regulations.
DR. SHACK: I'd put it the other way around. What I want to
be sure is when the licensee does a PRA of his shutdown, it means
something.
DR. APOSTOLAKIS: Yes.
DR. SHACK: So, well, to me, that's the most important thing
--
DR. APOSTOLAKIS: Actually, I would change it slightly to
say when they use ORAM and all of those things, they should really know
what they're doing, and the way to do that is with a PRA. And Dana's
point that the staff should have the tools to evaluate what the licensee
is doing is a relevant point here.
DR. BONACA: Assume that I could make a point that the risk
that we're talking about needs some characterization, okay? I could
identify some sensitivities. I made an example before of the
relationship between events and the numbers of mode changes that should
take place, and I don't know if there is a basis. I have a very strong
suspicion. If you have a number of characterizations of the type that
you could draw from a study of this nature, the benefit would be very
obvious in my mind. I'm trying to go back to the issue of the benefit.
There are things we can draw upon to understand so that we can all learn
from that, because the utilities have not done that. The utilities are
using it ad hoc, but they have not determined, for example, the issue,
again, if there is one, and I believe there is one, and there is a
correlation between the way you change modes, et cetera, so many times
and the events that you get, right?
And so, I think the benefit issue is very important to me.
DR. APOSTOLAKIS: Okay; I suspect that we're getting into
the discussion among ourselves now, so let's stop for awhile; we'll get
to that and give Erasmia one last chance to give one of her view graphs,
and I think the view graph we have not talked about and introduces
something kind of new is number 28. Everything else, I think one way or
another, we have discussed.
DR. BONACA: I also propose again that we will give the gold
medal to Erasmia for the patience she has shown.
DR. APOSTOLAKIS: Especially given her heritage, being
patient is not something --
[Laughter.]
DR. APOSTOLAKIS: -- that is a clear characteristic from
that part of the world.
DR. LOIS: Thank you; I accept the --
DR. APOSTOLAKIS: So tell us why you think transition risk
is important, contrary to the evidence you have seen, Bob, the last few
years.
DR. SHACK: I better not rush to just.
DR. APOSTOLAKIS: What transition?
DR. LOIS: I guess it was just about the discussion that --
your discussion right now, that this is the change within, from one
power level to another, transition, but also, as within a configuration,
as people do the realignment, this is where the errors probably occur.
DR. APOSTOLAKIS: Has anybody done a transition risk
analysis?
DR. LOIS: I guess -- yes?
MR. WHITEHEAD: Donnie Whitehead; let me address that.
There have been studies, and we reported a couple of them both from the
NRC and industry studies that account for the first one that we talk
about here; that is, modeling the risk associated with moving from one
operational state all the way down to some lower operational state or
from power operation down to shutdown.
The second concept in transition risk, I believe, has not
been examined, and at this point in time, we are unsure as to whether or
not, you know, it is important; I mean, what we are proposing here is
that this area be investigated; that is, where are the places where
initiating events might occur? This, you know, this is very likely that
it could be in the actual physical changing of or transitioning of the
plant from, say, train A of RHR to train B of RHR, positioning of valves
from one state to another state, especially if there are combinations of
actions going on.
So that's where we're -- that's where we think that we need
additional work to examine to see whether or not this is important. The
other, like I said, it has been looked at.
DR. APOSTOLAKIS: Do you suspect that it is important? On
what basis?
MR. WHITEHEAD: Well, because of events that have happened
in the past, where indicate, I think you had indicated one where
activities were postponed from one to another, and then, from one day to
another day, and then, people come in and start in on the activities
that they believe that they need to, you know, to perform. I mean, what
we're looking for here is to try to identify, you know, what are the
interactions amongst the human events that must take place to actually
move the plant from one state to another state, and, I mean, the answer
is we do not know if they're important. We suspect that it's possibly
that they're important, and we've seen events where, you know, an
initiating event occurred because of conditions like this.
DR. APOSTOLAKIS: I remember the BMW owners' group a couple
of years ago when they were arguing, oh, what was it now? That the
plant should not be shut down. They include the transition risk in
their calculations, and what struck me then was that that number was
pretty high, and on the basis of that, they were arguing that it's
better to extend the AOT and do things at power rather than shut down
because this particular piece of equipment has been down longer than the
allowed time.
MR. WHITEHEAD: That's the first concept --
DR. APOSTOLAKIS: Right.
MR. WHITEHEAD: -- in transition risk, yes.
DR. KRESS: I'm not sure I understand. If I'm going to do a
risk assessment of a plant, I've got to find a configuration in that
plant, and then, I've got to go into my PRA and put in all the failure
rates and initiating events and come out with a number.
There is no transition here. If I want to do it for another
configuration that has changed, then, I change the PRA to this new
configuration. If I'm going to ask myself what's the transition risk,
it's actually embodied in one or the other in that second state, and you
have to ask yourself the mere fact that I changed from this state to
that one must have affected something in my PRA. It must have said I
either do not have this configuration like I thought I had or I have a
different failure rate for something or a different something.
So it ought to be -- the transition risk ought to be
embodied some way in your look at the given --
DR. APOSTOLAKIS: I guess what they're saying is it's not
the initial and final states that matter. There is a certain period of
time between the initial and final when things are changing.
DR. WALLIS: It's like landing an airplane. Flying and
being on the ground are very different for the pilot.
[Laughter.]
DR. APOSTOLAKIS: So they are making a distinction. This
doesn't happen in a small delta P, when they reconfigure the plant and,
you know, to go from one state to another, it takes a certain period of
time.
DR. KRESS: PRAs are not differential equations. You cannot
do that in a PRA.
DR. APOSTOLAKIS: No.
DR. KRESS: You want to divide it up into little time
increments and --
DR. APOSTOLAKIS: Well, we don't know what you're going to
do, but maybe there is a period of a few hours when certain things are
happening, and maybe the existing tools are not good enough. I mean, we
are into pushing event risks and fault risks to the limit. I mean,
there are static tools that represent logical relationships, and we're
using them everywhere, and time is important.
DR. BONACA: It changes it, it may cause initiating events
that you never consider in any other period of initial or final
configuration, just because something is happening there; a system is
out of service.
DR. KRESS: Like I said, you're changing something that --
you fix a configuration, and you put an initiating event frequency or a
failure frequency or a configuration. So the research you have to do
there doesn't have anything to do with the PRA.
DR. APOSTOLAKIS: But you have to look for these initiating
events. That's what they are saying, that somebody has to look.
DR. WALLIS: I don't agree that those lines -- repair really
should be a dynamic thing in which everything is a function of time and
so on; that's a very sophisticated PRA.
DR. KRESS: That is a different PRA than what we have now.
DR. APOSTOLAKIS: That's different; that's a second
generation PRA.
DR. KRESS: You may be right; it ought to be a different
equation.
DR. APOSTOLAKIS: Mike, do you want to say something?
MR. MARKLEY: I just was going to say something.
DR. APOSTOLAKIS: Come to the microphone.
MR. MARKLEY: Just from my inspector experience, it seems to
me --
DR. APOSTOLAKIS: Who are you, Mr. Markley?
MR. MARKLEY: I used to be somebody else, but Mike Markley
with the ACRS staff.
I think it's mostly, you know, at least from, you know,
inspector time is that the opportunities for more human errors occur,
and that's really where it goes through the roof, that the equipment
really hasn't changed for the most part, but the mere process of
changing things and taking people out of their daily routine and having
them do things that they haven't done in 18 months or so creates
opportunities.
I mean, just something as simple as taking the generator off
the grid causes safety system actuation with the diesel if you don't do
it properly and turn one wrong knob. So there are just unique
opportunities and things that you don't realize about the equipment as
well. Two rods don't fully insert in a core in post-operating cycle rod
drop tests. What does that mean? They're just --
DR. KRESS: So figure out how much time you're in the
transition; fix the PRA configuration at some average thing and input
different failure.
DR. APOSTOLAKIS: But now, you're telling them how to do it.
DR. KRESS: But the problem is what are you going to input,
and the input has to do with you don't know what these new changes to
the failure rates and the initiating events are.
DR. BONACA: The big problem is that there is an issue about
how you transition, and you can model it. The bigger issue is you're
doing so; you have a lot of preparation ahead of time. You have
literally a month and a half or two where everything is being reviewed,
okay?
Now, you get into with the legal staff, and the decision is
made that something cannot be done. You go back a step, so you can do
something, do some work before, and now, you have narrow windows of
evaluations; you have shift changes, and you have maybe only one
individual reviewing something and dressing it off. So all I'm trying
to say is that now, that mode change that happens as a change process as
you are in the outage triggers all of the events that Mike Markley was
pointing to, okay? In addition to the transition, you have unplanned
transitions, and if really, one could understand the risk of that and
understand the correlation that there is between those things and risks
and how you can model it, for example, it would be a justification for
better understanding what should not be done and ultimately what should
not be done in that configuration.
DR. APOSTOLAKIS: Okay; I'm just -- I think you're almost
done, but I'm just curious on page 31. As part of this project, you
plan to check a republic. Which republic are you checking?
[Laughter.]
DR. LOIS: I'm sorry about that. I'm sorry about that.
DR. APOSTOLAKIS: Okay; I think we should thank Erasmia for
her patience.
DR. POWERS: I think there's --
DR. APOSTOLAKIS: I think we should discuss it among
ourselves now.
DR. POWERS: I think there are still some omissions from the
work that has to be done. It seems to me one of the first steps that
one has to do in thinking about a probabilistic risk assessment, one has
to find out what a criterion for success and failure is. And it's not
evident to me that the criteria for success and failure in shutdown are
the same as they are in power operations. And in particular, I see -- I
look at things that go on during shutdown, and I said gee, we finally
recovered fuel and then covered it back up, that would be okay. I
wouldn't have any trouble with that.
It's not evident to me that it's okay under shutdown
conditions, and I guess my point is --
DR. APOSTOLAKIS: What is the appropriate metric for that?
DR. POWERS: Yes; do we need to understand what the success
criteria are for these shutdown events?
DR. APOSTOLAKIS: Okay.
DR. POWERS: Do we understand what the consequences are of
failure for achieving a success pathway? For instance, I guess there
has been talk about the release pathways or the release mechanism. A
pressurized plant for an accident in the power, you usually conceive of
a fairly violent release of radioactivity when the containment fails,
and you track it as a plume, whereas with the containment open and what
not, you are probably going through the aux buildings, for the most
part, for a power accident, you would give no credit for decontamination
of the aux buildings, because we knew the velocities were so high
powered, you would probably be knocking them down anyway, and resonance
times were going to be pretty low.
Now, I think the resonance times are high, and
decontamination probabilities are very high in the aux buildings. That
element seems to be missing from this.
DR. APOSTOLAKIS: Let's put some structure to this
discussion.
First of all, thank you very much, Erasmia. You can sit
down now.
The first question is does the committee feel that the full
committee should write a letter? Can you turn off the -- any feeling
that we need to write a letter or stay silent? The staff is requesting
a letter, by the way.
DR. KRESS: In December?
DR. APOSTOLAKIS: Yes, in December, commenting on all of
this and maybe offering some advice. Are the members reluctant to write
a letter?
DR. POWERS: How many pages long?
[Laughter.]
DR. APOSTOLAKIS: All right; so, the first answer, then, is
yes, we will write a letter.
Now, I want to ask you a point of procedure.
DR. SHACK: Is there any particular urgency to the letter?
I mean, if it slipped --
DR. APOSTOLAKIS: They are sending something in December to
the commission.
MR. CUNNINGHAM: We owe a commission paper with this plan in
December to the commission by current schedules.
DR. APOSTOLAKIS: So, the question is this: shall we go
around and have each member express his views about what ought to be in
the letter? Or shall we first talk about some general issues like the
goals of the research, what are we trying to achieve, methodology and
then give members opportunity to -- how do you want to structure this?
Because we don't have much time.
DR. SHACK: Are we going to see the commission paper before
we write the letter?
MR. CUNNINGHAM: I suspect the commission paper itself will
be just a summary of what you've got already.
DR. SHACK: Of this document. And this unreleased,
unreleasable document is actually a reasonably accurate reflection?
MR. CUNNINGHAM: I think the place we really need to think
in that document is the recommendations part of it. We've heard a lot
of good information today, and that's the part that --
DR. APOSTOLAKIS: I'd like something much earlier than that.
DR. WALLIS: I don't think you can sell this program if you
use what you have at the moment. I think you've got to answer the kind
of questions that Dana has, the kind of questions the commission is
going to have, and all these details that we get into here are not going
to make any difference to that. That's my impression.
DR. APOSTOLAKIS: If you could get a postponement, it will
benefit you.
MR. CUNNINGHAM: Okay.
DR. APOSTOLAKIS: Because if the report reflects the
presentation, I'm not sure that the commission will be positive.
DR. SEALE: I just think you have to make the point that
these are things you have to do in order to deliver on your commitment
to risk-informed Part 50.
DR. APOSTOLAKIS: Well, okay, let's start without them.
What should be the goal? What is the need for this kind of research?
Can we go around?
Bill? You can pass if you wish, but you raised the issue.
DR. SHACK: No, I see you'd have multiple goals for this
one.
DR. APOSTOLAKIS: Okay; what are they?
DR. SHACK: You know, as I say, one, to assess what the risk
management that the -- right, I mean, that's clearly directly related to
--
DR. APOSTOLAKIS: Assessment and management of what? Of the
utilities?
DR. SHACK: That the utilities are performing. I mean, that
seems to me the absolute most direct connection to public health and
safety. These people are making decisions.
DR. APOSTOLAKIS: Okay; what's next?
DR. SHACK: The next is to -- you need this in order to
continue with your risk-informing Part 50 or even 1174, you know. And
you do have to know where you are on the axis.
DR. APOSTOLAKIS: And the third? Is there a third?
DR. SHACK: The third, I think is Dana's point of view that,
you know, the commission itself needs insights and perhaps tools. Now,
if you can't afford all three of these, you know, then, we have a
prioritization problem.
DR. APOSTOLAKIS: The commission needs insights for what?
DR. SHACK: They can make judgments on what the utilities
are doing, the tools.
DR. APOSTOLAKIS: For what?
DR. SHACK: No, tools says -- you're assessing the tools
that the utilities are using.
DR. APOSTOLAKIS: Yes.
DR. SHACK: Well, the other part is to have your own tools
so that you can essentially do an assessment also.
DR. APOSTOLAKIS: Which will tell you how good what the
utilities are doing is.
DR. SHACK: But you make an independent -- you know, the
question is is this important enough that you require independent
assessment?
DR. APOSTOLAKIS: I think they're related but --
DR. SHACK: I wouldn't say that they're independent.
DR. APOSTOLAKIS: No?
DR. SIEBER: No, the utility can -- may or may not decide to
do shutdown risk assessment or choose whatever tools they want, and
then, they manage risk that way. The commission, however, needs to have
the tools to be able to arrive at generic conclusions about certain
phases of shutdown operations so that they can decide whether not only
risk informing Part 50 but what's the adequacy of the deterministic
regulations that exist right now, because it's always going to be a
hybrid, and they need to have some kind of a risk-informed ability to
determine whether the regulations are adequate or not.
DR. SEALE: Tom King mentioned the ASP program.
DR. APOSTOLAKIS: Yes.
DR. SEALE: The need to provide the inspectors with the
tools they need in order to make reasonable judgments about risk and the
shutdown mode.
DR. APOSTOLAKIS: Well, this is part of assessing the risk
management that --
DR. SEALE: Yes, but that's again a commission commitment
down the road, and in order to do that, you need risk informed
information about shutdown.
DR. APOSTOLAKIS: The way I see it from what I hear is that
there are two issues, really. One is --
DR. SHACK: You've got all the way to go around the table.
DR. APOSTOLAKIS: But it's going to be repeated, so let me
focus it a little bit. One is contribute to the current efforts to
risk-informed Part 50 and use 1174, and the other one has to do with
what the utilities are doing right now, and that has several parts: is
it good enough, right? Do we have the capability to independently
evaluate it? You know, all these are parts of this. So there are two
major goals that I heard so far.
Tom, any comments on this?
DR. KRESS: I think those are the two goals.
DR. APOSTOLAKIS: Bob?
DR. UHRIG: Just that this is important, because the order
of magnitude of the risk is comparable to normal operations. In spite
of the motivation --
DR. APOSTOLAKIS: How do I argue with that? It's
comparable? There is a suspicion that it is. There is evidence that it
may be.
DR. UHRIG: Yes, but that's not a goal.
DR. APOSTOLAKIS: That's not a goal.
DR. UHRIG: No, but it is an issue that --
DR. APOSTOLAKIS: But it relates to -- Jack said, regarding
the adequacy of the existing regulations --
DR. UHRIG: That's right.
DR. APOSTOLAKIS: -- that risk may be high.
DR. UHRIG: And the other issue is whether you want to say
anything about the ASME effort on standardization PRAs should or should
not include this.
DR. APOSTOLAKIS: That's not a goal right now. That may be
a little later. It's not a goal.
DR. UHRIG: Okay.
DR. APOSTOLAKIS: Mario?
DR. BONACA: My problem is with the second recommendation.
My point is that right now, the utilities are only doing a very detailed
evaluation when they see the big picture, lessons learned, okay? Of
what the drivers are of risk during shutdown. We know that inventory is
important; power is important. The question is what is happening out
there that drives risk? And, you know, we make some discussion here
about motivations. There are some issues there that, you know, have not
been looked at in a comprehensive fashion, and certainly, 1150 did that
for power. We don't have any equivalent.
DR. APOSTOLAKIS: So the insights that the PRA provides are
--
DR. BONACA: Generally, insight from the lessons learned
about all these different facts.
DR. APOSTOLAKIS: Dana?
DR. POWERS: Are we going to look at the goals?
DR. APOSTOLAKIS: Okay; so, I am sorry.
DR. WALLIS: You never asked me.
DR. APOSTOLAKIS: I never asked you? Professor Wallis?
DR. WALLIS: Well, it seemed to me that if your goal is to
risk-inform Part 50, if that's the goal, and I don't know if this really
is the goal, then, what you need to do is figure out what you need for
adequate PRAs in these situations. I don't think, however, this is
going to sway the commission. I think that risk-informing Part 50 isn't
such a wonderful thing that you do everything no matter what in order to
risk inform everything. You've got to figure out what matters.
I don't think the case is really being made that this is a
crucial place to put --
DR. APOSTOLAKIS: Yes; for example, the option two that the
staff is pursuing now, which really deals with the scope of the
regulations, clearly --
DR. WALLIS: You need to have the right tools if you're
going to risk inform. What are the tools you need in order to
understand the PRA?
DR. APOSTOLAKIS: You clearly need a ranking of SSCs under
all the configurations, so clearly, this is a major hold, yes, yes.
DR. SIEBER: Again, this is administrative in nature, but
you do have an enforcement policy that's risk-informed right now, and
most of the violations that are written are written during outages on
different things that happen. So if you're going to risk inform that to
determine whether it's cited or non-cited or civil penalties, you've got
to have a basis, and right now, you don't.
DR. APOSTOLAKIS: So risk inform the enforcement process.
DR. SIEBER: Yes or policies.
DR. KRESS: When you say risk-inform, the regulations are
included in that.
DR. APOSTOLAKIS: I think that we can emphasize that.
Okay; it seems to me that we are done with this. We'll have
another opportunity to discuss the letter; don't worry about it. This
is just advice to the poor fellow who has to write the first draft.
Shall we go to the tools, or do you want to go to open
discussion and then, after the tools, go to the open discussion, in
other words, the various recommendations of what to do and so on?
The floor is open for any comment you want to make.
DR. WALLIS: What can you do with the present tools, and
what are you losing?
DR. APOSTOLAKIS: Well, that was exactly my point, that I
want to see the --
DR. WALLIS: How can you make the quickest --
DR. APOSTOLAKIS: What can you do --
DR. SEALE: With what you've got.
DR. WALLIS: With what you've got.
DR. SEALE: The first question.
DR. WALLIS: Why are you dissatisfied, and where are you
dissatisfied, and what is the cost of all of this?
DR. APOSTOLAKIS: Why do more? Yes, justify why you need to
do more, right? In an explicit way.
DR. WALLIS: Yes.
DR. KRESS: See, George, we made the point in an earlier
letter that there are two types of PRA in this context. One is for
configuration risk management, and the other is for risk informing the
regulations. In my opinion, those things are very different animals,
very different. I think the tools that are out there are mostly for
configuration risk management that the industry has. I have a problem
with those that are the same as Dana's. I don't think we -- the oranges
and the reds and the greens have been well-quantified in terms of the
risk, so I have a problem with those.
But I don't think they help us very much at all in
risk-informing the regulations, and I think we need a new type of tool
for that, and it involves this comment I made about you have to know --
you have to project the risk over the lifetime of the plant if you're
going to risk-inform the regulations. If you're going to project the
risk over the lifetime of the plant for shutdown conditions, you will
have to have some representation of what those are, and I don't know.
We don't have the database; we don't have the tools for analyzing them.
We don't have the effects of the various configurations over the
lifetime of the plant, and I think the development of the tools in that
area is where you really need a strong look at them.
DR. APOSTOLAKIS: I am not willing to make such a strong
distinction between configuration risk management and risk informing the
regulations. I mean, if you -- I don't think you need a different PRA
to do this.
DR. KRESS: I think you can write a shutdown risk using the
configuration risk management tools, but I don't think you can write a
shutdown risk rule.
DR. APOSTOLAKIS: Right.
DR. KRESS: But I don't think you can risk-inform the whole
body of regulations with that kind of configuration.
DR. APOSTOLAKIS: No.
DR. KRESS: I don't think it's useful.
DR. APOSTOLAKIS: Jack?
DR. SIEBER: It seems to me that PRA and power operation
versus shutdown risk are two completely different things. From
standpoint that the shutdown risk is dominated by human events, in my
opinion, there are 17,000 valves in a PWR and probably an equal number
of switches, circuit breakers and so forth. When you shut down the
plant and go from mode one to mode six, you're going to move about half
of them to put on all of these clearances and so forth, and every outage
that I've known in every plant usually has five or six valving errors in
the process of the posting of clearances, reconfiguring the plant to
start back up, and when you change modes, you run through places where
you don't have a lot of margin, like steam generator level control,
low-powers.
I mean, how many plant trips have there been? 200? 300
from that? And so, I see all this transition analysis and human factors
analysis as dominating everything as opposed to a full power PRA.
DR. APOSTOLAKIS: That was the genesis of ATHEANA, by the
way, was a low-power shutdown.
DR. WALLIS: You have delta functions; you have
probabilities. Every time someone throws a switch, it might be the
wrong switch.
DR. SIEBER: That is correct.
DR. APOSTOLAKIS: So you should use --
DR. SIEBER: It might even be the wrong unit.
DR. WALLIS: That's true.
DR. SIEBER: Or a wrong trend, you know.
DR. APOSTOLAKIS: So the nature of the beast is different,
and it's time dependent.
DR. SIEBER: Yes, and you have to identify where these key
points are, you know. You change divisions halfway through the outage
so you can --
DR. APOSTOLAKIS: Okay.
DR. SIEBER: -- maintain one side or the other. And you use
the one to stop.
DR. POWERS: Initially, it just really eludes me here.
There are huge potentials for errors, and they manifest themselves, and
we've had lots and lots of events that have merited more discussion. We
haven't melted any fuel yet. And the question that is not clear to me
is why not? Why haven't we melted fuel given all this potential, given
the lack of regulations of this, safety regulations that exist in here,
we haven't melted any fuel. I mean, and during power operations, I have
melted fuel at least once.
DR. SIEBER: I think things move fairly slow.
DR. POWERS: Right.
DR. SIEBER: They're relatively self-identifying, and there
is no huge pressure and temperature.
DR. BONACA: That is a good point to be made. As we are
going to shorter outages, that time becomes more --
DR. WALLIS: Then, you need some criterion for saying when
the time is too short.
DR. BONACA: I think you made this out to be --
DR. KRESS: That may be considered a goal right there.
DR. BONACA: We should put that inside the letter, too,
because, I mean, things are changing there.
DR. WALLIS: I think someone should really make an estimate;
suppose the shut time is cut in half the time? Now, what is the risk?
DR. BONACA: That's not enough, because you have to really
--
DR. WALLIS: I can make a case to the commission that --
DR. APOSTOLAKIS: That's not enough. You have to know which
activities have been moved to power operations. You know, just to say I
cut the time is not informative enough, I don't think, for a risk
assessment.
Okay, we agreed on that. Any other point?
[No response.]
DR. APOSTOLAKIS: There will be a point there about building
on existing technology.
DR. SIEBER: Must be.
DR. BONACA: Yes, and by the way, that is a very important
point, the point you were making before. There is information.
DR. APOSTOLAKIS: Pardon?
DR. BONACA: Of course, it's all for PWRs, but I'm saying
that, for example, even though the issue was talked about before,
lessons learned for other drivers --
DR. APOSTOLAKIS: Now, regarding the goals, this issue of
the cornerstones, should we mention it there?
DR. KRESS: Well, couldn't we mention the consistency?
DR. APOSTOLAKIS: Yes, consistency.
DR. WALLIS: The main goal has been --
DR. KRESS: Yes; I think that's what Bill Shack said.
DR. SIEBER: Well, there is a tradeoff between do you
maintain the concepts of the goals, or are you willing to trade that
because you have more time to react? You know, you ultimately react --
DR. SHACK: It's almost a given. You have to grade those
things.
DR. APOSTOLAKIS: Yes, that's right.
DR. SHACK: That's why you shut down, I mean, because you
want --
DR. SIEBER: I'm convinced that --
DR. APOSTOLAKIS: Yes, but I mean, you just don't dismiss it
because you have to. There must be something else --
DR. KRESS: Yes.
DR. APOSTOLAKIS: -- that you are doing right.
DR. SHACK: You're shutting it down.
DR. KRESS: You can maintain safety without having to shut
down.
DR. WALLIS: In order to get to a safer condition.
DR. KRESS: But it would be nice to have one so you can, you
know, have assured yourself of what margins, to assure yourself of what
levels of safety you maintain.
DR. BONACA: A quick question about what are the
cornerstones to the applicable, valid, to the shutdown conditions.
DR. APOSTOLAKIS: Should we revise the cornerstones?
DR. SIEBER: There may be new ones.
DR. BONACA: There may be new ones.
DR. SEALE: Are the existing ones sufficient?
DR. BONACA: And by definition, you are taking out certain
cornerstones.
DR. APOSTOLAKIS: Good point; good point. No, I agree,
because I think Jack's elaboration was very good, you know, that you are
doing a few things to the current cornerstones, but on the other hand,
you have longer times to respond; your radioactive inventory is not as
high, blah, blah, blah, blah, blah.
DR. WALLIS: What are you doing? Are you advising the
commission, or are you advising the staff?
DR. APOSTOLAKIS: We are advising, I think, the EDO at this
point or the commission itself.
DR. POWERS: At our last meeting with the commission, we
offered our low-power shutdown, we ran out of time and didn't have the
opportunity to, so I think that -- and they indicated still an interest
in that. So I think even if they were written to the EDO that we have
to recognize by answering questions that they may have had.
DR. APOSTOLAKIS: Are you sending a SECY?
MR. KING: It's a SECY. Generally, when we give you our
SECY to look at, you write to the EDO, but you can write to the
commission if you want.
DR. KRESS: I think somewhere in there, we may have to
discuss uncertainties, too.
DR. APOSTOLAKIS: Yes, yes, yes; don't worry about that.
DR. WALLIS: What is your expected output? Are you writing
a letter in order to have the commission make certain decisions? What
are you --
DR. POWERS: We have previously written to the commission,
telling them that we thought shutdown was a significant area.
DR. WALLIS: And you didn't get very fa.
DR. POWERS: And that they should consider doing some
examinations of their capabilities to do risk assessments during them.
And at the same time, we also told them that the proposed rule was not
acceptable to us, because we didn't understand enough about the shutdown
experience to write a useful rule.
DR. APOSTOLAKIS: This effort --
DR. WALLIS: So what we're trying to do now is support the
staff's effort to get more information? Is that what we're trying to
do?
DR. APOSTOLAKIS: Yes.
DR. WALLIS: So it has to be sold.
DR. APOSTOLAKIS: Yes.
Anything else?
[No response.]
DR. APOSTOLAKIS: Now, regarding the staff's presentation at
the full committee meeting, you have now what? Two weeks?
MR. KING: Yes, two weeks.
DR. APOSTOLAKIS: Can you try to address some of these
concerns --
MR. KING: Yes.
DR. APOSTOLAKIS: -- and not show the same presentation?
What are the goals? How you build on existing information and maybe do
some of it and say this is, for example, how we're going to do it?
MR. KING: We need to sharpen up our recommendations.
DR. APOSTOLAKIS: Yes.
MR. KING: Because that's really what we owe the commission:
what do we propose to do in the future?
DR. APOSTOLAKIS: What is it that's already being done
satisfactorily, and what is it that you feel ought to be worked on? I
think that is really the key evidence.
MR. KING: Yes; try to focus the presentation that way.
DR. APOSTOLAKIS: Great; how much time do they have, Mike?
MR. MARKLEY: Hour and a half.
DR. APOSTOLAKIS: Hour and a half. So we're not going to
see any of the documents from you before we write the letter.
MR. KING: No.
DR. APOSTOLAKIS: So we will not have the benefit of the
document listing.
[Laughter.]
DR. APOSTOLAKIS: Anything else that a member wants to
raise?
[No response.]
DR. APOSTOLAKIS: The staff?
[No response.]
DR. APOSTOLAKIS: Members of the public?
[No response.]
DR. APOSTOLAKIS: Well, this meeting is adjourned.
[Whereupon, at 12:11 p.m., the meeting was concluded.]
Page Last Reviewed/Updated Tuesday, July 12, 2016
Page Last Reviewed/Updated Tuesday, July 12, 2016