459th Meeting - February 4, 1999
UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
***
459TH ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
***
U.S. Nuclear Regulatory Commission
2 White Flint North, Conf. Rm. 2B3
11545 Rockville Pike
Rockville, Maryland
Thursday, February 4, 1999
The Committee met, pursuant to notice, at 8:30 a.m.
MEMBERS PRESENT:
DANA POWERS, Chairman, ACRS
GEORGE APOSTOLAKIS, Vice-Chairman, ACRS
WILLIAM J. SHACK, Member, ACRS
ROBERT E. UHRIG, Member, ACRS
MARIO V. BONACA, Member, ACRS
JOHN J. BARTON, Member, ACRS
ROBERT L. SEALE, Member, ACRS
GRAHAM B. WALLIS, Member, ACRS
THOMAS S. KRESS, Member, ACRS
MARIO H. FONTANA, Member, ACRS
DON W. MILLER, Member, ACRS
P R O C E E D I N G S
[8:30 a.m.]
DR. POWERS: Let's go back into session. This is the second
day of the 459th meeting of the Advisory Committee on Reactor
Safeguards. During today's meeting the Committee will consider the
following: proposed final revision to 10 CFR 50.65(a)(3) of the
maintenance rule, SECY 98-244, NRC Human Performance Plan, proposed
resolution of Generic Safety Issue B-61, allowable ECCS equipment outage
periods. We will discuss some fire protection issues, proposed ACRS
reports.
This meeting is being conducted in accordance with the
provisions of the Federal Advisory Committee Act. Mr. Sam Duraiswamy is
the Designated Federal Official for the initial portion of the meeting.
We have received no written statements from members of the
public regarding today's session. We have received a request from Mr.
McIntyre, Westinghouse Electric Company, for time to make oral
statements regarding lessons learned from the review of the AP600
design.
A transcript of portions of the meeting is being kept and it
is requested that speakers use one of the microphones to identify
themselves and speak with sufficient clarity and volume so they can be
readily heard.
I am informed that today is the anniversary of the birth of
Mr. Prandtl and so we will allow all thermohydraulics types a moment of
peace and quiet to contemplate his contributions to the field.
We plan to have a picture of the current embodiment of the
ACRS tomorrow, so people might anticipate coming neat and pretty.
DR. SHACK: We are really meant as a radio show.
[Laughter.]
DR. POWERS: And members now have in their mailboxes copies
of the minutes of the retreat, the meeting of the Planning and
Procedures Committee that was held last week. We will be discussing
that and follow-up to the retreat tomorrow. You might want to glance
over the minutes and see if there are any changes, corrections, or
additions that you have.
Do any members have comments they would care to make at the
opening of the meeting?
[No response.]
DR. POWERS: Seeing none, let's proceed ahead with our
discussion of revisions to the maintenance rule and Dr. Shack, I believe
that you are the cognizant member?
DR. SHACK: Yes. The original maintenance rule, and it is
paragraph (a)(3), had a statement that reads, "In performing monitoring
and preventive maintenance activities, an assessment of the total plant
equipment that is out of service should be taken into account to
determine the overall effect on the performance of safety functions," and
it turns out of course that "should" means this is a recommendation
rather than a requirement, and so the original discussion came over
"should" and "shall" -- "shall" is a requirement, "should" is a
recommendation, so we are discussing revisions to the maintenance rule
to essentially recover the intent, which was that these performance
assessments should be made.
There is some additional expansion in scope that instead of
restricting it to performing monitoring and preventive maintenance
activities the revisions essentially now cover a wider range of planned
maintenance activities. Again, at least the Commission's original
intent was that this rule was also applicable to shutdown conditions.
There is now a statement that makes that explicit.
However, there is a considerable amount of adjustment in the
actual wording of these changes and we have a September 30th, 1998
comment -- or version that went out for public comment. There was a
great deal of comment from the industry basically saying that this was
going to add a great deal of burden. Many people have something on the
order of 10,000 components and if all planned maintenance was to be covered
with a safety assessment, this seemed like an enormous expansion in
scope and effort.
There's some revision of the wording of the rule and a
January 28th draft and for all I know there's a February 3rd or 4th
version, so Rich Correia is going to tell us the actual current state of
the proposed revision to the maintenance rule.
MR. CORREIA: Good morning. Thank you. My name is Rich
Correia. I am Acting Chief of the Quality Assurance, Vendor Inspection
and Maintenance Branch of NRR. I am also the Section Chief of the
Reliability and Maintenance Section of that branch responsible for
maintenance rule programs.
With me today is Peter Wilson from the Probabilistic Risk
Assessment Branch of NRR and Suzanne Black, who is the Acting Director
of the Division of Reactor Controls and Human Factors and Wayne Scott
from the branch, principal people involved with this rule change.
By way of background, to give you an idea of what got us to
this point today, in a Commission briefing and Commission paper in 1997
we briefed the Commission on the status of the implementation of the
maintenance rule, and during that briefing and in the paper we
mentioned, as Mr. Shack just said, that this part of the maintenance
rule is a recommendation. The word "should" is used instead of
"shall" -- the safety assessments did not absolutely have to be done.
It was thought at the time the rule was written this was a
fairly new concept and I think the Commissioners at the time didn't want
to impose too much of a regulatory burden on the industry.
As a result of that paper and meeting, the Commission asked
the Staff to consider clarifying this part of the maintenance rule and
to give them examples of some of the problems our inspectors had seen on
the maintenance rule baseline inspections.
In response, we wrote SECY 97-173 and provided the
Commissioners with three options for (a)(3) -- leave it alone, change
"should" to "shall" or make what we call comprehensive changes really
was an option that would make this part of the regulation a requirement
with the thought being it would be PRA-based instead of PRA-informed,
which would be a considerable step forward with our regulations
regarding the use of PRA.
We recommended Option 2 -- "should" to "shall." We thought
of the three options it would be the best thing to do. It would get us
the requirement that would be enforceable, which was the focus of our
concern at the time and we would be able to take actions to ensure that
licensees actually performed these assessments.
In response, the Commission agreed it should be Option 2,
but they gave us a lot more than just "should" to "shall" as just
explained. They gave us prescribed language to change to, and it was
similar to what the existing rule said with "shall," expansion of the
scope of maintenance activities that would require an assessment and a
preamble to the rule to make it clear that this rule applies during
operation, normal operation, and shutdown conditions. I think that was
as a result of the Staff's effort to impose a shutdown rule, but the
Commission decided not to. They thought the maintenance rule was
sufficient but they wanted to make it clear that the maintenance rule
did apply during shutdown conditions.
They told us to do a limited regulatory analysis for Options
1 and 3 but interestingly said to consider for future rulemaking a more
detailed rule that would codify the existing regulatory guidance which
endorses the industry guidance for implementing the maintenance rule.
I think our current thinking is if the Commission decides to
implement (a)(4) that we would look at the results and determine whether
or not future rulemaking would be needed.
They also told us to make sure whatever we were doing with
the maintenance rule is consistent with other related changes to
regulations like 50.59 and 50.71.
The language or the SECY paper that we wrote and asked the
Commission to allow us to put forward the proposed rule for public
comment again basically just reiterated what the Commission told us to
do, proposed that there be a preamble stating that the rule applies
during all the conditions of plant operation including shutdown --
normal shutdown conditions. It's a clarification.
Industry has always implemented the regulation during
shutdown conditions. We inspect it that way. This is just a matter of
making it clear.
Again, these are the major changes to the rule. They
decided to delete this sentence from (a)(3) and make the safety
assessment a separate paragraph -- (a)(4).
Actually, the first four bullets are pretty much the same as
the existing regulation except "should" to "shall," a minor change, an
editorial change in changing "before performing maintenance
activities" -- the current regulation says "in performing maintenance
activities". The concept of assessing the current plant configuration
and the expected changes are pretty much the same.
The main difference is a new sentence that said once you do
the assessment then you shall use the results of the assessment to do
two things, ensure that the plant is not placed in a risk-significant
configuration or a configuration that would degrade performance of
safety functions to an unacceptable level.
MR. BARTON: Richard, are these terms defined somewhere in
the rule? I couldn't find them.
MR. CORREIA: They are not defined in the rule. We defined
them in the statements of consideration that went out as part of this
package.
DR. APOSTOLAKIS: So what is risk-significant?
MR. CORREIA: Risk-significant configuration? I believe we
described it as a change in risk that -- that was pretty vague -- it was
change in risk that was unacceptable, something to that nature, no
specific numbers of values.
The reason the Commission put these words in there, I
believe, is this statement was in the original statements of
consideration of the maintenance rule as the intent of the (a)(3) safety
assessments.
I think the Commission decided, well, why not put it in the
rule to make sure that a licensee just wouldn't do an assessment but not
do anything with it, so the thought was do the assessment and use the
results to make sure you don't place the plant in a risk-significant
configuration, but as we found, that was probably the most discussed or
most commented on part of the rule that we received from the industry
and the public.
MR. BARTON: I can see where it would leave a lot of
interpretation licensee versus inspector, and this thing goes round and
round the daisy chain and I think regardless of, you know, what the rule
is in the implementation requirements that these words have got to be
explicitly clear and understood by both the parties.
MR. CORREIA: Absolutely.
DR. APOSTOLAKIS: So how is that going to happen?
MR. BARTON: I don't know.
DR. APOSTOLAKIS: Do you plan to do anything about it?
MR. CORREIA: Yes.
DR. WALLIS: That is the next slide, isn't it?
MR. CORREIA: I'm coming to that.
DR. APOSTOLAKIS: Okay, and assess current plant
configuration, again what does that mean? It's related to the risk
significance?
MR. CORREIA: I think the intent is to look at the status of
the plant, what is out of service, what is operating, what maybe the
environmental conditions are, and in combination with that look at what
they plan to take out of service and consider the impact.
Is it going to -- for example, we used the example if
maintenance is ongoing in the switch-yard, and they want to do emergency
diesel generator maintenance, is that a smart thing to do?
DR. APOSTOLAKIS: So a risk monitor then would be very
helpful?
MR. CORREIA: It would be very helpful. Many of the
licensees that we have inspected do use a risk monitor for those high
safety significant SSCs and combinations that they would consider taking
out of service simultaneously.
DR. SHACK: In the current rule there is the statement, you
know, maintenance activities that take systems out of service. The
statement of considerations says maintenance requires removing from
service. The January 28th rule still just says maintenance. It doesn't
say anything about removing equipment from service. I mean that would
seem to cover polishing the decal on the -- you know, why not the
specific phrase "out of service" anymore?
MR. CORREIA: We agree that the majority of the cases that
is what we would be concerned with, equipment that would not be
available to perform its intended function, but there are certain
maintenance activities that don't take equipment out of service but
could result in an initiator transient -- turbine control valve testing,
main steam safety valve testing that is done at power that if a problem
occurs could result in an unplanned scram or transient.
We wanted to make sure that the assessments considered those
situations.
DR. SHACK: It looks like it covers those and a lot more.
MR. CORREIA: Well, that is a consideration that we are
dealing with. We believe that we can address that in the regulatory
guidance rather than in the rule to explain all those situations.
DR. POWERS: I guess I am still unclear what you mean by an
assessment. When you discuss the issues you are interested in, it
sounds like a fairly routine paper consideration. When you talk about
acceptance levels, things like that, you sound like you want a PRA.
MR. CORREIA: Depending on the amount of equipment being
taken out of service, what we use in maintenance rule terminology it is
"of risk significance" and other factors. In some cases a PRA analysis,
PRA is the best tool to use to determine whether or not it is
appropriate to take the equipment out of service.
In some cases it could be a single system or train or
component of low risk significance where an informed decision by a
licensed operator would be adequate so we have that range of assessments
that we have to consider.
DR. POWERS: I mean what you have discussed is the range of
possibilities. What I am more interested in is what is the minimum
amount to meet the requirements of the proposed rule.
MR. CORREIA: Well, it will have to be depending on the
complexity of the situation. Our expectation is and I think even the
Commission stated in the original statements of consideration of the
rule that as the configuration becomes more complex the expectation was
so should the assessment.
DR. UHRIG: Does this assessment made by this individual
operator you alluded to a minute ago have to be documented?
MR. CORREIA: We have talked about that. It was another
comment we received from the industry.
What we focused on on the inspections was the process they
used. What we were looking for was a repeatable, scrutable process. We
weren't as concerned that they document everything. What was more
important is that they understood the implications of what they were
doing and then made the right decisions.
DR. UHRIG: What about inspectability?
MR. CORREIA: Well, I'm going to let Pete Wilson address
that because he did --
DR. UHRIG: Because if it is not documented --
MR. CORREIA: -- he did the majority of these inspections
for us.
MR. WILSON: Yes, my name is Pete Wilson. I have sort of
been overseeing the PRA aspects of the maintenance rule baseline
inspections.
The way we conducted the inspection was first look at the
process the licensee had placed in their maintenance rule implementing
procedures, and then what we would do is recreate plant configurations
over a period of time and then test to see if, you know, using their own
process, if we came up with the same risk results or safety assessment
results that they had.
And if we found something out of the ordinary we asked them
why did you say this was low when we think it's by your own process a
higher-risk situation.
DR. UHRIG: There was a reference a minute ago to the use of
a risk meter. This is an acceptable approach to this?
MR. WILSON: Yes. Provided that the, you know, the risk
meter is of sufficient quality for what they're doing. You know, just
some of the early risk meters were basically cut set manipulators that
if you took a lot of equipment out at once, the results were no longer
reliable. Some of the newer plants do requantifications of full models,
and we find those acceptable, provided the PRA has fidelity.
DR. MILLER: Who makes the judgment on the quality of the
risk meter?
MR. WILSON: Well, for the maintenance-rule inspections,
given the short time, we did not delve deeply into the quality of the
licensee's PRA that was used in the risk meter. We did a spot check of
certain aspects of it, but we -- I would be hard-pressed to say that we
did an inspection of their model.
DR. WALLIS: Related, what do you mean by "overall effect"?
I mean, if you had a bullet which simply said determine effects on
performance of safety functions -- "overall" could mean make a rough
estimate of overall effect, or it could mean do something pretty
comprehensive. Why did you put in the word "overall," and is there some
measure of "overall effect" which you can use?
MR. CORREIA: I think what the Commission intended by that
word was to look at the cumulative impact of multiple pieces of
equipment out of service simultaneously.
DR. WALLIS: You mean look at all the details of these or
make some rough estimate of the overall effect? I mean, I don't
understand --
MR. CORREIA: I believe the intent was to make sure that by
taking equipment out of service that you wouldn't jeopardize or place
the plant in a situation where if there was an event and you needed
certain equipment, that you would have it.
DR. WALLIS: I understand that.
MR. CORREIA: But the overall effect, again, it's a judgment
call on conditions of the plant and what plant management had in mind,
which makes the inspections quite interesting, because like most of what
we do, it's a matter of judgment, theirs versus ours, since there's no
hard and fast requirements to even use a PRA. It was recommended, we
encouraged it, industry embraced it. So we followed along.
DR. POWERS: But it does seem like there's -- I mean,
there's a certain amount of schizophrenia here. You've got judgment
calls all down through it, and acceptance criteria that seem very
quantitative, risk-significant or not, on acceptable level. Why don't
you just go ahead and put in a bullet that says thou shalt use a PRA?
MR. WILSON: Yes.
DR. POWERS: I mean, I'll tell you exactly why. It's an
unacceptable thing. But you're effectively requiring them.
MR. CORREIA: With this language, that was certainly
implied, and the comments from the industry certainly indicated that.
They had also indicated that this language would prevent them from doing
what from a safety perspective may be a high-risk situation, you know,
putting the plant in a high-risk configuration, but for a very short
duration, which may be a better thing to do than to take multiple steps
over a longer period of time. Even though the risk may be lower,
probably the potential for something going wrong would be greater.
DR. POWERS: Is a PRA really suited to make judgments about
risk over a short period of time? I mean, huge numbers of things in
there are annual averages.
MR. WILSON: Right, but the PRA in my mind is the best tool
we have. It's the only integrated tool we have, and you can look at
short instances of time by looking at core damage probabilities in that
instance of time.
DR. POWERS: Yes, I'm willing to concede that the PRA yields
a core damage probability. The statement that it's the best tool we
have available seems to be one that would have to be bolstered by
comparison to various tools against some objective criterion. Do we
have that?
MR. WILSON: Not that I'm aware of.
DR. POWERS: Okay. Then what leads you to think that that's
the best tool we have available?
MR. WILSON: Well, based on my experience in operations for
18 years I think that when you have multiple combinations out of
service, that's the only tool that looks at it in an integrated way.
You can use a barrier-type analysis, which some people used several
years ago, where you look at key safety functions but because of
dependencies and other things like that, your decisions could be
incorrect using simply a barrier approach.
MR. CORREIA: PRA will give us one insight as part of the
whole assessment and management process. Certainly operator judgment,
experience, training, understanding of the plant, how it reacts to
certain situations, all those pieces come together to determine whether
or not it's acceptable to remove or work on a piece of equipment for
maintenance. But as Pete said, certainly the integrated effect that a
PRA gives you is at least today seems to us to be a reasonable way of
accomplishing what the Commission intended.
DR. WALLIS: I don't understand why it's debatable what an
unacceptable level is. I noticed the industry comment said -- several
of them said define unacceptable level. Surely you have clear rules
about performance of safety functions which are unequivocal, and there's
no debate about what's acceptable and unacceptable.
MR. CORREIA: It was a comment we received. What we try to
do is, using these two phrases in that last sentence was balance the
insight, the situation where a PRA may be the better way to evaluate or
assess the configuration, or in some cases technical specifications for
one piece of equipment out of service may be adequate in combination
with operator judgment. Then they know what the limits are on what can
be taken out of service and for how long. That was the thought behind
that language, anyway.
DR. POWERS: Suppose that I broke my plant down, mentally,
into a series of subsystems, did an assessment with whatever PRA I had
available, and said okay, I can have this subsystem, which might be a
lot -- I might break it down fairly coarsely, say into five or six --
and said I can have this subsystem out of service for 14 days, and not
increase the risk. I did this all well beforehand, today, and just kept
these things on a chart, and I might do them singly and then I might do
them pairwise. I doubt I would go to triples, because I'd probably
start running into problems. And so when my maintenance schedulers came
up to schedule maintenance, they just looked on that chart and said
okay, we have to do this in a certain period of time. Does that qualify
as an adequate assessment?
MR. CORREIA: I would say depending on the risk significance
again of the equipment you're talking about, the higher the risk
significance and whether or not you're doing it simultaneously or in
parallel, it may be appropriate or may not be.
DR. UHRIG: Isn't that essentially what a risk meter does,
except it does it concurrently?
MR. CORREIA: Yes.
DR. UHRIG: It effectively does that.
MR. CORREIA: Right.
MR. WILSON: There were a number of utilities that used
preassessed tools where they would have either a two-by-two matrix or
they would have different combinations preassessed, and the only caveat
I would add that you would have to look at that block of components you
plan to take out and then maybe consider any external factors that
weren't there during the preassessment.
DR. SHACK: The current rule, and, you know, it doesn't
require these assessments, but it certainly suggests that these
assessments have been done, what are they using for guidance now? How
detailed is the guidance in 9301 on performing these assessments? Is it
acceptable in the intent of the new rule?
MR. CORREIA: The guidance was written in 1992-93 with that
thinking at the time. Certainly it addressed -- it mentioned risk
monitors. It mentions matrices. It mentioned more deterministic
approaches, depending on again the complexity of the configuration and
what the situation was. In my mind it is still adequate, but what we
plan to do in revising the regulatory guide or if industry decides to
revise the existing guidance, we've learned a lot since 1993. Industry
has in my mind come a long way with different techniques and
methodologies that they use, and we'd like to incorporate that to expand
the guidance.
MR. BARTON: Well, apparently it must have worked.
DR. SHACK: Does it increase the requirements or --
MR. CORREIA: No. It's only guidance. Better ideas is the
way I look at it.
MR. BARTON: Well, apparently the words must have worked,
because in your inspection program you found several utilities whose
program was completely adequate and had no weaknesses. So apparently
the guidance was out there. If licensees wrote their programs and
procedures to comply with that guidance and followed them, obviously it
was satisfactory. If the problems you found where plants did not
implement that satisfactorily and carry it through to the level where
you did find some weaknesses or some people didn't even do it because it
wasn't required, "should" was there instead of "shall." But obviously
you could have made this thing work with the old words.
MR. CORREIA: In the majority of plants, every plant had a
process, and it was usually designed on their maintenance philosophy.
Some plants would only take one piece of equipment out of service at a
time, and rarely during power they still would do most of their
maintenance during outages. Other plants did whole divisions at a time.
So their assessments tended to be much more complex. So we looked at
their situation, their philosophy, and their process to determine
whether or not they were meeting the intent of the rule.
DR. SHACK: Now the industry, you know, makes an argument
this is an enormous expansion in scope. Now obviously the scope of
components under the maintenance rule isn't changed by this change in
words. You've just told me the guidance for the assessments they're
doing is still acceptable. Is the expansion in scope going from, you
know, monitoring and preventive maintenance to all planned maintenance?
Is that where they're seeing the enormous expansion in scope?
MR. CORREIA: I would argue that the only true expansion is
adding corrective maintenance to this assessment process. All those
other activities, we say monitoring and preventive maintenance covers
surveillances and postmaintenance testing. They're already doing it.
Correct me if I'm wrong, Pete, but I believe most plants
also address today corrective maintenance, corrective maintenance that's
planned versus emergent work or emergency work. I don't believe we'd
expect licensees to stop doing assessment and then fix a situation that
from a safety perspective needed immediate attention. We don't expect
that today. We wouldn't expect it in the future. And that's some of
the information that we want to put in the regulatory guidance to make
sure that it's clear.
I imagine that some plants that only do the assessments for
monitoring or preventive maintenance activities and not corrective
maintenance, it will expand or increase their burden. I agree. But I
believe, as the Commission did, it's the right thing to do.
My next few slides here will get into why we believe that,
because the industry has changed since 1991 when this rule was written.
DR. APOSTOLAKIS: In the Regulatory Guide and risk-informed
changes to the tech specs, there is a criterion regarding temporary
changes, that the probability of core damage should be less than a
number, and the probability of large early release should be less than a
number. It is a frequency, it is the integral over the time. Could
these criteria be relevant here, when you are trying to decide what is
risk significant? They refer to temporary changes.
MR. WILSON: We intend to put guidelines in the Reg. Guide
that would give recommended levels for core damage probability and large
early release probability.
DR. WALLIS: Is this just recommended or rules? I mean
suppose the inspector says --
MR. WILSON: Recommendations. I think when you see how the
-- the new proposed wording of the rule, we are looking more at
utilities to manage risk and to give them guidelines at what point we,
the Commission, feel you should be concerned that you are getting to a
certain level of risk that you need to carefully manage --
DR. WALLIS: Eventually, it will be a rule, won't it? I
mean if you step over this line, then you will be cited.
MR. CORREIA: Again, it will be guidance, as it is in the tech
spec regulatory guidance. But at least I believe anyway that temporary
change guidance is what we should be doing for the maintenance rule.
MR. BONACA: Isn't here a key issue the fact that you are
allowing to take equipment out of service during operation beyond tech
specs limits.
MR. CORREIA: Yes -- no. No, no.
MR. BONACA: Well, not beyond. I am saying, however, there
is equipment out there that is removed, multiple equipment, okay, that
is not controlled by tech specs, however, it is safety significant.
MR. WILSON: Correct.
MR. BONACA: And so why wouldn't you have, you know, a
burden on the utilities to demonstrate, in fact, that the configuration
is not risk significant. I mean I see a shyness on your part in
promoting use of PRA, or whatever tool you think is appropriate, to
support the configuration. It seems to me that the degree to which you
are allowing this to take place online maintenance, where multiple
equipment is removed, you have to have -- you know, I see a shyness in
proposing -- placing the burden on assessing risk significance, and I
don't think you should do that.
MR. CORREIA: It is a shyness from having it in the rule
versus in the regulatory guidance, or in the statements of consideration
that would, at least from a Commission point of view, lay out the
expectations on how these assessments should be conducted. And,
certainly, the more complex the high risk significant systems
combinations, the expectation would be to focus more on PRAs than
deterministic approaches, certainly.
DR. WALLIS: Are you shy or just not be really explicit,
saying this, this and this are acceptable, you had better do it? And
why does it have to be sort of couched in sort of maybe language the way
you seem to be doing it?
MR. CORREIA: The maintenance rule is intended, at least
initially, to not be prescriptive. In keeping with that philosophy, we
are trying to keep the language -- I shouldn't say vague, but rather
than prescribe precisely what a licensee would have to do, the idea is
to tell them what results they should achieve and let them decide what
is best for them.
MR. BARTON: It is supposed to be performance-based rule.
DR. WALLIS: That's all right. As long as the results --
MR. BARTON: You can make it prescriptive very easily by
doing the things that you are suggesting. You can make it a
prescriptive rule, which was not the intent of it initially.
DR. SEALE: Earlier, someone mentioned that there already is
somewhere else a number for allowable risk if you take certain things
out of service. Have you thought about sharing that number in the
maintenance rule as your version of what the allowable risk would be, or
have you thought about it at all?
MR. CORREIA: Yes, we have.
DR. SEALE: Well, I mean have you thought about using that
number.
MR. CORREIA: In the rule or in the guidance?
DR. SEALE: In the guidance.
MR. CORREIA: In the guidance, yes.
DR. POWERS: Well, I mean if it is good enough for guidance,
it seems to me like it is good enough for rules. The word there is an
unacceptable --
DR. SEALE: I agree. I was concerned about the earlier
problem, namely, having more than one number in the regulations or in
the guidance for the same process.
DR. POWERS: I understand. You would like --
DR. SEALE: I would like consistency, even though it may be
a hobgoblin.
DR. POWERS: And historically, it seems like we have avoided
putting those numbers in rules, but here we have got a very -- I think
it kind of perplexes me. We have got judgmental process, judgmental
process, judgmental process, acceptance criteria that is very, very
quantitative. Well, if you are going to be halfway, you might as well
go all the way and make it quantitative.
DR. SEALE: Sure.
DR. SHACK: Well, I think you had better perhaps get on to
what the current proposed wording of the rule is, that may change some
things.
DR. SEALE: You may get out of here.
MR. CORREIA: Thank you. Just briefly, and we have talked
about some of these already, the most significant reasons why the
Commission and we believe this rule change needs to be made. Certainly,
the first one is the clarification that the rule applies during shutdown
conditions. But the next bullet, and the fourth one, in my mind, are
the two most significant reasons why this rule should be changed to --
this requirement should be changed to a requirement -- recommendation be
changed to a requirement.
Since 1991 industry has not only increased the amount of
maintenance they do at power, but the frequency. You read it in the
trade journals all the time that this plant just broke a refueling
outage record of 20 days or 19 days. I don't think refueling processes
have changed that much, but I think the amount of maintenance they used
to do during those outages has changed. They are doing more at power.
MR. BARTON: What is also reduced a lot is the
modifications, the major modifications are all done, which ate up most
of the time in outages and masked the amount of corrective maintenance
in most cases. Those major mods are done at all plants because plants
are not installing modifications anymore. So your outage is really
shuffle fuel, do a hydro, do your surveillances and do corrective
maintenance that fits in that window and go.
MR. CORREIA: Some plants have also lengthened their run
cycles from 12 months to 18 months, to 24 months in some cases, and I
believe the only reason they can run that long is they are doing
maintenance at power, to make sure the equipment continues to operate
through this whole cycle.
DR. MILLER: Has that created a noticeable problem? I mean
have we seen things that -- where we think a plant was put in a risk
significant position, that we -- do we have a problem we are trying to
solve or just --
MS. BLACK: I would like to answer that, and remind Rich
about, I think it was around 1995 when Bill Russell, the Office
Director, went out to a few plants and he was concerned by what he saw
at plants we were taking out of service. They did a temporary
instruction and looked at all the plants across the country and came up
with the results that we needed to improve the guidance. He wrote a
letter to INPO, I think it was.
MR. CORREIA: Yes.
MS. BLACK: And INPO gave guidance to all utilities on how
they should control their online maintenance.
DR. MILLER: Okay. So INPO has guidance. Is that --
MR. CORREIA: It is more of a management guidance that they
put out on -- don't rely solely on your technical specifications as a
reason to take equipment out of service because, as they are talking
about here on the fourth bullet, the technical specifications weren't
designed to address simultaneous outages, so they could be masking risk
significant situations by just following tech specs.
I believe this change to the maintenance rule, or this part
of the maintenance rule is, to my mind, the most important part of the
rule. It is an ongoing assessment process to reasonably assure the
plants don't set themselves up for problems.
MR. BONACA: The reason for the comment I made before is
that I have seen, for those utilities that have a good PRA capability,
the maintenance department proposes -- takes out of service some
components, the way they have done in the past. PRA group comes up and
says your risk is increased by twenty-fold. So an interaction happens
and then maintenance is moved so that you reduce that twenty-fold to
three-fold.
Now, given that perspective, it seems to me, again, that you
have to expect the use of technology that allows you to reduce the risk,
given that those who do not use these tools seem to have a history of
this kind of issues. What I mean is that maintenance department,
believing they are doing the right thing, and yet they go into these
kind of situations that -- with a simple risk meter or a PRA is found to
be significant, because the relationship between, you know, independent
components in different locations on separate trains at times are
difficult to understand and the PRA can do it very effectively.
So, the point I am making, again, I don't think that, given
this increasing amount of maintenance at power, there should be an
expectation there are adequate means out there to evaluate if you want
to take multiple systems out of service.
MR. CORREIA: I don't disagree at all.
DR. MILLER: So there's plants that have been doing things
like Mario is talking about, like I was walked through a plant, we had a
risk meter, which I think, at least on record, looks good, and they
walked me through how they were doing their maintenance. This is three
years ago. And they did exactly what Mario said, they looked at the
risk and they looked at the planning. And so if they are doing that,
then that is what we want to happen.
MR. CORREIA: Absolutely.
DR. MILLER: Now, my question goes back to, and it picks up
on Dr. Uhrig's question -- if they have a risk meter, how are we going
to judge the quality of that? If they have a risk meter, is that the
way to do it, and is that -- that is going to be acceptable for this
assessment? And the risk meter is based on the PRA and then you made
the comment, we have to look at PRA quality.
MR. CORREIA: Yes.
DR. APOSTOLAKIS: He said yes.
MR. CORREIA: Yes.
DR. APOSTOLAKIS: I think what Dr. Bonaca is saying is that
they should be, in fact, asked to do that.
MR. CORREIA: If -- in other words, in the rule itself, if
they take out --
DR. MILLER: Right.
MR. CORREIA: -- multiple pieces of equipment, or that if
the configurations are complex or have multiple pieces out of them, they
should use PRA tools, they must use PRA tools?
MR. BARTON: Now, you are making it prescriptive. How am I
going to do this assessment?
MR. BONACA: The trouble I am having is, with complex
configurations, because it happens so many times that people take out of
-- you know, so, I am only saying that I understand your language there
in the previous slide, what you are saying, essentially commensurate.
Essentially, that says your risk significance and the methodology you
use is commensurate to the significance of the configuration you are
proposing. You know, it is I think vague, because the history is one
where the people that don't use PRA, they are taking out other systems
out of service, several simultaneously, and they really don't know what
the impact is.
Now, insofar as the methodology, you don't need such a
complex methodology. PRA will easily identify some dependences between
some components on two different trains, very quickly.
DR. APOSTOLAKIS: I am told here, because I see John
Barton's point that this, in a performance-based rule or approach, you
really should not prescribe the way to achieve the performance. In a
Regulatory Guide, of course, you can give guidance. On the other hand,
of course, this involves PRA, which should be used.
MR. WILSON: That being the gospel you mean.
DR. SHACK: Shall be used or should be used.
DR. SEALE: The point is that this is a performance-based
rule, but it requires the application of risk insights.
Now, you have indicated in your third bullet that
inadequacies were found in your A-3 assessments during baseline
inspections. How did you judge what the utility did to be inadequate?
MR. WILSON: Well, I guess I will answer that since I do a
lot of these inspections. First off, we had several utilities that
didn't perform them at all. We had some that --
DR. SEALE: Didn't perform what?
MR. WILSON: Any assessment.
DR. SEALE: All right.
MR. WILSON: They took equipment out of service without
consideration of its risk impact or safety impact.
DR. SEALE: Well, that is certainly inadequate, but --
MR. WILSON: Right. We had some other utilities that had
risk tools, like a two by two matrix, where they would actually take four
or five risk significant components out at once without considering that
impact. And we actually found a few that put themselves, by their own
criteria, in risk significant configurations without knowing it. Some
of the people who used the tool didn't even -- you know, who were
responsible for using the tool, didn't have any training on how to use
it, et cetera, et cetera.
DR. MILLER: And those were judged adequate? What were you
doing?
MR. WILSON: Well, we -- since the word adequate has -- for
inspectors, has a regulatory meaning, meaning if it is inadequate, there
is some violation of NRC regulations, so we would call it significant
weakness.
DR. SEALE: A program weakness.
MR. WILSON: Right. Put something in the cover letter of
the inspection report that we had noted this in the inspection.
DR. SEALE: Were you able to give them hints as to what
would have been adequate?
MR. WILSON: We don't give hints.
DR. APOSTOLAKIS: Inspected there with a T-shirt that said
PRA.
MR. CORREIA: We can certainly tell them what we believe was
wrong, and, hopefully --
DR. SEALE: Can you tell them how you decided that their
number was not as good as the number you got, so that you judged what
they got as being inadequate?
MR. WILSON: Well, --
DR. SEALE: Presumably, you did some sort of parallel
assessment.
MR. WILSON: Right. But what we don't have is our own
independent NRC PRA model to run the quantification with a different
model than they have.
DR. APOSTOLAKIS: But now you have --
MR. WILSON: So we have to rely on their results and see if
they followed their process. And, as I said earlier, given the
maintenance rule baseline inspections, we did not verify the quality of
their PRA that might have been used to develop their tool.
DR. MILLER: So we are going back to the quality, the PRA is
an issue here. Right? So to be adequate, you have to have a quality
PRA?
DR. SEALE: To put it another way, if they had done it with
a PRA, we still don't know whether it was an adequate assessment.
DR. MILLER: That is another way to put it, yes.
DR. APOSTOLAKIS: Let's start from the top, let's follow a
top-down approach.
MR. CORREIA: All right.
DR. APOSTOLAKIS: It seems to me that the appropriate place
to strongly recommend the use of PRA is the Regulatory Guide, because
that is where you are telling the industry what you find to be
acceptable. And then because, you know, we are saying that
performance-based regulation should not be prescriptive, but there is also an
additional element that the licensee should be using acceptable methods
to demonstrate that they have met the requirements, and these acceptable
methods have to be described someplace.
Second, the issue of quality. As you know, the IPEs, the
IPE quality varies a lot, licensee to licensee. Here you are mainly
interested in what happens when something is out of service. So the
quality -- the question of quality there I'm not sure is that important,
because all the IPEs have event trees and fault trees, so the quality
really counts when people don't treat common-cause failures very well or
the human error rate is underestimated. In other words, when the
numbers really play a role -- and in your case they might if you adopt
the criterion that the regulatory guide on tech specs has -- but I think
you can get most of the benefit here by just looking at what happens to
the accident sequences when you take certain equipment out.
And at the same time, if the IPEs are really bad in some
cases, this would be a means for making the utility improve the IPE,
because we discussed the question of quality of IPEs about two years
ago, and the question then was should we go back and ask the industry to
do them again to make sure that they all meet a certain quality
standard, or as they use their IPEs, they will start improving them,
depending on the situation. And it seems to me this would be a good way
of telling people that first, this is really the tool to use, and
second, that tool has to meet certain minimum requirements for this
purpose. So it will become then part of their operations without making
a big deal out of it.
DR. POWERS: Could I interject a point of clarification on
what you're asking for here? I guess I haven't memorized Part 50
adequately, but I cannot remember anything in Part 50 that says the
objective of our regulations is to have licensees produce good-quality
PRAs.
DR. APOSTOLAKIS: No. And that's not the objective here.
All you are telling them is --
DR. POWERS: It seems to be. If you're asking them, gee,
this is a motivation to get them to improve the PRA, I mean, I'm
perplexed. I simply don't see anything in the regulations that says
that a licensee even has to have a PRA.
DR. APOSTOLAKIS: Well --
DR. POWERS: Maybe with this there will be, but --
MR. BONACA: The point you made, however, George, that --
see, the IPE may be low quality, and that would make it hard to defend a
bottom-line number like a CDF or something of the kind. The
dependencies, however, as developed in the fault trees, typically are
pretty valid.
DR. APOSTOLAKIS: Yes.
MR. BONACA: And they help you very much to see some
dependencies which are not so obvious. Again typically you're worrying
about separate divisions whereby the concern is that you're taking out a
division and inadvertently you may take out some other important element
of the other division that is critical in some way. So I think the
tools are available out there, and the reason why I'm expressing this
concern is that the only thing that allows us to support online
maintenance where you make this significant modification in
configuration is because it is a short time.
But the fact is, if the risk is increased very significantly
in a short time, this is much beyond what we are allowing to do in 50.59
where we are talking about, you know, discussing at a grass level, you
know, who gets the top inch of the grass. And so that's why I think it
is an important issue, that at least the best technology available today
be expected -- expected -- to assess complex configuration. We don't
have to prescribe a PRA.
DR. APOSTOLAKIS: It's my turn to be perplexed, and maybe in
an hour the whole Committee will be.
DR. SHACK: Well, I would say don't get too perplexed,
George, because we have to get done by ten, and we'd like to hear their
response to the public comments.
DR. APOSTOLAKIS: Wait, wait, wait -- by what Dr. Powers
just said. I mean, it seems to me -- are the risk-informed regulatory
guides issued last year not part of the regulatory structure? They are.
DR. POWERS: They are not requirements. There's nothing in
a requirement about them.
DR. APOSTOLAKIS: You are not requiring here. You are
putting it in a regulatory guide, and you're saying this is an
acceptable way.
DR. POWERS: These are changes to rules.
DR. APOSTOLAKIS: I just suggested that the PRA reference
should be in the regulatory guide, not in the rule.
DR. POWERS: I think it's effectively in the rule.
DR. APOSTOLAKIS: Then I don't understand how they can ask
in the rule that the licensees should ensure that the plant is not
placed in a risk-significant configuration.
DR. POWERS: That's what causes you to say this rule
effectively requires a PRA. There is no way to meet this rule that will
be acceptable to the staff without a PRA.
DR. APOSTOLAKIS: So you're suggesting they drop this?
DR. POWERS: They have -- well.
MR. CORREIA: What the words imply. It could be implied
that yes, a PRA would have to be used each and every time. We don't
believe that's the case, but certainly that was the reaction of most of
the comments from the comments we received.
DR. WALLIS: Well, when is PRA going to stop being taboo?
When is PRA going to be required?
DR. APOSTOLAKIS: I don't know.
DR. WALLIS: Presumably some day to make risk assessments
you're going to have to use something like a PRA. Maybe I'm naive to
say -- and someday it's going to become required. Maybe this is --
DR. POWERS: Well, what I knew for sure --
DR. WALLIS: To debate.
DR. POWERS: Is that I've got several examples of plants
that have operated for almost 30 years without the assistance of a PRA.
Now maybe that's fortune on their part, and maybe not. But it is clear
that we have not granted any licenses to plants that said you must have
a PRA. If we're going to make that step and say you effectively have to
have a PRA, then I think we have a serious backfit analysis to do.
DR. MILLER: But if we say you must have a PRA to do certain
things with your plant that weren't planned, like online maintenance in
complicated situations, is that a backfit? We're talking here, they're
talking about say taking out four or five systems simultaneously, and
the only tool we have now to analyze the risk-significance of that is
the PRA. Would that be a backfit?
DR. POWERS: Have we done this in the past?
DR. MILLER: No.
DR. POWERS: We've not taken out four or five systems in the
past.
DR. MILLER: Oh, certainly have.
DR. POWERS: And we somehow succeeded in analyzing it then.
DR. MILLER: Well, I thought there was some question of
whether we succeeded.
DR. POWERS: I thought that was your question. It's not
evident to me that we're trying to solve a problem, I think, and it's
evident that we're trying to solve what we think might be a problem, but
that thing that might be a problem is not itself bolstered by the
analysis that the licensee is required, that is, the staff's not gone
through and said okay, look, here are some configurations that were
permitted in the past that just have a very, very high risk number.
I've calculated it with a PRA that I think is quality. We're not
getting that kind of information. I'm not sure we're attacking a
problem that exists. I think it's a --
DR. MILLER: Well, I'm not either.
DR. POWERS: Figment. I mean, it's an imagination. People
have said gee, this could be a problem. If it's a problem at 10 to the
minus 13, that's one class of a problem. If it's a problem at 10 to the
minus 3, that's a different class of problem.
DR. MILLER: Well, have we answered that question then? I
don't think -- I agree, we have not.
DR. POWERS: I think we --
DR. MILLER: I thought that was the question I tried to ask
earlier on.
DR. POWERS: I thought that was the question you posed.
MR. BONACA: Just a couple --
DR. MILLER: But Dr. Bonaca said he thinks there is a
problem.
MR. BONACA: Well, a couple of observations. One, first of
all, I certainly am not prescribing a PRA. I'm only saying that there
has to be a burden to assess risk-significance before you go into online
maintenance. I don't care how you do it. You know, if PRA seems to be
the whole issue, you could limit yourself to failure mode and effect
analysis or whatever, whatever you do to get some basic understanding of
the significance.
And, second, from a perspective of the past, if you look at
a lot of the LERs and you read them, you'll see that there are words
such as: The plant was in the following condition: "Train X was out of
service for this reason and the other component was" -- and then
something happens. And when you read that, you miss the fact that this
system was out of service 4 days and the component was -- I have not
performed an analysis to see to what degree that sums up the risk. But
I think, you know, again the burden of demonstrating for the operator,
that he understands the risk-significance of the configuration that goes
into should be there whatever tool he uses and how convincing he may be.
But certainly I feel that there is a shyness, the way I read it, in
setting up an expectation, and I don't think it should be there.
MR. CORREIA: Correct me if I'm wrong, Lane, but I believe
in the statements of consideration for this proposed rule we did lay out
that expectation that the more complex combinations of equipment out of
service, then the expectation is that so should the analysis, so should
the assessment including tools like risk monitors, and then from there
down to the simple low-risk one item out of service judgment by the
operator-type assessment.
So if the Commission agrees with that for the final rule,
that will be in the statements of consideration, and certainly that
would be easy to be brought into the regulatory guide.
DR. APOSTOLAKIS: I'm still perplexed, because I don't think
I need an IPE. It's not that I'm asking them to do something major. Is
it in Part 50 that people should use specific differential equations,
that they should solve using Laplace transforms, that they have to do
that?
In other words, if there is a situation where a problem
requires a solution of an equation using the Laplace transformation, can
the licensee say no, that's not part of my license, so I will not do it?
It seems to me that's ridiculous. So here you have a situation like Dr.
Bonaca describes which is purely logic. It says this system is out,
that component is out, show me that you're still safe. So now I know
nothing about fault trees and event trees, but I take the combination
and say well, gee, you know, if I take that combination, I'm this close
-- and this extra component fails -- I'm this close to damaging my core.
That's not in Part 50. That's logic.
Now, if you expand that and give it a name, all of a sudden
it becomes a no-no, oh, it's not in Part 50. But if you keep it a
couple of levels down to the mathematics, then it's okay.
So I think we should draw a line here. I mean, it's one
thing to demand a PRA the way, you know, Indian Point did it several
years ago, or 1150, which was really a major undertaking of 12 volumes
and so on, and another to say aha, this tool is used in PRA and we have
not demanded a PRA in Part 50, so don't use it. That doesn't make sense
to me. This is just logic. If you want to call it a minimal cut set,
then are you committing a crime?
DR. POWERS: I think the question, George --
DR. APOSTOLAKIS: I've grown accustomed to minimal cut sets.
[Laughter.]
DR. POWERS: The question, Professor Apostolakis, is not can
you use PRA to solve this, the question is must you. And I think I
would have no trouble with a logic that went okay, I have this system
out, and I also have this system out, and so if there is a fault, I only
have one protective barrier, is an acceptable solution. But I think it
gets denied by putting in these acceptance criteria.
DR. WALLIS: What other way is there?
DR. APOSTOLAKIS: See, that's where I'm lost. It seems to
me that's the logic --
DR. WALLIS: You're not going to use PRA. What else are you
going to use?
DR. POWERS: Oh, barrier analysis, just what he described.
DR. WALLIS: Is it adequate?
DR. POWERS: Just what he described.
What I have to understand is what the problem is in order to
understand whether it's adequate or not.
DR. WALLIS: Then I think we need to have an analysis of
that, and if there is no other adequate method, then it will have to be
used.
DR. POWERS: Then include in the rule and say thou shall use
a PRA.
DR. WALLIS: I think eventually that's going to happen
somewhere, sometime, someplace.
DR. APOSTOLAKIS: It seems to me they can dilute the
language --
DR. POWERS: The question is, is it this place and this
time?
DR. APOSTOLAKIS: They can dilute the language in the
regulatory guide, so that does not appear you are demanding an IPE or a
PRA. But you can still talk about barriers and combinations that take
the plant to unsafe conditions. Now if they don't want to use the PRA
and they want to deal with 100 minimal cut sets, that's their problem.
If they want to use the PRA and come back and say look, the dominant
ones are two, and the probability is very low, so leave me alone, well,
that's another story. But we can certainly manipulate the language so
that it doesn't appear that we're imposing logic and truth on people.
MR. CORREIA: Well, we would certainly recommend that in
those situations, since PRAs are -- I think every plant has a PRA or IPE
-- we've seen the number of plants that have risk meters or risk
monitors increase pretty dramatically over the years since the price is
now not prohibitive. I think we're going to see it anyway, to be honest
with you.
DR. APOSTOLAKIS: I think the message is be careful with the
language, because it's certainly a legitimate point --
MR. CORREIA: Yes.
DR. APOSTOLAKIS: That you cannot really demand things that
are not in the original thing. But, again, be careful with the
language. That's all there is to it.
MR. BARTON: Moving right along.
MR. CORREIA: Moving right along. Thank you.
We've talked pretty much about all of these. The types of
comments we got, the terminology that wasn't defined in the rule but was
described in the statements of consideration, that the assessment should
only be for SSCs removed from service, the concern there is there may be
some online surveillances that could perturbate the plant and initiate
an event, that this (a)(4) requirement is duplicative of the
configuration risk management program.
I don't deny that. The assessment should not be required
for non- or low-safety-significant SSCs, I generally agree with that,
but I believe there are combinations, could be combinations of low-risk
SSCs that could give you a risk-significant situation. And it would
have to be addressed. Generally for non- or low-risk safety-significant
SSCs, a simple deterministic assessment would be adequate.
That exists today. I believe that would be adequate in the
future.
Documentation requirements are not specified. There are no
documentation requirements anywhere in the maintenance rule. Being
performance-based it is described in the regulatory guidance. What is in
there today probably could be enhanced. There is a lot of fear that
this new (a)(4) requirement is going to demand volumes of documentation
to prove to the inspector that, yes, I did the assessment.
As Pete described, we are more interested in a process that
can be repeated and is scrutable. Documentation should be for the
licensees, to convince themselves that they have done the right thing --
and yes, we believe that the Regulatory Guide needs to be revised to
reflect lessons learned over the last few years, some new insights that
we have gained through inspection, ideas that industry has come up with,
and we are working on that revision.
DR. POWERS: Let me come to your more interest in the
process.
MR. CORREIA: Documentation?
DR. POWERS: Than detailed documentation, and I believe that is
true. I have no doubt that that is exactly what you are interested in.
Is there some assurance that each succeeding generation of
people inspecting on this will have a similar devotion to the process
and not the documentation?
MR. CORREIA: That is in our inspection guidance today. I
don't have any plans to change that and we have spent an enormous amount
of resources training our inspectors -- have in the past and continue to
do so -- and I guess it's my responsibility to see that that does not
change.
DR. SEALE: But you don't see anything in these changes in
wording that would suggest a need to temper or modify the present
inspection guidance?
MR. CORREIA: Somewhat.
DR. SEALE: So I presume then you are planning on making
those suggestions?
MR. CORREIA: Yes.
DR. SEALE: I have a little bit of a problem. You indicate
here that combinations of out-of-service -- I'm sorry, I'm on the
next -- go ahead.
MR. CORREIA: That's fine. These are all proposed responses
to these comments.
DR. SEALE: I have a little bit of trouble there, because
there aren't any "no safety significance" systems, are there?
MR. CORREIA: It was a comment we received, so we just --
DR. SEALE: No, but I have a problem. I mean what happens
if you are having to do some rerouting on the electrical wiring, the
ordinary utility wiring -- not circuits that are in control systems and
so forth -- and besides that the water cooler needs a new coil in it.
Those are a ridiculous set, but that is an awfully wide loop
you are swinging with that statement there and I can see where you might
wind up nailing somebody because they had a bunch of things going on
that didn't have a thing to do with reactor operations.
MS. BLACK: Could I remind you that the scope of the rule is
defined separately and this only applies to things that are in the scope
of the rule, so you wouldn't have that kind of inspection problem.
DR. SEALE: Okay.
MR. WILSON: We are planning in the regulatory guidance to
have additional guidance that the licensee can screen out from all
future assessments some of the things that have been scoped in the rule
to make the population smaller of what they have to think about.
DR. MILLER: So Bullet 2 only really means within the scope
of the rule?
MR. CORREIA: Yes.
MR. SCOTT: My name is Wayne Scott. I am just dying to make
this one comment, that we have been saying since the very beginning on
these kinds of issues that in a lot of cases for low safety
significant issues that the thought process that a licensee, especially
a licensed licensee, goes through to say there is no safety significance
in this evolution is in itself an assessment.
MR. CORREIA: And we have accepted that. I think the only
item here that we haven't talked about is the fourth bullet on the
comment we received that (a)(4) is duplicative of the configuration risk
management program.
I think that was by design. The reason we have CRMP is
because (a)(3) of the maintenance rule is not enforceable so they had to
come up with something that would be placed in tech specs that would be
enforceable, but the Commission has already directed us if (a)(4) does
indeed become regulation that licensees could apply and the Staff is
supposed to remove CRMP expeditiously from the tech specs and that
(a)(4) serve as the requirement.
MR. BARTON: So I put a license amendment in and extend my
diesel outage for four days and you say that's okay but you have to have
a CRMP so then I have to put a license amendment in to say please remove
my CRMP?
MR. CORREIA: Yes.
DR. SHACK: But you will expeditiously approve it?
MR. CORREIA: That, per direction of the Commission, yes.
They understand the burden there.
Given all these comments we received and certainly a lot of
the discussion here today will be helpful, but this is what we plan to
send back up to the Commission as the revised (a)(4). It is shorter but
I believe it still meets the original intent and even the changes that
the Commission directed us to make.
DR. SHACK: Now we have lost planned maintenance.
MR. CORREIA: We have discussed that. We have said it
should be in, it shouldn't be in -- matter of opinion. It's probably a
better thing to do than not.
DR. WALLIS: -- but how much risk is acceptable? I mean
there may be a huge risk in this to be assessed and managed.
MR. CORREIA: I think the management is the key here. There
may be situations where a large increase in risk for a very short time
is a safer thing to do than spreading it out over a long duration, and
that was one of the concerns of the industry where the previous language
would prohibit them from doing that, so we wouldn't want to force the
plants to be in an unsafe situation but I believe this language would
give them the flexibility to make those judgments.
DR. APOSTOLAKIS: So if I stick to Part 50, any increase in
risk I guess that case would have to be interpreted to any equipment
that is out of service? It certainly increases risk.
MR. CORREIA: Essentially yes. Oh, certainly the systems
and components in the scope of the maintenance rule.
DR. APOSTOLAKIS: So if I use the -- oh, any increases, even
if use a PRA you still have to do something, right?
MR. CORREIA: I am still --
DR. APOSTOLAKIS: Does the word "risk" appear in Part 50
anywhere?
MR. CORREIA: I am not aware of that.
DR. APOSTOLAKIS: If not, why can you use it here?
MR. CORREIA: Why can we?
DR. APOSTOLAKIS: Yes. I don't understand. I am coming
back to Dr. Powers's comment. Is it something that is legitimate to do?
MR. BARRETT: My name is Richard Barrett. The word "risk"
does appear in several places in Part 50.
DR. SEALE: I'm sure it does.
MR. BARRETT: But I don't believe in that context it refers
to risk as we commonly refer to it as, you know, probability times
consequences of severe accident. It is used more in a vague sense of
risk to the public.
DR. MILLER: I need some clarification on what you mean by
manage any increases in risk.
Does that mean the licensee will specify what that means
because this is performance-based or --
MR. CORREIA: They will describe the method that they would
use to manage increases in risk due to maintenance.
DR. MILLER: And they also specify how much risk that would
be during that management process, or will that be required?
DR. APOSTOLAKIS: I guess not.
MR. CORREIA: We won't make it a requirement. We could
certainly put guidance, perhaps the same numbers as used in the
risk-informed tech spec guidelines, temporary changes.
DR. MILLER: So if I am a licensee I would say I am going to
manage my risk by saying I'll be in this risk state, which is consistent
with one of our Reg Guides on risk management -- on risk assessment for
this amount of time, and the inspector has to accept that or not accept
that. Is that the way it works?
MR. CORREIA: The burden would be placed on the inspector --
DR. MILLER: Right.
MR. CORREIA: -- to make the case that what the licensee was
doing did not meet this requirement. It's a challenge. It's like a lot
of other regulations a matter of judgment. Appendix B says "Conditions
adverse to quality shall" have some function performed or what does a
condition adverse to quality mean? It's what the licensee describes and
what the inspector determines is adequate or not -- a matter of training
and guidance and mutual understanding between the NRC inspectors and the
licensees I think is the best method to achieve that common
understanding.
MR. BONACA: But there are some things that normally are
done, like for example identifying the equipment to be protected during
the particular activity, identifying the equipment that must be
recovered first -- I mean is there going to be someplace where this
clear -- these are principles that are important to operations where
these are spelled out.
I mean these are things that --
MR. CORREIA: Sure -- contingency planning, et cetera, yes.
That all belongs, in my mind, in a Regulatory Guide.
MR. BONACA: Yes, and I agree with that.
DR. WALLIS: Can I go back to a question that my colleague,
Dr. Bonaca, asked why you were so shy about it, I think instead of being
more specific and more assertive about what you are requiring in terms
of risk. Is this because you would be shot down by somebody if you did,
and who would that person be?
Are you frightened of the utilities? Are you frightened of
the Commission? Are you frightened of the public? What is it that
makes you so shy?
MR. BARTON: I see you left ACRS out of it.
[Laughter.]
DR. WALLIS: We are a very friendly group -- there is
nothing to be shy about.
MR. CORREIA: I guess that is a decision for the Commission
to make --
MS. BLACK: And excuse me, the Commission did make that
decision when we proposed the three options and the third option was
doing specifically that -- specifying some level of risk in the rule
that would be the limit of NRC acceptance, and the Commission
specifically told us to not spend very much time assessing that option,
to go ahead with Option 2, which is the more performance-based, gives
licensees options. If they don't want to use a PRA they don't have to.
DR. WALLIS: So it is the Commission that is trying to move
us into this risk world of logic that is making you shy about moving in
that direction?
MS. BLACK: I don't know that they were shy about moving
towards it. Their position when they came back in the SRM was that it
would probably take a lot more time to do that kind of analysis and they
wanted this rule in effect very quickly because they were concerned
about the amount of online maintenance that was being done and the
weaknesses we saw during the inspection.
They did tell us in the long-run we should look at Option 3
if we feel there is a need to after we have this rule in place to
reassess and see if we need to go one step further and identify --
DR. SHACK: I also think there is too much emphasis here on
that number. I mean the real problem is the inadvertent -- I mean no
licensee deliberately places himself in a situation or I think very
rarely places himself in a situation of high risk. What one wants to
avoid is a process that doesn't identify an inadvertent activity or
combination of activities that places you at risk and so arguing over
the specific acceptance, you know, should it be five times 10 to the
minus 5 or 10 to the minus 5, what you really want to have him analyze
what he is doing and understand what he is doing, and I really don't
believe there is much danger there that --
DR. WALLIS: The argument was given that the Commission
wanted a quick fix, the short-term fix here. I think when you do the
short-term fix, you ought to have some vision of the long-term fix and
how you are going to get there.
MS. BLACK: Well, the other thing is that what we saw out in
the inspections -- we looked at this in every plant -- and what we saw
out there is the level of risk that licensees were defining as what was
acceptable and what wasn't was adequate. We didn't take issue with
that, as far as I know, and any inspection -- they all had a matrix that
said this is a green situation, this is a yellow, this is a red, and it
needed different levels of management approval and different
configurations, and we found that acceptable and our goal is to define
in the Reg Guide -- define what we saw out there or describe what we saw
out there as acceptable so that licensees who maybe want to change their
program can look at the Reg Guide and see what other people did.
Correct me if I am wrong, Pete -- I think a lot of people
use the EPRI PSA Applications Guide temporary change guidance, and we
found that acceptable in every instance in our inspections, so we are
not changing anything that licensees are currently doing as far as
assessing the level of risk that they are willing to accept. We are
just making it an enforceable part of the regulation.
DR. MILLER: I think that if I were an I&C engineer in a
plant and I saw that I would go immediately into my management and
propose we put in a risk meter and based on a good PRA and use some of
the concepts that George has mentioned -- minimal cut set with low cost
PCs -- and have it in and running in a year. I think everybody would be
happy.
To me it's going to drive us the right way and it is better
than trying to put down numbers.
MR. CORREIA: I personally agree and I think we are seeing
industry move that way without a lot of nudging from us.
DR. MILLER: I'd drag my management into those places where
they are already doing it effectively and say put out your half a
million bucks and let's do it.
MR. BONACA: Yes, and insofar as the IPE, by the way, more
of my concern with the bottom line it would be how much is the bottom
line as represented in the limitation that you have affected by this
online maintenance, because ultimately you have unavailabilities assumed
in the baseline which don't correspond to reality.
You have a lot of systems out of service and components
there, so that is just a thought but I agree that we don't have to force
the technology and I believe the industry will move in that direction
because it is the proper way.
Certainly the expectation that if you place the plant in a
configuration which is other than licensed by taking components out of
service they have a burden to prove that that is an acceptable
configuration -- whatever that means. I mean it's up to you to --
DR. MILLER: But you can justify this economically.
MR. BONACA: Oh, yes. Very quickly.
DR. MILLER: And as I say, very quickly, easy to point out.
I think in a year or two, we will be back here and say, gee, every plant
has these online facilities with these $2,000 PCs based systems. Not
quite, but almost, I think.
MR. BONACA: In my experience, okay, this is the last
statement I am going to make on this, but the experience I have is that
once the operators in the control room discover the support from the PRA
groups, okay, they just want it. I mean because they don't like to be
in the responsibility of assessing whether the configuration is risky or
not when they will have any tools to do it. I mean they really, then --
very quickly, they are asking for information to be on their desk on a
daily basis. In fact, you know, I have seen this happening in every
case. And so that is the issue we are talking about, importance of
really using this kind of information to support good operation.
MR. BARTON: I think when the NRC did their inspection of
the maintenance rule, that the licensees that had strong programs had
people involved in the PRA aspects, also in good communications with the
operator, with the licensed operators. I think that was the strength of
those programs, as I remember, when those programs were done.
MR. CORREIA: Yes, absolutely, it was.
DR. MILLER: We get everybody involved in PRA this way. One
way to get them.
MR. CORREIA: I think operators see it as a valuable insight
that helps them make the decisions they have to make every day.
Absolutely.
DR. POWERS: I have not a single quibble with anything that
has been said about the virtues of PRA. Every -- I have no doubt that
sooner or later operators will indeed embrace it, simply because it
helps them and it takes a difficult burden of assessment off their
shoulders. The question that comes about, comes to my mind, is this
mandatory?
DR. MILLER: This doesn't make it mandatory.
DR. POWERS: No, this doesn't. Actually, I have very little
troubles with this. But as a general debate that we are having on this,
this -- Graham isn't saying eventually this has to happen because he
sees no way through this forest, and I do. I see things that have
worked, and worked fairly well, without going to the PRA.
The question really boils down to, should we be allowing the
camel's nose into the tent by suggesting that it is mandatory here? I
think there are effective ways to run and do everything that this
particular language, which I haven't parsed it into every single verb
and noun and expansion that you can get. My reaction to it is, oh, I am
going to look at the Reg. Guide and the inspection procedure real
carefully because -- because it is a pretty benign thing. I think
people can live with this.
But this question of -- are we so persuaded that this PRA
has all virtues, when I know -- I know for a fact that none of these
licensees have anything that approaches a high quality PRA for shutdown
conditions. And I know that many of them have PRAs that are approved
for certain kinds of activities, that they have brought in people that I
have no doubt are good at adjudicating the adequacy of PRAs and they
have approved them for certain activities and not for other kinds of
activities.
I mean it is a marvelous and interesting tool, but we are so
far away from being able to say what is an adequate tool here, whereas,
we have good engineering practices that have at least had the benefit of
long time use. I think we should not be in the business of saying but
you are denied use of those time-tested activities in place of this new
technology that we are all very enthusiastic about.
DR. MILLER: Does this -- this doesn't demand that?
DR. POWERS: Again, Don, I have no troubles with the
language of up here, without -- I have not parsed it.
DR. MILLER: I am just advocating that online this will
drive, with the current technology, which is different than it was five
years ago, dramatically different, it will drive people to do it that
way.
DR. APOSTOLAKIS: It seems to me --
DR. MILLER: Now, on shutdown, that is a different question.
DR. POWERS: Well, shutdown is, of course, a very important
part of this rule.
DR. MILLER: But they are worried about online maintenance
of power, it is provided in the rule.
DR. POWERS: I think that has emerged as what the real
question is. It is not -- I think people will find the relatively
qualitative techniques that EPRI developed for people, with their
greens, and oranges, and yellows, I think we are growing in comfort with
that. I have troubles with them because I don't know how to interpret
them.
DR. MILLER: That's the ORAM?
DR. POWERS: ORAM. But that is my failing, not the failing
of the method. I think what has emerged is -- you are right, that it is
the online maintenance that is really what is causing people to be
concerned here.
DR. APOSTOLAKIS: It seems to me this would be a good way
for people to start using PRA methods, including shutdown, and
developing them, without being forced to do so. Because I can see
someone using the qualitative methods that you refer to, Dana, and then
finding out that there is a PC program that does some of these things
much faster. Then the guy will start using it. He doesn't care whether
it is PRA or not.
DR. MILLER: Right.
DR. APOSTOLAKIS: In other words, if you see the benefit of
doing something rather than satisfying a regulatory requirement, then
you have a much higher chance of success. So the fact that the shutdown
PRAs are not up to the standard, perhaps by approaching the problem this
way, not just here, but in other instances, too, and people will start
realizing that they have to improve their understanding of the shutdown
states and what can happen, and so similar -- use similar tools from the
PRAs, then maybe that is a way to convince the industry that indeed
there is value to this tool.
MR. BONACA: The other thing I would like to point out is
that we all knew the day we built these plants that we would go down to
shutdown and refuel these plants. And I am not saying that we
understand a lot about it, but we knew that. Conversely, I think that
there was an oversight regarding online maintenance. I don't think
there was ever put on paper a description of how we would maintain these
plants. And so what happened, the NRC, I believe, through the years,
was unaware almost that online maintenance was occurring.
And then there has been a debate at some level within the
utilities and the NRC -- shall we do it or not do it? And then, just
because you have to do it, you end up doing it. That's a true
opportunity for oversight it seems to me, that we, as an industry, have
missed. And that is why I feel, you know, that this is the very issue
that you are bringing up, that is the one of online. That is the point
I am making.
DR. POWERS: I think that has emerged as what the real
problem to resolve here is. And I agree with you that -- and the
nuclear industry is not the only one that has built something and then,
as Don said, gee, I have to maintain it. Whoops.
DR. MILLER: Well, then the theory, of course, when you go
to all these plants, the economics are dramatically different, and
planning for 80 days outages was no big deal. In certain part of this
world, it is still required you have a 70 or 80 day outage. Maybe it is
not today, but it was a year ago. And you can't survive with an 80 day
outage, either -- whether you are burning uranium or natural gas.
MR. CORREIA: That is certainly a driver behind the
increased frequency of online maintenance, deregulation.
DR. WALLIS: This is fascinating to me. Your philosophy
seems to be wait until industry really, across the board, feels we have
to have PRA, and then you require it.
DR. MILLER: No, you are never going to require it.
DR. WALLIS: That's a strange way to regulate.
DR. MILLER: You are never going to require it.
DR. WALLIS: To wait until the regulatee, or whatever this
person is, this industry is called, is dying for you to make some
regulation, then you make it. That is not the original way in which NRC
operated.
DR. POWERS: I am not even going to pursue that.
DR. SHACK: Maybe we had better -- we are impacting our
schedule.
MR. CORREIA: The last slide. Just for your information,
these are the current plans. Go forward with this rule language, unless
otherwise directed, and have it back to the Commission by mid-April.
And as quickly as possible, complete work on the Regulatory Guide to get
that ready and out for public comment and for the Committee's review, if
they so wish. And to get that Regulatory Guide out as soon thereafter
as the rule is issued, but we are going to request that the Commission,
if they approve this, not make this rule change effective until the
Regulatory Guide has been published, final. So the industry --
DR. MILLER: So the schedule on the Regulatory Guide, you
say as soon as possible?
MR. CORREIA: We are going to shoot for a draft, hopefully,
next month, by April certainly.
DR. MILLER: So we could see it in April here?
MR. CORREIA: Hopefully. And then, hopefully, it will all
be done by the June, July timeframe.
DR. MILLER: By the way, when I teach engineering I want to
ban the word "hope." That's another issue. Hopefully.
MR. CORREIA: Okay.
DR. SHACK: Hopefully, we can get past that.
DR. POWERS: I want to come back to, a little bit, just the
proposed language. It seems like a very reasonable piece of writing
because it says the licensee shall assess. I mean, to my mind, that
means sit down and think about it.
MR. CORREIA: Yes.
DR. POWERS: And manage, that is, don't make it any worse
than it needs to be. And it refers to risk, but it is little risk, I
mean it is risk in a qualitative sense here, or it could be a
quantitative sense, it is up to election. Am I reading this correctly?
MR. CORREIA: Yes. That is the intent.
DR. POWERS: I think you had done great here. This looks
like a good correction to things because it is simply, if I read it
correctly, saying, if I come in and ask this guy, what did you do, I am
just asking him, show me, indeed, that you thought about this, that you
thought about ways that you could avoid very risky situations. That
would be desirable, Don. Absolutely necessary. But show me what you
did here, and did you think about it, or is this a haphazard activity?
I think that is what you are asking for here. And I think --
MR. CORREIA: Absolutely. That has been the original intent
all along.
DR. POWERS: And I think you have done good here.
MR. CORREIA: Thank you very much.
DR. SHACK: We had originally planned to have a presentation
from NEI. They were called up to the Hill today, so I don't think there
is an official presentation. But are there any comments from industry
on the rule, or does anybody wish to make additional comments?
[No response.]
DR. SHACK: I turn it back to you, Mr. Chairman.
DR. POWERS: I think at this point we are scheduled to take
a break and I propose to break until 20 after the hour.
[Recess.]
DR. POWERS: Let's come back into session. Our next session
deals with the Human Performance Program Plan.
I guess I'll just turn it directly over to Mr. Apostolakis,
who is the cognizant member. I'll say that this has been a recurring
theme to us and that we now have what I characterize as a two-stage
plan, an immediate what we are going to do now, and the future, and I,
myself, am very interested in how we go about doing the future version
of the plan, so even if that is not part of the formal presentation, it
would be useful to discuss what the thinking is about the development of
the future plan.
Mr. Apostolakis?
DR. APOSTOLAKIS: Steve? Go ahead with your presentation.
MR. ARNDT: Okay. As Dr. Powers mentioned, we were asked to
come and talk a little bit about the current version of the plan, which
is SECY 98-244, and I am going to speak very briefly about that but most
of the presentation will be spent on what we are going to do to come up
with the next version of the plan.
DR. POWERS: Steve, let me just interrupt and say that as a
matter of background that when the ACRS examined the Research Program
and plans for the future that it certainly felt that human performance
was going to emerge as a major issue in the future for the NRC, and that
is why this attacks -- attracts so much interest.
DR. SHACK: A Freudian slip.
MR. ARNDT: As some of you know me from my former life, a
little bit of explanation of why I am standing up here, as opposed to
other people who have been up here before, as you know --
DR. POWERS: Shell shock?
[Laughter.]
MR. ARNDT: Well, that may be the reason. The official
reason, however, as you know, my permanent position is in the training
program. I have been in Washington these past 8 months managing the
Control and Instrumentation in Human Factors Branch for Research, who is
the guardian of the plan. That branch will go away in the new
organization and the plan responsibilities will move to a new
organization.
As part of the development of course the members of the
Human Factors Group in that branch have been instrumental especially and
including Dr. Persensky, who is in the audience, I think, and can help
me out if I get above my head on some of these issues.
Today we are going to talk a little bit about the plan and
briefly the background, major comments and concerns that you had in the
briefing and the notes that you sent us in the summer of last year, what
is in the current version of the plan, and the activities we are
currently engaged in to come up with a new version of the plan that
addresses some of the comments and weaknesses of the current plan and
where we are and where we are going to go.
Short background for those people who are not familiar.
There's been numerous versions of the Human Performance Plan dating back
to right after the TMI accident. The current version started in a 1995
document that was designed to integrate the various activities and
coordinate between them, particularly since the activities in NRR and
Research were perceived to be divergent at that time.
We have had three or four versions since that time, all of
which have had significant concerns and comments by the ACRS.
The latest version, as I mentioned, was reviewed by the ACRS
and commented on both by letter to the Commission and in general
comments in the Research Review Report.
We made some changes to that document, although not nearly
as many as would have liked, and in that document we acknowledged the
comments and concerns of the ACRS and that was issued as SECY 98-244.
The last formal comments received from the ACRS were, as I
mentioned, in July of '98. There was a general agreement with the
mission statement. The mission statement was of course fairly apple
pie, motherhood. To refresh your memory, the mission as stated in the
plan was, "The mission of the Human Performance Program is to ensure
effective risk-informed and performance-based regulation and oversight
of human performance in the design, operation and maintenance and
decommissioning of nuclear reactor sites and other NRC-regulated
facilities by identifying human performance issues important to public
health and safety, increasing understanding of the causes of safety
implications of degraded human performance and implementing the
appropriate regulatory response to human performance issues."
That is to say understand what is important was the first
goal, try and increase your knowledge so you can do something about it
and when you do know something about then, if appropriate, regulate it.
Again -- the Committee had very few comments on that, other than the
fact that they did not believe the plan presented a strong, systematic
approach to meeting those objectives.
DR. POWERS: Well, I think that my perception is that when I
read that mission statement I say pretty good written mission statement.
I hope like crazy we're doing that, okay?
MR. ARNDT: Yes.
DR. POWERS: The next step that you need is, okay, here are
the things that we are doing -- are there things that we are not doing
or things that we need to do better at?
MR. ARNDT: Right.
DR. POWERS: And I think that is the step that is missing in
there, because it is the motivation of -- the next step, which you're
right, is the systematic approach.
MR. ARNDT: Right, and it is -- we understand that the
ability to articulate why the projects we're currently doing are meeting
those objectives or attempting to meet those objectives is something
that is not concisely put in the plan.
The ACRS also identified a need to more quantitatively look
at activity identification, activity prioritization, and closure
criteria. That was also a general comment of many of the research
programs in the Research Report, so we are going to be trying to do
that.
DR. POWERS: But I wouldn't overplay the quantitative aspect
of that. I mean where you can do quantitative it's great but it is much
more useful to have a logical tie --
MR. ARNDT: Right.
DR. POWERS: -- than just having a bunch of numbers and
saying, okay, I weight these rankings and add them together. It doesn't
get that logical tie for you, and I would rather have the logical tie.
I think what the Committee is looking for is that logical tie rather
than just the numbers.
MR. ARNDT: Right, okay. As we stated in the SECY, the
current version, because there's some areas in it that are simply where
we want them to be is a work-in-progress. We went through several
paragraphs acknowledging the concerns both of the ACRS and others and
made some discussion of what we were going to try and do to correct
those and we are going to go through that in some detail today.
The commitments were to identify a more quantitative
identification and prioritization process. When we say more
quantitative, we mean just what you suggested, Dr. Powers, that where
numbers and methods and data are available to say is this really
important in a quantitative way, we should use them where they are
appropriate. There are some things that they simply are not appropriate
for because there is no reasonable expectation that we would have
numbers, and the example for that would be emerging technology, things
that the plants haven't done in the past so we don't have historical
data. We wouldn't expect to have it.
DR. POWERS: One of the tactics that is being employed in
the program may be worth thinking about, and that thinking could say,
no, I have to discard it because it's more of a phenomenological issue
and it may not be so applicable to things that have a strong
sociological component to them is these phenomena identification and
ranking tables where you try to identify what are the important
things -- what are the things, which ones of them are important, which
ones do I know something about and maybe even enough about, and which
ones am I grossly ignorant on, where you rely largely on expert
judgment, but elicited expert judgment that is scrutable.
I can go say now why did these experts say this was
important and this other one was not so important and I can go and say,
oh -- well, they said it because of this. I don't have to say, well,
these guys are authorities in the field so surely they must know -- kind
of set it down -- and so that I walk away saying, ah, now I know why one
is high and one is low.
I just toss it out as an approach that looks like it is
going to be very helpful in one area. Maybe it is of use to this that
you are trying to do here.
MR. ARNDT: We'll investigate it. I know we have people in
our current division that have used that methodology extensively in the
thermal hydraulics area --
DR. POWERS: It came from thermal hydraulics and they have
their own peculiar science that may not directly translate so there is
no reason to think that it is a one-to-one translation but maybe it's
helpful.
MR. ARNDT: Well, I probably would have chosen specific as
opposed to peculiar but --
DR. POWERS: Well, you don't have to deal with them as often
as I do.
DR. APOSTOLAKIS: I think in that context that is why the
Committee in the past has recommended the use of a high level model,
because before you ask these questions you have to have some sort of a
model about human performance to help you answer these questions, which
in thermal hydraulics of course perhaps they don't need because it is
more of a natural science and they understand what needs to be done.
DR. POWERS: The model is very implicit in the thinking.
DR. APOSTOLAKIS: Yes.
DR. POWERS: They are all trained in Navier-Stokes and
things like that.
DR. APOSTOLAKIS: Exactly -- so in that sense that would be
helpful. Now this is the result -- the future plan of course will be
the result of many people's inputs.
MR. ARNDT: Yes.
DR. APOSTOLAKIS: And again in the context of this
discussion I was wondering whether all these people have the same mental
model of human performance and whether that would be necessary -- in
other words, first to explain to them a few things that maybe error
theorists may have developed and then ask them to go through the
exercise, or maybe that would not be appropriate because you want each
person to have his or her own model of the plant.
MR. ARNDT: I think in the identification of potential
activities where do we need improvement, where do we need to ensure that
the plants don't get worse? Then you need a general understanding of
how you are defining human performance and human error rate and things
like that.
In the prioritization scheme I am not quite so sure that you
need a comprehensive model that everyone agrees on, because everyone is
going to have a slightly different perspective on what will likely come
out of a project and I think that different perspective is useful.
DR. APOSTOLAKIS: That's why we go with the high level
model. For example, unless you think about it or read the literature,
you will not immediately think of organizational structures as affecting
human performance, okay, unless somebody tells you that or you see the
data. In that sense, I am talking about the high level without getting
into the details of what really affects human performance -- the
performance-shaping factors, for example.
MR. ARNDT: I think everyone in the community understands
that management, organizational factors and other general areas are
important.
DR. APOSTOLAKIS: Steve, is there any evidence that we have
a problem with human performance?
MR. ARNDT: Well, it depends on what you consider evidence.
If you look at the literature both in the kinds of events that continue
to reoccur as well as the relative importance of human action in safety,
there is significant published information that leads one to believe
that there is, continues to be significant issues.
One example is that even this many years after TMI we
still -- there have been several instances where operators have turned
off high pressure injection during an event. One would presume through
the enormous amount of training procedures and everything else that that
would not occur, but for various reasons that has.
Other examples are at some of the PRA sensitivity studies
that have been done looking at human performance several years ago
NUREG-3385 looked at in essence the risk achievement worths of various
human actions and compared them to the risk achievement worths of
important safety features like HPSI and things like that, and they
compared quite favorably, quite importantly to them.
There was the B&L work that was done on risk sensitivity and
although there's some issues as to whether or not that was done in the
best way, the numbers turned out to be very, very significant.
One of the things we are going to be doing as part of this
effort, and I will get to it in a second, is looking at the high
significant events in the last five years, the things that come out high
on the ASP reports, and looking at the risk contribution of human
actions in those events.
DR. MILLER: Steve, on the human performance, there are some
that aren't quite as visible but obviously have as much impact in the
areas of maintenance and surveillance and those types of issues where
training maybe is less prescribed. You know, we have been training
operators in a pretty well prescribed approach for many years but is
that also an issue that needs to be addressed?
MR. ARNDT: It is an issue of some debate right now. Most
of those go to what is referred to as pre-initiator event frequencies,
things that either cause initiating events or cause mitigating actions
not to be able to occur. There's some discussion about whether or not
that is a significant problem because you capture most of that data in
your availability frequencies because you measure the availability and
the availability due to testing or maintenance or someone having messed
up something is all lumped into one number, but it is certainly an
issue.
It is certainly something that needs to be continued to be
looked at until we determine that it is not going to be a significant
contribution.
DR. MILLER: Now industry has, of course, equal concerns.
For example, I put it in my file to review in addition to what we have
here INPO's Excellence in Human Performance, which I assume maybe has
had some impact or maybe it has not, but that has been out for two years
now.
Of course they deal with far beyond operators -- everybody.
MR. ARNDT: They look at everybody.
DR. MILLER: Although they try to engender a culture, so to
speak, of high performance throughout the plant from management on down.
MR. ARNDT: We, as part of the human performance activities
in the agency, monitor what INPO is doing, what EPRI is doing. As a
matter of fact, we had a meeting with EPRI last week to look at some
potential joint efforts in areas like deregulation and things like that,
so we are involved in looking at that.
Let me go forward, and some of this may become more obvious.
As I mentioned, we are doing coordination with the industry and with
advisory groups like yourselves, and we owe the Commission a progress
report on the development of the new plan in April of this year.
This is just a reiteration of exactly what we're going to be
-- what we're currently working on. We're currently pursuing activities
in making the identification of activities for human performance work
more risk-informed, and when I say risk-informed, I mean it that way.
It's not going to be risk-based, but it will be risk-informed, the
prioritization of activities, the development of the methodology for
closure criteria. And I'll talk a little bit about where we are in
that. We're not as far along in that as we are in some of the others.
And then once this has all been done, an actual revision of the plan.
DR. POWERS: I am very excited about this idea of looking at
past events and even just looking at in general PRAs to get some idea of
how important/unimportant human activities have been. Of course there
are other issues, there are other areas that may be even more important
that are a little harder to get a handle on. But you can still
risk-inform those, because in maintenance you can go look and say how
important was a piece of equipment. And I'm perfectly willing to
believe then that the maintenance must be very important on that too.
MR. ARNDT: Right.
DR. POWERS: Which is a human thing, that I think almost
deserves separate bullets here to make it clear what you're trying --
the kinds of things you're trying to do to get this quantitative risk
information into the process.
I think that's exciting. I mean, I really get excited about
that, because that gives me an understanding of where to rank this
relative -- the question has always been is it better to put your money
into human performance or to refine the thermal hydraulics code to the
next generation. And now with risk you've got a metric that allows you
to make that kind of tradeoff in some sort of a rational fashion where
at least it's an input into making that kind of tradeoff. There may be
other reasons that you want to continue to hone thermal hydraulics
codes.
MR. ARNDT: Well, and there may be other reasons why you
want to hone your knowledge of human performance as well.
DR. POWERS: Sure, absolutely. Anytime you're planning
activities, if there was a nice quantitative way to do it that gave an
incontrovertible answer, every manager and CEO in the country would be
out of business, right? But we haven't found that way, but we can
improve our knowledge.
MR. ARNDT: Yes.
DR. POWERS: It's a true example of multiutility --
multiattribute utility theory here.
MR. ARNDT: Some of the things we're doing --
DR. APOSTOLAKIS: Multiple stakeholders.
DR. POWERS: Multiple stakeholders -- not involving the
hierarchy.
MR. ARNDT: Some of the things we're doing in quantitative
identification, and again, when you read "quantitative," you should read
"more quantitative." It's not going to be completely quantitative.
We're reviewing the ASP data, as I mentioned before, we're going back
five years and looking at events with conditional core damage frequency
above 10 to the minus 5. That gives us between 50 and 60 events to look
at.
DR. POWERS: You get access now into shutdown events as well
in this.
MR. ARNDT: Some.
DR. POWERS: Yes, I mean, it's a cruder, but still --
MR. ARNDT: Much cruder, but we're starting to see those.
DR. POWERS: Crude counts.
MR. ARNDT: If crude's as good as we got, we'll use it.
DR. POWERS: Yes. I mean, it's better than guessing. Yes.
MR. ARNDT: We're going to go through and basically look at
all of those events and then bin them basically into whether or not they
had a significant human performance issue, either positive or negative.
In the actual paper, if you look at 98-244, in Appendix C, we started to
do that as a justification for the events in the 10 to the minus 4
range.
The two things we're going to do differently now is, one,
we're going to look at a lot more events, and we're going to do it in a
much more systematic way. We're going to bin them into events that had
significant human factors and those that didn't and look at those
ratios. We're going to look at how much the human actually contributed
to the events.
The other thing is we're going to try and make a forward
leading function. It's not going to be we've decided our plan and this
is how we're justifying, it's going to be this is why things are
important, therefore we're going to look at doing things in this area.
DR. POWERS: This is really exciting, and I encourage you
that once you get some insights or get the feeling that you've got
something here useful to talk about, even if it's fairly preliminary, it
would be fun to have you come down and tell us about it just to improve
our own perspective in the future.
I get the feeling that at least one member of the Committee
has this feeling that there are people with expertise in human
performance that have in the back of their mind a lot of things that he
does not have in the back of his mind, and you need to educate at least
one Member here, and this might be an effective tool to get his wheels
aligned.
MR. ARNDT: We hope to gain some insights as well as some
numerical indication of what are the most important things. We're also
going to go through and review a great deal of IPE data. We've looked
at the lessons -- the insights document, and as you know, there's some
specific insights as to what are the most important human-error-type
issues for PWRs and BWRs. There's a wealth of knowledge there, and we
hope to gain some -- a detailed review of that will give us some
additional information.
We're also looking at various other reports, some of the
sensitivity studies, and I mentioned earlier are going to be reviewed,
as well as some of the detailed work in specific areas. For example,
the AEOD systems studies. In several of those they looked at particular
contributors to those unavailabilities, and in some of them they looked
at human errors and things like that.
DR. SEALE: Steve?
MR. ARNDT: Yes, sir.
DR. SEALE: Earlier you mentioned the INPO excellence in
human performance activities and so forth, and I recognize that there's
always been a desire to maintain an arm's-length arrangement between the
NRC and INPO. And this strikes me as an example of where the blind
following of a doctrinaire approach can only work to your disadvantage.
You're not talking about sanctioning numbers that might be used in a
data base to do statistical analyses and so forth, you're trying to gain
insights. And those insights may very well be embedded in some of those
INPO activities.
I would urge you at this stage to share with the people at
INPO what you're going to be doing here to mine for these insights and
ask them whether or not they have things that might contribute to this
or if indeed they already have gained some insights from their programs
that might help you. You know, that's not really sharing hard data or
anything like that. You're just looking for insights. And I would
think that would be a good example of where a closer interaction would
be both effective and very helpful.
MR. KING: This is Tom King from the staff. Let me follow
up on that. We had a senior management meeting with INPO senior
management probably a month or month-and-a-half ago. This is one of the
areas that we've agreed would benefit from some cooperation. So we're
working on exactly what that cooperation will be. But it's precisely
along the lines of the things you mentioned and seeing what they've been
doing, what we're doing, maybe get into issues like deregulation, what
does that mean for human performance and so forth. So we're trying to
lay something out to do that.
DR. SEALE: And they can help you get access to any
international data that they might have through WANO.
MR. KING: Um-hum.
DR. SEALE: Which otherwise you don't really have -- you
know, still, that's very useful, because --
DR. POWERS: I think it's so useful that we ought to comment
specifically on it in any letter we write about this, because I think
the Commission needs to understand that this is a good idea.
DR. SEALE: Okay.
DR. MILLER: I had a question on that, Tom, since you
mentioned a meeting. INPO, at least their human-performance plan was
dated '97, so they've had a year-and-a-half experience with it, is there
any feedback yet on the impact of this program or not? Had they related
any of that during this meeting?
MR. KING: No. No, we didn't get into any details other
than agreement in principle to cooperate in this area.
DR. MILLER: Okay.
DR. APOSTOLAKIS: In the sources of information, why don't
you include the literature? I mean, maybe not quantitative, but
shouldn't somewhere there take advantage of what people have done,
thought about, and maybe use the experience in other industries to write
their papers and books?
MR. ARNDT: We are looking at both books, papers,
literature, and all areas -- I'm sorry that this slide does not convey
that -- both in the area of other sources of information what we're
going to be looking at is not only reports and bases but models and
where people are going and what they're thinking about.
If we get down to the bottom bullet, continue to use
traditional identification methodology, that basically means what --
there are some areas that we get information on what could be problems
in human performance from a number of different methodologies including
what is going on in the literature in other areas like the FAA and the
civilian and military aviation, the transportation industries and things
like that.
DR. APOSTOLAKIS: Now one other thought occurred to me. I
just glanced at the INPO booklet, and there is a lot there that one
would call safety culture, have a questioning attitude when you're about
to do something, and this and that. So somebody at INPO thought that
that was important. Would your four bullets here identify things like
that as being important?
MR. ARNDT: Several of the documents we're specifically
looking at, such as the IAEA recent documents on human performance,
specifically call out safety culture and management and organization as
issues that need to be addressed.
DR. APOSTOLAKIS: So it's really the literature that will
tell you that. Now maybe the INPO guys have seen it in the field --
MR. ARNDT: Sure.
DR. APOSTOLAKIS: But you need to have a questioning
attitude. But I don't think that data will really -- unless you really
look carefully and you go back and find out that people did not have a
questioning attitude. So that's why I think reading the literature is
very, very important.
MR. ARNDT: It's extremely important, and as a matter of
fact --
DR. APOSTOLAKIS: Now on the second point, though, hasn't
the Commission declared that we should not worry about these things?
MR. ARNDT: The Commission has indeed in a staff
requirements memorandum last summer told the staff not to work in the
area of management organization and spend no resources on it.
DR. APOSTOLAKIS: So how are you going to handle that here?
MR. ARNDT: Well --
DR. APOSTOLAKIS: It's a boundary condition for you?
MR. ARNDT: It is the duty of the staff to bring to the
attention of the Commission the important priorities for doing work, and
if they choose not to do it, that's fine.
DR. APOSTOLAKIS: Okay. So at this point you don't feel
constrained?
MR. ARNDT: Not in the identification of potential work.
Actually doing it, yes.
DR. APOSTOLAKIS: Okay. Now also we heard yesterday from
the team that's developing IAP, the inspection program, that safety
culture will not be of concern to them, because they believe that if
there is a bad safety culture, there will be evidence of it in incidents
and so on, so they will catch it there. Is that -- I think that's what
they claim.
Is that something that you believe also, or -- now again the
safety culture they referred to was the attitudes and leadership and
that kind of thing. So they said well, we really don't want to worry
about the attitudes of the people there, but if their attitude is wrong,
they will do something wrong, and our performance indicators or our
inspections will catch that. So we don't worry about it.
And they also made a distinction between the organizational
structure and the safety culture, which makes me now wonder whether the
Commission is making that distinction where they say don't work on these
issues.
DR. SEALE: I think that's just another reason to want to
have an opportunity to look very closely at what INPO is doing, because
the people at INPO seem to be able to come closer or to get into this
question of safety culture without raising hackles, if you will, about
whether or not you're monkeying around with the way people manage their
company.
MR. BARTON: But they look at some indicators that are
related to --
DR. SEALE: That's right.
MR. BARTON: Safety culture.
DR. SEALE: And so with that kind of information, I think
Steve and his people will be in a much better position to make the case
for a firmer definition of those things in the management or
safety-culture areas that they should be looking at and those things that they
might second to INPO or however they're going to handle it.
DR. APOSTOLAKIS: I don't believe that we should start with
the assumption that what INPO put down there is the result of their
experience at the plants. I would like to know what consultants they
used. I know they have a course on human error, and they use Jim Reason
--
DR. SEALE: Yes.
DR. APOSTOLAKIS: From England. So I am curious now as to
whether a lot of the stuff that's in the booklet is Jim's idea or comes
from experience, because that would make a big difference in my
thinking. The assumption that everything INPO does is based on evidence
I don't think is quite right.
MR. ARNDT: Right. And part of the process of reviewing the
various inputs is looking at the validity of the assumptions and trying
to assess in some kind of qualitative or quantitative way how that will
affect human performance in the United States plants.
As some of you might have noted, there was an article in
"Inside NRC" this week talking about some of the Canadian work. They're
now saying that organizational structure and safety-conscious work
environment is extremely important, and that actually is a derivation of
some of the work that we did in that area a couple of years ago. So --
DR. APOSTOLAKIS: Which we just injected yesterday in the
IAP.
MR. ARNDT: Yes.
DR. MILLER: I would think the Canadians would learn that
the hard way.
MR. ARNDT: Yes.
DR. MILLER: Why the Canadian plants are shut down,
primarily the bottom line is they just weren't doing things right.
Probably human performance is the major issue.
DR. POWERS: Where does -- I know the slide is titled
"Quantitative Identification." There seems to be a needs identification
where you talk to some of the line organizations. I certainly hear
inspectors, people from the inspection program saying well, we're going
to look and see how humans perform their activities. And I'm wondering
where? Where do those people get their oar in the water in saying when
I think about what I do, I would like to have something better than what
I have now? At what point in this stage do you get that kind of input,
or does that come to you just as a matter of routine?
MR. ARNDT: That comes to us to some extent as a matter of
routine from user needs and discussions with the program office, NRR.
What they need to do their jobs, be it better inspection procedure, more
definitive requirements for looking at things, comes to us as part of
the traditional methodologies that are used to identify potential
activities. The formal methodology is the user need, although we do a
lot of informal discussions with our colleagues.
DR. POWERS: I would encourage you to mine that informal
discussion, because we certainly find evidence of two things, that user
needs tend to be shorter-term than what you're really looking for here,
I think.
MR. ARNDT: Right.
DR. POWERS: And that there's a tendency to say well, I've
got all those human-factor guys just as busy as I can. I know I've got
a need here. I'm going to put it in my drawer and not tell them about
it --
MR. ARNDT: Yes.
DR. POWERS: And just because I know they can't do anything
about it anyway. You need to mine those less formal contacts.
DR. SEALE: You have to be even a little evangelical.
DR. POWERS: Yes, I think you need to preach a bit.
DR. SEALE: Because in the recent months we've run into
several cases where in the implementation of risk-informed regulatory
alternatives, if that's a good way to say it, the need for an inspection
change or supplementing of the inspection training program has been
identified, and in fact we've been told that these inspection -- I've
forgotten what the terminology is now -- anyway, the things that are
used to convey these messages have been prepared.
I realize you have a lot of other things to do, but it seems
to me that that's a place where you need to ask is there a human
performance piece of that inspection process, that instruction, that
might be worth highlighting in those kinds of instructions. So you
ought to kind of have an idea of what's going on there that you're not
necessarily in the mainstream for.
MR. ARNDT: I'll talk very briefly about where we are going
in the prioritization process scheme. As you know, Research is the
coordinator for the human performance plan. As you also probably know,
Research is in the process right now of doing a self-assessment and
developing an office-wide prioritization methodology.
We have taken the easy way out, if you will, since all the
research and what used to be AEOD activities will have to be folded in
the research prioritization process anyway, we are working along the
assumption that we will be able to use the research prioritization
method for the human performance plan action items, once identified.
That is still under development, it is based on a survey of
approaches used by other agencies. The team involved with that, led by
John Craig, has gone out and looked at various methodologies that have
been successful in prioritizing research in other areas and in other
agencies, and they are planning on briefing you on that because you have
had concerns on the office-wide prioritization.
DR. POWERS: One of the concerns, especially in this area,
is that budgetary constraints that are real, and they have to be dealt
with by the management of this program, can be used to have the effect
of making one think that less is needed in an area than may actually be
optimal. And I think that is a step you have got to guard against in
presenting it to decision-makers is, say, hither -- there is amount you
can do for the number of dollars you have got, and you are going to make
an effective prioritization on that.
I mean you may not do the most important activity you can
because it costs more money than the whole agency has got. But I think
you have got to communicate at some point that there are real needs, and
the magnitude of those needs, so that the decision-maker is in the
position he can say -- do I put my money into more inspection or do I do
research so that in the future I do more effective inspection? I mean
you have to get that -- you don't want the prioritization to hide what
the needs are just because the dollars aren't there today.
MR. ARNDT: Yes. And I think that is one of the reasons
that an active activity of identifying and quantifying the program needs
before you go to the budget process and prioritization process is
necessary.
DR. POWERS: Yes.
MR. KING: Yeah, maybe -- one of the ground rules, Dana,
that we are doing on the self-assessment is to start with a clean sheet
of paper. Don't just prioritize what we are doing today, but what
should we be doing to meet the goals of the office, which are supposedly
to be meet the goals of the agency?
DR. POWERS: Music to our ears, because that is exactly --
MR. KING: Yes. And then maybe we will find out there are
some things we ought to be doing, we are not. And maybe there are some
things we are doing we could drop off the list, but that is the ground
rule we started out with.
DR. POWERS: Yes. I think you have got to -- I mean the
problem, Tom, as you well know, is that budget constraints become such a
barrier in front of your thinking that they drive your thinking. I mean
it is just -- you just can't get around them because they are there with
you every day. I mean they are grinding on you. And at some points we
have to think about what we would really like to be, you know, now.
Then there is a separate question -- how do we afford it, how do we get
there from here? But without that goal, you will never get there, that
is the problem.
MR. ARNDT: The second bullet on this slide, basically, just
is to inform you what we are currently doing, since this is not yet
complete. What we are basically doing is we are working the activities
that were identified in the current version of the plan, budgeted, put
into our operating plan with deadlines. And we are also working both
formal and informal user needs to understand what is necessary, what is
going on, and, basically, the closure criteria -- the de facto closure
criteria we are working on now is to fulfill the needs that have been
identified.
Our budget, by the way, which is really quite small, even by
today's standards, is -- the majority of that work is based on user
needs from the protocols.
DR. POWERS: And I -- it is my impression, in reading your --
this current version, this interim version of the plan, that that has
gotten sufficient of a WASH scrutiny examination that any further WASH
scrutiny examination is going to have such diminishing returns, it is
just pointless. I think that -- that is the overwhelming impression I
got, that you bounced it off everybody that is anybody, gotten their
best shot at an opinion, and put it together and you came up with some
numbers, but things fell under the category of -- I need it today, and
so it is high priority; I don't need it till tomorrow, so it is low
priority -- it looked to me.
MR. ARNDT: There certainly was an element of that.
DR. SEALE: It bled as far as you can bleed.
MR. ARNDT: Yes. Thank you. The definition of fixed
closure criteria is a very prickly issue. One of the things that is
really necessary is to have that closure criteria linked back to the
more quantitative identification. That is to say, you identified this
for a particular reason. It was a problem or it could potentially
become a problem, or if something wasn't done, it was going to be a
problem, and the closure criteria should be linked back to why that was
identified and are you going to get there. Are we never going to get
there? If we are never going to get there, we shouldn't be doing it.
And are we already there? If we are already there, we should stop doing
it.
What we are looking at doing is, as far as it is possible in
a quantitative way, for those activities that can be quantified, linking
them either to the reg. analysis guideline or to limits established in
Reg. Guide 1.174.
DR. APOSTOLAKIS: I must say that I am not sure this is
going to work.
MR. ARNDT: Well, --
DR. APOSTOLAKIS: Not because of you. These are issues
where, you know, it seems to me at the end, if the experts agree that
this is as much as we can know, that's it. Now, to look for
quantitative measures of that, or link it to Regulatory Guides, I don't
know whether that is a useful exercise. I have never seen it done.
I mean -- and I will give you an example. When the Human
Reliability Handbook by Swain and Guttman came out, all sorts of people
attacked it and this and that, it is no good, how dare you, and all
that. Fifteen, 16 years later, that is what we are using. People are
saying, well, that is the best we can do.
Now, you know, there was no quantitative information in the
intervening years that convinced us that this is as much as we can know.
People just used it and they reviewed it, they criticized it, and they
said, well, gee, you know, he is giving me two, three orders of
magnitude uncertainty -- what am I going to do? He says the best
estimate is 10 to the minus 3. Can I make it 10 to the minus 1 or 2?
No, because then the evidence would have been there. So, in that sense,
they are using the evidence, of course.
But, so, I don't know, I mean whether we can have closure
criteria that will say, you know, some formula or something. If people
that are expert in the field, in the international community and so on,
and you present it at meetings and have peer reviewers, and they say,
well, yeah, that's as much as you can know at this point, then I think
it is fine. I think the concern right now in some quarters, in many
quarters, is that a lot of the things perhaps that are important, we are
not even looking at. You know, that kind of thing.
MR. ARNDT: Yes. Well, and there are many things that will
not be able to do this. And the obvious reason is that -- one of the
reasons we are so concerned with human performance is we don't know
enough about it to quantify it, and we have large uncertainty.
Therefore, it is very hard to know whether or not we should be doing it
because the models aren't very good.
DR. APOSTOLAKIS: True.
MR. ARNDT: But at the same time, we want to, where it is
possible, and there have been reg. analysis done on human actions. An
example is NUREG-5458, which was the value impact statement on looking
at improving the normal and abnormal procedures. There was a
discussion, should we go back and fix the normal, abnormal procedures
like we fixed the emergency procedures? And they did that study and
they came up with a number, and they said that we probably could not
justify it. So that kind of thing can be done.
And where it can be done, I think it is useful so that you
can say we shouldn't do this anymore. We are never going to be able to
implement it. It is never going to pass the backfit rule. We need to
understand it, but we are probably never going to actually do it.
DR. POWERS: And I think this is wonderful where you can do
it, you know. And I think I understand that there can be a lot of
things that you are just going to say, today, where I know zip, I can't
come up with a closure requirement because I haven't got -- all I know,
all I have is an indication that this might be important. And your
closure criteria will themselves evolve. And I think that is a point
you need to make on this slide.
MR. ARNDT: Exactly.
DR. POWERS: That this is the objective, is to get at more
quantitative linkage to what the mission needs of the agency are. And
it may not be able to do it on everything, but I will continue to look
for opportunities, as I get smarter here, for doing it. And, clearly,
you have got the commitment. You understand what you want to happen
here, and I think that is -- anybody that asks you for more is just
being unreasonable, I think. For a lot of things, it is --
MR. ARNDT: Well, I would never accuse the ACRS of being
unreasonable.
DR. POWERS: We are but studiedly.
DR. APOSTOLAKIS: You will just state it as a fact.
[Laughter.]
DR. POWERS: And probably get very few arguments.
MR. ARNDT: A little while ago, in preparation for this
meeting, you sent us some additional comments, and I think we have --
the whole purpose of this discussion is to try and ensure you that we
will be indeed doing the things that these comments imply.
Who is going to be doing the next revision? That is going
to be under the auspices of the new branch in Research, which is the
Regulatory Effectiveness and Human Factors Branch, and the new Branch
Chief will be Jack Rosenthal.
Will this revision follow some disciplined effort of the
engineering program? As we have discussed, we are going to try and put
some very specific engineering steps into it and try to tie the mission
to mission needs which are specifically identified.
Will future revisions identify mission needs? I think I
just talked to that.
Will the program be developed to meet these needs and the
quantitative requirements? I think we are going to try to do that to
the best of our ability, and try and tie some kinds of closure criteria
that is at least systematic and, hopefully, quantifiable. And we are
going to try and keep it as scrutable as possible and make the actual
judgments very definable and articulate those judgments in the plan when
we write it.
DR. POWERS: Understand that it is my view on things, and I
think many on the Committee is, that it is not that we don't trust
expert judgment, especially in a field like this where there is
expertise, it is that we are just -- you need to have that so you can
see it. A lot of things you are going to have to use expert judgment.
That's why you get the big bucks, to make judgments and whatnot, and
nobody can fault that. But the rationale then becomes very crucial.
And so don't -- don't be afraid of using expert judgment, just make it
so that it is scrutable.
NRC has developed some very nice techniques for making
expert judgments scrutable. Sometimes they are a little heavy, but --
MR. ARNDT: Yes. The process in which we are going to go
through this, we have talked through this. We are analyzing the ASP
events, trying to understand that. We are looking at lots of other
different human actions. We are reviewing the critical operator actions
from various reports, CSNI, various literature.
Those will feed into a prioritization effort that is ongoing
for Research and will be used for the rest of the activities. We owe a
status report to the Commission in April '99. That will most likely
tell them in detail what I have told you today, as well as what we have
accomplished to date and where we are on the various activities. And
then, once all that is completed, we will have a revised version of the
human performance plan.
And that is all I had.
DR. POWERS: I personally am stunned. It's great. I mean --
DR. FONTANA: When do we get to see this again?
MR. ARNDT: That is entirely up to you. We would be happy
to have your input anywhere along the process.
MR. KING: But I wouldn't -- I think it is going to be at
least a couple of months before we get through the ASP data and can
really come back with something with some substance to present to you.
DR. FONTANA: As far as the next cut on the plan.
MR. ARNDT: It really depends on what you want to see. If
you want to see the intermediate stages, some of the needs
identification processes, the numbers and things like that, as Tom said,
it will be ready in a couple of months.
MR. KING: It will probably be a couple of months till the
Research prioritization scheme is all worked out and tried out and so
forth.
DR. POWERS: It seems that, just for educational purposes, I
would like to see how you are doing on mining that ASP data and what
kind of insights you are getting out of it, more from an educational
standpoint than a review and comment standpoint, but, presumably,
eventually, the final plan. But I think it would help us in reviewing
the final plan to have ahead of time some of the insights that you are
getting out of the operational data whenever it is appropriate to do
that.
MR. ARNDT: Would you like to see it as just a note to the
Committee with the background, or would you like a Subcommittee or a --
DR. POWERS: I think you and the Subcommittee Chairman can
chat about that as it --
DR. SEALE: Work that out.
MR. ARNDT: Okay.
DR. POWERS: I mean I don't want to presume what you have
come out, it may come out that you find that, well, it was a good idea,
but it just didn't work very well. I mean that is a presumable outcome
to it.
MR. ARNDT: Yeah, that is a possible outcome.
DR. POWERS: And it is self-information.
DR. APOSTOLAKIS: I have a much more detailed comment.
MR. ARNDT: Okay.
DR. APOSTOLAKIS: On the current version of the plan,
September '98. On page 9, it lists as an activity, under Goal 3,
implementing the appropriate regulatory response to human performance
issues.
MR. ARNDT: Yes.
DR. APOSTOLAKIS: Develop risk communication guidelines for
communicating risk-informed decisions to the public?
MR. ARNDT: Yes.
DR. APOSTOLAKIS: And risk analyses results to decision-makers.
Is that part of human performance as we understand it? I mean
that is an important subject, but I am not sure it belongs here.
MR. KING: That activity is currently funded out of the
Human Factors budget in the branch that Steve is in. Is it in the right
branch? That's another question.
DR. APOSTOLAKIS: Yeah, I don't think it is.
DR. SEALE: You have bled even harder than we thought you
had been.
MR. KING: I mean there is a human aspect to it, you know,
how you communicate to people --
DR. APOSTOLAKIS: Well, a human --
MR. KING: -- so that they get the key messages. It is not
just a risk issue.
DR. APOSTOLAKIS: To the public --
MR. KING: It is a communications issue, which is a Human
Factors type issue.
DR. APOSTOLAKIS: It is to the public and to decision-makers,
and that would not be the first, second or third thing that
would come to my mind when somebody said we are working on human
performance. It is an important issue, so, as you say, the question is
whether the right branch is supporting it.
MR. KING: Well, the work that has been done so far has been
focused on the communications piece, not the risk piece of that work.
DR. APOSTOLAKIS: Among whom? Between whom and whom?
MR. KING: Well, it has been -- the work that has been done
so far has been done at the University of Wisconsin under Vicki Bier.
DR. APOSTOLAKIS: Yes.
MR. KING: And she has had some people involved, Dennis
Bley, and some others involved. And the idea was to come up with some
guidelines that people that are trying to convey a message, particularly
a message that involves risk arguments, could use to put together this
communication. So far -- I don't have those guidelines yet, it has
taken longer and the first cut at that was somewhat of a disappointment,
so we are still working on it.
DR. APOSTOLAKIS: Well, I mean there are many, many
communications, right. So that is why I was wondering, are they working
on communicating risk results to the public, or to managers of
emergencies, or what?
MR. KING: No, it is not managers of emergencies. It is
viewing people like the Commission, the public, the Congress.
DR. APOSTOLAKIS: I see, so it is --
MR. KING: That level. Yes, it is not operations center
type issues.
DR. APOSTOLAKIS: So it is not -- anyway, it just struck me
as being something that I didn't expect to see in the list of activities
under human performance.
MR. KING: Okay.
DR. APOSTOLAKIS: Without implying that it is not an
important issue.
MR. KING: Okay.
DR. POWERS: Sufficiently important that when a
non-disappointing output comes, it would be sure nice to hear about it.
DR. SEALE: Yes. Other things?
DR. APOSTOLAKIS: Not on this subject, I don't. Any member
has any comments?
DR. POWERS: I will make a comment that I think that -- I
guess I would need to ask, should we be writing a letter on this?
DR. APOSTOLAKIS: Well, that was my next question.
DR. POWERS: Okay.
DR. APOSTOLAKIS: We don't Steve up there. Is there any
questions?
DR. MILLER: Well, maybe unless there's reason that they
believe we should write a letter.
DR. APOSTOLAKIS: Oh, do you want a letter?
MR. ARNDT: We are not asking for a letter at this --
DR. APOSTOLAKIS: Judging from past experience.
MR. ARNDT: We are not asking for a letter at this point.
DR. APOSTOLAKIS: I mean do an ASP quickly.
DR. POWERS: Tom, my concern is that you have a briefing
before the Commission, they are going to be familiar with less
complimentary comments on previous versions of the plan. I am wondering
if -- I personally find some very exciting approaches here being
adopted. I am wondering if we just don't owe to them to indicate we
think that there has been significant content put into some very
otherwise nebulous ideas on how you plan a difficult area to plan.
So that they're not being tarred by previous versions of our comments.
That's my concern.
MR. KING: Well, let me amend my statement. I just had a
whisper in my ear here.
[Laughter.]
We didn't come down here today to ask for a letter, but it
might be useful to have a letter to go on the record regarding your
views on the approach we're taking and any other comments you have. I
think that certainly would help in proceeding with the plan, making sure
we pick up all the points you think are important as well as when the
Commission gets it, they'll see that it, you know, some discussion and
some hopefully consensus has been reached on the approach that's been
taken. So maybe on second thought if you were willing to write a
letter, it might be very useful.
DR. SEALE: As long as we --
MR. KING: As long as it's a good letter.
[Laughter.]
DR. APOSTOLAKIS: Thank you very much, Steven.
I would like -- we have some time left. I would like to go
around the table and get suggestions for a possible letter. So that
will save us some time this afternoon.
Who wants to start, Bob or Bill?
DR. SEALE: My main comment would be that you want to
legitimatize, if that's the appropriate word, the idea that you're going
to go out and look for data that are suggestions and so on that are
helpful wherever they may be, including the discussions with INPO and so
on that this is not the arm's-length kind of activity that you're
required to do -- I don't think we have to say that, but you understand
what I'm driving at.
I guess the other thing is when they start interacting very
intimately with people in the inspection area, we've seen in some of the
recent things we've looked at like assessments and so on, where there
are clearly individuals in the inspection area who can make very real
contributions to the effectiveness of the delivery of ideas and concepts
to the interaction between the NRC and the plant. And so at some point
down the road, it may be appropriate to try to develop a somewhat closer
interaction with the inspection people. And since they're coordinators
for a Commission-wide activity in human factors, I guess I'm optimistic
enough to say that if you do that, you're liable to get some good
things, and that's always helpful when you have multiorganizational
kinds of activities. Those are my two main thoughts.
DR. APOSTOLAKIS: Thank you.
Thomas?
Mario. Mario F.
DR. FONTANA: The elder.
DR. APOSTOLAKIS: The elder.
[Laughter.]
DR. FONTANA: Well, I am real pleased with this. I think
the approach looks real promising, and the apparent discipline of the
structure I think looks good.
The other thing that I think is promising is that Steve,
being a prior training person, would have a lot of experience in working
with real people and their warts and what kind of performance they've
done.
DR. APOSTOLAKIS: If he does it in the next month, I
understand. He's moving.
DR. MILLER: Part of the reorganization.
DR. FONTANA: Okay. Work him for a month, anyway. But the
intent -- I think the plan looks good. I don't have much more to say.
DR. APOSTOLAKIS: Don?
DR. MILLER: Well, I certainly concur with Bob and Mario
both, and I think it would be valuable to follow up and, as I say, this
plan's been in process for a couple of years almost, see if there's been
any impact on --
DR. APOSTOLAKIS: The INPO.
DR. MILLER: The INPO, I'm sorry, the excellence in human
performance which was issued in September '97, see if there's anything
INPO can say about as far as the impact of this program. But definitely
work with INPO and others.
DR. APOSTOLAKIS: We always seem to like that.
Dr. Powers.
DR. POWERS: Well, I think we should communicate to the
Commission that first our intention in examining this was to examine the
planning process and not the specifics of this year's program, which
seems to be basically some very necessary things that just need to get
done.
And then I think we need to make it clear to the Commission
that these gentlemen are trying their best to address issues that we
have raised in the research report and in previous comments by
introducing what I have called engineering discipline in this program
and comment about some of the nice features about it. But I think we
also need to control expectations.
Again, I think a lot of these nice engineering words sound
good. They probably work well if I'm inventing toasters. They may
require substantial adjustment and modification to apply in a research
area that historically has defied the development of Navier-Stokes
equations and the like. So don't try to persuade the Commission these
guys have a perfect approach that will definitively identify those two
jobs that absolutely have to be done, that instead they will get out of
an indication of areas and expert judgments will have to be drawn upon
and that they have a pretty good strategy for drawing upon those expert
-- putting together those expert judgments.
So I get very enthusiastic, but you want to control
expectations as well, because there are some of these things that just
in the end you can't put a number on it, you have to say this looks
important, I'm going to go look at it until I get the information I need
or this looks important, but I just can't move myself to work in this
area because it doesn't look like there's a payoff, and that's why these
guys get salaries as opposed to just a man on the street making those
decisions.
DR. APOSTOLAKIS: Mr. Barton.
MR. BARTON: I agree with Dana. I don't want to get too
enthused about this and say too much in fear of jinxing it, but the
point that Bob Seale made I think is important. I think from what I see
that the utilities are doing with respect to trying to improve human
performance utilizing the INPO model, that the inspection arm of the NRC
could learn a lot at what's going on during their inspection activities
to observe, you know, what's working and what's not working.
DR. APOSTOLAKIS: Is my understanding correct that most of
what the utilities are doing is organizational?
MR. BARTON: A lot of it is --
DR. APOSTOLAKIS: Everything I read in the nuclear news
about how plants got out of the watch list and so on always involves
restructuring of processes and communication --
MR. BARTON: That's only a piece of it.
DR. APOSTOLAKIS: Awarding people with pizza parties when
they do something right.
MR. BARTON: Well, you know, you could joke about parties or
whatever, but I think, you know, there are lots of different elements
that go into establishing, you know, human performance, and a lot of
stuff that's real low level with reporting, things like having people
believe that reporting a near miss that they're involved in can have an
impact on improving human performance at the station.
DR. SEALE: The stuff you read about is the high-profile
version of it.
MR. BARTON: Yes.
DR. SEALE: There are other things going on.
DR. APOSTOLAKIS: We should not urge the staff to have a
research project on the impact of pizza.
MR. BARTON: No, I wouldn't do that. No.
DR. APOSTOLAKIS: Okay.
DR. MILLER: Well, the key issue in the INPO plan is, I
think as John just alluded to, is having people feel comfortable and
also motivated to report not only near misses, things that are maybe
less than near misses that could result in improved ability to do things
or improvements. Actually it's no more than just good management.
DR. APOSTOLAKIS: Yes, but on the other hand, I mean, I read
that booklet. If I wanted to be negative, I would say this is all
motherhood and apple pie.
DR. SEALE: Well, what they're trying to say --
DR. MILLER: Yes.
DR. APOSTOLAKIS: And I don't know that this Agency can do
that. I mean, in other words, can we say as part of our research here
that you should be careful how you run your plant and that you should be
cautious and ask yourself am I going to do the right thing right now? I
don't understand that. I don't know what that means.
DR. SEALE: Well, I think --
DR. APOSTOLAKIS: In terms of research of regulatory guides
or rules. It would be very nice to have a rule that says, you know, do
the right thing.
DR. MILLER: Well, this is not meant to be a regulatory --
DR. APOSTOLAKIS: No, but, I mean, let's not get too
enthused by advice that is more or less obvious.
DR. SEALE: Well, I think the thing is that they're
demonstrating that blame and reprisal are not irrational. You're not
guilty because you were there.
DR. APOSTOLAKIS: But we have to understand that we are
regulating, so there has to be something concrete here.
DR. SEALE: I agree. I agree.
DR. APOSTOLAKIS: And I'm almost inclined to agree with the
IAP guys when they say, you know, attitudes is not our business. But,
for example, when I hear that there are utilities that don't have
formalized work processes, then I get concerned. And then the answer to
that is well, you know, Rickover didn't have them either. Well, I
guess. I mean, if all the plant personnel were Rickovers, then I
wouldn't mind it at all.
MR. BARTON: How about if they're Rickover-trained.
DR. POWERS: Unless you walked into the plant.
DR. APOSTOLAKIS: So I think we should focus on concrete
things that we can do something about, okay? Motherhood statements are
good, too, and maybe they have their place, and I think that booklet is
an appropriate place for them, because it gives some direction to the
industry.
DR. SEALE: I don't think --
DR. POWERS: I don't know that the regulators can get into
that.
DR. SEALE: Yes, but I think we also have to verify whether
or not they're just relying on motherhood statements.
MR. BARTON: I don't think they are.
DR. POWERS: I think the tie that Steve made in his
presentation where they're trying to tie back to regulatory guides and
things like that is a statement that simply sings, because it does say
to me ah, they're looking for mission needs.
DR. SEALE: Yes.
DR. POWERS: And --
DR. APOSTOLAKIS: Okay. Are you done, John?
MR. BARTON: Yes.
DR. APOSTOLAKIS: Mario the younger.
Which is news to you, right?
[Laughter.]
MR. BONACA: My kids should hear that. My kids should hear
that.
No, I think it's a good program, and I have no additional
comments to the one provided by the Members.
DR. APOSTOLAKIS: Well, you were recently with a utility.
Do you think you can address Dr. Miller's question a little bit? Have
you seen any change as a result of INPO's booklet? How much impact do
you think this will have?
MR. BONACA: I think that the INPO involvement is much
beyond what you see in the booklet.
DR. APOSTOLAKIS: And that I believe. Yes.
MR. BONACA: When you read the booklet, it looks like
motherhood. I agree with you. And I don't know how else they could
format it to make it better. But I think that there is a lot of focus
on the utilities now even by INPO on specifics that will accomplish some
of the motherhood. That's why I don't feel it's as much motherhood as
it appears on the surface. Okay? So, you know, the organizational
issues are really the center of attention right now.
DR. APOSTOLAKIS: Well, I must say I took a slightly extreme
position to make a point. Let's not make a big deal out of the
motherhood.
DR. MILLER: But sometimes, George, the obvious is not
obvious.
MR. BONACA: I agree.
DR. APOSTOLAKIS: The question is what can this Agency do,
and I don't think it's our business to tell people that they should be
careful when they do their job.
MR. BONACA: I agree.
DR. APOSTOLAKIS: Because it don't do -- they will tell you
yes, we are careful. They have met the regulations.
DR. MILLER: It's a lot better for INPO to do it than us.
MR. BONACA: One of the huge improvements I think in the
recent past has been in the industry the tracking of errors.
DR. APOSTOLAKIS: That's good.
MR. BONACA: Okay? Not only operators in the control room
but equipment operators --
DR. APOSTOLAKIS: All errors.
MR. BONACA: All errors, engineering errors and so on and so
on. Which is really something totally new.
Second, the attempt to categorize them to types of errors.
DR. APOSTOLAKIS: Yes.
MR. BONACA: Okay? And, you know, that kind of issue in
itself, just tracking some of these issues at the performance indicator
level, okay, you know, just even numbering, the sheer number of errors,
trying to categorize them in certain groups, okay? That's an attempt
that never happened before. And, you know, and again the insight you
can get, for example, from trying to separate how many misalignments you
had, okay?
DR. APOSTOLAKIS: Yes.
MR. BONACA: In a plant in a given year, that information
wasn't available. And today, as soon as you bring it out, you don't
have to do anything else, it has an effect of itself, because the
department responsible for some function will respond to it. It has to.
DR. APOSTOLAKIS: Yes. Now I fully agree with you, and
that's an excellent example of what I had in mind. This is from -- the
academics call this organizational learning, and time and time again we
see that that is a weak point in our facilities. So if they do
something like that, if they close that loop, a feedback loop, so you
are learning from your own and other people's experience, in a formal
way, then that's definitely something that we can see. It's a concrete
thing that they're doing. They have established a process for learning.
And that, it seems to me, is something that we should be investigating
to understand and so on.
In fact, I was reading a paper the other day from the
chemical industry, and they had four figures there of excellent, good,
and bad, and very bad organization. The distinguishing feature was
feedback, learning from experience. So there is an insight. There is
something we can do something about and so on. So I'm really very glad
to hear this.
MR. BONACA: Yes. The other thing I would like to point out
is I didn't make a comment regarding the feedback from the IPEs, but,
you know, one of the critical things that you have in determining which
critical steps in the control room are most likely to come to an error.
There are reasons for that to happen.
Now I think many utilities now have people going in the
simulators and looking at their crews as they go through and identify
critical procedures, steps in procedures that are critical steps, okay?
I'm not sure how candid utilities or how candid even the entire
organization is with those kind of findings. That's the only question I
have.
And one of the reasons is that there are so many
sensitivities. For example, crew levels, okay? There are issues to do
with unions behind and people in the control room, if they feel that
they are put, you know, to the test, they challenge the role of looking
at them. All I'm trying to say is that there is an opportunity there
really available to look at operators in the control room, how they go
through critical functions, and if you look at some of the critical
steps in PRAs, you can see them right there, challenges to performance.
I'm not sure how much of that is coming through the IPEs, but there is
information that is available on the utility level.
DR. MILLER: But isn't a key issue on this getting the
feedback that all levels of the organization feel they can give the
feedback without being some sort of negative --
MR. BONACA: Without being disciplined in a negative manner.
DR. MILLER: Actually the tone of that has to be set at the
top. And again, even though this book is motherhood, I agree with it.
It basically promotes that tone.
DR. APOSTOLAKIS: That's the appropriate function of INPO.
DR. MILLER: I agree. We can't regulate it. We can't say
okay, put a manager in there that's going to develop openness amongst
the entire group. That's just good management anywhere.
DR. SEALE: That's culture.
DR. MILLER: That's culture.
DR. APOSTOLAKIS: That's it?
MR. BONACA: That's it.
DR. APOSTOLAKIS: Bob?
DR. SEALE: That's old Bob, or old Bob two.
[Laughter.]
DR. MILLER: I think if we try to get the older and younger
here, we'll find out they're equal.
DR. UHRIG: Would you like to match birthdays?
[Laughter.]
DR. SEALE: I've been here longer.
DR. UHRIG: You may not be looking for additional sources of
information, but I would refer you to the LER work that's going on at
Oak Ridge. There's been a pretty thorough analysis of that. I've not kept
up with it recently, but the last time I talked to Steve May down there
about it, they were looking at some data-mining techniques. Whether
they actually got implemented or not I don't know.
But I do know that they do a lot of categorization. I think
they were responsible for identifying the fact that a large fraction of
the problem LERs were triggered by instrument errors and this type of
thing. They should be able to identify those that come from human
factors or human errors if this is what you're looking for. And I think
it's one you might look at in addition to the ASP data.
DR. SHACK: No additional comments from Dr. Bill.
DR. KRESS: Old Bill or young Bill?
DR. APOSTOLAKIS: Well, hearing none, I will turn it to you,
Mr. Chairman, and we're almost on time.
DR. POWERS: I think we can go ahead and recess for lunch.
And we're scheduled to be back here at 12:45 to move into the resolution
of the GSI B-61 issue.
[Whereupon, at 11:45 a.m., the meeting was recessed, to
reconvene at 12:45 p.m., this same day.]
A F T E R N O O N  S E S S I O N
[1:45 p.m.]
DR. POWERS: Let's come back into session. Our next topic
is the resolution of one of the generic safety issues, GSI B-61.
Professor Seale, I believe you are the cognizant member.
DR. SEALE: Okay. Thank you. Is our presenter here yet?
Very good.
GSI B-61 was originally classified as a medium priority and
deals with surveillance test intervals and allowable equipment outages
used in technical specifications for safety-related systems that are
large -- and these original outage periods were largely based on
engineering judgment, Dr. Graham's bête noire.
DR. POWERS: Well, I think that maybe some of the comments
on engineering judgment and its utility may have been ill-considered.
DR. SEALE: Okay.
DR. SHACK: Yours or his?
DR. POWERS: I only said some of the comments on engineering
judgment.
DR. SEALE: In any event, these outage periods are used in
evaluating the unavailability of the emergency core cooling system, and
that unavailability had ranged from .3 to .8 of the total
unavailability, that is, the part due to outages on the equipment.
Optimization of the allowed outage periods and surveillance
and test maintenance intervals have been shown to significantly reduce
the equipment unavailability and, in addition to that, we should note
that the possible need to limit the cumulative outage times in the tech
specs was identified -- oh, gosh, some 10 years ago.
What we want to do today is to examine the proposed
resolution of this issue and to also learn about the relative
significance of the online and offline maintenance parts of the
unavailability. The question of whether or not a limit on the
cumulative outage time is appropriate is, I think, also going to be
discussed by our speaker.
I think we will let the speaker go from there, and we will
see what we find out.
MR. BUSLIK: Actually, almost everything that I will be
discussing will be cumulative outage time.
DR. SEALE: Okay.
MR. BUSLIK: I would like to argue that the other aspects
were subsumed in other programs.
DR. SEALE: Okay. Right up on the dashboard, in front. I
think you may need to turn that switch back on that you turned off.
[Pause.]
DR. SEALE: Well, I believe you have given us handouts, so
we can get started with those.
[Pause.]
MR. BUSLIK: So now we see what the title of it is,
"Allowable ECCS Outage Periods." Now, you will notice that the title,
one, has to do with ECCS equipment, and, two, only addresses allowable
equipment outage times. But if you look at the actual statement of the
issue, you see that, one, it is supposed to include surveillance test
intervals and it is for safety-related systems, not for ECCS systems.
The TMI action item also originally was applied only to ECCS
systems. Basically, what that item did was to ask the utilities to
report the dates and lengths of their ECCS outages to see what their
cumulative outage times were, and then the staff was supposed to
determine if a need existed for a limit on cumulative outage times. The
second part of it was resolved by subsuming it under B-61.
The question is, why were ECCS systems singled out? And I
think the reason is that in WASH 1400, the HPSI and RCSI tested
maintenance unavailabilities were a large proportion of the
unavailabilities of the system and were rather large. For HPSI it was
.075 and for RCSI it was .069.
Now, the question is why do you need a -- what would be the
possible need for a control on cumulative outage times? And the reason,
basically, is that the risk depends on the cumulative outage times.
People look at it differently, it could be the expected frequency of
performing maintenance times the needed time to repair, lambda tau, or
it could -- you could think of it as the ratio of the expected
cumulative outage time to the time over which the cumulative outage time
is accumulated.
And whatever you do, even if you are trying to determine
single instance allowable outage times, or extensions, you have to in
some way account for the frequency.
DR. KRESS: Let me ask you about that. Are we talking about
instantaneous risk or risk averaged over a long time? It looks like you
are averaging over a time.
MR. BUSLIK: Yes, that's correct. Now, obviously, if you
are interested in an instantaneous risk, to me, that is not so important
-- to me, the risk that you are interested is in the integrated risk
over some period of time. I mean -- but if you are interested in the
integrated risk, then that would be -- I mean the instantaneous risk,
that would be independent of the time it is out, it is conditional.
DR. KRESS: You wouldn't have the frequency of the time at
all in there probably.
MR. BUSLIK: No, no. But --
DR. POWERS: Let me ask you about this. You are not
interested in the instantaneous risk.
MR. BUSLIK: I personally. I don't think that the agency
isn't.
DR. POWERS: If I am -- if you personally happened to be
visiting a plant that is in a configuration for a day that has an
instantaneous risk of 365 per year, maybe you would be concerned.
MR. BUSLIK: Well, instantaneous for one day, so that --
okay. So that would mean there's maybe two -- a chance of two out of
three or whatever that I would have a -- well, yes, but let's take that
a little further. If it is two out of three for that period of time,
what would it be in a whole lifetime in a plant? It would be pretty
big. So it would also affect the integrated risk.
What I am saying is, if it is 365 per year, and it is going
to be in that configuration for one second, I don't care, because --
okay.
DR. WALLIS: The assumption there is the second. I mean if
you have some trouble completing the maintenance, you are putting
yourself in a state and assuming you are going to get out of it in one
second. There is some kind of extra risk I think associated with that.
MR. BUSLIK: I exaggerated. All right.
DR. POWERS: My only point is --
MR. BUSLIK: I didn't include the uncertainties, in other
words, in the time you are going to be in that state.
DR. WALLIS: That's right. Right.
DR. POWERS: There is some level of instantaneous risk.
Well, you would be unconcerned if it is -- if you go to, say, one per
year for a day, an instantaneous risk that stands at one event per year
for a day, and you put that in the integral, probably it averages out,
it is 1/365th, maybe that will show up. But I can get numbers, you
know, I can keep bidding the number up until you say, whoa, I would be
concerned at that point.
MR. BUSLIK: Yes.
DR. KRESS: But you are saying there's two separate things
here, one of them is an instantaneous risk, one of the average, and
right now you are interested in the average.
MR. BUSLIK: And that is all I have focused on. I know that
there are concerns about that -- temporary situations and things like
that. But I have -- there are some extreme cases, but even in those
cases, I used it one second, for example, but even if I used a more
realistic amount of time and I had some uncertainty in the allowed
outage time, also, you could consider the fact that there may be -- if
it is going to be too long, then perhaps you would shut down.
DR. APOSTOLAKIS: But let's go back to --
DR. KRESS: Go ahead.
DR. APOSTOLAKIS: Let's go back to your slide 3.
MR. BUSLIK: Okay.
DR. APOSTOLAKIS: I am trying to understand there, the
previous one.
MR. BUSLIK: Yeah, right.
DR. APOSTOLAKIS: What you are saying in the first bullet.
You are saying that --
MR. BUSLIK: Okay. I have got it.
DR. APOSTOLAKIS: U equals lambda tau.
MR. BUSLIK: Yes.
DR. APOSTOLAKIS: So, -- wait, wait. Lambda is the failure
rate, or is --
MR. BUSLIK: No. No. Here -- I'm sorry. Lambda here is
the frequency of performing maintenance.
DR. APOSTOLAKIS: The surveillance tests?
MR. BUSLIK: No. This is -- we are not talking about
surveillance testing here.
DR. APOSTOLAKIS: So, but the issue, though, was
surveillance testing and allowable --
MR. BUSLIK: Outage times. And then we -- this, I am
talking here about why we need a control of cumulative outage time for
maintenance.
DR. APOSTOLAKIS: So you are not addressing the issue B-61?
MR. BUSLIK: Well, I am going to argue -- that is B-61. The
issue -- that is a part of B-61.
DR. APOSTOLAKIS: Allowable equipment outage periods, that
is what you are referring to?
MR. BUSLIK: I am referring to cumulative -- whether we
would need a limit, in a sense, an allowable cumulative outage time.
DR. APOSTOLAKIS: Okay.
MR. BUSLIK: This was a II.K.3.17 issue which was brought
into B-61.
DR. APOSTOLAKIS: Now, cumulative, you mean over a period of
a year?
MR. BUSLIK: Some -- a period of a year, or a period between
refueling, something like that.
DR. KRESS: Whatever you have got a database for.
MR. BUSLIK: That's right.
DR. APOSTOLAKIS: No, but I am trying to understand the word
"cumulative." You mean if I go to do maintenance now, --
MR. BUSLIK: Yes.
DR. APOSTOLAKIS: -- it is going to be a certain duration,
say six hours.
MR. BUSLIK: Okay.
DR. APOSTOLAKIS: Then I happen to go again next week.
MR. BUSLIK: That's right.
DR. APOSTOLAKIS: That will be five hours.
MR. BUSLIK: So you would have to accumulate this time.
DR. APOSTOLAKIS: So, 11, you are interested in 11.
DR. KRESS: And this has to be the same component?
DR. APOSTOLAKIS: Yes.
MR. BUSLIK: Yes.
DR. APOSTOLAKIS: So I would suggest that you use little "f"
instead of lambda because my mind went immediately to the failure rate.
MR. BUSLIK: All right. Okay.
DR. KRESS: That's funny, I thought immediately of frequency
when I saw it.
DR. APOSTOLAKIS: Because you hadn't read the fault tree
handbook.
So what you are saying -- I am not done yet. I am trying to
understand here.
MR. BUSLIK: Okay.
DR. APOSTOLAKIS: So the core damage frequency does not
depend only on the average time a component is out for maintenance, but
the cumulative.
MR. BUSLIK: It depends --
DR. APOSTOLAKIS: But the average could be the average
cumulative, because that is a random variable. That is not what you
mean.
DR. KRESS: Well, that is basically what --
MR. BUSLIK: That is what I said, I talked about the
expected cumulative outage time. But --
DR. APOSTOLAKIS: Oh.
DR. MILLER: That is an interval.
MR. BUSLIK: Yeah, but when I talked here about the mean
time that it is out for maintenance, the tau there, this is also,
basically, you are just adding up the values and over --
DR. APOSTOLAKIS: Okay. So your current lambda would be
used in calculating the COT?
MR. BUSLIK: Your -- yes.
DR. APOSTOLAKIS: Right? Otherwise it would not --
MR. BUSLIK: That is the conventional way of doing it.
DR. KRESS: Well, in order to get enough data, though, don't
you have to have a lot of -- wouldn't you get that expected value out of
a lot of plants for the same -- maintenance on the same type of --
MR. BUSLIK: You would really want to have a plant-specific
estimate of it.
DR. KRESS: So you would have to do it for several years to
get enough data to get an expected value --
MR. BUSLIK: If you actually do it correctly, yes.
DR. APOSTOLAKIS: If you had a Bayesian.
MR. BUSLIK: Well, that's right. That's the other aspect.
DR. MILLER: Let's say, what would E of X -- E of X for one
-- for one activity -- the way you are doing it, right?
MR. BUSLIK: Say again?
DR. MILLER: If you only had one maintenance activity of,
say, one hour --
MR. BUSLIK: In a year?
DR. MILLER: E of X over a year, you could still do it,
right?
MR. BUSLIK: Oh, sure. Sure, you could do it. Now, what
was the approach I used to the issue resolution?
By the way, the prioritization of the issue which came up
with the 30 to 80 percent, the implication there was that if you
decreased the amount of maintenance you did that you wouldn't
necessarily have to move that to another period of time and as a result
there was no cost associated with decreasing it. In fact, there was a
benefit. It neglected the benefit.
Now in actuality what I assumed was entirely different. I
assumed that the amount of preventive maintenance that has to be done is
known, perhaps from a combination of vendor information and industry and
I guess plant-specific operational feedback.
Okay. The thing that really has to be done is to apportion
this preventive maintenance between power operation and the various
shutdown plant operational states, so in this sense it's different than
the prioritization.
Now as far as surveillance test intervals, these have been
addressed as far as the standard tech specs are concerned and in the
Technical Specifications Improvement Program. Now these of course are
essentially voluntary actions on the part of the utilities, but I felt
that certainly as far as surveillance test intervals that basically what
would be done by a risk-informed approach would be relaxation.
I didn't think I could find any case where there was not --
that it wasn't done often enough.
As far as allowed outage times, they are addressed in the
standard tech specs too, on an individual basis, but to really get a
good handle on allowed outage time, you have to address it on a
cumulative outage time basis, it seems to me.
Of course, even for an instantaneous risk, the single outage
time --
DR. APOSTOLAKIS: Let's call it conditional outage, not
instantaneous -- conditional.
MR. BUSLIK: I'm sorry. I remember.
DR. APOSTOLAKIS: Conditional.
MR. BUSLIK: Okay.
DR. APOSTOLAKIS: Which bullet are you at now?
MR. BUSLIK: I skipped around between the third and the
first.
DR. APOSTOLAKIS: I am trying to understand the second. You
will address that?
MR. BUSLIK: Okay. That will come next. Okay. Basically I
assumed -- I separated maintenance into two types, corrective and
scheduled.
Scheduled I called also preventive. This is maintenance
which -- where you know how much you are going to do in a year.
Unscheduled maintenance depends on what happened to the component -- if
there is a leak in the valve or what have you, and of course it could be
different than the catastrophic failure frequency.
Also I guess presumably predictive maintenance depends on
the state of the components, so that would also be included there.
Now you can't really -- I did at one time consider the
possibility, and I remember I think Montomo from Finland was considering
the possibility of a cumulative outage time which included corrective
maintenance but it is basically unworkable. What do you do if by some
random fluctuation it goes above the limit in a particular time between
refueling? Do you borrow from the next year? What do you do?
So -- and the French, by the way, do have or at least at one
time were considering a limit on cumulative outage time for scheduled
maintenance, but didn't consider that you could do it for unscheduled.
DR. APOSTOLAKIS: When you say cumulative outage time, you
really mean allowed --
MR. BUSLIK: Well, I talk here about a limit on cumulative
outage time.
DR. APOSTOLAKIS: Right -- so why is it unworkable? Why
can't you tell them if you exceed 72 hours, shut down?
MR. BUSLIK: Well, let's say in a year you exceed 14 days.
Shutdown -- until you fix it --
DR. APOSTOLAKIS: Oh, cumulative --
MR. BUSLIK: -- and then the next time it fails within that
period, a shutdown until you fix it again within six hours or whatever,
get to hot shutdown within six hours, the problem with it is you are
really interested in the expected value of this quantity and there are
going to be random fluctuations and it is overly punitive.
Assuming that you don't have a problem with transition risk,
it may improve the safety somewhat, but it is just not worth it from a
cost point of view.
DR. APOSTOLAKIS: I'll have to understand that a bit better.
MR. BONACA: At times, however, that is indicative of poor
equipment.
MR. BUSLIK: Yes. What I want to say is you can't have a
hard limit, but that kind of thing would be included in the maintenance
rule. The maintenance rule would look this over. It could be poor
equipment. It could be a poor maintenance man -- a variety of
different reasons, but this should be picked up by the maintenance rule.
I am going to get to that.
DR. APOSTOLAKIS: So you are going to put a limit on the
expected cumulative outage time for scheduled maintenance?
MR. BUSLIK: I've got to consider it -- that is what I was
going to consider, that's right, and I'll have to decide whether that
is -- there is significant safety benefit given the current space and
whether it is cost-effective.
DR. APOSTOLAKIS: And that will be in some Regulatory Guide?
The limit?
DR. KRESS: He has to give the regulatory analysis first.
MR. BUSLIK: I would have to go through the regulatory
analysis and then it would have to be applied to the various plants in
some way. There would have to be, let's say, a risk-informed criteria
for determining what this would be and it would have to be applied,
perhaps on a plant-specific basis.
DR. APOSTOLAKIS: Now from the practical point of view
though, how do you enforce something like that?
MR. BUSLIK: If it is for scheduled maintenance, conceivably
you could do it as part of the maintenance rule. The diesel generator
we decided should have less than an unavailability from scheduled
maintenance of .025 and here you have planned, this is planned
maintenance, and here you have planned 5 percent of the time for it to
be at power. You wouldn't do it that way though. You wouldn't have a
hard limit for each plant because there are different plant designs.
South Texas for example has a three train electrical system
and fluid system.
DR. APOSTOLAKIS: Yes. I would suggest that you talk to the
people who developed IAP to explain to them that you shouldn't have a
number for all the plants. We had a long discussion yesterday about
that. I think it would help them by giving them that thought.
DR. KRESS: You might say on the other hand it might be a
good idea now that --
DR. APOSTOLAKIS: There is only one hand.
[Laughter.]
DR. APOSTOLAKIS: This afternoon we all had one hand, but
again maybe I am a little slow --
DR. POWERS: I think he can understand that one a little
better.
DR. APOSTOLAKIS: On the other hand I need to understand
it -- so because it is scheduled, the utility will plan this is how much
time we are going to do this and this and that, so that the sum then of
the planned time will be less than your expected value, which means
then that there is no need to call expected.
MR. BUSLIK: But I talked about expected values --
DR. APOSTOLAKIS: Because if it is not to exceed it, then I
come back to my question.
MR. BUSLIK: Listen -- I talked about expected value before
because I was talking about something that had fluctuations in it. It
was corrective. I could argue that the expected value was identical to
the planned outage because there is very little uncertainty -- there is
some uncertainty --
DR. APOSTOLAKIS: Yes, I understand. But -- but wait.
Let's say now that I have planned to do maintenance on a piece of
equipment every three months and that will take me to 10 hours a shot.
The total is 40 hours and you have told me that your limit is 40 hours.
I am okay.
MR. BUSLIK: Okay.
DR. APOSTOLAKIS: Then when I go to do it in January I
finish it in four hours. Can I take 16 hours next time?
MR. BUSLIK: Well, the implication is that there is not
going to be a large -- if it is planned maintenance you know what you
are going to do. If you have to drain the oil out of the diesel
generator or something, you pretty much know.
DR. APOSTOLAKIS: So the 10 hours is a pretty good number?
That's a good point.
MR. BUSLIK: Pretty much, but the limit would technically be
of that nature, that's right -- it would be helpful to do it later if you
would be able to -- I don't know how you would do it but that is
basically what it would be.
DR. SEALE: But for the moment you are saying the hours for
a year?
MR. BUSLIK: A year or between two refueling outages -- it
more sensibly would be between two refueling outages.
We have a procedure, Regulatory Analysis Guidelines, which I
think we are supposed to follow when we decide, when we try to resolve a
generic issue and to see if it is consistent with the backfit rule. Of
course, if it is a compliance backfit, you bypass the regulatory
analysis. Otherwise, you have to know if there is a significant safety
benefit.
If the safety benefit is sufficiently large that you say
there is an undue risk to the health and safety of the public, then
perhaps you don't have to consider cost, but given it is not a
compliance backfit, and it would be hard to argue that this is a
compliance backfit, in order to do it you would have to argue that the
intent of the rules for allowable outage times were for corrective
maintenance and not preventive maintenance or something like that but
you wouldn't be able to do it, I don't think and now so we have to use
the regulatory analysis guidelines.
You have to know what the core damage frequency is and
according to the guidelines also what the conditional probability of
early containment failure or bypass is.
DR. KRESS: That is the delta CDF you would get by changing
the allowable outage time, one value to another.
MR. BUSLIK: This delta CDF would be making -- would be ways
to find that which is associated with the issue, and basically if you
had an ideal maintenance unavailability in subsets, perhaps only did
corrective maintenance during power operation, how much would this be.
DR. KRESS: Now I envision when you set out to do
maintenance that you are not only going to do maintenance on that one
item but you are also going to fix these other items and maybe in
shutdown condition while you are doing it and the plant configuration is
a variable from shutdown to shutdown or from maintenance to
maintenance.
My question is how can you determine CDF for a conditional
containment failure probability when you don't know what the
configuration of the plant is, or do you?
MR. BUSLIK: What I assumed was that, basically what I
assumed -- I did calculations. I used a code and basically what was
done in the calculations was to assume that the maintenance
unavailabilities for different systems occurred just as random overlap.
In other words, I didn't take into account the possibility that a
utility because it was more convenient for it might work on one train at
a time and by so doing might increase the risk.
DR. KRESS: Do you use the Monte Carlo selection then of
some sort of outage times?
MR. BUSLIK: Just if you just do use a normal fault tree,
event tree code. I used part of the SAPPHIRE -- it wasn't even called
SAPPHIRE when I did these calculations -- SAPPHIRE suite.
The way the fault tree works, you just multiply these values
together and treat them as independent, but since you are treating them
as independent variables in the quantification, it is as if they
occurred randomly.
In other words if I have P of (a) times (b) and I write it
as P of (a) times P of (b) or calculate it that way, it is as if the (a)
and (b) occurred randomly.
DR. POWERS: You used a particular computer code for these
analyses?
MR. BUSLIK: Yes, it is called SARA, which is a part of the
SARA/IRRAS suite of codes and SARA -- there are -- well, I guess there
is no longer a distinction in the Windows version, but this was long
before Windows version and SARA was very convenient for sensitivity
calculations, and it was actually equivalent to Version 4 of the
SARA/IRRAS suite.
DR. APOSTOLAKIS: It's SAPPHIRE, right?
MR. BUSLIK: It's SAPPHIRE, that's right.
DR. POWERS: And this is one of those codes that has no
known, no technical errors, no coding errors in it, that it is
perfectly -- perfect in all respects?
[Laughter.]
MR. BUSLIK: Of course.
DR. POWERS: And there is a massive set of peer review
documentation that I can go to to understand how good this code is?
MR. BUSLIK: All I can say is that I used the NUREG-1150
database and that the results for the base case compared with those in
NUREG-1150. NUREG-1150, I believe, used a different code, the SETS
code, so insofar as the base cases are concerned, they're great.
One approximation that's made in the codification of the cut
sets is called the min-cut set upper bound approximation, and you do
have to be careful that that approximation isn't going to affect your
results.
DR. KRESS: The code goes to containment failure?
MR. BUSLIK: No.
DR. KRESS: You have to do something else?
MR. BUSLIK: I was using NUREG-1150 database and there was a
letter from Tom Brown to Jim Johnson which was referenced in the writeup
and that letter gave basically for the different plant damage states
what the conditional --
DR. KRESS: Okay, you had a correlation.
MR. BUSLIK: I had -- and also it even gave the fatalities,
for example --
DR. POWERS: You didn't need to pull that out of a letter.
That's actually in the NUREG-1150 documentation.
MR. BUSLIK: I didn't try to get it out of there, if that's
what your point was.
DR. POWERS: It's in there.
MR. BUSLIK: I pulled it out every once in awhile. It may
be in there but for me it was a little difficult.
DR. POWERS: It's easier to ask Tom, yes.
MR. BARTON: Safety benefit -- where do we go from here?
MR. BUSLIK: Okay.
DR. POWERS: My point is that I think, I wonder, I continue
to wonder why we use these computer codes that don't have a pedigree
that we would expect routinely from licensees to have and especially
when I see that the Office of Research has established such a wonderful
peer review process for its codes that really is nice, and why don't
they use it on the codes they are using in-house?
MR. BUSLIK: Well, there is something you can say.
For something like this you examine the cut sets when you
are finished and you see how reasonable they are. If something weird
occurs, and something weird could have occurred with the code I was
using, for example --
DR. POWERS: It happens with sets all the time.
MR. BUSLIK: But you look at the results, at the cut set
level, and you can tell usually, if you are motivated --
DR. POWERS: Well, that's right. I mean it depends -- if
you're a very capable analyst who actually is suspicious of your
results. I can find other people who are -- have more faith, and if the
number is printed out to three or four significant digits, I will see it
on the viewgraph up here.
MR. BUSLIK: I hope I don't have anything like that.
Now, okay, this is the full matrix in the Regulatory
Analysis Guideline and you will notice -- I believe that this is to
be appropriated in that. If core damage frequency is less than 10 to
the minus 6 then it doesn't matter what happens to the containment.
You're okay.
However, if it is between 10 to the minus 6 and 10 to the
minus 5, the change in core damage frequency, then if the early
containment -- or containment failure probability, or the probability of
bypass, some of those, is greater than .1, then you have to go to a
management decision. If you are above 10 to the minus 5 and the
containment failure probability is less than .1, between 10 to the minus
5 and 10 to the minus 4, then it is supposed to be a management
decision, and so on.
DR. KRESS: Since when did they make that definition of
conditional containment failure probability an early failure? I thought
it was just the failure itself.
MR. BUSLIK: Well, this is in the regulatory analysis
guidelines. Now, the question is what do you mean by early?
DR. KRESS: It actually specifies early, though, in the
guideline?
MR. BUSLIK: Yes. But it is a question of what do you mean
by early. In the case of BWRs, it is clear, it is before or within two
hours of vessel breach. In the case of PWRs, there were two definitions
used. One was within a few minutes of vessel breach, which corresponded
to the NUREG-1150 definition of early containment failure. And the
other was within a few hours, I have forgotten the exact number.
DR. APOSTOLAKIS: Three, I think it was.
MR. BUSLIK: Perhaps. And that corresponded almost to the
late containment failure probability.
DR. APOSTOLAKIS: So if it is early, then it is completely
analogous to LERF.
MR. BUSLIK: Yes, the idea was to make it that way.
DR. KRESS: And I think the numbers are compatible, too.
MR. BUSLIK: But you will find that, for example, there was
one plant, Susquehanna, where, if you talk about mean values, these
containment failure probabilities are highly uncertain, where it was
greater than .1. But if you look at what the early fatality is in
comparison to the quantitative health objective of the safety goals, it
is less than 1/100th of that amount, it is probably 1/500th.
I don't know, if there were fewer automobile accidents, does
that change the quantitative health objective? I don't really know.
DR. KRESS: Yes, it does.
MR. BUSLIK: Okay.
DR. KRESS: And, in fact, it has changed in the last few
years from five down to three, it was 10 to the minus 7.
MR. BUSLIK: Okay.
DR. POWERS: And that, I think that is a socio-phenomena
that the Commission was aware would occur when they passed that policy
statement.
MR. BUSLIK: That's interesting, 1/300th then. Okay.
DR. POWERS: The comparison will get worse and worse the
longer you give the presentation.
DR. SEALE: You had better hurry up.
[Laughter.]
MR. BUSLIK: Okay. Now, the maintenance rule it seems is
clearly pertinent. And because it requires the monitoring of the
performance or condition of structures, systems or components against
licensee established goals commensurate with safety, and the performance
includes all aspects of unreliability, including maintenance
unavailability. So that controls both preventive and corrective
maintenance, and they do have to track their maintenance, presumably.
Moreover, the objective of preventing failure shall be
appropriately balanced against the objective of minimizing maintenance
unavailability. This helps control the unavailability from preventive
maintenance. Now, the problem of temporary states, where several
components are out and you have a blip in the -- I am not supposed to
use instantaneous risk, I am supposed to use conditional risk, okay.
DR. APOSTOLAKIS: It is not because you are supposed to,
because you think it is the rational thing to do.
MR. BUSLIK: Of course.
DR. SEALE: That was an awful quick scrub.
DR. POWERS: George will find substantial resistance to his
immediate right.
DR. APOSTOLAKIS: It is not instantaneous.
MR. BUSLIK: Okay. Now, -- okay. That, presumably, will be
taken into account. Now I think it is sort of loose because it talks
about should be instead of shall be or something like that. But,
presumably, corrections to the maintenance will take that into account.
DR. SEALE: We heard about that this morning.
MR. BUSLIK: Okay. Will they?
[Laughter.]
MR. BUSLIK: Okay.
DR. APOSTOLAKIS: This is one of the better presentations we
have had in a long time.
DR. SEALE: Timely.
DR. APOSTOLAKIS: I mean the guy goes into the mathematical
details of codes, I like that. This is wonderful.
DR. SEALE: We will have to tell Graham he is missing out.
DR. APOSTOLAKIS: He is missing, yes.
MR. BUSLIK: All right. Now, the rule doesn't say whether
you should move preventive maintenance from power operation to safe
periods and shutdown if it results in risk reduction, so I don't
think you could just say, okay, it is covered by the maintenance rule,
we are done. And you have to ask yourself, when is it safer to do
maintenance, say, on a diesel generator out of power operation? Well,
it turns out that at least for Surry and Grand Gulf, there is not much
difference in the risk, or it could even be riskier in certain periods
of cold shutdown. The only time you --
DR. POWERS: How did you decide that?
MR. BUSLIK: What?
DR. POWERS: How did you discover that?
MR. BUSLIK: I discovered that because of some work done by
BNL and Sandia on a comparison of risk between power --
DR. SEALE: I should point out to you that one of the other
changes that was mentioned this morning was to formalize the
Commission's statement that the maintenance rule applies both to
operation and shutdown. So that statement has already --
MR. BUSLIK: That's true.
DR. POWERS: Well, I will hasten to --
MR. BUSLIK: Say again?
DR. POWERS: I will hasten to point out that the work by
Brookhaven for Surry on shutdown only dealt with one phase of shutdown
operation.
MR. BUSLIK: Okay. But when we did some work for actually
doing -- for scheduled maintenance, this is work which -- well, actually
the Brookhaven NUREG CR is out already and shortly the Sandia one will
be out on Grand Gulf. It was found that -- and this sort of is very
reasonable, that if you are in the refueling plant operational state,
where the water is very high over the reactor fuel and you have a lot of
time, under those circumstances the risk is very low from, say, taking a
diesel generator out for maintenance. And, in fact, I think the Grand
Gulf one came up with zero, essentially. The reason is that the mission
time is 24 hours, and in 24 --
DR. POWERS: It takes that long to boil the water.
MR. BUSLIK: That's right. That's right. But, you know, I
think they changed the words to negligible, but -- okay.
DR. APOSTOLAKIS: Is the second bullet really part -- should
it be part of the maintenance rule? I thought the maintenance rule
dealt only with monitoring.
MR. BUSLIK: I don't think it --
DR. APOSTOLAKIS: I am having the same problem I had
yesterday with the IRAP. We have an inspection program, a monitoring
program which is not a monitoring program. I thought, again, perhaps
wrongly, that the maintenance rule did the first bullet.
MR. BUSLIK: All right. Now, suppose --
DR. APOSTOLAKIS: The second one is monitoring.
MR. BUSLIK: Oh.
DR. APOSTOLAKIS: It does not explicitly address whether
maintenance should be moved from power to safer periods because that is
not the intent of the rule.
MR. BARTON: And it shouldn't force all preventive
maintenance into a shutdown period because it may not be comparable to
what the requirements are to do preventive maintenance on components
within a train.
DR. SHACK: No, but it comes down to that point we discussed
this morning. You are supposed, under the maintenance rule, to analyze
the effect of taking equipment out of service and analyze its impact on
safety.
MR. BUSLIK: Right.
DR. SHACK: The second bullet says, okay, it increases risk.
What do you do now?
MR. BUSLIK: But it is supposed -- yeah, that's basically
it.
DR. APOSTOLAKIS: Well, the second bullet does not say that,
Bill. The way I read it is that if it is better to do it during
shutdown, the rule doesn't say that we should do that. It doesn't say
that you are already above some sort of a threshold.
MR. BUSLIK: No, no, it doesn't. But what I am saying is a
utility may, because -- let's say because it is less expensive, do
maintenance during power operation.
DR. APOSTOLAKIS: Right.
MR. BUSLIK: During -- than during shutdown time.
MR. BARTON: And also do it because it is safer.
MR. BUSLIK: They could do it because it is safer. But, for
example, if you are dealing with a diesel generator, I think you can
argue that it is going to be safer if you do it during the refueling
plant operational state where the water is high over the reactor.
MR. BARTON: I don't think that that is always true.
MR. BUSLIK: Well, at that particular state, because you
have so much time to recover from station blackout. And even in -- but
--
DR. POWERS: Just go ahead.
MR. BUSLIK: Yeah, okay. Fine. Okay. But on the other
hand, if we -- and so, in principle, you have to consider whether we can
impose an additional requirement on the utility and that it would be
cost effective to do so. The problem with doing it during that
particular period in shutdown, the refueling plant operational state is
that this time is getting shorter and shorter. Refueling plant
operational states are getting shorter and shorter. South Texas I think
had one 18 days or perhaps a little less. You don't have that much
time.
In principle, when I am doing a regulatory analysis, I
should take a base case which consists of the current state, which would
be including the maintenance rule, but I did most of this analysis, I
did all of the computer runs before 1993. Most, I guess -- actually,
most, I guess, were done in 1992 or all in 1992. And I mean I could
conceivably have collected maintenance unavailability after the rule
came into effect, but I didn't think it was worthwhile. Also, the
initial resolution of this was formulated and went up to management just
about the time the maintenance rule came into effect, so it wouldn't
have been possible.
So what did I use for base case maintenance
unavailabilities, keeping in mind that I did it in 1992? Well, I looked
at NUREG-1150 and it had, for a diesel generator, .006. Now, Steven
Eide, in the PSA 1989, I would come up with a value of .022 or
thereabouts, just looking at plant-specific -- PRAs which use
plant-specific data.
DR. POWERS: Can you give me a feeling on these numbers for
what I am looking at? Am I looking at a mean or a median? And the
magnitude of the distribution, say, for convenient points, 95-5 or
something like that?
MR. BUSLIK: I don't remember what the .006 was, or even
what Eide is. These are industry averages, or actually averages over a
particular set of plant-specific PRAs. The AEOD one here came from, oh,
I don't know, a certain number of failures. What happened is they
looked at true demands on the diesel generators and then a certain
fraction of those demands were -- had the diesel generator out for
maintenance and they took that ratio and then came up with the .03. So
that is going to be weighted with -- or I could give you some other
numbers, though. That is going to be weighted with the frequency of
demands for the diesel generators at the different plants. The ones
that have more demands will be weighted more.
DR. POWERS: But I am not far wrong if I assume these are
mean values per demand?
MR. BUSLIK: These are mean values. I am not sure, I think
the AEOD one started with Bayesian prior and updated it with the
plant-specific data.
DR. POWERS: Well, we won't hold that against them.
DR. APOSTOLAKIS: As I should.
MR. BUSLIK: What? Say again?
DR. APOSTOLAKIS: As I should.
DR. POWERS: Could you give me a feeling for what the 95
percentile and the 90 percentile would be?
MR. BUSLIK: Okay. The only thing I remember now is that
there was other data, which gives you the idea of how it varies from
plant to plant, and that was Brookhaven collected some data. And the
only numbers I remember from that are that, from their data, only about
19 percent were greater than .03 and around 10 percent, I believe, were
less than .006. So there's discretion.
Well, let me look further at this. Now, you look at the values
I used. Now, I came up with .02 for a turbine-driven aux feedwater pump
maintenance unavailability, but he recommended that you use generic
turbine-driven values of .05, and that is, I think, why I originally
used that. You will see that for the turbine-driven pumps -- actually,
if you look at the IPEs, you may get more than .01 for the RCIC, but you
are actually -- there was actually a fair amount of conservatism for the
turbine-driven pumps if you use nearly current data. It is a far cry from
what it was in WASH-1400 days. Of course, the RCIC pump itself isn't
that reliable, but that is another story, according to the AEOD data.
There was also an A&O IRAP study which came up years ago,
with very low values for maintenance unavailabilities, and they said
that they never did scheduled maintenance during power operation in
those days. So, what I did is I said that the NUREG-1150 values would
be attainable and I took the no cumulative outage time control column
was the maintenance unavailabilities before the maintenance rule. And
then, basically, I cut the benefit in half, and I can't really justify
that very well, but it was just my own judgment. And I think maybe it
is conservative, but if it is conservative, I am still able to say that
no action is required, so I figured I was finished.
And just to get a feel for what .006 is, that is 1.8 days of
corrective maintenance for 300 days of power operation and no preventive
maintenance.
So, as I said earlier, I used the SARA code, part of the
SARA/IRRAS suite of codes, and I did two calculations and I used, by the
way, essentially point estimates with mean values. I didn't do
uncertainty calculations and then take the difference.
DR. POWERS: What was the reason for not doing some
uncertainty calculations?
MR. BUSLIK: Well, at the time I was using a 386 20
megahertz machine.
DR. POWERS: And it died before the results were done.
MR. BUSLIK: And the other thing is what -- you have -- you
are taking differences between two calculations, and you have to
correlate the uncertainties. And if you don't do that carefully --
well, actually -- well, if you run a sufficiently large number of
histories, so that your mean doesn't have any uncertainty from not
running enough histories, or not doing enough Monte Carlo, then as far
as the mean is concerned, that is okay. It does have to be a
sufficiently large number.
So, it was just -- I mean those are the reasons, basically.
If I had to do it over today, I probably would use a more
sophisticated method.
DR. APOSTOLAKIS: So when did you do all this?
MR. BUSLIK: 1992.
DR. APOSTOLAKIS: So why are we hearing this today?
DR. SEALE: I had a question. I said what happened between
1992 and now? And then I had another question, what didn't happen --
[Laughter.]
And I guess the answer is you replaced your computer with a
Pentium -- 286 with a Pentium II.
MR. BUSLIK: These were the original calculations, but after
that, for example, I had to rework and argue away external events. I
had to do some other things after that. And the decision analysis
rationale changed somewhat. That was part of it. And the other was the
fact that it wasn't given very high priority, I think.
MR. KING: Yes. Generic issues for quite a while didn't get
that high a priority. The ones that were labeled USIs did, but
everything else didn't.
MR. BUSLIK: B issues were just put on the back burner for a
long time.
MR. KING: Yes. What you're seeing now is a cleanup of some
old things.
DR. APOSTOLAKIS: So Al did something more recently.
MR. BUSLIK: Actually --
DR. APOSTOLAKIS: Just, you know --
MR. BUSLIK: I did a little bit of editorial changes
recently.
MR. KING: No calculations.
MR. BUSLIK: No calculations.
DR. SEALE: It was there except for the punch line.
DR. APOSTOLAKIS: At least you didn't do it with
programmable hand calculators.
MR. BUSLIK: Say again?
DR. APOSTOLAKIS: Nothing.
MR. BUSLIK: Okay. So if I don't take credit for the
maintenance rule, I get changes in core damage frequency of 2E minus 5
for Surry, and the containment failure probabilities are okay. They're
less than .1 even if I take the very conservative --
DR. APOSTOLAKIS: What is it that you changed? The delta
CDF comes from what delta?
MR. BUSLIK: Changing the maintenance unavailabilities. I
assumed that -- I changed them from essentially the EIDE estimates, what
I called the no-control estimates, to -- and I said the NUREG-1150
estimates would be reasonable estimates that you could get if you
controlled the scheduled maintenance and had something like -- and
controlled appropriately the corrective maintenance by making sure that
it was done properly the first time and things like that.
DR. APOSTOLAKIS: And you assumed that all the changes were
effective.
MR. BUSLIK: Yes, I --
DR. APOSTOLAKIS: Not just component --
MR. BUSLIK: No, I did it all at once.
DR. APOSTOLAKIS: All of it.
MR. BUSLIK: And you come up with these values, and then I'm
going to cut them in half, and when I do that, everything's okay except
for Sequoyah, but Sequoyah, I mean, the core damage frequencies when you
cut them in half are like this. And even if I gave more credit for the
maintenance rule, there was no way I could get Sequoyah down below 1E
minus 6.
But that's an ice-condenser plant, and station blackout is
important, and the hydrogen igniters don't work at station blackout.
Now those results were for internal events only, and I have
only qualitative arguments for external events, plus the fact that I
looked at it for Surry, and the maintenance unavailabilities were not
important at Surry. You could argue for seismic that what really
controls the seismic risk has to do with if one component fails, then
the other component fails from the earthquake. In other words, the
conditional probability the second component will fail given the first
is very close to unity. The reason is they're mounted in the same way
on the same floor, they see the same floor response, they are similar
components, their fragilities are similar relative to the floor response
factor.
There are times when you might find that this isn't the
case, but, for example, I'm not sure it was in this country, but there
was a plant where loss of offsite power from a seismic event and random
failure of diesel generators was important. But for that to be the
case, for this to be important compared to internal events, it would
mean that long losses of offsite power are dominated by seismic events.
That's not going to be -- that's not very likely.
For fire usually the fires of importance are those that
affect both trains and again I looked at the dominant fire sequences
from NUREG-1150, and I didn't find matrix unavailability important at
all.
DR. POWERS: Surry is not one of those units that has been
reporting extraordinarily high CDF from fire?
MR. BUSLIK: No.
DR. POWERS: There are units --
MR. BUSLIK: I went to Quad Cities. I doubt if matrix
unavailability would be important compared to their original estimate
either, because there the probability is you affected both trains. That
is why you have such a high frequency.
So what do you do with Sequoyah? Well, first of all, if you
read the guidelines you have to -- it's the burden of the Staff to say
that the imposing of the regulations imposes a significant safety
benefit. Because there are such large uncertainties, for that reason
alone you couldn't make a finding of significant safety benefit, but
also perhaps more cogently the whole reason it seems to me for
considering early containment failure or bypass is because you get early
fatalities, and the early fatalities that occur here are very small
compared to the safety goal value so on that basis I assumed that no
action was justified.
DR. POWERS: So you are going to conclude for ice condensers
generically that nothing is necessary based on looking at one specific
ice condenser?
MR. BUSLIK: I could certainly argue I think that the
uncertainties in the containment failure probability are large
generically for ice condensers, can't I?
DR. SEALE: And I could argue that that hacks both ways.
MR. BUSLIK: I know, but if you -- from the legalistic point
of view, it hacks only one way. You can't impose it.
I don't even know how many ice condenser plants there are
and where they are located as far as -- now actually individual early
fatality risk doesn't depend very much on the population density, for
example. They depend on the distance to the site boundary.
DR. POWERS: It depends on the consequence analysis model
that you use.
MR. BUSLIK: Oh, of course, of course.
DR. POWERS: The dispersal number that you use.
MR. BUSLIK: Yes, but -- there are all sorts of things that
it could depend on -- the aerosol deposition rate, all sorts of things,
but so what?
DR. APOSTOLAKIS: Is there any significance to the fact that
the mean value for the conditional containment failure is close to the
limit of .1 -- .13? If it were .6 what would you do? It's low.
MR. BUSLIK: It's low. I would have to see what the
uncertainty is and all sorts of things -- what?
DR. POWERS: You certainly have some indication of the
uncertainty just by looking at the IPE insights document.
MR. BUSLIK: Okay. I didn't look at that. You could just
look at the outstanding distribution in NUREG-1150 and see how much of
it would --
DR. APOSTOLAKIS: Now remember, IPEs did not exist in '92
but now they do.
MR. BUSLIK: It exists today and that is --
DR. APOSTOLAKIS: That's Art's problem.
MR. BUSLIK: But I don't think -- yes, I doubt very much if
the uncertainty would be decreased.
[Laughter.]
DR. APOSTOLAKIS: You put it however there. You mean that
even before management takes a decision you are recommending no action?
MR. BUSLIK: That's right. But really --
DR. APOSTOLAKIS: But there will still be a management
decision.
MR. BUSLIK: I think that is what is required.
MR. KING: And management's decision was to recommend --
agree with Art's recommendation -- no further action on --
DR. APOSTOLAKIS: Who is the management in this case?
MR. KING: The management was the Office of Research.
DR. APOSTOLAKIS: You?
MR. KING: Yes. I sent you the letter that ultimately what
is going to happen is after we get your letter on this, assuming you
agree with this recommendation, Mr. Thadani will have to send a letter
to the EDO saying -- and he will either have to say I agree or disagree.
DR. APOSTOLAKIS: The EDO?
MR. KING: EDO.
DR. APOSTOLAKIS: Okay.
DR. SEALE: So what do you want from us? A letter?
MR. BUSLIK: A letter agreeing with the resolution.
[Laughter.]
DR. APOSTOLAKIS: I don't know, Mark. Do you think SAPPHIRE
should be peer reviewed?
MR. CUNNINGHAM: Again, in the context of what Art was
talking about -- in my mind codes like SAPPHIRE are somewhat different
than, say, RELAP or something like that in the sense that the SAPPHIRE
models you might be able to show more analytical, provide an analytical
solution that says it is doing the right thing since it is primarily
numerical calculations built into it.
As Art says, there's a few assumptions built into it but by
and large it's a numerical. You could numerically reproduce the results
of something like SAPPHIRE.
DR. APOSTOLAKIS: Something we can do analytically?
MR. CUNNINGHAM: I'm sorry?
DR. APOSTOLAKIS: It does it very quickly --
MR. CUNNINGHAM: Something we could do analytically -- so
the nature of it is somewhat different and we have been going through
though, trying to -- you know, every time we put a PRA into it or we do
other V&V of the code, but again it's a somewhat different nature than
our RELAP or something like that.
MR. BUSLIK: It is true though when you get -- yes, you have
to know the limitations and you have to look at the results closely.
DR. SEALE: Is there anything else that the Staff would like
to fill us in on at this time?
DR. POWERS: I guess I would really like to understand why
we don't have an uncertainty analysis here. I mean I understand the 386
argument and the Monte Carlo barrier that existed in '92. I don't
understand the Pentium II arguments now.
MR. BUSLIK: Okay.
DR. POWERS: It is not -- had it come out that everything
was dramatically below -- off into your lower left-hand box, I would say
okay, yes, you can do the uncertainty analysis but it's not going to
change the conclusions. It's not so transparent to me that the
conclusions don't get changed now.
MR. BUSLIK: Okay, first of all, the guidelines indicate you
should make, basically you should make decisions on the mean value most
of the time with taking into account uncertainties.
I did have a section on uncertainties in the full write-up.
I don't remember what I said about it but what I did there was consider
the uncertainties in the base case as reported in NUREG-1150, as far as
core damage frequency is concerned, and I do have such results, and I
don't think it would affect the results very much there.
My recollection was it was something like a factor of three
to five in core damage frequency.
Of course, I may have been off as far as the mean value
also, because I did point estimates with mean numbers, but I don't think
that is a large effect for this type of calculation. I don't have cases
where I am dealing with an expected value of x-squared and it is treated
as expected value of x quantity squared.
MR. KING: Plus recognize you still have a number of things
ongoing that are going to deal with this issue between the maintenance
rule, configuration, risk management, tech specs, talking about risk-
informed tech spec program -- all of which directly or indirectly get at
the allowable outage time issue, so it is not like this is the only game
in town.
DR. POWERS: I have to admit that rings a lot more of a bell
with me than this analysis -- the fact that other things are addressing
this.
MR. KING: And recognize the stuff, the numbers Art came up
with are down on the lower corner of the Reg Analysis Guideline chart.
If they were up in the upper corner you might say, well, maybe we better
do something.
DR. POWERS: I'd say I spoke too strongly. What this
analysis does is persuade me that indeed the other things you mentioned
are going to be an adequate resolution of this issue, that there is
nothing from this analysis that would suggest that that is not going to
be an adequate resolution.
DR. SEALE: Yes.
MR. KING: And Art took a conservative approach. Everything
changed together -- the diesel generator, the RCSI, HPSI and those
things all went together.
MR. BUSLIK: I probably gave a conservative estimate of the
effect of the maintenance rule, although I'm not certain.
DR. SEALE: Any other questions from the Committee?
I have got another one for you. Have you got any more of
these in the bottom drawer of somebody's desk that we can look forward
to seeing any time soon?
DR. MILLER: Generic safety issues?
DR. SEALE: We have a report on it in March.
MR. KING: I am probably the wrong one to ask. The keeper
of the scorecard is not in my division.
DR. SEALE: Well, you might tell him we are looking for it.
MR. DURAISWAMY: Dr. Seale?
DR. SEALE: Yes?
MR. DURAISWAMY: We are supposed to get that report next
week.
DR. SEALE: Thank you. Well, if there are no other
questions, Mr. Chairman, I will turn it back to you.
DR. POWERS: Good heavens.
DR. SEALE: We aim to please.
DR. POWERS: Well, I think we have a problem with our
schedule, but I don't think anybody is going to feel it's too much of a
problem. I can't start the next session until 2:30, so I encourage
members to utilize this generous break that I am offering here to
prepare themselves for the session later this afternoon, so we are
adjourned --
DR. SEALE: If anyone wants to give me any hints on what you
all would like to include in the letter --
DR. POWERS: I will give you some things, Bob.
DR. SEALE: That's fine.
DR. POWERS: We are recessed until 2:30.
[Recess.]
DR. POWERS: Let's come back into session.
We had a Fire Protection Subcommittee what, two weeks ago,
and Members have before them something called revised outline comments
and Fire Protection Subcommittee that outlines the various topics we
dealt with. We dealt with a proposed regulatory guide, the fire
protection functional inspections, circuit analysis, IPEEE insights
program, the NFPA 805 fire protection code, and the fire research
program.
The fire protection functional inspection I know is a topic
of great interest to the Committee, but my understanding is that is
coming to the Committee separately in the next couple or three months.
At one time or another it will come to us. It is an extremely
interesting topic because it focuses or it draws attention to the
comparison between a focused inspection versus the core inspection. And
it has some ramifications on the inspection process itself. For this
particular session we brought forward just two subjects for the full
Committee to consider. One is the regulatory guide, and of course the
other is the NFPA 805 fire protection code.
The speaker I think will give us an adequate outline of the
reasons for the regulatory guide. What the staff is really looking for
in connection with the regulatory guide they're proposing is any
thoughts we might have on how to improve and refine the outline they've
prepared. So it really is a question of do you have anything to
contribute. And if we do, then we might write a letter on that subject.
The 805 -- the NFPA 805 fire protection code is of more
immediate interest to the Committee. I think I will go into the issues
and the history of that document when we get to that section of the
presentation. What we have today is Mr. Madden will be giving the
presentations. I don't know whether it is a case that they regard him
as the most knowledgeable and therefore can speak on all these topics or
he just draws short straws a lot.
MR. MADDEN: It's probably the latter of the two.
DR. POWERS: But I think the Committee has heard Mr. Madden
present and know that he's an effective presenter. So I'll turn it over
to you, Pat, and if you can -- and rely on you giving a proper
introduction on why the regulatory guide.
MR. MADDEN: Okay. Thank you, Dr. Powers.
My name is Pat Madden. I'm senior fire protection engineer
with the Office of Nuclear Reactor Regulation. And I'm going to try to
brief you on the draft regulatory guide with respect to fire protection
for operating nuclear powerplants, the reasons why we're developing that
guide, and then after we go through the guide, we'll move on to NFPA
805.
The next slide purely deals with background and direction
that we've got with respect from the Commission for developing the
guide. Initially we proposed in SECY-98-058 to develop this
comprehensive guide and defer the rulemaking and work with the NFPA to
develop a performance-based risk-informed consensus standard for
operating nuclear powerplants. In addition in that SECY the staff also
proposed to delete the requirement for section M of Appendix R, which
refers to penetration seals being noncombustible. On May 5 a letter was
received from NEI that supported those activities. And then on June 30,
1998, an SRM was written by the Commission that approved the staff
proposals.
In addition we have provided status to the Commission on the
NFPA activities in SECY-98-247, and resolution of ten issues from SECY-
97-127, which are a part of the research plan.
We'll move on into the comprehensive reg guide and why the
staff thinks it needs to develop this guide. Currently the fire
protection guidance that is applicable to operating reactors is
scattered basically through about 125 different documents. Some of that
guidance does conflict, and, you know, I can give you examples. The
conflicts deal with how much flow you require or allow for effective
hose streams, for example.
In addition there is some conflict between do you or don't
you need automatic suppression and detection in those areas that are
alternative shutdown areas. Some plants or some guidance say no, you
don't need it, and some guidance documents say yes, you do need it. The
regulation says you need it, but for plants that are operating post-'79,
it says you don't need it. So there are some conflicts in our own
internal guidance, and the reg guide is one way to resolve those
conflicts and reevaluate those conflicts.
The other aspect is that there are some areas currently not
covered by any guidance documents whatsoever. And part of that or
revised or clarifications are needed to some guidance. And some of that
deals with compensatory measures.
Right now the staff does not have any guidance for
compensatory measures. We rely on fire watches. Those used to be
required by the tech specs. The tech specs for fire protection have
been eliminated from the standard tech specs. So therefore the fire
watch requirements basically have been eliminated -- or I shouldn't say
eliminated, but captured by licensees' programs which they can change
under 50.59.
DR. POWERS: Now when you say that the fire protection's
been eliminated from the tech specs, it is the case that the plants have
been encouraged to eliminate them from the tech specs and many but not
all have.
MR. MADDEN: Yes. There is only a handful that have not,
but many have, and basically that dealt with the operability assessments
of fire protection systems and the testing and maintenance -- or the
testing of those systems. So that's all been captured by the fire-
protection program plan which is referenced by the FSAR, which in turn
is identified by the license condition.
DR. WALLIS: Can you give guidance on the integrity of the
protection system itself, so that when you start up the pumps the pipes
don't break as a result of water hammers and things like that?
MR. MADDEN: Well, that's an interesting question. I think
you're probably familiar with the Waterford event. That in itself was
probably a classical what I want to call design error where you had a
standpipe that exceeded the height of the -- or the height of the pump
or actually put pressure on the underground. That in my opinion is not
within the scope of what -- that should have been caught in the review
phase or design phase or the design basis.
DR. WALLIS: I read this as the analysis after this event,
and there was all kinds of checkoffs that they didn't do this, they
didn't do that. There were various things. But none of them seemed to
refer to the fact that the standpipe somehow was poorly designed.
MR. MADDEN: Right. You're absolutely correct.
DR. WALLIS: So is that now something that --
MR. MADDEN: In the reg guide, that event would be factored
into the design attributes for fire water system, supply system.
Another area that there is some confusion is circuit
analysis, and we believe that clarification or additional guidance may
be needed in that subject area.
How the schedule looks for this, and it's probably self-
explanatory, but hopefully somewhere in the September '99 time frame
we'll have this reg guide fully pulled together in some kind of final
stage and be presented to the public for public comment.
I don't think I want to dwell too much on schedule or
activities.
The only thing I'd like to say about the reg guide is the
reg guide is basically laid out in the functional aspect to explain the
fire protection attributes that are required to maintain what we call
the fire protection elements of defense in depth, and the structure of
the reg guide is to try to lay that out in some kind of logical fashion
that tells you what the program goals and objectives are with respect to
defense in depth, explains what we call the first level, which is fire
prevention, what our expectations are with respect to fire prevention.
The second would be what our expectations are with respect
to fire detection and suppression.
And the third would be what our expectations are with
respect to building design, passive features, and the protection of safe
shutdown capability.
That's about all I'd like to say on the reg guide. Does
anybody have any questions?
DR. POWERS: The Members do have in their books the outline
of the reg guide. I guess I have a series of some detailed questions
just to ask about it, but I would like to invite Professor Apostolakis
to reiterate before the full Committee some of his thoughts about the
regulatory guide.
Didn't catch you flat-footed, did I?
[Laughter.]
DR. APOSTOLAKIS: I guess my biggest concern is why this
Guide is not risk-informed and I understand that you have an SRA, or
guidance from the Commission -- actually, more than guidance, a
direction to pull together all the existing requirements into one
document. And I saw in your schedule there that you spent about a year
or even less preparing this Guide, from April of '98 until April of
'99, something like that. So -- oh, you will release it for public
comment in --
MR. MADDEN: September of '99.
DR. APOSTOLAKIS: September '99. So it will take the usual
two years. So I was wondering, even though you have this direction from
the Commission, why can't we make this as risk-informed as we can? I
mean would it really take that much extra work?
MR. MADDEN: Well, I think you are asking the wrong person.
Maybe you should be asking the Commission, but I will give you my views
on it. I mean I think that is what you want to solicit is my views.
DR. APOSTOLAKIS: Yes.
MR. MADDEN: Okay. You know, I can see, number one, that
this document we are doing is in parallel with the NFPA activities, and
I can see that this document could be risk-informed. And let's say we
get into these activities where we think the NFPA is not doing what we
need it to do. Now, I have a basis of a document where I have the
descriptive, or what I want a description of all the fire protection
requirements or guidance into one -- and the deterministic aspects into
one document.
It would be very easy now to, since I have that lined up, to
look at each one of those elements, because it will be in some logical
format, to ask myself which ones can be risk-informed and which ones now
can we shift to, say, yeah, we could take a performance-based -- a
purely performance-based approach towards implementing? That would be
an easy effort to revise a Reg. Guide, and the staff to revise that Reg.
Guide.
DR. APOSTOLAKIS: So --
MR. MADDEN: It is a tool. I mean it could be a tool to
where we could go in that direction, if we decided that NFPA 805 is not
doing what we want it to do, you know.
DR. APOSTOLAKIS: And if you decide that it does, you just
adopt it?
MR. MADDEN: If we decide it does, then -- this is a process
that hasn't been fully decided yet, but when we do the rulemaking, you
can give an option. The voluntary option would be to go 805, purely.
In my opinion, it should be a performance-based, risk-informed standard
without deterministic methods in there except for some baseline, what I
want to call baseline, you know, level of safety for plants.
And then the other aspect would be if they want to stay with
their current program and make changes, et cetera, et cetera, they could
stay with the Reg. Guide tone and look at what the staff's expectations
are and make those changes within the bounds of the deterministic
analysis.
DR. APOSTOLAKIS: Now, you mentioned the rule, when is this
rule coming up?
MR. MADDEN: Well, that rule would be -- it is down the road
a ways, George. And the reason it is down the road is because we have
to get all these elements in place. We have to satisfy not only us, but
we have to satisfy to you, some of your concerns. We are going to have
to satisfy the Commission's concerns. We are going to have to satisfy
the public's concerns. So it is going to be down the road a little way.
DR. APOSTOLAKIS: Now, I remember that someone, I think it
was Steve, mentioned that it will take another five years before we have
a risk-informed Regulatory Guide.
MR. MADDEN: That is probably optimistic. But, yeah, you
are right, another five years.
DR. APOSTOLAKIS: Five years, again, I will repeat my
favorite statement, will be 2004.
MR. MADDEN: I have got it written down.
DR. APOSTOLAKIS: And that will be 30 years after the
publication of draft WASH 1400.
DR. SHACK: A suitable anniversary present.
DR. POWERS: Well, I mean, in fairness, George, we are
speaking in an area that is -- is a niche within the overall risk
assessment, and I don't think you can claim that we have had 30 years of
the same kind of activity in fire risk analysis that we have had in risk
analysis of operating plants.
DR. APOSTOLAKIS: Okay. I was about to correct myself. The
reactor safety study, it is true, did not do a fire risk analysis. A
more appropriate time to start counting from is 1981 when the Zion,
Indian Point PRAs were published and they showed, using a risk based
fire analysis -- assessment of the plant, that, indeed, fire was up
there among the dominant contributors. So, from '81 to 2004 is 23
years, so we haven't hit 30 yet, so I guess it is all right.
DR. POWERS: So you can see how much more aggressively we
are pursuing risk-informed regulation within the fire community. Steve.
MR. WEST: Can I add something, Dr. Powers?
DR. POWERS: Certainly.
MR. WEST: I am Steven West, I am the Chief of the Fire
Protection Engineering Section, NRR. I think maybe Pat said this, but I
am not sure. Basically, we have proposed to the Commission, and they
agreed, that we would have, really, two parallel paths. We would have a
deterministic path, which is today's current licensing basis, and that
is what the Reg. Guide is designed to clarify. And then as an
alternative, a voluntary alternative, we would have the NFPA 805
standard, which we would, if it is acceptable, endorse it through
rulemaking. So we will have the performance-based, risk-informed
process that way.
But it doesn't mean that, even though we have a
deterministic Reg. Guide, it doesn't mean that licensees today can't use
risk information to support their analysis or changes to their fire
protection programs, and they are doing that. And it could be that at
some point, maybe not in the first version of the Reg. Guide, but maybe
a later version, as the methods and tools develop, that we would have an
appendix or something that would provide specific guidance on using risk
information to support program changes.
DR. POWERS: Certainly what I understood Mr. Madden to
say was that, no matter what, you are going to need this Reg. Guide,
because you fully anticipate that there are, no matter what options you
put out there, there are some plants that are going to adhere to their
existing fire protection programs, and that could be a sizable fraction.
We have had various forays by the industry and its representatives
suggesting a move to risk-informed regulation and those haven't been
greeted with open arms by the industry itself. They have grown fairly
comfortable with Appendix R, apparently, and the nearly equivalent
branch technical position. And so this Reg. Guide is useful regardless
of what happens in the future. And that seems like a very plausible
rationale to me. I just don't have any troubles with that.
DR. APOSTOLAKIS: So one could use Reg. Guide 1.174 to
propose changes in the fire --
MR. MADDEN: Oh, yeah.
MR. WEST: Yes.
MR. MADDEN: Absolutely.
DR. APOSTOLAKIS: Nobody has done that yet, right?
MR. MADDEN: No, not specifically. But, yes, they could.
Then we would have to consider Reg. Guide 1.174.
MR. WEST: Let me just add that there could be licensees out
there applying Reg. Guide 1.174 to make changes but we don't -- we don't
know it.
DR. POWERS: Sure.
MR. WEST: We haven't come across them yet, but it is
possible.
DR. POWERS: Actually, I think it is almost a little
surprising that they haven't and it may speak to the state of
development of some of risk analysis tools that we haven't seen more in
that area. Because it seems -- the delight in risk analysis and fire
protection is there is a complete alignment between defense-in-depth and
the risk analysis, and it should be a very straightforward task, but I
think what we have understood from the research program is that the
development of those tools for carrying out the risk analysis, there is
still room for substantial development there.
MR. WEST: And one other thing that came up in the
Subcommittee meeting with the -- I think probably the staff
presentation, and also the NEI presentation on the circuit analysis
issue is that NEI is working on developing, or using risk information to
help deal with that issue. So that is an issue where we expect to use
that under today's regulation and --
DR. POWERS: We actually have an interesting two paths there
as well. We have one body of the industry looking to use risk
information and one body looking to use the more prescriptive
information.
To attack circuit analysis problems.
MR. WEST: And hopefully they will complement one another.
DR. POWERS: Pat, I have a few microscopic questions here to
ask. Looking through the various headings in the outline, it struck me
that there was not a heading that seemed to address the issue of what is
and what is not a reportable fire. Is that not something that should
appear in a regulatory guide?
MR. MADDEN: That's a pretty loaded question and it's a
pretty good debate right now. I mean, what is reportable? I mean,
under the current criteria, reportability is a fire that lasts for ten
minutes or greater. Is that a trash can?
You know, the severity of fires are totally different. I
mean, if it's a fire that involves an oil spill that's put out in two
minutes, that may be more severe than a fire that involves a trash can
that's put out in ten minutes. But the fire that is a trash can fire
that lasts longer than ten minutes would be reportable.
So, you know, there's some fundamental questions about the
adequacy of reportability and how you would capture that in a reg guide
until we come to some kind of grips on what should be reported and what
shouldn't be reported.
So to answer your question in short, that's probably why we
ignored it.
DR. POWERS: Well, I don't think -- I mean, it seems to me
that ignoring it doesn't help.
MR. MADDEN: No. No, but it's been a question that's been
on the plate several times. What should be reported? Should precursors
be reported, or should actual -- only actual fires be reported? Should
events that cause smoke or combustion byproducts be reported, or just
that flames be reported.
DR. POWERS: Even if it's nothing more than to lay out the
issues or to create a heading in this reg guide to be filled in at some
future time, it seems to me a useful thing.
MR. MADDEN: Okay. Well, I'll make a note of it and we'll
consider it.
DR. POWERS: The outline does have, if memory serves me, a
one-line entry dealing with the interface between the onsite and offsite
firefighting crews.
MR. MADDEN: Right.
DR. POWERS: And I wondered if that didn't merit more
headings in the outline, that is, I was thinking of headings that who's
in charge, radiation safety for the offsite firefighters, things like
that as subheadings under that category. I mean, it is a -- it may well
be that you intended to treat them. I'm working from an outline trying
to understand what's going on in here, and it struck me that those were
important things to address specifically.
MR. MADDEN: Yes. The logistics of offsite assistance would
have to be somewhat spelled out, you know, and that -- but that's pretty
unique to each site depending on the State laws or the local laws.
I mean, there are laws in New Jersey, for example, that
prohibit offsite fire departments from coming onsite. So that's why
Salem Hope Creek has its own fire department. So, you know, we'd have
to take all that into creation.
DR. POWERS: Yes. I mean --
MR. MADDEN: Yes.
DR. POWERS: It's a complicated topic, and consequently it
seems to me it deserves some attention in the reg guide.
MR. MADDEN: Yes. I would agree.
DR. POWERS: It also struck me that -- my first reaction is
gee, this reg guide does not address shutdown and decommissioning
plants, permanently shut down. But of course there's another reg guide
that addresses that. And I wondered if there doesn't need to be an
applicability heading that specifically calls out that alternate -- that
reg guide for the shutdown and decommissioning plants.
MR. MADDEN: Yes. I mean, that's an easy reference.
DR. POWERS: Yes. I mean, that's no more than I was looking
for was just a -- those are the -- other than that, if Members have not
had a chance to look at the outline, you can get a quick assessment of
the length and the breadth of the amount of guidance that's out there by
just paging through it, and I think it must run, what, seven pages long,
six pages long?
MR. MADDEN: Yes, the outline is seven pages.
DR. POWERS: Yes.
DR. MILLER: I did have a microscopic -- a couple of them, I
guess.
DR. POWERS: Microscopic questions are fair here.
MR. MADDEN: Yes, they are.
DR. MILLER: Scattered throughout the reg guide are
references to electrical issues, and we already mentioned that the NEI
has a circuit analysis resolution program. In there is such things as
-- I'm going to read from just one, but under electrical raceways, fire
barrier systems on page 29.
It says guidance will be provided relative to design
application of these assemblies.
Now I see other places have the same kind of a statement,
guidance will be provided. Now is that guidance in the process of being
developed or we know we're going to find it or --
MR. MADDEN: No, we've got it already. It's not being
developed, but raceway fire barrier systems and the guidance for testing
and the development of those systems is already established. That's
Generic Letter 86-1 -- or 86-10, Supplement 1.
DR. MILLER: Are you going to use the Generic Letter 86 --
MR. MADDEN: Yes, we'll just bring that information forward
and incorporate it into this reg guide.
DR. MILLER: The reason I'm raising that is IEEE 384 has a
whole lot of guidance in these areas.
MR. MADDEN: Which IEEE standard?
DR. MILLER: 384.
MR. MADDEN: 384? That's on separation, and that's barriers
that are specifically for interdivisional fires. And what we're looking
at is total-room-engulfment type fires. So there's a difference between
the two barriers, and I think what we look at also is Reg Guide 175,
separation and those physical barriers.
DR. MILLER: 175 I thought endorsed an earlier version of
384.
MR. MADDEN: Yes.
DR. MILLER: This is a later version, which has a lot more
-- I didn't have a copy of it until recently. It has a lot more detail.
MR. MADDEN: Yes, but 384 barriers do not provide the fire
resistance that we need for a total -- what we call an exposure-type
fire. So we've come up with a standard that -- or a generic letter
which provides that level of protection.
DR. MILLER: So you think there's enough detail in 86-10 to
do this.
MR. MADDEN: For the fire protection aspects, but for
electrical separation and what I want to call divisional fires, you
know, electrically originated fires in cable trays, the three-foot,
five-foot type separation and physical barriers that are used to isolate
that, that may be something that we need to refer to another standard
for that type --
DR. MILLER: So you looked at the 384 -- it's '92 version.
MR. MADDEN: Yes, we looked at it.
DR. MILLER: Because it looked to me like they were fairly
consistent, although far more detailed in 384.
MR. MADDEN: Yes. We'll take a look at it again, though.
MR. BONACA: Mr. Chairman, I have a question, and I don't
know if you have the answer for me, but there have been IPEEEs performed
for all the units, and I don't know what kind of information we get from
those IPEEE regarding the adequacy of current fire protection. You
know, I don't know if anybody has an answer to that.
DR. POWERS: We did go over the latest status on the IPEEE
reviews and insights program. If you look at some of the bullets we put
down underneath that, I guess I have to admit I was a little
disappointed in how far along we were. It's still a work in progress.
So to say have we derived the insights, I think the answer is no, we
really -- we haven't done enough yet to do that. But it's also equally
true that there seems to be the intention to do that.
We do have I guess the originally scheduled speaker for the
IPEEE program with us today. Nathan, would you like to add anything
about that?
MR. SIU: Only to the extent that there is a preliminary
insights document that was given to the Committee a little while ago, so
if you want to get some indication as to what's happening, the kinds of
insights that have been generated, that is one place to look.
DR. POWERS: But those are fairly -- in fairness to that
document, I think I could have written it before the IPEEEs were even
submitted, diversity of methods, the fire can in some cases being
important, things like that.
I think the detailed insights are the kinds of things that
we saw from the IPE insights document, still awaits completion of all
the reviews.
MR. BONACA: Yes. Because it seems to me the drive towards
the risk-informed regulation in this particular area should be
commensurate to the insights we get from this program regarding adequacy
of current regulation. If we found that current guidelines are
adequate, and we get good protection for fire, then the drive to move,
it's much less. Conversely, you know, a list from some of the IPEEEs
have seen, have seen a significant, you know, contribution from fires to
risk, and so I just wonder how much of that is tied to inadequacy of
fire regulation.
DR. POWERS: I agree with you, the things that you see,
anecdotal accounts or brief descriptions on individual plants, you say
gee, you know, I didn't really expect to have those kinds of numbers in
the face of Appendix R. I wonder if Appendix R is adequate. And then I
thought more about it, and I have come to a tentative conclusion that I
would appreciate comments from the staff about --
MR. CHANG: Okay.
DR. POWERS: I'll get back -- let me finish here and I'll
get back to you.
Tentative conclusion that I can't jump to that conclusion,
that the tools that are being used have sufficient limitations in the
IPEEEs or sufficient doubt surrounding them that it may only reflect the
adequacy of the tools used for the IPEEEs.
So, you know, the initial reaction, gee, surprised that you
do so badly with Appendix R, I think I have to temper that with well,
maybe our tools that we used for the IPEEE aren't good enough. That's
my current thinking on the subject. I would appreciate hearing from the
staff on what they think about my thought on the subject.
MR. CHANG: I'm John Chang. I am intimately familiar with
the IPEEE program. In regard to the IPEEE program, granted there's a
lot of limitation in regard to what tools we have, but overall all the
tools are sufficient for us to serve our purpose, to identify what is
potential vulnerabilities at the plant, even though we know there's
certain limitations. There's also some insights we did not find in the
past.
The insight report did not give us the entire picture
because that's only a very preliminary insight, that because of the
Commission wants to see what insights, so it's barely summarized -- 25
plants we reviewed -- but one important findings. Probably in the past
none of us anticipated that the fire would be such a horrendous
contribution to the risk. I think that is a very significant insight.
Without IPEEE program none of us familiar with IPEs would be able to
know that fire contributes rather significantly.
Second, in regard to the fire IPEEE itself there is also
something we found out, the SISBO itself, self-induced station blackout,
which are not appearing in other past PIs which have a very high
potential to cause some significant core damage.
In the evaluation Quad Cities is another one we still are
evaluating. We did not have the entire picture and we also know that
Dresden is also revising their IPEEE submittals because of all those
findings.
Aside from fire, there's a lot of things found in the
seismic as well as high wind and flood areas.
I think the whole thing is right now to draw the conclusion
IPEEE did not contribute anything or would not review any insights -- I
think it probably premature to say that.
DR. POWERS: I think what we learned here is that I need to
temper my judgment on this that indeed something has come out of these
that we didn't get, that some of the vulnerabilities appear to be real
and not a function of the tools. I think the speaker was absolutely
correct about that, that the vulnerabilities or the limitations on the
tools don't affect those kinds of conclusions, so maybe I need to temper
my comments a little bit, and I noticed the Staff saying yes, temper
yourself.
MR. BONACA: I still feel that it is an important point that
these programs like IPEEE are important to identify shortcomings in the
industry but also to identify shortcomings in regulation, and the degree
to which we have to pursue that kind of understanding from this program
I think we should aggressively pursue that because I think there must be
some way in which we can evaluate current fire protection requirements
based on the body of insights.
I mean it is broad enough where you can eliminate the
uncertainties and make some judgment regarding are we applying the
proper protection where it really should be, and the conclusion may be
that we don't.
DR. POWERS: It could be that we are too much on one and not
enough on another.
MR. BONACA: Yes.
DR. POWERS: That serves as a pretty good introduction to
the other topic that we have brought forward to the full Committee, but
let me ask if there are any other questions concerning the Reg Guide or
any points that the Staff wants to make about the Reg Guide?
[No response.]
DR. POWERS: I will ask the members to think whether we have
anything to communicate on the Reg Guide that has not been adequately
communicated here, so we can decide whether we need to write a letter on
the Reg Guide.
We come now to the NFPA 805 and I think it is useful to go
back into history, especially for some of the newer members -- all that
has transpired over the years in connection with fire protection codes.
We have had for some time the rather prescriptive Appendix R
and we can't speak of that with disdain because Appendix R really was an
aspect of the regulations that our former incarnation of the ACRS worked
hard to help develop and push into the regulations.
But it is quite a prescriptive set of regulations. It is
not inconsistent with fire regulations with how prescriptive it is in
comparison to things that you find in industrial standards.
Four or five years ago there was a proposal to have Appendix
S that would make a risk-informed or more performance-based alternative
to that. That led to a promise by the Staff to investigate the
possibility of having a performance-based alternative to Appendix R, but
about the time work started to -- thought about being initiated on that
there was a proposal instead to have the National Fire Protection
Association host or sponsor or convene a group to develop what was
advertised to be a performance-based fire protection standard -- code.
That group from the NFPA was very generous with their time
and appeared both before subcommittees and the full Committee to
describe their aspirations, and in the course of those discussions the
Committee asked that they also consider risk information and they
certainly moved aggressively in response to our suggestions.
There's been about nine months I guess of activity in trying
to develop this fire protection code and we now have a draft of that
code. It is one of several opportunities that are made to get input
into the code from outside the group that is actually working on it, and
so it is by no means intended to be a final version of the NFPA 805 but
I think we can see the general thrust of the development of that fire
protection code.
The Committee had been proselytized for several years that I
am aware of by one of its members about the one-page fire protection
code that is performance-based and what-not. This is very definitely
not that one-page fire protection regulation and it will not detract
from the speaker's presentation by trying to outline it, but it is far
from clear to me that this fire protection code meets the expectations
we had for an alternative to the existing regulations, and I think that
is the question that the Committee has to address in its
deliberations that it has today on this subject is is this fire
protection code close enough to the alternative we had in mind to be
supportable or is it so completely off the mark that we should encourage
people to think about a third alternative.
I think that is the question we have to address.
With that introduction, I will turn to our speaker.
MR. MADDEN: Thank you. I will try to take you through it.
I am not going to get into the NFPA process or anything like that. I am
just going to try to take you through a little bit of the code or the
standard I should say and what the standard is trying to do.
The basic scope, and I have got it outlined here, it's a
comprehensive fire protection standard to protect the safety of the
public, environment, and plant personnel as well as limit potential for
economic loss. It's a pretty hefty scope.
Some of the goals that the standards committee is focusing
on right now is of course nuclear safety. Our primary focus is on
reactor fuel safety and that may be a little bit different train of
thought than the current regulatory requirements, also, looking at
radiological release, life safety aspects, and then, yes, the final
attribute is property damage.
Looking at the overall performance objectives or the
objectives that the standard is trying to accomplish is looking at
nuclear safety the standard is focused primarily on reactivity control
and fuel cooling. With respect to radiological release it's looking at
no significant additional risk to life and health, and the other is no
additional risk to the society as a whole in general.
Other classical attributes of the standard will be of course
life safety of not only plant personnel and evacuation of plant
personnel in the event of a fire and to protect those paths for egress
or exit from the structure, but it is also to provide some form of
protection to operations that may have to do manual manipulations
remotely in the plant or in close proximity to the area that may be on
fire.
So there's discussions going on on how to accomplish that
and what kind of performance criteria would be used to try to achieve
that type of objective or goal.
DR. POWERS: Now within the regulatory context, that is,
what the NRC does, making it possible for the operators to achieve and
maintain shutdown of the reactor and coolability of the core of course
is an objective of our regulations.
MR. MADDEN: Yes.
DR. POWERS: But life safety itself is not?
MR. MADDEN: That's correct. Now --
DR. POWERS: And property damage is not?
MR. MADDEN: Yes, that's correct. I mean we are driven by
GDC-3. Now GDC-3 says or it basically communicates that we shall
provide protection for structures, systems, and components important to
safety, so some of our guidance documents do look at safety-related
components and we do provide certain minimum levels of fire protection
for those components, and it includes not only safe shutdown components
but accident mitigation components.
DR. POWERS: These two elements, life safety and property
damage, are a major focus, important focus in the NFPA standard?
MR. MADDEN: Well, that's an ongoing debate in the
committee. There's some debate going on as to what will the regulatory
authority adopt as a part of this standard if we -- if we endorse the
standard, is the NRC going to endorse it in its entirety or are we just
going to endorse it within our purview of what we currently regulate, so
that is a big debate and where do you draw the line as far as life
safety. If you go to classical life safety and adopt a building code, a
lot of these plants are not built to that form or shape -- you know,
compliance with the building code, so there may be, you know, some
concerns right off the bat that these plants should be exempted from
life safety, so there's been a lot of discussion on that in the
committee.
The other thing is the property damage. Basically they want
it left up to negotiation between the utility and their insurance
company and how big a premium they want to pay, so there's some debate
there going on.
This slide is wrong, and George will probably correct me
again. The actual nuclear safety criteria that we are trying to
accomplish is to -- main reactivity control K effective of less than
.99, it is not one.
Now, we are also -- we are also, you know, looking at fuel
cooling, and this is where we kind of depart. And we are focusing on,
or the Committee is focusing, I am not saying the staff, but the
Committee is focusing on the design limits of the fuel, not exceeding
the design limits of the fuel.
Now, where we have been in the past with Appendix R is that
we have never gotten down to approaching the design limits of the fuel,
we have always maintained the reactor covered with water or, you know,
above top active fuel in a BWR and within the realm of the pressurizer
for a PWR.
Radioactive release, the standard right now is endorsing
whatever the criteria is under 10 CFR Part 20, so that is where it
stands right now. And, of course, I, you know, gave you little insights
on the life safety aspects and some of the debate that was going on from
the last meeting is that we are back into debating on what is
appropriate for life safety with respect to protecting operators, and
what is appropriate for the NRC with respect to getting involved with
property damage and business interruption.
DR. WALLIS: How does this work out with combined effects?
If you have a fire in containment which leads to a LOCA, you have got
two things to worry about.
MR. MADDEN: Well, there is some really crazy assumptions.
Well, first of all, that would deal with or get into -- first of all, we
would hope that the fire wouldn't be severe enough to cause any piping
degradation to cause that LOCA.
But, for example, let's say you had a condition where, you
know, you have cables associated with PRV, and you had a fire in the
containment, and what I am speaking of now, I am going to sit here and
speak a little bit about current regulation and how we would perform
that attribute, is that we would look at the severity of the fire,
assume that the fire does occur, and if the cable is in an associated
area, we would look at it failing into an adverse condition. And if it
failed into an adverse condition with significant consequence, then we
would provide some level of protection for that cable or, in the event
of a PRV, if it had an associated block valve, we would look for the
routing of that block valve to make sure it is on the other side of the
containment so that the PRV could be isolated.
Now, how is that going to happen here? It is still a little
sketchy. There may be some modeling attributes associated with it, and
there may be some classical deterministic paths associated with the
standard. So it becomes -- you know, when you start looking at other
phenomena piled on top of the fire, this standard is not very clear on
what it does in that realm.
Basically, -- well, I should jump back. It will require you
to do an analysis. Now, I want to couch this analysis. The standard
will require, basically, a plant-wide analysis, and I call it a fire
impact/safety analysis. I don't think that is referenced that in the
standard, but it will comprise of fire hazard analysis. It will also be
your safe shutdown analysis, where you would actually look at cables,
components, systems, cable -- you know, and what is needed to put the
plant in a safe and stable condition.
And then after all that is done, it will also integrate this
risk assessment, or risk-informed approach to look at the associated
risk with that type of protection scheme or that type of cable routing,
or for those specific compartments that may be deemed risk sensitive.
So, it is kind of these are integrated analysis that has to be done in
order to prescribe the level of fire protection that you need for each
compartment, or each area of the plant. So that analysis is basically
mandatory and that is the basis of -- you need that analysis to
implement the rest of the standard.
In the standard we will have what I want to call baseline
fire protection where everybody will be required to have a certain level
of fire protection in their facility, and they will be mandatory
requirements. And those mandatory requirements will deal with
administrative controls, you know, controlling welding and cutting,
controlling what I want to call design combustibles, combustibles that
are designed. You won't all of a sudden abandon the idea of buying
fire-resistive or fire-retardant insulation, for example, for HVAC
ducting. You won't move away from some of the classical reductions in
fire hazards through design.
You will also be required to have a water supply system, you
know, fire pumps and underground mains and a delivery system. The
plants will also have to have manual fire suppression capability.
DR. POWERS: What I find peculiar about this standard is it
is not just having a water supply, it is having a water supply with
hydrants every 265 feet located along the main. I mean this is not just
have a water supply, this is a fairly prescriptive --
MR. MADDEN: Yeah, but I can tell you, Dr. Powers, that they
are already there. They are not going to jerk them out.
DR. POWERS: Of course they are.
MR. MADDEN: They are not going to jerk them out, at least I
hope they are not. They might, yeah, I mean if --
DR. POWERS: It would be surprising if they did.
MR. MADDEN: But the other aspect is with -- you know, and I
think Ed brought this forward the last time, is that a fire hydrant can
only effectively hydraulically withstand like 250 feet of two-and-a-half
inch hose. And so if you had, you know, and I understand where you are
coming from -- if you are out, way out in the yard somewhere, why do you
need a hydrant if there's no other buildings around there? But, you
know, these sites are not stagnant.
DR. POWERS: That's true.
MR. MADDEN: So, you know, they build a building, and then
all of a sudden we have to have a hydrant, you know. And the hydrants
are twofold. I mean it is not only -- in the standard it is not only
nuclear safety, but it is also, there is property protection, again, and
the exposure to nuclear safety components.
DR. POWERS: But, fundamentally, my difficulty I have is
this construction, and maybe I should just let you go ahead and describe
it, because it will become clearer to the rest of the Committee that
this NFPA has a very unusual structure. There are these sets of
prescriptive front-end minimal requirements --
MR. MADDEN: Right.
DR. POWERS: -- and then there are sets of options which can
be equally prescriptive or they can be performance-based, all wrapped
within a fire risk assessment.
MR. MADDEN: Well, yeah, this --
DR. POWERS: No, I am sorry. This part isn't wrapped, the
other part is wrapped.
MR. MADDEN: Yeah, this is mandatory, but the other parts
are wrapped. But the risk assessment does consider this. I mean this
is the baseline fire protection even that would be considered in a
risk-informed approach.
So, the other portion of the standard that is being
discussed is detection and alarm capability for the facility.
DR. WALLIS: All the systems are designed not to be damaged
by the water which someone is going to spray on them to put out --
MR. MADDEN: You mean the safety-related systems?
DR. WALLIS: Yes.
MR. MADDEN: Yeah, there -- in GDC-3, there is a requirement
that basically says that that should be taken into consideration in
design of the plant.
DR. WALLIS: So some system can be heated up by the fire and
then suddenly quenched by the water and it will not --
MR. MADDEN: It may not work. It may not work, that is why
you need separation.
DR. POWERS: The more troublesome issue in that regard is
you put the water into a room that has a fire, will it drain someplace?
DR. WALLIS: Yeah, where else does it go?
DR. POWERS: Where else is it affected? And that has not
been so clearly addressed by the --
MR. MADDEN: The other aspects, all plants will have to have
a fire brigade, some form of fire barrier. Right now, the minimum
requirement is just between buildings, you know, a fire wall that
separates buildings. And, of course, I talked about administrative
controls, and then, of course, the implementing procedures for not only
the administrative controls, but the surveillance, maintenance and
testing of the baseline fire protection systems.
DR. POWERS: The fire brigade is the one I would like to
address because it is an issue that you know will never disappear, there
will always be a fire brigade of some sort. But what you know is that
the most expensive thing in the world, most expensive thing at a nuclear
power plant is probably the people. And you can imagine someone wanting
to come in and, let's say, I would like to make some engineering
tradeoffs. I would like to spend capital once instead of hiring people
twice, especially as OSHA keeps ratcheting up the requirements on my
fire people. I mean they have done it once and they will keep doing it.
So let me set up my systems and I will make a super-duper
fire suppression detection system. I mean it is going to be the cat's
meow, and I am not going to need these fire brigade people anymore.
Why shouldn't that be an alternative for a licensee? It is
precluded by this standard, but why shouldn't it be? Now, we know it is
not going to happen, but we can look at this in the abstract, from a
theoretical point of view.
MR. MADDEN: Well, theoretically abstract point of view, you
will always need somebody to do complete fire extinguishment.
DR. POWERS: Yeah, but, see, they are not going to have one
guy.
MR. MADDEN: No, you can't.
DR. POWERS: With my super-duper system, you can walk around
and say, yeah, it's out.
MR. MADDEN: No. As soon as you go to one guy, like you
said, you fall back to OSHA and he is going to need more than one guy.
DR. MILLER: That's right.
MR. MADDEN: Okay. The other aspect is that, you know, --
yeah, you are going to need at least two. But you are going to -- you
never know, when you shut that isolation, or you isolate that fire
system, if you are going to have a reflash condition or whatever.
The real aspect with the fire brigade is that, is the fire
brigade a burden on the utility? It is not a separate fire brigade, it
is usually comprised of plant operators that are already on shift, or
plant security guards that are already on shift, or plant maintenance
people that are already on shift. Those people have other jobs, they
are not there just to be fire brigade members.
To some degree where the burden becomes is the maintaining
of the qualifications and the training of those people. It is not
dealing with the actual aspects of having a fire brigade.
Now, the real thrust of the question would be is, what kind
of performance criteria do you do to routinely test an individual's
proficiency in fire brigade operations or fire-fighting operations in
the plant? And I think that is something that in the future needs to be
explored. It is not the aspect of economic burden on the plant with
respect to having or not having a fire brigade, it is how you manage
keeping those people qualified.
MR. BARTON: Isn't that required now? They are doing now
training and drills.
MR. MADDEN: Yeah. Yeah. But they -- I don't think it is
done in the most optimum, sensible manner that it can be done. That is
just my opinion. I am not working for the utility, but I think -- you
know, I can only relate back to my experiences as a volunteer fireman,
and when I used to train, you know, volunteer fire departments, is that
we had proficiency drills and that is how we gauged performance. And
you could -- then if the proficiency drill wasn't adequate, then you
would look at what attributes weren't, and then you would go back to the
basics.
DR. POWERS: What you are saying is that there is a -- it
would not be difficult to set up a performance indicator for the fire
brigade.
MR. MADDEN: What I am saying is that it would not be
difficult to set up a performance-oriented training program for the fire
brigade which had indicators in it that would tell you how to do
additional training, or when you would have to do additional training.
DR. POWERS: So we could move the brigade down into the
performance-based?
MR. MADDEN: There's ways to do it, yes. I am not saying
there isn't. But I am not saying that -- I don't think it is a good --
when you get into cutting the size, a five man brigade is really a
minimum size. I mean right now you can only effectively put in
in-service one hose stream with five guys. And, you know, to have, you
know, two guys on a hose line dragging a hundred feet of hose is a
pretty difficult task. And then two guys, the other two guys would have
to be in standby or checking peripheral areas to make sure that you
don't have any fire extension, or you are not jeopardizing other plant
safety equipment. So -- and you need one guy for command and control.
I mean you need one guy to coordinate with the control room. So, you
know, you are into the minimum level of people that you need.
DR. POWERS: I mean I don't argue that.
MR. MADDEN: I am not --
DR. POWERS: I am taking --
MR. MADDEN: So, but I am taking --
DR. POWERS: I am questioning the structure here.
MR. MADDEN: Well, I am --
MR. WEST: Dr. Powers, could I add something, my perspective
to your original question?
DR. POWERS: Sure.
MR. WEST: It is the kind of question you like to have about
a week to think about before you answer. What came immediately to my
mind anyway was that under your approach, you are cutting significantly
into one of the layers of defense-in-depth, virtually stripping it away.
I mean you still would, under your approach, presumably, have an offsite
fire department that would get there eventually. But if you don't have
a fire brigade, you are really cutting deeply into one layer of
defense-in-depth.
DR. POWERS: I guess I don't see that. What are my layers
of defense? My layers of defense are prevent fires from occurring,
detect and suppress, and protect the equipment. Now, which one of those
layers of defense am I moving out? I have the humdinger of detect and
suppress system. I mean it is the cat's meow.
MR. WEST: I guess you are assuming somebody's going to come
up with a 100 percent reliable humdinger system.
DR. POWERS: I don't think I have to come up with a 100
percent reliable.
MR. MADDEN: What happens when that system goes out of
service?
DR. POWERS: Well, I have got three of them, see. They are
multiply redundant.
MR. MADDEN: All right. Here we go.
MR. WEST: I guess your question was actually rhetorical
then.
DR. POWERS: No, I think I am following exactly the elements
of defense-in-depth and I am saying you are telling me how exactly I
have to address one of those defense-in-depth, when I think I ought to
be able to make tradeoffs. And the example I took is outrageous, but it
was studied to take an outrageous --
DR. SEALE: You are getting into defense-in-depth question.
MR. MADDEN: I guess my response would be is that the
baseline program is something that we felt, in the Committee, is
necessary in order to compensate for the uncertainties associated with
the upper tier analysis that may be done, and that we would always have
a minimum level of defense-in-depth applied to these plants.
DR. POWERS: I think that that argument just really -- I
accept that argument when we are talking about reactor operations. When
I look at the way we have constructed fire protection, there is perfect
alignment between risk analysis and defense-in-depth. I have quoted
already what the elements in defense-in-depth -- you are better at
reproducing the words than I am.
MR. MADDEN: Yes.
DR. POWERS: But I have quoted what the major ones are. And
it is not like defense-in-depth is used as something in addition to
compensate for uncertainties in the fire risk analysis. It is the way
we do fire protection.
MR. MADDEN: Well, in a perfect world, if you could design
these systems, qualify them, et cetera, to the application that you want
to apply them, I would agree with you, but right now we are taking
store-bought stuff that is built for office buildings and low ceilings.
I mean like for a fire detector, for example, it is qualified by UL on a
15 foot ceiling. Okay. So we are putting it on a 60 foot or a 40 foot
ceiling. What does that do to its ability to rapidly detect a fire?
You know that's our defense-in-depth approach. The other
thing was the suppression systems. We put them in but then we obstruct
them with cable trays, conduits, HVAC, piping, et cetera, et cetera, so
what is that doing to the actual what I want to call the ultimate fire
suppression system. I mean in a building like this, they are all at the
ceiling, fully visible, et cetera, et cetera. You go to a nuclear plant
you find repetitively modifications that obstruct the fire protection
systems.
DR. POWERS: But you see, you are doing no more than what I
am doing --
MR. MADDEN: Yes.
DR. POWERS: You are saying I've got all these flaws in my
existing system and so I am going to have this back-up, human people.
In fact, your automatic suppression systems aren't expected to put the
fire out.
MR. MADDEN: Exactly.
DR. POWERS: You are expected to be done by the human being.
MR. MADDEN: Well, it is not only that. We are expected --
yes, complete extinguishment is always, even in the current standard in
our NFPA-13, complete extinguishment of a fire is expected to be done by
human beings.
MR. SIU: If I may add, Dr. Powers, I think you are right
that if one were to take a perfectly clean slate and allow yourself the
triple redundancy system and so forth, in principle maybe you could
develop a system that would -- or you could develop a performance-based
approach that would address this issue. I think the Committee has been
much more -- tried to restrict its activities much more to what they
felt was a practical approach where they are taking certain things that
exist right now as basically this is the starting point and they are not
looking at major perturbations.
DR. POWERS: Well, I think that is the exact -- exactly
true. They are not looking at a major perturbation, and the question
this Committee has to wrestle with is were we looking for a more major
perturbation? Why couldn't we go in and say look here, we expect you to
have a process for preventing fires, and it should function to this kind
of a performance level, and we will define these performance monitors
for it.
Why couldn't we then say we expect you to have the
capability to detect and suppress fires, it should work to this
performance level and here is a monitor for it. You should have a
system for protecting the safety-related equipment against the effects
of fires and it should work to this level of performance and here are
the performance monitors, and then dispense with all this conventional
wisdom on how to do fire protection because they can draw it from other
sources -- it is well-known stuff -- and say that well-known stuff gives
various alternatives with which one can achieve these performance
indicators.
Isn't that what we are looking for in a performance-based
alternative to the existing regulations?
MR. SIU: I think you are also looking for something that
people feel can be adopted practically within a relatively short
timespan. We don't want to wait the next 30 years before we get it.
DR. POWERS: Well, as the speaker just pointed out, most of
this stuff is already there. Most of this -- they are not going to jerk
it out. As to quote the speaker, why can't you say look here, I have
all of this stuff that I put in here and ask me about its performance.
Don't ask me if the hydrants are separated by 265 feet or not. Does it
do its job?
MR. MADDEN: I mean you could very easily write that fire
hydrants should be distributed appropriately in order to institute an
effective stream anywhere on site. I mean you could do that. That is
the language of I think what you are going after. I mean that could be
done.
DR. POWERS: Well, I have interrupted the presentation.
MR. MADDEN: No, it's all been very good interaction.
DR. SEALE: Exciting.
MR. MADDEN: Yeah, really. You're right. Maybe I should --
well, I'll go through this but I think what I should do is jump to that
triangle and I think the triangle, I think I can talk around that
triangle and that may help a little bit about briefing everybody else as
far as I really think the thing is like this.
DR. POWERS: Yes, I agree with you. It should be upside --
it's put up the wrong way.
MR. MADDEN: It is put up the wrong way. I think it is
really like this and if you look at the flow charts in the standard,
that is really where it is, because you start at the bottom and work
your way up. It is not you start at the top and work your way down.
The elements of how this thing is going to flow is that
every plant will be required to have this baseline fire protection
program, as I explained. Then after you have done your analysis and you
look into what you need to protect with respect to the analysis and part
of that analysis will be doing an engineering evaluation, of course
qualitative and quantitative. Fire modelling will go into this
performance-based analysis, and then of course you would gather your
risk information and do what we call a site-wide risk evaluation.
In the middle section where it says deterministic and
performance-based, they have a deterministic section right now in the
draft that says if you meet this, you're done -- you don't have to do
any more, or you can jump over here and do this performance-based part
and do these evaluations that I just talked about, I mean in more
detail.
You know, right now the discussion is -- part of it was
based on the last discussion that we had here at the ACRS. Some of the
discussion going on is why do we have that? If it is going to be truly
performance-based, and we are going to accept having a baseline program,
then the next level ought to be looking at the performance-based
attributes and how to do that and putting down that form of criteria on
how to satisfy the goals and objectives of the standard, and that really
wrestling with listing another whole deterministic set of criteria that
may conflict with the current deterministic criteria.
So that is kind of what is going on right now in the
committee is a discussion on that topic, specifically in the Chapter 3
attributes which deal with baseline but they also deal with the design
of fire protection systems to satisfy the performance-based goals and
objectives of Chapter 4.
DR. WALLIS: Can I ask you about deterministic?
MR. MADDEN: Yes.
DR. WALLIS: What is the state-of-the-art of predicting how
well a fire protection system will work? Isn't it somewhat iffy in
terms of analysis and modelling?
MR. MADDEN: The actual actuation of a suppression system,
when it is going to actuate?
DR. WALLIS: No. If you have a fire --
MR. MADDEN: Right.
DR. WALLIS: -- how much water, where do you need to put it
out, how will the fire evolve and so on -- isn't that a fairly iffy
area, even worse than some of the thermal hydraulic fields?
MR. MADDEN: As far as the models go, with respect to
predicting fire growth based on some limited input, they are very
limited. It is user-defined input on fire growth right at this time so
I would have to come up with or develop the database that would tell the
model what to look at with respect to time and energy being put into the
mathematical computations.
Now with respect to like sprinklers I mean we can look at it
based on history and various fuels and past research. You can look at,
like for sprinkler applications what kind of water densities that you
would need in order to control that fire.
And then you would hydraulically design that system to deliver that
water.
DR. WALLIS: That's what you mean by "deterministic"?
MR. MADDEN: Right.
DR. POWERS: I think you'll find that many, many of these
things are designed based on an empirical experience base of some
magnitude, and within this field there are a variety of very, very
knowledgeable people, including our current speaker, who just have a
wealth of experience of what works and doesn't work. And it's based on
true tests.
DR. WALLIS: Units have changed from pounds of red oak per
square foot --
MR. MADDEN: No. No, we're still -- well, it's a mixed bag
now. I mean, when we're in the modeling, it's, you know, something
else. When we're into hydraulics, it's something else. So it's a mixed
bag.
Anyway, you know, I don't know what more I can communicate
with you, but the current flux of the standard is we're still going
through draft. The draft that you see now will be changing. All I can
do is put out the schedule of where we are and what we're trying to
achieve.
Basically what's going on right now is we have a public
comment phase for this proposal based on the draft that you have in
front of you that will close on 2/19/99, and then we will have another
committee meeting which will go through all those public comments and
proposals to either accept or reject. But this gets a little bit more
of a difficult process, because we have to put down the reasons why we
are either rejecting or accepting.
And then after that we'll issue another draft. And that
draft will be, you know, the final draft which will go out for what we
want to call actual public comment. And based on that there will be
another comment phase which will close, and that's not on this slide,
October of '99.
And those comments will have to be resolved before the
standard can be brought up in front of the -- at the annual meeting for
vote.
So right now we're in a cycle where we're going to try to
issue this thing and have it fully voted on by the general NFPA
membership at the annual meeting in May of 2000.
MR. HOLAHAN: Before we leave the 805 --
MR. MADDEN: Yes.
MR. HOLAHAN: This is Gary Holahan of the staff.
DR. POWERS: We are a long ways from leaving 805.
MR. HOLAHAN: Well, I think Pat is trying to be close to it.
MR. MADDEN: I'm trying.
MR. HOLAHAN: I'd like to address some of your concern, Dr.
Powers, in the context of how much detail and how prescriptive the
guidance -- this NFPA 805 is. And if you step back from 805 and think
about the regulatory process and how it would be used, what we're
talking about is this is basically a standard that would be endorsed
presumably in the regulatory guide, which would be used -- which would
be used as the basis for a new fire protection rule, or it could be in
fact referenced directly from a rule.
The issues you've raised about do we need to be
prescriptive, can we be more performance-oriented, can we have more sort
of general higher-level requirements, I think all of those things are
not only possible, but we think of those as what the rule requirement
would be. I'm imagining rather than an Appendix R where all this sort
of level of detail finds its way into the rule, we would have a very
simple rule. It might in fact say there should be a fire brigade, but
it might not say how many members. It certainly wouldn't say 265 feet,
you know, between --
DR. POWERS: Fire hydrants.
MR. HOLAHAN: Fire hydrants or length of fire hoses or these
sort of issues. So if you think of the regulatory requirements being
more general and, you know, the industry and the fire protection
association developing guidelines, one set of guidelines, one way to
implement those general requirements, that's what you've got in here.
That doesn't mean that a licensee couldn't say I don't like
265 feet, and what I'm going to do is I'm going to meet the fundamental
requirements in the rule in a different way. It seems to me that places
the burden of, you know, analysis and experimental support and all these
other issues on the licensee. It doesn't say you can't do those things,
it just says this is not the standard way to do it, hasn't been
preapproved.
So I'm imagining that the kind of vision that you were
expressing is a rule vision, and that's different from what I look at as
an implementing guidance at a, you know, more prescriptive level,
doesn't bother me.
DR. POWERS: I have absolutely no difficulty with the idea
that this might appear as an alternative way to have adequate fire
protection in a nuclear powerplant. One could well imagine that a reg
guide says follow NFPA 805 and you're home free. Those seem entirely
plausible to me. That's on one level.
On another level I say I've gotten clear indications that
the Commission is very supportive of the idea of being less prescriptive
and more performance-based, and they would like to see an alternative to
50.48, Appendix R, maybe even to GDC 3, and another one I can't
remember, but in fact that affect fire protection.
And I think the hope was this was going to be it. My point
is, it's not it. Now, do we need to pursue a third leg on this to get
to that aspiration that I think the Commission has?
MR. HOLAHAN: It's certainly been the staff's understanding,
and I think the Commission's understanding, that there always needed to
be a rule change to implement anything but the existing Appendix R,
50.48. In my mind that's the other leg of this, and that's where the
less prescriptive, more analytical vision belongs.
DR. POWERS: What you're saying is that there's another
thing that we haven't seen because it hasn't been written yet, which
once this is done will come in and this will never appear as a rule.
There will never be a rule that says do NFPA 805 and you're home free.
There may be a rule, but that won't be the last of the rules.
MR. HOLAHAN: It might say NFPA 805 is one way to meet this
underlying definition of, you know, what we think fire protection safety
needs to be.
DR. POWERS: Okay. You've completed your presentation?
MR. MADDEN: Yes, sir, unless you want the status on the
Appendix R revision -- the revision of Appendix R on 3M penetration
seal. It's just a schedule. I'll show it to you.
DR. POWERS: Oh. I assume that this is happening.
MR. MADDEN: It is happening. I mean --
DR. POWERS: Good.
MR. MADDEN: We're going through the process.
DR. POWERS: Good.
MR. MADDEN: And it should be hopefully published or the
final rule should be somewhere in April 2000.
DR. POWERS: Good. I think the operative thing here is that
if we on the schedules you put up here is that there is a 2/19/99 point
in the schedule where they would like to get comments that we might have
on this draft standard. We have from Professor Apostolakis a variety of
specific comments, and I ask if he -- he's raised these at the
subcommittee. Did you want to raise them again?
DR. APOSTOLAKIS: I don't know if this is an appropriate
time to do it. They should be forwarded to the staff at some point, and
if we plan to write a letter, maybe they could be attached there or -- I
can always go over them, if you want me to.
DR. POWERS: Well, those that you think would be useful for
the rest of the Committee to hear, I think you certainly should.
DR. APOSTOLAKIS: Okay.
DR. POWERS: The Members have a digest of Professor
Apostolakis' comments as best I could digest them.
DR. FONTANA: All three of them? All three?
DR. POWERS: It is listed under draft positions for
consideration by the ACRS NFPA 805 standard on fire protection. It is
listed under specific comments.
DR. APOSTOLAKIS: So it's pages 2 through 95.
MR. MADDEN: I like that.
MR. BARTON: Take your time, George, so we can digest them.
DR. APOSTOLAKIS: Okay. You mentioned earlier that one of
your early slides was going to make some comments, and I have commented
here that if you look at four areas that you are trying to protect, and
the first one is nuclear safety, it seems to me that you are setting
goals that are different from what other parts of this Agency are
setting.
So I am concerned that we are seeing a proliferation of
goals and objectives as risk-informed documents are being developed by
various organizations. And there is a safety goal policy of the
Commission. There is a document on inspection and enforcement that is
being developed right now by a team of this agency that identifies goals
and so on. So it seems to me that it would be reasonable to expect 805
to use some of that, if not all.
MR. HOLAHAN: Could you share a copy of the comments with
the staff?
DR. APOSTOLAKIS: Want to?
DR. POWERS: It's at your discretion.
DR. APOSTOLAKIS: The first two pages are yours.
DR. POWERS: If they don't know my position by now, they can
be reminded by the front.
DR. KRESS: The staff should be aware that these are not the
Committee position.
DR. POWERS: That's right. These are the subcommittee --
MR. HOLAHAN: Thank you.
DR. POWERS: Develops draft positions for consideration by
the ACRS. The ACRS has had these now for about an hour, and there has
been no consideration of these.
DR. APOSTOLAKIS: So the specific comments are --
MR. HOLAHAN: I would thank the Committee for sharing it
with us at this stage.
DR. APOSTOLAKIS: Okay. So enough said on that.
I don't have to go over every single one of them.
DR. POWERS: I think just the ones that would be of interest
to the Committee.
DR. APOSTOLAKIS: Yes. I find it interesting -- that's
comment number 3 -- that the nuclear safety objective does not use the
word "risk," whereas the radiological release objective, which is not
nuclear safety related, does. And there is more elaboration here on
this.
I do recommend my favorite top-down approach to defining
objectives and performance criteria, which may be related to what Pat
said earlier about the triangle being upside down.
There are some different points there and number 8, I must
tell you, was edited by Dr. Powers. It was much stronger when I wrote
it --
[Laughter.]
DR. APOSTOLAKIS: It deferred to my blood pressure, but to
say that you will do a risk evaluation to provide additional assurance,
you lost me. When I see the word "additional" and "risk evaluation" in
the same sentence, I get mildly annoyed.
DR. POWERS: And you will notice in the first comments,
first page of comments, that I think a significant deficiency in the way
this draft rule is portrayed to us is that risk assessment is used only
to increase requirements. I think that is a significant deficiency.
DR. APOSTOLAKIS: Yes and that -- if you look at the
figure -- well, which is really like your triangle. It is really a
triangle where you have the deterministic requirements, the
probabilistic and then you do a risk evaluation. I mean that --
DR. KRESS: Are we looking for comments on these comments?
DR. APOSTOLAKIS: Not right now.
DR. POWERS: We will get an opportunity to discuss it.
DR. KRESS: This is not the time to comment?
DR. POWERS: I think I would pipe right in if you have
something to contribute.
MR. BONACA: Oh, I'm sorry. Go ahead.
DR. KRESS: Well, with respect to the proliferation of
goals, we are dealing here with one set of initiating events in a whole
sea of initiating events. To start from the safety goals for example or
even the performance objectives and try to derive what your risk goals
might be for these is to me very problematic. It requires an
apportionment among sequences of your risk, and I see this as saying,
well, if we attack it from the other end rather than top-down, and it is
somewhat akin to looking at the cornerstones, say if our objective is to
prevent the K from getting above one, to prevent this, this, and this,
you can automatically assume that if these things are accomplished that
you will not have added much risk, although if those are goals they are
much, much more stringent than the safety goal.
DR. APOSTOLAKIS: And that's exactly my point.
DR. KRESS: But you have no way to apportion the safety
goals among the fires.
DR. APOSTOLAKIS: I don't have to apportion anything.
DR. KRESS: You have to because this is only -- this doesn't
count for risk --
DR. APOSTOLAKIS: No, no, no, no, no -- if I look at the
cornerstones and I pick up any fire risk assessment, you will find that
in the second page or maybe the first you will see that what we are
doing here is we are trying to see whether a fire can cause an
initiating event and can defeat some of the systems or mitigate a
system, and so it seems to me that is very consistent with the
cornerstones.
I don't have to say that K has to be less than one because I
don't see any reason for it.
DR. KRESS: Because that accomplishes that goal.
DR. APOSTOLAKIS: But I don't want more stringent goals
every time somebody writes a risk-informed guide or standard. In two
years I am going to need another Regulatory Guide like the one that Pat
is preparing to pull together these objectives and --
DR. KRESS: This is not the full goal. This is a derivative
within the full integrated goal and --
DR. POWERS: Not as we understand it.
DR. APOSTOLAKIS: Not as we understand it. Not as it is
presented in the standard.
DR. POWERS: Not as it is presented in the standard.
DR. APOSTOLAKIS: There is a difference.
DR. POWERS: You do a whole CDF calculation and this would
be just one part of it -- now practically I think it is but not --
DR. KRESS: Well, I think that is actually the fact. You do
a CDF.
DR. APOSTOLAKIS: If you want to define more stringent
goals, you should state so and you should show how these meet the higher
level goals that the rest of the agency has without necessarily going to
the safety goals.
DR. KRESS: I certainly didn't read it as developing new
goals but maybe I read it wrong.
MR. BONACA: I would like to just add a comment that goes in
the direction of again the point I was making before. IPEEE has been
available for years now as a resource and it seems hard to believe that
some lessons learned regarding the effectiveness of fire protection that
really in part is embedded in this new Reg Guide have not been sought.
I mean it seems like a mindset that it has to be a
deterministic approach and then PRA is used as a means of checking
something.
DR. APOSTOLAKIS: Exactly.
MR. BONACA: But the lessons learned from existing programs
should have been I think derived and learned and at least the message I
got is that that wasn't attempted and my concern is that this is going
to cement really much more of what is in place now with some
modifications, and even if you have a new regulation coming in later
with risk insights, utilities will not be willing to make additional
changes because it is expensive to change and change and change, so the
point is supporting of your perspective, George and Tom, but the point
is that again I don't understand why available information hasn't been
yet collected and provided.
DR. APOSTOLAKIS: And I would go even a step before that,
before you do the IPEEEs. There is a lot of information out there how
to do a fire risk assessment where the emphasis is on the potential
dependencies that the fire would introduce that may cause an initiating
event, as I said earlier, and simultaneously defeat some of the
safeguards.
I haven't seen any of that thinking here. What Mario is
referring to is the implementation of that thinking in the IPEEE. The
FIVE methodology may differ a little bit but conceptually they are both
looking at the same thing. I don't see anything in the NFPA 805 that
says this is what we are trying to do -- we are trying to prevent fires
from becoming a common cause failure, we are trying to prevent fires --
in other words the basis is the fault tree, event tree model that the
standard IPE or PRA has developed. The fire is not a separate thing.
It's an appendix.
You are still working with those because if you want to
damage the core you just still have a LOCA or you must still have one of
the initiating events. Fire itself won't do it.
DR. POWERS: Oh, yeah. The exact example the speaker used I
think is a good one. If you have a fire that fails the PORV in an open
position and it also damages the block valve on it, you've got a loss of
coolant accident.
DR. APOSTOLAKIS: That's what I am saying, that a fire has
to cause one of the initiating events that we have already identified.
It is not something separate. You are just looking at -- it's like
earthquakes. It is an element that can act as a common cause failure,
but the basic structure is the one that you have in the basic PRA. I
don't see that thinking. I don't see it anywhere.
MR. SIU: If I can comment on an earlier statement, George,
and then I will get back to this one that you are talking about.
DR. APOSTOLAKIS: Yes.
MR. SIU: As we discussed at the subcommittee meeting, risk
assessment can be used to relax the requirements at the plant. What you
have to realize is that the baseline program is far less than what is at
the plants now.
DR. APOSTOLAKIS: But I am not referring just to the
baseline program. I am referring to the whole 805 that --
MR. SIU: No, no, no --
DR. POWERS: He is commenting to me.
MR. SIU: Okay. Maybe I am commenting --
DR. APOSTOLAKIS: Okay.
MR. SIU: But I thought that George had also raised the same
point, that the baseline program is a program that is far less than what
is at most of the plants and what you do, what you can use risk
assessment for, in addition to the sitewide risk evaluation, which does
come at the end and which does ask are there additional things that you
need to address, but within the performance-based part of the standard
you can use risk assessment tools to determine whether or not you need
to provide additional functions beyond what is provided by the baseline
program.
DR. POWERS: You can increase requirements.
MR. SIU: From the baseline.
DR. POWERS: There is no mechanism to decrease.
MR. SIU: It is a decrease from where they are now.
DR. APOSTOLAKIS: It's what?
MR. SIU: It is a decrease from where they are now. That's
the point.
DR. APOSTOLAKIS: But if I had not worked in this area and
read the standard, okay, I would have no idea what fire risk assessment
does. It is not reflected in the standard.
MR. SIU: Well, that's true, because Appendix B has not been
written yet and that we understand is a major hole.
DR. POWERS: I mean even if it weren't a hole, I will have
to admit I have not gone through a line by line comparison between
Appendix R and this standard, but I think I wouldn't find many things
missing.
MR. MADDEN: There's quite a few things missing.
DR. POWERS: I will take your word for it because I haven't
done it.
MR. SIU: And beyond that again, the deterministic option is
an option. You don't have to follow that and use the performance-based
approaches to address the same requirements once you get out of the
baseline program.
You might argue where the line is drawn for the baseline
program and how much really has to be there as opposed to how much
should be --
DR. POWERS: I want to draw it at the bottom.
MR. SIU: Well, I understand the philosophy and you
understand the issue of the practicality of trying to get a committee to
come to consensus.
DR. POWERS: But I don't see the advantage that we have
gained. I mean you have to weigh two things here.
Learned societies can prepare all the consensus standards
they want to and that's fine, but imagining ourselves as adopting this,
I don't see what we have gained by doing this.
I don't see anybody going oh, wow, we've got 805 -- I'm
going to -- heck with Appendix R, I'm going to go get this stuff right
now. It becomes almost an effete exercise to me.
MR. MADDEN: Well, let me give you just one slight view that
I have, okay, and, true, I don't believe that anybody is just going to
arbitrarily tear fire protection out of the plants, but I can see
another side of that too, but I mean let's take a hypothetical case, a
space that has one-hour barriers, suppression, detection, and you know,
you need the one-hour barriers to complete your separation, to protect
the train for safe shutdown.
If you were to apply this approach, this performance-based
approach, and in conjunction with risk tools, find out maybe the areas
that doesn't contribute much to risk, and that the fire scenarios that
you do model, depending on how you define them, may not cause the level
of damage that -- maybe you were just ultra-conservative in the
adaptation or adopting Appendix R to that space. Maybe all you need is
a minimum fire barrier of one hour and that is good to go. You don't
need detection and suppression.
Well, this standard will tell you that. Now do I believe
that they are going to take the fire protection out? No -- but it may
be a basis for maybe not paying so much attention to when that
suppression system is out of service or that detection system is out of
service and maybe the necessity for compensatory measures as we know
them today may not be there and that may be an indicator as a result of
going through this process.
DR. APOSTOLAKIS: I just would like to go back to what Dr.
Kress -- because it's inevitable, no matter what your goal is, that you
will face the question of apportionment.
DR. KRESS: Sooner or later.
DR. APOSTOLAKIS: Because K less than 1. That's an
objective.
DR. MILLER: .99.
DR. APOSTOLAKIS: But there are some sequences that will not
achieve this. What frequency are you going to allow? So you're back to
square 1. But the thinking, the basic thinking of the fire risk
assessment, you know, starting with the initiators, the mitigating
systems, all the cornerstones, and seeing how they affect -- the fire
may affect those, and the importance of screening of rooms and so on,
it's just not there. Now it may be in Appendix B. That's forthcoming.
But in the main body it is not.
MR. MADDEN: One real question is -- back to the Committee
is the understanding of how fires occur --
DR. APOSTOLAKIS: Propagate.
MR. MADDEN: And propagate.
DR. APOSTOLAKIS: Yes.
MR. MADDEN: And the other aspect is how they would achieve
the damage, as you're stating, George, to cause these initiating events.
Okay, but let me --
DR. APOSTOLAKIS: I don't doubt that, Pat.
MR. MADDEN: Let me -- okay, okay. But let me --
DR. APOSTOLAKIS: Sure.
MR. MADDEN: Complete my train of thought here. You know,
the K effective may be in your eyes overly conservative, but in my eyes
is that Appendix R, the basis of Appendix R was that we never considered
fire as a design base event. It was never included in chapter 15 as a
design base event. So what you're talking about is initiating
frequencies or initiating events that get you into a severe accident or
a design basis event.
We've always treated fire as a routine operational event
that should be handled and mitigated with the least amount of impact on
the plant. So that's where this standard is coming from, is not to get
to that next step to where we have to go into the EOPs and do a
last-ditch effort.
DR. APOSTOLAKIS: Yes.
MR. MADDEN: So, you know, you've got to keep that in your
mind -- that thought in your mind when you look at the standard, because
that's the goal it's trying to accomplish.
DR. APOSTOLAKIS: And I would agree that perhaps the list of
initiating events that a standard PRA has should be examined from that
point of view, that you may want to add something to those and expand
the list to make sure that, you know, you're not working only in the
severe accident space.
But I think the basic intellectual approach is very good,
and it's applicable, and should drive, really, what you do beyond design
basis -- beyond the basic program. Because I agree that you cannot have
the whole thing centered on risk assessment. No. You'd want certain
minimum requirements which your basic program will achieve. But if I go
beyond that, and I should go beyond that, it seems to me that basic
approach is very good for that thing.
In fact, to avoid this thing about additional requirements,
maybe you can present that first and then come up with your basic
program and say, you know, because we have these objectives here and we
really -- we really don't want fires, for example. We want this and
this and that. Anyway, I don't think we can resolve that issue now, but
I just wanted to register my --
DR. POWERS: Do any Members have additional comments they'd
like to make?
DR. MILLER: Yes, I have one. It's kind of a philosophical
comment.
DR. POWERS: Surely not. We haven't been discussing any of
those up till now.
DR. MILLER: No, these have all been microscopic, right?
[Laughter.]
Just not having been dealing with fire protection standards,
but just based on my standards of experience developing some --
developing a performance-based standard is somewhat slightly orthogonal
to the mentality of most standards. Most people get together and
develop a contingent standard. They are really developing a standard
that says I want to tell the world based on the consensus of the best
practice in how to do things. That's not performance based.
So to ask a standards group to develop a performance-based
standard may give them some difficulty. Maybe the fire protection group
has experience there, but if I were in the instrumentation area, you say
okay, develop a performance-based standard for some I&C area, I think a
lot of my colleagues would be sitting around and scratching their heads
and say what are we going to do, because our mentality is we're going to
tell the world based on this group that our best estimate of how best to
perform something is something done. And so I see that orthogonality a
little bit embedded in this standard here.
MR. MADDEN: Yes. Absolutely.
DR. MILLER: The temptation is, even I had a temptation, I
want to say okay, we have these separation criteria, I want you to tell
me how to do that and what they are.
MR. MADDEN: Yes, well, I agree with you wholeheartedly. I
mean, that is a problem with this standard committee right now is what
can we do in a performance-based arena and still have confidence that
we're providing adequate protection.
DR. MILLER: You may be asking a standard to do something
that it's not really meant to do.
MR. MADDEN: There are --
DR. MILLER: Be performance based.
MR. MADDEN: Yes, there are probably some attributes in the
fire protection arena that don't lend itself to performance-based
approaches.
DR. MILLER: I'm just saying generically in all standards it
may be something is not --
MR. MADDEN: Well, more in the forefront.
DR. MILLER: It may be something that the consensus
standards process is going to have to deal with, because obviously it's
the right thing to do.
MR. MADDEN: Well, we're in the forefront with NFPA, and --
DR. MILLER: And you're going to tell us how to do it.
MR. MADDEN: Well, we're attempting, let's put it that way.
And I don't know if we're really going to tell you what to do.
DR. MILLER: Hopefully in a way there's comments that temper
the frustration of my colleagues to the left who are saying it's not
performance based.
DR. POWERS: No. If you're looking to temper --
[Laughter.]
It just adds fire.
DR. MILLER: Well, I was just saying, maybe it's not the
right thing to do.
MR. MADDEN: Well, I would invite each and every one of you
to take a look at that standard and provide us with comments. You know,
the NFPA and the industry is trying to move this thing as fast as
possible, and to some degree I think maybe a set of brakes may have to
be applied somewhere to really see if this is what we want to do and if
it's going to achieve the goals that we believe that the Commission
wants.
So that completes my presentation.
DR. POWERS: Are there any other comments people would like
to make?
Well, thank you very much, Pat.
Steve has got to get in here.
MR. WEST: I just had a question. Is it the Committee's
intent to develop comments for the NFPA or --
DR. POWERS: It is the Committee's option now to write a
letter. It would be unusual for us to write to NFPA.
MR. WEST: Okay.
DR. POWERS: It would be usual for us to write either to the
Commission or to the EDO with the anticipation that staff that are
members of the Development Committee would carry those comments forward.
MR. MADDEN: Yes, that's the agreement I've already made
with the NFPA.
DR. POWERS: And I think that if the Committee decides to
write a letter, and we've not had a request for a letter from anyone,
but if the Committee decides to write a letter, it would be to either
the EDO or the Commission. And I suspect just thinking about what I've
heard that they would be comments not very useful to the NFPA. If they
were looking to optimize the draft they have, I think they have more
toward suggestions to the Holahan fire-protection rule that has yet to
appear.
That's my guess, but I've learned after four years on this
Committee never to anticipate what the Committee does. My batting
average is exactly zero on that.
MR. MADDEN: Thank you for the clarification.
DR. POWERS: With that, Pat -- thank you very much, Pat,
that was just really helpful, and always appreciate your calm and
deliberate style and very frank presentation. It's very helpful to us.
MR. MADDEN: Thank you.
DR. POWERS: I propose that we recess until 4:40. I need to
keep the recorder here, because we're going to have additional things on
the record. Is that correct?
[Recess.]
DR. POWERS: Let's come back into session. This is a
session for preparation of ACRS reports. The first of those that we
want to discuss is the lessons learned from the review of the AP600
design.
Dr. Kress, I think you are the cognizant member in that
area.
DR. KRESS: Am I? I thought Dr. Wallis was.
DR. POWERS: My list has you as the guilty party.
DR. WALLIS: I may be cognizant, but you are responsible.
DR. KRESS: I do not want to claim responsibility. I will
act as the Chairman. What I think we have the pleasure of is some words
from Brian McIntyre, which would be a view from the other side, so to
speak, on this. And I think this would be very useful to us. We
invited Brian to do this at one time and he graciously agreed to come
and give us some viewpoints, and I think they will be worth listening
to.
With that, I will just turn it over to Brian, and then we
can discuss the letter. Is that a good way, do you think?
DR. POWERS: I think absolutely that is the way to go.
MR. McINTYRE: It is just wonderful to be back, as you can
imagine.
[Laughter.]
MR. McINTYRE: I understand you guys got a gold star from
the Chairman yesterday for getting AP600 done.
DR. POWERS: You may be excessive when you say a gold star.
MR. McINTYRE: Well, I am just telling you what was related
to me, so I thought that was very positive. The comments that are the
topics --
DR. KRESS: We attributed that to the interim Chairman of
the Subcommittee.
MR. McINTYRE: I see. Okay.
DR. KRESS: Sorry, go ahead.
MR. McINTYRE: The quality and some of the things that I
understand are on the letter are quality and timeliness of submittals,
code V and V, T&H code development, best estimate -- I still can't read
this. Determination of conservative margins, I think that was -- is
that right?
DR. KRESS: Yes.
MR. McINTYRE: I have done this in --
DR. KRESS: That are things that were on the draft letter.
MR. McINTYRE: And then some other things about IVR and EQ
of PARS and MCR staffing. I just want to really talk about the first
four, since that is where we spent most of our time.
The quality and timeliness of submittals. Yeah, we agree
that the submittals were frequently rushed. I mean there is no question
about that, that they were large documents. We were trying to move this
thing along as fast as humanly possible, sometimes a little bit faster.
I can assure the Committee that the documents were reviewed and edited.
It is almost the first thing we would hear was some comment
on the poor quality of the documents and there's -- to me, quality is
like truth and beauty, it is pretty subjective. There's types of
quality where you can look at the persuasiveness of your technical
arguments, which frequently people didn't like. I don't consider that a
quality issue. There were typos and errors. These tended to be huge
documents, four or five thousand pages in some of the cases.
We had a process, and we did try to improve it as we went
along. We had editors. What we found is that with documents this
large, and particularly where the only people who could reasonably
review them were the guys who had primarily written them. I mean I
couldn't look at it and tell you if that should have been a superscript,
a subscript, or if things were done right. We found that a number of
the errors were creeping in from our word processing people, when you
start typing out large equations and stuff, that that is a little harder
than one would think it would be, but, evidently, it is a very complex
process and that was a problem for us.
If you look at the documentation, as I said, what we were
trying to do, is we were trying to keep the staff happy. Not that we
weren't trying to keep you guys happy, too. But the staff was looking
for something on the order of sometimes thousands of pages. The
Commission -- the Committee here was looking for something on the order
of three-quarters of an inch that could be read on an airplane between
the West Coast and here.
DR. KRESS: Brian, I am very glad to know these causative
factors and things, but what we would really like to hear from you,
after you do that, and maybe you are going to do it, is do you have any
advice --
MR. McINTYRE: Yes.
DR. KRESS: -- for both us --
MR. McINTYRE: Yes.
DR. KRESS: Okay.
MR. McINTYRE: Yes. And a problem we run into, and this is
an on the record comment, is that we are not full-time WE, you guys are
not full-time employees, and you can't devote 80, 100, 200 hours to
reading these documents, and so we were developing the road maps. And I
think that that was something that we learned out of this, is if we can
do these large documents, make very clear where things are, and I think
that the other Westinghouse people right now who are going through the
Thermal-Hydraulic Subcommittee are finding the same thing.
So, somehow, we need to find a way to bring all of these
things together. From a code V and V standpoint, I think we had a
unique problem because the AP600, we were not only doing the V and V on
the codes, but we were trying to make sure and show that we had the data
to support it. And we weren't just looking at one specific transient,
we were looking at large break, small break LOCAs, the non-LOCA stuff,
the containment, and we were doing everything at once for everything.
And so there were a lot of balls in the air.
There was a determination or question of, you know, what is
adequate? And that was something that we really -- it is hard because
that is -- again, that is something that is extremely subjective.
When it gets to the things that I think we need to do
differently in the process, improvement areas, we got caught in what I
look at as two do loops. We run around in a circle trying to keep the
staff happy and then we went from there to the ACRS in a second do loop.
And that may be a little bit of a harsh judgment, but it did seem like
that to us, and I think it was probably about that time that I uttered
the infamous raise the bar statement that Dr. Seale took --
DR. WALLIS: Do you think there is a difference between the
standards requested by the staff and by the ACRS? I mean, in theory, we
should be looking for much the same thing.
MR. McINTYRE: From a standards standpoint?
DR. WALLIS: You said there were two do loops. Really, it
would seem to me that we both have about the same idea of --
MR. McINTYRE: I would say that a different level of
questions came out of the Committee than came out of the staff, but I
don't think that that would happen were we to do it again.
DR. WALLIS: By level, how would you characterize those two
levels?
MR. McINTYRE: When we started in this exercise, that it was
during the code V and V. I don't believe, in the 1991, 1992 days, when
we first got started in this, that the things like the PIRTs and the
scaling were expected, at least out of us, to the level that they were
at the end. As a matter of fact, I am reasonably sure that if you go
back and look at when Westinghouse was being told that we had really
better come up with a full height, full pressure facility somewhere
back in 1991, that that wasn't because of we had done a PIRT and showed
that these things were important, it was because that the staff was
concerned that there might be interactions between the systems at high
pressure, and high pressure was important.
And that next level, which I think that the staff is now at
came out, you know, primarily from going through the D&H Committee.
DR. POWERS: Brian, when you get into the two do loops, some
of that came about because we were trying to run ACRS reviews
coincidentally or at least in some parallel with what the staff was
doing. That was a conscious decision to try to move this thing along
and to stay within schedule. Are you suggesting that we need to think
that more carefully so that we are not having either conflicting advice
or divergent or multiple --
MR. McINTYRE: Yeah, and I think you are doing that. If I
read what was done in the 17th, the presentation that Ralph Caruso made.
They are getting more into a process of the subcommittees are going to
be more integrated into what is happening. I think that will be a great
help.
DR. POWERS: Well, it is important for us to know of this
need so that we keep track of it and don't depend on it happening. It
may be happening, but it may be happening by accident.
DR. SEALE: Could I ask, Brian, you made a comment about the
'60 -- or the '91, '92 timeframe and what happened later and all. I
think, you know, -- Tom, were you here then?
DR. KRESS: Yes.
DR. SEALE: I wasn't, that was before my time.
DR. KRESS: And I think he is basically right on it.
DR. SEALE: I don't doubt it, and I was going to ask him
another question in that regard. Do you believe that the -- you know,
the basic problem with the codes is that they were put together to solve
one set of problems, and we were trying to make them solve a different
set of problems. Do you believe that the difference in the physics of
the classical PWR, the way they have been built, some 50 or so of them,
versus the AP600 with the natural circulation and so forth, and the
effect that that would have on the analysis was fully appreciated in
'91?
MR. McINTYRE: Yes. We were going to -- or attempt -- if
you look at the way -- I will go back and talk about what I know most
about, which is what I did when we were licensing the upper plenum,
upper head injection plants, that, you know, there were some tests that
were done. You would run the code.
DR. SEALE: Yes.
MR. McINTYRE: And you would show, yes, yea, verily, we
matched the code, or matched the test. And now it is -- there is -- and
I think, I am not going to say this is wrong, but you want to make sure
that you are getting the right answer for the right reason, that you
don't have compensating errors, because the physics is going to, what I
am going to call, a next level. And I think that we understood that
because our push in the 1991, 1992 timeframe is that we don't think high
pressure is going to be the issue, because the phenomena are really, you
know, fairly similar there, but the issue is going to be at low
pressure, which is why we went to the extent of building Oregon State
University that we did.
Now, if we were going to -- I think this would be fair to
say, that when we were planning that, remember that Oregon State
University started out as a glass model that would have fit on this
table quite nicely. It ended up being a quarter scale, 400 PSI, $13
million facility which really is pretty neat, so I think we understood
that, except what we would have -- the direction we were going was to
show that it was reasonably scaled, probably -- definitely not in the
rigor that we ended up going to, and show that we would match the tests
in some more mobile scale than we did.
I think we had an understanding. We didn't do a -- if you
go back and look at the original Larry Hockreiter stuff it wasn't
looking at it per se as it was done but he went through phenomenon by
phenomenon and showed how we had selected the tests that we were going
to run, so I think we knew where the issues were.
Now the rigor with which you solve those issues is another
question.
DR. WALLIS: I think there is another side to it too, not
just the Staff and the ACRS levels. It's Westinghouse's internal
levels. In the best world the standards that, expectations that your
management has for I suppose the documentation, whatever it is, the
qualitative argument, the reasons given for accepting a design and so on
should be not very different from what other professionals such as Staff
and ACRS would expect.
MR. McINTYRE: It's hard for -- I don't think you would find
too many of the Westinghouse managers who could have sifted through the
NOTRUMP report or the GOTHIC report and really had a lot to offer.
DR. WALLIS: But they are responsible for the quality. They
presumably sign off on it and say this is good enough to go to the NRC.
MR. McINTYRE: Yes.
DR. WALLIS: And so on -- so they are responsible.
MR. McINTYRE: They are responsible. I was responsible,
which we tried to --
DR. WALLIS: You had the same difficulties we had perhaps in
figuring out which bit to read and which bit to critique.
MR. McINTYRE: Well, yes. Like I said, I couldn't look at
the equations and tell you if they were right or wrong but we did put
the things -- you know, sitting over at that table there and hearing
what -- let's find a good word here -- how your reports could be better,
as the first thing out of the mouth of the people who had read them,
wasn't really one of the high points of my career. That's being kind.
[Laughter.]
MR. McINTYRE: I think there needs to be some sort of a
standard and I think that what Ralph presented on the 17th is really a
good first step. It wasn't clear to me how exactly it worked but it is
clear there is going to be more involvement.
I am not sure how we get you guys involved and you still
maintain your independence because at some point you can get so close
that you are one body and your job --
DR. WALLIS: I thought about that, yes.
MR. McINTYRE: -- really is to be I think an independent
reviewer of both what we have done and what the Staff has done.
DR. WALLIS: One way to do it is to keep on bringing in new
members who don't know what happened before, so they must be
independent.
[Laughter.]
MR. McINTYRE: Yes. On the thermal hydraulic code
development, really I think the issues are pretty much the same as the
code V&V. I think really the PIRT does help because it does focus and
help focus the efforts and it is more of a -- goodness knows -- like we
like our quantitative processes and it appears to make it look like it's
a quantitative process as opposed to the Larry Hockreiter first search
through, which was pretty much a qualitative, we don't have data in
blowdown at low pressure and therefore we need to run a test, which is
how Larry got where he was going.
So I think that there is a need for a process improvement.
I think really that Dr. Wallis when you came on the Committee it was
sort of a breath of fresh air, if you will. Your question was why can't
we just talk to you? -- said oh, we can't do that -- I mean you have to
talk to the Staff and they talk to us and then we talk to them and then
they talk to you, and you really did question how we worked together,
and that was kind of good because I have been doing this for probably 23
years now and you sort of get ingrained in doing things the same way,
and stuff like this, this change in the process of having you guys
involved and the way it appears is that you are going to be either
asking or involved in the determination of what the RAIs are going to
be.
DR. WALLIS: We got to cross examine you or whatever the
term should be, to investigate the quality of your work or whatever by
asking questions far more than we got to ask the Staff why they did what
they did. You were the people who were really in the witness box.
MR. McINTYRE: Yes, we were, and that's our job. We need to
show that it's okay.
So I think a good first step, there needs to be some, when
you start talking about quality standards, it's got to be something that
can be measured. All I can do as a manager is put the process and have
another reviewer, hire another technical editor. If I have a document
that big I will open it to 25 different pages and read those pages in
detail and see what I see. Does it look right? Does it look not right?
I'll go through that because reading it for, like I said, for the
technical content, as I am out of that area --
DR. WALLIS: You could subject it to review by people who
are something like the people on the ACRS but are paid by Westinghouse
to go over it so that it is so good in their eyes that no one else is
going to criticize it.
MR. McINTYRE: Well, at Westinghouse every human being who
could work on this problem was working on it, and I don't think -- it
was hard to get --
DR. WALLIS: They are employees. I am just saying you could
bring in consultants who might be paid to be harsh or whatever is needed
to make sure that someone else won't give you a harder time.
MR. McINTYRE: You guys have got all the good ones.
[Laughter.]
MR. McINTYRE: We did look for consultants. I mean
seriously we have tried to get people to participate in committees and
the conflicts of interests popped up so quickly. We did -- we had the
EPRI, A&TRT analysis and test review group who came in and they were
just as harsh, and we didn't have to pay them. It was -- but they did
go through the review of the program.
The Department of Energy found us helpers to come in and
look at it, but they did not sit through and review each and every
report as we sent it in.
I think the comment on best estimate determination of
conservative margins is interesting. I think that is useful and I think
an example is what we have in Chapter 10 of the GOTHIC report, which
went through and it looked like the normal oven calculations except when
I asked the committee about it later on they said, gee, we never got
that far because it was such a big report, and that might have been a
place where us pointing things out would have been helpful.
We tend to shy away from the best estimate label. Those are
to some extent fighting words of about what best estimate means -- it
has to be perfect. They are not going to be clearly perfect.
We also have a perception -- this is our perception of you
guys is that calculations like that really wouldn't, you wouldn't be
that interested in them, trying to show how much margin there is in
something because I am not sure what you do with how much margin there
is.
DR. KRESS: It's not clear how much margin is needed.
MR. McINTYRE: Right. I mean it's what would you do with it
and I think it did help in the containment area because it eventually
convinced people that that second hump wasn't real.
DR. WALLIS: I think there is a concern we have which we may
be able to do something about is that margin should not be there to
reflect a huge amount of uncertainty and ignorance. If we could do a
much better job of knowing what we are predicting, how good it is, how
uncertain it is, then we would be in a much better position to say yes
or no. We are within some safety limits where there wouldn't have to be
someone's judgment of what is an acceptable margin for one curve to lie
on beneath something else. It is a very subjective thing.
I would like to get us much more objective if we can.
MR. McINTYRE: I think we are definitely moving -- if you
look at -- I'll pick on the upper head injection since there is no
license plants. There's a place where we didn't have data and we just
assumed to use an H of one, so you'd see the heat transfer curve go
along --
DR. WALLIS: One what?
MR. McINTYRE: Well, that's good -- and we would be going at
two or three thousand and you've moved slightly out of the range of the
data and it dropped down. We knew that was conservative and it was
clearly covering, as you said, the gross lack of knowledge in the area.
But we are not sure where the best estimate that we could
prove that we were getting the right answers for the right reasons and
so that is not something that we would, at least for the AP 600, would
come in, because we were having the darndest time being able just to
show whatever it is that we could show.
DR. WALLIS: Of course when you are comparing with data it's
only really the best estimate which is a fair comparison with real data.
Data is not conservative. It doesn't know how to be conservative.
MR. McINTYRE: Right, but then you can get the compensating
errors and that's always a tough thing to explain, like we were never
very successful and then you have to cut it down to the smaller pieces.
I think in summary that the big thing that is needed is some
sort of a process improvement and this may be, the thing you are going
to be going through may be the thing that gets it there.
This having the Committee involved at the last second isn't
productive at all, and I think you need to be more involved as it goes
along while still maintaining the independence. That's probably the --
I think the comments that we have on this.
The risk-informed regulation, I see Dr. Powers' comment on
risk-informed regulation. I can't remember exactly what it was. If
it's going to be difficult, I think I can paraphrase, but I saw the
trade press say your comment was -- we took two cracks at that, the
RTNSS process, what was really I think the first, you know, step into
that brave new world, and it was what I would call a moderately
successful -- we showed at least that we didn't need to add these
systems and we ended up adding them at the end.
Our second foray into that was the containment spray system.
You knew it wouldn't be me being here without bringing up the
containment spray, and that we were not as successful.
MR. BARTON: We would have been surprised if you didn't
bring it up.
MR. McINTYRE: It's one of those things I'm obligated. And
then I see here's a report by the NRC saying that gee, containment
sprays aren't very effective for containment bypass sequences, which is
basically all the AP 600 has, or at least the significant fraction of
the risk is from bypass. But we've got the spray, we're big boys, we're
putting it in. It's going to be more than $237,000, but we've pretty
much moved off that.
I notice that one thing, something that was in your
intermediate letters, was leak before break, and that's not on the list
of things that was indicated in the letter. Is the staff still --
DR. SHACK: You gave up.
MR. BARTON: Yes. We were trying to fight for you, but we
figured since you withered on the vine, we might as well wither with
you, I guess.
MR. McINTYRE: Having not seen the letter, I'll reserve
judgment on that.
DR. KRESS: I think we took that out of the letter.
MR. BARTON: Yes, I think we did too.
DR. WALLIS: We could always put it back in.
MR. McINTYRE: I think there are some things that could be
done on the leak-before-break area that we obviously couldn't pursue,
but there might be something there that would help the operating plants.
It's more of a plea for operating plants than it is for what we're going
to do on the AP 600.
DR. KRESS: Well, most of this letter we're writing is
either try to move the process in the future, application from somebody
else, or may have application to operate. That's the purpose of this.
MR. McINTYRE: Leak before break might be. I don't --
because I know we've pursued that before for the operating plants, and,
you know, only if they could do some significant snubber reductions and
support changes would they be interested in it, and nobody's ever really
studied it for the operating plants.
I think going back to the process improvement is just
someone having the various subcommittees involved more in the up-front
rather than as a second do loop, which may not be totally fair, but --
DR. KRESS: In our subcommittee we made a habit of before we
let you get started with your presentation asking consultants if they
had anything they wanted to bring out to set the tone of the meeting or
to be sure it gets addressed.
I after the fact thought this might be a mistake later on in
the meeting because it always started us off on a bad foot, bad tone,
because invariably these things become things like my sophomore students
could see that that equation was wrong on page 3 or something.
What do you -- have you got any words about that process?
MR. McINTYRE: Yes, it was pretty awful.
[Laughter.]
DR. SEALE: But it did get the blood circulating.
MR. McINTYRE: Yes, it did, and not in a positive way. The
problem with that is that we've prepared a presentation, we've worked
with the subcommittee chairman, prepared a presentation, and then the
first thing you hear from the consultants is I read your report, I've
got the following 62 questions, live questions, three questions, usually
which started with, "Your report is of a poor quality."
And those may or may not have been, depending on the
adroitness of the speaker, something that he could address just off the
top of his head. Mike Young, very, very good at that; some of the other
people, maybe not quite as good at it.
And so then you've got all these other things you're trying
to figure out how to address, and it sort of, I think, made doing the
presentations very difficult. And you're right --
DR. KRESS: It sort of threw a wedge in right at the start.
MR. McINTYRE: Right. The people at that table over there
on that side of the room got very defensive. I mean, right then. And I
don't think that was as productive. On the other hand, in a lot of
cases the guys had only had stuff for four days, going back to the time
when this was submittals, so -- which they'd read on the plane, on the
flight here, and that was their initial impression. And so we were
trying to deal with initial impressions.
DR. KRESS: Um-hum.
DR. WALLIS: Well, I was a bit surprised when I was a new
Member to hear this speech by a consultant before Westinghouse got to
say anything. Sort of like going to a play and the New York Times
critic gives you half an hour of why this is a lousy play before you've
even had the chance to see it. So that's not really the best way to set
the stage.
MR. McINTYRE: We don't think so. Just from a process
standpoint.
DR. POWERS: On the other hand, in the -- especially in more
full committee discussions, an introduction by the cognizant Member,
definitely not by a consultant, but by a cognizant Member, it calls to
attention fundamental issues in the areas of dispute and uncertainty,
gets those that have not been participants in the subcommittees --
DR. SEALE: Into the loop.
DR. POWERS: Into the loop pretty quickly. And there's just
no question about that. If there is an area of dispute that's going to
put the speaker on a defensive pathway -- because he is getting the
introduction by the critic first -- but I don't know how to get the
entire membership up to speed when there have been extensive
subcommittee meetings, a lot of subcommittee water has flowed over the
dam, typically two-thirds of the Committee has not been party to.
MR. BARTON: I think that was more of a problem with thermal
hydraulics than it was with the plant operations part of the review.
DR. POWERS: Yes. Plant operations went so smoothly that --
MR. McINTYRE: And that part of the plant wasn't new.
MR. BARTON: Yes. Except the security stuff.
DR. POWERS: Let me ask you a technical question, Brian. A
couple of things, particularly in the source term area, occurred where I
think the staff as part of their review was using what I would call
geriatric information that they had obtained through research contracts
long in the past, and since that time additional research had been done
not by the NRC but by other people in the world.
You and your fellows were aware of that additional research
and could employ it in your analysis, but you knew the staff was going
to read it in light of the older work that they had done, and it seems
to me you were caught in a dilemma.
Do you have any views on that?
MR. McINTYRE: We will -- we don't, you know, there's no
question of what we are. It's to keep, you know, to keep the staff
happy. If it's something that's not going to be well received, we won't
do it even if we think there might be some better way to provide an
answer, some new information. We would do anything, particularly later
in the program, we would do anything to not upset the schedule.
DR. POWERS: Um-hum.
MR. McINTYRE: For goodness' sakes, don't give anybody
anything else to review that they didn't specifically ask for.
DR. POWERS: Okay. I think it speaks to the issue of
keeping the NRC current on these issues. You know, as we go into
declining research budgets, there are areas, the classic example of that
is the high burnup fuel area where the research program had been down to
zero for years and years and suddenly something emerged, and NRC was
very lucky that they had knowledgeable staff that could spin up very
quickly to start to address that.
They won't be in that position every time as we dial
research programs down to zero. If there are areas where we know for
sure that that is just part of the business, we have got to remain
current. Somehow I think that general thought has to appear in the
lessons learned. I mean here it was a specific issue, but I think it is
a general problem when you don't have the financial capability to have
resource personnel in the broad range of issues.
Certification of a reactor, there is no issue that doesn't
get touched in the certification of a reactor.
MR. McINTYRE: That's right.
DR. POWERS: Maybe we are not doing a whole lot of
certifications, but we are still touching lots of issues.
DR. WALLIS: I am wondering, as I sit here, are you saying
keeping the staff happy? I would think that in some cases the industry
should be ahead of the staff and should actually educate them, bring
them up to speed and the staff would say, gee whiz, these guys really
know what they are doing, more than we do, and we ought to catch up,
rather than it always being the staff has to be kept happy.
DR. POWERS: Yes, but that's -- I think that is the problem
he is speaking to here, is that if he comes in and educates them, the
first response is I have got to make sure that my teacher is right. And
they are going to go back to the teacher's credentials and textbooks and
additional -- requests for additional information and that slows his
schedule.
DR. WALLIS: I am biased by being a professor, but the most
wonderful thing in the world is when the student teaches me something
and doesn't just look at me and try to make me happy.
MR. McINTYRE: We get caught up in this crass commercial
time and money, and we did spend a lot of -- you know, several hundred
million dollars on this program, and the money was gone at the end. We
spend something on the order of $40 million on the testing program.
DR. WALLIS: I have got a question about that. Was there a
problem that the NRC cut off the research funding too early?
MR. McINTYRE: The NRC?
DR. WALLIS: Whoever was funding the research necessary to
understand the phenomena, enough to make --
MR. BARTON: DOE.
DR. WALLIS: DOE. Whoever was sponsoring.
MR. McINTYRE: Actually, the biggest contributor was
Westinghouse Electric Corporation/Company at the point -- and we thought
we had done what was necessary. And these are things that you can chase
sort of forever. And it gets back to -- what is adequate? I know as a
professor, this may be hard, but we are looking for a C grade.
DR. WALLIS: A gentleman's C. Are you a football player?
MR. McINTYRE: Yeah, we -- no. There is -- we don't get any
extra credit in a design certification if we are getting an A. But we
think, as a result of this, if we look back, and we can almost do it
rationally now, that we really did, you know, make a lot of changes in
how the thermal-hydraulics and things are looked at. Certainly, in
containment analysis. I think one of the reasons that containment
analysis was so difficult, if you look at the way containment analyses
are done for all these operating plants, it is P equals NRT in a two-
and-a-half million cubic foot volume with a source in here and some heat
sinks there, and it is something that, truly, a freshman or sophomore
could knock out.
DR. WALLIS: Like the lobby of the Hyatt.
MR. McINTYRE: It is a lot like the lobby of the Hyatt, yes.
A little larger. But it is a -- and we came in really trying to make
some -- because we had to, and that is what -- you know, did we
understand what was going to be important? That's why we ran the tests
that we ran the way that we ran them.
Unfortunately, when you have scaled the facility as the
largest vessel that you can get to Pittsburgh and get it under a
railroad bridge, you know, that is kind of hard to explain, Dr. Wallis,
based on --
DR. WALLIS: Bring it up the river.
MR. McINTYRE: -- PIRT and scale. Well, you would still --
there are still bridges between. And so one-eighth scale was it.
DR. SEALE: By the way, I should point out, also, the staff
is not brought up in the culture where they should feel that the
applicant is their professor.
DR. WALLIS: But they could still be impressed.
DR. SEALE: Right.
DR. WALLIS: Well, maybe that is too broad a subject to get
into.
DR. SEALE: I agree.
DR. WALLIS: The culture the staff might be brought up in.
DR. KRESS: Other questions the members want to ask while we
got him here?
MR. BARTON: I think we have beat up on him pretty good, and
considering he is not going to present us another design in his
lifetime.
DR. KRESS: Oh, I am disappointed.
MR. McINTYRE: Well, it would be nice to come back with an
application for a COL.
DR. KRESS: Yes. When are you going to get one of those, do
you think?
MR. McINTYRE: That depends on who wants to build one in
this country, or who is going to be a generator. Some of those other --
and when you buy an entire nuclear plant for $100 million including
three reloads of fuel, that is pretty darn cheap, except that there is
no new generation involved.
DR. WALLIS: You can't compete with that.
MR. McINTYRE: It's hard.
DR. SEALE: Mr. Chairman.
DR. KRESS: Yes.
DR. SEALE: I sat over there in that seat for two years
while the latter part of this was going on, and I would like to make a
personal remark that I have to say that I admired the gentlemanly and
professional way in which Brian and his colleagues accepted, not always
with a smile, --
DR. KRESS: There was occasionally steam coming out.
DR. SEALE: That's right. But that made it even more
impressive. Accepted the criticism and reacted in a measured and
unemotional way. And I would just like to say truly gentleman.
DR. FONTANA: I agree, but you didn't see them after they
left.
MR. McINTYRE: You didn't have to ride with me in the car
back to Pittsburgh.
DR. SEALE: Probably true.
MR. McINTYRE: Well, thank you very much. And I think in
the words of the Chairman, I can quote her on this, "That which doesn't
kill you, makes you stronger."
[Laughter.]
MR. McINTYRE: She said that on the 13th, I mean that was a
quote. I was surprised, but that's on the record.
DR. KRESS: I, too, would like to second that comment and
also make the point that the decisions that were made with respect to
our interim letters and questions were truly Committee decisions. They
were not decisions by our consultants. Consultants were just an input
and we discussed them at length and arrived at our own conclusion. But
I did want to be sure that --
MR. McINTYRE: Oh, no, that was always clear. It was the
path to those conclusions that was something very painful. I think that
the interim letter, since you brought that up, was very helpful, because
that let us break up that, which would have been a horrendous effort,
and let us get those -- and if you had questions, then we could bring
them back the next time or even bring them back the last time.
DR. KRESS: Yes, I thought that was a good fix to part of
the process.
MR. McINTYRE: So Noel should get a gold star for helping
developing that to move it along. And, also, it meant that we got the
FDA in September rather than November, in this government fiscal year,
which was important to us because of our sponsors.
DR. KRESS: Well, I would like to thank Brian and express
our appreciation for his willingness to come and help us out with this
and expressing his viewpoints. Thank you once again.
MR. McINTYRE: Thank you.
DR. KRESS: With that, I will turn it back to you, Mr.
Chairman.
DR. POWERS: I think at this point we can go off the
recorded record.
[Whereupon, at 5:23 p.m., the meeting was concluded.]
Page Last Reviewed/Updated Tuesday, July 12, 2016