ACRS/ACNW Joint Subcommittee Meeting, January 14, 2000

                       UNITED STATES OF AMERICA

                        White Flint II
                        Room T-2B3
                        11545 Rockville Pike
                        Rockville, Maryland

         The subcommittee met, pursuant to notice, at 8:30 a.m.

         THOMAS KRESS, Co-chairman, ACRS Member
         JOHN GARRICK, Co-Chairman, ACNW Chairman
         RAYMOND WYMER, ACNW Member
                   P R O C E E D I N G S
                                               [8:33 a.m.]
         DR. KRESS:  Let's please come to order.
         This is the second day of the meeting of the Joint
     Subcommittee of the Advisory Committee on Reactor Safeguards and the
     Advisory Committee on Nuclear Waste.
         Once again, I'm Thomas Kress, Co-Chairman of the
     subcommittee, and on my right is Dr. John Garrick, also Co-Chairman of
     the joint subcommittee.
         Joint subcommittee members in attendance are George
     Apostolakis of the ACRS and Dr. Ray Wymer of Oak Ridge, Tennessee, and
     the ACNW.  Also present is Dr. Milton Levenson, consultant to the ACNW.
     I guess we have two invited experts left, Dr. Robert Budnitz and Dr.
     Robert Bernero, Mr. Robert Bernero.
         DR. APOSTOLAKIS:  Is Tom coming?
         DR. KRESS:  I don't know.  That's why I stumbled over this.
         This meeting is going to continue the discussions we had
     yesterday on defense-in-depth in the regulatory process and particularly
     focus on its role in licensing a high level waste repository, but also
     its role in revising the regulatory structure for nuclear reactors that
     make it more risk-informed, and how the two are related to each other,
     if at all.
         The subcommittee will gather information, analyze relevant
     issues and facts, and formulate proposed positions and actions, as
     appropriate, for deliberation by the full committees.  We always have to
     read that.
         Michael Markley is the Designated Federal Official for the
     initial portion of this meeting, that's Mike over there.
         Rules for participation in today's meeting have been
     announced as part of the notice of this meeting previously published in
     the Federal Register on December 21, 1999.
         A transcript of the meeting is being kept and it is
     requested that speakers first identify themselves, name and affiliation,
     and speak with sufficient clarity and volume so they can be readily
         With that out of the way, our agenda says we're going to
     continue our general discussions and that Tom Kress and John Garrick
     will review the goals and objectives of this meeting.
         John, do you have anything?
         DR. GARRICK:  Let me just comment a little bit about some of
     the thoughts that we had when we were planning this meeting; that if we
     could achieve those, it would be very constructive.
         It was pretty obvious from yesterday's proceedings that from
     an implementation standpoint, there are vast differences between the
     reactor problem and the materials problem, and we also know there is a
     vast difference between different categories of materials problems.
         Much of what we have been talking about and discussing has
     been narrowed to the high level waste repository issue and the reactor
     safety issue, but we can't forget that on the materials side, there are
     all these other categories of things that we have to be concerned about
     and be prepared to offer advice to the Commission on how
     defense-in-depth might apply to those.
         So maybe one of the things that we can discuss a little more
     today are the non-high level waste issues and what the role of
     defense-in-depth is.
         The other thing that I would hope maybe we can discuss is
     that we had a bit of a vision coming into this that what we would like
     to do would be to agree on some overarching issues and philosophy about
     the application of defense-in-depth that would be applied regardless of
     the application, and then realize that when we start talking about how
     it's done and we start focusing on implementation, that we need to
     specialize to the areas that we're going to apply it to.
         So I would hope that one of the things that might come out
     of our discussion today would be some overarching things that we could
     agree on as to what we mean by defense-in-depth that are applicable
     regardless of application, and then recognize that we've got to split it
     up into the two primary issues and deal with it accordingly.
         So that's it.
         DR. KRESS:  That's a good suggestion, I like both of those.
     George, do you have any thoughts on what we should be doing this
         DR. APOSTOLAKIS:  I agree with John.  Are we going to write
     a letter?
         DR. KRESS:  That's probably something we need to decide.
         DR. APOSTOLAKIS:  Because if we are going to write a letter,
     I think we should spend -- we should structure the discussion this
     morning around specific points we want to make, not just general
     discussion of defense-in-depth.
         DR. KRESS:  Absolutely.  Does the joint subcommittee, at
     this point, actually see a need for a letter?  What would -- I'm sorry.
         DR. BUDNITZ:  I just want to comment about something.  John,
     your remarks seem to assume, as a predicate, that it's possible to come
     up with something that would be agency-wide and, more to the point, that
     it's desirable and useful to do so, and I think, the best I can tell,
     that's still an open question for discussion.
         DR. GARRICK:  You always have to have a goal.
         DR. BUDNITZ:  I understand.  I've been thinking about this a
     lot and it's more than not clear to me.  It's pretty clear that to try
     to do that may impede what the various arenas individually need.
         DR. GARRICK:  I know Bob has --
         DR. BUDNITZ:  Without arguing that I'm -- I have an open
     mind about some suggestions that might overcome those difficulties.
         DR. GARRICK:  Right.
         MR. BERNERO:  I would suggest -- in fact, I put together a
     brief outline of topics for discussion framed in such a way as to
     discern whether or not there is some kind of growing or evident
     consensus on the overarching philosophy and on particular applications
     of that overarching philosophy.
         Put simply, I would suggest that an approach of discussion
     that if it merits going to a letter or whatever format, fine, because
     ultimately that would be desirable, but start with what I would call the
     characterization of defense-in-depth.
         There was a lot of discussion yesterday of is it a policy,
     is it a strategy, is it a philosophy, is it an approach, to really
     discuss that carefully, so that one has the bounds of what it is and can
     establish that.
         Then in my own thinking, it goes to a policy of no undue
     release rather than multiple barriers as a definition, and then the
     relationship of defense-in-depth to risk-informed regulation.  They are
     two different concepts and I think that has to be very clear.
         Risk-informed actions are appropriate to the consideration
     of defense-in-depth approach or philosophy, and I think we should
     discuss that, and what are the implications of applying risk
     information; in other words, willingness to reconsider either the
     existence or the modification of traditional barriers, things like we
     discussed yesterday with the AP-600.
         Then having discussed the overarching, go to application in
     specific fields, in reactors, materials regulation, low level waste or
     decommissioning, and high level waste, because those last two are quite
     different.  So that's what I would suggest.
         DR. APOSTOLAKIS:  I think that's an excellent suggestion.
         DR. GARRICK:  I think it's an extension of just what we've
     been talking about.
         DR. APOSTOLAKIS:  Yes.
         DR. BUDNITZ:  Just to amplify what I said two minutes ago in
     another field, I've never been on a code committee to try to develop
     regulations to design public facilities against earthquakes, but I have
     had discussions with those that have wrestled with that for years.
         For a long time, those code committees and the people who
     are involved in such policies thought about whether they could come up
     with some overarching philosophical approach to such design, design,
     again, public facilities, buildings, bridges and so on, refineries,
     against earthquakes.
         It turns out that while you can do it, it's not terribly
     beneficial to do that, and the reason is that the design problems are so
     different in California, coastal California, than they are in, let's
     say, Florida.  And why is that?  It's because the Bay Bridge, which I go
     across from time to time, earthquakes are the principal threat.  But a
     comparable bridge in Florida, they are by no means the principal threat.
     They're something you've got to do anyway, also.
         And whether something is a principal threat or not governs
     the design philosophy in important ways, and that could be the case
     here.  Certainly I couldn't see necessarily the same philosophy applying
     to smoke detectors as I would to a nuclear power reactor, just to use a
     couple extremes.
         You have to be careful about whether, in striving for that,
     you do a disservice to all of it.  That's to support my skepticism,
     without saying that I have open ears to some ideas.
         MR. HOLAHAN:  This is Gary Holahan, on the staff.  If I may
     add a thought.  Back in March, after some discussion with the ACRS and
     the ACNW, the Commission issued a white paper with a bunch of
     definitions in it and one of them is this thing we talked about
     yesterday, which is, in effect, the definition of defense-in-depth.
         I think if the committees say nothing, then that definition
     is left in place.  So I think one of the things that needs to be
     addressed is the fact that we already have an expression by the
     Commission of a sort of philosophy and definition of defense-in-depth
     and if the committee likes it, that's one thing; if the committee
     doesn't like it, then I think that frames the issue that the committee
     or staff or someone needs to tell the Commission that a change is in
         So in part, the fact that that is an existing document
     frames part of this issue.
         DR. GARRICK:  Not only that, Gary, we reviewed that document
     in its preparation and one could take that review as our endorsing that
         MR. HOLAHAN:  Yes.  And I think if the committee says
     nothing or the staff says nothing, it ought to be interpreted as a
     re-endorsement or at least not an argument against leaving that
         DR. GARRICK:  Maybe it's a good idea to put that definition
     back up on the screen.
         DR. KRESS:  Yes, I was going to suggest that.
         MR. MARKLEY:  It's in your books, tab ten.
         DR. KRESS:  I don't have a notebook.
         DR. APOSTOLAKIS:  There was one transparency.  Would it help
     to put it up there?  I believe Norm had it.
         DR. GARRICK:  Here it is.
         DR. APOSTOLAKIS:  We should also be able to see it.
         MR. BERNERO:  The second bullet is my own words.
         DR. KRESS:  I personally don't have any problems with that
     definition.  It just lacks quantification, which most definitions do,
     but as a concept, I don't have any problem with it.
         DR. APOSTOLAKIS:  I don't know why I should disagree with
         MR. BERNERO:  There are a couple of things that you really
     ought to think about.  This is a definition that -- and as I said when I
     put it up, I don't quarrel with it, but what does it mean and how is it
     applied.  The rest of the sheet music isn't written yet.
         So the purpose of this dialogue and further dialogue would
     be, okay, what are the implications of this, not wholly dependent.
         DR. APOSTOLAKIS:  I think there is more to it than just the
     implications.  The more I think about it now, I'm coming up with ways to
     modify it.
         I think a fundamental issue here is the fact that
     defense-in-depth, which is what it says there, has the intent of
     managing uncertainty.  Unless we say that, unless we bring uncertainty
     in the issue here, we can't really go very far.
         The reason why that's important is because when this was put
     together 40 years ago, the uncertainty in the probabilities of
     accidents, frequencies of accidents was not quantified.  This is a key
     element.  And now a part of it, a good part of it is quantifiable and
     that's why we're revisiting the issue.
         DR. GARRICK:  Yes.  It should be pointed out, George, and,
     of course, you know this, that in that same paper, they did offer a
     definition of risk that did make reference to uncertainty and
     quantification and what have you.
         DR. APOSTOLAKIS:  But this defense-in-depth should do the
         DR. GARRICK:  Right.  There is one thing about this, and I
     kind of like the definition, too, with the interpretation that we're
     giving to it regarding risk.  But I think one word, key word is missing
     in that sentence that talks about the net effect of incorporating
     defense-in-depth into design, construction, maintenance and operation,
     and that's the word management.
         I think most of the cleanup and the strides that have been
     made in elevating the U.S. plants into the top ten group of the world
     recently has been principally driven by a change in the culture, a
     change in the management, and attitude of the people at the plants.
         So I would just make the simple addition there that the net
     effect of incorporating defense-in-depth in the design, construction,
     maintenance, management and operation --
         DR. APOSTOLAKIS:  I guess operation is implied.
         DR. GARRICK:  I think it's more than operation, because the
     one thing the nuclear plants learned is that there's got to be much more
     at the plant than just the plant manager and the operations manager.
     The plant is very strongly dependent upon support services, on
     engineering, on a whole bunch of other things, and so I think that would
     embrace that concept.
         DR. KRESS:  I would have narrowed that and just said design,
     construction and operation.  Those are parallel activities that
     incorporate both management and maintenance and it's just different
     phases of the reactor life.
         DR. BUDNITZ:  George, I want to amplify your notion about
     uncertainty, because I think you might have missed something.  If I have
     it wrong, you'll tell me.
         Let me postulate for a minute that for a large facility, it
     might be a gaseous diffusion plant or something, that actually, in the
     analysis, in the PRA analysis, all important uncertainties are
     quantified; that is, we know them, which really means that they're
     dominated by something that we really know and there are some
     unquantified things that we don't know, but they're known to be less
         I don't think that the fact that you and I and others around
     this table could say that with confidence is necessarily enough for the
     general public.  The general public are skeptical of engineers and
     scientists.  The phrase intellectual arrogance comes to mind, because
     from time to time, assurances have been given in other arenas and, in
     fact, in the '50s and '60s and even in the '70s, just go see what Dixie
     said after WASH-1400, they were said in this arena.
         That mistrust means that the general public may seek
     additional assurance in the defense-in-depth arena, even if the
     uncertainties are quantified well and we really know what they are.
         DR. APOSTOLAKIS:  Yes, but that's a separate issue.  That's
     what to do when you have quantified.  All I'm saying is --
         DR. BUDNITZ:  Wait, wait.  But I want to argue to you that
     in that arena, a driver for a defense-in-depth approach to design and
     operation could be to provide that assurance to the public over and
     above our need for it as engineers.
         DR. APOSTOLAKIS:  Right, over and above.
         DR. KRESS:  That's one of the reasons I came up with the
     allocation concept in my definition.
         DR. APOSTOLAKIS:  I think that's the next issue.  We're
     discussing now the definition.  I mean, somebody wants to find out what
     is defense-in-depth and I think this doesn't tell that person that the
     whole intent of the philosophy is to manage the uncertainty associated
     with reactor safety.
         DR. BUDNITZ:  Because, in fact, I argue that that may not be
     the whole intent.
         DR. APOSTOLAKIS:  No.
         DR. BUDNITZ:  Yes.  Now, let me just argue.  An important
     objective could be, and I argue that it ought to be --
         DR. APOSTOLAKIS:  Convince the public.
         DR. BUDNITZ:  -- to make transparent to the public --
         DR. APOSTOLAKIS:  That you have managed the uncertainty.
         DR. BUDNITZ:  No, no.
         DR. APOSTOLAKIS:  Yes.
         DR. BUDNITZ:  No, no.  That notwithstanding the above, we
     have an additional barrier, notwithstanding the above.  In other words,
     even if we convinced ourselves we didn't need a containment,
     notwithstanding the above, we give you this additional thing, because
     people can understand what --
         DR. APOSTOLAKIS:  But the whole driver of this is the
     uncertainty.  The public also has uncertainty, they don't believe us.
         DR. BUDNITZ:  In which case, that doesn't capture that
     either.  I'm just trying to make a point that --
         DR. APOSTOLAKIS:  I understand the point.
         DR. BUDNITZ:  -- if, in fact, the technical community has
     understood its uncertainty and know what it's doing and really don't
     think we need this thing, it may be that that's the only way to get the
     public to accept technology that they believe is dangerous.
         DR. APOSTOLAKIS:  But I don't think the definition should
     say we're doing this in order to convince the public.
         DR. BUDNITZ:  I didn't say to convince them.  I said that an
     objective could be, and I propose that you think about whatever it
     should be --
         DR. APOSTOLAKIS:  It's ensure.  Ensures.  Defense-in-depth
     philosophy ensure that safety will not be -- you want to put the words
         DR. BUDNITZ:  I'm not a wordsmith here, although I could try
     it.  I'm just trying to make a point about --
         DR. APOSTOLAKIS:  And that's a good point.
         DR. BUDNITZ:  I'm trying to say that it's more than just
     managing what we engineers and scientists think is unquantified
         DR. KRESS:  George, I am always reluctant to disagree with
     you, but let me throw this out to you.  I think, as a technical activity
     that's hazardous, society values both preventing the accident from
     happening in the first place.  They value being able to stop it before
     it gets very far.  They value protection in case these things fail and
     it goes so far that you've got to mitigate it, and they value being able
     to have alternative means to protect themselves.
         And I say that defense-in-depth is just providing those
     multiple layers because that's what we value, and not because there's
     lots of uncertainty in each step.  And at the same time, it turns out to
     be a way to manage the uncertainty as a byproduct.
         DR. APOSTOLAKIS:  And I think about it in the complete
         DR. BUDNITZ:  I understand.
         DR. APOSTOLAKIS:  That the driver here is the uncertainty
     and the reason why we value these things, and I agree with you, is
     because we believe that that's a reasonable way, a convincing way of
     handling that uncertainty.  If you didn't have that uncertainty, the
     public would not be asking you for all these.
         DR. BUDNITZ:  I don't agree with that.  That's what I don't
     agree with.
         DR. APOSTOLAKIS:  Why aren't they asking for
     defense-in-depth when it comes to an airliner?
         DR. BUDNITZ:  Because we've got data.
         DR. APOSTOLAKIS:  And the public is convinced that it's
         DR. BUDNITZ:  Because we have data for airliners.
         DR. APOSTOLAKIS:  And what does that mean because we have
     data?  That we have eliminated a lot of the uncertainty.  That's the
     driver, that's the fundamental issue.
         DR. BUDNITZ:  The data are acceptable.
         DR. APOSTOLAKIS:  The fundamental issue is the uncertainty
     and if the public has uncertainty, some people have lied or misguided
     the public in the past.  So now other things come from it.  But the
     fundamental reason why we had this was to manage the uncertainty
     associated with reactor accidents.
         MR. BERNERO:  Could I interrupt with a thought?  This is a
     joint subcommittee meeting of two committees.  This dialogue betrays
     that this definition is essentially a reactor safety approach.
         DR. APOSTOLAKIS:  It is.
         MR. BERNERO:  And it basically falls apart seriously when
     you try to apply it to the materials side or the waste management side.
     I think that's an important point for the committee to consider.
         DR. APOSTOLAKIS:  Yes.
         MR. BERNERO:  My understanding of the white paper is it was
     intended to be an overarching one.
         DR. APOSTOLAKIS:  Yes.
         DR. KRESS:  Yes.
         DR. GARRICK:  I'm certainly a disciple of uncertainty being
     a highly visible part of the process and that it is the keystone, if you
     wish, of the whole issue of risk.
         On the other hand, the reason I kind of like this definition
     is that I think it communicates well.  I think it's absent of a lot of
     esoteric terms and a lot of systemese language that sometimes offends
         Sometimes the whole notion of risk and uncertainty
     unfortunately does that.  So I don't have a big problem with it.  I
     wouldn't have a big problem either with modifying it to put some
     emphasis on that.
         DR. APOSTOLAKIS:  Yes.  It's not an issue of rejecting this.
         DR. GARRICK:  Right.
         DR. APOSTOLAKIS:  So how about if defense-in-depth is an
     element of the NRC safety philosophy that employs successful
     compensatory measures to manage the uncertainty associated with
     accidents in nuclear facilities, and then go on to say that you prevent
     accidents, bla, bla, bla, bla, bla.
         DR. GARRICK:  Well, the only thought I have about that is
     the public might say I don't care about managing uncertainty, I care
     about ensuring my safety.
         DR. APOSTOLAKIS:  What's the difference?
         DR. GARRICK:  You and I understand that.
         DR. BUDNITZ:  But, George, let me just go to the repository
     for a minute.
         DR. APOSTOLAKIS:  But aren't we arguing for the public?
         DR. BUDNITZ:  But let's talk about the repository for a
     minute.  We all know that it's going to be a non-trivial job for the
     Department to demonstrate, to their satisfaction and to the NRC's, that
     they can meet the 10,000 year thing, right?  But I think most of us
     would have no problem with the Department saying we got high assurance
     for 1,000 years that nothing is going to come out.  You do that with a
     can, right?
         And that's high assurance.  But I know members of the public
     that think that a thousand years is an awfully long time and that it's
     arrogant beyond credibility for any scientist to claim a thousand years
     for something that hasn't lasted a thousand years and no one has built a
     can in the year 1000.  These are, in fact, then extrapolations.  So we
     have to recognize there are people out there, thinking members, not just
     unthinking, thinking members of the public, who don't trust our
     extrapolations, even though we have very little uncertainty.
         DR. APOSTOLAKIS:  Look, I'm having a problem here what we're
     trying to do.  This is becoming a risk communication session.
         DR. BUDNITZ:  No, no, no.
         DR. APOSTOLAKIS:  I am not saying that it's not important to
     communicate to the public, but let's not forget the technical community,
     too.  We are trying to define a concept that has been hailed as the
     cornerstone of the safety philosophy of this agency.
         DR. BUDNITZ:  Sure.
         DR. APOSTOLAKIS:  And if I manage to communicate both to the
     public and the staff what that philosophy is, then I'm a great guy.  But
     let's first try technically to define it and understand what it means
     ourselves and then worry about communicating to laymen.  I don't think
     that's a secondary --
         DR. BUDNITZ:  I'm not talking about communication.  I would
     argue to you that if Yucca Mountain only had a thousand year thing, we
     still might want to have multiple barriers, even though we had
     confidence you didn't need them.
         DR. KRESS:  George, as a pure rationalist, do you not have
     trouble with the second sentence?
         DR. APOSTOLAKIS:  The second sentence.
         DR. KRESS:  A pure rationalist has trouble with it.
         DR. APOSTOLAKIS:  I have a -- sure.  I'm willing to give a
     little bit for this, because this is an overarching principle, but the
     -- what I'm trying to say here is there are certain fundamental things
     that have to be mentioned and the fundamental reason why this approach
     was developed by the pioneers before the NRC, before anybody else, was
     the recognition that there was a lot of uncertainty in what we're doing.
     We cannot quantify it.  Here is a way to make sure that it's managed,
     that the frequency of the accidents is indeed small.
         This is how the whole thing started and the reason why we're
     going back to it now is because that uncertainty is quantified, or a
     good part of it, as I keep saying.
         Unless that is here, I don't see why we bother to put this
     up there.  Now, whether that is meaningful to the public is a good
     question, but an equally good question is, first, let's make sure that
     the two committees, the staff and all offices and so on agree that this
     is a reasonable definition, so we all speak the same language, and then
     worry about how to communicate it to other people.
         MR. BERNERO:  I think the real issue is not -- I share your
     feeling, that later worry about communication.  What you have to focus
     on here is agree on the language and how to apply it in the scientific
         DR. APOSTOLAKIS:  Absolutely right.  You're absolutely
         DR. KRESS:  In effect, I don't like value judgments placed
     in definitions and I would have marked out the second and third
     sentence, and because the first sentence is the definition.  The second
     and third just throw in things that give people some warm feeling, but
     it's not part of the definition.  It's a value judgment and description.
         MR. BERNERO:  Do you want to go back and rewrite this or do
     you want to decide whether you can live with it and apply it?  That's
     the basic point.
         DR. KRESS:  All I'm saying is I think we ought to
     concentrate on the first sentence only, because that's the definition.
     Those other things are just riders that go along and have no essential
     impact on what you do.
         DR. APOSTOLAKIS:  How about if we end the first sentence,
     you know, after "a nuclear facility," put a comma, so that the
     probability of accidents remains acceptably low or something to that
         DR. GARRICK:  Or the likelihood of accidents remains.
         DR. APOSTOLAKIS:  Or likelihood.  Wordsmithing is okay, but
     the thought.  So you're doing all these things in order to make sure the
     probability is low.  Now, Ray disagrees.
         DR. WYMER:  I do disagree.
         DR. APOSTOLAKIS:  Okay.  Why is that?
         DR. WYMER:  I think that's off the point.  It seems to me
     that even if the uncertainty is very small or negligible, you still want
     to do what it says in that first sentence.
         DR. APOSTOLAKIS:  And I would argue that you can never get
     to low probabilities unless you do what's in the first sentence.
         I don't know.  I can make such a strong containment that I
     can get there without doing too much about CDF and other things.
         I don't know what that means.
         DR. BUDNITZ:  You see, again, I'm not arguing about
     wordsmithing here, but something about, in the last sentence, it says
     "such that the net effect is the facility tends to be more tolerant and
     is demonstrably so."  There is this point here.  It's not just that it's
     so, but it's demonstrably so.  And demonstrably, I'm not sure whether I
     like that word or not, but the idea is to be able to convey to smart
     people who aren't risk engineers.
         DR. GARRICK:  I think we've made a lot of progress if we can
     agree on the first sentence, because I do think that -- what I like
     about this definition is that it communicates well and the second and
     third sentence are helpful to people not in the business, because it
     tells us a little more of what it means.
         DR. APOSTOLAKIS:  Make them separate bullets perhaps.
         DR. GARRICK:  Yes, yes.  But I agree that as a guiding
     overarching definition, that if we could agree that the first sentence
     does that, then we've made one important step.
         DR. APOSTOLAKIS:  Not as it is.  I disagree.
         MR. LEVENSON:  John, might I suggest that this is already
     out.  So diddling with these words is an interesting exercise, but I'm
     not sure what it means.
         DR. GARRICK:  Well, what it means --
         MR. LEVENSON:  Well, let me finish my thought.  That is that
     the thing -- the problem I have with this definition that nobody has
     mentioned is that it lumps all nuclear facilities in the same bag, and
     that, I think, is a big mistake, and that it might be more valuable if,
     rather than worrying about these words, this definition is out, it might
     be more profitable to work on a statement as to how this overarching
     statement applies to different facilities and make it very clear that it
     applies completely differently to reactors than it does to repositories.
         DR. KRESS:  In application, certainly.
         MR. LEVENSON:  Well, let me read you a couple of words I
     diddled down here while everybody was talking.  Presently,
     defense-in-depth is a concept utilized in nuclear reactor design and
     licensing to help assure the safety of a dynamic high energy system.  It
     is utilized as one of the tools to deal with uncertainties and factors
     that have time constants shorter than practical intervention times.
         A repository, on the other hand, is not a high energy
     system, does not contain large amounts of stored energy, and has
     extremely long time constants.  Therefore, defense-in-depth, as applied
     to reactors, is not appropriate for application to a repository.
         The use of passive multiple barriers may be a more
     appropriate method of coping with repository uncertainties than is DID.
         DR. KRESS:  I think that's a good statement.
         DR. GARRICK:  Except that last, than is DID.
         DR. APOSTOLAKIS:  Passive barriers are DID.
         DR. GARRICK:  That's what I mean.
         MR. LEVENSON:  I'm saying I think it is a form of, but I
     think if you don't dissociate these two, the repository is continually
     going to be hung up with things coming from the reactor side of the
     house.  You have to dissociate them.  You can use whatever words you
         DR. APOSTOLAKIS:  But the first sentence has both.
         DR. KRESS:  It would fit that very well, the first sentence
         DR. APOSTOLAKIS:  You don't want to say accidents, though.
         DR. BUDNITZ:  At the end, you shuck DID, whereas you might
     instead say it means this for the repository, rather than just shuck it.
         MR. KING:  Can I jump here a little bit, too?
         DR. KRESS:  Yes, sure.
         MR. KING:  This is Tom King, from the staff.  I think Mr.
     Levenson's suggestion is a very good one.  Gary and I were just talking
     also that this came out a year ago, this definition.  If you use the
     analogy that consider this the rule and what you guys ought to be
     working on is the reg guide and how do you apply this and why shouldn't
     you be talking about, okay, given this definition, what are all the
     points that ought to be addressed in an application.
         The application can vary across the regulated activity.
     It's an attempt to manage risk, as George said, prevention versus
     mitigation, all these points that you think are important that aren't
     really covered very well in this broader definition, but you think ought
     to be addressed if somebody went to apply it.
         To me, those would be the things you ought to be focusing on
     in this committee and then once you get those identified, then the next
     question would be how should those be communicated; should we go back
     and modify the white paper to put some sort of application statements in
     there, should you recommend a separate policy on defense-in-depth, what
     is the right vehicle to put this down and communicate it to the staff
     and to the public.
         But I wouldn't go back and fool with the definition at this
         DR. WYMER:  I agree with that.  I think that there is a big
     difference --
         DR. APOSTOLAKIS:  What if the definition bothers you?
         DR. WYMER:  Let me finish.  There is a big difference
     between a definition and implementation of the concept, and I think that
     we ought not to mix the two up.
         DR. APOSTOLAKIS:  I still think that we are embracing the
     notion of successive compensatory measures without asking why that has
     to be there.
         DR. KRESS:  It's because we value prevention and mitigation
         DR. APOSTOLAKIS:  And we value those because we are
         DR. KRESS:  No, no.  We value them in the absence of
         DR. APOSTOLAKIS:  Absence of uncertainty?
         DR. KRESS:  You're never going to have an absence of
     uncertainty, but even with very small uncertainty, we would still do
     this, because we want to prevent accidents and we want to mitigate
     accidents.  We would still do this.
         DR. GARRICK:  The truth of the matter is that
     defense-in-depth has been in the gospel of how the NRC assures safety or
     reaches a finding of reasonable assurance of safety has been in the
     context of successive compensatory measures.  The earliest discussions
     about defense-in-depth were synonymously associated with successive
     measures of protection.
         So I don't know.  If we wanted to do surgery on it and
     change what it fundamentally means, sure, we could do that, but I think
     as a concept that has been discussed and found its way into print, that
     has been so well documented for us for this meeting, it has been in that
         DR. APOSTOLAKIS:  Right.  But the point is that now we want
     to look at it again under the current state of knowledge and
     understanding why it was put together that way is fundamental to this.
     There is nothing magical about successive compensatory measures.  We are
     not doing it because we like successive compensatory measures.  We do it
     because we are not confident enough that the risk has been managed.
         DR. GARRICK:  I think maybe we're overplaying the
     compensatory measure issue because even if you think of a single
     barrier, it isn't a single barrier, because we have monitoring, we have
     maintenance, we have all kinds of things that give us insight into the
     performance of that single barrier.
         So I don't get too hung up on this single element thing
     because a single element could be a transducer.  It could be any one of
     a number of things.
         DR. BUDNITZ:  I have a suggestion for how to overcome --
         DR. APOSTOLAKIS:  Speak into the microphone, Bob.
         DR. BUDNITZ:  Excuse me.  I have a suggestion for how to
     overcome some of this cross-talking a little in the conversation.  It
     seems to me that the title of that shouldn't be what is
     defense-in-depth, but it really answers two questions; what is
     defense-in-depth and what does it accomplish.
         The first sentence defines what is, the second sentence is
     what does it accomplish, and there is a third thing you people ought to
     be doing, which is how is it applied.
         DR. APOSTOLAKIS:  Sure.
         DR. BUDNITZ:  So if you said to yourselves the white paper
     says what it is, sentence number one; the white paper says what it
     accomplishes, it ensures and it does, right?  Then you can say what's
     needed is now how is it applied in the different arenas and you could
     make a major contribution by writing down arena by arena what you think
     would be a useful agency policy on how is defense-in-depth to be applied
     in these arenas.
         And there, the sort of things that Milt read to us are a
     jumping-off point for the difference, for the rationale for why there is
     a difference; there's a lot of high energy, maybe there isn't, there's a
     lot of time, maybe there isn't, which then drives how it's applied.
         So if you think about it in that way, you shouldn't be --
     and playing with this doesn't talk about how it's applied.  It's not
     intended.  It only talks about what it is and what it does.
         DR. KRESS:  It also restricts its application to nuclear
     facilities.  I would be hard-pressed to call some things, like an X-ray
     machine at a nuclear facility --
         MR. BERNERO:  You have to be careful.  Legally, facilities
     are, production or utilization facilities, under Part 50 and now under
     Part 76.  But the -- what John said earlier, even if you take an extreme
     case, the one I mentioned was the spent fuel shipping cask, that is
     nominally just one barrier.
         DR. BUDNITZ:  It's not a facility.
         MR. BERNERO:  And I -- but never mind, it's a nuclear
     practice or it's a nuclear situation, call it what you will.  I don't
     have gas pains with facilities with lower case "f."  But the point is
     it's not just a single barrier.  It is a very high quality barrier.  You
     are depending on a massive, robust mechanical containment and that's it.
         You go out in any environment, ship it, we do modal or NRC
     does modal studies to see if it got caught in the Caldecott tunnel fire,
     that it would have melted or not and that kind of consideration, but I
     would feel more comfortable if it were unduly dependent on a single
     barrier or a barrier.
         But the key to it is you have to have a systematic
     consideration and not have, yes, it's a barrier, I'll walk away and
     forget about it, unless there are -- and if you go to smoke detectors,
     you'll find buried in the analysis, it's not a single barrier.
         DR. GARRICK:  Yes.  And I think that the crafters of this
     definition knew all of that and discussed all of that when they did it
     and it's probably why you don't find the word barrier following single
     up there, and the more strategic choice of the word element, because
     that gives us a great deal of freedom and flexibility.  An element could
     even be the issue of uncertainty.
         MR. BERNERO:  It could be a model.
         DR. WYMER:  It could be a monitoring system.
         MR. BERNERO:  It could be an initiating event.  It could be
     any number of things.
         DR. APOSTOLAKIS:  Well, the ACRS wrote a letter May 19th of
     last year and it says this philosophy has been invoked primarily to
     compensate for uncertainty in our knowledge of the progression of
     accidents at nuclear power plants.  Later on it says when
     defense-in-depth is applied, a justification is needed that is as
     quantitative as possible for both the necessity and sufficiency, not
     just the sufficiency, both the necessity and sufficiency of the
     defense-in-depth measures.
         If you question the necessity, then you cannot make it part
     of the definition that you will have successive compensatory measures.
         DR. KRESS:  Because that says it's necessary.
         DR. APOSTOLAKIS:  That's right, it says it's necessary.  I
     don't think that this is a definition.  It's a definition of what used
     to be defense-in-depth.  The word uncertainty has to be there in the
     first sentence.  First of all, the first sentence, I agree, has to be a
     separate bullet, but this is really the key.  It was developed primarily
     to compensate for uncertainty in our knowledge of the progression of
     accidents at nuclear power plants.
         Now, it goes on to say improved capability to analyze
     nuclear power plants as integrated systems is leading us to reconsider
     the role of defense-in-depth.  Now, this is a little broader than what I
     was saying about uncertainty, as integrated systems.
         Defense-in-depth can still provide needed safety assurance
     in areas not treated or poorly treated by modern analysis or when
     results of the analysis are quite uncertain.
         So I hope this letter is not going to go against several
     letters that the committees have written independently.
         MR. LEVENSON:  Yes.  But, George, I don't think that's at
     all in conflict in the sense that this is a definition and the statement
     that when this is applied, it should be applied only when there are
     indications that it is necessary.
         So I don't think you have to put that in the definition.
         DR. APOSTOLAKIS:  But the issue of necessity, if you make it
     part of the definition that successive compensatory measures are part of
     the definition, then automatically they are necessary.  The burden is on
     the staff or the licensee to argue why they don't need them.
         DR. GARRICK:  But, George, I think the point that I'm trying
     to make, and not very well, is that I can't think of a situation where
     there aren't successive compensatory measures.
         DR. APOSTOLAKIS:  I can't either.  But can you put the word
     uncertainty in the first sentence, John?  Then you satisfy me and I shut
     up.  Just put the word uncertainty there.
         DR. GARRICK:  Okay.
         DR. APOSTOLAKIS:  Because that's the reason --
         DR. GARRICK:  Well, I'm as much a disciple of that as you
         DR. KRESS:  Is that enough of a concern to you, George, that
     we need to make a big deal of it in a letter to the Commissioners?
         DR. APOSTOLAKIS:  Yes, because otherwise this whole meeting
     doesn't make sense to me.  This whole meeting, this whole effort of
     writing a new letter is meaningless to me unless I recognize that here
     is a practice, a philosophy that was developed to manage uncertainty and
     what's new now is I can quantify that uncertainty.  Otherwise, I don't
     understand why we are revisiting it or visiting the issue.
         DR. GARRICK:  It's not out of order or out of the question
     to take something like this and evolve it with new ideas and time and
     what have you.  So I don't -- I think if we are pretty much in agreement
     that this is a definition that, with minor surgery, would satisfy us
     all, if we limit it to pretty much one sentence, that we could address
         MR. BERNERO:  You don't have the freedom to do that, I
     think.  I think you ought to forward with the dialogue and say there are
     misgivings about this or that, the lack of the word uncertainty or
     whatever, but this is certainly not a statute.  But the committee is
     facing a need to talk about the philosophy of safety control or safety
     regulation and this is sort of a given.
         The committee had a shot at it before.
         DR. GARRICK:  Yes, we did.
         DR. APOSTOLAKIS:  At least the ACRS said that this is
     something that's evolving, don't put anything down on it.  So it's not
     that we have blessed it in the past implicitly.
         MR. BERNERO:  I'm not saying that it's blessed.  I think for
     any progress to be made, there ought to be a focus on are there general
     principles here and amplify on them for an overarching philosophy that's
     applicable to all practices that the NRC authorizes.
         DR. APOSTOLAKIS:  And I guess that's my problem, Bob, that I
     don't see the rest of you recognizing that a general principle here is
     that we are trying to manage uncertainty.
         DR. WYMER:  Maybe that's a clue.
         MR. BERNERO:  But, George, are you recognizing the principle
     that successive elements, not successive mechanical barriers, not
     successive design controls, but successive elements is a fundamental
     principle; that the fuel shipping cask, I think, is a golden example
     because mechanically it's one barrier, a highly complex, robust, high
     quality barrier.
         But the elements are the quality is a separate element.  The
     design, the management.
         DR. APOSTOLAKIS:  Sure, sure, sure.
         MR. BERNERO:  The restrictions are --
         DR. GARRICK:  I think he just wants recognition of
     uncertainty as a key element of the whole process.
         MR. BERNERO:  And there's nothing wrong with saying that.
         DR. BUDNITZ:  George, I think I can make another
     distinction.  Defense-in-depth is, in fact, a tool.  Let me say to you,
     what's a screwdriver?  A screwdriver is a piece of metal this long
     that's got a point on this end and a handle or something, right?  Why do
     we need the tool to manage uncertainty?  That's a why, it's not a
         So this doesn't bother me.  If you then want to go why do I
     need it, that's a perfectly appropriate thing for you, the ACRS/ACNW to
     discuss.  You need it for -- there is a different "why" for a low level
     repository versus a high level.
         DR. APOSTOLAKIS:  I gave Holahan a thought experiment some
     time ago.  I asked the following question.  If we were absolutely
     certain that you would have a core damage event if you tossed six dice
     and they all came up with sixes, would you still put a containment
     around it.  His answer was make them seven dice and I will not.  That,
     to me, says there is absolutely no epistemic uncertainty.  Right?
         DR. BUDNITZ:  Right, sure.
         DR. APOSTOLAKIS:  In fact, I made sure that the seven dice
     were thrown independently in Los Angeles, San Francisco, another one in
     Paris.  So there is absolute independence.
         If they are all sixes, now, you can calculate it, it's one
     over six to the seventh, this is the frequency of core damage, there is
     no uncertainty about it, he might consider not putting a containment.
         So that tells me --
         MR. BERNERO:  Who said this?
         DR. APOSTOLAKIS:  Gary here.  He made them seven.
         MR. BERNERO:  Guilty as charged.
         DR. APOSTOLAKIS:  So isn't that the fundamental thing?  Now,
     in order to settle this, another way of doing it is we can accept this
     and I can write separate comments.
         DR. BUDNITZ:  But of course.  That's why we don't need five
     barriers for a smoke detector.
         DR. APOSTOLAKIS:  Somehow we don't want to say that.  That's
     what I am perplexed about.
         DR. BUDNITZ:  No, no.  The question is the screwdriver looks
     like this.  Then later on you say why do I have it, how do I use it,
     when do I use it and for what?
         DR. APOSTOLAKIS:  That's next, that's next.  I agree that's
         DR. GARRICK:  John?
         DR. LARKINS:  Might I suggest that you probably would have
     more impact of value to the Commission if you could talk about
     implementation of the defense-in-depth philosophy and then afterwards,
     if you feel it's totally inconsistent with the definition, you can come
     back and review the definition.
         But I think with the Commission recently debating this
     definition and going through several iterations, that unless there is a
     vehement objection to the current wording, I would suggest that you try
     to --
         DR. APOSTOLAKIS:  John, that is a vehement objection, I
         DR. LARKINS:  I understand.
         DR. APOSTOLAKIS:  We are talking about communicating to the
     public, we should be communicating to the stakeholders.
         DR. LARKINS:  I think you need to do both.
         DR. APOSTOLAKIS:  The most important stakeholders for us are
     the Commissioners.
         DR. LARKINS:  But I think the Commission has already made a
     point that you need both.  I mean, the Commission has raised the issue
     of risk communication.
         DR. APOSTOLAKIS:  I believe that it's of extreme importance for all five
     Commissioners to understand -- not that they cannot understand it, but
     to make sure that we are all speaking the same language and that
     defense-in-depth was developed to manage uncertainty.  We all have to
     agree to that.
         MR. MARKLEY:  But, George, couldn't that be clarified in a
     policy statement or something?
         DR. APOSTOLAKIS:  Sure it could.
         MR. MARKLEY:  As opposed to revisiting the definition?
     Because this is --
         DR. APOSTOLAKIS:  I have no problem with that.
         MR. MARKLEY:  -- a losing battle.  You're not going to get
     much value-added from it, that you couldn't do the same in a policy
         DR. APOSTOLAKIS:  Yes.  I'm not arguing for going to the
     Commission and say change the white paper.  But since we all seem to
     agree on this, we can take this and put it in our letter and let the
     Commission decide how they want to proceed.
         DR. LARKINS:  I'm not sure you have a majority position on
     that right now.
         DR. GARRICK:  The way we can do that, because -- to get off
     this subject, if we can -- is that we can put it in the context with
     this definition, if it's interpreted as follows, this is how we support
         MR. MARKLEY:  Yes, and you could customize it for the
     various applications in that respect, with elements or sub-elements,
     however it would be uniquely applied.
         DR. GARRICK:  Well, I think if we can do that, then we've
     done the one thing that at least I commented about earlier this morning,
     is what can we agree on that is overarching in terms of widespread
     application for nuclear applications.
         Now, we may still want to talk a little bit about the
     non-high level waste component of the materials, of the materials side,
     and what we need to do there and whether the concept really is even
         MR. BERNERO:  I think you've got to agree to the overarching
     principle that risk-informed application of defense-in-depth is a key to
     intelligent use of it, and if it's risk-informed, it addresses what are
     your uncertainties, have you improved them or do you have a basis to --
     it actually -- I don't know the facts on the AP-600 containment spray,
     but a risk-informed application should at least make it possible to say
     I don't need a containment spray.
         DR. GARRICK:  Yes.  I think the point of view of
     risk-informed defense-in-depth is something we'd want to talk about.
         MR. BERNERO:  Yes.  But it's key to applying
         DR. APOSTOLAKIS:  It seems that we almost came to a
     consensus earlier.  I said use the word uncertainty there and Ray
     objected.  Now, the ACRS said primarily to compensate.  If we put the
     word primarily, would you agree?
         DR. GARRICK:  Why don't we, George, try to do in the context
     of --
         DR. WYMER:  That's moving in the right direction.
         DR. GARRICK:  -- implementation and how this is interpreted,
     as a first step?
         DR. KRESS:  We can go back to see whether to put the -- yes.
     In terms of application to the reactor side, I certainly think we ought
     to call it or refer to it as a risk-informed defense-in-depth and maybe
     even risk-informed design defense-in-depth, and I think what was
     presented yesterday to us by Gary and Tom King was a great step in the
     right direction of having a risk-informed defense-in-depth in the
     reactor side of the house and it fits this definition, because what they
     do is they look at prevention and mitigation and they decided how much
     of each they needed and how to apply it to the different sequences and
     how -- and George has made a suggestion on how to deal with the
     uncertainties and that is not just have one line, one area, but three
     areas, and I think that's a great step and is in the right direction for
     risk-informing the reactors.
         So that would be how I would proceed from here to the
     reactors area.
         DR. GARRICK:  Right.
         DR. KRESS:  And then we have to do something about how would
     we proceed from here to the Yucca Mountain and the others.
         DR. APOSTOLAKIS:  Well, there is more than reactors, because
     there is the issue also of the unquantified uncertainties.
         DR. GARRICK:  But the other thing I would like to say about
     that, and I think it's another supporting reason for why we don't want
     to talk about the quantification of subsystems as a part of this in the
     waste field, and that is one of the reasons that Gary and Tom can put
     those numbers up there is that we have approximately 100 Parse to work
         We have lots of experience that has helped us calibrate what
     we can expect to receive out of the performance of these systems.
         DR. KRESS:  I think the main reason they can put them up
     there is we already have the numbers.
         DR. GARRICK:  That's what I'm getting at.  We don't have
     those numbers in the waste field and I think that our strategy has been
     that we ought to be pushing the Commission, given that we're supposed to
     be moving in the direction of a performance-based and risk-informed
     philosophy of keeping focused on whatever we've decided is the measure
     of performance, and not on surrogates of that measure.
         It might well be that as we do more PA work, as we learn
     more about how to analyze these systems, that some sort of yardstick
     where that's calibrated will surface and then we can talk maybe about
     what kind of possible thresholds make sense for a given application.
         But I fundamentally think that that's not the way to go
     because it's too site-specific, it's too design-specific, A, and, B, we
     don't have the experience in the calculation of those systems that we
     have in the reactor side.
         So I think this position that we've taken on subsystems is
     the right position and I would like to think that that might be one of
     the areas where the two problems are very different, and they're
     different because of the implementation, not because of a violation of
     an overarching, underlying philosophy, which we should agree on.
         DR. APOSTOLAKIS:  Well, I guess what you're saying is that
     we don't know enough; therefore, we have large uncertainty regarding the
     performance of each of the barriers and so on.  I think what is
     happening here is that you will end up with words like unduly, not
     wholly dependent or something to that effect, and you are postponing the
         And eventually, at some point, which may be a wise decision
     at this time, because maybe we don't know enough, somebody will have to
     say, yeah, because of these results, I am not relying on a single
         DR. GARRICK:  As you know, George, we continue to emphasize,
     much more than in the past, that we need to quantify the performance of
     these barriers.
         DR. APOSTOLAKIS:  Sure.
         DR. GARRICK:  So how can we make a dumb decision if we have
     before us good knowledge about how these particular barriers perform?
     We're not going to make a dumb decision.
         DR. APOSTOLAKIS:  No, nobody is saying you're going to make
     a dumb decision.  You're just postponing the decision as to what is the
     right allocation.
         DR. GARRICK:  Yes.  Right.
         DR. APOSTOLAKIS:  That's all.
         DR. GARRICK:  Right.
         MR. LEVENSON:  Let me introduce an additional slight
     thought, and that is I think we all agree that the uncertainty is
     extremely important, but it's important only if the consequences of that
     uncertainty are serious consequences.  We've got to be very careful
     about focusing entirely on the uncertainties.  It's only uncertainties
     that have big consequences.
         DR. BUDNITZ:  Yes.  A way of putting that in a different
     light is I don't know whether a low level waste burial ground under Part
     61 is a facility, but let's define it as one for these purposes and
     let's assume here for the moment that the Commission had such a Part 61
     facility in mind when they wrote this.
         I'm not arguing for smoke detectors, but let's talk about a
     Part 61 low level waste burial ground, like Barnwell, which is operating
     today under Part 61.
         Now, the question is how much defense-in-depth do you need?
     It's not just to manage the unquantified uncertainty.  You also have to
     recognize the total risk, if the whole thing went to hell in a
     handbasket, is only this much compared to a reactor and, therefore, only
     this much is necessary, even if you were really very unsure of the
         DR. APOSTOLAKIS:  See, that brings up the issue of --
         DR. BUDNITZ:  So there is more to it than just that.
         DR. APOSTOLAKIS:  Let's clarify my position here.  There are
     two or three different ideas that are floating around, so let me tell
     you.  The first idea is that fundamentally, regardless of
     quantification, this philosophy was developed to manage the uncertainty.
     That means keep the probabilities low and the epistemic uncertainties
     reasonably small, fundamentally.
         The second point now that I was arguing yesterday, and I'm
     willing to go away from it a little bit, the implementation issue.  When
     you have quantified the uncertainties, you still use successive
     compensatory measures and so on, but now you have a way of limiting and
     deciding the necessity and sufficiency.
         If you don't have quantified the uncertainty, then you are
     invoking this principle again and say thou shall do this and this and
     that, sorry if I'm imposing on you, but that's life.
         DR. BUDNITZ:  That's right.  In fact --
         DR. APOSTOLAKIS:  So defense-in-depth is -- I try to keep
     the term only for the unquantified uncertainties.  I see today it's a
     losing battle, so I'm willing to concede the point.
         DR. BUDNITZ:  That's right.
         DR. APOSTOLAKIS:  If you call it risk-informed
     defense-in-depth, when you have quantified, I'm happy.
         DR. BUDNITZ:  That's right.  To talk about Part 61, we know,
     even if we -- even though I argued we were ignorant about certain --
         DR. APOSTOLAKIS:  I'm ignorant?
         DR. BUDNITZ:  No, no.  I'm sorry.  Even though I was arguing
     -- let's postulate that we were ignorant in Part 61 about Barnwell's
     performance or something, that was in the context that I know what all
     the radioactivity is in there and I have a -- we, the community, has a
     handle on what's the worst it could be, and that -- it's in that light
     that we're never really ignorant, so ignorant.
         MR. BERNERO:  There is one part of defense-in-depth that I
     think gets lost here.  In reactor safety and in nuclear facility, like
     fuel cycle facility, safety, there is a concern about accidental
     outcome, the risk of accident.
         As you go into material distribution licensing or go to
     waste management, Part 61 or Part 63, you're concerned with routine
     release, expected outcome, and it raises a different element of risk,
     the tolerability of uncertainty or of lack of knowledge of what you
         DR. APOSTOLAKIS:  But here we had Dana Powers yesterday
     sending us a message that because we have lots of data for these
     activities, there is no need for defense-in-depth.
         DR. GARRICK:  Another way of saying that, George, is --
         DR. APOSTOLAKIS:  Is uncertainty.
         DR. GARRICK:  If we have lots of -- in fact, there is -- if
     we have enough data, we don't need to do risk analysis, because we know
     what the risk is.
         DR. APOSTOLAKIS:  Which supports my earlier point.  I also
     want to make a request, Mr. Chairman, that the subcommittee members have
     been at it since 8:00.  Would you consider taking a break soon for a cup
     of coffee or something?
         DR. KRESS:  I will take that under consideration.
         MR. BERNERO:  Give him the credit for conceding points.
         DR. KRESS:  We are scheduled to have one at 10:00.  Would
     you like to have one now, George?
         DR. APOSTOLAKIS:  I would, yes.
         DR. KRESS:  My target for today, George, is to shoot to end
     this at 11:00 or thereabouts.
         DR. APOSTOLAKIS:  Fine with me.
         DR. KRESS:  So let's keep it to a ten-minute break maybe and
     get started again.  So let's take a ten-minute break.
         DR. KRESS:  We are going to try and end this meeting at
     11:15, so let's get started again.
         Before we start back into the roundtable discussion, I've
     had a request from Norm Eisenberg to make a few statements.  Is he here?
         MR. EISENBERG:  I just wanted to mention a couple of points.
     In considering the white paper definition of defense-in-depth, please
     recall this was in the context of the white paper, which is
     risk-informed performance-based regulation.  This is not necessarily a
     general exposition on defense-in-depth.
         A more important point is there was a lot of discussion
     about what was in or what was not in the particular definition, and
     there was a lot of focus on uncertainty and whether or not it treated
         The other part of the question, which is very important for
     the materials activities, is that it also talks about safety and perhaps
     you should give some consideration to what the white paper and what you
     mean by safety, because as Mr. Bernero alluded to, for a lot of
     materials activities, we're talking about very small quantities, very
     low levels of activity, very small risks, and we're essentially talking
     about environmental degradation, not essentially immediate threat to a
     person's health and safety.
         In thinking about an approach for both the high level waste
     program and for materials in general, this is a crucial consideration.
     You do not want to have the same types of provisions to prevent an
     excess dose of between 25 millirem and 26 millirem that you want
     between, say, up to 500 rem.  If you're talking about 500 rem, then you
     have a real safety problem.
         DR. KRESS:  Right.  I think those are really good comments
     and that's why, actually, in my definition that I proposed yesterday, I
     had the words it's a strategy to achieve acceptable risk and you define
     what acceptable risk your target is and if it's -- and if your
     acceptable -- if the number you're dealing with is just a degradation of
     the environment to a small extent and not a risk to the health and
     safety of the public, your strategy is different, because it wouldn't
     have to involve so many measures and to such extent.
         So I would have actually added that into my definition.
     That's another place where I kind of disagree with the definition a
         MR. EISENBERG:  So I wanted to at least bring that up.  I'm
     certainly for some materials, say you had a truckload of ore, the
     consequences of an accident and throwing it all over the highway are not
     very significant.
         You would not expect the same kinds of multiple barriers or
     defense-in-depth there that you would expect for a nuclear power plant.
     It just doesn't make sense.
         Somehow this needs to be included in whatever conclusions
     you all come to, I believe, because I think it's very important in
     materials.  Not to belabor the point.
         DR. APOSTOLAKIS:  The driver is the risk.
         DR. KRESS:  We're glad you're feeling better today.
         MR. EISENBERG:  Thank you.
         DR. GARRICK:  A quick recovery, I must say.
         DR. KRESS:  And also before we continue the roundtable
     discussion, Ray Wymer had a few thoughts that I think we ought to get
     onto the record before it's time to call it quits.
         DR. WYMER:  Thank you, Tom.  I think since we've had all
     these high powered people around the table here and in the audience for
     a day and a half, it would be nice to think about producing a product of
     all of this effort, and I personally am in favor of seeing if we can't
     draft some kind of a letter based on these discussions.
         In my view, the letter should start with a general statement
     of what we mean by defense-in-depth, kind of along the lines of this
     definition, and maybe some other principles, as George has mentioned,
     and then split it cleanly into two parts, one relating to reactors and
     DID as it applies to a reactor situation, and then the other part as it
     applies to the high level waste and other nuclear materials.
         And with some trepidation, I have prepared a half a dozen
     comments that I think might form the basis for the ACNW half of this
     letter, which I will pass around here.
         DR. APOSTOLAKIS:  That actually raises an issue.  I wonder
     whether -- how much can both committees say and how much should be left
     up to the individual committees.  For example, the material that Tom and
     Gary presented yesterday I'm sure will come before the ACRS at some
     point, so the ACRS will write a letter on this.
         Do we really need to bother to comment in detail here and
     request approval from the ACNW?  The same thing applies perhaps to high
     level waste.  Maybe we can say something, but then leave the bulk of it
     up to the ACNW, so that the ACRS will not have to bother reading that
     part of the letter.
         I think we have to do it in whatever way --
         DR. WYMER:  I think that's John's decision for the ACNW, but
     my personal view is to separate them into two separately conceived and
     approved sections.
         DR. APOSTOLAKIS:  Right.
         DR. WYMER:  That would be the right way to go.
         DR. APOSTOLAKIS:  And maybe send a message to the Commission
     that they are indeed separate and this is appropriately the function of
     this subcommittee, and both committees should agree, but I wouldn't get
     too much into the details of managing --
         DR. WYMER:  That would certainly expedite getting them out.
         DR. APOSTOLAKIS:  -- Yucca Mountain or you shouldn't get
     much into the Gary and Tom presentation, which I'm sure the ACRS will
     have to write a separate letter on.
         DR. WYMER:  What I would like to do next is, I have these
     half a dozen things, for the benefit of people who don't have them, I'd
     like to read these.
         MR. LEVENSON:  Ray, just one second.  I want to comment on
     George's comment.  Again, an important part of this letter could be not
     that it's done separately, but it sends the message to the Commission
     that both committees agree that the issues are quite different.
         DR. APOSTOLAKIS:  Yes.  Yes.
         DR. LARKINS:  I think, George, if you can -- that this joint
     subcommittee can agree, as much as possible, on both areas, it would be
     very good, because you're sending a message to the Commission that there
     is some coherency in your thoughts.  So there is some agreement
     basically on some of these ideas.
         Where there are some specifics that you may want to get into
     further at separate committees, that's fine, but if you could reach some
         DR. WYMER:  That's the introductory part, the overarching
         DR. APOSTOLAKIS:  Yes.  I think we're in agreement, but I
     wouldn't want the ACRS to get into the details, for example, of why, for
     the high level waste repository, we are not giving subsystem
         DR. WYMER:  The same thing is true in the other direction.
         DR. APOSTOLAKIS:  And in the other direction, as well.
         DR. WYMER:  Now, let me go to this now.  I want to read
     these off and I'd like to read them all with as little interruption as
     possible, and then we can talk about it.
         DR. KRESS:  Are you asking us to keep our mouths shut?
         DR. WYMER:  I want to say one other thing.  We've been
     looking at this issue sort of through an electron microscope for the
     last day and a half.  I'd like to back off.  This is more or less a
     handheld magnifying glass approach to the whole thing, and they're
     pretty simple statements.  So I will read them.
         I have entitled this "Defense-in-depth Issues," emphasizing
     the Yucca Mountain repository.  That puts the emphasis on the ACNW.
     Number one, we hold these truths to be self-evident.  There are
     uncertainties in PAs.  There is much less experience or data with waste
     repositories than with reactors, so uncertainties in repository system
     performance are larger for waste repositories.  That's number one.
         Number two, performance and risk assessment requirements are
     not as well understood for waste repositories as for reactors.  We need
     to elucidate and explain these many differences and recognize them in
     the defense-in-depth philosophy statements.
         Number three, there should be several lines of defense, and
     that's defense-in-depth, against release of radioisotopes and the
     resultant radiation exposures.  The types and numbers of lines of
     defense should be directly related to the uncertainties and relative
     hazards of system performance.
         Number four, defense-in-depth requirements for waste and
     nuclear materials are different in very important ways from
     defense-in-depth for nuclear reactors.  For example, in the case of the
     Yucca Mountain repository, after closure, there is little probability of
     an accident of the type that reactors may have, and this is related to
     the physical nature of the systems and to the fact that there are very
     large time dependent and potential energy differences.
         Number five, this -- now we're getting to Bob Budnitz's
     point.  NRC should specify clearly how the performance assessment and
     probability risk assessment should be done by DOE in its license
     application for the Yucca Mountain repository and what it should
     include.  If the NRC guidance is good, then the assessment should be
     able to be done well, without further specific NRC guidance.  So I
     wouldn't go quite as far, Bob.
         And finally, again to Bob's point, because of the nature of
     the interactions between NRC and licensed applications for complex
     systems, there will always be a strong possibility of an iterative
     licensing process.  That is, there will always be overtones of "bring me
     another rock."
         I think we can talk about those, but that's a starting point
     for what we might put --
         DR. APOSTOLAKIS:  I see a strong underlying theme here about
         DR. WYMER:  Nobody questions that there's uncertainties,
     George, and I deliberately put that in.  I just didn't want it in the
         DR. KRESS:  One of the things, I think, that ties into all
     of this, and it was sort of pointed out to me by Joe Murphy during the
     break, is that this definition we've been referring to was really not in
     the main document of the white paper, but a footnote in the white paper,
     and that the text that was in the main document, in fact, does risk and
     uncertainty and some of the language is that the concept of
     defense-in-depth has always been and will continue to be a fundamental
     tenet of regulatory practice in the nuclear field, particularly
     regarding nuclear facilities.
         And risk insights can make the elements, risk-insights can
     make the elements of defense-in-depth more clear by quantifying them, to
     the extent practical, although the uncertainties associated with the
     importance of some elements of defense may be substantial.
         The fact that these elements and uncertainties have been
     quantified can aid in determining how much defense makes regulatory
         That's very logical and that's kind of what we have been
     saying where the emphasis ought to be is on the quantification of these
     so-called lines of defense.
         Decisions on the adequacy of or the necessity for elements
     of defense should reflect risk insights gained through identification of
     the individual performance of each defense system in relation to overall
     performance.  It's almost as if I wrote it myself.
         So I think that is a perspective that, in the preoccupation
     with the footnote --
         DR. APOSTOLAKIS:  I am completely perplexed now, but I will
     not say anything else.  So let's go on.  I'm lost, because the whole
     discussion clearly supports my point that the whole business here is one
     of managing uncertainty.
         DR. KRESS:  Sure.
         DR. APOSTOLAKIS:  And the fact that you guys feel it's not
     important enough to put it in the so-called definition leaves me at a
         DR. WYMER:  It isn't that, George.  It's the fact that
     defense-in-depth, in my view, has a very strong element of uncertainty,
     but it goes beyond that in some ways.
         DR. APOSTOLAKIS:  I understand that.  I'm willing to put
         DR. WYMER:  That's a big help.
         DR. APOSTOLAKIS:  But I think we should move on, because
     we'll never do anything else.
         DR. GARRICK:  Yes, right.
         DR. KRESS:  Let's move on.  What direction would you like to
     go in?
         DR. APOSTOLAKIS:  The implementation, and I still don't know
     what we're going to say about the non-repository facilities.
         DR. GARRICK:  Well, it seems to me that a couple of things
     have been identified.  I think that if we are genuine about the concept
     of a risk-informed approach, I think the notion of risk has always got
     to be the prevailing notion.  So it just seems that it's more of a
     matter of degree than kind here, that you certainly don't need to have
     more defense-in-depth for sealed sources than make sense from a risk
         DR. APOSTOLAKIS:  Exactly, and that is kind of the letter
     that I had in mind.  It would start out by saying that the main idea
     here is to manage risk.  Remember, we have to wordsmith all this, but
     manage risk.  And the diagram that Norm showed yesterday did that very
         For cases where the risk is high, and that includes the
     timing issue, energetics and so on, you clearly have to do something.
     So we have all these activities in the reactor area.  Then you move on
     to the waste repository.  Now, you don't have accidents as energetic and
     they're happening in long time-scales and so on.  So defense-in-depth
     takes a different flavor.
         Then you have the other NMSS activities, where the risks now
     are low.  You don't -- you have the issue of voluntary risk, that's very
     important there in some medical applications.  The magnitude of the
     consequence is not as high.  So defense-in-depth now takes a different
     flavor from the other two.
         So, you see, that would give some coherence to the letter, a
     common theme, and it would make very clear the point that the
     implementation is really an important element and it's very different in
     these different areas.
         DR. WYMER:  I tried to capture that in item number three
         DR. APOSTOLAKIS:  Right.
         DR. KRESS:  I thought three was your best item.
         MR. LEVENSON:  George, I would have -- I would quarrel with
     one word.  Since no matter what we say, we need to consider
     communications with the public, manage risk is really an unfortunate
     choice of words.  What we really want to use is minimize risk.
         DR. APOSTOLAKIS:  Minimize --
         DR. KRESS:  We banned the word minimize from our letters.
     Reach acceptable risk levels is a possibility.
         DR. APOSTOLAKIS:  Assure that the risks are --
         MR. LEVENSON:  Because manage has no connotation of attempt
     to minimize.
         DR. APOSTOLAKIS:  I understand.  The reason I use manage is
     to send a message that it will be low enough, but also the uncertainties
     about it.
         MR. LEVENSON:  I accept that.
         DR. APOSTOLAKIS:  So let's go on then.
         MR. BERNERO:  I would just like to add, for the practices,
     material licenses, it's important to understand the concept.  There is a
     deliberate radiation exposure, deliberate placement of radioactive
     material in the biosphere, and the defense-in-depth or management is to
     ensure that you don't significantly exceed the deliberate exposure.
         DR. APOSTOLAKIS:  Yes.
         MR. BERNERO:  In other words, that the release, whether it's
     an industrial gauge, you make sure the worker can't get inside of it to
     get very serious radiation doses and sealed sources have to have a
     certain robust character, so that the machine doesn't break them open
     and unduly contaminate.
         And it becomes very complex to use the terminology
     carefully.  For instance, you will frequently find, instead of the word
     facilities, you will find practices, radioactive material usages or
     uses, practices, things like that.  Activities is another good word for
     it, too.
         DR. KRESS:  As a way to focus, I don't know if this is
     appropriate or not, but I was going to ask our invited experts and our
     consultant if I would be out of line in asking -- going around the
     table, as a way to end this thing, and say what are your impressions
     today, what thoughts do you have of what might be in the letter, and
     maybe even ask you later on if you could put this down in writing for
         I don't know if I -- we do that with consultants, but with
     invited experts, why, it would be a big help to us.
         DR. APOSTOLAKIS:  If you say "we beg you," maybe they will
     do it.
         DR. KRESS:  I think right now, since you have the floor,
     Bob.  I haven't given you time to gather your thoughts maybe, but if
     you're ready.
         MR. BERNERO:  I am prepared and I'd be happy to document
     this afterwards.
         DR. KRESS:  Okay.  Great.  Why don't we do that right now
         MR. BERNERO:  Basically, as I see it, I see the white paper
     as the appropriate starting point and that the overall agreement that at
     least I believe is discernable is it is a policy, a strategy, a
     philosophy and approach, it's a sense of direction and it's not a
     specific exact requirement.
         I think George has some excellent arguments about it is
     dealing with uncertainty in a sensible way or a sufficient way, but at
     the same time, there is the recognition of diverse elements, alternative
     elements of defense that is in defense-in-depth, because there is a
     virtual commitment that one will never achieve the level of certainty
     that allows wholly dependent reliance on one element.
         So I think a very important thing is to have an evaluation
     mechanism in applying this that there is not undue reliance on any
     single element, and element in the broad sense, not just barrier.  The
     risk-informed application of it does require a balance, a scale, not too
     close, not too far, not too much, not too little.
         An evaluation that would leave open -- and, again, I repeat,
     I don't know the facts on the AP-600 containment spray, but it should
     leave open the possibility of either removing a traditional or expected
     barrier and it should also leave open resistance to application in a new
     field of a traditional barrier, such as emergency preparedness.
         You don't apply emergency preparedness to a repository
     because it doesn't apply.  It's irrelevant.
         The application to reactors is, I think, appropriately done
     as a balance, a review, and I would suggest that siting is an element
     that is -- at least doesn't appear to me to get that kind of treatment.
         The materials, the principles of this apply, but the
     application for materials licensing is quite different.  I think a very
     good example to illustrate material licensing issues for risk-informed
     application of defense-in-depth is the spent fuel shipping cask.
     Practically everyone knows it, practically everyone understands it.
         On its face, it is a single mechanical barrier, but the
     elements of defense-in-depth are diverse.
         For waste management, I think the committee, and this, of
     course, is directed to ACNW, the committee should be careful that it is
     not applying defense-in-depth, risk-informed application and all that to
     the high budget, high activity, intense performance assessment
     atmosphere of the high level waste repository.
         There is a very large population of what I would call
     decommissioning activities, DOE sites, licensed sites elsewhere,
     burials, near-surface, near-biosphere, including institutional controls,
     where the stuff -- if you ever get into uranium mill tailings, you will
     find stabilized tailings piles that are remote, isolated, that have very
     little risk associated with failure, and yet they are under perpetual
     custody and active maintenance with NRC oversight.
         So you will find very great disparities in the low level or
     near-surface disposal and the disparities are profound between
     radioactive near-surface disposal or management and hazardous waste,
     RCRA, CERCLA hazardous waste management.
         So I think the committee should be very careful about
     defense-in-depth applied with the risk-informed approach on things like
     low level, which are very different from high level.
         That's basically it.
         DR. BUDNITZ:  Where is that slide with the definitions?
         MR. BERNERO:  I put it back.
         DR. BUDNITZ:  I'm going to take a different tack, and try to
     turn this on its head.  I think it is an error for these committees to
     take an approach that would elevate defense-in-depth to a higher level
     than a lot of people in the agency and elsewhere think.  I think it
     would be a better strategy to see if you can figure out a way to
     downplay it, and downplay, its role is a principle of one of the ten
     commandments or whatever.
         Its evolution, as we learned -- just go back to Cliff Beck
     -- is that sound engineering principles were used in the original
     concepts that led to the early reactors, and people in the agency at the
     time and in the industry, the General Electric and Westinghouse,
     explained those sound engineering principles in terms of this phrase.
         And then WASH-1250, Joe Hendrie wrote WASH-1250 -- it never
     was issued in final, it's only -- I still have the draft from 1973.
     WASH-1250 said it was attempting to explain -- it was that yellow book
     -- attempting to explain it to the public and it was a wonderful piece
     of work -- said that -- go read it -- that the sort of things that sound
     engineering practice had led to lead to these multiple barriers which
     make sound engineering sense, and we call it defense-in-depth.
         Now, that was 27 years ago.  I was here just 20 years ago
     and defense-in-depth certainly hadn't been elevated to a principle at
     that time.  It was more an explanatory thing.  And I think it is an
     error that the agency, at the highest level, and this all -- it's an
     error that happened in the context of risk-informed, you know, 1174 and
     those discussions, an error that these ideas have been elevated to the
     point where after you've done the rest of what you ought to be doing,
     you go back and make sure this gets done, too.
         It's an error that Part 63 has used the phrase
     defense-in-depth for what it's trying to do, as opposed to not saying
     that and saying what we're really going to do in Part 63 is we're going
     to do that analysis and the bottom line Amargosa Valley doses, and,
     besides that, we're going to do some multiple barrier stuff, but let's
     not call it defense-in-depth, because it ain't.
         So I think that what I would recommend that the committee
     would do, if I was writing your letter for you -- thank God I don't have
     the responsibility, though -- would be to downplay the connotation that
     it's some sort of a principle, but instead to explain that it emerges in
     different arenas, low level waste is very different than high level
     waste, never minding transportation or a fab facility or a reactor, it
     emerges in different manifestations as different facilities use sound
     engineering practices, analysis, design, monitoring or whatever, to
     accomplish managing the risk to an acceptable level in light of the
     uncertainties, bla, bla, bla.
         And if you then see it as emerging from sound engineering
     practice, which the agency always wants to make sure its licensees use
     and which it wants embedded in its things, then it doesn't come down
     from the top.  It emerges from activities which you're doing anyway.
         I would like to then hope that through such an approach,
     those who don't understand what I just said would understand it better
     and not invoke it as a separate principle, but use it as a way of
     explaining to themselves and to their colleagues and, of course, to the
     applicants and licensees and the public, that it's a way of explaining
     an element of sound engineering practice, which, by the way, goes far
     beyond this arena.
         That way, the fact that it's a policy or a strategy or a
     philosophy is in light of a thousand years of engineering practice and
     history and not in light of something special for radiation or the role
     of this agency.
         If you accept that, then as a practical matter, and not
     arguing about the definition for a moment, the way to approach that here
     could be for this committee, these committees together, to explain that
     in application, and the applications vary by arena, in application, in
     each arena where it's applied, it manifests these sound engineering
     practices and principle in a different way, because, of course, the
     arenas are different.
         They may have all the different characters or different --
     as we know they are.  And in each one, it's a way of explaining rather
     than a way of designing or operating.
         That's the thing that bothers me, and so maybe I'll just
     quit with that.  The thing that bothers me is I don't see that you can
     operate, design even, design using engineering principles, then you
     observe that, of course, this is a way of explaining that kind of in an
     overarching way.
         It's almost as if you can't design a reactor to assure
     adequate protection, which is, by the way, what the original statute in
     1954 asked the AEC to do, which remains the fundamental charter of the
     Nuclear Regulatory Commission's activities in this area, which they
     can't design with an adequate protection, but adequate protection is a
     way of explaining what you are trying to think about when you were doing
     what you're actually doing.
         And if you think about it that way, you will adopt an
     approach in your letter that could defuse rather than amplify
     possibilities that elevating into a principle could cause the havoc that
     we don't want.
         DR. APOSTOLAKIS:  Ode to Joy ought to be playing while you
     are talking.
         DR. BUDNITZ:  I'd prefer Springsteen myself, but you can vote for
     Ode to Joy if you want.  Excuse me.
         DR. KRESS:  Very good.  Milt, do you have a few words of
     advice for us?
         MR. EISENBERG:  I think I've already expressed most of my
     thoughts.  I think it's very, very important to separate the reactor --
     I was going to change that to say not the reactor field, because as I
     think about it, it's related to the characteristics of the reactor, not
     because it's a reactor.
         We ought to be careful, because for instance, somebody might
     come in with some off-the-wall accelerator application which has
     radioactive stuff at 2000 psi and a lot of other things, so we should
     differentiate on a basis of two things, the uncertainty and the
     potential risk to the public to separate, but that if that is done right
     up front, I'm not very optimistic that you're going to get rid of the
     term defense-in-depth, with all of its baggage.
         But it seems to me that this letter might be a useful device
     to prevent proliferation of defense-in-depth to fields other than the
         And whatever kind of words we want to use, that the
     defense-in-depth, as presently understood and utilized, applies to high
     energy, high risk facilities and that the generic concept of not
     depending on a single failure for other facilities, like a repository,
     is provided by having multiple passive barriers or something equivalent.
         But I strongly urge that you try to prevent the
     proliferation of this to other facilities.
         It's also very important that it not just be a two-part
     split, reactors and Yucca Mountain, because there's a large number of
     other facilities, clearly more in number than either of these, but if
     the -- if basically we say it's tied to how significant is the risk,
     then that allows you to have different rules for lesser facilities.
         MR. BERNERO:  Could I add just one element?  There has been
     an undertone for the day and a half of risk assessment or performance
     assessment embracing the element, so that there is a -- I'll call it an
     assessment result that comprises the basis of judgment on adequate
     One of the points that I had buried in my slides was that the
     performance assessment is one part of the body of information upon which
     one judges the acceptability of a high level waste repository.
         As demonstrated in the WIPP, the intrusion scenario is a
     real consideration.  It's part of the body of information in judging
     acceptability and it does not lend itself to analytical performance
     assessment treatment.
         Similarly, in reactor safety, we now have some terrorist
     threat in the United States.  We now have a design threat for reactors
     that takes into account the possibility of a vehicle bomb getting close
     enough to cause core melt, large containment release, and so forth, and
     that does not lend itself to the typical PRA assessment either.
         So there is a large body of judgment of acceptable safety
     and safeguards and in this particular case, it's more safeguards, that
     is outside the performance assessment or PRA arena and shouldn't be
         DR. GARRICK:  I think the comment I would make to that is
     what you're talking about is scope.  That as we have done performance
     assessments and as we have done PRAs, there has emerged a certain scope
     of things that we consider.  But I would not want to have the record
     suggest that you can't include those kinds of things in a risk
     assessment or a performance assessment, because anything you can think
     of you ought to be able to include, as long as it's relevant to what
     you're trying to analyze.
         DR. BUDNITZ:  I could comment that what Bob just said
     complements what I said very nicely.  The fact is that in the vehicle
     threat arena, the approach has been to take the facts and the problems
     and the potentials and use sound engineering principles of various
     kinds, so that the agency carries out its mission of -- by the way,
     that's part of the common defense and security part of the agency's
     mission.  There is more than just public health and safety.  There's
     common defense and security and the environment.  All those words are
         All of those things apply commonly accepted engineering
     principles of different kinds, one of which is risk assessment, but it
     is not the only, and in some arenas, it's the principal, but in some
     arenas, it's not even the principal method used.
         That then goes along with my -- and this very much
     complements my notion that this should be downplayed as sort of a ten
     commandments principle.
         MR. LEVENSON:  Let me just comment.  I did not use the word
     risk assessment, Bob.  I used the word risk --
         DR. BUDNITZ:  I know you did.
         MR. LEVENSON:  -- and that is --
         DR. BUDNITZ:  I agree with you.
         MR. LEVENSON:  -- for the large number of things, the
     hospitals, the sources, et cetera, we don't want any implication that
     they need to do a PRA, no matter how simple it is.  But there are ways
     of -- risk, as a generic term, includes both what Bob Bernero was
     mentioning and --
         DR. APOSTOLAKIS:  Now, there is one other point I want to
     make, since we are talking about differences between reactors and other
     areas.  You are using the term performance and performance assessment
     for something that we would never use the word for, like the release or
     the dose after so many years and so on.
         I guess that's a performance measure for the waste area.
     Core damage frequency of the quantitative health objectives are never
     called performance measures in the reactor area.  The reason -- although
     they are used perhaps in the same way, I think the reason is that we
     reserve the term for performance indicators, which, by their very
     definition, mean that you are measuring real data from the plant, you
     are collecting real data, do some simple calculations, and compare
     against the performance measure at that level, a threshold.
         That's the process that was presented yesterday, the new
     oversight process and so on relies heavily on those.  So this word is
     used in different contexts, I think, in the two areas, and I don't know
     whether we want to say that in this letter.
         DR. BUDNITZ:  George, you've just made a point that, again,
     I think complements what I was trying to say.  Look, the reactor has
     what we call normal operation every day and then there's a spectrum of
     upsets from, you know, little things to the larger things.
         And what has consumed NRR for all this time, and
     appropriately, is to assure that the biggest upsets don't occur or occur
     with manageable consequences or are kept at very low probabilities per
         Now, at a low level waste burial ground, a Part 61 facility
     like Barnwell or certainly at Yucca Mountain, we use the word
     performance because you don't think of it in sort of it has normal
     performance and then an accident comes along.
         What you're trying to do at a Barnwell is trying to figure
     out, for the next 50 or 150 or 400 years, what the normally expected
     behavior, which they call performance, is, as opposed to what the normal
     things with accidents put on top.
         DR. GARRICK:  Yes, but they do mean safety performance.
         DR. BUDNITZ:  Yes, they do.  They do mean safety
     performance, but because the upsets are of a different character -- by
     the way, you could have -- the analog of an accident is, you know, a
     plane lands on Barnwell 200 years hence.  That's an accident, right?
     And that is considered in the design in terms of probability and
     consequence.  So it is considered.
         But the word performance is used because in the other area,
     really the way one thinks about these things is in that more different
         DR. KRESS:  Now, I don't want to put anybody on the spot,
     but we would welcome some summary comments from the staff, if you care
     to make them, and both on the NMSS side and the reactor side.
         MR. HOLAHAN:  This is Gary Holahan.  I guess I could say a
     few things and then if Tom and Norm would like to say something, I guess
     they could speak for themselves.
         I think a lot of the things that have been said in the last
     day or so are helpful in shedding some more light on a concept that's
     been around for a long time, and I think if the committee were to write
     some of these things down, not necessarily in the context of rewriting
     the white paper or rewriting the definition, but in more of an
     explanatory sense, I think it would be helpful to the staff and the
     Commission, because we do have a number of activities going forward.
         Certainly, in the reactor area, the concept is being used in
     our license amendments, in risk informing the regulations in various
     processes.  And to the extent that we can have a clearer understanding
     of what it is and what it's not, I think we're probably better off.
         One of the things that -- I think Bob Budnitz expressed it,
     sort of in the strongest sense I've heard, but we had other sort of
     versions of it, and that is that defense-in-depth is not an absolute,
     and I think when we talk through a number of examples, defense-in-depth
     is a way of addressing uncertainties where that is important.
         We have examples where either the consequences are very low
     or the frequency of events are very low and the staff has never applied
     defense-in-depth in those cases, and you can go and you can sort of work
     those examples out.
         So I don't object to the idea that we should shed a little
     more light on defense-in-depth and make people aware that it is not a
     fundamental concept.  It is a way of addressing uncertainties.  The fact
     that you are addressing uncertainties is a more fundamental concept.  If
     it's a principle, it's a derived principle, it's not a fundamental
         And I think that would be helpful.  Whether it's designed in
     or explained afterwards, I think those are interesting thoughts, but I
     don't -- I'd have to think about it a while before I would rewrite
     anything on that point.
         But the point that uncertainties are the more important
     issue and that as we move forward, we're using this tool, where
     appropriate, and if the committee would shed some light on the
     state-of-the-art and the appropriateness of defense, of where
     defense-in-depth has its largest role, that would be of some value.
         Now, whether those thoughts would be reflected in an edited
     white paper or just some other arena, I think, I don't know and maybe
     that's a matter for the Commission to decide.
         DR. KRESS:  Thank you, Gary.  Tom?
         MR. KING:  Let me add to what Gary said.  I think a lot of
     what Budnitz said, at one time, I thought maybe this was a subject that
     was worthy of a Commission policy statement, but after the discussion, I
     don't think that's the case.
         I think what we're talking about is a practice that the
     Commission has employed over the years.  Policy statements, to me, are
     more to state Commission expectations, not to document practices.  I
     think the issue that really needs to be addressed is how should this
     practice be applied, so that it's applied consistently, recognizing the
     various -- it may vary depending on the regulated activity you're
     talking about, but there probably are some elements of consistency, what
     is its purpose and so forth.
         We have other practices that the agency employs, just like
     defense-in-depth.  They employ safety margins, they employ use of codes
     and standards and so forth.  We don't have policies for those things.
         To me, the real question is not so much -- I think you've
     talked about a lot of the various elements of application that would be
     worthy of writing down.  The question to me is where do you write them
     down.  Should it be a separate white paper, should it be a modification
     of the existing white paper, should it be something else?  I think
     that's -- any light the committee could shed on that would be useful,
     but I think it's worth writing them down somewhere, if we find the
     appropriate place to write them down.
         MR. EISENBERG:  This is Norman Eisenberg.  I think one of
     our big concerns is that there not be some overarching principle that
     would be geared toward reactor regulation and imposed on materials
     regulation.  Everybody understands our concerns and has responded
     positively to that.  So that's very good.
         NMSS is going to move further into risk-informing its
     regulations and risk-informing its regulatory practices.  This is not an
     easy thing to do necessarily and some of the traditional concepts of
     safety and defense-in-depth, I believe, is one such concept, have to
     change in that environment.
         And some of the things that I've talked about would be, I
     think, helpful if the subcommittee could endorse to some degree.  For
     example, how do you handle uncertainties in a risk-informed
     performance-based regulatory environment and how does the degree of
     hazard or the degree of risk play into those decisions.
         So that, for example, in a deterministic environment, you
     want your expected performance, the load bearing capacity of the crane
     to be above the load, the expected load.  When you do a probabilistic
     calculation, the question is how do you do the comparison and do you
     still need the same amount of margin or if the consequences of exceeding
     the limit -- for example, if the limit is 25 millirem, can we use the
     mean value of a dose distribution to demonstrate compliance.
         This is something that I think is a difficult policy issue
     that the staff grapples with every day, that demonstration of compliance
     with a standard, does that have no relationship to what the standard is
     protecting against and do you need the same degree of assurance for
     lower risk activities as you do for higher risk activities.
         This certainly plays into all the discussion that I've heard
     about uncertainty.  But this -- maybe this is not the letter that this
     should be addressed in, but this certainly is an issue that this
     subcommittee is going to be involved in, because as NMSS moves to
     risk-inform its regulatory activities, we're going to confront this
     again and again.
         So I would bring that up as something to think about.
         DR. KRESS:  Thank you.  I'd like Steve Hanauer to make a few
     comments for us.
         MR. HANAUER:  Mr. Chairman, ladies and gentlemen.  For the
     record, my name is Steve Hanauer.  I've served as a member and Chairman
     of the ACRS, as a staff member in the Atomic Energy Commission, and NRC
     regulatory staff.  I am now an employee of the Department of Energy, in
     the Yucca Mountain program.
         But what I'm going to say is my own opinion and I do not
     speak for DOE.
         I've been listening to the discussion particularly today.
     In my opinion, the various discussions over-estimate the state of
     knowledge and, therefore, under-estimate the contribution that
     defense-in-depth and multiple barriers, whatever you want to call it,
     make to achieving acceptable levels of safety.
         I think performance assessment and probabilistic risk
     assessment are very important and very useful.  They are the only way to
     deal with rare events or with 10,000 years of projected performance.
         But the uncertainties involved, I believe, are greater than
     risk analysts generally believe.  The unanticipated challenges, the
     unexpected behavior and failure modes and the bizarre human behaviors
     continue to occur and should be acknowledged.
         It seems to me that defense-in-depth and multiple barriers
     or whatever you would like to call them is necessary to achieve
     acceptable levels of safety for some applications.  I think the public
     understands this.
         That the public skepticism for some pronouncements from the
     technical community is justified and that defense-in-depth and multiple
     barriers are a legitimate technical response to this legitimate
         I would observe, I would recommend a certain acknowledgment
     of the real uncertainties involved as we proceed with our analyses of
     these things.
         Thank you.
         DR. KRESS:  Steve, while we have you up there, could I ask a
     couple of questions about that?  You seem to be very receptive of the
     concept that defense-in-depth in terms of multiple barriers is a good
     way to compensate for large and basically unquantified uncertainties and
     that, therefore, it would be very appropriate to apply defense-in-depth
     principles to Yucca Mountain, which is a little different than what I
     heard from some of the other people.
         MR. HANAUER:  That's why I asked to address the
         DR. KRESS:  Where do you think the assessment of the
     potential risk that is associated with Yucca Mountain ought to fit into
     the thinking on how much defense-in-depth is necessary or how good the
     barriers have to be or whatever?
         MR. HANAUER:  Well, I've been looking at calculations like
     that in the last few weeks.  To the extent that one has defense-in-depth
     and to the extent that the models represent what will happen, then when
     you do the calculations, you find that the results are very low or even
     zero risk, because of the overlapping protection provided by the
     multiple barriers or the defense-in-depth or whatever you want to call
         And therefore, it's rather difficult to use probabilistic
     risk assessment to give a quantitative estimate of defense-in-depth,
     although Norm Eisenberg's suggestion of a year or more ago on barrier
     neutralization, if carried beyond single barriers, enables one to
     evaluate where the design is strong and weak, again, to the extent that
     the models represent reality, and to tell you where to spend your money.
         The recent addition of the drip shield to the proposed Yucca
     Mountain design is an example of this.  It turned out that we were, in
     many people's opinion, including mine, becoming overly dependent on the
     performance of the waste package and even on the details of this
     performance, and the drip shield was, therefore, added to decrease the
     dependence of the overall performance of the repository on this one
         So that you can use this as a tool.  You mustn't believe
     everything you get, but you get insights from it and both the risk
     assessment and the defense-in-depth I view as tools to achieve using
     somewhat different approaches, the necessary high degree of safety.
         DR. APOSTOLAKIS:  If I could make a comment, Tom.  I think
     what Steve is telling us is consistent with what seems to be the
     consensus of the subcommittee.  I think that his point is that the
     unquantified uncertainties are still very large.  So that
     defense-in-depth, a risk-informed defense-in-depth is something that
     cannot play a major role right now, that you have to apply it almost as
     a principle, because the unquantified uncertainties are very large.
         I don't know enough about the repository, but for reactors,
     I'm not sure that's the case.  I think a compromise has to be found
     because it is true that people do stupid things, still it is true that
     every now and then something happens that we hadn't thought of, but its
     risk significance, I would argue, is not such that it would make me
     worry about the validity of the PRAs.
         And I think as I mentioned yesterday, the work that the
     former AEOD is doing collecting data and so on goes a long way towards
     convincing me that a good part of the PRA, in fact, do represent what
     happens out there.  And it's too bad that the AEOD has not figured out a
     way to advertise, to publicize what they are doing, because most of the
     community are not aware of it, including PRA analysts.
         So I think the words that you are giving us can serve as a
     caution, so we don't become too enthusiastic about PRA and its results.
     But I do believe that in the reactor arena, for example, putting a
     defense-in-depth, applying defense-in-depth at the level that Gary and
     Tom presented yesterday, and maybe some other levels, is a reasonable
     way to proceed.
         In other words, I would give more credence to the results of
     risk assessment for reactors, because we have been doing them around the
     world.  We've been collecting data, and there seems to be a consensus
     there that this is it.
         DR. KRESS:  I would certainly agree.
         DR. APOSTOLAKIS:  Now, when it comes to severe accidents, I
     think you are right.  I think your words acquire more weight as we move
     into those exotic areas where experience is not very strong.
         DR. KRESS:  Bob?
         DR. BUDNITZ:  Can I ask Steve a question?
         DR. KRESS:  Yes.
         DR. BUDNITZ:  Steve, I wonder what your reaction is to the
     following thought.  Gary Holahan said something a few minutes ago I
     thought rung a very nice bell with me.  He said that defense-in-depth
     is, to him, not a fundamental principle, but it's a derived principle.
         Let me just postulate something.  Imagine, Steve, that you
     are in control of the design, which you're not, but you're part of the
     senior management of the project at Yucca Mountain, and you and your
     colleagues observed that a great reliance on that canister was being
     placed in the earlier design and you and they felt nervous that maybe
     you didn't have as much confidence as you'd like to have, so the drip
     shield was evolved as a means of your achieving more confidence.
         Now, if the principle of defense-in-depth had never been
     enunciated by us or anybody else for reactors, I suspect you would have
     done that anyway.  But now you have observed that it is, in fact, for
     you, a manifestation of this defense-in-depth idea that I know you've
     known about for 40 years in your previous life as one of the great
     experts on reactor safety.
         So I'm going to ask the question.  Do you see it, also, what
     Gary said, as it's derived or it's sort of a manifestation of sound --
     what I was saying, sound engineering approaches, or does it rise to a
     higher level?
         MR. HANAUER:  I don't really think that those words matter.
     It's almost angels on the head of a pin.
         DR. BUDNITZ:  That's a fair comment.
         MR. HANAUER:  Whether it's a fundamental or derived, I think
     it's a tool, a very useful tool.
         DR. BUDNITZ:  Okay.  Well, the reason why I think the
     distinction does matter is that not everybody either in the design
     organizations of the licensees and applicants, nor on the staff, have
     the experience and wisdom of a Steve Hanauer.
         DR. APOSTOLAKIS:  But they do matter, Steve, because you
     just said it's a tool.  You downgraded it.  De facto, by declaring it a
     tool, you downgraded it.  See, when we were writing four years ago the
     risk-informed guides, we had long discussion around this table as to
     whether the principle of defense-in-depth should be preserved, and we
     settled with philosophy.
         So it does matter.  I think it doesn't matter because, in
     your mind, it's just a tool.
         DR. BUDNITZ:  No, no.  It doesn't matter to Steve because
     Steve -- forgive me, Steve -- has experience and knowledge.  By the way,
     he's not unique in this, but Steve has experience and knowledge which
     isn't -- and understanding, which, by the way, is not unique, but
     certainly is greater than your average designer out in the field
     somewhere or your average regulatory staffer.
         DR. GARRICK:  I think we're quibbling now.  I don't think
     this is --
         DR. APOSTOLAKIS:  I think Steve made his point very well.
         DR. BUDNITZ:  I'm just worried about it being elevated.
         DR. APOSTOLAKIS:  It would not be, unless I'm removed from
     this committee.
         DR. KRESS:  I also worry, though, Steve, that another person
     with equal experience, but a different perspective, might come in and
     say I am still uncomfortable with all the uncertainty, particularly when
     the stuff gets into the ground and travels through the ground water and
     so forth, and I want more defense-in-depth.  I want you to put another
     barrier, I want you to fill the cask with depleted uranium and I want
     better diagnostics to know what's going on and I want a controlled
     environment inside my cask.  I want to be sure there's no moisture in
     there when I seal it in the first place.
         There are all sorts of things that I can postulate that
     would give me a more comfortable feeling, and those are all in the name
     of defense-in-depth.  Where do I stop this process and how do I know
     when to quit?
         MR. HANAUER:  In fact, such proposals, as you must know, are
     made every day and I don't think -- you can use PRA as a tool to work on
     this question and you can use defense-in-depth as a tool to work on this
     question, but in answering such things, the result is determined by
     judgment, and not necessarily technical judgment.
         These are social and political problems and, in fact,
     theological problems, and I'm not licensed to practice sociology,
     politics or theology, and, therefore, one has to apply judgment.  There
     is no substitute.  There are prominent and influential people pushing
     depleted uranium and so forth.
         The project decision-makers, the program decision-makers
     may, in fact, decide to do it and the decision will not be entirely
         DR. KRESS:  Thank you.  We have one other speaker I'd like
     to call on.  Janet, would you like to make a few words?
         MS. KOTRA:  Thank you.
         DR. KRESS:  Please identify yourself for the record.
         MS. KOTRA:  My name is Janet Kotra, and I would like to
     speak as an earnest, average regulatory staffer, who is speaking as a
     member of the team preparing the draft final rule for Part 63.
         And I want to address specifically Dr. Budnitz's comment
     about the need not to invoke defense-in-depth in Part 63.  I want to
     note here that an earlier Commission in 1983, in promulgating the
     generic regulations for a repository, already invoked defense-in-depth
     and went so far as to say that the imposition of quantitative subsystem
     performance criteria were essential to the insurance of
     defense-in-depth, and that one example, which, as far as I'm aware, is
     now 17 years old, is unique, where this equation has been made in the
     context of a rulemaking.
         We've been discussing it in the context of my colleagues
     from NRR, in the context of a practice and the discussion here has
     circulated on how that practice or principle or philosophy is
     implemented.  But the Commission, in promulgating that generic rule,
     said that it was incumbent upon them in order to ensure defense-in-depth
     to make this additional test.
         The Commission more recently, a different Commission, has
     now said it wants to go a different direction.  So it is incumbent upon
     those of us in the staff to provide the Commission with a justification
     for that.
         So I don't believe that it is possible for us not to -- to
     walk away from that argument and we have to justify why we believe
     health and safety and protection of the environment are ensured, and I
     think we also have to recognize, as Mr. Bernero has pointed out
     repeatedly, that the Congress has said that our criteria have to include
     requirements not for defense-in-depth, but for multiple barriers.
         And we have discussed and Norm has laid the groundwork for
     why the use of multiple barriers is a way to implement a philosophy of
     defense-in-depth, but I'm kind of at a loss as to how, with a straight
     face, we can put forward a final rule that does not address this issue
     and we would certainly -- you know, and in that regard, guidance
     wherever we can find it on how to implement defense-in-depth and a
     multiple barrier provision in the context of high level waste disposal
     is certainly of interest to us.
         Thank you.
         DR. KRESS:  Thank you.
         DR. APOSTOLAKIS:  Okay.  That's it.
         DR. KRESS:  I guess before I close, I will ask the
     subcommittee members if they would like to make any closing remarks.
     You're welcome to do it or not to.  We've already said a lot.
         DR. APOSTOLAKIS:  Who is writing the letter?
         DR. KRESS:  So this is not a requirement.  Who is writing
     the letter, I don't know.  Do you want to write it, George?  I think we
     can discuss this off-line and come up with some process to write a
         DR. APOSTOLAKIS:  We can write pieces and send them to one
         DR. KRESS:  Send them to each other or send them to one
     person.  Are there any closing comments from the subcommittee members?
         DR. GARRICK:  The only thing I wanted to say was one way to
     get a sense of who agrees with you and disagrees with you is to write
     something down.  I did that, passed it around to my colleagues, and much
     to my expectation, I got some disagreement, but also got some
         And what I was trying to do is nurture this idea of what can
     we agree on of a broad-based nature, and what I was hearing was -- and
     what I put through my logic engine and came out with was things like
     supporting the notion that defense-in-depth is a philosophy for assuring
     safety.  It should not be converted to an algorithm or an analytical
     process, do not support making DID a formal requirement, that's my view.
         I guess I would continue to strongly encourage that the
     emphasis be on trying to quantify defense-in-depth.  I think the
     advantage the reactor side has that the waste side does not have, the
     repository side does not have, is they have a basis for calibrating that
     measurement.  We don't have much of a basis for doing that, but we sure
     have a basis for trying to improve our measurements.
         Let's get our yardsticks out there before we decide what the
     levels should be, except for the overall performance.
         On this issue of allocation, which is a red button for me,
     because I don't believe in reliability allocation, based primarily on my
     reliability analysis experience, it's not just on my risk experience, it
     has not worked very well.  But if we mean by allocation guidance on the
     quantification of protection system, our lines of defense, and if we
     mean by allocation being more specific about form of PRA and PPA
     results, probabilistic performance assessment results, then I'm in favor of
         I do not favor prescribing individual system performance,
     for reasons that you've heard us talk.  I continue to believe that we
     should put the emphasis on understanding what that contribution is, but
     in context of the performance measures that we're obligated to
         I think that one of the things that we as technical people
     should always strive to do, because we do that better than anything
     else, is try to calculate what we're doing.  Tom Pickford has always --
     his answer is always the same, well, what do you do about that, his
     answer is, well, we try to calculate it, and I'm a great believer in
     that, that we have to, in the spirit of what Steve Hanauer and others
     have said, recognize that our calculations are just calculations.
         In addition to the uncertainties, there are other things
     that have to be considered in making decisions, that risk assessment is
     not a decision analysis.
         So anyway, that's a few of the things.  I think that one of
     the things that I'm concerned about if we attempt to define
     defense-in-depth, that it will be narrower than we want it to be as soon
     as we think about it.
         I think in serving on several nuclear plant safety
     committees, one of the things that has impressed me just absolutely greatly
     is the impact that improving people performance has had on the
     performance of plants, without any changes in the performance of
         And to me, there is an element of defense-in-depth that is
     quite fundamental and extremely important and to the extent that we can
     begin to bring that into the process of the quantification exercise, we
     ought to try to do that, as well.
         But I, as the Co-Chairman, appreciate what we have done in
     the last two days.  There are some views that I have that have certainly
     been affected by what we've heard and we will do our best to see if we
     can provide some sort of documentation of this in a manner that is
     constructive for the Commission.
         DR. APOSTOLAKIS:  Maybe next time the ACNW meets with the
     Commission, you should mention the word safety culture.
         DR. KRESS:  Good idea.  As Co-Chairman of this, I would like
     to express our appreciation to all the participants for this very
     interesting and stimulating discussion and, I think, very useful one.
     I'm anxious, and that's the right word, anxious to see what we may --
     how we make use of all this when we put something down on paper.  It
     certainly has been stimulating to me and quite a good discussion, I
         So with that as the final thing, I am going to declare this
     subcommittee closed, adjourned.
         [Whereupon, at 11:06 a.m., the meeting was concluded.]
