459th Meeting - February 4, 1999

                       UNITED STATES OF AMERICA
                        U.S. Nuclear Regulatory Commission
                                           2 White Flint North, Conf. Rm. 2B3
                        11545 Rockville Pike
                                           Rockville, Maryland
                        Thursday, February 4, 1999
         The Committee met, pursuant to notice, at 8:30 a.m.
         DANA POWERS, Chairman, ACRS
         GEORGE APOSTOLAKIS, Vice-Chairman, ACRS
         WILLIAM J. SHACK, Member, ACRS
         ROBERT E. UHRIG, Member, ACRS
         MARIO V. BONACA, Member, ACRS
         JOHN J. BARTON, Member, ACRS
         ROBERT L. SEALE, Member, ACRS
         GRAHAM B. WALLIS, Member, ACRS
         THOMAS S. KRESS, Member, ACRS
         MARIO H. FONTANA, Member, ACRS
         DON W. MILLER, Member, ACRS.                         P R O C E E D I N G S
                                                      [8:30 a.m.]
         DR. POWERS:  Let's go back into session.  This is the second
     day of the 459th meeting of the Advisory Committee on Reactor
     Safeguards.  During today's meeting the Committee will consider the
     following:  proposed final revision to 10 CFR 50.65(a)(3) of the
     maintenance rule, SECY 98-244, NRC Human Performance Plan, proposed
     resolution of Generic Safety Issue B-61, allowable ECCS equipment outage
     periods.  We will discuss some fire protection issues, proposed ACRS
         This meeting is being conducted in accordance with the
     provisions of the Federal Advisory Committee Act.  Mr. Sam Duraiswamy is
     the Designated Federal Official for the initial portion of the meeting.
         We have received no written statements from members of the
     public regarding today's session. We have received a request from Mr.
     McIntyre, Westinghouse Electric Company, for time to make oral
     statements regarding lessons learned from the review of the AP600
         A transcript of portions of the meeting is being kept and it
     is requested that speakers use one of the microphones to identify
     themselves and speak with sufficient clarity and volume so they can be
     readily heard.
         I am informed that today is the anniversary of the birth of
     Mr. Prandtl and so we will allow all thermohydraulics types a moment of
     peace and quiet to contemplate his contributions to the field.
         We plan to have a picture of the current embodiment of the
     ACRS tomorrow, so people might anticipate coming neat and pretty.
         DR. SHACK:  We are really meant as a radio show.
         DR. POWERS:  And members now have in their mailboxes copies
     of the minutes of the retreat, the meeting of the Planning and
     Procedures Committee that was held last week.  We will be discussing
     that and follow-up to the retreat tomorrow.  You might want to glance
     over the minutes and see if there are any changes, corrections, or
     additions that you have.
         Do any members have comments they would care to make at the
     opening of the meeting?
         [No response.]
         DR. POWERS:  Seeing none, let's proceed ahead with our
     discussion of revisions to the maintenance rule and Dr. Shack, I believe
     that you are the cognizant member?
         DR. SHACK:  Yes.  The original maintenance rule, and it is
     paragraph (a)(3), had a statement that reads, "In performing monitoring
     and preventive maintenance activities, an assessment of the total plant
     equipment that is out of service should be taken into account to
     determine the overall effect on the performance of safety functions, and
     it turns out of course that "should" means this is a recommendation
     rather than a requirement, and so the original discussion came over
     "should" and "shall" -- "shall" is a requirement, "should" is a
     recommendation, so we are discussing revisions to the maintenance rule
     to essentially recover the intent, which was that these performance
     assessments should be made.
         There is some additional expansion in scope that instead of
     restricting it to performing monitoring and preventive maintenance
     activities the revisions essentially now cover a wider range of planned
     maintenance activities.  Again, at least the Commission's original
     intent was that this rule was also applicable to shutdown conditions. 
     There is now a statement that makes that explicit.
         However, there is a considerable amount of adjustment in the
     actual wording of these changes and we have a September 30th, 1998
     comment -- or version that went out for public comment.  There was a
     great deal of comment from the industry basically saying that this was
     going to add a great deal of burden.  Many people have something on the
     order of 10,000 components and if all planned maintenance was to covered
     with a safety assessment, this seemed like an enormous expansion in
     scope and effort.
         There's some revision of the wording of the rule and a
     January 28th draft and for all I know there's a February 3rd or 4th
     version, so Rich Correia is going to tell us the actual current state of
     the proposed revision to the maintenance rule.
         MR. CORREIA:  Good morning.  Thank you.  My name is Rich
     Correia.  I am Acting Chief of the Quality Assurance, Vendor Inspection
     and Maintenance Branch of NRR.
     I am also the Section Chief of the Reliability and Maintenance Section
     of that branch responsible for maintenance rule programs.
         With me today is Peter Wilson from the Probabilistic Risk
     Assessment Branch of NRR and Suzanne Black, who is the Acting Director
     of the Division of Reactor Controls and Human Factors and Wayne Scott
     from the branch, principal people involved with this rule change.
         By way of background, to give you an idea of what got us to
     this point today, in a Commission briefing and Commission paper in 1997
     we briefed the Commission on the status of the implementation of the
     maintenance rule, and during that briefing and in the paper we
     mentioned, as Mr. Shack just said, that this part of the maintenance
     rule is a recommendation.  The word "should" is used instead of
     "shall" -- the safety assessments did not absolutely have to be done.  
         It was thought at the time the rule was written this was a
     fairly new concept and I think the Commissioners at the time didn't want
     to impose too much of a regulatory burden on the industry.
         As a result of that paper and meeting, the Commission asked
     the Staff to consider clarifying this part of the maintenance rule and
     to give them examples of some of the problems our inspectors had seen on
     the maintenance rule baseline inspections.
         In response, we wrote SECY 97-173 and provided the
     Commissioners with three options for (a)(3) -- leave it alone, change
     "should" to "shall" or make what we call comprehensive changes really
     was an option that would make this part of the regulation a requirement
     with the thought being it would be PRA-based instead of PRA-informed,
     which would be a considerable step forward with our regulations
     regarding the use of PRA.
         We recommended Option 2 -- "should" to "shall."  We thought
     of the three options it would be the best thing to do.  It would get us
     the requirement that would be enforceable, which was the focus of our
     concern at the time and we would be able to take actions to ensure that
     licensees actually performed these assessments.
         In response, the Commission agreed it should be Option 2,
     but they gave us a lot more than just "should" to "shall" as just
     explained.  They gave us prescribed language to change to, and it was
     similar to what the existing rule said with "shall," expansion of the
     scope of maintenance activities that would require an assessment and a
     preamble to the rule to make it clear that this rule applies during
     operation, normal operation, and shutdown conditions. I think that was
     as a result of the Staff's effort to impose a shutdown rule, but the
     Commission decided not to.  They thought the maintenance rule was
     sufficient but they wanted to make it clear that the maintenance rule
     did apply during shutdown conditions.
         They told us to do a limited regulatory analysis for Options
     1 and 3 but interestingly said to consider for future rulemaking a more
     detailed rule that would codify the existing regulatory guidance which
     endorses the industry guidance for implementing the maintenance rule.
         I think our current thinking is if the Commission decides to
     implement (a)(4) that we would look at the results and determine whether
     or not future rulemaking would be needed.
         They also told us to make sure whatever we were doing with
     the maintenance rule is consistent with other related changes to
     regulations like 50.59 and 50.71.
         The language or the SECY paper that we wrote and asked the
     Commission to allow us to put forward the proposed rule for public
     comment again basically just reiterated what the Commission told us to
     do, proposed that there be a preamble stating that the rule applies
     during all the conditions of plant operation including shutdown --
     normal shutdown conditions.  It's a clarification.
         Industry has always implemented the regulation during
     shutdown conditions.  We inspect it that way.  This is just a matter of
     making it clear.
         Again, these are the major changes to the rule.  They
     decided to delete this sentence from (a)(3) and make the safety
     assessment a separate paragraph -- (a)(4).
         Actually, the first four bullets are pretty much the same as
     the existing regulation except "should" to "shall," a minor change, an
     editorial change in changing "before performing maintenance
     activities" -- the current regulation says "in performing maintenance
     activities".  The concept of assessing the current plant configuration
     and the expected changes are pretty much the same.  
         The main difference is a new sentence that said once you do
     the assessment then you shall use the results of the assessment to do
     two things, ensure that the plant is not placed in a risk-significant
     configuration or a configuration that would degrade performance of
     safety functions to an unacceptable level.
         MR. BARTON:  Richard, are these terms defined somewhere in
     the rule?  I couldn't find them.
         MR. CORREIA:  They are not defined in the rule.  We defined
     them in the statements of consideration that went out as part of this
         DR. APOSTOLAKIS:  So what is risk-significant?
         MR. CORREIA:  Risk-significant configuration?  I believe we
     described it as a change in risk that -- that was pretty vague -- it was
     change in risk that was unacceptable, something to that nature, no
     specific numbers of values.
         The reason the Commission put these words in there, I
     believe, is this statement was in the original statements of
     consideration of the maintenance rule as the intent of the (a)(3) safety
         I think the Commission decided, well, why not put it in the
     rule to make sure that a licensee just wouldn't do an assessment but not
     do anything with it, so the thought was do the assessment and use the
     results to make sure you don't place the plant in a risk-significant
     configuration, but as we found, that was probably the most discussed or
     most commented on part of the rule that we received from the industry
     and the public.
         MR. BARTON:  I can see where it would leave a lot of
     interpretation licensee versus inspector, and this thing goes round and
     round the daisy chain and I think regardless of, you know, what the rule
     is in the implementation requirements that these words have got to be
     explicitly clear and understood by both the parties.
         MR. CORREIA:  Absolutely.
         DR. APOSTOLAKIS:  So how is that going to happen?
         MR. BARTON:  I don't know.
         DR. APOSTOLAKIS:  Do you plan to do anything about it?
         MR. CORREIA:  Yes.
         DR. WALLIS:  That is the next slide, isn't it?
         MR. CORREIA:  I'm coming to that.
         DR. APOSTOLAKIS:  Okay, and assess current plant
     configuration, again what does that mean?  It's related to the risk
         MR. CORREIA:  I think the intent is to look at the status of
     the plant, what is out of service, what is operating, what maybe the
     environmental conditions are, and in combination with that look at what
     they plan to take out of service and consider the impact.  
         Is it going to -- for example, we used the example if
     maintenance is ongoing in the switch-yard, and they want to emergency
     diesel generator maintenance, is that a smart thing to do?
         DR. APOSTOLAKIS:  So a risk monitor then would be very
         MR. CORREIA:  It would be very helpful.  Many of the
     licensees that we have inspected do use a risk monitor for those high
     safety significant SSCs and combinations that they would consider taking
     out of service simultaneously.
         DR. SHACK:  In the current rule there is the statement, you
     know, maintenance activities that take systems out of service.  The
     statement of considerations says maintenance requires removing from
     service.  The January 28th rule still just says maintenance.  It doesn't
     say anything about removing equipment from service.  I mean that would
     seem to cover polishing the decal on the -- you know, why not the
     specific phrase "out of service" anymore?
         MR. CORREIA:  We agree that the majority of the cases that
     is what we would be concerned with, equipment that would not be
     available to perform its intended function, but there are certain
     maintenance activities that don't take equipment out of service but
     could result in an initiator transient -- turbine control valve testing,
     main steam safety valve testing that is done at power that if a problem
     occurs could result in an unplanned scram or transient.
         We wanted to make sure that the assessments considered those
         DR. SHACK:  It looks like it covers those and a lot more.
         MR. CORREIA:  Well, that is a consideration that we are
     dealing with.  We believe that we can address that in the regulatory
     guidance rather than in the rule to explain all those situations.
         DR. POWERS:  I guess I am still unclear what you mean by an
     assessment.  When you discuss the issues you are interested in, it
     sounds like a fairly routine paper consideration.  When you talk about
     acceptance levels, things like that, you sound like you want a PRA.
         MR. CORREIA:  Depending on the amount of equipment being
     taken out of service, what we use in maintenance rule terminology it is
     "of risk significance" and other factors.  In some cases a PRA analysis,
     PRA is the best tool to use to determine whether or not is it
     appropriate to take the equipment out of service.
         In some cases it could be a single system or train or
     component of low risk significance where an informed decision by a
     licensed operator would be adequate so we have that range of assessments
     that we have to consider.
         DR. POWERS:  I mean what you have discussed is the range of
     possibilities.  What I am more interested in is what is the minimum
     amount to meet the requirements of the proposed rule.
         MR. CORREIA:  Well, it will have to be depending on the
     complexity of the situation.  Our expectation is and I think even the
     Commission stated in the original statements of consideration of the
     rule that as the configuration becomes more complex the expectation was
     so should the assessment.
         DR. UHRIG:  Does this assessment made by this individual
     operator you alluded to a minute ago have to be documented?
         MR. CORREIA:  We have talked about that.  It was another
     comment we received from the industry.
         What we focused on on the inspections was the process they
     used.  What we were looking for was a repeatable, scrutable process.  We
     weren't as concerned that they document everything.  What was more
     important is that they understood the implications of what they were
     doing and then made the right decisions.
         DR. UHRIG:  What about inspectability?
         MR. CORREIA:  Well, I'm going to let Pete Wilson address
     that because he did --
         DR. UHRIG:  Because if it is not documented --
         MR. CORREIA:  -- he did the majority of these inspections
     for us.
         MR. WILSON:  Yes, my name is Pete Wilson.  I have sort of
     been overseeing the PRA aspects of the maintenance rule baseline
         The way we conducted the inspection was first look at the
     process the licensee had placed in their maintenance rule implementing
     procedures, and then what we would do is recreate plant configurations
     over a period of time and then test to see if, you know, using their own
     process, if we came up with the same risk results or safety assessment
     results that they had.
         And if we found something out of the ordinary we asked them
     why did you say this was low when we think it's by your own process a
     higher-risk situation.
         DR. UHRIG:  There was a reference a minute ago to the use of
     a risk meter.  This is an acceptable approach to this?
         MR. WILSON:  Yes.  Provided that the, you know, the risk
     meter is of sufficient quality for what they're doing.  You know, just
     some of the early risk meters were basically cut set manipulators that
     if you took a lot of equipment out at once, the results were no longer
     reliable.  Some of the newer plants do requantifications of full models,
     and we find those acceptable, provided the PRA has fidelity.
         DR. MILLER:  Who makes the judgment on the quality of the
     risk meter?
         MR. WILSON:  Well, for the maintenance-rule inspections,
     given the short time, we did not delve deeply into the quality of the
     licensee's PRA that was used in the risk meter.  We did a spot check of
     certain aspects of it, but we -- I would be hard-pressed to say that we
     did an inspection of their model.
         DR. WALLIS:  Related, what do you mean by "overall effect"? 
     I mean, if you had a bullet which simply said determine effects on
     performance of safety functions -- "overall" could mean make a rough
     estimate of overall effect, or it could mean do something pretty
     comprehensive.  Why did you put in the word "overall," and is there some
     measure of "overall effect" which you can use?
         MR. CORREIA:  I think what the Commission intended by that
     word was to look at the cumulative impact of multiple pieces of
     equipment out of service simultaneously.
         DR. WALLIS:  You mean look at all the details of these or
     make some rough estimate of the overall effect?  I mean, I don't
     understand --
         MR. CORREIA:  I believe the intent was to make sure that by
     taking equipment out of service that you wouldn't jeopardize or place
     the plant in a situation where if there was an event and you needed
     certain equipment, that you would have it.
         DR. WALLIS:  I understand that.
         MR. CORREIA:  But the overall effect, again, it's a judgment
     call on conditions of the plant and what plant management had in mind,
     which makes the inspections quite interesting, because like most of what
     we do, it's a matter of judgment, theirs versus ours, since there's no
     hard and fast requirements to even use a PRA.  It was recommended, we
     encouraged it, industry embraced it.  So we followed along.
         DR. POWERS:  But it does seem like there's -- I mean,
     there's a certain amount of schizophrenia here.  You've got judgment
     calls all down through it, and acceptance criteria that seem very
     quantitative, risk-significant or not, on acceptable level.  Why don't
     you just go ahead and put in a bullet that says thou shalt use a PRA?
         MR. WILSON:  Yes.
         DR. POWERS:  I mean, I'll tell you exactly why.  It's an
     unacceptable thing.  But you're effectively requiring them.
         MR. CORREIA:  With this language, that was certainly
     implied, and the comments from the industry certainly indicated that. 
     They had also indicated that this language would prevent them from doing
     what from a safety perspective may be a high-risk situation, you know,
     putting the plant in a high-risk configuration, but for a very short
     duration, which may be a better thing to do than to take multiple steps
     over a longer period of time.  Even though the risk may be lower,
     probably the potential for something going wrong would be greater.
         DR. POWERS:  Is a PRA really suited to make judgments about
     risk over a short period of time?  I mean, huge numbers of things in
     there are annual averages.
         MR. WILSON:  Right, but the PRA in my mind is the best tool
     we have.  It's the only integrated tool we have, and you can look at
     short instances of time by looking at core damage probabilities in that
     instance of time.
         DR. POWERS:  Yes, I'm willing to concede that the PRA yields
     a core damage probability.  The statement that it's the best tool we
     have available seems to be one that would have to be bolstered by
     comparison to various tools against some objective criterion.  Do we
     have that?
         MR. WILSON:  Not that I'm aware of.
         DR. POWERS:  Okay.  Then what leads you to think that that's
     the best tool we have available?
         MR. WILSON:  Well, based on my experience in operations for
     18 years I think that when you have multiple combinations out of
     service, that's the only tool that looks at it in an integrated way. 
     You can use a barrier-type analysis, which some people used several
     years ago, where you look at key safety functions but because of
     dependencies and other things like that, your decisions could be
     incorrect using simply a barrier approach.
         MR. CORREIA:  PRA will give us one insight as part of the
     whole assessment and management process.  Certainly operator judgment,
     experience, training, understanding of the plant, how it reacts to
     certain situations, all those pieces come together to determine whether
     or not it's acceptable to remove or work on a piece of equipment for
     maintenance.  But as Pete said, certainly the integrated effect that a
     PRA gives you is at least today seems to us to be a reasonable way of
     accomplishing what the Commission intended.
         DR. WALLIS:  I don't understand why it's debatable what an
     unacceptable level is.  I noticed the industry comment said -- several
     of them said define unacceptable level.  Surely you have clear rules
     about performance of safety functions which are unequivocal, and there's
     no debate about what's acceptable and unacceptable.
         MR. CORREIA:  It was a comment we received.  What we try to
     do is, using these two phrases in that last sentence was balance the
     insight, the situation where a PRA may be the better way to evaluate or
     assess the configuration, or in some cases technical specifications for
     one piece of equipment out of service may be adequate in combination
     with operator judgment.  Then they know what the limits are on what can
     be taken out of service and for how long.  That was the thought behind
     that language, anyway.
         DR. POWERS:  Suppose that I broke my plant down, mentally,
     into a series of subsystems, did an assessment with whatever PRA I had
     available, and said okay, I can have this subsystem, which might be a
     lot -- I might break it down fairly coarsely, say into five or six --
     and said I can have this subsystem out of service for 14 days, and not
     increase the risk.  I did this all well beforehand, today, and just kept
     these things on a chart, and I might do them singly and then I might do
     them pairwise.  I doubt I would go to triples, because I'd probably
     start running into problems.  And so when my maintenance schedulers came
     up to schedule maintenance, they just looked on that chart and said
     okay, we have to do this in a certain period of time.  Does that qualify
     as an adequate assessment?
         MR. CORREIA:  I would say depending on the risk significance
     again of the equipment you're talking about, the higher the risk
     significance and whether or not you're doing it simultaneously or in
     parallel, it may be appropriate or may not be.
         DR. UHRIG:  Isn't that essentially what a risk meter does,
     except it does it concurrently?
         MR. CORREIA:  Yes.
         DR. UHRIG:  It effectively does that.
         MR. CORREIA:  Right.
         MR. WILSON:  There were a number of utilities that used
     preassessed tools where they would have either a two-by-two matrix or
     they would have different combinations preassessed, and the only caveat
     I would add that you would have to look at that block of components you
     plan to take out and then maybe consider any external factors that
     weren't there during the preassessment.
         DR. SHACK:  The current rule, and, you know, it doesn't
     require these assessments, but it certainly suggests that these
     assessments have been done, what are they using for guidance now?  How
     detailed is the guidance in 9301 on performing these assessments?  Is it
     acceptable in the intent of the new rule?
         MR. CORREIA:  The guidance was written in 1992-93 with that
     thinking at the time.  Certainly it addressed -- it mentioned risk
     monitors.  It mentions matrices.  It mentioned more deterministic
     approaches, depending on again the complexity of the configuration and
     what the situation was.  In my mind it is still adequate, but what we
     plan to do in revising the regulatory guide or if industry decides to
     revise the existing guidance, we've learned a lot since 1993.  Industry
     has in my mind come a long way with different techniques and
     methodologies that they use, and we'd like to incorporate that to expand
     the guidance.
         MR. BARTON:  Well, apparently it must have worked.
         DR. SHACK:  Does it increase the requirements or --
         MR. CORREIA:  No.  It's only guidance.  Better ideas is the
     way I look at it.
         MR. BARTON:  Well, apparently the words must have worked,
     because in your inspection program you found several utilities whose
     program was completely adequate and had no weaknesses.  So apparently
     the guidance was out there.  If licensees wrote their programs and
     procedures to comply with that guidance and followed them, obviously it
     was satisfactory.  If the problems you found where plants did not
     implement that satisfactorily and carry it through to the level where
     you did find some weaknesses or some people didn't even do it because it
     wasn't required, "should" was there instead of "shall."  But obviously
     you could have made this thing work with the old words.
         MR. CORREIA:  In the majority of plants, every plant had a
     process, and it was usually designed on their maintenance philosophy. 
     Some plants would only take one piece of equipment out of service at a
     time, and rarely during power they still would do most of their
     maintenance during outages.  Other plants did whole divisions at a time. 
     So their assessments tended to be much more complex.  So we looked at
     their situation, their philosophy, and their process to determine
     whether or not they were meeting the intent of the rule.
         DR. SHACK:  Now the industry, you know, makes an argument
     this is an enormous expansion in scope.  Now obviously the scope of
     components under the maintenance rule isn't changed by this change in
     words.  You've just told me the guidance for the assessments they're
     doing is still acceptable.  Is the expansion in scope going from, you
     know, monitoring and preventive maintenance to all planned maintenance? 
     Is that where they're seeing the enormous expansion in scope?
         MR. CORREIA:  I would argue that the only true expansion is
     adding corrective maintenance to this assessment process.  All those
     other activities, we say monitoring and preventive maintenance covers
     surveillances and postmaintenance testing.  They're already doing it.
         Correct me if I'm wrong, Pete, but I believe most plants
     also address today corrective maintenance, corrective maintenance that's
     planned versus emergent work or emergency work.  I don't believe we'd
     expect licensees to stop doing assessment and then fix a situation that
     from a safety perspective needed immediate attention.  We don't expect
     that today.  We wouldn't expect it in the future.  And that's some of
     the information that we want to put in the regulatory guidance to make
     sure that it's clear.
         I imagine that some plants that only do the assessments for
     monitoring or preventive maintenance activities and not corrective
     maintenance, it will expand or increase their burden.  I agree.  But I
     believe, as the Commission did, it's the right thing to do.
         My next few slides here will get into why we believe that,
     because the industry has changed since 1991 when this rule was written.
         DR. APOSTOLAKIS:  In the Regulatory Guide and risk-informed
     changes to the tech specs, there is a criterion regarding temporary
     changes, that the probability of core damage should be less than a
     number, and the probability of large early release should be less than a
     number.  It is a frequency, it is the integral over the time.  Could
     these criteria be relevant here, when you are trying to decide what is
     risk significant?  They refer to temporary changes.
         MR. WILSON:  We intend to put guidelines in the Reg. Guide
     that would give recommended levels for core damage probability and large
     early release probability.
         DR. WALLIS:  Is this just recommended or rules?  I mean
     suppose the inspector says --
         MR. WILSON:  Recommendations.  I think when you see how the
     -- the new proposed wording of the rule, we are looking more at
     utilities to manage risk and to give them guidelines at what point we,
     the Commission, feel you should be concerned that you are getting to a
     certain level of risk that you need to carefully manage --
         DR. WALLIS:  Eventually, it will be a rule, won't it?  I
     mean if you step over this line, then you will be cited.
         MR. CORREIA:  Again, it will be guidance, as it in the tech
     spec regulatory guidance.  But at least I believe anyway that temporary
     change guidance is what we should be doing for the maintenance rule.
         MR. BONACA:  Isn't here a key issue the fact that you are
     allowing to take equipment out of service during operation beyond tech
     specs limits.
         MR. CORREIA:  Yes -- no.  No, no.
         MR. BONACA:  Well, not beyond.  I am saying, however, there
     is equipment out there that is removed, multiple equipment, okay, that
     is not controlled by tech specs, however, it is safety significant.
         MR. WILSON:  Correct.
         MR. BONACA:  And so why wouldn't you have, you know, a
     burden on the utilities to demonstrate, in fact, that the configuration
     is not risk significant.  I mean I see a shyness on your part in
     promoting use of PRA, or whatever tool you think is appropriate, to
     support the configuration.  It seems to me that the degree to which you
     are allowing this to take place online maintenance, where multiple
     equipment is removed, you have to have -- you know, I see a shyness in
     proposing -- placing the burden on assessing risk significance, and I
     don't think you should *do that.*
         MR. CORREIA:  It is a shyness from having it in the rule
     versus in the regulatory guidance, or in the statements of consideration
     that would, at least from a Commission point of view, lay out the
     expectations on how these assessments should be conducted.  And,
     certainly, the more complex the high risk significant systems
     combinations, the expectation would be to focus more on PRAs than
     deterministic approaches, certainly.
         DR. WALLIS:  Are you shy or just not be really explicit,
     saying this, this and this are acceptable, you had better do it?  And
     why does it have to be sort of couched in sort of maybe language the way
     you seem to be doing it?
         MR. CORREIA:  The maintenance rule is intended, at least
     initially, to not be prescriptive.  In keeping with that philosophy, we
     are trying to keep the language -- I shouldn't say vague, but rather
     than prescribe precisely what a licensee would have to do, the idea is
     to tell them what results they should achieve and let them decide what
     is best for them.
         MR. BARTON:  It is supposed to be performance-based rule.
         DR. WALLIS:  That's all right.  As long as the results --
         MR. BARTON:  You can make it prescriptive very easily by
     doing the things that you are suggesting.  You can make it a
     prescriptive rule, which was not the intent of it initially.
         DR. SEALE:  Earlier, someone mentioned that there already is
     somewhere else a number for allowable risk if you take certain things
     out of service.  Have you thought about sharing that number in the
     maintenance rule as your version of what the allowable risk would be, or
     have you thought about it at all?
         MR. CORREIA:  Yes, we have.
         DR. SEALE:  Well, I mean have you thought about using that
         MR. CORREIA:  In the rule or in the guidance?
         DR. SEALE:  In the guidance.
         MR. CORREIA:  In the guidance, yes.
         DR. POWERS:  Well, I mean if is it good enough for guidance,
     it seems to me like it is good enough for rules.  The word there is an
     unacceptable --
         DR. SEALE:  I agree.  I was concerned about the earlier
     problem, namely, having more than one number in the regulations or in
     the guidance for the same process.
         DR. POWERS:  I understand.  You would like --
         DR. SEALE:  I would like consistency, even though it may be
     a hobgoblin.
         DR. POWERS:  And historically, it seems like we have avoided
     putting those numbers in rules, but here we have got a very -- I think
     it kind of perplexes me.  We have got judgmental process, judgmental
     process, judgmental process, acceptance criteria that is very, very
     quantitative.  Well, if you are going to be halfway, you might as well
     go all the way and make it quantitative.
         DR. SEALE:  Sure.
         DR. SHACK:  Well, I think you had better perhaps get on to
     what the current proposed wording of the rule is, that may change some
         DR. SEALE:  You may get out of here.
         MR. CORREIA:  Thank you.  Just briefly, and we have talked
     about some of these already, the most significant reasons why the
     Commission and we believe this rule change needs to be made.  Certainly,
     the first one is the clarification that the rule applies during shutdown
     conditions.  But the next bullet, and the fourth one, in my mind, are
     the two most significant reasons why this rule should be changed to --
     this requirement should be changed to a requirement -- recommendation be
     changed to a requirement.
         Since 1991 industry has not only increased the amount of
     maintenance they do at power, but the frequency.  You read it in the
     trade journals all the time that this plant just broke a refueling
     outage record of 20 days or 19 days.  I don't think refueling processes
     have changed that much, but I think the amount of maintenance they used
     to do during those outages has changed.  They are doing more at power.
         MR. BARTON:  What is also reduced a lot is the
     modifications, the major modifications are all done, which ate up most
     of the time in outages and masked the amount of corrective maintenance
     in most cases.  Those major mods are done at all plants because plants
     are not installing modifications anymore.  So your outage is really
     shuffle fuel, do a hydro, do your surveillances and do corrective
     maintenance that fits in that window and go.
         MR. CORREIA:  Some plants have also lengthened their run
     cycles from 12 months to 18 months, to 24 months in some cases, and I
     believe the only reason they can run that long is they are doing
     maintenance at power, to make sure the equipment continues to operate
     through this whole cycle.
         DR. MILLER:  Has that created a noticeable problem?  I mean
     have we seen things that -- where we think was plant was put in a risk
     significant position, that we -- do we have a problem we are trying to
     solve or just --
         MS. BLACK:  I would like to answer that, and remind Rich
     about, I think it was around 1995 when Bill Russell, the Office
     Director, went out to a few plants and he was concerned by what he saw
     at plants we were taking out of service.  They did a temporary
     instruction and looked at all the plants across the country and came up
     with the results that we needed to improve the guidance.  He wrote a
     letter to INPO, I think it was.
         MR. CORREIA:  Yes.
         MS. BLACK:  And INPO gave guidance to all utilities on how
     they should control their online maintenance.
         DR. MILLER:  Okay.  So INPO has guidance.  Is that --
         MR. CORREIA:  It is more of a management guidance that they
     put out on -- don't rely solely on your technical specifications as a
     reason to take equipment out of service because, as they are talking
     about here on the fourth bullet, the technical specifications weren't
     designed to address simultaneous outages, so they could be masking risk
     significant situations by just following tech specs.
         I believe this change to the maintenance rule, or this part
     of the maintenance rule is, to my mind, the most important part of the
     rule.  It is an ongoing assessment process to reasonably assure the
     plants don't set themselves up for problems.
         MR. BONACA:  The reason for the comment I made before is
     that I have seen, for those utilities that have a good PRA capability,
     the maintenance department proposes -- takes out of service some
     components, the way they have done in the past.  PRA group comes up and
     says your risk is increased by twenty-fold.  So an interaction happens
     and then maintenance is moved so that you reduce that twenty-fold to
         Now, given that perspective, it seems to me, again, that you
     have to expect the use of technology that allows you to reduce the risk,
     given that those who do not use these tools seem to have a history of
     this kind of issues.  What I mean is that maintenance department,
     believing they are doing the right thing, and yet they go into these
     kind of situations that -- with a simple risk meter or a PRA is found to
     be significant, because the relationship between, you know, independent
     components in different locations on separate trains at times are
     difficult to understand and the PRA can do it very effectively.
         So, the point I am making, again, I don't think that, given
     this increasing amount of maintenance of power, there should be an
     expectation there are adequate means out there to evaluate if you want
     to take multiple systems out of service.
         MR. CORREIA:  I don't disagree at all.
         DR. MILLER:  So there's plants that have been doing things
     like Mario is talking about, like I was walked through a plant, we had a
     risk meter, which I think, at least on record, looks good, and they
     walked me through how they were doing their maintenance.  This is three
     years ago.  And they did exactly what Mario said, they looked at the
     risk and they looked at the planning.  And so if they are doing that,
     then that is what we want to happen.
         MR. CORREIA:  Absolutely.
         DR. MILLER:  Now, my question goes back to, and it picks up
     on Dr. Uhrig's question -- if they have a risk meter, how are we going
     to judge the quality of that?  If they have a risk meter, is that the
     way to do it, and is that -- that is going to be acceptable for this
     assessment?  And the risk meter is based on the PRA and then you made
     the comment, we have to look at PRA quality.
         MR. CORREIA:  Yes.
         DR. APOSTOLAKIS:  He said yes.
         MR. CORREIA:  Yes.
         DR. APOSTOLAKIS:  I think what Dr. Bonaca is saying is that
     they should be, in fact, asked to do that.
         MR. CORREIA:  If -- in other words, in the rule itself, if
     they take out --
         DR. MILLER:  Right.
         MR. CORREIA:  -- multiple pieces of equipment, or that if
     the configurations are complex or have multiple pieces out of them, they
     should use PRA tools, they must use PRA tools?
         MR. BARTON:  Now, you are making it prescriptive.  How am I
     going to do this assessment?
         MR. BONACA:  The trouble I am having is, with complex
     configurations, because it happens so many times that people take out of
     -- you know, so, I am only saying that I understand your language there
     in the previous slide, what you are saying, essentially commensurate. 
     Essentially, that says your risk significance and the methodology you
     use is commensurate to the significance of the configuration you are
     proposing.  You know, it is I think vague, because the history is one
     where the people that don't use PRA, they are taking out other systems
     out of service, several simultaneously, and they really don't know what
     the impact is.
         Now, insofar as the methodology, you don't need such a
     complex methodology.  PRA will easily identify some dependences between
     some components on two different trains, very quickly.
         DR. APOSTOLAKIS:  I am told here, because I see John
     Barton's point that this, in a performance-based rule or approach, you
     really should not prescribe the way to achieve the performance.  In a
     Regulatory Guide, of course, you can give guidance.  On the other hand,
     of course, this involves PRA, which should be used.
         MR. WILSON:  That being the gospel you mean.
         DR. SHACK:  Shall be used or should be used.
         DR. SEALE:  The point is that this is a performance-based
     rule, but it requires the application of risk insights.
         Now, you have indicated in your third bullet that
     inadequacies were found in your A-3 assessments during baseline
     inspections.  How did you judge what the utility did to be inadequate?
         MR. WILSON:  Well, I guess I will answer that since I do a
     lot of these inspections.  First off, we had several utilities that
     didn't perform them at all.  We had some that --
         DR. SEALE:  Didn't perform what?
         MR. WILSON:  Any assessment.
         DR. SEALE:  All right.
         MR. WILSON:  They took equipment out of service without
     consideration of its risk impact or safety impact.
         DR. SEALE:  Well, that is certainly inadequate, but --
         MR. WILSON:  Right.  We had some other utilities that had
     risk tools, like a two by two matrix, where they were actually take four
     or five risk significant components out at once without considering that
     impact.  And we actually found a few that put themselves, by their own
     criteria, in risk significant configurations without knowing it.  Some
     of the people who used the tool didn't even -- you know, who were
     responsible for using the tool, didn't have any training on how to use
     it, et cetera, et cetera .
         DR. MILLER:  And those were judged adequate?  What were you
         MR. WILSON:  Well, we -- since the word adequate has -- for
     inspectors, has a regulatory meaning, meaning if it is inadequate, there
     is some violation of NRC regulations, so we would call it significant
         DR. SEALE:  A program weakness.
         MR. WILSON:  Right.  Put something in the cover letter of
     the inspection report that we had noted this in the inspection.
         DR. SEALE:  Were you able to give them hints as to what
     would have been adequate?
         MR. WILSON:  We don't give hints.
         DR. APOSTOLAKIS:  Inspected there with a T-shirt that said
         MR. CORREIA:  We can certainly tell them what we believe was
     wrong, and, hopefully --
         DR. SEALE:  Can you tell them how you decided that their
     number was not as good as the number you got, so that you judged what
     they got as being inadequate?
         MR. WILSON:  Well, --
         DR. SEALE:  Presumably, you did some sort of parallel
         MR. WILSON:  Right.  But what we don't have is our own
     independent NRC PRA model to run the quantification with a different
     model than they have.
         DR. APOSTOLAKIS:  But now you have --
         MR. WILSON:  So we have to rely on their results and see if
     they followed their process.  And, as I said earlier, given the
     maintenance rule baseline inspections, we did not verify the quality of
     their PRA that might have been used to develop their tool.
         DR. MILLER:  So we are going back to the quality, the PRA is
     an issue here.  Right?  So to be adequate, you have to have a quality
         DR. SEALE:  To put it another way, if they had done it with
     a PRA, we still don't know whether it was an adequate assessment.
         DR. MILLER:  That is another way to put it, yes.
         DR. APOSTOLAKIS:  Let's start from the top, let's follow a
     top-down approach.
         MR. CORREIA:  All right.
         DR. APOSTOLAKIS:  It seems to me that the appropriate place
     to strongly recommend the use of PRA is the Regulatory Guide, because
     that is where you are telling the industry what you find to be
     acceptable.  And then because, you know, we are saying that performance-
     based regulation should not be prescriptive, but there is also an
     additional element that the licensee should be using acceptable methods
     to demonstrate that they have met the requirements, and these acceptable
     methods have to be described someplace.
         Second, the issue of quality.  As you know, the IPEs, the
     IPE quality varies a lot, licensee to licensee.  Here you are mainly
     interested in what happens when something is out of service.  So the
     quality -- the question of quality there I'm not sure is that important,
     because all the IPEs have event trees and fault trees, so the quality
     really counts when people don't treat common-cause failures very well or
     the human error rate is underestimated.  In other words, when the
     numbers really play a role -- and in your case they might if you adopt
     the criterion that the regulatory guide on tech specs has -- but I think
     you can get most of the benefit here by just looking at what happens to
     the accident sequences when you take certain equipment out.
         And at the same time, if the IPEs are really bad in some
     cases, this would be a means for making the utility improve the IPE,
     because we discussed the question of quality of IPEs about two years
     ago, and the question then was should we go back and ask the industry to
     do them again to make sure that they all meet a certain quality
     standard, or as they use their IPEs, they will start improving them,
     depending on the situation.  And it seems to me this would be a good way
     of telling people that first, this is really the tool to use, and
     second, that tool has to meet certain minimum requirements for this
     purpose.  So it will become then part of their operations without making
     a big deal out of it.
         DR. POWERS:  Could I interject a point of clarification on
     what you're asking for here?  I guess I haven't memorized Part 50
     adequately, but I cannot remember anything in Part 50 that says the
     objective of our regulations is to have licensees produce good-quality
         DR. APOSTOLAKIS:  No.  And that's not the objective here. 
     All you are telling them is --
         DR. POWERS:  It seems to be.  If you're asking them, gee,
     this is a motivation to get them to improve the PRA, I mean, I'm
     perplexed.  I simply don't see anything in the regulations that says
     that a licensee even has to have a PRA.
         DR. APOSTOLAKIS:  Well --
         DR. POWERS:  Maybe with this there will be, but --
         MR. BONACA:  The point you made, however, George, that --
     see, the IPE may be low quality, and that would make it hard to defend a
     bottom-line number like a CDF or something of the kind.  The
     dependencies, however, as developed in the fault trees, typically are
     pretty valid.
         DR. APOSTOLAKIS:  Yes.
         MR. BONACA:  And they help you very much to see some
     dependencies which are not so obvious.  Again typically you're worrying
     about separate divisions whereby the concern is that you're taking out a
     division and inadvertently you may take out some other important element
     of the other division that is critical in some way.  So I think the
     tools are available out there, and the reason why I'm expressing this
     concern is that the only thing that allows us to support online
     maintenance where you make this significant modification in
     configuration is because it is a short time.
         But the fact is, if the risk is increased very significantly
     in a short time, this is much beyond what we are allowing to do in 50.59
     where we are talking about, you know, discussing at a grass level, you
     know, who gets the top inch of the grass.  And so that's why I think it
     is an important issue, that at least the best technology available today
     be expected -- expected -- to assess complex configuration.  We don't
     have to prescribe a PRA.
         DR. APOSTOLAKIS:  It's my turn to be perplexed, and maybe in
     an hour the whole Committee will be.
         DR. SHACK:  Well, I would say don't get too perplexed,
     George, because we have to get done by ten, and we'd like to hear their
     response to the public comments.
         DR. APOSTOLAKIS:  Wait, wait, wait -- by what Dr. Powers
     just said.  I mean, it seems to me -- are the risk-informed regulatory
     guides issued last year not part of the regulatory structure?  They are.
         DR. POWERS:  They are not requirements.  There's nothing in
     a requirement about them.
         DR. APOSTOLAKIS:  You are not requiring here.  You are
     putting it in a regulatory guide, and you're saying this is an
     acceptable way.
         DR. POWERS:  These are changes to rules.
         DR. APOSTOLAKIS:  I just suggested that the PRA reference
     should be in the regulatory guide, not in the rule.
         DR. POWERS:  I think it's effectively in the rule.
         DR. APOSTOLAKIS:  Then I don't understand how they can ask
     in the rule that the licensees should ensure that the plant is not
     placed in a risk-significant configuration.
         DR. POWERS:  That's what causes you to say this rule
     effectively requires a PRA.  There is no way to meet this rule that will
     be acceptable to the staff without a PRA.
         DR. APOSTOLAKIS:  So you're suggesting they drop this?
         DR. POWERS:  They have -- well.
         MR. CORREIA:  What the words imply.  It could be implied
     that yes, a PRA would have to be used each and every time.  We don't
     believe that's the case, but certainly that was the reaction of most of
     the comments from the comments we received.
         DR. WALLIS:  Well, when is PRA going to stop being taboo? 
     When is PRA going to be required?
         DR. APOSTOLAKIS:  I don't know.
         DR. WALLIS:  Presumably some day to make risk assessments
     you're going to have to use something like a PRA.  Maybe I'm naive to
     say -- and someday it's going to become required.  Maybe this is --
         DR. POWERS:  Well, what I knew for sure --
         DR. WALLIS:  To debate.
         DR. POWERS:  Is that I've got several examples of plants
     that have operated for almost 30 years without the assistance of a PRA. 
     Now maybe that's fortune on their part, and maybe not.  But it is clear
     that we have not granted any licenses to plants that said you must have
     a PRA.  If we're going to make that step and say you effectively have to
     have a PRA, then I think we have a serious backfit analysis to do.
         DR. MILLER:  But if we say you must have a PRA to do certain
     things with your plant that weren't planned, like online maintenance in
     complicated situations, is that a backfit?  We're talking here, they're
     talking about say taking out four or five systems simultaneously, and
     the only tool we have now to analyze the risk-significance of that is
     the PRA.  Would that be a backfit?
         DR. POWERS:  Have we done this in the past?
         DR. MILLER:  No.
         DR. POWERS:  We've not taken out four or five systems in the
         DR. MILLER:  Oh, certainly have.
         DR. POWERS:  And we somehow succeeded in analyzing it then.
         DR. MILLER:  Well, I thought there was some question of
     whether we succeeded.
         DR. POWERS:  I thought that was your question.  It's not
     evident to me that we're trying to solve a problem, I think, and it's
     evident that we're trying to solve what we think might be a problem, but
     that thing that might be a problem is not itself bolstered by the
     analysis that the licensee is required, that is, the staff's not gone
     through and said okay, look, here are some configurations that were
     permitted in the past that just have a very, very high risk number. 
     I've calculated it with a PRA that I think is quality.  We're not
     getting that kind of information.  I'm not sure we're attacking a
     problem that exists.  I think it's a --
         DR. MILLER:  Well, I'm not either.
         DR. POWERS:  Figment.  I mean, it's an imagination.  People
     have said gee, this could be a problem.  If it's a problem at 10 to the
     minus 13, that's one class of a problem.  If it's a problem at 10 to the
     minus 3, that's a different class of problem.
         DR. MILLER:  Well, have we answered that question then?  I
     don't think -- I agree, we have not.
         DR. POWERS:  I think we --
         DR. MILLER:  I thought that was the question I tried to ask
     earlier on.
         DR. POWERS:  I thought that was the question you posed.
         MR. BONACA:  Just a couple --
         DR. MILLER:  But Dr. Bonaca said he thinks there is a
         MR. BONACA:  Well, a couple of observations.  One, first of
     all, I certainly am not prescribing a PRA.  I'm only saying that there
     has to be a burden to assess risk-significance before you go into online
     maintenance.  I don't care how you do it.  You know, if PRA seems to be
     the whole issue, you could limit yourself to failure mode and defect
     analysis or whatever, whatever you do to get some basic understanding of
     the significance.
         And, second, from a perspective of the past, if you look at
     a lot of the LERs and you read them, you'll see that there are words
     such as:  The plant was in the following condition:  "Train X was out of
     service for this reason and the other component was" -- and then
     something happens.  And when you read that, you miss the fact that this
     system was out of service 4 days and the component was -- I have not
     performed an analysis to see to what degree that sums up the risk.  But
     I think, you know, again the burden of demonstrating for the operator,
     that he understands the risk-significance of the configuration that goes
     into should be there whatever tool he uses and how convincing he may be. 
     But certainly I feel that there is a shyness, the way I read it, in
     setting up an expectation, and I don't think it should be there.
         MR. CORREIA:  Correct me if I'm wrong, Lane, but I believe
     in the statements of consideration for this proposed rule we did lay out
     that expectation that the more complex combinations of equipment out of
     service, then the expectation is that so should the analysis, so should
     the assessment including tools like risk monitors, and then from there
     down to the simple low-risk one item out of service judgment by the
     operator-type assessment.
         So if the Commission agrees with that for the final rule,
     that will be in the statements of consideration, and certainly that
     would be easy to be brought into the regulatory guide.
         DR. APOSTOLAKIS:  I'm still perplexed, because I don't think
     I need an IPE.  It's not that I'm asking them to do something major.  Is
     it in Part 50 that people should use specific differential equations,
     that they should solve using Laplace transforms, that they have to do
         In other words, if there is a situation where a problem
     requires a solution of an equation using the Laplace transformation, can
     the licensee say no, that's not part of my license, so I will not do it? 
     It seems to me that's ridiculous.  So here you have a situation like Dr.
     Bonaca describes which is purely logic.  It says this system is out,
     that component is out, show me that you're still safe.  So now I know
     nothing about fault trees and event trees, but I take the combination
     and say well, gee, you know, if I take that combination, I'm this close
     -- and this extra component fails -- I'm this close to damaging my core. 
     That's not in Part 50.  That's logic.
         Now, if you expand that and give it a name, all of a sudden
     it becomes a no-no, oh, it's not in Part 50.  But if you keep it a
     couple of levels down to the mathematics, then it's okay.
         So I think we should draw a line here.  I mean, it's one
     thing to demand a PRA the way, you know, Indian Point did it several
     years ago, or 1150, which was really a major undertaking of 12 volumes
     and so on, and another to say aha, this tool is used in PRA and we have
     not demanded a PRA in Part 50, so don't use it.  That doesn't make sense
     to me.  This is just logic.  If you want to call it a minimal cut set,
     then are you committing a crime?
         DR. POWERS:  I think the question, George --
         DR. APOSTOLAKIS:  I've grown accustomed to minimal cut sets.
         DR. POWERS:  The question, Professor Apostolakis, is not can
     you use PRA to solve this, the question is must you.  And I think I
     would have no trouble with a logic that went okay, I have this system
     out, and I also have this system out, and so if there is a fault, I only
     have one protective barrier, is an acceptable solution.  But I think it
     gets denied by putting in these acceptance criteria.
         DR. WALLIS:  What other way is there?
         DR. APOSTOLAKIS:  See, that's where I'm lost.  It seems to
     me that's the logic --
         DR. WALLIS:  You're not going to use PRA.  What else are you
     going to use?
         DR. POWERS:  Oh, barrier analysis, just what he described.
         DR. WALLIS:  Is it adequate?
         DR. POWERS:  Just what he described.
         What I have to understand is what the problem is in order to
     understand whether it's adequate or not.
         DR. WALLIS:  Then I think we need to have an analysis of
     that, and if there is no other adequate method, then it will have to be
         DR. POWERS:  Then include in the rule and say thou shall use
     a PRA.
         DR. WALLIS:  I think eventually that's going to happen
     somewhere, sometime, someplace.
         DR. APOSTOLAKIS:  It seems to me they can dilute the
     language --
         DR. POWERS:  The question is, is it this place and this
         DR. APOSTOLAKIS:  They can dilute the language in the
     regulatory guide, so that does not appear you are demanding an IPE or a
     PRA.  But you can still talk about barriers and combinations that take
     the plant to unsafe conditions.  Now if they don't want to use the PRA
     and they want to deal with 100 minimal cut sets, that's their problem. 
     If they want to use the PRA and come back and say look, the dominant
     ones are two, and the probability is very low, so leave me alone, well,
     that's another story.  But we can certainly manipulate the language so
     that it doesn't appear that we're imposing logic and truth on people.
         MR. CORREIA:  Well, we would certainly recommend that in
     those situations, since PRAs are -- I think every plant has a PRA or IPE
     -- we've seen the number of plants that have risk meters or risk
     monitors increase pretty dramatically over the years since the price is
     now not prohibitive.  I think we're going to see it anyway, to be honest
     with you.
         DR. APOSTOLAKIS:  I think the message is be careful with the
     language, because it's certainly a legitimate point --
         MR. CORREIA:  Yes.
         DR. APOSTOLAKIS:  That you cannot really demand things that
     are not in the original thing.  But, again, be careful with the
     language.  That's all there is to it.
         MR. BARTON:  Moving right along.
         MR. CORREIA:  Moving right along.  Thank you.
         We've talked pretty much about all of these.  The types of
     comments we got, the terminology that wasn't defined in the rule but was
     described in the statements of consideration, that the assessment should
     only be for SSCs removed from service, the concern there is there may be
     some online surveillances that could perturbate the plant and initiate
     an event, that this (a)(4) requirement is duplicative of the
     configuration risk management program.
         I don't deny that.  The assessment should not be required
     for non- or low-safety-significant SSCs, I generally agree with that,
     but I believe there are combinations, could be combinations of low-risk
     SSCs that could give you a risk-significant situation.  And it would
     have to be addressed.  Generally for non- or low-risk safety-significant
     SSCs, a simple deterministic assessment would be adequate.
         That exists today.  I believe that would be adequate in the
         Documentation requirements are not specified.  There are no
     documentation requirements anywhere in the maintenance rule.  Being
     performance-based it is described in the regulatory guidance. What is in
     there today probably could be enhanced.  There is a lot of fear that
     this new (a)(4) requirement is going to demand volumes of documentation
     to prove to the inspector that, yes, I did the assessment.
         As Pete described, we are more interested in a process that
     can be repeated and is scrutable.  Documentation should be for the
     licensees, to convince themselves that they have done the right thing --
     and yes, we believe that the Regulatory Guide needs to be revised to
     reflect lessons learned over the last few years, some new insights that
     we have gained through inspection, ideas that industry has come up with,
     and we are working on that revision.
         DR. POWERS:  Let me come to your more interest in the
         MR. CORREIA:  Documentation?
         DR. POWERS:  Than detailed documentation, and I believe that
     true.  I have no doubt that that is exactly what you are interested in.
         Is there some assurance that each succeeding generation of
     people inspecting on this will have a similar devotion to the process
     and not the documentation?
         MR. CORREIA:  That is in our inspection guidance today.  I
     don't have any plans to change that and we have spent an enormous amount
     of resources training our inspectors -- have in the past and continue to
     do so -- and I guess it's my responsibility to see that that does not
         DR. SEALE:  But you don't see anything in these changes in
     wording that would suggest a need to temper or modify the present
     inspection guidance?
         MR. CORREIA:  Somewhat.
         DR. SEALE:  So I presume then you are planning on making
     those suggestions?
         MR. CORREIA:  Yes.
         DR. SEALE:  I have a little bit of a problem.  You indicate
     here that combinations of out-of-service -- I'm sorry, I'm on the
     next -- go ahead.
         MR. CORREIA:  That's fine.  These are all proposed responses
     to these comments.
         DR. SEALE:  I have a little bit of trouble there, because
     there aren't any "no safety significance" systems, are there?
         MR. CORREIA:  It was a comment we received, so we just --
         DR. SEALE:  No, but I have a problem.  I mean what happens
     if you are having to do some rerouting on the electrical wiring, the
     ordinary utility wiring -- not circuits that are in control systems and
     so forth -- and besides that the water cooler needs a new coil in it.
         Those are a ridiculous set, but that is an awfully wide loop
     you are swinging with that statement there and I can see where you might
     wind up nailing somebody because they had a bunch of things going on
     that didn't have a thing to do with reactor operations.
         MS. BLACK:  Could I remind you that the scope of the rule is
     defined separately and this only applies to things that are in the scope
     of the rule, so you wouldn't have that kind of inspection problem.
         DR. SEALE:  Okay.
         MR. WILSON:  We are planning in the regulatory guidance to
     have additional guidance that the licensee can screen out from all
     future assessments some of the things that have been scoped in the rule
     to make the population smaller of what they have to think about.
         DR. MILLER:  So Bullet 2 only really means within the scope
     of the rule?
         MR. CORREIA:  Yes.
         MR. SCOTT:  My name is Wayne Scott.  I am just dying to make
     this one comment, that we have been saying since the very beginning on
     these kinds of issues that in a lot of cases for alone safety
     significant issues that the thought process that a licensee, especially
     a licensed licensee, goes through to say there is no safety significance
     in this evolution is in itself an assessment.
         MR. CORREIA:  And we have accepted that.  I think the only
     item here that we haven't talked about is the fourth bullet on the
     comment we received that (a)(4) is duplicative of the configuration risk
     management program.
         I think that was by design.  The reason we have CRMP is
     because (a)(3) of the maintenance rule is not enforceable so they had to
     come up with something that would be placed in tech specs that would be
     enforceable, but the Commission has already directed us if (a)(4) does
     indeed become regulation that licensees could apply and the Staff is
     supposed to remove CRMP expeditiously from the tech specs and that
     (a)(4) serve as the requirement.
         MR. BARTON:  So I put a license amendment in and extend my
     diesel outage for four days and you say that's okay but you have to have
     a CRMP so then I have to put a license amendment in to say please remove
     my CRMP?
         MR. CORREIA:  Yes.
         DR. SHACK:  But you will expeditiously approve it?
         MR. CORREIA:  That, per direction of the Commission, yes. 
     They understand the burden there.
         Given all these comments we received and certainly a lot of
     the discussion here today will be helpful, but this is what we plan to
     send back up to the Commission as the revised (a)(4).  It is shorter but
     I believe it still meets the original intent and even the changes that
     the Commission directed us to make.
         DR. SHACK:  Now we have lost planned maintenance.
         MR. CORREIA:  We have discussed that.  We have said it
     should be in, it shouldn't be in -- matter of opinion.  It's probably a
     better thing to do than not.
         DR. WALLIS:  -- but how much risk is acceptable?  I mean
     there may be a huge risk in this to be assessed and managed.
         MR. CORREIA:  I think the management is the key here.  There
     may be situations where a large increase in risk for a very short time
     is a safer thing to do than spreading it out over a long duration, and
     that was one of the concerns of the industry where the previous language
     would prohibit them from doing that, so we wouldn't want to force the
     plants to be in an unsafe situation but I believe this language would
     give them the flexibility to make those judgments.
         DR. APOSTOLAKIS:  So if I stick to Part 50, any increase in
     risk I guess that case would have to be interpreted to any equipment
     that is out of service?  It certainly increases risk.
         MR. CORREIA:  Essentially yes.  Oh, certainly the systems
     and components in the scope of the maintenance rule.
         DR. APOSTOLAKIS:  So if I use the -- oh, any increases, even
     if use a PRA you still have to do something, right?
         MR. CORREIA:  I am still --
         DR. APOSTOLAKIS:  Does the word "risk" appear in Part 50
         MR. CORREIA:  I am not aware of that.
         DR. APOSTOLAKIS:  If not, why can you use it here?
         MR. CORREIA:  Why can we?
         DR. APOSTOLAKIS:  Yes.  I don't understand.  I am coming
     back to Dr. Powers's comment.  Is it something that is legitimate to do?
         MR. BARRETT:  My name is Richard Barrett.  The word "risk"
     does appear in several places in Part 50.
         DR. SEALE:  I'm sure it does.
         MR. BARRETT:  But I don't believe in that context it refers
     to risk as we commonly refer to it as, you know, probability times
     consequences of severe accident.  It is used more in a vague sense of
     risk to the public.
         DR. MILLER:  I need some clarification on what you mean by
     manage any increases in risk.
         Does that mean the licensee will specify what that means
     because this is performance-based or --
         MR. CORREIA:  They will describe the method that they would
     use to manage increases in risk due to maintenance.
         DR. MILLER:  And they also specify how much risk that would
     be during that management process, or will that be required?
         DR. APOSTOLAKIS:  I guess not.
         MR. CORREIA:  We won't make it a requirement.  We could
     certainly put guidance, perhaps the same numbers as used in the risk-
     informed tech spec guidelines, temporary changes.
         DR. MILLER:  So if I am a licensee I would say I am going to
     manage my risk by saying I'll be in this risk state, which is consistent
     with one of our Reg Guides on risk management -- on risk assessment for
     this amount of time, and the inspector has to accept that or not accept
     that.  Is that the way it works?
         MR. CORREIA:  The burden would be placed on the inspector --
         DR. MILLER:  Right.
         MR. CORREIA:  -- to make the case that what the licensee was
     doing did not meet this requirement.  It's a challenge.  It's like a lot
     of other regulations a matter of judgment.  Appendix B says "Conditions
     adverse to quality shall" have some function performed or what does a
     condition adverse to quality mean?  It's what the licensee describes and
     what the inspector determines is adequate or not -- a matter of training
     and guidance and mutual understanding between the NRC inspectors and the
     licensees I think is the best method to achieve that common
         MR. BONACA:  But there are some things that normally are
     done, like for example identifying the equipment to be protected during
     the particular activity, identifying the equipment that must be
     recovered first -- I mean is there going to be someplace where this
     clear -- these are principles that are important to operations where
     these are spelled out.
         I mean these are things that --
         MR. CORREIA:  Sure -- contingency planning, et cetera, yes. 
     That all belongs, in my mind, in a Regulatory Guide.
         MR. BONACA:  Yes, and I agree with that.
         DR. WALLIS:  Can I go back to a question that my colleague,
     Dr. Bonaca, asked why you were so shy about it, I think instead of being
     more specific and more assertive about what you are requiring in terms
     of risk.  Is this because you would be shot down by somebody if you did,
     and who would that person be?
         Are you frightened of the utilities?  Are you frightened of
     the Commission?  Are you frightened of the public?  What is it that
     makes you so shy?
         MR. BARTON:  I see you left ACRS out of it.
         DR. WALLIS:  We are a very friendly group -- there is
     nothing to be shy about.
         MR. CORREIA:  I guess that is a decision for the Commission
     to make --
         MS. BLACK:  And excuse me, the Commission did make that
     decision when we proposed the three options and the third option was
     doing specifically that -- specifying some level of risk in the rule
     that would be the limit of NRC acceptance, and the Commission
     specifically told us to not spend very much time assessing that option,
     to go ahead with Option 2, which is the more performance-based, gives
     licensees options.  If they don't want to use a PRA they don't have to.
         DR. WALLIS:  So it is the Commission that is trying to move
     us into this risk world of logic that is making you shy about moving in
     that direction?
         MS. BLACK:  I don't know that they were shy about moving
     towards it.  Their position when they came back in the SRM was that it
     would probably take a lot more time to do that kind of analysis and they
     wanted this rule in effect very quickly because they were concerned
     about the amount of online maintenance that was being done and the
     weaknesses we saw during the inspection.
         They did tell us in the long-run we should look at Option 3
     if we feel there is a need to after we have this rule in place to
     reassess and see if we need to go one step further and identify --
         DR. SHACK:  I also think there is too much emphasis here on
     that number.  I mean the real problem is the inadvertent -- I mean no
     licensee deliberately places himself in a situation or I think very
     rarely places himself in a situation of high risk.  What one wants to
     avoid is a process that doesn't identify an inadvertent activity or
     combination of activities that places you at risk and so arguing over
     the specific acceptance, you know, should it be five times 10 to the
     minus 5 or 10 to the minus 5, what you really want to have him analyze
     what he is doing and understand what he is doing, and I really don't
     believe there is much danger there that --
         DR. WALLIS:  The argument was given that the Commission
     wanted a quick fix, the short-term fix here.  I think when you do the
     short-term fix, you ought to have some vision of the long-term fix and
     how you are going to get there.
         MS. BLACK:  Well, the other thing is that what we saw out in
     the inspections -- we looked at this in every plant -- and what we saw
     out there is the level of risk that licensees were defining as what was
     acceptable and what wasn't was adequate.  We didn't take issue with
     that, as far as I know, and any inspection -- they all had a matrix that
     said this is a green situation, this is a yellow, this is a red, and it
     needed different levels of management approval and different
     configurations, and we found that acceptable and our goal is to define
     in the Reg Guide -- define what we saw out there or describe what we saw
     out there as acceptable so that licensees who maybe want to change their
     program can look at the Reg Guide and see what other people did.
         Correct me if I am wrong, Pete -- I think a lot of people
     use the EPRI PSA Applications Guide temporary change guidance, and we
     found that acceptable in every instance in our inspections, so we are
     not changing anything that licensees are currently doing as far as
     assessing the level of risk that they are willing to accept.  We are
     just making it an enforceable part of the regulation.
         DR. MILLER:  I think that if I were an I&C engineer in a
     plant and I saw that I would go immediately into my management and
     propose we put in a risk meter and based on a good PRA and use some of
     the concepts that George has mentioned -- minimal cut set with low cost
     PCs -- and have it in and running in a year.  I think everybody would be
         To me it's going to drive us the right way and it is better
     than trying to put down numbers.
         MR. CORREIA:  I personally agree and I think we are seeing
     industry move that way without a lot of nudging from us.
         DR. MILLER:  I'd drag my management into those places where
     they are already doing it effectively and say put out your half a
     million bucks and lets do it.
         MR. BONACA:  Yes, and insofar as the IPE, by the way, more
     of my concern with the bottom line it would be how much is the bottom
     line as represented in the limitation that you have affected by this
     online maintenance, because ultimately you have unavailabilities assumed
     in the baseline which don't correspond to reality.
         You have a lot of systems out of service and components
     there, so that is just a thought but I agree that we don't have to force
     the technology and I believe the industry will move in that direction
     because it is the proper way.
         Certainly the expectation that if you place the plant in a
     configuration which is other than licensed by taking components out of
     service they have a burden to prove that that is an acceptable
     configuration -- whatever that means.  I mean it's up to you to --
         DR. MILLER:  But you can justify this economically.
         MR. BONACA:  Oh, yes.  Very quickly.
         DR. MILLER:  And as I say, very quickly, easy to point out. 
     I think in a year or two, we will be back here and say, gee, every plant
     has these online facilities with these $2,000 PCs based systems.  Not
     quite, but almost, I think.
         MR. BONACA:  In my experience, okay, this is the last
     statement I am going to make on this, but the experience I have is that
     once the operators in the control room discover the support from the PRA
     groups, okay, they just want it.  I mean because they don't like to be
     in the responsibility of assessing whether the configuration is risky or
     not when they will have any tools to do it.  I mean they really, then --
     very quickly, they are asking for information to be on their desk on a
     daily basis.  In fact, you know, I have seen this happening in every
     case.  And so that is the issue we are talking about, importance of
     really using this kind of information to support good operation.
         MR. BARTON:  I think when the NRC did their inspection of
     the maintenance rule, that the licensees that had strong programs had
     people involved in the PRA aspects, also in good communications with the
     operator, with the licensed operators.  I think that was the strength of
     those programs, as I remember, when those programs were done.
         MR. CORREIA:  Yes, absolutely, it was.
         DR. MILLER:  We get everybody involved in PRA this way.  One
     way to get them.
         MR. CORREIA:  I think operators see it as a valuable insight
     that helps them make the decisions they have to make every day. 
         DR. POWERS:  I have not a single quibble with anything that
     has been said about the virtues of PRA.  Every -- I have no doubt that
     sooner or later operators will indeed embrace it, simply because it
     helps them and it takes a difficult burden of assessment off their
     shoulders.  The question that comes about, comes to my mind, is this
         DR. MILLER:  This doesn't make it mandatory.
         DR. POWERS:  No, this doesn't.  Actually, I have very little
     troubles with this.  But as a general debate that we are having on this,
     this -- Graham isn't saying eventually this has to happen because he
     sees no way through this forest, and I do.  I see things that have
     worked, and worked fairly well, without going to the PRA.
         The question really boils down to, should we be allowing the
     camel's nose into the tent by suggesting that it is mandatory here?  I
     think there are effective ways to run and do everything that this
     particular language, which I haven't parsed it into every single verb
     and noun and expansion that you can get.  My reaction to it is, oh, I am
     going to look at the Reg. Guide and the inspection procedure real
     carefully because -- because it is a pretty benign thing.  I think
     people can live with this.
         But this question of -- are we so persuaded that this PRA
     has all virtues, when I know -- I know for a fact that none of these
     licensees have anything that approaches a high quality PRA for shutdown
     conditions.  And I know that many of them have PRAs that are approved
     for certain kinds of activities, that they have brought in people that I
     have no doubt are good at adjudicating the adequacy of PRAs and they
     have approved them for certain activities and not for other kinds of
         I mean it is a marvelous and interesting tool, but we are so
     far away from being able to say what is an adequate tool here, whereas,
     we have good engineering practices that have at least had the benefit of
     long time use.  I think we should not be in the business of saying but
     you are denied use of those time-tested activities in place of this new
     technology that we are all very enthusiastic about.
         DR. MILLER:  Does this -- this doesn't demand that?
         DR. POWERS:  Again, Don, I have no troubles with the
     language of up here, without -- I have not parsed it.
         DR. MILLER:  I am just advocating that online this will
     drive, with the current technology, which is different than it was five
     years ago, dramatically different, it will drive people to do it that
         DR. APOSTOLAKIS:  It seems to me --
         DR. MILLER:  Now, on shutdown, that is a different question.
         DR. POWERS:  Well, shutdown is, of course, a very important
     part of this rule.
         DR. MILLER:  But they are worried about online maintenance
     of power, it is provided in the rule.
         DR. POWERS:  I think that has emerged at what the real
     question is.  It is not -- I think people will find the relatively
     qualitative techniques that EPRI developed for people, with their
     greens, and oranges, and yellows, I think we are growing in comfort with
     that.  I have troubles with them because I don't know how to interpret
         DR. MILLER:  That's the ORAM?
         DR. POWERS:  ORAM.  But that is my failing, not the failing
     of the method.  I think what has emerged is -- you are right, that it is
     the online maintenance that is really what is causing people to be
     concerned here.
         DR. APOSTOLAKIS:  It seems to me this would be a good way
     for people to start using PRA methods, including shutdown, and
     developing them, without being forced to do so.  Because I can see
     someone using the qualitative methods that you refer to, Dana, and then
     finding out that there is a PC program that does some of these things
     much faster.  Then the guy will start using it.  He doesn't care whether
     it is PRA or not.
         DR. MILLER:  Right.
         DR. APOSTOLAKIS:  In other words, if you see the benefit of
     doing something rather than satisfying a regulatory requirement, then
     you have a much higher chance of success.  So the fact that the shutdown
     PRAs are not up to the standard, perhaps by approaching the problem this
     way, not just here, but in other instances, too, and people will start
     realizing that they have to improve their understanding of the shutdown
     states and what can happen, and so similar -- use similar tools from the
     PRAs, then maybe that is a way to convince the industry that indeed
     there is value to this tool.
         MR. BONACA:  The other thing I would like to point out is
     that we all knew the day we built these plants that we would go down to
     shutdown and refuel these plants.  And I am not saying that we
     understand a lot about it, but we knew that.  Conversely, I think that
     there was an oversight regarding online maintenance.  I don't think
     there was ever put on paper a description of how we would maintain these
     plants.  And so what happened, the NRC, I believe, through the years,
     was unaware almost that online maintenance was occurring.
         And then there has been a debate at some level within the
     utilities and the NRC -- shall we do it or not do it?  And then, just
     because you have to do it, you end up doing it.  That's a true
     opportunity for oversight it seems to me, that we, as an industry, have
     missed.  And that is why I feel, you know, that this is the very issue
     that you are bringing up, that is the one of online.  That is the point
     I am making.
         DR. POWERS:  I think that has emerged as what the real
     problem to resolve here is.  And I agree with you that -- and the
     nuclear industry is not the only one that has built something and then,
     as Don said, gee, I have to maintain it.  Whoops.
         DR. MILLER:  Well, then the theory, of course, when you go
     to all these plants, the economics are dramatically different, and
     planning for 80 days outages was no big deal.  In certain part of this
     world, it is still required you have a 70 or 80 day outage.  Maybe it is
     not today, but it was a year ago.  And you can't survive with an 80 day
     outage, either -- whether you are burning uranium or natural gas.
         MR. CORREIA:  That is certainly a driver behind the
     increased frequency of online maintenance, deregulation.
         DR. WALLIS:  This is fascinating to me.  Your philosophy
     seems to be wait until industry really, across the board, feels we have
     to have PRA, and then you require it.
         DR. MILLER:  No, you are never going to require it.
         DR. WALLIS:  That's a strange way to regulate.
         DR. MILLER:  You are never going to require it.
         DR. WALLIS:  To wait until the regulatee, or whatever this
     person is, this industry is called, is dying for you to make some
     regulation, then you make it.  That is not the original way in which NRC
         DR. POWERS:  I am not even going to pursue that.
         DR. SHACK:  Maybe we had better -- we are impacting our
         MR. CORREIA:  The last slide.  Just for your information,
     these are the current plans.  Go forward with this rule language, unless
     otherwise directed, and have it back to the Commission by mid-April. 
     And as quickly as possible, complete work on the Regulatory Guide to get
     that ready and out for public comment and for the Committee's review, if
     they so wish.  And to get that Regulatory Guide out as soon thereafter
     as the rule is issued, but we are going to request that the Commission,
     if they approve this, not make this rule change effective until the
     Regulatory Guide has been published, final.  So the industry --
         DR. MILLER:  So the schedule on the Regulatory Guide, you
     say as soon as possible?
         MR. CORREIA:  We are going to shoot for a draft, hopefully,
     next month, by April certainly.
         DR. MILLER:  So we could see it in April here?
         MR. CORREIA:  Hopefully.  And then, hopefully, it will all
     be done by the June, July timeframe.
         DR. MILLER:  By the way, when I teach engineering I want to
     ban the word "hope."  That's another issue.  Hopefully.
         MR. CORREIA:  Okay.
         DR. SHACK:  Hopefully, we can get past that.
         DR. POWERS:  I want to come back to, a little bit, just the
     proposed language.  It seems like a very reasonable piece of writing
     because it says the licensee shall assess.  I mean, to my mind, that
     means sit down and think about it.
         MR. CORREIA:  Yes.
         DR. POWERS:  And manage, that is, don't make it any worse
     than it needs to be.  And it refers to risk, but it is little risk, I
     mean it is risk in a qualitative sense here, or it could be a
     quantitative sense, it is up to election.  Am I reading this correctly?
         MR. CORREIA:  Yes.  That is the intent.
         DR. POWERS:  I think you had done great here.  This looks
     like a good correction to things because it is simply, if I read it
     correctly, saying, if I come in and ask this guy, what did you do, I am
     just asking him, show me, indeed, that you thought about this, that you
     thought about ways that you could avoid very risky situations.  That
     would be desirable, Don.  Absolutely necessary.  But show me what you
     did here, and did you think about it, or is this a haphazard activity? 
     I think that is what you are asking for here.  And I think --
         MR. CORREIA:  Absolutely.  That has been the original intent
     all along.
         DR. POWERS:  And I think you have done good here.
         MR. CORREIA:  Thank you very much.
         DR. SHACK:  We had originally planned to have a presentation
     from NEI.  They were called up to the Hill today, so I don't think there
     is an official presentation.  But are there any comments from industry
     on the rule, or does anybody wish to make additional comments?
         [No response.]
         DR. SHACK:  I turn it back to you, Mr. Chairman.
         DR. POWERS:  I think at this point we are scheduled to take
     a break and I propose to break until 20 after the hour.
         DR. POWERS:  Let's come back into session.  Our next session
     deals with the Human Performance Program Plan.
         I guess I'll just turn it directly over to Mr. Apostolakis,
     who is the cognizant member.  I'll say that this has been a recurring
     theme to us and that we now have what I characterize as a two-stage
     plan, an immediate what we are going to do now, and the future, and I,
     myself, am very interested in how we go about doing the future version
     of the plan, so even if that is not part of the formal presentation, it
     would be useful to discuss what the thinking is about the development of
     the future plan.
         Mr. Apostolakis?
         DR. APOSTOLAKIS:  Steve?  Go ahead with your presentation.
         MR. ARNDT:  Okay.  As Dr. Powers mentioned, we were asked to
     come and talk a little bit about the current version of the plan, which
     is SECY 98-244, and I am going to speak very briefly about that but most
     of the presentation will be spent on what we are going to do to come up
     with the next version of the plan.
         DR. POWERS:  Steve, let me just interrupt and say that as a
     matter of background that when the ACRS examined the Research Program
     and plans for the future that it certainly felt that human performance
     was going to emerge as a major issue in the future for the NRC, and that
     is why this attacks -- attracts so much interest.
         DR. SHACK:  A Freudian slip.
         MR. ARNDT:  As some of you know me from my former life, a
     little bit of explanation of why I am standing up here, as opposed to
     other people who have been up here before, as you know --
         DR. POWERS:  Shell shock?
         MR. ARNDT:  Well, that may be the reason.  The official
     reason, however, as you know, my permanent position is in the training
     program.  I have been in Washington these past 8 months managing the
     Control and Instrumentation in Human Factors Branch for Research, who is
     the guardian of the plan.  That branch will go away in the new
     organization and the plan responsibilities will move to a new
         As part of the development of course the members of the
     Human Factors Group in that branch have been instrumental especially and
     including Dr. Persensky, who is in the audience, I think, and can help
     me out if I get above my head on some of these issues.
         Today we are going to talk a little bit about the plan and
     briefly the background, major comments and concerns that you had in the
     briefing and the notes that you sent us in the summer of last year, what
     is in the current version of the plan, and the activities we are
     currently engaged in to come up with a new version of the plan that
     addresses some of the comments and weaknesses of the current plan and
     where we are and where we are going to go.
         Short background for those people who are not familiar. 
     There's been numerous versions of the Human Performance Plan dating back
     to right after the TMI accident.  The current version started in a 1995
     document that was designed to integrate the various activities and
     coordinate between them, particularly since the activities in NRR and
     Research were perceived to be divergent at that time.
         We have had three or four versions since that time, all of
     which have had significant concerns and comments by the ACRS.
         The latest version, as I mentioned, was reviewed by the ACRS
     and commented on both by letter to the Commission and in general
     comments in the Research Review Report.
         We made some changes to that document, although not nearly
     as many as would have liked, and in that document we acknowledged the
     comments and concerns of the ACRS and that was issued as SECY 98-244.
         The last formal comments received from the ACRS were, as I
     mentioned, in July of '98.  There was a general agreement with the
     mission statement.  The mission statement was of course fairly apple
     pie, motherhood.  To refresh your memory, the mission as stated in the
     plan was, "The mission of the Human Performance Program is to ensure
     effective risk-informed and performance-based regulation and oversight
     of human performance in the design, operation and maintenance and
     decommissioning of nuclear reactor sites and other NRC-regulated
     facilities by identifying human performance issues important to public
     health and safety, increasing understanding of the causes of safety
     implications of degraded human performance and implementing the
     appropriate regulatory response to human performance issues."
         That is to say understand what is important was the first
     goal, try and increase your knowledge so you can do something about it
     and when you do know something about then, if appropriate, regulate it. 
     Again -- the Committee had very few comments on that, other than the
     fact that they did not believe the plan presented a strong, systematic
     approach to meeting those objectives.
         DR. POWERS:  Well, I think that my perception is that when I
     read that mission statement I say pretty good written mission statement. 
     I hope like crazy we're doing that, okay?
         MR. ARNDT:  Yes.
         DR. POWERS:  The next step that you need is, okay, here are
     the things that we are doing -- are there things that we are not doing
     or things that we need to do better at?
         MR. ARNDT:  Right.
         DR. POWERS:  And I think that is the step that is missing in
     there, because it is the motivation of -- the next step, which you're
     right, is the systematic approach.
         MR. ARNDT:  Right, and it is -- we understand that the
     ability to articulate why the projects we're currently doing are meeting
     those objectives or attempting to meet those objectives is something
     that is not concisely put in the plan.
         The ACRS also identified a need to more quantitatively look
     at activity identification, activity prioritization, and closure
     criteria.  That was also a general comment of many of the research
     programs in the Research Report, so we are going to be trying to do
         DR. POWERS:  But I wouldn't overplay the quantitative aspect
     of that.  I mean where you can do quantitative it's great but it is much
     more useful to have a logical tie --
         MR. ARNDT:  Right.
         DR. POWERS:  -- than just having a bunch of numbers and
     saying, okay, I weight these rankings and add them together.  It doesn't
     get that logical tie for you, and I would rather have the logical tie. 
     I think what the Committee is looking for is that logical tie rather
     than just the numbers.
         MR. ARNDT:  Right, okay.  As we stated in the SECY, the
     current version, because there's some areas in it that are simply where
     we want them to be is a work-in-progress.  We went through several
     paragraphs acknowledging the concerns both of the ACRS and others and
     made some discussion of what we were going to try and do to correct
     those and we are going to go through that in some detail today.
         The commitments were to identify a more quantitative
     identification and prioritization process.  When we say more
     quantitative, we mean just what you suggested, Dr. Powers, that where
     numbers and methods and data are available to say is this really
     important in a quantitative way, we should use them where they are
     appropriate.  There are some things that they simply are not appropriate
     for because there is no reasonable expectation that we would have
     numbers, and the example for that would be emerging technology, things
     that the plants haven't done in the past so we don't have historical
     data.  We wouldn't expect to have it.
         DR. POWERS:  One of the tactics that is being employed in
     the program may be worth thinking about, and that thinking could say,
     no, I have to discard it because it's more of a phenomenological issue
     and it may not be so applicable to things that have a strong
     sociological component to them is these phenomena identification and
     ranking tables where you try to identify what are the important
     things -- what are the things, which ones of them are important, which
     ones do I know something about and maybe even enough about, and which
     ones am I grossly ignorant on, where you rely largely on expert
     judgment, but elicited expert judgment that is scrutable.
         I can go say now why did these experts say this was
     important and this other one was not so important and I can go and say,
     oh -- well, they said it because of this.  I don't have to say, well,
     these guys are authorities in the field so surely they must know -- kind
     of set it down -- and so that I walk away saying, ah, now I know why one
     is high and one is low.
         I just toss it out as an approach that looks like it is
     going to be very helpful in one area.  Maybe it is of use to this that
     you are trying to do here.
         MR. ARNDT:  We'll investigate it.  I know we have people in
     our current division that have used that methodology extensively in the
     thermal hydraulics area --
         DR. POWERS:  It came from thermal hydraulics and they have
     their own peculiar science that may not directly translate so there is
     no reason to think that it is a one-to-one translation but maybe it's
         MR. ARNDT:  Well, I probably would have chosen specific as
     opposed to peculiar but --
         DR. POWERS:  Well, you don't have to deal with them as often
     as I do.
         DR. APOSTOLAKIS:  I think in that context that is why the
     Committee in the past has recommended the use of a high level model,
     because before you ask these questions you have to have some sort of a
     model about human performance to help you answer these questions, which
     in thermal hydraulics of course perhaps they don't need because it is
     more of a natural science and they understand what needs to be done.
         DR. POWERS:  The model is very implicit in the thinking.
         DR. APOSTOLAKIS:  Yes.
         DR. POWERS:  They are all trained in Navier-Stokes and
     things like that.
         DR. APOSTOLAKIS:  Exactly -- so in that sense that would be
     helpful.  Now this is the result -- the future plan of course will be
     the result of many people's inputs.
         MR. ARNDT:  Yes.
         DR. APOSTOLAKIS:  And again in the context of this
     discussion I was wondering whether all these people have the same mental
     model of human performance and whether that would be necessary -- in
     other words, first to explain to them a few things that maybe error
     theorists may have developed and then ask them to go through the
     exercise, or maybe that would not be appropriate because you want each
     person to have his or her own model of the plant.
         MR. ARNDT:  I think in the identification of potential
     activities where do we need improvement, where do we need to ensure that
     the plants don't get worse?  Then you need a general understanding of
     how you are defining human performance and human error rate and things
     like that.
         In the prioritization scheme I am not quite so sure that you
     need a comprehensive model that everyone agrees on, because everyone is
     going to have a slightly different perspective on what will likely come
     out of a project and I think that different perspective is useful.
         DR. APOSTOLAKIS:  That's why we go with the high level
     model.  For example, unless you think about it or read the literature,
     you will not immediately think of organizational structures as affecting
     human performance, okay, unless somebody tells you that or you see the
     data.  In that sense, I am talking about the high level without getting
     into the details of what really affects human performance -- the
     performance-shaping factors, for example.
         MR. ARNDT:  I think everyone in the community understands
     that management, organizational factors and other general areas are
         DR. APOSTOLAKIS:  Steve, is there any evidence that we have
     a problem with human performance?
         MR. ARNDT:  Well, it depends on what you consider evidence. 
     If you look at the literature both in the kinds of events that continue
     to reoccur as well as the relative importance of human action in safety,
     there is significant published information that leads one to believe
     that there is, continues to be significant issues.
         One example is that even this many years after TMI we
     still -- there have been several instances where operators have turned
     off high pressure injection during an event.  One would presume through
     the enormous amount of training procedures and everything else that that
     would not occur, but for various reasons that has.
         Other examples are at some of the PRA sensitivity studies
     that have been done looking at human performance several years ago
     NUREG-3385 looked at in essence the risk achievement worths of various
     human actions and compared them to the risk achievement worths of
     important safety features like HPSI and things like that, and they
     compared quite favorably, quite importantly to them.
         There was the B&L work that was done on risk sensitivity and
     although there's some issues as to whether or not that was done in the
     best way, the numbers turned out to be very, very significant
         One of the things we are going to be doing as part of this
     effort, and I will get to it in a second, is looking at the high
     significant events in the last five years, the things that come out high
     on the ASP reports, and looking at the risk contribution of human
     actions in those events.
         DR. MILLER:  Steve, on the human performance, there are some
     that aren't quite as visible but obviously have as much impact in the
     areas of maintenance and surveillance and those types of issues where
     training maybe is less prescribed.  You know, we have been training
     operators in a pretty well prescribed approach for many years but is
     that also an issue that needs to be addressed?
         MR. ARNDT:  It is an issue of some debate right now.  Most
     of those go to what is referred to as pre-initiator event frequencies,
     things that either cause initiating events or cause mitigating actions
     not to be able to occur.  There's some discussion about whether or not
     that is a significant problem because you capture most of that data in
     your availability frequencies because you measure the availability and
     the availability due to testing or maintenance or someone having messed
     up something is all lumped into one number, but it is certainly an
         It is certainly something that needs to be continued to be
     looked at until we determine that it is not going to be a significant
         DR. MILLER:  Now industry has, of course, equal concerns. 
     For example, I put it in my file to review in addition to what we have
     here INPO's Excellence in Human Performance, which I assume maybe has
     had some impact or maybe it has not, but that has been out for two years
         Of course they deal with far beyond operators -- everybody.
         MR. ARNDT:  They look at everybody.
         DR. MILLER:  Although they try to engender a culture, so to
     speak, of high performance throughout the plant from management on down.
         MR. ARNDT:  We, as part of the human performance activities
     in the agency, monitor what INPO is doing, what EPRI is doing.  As a
     matter of fact, we had a meeting with EPRI last week to look at some
     potential joint efforts in areas like deregulation and things like that,
     so we are involved in looking at that.
         Let me go forward, and some of this may become more obvious.
     As I mentioned, we are doing coordination with the industry and with
     advisory groups like yourselves, and we owe the Commission a progress
     report on the development of the new plan in April of this year.
         This is just a reiteration of exactly what we're going to be
     -- what we're currently working on.  We're currently pursuing activities
     in making the identification of activities for human performance work
     more risk-informed, and when I say risk-informed, I mean it that way. 
     It's not going to be risk-based, but it will be risk-informed, the
     prioritization of activities, the development of the methodology for
     closure criteria.  And I'll talk a little bit about where we are in
     that.  We're not as far along in that as we are in some of the others. 
     And then once this has all been done, an actual revision of the plan.
         DR. POWERS:  I am very excited about this idea of looking at
     past events and even just looking at in general PRAs to get some idea of
     how important/unimportant human activities have been.  Of course there
     are other issues, there are other areas that may be even more important
     that are a little harder to get a handle on.  But you can still risk-
     inform those, because in maintenance you can go look and say how
     important was a piece of equipment.  And I'm perfectly willing to
     believe then that the maintenance must be very important on that too.
         MR. ARNDT:  Right.
         DR. POWERS:  Which is a human thing, that I think almost
     deserves separate bullets here to make it clear what you're trying --
     the kinds of things you're trying to do to get this quantitative risk
     information into the process.
         I think that's exciting.  I mean, I really get excited about
     that, because that gives me an understanding of where to rank this
     relative -- the question has always been is it better to put your money
     into human performance or to refine the thermal hydraulics code to the
     next generation.  And now with risk you've got a metric that allows you
     to make that kind of tradeoff in some sort of a rational fashion where
     at least it's an input into making that kind of tradeoff.  There may be
     other reasons that you want to continue to hone thermal hydraulics
         MR. ARNDT:  Well, and there may be other reasons why you
     want to hone your knowledge of human performance as well.
         DR. POWERS:  Sure, absolutely.  Anytime you're planning
     activities, if there was a nice quantitative way to do it that gave an
     incontrovertible answer, every manager and CEO in the country would be
     out of business, right?  But we haven't found that way, but we can
     improve our knowledge.
         MR. ARNDT:  Yes.
         DR. POWERS:  It's a true example of multiutility --
     multiattribute utility theory here.
         MR. ARNDT:  Some of the things we're doing --
         DR. APOSTOLAKIS:  Multiple stakeholders.
         DR. POWERS:  Multiple stakeholders -- not involving the
         MR. ARNDT:  Some of the things we're doing in quantitative
     identification, and again, when you read "quantitative," you should read
     "more quantitative."  It's not going to be completely quantitative. 
     We're reviewing the ASP data, as I mentioned before, we're going back
     five years and looking at events with conditional core damage frequency
     above 10 to the minus 5.  That gives us between 50 and 60 events to look
         DR. POWERS:  You get access now into shutdown events as well
     in this.
         MR. ARNDT:  Some.
         DR. POWERS:  Yes, I mean, it's a cruder, but still --
         MR. ARNDT:  Much cruder, but we're starting to see those.
         DR. POWERS:  Crude counts.
         MR. ARNDT:  If crude's as good as we got, we'll use it.
         DR. POWERS:  Yes.  I mean, it's better than guessing.  Yes.
         MR. ARNDT:  We're going to go through and basically look at
     all of those events and then bin them basically into whether or not they
     had a significant human performance issue, either positive or negative. 
     In the actual paper, if you look at 98-244, in Appendix C, we started to
     do that as a justification for the events in the 10 to the minus 4
         The two things we're going to do differently now is, one,
     we're going to look at a lot more events, and we're going to do it in a
     much more systematic way.  We're going to bin them into events that had
     significant human factors and those that didn't and look at those
     ratios.  We're going to look at how much the human actually contributed
     to the events.
         The other thing is we're going to try and make a forward
     leading function.  It's not going to be we've decided our plan and this
     is how we're justifying, it's going to be this is why things are
     important, therefore we're going to look at doing things in this area.
         DR. POWERS:  This is really exciting, and I encourage you
     that once you get some insights or get the feeling that you've got
     something here useful to talk about, even if it's fairly preliminary, it
     would be fun to have you come down and tell us about it just to improve
     our own perspective in the future.
         I get the feeling that at least one member of the Committee
     has this feeling that there are people with expertise in human
     performance that have in the back of their mind a lot of things that he
     does not have in the back of his mind, and you need to educate at least
     one Member here, and this might be an effective tool to get his wheels
         MR. ARNDT:  We hope to gain some insights as well as some
     numerical indication of what are the most important things.  We're also
     going to go through and review a great deal of IPE data.  We've looked
     at the lessons -- the insights document, and as you know, there's some
     specific insights as to what are the most important human-error-type
     issues for PWRs and BWRs.  There's a wealth of knowledge there, and we
     hope to gain some -- a detailed review of that will give us some
     additional information.
         We're also looking at various other reports, some of the
     sensitivity studies, and I mentioned earlier are going to be reviewed,
     as well as some of the detailed work in specific areas.  For example,
     the AEOD systems studies.  In several of those they looked at particular
     contributors to those unavailabilities, and in some of them they looked
     at human errors and things like that.
         DR. SEALE:  Steve?
         MR. ARNDT:  Yes, sir.
         DR. SEALE:  Earlier you mentioned the INPO excellence in
     human performance activities and so forth, and I recognize that there's
     always been a desire to maintain a arm's-length arrangement between the
     NRC and INPO.  And this strikes me as an example of where the blind
     following of a doctrinaire approach can only work to your disadvantage. 
     You're not talking about sanctioning numbers that might be used in a
     data base to do statistical analyses and so forth, you're trying to gain
     insights.  And those insights may very well be embedded in some of those
     INPO activities.
         I would urge you at this stage to share with the people at
     INPO what you're going to be doing here to mine for these insights and
     ask them whether or not they have things that might contribute to this
     or if indeed they already have gained some insights from their programs
     that might help you.  You know, that's not really sharing hard data or
     anything like that.  You're just looking for insights.   And I would
     think that would be a good example of where a closer interaction would
     be both effective and very helpful.
         MR. KING:  This is Tom King from the staff.  Let me follow
     up on that.  We had a senior management meeting with INPO senior
     management probably a month or month-and-a-half ago.  This is one of the
     areas that we've agreed would benefit from some cooperation.  So we're
     working on exactly what that cooperation will be.  But it's precisely
     along the lines of the things you mentioned and seeing what they've been
     doing, what we're doing, maybe get into issues like deregulation, what
     does that mean for human performance and so forth.  So we're trying to
     lay something out to do that.
         DR. SEALE:  And they can help you get access to any
     international data that they might have through WANO.
         MR. KING:  Um-hum.
         DR. SEALE:  Which otherwise you don't really have -- you
     know, still, that's very useful, because --
         DR. POWERS:  I think it's so useful that we ought to comment
     specifically on it in any letter we write about this, because I think
     the Commission needs to understand that this is a good idea.
         DR. SEALE:  Okay.
         DR. MILLER:  I had a question on that, Tom, since you
     mentioned a meeting.  INPO, at least their human-performance plan was
     dated '97, so they've had a year-and-a-half experience with it, is there
     any feedback yet on the impact of this program or not?  Had they related
     any of that during this meeting?
         MR. KING:  No.  No, we didn't get into any details other
     than agreement in principle to cooperate in this area.
         DR. MILLER:  Okay.
         DR. APOSTOLAKIS:  In the sources of information, why don't
     you include the literature?  I mean, maybe not quantitative, but
     shouldn't somewhere there take advantage of what people have done,
     thought about, and maybe use the experience in other industries to write
     their papers and books?
         MR. ARNDT:  We are looking at both books, papers,
     literature, and all areas -- I'm sorry that this slide does not convey
     that -- both in the area of other sources of information what we're
     going to be looking at is not only reports and bases but models and
     where people are going and what they're thinking about.
         If we get down to the bottom bullet, continue to use
     traditional identification methodology, that basically means what --
     there are some areas that we get information on what could be problems
     in human performance from a number of different methodologies including
     what is going on in the literature in other areas like the FAA and the
     civilian and military aviation, the transportation industries and things
     like that.
         DR. APOSTOLAKIS:  Now one other thought occurred to me.  I
     just glanced at the INPO booklet, and there is a lot there that one
     would call safety culture, have a questioning attitude when you're about
     to do something, and this and that.  So somebody at INPO thought that
     that was important.  Would your four bullets here identify things like
     that as being important?
         MR. ARNDT:  Several of the documents we're specifically
     looking at, such as the IAEA recent documents on human performance,
     specifically call out safety culture and management and organization as
     issues that need to be addressed.
         DR. APOSTOLAKIS:  So it's really the literature that will
     tell you that.  Now maybe the INPO guys have seen it in the field --
         MR. ARNDT:  Sure.
         DR. APOSTOLAKIS:  But you need to have a questioning
     attitude.  But I don't think that data will really -- unless you really
     look carefully and you go back and find out that people did not have a
     questioning attitude.  So that's why I think reading the literature is
     very, very important.
         MR. ARNDT:  It's extremely important, and as a matter of
     fact --
         DR. APOSTOLAKIS:  Now on the second point, though, hasn't
     the Commission declared that we should not worry about these things?
         MR. ARNDT:  The Commission has indeed in a staff
     requirements memorandum last summer told the staff not to work in the
     area of management organization and spend no resources on it.
         DR. APOSTOLAKIS:  So how are you going to handle that here?
         MR. ARNDT:  Well --
         DR. APOSTOLAKIS:  It's a boundary condition for you?
         MR. ARNDT:  It is the duty of the staff to bring to the
     attention of the Commission the important priorities for doing work, and
     if they choose not to do it, that's fine.
         DR. APOSTOLAKIS:  Okay.  So at this point you don't feel
         MR. ARNDT:  Not in the identification of potential work. 
     Actually doing it, yes.
         DR. APOSTOLAKIS:  Okay.  Now also we heard yesterday from
     the team that's developing IAP, the inspection program, that safety
     culture will not be of concern to them, because they believe that if
     there is a bad safety culture, there will be evidence of it in incidents
     and so on, so they will catch it there.  Is that -- I think that's what
     they claim.
         Is that something that you believe also, or -- now again the
     safety culture they referred to was the attitudes and leadership and
     that kind of thing.  So they said well, we really don't want to worry
     about the attitudes of the people there, but if their attitude is wrong,
     they will do something wrong, and our performance indicators or our
     inspections will catch that.  So we don't worry about it.
         And they also made a distinction between the organizational
     structure and the safety culture, which makes me now wonder whether the
     Commission is making that distinction where they say don't work on these
         DR. SEALE:  I think that's just another reason to want to
     have an opportunity to look very closely at what INPO is doing, because
     the people at INPO seem to be able to come closer or to get into this
     question of safety culture without raising hackles, if you will, about
     whether or not you're monkeying around with the way people manage their
         MR. BARTON:  But they look at some indicators that are
     related to --
         DR. SEALE:  That's right.
         MR. BARTON:  Safety culture.
         DR. SEALE:  And so with that kind of information, I think
     Steve and his people will be in a much better position to make the case
     for a firmer definition of those things in the management or safety-
     culture areas that they should be looking at and those things that they
     might second to INPO or however they're going handle it.
         DR. APOSTOLAKIS:  I don't believe that we should start with
     the assumption that what INPO put down there is the result of their
     experience at the plants.  I would like to know what consultants they
     used.  I know they have a course on human error, and they use Jim Reason
         DR. SEALE:  Yes.
         DR. APOSTOLAKIS:  From England.  So I am curious now as to
     whether a lot of the stuff that's in the booklet is Jim's idea or comes
     from experience, because that would make a big difference in my
     thinking.  The assumption that everything INPO does is based on evidence
     I don't think is quite right.
         MR. ARNDT:  Right.  And part of the process of reviewing the
     various inputs is looking at the validity of the assumptions and trying
     to assess in some kind of qualitative or quantitative way how that will
     affect human performance in the United States plants.
         As some of you might have noted, there was an article in
     "Inside NRC" this week talking about some of the Canadian work.  They're
     now saying that organizational structure and safety-conscious work
     environment is extremely important, and that actually is a derivation of
     some of the work that we did in that area a couple of years ago.  So --
         DR. APOSTOLAKIS:  Which we just injected yesterday in the
         MR. ARNDT:  Yes.
         DR. MILLER:  I would think the Canadians would learn that
     the hard way.
         MR. ARNDT:  Yes.
         DR. MILLER:  Why the Canadian plants are shut down,
     primarily the bottom line is they just weren't doing things right. 
     Probably human performance is the major issue.
         DR. POWERS:  Where does -- I know the slide is titled
     "Quantitative Identification."  There seems to be a needs identification
     where you talk to some of the line organizations.  I certainly hear
     inspectors, people from the inspection program saying well, we're going
     to look and see how humans perform their activities.  And I'm wondering
     where?  Where do those people get their oar in the water in saying when
     I think about what I do, I would like to have something better than what
     I have now?  At what point in this stage do you get that kind of input,
     or does that come to you just as a matter of routine?
         MR. ARNDT:  That comes to use to some extent as a matter of
     routine from user needs and discussions with the program office, NRR. 
     What they need to do their jobs, be it better inspection procedure, more
     definitive requirements for looking at things, comes to us as part of
     the traditional methodologies that are used to identify potential
     activities.  The formal methodology is the user need, although we do a
     lot of informal discussions with our colleagues.
         DR. POWERS:  I would encourage you to mine that informal
     discussion, because we certainly find evidence of two things, that user
     needs tend to be shorter-term than what you're really looking for here,
     I think.
         MR. ARNDT:  Right.
         DR. POWERS:  And that there's a tendency to say well, I've
     got all those human-factor guys just as busy as I can.  I know I've got
     a need here.  I'm going to put it in my drawer and not tell them about
     it --
         MR. ARNDT:  Yes.
         DR. POWERS:  And just because I know they can't do anything
     about it anyway.  You need to mine those less formal contacts.
         DR. SEALE:  You have to be even a little evangelical.
         DR. POWERS:  Yes, I think you need to preach a bit.
         DR. SEALE:  Because in the recent months we've run into
     several cases where in the implementation of risk-informed regulatory
     alternatives, if that's a good way to say it, the need for an inspection
     change or supplementing of the inspection training program has been
     identified, and in fact we've been told that these inspection -- I've
     forgotten what the terminology is now -- anyway, the things that are
     used to convey these messages have been prepared.
         I realize you have a lot of other things to do, but it seems
     to me that that's a place where you need to ask is there a human
     performance piece of that inspection process, that instruction, that
     might be worth highlighting in those kinds of instructions.  So you
     ought to kind of have an idea of what's going on there that you're not
     necessarily in the mainstream for.
         MR. ARNDT:  I'll talk very briefly about where we are going
     in the prioritization process scheme.  As you know, Research is the
     coordinator for the human performance plan.  As you also probably know,
     Research is in the process right now of doing a self-assessment and
     developing an office-wide prioritization methodology.
         We have taken the easy way out, if you will, since all the
     research and what used to be AEOD activities will have to be folded in
     the research prioritization process anyway, we are working along the
     assumption that we will be able to use the research prioritization
     method for the human performance plan action items, once identified.
         That is still under development, it is based on a survey of
     approaches used by other agencies.  The team involved with that, led by
     John Craig, has gone out and looked at various methodologies that have
     been successful in prioritizing research in other areas and in other
     agencies, and they are planning on briefing you on that because you have
     had concerns on the office-wide prioritization.
         DR. POWERS:  One of the concerns, especially in this area,
     is that budgetary constraints that are real, and they have to be dealt
     with by the management of this program, can be used to have the effect
     of making one think that less is needed in an area than may actually be
     optimal.  And I think that is a step you have got to guard against in
     presenting it to decision-makers is, say, hither -- there is amount you
     can do for the number of dollars you have got, and you are going to make
     an effective prioritization on that.
         I mean you may not do the most important activity you can
     because it costs more money than the whole agency has got.  But I think
     you have got to communicate at some point that there are real needs, and
     the magnitude of those needs, so that the decision-maker is in the
     position he can say -- do I put my money into more inspection or do I do
     research so that in the future I do more effective inspection?  I mean
     you have to get that -- you don't want the prioritization to hide what
     the needs are just because the dollars aren't there today.
         MR. ARNDT:  Yes.  And I think that is one of the reasons
     that an active activity of identifying and quantifying the program needs
     before you go to the budget process and prioritization process is
         DR. POWERS:  Yes.
         MR. KING:  Yeah, maybe -- one of the ground rules, Dana,
     that we are doing on the self-assessment is to start with a clean sheet
     of paper.  Don't just prioritize what we are doing today, but what
     should we be doing to meet the goals of the office, which are supposedly
     to be meet the goals of the agency?
         DR. POWERS:  Music to our ears, because that is exactly --
         MR. KING:  Yes.  And then maybe we will find out there are
     some things we ought to be doing, we are not.  And maybe there are some
     things we are doing we could drop off the list, but that is the ground
     rule we started out with.
         DR. POWERS:  Yes.  I think you have got to -- I mean the
     problem, Tom, as you well know, is that budget constraints become such a
     barrier in front of your thinking that they drive your thinking.  I mean
     it is just -- you just can't get around them because they are there with
     you every day.  I mean they are grinding on you.  And at some points we
     have to think about what we would really like to be, you know, now. 
     Then there is a separate question -- how do we afford it, how do we get
     there from here?  But without that goal, you will never get there, that
     is the problem.
         MR. ARNDT:  The second bullet on this slide, basically, just
     is to inform you what we are currently doing, since this is not yet
     complete.  What we are basically doing is we are working the activities
     that were identified in the current version of the plan, budgeted, put
     into our operating plan with deadlines.  And we are also working both
     formal and informal user needs to understand what is necessary, what is
     going on, and, basically, the closure criteria -- the de facto closure
     criteria we are working on now is to fulfill the needs that have been
         Our budget, by the way, which is really quite small, even by
     today's standards, is -- the majority of that work is based on user
     needs from the protocols.
         DR. POWERS:  And I -- it is my impression, in reading your -
     - this current version, this interim version of the plan, that that has
     gotten sufficient of a WASH scrutiny examination that any further WASH
     scrutiny examination is going to have such diminishing returns, it is
     just pointless.  I think that -- that is the overwhelming impression I
     got, that you bounced it off everybody that is anybody, gotten their
     best shot at an opinion, and put it together and you came up with some
     numbers, but things feel under the category of -- I need it today, and
     so it is high priority; I don't need it till tomorrow, so it is low
     priority -- it looked to me.
         MR. ARNDT:  There certainly was an element of that.
         DR. SEALE:  It bled as far as you can bleed.
         MR. ARNDT:  Yes.  Thank you.  The definition of fixed
     closure criteria is a very prickly issue.  One of the things that is
     really necessary is to have that closure criteria linked back to the
     more quantitative identification.  That is to say, you identified this
     for a particular reason.  It was a problem or it could potentially
     become a problem, or if something wasn't done, it was going to be a
     problem, and the closure criteria should be linked back to why that was
     identified and are you going to get there.  Are we never going to get
     there?  If we are never going to get there, we shouldn't be doing it. 
     And are we already there?  If we are already there, we should stop doing
         What we are looking at doing is, as far as it is possible in
     a quantitative way, for those activities that can be quantified, linking
     them either to the reg. analysis guideline or to limits established in
     Reg. Guide 1.174.
         DR. APOSTOLAKIS:  I must say that I am not sure this is
     going to work.
         MR. ARNDT:  Well, --
         DR. APOSTOLAKIS:  Not because of you.  These are issues
     where, you know, it seems to me at the end, if the experts agree that
     this is as much as we can know, that's it.  Now, to look for
     quantitative measures of that, or link it to Regulatory Guides, I don't
     know whether that is a useful exercise.  I have never seen it done.
         I mean -- and I will give you an example.  When the Human
     Reliability Handbook by Swain and Guttman came out, all sorts of people
     attacked it and this and that, it is no good, how dare you, and all
     that.  Fifteen, 16 years later, that is what we are using.  People are
     saying, well, that is the best we can do.
         Now, you know, there was no quantitative information in the
     intervening years that convinced us that this is as much as we can know. 
     People just used it and they reviewed it, they criticized it, and they
     said, well, gee, you know, he is giving me two, three orders of
     magnitude uncertainty -- what am I going to do?  He says the best
     estimate is 10 to the minus 3.  Can I make it 10 to the minus 1 or 2? 
     No, because then the evidence would have been there.  So, in that sense,
     they are using the evidence, of course.
         But, so, I don't know, I mean whether we can have closure
     criteria that will say, you know, some formula or something.  If people
     that are expert in the field, in the international community and so on,
     and you present it at meetings and have peer reviewers, and they say,
     well, yeah, that's as much as you can know at this point, then I think
     it is fine.  I think the concern right now in some quarters, in many
     quarters, is that a lot of the things perhaps that are important, we are
     not even looking at.  You know, that kind of thing.
         MR. ARNDT:  Yes.  Well, and there are many things that will
     not be able to do this.  And the obvious reason is that -- one of the
     reasons we are so concerned with human performance is we don't know
     enough about it to quantify it, and we have large uncertainty. 
     Therefore, it is very hard to know whether or not we should be doing it
     because the models aren't very good.
         DR. APOSTOLAKIS:  True.
         MR. ARNDT:  But at the same time, we want to, where it is
     possible, and there have been reg. analysis done on human actions.  An
     example is NUREG-5458, which was the value impact statement on looking
     at improving the normal and abnormal procedures.  There was a
     discussion, should we go back and fix the normal, abnormal procedures
     like we fixed the emergency procedures?  And they did that study and
     they came up with a number, and they said that we probably could not
     justify it.  So that kind of thing can be done.
         And where it can be done, I think it is useful so that you
     can say we shouldn't do this anymore.  We are never going to be able to
     implement it.  It is never going to pass the backfit rule.  We need to
     understand it, but we are probably never going to actually do it.
         DR. POWERS:  And I think this is wonderful where you can do
     it, you know.  And I think I understand that there can be a lot of
     things that you are just going to say, today, where I know zip, I can't
     come up with a closure requirement because I haven't got -- all I know,
     all I have is an indication that this might be important.  And your
     closure criteria will themselves evolve.  And I think that is a point
     you need to make on this slide.
         MR. ARNDT:  Exactly.
         DR. POWERS:  That this is the objective, is to get at more
     quantitative linkage to what the mission needs of the agency are.  And
     it may not be able to do it on everything, but I will continue to look
     for opportunities, as I get smarter here, for doing it.  And, clearly,
     you have got the commitment.  You understand what you want to happen
     here, and I think that is -- anybody that asks you for more is just
     being unreasonable, I think.  For a lot of things, it is --
         MR. ARNDT:  Well, I would never accuse the ACRS of being
         DR. POWERS:  We are but studiedly.
         DR. APOSTOLAKIS:  You will just state it as a fact.
         DR. POWERS:  And probably get very few arguments.
         MR. ARNDT:  A little while ago, in preparation for this
     meeting, you sent us some additional comments, and I think we have --
     the whole purpose of this discussion is to try and ensure you that we
     will be indeed doing the things that these comments imply.
         Who is going to be doing the next revision?  That is going
     to be under the auspices of the new branch in Research, which is the
     Regulatory Effectiveness and Human Factors Branch, and the new Branch
     Chief will be Jack Rosenthal.
         Will this revision follow some disciplined effort of the
     engineering program?  As we have discussed, we are going to try and put
     some very specific engineering steps into it and try to tie the mission
     to mission needs which are specifically identified.
         Will future revisions identify mission needs?  I think I
     just talked to that.
         Will the program be developed to meet these needs and the
     quantitative requirements?  I think we are going to try to do that to
     the best of our ability, and try and tie some kinds of closure criteria
     that is at least systematic and, hopefully, quantifiable.  And we are
     going to try and keep it as scrutable as possible and make the actual
     judgments very definable and articulate those judgments in the plan when
     we write it.
         DR. POWERS:  Understand that it is my view on things, and I
     think many on the Committee is, that it is not that we don't trust
     expert judgment, especially in a field like this where there is
     expertise, it is that we are just -- you need to have that so you can
     see it.  A lot of things you are going to have to use expert judgment. 
     That's why you get the big bucks, to make judgments and whatnot, and
     nobody can fault that.  But the rationale then becomes very crucial. 
     And so don't -- don't be afraid of using expert judgment, just make it
     so that it is scrutable.
         NRC has developed some very nice techniques for making
     expert judgments scrutable.  Sometimes they are a little heavy, but --
         MR. ARNDT:  Yes.  The process in which we are going to go
     through this, we have talked through this.  We are analyzing the ASP
     events, trying to understand that.  We are looking at lots of other
     different human actions.  We are review the critical operator actions
     from various reports, CSNI, various literature.
         Those will feed into a prioritization effort that is ongoing
     for Research and will be used for the rest of the activities.  We owe a
     status report to the Commission in April '99.  That will most likely
     tell them in detail what I have told you today, as well as what we have
     accomplished to date and where we are on the various activities.  And
     then, once all that is completed, we will have a revised version of the
     human performance plan.
         And that is all I had.
         DR. POWERS:  I personally am stunned.  It's great.  I mean -
         DR. FONTANA:  When do we get to see this again?
         MR. ARNDT:  That is entirely up to you.  We would be happy
     to have your input anywhere along the process.
         MR. KING:  But I wouldn't -- I think it is going to be at
     least a couple of months before we get through the ASP data and can
     really come back with something with some substance to present to you.
         DR. FONTANA:  As far as the next cut on the plan.
         MR. ARNDT:  It really depends on what you want to see.  If
     you want to see the intermediate stages, some of the needs
     identification processes, the numbers and things like that, as Tom said,
     it will be ready in a couple of months.
         MR. KING:  It will probably be a couple of months till the
     Research prioritization scheme is all worked out and tried out and so
         DR. POWERS:  It seems that, just for educational purposes, I
     would like to see how you are doing on mining that ASP data and what
     kind of insights you are getting out of it, more from an educational
     standpoint than a review and comment standpoint, but, presumably,
     eventually, the final plan.  But I think it would help us in reviewing
     the final plan to have ahead of time some of the insights that you are
     getting out of the operational data whenever it is appropriate to do
         MR. ARNDT:  Would you like to see it as just a note to the
     Committee with the background, or would you like a Subcommittee or a --
         DR. POWERS:  I think you and the Subcommittee Chairman can
     chat about that as it --
         DR. SEALE:  Work that out.
         MR. ARNDT:  Okay.
         DR. POWERS:  I mean I don't want to presume what you have
     come out, it may come out that you find that, well, it was a good idea,
     but it just didn't work very well.  I mean that is a presumable outcome
     to it.
         MR. ARNDT:  Yeah, that is a possible outcome.
         DR. POWERS:  And it is self-information.
         DR. APOSTOLAKIS:  I have a much more detailed comment.
         MR. ARNDT:  Okay.
         DR. APOSTOLAKIS:  On the current version of the plan,
     September '98.  On page 9, it lists as an activity, under Goal 3,
     implementing the appropriate regulatory response to human performance
         MR. ARNDT:  Yes.
         DR. APOSTOLAKIS:  Develop risk communication guidelines for
     communicating risk-informed decisions to the public?
         MR. ARNDT:  Yes.
         DR. APOSTOLAKIS:  And risk analyses results to decision-
     makers.  Is that part of human performance as we understand it?  I mean
     that is an important subject, but I am not sure it belongs here.
         MR. KING:  That activity is currently funded out of the
     Human Factors budget in the branch that Steve is in.  Is it in the right
     branch?  That's another question.
         DR. APOSTOLAKIS:  Yeah, I don't think it is.
         DR. SEALE:  You have bled even harder than we thought you
     had been.
         MR. KING:  I mean there is a human aspect to it, you know,
     how you communicate to people --
         DR. APOSTOLAKIS:  Well, a human --
         MR. KING:  -- so that they get the key messages.  It is not
     just a risk issue.
         DR. APOSTOLAKIS:  To the public --
         MR. KING:  It is a communications issue, which is a Human
     Factors type issue.
         DR. APOSTOLAKIS:  It is to the public and to decision-
     makers, and that would not be the first, second or third thing that
     would come to my mind when somebody said we are working on human
     performance.  It is an important issue, so, as you say, the question is
     whether the right branch is supporting it.
         MR. KING:  Well, the work that has been done so far has been
     focused on the communications piece, not the risk piece of that work.
         DR. APOSTOLAKIS:  Among whom?  Between whom and whom?
         MR. KING:  Well, it has been -- the work that has been done
     so far has been done at the University of Wisconsin under Vicki Bier.
         DR. APOSTOLAKIS:  Yes.
         MR. KING:  And she has had some people involved, Dennis
     Bley, and some others involved.  And the idea was to come up with some
     guidelines that people that are trying to convey a message, particularly
     a message that involves risk arguments, could use to put together this
     communication.  So far -- I don't have those guidelines yet, it has
     taken longer and the first cut at that was somewhat of a disappointment,
     so we are still working on it.
         DR. APOSTOLAKIS:  Well, I mean there are many, many
     communications, right.  So that is why I was wondering, are they working
     on communicating risk results to the public, or to managers of
     emergencies, or what?
         MR. KING:  No, it is not managers of emergencies.  It is
     viewing people like the Commission, the public, the Congress.
         DR. APOSTOLAKIS:  I see, so it is --
         MR. KING:  That level.  Yes, it is not operations center
     type issues.
         DR. APOSTOLAKIS:  So it is not -- anyway, it just struck me
     as being something that I didn't expect to see in the list of activities
     under human performance.
         MR. KING:  Okay.
         DR. APOSTOLAKIS:  Without implying that it is not an
     important issue.
         MR. KING:  Okay.
         DR. POWERS:  Sufficiently important that when a non-
     disappointing output comes, it would be sure nice to hear about it.
         DR. SEALE:  Yes.  Other things?
         DR. APOSTOLAKIS:  Not on this subject, I don't.  Any member
     has any comments?
         DR. POWERS:  I will make a comment that I think that -- I
     guess I would need to ask, should we be writing a letter on this?
         DR. APOSTOLAKIS:  Well, that was my next question.
         DR. POWERS:  Okay.
         DR. APOSTOLAKIS:  We don't Steve up there.  Is there any
         DR. MILLER:  Well, maybe unless there's reason that they
     believe we should write a letter.
         DR. APOSTOLAKIS:  Oh, do you want a letter?
         MR. ARNDT:  We are not asking for a letter at this --
         DR. APOSTOLAKIS:  Judging from past experience.
         MR. ARNDT:  We are not asking for a letter at this point.
         DR. APOSTOLAKIS:  I mean do an ASP quickly.
         DR. POWERS:  Tom, my concern is that you have a briefing
     before the Commission, they are going to be familiar with less
     complimentary comments on previous versions of the plan.  I am wondering
     if -- I personally find some very exciting approaches here being
     adopted.  I am wondering if we just don't owe to them to indicate we
     think that there has been significant content put into some very
     otherwise nebulous ideas on how you plan a difficult area to plan.
     So that they're not being tarred by previous versions of our comments. 
     That's my concern.
         MR. KING:  Well, let me amend my statement.  I just had a
     whisper in my ear here.
         We didn't come down here today to ask for a letter, but it
     might be useful to have a letter to go on the record regarding your
     views on the approach we're taking and any other comments you have.  I
     think that certainly would help in proceeding with the plan, making sure
     we pick up all the points you think are important as well as when the
     Commission gets it, they'll see that it, you know, some discussion and
     some hopefully consensus has been reached on the approach that's been
     taken.  So maybe on second thought if you were willing to write a
     letter, it might be very useful.
         DR. SEALE:  As long as we --
         MR. KING:  As long as it's a good letter.
         DR. APOSTOLAKIS:  Thank you very much, Steven.
         I would like -- we have some time left.  I would like to go
     around the table and get suggestions for a possible letter.  So that
     will save us some time this afternoon.
         Who wants to start, Bob or Bill?
         DR. SEALE:  My main comment would be that you want to
     legitimatize, if that's the appropriate word, the idea that you're going
     to go out and look for data that are suggestions and so on that are
     helpful wherever they may be, including the discussions with INPO and so
     on that this is not the arm's-length kind of activity that you're
     required to do -- I don't think we have to say that, but you understand
     what I'm driving at.
         I guess the other thing is when they start interacting very
     intimately with people in the inspection area, we've seen in some of the
     recent things we've looked at like assessments and so on, where there
     are clearly individuals in the inspection area who can make very real
     contributions to the effectiveness of the delivery of ideas and concepts
     to the interaction between the NRC and the plant.  And so at some point
     down the road, it may be appropriate to try to develop a somewhat closer
     interaction with the inspection people.  And since they're coordinators
     for a Commission-wide activity in human factors, I guess I'm optimistic
     enough to say that if you do that, you're liable to get some good
     things, and that's always helpful when you have multiorganizational
     kinds of activities.  Those are my two main thoughts.
         DR. APOSTOLAKIS:  Thank you.
         Mario.  Mario F.
         DR. FONTANA:  The elder.
         DR. APOSTOLAKIS:  The elder.
         DR. FONTANA:  Well, I am real pleased with this.  I think
     the approach looks real promising, and the apparent discipline of the
     structure I think looks good.
         The other thing that I think is promising is that Steve,
     being a prior training person, would have a lot of experience in working
     with real people and their warts and what kind of performance they've
         DR. APOSTOLAKIS:  If he does it in the next month, I
     understand.  He's moving.
         DR. MILLER:  Part of the reorganization.
         DR. FONTANA:  Okay.  Work him for a month, anyway.  But the
     intent -- I think the plan looks good.  I don't have much more to say.
         DR. APOSTOLAKIS:  Don?
         DR. MILLER:  Well, I certainly concur with Bob and Mario
     both, and I think it would be valuable to follow up and, as I say, this
     plan's been in process for a couple of years almost, see if there's been
     any impact on --
         DR. APOSTOLAKIS:  The INPO.
         DR. MILLER:  The INPO, I'm sorry, the excellence in human
     performance which was issued in September '97, see if there's anything
     INPO can say about as far as the impact of this program.  But definitely
     work with INPO and others.
         DR. APOSTOLAKIS:  We always seem to like that.
         Dr. Powers.
         DR. POWERS:  Well, I think we should communicate to the
     Commission that first our intention in examining this was to examine the
     planning process and not the specifics of this year's program, which
     seems to be basically some very necessary things that just need to get
         And then I think we need to make it clear to the Commission
     that these gentlemen are trying their best to address issues that we
     have raised in the research report and in previous comments by
     introducing what I have called engineering discipline in this program
     and comment about some of the nice features about it.  But I think we
     also need to control expectations.
         Again, I think a lot of these nice engineering words sound
     good.  They probably work well if I'm inventing toasters.  They may
     require substantial adjustment and modification to apply in a research
     area that historically has defied the development of Navier-Stokes
     equations and the like.  So don't try to persuade the Commission these
     guys have a perfect approach that will definitively identify those two
     jobs that absolutely have to be done, that instead they will get out of
     an indication of areas and expert judgments will have to be drawn upon
     and that they have a pretty good strategy for drawing upon those expert
     -- putting together those expert judgments.
         So I get very enthusiastic, but you want to control
     expectations as well, because there are some of these things that just
     in the end you can't put a number on it, you have to say this looks
     important, I'm going to go look at it until I get the information I need
     or this looks important, but I just can't move myself to work in this
     area because it doesn't look like there's a payoff, and that's why these
     guys get salaries as opposed to just a man on the street making those
         DR. APOSTOLAKIS:  Mr. Barton.
         MR. BARTON:  I agree with Dana.  I don't want to get too
     enthused about this and say too much in fear of jinxing it, but the
     point that Bob Seale made I think is important.  I think from what I see
     that the utilities are doing with respect to trying to improve human
     performance utilizing the INPO model, that the inspection arm of the NRC
     could learn a lot at what's going on during their inspection activities
     to observe, you know, what's working and what's not working.
         DR. APOSTOLAKIS:  Is my understanding correct that most of
     what the utilities are doing is organizational?
         MR. BARTON:  A lot of it is --
         DR. APOSTOLAKIS:  Everything I read in the nuclear news
     about how plants got out of the watch list and so on always involves
     restructuring of processes and communication --
         MR. BARTON:  That's only a piece of it.
         DR. APOSTOLAKIS:  Awarding people with pizza parties when
     they do something right.
         MR. BARTON:  Well, you know, you could joke about parties or
     whatever, but I think, you know, there are lots of different elements
     that go into establishing, you know, human performance, and a lot of
     stuff that's real low level with reporting, things like having people
     believe that reporting a near miss that they're involved in can have an
     impact on improving human performance at the station.
         DR. SEALE:  The stuff you read about is the high-profile
     version of it.
         MR. BARTON:  Yes.
         DR. SEALE:  There are other things going on.
         DR. APOSTOLAKIS:  We should not urge the staff to have a
     research project on the impact of pizza.
         MR. BARTON:  No, I wouldn't do that.  No.
         DR. APOSTOLAKIS:  Okay.
         DR. MILLER:  Well, the key issue in the INPO plan is, I
     think as John just alluded to, is having people feel comfortable and
     also motivated to report not only near misses, things that are maybe
     less than near misses that could result in improved ability to do things
     or improvements.  Actually it's no more than just good management.
         DR. APOSTOLAKIS:  Yes, but on the other hand, I mean, I read
     that booklet.  If I wanted to be negative, I would say this is all
     motherhood and apple pie.
         DR. SEALE:  Well, what they're trying to say --
         DR. MILLER:  Yes.
         DR. APOSTOLAKIS:  And I don't know that this Agency can do
     that.  I mean, in other words, can we say as part of our research here
     that you should be careful how you run your plant and that you should be
     cautious and ask yourself am I going to do the right thing right now?  I
     don't understand that.  I don't know what that means.
         DR. SEALE:  Well, I think --
         DR. APOSTOLAKIS:  In terms of research of regulatory guides
     or rules.  It would be very nice to have a rule that says, you know, do
     the right thing.
         DR. MILLER:  Well, this is not meant to be a regulatory --
         DR. APOSTOLAKIS:  No, but, I mean, let's not get too
     enthused by advice that is more or less obvious.
         DR. SEALE:  Well, I think the thing is that they're
     demonstrating that blame and reprisal are not irrational.  You're not
     guilty because you were there.
         DR. APOSTOLAKIS:  But we have to understand that we are
     regulating, so there has to be something concrete here.
         DR. SEALE:  I agree.  I agree.
         DR. APOSTOLAKIS:  And I'm almost inclined to agree with the
     IAP guys when they say, you know, attitudes is not our business.  But,
     for example, when I hear that there are utilities that don't have
     formalized work processes, then I get concerned.  And then the answer to
     that is well, you know, Rickover didn't have them either.  Well, I
     guess.  I mean, if all the plant personnel were Rickovers, then I
     wouldn't mind it at all.
         MR. BARTON:  How about if they're Rickover-trained.
         DR. POWERS:  Unless you walked into the plant.
         DR. APOSTOLAKIS:  So I think we should focus on concrete
     things that we can do something about, okay?  Motherhood statements are
     good, too, and maybe they have their place, and I think that booklet is
     an appropriate place for them, because it gives some direction to the
         DR. SEALE:  I don't think --
         DR. POWERS:  I don't know that the regulators can get into
         DR. SEALE:  Yes, but I think we also have to verify whether
     or not they're just relying on motherhood statements.
         MR. BARTON:  I don't think they are.
         DR. POWERS:  I think the tie that Steve made in his
     presentation where they're trying to tie back to regulatory guides and
     things like that is a statement that simply sings, because it does say
     to me ah, they're looking for mission needs.
         DR. SEALE:  Yes.
         DR. POWERS:  And --
         DR. APOSTOLAKIS:  Okay.  Are you done, John?
         MR. BARTON:  Yes.
         DR. APOSTOLAKIS:  Mario the younger.
         Which is news to you, right?
         MR. BONACA:  My kids should hear that.  My kids should hear
         No, I think it's a good program, and I have no additional
     comments to the one provided by the Members.
         DR. APOSTOLAKIS:  Well, you were recently with a utility. 
     Do you think you can address Dr. Miller's question a little bit?  Have
     you seen any change as a result of INPO's booklet?  How much impact do
     you think this will have?
         MR. BONACA:  I think that the INPO involvement is much
     beyond what you see in the booklet.
         DR. APOSTOLAKIS:  And that I believe.  Yes.
         MR. BONACA:  When you read the booklet, it looks like
     motherhood.  I agree with you.  And I don't know how else they could
     format it to make it better.  But I think that there is a lot of focus
     on the utilities now even by INPO on specifics that will accomplish some
     of the motherhood.  That's why I don't feel it's as much motherhood as
     it appears on the surface.  Okay?  So, you know, the organizational
     issues are really the center of attention right now.
         DR. APOSTOLAKIS:  Well, I must say I took a slightly extreme
     position to make a point.  Let's not make a big deal out of the
         DR. MILLER:  But sometimes, George, the obvious is not
         MR. BONACA:  I agree.
         DR. APOSTOLAKIS:  The question is what can this Agency do,
     and I don't think it's our business to tell people that they should be
     careful when they do their job.
         MR. BONACA:  I agree.
         DR. APOSTOLAKIS:  Because it don't do -- they will tell you
     yes, we are careful.  They have met the regulations.
         DR. MILLER:  It's a lot better for INPO to do it than us.
         MR. BONACA:  One of the huge improvements I think in the
     recent past has been in the industry the tracking of errors.
         DR. APOSTOLAKIS:  That's good.
         MR. BONACA:  Okay?  Not only operators in the control room
     but equipment operators --
         DR. APOSTOLAKIS:  All errors.
         MR. BONACA:  All errors, engineering errors and so on and so
     on.  Which is really something totally new.
         Second, the attempt too categorize them to types of errors.
         DR. APOSTOLAKIS:  Yes.
         MR. BONACA:  Okay?  And, you know, that kind of issue in
     itself, just tracking some of these issues at the performance indicator
     level, okay, you know, just even numbering, the sheer number of errors,
     trying to categorize them in certain groups, okay?  That's an attempt
     that never happened before.  And, you know, and again the insight you
     can get, for example, from trying to separate how many misalignments you
     had, okay?
         DR. APOSTOLAKIS:  Yes.
         MR. BONACA:  In a plant in a given year, that information
     wasn't available.  And today, as soon as you bring it out, you don't
     have to do anything else, it has an effect of itself, because the
     department responsible for some function will respond to it.  It has to.
         DR. APOSTOLAKIS:  Yes.  Now I fully agree with you, and
     that's an excellent example of what I had in mind.  This is from -- the
     academics call this organizational learning, and time and time again we
     see that that is a weak point in our facilities.  So if they do
     something like that, if they close that loop, a feedback loop, so you
     are learning from your own and other people's experience, in a formal
     way, then that's definitely something that we can see.  It's a concrete
     thing that they're doing.  They have established a process for learning. 
     And that, it seems to me, is something that we should be investigating
     to understand and so on.
         In fact, I was reading a paper the other day from the
     chemical industry, and they had four figures there of excellent, good,
     and bad, and very bad organization.  The distinguishing feature was
     feedback, learning from experience.  So there is an insight.  There is
     something we can do something about and so on.  So I'm really very glad
     to hear this.
         MR. BONACA:  Yes.  The other thing I would like to point out
     is I didn't make a comment regarding the feedback from the IPEs, but,
     you know, one of the critical things that you have in determining which
     critical steps in the control room are most likely to come to an error. 
     There are reasons for that to happen.
         Now I think many utilities now have people going in the
     simulators and looking at their crews as they go through and identify
     critical procedures, steps in procedures that are critical steps, okay? 
     I'm not sure how candid utilities or how candid even the entire
     organization is with those kind of findings.  That's the only question I
         And one of the reasons is that there are so many
     sensitivities.  For example, crew levels, okay?  There are issues to do
     with unions behind and people in the control room, if they feel that
     they are put, you know, to the test, they challenge the role of looking
     at them.  All I'm trying to say is that there is an opportunity there
     really available to look at operators in the control room, how they go
     through critical functions, and if you look at some of the critical
     steps in PRAs, you can see them right there, challenges to performance. 
     I'm not sure how much of that is coming through the IPEs, but there is
     information that is available on the utility level.
         DR. MILLER:  But isn't a key issue on this getting the
     feedback that all levels of the organization feel they can give the
     feedback without being some sort of negative --
         MR. BONACA:  Without being disciplined in a negative manner.
         DR. MILLER:  Actually the tone of that has to be set at the
     top.  And again, even though this book is motherhood, I agree with it. 
     It basically promotes that tone.
         DR. APOSTOLAKIS:  That's the appropriate function of INPO.
         DR. MILLER:  I agree.  We can't regulate it.  We can't say
     okay, put a manager in there that's going to develop openness amongst
     the entire group.  That's just good management anywhere.
         DR. SEALE:  That's culture.
         DR. MILLER:  That's culture.
         DR. APOSTOLAKIS:  That's it?
         MR. BONACA:  That's it.
         DR. APOSTOLAKIS:  Bob?
         DR. SEALE:  That's old Bob, or old Bob two.
         DR. MILLER:  I think if we try to get the older and younger
     here, we'll find out they're equal.
         DR. UHRIG:  Would you like to match birthdays?
         DR. SEALE:  I've been here longer.
         DR. UHRIG:  You may not be looking for additional sources of
     information, but I would refer you to the LER work that's going on at
     Oak Ridge.  There's been a pretty thoro analysis of that.  I've not kept
     up with it recently, but the last time I talked to Steve May down there
     about it, they were looking at some data-mining techniques.  Whether
     they actually got implemented or not I don't know.
         But I do know that they do a lot of categorization.  I think
     they were responsible for identifying the fact that a large fraction of
     the problem LERs were triggered by instrument errors and this type of
     thing.  They should be able to identify those that come from human
     factors or human errors if this is what you're looking for.  And I think
     it's one you might look at in addition to the ASP data.
         DR. SHACK:  No additional comments from Dr. Bill.
         DR. KRESS:  Old Bill or young Bill?
         DR. APOSTOLAKIS:  Well, hearing none, I will turn it to you,
     Mr. Chairman, and we're almost on time.
         DR. POWERS:  I think we can go ahead and recess for lunch. 
     And we're scheduled to be back here at 12:45 to move into the resolution
     of the GSI B-61 issue.
         [Whereupon, at 11:45 a.m., the meeting was recessed, to
     reconvene at 12:45 p.m., this same day.].                   A F T E R N O O N   S E S S I O N
                                                      [1:45 p.m.]
         DR. POWERS:  Let's come back into session.  Our next topic
     is the resolution of one of the generic safety issues, GSI B-61. 
     Professor Seale, I believe you are the cognizant member.
         DR. SEALE:  Okay.  Thank you.  Is our presenter here yet? 
     Very good.
         GSI B-61 was originally classified as a medium priority and
     deals with surveillance test intervals and allowable equipment outages
     used in technical specifications for safety-related systems that are
     large -- and these original outage periods were largely based
     engineering judgment, Dr. Graham's bete noir.
         DR. POWERS:  Well, I think that maybe some of the comments
     on engineering judgment and its utility may have been ill-considered.
         DR. SEALE:  Okay.
         DR. SHACK:  Yours or his?
         DR. POWERS:  I only said some of the comments on engineering
         DR. SEALE:  In any event, these outage periods are used in
     evaluating the unavailability of the emergency core cooling system, and
     that unavailability had ranged from .3 to .8 of the total
     unavailability, that is, the part due to outages on the equipment.
         Optimization of the allowed outage periods and surveillance
     and test maintenance intervals have been shown to significantly reduce
     the equipment unavailability and, in addition to that, we should note
     that the possible need to limit the cumulative outage times in the tech
     specs was identified -- oh, gosh, some 10 years ago.
         What we want to do today is to examine the proposed
     resolution of this issue and to also learn about the relative
     significance of the online and offline maintenance parts of the
     unavailability.  The question of whether or not a limit on the
     cumulative outage time is appropriate is, I think, also going to be
     discussed by our speaker.
         I think we will let the speaker go from there, and we will
     see what we find out.
         MR. BUSLIK:  Actually, almost everything that I will be
     discussing will be cumulative outage time.
         DR. SEALE:  Okay.
         MR. BUSLIK:  I would like to argue that the other aspects
     were subsumed in other programs.
         DR. SEALE:  Okay.  Right up on the dashboard, in front.  I
     think you may need to turn that switch back on that you turned off.
         DR. SEALE:  Well, I believe you have given us handouts, so
     we can get started with those.
         MR. BUSLIK:  So now we see what the title of it is,
     "Allowable ECCS Outage Periods."  Now, you will notice that the title,
     one, has to do with ECCS equipment, and, two, only addresses allowable
     equipment outage times.  But if you look at the actual statement of the
     issue, you see that, one, it is supposed to include surveillance test
     intervals and it is for safety-related systems, not for ECCS systems.
         The TMI action item also originally was applied only to ECCS
     systems.  Basically, what that item did was to ask the utilities to
     report the dates and lengths of their ECCS outages to see what their
     cumulative outage times were, and then the staff was supposed to
     determine if a need existed for a limit on cumulative outage times.  The
     second part of it was resolved by subsuming it under B-61.
         The question is, why were ECCS systems singled out?  And I
     think the reason is that in WASH 1400, the HPSI and RCSI tested
     maintenance unavailabilities were a large proportion of the
     unavailabilities of the system and were rather large.  For HPSI it was
     .075 and for RCSI it was .069.
         Now, the question is why do you need a -- what would be the
     possible need for a control on cumulative outage times?  And the reason,
     basically, is that the risk depends on the cumulative outage times. 
     People look at it differently, it could be the expected frequency of
     performing maintenance times the needed time to repair, lambda tau, or
     it could -- you could think of it as the ratio of the expected
     cumulative outage time to the time over which the cumulative outage time
     is accumulated.
         And whatever you do, even if you are trying to determine
     single instance allowable outage times, or extensions, you have to in
     some way account for the frequency.
         DR. KRESS:  Let me ask you about that.  Are we talking about
     instantaneous risk or risk averaged over a long time?  It looks like you
     are averaging over a time.
         MR. BUSLIK:  Yes, that's correct.  Now, obviously, if you
     are interested in an instantaneous risk, to me, that is not so important
     -- to me, the risk that you are interested is in the integrated risk
     over some period of time.  I mean -- but if you are interested in the
     integrated risk, then that would be -- I mean the instantaneous risk,
     that would be independent of the time it is out, it is conditional.
         DR. KRESS:  You wouldn't have the frequency of the time at
     all in there probably.
         MR. BUSLIK:  No, no.  But --
         DR. POWERS:  Let me ask you about this.  You are not
     interested in the instantaneous risk.
         MR. BUSLIK:  I personally.  I don't think that the agency
         DR. POWERS:  If I am -- if you personally happened to be
     visiting a plant that is in a configuration for a day that has an
     instantaneous risk of 365 per year, maybe you would be concerned.
         MR. BUSLIK:  Well, instantaneous for one day, so that --
     okay.  So that would mean there's maybe two -- a chance of two out of
     three or whatever that I would have a -- well, yes, but let's take that
     a little further.  If it is two out of three for that period of time,
     what would it be in a whole lifetime in a plant?  It would be pretty
     big.  So it would also affect the integrated risk.
         What I am saying is, if it is 365 per year, and it is going
     to be in that configuration for one second, I don't care, because --
         DR. WALLIS:  The assumption there is the second.  I mean if
     you have some trouble completing the maintenance, you are putting
     yourself in a state and assuming you are going to get out of it in one
     second.  There is some kind of extra risk I think associated with that.
         MR. BUSLIK:  I exaggerated.  All right.
         DR. POWERS:  My only point is --
         MR. BUSLIK:  I didn't include the uncertainties, in other
     words, in the time you are going to be in that state.
         DR. WALLIS:  That's right.  Right.
         DR. POWERS:  There is some level of instantaneous risk. 
     Well, you would be unconcerned if it is -- if you go to, say, one per
     year for a day, an instantaneous risk that stands at one event per year
     for a day, and you put that in the integral, probably it averages out,
     it is 1/365th, maybe that will show up.  But I can get numbers, you
     know, I can keep bidding the number up until you say, whoa, I would be
     concerned at that point.
         MR. BUSLIK:  Yes.
         DR. KRESS:  But you are saying there's two separate things
     here, one of them is an instantaneous risk, one of the average, and
     right now you are interested in the average.
         MR. BUSLIK:  And that is all I have focused on.  I know that
     there are concerns about that -- temporary situations and things like
     that.  But I have -- there are some extreme cases, but even in those
     cases, I used it one second, for example, but even if I used a more
     realistic amount of time and I had some uncertainty in the allowed
     outage time, also, you could consider the fact that there may be -- if
     it is going to be too long, then perhaps you would shut down.
         DR. APOSTOLAKIS:  But let's go back to --
         DR. KRESS:  Go ahead.
         DR. APOSTOLAKIS:  Let's go back to your slide 3.
         MR. BUSLIK:  Okay.
         DR. APOSTOLAKIS:  I am trying to understand there, the
     previous one.
         MR. BUSLIK:  Yeah, right.
         DR. APOSTOLAKIS:  What you are saying in the first bullet. 
     You are saying that --
         MR. BUSLIK:  Okay.  I have got it.
         DR. APOSTOLAKIS:  U equals lambda tau.
         MR. BUSLIK:  Yes.
         DR. APOSTOLAKIS:  So, -- wait, wait.  Lambda is the failure
     rate, or is --
         MR. BUSLIK:  No.  No.  Here -- I'm sorry.  Lambda here is
     the frequency of performing maintenance.
         DR. APOSTOLAKIS:  The surveillance tests?
         MR. BUSLIK:  No.  This is -- we are not talking about
     surveillance testing here.
         DR. APOSTOLAKIS:  So, but the issue, though, was
     surveillance testing and allowable --
         MR. BUSLIK:  Outage times.  And then we -- this, I am
     talking here about why we need a control of cumulative outage time for
         DR. APOSTOLAKIS:  So you are not addressing the issue B-61?
         MR. BUSLIK:  Well, I am going to argue -- that is B-61.  The
     issue -- that is a part of B-61.
         DR. APOSTOLAKIS:  Allowable equipment outage periods, that
     is what you are referring to?
         MR. BUSLIK:  I am referring to cumulative -- whether we
     would need a limit, in a sense, an allowable cumulative outage time.
         DR. APOSTOLAKIS:  Okay.
         MR. BUSLIK:  This was a II.K.3.17 issue which was brought
     into B-61.
         DR. APOSTOLAKIS:  Now, cumulative, you mean over a period of
     a year?
         MR. BUSLIK:  Some -- a period of a year, or a period between
     refueling, something like that.
         DR. KRESS:  Whatever you have got a database for.
         MR. BUSLIK:  That's right.
         DR. APOSTOLAKIS:  No, but I am trying to understand the word
     "cumulative."  You mean if I go to do maintenance now, --
         MR. BUSLIK:  Yes.
         DR. APOSTOLAKIS:  -- it is going to be a certain duration,
     say six hours.
         MR. BUSLIK:  Okay.
         DR. APOSTOLAKIS:  Then I happen to go again next week.
         MR. BUSLIK:  That's right.
         DR. APOSTOLAKIS:  That will be five hours.
         MR. BUSLIK:  So you would have to accumulate this time.
         DR. APOSTOLAKIS:  So, 11, you are interested in 11.
         DR. KRESS:  And this has to be the same component?
         DR. APOSTOLAKIS:  Yes.
         MR. BUSLIK:  Yes.
         DR. APOSTOLAKIS:  So I would suggest that you use little "f"
     instead of lambda because my mind went immediately to the failure rate.
         MR. BUSLIK:  All right.  Okay.
         DR. KRESS:  That's funny, I thought immediately of frequency
     when I saw it.
         DR. APOSTOLAKIS:  Because you hadn't read the fault tree
         So what you are saying -- I am not done yet.  I am trying to
     understand here.
         MR. BUSLIK:  Okay.
         DR. APOSTOLAKIS:  So the core damage frequency does not
     depend only on the average time a component is out for maintenance, but
     the cumulative.
         MR. BUSLIK:  It depends --
         DR. APOSTOLAKIS:  But the average could be the average
     cumulative, because that is a random variable.  That is not what you
         DR. KRESS:  Well, that is basically what --
         MR. BUSLIK:  That is what I said, I talked about the
     expected cumulative outage time.  But --
         DR. APOSTOLAKIS:  Oh.
         DR. MILLER:  That is an interval.
         MR. BUSLIK:  Yeah, but when I talked here about the mean
     time that it is out for maintenance, the tau there, this is also,
     basically, you are just adding up the values and over --
         DR. APOSTOLAKIS:  Okay.  So your current lambda would be
     used in calculating the COT?
         MR. BUSLIK:  Your -- yes.
         DR. APOSTOLAKIS:  Right?  Otherwise it would not --
         MR. BUSLIK:  That is the conventional way of doing it.
         DR. KRESS:  Well, in order to get enough data, though, don't
     you have to have a lot of -- wouldn't you get that expected value out of
     a lot of plants for the same -- maintenance on the same type of --
         MR. BUSLIK:  You would really want to have a plant-specific
     estimate of it.
         DR. KRESS:  So you would have to do it for several years to
     get enough data to get an expected value --
         MR. BUSLIK:  If you actually do it correctly, yes.
         DR. APOSTOLAKIS:  If you had a Bayesian.
         MR. BUSLIK:  Well, that's right.  That's the other aspect.
         DR. MILLER:  Let's say, what would E of X -- E of X for one
     -- for one activity -- the way you are doing it, right?
         MR. BUSLIK:  Say again?
         DR. MILLER:  If you only had one maintenance activity of,
     say, one hour --
         MR. BUSLIK:  In a year?
         DR. MILLER:  E of X over a year, you could still do it,
         MR. BUSLIK:  Oh, sure.  Sure, you could do it.  Now, what
     was the approach I used to the issue resolution?
         By the way, the prioritization of the issue which came up
     with the 30 to 80 percent, the implication there was that if you
     decreased the amount of maintenance you did that you wouldn't
     necessarily have to move that to another period of time and as a result
     there was no cost associated with decreasing it.  In fact, there was a
     benefit.  It neglected the benefit.
         Now in actuality what I assumed was entirely different.  I
     assumed that the amount of preventive maintenance that has to be done is
     known, perhaps from a combination of vendor information and industry and
     I guess plant-specific operational feedback.
         Okay.  The thing that really has to be done is to apportion
     this preventive maintenance between power operation and the various
     shutdown plant operational states, so in this sense it's different than
     the prioritization.
         Now as far as surveillance test intervals, these have been
     addressed as far as the standard tech specs are concerned and in the
     Technical Specifications Improvement Program.  Now these of course are
     essentially voluntary actions on the part of the utilities, but I felt
     that certainly as far as surveillance test intervals that basically what
     would be done by a risk-informed approach would be relaxation.
         I didn't think I could find any case where there was not --
     that it wasn't done often enough.
         As far as allowed outage times, they are addressed in the
     standard tech specs too, on an individual basis, but to really get a
     good handle on allowed outage time, you have to address it on a
     cumulative outage time basis, it seems to me.
         Of course, even for an instantaneous risk, the single outage
     time --
         DR. APOSTOLAKIS:  Let's call it conditional outage, not
     instantaneous -- conditional.
         MR. BUSLIK:  I'm sorry.  I remember.
         DR. APOSTOLAKIS:  Conditional.
         MR. BUSLIK:  Okay.
         DR. APOSTOLAKIS:  Which bullet are you at now?
         MR. BUSLIK:  I skipped around between the third and the
         DR. APOSTOLAKIS:  I am trying to understand the second.  You
     will address that?
         MR. BUSLIK:  Okay.  That will come next.  Okay.  Basically I
     assumed -- I separated maintenance into two types, corrective and
         Scheduled I called also preventive.  This is maintenance
     which -- where you know how much you are going to do in a year. 
     Unscheduled maintenance depends on what happened to the component -- if
     there is a leak in the valve or what have you, and of course it could be
     different than the catastrophic failure frequency.
         Also I guess presumably predictive maintenance depends on
     the state of the components, so that would also be included there.
         Now you can't really -- I did at one time consider the
     possibility, and I remember I think Montomo from Finland was considering
     the possibility of a cumulative outage time which included corrective
     maintenance but it is basically unworkable.  What do you do if by some
     random fluctuation it goes above the limit in a particular time between
     refueling?  Do you borrow from the next year?  What do you do?
         So -- and the French, by the way, do have or at least at one
     time were considering a limit on cumulative outage time for scheduled
     maintenance, but didn't consider that you could do it for unscheduled.
         DR. APOSTOLAKIS:  When you say cumulative outage time, you
     really mean allowed --
         MR. BUSLIK:  Well, I talk here about a limit on cumulative
     outage time.
         DR. APOSTOLAKIS:  Right -- so why is it unworkable?  Why
     can't you tell them if you exceed 72 hours, shut down?
         MR. BUSLIK:  Well, let's say in a year you exceed 14 days. 
     Shutdown -- until you fix it --
         DR. APOSTOLAKIS:  Oh, cumulative --
         MR. BUSLIK:  -- and then the next time it fails within that
     period, a shutdown until you fix it again within six hours or whatever,
     get to hot shutdown within six hours, the problem with it is you are
     really interested in the expected value of this quantity and they're
     going to be random fluctuations and it is overly punitive.
         Assuming that you don't have a problem with transition risk,
     it may improve the safety somewhat, but it is just not worth it from a
     cost point of view.
         DR. APOSTOLAKIS:  I'll have to understand that a bit better.
         MR. BONACA:  At times, however, that is indicative of poor
         MR. BUSLIK:  Yes. What I want to say is you can't have a
     hard limit, but that kind of thing would be included in the maintenance
     rule.  The maintenance rule would look this over.  It could be poor
     equipment.  It could be poor a poor maintenance man -- a variety of
     different reasons, but this should be picked up by the maintenance rule. 
     I am going to get to that.
         DR. APOSTOLAKIS:  So you are going to put a limit on the
     expected cumulative outage time for scheduled maintenance?
         MR. BUSLIK:  I've got to consider it -- that is what I was
     going to consider, that's right, and I'll have to decide whether that
     is -- there is significant safety benefit given the current space and
     whether it is cost-effective.
         DR. APOSTOLAKIS:  And that will be in some Regulatory Guide? 
     The limit?
         DR. KRESS:  He has to give the regulatory analysis first.
         MR. BUSLIK:  I would have to go through the regulatory
     analysis and then it would have to be applied to the various plants in
     some way.  There would have to be, let's say, a risk-informed criteria
     for determining what this would be and it would have to be applied,
     perhaps on a plant-specific basis.
         DR. APOSTOLAKIS:  Now from the practical point of view
     though, how do you enforce something like that?
         MR. BUSLIK:  If it is for scheduled maintenance, conceivably
     you could do it as part of the maintenance rule.  The diesel generator
     we decided should have less than an unavailability from scheduled
     maintenance of .025 and here you have planned, this is planned
     maintenance, and here you have planned 5 percent of the time for it to
     be at power.  You wouldn't do it that way though.  You wouldn't have a
     hard limit for each plant because there are different plant designs.
         South Texas for example has a three train electrical system
     and fluid system.
         DR. APOSTOLAKIS:  Yes.  I would suggest that you talk to the
     people who developed IAP to explain to them that you shouldn't have a
     number for all the plants.  We had a long discussion yesterday about
     that.  I think it would help them by giving them that thought.
         DR. KRESS:  You might say on the other hand it might be a
     good idea now that --
         DR. APOSTOLAKIS:  There is only one hand.
         DR. APOSTOLAKIS:  This afternoon we all had one hand, but
     again maybe I am a little slow --
         DR. POWERS:  I think he can understand that one a little
         DR. APOSTOLAKIS:  On the other hand I need to understand
     it -- so because it is scheduled, the utility will plan this is how much
     time we are going to do this and this and that, so that the sum then of
     the planned time will be less than you are expected value, which means
     then that there is no need to call expected.
         MR. BUSLIK:  But I talked about expected values --
         DR. APOSTOLAKIS:  Because if it is not to exceed it, then I
     come back to my question.
         MR. BUSLIK:  Listen -- I talked about expected value before
     because I was talking about something that had fluctuations in it.  It
     was corrective.  I could argue that the expected value was identical to
     the planned outage because there is very little uncertainty -- there is
     some uncertainty --
         DR. APOSTOLAKIS:  Yes, I understand.  But -- but wait. 
     Let's say now that I have planned to do maintenance on a piece of
     equipment every three months and that will take me to 10 hours a shot. 
     The total is 40 hours and you have told me that your limit is 40 hours. 
     I am okay.
         MR. BUSLIK:  Okay.
         DR. APOSTOLAKIS:  Then when I go to do it in January I
     finish it in four hours. Can I take 16 hours next time?
         MR. BUSLIK:  Well, the implication is that there is not
     going to be a large -- if it is planned maintenance you know what you
     are going to do.  If you have to drain the oil out of the diesel
     generator or something, you pretty much know.
         DR. APOSTOLAKIS:  So the 10 hours is a pretty good number? 
     That's a good point.
         MR. BUSLIK:  Pretty much, but the limit would technically be
     of that nature, that's right -- it would helpful to do it later if you
     would be able to -- I don't know how you would do it but that is
     basically what it would be.
         DR. SEALE:  But for the moment you are saying the hours for
     a year?
         MR. BUSLIK:  A year or between two refueling outages -- it
     more sensibly would be between two refueling outages.
         We have a procedure, Regulatory Analysis Guidelines, which I
     think we are supposed to follow when we decide, when we try to resolve a
     generic issue and to see if it is consistent with the backfit rule.  Of
     course, if it is a compliance backfit, you bypass the regulatory
     analysis.  Otherwise, you have to know if there is a significant safety
         If the safety benefit is sufficiently large that you say
     there is an undue risk to the health and safety of the public, then
     perhaps you don't have to consider cost, but given it is not a
     compliance backfit, and it would be hard to argue that this is a
     compliance backfit, in order to do it you would have to argue that the
     intent of the rules for allowable outage times were for corrective
     maintenance and not preventive maintenance or something like that but
     you wouldn't be able to do it, I don't think and now so we have to use
     the regulatory analysis guidelines.
         You have to know what the core damage frequency is and
     according to the guidelines also what the conditional probability of
     early containment failure or bypass is.
         DR. KRESS:  That is the delta CDF you would get by changing
     the allowable outage time, one value to another.
         MR. BUSLIK:  This delta CDF would be making -- would be ways
     to find that which is associated with the issue, and basically if you
     had an ideal maintenance unavailability in subsets, perhaps only did
     corrective maintenance during power operation, how much would this be.
         DR. KRESS:  Now I envision when you set out to do
     maintenance that you are not only going to do maintenance on that one
     item but you are also going to fix these other items and maybe in
     shutdown condition while you are doing it and the plant configuration is
     a variable from shutdown the shutdown or from maintenance to
         My question is how can you determine CDF for a conditional
     containment failure probability when you don't know what the
     configuration of the plant is, or do you?
         MR. BUSLIK:  What I assumed was that, basically what I
     assumed -- I did calculations.  I used a code and basically what was
     done in the calculations was to assume that the maintenance
     unavailabilities for different systems occurred just as random overlap. 
     In other words, I didn't take into account the possibility that a
     utility because it was more convenient for it might work on one train at
     a time and by so doing might increase the risk.
         DR. KRESS:  Do you use the Monte Carlo selection then of
     some sort of outage times?
         MR. BUSLIK:  Just if you just do use a normal fault tree,
     event tree code.  I used part of the SAPPHIRE -- it wasn't even called
     SAPPHIRE when I did these calculations -- SAPPHIRE suite.
         The way the fault tree works, you just multiply these values
     together and treat them as independent, but since you are treating them
     as independent variables in the quantification, it is as if they
     occurred randomly.
         In other words if I have P of (a) times (b) and I write it
     as P of (a) time P of (b) or calculate it that way, it is as if the (a)
     and (b) occurred randomly.
         DR. POWERS:  You used a particular computer code for these
         MR. BUSLIK:  Yes, it is called SARA, which is a part of the
     SARA/IRRAS suite of codes and SARA -- there are -- well, I guess there
     is no longer a distinction in the Windows version, but this was long
     before Windows version and SARA was very convenient for sensitivity
     calculations, and it was actually equivalent to Version 4 of the
     SARA/IRRAS suite.
         DR. APOSTOLAKIS:  It's SAPPHIRE, right?
         MR. BUSLIK:  It's SAPPHIRE, that's right.
         DR. POWERS:  And this is one of those codes that has no
     known, no technical errors, no coding errors in it, that it is
     perfectly -- perfect in all respect?
         MR. BUSLIK:  Of course.
         DR. POWERS:  And there is a massive set of peer review
     documentation that I can go to to understand how good this code is?
         MR. BUSLIK:  All I can say is that I used the NUREG-1150
     database and that the results for the base case compared with those in
     NUREG-1150.  NUREG-1150, I believe, used a different code, the SETS
     code, so insofar as the base cases are concerned, they're great.
         One approximation that's made in the codification of the cut
     sets is called the mid-cut set upper bound approximation, and you do
     have to be careful that that approximation isn't going to affect your
         DR. KRESS:  The code goes to containment failure?
         MR. BUSLIK:  No.
         DR. KRESS:  You have to do something else?
         MR. BUSLIK:  I was using NUREG-1150 database and there was a
     letter from Tom Brown to Jim Johnson which was referenced in the writeup
     and that letter gave basically for the different plant damage states
     what the conditional --
         DR. KRESS:  Okay, you had a correlation.
         MR. BUSLIK:  I had -- and also it even gave the fatalities,
     for example --
         DR. POWERS:  You didn't need to pull that out of a letter. 
     That's actually in the NUREG-1150 documentation.
         MR. BUSLIK:  I didn't try to get it out of there, if that's
     what was what your point was.
         DR. POWERS:  It's in there.
         MR. BUSLIK:  I pulled it out every once in awhile.  It may
     be in there but for me it was a little difficult.
         DR. POWERS:  It's easier to ask Tom, yes.
         MR. BARTON:  Safety benefit -- where do we go from here?
         MR. BUSLIK:  Okay.
         DR. POWERS:  My point is that I think, I wonder, I continue
     to wonder why we use these computer codes that don't have a pedigree
     that we would expect routinely from licensees to have and especially
     when I see that the Office of Research has established such a wonderful
     peer review process for its codes that really is nice, and why don't
     they use it on the codes they are using in-house?
         MR. BUSLIK:  Well, there is something you can say.
         For something like this you examine the cut sets when you
     are finished and you see how reasonable they are.  If something weird
     occurs, and something weird could have occurred with the code I was
     using, for example --
         DR. POWERS:  It happens with sets all the time.
         MR. BUSLIK:  But you look at the results, at the cut set
     level, and you can tell usually, if you are motivated --
         DR. POWERS:  Well, that's right.  I mean it depends -- if
     you're a very capable analyst who actually is suspicious of your
     results.  I can find other people who are -- have more faith, and if the
     number is printed out to three or four significant digits, I will see it
     on the viewgraph up here.
         MR. BUSLIK:  I hope I don't have anything like that.
         Now, okay, this is the full matrix in the Regulatory
     Analysis Guideline and you will notice -- I believe that this is to
     be appropriated in that.  If core damage frequency is less than 10 to
     the minus 6 then it doesn't matter what happens to the containment. 
     You're okay.
         However, if it is between 10 to the minus 6 and 10 to the
     minus 5, the change in core damage frequency, then if the early
     containment -- or containment failure probability, or the probability of
     bypass, some of those, is greater than .1, then you have to go to a
     management decision.  If you are above 10 to the minus 5 and the
     containment failure probability is less than .1, between 10 to the minus
     5 and 10 to the minus 4, then it is supposed to be a management
     decision, and so on.
         DR. KRESS:  Since when did they make that definition of
     conditional containment failure probability an early failure?  I thought
     it was just the failure itself.
         MR. BUSLIK:  Well, this is in the regulatory analysis
     guidelines.  Now, the question is what do you mean by early?
         DR. KRESS:  It actually specifies early, though, in the
         MR. BUSLIK:  Yes.  But it is a question of what do you mean
     by early.  In the case of BWRs, it is clear, it is before or within two
     hours of vessel breach.  In the case of PWRs, there were two definitions
     used.  One was within a few minutes of vessel breach, which corresponded
     to the NUREG-1150 definition of early containment failure.  And the
     other was within a few hours, I have forgotten the exact number.
         DR. APOSTOLAKIS:  Three, I think it was.
         MR. BUSLIK:  Perhaps.  And that corresponded almost to the
     late containment failure probability.
         DR. APOSTOLAKIS:  So if it is early, then it is completely
     analogous to LERF.
         MR. BUSLIK:  Yes, the idea was to make it that way.
         DR. KRESS:  And I think the numbers are compatible, too.
         MR. BUSLIK:  But you will find that, for example, there was
     one plant, Susquehanna, where, if you talk about mean values, these
     containment failure probabilities are highly uncertain, where it was
     greater than .1.  But if you look at what the early fatality is in
     comparison to the quantitative health objective of the safety goals, it
     is less than 1/100th of that amount, it is probably 1/500th.
         I don't know, if there were fewer automobile accidents, does
     that change the quantitative health objective?  I don't really know.
         DR. KRESS:  Yes, it does.
         MR. BUSLIK:  Okay.
         DR. KRESS:  And, in fact, it has changed in the last few
     years from five down to three, it was 10 to the minus 7.
         MR. BUSLIK:  Okay.
         DR. POWERS:  And that, I think that is a socio-phenomena
     that the Commission was aware would occur when they passed that policy
         MR. BUSLIK:  That's interesting, 1/300th then.  Okay.
         DR. POWERS:  The comparison will get worse and worse the
     longer you give the presentation.
         DR. SEALE:  You had better hurry up.
         MR. BUSLIK:  Okay.  Now, the maintenance rule it seems is
     clearly pertinent.  And because it requires the monitoring of the
     performance or condition of structure systems or components against
     licensee established goals commensurate with safety, and the performance
     includes all aspects of unreliability, including maintenance
     unavailability.  So that controls both preventive and corrective
     maintenance, and they do have to track their maintenance, presumably.
         Moreover, the objective of preventing failure shall be
     appropriately balanced against the objective of minimizing maintenance
     unavailability.  This helps controls the unavailability from preventive
     maintenance.  Now, the problem of temporary states, where several
     components are out and you have a blip in the -- I am not supposed to
     use instantaneous risk, I am supposed to use conditional risk, okay.
         DR. APOSTOLAKIS:  It is not because you are supposed to,
     because you think it is the rational thing to do.
         MR. BUSLIK:  Of course.
         DR. SEALE:  That was an awful quick scrub.
         DR. POWERS:  George will find substantial resistance to his
     immediate right.
         DR. APOSTOLAKIS:  It is not instantaneous.
         MR. BUSLIK:  Okay.  Now, -- okay.  That, presumably, will be
     taken into account.  Now I think it is sort of loose because it talks
     about should be instead of shall be or something like that.  But,
     presumably, corrections to the maintenance will take that into account.
         DR. SEALE:  We heard about that this morning.
         MR. BUSLIK:  Okay.  Will they?
         MR. BUSLIK:  Okay.
         DR. APOSTOLAKIS:  This is one of the better presentations we
     have had in a long time.
         DR. SEALE:  Timely.
         DR. APOSTOLAKIS:  I mean the guy goes into the mathematical
     details of codes, I like that.  This is wonderful.
         DR. SEALE:  We will have to tell Graham he is missing out.
         DR. APOSTOLAKIS:  He is missing, yes.
         MR. BUSLIK:  All right.  Now, the rule doesn't say whether
     you should move preventive maintenance from power operation to safe
     periods and shutdown if it is results in risk reduction, so I don't
     think you could just say, okay, it is covered by the maintenance rule,
     we are done.  And you have to ask yourself, when is it safer to do
     maintenance, say, on a diesel generator out of power operation?  Well,
     it turns out that at least for Surry and Grand Gulf, there is not much
     difference in the risk, or it could even be riskier in certain periods
     of cold shutdown.  The only time you --
         DR. POWERS:  How did you decide that?
         MR. BUSLIK:  What?
         DR. POWERS:  How did discover that?
         MR. BUSLIK:  I discovered that because of some work done by
     B&L and Sandia on a comparison or risk between power --
         DR. SEALE:  I should point out to you that one of other
     changes that was mentioned this morning was to formalize the
     Commission's statement that the maintenance rule applies both to
     operation and shutdown.  So that statement has already --
         MR. BUSLIK:  That's true.
         DR. POWERS:  Well, I will hasten to --
         MR. BUSLIK:  Say again?
         DR. POWERS:  I will hasten to point out that the work by
     Brookhaven for Surry on shutdown only dealt with one phase of shutdown
         MR. BUSLIK:  Okay.  But when we did some work for actually
     doing -- for scheduled maintenance, this is work which -- well, actually
     the Brookhaven NUREG CR is out already and shortly the Sandia one will
     be out on Grand Gulf.  It was found that -- and this sort of is very
     reasonable, that if you are in the refueling plant operational state,
     where the water is very high over the reactor fuel and you have a lot of
     time, under those circumstances the risk is very low from, say, taking a
     diesel generator out for maintenance.  And, in fact, I think the Grand
     Gulf one came up with zero, essentially.  The reason is that the mission
     time is 24 hours, and in 24 --
         DR. POWERS:  It takes that long to boil the water.
         MR. BUSLIK:  That's right.  That's right.  But, you know, I
     think they changed the words to negligible, but -- okay.
         DR. APOSTOLAKIS:  Is the second bullet really part -- should
     it be part of the maintenance rule?  I thought the maintenance rule
     dealt only with monitoring.
         MR. BUSLIK:  I don't think it --
         DR. APOSTOLAKIS:  I am having the same problem I had
     yesterday with the IRAP.  We have an inspection program, a monitoring
     program which is not a monitoring program.  I thought, again, perhaps
     wrongly, that the maintenance rule did the first bullet.
         MR. BUSLIK:  All right.  Now, suppose --
         DR. APOSTOLAKIS:  The second one is monitoring.
         MR. BUSLIK:  Oh.
         DR. APOSTOLAKIS:  It does not explicitly address whether
     maintenance should be moved from power to safer periods because that is
     not the intent of the rule.
         MR. BARTON:  And it shouldn't force all preventive
     maintenance into a shutdown period because it may not be comparable to
     what the requirements are to do preventive maintenance on components
     within a train.
         DR. SHACK:  No, but it comes down to that point we discussed
     this morning.  You are supposed, under the maintenance rule, to analyze
     the effect of taking equipment out of service and analyze its impact on
         MR. BUSLIK:  Right.
         DR. SHACK:  The second bullet says, okay, it increases risk. 
     What do you now?
         MR. BUSLIK:  But it is supposed -- yeah, that's basically
         DR. APOSTOLAKIS:  Well, the second bullet does not say that,
     Bill.  The way I read it is that if it is better to do it during
     shutdown, the rule doesn't say that we should do that.  It doesn't say
     that you are already above some sort of a threshold.
         MR. BUSLIK:  No, no, it doesn't.  But what I am saying is a
     utility may, because -- let's say because it is less expensive, do
     maintenance during power operation.
         DR. APOSTOLAKIS:  Right.
         MR. BUSLIK:  During -- than during shutdown time.
         MR. BARTON:  And also do it because it is safer.
         MR. BUSLIK:  They could do it because it is safer.  But, for
     example, if you are dealing with a diesel generator, I think you can
     argue that it is going to be safer if you do it during the refueling
     plant operational state where the water is high over the reactor.
         MR. BARTON:  I don't think that that is always true.
         MR. BUSLIK:  Well, at that particular state, because you
     have so much time to recover from station blackout.  And even in -- but
         DR. POWERS:  Just go ahead.
         MR. BUSLIK:  Yeah, okay.  Fine.  Okay.  But on the other
     hand, if we -- and so, in principle, you have to consider whether we can
     impose an additional requirement on the utility and that it would be
     cost effective to do so.  The problem with doing it during that
     particular period in shutdown, the refueling plant operational state is
     that this time is getting shorter and shorter.  Refueling plant
     operational states are getting shorter and shorter.  South Texas I think
     had one 18 days or perhaps a little less.  You don't have that much
         In principle, when I am doing a regulatory analysis, I
     should take a base case which consists of the current state, which would
     be including the maintenance rule, but I did most of this analysis, I
     did all of the computer runs before 1993.  Most, I guess -- actually,
     most, I guess, were done in 1992 or all in 1992.  And I mean I could
     conceivably have collected maintenance unavailability after the rule
     came into effect, but I didn't think it was worthwhile.  Also, the
     initial resolution of this was formulated and went up to management just
     about the time the maintenance rule came into effect, so it wouldn't
     have been possible.
         So what did I use for base case maintenance
     unavailabilities, keeping in mind that I did it in 1992?  Well, I looked
     at NUREG-1150 and it had, for a diesel generator, .006.  Now, Steven
     Eide, in the PSA 1989, I would come up with a value of .022 or
     thereabouts, just looking at plant-specific -- PRAs which use plant-
     specific data.
         DR. POWERS:  Can you give me a feeling on these numbers for
     what I am looking at?  Am I looking at a mean or a median?  And the
     magnitude of the distribution, say, for convenient points, 95-5 or
     something like that?
         MR. BUSLIK:  I don't remember what the .006 was, or even
     what Eide is.  These are industry averages, or actually averages over a
     particular set of plant-specific PRAs.  The AEOD one here came from, oh,
     I don't know, a certain number of failures.  What happened is they
     looked at true demands on the diesel generators and then a certain
     fraction of those demands were -- had the diesel generator out for
     maintenance and they took that ratio and then came up with the .03.  So
     that is going to be weighted with -- or I could give you some other
     numbers, though.  That is going to be weighted with the frequency of
     demands for the diesel generators at the different plants.  The ones
     that have more demands will be weighted more.
         DR. POWERS:  But I am not far wrong if I assume these are
     mean values per demand?
         MR. BUSLIK:  These are mean values.  I am not sure, I think
     the AEOD one started with Bayesian prior and updated it with the plant-
     specific data.
         DR. POWERS:  Well, we won't hold that against them.
         DR. APOSTOLAKIS:  As I should.
         MR. BUSLIK:  What?  Say again?
         DR. APOSTOLAKIS:  As I should.
         DR. POWERS:  Could you give me a feeling for what the 95
     percentile and the 90 percentile would be?
         MR. BUSLIK:  Okay.  The only thing I remember now is that
     there was other data, which gives you the idea of how it varies from
     plant to plant, and that was Brookhaven collected some data.  And the
     only numbers I remember from that are that, from their data, only about
     19 percent were greater than .03 and around 10 percent, I believe, were
     less than .006.  So there's discretion.
         Well, me look further at this.  Now, you look at the values
     I used.  Now, I came up with .02 for a turbine-driven aux feedwater pump
     maintenance unavailability, but he recommended that you use generic
     turbine-driven values of .05, and that is, I think, why I originally
     used that.  You will see that for the turbine-driven pumps -- actually,
     if you look at the IPEs, you may get more than .01 for the RCSI, but you
     are actually -- there was actually a fair amount of conservatism for the
     turbine-driven pumps if you use nearly current data.  It is far cry from
     what it was in WASH 1400 days.  Of course, the RCSI pump itself isn't
     that reliable, but that is another story, according to the AEOD data.
         There was also an A&O IRAP study which came up years ago,
     with very low values for maintenance unavailabilities, and they said
     that they never did scheduled maintenance during power operation in
     those days.  So, what I did is I said that the NUREG-1150 values would
     be attainable and I took the no cumulative outage time control column
     was the maintenance unavailabilities before the maintenance rule.  And
     then, basically, I cut the benefit in half, and I can't really justify
     that very well, but it was just my own judgment.  And I think maybe it
     is conservative, but if it is conservative, I am still able to say that
     no action is required, so I figured I was finished.
         And just to get a feel for what .006 is, that is 1.8 days of
     corrective maintenance for 300 days of power operation and no preventive
         So, as I said earlier, I used the SARA code, part of the
     SARA IRRA suite of codes, and I did two calculations and I used, by the
     way, essentially point estimates with mean values.  I didn't do
     uncertainty calculations and then take the difference.
         DR. POWERS:  What was the reason for not doing some
     uncertainty calculations?
         MR. BUSLIK:  Well, at the time I was using a 386 20
     megahertz machine.
         DR. POWERS:  And it died before the results were done.
         MR. BUSLIK:  And the other thing is what -- you have -- you
     are taking differences between two calculations, and you have to
     correlate the uncertainties.  And if you don't do that carefully --
     well, actually -- well, if you run a sufficiently large number of
     histories, so that your mean doesn't have any uncertainty from not
     running enough histories, or not doing enough Monte Carlo, then as far
     as the mean is concerned, that is okay.  It does have to be a
     sufficiently large number.
         So, it was just -- I mean those are the reasons, basically.
         If I had to do it over today, I probably would use a more
     sophisticated method.
         DR. APOSTOLAKIS:  So when did you do all this?
         MR. BUSLIK:  1992.
         DR. APOSTOLAKIS:  So why are we hearing this today?
         DR. SEALE:  I had a question.  I said what happened between
     1992 and now?  And then I had another question, what didn't happen --
         And I guess the answer is you replaced your computer with a
     Pentium -- 286 with a Pentium II.
         MR. BUSLIK:  These were the original calculations, but after
     that, for example, I had to rework and argue away external events.  I
     had to do some other things after that.  And the decision analysis
     rationale changed somewhat.  That was part of it.  And the other was the
     fact that it wasn't given very high priority, I think.
         MR. KING:  Yes.  Generic issues for quite a while didn't get
     that high a priority.  The ones that were labeled USIs did, but
     everything else didn't.
         MR. BUSLIK:  B issues were just put on the back burner for a
     long time.
         MR. KING:  Yes.  What you're seeing now is a cleanup of some
     old things.
         DR. APOSTOLAKIS:  So Al did something more recently.
         MR. BUSLIK:  Actually --
         DR. APOSTOLAKIS:  Just, you know --
         MR. BUSLIK:  I did a little bit of editorial changes
         MR. KING:  No calculations.
         MR. BUSLIK:  No calculations.
         DR. SEALE:  It was there except for the punch line.
         DR. APOSTOLAKIS:  At least you didn't do it with
     programmable hand calculators.
         MR. BUSLIK:  Say again?
         DR. APOSTOLAKIS:  Nothing.
         MR. BUSLIK:  Okay.  So if I don't take credit for the
     maintenance rule, I get changes in core damage frequency of 2E minus 5
     for Surry, and the containment failure probabilities are okay.  They're
     less than .1 even if I take the very conservative --
         DR. APOSTOLAKIS:  What is it that you changed?  The delta
     CDF comes from what delta?
         MR. BUSLIK:  Changing the maintenance unavailabilities.  I
     assumed that -- I changed them from essentially the EIDE estimates, what
     I called the no-control estimates, to -- and I said the NUREG-1150
     estimates would be reasonable estimates that you could get if you
     controlled the scheduled maintenance and had something like -- and
     controlled appropriately the corrective maintenance by making sure that
     it was done properly the first time and things like that.
         DR. APOSTOLAKIS:  And you assumed that all the changes were
         MR. BUSLIK:  Yes, I --
         DR. APOSTOLAKIS:  Not just component --
         MR. BUSLIK:  No, I did it all at once.
         DR. APOSTOLAKIS:  All of it.
         MR. BUSLIK:  And you come up with these values, and then I'm
     going to cut them in half, and when I do that, everything's okay except
     for Sequoyah, but Sequoyah, I mean, the core damage frequencies when you
     cut them in half are like this.  And even if I gave more credit for the
     maintenance rule, there was no way I could get Sequoyah down below 1E
     minus 6.
         But that's an ice-condenser plant, and station blackout is
     important, and the hydrogen igniters don't work at station blackout.
         Now those results were for internal events only, and I have
     only qualitative arguments for external events, plus the fact that I
     looked at it for Surry, and the maintenance unavailabilities were not
     important at Surry.  You could argue for seismic that what really
     controls the seismic risk has to do with if one component fails, then
     the other component fails from the earthquake.  In other words, the
     conditional probability the second component will fail given the first
     is very close to unity.  The reason is they're mounted in the same way
     on the same floor, they see the same floor response, they are similar
     components, their fragilities are similar relative to the floor response
         There are times when you might find that this isn't the
     case, but, for example, I'm not sure it was in this country, but there
     was a plant where loss of offsite power from a seismic event and random
     failure of diesel generators was important.  But for that to be the
     case, for this to be important compared to internal events, it would
     mean that long losses of offsite power are dominated by seismic events. 
     That's not going to be -- that's not very likely.
         For fire usually the fires of importance are those that
     affect both trains and again I looked at the dominant fire sequences
     from NUREG-1150, and I didn't find matrix unavailability important at
         DR. POWERS:  Surry is not one of those units that has been
     reporting extraordinarily high CDF from fire?
         MR. BUSLIK:  No.
         DR. POWERS:  There are units --
         MR. BUSLIK:  I went to Quad Cities.  I doubt if matrix
     unavailability would be important compared to their original estimate
     either, because there the probability is you affected both trains.  That
     is why you have such a high frequency.
         So what do you do with Sequoyah?  Well, first of all, if you
     read the guidelines you have to -- it's the burden of the Staff to say
     that the imposing of the regulations imposes a significant safety
     benefit.  Because there are such large uncertainties, for that reason
     alone you couldn't make a finding of significant safety benefit, but
     also perhaps more cogently the whole reason it seems to me for
     considering early containment failure or bypass is because you get early
     fatalities, and the early fatalities that occur here are very small
     compared to the safety goal value so on that basis I assumed that no
     action was justified.
         DR. POWERS:  So you are going to conclude for ice condensers
     generically that nothing is necessary based on looking at one specific
     ice condenser?
         MR. BUSLIK:  I could certainly argue I think that the
     uncertainties in the containment failure probability are large
     generically for ice condensers, can't I?
         DR. SEALE:  And I could argue that that hacks both ways.
         MR. BUSLIK:  I know, but if you -- from the legalistic point
     of view, it hacks only one way.  You can't impose it.
         I don't even know how many ice condenser plants there are
     and where they are located as far as -- now actually individual early
     fatality risk doesn't depend very much on the population density, for
     example.  They depend on the distance to the site boundary.
         DR. POWERS:  It depends on the consequence analysis model
     that you use.
         MR. BUSLIK:  Oh, of course, of course.
         DR. POWERS:  The dispersal number that you use.
         MR. BUSLIK:  Yes, but -- there are all sorts of things that
     it could depend on -- the aerosol deposition rate, all sorts of things,
     but so what?
         DR. APOSTOLAKIS:  Is there any significance to the fact that
     the mean value for the conditional containment failure is close to the
     limit of .1 -- .13?  If it were .6 what would you do?  It's low.
         MR. BUSLIK:  It's low.  I would have to see what the
     uncertainty is and all sorts of things -- what?
         DR. POWERS:  You certainly have some indication of the
     uncertainty just by looking at the IPE insights document.
         MR. BUSLIK:  Okay.  I didn't look at that.  You could just
     look at the outstanding distribution in NUREG-1150 and see how much of
     it would --
         DR. APOSTOLAKIS:  Now remember, IPEs did not exist in '92
     but now they do.
         MR. BUSLIK:  It exists today and that is --
         DR. APOSTOLAKIS:  That's Art's problem.
         MR. BUSLIK:  But I don't think -- yes, I doubt very much if
     the uncertainty would be decreased.
         DR. APOSTOLAKIS:  You put it however there.  You mean that
     even before management takes a decision you are recommending no action?
         MR. BUSLIK:  That's right.  But really --
         DR. APOSTOLAKIS:  But there will still be a management
         MR. BUSLIK:  I think that is what is required.
         MR. KING:  And management's decision was to recommend --
     agree with Art's recommendation -- no further action on --
         DR. APOSTOLAKIS:  Who is the management in this case?
         MR. KING:  The management was the Office of Research.
         DR. APOSTOLAKIS:  You?
         MR. KING:  Yes.  I sent you the letter that ultimately what
     is going to happen is after we get your letter on this, assuming you
     agree with this recommendation, Mr. Thadani will have to send a letter
     to the EDO saying -- and he will either have to say I agree or disagree.
         DR. APOSTOLAKIS:  The EDO?
         MR. KING:  EDO.
         DR. APOSTOLAKIS:  Okay.
         DR. SEALE:  So what do you want from us?  A letter?
         MR. BUSLIK:  A letter agreeing with the resolution.
         DR. APOSTOLAKIS:  I don't know, Mark.  Do you think SAPPHIRE
     should be peer reviewed?
         MR. CUNNINGHAM:  Again, in the context of what Art was
     talking about -- in my mind codes like SAPPHIRE are somewhat different
     than, say, RELAP or something like that in the sense that the SAPPHIRE
     models you might be able to show more analytical, provide an analytical
     solution that says it is doing the right thing since it is primarily
     numerical calculations built into it.
         As Art says, there's a few assumptions built into it but by
     and large it's a numerical.  You could numerically reproduce the results
     of something like SAPPHIRE.
         DR. APOSTOLAKIS:  Something we can do analytically?
         MR. CUNNINGHAM:  I'm sorry?
         DR. APOSTOLAKIS:  It does it very quickly --
         MR. CUNNINGHAM:  Something we could do analytically -- so
     the nature of it is somewhat different and we have been going through
     though, trying to -- you know, every time we put a PRA into it or we do
     other V&V of the code, but again it's a somewhat different nature that
     our RELAP or something like that.
         MR. BUSLIK:  It is true though when you get -- yes, you have
     to know the limitations and you have to look at the results closely.
         DR. SEALE:  Is there anything else that the Staff would like
     to fill us in on at this time?
         DR. POWERS:  I guess I would really like to understand why
     we don't have an uncertainty analysis here.  I mean I understand the 386
     argument and the Monte Carlo barrier that existed in '92.  I don't
     understand the Pentium II arguments now.
         MR. BUSLIK:  Okay.
         DR. POWERS:  It is not -- had it come out that everything
     was dramatically below -- off into you lower left-hand box, I would say
     okay, yes, you can do the uncertainty analysis but it's not going to
     change the conclusions.  It's not so transparent to me that the
     conclusions don't get changed now.
         MR. BUSLIK:  Okay, first of all, the guidelines indicate you
     should make, basically you should make decisions on the mean value most
     of the time with taking into account uncertainties.
         I did have a section on uncertainties in the full write-up. 
     I don't remember what I said about it but what I did there was consider
     the uncertainties in the base case as reported in NUREG-1150, as far as
     core damage frequency is concerned, and I do have such results, and I
     don't think it would affect the results very much there.
         My recollection was it was something like a factor of three
     to five in core damage frequency.
         Of course, I may have been off as far as the mean value
     also, because I did point estimates with mean numbers, but I don't think
     that is a large effect for this type of calculation.  I don't have cases
     where I am dealing with an expected value of x-squared and it is treated
     as expected value of x quantity squared.
         MR. KING:  Plus recognize you still have a number of things
     ongoing that are going to deal with this issue between the maintenance
     rule, configuration, risk management, tech specs, talking about risk-
     informed tech spec program -- all of which directly or indirectly get at
     the allowable outage time issue, so it is not like this is the only game
     in town.
         DR. POWERS:  I have to admit that rings a lot more of a bell
     with me than this analysis -- the fact that other things are addressing
         MR. KING:  And recognize the stuff, the numbers Art came up
     with are down on the lower corner of the Reg Analysis Guideline chart. 
     If they were up in the upper corner you might say, well, maybe we better
     do something.
         DR. POWERS:  I'd say I spoke too strongly.  What this
     analysis does is persuade me that indeed the other things you mentioned
     are going to be an adequate resolution of this issue, that there is
     nothing from this analysis that would suggest that that is not going to
     be an adequate resolution.
         DR. SEALE:  Yes.
         MR. KING:  And Art took a conservative approach. Everything
     changed together -- the diesel generator, the RCSI, HPSI and those
     things all went together.
         MR. BUSLIK:  I probably gave a conservative estimate of the
     effect of the maintenance rule, although I'm not certain.
         DR. SEALE:  Any other questions from the Committee?
         I have got another one for you.  Have you got any more of
     these in the bottom drawer of somebody's desk that we can look forward
     to seeing any time soon?
         DR. MILLER:  Generic safety issues?
         DR. SEALE:  We have a report on it in March.
         MR. KING:  I am probably the wrong one to ask.  The keeper
     of the scorecard is not in my division.
         DR. SEALE:  Well, you might tell him we are looking for it.
         MR. DURAISWAMY:  Dr. Seale?
         DR. SEALE:  Yes?
         MR. DURAISWAMY:  We are supposed to get that report next
         DR. SEALE:  Thank you.  Well, if there are no other
     questions, Mr. Chairman, I will turn it back to you.
         DR. POWERS:  Good heavens.
         DR. SEALE:  We aim to please.
         DR. POWERS:  Well, I think we have a problem with our
     schedule, but I don't think anybody is going to feel it's too much of a
     problem.  I can't start the next session until 2:30, so I encourage
     members to utilize this generous break that I am offering here to
     prepare themselves for the session later this afternoon, so we are
     adjourned --
         DR. SEALE:  If anyone wants to give me any hints on what you
     all would like to include in the letter --
         DR. POWERS:  I will give you some things, Bob.
         DR. SEALE:  That's fine.
         DR. POWERS:  We are recessed until 2:30.
         DR. POWERS:  Let's come back into session.
         We had a Fire Protection Subcommittee what, two weeks ago,
     and Members have before them something called revised outline comments
     and Fire Protection Subcommittee that outlines the various topics we
     dealt with.  We dealt with a proposed regulatory guide, the fire
     protection functional inspections, circuit analysis, IPEEE insights
     program, the NFPA 805 fire protection code, and the fire research
         The fire protection functional inspection I know is a topic
     of great interest to the Committee, but my understanding is that is
     coming to the Committee separately in the next couple or three months. 
     At one time or another it will come to us.  It is an extremely
     interesting topic because it focuses or it draws attention to the
     comparison between a focused inspection versus the core inspection.  And
     it has some ramifications on the inspection process itself.  For this
     particular session we brought forward just two subjects for the full
     Committee to consider.  One is the regulatory guide, and of course the
     other is the NFPA 805 fire protection code.
         The speaker I think will give us an adequate outline of the
     reasons for the regulatory guide.  What the staff is really looking for
     on connection with the regulatory guide they're proposing is any
     thoughts we might have on how to improve and refine the outline they've
     prepared.  So it really is a question of do you have anything to
     contribute.  And if we do, then we might write a letter on that subject.
         The 805 -- the NFPA 805 fire protection code is of more
     immediate interest to the Committee.  I think I will go into the issues
     and the history of that document when we get to that section of the
     presentation.  What we have today is Mr. Madden will be giving the
     presentations.  I don't know whether it is a case that they regard him
     as the most knowledgeable and therefore can speak on all these topics or
     he just draws short straws a lot.
         MR. MADDEN:  It's probably the latter of the two.
         DR. POWERS:  But I think the Committee has heard Mr. Madden
     present and know that he's an effective presenter.  So I'll turn it over
     to you, Pat, and if you can -- and rely on you giving a proper
     introduction on why the regulatory guide.
         MR. MADDEN:  Okay.  Thank you, Dr. Powers.
         My name is Pat Madden.  I'm senior fire protection engineer
     with the Office of Nuclear Reactor Regulation.  And I'm going to try to
     brief you on the draft regulatory guide with respect to fire protection
     for operating nuclear powerplants, the reasons why we're developing that
     guide, and then after we go through the guide, we'll move on to NFPA
         The next slide purely deals with background and direction
     that we've got with respect from the Commission for developing the
     guide.  Initially we proposed in SECY-98-058 to develop this
     comprehensive guide and defer the rulemaking and work with the NFPA to
     develop a performance-based risk-informed consensus standard for
     operating nuclear powerplants.  In addition in that SECY the staff also
     proposed to delete the requirement for section M of Appendix R, which
     refers to penetration seals being noncombustible.  On May 5 a letter was
     received from NEI that supported those activities.  And then on June 30,
     1998, an SRM was written by the Commission that approved the staff
         In addition we have provided status to the Commission on the
     NFPA activities in SECY-98-247, and resolution of ten issues from SECY-
     97-127, which are a part of the research plan.
         We'll move on into the comprehensive reg guide and why the
     staff thinks it needs to develop this guide.  Currently the fire
     protection guidance that is applicable to operating reactors is
     scattered basically through about 125 different documents.  Some of that
     guidance does conflict, and, you know, I can give you examples.  The
     conflicts deal with how much flow you require or allow for effective
     hose streams, for example.
         In addition there is some conflict between do you or don't
     you need automatic suppression and detection in those areas that are
     alternative shutdown areas.  Some plants or some guidance say no, you
     don't need it, and some guidance documents say yes, you do need it.  The
     regulation says you need it, but for plants that are operating post-'79,
     it says you don't need it.  So there are some conflicts in our own
     internal guidance, and the reg guide is one way to resolve those
     conflicts and reevaluate those conflicts.
         The other aspect is that there are some areas currently not
     covered by any guidance documents whatsoever.  And part of that or
     revised or clarifications are needed to some guidance.  And some of that
     deals with compensatory measures.
         Right now the staff does not have any guidance for
     compensatory measures.  We rely on fire watches.  Those used to be
     required by the tech specs.  The tech specs for fire protection have
     been eliminated from the standard tech specs.  So therefore the fire
     watch requirements basically have been eliminated -- or I shouldn't say
     eliminated, but captured by licensees' programs which they can change
     under 50.59.
         DR. POWERS:  Now when you say that the fire protection's
     been eliminated from the tech specs, it is the case that the plants have
     been encouraged to eliminate them from the tech specs and many but not
     all have.
         MR. MADDEN:  Yes.  There is only a handful that have not,
     but many have, and basically that dealt with the operability assessments
     of fire protection systems and the testing and maintenance -- or the
     testing of those systems.  So that's all been captured by the fire-
     protection program plan which is referenced by the FSAR, which in turn
     is identified by the license condition.
         DR. WALLIS:  Can you give guidance on the integrity of the
     protection system itself, so that when you start up the pumps the pipes
     don't break as a result of water hammers and things like that?
         MR. MADDEN:  Well, that's an interesting question.  I think
     you're probably familiar with the Waterford event.  That in itself was
     probably a classical what I want to call design error where you had a
     standpipe that exceeded the height of the -- or the height of the pump
     or actually put pressure on the underground.  That in my opinion is not
     within the scope of what -- that should have been caught in the review
     phase or design phase or the design basis.
         DR. WALLIS:  I read this as the analysis after this event,
     and there was all kinds of checkoffs that they didn't do this, they
     didn't do that.  There were various things.  But none of them seemed to
     refer to the fact that the standpipe somehow was poorly designed.
         MR. MADDEN:  Right.  You're absolutely correct.
         DR. WALLIS:  So is that now something that --
         MR. MADDEN:  In the reg guide, that event would be factored
     into the design attributes for fire water system, supply system.
         Another area that there is some confusion is circuit
     analysis, and we believe that clarification or additional guidance may
     be needed in that subject area.
         How the schedule looks for this, and it's probably self-
     explanatory, but hopefully somewhere in the September '99 time frame
     we'll have this reg guide fully pulled together in some kind of final
     stage and be presented to the public for public comment.
         I don't think I want to dwell too much on schedule or
         The only thing I'd like to say about the reg guide is the
     reg guide is basically laid out in the functional aspect to explain the
     fire protection attributes that are required to maintain what we call
     the fire protection elements of defense in depth, and the structure of
     the reg guide is to try to lay that out in some kind of logical fashion
     that tells you what the program goals and objectives are with respect to
     defense in depth, explains what we call the first level, which is fire
     prevention, what our expectations are with respect to fire prevention.
         The second would be what our expectations are with respect
     to fire detection and suppression.
         And the third would be what our expectations are with
     respect to building design, passive features, and the protection of safe
     shutdown capability.
         That's about all I'd like to say on the reg guide.  Does
     anybody have any questions?
         DR. POWERS:  The Members do have in their books the outline
     of the reg guide.  I guess I have a series of some detailed questions
     just to ask about it, but I would like to invite Professor Apostolakis
     to reiterate before the full Committee some of his thoughts about the
     regulatory guide.
         Didn't catch you flat-footed, did I?
         DR. APOSTOLAKIS:  I guess my biggest concern is why this
     Guide is not risk-informed and I understand that you have an SRA, or
     guidance from the Commission -- actually, more than guidance, a
     direction to pull together all the existing requirements into one
     document.  And I saw in your schedule there that you spent about a year
     or event less preparing this Guide, from April of '98 until April of
     '99, something like that.  So -- oh, you will release it for public
     comment in --
         MR. MADDEN:  September of '99.
         DR. APOSTOLAKIS:  September '99.  So it will take the usual
     two years.  So I was wondering, even though you have this direction from
     the Commission, why can't we make this as risk-informed as we can?  I
     mean would it really take that much extra work?
         MR. MADDEN:  Well, I think you are asking the wrong person. 
     Maybe you should be asking the Commission, but I will give you my views
     on it.  I mean I think that is what you want to solicit is my views.
         DR. APOSTOLAKIS:  Yes.
         MR. MADDEN:  Okay.  You know, I can see, number one, that
     this document we are doing is in parallel with the NFPA activities, and
     I can see that this document could be risk-informed.  And let's say we
     get into these activities where we think the NFPA is not doing what we
     need it to do.  Now, I have a basis of a document where I have the
     descriptive, or what I want a description of all the fire protection
     requirements or guidance into one -- and the deterministic aspects into
     one document.
         It would be very easy now to, since I have that lined up, to
     look at each one of those elements, because it will be in some logical
     format, to ask myself which ones can be risk-informed and which ones now
     can we shift to, say, yeah, we could take a performance-based -- a
     purely performance-based approach towards implementing?  That would be
     an easy effort to revise a Reg. Guide, and the staff to revise that Reg.
         DR. APOSTOLAKIS:  So --
         MR. MADDEN:  It is a tool.  I mean it could be a tool to
     where we could go in that direction, if we decided that NFPA 805 is not
     doing what we want it to do, you know.
         DR. APOSTOLAKIS:  And if you decide that it does, you just
     adopt it?
         MR. MADDEN:  If we decide it does, then -- this is a process
     that hasn't been fully decided yet, but when we do the rulemaking, you
     can give an option.  The voluntary option would be to go 805, purely. 
     In my opinion, it should be a performance-based, risk-informed standard
     without deterministic methods in there except for some baseline, what I
     want to call baseline, you know, level of safety for plants.
         And then the other aspect would be if they want to stay with
     their current program and make changes, et cetera, et cetera, they could
     stay with the Reg. Guide tone and look at what the staff's expectations
     are and make those changes within the bounds of the deterministic
         DR. APOSTOLAKIS:  Now, you mentioned the rule, when is this
     rule coming up?
         MR. MADDEN:  Well, that rule would be -- it is down the road
     a ways, George.  And the reason it is down the road is because we have
     to get all these elements in place.  We have to satisfy not only us, but
     we have to satisfy to you, some of your concerns.  We are going to have
     to satisfy the Commission's concerns.  We are going to have to satisfy
     the public's concerns.  So it is going to be down the road a little way.
         DR. APOSTOLAKIS:  Now, I remember that someone, I think it
     was Steve, mentioned that it will take another five years before we have
     a risk-informed Regulatory Guide.
         MR. MADDEN:  That is probably optimistic.  But, yeah, you
     are right, another five years.
         DR. APOSTOLAKIS:  Five years, again, I will repeat my
     favorite statement, will be 2004.
         MR. MADDEN:  I have got it written down.
         DR. APOSTOLAKIS:  And that will be 30 years after the
     publication of draft WASH 1400.
         DR. SHACK:  A suitable anniversary present.
         DR. POWERS:  Well, I mean, in fairness, George, we are
     speaking in an area that is -- is a niche within the overall risk
     assessment, and I don't think you can claim that we have had 30 years of
     the same kind of activity in fire risk analysis that we have had in risk
     analysis of operating plants.
         DR. APOSTOLAKIS:  Okay.  I was about to correct myself.  The
     reactor safety study, it is true, did not do a fire risk analysis.  A
     more appropriate time to start counting from is 1981 when the Zion,
     Indian Point PRAs were published and they showed, using a risk based
     fire analysis -- assessment of the plant, that, indeed, fire was up
     there among the dominant contributors.  So, from '81 to 2004 is 23
     years, so we haven't hit 30 yet, so I guess it is all right.
         DR. POWERS:  So you can see how much more aggressively we
     are pursuing risk-informed regulation within the fire community.  Steve.
         MR. WEST:  Can I add something, Dr. Powers?
         DR. POWERS:  Certainly.
         MR. WEST:  I am Steven West, I am the Chief of the Fire
     Protection Engineering Section, NRR.  I think maybe Pat said this, but I
     am not sure.  Basically, we have proposed to the Commission, and they
     agreed, that we would have, really, two parallel paths.  We would have a
     deterministic path, which is today's current licensing basis, and that
     is what the Reg. Guide is designed to clarify.  And then as an
     alternative, a voluntary alternative, we would have the NFPA 805
     standard, which we would, if it is acceptable, endorse it through
     rulemaking.  So we will have the performance-based, risk-informed
     process that way.
         But it doesn't mean that, even though we have a
     deterministic Reg. Guide, it doesn't mean that licensees today can't use
     risk information to support their analysis or changes to their fire
     protection programs, and they are doing that.  And it could be that at
     some point, maybe not in the first version of the Reg. Guide, but maybe
     a later version, as the methods and tools develop, that we would have an
     appendix or something that would provide specific guidance on using risk
     information to support program changes.
         DR. POWERS:  Certainly what I understood to Mr. Madden to
     say was that, no matter what, you are going to need this Reg. Guide,
     because you fully anticipate that there are, no matter what options you
     put out there, there are some plants that are going to adhere to their
     existing fire protection programs, and that could be a sizable fraction. 
     We have had various forays by the industry and its representatives
     suggesting a move to risk-informed regulation and those haven't been
     greeted with open arms by the industry itself.  They have grown fairly
     comfortable with Appendix R, apparently, and the nearly equivalent
     branch technical position.  And so this Reg. Guide is useful regardless
     of what happens in the future.  And that seems like a very plausible
     rationale to me.  I just don't have any troubles with that.
         DR. APOSTOLAKIS:  So one could use Reg. Guide 1.174 to
     propose changes in the fire --
         MR. MADDEN:  Oh, yeah.
         MR. WEST:  Yes.
         MR. MADDEN:  Absolutely.
         DR. APOSTOLAKIS:  Nobody has done that yet, right?
         MR. MADDEN:  No, not specifically.  But, yes, they could. 
     Then we would have to consider Reg. Guide 1.174.
         MR. WEST:  Let me just add that there could be licensees out
     there applying Reg. Guide 1.174 to make changes but we don't -- we don't
     know it.
         DR. POWERS:  Sure.
         MR. WEST:  We haven't come across them yet, but it is
         DR. POWERS:  Actually, I think it is almost a little
     surprising that they haven't and it may speak to the state of
     development of some of risk analysis tools that we haven't seen more in
     that area.  Because it seems -- the delight in risk analysis and fire
     protection is there is a complete alignment between defense-in-depth and
     the risk analysis, and it should be a very straightforward task, but I
     think what we have understood from the research program is that the
     development of those tools for carrying out the risk analysis, there is
     still room for substantial development there.
         MR. WEST:  And one other thing that came up in the
     Subcommittee meeting with the -- I think probably the staff
     presentation, and also the NEI presentation on the circuit analysis
     issue is that NEI is working on developing, or using risk information to
     help deal with that issue.  So that is an issue where we expect to use
     that under today's regulation and --
         DR. POWERS:  We actually have an interesting two paths there
     as well.  We have one body of the industry looking to use risk
     information and one body looking to use the more prescriptive
     To attack circuit analysis problems.
         MR. WEST:  And hopefully they will complement one another.
         DR. POWERS:  Pat, I have a few microscopic questions here to
     ask.  Looking through the various headings in the outline, it struck me
     that there was not a heading that seemed to address the issue of what is
     and what is not a reportable fire.  Is that not something that should
     appear in a regulatory guide?
         MR. MADDEN:  That's a pretty loaded question and it's a
     pretty good debate right now.  I mean, what is reportable?  I mean,
     under the current criteria, reportability is a fire that lasts for ten
     minutes or greater.  Is that a trash can?
         You know, the severity of fires are totally different.  I
     mean, if it's a fire that involves an oil spill that's put out in two
     minutes, that may be more severe than a fire that involves a trash can
     that's put out in ten minutes.  But the fire that is a trash can fire
     that lasts longer than ten minutes would be reportable.
         So, you know, there's some fundamental questions about the
     adequacy of reportability and how you would capture that in a reg guide
     until we come to some kind of grips on what should be reported and what
     shouldn't be reported.
         So to answer your question in short, that's probably why we
     ignored it.
         DR. POWERS:  Well, I don't think -- I mean, it seems to me
     that ignoring it doesn't help.
         MR. MADDEN:  No.  No, but it's been a question that's been
     on the plate several times.  What should be reported?  Should precursors
     be reported, or should actual -- only actual fires be reported?  Should
     events that cause smoke or combustion byproducts be reported, or just
     that flames be reported.
         DR. POWERS:  Even if it's nothing more than to lay out the
     issues or to create a heading in this reg guide to be filled in at some
     future time, it seems to me a useful thing.
         MR. MADDEN:  Okay.  Well, I'll make a note of it and we'll
     consider it.
         DR. POWERS:  The outline does have, if memory serves me, a
     one-line entry dealing with the interface between the onsite and offsite
     firefighting crews.
         MR. MADDEN:  Right.
         DR. POWERS:  And I wondered if that didn't merit more
     headings in the outline, that is, I was thinking of headings that who's
     in charge, radiation safety for the offsite firefighters, things like
     that as subheadings under that category.  I mean, it is a -- it may well
     be that you intended to treat them.  I'm working from an outline trying
     to understand what's going on in here, and it struck me that those were
     important things to address specifically.
         MR. MADDEN:  Yes.  The logistics of offsite assistance would
     have to be somewhat spelled out, you know, and that -- but that's pretty
     unique to each site depending on the State laws or the local laws.
         I mean, there are laws in New Jersey, for example, that
     prohibit offsite fire departments from coming onsite.  So that's why
     Salem Hope Creek has its own fire department.  So, you know, we'd have
     to take all that into creation.
         DR. POWERS:  Yes.  I mean --
         MR. MADDEN:  Yes.
         DR. POWERS:  It's a complicated topic, and consequently it
     seems to me it deserves some attention in the reg guide.
         MR. MADDEN:  Yes.  I would agree.
         DR. POWERS:  It also struck me that -- my first reaction is
     gee, this reg guide does not address shutdown and decommissioning
     plants, permanently shut down.  But of course there's another reg guide
     that addresses that.  And I wondered if there doesn't need to be an
     applicability heading that specifically calls out that alternate -- that
     reg guide for the shutdown and decommissioning plants.
         MR. MADDEN:  Yes.  I mean, that's an easy reference.
         DR. POWERS:  Yes.  I mean, that's no more than I was looking
     for was just a -- those are the -- other than that, if Members have not
     had a chance to look at the outline, you can get a quick assessment of
     the length and the breadth of the amount of guidance that's out there by
     just paging through it, and I think it must run, what, seven pages long,
     six pages long?
         MR. MADDEN:  Yes, the outline is seven pages.
         DR. POWERS:  Yes.
         DR. MILLER:  I did have a microscopic -- a couple of them, I
         DR. POWERS:  Microscopic questions are fair here.
         MR. MADDEN:  Yes, they are.
         DR. MILLER:  Scattered throughout the reg guide are
     references to electrical issues, and we already mentioned that the NEI
     has a circuit analysis resolution program.  In there is such things as
     -- I'm going to read from just one, but under electrical raceways, fire
     barrier systems on page 29.
         It says guidance will be provided relative to design
     application of these assemblies.
         Now I see other places have the same kind of a statement,
     guidance will be provided.  Now is that guidance in the process of being
     developed or we know we're going to find it or --
         MR. MADDEN:  No, we've got it already.  It's not being
     developed, but raceway fire barrier systems and the guidance for testing
     and the development of those systems is already established.  That's
     Generic Letter 86-1 -- or 86-10, Supplement 1.
         DR. MILLER:  Are you going to use the Generic Letter 86 --
         MR. MADDEN:  Yes, we'll just bring that information forward
     and incorporate it into this reg guide.
         DR. MILLER:  The reason I'm raising that is IEEE 384 has a
     whole lot of guidance in these areas.
         MR. MADDEN:  Which IEEE standard?
         DR. MILLER:  384.
         MR. MADDEN:  384?  That's on separation, and that's barriers
     that are specifically for interdivisional fires.  And what we're looking
     at is total-room-engulfment type fires.  So there's a difference between
     the two barriers, and I think what we look at also is Reg Guide 175,
     separation and those physical barriers.
         DR. MILLER:  175 I thought endorsed an earlier version of
         MR. MADDEN:  Yes.
         DR. MILLER:  This is a later version, which has a lot more
     -- I didn't have a copy of it until recently.  It has a lot more detail.
         MR. MADDEN:  Yes, but 384 barriers do not provide the fire
     resistance that we need for a total -- what we call an exposure-type
     fire.  So we've come up with a standard that -- or a generic letter
     which provides that level of protection.
         DR. MILLER:  So you think there's enough detail in 86-10 to
     do this.
         MR. MADDEN:  For the fire protection aspects, but for
     electrical separation and what I want to call divisional fires, you
     know, electrically originated fires in cable trays, the three-foot,
     five-foot type separation and physical barriers that are used to isolate
     that, that may be something that we need to refer to another standard
     for that type --
         DR. MILLER:  So you looked at the 384 -- it's '92 version.
         MR. MADDEN:  Yes, we looked at it.
         DR. MILLER:  Because it looked to me like they were fairly
     consistent, although far more detailed in 384.
         MR. MADDEN:  Yes.  We'll take a look at it again, though.
         MR. BONACA:  Mr. Chairman, I have a question, and I don't
     know if you have the answer for me, but there have been IPEEEs performed
     for all the units, and I don't know what kind of information we get from
     those IPEEE regarding the adequacy of current fire protection.  You
     know, I don't know if anybody has an answer to that.
         DR. POWERS:  We did go over the latest status on the IPEEE
     reviews and insights program.  If you look at some of the bullets we put
     down underneath that, I guess I have to admit I was as little
     disappointed in how far along we were.  It's still a work in progress. 
     So to say have we derived the insights, I think the answer is no, we
     really -- we haven't done enough yet to do that.  But it's also equally
     true that there seems to be the intention to do that.
         We do have I guess the originally scheduled speaker for the
     IPEEE program with us today.  Nathan, would you like to add anything
     about that?
         MR. SIU:  Only to extent that there is a preliminary
     insights document that was given to the Committee a little while ago, so
     if you want to get some indication as to what's happening, the kinds of
     insights that have been generated, that is one place to look.
         DR. POWERS:  But those are fairly -- in fairness to that
     document, I think I could have written it before the IPEEEs were even
     submitted, diversity of methods, the fire can in some cases being
     important, things like that.
         I think the detailed insights are the kinds of things that
     we saw from the IPE insights document, still awaits completion of all
     the reviews.
         MR. BONACA:  Yes.  Because it seems to me the drive towards
     the risk-informed regulation in this particular area should be
     commensurate to the insights we get from this program regarding adequacy
     of current regulation.  If we found that current guidelines are
     adequate, and we get good protection for fire, then the drive to move,
     it's much less.  Conversely, you know, a list from some of the IPEEEs
     have seen, have seen a significant, you know, contribution from fires to
     risk, and so I just wonder how much of that is tied to inadequacy of
     fire regulation.
         DR. POWERS:  I agree with you, the things that you see,
     anecdotal accounts or brief descriptions on individual plants, you say
     gee, you know, I didn't really expect to have those kinds of numbers in
     the face of Appendix R.  I wonder if Appendix R is adequate.  And then I
     thought more about it, and I have come to a tentative conclusion that I
     would appreciate comments from the staff about --
         MR. CHANG:  Okay.
         DR. POWERS:  I'll get back -- let me finish here and I'll
     get back to you.
         Tentative conclusion that I can't jump to that conclusion,
     that the tools that are being used have sufficient limitations in the
     IPEEEs or sufficient doubt surrounding them that it may only reflect the
     adequacy of the tools used for the IPEEEs.
         So, you know, the initial reaction, gee, surprised that you
     do so badly with Appendix R, I think I have to temper that with well,
     maybe our tools that we used for the IPEEE aren't good enough.  That's
     my current thinking on the subject.  I would appreciate hearing from the
     staff on what they think about my thought on the subject.
         MR. CHANG:  I'm John Chang.  I am intimately familiar with
     the IPEEE program.  In regard to the IPEEE program, granted there's a
     lot of limitation in regard to what tools we have, but overall all the
     tools are sufficient for us to serve our purpose, to identify what is
     potential vulnerabilities at the plant, even though we know there's
     certain limitations.  There's also some insights we did not find in the
         The insight report did not give us the entire picture
     because that's only a very preliminary insight, that because of the
     Commission wants to see what insights, so it's barely summarized -- 25
     plants we reviewed -- but one important findings.  Probably in the past
     none of us anticipated that the fire would be such a horrendous
     contribution to the risk.  I think that is a very significant insight. 
     Without IPEEE program none of us familiar with IPEs would be able to
     know that fire contributes rather significantly.
         Second, in regard to the fire IPEEE itself there is also
     something we found out, the SISBO itself, self-induced station blackout,
     which are not appearing in other past PIs which have a very high
     potential to cause some significant core damage.
         In the evaluation Quad Cities is another one we still are
     evaluating.  We did not have the entire picture and we also know that
     Dresden is also revising their IPEEE submittals because of all those
         Aside from fire, there's a lot of things found in the
     seismic as well as high wind and flood areas.
         I think the whole thing is right now to draw the conclusion
     IPEEE did not contribute anything or would not review any insights -- I
     think it probably premature to say that.
         DR. POWERS:  I think what we learned here is that I need to
     temper my judgment on this that indeed something has come out of these
     that we didn't get, that some of the vulnerabilities appear to be real
     and not a function of the tools.  I think the speaker was absolutely
     correct about that, that the vulnerabilities or the limitations on the
     tools don't affect those kinds of conclusions, so maybe I need to temper
     my comments a little bit, and I noticed the Staff saying yes, temper
         MR. BONACA:  I still feel that it is an important point that
     these programs like IPEEE are important to identify shortcomings in the
     industry but also to identify shortcomings in regulation, and the degree
     to which we have to pursue that kind of understanding from this program
     I think we should aggressively pursue that because I think there must be
     some way in which we can evaluate current fire protection requirements
     based on the body of insights.
         I mean it is broad enough where you can eliminate the
     uncertainties and make some judgment regarding are we applying the
     proper protection where it really should be, and the conclusion may be
     that we don't.
         DR. POWERS:  It could be that we are too much on one and not
     enough on another.
         MR. BONACA:  Yes.
         DR. POWERS:  That serves as a pretty good introduction to
     the other topic that we have brought forward to the full Committee, but
     let me ask if there are any other questions concerning the Reg Guide or
     any points that the Staff wants to make about the Reg Guide?
         [No response.]
         DR. POWERS:  I will ask the members to think whether we have
     anything to communicate on the Reg Guide that has not been adequately
     communicated here, so we can decide whether we need to write a letter on
     the Reg Guide.
         We come now to the NFPA 805 and I think it is useful to go
     back into history, especially for some of the newer members -- all that
     has transpired over the years in connection with fire protection codes.
         We have had for some time the rather prescriptive Appendix R
     and we can't speak of that with disdain because Appendix R really was an
     aspect of the regulations that our former incarnation of the ACRS worked
     hard to help develop and push into the regulations.
         But it is quite a prescriptive set of regulations.  It is
     not inconsistent with fire regulations with how prescriptive it is in
     comparison to things that you find in industrial standards.
         Four or five years ago there was a proposal to have Appendix
     S that would make a risk-informed or more performance-based alternative
     to that.  That led to a promise by the Staff to investigate the
     possibility of having a performance-based alternative to Appendix R, but
     about the time work started to -- thought about being initiated on that
     there was a proposal instead to have the National Fire Protection
     Association host or sponsor or convene a group to develop what was
     advertised to be a performance-based fire protection standard -- code.
         That group from the NFPA was very generous with their time
     and appeared both before subcommittees and the full Committee to
     describe their aspirations, and in the course of those discussions the
     Committee asked that they also consider risk information and they
     certainly moved aggressively in response to our suggestions.
         There's been about nine months I guess of activity in trying
     to develop this fire protection code and we now have a draft of that
     code.  It is one of several opportunities that are made to get input
     into the code from outside the group that is actually working on it, and
     so it is by no means intended to be a final version of the NFPA 805 but
     I think we can see the general thrust of the development of that fire
     protection code.
         The Committee had been proselytized for several years that I
     am aware of by one of its members about the one-page fire protection
     code that is performance-based and what-not.  This is very definitely
     not that one-page fire protection regulation and it will not detract
     from the speaker's presentation by trying to outline it, but it is far
     from clear to me that this fire protection code meets the expectations
     we had for an alternative to the existing regulations, and I think that
     is the question that the Committee has to address in its
     deliberations that it has today on this subject is is this fire
     protection code close enough to the alternative we had in mind to be
     supportable or is it so completely off the mark that we should encourage
     people to think about a third alternative.
         I think that is the question we have to address.
         With that introduction, I will turn to our speaker.
         MR. MADDEN:  Thank you.  I will try to take you through it. 
     I am not going to get into the NFPA process or anything like that.  I am
     just going to try to take you through a little bit of the code or the
     standard I should say and what the standard is trying to do.
         The basic scope, and I have got it outlined here, it's a
     comprehensive fire protection standard to protect the safety of the
     public, environment, and plant personnel as well as limit potential for
     economic loss.  It's a pretty hefty scope.
         Some of the goals that the standards committee is focusing
     on right now is of course nuclear safety.  Our primary focus is on
     reactor fuel safety and that may be a little bit different train of
     thought than the current regulatory requirements, also, looking at
     radiological release, life safety aspects, and then, yes, the final
     attribute is property damage.
         Looking at the overall performance objectives or the
     objectives that the standard is trying to accomplish is looking at
     nuclear safety the standard is focused primarily on reactivity control
     and fuel cooling.  With respect to radiological release it's looking at
     no significant additional risk to life and health, and the other is no
     additional risk to the society as a whole in general.
         Other classical attributes of the standard will be of course
     life safety of not only plant personnel and evacuation of plant
     personnel in the event of a fire and to protect those paths for egress
     or exit from the structure, but it is also to provide some form of
     protection to operations that may have to do manual manipulations
     remotely in the plant or in close proximity to the area that may be on
         So there's discussions going on on how to accomplish that
     and what kind of performance criteria would be used to try to achieve
     that type of objective or goal.
         DR. POWERS:  Now within the regulatory context, that is,
     what the NRC does, making it possible for the operators to achieve and
     maintain shutdown of the reactor and coolability of the core of course
     is an objective of our regulations.
         MR. MADDEN:  Yes.
         DR. POWERS:  But life safety itself is not?
         MR. MADDEN:  That's correct.  Now --
         DR. POWERS:  And property damage is not?
         MR. MADDEN:  Yes, that's correct.  I mean we are driven by
     GDC-3.  Now GDC-3 says or it basically communicates that we shall
     provide protection for structures, systems, and components important to
     safety, so some of our guidance documents do look at safety-related
     components and we do provide certain minimum levels of fire protection
     for those components, and it includes not only safe shutdown components
     but accident mitigation components.
         DR. POWERS:  These two elements, life safety and property
     damage, are a major focus, important focus in the NFPA standard?
         MR. MADDEN:  Well, that's an ongoing debate in the
     committee.  There's some debate going on as to what will the regulatory
     authority adopt as a part of this standard if we -- if we endorse the
     standard, is the NRC going to endorse it in its entirety or are we just
     going to endorse it within our purview of what we currently regulate, so
     that is a big debate and where do you draw the line as far as life
     safety.  If you go to classical life safety and adopt a building code, a
     lot of these plants are not built to that form or shape -- you know,
     compliance with the building code, so there may be, you know, some
     concerns right off the bat that these plants should be exempted from
     life safety, so there's been a lot of discussion on that in the
         The other thing is the property damage.  Basically they want
     it left up to negotiation between the utility and their insurance
     company and how big a premium they want to pay, so there's some debate
     there going on.
         This slide is wrong, and George will probably correct me
     again.  The actual nuclear safety criteria that we are trying to
     accomplish is to -- main reactivity control K effective of less than
     .99, it is not one.
         Now, we are also -- we are also, you know, looking at fuel
     cooling, and this is where we kind of depart.  And we are focusing on,
     or the Committee is focusing, I am not saying the staff, but the
     Committee is focusing on the design limits of the fuel, not exceeding
     the design limits of the fuel.
         Now, where we have been in the past with Appendix R is that
     we have never gotten down to approaching the design limits of the fuel,
     we have always maintained the reactor covered with water or, you know,
     above top active fuel in a BWR and within the realm of the pressurizer
     for a PWR.
         Radioactive release, the standard right now is endorsing
     whatever the criteria is under 10 CFR Part 20, so that is where it
     stands right now.  And, of course, I, you know, gave you little insights
     on the life safety aspects and some of the debate that was going on from
     the last meeting is that we are back into debating on what is
     appropriate for life safety with respect to protecting operators, and
     what is appropriate for the NRC with respect to getting involved with
     property damage and business interruption.
         DR. WALLIS:  How does this work out with combined effects? 
     If you have a fire in containment which leads to a LOCA, you have got
     two things to worry about.
         MR. MADDEN:  Well, there is some really crazy assumptions. 
     Well, first of all, that would deal with or get into -- first of all, we
     would hope that the fire wouldn't be severe enough to cause any piping
     degradation to cause that LOCA.
         But, for example, let's say you had a condition where, you
     know, you have cables associated with PRV, and you had a fire in the
     containment, and what I am speaking of now, I am going to sit here and
     speak a little bit about current regulation and how we would perform
     that attribute, is that we would look at the severity of the fire,
     assume that the fire does occur, and if the cable is in an associated
     area, we would look at it failing into an adverse condition.  And if it
     failed into an adverse condition with significant consequence, then we
     would provide some level of protection for that cable or, in the event
     of a PRV, if it had an associated block valve, we would look for the
     routing of that block valve to make sure it is on the other side of the
     containment so that the PRV could be isolated?
         Now, how is that going to happen here?  It is still a little
     sketchy.  There may be some modeling attributes associated with it, and
     there may be some classical deterministic paths associated with the
     standard.  So it becomes -- you know, when you start looking at other
     phenomena piled on top of the fire, this standard is not very clear on
     what it does in that realm.
         Basically, -- well, I should jump back.  It will require you
     to do an analysis.  Now, I want to couch this analysis.  The standard
     will require, basically, a plant-wide analysis, and I call it a fire
     impact/safety analysis.  I don't think that is referenced that in the
     standard, but it will comprise of fire hazard analysis.  It will also be
     your safe shutdown analysis, where you would actually look at cables,
     components, systems, cable -- you know, and what is needed to put the
     plant in a safe and stable condition.
         And then after all that is done, it will also integrate this
     risk assessment, or risk-informed approach to look at the associated
     risk with that type of protection scheme or that type of cable routing,
     or for those specific compartments that may be deemed risk sensitive. 
     So, it is kind of these are integrated analysis that has to be done in
     order to prescribe the level of fire protection that you need for each
     compartment, or each area of the plant.  So that analysis is basically
     mandatory and that is the basis of -- you need that analysis to
     implement the rest of the standard.
         In the standard we will have what I want to call baseline
     fire protection where everybody will be required to have a certain level
     of fire protection in their facility, and they will be mandatory
     requirements.  And those mandatory requirements will deal with
     administrative controls, you know, controlling welding and cutting,
     controlling what I want to call design combustibles, combustibles that
     are designed.  You won't all of a sudden abandon the idea of buying
     fire-resistive or fire-retardant insulation, for example, for HVAC
     ducting.  You won't move away from some of the classical reductions in
     fire hazards through design.
         You will also be required to have a water supply system, you
     know, fire pumps and underground mains and a delivery system.  The
     plants will also have to have manual fire suppression capability.
         DR. POWERS:  What I find peculiar about this standard is it
     is not just having a water supply, it is having a water supply with
     hydrants every 265 feet located along the main.  I mean this is not just
     have a water supply, this is a fairly prescriptive --
         MR. MADDEN:  Yeah, but I can tell you, Dr. Powers, that they
     are already there.  They are not going to jerk them out.
         DR. POWERS:  Of course they are.
         MR. MADDEN:  They are not going to jerk them out, at least I
     hope they are not.  They might, yeah, I mean if --
         DR. POWERS:  It would be surprising if they did.
         MR. MADDEN:  But the other aspect is with -- you know, and I
     think Ed brought this forward the last time, is that a fire hydrant can
     only effectively hydraulically withstand like 250 feet of two-and-a-half
     inch hose.  And so if you had, you know, and I understand where you are
     coming from -- if you are out, way out in the yard somewhere, why do you
     need a hydrant if there's no other buildings around there?  But, you
     know, these sites are not stagnant.
         DR. POWERS:  That's true.
         MR. MADDEN:  So, you know, they build a building, and then
     all of a sudden we have to have a hydrant, you know.  And the hydrants
     are twofold.  I mean it is not only -- in the standard it is not only
     nuclear safety, but it is also, there is property protection, again, and
     the exposure to nuclear safety components.
         DR. POWERS:  But, fundamentally, my difficulty I have is
     this construction, and maybe I should just let you go ahead and describe
     it, because it will become clearer to the rest of the Committee that
     this NFPA has a very unusual structure.  There are these sets of
     prescriptive front-end minimal requirements --
         MR. MADDEN:  Right.
         DR. POWERS:  -- and then there are sets of options which can
     be equally prescriptive or they can be performance-based, all wrapped
     within a fire risk assessment.
         MR. MADDEN:  Well, yeah, this --
         DR. POWERS:  No, I am sorry.  This part isn't wrapped, the
     other part is wrapped.
         MR. MADDEN:  Yeah, this is mandatory, but the other parts
     are wrapped.  But the risk assessment does consider this.  I mean this
     is the baseline fire protection even that would be considered in a risk-
     informed approach.
         So, the other portion of the standard that is being
     discussed is detection and alarm capability for the facility.
         DR. WALLIS:  All the systems are designed not to be damaged
     by the water which someone is going to spray on them to put out --
         MR. MADDEN:  You mean the safety-related systems?
         DR. WALLIS:  Yes.
         MR. MADDEN:  Yeah, there -- in GDC-3, there is a requirement
     that basically says that that should be taken into consideration in
     design of the plant.
         DR. WALLIS:  So some system can be heated up by the fire and
     then suddenly quenched by the water and it will not --
         MR. MADDEN:  It may not work.  It may not work, that is why
     you need separation.
         DR. POWERS:  The more troublesome issue in that regard is
     you put the water into a room that has a fire, will it drain someplace?
         DR. WALLIS:  Yeah, where else does it go?
         DR. POWERS:  Where else is it effected?  And that has not
     been so clearly addressed by the --
         MR. MADDEN:  The other aspects, all plants will have to have
     a fire brigade, some form of fire barrier.  Right now, the minimum
     requirement is just between buildings, you know, a fire wall that
     separates buildings.  And, of course, I talked about administrative
     controls, and then, of course, the implementing procedures for not only
     the administrative controls, but the surveillance, maintenance and
     testing of the baseline fire protection systems.
         DR. POWERS:  The fire brigade is the one I would like to
     address because it is an issue that you know will never disappear, there
     will always be a fire brigade of some sort.  But what you know is that
     the most expensive thing in the world, most expensive thing at a nuclear
     power plant is probably the people.  And you can imagine someone wanting
     to come in and, let's say, I would like to make some engineering
     tradeoffs.  I would like to spend capital once instead of hiring people
     twice, especially as OSHA keeps ratcheting up the requirements on my
     fire people.  I mean they have done it once and they will keep doing it.
         So let me set up my systems and I will make a super-duper
     fire suppression detection system.  I mean it is going to be the cat's
     meow, and I am not going to need these fire brigade people anymore.
         Why shouldn't that be an alternative for a licensee?  It is
     precluded by this standard, but why shouldn't it be?  Now, we know it is
     not going to happen, but we can look at this in the abstract, from a
     theoretical point of view.
         MR. MADDEN:  Well, theoretically abstract point of view, you
     will always need somebody to do complete fire extinguishment.
         DR. POWERS:  Yeah, but, see, they are not going to have one
         MR. MADDEN:  No, you can't.
         DR. POWERS:  With my super-duper system, you can walk around
     and say, yeah, it's out.
         MR. MADDEN:  No.  As soon as you go to one guy, like you
     said, you fall back to OSHA and he is going to need more than one guy.
         DR. MILLER:  That's right.
         MR. MADDEN:  Okay.  The other aspect is that, you know, --
     yeah, you are going to need at least two.  But your are going to -- you
     never know, when you shut that isolation, or you isolate that fire
     system, if you are going to have a reflash condition or whatever.
         The real aspect with the fire brigade is that, is the fire
     brigade a burden on the utility?  It is not a separate fire brigade, it
     is usually comprised of plant operators that are already on shift, or
     plant security guards that are already on shift, or plant maintenance
     people that are already on shift.  Those people have other jobs, they
     are not there just to be fire brigade members.
         To some degree where the burden becomes is the maintaining
     of the qualifications and the training of those people.  It is not
     dealing with the actual aspects of having a fire brigade.
         Now, the real thrust of the question would be is, what kind
     of performance criteria do you do to routinely test an individual's
     proficiency in fire brigade operations or fire-fighting operations in
     the plant?  And I think that is something that in the future needs to be
     explored.  It is not the aspect of economic burden on the plant with
     respect to having or not having a fire brigade, it is how you manage
     keeping those people qualified.
         MR. BARTON:  Isn't that required now?  They are doing now
     training and drills.
         MR. MADDEN:  Yeah.  Yeah.  But they -- I don't think it is
     done in the most optimum, sensible manner that it can be done.  That is
     just my opinion.  I am not working for the utility, but I think -- you
     know, I can only relate back to my experiences as a volunteer fireman,
     and when I used to train, you know, volunteer fire departments, is that
     we had proficiency drills and that is how we gauged performance.  And
     you could -- then if the proficiency drill wasn't adequate, then you
     would look at what attributes weren't, and then you would go back to the
         DR. POWERS:  What you are saying is that there is a -- it
     would not be difficult to set up a performance indicator for the fire
         MR. MADDEN:  What I am saying is that it would not be
     difficult to set up a performance-oriented training program for the fire
     brigade which had indicators in it that would tell you how to do
     additional training, or when you would have to do additional training.
         DR. POWERS:  So we could move the brigade down into the
         MR. MADDEN:  There's ways to do it, yes.  I am not saying
     there isn't.  But I am not saying that -- I don't think it is a good --
     when you get into cutting the size, a five man brigade is really a
     minimum size.  I mean right now you can only effectively put in in-
     service one hose stream with five guys.  And, you know, to have, you
     know, two guys on a hose line dragging a hundred feet of hose is a
     pretty difficult task.  And then two guys, the other two guys would have
     to be in standby or checking peripheral areas to make sure that you
     don't have any fire extension, or you are not jeopardizing other plant
     safety equipment.  So -- and you need one guy for command and control. 
     I mean you need one guy to coordinate with the control room.  So, you
     know, you are into the minimum level of people that you need.
         DR. POWERS:  I mean I don't argue that.
         MR. MADDEN:  I am not --
         DR. POWERS:  I am taking --
         MR. MADDEN:  So, but I am taking --
         DR. POWERS:  I am questioning the structure here.
         MR. MADDEN:  Well, I am --
         MR. WEST:  Dr. Powers, could I add something, my perspective
     to your original question?
         DR. POWERS:  Sure.
         MR. WEST:  It is the kind of question you like to have about
     a week to think about before you answer.  What came immediately to my
     mind anyway was that under your approach, you are cutting significantly
     into one of the layers of defense-in-depth, virtually stripping it away. 
     I mean you still would, under your approach, presumably, have an offsite
     fire department that would get there eventually.  But if you don't have
     a fire brigade, you are really cutting deeply into one layer of defense-
         DR. POWERS:  I guess I don't see that.  What are my layers
     of defense?  My layers of defense are prevent fires from occurring,
     detect and suppress, and protect the equipment.  Now, which one of those
     layers of defense am I moving out?  I have the humdinger of detect and
     suppress system.  I mean it is the cat's meow.
         MR. WEST:  I guess you are assuming somebody's going to come
     up with a 100 percent reliable humdinger system.
         DR. POWERS:  I don't think I have to come up with a 100
     percent reliable.
         MR. MADDEN:  What happens when that system goes out of
         DR. POWERS:  Well, I have got three of them, see.  They are
     multiply redundant.
         MR. MADDEN:  All right.  Here we go.
         MR. WEST:  I guess your question was actually rhetorical
         DR. POWERS:  No, I think I am following exactly the elements
     of defense-in-depth and I am saying you are telling me how exactly I
     have to address one of those defense-in-depth, when I think I ought to
     be able to make tradeoffs.  And the example I took is outrageous, but it
     was studied to take an outrageous --
         DR. SEALE:  You are getting into defense-in-depth question.
         MR. MADDEN:  I guess my response would be is that the
     baseline program is something that we felt, in the Committee, is
     necessary in order to compensate for the uncertainties associated with
     the upper tier analysis that may be done, and that we would always have
     a minimum level of defense-in-depth applied to these plants.
         DR. POWERS:  I think that that argument just really -- I
     accept that argument when we are talking about reactor operations.  When
     I look at the way we have constructed fire protection, there is perfect
     alignment between risk analysis and defense-in-depth.  I have quoted
     already what the elements in defense-in-depth -- you are better are
     reproducing the words than I am.
         MR. MADDEN:  Yes.
         DR. POWERS:  But I have quoted what the major ones are.  And
     it is not like defense-in-depth is used as something in addition to
     compensate for uncertainties in the fire risk analysis.  It is the way
     we do fire protection.
         MR. MADDEN:  Well, in a perfect world, if you could design
     these systems, qualify them, et cetera, to the application that you want
     to apply them, I would agree with you, but right now we are taking
     store-bought stuff that is built for office buildings and low ceilings. 
     I mean like for a fire detector, for example, it is qualified by UL on a
     15 foot ceiling.  Okay.  So we are putting it on a 60 foot or a 40 foot
     ceiling.  What does that do to its ability to rapidly detect a fire?
         You know that's our defense-in-depth approach.  The other
     thing was the suppression systems.  We put them in but then we obstruct
     them with cable trays, conduits, HVAC, piping, et cetera, et cetera, so
     what is that doing to the actual what I want to call the ultimate fire
     suppression system.  I mean in a building like this, they are all at the
     ceiling, fully visible, et cetera, et cetera.  You go to a nuclear plant
     you find repetitively modifications that obstruct the fire protection
         DR. POWERS:  But you see, you are doing no more than what I
     am doing --
         MR. MADDEN:  Yes.
         DR. POWERS:  You are saying I've got all these flaws in my
     existing system and so I am going to have this back-up, human people. 
     In fact, your automatic suppression systems aren't expected to put the
     fire out.
         MR. MADDEN:  Exactly.
         DR. POWERS:  You are expected to be done by the human being.
         MR. MADDEN:  Well, it is not only that.  We are expected --
     yes, complete extinguishment is always, even in the current standard in
     our NFPA-13, complete extinguishment of a fire is expected to be done by
     human beings.
         MR. SIU:  If I may add, Dr. Powers, I think you are right
     that if one were to take a perfectly clean slate and allow yourself the
     triple redundancy system and so forth, in principle maybe you could
     develop a system that would -- or you could develop a performance-based
     approach that would address this issue.  I think the Committee has been
     much more -- tried to restrict its activities much more to what they
     felt was a practical approach where they are taking certain things that
     exist right now as basically this is the starting point and they are not
     looking at major perturbations.
         DR. POWERS:  Well, I think that is the exact -- exactly
     true.  They are not looking at a major perturbation, and the question
     this Committee has to wrestle with is were we looking for a more major
     perturbation?  Why couldn't we go in and say look here, we expect you to
     have a process for preventing fires, and it should function to this kind
     of a performance level, and we will define these performance monitors
     for it.
         Why couldn't we then say we expect you to have the
     capability to detect and suppress fires, it should work to this
     performance level and here is a monitor for it.  You should have a
     system for protecting the safety-related equipment against the effects
     of fires and it should work to this level of performance and here are
     the performance monitors, and then dispense with all this conventional
     wisdom on how to do fire protection because they can draw it from other
     sources -- it is well-known stuff -- and say that well-known stuff gives
     various alternatives with which one can achieve these performance
         Isn't that what we are looking for in a performance-based
     alternative to the existing regulations?
         MR. SIU:  I think you are also looking for something that
     people feel can be adopted practically within a relatively short
     timespan.  We don't want to wait the next 30 years before get it.
         DR. POWERS:  Well, as the speaker just pointed out, most of
     this stuff is already there.  Most of this -- they are not going to jerk
     it out.  As to quote the speaker, why can't you say look here, I have
     all of this stuff that I put in here and ask me about its performance. 
     Don't ask me if the hydrants are separated by 265 feet or not.  Does it
     do its job?
         MR. MADDEN:  I mean you could very easily write that fire
     hydrants should be distributed appropriately in order to institute an
     effective stream anywhere on site.  I mean you could do that.  That is
     the language of I think what you are going after.  I mean that could be
         DR. POWERS:  Well, I have interrupted the presentation.
         MR. MADDEN:  No, it's all been very good interaction.
         DR. SEALE:  Exciting.
         MR. MADDEN:  Yeah, really.  You're right.  Maybe I should --
     well, I'll go through this but I think what I should do is jump to that
     triangle and I think the triangle, I think I can talk around that
     triangle and that may help a little bit about briefing everybody else as
     far as I really think the thing is like this.
         DR. POWERS:  Yes, I agree with you.  It should be upside --
     it's put up the wrong way.
         MR. MADDEN:  It is put up the wrong way.  I think it is
     really like this and if you look at the flow charts in the standard,
     that is really where it is, because you start at the bottom and work
     your way up.  It is not you start at the top and work your way down.
         The elements of how this thing is going to flow is that
     every plant will be required to have this baseline fire protection
     program, as I explained.  Then after you have done your analysis and you
     look into what you need to protect with respect to the analysis and part
     of that analysis will be doing an engineering evaluation, of course
     qualitative and quantitative.  Fire modelling will go into this
     performance-based analysis, and then of course you would gather your
     risk information and do what we call a site-wide risk evaluation.
         In the middle section where it says deterministic and
     performance-based, they have a deterministic section right now in the
     draft that says if you meet this, you're done -- you don't have to do
     any more, or you can jump over here and do this performance-based part
     and do these evaluations that I just talked about, I mean in more
         You know, right now the discussion is -- part of it was
     based on the last discussion that we had here at the ACRS.  Some of the
     discussion going on is why do we have that?  If it is going to be truly
     performance-based, and we are going to accept having a baseline program,
     then the next level ought to be looking at the performance-based
     attributes and how to do that and putting down that form of criteria on
     how to satisfy the goals and objectives of the standard, and that really
     wrestling with listing another whole deterministic set of criteria that
     may conflict with the current deterministic criteria.
         So that is kind of what is going on right now in the
     committee is a discussion on that topic, specifically in the Chapter 3
     attributes which deal with baseline but they also deal with the design
     of fire protection systems to satisfy the performance-based goals and
     objectives of Chapter 4.
         DR. WALLIS:  Can I ask you about deterministic?
         MR. MADDEN:  Yes.
         DR. WALLIS:  What is the state-of-the-art of predicting how
     well a fire protection system will work?  Isn't it somewhat iffy in
     terms of analysis and modelling?
         MR. MADDEN:  The actual actuation of a suppression system,
     when it is going to actuate?
         DR. WALLIS:  No.  If you have a fire --
         MR. MADDEN:  Right.
         DR. WALLIS:  -- how much water, where do you need to put it
     out, how will the fire evolve and so on -- isn't that a fairly iffy
     area, even worse than some of the thermal hydraulic fields?
         MR. MADDEN:  As far as the models go, with respect to
     predicting fire growth based on some limited input, they are very
     limited.  It is user-defined input on fire growth right at this time so
     I would have to come up with or develop the database that would tell the
     model what to look at with respect to time and energy being put into the
     mathematical computations.
         Now with respect to like sprinklers I mean we can look at it
     based on history and various fuels and past research.  You can look at,
     like for sprinkler applications what kind of water densities that you
     would need in order to control that fire.
     And then you would hydraulically design that system to deliver that
         DR. WALLIS:  That's what you mean by "deterministic"?
         MR. MADDEN:  Right.
         DR. POWERS:  I think you'll find that many, many of these
     things are designed based on an empirical experience base of some
     magnitude, and within this field there are a variety of very, very
     knowledgeable people, including our current speaker, who just have a
     wealth of experience of what works and doesn't work.  And it's based on
     true tests.
         DR. WALLIS:  Units have changed from pounds of red oak per
     square foot --
         MR. MADDEN:  No.  No, we're still -- well, it's a mixed bag
     now.  I mean, when we're in the modeling, it's, you know, something
     else.  When we're into hydraulics, it's something else.  So it's a mixed
         Anyway, you know, I don't know what more I can communicate
     with you, but the current flux of the standard is we're still going
     through draft.  The draft that you see now will be changing.  All I can
     do is put out the schedule of where we are and what we're trying to
         Basically what's going on right now is we have a public
     comment phase for this proposal based on the draft that you have in
     front of you that will close on 2/19/99, and then we will have another
     committee meeting which will go through all those public comments and
     proposals to either accept or reject.  But this gets a little bit more
     of a difficult process, because we have to put down the reasons why we
     are either rejecting or accepting.
         And then after that we'll issue another draft.  And that
     draft will be, you know, the final draft which will go out for what we
     want to call actual public comment.  And based on that there will be
     another comment phase which will close, and that's not on this slide,
     October of '99.
         And those comments will have to be resolved before the
     standard can be brought up in front of the -- at the annual meeting for
         So right now we're in a cycle where we're going to try to
     issue this thing and have it fully voted on by the general NFPA
     membership at the annual meeting in May of 2000.
         MR. HOLAHAN:  Before we leave the 805 --
         MR. MADDEN:  Yes.
         MR. HOLAHAN:  This is Gary Holahan of the staff.
         DR. POWERS:  We are a long ways from leaving 805.
         MR. HOLAHAN:  Well, I think Pat is trying to be close to it.
         MR. MADDEN:  I'm trying.
         MR. HOLAHAN:  I'd like to address some of your concern, Dr.
     Powers, in the context of how much detail and how prescriptive the
     guidance -- this NFPA 805 is.  And if you step back from 805 and think
     about the regulatory process and how it would be used, what we're
     talking about is this is basically a standard that would be endorsed
     presumably in the regulatory guide, which would be used -- which would
     be used as the basis for a new fire protection rule, or it could be in
     fact referenced directly from a rule.
         The issues you've raised about do we need to be
     prescriptive, can we be more performance-oriented, can we have more sort
     of general higher-level requirements, I think all of those things are
     not only possible, but we think of those as what the rule requirement
     would be.  I'm imagining rather than an Appendix R where all this sort
     of level of detail finds its way into the rule, we would have a very
     simple rule.  It might in fact say there should be a fire brigade, but
     it might not say now many members.  It certainly wouldn't say 265 feet,
     you know, between --
         DR. POWERS:  Fire hydrants.
         MR. HOLAHAN:  Fire hydrants or length of fire hoses or these
     sort of issues.  So if you think of the regulatory requirements being
     more general and, you know, the industry and the fire protection
     association developing guidelines, one set of guidelines, one way to
     implement those general requirements, that's what you've got in here.
         That doesn't mean that a licensee couldn't say I don't like
     265 feet, and what I'm going to do is I'm going to meet the fundamental
     requirements in the rule in a different way.  It seems to me that places
     the burden of, you know, analysis and experimental support and all these
     other issues on the licensee.  It doesn't say you can't do those things,
     it just says this is not the standard way to do it, hasn't been
         So I'm imagining that the kind of vision that you were
     expressing is a rule vision, and that's different from what I look at as
     an implementing guidance at a, you know, more prescriptive level,
     doesn't bother me.
         DR. POWERS:  I have absolutely no difficulty with the idea
     that this might appear as an alternative way to have adequate fire
     protection in a nuclear powerplant.  One could well imagine that a reg
     guide says follow NFPA 805 and you're home free.  Those seem entirely
     plausible to me.  That's on one level.
         On another level I say I've gotten clear indications that
     the Commission is very supportive of the idea of being less prescriptive
     and more performance-based, and they would like to see an alternative to
     50.48, Appendix R, maybe even to GDC 3, and another one I can't
     remember, but in fact that affect fire protection.
         And I think the hope was this was going to be it.  My point
     is, it's not it.  Now, do we need to pursue a third leg on this to get
     to that aspiration that I think the Commission has?
         MR. HOLAHAN:  It's certainly been the staff's understanding,
     and I think the Commission's understanding, that there always needed to
     be a rule change to implement anything but the existing Appendix R,
     50.48.  In my mind that's the other leg of this, and that's where the
     less prescriptive, more analytical vision belongs.
         DR. POWERS:  What you're saying is that there's another
     thing that we haven't seen because it hasn't been written yet, which
     once this is done will come in and this will never appear as a rule. 
     There will never be a rule that says do NFPA 805 and you're home free. 
     There may be a rule, but that won't be the last of the rules.
         MR. HOLAHAN:  It might say NFPA 805 is one way to meet this
     underlying definition of, you know, what we think fire protection safety
     needs to be.
         DR. POWERS:  Okay.  You've completed your presentation?
         MR. MADDEN:  Yes, sir, unless you want the status on the
     Appendix R revision -- the revision of Appendix R on 3M penetration
     seal.  It's just a schedule.  I'll show it to you.
         DR. POWERS:  Oh.  I assume that this is happening.
         MR. MADDEN:  It is happening.  I mean --
         DR. POWERS:  Good.
         MR. MADDEN:  We're going through the process.
         DR. POWERS:  Good.
         MR. MADDEN:  And it should be hopefully published or the
     final rule should be somewhere in April 2000.
         DR. POWERS:  Good.  I think the operative thing here is that
     if we on the schedules you put up here is that there is a 2/19/99 point
     in the schedule where they would like to get comments that we might have
     on this draft standard.  We have from Professor Apostolakis a variety of
     specific comments, and I ask if he -- he's raised these at the
     subcommittee.  Did you want to raise them again?
         DR. APOSTOLAKIS:  I don't know if this is an appropriate
     time to do it.  They should be forwarded to the staff at some point, and
     if we plan to write a letter, maybe they could be attached there or -- I
     can always go over them, if you want me to.
         DR. POWERS:  Well, those that you think would be useful for
     the rest of the Committee to hear, I think you certainly should.
         DR. APOSTOLAKIS:  Okay.
         DR. POWERS:  The Members have a digest of Professor
     Apostolakis' comments as best I could digest them.
         DR. FONTANA:  All three of them?  All three?
         DR. POWERS:  It is listed under draft positions for
     consideration by the ACRS NFPA 805 standard on fire protection.  It is
     listed under specific comments.
         DR. APOSTOLAKIS:  So it's pages 2 through 95.
         MR. MADDEN:  I like that.
         MR. BARTON:  Take your time, George, so we can digest them.
         DR. APOSTOLAKIS:  Okay.  You mentioned earlier that one of
     your early slides was going to make some comments, and I have commented
     here that if you look at four areas that you are trying to protect, and
     the first one is nuclear safety, it seems to me that you are setting
     goals that are different from what other parts of this Agency are
         So I am concerned that we are seeing a proliferation of
     goals and objectives as risk-informed documents are being developed by
     various organizations.  And there is a safety goal policy of the
     Commission.  There is a document on inspection and enforcement that is
     being developed right now by a team of this agency that identifies goals
     and so on.  So it seems to me that it would be reasonable to expect 805
     to use some of that, if not all.
         MR. HOLAHAN:  Could you share a copy of the comments with
     the staff?
         DR. APOSTOLAKIS:  Want to?
         DR. POWERS:  It's at your discretion.
         DR. APOSTOLAKIS:  The first two pages are yours.
         DR. POWERS:  If they don't know my position by now, they can
     be reminded by the front.
         DR. KRESS:  The staff should be aware that these are not the
     Committee position.
         DR. POWERS:  That's right.  These are the subcommittee --
         MR. HOLAHAN:  Thank you.
         DR. POWERS:  Develops draft positions for consideration by
     the ACRS.  The ACRS has had these now for about an hour, and there has
     been no consideration of these.
         DR. APOSTOLAKIS:  So the specific comments are --
         MR. HOLAHAN:  I would thank the Committee for sharing it
     with us at this stage.
         DR. APOSTOLAKIS:  Okay.  So enough said on that.
         I don't have to go over every single one of them.
         DR. POWERS:  I think just the ones that would be of interest
     to the Committee.
         DR. APOSTOLAKIS:  Yes.  I find it interesting -- that's
     comment number 3 -- that the nuclear safety objective does not use the
     word "risk," whereas the radiological release objective, which is not
     nuclear safety related, does.  And there is more elaboration here on
         I do recommend my favorite top-down approach to defining
     objectives and performance criteria, which may be related to what Pat
     said earlier about the triangle being upside down.
         There are some different points there and number 8, I must
     tell you, was edited by Dr. Powers.  It was much stronger when I wrote
     it --
         DR. APOSTOLAKIS:  It deferred to my blood pressure, but to
     say that you will do a risk evaluation to provide additional assurance,
     you lost me.  When I see the word "additional" and "risk evaluation" in
     the same sentence, I get mildly annoyed.
         DR. POWERS:  And you will notice in the first comments,
     first page of comments, that I think a significant deficiency in the way
     this draft rule is portrayed to us is that risk assessment is used only
     to increase requirements.  I think that is a significant deficiency.
         DR. APOSTOLAKIS:  Yes and that -- if you look at the
     figure -- well, which is really like your triangle.  It is really a
     triangle where you have the deterministic requirements, the
     probabilistic and then you do a risk evaluation.  I mean that --
         DR. KRESS:  Are we looking for comments on these comments?
         DR. APOSTOLAKIS:  Not right now.
         DR. POWERS:  We will get an opportunity to discuss it.
         DR. KRESS:  This is not the time to comment?
         DR. POWERS:  I think I would pipe right in if you have
     something to contribute.
         MR. BONACA:  Oh, I'm sorry.  Go ahead.
         DR. KRESS:  Well, with respect to the proliferation of
     goals, we are dealing here with one set of initiating events in a whole
     sea of initiating events.  To start from the safety goals for example or
     even the performance objectives and try to derive what your risk goals
     might be for these is to me very problematic.  It requires an
     apportionment among sequences of your risk, and I see this as saying,
     well, if we attack it from the other end rather than top-down, and it is
     somewhat akin to looking at the cornerstones, say if our objective is to
     prevent the K from getting above one, to prevent this, this, and this,
     you can automatically assume that if these things are accomplished that
     you will not have added much risk, although if those are goals they are
     much, much more stringent than the safety goal.
         DR. APOSTOLAKIS:  And that's exactly my point.
         DR. KRESS:  But you have no way to apportion the safety
     goals among the fires.
         DR. APOSTOLAKIS:  I don't have to apportion anything.
         DR. KRESS:  You have to because this is only -- this doesn't
     count for risk --
         DR. APOSTOLAKIS:  No, no, no, no, no -- if I look at the
     cornerstones and I pick up any fire risk assessment, you will find that
     in the second page or maybe the first you will see that what we are
     doing here is we are trying to see whether a fire can cause an
     initiating event and can defeat some of the systems or mitigate a
     system, and so it seems to me that is very consistent with the
         I don't have to say that K has to be less than one because I
     don't see any reason for it.
         DR. KRESS:  Because that accomplishes that goal.
         DR. APOSTOLAKIS:  But I don't want more stringent goals
     every time somebody writes a risk-informed guide or standard.  In two
     years I am going to need another Regulatory Guide like the one that Pat
     is preparing to pull together these objectives and --
         DR. KRESS:  This is not the full goal.  This is a derivative
     within the full integrated goal and --
         DR. POWERS:  Not as we understand it.
         DR. APOSTOLAKIS:  Not as we understand it.  Not as it is
     presented in the standard.
         DR. POWERS:  Not as it is presented in the standard.
         DR. APOSTOLAKIS:  There is a difference.
         DR. POWERS:  You do a whole CDF calculation and this would
     be just one part of it -- now practically I think it is but not --
         DR. KRESS:  Well, I think that is actually the fact.  You do
     a CDF.
         DR. APOSTOLAKIS:  If you want to define more stringent
     goals, you should state so and you should show how these meet the higher
     level goals that the rest of the agency has without necessarily going to
     the safety goals.
         DR. KRESS:  I certainly didn't read it as developing new
     goals but maybe I read it wrong.
         MR. BONACA:  I would like to just add a comment that goes in
     the direction of again the point I was making before.  IPEEE has been
     available for years now as a resource and it seems hard to believe that
     some lessons learned regarding the effectiveness of fire protection that
     really in part is embedded in this new Reg Guide have not been sought.
         I mean it seems like a mindset that it has to be a
     deterministic approach and then PRA is used as a means of checking
         DR. APOSTOLAKIS:  Exactly.
         MR. BONACA:  But the lessons learned from existing programs
     should have been I think derived and learned and at least the message I
     got is that that wasn't attempted and my concern is that this is going
     to cement really much more of what is in place now with some
     modifications, and even if you have a new regulation coming in later
     with risk insights, utilities will not be willing to make additional
     changes because it is expensive to change and change and change, so the
     point is supporting of your perspective, George and Tom, but the point
     is that again I don't understand why available information hasn't been
     yet collected and provided.
         DR. APOSTOLAKIS:  And I would go even a step before that,
     before you do the IPEEEs.  There is a lot of information out there how
     to do a fire risk assessment where the emphasis is on the potential
     dependencies that the fire would introduce that may cause an initiating
     event, as I said earlier, and simultaneously defeat some of the
         I haven't seen any of that thinking here.  What Mario is
     referring to is the implementation of that thinking in the IPEEE.  The
     five methodology may differ a little bit by conceptually they are both
     looking at the same thing.  I don't see anything in the NFPA 805 that
     says this is what we are trying to do -- we are trying to prevent fires
     from becoming a common cause failure, we are trying to prevent fires --
     in other words the basis is the fault tree, event tree model that the
     standard IPE or PRA has developed.  The fire is not a separate thing. 
     It's an appendix.
         You are still working with those because if you want to
     damage the core you just still have a LOCA or you must still have one of
     the initiating events.  Fire itself won't do it.
         DR. POWERS:  Oh, yeah.  The exact example the speaker used I
     think is a good one.  If you have a fire that fails the PORV in an open
     position and it also damages the block valve on it, you've got a loss of
     coolant accident.
         DR. APOSTOLAKIS:  That's what I am saying, that a fire has
     to cause one of the initiating events that we have already identified. 
     It is not something separate.  You are just looking at -- it's like
     earthquakes.  It is an element that can act as a common cause failure,
     but the basic structure is the one that you have in the basic PRA.  I
     don't see that thinking.  I don't see it anywhere.
         MR. SIU:  If I can comment on an earlier statement, George,
     and then I will get back to this one that you are talking about.
         DR. APOSTOLAKIS:  Yes.
         MR. SIU:  As we discussed at the subcommittee meeting, risk
     assessment can be used to relax the requirements at the plant. What you
     have to realize is that the baseline program is far less than what is at
     the plants now.
         DR. APOSTOLAKIS:  But I am not referring just to the
     baseline program.  I am referring to the whole 805 that --
         MR. SIU:  No, no, no --
         DR. POWERS:  He is commenting to me.
         MR. SIU:  Okay.  Maybe I am commenting --
         DR. APOSTOLAKIS:  Okay.
         MR. SIU:  But I thought that George had also raised the same
     point, that the baseline program is a program that is far less than what
     is at most of the plants and what you do, what you can use risk
     assessment for, in addition to the sitewide risk evaluation, which does
     come at the end and which does ask are there additional things that you
     need to address, but within the performance-based part of the standard
     you can use risk assessment tools to determine whether or not you need
     to provide additional functions beyond what is provided by the baseline
         DR. POWERS:  You can increase requirements.
         MR. SIU:  From the baseline.
         DR. POWERS:  There is no mechanism to decrease.
         MR. SIU:  It is a decrease from where they are now.
         DR. APOSTOLAKIS:  It's what?
         MR. SIU:  It is a decrease from where they are now.  That's
     the point.
         DR. APOSTOLAKIS:  But if I had not worked in this area and
     read the standard, okay, I would have no idea what fire risk assessment
     does.  It is not reflected in the standard.
         MR. SIU:  Well, that's true, because Appendix B has not been
     written yet and that we understand is a major hole.
         DR. POWERS:  I mean even if it weren't a hole, I will have
     to admit I have not gone through a line by line comparison between
     Appendix R and this standard, but I think I wouldn't find many things
         MR. MADDEN:  There's quite a few things missing.
         DR. POWERS:  I will take your word for it because I haven't
     done it.
         MR. SIU:  And beyond that again, the deterministic option is
     an option.  You don't have to follow that and use the performance-based
     approaches to address the same requirements once you get out of the
     baseline program.
         You might argue where the line is drawn for the baseline
     program and how much really has to be there as opposed to how much
     should be --
         DR. POWERS:  I want to draw it at the bottom.
         MR. SIU:  Well, I understand the philosophy and you
     understand the issue of the practicality of trying to get a committee to
     come to consensus.
         DR. POWERS:  But I don't see the advantage that we have
     gained.  I mean you have to weigh two things here.
         Learned societies can prepare all the consensus standards
     they want to and that's fine, but imagining ourselves as adopting this,
     I don't see what we have gained by doing this.
         I don't see anybody going oh, wow, we've got 805 -- I'm
     going to -- heck with Appendix R, I'm going to go get this stuff right
     now.  It becomes almost an effete exercise to me.
         MR. MADDEN:  Well, let me give you just one slight view that
     I have, okay, and, true, I don't believe that anybody is just going to
     arbitrarily tear fire protection out of the plants, but I can see
     another side of that too, but I mean let's take a hypothetical case, a
     space that has one-hour barriers, suppression, detection, and you know,
     you need the one-hour barriers to complete your separation, to protect
     the train for safe shutdown.
         If you were to apply this approach, this performance-based
     approach, and in conjunction with risk tools, find out maybe the areas
     that doesn't contribute much to risk, and that the fire scenarios that
     you do model, depending on how you define them, may not cause the level
     of damage that -- maybe you were just ultra-conservative in the
     adaptation or adopting Appendix R to that space.  Maybe all you need is
     a minimum fire barrier of one hour and that is good to go.  Go don't
     need detection and suppression.
         Well, this standard will tell you that.  Now do I believe
     that they are going to take the fire protection out?  No -- but it may
     be a basis for maybe not paying so much attention to when that
     suppression system is out of service or that detection system is out of
     service and maybe the necessity for compensatory measures as we know
     them today may not be there and that may be an indicator as a result of
     going through this process.
         DR. APOSTOLAKIS:  I just would like to go back to what Dr.
     Kress -- because it's inevitable, not matter what your goal is, that you
     will face the question of apportionment.
         DR. KRESS:  Sooner or later.
         DR. APOSTOLAKIS:  Because K less than 1.  That's an
         DR. MILLER:  .99.
         DR. APOSTOLAKIS:  But there are some sequences that will not
     achieve this.  What frequency are you going to allow?  So you're back to
     square 1.  But the thinking, the basic thinking of the fire risk
     assessment, you know, starting with the initiators, the mitigating
     systems, all the cornerstones, and seeing how they affect -- the fire
     may affect those, and the importance of screening of rooms and so on,
     it's just not there.  Now it may be in Appendix B.  That's forthcoming. 
     But in the main body it is not.
         MR. MADDEN:  One real question is -- back to the Committee
     is the understanding of how fires occur --
         DR. APOSTOLAKIS:  Propagate.
         MR. MADDEN:  And propagate.
         DR. APOSTOLAKIS:  Yes.
         MR. MADDEN:  And the other aspect is how they would achieve
     the damage, as you're stating, George, to cause these initiating events. 
     Okay, but let me --
         DR. APOSTOLAKIS:  I don't doubt that, Pat.
         MR. MADDEN:  Let me -- okay, okay.  But let me --
         DR. APOSTOLAKIS:  Sure.
         MR. MADDEN:  Complete my train of thought here.  You know,
     the K effective may be in your eyes overly conservative, but in my eyes
     is that Appendix R, the basis of Appendix R was that we never considered
     fire as a design base event.  It was never included in chapter 15 as a
     design base event.  So what you're talking about is initiating
     frequencies or initiating events that get you into a severe accident or
     a design basis event.
         We've always treated fire as a routine operational event
     that should be handled and mitigated with the least amount of impact on
     the plant.  So that's where this standard is coming from, is not to get
     to that next step to where we have to go into the EOPs and do a last-
     ditch effort.
         DR. APOSTOLAKIS:  Yes.
         MR. MADDEN:  So, you know, you've got to keep that in your
     mind -- that thought in your mind when you look at the standard, because
     that's the goal it's trying to accomplish.
         DR. APOSTOLAKIS:  And I would agree that perhaps the list of
     initiating events that a standard PRA has should be examined from that
     point of view, that you may want to add something to those and expand
     the list to make sure that, you know, you're not working only in the
     severe accident space.
         But I think the basic intellectual approach is very good,
     and it's applicable, and should drive, really, what you do beyond design
     basis -- beyond the basic program.  Because I agree that you cannot have
     the whole thing centered on risk assessment.  No.  You'd want certain
     minimum requirements which your basic program will achieve.  But if I go
     beyond that, and I should go beyond that, it seems to me that basic
     approach is very good for that thing.
         In fact, to avoid this thing about additional requirements,
     maybe you can present that first and then come up with your basic
     program and say, you know, because we have these objectives here and we
     really -- we really don't want fires, for example.  We want this and
     this and that.  Anyway, I don't think we can resolve that issue now, but
     I just wanted to register my --
         DR. POWERS:  Do any Members have additional comments they'd
     like to make?
         DR. MILLER:  Yes, I have one.  It's kind of a philosophical
         DR. POWERS:  Surely not.  We haven't been discussing any of
     those up till now.
         DR. MILLER:  No, these have all been microscopic, right?
         Just not having been dealing with fire protection standards,
     but just based on my standards of experience developing some --
     developing a performance-based standard is somewhat slightly orthogonal
     to the mentality of most standards.  Most people get together and
     develop a contingent standard.  They are really developing a standard
     that says I want to tell the world based on the consensus of the best
     practice in how to do things.  That's not performance based.
         So to ask a standards group to develop a performance-based
     standard may give them some difficulty.  Maybe the fire protection group
     has experience there, but if I were in the instrumentation area, you say
     okay, develop a performance-based standard for some I&C area, I think a
     lot of my colleagues would be sitting around and scratching their heads
     and say what are we going to do, because our mentality is we're going to
     tell the world based on this group that our best estimate of how best to
     perform something is something done.  And so I see that orthogonality a
     little bit embedded in this standard here.
         MR. MADDEN:  Yes.  Absolutely.
         DR. MILLER:  The temptation is, even I had a temptation, I
     want to say okay, we have these separation criteria, I want you to tell
     me how to do that and what they are.
         MR. MADDEN:  Yes, well, I agree with you wholeheartedly.  I
     mean, that is a problem with this standard committee right now is what
     can we do in a performance-based arena and still have confidence that
     we're providing adequate protection.
         DR. MILLER:  You may be asking a standard to do something
     that it's not really meant to do.
         MR. MADDEN:  There are --
         DR. MILLER:  Be performance based.
         MR. MADDEN:  Yes, there are probably some attributes in the
     fire protection arena that don't lend itself to performance-based
         DR. MILLER:  I'm just saying generically in all standards it
     may be something is not --
         MR. MADDEN:  Well, more in the forefront.
         DR. MILLER:  It may be something that the consensus
     standards process is going to have to deal with, because obviously it's
     the right thing to do.
         MR. MADDEN:  Well, we're in the forefront with NFPA, and --
         DR. MILLER:  And you're going to tell us how to do it.
         MR. MADDEN:  Well, we're attempting, let's put it that way. 
     And I don't know if we're really going to tell you what to do.
         DR. MILLER:  Hopefully in a way there's comments that temper
     the frustration of my colleagues to the left who are saying it's not
     performance based.
         DR. POWERS:  No.  If you're looking to temper --
         It just adds fire.
         DR. MILLER:  Well, I was just saying, maybe it's not the
     right thing to do.
         MR. MADDEN:  Well, I would invite each and every one of you
     to take a look at that standard and provide us with comments.  You know,
     the NFPA and the industry is trying to move this thing as fast as
     possible, and to some degree I think maybe a set of brakes may have to
     be applied somewhere to really see if this is what we want to do and if
     it's going to achieve the goals that we believe that the Commission
         So that completes my presentation.
         DR. POWERS:  Are there any other comments people would like
     to make?
         Well, thank you very much, Pat.
         Steve has got to get in here.
         MR. WEST:  I just had a question.  Is it the Committee's
     intent to develop comments for the NFPA or --
         DR. POWERS:  It is the Committee's option now to write a
     letter.  It would be unusual for us to write to NFPA.
         MR. WEST:  Okay.
         DR. POWERS:  It would be usual for us to write either to the
     Commission or to the EDO with the anticipation that staff that are
     members of the Development Committee would carry those comments forward.
         MR. MADDEN:  Yes, that's the agreement I've already made
     with the NFPA.
         DR. POWERS:  And I think that if the Committee decides to
     write a letter, and we've not had a request for a letter from anyone,
     but if the Committee decides to write a letter, it would be to either
     the EDO or the Commission.  And I suspect just thinking about what I've
     heard that they would be comments not very useful to the NFPA.  If they
     were looking to optimize the draft they have, I think they have more
     toward suggestions to the Holahan fire-protection rule that has yet to
         That's my guess, but I've learned after four years on this
     Committee never to anticipate what the Committee does.  My batting
     average is exactly zero on that.
         MR. MADDEN:  Thank you for the clarification.
         DR. POWERS:  With that, Pat -- thank you very much, Pat,
     that was just really helpful, and always appreciate your calm and
     deliberate style and very frank presentation.  It's very helpful to us.
         MR. MADDEN:  Thank you.
         DR. POWERS:  I propose that we recess until 4:40.  I need to
     keep the recorder here, because we're going to have additional things on
     the record.  Is that correct?
         DR. POWERS:  Let's come back into session.  This is a
     session for preparation of ACRS reports.  The first of those that we
     want to discuss is the lessons learned from the review of the AP600
         Dr. Kress, I think you are the cognizant member in that
         DR. KRESS:  Am I?  I thought Dr. Wallis was.
         DR. POWERS:  My list has you as the guilty party.
         DR. WALLIS:  I may be cognizant, but you are responsible.
         DR. KRESS:  I do not want to claim responsibility.  I will
     act as the Chairman.  What I think we have the pleasure of is some words
     from Brian McIntyre, which would be a view from the other side, so to
     speak, on this.  And I think this would be very useful to us.  We
     invited Brian to do this at one time and he graciously agreed to come
     and give us some viewpoints, and I think they will be worth listening
         With that, I will just turn it over to Brian, and then we
     can discuss the letter.  Is that a good way, do you think?
         DR. POWERS:  I think absolutely that is the way to go.
         MR. McINTYRE:  It is just wonderful to be back, as you can
         MR. McINTYRE:  I understand you guys got a gold star from
     the Chairman yesterday for getting AP600 done.
         DR. POWERS:  You may be excessive when you say a gold star.
         MR. McINTYRE:  Well, I am just telling you what was related
     to me, so I thought that was very positive.  The comments that are the
     topics --
         DR. KRESS:  We attributed that to the interim Chairman of
     the Subcommittee.
         MR. McINTYRE:  I see.  Okay.
         DR. KRESS:  Sorry, go ahead.
         MR. McINTYRE:  The quality and some of the things that I
     understand are on the letter are quality and timeliness of submittals,
     code V and V, T&H code development, best estimate -- I still can't read
     this.  Determination of conservative margins, I think that was -- is
     that right?
         DR. KRESS:  Yes.
         MR. McINTYRE:  I have done this in --
         DR. KRESS:  That are things that were on the draft letter.
         MR. McINTYRE:  And then some other things about IVR and EQ
     of PARS and MCR staffing.  I just want to really talk about the first
     four, since that is where we spent most of our time.
         The quality and timeliness of submittals.  Yeah, we agree
     that the submittals were frequently rushed.  I mean there is no question
     about that, that they were large documents.  We were trying to move this
     thing along as fast as humanly possible, sometimes a little bit faster. 
     I can assure the Committee that the documents were reviewed and edited.
         It is almost the first thing we would hear was some comment
     on the poor quality of the documents and there's -- to me, quality is
     like truth and beauty, it is pretty subjective.  There's types of
     quality where you can look at the persuasiveness of your technical
     arguments, which frequently people didn't like.  I don't consider that a
     quality issue.  There were typos and errors.  These tended to be huge
     documents, four or five thousand pages in some of the cases.
         We had a process, and we did try to improve it as we went
     along.  We had editors.  What we found is that with documents this
     large, and particularly where the only people who could reasonably
     review them were the guys who had primarily written them.  I mean I
     couldn't look at it and tell you if that should have been a superscript,
     a subscript, or if things were done right.  We found that a number of
     the errors were creeping in from our word processing people, when you
     start typing out large equations and stuff, that that is a little harder
     than one would think it would be, but, evidently, it is a very complex
     process and that was a problem for us.
         If you look at the documentation, as I said, what we were
     trying to do, is we were trying to keep the staff happy.  Not that we
     weren't trying to keep you guys happy, too.  But the staff was looking
     for something on the order of sometimes thousands of pages.  The
     Commission -- the Committee here was looking for something on the order
     of three-quarters of an inch that could be read on an airplane between
     the West Coast and here.
         DR. KRESS:  Brian, I am very glad to know these causative
     factors and things, but what we would really like to hear from you,
     after you do that, and maybe you are going to do it, is do you have any
     advice --
         MR. McINTYRE:  Yes.
         DR. KRESS:  -- for both us --
         MR. McINTYRE:  Yes.
         DR. KRESS:  Okay.
         MR. McINTYRE:  Yes.  And a problem we run into, and this is
     an on the record comment, is that we are not full-time WE, you guys are
     not full-time employees, and you can't devote 80, 100, 200 hours to
     reading these documents, and so we were developing the road maps.  And I
     think that that was something that we learned out of this, is if we can
     do these large documents, make very clear where things are, and I think
     that the other Westinghouse people right now who are going through the
     Thermal-Hydraulic Subcommittee are finding the same thing.
         So, somehow, we need to find a way to bring all of these
     things together.  From a code V and V standpoint, I think we had a
     unique problem because the AP600, we were not only doing the V and V on
     the codes, but we were trying to make sure and show that we had the data
     to support it.  And we weren't just looking at one specific transient,
     we were looking at large break, small break LOCAs, the non-LOCA stuff,
     the containment, and we were doing everything at once for everything. 
     And so there were a lot of balls in the air.
         There was a determination or question of, you know, what is
     adequate?  And that was something that we really -- it is hard because
     that is -- again, that is something that is extremely subjective.
         When it gets to the things that I think we need to do
     differently in the process, improvement areas, we got caught in what I
     look at as two do loops.  We run around in a circle trying to keep the
     staff happy and then we went from there to the ACRS in a second do loop. 
     And that may be a little bit of a harsh judgment, but it did seem like
     that to us, and I think it was probably about that time that I uttered
     the infamous raise the bar statement that Dr. Seale took --
         DR. WALLIS:  Do you think there is a difference between the
     standards requested by the staff and by the ACRS?  I mean, in theory, we
     should be looking for much the same thing.
         MR. McINTYRE:  From a standards standpoint?
         DR. WALLIS:  You said there were two do loops.  Really, it
     would seem to me that we both have about the same idea of --
         MR. McINTYRE:  I would say that a different level of
     questions came out of the Committee than came out of the staff, but I
     don't think that that would happen were we to do it again.
         DR. WALLIS:  By level, how would you characterize those two
         MR. McINTYRE:  When we started in this exercise, that it was
     during the code V and V.  I don't believe, in the 1991, 1992 days, when
     we first got started in this, that the things like the PIRTs and the
     scaling were expected, at least out of us, to the level that they were
     at the end.  As a matter of fact, I am reasonably sure that if you go
     back and look at when Westinghouse was being told that we had really
     better come up with a full heighth, full pressure facility somewhere
     back in 1991, that that wasn't because of we had done a PIRT and showed
     that these things were important, it was because that the staff was
     concerned that there might be interactions between the systems at high
     pressure, and high pressure was important.
         And that next level, which I think that the staff is now at
     came out, you know, primarily from going through the D&H Committee.
         DR. POWERS:  Brian, when you get into the two do loops, some
     of that came about because we were trying to run ACRS reviews
     coincidentally or at least in some parallel with what the staff was
     doing.  That was a conscious decision to try to move this thing along
     and to stay within schedule.  Are you suggesting that we need to think
     that more carefully so that we are not having either conflicting advice
     or divergent or multiple --
         MR. McINTYRE:  Yeah, and I think you are doing that.  If I
     read what was done in the 17th, the presentation that Ralph Caruso made. 
     They are getting more into a process of the subcommittees are going to
     be more integrated into what is happening.  I think that will be a great
         DR. POWERS:  Well, it is important for us to know of this
     need so that we keep track of it and don't depend on it happening.  It
     may be happening, but it may be happening by accident.
         DR. SEALE:  Could I ask, Brian, you made a comment about the
     '60 -- or the '91, '92 timeframe and what happened later and all.  I
     think, you know, -- Tom, were you here then?
         DR. KRESS:  Yes.
         DR. SEALE:  I wasn't, that was before my time.
         DR. KRESS:  And I think he is basically right on it.
         DR. SEALE:  I don't doubt it, and I was going to ask him
     another question in that regard.  Do you believe that the -- you know,
     the basic problem with the codes is that they were put together to solve
     one set of problems, and we were trying to make them solve a different
     set of problems.  Do you believe that the difference in the physics of
     the classical PWR, the way they have been built, some 50 or so of them,
     versus the AP600 with the natural circulation and so forth, and the
     effect that that would have on the analysis was fully appreciated in
         MR. McINTYRE:  Yes.  We were going to -- or attempt -- if
     you look at the way -- I will go back and talk about what I know most
     about, which is what I did when we were licensing the upper plenum,
     upper head injection plants, that, you know, there were some tests that
     were done.  You would run the code.
         DR. SEALE:  Yes.
         MR. McINTYRE:  And you would show, yes, yea, verily, we
     matched the code, or matched the test.  And now it is -- there is -- and
     I think, I am not going to say this is wrong, but you want to make sure
     that you are getting the right answer for the right reason, that you
     don't have compensating errors, because the physics is going to, what I
     am going to call, a next level.  And I think that we understood that
     because our push in the 1991, 1992 timeframe is that we don't think high
     pressure is going to be the issue, because the phenomena are really, you
     know, fairly similar there, but the issue is going to be at low
     pressure, which is why we went to the extent of building Oregon State
     University that we did.
         Now, if we were going to -- I think this would be fair to
     say, that when we were planning that, remember that Oregon State
     University started out as a glass model that would have fit on this
     table quite nicely.     It ended up being a quarter scale, 400 PSI, $13
     million facility which really is pretty neat, so I think we understood
     that, except what we would have -- the direction we were going was to
     show that it was reasonably scaled, probably -- definitely not in the
     rigor that we ended up going to, and show that we would match the tests
     in some more mobile scale than we did.
         I think we had an understanding.  We didn't do a -- if you
     go back and look at the original Larry Hockreiter stuff it wasn't
     looking at it per se as it was done but he went through phenomenon by
     phenomenon and showed how we had selected the tests that we were going
     to run, so I think we knew where the issues were.
         Now the rigor with which you solve those issues is another
         DR. WALLIS:  I think there is another side to it too, not
     just the Staff and the ACRS levels.  It's Westinghouse's internal
     levels.  In the best world the standards that, expectations that your
     management has for I suppose the documentation, whatever it is, the
     qualitative argument, the reasons given for accepting a design and so on
     should be not very different from what other professionals such as Staff
     and ACRS would expect.
         MR. McINTYRE:  It's hard for -- I don't think you would find
     too many of the Westinghouse managers who could have sifted through the
     NOTRUMP report or the GOTHIC report and really had a lot to offer.
         DR. WALLIS:  But they are responsible for the quality.  They
     presumably sign off on it and say this is good enough to go to the NRC.
         MR. McINTYRE:  Yes.
         DR. WALLIS:  And so on -- so they are responsible.
         MR. McINTYRE:  They are responsible.  I was responsible,
     which we tried to --
         DR. WALLIS:  You had the same difficulties we had perhaps in
     figuring out which bit to read and which bit to critique.
         MR. McINTYRE:  Well, yes.  Like I said, I couldn't look at
     the equations and tell you if they were right or wrong but we did put
     the things -- you know, sitting over at that table there and hearing
     what -- let's find a good word here -- how your reports could be better,
     as the first thing out of the mouth of the people who had read them,
     wasn't really one of the high points of my career.  That's being kind.
         MR. McINTYRE:  I think there needs to be some sort of a
     standard and I think that what Ralph presented on the 17th is really a
     good first step.  It wasn't clear to me how exactly it worked but it is
     clear there is going to be more involvement.
         I am not sure how we get you guys involved and you still
     maintain your independence because at some point you can get so close
     that you are one body and your job --
         DR. WALLIS:  I thought about that, yes.
         MR. McINTYRE:  -- really is to be I think an independent
     reviewer of both what we have done and what the Staff has done.
         DR. WALLIS:  One way to do it is to keep on bringing in new
     members who don't know what happened before, so they must be
         MR. McINTYRE:  Yes.  On the thermal hydraulic code
     development, really I think the issues are pretty much the same as the
     code V&V.  I think really the PERT does help because it does focus and
     help focus the efforts and it is more of a -- goodness knows -- like we
     like our quantitative processes and it appears to make it look like it's
     a quantitative process as opposed to the Larry Hockreiter first search
     through, which was pretty much a qualitative, we don't have data in
     blowdown at low pressure and therefore we need to run a test, which is
     how Larry got where he was going.
         So I think that there is a need for a process improvement. 
     I think really that Dr. Wallis when you came on the Committee it was
     sort of a breath of fresh air, if you will.  Your question was why can't
     we just talk to you?  -- said oh, we can't do that -- I mean you have to
     talk to the Staff and they talk to us and then we talk to them and then
     they talk to you, and you really did question how we worked together,
     and that was kind of good because I have been doing this for probably 23
     years now and you sort of get ingrained in doing things the same way,
     and stuff like this, this change in the process of having you guys
     involved and the way it appears is that you are going to be either
     asking or involved in the determination of what the RAIs are going to
         DR. WALLIS:  We got to cross examine you or whatever the
     term should be, to investigate the quality of your work or whatever by
     asking questions far more than we got to ask the Staff why they did what
     they did.  You were the people who were really in the witness box.
         MR. McINTYRE:  Yes, we were, and that's our job.  We need to
     show that it's okay.
         So I think a good first step, there needs to be some, when
     you start talking about quality standards, it's got to be something that
     can be measured.  All I can do as a manager is put the process and have
     another reviewer, hire another technical editor.  If I have a document
     that big I will open it to 25 different pages and read those pages in
     detail and see what I see.  Does it look right?  Does it look not right? 
     I'll go through that because reading it for, like I said, for the
     technical content, as I am out of that area --
         DR. WALLIS:  You could subject it to review by people who
     are something like the people on the ACRS but are paid by Westinghouse
     to go over it so that it is so good in their eyes that no one else is
     going to criticize it.
         MR. McINTYRE:  Well, at Westinghouse every human being who
     could work on this problem was working on it, and I don't think -- it
     was hard to get --
         DR. WALLIS:  They are employees.  I am just saying you could
     bring in consultants who might be paid to be harsh or whatever is needed
     to make sure that someone else won't give you a harder time.
         MR. McINTYRE:  You guys have got all the good ones.
         MR. McINTYRE:  We did look for consultants.  I mean
     seriously we have tried to get people to participate in committees and
     the conflicts of interests popped up so quickly.  We did -- we had the
     EPRI, A&TRT analysis and test review group who came in and they were
     just as harsh, and we didn't have to pay them.  It was -- but they did
     go through the review of the program.
         The Department of Energy found us helpers to come in and
     look at it, but they did not sit through and review each and every
     report as we sent it in.
         I think the comment on best estimate determination of
     conservative margins is interesting.  I think that is useful and I think
     an example is what we have in Chapter 10 of the GOTHIC report, which
     went through and it looked like the normal oven calculations except when
     I asked the committee about it later on they said, gee, we never got
     that far because it was such a big report, and that might have been a
     place where us pointing things out would have been helpful.
         We tend to shy away from the best estimate label.  Those are
     to some extent fighting words of about what best estimate means -- it
     has to be perfect.  They are not going to be clearly perfect.
         We also have a perception -- this is our perception of you
     guys is that calculations like that really wouldn't, you wouldn't be
     that interested in them, trying to show how much margin there is in
     something because I am not sure what you do with how much margin there
         DR. KRESS:  It's not clear how much margin is needed.
         MR. McINTYRE:  Right.  I mean it's what would you do with it
     and I think it did help in the containment area because it eventually
     convinced people that that second hump wasn't real.
         DR. WALLIS:  I think there is a concern we have which we may
     be able to do something about is that margin should not be there to
     reflect a huge amount of uncertainty and ignorance.  If we could do a
     much better job of knowing what we are predicting, how good it is, how
     uncertain it is, then we would be in a much better position to say yes
     or no.  We are within some safety limits where there wouldn't have to be
     someone's judgment of what is an acceptable margin for one curve to lie
     on beneath something else.  It is a very subjective thing.
         I would like to get us much more objective if we can.
         MR. McINTYRE:  I think we are definitely moving -- if you
     look at -- I'll pick on the upper head injection since there is no
     license plants.  There's a place where we didn't have data and we just
     assumed to use an H of one, so you'd see the heat transfer curve go
     along --
         DR. WALLIS:  One what?
         MR. McINTYRE:  Well, that's good -- and we would be going at
     two or three thousand and you've moved slightly out of the range of the
     data and it dropped down.  We knew that was conservative and it was
     clearly covering, as you said, the gross lack of knowledge in the area.
         But we are not sure where the best estimate that we could
     prove that we were getting the right answers for the right reasons and
     so that is not something that we would, at least for the AP 600, would
     come in, because we were having the darndest time being able just to
     show whatever it is that we could show.
         DR. WALLIS:  Of course when you are comparing with data it's
     only really the best estimate which is a fair comparison with real data. 
     Data is not conservative.  It doesn't know how to be conservative.
         MR. McINTYRE:  Right, but then you can get the compensating
     errors and that's always a tough thing to explain, like we were never
     very successful and then you have to cut it down to the smaller pieces.
         I think in summary that the big thing that is needed is some
     sort of a process improvement and this may be, the thing you are going
     to be going through may be the thing that gets it there.
         This having the Committee involved at the last second isn't
     productive at all, and I think you need to be more involved as it goes
     along while still maintaining the independence.  That's probably the --
     I think the comments that we have on this.
         The risk-informed regulation, I see Dr. Powers' comment on
     risk-informed regulation.  I can't remember exactly what it was.  If
     it's going to be difficult, I think I can paraphrase, but I saw the
     trade press say your comment was -- we took two cracks at that, the
     RTNSS process, what was really I think the first, you know, step into
     that brave new world, and it was what I would call a moderately
     successful -- we showed at least that we didn't need to add these
     systems and we ended up adding them at the end.
         Our second foray into that was the containment spray system. 
     You knew it wouldn't be me being here without bringing up the
     containment spray, and that we were not as successful.
         MR. BARTON:  We would have been surprised if you didn't
     bring it up.
         MR. McINTYRE:  It's one of those things I'm obligated.  And
     then I see here's a report by the NRC saying that gee, containment
     sprays aren't very effective for containment bypass sequences, which is
     basically all the AP 600 has, or at least the significant fraction of
     the risk is from bypass.  But we've got the spray, we're big boys, we're
     putting it in.  It's going to be more than $237,000, but we've pretty
     much moved off that.
         I notice that one thing, something that was in your
     intermediate letters, was leak before break, and that's not on the list
     of things that was indicated in the letter.  Is the staff still --
         DR. SHACK:  You gave up.
         MR. BARTON:  Yes.  We were trying to fight for you, but we
     figured since you withered on the vine, we might as well wither with
     you, I guess.
         MR. McINTYRE:  Having not seen the letter, I'll reserve
     judgment on that.
         DR. KRESS:  I think we took that out of the letter.
         MR. BARTON:  Yes, I think we did too.
         DR. WALLIS:  We could always put it back in.
         MR. McINTYRE:  I think there are some things that could be
     done on the leak-before-break area that we obviously couldn't pursue,
     but there might be something there that would help the operating plants. 
     It's more of a plea for operating plants than it is for what we're going
     to do on the AP 600.
         DR. KRESS:  Well, most of this letter we're writing is
     either try to move the process in the future, application from somebody
     else, or may have application to operate.  That's the purpose of this.
         MR. McINTYRE:  Leak before break might be.  I don't --
     because I know we've pursued that before for the operating plants, and,
     you know, only if they could do some significant snubber reductions and
     support changes would they be interested in it, and nobody's ever really
     studied it for the operating plants.
         I think going back to the process improvement is just
     someone having the various subcommittees involved more in the up-front
     rather than as a second do loop, which may not be totally fair, but --
         DR. KRESS:  In our subcommittee we made a habit of before we
     let you get started with your presentation asking consultants if they
     had anything they wanted to bring out to set the tone of the meeting or
     to be sure it gets addressed.
         I after the fact thought this might be a mistake later on in
     the meeting because it always started us off on a bad foot, bad tone,
     because invariably these things become things like my sophomore students
     could see that that equation was wrong on page 3 or something.
         What do you -- have you got any words about that process?
         MR. McINTYRE:  Yes, it was pretty awful.
         DR. SEALE:  But it did get the blood circulating.
         MR. McINTYRE:  Yes, it did, and not in a positive way.  The
     problem with that is that we've prepared a presentation, we've worked
     with the subcommittee chairman, prepared a presentation, and then the
     first thing you hear from the consultants is I read your report, I've
     got the following 62 questions, live questions, three questions, usually
     which started with, "Your report is of a poor quality."
         And those may or may not have been, depending on the
     adroitness of the speaker, something that he could address just off the
     top of his head.  Mike Young, very, very good at that; some of the other
     people, maybe not quite as good at it.
         And so then you've got all these other things you're trying
     to figure out how to address, and it sort of, I think, made doing the
     presentations very difficult.  And you're right --
         DR. KRESS:  It sort of threw a wedge in right at the start.
         MR. McINTYRE:  Right.  The people at that table over there
     on that side of the room got very defensive.  I mean, right then.  And I
     don't think that was as productive.  On the other hand, in a lot of
     cases the guys had only had stuff for four days, going back to the time
     when this was submittals, so -- which they'd read on the plane, on the
     flight here, and that was their initial impression.  And so we were
     trying to deal with initial impressions.
         DR. KRESS:  Um-hum.
         DR. WALLIS:  Well, I was a bit surprised when I was a new
     Member to hear this speech by a consultant before Westinghouse got to
     say anything.  Sort of like going to a play and the New York Times
     critic gives you half an hour of why this is a lousy play before you've
     even had the chance to see it.  So that's not really the best way to set
     the stage.
         MR. McINTYRE:  We don't think so.  Just from a process
         DR. POWERS:  On the other hand, in the -- especially in more
     full committee discussions, an introduction by the cognizant Member,
     definitely not by a consultant, but by a cognizant Member, it calls to
     attention fundamental issues in the areas of dispute and uncertainty,
     gets those that have not been participants in the subcommittees --
         DR. SEALE:  Into the loop.
         DR. POWERS:  Into the loop pretty quickly.  And there's just
     no question about that.  If there is an area of dispute that's going to
     put the speaker on a defensive pathway -- because he is getting the
     introduction by the critic first -- but I don't know how to get the
     entire membership up to speed when there have been extensive
     subcommittee meetings, a lot of subcommittee water has flowed over the
     dam, typically two-thirds of the Committee has not been party to.
         MR. BARTON:  I think that was more of a problem with thermal
     hydraulics than it was with the plant operations part of the review.
         DR. POWERS:  Yes.  Plant operations went so smoothly that --
         MR. McINTYRE:  And that part of the plant wasn't new.
         MR. BARTON:  Yes.  Except the security stuff.
         DR. POWERS:  Let me ask you a technical question, Brian.  A
     couple of things, particularly in the source term area, occurred where I
     think the staff as part of their review was using what I would call
     geriatric information that they had obtained through research contracts
     long in the past, and since that time additional research had been done
     not by the NRC but by other people in the world.
         You and your fellows were aware of that additional research
     and could employ it in your analysis, but you knew the staff was going
     to read it in light of the older work that they had done, and it seems
     to me you were caught in a dilemma.
         Do you have any views on that?
         MR. McINTYRE:  We will -- we don't, you know, there's no
     question of what we are.  It's to keep, you know, to keep the staff
     happy.  If it's something that's not going to be well received, we won't
     do it even if we think there might be some better way to provide an
     answer, some new information.  We would do anything, particularly later
     in the program, we would do anything to not upset the schedule.
         DR. POWERS:  Um-hum.
         MR. McINTYRE:  For goodness' sakes, don't give anybody
     anything else to review that they didn't specifically ask for.
         DR. POWERS:  Okay.  I think it speaks to the issue of
     keeping the NRC current on these issues.  You know, as we go into
     declining research budgets, there are areas, the classic example of that
     is the high burnup fuel area where the research program had been down to
     zero for years and years and suddenly something emerged, and NRC was
     very lucky that they had knowledgeable staff that could spin up very
     quickly to start to address that.
         They won't be in that position every time as we dial
     research programs down to zero.  If there are areas where we know for
     sure that that is just part of the business, we have got to remain
     current.  Somehow I think that general thought has to appear in the
     lessons learned.  I mean here it was a specific issue, but I think it is
     a general problem when you don't have the financial capability to have
     resource personnel in the broad range of issues.
         Certification of a reactor, there is no issue that doesn't
     get touched in the certification of a reactor.
         MR. McINTYRE:  That's right.
         DR. POWERS:  Maybe we are not doing a whole lot of
     certifications, but we are still touching lots of issues.
         DR. WALLIS:  I am wondering, as I sit here, are you saying
     keeping the staff happy?  I would think that in some cases the industry
     should be ahead of the staff and should actually educate them, bring
     them up to speed and the staff would say, gee whiz, these guys really
     know what they are doing, more than we do, and we ought to catch up,
     rather than it always being the staff has to be kept happy.
         DR. POWERS:  Yes, but that's -- I think that is the problem
     he is speaking to here, is that if we comes in and educates them, the
     first response is I have got to make sure that my teacher is right.  And
     they are going to go back to the teacher's credentials and textbooks and
     additional -- requests for additional information and that slows his
         DR. WALLIS:  I am biased by being a professor, but the most
     wonderful thing in the world is when the student teaches me something
     and doesn't just look at me and try to make me happy.
         MR. McINTYRE:  We get caught up in this crass commercial
     time and money, and we did spend a lot of -- you know, several hundred
     million dollars on this program, and the money was gone at the end.  We
     spend something on the order of $40 million on the testing program.
         DR. WALLIS:  I have got a question about that.  Was there a
     problem that the NRC cut off the research funding too early?
         MR. McINTYRE:  The NRC?
         DR. WALLIS:  Whoever was funding the research necessary to
     understand the phenomena, enough to make --
         MR. BARTON:  DOE.
         DR. WALLIS:  DOE.  Whoever was sponsoring.
         MR. McINTYRE:  Actually, the biggest contributor was
     Westinghouse Electric Corporation/Company at the point -- and we thought
     we had done what was necessary.  And these are things that you can chase
     sort of forever.  And it gets back to -- what is adequate?  I know as a
     professor, this may be hard, but we are looking for a C grade.
         DR. WALLIS:  A gentleman's C.  Are you a football player?
         MR. McINTYRE:  Yeah, we -- no.  There is -- we don't get any
     extra credit in a design certification if we are getting an A.  But we
     think, as a result of this, if we look back, and we can almost do it
     rationally now, that we really did, you know, make a lot of changes in
     how the thermal-hydraulics and things are looked at.  Certainly, in
     containment analysis.  I think one of the reasons that containment
     analysis was so difficult, if you look at the way containment analyses
     are done for all these operating plants, it is P equals NRT in a two-
     and-a-half million cubic foot volume with a source in here and some heat
     sinks there, and it is something that, truly, a freshman or sophomore
     could knock out.
         DR. WALLIS:  Like the lobby of the Hyatt.
         MR. McINTYRE:  It is a lot like the lobby of the Hyatt, yes. 
     A little larger.  But it is a -- and we came in really trying to make
     some -- because we had to, and that is what -- you know, did we
     understand what was going to be important?  That's why we ran the tests
     that we ran the way that we ran them.
         Unfortunately, when you have scaled the facility as the
     largest vessel that you can get to Pittsburgh and get it under a
     railroad bridge, you know, that is kind of hard to explain, Dr. Wallis,
     based on --
         DR. WALLIS:  Bring it up the river.
         MR. McINTYRE:  -- PIRT and scale.  Well, you would still --
     there are still bridges between.  And so one-eighth scale was it.
         DR. SEALE:  By the way, I should point out, also, the staff
     is not brought up in the culture where they should feel that the
     applicant is their professor.
         DR. WALLIS:  But they could still be impressed.
         DR. SEALE:  Right.
         DR. WALLIS:  Well, maybe that is too broad a subject to get
         DR. SEALE:  I agree.
         DR. WALLIS:  The culture the staff might be brought up in.
         DR. KRESS:  Other questions the members want to ask while we
     got him here?
         MR. BARTON:  I think we have beat up on him pretty good, and
     considering he is not going to present us another design in his
         DR. KRESS:  Oh, I am disappointed.
         MR. McINTYRE:  Well, it would be nice to come back with an
     application for a COL.
         DR. KRESS:  Yes.  When are you going to get one of those, do
     you think?
         MR. McINTYRE:  That depends on who wants to build one in
     this country, or who is going to be a generator.  Some of those other --
     and when you buy an entire nuclear plant for $100 million including
     three reloads of fuel, that is pretty darn cheap, except that there is
     no new generation involved.
         DR. WALLIS:  You can't compete with that.
         MR. McINTYRE:  It's hard.
         DR. SEALE:  Mr. Chairman.
         DR. KRESS:  Yes.
         DR. SEALE:  I sat over there in that seat for two years
     while the latter part of this was going on, and I would like to make a
     personal remark that I have to say that I admired the gentlemanly and
     professional way in which Brian and his colleagues accepted, not always
     with a smile, --
         DR. KRESS:  There was occasionally steam coming out.
         DR. SEALE:  That's right.  But that made it even more
     impressive.  Accepted the criticism and reacted in a measured and
     unemotional way.  And I would just like to say truly gentleman.
         DR. FONTANA:  I agree, but you didn't see them after they
         MR. McINTYRE:  You didn't have to ride with me in the car
     back to Pittsburgh.
         DR. SEALE:  Probably true.
         MR. McINTYRE:  Well, thank you very much.  And I think in
     the words of the Chairman, I can quote her on this, "That which doesn't
     kill you, makes you stronger."
         MR. McINTYRE:  She said that on the 13th, I mean that was a
     quote.  I was surprised, but that's on the record.
         DR. KRESS:  I, too, would like to second that comment and
     also make the point that the decisions that were made with respect to
     our interim letters and questions were truly Committee decisions.  They
     were not decisions by our consultants.  Consultants were just an input
     and we discussed them at length and arrived at our own conclusion.  But
     I did want to be sure that --
         MR. McINTYRE:  Oh, no, that was always clear.  It was the
     path to those conclusions that was something very painful.  I think that
     the interim letter, since you brought that up, was very helpful, because
     that let us break up that, which would have been a horrendous effort,
     and let us get those -- and if you had questions, then we could bring
     them back the next time or even bring them back the last time.
         DR. KRESS:  Yes, I thought that was a good fix to part of
     the process.
         MR. McINTYRE:  So Noel should get a gold star for helping
     developing that to move it along.  And, also, it meant that we got the
     FDA in September rather than November, in this government fiscal year,
     which was important to us because of our sponsors.
         DR. KRESS:  Well, I would like to thank Brian and express
     our appreciation for his willingness to come and help us out with this
     and expressing his viewpoints.  Thank you once again.
         MR. McINTYRE:  Thank you.
         DR. KRESS:  With that, I will turn it back to you, Mr.
         DR. POWERS:  I think at this point we can go off the
     recorded record.
         [Whereupon, at 5:23 p.m., the meeting was concluded.]

Page Last Reviewed/Updated Tuesday, July 12, 2016