472nd Advisory Committee on Reactor Safeguards - May 12, 2000

                       UNITED STATES OF AMERICA
                              U.S. NRC
                              Two White Flint North, Room T2-B3
                              11545 Rockville Pike
                              Rockville, MD
                              Friday, May 12, 2000
               The committee met, pursuant to notice, at 8:30
          DANA A. POWERS, Chairman
          GEORGE APOSTOLAKIS, Vice-Chairman
          JOHN J. BARTON, Member
          MARIO V. BONACA, Member
          THOMAS S. KRESS, Member
          ROBERT L. SEALE, Member
          WILLIAM J. SHACK, Member
          JOHN D. SIEBER, Member
          ROBERT E. UHRIG, Member
          GRAHAM B. WALLIS, Member.                            C O N T E N T S
     ATTACHMENT                                              PAGE
     INTRODUCTORY STATEMENT                                   269
     OVERVIEW                                                 414
     SELF-ASSESSMENT PROGRAM                                  442
     .                         P R O C E E D I N G S
                                               [8:30 a.m.]
               CHAIRMAN POWERS:  The meeting will now come to
     order.  This is the second day of the 472nd meeting of the
     Advisory Committee on Reactor Safeguards.
               During today's meeting, the committee will
     consider SECY 0000-62, risk-informed regulation
     implementation plan.
               An operating event at E.I. Hatch Nuclear Power
     Plant Unit 1 is particularly interesting to us because I
     believe Hatch will be the next plant coming in for license
     renewal.  Reconciliation of ACRS comments and
     recommendations, physical security requirements for power
     reactors, future ACRS activities, report of the Planning and
     Procedures Subcommittee, and we will examine some proposed
     ACRS reports.
               A portion of the session associated with physical
     security requirements for power reactors will be closed
     today to discuss safeguards information.  There will be some
     special procedures we will have to follow for that process.
               The meeting is being conducted in accordance with
     the provisions of the Federal Advisory Committee Act.  Mr.
     Sam Duraiswamy is the Designated Federal Official for the
     initial portion of the meeting.  We have received written
     comments and requests for time to make oral statements from
     Mr. Edwin Lyman, of the Nuclear Control Institute, regarding
     physical security requirements for power reactors.  
               A transcript of portions of the meeting is being
     kept and it is requested that speakers use one of the
     microphones, identify themselves, and speak with sufficient
     clarity and volume so they can be readily heard.
               As an item of interest, it is my understanding
     that Mr. Bohnert is now doing fine, for the members that
     might be interested.  
               With that, I will ask if any of the members have
     comments that they would like to make as an opening
     statement.  Seeing no pressure to do so, I will turn to the
     first item of our business, which is the risk-informed
     regulation implementation plan.  I believe this is a name
     change for something we used to call the PRA implementation
               Professor Apostolakis, I believe you are going to
     lead us through this.
               DR. APOSTOLAKIS:  Thank you, Mr. Chairman.  The
     staff is here, Mr. King and Mr. Cunningham, to talk about
     the comprehensive strategy, that includes the objectives,
     goals and timeframe for the transition to risk-informed
               With that, we are very anxious to hear your story. 
     Mr. King?
               MR. KING:  Though his name is not on the
     viewgraphs, we invited Mr. Holahan to join us, as well.
               DR. APOSTOLAKIS:  As long as he identifies
               MR. KING:  For the record, my name is Tom King,
     from the Office of Research.  This is Mark Cunningham, the
     PRA Branch Chief from Research, and Gary Holahan, Division
     Director from NRR.
               What we want to talk about today is sort of an
     information briefing.  We're not asking for a letter from
     the committee on this.  What we're talking about is a
     program that's work in progress right now.
               As you mentioned, this used to be called the PRA
     implementation plan, and I'll get into that a little further
     as to why we've changed the name and what the objectives and
     so forth of this document are.
               Even though there's only three of us at the table,
     this does involve all the major offices, Research, NMSS,
     NRR, and will also involve the folks in Admin, the training
     people.  We will involve their help in putting together a
     communications plan and I think certainly the international
     activities of the agency, there's a lot of international
     interest in risk-informed regulation, so this plan will also
     be of interest to them. 
               So there's more than just the three of us sitting
     up here.
               CHAIRMAN POWERS:  Let me ask you, do the senior
     reactor analysts in the regions get involved in this
     planning activity?
               MR. KING:  Say that again.
               CHAIRMAN POWERS:  Do the senior reactor analysts
     in the regions get involved in this planning activity?
               MR. KING:  So far, they have not gotten involved
     in this planning activity.  I think somehow we're going to
     have to get them involved.
               CHAIRMAN POWERS:  They seem like a very central
     component in all of this, especially with the new oversight
               MR. KING:  They've certainly been involved in the
     new oversight process and the training and communications
     that go along with that.  In terms of the option two and
     option three work, they have not been involved in the option
     three work.  I'll let Ed talk about the option two work.
               MR. BARRETT:  I don't know that we've had them
     involved at this level of planning, but we do have regular
     counterpart meetings with the SRAs to discuss issues related
     to the -- mostly to the oversight process and to the process
     for risk evaluation of events.  
               We have twice-yearly counterpart meetings with
     them and, of course, we have regular communications on a
     day-to-day basis on specifics.
               MR. KING:  I think that's a good point.  It
     probably would be worthwhile specifically getting their
     feedback and input on this.
               DR. APOSTOLAKIS:  Why don't you call these
     risk-informed, performance-based regulation implementation
     plans?  Why do you leave out performance-based?  I mean, the
     oversight process does utilize performance-based metrics.
               MR. KING:  And there is a performance component. 
     One of our five principals is performance monitoring. 
     Basically, we left it out because even though, in
     risk-informed regulation, we're going to look, if we make a
     change to a regulation or requirement, we're going to look
     and see if we can do that in a performance-based fashion.
               There is another activity taking a look at other
     things that are not risk-informed to see if they can be made
     performance-based.  So we didn't want to imply that this
     plan included the other plan that's underway, as well.
               DR. APOSTOLAKIS:  So it's a bigger issue then.
               MR. KING:  It's a bigger issue than just
     risk-informed activities.  What we've worked out with the
     folks leading the other plan, the performance plan, is that
     if we're going in and looking at a regulation to be
     risk-informed, we will also look at the performance-based
     aspects of that, so they don't have to do that.  They're
     really going to focus on the things that aren't being
     touched as part of the risk-informed activities.
               DR. SEALE:  Is there the reciprocal of that
     agreement, that if the performance-based people find a
     potential indicator that might have risk implications, that
     you will somehow coordinate with them?
               MR. KING:  I think if they find something that
     they feel we should look at in a risk-informed fashion, yes,
     they will bring that to our attention.  
               Just as far as the organizational aspects of this
     plan, Research is the keeper of the plan, but we're
     certainly not the full author of the plan.  As I said, it's
     going to involve a number of offices.
               Just by way of a little background, as you
     mentioned, the PRA implementation plan has been around since
     1995.  It basically was organized by office and it listed
     the things the office, the various offices were doing in the
     risk-informed world.  It had been updated -- 
               CHAIRMAN POWERS:  Would you call that a plan or
     would you call that a listing of activities?
               MR. KING:  I call it a catalog.  
               CHAIRMAN POWERS:  That's what I would call it.  
               MR. KING:  Part of the problem was that you could
     look it and see what was being worked on today, but you
     couldn't tell where did you want to go in the future and how
     did these things cut across the offices and how are they
     being coordinated and integrated.  
               We had an audit from GAO on the risk-informed
     regulation last year.  They issued a report that basically
     said the agency doesn't have a strategy for where it wants
     to go on risk-informed regulation.  It has a lot of
     discussion, but where do they want to go.  So they suggested
     we develop what they called a strategy.
               The Chairman, Chairman Jackson, at the time,
     agreed to do that.  We provided the Commission an outline in
     January of this year.
               Then in SECY 0062, we provided to the Commission
     some example sections of what that document might look like
     in terms of its scope and depth, and we'll talk a little bit
     more about the scope and depth and content of this thing.
               We had a Commission briefing in March.  We got an
     SRM from the Commission in April that basically said give us
     a complete draft in October of this year.  That should
     include a communications plan, it should include
     identification of those important factors that affect
     planning.  We'll talk a little bit about that, also.  And it
     also asked a question on PRA quality, which we're going to
     have to respond to in June, sort of separate from the
     implementation plan.
               What are the objectives of this document?  We
     changed the name, for one thing, to get away from -- to
     really use the terms the agency is using, risk-informed
     regulation and call it what we intend it to be, an
     implementation plan.
               The idea is that it is going to provide an
     integrated plan for the agency's risk-informed activities
     and really if you start at the top -- actually, I think what
     I will do is put on slide four and talk about how this fits
     in the overall structure of what the agency has in terms of
               They've got the strategic plan, which is sort of
     the top level document, and if you look, it has basically
     four performance goals for each of the arenas; maintain
     safety, improve public confidence, reduce unnecessary
     burden, improve effectiveness and efficiency.
               If you look at those performance goals, they use
     the word risk or risk-informed in there, that you'll do
     things in a risk-informed fashion.  But beyond that, it
     doesn't get into any details as to what does that mean.
               At a high level, the intent of this risk-informed
     regulation implementation plan is to lay out what is the
     agency going to do to implement those high level goals and
     those high level statements in the agency's strategic plan. 
     It sort of is a link between the strategic plan and the
     detailed operating plans that each of the offices has that
     covers the major arenas that the agency works in.  
               It feeds into putting together the operating plans
     for each of the arenas, just like other things feed into it. 
     The risk-informed regulation implementation plan isn't the
     only thing that drives the work of this agency.  There are
     things called program assumptions, that includes things like
     how many plants do we expect to come in for license renewal
     and so forth.  
               So when we're planning and budgeting, there's a
     number of things that are considered, and the risk-informed
     regulation implementation plan will be one of those things
     that will provide information that's considered when the
     budgets and the detailed operating plans for each office are
     put together.
               DR. KRESS:  Tom, when this gets approved, say, by
     the Commission, would it, in effect, serve the same purpose
     as if you had a Commission policy statement on risk-informed
               MR. KING:  I know you have a letter to the
     Commission suggesting such a policy statement.  I don't
     know.  But the response to that letter would be -- I can
     give you my personal opinion.  I think this document could
     go a long way to doing what you recommended in your letter,
     if not totally.  That's my personal opinion.  
               Anyway, this is how we view this implementation
     plan fitting into the larger scheme of how the agency
     decides what it's going to do.  Getting back to slide three,
     really, at a high level, what this document will do is lay
     out a process and some guidelines as to how we should take a
     look at and decide what should be risk-informed, given that
     you want to go risk-inform certain whether it's regulations
     or activities that the agency does, what do you need to do
     to accomplish that, and then that will lead to what should
     be the priority in the schedule for accomplishing that.
               DR. WALLIS:  Tom, it seems there's something long
     before this, that is, why would you want to risk-inform
     anything and what criteria would you use in deciding.
               MR. KING:  Slide five, we're going to talk about
     the guidelines or criteria.
               DR. WALLIS:  There must be some sort of motivation
     that says risk-informing is being there in order to achieve
               MR. KING:  You should risk-inform an activity,
     basically, if it's going to help you accomplish your major
     agency performance goals.  It's going to lead to helping
     maintain safety or improve effectiveness or efficiency or
     reduce unnecessary burden, then it would be a candidate to
               DR. APOSTOLAKIS:  Actually, maintaining safety
     will not be a goal.  That's a boundary condition, really. 
     If you want to maintain the established goal, why move to
     something else.  It's just that the benefits are increasing
     effectiveness and location of resources, under the condition
     that safety will be maintained.
               That's the way I would look at it.  Not that it
     really matters much.  
               MR. KING:  I would disagree a little bit.  I think
     in the sense that risk-informed is going to make you focus
     on the things that are important, and maybe today's
     regulations don't really cover those things or some of those
     things very well, I think it does help you maintain safety.
               CHAIRMAN POWERS:  When I speak to older hands in
     the design of regulations, about risk-informed regulation,
     they say we always did risk-informed regulation.  We didn't
     create regulations for things that we didn't think were
               So I think there's a question here that comes up,
     and maybe it's in your second question up there, is how
     risk-informed is risk-informed.  I mean, is it intuition
     that this is a hazardous train or an important train to
     prevent hazard or is it detailed quantitative analysis that
     gives you a specific risk achievement worth or risk
     reduction worth?
               MR. KING:  It can be both.  It doesn't always to
     have a --
               CHAIRMAN POWERS:  I guess what I'm asking is does
     this plan line that out for these various activities, on how
     risk-informed you want to be in each one of these
               MR. KING:  The intent of this plan is to lay out
     what are the goals that you're trying to achieve in
     risk-informing an activity, what are the tools, the data
     that you need to do that, guideline documents.
               DR. WALLIS:  See, now you've changed the name. 
     When it was PRA implementation plan, the question was what
     can PRA tell us about what the regulations are doing now and
     how they might be improved.  Now you've changed the name and
     it's become more nebulous what you really mean by
               DR. APOSTOLAKIS:  I think the understanding is
     that when we say risk-informing something, we mean to use
     quantitative risk information.  
               DR. WALLIS:  That wasn't the implication of Dana's
     question, though.  It seemed to be that there is another
     kind of risk-informed, which is sort of semi-intuitive.
               DR. APOSTOLAKIS:  That's not what this plan is all
     about, in my view.  I mean, yes, the regulations have always
     been risk-informed, but that's not what most people
     understand by risk-informed.  
               Risk means, in this context, quantitative
     information coming out of performance assessments or
     probabilistic risk assessments.  Otherwise, I don't see how
     this is any different from what the agency has been doing
               Do you agree with this?
               MR. KING:  I agree with that.  I wouldn't exclude
     use of qualitative information.  
               DR. APOSTOLAKIS:  That's why it's informed.
               MR. KING:  But the heart of it is going to be
               DR. APOSTOLAKIS:  That's why it's informed.
               MR. KING:  Yes.
               DR. APOSTOLAKIS:  But the new thing now is this
     quantitative information, and quantitative, let's not take
     it too literally.  I mean, having the dominant accident
     sequences in itself might not be quantitative information,
     but it comes from quantifying frequencies and ranking
               PRA and PA, that's what we mean.  
               CHAIRMAN POWERS:  My concern is that's what we
     think they mean, but do they really mean that.
               DR. APOSTOLAKIS:  He agreed, Tom agreed.
               MR. KING:  I agree.  I agree.  
               DR. WALLIS:  So without use of a PRA, it's not
     risk-informed.  It's a sine qua non.
               DR. APOSTOLAKIS:  Yes, I would say that.
               DR. WALLIS:  It is not.
               DR. APOSTOLAKIS:  Now, PRA, you include the
     performance assessment, right?  PRA is interpreted in the
     broadest sense.  I mean, if it includes statistical
     calculations and so on, you don't necessarily have to see an
     event tree, for example, to call it a PRA.
               MR. KING:  I think the main thing that such a plan
     as this will do that the PRA implementation plan didn't do
     is it's going to provide a systematic structured look at
     where does the agency want to go in risk-informing its
     activities and how does it plan to get there, what does it
     need to get there, what are the priorities of getting there.
               DR. APOSTOLAKIS:  Tom, in my mind, the most useful
     result of this activity will be this plan, will be to
     prioritize which regulations to risk-inform first and to
     identify needs for doing so, the most important needs first.
               Is that the correct perception?
               MR. KING:  Yes, I think that's true.  
               DR. APOSTOLAKIS:  I mean, goals and objectives, I
     don't know, it creates a lot of paperwork.
               MR. KING:  I think it will also be a good
     communications vehicle, too.  We talk about risk-informed
     regulation, but we don't have anything that can hold up to
     external stakeholders or internal stakeholders that really
     ties it all together and says this is what we mean by
     risk-informed and this is what we're trying to do.
               We give presentations, talk about some specifics
     that are going on, but there's no document that ties it all
               DR. APOSTOLAKIS:  So communicating the agency's
     objectives and activities, you don't necessarily mean risk
               MR. KING:  No, no.  I'm talking about the
     programmatic type things.  
               DR. KRESS:  Do you have anybody from NMSS working
     with you on this?
               MR. KING:  Yes.  NMSS is going to have the lead
     for two of the major arena chapters on this.  We'll talk a
     little bit about them.  
               DR. APOSTOLAKIS:  Are they here?
               MR. KING:  There's one NMSS person back there in
     the back row who is involved.
               MR. HOLAHAN:  And Joe Murphy and I have been
     invited to be on the steering committee for NMSS' actions to
     risk-inform their various areas of responsibility.
               DR. WALLIS:  In this first question, what should
     be risk-informed, it seems to me you're implying that
     risk-informing means changing the regulations in some way,
     and it seems to me that the first thing that's got to be
     risk-informed is the agency and the public and look at what
     the regulations are now, use the insights of risk to figure
     out what kind of risk reduction they are achieving in terms
     of the measures, PRA or whatever you're going to use.  
               That's risk-informing your knowledge about what
     you're doing now, before you try to change anything.
               MR. KING:  I agree.  You start with what you have
               DR. WALLIS:  Right.  And this would also let you
     and the public know what's sort of the real value of what
     you've been doing over all these years.
               DR. KRESS:  The risk achievement worth of a
     regulation, that's going to be pretty tough.  
               DR. WALLIS:  Do that first, before you try to
     change anything, to know what you're doing now.
               DR. KRESS:  I'm not sure we know how to do that.
               MR. KING:  But in effect, for reactors, that's
     what option three is doing.  We're looking at 50.44, for
     example, and saying do the things that it requires really
     mean much in a risk assessment.  Hydrogen recombiners were
     coming out saying, yeah, they really don't mean much in the
     risk world.  Maybe we ought to think about changing the
     requirements on those things.
               MR. HOLAHAN:  And to a certain extent, the IPE
     program and IPEEE program did the same thing.  They took the
     reactors licensed with the existing rules and the existing
     processes and tested what level of risk was a result of that
               DR. KRESS:  You could get an overall integral, but
     to take one regulation and say, now, what's the risk
     achievement worth of this particular regulation is going to
     be a little tougher, I think.  You might be able to do it
     for some of them.  
               DR. APOSTOLAKIS:  Let's go back to slide four. 
     One issue that bothers me sometimes is that we are very
     willing to use risk information in certain instances, but we
     approach it in a very prescriptive way and we get lost in
     the details.  I would say that yesterday's discussion here
     on MISSED surveillances is one example of that.  
               Where in this framework will you attempt to look
     at the whole thing from a broader perspective and say, well,
     gee, there are certain things that traditionally we have
     been regulating to extreme detail, but now in the risk
     context, maybe we should relax a little bit and not worry
     about you missed one surveillance or about other things,
     that don't come to my mind now.  
               But in other words, we are preserving, it seems to
     me, the detailed, prescriptive regulatory approach from the
     old days.  We are simply changing the tools, but what is
     applying to these is the same thing.
               Now, I'm not saying that all missed surveillances
     don't count or are risk insignificant, but some are there
     and we have to change our views how we -- it's more than
     just having a new mathematical tool or some analytical
     methodology for doing something.
               On the other hand, I can see the counter-argument
     coming that what do you do, you just look at things that are
     important to core damage frequency?  Obviously not.  Do you
     look at things that are more important to the cornerstones? 
     Well, I don't know.  Maybe we start talking now.
               So is there an activity that would address this if
     it is an issue?  It's the cultural thing that we mention all
     the time, in other words.
               MR. KING:  I'm not sure this plan would get -- my
     intent is not to have it down to the detailed level that
     we're going to be looking at surveillance requirements or
     allowable outage time requirements.  
               I mean, I would view this at the level of we want
     to risk-inform the technical specifications and we'll have
     some key milestones and infrastructure needs to go do that.
               Now, the actual work as to which technical
     specifications, does it include surveillance requirements
     and so forth would be a level of detail that would be too
     much for this plan.  That would be something that would show
     up down in the detailed operating plans that each office has
     for doing their day-to-day work.  I'm not sure.
               MR. HOLAHAN:  I agree with Tom that when you pick
     out individual issues at that level, you might not find
     them, but those issues are related to programs and missed
     surveillances are part of the oversight process, plays into
     technical specifications, and we're working on those issues.
               There's an activity to risk-inform the technical
     specifications and there's a list of things that we are
     doing in that area.  I think this plan will put some of
     those things into context.  
               They won't go out and deal with a thousand
     individual issues, but where those issues are pieces of
     other programs, this plan will touch those programs.
               MR. BARRETT:  There was an interesting discussion
     yesterday.  I'm Richard Barrett, with the NRR staff.  An
     interesting discussion from NEI about the evolution of
     configuration control, starting back in the early days of
     the industry with custom tech specs, and the basic point
     that NEI was trying to make was that we're moving gradually
     to a point where there is a risk-informed way of controlling
     configuration, which will be some sort of combination of
     50.36, the technical specifications, and the A-4.
               I think that's the kind of thinking that you want
     to have in this plan, where are you heading, but not just
     jumping to where you're heading, what are the interim steps,
     and one of the interim steps in getting to what NEI sees as
     a risk-informed configuration control is these specific
     risk-informed technical specification initiatives, including
     the one regarding missed surveillances.
               DR. APOSTOLAKIS:  Jack?
               MR. SIEBER:  I was wondering if your plan
     considers what I think is one of the fundamental things that
     ought to happen first, which is there are a bunch of rules,
     different rules that have a risk basis to them.  For
     example, the PTS rule has a risk basis to that.  ATWS has
     one.  Station blackout has one, backfit rule, Reg Guide
               They're all different than the safety goal policy
     statement and they're different from each other.
               Is there going to be some attempt someplace along
     the line to consolidate the opinion of what is risky and
     what is not and modify those rules and set the basis for
     everything else that we do or are we just going to do this
     piecemeal, one at a time, pull out a criteria that seems
     fitting at the time?
               I'm not sure if I'm clear about my question.
               MR. KING:  I understand your question.  Are we
     providing some framework to provide some consistency as to
     what risk level we're trying to achieve by the regulations
     and what changes need to be made to do that?
               MR. SIEBER:  That states my question.
               MR. KING:  And I think my view, to answer that, is
     yes.  Certainly, in the option three work on the reactors,
     we've laid out a framework that provides some risk
     guidelines as to what we would like to see for mitigating
     systems, for containment and so forth, that we would go
     through and use when we look at the regulations to see are
     they achieving that or not.
               And maybe they're over-achieving it or maybe
     they're under-achieving it, but the idea is to bring them to
     some more uniform level than they are today.  In the NMSS
     side of the house, I don't think they're that far along yet,
     but my own personal view is, yes, that's the kind of thing
     that should be done, I think it is being done in the reactor
     side, and I think this plan could certainly lay out, at a
     high level, some guidelines as to that approach ought to be
     taken across the board whenever we're risk-informing
               MR. SIEBER:  It seems to me that in some cases,
     the risk value of some rules is such that it creates a
     penalty, a licensee, whereas some other ones may not be
     tough enough.
               I think that part of this process should be to
     sort of make a level playing field.  
               MR. KING:  I agree.  I think this plan could
     certainly, at some level, put forth guidelines to do that.  
               MR. HOLAHAN:  But I'd have to say that I think
     we're already doing some things to move in that direction. 
     When we look at recent initiatives, like the oversight
     process and Reg Guide 1.174 and what Research has put
     together, the framework for risk-informing the regulations,
     there's a lot of consistency now, but the further back in
     time that you go, the less consistency you see.
               We had a meeting, for example, last week on the
     PTS rule and there is an activity, in fact, to look at the
     PTS rule and one of the issues is was the PTS rule picked to
     achieve the right level of safety, is it too high or too
               I think what we're seeing is not a clean sweep and
     starting over again.  What we see is going to each rule and
     sort of normalizing it back to - 
               MR. SIEBER:  Try to converge it.
               MR. HOLAHAN:  Right, make them converge.  
               CHAIRMAN POWERS:  I think that's one of the
     questions.  I'd maybe come back to Graham's question.  It
     suggested that you get an overall assessment of what you
     achieve with the current rules by looking at the IPEs for
     normal operating events and the IPEEEs for external events,
     including fire.  I think that's true.
               Of course, I look at that panoply and I
     immediately say, now, what's left out of that.
               MR. KING:  Like shutdown, you mean?
               CHAIRMAN POWERS:  Maybe, yes.  And that raises a
     question, in my mind, when I think back to option three, and
     I'm operating a little bit from memory, and the framework
     document, I say, gee, those things look like they're going
     through and they're looking at the current rules and they're
     looking at them kind of individually and saying what do I --
     how do I change this current rule to make it a little more
     risk-informed, things like that.   
               And I say, gee, those rules were written with a
     presumption that a shut-down reactor is a safe reactor, and
     indeed that was the staff's point when they put together a
     draft of a shutdown regulation rule.  
               I'm wondering why is it that option three doesn't
     go through and also look at those assumptions that are
     behind the current regulations.
               MR. KING:  I think option three does look at the
     assumptions behind the current regulations and you will find
     some words on shutdown in our framework document.  The piece
     that's missing is the body of risk, quantitative risk
     information to go along with the shutdown condition.
               Now, there's some, but we're not ignoring the
     shutdown condition.
               DR. APOSTOLAKIS:  This raises some interesting
               MR. HOLAHAN:  Can I go back to Dana's question? 
     Because I think the Commission spoke directly to this issue
     when it voted not to support the staff's recommended
     shutdown rule.  Clearly, the Commission intended to maintain
     safety during shutdown.  I think it wanted it done through
     the maintenance rule and other activities and it directed
     the staff to inspect and to monitor those shutdown
     activities to see whether the level of -- what level of
     safety was being achieved.
               So the new oversight process has pieces in it that
     address shutdown and a lot of those are the same issues that
     we talked about in the NEI guidance and in the proposed
     rule.  In fact, I think the Commission has left the staff
     with the -- even before there was an option three, left the
     staff with the role of, sort of on a continuous basis,
     determining whether the existing regulatory structure is
     maintaining safety during shutdown and I think that option
     three is just another opportunity to test that.
               DR. APOSTOLAKIS:  My question is related to this,
     because this raises a very interesting question.  I believe
     that one of the arguments or perhaps the main argument the
     Commission made was that the risks from shutdown and low
     power operations are managed adequately by the existing
               At the same time, there is, I think, widespread
     concern that these risks have not been quantified.  Even if
     we accept the premise that they are managed well, we still
     don't know the level of risk.
               Now, is that something that the risk-informed
     regulatory system can live with?  In other words, if you
     convince yourself, not necessarily for low power operations,
     that a particular activity is managed reasonably well, then
     you will say then I really don't care about quantifying the
     risk from that activity.
               Is that something that this system will allow?
               MR. HOLAHAN:  I think that's not enough, because
     if you go back to the strategic plan and its goals, the
     agency's goals are more than just maintaining whatever
     particular topic area it is, maintaining it to be safe.  
               I think there are other issues that the
     risk-informed approach can address and there is a public
     confidence issue, how do you know what level of safety; you
     might be satisfied, but how do you know that other people
     are satisfied?  How do you know that you're not maintaining
     that safety at an extraordinary cost that isn't worth it?
               So there are other opportunities to test the other
               DR. APOSTOLAKIS:  I find this situation very
     interesting, because why do you do a PRA?  Well, you do a
     PRA because you want to make sure that the risk is managed. 
     And now you have someone who says, well, you know, the risk
     is already managed.  So he's short-circuiting the process
     and says I don't need to do the PRA, because I know the risk
     is already managed.
               How do you know?  Well, you know, I'm convinced. 
     I'm convinced they manage their configuration, they have
     these software tools.
               So I think now it's an interesting philosophical
     question.  Do you then abandon the quantification because
     somehow you convince yourself that the risk is managed or
     you still go through the process?  I don't know myself, but
     it's an interesting question and maybe by setting the goals
     and all that stuff, you should address these questions, so
     people will be sensitized to these things.
               I don't know what the answer is myself, because -- 
               DR. KRESS:  Yes, you do.  
               MR. KING:  Well, we don't need this plan to get
     into that question.  We've got plenty on our plates with
     option three.
               DR APOSTOLAKIS:  But don't you think it's an
     important question?  
               MR. KING:  Of course it's an important question.
               DR. APOSTOLAKIS:  Let's assume that they are
     right.  I'm willing to grant that.  Then we don't do the
     PRA?  You can have pros and cons.  Some guy might say, well,
     gee, yeah, but, look, if you look at the history of PRA, we
     thought we managed certain things well and then PRA showed
     there is an interface with system LOCA or this or that, so
     there are always surprises that come out.
               On the other hand, the other side might say, look,
     it's a matter of prioritizing things.  Right now, I'm fairly
     confident I'm managing the risk reasonably well and I have
     other areas where I really don't know.  So I will use my
     resources to attack those areas first.  
               I think both arguments have merit, but it seems to
     me if we are to have a strategic plan, somehow we have to
     get into this.
               DR. WALLIS:  I was going to suggest you use PRA,
     where you can get the most leverage from it.  You don't get
     into the marginal areas where you're quibbling about whether
     or not it's going to help.  So you work on things where it's
     really going to make a difference.
               DR. APOSTOLAKIS:  Yes, but you don't know that,
     because the other side is telling you -- 
               DR. WALLIS:  You must have some idea.
               DR. APOSTOLAKIS:  Well, you have strong opinions
     on both sides.  One side says, no, I'm managing the risk and
     the other side says, well, you know, you are doing something
     very good, but I still don't know whether you're managing it
     very well.  I think both arguments have some validity.
               Anyway, I just raise the issue, because I find it
     really a very interesting question.  PRA is the way of
     managing the risk and then somebody says but I'm already
     managing it, so I don't need to go that way.  It seems to me
     a strategic plan has to some -- wherever you plan to have
     overall guidelines, objectives and so on, that question has
     to come up.
               Okay.  Why don't you go ahead?  
               MR. KING:  Moving on to slide five.  Dr. Wallis
     asked the question what are your criteria for deciding what
     you want to risk-inform or what don't you want to
     risk-inform.  There are some example criteria in the draft
     we sent, the partial draft we sent to the Commission in the
     00-62 SECY.  They basically say what we want to do is take a
     systematic look across all three arenas at the regulations,
     at the activities, like inspection program, enforcement
     program, see would risk-informing them contribute to helping
     the agency achieve any or all of its four performance goals.
               But there's also some other factors that need to
     be considered; do we have tools and data that provide
     sufficient information, where you could go risk-inform the
     activity;  is there licensee interest or capability in doing
     this; can it be done at a reasonable cost.
               DR. WALLIS:  We said in our research report that
     you kept invoking these goals, and that's fine, but a lot of
     work needs to be done if you say maintain safety.  Okay. 
     Now, first of all, we need know what kind of safety we're
     getting and all this stuff.  You need to develop that and
     see how does PRA fit in there.
               Just invoking some high level goal doesn't tell
     you very much until you begin to analyze what you would need
     to do in order to determine whether or not there is going to
     be any influence on maintaining safety by risk-informing.  A
     huge amount of structure has got to be put in there.
               So I think what we would look for is that you
     built that structure, not just invoked some high level goal,
     which is fine, but that's like saying, you know, I served in
     the U.S. and I support the Constitution or something.  
               MR. KING:  I think in the reactor area, where you
     have quantitative risk information, it gets a little easier. 
     In the NMSS area, where there's a lot of different things
     that they regulate and you don't have PRA quantitative risk
     information to look at those, it gets more difficult.
               NMSS had a two-day workshop in April where they
     brought in a number of their stakeholders and they asked
     these kinds of questions.  
               DR. WALLIS:  The biggest question on maintain
     safety is this is -- it's not clear what that means.  You
     can argue forever.  When you say if it's the existing
     regulations, well, how do they maintain safety.  It seems to
     me that risk-informing has a tremendous amount to contribute
     to determining how well the regulations maintain safety.  
               When you know that, then you can, okay, this is
     the one which is worth tweaking, because we can really gain
     something there.  
               DR. APOSTOLAKIS:  I think in connection to this
     slide and also in the context of building public confidence,
     many, many times, we hear public stakeholder groups saying
     the whole purpose for risk-informing the regulations is to
     relax regulatory burden, and people forget that for the last
     25 years, really, risk-informing the regulations meant
     increasing the burden.
               So I would suggest that whenever you talk about
     the agency performance goals, you have slides or public
     meetings or whatever in the report, you immediately show a
     few examples where you have maintained safety, like the
     station blackout rule or ATWS or whatever, as a result of
     PRA, because apparently people need to be reminded of these
     things, that you are not just changing the tech specs and
     all that. 
               We get letters from public groups that say, well,
     all they are doing is this.  And maybe give examples in
     other areas that you have improved effectiveness and so on.
               In fact, we wrote a letter, with your help, some
     time ago, how PRA has been used in the past.  It wouldn't
     take more than two or three lines to show examples like
     that; that perhaps we have done a lot on improving safety
     using PRA, and now we are also addressing issues of
     unnecessary burden.
               But let's not forget we have already done a lot of
     that, because people forget or they don't know perhaps.  In
     fact, that was a major complaint of the industry that
     happened till now, all you were doing was adding burden.
               MR. KING:  Right.  I agree with your statement and
     I think one of the things that this document could do is
     show that risk-informed is a two-edged sword.
               DR. APOSTOLAKIS:  Yes.
               MR. KING:  And you could do that with some
     specific examples.  You can also do it with talking about
     the philosophy behind risk-informed.  Just the fact that
     you're not spending resources on unimportant things does
     improve safety or at least maintains safety.
               DR. APOSTOLAKIS:  Yes.  But I think giving
     specific examples from the past will go a long way.
               MR. SEALE:  To belabor the obvious, you haven't
     made the one point here, I don't think, I didn't find it
     anyway, that the PRA provides a rational basis for ranking
     the risk and that is certainly one of the more important
     things that you are interested in if you are going to make
     your regulations efficient and attack the necessary things
     in a straightforward way.
               So sometimes you have to -- the PRA covers things
     you've already evaluated, but you didn't have that
     evaluation in the context of other risks, as well.  And now,
     with the PRA, you have a thermometer, if you will, that
     you've looked at all of these different things and now you
     have comparisons and that's important to your resource
     allocation process.
               DR. WALLIS:  In terms of public confidence, some
     of the most important public consists of your own employees. 
     If this gives a way of doing things which gives your
     employees more confidence they're doing the right thing,
     it's worthwhile, it's worth putting energy into, there's
     going to be a tremendous contribution.
               I would like to see more evidence of that, that
     people have great enthusiasm for PRA, because it makes their
     job better and so on.  
               And the other confidence is, of course, in
     industry, the whole -- that's another kind, that these
     regulations make some sense, because they have this logic of
     PRA or something behind them.
               MR. KING:  When we talk about communications in
     this plan, we're talking internal and external, and internal
     is very important.
               DR. WALLIS:  The public, and there's lots of parts
     of the public that can be really influenced by this
     initiative, it seems to me.  It's not just some public
     interest group.  Everybody with some stake in nuclear
     energy, as well.  
               DR. KRESS:  In your previous work on the
     possibility of redoing the safety goal policy statement, you
     had a number of very interesting questions or issues, things
     like should land interdiction be a goal, should you deal
     with risk spikes, are CDF and LERF the right things to use,
     should you quantify adequate protection.
               You had a number of very interesting, I thought,
     questions that seem to me to be important to the issue of
     how you risk-inform regulations.
               Will you face up to those questions and try to
     provide some sort of answers to them in this particular
     document here or will you skate around them some way?
               MR. KING:  One of the things we talked about
     having in this document were what are the risk goals that
     you're trying to achieve all of the various things you may
     want to look at in this plan in the reactor area.  I didn't
     envision this document as dealing with the land
     contamination issue or risk spike issue or some of those
               DR. KRESS:  It certainly might come up in the NMSS
     area, because that may be your risk goal there.
               MR. KING:  NMSS, they have on their plate a task
     to come up with safety goals for the things that they
     regulate.  In what form, whether that's going to be a policy
     statement or some other document, I don't know at this
     point.  I would envision whatever comes out of that effort
     will be reflected in this document, but I didn't view this
     document as the document that's going to establish those
               I do view this document, though, as providing some
     what I call guidelines, this bullet right here.  By that,
     what I had in mind was so that there's some consistency in
     the way we implement our risk-informed activities, I think
     things like the definitions from the Commission's white
     paper on risk-informed regulation ought to be in here, like
     our principles from Reg Guide 1.174 probably ought to be in
     here, maybe we ought to come up with some consistent
     definition of defense-in-depth and safety margins, what do
     we mean by performance-based, those kinds of things.
               DR. KRESS:  How do you deal with uncertainties.
               MR. KING:  How do you deal with uncertainties,
               DR. KRESS:  Those are the kinds of things I would
     assume you're looking for.  
               MR. KING:  I thought that kind of stuff, to me,
     made sense to put in here, so that everybody, when you're
     talking treatment of uncertainties, we're doing it in a
     consistent fashion.  
               DR. WALLIS:  Could you also have some vision of
     where you're going?  When you reach the delectable mountains
     of risk-informed regulation, whatever they are, what do they
     look like?  Some kind of objective out there, like
     Eisenhower is going to get to Berlin or something, some kind
     of -- where are we going, where would you like to be if
     everything works out right?
               MR. KING:  I think there's two aspects to that
     question.  One is laying out our plans for those areas in
     schedules and priorities for accomplishing risk-informed
     changes in those areas and then we have a section in the
     plan called measures of success, how do you know you achieve
     what you want to achieve.
               That's sort of a nebulous thing at this time as to
     exactly what those measures of success will be.
               DR. WALLIS:  I think if anything that's been
     planned in the past, any major human activity, then one of
     the major things is a view of where you're going.  We're
     going to climb Mt. Everest and that becomes most important. 
     The plan is very important, but unless you have this purpose
     up there, some view of what constitutes success, then all
     the plans are kind of muddled.
               MR. KING:  I agree.  
               DR. BONACA:  I'd like to throw in just one more
     thing in support of what Dr. Wallis is saying.  I believe
     that we're all looking at these plans, but I think we have
     probably all different visions of what this future would be
     out there, and when we -- we haven't discussed this and I
     think we will, probably as a committee, reflect on this at
     some point, but it seems to me that there are certainly some
     people who would think that we could have, at some point, a
     50.59 process under which you could remove, for example,
     defense-in-depth commitments by 50.59.
               Other people think that that will not be
     acceptable for their own reasons.  I mean, there are reasons
     for whatever.
               The point is that I think there is a fractured or
     maybe inexistent sense of a common vision about where we're
     going with the plan and a plan typically would have some
     elements of vision of what we envision out there that will
     resolve some of the problems that existent.
               I'm just supporting what Professor Wallis is
     saying, that that would be very useful.
               MR. KING:  You could picture it, we have the four
     big agency performance goals, you could say, well, I'm going
     to go risk-inform something because it's going to help me
     achieve those performance goals and you could go back and
     then say set a success measure, whether it's how much
     efficiency improvement did I achieve, you could put some
     monetary or staff year reduction goal for that or how much
     unnecessary burden did I reduce, whatever it may be.
               You could do that and then come back and monitor
     did I actually achieve those reductions when I risk-informed
     this activity or didn't I, and that's sort of what I had in
     mind in the success measure section, although we haven't
     come up with any firm recommendations in that area at this
               DR. WALLIS:  That's incremental.  That's so that
     when I fight this battle, what's the body count, did I gain
     something.  But it doesn't give you the overall objective
     out there somewhere which makes the whole thing worthwhile.
               DR. BONACA:  I think in the oversight area, we
     have some vision now, because we have an implementation plan
     and it's being implemented now.  We're beginning to see the
     elements of it, with the cornerstones and things of that
     kind, and we can or we have commented on individual aspects,
     maybe been critical of some elements, but, in general, we
     have a good understanding and a buying-in into a process
     that is becoming risk-informed, but it can be improved, too.
               It's just that there are so many other elements of
     regulation out there and particularly we're talking about
     with existing plants, how they are operating today, what is
     effective and what is not effective, and how risk
     information can improve the effectiveness of these plants
               I think that that's an element.  We will have a
     common vision of what is going to be.
               MR. KING:  I think the common vision is certainly
     qualitative vision, focus on the things that are important,
     that we're going to be more effective and efficient.  I
     didn't envision we would set numerical goals for that.
               But certainly we'd be interested in any thoughts
     anybody has as to how we could approach that.
               DR. BONACA:  I'll give you an example.  To me,
     50.59 is an important issue, because it's the process under
     which power plants are allowed to make changes.  So I would
     say that if I look at the existing power plants, they are
     hesitant about what they are going to do in the future; are
     they going to come under this changed regulation, under
     risk-informed or not.
               As you know, there is reluctance there.  The
     reluctance is because they don't understand, they don't know
     what's going to be.  And clearly there are big issues about
     what you would be able to change in power plants under
     risk-informed 50.59, for example.
               I think we had discussions here about
     defense-in-depth and balance, but we never -- and that's an
     important element, however.  
               MR. KING:  If you just want to set some overall
     agency goal for risk-informing 50.59, other than some
     qualitative statement that I want it to be risk-informed,
     I'm not sure what else I would say.
               DR. BONACA:  I'm not expecting that you have.  I'm
     just expressing some of the issues that I believe are
     clouding a little bit where we're going with all this.
               MR. KING:  I guess you could say I want to
     risk-inform it to the point where I only get half the number
     of license amendment requests that I normally get, you could
     set some goal like that.
               DR. KRESS:  I would try to avoid quantitative
     goals in this type of exercise.  I think you just get
     yourself in trouble.  
               MR. KING:  Yes.  But you could also say a measure
     of success would be am I getting fewer license amendment
     requests because I've risk-informed 50.59, without saying it
     has to be -- 
               DR. KRESS:  That's the way I would try to do it,
     that sort of thing.
               DR. WALLIS:  This looks like solutions for
     problems.   If someone is to create that risk-informing is a
     blessed activity, therefore, you should engage in it, then
               DR. KRESS:  I think we all believe there is a
     problem with the regulations.  
               CHAIRMAN POWERS:  They have, that has happened.
               DR. WALLIS:  But if you could say here is 50.59,
     and the reason that there's all this anxiety in industry and
     so on, and so on, and so on, and, gee whiz, risk-informing
     is the solution to those problems, that would be more
     convincing, rather than saying here we've got this tool and
     we get points for applying it, using it.
               MR. KING:  I think we should move on.
               DR. APOSTOLAKIS:  Let's move on, yes.
               MR. KING:  Slide six is just, at a high level,
     what the outline of this plan would look like and some
     executive summary.  There will be some introductory material
     that will discuss the relationship of this plan to the other
     strategic plan and other documents and processes the agency
     has.  These overall guidelines we talked about to add some
     consistency in risk-informed treatment of uncertainties and
     so forth. 
               Then there will be sections for the three major
     arenas that will get into more of the details of what's to
     be done. 
               Then on the next page, a little breakout of what
     one of those arena sections would look like.  
               Again, like I said, this is work in progress. 
     This may change as time goes on, but at this point, what I
     envisioned was for each arena, you talk about the guidelines
     that you've developed and applied to decide what are you
     going to risk-inform and what the priorities are, and then
     the results of applying those, what have you decided to
     risk-inform, what are the priorities, what have you decided
     not to risk-inform.
               And then for each thing where you've made a
     decision to go do some risk-informed work, sort of lay out
     what the major milestones are and what the -- what I call
     the infrastructure needs, the responsibilities, training
     needs, what kind of communications plan, internal and
     external.  And some of these, for each activity, a
     communications plan may be -- it may cover a number of
     activities.  It doesn't always have to be each one has to
     have its own.
               And then these measures of success, how would you
     know that what you did was an improvement.  So at a high
     level, this is sort of what I envisioned to have in there.
               DR. APOSTOLAKIS:  How would you make sure that
     certain principles that really apply to more than one arena
     are, in fact, stated clearly?  Defense-in-depth, for
     example, is one.
               MR. KING:  That was back -- where I envisioned
     that was back here in the introductory section to the entire
     plan.  That would be a lead-in to each of the three arena
     chapters and this last item, overall guidelines, that's
     where I envisioned we would talk about maybe the Reg Guide
     1.174 principles.
               DR. APOSTOLAKIS:  How do we define them?  How do
     we make sure we have all of those?  From the experience of
     trying to implement the risk-informed system or we will have
     some sort of a structured process that would identify those
     high level issues that apply to all of them?
               MR. KING:  I think at this point, we've probably
     done enough in the reactor area where we know what issues
     we've had to face, policy issues, implementation issues,
     that we could probably make a good cut at laying some of
     those things out that are applicable across the board, that
     others are going to have to face if they want to go
     risk-inform things.
               Through interactions with this committee and other
     interactions on the staff, with stakeholders, we may
     identify some more.
               DR. APOSTOLAKIS:  But there will be some high
     level body monitoring all this.  
               MR. KING:  Well, later on.
               DR. APOSTOLAKIS:  Later on.
               MR. KING:  I guess I didn't put it on the
     schedule.  The agency has a PRA steering committee and we've
     run this presentation by them in terms of what our vision is
     for this document, just to make sure we have alignment
     between the office directors and ourselves, and we continue
     to come back to them as this thing evolves.
               DR. WALLIS:  This is all internal NRC people.
               MR. KING:  It's all internal NRC people.  One
     thing you'll see when we get later on, the suggestion is
     maybe we want to take this document as a draft and go out
     and get stakeholder comment and feedback on it -- external.
               DR. WALLIS:  It would seem to me you could benefit
     from having an advocate for PRA with expertise.  You know,
     if there's another George out there, who is not tied up with
     all the regulation, all the habits of the NRC, and look at
     what you're doing, could give you good advice.
               MR. HOLAHAN:  I thought we had one of those.
               DR. WALLIS:  Apart from ACRS, but someone who
     works with you daily or whatever when you need this person.
               DR. SEALE:  More than that, I think we've all been
     impressed upon occasion that the quality of PRA work that's
     been done by some of the utilities and attaching specific
     problems, and I think we would be remiss not to try to get
     their input.  They may even have a good idea or two that
     would help out.  
               MR. KING:  I think it would be worthwhile sending
     this out as a draft once we've got the sections filled in.
               DR. WALLIS:  I was thinking actually in the
     production of it, not just the formal business of you guys
     work on it and it goes out for comment, but someone actually
     in the creative process of deciding what to do.
               CHAIRMAN POWERS:  What are you looking at them to
               DR. WALLIS:  I would look for someone like a
     George who has ideas, can be critical, can say, well, how
     about this and talk about the bigger vision than you guys
     maybe have, to contest you as you develop the thing.
               It seems to me there are lots of things here which
     are of that type.  There are creative activities involved
     and there are visions of what you might be able to achieve
     that maybe you haven't thought of.
               DR. APOSTOLAKIS:  You can use consultants.  Is
     there anything that says you can't use consultants?
               MR. KING:  No.  We can use consultants.  
               DR. APOSTOLAKIS:  Then select one or two people
     and whenever you feel you need them, give them the thing and
     say what do you think.  It doesn't have to be a big deal.  
               CHAIRMAN POWERS:  I guess I'm still struggling
     with what it's supposed to provide here.
               DR. APOSTOLAKIS:  I think Graham's point is that
     there are experts out there that can, not from the
     regulatory side of the business, but perhaps they have done
     PRAs -- like Gareth Parry, before he joined your staff, was
     out there doing good work, and these people may have -- 
               CHAIRMAN POWERS:  As opposed to now?
               DR. APOSTOLAKIS:  But these people would bring a
     different perspective, I agree with you.
               CHAIRMAN POWERS:  I agree that it would bring a
     different perspective, I agree that they may have done a
     PRA.  I don't think doing a PRA is what is necessary right
     now.  It seems to me that coming in with no knowledge of the
     regulatory process is the last thing you need.  You need to
     know exactly what the regulatory process is.
               DR. KRESS:  That's what I think.  That's much more
     important than knowing the PRA.
               DR. APOSTOLAKIS:  But, guys, we're not talking
     about turning over this activity to them.  All we're saying
     is before you finalize this, give the guy the document and
     get some comments.
               CHAIRMAN POWERS:  George, I could sit here and
     say, gee, there are an awful lot of good quantum candidates
     out there that know a lot about second quantitization. 
     Maybe you ought to show it to them.  I'm just not sure they
     would help very much.
               DR. APOSTOLAKIS:  And I would agree with you.  I
     still think that if you select the people carefully, who
     have also --
               CHAIRMAN POWERS:  I think I would be much more
     interested in talking to somebody who has attempted cultural
     change in an organization.  I'd like to get their advice on
     things much more than somebody that's just done a PRA for a
               DR. WALLIS:  That's not to say who the person is,
     but maybe we could agree that some sort of external view of
     this would give you some checks and balances and help which
     might be useful.
               DR. APOSTOLAKIS:  Yes.  We're not talking about
     the guy who does fault trees for a living.  That's not the
               DR. KRESS:  I would be interested in a guy you
     could ask questions of, like I'm concerned if one stuck with
     just LERF and CDF, for example, that you're missing
     something, and you're missing things like 10 CFR 100, which
     talks about a dose from an unfailed containment, which is
     one of your objectives, as regulatory.
               And we have other similar things like that that
     LERF -- CDF addresses to some extent, but LERF doesn't.  The
     question I might have is if I come up with some objective
     that might, for example, be the frequency, an allowed
     frequency of exceeding a certain dose, which might be
     particularly an NMSS activity, can a PRA give you that
     number and how does PRA have to be structured to give you
     that and to give you the uncertainties in it and is it
               That sort of thing you might -- 
               MR. KING:  But I think what you're talking about,
     to me, is a level of detail lower than what I envisioned
     this plan to have.  Those are certainly questions you have
     to face at some point, but I didn't view this plan as
     getting down into every technical issue that has to be dealt
     with in all the things we want to risk-inform.  
               I viewed this plan as, for example, risk-informing
     Part 50, there would be a schedule for option two, there
     would be a schedule for option three, some of the major
     milestones and deliverables and so forth, but not getting
     into the individual regulations that we're looking at in
     option three.
               That's dealt with through separate papers and
               DR. APOSTOLAKIS:  Anyway, we seem to be getting
     into management issues here.  
               MR. HOLAHAN:  Before we leave this subject, let me
     go back and say it again, since no one agreed with me when I
     said it before.  I agree completely with Professor Wallis,
     but I think we already have a group of independent, vocal,
     knowledgeable experts sitting around this table and I don't
     see any reluctance on their part for giving us good advice.
               DR. WALLIS:  We see you once every three to six
     months or something.  This is someone you could turn to as
     part of your team, it seems to me.  That might be useful.
               DR. APOSTOLAKIS:  I think we should leave it up to
               DR. WALLIS:  Leave it up to you guys.
               DR. APOSTOLAKIS:  This is a management issue. 
     Would you move on?  I mean, we've expressed our differing
     views, which we're happy to do.
               MR. KING:  The nice thing about this committee, we
     get all these differing views, we pick the one we like.  
               DR. WALLIS:  There's no sense in our expressing
     views unless some of them are useful to you.
               DR. SEALE:  There's no quality control on our
               MR. KING:  All right.  Schedule.  We need to get
     this thing done and a complete draft is due to the
     Commission the end of October.  What we had envisioned was
     NMSS has already had their workshop with stakeholders. 
     We're talking with NRR about having a similar workshop to
     take a look at what they're doing and should they be doing
     more in the risk-informed area.
               Developing some draft arena sections in August,
     coming back to this committee and the joint ACRS/ACNW
     committee in the fall to talk about those.  And then after
     the draft goes to the Commission, at least my view is we
     ought to recommend to them that that go out for public
               CHAIRMAN POWERS:  Your schedule and your need to
     get to the Commission has a problem interfacing with our
     schedule in the sense that we don't have an August meeting
     and September then becomes kind of jammed up and things like
               Let me ask, is there a time in there where we
     should -- we want to help and I think even participate and
     give you all this wonderful advice that you can pick and
     choose from in a fairly explicit fashion.
               Should we be looking to a period of time for like
     a subcommittee meeting, where we can plunge into the details
     and things like that?  Is there an appropriate time for
     doing that?  Should we look at arena papers in detail?
               MR. KING:  I think it would be worthwhile to have
     this committee look at the arena chapters once they are
     developed and I think a subcommittee would be a good idea.
               DR. APOSTALAKIS:  Timeframe.
               MR. KING:  Maybe the August timeframe.  Are you
     permitted to have subcommittees in August?
               CHAIRMAN POWERS:  Yes, we have a bunch of them. 
     We have a bunch of them in August.
               DR. APOSTOLAKIS:  August is very hard, because my
     vacation is in Europe.  
               MR. KING:  I don't want to make it too early,
     because then you're wasting -- 
               CHAIRMAN POWERS:  It's nothing that we need to
     sort out now, but it's something that I think we want to
     sort out with you as the time comes closer to that schedule,
     just because it would be nice if we could do it on the
     October meeting.
               So that when you go to the Commission on the 27th,
     they at least have our input on it.
               MR. KING:  I think clearly the October full
     committee would be a time where, if you want to write a
     letter, that would be the meeting -- 
               CHAIRMAN POWERS:  I want things pretty well --
     have an idea of what we're going to write at that October
     meeting, rather than -- 
               MR. KING:  Which means subcommittees before that.
               DR. APOSTOLAKIS:  But not a week before.
               CHAIRMAN POWERS:  Yes.  That's what I'm trying to
               DR. APOSTOLAKIS:  First of all, I'm impressed that
     ACRS' view is not followed by CRGR.  
               MR. KING:  This is not CRGR material.
               DR. APOSTOLAKIS:  Second, is the ACRS/ACNW that
     joint subcommittee?
               MR. KING:  Yes.  And maybe we need to go to the
     full ACNW.  We'll have to sort that out.
               DR. BONACA:  There will probably be an ACNW
     letter, with some input or something.
               DR. APOSTOLAKIS:  Okay.  We can work out the
               MR. KING:  Okay.  The last slide I have is what I
     call issues.  There are several things, and this list will
     probably grow as time goes on.  We got an SRM from the
     Commission in April that resulted from the briefing we gave
     them on the 0062 paper.  What they said was when we give
     them this draft at the end of October, what they want is an
     identification of those internal and external factors that
     are affecting our planning process, and they listed some
               Availability of pilot plants was one that they
     listed in their SRM.  I think there's probably some others. 
     I think licensee interest and participation in this whole
     risk-informed process is one.  
               There's questions of maybe you could go
     risk-inform some regulation, but under a voluntary system,
     if licensees aren't interested in it, why bother.  
               MR. SIEBER:  Do you have any indication at this
     point in time as to what licensee interest really is?
               MR. CUNNINGHAM:  NEI did a survey of what
     licensees were particularly interested in, I guess they --
     in the winter time.  As I recall, the top two that they were
     very interested in are changes in 50.44 on hydrogen control
     and 50.46 on ECCS requirements.
               They had a list of other things, but those are the
     two that jumped out.
               MR. KING:  But I think your question is even if we
     would make those changes, how many licensees are actually
     going to take advantage of it.
               MR. SIEBER:  Well, and beyond that, which ones are
     going to build the infrastructure that they need in order to
     participate in risk-informed regulation, because that's a --
     you're going to end up with, as I see it, two mountains. 
     One is the traditional deterministic way, the other one is a
     risk-informed way, and it's not clear to me that that
     reduces burden.  
               MR. HOLAHAN:  I think these things haven't sorted
     out yet, but I think my vision of the future is licensees
     will put the infrastructure into a risk-informed approach,
     because they need to do that because of the way the
     maintenance rule is structured and for the oversight
     process, and I think that the nature of the oversight
     process will have an enormous effect on the way licensees do
     their own work.
               And when they get to that point, at least what I'm
     imagining is, in fact, it will be those activities and not
     the examples of would you like to change 50.44 that are
     going to pull the licensees into the risk-informed world,
     and once they're there, more than they are now, some of them
     are well into this arena now, but all of them, by the very
     nature, have to participate in the oversight process.
               They need to understand the significance of their
     activities and their performance issues.  That is going to
     be the arena that gets them into this world and once they're
     there, I think that will open up to a lot more than 50.46
     and 50.44.  
               MR. SIEBER:  I sort of look at that, though, as
     like a marathon race.  There's the guys out in front and the
     guys who are walking back and there's going to be some kind
     of a distribution of degrees of participation.
               I'm not sure whether that's going to help you or
     hurt you in the process of truly risk-informing regulation.
               MR. HOLAHAN:  I think the oversight process is
     going to establish some minimum speed, which, in a practical
     way, where a licensee can continue to survive.
               DR. KRESS:  Not everybody crosses the finish line.
               MR. KING:  When I've asked this question on the
     reactor side of industry people, the answer I get back is
     there's a lot of licensees sitting on the fence.  If we get
     a few successes under our belt, that will get them off the
     fence and having a lot more step forward and want to
     participate and implement risk-informed changes.
               If we don't get some successes under our belts,
     corporate management may not be willing to support PRA
     activities at plants.  So it remains to be seen at this
               MR. SIEBER:  There's another constituency here and
     it's probably in the details that you're not wanting to
     discuss at this time, but there is a group that will be
     running with peg legs in this marathon of yours and that's
     the aspect of NMSS activities that are under the direct
     supervision or regulation by agreement states.
               I just don't see where there's very much here, at
     least at first, that's going to be attractive to those
     people at all, because there are 49 constituencies, unique,
     in a sense, that don't have the resources to build a support
               MR. KING:  Gary and I both sat in on the NMSS
     workshop, where they had state people, they had medical
     community, they had citizens groups, of course, represented,
     and I came away with the sense that most people were
     interested in this, from the NMSS side of the house, the
     licensees and the states.
               There's always some that are against it, but I
     thought that -- there was a statement made by the
     representative of the medical community, a gentleman from
     San Francisco General Hospital, that I thought was very
     enlightening in terms of what risk-informed means for them. 
     It really means protecting public health and safety in a
     much better way than it's being done now, because if it can
     reduce the cost of medical procedures and so forth, that
     means it's available to more people and that's real risk
     reduction on real health issues.
               DR. APOSTOLAKIS:  I was looking at the General
     Accounting Office report.  There are a couple things here
     that I don't understand.  Some utilities do not have current
     and accurate design information for their nuclear plants
     which is needed for the risk-informed approach.  Is that a
     big thing?
               I mean, have you found this to be a big problem?
               MR. HOLAHAN:  Did you ask me whether I agreed with
     that statement?
               DR. APOSTOLAKIS:  Yes.
               MR. HOLAHAN:  I don't agree with that statement.
               DR. APOSTOLAKIS:  I don't either.
               MR. BARTON:  Maybe that was true a few years ago.
               DR. APOSTOLAKIS:  Well, it's '99.  
               CHAIRMAN POWERS:  I think if you go back and you
     look at the kinds of things that utilities had to do for the
     fire protection functional inspection pilots, that you might
     agree better with that statement.  
               DR. APOSTOLAKIS:  But I don't consider this an
     impediment to make it number one.
               MR. HOLAHAN:  That's right.  On the contrary, what
     I've found is that getting involved in risk-informed
     activities has been helpful in identifying issues in the
     design basis and getting them sorted out. 
               It's not as though you can't do the PRA until you
     learn the design basis issues better.  In fact, it's helpful
     in addressing those issues where there are problems.
               CHAIRMAN POWERS:  I'd certainly agree with that. 
     But that there are problems in understanding the design
     basis of things becomes very clear when you look at the fire
               DR. APOSTOLAKIS:  Anyway, any other comments from
     the members on this issue?  Members of the public?
               [No response.]
               DR. APOSTOLAKIS:  Hearing none, back to you, Mr.
               CHAIRMAN POWERS:  Thank you, gentlemen.  Look
     forward to seeing your plan.  It should be most useful.
               I will recess us until 10:15.
               CHAIRMAN POWERS:  Let's come back into session. 
     We are now going to turn to a discussion of an event that
     occurred at the Hatch Unit 1.  John, you're the one that
     brings all these terrible things to us.
               MR. BARTON:  Thank you, Mr. Chairman.  The purpose
     of this session is to hear presentations and hold
     discussions with representatives of the NRC staff regarding
     the operating event at E.I. Hatch Nuclear Power Plant Unit 1
     this past January.   We will also hear from the licensee
     following the staff's briefing.
               A description of the event, on January 26 of this
     year, Hatch Unit 1 was at 100 percent power, when the
     reactor pressure vessel water level began to decrease as a
     result of a valve in the feedwater line going closed.
               The valve closure caused a large reduction in the
     feedwater flow.  Reactor water level decreased, automatic
     reactor trip occurred, as expected.
               We've been spending a lot of time on risk-informed
     regulations, where we're going in the risk arena, and
     incidents, transients, shutdowns, et cetera, effects of CDF
     and LERF, et cetera.
               Now, from a risk aspect, this event was not
     significant in that it did not result in core damage. 
     However, it was a serious event in that several areas of
     weaknesses in overall operation and programs were
     identified, and I'm sure we'll hear about them from the
               So at this point, I'd like to turn it over to the
     staff, Mr. Tad Marsh, to make introductory remarks prior to
     the staff's briefing.
               MR. MARSH:  Thank you, Mr. Barton.  Good morning. 
     My name is Tad Marsh and I'm Chief of the Events Assessment,
     Generic Communications and Non-Power Reactor Branch in NRR.
               I have with me today several representatives of
     the staff who will be presenting to you the Hatch event.  I
     would like to introduce Mr. Wert, from Region II, who is the
     team leader on the augmented inspection team, and Mr. Vern
     Hodge, from my staff, who will also discuss with you the
     generic implications and our follow-up actions.
               So, gentlemen, let's go ahead.
               MR. WERT:  As Mr. Marsh stated, I was the
     augmented inspection team leader, the Hatch scram that
     occurred in January, with some complications that occurred
     on January 26, in the year 2000.  Next slide.
               Just briefly, there's a list of our team members
     that participated in the team.  I'm not sure how much you
     want to hear about that.  But internally, as a region, we
     always review closely successes and ways that we can improve
     augmented inspection teams.
               One thing that we did note on this team is we felt
     we had the right combination of technical capabilities to
     review this.  All the inspectors were extensively
     experienced in boiling water reactors from a resident
     inspector perspective and additionally, we had Mr. Gary
     Hammer, a member of the NRR staff, who was very
     knowledgeable and aware of the SRV issues, safety relief
     valve issues.
               Just a brief outline.  This is a composition of my
     presentation today.  Overall event sequence, and I won't
     spend a lot of time with that.  You have the inspection
     report in which that sequence was laid out.  Equipment
     issues, because it's a very convenient way to talk about
     this event.
               Performance of licensed operators.  As we got into
     the event, I think you'll see that we became more concerned
     or just as concerned about performance of the licensed
     operators as we did about some of the equipment issues that
     initially were considered to be problems.  Health and safety
     assessment and NRC actions.
               Hatch Unit 1 is a GE BWR-4, with a MARK-1
     containment.  That's the light bulb-shaped dry well with the
     separate Taurus.  Commercial operation began September '97. 
     The licensed full power is 2763 megawatts thermal.  They did
     undergo two, in recent years, two upgrades to extend our
     power operation rating, full power rating.
               The event occurred with Unit 1 at 100 percent
     power.  It had operated for about 213 days continuously
     prior to this event.  The event also occurred at 6:51 a.m. 
     It was during a shift turnover, and we'll talk about that a
     little bit more.
               A feedwater heater inlet isolation valve closed
     when a control switch unexpectedly actuated, and we'll talk
     a little bit more about that switch in the presentation
     later.  And automatic scram on low reactor water level
     resulted as expected.
               High pressure coolant injection, HPCI, and reactor
     core isolation cooling initiated.  The reactor vessel water
     level was rapidly recovered.  I might add that in this
     event, both feedwater pumps were also running during this
     time.  So the water level was rapidly restored.
               High pressure coolant injection tripped about 67
     seconds after the reactor vessel high level trip set point
     was initially reached.  The RCIC and the feedwater pumps
     tripped at their set points, as expected.  Reactor vessel
     water level was high enough to cause water to enter the
     steam lines, and I'll talk a little bit more about what we
     thought contributed to that level in the steam lines.
               The operators closed the main steam isolation
     valves in accordance with the emergency operating
     procedures, and I might add that the procedures say -- I
     would phrase it as at 100 inches, shut the main steam
     isolation valves.
               The reactor operator did ask for concurrence to
     shut the valves after he noticed the level was slightly
     above 100 inches and they were actually shut at about a plus
     108 inches indicated level.
               The highest level during the transient was about
     plus 110.8 inches that we got off the data.
               DR. KRESS:  What is it about this particular valve
     closing that causes the water level to decrease?
               MR. WERT:  Sir, this valve that closed was one of
     the two -- one of two valves in the main feedwater flow
     paths to the reactor vessel.  There's two main lines coming
     into the reactor vessel.  They do tie back together into one
     line upstream of that, but where this was, that effectively
     reduced momentarily 50 percent of the feedwater flow.
               DR. KRESS:  Fifty percent of the feedwater flow.
               MR. WERT:  Initially.  Then you would have both
     feedwater pumps still injecting into the vessel through the
     remaining flow path.  But initially you get a large
     reduction in feedwater flow.
               DR. KRESS:  So it's an initial reduction.
               MR. WERT:  And even subsequently, but I wouldn't
     say 50 percent.  
               MR. BARTON:  You're still basically steaming at
     full power rate and reducing feed flow by half.
               DR. KRESS:  Steaming at full power and flowing in
     at half the flow.
               MR. BARTON:  Yes.  Feed level goes down pretty
               DR. WALLIS:  What is water level, the two-phase
     mixture?  What is the water level in the two-phase mixture? 
     Is this a collapsed level or what is it?  You have boiling
     water, but the level is not a determined thing, is it?
               DR. BONACA:  It is not the collapsed level.
               DR. WALLIS:  It's not a collapsed level.  But it's
     a level of some sort where there's a transition from mostly
     water to mostly steam.
               DR. SEALE:  This is above the separators.
               DR. WALLIS:  Yes, it's way up there.  So it's a
     two-phase mixture, but I wonder what you mean when you say
     level is 110 inches.  What detects that level?
               MR. WERT:  These are water level indication
               DR. WALLIS:  Usually that's a hydrostatic thing. 
     It's just a collapsed level measurement.  So the actual
     level where there is water is higher than that.
               MR. WERT:  I was referring to the water level
     indicated at the annulus of the vessel.
               DR. WALLIS:  I think it measures a collapsed
     level.  There's actually water higher than that.
               MR. WERT:  I think that's true in the interior of
     the vessel.
               DR. WALLIS:  There is water a lot higher than just
     110 inches probably.
               MR. WERT:  Yes, sir.
               DR. WALLIS:  Because it's bubbling and all kinds
     of stuff going on.
               MR. WERT:  Yes, sir.  We were just concentrating
     on the level that would then go into the steam lines.
               DR. WALLIS:  But we at least have a picture of
     what's going on.  There's actually a lot of water above
     that, as well, tossing around.
               MR. SUMNER:  My name is Lewis Sumner, I'm the Vice
     President for Plant Hatch.  At this point in the sequence,
     when this level was this high, the reactor has already
     scrammed.  The void collapse has already occurred and you
     are reading true level.
               DR. WALLIS:  So it is true level.
               MR. SUMNER:  Yes, true collapsed level.
               DR. WALLIS:  Thank you.  
               MR. WERT:  At this point, the operator initially
     attempted to control pressure with the safety relief valves. 
     That's in accordance with his operating procedures, to open
     a relief valve.
               You would do that because you have the reactor
     essentially isolated here and the pressure is slowly
     increasing due to decay heat.
               The expected control panel indications were not
     received.  What I'm referring to there is there's three
     lights under each control switch for these safety relief
     valves.  There is a green light that tells you there is
     power being provided to the solenoid valve that supplies
     pneumatic air to operate the valve electrically.
               There is also a yellow light that tells you that
     the pressure in the discharge pipe going to the Taurus from
     this valve has reached greater than 85 pounds, the set
     point.  It varies from plant to plant.  But it detects
     pressure in the tailpipe.  
               And the final indication is a red light that tells
     you only that the solenoid has been energized, either by
     switch operation or through operation of the low load set or
     the ADS system.
               The operator was looking for the amber or yellow
     light that told him I have a high discharge pressure in my
     discharge line, and he did not get that light at this point.
               So he then, in turn, manipulated the control
     switches for several other SRVs and then he obtained an open
     indication and the SRVs were subsequently used to control
     reactor pressure.
               Reactor pressure peaked slightly above normal
     operating pressure in this event, approximately 1,085
     pounds.  After the event, the licensee determined that the
     SRVs had actually opened when they were actuated.  The SRV
     tailpipe, and that's the discharge line to the Taurus,
     again, there's a temperature recorder on the back panel in
     the control room that showed clearly that the valves had
               There are some other indications, as well.  You
     can look at the Taurus temperatures in the area around the
     SRV discharge line spargers inside the Taurus, and we did
     that as a team.  One thing we were concerned about was
     possibly that the valve, the pilot assembly lifted and maybe
     not the main portion of the valve, and we looked at that and
     that gave us a good indication that, in fact, the main seat
     had actually opened on the valve when we expected to.
               DR. WALLIS:  So you could see this by looking at
     the record afterwards, but the operator, in order to see
     this at the time, would have to go and look at some back
               MR. WERT:  Yes, sir.
               DR. WALLIS:  So this isn't really information
     that's available to the operator at the time, unless he
     makes a big effort to go and get it.
               MR. WERT:  Unless he makes -- 
               MR. BARTON:  Not really, and especially, during
     this event, it happened at shift turnover, they had an
     abundance of people in the control room.  They also have a
     shift technical advisor who is supposed to help the
     operators through transients to understand what's going on
     in the plant. 
               So there are some questions here as to why that
     wasn't looked at, I think, and I don't think it's that.
               DR. WALLIS:  It's a question of time.  When he's
     looking for the yellow light, that's right in front of him. 
     But looking for these other indications would take more
     effort to go and look for them.
               MR. WERT:  Right.  And the other indication he's
     looking for is a reduction in pressure at the same time when
     he expects the valve to open, obviously, and he didn't see
     that either.
               MR. SIEBER:  Who is the manufacturer of the safety
     relief valve and what type of -- 
               MR. WERT:  I was going to get to that.  These are
     Target-Rock two-stage pilot initiated valves.  
               MR. SIEBER:  Thank you.
               MR. WERT:  The operators subsequently used a high
     pressure coolant injection and reactor core isolation
     coolant for inventory control.  There were several early
     attempts to restart reactor core isolation cooling, and this
     was after the initial transient, that did not succeed. 
     Approximately four times, the reactor core isolation coolant
     system was attempted to be restarted and it was unsuccessful
     and that was attributed to the procedure or the process that
     was used to restart the turbine, and we'll get into that a
     little bit later.
               DR. WALLIS:  The heat sink then is just whatever
     is coming out the relief valves.  The heat sink is the
               MR. WERT:  At this point, that's correct.  They
     have other systems that they could use.  But RCIC was
     successfully used later in the event.  They had auxiliary
     operators down in the spaces actually draining the water out
     of the steam supply lines to the reactor core isolation
     coolant system and one of our team members interviewed those
     operators and there was a significant amount of water
     obtained out of that line.
               High pressure coolant injection was manually
     operated several times and tripped properly at its high
     level set point on two occasions.  
               DR. WALLIS:  What two occasions?  Those were the
     only two occasions?  
               MR. WERT:  Yes, sir.  In this event, subsequent to
     this event.
               DR. WALLIS:  So it tripped properly every time its
     high level set point was reached.
               MR. WERT:  With the exception of the initial -- 
               DR. WALLIS:  The first one, it didn't.
               MR. WERT:  Yes, sir.
               CHAIRMAN POWERS:  Can you give me an idea of what
     the flow rate is from the high pressure injection?
               MR. WERT:  The high pressure coolant injection
     system is thousands of gallons per minute, as compared to
     the reactor core isolation cooling, which is several
               Safety relief valves, while the safety relief
     valves were passing water or a steam-water mixture, the
     pressure in the discharge line did not get high enough to
     actuate the pressure switch. 
               Our conversations with the GE and also the
     Target-Rock personnel that were there at the time, they also
     indicated that there some reliance on I'll call it impulse
     loading of this pressure switch.  So they contributed that
     also to part of the effect of why the pressure switch did
     not actuate.
               Alternative open SRV indication, and that is
     referring to the discharge line temperature recorder, was
     available, was not used.  We do know that in training, when
     we looked at the training plan, that it is described in the
     training plan, the use of this temperature recorder, as one
     indication of SRV operation.
               We'll talk about this during our discussion of
     operator issues, but the gentleman that discussed the STA's
     involvement in this event, I think that's where it properly
               DR. WALLIS:  Temperature would seem to be a more
     direct indication, because pressure depends upon the flow
     rate and how much is water and how much is steam and other
     things like that.
               MR. WERT:  Yes, sir.  I would point out that the
     indications that are available on SRV indications vary from
     plant to plant considerably.  Some of the plants have
     acoustic monitors.  Some of these indications were
     originally designed to detect SRV leakage passed.  Back in
     the early days, there was a lot of problems or a number of
     problems with SRV leakage.  So these indication systems are
     set up differently from plant to plant.  They vary
               Our understanding of a discussion about the
     acoustic monitor, not to depart too much from the
     discussion, was, with the vendor representatives, indicated
     that they would have to, in fact, also be precisely adjusted
     and set.  In other words, the water might have affected even
     those indications in this event, an acoustic indication.
               Five of the pilot actuated Target-Rock SRV
     assemblies were later satisfactorily set point tested.  This
     is the routine testing that's done at Wyle Laboratory.
               In this case, of course, it was not a routine
     test, but it's the same test that's done routinely.
               One pilot valve assembly was inspected.  It was
     totally dismantled and inspected.  The Wyle facility is
     familiar with this.  There is a corrosion bonding issue
     that's still an issue with these Target-Rock SRVs.  So
     they're pretty familiar with what these cartridges, pilot
     valve cartridges should look like when they disassemble
               We also had an NRC inspector there to watch
     disassembly who has some familiarity also with these SRVs. 
     He is assigned to the Browns Ferry facility, which is
     located within 20 minutes of this facility, so it was easy
     for us to do.
               There were no unexpected conditions found.  There
     were some indications that water level had, in fact, reached
     the SRV elevation.  You could tell this by the types of
     contamination that were found in the valve. 
               Subsequent General Electric and Target-Rock
     analysis supported operability of the safety relief valves,
     the discharge lines and the components in those discharge
     lines, and I'm referring there to the vacuum breakers that
     are located in these discharge lines and also the pressure
     switches that we had talked about before.
               Those pressure switches serve as an indication to
     the operator of pressure in the tailpipe for the valve
     lifting, but they also are used to arm a system called
     low-low set that exists at Hatch, and that system is
     designed to minimize the forces on the Taurus if you have
     repeated lifting of these SRVs.  So that pressure switch is
               MR. MARSH:  If I could add something at this
     point.  The agency was concerned that the initial parts of
     this event and up until perhaps this point about the ability
     of the SRVs to operate in this type of an environment and
     what he over-pressure analysis and the transient analysis
     remained intact, whether it would, in fact, represent what
     the plant would respond.
               In this analysis that we're discussing here showed
     the staff that the transient analysis and the over-pressure
     analysis was still valid, that the SRVs may have had a
     different type of performance, but, in fact, over-pressure
     was protected.  So this is an important key point in how the
     team was progressing through the inspection.
               MR. WERT:  I didn't go into the details there, but
     the licensee and General Electric and Target-Rock supplied a
     very conservative analysis with very conservative
     assumptions on how much water could be in these steam lines
     and how long it would delay the opening, actual operation of
     the pilot valve, and then, in turn, the main seat, and then
     relieve the function from the valve.
               They used very conservative assumptions, like I
     said before.  They assumed that only one SRV would function
     and the difference -- the ability to mitigate the pressure
     increase was very significant.  They could do it in a matter
     of just over a minute as compared to requiring several
     minutes before the pressure would become a problem.
               The next equipment issue was reactor core
     isolation cooling.  As I said before, several of the
     attempts to restart reactor core isolation cooling were not
     successful, and this was not early in the event, but
     subsequent developments during the event.
               They let the head -- the procedure left the
     reactor core isolation cooling steam emission valve fully
     open and under some plant conditions, such as water in the
     steam supply line, the turbine can over-speed if this
     restart procedure is used.
               It's not understood precisely why this occurs. 
     There's two different explanations.  One involves steam
     carry-over or water carry-over into the steam actually
     through the turbine control system and another one is that
     the water that's actually contained in the line flashes to
     steam as it goes -- as it approaches the final part of the
     turbine supply system.
               In either case, it affects the operation of the
     turbine control system and you are susceptible to over-speed
               Additionally, the licensee's event review team
     identified that the simulator training did not accurately
     reflect the reactor core isolation cooling performance, and
     what I mean by that is that this attempt could be -- this
     procedure could be used successfully in the simulator.  
               It might not have been necessarily a simulator
     modeling problem as much as just a training issue, where the
     operators could, in fact, successfully use this repeatedly
     in the simulator, but it wouldn't work in the plant.
               MR. BARTON:  Is it a training issue or is it a
     simulator fidelity issue?
               MR. WERT:  It really depends, sir, on how the
     facility decides to handle it.  I think that the facility
     has, in fact, changed the modeling of the simulator and
     Lewis could probably tell us that or not.  I know that
     they've done some corrective actions, but I don't mean to
     hedge my answer, but you could, in fact, just satisfy this
     by having your simulator training personnel, in fact, insert
     failures into the system.  You don't necessarily have to
     create the modeling to exactly perform this way.
               I believe the senior resident inspector told me
     that they have changed the modeling of the function of the
               MR. SUMNER:  The model has been changed and the
     procedures have been changed and the training has been
               MR. BARTON:  Thank you.
               MR. SUMNER:  But there are still probably other
     deeper issues than that as we look at the RCIC performance.
               MR. BARTON:  Thank you.
               MR. WERT:  And our final bullet up there, licensee
     promptly revised these reactor core isolation cooling
     procedures, and they did that prior to restart of the unit.
               There is some operating experience data available
     on this phenomenon, I call it on stream-driven turbines, but
     they largely are constrained to auxiliary feedwater systems
     in PWRs and they involve long runs of piping.  A little bit
     different than the arrangement at Hatch.
               High pressure coolant injection, the high reactor
     water level most likely resulted from the high pressure
     coolant injection system not tripping immediately when the
     high level set point was reached.  Additional factors
     contributed to the high water level and what I'm referring
     to there is that just essentially the swell of the reactor,
     of this inventory of water that is inserted at 90 to 100
     degrees, then heating up inside the vessel due to decay heat
     is significant.
               Then, also, in this event, both feedwater pumps
     were operating and early in the transient, one of the
     operators placed the master feedwater level control switch
     into manual and due to some complexities in the way the
     controller works, this resulted in the feedwater system
     operating at a very high capacity.
               MR. BARTON:  Was this by procedure?  Are operators
     allowed to take automatic functions out and go to manual? 
     Was that allowed by procedure or is that something that was
     done in violation of a procedure?
               MR. WERT:  It is permitted by procedure and we'll
     talk about that a little bit later.  The licensee has
     initiated some actions to review that.
               But I just wanted to point out that that's one of
     the factors in the high level, that it makes it difficult to
     ascertain exactly why the level got that high.
               DR. WALLIS:  You spoke about time, you said not
     immediately.  What sort of times are we talking about here
     from when it should have tripped and how long it stayed not
     tripped and how long the level was rising after it should
     have not -- what sort of times are we talking about?
               MR. WERT:  Our review of the data indicated at
     just over a minute, 67 seconds, that the system operated, it
     continued to inject after it reached high level -- 
               DR. WALLIS:  After it should have tripped.
               MR. WERT:  Yes, sir.
               MR. MARSH:  The feed pumps had tripped by that
     point, you had RCIC by that point.
               MR. WERT:  The feedwater pumps and the reactor
     core isolation coolant system had both tripped as expected
     at their trip set points.
               The operator should have manually tripped high
     pressure coolant injection when it was indicated that the
     system did not automatically trip.  The licensee did not
     conclusively determine why high pressure coolant injection
     system did not immediately trip during the initial
               Subsequent extensive testing supported the
     operability of the trip function.  I don't want to go into
     the whole logic path here.  There's essentially several
     contacts in series.  There's two sets of Agastat relays in
     series that initiate the trip.  Both of those were sealed
     functions; in other words, the Agastat relay was inside a
     sealed case.  It's not commonly a type that you see have
     problems due to intrusion from material.
               MR. BARTON:  I take it the licensee has never been
     able to repeat this failed switch since the event.
               MR. WERT:  We could not.  The licensee or our
     efforts could not conclusively identify exactly why it did
     not trip initially, and that's why I was making the point
     that it tripped twice subsequently successfully.  We think
     that affects the ability to troubleshoot the problem.
               Then after the two contacts, it goes to an HGA
     relay, in turn.  Now, one thing that also contributes to
     this is not all these contacts and relays are monitored in
     the licensee's data gathering system.  So it was difficult
     to just point out a certain relay and detect exactly how far
     the signal got through the process.  That varies from plant
     to plant.
               The feedwater valve control switch is our next
     area of discussion.  Southern Nuclear determined that a
     GE-type CR-2940 control switch failure caused the feedwater
     heater valve to close unexpectedly and the way they
     discovered this was after the scram had occurred, operations
     noted that the feedwater heater temperatures were diversion. 
     They had noted indications on their feedwater temperatures
     that they were not expecting.
               They investigated that.  They found on the local
     control switch in the turbine building the fifth stage
     feedwater heater inlet valve on the Bravo side had closed,
     and that was subsequently traced to the switch.
               The licensee did quarantine the panel.  They did
     extensively try to determine what could have happened with
     the switch.  For example, they did a lot of work in the area
     of security access records to that area and tried to
     determine if someone had, in fact, entered that area or had
     been carrying material, for example, through that area or
     had bumped the switch or bumped the panel, and they did not
     conclusively come up with an explanation of that.
               MR. BARTON:  Where is this switch located?
               MR. WERT:  The switch is actually located on a
     local control panel in the turbine building.  It's on the
     middle floor of the turbine building.  It's not in a
     particularly narrow passageway and it does not protrude into
     the passageway past other components on the same panel.
               There was a General Electric service information
     letter, commonly called a SIL, 217, which was issued in
     1977, that states that the switch contacts for these
     switches may close prematurely from slight movement of the
     selector switch and the service information letter
     recommended that the switches be replaced with a less
     sensitive model.
               This failure that we're referring to in the switch
     does not involve the contacts in the interior of the switch. 
     It involves the cam mechanism on the hand switch operator
     itself.  It's a plastic molded component.
               There is an improved model that was subsequently
     developed that has a small notch in this plastic rotating
     assembly that engages the protruding operation of the
     contactor, the portion of the switch that actually works the
               So when we say a switch failure, that's what we're
     referring to, simply the very slight movement, a very slight
     agitation, maybe even a vibration in the area would cause --
     could cause the switch to operate.
               Two of the switches had failed at Hatch in 1996. 
     They were both in non-safety-related applications, and after
     this event, this particular event, the licensee developed a
     list of all the affected switches, including the
     safety-related applications, and they made a prioritization
     list and replaced some of them.  We were satisfied that they
     had addressed the important located switches prior to plant
               MR. BARTON:  This recent startup.
               MR. WERT:  Yes, sir.
               DR. WALLIS:  How did they prioritize it?  Did they
     use some sort of risk information and select the ones that
     they ought to fix?
               MR. WERT:  They looked a lot at safety-related
     applications, and Mr. Sumner could probably address exactly
     how they prioritized it, but they also did use risk because
     they looked at what could cause a transient, which failure
     could result in a transient.
               So I'm not sure that they used risk explicitly,
     but at least that was part of their factor.
               MR. BARTON:  This switch could cause a transient.
               MR. WERT:  Yes, sir.  Main steam line
     instrumentation, another consequence of this event is that
     there were some problems with a few pressure transmitters
     connected to the main steam line.  The licensee assessed the
     potential effects of the transient, such as localized
     flashing or water hammer on the instrumentation connected to
     the main steam line.
               Obviously, there's, I think, over 40 pressure
     transmitters connected to these steam lines and the
     licensee's testing identified that four pressure
     transmitters were affected by the transient.  Two were
     significantly damaged.  Their on two assembly portion of the
     pressure transmitter was, in fact, physically deformed.
               Two other pressure transmitters were involved in a
     failure of reactor core isolation cooling to automatically
     isolate during the subsequent plant cool-down, and that was
     the subject of a separate 50.72 notification.
               DR. WALLIS:  Were these water hammer events that
     damaged the transmitters?
               MR. WERT:  We believe it could be characterized as
     a water hammer event, localized flashing of the water.
               DR. WALLIS:  Flashing is not as dramatically -- it
     doesn't produce high pressures like water hammer.  Flashing
     may lead to water hammer later on, but it's usually the
     hammer that produces the high pressure that damages
               MR. WERT:  Right.  I think we were stating that
     there was no large water hammer event occurring over the
     whole entire steam line.
               DR. UHRIG:  At what point did this occur
     time-wise, this damage?
               MR. WERT:  I don't think it's well known exactly
     when this damage to these pressure transmitters occurred. 
     I'm not sure.
               The affected transmitters were replaced prior to
     startup and the licensee did some extensive actions, as
     reviewing the application of the pressure transmitters,
     whether they were suited for the purpose that they should
     accomplish and there was no necessary corrective actions
     found in that area.  In other words, they replaced the
     switches, the pressure transmitters with a like component.
               CHAIRMAN POWERS:  Significantly damaged is often
     in the eye of the beholder.  Can you give us a good feeling
     for what you mean by significantly damaged in this case?
               DR. WALLIS:  They didn't work?
               MR. WERT:  I was referring to the two that were
     significantly damaged, I was referring to their Bordun
     assembly had been physically deformed, but, in fact, I would
     say that we said that four pressure transmitters were
     affected and by that, I mean that they were -- when tested,
     they failed calibration and they could not be placed back
     into calibration.
               MR. MARSH:  The team was convinced, I guess, and
     I'm asking the licensee, as well, through you, that these
     transmitters were damaged in this event.  There wasn't any
     question about them being inoperable prior to this event?
               MR. WERT:  I'm not aware of any question at all
     prior to the event.
               MR. SUMNER:  Let me comment on that.  It's our
     belief that of the transmitters that we're talking about,
     that the transmitters on RCIC, one clarification is that
     these transmitters isolate RCIC on low pressure, less than
     50 pounds.  So we're talking about a low pressure isolation
     of the steam supply to RCIC. 
               Now, what you also need to understand is only one
     RCIC line valve failed to isolate.  The other one isolated
     properly, like it's supposed to, just like the plant design
     would call for.  You have an in-board and an out-board
     valve.  Only one valve failed to close because of the damage
     that Len referred to on the transmitters.
               And I think Len has characterized it correctly. 
     When you pulled these transmitters out, they would not
     calibrate.  They would not reach the procedural tolerances
     for putting them back in. 
               Where they physically failed, we could see the
     Bordun-2s were physically deformed to the point where the
     transmitter would not respond properly.  Was there any
     mechanical damage outside of that?  No, there wasn't.
               We do believe that on the attempts to run RCIC,
     that the water in the RCIC supply line, and, as Len referred
     to earlier, as you tried to start it up, there probably was
     some localized flashing as the pressure was rapidly relieved
     as the turbine stop valve came open.
               And it could have happened then or when the stop
     valve went shut, when it over-speed tripped.  So in any of
     those operations there, if there is a water hammer or
     flashing, that's when we postulate when the damage to the
     transmitters occurred.
               MR. WERT:  Thanks, Lewis.  The next area of
     discussion involved the performance of the licensed
     operators, and we touched upon that several times.
               The event occurred during a shift change or a
     shift turnover.  The shift supervisors had already turned
     over, but the reactor operators were in the process of
     changing over, and the senior reactor operator was outside
     the, quote, at the controls area when the event initiated.
               And at Hatch, the turnover process involves
     largely -- it's done somewhat sequentially.  The senior
     reactor operators turnover, I'll say, independent of the
     reactor operators, and they usually turn over well ahead of
     the reactor operators.
               The oncoming watch, if you would, assumes their
     duties and then they, in turn, brief the reactor operators
     as a combined crew and then they go in and the reactor
     operators officially take over the duties from the actual
     on-watch reactor operators.
               When this event occurred, the oncoming senior
     reactor operator or unit supervisor would then, in turn, go
     into the -- went into the control room with the on-watch
     reactor operators, just after the event had initiated.
               And when I say he was not at the control areas, we
     mean he was in a room just adjacent to the controls area,
     just a few steps, but that is somewhat important in an event
     like this.
               MR. BARTON:  But the operators that were on the
     control board were the operators that were on-shift.  They
     had not been relieved.
               MR. WERT:  That's correct, sir.
               MR. BARTON:  Okay.
               MR. WERT:  The reactors did not properly monitor
     reactor vessel water level and injection system operations,
     and we've talked about that previously.  The tripping of the
     high pressure coolant injection system.  And as a team, one
     of our team members was actually a senior reactor operator
     at a boiling water reactor for several years and we reviewed
     this aspect critically from the perspective of is it a
     realistic expectation at the time with the events that were
     occurring in the control room that they should have detected
     the fact that the high pressure coolant injection system had
     not tripped off and also the main steam isolation valve
     isolation was somewhat delayed.
               In both of those decisions, our subjective
     conclusion was that they should have recognized it.  We did
     not see that there was a large number of events going on. 
     Obviously, our resident inspector was in the control room
     shortly after this event, but we didn't actually observe the
     actual sequence at this point.
               MR. BARTON:  Let me ask you a question.  At the
     time of the transient, you said that the control room
     operators had not been relieved, but yet in the AIT, so
     there was shift turnover still going on outside in an office
     or something outside at the controls area.
               The AIT report talked about an excessive number of
     people at the control area and the control room.  Now, how
     did that happen?
               MR. WERT:  What we're referring to there, sir, was
     that essentially you have almost two crews there.  You had
     the oncoming crew and the off-going crew in the control
               Now, all these people were not in the at the
     controls area.  They were immediately adjacent to the at the
     controls area at a back panel held out at a desk, I would
     say, 20 to 30 feet away, but they were not right in the at
     the controls area.
               However, there was a larger number of people in
     the at the controls area itself proper than there normally
     would be on an event like this. 
               Does that answer your question?
               MR. BARTON:  Partially.  Where did these extra
     people come from?
               MR. WERT:  Some of them were the oncoming crew.
               MR. BARTON:  So there was a mix of oncoming crew
     and the crew that was still on watch.
               MR. WERT:  Yes, sir.  Also, in addition, there are
     several operations supervisory personnel that participate in
     turnovers that were also present at the time and I think
     maybe not at this point in the event, but shortly
     thereafter, also some management personnel were also in the
     control room; again, not in the at the controls area, but
     immediately adjacent to it.
               And one of those individuals, of course, would
     also be our resident inspector.  
               The next bullet, the shift technical assistant did
     not provide timely assistance to the operators, when
     unexpected SRV indications were observed and as commented by
     one of the gentlemen earlier, we considered that to be a
               Training sessions had described the availability
     of the tailpipe temperature as an indication of SRV
     performance and we're not expecting that the operator
     necessarily would turn the switch and then run around to the
     back panel, but with all the people that were available and
     certainly the shift technical assistant.
               MR. BARTON:  Does the STA at Hatch have collateral
     duties or is he full-time STA?
               MR. WERT:  He is a full-time STA, at least --
     well, Mr. Lewis will correct me if I'm wrong.  I'm speaking
     from my knowledge of about five years ago when I was the
     senior resident there.  He was a full-time STA.  He does
     have other duties that he performs on watch.
               MR. BARTON:  But during a transient, what is his
               MR. WERT:  During a transient, his role is the
     classical shift technical assistant role, assist the
     operators and particularly analysis of indications, but
     largely constrained to reactivity and inventory issues.
               Is that how you would characterize it, Lewis?
               CHAIRMAN POWERS:  I have to admit I'm a little
     confused about who was where when.  Do we happen to have a
     diagram that could show us who was where?
               MR. WERT:  I don't have one.
               CHAIRMAN POWERS:  Maybe at some time we can.
               MR. WERT:  Yes, sir.  I can draw one shortly after
     this discussion.
               CHAIRMAN POWERS:  Sometime later.
               MR. BARTON:  Lew, do you want to address the STA
               MR. SUMNER:  Yes.  The collateral duties that Len
     was referring to is that during normal power operations, the
     STA does the classical shift technical advisor
     responsibilities, as well as he has primary responsibility
     for reactivity monitoring of the reactor core, core
               In an event, in a transient, he is the classical
     shift technical advisor, where he has no other collateral
     duties than to assist the crew and analyzing the indications
     that they are seeing when the event is transpiring.
               MR. BARTON:  So in this event, he failed to
     fulfill his STA role or, in your opinion, failed to give
     advice to the operating crew?  In other words, could the STA
     have helped the operators in helping to identify whether the
     SRVs were operating or not and why didn't he do it?
               MR. SUMNER:  I would say that I would like to
     clarify that during an event like this, the STA is looking
     at a lot of parameters, not just the operation of the safety
     relief valves.
               MR. BARTON:  I understand that.  That would be one
     of the things -- if the operators are trying to operate SRVs
     and they're not sure whether they're operating or not in
     some -- either the SRO or the STA or somebody should be able
     to see that the operators are having difficulty and provide
     some advice, guidance, assistance, how about looking at
     backup indications, et cetera, et cetera.
               MR. SUMNER:  It is reasonable to expect an STA,
     when he sees that the operator is not getting the expected
     indication, that he could go around to the back panel
     recorder and try to, from an engineering point of view,
     determine that the indications that he is seeing do indicate
     that the SRVs are operating and he could come back and
     provide that advice to the operators to continue what you're
     doing, the valves are operating, but you're not seeing the
     right indications.
               Yes, that is a reasonable expectation.  I'm not
     going to say he failed in his duties, because he had a lot
     of duties to do, but he could have assisted the crew more
     than he did in this particular activity.
               MR. BARTON:  Do you also have a management
     expectation at shift turnover, if the plant goes into a
     transient, how the transient is handled with respect to who
     takes control, who backs up and doesn't get involved?  Is
     that a management expectation written down at the station?
               MR. SUMNER:  Well, the management -- what you have
     to -- the picture you have to understand is that during the
     turnover that Len is referring to, the entire crew that is
     oncoming, as well as some members of the off-going crew, are
     turning over in an adjacent room to the control room, to
     minimize the distractions that occur as you're doing a shift
     turnover, because there is a lot of discussion about what
     occurred over the last shift, what is to be done in this
     shift, are there any conditions that need to have special
     attention paid to them.
               At that point in time, in the at the controls
     area, the operators are monitoring the operation of the
     plant.  Should an event occur, as in this case here, then
     the supervision comes out to take control of the shift and
     the expectation would be that the operators who are at the
     controls at that time would assume responsibility for
     management of the transient.
               In this event here, out of, I think, concern to
     help out other operators, we had some of the oncoming
     operators also assist in performing activities that you
     normally do to manage a transient.
               That's not the way we train, and certainly we have
     changed our management policy to require that operators now
     have to ask permission to become involved in the management
     of the event.  It has to get direct supervisor permission to
     assist in the event.
               MR. BARTON:  And this is a change you've made
     since this event.
               MR. SUMNER:  Yes, sir.
               MR. BARTON:  Yes, sir.
               MR. WERT:  Next page.  As referred to earlier, the
     operator took manual control of the feedwater flow
     controller and this affected the controller's response to
     the feedwater transient.  I think it's pretty much
     understood that the industry has made some advances over the
     recent years in controllers on these systems.
               This is, in recent years, an upgrade.  This is a
     complex digital control system, very I'll call it smart
     logic, looks for failures, looks for differences in their
     inputs and automatically drops out default inputs, that type
     of thing, and the operator took manual control of this.
               It's not against his procedures to do that, but
     the licensee is reviewing that policy and looking at that
     closely.  Certainly, an operator would be expected to take
     manual control of an automatic system if he understood what
     was happening that was incorrect with that system.
               In this case, it's not clear that what exactly had
     happened was understood at the time when he took manual
               MR. BARTON:  Is this because maybe the operator
     didn't have a lot of confidence or familiarity with this
               How long was this system installed in the plant,
     digital feedwater control?
               MR. WERT:  It had been installed for several
               Lewis, I guess, could again help with that.
               I think -- I would characterize it for at least
     four years.
               MR. BARTON:  Okay.
               MR. WERT:  So, I don't think it was a confidence
     in a new system issue.
               MR. BARTON:  Okay.
               MR. WERT:  Reactor core isolation coolant restart
     guidance and simulator training were not adequate for the
     conditions of the event, and we talked about that earlier,
     and the licensee has initiated comprehensive corrective
     actions in that area.
               I mean, as my next bullet implies, the licensee
     promptly completed several corrective actions, including a
     revision to the turnover process, and Lewis describe some of
               For example, they have revised their procedures so
     a senior reactor operator is in the control room.
               The licensee has also initiated broader corrective
     actions to address operations performance issues, and for
     example, one of those is the operation of manual and
     automatic controllers.  I think they're looking at that
     across the board.
               We noted that, during this event, there were a few
     other issues that came up with these automatic controllers. 
     The HPCI flow controller was actually taken automatic at one
     portion during the event, or placed into manual, instead of
     left in automatic and dialing back the flow set-point, for
               So, it's an area that the licensee is reviewing.
               Health and safety assessment -- we discussed that
     there was no adverse effect on public health and safety as a
     result of this event, was no radiological release, and no
     approach to operational safety limits.
               The safety-related systems remained operable,
     although there were some problems with the important plant
     equipment, were experienced, and that's like we described
     with the reactor core isolation coolant system.
               NRC actions -- Region II dispatched inspectors to
     the site and initiated -- initially we initiated a special
     team inspection on January 26th.  An augmented inspection
     team was dispatched to the site January 30th to February
     4th, and the exit was attended by several members of the
     public that we had on February 4th.
               The NRC staff contacted the BWR owners group,
     discussed the event with INPO during its weekly call, and
     also, there was a response by telephone to an informal Union
     of Concerned Scientists inquiry on this event.
               Region II continues to monitor the licensee's
     implementation of corrective actions through out baseline
     inspection activities, essentially the resident inspectors.
               On May 17th of this year, the licensee is going to
     come in and discuss corrective actions with Region II
     management in a meeting, and we suspect that there will be a
     lot of discussion of broader corrective actions in some of
     these areas that we talked about earlier.
               Next slide.
               The augmented inspection team was tasked in the
     charter to identify candidate generic issues, and we did
     identify what we considered to be some potential generic
     issues, and we initiated an information notice, and this
     information notice was issued on February 11th highlighting
     three issues.
               We talked about the fact that SRV operation is
     slowed, and the indication, depending on tailpipe pressure,
     is affected when the valve was passing water instead of
     steam.  We talked about that earlier.
               It's just information to all the licensees.  All
     the licensees' different indicating systems would depend on
     what they necessarily would do with this data.
               Procedural guidance for MSIV closure and
     set-points for the high-level trips of injection systems may
     not prevent complications due to water collecting in the
     main steam lines, and we're referring to there that we had
     noted that there was several -- there have been several
     reactor vessel over-fill events in previous years at BWRs.
               In one event, the operators, in fact, did not
     close the MSIVs, and our review has indicated that the
     guidance on closure of the main steam isolation valves is
     somewhat inconsistent between the facilities.
               At Plant Hatch, it's a note in the emergency
     operating procedures.
               We know that, at another Region II facility, it's
     in a procedure, not in the emergency operating procedures,
     and at another facility in Region II, we know that -- our
     review indicates that the operators are trained to shut the
     MSIVs, but there is no explicit procedure set up to do that.
               CHAIRMAN POWERS:  I think this is the really
     generic conclusion here; this is the really important one,
     to my mind.
               MR. WERT:  And the last issue we -- again, in the
     information notice, we wanted to highlight the reactor core
     isolation coolant performance issue.
               Next slide.
               And my last slide is that we have initiated a
     memorandum on April 14th from my Division Director to the
     Events Assessment Branch Chief here in NRR requesting review
     of two issues, and we anticipate that this will probably
     involve interaction with the BWR owners groups and maybe
     General Electric, as appropriate.
               The two principle questions:  To what degree
     should water be allowed to enter the main steam lines at
     boiling water reactors, and should -- I'm referring to it
     loosely -- universal guidance be developed for BWRs, with
     specific criteria directing when the MSIV should be closed?
               You know, for example, in this event, if you get
     all your major injection systems -- high-pressure coolant
     injection and reactor core isolation cooling systems and
     feedwater systems tripped off and you know that you're not
     injecting and the water level is just slightly increasing,
     do you want to shut the MSIVs, for example?  That's one of
     the questions.
               DR. WALLIS:  Where is the water going?  There's a
     turbine somewhere downstream, isn't there?
               MR. WERT:  Yes, sir, there is a turbine, and
     there's some other, I think, considerations also on analysis
     of the steam lines, as far as whether they can handle the
     weight and forces of the water, and we have noted that
     that's dependent on the plant, it varies from plant to
               And the other question was the significance and
     the specific impact of the water and the main steam lines
     relative to considerations in the design and licensing
     basis, and one of the major factors that we're looking at
     there is the instrumentation, the potential instrumentation
               If you get water in the steam lines, then you
     affect the instrumentation attached to those steam lines. 
     That could complicate events.
               We also know that there is variations, for
     example, in set points and the level trip systems of the
     injection systems between the different BWRs.
               We know the high-pressure coolant injection system
     at one facility is actually a one-out-of-two logic used
     twice type of thing on the high-level trip, which kind of
     sounds surprising on an injection system, but that's the way
     it is.
               So, there are some differences out there that need
     to be looked at.
               Our team could not conclusively determine if the
     design basis for the set point on the injection systems --
     whether it was based on simultaneous operation of different
     injection systems or whether it just assumed that one
     injection system was running at a time, for example.  We
     didn't get that far.
               That's all I have for my presentation.
               MR. MARSH:  The next part of the presentation is
     Vern Hodge is going to discuss the NRR safety assessment.
               MR. HODGE:  Thank you, Tad.
               I am from the Events Assessment Branch in NRR.  We
     were assisted in evaluating the risk of this event by the
     Probabilistic Safety Assessment Branch, and Mr. Dan O'Neal
     is in the room to assist in the discussion.
               The dominant sequences -- first of all, we used
     the risk model for the Hatch plant and applied it to this
     event by making some assumptions, found that the dominant
     sequences included losing the condenser as a heat sink,
     failing to provide adequate high-pressure coolant makeup,
     and failing to de-pressurize the reactor to allow
     low-pressure makeup.
               We're not saying these things happened in the
     event but that the risk is evaluated considering the
     probabilities of these events.
               The probability for losing the heat sink, the
     condenser as a heat sink, is modeled by taking little credit
     for recovering the power conversion system in relatively
     short recovery times.
               DR. WALLIS:  If you close the steam line, how does
     the condenser act as a heat sink?
               MR. HODGE:  It doesn't.
               DR. WALLIS:  So, you have lost it.
               MR. BARTON:  You take away your heat sink, there's
     no question of probability; you've actually lost it.
               MR. HODGE:  Yes.  We're talking about the
     probability of recovery.
               MR. FARRUK:  Anees Farruk from Southern Nuclear.
               You are right, you could recover the secondary
     side by opening MSIVs.
               MR. HODGE:  Concerning the HPCI and RCIC systems,
     we did not change the failure probabilities for those, but
     consider that conditional probability for HPCI failure, the
     recovery is assumed to be in the plant, not in the control
               This was in an effort to model the event that HPCI
     did not trip at the high-level set-point but tripped later,
     and the idea here was to assume that the probability would
     be increased by considering the field recovery rather than
     the control room recovery, assumed to be easier, and if the
     HPCI and RCIC system were to fail simultaneously, we did not
     consider the water coming into the reactor from the control
     rod drive pumps.
               To account for the AIT finding that the control
     room was crowded, we increased the probability for operator
     failure slightly.
               DR. WALLIS:  How do you decide how to do that?  I
     mean "slightly" doesn't sound very much.  Someone makes a
     judgement?  Does this have any effect anyway?  Does this
     probability make much difference to the conclusion?
               MR. HODGE:  I'd like to ask Dan to consider that
               MR. O'NEAL:  This is Dan O'Neal.
               There is a HRA work-sheet, a human reliability
     work-sheet that's used for these -- modeling these types of
     events, and due to the general confusion and the operator
     not being aware of their areas of responsibility, we modeled
     that as a work process -- a poor work process, where if
     operator is needed to emergency de-pressurize the reactor,
     there could be possible delays, and so, we increased the
     probability of failing to de-pressurize a reactor slightly
     due to the general confusion and lack of awareness of areas
     of responsibility.
               DR. WALLIS:  Well, "slightly" sounds as if it's a
     very small thing.  How do you decide the probability of
               MR. O'NEAL:  We use the HRA work-sheet, which
     considers --
               DR. WALLIS:  Gives you sort of a formula that you
               MR. O'NEAL:  Yes.  There's basically a process you
     follow, and we determined that we could increase the
     probability of failing to de-pressurize by a factor of two. 
     The probability is normally low, and increasing by a factor
     of two, it still remains low.
               MR. FARRUK:  This Anees Farruk again from Southern
               The way we considered that was basically, when we
     do the HRA, we take a look at all the -- you know, the
     factors which could influence an operator's action, like --
     you're talking about stress training, you know, the
     pre-conditions, post-conditions.
               So, all these things are originally looked into
     the PRA, you know, as part of the HRA.
               So, it's nothing new that you go through this. 
     That's the way we look at it, you know.
               The only time we will change anything that is in
     the PRA in terms of operator actions is if there is
     additional events which caused some of the systems to be
     degraded.  Then you would use a different operator action.
               MR. HODGE:  So, factoring in these assumptions,
     the calculated conditional core damage probability is 1.6
     times 10 to the minus 5.
               We are considering this event as a significant
     event because of several complicating factors:  water
     filling the main steam lines to the main steam isolation
     valves, also the condenser heat sink on manual closure of
     the main steam isolation valves, inadequate indication of
     safety operation, faulty operation of two steam-driven
     injection systems, unclear lines of responsibility in the
     control room, and excessive sensitivity to mechanical motion
     of the feedwater control switch.
               CHAIRMAN POWERS:  Let me ask a question about this
     "unclear lines of responsibility in the control room."  What
     precisely leads you to that concern?
               MR. HODGE:  We're depending on the AIT report.
               CHAIRMAN POWERS:  Right.  I understand.  I'm just
     asking you to remind, out of the AIT report, what leads you
     to say the words "unclear lines of responsibility."
               MR. HODGE:  We're just thinking about the large
     number of people at the controls area and the time of the
     turnover as general considerations.
               DR. WALLIS:  How about testimony from the people
               I mean if someone had actually said one reason I
     was confused was that my supervisor was not here because he
     hadn't yet taken over or something and therefore I was
     confused -- did you get testimony from individuals that
     there was reason to believe there were unclear lines of
               MR. WERT:  I can address some of that.
               First, I don't think there was any operator at the
     time that was confused.  I don't think we'd use that term.
               DR. WALLIS:  Was unclear about lines of
               MR. WERT:  Right.  It connotates a different
               I think what we're referring to there -- and I'll
     give you an example of some interviews that we had with some
     of the operators that will help bolster this, but what we're
     referring to there is normally, as Lewis said earlier, the
     on-shift crew, the dedicated crew, if the event had
     occurred, there's specific responsibilities on who's
     observing and who's watching and monitoring operator of
     injection systems, and in this case, there was some
     indications that some of the oncoming crew got involved with
     those operations, and it was an assumption on some -- the
     different members crew -- of the crew that another member
     was doing something when, in fact, they may not have been,
     and where that would have been -- I guess one of the
     indications of that -- when we initially interviewed the
     senior reactor operator, initially, before the licensee had
     time to have a detailed session in the simulator where they
     went over what they thought had happened during the event
     with the operating crew and discussed the failure of HPCI to
     trip and some of these other events that had occurred, the
     operator had indicated to myself and another team member
     that he thought they did a fairly good job of handling the
     event, and after his review in the simulator session, he
     indicated to us that he had not realized some of the things
     that had occurred during the event.
               Now, I still think they adequately controlled the
     event, but he didn't understand some of the things that had
               Now, we would expect a little bit of that to occur
     just because of how many activities are occurring at the
     time, but that would -- does that help give an indication of
     what we're talking about?
               DR. WALLIS:  That was a different subject from
     unclear lines of responsibility.
               MR. WERT:  Right.
               DR. WALLIS:  The fact that he thought things were
     fine and they weren't quite so fine -- that really has
     nothing to do with lines of responsibility.
               MR. WERT:  I was just trying to couple it to an
     actual --
               DR. WALLIS:  Line of responsibility -- it's almost
     conjecture that this might have been why someone didn't
     quite realize what was happening as much as he might have
     done, or it really is traceable to a line of responsibility?
               MR. WERT:  In answer to your question, sir, I
     don't remember an exact circumstance in which an operator
     said I assumed that someone else did that.  I think you're
               CHAIRMAN POWERS:  It seems to me that the line is
     just misstated.  I think you've got a human operational
     environment issue here, but I'm not sure that it's unclear
     lines of responsibility.  I think it has to do with
     distraction and things like that.
               You may have -- and it sounds to me like the
     corrective action that the licensee has taken to work on his
     shift change-over rule is appropriate responsibility.  He's
     not changing his lines of responsibility.
               MR. BARTON:  Do you want to address that?
               MR. LEWIS:  Well, let me give you an example, I
     think, os what Len is probably trying to refer to.
               When you train with the minimum crew members and
     you assign crew members -- one crew member has
     responsibility for reactor water level control and all the
     systems that control that.
               When you have more than the minimum number of
     people, then you have enough people to run HPCI by itself,
     to run RCIC by itself, and to run the reactor feed pumps by
               So, there can exist in a situation when you have
     more people than your normal minimum crew -- when he's
     talking about we have unclear lines of responsibility, what
     you're really saying is that probably no one operator in and
     of himself has assumed responsibility for reactor water
     level control.
               There are enough operators that one is controlling
     RCIC, one is controlling HPCI, and one is controlling the
     reactor feed pumps.
               As far as was there any question about who was in
     charge and who was directing who, there was no confusion on
     that point.
               MR. BARTON:  Now I understand better.  Thank you.
               MR. HODGE:  That's all our presentation.
               MR. MARSH:  I have a couple comments, if I can,
               Speaking from the generic standpoint, we clearly
     have some work to do to look at this event and the
     ramifications of it, the recommendations of the AIT.
               I want to point to a couple of things that have
     taken place in terms of the agency's communication to the
     industry about this event.
               We issued an information notice early which
     contained the AIT's preliminary findings and the concerns
     that were expressed at the exit.
               We have had discussions with INPO in terms of
     their actions, and we are aware that they're working on an
     SOER, which is one of their highest levels of
               We also have been in a discussion with the BWR
     owners group, and we are not yet far enough along to know
     exactly what's happening there.
               There were some preliminary plans on their part to
     communicate with the industry early.  We need to follow that
     up to find out where we are in terms of those
               Internally, we need to take the recommendations
     from the team and assess them against licensing bases
     issues, need to answer the questions about the design bases
     for the trip set-points, whether in fact it includes
     simultaneous operations of the feed pumps, the RCIC pumps,
     and the HPCI pumps, as well as answering the team's concerns
     about the design for the logic itself, the timing that's
     there, and to answer the question about the MSIVs and the
     variation around the industry for how those pieces of
     equipment are operated, and we look to help from the owners
     groups for some of those questions that may be best served
     to ask those types of questions in the industry.
               To put this event in another kind of a context,
     this was an AIT, and we don't have many AITs, okay?  In the
     last 18 months, we have had three AITs, and so, that gives
     you some sense of the significance of the event.
               MR. BARTON:  I think between that and INPO's
     anticipating an SOR kind of gives us a feel for the
     significance of the event.
               MR. MARSH:  Right.  I think so, too.
               We also looked at this in the context of the new
     oversight process.  What does this event tell us in terms of
     the veracity of the oversight process?  Would we have seen
     this, reacted the same way?
               We used -- in responding to this event, we used
     the Management Directive 8.3, the new Management Directive
     8.3, which is a risk-informed process, in order to come to
     the decision to man an AIT.
               We also asked ourselves whether the work processes
     that are involved for determining risk that the resident
     uses and in terms of inspection followup are consistent with
     the new oversight process, and they largely were.
               In other words, the new oversight process mates
     with how we reacted in this event, and that was reassuring.
               I guess the message that we want to leave with you
     is there is certainly work to do, follow-on work coming from
     this event.
               We think the team did an outstanding job in
     looking into this event and the underlying causes, and we
     look forward to more interactions with the licensee in terms
     of follow-on actions.
               MR. BARTON:  Thank you, Thad.
               At this point -- 
               DR. WALLIS:  I think the thing that struck me most
     when you were going through the whole technical description
     was your points about water in the main steam lines.  I mean
     you have this question about to what extent should water be
     allowed to enter the main steam line and what's the
     significance of having water in there.
               I would think this is something that must have
     been surely considered long ago.  I mean it's an obvious
     possibility that the water level could rise and water could
     get into the steam line and what are the consequences.  That
     must have been surely addressed by the designers of these
               I'm surprised that the question is still being
     raised now as if no one knows what the consequences might be
     of having water in the main steam line.
               MR. MARSH:  That's certainly a part of our
     follow-up action to find out to what extent this scenario
     was postulated, when and how.
               My recollection is that it was -- some of these
     trip functions were added later, that this was not part of
     the original design, some of these high-level trip
     functions, because of this possibility.
               A dead weight load has been considered in these
     lines, and that's the reason that you would block them so
     that you don't exceed any dead weight loads, but dynamic
     loads -- my impression is that you want to avoid dynamic
     loads and that's why you have these trip functions.
               Now the question is what's the bases for those
     trip set points to avoid this from occurring and should the
     MSIVs be closed, is that a good action or not a good action
     in order to ameliorate a high-level situation.
               DR. WALLIS:  Well, in defense-in-depth, one might
     decide to design the thing so even if you did get this water
     in there, no one is going to raise a question about is it
     going to be too heavy or is it going to impose loads that
     are too big, we've just designed it so it's okay.
               MR. BARTON:  That's good for the new-generation
     reactors, Graham, yeah.
               DR. SEALE:  You've got what you've got.
               MR. BARTON:  You've got what you've got.
               MR. SIEBER:  You cannot back-fit.
               MR. BARTON:  Are there any other questions of the
     staff before we hear from Licensing?
               [No response.]
               MR. BARTON:  Hearing none, Lew, would you like to
     make some comments?
               MR. LEWIS:  I've just got some brief comments.
               One would be that, on the risk assessment, we came
     to a different conclusion on the number for the risk
     assessment, and we'd like to have the opportunity, with our
     models and our assumptions, to review that with the staff to
     see why our conclusions are different.
               We came up with -- for a similar calculation -- in
     the E to the minus 7th range, not E to the minus 5th range,
     and it all depends on what assumptions you make.
               MR. BARTON:  Sure.
               MR. LEWIS:  And you come to a different conclusion
     depending on the assumptions you make.
               So, we certainly want to have the opportunity to
     sit down and review and discuss our assumptions on our risk
               The second thing is that -- concerning the
     adequacy of the high-level trips, we did have what's called
     a TRACG analysis run by GE where we made assumptions of the
     exact conditions that were present.
               One feedwater line is isolated, both pumps are
     trying at 100-percent demand, HPCI has not tripped at the
     right set-point but RCIC did, and to verify -- we were
     looking for such things as was there an asymmetric level
     condition in the vessel at the time which would explain why
     HPCI did not trip?
               Well, that analysis didn't prove that out.
               We also went to prove that -- were the trip
     set-points adequate as part of the initial design basis, and
     the TRACG analysis that we did proved that they were
               So, we believe we've got enough -- this is a
     detailed study we've had GE working on for the last six
     weeks to make sure that there are no other issues out there
     that we know of related to the adequacy of the high-level
     trip set-points.
               We talked about the fact that we weren't able to
     determine why HPCI didn't trip.  Well, there's an
     explanation for that.
               When it did trip, automatically, the first time,
     all the evidence was basically destroyed at that point of
     how to determine what component may not have worked
     correctly, but I will let you know we have put some
     compensatory actions in there that exercise that logic chain
     so that in the event that it is demanded again to operate,
     that we've tried to improve the level of assurance that that
     trip function is going to work, and we have reviewed and
     still continue to review whether or not we should change the
     logic design for the high-level trip.
               But the thing we should remember is that actual
     design basis for HPCI is to inject water into the vessel and
     make sure the core is covered under a small DBA and that it
     should trip at a high level, there's no belief that it
     shouldn't trip at a high level, but its actual safety design
     basis is to put water back in the vessel, which it did
               There are a tremendous amount of lessons learned
     that we've gotten out of this event, and Len has discussed
     some of the immediate ones that we've done as far as
     correcting some equipment problems, some procedural problems
     with RCIC, the simulator model that he referred to, but we
     continue to look at deeper issues out there.
               We look at our management processes to see, if we
     have a RCIC model that does not exactly match the plant, how
     did it come to be that way, and does that give us insight
     into looking for other models or other issues out there that
     we need to look at?
               So, we continue to look at that.
               We do have a follow-up meeting, as Len referred
     to, on May the 17th, where we're going to discuss our
     corrective actions, and we'll discuss not only the ones
     we've talked about today for the immediate stuff but some of
     the deeper issues out there that we continue to explore.
               So, we've tried to use it as a learning
     experience.  I know there are some generic issues out there.
               I don't believe determining what is the proper
     guidance for closing the MSIVs on high-level will be an easy
     thing to do, because as Len referred to, there are different
     plant designs and there are different considerations,
     depending on which plant you're at, but I believe there is
     the importance of making sure that you don't get water in
     the main steam line that was certainly brought out by some
     of the things in this event.
               MR. BARTON:  One further question I've got is how
     detailed had you looked at your corrective action system and
     the effectiveness of it, especially since the history with
     the GE SILs and information notices on these switches?
               MR. LEWIS:  The GE SIL came out in, I believe,
     1977, and we did a review in 1977 based on the guidance in
     the SIL as to what we should look for.
               We thoroughly evaluated that, and we have written
     documentation as to how we evaluate it.
               We've had one failure of one switch in 15 years,
     and that's this failure that Len referred to that happened
     in 1996, and subsequent to that, of course, we did a broader
     review with this particular even there.
               So, one of the issues we do have is when we have
     SILs that had been evaluated 20 years ago, is there a need
     to go back and re-evaluate them in today's world?  We
     haven't come to a conclusion on that.
               MR. BARTON:  I guess the question I would have
     there -- and I understand that.  I lived through the same
     thing with the GE SILs and how far do you go and how much
     equipment plant do you change out.
               But you had a subsequent failure.  Well, you had a
     failure after the SIL in '96.  Apparently, according to the
     AIT, this was classified as a significant event or a
     significant issue in your corrective action system, and yet,
     four years later, it didn't look like you did anymore
     maintenance or change-out of this style switch, and the
     reason I'm hammering you on this is, if you look at the new
     oversight process and where we're going to risk-informed
     regulations, etcetera, etcetera, you know, how robust your
     corrective action system is depends a lot on, you know, how
     the plant is going to perform and how the NRC is going to
     look at your performance down the road.
               So, again, you know, I still have a question as,
     you know, how robust is your review or your self-assessments
     of your corrective action systems?
               MR. LEWIS:  Well I think the question you ask --
     SILs is a narrow area.  When you get into other issues out
     there -- we do have categories we call significant
               We have others that are higher category we call
     event reviews, and we do try to -- like you've done with
     this event here -- this event met the criteria to have a lot
     of study done on, and event reviews meet the criteria in our
     own procedures for having a lot of study done, significant
     occurrences have less study done but more than just routine,
     you know, common occurrences that happen in the plant.
               That is an issue that we're reviewing right now. 
     Does this particular event reveal a weakness or a need for
     improvement in the way our corrective action is done, and
     for example, would you postulate that you need to create a
     self-assessment process for material you've reviewed several
     years ago to see if the conditions have changed?  We have
     not come to that conclusion yet, but it is something we're
               MR. BARTON:  I understand that.  Thank you.
               DR. SEALE:  What's the status of the plant now?
               MR. LEWIS:  The status of the plant -- both units
     are at 100-percent power.
               DR. SEALE:  How long did it take to go back to
     full power?
               MR. LEWIS:  After this event here?
               DR. SEALE:  Yes.
               MR. LEWIS:  Approximately -- we were down, I would
     say, approximately a week to do all the reviews, make the
     procedure changes, re-do the training, do a broadness review
     of -- or locate all the locations for the different switches
     of this type, categorize them to whether or not -- the worst
     postulated action from that switch and what the end result
     could be of that to decide which ones we would replace
     before we started back up.
               DR. UHRIG:  Have you replaced any of the switches
     in the other unit?
               MR. LEWIS:  Yes, sir, we have done it.  We did
     some immediately on the other unit, and then, during the
     subsequent refueling outage, then we went and changed out
     the other ones.
               MR. BARTON:  Any further questions?
               [No response.]
               MR. BARTON:  If not, I'll turn it back to you, Mr.
               CHAIRMAN POWERS:  Thank you, gentlemen.
               At this point, I want to dispense with the
               [Whereupon, at 11:35 a.m., the meeting continued
     in executive session, to reconvene in public session this
     same day, Friday, March 12, 2000, at 12:45 p.m.].                   A F T E R N O O N  S E S S I O N
                                                     [12:45 p.m.]
               CHAIRMAN POWERS:  Let's come back into order, and
     we'll move to the topic of physical security requirements
     for power reactors.
               Dr. Kress is our cognizant official on this.
               DR. KRESS:  I don't know why, but I am.
               CHAIRMAN POWERS:  Well, because you're very
     physical, I suppose.
               DR. KRESS:  I don't have a lot of introductory
     remarks to make except it's awfully hard to make a risk
     assessment of security.
               I have seen such things in the past, and what I
     recall of them are this particular area is a significant
     risk.  In fact, it may be risk dominant.
               So, it's good to pay attention to it, and it's
     generally treated in the classical way with regulations, in
     the classical sense that there are design basis threats and
     defense-in-depth philosophy, and then you use inspection and
     a test to see if your system works.
               Well, I think one of the problems is that these
     tests, challenges to the system have been done in the past
     on the sort of -- I presume a voluntary basis.
               There's no regulatory authority to require them in
     the regulations, but I think one of the things they want to
     fix when they're developing -- what they're looking at is
     developing a new rule for this area, and that's one of the
     things they want to fix.
               So, with that as sort of a minor introduction,
     I'll turn it over to the staff.
               CHAIRMAN POWERS:  Before we go to them, I'd just
     comment that, within the DOE community, we're concerned
     about terrorist-type activities not in the sense of using
     nuclear materials to threaten the public population but,
     rather, to threaten facilities themselves using -- of
     particular interest is gas and biological threat, has become
     an area of some currency within the DOE community looking at
     -- upon nuclear reactors as a public institution, along with
     airports, other government buildings and whatnot, especially
     following the Oklahoma City incident, and so, this is
     gaining more currency than maybe we had when the Cold War
     was at its peak.
               DR. KRESS:  Yeah.  Well, I think one of the things
     they're wrestling with is -- in making a rule -- is what are
     the design basis threats.  I'm not sure how much of that
     we'll hear today, but I hope we hear some.
               Let's turn it over to you guys.
               MR. ROSANO:  Good afternoon.
               I think that, at this point, most of you know
     Glenn Tracy, my boss, the Branch Chief.
               My name is Dick Rosano.  I'm the Chief of the
     Reactor Safeguards Section, and I'm going to try to address
     a couple of the concerns that you just raised in the context
     of the briefing, realizing, of course, that what I'm going
     to be talking about are the regulatory changes that we're
     proposing, that we're working on in terms of risk-informing
     the regs and that there will be a separate section
     afterwards having to do with design basis threat, and I
     think, as I go, you will see some of -- you'll pick up some
     of my comments about the risk issue and how easy it is to do
     and the fact that there are two different kinds of risk that
     we're going to talk about.
               First an overview of where we've been and what is
     driving all of this.
               I'd begin by referring to risk-informing 73.55,
     and it actually pre-dates that somewhat, because the effort
     underway right now began when we started contemplating an
     exercise rule that was designed to be the successor to the
     Operational Safeguards Response Evaluation program, the OSRE
               OSREs, for years, had conducted assessments at the
     plants -- force-on-force drills run on scenarios meant to
     test the defensive strategies or the protective strategies
     of the plants.
               We wanted to be able to replace that program with
     a requirement to do drills and exercises, and after spending
     some time looking at that, we expanded the consideration to
     include an entire look at 73.55 and other related power
     reactor regulations.
               By that, I mean there are certain others like
     50.54(p) and 50.90 that control changes to security plans
     and commitments made.  So, in the context of risk-informing
     73.55, we would want to be able to look at the other
     associated regulations.
               When we did then consider risk-informing 73.55,
     the issue of risk in essentially two forms comes up, and we
     wanted to differentiate the two types of risk.
               One is the probability of event, which I believe
     you mentioned, and that really is a very difficult thing to
               In fact, you will find that most of the sabotage
     events that have occurred through history did not come with
     a high probability or expectation that they were about to
     occur, and the community understands that the Commission,
     over the years, has understood that and made various
     proclamations relating to it.
               Our efforts are not to risk-inform that process. 
     We are not trying to -- in the context of rewriting these
     regs, we are not trying to assign a risk or probability to
     an event occurring.
               In the later presentation by Roberta Warren from
     NMSS, when she does talk about design basis threat, there's
     an element of that, and the intelligence community provides
     great assistance in understanding what probabilities there
     are, but that's not what we're trying to do when we're
     risk-informing 73.55.
               However, there is another element of
     risk-informing the regs that we can deal with, and that has
     to do with the consequences, the safety consequences of the
               Stripped down to its basics, a safeguards event or
     a sabotage event is the initiating event in a safety
     sequence, and we can do some risk-informing to better
     understand what might unfold from that event.
               There are a lot of factors.  Obviously, we have to
     be able to stabilize the systems at the plant, knowing that
     there will not be additional sabotage events within that
     context before we can then sit down and assign a
     probability, but the regulations are intended to assign some
     risk sense or probability or better safety understanding of
     what might happen.
               Perhaps one of the greatest products --
               DR. KRESS:  Could I interpret that to mean that
     you might be focusing on the conditional core damage
     frequency given the event?
               MR. ROSANO:  Yes, we are.
               What we're doing now is trying to base the
     regulation on performance criteria and safety criteria using
     the design criteria of the operational systems, using that
     as the proposed goal of a sabotage event, and then looking
     at the probability of the attack resulting in the failure of
     one of those design criteria.
               We recently wrote in a Commission paper, 00-63,
     the six design criteria that we intended to use for that.
               I know I'm getting ahead of myself a little bit. 
     I'll try to be more controlled, but we'll go back to that,
     because that's an important point that we want to discuss.
               As we began to peel back the layers in
     risk-informing the regs, we did find more and more
     fundamental issues that needed to be resolved and that we
     needed to come to better understanding of.
               One was the definition of radiological sabotage,
     which goes to your point.
               The regulations do define rad sab as an event
     which would cause a risk to the public.  I've left out a lot
     of words, but that's what it boils down to.
               Well, the level of risk was not delineated, the
     type of event, and so on.
               So, we considered -- and in fact, in a Commission
     paper, did recommend to the Commissioners that we look at
     what is defined as rad sabotage and improve upon the
               The more we worked on that, the more we decided
     that, even with a better definition of rad sabotage, we
     would still need to come up with performance criteria.
               Subsequent to that, we did advise the
     Commissioners that we had decided that the proper approach
     for beginning this rulemaking was to define the performance
     criteria that we expected the plant to maintain in the event
     of a sabotage attack and that their systems should be
     designed with a goal of maintaining those performance
               Now, when I said that the licensee or the plant
     would need to maintain, another important difference that we
     promoted and proposed was that it be a whole-plant response.
               Rather than thinking of this as a gun battle in
     the protected area, the security force against the
     attackers, we wanted to step back from it and accept that
     there are a number of other actions that can be taken by
     other members of the licensee force -- for example, the
     operational staff -- actions that could be taken to mitigate
     the consequences of the attack or, perhaps by isolating
     systems or components, perhaps defeat the attack, simply
     without even the actions of the security force, which is not
     to say that we would propose they do away with it, but we
     wanted to respect what the entire plant organization could
     do, and we took those things into account, and so, the new
     rule will consider actions by operators and operational
               MR. BARTON:  Would that entail operators leaving
     the control room?
               MR. ROSANO:  It would entail what the licensees
     believe are the best means of handling that.  In some cases,
     I understand some licensees would consider it important to
     dispatch operators to the remote shutdown panel and so on. 
     There are issues like that.  Each licensee will have their
     own answers.
               DR. BONACA:  Just a question I have.  I remember
     approximately 20 years ago there was a review of all the
     power plants to identify that you cannot disable the plant
     -- let me use the word "disable" now, and we didn't talk
     about CDF at that time, or core damage -- that you cannot
     disable the plant by one individual in one location, that
     there was sufficient separation and diversity of systems in
     different locations that you would have -- so, there are
     some elements already in place that are still -- because I
     remember that, and I remember that there was no further
     activity after that, it was the only thing that was done.
               MR. ROSANO:  That has been better applied in a
     safety arena than in safeguards, although it also applies in
     safeguards, because the principle that no single act can
     defeat the safe operation of the plant is a design feature,
     design concept that would also prevent a single act of a
     saboteur from accomplishing that purpose.  Notice I said a
     single act of a saboteur, not a single saboteur.  One
     individual could do more than one thing.
               But it would apply, and I think that that's an
     important part of looking at the whole plant response to a
     sabotage attack.
               DR. KRESS:  Does that mean that each plant might
     have to have something analogous to the emergency operating
     procedures, call it a sabotage operating procedure?
               MR. ROSANO:  Well, in fact, they already do.
               DR. KRESS:  They do?
               MR. ROSANO:  The plants have incorporated what
     they call protective strategies or tactical response
               One of the things that this rule would do would be
     to add a little bit of detail to that and encourage
     licensees to more formalize their processes for this, but
     licensees already do have procedures, and they have -- under
     Appendix C of Part 73, they're required to have a
     contingency plan, and it's for safeguards emergencies, and
     usually that results in things called tactical response
     strategies where the security force has pre-programmed
     responses to certain types of events, responses that they
     practice through drills, and it sends them to certain
     positions to respond, depending on what kind of event it is
     and what's the likely outcome.
               Going on, then, I mentioned the problem with
     definition of rad sabotage and the performance criteria, so
     now we're trying to deal again with the whole plant and
     trying to use and take credit for any of the response
     actions that might be incorporated together.
               The next item that we found in peeling away the
     layers of this issue was the design basis threat and the
     adversary characteristics.
               The rule -- there are three levels of detail.  The
     rule says that the design basis threat will include several
     persons, and it describes them in general terms.
               There is a classified -- in the case of category
     one facilities -- a classified description of the numbers of
     people, and for power reactor facilities, there is a
     description that is safeguards information that describes
     the number of people who would attempt sabotage.
               The category one facilities need to protect
     against sabotage and theft.  We consider sabotage for
     radiological purposes the only real issue at the power
     reactor facility, and the type of threat, the type of DBT
     and the size of the DBT would be different for each.
               The next layer of detail is what we found
     ourselves in while dealing with this problem today, and that
     is that these adversaries could carry a number of different
     arms or tools or items of equipment and that we needed to
     have a clear understanding from which we would work and from
     which the licensees would work in order to balance their
     protective systems and understand what they needed to deal
               This is also considered classified information for
     the fuel facilities and safeguards information for the power
               These characteristics are very important for the
     licensees to understand in order for them to comply and live
     up to the expected level and very important to guide our
     exercises to make sure that we're testing at the proper
               The difference between different poundage or
     amounts of explosives, different types of armaments needs to
     be settled.
               Now, NMSS has done extensive work on this, with
     the intelligence community and in defining these details.
               You'll hear more about that later, but this is
     another issue that we concluded needed to be solved in order
     for us to get to a more clear understanding of what the regs
     should be.
               DR. KRESS:  Does that description of adversaries
     deal with the potential for an insider at all?
               MR. ROSANO:  An insider is assumed to be part of
     the design basis threat for both sabotage and theft, yeah.
               Then the last item in terms of overview is the
     industry's interim program.
               I mentioned the OSRE program, Operational
     Safeguards Response Evaluation program.  That has been in
     place since about 1991.
               As of this month, we have completed the first full
     round of OSREs in which a headquarters-led team with
     regional assistance and contractors has gone to each of the
     power reactor facilities, conducted week-long tests,
     complete with table-top exercises and scenarios drawn up by
     both licensees and the NRC and force-on-force drills,
     several of them, not a single one, to determine the adequacy
     of protection.
               The OSRE program has completed its first full
     cycle.  Our goal was to replace the OSRE program with this
     rule-based system, which we will.
               That will take some time to do, and what we wanted
     to do was have an opportunity to pilot the new concepts,
     pilot the ideas that we would like to incorporate into the
     rule as we write the rule, and the industry offered to write
     a program that would be forward-looking rather than
     backward-looking to a new program that would include some of
     the ideas that we've been debating over the months for the
     new rule rather than simply incorporating those already used
     for the last nine years in the OSRE program.
               That program has gone through a few revisions. 
     It's called the Safeguards Performance Assessment Program --
     the title has changed a couple of times -- and that program
     has been reviewed and been subject to comment by the NRC.
               We've worked extensively with the industry through
     public meetings and members of NEI, and that is coming
     along.  That actually kind of leads us into the next couple
     of slides, I'll be able to tell you more about the status,
     but in general, the goal is to have an interim program to
     ensure that we continue evaluations of security response
     strategies, not just security, because we have an inspection
     program that evaluates security, and it does a good job of
     that, but we would also like to have evaluations of the
     response strategies.
               So, what we want to do is have a continuation of
     these exercises, allowing OSRE to sunset in favor of a
     program that looks to the future, and let that program run
     until the rule can reach its final state.
               CHAIRMAN POWERS:  I guess I don't quite
               You have this OSRE program, and now you've got a
     proposed new program that's characterized as looking to the
               I'm struggling with what's different.
               MR. ROSANO:  Well, there are several differences.
               One is that we would like to have -- the rule, for
     example, would require the licensees to develop a robust
     program of drills and exercises.
               Currently, although many of them do conduct
     drills, there's no requirement in the rule that they do so. 
     So, the voluntary program that they're offering as an
     interim program would do that.  That's one of the changes.
               CHAIRMAN POWERS:  But I mean you've done this --
     through the OSRE, you have these exercises.
               MR. ROSANO:  Yes, sir.
               CHAIRMAN POWERS:  Would they be the same or
               MR. ROSANO:  The exercises under the interim
     program and under the rule would be very similar to OSREs. 
     They would be force-on-force drills incorporating the design
     basis threat standards in those drills, but currently,
     because there's no requirement for drills or exercises, a
     lot of licensees -- there are some licensees who drill at
     different frequencies.  Some drill very often, some drill
     not so often.  It has left us with the inability to take a
     snapshot in time at any given time as to what the abilities
               The interim program, the SPA, would incorporate
     quarterly drills, which is what we're thinking about for the
     new rule.
               It would have a triennial requirement for
     extensive exercises, so that the exercises under the OSRE
     program that -- considering that the first full cycle took
     eight years, then obviously the full exercises under the
     interim program of the rule would be three times as often.
               There are some other things.
               The design criteria will be looked at.
               The OSRE program uses significant core damage as
     the goal of the attack, which if you take that and then work
     backward, then you'd assume that the licensee protective
     strategies only have to be designed to prevent significant
     core damage, and that's a very useful approach, but what
     we're trying to do is improve upon that, and so, the design
     criteria that we proposed in the recent Commission paper
     would be tested out in the new program, so there would be a
     better understanding of how this would function in the rule.
               Certain other things, including means of training
     and feedback mechanisms, so that findings in the exercises
     would be fed back through the corrective action program, all
     parts that we consider essentially to the new rule would be
     piloted in the interim program.
               DR. WALLIS:  It seems to me it's not quite so
               Adversaries, if they were able to get into a
     position where they could get control of something and cause
     some damage, probably would want to say okay, now we want
     something, and you don't know what they control, what they
     can do, how far they've gone.  
               We'd be in a very difficult position negotiating
     with people who you don't know what they're able to do, how
     far they've been able to do things, and you don't have
     information coming out that tells you what they've done.
               MR. ROSANO:  That's a very specific
     safety-oriented question.
               The goal of the response strategy should be for
     the licensee to maintain control of the operation of the
     plant, and so, for individuals to reach a point in the plant
     where they could take over control would be considered a
     loss of a system.
               DR. WALLIS:  Do you go beyond that?  I mean if
     they do reach that point, then you've still got to do
               MR. ROSANO:  You still have to do something, but
     actually -- let me try to differentiate between denial and
     defeat strategies.
               The licensees, more and more, are going to denial
     strategies, which is to keep the potential saboteurs away
     from the equipment that might allow them to take control of
     the plant, so that they -- in effect, they win, they win the
     game if the attackers are isolated or kept out of the
     critical areas of the plant.
               A defeat strategy would mean, again back to the
     notion of a gun battle, would mean killing more of them than
     they kill of the licensees.  That's not the approach.
               So, the point is for the licensee to maintain
     control through denial of the areas of the plant necessary
     to maintain safe operations.
               DR. WALLIS:  Assuming once you've lost control,
     that's the end of anything you think about?
               MR. ROSANO:  Oh, no.  Certainly we wouldn't just
     give up, but now, at this point, what we're talking about is
     the safeguards, protective strategies, and the
     responsibilities within the program to be able to defend
     against losing that control.  If the attacker gains control
     of the critical systems, there's still actions that need to
     be taken.
               DR. WALLIS:  I think you might be in a position
     where you don't know if he's gained control or not but you
     know that you happen to have lost your control, but you
     don't really know what they've been able to do.
               MR. ROSANO:  So, anyway, that is the point of the
     interim program, is, again, to be forward-looking.  What we
     want to do is take the best of the OSRE program, of which
     there is quite a lot, but to incorporate some new ideas and
     to test out where we're going.
               We also think of the interim program as an
     evolutionary thing.  It won't be static.  As we learn and
     things become obvious to the industry and the NRC, we'd like
     to be able to incorporate those.
               The second part of the presentation is on
     chronology, and in my way of going around the facts, I
     probably already covered a lot of this, but I just want to
     bring us back to where we were.
               In May of 1999, we briefed the Commission, and
     actually, what I failed to mention there was that that was a
     result of a Commission paper.
               The SPA task force, the Safeguards Performance
     Assessment Task Force, submitted in January '99 -- it was
     SECY paper 99-24, and we submitted our recommendations, and
     that had to do with creating an exercise requirement in the
               On May 5th, we briefed the Commission, the
     Commissioners, followed with an SRM dated June 29th in which
     they instructed the staff to go forward and develop these
               That was in June.
               It was during the course of the summer of 1999,
     through extensive meetings with the -- public meetings,
     including the industry, in which more was discussed about
     the possibility of opening up the door to consider all of
     the safeguards regulations.
               I wasn't with the NRC back in the '70s when we
     wrote 73.55, and I also know that, in spite of some of the
     fixes we've made to 73.55 over the years, we've never
     stepped back from it and taken a complete look.
               We believe it's time -- the staff has thought that
     it's time, and this is a good opportunity for us to
     modernize the regulations.
               In October, SECY 99-241 was proposed, and that
     included all of these concepts, risk-informing 73.55,
     including the exercise rule, so a broader look, and that was
     approved by SRM in November of '99.
               March 9th of this year, we submitted the SECY
               This was in response to the part of the November
     SRM that asked us for a definition of rad sabotage, and as I
     described earlier, we tried and could not conclude that
     simply an improved definition would solve all the problems.
               We concluded that we needed to have design
     criteria that would form the basis for the protective
     strategies and for the regulation.
               We submitted those design criteria in SECY 00-63,
     and the Commissioners adopted the recommendations in April
     of this year, telling the staff -- directing the staff to go
     forward and to work the rule.
               So, it's been taken step by step.
               In the beginning, we recommended an exercise rule. 
     After that, we recommended a broader look at 7355 to
     risk-inform it, and then, following that, we submitted a
     Commission paper in order to show how we intended to base
     the rule, on what we intended to base the rule, and that was
     the performance criteria.
               MR. TRACY:  I would also add the Commission
     directed us to incorporate the performance criteria in the
     interim program that the industry would ultimately take on.
               MR. ROSANO:  As for future, we are looking at
     summer of 2000 -- this program proposed by the industry, the
     Safeguards Performance Assessment Program -- the staff has
     spent considerable time reviewing it in several different
     versions, submitted comments to the industry, received some
     feedback from them, and it's been an iterative process.
               We hope to be able to reach final agreement and
     endorse the industry's Safeguards Performance Assessment
     Program.  That's what was referred to as the interim program
     on an earlier slide.
               That would be the program that would allow us over
     the next two to three years to test out the concepts in the
               Now, an important point before I go beyond there
     is that we intend to continue doing exercises of protective
     strategies from here through that time.  Those will probably
     be in the form of OSREs, because it's a program that's
     worked very well and it's well understood.
               We will do OSREs on a periodic basis in order to
     continue the flow of information about licensees' response
     strategies until the time -- and here it says in late 2000
     -- that we expect SPA exercises to begin.
               The endorsement needs to precede the actual
     initiation of the program by some several months to ensure
     that the licensees who come up first for the exercises are
     working -- are operating under the right rules of
               CHAIRMAN POWERS:  I guess I have -- a couple of
     questions spring to mind.
               MR. ROSANO:  Sure.
               CHAIRMAN POWERS:  The first one that springs to
     mind is I think that the licensees are excellent at running
     electrical generation facilities.  I am not sure what their
     qualifications are for designing terrorist activities.
               So, I come in and say, gee, I wonder how one looks
     -- goes about formulating and reviewing a proposed SPA
     program, what criterion one uses to say whether it's an
     adequate one or not.
               I mean I know there are other organizations -- I
     happen to work for one -- that makes a business out of doing
     these things for the military.
               Can you tell me more about how it gets designed
     and how it gets reviewed?
               MR. ROSANO:  The document that has been generated
     by the industry, that we've been reviewing -- we have
     reviewed, in the context of what we know so far today about
     OSREs, what OSREs have taught us -- now, the OSRE program
     has been -- has enjoyed the benefit of contractors that we
     use who are very experienced in this area and who have
     helped us through the years.
               The document that the industry has proposed
     incorporates a lot of those ideas, plus I happen to know
     that the licensees typically have contractors themselves who
     have backgrounds in this field.
               Now, you've reached deep into the subject and
     asked a very important question.
               It's not just a matter of evaluating the exercise
     results, it's a matter of evaluating the program itself, and
     so, in fact, that's what I think is one of the strengths of
     the new program.
               This program, SPA, as well as the rule to come out
     -- it's kind of like the difference between, you know,
     giving a man a fish and teaching a man to fish.
               If we get the opportunity to look at the
     licensee's program, the industry's program, and it's a
     robust, strong, legitimate program, we can walk away with
     greater assurance that things will be conducted properly
     even when we're gone rather than just while we're on-site,
     and that's the goal of the new initiative.
               CHAIRMAN POWERS:  The next question that comes to
     mind is that I know -- you've certainly emphasized
     force-on-force exercises, as well as table-top exercises and
     things like that.
               I also know that there's a booming cottage
     industry in developing computer codes to simulate armed
     intervention against incursions and whatnot.
               Is that -- do those figure into this program at
               MR. ROSANO:  Yes.  I'm very pleased you asked that
     question, because it turns out that, in the last two days,
     we've just finished a two-day symposium in which --
               CHAIRMAN POWERS:  I'm a great straight man.
               MR. ROSANO:  You can ask questions all day, sir.
               A gentleman on my staff in the back of the room,
     Al Tartif, put together a workshop that brought to
     headquarters here members of Department of Energy, DOD,
     Sandia, Lawrence Livermore Labs, and the subject was how do
     we risk-inform security regulations, and nearly -- probably
     half of those addressed themselves to modeling and
     computer-based systems to test it.
               There is a lot to be gained from that.  It allows
     multiple tests of the same strategy either before or after
     you run a real exercise.
               There's a lot there, and I expect that the
     industry will make use of that.  It would make a lot of
     financial sense for them to do so.
               DR. WALLIS:  You're always talking about arms and
               It seems to me that's the most unlikely thing; the
     most likely thing is intelligence sabotage, as things get
     more and more computerized in the control room, someone
     knowing something about the system, slips in some lines of
     code which screw up the control system of the reactor, so
     that when someone does something, something happens and they
     lose control because they're getting false information.
               MR. ROSANO:  Perfect issue.
               In fact, cyber-security is an essential element of
     the new rule-based program, and as an aside, I'll say that I
     fought to avoid having our group referred to as the physical
     protection group, because I think that safeguards has to
     include more than physical protection.  It could be that, in
     the next 10 years, cyber-security may be more important than
     physical security.
               I think we're near the end, in any case, with the
     exception of time for some questions.
               In May of 2001, according to SRM that's been
     generated -- and this now, I think, is a couple SRMs ago --
     I can't keep track of which one told us to do which, but by
     May of 2001 --
               DR. SEALE:  There's a snowstorm over there.
               MR. ROSANO:  Probably is.
               May of 2001, the draft or the proposed rule is
     expected to be ready for publication, and by November 2002,
     we intend to have the final rule in place.
               Now, one thing I will say that refers back and
     that is that the licensee -- this interim program includes a
     triennial cycle of exercises, and the expectation was based
     on it taking about three years for us to write the rule from
     beginning to end, and so, the licensees will actually be
     running drills on a fairly continuous flow during this
     period that we're writing the rule so that, by November
     2002, we would expect to have had a significant percentage
     of licensees who have already run through their drills.
               And that completes my presentation.
               Any questions?
               CHAIRMAN POWERS:  I think we can thank the
     gentleman for that presentation.
               DR. KRESS:  I think we have comments from Mr.
     Lyman.  This might be a good time for him.
               CHAIRMAN POWERS:  Yes.
               DR. KRESS:  Thank you, guys.  That was very, very
               CHAIRMAN POWERS:  Mr. Lyman, I have enjoyed your
     presentations in the past on MOX fuel, and I hope you're as
     informative in this area as you were in that area.
               MR. LYMAN:  I'll try to be.
               I do appreciate the opportunity to make a few
     comments here.
               My presentation, which you should have gotten a
     copy of, is based on one which I gave at the RIC a few weeks
     ago, and I am grateful to Mr. Rosano for inviting me to
     speak at that conference, since I think we're probably
     regarded as a pain in the neck.
               DR. APOSTOLAKIS:  Could you tell us who you are
     please?  Not all of us know you.
               MR. LYMAN:  My name is Edwin Lyman.  I'm a
     physicist with the Nuclear Control Institute, which is a
     nonprofit research organization which focuses on nuclear
     non-proliferation issues and also issues of nuclear
     terrorism, which carry us over into nuclear sabotage, as
     well, and radiological sabotage.
               We are a public interest group, one of the few who
     have been trying to track NRC's developments in this area,
     and I think our perspective on the history of this program
     and how we've gotten here today is somewhat different from
     Mr. Rosano's, so I'd like to at least present some of the
     background as we see it, where the issues and the
     differences with the industry's position and ours are, and
     just comment on the future.
               I'll refer most of the details to the document I
               First of all, as a public interest organization,
     we are concerned with the public confidence aspects of NRC's
               In fact, we see ourselves wanting to have
     confidence in NRC's programs, and therefore, what we see
     forms the basis for our ability to have confidence.
               In the issue of physical security and physical
     protection, I think it's especially crucial that the
     appearance of a robust system is maintained, because the
     public has less access.
               Even compared to safety issues, a lot of what goes
     on in the physical security arena is within a black box.
               So, we have to accept the assurances of NRC that
     they know what they're doing, that they can assess the
     threat accurately, and that the regulations they impose are
     appropriate for ensuring that the appropriate response to
     that threat is guaranteed, and we have to take their words
     for it in a lot of aspects, and appearance is, in the
     physical security, physical protection arena, reality to
     some extent, since the appearance of making nuclear plants
     look like hard targets is a big part of actually deterring a
     terrorist threat.
               Now, the background to the -- where we are in the
     OSRE program is that, back in the summer of 1998, it was
     terminated by staff without consulting the Commission.
               This was following a rather undistinguished
     performance by the utilities, by the licensees in the OSRE
     program, in which case almost half of them failed the OSRE
     in that they were unable to prevent an entire target set
     from being taken out, and according to OSRE, the OSRE logic,
     that would lead to significant core damage.  So, in almost
     half the plants, the mock terrorists were able to achieve
     significant core damage.
               Needless to say, this was not regarded as -- this
     is regarded as embarrassing by some of the licensees, and
     they were not happy about having to continue to comply with
     this program.
               In fact, the measures that they took greatly
     exceeded what they committed to in the security plans in
     some aspects, and in particular, an average of 80 percent of
     -- they employed more than 80 percent, on average, of
     security guards for the OSRE program, in excess of what they
     committed to in the security plans, and yet they still had
     this rather poor response.
               So, in our view, OSRE did what it set out to do,
     and it was, in fact, the very model of a performance-based
     program that NRC wants -- is looking to adopt more broadly
     in that there were a set of prescriptive regulations which
     were 10 CFR 73.55(b) through (h) giving very detailed
     instructions on what the licensees had to do, and the fact
     is that, even if they were in compliance with those, they
     still were not able to respond to the performance assessment
     appropriately, so it revealed there were weaknesses in the
     prescriptions that needed to be corrected.
               So, after the cancellation of OSRE, there was
     leaks to the press, there were different professional
     opinions on this, and it led to a rather embarrassing
     situation where the White House itself had to call Chairman
     Jackson at the time and ask her to reinstate the program,
     because major policy speeches had just been given
     recognizing the increased risk of terrorism and increased
     response by the Government.  So, NRC seemed to be out of
     step at that point.
               DR. KRESS:  Do you have any idea of why it was
     canceled, the program, in the first place?
               MR. LYMAN:  Well, there's no hard evidence there. 
     Chairman Jackson responded to Representative Markey by
     saying that there had been complaints on an informal basis
     by the industry about this program, it was too expensive. 
     They really objected to the expense of having to assemble
     the additional guards necessary, and it really was a burden
     to them.
               At the same time, I think NRC staff will say they
     were looking at revising the program from the beginning and
     this cancellation was simply a way to transition toward a
     new program, but it certainly was so abrupt that there
     didn't seem to be any kind of transition, and so, the cycle
     was not complete at the time that it was canceled.
               So, I can only speculate, but it appears,
     certainly, that after the performance record of the
     licensees at that point, they were anxious not to continue
     what seemed to be an embarrassment.
               So, going from that point on, the OSRE program was
     reinstated, but at the same time, there was an effort to
     rewrite the whole rule, as Mr. Rosano has discussed.
               The original intent -- well, there was another
     point about canceling the program, was that it was unclear
     whether there was legal authority for this.  Were the
     licensees required to endure these exercises to demonstrate
     they could deter the design basis threat against
     radiological sabotage, and our legal counsel believes there
     was authority, but it was decided that that really should be
     formalized by a new regulation.
               So, originally, I think the intent was simply to
     augment the authority in the rule to include an OSRE-like
     exercise as a requirement of the licensees, yet I believe
     the Nuclear Energy Institute wrote a letter saying it's time
     to open up the whole rule, we want to look at everything,
     and that was consented to, and we have concerns about that,
     that at least what comes out of this process should be at
     least as robust as what has happened in the past, because we
     don't think -- in contrast to maybe other performance
     measures of the licensees over the years in safety, which
     has led to the new oversight program, where there's
     confidence that, well, they're doing better in these areas,
     so we can give them more responsibility for their own
     oversight in some areas, this is not one arena where the
     performance has been that good, and I would not -- and they
     haven't earned the right to self-assessment, in our view.
               I'd just like to, as a way of background, describe
     some of the core issues that emerged at first.
               NEI proposed and the staff was willing to accept,
     it seems, changing the definition of radiological sabotage
     at the beginning, so that instead of significant core damage
     as the standard for OSRE, it would be a weaker condition
     that a Part 100 release would not have to be -- you would
     have to keep below a Part 100 release.
               So, the effect of this would be where if a
     successful -- or a failure of the OSRE program would occur
     if the entire target set was taken out and significant core
     damage would result.
               If you went to a Part 100 release, that would mean
     you would accept significant core damage.  I'd remind you
     Part 100 is the type of release consistent with, I believe,
     the substantial meltdown of the fuel.
               So, what the NEI proposal was really saying is we
     would accept enough damage to the plant that we could go to
     substantial meltdown of the fuel, but given that our
     containment, our emergency planning, and our engineered
     safeguards are designed to keep below Part 100 releases,
     then we can't afford to have greater damage and still
     satisfy protection of the public from a radiological
               Now, we found that approach somewhat extreme and
     wholly unreasonable, and from a public confidence
     standpoint, it just showed to us how out of touch we thought
     NEI was with the public, because we don't think the public
     would accept if a terrorist attack occurred at a nuclear
     plant, that terrorists were actually able to bring
     explosives into the plant, blow up safety equipment, blow up
     the -- or violate the reactor coolant system boundary, and
     yet, because the operators were able to stop this from
     becoming a holocaust, a Chernobyl, that that would be an
     acceptable and, in fact, not even -- that would be an
     acceptable outcome of their physical protection strategy.
               Just looking at what happened with the Indian
     Point 2 accident where there was no measurable radiological
     release, you looked at the public response to that, you just
     see that that is really extreme.
               I think the public believes and should believe
     that the physical protection at nuclear plants can prevent
     damage, any kind of damage, from being done to the plant,
     whether or not it's a critical safety system.
               So, we think going to a Part 100 was a mistake,
     and to NRC's credit, they arranged their SECY paper and
     their own recommendation to be based on performance
               This is closer to the way the original OSRE was
               In other words, you want to make sure that you
     have enough equipment in place so that you can bring the
     plant to safe shutdown and you maintain core cooling, though
     they were willing to go beyond that point and say that that
     was acceptable.
               However, at the same time, there are some aspects
     of the plan going forward that we are concerned about.
               This session started with the question about
     risk-informing this process.
               We don't think that it's necessarily a wise thing
     to risk-inform security, to try to link security so closely
     with safety issues when, in our view, they are really
     different animals, and that's because, when you're dealing
     with intelligent adversary, what they are capable of doing
     is completely different from a dumb equipment failure.
               You know, if you have one spontaneous equipment
     failure, you can figure out what the probability of that is
     going to be.  If you have two spontaneous failures, that's
     generally more unlikely, unless it's a common mode failure. 
     But if you have an intelligent adversary who might be an
     insider, who might have access to everything you know, to
     your severe accident management guidelines, to your
     emergency planning, they know what you're going to do, and
     it will be a chess game.
               There is no way to estimate the probability of the
     capability of that insider to bring this plant to a
     meltdown.  So, we don't think that it's really necessarily a
     wise idea to risk-inform this process in the same way.
               We're all in favor of using better knowledge of
     what the critical safety systems are, what the weak points
     of nuclear plants are in designing a protective strategy,
     but in our view, that is not going to lead to a -- that
     wouldn't lead to a relaxation of what you can protect, and I
     think it's pretty well known what you have to protect.
               Now, the other aspect of this which is related and
     came up is the increased reliance on operator actions in
     assessing the consequences of an attack.
               We do not think that it's wise to go to increased
     reliance on operator actions in this way, especially if an
     entire target set is taken out.
               If you look at the latest draft of the industry's
     self-assessment program, which has turned from SAP, which it
     was a few weeks ago, now to SPA -- it doesn't seem to be a
     self-assessment program anymore, but their own plan -- they
     were still, as a few weeks ago, saying that even if an
     entire target set is taken out, we still want to have the
     opportunity to be given credit for preventing significant
     core damage if we can show their operators would be able to
     intervene that way, and our response to that is, if you're
     willing to give operators credit for those types of actions,
     that has to be demonstrated, that capability has to be
     demonstrated either on a simulator or through a human
     reliability assessment.
               There has to be some way.  You can't just take
     their word for it.
               DR. KRESS:  Let me ask you about that.
               It seems to me like that's analogous to what we
     call severe accident management, where the operator has
     severe accident management guidelines to do whatever he can
     with the existing systems, given what he knows about how the
     accident is progressing, to try to stop it, and I think
     that's a good idea.
               Even in the case of a sabotage effect, it would be
     nice for somebody to have pre-thought out what the operator
     might be able to do, with whatever parts of the system that
     he still has control of and is functional, to be able to
     stop it.  So, to me, it's thinking out the process and
     putting down ahead of time what he might be able to do,
     which seems like a good idea, whether you take credit for
     that or not.
               MR. LYMAN:  No, I absolutely agree with that, and
     I have no complaint about thinking these things through more
     carefully, but in my view, when you are evaluating an
     exercise, that that should go into the margin and shouldn't
     be given credit --
               DR. KRESS:  Shouldn't be part of the performance
               MR. LYMAN:  Right, unless they can demonstrate it,
     because I mean if you have -- God knows what kind of
     complicated event you have and you don't know if the
     adversary, like I said before, an active insider has -- as
     someone mentioned before -- has interfered with the
     electronics, with the instrumentation systems -- maybe
     they've thought out everything that you would do.
               I mean they have these plans, and they say, you
     know, if you want to -- if you're going to scram the plant
     or you're going to de-pressurize the coolant system or
     whatever, that I'll be one step ahead of you, and so, unless
     you can really assess that appropriately, then you shouldn't
     be given credit for it unless the operators can be
     demonstrated, if they're given all these -- you know, the
     variety of scenarios, and I just think this would greatly
     complicate the evaluation, because if you tried to think
     through all the possible scenarios that an insider could
     create to confuse, I think that would increase the licensee
               I don't know why they would want to do that kind
     of exercise.
               I think it's just easier for them to show they can
     keep saboteurs from bringing explosives to a vital area.
               So, you know, if they want to go through that
     exercise, I just say they have to demonstrate it credibly or
     they shouldn't get credit.
               In the existing OSREs, for instance, if a security
     guard has some sort of fantastic shot, if their success
     depends on what might be viewed -- you know, a shot that
     requires considerable skill, they're taken out to the firing
     range and asked to demonstrate -- I understand a recent one,
     that they tried to take credit for a shot that couldn't be
               I'm just saying that has to be -- that should be
     done the same way.  You want credit for it, you demonstrate
     it, and that's why I would urge you to try to recommend that
     some sort of robust means for demonstrating that is
               I think that point's been driven home.
               The last aspect now, the design basis threat -- we
     have a few concerns with what's been going on in that area.
               One is that the adversary characteristics
     document, which is just released -- in our view, at least --
     the public can't see that, because we're not cleared for
     safeguards information, but it's our belief that this is
     based on the best intelligence judgement, information
     judgement to date, and I was under the impression that that
     document would not be sent to industry for comment.
               In fact, a few months ago, Mr. Rosano made the
     statement that it was a finished document.
               When NEI wanted to see it and comment on it, they
     were told at that time that it's not for comment, which
     seems reasonable to me, because I don't think they have the
     capability for any type of independent intelligence
     assessment of what's a reasonable threat, but I understand
     that the document was sent out, was offered to cleared NEI
     personnel for review, especially for its impact on
     operational and financial aspects of the plant's operation,
     and that troubles me, because I don't know what that
     feedback is actually going to do to the document itself.
               The other aspect of this I'm concerned about is
     the lack of a mechanism for testing at one point against the
     entire design basis threat.
               The design basis threat is a set of different
     capabilities in the industry's latest plan for their
     program.  They do not say at any point that they are going
     to run an exercise with the entire capability of the design
     basis threat at once.
               What they say is we might run different pieces,
     test different aspects of the threat, then put it all
     together, but that, to me, is not credible.
               If you have a design basis threat, then there
     should be at least one evaluated exercise where the entire
     capability is active at once, and that includes the
     possibility of an active insider, which I believe you asked
     before if insiders were evaluated in the past or were
     present in the past, and only passive insiders who could
     give information but do not actually take part in the attack
     and didn't engage in any of these other activities of trying
     to interfere with systems, and so, clearly, an active
     insider is a component which really should be brought to
     bear, and especially the impact of an active insider on the
     operators if they attempt to intervene, clearly that could
     be neutralized.
               So, another aspect of the -- of trying to bring in
     operator actions is you have to consider malevolent operator
     actions, as well, or the ability to neutralize operators,
     and that would increase the range of possible targets, I
               CHAIRMAN POWERS:  Let me ask a little question
     about that.
               Suppose I did have an operator that was in cahoots
     with an outside force, attempting to do something. 
     Wouldn't, in fact, any activity that he undertook be
     promptly detected by the rest of the operational staff?
               MR. LYMAN:  That's certainly a possibility, but
     you know --
               CHAIRMAN POWERS:  Under active supervision.
               MR. LYMAN:  Yes.  Certainly, there are mechanisms
     that -- of course, that are designed to prevent -- for it to
     be able to detect that, but I couldn't say that, in every
     instance, that would be detected, or if an operator that was
     fully aware or placed highly enough, you know, in the
     security organization of the plant couldn't bypass these.  I
     mean it depends on your assumptions, and that's something
     which is still not known to the public.
               I don't know what's assumed about the capability
     of operators, but the possibility has been raised about
     someone who prepares for this incident by walking through
     the plant, making small changes that might remain undetected
     but cumulatively would have a big effect when the actual
     attack occurred.
               So, I'm sure you could dream up scenarios.  The
     question is how do you judge which are credible and which
     aren't?  I don't think there's a way to put a numerical
     value on them.
               Finally, on the -- what was called the
     self-assessment program and is now something else, the --
     there have been concerns that, like I said before, the
     industry hasn't really earned the right to have greater
     oversight in this area, yet that's what they're asking, and
     that's why the initial phrasing was self-assessment program.
               This is one big difference between OSRE and what
     they're contemplating, is that there would be potentially
     less oversight in certain arenas, and this is what we are
     not happy about seeing.
               We think whatever comes in the future has to have
     something as stringent as OSRE.
               If they are more frequent, that's all to the good,
     but they have to have the ground rules that are at least as
     stringent, because there's no evidence that they should be
     relaxed at this point, until the industry can demonstrate
     repeatedly they've corrected the vulnerabilities that have
     been shown in the past.
               So, with that, I'd conclude.
               Thank you.
               DR. KRESS:  Well, you've certainly give us some
     good food for thought, and we appreciate you coming by.
               I might ask if anyone has any questions of Mr.
               DR. BONACA:  You had some comments in your paper
     on the process.  You did not elaborate on that.
               MR. LYMAN:  Well, this is difficult for someone
     from the public to actually say, but having sat in on the
     series of meetings since the beginning of this year, which
     are -- is part of what you might call interactive
               I would have to say that, because of the lack of
     resources of public organizations like ourselves, we can't
     participate on the same level as the industry can, and what
     I've seen in these meetings is almost like a contract
     negotiation, where the industry is writing its own
     documents, NRC has commented line by line, and the industry
     has quarreled with almost every change.
               Some of them they take, some of them they take
     back for consultation, they bring the document back the next
     time and it hasn't been changed, and it hasn't -- it doesn't
     seem to be the best or the most efficient way, first of all,
     since there was a debate for several months about
     radiological sabotage and the same arguments kept coming
     back to the fore.
               Because of this inequity, I would almost say that,
     unless the public can marshal the same resource to
     participate as equal players in this, that it might be worth
     putting more distance, again, between those writing the rule
     and those commenting on the rule, and of course, I would
     prefer more public access, more public resources, but in the
     absence of that, which doesn't seem very realistic, I don't
     know, I think it's a problem which has to be looked at.
               Other aspects like 10 CFR 70, which is also this
     interactive rulemaking -- we haven't been able to
     participate at all in that, and yet, I understand there's
     significant industry participate in the rule writing.
               DR. KRESS:  That's a very interesting comment.
               I understand that NEI would like to make a
               Than you, Mr. Lyman.  We appreciate you coming by
     and giving us your views.
               MR. DAVIS:  Good afternoon.  I'm Jim Davis from
     Nuclear Energy Institute.  I've been working security there
     for about six years.
               I noticed the NRC staff provided you three slides. 
     I handed you 13.  Don't worry, I'm not going to go through
     every one of the slides, but I thought I'd provide some of
     the information as background material, and let me refer
     just to a few of those.
               What's OSRE?  I mean it seems like that's sort of
     a magical word.
               Perhaps a way to look at it is similar to some of
     the other baseline inspection programs we've seen in the
     past, and as you approach the end of that baseline program,
     you say what have you learned and what should we do in the
     future, and I think both the NRC and the industry are at
     that point right now.
               Last week, we completed the last inspection -- the
     last of the first series of inspections.  Every facility has
     now had an OSRE.
               So, you sort of finish the baseline and you say
     what do we do next, and I think you actually will find that,
     in the last couple of years, NRC staff has done a
     significant amount of work to try to figure out where they
     want to go in the future and what's the optimum way to
     capitalize on the lessons learned in the OSRE.
               Let me emphasize that an OSRE is basically a
     facility-run exercise observed by the Nuclear Regulatory
     Commission staff.
               The adversary is provided by the facility.  The
     training of the adversary is provided by the facility.
               So, a preponderance of this is a facility-run
     exercise that's observed and critiqued and evaluated by the
               We had a whole list of SECYs earlier, but one of
     those SECYs, 99-024, very early in the process -- and this
     was the Safeguards Performance Assessment Task Force that
     did really a holistic look at the process -- is saying we
     think that there's more opportunity to integrate the
     licensee into this process and get the industry more
     involved and more responsible for the set-up, run, and doing
     these things.
               Remember, an OSRE is an eight-year cycle.  Once
     every eight years you were getting an OSRE.
               Out of that process and in discussion with the
     staff, the staff came up with what was referred to earlier
     as the exercise rule, and look at these elements.  Licensee
     develop target sets, licensee develops areas, licensee
     conducts drills and exercises, licensee evaluate, licensee
     correct the deficiencies.  It looks like a lot of licensee
     words.  Keep that in mind.
               We looked at that and said we've learned something
     from the OSRE process, too, and what we've learned, what the
     industry has learned, is if you take a deterministic rule
     and try to do performance-based evaluations against that
     rule, you're in big trouble.
               That has been our most significant issue, and in
     the discussions over the last year, we have said it is
     absolutely essential, if you are going to hold the industry
     responsible for performance instead of compliance with (b)
     through (h) in the rule, you want us to perform at a certain
     level, we must understand what the underlying criteria are
     for that performance.
               We've got to design to those criteria, we've got
     evaluate to those criteria, and we'd appreciate it if
     somebody would provide oversight to those same criteria.
               We felt it was absolutely essential that, to
     achieve this performance base, that the holistic look needed
     to be taken at the rule, and Mr. Lyman is absolutely right,
     on August 31st we sent a letter to the Chairman of the
     Commission saying the industry feels we need to completely
     rewrite the rule, and that's going to take three years, and
     we agree that we need to go on, and that's when we made the
     proposal that we would take the concepts and precepts that
     had already been developed and discussed with the NRC
     Commission and we would try to put them into an interim
     program as we move forward.
               But the biggest thing is assessment against what,
     and I think when you kick us out of here, you're going to
     discuss one of those activities, is what is the adversary
     that we are working against, because we need to understand
     that in detail just as much as anybody else, because it's a
     fundamental of the design of our program.
               But let me tell you what this core program
     contains.  It's procedures for developing target sets.  Go
     back to the first slide.  What did it say?  You wanted us to
     develop target sets, procedures for developing scenarios, a
     three-year cycle of drills and exercises, not an eight-year
     cycle, a three-year cycle, something that the licensee is
     responsible for.
               The drills are evaluated.
               Deficiencies are handled within the training and
     corrective action program, and at least once every three
     years, an evaluated exercise, a holistic look at the program
     that demonstrates the six key elements of the program, and
     those are the same key elements that the staff has been
     talking about for many years as they go through the
     discussion of what they consider important in the OSRE
     process and they try to train the -- and help people get a
     performance-based view of what they're going and the
     expectation that the NRC staff would be observing those --
     and critiquing those particular exercises.
               So, I guess what I wanted to just bring to the
     table today was that, one, the industry feels that it's time
     to rewrite the security regulation to take advantage of the
     performance insights that we have all gained from the OSRE
               We agree that a compliance-based rule is not the
     most effective way to maintain security in the current
     environment that we have today and that the program we are
     proposing, in fact, is exactly what the staff wants to put
     forward in the rule, and we think that there is an excellent
     opportunity to test these concepts over the next several
     years as the rulemaking process moves forward, so that at
     the end we put in the rule some words that in fact will work
     within the program, and I think you all are aware of several
     rulemaking efforts where we've had to come back and change a
     rule because, in fact, when you started writing the
     implementation guidance after the rule was done, you found
     out it didn't work quite the way you wanted it.
               So, we're enthusiastic about this process, and we
     think it's going to be a good effort.
               DR. KRESS:  What is the problem with you guys, the
     licensee, knowing what the design basis threat is?  Is that
     a security issue or what?
               MR. DAVIS:  No, sir.  The design basis threat or
     the characteristic -- the detailed characteristics --
               DR. KRESS:  Detailed characteristics.
               MR. DAVIS:  -- are classified safeguards, and the
     security manager at every facility is cleared for safeguards
               Clearly, the security manager has to know what
     he's working against.
               DR. KRESS:  Is there a reluctance to let you guys
     know what you're having to guard against?  Is there some
               MR. DAVIS:  I don't fully understand the history
     and what's gone on in many years.
               The problem I think we've faced is we started out
     with a deterministic rule.
               When you tell me I have to build an eight-foot
     fence and have to have .2 foot candles of light, I don't
     need to know much more than that.
               So, nobody went through the exercise of clearly
     defining what radiological sabotage meant, how Part 100 was
     applied, which is a siting criteria, how it applied and how
     we cross-connected it across the entire plant, but when we
     get into the performance base, those issues become important
     to us, and as we get to the end of the process and we look
     back and say, gee, part of the problem we've had is we have
     not understood in the field the performance criteria that
     we'd expected at the same level that some on the staff or in
     other areas had.
               Therefore, we need to -- you know, let's look
               I don't know history, but looking forward, we need
     to clearly understand what the adversary is and what the
     performance expectations are.
               With those, then we can ensure that our program is
     adequately designed, and this is not -- don't come once
     every eight years and say here is the criteria I am using to
     evaluate your performance, give them to us up front, we'll
     design our system, and you can look over our shoulders
     periodically and make sure we're performing to that
     criteria, and although -- and I don't have -- I guess I've
     got do a better job of selling that, because to me, that
     seems like, you know, an order of magnitude improvement on
     what we've been doing in the past.
               This is not the industry trying to do away with
     security regulations.
               We're not asking to do away with the guard forces
     and that kind of -- we're asking for -- to actually move,
     really move into the performance-based approach to
     evaluating the effectiveness of security that's at the
               MR. SIEBER:  Are you trying to save money?
               MR. DAVIS:  I didn't say that.
               MR. SIEBER:  All right.  I withdraw my question.
               MR. DAVIS:  Well, let me answer your question.
               The problem that we face is we have some
     performance -- some deterministic requirements that are
     levied on the plants today that, in fact, contribute
     absolutely nothing to the overall public health and safety.
               At the time they were put in place, they probably
     looked like good requirements, but they are sitting there as
               So, we, in fact, sometimes have people doing
     things that we look at now do not contribute to the overall
     capability to counter a terrorist attack or prevent a
     terrorist attack.
               By making some of those deterministic things go
     away, focusing on the performance aspect within the same
     resources, we, in fact, provide a higher level of assurance
     that our security organization is going to perform its task.
               So, it's a shift in the focus of resources, is
     what you're really looking for.
               MR. SIEBER:  I don't know if I'm allowed to ask
     this question, but could you give me some examples of things
     that you think are deterministic that don't contribute to
     the overall mission?
               MR. DAVIS:  Well, one good example is the original
     rule you have a requirement to have .2 foot candles of light
     in the perimeter zone.
               At the time that that was put in effect and the
     electronic surveillance systems that were available, that
     was probably not a bad requirement for lighting.
               As we look forward with the improvements in
     electronics, you probably don't need that high an intensity
     in lighting in all areas to provide adequate surveillance.
               What's the performance criteria?  The performance
     criteria is it is able to monitor, observe, and determine
     what is moving in that particular area, not that you have a
     certain fundamental lighting requirement.
               So, there's one example.
               MR. SIEBER:  It actually goes -- it's not only
     what is moving, but it could be something that isn't moving
     but doesn't belong there.
               MR. DAVIS:  Yes, sir.  I mean a variety of things.
               MR. SIEBER:  And so, you would give your response
     officers and your watchmen these surveillance devices in
     lieu of keeping light-bulbs lit?
               MR. DAVIS:  I think what you will find is the
     lighting requirement would be commensurate with the
     surveillance equipment that you're using in that particular
               MR. SIEBER:  So, it would be one or the other.
               MR. DAVIS:  Defining lighting in this area and
     defining the electronic equipment standards you use in
     another area.
               The issue is can you observe and categorize what's
     going on in that particular -- I mean that's one example.
               MR. SIEBER:  Do you have any others, or is that
     the most prominent?
               MR. DAVIS:  That's just one example.  There are
     lots of others.  They all run in the same arena.  I hate to
     get into details, because you end up spending five or six
     minutes trying to explain the entire background so that the
     thing is -- the relevance of the issue is a little bit -- it
     takes some technical detail to understand why something is
     or isn't important.
               I guess which brings me to one more thought, if I
     can inject this.
               I would like to make sure you understand that we
     have professionals in the industry that are managing
     security. These are security professionals.  I am not a
     security professional.
               They know what they're doing, and they came from
     the same background as all the contractors and everybody
     else that we've been talking about.
               The industry does have the knowledge and does have
     the capability to set up realistic and challenging
     exercises, and whenever the question came up, we do have our
     own contractors that we use in this business to help us get
     an independent look.
               DR. WALLIS:  Mr. Lyman spoke of a situation where
     you might find yourself in a sort of chess game with some
     intelligent intruder.  I just wonder how you figure out that
     you're going to win that chess game.  I'm not sure that
     regulations help you very much in that sort of adversarial
               MR. DAVIS:  Developing defensive strategies
     requires a lot of work.
               Table-top exercise, as mentioned earlier, is one
     of the techniques you use, and you pick a variety of
     scenarios and you start playing the what-if game -- if, what
     if; if, I will -- and you run through those various
     scenarios and you develop your defensive strategies for the
     broad case lot of what you're doing.
               You work in adversary characteristics against your
     target sets, and you run in your various scenarios, where
     your responders go in those various cases, what advantage
     you might or might not have in a particular situation, where
     your vulnerabilities are, and then changing your procedures
     to fix those cases.
               So, basically running those kind of what-if cases
     is a significant part of the development of the security
     plan and the contingency response plan for a particular
     facility.  The drills and exercises is one of the tools you
     use to validate the plan in that you run --
               DR. WALLIS:  I was more concerned with the
     intelligent adversary game, that usually security personnel
     are not chosen for superior intelligence.  You don't want
     them to have to make lots of decisions based on
     chess-game-type things.  You want them to react exactly as
     trained, and I wonder how you anticipate, then, the
     chess-game-type adversary.
               MR. DAVIS:  Management is making these decisions. 
     I guess I can't accept the statement that our security
     personnel are not very highly trained or skilled at what
     they do.
               DR. WALLIS:  No, they are.  They are very well
     trained and skilled, but it's not in the chess-game type of
     adversarial setup.
               MR. SIEBER:  Maybe I could address that a little
               I think in any job classification, you have a
     range of people from watchmen all the way up to your
     response people plus your management, but security in a
     power plant, having worked in one for many years, is a team
     between management, security, and operations, and so, you
     can't look at it just as the uniformed security force, you
     have to look at it as a broader team.
               MR. DAVIS:  I agree, it's a total team concept.
               DR. KRESS:  One more question, then we're going to
     have to move on.
               DR. BONACA:  I thought I understand -- I mean Mr.
     Lyman said that there was a significant failure rate of the
     OSRE exercises.
               If I understand what you said, it's that you trace
     back that one to the fact that there are deterministic
     criteria at the plants and the criteria used by the NRC to
     evaluate performance by the staff are not clear to the
               MR. DAVIS:  The performance criteria, in some
     cases, has not been adequately defined.
               I think Mr. Lyman likes to make a statement that
     half the people fail, but unfortunately, I think, if you go
     back and look at the situation, you'll find that there are
     very few cases where a finding, an actual violation of
     regulations was issued as a result of an OSRE inspection,
     and you have the difficulty of taking an opportunity to find
     a weakness in your program where you can take some other
     actions to improve the strength of it and you turn that into
     a -- into, gee, it must be a failure instead of here is a
     way of doing business that will improve you, and that's
     where I'd like to sort of compare this to some of the other
               Very frequently you find you're in compliance with
     regulations, but in fact, there are other ways and other
     things you can do that still comply with regulations but
     improve the performance and reduce the risk of the system.
               DR. BONACA:  You said going to performance-based
     exercises, then that would result in some other issues with
     OSRE.  That's why I was trying to understand where you saw
     these performance-based, you know, exercises being a
     resolution of the issues.
               MR. DAVIS:  I think the underlying issue is OSRE,
     in trying to look at performance, has shown that using a
     deterministic rule approach does not give you a program that
     clearly identifies and overcomes all the potential
               I thank you very much for your time.
               DR. KRESS:  Thank you.
               I guess that now is the time that we're going to
     -- we can go off the transcripts, because we're going to go
     into the closed portion of the meeting.
               [Whereupon, at 2:08 p.m., the meeting continued in
     executive session.]

Page Last Reviewed/Updated Tuesday, July 12, 2016