Meeting of the Joint Subcommittee on Reliability and Probabilistic Risk Assessment and Regulatory Policies and Practices - September 23, 1999

                       UNITED STATES OF AMERICA
                             Room T-2B3
                              11545 Rockville Pike
                              Rockville, Maryland
                              Thursday, September 23, 1999
          The subcommittees met, pursuant to notice, at 1:00 p.m.
          GEORGE APOSTOLAKIS, Chairman, Subcommittee on       Reliability and
     Probabilistic Risk Assessment
          THOMAS S. KRESS, Chairman, Subcommittee on
            Regulatory Policies and Practices     
          WILLIAM J. SHACK, ACRS Member
          MARIO V. BONACA, ACRS ember
          JOHN J. BARTON, ACRS Member
          ROBERT E. UHRIG, ACRS Member
          JOHN D. SIEBER, ACRS Member.                   P R O C E E D I N G S
                                               [1:01 p.m.]
          DR. APOSTOLAKIS:  The meeting will now come to order.  This is the
     first day of the joint meeting of the ACRS Subcommittees on Reliability
     and Probabilistic Risk Assessment and on Regulatory Policies and
          I am George Apostolakis, Chairman of the Subcommittee on
     Reliability and PRA.  Dr. Kress is the Chairman of the Subcommittee on
     Regulatory Policies and Practices.
          ACRS members in attendance are John Barton, Mario Bonaca, William
     Shack, Jack Sieber, and Robert Uhrig.
          The purpose of this meeting is to review proposed revisions to the
     NRC PRA plan.  Tomorrow, September 24, the subcommittees will review the
     proposal-making plan and study for development of risk-informed
     revisions to 10 CFR Part 50, domestic licensing of production and
     utilization facilities.
          The subcommittees will gather information, analyze relevant issues
     and facts, and formulate proposed positions and actions, as appropriate,
     for deliberation by the full committee.
     Michael T. Markley is the cognizant ACRS staff engineer for this
          The rules for participation in today's meeting have been announced
     as the notice of this meeting previously published in the Federal
     Register on September 3, 1999.
          A transcript of the meeting is being kept and will be made
     available as stated in the Federal Register notice.  It is requested
     that speakers first identify themselves and speak with sufficient
     clarity and volume so that they can be readily heard.
          We have received no written comments or requests for time to make
     oral statements from members of the public.
          The key document for today's meeting is SECY-99-211, status report
     on the PRA implementation plan, issued August 18, 1999.  The staff has
     made substantial revisions to this update, in part, to address comments
     in the General Accounting Office report, dated March 19, 1999.
          The staff also briefed the Commission on the SECY-99-211 on
     September 7, 1999.
          We will now proceed with the meeting and I call upon Mr. Barrett,
     Mr. King, and Ms. Drouin to begin.
          MR. KING:  For the record, I'm Tom King, from the Office of
     Research.  With me is Mary Drouin, also from the Office of Research, and
     Rich Barrett, from NRR.
          The agenda today had two topics, basically; a status report on the
     quarterly update of the PRA implementation plan and then what are we
     doing in response to the GAO recommendation to develop a strategy.
          What I thought we'd do in the presentation is we've picked a few
     key items from the PRA implementation plan and we wanted to update you
     on the status on those items.  I think those are some of the more
     visible items that maybe you haven't heard about in a while.  Then the
     second half of the presentation to talk about what are we doing in
     response to GAO recommendation.
          So you will see on slide two is the list of things that we've
     picked out to talk specifically about.  There are seven of them.  There
     are some other things that we could have discussed, but we know there
     are separate briefings coming up at the subcommittee, like the ATHENA
     project, so we're not going to talk about that today.
          The first one on the list is the PRA standard.  That's the ASME
     effort, the ANS effort, and the NFPA effort, and with that, I'm going to
     let Mary and Rich talk a little bit about where we stand on those
          DR. APOSTOLAKIS:  Wouldn't it be better to start with the safety
     goal revision or the standard is sort of a stand-alone issue?
          MR. KING:  I think the standard is a stand-alone issue.
          DR. APOSTOLAKIS:  Let's go with it.
          MS. DROUIN:  Mary Drouin, with Office of Research.  As you're
     aware, ASME is developing the PRA standard for level one full power
     internal events, excluding fire, and a partial level, and what I mean by
     a partial level two, they're only looking at large early release
     frequency, just that part of the level two.
          They issued a draft standard in February of this year.  They went
     out for a 90-day public comment and review period.  They received, I
     believe, comments from around 40 organizations.
          So currently they are working on the next revision.  That was
     revision -- what they call revision ten.  That went out in February and
     so they are now working on revision 11 and it is my understanding that
     they plan to, in the January timeframe, and it's a tentative date, to go
     out for public review and comment again.
          We do have some concerns here that going from Rev. 10 to Rev. 11,
     that they have so dramatically restructured the standard, that it's
     going to probably, in my opinion, add probably another nine months to a
     year to the schedule, and it may not include the detail that we would
     like to see in the standard.
          DR. APOSTOLAKIS:  Is it time well spent, you think?  Are they
     revising it for the better?
          MS. DROUIN:  I think that in terms of the technical stuff that's
     in there, some of it is being watered down.  They're making the
     requirements more high level, which adds more room for interpretation. 
     In my opinion, I don't think Rev. 10 was prescriptive at all.  It tended
     to say what should be in a PRA.  It did not go into detail how you
     should do it.
          But even the little bit of detail, which I don't remember very
     much in, I think some of that is being removed.
          DR. APOSTOLAKIS:  So revision 11 will be substantially different
     from what we saw which was ten.
          MS. DROUIN:  It's going to be very different.
          DR. APOSTOLAKIS:  Is the ACRS going to review it again?
          MS. DROUIN:  That's between you and ASME.
          MR. BARTON:  It sounds like we should.
          MR. MARKLEY:  It's currently on the December schedule, but I'm
     waiting for a call back from ASME.
          DR. APOSTOLAKIS:  But we should, I think.
          MR. BARTON: Yes.  It sounds like it's the new document.
          DR. APOSTOLAKIS:  It's a new document, yes.
          MR. MARKLEY:  You recall, the industry -- maybe not the industry,
     but some selected participants wanted to -- instead of have a standard
     that focused in on one level of scope and detail of quality of PRA, they
     wanted to break it up to say, well, if you're having a PRA that's just
     going to be used for risk categorization or risk ranking, here is the
     standard, if you want one, for risk-informed submittals, here is the
     standard if you want one for risk-based submittals, here is the
          So they sort of have a three-column format now on the standard and
     I think there has been some -- it's not coming out as straightforward as
     we had hoped.
          In concept, it sounded like a good idea, but in practice, it may
     not be.  So that's another issue.
          DR. APOSTOLAKIS:  See, that's my concern, because I hear, also,
     through the grapevine, that there are drastic changes and some people
     are unhappy.  So I think we should have an opportunity to review it.  In
     fact, starting with the subcommittee meeting, if it's a really new
     document, where we can go into more detail and then, of course, give our
     opinion to the full committee.
          So now, Mike, you say that in December, we may -- in other words,
     we may review it before they issue it for public comment or at the same
          MR. MARKLEY:  Well, the last time I discussed it with them, we
     were talking about it being a pre-consensus voting process.  Now, the
     public comment issuance is a new issue, to my knowledge, and I haven't
     had a chance to discuss that.  I was not aware of it from talking to
     Jerry Eisenberg, but he did, in his phone message he left me, say there
     is a possibility of the schedule sliding.  So that's confirmed basically
     by what Mary is saying here.
          MS. DROUIN:  As I said, ASME is just looking at the level one and
     the level two for full power internal.  Also, ANS is involved in this in
     that they are developing the PRA standard for low power shutdown and for
     seismic.  Rich sits on that.  You might want to --
          MR. BARRETT:  Yes.  We had the first meeting of what's referred to
     by ANS as the risk-informed standards committee.  This is a consensus
     committee that's been formed by the American Nuclear Society for the
     purpose of developing these two consensus standards, one for external
     events or external hazards and the other one for low power and shutdown.
          But the concept is that this standards committee might be involved
     in future efforts, as well, and there is some preliminary thinking about
          The standards committee is a large group, approximately 30 people,
     representing a wide variety of organizations, government, industry,
     vendors, academic community, and, in addition, they have put together
     panels; one for the -- I guess you would call it the working group or
     the writing group for external hazards, and one for low power and
          Both groups have started preliminary work.
          DR. KRESS:  Do you know whether or not the focus on low power
     shutdown is the type of PRA that's used for configuration control during
     shutdown events or is it one that's addressing a broader need than that?
          MS. DROUIN:  Let me, because I sit on the writing group for the
     low power shutdown, and we had our meeting.  Right now, there are three
     approaches that we're -- I shouldn't say three.  There's really
     basically two approaches; one that actually looks at, for the PRA, how
     you're going to quantify the risk.
          Another one --
          DR. KRESS:  Over the full lifetime of a plant.
          MS. DROUIN:  Yes.
          DR. KRESS:  Not just instantaneous.
          MS. DROUIN:  Yes.  Full lifetime of the plant.  But they're also
     looking at configuration control in writing that, because that's more
     from a utility desire, where it's looking for something.  So we are
     considering writing something in that area, too.
          DR. KRESS:  Thank you.  That answers it.
          MR. BARRETT:  The only thing I'd like to add is that there is a
     sense that developing a standard for external hazards is going to be a
     simpler task than for low power and shutdown and that's primarily
     because, for one thing, the external hazards does not include fire. 
     Fire is being handled separately by the NFPA.  So it's primarily a
     seismic issue and seismic PRAs, the sense is that we have a lot of
     experience with them.
          It's a relatively well developed methodology, with a lot of
     consensus built around it, and that a standard would be simpler to deal
     with than the lower power and shutdown, which has so many facets to it.
          MR. KING:  Nilesh Chokshi is the staff person on the seismic
     writing group.
          DR. KRESS:  Who?
          MR. KING:  Nilesh Chokshi.
          MR. BARRETT:  Mark Cunningham and I are both on the standards
          MR. KING:  And as Mary said, she's on the low power shutdown
     writing group.
          DR. APOSTOLAKIS:  Okay.
          MR. KING:  All right.  Safety goals.  Back in July, there was a
     paper that went to the Commission -- in fact, we discussed it with the
     committee before it went -- that talked about two things.  One was the
     status report on the 11 safety goal issues that had been identified last
     year and the second was a recommendation to the Commission to let us go
     forward and do a feasibility study on what we called high level safety
          We haven't received an SRM yet from the Commission on the high
     level safety principles piece.  The safety goal piece was just a status
     report, so we're not waiting for any Commission input at this point.
          So we have not actually done anything on the feasibility study of
     the high level safety principles, but I thought it might be worthwhile
     just bringing you up-to-date on our current thinking on some of the more
     key safety goal issues, because we have continued to think about that,
     had some discussions.  We haven't reached consensus on the real key
     ones, the real tough ones yet.
          Some of the things that we recommended were pretty
     straightforward, cleanup items, and those are -- we're not going to talk
     about those today, but I did want to talk about the things that are more
     controversial and are going to be tougher to deal with.
          So let me go to the next slide.
          We start off with elevation of CDF as a fundamental goal, which
     the committee recommended a couple of years ago.  We've had a lot of
     discussions on this and our current thinking is that we ought to add
     some qualitative high level words in about accident prevention, just
     like there are qualitative words in right now that deal with individual
     and societal protection.  We think accident prevention deserves similar
     stature in the qualitative sense.
          The safety goal --
          DR. APOSTOLAKIS:  Let me understand the meaning of the words
     accident prevention.  If you have a CDF subsidiary goal and a LERF goal,
     aren't you preventing accidents?
          MR. KING:  Yes.
          DR. APOSTOLAKIS:  Why do you need an additional statement?
          MR. KING:  You recall what we have now is that we have qualitative
     statements on protecting individuals and protecting society, and below
     that we have QHOs, which define what do we mean by protection.
          DR. APOSTOLAKIS:  I see.  So you're referring to the qualitative
          MR. KING:  Right.
          DR. APOSTOLAKIS:  So there will still be a qualitative statement.
          MR. KING:  Yes.  Because I think it's important not just to say
     protect the public and let people decide how much of that they want to
     do by mitigation versus prevention.  I think we ought to emphasize
     prevention.  I think that's an important statement for the Commission to
          What we're thinking about now is then going in and adding the
     subsidiary CDF and LERF objectives into the policy statement as
     subsidiary objectives, but will provide some guidelines as to what do we
     mean by this balance between prevention and mitigation.
          DR. APOSTOLAKIS:  So would then a statement on how important
     accident prevention is result in a reduction in funding severe accident
          MR. KING:  No, I don't think so.  I think we still have the
     mitigation piece, which is severe accidents.
          DR. APOSTOLAKIS:  But it seems to me that one can make a
     reasonable argument that if the emphasis of the Commission is on
     prevention, let's see how much money you're spending on level two
     phenomena versus what you're spending on level one.
          And if the difference is the other way, I think it's a legitimate
     question, why are you doing it this way.
          MR. KING:  I think if there were a big difference, it might be a
     legitimate question, but that's not the case today.
          DR. APOSTOLAKIS:  I understand that, but, I mean, the reason why
     I'm asking is because the industry, as you know, for years now, has been
     very cool to any research that goes beyond core damage and they are
     claiming that what really matters is level one, because that's where we
     see the return, we understand what's going on, it's something we can put
     our hands on.
          So I think this would give them further ammunition along these
          Is that an -- I don't know, what's the word.
          DR. KRESS:  George, if this is the right thing to do, I don't
     think we ought to worry about that.  This is the right thing from a
     regulatory objective to do.
          DR. APOSTOLAKIS:  But before we put forth revisions of such
     important documents, I think we should understand all the possible
     consequences.  I'm not arguing against it, because I think it's okay.
          DR. KRESS:  I'm sorry.  I thought you were arguing against it.
          DR. APOSTOLAKIS:  It would be a very dull afternoon if we just
     didn't say anything, so I have to say something.
          DR. KRESS:  I see.  I understand.  It's worthwhile understanding
     the ramifications, and I agree with you, that is a likely ramification.
          DR. APOSTOLAKIS:  Clearly we are emphasizing prevention even now,
     if you look at the numbers we're using.
          DR. KRESS:  Sure.
          DR. APOSTOLAKIS:  Okay.
          DR. SHACK:  On that, the safety goal already has qualitative
     statements that preventing core damage is important.
          MR. KING:  I think the words prevention of core damage show up in
     there, but they don't show up as prominently as the other qualitative
     statements.  They're just sort of thrown in the discussion somewhere.
          DR. KRESS:  Would the subsidiary goals on CDF and LERF, would they
     have equal status to what we have out for the quantitative health
     objectives now or would they be --
          MR. KING:  My view is they would not.  They'd be the next level
          DR. KRESS:  Next level down.
          MR. KING:  The QHOs really try to put some number on what do we
     mean by protecting the public and then the next level down, the CDF and
     LERF would be some actual practical guidelines that you can use in
     running and designing your plant to try and implement that.
          The next item is definition of adequate protection.  There was, at
     one time, a recommendation from the committee to try and use the safety
     goal policy to come up with some quantitative definition of adequate
     protection.  There's also been a lot of discussion from external
     stakeholders about what do we mean by external or adequate protection.
          The Commission nor the staff neither one has, at this point,
     decided, yes, we want to go define adequate protection.  We're wrestling
     with that question in the context of the safety goal policy, but really
     it's a broader question, because the concept of adequate protection
     applies not just to reactors, it applies to every licensed activity that
     we regulate.
          So one of the things we had thought about with these high level
     safety principles was going in and trying to qualitatively lay out what
     does the agency mean when it says adequate protection and then maybe you
     could, for reactors, come up with something a little more specific to
     reactors to implement that.
          Whether that's going to happen or not I don't know.  But I think
     we've clearly decided you can't quantitatively define adequate
     protection.  It's not a number.  It's not a group of numbers.
          Some people think it's a process, that you go through the process
     of good engineering and QA and corrective actions and inspection and all
     of that stuff, you end up with something called adequate protection. 
     Other people think it's more -- it could be defined in more engineering
     terms or lines of defense terms without maybe putting a number on it,
     but it's not a process.  It's a physical attribute or some defined
     attributes that you've got to have.
          DR. APOSTOLAKIS:  Would it be easier to talk about adequate
     protection without necessarily defining it quantitatively?  If the new
     safety goal statement clearly identified the objectives of regulation by
     this agency, the ACRS has written at least two letters, that I can think
     of, where we keep coming back to it and saying -- well, the last one, I
     read it yesterday, was in the package you sent me on Part 50, revising
     Part 50, where we came back to it and said if you had developed this, a
     set of objectives, stated explicitly, then the revision of Part 50 would
     be easier.
          Is this a time to think about that perhaps?  That in addition to
     the health objectives and so on -- now I remember.  In that letter, we
     also said that in the draft document we saw, I think Mary was here and
     made the presentation some time ago on revisions to Part 50 a long time
     ago, the letter was from last December.
          MS. DROUIN:  50.59.
          DR. APOSTOLAKIS:  Okay, 50.59.  Anyway, we said there are terms
     like defense-in-depth and adequate protection, safety-related or
     something, safety-significant, that were not defined anywhere and yet
     they were used in sort of a routine way and on page 26, at the bottom,
     you might say, well, but this is not a good option because of such and
     such, and this such and such had never been defined up front as being
     one of the objectives of the agency.
          I think what we saw there is the result or a reflection of the
     culture that has evolved within the agency as to what's important and
     what's not important.  So two people from NRR, when they speak to each
     other, they more or less agree, yes, this is important, this is.
          And I guess what the committee is saying is that it might make all
     these efforts easier if somebody took the time to put these things up
     front and discuss them with us and other stakeholders and say this what
     we really want to do.
          MR. KING:  That's, in effect, what we had in mind when we proposed
     these high level safety principles, to try and lay that out; what is it
     we're trying to achieve with all these regulatory programs, what level
     of protection.
          DR. APOSTOLAKIS:  And that has not started yet because you don't
     have an SRM.
          MR. KING:  Right.  And I agree, I mean I personally agree with you
     that if we had such a statement of objectives, it would make defining
     adequate protection easier, it would probably make some of these other
     decisions easier, what do we mean by safety-related and that kind of
          DR. APOSTOLAKIS:  Now, when you say consider a zone, what exactly
     do you mean?  A zone where, on the risk lane?
          MR. KING:  Well, this was a concept that our legal folks gave us
     to think about and as I understand it, instead of defining adequate
     protection in some fashion, what you would do is you'd say, okay, I'm
     not sure exactly where adequate protection is, but I know if I'm in this
     range up here, that I've got adequate protection and they call this a
          DR. APOSTOLAKIS:  But up here where?  Are you talking about
          MR. KING:  I think they would be more comfortable if you put
     numbers on defining such a zone.  Like, for example, Reg Guide 1174, we
     have numbers in there.  Everybody says if you meet those, if you come in
     with a change that meets those numbers, there is not an adequate
     protection concern.  So that's a zone that we're comfortable in and we
     don't have an adequate protection concern as long as we're in that zone.
          What we had talked about was recognizing that that zone is pretty
     -- only deals with small changes, it's obvious you're not going to worry
     about adequate protection, when you're dealing with small and very small
     changes, isn't there really some region below that you can also not
     worry about adequate protection and could we define that presumptive
     zone so that if people come in and they're beyond the 1174 guidelines,
     we can at least know whether there is an adequate protection concern or
          So that when you have to make decisions on backfit, for example,
     you know you're allowed to backfit on an adequate protection
     determination and if you're above adequate protection, then you have to
     use cost-benefit.
          Well, this presumptive zone would help you figure out where you
     are in backfit space.
          So they're not comfortable with defining adequate protection in
     some precise fashion, but they are comfortable with saying, well, if
     you're up here in this zone, then you've got adequate protection.
          DR. APOSTOLAKIS:  Is it easier to define where you don't have it?
          MR. KING:  I'm not sure.
          MR. BARRETT:  That's an interesting question, because if you
     define it as a point, then you have to be right there at the point.  If
     you define it very sharply and the licensee is to the correct side of
     that point, then they have adequate protection and that's -- and if
     they're to the wrong side of that point, they don't have adequate
          If they're to the wrong side and they don't have adequate
     protection, they can't operate.  If they're to the right, to the correct
     side of that point, then they have adequate protection and the
     regulatory really has no business dealing with that issue anymore.
          I don't think we want to be in either one of those places.  One of
     the proposals --
          DR. SHACK:  If you have George's three-zone model, where you have
     a place where you're clearly in trouble, a place where you're clearly
     safe, and then --
          MR. BARTON:  A fuzzy place.
          DR. SHACK:  -- a fuzzy place.
          MR. BARRETT:  One of the proposals is to have a combination of
     criteria and processes, to think of it that way.  For instance --
          DR. KRESS:  Or more than just two dimensions.
          MR. BARRETT:  In dimensions.  For instance, you've got a bunch of
     parameters that are controlled by the license amendment process.  These
     are your safety limits, DNBR 1.2, and PSH, all of these detailed
     engineering criteria, plant design basis criteria, and they are
     controlled by 50.59 and 50.90 and 50.92, the licensing process.
          We've got some risk parameters that we've developed over some past
     several years and you could say that in some sense, they're controlled
     also by the same process, but through Reg Guide 1.174, and some of the
     other guidance that we've developed, along with some of the guidance we
     talked to you last month about.
          So if you have a combination of some criteria or guidelines like
     that, in dimensions, and each one has associated with it a process to
     control it, not necessarily to control it at exactly that point, but to
     at least make reasoned judgments about whether it's in the right range.
          And then if you combine that with a process to take remedial
     actions, if it's in an unacceptable area, then all of that combined will
     give you adequate protection.  And another example would be if you
     suddenly found out that there was some new piece of operational
     experience that took you outside where you thought you should be.
          You have 51.09, which is a process to control that and to bring it
     back into balance.  So that's a view of adequate protection in the
     compliance process with numerical values.
          MR. KING:  Another way to look at it, too, is, in effect, the new
     plant oversight process has defined this zone, used this zone concept
     where they have the green all the way down to the red zone.  Down in the
     red zone, they don't say the red zone is adequate protection, but what
     they do is say is, hey, we're getting close enough to whatever adequate
     protection is that we don't want the plant to operate anymore.
          That's another way to look at it, another example of applying that
     zone concept.
          DR. APOSTOLAKIS:  So you are now working on these issues?
          MR. KING:  We are now, from time to time, discussing these issues,
     trying to settle in on what is it we want to recommend to the
     Commission.  One of the things we are going to do very shortly is issue
     a Federal Register notice and have a workshop on November 9 to get
     stakeholder input on these issues, all the ones we're talking about
          DR. KRESS:  If you went with a green to a red type system, would
     that be defining adequate protection in terms of performance indicators,
     or you just use the concept and use something besides those that are in
     the oversight?
          MR. KING:  Remember, the plant oversight process is a combination
     of indicators and inspection findings.  So it's not just numerical
          DR. APOSTOLAKIS:  I think, though, that the factor, again, and we
     do have an idea of where we are, if the core damage frequency, as
     estimated today, the average long-term core damage frequency, if the
     approach is ten-to-the-minus-three per year, it seems to me that the
     staff is concerned about adequate protection, and something happens.
          Now, that something may include a number of things.  The licensee
     may decide to try to put down, the staff may look at it and say, as Rich
     said, that there are other measures, other protective measures that
     compensate for this high value and so on, but I don't think that even a
     licensee who finds an accident sequence with frequency more than
     ten-to-the-minus-three, that that licensee would do nothing.
          MR. BARRETT:  We've had examples where licensees have calculated
     total core damage frequencies in excess of ten-to-the-minus-three and
     have implemented corrective action programs to gradually bring it into
     more reasonable ranges.  Yes.
          DR. APOSTOLAKIS:  So I think we have an idea of where the zone is,
     but I guess that doesn't help very much when you actually have to put on
     paper where the zone begins, right?  The numerical definition is a
          MR. KING:  People can get uncomfortable at ten-to-the-minus-three
     CDF, but if your containment wasn't operable, you'd probably be
     uncomfortable, too, even if your CDF was ten-to-the-minus-four or
     ten-to-the-minus five.
          If you were finding programmatic breakdowns in your plant, even
     though an accident hadn't occurred yet, you'd probably get
     uncomfortable, too.  People are not qualified, they were on drugs,
     whatever, you wouldn't be too comfortable.
          So there's a lot of things you've got to consider.
          DR. APOSTOLAKIS:  Is people taking drugs part of the safety
     culture of the plant?
          MR. KING:  Well, I would think so.
          MR. BARRETT:  Hopefully, it's an aberration.
          DR. APOSTOLAKIS:  Okay.
          MR. KING:  The second item on that page is defense-in-depth.  It's
     mentioned in the safety goal policy that exists today, but it's not
     defined, it's not described how we use it.  What it means, we took a
     stab at that in Reg Guide 1.174.  We thought since it is such an
     important concept, the safety goal policy ought to say more about it.
          We also recognize these high level safety principles.  It's a
     concept that applies across the agency, as well.  Should we step back
     and, from an agency perspective, talk about defense-in-depth?
          To me, this is a fairly key item.  To me, this is more key than
     the adequate protection.  I think we can risk-inform Part 50 without
     having a good definition of adequate protection.  I don't think we can
     do it without thinking hard about defense-in-depth and what do we mean
     by it.
          So if you had to prioritize the two, I'd put my effort on
     defense-in-depth in the near term to try and settle out what we mean by
          Again, you know, we read the paper that was provided attached to a
     committee letter about the structuralist and the rationalist approach. 
     We had a workshop last week on risk-informing Part 50, the option three
     piece, and there was a guy from the UK there that talked about their
     definition of defense-in-depth.  It was an interesting concept.
          So we're gathering some information.
          DR. KRESS:  Is there a paper on that or anything we could look at?
          MR. KING:  They have those documents, tolerability of risk, and
     there is another one that came out recently, but I don't know if that
     talks defense-in-depth.  He did not hand out a paper.
          DR. APOSTOLAKIS:  So what did he say?
          MR. KING:  He basically said what they do is define lines of
     defense and what they want -- for accident prevention, core damage, they
     want two what they call strong lines of defense and the strong line of
     defense is a capability to terminate the accident that also can
     withstand a single failure.  So they want two of those.
          Then they want a weak line of defense for mitigation, assuming the
     accident has occurred, the core damage has occurred, and they want a
     weak line of defense.  And then they combine that with probabilistic
     goals on core damage and LERF, essentially, and that makes up there
     ensemble of high level requirements for what they want to achieve in
     terms of safety.
          I thought it was interesting.  But what he said was even if this
     plant calculates a good CDF, they still want those lines of defense,
     regardless of what your CDF says.
          DR. SHACK:  Sounds good to me, George.
          DR. APOSTOLAKIS:  Yeah, right.  So now we start agonizing over
     what is a strong line and what is a weak line and all that stuff. 
     That's why PRA was invented, to give you numbers for these things.
          So I'm unimpressed.
          MR. KING:  You don't think there should be some floor on features
     that you want in the plant, regardless of what your numbers say.
          DR. APOSTOLAKIS:  That's a very different question.
          MR. KING:  It's the same question, to me.
          DR. APOSTOLAKIS:  I'm unimpressed by what you've described.  I
     thought the other way.  I don't think -- I think defense-in-depth --
     defense-in-depth is insurance.  Isn't it insurance?
          MR. KING:  Assurance or insurance?
          DR. APOSTOLAKIS:  Insurance.
          DR. KRESS:  Insurance.
          MR. KING:  I'd rather call it assurance.
          DR. APOSTOLAKIS:  I think it's really very similar to the idea of
     insurance.  When all is said and done, I'd really feel better if you put
     that thing there.
          DR. KRESS:  We really do think it's intimately related to the
          DR. APOSTOLAKIS:  Sure.
          DR. KRESS:  In your CDF and LERF, for example.  And in that sense,
     it's insurance.  Somehow the definition, in my mind, has to draw in that
     relationship to the uncertainties some way.
          MR. KING:  But if you had this floor of things, you say I'm going
     to have these, and then beyond that, where you've got uncertainties,
     maybe you want to add more for defense-in-depth purposes.  That sounds
     like a reasonable approach, to me.
          DR. APOSTOLAKIS:  Which is what we proposed in the combination. 
     The floor there is the high level structuralist approach.  But no matter
     what, you must have a containment, you must -- it's not a floor.  It's a
     ceiling.  And then you go -- and by the way, there's a lot of people who
     are unhappy with that and I'm -- they're developing this pebble bed
     reactor.  Now they're talking about there is no need -- about not
     needing a containment.
          MR. KING:  They proposed that ten years ago.
          DR. APOSTOLAKIS:  I thank God this is an MIT project, so I have a
     conflict of interest.
          MR. KING:  What they say is the little fuel particles are --
          DR. APOSTOLAKIS:  I'll let you guys resolve it.
          DR. KRESS:  There has been one member of the committee who has
     said that it is rational to think about a system, a design that doesn't
     need a containment.
          DR. APOSTOLAKIS:  Rational?
          DR. KRESS:  Right.
          MR. BARRETT:  In Reg Guide 1.174, we talk about defense-in-depth
     and margin separately.  It could very well be that for the pebble bed,
     the two might be related in terms of the thermal inertia and --
          DR. APOSTOLAKIS:  But it's a separate issue.
          MR. KING:  The pebble bed said they had a trillion containment, so
     these little fuel particles in there.  Triple-coated, can withstand high
          DR. APOSTOLAKIS:  That's where my idea of insurance comes in,
     because I think we're probably going to have a very hard time agreeing
     that you don't need a containment, but that's my first reaction.
          DR. KRESS:  And it depends on the uncertainties and how well those
     things function.
          DR. APOSTOLAKIS:  That's right.
          DR. KRESS:  Then the insurance inertia definitely is a good term
     for that.
          DR. APOSTOLAKIS:  Anyway, we agree that the British approach is
     not impressive.
          DR. KRESS:  At least on first glance.
          DR. APOSTOLAKIS:  Yes.  As conveyed to us by Mr. King.  Insurance,
     insurance of a different kind.
          MR. KING:  I'll get a call from my colleagues in the UK.
          DR. KRESS:  Who was the British guy on this?
          MR. KING:  Nigel -- what was his last name?
          DR. KRESS:  Buttery?
          MR. BARRETT:  Holloway.
          DR. APOSTOLAKIS:  Holloway, Nigel Holloway.
          MR. KING:  The other --
          DR. APOSTOLAKIS:  I thought he was in weapons right now.
          MR. KING:  Yes.  He's working on weapons now, but he's sort of
     like a --
          DR. BONACA:  Trying to design a weapon to see if he can defeat
          MR. KING:  It sounded sort of like an ombudsman for that program
     over there, that when people disagree on do we provide adequate
     protection or not, he comes in and listens to the arguments and tries to
     sort out what the right answer is.
          DR. APOSTOLAKIS:  Anyway.
          MR. KING:  Societal risk and land contamination, those were the
     other two big issues, open issues in the safety goal policy list.
          DR. APOSTOLAKIS:  Yes.  And we've -- sorry, go ahead.
          MR. KING:  We've talked about the societal risk when it had to do
     with the way we calculate the current QHOs.  They're both calculated,
     whether it's early or latent fatalities, they're calculated on an
     individual risk basis.  We have reg analysis guidelines that calculate a
     person rem to society and makes decisions based upon that.
          They also have different distances out to which you make those
     calculations.  So the amount of society that's affected is different in
     those cases.
          And then we don't have anything that protects the environment, so
     we talked about should there be some lane contamination, but we haven't
     settled anything on either one of these issues.  I think we are
     exploring two things now.
          One, we're looking at maybe it would be -- make more sense to deal
     with both of these issues by looking at should we have a goal on the
     amount of material released from a reactor.
          DR. KRESS:  FC curves.  Frequency.
          MR. KING:  Not the large early release that was in the original
     safety goal policy at ten-to-the-minus-six, but some --
          DR. KRESS:  Some say release of any given --
          MR. KING:  Right, right.
          DR. APOSTOLAKIS:  Which are being produced by 1150 and other
          MR. KING:  Yes.  But that would cover --
          DR. APOSTOLAKIS:  Which the Swiss are using, by the way.
          MR. KING:  Yes.  But that would cover both of these issues.  It
     would protect society, it would protect land, and be irregardless of how
     many people are around the site that --
          DR. KRESS:  It also implicitly incorporates LERF and explicitly
     incorporates CDF.
          MR. KING:  Yes.  So we're looking at that now.  I don't know what
     the answer is going to be.
          DR. APOSTOLAKIS:  The penalty is that you will probably need more
     than one set of curves to satisfy Dr. Powers.
          MR. KING:  The other thing we're doing is looking at make the
     distance -- the evaluation distance the same.  Safety goals is ten
     miles, reg analysis guidelines is 50 miles; shouldn't the population at
     risk be the same, how did we decide ten miles, how did we decide 50
     miles, why shouldn't they be the same.
          I don't know, again, I'm not sure what the answer is going to be,
     but those are the two things we're focusing in on now in dealing with
     these issues.
          I suspect the ten miles is because that was where the evacuation
     distance is today that's specified in the regulations, which is based
     upon risk analysis that was done a long time ago that shows that beyond
     ten miles, you don't really get exposures to people that cause acute
     health effects.
          DR. KRESS:  But one of your goals ought to include something other
     than acute health effects.
          MR. KING:  Excuse me.  Say that again.
          DR. KRESS:  It seems to me like one of your regulatory objectives
     are to prevent releases even though they're not big enough to cause
     acute health effects.
          So you probably -- that calls for looking at the full range of
     transport out to 50, 100 miles or whatever, it seems to me, because
     although you don't have acute effects, you have other types of effects
     that you -- I think rightly so, you have a regulatory objective to
     prevent those.
          I think you could deal with those all in FC curve space, frequency
     consequence of release of given amounts.  So that --
          DR. APOSTOLAKIS:  Is anybody looking into FC curves seriously?
          DR. KRESS:  That's why we sort of advocated those a little bit in
     the first place, because they seemed to encompass, to some extent, all
     of your objectives in one set.
          MR. KING:  Joe Murphy has got the lead for this.  He's looking at
     them.  He's pulled some out and we've gone through them.
          DR. APOSTOLAKIS:  So full circle, back to what Ridge Farmer said
     in '67, that's interesting, if we do.
          MR. KING:  If we do this.
          DR. APOSTOLAKIS:  Now, this workshop on the ninth, what day is the
     ninth, does anybody know?
          MR. KING:  I think it's a Tuesday.  The workshop is going to be at
          MR. BARTON:  November 9 is a Tuesday.
          MR. KING:  It's going to be up the street here at the Double Tree.
          DR. KRESS:  Is that the week we're here?
          MR. MARKLEY:  No, the week before.
          MR. KING:  But what we want to do in this Federal Register notice
          DR. APOSTOLAKIS:  Oh, I know what I'm doing, yes.  Okay.  I'm up
     in the air, so I can't come.
          MR. KING:  We want to lay out the options, the pros and cons, some
     questions, so that people have something to chew on before they come to
     the workshop.
          DR. APOSTOLAKIS:  So this is only on the safety goal revision.
          MR. KING:  Only on the safety goal revision and it's going to
     focus on these issues we just talked about.
          DR. KRESS:  Do we have to have a special invitation to come?
          DR. APOSTOLAKIS:  No.  It's NRC.
          DR. KRESS:  It's here?
          MR. KING:  It's up the street at the Double Tree Hotel.
          DR. APOSTOLAKIS:  So these overarching principals, the objectives
     that we keep asking in our letters, you are not working on that right
     now, because for that you want to have a separate SRM.
          MR. KING:  We asked Commission permission to do the feasibility
     study.  We have not gotten permission yet.  We're not doing anything on
          DR. APOSTOLAKIS:  So Murphy working on this is not actually
     thinking about the overarching principals, also, because you are waiting
     for --
          MR. KING:  He may be thinking about them, but he's not writing
     anything down.
          DR. APOSTOLAKIS:  But that's an important point, though, because I
     think having those objectives is really -- in fact, if I can read one
     sentence from the letter dated December 14 to Dr. Travers, articulation
     of the regulatory objectives should be a restatement of the NRC's
     mission related to what it may consider to be the complete definition of
     safety, as contrasted to risk.
          So clearly this committee feels this is extremely important and
     that seems to be left out of the writing.  I don't know what else we can
     do.  The Commission is obviously thinking about it.
          Wasn't it a question by Commissioner McGaffigan at the last
     meeting regarding cost of doing all this stuff?
          MR. BARTON:  Yes.
          DR. KRESS:  He didn't think it was --
          MR. BARTON:  He didn't think it was worth it and it would be too
     long and too costly or something, is the comment he made.  It's in the
     writing there someplace.
          DR. APOSTOLAKIS:  So who would be addressing this concern, the
          MR. BARTON:  I guess so.
          DR. APOSTOLAKIS:  Or should we do something, if we feel --
          DR. KRESS:  That might be part of our meeting with the Commission.
          DR. APOSTOLAKIS:  That's a good idea.  Maybe we should do that.
          MR. BARTON:  This item is on the Commission briefing.
          DR. APOSTOLAKIS:  It is?
          MR. BARTON:  I think so, risk-informed Part 50.
          DR. APOSTOLAKIS:  Okay.  So we can raise it ourselves.
          MR. BARTON:  You can raise it at that time.
          DR. APOSTOLAKIS:  That's not the same thing, though.
          DR. KRESS:  I don't think the policy, the safety goal policy.
          DR. APOSTOLAKIS:  No, it was not.
          MR. MARKLEY:  I think that discussion is more focused on the Part
     50 rather than necessarily the goals.
          DR. APOSTOLAKIS:  Unless we bring it up.
          MR. MARKLEY:  Yes.
          DR. KRESS:  We could include it.
          DR. APOSTOLAKIS:  This is really an important issue.
          DR. KRESS:  Yes.
          MR. KING:  Let's move on.
          DR. APOSTOLAKIS:  One question.  This is a report from the PRA
     implementation plan.
          MR. KING:  Right.
          DR. APOSTOLAKIS:  And as you know, there has been criticism of the
     plan, I believe, also, criticism of the agency by the CSIS, is that the
     acronym?  That we don't appear to have a strategy.
          MR. KING:  GAO made that.
          DR. APOSTOLAKIS:  GAO said that.
          MR. KING:  We're going to talk about that.
          DR. APOSTOLAKIS:  I thought the CSIS said the same thing.
          MR. KING:  The CSIS said we don't have a good definition of what
     our safety --
          DR. APOSTOLAKIS:  That's definitely one of the things they said. 
     Anyway, independent --
          MR. KING:  Slide 19 and beyond is where we're going to talk about
     the GAO recommendations.
          DR. APOSTOLAKIS:  But I wonder whether what you are presenting
     here, Tom, is really a plan.  Is it really a plan?
          MR. KING:  That's part of the problem.  What we have in today's
     PRA implementation plan is a catalog.  It's not a plan and it's arranged
     by office and here is what each office is doing in the PRA area.
          DR. APOSTOLAKIS:  So you will address that when you come to the
     GAO report.
          MR. KING:  Yes.  Next item, Rich is going to talk a little bit
     about the risk-informed licensing actions that have been taking place.
          MR. BARRETT:  When we briefed the Commission in early September,
     we had a section on risk-informed licensing actions.  So we include it
     here, but, in fact, I don't think we should spend much time on it today. 
     We had a very extensive briefing for the ACRS back in April.  Mark Rubin
     went through it in quite a bit of detail for this subcommittee, as well
     as for the full committee.
          And in large measure, nothing has changed in terms of where we're
     going and what we're trying to accomplish.  I would like to say that
     this is an ongoing program.  It's a healthy program.  We continue to get
     submittals from the industry, we continue to turn them around at a
     healthy rate.
          Right now, what we're trying to do, more than anything else, is to
     focus on making this type of licensing action as much -- as close --
     resemble as much as possible every other licensing action we do. 
     Specifically, quantitatively, in terms of the timelines with which we
     can turn these things around and the resource burden associated with
     reviewing these licensing actions.
          We're trying to get to the point where we can essentially do these
     in the same -- with the same amount of effort and with the same
     timeliness as with other licensing actions.
          We think we're doing pretty well on that, but one of the things
     we're trying to do is to develop the capability to monitor both those
     parameters, so that we can have a quantitative measure of how well we're
          So I really would propose not to dwell very much on this
     particular aspect of the PRA implementation plan.  I think it's
     something we've discussed a great deal in front of the committee in the
     recent past.
          MR. KING:  The risk-informed reg guides.  When the Commission
     approved issuing those as final guides, they also said do an annual
     review of those guides to see what needs to be updated to keep them
          That annual review came due over the summer.  We issued two memos
     to the Commission, one in June and one in August, that said based upon
     the experience to date, here are some areas that we think need to be
     updated and we proposed a schedule to go update the guides.
          What I've listed here is just a quick summary of the areas that we
     feel right now are candidates for revision in the regulatory guides. 
     These revisions would start sometime early next calendar year.
          Reg Guide 1.174, if we get a PRA standard, we certainly want to
     endorse it.  We had said, when we issued the guide originally, that we
     needed to think about additional guidelines for the shutdown condition,
     because right now it's just CDF, based upon the low power and shutdown
     work that Mary is going to talk about later, that comes out of that, we
     may propose some additional more specific guidelines for the shutdown
          And then it was pointed out that we have risk guidelines in 1.174,
     particularly a lot of plants, like half the plants doing the IPEEE
     didn't use seismic PRA, they used seismic margin; should we put
     something in that deals with that methodology and allows -- provides
     some guidelines.
          So those are the three main areas in 1.174.
          DR. KRESS:  Do you recall Rick Sherry's paper on that subject?
          MR. KING:  On seismic margins?
          DR. KRESS:  Yes, and how to convert them into risk numbers.
          MR. KING:  No, I don't remember that.
          DR. KRESS:  There is such a paper.  You'd probably want to look at
          MR. KING:  I'd like to see that.
          DR. KRESS:  I don't know -- I don't want to endorse it, but it's
     something you might want to look at.
          MR. KING:  Mike can get us that?
          DR. APOSTOLAKIS:  Regarding 1.174, a I remember, it's been a while
     since I looked at it, but as I remember, there isn't really very much in
     1.174 on importance measures and it turns out that very important
     risk-informed decisions are based on the use of importance measures.
          In fact, risk-informed ISI, risk-informed GQA, the regulatory
     guides deal exclusively with importance measures.  It seems to me there
     is a disconnect between the general guidance and the applications.  It
     would be nice, when you revise 1.174, to give it -- to pay attention to
     the importance measures, the attention they deserve, and offer astute
     comments as to how, by using that, does one really -- it's not clear how
     one complies with -- whether one complies with 1.174 delta CDF and delta
     LERF guidelines, because we don't have the models to calculate delta CDF
     and delta LERF.
          And we take it on faith that if you categorize the components
     according to RAW and Fussel-Vesley, it makes sense then to relax some of
     the requirements.
          Tomorrow we'll have more on that, but I think it's an important
     omission because if you -- if a new reader reads only 1.174, that person
     will have no idea that these very important activities are taking place
     in the name of 1.174 without really having a direct connection to 1.174.
          So I think a good discussion there, right after you have figure 3
     and 4, delta CDF and delta LERF, would be really very appropriate,
     because that will give you the opportunity also to think again about the
     connection between the two.
          DR. KRESS:  I suspect if you ever get around to including these
     other objectives in the policy statement, those might have to show up in
     future version 1.174.
          MR. KING:  Yes, that's true.
          DR. KRESS:  But that's sometime in the future.
          DR. APOSTOLAKIS:  Now, regarding the importance measures, I was
     doing some simple calculations on the plane and I must say I got very
     perplexed.  And tomorrow, again, we'll see that basically what the
     revision to Part 50 is, at this point, is really a reclassification of
     components and systems and structures to some new category that will be
     safety-significant, not safety-related.
          And the basis for those things are really the importance measures. 
     So I'm wondering whether we have really thought about importance
     measures and what they mean and I'm toying with the idea, Mike tells me
     I can do it, so I may do it.  Tomorrow morning I will use a slide or two
     to show you why I am perplexed.
          But I can give you the flavor of it right now, if you want.
          MR. KING:  Sure.
          DR. APOSTOLAKIS:  Take a simple system, where you only have one
     accident sequence, just one, and it has three elements, one, two and
     three.  One can be the initiating event and the other two the
     unavailability of systems.
          So the product or the three frequencies are unavailabilities is
     the ultimate bad thing, the core damage.
          DR. KRESS:  The contribution.
          DR. APOSTOLAKIS:  Yes, but there is only one sequence in this
     fault experiment.  So I ask myself what is wrong for each of the
     elements.  And if I take them as having the same unavailability, if you
     do the calculation, it's one-over-Q.  So if the unavailability is
     ten-to-the-minus-two, RAW is 100, because RAW says take the
     unavailability, the baseline availability, set Q equal to one for that
     component, and divide by the total.
          Now, the total is the product of the three.  In the top, you have
     the product of the remaining two.  So it's one-over-Q1.  And
     Fussel-Vesley is one, because there is only one minimal cut set.  So the
     numerator and the denominator are the same.  Right?
          So now it appears -- well, okay.  So now, what do I have?  I have
     a RAW of one-over-Q and a Fussel-Vesley of one.  Now, I'm saying, well,
     gee, I really want to improve my system.  I'll go out of my way to
     improve my system.
          So I had only two components to save me and now I'm adding 100. 
     Defense-in-depth at the extreme, right?  One after the other, all of
     them must fail.  So now I have a huge accident sequence that must --
     that has 100 plus 303 elements.
          Calculate RAW again.  Still 100.  Calculate Fussel-Vesley. Still
     one.  Nothing happened.
          DR. KRESS:  So you've got 100 things and I'll have a RAW of 100.
          DR. APOSTOLAKIS:  That's one observation.  The other observation
     is that I went through this extraordinary expense and I have not
     affected RAW, I have not affected Fussel-Vesley for the original
     component, and I don't know.  I mean, it was just two hours ago.  I
     don't know what the consequences of that are.
          I think what's missing here, Tom, is the absolute value of the
     core damage frequency.  We are working only with relative stuff.  So in
     a relative RAW sense, it's still 100.  The fact that you spent five
     million to improve the system is completely irrelevant, and that bothers
          Then I go to another case.  Suppose now there are two accident
     sequences, the original one plus another one.  The system must be worse,
     right?  Because now there are two ways it can fail, two minimal cut
          And I recalculate the RAWs and now they are smaller.  Do the
     calculations.  It's not one-over-Q anymore.  It's smaller.  So because I
     have a new way of failing the system, the importance of the original
     component went down.
          DR. KRESS:  Because of parallel paths.
          DR. APOSTOLAKIS:  Yes.  But isn't that crazy?  That's crazy.  But
     by making the system worse, the individual risk must go down, and
     Fussel-Vesley.  It goes down.  It's not one anymore.
          So I'm able to put those in a viewgraph for tomorrow morning,
     because I don't have the answers myself.  But I think what happened is
     that people developed these things in the past and now just use them,
     it's simple to use, and say, well, gee, that's great.  But I'm not sure
     that anybody really has sat down to think about what exactly these
     things mean.
          I don't understand why, by having an additional accident sequence,
     it diminishes the importance of the original components.
          MR. BARTON:  It sounds like you're perplexed, George.
          DR. APOSTOLAKIS:  I am completely perplexed.  So tomorrow morning
     you may get it in writing, but that's essentially the essence of it.
          MR. KING:  Okay.  All right.  Let me just quickly go through the
     rest of these reg guides.  The one on tech specs, we had this tier one,
     two and three concept in there.  Tier two was really a configuration
     risk management program.  With the maintenance rule now requiring that,
     we don't need the tech spec reg guide to put the same thing on.  So
     that's a change we propose.
          DR. APOSTOLAKIS:  Let me understand what this is.  Reviews of the
     tech spec AEOD request indicates the tier two.  What is tier two?
          MR. KING:  Remember, that was the configuration risk management
     that they had to analyze.
          MR. BARTON:  That they put in their tech specs.  They went for an
     extended period of time.
          MR. KING:  With an extended allowable outage time.
          DR. APOSTOLAKIS:  I'll go back and -- that's fine.
          MR. BARRETT:  I think it's actually tier three.
          DR. APOSTOLAKIS:  Now, regarding the allowed outage time, you will
     still have that five-ten-to-the-minus seven probability.
          MR. KING:  That is, yes, probability, that is still in there.
          DR. APOSTOLAKIS:  Still in there.  It's interesting.  I was
     reading a paper written by three guys from Southern California, Don Hook
     being one, on their risk monitor and they say something interesting
     there.  They say that when they have -- when they are in these temporary
     conditions, they have also a limit on the -- an upper bound on the
     condition of core damage probability, like everybody else does, but then
     they go on and say but we are really believers in conservative risk
     management, so we also have a bound on the condition of core damage
     frequency, which is such and such.
          So they don't only look at the integral over time, but they also
     want the CCDF never to exceed that bound, which is interesting.  It's
     more conservative than this regulatory guide and, again, the question is
     whether the staff has thought about these things.
          MR. KING:  That's one of the safety goal issues.  I didn't put it
     on the slide, because I didn't think it was at the magnitude of the
     others, but should we have some guidelines on temporary risk conditions.
          DR. APOSTOLAKIS:  Okay.
          MR. KING:  So that's one of them.
          DR. APOSTOLAKIS:  Fine.  But I thought it was interesting that the
     licensee was doing something more conservative.
          MR. KING:  The other thing that's being thought about now is those
     same conditional probabilities that are in the tech spec reg guide are
     being considered for implementing the new maintenance rule A-4
     requirement.  So it would be the same numbers.
          The Reg Guide 1.175, the IST guide, there has been some feedback
     about even though things are categorized as low safety significance, we
     still require too much testing.  So the staff is thinking about ways to
     relax that in the revision and, also, if the ASME code cases on
     risk-informed IST ever get approved, we'd go ahead and reference those,
     as well.
          GQA is sort of on hold at this point.  We don't have any specific
     recommendations.  So there was a rule that was issued in April of this
     year that allows plants to make changes to their QA programs on a 50.59
     type process.  If another plant had been approved to make those changes,
     similar plants are allowed to come in and put them in without any prior
     staff review and approval.  So that may take care of a lot of the
     problem.  I don't know if Rich wants to talk anymore about that.
          Then Reg Guide 178, the ISI one, remember, we issued for trial use
     or scheduled to incorporate experience and issue it as a final in June.
          DR. APOSTOLAKIS:  Tom, it appears to me that you are halfway
     through your presentation.  You have 24 viewgraphs.  Shall we take a
     break here?
          MR. KING:  Whatever you want to do.
          DR. APOSTOLAKIS:  Okay.  Recess for 15 minutes.  Be back at 2:25.
          DR. APOSTOLAKIS:  We're back in session.  So we're on viewgraph
          MR. KING:  Number 12.  Number 12 is something that was discussed
     in a SECY paper, 99-182, but I'm not sure how much the committee saw it
     or discussed it.  I thought it was an important piece of work and that
     we had been asked by the Commission to look at the risk impact of
     exemptions to Appendix R.
          We approached that by taking nine plants whose IPEEEs said that
     the fire risk from those was at the high end of the list.  We excluded
     Quad Cities because that had been looked at separately and they were off
     doing things as a result of that.  But we looked at nine others and came
     out with results.
          There were 169 exemptions that were looked at.  Most of them
     turned out to be non-risk-significant, but there were several that were
     risk-significant, and I've asked Alan Rubin, if you wanted more detail
     on what was done and what they came up with, he's here to -- he did the
     study and he's here to talk to you about it.
          But there is going to be some follow-up action by NRR on the ones
     that they found that were risk significant.
          DR. APOSTOLAKIS:  So can you give us one example, Alan?
          MR. RUBIN:  Let me just make a general observation now.  We based
     our analysis on IPEEE results and we felt that the overall big picture
     was very robust, the conclusions that the large majority of the
     exemptions were not risk-significant, were either small or
          For the plant-specific results, we need to follow up to verify the
     analysis.  So an example is at one plant, in an area where there was a
     high core damage frequency or high contributor to core damage frequency
     for that plant, the cable vault area, the lack of automatic fire
     suppression covering the entire area and also lack of a one-hour fire
          So we're following up to see whether or not indeed the data that
     we've got in the IPEEE submittal, in our analysis, bears out when we go
     back and talk to the utility.
          DR. APOSTOLAKIS:  So the utility had requested an exemption.
          MR. RUBIN:  This was going back historically, in the past, had
     requested an exemption.  Yes.
          DR. APOSTOLAKIS:  They didn't have an automatic suppression
          MR. RUBIN:  Not complete coverage in this case, yes.
          DR. APOSTOLAKIS:  Now, it turns out, what, that not having that
     makes the CDF high?
          MR. RUBIN:  By definition, we looked at high risk significance as
     a potentially -- we call them potentially risk significant, it's greater
     than ten-to-the-minus-fifth contributor to CDF.  It was consistent with
     Reg Guide 1.174 definitions.
          DR. APOSTOLAKIS:  So the exemption there -- I mean, if I were to
     submit an application, a request, following 1.174, I would say I don't
     want to put in an automatic suppression system in this particular room,
     and here is the reason, and then it wouldn't pass.  That's what you're
          MR. RUBIN:  What I'm saying, one of the -- Tom mentioned the
     follow-up activity that we're doing is on the specific plants that we
     found potential risk significant exemptions.  I think it's particularly
          Another follow-up action is that in the future, we're going to
     encourage licensees to make exemption requests risk significant, provide
     information in the Appendix R area that, as a basis, looking at their
     IPEEE results to see whether the exemption effects scenario, that high
     risk contributor, for example, provide that information in their
     exemption request.
          DR. APOSTOLAKIS:  When they requested the exemption, what
     arguments did they give you?
          MR. RUBIN:  Pretty much, it's deterministic.
          DR. APOSTOLAKIS:  Yes.  But I'm curious to know, because it's
     interesting that on a deterministic basis, their request was approved
     and now we find that in a probabilistic basis, it might not have been
          Is there anything we can read to understand better what --
          MR. RUBIN:  We'd have to go back.  That's one of the follow-up
     actions we're doing, to look at those specific exemptions.  And it's a
     relatively small number.  Only -- there are really only five exemptions
     out of 169 that were in this category of potentially risk significant.
          DR. APOSTOLAKIS:  Could you send us anything to read?
          MR. RUBIN:  Yes.  There's a SECY paper that's available.
          DR. APOSTOLAKIS:  On this particular issue?
          MR. RUBIN:  On this, yes.
          MR. KING:  And the numbers are on the viewgraph there.
          MR. RUBIN:  SECY-99-182.
          DR. APOSTOLAKIS:  I'd like to look at that.
          MR. KING:  But I think the answer to your question is yes.  If
     this had been a risk-informed exemption request, it would have been
          DR. APOSTOLAKIS:  And I want to understand better why.  That's an
     interesting situation.
          MR. BARRETT:  What's interesting, from our perspective in NRR, is
     that the SECY paper gives some guidance as to the characteristics of the
     types of exemptions that might be risk-significant versus the types, the
     vast majority of the exemptions which are not risk-significant.
          So what we're planning -- what we're doing right now is developing
     guidance for how to screen these Appendix R exemptions so that we can
     decide which ones to kick up for risk look, and then if, upon
     examination, it looks like it might be risk significant, we would open a
     dialogue with the licensee on that.
          DR. APOSTOLAKIS:  Last time we had a presentation here, I believe
     you were here, Rich, discussing the authority of the staff to invoke
     risk arguments when the licensee does not use them.
          MR. BARRETT:  Right.
          DR. APOSTOLAKIS:  This would be a good case, right?  The licensee
     comes, thinks they have a good case and a deterministic basis not to do
     something, then you come back and say, no, on a risk basis, you can't,
     there goes the two-tier system.
          MR. BARRETT:  This is a little different from a regulatory
     perspective because this is a case where a licensee proposes not to meet
     the rule, whereas the paper we discussed last month was what to do if
     they meet the rule and yet you think there is a risk issue.
          But technically, it is still the same problem.
          DR. APOSTOLAKIS:  Conceptually.
          MR. BARRETT:  Yes, right.  So what we're planning on doing is
     implementing this guidance informally and then after we've identified
     the first case, then I think we'll be developing general guidance on how
     to deal with these things and put out some guidance to the industry.
          And as Alan said, we would like to encourage certain types of
     Appendix R exemptions to be risk-informed.
          DR. SHACK:  Just out of curiosity, what are your tools for doing
     this risk impact assessment of the Appendix R exemptions?
          MR. BARRETT:  Well, if we identify one that looks like it's
     risk-significant, the first thing we would ask is for the licensee to
     use their risk model to address it, which, in this case, would be their
          If the licensee chooses not to do that, then we would have to go
     and look at -- I really don't know where we would go at that point.  We
     might have to actually look at their IPEEE.
          MR. RUBIN:  Let me give you an example of what we did as our
     study, and, again, with limited resources, we had a lot of exemptions to
     look at.  We would take a case where there was an exemption and look at
     the IPEEE and if that was in an area that was a dominant risk
     contributor, generally that was listed as what contribution that was to
     core damage frequency for the plant in the fire area.
          We would then go and say, okay, if the exemption were not granted
     and there were a different -- automatic fire suppression was included at
     the plant, how would that affect the overall results for that particular
     area and the overall contribution to CDF, and we find a delta of
     ten-to-the-minus-fifth or greater, we considered that potentially
          Less than ten-to-the-minus-sixth, we said small or very small,
     basically a non-contributor to risk.  So we're relying on the best
     information we have.  There are limitations that are discussed in the
     Commission paper and using IPEEEs, but it really is probably the best
     and most solid information that we have available to do this kind of
          MR. BARRETT:  The ground rules for this kind of a licensing action
     are different than for, say, a license amendment.  10 CFR 50.12 gives
     the criteria under which the staff may consider granting an exemption
     and those criteria are different than the finding you would make for
     approving a license amendment.
          It's a somewhat higher hurdle to cross.
          MR. KING:  Okay.  Fire risk methods, just quickly.  We'll talk
     about three risk methods.  First, fires.  We had issued, back in June, a
     program plan on fire risk research, and I know we've got a -- I believe
     there is a meeting scheduled with the subcommittee in November, so you
     will hear more about it then. But that started about nine months ago,
     the work on fire risk.
          It still has a long way to go, but it has, to date, helped out on
     developing, for example, in the IPEEE, developing the questions to ask
     licensees, providing some information on how to evaluate their heat loss
     factors, for example.
          So it's feeding into IPEEE at this point.  It's developing
     information for model validation, but there's still quite a few areas
     that need to be done.  And I don't intend to go into this in detail,
     since you'll get a separate briefing on it.
          DR. APOSTOLAKIS:  We will be briefed in a month, is that what you
          MR. KING:  November, I understand.  I don't know the day.
          DR. APOSTOLAKIS:  The full committee or the subcommittee?
          MR. BARTON:  It's a subcommittee meeting, I think, in November.
          DR. APOSTOLAKIS:  Subcommittee.  But then there will be a full
     committee meeting.
          MR. KING:  We would like to get your letter on the plan we sent
     you back in June.
          Methods to address aging, the risk of aging.  We had done a
     feasibility study, the draft report has been issued, that looked at one
     aging mechanism, flow accelerated corrosion.  It looked at the
     application of that Surry plant to determine the practicality of
     implementing such a model.
          DR. APOSTOLAKIS:  These two bullets there, who did that work?
          MR. KING:  A contractor did this work.  I think it originally
     started at INEL and they had a subcontractor.
          DR. APOSTOLAKIS:  Yes.  I have a conflict of interest with this,
          MR. KING:  I'm not sure it's a subcontract with you or the
     university, but you're involved in this.
          DR. SHACK:  You have to ask, George?
          MR. BARTON:  Guilty by association, George.
          DR. APOSTOLAKIS:  The third bullet there was a little bit of a red
     flag to me.  I gave a paper on that up here.  So Dr. Kress is chairing
          MR. KING:  We're still looking at the feasibility, whether we
     ought to continue this program, extend it to other aging mechanisms, how
     practical is it to implement, and how do you treat uncertainties given
     that, in some cases, if your model works really well, you're not talking
     about random failures, you're talking about being able to predict when
     something will fail due to aging mechanisms, whether it's flow
     accelerated corrosion or thermal fatigue or whatever.
          If you do a good job, it's not a random effect anymore.  It's a
     failure prediction.  So in the next few months --
          DR. SHACK:  Does this try to include the effect of, say, your
     inspection program to prevent the failure?
          MR. KING:  I'm not sure I can answer that level of detail.
          DR. APOSTOLAKIS:  So far, no.
          MR. KING:  We'd certainly -- if the committee wanted to be briefed
     on this, I don't think we have any separate briefing schedule for the
     subcommittee on this program, but it could be arranged if you felt you
     wanted to hear more about it.
          DR. KRESS:  Speaking as the Chairman, I think it's definitely an
     area we'd want to hear about later, whenever it's ready.
          MR. KING:  Okay.
          DR. APOSTOLAKIS:  Do you want him to bring the contractor?
          DR. KRESS:  Yes, and you can bring your contractor along.
          MR. KING:  All right.  Low power and shutdown work is underway. 
     Mary can talk briefly about it.  There is a separate briefing schedule,
     again, in November to the subcommittee, so we won't spend much time on
     it.  But I know there have been a number of plant visits and visits to
     EPRI and so forth after our workshop that we had back in April.
          DR. APOSTOLAKIS:  So what is the consensus?  It says here -- am I
     back on?  Yes, I'm back on the subcommittee.
          The last bullet says that there is consensus that it maybe
     significant.  In fact, I think from the studies we have seen, there
     should have been consensus view that LPSD risk is significant.
          It may be significant for an individual plant, but it's agreed it
     is significant, is it not?  Several PRAs have showed that.
          MS. DROUIN:  All that bullet was trying to say, George, is that
     prior to the workshop, in terms of the NRC, we had looked at strictly
     Surry and Grand Gulf and can you extrapolate that to the industry.
          So we had the workshop.  Industry is coming in and they're just
     saying yes, when you look at lower power shutdown, you need to be
     concerned about the risk, it is comparable to full power.  So there is
     not a debate there, is all I'm trying to say.
          DR. APOSTOLAKIS:  That's, in fact, why I'm raising the question. 
     The question, as I recall, when we met, was should -- and I think the
     Commission is very much interested in this -- should the agency start
     from scratch, so to speak, or from the two studies that the two national
     labs did and take it from there and then the concern is that that may be
     too expensive, or has the industry or other parts of the world made
     significant strides in this area, so we don't have to reinvent the wheel
          So what is it that you learned from these site visits and meetings
     with the developers?  Did you find out that they went beyond what
     Brookhaven and Sandia did or they are simply copying those methods?
          MS. DROUIN:  What you have seen is a complete range going from one
     extreme to the other, where some utilities have done nothing to some
     utilities who have developed very detailed low power shutdown PRAs.
          DR. APOSTOLAKIS:  But have they gone beyond what BNL and SNL have
          MS. DROUIN:  No.
          DR. APOSTOLAKIS:  No.
          MS. DROUIN:  No.
          DR. APOSTOLAKIS:  So the state-of-the-art is still those NUREG
          MS. DROUIN:  Right.  And if you go to the next slide -- and we're
     going to come in, like I said, in November and give you a detailed
     briefing of what we've learned from those site visits and from other
          But everyone agrees -- and when I say everyone, both at the NRC
     and as we went to the site visits, also, people who were at the workshop
     who weren't necessarily licensees that we visited, are issues that need
     further work and the issues are all over the place, also.
          So everyone agrees that additional work needs to be done in this
     area and supports the idea of that, because everyone is agreeing that,
     yes, you need to be concerned with the risk from low power shutdown.
          DR. APOSTOLAKIS:  So that confirms suspicion.  Now, I think this
     is a very sensitive issue.  I don't think that some Commissioners and
     perhaps other senior managers of this agency really want to do another
     1150 on this.
          I don't think that by just saying that low power shutdown risk may
     be a significant contributor that is a reason that people will feel is
     compelling enough to start the research project here.
          I think an additional argument, which is very strong, in my
     opinion, is that the industry is doing certain things to manage low
     power shutdown risk.  They use ORAM, SENTINEL and so on, which is a
     mixture of risk insights and deterministic, say, defense-in-depth kind
     of things; do you have means to cool the core, that kind of thing.
          And the argument that has been made on our side is that the staff
     right now really doesn't have the analytical tools to be able to
     evaluate the validity of what the industry is doing.  Would you agree to
     investigate that?  You may be able to investigate part of it based on
     what BNL and SNL have done, but overall, I think that's a true
          And the need then to look at low power shutdown risk really should
     be anchored on that rather than the fact that it's important, because
     they may tell you it is important, but we are controlling it this way. 
     But if you say, okay, that may be great, but I really can't tell, that's
     the whole idea of doing the research in these matters, to be able to
     convince yourself that, yes, what ORAM and SENTINEL does makes sense to
          DR. KRESS:  George, I agree, but I wouldn't want to put all my
     eggs in that basket either, because as I mentioned before, there are two
     distinct types of low power shutdown risks.  One of them is to manage
     outages and it's an instantaneous risk meter, and that's what you're
     talking about.  I personally think that's in fairly good shape.
          DR. APOSTOLAKIS:  Yes.
          DR. KRESS:  But you do need a way to monitor it, like George says. 
     The other part of that is what contribution does this make to the
     average overall risk over the lifetime of a given plant for putting into
     your risk-informed regulatory procedures has nothing to do with
     instantaneous risk.  Well, it does, but not much.  And that's an
     entirely different application --
          MS. DROUIN:  I agree.
          DR. KRESS:  -- that takes a different PRA and --
          DR. APOSTOLAKIS:  You're right.
          DR. KRESS:  -- for use in that, I think that's another strong
          DR. APOSTOLAKIS:  I agree.
          MS. DROUIN:  And that's the one, because what you see when you do
     look at ORAM and all of these, they are exactly that.  They are
     configuration control management tools.  They don't go in and calculate
     the risk of the plant.  And in doing that --
          DR. KRESS:  It's an instantaneous risk.
          DR. APOSTOLAKIS:  Let's call it conditional.  No, I fully agree. 
     I fully agree that for risk-informed applications, we have to have a
     good number from there.  So that's a third argument.
          MS. DROUIN:  And a good model.
          DR. APOSTOLAKIS:  But it seems to me, based on my impression now,
     and talking to various groups, the only argument that really flies at
     this point is the ability of the -- the lack of the tools, the ability
     of the staff to really look at what the industry is doing and say, yes,
     we like it, or maybe you should change this.
          I notice the Commissioners are much more willing to listen if you
     tell them that than if you say no, it's important, we have to
          MR. KING:  Isn't it really more than that, though?  Right now we
     have 1.174 that doesn't say much about how do you deal with a shutdown,
     what's important, what should you look for.  We don't need a full
     benchmark PRA every time somebody wants to go in and do something that
     affects the shutdown condition.
          If we can get some insights out of work that's been done by
     industry, by overseas, wherever, that says these are the plant
     conditions that are important, some are relative or ballpark idea of how
     important they are, and then just use that as some sort of checklist or
     evaluation tool for looking at licensee submittals, so if they're not in
     this condition, we don't worry about it; if they are, we do worry about
          DR. APOSTOLAKIS:  Submittals for what?
          DR. KRESS:  License amendments.
          MR. KING:  License amendments.
          DR. APOSTOLAKIS:  License amendments.
          MR. KING:  We've also had operating experience that says things,
     risky things happen in plant configurations that were not analyzed in
     the Brookhaven and Sandia studies.  They focused in on a couple of
     specific plant operating states, but they're not the ones that always
     pop up as the risky ones.
          DR. APOSTOLAKIS:  And I think this, again, brings up the issue of
     objectives.  I keep coming back.  Because some people make the argument
     that the risks simply cannot be comparable because the hazard is lower.
          On the other hand, perhaps if you look at it from the public risk
     perspective, maybe there's some point there.  But can you really afford
     an incident, you know, start spilling radioactive water into containment
     and so on and there is panic and emergency and so on, even though
     nothing happens outside?  No, I don't think we can afford that.
          And I think, again, that comes back -- that's the first
     cornerstone of the staff oversight process.  We don't want initiating
     events.  But we are not really stating that as an overarching principle
          So, again, I think people are talking in different wave lengths
     there.  One person says, well, gee, from the public health and safety
     perspective, I really don't think this is that important.  But then
     others worry about it, and I think that there is this intermediate
     objective that people are concerned.
          So really we need those principles somewhere.
          MR. KING:  I agree.
          DR. APOSTOLAKIS:  You don't always have to kill people outside the
          MR. KING:  No.
          DR. APOSTOLAKIS:  In order to worry about it.
          MR. KING:  No.  We just have to get them excited and that's
          DR. UHRIG:  We've already had one incident with -- I think it was
     Vermont Yankee, went critical with the lid off, about 20 years ago, 15
     years ago.  They had a criticality.
          DR. APOSTOLAKIS:  For how long?
          DR. UHRIG:  It was up in the -- I don't remember.  Was it kilowatt
     power up in the -- then they got to megawatt.  It went critical with the
     lid off.  Somebody moved something and, of course, it brings you back to
     the SL-1 accident.
          DR. KRESS:  That went critical, didn't it?
          DR. APOSTOLAKIS:  Prompt.
          DR. UHRIG:  I don't think it was prompt critical, but it went
          MR. BARTON:  SL-1 was.
          DR. UHRIG:  SL-1 was prompt critical.
          MR. KING:  But anyway, I think the standards effort will go a long
     way toward trying to give us a tool by which to evaluate submittals.
          DR. APOSTOLAKIS:  But how can the standard be written when the
     basic work has not been done or is the staff happy with the two studies
     that the laboratories did?  My understanding is that they only looked at
     limited number of data.
          MR. KING:  The standard could be written saying this is what ought
     to be done.  Maybe there aren't PRAs that have done all of that yet, but
     there's probably been enough work done that you could say, gee, if I had
     to do it again, this is how I'd like to do it.
          Now, speaking for myself here, I'll let Mary correct me.
          MS. DROUIN:  We have in our writing group for the standard
     identified areas that are going to be needing work.  You just can't
     write the standard there yet because the work, the technology is not
     there.  So we have recognized that, but I don't think because there are
     areas that need some further work, that doesn't mean you can't write a
     standard.  You just don't write a standard for that particular area.
          DR. APOSTOLAKIS:  Well, if the standard simply says additional
     work is needed, sure, you can write it.
          DR. KRESS:  This is going to take a different kind of PRA. This is
     going to have to be some technology developed.
          DR. APOSTOLAKIS:  Yes, that's what I'm saying, that you have to do
     this basic stuff first.
          DR. KRESS:  You can't do it.  You don't have the technology.  We
     can't wait till then to write the standard.
          DR. APOSTOLAKIS:  What's what I'm saying.  I agree with you. 
     Maybe I didn't say it in so many words, but.
          DR. KRESS:  Yes.
          MR. KING:  Anyway, this culminates in a report to the Commission
     in December that is going to lay out where do we go from here, and
     that's what we want to talk to you about in November, and get your
          DR. APOSTOLAKIS:  Incidentally, I was looking at some of the risk
     monitoring, a paper that described what was in the risk monitor the
     other day, and this is -- they claim that they also put or they will put
     shortly the low power shutdown model.
          I think there is a problem there and I think it applies also to
     the maintenance configurations.  If you take out a particular component,
     they go to the baseline PRA and they say component A is out, let's put
     its unavailability code to one, simple enough.  Try and count the
     numbers again and now we have the new numbers and do whatever we want to
          Well, it turns out it's not as simple as that.  It really is not
     as simple as that.  If you really look at the PRA -- let me give you an
          Let's say I have two trains in parallel.  In the PRA, I'm going to
     put various terms about the unavailability of the system.  One term is
     the random, so-called random failure contribution, which is the product,
     right?  Then there will be a common cause failure contribution.  That
     will be the unavailability of one times beta.
          And there may be others, human errors, that's the maintenance, he
     forgets to do it here and then does it again there.
          Now I'm going to a situation, a maintenance situation where train
     A is down and I go to my PRA and I say, well, Q for that train is one. 
     What happens is that that affects only the random failure of the two
     trains.  Instead of Q-square, they will put Q.  Are you still going to
     keep Q beta, the common cause failure probability?  What common cause is
          That should be eliminated, it shouldn't be there anymore.  Are you
     still going to use the same human error probabilities for forgetting to
     re-close valves?  No.  Because that has a probability that they forget
     to do it in one and a conditional probability they will repeat the
          Well, there isn't any possibility like that anymore, so that
     should be modified.
          And in the case of recovery actions, now they know that train A is
     down.  So it's not like it's hitting them -- an initiator is hitting
     them Christmas Eve and they're trying to recover and so on and that's
     what the PRA analyzes.
          Now they know this is out.  Maybe there is more vigilance.  I
     don't know.  Maybe people are more aware of what's going on.  So the
     probabilities that were used there are not valid anymore.
          The net result of all of this is by taking systems out or trains
     out, and it's not a simple matter to modify the PRA, it's not a simple
     matter of saying Q is one, and I'm not sure that many people realize
          DR. KRESS:  But, George, when you do that, you get an effect on,
     say, the CDF that is conservative.
          DR. APOSTOLAKIS:  For some of them.
          DR. KRESS:  I would have thought all of them.
          DR. APOSTOLAKIS:  Maybe, maybe.  Because I said that you should
     eliminate some terms.
          MS. DROUIN:  I agree with you, absolutely.  I certainly haven't
     looked at all the -- there aren't that many, but all the ones who have
     created low power shutdown models.  The ones that I have looked at are
     aware that even though they might start with their full power model, all
     they're doing is taking the essence of the fault trees.     
          They do know to go in and change the data appropriately, because
     you have to go in and you have to look at your test and maintenance,
     because that all changes, your common cause does change.
          DR. APOSTOLAKIS:  Right.
          MS. DROUIN:  But you made a statement of risk monitor --
          DR. APOSTOLAKIS:  But they don't do that.
          MS. DROUIN:  No.  The ones I've seen have done it.  I think that's
     just a lack --
          DR. APOSTOLAKIS:  The risk monitor does it?
          MS. DROUIN:  Risk monitor -- that's not a feature of the software. 
     That's a feature of the analyst.  I wouldn't put that on risk monitor.
          DR. APOSTOLAKIS:  Right.  No, but --
          MS. DROUIN:  The risk monitor is just taking the physical model. 
     It's the analyst who has decided what data to put in there.
          DR. APOSTOLAKIS:  Right.  But what I'm saying is the analysts have
     not made those provisions.  I'm sure they are aware of it, but when the
     utility uses the monitor and we say now we're going to take this out
     because we're not going to do on-line maintenance on train A of the
     emergency core cooling system, and then they put that down and now you
     see the core damage frequency going up.
          I think that's the result of a calculation where only their
     hardware and availability of that train was one.
          DR. KRESS:  I think they made a judgment that that because it's
     conservative, that's all that's worth doing to it.
          DR. APOSTOLAKIS:  That's speculation.
          DR. BONACA:  I think -- no.  I know that more than that is done. 
     All the considerations that you're making are being taken into
     consideration.  That's why you have a guy applied full-time to doing
     those kind of evaluations.  He just goes through the model and you have
     really guidelines, in fact, very specific about going back and checking
     that, for example, if there are certain cut sets where you had some
     measure that you made, you take back the sequences and you look at them,
     because those considerations are being taken.
          MS. DROUIN:  I am sure --
          DR. BONACA:  Yes, because there is a big impact -- you're sure.
          MS. DROUIN:  I am sure that you have utilities who have not done
     it properly.  I am aware of some that have done it properly.  But I
     would say that this is a very good argument for a standard, because it
     would get into those kinds of things.
          DR. APOSTOLAKIS:  Nobody is arguing against it, but I have not
     seen evidence, written evidence that this is being done.  Now, if you
     tell me that some people are doing it, sure.
          DR. BONACA:  And when you go to two components out of service, it
     makes an additional complication.  In fact, you cannot take the same
     model.  You have to really go back in and do -- so it's very
     time-consuming and when we talked about the issue of evaluating two or
     more components out of service, recognize that this is --
          DR. APOSTOLAKIS:  My point, Mario, is that if they do this and
     they have an analyst doing it, maybe they do it for some cases, but it's
     hard for me to see how a computerized system, like a risk monitor, does
     it exactly.
          DR. BONACA:  I agree.
          MR. BARTON:  I don't think the risk monitor does.  I think an
     analyst looks at it.  You've got certain standard configurations that
     analyst has looked at and considered what the risk is and if you deviate
     from that and you go back and re-look at it, the deviation from that
     previously analyzed configuration, that's what they do.
          DR. BONACA:  I don't know who uses blindly a risk monitor, because
     you're absolutely right, it doesn't work that way.  You're right.
          MS. DROUIN:  That's a decision made by the analyst, not by the
          DR. APOSTOLAKIS:  I understand that.
          DR. SHACK:  The question is what is the software doing.
          DR. APOSTOLAKIS:  What is the software, that's what I'm asking.  I
     have no doubt that people will sit down and do this if asked.  But what
     I have difficulty accepting is that the risk monitors, as they are now,
     have all these separate analyses.
          DR. KRESS:  It's not just the input that matters.
          DR. APOSTOLAKIS:  It's not just the input.  It's a structural --
     they may do it, they may do it.  I'm not making a blanket statement.
          DR. BONACA:  I'm sure, in several cases, the issue of bounding is
     one that is taken into consideration, because ultimately you're not --
     but the -- and there are a lot of approximations that you make.  For
     example, if you have -- I mean, if you have -- if they're asking you to
     perform a sensitivity on risk by having two components out of service at
     the same time or separate times and do it separately.
          I remember we used to make just one evaluation.  And having both
     of them simultaneously, that gives you a bound.  Now, you know that if
     you take them separately, then it's less risk.  But the other thing is
     that you communicate the bound of having both simultaneously out and
     typically you do it because you know that if they do it one after the
     other, there is a chance that they will, in fact, be simultaneously out
     of service.
          So there are a lot of things that are being done to simplify the
     task and it's being done by the analyst, you're right.
          DR. APOSTOLAKIS:  That's my concern.
          DR. BONACA:  I know.
          DR. APOSTOLAKIS:  That I know that the analyst can do it.  Analyst
     intervention is required.
          MS. DROUIN:  Yes.
          DR. APOSTOLAKIS:  So I would -- now, if you give me a risk
     monitor, I have serious doubts that they have all these ultimate
     analysis there, but I may be wrong.
          MS. DROUIN:  To my knowledge, they don't.
          DR. APOSTOLAKIS:  That's my point.
          MS. DROUIN:  I think you have a valid concern, George.  I think
     you have a valid concern.  I was just trying to differentiate that it
     was the analyst problem, not the software problem.
          DR. APOSTOLAKIS:  Sure.  In fact, that's why I have the concern. 
     Precisely because it's an analyst issue, not just a user issue.
          MS. DROUIN:  Yes.
          DR. APOSTOLAKIS:  Okay.  Where we are?
          MR. KING:  Let's move on.
          DR. APOSTOLAKIS:  We are developing insights, no?
          MR. KING:  We are bringing you up to speed on important things.
          DR. APOSTOLAKIS:  SPAR looks like a Roman acronym.  Wasn't there a
     Roman thing, SB --
          DR. BONACA:  QR.
          DR. APOSTOLAKIS:  QR.  That's why I said looks like.  I didn't say
     it is.  What does it mean, SPQR?  It means accident sequence precursor.
          MR. KING:  This is the last item we thought might be of interest
     to you, before we get into the GAO stuff.  The accident sequence
     precursor program, usually you start out with looking at events, it then
     occurs, and you go in and you calculate what was the conditional core
     damage probability of that event.
          But we're also using those same models for other things and one
     that's kind of prominent right now is looking at D.C. Cook, where a
     number of design and configuration issues were identified, almost a
     couple of years ago, and the plant has been shut down for a long time,
     and they're facing a restart decision in January.
          DR. APOSTOLAKIS:  Let me ask again here.  When did the Cook plant
     do an IPE?
          MR. KING:  Cook did an IPE.
          DR. APOSTOLAKIS:  And how did they find those design problems?
          MR. KING:  Through inspection, as I understand it.  Maybe Rich
     could answer that.
          MR. BARRETT:  There was -- I guess almost two years ago now, there
     was an architectural engineering inspection at Cook.  It was one of the
     design basis inspections and that inspection uncovered some problems
     with the way in which the design of the ice condenser containment was
     being controlled.
          That led the licensee to shut the plant down and begin an
     internally initiated set of inspections, which identified, I believe, in
     excess of 100 design basis problems.
          DR. APOSTOLAKIS:  When was the IPE done, before this happened?
          MR. KING:  Yes.
          DR. APOSTOLAKIS:  And the IPE does not reflect any of this.
          MS. DROUIN:  The IPE on D.C. Cook was not one of the better ones. 
     In fact, this was one that we did a site visit and we wrote -- when we
     wrote the staff evaluation report on it, we only blessed it with a lot
     of caveats.
          The caveats being that D.C. Cook was going to come in and make all
     these changes to their PRA.
          DR. APOSTOLAKIS:  The reason why I'm raising the point is I'm
     wondering to what extent this particular experience supports the Union
     of Concerned Scientists' argument that we can't have risk-informed
     regulation because your PRAs don't have design errors.
          MR. KING:  Well, I think --
          MS. DROUIN:  I would be real --
          MR. KING:  On the surface, you can make that argument, but I think
     what the results of this study is going to show is that when you look at
     those 114 issues, there's only one that's risk-significant and that's
     from looking at them individually.  There's also going to be -- try and
     group them and look at more of a cumulative effect, which hasn't been
     done yet, but will be done between now and December.
          But to me, what this study says is in terms of corrective actions
     at the plant, what should be focused on.  Well, it should be focused on
     the one that really pops out as risk-significant and maybe not worry
     about the others so much.
          DR. APOSTOLAKIS:  When we claim that our PRAs are for the plant as
     it is, not as designed, are there any lessons from this that one can use
     in future PRAs to make sure that indeed that what the PRA analyst puts
     down really reflects the real thing?
          MR. KING:  I think that's the flip-side of this.  In theory, the
     IPE should have recognized these things and included them in their
     model, and they didn't, and how many other plants out there have similar
          MS. DROUIN:  I don't think this is a good --
          MR. BARRETT:  The issues that have been raised at D.C. Cook and in
     other places where there have been design basis problems, by and large,
     are issues that fall below the radar screen of the PRA.  In other words,
     these are issues regarding whether the design basis of a particular
     piece of equipment is being met, and that may or may not affect the
     reliability and availability of that piece of equipment.
          But the kind of issues we're talking about here would not be
     modeled in a PRA, by and large.  Some of them might, but --
          DR. APOSTOLAKIS:  Because they are risk-significant.
          MR. BARRETT:  Because PRAs don't necessarily know how to deal with
     them.  For instance, the issue that was found to be significant was one
     that had to do with environmental qualification and it's difficult to
     systematically evaluate the effect of environmental qualification on
     reliability and availability.  I don't believe it's generally done in
          MS. DROUIN:  Well, what is done in a PRA is that you look at the
     accident scenario and see if an adverse environment has been created and
     then if it's been created, typically what has happened, then you assume
          What happens with many people is that they neglect to look at
     that.  They don't look to see if there's adverse environments.  It's not
     that the PRA can't do it.  It's mainly the analyst didn't do it.
          MR. BARRETT:  I think that's what happened here.
          DR. BONACA:  Let me say that we have some experience to evaluate,
     at Millstone, for example.  At Millstone-3, a very specific equipment
     example was the RSS NPSH issue.  Now, since we found a condition of very
     low pressure, assuming a full failure of containment, where NPSH could
     be challenged, that you could have cavitation, the assumption is, from
     the design standpoint, that the pump, that the RSS doesn't work.  You
     would not be able to do that because you have an NPSH problem.
          In reality, what we're addressing is a very narrow spread
     condition.  Again, full open containment with atmospheric conditions and
     certain others, they will challenge your NPSH.
          Under other conditions, your NPSH will be available and you will
     be available to recalculate.  The issue I'm trying to say is that when
     we looked at it and quantified it, from a PRA standpoint, contribution
     to risk was minimal, because it was a hypothetical failure of delivering
     that function and even then an assessment was done to show that those
     pumps may cavitate, but not fail.
          From a design standpoint, that's categorized as a failure, because
     you don't deliver, under all conditions, what you're supposed to
          So the PRA is such a more complete model because it allows -- it
     is much more robust in the sense that it takes into consideration all
     the other scenarios under which a system will function, will be
          Furthermore, conditions where you don't deliver your design
     objective, but you're still operable or functional, functional, are
     considered a PRA success, not considered in design failure.
          I mean, we did the evaluation and wrote, in fact, to Lochbaum,
     because he asked questions regarding that, and it's interesting how the
     PRA was still fundamentally valid for those plants.
          DR. APOSTOLAKIS:  But the argument that UCS is using is that this
     is a fatal flaw of risk-informed regulation.  Design problems that your
     PRA does not reflect, and there is a need for a rational argument for or
     against this position.
          DR. BONACA:  But, in fact, it is a strength of the risk-informed
     approach that is able to truly put into perspective what the failure of
     a system means.  It means under certain conditions, in a very narrow
     scenario, and what is the contribution to risk resulting from that
     specific deficiency that you may have, which may even not affect your
     functionality.  It may affect your operability from a licensing
     standpoint, but it may not affect functionality.
          DR. APOSTOLAKIS:  Sure, you can do that if you know that there is
     something that's called a design error.  You can evaluate its
          But the argument they make is not that.  The argument they make is
     I have a PRA, I have the core damage frequency distribution and so on,
     and I really don't believe it, because I don't think those guys looked
     for these errors, possible errors.
          DR. SHACK:  But the deterministic is no better.  If the wall is
     half the thickness that you think it is --
          DR. APOSTOLAKIS:  That's the argument I would use, too, but the
     fact that I'm repeating the concern does not mean I agree.
          DR. BONACA:  But I think we have documented very important basis
     upon which the risk evaluation is much more robust and credible, because
     it gives you a full measure of it.  If you're saying that a piping
     system is not designed to withstand 200 degrees Fahrenheit, what does it
     mean?  It may mean the support systems may be banned in the one time in
     which you use that system for recirculating, for example, inside
          Piping would be unaffected, any evaluation will tell you that. 
     From a licensing standpoint, you will say that the system has failed
     because it doesn't deliver it's licensing intent, which is the one of
     being fully compliant with the temperature requirements which were
     imposed in the design.
          So you see, deterministic is very myopic.  It doesn't tell you if
     it works or not.  The PRA will say that's another issue, because when
     called upon to operate, it will function, there will be no leakage, and
     so they will be functional.
          DR. APOSTOLAKIS:  Anyway, this is the argument and --
          DR. BONACA:  I understand that.  I'm only saying that --
          DR. APOSTOLAKIS:  And 1.174, by the way, is not -- has not been
     promulgated as an alternative.  Let's go on.
          MR. KING:  I view this as good news.  You've got a bunch of design
     errors and not much comes out of them in terms of risk.
          DR. APOSTOLAKIS:  Except for one.
          MR. KING:  Except for one.
          DR. APOSTOLAKIS:  And even that is not one.
          MR. KING:  I just thought that -- I don't think you're aware that
     we're using the models in this fashion.
          DR. APOSTOLAKIS:  I remember many years ago, Diablo Canyon had
     similar problems and PRAs had not been developed at that time.  I got a
     bit involved in that and one of the Bechtel guys took me on the side and
     gave me a lecture about what it means to design a nuclear power plant,
     that you expect to have these deviations, just because the regulations
     and the standards say you do this and that.  It's such a complex
     facility, that there will be all sorts of deviations here and there and
     that's why you have such a conservative design, to make sure that these
     will not be significant.
          So you're confirming this.  I mean, the naive approach of an
     academic might be, gee, you really violated the regulations, you know,
     when you built the thing, and the guy says, well, let me give you the
     real story here, yeah, we do that all the time; not all the time, but if
     you look carefully, you'll find a lot of them.
          MR. BARTON:  You'll find a lot of these, yes.
          DR. APOSTOLAKIS:  You will find a lot of them.  But the system is
     still robust because of the extreme conservatism that's everywhere.
          MR. KING:  Should we have defense-in-depth to account for design
     and construction --
          DR. APOSTOLAKIS:  That's what defense-in-depth did, yes.
          MR. KING:  Okay.  GAO.
          DR. APOSTOLAKIS:  I can see structurally written all over you,
     Tom.  Is not Tom asking?  Now I know.
          DR. KRESS:  Tom L. King.
          DR. APOSTOLAKIS:  Oh, it's L.
          MR. KING:  It's L.  GAO, as George mentioned in his opening
     remarks, put a report out in March that basically had one recommendation
     in it and that was the agency ought to develop a strategy for where we
     want to go in risk-informing our activities and how do we get there,
     because they came in and interviewed a number of people, found out what
     we were doing, but it wasn't clear to them, beyond what we were doing
     today, what were our goals in terms of how much of this -- what the
     agency does, do they want to risk-inform, how practical it is to do it,
     when are we going to do it, what are the resource implications and so
          And at least we in Research felt that they had a point in that the
     PRA implementation plan only really told you what you were doing today
     and what you had accomplished in the past.
          So we had prepared a response and the Chairman signed it out back
     to GAO that said we will go ahead and pursue this recommendation and
     since that letter has gone out, I've gotten a number of calls from GAO
     folks saying, you know, how far have you made it, can we have something
     to look at.
          DR. APOSTOLAKIS:  Why are they interested so much?  Who is the
     force behind this?
          MR. KING:  I'm not sure.  I mean, GAO doesn't really do anything
     unless some Congressman or Senator asks them to do something, and I'm
     not sure who originally kicked off their audit where they came in and
     looked at risk-informed regulation.
          But they had told -- they had said that the -- there were supposed
     to be Congressional hearings, in fact, today.  They've been postponed,
     but the focus of GAO's testimony at those hearings, they told us, was
     going to be what have we done about their recommendation to develop this
          So it's fairly important that we make some progress and we decide
     what we're going to do and make them aware of it.  Otherwise, it's going
     to come back and we'll be criticized again.
          Anyway, what we've done is we've been working on an outline as to
     what this document would look like and it's raised a lot of questions
     regarding how it fits into the overall structure of other agency
     documents that exist, what's really its purpose, how much detail is it
     going to have and so forth.
          So what we're talking about is work in progress.  We're still
     debating a number of these questions.  But the next few viewgraphs sort
     of lay out at least a concept that's on the table now for discussion and
     we're hoping to have this sorted out and have a first cut at this
     document by February 2000.
          What we basically envision is that we will take today's PRA
     implementation plan and turn it into what we call a risk-informed
     regulation implementation plan.  It will have this front end to it that
     talks about what are the agency's goals and objectives for risk-informed
          DR. APOSTOLAKIS:  That's not what you have here, right?  When you
     say objectives to describe what, how and when the NRC decides to
     risk-inform an activity, that's really a much lower level objective.
          MR. KING:  The agency's strategic plan has these high level
     objectives that we will pursue risk-informed initiatives.
          DR. APOSTOLAKIS:  So you believe that is responsive to the GAO
          MR. KING:  No, I don't think that is.  I think what's needed is a
     document that says, okay, your high level goal is to risk-inform your
     activities, what are you going to do, how do you decide and how do you
     make those decisions as to what you're going do, and I view this
     document as --
          DR. APOSTOLAKIS:  So the question of why you want to risk-inform
     is not raised.  I thought -- if I look at --
          MR. KING:  I think it is.  It is.
          DR. APOSTOLAKIS:  It says scope, objectives, goals.  Somewhere
     there maybe there is a word vision, but they are not interested in that. 
     In other words, if the agency were completely risk-informed, what would
     the agency be doing, how do you see that.  I thought that was part of
     the question.  And then having established that, the question is now
     what strategies do you have to get there.  Maybe I misunderstood.
          MR. BARRETT:  I think part of the problem that GAO had was that we
     were -- we had a strategic statement, we have a policy statement that we
     think this is a good thing to do, and then we -- you kind of -- when you
     look at all the documents that we have, you jump right to the PRA
     implementation plan and what you see is a catalog of things we're doing
     and it looks -- from an outsider's perspective, it looks like we just
     found some targets of opportunity and we went and started doing it and
     that we really didn't have a strategy, that we didn't know -- we didn't
     have a statement of where we wanted to arrive and how much we were
     willing to spend to get there and how we were going to set our
          So this document is meant to be that middle document that takes
     those high minded goals and the strategic goal and says here is how
     we're going to make decisions as to prioritize our activities and
     allocate our resources and measure our progress, and make a statement of
     where we want to go, how far, how fast.
          DR. APOSTOLAKIS:  So the GAO then did not question the wisdom of
     going to a risk-informed system.
          MR. BARRETT:  No, I don't believe so.
          DR. APOSTOLAKIS:  They took that as a granted and they just
     complained that they don't see a plan to get there.
          MR. KING:  In fact, I think it's probably the opposite.  I think
     they support risk-informed and they'd like to see us go as far as we can
     go in that area, but they don't see us laying out a plan to do that.
          DR. APOSTOLAKIS:  And, in fact, you agree with them, from what
     you're saying.
          MR. KING:  We agree with that.  It's not evident as to where we
     want to go and when we want to go there.  All the strategic plan says
     today, for example, in the reactor area is we will develop and implement
     risk-informed and, where appropriate, performance-based regulatory
     approaches.  That's all it says.  So it doesn't help you very much.
          DR. APOSTOLAKIS:  Now, the first sub-bullet there, I think, is a
     bit misleading to describe what, how and when you decide to risk-inform
     an activity.  I get the impression, and I'm sure it's not correct, but I
     get the impression that, again, you're looking at individual things and
     saying I'm going to risk-inform this and that.
          I would expect to see something more global, more noble, you know. 
     Attack the whole thing and look at it and --
          MR. BARTON:  They're not going to attack the whole thing.
          DR. APOSTOLAKIS:  Attack is the wrong word.
          MR. BARTON:  What is an activity is really your question.
          MR. KING:  That's right.
          DR. APOSTOLAKIS:  But risk-informing Part 50, you would call that
     an activity?
          MR. KING:  Yes.  Risk-informing the inspection program.
          DR. APOSTOLAKIS:  Come on.  Really?
          MR. KING:  Risk-inform the inspection program, risk-inform the
     enforcement program, risk-inform the NMSS activities, risk-inform the
     regulations for fuel cycle facilities.
          DR. APOSTOLAKIS:  That smells of a bottom-up approach and a
     bottom-up approach is never really -- I mean, they can be -- that can be
     your implementation, but your strategic thinking should be top-down. 
     That's my objection to that.
          MR. BARRETT:  Let's take the example of the oversight process, the
     inspection, enforcement, and plant assessment process.
          DR. APOSTOLAKIS:  Yes.
          MR. BARRETT:  The agency made the decision to risk-inform that and
     we are risk-informing it at a couple of different levels.  But suppose
     you came back two or three years from now and you took a look at it. 
     How would you evaluate whether or not you had sufficiently risk-informed
     it, whether you had really gotten as far as you wanted to get?
          For instance, we know that we're using -- we're trying to use
     risk-informed indicators, we're trying to use a risk-informed inspection
     process.  Two or three years from now, when we look at the results of
     this thing, will we be able to say whether or not it accomplished what
     we set out to accomplish?
          I'm not sure that we've written down enough today to make that
     determination.  I think that we'll be able to evaluate the program in a
     year or two when we look back on it and make adjustments as we go along. 
     I don't think we're wandering in the desert here.  But this kind of a
     document would force you to start out by saying what your goal is and
     how you're going to judge yourself.
          MR. KING:  You're saying let's start at the top.  Let's look at
     reactors and then everything under regulating reactors.  Then let's look
     at power reactors, non-power reactors, fuel cycle facilities, enrichment
     facilities, radiographers, the whole --
          DR. APOSTOLAKIS:  And then within the power reactors --
          MR. KING:  Then there's regulations, there's reg guides.
          DR. APOSTOLAKIS:  -- I have oversight, I have enforcement, I have
     other things, and I'm making a judgment now which one to attack first or
     maybe a combination.
          MR. KING:  Or not to attack any of them.
          DR. APOSTOLAKIS:  Or not to attack any of them, yes.  And maybe
     that's what you meant, but it didn't come across.
          MR. KING:  That's what I meant.  That's what I meant.
          DR. APOSTOLAKIS:  Activity, to me, is down here.  If you call the
     oversight program an activity, then --
          MR. BARRETT:  In risk-informing Part 50, we chose to go forward
     with the scoping regulations and hold back with the option three and
     study it more.  We could have done just the opposite.  We had reasons
     for making that decision.
          DR. APOSTOLAKIS:  sure.
          MR. BARRETT:  And we laid those reasons out in 98-300.
          DR. APOSTOLAKIS:  Anyway, I think it's a matter of communication. 
     I'm pretty sure you've done this kind of thing.  So these words I would
     change, if I were you.
          MR. KING:  The idea is to start at that top, work your way down to
     some level.
          DR. APOSTOLAKIS:  Make sure that people understand that, that's
     all I'm saying.
          MR. KING:  But not get down to the level that these are these are
     the words we're going to change in Part 50.  You get down and say, hey,
     we want to risk-inform Part 50 and that's where this document would
     stop, and then the details of actually figuring out what pieces of Part
     50 you want to change would be done through our normal operating plans
     and other documents.
          DR. APOSTOLAKIS:  Yes.  So we will see a first draft next
     February, that's what you're saying here.
          MR. KING:  We hope to have an outline developed soon, in the next
     couple of weeks.  We're going to send it to the Commission.  We owe the
     Commission an outline.
          DR. APOSTOLAKIS:  So when are we going to see you again on this
          MR. KING:  We haven't really talked about that.  The next February
     date is when the next update of the PRA implementation plan is due and
     our view was let's turn that PRA implementation plan into this higher
     level strategy document, call it a risk-informed regulation
     implementation plan, and take a first cut at that in February.
          I think a lot of the reactor stuff you can fill in and you might
     have placeholders in there for a lot of the NMSS stuff, but at least
     with a placeholder, you'll know that, hey, I've got to look at that and
     figure out what we want to do there.  And don't organize it by office,
     like it's currently organized.  Organize it by reactors, non-power
     reactors, however, whatever makes sense.
          DR. APOSTOLAKIS:  Why is the GAO interested only in risk-informed
     and not risk-informed performance-based?
          MR. KING:  I can't answer that.  I think performance-based is
     clearly, to me, an implementation alternative.  If you decide you want
     to risk-inform a regulation, when you end up with this new thing looks
     like, can you specify it some performance-based fashion.  That's what
     we're thinking about in the Part 50 work that we will hear about
          Anyway, certain elements we viewed as being part of this document. 
     One is how do you decide what you want to risk-inform, there needs to be
     some criteria or set of guidance that you'd go through systematically
     and the agency could decide these are the things that I want to
          It could deal with items like stakeholders that indicate a need
     for change.  You can clearly see removing an unnecessary burden if you
     do this.  It might improve the NRC's effectiveness and efficiency if you
     do this.  Would it improve public confidence?
          We were trying to develop sort of the set of criteria that you
     could then go through and test all the things we do against and make
     some decision that, yes, that's a candidate to be risk-informed and then
     if it's a candidate to be risk-informed, is it feasible to risk-inform
     it.  Are there methods, are there data available that you can actually
     apply to risk-inform this stuff?  Are the licensees in a condition to
     actually be able to implement risk-informed regulation, some
     radiographers, for example, if it would take some sophisticated
     knowledge of PRAs to implement it, then it's not going to be practical
     for them.
          Costs, maybe it's feasible to implement it, but the costs are just
     out of line.  So those kinds of considerations.  And that would be costs
     to licensees, as well as costs to NRC.
          So we're working on what are these factors and then at some point
     we'd have to go and actually start applying those to what the agency
     does and I view this sort of as an iterative process.  We take a crack
     at this document, first crack in February 2000, we'll have a lot of
     holes in it, then we'll continue to look at other areas and start to
     fill in the holes as time goes on.
          Then once you decide --
          DR. APOSTOLAKIS:  How about if we change the words principles
     there to maybe objectives or something like that?  These things are not
     really principles.  Like the principle of conservation of momentum.  I
     think they are just objectives.
          DR. KRESS:  You could call them regulatory objectives.
          DR. APOSTOLAKIS:  Yes.  Because that's what bothers me about
     defense-in-depth, when it's called principle.  It gives it a prestige
     that it does not deserve.
          MR. KING:  Maybe it does deserve that prestige.  All right.
          DR. APOSTOLAKIS:  There are only three or four great conservation
     principles.  Defense-in-depth is not one.
          MR. KING:  The conservation of defense-in-depth?
          DR. KRESS:  The principle of conservation of uncertainty.
          DR. APOSTOLAKIS:  It's energy mass, momentum, and difficulty,
     that's all.  The last one probably is unfamiliar to you, but it's a true
          MR. KING:  All right.  Once you would go through and select an
     area that would make sense to risk-inform, then you've got to bring in
     the concept of risk, and we've done that in reactors through the safety
     goal policy, but there's a lot of places where we haven't brought that
          So the thought here was to lay out what are these high level -- I
     call them principles, call them whatever you want -- but what are the
     guidelines that need to be followed if you're going to actually
     implement a risk-informed approach.
          These are the kinds of things we talked about that high level
     safety principles address.
          DR. APOSTOLAKIS:  In fact, you know we had a workshop recently
     where we asked experts on these things.  The first results are coming
     out.  Overwhelmingly, worker and public protection are up there, you
     better make sure you protect the worker and public health and safety.
          Then environment sometimes comes close, sometimes it doesn't. 
     Everything else is at the bottom, like political considerations,
     economic and all that.  But I found that surprising, because the
     stakeholders that were present, a couple of them really were not nuclear
     people and I thought those guys would elevate the political concerns or
     other issues.
          No, that's way at the bottom.  So your first three -- well, two,
     the way you have them, worker and public protection, environmental
     protection, those are the ones that evidently the experts really care
          DR. SHACK:  Well, those are really incommensurate sorts of things.
          DR. APOSTOLAKIS:  They're incommensurate and in the language of
     decision analysis, the first two are fundamental objectives,
     defense-in-depth is really a means objective.  It's a means for
     achieving a fundamental objective.  So we are mixing objectives here.
          But for the present purposes, it's fine.  I'm just telling you
     there were some interesting insights from that.
          But I think the distinction between fundamental objectives and
     means objectives is an important one, and we'll just put it in different
     words, that they are not commensurate, because defense-in-depth
     certainly is a way of making sure that you're protecting worker and
     public health and safety.
          Okay.  We don't disagree with this.
          MR. KING:  Okay.  And then the actual implementation phase, what
     are you going to do to risk-inform that activity, would be going in and
     identifying the regulation, the reg guide, the SRP, the inspection
     program, what are the things that you're going to work on, and then what
     do you need to develop to actually work on those things, is there
     methods that have to be developed, data standards, guidance, training.
          Not to get into the details of, like I said, what the new words
     would be in the regulation, but just to identify those things and then
     you can have a schedule and have a priority associated with it, and then
     this could feed into your normal operating plans and budget process that
     take place to make sure this work gets done.
          So as Rich said, that in between document, between the strategic
     plan and the actual operating plans that put people and dollars on
     projects and help you to make those decisions as to what you're going to
          So that's how -- at least that's how I view it.  That's what we're
     talking about.  I'd be glad to come back and discuss it with the
     subcommittee at some future point, if you want.
          DR. APOSTOLAKIS:  I'm sure that is something that the members
     would be very much interested in, because this is really a critical
          MR. KING:  And I think the reactor folks are way out ahead of
     everybody else.
          DR. APOSTOLAKIS:  Sure.
          MR. KING:  The NMSS folks, when they heard about this idea, were
     very interested in it, because they're sort of sitting there with a
     whole slate of things in front of them that the Commission said go
     risk-inform and they're struggling with what do we do.  They're very
     interested in getting this put in place so they can use it.
          DR. APOSTOLAKIS:  Well, when the joint subcommittee, the joint
     ACNW/ACRS met with them, that was about the only recommendation, that
     they should develop these objectives.
          MR. KING:  Maybe that's the joint committee we ought to come back,
     not just with the reactor orientation, but get the --
          DR. KRESS:  The joint committee was only looking at NMSS
          DR. APOSTOLAKIS:  This is bigger.
          MR. KING:  Yes, this is bigger.
          DR. APOSTOLAKIS:  It should come to the ACRS.
          MR. KING:  All right.
          DR. APOSTOLAKIS:  Because the joint subcommittee letters have to
     be approved by each committee separately.  You're better off coming
          DR. KRESS:  You'll never get a letter out.
          MR. KING:  Okay.
          DR. APOSTOLAKIS:  So this is it.  So first of all, we are
     interested and, as you know, we are willing to listen to half-baked or
     quarter-baked ideas and offer suggestions.  So whenever you feel you
     have done enough and there is any question as to how to proceed, it
     would be easy to schedule a subcommittee meeting, half a day, a day,
     whatever it takes.
          MR. KING:  But clearly we ought to do it before February.
          DR. APOSTOLAKIS:  Yes, that's what I'm saying.  I would rather do
     that than receive a document and read it and then us --
          MR. MARKLEY:  I just wanted to ask a few questions.  When we were
     talking about fire, you had mentioned a subcommittee, and then when we
     got into shutdown, you mentioned a subcommittee again.  I guess the
     October subcommittee, what did you have in mind?
          MR. KING:  I thought these were November subcommittees.
          MR. MARKLEY:  November?
          MR. KING:  Yes.
          MR. BARTON:  November.
          MR. MARKLEY:  Are you working through one of the other engineers
     on that particular one?  Because I'm not aware of it.
          MR. KING:  The lower power shutdown?
          MS. DROUIN:  I'm sorry.  What was the question?
          MR. KING:  You scheduled the low power shutdown subcommittee
     meeting for November?
          MS. DROUIN:  My understanding, it is scheduled.
          MR. MARKLEY:  For when?
          MS. DROUIN:  November.
          MR. MARKLEY:  When?  I don't have a date.  I have a general time
     slot that we talked about many, many months ago, but we haven't worked
     toward --
          MS. DROUIN:  Because I was contacted yesterday or two days ago by
     Glen Tracy and he said it was on the agenda.
          MR. MARKLEY:  Okay.  I'll follow up.
          MR. BARTON:  It's probably under future activities.  But there is
     a spot on here for -- and it's an open date.  It's just open, it's date
     to be determined.
          MR. MARKLEY:  We have a November for briefing the full committee
     for the low power and shutdown risk insights report, but I don't know --
     I'd have to look.  That's another engineer, clearly.  I'll check outside
     the context of the meeting.
          MS. DROUIN:  Okay.  Well, I'm confused.  You're saying you do have
     it on the agenda, November.
          MR. KING:  Full committee only, you mean.
          MR. MARKLEY:  Yes.
          MR. KING:  No subcommittee.
          MR. MARKLEY:  I'd have to check.  I don't have a subcommittee list
     with us.
          DR. APOSTOLAKIS:  Okay.  Now, the plan here is that the two
     gentlemen and the lady will not come back next week?
          MR. MARKLEY:  Right.  All we have scheduled right now is the
     subcommittee chairman's report for you to talk about what was discussed.
          DR. APOSTOLAKIS:  How long is that?
          MR. MARKLEY:  However long you want to make it, five, ten minutes.
          DR. APOSTOLAKIS:  How much time do we have in there?
          MR. MARKLEY:  Well, it's grouped with several others from 11:30 to
     12:15 on the last day of the meeting.
          DR. APOSTOLAKIS:  So I would just summarize what was presented
          MR. MARKLEY:  Yes.
          DR. APOSTOLAKIS:  Without using viewgraphs.  All right.
          MR. MARKLEY:  So that the other half of the answer is that we're
     not expecting a briefing at the full committee and we're not expecting
     to prepare a report.
          DR. APOSTOLAKIS:  Do I also have to prepare a written document or
     oral is good enough?
          DR. KRESS:  Oral is good enough.
          DR. APOSTOLAKIS:  I think it would be a good idea to give
     everybody this at the meeting.
          MR. MARKLEY:  That could be the context of whatever it is.
          DR. APOSTOLAKIS:  And I can walk them --
          MR. BARTON:  You can hand that out and walk people through it.
          DR. APOSTOLAKIS:  I will walk them through it.
          MR. BARTON:  And that will take care of it.
          DR. APOSTOLAKIS:  That will take care of it.  Sure.  Do any of you
     plan to be here in case of any questions?
          MR. BARTON:  Or in case George says something wrong.
          MR. KING:  We'd better be here.
          MR. BARTON:  When is it?
          DR. BONACA:  It's a Saturday.
          MR. BARTON:  It's a Saturday?
          DR. APOSTOLAKIS:  No, no.
          DR. BONACA:  No.
          MR. MARKLEY:  The actual subcommittee report is scheduled for
     Saturday, so I'm not sure you want to be here, 11:30 to 12:15.
          DR. APOSTOLAKIS:  I have free reign then.
          MR. BARTON:  Read the transcript.
          DR. APOSTOLAKIS:  There will be no transcript.
          MR. MARKLEY:  No transcript on Saturday.
          DR. APOSTOLAKIS:  On Saturdays, there are no transcripts.
          MS. DROUIN:  Which Saturday?
          MR. MARKLEY:  October 2nd.
          DR. APOSTOLAKIS:  Next week.
          DR. KRESS:  Next Saturday.
          MR. MARKLEY:  Right.
          DR. APOSTOLAKIS:  What time?
          MR. MARKLEY:  11:30 to 12:15.  If, for some reason, it does get
     moved up, because that's one of the items that can be moved around a
     little bit, I'll give you a call and let you know.  That's the best we
     can do.
          DR. APOSTOLAKIS:  At 12:00 Saturday a meeting.
          DR. UHRIG:  Have you cleared that with Dana?
          DR. APOSTOLAKIS:  The Vice Chairman is elected separately.  I have
     the power of the people with me.
          Anything else?  No?  Well, thank you very much.  This was very
     informative, as usual.  See you next time.
          MR. KING:  We'll see you tomorrow.  Thank you.
          [Whereupon, at 3:43 p.m., the meeting was recessed, to reconvene
     at 8:30 a.m., Friday, September 24, 1999.]

Page Last Reviewed/Updated Tuesday, July 12, 2016