ACRS/ACNW Joint Subcommittee Meeting, January 14, 2000
UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
MEETING: ACRS/ACNW JOINT SUBCOMMITTEE
White Flint II
11545 Rockville Pike
The subcommittee met, pursuant to notice, at 8:30 a.m.
THOMAS KRESS, Co-chairman, ACRS Member
JOHN GARRICK, Co-Chairman, ACNW Chairman
GEORGE APOSTOLAKIS, ACRS Member
RAYMOND WYMER, ACNW Member
P R O C E E D I N G S
DR. KRESS: Let's please come to order.
This is the second day of the meeting of the Joint
Subcommittee of the Advisory Committee on Reactor Safeguards and the
Advisory Committee on Nuclear Waste.
Once again, I'm Thomas Kress, Co-Chairman of the
subcommittee, and on my right is Dr. John Garrick, also Co-Chairman of
the joint subcommittee.
Joint subcommittee members in attendance are George
Apostolakis of the ACRS and Dr. Ray Wymer of Oak Ridge, Tennessee, and
the ACNW. Also present is Dr. Milton Levenson, consultant to the ACNW.
I guess we have two invited experts left, Dr. Robert Budnitz and Dr.
Robert Bernero, Mr. Robert Bernero.
DR. APOSTOLAKIS: Is Tom coming?
DR. KRESS: I don't know. That's why I stumbled over this.
This meeting is going to continue the discussions we had
yesterday on defense-in-depth in the regulatory process and particularly
focus on its role in licensing a high level waste repository, but also
its role in revising the regulatory structure for nuclear reactors that
make it more risk-informed, and how the two are related to each other,
if at all.
The subcommittee will gather information, analyze relevant
issues and facts, and formulate proposed positions and actions, as
appropriate, for deliberation by the full committees. We always have to
Michael Markley is the Designated Federal Official for the
initial portion of this meeting, that's Mike over there.
Rules for participation in today's meeting have been
announced as part of the notice of this meeting previously published in
the Federal Register on December 21, 1999.
A transcript of the meeting is being kept and it is
requested that speakers first identify themselves, name and affiliation,
and speak with sufficient clarity and volume so they can be readily
With that out of the way, our agenda says we're going to
continue our general discussions and that Tom Kress and John Garrick
will review the goals and objectives of this meeting.
John, do you have anything?
DR. GARRICK: Let me just comment a little bit about some of
the thoughts that we had when we were planning this meeting; that if we
could achieve those, it would be very constructive.
It was pretty obvious from yesterday's proceedings that from
an implementation standpoint, there are vast differences between the
reactor problem and the materials problem, and we also know there is a
vast difference between different categories of materials problems.
Much of what we have been talking about and discussing has
been narrowed to the high level waste repository issue and the reactor
safety issue, but we can't forget that on the materials side, there are
all these other categories of things that we have to be concerned about
and be prepared to offer advice to the Commission on how
defense-in-depth might apply to those.
So maybe one of the things that we can discuss a little more
today are the non-high level waste issues and what the role of
The other thing that I would hope maybe we can discuss is
that we had a bit of a vision coming into this that what we would like
to do would be to agree on some overarching issues and philosophy about
the application of defense-in-depth that would be applied regardless of
the application, and then realize that when we start talking about how
it's done and we start focusing on implementation, that we need to
specialize to the areas that we're going to apply it to.
So I would hope that one of the things that might come out
of our discussion today would be some overarching things that we could
agree on as to what we mean by defense-in-depth that are applicable
regardless of application, and then recognize that we've got to split it
up into the two primary issues and deal with it accordingly.
So that's it.
DR. KRESS: That's a good suggestion, I like both of those.
George, do you have any thoughts on what we should be doing this
DR. APOSTOLAKIS: I agree with John. Are we going to write
DR. KRESS: That's probably something we need to decide.
DR. APOSTOLAKIS: Because if we are going to write a letter,
I think we should spend -- we should structure the discussion this
morning around specific points we want to make, not just general
discussion of defense-in-depth.
DR. KRESS: Absolutely. Does the joint subcommittee, at
this point, actually see a need for a letter? What would -- I'm sorry.
DR. BUDNITZ: I just want to comment about something. John,
your remarks seem to assume, as a predicate, that it's possible to come
up with something that would be agency-wide and, more to the point, that
it's desirable and useful to do so, and I think, the best I can tell,
that's still an open question for discussion.
DR. GARRICK: You always have to have a goal.
DR. BUDNITZ: I understand. I've been thinking about this a
lot and it's more than not clear to me. It's pretty clear that to try
to do that may impede what the various arenas individually need.
DR. GARRICK: I know Bob has --
DR. BUDNITZ: Without arguing that I'm -- I have an open
mind about some suggestions that might overcome those difficulties.
DR. GARRICK: Right.
MR. BERNERO: I would suggest -- in fact, I put together a
brief outline of topics for discussion framed in such a way as to
discern whether or not there is some kind of growing or evident
consensus on the overarching philosophy and on particular applications
of that overarching philosophy.
Put simply, I would suggest that an approach of discussion
that if it merits going to a letter or whatever format, fine, because
ultimately that would be desirable, but start with what I would call the
characterization of defense-in-depth.
There was a lot of discussion yesterday of is it a policy,
is it a strategy, is it a philosophy, is it an approach, to really
discuss that carefully, so that one has the bounds of what it is and can
Then in my own thinking, it goes to a policy of no undue
release rather than multiple barriers as a definition, and then the
relationship of defense-in-depth to risk-informed regulation. They are
two different concepts and I think that has to be very clear.
Risk-informed actions are appropriate to the consideration
of defense-in-depth approach or philosophy, and I think we should
discuss that, and what are the implications of applying risk
information; in other words, willingness to reconsider either the
existence or the modification of traditional barriers, things like we
discussed yesterday with the AP-600.
Then having discussed the overarching, go to application in
specific fields, in reactors, materials regulation, low level waste or
decommissioning, and high level waste, because those last two are quite
different. So that's what I would suggest.
DR. APOSTOLAKIS: I think that's an excellent suggestion.
DR. GARRICK: I think it's an extension of just what we've
been talking about.
DR. APOSTOLAKIS: Yes.
DR. BUDNITZ: Just to amplify what I said two minutes ago in
another field, I've never been on a code committee to try to develop
regulations to design public facilities against earthquakes, but I have
had discussions with those that have wrestled with that for years.
For a long time, those code committees and the people who
are involved in such policies thought about whether they could come up
with some overarching philosophical approach to such design, design,
again, public facilities, buildings, bridges and so on, refineries,
It turns out that while you can do it, it's not terribly
beneficial to do that, and the reason is that the design problems are so
different in California, coastal California, than they are in, let's
say, Florida. And why is that? It's because the Bay Bridge, which I go
across from time to time, earthquakes are the principal threat. But a
comparable bridge in Florida, they are by no means the principal threat.
They're something you've got to do anyway, also.
And whether something is a principal threat or not governs
the design philosophy in important ways, and that could be the case
here. Certainly I couldn't see necessarily the same philosophy applying
to smoke detectors as I would to a nuclear power reactor, just to use a
You have to be careful about whether, in striving for that,
you do a disservice to all of it. That's to support my skepticism,
without saying that I have open ears to some ideas.
MR. HOLAHAN: This is Gary Holahan, on the staff. If I may
add a thought. Back in March, after some discussion with the ACRS and
the ACNW, the Commission issued a white paper with a bunch of
definitions in it and one of them is this thing we talked about
yesterday, which is, in effect, the definition of defense-in-depth.
I think if the committees say nothing, then that definition
is left in place. So I think one of the things that needs to be
addressed is the fact that we already have an expression by the
Commission of a sort of philosophy and definition of defense-in-depth
and if the committee likes it, that's one thing; if the committee
doesn't like it, then I think that frames the issue that the committee
or staff or someone needs to tell the Commission that a change is in
So in part, the fact that that is an existing document
frames part of this issue.
DR. GARRICK: Not only that, Gary, we reviewed that document
in its preparation and one could take that review as our endorsing that
MR. HOLAHAN: Yes. And I think if the committee says
nothing or the staff says nothing, it ought to be interpreted as a
re-endorsement or at least not an argument against leaving that
DR. GARRICK: Maybe it's a good idea to put that definition
back up on the screen.
DR. KRESS: Yes, I was going to suggest that.
MR. MARKLEY: It's in your books, tab ten.
DR. KRESS: I don't have a notebook.
DR. APOSTOLAKIS: There was one transparency. Would it help
to put it up there? I believe Norm had it.
DR. GARRICK: Here it is.
DR. APOSTOLAKIS: We should also be able to see it.
MR. BERNERO: The second bullet is my own words.
DR. KRESS: I personally don't have any problems with that
definition. It just lacks quantification, which most definitions do,
but as a concept, I don't have any problem with it.
DR. APOSTOLAKIS: I don't know why I should disagree with
MR. BERNERO: There are a couple of things that you really
ought to think about. This is a definition that -- and as I said when I
put it up, I don't quarrel with it, but what does it mean and how is it
applied. The rest of the sheet music isn't written yet.
So the purpose of this dialogue and further dialogue would
be, okay, what are the implications of this, not wholly dependent.
DR. APOSTOLAKIS: I think there is more to it than just the
implications. The more I think about it now, I'm coming up with ways to
I think a fundamental issue here is the fact that
defense-in-depth, which is what it says there, has the intent of
managing uncertainty. Unless we say that, unless we bring uncertainty
in the issue here, we can't really go very far.
The reason why that's important is because when this was put
together 40 years ago, the uncertainty in the probabilities of
accidents, frequencies of accidents was not quantified. This is a key
element. And now a part of it, a good part of it is quantifiable and
that's why we're revisiting the issue.
DR. GARRICK: Yes. It should be pointed out, George, and,
of course, you know this, that in that same paper, they did offer a
definition of risk that did make reference to uncertainty and
quantification and what have you.
DR. APOSTOLAKIS: But this defense-in-depth should do the
DR. GARRICK: Right. There is one thing about this, and I
kind of like the definition, too, with the interpretation that we're
giving to it regarding risk. But I think one word, key word is missing
in that sentence that talks about the net effect of incorporating
defense-in-depth into design, construction, maintenance and operation,
and that's the word management.
I think most of the cleanup and the strides that have been
made in elevating the U.S. plants into the top ten group of the world
recently has been principally driven by a change in the culture, a
change in the management, and attitude of the people at the plants.
So I would just make the simple addition there that the net
effect of incorporating defense-in-depth in the design, construction,
maintenance, management and operation --
DR. APOSTOLAKIS: I guess operation is implied.
DR. GARRICK: I think it's more than operation, because the
one thing the nuclear plants learned is that there's got to be much more
at the plant than just the plant manager and the operations manager.
The plant is very strongly dependent upon support services, on
engineering, on a whole bunch of other things, and so I think that would
embrace that concept.
DR. KRESS: I would have narrowed that and just said design,
construction and operation. Those are parallel activities that
incorporate both management and maintenance and it's just different
phases of the reactor life.
DR. BUDNITZ: George, I want to amplify your notion about
uncertainty, because I think you might have missed something. If I have
it wrong, you'll tell me.
Let me postulate for a minute that for a large facility, it
might be a gaseous diffusion plant or something, that actually, in the
analysis, in the PRA analysis, all important uncertainties are
quantified; that is, we know them, which really means that they're
dominated by something that we really know and there are some
unquantified things that we don't know, but they're known to be less
I don't think that the fact that you and I and others around
this table could say that with confidence is necessarily enough for the
general public. The general public are skeptical of engineers and
scientists. The phrase intellectual arrogance comes to mind, because
from time to time, assurances have been given in other arenas and, in
fact, in the '50s and '60s and even in the '70s, just go see what Dixie
said after WASH-1400, they were said in this arena.
That mistrust means that the general public may seek
additional assurance in the defense-in-depth arena, even if the
uncertainties are quantified well and we really know what they are.
DR. APOSTOLAKIS: Yes, but that's a separate issue. That's
what to do when you have quantified. All I'm saying is --
DR. BUDNITZ: Wait, wait. But I want to argue to you that
in that arena, a driver for a defense-in-depth approach to design and
operation could be to provide that assurance to the public over and
above our need for it as engineers.
DR. APOSTOLAKIS: Right, over and above.
DR. KRESS: That's one of the reasons I came up with the
allocation concept in my definition.
DR. APOSTOLAKIS: I think that's the next issue. We're
discussing now the definition. I mean, somebody wants to find out what
is defense-in-depth and I think this doesn't tell that person that the
whole intent of the philosophy is to manage the uncertainty associated
with reactor safety.
DR. BUDNITZ: Because, in fact, I argue that that may not be
the whole intent.
DR. APOSTOLAKIS: No.
DR. BUDNITZ: Yes. Now, let me just argue. An important
objective could be, and I argue that it ought to be --
DR. APOSTOLAKIS: Convince the public.
DR. BUDNITZ: -- to make transparent to the public --
DR. APOSTOLAKIS: That you have managed the uncertainty.
DR. BUDNITZ: No, no.
DR. APOSTOLAKIS: Yes.
DR. BUDNITZ: No, no. That notwithstanding the above, we
have an additional barrier, notwithstanding the above. In other words,
even if we convinced ourselves we didn't need a containment,
notwithstanding the above, we give you this additional thing, because
people can understand what --
DR. APOSTOLAKIS: But the whole driver of this is the
uncertainty. The public also has uncertainty, they don't believe us.
DR. BUDNITZ: In which case, that doesn't capture that
either. I'm just trying to make a point that --
DR. APOSTOLAKIS: I understand the point.
DR. BUDNITZ: -- if, in fact, the technical community has
understood its uncertainty and know what it's doing and really don't
think we need this thing, it may be that that's the only way to get the
public to accept technology that they believe is dangerous.
DR. APOSTOLAKIS: But I don't think the definition should
say we're doing this in order to convince the public.
DR. BUDNITZ: I didn't say to convince them. I said that an
objective could be, and I propose that you think about whatever it
should be --
DR. APOSTOLAKIS: It's ensure. Ensures. Defense-in-depth
philosophy ensure that safety will not be -- you want to put the words
DR. BUDNITZ: I'm not a wordsmith here, although I could try
it. I'm just trying to make a point about --
DR. APOSTOLAKIS: And that's a good point.
DR. BUDNITZ: I'm trying to say that it's more than just
managing what we engineers and scientists think is unquantified
DR. KRESS: George, I am always reluctant to disagree with
you, but let me throw this out to you. I think, as a technical activity
that's hazardous, society values both preventing the accident from
happening in the first place. They value being able to stop it before
it gets very far. They value protection in case these things fail and
it goes so far that you've got to mitigate it, and they value being able
to have alternative means to protect themselves.
And I say that defense-in-depth is just providing those
multiple layers because that's what we value, and not because there's
lots of uncertainty in each step. And at the same time, it turns out to
be a way to manage the uncertainty as a byproduct.
DR. APOSTOLAKIS: And I think about it in the complete
DR. BUDNITZ: I understand.
DR. APOSTOLAKIS: That the driver here is the uncertainty
and the reason why we value these things, and I agree with you, is
because we believe that that's a reasonable way, a convincing way of
handling that uncertainty. If you didn't have that uncertainty, the
public would not be asking you for all these.
DR. BUDNITZ: I don't agree with that. That's what I don't
DR. APOSTOLAKIS: Why aren't they asking for
defense-in-depth when it comes to an airliner?
DR. BUDNITZ: Because we've got data.
DR. APOSTOLAKIS: And the public is convinced that it's
DR. BUDNITZ: Because we have data for airliners.
DR. APOSTOLAKIS: And what does that mean because we have
data? That we have eliminated a lot of the uncertainty. That's the
driver, that's the fundamental issue.
DR. BUDNITZ: The data are acceptable.
DR. APOSTOLAKIS: The fundamental issue is the uncertainty
and if the public has uncertainty, some people have lied or misguided
the public in the past. So now other things come from it. But the
fundamental reason why we had this was to manage the uncertainty
associated with reactor accidents.
MR. BERNERO: Could I interrupt with a thought? This is a
joint subcommittee meeting of two committees. This dialogue betrays
that this definition is essentially a reactor safety approach.
DR. APOSTOLAKIS: It is.
MR. BERNERO: And it basically falls apart seriously when
you try to apply it to the materials side or the waste management side.
I think that's an important point for the committee to consider.
DR. APOSTOLAKIS: Yes.
MR. BERNERO: My understanding of the white paper is it was
intended to be an overarching one.
DR. APOSTOLAKIS: Yes.
DR. KRESS: Yes.
DR. GARRICK: I'm certainly a disciple of uncertainty being
a highly visible part of the process and that it is the keystone, if you
wish, of the whole issue of risk.
On the other hand, the reason I kind of like this definition
is that I think it communicates well. I think it's absent of a lot of
esoteric terms and a lot of systemese language that sometimes offends
Sometimes the whole notion of risk and uncertainty
unfortunately does that. So I don't have a big problem with it. I
wouldn't have a big problem either with modifying it to put some
emphasis on that.
DR. APOSTOLAKIS: Yes. It's not an issue of rejecting this.
DR. GARRICK: Right.
DR. APOSTOLAKIS: So how about if defense-in-depth is an
element of the NRC safety philosophy that employs successful
compensatory measures to manage the uncertainty associated with
accidents in nuclear facilities, and then go on to say that you prevent
accidents, bla, bla, bla, bla, bla.
DR. GARRICK: Well, the only thought I have about that is
the public might say I don't care about managing uncertainty, I care
about ensuring my safety.
DR. APOSTOLAKIS: What's the difference?
DR. GARRICK: You and I understand that.
DR. BUDNITZ: But, George, let me just go to the repository
for a minute.
DR. APOSTOLAKIS: But aren't we arguing for the public?
DR. BUDNITZ: But let's talk about the repository for a
minute. We all know that it's going to be a non-trivial job for the
Department to demonstrate, to their satisfaction and to the NRC's, that
they can meet the 10,000 year thing, right? But I think most of us
would have no problem with the Department saying we got high assurance
for 1,000 years that nothing is going to come out. You do that with a
And that's high assurance. But I know members of the public
that think that a thousand years is an awfully long time and that it's
arrogant beyond credibility for any scientist to claim a thousand years
for something that hasn't lasted a thousand years and no one has built a
can in the year 1000. These are, in fact, then extrapolations. So we
have to recognize there are people out there, thinking members, not just
unthinking, thinking members of the public, who don't trust our
extrapolations, even though we have very little uncertainty.
DR. APOSTOLAKIS: Look, I'm having a problem here what we're
trying to do. This is becoming a risk communication session.
DR. BUDNITZ: No, no, no.
DR. APOSTOLAKIS: I am not saying that it's not important to
communicate to the public, but let's not forget the technical community,
too. We are trying to define a concept that has been hailed as the
cornerstone of the safety philosophy of this agency.
DR. BUDNITZ: Sure.
DR. APOSTOLAKIS: And if I manage to communicate both to the
public and the staff what that philosophy is, then I'm a great guy. But
let's first try technically to define it and understand what it means
ourselves and then worry about communicating to laymen. I don't think
that's a secondary --
DR. BUDNITZ: I'm not talking about communication. I would
argue to you that if Yucca Mountain only had a thousand year thing, we
still might want to have multiple barriers, even though we had
confidence you didn't need them.
DR. KRESS: George, as a pure rationalist, do you not have
trouble with the second sentence?
DR. APOSTOLAKIS: The second sentence.
DR. KRESS: A pure rationalist has trouble with it.
DR. APOSTOLAKIS: I have a -- sure. I'm willing to give a
little bit for this, because this is an overarching principle, but the
-- what I'm trying to say here is there are certain fundamental things
that have to be mentioned and the fundamental reason why this approach
was developed by the pioneers before the NRC, before anybody else, was
the recognition that there was a lot of uncertainty in what we're doing.
We cannot quantify it. Here is a way to make sure that it's managed,
that the frequency of the accidents is indeed small.
This is how the whole thing started and the reason why we're
going back to it now is because that uncertainty is quantified, or a
good part of it, as I keep saying.
Unless that is here, I don't see why we bother to put this
up there. Now, whether that is meaningful to the public is a good
question, but an equally good question is, first, let's make sure that
the two committees, the staff and all offices and so on agree that this
is a reasonable definition, so we all speak the same language, and then
worry about how to communicate it to other people.
MR. BERNERO: I think the real issue is not -- I share your
feeling, that later worry about communication. What you have to focus
on here is agree on the language and how to apply it in the scientific
DR. APOSTOLAKIS: Absolutely right. You're absolutely
DR. KRESS: In effect, I don't like value judgments placed
in definitions and I would have marked out the second and third
sentence, and because the first sentence is the definition. The second
and third just throw in things that give people some warm feeling, but
it's not part of the definition. It's a value judgment and description.
MR. BERNERO: Do you want to go back and rewrite this or do
you want to decide whether you can live with it and apply it? That's
the basic point.
DR. KRESS: All I'm saying is I think we ought to
concentrate on the first sentence only, because that's the definition.
Those other things are just riders that go along and have no essential
impact on what you do.
DR. APOSTOLAKIS: How about if we end the first sentence,
you know, after "a nuclear facility," put a comma, so that the
probability of accidents remains acceptably low or something to that
DR. GARRICK: Or the likelihood of accidents remains.
DR. APOSTOLAKIS: Or likelihood. Wordsmithing is okay, but
the thought. So you're doing all these things in order to make sure the
probability is low. Now, Ray disagrees.
DR. WYMER: I do disagree.
DR. APOSTOLAKIS: Okay. Why is that?
DR. WYMER: I think that's off the point. It seems to me
that even if the uncertainty is very small or negligible, you still want
to do what it says in that first sentence.
DR. APOSTOLAKIS: And I would argue that you can never get
to low probabilities unless you do what's in the first sentence.
I don't know. I can make such a strong containment that I
can get there without doing too much about CDF and other things.
I don't know what that means.
DR. BUDNITZ: You see, again, I'm not arguing about
wordsmithing here, but something about, in the last sentence, it says
"such that the net effect is the facility tends to be more tolerant and
is demonstrably so." There is this point here. It's not just that it's
so, but it's demonstrably so. And demonstrably, I'm not sure whether I
like that word or not, but the idea is to be able to convey to smart
people who aren't risk engineers.
DR. GARRICK: I think we've made a lot of progress if we can
agree on the first sentence, because I do think that -- what I like
about this definition is that it communicates well and the second and
third sentence are helpful to people not in the business, because it
tells us a little more of what it means.
DR. APOSTOLAKIS: Make them separate bullets perhaps.
DR. GARRICK: Yes, yes. But I agree that as a guiding
overarching definition, that if we could agree that the first sentence
does that, then we've made one important step.
DR. APOSTOLAKIS: Not as it is. I disagree.
MR. LEVENSON: John, might I suggest that this is already
out. So diddling with these words is an interesting exercise, but I'm
not sure what it means.
DR. GARRICK: Well, what it means --
MR. LEVENSON: Well, let me finish my thought. That is that
the thing -- the problem I have with this definition that nobody has
mentioned is that it lumps all nuclear facilities in the same bag, and
that, I think, is a big mistake, and that it might be more valuable if,
rather than worrying about these words, this definition is out, it might
be more profitable to work on a statement as to how this overarching
statement applies to different facilities and make it very clear that it
applies completely differently to reactors than it does to repositories.
DR. KRESS: In application, certainly.
MR. LEVENSON: Well, let me read you a couple of words I
diddled down here while everybody was talking. Presently,
defense-in-depth is a concept utilized in nuclear reactor design and
licensing to help assure the safety of a dynamic high energy system. It
is utilized as one of the tools to deal with uncertainties and factors
that have time constants shorter than practical intervention times.
A repository, on the other hand, is not a high energy
system, does not contain large amounts of stored energy, and has
extremely long time constants. Therefore, defense-in-depth, as applied
to reactors, is not appropriate for application to a repository.
The use of passive multiple barriers may be a more
appropriate method of coping with repository uncertainties than is DID.
DR. KRESS: I think that's a good statement.
DR. GARRICK: Except that last, than is DID.
DR. APOSTOLAKIS: Passive barriers are DID.
DR. GARRICK: That's what I mean.
MR. LEVENSON: I'm saying I think it is a form of, but I
think if you don't dissociate these two, the repository is continually
going to be hung up with things coming from the reactor side of the
house. You have to dissociate them. You can use whatever words you
DR. APOSTOLAKIS: But the first sentence has both.
DR. KRESS: It would fit that very well, the first sentence
DR. APOSTOLAKIS: You don't want to say accidents, though.
DR. BUDNITZ: At the end, you shuck DID, whereas you might
instead say it means this for the repository, rather than just shuck it.
MR. KING: Can I jump here a little bit, too?
DR. KRESS: Yes, sure.
MR. KING: This is Tom King, from the staff. I think Mr.
Levenson's suggestion is a very good one. Gary and I were just talking
also that this came out a year ago, this definition. If you use the
analogy that consider this the rule and what you guys ought to be
working on is the reg guide and how do you apply this and why shouldn't
you be talking about, okay, given this definition, what are all the
points that ought to be addressed in an application.
The application can vary across the regulated activity.
It's an attempt to manage risk, as George said, prevention versus
mitigation, all these points that you think are important that aren't
really covered very well in this broader definition, but you think ought
to be addressed if somebody went to apply it.
To me, those would be the things you ought to be focusing on
in this committee and then once you get those identified, then the next
question would be how should those be communicated; should we go back
and modify the white paper to put some sort of application statements in
there, should you recommend a separate policy on defense-in-depth, what
is the right vehicle to put this down and communicate it to the staff
and to the public.
But I wouldn't go back and fool with the definition at this
DR. WYMER: I agree with that. I think that there is a big
DR. APOSTOLAKIS: What if the definition bothers you?
DR. WYMER: Let me finish. There is a big difference
between a definition and implementation of the concept, and I think that
we ought not to mix the two up.
DR. APOSTOLAKIS: I still think that we are embracing the
notion of successive compensatory measures without asking why that has
to be there.
DR. KRESS: It's because we value prevention and mitigation
DR. APOSTOLAKIS: And we value those because we are
DR. KRESS: No, no. We value them in the absence of
DR. APOSTOLAKIS: Absence of uncertainty?
DR. KRESS: You're never going to have an absence of
uncertainty, but even with very small uncertainty, we would still do
this, because we want to prevent accidents and we want to mitigate
accidents. We would still do this.
DR. GARRICK: The truth of the matter is that
defense-in-depth has been in the gospel of how the NRC assures safety or
reaches a finding of reasonable assurance of safety has been in the
context of successive compensatory measures. The earliest discussions
about defense-in-depth were synonymously associated with successive
measures of protection.
So I don't know. If we wanted to do surgery on it and
change what it fundamentally means, sure, we could do that, but I think
as a concept that has been discussed and found its way into print, that
has been so well documented for us for this meeting, it has been in that
DR. APOSTOLAKIS: Right. But the point is that now we want
to look at it again under the current state of knowledge and
understanding why it was put together that way is fundamental to this.
There is nothing magical about successive compensatory measures. We are
not doing it because we like successive compensatory measures. We do it
because we are not confident enough that the risk has been managed.
DR. GARRICK: I think maybe we're overplaying the
compensatory measure issue because even if you think of a single
barrier, it isn't a single barrier, because we have monitoring, we have
maintenance, we have all kinds of things that give us insight into the
performance of that single barrier.
So I don't get too hung up on this single element thing
because a single element could be a transducer. It could be any one of
a number of things.
DR. BUDNITZ: I have a suggestion for how to overcome --
DR. APOSTOLAKIS: Speak into the microphone, Bob.
DR. BUDNITZ: Excuse me. I have a suggestion for how to
overcome some of this cross-talking a little in the conversation. It
seems to me that the title of that shouldn't be what is
defense-in-depth, but it really answers two questions; what is
defense-in-depth and what does it accomplish.
The first sentence defines what is, the second sentence is
what does it accomplish, and there is a third thing you people ought to
be doing, which is how is it applied.
DR. APOSTOLAKIS: Sure.
DR. BUDNITZ: So if you said to yourselves the white paper
says what it is, sentence number one; the white paper says what it
accomplishes, it ensures and it does, right? Then you can say what's
needed is now how is it applied in the different arenas and you could
make a major contribution by writing down arena by arena what you think
would be a useful agency policy on how is defense-in-depth to be applied
in these arenas.
And there, the sort of things that Milt read to us are a
jumping-off point for the difference, for the rationale for why there is
a difference; there's a lot of high energy, maybe there isn't, there's a
lot of time, maybe there isn't, which then drives how it's applied.
So if you think about it in that way, you shouldn't be --
and playing with this doesn't talk about how it's applied. It's not
intended. It only talks about what it is and what it does.
DR. KRESS: It also restricts its application to nuclear
facilities. I would be hard-pressed to call some things, like an X-ray
machine at a nuclear facility --
MR. BERNERO: You have to be careful. Legally, facilities
are production or utilization facilities, under Part 50 and now under
Part 76. But the -- what John said earlier, even if you take an extreme
case, the one I mentioned was the spent fuel shipping cask, that is
nominally just one barrier.
DR. BUDNITZ: It's not a facility.
MR. BERNERO: And I -- but never mind, it's a nuclear
practice or it's a nuclear situation, call it what you will. I don't
have gas pains with facilities with lower case "f." But the point is
it's not just a single barrier. It is a very high quality barrier. You
are depending on a massive, robust mechanical containment and that's it.
You go out in any environment, ship it, we do modal or NRC
does modal studies to see if it got caught in the Caldecott Tunnel fire,
that it would have melted or not and that kind of consideration, but I
would feel more comfortable if it were unduly dependent on a single
barrier or a barrier.
But the key to it is you have to have a systematic
consideration and not have, yes, it's a barrier, I'll walk away and
forget about it, unless there are -- and if you go to smoke detectors,
you'll find buried in the analysis, it's not a single barrier.
DR. GARRICK: Yes. And I think that the crafters of this
definition knew all of that and discussed all of that when they did it
and it's probably why you don't find the word barrier following single
up there, and the more strategic choice of the word element, because
that gives us a great deal of freedom and flexibility. An element could
even be the issue of uncertainty.
MR. BERNERO: It could be a model.
DR. WYMER: It could be a monitoring system.
MR. BERNERO: It could be an initiating event. It could be
any number of things.
DR. APOSTOLAKIS: Well, the ACRS wrote a letter May 19th of
last year and it says this philosophy has been invoked primarily to
compensate for uncertainty in our knowledge of the progression of
accidents at nuclear power plants. Later on it says when
defense-in-depth is applied, a justification is needed that is as
quantitative as possible for both the necessity and sufficiency, not
just the sufficiency, both the necessity and sufficiency of the
If you question the necessity, then you cannot make it part
of the definition that you will have successive compensatory measures.
DR. KRESS: Because that says it's necessary.
DR. APOSTOLAKIS: That's right, it says it's necessary. I
don't think that this is a definition. It's a definition of what used
to be defense-in-depth. The word uncertainty has to be there in the
first sentence. First of all, the first sentence, I agree, has to be a
separate bullet, but this is really the key. It was developed primarily
to compensate for uncertainty in our knowledge of the progression of
accidents at nuclear power plants.
Now, it goes on to say improved capability to analyze
nuclear power plants as integrated systems is leading us to reconsider
the role of defense-in-depth. Now, this is a little broader than what I
was saying about uncertainty, as integrated systems.
Defense-in-depth can still provide needed safety assurance
in areas not treated or poorly treated by modern analysis or when
results of the analysis are quite uncertain.
So I hope this letter is not going to go against several
letters that the committees have written independently.
MR. LEVENSON: Yes. But, George, I don't think that's at
all in conflict in the sense that this is a definition and the statement
that when this is applied, it should be applied only when there are
indications that it is necessary.
So I don't think you have to put that in the definition.
DR. APOSTOLAKIS: But the issue of necessity, if you make it
part of the definition that successive compensatory measures are part of
the definition, then automatically they are necessary. The burden is on
the staff or the licensee to argue why they don't need them.
DR. GARRICK: But, George, I think the point that I'm trying
to make, and not very well, is that I can't think of a situation where
there aren't successive compensatory measures.
DR. APOSTOLAKIS: I can't either. But can you put the word
uncertainty in the first sentence, John? Then you satisfy me and I shut
up. Just put the word uncertainty there.
DR. GARRICK: Okay.
DR. APOSTOLAKIS: Because that's the reason --
DR. GARRICK: Well, I'm as much a disciple of that as you
DR. KRESS: Is that enough of a concern to you, George, that
we need to make a big deal of it in a letter to the Commissioners?
DR. APOSTOLAKIS: Yes, because otherwise this whole meeting
doesn't make sense to me. This whole meeting, this whole effort of
writing a new letter is meaningless to me unless I recognize that here
is a practice, a philosophy that was developed to manage uncertainty and
what's new now is I can quantify that uncertainty. Otherwise, I don't
understand why we are revisiting it or visiting the issue.
DR. GARRICK: It's not out of order or out of the question
to take something like this and evolve it with new ideas and time and
what have you. So I don't -- I think if we are pretty much in agreement
that this is a definition that, with minor surgery, would satisfy us
all, if we limit it to pretty much one sentence, that we could address
MR. BERNERO: You don't have the freedom to do that, I
think. I think you ought to forward with the dialogue and say there are
misgivings about this or that, the lack of the word uncertainty or
whatever, but this is certainly not a statute. But the committee is
facing a need to talk about the philosophy of safety control or safety
regulation and this is sort of a given.
The committee had a shot at it before.
DR. GARRICK: Yes, we did.
DR. APOSTOLAKIS: At least the ACRS said that this is
something that's evolving, don't put anything down on it. So it's not
that we have blessed it in the past implicitly.
MR. BERNERO: I'm not saying that it's blessed. I think for
any progress to be made, there ought to be a focus on are there general
principles here and amplify on them for an overarching philosophy that's
applicable to all practices that the NRC authorizes.
DR. APOSTOLAKIS: And I guess that's my problem, Bob, that I
don't see the rest of you recognizing that a general principle here is
that we are trying to manage uncertainty.
DR. WYMER: Maybe that's a clue.
MR. BERNERO: But, George, are you recognizing the principle
that successive elements, not successive mechanical barriers, not
successive design controls, but successive elements is a fundamental
principle; that the fuel shipping cask, I think, is a golden example
because mechanically it's one barrier, a highly complex, robust, high
But the elements are the quality is a separate element. The
design, the management.
DR. APOSTOLAKIS: Sure, sure, sure.
MR. BERNERO: The restrictions are --
DR. GARRICK: I think he just wants recognition of
uncertainty as a key element of the whole process.
MR. BERNERO: And there's nothing wrong with saying that.
DR. BUDNITZ: George, I think I can make another
distinction. Defense-in-depth is, in fact, a tool. Let me say to you,
what's a screwdriver? A screwdriver is a piece of metal this long
that's got a point on this end and a handle or something, right? Why do
we need the tool to manage uncertainty? That's a why, it's not a
So this doesn't bother me. If you then want to go why do I
need it, that's a perfectly appropriate thing for you, the ACRS/ACNW to
discuss. You need it for -- there is a different "why" for a low level
repository versus a high level.
DR. APOSTOLAKIS: I gave Holahan a thought experiment some
time ago. I asked the following question. If we were absolutely
certain that you would have a core damage event if you tossed six dice
and they all came up with sixes, would you still put a containment
around it. His answer was make them seven dice and I will not. That,
to me, says there is absolutely no epistemic uncertainty. Right?
DR. BUDNITZ: Right, sure.
DR. APOSTOLAKIS: In fact, I made sure that the seven dice
were thrown independently in Los Angeles, San Francisco, another one in
Paris. So there is absolute independence.
If they are all sixes, now, you can calculate it, it's one
over six to the seventh, this is the frequency of core damage, there is
no uncertainty about it, he might consider not putting a containment.
So that tells me --
MR. BERNERO: Who said this?
DR. APOSTOLAKIS: Gary here. He made them seven.
MR. BERNERO: Guilty as charged.
DR. APOSTOLAKIS: So isn't that the fundamental thing? Now,
in order to settle this, another way of doing it is we can accept this
and I can write separate comments.
DR. BUDNITZ: But of course. That's why we don't need five
barriers for a smoke detector.
DR. APOSTOLAKIS: Somehow we don't want to say that. That's
what I am perplexed about.
DR. BUDNITZ: No, no. The question is the screwdriver looks
like this. Then later on you say why do I have it, how do I use it,
when do I use it and for what?
DR. APOSTOLAKIS: That's next, that's next. I agree that's
DR. GARRICK: John?
DR. LARKINS: Might I suggest that you probably would have
more impact of value to the Commission if you could talk about
implementation of the defense-in-depth philosophy and then afterwards,
if you feel it's totally inconsistent with the definition, you can come
back and review the definition.
But I think with the Commission recently debating this
definition and going through several iterations, that unless there is a
vehement objection to the current wording, I would suggest that you try
DR. APOSTOLAKIS: John, that is a vehement objection, I
DR. LARKINS: I understand.
DR. APOSTOLAKIS: We are talking about communicating to the
public, we should be communicating to the stakeholders.
DR. LARKINS: I think you need to do both.
DR. APOSTOLAKIS: The most important stakeholders for us are
DR. LARKINS: But I think the Commission has already made a
point that you need both. I mean, the Commission has raised the issue
of risk communication.
DR. APOSTOLAKIS: I believe that it's of extreme importance for all five
Commissioners to understand -- not that they cannot understand it, but
to make sure that we are all speaking the same language and that
defense-in-depth was developed to manage uncertainty. We all have to
agree to that.
MR. MARKLEY: But, George, couldn't that be clarified in a
policy statement or something?
DR. APOSTOLAKIS: Sure it could.
MR. MARKLEY: As opposed to revisiting the definition?
Because this is --
DR. APOSTOLAKIS: I have no problem with that.
MR. MARKLEY: -- a losing battle. You're not going to get
much value-added from it, that you couldn't do the same in a policy
DR. APOSTOLAKIS: Yes. I'm not arguing for going to the
Commission and say change the white paper. But since we all seem to
agree on this, we can take this and put it in our letter and let the
Commission decide how they want to proceed.
DR. LARKINS: I'm not sure you have a majority position on
that right now.
DR. GARRICK: The way we can do that, because -- to get off
this subject, if we can -- is that we can put it in the context with
this definition, if it's interpreted as follows, this is how we support
MR. MARKLEY: Yes, and you could customize it for the
various applications in that respect, with elements or sub-elements,
however it would be uniquely applied.
DR. GARRICK: Well, I think if we can do that, then we've
done the one thing that at least I commented about earlier this morning,
is what can we agree on that is overarching in terms of widespread
application for nuclear applications.
Now, we may still want to talk a little bit about the
non-high level waste component of the materials, of the materials side,
and what we need to do there and whether the concept really is even
MR. BERNERO: I think you've got to agree to the overarching
principle that risk-informed application of defense-in-depth is a key to
intelligent use of it, and if it's risk-informed, it addresses what are
your uncertainties, have you improved them or do you have a basis to --
it actually -- I don't know the facts on the AP-600 containment spray,
but a risk-informed application should at least make it possible to say
I don't need a containment spray.
DR. GARRICK: Yes. I think the point of view of
risk-informed defense-in-depth is something we'd want to talk about.
MR. BERNERO: Yes. But it's key to applying
DR. APOSTOLAKIS: It seems that we almost came to a
consensus earlier. I said use the word uncertainty there and Ray
objected. Now, the ACRS said primarily to compensate. If we put the
word primarily, would you agree?
DR. GARRICK: Why don't we, George, try to do in the context
DR. WYMER: That's moving in the right direction.
DR. GARRICK: -- implementation and how this is interpreted,
as a first step?
DR. KRESS: We can go back to see whether to put the -- yes.
In terms of application to the reactor side, I certainly think we ought
to call it or refer to it as a risk-informed defense-in-depth and maybe
even risk-informed design defense-in-depth, and I think what was
presented yesterday to us by Gary and Tom King was a great step in the
right direction of having a risk-informed defense-in-depth in the
reactor side of the house and it fits this definition, because what they
do is they look at prevention and mitigation and they decided how much
of each they needed and how to apply it to the different sequences and
how -- and George has made a suggestion on how to deal with the
uncertainties and that is not just have one line, one area, but three
areas, and I think that's a great step and is in the right direction for
risk-informing the reactors.
So that would be how I would proceed from here to the
DR. GARRICK: Right.
DR. KRESS: And then we have to do something about how would
we proceed from here to the Yucca Mountain and the others.
DR. APOSTOLAKIS: Well, there is more than reactors, because
there is the issue also of the unquantified uncertainties.
DR. GARRICK: But the other thing I would like to say about
that, and I think it's another supporting reason for why we don't want
to talk about the quantification of subsystems as a part of this in the
waste field, and that is one of the reasons that Gary and Tom can put
those numbers up there is that we have approximately 100 PRAs to work
We have lots of experience that has helped us calibrate what
we can expect to receive out of the performance of these systems.
DR. KRESS: I think the main reason they can put them up
there is we already have the numbers.
DR. GARRICK: That's what I'm getting at. We don't have
those numbers in the waste field and I think that our strategy has been
that we ought to be pushing the Commission, given that we're supposed to
be moving in the direction of a performance-based and risk-informed
philosophy of keeping focused on whatever we've decided is the measure
of performance, and not on surrogates of that measure.
It might well be that as we do more PA work, as we learn
more about how to analyze these systems, that some sort of yardstick
where that's calibrated will surface and then we can talk maybe about
what kind of possible thresholds make sense for a given application.
But I fundamentally think that that's not the way to go
because it's too site-specific, it's too design-specific, A, and, B, we
don't have the experience in the calculation of those systems that we
have in the reactor side.
So I think this position that we've taken on subsystems is
the right position and I would like to think that that might be one of
the areas where the two problems are very different, and they're
different because of the implementation, not because of a violation of
an overarching, underlying philosophy, which we should agree on.
DR. APOSTOLAKIS: Well, I guess what you're saying is that
we don't know enough; therefore, we have large uncertainty regarding the
performance of each of the barriers and so on. I think what is
happening here is that you will end up with words like unduly, not
wholly dependent or something to that effect, and you are postponing the
And eventually, at some point, which may be a wise decision
at this time, because maybe we don't know enough, somebody will have to
say, yeah, because of these results, I am not relying on a single
DR. GARRICK: As you know, George, we continue to emphasize,
much more than in the past, that we need to quantify the performance of
DR. APOSTOLAKIS: Sure.
DR. GARRICK: So how can we make a dumb decision if we have
before us good knowledge about how these particular barriers perform?
We're not going to make a dumb decision.
DR. APOSTOLAKIS: No, nobody is saying you're going to make
a dumb decision. You're just postponing the decision as to what is the
DR. GARRICK: Yes. Right.
DR. APOSTOLAKIS: That's all.
DR. GARRICK: Right.
MR. LEVENSON: Let me introduce an additional slight
thought, and that is I think we all agree that the uncertainty is
extremely important, but it's important only if the consequences of that
uncertainty are serious consequences. We've got to be very careful
about focusing entirely on the uncertainties. It's only uncertainties
that have big consequences.
DR. BUDNITZ: Yes. A way of putting that in a different
light is I don't know whether a low level waste burial ground under Part
61 is a facility, but let's define it as one for these purposes and
let's assume here for the moment that the Commission had such a Part 61
facility in mind when they wrote this.
I'm not arguing for smoke detectors, but let's talk about a
Part 61 low level waste burial ground, like Barnwell, which is operating
today under Part 61.
Now, the question is how much defense-in-depth do you need?
It's not just to manage the unquantified uncertainty. You also have to
recognize the total risk, if the whole thing went to hell in a
handbasket, is only this much compared to a reactor and, therefore, only
this much is necessary, even if you were really very unsure of the
DR. APOSTOLAKIS: See, that brings up the issue of --
DR. BUDNITZ: So there is more to it than just that.
DR. APOSTOLAKIS: Let's clarify my position here. There are
two or three different ideas that are floating around, so let me tell
you. The first idea is that fundamentally, regardless of
quantification, this philosophy was developed to manage the uncertainty.
That means keep the probabilities low and the epistemic uncertainties
reasonably small, fundamentally.
The second point now that I was arguing yesterday, and I'm
willing to go away from it a little bit, the implementation issue. When
you have quantified the uncertainties, you still use successive
compensatory measures and so on, but now you have a way of limiting and
deciding the necessity and sufficiency.
If you haven't quantified the uncertainty, then you are
invoking this principle again and say thou shall do this and this and
that, sorry if I'm imposing on you, but that's life.
DR. BUDNITZ: That's right. In fact --
DR. APOSTOLAKIS: So defense-in-depth is -- I try to keep
the term only for the unquantified uncertainties. I see today it's a
losing battle, so I'm willing to concede the point.
DR. BUDNITZ: That's right.
DR. APOSTOLAKIS: If you call it risk-informed
defense-in-depth, when you have quantified, I'm happy.
DR. BUDNITZ: That's right. To talk about Part 61, we know,
even if we -- even though I argued we were ignorant about certain --
DR. APOSTOLAKIS: I'm ignorant?
DR. BUDNITZ: No, no. I'm sorry. Even though I was arguing
-- let's postulate that we were ignorant in Part 61 about Barnwell's
performance or something, that was in the context that I know what all
the radioactivity is in there and I have a -- we, the community, have a
handle on what's the worst it could be, and that -- it's in that light
that we're never really ignorant, so ignorant.
MR. BERNERO: There is one part of defense-in-depth that I
think gets lost here. In reactor safety and in nuclear facility, like
fuel cycle facility, safety, there is a concern about accidental
outcome, the risk of accident.
As you go into material distribution licensing or go to
waste management, Part 61 or Part 63, you're concerned with routine
release, expected outcome, and it raises a different element of risk,
the tolerability of uncertainty or of lack of knowledge of what you
DR. APOSTOLAKIS: But here we had Dana Powers yesterday
sending us a message that because we have lots of data for these
activities, there is no need for defense-in-depth.
DR. GARRICK: Another way of saying that, George, is --
DR. APOSTOLAKIS: Is uncertainty.
DR. GARRICK: If we have lots of -- in fact, there is -- if
we have enough data, we don't need to do risk analysis, because we know
what the risk is.
DR. APOSTOLAKIS: Which supports my earlier point. I also
want to make a request, Mr. Chairman, that the subcommittee members have
been at it since 8:00. Would you consider taking a break soon for a cup
of coffee or something?
DR. KRESS: I will take that under consideration.
MR. BERNERO: Give him the credit for conceding points.
DR. KRESS: We are scheduled to have one at 10:00. Would
you like to have one now, George?
DR. APOSTOLAKIS: I would, yes.
DR. KRESS: My target for today, George, is to shoot to end
this at 11:00 or thereabouts.
DR. APOSTOLAKIS: Fine with me.
DR. KRESS: So let's keep it to a ten-minute break maybe and
get started again. So let's take a ten-minute break.
DR. KRESS: We are going to try and end this meeting at
11:15, so let's get started again.
Before we start back into the roundtable discussion, I've
had a request from Norm Eisenberg to make a few statements. Is he here?
MR. EISENBERG: I just wanted to mention a couple of points.
In considering the white paper definition of defense-in-depth, please
recall this was in the context of the white paper, which is
risk-informed performance-based regulation. This is not necessarily a
general exposition on defense-in-depth.
A more important point is there was a lot of discussion
about what was in or what was not in the particular definition, and
there was a lot of focus on uncertainty and whether or not it treated
The other part of the question, which is very important for
the materials activities, is that it also talks about safety and perhaps
you should give some consideration to what the white paper and what you
mean by safety, because as Mr. Bernero alluded to, for a lot of
materials activities, we're talking about very small quantities, very
low levels of activity, very small risks, and we're essentially talking
about environmental degradation, not essentially immediate threat to a
person's health and safety.
In thinking about an approach for both the high level waste
program and for materials in general, this is a crucial consideration.
You do not want to have the same types of provisions to prevent an
excess dose of between 25 millirem and 26 millirem that you want
between, say, up to 500 rem. If you're talking about 500 rem, then you
have a real safety problem.
DR. KRESS: Right. I think those are really good comments
and that's why, actually, in my definition that I proposed yesterday, I
had the words it's a strategy to achieve acceptable risk and you define
what acceptable risk your target is and if it's -- and if your
acceptable -- if the number you're dealing with is just a degradation of
the environment to a small extent and not a risk to the health and
safety of the public, your strategy is different, because it wouldn't
have to involve so many measures and to such extent.
So I would have actually added that into my definition.
That's another place where I kind of disagree with the definition a
MR. EISENBERG: So I wanted to at least bring that up. I'm
certainly for some materials, say you had a truckload of ore, the
consequences of an accident and throwing it all over the highway are not
You would not expect the same kinds of multiple barriers or
defense-in-depth there that you would expect for a nuclear power plant.
It just doesn't make sense.
Somehow this needs to be included in whatever conclusions
you all come to, I believe, because I think it's very important in
materials. Not to belabor the point.
DR. APOSTOLAKIS: The driver is the risk.
DR. KRESS: We're glad you're feeling better today.
MR. EISENBERG: Thank you.
DR. GARRICK: A quick recovery, I must say.
DR. KRESS: And also before we continue the roundtable
discussion, Ray Wymer had a few thoughts that I think we ought to get
onto the record before it's time to call it quits.
DR. WYMER: Thank you, Tom. I think since we've had all
these high powered people around the table here and in the audience for
a day and a half, it would be nice to think about producing a product of
all of this effort, and I personally am in favor of seeing if we can't
draft some kind of a letter based on these discussions.
In my view, the letter should start with a general statement
of what we mean by defense-in-depth, kind of along the lines of this
definition, and maybe some other principles, as George has mentioned,
and then split it cleanly into two parts, one relating to reactors and
DID as it applies to a reactor situation, and then the other part as it
applies to the high level waste and other nuclear materials.
And with some trepidation, I have prepared a half a dozen
comments that I think might form the basis for the ACNW half of this
letter, which I will pass around here.
DR. APOSTOLAKIS: That actually raises an issue. I wonder
whether -- how much can both committees say and how much should be left
up to the individual committees. For example, the material that Tom and
Gary presented yesterday I'm sure will come before the ACRS at some
point, so the ACRS will write a letter on this.
Do we really need to bother to comment in detail here and
request approval from the ACNW? The same thing applies perhaps to high
level waste. Maybe we can say something, but then leave the bulk of it
up to the ACNW, so that the ACRS will not have to bother reading that
part of the letter.
I think we have to do it in whatever way --
DR. WYMER: I think that's John's decision for the ACNW, but
my personal view is to separate them into two separately conceived and
DR. APOSTOLAKIS: Right.
DR. WYMER: That would be the right way to go.
DR. APOSTOLAKIS: And maybe send a message to the Commission
that they are indeed separate and this is appropriately the function of
this subcommittee, and both committees should agree, but I wouldn't get
too much into the details of managing --
DR. WYMER: That would certainly expedite getting them out.
DR. APOSTOLAKIS: -- Yucca Mountain or you shouldn't get
much into the Gary and Tom presentation, which I'm sure the ACRS will
have to write a separate letter on.
DR. WYMER: What I would like to do next is, I have these
half a dozen things, for the benefit of people who don't have them, I'd
like to read these.
MR. LEVENSON: Ray, just one second. I want to comment on
George's comment. Again, an important part of this letter could be not
that it's done separately, but it sends the message to the Commission
that both committees agree that the issues are quite different.
DR. APOSTOLAKIS: Yes. Yes.
DR. LARKINS: I think, George, if you can -- that this joint
subcommittee can agree, as much as possible, on both areas, it would be
very good, because you're sending a message to the Commission that there
is some coherency in your thoughts. So there is some agreement
basically on some of these ideas.
Where there are some specifics that you may want to get into
further at separate committees, that's fine, but if you could reach some
DR. WYMER: That's the introductory part, the overarching
DR. APOSTOLAKIS: Yes. I think we're in agreement, but I
wouldn't want the ACRS to get into the details, for example, of why, for
the high level waste repository, we are not giving subsystem
DR. WYMER: The same thing is true in the other direction.
DR. APOSTOLAKIS: And in the other direction, as well.
DR. WYMER: Now, let me go to this now. I want to read
these off and I'd like to read them all with as little interruption as
possible, and then we can talk about it.
DR. KRESS: Are you asking us to keep our mouths shut?
DR. WYMER: I want to say one other thing. We've been
looking at this issue sort of through an electron microscope for the
last day and a half. I'd like to back off. This is more or less a
handheld magnifying glass approach to the whole thing, and they're
pretty simple statements. So I will read them.
I have entitled this "Defense-in-depth Issues," emphasizing
the Yucca Mountain repository. That puts the emphasis on the ACNW.
Number one, we hold these truths to be self-evident. There are
uncertainties in PAs. There is much less experience or data with waste
repositories than with reactors, so uncertainties in repository system
performance are larger for waste repositories. That's number one.
Number two, performance and risk assessment requirements are
not as well understood for waste repositories as for reactors. We need
to elucidate and explain these many differences and recognize them in
the defense-in-depth philosophy statements.
Number three, there should be several lines of defense, and
that's defense-in-depth, against release of radioisotopes and the
resultant radiation exposures. The types and numbers of lines of
defense should be directly related to the uncertainties and relative
hazards of system performance.
Number four, defense-in-depth requirements for waste and
nuclear materials are different in very important ways from
defense-in-depth for nuclear reactors. For example, in the case of the
Yucca Mountain repository, after closure, there is little probability of
an accident of the type that reactors may have, and this is related to
the physical nature of the systems and to the fact that there are very
large time dependent and potential energy differences.
Number five, this -- now we're getting to Bob Budnitz's
point. NRC should specify clearly how the performance assessment and
probability risk assessment should be done by DOE in its license
application for the Yucca Mountain repository and what it should
include. If the NRC guidance is good, then the assessment should be
able to be done well, without further specific NRC guidance. So I
wouldn't go quite as far, Bob.
And finally, again to Bob's point, because of the nature of
the interactions between NRC and licensed applications for complex
systems, there will always be a strong possibility of an iterative
licensing process. That is, there will always be overtones of "bring me
I think we can talk about those, but that's a starting point
for what we might put --
DR. APOSTOLAKIS: I see a strong underlying theme here about
DR. WYMER: Nobody questions that there's uncertainties,
George, and I deliberately put that in. I just didn't want it in the
DR. KRESS: One of the things, I think, that ties into all
of this, and it was sort of pointed out to me by Joe Murphy during the
break, is that this definition we've been referring to was really not in
the main document of the white paper, but a footnote in the white paper,
and that the text that was in the main document, in fact, does risk and
uncertainty and some of the language is that the concept of
defense-in-depth has always been and will continue to be a fundamental
tenet of regulatory practice in the nuclear field, particularly
regarding nuclear facilities.
And risk insights can make the elements, risk-insights can
make the elements of defense-in-depth more clear by quantifying them, to
the extent practical, although the uncertainties associated with the
importance of some elements of defense may be substantial.
The fact that these elements and uncertainties have been
quantified can aid in determining how much defense makes regulatory
That's very logical and that's kind of what we have been
saying where the emphasis ought to be is on the quantification of these
so-called lines of defense.
Decisions on the adequacy of or the necessity for elements
of defense should reflect risk insights gained through identification of
the individual performance of each defense system in relation to overall
performance. It's almost as if I wrote it myself.
So I think that is a perspective that, in the preoccupation
with the footnote --
DR. APOSTOLAKIS: I am completely perplexed now, but I will
not say anything else. So let's go on. I'm lost, because the whole
discussion clearly support my point that the whole business here is one
of managing uncertainty.
DR. KRESS: Sure.
DR. APOSTOLAKIS: And the fact that you guys feel it's not
important enough to put it in the so-called definition leaves me at a
DR. WYMER: It isn't that, George. It's the fact that
defense-in-depth, in my view, has a very strong element of uncertainty,
but it goes beyond that in some ways.
DR. APOSTOLAKIS: I understand that. I'm willing to put
DR. WYMER: That's a big help.
DR. APOSTOLAKIS: But I think we should move on, because
we'll never do anything else.
DR. GARRICK: Yes, right.
DR. KRESS: Let's move on. What direction would you like to
DR. APOSTOLAKIS: The implementation, and I still don't know
what we're going to say about the non-repository facilities.
DR. GARRICK: Well, it seems to me that a couple of things
have been identified. I think that if we are genuine about the concept
of a risk-informed approach, I think the notion of risk has always got
to be the prevailing notion. So it just seems that it's more of a
matter of degree than kind here, that you certainly don't need to have
more defense-in-depth for sealed sources than make sense from a risk
DR. APOSTOLAKIS: Exactly, and that is kind of the letter
that I had in mind. It would start out by saying that the main idea
here is to manage risk. Remember, we have to wordsmith all this, but
manage risk. And the diagram that Norm showed yesterday did that very
For cases where the risk is high, and that includes the
timing issue, energetics and so on, you clearly have to do something.
So we have all these activities in the reactor area. Then you move on
to the waste repository. Now, you don't have accidents as energetic and
they're happening in long time-scales and so on. So defense-in-depth
takes a different flavor.
Then you have the other NMSS activities, where the risks now
are low. You don't -- you have the issue of voluntary risk, that's very
important there in some medical applications. The magnitude of the
consequence is not as high. So defense-in-depth now takes a different
flavor from the other two.
So, you see, that would give some coherence to the letter, a
common theme, and it would make very clear the point that the
implementation is really an important element and it's very different in
these different areas.
DR. WYMER: I tried to capture that in item number three
DR. APOSTOLAKIS: Right.
DR. KRESS: I thought three was your best item.
MR. LEVENSON: George, I would have -- I would quarrel with
one word. Since no matter what we say, we need to consider
communications with the public, manage risk is really an unfortunate
choice of words. What we really want to use is minimize risk.
DR. APOSTOLAKIS: Minimize --
DR. KRESS: We banned the word minimize from our letters.
Reach acceptable risk levels is a possibility.
DR. APOSTOLAKIS: Assure that the risks are --
MR. LEVENSON: Because manage has no connotation of attempt
DR. APOSTOLAKIS: I understand. The reason I use manage is
to send a message that it will be low enough, but also the uncertainties
MR. LEVENSON: I accept that.
DR. APOSTOLAKIS: So let's go on then.
MR. BERNERO: I would just like to add, for the practices,
material licenses, it's important to understand the concept. There is a
deliberate radiation exposure, deliberate placement of radioactive
material in the biosphere, and the defense-in-depth or management is to
ensure that you don't significantly exceed the deliberate exposure.
DR. APOSTOLAKIS: Yes.
MR. BERNERO: In other words, that the release, whether it's
an industrial gauge, you make sure the worker can't get inside of it to
get very serious radiation doses and sealed sources have to have a
certain robust character, so that the machine doesn't break them open
and unduly contaminate.
And it becomes very complex to use the terminology
carefully. For instance, you will frequently find, instead of the word
facilities, you will find practices, radioactive material usages or
uses, practices, things like that. Activities is another good word for
DR. KRESS: As a way to focus, I don't know if this is
appropriate or not, but I was going to ask our invited experts and our
consultant if I would be out of line in asking -- going around the
table, as a way to end this thing, and say what are your impressions
today, what thoughts do you have of what might be in the letter, and
maybe even ask you later on if you could put this down in writing for
I don't know if I -- we do that with consultants, but with
invited experts, why, it would be a big help to us.
DR. APOSTOLAKIS: If you say "we beg you," maybe they will
DR. KRESS: I think right now, since you have the floor,
Bob. I haven't given you time to gather your thoughts maybe, but if
MR. BERNERO: I am prepared and I'd be happy to document
DR. KRESS: Okay. Great. Why don't we do that right now
MR. BERNERO: Basically, as I see it, I see the white paper
as the appropriate starting point and that the overall agreement that at
least I believe is discernable is it is a policy, a strategy, a
philosophy and approach, it's a sense of direction and it's not a
specific exact requirement.
I think George has some excellent arguments about it is
dealing with uncertainty in a sensible way or a sufficient way, but at
the same time, there is the recognition of diverse elements, alternative
elements of defense that is in defense-in-depth, because there is a
virtual commitment that one will never achieve the level of certainty
that allows wholly dependent reliance on one element.
So I think a very important thing is to have an evaluation
mechanism in applying this that there is not undue reliance on any
single element, and element in the broad sense, not just barrier. The
risk-informed application of it does require a balance, a scale, not too
close, not too far, not too much, not too little.
An evaluation that would leave open -- and, again, I repeat,
I don't know the facts on the AP-600 containment spray, but it should
leave open the possibility of either removing a traditional or expected
barrier and it should also leave open resistance to application in a new
field of a traditional barrier, such as emergency preparedness.
You don't apply emergency preparedness to a repository
because it doesn't apply. It's irrelevant.
The application to reactors is, I think, appropriately done
as a balance, a review, and I would suggest that siting is an element
that is -- at least doesn't appear to me to get that kind of treatment.
The materials, the principles of this apply, but the
application for materials licensing is quite different. I think a very
good example to illustrate material licensing issues for risk-informed
application of defense-in-depth is the spent fuel shipping cask.
Practically everyone knows it, practically everyone understands it.
On its face, it is a single mechanical barrier, but the
elements of defense-in-depth are diverse.
For waste management, I think the committee, and this, of
course, is directed to ACNW, the committee should be careful that it is
not applying defense-in-depth, risk-informed application and all that to
the high budget, high activity, intense performance assessment
atmosphere of the high level waste repository.
There is a very large population of what I would call
decommissioning activities, DOE sites, licensed sites elsewhere,
burials, near-surface, near-biosphere, including institutional controls,
where the stuff -- if you ever get into uranium mill tailings, you will
find stabilized tailings piles that are remote, isolated, that have very
little risk associated with failure, and yet they are under perpetual
custody and active maintenance with NRC oversight.
So you will find very great disparities in the low level or
near-surface disposal and the disparities are profound between
radioactive near-surface disposal or management and hazardous waste,
RCRA, CERCLA hazardous waste management.
So I think the committee should be very careful about
defense-in-depth applied with the risk-informed approach on things like
low level, which are very different from high level.
That's basically it.
DR. BUDNITZ: Where is that slide with the definitions?
MR. BERNERO: I put it back.
DR. BUDNITZ: I'm going to take a different tack, and try to
turn this on its head. I think it is an error for these committees to
take an approach that would elevate defense-in-depth to a higher level
than a lot of people in the agency and elsewhere think. I think it
would be a better strategy to see if you can figure out a way to
downplay it, and downplay, its role is a principle of one of the ten
commandments or whatever.
Its evolution, as we learned -- just go back to Cliff Beck
-- is that sound engineering principles were used in the original
concepts that led to the early reactors, and people in the agency at the
time and in the industry, the General Electric and Westinghouse,
explained those sound engineering principles in terms of this phrase.
And then WASH-1250, Joe Hendrie wrote WASH-1250 -- it never
was issued in final, it's only -- I still have the draft from 1973.
WASH-1250 said it was attempting to explain -- it was that yellow book
-- attempting to explain it to the public and it was a wonderful piece
of work -- said that -- go read it -- that the sort of things that sound
engineering practice had led to lead to these multiple barriers which
make sound engineering sense, and we call it defense-in-depth.
Now, that was 27 years ago. I was here just 20 years ago
and defense-in-depth certainly hadn't been elevated to a principle at
that time. It was more an explanatory thing. And I think it is an
error that the agency, at the highest level, and this all -- it's an
error that happened in the context of risk-informed, you know, 1174 and
those discussions, in error that these ideas have been elevated to the
point where after you've done the rest of what you ought to be doing,
you go back and make sure this gets done, too.
It's an error that Part 63 has used the phrase
defense-in-depth for what it's trying to do, as opposed to not saying
that and saying what we're really going to do in Part 63 is we're going
to do that analysis and the bottom line Amargosa Valley doses, and,
besides that, we're going to do some multiple barrier stuff, but let's
not call it defense-in-depth, because it ain't.
So I think that what I would recommend that the committee
would do, if I was writing your letter for you -- thank God I don't have
the responsibility, though -- would be to downplay the connotation that
it's some sort of a principle, but instead to explain that it emerges in
different arenas, low level waste is very different than high level
waste, never minding transportation or a fab facility or a reactor, it
emerges in different manifestations as different facilities use sound
engineering practices, analysis, design, monitoring or whatever, to
accomplish managing the risk to an acceptable level in light of the
uncertainties, bla, bla, bla.
And if you then see it as emerging from sound engineering
practice, which the agency always wants to make sure its licensees use
and which it wants embedded in its things, then it doesn't come down
from the top. It emerges from activities which you're doing anyway.
I would like to then hope that through such an approach,
those who don't understand what I just said would understand it better
and not invoke it as a separate principle, but use it as a way of
explaining to themselves and to their colleagues and, of course, to the
applicants and licensees and the public, that it's a way of explaining
an element of sound engineering practice, which, by the way, goes far
beyond this arena.
That way, the fact that it's a policy or a strategy or a
philosophy is in light of a thousand years of engineering practice and
history and not in light of something special for radiation or the role
of this agency.
If you accept that, then as a practical matter, and not
arguing about the definition for a moment, the way to approach that here
could be for this committee, these committees together, to explain that
in application, and the applications vary by arena, in application, in
each arena where it's applied, it manifests these sound engineering
practices and principle in a different way, because, of course, the
arenas are different.
They may have all the different characters or different --
as we know they are. And in each one, it's a way of explaining rather
than a way of designing or operating.
That's the thing that bothers me, and so maybe I'll just
quit with that. The thing that bothers me is I don't see that you can
operate, design even, design using engineering principles, then you
observe that, of course, this is a way of explaining that kind of in an
It's almost as if you can't design a reactor to assure
adequate protection, which is, by the way, what the original statute in
1954 asked the AEC to do, which remains the fundamental charter of the
Nuclear Regulatory Commission's activities in this area, which they
can't design with an adequate protection, but adequate protection is a
way of explaining what you are trying to think about when you were doing
what you're actually doing.
And if you think about it that way, you will adopt an
approach in your letter that could diffuse rather than amplify
possibilities that elevating into a principle could cause the havoc that
we don't want.
DR. APOSTOLAKIS: Ode to Joy ought to be playing while you
DR. BUDNITZ: I'd prefer Springsteen myself, but you can vote for Ode to
Joy if you want. Excuse me.
DR. KRESS: Very good. Milt, do you have a few words of
advice for us?
MR. EISENBERG: I think I've already expressed most of my
thoughts. I think it's very, very important to separate the reactor --
I was going to change that to say not the reactor field, because as I
think about it, it's related to the characteristics of the reactor, not
because it's a reactor.
We ought to be careful, because for instance, somebody might
come in with some off-the-wall accelerator application which, as
radioactive stuff at 2000 psi and a lot of other things, so we should
differentiate on a basis of two things, the uncertainty and the
potential risk to the public to separate, but that if that is done right
up front, I'm not very optimistic that you're going to get rid of the
term defense-in-depth, with all of its baggage.
But it seems to me that this letter might be a useful device
to present proliferation of defense-in-depth to fields other than the
And whatever kind of words we want to use, that the
defense-in-depth, as presently understood and utilized, applies to high
energy, high risk facilities and that the generic concept of not
depending on a single failure for other facilities, like a repository,
is provided by having multiple passive barriers or something equivalent.
But I strongly urge that you try to prevent the
proliferation of this to other facilities.
It's also very important that it not just be a two-part
split, reactors and Yucca Mountain, because there's a large number of
other facilities, clearly more in number than either of these, but if
the -- if basically we say it's tied to how significant is the risk,
then that allows you to have different rules for lesser facilities.
MR. BERNERO: Could I add just one element? There has been
an undertone for the day and a half of risk assessment or performance
assessment embracing the element, so that there is a -- I'll call it an
assessment result that comprises the basis of judgment on adequate
One of the points that I had buried in my slides was that the
performance assessment is one part of the body of information upon which
one judges the acceptability of a high level waste repository.
As demonstrated in the WIPP, the intrusion scenario is a
real consideration. It's part of the body of information in judging
acceptability and it does not lend itself to analytical performance
Similarly, in reactor safety, we now have some terrorist
threat in the United States. We now have a design threat for reactors
that takes into account the possibility of a vehicle bomb getting close
enough to cause core melt, large containment release, and so forth, and
that does not lend itself to the typical PRA assessment either.
So there is a large body of judgment of acceptable safety
and safeguards and in this particular case, it's more safeguards, that
is outside the performance assessment or PRA arena and shouldn't be
DR. GARRICK: I think the comment I would make to that is
what you're talking about is scope. That as we have done performance
assessments and as we have done PRAs, there has emerged a certain scope
of things that we consider. But I would not want to have the record
suggest that you can't include those kinds of things in a risk
assessment or a performance assessment, because anything you can think
of you ought to be able to include, as long as it's relevant to what
you're trying to analyze.
DR. BUDNITZ: I could comment that what Bob just said
complements what I said very nicely. The fact is that in the vehicle
threat arena, the approach has been to take the facts and the problems
and the potentials and use sound engineering principles of various
kinds, so that the agency carries out its mission of -- by the way,
that's part of the common defense and security part of the agency's
mission. There is more than just public health and safety. There's
common defense and security and the environment. All those words are
All of those things apply commonly accepted engineering
principles of different kinds, one of which is risk assessment, but it
is not the only, and in some arenas, it's the principle, but in some
arenas, it's not even the principle method used.
That then goes along with my -- and this very much
complements my notion that this should be downplayed as sort of a ten
MR. LEVENSON: Let me just comment. I did not use the word
risk assessment, Bob. I used the word risk --
DR. BUDNITZ: I know you did.
MR. LEVENSON: -- and that is --
DR. BUDNITZ: I agree with you.
MR. LEVENSON: -- for the large number of things, the
hospitals, the sources, et cetera, we don't want any implication that
they need to do a PRA, no matter how simple it is. But there are ways
of -- risk, as a generic term, includes both what Bob Bernero was
mentioning and --
DR. APOSTOLAKIS: Now, there is one other point I want to
make, since we are talking about differences between reactors and other
areas. You are using the term performance and performance assessment
for something that we would never use the word for, like the release or
the dose after so many years and so on.
I guess that's a performance measure for the waste area.
Core damage frequency or the quantitative health objectives are never
called performance measures in the reactor area. The reason -- although
they are used perhaps in the same way, I think the reason is that we
reserve the term for performance indicators, which, by their very
definition, mean that you are measuring real data from the plant, you
are collecting real data, do some simple calculations, and compare
against the performance measure at that level, a threshold.
That's the process that was presented yesterday, the new
oversight process and so on relies heavily on those. So this word is
used in different contexts, I think, in the two areas, and I don't know
whether we want to say that in this letter.
DR. BUDNITZ: George, you've just made a point that, again,
I think complements what I was trying to say. Look, the reactor has
what we call normal operation every day and then there's a spectrum of
upsets from, you know, little things to the larger things.
And what has consumed NRR for all this time, and
appropriately, is to assure that the biggest upsets don't occur or occur
with manageable consequences or are kept at very low probabilities per
Now, at a low level waste burial ground, a Part 61 facility
like Barnwell or certainly at Yucca Mountain, we use the word
performance because you don't think of it in sort of it has normal
performance and then an accident comes along.
What you're trying to do at a Barnwell is trying to figure
out, for the next 50 or 150 or 400 years, what the normally expected
behavior, which they call performance, is, as opposed to what the normal
things with accidents put on top.
DR. GARRICK: Yes, but they do mean safety performance.
DR. BUDNITZ: Yes, they do. They do mean safety
performance, but because the upsets are of a different character -- by
the way, you could have -- the analog of an accident is, you know, a
plane lands on Barnwell 200 years hence. That's an accident, right?
And that is considered in the design in terms of probability and
consequence. So it is considered.
But the word performance is used because in the other area,
really the way one thinks about these things is in that more different
DR. KRESS: Now, I don't want to put anybody on the spot,
but we would welcome some summary comments from the staff, if you care
to make them, and both on the NMSS side and the reactor side.
MR. HOLAHAN: This is Gary Holahan. I guess I could say a
few things and then if Tom and Norm would like to say something, I guess
they could speak for themselves.
I think a lot of the things that have been said in the last
day or so are helpful in shedding some more light on a concept that's
been around for a long time, and I think if the committee were to write
some of these things down, not necessarily in the context of rewriting
the white paper or rewriting the definition, but in more of an
explanatory sense, I think it would be helpful to the staff and the
Commission, because we do have a number of activities going forward.
Certainly, in the reactor area, the concept is being used in
our license amendments, in risk informing the regulations in various
processes. And to the extent that we can have a clearer understanding
of what it is and what it's not, I think we're probably better off.
One of the things that -- I think Bob Budnitz expressed it,
sort of in the strongest sense I've heard, but we had other sort of
versions of it, and that is that defense-in-depth is not an absolute,
and I think when we talk through a number of examples, defense-in-depth
is a way of addressing uncertainties where that is important.
We have examples where either the consequences are very low
or the frequency of events are very low and the staff has never applied
defense-in-depth in those cases, and you can go and you can sort of work
those examples out.
So I don't object to the idea that we should shed a little
more light on defense-in-depth and make people aware that it is not a
fundamental concept. It is a way of addressing uncertainties. The fact
that you are addressing uncertainties is a more fundamental concept. If
it's a principle, it's a derived principle, it's not a fundamental
And I think that would be helpful. Whether it's designed in
or explained afterwards, I think those are interesting thoughts, but I
don't -- I'd have to think about it a while before I would rewrite
anything on that point.
But the point that uncertainties are the more important
issue and that as we move forward, we're using this tool, where
appropriate, and if the committee would shed some light on the
state-of-the-art and the appropriateness of defense, of where
defense-in-depth has its largest role, that would be of some value.
Now, whether those thoughts would be reflected in an edited
white paper or just some other arena, I think, I don't know and maybe
that's a matter for the Commission to decide.
DR. KRESS: Thank you, Gary. Tom?
MR. KING: Let me add to what Gary said. I think a lot of
what Budnitz said, at one time, I thought maybe this was a subject that
was worthy of a Commission policy statement, but after the discussion, I
don't think that's the case.
I think what we're talking about is a practice that the
Commission has employed over the years. Policy statements, to me, are
more to state Commission expectations, not to document practices. I
think the issue that really needs to be addressed is how should this
practice be applied, so that it's applied consistently, recognizing the
various -- it may vary depending on the regulated activity you're
talking about, but there probably are some elements of consistency, what
is its purpose and so forth.
We have other practices that the agency employs, just like
defense-in-depth. They employ safety margins, they employ use of codes
and standards and so forth. We don't have policies for those things.
To me, the real question is not so much -- I think you've
talked about a lot of the various elements of application that would be
worthy of writing down. The question to me is where do you write them
down. Should it be a separate white paper, should it be a modification
of the existing white paper, should it be something else? I think
that's -- any light the committee could shed on that would be useful,
but I think it's worth writing them down somewhere, if we find the
appropriate place to write them down.
MR. EISENBERG: This is Norman Eisenberg. I think one of
our big concerns is that there not be some overarching principle that
would be geared toward reactor regulation and imposed on materials
regulation. Everybody understands our concerns and has responded
positively to that. So that's very good.
NMSS is going to move further into risk-informing its
regulations and risk-informing its regulatory practices. This is not an
easy thing to do necessarily and some of the traditional concepts of
safety and defense-in-depth, I believe, is one such concept, have to
change in that environment.
And some of the things that I've talked about would be, I
think, helpful if the subcommittee could endorse to some degree. For
example, how do you handle uncertainties in a risk-informed
performance-based regulatory environment and how does the degree of
hazard or the degree of risk play into those decisions.
So that, for example, in a deterministic environment, you
want your expected performance, the load bearing capacity of the crane
to be above the load, the expected load. When you do a probabilistic
calculation, the question is how do you do the comparison and do you
still need the same amount of margin or if the consequences of exceeding
the limit -- for example, if the limit is 25 millirem, can we use the
mean value of a dose distribution to demonstrate compliance.
This is something that I think is a difficult policy issue
that the staff grapples with every day, that demonstration of compliance
with a standard, does that have no relationship to what the standard is
protecting against and do you need the same degree of assurance for
lower risk activities as you do for higher risk activities.
This certainly plays into all the discussion that I've heard
about uncertainty. But this -- maybe this is not the letter that this
should be addressed in, but this certainly is an issue that this
subcommittee is going to be involved in, because as NMSS moves to
risk-inform its regulatory activities, we're going to confront this
again and again.
So I would bring that up as something to think about.
DR. KRESS: Thank you. I'd like Steve Hanauer to make a few
comments for us.
MR. HANAUER: Mr. Chairman, ladies and gentlemen. For the
record, my name is Steve Hanauer. I've served as a member and Chairman
of the ACRS, as a staff member in the Atomic Energy Commission, and NRC
regulatory staff. I am now an employee of the Department of Energy, in
the Yucca Mountain program.
But what I'm going to say is my own opinion and I do not
speak for DOE.
I've been listening to the discussion particularly today.
In my opinion, the various discussions over-estimate the state of
knowledge and, therefore, under-estimate the contribution that
defense-in-depth and multiple barriers, whatever you want to call it,
make to achieving acceptable levels of safety.
I think performance assessment and probabilistic risk
assessment are very important and very useful. They are the only way to
deal with rare events or with 10,000 years of projected performance.
But the uncertainties involved, I believe, are greater than
risk analysts generally believe. The unanticipated challenges, the
unexpected behavior and failure modes and the bizarre human behaviors
continue to occur and should be acknowledged.
It seems to me that defense-in-depth and multiple barriers
or whatever you would like to call them is necessary to achieve
acceptable levels of safety for some applications. I think the public
That the public skepticism for some pronouncements from the
technical community is justified and that defense-in-depth and multiple
barriers are a legitimate technical response to this legitimate
I would observe, I would recommend a certain acknowledgment
of the real uncertainties involved as we proceed with our analyses of
DR. KRESS: Steve, while we have you up there, could I ask a
couple of questions about that? You seem to be very receptive of the
concept that defense-in-depth in terms of multiple barriers is a good
way to compensate for large and basically unquantified uncertainties and
that, therefore, it would be very appropriate to apply defense-in-depth
principles to Yucca Mountain, which is a little different than what I
heard from some of the other people.
MR. HANAUER: That's why I asked to address the
DR. KRESS: Where do you think the assessment of the
potential risk that is associated with Yucca Mountain ought to fit into
the thinking on how much defense-in-depth is necessary or how good the
barriers have to be or whatever?
MR. HANAUER: Well, I've been looking at calculations like
that in the last few weeks. To the extent that one has defense-in-depth
and to the extent that the models represent what will happen, then when
you do the calculations, you find that the results are very low or even
zero risk, because of the overlapping protection provided by the
multiple barriers or the defense-in-depth or whatever you want to call
And therefore, it's rather difficult to use probabilistic
risk assessment to give a quantitative estimate of defense-in-depth,
although Norm Eisenberg's suggestion of a year or more ago on barrier
neutralization, if carried beyond single barriers, enables one to
evaluate where the design is strong and weak, again, to the extent that
the models represent reality, and to tell you where to spend your money.
The recent addition of the drip shield to the proposed Yucca
Mountain design is an example of this. It turned out that we were, in
many people's opinion, including mine, becoming overly dependent on the
performance of the waste package and even on the details of this
performance, and the drip shield was, therefore, added to decrease the
dependence of the overall performance of the repository on this one
So that you can use this as a tool. You mustn't believe
everything you get, but you get insights from it and both the risk
assessment and the defense-in-depth I view as tools to achieve using
somewhat different approaches, the necessary high degree of safety.
DR. APOSTOLAKIS: If I could make a comment, Tom. I think
what Steve is telling us is consistent with what seems to be the
consensus of the subcommittee. I think that his point is that the
unquantified uncertainties are still very large. So that
defense-in-depth, a risk-informed defense-in-depth is something that
cannot play a major role right now, that you have to apply it almost as
a principle, because the unquantified uncertainties are very large.
I don't know enough about the repository, but for reactors,
I'm not sure that's the case. I think a compromise has to be found
because it is true that people do stupid things, still it is true that
every now and then something happens that we hadn't thought of, but its
risk significance, I would argue, is not such that it would make me
worry about the validity of the PRAs.
And I think as I mentioned yesterday, the work that the
former AEOD is doing collecting data and so on goes a long way towards
convincing me that a good part of the PRAs, in fact, do represent what
happens out there. And it's too bad that the AEOD has not figured out a
way to advertise, to publicize what they are doing, because most of the
community are not aware of it, including PRA analysts.
So I think the words that you are giving us can serve as a
caution, so we don't become too enthusiastic about PRA and its results.
But I do believe that in the reactor arena, for example, putting a
defense-in-depth, applying defense-in-depth at the level that Gary and
Tom presented yesterday, and maybe some other levels, is a reasonable
way to proceed.
In other words, I would give more credence to the results of
risk assessment for reactors, because we have been doing them around the
world. We've been collecting data, and there seems to be a consensus
there that this is it.
DR. KRESS: I would certainly agree.
DR. APOSTOLAKIS: Now, when it comes to severe accidents, I
think you are right. I think your words acquire more weight as we move
into those exotic areas where experience is not very strong.
DR. KRESS: Bob?
DR. BUDNITZ: Can I ask Steve a question?
DR. KRESS: Yes.
DR. BUDNITZ: Steve, I wonder what your reaction is to the
following thought. Gary Holahan said something a few minutes ago I
thought rang a very nice bell with me. He said that defense-in-depth
is, to him, not a fundamental principle, but it's a derived principle.
Let me just postulate something. Imagine, Steve, that you
are in control of the design, which you're not, but you're part of the
senior management of the project at Yucca Mountain, and you and your
colleagues observed that a great reliance on that canister was being
placed in the earlier design and you and they felt nervous that maybe
you didn't have as much confidence as you'd like to have, so the drip
shield was evolved as a means of your achieving more confidence.
Now, if the principle of defense-in-depth had never been
enunciated by us or anybody else for reactors, I suspect you would have
done that anyway. But now you have observed that it is, in fact, for
you, a manifestation of this defense-in-depth idea that I know you've
known about for 40 years in your previous life as one of the great
experts on reactor safety.
So I'm going to ask the question. Do you see it, also, what
Gary said, as it's derived or it's sort of a manifestation of sound --
what I was saying, sound engineering approaches, or does it rise to a
MR. HANAUER: I don't really think that those words matter.
It's almost angels on the head of a pin.
DR. BUDNITZ: That's a fair comment.
MR. HANAUER: Whether it's a fundamental or derived, I think
it's a tool, a very useful tool.
DR. BUDNITZ: Okay. Well, the reason why I think the
distinction does matter is that not everybody either in the design
organizations of the licensees and applicants, nor on the staff, have
the experience and wisdom of a Steve Hanauer.
DR. APOSTOLAKIS: But they do matter, Steve, because you
just said it's a tool. You downgraded it. De facto, by declaring it a
tool, you downgraded it. See, when we were writing four years ago the
risk-informed guides, we had long discussion around this table as to
whether the principle of defense-in-depth should be preserved, and we
settled with philosophy.
So it does matter. I think it doesn't matter because, in
your mind, it's just a tool.
DR. BUDNITZ: No, no. It doesn't matter to Steve because
Steve -- forgive me, Steve -- has experience and knowledge. By the way,
he's not unique in this, but Steve has experience and knowledge which
isn't -- and understanding, which, by the way, is not unique, but
certainly is greater than your average designer out in the field
somewhere or your average regulatory staffer.
DR. GARRICK: I think we're quibbling now. I don't think
this is --
DR. APOSTOLAKIS: I think Steve made his point very well.
DR. BUDNITZ: I'm just worried about it being elevated.
DR. APOSTOLAKIS: It would not be, unless I'm removed from
DR. KRESS: I also worry, though, Steve, that another person
with equal experience, but a different perspective, might come in and
say I am still uncomfortable with all the uncertainty, particularly when
the stuff gets into the ground and travels through the ground water and
so forth, and I want more defense-in-depth. I want you to put another
barrier, I want you to fill the cask with depleted uranium and I want
better diagnostics to know what's going on and I want a controlled
environment inside my cask. I want to be sure there's no moisture in
there when I seal it in the first place.
There are all sorts of things that I can postulate that
would give me a more comfortable feeling, and those are all in the name
of defense-in-depth. Where do I stop this process and how do I know
when to quit?
MR. HANAUER: In fact, such proposals, as you must know, are
made every day and I don't think -- you can use PRA as a tool to work on
this question and you can use defense-in-depth as a tool to work on this
question, but in answering such things, the result is determined by
judgment, and not necessarily technical judgment.
These are social and political problems and, in fact,
theological problems, and I'm not licensed to practice sociology,
politics or theology, and, therefore, one has to apply judgment. There
is no substitute. There are prominent and influential people pushing
depleted uranium and so forth.
The project decision-makers, the program decision-makers
may, in fact, decide to do it and the decision will not be entirely
DR. KRESS: Thank you. We have one other speaker I'd like
to call on. Janet, would you like to make a few words?
MS. KOTRA: Thank you.
DR. KRESS: Please identify yourself for the record.
MS. KOTRA: My name is Janet Kotra, and I would like to
speak as an earnest, average regulatory staffer, who is speaking as a
member of the team preparing the draft final rule for Part 63.
And I want to address specifically Dr. Budnitz's comment
about the need not to invoke defense-in-depth in Part 63. I want to
note here that an earlier Commission in 1983, in promulgating the
generic regulations for a repository, already invoked defense-in-depth
and went so far as to say that the imposition of quantitative subsystem
performance criteria was essential to the assurance of
defense-in-depth, and that one example, which, as far as I'm aware, is
now 17 years old, is unique, where this equation has been made in the
context of a rulemaking.
We've been discussing it in the context of my colleagues
from NRR, in the context of a practice and the discussion here has
circulated on how that practice or principle or philosophy is
implemented. But the Commission, in promulgating that generic rule,
said that it was incumbent upon them in order to ensure defense-in-depth
to make this additional test.
The Commission more recently, a different Commission, has
now said it wants to go a different direction. So it is incumbent upon
those of us in the staff to provide the Commission with a justification
So I don't believe that it is possible for us not to -- to
walk away from that argument and we have to justify why we believe
health and safety and protection of the environment are ensured, and I
think we also have to recognize, as Mr. Bernero has pointed out
repeatedly, that the Congress has said that our criteria have to include
requirements not for defense-in-depth, but for multiple barriers.
And we have discussed and Norm has laid the groundwork for
why the use of multiple barriers is a way to implement a philosophy of
defense-in-depth, but I'm kind of at a loss as to how, with a straight
face, we can put forward a final rule that does not address this issue
and we would certainly -- you know, and in that regard, guidance
wherever we can find it on how to implement defense-in-depth and a
multiple barrier provision in the context of high level waste disposal
is certainly of interest to us.
DR. KRESS: Thank you.
DR. APOSTOLAKIS: Okay. That's it.
DR. KRESS: I guess before I close, I will ask the
subcommittee members if they would like to make any closing remarks.
You're welcome to do it or not to. We've already said a lot.
DR. APOSTOLAKIS: Who is writing the letter?
DR. KRESS: So this is not a requirement. Who is writing
the letter, I don't know. Do you want to write it, George? I think we
can discuss this off-line and come up with some process to write a
DR. APOSTOLAKIS: We can write pieces and send them to one
DR. KRESS: Send them to each other or send them to one
person. Are there any closing comments from the subcommittee members?
DR. GARRICK: The only thing I wanted to say was one way to
get a sense of who agrees with you and disagrees with you is to write
something down. I did that, passed it around to my colleagues, and much
to my expectation, I got some disagreement, but also got some
And what I was trying to do is nurture this idea of what can
we agree on of a broad-based nature, and what I was hearing was -- and
what I put through my logic engine and came out with was things like
supporting the notion that defense-in-depth is a philosophy for assuring
safety. It should not be converted to an algorithm or an analytical
process, do not support making DID a formal requirement, that's my view.
I guess I would continue to strongly encourage that the
emphasis be on trying to quantify defense-in-depth. I think the
advantage the reactor side has that the waste side does not have, the
repository side does not have, is they have a basis for calibrating that
measurement. We don't have much of a basis for doing that, but we sure
have a basis for trying to improve our measurements.
Let's get our yardsticks out there before we decide what the
levels should be, except for the overall performance.
On this issue of allocation, which is a red button for me,
because I don't believe in reliability allocation, based primarily on my
reliability analysis experience, it's not just on my risk experience, it
has not worked very well. But if we mean by allocation guidance on the
quantification of protection system, our lines of defense, and if we
mean by allocation being more specific about the form of PRA and PPA
results, probabilistic performance assessment results, then I'm in favor of
I do not favor prescribing individual system performance,
for reasons that you've heard us talk about. I continue to believe that we
should put the emphasis on understanding what that contribution is, but
in context of the performance measures that we're obligated to
I think that one of the things that we as technical people
should always strive to do, because we do that better than anything
else, is try to calculate what we're doing. Tom Pickford has always --
his answer is always the same, well, what do you do about that, his
answer is, well, we try to calculate it, and I'm a great believer in
that, that we have to, in the spirit of what Steve Hanauer and others
have said, recognize that our calculations are just calculations.
In addition to the uncertainties, there are other things
that have to be considered in making decisions, that risk assessment is
not a decision analysis.
So anyway, that's a few of the things. I think that one of
the things that I'm concerned about if we attempt to define
defense-in-depth, that it will be narrower than we want it to be as soon
as we think about it.
I think in serving on several nuclear plant safety
committees, one of the things that has impressed me just absolutely greatly
is the impact that improving people performance has had on the
performance of plants, without any changes in the performance of
And to me, there is an element of defense-in-depth that is
quite fundamental and extremely important and to the extent that we can
begin to bring that into the process of the quantification exercise, we
ought to try to do that, as well.
But I, as the Co-Chairman, appreciate what we have done in
the last two days. There are some views that I have that have certainly
been affected by what we've heard and we will do our best to see if we
can provide some sort of documentation of this in a manner that is
constructive for the Commission.
DR. APOSTOLAKIS: Maybe next time the ACNW meets with the
Commission, you should mention the word safety culture.
DR. KRESS: Good idea. As Co-Chairman of this, I would like
to express our appreciation to all the participants for this very
interesting and stimulating discussion and, I think, very useful one.
I'm anxious, and that's the right word, anxious to see what we may --
how we make use of all this when we put something down on paper. It
certainly has been stimulating to me and quite a good discussion, I
So with that as the final thing, I am going to declare this
subcommittee closed, adjourned.
[Whereupon, at 11:06 a.m., the meeting was concluded.]
Page Last Reviewed/Updated Monday, October 02, 2017