Plant Operations and Reliability and Probabilistic Risk Assessment - April 28, 2000

                       UNITED STATES OF AMERICA
                              U.S. NRC
                              TWFN 2B3
                              11545 Rockville Pike
                              Rockville, MD  
                              Friday, April 28, 2000
               The committee met, pursuant to notice, at 8:30
               JACK SIEBER, Chairman, ACRS
               GEORGE APOSTOLAKIS, Chairman, ACRS
               JOHN BARTON, Member, ACRS
               MARIO BONACA, Member, ACRS
               THOMAS KRESS, Member, ACRS
               ROBERT SEALE, Member, ACRS
               WILLIAM SHACK, Member, ACRS
               ROBERT UHRIG, Member, ACRS.                            C O N T E N T S
     NUMBER                                                  PAGE
     1         AGENDA                                          3 
               AND ON RELIABILITY AND PRA                      3 
     4         BWR OWNERS' GROUP                              63 
               INITIATIVES 2 AND 3                            63 
               INITIATIVES                                    63 
               SPECIFICATIONS                                 63 
     8         INITIATIVE 2 - MISSED SURVEILLANCES            66 
               PRA PERSPECTIVE                               100 
     10        ENGINEERING EVALUATION SONGS                  126 .                         P R O C E E D I N G S
                                                      [8:30 a.m.]
               CHAIRMAN SIEBER:  The meeting will now come to
               This is a meeting of the ACRS Subcommittees on
     Plant Operation and on Reliability and Probabilistic Rick
               I'm Jack Sieber, Vice-Chairman of the Subcommittee
     on Plant Operations.
               To my left is George Apostolakis, who is Chairman
     of the Subcommittee on Reliability and PRA.
               ACRS members in attendance are John Barton, Mario
     Bonaca, Thomas Kress, Robert Seale, William Shack, Robert
     Uhrig, and hopefully Graham Wallis.
               The purpose of this meeting is to discuss NRC
     staff and industry initiatives related to risk-informed
     technical specifications.
               The subcommittees will gather information, analyze
     relevant issues and facts, and formulate proposed positions
     and actions, as appropriate, for deliberation by the full
               Michael T. Markley is the cognizant ACRS staff
     engineer for this meeting.
               The rules for participation in today's meeting
     have been announced as part of the notice of the meeting
     previously published in the Federal Register on April 5,
     2000.  A transcript of the meeting is being kept and will be
     made available as stated in the Federal Register notice.
               It is requested that speakers first identify
     themselves and speak with sufficient clarity and volume so
     that they may be readily heard.
               Also, we request that all speakers use the
     microphones, so that the court report can hear and
     understand them.
               We have receive no written comments or requests
     for time to make oral statements from members of the public.
               Reliability and Probabilistic Risk Assessment
     Subcommittee met on December 16, 1999, to discuss
     initiatives proposed by the Risk-Informed Technical
     Specification Task Force.
               Today, the subcommittees will discuss Initiative 2
     on technical specifications of surveillance requirements,
     Initiative 3 on mode restraint flexibility, and plans for
     submittal and review of other Risk-Informed Technical
     Specification Task Force initiatives.
               Before we begin, I would like to ask Dr.
     Apostolakis to summarize the issues identified in the
     December 16th meeting.
               DR. APOSTOLAKIS:  Thank you, Jack.
               As Jack mentioned, we met on December 16th, and we
     were presented with a very ambitious program for
     risk-informing technical specifications, consisting of seven
     initiatives, some that, in fact, have A's and B's, more than
               There were many comments made by members in the
     meeting, as usual.
               A couple of the comments that seemed to be of
     relative importance are that the public participation in the
     process, public involvement and participation should be
     increased, especially after we had a statement read by me,
     statement from Public Citizen that they feel that they don't
     have adequate information to comment on these things in a
     timely manner.
               The subcommittee also requested or suggested that
     perhaps a vision statement for risk-informed technical
     specifications should be developed and a clear statement of
     the objectives of these initiatives should also be given.
               Then the perennial issue of how much to rely on
     quantitative analysis and how much on qualitative insights
     came up.
               We've faced this problem in the past in other
     situations, in other contexts, but I think we're going to
     see it again here.
               To what extent can one rely on expert panel
     deliberations and not try to quantify the impact of the
     proposed changes on CDF or maybe the cornerstones
               So, this will be an interesting issue to pursue, I
               And that pretty much covers it, I believe.
               There were other comments, but I'm sure we will
     see what the staff and the industry present today and maybe
     come back to those, and of course, the quality of the PRA is
     a perennial issue, you know, do we need a Cadillac or a
               So, Jack, back to you.
               CHAIRMAN SIEBER:  I'd like now to proceed with the
     NRC presentation and introduce Scott Newberry to introduce
     the speakers from the staff.
               MR. NEWBERRY:  Thanks, Mr. Chairman.
               I'm Scott Newberry.  I'm Deputy Director of the
     Division of Regulatory Improvement in NRR.
               There is am ambitious agenda as well as an
     ambitious program here, Mr. Chairman, so I'm not going to
     talk very long but just introduce staff at the table.
               A couple of comments, though.
               I was looking at our budget last night on
     regulatory improvements, and there's a long list of
     activities, where we are modifying the process, working to
     improve the process.  We've been over here talking on FSAR,
     design basis, 50.59 reporting requirements, more and more on
     risk-informing Part 50 -- I expect that to increase --
     license renewal process, license transfers, and on.
               Considerable resources in the Office of NRR are
     being devoted to improving the process.
               We are increasing the focus on this program that
     you're going to hear about today -- I wanted to make that
     point -- more resources and more leadership on the activity
     to risk-inform tech specs, because we believe it's
               A second point I wanted to make was, in the past
     month or so, I have heard a comment or been asked a question
     about our view on tech specs and, because something may be
     not as important as another, does -- you know, what is our
     expectation on tech specs?
               We expect requirements to be met.  We expect
     surveillances to be performed as they're listed in the tech
               We're going to be talking about tools today to
     inform the tech spec process so they could be changed, but
     our expectation from the NRC point of view is that
     requirements be met, and sometimes that gets a bit muddled,
     and I wanted to make that second point.
               And the last point is I hope we're responsive to
     the comments from the last meeting.
               You reminded me, Dr. Apostolakis, about the public
     participation point.
               After that meeting, we initiated a communication
     activity with that individual and it was very informative
     and made sure he had additional information, and we had a
     good chat with him on the phone.  So, I hope we improved on
     that point.
               At the table from the staff are Bob Dennig and
     Jack Foster from the tech spec branch of the NRR division. 
     They're the tech spec experts, and Bob will talk to you a
     little bit about technical specification philosophy, and
     Mark Reinhart, from the PRA branch, will talk about the
     tools used to inform the integrated decision-making process.
               So, without further ado, gentlemen.
               MR. DENNIG:  I'm Bob Dennig, Section Chief in the
     tech spec branch.
               I wanted to give Biff Bradley, from NEI, an
     opportunity at this time to make an opening remark or
     introduce the support folks that we have here from the
     industry, if you'd like to do that, put him on the spot
     here.  He just came in the door.
               MR. BRADLEY:  This is a surprise move here.  Sure,
     I'll be happy to.
               I'm Biff Bradley from NEI.  I'm in the regulatory
     reform group at NEI.
               With us today, we have a representative from one
     of our lead plants, San Onofre, Dr. Parviz Moeni, and Rick
     Hill from the GE owners group is here, and also we have,
     sitting on the NRC side of the room, Don Hoffman, who is a
     consultant that's been very involved in all the industry
     tech spec activities.
               MR. DENNIG:  Now, on the staff side, we also have
     Millard Wohl here, who is one of the key reviewers involved
     in looking at these initiatives.  Nick Saltos is also here. 
     He's another key reviewer.
               We're pleased to be here to continue the dialogue
     that we began back in December with the Reliability and
     Probabilistic Risk Assessment Subcommittee, and as has been
     mentioned, at that time, we introduced the general scope of
     what the package that we're calling risk-informed tech specs
     consists of, how it dated back to some activities that began
     in July of 1998, the seven initiatives, and some overview
     about how they fit together.
               We received some very valuable feedback, as has
     been mentioned at that meeting, as to how we could better
     present our program and how we could better make our points,
     and we hope that this presentation is reflective of that
     feedback, and I guess we'll see when we get through it how
     well we've done.
               As part of acting on that feedback, my job this
     morning is to go a little bit into the background of
     technical specifications, their history, content, how they
     work, and where we are, and how they've evolved.
               So, we can look at the title slide for a moment
     and confirm that that's what we're talking about today, and
     then let me begin.
               Tech specs are explicitly required by the Atomic
     Energy Act and are a part of the license.  They are derived
     from the safety analysis.  They, thus, constitute that
     portion of the safety analysis that is a part of the license
     and can only be changed by amendment and, thus, through
     staff review.  They have been characterized as, quote, "a
     central feature of the continuing relationship between the
     licensee and the Commission."
               Tech specs are a work in progress.  The initial
     rule was in 1962.  There were revisions in 1968 and 1995. 
     Over that time period, we have worked with custom technical
     specifications, basically paragraphs and words that were
     derived in performing the safety analysis as you go through
     chapter by chapter and organize by those chapters.  We then
     progressed, in the early '70s, to improved standard -- to
     standard technical specifications, following the structure
     laid down in the 1968 rule, rule change, and then in the
     '90s to improved standard technical specifications.
               Conversions to improved standard technical
     specifications have been ongoing since 1993 and are
               Forty conversions have been reviewed and approved
     or in process, 17 are planned, covering a total of 89
               Just as technical specifications are a work in
     progress, risk-informing technical specifications is a work
     in progress.  It's not a new subject.
               For example, in 1975, ECCS completion times, as we
     now call them, often known as allowed outage times, were
     extended based on WASH-1400 insights.
               In 1983, the staff reviewed an extensive WCAP
     dealing with surveillance frequencies and out-of-service
     times that use reliability analysis techniques.
               In 1983, also, there was a task group that was put
     together to look at improvements that could be made to
     technical specifications.
               It issued a report entitled "Technical
     Specifications:  Enhancing the Safety Impact."  That report
     pointed at -- in a lot of the directions that are being
     followed through on the seven initiatives that we're talking
     about now, in particular using risk and risk insights to
     improve technical specifications.
               Most recently we have Reg. Guide 1.177, in 1998,
     and that provides a basic approach for risk-informing
     allowed outage times and surveillance test intervals.
               Thus, risk-informing tech specs is not a new
     subject, it is a work in progress, and we're here to discuss
     how we're continuing that progress.
               If I could have the next slide, please.
               By way of basic structure and to explain how tech
     specs work, I thought it would be easier to use a visual.
               The outer ring indicates the safety analysis, and
     the arrow indicates that we derive the specs from that
     safety analysis.
               Over time, a lot of the effort -- a lot of effort
     has gone into determining exactly how large that green ring
     should be, what is the scope of technical specifications. 
     We're not particularly focused on talking about that scope
     issue today.
               Going inward, we see two categories of what tech
     specs should cover, specific characteristics, in quotes, and
     conditions for operation.
               In the current structure, we have some standard
     tech specs and continuing to improve standard tech specs. 
     Per the 1968 rule, we have, under specific characteristics
     -- I parsed this out this way; I thought this was the best
     fit -- we have safety limits, limiting safety system
     settings, and design features.
               We also have what are called conditions for
     operation, and I have parsed into that area limiting
     conditions for operation, with their conditions, their
     completion times, and their action statements,
     surveillances, with their surveillance test intervals, and
     administrative issues.
               The purpose functionally for the conditions of
     operation is to make sure that the plant maintains those
     specific characteristics, those safety limits, those
     limiting safety system settings and design features.
               Interestingly, if you go back to the safety
     analysis, you'll find a lot of documentation and bases for
     things like safety limits and limiting safety system
     settings and so on.
               You'll not find much by way of analytical basis
     for things like surveillance test intervals, action
     statements, completion times, and so on and so forth.
               If I could have the next slide, please.
               For purposes of summary and to lead into the next
     phase of the discussion, I thought these three points
     captured the basic features of what tech specs are expected
     to do.
               They establish values of important parameters to
     preserve barriers, barriers to radiation release.
               They also establish a design basis equipment
     configuration or plant configuration that we expect to have
     in place.
               They also contain and require predetermined
     actions to restore that design basis when there is a
     degradation or to change the plant state so that the
     equipment that has been affected is no longer considered
     important or needed.
               I would emphasize the predetermined and
     prescripted aspect of that, and I would also emphasize that
     the way the tech specs have evolved from the safety
     analysis, arranged pretty much by chapter by chapter in the
     safety analysis, that they don't integrate across the plant
     and in managing the plant's state.
               If I could have the next slide, please.
               So, what we find today is that the tech specs,
     because of their evolution, where they come from, largely,
     do not manage risk of the overall plant configuration.  They
     look system by system, LCO by LCO.  Instrumentation has its
     own place.  Support systems, plant system have their plant,
     electrical systems, ECCS, their own silos or bins.
               They don't manage risk in restoring the design
     basis configuration or changing the plant's state.  By that,
     we mean that the way that specs were constructed was area by
     area, what's a reasonable time, given a random single
     failure, to either fix that single failure or begin shutting
     down the plant?
               Now, I don't know to what extent we've been able
     to carefully weigh the benefits of maneuvering the plant
     with that inoperable equipment or staying up a little bit
     longer and not maneuvering the plant.
               And finally, they don't take advantage of advances
     in risk and reliability analysis techniques to determine
     surveillance frequencies and completion times.
               If I could go to the next slide, please.
               I hope this is a crisp vision statement, and
     certainly continue to help us with this, but this was our --
     again, our response to your feedback.
               We thought that this got where we were trying to
     go and said it succinctly enough, basically maintain or
     improve safety by risk-informing technical specifications
     requirements that govern operation, including incorporation
     of integrated decision-making to restore the design basis
     configuration when we have a degradation.
               The next slide, please.
               In summary, before I hand off to Mark Reinhart,
     what we're working on and what we're not -- we're leaving
     alone, in general, things like safety limits, limiting
     safety system settings, design features, and administrative
     controls.  We're not risk-informing tech specs in the
     current scheme of things, not operating on those aspects of
     tech specs.
               Where we are operating is on the LCOs and the
     surveillance requirements, particularly in how best to
     restore the design basis using risk insights when there is a
     degradation from the expected configuration and providing
     flexibility as to what is done by way of surveillance test
     intervals and where those intervals and the specifics of
     surveillance might be located, whether inside tech specs or
     outside tech specs.
               Let me then turn --
               DR. SEALE:  Could I ask a question?
               MR. DENNIG:  Sure.
               DR. SEALE:  Back on one of your earlier slides,
     the one on standard technical specification issues, there is
     a bullet that indicates that you do not take advantage of
     advances in risk and reliability analysis techniques to
     determine surveillance frequencies and completion times.
               Do you mean -- are you implying that, in fact,
     there is a technology available that would allow you to do
     that, and I guess if the answer to that is yes, what
     specific input would you need in order to make that
     assessment, and to what extent does that input exist?
               Do you follow my question?
               MR. DENNIG:  I think so.
               MR. REINHART:  I think the answer is that's the
     whole point of what we're doing.
               We're working with the industry to do that, and
     the next part is really going to focus on the tool we're
     looking for and how we're looking for a licensee to use that
     tool to handle, really, the plant configuration, the
     flexibility of the configuration.
               DR. SEALE:  Okay.
               CHAIRMAN SIEBER:  Just to follow on to Dr. Seale's
     question, should you not have the tools available first to
     perform the analysis, rather than take steps to change
     technical specifications, for example, to lengthen the
     allowed time for missed surveillance or mode changes or how
     fast one has to go to hot shutdown or cold shutdown or what
     have you?
               Shouldn't those analytical tools be available and
               MR. REINHART:  Yes, they should, and to the extent
     that a given licensee has those tools, that's the limit or
     the extent that will allow the flexibility, or if there's
     some generic insights that we can get from a spectrum of
     tools, we've tried to use those, also, but certainly we've
     had to have tools to precede decisions.
               CHAIRMAN SIEBER:  Okay.  That includes some kind
     of shutdown and transient PRA technology, shutdown risk
               MR. REINHART:  Bob kept talking about a work in
               There are some plants that have those, others do
     not, and again, depending on what insights we can get from
     the general spectrum, we can use those, but on a given plant
     by plant, if they have a very specific situation, we would
     look for them to have the tool to accommodate it.
               CHAIRMAN SIEBER:  And the staff does not have
     those tools that they could apply independently of the
               MR. REINHART:  We have some tools, like we're
     developing what's called a SPAR3 model.  That's not
               We're trying to make it as plant-specific as we
     can, but to some extent we can use that.  But in this
     application, I think we really need to have the licensee
     having a quality tool to really apply there.
               CHAIRMAN SIEBER:  So, that will be prerequisite to
     granting any risk-informed tech spec that's different from
     the standard tech specs that is -- that everybody has right
               MR. REINHART:  Yes, it is.
               MR. DENNIG:  The general approach is that, if you
     want to do this, you have to have this.
               CHAIRMAN SIEBER:  Okay.  Thank you very much.
               DR. APOSTOLAKIS:  Shall we go to 5, the next one? 
     I'd like to understand it a little better.  Would you
     elaborate on that a little bit, what that means?
               MR. DENNIG:  That harkens back to the issue of
     placing in tech specs a -- in the place of prescripted or
     predetermined actions that one is to take based on some
     notion of the set of plant states that we'll encounter, one
     puts in place an approach where you look at the plant state,
     the actual plant state that you have, and you make a
     decision as to where you go next based on that state and
     based on your level of risk information that tells you
     what's my best move given where I am, instead of following a
               So, I think that's basically what we're trying to
               CHAIRMAN SIEBER:  I guess one final question. 
     Back in the days when I worked in power plants, in
     licensing, and we needed or wanted a tech spec change, we
     would hunt for some other plant that was granted a tech spec
     change like the one we wanted, and we would submit ours and
     say this is okay because plant XYZ has it.
               Now, with regard to the tools that you said were a
     prerequisite to risk-informing tech specs, once one licensee
     develops the tools and you grant them a tech spec and 50
     other licensees get on the bandwagon and say I want one just
     like that, you already have a precedent.
               MR. REINHART:  We're going to need to look at how
     that particular licensee qualifies with what was set in the
               If he has the appropriate tools, if the analysis
     performed fits his design, if all those things line up, we
     have a way to go, but we still have to review it on a
     plant-specific basis for his application.
               CHAIRMAN SIEBER:  So, your expectation is that
     each licensee should possess the tools to demonstrate that
     the risk information used to develop that licensee's tech
     specs is valid for that plant.
               MR. REINHART:  Sure.
               DR. BARTON:  I think you almost need that, Jack.
               CHAIRMAN SIEBER:  Yeah, I know you do, but you
     know and I know that -- how the tech spec business has
     worked in the past, right?
               DR. BARTON:  Is it prerequisite to play in this
     risk-informed tech spec arena that you have a standard tech
               MR. DENNIG:  No, it's not, but it certainly makes
     it a lot easier.
               Along with adopting the precedent notion, you
     certainly get a lot more mileage out of something that's
     been formulated in terms of the standard -- improved
     standard tech spec than if you're trying to do something
     with a custom spec.
               DR. BARTON:  Okay.
               MR. DENNIG:  And then, with a custom spec, you
     know, you have to make sure that there aren't other things
     out there that were coordinated in improved standard tech
     specs that aren't coordinated in the custom spec that were
     assumed to be there.
               DR. BARTON:  Right.
               MR. DENNIG:  And so, it gets more complicated and
     it gets more expensive, but you know, you don't have to.
               DR. BARTON:  Increases the burden.
               MR. DENNIG:  Yes, sir.
               MR. REINHART:  I think I'll stand up, if it's okay
     with you all.
               CHAIRMAN SIEBER:  You have the little mike.
               MR. REINHART:  I have it.  Can you hear me?
               CHAIRMAN SIEBER:  Yes.
               DR. SEALE:  He can keep moving.  It's much harder
     to hit him.
               MR. REINHART:  Right.  There you go.
               In, really, answer to some of the questions you've
     asked and in follow-on to Bob's comment of the tools to
     support the vision, to support the flexibility in the
     configuration control of the plant, we are looking for a
     quality tool, and really, the thought is, to the extent that
     a given licensee has the necessary quality in his PSA, it's
     to that extent that we'll grant the additional flexibility.
               Now, if you want to say, the entire vision will be
     supported by a PSA that was a Level 1/Level 2,
     internal/external events like fire, flood, seismic, we would
     be looking for an operations, a shutdown, and a transient
               Some licensees have that; not all do.
               DR. APOSTOLAKIS:  Do any licensees have a PRA for
     transition mode?
               MR. REINHART:  It's my understanding that -- I
     believe San Onofre does.
               MR. MOENI:  This is Parviz Moeni.
               To answer the question, George, yes.  I think a
     couple of years ago, CEOG developed transition risk models. 
     It's in a technical report by CEOG, and we have adopted that
               DR. APOSTOLAKIS:  Can I have a copy of that?
               MR. MOENI:  I don't know if you have a copy, but I
     can definitely find a copy for you, but I know, if you do
     have a copy, this is by CEOG.
               DR. APOSTOLAKIS:  Yeah, would you please send a
     copy to Mr. Markley?
               MR. MOENI:  Sure.  Absolutely.
               DR. APOSTOLAKIS:  Thank you.
               MR. REINHART:  And it's also my understanding that
     the CEOG is taking their transition model and their
     shut-down model and providing a template for other plants
     that could adopt that.
               MR. MOENI:  Yes.
               MR. REINHART:  Okay.  So, we see some plants have
     this, with the provision to share that information so that
     others can use it.
               Longer-term, if you will, and maybe beyond the
     tech spec piece we're talking about, is a Level 3 PSA, and
     my branch is looking at that as an additional long-term
               But one of the things we want to say about this
     PSA -- we're looking for a standard.  It will be some
     standard that the staff and the industry agreed on.
               We're looking for a PSA that's living, that's
     maintained, consistent with the contemporary plant, and
     again, the higher the quality, the increased the flexibility
     that a licensee would be granted.
               Could I go to the next one, please?
               CHAIRMAN SIEBER:  Before you remove that --
               MR. REINHART:  Sure.
               CHAIRMAN SIEBER:  Items that are on this slide are
     very important to me, and I would consider this set of
     attributes for a licensee as almost a minimum set for
     risk-informing tech specs.
               DR. UHRIG:  But right now, there aren't many
     plants that would meet those requirements, are there?
               MR. REINHART:  There are not many that meet them
     all.  There are more that meet a good number of them. 
     Probably almost everybody meets some of them.
               So, there's certain pieces that we could grant
     based on the quality PSA that particular plant has, but it
     kind of gets back to the quality that was asked earlier.
               If one plant says, oh, well, this plant got it,
     why can't I have it, what does that plant have in its PSA
     and what does this plant have in its PSA?  What's the
     quality, what is the pedigree of the review, how do we have
     the confidence?
               DR. BONACA:  But you're going to require this --
     let me call them characteristics, because you need them to
     support the evaluation, not just because you make it a
     requirement, a pre-condition, right?
               The reason why I'm asking the question is that, if
     I go back to your initial slide, where you translate your
     safety analysis into the tech specs, you're not changing
     anything about the safety analysis, you're not changing
     anything about your setting, you're not changing anything
     about anything except you're allowing surveillances and LCOs
     to be changed, and I would expect that, for many of them,
     you don't need a Level 3.
               MR. REINHART:  Yes, absolutely.
               DR. BONACA:  So, I'm saying that you're not
     prescribing -- go ahead.
               MR. REINHART:  We're really dealing in this yellow
     sphere now.
               DR. BONACA:  And it makes sense.
               MR. REINHART:  Yes.
               DR. APOSTOLAKIS:  So, under what circumstances
     would you need a Level 3 PSA?
               MR. REINHART:  I threw that up there to say that's
     a goal my branch has.  There are some areas, particularly
     doses, off-site doses, control room doses, that we're
     looking at in that area, may not impact what we're doing in
     tech specs.
               CHAIRMAN SIEBER:  You can continue now.
               MR. REINHART:  Okay.
               The next slide, please?
               A licensee would take the tool they have, that we
     have approved, that is compatible with whatever relaxation
     they have, but Reg. Guide 1.174 really gives five key things
     that they have to do, that we're looking for, and I'll point
     out what Scott Newberry said at the beginning.
               We expect licensees to meet their technical
     specifications.  So, we're looking at them to comply with
     regulations, to maintain a defense in depth, to maintain
     safety margins.
               The flexibility Reg. Guide 1.174, along with
     1.177, gives is we're looking for changes that would be
     risk-decreased, risk-neutral, or a small increase.  When we
     talk about a small increase, we get into some charts and
     graphs that the reg. guides have.
               Ideally, a licensee could make a case that, given
     this configuration, to go here, the safest path is X, Y, or
     Z, and he could maintain himself risk-neutral or a decrease
     in risk from where he is to where he's trying to go.
               So, that's the type of thinking we're looking for,
     and while that might be on an immediate timeframe, we're
     also looking for a long-term type of feature that would
     monitor subsequent performance for that licensee and
     something we could tell about the industry in general.
               So, if we go to the next slide, please, we're
     looking for an integrated, risk-informed technical
     specifications that we can make progress, a lot of progress
     within the rule we have today, 10 CFR 50.36.
               Likely we'll identify some improvements as we go
     along, but we feel we can make a lot of progress with the
     rule we have, and again, what we're looking for, given the
     situation the licensee is in to where he wants to go,
     restore the design basis, restore the LCO, we're looking for
     a path that has an integrated acceptably low-risk locus.
               He would compare, depending upon what he has in
     his PSA and what flexibility he's granted, the at-power
     risk, the transition risk, the mode-specific risk, depending
     upon where the tech specs could possibly be driving him,
     balance those three pieces, incorporate compensatory
     actions, and here's where we're taking insights, and when
     we're talking about insights, we're saying what do we see by
     looking into the PSA, what did the cut-set analysis tell us,
     what are the boundary conditions, what are the assumptions,
     what have we said we have to do to get to this result, use
     those insights to develop a success path of least risk or
     most risk-reducing path, and at the same time maybe identify
     some potholes along the way, if you will, areas of high risk
     to avoid, and a licensee that can be doing that, we feel,
     will -- while he'll have flexibility, we have a confidence
     of really reduced risk.
               If we go to the next slide, what we're expecting a
     licensee to do, they have the tool, now they have a program
     to use that tool, a formal process that would evaluate the
     configuration and make some risk-informed decisions, some
     criteria level, maybe a criteria level that would say this
     is an appropriate level of risk for this configuration we're
     intending to go into or that we are into, maybe somewhat
     higher level they would start to dig a little deeper to get
     some of those insights, maybe at some point they bring in an
     expert panel, maybe at some other point they bring in
     higher-level management for decision.
               So, they have some sort of hierarchy that tells
     them what they have to do given the configuration, helps
     them derive those compensatory measures that we've talked
     about before.
               CHAIRMAN SIEBER:  How extensive do you believe
     that expert panels will be used in lieu of analysis?
               MR. REINHART:  I don't think that they would be
     used in lieu of, like in ignorance of analysis.
               I would think those expert panels would have the
     knowledge of that analysis, along with their other expert
     thoughts, to merge those or integrate together to come up
     with a proper decision.
               CHAIRMAN SIEBER:  See, I asked that question
     because I think that the tech specs, to be risk-informed,
     ought to be based on analysis rather than the opinion of
     expert panels, and so, to me, the preponderance of the
     quantitative information that goes into formulating a
     risk-informed tech spec ought to come from analysis, as
     opposed to the qualitative kinds of things that expert
     panels would give you.
               MR. REINHART:  But would the panel take that
     qualitative part and maybe have to think a little bit about
     really what that means to them, given the situation they're
               CHAIRMAN SIEBER:  I think that the value of an
     expert panel is to look at the quantitative analytical
     results and say does this really make sense for this plant,
     and that's how I feel they should be used, as opposed to
     being part and parcel of coming up with did the risk
     increase or did it go down?
               DR. BONACA:  Are you saying that the tech specs
     may include some provisions for having decisions made ad hoc
     based on an expert panel analysis?
               MR. REINHART:  No.  I'm saying a licensee has a
     program, and again, the work in progress -- we're looking at
     what some licensees have done, and some have some criteria
     set up, and depending on what the change in risk is for the
     configuration, they get more and more individuals involved. 
     They have some predetermined configurations they can go to,
     they have some levels that are normal, but as things get
     more complicated, they want to get more minds on the problem
     to start to put the pieces together, and at some level,
     they'll have a panel set up that they bring to bear.  At
     other levels, they say we're not going to do this work
     unless we have some compelling reason, but that compelling
     reason has to go to a higher level of management to say,
     yeah, this is really compelling.
               That's what I'm trying to get at, a flexible
     responsible licensee program that puts this all together.
               CHAIRMAN SIEBER:  Yeah, but that program will have
     to be carefully crafted, because you know, you're dealing
     with not just one licensee but all of the licensees, and
     there are some that are vastly superior to the minimum
     standard for safety, and there are some that are sort of
     marginal, perhaps, at least hypothetically that way, and so,
     whatever you do and whatever you craft has to be
     sufficiently strong so that everybody fully understands what
     the expectations are.
               MR. REINHART:  Excellent comment.  I appreciate
               DR. BONACA:  Let me go back to the comment I made. 
     I was thinking of one of the examples that were provided to
     us.  It was 358, I believe, the 358 example of missed
               There is a philosophy being proposed there, it
     seems to me, although it's not as presently proposed, that
     says, if I miss a surveillance, I can go all the way to the
     next interval, but I can make a decision in between, and
     that may be a long time, what is the optimal time to do the
     surveillance again.
               That implies a decision-making process that
     includes some elements of that.
               MR. REINHART:  Yes.
               DR. BONACA:  There is already a seed being planted
     there of that kind of process, and that's the reason why I
     ask that, because you know, to some degree, you would be
     confronted with some proposals that will take you in that
               MR. REINHART:  Here is how I am hearing that, as
     industry proposes it.
               They have a surveillance.  We expect them to
     perform the surveillances when scheduled, and we expect them
     to have a program to do that, but in the unusual -- and we
     expect it to be unusual circumstance that they've missed one
     and they've started up but it would, say, require a mode
     change to go back and perform that surveillance, the
     licensee now has to tell us.
               Let's say the licensee has performed this
     surveillance over the past X years and it's always been
               So, their data shows a high reliability of that
               They can go in and either do part of the
     surveillance or, through other means, come close to giving
     themselves confidence that they have met the surveillance
     but either there's a piece they can't complete or they can't
     complete it to the full.
               With that level of confidence, given that usually
     this surveillance just verifies that, yeah, it's okay, the
     general thinking is the risk incurred by taking the plant
     through a transient to perform the surveillance and back up
     again outweighs the risk of continuing with that particular
               CHAIRMAN SIEBER:  So, for a 19-month surveillance
     interval, could be another whole cycle before the
     surveillance is completed.
               MR. REINHART:  It could be.  Part of their
     proposal, I think, is that, however, if they come upon an
     opportunity to do it in that period of time, they should do
     it at that first opportunity.
               DR. BONACA:  That's why I'm saying if you go from
     a prescriptive approach to the tech specs to one in which
     you have an ongoing management process within that span of
     18 months or 24 months, that's a fundamental change in the
               MR. REINHART:  Yes, definitely.
               DR. BONACA:  You have to think about how you're
     going to handle that.
               MR. REINHART:  Definitely.
               CHAIRMAN SIEBER:  Now, how would the NRC know,
     because the surveillances won't be reportable, right?  So,
     you wouldn't know what that situation is other than the
     resident inspector paying attention to what's going on at
     the daily meetings and looking in the corrective action
     program.  Is that correct?
               MR. REINHART:  It's the resident -- the resident
     is the one that we would be relying on to have that
     information, primarily.
               CHAIRMAN SIEBER:  So, that's a pretty healthy
     transfer of trust from the days that I recall when, if you
     missed a surveillance, it was a Level 4 right then, and that
     went into an NRC tracking system, and if you missed it and
     you had to shut down and get it, you shut down to get it. 
     That's quite a departure.
               MR. DENNIG:  Yes, it is a change, and I think
     we'll get more into these kinds of issues as we talk about
     Initiative 2 later in the morning.
               CHAIRMAN SIEBER:  You may want to think about --
     and I'd sort of like to know about how you would enforce a
     situation where surveillances were being missed on a more
     routine basis.
               If you don't watch the baby, the baby will do lots
     of things.
               MR. DENNIG:  Again, to jump ahead to the
     discussion we'll have on Initiative 2, we have spoken with
     the oversight people, in the oversight program.
               It's our understanding that there is a track for
     repetitive occurrences of things like a missed surveillance,
     so that that will be noticed, identified, and treated in the
     oversight arena.
               Those repetitive instances, in and of themselves,
     regardless of their individual significance, will be treated
     as a -- hey, this is a pattern of behavior, which goes back
     to our expectation that requirements will be met and the
     premise underlying Initiative 2 that these are rare and
     unusual circumstances.
               If that changes, then this doesn't work.  If that
     situation changes, then this doesn't work.
               CHAIRMAN SIEBER:  And so, how would you figure out
     where the threshold was?  Are you going to have a
     performance indicator?  What's good enough?  Only miss one
     or two a year or 10 a year?  See, I don't know.
               MR. REINHART:  This last item here really gets to
     the performance indicator.
               There's two things, the reactor oversight program
     that Bob addressed, and we're looking for some sort of a --
     some of this part is going to be for the immediate
     situation, we'd have or expect some performance indicator
     that would show us, over a period of time, that licensee --
     maybe its accumulated incremental core damage probability
     over a year, over a cycle, there's a certain goal or a
     certain expectation.
               If that licensee is accumulating more than
     expected, his program needs to direct him to go back and
     figure out what's wrong with his program and fix it, so that
     he's not incurring that accumulated core damage probability.
               CHAIRMAN SIEBER:  Okay.  Thank you.
               Will you have the tool to evaluate how the
     long-term core damage probability changes with regard to
     licensee behavior as far as missed surveillances or other
     operations problems?  Are you going to know or you're just
     going to say, well, I think it is?
               MR. REINHART:  I think we're a bit in the work in
     progress here on that aspect.
               We would have to look at what his program does for
     us.  We'd have to look at what the reactor oversight program
     does for us.
               CHAIRMAN SIEBER:  Well, there's two ways you can
     go.  One is to say -- which is sort of the new oversight
     process -- well, from a risk standpoint, it's not
     significant, or the other way is you can say we expect you
     to obey your tech specs, obey all the rules and your license
     conditions, and so, go to it or we are going to clamp down. 
     There's two ways.
               MR. REINHART:  I understand.
               CHAIRMAN SIEBER:  Okay.
               MR. REINHART:  If I could go to the next --
               DR. KRESS:  Before we leave it, could you go back
     to this concept of accumulated core damage probability and
     explain it to me a little bit?  I'm not sure I know what an
     accumulated probability is.
               MR. REINHART:  Okay.
               A licensee has a configuration, say a baseline
     configuration, or it might be his no-maintenance
     configuration, would be the base, but something changes in
     the plant, whether it's a change in configuration or an
     unknown, like a missed surveillance, there would be some
     level of calculated core damage frequency change that,
     integrated over time --
               DR. KRESS:  You're going to integrate that over
               MR. REINHART:  -- would give you the incurred
     conditional core damage probability for that situation, and
     so, you take that and you put that in the hopper.
               DR. KRESS:  George, you're a PRA guy.  Does that
     integration have any meaning at all?
               DR. APOSTOLAKIS:  Integrating the frequency of
     core damage given those circumstances over time, right, for
     the duration of the situation.
               MR. REINHART:  Right.
               DR. APOSTOLAKIS:  Yeah.
               DR. KRESS:  This is time past, not time in future.
               DR. APOSTOLAKIS:  It's time past?
               MR. REINHART:  Well, over a year, you would add up
     the core damage probability that was accumulated during the
     various situations.
               DR. KRESS:  It's time past, George.
               DR. APOSTOLAKIS:  To do what?  After you add them
     up, what do you do with it?  You will have a limit?
               DR. SHACK:  It would tell you whether you needed
     to improve your program or not.
               MR. REINHART:  Right.
               DR. SHACK:  You couldn't put a limit on things
     that already happened, but it would tell you that your
     program needed improvement if, in fact, the number was going
               DR. KRESS:  It's a performance indicator of sorts.
               DR. APOSTOLAKIS:  Yeah.
               DR. KRESS:  Okay.  It could have meaning in that
               DR. APOSTOLAKIS:  Yeah, in that sense it's
     meaningful, yeah.
               DR. KRESS:  Okay.
               MR. REINHART:  We have a comment from the audience
               Please come to the microphone and tell us again
     who you are, please.
               MR. MOENI:  Yes.  Parviz Moeni.
               I think George answered the question correctly,
     but let me explain what we have.
               We have a number of key performance indicators. 
     One of them is -- we call it safety performance indicators,
     and this is basically the cumulative core damage probability
     over one year.
               So, what that means, the management, with the help
     of the PRA group, of course, has set up a value for the
     plant risk, which is CDP, and we monitor this.
               This is basically monitored daily, and we're
     making sure, at the end of the year, this goal has not been
     exceeded, and how do we do this, basically the plant people
     who operate the plant and maintain the plant, the SDAs and
     the maintenance people at some level -- they have the safety
               So, they always track this thing, the plant risk,
     to make sure that we don't exceed, basically, that level
     that the management has set, and this performance indicator
     also tied up to the bonus for the people, so basically to
     make sure that this performance goal would be met.
               DR. APOSTOLAKIS:  So, the performance level, then,
     is on the CDP.
               MR. MOENI:  On the CDP.
               DR. APOSTOLAKIS:  Not the CDF.
               MR. MOENI:  No.  It's accumulative over the year.
               MR. REINHART:  The CDF integrated over time.
               MR. MOENI:  Sure.
               DR. APOSTOLAKIS:  You don't have, then, any other
     requirement regarding the spikes?  It's just a total
     integrated over time?
               MR. MOENI:  Sure, but you don't want to basically
               DR. APOSTOLAKIS:  You do or you don't?
               MR. MOENI:  No.  The thing is that you cannot have
     even -- you cannot have spikes either, but the overall goal
     is still the CDP.
               So, you may -- again, the thing is not to have
     spikes, but if you have spikes for a very short period of
     time -- I will give you an example for shut-down events.
               Mid-loop is a very risky situation, but the timing
     interval for mid-loop operation is very low.  We are talking
     about maybe a day or sometimes less than a day.  So, the
     cumulative probability, again, for that specific plant
     operation makes the CDP low.
               But forgetting a mid-loop, you don't want to have
     a spike.
               DR. BONACA:  You do a line maintenance.
               MR. MOENI:  Yes.
               DR. BONACA:  And that will give you spikes.
               MR. MOENI:  Yes, absolutely, but again, you keep
     track of the timing and the CDF to make sure that the goal,
     which is CDP, would not be exceeded.
               DR. BONACA:  I understand.
               MR. REINHART:  Is it true that you would look at
     the spikes for the immediate situation but the accumulated
     CDP for program evaluation over the year?
               MR. MOENI:  Over the year, yes, annual.
               CHAIRMAN SIEBER:  The issue is the chronic
     mis-administration of a program that you're concerned about
     for these issues.
               MR. REINHART:  Yes.
               DR. APOSTOLAKIS:  So, this is a management tool,
     and basically, you cannot really prescribe what the
     management should do given a particular profile, but
     presumably, if they see something very unusual, they would
     catch it.
               MR. MOENI:  Yes.
               Every week -- I think now it's monthly, it used to
     be weekly -- you have a management meeting in the morning. 
     So, somebody from the PRA group goes there and represents
     the core damage frequency over the month or the week.  Now
     it's monthly.  It's monthly.
               So, it shows the plant CDF for every day, and if
     there are spikes for some reason, especially if it goes over
     the baseline CDF, then they have to explain -- the PRA group
     has to explain what happened there and what was the reason
     that you had a spike there, this is because the diesel
     generator was under maintenance or something was taken out,
     whatever the reason was.
               So, the management is always aware of things that
     are done to the plant that makes the CDF go up and down.
               CHAIRMAN SIEBER:  We're running a little late
     right now.
               MR. REINHART:  I have one -- just one illustration
     I would like to use in conclusion to try to put the risk
     we're concerned with into three different time periods.
               I'd like to use an illustration of just crossing
     the street.
               If you think about it, there is before you cross,
     while you're crossing, and after you've crossed.
               As you come up to an intersection, obviously there
     was some design, somebody decided to put a light, a signal
     there, but you look, you look at the condition, the weather,
     the traffic, you make a decision.
               You start to cross the street.  As you're
     crossing, you have to be aware of what's going on now.
               It might have been great when you started, but
     what if a car comes through a light?  What if you have a
     child by the hand?
               You have to be ready to address those situations
     as they come.
               When you get to the other side of the street,
     you're safe now, you might say, hey, that was a close call,
     I need to think about this a little more.
               In the same sense, we are applying risk before we
     go into a configuration; we analyze, we calculate what's
     going to change, what's the change in our core damage
     frequency as we go in, how long do we plan to be there, do
     we have the tools, the people, the procedures lined up.  We
     make that decision.
               Once we start the actual work or we're in the
     configuration and something changes, we have to be ready to
     take compensatory action right now in a fluid dynamic sense
     to handle that situation, but once we're through it, we're
     not going to forget it.
               We either had a good experience, a not-so-good
     experience, a horrible experience, but we want to take that
     and accumulate it over some period of time, whether it's a
     month, a year, a cycle, and go back and evaluate.
               DR. APOSTOLAKIS:  It's like crossing the Rockville
     Pike, right?
               MR. REINHART:  Right.  There you go, exactly.
               DR. APOSTOLAKIS:  The key is you remember.
               MR. REINHART:  That's what we're looking for a
     licensee to do.
               I say the as-good-as-new principle.  If you think
     of crossing a street, you're in the crosswalk, and you're
     90-percent there, and it dawns upon you, you know what, this
     was a mistake, this was a dumb idea, are you going to go
     back?  No.  Hop up on that curb, the other 10 percent.
               And so, what we're trying to do is say maybe we've
     had some on-line maintenance, maybe we've stayed at power. 
     Once we're at that 11th hour and we decide we really didn't
     quite evaluate that right, don't shut down now, finish it,
     get back in a stable configuration, do the risk-safe thing
     to do, the risk-informed safest thing to do, and evaluate it
     for next time.
               Thank you.
               CHAIRMAN SIEBER:  Thank you very much.
               Mr. Bradley?
               MR. BRADLEY:  Good morning.
               I am Biff Bradley of NEI, and with me at the table
     is Rick Hill of GE and the BWR owners group.
               We did have a number of last-minute crises trying
     to get industry support for this presentation.
               So, Don Hoffman will be supporting the second part
     of the presentation on the individual initiatives, and also,
     I didn't mention earlier, but Ray Schneider from CE and the
     CE owners group is here, as well, as part of the industry
     presentation, and he will also be involved in the
     initiatives presentation.
               I wanted to spend a few minutes and just talk bout
     -- I think NRC gave a version of their vision in the last
     presentation, of where we can ultimately go with tech specs,
     and I'd like to give industry's version of that vision,
     which I don't think is that fundamentally different, and
     also offer that we've already done much of the ground work
     for accomplishing that in the work we've put into the
     maintenance rule over the last couple of years.
               As you know, tech specs has a number of functions,
     but one of the predominant functions and the one that we
     really discuss in terms of risk-informing tech specs, making
     improvements, is plant configuration control, and there has
     been a long evolution of configuration control requirements
     over the years, starting with the custom tech specs,
     standard tech specs, NUMARC 91-06 which is shut-down
     configuration management guidance which was issued about --
     nearly 10 years ago now, and then we have had the ITS
     approved standard tech specs that are still a work in
     progress and continually evolving.
               There are actually hundreds of proposed changes in
     the pipeline to those, and over the last couple of years, we
     have had some success with risk-informed line item
               Those are AOT extensions and other types of
     improvements on a plant-specific basis, and then the most
     significantly, I think, later this year, fall of this year,
     final rule-making to the maintenance rule will be
     implemented, 50.65(a)(4), which establishes a regulatory
     requirement to assess and manage risk resulting from
     maintenance activities, which essentially incur just about
     all of the equipment unavailabilities that we deal with in
     tech spec space.
               I might also mention that we spent the better part
     of last year working with the NRC staff to develop
     regulatory guidance to implement 50.65(a)(4).
               That will be issued in the form, I believe, as
     Reg. Guide 1.182, soon to be a final reg. guide that will
     endorse the industry guidance without exception.
               There is a significant opportunity before the
     industry now to begin work to comport tech specs and the new
     (a)(4) requirement.  When I say it presents a conflict with
     existing tech specs, I'll talk a little more about what I
     mean by that.
               The industry's goal, then, is to effect regulatory
     changes that can make tech specs and (a)(4) complementary. 
     That doesn't necessarily mean that there would be no tech
     spec or that the -- there may be ways to pragmatically
     address the scope of the -- and content of the existing tech
     specs to make it compatible with (a)(4), and I'll talk a
     little more about what we think are ways we can do that.
               We have identified this to the Commission.  We had
     a Commission briefing a couple of weeks ago.  This is a
     major industry priority for risk-informed regulation, and we
     want to proceed on a parallel path with the Option 2 and 3
     activities and really make this -- break this out as a
     separate activity, because we do think there is a fairly
     near-term benefit to be had.
               I mentioned the (a)(4) requirement is to assess
     and manage risk resulting from maintenance activities. 
     Another change to the maintenance rule makes it explicitly
     applicable to on-line and shut-down configuration
     management.  That's another change that was made to the
               In reality, the (a)(4) approach, which is a
     risk-informed approach, is much better at addressing the
     multiple component outages the tech specs endeavor to
     address.  The scope and process of (a)(4) are risk-informed. 
     You're looking at a larger scope of components in the plant
     in terms of determining the risk impact and what you're
     taking out of service in relation to what's already out of
     service or what will be coming out of service.
               Scope and process of tech specs are deterministic;
     that is, you're basically limited to the scope of components
     that contribute to the design basis accident mitigation, and
     the process is basically there trying to ensure that you can
     meet your design basis.  It's not really looking at other
     risk impacts that may result from your configuration
               CHAIRMAN SIEBER:  So, are you suggesting you would
     expand the tech specs and generalize them to include more
     components as risk significant?
               MR. BRADLEY:  I'll talk about that.
               As you know, 50.36, which is the tech spec rule,
     already -- Criteria 4 of that rule already allows that the
     tech specs can include in their scope the existing tech
     specs, SSCs that are risk significant, even though they
     don't contribute to the design basis, but generally, I think
     most of the tech specs that are out there -- you don't see a
     lot of that right now.
               But let me try to get to that question.
               The (a)(4) guidance -- some of this is pertinent
     to what we discussed this morning.  It does address both the
     risk spike, the temporary increase in the CDF or the LERF,
     as well as the aggregate impact, and the overall objective
     of (a)(4) which we articulate in the guidance is to manage
     the risk so that, in incurring on-line maintenance and
     equipment unavailabilities, you're not changing your
     baseline risk; that is, from year one to year two, there
     shouldn't be a significant or greater than insignificant
     delta in the risk of the plant.
               What we get into is that we're essentially, in
     terms of configuration control, once (a)(4) becomes
     effective later this year, essentially there is a dual
     regulatory regime that will be in place, because you'll have
     to meet the tech specs as well as (a)(4).
               The staff included in Reg. Guide 1.182 an explicit
     allowance that you still must meet tech specs, which is
     probably a good idea, because there may be some confusion
     once we have these two things in place, but it's not
     unlikely that you will get into situations where your tech
     spec AOT may -- it might be seven days, but when you do an
     (a)(4) evaluation, looking at the other things you have out
     of service, that tech specs may not even be covering, you
     will find that, you know, a three-day AOT is really a more
     risk-appropriate thing to be doing, and of course, you could
     have the other way around, too, where you may have a short
     AOT in tech specs, but if you look at the (a)(4) evaluation,
     you would be allowed a very -- a longer AOT.
               So, there will be many situations, once this rule
     comes into place, where you're going to be limited,
     basically, to the more conservative of the two.
               50.65(a)(4) doesn't address all the component of
     tech specs, but it does address some of the major issues
     relative to configuration control; that is, AOTs, mode
     changes, and end states.
               The PRA subcommittees already looked at the (a)(4)
     guidance, and you're familiar with it, but it does require
     risk management actions as a function of the result of your
     assessment, and those can -- and it also treats emergent
     conditions, which can include mode changes, new equipment
     going out of service.
               It also can really get at end states, because the
     risk management actions may include mode changes to take you
     to a safer configuration, and again, that end state might be
     different from what tech specs would tell you to go to.
               So, really, all these things are what constitute
     the action requirements of tech specs.
               There are also a number of things in tech specs
     that aren't addressed -- safety systems, limiting safety
     system settings, even surveillances are really not addressed
     by (a)(4) other than the fact that, if you take something
     out of service for surveillance, that's another way to incur
     unavailability, and there are other aspects of tech specs,
     as well.
               You have the administrative aspects, power flow
     maps, various other things that probably wouldn't change.
               CHAIRMAN SIEBER:  Are you expecting that, since
     (a)(4) -- with an (a)(4) evaluation, you can come up with a
     risk number that is -- it's dependent on the outage time,
     but it could be longer or shorter than the tech spec allowed
     outage time.
               Do you anticipate a risk-informed tech spec to
     recognize a new configuration and extend the outage time as
     a number or to have one written in such a way that you can
     do anything you want, depending on whatever the (a)(4)
     evaluation comes out to be?
               MR. BRADLEY:  I think that it would be more the
               I think the (a)(4) evaluation is -- and the rule
     requirement is assessment and management of risk, and it's
     fairly flexible in the actions you can take.
               The tech specs are much more specific,
     prescriptive, and say, you know, you will shut down the
     plant under certain situations, and when I -- our goal would
     be to take both those elements and put them together, and I
     think it would require more specificity in terms of the risk
     management actions.
               I'm not suggesting that we could take the existing
     (a)(4) guidance and replace tech specs.  It would be a
     combination of the two.
               I'll give you an example of how it might work. 
     This is just one way it -- there are many ways this could
     work.  One way it could work is that you could take your
     annual unavailability targets for components and make that a
     back-stop on an annual basis, and then you could take the
     existing tech spec AOT, make that a front stop, and as long
     as you're within -- between those two values over the course
     of a year and you're managing your risk around the baseline
     through that -- that's just one way you could do it.
               But basically, it would involve taking elements of
     the existing tech specs and (a)(4) and bringing them
     together.  You know, the more radical ways you could do it
     would basically be just to manage, you know, using a safety
     monitor approach, just manage such that -- to a certain CDF,
     but I'm not -- I think that's a fairly large step, and we're
     looking more for a pragmatic kind of evolutionary step here.
               CHAIRMAN SIEBER:  Well, I'm thinking in terms of
     an operator, having been one.
               MR. BRADLEY:  Yes.
               CHAIRMAN SIEBER:  And operator is happiest when he
     lives in a box and somebody shows him where the edges are
     and he says to himself and to his crew this is where we have
     to be and these are the things we have to do, as opposed to
     getting into this fuzzy boundary kind of thing that says,
     well, I'm going to take this analyst who, by the way, might
     be off-site or at least outside the fence and not there in
     the middle of the night, and he'll tell me how much fuzz I
     have to maneuver around in.
               I'd be uncomfortable with that.
               MR. BRADLEY:  I agree with you.
               The fundamental purpose of tech specs up to now
     has been an operator tool, and you know, I think there are
     ways to address that rule.
               You're right, and ultimately, the procedures and
     the instructions the operators use, I think, can still be
     developed to do what you say, to have, you know, the black
     line, but you can still make the tech specs, which is part
     of your license, more flexible to back that up.
               That is something that would have to be
     considered.  Clearly, you can't just have a tech spec that
     says, you know, take some risk -- you know, it leaves the
     operator having to determine what that action is.  The
     operator's burden is big enough already.
               CHAIRMAN SIEBER:  Even outside the operator's
     hands, in the upper levels of management, I think that
     moving toward a sort of a sliding scale kind of a license
     condition or technical specification is -- for me, it takes
     longer to be able to accept it than it would be to be able
     to accept analytical analysis that comes up with an answer
     and says here we are, this is the box you live in.
               MR. BRADLEY:  Yeah, but just, you know, recall
     that once (a)(4) becomes a rule, the operators and everyone
     else making configuration decisions are going to have to
     look -- you know, they're going to have to meet (a)(4), not
     just tech specs, going forward.  That's the predicament.
               CHAIRMAN SIEBER:  That's correct.
               MR. BRADLEY:  And that's why we need to do what I
     am discussing here today, as it could lead to -- you know,
     the operator is not only going to have to worry about tech
     specs, he's going to have to worry about the (a)(4) piece of
     configuration control.
               CHAIRMAN SIEBER:  I think an operator can live in
     two boxes, one smaller than the other one.
               MR. BRADLEY:  As you're aware -- I think we've
     presented these before, but there are seven initiatives now
     underway to basically risk-inform elements of tech specs,
     the existing ITS, and some of these are going to get
     discussed today.
               The point is that the seven initiatives basically
     represent an incremental step toward what I'm discussing in
     making (a)(4) and tech specs compatible, and the -- in my
     view, as we move forward with these initiatives, we've got
     to make the (a)(4) process integral to the way these tech
     spec initiatives would work.
               I want to give you an example, Initiative 2,
     missed surveillance.
               You're managing the configuration of the plant,
     you're taking things in and out of service, and then you
     discover that you've missed a surveillance.
               Now, the right way to treat that is to roll that
     into your ongoing configuration management program, like any
     other emergent condition.  It's like a piece of equipment
     going out of service.  It's something you now have to take
     into account, okay, do I want to take the other train out of
     service knowing that I've missed this?  Those are the kinds
     of things you have to address, and the (a)(4) guidance
     directly gets at that.
               It talks about, before you take a train out of
     service, you've got to look at the other -- you know, not
     only at the CDP and ICDP and the integrated, you know,
     aggregate risk and everything else, but you've got to look
     at the other -- you know, is there something about the other
     train that would tell me I shouldn't be taking this train
     out of service, and this is just one example of a thing
     you'd like at, is, well, gee, I missed the surveillance on
     this, so I have some higher level of uncertainty about its
               But this is just an example of how the types of
     initiatives we're working on fit right into the (a)(4)
     framework, and you can make the same kind of argument for
     mode changes, outage times, and some of the others, 303.
               CHAIRMAN SIEBER:  Okay.  And today we're going to
     look at numbers 2 and 3.
               MR. BRADLEY:  Right.
               I think Scott mentioned earlier that NRC was
     looking at their structure internally and how to support
     tech specs and these initiatives.
               Industry has been doing the same thing.  We
     recognize there are many ongoing activities on tech specs. 
     We have -- actually, there are about seven NEI task forces
     right now that have some relationship to tech specs, and you
     get into some interesting issues when we start looking at
     risk-informing tech specs, especially if we start looking at
     sort of the visionary place we can go to comport tech specs
     with (a)(4).
               It requires that these activities be integrated as
     an industry, so that we're not -- tech specs represent --
     license change requests represent a significant chunk of
     NRC's resource burden, as well as the industry's, and we may
     be able to obviate some of the incremental types of changes
     we've been making by adapting -- adopting these more
     risk-informed-type changes, driving toward an (a)(4)-type
               So, there is going to be a new executive-level
     working group at NEI, tech spec working group.  Our intent
     here is not to just encumber the bureaucracy by adding
     another layer, you know, to all the layers we've got
     already, but it's a coordination function, and it's a
     function to look at how do we coordinate the big picture
     change of moving toward (a)(4) with all the existing
     activities we have going on.
               Initiative 4, which is AOTs -- as you know,
     there's a 4(a) and 4(b).  4(a) is individual AOTs.  4(b) is
     sort of a global way to replace AOTs with an (a)(4)-type
     process.  That's basically the first initiative, I think,
     that the working group that we're forming will want to
     really get their hands around and look at how do we go about
               The thing I mentioned earlier about the front stop
     and back stop -- that's just one of many ways you could
     actually effect that type of change, and the -- so, we will
     be looking at that, and the working group's mission will be
     to try to bring tech specs and (a)(4) into some -- at least
     so they're not inconsistent in the future.
               I will say, I guess, with regard to some of the
     slides that NRC just presented, the issue of PRA quality is
     clearly an issue for being able to do this, and I do want to
     mention again that we're not suggesting that the existing
     (a)(4) guidance as it stands would be adequate once we went
     forward to replace or move into a single configuration
     control approach with tech specs.
               Whether you would need full quantification of
     things such as shut-down and transition risk, I think, is a
     function of how you set up back stops.
               If you go to a fully risk-informed approach where
     there really are no back stops, then you might have a pretty
     strong argument to do that, but there may be more pragmatic
     ways to do that, to use PRAs along with qualitative insights
     and establish back stops to address that.
               That's basically the way (a)(4) works now.  You do
     have to have an internal events and a simplified Level 2,
     but in terms of having to quantify everything, that may not
     really be necessary, depending on how you do this.
               So, those are just some thoughts, and this is
     something NEI and the industry are going to put a major
     effort into, starting now and going forward.
               We've done a lot of work on Option 2 and 3 of
     regulatory reform, and the more we look at it, we think this
     piece has more potential benefit and is more do-able in
     terms of -- there's a success path there that we think we
     and the staff can work to -- really, than some of the other
     elements of regulatory reform.
               So, we want to break this off in a parallel path
     and move forward with it.
               DR. APOSTOLAKIS:  Let me understand here.  I don't
     remember the staff referring to (a)(4) earlier.  Am I
     missing something here?  Do you disagree?
               MR. DENNIG:  Not at all.  In our last presentation
     to your group, I believe we talked about part of what we
     understood we were heading for was bringing (a)(4) machinery
     and approach into -- what was your word, Biff? -- to comport
     with technical specifications.
               We recognize the dual regulatory scheme, the
     potential for collisions, and from an operator's standpoint,
     it would be a lot easier to have one approach, one set of
     books, one way of doing things, and so, we did -- I think if
     we look back at the transcript -- brought up (a)(4) at that
     time, and we have briefed that idea to our own senior
     management and gotten -- you know, that sounds reasonable
     thing to do approach.
               So, we're in basic agreement, but we did realize
     that the industry presentation today was going to spend time
     on (a)(4), and rather than us talk about (a)(4) and have
     them talk about (a)(4) and you hear (a)(4), (a)(4), (a)(4),
     we just kind of broke it up this way.
               DR. APOSTOLAKIS:  So, what you call next step,
     technical specification configuration control elements
     globally replaced by (a)(4)-type evaluation -- maybe you
     said that and I missed it, but this would give much more
     flexibility to the licensee, would it not, to manage the
               MR. BRADLEY:  Yes.  It would give flexibility,
     although as I said earlier, we recognize there would have to
     be some rigor in the approach that probably goes beyond
     what's in (a)(4) now.
               DR. APOSTOLAKIS:  Okay.
               MR. BRADLEY:  For instance, right now, plant
     shutdown is just one of about 20 risk-management actions we
     have in (a)(4).
               There are all kinds of other things you can do,
     and I think, right now, (a)(4) sort of gives the licensee
     flexibility to pick and choose those, as long as he can show
     he's managing risk, temporary and aggregate risk, but to go
     to a tech spec -- replace tech specs, you would probably
     have to have more explicit conditions for, you know, when
     you have to invoke those certain actions.
               CHAIRMAN SIEBER:  Well, but then you get yourself
     to the situation you have to invoke (a)(4) for every
     maintenance activity that involves safety-related equipment.
               MR. BRADLEY:  It's not just safety-related; it's
     the whole scope of your PSA.
               CHAIRMAN SIEBER:  Or important to safety or
     whatever the term is.
               On the other hand, my impression of what I know
     about (a)(4) and how it will be implemented is that -- and I
     think I recall this from one of our meetings -- is that the
     tools don't exist for some sub-components to adequately
     evaluate risk, and if that's the case, this is where the
     reliance on expert panels come in, okay, and it seems to me
     that, if you replace the tech spec requirements with an
     (a)(4)-type evaluation, there is the opportunity to move
     away from the analytical approach which I would think is
     what's necessary to support the rule, the tech spec rule,
     and move into this sort of judgmental expert panel.
               You know, this is what I call the fuzz, okay?  And
     I don't -- if I have the wrong impression, please tell me
     what the right way is.
               MR. BRADLEY:  (a)(4) doesn't -- there is nothing
     in (a)(4) about the use of an expert panel.
               There's an expert panel you use in the maintenance
     rule to do your initial categorization of components, but
     (a)(4) itself doesn't defer to, you know, some expert panel
     to make the judgement on what's the risk management action
     you take.
               It establishes the ground rules for how you can
     quantitatively -- and you also have to have a qualitative
     element, because it's addressing shutdown -- it's addressing
     areas that most plants don't have models for, but it
     basically has how you do that, how you do the quantitative
     or qualitative approach, so it really is analytical.
               CHAIRMAN SIEBER:  Yeah.  On the other hand -- and
     it was just part of your answer -- a lot of plants don't
     have the analytical tools in their transients or in
     shutdown.  So, in the sum of it, it has to go to some kind
     of expert or manager decision.
               MR. BRADLEY:  This really goes back to what I said
     earlier on the question of how complete a PRA you need to do
     this, and I think it's an open question, but my belief is
     that shutdown management -- it's possible to do that
     qualitatively in a very risk-informed way, by preserving the
     key safety shutdown functions with an adequate degree of
     defense-in-depth, and you don't necessarily have to quantify
     your entire, you know, outage, which is a relatively
     difficult thing in itself, to do that.
               We're managing shutdown risk today under 91-06
     very effectively through quantitative approaches.
               So, clearly -- I mean, you know, I'm not trying to
     say we're going to do this with some half-baked PSA, but
     whether you need to have quantitative -- and even when we
     start talking about these seven initiatives, I think you'll
     see that there are many things you can do without
     quantitative information.
               You know, missed surveillance is a great example. 
     You know, you don't have to do a lot of quantification to
     know that shutting the plant down because you missed a
     surveillance is generally not going to be a risk-smart thing
     to do.
               Of course, it may get tougher once we get into the
     whole ball of wax, but you know, it's just a matter of
     determining what's the appropriate level, and you know, we
     have to do that work.
               MR. NEWBERRY:  Maybe I could add a thought.
               When we talk about, you know, the fuzziness of
     going to the component level, really, if you look at the
     tech spec, they're really at the train level.
               So, you might have a component and you have to get
     into sometime seeing what supports what, etcetera, before
     you can get to that train-level approach.
               CHAIRMAN SIEBER:  On the other hand, a tech spec
     requirement that's placed on a train says that all the
     components necessary for that train to operate have to be
               MR. NEWBERRY:  That's right.  And, say, if a fault
     tree is modeled to the component level but the top event is
     the train, then you're comporting, if you will.
               CHAIRMAN SIEBER:  Yes, sir.
               MR. BRADLEY:  Rick Hill -- unless there are
     anymore questions for me, I was going to turn it over to
               CHAIRMAN SIEBER:  Yeah, I think that would be
               MR. BRADLEY:  He's just going to give the PWR
     owners group perspective on the activity.
               CHAIRMAN SIEBER:  Okay.
               MR. HILL:  Good morning.  I'm Rick Hill with GE,
     and I'm the Project Manager for our risk-informed tech spec
               I noticed from the agenda that you have
     Initiatives 2 and 3 split out, but with your permission, I'd
     like to address the BWR owners group perspective at one time
               CHAIRMAN SIEBER:  On both of them?
               MR. HILL:  -- on both of them, yes.
               CHAIRMAN SIEBER:  Okay.  That will be fine.
               MR. HILL:  There was some history provided earlier
     about tech specs.
               The BWR owners group is a relative late-comer for
     the owners groups into the risk-informed tech spec arena. 
     We had gone through in the middle '80s a very extensive
     reliability-based tech spec program where revisions were
     approved and made by the utilities, and as a result, there
     was some reluctance to want to get involved in further
     looking at the tech specs due to the resources that would be
     required, but we have joined in with the rest of the
     industry, at least at this point in time, and as we've seen
     the NRC's vision and NEI's vision or industry's vision --
     everybody needs a vision -- our vision is stated in this
     slide, basically, and what we consider the purpose of the
     committee that we have involved here, and that's to enhance
     the tech specs so that they reflect the safety significance
     of the condition or the requirement and thereby gain
     operational flexibility.
               I note that it's a generic committee.  That means
     all of the BWR owners are participating in this particular
     activity, as opposed to just a subgroup.
               We are actively pursuing these three initiatives
     out of the seven, and I should actually say that we're
     actively pursuing one, Initiative 1.  That's where all of
     our resources have been put into for the early part of this
               Initiatives 2 and 3 -- we are supporting the
     industry by trying to provide information that is needed for
     approval by the NRC, but we're not doing any specific work. 
     That's one of the reasons why I want to bring in both
     Initiatives 2 and 3 and mention Initiative 1.
               Initiative 1 is basically our perspective
     formulated to test the risk-informed process on an
     analytical-type basis.  As a result, we have committed and
     we are in the process and nearly finished with building a
     BWR/4 transition risk model.  It's our hope that, when we
     finish that transition risk model, it will be generic for
     all BWR/4's, we'll be able to use sensitivity analysis for
     BWR/2's and 3's, as well as 5's and 6's, to cover their
               That model that we're developing is fairly
     sophisticated for the needs of Initiative 1, but we believe
     that further initiatives that the industry will have and
     that we will have ourselves will need that sophistication,
     and so, we're building it in at this particular time.
               Initiatives 2 and 3 -- as I said, we're in the
     process of supporting that.
               We do support the draft of the TSTF that will be
     talked about later, I'm sure, by Mr. Hoffman, where the risk
     evaluations will be done on all surveillances that are
     missed and delayed greater than 24 hours.
               Initiative 3 -- we're supporting that in the sense
     that we do not have a generic approach to it.  You'll
     probably hear later that there is a -- Combustion
     Engineering plants have a generic approach to it that will
     fit all of their plants.
               Since we do not have our model complete, we are
     not able to analyze the -- quantitatively the effect on the
     plants, and so, each plant will use that on a case-by-case
     basis, if needed.
               What's in it for us?  What are the opportunities? 
     Why are we doing this?  And I think we've heard a lot of
     this already, but certainly improved decisions in favor of
     safety, and I've listed a few reasons here, in avoiding the
     transition risk of plant shutdowns when you have
     configuration changes for non-safety significant problems,
     as well as missed surveillances force urgent plant
               In some cases, when it's appropriate, longer AOTs
     for repairs, focus on safety significant systems,
     structures, and components, and on the next view-graph here,
     mentioned improved decisions on safety when multiple
     components or LCOs are impacted.
               We believe that all of these things work in favor
     of safety.
               It also will help reduce the burden both on the
     NRC and the utilities as far as less paperwork, NOEDs,
     start-up delays.
               Those kinds of things will be certainly to our
     benefit, but as with anything, there's a cost.  What are the
     challenges?  What are the things that we're nervous about in
     proceeding down this path?
               Since Initiative 1 for BWRs is not as beneficial
     as it is PWRs -- and I start that sentence with "since," as
     if you already knew it, but it's fairly obvious that staying
     in a hot shutdown condition for a BWR is not as easy as
     staying in a hot shutdown condition for a PWR.
               If you're in that condition too long, we might as
     well just go to cold shutdown.  So, there is not a large
     benefit in that for us.
               There would be some, we hope, but we would prefer
     to have this as a stepping stone to look at staying in a hot
     standby-type condition if it is justified, remaining in a
     Mode 2-type condition versus Mode 3.
               That's a challenge.  That's not on the drawing
     boards at this time.
               Will the BWR/4 model plus sensitivity analysis be
     sufficient, or will we have to develop generic models for
     each of the plant types?
               Will each utility have to develop their own model? 
     This is a significant impact on utility resources since most
     of their PRA people are very busy right now with a
     significance determination process, they are busy with
     (a)(4), and many plants will not want to develop their own
     model.  Some may.
               Will sufficient progress be made in the near term
     so that, when our executives meet in May, we'll be
     authorized to continue working, and that's not an
     inconsequential concept, since I started off the discussion
     by mentioning that we were reluctant to get in in the first
     place, and we may be not very reluctant to get out if we
     don't see that the expenditure of resources on the models
     and where we're headed -- if it's fraught with more
     difficulties than it is opportunities.
               But in summary, we try to look on the optimistic
     side and say that we see a window of opportunity here where
     we can increase overall plant safety, we can reduce
     regulatory burden, and hopefully reduce the cost of doing
     the correct thing for non-risk-significant issues.
               That concludes what I have to say for the BWR
     owners group.
               DR. APOSTOLAKIS:  How would you measure the
     sufficient progress?  I don't understand that bullet.  It
     sounds like a threat to me.
               MR. HILL:  Well, I would measure the sufficient
     progress by whether or not we are funded to continue, and
     that's a decision that our owners group executives will make
     in May.
               DR. APOSTOLAKIS:  You have to demonstrate
     sufficient progress in order to get --
               MR. HILL:  I think, in a very practical sense, if
     we had an approval to proceed with Initiative 2 by the NRC,
     that would certainly signal that there is light at the end
     of the tunnel.
               MR. BRADLEY:  This is the classic low-hanging
     fruit issue where, you know, you always prioritize these
     things with something that looks easy, at least going in.
               MR. HILL:  I wasn't intending to make a threat.  I
     was stating the reality of our situation.
               DR. APOSTOLAKIS:  And the NRC staff has its own
               CHAIRMAN SIEBER:  Your slides six and seven, which
     are the reasons why you would want to pursue this -- I don't
     disagree with them, but I find them intriguing, because
     missed surveillances are usually the fault of people not
     doing their job right, in my opinion, and it seems strange
     to punish the inanimate object, which is the plant.
               People are the ones that made the mistake, but
     there was an element that caused a lot of anguish and
     hardship because you had to maneuver the plant, go back and
     do things, you got delayed, you lost money, which kept
     management's attention on not missing surveillances, okay,
     and that was, in my day, a big sin, to miss surveillances,
     and because you got punished just by your own tech specs.
               On the other hand, as we move into a regime where,
     gee, it's really not all that bad, you don't have to
     maneuver the plant, you can delay it, just look at the risk,
     and if the risk is okay, the compulsion to not miss
     surveillances dims, and it also worries me, then, that if
     you aren't reporting them, it just goes into your corrective
     action program, you know, all of the sudden, the motivation
     to run absolutely a top-notch plant seems to be dimming, in
     my view.
               I think, to me, that's a concern.
               MR. BRADLEY:  The revised oversight process, which
     I'm sure all of you are familiar with --
               CHAIRMAN SIEBER:  Right.
               MR. BRADLEY:  -- I think will serve as a
     significant incentive not to miss surveillances, because if
     you miss a surveillance and then you ultimately, when you do
     perform it, find out that the equipment has been unavailable
     for a lengthy period of time, you will be hammered.
               You're going to be in so many white boxes over the
     past year, when you go back and take -- on top of all the
     configurations you've been in, take this thing out of
     service that you didn't -- you know, didn't think was out of
     service, that believe me, I don't -- you know, I think
     that's -- will be effective.
               CHAIRMAN SIEBER:  Is that an incentive, then, if
     you miss a surveillance, to say, well, I actually have all
     this leeway, but I don't want all those white boxes, so I'm
     going to do it as soon as I possibly could and maybe
     maneuver the plant to do it, to make sure that it's really
               MR. HILL:  I would like to try to frame the
     concept of the missed surveillance here, and I may be the
     least likely in the room to do it, and I think Mr. Hoffman
     probably has the data on the missed surveillances, but these
     are not things that happen on a routine basis, they happen
     on a once-every-few-years basis, and typically they happen
     because you made a design change and you've modified the
     procedure for doing the surveillance, and when you end up
     targeting the surveillance, there's a piece of it that you
     probably haven't done in a proper fashion, and it's
     something new.
               So it's not something that happens on a real
     routine basis.
               I don't have the numbers at my fingertips, but we
     did do a industry survey, looking in the LER database as to
     how many missed surveillances there have actually been, and
     it's astounding how small they are.
               CHAIRMAN SIEBER:  Thank you.
               Are we ready to move on?
               MR. BRADLEY:  I believe the next thing on the
     agenda is a break.
               CHAIRMAN SIEBER:  Is that it?  Okay.
               Why don't we take a break?  Actually, we're on
     time.  Why don't we come back at 10:30?
               CHAIRMAN SIEBER:  The meeting is now back in
     session, and I'd like to ask Biff Bradley to introduce the
     remainder of the industry speakers.
               MR. BRADLEY:  We're going to start -- at the table
     with me now, I have Don Hoffman from Etcel Services and Ray
     Schneider from ABB/CE, and the way we'd like to work this is
     Don is going to talk a little bit about the situations with
     the current tech specs that led to the need for these
     initiatives and some of the background as to -- that led to
     their development.
               Actually, these types of things have been in the
     works even before they took on the risk-informed name-plate,
     and then I'm going to talk just a little bit about the basis
     for the Initiative 2 on missed surveillances, and then Ray
     Schneider is going to do likewise and talk about the risk
     analysis and how you do that work for Initiative 3 on mode
               So, I'll go ahead and turn it over to Don at this
               MR. HOFFMAN:  This first slide -- I will just
     indicate which package I'm going to be speaking from, which
     is set up, as you can see, for us to discuss both
     Initiatives 2 and 3, which as Biff indicated, I'll discuss
     portions of 2 and then come back to 3, and we'll do them
     separately, as indicated.
               The reason I have the opportunity to speak to you
     today is I'm the Technical Coordinator for the Technical
     Specification Task Force, which is the group of all the four
     owners groups which has currently developed the ITS, the
     improved technical specification NUREGs, and all the changes
     thereto, working with the NRC and all of its branches with
     developing Revision 1 and, now very soon, Revision 2.
               So, we've been working very diligently in a lot of
     the deterministic aspects and, to some extent, actually
     broaching into some risk-informed aspects of the technical
     specifications, acknowledging that it's very hard to keep
     them separate as much as sometimes we want to, and in doing
     that, we've been addressing AOTs and other activities, as
     Biff indicated.
               That is what led to -- when we first began
     discovering or deciding which initiatives would be
     appropriate initiatives for us to begin with in the
     risk-informed arena, we selected the initial seven that you
     see before you, or that you had discussed, at least, earlier
     this morning.
               The Initiatives 2 and 3 that we're going to be
     discussing during the course of the morning and the early
     part of the afternoon were the two initiatives that we felt
     would -- were ones that were -- should be simpler to do. 
     They were more policy issues, if you will, than
     hard-and-fast risk-informed issues.
               We believe they would require the last amount of
     risk insight to justify their approval, and with that in
     mind, we considered all these initiatives in the aggregate,
     in considering what we were doing in the deterministic space
     and what we were doing in the overall risk space.
               One of the comments I heard this morning -- I want
     to make clear it is not our intent to change the definition
     of operability but only to change some of the tools utilized
     around it to determine the best course of action when we
     have levels of degradation.
               But we are in total agreement with you.  It's our
     intent to structure these such that the tech spec
     requirements are expected in all cases to be met.
               One of the comments that were made at the end of
     this morning's session that I would like to address is the
     issue of the number of times that we have actually missed
     surveillances before I go into it.
               As was stated this morning, we did a review of the
     LER database from 1995 to 1998, and we discovered there were
     11,393 LERs that were associated with these kinds of
     activities -- sorry -- only a total of 11,393 LERs.  Of
     that, 170 were related to missed surveillances.
               Of that 170, we discovered that there were only 12
     cases where, once the surveillance that had been missed was
     subsequently performed, that the surveillance failed, and in
     all of those 12 cases, the subsequent failure was due to the
     fact that -- one of three things -- either the surveillance
     had never been performed before or, two, there was a design
     change that was not aware of when the surveillance was
     subsequently performed or, three, there was an inappropriate
     procedure that was utilized.
               DR. BARTON:  It sounds like I shouldn't do any
     surveillances, because the more I do, the more I fail, but I
     don't do them, I don't fail them.  That's what that sounds
     like, to me.  I've failed more surveillances doing them than
     this history shows you have failed by not doing them,
     whatever that means.
               MR. HOFFMAN:  What that means, sir, is that --
     what we believe that means is that the NRC and the industry
     determined in the middle '80s that the greatest likelihood
     of performing a surveillance is that a surveillance is going
     to do nothing more than confirm operability or actually be
     passed when performed.
               That has been the greatest likelihood when we've
     gone back and done the evaluation.
               Nonetheless, there are, obviously, surveillances
     that are failed when initially performed within their
     specified frequency, for a number of different reasons, and
     I'm sure you're very familiar with those, sir.
               CHAIRMAN SIEBER:  It also seems as though, in
     those instances that you cite, that there's a breakdown in
     some other program.
               For example, if you do a design change and fail to
     adjust the surveillance procedures to reflect that design
     change, then there's something wrong with your design
     change, or if you have an inappropriate procedure, how can
     you do a surveillance year after year after year with an
     inadequate procedure?
               I think most tech specs require procedure reviews
     by somebody every three years or thereabouts.
               DR. BARTON:  Annual reviews.
               CHAIRMAN SIEBER:  You know, there's breakdowns in
     programs that cause these kinds of things to happen.
               MR. HOFFMAN:  Absolutely, sir, and I do want to
     clarify that the portion of the surveillances, the 12 again,
     only 12 of the 170 that failed -- when I say due to
     programmatic issues, there were the fact -- well, you're
     certainly aware that the NRC sent out Generic Letter 96-01
     which required the industry to go back and evaluate the
     performance of surveillances with regard to ECCS and other
     instrumentation systems, because they determined that, in
     some cases, some of the surveillances were inadequate to
     address all of the contacts, components, and relays, and in
     some of these cases -- in three, to be exact -- the reason
     those surveillances failed were not because what they tested
     didn't pass but that they did not test all of the things
     they should have tested, and that constituted a failure on
     the part of the complete surveillance.
               So, there are a multitude of issues here that
     really address what we constituted or packaged as failure,
     these 12.
               CHAIRMAN SIEBER:  Do you have any data that shows
     whether the equipment was not functional because of the
     failed surveillance?
               MR. HOFFMAN:  When we went back to these 12, in
     every one of these cases except two, the equipment would
     have still performed its intended safety function.  There
     were only two in which there was a portion of it because of
     the failure that they would not have had a sufficient pump
     flow or the valve would not have stroked in the time it was
     required to, sir.
               CHAIRMAN SIEBER:  Okay.
               So, basically what you're saying, it was
     inoperable but functional in 10 out of 12 cases.
               MR. HOFFMAN:  Yes, sir.  In fact, you'll notice
     that we have an Initiative 7 which addresses inoperable but
               CHAIRMAN SIEBER:  We'd rather not deal with that
               MR. HOFFMAN:  I understand, sir.
               CHAIRMAN SIEBER:  But I did read it.
               MR. HOFFMAN:  What I wanted to do was just to go
     back a little bit and start back with how we came to the
     conclusion that we needed to make some changes to SR 3.0.3,
     which subsequently became Initiative 2 and is what we call
     TSTF 358, which is a numbering system we utilize for generic
     changes made to the improved technical specification NUREGs.
               As most of you know, the standard technical
     specifications which were developed in the mid-1970s
     established 3.0 and 4.0 requirements that were generic
     requirements that applied throughout and they were more
     appropriate to be discussed at the front of the technical
     specifications rather than repeated in each individual LCO.
               This SR 3.0.3 change was previously called 4.0.3. 
     With the change to the improved technical specifications,
     there were a number of numbering changes.  This is one of
               The 4.0.3, now SR 3.0.3, initially required all
     LCOs to be met by performance of surveillances prior to
     entering into the mode of applicability of the LCO, which
     meant that if you did not perform the surveillances in that
     specified interval, then the LCO was to be declared not met
     and the SRs were then to be performed subsequently, but at
     the time equal zero, upon discovery that you did not perform
     the surveillance, the LCO was to be declared not met and you
     would enter into its action statement and to take whatever
     the appropriate actions were.
               In 1987, the NRC issued Generic Letter 87-09. 
     Generic Letter 87-09 was issued with working with the
     industry and the NRC addressing a number of different issues
     that they felt had become overly conservative over the
               One of these was SR 3.0.3, which was where we
     determined -- you, the NRC, and the industry -- that it was
     overly conservative to require a shutdown or some other
     punitive action from missed surveillance requirements,
     because the greatest likelihood when you performed a
     surveillance requirement, is that operability would be
     demonstrated or confirmed, and that was as a result of a
     great deal of evaluation and doing data gathering on the
     part of the industry and the NRC.
               At that time, the NRC determined that 24 hours
     seemed an appropriate timeframe, but during that 24 hours,
     in Generic Letter 87-09, you were required to declare the
     LCO not met, and you just were not taking its required
     actions during that period of time.
               When we came to the improved technical
     specifications in the late 1980s and early 1990s, we
     developed Revision 011, and now we're working on Revision 2. 
     We actually did some enhance and improvement to SR 3.0.3,
     where we allowed the delaying of declaring the LCO not met
     when we missed a surveillance.
               Because of the information that had been gathered,
     because we had determined that the greatest likelihood is
     that a surveillance would be passed and satisfied
     operability when performed, we made the determination that
     we should be able to delay declaring the LCO not met and
     that, at the end of that 24 hours, we must have performed
     one of the three following things:
               Either, one, we performed the surveillance and it
     passed or, two, we performed the surveillance and it failed,
     and at the time of its failure, we then declared the LCO not
     met and took its actions, regardless of when during that
     24-hour timeframe that may have occurred, or three, at the
     end of the 24 hours, if we've done nothing, then we declare
     the LCO not met.
               That determination was utilized up through and
     including all the ITS through Revision 1.
               When it came time for us to evaluate and look at
     some of the initiatives I said for the risk-informed
     technical specifications, this initiative became one because
     we were realizing that there were several plants who had to
     ask for regulatory relief because they had missed
     surveillances, albeit on a very unusual situation, on a very
     -- when I say a very minor situation, as far as the number
     of times, it did occur, and in many cases, if not all cases,
     we continued to discover that the surveillance was passed
     when performed, and yet, the particular surveillances where,
     if we missed them, we had to change the mode of the plant or
     the condition of the operating plant to perform them, that
     we determined, in many cases, we thought there would be more
     risk during the transition or more impact to the plant to
     take it to another condition to perform the surveillance
     than to take other compensatory measures.
               So, the Initiative 2 that we have before you in
     TSTF 358 was to propose to allow the surveillance interval
     to be 24 hours or up to the next interval, whichever is
               Now, the first reaction would be, well, gee, if I
     have a one that's established on a refueling interval, then
     I could go to the next refueling interval, and it's
     established from a regulatory standpoint, yes, that's true.
               However, there are a number of things in this TSTF
     which would preclude that from occurring unless it was an
     absolute necessity.
               First, it would be required to be performed at the
     next reasonable opportunity and that there would have to be
     an evaluation by management, and we're going to come to some
     of the risk insights that would be utilized for that, to
     evaluate the acceptability of, one, not performing the
     surveillance within that 24 hours, and that evaluation would
     have to include the impact on plant risk, the impact of,
     one, performing the SR and what kind of conditions we may
     have to establish and, two, the impact of not performing the
               It would have to evaluate the analysis assumptions
     with regard to the overall systems, what other things were
     inoperable, what was the condition of the plant with regard
     to meeting the assumptions of the safety analysis.
               It would have to evaluate the current unit
     conditions, the planning, the availability of personnel, and
     obviously the time to perform the surveillance requirement.
               So, those are the types of things, in addition to
     the risk insights that you're going to hear shortly, that we
     established would be required by each plant, utilizing this
     flexibility, to evaluate.
               The issue this actually addresses is it reduces
     the need for regulatory relief for those SRs which require,
     as I said, a change to the actual mode or condition of plant
     to perform the surveillance.
               As you also heard earlier, this missed SRs would
     be put into the corrective action program, and as I heard
     discussed earlier this morning, we feel that, because of the
     corrective action program, maintenance rule (a)(4), and the
     new reactor oversight process, that there is an incentive to
     perform these in the specified interval, on the specified
     frequency, and do so appropriately.
               We expect that these will be an exception, not the
     rule.  We believe that the greatest likelihood, as has been
     demonstrated, that it will be demonstrated -- the system
     test, it will be demonstrated operable, and since we are
     performing a risk evaluation for all those extended beyond
     the 24 hours -- and you're going to hear that that could be
     a portion of a qualitative or quantitative -- that we feel
     that there will be appropriate evaluation to establish the
     acceptability thereof.
               This slide just only indicates some of the things
     that I've already discussed with you.
               DR. BONACA:  I have a question.
               MR. HOFFMAN:  Certainly, sir.
               DR. BONACA:  I completely support the thought
     process behind this, but the question I have is regarding
     the delay period to the surveillance frequency interval. 
     What, for example -- one could have proposed to the next
     surveillance frequency interval or the next shutdown,
     whichever comes first, okay, which give an intent of doing
     it as fast as possible.
               Now, clearly, in many cases, the surveillance
     frequency may be shorter than the next outage, and that's
               In some cases, however, you may have an outage,
     and that would at least put some sense of urgency, you know,
     management, for doing it.
               Now, that outage may be the next outage, I agree
     with that, may be the refueling outage, but still, you know,
     just going in with a surveillance frequency interval -- it
     gives a different kind of message.
               It gives a message almost that surveillance is not
     important; you can go for two terms, you know, the time
     element is not important.
               MR. HOFFMAN:  Certainly, sir.
               We considered that.
               It was not our intent to give rise to anyone to
     think that the surveillances were not important, and we
     actually considered putting in a timeframe "or the next
     shutdown," but as you stated, recognizing that many of the
     surveillances have shorter intervals than the next shutdown,
     we didn't want to give rise to something that was due in the
     next 92 days that they could take to the next shutdown,
     which may be 120 days, to perform it.  Hence, that's why we
     established the next frequency.
               For the very ones I believe you're speaking to,
     which are the ones that would require you to be in a
     condition of shutdown to perform that surveillance, we
     established they would be required to be performed at the
     reasonable opportunity, such that the next shutdown, when
     you were in a condition to perform the surveillance, would
     be deemed in all cases, in our opinion, based on our
     establishment of the criteria, to be the next reasonable
     opportunity, so that if I missed a surveillance and
     discovered, let's say, one month after I started up and the
     next time I'm supposed to perform it is 18 months and I shut
     down two months from now and I'm in a condition to perform
     that surveillance, that may be the first reasonable
     opportunity, but that's absolutely the longest I would be
     allowed to not perform that surveillance.
               DR. BARTON:  What do you mean "in a condition"?
               MR. HOFFMAN:  The plant condition.  The condition
     of the plant may be required -- certain of these
     surveillances, as I'm sure you're well aware, require the
     plant to be in a condition other than -- that you cannot do
     in an operating condition --
               DR. BARTON:  Right.
               MR. HOFFMAN:  -- because of the impact on all the
     other systems.
               DR. BARTON:  So, in shutdown, in a forced outage
     that I can come back from in two days and the surveillance
     that I missed takes two days to do and it requires going in
     the drywell, but yet, the thing that caused me to go down
     does not require me to be inert and go in the drywell, now
     what do we do?
               MR. HOFFMAN:  Absolutely.  I knew you'd ask that
     question, sir.
               We talked to the plants when we were developing
     this and stated that, if there was a determination by a
     plant that they felt that they could not perform the
     surveillance, that was not the first reasonable opportunity,
     then they would have to justify through management
     evaluation of the acceptability to go ahead and delay that
     surveillance even further.
               DR. BARTON:  But you already gave me the okay to
     go 24 months.
               MR. HOFFMAN:  I gave you the okay to go to the
     next frequency, providing you did an evaluation of the
     acceptability of going to the next frequency and that you
     performed it at the next reasonable opportunity and that the
     next reasonable opportunity included one of those things,
     sir, of the plant conditions available to perform that
     surveillance, which would mean that in order for me as a
     plant to explain to myself, to my management, or to you, the
     NRC, that I had made the appropriate determination, I would
     have to be able to justify not performing that surveillance,
     not taking the additional time during that forced outage to
     enter that drywell to perform that surveillance.
               There may very well be extenuating circumstances
     and information I could bring to bear to do that.
               DR. SHACK:  Would it make a difference if you
     changed the wording to say 24 hours or longer, or at the
     next opportunity, and then put a statement that said
     absolutely no longer than the next surveillance frequency
               That would seem to me to put the emphasis in the
     right place but wouldn't change anything.
               MR. HOFFMAN:  We evaluated some aspect of that. 
     The reason we were concerned -- and I hear what you're
     saying -- about establishing in the tech spec itself
     reasonable opportunity but no later than is that we wanted
     them to be a little more explicit, at the very latest,
     because obviously tech specs are prescriptive and supposed
     to give you an establishment, if you will, of timeframes.
               So, we wanted the tech spec requirement to be no
     later than the next surveillance interval but certainly at
     the very next opportunity.
               We could restructure the words, possibly, to make
     it more clear, or at least the bases and the justification
     to enhance the rationale.
               We're certainly open to improvements that will
     enable you to feel comfortable with the process we believe
     we're following.
               CHAIRMAN SIEBER:  I think it would be better if
     you folks and the staff worked out the words, rather than
     have this committee do that.
               MR. HOFFMAN:  Yes, sir.
               CHAIRMAN SIEBER:  That's, to me, more of a process
     issue than a technical issue.
               MR. HOFFMAN:  I certainly understand your concern,
     and I believe that we could do some things at least on the
     bases and the justification to further address that, sir.
               DR. BONACA:  I have another question.
               MR. HOFFMAN:  Yes, sir.
               DR. BONACA:  The 24 hours -- it's meaningful in
     the current tech specs.
               MR. HOFFMAN:  Yes.
               DR. BONACA:  The two end points compete. 
     Twenty-four hours is not meaningful in the new tech spec,
     because you know, you say, you know, 24 hours or the next
     refueling outage, whichever comes after.  Why do you need to
     retain the 24 hours?
               MR. HOFFMAN:  The reason we chose to retain the 24
     hours, sir, was for it to be a break point at which point we
     did the risk evaluation of not performing the surveillance. 
     In the current tech spec requirements, we're allowed the 24
     hours without doing any kind of risk evaluation,
     notwithstanding what (a)(4) will require us.
               So, if we miss a surveillance and we discover that
     and we can set up and perform the surveillance within 24
     hours and it passes, we're fine.
               So, we maintain that just saying that, okay, at
     some point, we have to do a further evaluation of the
     acceptability of not having performed that surveillance.
               So, we selected the current 24 hours as the break
     point, after which we would do a risk evaluation, sir.
               DR. BONACA:  Can you do it in 24 hours?
               MR. HOFFMAN:  Excuse me, sir?
               DR. BONACA:  Can you do that evaluation in 24
     hours in all cases?
               MR. HOFFMAN:  We would have to do the evaluation
     if the surveillance was going to be extended beyond 24
     hours.  The timeframe for the actual --
               DR. BONACA:  You're making this change to be more
     realistic, you know, and the question is can you make a
     realistic evaluation in 24 hours.  I'm only questioning the
     24 hours specifically.
               If you have a certain objective for it, then make
     sure that it fits the need.
               MR. HOFFMAN:  Certainly, sir.
               At the T equals zero -- once we discover that we
     have missed a surveillance, we begin the 24-hour clock.  So,
     at time equals zero, we discover we've missed the
     surveillance, the 24-hour clock begins.
               During that 24 hours, we have to make the
     determination of a number of different things.
               One, can we perform the surveillance?
               Two, can we structure everything up, to get
     everything set up?  What is it going to require?  Do we have
     to change the plant condition?  Can we bring in whatever
     needs to be done and, after that, determine, if it's going
     to go beyond 24 hours, then we would begin to perform the
     risk evaluation.
               Now, I can't tell you, in all cases, the risk
     evaluation would be completed by the end of that 24-hour
               CHAIRMAN SIEBER:  That would just put you in the
     action statement.
               MR. HOFFMAN:  Well, at the end of the 24-hour
     clock, yes, sir.
               DR. BONACA:  I think you should revisit the hour
               I mean the restrictions in the current tech specs
     are meaningful.
               In the new tech spec, you are changing it to
     accommodate certain considerations which make sense.
               I think you should look at the other one, too,
     because I think you want to make sure that you have a
     process by which you can exercise the tools that you need to
     perform an evaluation to assess it and to determine, you
     know, that, in fact, you can do it without starting a clock.
               CHAIRMAN SIEBER:  Well, the clock always starts
     Friday around seven p.m.
               DR. BONACA:  That's right.
               CHAIRMAN SIEBER:  That's just the way the world
               On the other hand, if we're in risk-informed tech
     specs, we heard this morning that there is a whole
     infrastructure of analytical tools, processes, procedures to
     be able to accomplish these things and not in back of some
     panel in the middle of the night by a couple of guys that
     happen to be on-shift.
               So, if that expectation is met, then I think you
     can perform an adequate risk assessment.
               The problem is, does the risk assessment get cut
     short or is it less thorough than it should be because you
     only have 24 hours to do it, and I can't answer that
               MR. BRADLEY:  I think that once the -- clearly,
     once (a)(4) is effective, you will have the infrastructure
     in place, because this won't be any different from any other
     emergent condition, you know, that happens on the back shift
     or anywhere else, and you're going to have to have both the
     normal and the off-normal, you know, procedures there to
     deal with that, and I think that, especially for this one,
     which is fairly simple, that you could do that in 24 hours.
               CHAIRMAN SIEBER:  I'm counting on what the staff
     told us this morning as being the way it's going to be and,
     notwithstanding (a)(4), you know, those tools are going to
     be in place, and so, I'm relying on that as saying that this
     is okay, and if you're telling us 24 hours is adequate, then
     that's okay with me, too.
               MR. HOFFMAN:  Well, what we're telling you is that
     24 hours is the break point, at which point, if we knew it
     was going to go beyond 24, we would have to perform a risk
     evaluation in addition to the other evaluations that we
     would normally perform.
               We have not currently restricted the timeframe to
     perform the evaluation to 24 hours.
               As written, TSTF 358 does not place that
               We have just stated that we would perform the
     evaluation prior to going beyond the 24 hours.
               DR. BARTON:  You're saying if you can perform it
     within the 24 hours, you'd have to perform it?
               MR. HOFFMAN:  Yes, sir, that's what I'm saying. 
     I'm saying that, before you would go beyond the 24 hours,
     you should know what the impact of doing that is, and as
     structured, the TSTF and the associated tech specs and their
     bases and all the corresponding information that I believe
     the NRC intends to put in their safety evaluation for the
     acceptability of 258 for SR 3.0.3 would require those types
     of evaluations.
               DR. BARTON:  If I can perform it, I have to
     perform it.
               MR. HOFFMAN:  Yes, sir, if you can perform it, you
     should perform it.
               DR. BARTON:  You have to perform it.
               Let me give you a hypothetical.
               This things happens on a Friday night.  In order
     to perform this thing, I've got to call in six I&C
     technicians and pay them overtime and a meal, etcetera,
     etcetera, or slip the surveillance to the next forced outage
     or next refueling outage.
               You're in a competitive environment.  That costs
     me money to bring all these guys in to do the thing.
               Do I have to do it within the 24 hours if I can
     get the I&C techs in there to do it, or because it's an
     economic burden on me, I'm going to slip it to the next
     convenient time.
               MR. HOFFMAN:  As we've currently structured TSTF
     358, you would not be able to utilize economics as a
     justification or rationale for extending the surveillance
               It does take into place the availability of
     personnel such that if you can't perform it because you're
     just not physically able to get all the people available to
     do so, not because you don't want to pay them overtime or
     you don't have to bring them in for lunch but because they
     are just not available for whatever reason.
               So, you have a very valid point.
               DR. BARTON:  All I have to do is tell my I&C guys,
     if you get called in, refuse the overtime, so I don't have
     to do the surveillance.  Okay.
               CHAIRMAN SIEBER:  Well, I don't recall reading
     anyplace where it actually said that in the documents that
     we got, that the economic incentives are not a factor.  Does
     it say that someplace?
               MR. HOFFMAN:  Well, it doesn't say the economic
     incentives are not a factor, but the factors that it does
     address do not include economic incentives as the types of
     evaluations that you utilize to determine that
               CHAIRMAN SIEBER:  Where do I find that?
               MR. HOFFMAN:  That's in the actual TSTF 358
     package, in the justification part.
               DR. KRESS:  The risk assessment that you make --
     do you assume that piece of equipment that was supposed to
     be surveiled is inoperable in the risk assessment, or do you
     put in a -- some sort of a reliability or availability?
               MR. BRADLEY:  There are multiple ways you could do
               As a screening measure, you could just look at the
     Fussel-Vesely component, which is basically assuming it's
     unavailable, and you can screen many things out as being
     risk-insignificant in that regard.
               You could adjust the failure rate of the component
     based on the fact that you missed the surveillance.
               DR. KRESS:  Based on the fact that you know it's
     probably operable.
               MR. BRADLEY:  Right.  So, that would be a good
               DR. KRESS:  And you would project that over some
     time period --
               MR. BRADLEY:  Right.
               DR. KRESS:  -- and have a criteria to say, well,
     if that --
               DR. APOSTOLAKIS:  That's on the basis of at this
               CHAIRMAN SIEBER:  Instantaneous.
               DR. KRESS:  Instantaneous.
               DR. APOSTOLAKIS:  You can't project.
               DR. KRESS:  But you're going to decide how long to
     wait before you make the surveillance.
               DR. APOSTOLAKIS:  This is a very unreal -- well, I
     guess you can take the -- you can assume the equipment is
     down, calculate a new CDF, and do what Dr. Moeni says
     they're doing at Southern California Edison.
               MR. BRADLEY:  That's just a screen.
               In reality, you're going to have to look at your
     actual plant -- I think this is a perfect fit with (a)(4),
     because if you're just looking at the -- I mean that's
     assuming a static situation, and in reality, you're having
     dynamic plant configurations, but this really perfectly fits
     the approach of (a)(4), and I think it's the exact same
     things you've got to look at.
               You've got to look at what you're planning, how
     that could be affected by the fact that this is missed and
     you've made some assumption about an increased failure rate
     or that it's unavailable, and you factor all that into your
     work planning process and you look at your ICDP and your
     integrated risk impact exactly like you'd do it in the
     (a)(4) guidance, and as a matter of fact, if I was writing
     this traveler or the TSTF, I would actually try to
     explicitly reference, I think, Reg. Guide 1.182, which it
     doesn't right now, but to me, that's the simplest way to
     consider it.
               MR. DENNIG:  This is Bob Dennig from the staff.
               The basic premise here is that the surveillance --
     the missed surveillance -- what we've lost out on is
     confirmation of operability.
               The presumption is that it is operable.
               If you have any information that it is not
     operable, will not perform its function, you have to do a
     continuous operability determination.  Under tech specs,
     that is your obligation.
               If you have any information that tells you that
     there is something wrong with this, you're out of there and
     you're into the action statement.  That's the end of that.
               DR. KRESS:  The assumption it is operable gives
     you no delta risk unless you change --
               CHAIRMAN SIEBER:  That's right.
               MR. DENNIG:  So, what goes into the evaluation, as
     Dr. Apostolakis mentioned, is an importance measure.  The
     importance of this equipment gets factored into --
               DR. KRESS:  Which is not an assumption of
     operability, then, in terms of criteria.
               MR. DENNIG:  Right.  I'm just saying that to
     assume that it's broken and then do a risk evaluation of
     what we're accumulating with the broken equipment is not
     consistent with the premise of the initiative.
               DR. KRESS:  Yeah, but I don't know how else you're
     going to do anything.
               MR. BRADLEY:  As a screen, I think, you know, it's
     a bounding assumption to assume that it's unavailable.
               DR. KRESS:  You don't have a technical basis for
     any other unless you use something like this LER data to get
     a different -- I don't know how you get a different
     availability number out of the reliability -- if you
     increase the failure rate -- but you have no technical basis
     for doing that.  You can't take that out of the LER --
               MR. HOFFMAN:  Maybe I didn't make this clear. 
     Part of the evaluation -- and to support what Bob said -- is
     obviously there's a continuous operability determination in
     all the systems ongoing, and if for some other reason you
     knew it was inoperable or degraded in any way, shape, or
     form, you'd have to take the appropriate action, but the
     surveillance -- the particular surveillance that you have
     missed -- one of the evaluation aspects -- and I didn't go
     into this in greater detail initially -- is that you'd have
     to evaluate how has that surveillance fared over the course
     of the last several performances?
               Has it passed the last five, six, seven, eight,
     nine, ten times?  Have you had difficulty with any aspects
     of it?
               Does this particular surveillance perform
     something that you've seen some concerns with anyplace else?
               Is there generic -- any generic information from
     either your type of owners group or from the NRC that would
     give rise to make you think that, well, even though I have
     no reason to believe the surveillance wouldn't pass if
     performed, there are other informations out there that would
     cause me to consider those, and if those gave rise to
     concern, then you have to consider this -- you'd have to
     take a different kind of action.
               DR. KRESS:  You really don't have enough data to
     do that on a plant-specific basis.  You would have to rely
     on generic data from the whole fleet of plants, and I don't
     know that the number value you get out of that would be
     different than its original reliability number anyway.
               CHAIRMAN SIEBER:  It's not clear to me how you
     evaluate the change in risk if you can't ascertain the
     condition of the equipment.  You can make all kinds of
               DR. KRESS:  That's basically my problem with it. 
     You can make the assumption of inoperability and evaluate --
     have a screen.
               CHAIRMAN SIEBER:  That's going to come out, in a
     lot of trains, pretty risky.
               DR. KRESS:  It could very well be.  I don't know.
               MR. NEWBERRY:  I think I heard the gentleman from
     the industry say this.  Do you have the capability to go in
     in your PSA where you have your failure rates, your lambda-T
     over 2, and adjust that T for twice the surveillance now? 
     Is that part of your approach?
               MR. SCHNEIDER:  That will be part of it.
               You could either look at increasing the failure
     rate, you could look at taking the equipment out of service,
     but the one thing you also want to recognize is that, while
     there's -- there's actually another incentive for the
     industry to basically be sure it does it properly for
     high-risk components, because with the oversight process, if
     I'm going to start doing (a)(4) maintenance and not have the
     -- and not have a good assessment of -- a good belief that
     the equipment is operable and I then start taking equipment
     out that might amplify the effect of that piece of equipment
     and then, when I do that surveillance, find out that the
     equipment wasn't -- you know, didn't pass, under those rare
     instances you'd have to go back and double-check the
     prudence of your decision process, and through oversight and
     performance-based regulation you'd be held accountable for
     not -- basically taking a potentially high-risk system and
     not really doing the surveillance in the 24-hour timeframe,
     and that's probably more of an economic impact than the
     impact of not doing it most of the time.
               CHAIRMAN SIEBER:  There's too many performance
     indicators -- there are too many safety-related pieces of
     equipment that are not in the performance indicators that
     would trigger a white or any other color.
               For example, let's say that the surveillance in a
     PWR that you forgot to do was the flow test on a recirc
     spray heat exchanger.  There's no little window for that
     that I can recall, okay?  And it usually degrades over time,
     as silt builds up and fish and clams and stuff start to live
     in there, and it only operates when -- you can't test it
     because you see it operating like a high-head safety
     injection pump.  It only operates when you either test it or
     in a big accident mode where you've got to spray down
     containment, and so, here's a situation where, you know,
     it's very difficult to tell whether the system is operable
     or not, because you haven't flushed it out and you haven't
     tested it and you don't know whether it's degraded or not,
     and the functionality and operability are different, and you
     say, well, if I get some flow, it's okay, and I don't have
     to read the tech specs.
               The old type of tech specs said I'm not exactly
     sure where you are with respect to what you put in there for
     a failure probability to do a risk assessment.
               DR. BONACA:  Unavailability is a function of time. 
     You can -- can you put consideration of that?
               I mean you have unavailability that is dependent
     on time and failure rate for that particular component, and
     now you're going to extend from 24 months -- you've assumed
     in the example, 24 months, you did not perform the
     surveillance, you go another 24 months.  You're compounding,
     essentially, unavailability rate, right?
               MR. SCHNEIDER:  Right.  You can look at the
     unavailability increasing as a function of time.
               DR. BONACA:  I mean your PRA is making certain
     assumptions of unavailability based on the surveillance
     intervals that you have.
               MR. SCHNEIDER:  Right.
               DR. BONACA:  And so, therefore, if you extend
     those, you can account for those and get the sense of what
     the impact is.
               MR. SCHNEIDER:  Right.
               CHAIRMAN SIEBER:  It gets back to the discussion
     that we had this morning when we talked about are the tools
     available, and not only do the tools have to be available
     but the data that you put into the tools to arrive at the
     answer or the conclusion has to be available and reasonable.
               MR. SCHNEIDER:  I think the real issue is also
     part of the risk-informed decision process.  It's not just a
     number-generating process.
               If you really missed -- if you're missing a
     surveillance on a risk-important component, the incentive is
     going to be to basically perform that surveillance as soon
     as possible, and the goal here is not basically to see how
     much you can get away with and try -- the goal here is to
     try to use prudence in trying to figure out which of the
     surveillances that are a lot less significant, that if they
     are missed won't contribute to the risk of plant operation,
     even if your decision process was wrong, and so, you could
     look at by bounding and look at, you know, what happens if
     the component is pulled out of service, what happens if you
     increase the failure rates and do some sensitivities, but
     the idea is to come out with a combined decision process
     that drives you into performing the right set of decisions,
     whether it's to control maybe the other train, to make sure
     the other train's fully operable and make sure the other
     train's not pulled out of service, to control other kind of
     maintenance, look at other back-up equipment, to look at
     other contingency actions, at compensatory measures.
               It's not just the number that you're looking at,
     and I think that, by and large, the majority of these, the
     plant has a pretty good handle on what its importance will
               CHAIRMAN SIEBER:  Yeah, well, the plant is not a
     homogenous thing.
               MR. SCHNEIDER:  I understand.
               CHAIRMAN SIEBER:  The operators in the middle of
     the night, somewhere in their ultimate training they become
     amateur lawyers, and so, they read those tech specs like you
     would not believe, okay, and then they say do I have to do
     it, and then they read it over and over again, and the way I
     read it is, no, I don't have to do it.  So, they write an
     engineering memorandum that says do a risk analysis on this
     and I'm going to go eat lunch.
               MR. HOFFMAN:  I think your point is well taken,
     but I would like to believe that the kinds of things you
     discussed -- and certainly, they did exist -- many of them
     were clarified and resolved in the improved technical
     specifications, where we took those very kinds of issues and
     attempted to resolve them so there weren't tech spec
     interpretations and memorandums to engineering and
     operations and establish clear-cut, specific, finite
     requirements in the specs themselves, with detailed
     explanations of what that meant and the bases, so it was
     very clear to an operator when, where, how, and why he or
     she needed to do whatever that was, and based on what Ray
     also said, we believe that the robustness of this process
     lends a great deal of credibility to the acceptability of
               One, we don't believe it's going to happen very
     often, and we think we have data that would support that.
               Two, we think that, when it does happen, the
     greatest likelihood of performing that surveillance is it's
     going to pass.
               Three, we believe the tech specs are currently
     structured that if there is any reason for you to believe
     that that SR would not be met or for any other reason that
     LCO was not met or that equipment is inoperable, you have to
     take the appropriate actions under SR 3.0.1.
               This SR 3.0.3 change would give you no flexibility
     in that arena.
               And four, we also believe that, because we have
     established for part of the robustness of that process
     specific issues that have to be considered by the plant in
     regards to its evaluation of the acceptability of this,
     which takes into account how the surveillance has been
     performed in the past, what the equipment is, what the other
     condition of the plant and so on and so forth is, we believe
     that these kinds of things will be appropriately and
     adequately addressed.
               Now, again, if this becomes an issue where the
     surveillance is being missed, as stated this morning by Mr.
     Dennig, became chronically missed, then that's an entire
     other issue.
               The entire premise, as he stated this morning,
     that this is a very unlikely situation and that, because of
     the unlikeliness, it's acceptable.
               In fact, we went back and discovered that, over
     the course of the last five or six years, there were 10
     NOEDs issued regarding this, and we looked at NOEDs.
               Every one of them were approved for plants to go
     beyond the 24 hours, and in almost all cases, it was because
     the greatest likelihood the surveillance, when performed,
     will be passed, the use of this flexibility has been small
     or insignificant, and three, that the timeframe in which
     they're going to perform it is a reasonable timeframe, so
     those being the basis.
               DR. BONACA:  However, you're referring to a
     statistic that is based on a history where, if you miss the
     surveillance, you have tremendous penalties.  I mean you
     could go for an exception, but you've got big problems, and
     people went to heroic measures to meet that.
               So, I'm not saying that we shouldn't do this.  I'm
     only saying that those statistics are going to change, and
     so, I think that, as a minimum, in the oversight process, I
     think the staff should look at what does it mean, for
     example, if you're to take that one up by a factor of five?
               MR. HOFFMAN:  We actually think the number of
     surveillances missed is going to go down, not up?  If you
     look at the 170 over that course of five years, think about
     that, many of those were discovered and reported as a result
     of Generic Letter 96-01, where plants went back and
     discovered that there were portions of their
     instrumentation, RPS and ECCS systems, they had not tested,
     and that constituted a fair portion of that population.
               I can't tell you exactly how many it was, but I
     think I could go back and get that information.
               But I agree with you, the statistics -- those are
     in the past.  They are only something that we utilized to
     give us some idea of where we thought we would be in the
               So, we tried to use those appropriately and went
     out to all the plants and talked to them about what do you
     find when this usually happens, and that was part of our
     data collection process, to determine the acceptability of
     such a proposed change, and given the fact that the NRC and
     the industry had also done this in 1987.
               CHAIRMAN SIEBER:  I think we're dancing around two
     issues here.
               One of them is that there appears to be some
     incentive for the erosion of the safety culture, because now
     things appear to be more lax than they used to be.
               MR. HOFFMAN:  Right.
               CHAIRMAN SIEBER:  To me, as an ACRS member, what
     happens to the safety culture is a concern and is indirectly
     related to safety, but it's a management issue, and I think
     that that's for the NRC and licensees to determine how they
     will manage that particular impact.
               There is another impact, though, that I wonder
     about a little bit.
               You know, adequate protection of the public health
     and safety depends and is based upon the compliance with
     essentially all the regulations and the license conditions
     for a plant, okay, and now we are saying that, you know, a
     license condition, the operability of the various safety
     systems of the plant are specified, and the way that you
     basically guarantee that you meet those license conditions
     is to perform surveillances.
               If, now, you have a blanket tech spec in Section 3
     that says, you know, here is some leeway in the performance
     of surveillances and we're going to base that on risk, where
     do we stand in the space of adequate protection of the
     public health and safety?
               DR. KRESS:  We're going to have that issue every
     time we talk about this.
               CHAIRMAN SIEBER:  Well, this is one of the
     problems with risk-informed anything.
               DR. KRESS:  Yeah.
               CHAIRMAN SIEBER:  You have to have a set of
     standards that say I'm in the right space here, and sooner
     or later, we're going to have to answer that question.
               MR. BRADLEY:  I think adequate protection would be
     increased by the approval of this, because what we're doing
     -- it is absolutely not the intent of this to allow willful
     missed surveillances or to at all increase the number of
     missed surveillances, and what we're dealing with here is
     just a paradigm shift from the previous history, being you
     shut down the plant -- that was your dis-incentive.
               Now we're moving to -- you have an oversight
     process that's looking at unavailability, and there's also
     very special provisions in that oversight process about
     willful violations.
               This is a missed surveillance.  It's not, gee, do
     I, you know, want to do this surveillance, and maybe, you
     know, it's -- it's a surveillance you discover is missed
     after the fact.
               CHAIRMAN SIEBER:  It's almost unthinkable to
     believe that any of them are willful.
               MR. BRADLEY:  The intent of this is to do the
     thing that's right in risk space, and that is to remove a
     plant transient as the result of what may be an
     insignificant missed surveillance.
               CHAIRMAN SIEBER:  Well, getting back to my remarks
     -- and maybe we won't need to talk about it or comment on it
     anymore -- the issue of safety culture and whether it's
     eroded or not is a management issue that the NRC and
     licensees need to deal with.
               The issue of adequate protection is troublesome
     from the technical standpoint, because you need to have some
               On the other hand, it's partially a legal issue,
     and the NRC can deal with that, too.
               I guess the third issue that pops out here,
     though, is are the tools adequate, what do you do to alter
     the failure rate if you don't do a surveillance, and I think
     that is our issue.
               MR. BRADLEY:  On the first half of your question,
     I think that's a very good question, you know, how do you --
     you know, is the tool adequate, and I guess, in my view,
     prior to (a)(4), I would have maybe had my own question
     about that.
               I think that is the tool and, in fall of this
     year, when that rule is implemented, you will have all the
     procedures in place to do this.
               Now, the mechanics of how you deal with the fact
     that you've missed this, whether you assume the component is
     unavailable or increase the failure rate or, you know, how
     you want to deal with that, that's the second issue I think
     you're raising, but in terms of the infrastructure, the
     procedures, and the process being in place to accomplish
     this, that will not be an issue as soon as the (a)(4)
     programs are in place.
               CHAIRMAN SIEBER:  I guess I'm just not familiar
     enough with what all the tools are and what infrastructure
     is in place, and maybe sometime in the future you could tell
               DR. KRESS:  I think the issue of adequate
     protection is a non-issue, because basically you could say
     it's meeting the rules that are in existence at the time,
     and if you change the rule, which is what we're doing,
     you're still providing adequate protection, because you're
     meeting the new rule.
               MR. HOFFMAN:  Absolutely.
               DR. KRESS:  I don't think it's an issue.
               MR. BRADLEY:  There's a little caveat on that
     definition, though.
               There's meeting all the rules plus -- and there's
     this other little sort of nebulous wording that goes with it
     that can be invoked.
               MR. HOFFMAN:  And there's some important
     information that needs to be brought to bear.
               When you look back, notice that we've been
     improving the technical specifications over the years.  Biff
     put up a slide this morning that talked about custom tech
     specs, standard tech specs, the improved technical
     specifications, NUMARC 96-01, a number of things that have
     been put in place that have constantly enhanced and improved
     that product and document, which is the means of ensuring --
     part of the means of ensuring public health and safety in
     that legal framework between the NRC and the licensee as far
     as a license in the Appendix A as the tech specs to it.
               But one of the things we did in ITS was we removed
     a number of the surveillances from the improved technical
     specifications which were deemed to be unnecessary to
     demonstrate operability, in addition to which we altered
     some of the surveillance intervals, because we determined
     that they weren't appropriate in the frequency which they
     were currently established, and if you go back to the very
     premise of surveillance interval establishment, which you
     all are probably more familiar with than most, in the early
     years, even back to the 1970s, a lot of that information was
     utilized by the NRC and the industry, from mean failure rate
     date information, LERs, manufacturer's recommendation, the
     time that plant could be in the condition, how long it took
     to perform the surveillance.
               So, the surveillance intervals themselves are not
     a science, if you will, and if you will notice, we have
     Initiative 5, which has two pieces, 5(a) and 5(b), and 5(a)
     is to remove the remaining surveillances which we feel don't
     demonstrate operability, and 5(b) is to relocate all of the
     surveillance intervals to a licensee control program to be
     evaluated by us to determine the appropriate interval, and
     if that occurred, then we wouldn't need SR 3.0.3, because
     we'd be evaluating that on a continuous basis anyway.
               So, I guess all I wanted to say, sir, is that we
     feel that what we're establishing here is not counter to
     public health and safety and not counter to the safety
     culture at the plant.
               CHAIRMAN SIEBER:  Well, I agree with Dr. Kress
     that it's following the rules that exist at the moment, and
     so, you're right.
               DR. BARTON:  The definition in here -- part of the
     previous slide -- "Any missed surveillance requiring a
     change in mode or plant conditions for performance would be
     performed at the first reasonable opportunity."
               Somewhere are we going to define a change in plant
     condition, because I can play games with that, too. 
     Anything I change other than where I am right now is a
     change in plant condition.
               Are we going to say something like, you know, less
     than 20-percent change in power or something like that?
               MR. HOFFMAN:  The way we're defining the plant
     conditions is a pure physical change, like into a mode or
     other specified condition such as core alterations, things
     of that nature, or not so much as to percentage power
               Now, for surveillance, as you know, we have some
     LCOs whose applicability are Mode 1, greater than 50-percent
               DR. BARTON:  Right.
               MR. HOFFMAN:  Well, I can go down to Mode 1, less
     than 50-percent power, and I leave the applicability -- the
     surveillance isn't even required to be performed, but yes,
     sir, to answer your question, our intent is to attempt to
     establish what that means, so it's not misused.
               DR. BARTON:  Thank you.
               MR. HOFFMAN:  You're welcome, sir.
               MR. BRADLEY:  Are there any other questions on
     Initiative 2?
               If not, we can move on to Initiative 3.
               CHAIRMAN SIEBER:  That will be fine.
               MR. BRADLEY:  Okay.
               MR. HOFFMAN:  Moving into Initiative 3, when we
     began to identify initiatives for the risk-informed tech
     spec task force, Initiative 3, like Initiative 2, at that
     time, was determined to be one of those ones which we felt
     was more of a policy issue than it was a risk-informed issue
     and it would have less risk insights than the majority of
     the other issues which we have determined already but
     possibly more, and I think that's the case than, say,
     Initiative 2 with SR 3.0.3.
               We currently have LCO 3.0.4.
               LCO 3.0.4 is the concept which is established in
     the technical specifications which states that you cannot
     change modes while relying upon the actions to satisfy the
     LCO.  The initial intent was that it was to preclude you
     from starting a plant up with inoperable equipment.  That
     was its initial intent in years gone by.
               Over the course of time and especially in 1987,
     Generic Letter 87-09, it was recognized that, in many cases,
     there was no reason to restrict the mode changes to allow
     the startup of the plant with certain equipment inoperable
     because of their impact on the overall safety of the plant.
               So, the NRC established, also again in Generic
     Letter 87-09, the allowance that you could change modes or
     relying upon the action statements for those equipments
     where the timeframe and the action was continuous; in other
     words, you were allowed continued operation such that, if
     you had an inoperable piece of equipment, that you were
     never required to change modes or leave the mode of
     applicability, you had some other compensatory action.
               In addition to that, the NRC has continued to
     establish, as they had before that, and expanded that
     thought process, there were certain LCOs whose uniqueness
     was such that LCO 3.0.4 could be not applicable or accepted
     in those particular cases.
               We went back and evaluated all of the current
     improved technical specification NUREGs, looking at all the
     different ones, and determined that, for the most part, the
     majority of those systems and components who had 30 days or
     longer allowed outage times had an individual LCO 3.0.4 not
     applicable allowance in the tech specs.  Many of the
     seven-day allowed outage times did, and some of the 24 hours
     and less did, also.
               But the unique thing that we found was that it was
     not all that consistent, and we found in some cases similar
     types of equipments from one owners group or one design to
     the next had the LCO 3.0.4 exception and the other one may
     not, and there was no immediate indication of what the
     rationale or reason may be.
               Now, as you know, in Generic Letter 87-09, the NRC
     required that the plant, when they were going to utilize the
     allowance to change modes, to start up the plant with
     inoperable equipment, while relying upon the actions -- and
     that's a very important premise of this -- had to do a plant
               That plant evaluation at the time obviously didn't
     include risk, but it was a plant evaluation nonetheless,
     where in many cases a subcommittee of the on-site safety
     review committee, PORC or whatever the name happened to be,
     did, in many cases, a pre-evaluation of the acceptability
     and/or an evaluation at the particular time before that
     allowance to change modes was granted, and with that
     information in hand, we went and talked to a number of P and
     BWR plants to try to bring that to bear and we utilized to
     determine what would be appropriate for TSTF 359.
               As we began developing TSTF 359, we talked to a
     number of plants to find out what kinds or problems had they
     experienced, and the types of problems they experienced at
     the systems that did not have the LCO 3.0.4 exception had in
     many cases caused them significant schedule problems, where
     startup -- where they were performing a major surveillance
     process or doing a major maintenance activity and they were
     almost finished but not quite and it was critical path and
     that, yet, they knew they were very close to being finished
     and could be done within the timeframe and wanted,
     therefore, to utilize that timeframe when they were
     proceeding up, that they had no reason to believe it
     wouldn't be operable and so on and so forth, much the way
     that -- well, I won't get into that right now.
               So, with that in mind, when we went to look at LCO
     3.0.4, we tried to decide, well, where is the appropriate
     cut-off point?
               Since we're already identified that the 30 days
     and longer almost all have an LCO 3.0.4 exception, since all
     of the allowed outage times that are continuous operation
     already, by definition, have a LCO 3.0.4 exception, where
     should the cut-off be?  Seven days?  Twenty-four hours?
               So, as we began looking at the systems and going
     down, it was somewhat arbitrary in our determination as to
     where we might be.
               We really realized that it was not so much the
     allowed outage time that should dictate what we did but the
     type of process we utilized to determine the acceptability
     of changing modes or relying upon the action to satisfy the
     limiting condition for operation.
               So, we chose in TSTF 359 to -- Initiative 3 -- to
     allow all LCOs the flexibility of changing mode, providing
     there is an appropriate management review and approval of
     the acceptability thereof.
               Now, I -- we're going to come to a moment -- to
     what those risk insights would be and how that would be
     done, and Mr. Schneider and Mr. Bradley are going to address
     that, but there's several important parts of this I want to
     bring to your attention.
               One, this is only acceptable if you rely upon the
     actions to satisfy the requirements of the LCO, which would
     mean that if you went into changing modes and to startup
     with a system that was inoperable, if that system's required
     action was for you to restore the system in seven days or
     shut down, that you only had that seven-day allowed time,
     that if you did not feel you could restore its operable
     status or finish whatever you were doing to ensure it was
     operable within that seven-day timeframe, prudence would
     dictate that you wouldn't want to start the plant up, get
     into Mode 1, only to discover that you didn't make it
     operable as you anticipated and then have to comply with
     your action and shut right down again.
               So, we have tried to stress that in the TSTF 359,
     explaining in the process, one, the significance of
     complying with the actions; two, ensuring that you know the
     status of what you believe will be able to be determined in
     that timeframe so that plants don't inappropriately start up
     with equipment that's inoperable when they are not in a
     position to be able to restore it in that timeframe.
               So, with that, I was going to then allow you to
     discuss some of the risk things, unless you all have some
     questions about the particular proposed TSTF.
               MR. SCHNEIDER:  I'm Ray Schneider from the ABB/CE
     owners group.
               The presentation was prepared by myself and Dennis
     Henke from San Onofre.
               As Don discussed, we went through the background
     of the Initiative 3.  I think I'd like to go into purpose
     from our perspective and just kind of summarize some of the
     key points.
               The intent here to modify the LCO 3.0.4 so that
     you can allow the entry into specific modes, generally going
     up in power, into the higher-mode action statement when the
     tech spec components or trains are inoperable, but the
     expectation is that the entries are expected to generally be
     individual entries where entry is limited to a low or
     negligible incremental plant risk.
               In many cases, the risk will actually be offset --
     any of the operational risks will actually be offset by the
     benefits of going to the desired mode, and this is
     particularly true of going from Mode 5 to Mode 4, and the
     expectation is you don't enter this unless the component
     train that you've entered it for is expected to be reparable
     in the time allotted.
               A little bit about the history basis, as was
     reviewed by Don, so some of this is repetitive.
               Mode change restraints really provide the -- were
     intended to provide the design basis -- provide that design
     basis is met prior to mode entry, and for the CEOG, about
     half of the existing tech spec equipment is already not
     subject to mode change requests, mode change restraints.
               Most of the existing mode change restraints may be
     removed without significant contributions to plant risk. 
     We've looked at a number of the AOTs that are involved, and
     they have -- because of the duration and significance of the
     component, the impact of the mode change restraint removal
     for the duration will generate very low risk values or low
     impacts of core damage probability.
               CHAIRMAN SIEBER:  Is that instantaneous or
     cumulative risk?
               MR. SCHNEIDER:  Over the period of the AOT --
               CHAIRMAN SIEBER:  Instantaneous.
               MR. SCHNEIDER:  Instantaneous.  But it's
     integrated over a small spike.
               CHAIRMAN SIEBER:  What do you assume for the
     purpose of the PRA the operability or availability of the
     equipment is?
               MR. SCHNEIDER:  Unavailable.  I mean just
               CHAIRMAN SIEBER:  Okay.
               DR. KRESS:  Do you have a criterion for how big
     that integral can be before you say it's significant?
               MR. SCHNEIDER:  Well, we'll give you the
               The tech specs are typically designed -- and it's
     in Reg. Guide 1.174 -- 1.177 -- it's typically designed such
     that a typical one component out of service at power should
     generally have a risk number less than about 5 times 10 to
     the minus 7th for that full AOT.
               In here, as we'll talk about, you're generally
     going up in the modes from cold conditions, the amount of
     decay heat is a lot lower, the amount of time to respond is
     a lot greater, the amount of equipment needed is generally a
     lot less.
               So, even for the more important equipment, you're
     probably dealing with something of the order of 10 to the
     minus 7th, the lower 10 to the minus 7th range, and for the
     less important equipment, you're probably dealing with stuff
     that could actually be, if you, you know, go through the
     calculations, something of the order of 10 to the minus 8th
     and 10 to the minus 9th for the interval, because remember,
     you're restricted by time, you're restricted by significance
     of the component, and you're restricted by the number of
     things that you're allowed out of service during these
     things, because you're not -- this is not meant to be a --
     the intent to basically schedule all your maintenance during
     this period.  I mean it's just basically for those one or
     two items that somehow got caught.
               MR. BRADLEY:  At the risk of sounding like a
     broken record, again, this is a perfect fit with the (a)(4)
     guidance, because you basically have an equipment out of
     service, you're coming up in mode, and you're going to have
     to -- there is in the (a)(4) guidance ICDP numbers, and
     there are also discussion of aggregate risk, and this is
     like any other equipment of service condition.
               You're going to have to manage all your other
     maintenance activities around it and meet those guidelines
     that are in the reg. guide, and the number is -- are
     generally consistent with Reg. Guide 1.177 that Ray was
     talking about.
               CHAIRMAN SIEBER:  The number that you choose is
     whatever the company decides to choose, right?
               MR. BRADLEY:  Well, no.  There are guidelines --
     we don't have hard criteria in the reg. guide on (a)(4), but
     there are guidelines, and basically if you're using some
     other number, we don't expect people to be using other
     numbers, and if you are, you're going to have to justify why
     that number is appropriate.
               I do think that, if you look back at the (a)(4)
     guidance, you'll see all the things you need to consider
     here that Ray is talking about, including the criteria.
               MR. SCHNEIDER:  For the case of mode restraints,
     you're generally dealing with one, typically, or possibly a
     couple of discrete components, so that it's not quite as --
     there's not quite -- there's an interaction among a number
     of the systems, and the guidance that initially generated
     the tech spec allowed outage time will already ensure a very
     low risk.
               DR. KRESS:  I guess the answer to my question was
               My question was do you have a number for deciding
     when that interval is significant or not, and I didn't hear
     a number come out.
               MR. SCHNEIDER:  I think, order of magnitude,
     there's probably a fuzzy line when you start crossing 10 to
     the minus 6 that you have to start doing -- looking at it a
     little more carefully.
               DR. KRESS:  Ten to the minus 6 might be in that
     sort of an ad hoc --
               MR. BRADLEY:  Ten to the minus 6 delta ICDP.
               Remember, this will be governed by (a)(4). 
     Whatever you do in this isn't just what tech specs, but
     (a)(4) is also going to govern whatever you do here.
               DR. KRESS:  What that does is changes the delta
     risk you would have got because of all these other
     provisions you have to put on it.
               MR. BRADLEY:  Right.
               MR. SCHNEIDER:  But there are other ancillary
     issues, and as we'll talk about in a minute, there are
     instances where the target mode actually will be a
     lower-risk mode than the mode you're in.
               So, the equipment unavailability is dwarfed by the
     fact that you may be going to a mode with more heat removal
               And then one other bullet I probably should talk
     about is the fact that, in the past, they found that
     relatively risk-negligible component being out of service
     have caused several-day delays in plant startup, has cost
     utilities millions of dollars, with no risk benefit to the
     public and no risk benefit to anyone, just basically a net
               The expected -- go to the next slide.
               It's not part of the presentation, but just to
     give you a rough idea of mode impacts, for one of the other
     initiatives, Initiative 1, which looked at end state
     impacts, we did an analysis of the relative risks of being
     in various mode end states for various different -- we
     looked at actually five-and-a-half or six modes, two
     different kinds of Mode 5's, one with a vented condition, we
     may have to vent for containment spray backup, and what you
     can see is that, as you move from different -- as you move
     into different modes, like Mode 5 vented, Mode 5 un-vented,
     or Mode 4 in shutdown cooling, you'll see risk reductions,
     and as you go into Mode 4 on aux feedwater, where you both
     have shutdown --
               DR. APOSTOLAKIS:  Let me understand what that
               First of all, can you read the horizontal axis,
     because I can't read it.  What does it say?  Mode 1?
               MR. SCHNEIDER:  Okay.  Mode 1, yeah, starts --
               DR. APOSTOLAKIS:  Why don't we give him the
     portable mike so he can stand up and point?
               MR. SCHNEIDER:  This work was initially done for
     the Initiative 1 for the mode end states, and the CEOG and
     Southern Cal looked at some representative modes for a
     representative plant, and what we've looked at is the
     relative risk to being in Mode 1 operation, Mode 2, initial
     low-power operation, Mode 3, initial shutdown, Mode 4, when
     you have -- on AFW, where you have both AFW available and
     the ability to get onto shut-down cooling, Mode 4, when
     you're already on shut-down cooling, and Mode 5, un-vented,
     which is also basically a shut-down cooling mode, and then
     Mode 5, where you vent for the capability of doing -- of
     having your containment sprays as backups, and these are the
     various kinds of modes.
               DR. APOSTOLAKIS:  But again, the title says
     transition risk mode.  There is nothing that's transitional
               MR. SCHNEIDER:  Right.
               DR. APOSTOLAKIS:  This is the risk being there.
               Now, is it possible that, when I go from 4 to 5, I
     have a spike in between?
               That's the whole point of all these human
     manipulations that are required.
               So, it seems to me calling it transition is a
               MR. SCHNEIDER:  It's a discussion that --
               DR. APOSTOLAKIS:  Different states.
               MR. SCHNEIDER:  What SONGS did when they did the
     analysis is -- right -- there is a portion of this that does
     represent the transition of going from -- going into
     shut-down cooling itself, but even if you subtracted out
     that portion, you would have the shut-down cooling mode
     higher than the aux feedwater mode primarily because you
     don't have the steam generators from heat removal, the same
     basic dependencies.
               The levels change a little bit, and -- but you're
     right, this was initially developed for going the other way.
               This was initially developed when we were looking
     at the issue of which mode do we want to be in when we're
     moving down from power, and then you look at the effect of
     the transition and the effect of the mode, and what we found
     was basically the effect of the transition is not large as
     you go down to about -- aux feedwater -- it's the order of
     10 to the minus 6th.
               What you're really seeing here are the mode
     changes and the changes in equipment availability or the
     loss of equipment as you go down from various modes, with
     aux feedwater being a relatively reliable feed source at
     lower power or at shutdown and the fact that you have
     turbine-driven aux feed possibility, and here you have the
     ability of steam generator heat removal as well as, if an
     event occurs, you could always move down to shut-down
               So, one way of viewing this is basically that --
     is the number of residual core heat removal capabilities and
     the reliability of the heat removal capability, but
     generally going from Mode 5 to Mode 4, you're picking up
     your steam generators to be able to remove heat, you're
     getting a potentially independent source of heat removal by
     getting the turbine-driven aux feedwater pumps more
               So, that contributes to the risk.
               The absolute levels are representative, and again,
     they were generated going the other way, down, where there
     is a transition spike in this one, primarily in this region,
     and there is a different kind of spike due to going into a
     vented condition here, but the typical kind of transition
     you're going to end up seeing is a transition from Mode 4 on
     shut-down cooling or Mode 5, un-vented, to Mode 4 in
     shut-down cooling, then you get off the LTOPS, and
     ultimately you'll be going down to aux feedwater, Mode 4 in
     aux feedwater, and the types of incremental risks that
     you're picking up by having the equipment out of service are
     of the order of less than 1 times 10 to the minus 6th.
               DR. APOSTOLAKIS:  Now, we don't know that, because
     those equipment may affect the transition itself, which we
     have not quantified.
               MR. SCHNEIDER:  The main components that we're
     expecting to be used -- we have already -- okay, we'll talk
     about it in a minute, but what we will do is we will
     subtract out the high-risk components in the various modes.
               We'll look at what makes this mode safe, what
     equipment is needed to make this mode safe, what pieces of
     equipment are needed to make this mode safer, and those
     wouldn't be allowed to be out of service as you moved into
     the new mode, but there's a large amount of equipment that
     really has no direct impact on the heat removal capability
     and the potential trip capability, and those won't have any
     interaction with the modes per se, and those are the order
     of 10 to the minus 6.
               So, we will first screen out the important
     equipment mode to mode.
               DR. APOSTOLAKIS:  So, you're talking basically
     going from 5 to 4 and from one 4 to the other 4?  Is that
     really what we're talking about here?
               MR. SCHNEIDER:  Most of it.  The bulk of the
     transitions are going to be in this direction.
               DR. APOSTOLAKIS:  From 4 to 4.
               MR. SCHNEIDER:  Actually, it will be 5, un-vented,
     to 4.
               DR. APOSTOLAKIS:  And then what happens?
               MR. SCHNEIDER:  Then, basically, that takes you --
               DR. APOSTOLAKIS:  Then you fix it.
               CHAIRMAN SIEBER:  Let me ask a question before it
     escapes our attention here.
               This chart looks like it's laid out with regard to
     going from full power to cold shutdown.
               MR. SCHNEIDER:  Right.
               CHAIRMAN SIEBER:  If you drew the chart from cold
     shutdown up to full power, which really matches your
     Initiative 3 --
               MR. SCHNEIDER:  Right.
               CHAIRMAN SIEBER:  -- would it be the same chart
     upside down?
               MR. SCHNEIDER:  No.  There would be a few
     differences.  There's a transition that occurs here.  This
     would be lower because of the transition going this way to
     get -- which causes your plant to basically realign itself
     onto shutdown cooling, and it's less likely you'll run into
     the problem on the way down.
               CHAIRMAN SIEBER:  Have you done the heatup/startup
     set of charts?  Have you performed those in support of
     Initiative 3?
               MR. SCHNEIDER:  We've qualitative looked at the
     issues and the insights gained from doing this analysis.  We
     haven't generated a full set of new numbers, because what
     will happen is all the numbers will be depressed because
     you're starting with much lower power levels.
               CHAIRMAN SIEBER:  Right.
               MR. SCHNEIDER:  So, what you'd see is
     qualitatively the same.
               We felt that the qualitative insights to identify
     the key components, you know, are valid, and any additional
     quantification wasn't deemed necessary for this level of
     evaluation because of the low relative risks involved in
     getting into the mode.
               CHAIRMAN SIEBER:  Well, it would help me, I guess,
     if I actually saw a chart that showed what Initiative 3 is
     talking about, which is starting up, along with some
     analytical work that showed the risk increment associated
     with having a mode restraint removed for a few pieces of
     equipment who had importance measures that said they were
     significant to risk.
               Then I'd be able to tell whether this is a good
     idea or not.
               Has that kind of work been done?  Can you tell us
     about it?
               MR. SCHNEIDER:  What we have done -- maybe we'll
     go to the next slide.
               What we did do is we looked at components that
     weren't important -- okay, two things.
               Let me start off -- the expected use is, again,
     for infrequent -- generally the low-risk components and for
     short-duration repair, so that infrequent will basically
     mean that, if you integrate it out over a long period of
     time, you're not going to have a large accumulated risk,
     because this isn't going to happen very often.
               The low-risk portion is that we're only going to
     enter this -- if it's a high-risk component, we're not going
     to enter it without doing a detailed risk evaluation to find
     out why the system is inoperable.
               So, we will identify certain systems where we're
     not going to be using this tech spec unless a full risk
     assessment is done where we look at the mode we're in and
     the mode we're going to, and then the short-duration repair
     controls the amount of accumulated risk you could have in
     that rectangle.
               CHAIRMAN SIEBER:  And why is accumulated risk
     important, as opposed to instantaneous risk?
               For example, I could have a CDF of .9 for 15
     seconds, and I wouldn't want to be there.
               MR. SCHNEIDER:  Right.
               With the short-duration repair, what we're talking
     about is -- you're still doing the integral, but the
     integral is only over like three days.  So, it's still a
     small accumulated risk in this case, but it's really the
     integral risk over the time you could have the equipment out
     of service.
               CHAIRMAN SIEBER:  Okay.  But the instantaneous
     risk gives me more risk insight than cumulative risk.
               MR. SCHNEIDER:  Well, this is the instantaneous
     risk times the duration.
               CHAIRMAN SIEBER:  Right.
               MR. SCHNEIDER:  Yeah, I see what you're saying,
     but we're not going to enter this with high-risk components
     to begin with, and for example, the types of situations that
     have occurred or that may be more likely are like one
     inoperable containment spray has happened in the past, and
     for most of our plants with diverse and redundant
     containment heat removal capability, with fan coolers and
     containment sprays, the impact of one train inoperable is
     negligible and is in the order of a 10 to the minus 9th kind
     of value and doesn't have any substantial LERF impact, as
     well, and that's when you look at the -- even the at-power
     risks associated with this component, as opposed to the
     risks that would be when the decay heats are much lower.
               One SIT unavailable might be a reason for a short
     time to basically --
               DR. APOSTOLAKIS:  What's SIT?
               MR. SCHNEIDER:  Safety injection tank accumulator,
     something like that, or possibly some filter or HVAC systems
     having some inoperability or some containment penetration,
     valve closure maybe not being completed or some MOVAT test
     not being done, but there's a lot of very low-risk issues
     that can develop.
               DR. APOSTOLAKIS:  So, these will be identified in
     advance or the analysis will be done -- yeah, we discussed
               MR. SCHNEIDER:  Okay.  Typical risks are going to
     be low.  Risks will even be lower because they'll be during
               But what we're recommending, kind of --
               DR. APOSTOLAKIS:  Okay.  This is good.
               MR. SCHNEIDER:  Okay.
               What we're recommending is a risk-informed
     administrative control where -- not necessarily -- you're
     not going to look at necessarily all the -- you're not going
     to identify all the lower-risk stuff and basically catalog
     it, but you're likely going to identify all the higher-risk
     stuff at the various modes to recognize the stuff you should
     be concerned about.
               So, you identify those that are big contributors
     to safety, basically, and you hold those to one level of
     importance, and typically, what we'll find is that, in Mode
     4, AFWs and -- aux feedwater pumps and diesel generators are
     going to be extremely important, and you wouldn't do
     anything with this equipment without a clear risk
               DR. APOSTOLAKIS:  Let me understand this.  1.174
     deals with permanent changes to the licensing basis.  What
     does it have to do with this?  This is a temporary thing,
     isn't it?
               MR. SCHNEIDER:  Exactly.  When we talk about tech
     specs, there's always a question -- because we're changing
     the tech spec, is that permanent or is it temporary?
               DR. APOSTOLAKIS:  But you will not know what kinds
     of equipment may be out.
               It seems to me that this is wonderful for someone
     like Southern California Edison that will have this -- that
     has this monitor that they can do these calculations
     quickly. What will the other guys do?  Do you have lists of
               MR. SCHNEIDER:  Well, yes, essentially.  We'll
     expect that what will happen is the plants that basically
     have risk matrices or other methods of dealing with risk --
     you still a priori -- like the COG will identify the
     higher-risk components for the group in the various modes,
     and then, once those are identified, the remaining
     components will be confirmed to be low-risk.
               DR. APOSTOLAKIS:  Now, is this consistent with the
     new oversight process that tells you to worry about
     initiating events, the integrity of the primary system, and
     so on?  You're talking in terms of CDF here, but the new
     oversight process identifies other cornerstones, as well.
               MR. SCHNEIDER:  What we really should be doing is
     talking about a risk-informed process that looks at is the
     action you're going to do, the trip initiator, consistent
     with (a)(4)?
               Are you doing anything that's going to basically
     breach a barrier?
               It's a process.
               I think that we've got to be careful that it's not
     just -- you're not running by the numbers.
               What you're doing is you're getting an
     understanding of where you are, what's important to what --
     why the components that aren't important aren't.
               DR. APOSTOLAKIS:  I'm a firm believer of rewarding
     somebody who has done some good.
               Would Southern California Edison have an advantage
     over the other people?
               MR. SCHNEIDER:  They would be able to do this,
     because they can do these assessments -- they can deal with
     the higher-risk components, because they could do a full
     assessment of the risk at lower modes, while the other ones
     would basically have to say -- they may not be able to do
     it, because they may not -- if they don't have a shut-down
     analysis, they may not be able to say, well, for the real
     high-risk stuff, they have to take a conservative -- maybe a
     more conservative approach.
               So, the better your models, the more robust your
     models, the more flexibility you have in making a decision. 
     It's a decision process.
               MR. DENNIG:  George, the answer that we've divined
     from previous conversations on this subject is that someone
     like Southern California Edison can maneuver in all of their
     specs, mode changes, they'll have that capability to do an
     adequate assessment.
               Other folks are going to rely on pre-analyzed
     situations.  That's it.  That's all they got.  Anything
     falls outside of that, sorry, you can't do it, you don't
     have that flexibility.
               DR. APOSTOLAKIS:  And that should be made very
     clear, I think.
               MR. DENNIG:  I think that was the feedback that we
     gave at the last meeting, and I think that's being cranked
     into the next proposal.
               DR. APOSTOLAKIS:  Okay.
               MR. SCHNEIDER:  And so, in addition, we expect
     that multiple simultaneous mode entries will also be
     restricted, because you basically want to control the risks
     that you're dealing with, particularly for -- the only
     plants that are more robust, have more flexibility in
     dealing with some of these specific items, but it will be
     more defined for those that have less robust methods.
               Compensatory contingency actions to expedite
     repair, control risk, commensurate with what seems to be the
     level of entry, of the level of risk, will also be put in
     place to make sure that this is all being done prudently.
               A lot of this stuff is already embedded within
     (a)(4), we believe, that (a)(4) requires that you really
     understand the risk picture of your plant at all modes, and
     you shouldn't be taking action without -- and equipment out
     of service without really understanding what the impact is,
     and in addition, there will be a tracking process to
     identify if this is being repetitively entered or abused.
               DR. APOSTOLAKIS:  When do you decide it is abused? 
     Maybe we're asking for too much quantitative input here, but
     at which point do you decide that something is abused?
               MR. SCHNEIDER:  The expectation is it's not going
     to be.
               I mean the thing is --
               MR. BRADLEY:  This is a little different from
     missed surveillances.
               Missed surveillances is clearly something where --
     you don't want to miss surveillances, but in the event you
     do, you want to do the smart thing, which may not be to shut
     down the plant, and I think here we are looking for more
     operational flexibility.
               I don't view this as something that would
     necessarily be abused, you know.
               As long as you're doing this within the
     constraints of your (a)(4) process and you're managing the
     risk, you're not abusing it, whereas with missed
     surveillance, I'd say yeah, you know, if you're routinely
     doing that, that is wrong, that is not the intent of what
     we're doing, but here, given -- you've already got 3.0.4
     exceptions on over half the LCOs in tech specs.
               CHAIRMAN SIEBER:  There is a limit on the risk
     duration because of the LCO.
               DR. SEALE:  Could I ask the staff, perhaps -- have
     you thought about -- would there be appropriate performance
     indicators that would come out of concerns for the number of
     these actions or the duration of them that might be added to
     the surveillance process to help you keep tabs on any
               MR. NEWBERRY:  We don't have the experts in that
     program here, but having met with them last week -- Scott
     Newberry, staff -- and asked similar questions, I'll try to
     formulate an answer.
               Most of these issues, including missed
     surveillances, as indicated before, would end up in the
     corrective action program.
               DR. SEALE:  Okay.
               MR. NEWBERRY:  That seems to be an answer to many
     of these issues, it goes into the corrective action program.
               My understanding is that there are no performance
     indicators coming out of the corrective action program, but
     it will become a very important emphasis of the
     risk-informed baseline inspection, so that every plant will
     have their corrective action program, which is judged to be
     very important, inspected regularly as part of that program.
               Insights from that would, you know, be fed into
     the significance determination process, as I understand it,
     such that issues that are significant would be given the
     proper perspective, which I think is a better situation than
     where we were.
               CHAIRMAN SIEBER:  The CAP program, though, as I
     understand it, and the baseline inspection is still a
     sampling of 20 percent and was done by the resident, right? 
     And so, it's not comprehensive.  It can give you some idea
     of the extent to which the CAP covers many thousands of
     items that pass through it in a given year, but I don't
     think that it will capture discrete numbers of these mode
     changes or missed surveillances, because they represent such
     a small part of the overall CAP content.
               Nonetheless, you are relying, in a lot of cases,
     on CAP as the overall system to make corrective actions
     within the plant, as opposed to writing violations and
     keeping your own tracking lists and doing that kind of
               Are we ready to conclude?
               MR. SCHNEIDER:  Okay.
               Implementation of this -- of the risk-informed
     mode restraint action is basically -- we believe is a first
     small step towards the development of a risk-informed tech
               It's beginning to provide some degree of
     flexibility for the plant to make risk-informed decisions
     and take control a little bit of its operation, a little bit
     more of its operation, ensures the risk -- it will ensure
     the risk of the plant operation is appropriately managed, as
     well, and this is consistent with what (a)(4) would be
     requiring, as well.
               It allows limited flexibility with controls for
     the plant staff to perform and make its risk-informed
     decisions, as we just said, and we believe it's consistent
     with performance-based oversight process.
               So, we believe this is a really good first step of
     being able to have the plant basically review its own risk
     status and make risk-informed decisions to basically operate
     in a risk-informed manner.
               CHAIRMAN SIEBER:  Could I ask the staff if they
     have any comments?
               MR. DENNIG:  Certainly.
               To say where we are on these two issues, we have
     had them in for review, a formal review, and we have
     provided questions back on both issues and then met to
     discuss the answers to those questions -- that was just
     fairly recently -- and in that meeting provided some
     feedback on both issues.  Let me try to characterize what
     that feedback was.
               On Initiative 2, the staff emphasized the need for
     specificity in the decision-making process that would be
     used to assess the risk of a missed surveillance requirement
     involving such issues as use of important measures, a screen
     process that utilizes PRA or (a)(4) processes, alternative
     qualitative methods for surveillance requirements that are
     not modeled in PRA, and the fact that a missed surveillance
     requirement of significance requires a licensee to take the
     safest course of action.
               As part of our comfort level with Initiative 2, we
     are pointing to the oversight process wherein, as we've
     discussed previously, missed surveillances will be put in
     the corrective action program, there is a continuous
     operability determination that's incumbent on licensees
     under technical specifications, and that failed/missed
     surveillance requirement is reportable and evaluated using
     the significance determination process.
               We think we're making good progress on Initiative
     2, and we're looking forward to look at the revision and
     think that we may be able to move forward on that.
               MR. REINHART:  I'd just add two points to what Bob
               I agree we're in general agreement.
               I think, based on the comments today and just what
     we've talked about before, we need to reiterate our look at
     the adequacy of the model, just have to reiterate that
     that's an important point and reiterate that we need to
     understand fully the capability and the meaning of the
     development of the risk of the reduced reliability for a
     missed surveillance and how sensitive that shows up to us.
               MR. DENNIG:  Quickly, on Initiative 3, in
     comparison to Initiative 2, we think that the PRA
     capability, requirements, are more than for Initiative 2,
     and we discussed at some length the need and the ability to
     assess system importance in all modes.
               I believe that the owners groups are going to
     provide a qualitative PRA basis for some generic level of
     maneuvering that will apply to most plants.
               Again, in line with my answer to George before, if
     you want to have more flexibility to make mode changes, you
     have to have more PRA capability, and individual plants will
     be able to establish that they have a capability beyond the
     de minimis to do certain mode changes.
               And then, as -- from an oversight perspective,
     (a)(4), when it kicks in, is going to require evaluation of
     the acceptability of mode changes, and there's a level of
     oversight on that (a)(4) process that we'll rely on to
     ensure that this is being done appropriately.
               And again, I think the industry is in process of
     providing another iteration, and again, I think we're making
               MR. REINHART:  I would add on issue 3 that, when
     we talk about a qualitative analysis, we need to understand
     exactly what do we mean by a qualitative analysis, that we
     actually manipulate and use a plant-specific model to get
     and apply the insights that are required.
               CHAIRMAN SIEBER:  Is there any other comments?
               [No response.]
               CHAIRMAN SIEBER:  What I'd like to do now is to
     break for lunch.
               After lunch, we will review Initiatives 1, 4, 5,
     6, and 7.
               So, why don't we return at one o'clock?
               So, at this time, we'll break for lunch.
               [Whereupon, at 12:08 p.m., the meeting was
     recessed, to reconvene at 1:00 p.m., this same day.]
                   A F T E R N O O N  S E S S I O N
                                                      [1:01 p.m.]
               CHAIRMAN SIEBER:  I'd like to reconvene the
     meeting for this afternoon's session.
               This afternoon, we're going to briefly discuss
     Initiatives 1, 4, 5, 6 and 7.
               I also notice that I have more slides than we had
     slides shown.
               So, if there are any pertinent parts of your
     presentation from this morning that you would like to give
     us briefly or reiterate anything, this would be a good
     opportunity, during this afternoon's session, to do so.
               Following the discussion of the other five
     initiatives, we will have a general discussion of the
     committee concerning our comments, because I do plan to at
     least prepare a draft letter for the May 11th meeting.
               The full committee will meet on May 11th from 8:30
     until 10 for an hour-and-a-half to discuss this same issue
     for additional discussion with the full committee.  Turns
     out that, between the two subcommittees, we have the full
     committee minus two members.  So, the presentation, unless
     we think of new things over the next 10 days, should be
     easier than this one.
               DR. KRESS:  Will the main committee focus on just
     Initiatives 2 and 3?
               CHAIRMAN SIEBER:  Initiatives 2 and 3.  I think
     all of us are enough up to date on risk-informing technical
     specifications that we do not need a lot of background
     information on that.
               I would rather concentrate on the issues at hand
     rather than go through everything at that time.
               On the other hand, the presentations that you gave
     today were a good refresher for me and, I'm sure, for all of
     the members here.
               With that, I'd like to ask Biff Bradley if he
     would lead this afternoon's discussion.
               MR. BRADLEY:  Sure.
               First of all, with regard to the excessive
     presentations that you noticed that we didn't give this
     morning, we had to do some last-minute planning for this
     session, and we ended up sort of duplicating some
     presentations, so we just chose not to give the one I think
     you're referring to, and I don't believe, speaking for
     myself, that there is any point in that that was missed or
     that we need to bring up this afternoon, but it's just
     informational, and it's basically -- it's very similar to
     the presentation that was given at the previous ACRS meeting
     back in December of last year, I believe, and our intent
     this afternoon was really just to give a pretty high-level
     overview of the status of the other initiatives.
               That was our understanding of what we were going
     to do given the time.
               CHAIRMAN SIEBER:  Right.
               MR. BRADLEY:  So, Don Hoffman is going to lead
     that discussion and just give us a brief status and schedule
     and plans on the remaining initiatives.
               CHAIRMAN SIEBER:  I did want to give you the
     opportunity to fill in anything that you felt was missed,
     that you might want on the record, and since there are no
     things, we can continue on with Mr. Hoffman's presentation.
               MR. BRADLEY:  Thank you.
               CHAIRMAN SIEBER:  Thank you.
               MR. HOFFMAN:  Certainly, sir.
               As you said, we were going to give you an overview
     and status of Initiatives 1, 4, 5, 6, and 7, and what we're
     just going to do is describe what the initiative is and
     maybe say a word or two about it and then tell you where we
     are and what we're doing in our current schedule and see if
     you or the -- I believe the staff is very well aware of this
     -- see if the NRC staff has any comments on that.
               Initiative 1, as you know, is referred to end
     states, often called safe end states, but it's the
     initiative which is making a determination as to what the
     appropriate end state is to go to when you have a level of
     degradation that would tell you to leave the mode of
     applicability of a particular LCO, and you will recall that
     from our presentation December 16th.
               We currently have a technical justification for
     the risk-informed modification to selected action end states
     document which has been completed by the CE owners group and
     was distributed on March 17th.
               The other three owners groups and the TSTF and
     RITSTF are currently reviewing that to determine the
     appropriate level for each of the other owners groups to
     perform in addition to what CEOG has done so that we can
     provide a consistent approach and come back to the staff
     telling them what we will provide.
               Our current schedule for doing that is by the end
     of May, with the CEOG and TSTF developing a CEOG traveler to
     go out for review concurrently, also at the end of May, with
     the intent of providing a TSTF to the NRC sometime by the
     end of June of this year, 6/30/00.
               I'm not hearing any comments.  I'll move on to
     Initiative 4.
               Initiative 4 has two portions, 4(a) and 4(b), 4(a)
     being individual risk-informed allowed outage times, which
     is actually an ongoing effort where the tech spec task force
     and the other owners groups are continuing to develop
     proposed changes to individual AOTs and groups of AOTs with
     both deterministic and risk insights.
               The owners groups are continuing to work together
     to share information and provide for generic applicability
     where possibility, but we're continuing that effort in
     several parallel paths.
               So, the risk-informed tech spec task force will
     continue to interface with this process to ensure maximum
     generic benefit, but we currently don't have a specific date
     for the Initiative 4-alpha.
               Initiative 4-bravo is the risk-informed allowed
     outage times with the configuration risk management programs
     and maintenance rule (a)(4)-type back stops, is a term
     that's been used quite often.
               We're still working as our risk-informed tech spec
     task force with the TSTF and the other owners groups to
     determine the best course of action utilizing the risk
     management process and maintenance rule (a)(4) as a basis,
     and currently, we're scheduled to determine this course of
     action and set the process in schedule by July so that we
     could advise you, the NRC, at that particular time what we
     will be doing.
               The CEOG, along with the risk-informed tech spec
     task force, currently plans to submit a 4-bravo pilot
     sometime in December of this year, with the other allowed
     outage time extension sometime after the first of the year.
               Concurrent with that, EPRI is working with
     Westinghouse owners group and portions of the risk-informed
     tech spec task force to issue what they call a risk-informed
     tech spec report that current is scheduled to come out in
     September of 2000.
               So, on the 4-bravo portion, we're still
     identifying our specific course of action.  As I said, we
     should be letting you know sometime in July the specifics of
     our course of action and the schedule for that course of
               DR. SEALE:  In your slides here, going through the
     package you had that had 4 listed in it, you talk about a
     not to exceed time limit as being the basis for essentially
     the 4(b) decisions.
               Any rationale for that not to exceed that you guys
     are coming up with that you want to talk about now?
               MR. BRADLEY:  Well, the obvious one would be your
     maintenance rule unavailability target for the component,
     would be the not to exceed.  That's the initial thinking on
               MR. SCHNEIDER:  You need a not to exceed not so
     much for risk, also, but also for -- just to make sure that
     plants should be returned to a design basis in a fixed
     amount of time.
               So, there's reasons for having it.
               DR. SEALE:  Okay.
               MR. HOFFMAN:  If there are no further questions,
     then I'll move on to Initiative 5.
               Like Initiative 4, Initiative 5 also has two
               5(a) -- I think we mentioned this this morning --
     5(a) is to relocate surveillance requirements which are not
     related to safety.
               During the development of the improved technical
     specifications and the conversions from the old standards to
     the ITS NUREGs, we identified a number of surveillances that
     were not appropriate to be retained in the technical
     specifications, and they were eliminated appropriately.
               However, there were some that we were not
     successful with at that time, and we didn't go after them
     all as a particular group.
               As a result, we have gone back and re-evaluated
     that, looking through each of the sections to determine if
     there are surveillance requirements either in individual
     LCOs as a individual SR or as a group of surveillance
     requirements which we feel are not -- do not demonstrate
     operability but, rather, are there for other requirements
     such as reliability, availability, and something of that
     nature, and as a result, we are pursuing that under 5(a).
               As I said, the tech spec task force identified
     some individual SRs and groups of SRs as candidates, and
     we're going to be pursuing those.
               It's our intent to provide a traveler, a TSTF, to
     the NRC to address 5(a) in November of this year.
               MR. NEWBERRY:  Don, my understanding of what you
     just said there is, in your view, 5(a) is really not a
     risk-informed initiative, it's more of a scope initiative.
               MR. HOFFMAN:  Yes, sir, that's true.  Like
     Initiatives 2 and 3, it has less risk insight than the
     majority of them.
               We were going to exercise some risk insights as to
     the acceptability of taking those SRs out of the tech specs.
               Now, many of them in reliability and availability
     space, like, let's say, for the diesel generators, would
     only be relocated and probably retained in either a
     maintenance rule-type procedure or in maybe a diesel
     generator reliability program.
               So, they won't be eliminated in their entirety;
     they just won't be a part of tech specs requiring us to
     consider operability when they're not impacted.
               But yes, sir, your point is well taken.  This is
     not a purely risk initiative by any stretch.
               The second portion of Initiative 5 is 5(b), which
     is relocated surveillance test intervals to licensee
               We had -- in 1999, one of the owners groups of the
     tech spec task force had developed a traveler and a process
     to try to identify a means by which selected surveillance
     test intervals could be relocated to licensee control.
               We have now looked at that on a more global basis
     and are currently developing a basic program for licensee
     control of all the STIs and working with the utilities to
     finalize supporting information for such a process, and then
     we'll be working with the PRA folks to get risk insights to
     support this particular activity, and currently, we're
     scheduled to provide a TSTF to the NRC sometime in early
               And if I'm not clear, a TSTF is called a tech spec
     task force traveler.  It's just a colloquial term for a
     traveler which proposes a change to the ITS generic NUREGs. 
     I wasn't sure if I'd been clear.
               DR. UHRIG:  Let me ask a question here.
               MR. HOFFMAN:  Certainly, Dr. Uhrig.
               DR. UHRIG:  There are a couple of initiatives
     around to go to continuous monitoring.  I believe EPRI has
     one.  There has been some discussion.  At least one utility
     -- we've done some work on fossil plants, where we've just
     put a system into TVA -- one of their fossil plants has a
     front-end monitor on their performance system.
               Is any consideration being given to that, where
     you basically deal with the correlation between the various
     quantities that you're measuring here as an alternative to
     the surveillance?
               MR. HOFFMAN:  When we originally started the
     initiative, we had not considered that, but subsequently, we
     have teamed up with the folks at Arkansas and EPRI on this
     continuous monitoring process and initiative, and we are
     interfacing with them now to see if there's any insights we
     can gain from what they're doing that can be brought to bear
     to support what we're doing.  So, there is a continuous
     share of information.
               At our last full owners group, where we have a
     combined -- all four owners groups meeting on technical
     specifications and licensing issues, we had several
     presentations on continuous on-line monitoring and brought
     that to bear to try to identify to the different groups that
     we were, indeed, interfacing with that group and getting
     information and support.
               DR. UHRIG:  So, this basically would be an
     alternative approach to the whole issue of surveillance.
               MR. HOFFMAN:  It is a consideration.  Right now,
     we're not sure how far it's going to go, and as a result of
     that, we're going to continue in a parallel path to look at
     the surveillances, acknowledging that that may someday
     replace that or may be an alternative, as you stated, that
     if I have the surveillance test intervals and/or a portion
     of the surveillances under licensee control, this on-line
     monitor may be a mechanism by which I'd just do on-line
     monitoring instead of surveillances, yes, sir.
               DR. UHRIG:  Thank you.
               MR. HOFFMAN:  Okay.  I'll move on to Initiative 6,
               Initiative 6 has three parts.
               Initiative 6 started off being a initiative to
     address the fact that we currently have one hour once we
     exit an individual limiting condition for operation and get
     into LCO 3.0.3 to begin the plant shutdown.
               There was an acknowledgement that there were
     several situations which were creating that which were
     inappropriate or maybe not necessary from the beginning, and
     so, we're trying to address that in its full breadth.  So,
     there's actually three pieces to it.
               One is to modify the actual LCO 3.0.3 actions and
     timing, where we would increase the one hour to 24 hours,
     which was the initial scope of Initiative 6 when it began,
     and then there are the other two pieces which, if
     successful, will make the need for doing the 6(a) portion of
     Initiative 6 lessened, and that is, one, to provide
     conditions in those LCOs where there are levels of
     degradation where no condition currently exists.
               As you know, the way that you get to LCO 3.0.3 is
     typically through two ways.
               One, you have a level of degradation where there's
     no condition, you have no action in an individual LCO, hence
     you go to LCO 3.0.3, or you exhaust the required action and
     completion times in the individual LCO and then you go to
               Well, the former of that, we felt that there were
     places where, in individual LCOs, there should be conditions
     and required actions which would negate the need to go to
               The second part is that we have identified through
     the improved technical specifications NUREGs places where we
     actually instruct the individual to go to LCO 3.0.3, where
     we have put a condition for a level of degradation which has
     been termed to be a loss of safety function and its required
     action is enter LCO 3.0.3 immediately.
               We believe, in many cases, that may be also overly
     conservative and punitive, and we are re-addressing that as
     part of 6(c).
               So, we believe that if we are successful with 6(b)
     and 6(c) under Initiative 6 that the need to modify the LCO
     3.0.3 timing under 6(a) from 1 to 24 hours may be lessened
               We're currently scheduled to provide -- we're
     working with the CEOG now to provide a draft for 6(b) and
     6(c) in June of this year, and our current plan is to
     provide a TSTF to the NRC in October of this year.
               And the last on our list is Initiative 7, which
     you spoke the morning about, sir, about defining actions to
     be taken when equipment is not operable but still
               The tech spec task force and the Westinghouse
     owners group have taken the lead on this and are currently
     working to develop a course of action and an attempt to
     bring the configuration risk management program, maintenance
     rule (a)(4), safety function determination program, and
     operable functional available into alignment such that we
     can identify the differences, understand the significance of
     them, and provide a definitive -- I will call it definitive
     tech spec requirement to address that, and our current
     schedule is to provide a traveler TSTF to the NRC in early
               CHAIRMAN SIEBER:  Is this an attempt to redefine
     what operability is?
               MR. HOFFMAN:  No, sir.
               CHAIRMAN SIEBER:  Tell me what the difference
     between operability and functionality are, so I can
     understand it.
               MR. HOFFMAN:  I'll certainly make a feeble attempt
     given the fact that we haven't completed all of our
     evaluation and work in this arena.
               As you know, we have a definition of operability
     which currently requires a number of things, and you're
     obviously very familiar with that, as you've stated this
     morning, and all dependent functions, whether it be oil,
     cooling, instrumentation, whatever it may be, in order to
     facilitate the capability of performing the intended safety
               There's also an acknowledgement in Generic Letter
     91-18 that there are certain aspects to operability that
     don't really -- quote/unquote, "operability" -- which might
     be some kind of pedigree or qualification, possibly, like
     seismic, EQ, and other actions or activities.
               What we have attempted to do is to acknowledge
     that, many times, we will have a situation where we don't
     meet a particular tech spec requirement, through a
     surveillance or any other case, but yet we have
     functionality but we may not have operability.
               One of the examples that has been currently
     discussed is where a safety analysis assumes 5,000 gallons
     per minute, let's say, for a HPSE pump on a boiling water
     reactor and that's assumed to be into the vessel itself.  We
     do a surveillance and we find that we're getting 4,800
     gallons per minute into the vessel.
               We certainly may not have operability, but one
     would argue that 4,800 gallons is better than zero gallons,
     so we may have some level of, quote/unquote, "availability"
     or functionality.
               So, we're currently trying to decide if the
     current conditions and required actions are too punitive for
     that level of degradation and trying to attempt to define a
     different course of action that would give us some
     additional time or additional compensatory measures to
     enable us to have something that doesn't meet operability
     yet does meet some level of functionality, and bear with me,
     because that's not completely defined yet.
               CHAIRMAN SIEBER:  I can remember instances where
     emergency tech spec changes have been given after analysis
     of situations like that, where you're able, through
     engineering analysis, to show that 4,800 or 7,000 or
     whatever it is you're supposed to have, minus 2 percent, was
     good enough.  That was a fairly rare occurrence, as I
     recall, you know, once every five years for a given plant.
               I presume that you want to somehow or other write
     into the tech specs the fact that a licensee on its own
     initiative and under its own authority could determine that
     4,800 gpm or whatever number you've analyzed and justified
     is good enough to call the equipment operable, and by that,
     I mean not enter the action statement, okay, and without
     interchange and approval by the NRC.
               Is this really what you're talking about?
               MR. HOFFMAN:  Yes, sir, to some extent, except we
     wouldn't consider it operable, we would only consider it
               So, we would declare it inoperable, but its
     required action and completion time would not necessarily be
     as punitive as inoperable would normally have you do.
               So, in other words, we would put some
     contingencies and some compensatory measures and some
     limitations on how that could be used, yet allow the plant
     to maneuver within some limited means of being not operable
     yet still providing some level of functionality.
               CHAIRMAN SIEBER:  To me, that's a redefinition of
     what operable means, because if it isn't operable, you go to
     the action statement.
               MR. HOFFMAN:  I couldn't agree more.  Actually,
     sir, as I said, we don't intend to redefine operability.  If
     it didn't meet operability, it would be declared inoperable,
     but if it could be declared inoperable and yet still
     declared functional, its level of action would be different
     than if it was inoperable and declared not functional.
               CHAIRMAN SIEBER:  Does this put in a new layer of
     action statements that apply when items of equipment or
     components are functional and not operable?  I mean it could
     double the size of the tech specs.
               MR. HOFFMAN:  This particular initiative's level
     of effort to date is less than all of the other initiatives. 
     So, I would be presumptuous to state that that's our intent.
               I will tell you that we're considering a number of
     different options and welcome comments from anyone who would
     like to provide some insight.
               It's an initiative that was brought up because we
     have seen examples and occurrences of situations where the
     action required to be taken for inoperable but still
     functional were perceived to be -- even in risk space -- to
     be overly conservative and, in some cases, even contrary to
               So, given that, we felt we needed to take on the
     initiative to determine what is an appropriate course of
     action.  We obviously haven't gone deep enough into that to
     explore all the different impacts that there might be from
     it, sir.
               DR. BONACA:  One thing I think is beneficial about
     this initiative is that the perception we have always
     communicated to ourselves and to the public is that, if you
     do not meet the requirement, it doesn't matter if you're
     functional, you have a failure, and therefore, we have had
     so many examples in the press, for example, of, you know,
     the plant did not have a system, therefore it lived for 20
     years without a system, and that wasn't the case, you had
     functionality all along, maybe.
               A better example than simply partial functionality
     is not meeting a code requirement.  Okay.
               A code requirement is a specific pedigree, and I
     think that have been a lot of examples where you have a
     system that everybody will agree will function, provide a
     function, but did not meet a certain pedigree or a certain
     specific attribute of the pedigree.
               So, to some degree, that's an important step, that
     at some point we want to -- I am supportive of.
               CHAIRMAN SIEBER:  Well, I think when we get to
     Initiative 7, we'll be more than happy to learn what you
     folks have come up with.
               MR. HOFFMAN:  And I'm sure we will be more than
     happy to gain your insights to assist us with that, sir.
               CHAIRMAN SIEBER:  Thank you.
               MR. BRADLEY:  That completes the industry's
     presentation, if there are no more questions.
               CHAIRMAN SIEBER:  Does anyone have any questions
     they'd like to ask at this time of industry representatives
     or the NRC staff?
               [No response.]
               CHAIRMAN SIEBER:  Well, I felt today's
     presentations were very good and very informative and --
     both on the part of the staff and on the part of NEI and the
     industry representatives, and I appreciate that.
               We will meet again to have a short discussion,
     similar to today's, at the full committee meet on May 11th,
     and this topic is currently schedule for May 30 until 10
     o'clock in the morning, which is not a very long
     presentation, but as I said before, most of the members are
     here, and so, cutting it down will not represent any kind of
     a loss of content on our part.
               So, with that, I thank you all for coming here. 
     You're welcome to stay.
               Our next step on the agenda is our own discussion,
     and for that portion of the discussion -- that will help me
     write a draft letter should we decide to send one to
     whomever we decide to send it to.
               It will help me incorporate the comments and the
     feelings of the members.
               So, I think, at this time --
               DR. APOSTOLAKIS:  Is the staff requesting a
               Are you requesting a letter?
               MR. NEWBERRY:  No, we are not.
               CHAIRMAN SIEBER:  They're not demanding a letter.
               DR. APOSTOLAKIS:  They're not requesting, not
               MR. NEWBERRY:  No.  These are licensing activities
     that we are in process for and we'll continue to proceed on,
     but of course it's an important activity, and if the
     committee has some comments, we'd be glad to have them.
               CHAIRMAN SIEBER:  I would think that, if we wrote
     a letter, it would be to the EDO saying, you know, we've
     listened to the presentations and we have these comments,
     and so, what I'd like to do now is go off the record.
               [Whereupon, at 1:27 p.m., the meeting was

Page Last Reviewed/Updated Tuesday, July 12, 2016