472nd Advisory Committee on Reactor Safeguards - May 12, 2000
UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
***
MEETING: 472ND ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
U.S. NRC
Two White Flint North, Room T2-B3
11545 Rockville Pike
Rockville, MD
Friday, May 12, 2000
The committee met, pursuant to notice, at 8:30
a.m.
MEMBERS PRESENT:
DANA A. POWERS, Chairman
GEORGE APOSTOLAKIS, Vice-Chairman
JOHN J. BARTON, Member
MARIO V. BONACA, Member
THOMAS S. KRESS, Member
ROBERT L. SEALE, Member
WILLIAM J. SHACK, Member
JOHN D. SIEBER, Member
ROBERT E. UHRIG, Member
GRAHAM B. WALLIS, Member. C O N T E N T S
ATTACHMENT PAGE
INTRODUCTORY STATEMENT 269
HATCH UNIT 1 SCRAM WITH COMPLICATIONS (AIT) 326
RISK-INFORMED REGULATION - IMPLEMENTATION PLAN 270
OVERVIEW 414
SELF-ASSESSMENT PROGRAM 442
. P R O C E E D I N G S
[8:30 a.m.]
CHAIRMAN POWERS: The meeting will now come to
order. This is the second day of the 472nd meeting of the
Advisory Committee on Reactor Safeguards.
During today's meeting, the committee will
consider SECY 0000-62, risk-informed regulation
implementation plan.
An operating event at E.I. Hatch Nuclear Power
Plant Unit 1 is particularly interesting to us because I
believe Hatch will be the next plant coming in for license
renewal. Reconciliation of ACRS comments and
recommendations, physical security requirements for power
reactors, future ACRS activities, report of the Planning and
Procedures Subcommittee, and we will examine some proposed
ACRS reports.
A portion of the session associated with physical
security requirements for power reactors will be closed
today to discuss safeguards information. There will be some
special procedures we will have to follow for that process.
The meeting is being conducted in accordance with
the provisions of the Federal Advisory Committee Act. Mr.
Sam Duraiswamy is the Designated Federal Official for the
initial portion of the meeting. We have received written
comments and requests for time to make oral statements from
Mr. Edwin Lyman, of the Nuclear Control Institute, regarding
physical security requirements for power reactors.
A transcript of portions of the meeting is being
kept and it is requested that speakers use one of the
microphones, identify themselves, and speak with sufficient
clarity and volume so they can be readily heard.
As an item of interest, it is my understanding
that Mr. Bohnert is now doing fine, for the members that
might be interested.
With that, I will ask if any of the members have
comments that they would like to make as an opening
statement. Seeing no pressure to do so, I will turn to the
first item of our business, which is the risk-informed
regulation implementation plan. I believe this is a name
change for something we used to call the PRA implementation
plan.
Professor Apostolakis, I believe you are going to
lead us through this.
DR. APOSTOLAKIS: Thank you, Mr. Chairman. The
staff is here, Mr. King and Mr. Cunningham, to talk about
the comprehensive strategy, that includes the objectives,
goals and timeframe for the transition to risk-informed
regulation.
With that, we are very anxious to hear your story.
Mr. King?
MR. KING: Though his name is not on the
viewgraphs, we invited Mr. Holahan to join us, as well.
DR. APOSTOLAKIS: As long as he identifies
himself.
MR. KING: For the record, my name is Tom King,
from the Office of Research. This is Mark Cunningham, the
PRA Branch Chief from Research, and Gary Holahan, Division
Director from NRR.
What we want to talk about today is sort of an
information briefing. We're not asking for a letter from
the committee on this. What we're talking about is a
program that's work in progress right now.
As you mentioned, this used to be called the PRA
implementation plan, and I'll get into that a little further
as to why we've changed the name and what the objectives and
so forth of this document are.
Even though there's only three of us at the table,
this does involve all the major offices, Research, NMSS,
NRR, and will also involve the folks in Admin, the training
people. We will involve their help in putting together a
communications plan and I think certainly the international
activities of the agency, there's a lot of international
interest in risk-informed regulation, so this plan will also
be of interest to them.
So there's more than just the three of us sitting
up here.
CHAIRMAN POWERS: Let me ask you, do the senior
reactor analysts in the regions get involved in this
planning activity?
MR. KING: Say that again.
CHAIRMAN POWERS: Do the senior reactor analysts
in the regions get involved in this planning activity?
MR. KING: So far, they have not gotten involved
in this planning activity. I think somehow we're going to
have to get them involved.
CHAIRMAN POWERS: They seem like a very central
component in all of this, especially with the new oversight
process.
MR. KING: They've certainly been involved in the
new oversight process and the training and communications
that go along with that. In terms of the option two and
option three work, they have not been involved in the option
three work. I'll let Ed talk about the option two work.
MR. BARRETT: I don't know that we've had them
involved at this level of planning, but we do have regular
counterpart meetings with the SRAs to discuss issues related
to the -- mostly to the oversight process and to the process
for risk evaluation of events.
We have twice-yearly counterpart meetings with
them and, of course, we have regular communications on a
day-to-day basis on specifics.
MR. KING: I think that's a good point. It
probably would be worthwhile specifically getting their
feedback and input on this.
DR. APOSTOLAKIS: Why don't you call these
risk-informed, performance-based regulation implementation
plans? Why do you leave out performance-based? I mean, the
oversight process does utilize performance-based metrics.
MR. KING: And there is a performance component.
One of our five principals is performance monitoring.
Basically, we left it out because even though, in
risk-informed regulation, we're going to look, if we make a
change to a regulation or requirement, we're going to look
and see if we can do that in a performance-based fashion.
There is another activity taking a look at other
things that are not risk-informed to see if they can be made
performance-based. So we didn't want to imply that this
plan included the other plan that's underway, as well.
DR. APOSTOLAKIS: So it's a bigger issue then.
MR. KING: It's a bigger issue than just
risk-informed activities. What we've worked out with the
folks leading the other plan, the performance plan, is that
if we're going in and looking at a regulation to be
risk-informed, we will also look at the performance-based
aspects of that, so they don't have to do that. They're
really going to focus on the things that aren't being
touched as part of the risk-informed activities.
DR. SEALE: Is there the reciprocal of that
agreement, that if the performance-based people find a
potential indicator that might have risk implications, that
you will somehow coordinate with them?
MR. KING: I think if they find something that
they feel we should look at in a risk-informed fashion, yes,
they will bring that to our attention.
Just as far as the organizational aspects of this
plan, Research is the keeper of the plan, but we're
certainly not the full author of the plan. As I said, it's
going to involve a number of offices.
Just by way of a little background, as you
mentioned, the PRA implementation plan has been around since
1995. It basically was organized by office and it listed
the things the office, the various offices were doing in the
risk-informed world. It had been updated --
CHAIRMAN POWERS: Would you call that a plan or
would you call that a listing of activities?
MR. KING: I call it a catalog.
CHAIRMAN POWERS: That's what I would call it.
MR. KING: Part of the problem was that you could
look it and see what was being worked on today, but you
couldn't tell where did you want to go in the future and how
did these things cut across the offices and how are they
being coordinated and integrated.
We had an audit from GAO on the risk-informed
regulation last year. They issued a report that basically
said the agency doesn't have a strategy for where it wants
to go on risk-informed regulation. It has a lot of
discussion, but where do they want to go. So they suggested
we develop what they called a strategy.
The Chairman, Chairman Jackson, at the time,
agreed to do that. We provided the Commission an outline in
January of this year.
Then in SECY 0062, we provided to the Commission
some example sections of what that document might look like
in terms of its scope and depth, and we'll talk a little bit
more about the scope and depth and content of this thing.
We had a Commission briefing in March. We got an
SRM from the Commission in April that basically said give us
a complete draft in October of this year. That should
include a communications plan, it should include
identification of those important factors that affect
planning. We'll talk a little bit about that, also. And it
also asked a question on PRA quality, which we're going to
have to respond to in June, sort of separate from the
implementation plan.
What are the objectives of this document? We
changed the name, for one thing, to get away from -- to
really use the terms the agency is using, risk-informed
regulation and call it what we intend it to be, an
implementation plan.
The idea is that it is going to provide an
integrated plan for the agency's risk-informed activities
and really if you start at the top -- actually, I think what
I will do is put on slide four and talk about how this fits
in the overall structure of what the agency has in terms of
documents.
They've got the strategic plan, which is sort of
the top level document, and if you look, it has basically
four performance goals for each of the arenas; maintain
safety, improve public confidence, reduce unnecessary
burden, improve effectiveness and efficiency.
If you look at those performance goals, they use
the word risk or risk-informed in there, that you'll do
things in a risk-informed fashion. But beyond that, it
doesn't get into any details as to what does that mean.
At a high level, the intent of this risk-informed
regulation implementation plan is to lay out what is the
agency going to do to implement those high level goals and
those high level statements in the agency's strategic plan.
It sort of is a link between the strategic plan and the
detailed operating plans that each of the offices has that
covers the major arenas that the agency works in.
It feeds into putting together the operating plans
for each of the arenas, just like other things feed into it.
The risk-informed regulation implementation plan isn't the
only thing that drives the work of this agency. There are
things called program assumptions, that includes things like
how many plants do we expect to come in for license renewal
and so forth.
So when we're planning and budgeting, there's a
number of things that are considered, and the risk-informed
regulation implementation plan will be one of those things
that will provide information that's considered when the
budgets and the detailed operating plans for each office are
put together.
DR. KRESS: Tom, when this gets approved, say, by
the Commission, would it, in effect, serve the same purpose
as if you had a Commission policy statement on risk-informed
regulation?
MR. KING: I know you have a letter to the
Commission suggesting such a policy statement. I don't
know. But the response to that letter would be -- I can
give you my personal opinion. I think this document could
go a long way to doing what you recommended in your letter,
if not totally. That's my personal opinion.
Anyway, this is how we view this implementation
plan fitting into the larger scheme of how the agency
decides what it's going to do. Getting back to slide three,
really, at a high level, what this document will do is lay
out a process and some guidelines as to how we should take a
look at and decide what should be risk-informed, given that
you want to go risk-inform certain whether it's regulations
or activities that the agency does, what do you need to do
to accomplish that, and then that will lead to what should
be the priority in the schedule for accomplishing that.
DR. WALLIS: Tom, it seems there's something long
before this, that is, why would you want to risk-inform
anything and what criteria would you use in deciding.
MR. KING: Slide five, we're going to talk about
the guidelines or criteria.
DR. WALLIS: There must be some sort of motivation
that says risk-informing is being there in order to achieve
something.
MR. KING: You should risk-inform an activity,
basically, if it's going to help you accomplish your major
agency performance goals. It's going to lead to helping
maintain safety or improve effectiveness or efficiency or
reduce unnecessary burden, then it would be a candidate to
--
DR. APOSTOLAKIS: Actually, maintaining safety
will not be a goal. That's a boundary condition, really.
If you want to maintain the established goal, why move to
something else. It's just that the benefits are increasing
effectiveness and location of resources, under the condition
that safety will be maintained.
That's the way I would look at it. Not that it
really matters much.
MR. KING: I would disagree a little bit. I think
in the sense that risk-informed is going to make you focus
on the things that are important, and maybe today's
regulations don't really cover those things or some of those
things very well, I think it does help you maintain safety.
CHAIRMAN POWERS: When I speak to older hands in
the design of regulations, about risk-informed regulation,
they say we always did risk-informed regulation. We didn't
create regulations for things that we didn't think were
risky.
So I think there's a question here that comes up,
and maybe it's in your second question up there, is how
risk-informed is risk-informed. I mean, is it intuition
that this is a hazardous train or an important train to
prevent hazard or is it detailed quantitative analysis that
gives you a specific risk achievement worth or risk
reduction worth?
MR. KING: It can be both. It doesn't always to
have a --
CHAIRMAN POWERS: I guess what I'm asking is does
this plan line that out for these various activities, on how
risk-informed you want to be in each one of these
activities?
MR. KING: The intent of this plan is to lay out
what are the goals that you're trying to achieve in
risk-informing an activity, what are the tools, the data
that you need to do that, guideline documents.
DR. WALLIS: See, now you've changed the name.
When it was PRA implementation plan, the question was what
can PRA tell us about what the regulations are doing now and
how they might be improved. Now you've changed the name and
it's become more nebulous what you really mean by
risk-informed.
DR. APOSTOLAKIS: I think the understanding is
that when we say risk-informing something, we mean to use
quantitative risk information.
DR. WALLIS: That wasn't the implication of Dana's
question, though. It seemed to be that there is another
kind of risk-informed, which is sort of semi-intuitive.
DR. APOSTOLAKIS: That's not what this plan is all
about, in my view. I mean, yes, the regulations have always
been risk-informed, but that's not what most people
understand by risk-informed.
Risk means, in this context, quantitative
information coming out of performance assessments or
probabilistic risk assessments. Otherwise, I don't see how
this is any different from what the agency has been doing
before.
Do you agree with this?
MR. KING: I agree with that. I wouldn't exclude
use of qualitative information.
DR. APOSTOLAKIS: That's why it's informed.
MR. KING: But the heart of it is going to be
quantitative.
DR. APOSTOLAKIS: That's why it's informed.
MR. KING: Yes.
DR. APOSTOLAKIS: But the new thing now is this
quantitative information, and quantitative, let's not take
it too literally. I mean, having the dominant accident
sequences in itself might not be quantitative information,
but it comes from quantifying frequencies and ranking
things.
PRA and PA, that's what we mean.
CHAIRMAN POWERS: My concern is that's what we
think they mean, but do they really mean that.
DR. APOSTOLAKIS: He agreed, Tom agreed.
MR. KING: I agree. I agree.
DR. WALLIS: So without use of a PRA, it's not
risk-informed. It's a sine qua non.
DR. APOSTOLAKIS: Yes, I would say that.
DR. WALLIS: It is not.
DR. APOSTOLAKIS: Now, PRA, you include the
performance assessment, right? PRA is interpreted in the
broadest sense. I mean, if it includes statistical
calculations and so on, you don't necessarily have to see an
event tree, for example, to call it a PRA.
MR. KING: I think the main thing that such a plan
as this will do that the PRA implementation plan didn't do
is it's going to provide a systematic structured look at
where does the agency want to go in risk-informing its
activities and how does it plan to get there, what does it
need to get there, what are the priorities of getting there.
DR. APOSTOLAKIS: Tom, in my mind, the most useful
result of this activity will be this plan, will be to
prioritize which regulations to risk-inform first and to
identify needs for doing so, the most important needs first.
Is that the correct perception?
MR. KING: Yes, I think that's true.
DR. APOSTOLAKIS: I mean, goals and objectives, I
don't know, it creates a lot of paperwork.
MR. KING: I think it will also be a good
communications vehicle, too. We talk about risk-informed
regulation, but we don't have anything that can hold up to
external stakeholders or internal stakeholders that really
ties it all together and says this is what we mean by
risk-informed and this is what we're trying to do.
We give presentations, talk about some specifics
that are going on, but there's no document that ties it all
together.
DR. APOSTOLAKIS: So communicating the agency's
objectives and activities, you don't necessarily mean risk
communication.
MR. KING: No, no. I'm talking about the
programmatic type things.
DR. KRESS: Do you have anybody from NMSS working
with you on this?
MR. KING: Yes. NMSS is going to have the lead
for two of the major arena chapters on this. We'll talk a
little bit about them.
DR. APOSTOLAKIS: Are they here?
MR. KING: There's one NMSS person back there in
the back row who is involved.
MR. HOLAHAN: And Joe Murphy and I have been
invited to be on the steering committee for NMSS' actions to
risk-inform their various areas of responsibility.
DR. WALLIS: In this first question, what should
be risk-informed, it seems to me you're implying that
risk-informing means changing the regulations in some way,
and it seems to me that the first thing that's got to be
risk-informed is the agency and the public and look at what
the regulations are now, use the insights of risk to figure
out what kind of risk reduction they are achieving in terms
of the measures, PRA or whatever you're going to use.
That's risk-informing your knowledge about what
you're doing now, before you try to change anything.
MR. KING: I agree. You start with what you have
today.
DR. WALLIS: Right. And this would also let you
and the public know what's sort of the real value of what
you've been doing over all these years.
DR. KRESS: The risk achievement worth of a
regulation, that's going to be pretty tough.
DR. WALLIS: Do that first, before you try to
change anything, to know what you're doing now.
DR. KRESS: I'm not sure we know how to do that.
MR. KING: But in effect, for reactors, that's
what option three is doing. We're looking at 50.44, for
example, and saying do the things that it requires really
mean much in a risk assessment. Hydrogen recombiners were
coming out saying, yeah, they really don't mean much in the
risk world. Maybe we ought to think about changing the
requirements on those things.
MR. HOLAHAN: And to a certain extent, the IPE
program and IPEEE program did the same thing. They took the
reactors licensed with the existing rules and the existing
processes and tested what level of risk was a result of that
process.
DR. KRESS: You could get an overall integral, but
to take one regulation and say, now, what's the risk
achievement worth of this particular regulation is going to
be a little tougher, I think. You might be able to do it
for some of them.
DR. APOSTOLAKIS: Let's go back to slide four.
One issue that bothers me sometimes is that we are very
willing to use risk information in certain instances, but we
approach it in a very prescriptive way and we get lost in
the details. I would say that yesterday's discussion here
on MISSED surveillances is one example of that.
Where in this framework will you attempt to look
at the whole thing from a broader perspective and say, well,
gee, there are certain things that traditionally we have
been regulating to extreme detail, but now in the risk
context, maybe we should relax a little bit and not worry
about you missed one surveillance or about other things,
that don't come to my mind now.
But in other words, we are preserving, it seems to
me, the detailed, prescriptive regulatory approach from the
old days. We are simply changing the tools, but what is
applying to these is the same thing.
Now, I'm not saying that all missed surveillances
don't count or are risk insignificant, but some are there
and we have to change our views how we -- it's more than
just having a new mathematical tool or some analytical
methodology for doing something.
On the other hand, I can see the counter-argument
coming that what do you do, you just look at things that are
important to core damage frequency? Obviously not. Do you
look at things that are more important to the cornerstones?
Well, I don't know. Maybe we start talking now.
So is there an activity that would address this if
it is an issue? It's the cultural thing that we mention all
the time, in other words.
MR. KING: I'm not sure this plan would get -- my
intent is not to have it down to the detailed level that
we're going to be looking at surveillance requirements or
allowable outage time requirements.
I mean, I would view this at the level of we want
to risk-inform the technical specifications and we'll have
some key milestones and infrastructure needs to go do that.
Now, the actual work as to which technical
specifications, does it include surveillance requirements
and so forth would be a level of detail that would be too
much for this plan. That would be something that would show
up down in the detailed operating plans that each office has
for doing their day-to-day work. I'm not sure.
MR. HOLAHAN: I agree with Tom that when you pick
out individual issues at that level, you might not find
them, but those issues are related to programs and missed
surveillances are part of the oversight process, plays into
technical specifications, and we're working on those issues.
There's an activity to risk-inform the technical
specifications and there's a list of things that we are
doing in that area. I think this plan will put some of
those things into context.
They won't go out and deal with a thousand
individual issues, but where those issues are pieces of
other programs, this plan will touch those programs.
MR. BARRETT: There was an interesting discussion
yesterday. I'm Richard Barrett, with the NRR staff. An
interesting discussion from NEI about the evolution of
configuration control, starting back in the early days of
the industry with custom tech specs, and the basic point
that NEI was trying to make was that we're moving gradually
to a point where there is a risk-informed way of controlling
configuration, which will be some sort of combination of
50.36, the technical specifications, and the A-4.
I think that's the kind of thinking that you want
to have in this plan, where are you heading, but not just
jumping to where you're heading, what are the interim steps,
and one of the interim steps in getting to what NEI sees as
a risk-informed configuration control is these specific
risk-informed technical specification initiatives, including
the one regarding missed surveillances.
DR. APOSTOLAKIS: Jack?
MR. SIEBER: I was wondering if your plan
considers what I think is one of the fundamental things that
ought to happen first, which is there are a bunch of rules,
different rules that have a risk basis to them. For
example, the PTS rule has a risk basis to that. ATWS has
one. Station blackout has one, backfit rule, Reg Guide
1.174.
They're all different than the safety goal policy
statement and they're different from each other.
Is there going to be some attempt someplace along
the line to consolidate the opinion of what is risky and
what is not and modify those rules and set the basis for
everything else that we do or are we just going to do this
piecemeal, one at a time, pull out a criteria that seems
fitting at the time?
I'm not sure if I'm clear about my question.
MR. KING: I understand your question. Are we
providing some framework to provide some consistency as to
what risk level we're trying to achieve by the regulations
and what changes need to be made to do that?
MR. SIEBER: That states my question.
MR. KING: And I think my view, to answer that, is
yes. Certainly, in the option three work on the reactors,
we've laid out a framework that provides some risk
guidelines as to what we would like to see for mitigating
systems, for containment and so forth, that we would go
through and use when we look at the regulations to see are
they achieving that or not.
And maybe they're over-achieving it or maybe
they're under-achieving it, but the idea is to bring them to
some more uniform level than they are today. In the NMSS
side of the house, I don't think they're that far along yet,
but my own personal view is, yes, that's the kind of thing
that should be done, I think it is being done in the reactor
side, and I think this plan could certainly lay out, at a
high level, some guidelines as to that approach ought to be
taken across the board whenever we're risk-informing
something.
MR. SIEBER: It seems to me that in some cases,
the risk value of some rules is such that it creates a
penalty, a licensee, whereas some other ones may not be
tough enough.
I think that part of this process should be to
sort of make a level playing field.
MR. KING: I agree. I think this plan could
certainly, at some level, put forth guidelines to do that.
MR. HOLAHAN: But I'd have to say that I think
we're already doing some things to move in that direction.
When we look at recent initiatives, like the oversight
process and Reg Guide 1.174 and what Research has put
together, the framework for risk-informing the regulations,
there's a lot of consistency now, but the further back in
time that you go, the less consistency you see.
We had a meeting, for example, last week on the
PTS rule and there is an activity, in fact, to look at the
PTS rule and one of the issues is was the PTS rule picked to
achieve the right level of safety, is it too high or too
low.
I think what we're seeing is not a clean sweep and
starting over again. What we see is going to each rule and
sort of normalizing it back to -
MR. SIEBER: Try to converge it.
MR. HOLAHAN: Right, make them converge.
CHAIRMAN POWERS: I think that's one of the
questions. I'd maybe come back to Graham's question. It
suggested that you get an overall assessment of what you
achieve with the current rules by looking at the IPEs for
normal operating events and the IPEEEs for external events,
including fire. I think that's true.
Of course, I look at that panoply and I
immediately say, now, what's left out of that.
MR. KING: Like shutdown, you mean?
CHAIRMAN POWERS: Maybe, yes. And that raises a
question, in my mind, when I think back to option three, and
I'm operating a little bit from memory, and the framework
document, I say, gee, those things look like they're going
through and they're looking at the current rules and they're
looking at them kind of individually and saying what do I --
how do I change this current rule to make it a little more
risk-informed, things like that.
And I say, gee, those rules were written with a
presumption that a shut-down reactor is a safe reactor, and
indeed that was the staff's point when they put together a
draft of a shutdown regulation rule.
I'm wondering why is it that option three doesn't
go through and also look at those assumptions that are
behind the current regulations.
MR. KING: I think option three does look at the
assumptions behind the current regulations and you will find
some words on shutdown in our framework document. The piece
that's missing is the body of risk, quantitative risk
information to go along with the shutdown condition.
Now, there's some, but we're not ignoring the
shutdown condition.
DR. APOSTOLAKIS: This raises some interesting
questions.
MR. HOLAHAN: Can I go back to Dana's question?
Because I think the Commission spoke directly to this issue
when it voted not to support the staff's recommended
shutdown rule. Clearly, the Commission intended to maintain
safety during shutdown. I think it wanted it done through
the maintenance rule and other activities and it directed
the staff to inspect and to monitor those shutdown
activities to see whether the level of -- what level of
safety was being achieved.
So the new oversight process has pieces in it that
address shutdown and a lot of those are the same issues that
we talked about in the NEI guidance and in the proposed
rule. In fact, I think the Commission has left the staff
with the -- even before there was an option three, left the
staff with the role of, sort of on a continuous basis,
determining whether the existing regulatory structure is
maintaining safety during shutdown and I think that option
three is just another opportunity to test that.
DR. APOSTOLAKIS: My question is related to this,
because this raises a very interesting question. I believe
that one of the arguments or perhaps the main argument the
Commission made was that the risks from shutdown and low
power operations are managed adequately by the existing
tools.
At the same time, there is, I think, widespread
concern that these risks have not been quantified. Even if
we accept the premise that they are managed well, we still
don't know the level of risk.
Now, is that something that the risk-informed
regulatory system can live with? In other words, if you
convince yourself, not necessarily for low power operations,
that a particular activity is managed reasonably well, then
you will say then I really don't care about quantifying the
risk from that activity.
Is that something that this system will allow?
MR. HOLAHAN: I think that's not enough, because
if you go back to the strategic plan and its goals, the
agency's goals are more than just maintaining whatever
particular topic area it is, maintaining it to be safe.
I think there are other issues that the
risk-informed approach can address and there is a public
confidence issue, how do you know what level of safety; you
might be satisfied, but how do you know that other people
are satisfied? How do you know that you're not maintaining
that safety at an extraordinary cost that isn't worth it?
So there are other opportunities to test the other
objectives.
DR. APOSTOLAKIS: I find this situation very
interesting, because why do you do a PRA? Well, you do a
PRA because you want to make sure that the risk is managed.
And now you have someone who says, well, you know, the risk
is already managed. So he's short-circuiting the process
and says I don't need to do the PRA, because I know the risk
is already managed.
How do you know? Well, you know, I'm convinced.
I'm convinced they manage their configuration, they have
these software tools.
So I think now it's an interesting philosophical
question. Do you then abandon the quantification because
somehow you convince yourself that the risk is managed or
you still go through the process? I don't know myself, but
it's an interesting question and maybe by setting the goals
and all that stuff, you should address these questions, so
people will be sensitized to these things.
I don't know what the answer is myself, because --
DR. KRESS: Yes, you do.
MR. KING: Well, we don't need this plan to get
into that question. We've got plenty on our plates with
option three.
DR APOSTOLAKIS: But don't you think it's an
important question?
MR. KING: Of course it's an important question.
DR. APOSTOLAKIS: Let's assume that they are
right. I'm willing to grant that. Then we don't do the
PRA? You can have pros and cons. Some guy might say, well,
gee, yeah, but, look, if you look at the history of PRA, we
thought we managed certain things well and then PRA showed
there is an interface with system LOCA or this or that, so
there are always surprises that come out.
On the other hand, the other side might say, look,
it's a matter of prioritizing things. Right now, I'm fairly
confident I'm managing the risk reasonably well and I have
other areas where I really don't know. So I will use my
resources to attack those areas first.
I think both arguments have merit, but it seems to
me if we are to have a strategic plan, somehow we have to
get into this.
DR. WALLIS: I was going to suggest you use PRA,
where you can get the most leverage from it. You don't get
into the marginal areas where you're quibbling about whether
or not it's going to help. So you work on things where it's
really going to make a difference.
DR. APOSTOLAKIS: Yes, but you don't know that,
because the other side is telling you --
DR. WALLIS: You must have some idea.
DR. APOSTOLAKIS: Well, you have strong opinions
on both sides. One side says, no, I'm managing the risk and
the other side says, well, you know, you are doing something
very good, but I still don't know whether you're managing it
very well. I think both arguments have some validity.
Anyway, I just raise the issue, because I find it
really a very interesting question. PRA is the way of
managing the risk and then somebody says but I'm already
managing it, so I don't need to go that way. It seems to me
a strategic plan has to some -- wherever you plan to have
overall guidelines, objectives and so on, that question has
to come up.
Okay. Why don't you go ahead?
MR. KING: Moving on to slide five. Dr. Wallis
asked the question what are your criteria for deciding what
you want to risk-inform or what don't you want to
risk-inform. There are some example criteria in the draft
we sent, the partial draft we sent to the Commission in the
00-62 SECY. They basically say what we want to do is take a
systematic look across all three arenas at the regulations,
at the activities, like inspection program, enforcement
program, see would risk-informing them contribute to helping
the agency achieve any or all of its four performance goals.
But there's also some other factors that need to
be considered; do we have tools and data that provide
sufficient information, where you could go risk-inform the
activity; is there licensee interest or capability in doing
this; can it be done at a reasonable cost.
DR. WALLIS: We said in our research report that
you kept invoking these goals, and that's fine, but a lot of
work needs to be done if you say maintain safety. Okay.
Now, first of all, we need know what kind of safety we're
getting and all this stuff. You need to develop that and
see how does PRA fit in there.
Just invoking some high level goal doesn't tell
you very much until you begin to analyze what you would need
to do in order to determine whether or not there is going to
be any influence on maintaining safety by risk-informing. A
huge amount of structure has got to be put in there.
So I think what we would look for is that you
built that structure, not just invoked some high level goal,
which is fine, but that's like saying, you know, I served in
the U.S. and I support the Constitution or something.
MR. KING: I think in the reactor area, where you
have quantitative risk information, it gets a little easier.
In the NMSS area, where there's a lot of different things
that they regulate and you don't have PRA quantitative risk
information to look at those, it gets more difficult.
NMSS had a two-day workshop in April where they
brought in a number of their stakeholders and they asked
these kinds of questions.
DR. WALLIS: The biggest question on maintain
safety is this is -- it's not clear what that means. You
can argue forever. When you say if it's the existing
regulations, well, how do they maintain safety. It seems to
me that risk-informing has a tremendous amount to contribute
to determining how well the regulations maintain safety.
When you know that, then you can, okay, this is
the one which is worth tweaking, because we can really gain
something there.
DR. APOSTOLAKIS: I think in connection to this
slide and also in the context of building public confidence,
many, many times, we hear public stakeholder groups saying
the whole purpose for risk-informing the regulations is to
relax regulatory burden, and people forget that for the last
25 years, really, risk-informing the regulations meant
increasing the burden.
So I would suggest that whenever you talk about
the agency performance goals, you have slides or public
meetings or whatever in the report, you immediately show a
few examples where you have maintained safety, like the
station blackout rule or ATWS or whatever, as a result of
PRA, because apparently people need to be reminded of these
things, that you are not just changing the tech specs and
all that.
We get letters from public groups that say, well,
all they are doing is this. And maybe give examples in
other areas that you have improved effectiveness and so on.
In fact, we wrote a letter, with your help, some
time ago, how PRA has been used in the past. It wouldn't
take more than two or three lines to show examples like
that; that perhaps we have done a lot on improving safety
using PRA, and now we are also addressing issues of
unnecessary burden.
But let's not forget we have already done a lot of
that, because people forget or they don't know perhaps. In
fact, that was a major complaint of the industry that
happened till now, all you were doing was adding burden.
MR. KING: Right. I agree with your statement and
I think one of the things that this document could do is
show that risk-informed is a two-edged sword.
DR. APOSTOLAKIS: Yes.
MR. KING: And you could do that with some
specific examples. You can also do it with talking about
the philosophy behind risk-informed. Just the fact that
you're not spending resources on unimportant things does
improve safety or at least maintains safety.
DR. APOSTOLAKIS: Yes. But I think giving
specific examples from the past will go a long way.
MR. SEALE: To belabor the obvious, you haven't
made the one point here, I don't think, I didn't find it
anyway, that the PRA provides a rational basis for ranking
the risk and that is certainly one of the more important
things that you are interested in if you are going to make
your regulations efficient and attack the necessary things
in a straightforward way.
So sometimes you have to -- the PRA covers things
you've already evaluated, but you didn't have that
evaluation in the context of other risks, as well. And now,
with the PRA, you have a thermometer, if you will, that
you've looked at all of these different things and now you
have comparisons and that's important to your resource
allocation process.
DR. WALLIS: In terms of public confidence, some
of the most important public consists of your own employees.
If this gives a way of doing things which gives your
employees more confidence they're doing the right thing,
it's worthwhile, it's worth putting energy into, there's
going to be a tremendous contribution.
I would like to see more evidence of that, that
people have great enthusiasm for PRA, because it makes their
job better and so on.
And the other confidence is, of course, in
industry, the whole -- that's another kind, that these
regulations make some sense, because they have this logic of
PRA or something behind them.
MR. KING: When we talk about communications in
this plan, we're talking internal and external, and internal
is very important.
DR. WALLIS: The public, and there's lots of parts
of the public that can be really influenced by this
initiative, it seems to me. It's not just some public
interest group. Everybody with some stake in nuclear
energy, as well.
DR. KRESS: In your previous work on the
possibility of redoing the safety goal policy statement, you
had a number of very interesting questions or issues, things
like should land interdiction be a goal, should you deal
with risk spikes, are CDF and LERF the right things to use,
should you quantify adequate protection.
You had a number of very interesting, I thought,
questions that seem to me to be important to the issue of
how you risk-inform regulations.
Will you face up to those questions and try to
provide some sort of answers to them in this particular
document here or will you skate around them some way?
MR. KING: One of the things we talked about
having in this document were what are the risk goals that
you're trying to achieve all of the various things you may
want to look at in this plan in the reactor area. I didn't
envision this document as dealing with the land
contamination issue or risk spike issue or some of those
things.
DR. KRESS: It certainly might come up in the NMSS
area, because that may be your risk goal there.
MR. KING: NMSS, they have on their plate a task
to come up with safety goals for the things that they
regulate. In what form, whether that's going to be a policy
statement or some other document, I don't know at this
point. I would envision whatever comes out of that effort
will be reflected in this document, but I didn't view this
document as the document that's going to establish those
goals.
I do view this document, though, as providing some
what I call guidelines, this bullet right here. By that,
what I had in mind was so that there's some consistency in
the way we implement our risk-informed activities, I think
things like the definitions from the Commission's white
paper on risk-informed regulation ought to be in here, like
our principles from Reg Guide 1.174 probably ought to be in
here, maybe we ought to come up with some consistent
definition of defense-in-depth and safety margins, what do
we mean by performance-based, those kinds of things.
DR. KRESS: How do you deal with uncertainties.
MR. KING: How do you deal with uncertainties,
yes.
DR. KRESS: Those are the kinds of things I would
assume you're looking for.
MR. KING: I thought that kind of stuff, to me,
made sense to put in here, so that everybody, when you're
talking treatment of uncertainties, we're doing it in a
consistent fashion.
DR. WALLIS: Could you also have some vision of
where you're going? When you reach the delectable mountains
of risk-informed regulation, whatever they are, what do they
look like? Some kind of objective out there, like
Eisenhower is going to get to Berlin or something, some kind
of -- where are we going, where would you like to be if
everything works out right?
MR. KING: I think there's two aspects to that
question. One is laying out our plans for those areas in
schedules and priorities for accomplishing risk-informed
changes in those areas and then we have a section in the
plan called measures of success, how do you know you achieve
what you want to achieve.
That's sort of a nebulous thing at this time as to
exactly what those measures of success will be.
DR. WALLIS: I think if anything that's been
planned in the past, any major human activity, then one of
the major things is a view of where you're going. We're
going to climb Mt. Everest and that becomes most important.
The plan is very important, but unless you have this purpose
up there, some view of what constitutes success, then all
the plans are kind of muddled.
MR. KING: I agree.
DR. BONACA: I'd like to throw in just one more
thing in support of what Dr. Wallis is saying. I believe
that we're all looking at these plans, but I think we have
probably all different visions of what this future would be
out there, and when we -- we haven't discussed this and I
think we will, probably as a committee, reflect on this at
some point, but it seems to me that there are certainly some
people who would think that we could have, at some point, a
50.59 process under which you could remove, for example,
defense-in-depth commitments by 50.59.
Other people think that that will not be
acceptable for their own reasons. I mean, there are reasons
for whatever.
The point is that I think there is a fractured or
maybe inexistent sense of a common vision about where we're
going with the plan and a plan typically would have some
elements of vision of what we envision out there that will
resolve some of the problems that existent.
I'm just supporting what Professor Wallis is
saying, that that would be very useful.
MR. KING: You could picture it, we have the four
big agency performance goals, you could say, well, I'm going
to go risk-inform something because it's going to help me
achieve those performance goals and you could go back and
then say set a success measure, whether it's how much
efficiency improvement did I achieve, you could put some
monetary or staff year reduction goal for that or how much
unnecessary burden did I reduce, whatever it may be.
You could do that and then come back and monitor
did I actually achieve those reductions when I risk-informed
this activity or didn't I, and that's sort of what I had in
mind in the success measure section, although we haven't
come up with any firm recommendations in that area at this
point.
DR. WALLIS: That's incremental. That's so that
when I fight this battle, what's the body count, did I gain
something. But it doesn't give you the overall objective
out there somewhere which makes the whole thing worthwhile.
DR. BONACA: I think in the oversight area, we
have some vision now, because we have an implementation plan
and it's being implemented now. We're beginning to see the
elements of it, with the cornerstones and things of that
kind, and we can or we have commented on individual aspects,
maybe been critical of some elements, but, in general, we
have a good understanding and a buying-in into a process
that is becoming risk-informed, but it can be improved, too.
It's just that there are so many other elements of
regulation out there and particularly we're talking about
with existing plants, how they are operating today, what is
effective and what is not effective, and how risk
information can improve the effectiveness of these plants
today.
I think that that's an element. We will have a
common vision of what is going to be.
MR. KING: I think the common vision is certainly
qualitative vision, focus on the things that are important,
that we're going to be more effective and efficient. I
didn't envision we would set numerical goals for that.
But certainly we'd be interested in any thoughts
anybody has as to how we could approach that.
DR. BONACA: I'll give you an example. To me,
50.59 is an important issue, because it's the process under
which power plants are allowed to make changes. So I would
say that if I look at the existing power plants, they are
hesitant about what they are going to do in the future; are
they going to come under this changed regulation, under
risk-informed or not.
As you know, there is reluctance there. The
reluctance is because they don't understand, they don't know
what's going to be. And clearly there are big issues about
what you would be able to change in power plants under
risk-informed 50.59, for example.
I think we had discussions here about
defense-in-depth and balance, but we never -- and that's an
important element, however.
MR. KING: If you just want to set some overall
agency goal for risk-informing 50.59, other than some
qualitative statement that I want it to be risk-informed,
I'm not sure what else I would say.
DR. BONACA: I'm not expecting that you have. I'm
just expressing some of the issues that I believe are
clouding a little bit where we're going with all this.
MR. KING: I guess you could say I want to
risk-inform it to the point where I only get half the number
of license amendment requests that I normally get, you could
set some goal like that.
DR. KRESS: I would try to avoid quantitative
goals in this type of exercise. I think you just get
yourself in trouble.
MR. KING: Yes. But you could also say a measure
of success would be am I getting fewer license amendment
requests because I've risk-informed 50.59, without saying it
has to be --
DR. KRESS: That's the way I would try to do it,
that sort of thing.
DR. WALLIS: This looks like solutions for
problems. If someone is to create that risk-informing is a
blessed activity, therefore, you should engage in it, then
--
DR. KRESS: I think we all believe there is a
problem with the regulations.
CHAIRMAN POWERS: They have, that has happened.
DR. WALLIS: But if you could say here is 50.59,
and the reason that there's all this anxiety in industry and
so on, and so on, and so on, and, gee whiz, risk-informing
is the solution to those problems, that would be more
convincing, rather than saying here we've got this tool and
we get points for applying it, using it.
MR. KING: I think we should move on.
DR. APOSTOLAKIS: Let's move on, yes.
MR. KING: Slide six is just, at a high level,
what the outline of this plan would look like and some
executive summary. There will be some introductory material
that will discuss the relationship of this plan to the other
strategic plan and other documents and processes the agency
has. These overall guidelines we talked about to add some
consistency in risk-informed treatment of uncertainties and
so forth.
Then there will be sections for the three major
arenas that will get into more of the details of what's to
be done.
Then on the next page, a little breakout of what
one of those arena sections would look like.
Again, like I said, this is work in progress.
This may change as time goes on, but at this point, what I
envisioned was for each arena, you talk about the guidelines
that you've developed and applied to decide what are you
going to risk-inform and what the priorities are, and then
the results of applying those, what have you decided to
risk-inform, what are the priorities, what have you decided
not to risk-inform.
And then for each thing where you've made a
decision to go do some risk-informed work, sort of lay out
what the major milestones are and what the -- what I call
the infrastructure needs, the responsibilities, training
needs, what kind of communications plan, internal and
external. And some of these, for each activity, a
communications plan may be -- it may cover a number of
activities. It doesn't always have to be each one has to
have its own.
And then these measures of success, how would you
know that what you did was an improvement. So at a high
level, this is sort of what I envisioned to have in there.
DR. APOSTOLAKIS: How would you make sure that
certain principles that really apply to more than one arena
are, in fact, stated clearly? Defense-in-depth, for
example, is one.
MR. KING: That was back -- where I envisioned
that was back here in the introductory section to the entire
plan. That would be a lead-in to each of the three arena
chapters and this last item, overall guidelines, that's
where I envisioned we would talk about maybe the Reg Guide
1.174 principles.
DR. APOSTOLAKIS: How do we define them? How do
we make sure we have all of those? From the experience of
trying to implement the risk-informed system or we will have
some sort of a structured process that would identify those
high level issues that apply to all of them?
MR. KING: I think at this point, we've probably
done enough in the reactor area where we know what issues
we've had to face, policy issues, implementation issues,
that we could probably make a good cut at laying some of
those things out that are applicable across the board, that
others are going to have to face if they want to go
risk-inform things.
Through interactions with this committee and other
interactions on the staff, with stakeholders, we may
identify some more.
DR. APOSTOLAKIS: But there will be some high
level body monitoring all this.
MR. KING: Well, later on.
DR. APOSTOLAKIS: Later on.
MR. KING: I guess I didn't put it on the
schedule. The agency has a PRA steering committee and we've
run this presentation by them in terms of what our vision is
for this document, just to make sure we have alignment
between the office directors and ourselves, and we continue
to come back to them as this thing evolves.
DR. WALLIS: This is all internal NRC people.
MR. KING: It's all internal NRC people. One
thing you'll see when we get later on, the suggestion is
maybe we want to take this document as a draft and go out
and get stakeholder comment and feedback on it -- external.
DR. WALLIS: It would seem to me you could benefit
from having an advocate for PRA with expertise. You know,
if there's another George out there, who is not tied up with
all the regulation, all the habits of the NRC, and look at
what you're doing, could give you good advice.
MR. HOLAHAN: I thought we had one of those.
DR. WALLIS: Apart from ACRS, but someone who
works with you daily or whatever when you need this person.
DR. SEALE: More than that, I think we've all been
impressed upon occasion that the quality of PRA work that's
been done by some of the utilities and attaching specific
problems, and I think we would be remiss not to try to get
their input. They may even have a good idea or two that
would help out.
MR. KING: I think it would be worthwhile sending
this out as a draft once we've got the sections filled in.
DR. WALLIS: I was thinking actually in the
production of it, not just the formal business of you guys
work on it and it goes out for comment, but someone actually
in the creative process of deciding what to do.
CHAIRMAN POWERS: What are you looking at them to
do?
DR. WALLIS: I would look for someone like a
George who has ideas, can be critical, can say, well, how
about this and talk about the bigger vision than you guys
maybe have, to contest you as you develop the thing.
It seems to me there are lots of things here which
are of that type. There are creative activities involved
and there are visions of what you might be able to achieve
that maybe you haven't thought of.
DR. APOSTOLAKIS: You can use consultants. Is
there anything that says you can't use consultants?
MR. KING: No. We can use consultants.
DR. APOSTOLAKIS: Then select one or two people
and whenever you feel you need them, give them the thing and
say what do you think. It doesn't have to be a big deal.
CHAIRMAN POWERS: I guess I'm still struggling
with what it's supposed to provide here.
DR. APOSTOLAKIS: I think Graham's point is that
there are experts out there that can, not from the
regulatory side of the business, but perhaps they have done
PRAs -- like Gareth Parry, before he joined your staff, was
out there doing good work, and these people may have --
CHAIRMAN POWERS: As opposed to now?
DR. APOSTOLAKIS: But these people would bring a
different perspective, I agree with you.
CHAIRMAN POWERS: I agree that it would bring a
different perspective, I agree that they may have done a
PRA. I don't think doing a PRA is what is necessary right
now. It seems to me that coming in with no knowledge of the
regulatory process is the last thing you need. You need to
know exactly what the regulatory process is.
DR. KRESS: That's what I think. That's much more
important than knowing the PRA.
DR. APOSTOLAKIS: But, guys, we're not talking
about turning over this activity to them. All we're saying
is before you finalize this, give the guy the document and
get some comments.
CHAIRMAN POWERS: George, I could sit here and
say, gee, there are an awful lot of good quantum candidates
out there that know a lot about second quantitization.
Maybe you ought to show it to them. I'm just not sure they
would help very much.
DR. APOSTOLAKIS: And I would agree with you. I
still think that if you select the people carefully, who
have also --
CHAIRMAN POWERS: I think I would be much more
interested in talking to somebody who has attempted cultural
change in an organization. I'd like to get their advice on
things much more than somebody that's just done a PRA for a
plant.
DR. WALLIS: That's not to say who the person is,
but maybe we could agree that some sort of external view of
this would give you some checks and balances and help which
might be useful.
DR. APOSTOLAKIS: Yes. We're not talking about
the guy who does fault trees for a living. That's not the
issue.
DR. KRESS: I would be interested in a guy you
could ask questions of, like I'm concerned if one stuck with
just LERF and CDF, for example, that you're missing
something, and you're missing things like 10 CFR 100, which
talks about a dose from an unfailed containment, which is
one of your objectives, as regulatory.
And we have other similar things like that that
LERF -- CDF addresses to some extent, but LERF doesn't. The
question I might have is if I come up with some objective
that might, for example, be the frequency, an allowed
frequency of exceeding a certain dose, which might be
particularly an NMSS activity, can a PRA give you that
number and how does PRA have to be structured to give you
that and to give you the uncertainties in it and is it
possible.
That sort of thing you might --
MR. KING: But I think what you're talking about,
to me, is a level of detail lower than what I envisioned
this plan to have. Those are certainly questions you have
to face at some point, but I didn't view this plan as
getting down into every technical issue that has to be dealt
with in all the things we want to risk-inform.
I viewed this plan as, for example, risk-informing
Part 50, there would be a schedule for option two, there
would be a schedule for option three, some of the major
milestones and deliverables and so forth, but not getting
into the individual regulations that we're looking at in
option three.
That's dealt with through separate papers and
discussion.
DR. APOSTOLAKIS: Anyway, we seem to be getting
into management issues here.
MR. HOLAHAN: Before we leave this subject, let me
go back and say it again, since no one agreed with me when I
said it before. I agree completely with Professor Wallis,
but I think we already have a group of independent, vocal,
knowledgeable experts sitting around this table and I don't
see any reluctance on their part for giving us good advice.
DR. WALLIS: We see you once every three to six
months or something. This is someone you could turn to as
part of your team, it seems to me. That might be useful.
DR. APOSTOLAKIS: I think we should leave it up to
them.
DR. WALLIS: Leave it up to you guys.
DR. APOSTOLAKIS: This is a management issue.
Would you move on? I mean, we've expressed our differing
views, which we're happy to do.
MR. KING: The nice thing about this committee, we
get all these differing views, we pick the one we like.
DR. WALLIS: There's no sense in our expressing
views unless some of them are useful to you.
DR. SEALE: There's no quality control on our
suggestions.
MR. KING: All right. Schedule. We need to get
this thing done and a complete draft is due to the
Commission the end of October. What we had envisioned was
NMSS has already had their workshop with stakeholders.
We're talking with NRR about having a similar workshop to
take a look at what they're doing and should they be doing
more in the risk-informed area.
Developing some draft arena sections in August,
coming back to this committee and the joint ACRS/ACNW
committee in the fall to talk about those. And then after
the draft goes to the Commission, at least my view is we
ought to recommend to them that that go out for public
comment.
CHAIRMAN POWERS: Your schedule and your need to
get to the Commission has a problem interfacing with our
schedule in the sense that we don't have an August meeting
and September then becomes kind of jammed up and things like
that.
Let me ask, is there a time in there where we
should -- we want to help and I think even participate and
give you all this wonderful advice that you can pick and
choose from in a fairly explicit fashion.
Should we be looking to a period of time for like
a subcommittee meeting, where we can plunge into the details
and things like that? Is there an appropriate time for
doing that? Should we look at arena papers in detail?
MR. KING: I think it would be worthwhile to have
this committee look at the arena chapters once they are
developed and I think a subcommittee would be a good idea.
DR. APOSTALAKIS: Timeframe.
MR. KING: Maybe the August timeframe. Are you
permitted to have subcommittees in August?
CHAIRMAN POWERS: Yes, we have a bunch of them.
We have a bunch of them in August.
DR. APOSTOLAKIS: August is very hard, because my
vacation is in Europe.
MR. KING: I don't want to make it too early,
because then you're wasting --
CHAIRMAN POWERS: It's nothing that we need to
sort out now, but it's something that I think we want to
sort out with you as the time comes closer to that schedule,
just because it would be nice if we could do it on the
October meeting.
So that when you go to the Commission on the 27th,
they at least have our input on it.
MR. KING: I think clearly the October full
committee would be a time where, if you want to write a
letter, that would be the meeting --
CHAIRMAN POWERS: I want things pretty well --
have an idea of what we're going to write at that October
meeting, rather than --
MR. KING: Which means subcommittees before that.
DR. APOSTOLAKIS: But not a week before.
CHAIRMAN POWERS: Yes. That's what I'm trying to
avoid.
DR. APOSTOLAKIS: First of all, I'm impressed that
ACRS' view is not followed by CRGR.
MR. KING: This is not CRGR material.
DR. APOSTOLAKIS: Second, is the ACRS/ACNW that
joint subcommittee?
MR. KING: Yes. And maybe we need to go to the
full ACNW. We'll have to sort that out.
DR. BONACA: There will probably be an ACNW
letter, with some input or something.
DR. APOSTOLAKIS: Okay. We can work out the
details.
MR. KING: Okay. The last slide I have is what I
call issues. There are several things, and this list will
probably grow as time goes on. We got an SRM from the
Commission in April that resulted from the briefing we gave
them on the 0062 paper. What they said was when we give
them this draft at the end of October, what they want is an
identification of those internal and external factors that
are affecting our planning process, and they listed some
examples.
Availability of pilot plants was one that they
listed in their SRM. I think there's probably some others.
I think licensee interest and participation in this whole
risk-informed process is one.
There's questions of maybe you could go
risk-inform some regulation, but under a voluntary system,
if licensees aren't interested in it, why bother.
MR. SIEBER: Do you have any indication at this
point in time as to what licensee interest really is?
MR. CUNNINGHAM: NEI did a survey of what
licensees were particularly interested in, I guess they --
in the winter time. As I recall, the top two that they were
very interested in are changes in 50.44 on hydrogen control
and 50.46 on ECCS requirements.
They had a list of other things, but those are the
two that jumped out.
MR. KING: But I think your question is even if we
would make those changes, how many licensees are actually
going to take advantage of it.
MR. SIEBER: Well, and beyond that, which ones are
going to build the infrastructure that they need in order to
participate in risk-informed regulation, because that's a --
you're going to end up with, as I see it, two mountains.
One is the traditional deterministic way, the other one is a
risk-informed way, and it's not clear to me that that
reduces burden.
MR. HOLAHAN: I think these things haven't sorted
out yet, but I think my vision of the future is licensees
will put the infrastructure into a risk-informed approach,
because they need to do that because of the way the
maintenance rule is structured and for the oversight
process, and I think that the nature of the oversight
process will have an enormous effect on the way licensees do
their own work.
And when they get to that point, at least what I'm
imagining is, in fact, it will be those activities and not
the examples of would you like to change 50.44 that are
going to pull the licensees into the risk-informed world,
and once they're there, more than they are now, some of them
are well into this arena now, but all of them, by the very
nature, have to participate in the oversight process.
They need to understand the significance of their
activities and their performance issues. That is going to
be the arena that gets them into this world and once they're
there, I think that will open up to a lot more than 50.46
and 50.44.
MR. SIEBER: I sort of look at that, though, as
like a marathon race. There's the guys out in front and the
guys who are walking back and there's going to be some kind
of a distribution of degrees of participation.
I'm not sure whether that's going to help you or
hurt you in the process of truly risk-informing regulation.
MR. HOLAHAN: I think the oversight process is
going to establish some minimum speed, which, in a practical
way, where a licensee can continue to survive.
DR. KRESS: Not everybody crosses the finish line.
MR. KING: When I've asked this question on the
reactor side of industry people, the answer I get back is
there's a lot of licensees sitting on the fence. If we get
a few successes under our belt, that will get them off the
fence and having a lot more step forward and want to
participate and implement risk-informed changes.
If we don't get some successes under our belts,
corporate management may not be willing to support PRA
activities at plants. So it remains to be seen at this
point.
MR. SIEBER: There's another constituency here and
it's probably in the details that you're not wanting to
discuss at this time, but there is a group that will be
running with peg legs in this marathon of yours and that's
the aspect of NMSS activities that are under the direct
supervision or regulation by agreement states.
I just don't see where there's very much here, at
least at first, that's going to be attractive to those
people at all, because there are 49 constituencies, unique,
in a sense, that don't have the resources to build a support
structure.
MR. KING: Gary and I both sat in on the NMSS
workshop, where they had state people, they had medical
community, they had citizens groups, of course, represented,
and I came away with the sense that most people were
interested in this, from the NMSS side of the house, the
licensees and the states.
There's always some that are against it, but I
thought that -- there was a statement made by the
representative of the medical community, a gentleman from
San Francisco General Hospital, that I thought was very
enlightening in terms of what risk-informed means for them.
It really means protecting public health and safety in a
much better way than it's being done now, because if it can
reduce the cost of medical procedures and so forth, that
means it's available to more people and that's real risk
reduction on real health issues.
DR. APOSTOLAKIS: I was looking at the General
Accounting Office report. There are a couple things here
that I don't understand. Some utilities do not have current
and accurate design information for their nuclear plants
which is needed for the risk-informed approach. Is that a
big thing?
I mean, have you found this to be a big problem?
MR. HOLAHAN: Did you ask me whether I agreed with
that statement?
DR. APOSTOLAKIS: Yes.
MR. HOLAHAN: I don't agree with that statement.
DR. APOSTOLAKIS: I don't either.
MR. BARTON: Maybe that was true a few years ago.
DR. APOSTOLAKIS: Well, it's '99.
CHAIRMAN POWERS: I think if you go back and you
look at the kinds of things that utilities had to do for the
fire protection functional inspection pilots, that you might
agree better with that statement.
DR. APOSTOLAKIS: But I don't consider this an
impediment to make it number one.
MR. HOLAHAN: That's right. On the contrary, what
I've found is that getting involved in risk-informed
activities has been helpful in identifying issues in the
design basis and getting them sorted out.
It's not as though you can't do the PRA until you
learn the design basis issues better. In fact, it's helpful
in addressing those issues where there are problems.
CHAIRMAN POWERS: I'd certainly agree with that.
But that there are problems in understanding the design
basis of things becomes very clear when you look at the fire
protection.
DR. APOSTOLAKIS: Anyway, any other comments from
the members on this issue? Members of the public?
[No response.]
DR. APOSTOLAKIS: Hearing none, back to you, Mr.
Chairman.
CHAIRMAN POWERS: Thank you, gentlemen. Look
forward to seeing your plan. It should be most useful.
I will recess us until 10:15.
[Recess.]
CHAIRMAN POWERS: Let's come back into session.
We are now going to turn to a discussion of an event that
occurred at the Hatch Unit 1. John, you're the one that
brings all these terrible things to us.
MR. BARTON: Thank you, Mr. Chairman. The purpose
of this session is to hear presentations and hold
discussions with representatives of the NRC staff regarding
the operating event at E.I. Hatch Nuclear Power Plant Unit 1
this past January. We will also hear from the licensee
following the staff's briefing.
A description of the event, on January 26 of this
year, Hatch Unit 1 was at 100 percent power, when the
reactor pressure vessel water level began to decrease as a
result of a valve in the feedwater line going closed.
The valve closure caused a large reduction in the
feedwater flow. Reactor water level decreased, automatic
reactor trip occurred, as expected.
We've been spending a lot of time on risk-informed
regulations, where we're going in the risk arena, and
incidents, transients, shutdowns, et cetera, effects of CDF
and LERF, et cetera.
Now, from a risk aspect, this event was not
significant in that it did not result in core damage.
However, it was a serious event in that several areas of
weaknesses in overall operation and programs were
identified, and I'm sure we'll hear about them from the
staff.
So at this point, I'd like to turn it over to the
staff, Mr. Tad Marsh, to make introductory remarks prior to
the staff's briefing.
MR. MARSH: Thank you, Mr. Barton. Good morning.
My name is Tad Marsh and I'm Chief of the Events Assessment,
Generic Communications and Non-Power Reactor Branch in NRR.
I have with me today several representatives of
the staff who will be presenting to you the Hatch event. I
would like to introduce Mr. Wert, from Region II, who is the
team leader on the augmented inspection team, and Mr. Vern
Hodge, from my staff, who will also discuss with you the
generic implications and our follow-up actions.
So, gentlemen, let's go ahead.
MR. WERT: As Mr. Marsh stated, I was the
augmented inspection team leader, the Hatch scram that
occurred in January, with some complications that occurred
on January 26, in the year 2000. Next slide.
Just briefly, there's a list of our team members
that participated in the team. I'm not sure how much you
want to hear about that. But internally, as a region, we
always review closely successes and ways that we can improve
augmented inspection teams.
One thing that we did note on this team is we felt
we had the right combination of technical capabilities to
review this. All the inspectors were extensively
experienced in boiling water reactors from a resident
inspector perspective and additionally, we had Mr. Gary
Hammer, a member of the NRR staff, who was very
knowledgeable and aware of the SRV issues, safety relief
valve issues.
Just a brief outline. This is a composition of my
presentation today. Overall event sequence, and I won't
spend a lot of time with that. You have the inspection
report in which that sequence was laid out. Equipment
issues, because it's a very convenient way to talk about
this event.
Performance of licensed operators. As we got into
the event, I think you'll see that we became more concerned
or just as concerned about performance of the licensed
operators as we did about some of the equipment issues that
initially were considered to be problems. Health and safety
assessment and NRC actions.
Hatch Unit 1 is a GE BWR-4, with a MARK-1
containment. That's the light bulb-shaped dry well with the
separate Taurus. Commercial operation began September '97.
The licensed full power is 2763 megawatts thermal. They did
undergo two, in recent years, two upgrades to extend our
power operation rating, full power rating.
The event occurred with Unit 1 at 100 percent
power. It had operated for about 213 days continuously
prior to this event. The event also occurred at 6:51 a.m.
It was during a shift turnover, and we'll talk about that a
little bit more.
A feedwater heater inlet isolation valve closed
when a control switch unexpectedly actuated, and we'll talk
a little bit more about that switch in the presentation
later. And automatic scram on low reactor water level
resulted as expected.
High pressure coolant injection, HPCI, and reactor
core isolation cooling initiated. The reactor vessel water
level was rapidly recovered. I might add that in this
event, both feedwater pumps were also running during this
time. So the water level was rapidly restored.
High pressure coolant injection tripped about 67
seconds after the reactor vessel high level trip set point
was initially reached. The RCIC and the feedwater pumps
tripped at their set points, as expected. Reactor vessel
water level was high enough to cause water to enter the
steam lines, and I'll talk a little bit more about what we
thought contributed to that level in the steam lines.
The operators closed the main steam isolation
valves in accordance with the emergency operating
procedures, and I might add that the procedures say -- I
would phrase it as at 100 inches, shut the main steam
isolation valves.
The reactor operator did ask for concurrence to
shut the valves after he noticed the level was slightly
above 100 inches and they were actually shut at about a plus
108 inches indicated level.
The highest level during the transient was about
plus 110.8 inches that we got off the data.
DR. KRESS: What is it about this particular valve
closing that causes the water level to decrease?
MR. WERT: Sir, this valve that closed was one of
the two -- one of two valves in the main feedwater flow
paths to the reactor vessel. There's two main lines coming
into the reactor vessel. They do tie back together into one
line upstream of that, but where this was, that effectively
reduced momentarily 50 percent of the feedwater flow.
DR. KRESS: Fifty percent of the feedwater flow.
MR. WERT: Initially. Then you would have both
feedwater pumps still injecting into the vessel through the
remaining flow path. But initially you get a large
reduction in feedwater flow.
DR. KRESS: So it's an initial reduction.
MR. WERT: And even subsequently, but I wouldn't
say 50 percent.
MR. BARTON: You're still basically steaming at
full power rate and reducing feed flow by half.
DR. KRESS: Steaming at full power and flowing in
at half the flow.
MR. BARTON: Yes. Feed level goes down pretty
fast.
DR. WALLIS: What is water level, the two-phase
mixture? What is the water level in the two-phase mixture?
Is this a collapsed level or what is it? You have boiling
water, but the level is not a determined thing, is it?
DR. BONACA: It is not the collapsed level.
DR. WALLIS: It's not a collapsed level. But it's
a level of some sort where there's a transition from mostly
water to mostly steam.
DR. SEALE: This is above the separators.
DR. WALLIS: Yes, it's way up there. So it's a
two-phase mixture, but I wonder what you mean when you say
level is 110 inches. What detects that level?
MR. WERT: These are water level indication
systems.
DR. WALLIS: Usually that's a hydrostatic thing.
It's just a collapsed level measurement. So the actual
level where there is water is higher than that.
MR. WERT: I was referring to the water level
indicated at the annulus of the vessel.
DR. WALLIS: I think it measures a collapsed
level. There's actually water higher than that.
MR. WERT: I think that's true in the interior of
the vessel.
DR. WALLIS: There is water a lot higher than just
110 inches probably.
MR. WERT: Yes, sir.
DR. WALLIS: Because it's bubbling and all kinds
of stuff going on.
MR. WERT: Yes, sir. We were just concentrating
on the level that would then go into the steam lines.
DR. WALLIS: But we at least have a picture of
what's going on. There's actually a lot of water above
that, as well, tossing around.
MR. SUMNER: My name is Lewis Sumner, I'm the Vice
President for Plant Hatch. At this point in the sequence,
when this level was this high, the reactor has already
scrammed. The void collapse has already occurred and you
are reading true level.
DR. WALLIS: So it is true level.
MR. SUMNER: Yes, true collapsed level.
DR. WALLIS: Thank you.
MR. WERT: At this point, the operator initially
attempted to control pressure with the safety relief valves.
That's in accordance with his operating procedures, to open
a relief valve.
You would do that because you have the reactor
essentially isolated here and the pressure is slowly
increasing due to decay heat.
The expected control panel indications were not
received. What I'm referring to there is there's three
lights under each control switch for these safety relief
valves. There is a green light that tells you there is
power being provided to the solenoid valve that supplies
pneumatic air to operate the valve electrically.
There is also a yellow light that tells you that
the pressure in the discharge pipe going to the Taurus from
this valve has reached greater than 85 pounds, the set
point. It varies from plant to plant. But it detects
pressure in the tailpipe.
And the final indication is a red light that tells
you only that the solenoid has been energized, either by
switch operation or through operation of the low load set or
the ADS system.
The operator was looking for the amber or yellow
light that told him I have a high discharge pressure in my
discharge line, and he did not get that light at this point.
So he then, in turn, manipulated the control
switches for several other SRVs and then he obtained an open
indication and the SRVs were subsequently used to control
reactor pressure.
Reactor pressure peaked slightly above normal
operating pressure in this event, approximately 1,085
pounds. After the event, the licensee determined that the
SRVs had actually opened when they were actuated. The SRV
tailpipe, and that's the discharge line to the Taurus,
again, there's a temperature recorder on the back panel in
the control room that showed clearly that the valves had
opened.
There are some other indications, as well. You
can look at the Taurus temperatures in the area around the
SRV discharge line spargers inside the Taurus, and we did
that as a team. One thing we were concerned about was
possibly that the valve, the pilot assembly lifted and maybe
not the main portion of the valve, and we looked at that and
that gave us a good indication that, in fact, the main seat
had actually opened on the valve when we expected to.
DR. WALLIS: So you could see this by looking at
the record afterwards, but the operator, in order to see
this at the time, would have to go and look at some back
panel.
MR. WERT: Yes, sir.
DR. WALLIS: So this isn't really information
that's available to the operator at the time, unless he
makes a big effort to go and get it.
MR. WERT: Unless he makes --
MR. BARTON: Not really, and especially, during
this event, it happened at shift turnover, they had an
abundance of people in the control room. They also have a
shift technical advisor who is supposed to help the
operators through transients to understand what's going on
in the plant.
So there are some questions here as to why that
wasn't looked at, I think, and I don't think it's that.
DR. WALLIS: It's a question of time. When he's
looking for the yellow light, that's right in front of him.
But looking for these other indications would take more
effort to go and look for them.
MR. WERT: Right. And the other indication he's
looking for is a reduction in pressure at the same time when
he expects the valve to open, obviously, and he didn't see
that either.
MR. SIEBER: Who is the manufacturer of the safety
relief valve and what type of --
MR. WERT: I was going to get to that. These are
Target-Rock two-stage pilot initiated valves.
MR. SIEBER: Thank you.
MR. WERT: The operators subsequently used a high
pressure coolant injection and reactor core isolation
coolant for inventory control. There were several early
attempts to restart reactor core isolation cooling, and this
was after the initial transient, that did not succeed.
Approximately four times, the reactor core isolation coolant
system was attempted to be restarted and it was unsuccessful
and that was attributed to the procedure or the process that
was used to restart the turbine, and we'll get into that a
little bit later.
DR. WALLIS: The heat sink then is just whatever
is coming out the relief valves. The heat sink is the
steam.
MR. WERT: At this point, that's correct. They
have other systems that they could use. But RCIC was
successfully used later in the event. They had auxiliary
operators down in the spaces actually draining the water out
of the steam supply lines to the reactor core isolation
coolant system and one of our team members interviewed those
operators and there was a significant amount of water
obtained out of that line.
High pressure coolant injection was manually
operated several times and tripped properly at its high
level set point on two occasions.
DR. WALLIS: What two occasions? Those were the
only two occasions?
MR. WERT: Yes, sir. In this event, subsequent to
this event.
DR. WALLIS: So it tripped properly every time its
high level set point was reached.
MR. WERT: With the exception of the initial --
DR. WALLIS: The first one, it didn't.
MR. WERT: Yes, sir.
CHAIRMAN POWERS: Can you give me an idea of what
the flow rate is from the high pressure injection?
MR. WERT: The high pressure coolant injection
system is thousands of gallons per minute, as compared to
the reactor core isolation cooling, which is several
hundred.
Safety relief valves, while the safety relief
valves were passing water or a steam-water mixture, the
pressure in the discharge line did not get high enough to
actuate the pressure switch.
Our conversations with the GE and also the
Target-Rock personnel that were there at the time, they also
indicated that there some reliance on I'll call it impulse
loading of this pressure switch. So they contributed that
also to part of the effect of why the pressure switch did
not actuate.
Alternative open SRV indication, and that is
referring to the discharge line temperature recorder, was
available, was not used. We do know that in training, when
we looked at the training plan, that it is described in the
training plan, the use of this temperature recorder, as one
indication of SRV operation.
We'll talk about this during our discussion of
operator issues, but the gentleman that discussed the STA's
involvement in this event, I think that's where it properly
involves.
DR. WALLIS: Temperature would seem to be a more
direct indication, because pressure depends upon the flow
rate and how much is water and how much is steam and other
things like that.
MR. WERT: Yes, sir. I would point out that the
indications that are available on SRV indications vary from
plant to plant considerably. Some of the plants have
acoustic monitors. Some of these indications were
originally designed to detect SRV leakage passed. Back in
the early days, there was a lot of problems or a number of
problems with SRV leakage. So these indication systems are
set up differently from plant to plant. They vary
considerably.
Our understanding of a discussion about the
acoustic monitor, not to depart too much from the
discussion, was, with the vendor representatives, indicated
that they would have to, in fact, also be precisely adjusted
and set. In other words, the water might have affected even
those indications in this event, an acoustic indication.
Five of the pilot actuated Target-Rock SRV
assemblies were later satisfactorily set point tested. This
is the routine testing that's done at Wyle Laboratory.
In this case, of course, it was not a routine
test, but it's the same test that's done routinely.
One pilot valve assembly was inspected. It was
totally dismantled and inspected. The Wyle facility is
familiar with this. There is a corrosion bonding issue
that's still an issue with these Target-Rock SRVs. So
they're pretty familiar with what these cartridges, pilot
valve cartridges should look like when they disassemble
them.
We also had an NRC inspector there to watch
disassembly who has some familiarity also with these SRVs.
He is assigned to the Browns Ferry facility, which is
located within 20 minutes of this facility, so it was easy
for us to do.
There were no unexpected conditions found. There
were some indications that water level had, in fact, reached
the SRV elevation. You could tell this by the types of
contamination that were found in the valve.
Subsequent General Electric and Target-Rock
analysis supported operability of the safety relief valves,
the discharge lines and the components in those discharge
lines, and I'm referring there to the vacuum breakers that
are located in these discharge lines and also the pressure
switches that we had talked about before.
Those pressure switches serve as an indication to
the operator of pressure in the tailpipe for the valve
lifting, but they also are used to arm a system called
low-low set that exists at Hatch, and that system is
designed to minimize the forces on the Taurus if you have
repeated lifting of these SRVs. So that pressure switch is
important.
MR. MARSH: If I could add something at this
point. The agency was concerned that the initial parts of
this event and up until perhaps this point about the ability
of the SRVs to operate in this type of an environment and
what he over-pressure analysis and the transient analysis
remained intact, whether it would, in fact, represent what
the plant would respond.
In this analysis that we're discussing here showed
the staff that the transient analysis and the over-pressure
analysis was still valid, that the SRVs may have had a
different type of performance, but, in fact, over-pressure
was protected. So this is an important key point in how the
team was progressing through the inspection.
MR. WERT: I didn't go into the details there, but
the licensee and General Electric and Target-Rock supplied a
very conservative analysis with very conservative
assumptions on how much water could be in these steam lines
and how long it would delay the opening, actual operation of
the pilot valve, and then, in turn, the main seat, and then
relieve the function from the valve.
They used very conservative assumptions, like I
said before. They assumed that only one SRV would function
and the difference -- the ability to mitigate the pressure
increase was very significant. They could do it in a matter
of just over a minute as compared to requiring several
minutes before the pressure would become a problem.
The next equipment issue was reactor core
isolation cooling. As I said before, several of the
attempts to restart reactor core isolation cooling were not
successful, and this was not early in the event, but
subsequent developments during the event.
They let the head -- the procedure left the
reactor core isolation cooling steam emission valve fully
open and under some plant conditions, such as water in the
steam supply line, the turbine can over-speed if this
restart procedure is used.
It's not understood precisely why this occurs.
There's two different explanations. One involves steam
carry-over or water carry-over into the steam actually
through the turbine control system and another one is that
the water that's actually contained in the line flashes to
steam as it goes -- as it approaches the final part of the
turbine supply system.
In either case, it affects the operation of the
turbine control system and you are susceptible to over-speed
trips.
Additionally, the licensee's event review team
identified that the simulator training did not accurately
reflect the reactor core isolation cooling performance, and
what I mean by that is that this attempt could be -- this
procedure could be used successfully in the simulator.
It might not have been necessarily a simulator
modeling problem as much as just a training issue, where the
operators could, in fact, successfully use this repeatedly
in the simulator, but it wouldn't work in the plant.
MR. BARTON: Is it a training issue or is it a
simulator fidelity issue?
MR. WERT: It really depends, sir, on how the
facility decides to handle it. I think that the facility
has, in fact, changed the modeling of the simulator and
Lewis could probably tell us that or not. I know that
they've done some corrective actions, but I don't mean to
hedge my answer, but you could, in fact, just satisfy this
by having your simulator training personnel, in fact, insert
failures into the system. You don't necessarily have to
create the modeling to exactly perform this way.
I believe the senior resident inspector told me
that they have changed the modeling of the function of the
valve.
MR. SUMNER: The model has been changed and the
procedures have been changed and the training has been
changed.
MR. BARTON: Thank you.
MR. SUMNER: But there are still probably other
deeper issues than that as we look at the RCIC performance.
MR. BARTON: Thank you.
MR. WERT: And our final bullet up there, licensee
promptly revised these reactor core isolation cooling
procedures, and they did that prior to restart of the unit.
There is some operating experience data available
on this phenomenon, I call it on stream-driven turbines, but
they largely are constrained to auxiliary feedwater systems
in PWRs and they involve long runs of piping. A little bit
different than the arrangement at Hatch.
High pressure coolant injection, the high reactor
water level most likely resulted from the high pressure
coolant injection system not tripping immediately when the
high level set point was reached. Additional factors
contributed to the high water level and what I'm referring
to there is that just essentially the swell of the reactor,
of this inventory of water that is inserted at 90 to 100
degrees, then heating up inside the vessel due to decay heat
is significant.
Then, also, in this event, both feedwater pumps
were operating and early in the transient, one of the
operators placed the master feedwater level control switch
into manual and due to some complexities in the way the
controller works, this resulted in the feedwater system
operating at a very high capacity.
MR. BARTON: Was this by procedure? Are operators
allowed to take automatic functions out and go to manual?
Was that allowed by procedure or is that something that was
done in violation of a procedure?
MR. WERT: It is permitted by procedure and we'll
talk about that a little bit later. The licensee has
initiated some actions to review that.
But I just wanted to point out that that's one of
the factors in the high level, that it makes it difficult to
ascertain exactly why the level got that high.
DR. WALLIS: You spoke about time, you said not
immediately. What sort of times are we talking about here
from when it should have tripped and how long it stayed not
tripped and how long the level was rising after it should
have not -- what sort of times are we talking about?
MR. WERT: Our review of the data indicated at
just over a minute, 67 seconds, that the system operated, it
continued to inject after it reached high level --
DR. WALLIS: After it should have tripped.
MR. WERT: Yes, sir.
MR. MARSH: The feed pumps had tripped by that
point, you had RCIC by that point.
MR. WERT: The feedwater pumps and the reactor
core isolation coolant system had both tripped as expected
at their trip set points.
The operator should have manually tripped high
pressure coolant injection when it was indicated that the
system did not automatically trip. The licensee did not
conclusively determine why high pressure coolant injection
system did not immediately trip during the initial
operation.
Subsequent extensive testing supported the
operability of the trip function. I don't want to go into
the whole logic path here. There's essentially several
contacts in series. There's two sets of Agastat relays in
series that initiate the trip. Both of those were sealed
functions; in other words, the Agastat relay was inside a
sealed case. It's not commonly a type that you see have
problems due to intrusion from material.
MR. BARTON: I take it the licensee has never been
able to repeat this failed switch since the event.
MR. WERT: We could not. The licensee or our
efforts could not conclusively identify exactly why it did
not trip initially, and that's why I was making the point
that it tripped twice subsequently successfully. We think
that affects the ability to troubleshoot the problem.
Then after the two contacts, it goes to an HGA
relay, in turn. Now, one thing that also contributes to
this is not all these contacts and relays are monitored in
the licensee's data gathering system. So it was difficult
to just point out a certain relay and detect exactly how far
the signal got through the process. That varies from plant
to plant.
The feedwater valve control switch is our next
area of discussion. Southern Nuclear determined that a
GE-type CR-2940 control switch failure caused the feedwater
heater valve to close unexpectedly and the way they
discovered this was after the scram had occurred, operations
noted that the feedwater heater temperatures were diversion.
They had noted indications on their feedwater temperatures
that they were not expecting.
They investigated that. They found on the local
control switch in the turbine building the fifth stage
feedwater heater inlet valve on the Bravo side had closed,
and that was subsequently traced to the switch.
The licensee did quarantine the panel. They did
extensively try to determine what could have happened with
the switch. For example, they did a lot of work in the area
of security access records to that area and tried to
determine if someone had, in fact, entered that area or had
been carrying material, for example, through that area or
had bumped the switch or bumped the panel, and they did not
conclusively come up with an explanation of that.
MR. BARTON: Where is this switch located?
MR. WERT: The switch is actually located on a
local control panel in the turbine building. It's on the
middle floor of the turbine building. It's not in a
particularly narrow passageway and it does not protrude into
the passageway past other components on the same panel.
There was a General Electric service information
letter, commonly called a SIL, 217, which was issued in
1977, that states that the switch contacts for these
switches may close prematurely from slight movement of the
selector switch and the service information letter
recommended that the switches be replaced with a less
sensitive model.
This failure that we're referring to in the switch
does not involve the contacts in the interior of the switch.
It involves the cam mechanism on the hand switch operator
itself. It's a plastic molded component.
There is an improved model that was subsequently
developed that has a small notch in this plastic rotating
assembly that engages the protruding operation of the
contactor, the portion of the switch that actually works the
contacts.
So when we say a switch failure, that's what we're
referring to, simply the very slight movement, a very slight
agitation, maybe even a vibration in the area would cause --
could cause the switch to operate.
Two of the switches had failed at Hatch in 1996.
They were both in non-safety-related applications, and after
this event, this particular event, the licensee developed a
list of all the affected switches, including the
safety-related applications, and they made a prioritization
list and replaced some of them. We were satisfied that they
had addressed the important located switches prior to plant
startup.
MR. BARTON: This recent startup.
MR. WERT: Yes, sir.
DR. WALLIS: How did they prioritize it? Did they
use some sort of risk information and select the ones that
they ought to fix?
MR. WERT: They looked a lot at safety-related
applications, and Mr. Sumner could probably address exactly
how they prioritized it, but they also did use risk because
they looked at what could cause a transient, which failure
could result in a transient.
So I'm not sure that they used risk explicitly,
but at least that was part of their factor.
MR. BARTON: This switch could cause a transient.
MR. WERT: Yes, sir. Main steam line
instrumentation, another consequence of this event is that
there were some problems with a few pressure transmitters
connected to the main steam line. The licensee assessed the
potential effects of the transient, such as localized
flashing or water hammer on the instrumentation connected to
the main steam line.
Obviously, there's, I think, over 40 pressure
transmitters connected to these steam lines and the
licensee's testing identified that four pressure
transmitters were affected by the transient. Two were
significantly damaged. Their on two assembly portion of the
pressure transmitter was, in fact, physically deformed.
Two other pressure transmitters were involved in a
failure of reactor core isolation cooling to automatically
isolate during the subsequent plant cool-down, and that was
the subject of a separate 50.72 notification.
DR. WALLIS: Were these water hammer events that
damaged the transmitters?
MR. WERT: We believe it could be characterized as
a water hammer event, localized flashing of the water.
DR. WALLIS: Flashing is not as dramatically -- it
doesn't produce high pressures like water hammer. Flashing
may lead to water hammer later on, but it's usually the
hammer that produces the high pressure that damages
something.
MR. WERT: Right. I think we were stating that
there was no large water hammer event occurring over the
whole entire steam line.
DR. UHRIG: At what point did this occur
time-wise, this damage?
MR. WERT: I don't think it's well known exactly
when this damage to these pressure transmitters occurred.
I'm not sure.
The affected transmitters were replaced prior to
startup and the licensee did some extensive actions, as
reviewing the application of the pressure transmitters,
whether they were suited for the purpose that they should
accomplish and there was no necessary corrective actions
found in that area. In other words, they replaced the
switches, the pressure transmitters with a like component.
CHAIRMAN POWERS: Significantly damaged is often
in the eye of the beholder. Can you give us a good feeling
for what you mean by significantly damaged in this case?
DR. WALLIS: They didn't work?
MR. WERT: I was referring to the two that were
significantly damaged, I was referring to their Bordun
assembly had been physically deformed, but, in fact, I would
say that we said that four pressure transmitters were
affected and by that, I mean that they were -- when tested,
they failed calibration and they could not be placed back
into calibration.
MR. MARSH: The team was convinced, I guess, and
I'm asking the licensee, as well, through you, that these
transmitters were damaged in this event. There wasn't any
question about them being inoperable prior to this event?
MR. WERT: I'm not aware of any question at all
prior to the event.
MR. SUMNER: Let me comment on that. It's our
belief that of the transmitters that we're talking about,
that the transmitters on RCIC, one clarification is that
these transmitters isolate RCIC on low pressure, less than
50 pounds. So we're talking about a low pressure isolation
of the steam supply to RCIC.
Now, what you also need to understand is only one
RCIC line valve failed to isolate. The other one isolated
properly, like it's supposed to, just like the plant design
would call for. You have an in-board and an out-board
valve. Only one valve failed to close because of the damage
that Len referred to on the transmitters.
And I think Len has characterized it correctly.
When you pulled these transmitters out, they would not
calibrate. They would not reach the procedural tolerances
for putting them back in.
Where they physically failed, we could see the
Bordun-2s were physically deformed to the point where the
transmitter would not respond properly. Was there any
mechanical damage outside of that? No, there wasn't.
We do believe that on the attempts to run RCIC,
that the water in the RCIC supply line, and, as Len referred
to earlier, as you tried to start it up, there probably was
some localized flashing as the pressure was rapidly relieved
as the turbine stop valve came open.
And it could have happened then or when the stop
valve went shut, when it over-speed tripped. So in any of
those operations there, if there is a water hammer or
flashing, that's when we postulate when the damage to the
transmitters occurred.
MR. WERT: Thanks, Lewis. The next area of
discussion involved the performance of the licensed
operators, and we touched upon that several times.
The event occurred during a shift change or a
shift turnover. The shift supervisors had already turned
over, but the reactor operators were in the process of
changing over, and the senior reactor operator was outside
the, quote, at the controls area when the event initiated.
And at Hatch, the turnover process involves
largely -- it's done somewhat sequentially. The senior
reactor operators turnover, I'll say, independent of the
reactor operators, and they usually turn over well ahead of
the reactor operators.
The oncoming watch, if you would, assumes their
duties and then they, in turn, brief the reactor operators
as a combined crew and then they go in and the reactor
operators officially take over the duties from the actual
on-watch reactor operators.
When this event occurred, the oncoming senior
reactor operator or unit supervisor would then, in turn, go
into the -- went into the control room with the on-watch
reactor operators, just after the event had initiated.
And when I say he was not at the control areas, we
mean he was in a room just adjacent to the controls area,
just a few steps, but that is somewhat important in an event
like this.
MR. BARTON: But the operators that were on the
control board were the operators that were on-shift. They
had not been relieved.
MR. WERT: That's correct, sir.
MR. BARTON: Okay.
MR. WERT: The reactors did not properly monitor
reactor vessel water level and injection system operations,
and we've talked about that previously. The tripping of the
high pressure coolant injection system. And as a team, one
of our team members was actually a senior reactor operator
at a boiling water reactor for several years and we reviewed
this aspect critically from the perspective of is it a
realistic expectation at the time with the events that were
occurring in the control room that they should have detected
the fact that the high pressure coolant injection system had
not tripped off and also the main steam isolation valve
isolation was somewhat delayed.
In both of those decisions, our subjective
conclusion was that they should have recognized it. We did
not see that there was a large number of events going on.
Obviously, our resident inspector was in the control room
shortly after this event, but we didn't actually observe the
actual sequence at this point.
MR. BARTON: Let me ask you a question. At the
time of the transient, you said that the control room
operators had not been relieved, but yet in the AIT, so
there was shift turnover still going on outside in an office
or something outside at the controls area.
The AIT report talked about an excessive number of
people at the control area and the control room. Now, how
did that happen?
MR. WERT: What we're referring to there, sir, was
that essentially you have almost two crews there. You had
the oncoming crew and the off-going crew in the control
area.
Now, all these people were not in the at the
controls area. They were immediately adjacent to the at the
controls area at a back panel held out at a desk, I would
say, 20 to 30 feet away, but they were not right in the at
the controls area.
However, there was a larger number of people in
the at the controls area itself proper than there normally
would be on an event like this.
Does that answer your question?
MR. BARTON: Partially. Where did these extra
people come from?
MR. WERT: Some of them were the oncoming crew.
MR. BARTON: So there was a mix of oncoming crew
and the crew that was still on watch.
MR. WERT: Yes, sir. Also, in addition, there are
several operations supervisory personnel that participate in
turnovers that were also present at the time and I think
maybe not at this point in the event, but shortly
thereafter, also some management personnel were also in the
control room; again, not in the at the controls area, but
immediately adjacent to it.
And one of those individuals, of course, would
also be our resident inspector.
The next bullet, the shift technical assistant did
not provide timely assistance to the operators, when
unexpected SRV indications were observed and as commented by
one of the gentlemen earlier, we considered that to be a
problem.
Training sessions had described the availability
of the tailpipe temperature as an indication of SRV
performance and we're not expecting that the operator
necessarily would turn the switch and then run around to the
back panel, but with all the people that were available and
certainly the shift technical assistant.
MR. BARTON: Does the STA at Hatch have collateral
duties or is he full-time STA?
MR. WERT: He is a full-time STA, at least --
well, Mr. Lewis will correct me if I'm wrong. I'm speaking
from my knowledge of about five years ago when I was the
senior resident there. He was a full-time STA. He does
have other duties that he performs on watch.
MR. BARTON: But during a transient, what is his
role?
MR. WERT: During a transient, his role is the
classical shift technical assistant role, assist the
operators and particularly analysis of indications, but
largely constrained to reactivity and inventory issues.
Is that how you would characterize it, Lewis?
CHAIRMAN POWERS: I have to admit I'm a little
confused about who was where when. Do we happen to have a
diagram that could show us who was where?
MR. WERT: I don't have one.
CHAIRMAN POWERS: Maybe at some time we can.
MR. WERT: Yes, sir. I can draw one shortly after
this discussion.
CHAIRMAN POWERS: Sometime later.
MR. BARTON: Lew, do you want to address the STA
issue?
MR. SUMNER: Yes. The collateral duties that Len
was referring to is that during normal power operations, the
STA does the classical shift technical advisor
responsibilities, as well as he has primary responsibility
for reactivity monitoring of the reactor core, core
management.
In an event, in a transient, he is the classical
shift technical advisor, where he has no other collateral
duties than to assist the crew and analyzing the indications
that they are seeing when the event is transpiring.
MR. BARTON: So in this event, he failed to
fulfill his STA role or, in your opinion, failed to give
advice to the operating crew? In other words, could the STA
have helped the operators in helping to identify whether the
SRVs were operating or not and why didn't he do it?
MR. SUMNER: I would say that I would like to
clarify that during an event like this, the STA is looking
at a lot of parameters, not just the operation of the safety
relief valves.
MR. BARTON: I understand that. That would be one
of the things -- if the operators are trying to operate SRVs
and they're not sure whether they're operating or not in
some -- either the SRO or the STA or somebody should be able
to see that the operators are having difficulty and provide
some advice, guidance, assistance, how about looking at
backup indications, et cetera, et cetera.
MR. SUMNER: It is reasonable to expect an STA,
when he sees that the operator is not getting the expected
indication, that he could go around to the back panel
recorder and try to, from an engineering point of view,
determine that the indications that he is seeing do indicate
that the SRVs are operating and he could come back and
provide that advice to the operators to continue what you're
doing, the valves are operating, but you're not seeing the
right indications.
Yes, that is a reasonable expectation. I'm not
going to say he failed in his duties, because he had a lot
of duties to do, but he could have assisted the crew more
than he did in this particular activity.
MR. BARTON: Do you also have a management
expectation at shift turnover, if the plant goes into a
transient, how the transient is handled with respect to who
takes control, who backs up and doesn't get involved? Is
that a management expectation written down at the station?
MR. SUMNER: Well, the management -- what you have
to -- the picture you have to understand is that during the
turnover that Len is referring to, the entire crew that is
oncoming, as well as some members of the off-going crew, are
turning over in an adjacent room to the control room, to
minimize the distractions that occur as you're doing a shift
turnover, because there is a lot of discussion about what
occurred over the last shift, what is to be done in this
shift, are there any conditions that need to have special
attention paid to them.
At that point in time, in the at the controls
area, the operators are monitoring the operation of the
plant. Should an event occur, as in this case here, then
the supervision comes out to take control of the shift and
the expectation would be that the operators who are at the
controls at that time would assume responsibility for
management of the transient.
In this event here, out of, I think, concern to
help out other operators, we had some of the oncoming
operators also assist in performing activities that you
normally do to manage a transient.
That's not the way we train, and certainly we have
changed our management policy to require that operators now
have to ask permission to become involved in the management
of the event. It has to get direct supervisor permission to
assist in the event.
MR. BARTON: And this is a change you've made
since this event.
MR. SUMNER: Yes, sir.
MR. BARTON: Yes, sir.
MR. WERT: Next page. As referred to earlier, the
operator took manual control of the feedwater flow
controller and this affected the controller's response to
the feedwater transient. I think it's pretty much
understood that the industry has made some advances over the
recent years in controllers on these systems.
This is, in recent years, an upgrade. This is a
complex digital control system, very I'll call it smart
logic, looks for failures, looks for differences in their
inputs and automatically drops out default inputs, that type
of thing, and the operator took manual control of this.
It's not against his procedures to do that, but
the licensee is reviewing that policy and looking at that
closely. Certainly, an operator would be expected to take
manual control of an automatic system if he understood what
was happening that was incorrect with that system.
In this case, it's not clear that what exactly had
happened was understood at the time when he took manual
control.
MR. BARTON: Is this because maybe the operator
didn't have a lot of confidence or familiarity with this
system?
How long was this system installed in the plant,
digital feedwater control?
MR. WERT: It had been installed for several
years.
Lewis, I guess, could again help with that.
I think -- I would characterize it for at least
four years.
MR. BARTON: Okay.
MR. WERT: So, I don't think it was a confidence
in a new system issue.
MR. BARTON: Okay.
MR. WERT: Reactor core isolation coolant restart
guidance and simulator training were not adequate for the
conditions of the event, and we talked about that earlier,
and the licensee has initiated comprehensive corrective
actions in that area.
I mean, as my next bullet implies, the licensee
promptly completed several corrective actions, including a
revision to the turnover process, and Lewis describe some of
that.
For example, they have revised their procedures so
a senior reactor operator is in the control room.
The licensee has also initiated broader corrective
actions to address operations performance issues, and for
example, one of those is the operation of manual and
automatic controllers. I think they're looking at that
across the board.
We noted that, during this event, there were a few
other issues that came up with these automatic controllers.
The HPCI flow controller was actually taken automatic at one
portion during the event, or placed into manual, instead of
left in automatic and dialing back the flow set-point, for
example.
So, it's an area that the licensee is reviewing.
Health and safety assessment -- we discussed that
there was no adverse effect on public health and safety as a
result of this event, was no radiological release, and no
approach to operational safety limits.
The safety-related systems remained operable,
although there were some problems with the important plant
equipment, were experienced, and that's like we described
with the reactor core isolation coolant system.
NRC actions -- Region II dispatched inspectors to
the site and initiated -- initially we initiated a special
team inspection on January 26th. An augmented inspection
team was dispatched to the site January 30th to February
4th, and the exit was attended by several members of the
public that we had on February 4th.
The NRC staff contacted the BWR owners group,
discussed the event with INPO during its weekly call, and
also, there was a response by telephone to an informal Union
of Concerned Scientists inquiry on this event.
Region II continues to monitor the licensee's
implementation of corrective actions through out baseline
inspection activities, essentially the resident inspectors.
On May 17th of this year, the licensee is going to
come in and discuss corrective actions with Region II
management in a meeting, and we suspect that there will be a
lot of discussion of broader corrective actions in some of
these areas that we talked about earlier.
Next slide.
The augmented inspection team was tasked in the
charter to identify candidate generic issues, and we did
identify what we considered to be some potential generic
issues, and we initiated an information notice, and this
information notice was issued on February 11th highlighting
three issues.
We talked about the fact that SRV operation is
slowed, and the indication, depending on tailpipe pressure,
is affected when the valve was passing water instead of
steam. We talked about that earlier.
It's just information to all the licensees. All
the licensees' different indicating systems would depend on
what they necessarily would do with this data.
Procedural guidance for MSIV closure and
set-points for the high-level trips of injection systems may
not prevent complications due to water collecting in the
main steam lines, and we're referring to there that we had
noted that there was several -- there have been several
reactor vessel over-fill events in previous years at BWRs.
In one event, the operators, in fact, did not
close the MSIVs, and our review has indicated that the
guidance on closure of the main steam isolation valves is
somewhat inconsistent between the facilities.
At Plant Hatch, it's a note in the emergency
operating procedures.
We know that, at another Region II facility, it's
in a procedure, not in the emergency operating procedures,
and at another facility in Region II, we know that -- our
review indicates that the operators are trained to shut the
MSIVs, but there is no explicit procedure set up to do that.
CHAIRMAN POWERS: I think this is the really
generic conclusion here; this is the really important one,
to my mind.
MR. WERT: And the last issue we -- again, in the
information notice, we wanted to highlight the reactor core
isolation coolant performance issue.
Next slide.
And my last slide is that we have initiated a
memorandum on April 14th from my Division Director to the
Events Assessment Branch Chief here in NRR requesting review
of two issues, and we anticipate that this will probably
involve interaction with the BWR owners groups and maybe
General Electric, as appropriate.
The two principle questions: To what degree
should water be allowed to enter the main steam lines at
boiling water reactors, and should -- I'm referring to it
loosely -- universal guidance be developed for BWRs, with
specific criteria directing when the MSIV should be closed?
You know, for example, in this event, if you get
all your major injection systems -- high-pressure coolant
injection and reactor core isolation cooling systems and
feedwater systems tripped off and you know that you're not
injecting and the water level is just slightly increasing,
do you want to shut the MSIVs, for example? That's one of
the questions.
DR. WALLIS: Where is the water going? There's a
turbine somewhere downstream, isn't there?
MR. WERT: Yes, sir, there is a turbine, and
there's some other, I think, considerations also on analysis
of the steam lines, as far as whether they can handle the
weight and forces of the water, and we have noted that
that's dependent on the plant, it varies from plant to
plant.
And the other question was the significance and
the specific impact of the water and the main steam lines
relative to considerations in the design and licensing
basis, and one of the major factors that we're looking at
there is the instrumentation, the potential instrumentation
effects.
If you get water in the steam lines, then you
affect the instrumentation attached to those steam lines.
That could complicate events.
We also know that there is variations, for
example, in set points and the level trip systems of the
injection systems between the different BWRs.
We know the high-pressure coolant injection system
at one facility is actually a one-out-of-two logic used
twice type of thing on the high-level trip, which kind of
sounds surprising on an injection system, but that's the way
it is.
So, there are some differences out there that need
to be looked at.
Our team could not conclusively determine if the
design basis for the set point on the injection systems --
whether it was based on simultaneous operation of different
injection systems or whether it just assumed that one
injection system was running at a time, for example. We
didn't get that far.
That's all I have for my presentation.
MR. MARSH: The next part of the presentation is
Vern Hodge is going to discuss the NRR safety assessment.
MR. HODGE: Thank you, Tad.
I am from the Events Assessment Branch in NRR. We
were assisted in evaluating the risk of this event by the
Probabilistic Safety Assessment Branch, and Mr. Dan O'Neal
is in the room to assist in the discussion.
The dominant sequences -- first of all, we used
the risk model for the Hatch plant and applied it to this
event by making some assumptions, found that the dominant
sequences included losing the condenser as a heat sink,
failing to provide adequate high-pressure coolant makeup,
and failing to de-pressurize the reactor to allow
low-pressure makeup.
We're not saying these things happened in the
event but that the risk is evaluated considering the
probabilities of these events.
The probability for losing the heat sink, the
condenser as a heat sink, is modeled by taking little credit
for recovering the power conversion system in relatively
short recovery times.
DR. WALLIS: If you close the steam line, how does
the condenser act as a heat sink?
MR. HODGE: It doesn't.
DR. WALLIS: So, you have lost it.
MR. BARTON: You take away your heat sink, there's
no question of probability; you've actually lost it.
MR. HODGE: Yes. We're talking about the
probability of recovery.
MR. FARRUK: Anees Farruk from Southern Nuclear.
You are right, you could recover the secondary
side by opening MSIVs.
MR. HODGE: Concerning the HPCI and RCIC systems,
we did not change the failure probabilities for those, but
consider that conditional probability for HPCI failure, the
recovery is assumed to be in the plant, not in the control
room.
This was in an effort to model the event that HPCI
did not trip at the high-level set-point but tripped later,
and the idea here was to assume that the probability would
be increased by considering the field recovery rather than
the control room recovery, assumed to be easier, and if the
HPCI and RCIC system were to fail simultaneously, we did not
consider the water coming into the reactor from the control
rod drive pumps.
To account for the AIT finding that the control
room was crowded, we increased the probability for operator
failure slightly.
DR. WALLIS: How do you decide how to do that? I
mean "slightly" doesn't sound very much. Someone makes a
judgement? Does this have any effect anyway? Does this
probability make much difference to the conclusion?
MR. HODGE: I'd like to ask Dan to consider that
question.
MR. O'NEAL: This is Dan O'Neal.
There is a HRA work-sheet, a human reliability
work-sheet that's used for these -- modeling these types of
events, and due to the general confusion and the operator
not being aware of their areas of responsibility, we modeled
that as a work process -- a poor work process, where if
operator is needed to emergency de-pressurize the reactor,
there could be possible delays, and so, we increased the
probability of failing to de-pressurize a reactor slightly
due to the general confusion and lack of awareness of areas
of responsibility.
DR. WALLIS: Well, "slightly" sounds as if it's a
very small thing. How do you decide the probability of
failure?
MR. O'NEAL: We use the HRA work-sheet, which
considers --
DR. WALLIS: Gives you sort of a formula that you
apply?
MR. O'NEAL: Yes. There's basically a process you
follow, and we determined that we could increase the
probability of failing to de-pressurize by a factor of two.
The probability is normally low, and increasing by a factor
of two, it still remains low.
MR. FARRUK: This Anees Farruk again from Southern
Nuclear.
The way we considered that was basically, when we
do the HRA, we take a look at all the -- you know, the
factors which could influence an operator's action, like --
you're talking about stress training, you know, the
pre-conditions, post-conditions.
So, all these things are originally looked into
the PRA, you know, as part of the HRA.
So, it's nothing new that you go through this.
That's the way we look at it, you know.
The only time we will change anything that is in
the PRA in terms of operator actions is if there is
additional events which caused some of the systems to be
degraded. Then you would use a different operator action.
MR. HODGE: So, factoring in these assumptions,
the calculated conditional core damage probability is 1.6
times 10 to the minus 5.
We are considering this event as a significant
event because of several complicating factors: water
filling the main steam lines to the main steam isolation
valves, also the condenser heat sink on manual closure of
the main steam isolation valves, inadequate indication of
safety operation, faulty operation of two steam-driven
injection systems, unclear lines of responsibility in the
control room, and excessive sensitivity to mechanical motion
of the feedwater control switch.
CHAIRMAN POWERS: Let me ask a question about this
"unclear lines of responsibility in the control room." What
precisely leads you to that concern?
MR. HODGE: We're depending on the AIT report.
CHAIRMAN POWERS: Right. I understand. I'm just
asking you to remind, out of the AIT report, what leads you
to say the words "unclear lines of responsibility."
MR. HODGE: We're just thinking about the large
number of people at the controls area and the time of the
turnover as general considerations.
DR. WALLIS: How about testimony from the people
there?
I mean if someone had actually said one reason I
was confused was that my supervisor was not here because he
hadn't yet taken over or something and therefore I was
confused -- did you get testimony from individuals that
there was reason to believe there were unclear lines of
responsibility?
MR. WERT: I can address some of that.
First, I don't think there was any operator at the
time that was confused. I don't think we'd use that term.
DR. WALLIS: Was unclear about lines of
responsibility.
MR. WERT: Right. It connotates a different
understanding.
I think what we're referring to there -- and I'll
give you an example of some interviews that we had with some
of the operators that will help bolster this, but what we're
referring to there is normally, as Lewis said earlier, the
on-shift crew, the dedicated crew, if the event had
occurred, there's specific responsibilities on who's
observing and who's watching and monitoring operator of
injection systems, and in this case, there was some
indications that some of the oncoming crew got involved with
those operations, and it was an assumption on some -- the
different members crew -- of the crew that another member
was doing something when, in fact, they may not have been,
and where that would have been -- I guess one of the
indications of that -- when we initially interviewed the
senior reactor operator, initially, before the licensee had
time to have a detailed session in the simulator where they
went over what they thought had happened during the event
with the operating crew and discussed the failure of HPCI to
trip and some of these other events that had occurred, the
operator had indicated to myself and another team member
that he thought they did a fairly good job of handling the
event, and after his review in the simulator session, he
indicated to us that he had not realized some of the things
that had occurred during the event.
Now, I still think they adequately controlled the
event, but he didn't understand some of the things that had
occurred.
Now, we would expect a little bit of that to occur
just because of how many activities are occurring at the
time, but that would -- does that help give an indication of
what we're talking about?
DR. WALLIS: That was a different subject from
unclear lines of responsibility.
MR. WERT: Right.
DR. WALLIS: The fact that he thought things were
fine and they weren't quite so fine -- that really has
nothing to do with lines of responsibility.
MR. WERT: I was just trying to couple it to an
actual --
DR. WALLIS: Line of responsibility -- it's almost
conjecture that this might have been why someone didn't
quite realize what was happening as much as he might have
done, or it really is traceable to a line of responsibility?
MR. WERT: In answer to your question, sir, I
don't remember an exact circumstance in which an operator
said I assumed that someone else did that. I think you're
correct.
CHAIRMAN POWERS: It seems to me that the line is
just misstated. I think you've got a human operational
environment issue here, but I'm not sure that it's unclear
lines of responsibility. I think it has to do with
distraction and things like that.
You may have -- and it sounds to me like the
corrective action that the licensee has taken to work on his
shift change-over rule is appropriate responsibility. He's
not changing his lines of responsibility.
MR. BARTON: Do you want to address that?
MR. LEWIS: Well, let me give you an example, I
think, os what Len is probably trying to refer to.
When you train with the minimum crew members and
you assign crew members -- one crew member has
responsibility for reactor water level control and all the
systems that control that.
When you have more than the minimum number of
people, then you have enough people to run HPCI by itself,
to run RCIC by itself, and to run the reactor feed pumps by
themselves.
So, there can exist in a situation when you have
more people than your normal minimum crew -- when he's
talking about we have unclear lines of responsibility, what
you're really saying is that probably no one operator in and
of himself has assumed responsibility for reactor water
level control.
There are enough operators that one is controlling
RCIC, one is controlling HPCI, and one is controlling the
reactor feed pumps.
As far as was there any question about who was in
charge and who was directing who, there was no confusion on
that point.
MR. BARTON: Now I understand better. Thank you.
MR. HODGE: That's all our presentation.
MR. MARSH: I have a couple comments, if I can,
please.
Speaking from the generic standpoint, we clearly
have some work to do to look at this event and the
ramifications of it, the recommendations of the AIT.
I want to point to a couple of things that have
taken place in terms of the agency's communication to the
industry about this event.
We issued an information notice early which
contained the AIT's preliminary findings and the concerns
that were expressed at the exit.
We have had discussions with INPO in terms of
their actions, and we are aware that they're working on an
SOER, which is one of their highest levels of
communications.
We also have been in a discussion with the BWR
owners group, and we are not yet far enough along to know
exactly what's happening there.
There were some preliminary plans on their part to
communicate with the industry early. We need to follow that
up to find out where we are in terms of those
communications.
Internally, we need to take the recommendations
from the team and assess them against licensing bases
issues, need to answer the questions about the design bases
for the trip set-points, whether in fact it includes
simultaneous operations of the feed pumps, the RCIC pumps,
and the HPCI pumps, as well as answering the team's concerns
about the design for the logic itself, the timing that's
there, and to answer the question about the MSIVs and the
variation around the industry for how those pieces of
equipment are operated, and we look to help from the owners
groups for some of those questions that may be best served
to ask those types of questions in the industry.
To put this event in another kind of a context,
this was an AIT, and we don't have many AITs, okay? In the
last 18 months, we have had three AITs, and so, that gives
you some sense of the significance of the event.
MR. BARTON: I think between that and INPO's
anticipating an SOR kind of gives us a feel for the
significance of the event.
MR. MARSH: Right. I think so, too.
We also looked at this in the context of the new
oversight process. What does this event tell us in terms of
the veracity of the oversight process? Would we have seen
this, reacted the same way?
We used -- in responding to this event, we used
the Management Directive 8.3, the new Management Directive
8.3, which is a risk-informed process, in order to come to
the decision to man an AIT.
We also asked ourselves whether the work processes
that are involved for determining risk that the resident
uses and in terms of inspection followup are consistent with
the new oversight process, and they largely were.
In other words, the new oversight process mates
with how we reacted in this event, and that was reassuring.
I guess the message that we want to leave with you
is there is certainly work to do, follow-on work coming from
this event.
We think the team did an outstanding job in
looking into this event and the underlying causes, and we
look forward to more interactions with the licensee in terms
of follow-on actions.
MR. BARTON: Thank you, Thad.
At this point --
DR. WALLIS: I think the thing that struck me most
when you were going through the whole technical description
was your points about water in the main steam lines. I mean
you have this question about to what extent should water be
allowed to enter the main steam line and what's the
significance of having water in there.
I would think this is something that must have
been surely considered long ago. I mean it's an obvious
possibility that the water level could rise and water could
get into the steam line and what are the consequences. That
must have been surely addressed by the designers of these
systems.
I'm surprised that the question is still being
raised now as if no one knows what the consequences might be
of having water in the main steam line.
MR. MARSH: That's certainly a part of our
follow-up action to find out to what extent this scenario
was postulated, when and how.
My recollection is that it was -- some of these
trip functions were added later, that this was not part of
the original design, some of these high-level trip
functions, because of this possibility.
A dead weight load has been considered in these
lines, and that's the reason that you would block them so
that you don't exceed any dead weight loads, but dynamic
loads -- my impression is that you want to avoid dynamic
loads and that's why you have these trip functions.
Now the question is what's the bases for those
trip set points to avoid this from occurring and should the
MSIVs be closed, is that a good action or not a good action
in order to ameliorate a high-level situation.
DR. WALLIS: Well, in defense-in-depth, one might
decide to design the thing so even if you did get this water
in there, no one is going to raise a question about is it
going to be too heavy or is it going to impose loads that
are too big, we've just designed it so it's okay.
MR. BARTON: That's good for the new-generation
reactors, Graham, yeah.
DR. SEALE: You've got what you've got.
MR. BARTON: You've got what you've got.
MR. SIEBER: You cannot back-fit.
MR. BARTON: Are there any other questions of the
staff before we hear from Licensing?
[No response.]
MR. BARTON: Hearing none, Lew, would you like to
make some comments?
MR. LEWIS: I've just got some brief comments.
One would be that, on the risk assessment, we came
to a different conclusion on the number for the risk
assessment, and we'd like to have the opportunity, with our
models and our assumptions, to review that with the staff to
see why our conclusions are different.
We came up with -- for a similar calculation -- in
the E to the minus 7th range, not E to the minus 5th range,
and it all depends on what assumptions you make.
MR. BARTON: Sure.
MR. LEWIS: And you come to a different conclusion
depending on the assumptions you make.
So, we certainly want to have the opportunity to
sit down and review and discuss our assumptions on our risk
assessment.
The second thing is that -- concerning the
adequacy of the high-level trips, we did have what's called
a TRACG analysis run by GE where we made assumptions of the
exact conditions that were present.
One feedwater line is isolated, both pumps are
trying at 100-percent demand, HPCI has not tripped at the
right set-point but RCIC did, and to verify -- we were
looking for such things as was there an asymmetric level
condition in the vessel at the time which would explain why
HPCI did not trip?
Well, that analysis didn't prove that out.
We also went to prove that -- were the trip
set-points adequate as part of the initial design basis, and
the TRACG analysis that we did proved that they were
adequate.
So, we believe we've got enough -- this is a
detailed study we've had GE working on for the last six
weeks to make sure that there are no other issues out there
that we know of related to the adequacy of the high-level
trip set-points.
We talked about the fact that we weren't able to
determine why HPCI didn't trip. Well, there's an
explanation for that.
When it did trip, automatically, the first time,
all the evidence was basically destroyed at that point of
how to determine what component may not have worked
correctly, but I will let you know we have put some
compensatory actions in there that exercise that logic chain
so that in the event that it is demanded again to operate,
that we've tried to improve the level of assurance that that
trip function is going to work, and we have reviewed and
still continue to review whether or not we should change the
logic design for the high-level trip.
But the thing we should remember is that actual
design basis for HPCI is to inject water into the vessel and
make sure the core is covered under a small DBA and that it
should trip at a high level, there's no belief that it
shouldn't trip at a high level, but its actual safety design
basis is to put water back in the vessel, which it did
successfully.
There are a tremendous amount of lessons learned
that we've gotten out of this event, and Len has discussed
some of the immediate ones that we've done as far as
correcting some equipment problems, some procedural problems
with RCIC, the simulator model that he referred to, but we
continue to look at deeper issues out there.
We look at our management processes to see, if we
have a RCIC model that does not exactly match the plant, how
did it come to be that way, and does that give us insight
into looking for other models or other issues out there that
we need to look at?
So, we continue to look at that.
We do have a follow-up meeting, as Len referred
to, on May the 17th, where we're going to discuss our
corrective actions, and we'll discuss not only the ones
we've talked about today for the immediate stuff but some of
the deeper issues out there that we continue to explore.
So, we've tried to use it as a learning
experience. I know there are some generic issues out there.
I don't believe determining what is the proper
guidance for closing the MSIVs on high-level will be an easy
thing to do, because as Len referred to, there are different
plant designs and there are different considerations,
depending on which plant you're at, but I believe there is
the importance of making sure that you don't get water in
the main steam line that was certainly brought out by some
of the things in this event.
MR. BARTON: One further question I've got is how
detailed had you looked at your corrective action system and
the effectiveness of it, especially since the history with
the GE SILs and information notices on these switches?
MR. LEWIS: The GE SIL came out in, I believe,
1977, and we did a review in 1977 based on the guidance in
the SIL as to what we should look for.
We thoroughly evaluated that, and we have written
documentation as to how we evaluate it.
We've had one failure of one switch in 15 years,
and that's this failure that Len referred to that happened
in 1996, and subsequent to that, of course, we did a broader
review with this particular even there.
So, one of the issues we do have is when we have
SILs that had been evaluated 20 years ago, is there a need
to go back and re-evaluate them in today's world? We
haven't come to a conclusion on that.
MR. BARTON: I guess the question I would have
there -- and I understand that. I lived through the same
thing with the GE SILs and how far do you go and how much
equipment plant do you change out.
But you had a subsequent failure. Well, you had a
failure after the SIL in '96. Apparently, according to the
AIT, this was classified as a significant event or a
significant issue in your corrective action system, and yet,
four years later, it didn't look like you did anymore
maintenance or change-out of this style switch, and the
reason I'm hammering you on this is, if you look at the new
oversight process and where we're going to risk-informed
regulations, etcetera, etcetera, you know, how robust your
corrective action system is depends a lot on, you know, how
the plant is going to perform and how the NRC is going to
look at your performance down the road.
So, again, you know, I still have a question as,
you know, how robust is your review or your self-assessments
of your corrective action systems?
MR. LEWIS: Well I think the question you ask --
SILs is a narrow area. When you get into other issues out
there -- we do have categories we call significant
occurrences.
We have others that are higher category we call
event reviews, and we do try to -- like you've done with
this event here -- this event met the criteria to have a lot
of study done on, and event reviews meet the criteria in our
own procedures for having a lot of study done, significant
occurrences have less study done but more than just routine,
you know, common occurrences that happen in the plant.
That is an issue that we're reviewing right now.
Does this particular event reveal a weakness or a need for
improvement in the way our corrective action is done, and
for example, would you postulate that you need to create a
self-assessment process for material you've reviewed several
years ago to see if the conditions have changed? We have
not come to that conclusion yet, but it is something we're
studying.
MR. BARTON: I understand that. Thank you.
DR. SEALE: What's the status of the plant now?
MR. LEWIS: The status of the plant -- both units
are at 100-percent power.
DR. SEALE: How long did it take to go back to
full power?
MR. LEWIS: After this event here?
DR. SEALE: Yes.
MR. LEWIS: Approximately -- we were down, I would
say, approximately a week to do all the reviews, make the
procedure changes, re-do the training, do a broadness review
of -- or locate all the locations for the different switches
of this type, categorize them to whether or not -- the worst
postulated action from that switch and what the end result
could be of that to decide which ones we would replace
before we started back up.
DR. UHRIG: Have you replaced any of the switches
in the other unit?
MR. LEWIS: Yes, sir, we have done it. We did
some immediately on the other unit, and then, during the
subsequent refueling outage, then we went and changed out
the other ones.
MR. BARTON: Any further questions?
[No response.]
MR. BARTON: If not, I'll turn it back to you, Mr.
Chairman.
CHAIRMAN POWERS: Thank you, gentlemen.
At this point, I want to dispense with the
transcription.
[Whereupon, at 11:35 a.m., the meeting continued
in executive session, to reconvene in public session this
same day, Friday, March 12, 2000, at 12:45 p.m.]. A F T E R N O O N S E S S I O N
[12:45 p.m.]
CHAIRMAN POWERS: Let's come back into order, and
we'll move to the topic of physical security requirements
for power reactors.
Dr. Kress is our cognizant official on this.
DR. KRESS: I don't know why, but I am.
CHAIRMAN POWERS: Well, because you're very
physical, I suppose.
DR. KRESS: I don't have a lot of introductory
remarks to make except it's awfully hard to make a risk
assessment of security.
I have seen such things in the past, and what I
recall of them are this particular area is a significant
risk. In fact, it may be risk dominant.
So, it's good to pay attention to it, and it's
generally treated in the classical way with regulations, in
the classical sense that there are design basis threats and
defense-in-depth philosophy, and then you use inspection and
a test to see if your system works.
Well, I think one of the problems is that these
tests, challenges to the system have been done in the past
on the sort of -- I presume a voluntary basis.
There's no regulatory authority to require them in
the regulations, but I think one of the things they want to
fix when they're developing -- what they're looking at is
developing a new rule for this area, and that's one of the
things they want to fix.
So, with that as sort of a minor introduction,
I'll turn it over to the staff.
CHAIRMAN POWERS: Before we go to them, I'd just
comment that, within the DOE community, we're concerned
about terrorist-type activities not in the sense of using
nuclear materials to threaten the public population but,
rather, to threaten facilities themselves using -- of
particular interest is gas and biological threat, has become
an area of some currency within the DOE community looking at
-- upon nuclear reactors as a public institution, along with
airports, other government buildings and whatnot, especially
following the Oklahoma City incident, and so, this is
gaining more currency than maybe we had when the Cold War
was at its peak.
DR. KRESS: Yeah. Well, I think one of the things
they're wrestling with is -- in making a rule -- is what are
the design basis threats. I'm not sure how much of that
we'll hear today, but I hope we hear some.
Let's turn it over to you guys.
MR. ROSANO: Good afternoon.
I think that, at this point, most of you know
Glenn Tracy, my boss, the Branch Chief.
My name is Dick Rosano. I'm the Chief of the
Reactor Safeguards Section, and I'm going to try to address
a couple of the concerns that you just raised in the context
of the briefing, realizing, of course, that what I'm going
to be talking about are the regulatory changes that we're
proposing, that we're working on in terms of risk-informing
the regs and that there will be a separate section
afterwards having to do with design basis threat, and I
think, as I go, you will see some of -- you'll pick up some
of my comments about the risk issue and how easy it is to do
and the fact that there are two different kinds of risk that
we're going to talk about.
First an overview of where we've been and what is
driving all of this.
I'd begin by referring to risk-informing 73.55,
and it actually pre-dates that somewhat, because the effort
underway right now began when we started contemplating an
exercise rule that was designed to be the successor to the
Operational Safeguards Response Evaluation program, the OSRE
program.
OSREs, for years, had conducted assessments at the
plants -- force-on-force drills run on scenarios meant to
test the defensive strategies or the protective strategies
of the plants.
We wanted to be able to replace that program with
a requirement to do drills and exercises, and after spending
some time looking at that, we expanded the consideration to
include an entire look at 73.55 and other related power
reactor regulations.
By that, I mean there are certain others like
50.54(p) and 50.90 that control changes to security plans
and commitments made. So, in the context of risk-informing
73.55, we would want to be able to look at the other
associated regulations.
When we did then consider risk-informing 73.55,
the issue of risk in essentially two forms comes up, and we
wanted to differentiate the two types of risk.
One is the probability of event, which I believe
you mentioned, and that really is a very difficult thing to
estimate.
In fact, you will find that most of the sabotage
events that have occurred through history did not come with
a high probability or expectation that they were about to
occur, and the community understands that the Commission,
over the years, has understood that and made various
proclamations relating to it.
Our efforts are not to risk-inform that process.
We are not trying to -- in the context of rewriting these
regs, we are not trying to assign a risk or probability to
an event occurring.
In the later presentation by Roberta Warren from
NMSS, when she does talk about design basis threat, there's
an element of that, and the intelligence community provides
great assistance in understanding what probabilities there
are, but that's not what we're trying to do when we're
risk-informing 73.55.
However, there is another element of
risk-informing the regs that we can deal with, and that has
to do with the consequences, the safety consequences of the
event.
Stripped down to its basics, a safeguards event or
a sabotage event is the initiating event in a safety
sequence, and we can do some risk-informing to better
understand what might unfold from that event.
There are a lot of factors. Obviously, we have to
be able to stabilize the systems at the plant, knowing that
there will not be additional sabotage events within that
context before we can then sit down and assign a
probability, but the regulations are intended to assign some
risk sense or probability or better safety understanding of
what might happen.
Perhaps one of the greatest products --
DR. KRESS: Could I interpret that to mean that
you might be focusing on the conditional core damage
frequency given the event?
MR. ROSANO: Yes, we are.
What we're doing now is trying to base the
regulation on performance criteria and safety criteria using
the design criteria of the operational systems, using that
as the proposed goal of a sabotage event, and then looking
at the probability of the attack resulting in the failure of
one of those design criteria.
We recently wrote in a Commission paper, 00-63,
the six design criteria that we intended to use for that.
I know I'm getting ahead of myself a little bit.
I'll try to be more controlled, but we'll go back to that,
because that's an important point that we want to discuss.
As we began to peel back the layers in
risk-informing the regs, we did find more and more
fundamental issues that needed to be resolved and that we
needed to come to better understanding of.
One was the definition of radiological sabotage,
which goes to your point.
The regulations do define rad sab as an event
which would cause a risk to the public. I've left out a lot
of words, but that's what it boils down to.
Well, the level of risk was not delineated, the
type of event, and so on.
So, we considered -- and in fact, in a Commission
paper, did recommend to the Commissioners that we look at
what is defined as rad sabotage and improve upon the
definition.
The more we worked on that, the more we decided
that, even with a better definition of rad sabotage, we
would still need to come up with performance criteria.
Subsequent to that, we did advise the
Commissioners that we had decided that the proper approach
for beginning this rulemaking was to define the performance
criteria that we expected the plant to maintain in the event
of a sabotage attack and that their systems should be
designed with a goal of maintaining those performance
criteria.
Now, when I said that the licensee or the plant
would need to maintain, another important difference that we
promoted and proposed was that it be a whole-plant response.
Rather than thinking of this as a gun battle in
the protected area, the security force against the
attackers, we wanted to step back from it and accept that
there are a number of other actions that can be taken by
other members of the licensee force -- for example, the
operational staff -- actions that could be taken to mitigate
the consequences of the attack or, perhaps by isolating
systems or components, perhaps defeat the attack, simply
without even the actions of the security force, which is not
to say that we would propose they do away with it, but we
wanted to respect what the entire plant organization could
do, and we took those things into account, and so, the new
rule will consider actions by operators and operational
staff.
MR. BARTON: Would that entail operators leaving
the control room?
MR. ROSANO: It would entail what the licensees
believe are the best means of handling that. In some cases,
I understand some licensees would consider it important to
dispatch operators to the remote shutdown panel and so on.
There are issues like that. Each licensee will have their
own answers.
DR. BONACA: Just a question I have. I remember
approximately 20 years ago there was a review of all the
power plants to identify that you cannot disable the plant
-- let me use the word "disable" now, and we didn't talk
about CDF at that time, or core damage -- that you cannot
disable the plant by one individual in one location, that
there was sufficient separation and diversity of systems in
different locations that you would have -- so, there are
some elements already in place that are still -- because I
remember that, and I remember that there was no further
activity after that, it was the only thing that was done.
MR. ROSANO: That has been better applied in a
safety arena than in safeguards, although it also applies in
safeguards, because the principle that no single act can
defeat the safe operation of the plant is a design feature,
design concept that would also prevent a single act of a
saboteur from accomplishing that purpose. Notice I said a
single act of a saboteur, not a single saboteur. One
individual could do more than one thing.
But it would apply, and I think that that's an
important part of looking at the whole plant response to a
sabotage attack.
DR. KRESS: Does that mean that each plant might
have to have something analogous to the emergency operating
procedures, call it a sabotage operating procedure?
MR. ROSANO: Well, in fact, they already do.
DR. KRESS: They do?
MR. ROSANO: The plants have incorporated what
they call protective strategies or tactical response
strategies.
One of the things that this rule would do would be
to add a little bit of detail to that and encourage
licensees to more formalize their processes for this, but
licensees already do have procedures, and they have -- under
Appendix C of Part 73, they're required to have a
contingency plan, and it's for safeguards emergencies, and
usually that results in things called tactical response
strategies where the security force has pre-programmed
responses to certain types of events, responses that they
practice through drills, and it sends them to certain
positions to respond, depending on what kind of event it is
and what's the likely outcome.
Going on, then, I mentioned the problem with
definition of rad sabotage and the performance criteria, so
now we're trying to deal again with the whole plant and
trying to use and take credit for any of the response
actions that might be incorporated together.
The next item that we found in peeling away the
layers of this issue was the design basis threat and the
adversary characteristics.
The rule -- there are three levels of detail. The
rule says that the design basis threat will include several
persons, and it describes them in general terms.
There is a classified -- in the case of category
one facilities -- a classified description of the numbers of
people, and for power reactor facilities, there is a
description that is safeguards information that describes
the number of people who would attempt sabotage.
The category one facilities need to protect
against sabotage and theft. We consider sabotage for
radiological purposes the only real issue at the power
reactor facility, and the type of threat, the type of DBT
and the size of the DBT would be different for each.
The next layer of detail is what we found
ourselves in while dealing with this problem today, and that
is that these adversaries could carry a number of different
arms or tools or items of equipment and that we needed to
have a clear understanding from which we would work and from
which the licensees would work in order to balance their
protective systems and understand what they needed to deal
with.
This is also considered classified information for
the fuel facilities and safeguards information for the power
reactors.
These characteristics are very important for the
licensees to understand in order for them to comply and live
up to the expected level and very important to guide our
exercises to make sure that we're testing at the proper
level.
The difference between different poundage or
amounts of explosives, different types of armaments needs to
be settled.
Now, NMSS has done extensive work on this, with
the intelligence community and in defining these details.
You'll hear more about that later, but this is
another issue that we concluded needed to be solved in order
for us to get to a more clear understanding of what the regs
should be.
DR. KRESS: Does that description of adversaries
deal with the potential for an insider at all?
MR. ROSANO: An insider is assumed to be part of
the design basis threat for both sabotage and theft, yeah.
Then the last item in terms of overview is the
industry's interim program.
I mentioned the OSRE program, Operational
Safeguards Response Evaluation program. That has been in
place since about 1991.
As of this month, we have completed the first full
round of OSREs in which a headquarters-led team with
regional assistance and contractors has gone to each of the
power reactor facilities, conducted week-long tests,
complete with table-top exercises and scenarios drawn up by
both licensees and the NRC and force-on-force drills,
several of them, not a single one, to determine the adequacy
of protection.
The OSRE program has completed its first full
cycle. Our goal was to replace the OSRE program with this
rule-based system, which we will.
That will take some time to do, and what we wanted
to do was have an opportunity to pilot the new concepts,
pilot the ideas that we would like to incorporate into the
rule as we write the rule, and the industry offered to write
a program that would be forward-looking rather than
backward-looking to a new program that would include some of
the ideas that we've been debating over the months for the
new rule rather than simply incorporating those already used
for the last nine years in the OSRE program.
That program has gone through a few revisions.
It's called the Safeguards Performance Assessment Program --
the title has changed a couple of times -- and that program
has been reviewed and been subject to comment by the NRC.
We've worked extensively with the industry through
public meetings and members of NEI, and that is coming
along. That actually kind of leads us into the next couple
of slides, I'll be able to tell you more about the status,
but in general, the goal is to have an interim program to
ensure that we continue evaluations of security response
strategies, not just security, because we have an inspection
program that evaluates security, and it does a good job of
that, but we would also like to have evaluations of the
response strategies.
So, what we want to do is have a continuation of
these exercises, allowing OSRE to sunset in favor of a
program that looks to the future, and let that program run
until the rule can reach its final state.
CHAIRMAN POWERS: I guess I don't quite
understand.
You have this OSRE program, and now you've got a
proposed new program that's characterized as looking to the
future.
I'm struggling with what's different.
MR. ROSANO: Well, there are several differences.
One is that we would like to have -- the rule, for
example, would require the licensees to develop a robust
program of drills and exercises.
Currently, although many of them do conduct
drills, there's no requirement in the rule that they do so.
So, the voluntary program that they're offering as an
interim program would do that. That's one of the changes.
CHAIRMAN POWERS: But I mean you've done this --
through the OSRE, you have these exercises.
MR. ROSANO: Yes, sir.
CHAIRMAN POWERS: Would they be the same or
different?
MR. ROSANO: The exercises under the interim
program and under the rule would be very similar to OSREs.
They would be force-on-force drills incorporating the design
basis threat standards in those drills, but currently,
because there's no requirement for drills or exercises, a
lot of licensees -- there are some licensees who drill at
different frequencies. Some drill very often, some drill
not so often. It has left us with the inability to take a
snapshot in time at any given time as to what the abilities
are.
The interim program, the SPA, would incorporate
quarterly drills, which is what we're thinking about for the
new rule.
It would have a triennial requirement for
extensive exercises, so that the exercises under the OSRE
program that -- considering that the first full cycle took
eight years, then obviously the full exercises under the
interim program of the rule would be three times as often.
There are some other things.
The design criteria will be looked at.
The OSRE program uses significant core damage as
the goal of the attack, which if you take that and then work
backward, then you'd assume that the licensee protective
strategies only have to be designed to prevent significant
core damage, and that's a very useful approach, but what
we're trying to do is improve upon that, and so, the design
criteria that we proposed in the recent Commission paper
would be tested out in the new program, so there would be a
better understanding of how this would function in the rule.
Certain other things, including means of training
and feedback mechanisms, so that findings in the exercises
would be fed back through the corrective action program, all
parts that we consider essentially to the new rule would be
piloted in the interim program.
DR. WALLIS: It seems to me it's not quite so
simple.
Adversaries, if they were able to get into a
position where they could get control of something and cause
some damage, probably would want to say okay, now we want
something, and you don't know what they control, what they
can do, how far they've gone.
We'd be in a very difficult position negotiating
with people who you don't know what they're able to do, how
far they've been able to do things, and you don't have
information coming out that tells you what they've done.
MR. ROSANO: That's a very specific
safety-oriented question.
The goal of the response strategy should be for
the licensee to maintain control of the operation of the
plant, and so, for individuals to reach a point in the plant
where they could take over control would be considered a
loss of a system.
DR. WALLIS: Do you go beyond that? I mean if
they do reach that point, then you've still got to do
something.
MR. ROSANO: You still have to do something, but
actually -- let me try to differentiate between denial and
defeat strategies.
The licensees, more and more, are going to denial
strategies, which is to keep the potential saboteurs away
from the equipment that might allow them to take control of
the plant, so that they -- in effect, they win, they win the
game if the attackers are isolated or kept out of the
critical areas of the plant.
A defeat strategy would mean, again back to the
notion of a gun battle, would mean killing more of them than
they kill of the licensees. That's not the approach.
So, the point is for the licensee to maintain
control through denial of the areas of the plant necessary
to maintain safe operations.
DR. WALLIS: Assuming once you've lost control,
that's the end of anything you think about?
MR. ROSANO: Oh, no. Certainly we wouldn't just
give up, but now, at this point, what we're talking about is
the safeguards, protective strategies, and the
responsibilities within the program to be able to defend
against losing that control. If the attacker gains control
of the critical systems, there's still actions that need to
be taken.
DR. WALLIS: I think you might be in a position
where you don't know if he's gained control or not but you
know that you happen to have lost your control, but you
don't really know what they've been able to do.
MR. ROSANO: So, anyway, that is the point of the
interim program, is, again, to be forward-looking. What we
want to do is take the best of the OSRE program, of which
there is quite a lot, but to incorporate some new ideas and
to test out where we're going.
We also think of the interim program as an
evolutionary thing. It won't be static. As we learn and
things become obvious to the industry and the NRC, we'd like
to be able to incorporate those.
The second part of the presentation is on
chronology, and in my way of going around the facts, I
probably already covered a lot of this, but I just want to
bring us back to where we were.
In May of 1999, we briefed the Commission, and
actually, what I failed to mention there was that that was a
result of a Commission paper.
The SPA task force, the Safeguards Performance
Assessment Task Force, submitted in January '99 -- it was
SECY paper 99-24, and we submitted our recommendations, and
that had to do with creating an exercise requirement in the
rules.
On May 5th, we briefed the Commission, the
Commissioners, followed with an SRM dated June 29th in which
they instructed the staff to go forward and develop these
recommendations.
That was in June.
It was during the course of the summer of 1999,
through extensive meetings with the -- public meetings,
including the industry, in which more was discussed about
the possibility of opening up the door to consider all of
the safeguards regulations.
I wasn't with the NRC back in the '70s when we
wrote 73.55, and I also know that, in spite of some of the
fixes we've made to 73.55 over the years, we've never
stepped back from it and taken a complete look.
We believe it's time -- the staff has thought that
it's time, and this is a good opportunity for us to
modernize the regulations.
In October, SECY 99-241 was proposed, and that
included all of these concepts, risk-informing 73.55,
including the exercise rule, so a broader look, and that was
approved by SRM in November of '99.
March 9th of this year, we submitted the SECY
00-63.
This was in response to the part of the November
SRM that asked us for a definition of rad sabotage, and as I
described earlier, we tried and could not conclude that
simply an improved definition would solve all the problems.
We concluded that we needed to have design
criteria that would form the basis for the protective
strategies and for the regulation.
We submitted those design criteria in SECY 00-63,
and the Commissioners adopted the recommendations in April
of this year, telling the staff -- directing the staff to go
forward and to work the rule.
So, it's been taken step by step.
In the beginning, we recommended an exercise rule.
After that, we recommended a broader look at 7355 to
risk-inform it, and then, following that, we submitted a
Commission paper in order to show how we intended to base
the rule, on what we intended to base the rule, and that was
the performance criteria.
MR. TRACY: I would also add the Commission
directed us to incorporate the performance criteria in the
interim program that the industry would ultimately take on.
MR. ROSANO: As for future, we are looking at
summer of 2000 -- this program proposed by the industry, the
Safeguards Performance Assessment Program -- the staff has
spent considerable time reviewing it in several different
versions, submitted comments to the industry, received some
feedback from them, and it's been an iterative process.
We hope to be able to reach final agreement and
endorse the industry's Safeguards Performance Assessment
Program. That's what was referred to as the interim program
on an earlier slide.
That would be the program that would allow us over
the next two to three years to test out the concepts in the
rule.
Now, an important point before I go beyond there
is that we intend to continue doing exercises of protective
strategies from here through that time. Those will probably
be in the form of OSREs, because it's a program that's
worked very well and it's well understood.
We will do OSREs on a periodic basis in order to
continue the flow of information about licensees' response
strategies until the time -- and here it says in late 2000
-- that we expect SPA exercises to begin.
The endorsement needs to precede the actual
initiation of the program by some several months to ensure
that the licensees who come up first for the exercises are
working -- are operating under the right rules of
engagement.
CHAIRMAN POWERS: I guess I have -- a couple of
questions spring to mind.
MR. ROSANO: Sure.
CHAIRMAN POWERS: The first one that springs to
mind is I think that the licensees are excellent at running
electrical generation facilities. I am not sure what their
qualifications are for designing terrorist activities.
So, I come in and say, gee, I wonder how one looks
-- goes about formulating and reviewing a proposed SPA
program, what criterion one uses to say whether it's an
adequate one or not.
I mean I know there are other organizations -- I
happen to work for one -- that makes a business out of doing
these things for the military.
Can you tell me more about how it gets designed
and how it gets reviewed?
MR. ROSANO: The document that has been generated
by the industry, that we've been reviewing -- we have
reviewed, in the context of what we know so far today about
OSREs, what OSREs have taught us -- now, the OSRE program
has been -- has enjoyed the benefit of contractors that we
use who are very experienced in this area and who have
helped us through the years.
The document that the industry has proposed
incorporates a lot of those ideas, plus I happen to know
that the licensees typically have contractors themselves who
have backgrounds in this field.
Now, you've reached deep into the subject and
asked a very important question.
It's not just a matter of evaluating the exercise
results, it's a matter of evaluating the program itself, and
so, in fact, that's what I think is one of the strengths of
the new program.
This program, SPA, as well as the rule to come out
-- it's kind of like the difference between, you know,
giving a man a fish and teaching a man to fish.
If we get the opportunity to look at the
licensee's program, the industry's program, and it's a
robust, strong, legitimate program, we can walk away with
greater assurance that things will be conducted properly
even when we're gone rather than just while we're on-site,
and that's the goal of the new initiative.
CHAIRMAN POWERS: The next question that comes to
mind is that I know -- you've certainly emphasized
force-on-force exercises, as well as table-top exercises and
things like that.
I also know that there's a booming cottage
industry in developing computer codes to simulate armed
intervention against incursions and whatnot.
Is that -- do those figure into this program at
all?
MR. ROSANO: Yes. I'm very pleased you asked that
question, because it turns out that, in the last two days,
we've just finished a two-day symposium in which --
CHAIRMAN POWERS: I'm a great straight man.
MR. ROSANO: You can ask questions all day, sir.
A gentleman on my staff in the back of the room,
Al Tartif, put together a workshop that brought to
headquarters here members of Department of Energy, DOD,
Sandia, Lawrence Livermore Labs, and the subject was how do
we risk-inform security regulations, and nearly -- probably
half of those addressed themselves to modeling and
computer-based systems to test it.
There is a lot to be gained from that. It allows
multiple tests of the same strategy either before or after
you run a real exercise.
There's a lot there, and I expect that the
industry will make use of that. It would make a lot of
financial sense for them to do so.
DR. WALLIS: You're always talking about arms and
weapons.
It seems to me that's the most unlikely thing; the
most likely thing is intelligence sabotage, as things get
more and more computerized in the control room, someone
knowing something about the system, slips in some lines of
code which screw up the control system of the reactor, so
that when someone does something, something happens and they
lose control because they're getting false information.
MR. ROSANO: Perfect issue.
In fact, cyber-security is an essential element of
the new rule-based program, and as an aside, I'll say that I
fought to avoid having our group referred to as the physical
protection group, because I think that safeguards has to
include more than physical protection. It could be that, in
the next 10 years, cyber-security may be more important than
physical security.
Okay.
I think we're near the end, in any case, with the
exception of time for some questions.
In May of 2001, according to SRM that's been
generated -- and this now, I think, is a couple SRMs ago --
I can't keep track of which one told us to do which, but by
May of 2001 --
DR. SEALE: There's a snowstorm over there.
MR. ROSANO: Probably is.
May of 2001, the draft or the proposed rule is
expected to be ready for publication, and by November 2002,
we intend to have the final rule in place.
Now, one thing I will say that refers back and
that is that the licensee -- this interim program includes a
triennial cycle of exercises, and the expectation was based
on it taking about three years for us to write the rule from
beginning to end, and so, the licensees will actually be
running drills on a fairly continuous flow during this
period that we're writing the rule so that, by November
2002, we would expect to have had a significant percentage
of licensees who have already run through their drills.
And that completes my presentation.
Any questions?
CHAIRMAN POWERS: I think we can thank the
gentleman for that presentation.
DR. KRESS: I think we have comments from Mr.
Lyman. This might be a good time for him.
CHAIRMAN POWERS: Yes.
DR. KRESS: Thank you, guys. That was very, very
interesting.
CHAIRMAN POWERS: Mr. Lyman, I have enjoyed your
presentations in the past on MOX fuel, and I hope you're as
informative in this area as you were in that area.
MR. LYMAN: I'll try to be.
I do appreciate the opportunity to make a few
comments here.
My presentation, which you should have gotten a
copy of, is based on one which I gave at the RIC a few weeks
ago, and I am grateful to Mr. Rosano for inviting me to
speak at that conference, since I think we're probably
regarded as a pain in the neck.
DR. APOSTOLAKIS: Could you tell us who you are
please? Not all of us know you.
MR. LYMAN: My name is Edwin Lyman. I'm a
physicist with the Nuclear Control Institute, which is a
nonprofit research organization which focuses on nuclear
non-proliferation issues and also issues of nuclear
terrorism, which carry us over into nuclear sabotage, as
well, and radiological sabotage.
We are a public interest group, one of the few who
have been trying to track NRC's developments in this area,
and I think our perspective on the history of this program
and how we've gotten here today is somewhat different from
Mr. Rosano's, so I'd like to at least present some of the
background as we see it, where the issues and the
differences with the industry's position and ours are, and
just comment on the future.
I'll refer most of the details to the document I
distributed.
First of all, as a public interest organization,
we are concerned with the public confidence aspects of NRC's
programs.
In fact, we see ourselves wanting to have
confidence in NRC's programs, and therefore, what we see
forms the basis for our ability to have confidence.
In the issue of physical security and physical
protection, I think it's especially crucial that the
appearance of a robust system is maintained, because the
public has less access.
Even compared to safety issues, a lot of what goes
on in the physical security arena is within a black box.
So, we have to accept the assurances of NRC that
they know what they're doing, that they can assess the
threat accurately, and that the regulations they impose are
appropriate for ensuring that the appropriate response to
that threat is guaranteed, and we have to take their words
for it in a lot of aspects, and appearance is, in the
physical security, physical protection arena, reality to
some extent, since the appearance of making nuclear plants
look like hard targets is a big part of actually deterring a
terrorist threat.
Now, the background to the -- where we are in the
OSRE program is that, back in the summer of 1998, it was
terminated by staff without consulting the Commission.
This was following a rather undistinguished
performance by the utilities, by the licensees in the OSRE
program, in which case almost half of them failed the OSRE
in that they were unable to prevent an entire target set
from being taken out, and according to OSRE, the OSRE logic,
that would lead to significant core damage. So, in almost
half the plants, the mock terrorists were able to achieve
significant core damage.
Needless to say, this was not regarded as -- this
is regarded as embarrassing by some of the licensees, and
they were not happy about having to continue to comply with
this program.
In fact, the measures that they took greatly
exceeded what they committed to in the security plans in
some aspects, and in particular, an average of 80 percent of
-- they employed more than 80 percent, on average, of
security guards for the OSRE program, in excess of what they
committed to in the security plans, and yet they still had
this rather poor response.
So, in our view, OSRE did what it set out to do,
and it was, in fact, the very model of a performance-based
program that NRC wants -- is looking to adopt more broadly
in that there were a set of prescriptive regulations which
were 10 CFR 73.55(b) through (h) giving very detailed
instructions on what the licensees had to do, and the fact
is that, even if they were in compliance with those, they
still were not able to respond to the performance assessment
appropriately, so it revealed there were weaknesses in the
prescriptions that needed to be corrected.
So, after the cancellation of OSRE, there was
leaks to the press, there were different professional
opinions on this, and it led to a rather embarrassing
situation where the White House itself had to call Chairman
Jackson at the time and ask her to reinstate the program,
because major policy speeches had just been given
recognizing the increased risk of terrorism and increased
response by the Government. So, NRC seemed to be out of
step at that point.
DR. KRESS: Do you have any idea of why it was
canceled, the program, in the first place?
MR. LYMAN: Well, there's no hard evidence there.
Chairman Jackson responded to Representative Markey by
saying that there had been complaints on an informal basis
by the industry about this program, it was too expensive.
They really objected to the expense of having to assemble
the additional guards necessary, and it really was a burden
to them.
At the same time, I think NRC staff will say they
were looking at revising the program from the beginning and
this cancellation was simply a way to transition toward a
new program, but it certainly was so abrupt that there
didn't seem to be any kind of transition, and so, the cycle
was not complete at the time that it was canceled.
So, I can only speculate, but it appears,
certainly, that after the performance record of the
licensees at that point, they were anxious not to continue
what seemed to be an embarrassment.
So, going from that point on, the OSRE program was
reinstated, but at the same time, there was an effort to
rewrite the whole rule, as Mr. Rosano has discussed.
The original intent -- well, there was another
point about canceling the program, was that it was unclear
whether there was legal authority for this. Were the
licensees required to endure these exercises to demonstrate
they could deter the design basis threat against
radiological sabotage, and our legal counsel believes there
was authority, but it was decided that that really should be
formalized by a new regulation.
So, originally, I think the intent was simply to
augment the authority in the rule to include an OSRE-like
exercise as a requirement of the licensees, yet I believe
the Nuclear Energy Institute wrote a letter saying it's time
to open up the whole rule, we want to look at everything,
and that was consented to, and we have concerns about that,
that at least what comes out of this process should be at
least as robust as what has happened in the past, because we
don't think -- in contrast to maybe other performance
measures of the licensees over the years in safety, which
has led to the new oversight program, where there's
confidence that, well, they're doing better in these areas,
so we can give them more responsibility for their own
oversight in some areas, this is not one arena where the
performance has been that good, and I would not -- and they
haven't earned the right to self-assessment, in our view.
I'd just like to, as a way of background, describe
some of the core issues that emerged at first.
NEI proposed and the staff was willing to accept,
it seems, changing the definition of radiological sabotage
at the beginning, so that instead of significant core damage
as the standard for OSRE, it would be a weaker condition
that a Part 100 release would not have to be -- you would
have to keep below a Part 100 release.
So, the effect of this would be where if a
successful -- or a failure of the OSRE program would occur
if the entire target set was taken out and significant core
damage would result.
If you went to a Part 100 release, that would mean
you would accept significant core damage. I'd remind you
Part 100 is the type of release consistent with, I believe,
the substantial meltdown of the fuel.
So, what the NEI proposal was really saying is we
would accept enough damage to the plant that we could go to
substantial meltdown of the fuel, but given that our
containment, our emergency planning, and our engineered
safeguards are designed to keep below Part 100 releases,
then we can't afford to have greater damage and still
satisfy protection of the public from a radiological
release.
Now, we found that approach somewhat extreme and
wholly unreasonable, and from a public confidence
standpoint, it just showed to us how out of touch we thought
NEI was with the public, because we don't think the public
would accept if a terrorist attack occurred at a nuclear
plant, that terrorists were actually able to bring
explosives into the plant, blow up safety equipment, blow up
the -- or violate the reactor coolant system boundary, and
yet, because the operators were able to stop this from
becoming a holocaust, a Chernobyl, that that would be an
acceptable and, in fact, not even -- that would be an
acceptable outcome of their physical protection strategy.
Just looking at what happened with the Indian
Point 2 accident where there was no measurable radiological
release, you looked at the public response to that, you just
see that that is really extreme.
I think the public believes and should believe
that the physical protection at nuclear plants can prevent
damage, any kind of damage, from being done to the plant,
whether or not it's a critical safety system.
So, we think going to a Part 100 was a mistake,
and to NRC's credit, they arranged their SECY paper and
their own recommendation to be based on performance
criteria.
This is closer to the way the original OSRE was
structured.
In other words, you want to make sure that you
have enough equipment in place so that you can bring the
plant to safe shutdown and you maintain core cooling, though
they were willing to go beyond that point and say that that
was acceptable.
However, at the same time, there are some aspects
of the plan going forward that we are concerned about.
This session started with the question about
risk-informing this process.
We don't think that it's necessarily a wise thing
to risk-inform security, to try to link security so closely
with safety issues when, in our view, they are really
different animals, and that's because, when you're dealing
with intelligent adversary, what they are capable of doing
is completely different from a dumb equipment failure.
You know, if you have one spontaneous equipment
failure, you can figure out what the probability of that is
going to be. If you have two spontaneous failures, that's
generally more unlikely, unless it's a common mode failure.
But if you have an intelligent adversary who might be an
insider, who might have access to everything you know, to
your severe accident management guidelines, to your
emergency planning, they know what you're going to do, and
it will be a chess game.
There is no way to estimate the probability of the
capability of that insider to bring this plant to a
meltdown. So, we don't think that it's really necessarily a
wise idea to risk-inform this process in the same way.
We're all in favor of using better knowledge of
what the critical safety systems are, what the weak points
of nuclear plants are in designing a protective strategy,
but in our view, that is not going to lead to a -- that
wouldn't lead to a relaxation of what you can protect, and I
think it's pretty well known what you have to protect.
Now, the other aspect of this which is related and
came up is the increased reliance on operator actions in
assessing the consequences of an attack.
We do not think that it's wise to go to increased
reliance on operator actions in this way, especially if an
entire target set is taken out.
If you look at the latest draft of the industry's
self-assessment program, which has turned from SAP, which it
was a few weeks ago, now to SPA -- it doesn't seem to be a
self-assessment program anymore, but their own plan -- they
were still, as a few weeks ago, saying that even if an
entire target set is taken out, we still want to have the
opportunity to be given credit for preventing significant
core damage if we can show their operators would be able to
intervene that way, and our response to that is, if you're
willing to give operators credit for those types of actions,
that has to be demonstrated, that capability has to be
demonstrated either on a simulator or through a human
reliability assessment.
There has to be some way. You can't just take
their word for it.
DR. KRESS: Let me ask you about that.
It seems to me like that's analogous to what we
call severe accident management, where the operator has
severe accident management guidelines to do whatever he can
with the existing systems, given what he knows about how the
accident is progressing, to try to stop it, and I think
that's a good idea.
Even in the case of a sabotage effect, it would be
nice for somebody to have pre-thought out what the operator
might be able to do, with whatever parts of the system that
he still has control of and is functional, to be able to
stop it. So, to me, it's thinking out the process and
putting down ahead of time what he might be able to do,
which seems like a good idea, whether you take credit for
that or not.
MR. LYMAN: No, I absolutely agree with that, and
I have no complaint about thinking these things through more
carefully, but in my view, when you are evaluating an
exercise, that that should go into the margin and shouldn't
be given credit --
DR. KRESS: Shouldn't be part of the performance
evaluation.
MR. LYMAN: Right, unless they can demonstrate it,
because I mean if you have -- God knows what kind of
complicated event you have and you don't know if the
adversary, like I said before, an active insider has -- as
someone mentioned before -- has interfered with the
electronics, with the instrumentation systems -- maybe
they've thought out everything that you would do.
I mean they have these plans, and they say, you
know, if you want to -- if you're going to scram the plant
or you're going to de-pressurize the coolant system or
whatever, that I'll be one step ahead of you, and so, unless
you can really assess that appropriately, then you shouldn't
be given credit for it unless the operators can be
demonstrated, if they're given all these -- you know, the
variety of scenarios, and I just think this would greatly
complicate the evaluation, because if you tried to think
through all the possible scenarios that an insider could
create to confuse, I think that would increase the licensee
burden.
I don't know why they would want to do that kind
of exercise.
I think it's just easier for them to show they can
keep saboteurs from bringing explosives to a vital area.
So, you know, if they want to go through that
exercise, I just say they have to demonstrate it credibly or
they shouldn't get credit.
In the existing OSREs, for instance, if a security
guard has some sort of fantastic shot, if their success
depends on what might be viewed -- you know, a shot that
requires considerable skill, they're taken out to the firing
range and asked to demonstrate -- I understand a recent one,
that they tried to take credit for a shot that couldn't be
demonstrated.
I'm just saying that has to be -- that should be
done the same way. You want credit for it, you demonstrate
it, and that's why I would urge you to try to recommend that
some sort of robust means for demonstrating that is
implemented.
I think that point's been driven home.
The last aspect now, the design basis threat -- we
have a few concerns with what's been going on in that area.
One is that the adversary characteristics
document, which is just released -- in our view, at least --
the public can't see that, because we're not cleared for
safeguards information, but it's our belief that this is
based on the best intelligence judgement, information
judgement to date, and I was under the impression that that
document would not be sent to industry for comment.
In fact, a few months ago, Mr. Rosano made the
statement that it was a finished document.
When NEI wanted to see it and comment on it, they
were told at that time that it's not for comment, which
seems reasonable to me, because I don't think they have the
capability for any type of independent intelligence
assessment of what's a reasonable threat, but I understand
that the document was sent out, was offered to cleared NEI
personnel for review, especially for its impact on
operational and financial aspects of the plant's operation,
and that troubles me, because I don't know what that
feedback is actually going to do to the document itself.
The other aspect of this I'm concerned about is
the lack of a mechanism for testing at one point against the
entire design basis threat.
The design basis threat is a set of different
capabilities in the industry's latest plan for their
program. They do not say at any point that they are going
to run an exercise with the entire capability of the design
basis threat at once.
What they say is we might run different pieces,
test different aspects of the threat, then put it all
together, but that, to me, is not credible.
If you have a design basis threat, then there
should be at least one evaluated exercise where the entire
capability is active at once, and that includes the
possibility of an active insider, which I believe you asked
before if insiders were evaluated in the past or were
present in the past, and only passive insiders who could
give information but do not actually take part in the attack
and didn't engage in any of these other activities of trying
to interfere with systems, and so, clearly, an active
insider is a component which really should be brought to
bear, and especially the impact of an active insider on the
operators if they attempt to intervene, clearly that could
be neutralized.
So, another aspect of the -- of trying to bring in
operator actions is you have to consider malevolent operator
actions, as well, or the ability to neutralize operators,
and that would increase the range of possible targets, I
think.
CHAIRMAN POWERS: Let me ask a little question
about that.
Suppose I did have an operator that was in cahoots
with an outside force, attempting to do something.
Wouldn't, in fact, any activity that he undertook be
promptly detected by the rest of the operational staff?
MR. LYMAN: That's certainly a possibility, but
you know --
CHAIRMAN POWERS: Under active supervision.
MR. LYMAN: Yes. Certainly, there are mechanisms
that -- of course, that are designed to prevent -- for it to
be able to detect that, but I couldn't say that, in every
instance, that would be detected, or if an operator that was
fully aware or placed highly enough, you know, in the
security organization of the plant couldn't bypass these. I
mean it depends on your assumptions, and that's something
which is still not known to the public.
I don't know what's assumed about the capability
of operators, but the possibility has been raised about
someone who prepares for this incident by walking through
the plant, making small changes that might remain undetected
but cumulatively would have a big effect when the actual
attack occurred.
So, I'm sure you could dream up scenarios. The
question is how do you judge which are credible and which
aren't? I don't think there's a way to put a numerical
value on them.
Finally, on the -- what was called the
self-assessment program and is now something else, the --
there have been concerns that, like I said before, the
industry hasn't really earned the right to have greater
oversight in this area, yet that's what they're asking, and
that's why the initial phrasing was self-assessment program.
This is one big difference between OSRE and what
they're contemplating, is that there would be potentially
less oversight in certain arenas, and this is what we are
not happy about seeing.
We think whatever comes in the future has to have
something as stringent as OSRE.
If they are more frequent, that's all to the good,
but they have to have the ground rules that are at least as
stringent, because there's no evidence that they should be
relaxed at this point, until the industry can demonstrate
repeatedly they've corrected the vulnerabilities that have
been shown in the past.
So, with that, I'd conclude.
Thank you.
DR. KRESS: Well, you've certainly give us some
good food for thought, and we appreciate you coming by.
I might ask if anyone has any questions of Mr.
Lyman.
DR. BONACA: You had some comments in your paper
on the process. You did not elaborate on that.
MR. LYMAN: Well, this is difficult for someone
from the public to actually say, but having sat in on the
series of meetings since the beginning of this year, which
are -- is part of what you might call interactive
rulemaking.
I would have to say that, because of the lack of
resources of public organizations like ourselves, we can't
participate on the same level as the industry can, and what
I've seen in these meetings is almost like a contract
negotiation, where the industry is writing its own
documents, NRC has commented line by line, and the industry
has quarreled with almost every change.
Some of them they take, some of them they take
back for consultation, they bring the document back the next
time and it hasn't been changed, and it hasn't -- it doesn't
seem to be the best or the most efficient way, first of all,
since there was a debate for several months about
radiological sabotage and the same arguments kept coming
back to the fore.
Because of this inequity, I would almost say that,
unless the public can marshal the same resource to
participate as equal players in this, that it might be worth
putting more distance, again, between those writing the rule
and those commenting on the rule, and of course, I would
prefer more public access, more public resources, but in the
absence of that, which doesn't seem very realistic, I don't
know, I think it's a problem which has to be looked at.
Other aspects like 10 CFR 70, which is also this
interactive rulemaking -- we haven't been able to
participate at all in that, and yet, I understand there's
significant industry participate in the rule writing.
DR. KRESS: That's a very interesting comment.
I understand that NEI would like to make a
comment.
Than you, Mr. Lyman. We appreciate you coming by
and giving us your views.
MR. DAVIS: Good afternoon. I'm Jim Davis from
Nuclear Energy Institute. I've been working security there
for about six years.
I noticed the NRC staff provided you three slides.
I handed you 13. Don't worry, I'm not going to go through
every one of the slides, but I thought I'd provide some of
the information as background material, and let me refer
just to a few of those.
What's OSRE? I mean it seems like that's sort of
a magical word.
Perhaps a way to look at it is similar to some of
the other baseline inspection programs we've seen in the
past, and as you approach the end of that baseline program,
you say what have you learned and what should we do in the
future, and I think both the NRC and the industry are at
that point right now.
Last week, we completed the last inspection -- the
last of the first series of inspections. Every facility has
now had an OSRE.
So, you sort of finish the baseline and you say
what do we do next, and I think you actually will find that,
in the last couple of years, NRC staff has done a
significant amount of work to try to figure out where they
want to go in the future and what's the optimum way to
capitalize on the lessons learned in the OSRE.
Let me emphasize that an OSRE is basically a
facility-run exercise observed by the Nuclear Regulatory
Commission staff.
The adversary is provided by the facility. The
training of the adversary is provided by the facility.
So, a preponderance of this is a facility-run
exercise that's observed and critiqued and evaluated by the
staff.
We had a whole list of SECYs earlier, but one of
those SECYs, 99-024, very early in the process -- and this
was the Safeguards Performance Assessment Task Force that
did really a holistic look at the process -- is saying we
think that there's more opportunity to integrate the
licensee into this process and get the industry more
involved and more responsible for the set-up, run, and doing
these things.
Remember, an OSRE is an eight-year cycle. Once
every eight years you were getting an OSRE.
Out of that process and in discussion with the
staff, the staff came up with what was referred to earlier
as the exercise rule, and look at these elements. Licensee
develop target sets, licensee develops areas, licensee
conducts drills and exercises, licensee evaluate, licensee
correct the deficiencies. It looks like a lot of licensee
words. Keep that in mind.
We looked at that and said we've learned something
from the OSRE process, too, and what we've learned, what the
industry has learned, is if you take a deterministic rule
and try to do performance-based evaluations against that
rule, you're in big trouble.
That has been our most significant issue, and in
the discussions over the last year, we have said it is
absolutely essential, if you are going to hold the industry
responsible for performance instead of compliance with (b)
through (h) in the rule, you want us to perform at a certain
level, we must understand what the underlying criteria are
for that performance.
We've got to design to those criteria, we've got
evaluate to those criteria, and we'd appreciate it if
somebody would provide oversight to those same criteria.
We felt it was absolutely essential that, to
achieve this performance base, that the holistic look needed
to be taken at the rule, and Mr. Lyman is absolutely right,
on August 31st we sent a letter to the Chairman of the
Commission saying the industry feels we need to completely
rewrite the rule, and that's going to take three years, and
we agree that we need to go on, and that's when we made the
proposal that we would take the concepts and precepts that
had already been developed and discussed with the NRC
Commission and we would try to put them into an interim
program as we move forward.
But the biggest thing is assessment against what,
and I think when you kick us out of here, you're going to
discuss one of those activities, is what is the adversary
that we are working against, because we need to understand
that in detail just as much as anybody else, because it's a
fundamental of the design of our program.
But let me tell you what this core program
contains. It's procedures for developing target sets. Go
back to the first slide. What did it say? You wanted us to
develop target sets, procedures for developing scenarios, a
three-year cycle of drills and exercises, not an eight-year
cycle, a three-year cycle, something that the licensee is
responsible for.
The drills are evaluated.
Deficiencies are handled within the training and
corrective action program, and at least once every three
years, an evaluated exercise, a holistic look at the program
that demonstrates the six key elements of the program, and
those are the same key elements that the staff has been
talking about for many years as they go through the
discussion of what they consider important in the OSRE
process and they try to train the -- and help people get a
performance-based view of what they're going and the
expectation that the NRC staff would be observing those --
and critiquing those particular exercises.
So, I guess what I wanted to just bring to the
table today was that, one, the industry feels that it's time
to rewrite the security regulation to take advantage of the
performance insights that we have all gained from the OSRE
process.
We agree that a compliance-based rule is not the
most effective way to maintain security in the current
environment that we have today and that the program we are
proposing, in fact, is exactly what the staff wants to put
forward in the rule, and we think that there is an excellent
opportunity to test these concepts over the next several
years as the rulemaking process moves forward, so that at
the end we put in the rule some words that in fact will work
within the program, and I think you all are aware of several
rulemaking efforts where we've had to come back and change a
rule because, in fact, when you started writing the
implementation guidance after the rule was done, you found
out it didn't work quite the way you wanted it.
So, we're enthusiastic about this process, and we
think it's going to be a good effort.
DR. KRESS: What is the problem with you guys, the
licensee, knowing what the design basis threat is? Is that
a security issue or what?
MR. DAVIS: No, sir. The design basis threat or
the characteristic -- the detailed characteristics --
DR. KRESS: Detailed characteristics.
MR. DAVIS: -- are classified safeguards, and the
security manager at every facility is cleared for safeguards
information.
Clearly, the security manager has to know what
he's working against.
DR. KRESS: Is there a reluctance to let you guys
know what you're having to guard against? Is there some
reluctance?
MR. DAVIS: I don't fully understand the history
and what's gone on in many years.
The problem I think we've faced is we started out
with a deterministic rule.
When you tell me I have to build an eight-foot
fence and have to have .2 foot candles of light, I don't
need to know much more than that.
So, nobody went through the exercise of clearly
defining what radiological sabotage meant, how Part 100 was
applied, which is a siting criteria, how it applied and how
we cross-connected it across the entire plant, but when we
get into the performance base, those issues become important
to us, and as we get to the end of the process and we look
back and say, gee, part of the problem we've had is we have
not understood in the field the performance criteria that
we'd expected at the same level that some on the staff or in
other areas had.
Therefore, we need to -- you know, let's look
forward.
I don't know history, but looking forward, we need
to clearly understand what the adversary is and what the
performance expectations are.
With those, then we can ensure that our program is
adequately designed, and this is not -- don't come once
every eight years and say here is the criteria I am using to
evaluate your performance, give them to us up front, we'll
design our system, and you can look over our shoulders
periodically and make sure we're performing to that
criteria, and although -- and I don't have -- I guess I've
got do a better job of selling that, because to me, that
seems like, you know, an order of magnitude improvement on
what we've been doing in the past.
This is not the industry trying to do away with
security regulations.
We're not asking to do away with the guard forces
and that kind of -- we're asking for -- to actually move,
really move into the performance-based approach to
evaluating the effectiveness of security that's at the
plants.
MR. SIEBER: Are you trying to save money?
MR. DAVIS: I didn't say that.
MR. SIEBER: All right. I withdraw my question.
MR. DAVIS: Well, let me answer your question.
The problem that we face is we have some
performance -- some deterministic requirements that are
levied on the plants today that, in fact, contribute
absolutely nothing to the overall public health and safety.
At the time they were put in place, they probably
looked like good requirements, but they are sitting there as
requirements.
So, we, in fact, sometimes have people doing
things that we look at now do not contribute to the overall
capability to counter a terrorist attack or prevent a
terrorist attack.
By making some of those deterministic things go
away, focusing on the performance aspect within the same
resources, we, in fact, provide a higher level of assurance
that our security organization is going to perform its task.
So, it's a shift in the focus of resources, is
what you're really looking for.
MR. SIEBER: I don't know if I'm allowed to ask
this question, but could you give me some examples of things
that you think are deterministic that don't contribute to
the overall mission?
MR. DAVIS: Well, one good example is the original
rule you have a requirement to have .2 foot candles of light
in the perimeter zone.
At the time that that was put in effect and the
electronic surveillance systems that were available, that
was probably not a bad requirement for lighting.
As we look forward with the improvements in
electronics, you probably don't need that high an intensity
in lighting in all areas to provide adequate surveillance.
What's the performance criteria? The performance
criteria is it is able to monitor, observe, and determine
what is moving in that particular area, not that you have a
certain fundamental lighting requirement.
So, there's one example.
MR. SIEBER: It actually goes -- it's not only
what is moving, but it could be something that isn't moving
but doesn't belong there.
MR. DAVIS: Yes, sir. I mean a variety of things.
MR. SIEBER: And so, you would give your response
officers and your watchmen these surveillance devices in
lieu of keeping light-bulbs lit?
MR. DAVIS: I think what you will find is the
lighting requirement would be commensurate with the
surveillance equipment that you're using in that particular
case.
MR. SIEBER: So, it would be one or the other.
MR. DAVIS: Defining lighting in this area and
defining the electronic equipment standards you use in
another area.
The issue is can you observe and categorize what's
going on in that particular -- I mean that's one example.
MR. SIEBER: Do you have any others, or is that
the most prominent?
MR. DAVIS: That's just one example. There are
lots of others. They all run in the same arena. I hate to
get into details, because you end up spending five or six
minutes trying to explain the entire background so that the
thing is -- the relevance of the issue is a little bit -- it
takes some technical detail to understand why something is
or isn't important.
I guess which brings me to one more thought, if I
can inject this.
I would like to make sure you understand that we
have professionals in the industry that are managing
security. These are security professionals. I am not a
security professional.
They know what they're doing, and they came from
the same background as all the contractors and everybody
else that we've been talking about.
The industry does have the knowledge and does have
the capability to set up realistic and challenging
exercises, and whenever the question came up, we do have our
own contractors that we use in this business to help us get
an independent look.
DR. WALLIS: Mr. Lyman spoke of a situation where
you might find yourself in a sort of chess game with some
intelligent intruder. I just wonder how you figure out that
you're going to win that chess game. I'm not sure that
regulations help you very much in that sort of adversarial
confrontation.
MR. DAVIS: Developing defensive strategies
requires a lot of work.
Table-top exercise, as mentioned earlier, is one
of the techniques you use, and you pick a variety of
scenarios and you start playing the what-if game -- if, what
if; if, I will -- and you run through those various
scenarios and you develop your defensive strategies for the
broad case lot of what you're doing.
You work in adversary characteristics against your
target sets, and you run in your various scenarios, where
your responders go in those various cases, what advantage
you might or might not have in a particular situation, where
your vulnerabilities are, and then changing your procedures
to fix those cases.
So, basically running those kind of what-if cases
is a significant part of the development of the security
plan and the contingency response plan for a particular
facility. The drills and exercises is one of the tools you
use to validate the plan in that you run --
DR. WALLIS: I was more concerned with the
intelligent adversary game, that usually security personnel
are not chosen for superior intelligence. You don't want
them to have to make lots of decisions based on
chess-game-type things. You want them to react exactly as
trained, and I wonder how you anticipate, then, the
chess-game-type adversary.
MR. DAVIS: Management is making these decisions.
I guess I can't accept the statement that our security
personnel are not very highly trained or skilled at what
they do.
DR. WALLIS: No, they are. They are very well
trained and skilled, but it's not in the chess-game type of
adversarial setup.
MR. SIEBER: Maybe I could address that a little
bit.
I think in any job classification, you have a
range of people from watchmen all the way up to your
response people plus your management, but security in a
power plant, having worked in one for many years, is a team
between management, security, and operations, and so, you
can't look at it just as the uniformed security force, you
have to look at it as a broader team.
MR. DAVIS: I agree, it's a total team concept.
DR. KRESS: One more question, then we're going to
have to move on.
DR. BONACA: I thought I understand -- I mean Mr.
Lyman said that there was a significant failure rate of the
OSRE exercises.
If I understand what you said, it's that you trace
back that one to the fact that there are deterministic
criteria at the plants and the criteria used by the NRC to
evaluate performance by the staff are not clear to the
staff.
MR. DAVIS: The performance criteria, in some
cases, has not been adequately defined.
I think Mr. Lyman likes to make a statement that
half the people fail, but unfortunately, I think, if you go
back and look at the situation, you'll find that there are
very few cases where a finding, an actual violation of
regulations was issued as a result of an OSRE inspection,
and you have the difficulty of taking an opportunity to find
a weakness in your program where you can take some other
actions to improve the strength of it and you turn that into
a -- into, gee, it must be a failure instead of here is a
way of doing business that will improve you, and that's
where I'd like to sort of compare this to some of the other
inspections.
Very frequently you find you're in compliance with
regulations, but in fact, there are other ways and other
things you can do that still comply with regulations but
improve the performance and reduce the risk of the system.
DR. BONACA: You said going to performance-based
exercises, then that would result in some other issues with
OSRE. That's why I was trying to understand where you saw
these performance-based, you know, exercises being a
resolution of the issues.
MR. DAVIS: I think the underlying issue is OSRE,
in trying to look at performance, has shown that using a
deterministic rule approach does not give you a program that
clearly identifies and overcomes all the potential
vulnerabilities.
I thank you very much for your time.
DR. KRESS: Thank you.
I guess that now is the time that we're going to
-- we can go off the transcripts, because we're going to go
into the closed portion of the meeting.
[Whereupon, at 2:08 p.m., the meeting continued in
executive session.]
Page Last Reviewed/Updated Tuesday, July 12, 2016
Page Last Reviewed/Updated Tuesday, July 12, 2016