472nd Advisory Committee on Reactor Safeguards - May 12, 2000
UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
***
MEETING: 472ND ADVISORY COMMITTEE ON REACTOR SAFEGUARDS

U.S. NRC
Two White Flint North, Room T2-B3
11545 Rockville Pike
Rockville, MD

Friday, May 12, 2000

The committee met, pursuant to notice, at 8:30 a.m.

MEMBERS PRESENT:
DANA A. POWERS, Chairman
GEORGE APOSTOLAKIS, Vice-Chairman
JOHN J. BARTON, Member
MARIO V. BONACA, Member
THOMAS S. KRESS, Member
ROBERT L. SEALE, Member
WILLIAM J. SHACK, Member
JOHN D. SIEBER, Member
ROBERT E. UHRIG, Member
GRAHAM B. WALLIS, Member

C O N T E N T S

ATTACHMENT
INTRODUCTORY STATEMENT
HATCH UNIT 1 SCRAM WITH COMPLICATIONS (AIT)
RISK-INFORMED REGULATION - IMPLEMENTATION PLAN
OVERVIEW
SELF-ASSESSMENT PROGRAM

P R O C E E D I N G S
[8:30 a.m.]

CHAIRMAN POWERS: The meeting will now come to order. This is the second day of the 472nd meeting of the Advisory Committee on Reactor Safeguards. During today's meeting, the committee will consider SECY 0000-62, risk-informed regulation implementation plan. An operating event at E.I. Hatch Nuclear Power Plant Unit 1 is particularly interesting to us because I believe Hatch will be the next plant coming in for license renewal. Reconciliation of ACRS comments and recommendations, physical security requirements for power reactors, future ACRS activities, report of the Planning and Procedures Subcommittee, and we will examine some proposed ACRS reports. A portion of the session associated with physical security requirements for power reactors will be closed today to discuss safeguards information. There will be some special procedures we will have to follow for that process. The meeting is being conducted in accordance with the provisions of the Federal Advisory Committee Act. Mr. Sam Duraiswamy is the Designated Federal Official for the initial portion of the meeting. We have received written comments and requests for time to make oral statements from Mr.
Edwin Lyman, of the Nuclear Control Institute, regarding physical security requirements for power reactors. A transcript of portions of the meeting is being kept and it is requested that speakers use one of the microphones, identify themselves, and speak with sufficient clarity and volume so they can be readily heard. As an item of interest, it is my understanding that Mr. Bohnert is now doing fine, for the members that might be interested. With that, I will ask if any of the members have comments that they would like to make as an opening statement. Seeing no pressure to do so, I will turn to the first item of our business, which is the risk-informed regulation implementation plan. I believe this is a name change for something we used to call the PRA implementation plan. Professor Apostolakis, I believe you are going to lead us through this. DR. APOSTOLAKIS: Thank you, Mr. Chairman. The staff is here, Mr. King and Mr. Cunningham, to talk about the comprehensive strategy, that includes the objectives, goals and timeframe for the transition to risk-informed regulation. With that, we are very anxious to hear your story. Mr. King? MR. KING: Though his name is not on the viewgraphs, we invited Mr. Holahan to join us, as well. DR. APOSTOLAKIS: As long as he identifies himself. MR. KING: For the record, my name is Tom King, from the Office of Research. This is Mark Cunningham, the PRA Branch Chief from Research, and Gary Holahan, Division Director from NRR. What we want to talk about today is sort of an information briefing. We're not asking for a letter from the committee on this. What we're talking about is a program that's work in progress right now. As you mentioned, this used to be called the PRA implementation plan, and I'll get into that a little further as to why we've changed the name and what the objectives and so forth of this document are. 
Even though there's only three of us at the table, this does involve all the major offices, Research, NMSS, NRR, and will also involve the folks in Admin, the training people. We will involve their help in putting together a communications plan and I think certainly the international activities of the agency, there's a lot of international interest in risk-informed regulation, so this plan will also be of interest to them. So there's more than just the three of us sitting up here. CHAIRMAN POWERS: Let me ask you, do the senior reactor analysts in the regions get involved in this planning activity? MR. KING: Say that again. CHAIRMAN POWERS: Do the senior reactor analysts in the regions get involved in this planning activity? MR. KING: So far, they have not gotten involved in this planning activity. I think somehow we're going to have to get them involved. CHAIRMAN POWERS: They seem like a very central component in all of this, especially with the new oversight process. MR. KING: They've certainly been involved in the new oversight process and the training and communications that go along with that. In terms of the option two and option three work, they have not been involved in the option three work. I'll let Ed talk about the option two work. MR. BARRETT: I don't know that we've had them involved at this level of planning, but we do have regular counterpart meetings with the SRAs to discuss issues related to the -- mostly to the oversight process and to the process for risk evaluation of events. We have twice-yearly counterpart meetings with them and, of course, we have regular communications on a day-to-day basis on specifics. MR. KING: I think that's a good point. It probably would be worthwhile specifically getting their feedback and input on this. DR. APOSTOLAKIS: Why don't you call these risk-informed, performance-based regulation implementation plans? Why do you leave out performance-based? I mean, the oversight process does utilize performance-based metrics. 
MR. KING: And there is a performance component. One of our five principles is performance monitoring. Basically, we left it out because even though, in risk-informed regulation, we're going to look, if we make a change to a regulation or requirement, we're going to look and see if we can do that in a performance-based fashion. There is another activity taking a look at other things that are not risk-informed to see if they can be made performance-based. So we didn't want to imply that this plan included the other plan that's underway, as well. DR. APOSTOLAKIS: So it's a bigger issue then. MR. KING: It's a bigger issue than just risk-informed activities. What we've worked out with the folks leading the other plan, the performance plan, is that if we're going in and looking at a regulation to be risk-informed, we will also look at the performance-based aspects of that, so they don't have to do that. They're really going to focus on the things that aren't being touched as part of the risk-informed activities. DR. SEALE: Is there the reciprocal of that agreement, that if the performance-based people find a potential indicator that might have risk implications, that you will somehow coordinate with them? MR. KING: I think if they find something that they feel we should look at in a risk-informed fashion, yes, they will bring that to our attention. Just as far as the organizational aspects of this plan, Research is the keeper of the plan, but we're certainly not the full author of the plan. As I said, it's going to involve a number of offices. Just by way of a little background, as you mentioned, the PRA implementation plan has been around since 1995. It basically was organized by office and it listed the things the office, the various offices were doing in the risk-informed world. It had been updated -- CHAIRMAN POWERS: Would you call that a plan or would you call that a listing of activities? MR. KING: I call it a catalog. CHAIRMAN POWERS: That's what I would call it. 
MR. KING: Part of the problem was that you could look it and see what was being worked on today, but you couldn't tell where did you want to go in the future and how did these things cut across the offices and how are they being coordinated and integrated. We had an audit from GAO on the risk-informed regulation last year. They issued a report that basically said the agency doesn't have a strategy for where it wants to go on risk-informed regulation. It has a lot of discussion, but where do they want to go. So they suggested we develop what they called a strategy. The Chairman, Chairman Jackson, at the time, agreed to do that. We provided the Commission an outline in January of this year. Then in SECY 0062, we provided to the Commission some example sections of what that document might look like in terms of its scope and depth, and we'll talk a little bit more about the scope and depth and content of this thing. We had a Commission briefing in March. We got an SRM from the Commission in April that basically said give us a complete draft in October of this year. That should include a communications plan, it should include identification of those important factors that affect planning. We'll talk a little bit about that, also. And it also asked a question on PRA quality, which we're going to have to respond to in June, sort of separate from the implementation plan. What are the objectives of this document? We changed the name, for one thing, to get away from -- to really use the terms the agency is using, risk-informed regulation and call it what we intend it to be, an implementation plan. The idea is that it is going to provide an integrated plan for the agency's risk-informed activities and really if you start at the top -- actually, I think what I will do is put on slide four and talk about how this fits in the overall structure of what the agency has in terms of documents. 
They've got the strategic plan, which is sort of the top level document, and if you look, it has basically four performance goals for each of the arenas; maintain safety, improve public confidence, reduce unnecessary burden, improve effectiveness and efficiency. If you look at those performance goals, they use the word risk or risk-informed in there, that you'll do things in a risk-informed fashion. But beyond that, it doesn't get into any details as to what does that mean. At a high level, the intent of this risk-informed regulation implementation plan is to lay out what is the agency going to do to implement those high level goals and those high level statements in the agency's strategic plan. It sort of is a link between the strategic plan and the detailed operating plans that each of the offices has that covers the major arenas that the agency works in. It feeds into putting together the operating plans for each of the arenas, just like other things feed into it. The risk-informed regulation implementation plan isn't the only thing that drives the work of this agency. There are things called program assumptions, that includes things like how many plants do we expect to come in for license renewal and so forth. So when we're planning and budgeting, there's a number of things that are considered, and the risk-informed regulation implementation plan will be one of those things that will provide information that's considered when the budgets and the detailed operating plans for each office are put together. DR. KRESS: Tom, when this gets approved, say, by the Commission, would it, in effect, serve the same purpose as if you had a Commission policy statement on risk-informed regulation? MR. KING: I know you have a letter to the Commission suggesting such a policy statement. I don't know. But the response to that letter would be -- I can give you my personal opinion. 
I think this document could go a long way to doing what you recommended in your letter, if not totally. That's my personal opinion. Anyway, this is how we view this implementation plan fitting into the larger scheme of how the agency decides what it's going to do. Getting back to slide three, really, at a high level, what this document will do is lay out a process and some guidelines as to how we should take a look at and decide what should be risk-informed, given that you want to go risk-inform certain whether it's regulations or activities that the agency does, what do you need to do to accomplish that, and then that will lead to what should be the priority in the schedule for accomplishing that. DR. WALLIS: Tom, it seems there's something long before this, that is, why would you want to risk-inform anything and what criteria would you use in deciding. MR. KING: Slide five, we're going to talk about the guidelines or criteria. DR. WALLIS: There must be some sort of motivation that says risk-informing is being there in order to achieve something. MR. KING: You should risk-inform an activity, basically, if it's going to help you accomplish your major agency performance goals. It's going to lead to helping maintain safety or improve effectiveness or efficiency or reduce unnecessary burden, then it would be a candidate to -- DR. APOSTOLAKIS: Actually, maintaining safety will not be a goal. That's a boundary condition, really. If you want to maintain the established goal, why move to something else. It's just that the benefits are increasing effectiveness and location of resources, under the condition that safety will be maintained. That's the way I would look at it. Not that it really matters much. MR. KING: I would disagree a little bit. 
I think in the sense that risk-informed is going to make you focus on the things that are important, and maybe today's regulations don't really cover those things or some of those things very well, I think it does help you maintain safety. CHAIRMAN POWERS: When I speak to older hands in the design of regulations, about risk-informed regulation, they say we always did risk-informed regulation. We didn't create regulations for things that we didn't think were risky. So I think there's a question here that comes up, and maybe it's in your second question up there, is how risk-informed is risk-informed. I mean, is it intuition that this is a hazardous train or an important train to prevent hazard or is it detailed quantitative analysis that gives you a specific risk achievement worth or risk reduction worth? MR. KING: It can be both. It doesn't always to have a -- CHAIRMAN POWERS: I guess what I'm asking is does this plan line that out for these various activities, on how risk-informed you want to be in each one of these activities? MR. KING: The intent of this plan is to lay out what are the goals that you're trying to achieve in risk-informing an activity, what are the tools, the data that you need to do that, guideline documents. DR. WALLIS: See, now you've changed the name. When it was PRA implementation plan, the question was what can PRA tell us about what the regulations are doing now and how they might be improved. Now you've changed the name and it's become more nebulous what you really mean by risk-informed. DR. APOSTOLAKIS: I think the understanding is that when we say risk-informing something, we mean to use quantitative risk information. DR. WALLIS: That wasn't the implication of Dana's question, though. It seemed to be that there is another kind of risk-informed, which is sort of semi-intuitive. DR. APOSTOLAKIS: That's not what this plan is all about, in my view. 
I mean, yes, the regulations have always been risk-informed, but that's not what most people understand by risk-informed. Risk means, in this context, quantitative information coming out of performance assessments or probabilistic risk assessments. Otherwise, I don't see how this is any different from what the agency has been doing before. Do you agree with this? MR. KING: I agree with that. I wouldn't exclude use of qualitative information. DR. APOSTOLAKIS: That's why it's informed. MR. KING: But the heart of it is going to be quantitative. DR. APOSTOLAKIS: That's why it's informed. MR. KING: Yes. DR. APOSTOLAKIS: But the new thing now is this quantitative information, and quantitative, let's not take it too literally. I mean, having the dominant accident sequences in itself might not be quantitative information, but it comes from quantifying frequencies and ranking things. PRA and PA, that's what we mean. CHAIRMAN POWERS: My concern is that's what we think they mean, but do they really mean that. DR. APOSTOLAKIS: He agreed, Tom agreed. MR. KING: I agree. I agree. DR. WALLIS: So without use of a PRA, it's not risk-informed. It's a sine qua non. DR. APOSTOLAKIS: Yes, I would say that. DR. WALLIS: It is not. DR. APOSTOLAKIS: Now, PRA, you include the performance assessment, right? PRA is interpreted in the broadest sense. I mean, if it includes statistical calculations and so on, you don't necessarily have to see an event tree, for example, to call it a PRA. MR. KING: I think the main thing that such a plan as this will do that the PRA implementation plan didn't do is it's going to provide a systematic structured look at where does the agency want to go in risk-informing its activities and how does it plan to get there, what does it need to get there, what are the priorities of getting there. DR. 
APOSTOLAKIS: Tom, in my mind, the most useful result of this activity will be this plan, will be to prioritize which regulations to risk-inform first and to identify needs for doing so, the most important needs first. Is that the correct perception? MR. KING: Yes, I think that's true. DR. APOSTOLAKIS: I mean, goals and objectives, I don't know, it creates a lot of paperwork. MR. KING: I think it will also be a good communications vehicle, too. We talk about risk-informed regulation, but we don't have anything that can hold up to external stakeholders or internal stakeholders that really ties it all together and says this is what we mean by risk-informed and this is what we're trying to do. We give presentations, talk about some specifics that are going on, but there's no document that ties it all together. DR. APOSTOLAKIS: So communicating the agency's objectives and activities, you don't necessarily mean risk communication. MR. KING: No, no. I'm talking about the programmatic type things. DR. KRESS: Do you have anybody from NMSS working with you on this? MR. KING: Yes. NMSS is going to have the lead for two of the major arena chapters on this. We'll talk a little bit about them. DR. APOSTOLAKIS: Are they here? MR. KING: There's one NMSS person back there in the back row who is involved. MR. HOLAHAN: And Joe Murphy and I have been invited to be on the steering committee for NMSS' actions to risk-inform their various areas of responsibility. DR. WALLIS: In this first question, what should be risk-informed, it seems to me you're implying that risk-informing means changing the regulations in some way, and it seems to me that the first thing that's got to be risk-informed is the agency and the public and look at what the regulations are now, use the insights of risk to figure out what kind of risk reduction they are achieving in terms of the measures, PRA or whatever you're going to use. 
That's risk-informing your knowledge about what you're doing now, before you try to change anything. MR. KING: I agree. You start with what you have today. DR. WALLIS: Right. And this would also let you and the public know what's sort of the real value of what you've been doing over all these years. DR. KRESS: The risk achievement worth of a regulation, that's going to be pretty tough. DR. WALLIS: Do that first, before you try to change anything, to know what you're doing now. DR. KRESS: I'm not sure we know how to do that. MR. KING: But in effect, for reactors, that's what option three is doing. We're looking at 50.44, for example, and saying do the things that it requires really mean much in a risk assessment. Hydrogen recombiners were coming out saying, yeah, they really don't mean much in the risk world. Maybe we ought to think about changing the requirements on those things. MR. HOLAHAN: And to a certain extent, the IPE program and IPEEE program did the same thing. They took the reactors licensed with the existing rules and the existing processes and tested what level of risk was a result of that process. DR. KRESS: You could get an overall integral, but to take one regulation and say, now, what's the risk achievement worth of this particular regulation is going to be a little tougher, I think. You might be able to do it for some of them. DR. APOSTOLAKIS: Let's go back to slide four. One issue that bothers me sometimes is that we are very willing to use risk information in certain instances, but we approach it in a very prescriptive way and we get lost in the details. I would say that yesterday's discussion here on missed surveillances is one example of that. 
Where in this framework will you attempt to look at the whole thing from a broader perspective and say, well, gee, there are certain things that traditionally we have been regulating to extreme detail, but now in the risk context, maybe we should relax a little bit and not worry about you missed one surveillance or about other things, that don't come to my mind now. But in other words, we are preserving, it seems to me, the detailed, prescriptive regulatory approach from the old days. We are simply changing the tools, but what is applying to these is the same thing. Now, I'm not saying that all missed surveillances don't count or are risk insignificant, but some are there and we have to change our views how we -- it's more than just having a new mathematical tool or some analytical methodology for doing something. On the other hand, I can see the counter-argument coming that what do you do, you just look at things that are important to core damage frequency? Obviously not. Do you look at things that are more important to the cornerstones? Well, I don't know. Maybe we start talking now. So is there an activity that would address this if it is an issue? It's the cultural thing that we mention all the time, in other words. MR. KING: I'm not sure this plan would get -- my intent is not to have it down to the detailed level that we're going to be looking at surveillance requirements or allowable outage time requirements. I mean, I would view this at the level of we want to risk-inform the technical specifications and we'll have some key milestones and infrastructure needs to go do that. Now, the actual work as to which technical specifications, does it include surveillance requirements and so forth would be a level of detail that would be too much for this plan. That would be something that would show up down in the detailed operating plans that each office has for doing their day-to-day work. I'm not sure. MR. 
HOLAHAN: I agree with Tom that when you pick out individual issues at that level, you might not find them, but those issues are related to programs and missed surveillances are part of the oversight process, plays into technical specifications, and we're working on those issues. There's an activity to risk-inform the technical specifications and there's a list of things that we are doing in that area. I think this plan will put some of those things into context. They won't go out and deal with a thousand individual issues, but where those issues are pieces of other programs, this plan will touch those programs. MR. BARRETT: There was an interesting discussion yesterday. I'm Richard Barrett, with the NRR staff. An interesting discussion from NEI about the evolution of configuration control, starting back in the early days of the industry with custom tech specs, and the basic point that NEI was trying to make was that we're moving gradually to a point where there is a risk-informed way of controlling configuration, which will be some sort of combination of 50.36, the technical specifications, and the A-4. I think that's the kind of thinking that you want to have in this plan, where are you heading, but not just jumping to where you're heading, what are the interim steps, and one of the interim steps in getting to what NEI sees as a risk-informed configuration control is these specific risk-informed technical specification initiatives, including the one regarding missed surveillances. DR. APOSTOLAKIS: Jack? MR. SIEBER: I was wondering if your plan considers what I think is one of the fundamental things that ought to happen first, which is there are a bunch of rules, different rules that have a risk basis to them. For example, the PTS rule has a risk basis to that. ATWS has one. Station blackout has one, backfit rule, Reg Guide 1.174. They're all different than the safety goal policy statement and they're different from each other. 
Is there going to be some attempt someplace along the line to consolidate the opinion of what is risky and what is not and modify those rules and set the basis for everything else that we do or are we just going to do this piecemeal, one at a time, pull out a criteria that seems fitting at the time? I'm not sure if I'm clear about my question. MR. KING: I understand your question. Are we providing some framework to provide some consistency as to what risk level we're trying to achieve by the regulations and what changes need to be made to do that? MR. SIEBER: That states my question. MR. KING: And I think my view, to answer that, is yes. Certainly, in the option three work on the reactors, we've laid out a framework that provides some risk guidelines as to what we would like to see for mitigating systems, for containment and so forth, that we would go through and use when we look at the regulations to see are they achieving that or not. And maybe they're over-achieving it or maybe they're under-achieving it, but the idea is to bring them to some more uniform level than they are today. In the NMSS side of the house, I don't think they're that far along yet, but my own personal view is, yes, that's the kind of thing that should be done, I think it is being done in the reactor side, and I think this plan could certainly lay out, at a high level, some guidelines as to that approach ought to be taken across the board whenever we're risk-informing something. MR. SIEBER: It seems to me that in some cases, the risk value of some rules is such that it creates a penalty, a licensee, whereas some other ones may not be tough enough. I think that part of this process should be to sort of make a level playing field. MR. KING: I agree. I think this plan could certainly, at some level, put forth guidelines to do that. MR. HOLAHAN: But I'd have to say that I think we're already doing some things to move in that direction. 
When we look at recent initiatives, like the oversight process and Reg Guide 1.174 and what Research has put together, the framework for risk-informing the regulations, there's a lot of consistency now, but the further back in time that you go, the less consistency you see. We had a meeting, for example, last week on the PTS rule and there is an activity, in fact, to look at the PTS rule and one of the issues is was the PTS rule picked to achieve the right level of safety, is it too high or too low. I think what we're seeing is not a clean sweep and starting over again. What we see is going to each rule and sort of normalizing it back to - MR. SIEBER: Try to converge it. MR. HOLAHAN: Right, make them converge. CHAIRMAN POWERS: I think that's one of the questions. I'd maybe come back to Graham's question. It suggested that you get an overall assessment of what you achieve with the current rules by looking at the IPEs for normal operating events and the IPEEEs for external events, including fire. I think that's true. Of course, I look at that panoply and I immediately say, now, what's left out of that. MR. KING: Like shutdown, you mean? CHAIRMAN POWERS: Maybe, yes. And that raises a question, in my mind, when I think back to option three, and I'm operating a little bit from memory, and the framework document, I say, gee, those things look like they're going through and they're looking at the current rules and they're looking at them kind of individually and saying what do I -- how do I change this current rule to make it a little more risk-informed, things like that. And I say, gee, those rules were written with a presumption that a shut-down reactor is a safe reactor, and indeed that was the staff's point when they put together a draft of a shutdown regulation rule. I'm wondering why is it that option three doesn't go through and also look at those assumptions that are behind the current regulations. MR. 
KING: I think option three does look at the assumptions behind the current regulations and you will find some words on shutdown in our framework document. The piece that's missing is the body of risk, quantitative risk information to go along with the shutdown condition. Now, there's some, but we're not ignoring the shutdown condition. DR. APOSTOLAKIS: This raises some interesting questions. MR. HOLAHAN: Can I go back to Dana's question? Because I think the Commission spoke directly to this issue when it voted not to support the staff's recommended shutdown rule. Clearly, the Commission intended to maintain safety during shutdown. I think it wanted it done through the maintenance rule and other activities and it directed the staff to inspect and to monitor those shutdown activities to see whether the level of -- what level of safety was being achieved. So the new oversight process has pieces in it that address shutdown and a lot of those are the same issues that we talked about in the NEI guidance and in the proposed rule. In fact, I think the Commission has left the staff with the -- even before there was an option three, left the staff with the role of, sort of on a continuous basis, determining whether the existing regulatory structure is maintaining safety during shutdown and I think that option three is just another opportunity to test that. DR. APOSTOLAKIS: My question is related to this, because this raises a very interesting question. I believe that one of the arguments or perhaps the main argument the Commission made was that the risks from shutdown and low power operations are managed adequately by the existing tools. At the same time, there is, I think, widespread concern that these risks have not been quantified. Even if we accept the premise that they are managed well, we still don't know the level of risk. Now, is that something that the risk-informed regulatory system can live with? 
In other words, if you convince yourself, not necessarily for low power operations, that a particular activity is managed reasonably well, then you will say then I really don't care about quantifying the risk from that activity. Is that something that this system will allow? MR. HOLAHAN: I think that's not enough, because if you go back to the strategic plan and its goals, the agency's goals are more than just maintaining whatever particular topic area it is, maintaining it to be safe. I think there are other issues that the risk-informed approach can address and there is a public confidence issue, how do you know what level of safety; you might be satisfied, but how do you know that other people are satisfied? How do you know that you're not maintaining that safety at an extraordinary cost that isn't worth it? So there are other opportunities to test the other objectives. DR. APOSTOLAKIS: I find this situation very interesting, because why do you do a PRA? Well, you do a PRA because you want to make sure that the risk is managed. And now you have someone who says, well, you know, the risk is already managed. So he's short-circuiting the process and says I don't need to do the PRA, because I know the risk is already managed. How do you know? Well, you know, I'm convinced. I'm convinced they manage their configuration, they have these software tools. So I think now it's an interesting philosophical question. Do you then abandon the quantification because somehow you convince yourself that the risk is managed or you still go through the process? I don't know myself, but it's an interesting question and maybe by setting the goals and all that stuff, you should address these questions, so people will be sensitized to these things. I don't know what the answer is myself, because -- DR. KRESS: Yes, you do. MR. KING: Well, we don't need this plan to get into that question. We've got plenty on our plates with option three. 
DR. APOSTOLAKIS: But don't you think it's an important question? MR. KING: Of course it's an important question. DR. APOSTOLAKIS: Let's assume that they are right. I'm willing to grant that. Then we don't do the PRA? You can have pros and cons. Some guy might say, well, gee, yeah, but, look, if you look at the history of PRA, we thought we managed certain things well and then PRA showed there is an interface with system LOCA or this or that, so there are always surprises that come out. On the other hand, the other side might say, look, it's a matter of prioritizing things. Right now, I'm fairly confident I'm managing the risk reasonably well and I have other areas where I really don't know. So I will use my resources to attack those areas first. I think both arguments have merit, but it seems to me if we are to have a strategic plan, somehow we have to get into this. DR. WALLIS: I was going to suggest you use PRA, where you can get the most leverage from it. You don't get into the marginal areas where you're quibbling about whether or not it's going to help. So you work on things where it's really going to make a difference. DR. APOSTOLAKIS: Yes, but you don't know that, because the other side is telling you -- DR. WALLIS: You must have some idea. DR. APOSTOLAKIS: Well, you have strong opinions on both sides. One side says, no, I'm managing the risk and the other side says, well, you know, you are doing something very good, but I still don't know whether you're managing it very well. I think both arguments have some validity. Anyway, I just raise the issue, because I find it really a very interesting question. PRA is the way of managing the risk and then somebody says but I'm already managing it, so I don't need to go that way. It seems to me a strategic plan has to some -- wherever you plan to have overall guidelines, objectives and so on, that question has to come up. Okay. Why don't you go ahead? MR. KING: Moving on to slide five. Dr. 
Wallis asked the question what are your criteria for deciding what you want to risk-inform or what don't you want to risk-inform. There are some example criteria in the draft we sent, the partial draft we sent to the Commission in the 00-62 SECY. They basically say what we want to do is take a systematic look across all three arenas at the regulations, at the activities, like inspection program, enforcement program, see would risk-informing them contribute to helping the agency achieve any or all of its four performance goals. But there's also some other factors that need to be considered; do we have tools and data that provide sufficient information, where you could go risk-inform the activity; is there licensee interest or capability in doing this; can it be done at a reasonable cost. DR. WALLIS: We said in our research report that you kept invoking these goals, and that's fine, but a lot of work needs to be done if you say maintain safety. Okay. Now, first of all, we need to know what kind of safety we're getting and all this stuff. You need to develop that and see how does PRA fit in there. Just invoking some high level goal doesn't tell you very much until you begin to analyze what you would need to do in order to determine whether or not there is going to be any influence on maintaining safety by risk-informing. A huge amount of structure has got to be put in there. So I think what we would look for is that you built that structure, not just invoked some high level goal, which is fine, but that's like saying, you know, I served in the U.S. and I support the Constitution or something. MR. KING: I think in the reactor area, where you have quantitative risk information, it gets a little easier. In the NMSS area, where there's a lot of different things that they regulate and you don't have PRA quantitative risk information to look at those, it gets more difficult. 
NMSS had a two-day workshop in April where they brought in a number of their stakeholders and they asked these kinds of questions. DR. WALLIS: The biggest question on maintain safety is this is -- it's not clear what that means. You can argue forever. When you say if it's the existing regulations, well, how do they maintain safety. It seems to me that risk-informing has a tremendous amount to contribute to determining how well the regulations maintain safety. When you know that, then you can, okay, this is the one which is worth tweaking, because we can really gain something there. DR. APOSTOLAKIS: I think in connection to this slide and also in the context of building public confidence, many, many times, we hear public stakeholder groups saying the whole purpose for risk-informing the regulations is to relax regulatory burden, and people forget that for the last 25 years, really, risk-informing the regulations meant increasing the burden. So I would suggest that whenever you talk about the agency performance goals, you have slides or public meetings or whatever in the report, you immediately show a few examples where you have maintained safety, like the station blackout rule or ATWS or whatever, as a result of PRA, because apparently people need to be reminded of these things, that you are not just changing the tech specs and all that. We get letters from public groups that say, well, all they are doing is this. And maybe give examples in other areas that you have improved effectiveness and so on. In fact, we wrote a letter, with your help, some time ago, how PRA has been used in the past. It wouldn't take more than two or three lines to show examples like that; that perhaps we have done a lot on improving safety using PRA, and now we are also addressing issues of unnecessary burden. But let's not forget we have already done a lot of that, because people forget or they don't know perhaps. 
In fact, that was a major complaint of the industry that happened till now, all you were doing was adding burden. MR. KING: Right. I agree with your statement and I think one of the things that this document could do is show that risk-informed is a two-edged sword. DR. APOSTOLAKIS: Yes. MR. KING: And you could do that with some specific examples. You can also do it with talking about the philosophy behind risk-informed. Just the fact that you're not spending resources on unimportant things does improve safety or at least maintains safety. DR. APOSTOLAKIS: Yes. But I think giving specific examples from the past will go a long way. MR. SEALE: To belabor the obvious, you haven't made the one point here, I don't think, I didn't find it anyway, that the PRA provides a rational basis for ranking the risk and that is certainly one of the more important things that you are interested in if you are going to make your regulations efficient and attack the necessary things in a straightforward way. So sometimes you have to -- the PRA covers things you've already evaluated, but you didn't have that evaluation in the context of other risks, as well. And now, with the PRA, you have a thermometer, if you will, that you've looked at all of these different things and now you have comparisons and that's important to your resource allocation process. DR. WALLIS: In terms of public confidence, some of the most important public consists of your own employees. If this gives a way of doing things which gives your employees more confidence they're doing the right thing, it's worthwhile, it's worth putting energy into, there's going to be a tremendous contribution. I would like to see more evidence of that, that people have great enthusiasm for PRA, because it makes their job better and so on. And the other confidence is, of course, in industry, the whole -- that's another kind, that these regulations make some sense, because they have this logic of PRA or something behind them. MR. 
KING: When we talk about communications in this plan, we're talking internal and external, and internal is very important. DR. WALLIS: The public, and there's lots of parts of the public that can be really influenced by this initiative, it seems to me. It's not just some public interest group. Everybody with some stake in nuclear energy, as well. DR. KRESS: In your previous work on the possibility of redoing the safety goal policy statement, you had a number of very interesting questions or issues, things like should land interdiction be a goal, should you deal with risk spikes, are CDF and LERF the right things to use, should you quantify adequate protection. You had a number of very interesting, I thought, questions that seem to me to be important to the issue of how you risk-inform regulations. Will you face up to those questions and try to provide some sort of answers to them in this particular document here or will you skate around them some way? MR. KING: One of the things we talked about having in this document were what are the risk goals that you're trying to achieve all of the various things you may want to look at in this plan in the reactor area. I didn't envision this document as dealing with the land contamination issue or risk spike issue or some of those things. DR. KRESS: It certainly might come up in the NMSS area, because that may be your risk goal there. MR. KING: NMSS, they have on their plate a task to come up with safety goals for the things that they regulate. In what form, whether that's going to be a policy statement or some other document, I don't know at this point. I would envision whatever comes out of that effort will be reflected in this document, but I didn't view this document as the document that's going to establish those goals. I do view this document, though, as providing some what I call guidelines, this bullet right here. 
By that, what I had in mind was so that there's some consistency in the way we implement our risk-informed activities, I think things like the definitions from the Commission's white paper on risk-informed regulation ought to be in here, like our principles from Reg Guide 1.174 probably ought to be in here, maybe we ought to come up with some consistent definition of defense-in-depth and safety margins, what do we mean by performance-based, those kinds of things. DR. KRESS: How do you deal with uncertainties. MR. KING: How do you deal with uncertainties, yes. DR. KRESS: Those are the kinds of things I would assume you're looking for. MR. KING: I thought that kind of stuff, to me, made sense to put in here, so that everybody, when you're talking treatment of uncertainties, we're doing it in a consistent fashion. DR. WALLIS: Could you also have some vision of where you're going? When you reach the delectable mountains of risk-informed regulation, whatever they are, what do they look like? Some kind of objective out there, like Eisenhower is going to get to Berlin or something, some kind of -- where are we going, where would you like to be if everything works out right? MR. KING: I think there's two aspects to that question. One is laying out our plans for those areas in schedules and priorities for accomplishing risk-informed changes in those areas and then we have a section in the plan called measures of success, how do you know you achieve what you want to achieve. That's sort of a nebulous thing at this time as to exactly what those measures of success will be. DR. WALLIS: I think if anything that's been planned in the past, any major human activity, then one of the major things is a view of where you're going. We're going to climb Mt. Everest and that becomes most important. The plan is very important, but unless you have this purpose up there, some view of what constitutes success, then all the plans are kind of muddled. MR. KING: I agree. DR. 
BONACA: I'd like to throw in just one more thing in support of what Dr. Wallis is saying. I believe that we're all looking at these plans, but I think we have probably all different visions of what this future would be out there, and when we -- we haven't discussed this and I think we will, probably as a committee, reflect on this at some point, but it seems to me that there are certainly some people who would think that we could have, at some point, a 50.59 process under which you could remove, for example, defense-in-depth commitments by 50.59. Other people think that that will not be acceptable for their own reasons. I mean, there are reasons for whatever. The point is that I think there is a fractured or maybe inexistent sense of a common vision about where we're going with the plan and a plan typically would have some elements of vision of what we envision out there that will resolve some of the problems that exist. I'm just supporting what Professor Wallis is saying, that that would be very useful. MR. KING: You could picture it, we have the four big agency performance goals, you could say, well, I'm going to go risk-inform something because it's going to help me achieve those performance goals and you could go back and then say set a success measure, whether it's how much efficiency improvement did I achieve, you could put some monetary or staff year reduction goal for that or how much unnecessary burden did I reduce, whatever it may be. You could do that and then come back and monitor did I actually achieve those reductions when I risk-informed this activity or didn't I, and that's sort of what I had in mind in the success measure section, although we haven't come up with any firm recommendations in that area at this point. DR. WALLIS: That's incremental. That's so that when I fight this battle, what's the body count, did I gain something. But it doesn't give you the overall objective out there somewhere which makes the whole thing worthwhile. DR. 
BONACA: I think in the oversight area, we have some vision now, because we have an implementation plan and it's being implemented now. We're beginning to see the elements of it, with the cornerstones and things of that kind, and we can or we have commented on individual aspects, maybe been critical of some elements, but, in general, we have a good understanding and a buying-in into a process that is becoming risk-informed, but it can be improved, too. It's just that there are so many other elements of regulation out there and particularly we're talking about with existing plants, how they are operating today, what is effective and what is not effective, and how risk information can improve the effectiveness of these plants today. I think that that's an element. We will have a common vision of what is going to be. MR. KING: I think the common vision is certainly qualitative vision, focus on the things that are important, that we're going to be more effective and efficient. I didn't envision we would set numerical goals for that. But certainly we'd be interested in any thoughts anybody has as to how we could approach that. DR. BONACA: I'll give you an example. To me, 50.59 is an important issue, because it's the process under which power plants are allowed to make changes. So I would say that if I look at the existing power plants, they are hesitant about what they are going to do in the future; are they going to come under this changed regulation, under risk-informed or not. As you know, there is reluctance there. The reluctance is because they don't understand, they don't know what's going to be. And clearly there are big issues about what you would be able to change in power plants under risk-informed 50.59, for example. I think we had discussions here about defense-in-depth and balance, but we never -- and that's an important element, however. MR. 
KING: If you just want to set some overall agency goal for risk-informing 50.59, other than some qualitative statement that I want it to be risk-informed, I'm not sure what else I would say. DR. BONACA: I'm not expecting that you have. I'm just expressing some of the issues that I believe are clouding a little bit where we're going with all this. MR. KING: I guess you could say I want to risk-inform it to the point where I only get half the number of license amendment requests that I normally get, you could set some goal like that. DR. KRESS: I would try to avoid quantitative goals in this type of exercise. I think you just get yourself in trouble. MR. KING: Yes. But you could also say a measure of success would be am I getting fewer license amendment requests because I've risk-informed 50.59, without saying it has to be -- DR. KRESS: That's the way I would try to do it, that sort of thing. DR. WALLIS: This looks like solutions for problems. If someone is to create that risk-informing is a blessed activity, therefore, you should engage in it, then -- DR. KRESS: I think we all believe there is a problem with the regulations. CHAIRMAN POWERS: They have, that has happened. DR. WALLIS: But if you could say here is 50.59, and the reason that there's all this anxiety in industry and so on, and so on, and so on, and, gee whiz, risk-informing is the solution to those problems, that would be more convincing, rather than saying here we've got this tool and we get points for applying it, using it. MR. KING: I think we should move on. DR. APOSTOLAKIS: Let's move on, yes. MR. KING: Slide six is just, at a high level, what the outline of this plan would look like and some executive summary. There will be some introductory material that will discuss the relationship of this plan to the other strategic plan and other documents and processes the agency has. These overall guidelines we talked about to add some consistency in risk-informed treatment of uncertainties and so forth. 
Then there will be sections for the three major arenas that will get into more of the details of what's to be done. Then on the next page, a little breakout of what one of those arena sections would look like. Again, like I said, this is work in progress. This may change as time goes on, but at this point, what I envisioned was for each arena, you talk about the guidelines that you've developed and applied to decide what are you going to risk-inform and what the priorities are, and then the results of applying those, what have you decided to risk-inform, what are the priorities, what have you decided not to risk-inform. And then for each thing where you've made a decision to go do some risk-informed work, sort of lay out what the major milestones are and what the -- what I call the infrastructure needs, the responsibilities, training needs, what kind of communications plan, internal and external. And some of these, for each activity, a communications plan may be -- it may cover a number of activities. It doesn't always have to be each one has to have its own. And then these measures of success, how would you know that what you did was an improvement. So at a high level, this is sort of what I envisioned to have in there. DR. APOSTOLAKIS: How would you make sure that certain principles that really apply to more than one arena are, in fact, stated clearly? Defense-in-depth, for example, is one. MR. KING: That was back -- where I envisioned that was back here in the introductory section to the entire plan. That would be a lead-in to each of the three arena chapters and this last item, overall guidelines, that's where I envisioned we would talk about maybe the Reg Guide 1.174 principles. DR. APOSTOLAKIS: How do we define them? How do we make sure we have all of those? From the experience of trying to implement the risk-informed system or we will have some sort of a structured process that would identify those high level issues that apply to all of them? MR. 
KING: I think at this point, we've probably done enough in the reactor area where we know what issues we've had to face, policy issues, implementation issues, that we could probably make a good cut at laying some of those things out that are applicable across the board, that others are going to have to face if they want to go risk-inform things. Through interactions with this committee and other interactions on the staff, with stakeholders, we may identify some more. DR. APOSTOLAKIS: But there will be some high level body monitoring all this. MR. KING: Well, later on. DR. APOSTOLAKIS: Later on. MR. KING: I guess I didn't put it on the schedule. The agency has a PRA steering committee and we've run this presentation by them in terms of what our vision is for this document, just to make sure we have alignment between the office directors and ourselves, and we continue to come back to them as this thing evolves. DR. WALLIS: This is all internal NRC people. MR. KING: It's all internal NRC people. One thing you'll see when we get later on, the suggestion is maybe we want to take this document as a draft and go out and get stakeholder comment and feedback on it -- external. DR. WALLIS: It would seem to me you could benefit from having an advocate for PRA with expertise. You know, if there's another George out there, who is not tied up with all the regulation, all the habits of the NRC, and look at what you're doing, could give you good advice. MR. HOLAHAN: I thought we had one of those. DR. WALLIS: Apart from ACRS, but someone who works with you daily or whatever when you need this person. DR. SEALE: More than that, I think we've all been impressed upon occasion that the quality of PRA work that's been done by some of the utilities and attaching specific problems, and I think we would be remiss not to try to get their input. They may even have a good idea or two that would help out. MR. 
KING: I think it would be worthwhile sending this out as a draft once we've got the sections filled in. DR. WALLIS: I was thinking actually in the production of it, not just the formal business of you guys work on it and it goes out for comment, but someone actually in the creative process of deciding what to do. CHAIRMAN POWERS: What are you looking at them to do? DR. WALLIS: I would look for someone like a George who has ideas, can be critical, can say, well, how about this and talk about the bigger vision than you guys maybe have, to contest you as you develop the thing. It seems to me there are lots of things here which are of that type. There are creative activities involved and there are visions of what you might be able to achieve that maybe you haven't thought of. DR. APOSTOLAKIS: You can use consultants. Is there anything that says you can't use consultants? MR. KING: No. We can use consultants. DR. APOSTOLAKIS: Then select one or two people and whenever you feel you need them, give them the thing and say what do you think. It doesn't have to be a big deal. CHAIRMAN POWERS: I guess I'm still struggling with what it's supposed to provide here. DR. APOSTOLAKIS: I think Graham's point is that there are experts out there that can, not from the regulatory side of the business, but perhaps they have done PRAs -- like Gareth Parry, before he joined your staff, was out there doing good work, and these people may have -- CHAIRMAN POWERS: As opposed to now? DR. APOSTOLAKIS: But these people would bring a different perspective, I agree with you. CHAIRMAN POWERS: I agree that it would bring a different perspective, I agree that they may have done a PRA. I don't think doing a PRA is what is necessary right now. It seems to me that coming in with no knowledge of the regulatory process is the last thing you need. You need to know exactly what the regulatory process is. DR. KRESS: That's what I think. That's much more important than knowing the PRA. DR. 
APOSTOLAKIS: But, guys, we're not talking about turning over this activity to them. All we're saying is before you finalize this, give the guy the document and get some comments. CHAIRMAN POWERS: George, I could sit here and say, gee, there are an awful lot of good quantum candidates out there that know a lot about second quantization. Maybe you ought to show it to them. I'm just not sure they would help very much. DR. APOSTOLAKIS: And I would agree with you. I still think that if you select the people carefully, who have also -- CHAIRMAN POWERS: I think I would be much more interested in talking to somebody who has attempted cultural change in an organization. I'd like to get their advice on things much more than somebody that's just done a PRA for a plant. DR. WALLIS: That's not to say who the person is, but maybe we could agree that some sort of external view of this would give you some checks and balances and help which might be useful. DR. APOSTOLAKIS: Yes. We're not talking about the guy who does fault trees for a living. That's not the issue. DR. KRESS: I would be interested in a guy you could ask questions of, like I'm concerned if one stuck with just LERF and CDF, for example, that you're missing something, and you're missing things like 10 CFR 100, which talks about a dose from an unfailed containment, which is one of your objectives, as regulatory. And we have other similar things like that that LERF -- CDF addresses to some extent, but LERF doesn't. The question I might have is if I come up with some objective that might, for example, be the frequency, an allowed frequency of exceeding a certain dose, which might be particularly an NMSS activity, can a PRA give you that number and how does PRA have to be structured to give you that and to give you the uncertainties in it and is it possible. That sort of thing you might -- MR. KING: But I think what you're talking about, to me, is a level of detail lower than what I envisioned this plan to have. 
Those are certainly questions you have to face at some point, but I didn't view this plan as getting down into every technical issue that has to be dealt with in all the things we want to risk-inform. I viewed this plan as, for example, risk-informing Part 50, there would be a schedule for option two, there would be a schedule for option three, some of the major milestones and deliverables and so forth, but not getting into the individual regulations that we're looking at in option three. That's dealt with through separate papers and discussion. DR. APOSTOLAKIS: Anyway, we seem to be getting into management issues here. MR. HOLAHAN: Before we leave this subject, let me go back and say it again, since no one agreed with me when I said it before. I agree completely with Professor Wallis, but I think we already have a group of independent, vocal, knowledgeable experts sitting around this table and I don't see any reluctance on their part for giving us good advice. DR. WALLIS: We see you once every three to six months or something. This is someone you could turn to as part of your team, it seems to me. That might be useful. DR. APOSTOLAKIS: I think we should leave it up to them. DR. WALLIS: Leave it up to you guys. DR. APOSTOLAKIS: This is a management issue. Would you move on? I mean, we've expressed our differing views, which we're happy to do. MR. KING: The nice thing about this committee, we get all these differing views, we pick the one we like. DR. WALLIS: There's no sense in our expressing views unless some of them are useful to you. DR. SEALE: There's no quality control on our suggestions. MR. KING: All right. Schedule. We need to get this thing done and a complete draft is due to the Commission the end of October. What we had envisioned was NMSS has already had their workshop with stakeholders. We're talking with NRR about having a similar workshop to take a look at what they're doing and should they be doing more in the risk-informed area. 
Developing some draft arena sections in August, coming back to this committee and the joint ACRS/ACNW committee in the fall to talk about those. And then after the draft goes to the Commission, at least my view is we ought to recommend to them that that go out for public comment. CHAIRMAN POWERS: Your schedule and your need to get to the Commission has a problem interfacing with our schedule in the sense that we don't have an August meeting and September then becomes kind of jammed up and things like that. Let me ask, is there a time in there where we should -- we want to help and I think even participate and give you all this wonderful advice that you can pick and choose from in a fairly explicit fashion. Should we be looking to a period of time for like a subcommittee meeting, where we can plunge into the details and things like that? Is there an appropriate time for doing that? Should we look at arena papers in detail? MR. KING: I think it would be worthwhile to have this committee look at the arena chapters once they are developed and I think a subcommittee would be a good idea. DR. APOSTOLAKIS: Timeframe. MR. KING: Maybe the August timeframe. Are you permitted to have subcommittees in August? CHAIRMAN POWERS: Yes, we have a bunch of them. We have a bunch of them in August. DR. APOSTOLAKIS: August is very hard, because my vacation is in Europe. MR. KING: I don't want to make it too early, because then you're wasting -- CHAIRMAN POWERS: It's nothing that we need to sort out now, but it's something that I think we want to sort out with you as the time comes closer to that schedule, just because it would be nice if we could do it on the October meeting. So that when you go to the Commission on the 27th, they at least have our input on it. MR. 
KING: I think clearly the October full committee would be a time where, if you want to write a letter, that would be the meeting -- CHAIRMAN POWERS: I want things pretty well -- have an idea of what we're going to write at that October meeting, rather than -- MR. KING: Which means subcommittees before that. DR. APOSTOLAKIS: But not a week before. CHAIRMAN POWERS: Yes. That's what I'm trying to avoid. DR. APOSTOLAKIS: First of all, I'm impressed that ACRS' view is not followed by CRGR. MR. KING: This is not CRGR material. DR. APOSTOLAKIS: Second, is the ACRS/ACNW that joint subcommittee? MR. KING: Yes. And maybe we need to go to the full ACNW. We'll have to sort that out. DR. BONACA: There will probably be an ACNW letter, with some input or something. DR. APOSTOLAKIS: Okay. We can work out the details. MR. KING: Okay. The last slide I have is what I call issues. There are several things, and this list will probably grow as time goes on. We got an SRM from the Commission in April that resulted from the briefing we gave them on the 0062 paper. What they said was when we give them this draft at the end of October, what they want is an identification of those internal and external factors that are affecting our planning process, and they listed some examples. Availability of pilot plants was one that they listed in their SRM. I think there's probably some others. I think licensee interest and participation in this whole risk-informed process is one. There's questions of maybe you could go risk-inform some regulation, but under a voluntary system, if licensees aren't interested in it, why bother. MR. SIEBER: Do you have any indication at this point in time as to what licensee interest really is? MR. CUNNINGHAM: NEI did a survey of what licensees were particularly interested in, I guess they -- in the winter time. As I recall, the top two that they were very interested in are changes in 50.44 on hydrogen control and 50.46 on ECCS requirements. 
They had a list of other things, but those are the two that jumped out.
MR. KING: But I think your question is even if we would make those changes, how many licensees are actually going to take advantage of it.
MR. SIEBER: Well, and beyond that, which ones are going to build the infrastructure that they need in order to participate in risk-informed regulation, because that's a -- you're going to end up with, as I see it, two mountains. One is the traditional deterministic way, the other one is a risk-informed way, and it's not clear to me that that reduces burden.
MR. HOLAHAN: I think these things haven't sorted out yet, but I think my vision of the future is licensees will put the infrastructure into a risk-informed approach, because they need to do that because of the way the maintenance rule is structured and for the oversight process, and I think that the nature of the oversight process will have an enormous effect on the way licensees do their own work. And when they get to that point, at least what I'm imagining is, in fact, it will be those activities and not the examples of would you like to change 50.44 that are going to pull the licensees into the risk-informed world, and once they're there, more than they are now, some of them are well into this arena now, but all of them, by the very nature, have to participate in the oversight process. They need to understand the significance of their activities and their performance issues. That is going to be the arena that gets them into this world and once they're there, I think that will open up to a lot more than 50.46 and 50.44.
MR. SIEBER: I sort of look at that, though, as like a marathon race. There's the guys out in front and the guys who are walking back and there's going to be some kind of a distribution of degrees of participation. I'm not sure whether that's going to help you or hurt you in the process of truly risk-informing regulation.
MR. HOLAHAN: I think the oversight process is going to establish some minimum speed, which, in a practical way, where a licensee can continue to survive.
DR. KRESS: Not everybody crosses the finish line.
MR. KING: When I've asked this question on the reactor side of industry people, the answer I get back is there's a lot of licensees sitting on the fence. If we get a few successes under our belt, that will get them off the fence and having a lot more step forward and want to participate and implement risk-informed changes. If we don't get some successes under our belts, corporate management may not be willing to support PRA activities at plants. So it remains to be seen at this point.
MR. SIEBER: There's another constituency here and it's probably in the details that you're not wanting to discuss at this time, but there is a group that will be running with peg legs in this marathon of yours and that's the aspect of NMSS activities that are under the direct supervision or regulation by agreement states. I just don't see where there's very much here, at least at first, that's going to be attractive to those people at all, because there are 49 constituencies, unique, in a sense, that don't have the resources to build a support structure.
MR. KING: Gary and I both sat in on the NMSS workshop, where they had state people, they had medical community, they had citizens groups, of course, represented, and I came away with the sense that most people were interested in this, from the NMSS side of the house, the licensees and the states. There's always some that are against it, but I thought that -- there was a statement made by the representative of the medical community, a gentleman from San Francisco General Hospital, that I thought was very enlightening in terms of what risk-informed means for them.
It really means protecting public health and safety in a much better way than it's being done now, because if it can reduce the cost of medical procedures and so forth, that means it's available to more people and that's real risk reduction on real health issues.
DR. APOSTOLAKIS: I was looking at the General Accounting Office report. There are a couple things here that I don't understand. Some utilities do not have current and accurate design information for their nuclear plants which is needed for the risk-informed approach. Is that a big thing? I mean, have you found this to be a big problem?
MR. HOLAHAN: Did you ask me whether I agreed with that statement?
DR. APOSTOLAKIS: Yes.
MR. HOLAHAN: I don't agree with that statement.
DR. APOSTOLAKIS: I don't either.
MR. BARTON: Maybe that was true a few years ago.
DR. APOSTOLAKIS: Well, it's '99.
CHAIRMAN POWERS: I think if you go back and you look at the kinds of things that utilities had to do for the fire protection functional inspection pilots, that you might agree better with that statement.
DR. APOSTOLAKIS: But I don't consider this an impediment to make it number one.
MR. HOLAHAN: That's right. On the contrary, what I've found is that getting involved in risk-informed activities has been helpful in identifying issues in the design basis and getting them sorted out. It's not as though you can't do the PRA until you learn the design basis issues better. In fact, it's helpful in addressing those issues where there are problems.
CHAIRMAN POWERS: I'd certainly agree with that. But that there are problems in understanding the design basis of things becomes very clear when you look at the fire protection.
DR. APOSTOLAKIS: Anyway, any other comments from the members on this issue? Members of the public?
[No response.]
DR. APOSTOLAKIS: Hearing none, back to you, Mr. Chairman.
CHAIRMAN POWERS: Thank you, gentlemen. Look forward to seeing your plan. It should be most useful. I will recess us until 10:15.
[Recess.]
CHAIRMAN POWERS: Let's come back into session. We are now going to turn to a discussion of an event that occurred at the Hatch Unit 1. John, you're the one that brings all these terrible things to us.
MR. BARTON: Thank you, Mr. Chairman. The purpose of this session is to hear presentations and hold discussions with representatives of the NRC staff regarding the operating event at E.I. Hatch Nuclear Power Plant Unit 1 this past January. We will also hear from the licensee following the staff's briefing. A description of the event, on January 26 of this year, Hatch Unit 1 was at 100 percent power, when the reactor pressure vessel water level began to decrease as a result of a valve in the feedwater line going closed. The valve closure caused a large reduction in the feedwater flow. Reactor water level decreased, automatic reactor trip occurred, as expected. We've been spending a lot of time on risk-informed regulations, where we're going in the risk arena, and incidents, transients, shutdowns, et cetera, effects of CDF and LERF, et cetera. Now, from a risk aspect, this event was not significant in that it did not result in core damage. However, it was a serious event in that several areas of weaknesses in overall operation and programs were identified, and I'm sure we'll hear about them from the staff. So at this point, I'd like to turn it over to the staff, Mr. Tad Marsh, to make introductory remarks prior to the staff's briefing.
MR. MARSH: Thank you, Mr. Barton. Good morning. My name is Tad Marsh and I'm Chief of the Events Assessment, Generic Communications and Non-Power Reactor Branch in NRR. I have with me today several representatives of the staff who will be presenting to you the Hatch event. I would like to introduce Mr. Wert, from Region II, who is the team leader on the augmented inspection team, and Mr. Vern Hodge, from my staff, who will also discuss with you the generic implications and our follow-up actions. So, gentlemen, let's go ahead.
MR. WERT: As Mr. Marsh stated, I was the augmented inspection team leader, the Hatch scram that occurred in January, with some complications that occurred on January 26, in the year 2000. Next slide. Just briefly, there's a list of our team members that participated in the team. I'm not sure how much you want to hear about that. But internally, as a region, we always review closely successes and ways that we can improve augmented inspection teams. One thing that we did note on this team is we felt we had the right combination of technical capabilities to review this. All the inspectors were extensively experienced in boiling water reactors from a resident inspector perspective and additionally, we had Mr. Gary Hammer, a member of the NRR staff, who was very knowledgeable and aware of the SRV issues, safety relief valve issues.
Just a brief outline. This is a composition of my presentation today. Overall event sequence, and I won't spend a lot of time with that. You have the inspection report in which that sequence was laid out. Equipment issues, because it's a very convenient way to talk about this event. Performance of licensed operators. As we got into the event, I think you'll see that we became more concerned or just as concerned about performance of the licensed operators as we did about some of the equipment issues that initially were considered to be problems. Health and safety assessment and NRC actions.
Hatch Unit 1 is a GE BWR-4, with a MARK-1 containment. That's the light bulb-shaped dry well with the separate torus. Commercial operation began September '97. The licensed full power is 2763 megawatts thermal. They did undergo two, in recent years, two upgrades to extend our power operation rating, full power rating.
The event occurred with Unit 1 at 100 percent power. It had operated for about 213 days continuously prior to this event. The event also occurred at 6:51 a.m. It was during a shift turnover, and we'll talk about that a little bit more.
A feedwater heater inlet isolation valve closed when a control switch unexpectedly actuated, and we'll talk a little bit more about that switch in the presentation later. An automatic scram on low reactor water level resulted as expected. High pressure coolant injection, HPCI, and reactor core isolation cooling initiated. The reactor vessel water level was rapidly recovered. I might add that in this event, both feedwater pumps were also running during this time. So the water level was rapidly restored. High pressure coolant injection tripped about 67 seconds after the reactor vessel high level trip set point was initially reached. The RCIC and the feedwater pumps tripped at their set points, as expected. Reactor vessel water level was high enough to cause water to enter the steam lines, and I'll talk a little bit more about what we thought contributed to that level in the steam lines. The operators closed the main steam isolation valves in accordance with the emergency operating procedures, and I might add that the procedures say -- I would phrase it as at 100 inches, shut the main steam isolation valves. The reactor operator did ask for concurrence to shut the valves after he noticed the level was slightly above 100 inches and they were actually shut at about a plus 108 inches indicated level. The highest level during the transient was about plus 110.8 inches that we got off the data.
DR. KRESS: What is it about this particular valve closing that causes the water level to decrease?
MR. WERT: Sir, this valve that closed was one of the two -- one of two valves in the main feedwater flow paths to the reactor vessel. There's two main lines coming into the reactor vessel. They do tie back together into one line upstream of that, but where this was, that effectively reduced momentarily 50 percent of the feedwater flow.
DR. KRESS: Fifty percent of the feedwater flow.
MR. WERT: Initially.
Then you would have both feedwater pumps still injecting into the vessel through the remaining flow path. But initially you get a large reduction in feedwater flow.
DR. KRESS: So it's an initial reduction.
MR. WERT: And even subsequently, but I wouldn't say 50 percent.
MR. BARTON: You're still basically steaming at full power rate and reducing feed flow by half.
DR. KRESS: Steaming at full power and flowing in at half the flow.
MR. BARTON: Yes. Feed level goes down pretty fast.
DR. WALLIS: What is water level, the two-phase mixture? What is the water level in the two-phase mixture? Is this a collapsed level or what is it? You have boiling water, but the level is not a determined thing, is it?
DR. BONACA: It is not the collapsed level.
DR. WALLIS: It's not a collapsed level. But it's a level of some sort where there's a transition from mostly water to mostly steam.
DR. SEALE: This is above the separators.
DR. WALLIS: Yes, it's way up there. So it's a two-phase mixture, but I wonder what you mean when you say level is 110 inches. What detects that level?
MR. WERT: These are water level indication systems.
DR. WALLIS: Usually that's a hydrostatic thing. It's just a collapsed level measurement. So the actual level where there is water is higher than that.
MR. WERT: I was referring to the water level indicated at the annulus of the vessel.
DR. WALLIS: I think it measures a collapsed level. There's actually water higher than that.
MR. WERT: I think that's true in the interior of the vessel.
DR. WALLIS: There is water a lot higher than just 110 inches probably.
MR. WERT: Yes, sir.
DR. WALLIS: Because it's bubbling and all kinds of stuff going on.
MR. WERT: Yes, sir. We were just concentrating on the level that would then go into the steam lines.
DR. WALLIS: But we at least have a picture of what's going on. There's actually a lot of water above that, as well, tossing around.
MR. SUMNER: My name is Lewis Sumner, I'm the Vice President for Plant Hatch.
At this point in the sequence, when this level was this high, the reactor has already scrammed. The void collapse has already occurred and you are reading true level.
DR. WALLIS: So it is true level.
MR. SUMNER: Yes, true collapsed level.
DR. WALLIS: Thank you.
MR. WERT: At this point, the operator initially attempted to control pressure with the safety relief valves. That's in accordance with his operating procedures, to open a relief valve. You would do that because you have the reactor essentially isolated here and the pressure is slowly increasing due to decay heat. The expected control panel indications were not received. What I'm referring to there is there's three lights under each control switch for these safety relief valves. There is a green light that tells you there is power being provided to the solenoid valve that supplies pneumatic air to operate the valve electrically. There is also a yellow light that tells you that the pressure in the discharge pipe going to the torus from this valve has reached greater than 85 pounds, the set point. It varies from plant to plant. But it detects pressure in the tailpipe. And the final indication is a red light that tells you only that the solenoid has been energized, either by switch operation or through operation of the low load set or the ADS system. The operator was looking for the amber or yellow light that told him I have a high discharge pressure in my discharge line, and he did not get that light at this point. So he then, in turn, manipulated the control switches for several other SRVs and then he obtained an open indication and the SRVs were subsequently used to control reactor pressure. Reactor pressure peaked slightly above normal operating pressure in this event, approximately 1,085 pounds. After the event, the licensee determined that the SRVs had actually opened when they were actuated.
The SRV tailpipe, and that's the discharge line to the torus, again, there's a temperature recorder on the back panel in the control room that showed clearly that the valves had opened. There are some other indications, as well. You can look at the torus temperatures in the area around the SRV discharge line spargers inside the torus, and we did that as a team. One thing we were concerned about was possibly that the valve, the pilot assembly lifted and maybe not the main portion of the valve, and we looked at that and that gave us a good indication that, in fact, the main seat had actually opened on the valve when we expected to.
DR. WALLIS: So you could see this by looking at the record afterwards, but the operator, in order to see this at the time, would have to go and look at some back panel.
MR. WERT: Yes, sir.
DR. WALLIS: So this isn't really information that's available to the operator at the time, unless he makes a big effort to go and get it.
MR. WERT: Unless he makes --
MR. BARTON: Not really, and especially, during this event, it happened at shift turnover, they had an abundance of people in the control room. They also have a shift technical advisor who is supposed to help the operators through transients to understand what's going on in the plant. So there are some questions here as to why that wasn't looked at, I think, and I don't think it's that.
DR. WALLIS: It's a question of time. When he's looking for the yellow light, that's right in front of him. But looking for these other indications would take more effort to go and look for them.
MR. WERT: Right. And the other indication he's looking for is a reduction in pressure at the same time when he expects the valve to open, obviously, and he didn't see that either.
MR. SIEBER: Who is the manufacturer of the safety relief valve and what type of --
MR. WERT: I was going to get to that. These are Target-Rock two-stage pilot initiated valves.
MR. SIEBER: Thank you.
MR. WERT: The operators subsequently used a high pressure coolant injection and reactor core isolation coolant for inventory control. There were several early attempts to restart reactor core isolation cooling, and this was after the initial transient, that did not succeed. Approximately four times, the reactor core isolation coolant system was attempted to be restarted and it was unsuccessful and that was attributed to the procedure or the process that was used to restart the turbine, and we'll get into that a little bit later.
DR. WALLIS: The heat sink then is just whatever is coming out the relief valves. The heat sink is the steam.
MR. WERT: At this point, that's correct. They have other systems that they could use. But RCIC was successfully used later in the event. They had auxiliary operators down in the spaces actually draining the water out of the steam supply lines to the reactor core isolation coolant system and one of our team members interviewed those operators and there was a significant amount of water obtained out of that line. High pressure coolant injection was manually operated several times and tripped properly at its high level set point on two occasions.
DR. WALLIS: What two occasions? Those were the only two occasions?
MR. WERT: Yes, sir. In this event, subsequent to this event.
DR. WALLIS: So it tripped properly every time its high level set point was reached.
MR. WERT: With the exception of the initial --
DR. WALLIS: The first one, it didn't.
MR. WERT: Yes, sir.
CHAIRMAN POWERS: Can you give me an idea of what the flow rate is from the high pressure injection?
MR. WERT: The high pressure coolant injection system is thousands of gallons per minute, as compared to the reactor core isolation cooling, which is several hundred. Safety relief valves, while the safety relief valves were passing water or a steam-water mixture, the pressure in the discharge line did not get high enough to actuate the pressure switch.
Our conversations with the GE and also the Target-Rock personnel that were there at the time, they also indicated that there is some reliance on I'll call it impulse loading of this pressure switch. So they contributed that also to part of the effect of why the pressure switch did not actuate. Alternative open SRV indication, and that is referring to the discharge line temperature recorder, was available, was not used. We do know that in training, when we looked at the training plan, that it is described in the training plan, the use of this temperature recorder, as one indication of SRV operation. We'll talk about this during our discussion of operator issues, but the gentleman that discussed the STA's involvement in this event, I think that's where it properly involves.
DR. WALLIS: Temperature would seem to be a more direct indication, because pressure depends upon the flow rate and how much is water and how much is steam and other things like that.
MR. WERT: Yes, sir. I would point out that the indications that are available on SRV indications vary from plant to plant considerably. Some of the plants have acoustic monitors. Some of these indications were originally designed to detect SRV leakage past. Back in the early days, there was a lot of problems or a number of problems with SRV leakage. So these indication systems are set up differently from plant to plant. They vary considerably. Our understanding of a discussion about the acoustic monitor, not to depart too much from the discussion, was, with the vendor representatives, indicated that they would have to, in fact, also be precisely adjusted and set. In other words, the water might have affected even those indications in this event, an acoustic indication. Five of the pilot actuated Target-Rock SRV assemblies were later satisfactorily set point tested. This is the routine testing that's done at Wyle Laboratory.
In this case, of course, it was not a routine test, but it's the same test that's done routinely. One pilot valve assembly was inspected. It was totally dismantled and inspected. The Wyle facility is familiar with this. There is a corrosion bonding issue that's still an issue with these Target-Rock SRVs. So they're pretty familiar with what these cartridges, pilot valve cartridges should look like when they disassemble them. We also had an NRC inspector there to watch disassembly who has some familiarity also with these SRVs. He is assigned to the Browns Ferry facility, which is located within 20 minutes of this facility, so it was easy for us to do. There were no unexpected conditions found. There were some indications that water level had, in fact, reached the SRV elevation. You could tell this by the types of contamination that were found in the valve. Subsequent General Electric and Target-Rock analysis supported operability of the safety relief valves, the discharge lines and the components in those discharge lines, and I'm referring there to the vacuum breakers that are located in these discharge lines and also the pressure switches that we had talked about before. Those pressure switches serve as an indication to the operator of pressure in the tailpipe for the valve lifting, but they also are used to arm a system called low-low set that exists at Hatch, and that system is designed to minimize the forces on the torus if you have repeated lifting of these SRVs. So that pressure switch is important.
MR. MARSH: If I could add something at this point. The agency was concerned that the initial parts of this event and up until perhaps this point about the ability of the SRVs to operate in this type of an environment and what the over-pressure analysis and the transient analysis remained intact, whether it would, in fact, represent what the plant would respond.
In this analysis that we're discussing here showed the staff that the transient analysis and the over-pressure analysis was still valid, that the SRVs may have had a different type of performance, but, in fact, over-pressure was protected. So this is an important key point in how the team was progressing through the inspection.
MR. WERT: I didn't go into the details there, but the licensee and General Electric and Target-Rock supplied a very conservative analysis with very conservative assumptions on how much water could be in these steam lines and how long it would delay the opening, actual operation of the pilot valve, and then, in turn, the main seat, and then relieve the function from the valve. They used very conservative assumptions, like I said before. They assumed that only one SRV would function and the difference -- the ability to mitigate the pressure increase was very significant. They could do it in a matter of just over a minute as compared to requiring several minutes before the pressure would become a problem.
The next equipment issue was reactor core isolation cooling. As I said before, several of the attempts to restart reactor core isolation cooling were not successful, and this was not early in the event, but subsequent developments during the event. They let the head -- the procedure left the reactor core isolation cooling steam admission valve fully open and under some plant conditions, such as water in the steam supply line, the turbine can over-speed if this restart procedure is used. It's not understood precisely why this occurs. There's two different explanations. One involves steam carry-over or water carry-over into the steam actually through the turbine control system and another one is that the water that's actually contained in the line flashes to steam as it goes -- as it approaches the final part of the turbine supply system.
In either case, it affects the operation of the turbine control system and you are susceptible to over-speed trips. Additionally, the licensee's event review team identified that the simulator training did not accurately reflect the reactor core isolation cooling performance, and what I mean by that is that this attempt could be -- this procedure could be used successfully in the simulator. It might not have been necessarily a simulator modeling problem as much as just a training issue, where the operators could, in fact, successfully use this repeatedly in the simulator, but it wouldn't work in the plant.
MR. BARTON: Is it a training issue or is it a simulator fidelity issue?
MR. WERT: It really depends, sir, on how the facility decides to handle it. I think that the facility has, in fact, changed the modeling of the simulator and Lewis could probably tell us that or not. I know that they've done some corrective actions, but I don't mean to hedge my answer, but you could, in fact, just satisfy this by having your simulator training personnel, in fact, insert failures into the system. You don't necessarily have to create the modeling to exactly perform this way. I believe the senior resident inspector told me that they have changed the modeling of the function of the valve.
MR. SUMNER: The model has been changed and the procedures have been changed and the training has been changed.
MR. BARTON: Thank you.
MR. SUMNER: But there are still probably other deeper issues than that as we look at the RCIC performance.
MR. BARTON: Thank you.
MR. WERT: And our final bullet up there, licensee promptly revised these reactor core isolation cooling procedures, and they did that prior to restart of the unit. There is some operating experience data available on this phenomenon, I call it on steam-driven turbines, but they largely are constrained to auxiliary feedwater systems in PWRs and they involve long runs of piping. A little bit different than the arrangement at Hatch.
High pressure coolant injection, the high reactor water level most likely resulted from the high pressure coolant injection system not tripping immediately when the high level set point was reached. Additional factors contributed to the high water level and what I'm referring to there is that just essentially the swell of the reactor, of this inventory of water that is inserted at 90 to 100 degrees, then heating up inside the vessel due to decay heat is significant. Then, also, in this event, both feedwater pumps were operating and early in the transient, one of the operators placed the master feedwater level control switch into manual and due to some complexities in the way the controller works, this resulted in the feedwater system operating at a very high capacity.
MR. BARTON: Was this by procedure? Are operators allowed to take automatic functions out and go to manual? Was that allowed by procedure or is that something that was done in violation of a procedure?
MR. WERT: It is permitted by procedure and we'll talk about that a little bit later. The licensee has initiated some actions to review that. But I just wanted to point out that that's one of the factors in the high level, that it makes it difficult to ascertain exactly why the level got that high.
DR. WALLIS: You spoke about time, you said not immediately. What sort of times are we talking about here from when it should have tripped and how long it stayed not tripped and how long the level was rising after it should have not -- what sort of times are we talking about?
MR. WERT: Our review of the data indicated at just over a minute, 67 seconds, that the system operated, it continued to inject after it reached high level --
DR. WALLIS: After it should have tripped.
MR. WERT: Yes, sir.
MR. MARSH: The feed pumps had tripped by that point, you had RCIC by that point.
MR. WERT: The feedwater pumps and the reactor core isolation coolant system had both tripped as expected at their trip set points.
The operator should have manually tripped high pressure coolant injection when it was indicated that the system did not automatically trip. The licensee did not conclusively determine why high pressure coolant injection system did not immediately trip during the initial operation. Subsequent extensive testing supported the operability of the trip function. I don't want to go into the whole logic path here. There's essentially several contacts in series. There's two sets of Agastat relays in series that initiate the trip. Both of those were sealed functions; in other words, the Agastat relay was inside a sealed case. It's not commonly a type that you see have problems due to intrusion from material.
MR. BARTON: I take it the licensee has never been able to repeat this failed switch since the event.
MR. WERT: We could not. The licensee or our efforts could not conclusively identify exactly why it did not trip initially, and that's why I was making the point that it tripped twice subsequently successfully. We think that affects the ability to troubleshoot the problem. Then after the two contacts, it goes to an HGA relay, in turn. Now, one thing that also contributes to this is not all these contacts and relays are monitored in the licensee's data gathering system. So it was difficult to just point out a certain relay and detect exactly how far the signal got through the process. That varies from plant to plant.
The feedwater valve control switch is our next area of discussion. Southern Nuclear determined that a GE-type CR-2940 control switch failure caused the feedwater heater valve to close unexpectedly and the way they discovered this was after the scram had occurred, operations noted that the feedwater heater temperatures were diversion. They had noted indications on their feedwater temperatures that they were not expecting. They investigated that.
They found on the local control switch in the turbine building the fifth stage feedwater heater inlet valve on the Bravo side had closed, and that was subsequently traced to the switch. The licensee did quarantine the panel. They did extensively try to determine what could have happened with the switch. For example, they did a lot of work in the area of security access records to that area and tried to determine if someone had, in fact, entered that area or had been carrying material, for example, through that area or had bumped the switch or bumped the panel, and they did not conclusively come up with an explanation of that.
MR. BARTON: Where is this switch located?
MR. WERT: The switch is actually located on a local control panel in the turbine building. It's on the middle floor of the turbine building. It's not in a particularly narrow passageway and it does not protrude into the passageway past other components on the same panel. There was a General Electric service information letter, commonly called a SIL, 217, which was issued in 1977, that states that the switch contacts for these switches may close prematurely from slight movement of the selector switch and the service information letter recommended that the switches be replaced with a less sensitive model. This failure that we're referring to in the switch does not involve the contacts in the interior of the switch. It involves the cam mechanism on the hand switch operator itself. It's a plastic molded component. There is an improved model that was subsequently developed that has a small notch in this plastic rotating assembly that engages the protruding operation of the contactor, the portion of the switch that actually works the contacts. So when we say a switch failure, that's what we're referring to, simply the very slight movement, a very slight agitation, maybe even a vibration in the area would cause -- could cause the switch to operate. Two of the switches had failed at Hatch in 1996.
They were both in non-safety-related applications, and after this event, this particular event, the licensee developed a list of all the affected switches, including the safety-related applications, and they made a prioritization list and replaced some of them. We were satisfied that they had addressed the important located switches prior to plant startup. MR. BARTON: This recent startup. MR. WERT: Yes, sir. DR. WALLIS: How did they prioritize it? Did they use some sort of risk information and select the ones that they ought to fix? MR. WERT: They looked a lot at safety-related applications, and Mr. Sumner could probably address exactly how they prioritized it, but they also did use risk because they looked at what could cause a transient, which failure could result in a transient. So I'm not sure that they used risk explicitly, but at least that was part of their factor. MR. BARTON: This switch could cause a transient. MR. WERT: Yes, sir. Main steam line instrumentation, another consequence of this event is that there were some problems with a few pressure transmitters connected to the main steam line. The licensee assessed the potential effects of the transient, such as localized flashing or water hammer on the instrumentation connected to the main steam line. Obviously, there's, I think, over 40 pressure transmitters connected to these steam lines and the licensee's testing identified that four pressure transmitters were affected by the transient. Two were significantly damaged. Their on two assembly portion of the pressure transmitter was, in fact, physically deformed. Two other pressure transmitters were involved in a failure of reactor core isolation cooling to automatically isolate during the subsequent plant cool-down, and that was the subject of a separate 50.72 notification. DR. WALLIS: Were these water hammer events that damaged the transmitters? MR. WERT: We believe it could be characterized as a water hammer event, localized flashing of the water. DR. 
WALLIS: Flashing is not as dramatically -- it doesn't produce high pressures like water hammer. Flashing may lead to water hammer later on, but it's usually the hammer that produces the high pressure that damages something. MR. WERT: Right. I think we were stating that there was no large water hammer event occurring over the whole entire steam line. DR. UHRIG: At what point did this occur time-wise, this damage? MR. WERT: I don't think it's well known exactly when this damage to these pressure transmitters occurred. I'm not sure. The affected transmitters were replaced prior to startup and the licensee did some extensive actions, as reviewing the application of the pressure transmitters, whether they were suited for the purpose that they should accomplish and there was no necessary corrective actions found in that area. In other words, they replaced the switches, the pressure transmitters with a like component. CHAIRMAN POWERS: Significantly damaged is often in the eye of the beholder. Can you give us a good feeling for what you mean by significantly damaged in this case? DR. WALLIS: They didn't work? MR. WERT: I was referring to the two that were significantly damaged, I was referring to their Bourdon assembly had been physically deformed, but, in fact, I would say that we said that four pressure transmitters were affected and by that, I mean that they were -- when tested, they failed calibration and they could not be placed back into calibration. MR. MARSH: The team was convinced, I guess, and I'm asking the licensee, as well, through you, that these transmitters were damaged in this event. There wasn't any question about them being inoperable prior to this event? MR. WERT: I'm not aware of any question at all prior to the event. MR. SUMNER: Let me comment on that. It's our belief that of the transmitters that we're talking about, that the transmitters on RCIC, one clarification is that these transmitters isolate RCIC on low pressure, less than 50 pounds.
So we're talking about a low pressure isolation of the steam supply to RCIC. Now, what you also need to understand is only one RCIC line valve failed to isolate. The other one isolated properly, like it's supposed to, just like the plant design would call for. You have an in-board and an out-board valve. Only one valve failed to close because of the damage that Len referred to on the transmitters. And I think Len has characterized it correctly. When you pulled these transmitters out, they would not calibrate. They would not reach the procedural tolerances for putting them back in. Where they physically failed, we could see the Bourdon tubes were physically deformed to the point where the transmitter would not respond properly. Was there any mechanical damage outside of that? No, there wasn't. We do believe that on the attempts to run RCIC, that the water in the RCIC supply line, and, as Len referred to earlier, as you tried to start it up, there probably was some localized flashing as the pressure was rapidly relieved as the turbine stop valve came open. And it could have happened then or when the stop valve went shut, when it over-speed tripped. So in any of those operations there, if there is a water hammer or flashing, that's when we postulate when the damage to the transmitters occurred. MR. WERT: Thanks, Lewis. The next area of discussion involved the performance of the licensed operators, and we touched upon that several times. The event occurred during a shift change or a shift turnover. The shift supervisors had already turned over, but the reactor operators were in the process of changing over, and the senior reactor operator was outside the, quote, at the controls area when the event initiated. And at Hatch, the turnover process involves largely -- it's done somewhat sequentially. The senior reactor operators turnover, I'll say, independent of the reactor operators, and they usually turn over well ahead of the reactor operators.
The oncoming watch, if you would, assumes their duties and then they, in turn, brief the reactor operators as a combined crew and then they go in and the reactor operators officially take over the duties from the actual on-watch reactor operators. When this event occurred, the oncoming senior reactor operator or unit supervisor would then, in turn, go into the -- went into the control room with the on-watch reactor operators, just after the event had initiated. And when I say he was not at the control areas, we mean he was in a room just adjacent to the controls area, just a few steps, but that is somewhat important in an event like this. MR. BARTON: But the operators that were on the control board were the operators that were on-shift. They had not been relieved. MR. WERT: That's correct, sir. MR. BARTON: Okay. MR. WERT: The reactors did not properly monitor reactor vessel water level and injection system operations, and we've talked about that previously. The tripping of the high pressure coolant injection system. And as a team, one of our team members was actually a senior reactor operator at a boiling water reactor for several years and we reviewed this aspect critically from the perspective of is it a realistic expectation at the time with the events that were occurring in the control room that they should have detected the fact that the high pressure coolant injection system had not tripped off and also the main steam isolation valve isolation was somewhat delayed. In both of those decisions, our subjective conclusion was that they should have recognized it. We did not see that there was a large number of events going on. Obviously, our resident inspector was in the control room shortly after this event, but we didn't actually observe the actual sequence at this point. MR. BARTON: Let me ask you a question. 
At the time of the transient, you said that the control room operators had not been relieved, but yet in the AIT, so there was shift turnover still going on outside in an office or something outside at the controls area. The AIT report talked about an excessive number of people at the control area and the control room. Now, how did that happen? MR. WERT: What we're referring to there, sir, was that essentially you have almost two crews there. You had the oncoming crew and the off-going crew in the control area. Now, all these people were not in the at the controls area. They were immediately adjacent to the at the controls area at a back panel held out at a desk, I would say, 20 to 30 feet away, but they were not right in the at the controls area. However, there was a larger number of people in the at the controls area itself proper than there normally would be on an event like this. Does that answer your question? MR. BARTON: Partially. Where did these extra people come from? MR. WERT: Some of them were the oncoming crew. MR. BARTON: So there was a mix of oncoming crew and the crew that was still on watch. MR. WERT: Yes, sir. Also, in addition, there are several operations supervisory personnel that participate in turnovers that were also present at the time and I think maybe not at this point in the event, but shortly thereafter, also some management personnel were also in the control room; again, not in the at the controls area, but immediately adjacent to it. And one of those individuals, of course, would also be our resident inspector. The next bullet, the shift technical assistant did not provide timely assistance to the operators, when unexpected SRV indications were observed and as commented by one of the gentlemen earlier, we considered that to be a problem. 
Training sessions had described the availability of the tailpipe temperature as an indication of SRV performance and we're not expecting that the operator necessarily would turn the switch and then run around to the back panel, but with all the people that were available and certainly the shift technical assistant. MR. BARTON: Does the STA at Hatch have collateral duties or is he full-time STA? MR. WERT: He is a full-time STA, at least -- well, Mr. Lewis will correct me if I'm wrong. I'm speaking from my knowledge of about five years ago when I was the senior resident there. He was a full-time STA. He does have other duties that he performs on watch. MR. BARTON: But during a transient, what is his role? MR. WERT: During a transient, his role is the classical shift technical assistant role, assist the operators and particularly analysis of indications, but largely constrained to reactivity and inventory issues. Is that how you would characterize it, Lewis? CHAIRMAN POWERS: I have to admit I'm a little confused about who was where when. Do we happen to have a diagram that could show us who was where? MR. WERT: I don't have one. CHAIRMAN POWERS: Maybe at some time we can. MR. WERT: Yes, sir. I can draw one shortly after this discussion. CHAIRMAN POWERS: Sometime later. MR. BARTON: Lew, do you want to address the STA issue? MR. SUMNER: Yes. The collateral duties that Len was referring to is that during normal power operations, the STA does the classical shift technical advisor responsibilities, as well as he has primary responsibility for reactivity monitoring of the reactor core, core management. In an event, in a transient, he is the classical shift technical advisor, where he has no other collateral duties than to assist the crew and analyzing the indications that they are seeing when the event is transpiring. MR. BARTON: So in this event, he failed to fulfill his STA role or, in your opinion, failed to give advice to the operating crew? 
In other words, could the STA have helped the operators in helping to identify whether the SRVs were operating or not and why didn't he do it? MR. SUMNER: I would say that I would like to clarify that during an event like this, the STA is looking at a lot of parameters, not just the operation of the safety relief valves. MR. BARTON: I understand that. That would be one of the things -- if the operators are trying to operate SRVs and they're not sure whether they're operating or not in some -- either the SRO or the STA or somebody should be able to see that the operators are having difficulty and provide some advice, guidance, assistance, how about looking at backup indications, et cetera, et cetera. MR. SUMNER: It is reasonable to expect an STA, when he sees that the operator is not getting the expected indication, that he could go around to the back panel recorder and try to, from an engineering point of view, determine that the indications that he is seeing do indicate that the SRVs are operating and he could come back and provide that advice to the operators to continue what you're doing, the valves are operating, but you're not seeing the right indications. Yes, that is a reasonable expectation. I'm not going to say he failed in his duties, because he had a lot of duties to do, but he could have assisted the crew more than he did in this particular activity. MR. BARTON: Do you also have a management expectation at shift turnover, if the plant goes into a transient, how the transient is handled with respect to who takes control, who backs up and doesn't get involved? Is that a management expectation written down at the station? MR. 
SUMNER: Well, the management -- what you have to -- the picture you have to understand is that during the turnover that Len is referring to, the entire crew that is oncoming, as well as some members of the off-going crew, are turning over in an adjacent room to the control room, to minimize the distractions that occur as you're doing a shift turnover, because there is a lot of discussion about what occurred over the last shift, what is to be done in this shift, are there any conditions that need to have special attention paid to them. At that point in time, in the at the controls area, the operators are monitoring the operation of the plant. Should an event occur, as in this case here, then the supervision comes out to take control of the shift and the expectation would be that the operators who are at the controls at that time would assume responsibility for management of the transient. In this event here, out of, I think, concern to help out other operators, we had some of the oncoming operators also assist in performing activities that you normally do to manage a transient. That's not the way we train, and certainly we have changed our management policy to require that operators now have to ask permission to become involved in the management of the event. It has to get direct supervisor permission to assist in the event. MR. BARTON: And this is a change you've made since this event. MR. SUMNER: Yes, sir. MR. BARTON: Yes, sir. MR. WERT: Next page. As referred to earlier, the operator took manual control of the feedwater flow controller and this affected the controller's response to the feedwater transient. I think it's pretty much understood that the industry has made some advances over the recent years in controllers on these systems. This is, in recent years, an upgrade. 
This is a complex digital control system, very I'll call it smart logic, looks for failures, looks for differences in their inputs and automatically drops out default inputs, that type of thing, and the operator took manual control of this. It's not against his procedures to do that, but the licensee is reviewing that policy and looking at that closely. Certainly, an operator would be expected to take manual control of an automatic system if he understood what was happening that was incorrect with that system. In this case, it's not clear that what exactly had happened was understood at the time when he took manual control. MR. BARTON: Is this because maybe the operator didn't have a lot of confidence or familiarity with this system? How long was this system installed in the plant, digital feedwater control? MR. WERT: It had been installed for several years. Lewis, I guess, could again help with that. I think -- I would characterize it for at least four years. MR. BARTON: Okay. MR. WERT: So, I don't think it was a confidence in a new system issue. MR. BARTON: Okay. MR. WERT: Reactor core isolation coolant restart guidance and simulator training were not adequate for the conditions of the event, and we talked about that earlier, and the licensee has initiated comprehensive corrective actions in that area. I mean, as my next bullet implies, the licensee promptly completed several corrective actions, including a revision to the turnover process, and Lewis described some of that. For example, they have revised their procedures so a senior reactor operator is in the control room. The licensee has also initiated broader corrective actions to address operations performance issues, and for example, one of those is the operation of manual and automatic controllers. I think they're looking at that across the board. We noted that, during this event, there were a few other issues that came up with these automatic controllers.
The HPCI flow controller was actually taken automatic at one portion during the event, or placed into manual, instead of left in automatic and dialing back the flow set-point, for example. So, it's an area that the licensee is reviewing. Health and safety assessment -- we discussed that there was no adverse effect on public health and safety as a result of this event, was no radiological release, and no approach to operational safety limits. The safety-related systems remained operable, although there were some problems with the important plant equipment, were experienced, and that's like we described with the reactor core isolation coolant system. NRC actions -- Region II dispatched inspectors to the site and initiated -- initially we initiated a special team inspection on January 26th. An augmented inspection team was dispatched to the site January 30th to February 4th, and the exit was attended by several members of the public that we had on February 4th. The NRC staff contacted the BWR owners group, discussed the event with INPO during its weekly call, and also, there was a response by telephone to an informal Union of Concerned Scientists inquiry on this event. Region II continues to monitor the licensee's implementation of corrective actions through our baseline inspection activities, essentially the resident inspectors. On May 17th of this year, the licensee is going to come in and discuss corrective actions with Region II management in a meeting, and we suspect that there will be a lot of discussion of broader corrective actions in some of these areas that we talked about earlier. Next slide. The augmented inspection team was tasked in the charter to identify candidate generic issues, and we did identify what we considered to be some potential generic issues, and we initiated an information notice, and this information notice was issued on February 11th highlighting three issues.
We talked about the fact that SRV operation is slowed, and the indication, depending on tailpipe pressure, is affected when the valve was passing water instead of steam. We talked about that earlier. It's just information to all the licensees. All the licensees' different indicating systems would depend on what they necessarily would do with this data. Procedural guidance for MSIV closure and set-points for the high-level trips of injection systems may not prevent complications due to water collecting in the main steam lines, and we're referring to there that we had noted that there was several -- there have been several reactor vessel over-fill events in previous years at BWRs. In one event, the operators, in fact, did not close the MSIVs, and our review has indicated that the guidance on closure of the main steam isolation valves is somewhat inconsistent between the facilities. At Plant Hatch, it's a note in the emergency operating procedures. We know that, at another Region II facility, it's in a procedure, not in the emergency operating procedures, and at another facility in Region II, we know that -- our review indicates that the operators are trained to shut the MSIVs, but there is no explicit procedure set up to do that. CHAIRMAN POWERS: I think this is the really generic conclusion here; this is the really important one, to my mind. MR. WERT: And the last issue we -- again, in the information notice, we wanted to highlight the reactor core isolation coolant performance issue. Next slide. And my last slide is that we have initiated a memorandum on April 14th from my Division Director to the Events Assessment Branch Chief here in NRR requesting review of two issues, and we anticipate that this will probably involve interaction with the BWR owners groups and maybe General Electric, as appropriate. 
The two principal questions: To what degree should water be allowed to enter the main steam lines at boiling water reactors, and should -- I'm referring to it loosely -- universal guidance be developed for BWRs, with specific criteria directing when the MSIV should be closed? You know, for example, in this event, if you get all your major injection systems -- high-pressure coolant injection and reactor core isolation cooling systems and feedwater systems tripped off and you know that you're not injecting and the water level is just slightly increasing, do you want to shut the MSIVs, for example? That's one of the questions. DR. WALLIS: Where is the water going? There's a turbine somewhere downstream, isn't there? MR. WERT: Yes, sir, there is a turbine, and there's some other, I think, considerations also on analysis of the steam lines, as far as whether they can handle the weight and forces of the water, and we have noted that that's dependent on the plant, it varies from plant to plant. And the other question was the significance and the specific impact of the water and the main steam lines relative to considerations in the design and licensing basis, and one of the major factors that we're looking at there is the instrumentation, the potential instrumentation effects. If you get water in the steam lines, then you affect the instrumentation attached to those steam lines. That could complicate events. We also know that there is variations, for example, in set points and the level trip systems of the injection systems between the different BWRs. We know the high-pressure coolant injection system at one facility is actually a one-out-of-two logic used twice type of thing on the high-level trip, which kind of sounds surprising on an injection system, but that's the way it is. So, there are some differences out there that need to be looked at.
Our team could not conclusively determine if the design basis for the set point on the injection systems -- whether it was based on simultaneous operation of different injection systems or whether it just assumed that one injection system was running at a time, for example. We didn't get that far. That's all I have for my presentation. MR. MARSH: The next part of the presentation is Vern Hodge is going to discuss the NRR safety assessment. MR. HODGE: Thank you, Tad. I am from the Events Assessment Branch in NRR. We were assisted in evaluating the risk of this event by the Probabilistic Safety Assessment Branch, and Mr. Dan O'Neal is in the room to assist in the discussion. The dominant sequences -- first of all, we used the risk model for the Hatch plant and applied it to this event by making some assumptions, found that the dominant sequences included losing the condenser as a heat sink, failing to provide adequate high-pressure coolant makeup, and failing to de-pressurize the reactor to allow low-pressure makeup. We're not saying these things happened in the event but that the risk is evaluated considering the probabilities of these events. The probability for losing the heat sink, the condenser as a heat sink, is modeled by taking little credit for recovering the power conversion system in relatively short recovery times. DR. WALLIS: If you close the steam line, how does the condenser act as a heat sink? MR. HODGE: It doesn't. DR. WALLIS: So, you have lost it. MR. BARTON: You take away your heat sink, there's no question of probability; you've actually lost it. MR. HODGE: Yes. We're talking about the probability of recovery. MR. FARRUK: Anees Farruk from Southern Nuclear. You are right, you could recover the secondary side by opening MSIVs. MR. 
HODGE: Concerning the HPCI and RCIC systems, we did not change the failure probabilities for those, but consider that conditional probability for HPCI failure, the recovery is assumed to be in the plant, not in the control room. This was in an effort to model the event that HPCI did not trip at the high-level set-point but tripped later, and the idea here was to assume that the probability would be increased by considering the field recovery rather than the control room recovery, assumed to be easier, and if the HPCI and RCIC system were to fail simultaneously, we did not consider the water coming into the reactor from the control rod drive pumps. To account for the AIT finding that the control room was crowded, we increased the probability for operator failure slightly. DR. WALLIS: How do you decide how to do that? I mean "slightly" doesn't sound very much. Someone makes a judgement? Does this have any effect anyway? Does this probability make much difference to the conclusion? MR. HODGE: I'd like to ask Dan to consider that question. MR. O'NEAL: This is Dan O'Neal. There is a HRA work-sheet, a human reliability work-sheet that's used for these -- modeling these types of events, and due to the general confusion and the operator not being aware of their areas of responsibility, we modeled that as a work process -- a poor work process, where if operator is needed to emergency de-pressurize the reactor, there could be possible delays, and so, we increased the probability of failing to de-pressurize a reactor slightly due to the general confusion and lack of awareness of areas of responsibility. DR. WALLIS: Well, "slightly" sounds as if it's a very small thing. How do you decide the probability of failure? MR. O'NEAL: We use the HRA work-sheet, which considers -- DR. WALLIS: Gives you sort of a formula that you apply? MR. O'NEAL: Yes. 
There's basically a process you follow, and we determined that we could increase the probability of failing to de-pressurize by a factor of two. The probability is normally low, and increasing by a factor of two, it still remains low. MR. FARRUK: This is Anees Farruk again from Southern Nuclear. The way we considered that was basically, when we do the HRA, we take a look at all the -- you know, the factors which could influence an operator's action, like -- you're talking about stress training, you know, the pre-conditions, post-conditions. So, all these things are originally looked into the PRA, you know, as part of the HRA. So, it's nothing new that you go through this. That's the way we look at it, you know. The only time we will change anything that is in the PRA in terms of operator actions is if there is additional events which caused some of the systems to be degraded. Then you would use a different operator action. MR. HODGE: So, factoring in these assumptions, the calculated conditional core damage probability is 1.6 times 10 to the minus 5. We are considering this event as a significant event because of several complicating factors: water filling the main steam lines to the main steam isolation valves, also the condenser heat sink on manual closure of the main steam isolation valves, inadequate indication of safety operation, faulty operation of two steam-driven injection systems, unclear lines of responsibility in the control room, and excessive sensitivity to mechanical motion of the feedwater control switch. CHAIRMAN POWERS: Let me ask a question about this "unclear lines of responsibility in the control room." What precisely leads you to that concern? MR. HODGE: We're depending on the AIT report. CHAIRMAN POWERS: Right. I understand. I'm just asking you to remind, out of the AIT report, what leads you to say the words "unclear lines of responsibility." MR.
HODGE: We're just thinking about the large number of people at the controls area and the time of the turnover as general considerations. DR. WALLIS: How about testimony from the people there? I mean if someone had actually said one reason I was confused was that my supervisor was not here because he hadn't yet taken over or something and therefore I was confused -- did you get testimony from individuals that there was reason to believe there were unclear lines of responsibility? MR. WERT: I can address some of that. First, I don't think there was any operator at the time that was confused. I don't think we'd use that term. DR. WALLIS: Was unclear about lines of responsibility. MR. WERT: Right. It connotates a different understanding. I think what we're referring to there -- and I'll give you an example of some interviews that we had with some of the operators that will help bolster this, but what we're referring to there is normally, as Lewis said earlier, the on-shift crew, the dedicated crew, if the event had occurred, there's specific responsibilities on who's observing and who's watching and monitoring operator of injection systems, and in this case, there was some indications that some of the oncoming crew got involved with those operations, and it was an assumption on some -- the different members crew -- of the crew that another member was doing something when, in fact, they may not have been, and where that would have been -- I guess one of the indications of that -- when we initially interviewed the senior reactor operator, initially, before the licensee had time to have a detailed session in the simulator where they went over what they thought had happened during the event with the operating crew and discussed the failure of HPCI to trip and some of these other events that had occurred, the operator had indicated to myself and another team member that he thought they did a fairly good job of handling the event, and after his review in the simulator 
session, he indicated to us that he had not realized some of the things that had occurred during the event. Now, I still think they adequately controlled the event, but he didn't understand some of the things that had occurred. Now, we would expect a little bit of that to occur just because of how many activities are occurring at the time, but that would -- does that help give an indication of what we're talking about? DR. WALLIS: That was a different subject from unclear lines of responsibility. MR. WERT: Right. DR. WALLIS: The fact that he thought things were fine and they weren't quite so fine -- that really has nothing to do with lines of responsibility. MR. WERT: I was just trying to couple it to an actual -- DR. WALLIS: Line of responsibility -- it's almost conjecture that this might have been why someone didn't quite realize what was happening as much as he might have done, or it really is traceable to a line of responsibility? MR. WERT: In answer to your question, sir, I don't remember an exact circumstance in which an operator said I assumed that someone else did that. I think you're correct. CHAIRMAN POWERS: It seems to me that the line is just misstated. I think you've got a human operational environment issue here, but I'm not sure that it's unclear lines of responsibility. I think it has to do with distraction and things like that. You may have -- and it sounds to me like the corrective action that the licensee has taken to work on his shift change-over rule is appropriate responsibility. He's not changing his lines of responsibility. MR. BARTON: Do you want to address that? MR. LEWIS: Well, let me give you an example, I think, of what Len is probably trying to refer to. When you train with the minimum crew members and you assign crew members -- one crew member has responsibility for reactor water level control and all the systems that control that.
When you have more than the minimum number of people, then you have enough people to run HPCI by itself, to run RCIC by itself, and to run the reactor feed pumps by themselves. So, there can exist in a situation when you have more people than your normal minimum crew -- when he's talking about we have unclear lines of responsibility, what you're really saying is that probably no one operator in and of himself has assumed responsibility for reactor water level control. There are enough operators that one is controlling RCIC, one is controlling HPCI, and one is controlling the reactor feed pumps. As far as was there any question about who was in charge and who was directing who, there was no confusion on that point. MR. BARTON: Now I understand better. Thank you. MR. HODGE: That's all our presentation. MR. MARSH: I have a couple comments, if I can, please. Speaking from the generic standpoint, we clearly have some work to do to look at this event and the ramifications of it, the recommendations of the AIT. I want to point to a couple of things that have taken place in terms of the agency's communication to the industry about this event. We issued an information notice early which contained the AIT's preliminary findings and the concerns that were expressed at the exit. We have had discussions with INPO in terms of their actions, and we are aware that they're working on an SOER, which is one of their highest levels of communications. We also have been in a discussion with the BWR owners group, and we are not yet far enough along to know exactly what's happening there. There were some preliminary plans on their part to communicate with the industry early. We need to follow that up to find out where we are in terms of those communications. 
Internally, we need to take the recommendations from the team and assess them against licensing bases issues, need to answer the questions about the design bases for the trip set-points, whether in fact it includes simultaneous operations of the feed pumps, the RCIC pumps, and the HPCI pumps, as well as answering the team's concerns about the design for the logic itself, the timing that's there, and to answer the question about the MSIVs and the variation around the industry for how those pieces of equipment are operated, and we look to help from the owners groups for some of those questions that may be best served to ask those types of questions in the industry. To put this event in another kind of a context, this was an AIT, and we don't have many AITs, okay? In the last 18 months, we have had three AITs, and so, that gives you some sense of the significance of the event. MR. BARTON: I think between that and INPO's anticipating an SOER kind of gives us a feel for the significance of the event. MR. MARSH: Right. I think so, too. We also looked at this in the context of the new oversight process. What does this event tell us in terms of the veracity of the oversight process? Would we have seen this, reacted the same way? We used -- in responding to this event, we used the Management Directive 8.3, the new Management Directive 8.3, which is a risk-informed process, in order to come to the decision to man an AIT. We also asked ourselves whether the work processes that are involved for determining risk that the resident uses and in terms of inspection followup are consistent with the new oversight process, and they largely were. In other words, the new oversight process mates with how we reacted in this event, and that was reassuring. I guess the message that we want to leave with you is there is certainly work to do, follow-on work coming from this event.
We think the team did an outstanding job in looking into this event and the underlying causes, and we look forward to more interactions with the licensee in terms of follow-on actions. MR. BARTON: Thank you, Thad. At this point -- DR. WALLIS: I think the thing that struck me most when you were going through the whole technical description was your points about water in the main steam lines. I mean you have this question about to what extent should water be allowed to enter the main steam line and what's the significance of having water in there. I would think this is something that must have been surely considered long ago. I mean it's an obvious possibility that the water level could rise and water could get into the steam line and what are the consequences. That must have been surely addressed by the designers of these systems. I'm surprised that the question is still being raised now as if no one knows what the consequences might be of having water in the main steam line. MR. MARSH: That's certainly a part of our follow-up action to find out to what extent this scenario was postulated, when and how. My recollection is that it was -- some of these trip functions were added later, that this was not part of the original design, some of these high-level trip functions, because of this possibility. A dead weight load has been considered in these lines, and that's the reason that you would block them so that you don't exceed any dead weight loads, but dynamic loads -- my impression is that you want to avoid dynamic loads and that's why you have these trip functions. Now the question is what's the bases for those trip set points to avoid this from occurring and should the MSIVs be closed, is that a good action or not a good action in order to ameliorate a high-level situation. DR. 
WALLIS: Well, in defense-in-depth, one might decide to design the thing so even if you did get this water in there, no one is going to raise a question about is it going to be too heavy or is it going to impose loads that are too big, we've just designed it so it's okay. MR. BARTON: That's good for the new-generation reactors, Graham, yeah. DR. SEALE: You've got what you've got. MR. BARTON: You've got what you've got. MR. SIEBER: You cannot back-fit. MR. BARTON: Are there any other questions of the staff before we hear from Licensing? [No response.] MR. BARTON: Hearing none, Lew, would you like to make some comments? MR. LEWIS: I've just got some brief comments. One would be that, on the risk assessment, we came to a different conclusion on the number for the risk assessment, and we'd like to have the opportunity, with our models and our assumptions, to review that with the staff to see why our conclusions are different. We came up with -- for a similar calculation -- in the E to the minus 7th range, not E to the minus 5th range, and it all depends on what assumptions you make. MR. BARTON: Sure. MR. LEWIS: And you come to a different conclusion depending on the assumptions you make. So, we certainly want to have the opportunity to sit down and review and discuss our assumptions on our risk assessment. The second thing is that -- concerning the adequacy of the high-level trips, we did have what's called a TRACG analysis run by GE where we made assumptions of the exact conditions that were present. One feedwater line is isolated, both pumps are trying at 100-percent demand, HPCI has not tripped at the right set-point but RCIC did, and to verify -- we were looking for such things as was there an asymmetric level condition in the vessel at the time which would explain why HPCI did not trip? Well, that analysis didn't prove that out. 
We also went to prove that -- were the trip set-points adequate as part of the initial design basis, and the TRACG analysis that we did proved that they were adequate. So, we believe we've got enough -- this is a detailed study we've had GE working on for the last six weeks to make sure that there are no other issues out there that we know of related to the adequacy of the high-level trip set-points. We talked about the fact that we weren't able to determine why HPCI didn't trip. Well, there's an explanation for that. When it did trip, automatically, the first time, all the evidence was basically destroyed at that point of how to determine what component may not have worked correctly, but I will let you know we have put some compensatory actions in there that exercise that logic chain so that in the event that it is demanded again to operate, that we've tried to improve the level of assurance that that trip function is going to work, and we have reviewed and still continue to review whether or not we should change the logic design for the high-level trip. But the thing we should remember is that actual design basis for HPCI is to inject water into the vessel and make sure the core is covered under a small DBA and that it should trip at a high level, there's no belief that it shouldn't trip at a high level, but its actual safety design basis is to put water back in the vessel, which it did successfully. There are a tremendous amount of lessons learned that we've gotten out of this event, and Len has discussed some of the immediate ones that we've done as far as correcting some equipment problems, some procedural problems with RCIC, the simulator model that he referred to, but we continue to look at deeper issues out there. 
We look at our management processes to see, if we have a RCIC model that does not exactly match the plant, how did it come to be that way, and does that give us insight into looking for other models or other issues out there that we need to look at? So, we continue to look at that. We do have a follow-up meeting, as Len referred to, on May the 17th, where we're going to discuss our corrective actions, and we'll discuss not only the ones we've talked about today for the immediate stuff but some of the deeper issues out there that we continue to explore. So, we've tried to use it as a learning experience. I know there are some generic issues out there. I don't believe determining what is the proper guidance for closing the MSIVs on high-level will be an easy thing to do, because as Len referred to, there are different plant designs and there are different considerations, depending on which plant you're at, but I believe there is the importance of making sure that you don't get water in the main steam line that was certainly brought out by some of the things in this event. MR. BARTON: One further question I've got is how detailed had you looked at your corrective action system and the effectiveness of it, especially since the history with the GE SILs and information notices on these switches? MR. LEWIS: The GE SIL came out in, I believe, 1977, and we did a review in 1977 based on the guidance in the SIL as to what we should look for. We thoroughly evaluated that, and we have written documentation as to how we evaluate it. We've had one failure of one switch in 15 years, and that's this failure that Len referred to that happened in 1996, and subsequent to that, of course, we did a broader review with this particular event there. So, one of the issues we do have is when we have SILs that had been evaluated 20 years ago, is there a need to go back and re-evaluate them in today's world? We haven't come to a conclusion on that. MR. 
BARTON: I guess the question I would have there -- and I understand that. I lived through the same thing with the GE SILs and how far do you go and how much equipment plant do you change out. But you had a subsequent failure. Well, you had a failure after the SIL in '96. Apparently, according to the AIT, this was classified as a significant event or a significant issue in your corrective action system, and yet, four years later, it didn't look like you did any more maintenance or change-out of this style switch, and the reason I'm hammering you on this is, if you look at the new oversight process and where we're going to risk-informed regulations, etcetera, etcetera, you know, how robust your corrective action system is depends a lot on, you know, how the plant is going to perform and how the NRC is going to look at your performance down the road. So, again, you know, I still have a question as, you know, how robust is your review or your self-assessments of your corrective action systems? MR. LEWIS: Well, I think the question you ask -- SILs is a narrow area. When you get into other issues out there -- we do have categories we call significant occurrences. We have others that are higher category we call event reviews, and we do try to -- like you've done with this event here -- this event met the criteria to have a lot of study done on, and event reviews meet the criteria in our own procedures for having a lot of study done, significant occurrences have less study done but more than just routine, you know, common occurrences that happen in the plant. That is an issue that we're reviewing right now. Does this particular event reveal a weakness or a need for improvement in the way our corrective action is done, and for example, would you postulate that you need to create a self-assessment process for material you've reviewed several years ago to see if the conditions have changed? We have not come to that conclusion yet, but it is something we're studying. MR. 
BARTON: I understand that. Thank you. DR. SEALE: What's the status of the plant now? MR. LEWIS: The status of the plant -- both units are at 100-percent power. DR. SEALE: How long did it take to go back to full power? MR. LEWIS: After this event here? DR. SEALE: Yes. MR. LEWIS: Approximately -- we were down, I would say, approximately a week to do all the reviews, make the procedure changes, re-do the training, do a broadness review of -- or locate all the locations for the different switches of this type, categorize them to whether or not -- the worst postulated action from that switch and what the end result could be of that to decide which ones we would replace before we started back up. DR. UHRIG: Have you replaced any of the switches in the other unit? MR. LEWIS: Yes, sir, we have done it. We did some immediately on the other unit, and then, during the subsequent refueling outage, then we went and changed out the other ones. MR. BARTON: Any further questions? [No response.] MR. BARTON: If not, I'll turn it back to you, Mr. Chairman. CHAIRMAN POWERS: Thank you, gentlemen. At this point, I want to dispense with the transcription. [Whereupon, at 11:35 a.m., the meeting continued in executive session, to reconvene in public session this same day, Friday, March 12, 2000, at 12:45 p.m.]. A F T E R N O O N S E S S I O N [12:45 p.m.] CHAIRMAN POWERS: Let's come back into order, and we'll move to the topic of physical security requirements for power reactors. Dr. Kress is our cognizant official on this. DR. KRESS: I don't know why, but I am. CHAIRMAN POWERS: Well, because you're very physical, I suppose. DR. KRESS: I don't have a lot of introductory remarks to make except it's awfully hard to make a risk assessment of security. I have seen such things in the past, and what I recall of them are this particular area is a significant risk. In fact, it may be risk dominant. 
So, it's good to pay attention to it, and it's generally treated in the classical way with regulations, in the classical sense that there are design basis threats and defense-in-depth philosophy, and then you use inspection and a test to see if your system works. Well, I think one of the problems is that these tests, challenges to the system have been done in the past on the sort of -- I presume a voluntary basis. There's no regulatory authority to require them in the regulations, but I think one of the things they want to fix when they're developing -- what they're looking at is developing a new rule for this area, and that's one of the things they want to fix. So, with that as sort of a minor introduction, I'll turn it over to the staff. CHAIRMAN POWERS: Before we go to them, I'd just comment that, within the DOE community, we're concerned about terrorist-type activities not in the sense of using nuclear materials to threaten the public population but, rather, to threaten facilities themselves using -- of particular interest is gas and biological threat, has become an area of some currency within the DOE community looking at -- upon nuclear reactors as a public institution, along with airports, other government buildings and whatnot, especially following the Oklahoma City incident, and so, this is gaining more currency than maybe we had when the Cold War was at its peak. DR. KRESS: Yeah. Well, I think one of the things they're wrestling with is -- in making a rule -- is what are the design basis threats. I'm not sure how much of that we'll hear today, but I hope we hear some. Let's turn it over to you guys. MR. ROSANO: Good afternoon. I think that, at this point, most of you know Glenn Tracy, my boss, the Branch Chief. My name is Dick Rosano. 
I'm the Chief of the Reactor Safeguards Section, and I'm going to try to address a couple of the concerns that you just raised in the context of the briefing, realizing, of course, that what I'm going to be talking about are the regulatory changes that we're proposing, that we're working on in terms of risk-informing the regs and that there will be a separate section afterwards having to do with design basis threat, and I think, as I go, you will see some of -- you'll pick up some of my comments about the risk issue and how easy it is to do and the fact that there are two different kinds of risk that we're going to talk about. First an overview of where we've been and what is driving all of this. I'd begin by referring to risk-informing 73.55, and it actually pre-dates that somewhat, because the effort underway right now began when we started contemplating an exercise rule that was designed to be the successor to the Operational Safeguards Response Evaluation program, the OSRE program. OSREs, for years, had conducted assessments at the plants -- force-on-force drills run on scenarios meant to test the defensive strategies or the protective strategies of the plants. We wanted to be able to replace that program with a requirement to do drills and exercises, and after spending some time looking at that, we expanded the consideration to include an entire look at 73.55 and other related power reactor regulations. By that, I mean there are certain others like 50.54(p) and 50.90 that control changes to security plans and commitments made. So, in the context of risk-informing 73.55, we would want to be able to look at the other associated regulations. When we did then consider risk-informing 73.55, the issue of risk in essentially two forms comes up, and we wanted to differentiate the two types of risk. One is the probability of event, which I believe you mentioned, and that really is a very difficult thing to estimate. 
In fact, you will find that most of the sabotage events that have occurred through history did not come with a high probability or expectation that they were about to occur, and the community understands that the Commission, over the years, has understood that and made various proclamations relating to it. Our efforts are not to risk-inform that process. We are not trying to -- in the context of rewriting these regs, we are not trying to assign a risk or probability to an event occurring. In the later presentation by Roberta Warren from NMSS, when she does talk about design basis threat, there's an element of that, and the intelligence community provides great assistance in understanding what probabilities there are, but that's not what we're trying to do when we're risk-informing 73.55. However, there is another element of risk-informing the regs that we can deal with, and that has to do with the consequences, the safety consequences of the event. Stripped down to its basics, a safeguards event or a sabotage event is the initiating event in a safety sequence, and we can do some risk-informing to better understand what might unfold from that event. There are a lot of factors. Obviously, we have to be able to stabilize the systems at the plant, knowing that there will not be additional sabotage events within that context before we can then sit down and assign a probability, but the regulations are intended to assign some risk sense or probability or better safety understanding of what might happen. Perhaps one of the greatest products -- DR. KRESS: Could I interpret that to mean that you might be focusing on the conditional core damage frequency given the event? MR. ROSANO: Yes, we are. 
What we're doing now is trying to base the regulation on performance criteria and safety criteria using the design criteria of the operational systems, using that as the proposed goal of a sabotage event, and then looking at the probability of the attack resulting in the failure of one of those design criteria. We recently wrote in a Commission paper, 00-63, the six design criteria that we intended to use for that. I know I'm getting ahead of myself a little bit. I'll try to be more controlled, but we'll go back to that, because that's an important point that we want to discuss. As we began to peel back the layers in risk-informing the regs, we did find more and more fundamental issues that needed to be resolved and that we needed to come to better understanding of. One was the definition of radiological sabotage, which goes to your point. The regulations do define rad sab as an event which would cause a risk to the public. I've left out a lot of words, but that's what it boils down to. Well, the level of risk was not delineated, the type of event, and so on. So, we considered -- and in fact, in a Commission paper, did recommend to the Commissioners that we look at what is defined as rad sabotage and improve upon the definition. The more we worked on that, the more we decided that, even with a better definition of rad sabotage, we would still need to come up with performance criteria. Subsequent to that, we did advise the Commissioners that we had decided that the proper approach for beginning this rulemaking was to define the performance criteria that we expected the plant to maintain in the event of a sabotage attack and that their systems should be designed with a goal of maintaining those performance criteria. Now, when I said that the licensee or the plant would need to maintain, another important difference that we promoted and proposed was that it be a whole-plant response. 
Rather than thinking of this as a gun battle in the protected area, the security force against the attackers, we wanted to step back from it and accept that there are a number of other actions that can be taken by other members of the licensee force -- for example, the operational staff -- actions that could be taken to mitigate the consequences of the attack or, perhaps by isolating systems or components, perhaps defeat the attack, simply without even the actions of the security force, which is not to say that we would propose they do away with it, but we wanted to respect what the entire plant organization could do, and we took those things into account, and so, the new rule will consider actions by operators and operational staff. MR. BARTON: Would that entail operators leaving the control room? MR. ROSANO: It would entail what the licensees believe are the best means of handling that. In some cases, I understand some licensees would consider it important to dispatch operators to the remote shutdown panel and so on. There are issues like that. Each licensee will have their own answers. DR. BONACA: Just a question I have. I remember approximately 20 years ago there was a review of all the power plants to identify that you cannot disable the plant -- let me use the word "disable" now, and we didn't talk about CDF at that time, or core damage -- that you cannot disable the plant by one individual in one location, that there was sufficient separation and diversity of systems in different locations that you would have -- so, there are some elements already in place that are still -- because I remember that, and I remember that there was no further activity after that, it was the only thing that was done. MR. 
ROSANO: That has been better applied in a safety arena than in safeguards, although it also applies in safeguards, because the principle that no single act can defeat the safe operation of the plant is a design feature, design concept that would also prevent a single act of a saboteur from accomplishing that purpose. Notice I said a single act of a saboteur, not a single saboteur. One individual could do more than one thing. But it would apply, and I think that that's an important part of looking at the whole plant response to a sabotage attack. DR. KRESS: Does that mean that each plant might have to have something analogous to the emergency operating procedures, call it a sabotage operating procedure? MR. ROSANO: Well, in fact, they already do. DR. KRESS: They do? MR. ROSANO: The plants have incorporated what they call protective strategies or tactical response strategies. One of the things that this rule would do would be to add a little bit of detail to that and encourage licensees to more formalize their processes for this, but licensees already do have procedures, and they have -- under Appendix C of Part 73, they're required to have a contingency plan, and it's for safeguards emergencies, and usually that results in things called tactical response strategies where the security force has pre-programmed responses to certain types of events, responses that they practice through drills, and it sends them to certain positions to respond, depending on what kind of event it is and what's the likely outcome. Going on, then, I mentioned the problem with definition of rad sabotage and the performance criteria, so now we're trying to deal again with the whole plant and trying to use and take credit for any of the response actions that might be incorporated together. The next item that we found in peeling away the layers of this issue was the design basis threat and the adversary characteristics. The rule -- there are three levels of detail. 
The rule says that the design basis threat will include several persons, and it describes them in general terms. There is a classified -- in the case of category one facilities -- a classified description of the numbers of people, and for power reactor facilities, there is a description that is safeguards information that describes the number of people who would attempt sabotage. The category one facilities need to protect against sabotage and theft. We consider sabotage for radiological purposes the only real issue at the power reactor facility, and the type of threat, the type of DBT and the size of the DBT would be different for each. The next layer of detail is what we found ourselves in while dealing with this problem today, and that is that these adversaries could carry a number of different arms or tools or items of equipment and that we needed to have a clear understanding from which we would work and from which the licensees would work in order to balance their protective systems and understand what they needed to deal with. This is also considered classified information for the fuel facilities and safeguards information for the power reactors. These characteristics are very important for the licensees to understand in order for them to comply and live up to the expected level and very important to guide our exercises to make sure that we're testing at the proper level. The difference between different poundage or amounts of explosives, different types of armaments needs to be settled. Now, NMSS has done extensive work on this, with the intelligence community and in defining these details. You'll hear more about that later, but this is another issue that we concluded needed to be solved in order for us to get to a more clear understanding of what the regs should be. DR. KRESS: Does that description of adversaries deal with the potential for an insider at all? MR. 
ROSANO: An insider is assumed to be part of the design basis threat for both sabotage and theft, yeah. Then the last item in terms of overview is the industry's interim program. I mentioned the OSRE program, Operational Safeguards Response Evaluation program. That has been in place since about 1991. As of this month, we have completed the first full round of OSREs in which a headquarters-led team with regional assistance and contractors has gone to each of the power reactor facilities, conducted week-long tests, complete with table-top exercises and scenarios drawn up by both licensees and the NRC and force-on-force drills, several of them, not a single one, to determine the adequacy of protection. The OSRE program has completed its first full cycle. Our goal was to replace the OSRE program with this rule-based system, which we will. That will take some time to do, and what we wanted to do was have an opportunity to pilot the new concepts, pilot the ideas that we would like to incorporate into the rule as we write the rule, and the industry offered to write a program that would be forward-looking rather than backward-looking to a new program that would include some of the ideas that we've been debating over the months for the new rule rather than simply incorporating those already used for the last nine years in the OSRE program. That program has gone through a few revisions. It's called the Safeguards Performance Assessment Program -- the title has changed a couple of times -- and that program has been reviewed and been subject to comment by the NRC. We've worked extensively with the industry through public meetings and members of NEI, and that is coming along. 
That actually kind of leads us into the next couple of slides, I'll be able to tell you more about the status, but in general, the goal is to have an interim program to ensure that we continue evaluations of security response strategies, not just security, because we have an inspection program that evaluates security, and it does a good job of that, but we would also like to have evaluations of the response strategies. So, what we want to do is have a continuation of these exercises, allowing OSRE to sunset in favor of a program that looks to the future, and let that program run until the rule can reach its final state. CHAIRMAN POWERS: I guess I don't quite understand. You have this OSRE program, and now you've got a proposed new program that's characterized as looking to the future. I'm struggling with what's different. MR. ROSANO: Well, there are several differences. One is that we would like to have -- the rule, for example, would require the licensees to develop a robust program of drills and exercises. Currently, although many of them do conduct drills, there's no requirement in the rule that they do so. So, the voluntary program that they're offering as an interim program would do that. That's one of the changes. CHAIRMAN POWERS: But I mean you've done this -- through the OSRE, you have these exercises. MR. ROSANO: Yes, sir. CHAIRMAN POWERS: Would they be the same or different? MR. ROSANO: The exercises under the interim program and under the rule would be very similar to OSREs. They would be force-on-force drills incorporating the design basis threat standards in those drills, but currently, because there's no requirement for drills or exercises, a lot of licensees -- there are some licensees who drill at different frequencies. Some drill very often, some drill not so often. It has left us with the inability to take a snapshot in time at any given time as to what the abilities are. 
The interim program, the SPA, would incorporate quarterly drills, which is what we're thinking about for the new rule. It would have a triennial requirement for extensive exercises, so that the exercises under the OSRE program that -- considering that the first full cycle took eight years, then obviously the full exercises under the interim program of the rule would be three times as often. There are some other things. The design criteria will be looked at. The OSRE program uses significant core damage as the goal of the attack, which if you take that and then work backward, then you'd assume that the licensee protective strategies only have to be designed to prevent significant core damage, and that's a very useful approach, but what we're trying to do is improve upon that, and so, the design criteria that we proposed in the recent Commission paper would be tested out in the new program, so there would be a better understanding of how this would function in the rule. Certain other things, including means of training and feedback mechanisms, so that findings in the exercises would be fed back through the corrective action program, all parts that we consider essential to the new rule would be piloted in the interim program. DR. WALLIS: It seems to me it's not quite so simple. Adversaries, if they were able to get into a position where they could get control of something and cause some damage, probably would want to say okay, now we want something, and you don't know what they control, what they can do, how far they've gone. We'd be in a very difficult position negotiating with people who you don't know what they're able to do, how far they've been able to do things, and you don't have information coming out that tells you what they've done. MR. ROSANO: That's a very specific safety-oriented question. 
The goal of the response strategy should be for the licensee to maintain control of the operation of the plant, and so, for individuals to reach a point in the plant where they could take over control would be considered a loss of a system. DR. WALLIS: Do you go beyond that? I mean if they do reach that point, then you've still got to do something. MR. ROSANO: You still have to do something, but actually -- let me try to differentiate between denial and defeat strategies. The licensees, more and more, are going to denial strategies, which is to keep the potential saboteurs away from the equipment that might allow them to take control of the plant, so that they -- in effect, they win, they win the game if the attackers are isolated or kept out of the critical areas of the plant. A defeat strategy would mean, again back to the notion of a gun battle, would mean killing more of them than they kill of the licensees. That's not the approach. So, the point is for the licensee to maintain control through denial of the areas of the plant necessary to maintain safe operations. DR. WALLIS: Assuming once you've lost control, that's the end of anything you think about? MR. ROSANO: Oh, no. Certainly we wouldn't just give up, but now, at this point, what we're talking about is the safeguards, protective strategies, and the responsibilities within the program to be able to defend against losing that control. If the attacker gains control of the critical systems, there's still actions that need to be taken. DR. WALLIS: I think you might be in a position where you don't know if he's gained control or not but you know that you happen to have lost your control, but you don't really know what they've been able to do. MR. ROSANO: So, anyway, that is the point of the interim program, is, again, to be forward-looking. What we want to do is take the best of the OSRE program, of which there is quite a lot, but to incorporate some new ideas and to test out where we're going. 
We also think of the interim program as an evolutionary thing. It won't be static. As we learn and things become obvious to the industry and the NRC, we'd like to be able to incorporate those. The second part of the presentation is on chronology, and in my way of going around the facts, I probably already covered a lot of this, but I just want to bring us back to where we were. In May of 1999, we briefed the Commission, and actually, what I failed to mention there was that that was a result of a Commission paper. The SPA task force, the Safeguards Performance Assessment Task Force, submitted in January '99 -- it was SECY paper 99-24, and we submitted our recommendations, and that had to do with creating an exercise requirement in the rules. On May 5th, we briefed the Commission, the Commissioners, followed with an SRM dated June 29th in which they instructed the staff to go forward and develop these recommendations. That was in June. It was during the course of the summer of 1999, through extensive meetings with the -- public meetings, including the industry, in which more was discussed about the possibility of opening up the door to consider all of the safeguards regulations. I wasn't with the NRC back in the '70s when we wrote 73.55, and I also know that, in spite of some of the fixes we've made to 73.55 over the years, we've never stepped back from it and taken a complete look. We believe it's time -- the staff has thought that it's time, and this is a good opportunity for us to modernize the regulations. In October, SECY 99-241 was proposed, and that included all of these concepts, risk-informing 73.55, including the exercise rule, so a broader look, and that was approved by SRM in November of '99. March 9th of this year, we submitted the SECY 00-63. 
This was in response to the part of the November SRM that asked us for a definition of rad sabotage, and as I described earlier, we tried and could not conclude that simply an improved definition would solve all the problems. We concluded that we needed to have design criteria that would form the basis for the protective strategies and for the regulation. We submitted those design criteria in SECY 00-63, and the Commissioners adopted the recommendations in April of this year, telling the staff -- directing the staff to go forward and to work the rule. So, it's been taken step by step. In the beginning, we recommended an exercise rule. After that, we recommended a broader look at 73.55 to risk-inform it, and then, following that, we submitted a Commission paper in order to show how we intended to base the rule, on what we intended to base the rule, and that was the performance criteria. MR. TRACY: I would also add the Commission directed us to incorporate the performance criteria in the interim program that the industry would ultimately take on. MR. ROSANO: As for future, we are looking at summer of 2000 -- this program proposed by the industry, the Safeguards Performance Assessment Program -- the staff has spent considerable time reviewing it in several different versions, submitted comments to the industry, received some feedback from them, and it's been an iterative process. We hope to be able to reach final agreement and endorse the industry's Safeguards Performance Assessment Program. That's what was referred to as the interim program on an earlier slide. That would be the program that would allow us over the next two to three years to test out the concepts in the rule. Now, an important point before I go beyond there is that we intend to continue doing exercises of protective strategies from here through that time. Those will probably be in the form of OSREs, because it's a program that's worked very well and it's well understood. 
We will do OSREs on a periodic basis in order to continue the flow of information about licensees' response strategies until the time -- and here it says in late 2000 -- that we expect SPA exercises to begin. The endorsement needs to precede the actual initiation of the program by some several months to ensure that the licensees who come up first for the exercises are working -- are operating under the right rules of engagement. CHAIRMAN POWERS: I guess I have -- a couple of questions spring to mind. MR. ROSANO: Sure. CHAIRMAN POWERS: The first one that springs to mind is I think that the licensees are excellent at running electrical generation facilities. I am not sure what their qualifications are for designing terrorist activities. So, I come in and say, gee, I wonder how one looks -- goes about formulating and reviewing a proposed SPA program, what criterion one uses to say whether it's an adequate one or not. I mean I know there are other organizations -- I happen to work for one -- that makes a business out of doing these things for the military. Can you tell me more about how it gets designed and how it gets reviewed? MR. ROSANO: The document that has been generated by the industry, that we've been reviewing -- we have reviewed, in the context of what we know so far today about OSREs, what OSREs have taught us -- now, the OSRE program has been -- has enjoyed the benefit of contractors that we use who are very experienced in this area and who have helped us through the years. The document that the industry has proposed incorporates a lot of those ideas, plus I happen to know that the licensees typically have contractors themselves who have backgrounds in this field. Now, you've reached deep into the subject and asked a very important question. It's not just a matter of evaluating the exercise results, it's a matter of evaluating the program itself, and so, in fact, that's what I think is one of the strengths of the new program. 
This program, SPA, as well as the rule to come out -- it's kind of like the difference between, you know, giving a man a fish and teaching a man to fish. If we get the opportunity to look at the licensee's program, the industry's program, and it's a robust, strong, legitimate program, we can walk away with greater assurance that things will be conducted properly even when we're gone rather than just while we're on-site, and that's the goal of the new initiative. CHAIRMAN POWERS: The next question that comes to mind is that I know -- you've certainly emphasized force-on-force exercises, as well as table-top exercises and things like that. I also know that there's a booming cottage industry in developing computer codes to simulate armed intervention against incursions and whatnot. Is that -- do those figure into this program at all? MR. ROSANO: Yes. I'm very pleased you asked that question, because it turns out that, in the last two days, we've just finished a two-day symposium in which -- CHAIRMAN POWERS: I'm a great straight man. MR. ROSANO: You can ask questions all day, sir. A gentleman on my staff in the back of the room, Al Tartif, put together a workshop that brought to headquarters here members of Department of Energy, DOD, Sandia, Lawrence Livermore Labs, and the subject was how do we risk-inform security regulations, and nearly -- probably half of those addressed themselves to modeling and computer-based systems to test it. There is a lot to be gained from that. It allows multiple tests of the same strategy either before or after you run a real exercise. There's a lot there, and I expect that the industry will make use of that. It would make a lot of financial sense for them to do so. DR. WALLIS: You're always talking about arms and weapons. 
It seems to me that's the most unlikely thing; the most likely thing is intelligence sabotage, as things get more and more computerized in the control room, someone knowing something about the system, slips in some lines of code which screw up the control system of the reactor, so that when someone does something, something happens and they lose control because they're getting false information. MR. ROSANO: Perfect issue. In fact, cyber-security is an essential element of the new rule-based program, and as an aside, I'll say that I fought to avoid having our group referred to as the physical protection group, because I think that safeguards has to include more than physical protection. It could be that, in the next 10 years, cyber-security may be more important than physical security. Okay. I think we're near the end, in any case, with the exception of time for some questions. In May of 2001, according to SRM that's been generated -- and this now, I think, is a couple SRMs ago -- I can't keep track of which one told us to do which, but by May of 2001 -- DR. SEALE: There's a snowstorm over there. MR. ROSANO: Probably is. May of 2001, the draft or the proposed rule is expected to be ready for publication, and by November 2002, we intend to have the final rule in place. Now, one thing I will say that refers back and that is that the licensee -- this interim program includes a triennial cycle of exercises, and the expectation was based on it taking about three years for us to write the rule from beginning to end, and so, the licensees will actually be running drills on a fairly continuous flow during this period that we're writing the rule so that, by November 2002, we would expect to have had a significant percentage of licensees who have already run through their drills. And that completes my presentation. Any questions? CHAIRMAN POWERS: I think we can thank the gentleman for that presentation. DR. KRESS: I think we have comments from Mr. Lyman. 
This might be a good time for him. CHAIRMAN POWERS: Yes. DR. KRESS: Thank you, guys. That was very, very interesting. CHAIRMAN POWERS: Mr. Lyman, I have enjoyed your presentations in the past on MOX fuel, and I hope you're as informative in this area as you were in that area. MR. LYMAN: I'll try to be. I do appreciate the opportunity to make a few comments here. My presentation, which you should have gotten a copy of, is based on one which I gave at the RIC a few weeks ago, and I am grateful to Mr. Rosano for inviting me to speak at that conference, since I think we're probably regarded as a pain in the neck. DR. APOSTOLAKIS: Could you tell us who you are please? Not all of us know you. MR. LYMAN: My name is Edwin Lyman. I'm a physicist with the Nuclear Control Institute, which is a nonprofit research organization which focuses on nuclear non-proliferation issues and also issues of nuclear terrorism, which carry us over into nuclear sabotage, as well, and radiological sabotage. We are a public interest group, one of the few who have been trying to track NRC's developments in this area, and I think our perspective on the history of this program and how we've gotten here today is somewhat different from Mr. Rosano's, so I'd like to at least present some of the background as we see it, where the issues and the differences with the industry's position and ours are, and just comment on the future. I'll refer most of the details to the document I distributed. First of all, as a public interest organization, we are concerned with the public confidence aspects of NRC's programs. In fact, we see ourselves wanting to have confidence in NRC's programs, and therefore, what we see forms the basis for our ability to have confidence. In the issue of physical security and physical protection, I think it's especially crucial that the appearance of a robust system is maintained, because the public has less access. 
Even compared to safety issues, a lot of what goes on in the physical security arena is within a black box. So, we have to accept the assurances of NRC that they know what they're doing, that they can assess the threat accurately, and that the regulations they impose are appropriate for ensuring that the appropriate response to that threat is guaranteed, and we have to take their words for it in a lot of aspects, and appearance is, in the physical security, physical protection arena, reality to some extent, since the appearance of making nuclear plants look like hard targets is a big part of actually deterring a terrorist threat. Now, the background to the -- where we are in the OSRE program is that, back in the summer of 1998, it was terminated by staff without consulting the Commission. This was following a rather undistinguished performance by the utilities, by the licensees in the OSRE program, in which case almost half of them failed the OSRE in that they were unable to prevent an entire target set from being taken out, and according to OSRE, the OSRE logic, that would lead to significant core damage. So, in almost half the plants, the mock terrorists were able to achieve significant core damage. Needless to say, this was not regarded as -- this is regarded as embarrassing by some of the licensees, and they were not happy about having to continue to comply with this program. In fact, the measures that they took greatly exceeded what they committed to in the security plans in some aspects, and in particular, an average of 80 percent of -- they employed more than 80 percent, on average, of security guards for the OSRE program, in excess of what they committed to in the security plans, and yet they still had this rather poor response. 
So, in our view, OSRE did what it set out to do, and it was, in fact, the very model of a performance-based program that NRC wants -- is looking to adopt more broadly in that there were a set of prescriptive regulations which were 10 CFR 73.55(b) through (h) giving very detailed instructions on what the licensees had to do, and the fact is that, even if they were in compliance with those, they still were not able to respond to the performance assessment appropriately, so it revealed there were weaknesses in the prescriptions that needed to be corrected. So, after the cancellation of OSRE, there was leaks to the press, there were different professional opinions on this, and it led to a rather embarrassing situation where the White House itself had to call Chairman Jackson at the time and ask her to reinstate the program, because major policy speeches had just been given recognizing the increased risk of terrorism and increased response by the Government. So, NRC seemed to be out of step at that point. DR. KRESS: Do you have any idea of why it was canceled, the program, in the first place? MR. LYMAN: Well, there's no hard evidence there. Chairman Jackson responded to Representative Markey by saying that there had been complaints on an informal basis by the industry about this program, it was too expensive. They really objected to the expense of having to assemble the additional guards necessary, and it really was a burden to them. At the same time, I think NRC staff will say they were looking at revising the program from the beginning and this cancellation was simply a way to transition toward a new program, but it certainly was so abrupt that there didn't seem to be any kind of transition, and so, the cycle was not complete at the time that it was canceled. So, I can only speculate, but it appears, certainly, that after the performance record of the licensees at that point, they were anxious not to continue what seemed to be an embarrassment. 
So, going from that point on, the OSRE program was reinstated, but at the same time, there was an effort to rewrite the whole rule, as Mr. Rosano has discussed. The original intent -- well, there was another point about canceling the program, was that it was unclear whether there was legal authority for this. Were the licensees required to endure these exercises to demonstrate they could deter the design basis threat against radiological sabotage, and our legal counsel believes there was authority, but it was decided that that really should be formalized by a new regulation. So, originally, I think the intent was simply to augment the authority in the rule to include an OSRE-like exercise as a requirement of the licensees, yet I believe the Nuclear Energy Institute wrote a letter saying it's time to open up the whole rule, we want to look at everything, and that was consented to, and we have concerns about that, that at least what comes out of this process should be at least as robust as what has happened in the past, because we don't think -- in contrast to maybe other performance measures of the licensees over the years in safety, which has led to the new oversight program, where there's confidence that, well, they're doing better in these areas, so we can give them more responsibility for their own oversight in some areas, this is not one arena where the performance has been that good, and I would not -- and they haven't earned the right to self-assessment, in our view. I'd just like to, as a way of background, describe some of the core issues that emerged at first. NEI proposed and the staff was willing to accept, it seems, changing the definition of radiological sabotage at the beginning, so that instead of significant core damage as the standard for OSRE, it would be a weaker condition that a Part 100 release would not have to be -- you would have to keep below a Part 100 release. 
So, the effect of this would be where if a successful -- or a failure of the OSRE program would occur if the entire target set was taken out and significant core damage would result. If you went to a Part 100 release, that would mean you would accept significant core damage. I'd remind you Part 100 is the type of release consistent with, I believe, the substantial meltdown of the fuel. So, what the NEI proposal was really saying is we would accept enough damage to the plant that we could go to substantial meltdown of the fuel, but given that our containment, our emergency planning, and our engineered safeguards are designed to keep below Part 100 releases, then we can't afford to have greater damage and still satisfy protection of the public from a radiological release. Now, we found that approach somewhat extreme and wholly unreasonable, and from a public confidence standpoint, it just showed to us how out of touch we thought NEI was with the public, because we don't think the public would accept if a terrorist attack occurred at a nuclear plant, that terrorists were actually able to bring explosives into the plant, blow up safety equipment, blow up the -- or violate the reactor coolant system boundary, and yet, because the operators were able to stop this from becoming a holocaust, a Chernobyl, that that would be an acceptable and, in fact, not even -- that would be an acceptable outcome of their physical protection strategy. Just looking at what happened with the Indian Point 2 accident where there was no measurable radiological release, you looked at the public response to that, you just see that that is really extreme. I think the public believes and should believe that the physical protection at nuclear plants can prevent damage, any kind of damage, from being done to the plant, whether or not it's a critical safety system. 
So, we think going to a Part 100 was a mistake, and to NRC's credit, they arranged their SECY paper and their own recommendation to be based on performance criteria. This is closer to the way the original OSRE was structured. In other words, you want to make sure that you have enough equipment in place so that you can bring the plant to safe shutdown and you maintain core cooling, though they were willing to go beyond that point and say that that was acceptable. However, at the same time, there are some aspects of the plan going forward that we are concerned about. This session started with the question about risk-informing this process. We don't think that it's necessarily a wise thing to risk-inform security, to try to link security so closely with safety issues when, in our view, they are really different animals, and that's because, when you're dealing with an intelligent adversary, what they are capable of doing is completely different from a dumb equipment failure. You know, if you have one spontaneous equipment failure, you can figure out what the probability of that is going to be. If you have two spontaneous failures, that's generally more unlikely, unless it's a common mode failure. But if you have an intelligent adversary who might be an insider, who might have access to everything you know, to your severe accident management guidelines, to your emergency planning, they know what you're going to do, and it will be a chess game. There is no way to estimate the probability of the capability of that insider to bring this plant to a meltdown. So, we don't think that it's really necessarily a wise idea to risk-inform this process in the same way. 
We're all in favor of using better knowledge of what the critical safety systems are, what the weak points of nuclear plants are in designing a protective strategy, but in our view, that is not going to lead to a -- that wouldn't lead to a relaxation of what you can protect, and I think it's pretty well known what you have to protect. Now, the other aspect of this which is related and came up is the increased reliance on operator actions in assessing the consequences of an attack. We do not think that it's wise to go to increased reliance on operator actions in this way, especially if an entire target set is taken out. If you look at the latest draft of the industry's self-assessment program, which has turned from SAP, which it was a few weeks ago, now to SPA -- it doesn't seem to be a self-assessment program anymore, but their own plan -- they were still, as a few weeks ago, saying that even if an entire target set is taken out, we still want to have the opportunity to be given credit for preventing significant core damage if we can show their operators would be able to intervene that way, and our response to that is, if you're willing to give operators credit for those types of actions, that has to be demonstrated, that capability has to be demonstrated either on a simulator or through a human reliability assessment. There has to be some way. You can't just take their word for it. DR. KRESS: Let me ask you about that. It seems to me like that's analogous to what we call severe accident management, where the operator has severe accident management guidelines to do whatever he can with the existing systems, given what he knows about how the accident is progressing, to try to stop it, and I think that's a good idea. Even in the case of a sabotage effect, it would be nice for somebody to have pre-thought out what the operator might be able to do, with whatever parts of the system that he still has control of and is functional, to be able to stop it. 
So, to me, it's thinking out the process and putting down ahead of time what he might be able to do, which seems like a good idea, whether you take credit for that or not. MR. LYMAN: No, I absolutely agree with that, and I have no complaint about thinking these things through more carefully, but in my view, when you are evaluating an exercise, that that should go into the margin and shouldn't be given credit -- DR. KRESS: Shouldn't be part of the performance evaluation. MR. LYMAN: Right, unless they can demonstrate it, because I mean if you have -- God knows what kind of complicated event you have and you don't know if the adversary, like I said before, an active insider has -- as someone mentioned before -- has interfered with the electronics, with the instrumentation systems -- maybe they've thought out everything that you would do. I mean they have these plans, and they say, you know, if you want to -- if you're going to scram the plant or you're going to de-pressurize the coolant system or whatever, that I'll be one step ahead of you, and so, unless you can really assess that appropriately, then you shouldn't be given credit for it unless the operators can be demonstrated, if they're given all these -- you know, the variety of scenarios, and I just think this would greatly complicate the evaluation, because if you tried to think through all the possible scenarios that an insider could create to confuse, I think that would increase the licensee burden. I don't know why they would want to do that kind of exercise. I think it's just easier for them to show they can keep saboteurs from bringing explosives to a vital area. So, you know, if they want to go through that exercise, I just say they have to demonstrate it credibly or they shouldn't get credit. 
In the existing OSREs, for instance, if a security guard has some sort of fantastic shot, if their success depends on what might be viewed -- you know, a shot that requires considerable skill, they're taken out to the firing range and asked to demonstrate -- I understand a recent one, that they tried to take credit for a shot that couldn't be demonstrated. I'm just saying that has to be -- that should be done the same way. You want credit for it, you demonstrate it, and that's why I would urge you to try to recommend that some sort of robust means for demonstrating that is implemented. I think that point's been driven home. The last aspect now, the design basis threat -- we have a few concerns with what's been going on in that area. One is that the adversary characteristics document, which is just released -- in our view, at least -- the public can't see that, because we're not cleared for safeguards information, but it's our belief that this is based on the best intelligence judgement, information judgement to date, and I was under the impression that that document would not be sent to industry for comment. In fact, a few months ago, Mr. Rosano made the statement that it was a finished document. When NEI wanted to see it and comment on it, they were told at that time that it's not for comment, which seems reasonable to me, because I don't think they have the capability for any type of independent intelligence assessment of what's a reasonable threat, but I understand that the document was sent out, was offered to cleared NEI personnel for review, especially for its impact on operational and financial aspects of the plant's operation, and that troubles me, because I don't know what that feedback is actually going to do to the document itself. The other aspect of this I'm concerned about is the lack of a mechanism for testing at one point against the entire design basis threat. 
The design basis threat is a set of different capabilities in the industry's latest plan for their program. They do not say at any point that they are going to run an exercise with the entire capability of the design basis threat at once. What they say is we might run different pieces, test different aspects of the threat, then put it all together, but that, to me, is not credible. If you have a design basis threat, then there should be at least one evaluated exercise where the entire capability is active at once, and that includes the possibility of an active insider, which I believe you asked before if insiders were evaluated in the past or were present in the past, and only passive insiders who could give information but do not actually take part in the attack and didn't engage in any of these other activities of trying to interfere with systems, and so, clearly, an active insider is a component which really should be brought to bear, and especially the impact of an active insider on the operators if they attempt to intervene, clearly that could be neutralized. So, another aspect of the -- of trying to bring in operator actions is you have to consider malevolent operator actions, as well, or the ability to neutralize operators, and that would increase the range of possible targets, I think. CHAIRMAN POWERS: Let me ask a little question about that. Suppose I did have an operator that was in cahoots with an outside force, attempting to do something. Wouldn't, in fact, any activity that he undertook be promptly detected by the rest of the operational staff? MR. LYMAN: That's certainly a possibility, but you know -- CHAIRMAN POWERS: Under active supervision. MR. LYMAN: Yes. 
Certainly, there are mechanisms that -- of course, that are designed to prevent -- for it to be able to detect that, but I couldn't say that, in every instance, that would be detected, or if an operator that was fully aware or placed highly enough, you know, in the security organization of the plant couldn't bypass these. I mean it depends on your assumptions, and that's something which is still not known to the public. I don't know what's assumed about the capability of operators, but the possibility has been raised about someone who prepares for this incident by walking through the plant, making small changes that might remain undetected but cumulatively would have a big effect when the actual attack occurred. So, I'm sure you could dream up scenarios. The question is how do you judge which are credible and which aren't? I don't think there's a way to put a numerical value on them. Finally, on the -- what was called the self-assessment program and is now something else, the -- there have been concerns that, like I said before, the industry hasn't really earned the right to have greater oversight in this area, yet that's what they're asking, and that's why the initial phrasing was self-assessment program. This is one big difference between OSRE and what they're contemplating, is that there would be potentially less oversight in certain arenas, and this is what we are not happy about seeing. We think whatever comes in the future has to have something as stringent as OSRE. If they are more frequent, that's all to the good, but they have to have the ground rules that are at least as stringent, because there's no evidence that they should be relaxed at this point, until the industry can demonstrate repeatedly they've corrected the vulnerabilities that have been shown in the past. So, with that, I'd conclude. Thank you. DR. KRESS: Well, you've certainly given us some good food for thought, and we appreciate you coming by. I might ask if anyone has any questions of Mr. 
Lyman. DR. BONACA: You had some comments in your paper on the process. You did not elaborate on that. MR. LYMAN: Well, this is difficult for someone from the public to actually say, but having sat in on the series of meetings since the beginning of this year, which are -- is part of what you might call interactive rulemaking. I would have to say that, because of the lack of resources of public organizations like ourselves, we can't participate on the same level as the industry can, and what I've seen in these meetings is almost like a contract negotiation, where the industry is writing its own documents, NRC has commented line by line, and the industry has quarreled with almost every change. Some of them they take, some of them they take back for consultation, they bring the document back the next time and it hasn't been changed, and it hasn't -- it doesn't seem to be the best or the most efficient way, first of all, since there was a debate for several months about radiological sabotage and the same arguments kept coming back to the fore. Because of this inequity, I would almost say that, unless the public can marshal the same resource to participate as equal players in this, that it might be worth putting more distance, again, between those writing the rule and those commenting on the rule, and of course, I would prefer more public access, more public resources, but in the absence of that, which doesn't seem very realistic, I don't know, I think it's a problem which has to be looked at. Other aspects like 10 CFR 70, which is also this interactive rulemaking -- we haven't been able to participate at all in that, and yet, I understand there's significant industry participation in the rule writing. DR. KRESS: That's a very interesting comment. I understand that NEI would like to make a comment. Thank you, Mr. Lyman. We appreciate you coming by and giving us your views. MR. DAVIS: Good afternoon. I'm Jim Davis from Nuclear Energy Institute. 
I've been working security there for about six years. I noticed the NRC staff provided you three slides. I handed you 13. Don't worry, I'm not going to go through every one of the slides, but I thought I'd provide some of the information as background material, and let me refer just to a few of those. What's OSRE? I mean it seems like that's sort of a magical word. Perhaps a way to look at it is similar to some of the other baseline inspection programs we've seen in the past, and as you approach the end of that baseline program, you say what have you learned and what should we do in the future, and I think both the NRC and the industry are at that point right now. Last week, we completed the last inspection -- the last of the first series of inspections. Every facility has now had an OSRE. So, you sort of finish the baseline and you say what do we do next, and I think you actually will find that, in the last couple of years, NRC staff has done a significant amount of work to try to figure out where they want to go in the future and what's the optimum way to capitalize on the lessons learned in the OSRE. Let me emphasize that an OSRE is basically a facility-run exercise observed by the Nuclear Regulatory Commission staff. The adversary is provided by the facility. The training of the adversary is provided by the facility. So, a preponderance of this is a facility-run exercise that's observed and critiqued and evaluated by the staff. We had a whole list of SECYs earlier, but one of those SECYs, 99-024, very early in the process -- and this was the Safeguards Performance Assessment Task Force that did really a holistic look at the process -- is saying we think that there's more opportunity to integrate the licensee into this process and get the industry more involved and more responsible for the set-up, run, and doing these things. Remember, an OSRE is an eight-year cycle. Once every eight years you were getting an OSRE. 
Out of that process and in discussion with the staff, the staff came up with what was referred to earlier as the exercise rule, and look at these elements. Licensee develop target sets, licensee develops areas, licensee conducts drills and exercises, licensee evaluate, licensee correct the deficiencies. It looks like a lot of licensee words. Keep that in mind. We looked at that and said we've learned something from the OSRE process, too, and what we've learned, what the industry has learned, is if you take a deterministic rule and try to do performance-based evaluations against that rule, you're in big trouble. That has been our most significant issue, and in the discussions over the last year, we have said it is absolutely essential, if you are going to hold the industry responsible for performance instead of compliance with (b) through (h) in the rule, you want us to perform at a certain level, we must understand what the underlying criteria are for that performance. We've got to design to those criteria, we've got to evaluate to those criteria, and we'd appreciate it if somebody would provide oversight to those same criteria. We felt it was absolutely essential that, to achieve this performance base, that the holistic look needed to be taken at the rule, and Mr. Lyman is absolutely right, on August 31st we sent a letter to the Chairman of the Commission saying the industry feels we need to completely rewrite the rule, and that's going to take three years, and we agree that we need to go on, and that's when we made the proposal that we would take the concepts and precepts that had already been developed and discussed with the NRC Commission and we would try to put them into an interim program as we move forward. 
But the biggest thing is assessment against what, and I think when you kick us out of here, you're going to discuss one of those activities, is what is the adversary that we are working against, because we need to understand that in detail just as much as anybody else, because it's a fundamental of the design of our program. But let me tell you what this core program contains. It's procedures for developing target sets. Go back to the first slide. What did it say? You wanted us to develop target sets, procedures for developing scenarios, a three-year cycle of drills and exercises, not an eight-year cycle, a three-year cycle, something that the licensee is responsible for. The drills are evaluated. Deficiencies are handled within the training and corrective action program, and at least once every three years, an evaluated exercise, a holistic look at the program that demonstrates the six key elements of the program, and those are the same key elements that the staff has been talking about for many years as they go through the discussion of what they consider important in the OSRE process and they try to train the -- and help people get a performance-based view of what they're going and the expectation that the NRC staff would be observing those -- and critiquing those particular exercises. So, I guess what I wanted to just bring to the table today was that, one, the industry feels that it's time to rewrite the security regulation to take advantage of the performance insights that we have all gained from the OSRE process. 
We agree that a compliance-based rule is not the most effective way to maintain security in the current environment that we have today and that the program we are proposing, in fact, is exactly what the staff wants to put forward in the rule, and we think that there is an excellent opportunity to test these concepts over the next several years as the rulemaking process moves forward, so that at the end we put in the rule some words that in fact will work within the program, and I think you all are aware of several rulemaking efforts where we've had to come back and change a rule because, in fact, when you started writing the implementation guidance after the rule was done, you found out it didn't work quite the way you wanted it. So, we're enthusiastic about this process, and we think it's going to be a good effort. DR. KRESS: What is the problem with you guys, the licensee, knowing what the design basis threat is? Is that a security issue or what? MR. DAVIS: No, sir. The design basis threat or the characteristic -- the detailed characteristics -- DR. KRESS: Detailed characteristics. MR. DAVIS: -- are classified safeguards, and the security manager at every facility is cleared for safeguards information. Clearly, the security manager has to know what he's working against. DR. KRESS: Is there a reluctance to let you guys know what you're having to guard against? Is there some reluctance? MR. DAVIS: I don't fully understand the history and what's gone on in many years. The problem I think we've faced is we started out with a deterministic rule. When you tell me I have to build an eight-foot fence and have to have .2 foot candles of light, I don't need to know much more than that. 
So, nobody went through the exercise of clearly defining what radiological sabotage meant, how Part 100 was applied, which is a siting criteria, how it applied and how we cross-connected it across the entire plant, but when we get into the performance base, those issues become important to us, and as we get to the end of the process and we look back and say, gee, part of the problem we've had is we have not understood in the field the performance criteria that we'd expected at the same level that some on the staff or in other areas had. Therefore, we need to -- you know, let's look forward. I don't know history, but looking forward, we need to clearly understand what the adversary is and what the performance expectations are. With those, then we can ensure that our program is adequately designed, and this is not -- don't come once every eight years and say here is the criteria I am using to evaluate your performance, give them to us up front, we'll design our system, and you can look over our shoulders periodically and make sure we're performing to that criteria, and although -- and I don't have -- I guess I've got to do a better job of selling that, because to me, that seems like, you know, an order of magnitude improvement on what we've been doing in the past. This is not the industry trying to do away with security regulations. We're not asking to do away with the guard forces and that kind of -- we're asking for -- to actually move, really move into the performance-based approach to evaluating the effectiveness of security that's at the plants. MR. SIEBER: Are you trying to save money? MR. DAVIS: I didn't say that. MR. SIEBER: All right. I withdraw my question. MR. DAVIS: Well, let me answer your question. The problem that we face is we have some performance -- some deterministic requirements that are levied on the plants today that, in fact, contribute absolutely nothing to the overall public health and safety. 
At the time they were put in place, they probably looked like good requirements, but they are sitting there as requirements. So, we, in fact, sometimes have people doing things that we look at now do not contribute to the overall capability to counter a terrorist attack or prevent a terrorist attack. By making some of those deterministic things go away, focusing on the performance aspect within the same resources, we, in fact, provide a higher level of assurance that our security organization is going to perform its task. So, it's a shift in the focus of resources, is what you're really looking for. MR. SIEBER: I don't know if I'm allowed to ask this question, but could you give me some examples of things that you think are deterministic that don't contribute to the overall mission? MR. DAVIS: Well, one good example is the original rule you have a requirement to have .2 foot candles of light in the perimeter zone. At the time that that was put in effect and the electronic surveillance systems that were available, that was probably not a bad requirement for lighting. As we look forward with the improvements in electronics, you probably don't need that high an intensity in lighting in all areas to provide adequate surveillance. What's the performance criteria? The performance criteria is it is able to monitor, observe, and determine what is moving in that particular area, not that you have a certain fundamental lighting requirement. So, there's one example. MR. SIEBER: It actually goes -- it's not only what is moving, but it could be something that isn't moving but doesn't belong there. MR. DAVIS: Yes, sir. I mean a variety of things. MR. SIEBER: And so, you would give your response officers and your watchmen these surveillance devices in lieu of keeping light-bulbs lit? MR. DAVIS: I think what you will find is the lighting requirement would be commensurate with the surveillance equipment that you're using in that particular case. MR. 
SIEBER: So, it would be one or the other. MR. DAVIS: Defining lighting in this area and defining the electronic equipment standards you use in another area. The issue is can you observe and categorize what's going on in that particular -- I mean that's one example. MR. SIEBER: Do you have any others, or is that the most prominent? MR. DAVIS: That's just one example. There are lots of others. They all run in the same arena. I hate to get into details, because you end up spending five or six minutes trying to explain the entire background so that the thing is -- the relevance of the issue is a little bit -- it takes some technical detail to understand why something is or isn't important. I guess which brings me to one more thought, if I can inject this. I would like to make sure you understand that we have professionals in the industry that are managing security. These are security professionals. I am not a security professional. They know what they're doing, and they came from the same background as all the contractors and everybody else that we've been talking about. The industry does have the knowledge and does have the capability to set up realistic and challenging exercises, and whenever the question came up, we do have our own contractors that we use in this business to help us get an independent look. DR. WALLIS: Mr. Lyman spoke of a situation where you might find yourself in a sort of chess game with some intelligent intruder. I just wonder how you figure out that you're going to win that chess game. I'm not sure that regulations help you very much in that sort of adversarial confrontation. MR. DAVIS: Developing defensive strategies requires a lot of work. 
Table-top exercise, as mentioned earlier, is one of the techniques you use, and you pick a variety of scenarios and you start playing the what-if game -- if, what if; if, I will -- and you run through those various scenarios and you develop your defensive strategies for the broad case lot of what you're doing. You work in adversary characteristics against your target sets, and you run in your various scenarios, where your responders go in those various cases, what advantage you might or might not have in a particular situation, where your vulnerabilities are, and then changing your procedures to fix those cases. So, basically running those kind of what-if cases is a significant part of the development of the security plan and the contingency response plan for a particular facility. The drills and exercises is one of the tools you use to validate the plan in that you run -- DR. WALLIS: I was more concerned with the intelligent adversary game, that usually security personnel are not chosen for superior intelligence. You don't want them to have to make lots of decisions based on chess-game-type things. You want them to react exactly as trained, and I wonder how you anticipate, then, the chess-game-type adversary. MR. DAVIS: Management is making these decisions. I guess I can't accept the statement that our security personnel are not very highly trained or skilled at what they do. DR. WALLIS: No, they are. They are very well trained and skilled, but it's not in the chess-game type of adversarial setup. MR. SIEBER: Maybe I could address that a little bit. I think in any job classification, you have a range of people from watchmen all the way up to your response people plus your management, but security in a power plant, having worked in one for many years, is a team between management, security, and operations, and so, you can't look at it just as the uniformed security force, you have to look at it as a broader team. MR. DAVIS: I agree, it's a total team concept. DR. 
KRESS: One more question, then we're going to have to move on. DR. BONACA: I thought I understand -- I mean Mr. Lyman said that there was a significant failure rate of the OSRE exercises. If I understand what you said, it's that you trace back that one to the fact that there are deterministic criteria at the plants and the criteria used by the NRC to evaluate performance by the staff are not clear to the staff. MR. DAVIS: The performance criteria, in some cases, has not been adequately defined. I think Mr. Lyman likes to make a statement that half the people fail, but unfortunately, I think, if you go back and look at the situation, you'll find that there are very few cases where a finding, an actual violation of regulations was issued as a result of an OSRE inspection, and you have the difficulty of taking an opportunity to find a weakness in your program where you can take some other actions to improve the strength of it and you turn that into a -- into, gee, it must be a failure instead of here is a way of doing business that will improve you, and that's where I'd like to sort of compare this to some of the other inspections. Very frequently you find you're in compliance with regulations, but in fact, there are other ways and other things you can do that still comply with regulations but improve the performance and reduce the risk of the system. DR. BONACA: You said going to performance-based exercises, then that would result in some other issues with OSRE. That's why I was trying to understand where you saw these performance-based, you know, exercises being a resolution of the issues. MR. DAVIS: I think the underlying issue is OSRE, in trying to look at performance, has shown that using a deterministic rule approach does not give you a program that clearly identifies and overcomes all the potential vulnerabilities. I thank you very much for your time. DR. KRESS: Thank you. 
I guess that now is the time that we're going to -- we can go off the transcripts, because we're going to go into the closed portion of the meeting. [Whereupon, at 2:08 p.m., the meeting continued in executive session.]
Page Last Reviewed/Updated Tuesday, July 12, 2016