Plant Operations and Reliability and Probabilistic Risk Assessment - April 28, 2000
UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
***
PLANT OPERATIONS AND RELIABILITY AND
PROBABILISTIC RISK ASSESSMENT
U.S. NRC
TWFN 2B3
11545 Rockville Pike
Rockville, MD
Friday, April 28, 2000
The committee met, pursuant to notice, at 8:30
a.m.
MEMBERS PRESENT:
JACK SIEBER, Chairman, ACRS
GEORGE APOSTOLAKIS, Chairman, ACRS
JOHN BARTON, Member, ACRS
MARIO BONACA, Member, ACRS
THOMAS KRESS, Member, ACRS
ROBERT SEALE, Member, ACRS
WILLIAM SHACK, Member, ACRS
ROBERT UHRIG, Member, ACRS
C O N T E N T S
1 AGENDA
2 INTRODUCTORY STATEMENT BY THE CHAIRMAN
OF THE SUBCOMMITTEES ON PLANT OPERATIONS
AND ON RELIABILITY AND PRA
3 RISK-INFORMED TECHNICAL SPECIFICATIONS
4 BWR OWNERS' GROUP
5 RISK INFORMED TECHNICAL SPECIFICATIONS
INITIATIVES 2 AND 3
6 RISK INFORMED TECHNICAL SPECIFICATIONS
INITIATIVES
7 INDUSTRY INITIATIVES ON TECHNICAL
SPECIFICATIONS
8 INITIATIVE 2 - MISSED SURVEILLANCES
9 INITIATIVE 3 - MODE CHANGE RESTRAINTS
PRA PERSPECTIVE
10 ENGINEERING EVALUATION SONGS
P R O C E E D I N G S
[8:30 a.m.]
CHAIRMAN SIEBER: The meeting will now come to
order.
This is a meeting of the ACRS Subcommittees on
Plant Operation and on Reliability and Probabilistic Risk
Assessment.
I'm Jack Sieber, Vice-Chairman of the Subcommittee
on Plant Operations.
To my left is George Apostolakis, who is Chairman
of the Subcommittee on Reliability and PRA.
ACRS members in attendance are John Barton, Mario
Bonaca, Thomas Kress, Robert Seale, William Shack, Robert
Uhrig, and hopefully Graham Wallis.
The purpose of this meeting is to discuss NRC
staff and industry initiatives related to risk-informed
technical specifications.
The subcommittees will gather information, analyze
relevant issues and facts, and formulate proposed positions
and actions, as appropriate, for deliberation by the full
committee.
Michael T. Markley is the cognizant ACRS staff
engineer for this meeting.
The rules for participation in today's meeting
have been announced as part of the notice of the meeting
previously published in the Federal Register on April 5,
2000. A transcript of the meeting is being kept and will be
made available as stated in the Federal Register notice.
It is requested that speakers first identify
themselves and speak with sufficient clarity and volume so
that they may be readily heard.
Also, we request that all speakers use the
microphones, so that the court reporter can hear and
understand them.
We have received no written comments or requests
for time to make oral statements from members of the public.
Reliability and Probabilistic Risk Assessment
Subcommittee met on December 16, 1999, to discuss
initiatives proposed by the Risk-Informed Technical
Specification Task Force.
Today, the subcommittees will discuss Initiative 2
on technical specifications of surveillance requirements,
Initiative 3 on mode restraint flexibility, and plans for
submittal and review of other Risk-Informed Technical
Specification Task Force initiatives.
Before we begin, I would like to ask Dr.
Apostolakis to summarize the issues identified in the
December 16th meeting.
DR. APOSTOLAKIS: Thank you, Jack.
As Jack mentioned, we met on December 16th, and we
were presented with a very ambitious program for
risk-informing technical specifications, consisting of seven
initiatives, some that, in fact, have A's and B's, more than
seven.
There were many comments made by members in the
meeting, as usual.
A couple of the comments that seemed to be of
relative importance are that the public participation in the
process, public involvement and participation should be
increased, especially after we had a statement read by me,
statement from Public Citizen that they feel that they don't
have adequate information to comment on these things in a
timely manner.
The subcommittee also requested or suggested that
perhaps a vision statement for risk-informed technical
specifications should be developed and a clear statement of
the objectives of these initiatives should also be given.
Then the perennial issue of how much to rely on
quantitative analysis and how much on qualitative insights
came up.
We've faced this problem in the past in other
situations, in other contexts, but I think we're going to
see it again here.
To what extent can one rely on expert panel
deliberations and not try to quantify the impact of the
proposed changes on CDF or maybe the cornerstones
themselves?
So, this will be an interesting issue to pursue, I
think.
And that pretty much covers it, I believe.
There were other comments, but I'm sure we will
see what the staff and the industry present today and maybe
come back to those, and of course, the quality of the PRA is
a perennial issue, you know, do we need a Cadillac or a
Volkswagen?
So, Jack, back to you.
CHAIRMAN SIEBER: I'd like now to proceed with the
NRC presentation and introduce Scott Newberry to introduce
the speakers from the staff.
MR. NEWBERRY: Thanks, Mr. Chairman.
I'm Scott Newberry. I'm Deputy Director of the
Division of Regulatory Improvement in NRR.
There is an ambitious agenda as well as an
ambitious program here, Mr. Chairman, so I'm not going to
talk very long but just introduce staff at the table.
A couple of comments, though.
I was looking at our budget last night on
regulatory improvements, and there's a long list of
activities, where we are modifying the process, working to
improve the process. We've been over here talking on FSAR,
design basis, 50.59 reporting requirements, more and more on
risk-informing Part 50 -- I expect that to increase --
license renewal process, license transfers, and on.
Considerable resources in the Office of NRR are
being devoted to improving the process.
We are increasing the focus on this program that
you're going to hear about today -- I wanted to make that
point -- more resources and more leadership on the activity
to risk-inform tech specs, because we believe it's
important.
A second point I wanted to make was, in the past
month or so, I have heard a comment or been asked a question
about our view on tech specs and, because something may be
not as important as another, does -- you know, what is our
expectation on tech specs?
We expect requirements to be met. We expect
surveillances to be performed as they're listed in the tech
specs.
We're going to be talking about tools today to
inform the tech spec process so they could be changed, but
our expectation from the NRC point of view is that
requirements be met, and sometimes that gets a bit muddled,
and I wanted to make that second point.
And the last point is I hope we're responsive to
the comments from the last meeting.
You reminded me, Dr. Apostolakis, about the public
participation point.
After that meeting, we initiated a communication
activity with that individual and it was very informative
and made sure he had additional information, and we had a
good chat with him on the phone. So, I hope we improved on
that point.
At the table from the staff are Bob Dennig and
Jack Foster from the tech spec branch of the NRR division.
They're the tech spec experts, and Bob will talk to you a
little bit about technical specification philosophy, and
Mark Reinhart, from the PRA branch, will talk about the
tools used to inform the integrated decision-making process.
So, without further ado, gentlemen.
MR. DENNIG: I'm Bob Dennig, Section Chief in the
tech spec branch.
I wanted to give Biff Bradley, from NEI, an
opportunity at this time to make an opening remark or
introduce the support folks that we have here from the
industry, if you'd like to do that, put him on the spot
here. He just came in the door.
MR. BRADLEY: This is a surprise move here. Sure,
I'll be happy to.
I'm Biff Bradley from NEI. I'm in the regulatory
reform group at NEI.
With us today, we have a representative from one
of our lead plants, San Onofre, Dr. Parviz Moeni, and Rick
Hill from the GE owners group is here, and also we have,
sitting on the NRC side of the room, Don Hoffman, who is a
consultant that's been very involved in all the industry
tech spec activities.
Thanks.
MR. DENNIG: Now, on the staff side, we also have
Millard Wohl here, who is one of the key reviewers involved
in looking at these initiatives. Nick Saltos is also here.
He's another key reviewer.
We're pleased to be here to continue the dialogue
that we began back in December with the Reliability and
Probabilistic Risk Assessment Subcommittee, and as has been
mentioned, at that time, we introduced the general scope of
what the package that we're calling risk-informed tech specs
consists of, how it dated back to some activities that began
in July of 1998, the seven initiatives, and some overview
about how they fit together.
We received some very valuable feedback, as has
been mentioned at that meeting, as to how we could better
present our program and how we could better make our points,
and we hope that this presentation is reflective of that
feedback, and I guess we'll see when we get through it how
well we've done.
As part of acting on that feedback, my job this
morning is to go a little bit into the background of
technical specifications, their history, content, how they
work, and where we are, and how they've evolved.
So, we can look at the title slide for a moment
and confirm that that's what we're talking about today, and
then let me begin.
Tech specs are explicitly required by the Atomic
Energy Act and are a part of the license. They are derived
from the safety analysis. They, thus, constitute that
portion of the safety analysis that is a part of the license
and can only be changed by amendment and, thus, through
staff review. They have been characterized as, quote, "a
central feature of the continuing relationship between the
licensee and the Commission."
Tech specs are a work in progress. The initial
rule was in 1962. There were revisions in 1968 and 1995.
Over that time period, we have worked with custom technical
specifications, basically paragraphs and words that were
derived in performing the safety analysis as you go through
chapter by chapter and organize by those chapters. We then
progressed, in the early '70s, to improved standard -- to
standard technical specifications, following the structure
laid down in the 1968 rule, rule change, and then in the
'90s to improved standard technical specifications.
Conversions to improved standard technical
specifications have been ongoing since 1993 and are
continuing.
Forty conversions have been reviewed and approved
or in process, 17 are planned, covering a total of 89
plants.
Just as technical specifications are a work in
progress, risk-informing technical specifications is a work
in progress. It's not a new subject.
For example, in 1975, ECCS completion times, as we
now call them, often known as allowed outage times, were
extended based on WASH-1400 insights.
In 1983, the staff reviewed an extensive WCAP
dealing with surveillance frequencies and out-of-service
times that use reliability analysis techniques.
In 1983, also, there was a task group that was put
together to look at improvements that could be made to
technical specifications.
It issued a report entitled "Technical
Specifications: Enhancing the Safety Impact." That report
pointed at -- in a lot of the directions that are being
followed through on the seven initiatives that we're talking
about now, in particular using risk and risk insights to
improve technical specifications.
Most recently we have Reg. Guide 1.177, in 1998,
and that provides a basic approach for risk-informing
allowed outage times and surveillance test intervals.
Thus, risk-informing tech specs is not a new
subject, it is a work in progress, and we're here to discuss
how we're continuing that progress.
If I could have the next slide, please.
By way of basic structure and to explain how tech
specs work, I thought it would be easier to use a visual.
The outer ring indicates the safety analysis, and
the arrow indicates that we derive the specs from that
safety analysis.
Over time, a lot of the effort -- a lot of effort
has gone into determining exactly how large that green ring
should be, what is the scope of technical specifications.
We're not particularly focused on talking about that scope
issue today.
Going inward, we see two categories of what tech
specs should cover, specific characteristics, in quotes, and
conditions for operation.
In the current structure, we have some standard
tech specs and continuing to improve standard tech specs.
Per the 1968 rule, we have, under specific characteristics
-- I parsed this out this way; I thought this was the best
fit -- we have safety limits, limiting safety system
settings, and design features.
We also have what are called conditions for
operation, and I have parsed into that area limiting
conditions for operation, with their conditions, their
completion times, and their action statements,
surveillances, with their surveillance test intervals, and
administrative issues.
The purpose functionally for the conditions of
operation is to make sure that the plant maintains those
specific characteristics, those safety limits, those
limiting safety system settings and design features.
Interestingly, if you go back to the safety
analysis, you'll find a lot of documentation and bases for
things like safety limits and limiting safety system
settings and so on.
You'll not find much by way of analytical basis
for things like surveillance test intervals, action
statements, completion times, and so on and so forth.
If I could have the next slide, please.
For purposes of summary and to lead into the next
phase of the discussion, I thought these three points
captured the basic features of what tech specs are expected
to do.
They establish values of important parameters to
preserve barriers, barriers to radiation release.
They also establish a design basis equipment
configuration or plant configuration that we expect to have
in place.
They also contain and require predetermined
actions to restore that design basis when there is a
degradation or to change the plant state so that the
equipment that has been affected is no longer considered
important or needed.
I would emphasize the predetermined and
prescripted aspect of that, and I would also emphasize that
the way the tech specs have evolved from the safety
analysis, arranged pretty much by chapter by chapter in the
safety analysis, that they don't integrate across the plant
and in managing the plant's state.
If I could have the next slide, please.
So, what we find today is that the tech specs,
because of their evolution, where they come from, largely,
do not manage risk of the overall plant configuration. They
look system by system, LCO by LCO. Instrumentation has its
own place. Support systems, plant system have their plant,
electrical systems, ECCS, their own silos or bins.
They don't manage risk in restoring the design
basis configuration or changing the plant's state. By that,
we mean that the way that specs were constructed was area by
area, what's a reasonable time, given a random single
failure, to either fix that single failure or begin shutting
down the plant?
Now, I don't know to what extent we've been able
to carefully weigh the benefits of maneuvering the plant
with that inoperable equipment or staying up a little bit
longer and not maneuvering the plant.
And finally, they don't take advantage of advances
in risk and reliability analysis techniques to determine
surveillance frequencies and completion times.
If I could go to the next slide, please.
I hope this is a crisp vision statement, and
certainly continue to help us with this, but this was our --
again, our response to your feedback.
We thought that this got where we were trying to
go and said it succinctly enough, basically maintain or
improve safety by risk-informing technical specifications
requirements that govern operation, including incorporation
of integrated decision-making to restore the design basis
configuration when we have a degradation.
The next slide, please.
In summary, before I hand off to Mark Reinhart,
what we're working on and what we're not -- we're leaving
alone, in general, things like safety limits, limiting
safety system settings, design features, and administrative
controls. We're not risk-informing tech specs in the
current scheme of things, not operating on those aspects of
tech specs.
Where we are operating is on the LCOs and the
surveillance requirements, particularly in how best to
restore the design basis using risk insights when there is a
degradation from the expected configuration and providing
flexibility as to what is done by way of surveillance test
intervals and where those intervals and the specifics of
surveillance might be located, whether inside tech specs or
outside tech specs.
Let me then turn --
DR. SEALE: Could I ask a question?
MR. DENNIG: Sure.
DR. SEALE: Back on one of your earlier slides,
the one on standard technical specification issues, there is
a bullet that indicates that you do not take advantage of
advances in risk and reliability analysis techniques to
determine surveillance frequencies and completion times.
Do you mean -- are you implying that, in fact,
there is a technology available that would allow you to do
that, and I guess if the answer to that is yes, what
specific input would you need in order to make that
assessment, and to what extent does that input exist?
Do you follow my question?
MR. DENNIG: I think so.
MR. REINHART: I think the answer is that's the
whole point of what we're doing.
We're working with the industry to do that, and
the next part is really going to focus on the tool we're
looking for and how we're looking for a licensee to use that
tool to handle, really, the plant configuration, the
flexibility of the configuration.
DR. SEALE: Okay.
CHAIRMAN SIEBER: Just to follow on to Dr. Seale's
question, should you not have the tools available first to
perform the analysis, rather than take steps to change
technical specifications, for example, to lengthen the
allowed time for missed surveillance or mode changes or how
fast one has to go to hot shutdown or cold shutdown or what
have you?
Shouldn't those analytical tools be available and
used?
MR. REINHART: Yes, they should, and to the extent
that a given licensee has those tools, that's the limit or
the extent that will allow the flexibility, or if there's
some generic insights that we can get from a spectrum of
tools, we've tried to use those, also, but certainly we've
had to have tools to precede decisions.
CHAIRMAN SIEBER: Okay. That includes some kind
of shutdown and transient PRA technology, shutdown risk
assessment.
MR. REINHART: Bob kept talking about a work in
progress.
There are some plants that have those, others do
not, and again, depending on what insights we can get from
the general spectrum, we can use those, but on a given plant
by plant, if they have a very specific situation, we would
look for them to have the tool to accommodate it.
CHAIRMAN SIEBER: And the staff does not have
those tools that they could apply independently of the
licensing?
MR. REINHART: We have some tools, like we're
developing what's called a SPAR3 model. That's not
plant-specific.
We're trying to make it as plant-specific as we
can, but to some extent we can use that. But in this
application, I think we really need to have the licensee
having a quality tool to really apply there.
CHAIRMAN SIEBER: So, that will be prerequisite to
granting any risk-informed tech spec that's different from
the standard tech specs that is -- that everybody has right
now.
MR. REINHART: Yes, it is.
MR. DENNIG: The general approach is that, if you
want to do this, you have to have this.
CHAIRMAN SIEBER: Okay. Thank you very much.
DR. APOSTOLAKIS: Shall we go to 5, the next one?
I'd like to understand it a little better. Would you
elaborate on that a little bit, what that means?
MR. DENNIG: That harkens back to the issue of
placing in tech specs a -- in the place of prescripted or
predetermined actions that one is to take based on some
notion of the set of plant states that we'll encounter, one
puts in place an approach where you look at the plant state,
the actual plant state that you have, and you make a
decision as to where you go next based on that state and
based on your level of risk information that tells you
what's my best move given where I am, instead of following a
script.
So, I think that's basically what we're trying to
say.
CHAIRMAN SIEBER: I guess one final question.
Back in the days when I worked in power plants, in
licensing, and we needed or wanted a tech spec change, we
would hunt for some other plant that was granted a tech spec
change like the one we wanted, and we would submit ours and
say this is okay because plant XYZ has it.
Now, with regard to the tools that you said were a
prerequisite to risk-informing tech specs, once one licensee
develops the tools and you grant them a tech spec and 50
other licensees get on the bandwagon and say I want one just
like that, you already have a precedent.
MR. REINHART: We're going to need to look at how
that particular licensee qualifies with what was set in the
precedent.
If he has the appropriate tools, if the analysis
performed fits his design, if all those things line up, we
have a way to go, but we still have to review it on a
plant-specific basis for his application.
CHAIRMAN SIEBER: So, your expectation is that
each licensee should possess the tools to demonstrate that
the risk information used to develop that licensee's tech
specs is valid for that plant.
MR. REINHART: Sure.
DR. BARTON: I think you almost need that, Jack.
CHAIRMAN SIEBER: Yeah, I know you do, but you
know and I know that -- how the tech spec business has
worked in the past, right?
DR. BARTON: Is it prerequisite to play in this
risk-informed tech spec arena that you have a standard tech
spec?
MR. DENNIG: No, it's not, but it certainly makes
it a lot easier.
Along with adopting the precedent notion, you
certainly get a lot more mileage out of something that's
been formulated in terms of the standard -- improved
standard tech spec than if you're trying to do something
with a custom spec.
DR. BARTON: Okay.
MR. DENNIG: And then, with a custom spec, you
know, you have to make sure that there aren't other things
out there that were coordinated in improved standard tech
specs that aren't coordinated in the custom spec that were
assumed to be there.
DR. BARTON: Right.
MR. DENNIG: And so, it gets more complicated and
it gets more expensive, but you know, you don't have to.
DR. BARTON: Increases the burden.
MR. DENNIG: Yes, sir.
MR. REINHART: I think I'll stand up, if it's okay
with you all.
CHAIRMAN SIEBER: You have the little mike.
MR. REINHART: I have it. Can you hear me?
CHAIRMAN SIEBER: Yes.
DR. SEALE: He can keep moving. It's much harder
to hit him.
MR. REINHART: Right. There you go.
In, really, answer to some of the questions you've
asked and in follow-on to Bob's comment of the tools to
support the vision, to support the flexibility in the
configuration control of the plant, we are looking for a
quality tool, and really, the thought is, to the extent that
a given licensee has the necessary quality in his PSA, it's
to that extent that we'll grant the additional flexibility.
Now, if you want to say, the entire vision will be
supported by a PSA that was a Level 1/Level 2,
internal/external events like fire, flood, seismic, we would
be looking for an operations, a shutdown, and a transient
model.
Some licensees have that; not all do.
DR. APOSTOLAKIS: Do any licensees have a PRA for
transition mode?
MR. REINHART: It's my understanding that -- I
believe San Onofre does.
MR. MOENI: This is Parviz Moeni.
To answer the question, George, yes. I think a
couple of years ago, CEOG developed transition risk models.
It's in a technical report by CEOG, and we have adopted that
model.
DR. APOSTOLAKIS: Can I have a copy of that?
MR. MOENI: I don't know if you have a copy, but I
can definitely find a copy for you, but I know, if you do
have a copy, this is by CEOG.
DR. APOSTOLAKIS: Yeah, would you please send a
copy to Mr. Markley?
MR. MOENI: Sure. Absolutely.
DR. APOSTOLAKIS: Thank you.
MR. REINHART: And it's also my understanding that
the CEOG is taking their transition model and their
shut-down model and providing a template for other plants
that could adopt that.
MR. MOENI: Yes.
MR. REINHART: Okay. So, we see some plants have
this, with the provision to share that information so that
others can use it.
Longer-term, if you will, and maybe beyond the
tech spec piece we're talking about, is a Level 3 PSA, and
my branch is looking at that as an additional long-term
goal.
But one of the things we want to say about this
PSA -- we're looking for a standard. It will be some
standard that the staff and the industry agreed on.
We're looking for a PSA that's living, that's
maintained, consistent with the contemporary plant, and
again, the higher the quality, the increased the flexibility
that a licensee would be granted.
Could I go to the next one, please?
CHAIRMAN SIEBER: Before you remove that --
MR. REINHART: Sure.
CHAIRMAN SIEBER: Items that are on this slide are
very important to me, and I would consider this set of
attributes for a licensee as almost a minimum set for
risk-informing tech specs.
DR. UHRIG: But right now, there aren't many
plants that would meet those requirements, are there?
MR. REINHART: There are not many that meet them
all. There are more that meet a good number of them.
Probably almost everybody meets some of them.
So, there's certain pieces that we could grant
based on the quality PSA that particular plant has, but it
kind of gets back to the quality that was asked earlier.
If one plant says, oh, well, this plant got it,
why can't I have it, what does that plant have in its PSA
and what does this plant have in its PSA? What's the
quality, what is the pedigree of the review, how do we have
the confidence?
DR. BONACA: But you're going to require this --
let me call them characteristics, because you need them to
support the evaluation, not just because you make it a
requirement, a pre-condition, right?
The reason why I'm asking the question is that, if
I go back to your initial slide, where you translate your
safety analysis into the tech specs, you're not changing
anything about the safety analysis, you're not changing
anything about your setting, you're not changing anything
about anything except you're allowing surveillances and LCOs
to be changed, and I would expect that, for many of them,
you don't need a Level 3.
MR. REINHART: Yes, absolutely.
DR. BONACA: So, I'm saying that you're not
prescribing -- go ahead.
MR. REINHART: We're really dealing in this yellow
sphere now.
DR. BONACA: And it makes sense.
MR. REINHART: Yes.
DR. APOSTOLAKIS: So, under what circumstances
would you need a Level 3 PSA?
MR. REINHART: I threw that up there to say that's
a goal my branch has. There are some areas, particularly
doses, off-site doses, control room doses, that we're
looking at in that area, may not impact what we're doing in
tech specs.
CHAIRMAN SIEBER: You can continue now.
MR. REINHART: Okay.
The next slide, please?
A licensee would take the tool they have, that we
have approved, that is compatible with whatever relaxation
they have, but Reg. Guide 1.174 really gives five key things
that they have to do, that we're looking for, and I'll point
out what Scott Newberry said at the beginning.
We expect licensees to meet their technical
specifications. So, we're looking at them to comply with
regulations, to maintain a defense in depth, to maintain
safety margins.
The flexibility Reg. Guide 1.174, along with
1.177, gives is we're looking for changes that would be
risk-decreased, risk-neutral, or a small increase. When we
talk about a small increase, we get into some charts and
graphs that the reg. guides have.
Ideally, a licensee could make a case that, given
this configuration, to go here, the safest path is X, Y, or
Z, and he could maintain himself risk-neutral or a decrease
in risk from where he is to where he's trying to go.
So, that's the type of thinking we're looking for,
and while that might be on an immediate timeframe, we're
also looking for a long-term type of feature that would
monitor subsequent performance for that licensee and
something we could tell about the industry in general.
So, if we go to the next slide, please, we're
looking for an integrated, risk-informed technical
specifications that we can make progress, a lot of progress
within the rule we have today, 10 CFR 50.36.
Likely we'll identify some improvements as we go
along, but we feel we can make a lot of progress with the
rule we have, and again, what we're looking for, given the
situation the licensee is in to where he wants to go,
restore the design basis, restore the LCO, we're looking for
a path that has an integrated acceptably low-risk locus.
He would compare, depending upon what he has in
his PSA and what flexibility he's granted, the at-power
risk, the transition risk, the mode-specific risk, depending
upon where the tech specs could possibly be driving him,
balance those three pieces, incorporate compensatory
actions, and here's where we're taking insights, and when
we're talking about insights, we're saying what do we see by
looking into the PSA, what did the cut-set analysis tell us,
what are the boundary conditions, what are the assumptions,
what have we said we have to do to get to this result, use
those insights to develop a success path of least risk or
most risk-reducing path, and at the same time maybe identify
some potholes along the way, if you will, areas of high risk
to avoid, and a licensee that can be doing that, we feel,
will -- while he'll have flexibility, we have a confidence
of really reduced risk.
If we go to the next slide, what we're expecting a
licensee to do, they have the tool, now they have a program
to use that tool, a formal process that would evaluate the
configuration and make some risk-informed decisions, some
criteria level, maybe a criteria level that would say this
is an appropriate level of risk for this configuration we're
intending to go into or that we are into, maybe somewhat
higher level they would start to dig a little deeper to get
some of those insights, maybe at some point they bring in an
expert panel, maybe at some other point they bring in
higher-level management for decision.
So, they have some sort of hierarchy that tells
them what they have to do given the configuration, helps
them derive those compensatory measures that we've talked
about before.
CHAIRMAN SIEBER: How extensive do you believe
that expert panels will be used in lieu of analysis?
MR. REINHART: I don't think that they would be
used in lieu of, like in ignorance of analysis.
I would think those expert panels would have the
knowledge of that analysis, along with their other expert
thoughts, to merge those or integrate together to come up
with a proper decision.
CHAIRMAN SIEBER: See, I asked that question
because I think that the tech specs, to be risk-informed,
ought to be based on analysis rather than the opinion of
expert panels, and so, to me, the preponderance of the
quantitative information that goes into formulating a
risk-informed tech spec ought to come from analysis, as
opposed to the qualitative kinds of things that expert
panels would give you.
MR. REINHART: But would the panel take that
qualitative part and maybe have to think a little bit about
really what that means to them, given the situation they're
in?
CHAIRMAN SIEBER: I think that the value of an
expert panel is to look at the quantitative analytical
results and say does this really make sense for this plant,
and that's how I feel they should be used, as opposed to
being part and parcel of coming up with did the risk
increase or did it go down?
DR. BONACA: Are you saying that the tech specs
may include some provisions for having decisions made ad hoc
based on an expert panel analysis?
MR. REINHART: No. I'm saying a licensee has a
program, and again, the work in progress -- we're looking at
what some licensees have done, and some have some criteria
set up, and depending on what the change in risk is for the
configuration, they get more and more individuals involved.
They have some predetermined configurations they can go to,
they have some levels that are normal, but as things get
more complicated, they want to get more minds on the problem
to start to put the pieces together, and at some level,
they'll have a panel set up that they bring to bear. At
other levels, they say we're not going to do this work
unless we have some compelling reason, but that compelling
reason has to go to a higher level of management to say,
yeah, this is really compelling.
That's what I'm trying to get at, a flexible
responsible licensee program that puts this all together.
CHAIRMAN SIEBER: Yeah, but that program will have
to be carefully crafted, because you know, you're dealing
with not just one licensee but all of the licensees, and
there are some that are vastly superior to the minimum
standard for safety, and there are some that are sort of
marginal, perhaps, at least hypothetically that way, and so,
whatever you do and whatever you craft has to be
sufficiently strong so that everybody fully understands what
the expectations are.
MR. REINHART: Excellent comment. I appreciate
that.
DR. BONACA: Let me go back to the comment I made.
I was thinking of one of the examples that were provided to
us. It was 358, I believe, the 358 example of missed
surveillance.
There is a philosophy being proposed there, it
seems to me, although it's not as presently proposed, that
says, if I miss a surveillance, I can go all the way to the
next interval, but I can make a decision in between, and
that may be a long time, what is the optimal time to do the
surveillance again.
That implies a decision-making process that
includes some elements of that.
MR. REINHART: Yes.
DR. BONACA: There is already a seed being planted
there of that kind of process, and that's the reason why I
ask that, because you know, to some degree, you would be
confronted with some proposals that will take you in that
direction.
MR. REINHART: Here is how I am hearing that, as
industry proposes it.
They have a surveillance. We expect them to
perform the surveillances when scheduled, and we expect them
to have a program to do that, but in the unusual -- and we
expect it to be unusual circumstance that they've missed one
and they've started up but it would, say, require a mode
change to go back and perform that surveillance, the
licensee now has to tell us.
Okay.
Let's say the licensee has performed this
surveillance over the past X years and it's always been
successful.
So, their data shows a high reliability of that
system.
They can go in and either do part of the
surveillance or, through other means, come close to giving
themselves confidence that they have met the surveillance
but either there's a piece they can't complete or they can't
complete it to the full.
With that level of confidence, given that usually
this surveillance just verifies that, yeah, it's okay, the
general thinking is the risk incurred by taking the plant
through a transient to perform the surveillance and back up
again outweighs the risk of continuing with that particular
issue.
CHAIRMAN SIEBER: So, for a 19-month surveillance
interval, could be another whole cycle before the
surveillance is completed.
MR. REINHART: It could be. Part of their
proposal, I think, is that, however, if they come upon an
opportunity to do it in that period of time, they should do
it at that first opportunity.
DR. BONACA: That's why I'm saying if you go from
a prescriptive approach to the tech specs to one in which
you have an ongoing management process within that span of
18 months or 24 months, that's a fundamental change in the
philosophy.
MR. REINHART: Yes, definitely.
DR. BONACA: You have to think about how you're
going to handle that.
MR. REINHART: Definitely.
CHAIRMAN SIEBER: Now, how would the NRC know,
because the surveillances won't be reportable, right? So,
you wouldn't know what that situation is other than the
resident inspector paying attention to what's going on at
the daily meetings and looking in the corrective action
program. Is that correct?
MR. REINHART: It's the resident -- the resident
is the one that we would be relying on to have that
information, primarily.
CHAIRMAN SIEBER: So, that's a pretty healthy
transfer of trust from the days that I recall when, if you
missed a surveillance, it was a Level 4 right then, and that
went into an NRC tracking system, and if you missed it and
you had to shut down and get it, you shut down to get it.
That's quite a departure.
MR. DENNIG: Yes, it is a change, and I think
we'll get more into these kinds of issues as we talk about
Initiative 2 later in the morning.
CHAIRMAN SIEBER: You may want to think about --
and I'd sort of like to know about how you would enforce a
situation where surveillances were being missed on a more
routine basis.
If you don't watch the baby, the baby will do lots
of things.
MR. DENNIG: Again, to jump ahead to the
discussion we'll have on Initiative 2, we have spoken with
the oversight people, in the oversight program.
It's our understanding that there is a track for
repetitive occurrences of things like a missed surveillance,
so that that will be noticed, identified, and treated in the
oversight arena.
Those repetitive instances, in and of themselves,
regardless of their individual significance, will be treated
as a -- hey, this is a pattern of behavior, which goes back
to our expectation that requirements will be met and the
premise underlying Initiative 2 that these are rare and
unusual circumstances.
If that changes, then this doesn't work. If that
situation changes, then this doesn't work.
CHAIRMAN SIEBER: And so, how would you figure out
where the threshold was? Are you going to have a
performance indicator? What's good enough? Only miss one
or two a year or 10 a year? See, I don't know.
MR. REINHART: This last item here really gets to
the performance indicator.
There's two things, the reactor oversight program
that Bob addressed, and we're looking for some sort of a --
some of this part is going to be for the immediate
situation, we'd have or expect some performance indicator
that would show us, over a period of time, that licensee --
maybe its accumulated incremental core damage probability
over a year, over a cycle, there's a certain goal or a
certain expectation.
If that licensee is accumulating more than
expected, his program needs to direct him to go back and
figure out what's wrong with his program and fix it, so that
he's not incurring that accumulated core damage probability.
CHAIRMAN SIEBER: Okay. Thank you.
Will you have the tool to evaluate how the
long-term core damage probability changes with regard to
licensee behavior as far as missed surveillances or other
operations problems? Are you going to know or you're just
going to say, well, I think it is?
MR. REINHART: I think we're a bit in the work in
progress here on that aspect.
We would have to look at what his program does for
us. We'd have to look at what the reactor oversight program
does for us.
CHAIRMAN SIEBER: Well, there's two ways you can
go. One is to say -- which is sort of the new oversight
process -- well, from a risk standpoint, it's not
significant, or the other way is you can say we expect you
to obey your tech specs, obey all the rules and your license
conditions, and so, go to it or we are going to clamp down.
There's two ways.
MR. REINHART: I understand.
CHAIRMAN SIEBER: Okay.
MR. REINHART: If I could go to the next --
DR. KRESS: Before we leave it, could you go back
to this concept of accumulated core damage probability and
explain it to me a little bit? I'm not sure I know what an
accumulated probability is.
MR. REINHART: Okay.
A licensee has a configuration, say a baseline
configuration, or it might be his no-maintenance
configuration, would be the base, but something changes in
the plant, whether it's a change in configuration or an
unknown, like a missed surveillance, there would be some
level of calculated core damage frequency change that,
integrated over time --
DR. KRESS: You're going to integrate that over
time.
MR. REINHART: -- would give you the incurred
conditional core damage probability for that situation, and
so, you take that and you put that in the hopper.
DR. KRESS: George, you're a PRA guy. Does that
integration have any meaning at all?
DR. APOSTOLAKIS: Integrating the frequency of
core damage given those circumstances over time, right, for
the duration of the situation.
MR. REINHART: Right.
DR. APOSTOLAKIS: Yeah.
DR. KRESS: This is time past, not time in future.
DR. APOSTOLAKIS: It's time past?
MR. REINHART: Well, over a year, you would add up
the core damage probability that was accumulated during the
various situations.
DR. KRESS: It's time past, George.
DR. APOSTOLAKIS: To do what? After you add them
up, what do you do with it? You will have a limit?
DR. SHACK: It would tell you whether you needed
to improve your program or not.
MR. REINHART: Right.
DR. SHACK: You couldn't put a limit on things
that already happened, but it would tell you that your
program needed improvement if, in fact, the number was going
up.
DR. KRESS: It's a performance indicator of sorts.
DR. APOSTOLAKIS: Yeah.
DR. KRESS: Okay. It could have meaning in that
sense.
DR. APOSTOLAKIS: Yeah, in that sense it's
meaningful, yeah.
DR. KRESS: Okay.
MR. REINHART: We have a comment from the audience
here.
Please come to the microphone and tell us again
who you are, please.
MR. MOENI: Yes. Parviz Moeni.
I think George answered the question correctly,
but let me explain what we have.
We have a number of key performance indicators.
One of them is -- we call it safety performance indicators,
and this is basically the cumulative core damage probability
over one year.
So, what that means, the management, with the help
of the PRA group, of course, has set up a value for the
plant risk, which is CDP, and we monitor this.
This is basically monitored daily, and we're
making sure, at the end of the year, this goal has not been
exceeded, and how do we do this, basically the plant people
who operate the plant and maintain the plant, the SDAs and
the maintenance people at some level -- they have the safety
monitor.
So, they always track this thing, the plant risk,
to make sure that we don't exceed, basically, that level
that the management has set, and this performance indicator
also tied up to the bonus for the people, so basically to
make sure that this performance goal would be met.
DR. APOSTOLAKIS: So, the performance level, then,
is on the CDP.
MR. MOENI: On the CDP.
DR. APOSTOLAKIS: Not the CDF.
MR. MOENI: No. It's accumulative over the year.
MR. REINHART: The CDF integrated over time.
MR. MOENI: Sure.
DR. APOSTOLAKIS: You don't have, then, any other
requirement regarding the spikes? It's just a total
integrated over time?
MR. MOENI: Sure, but you don't want to basically
--
DR. APOSTOLAKIS: You do or you don't?
MR. MOENI: No. The thing is that you cannot have
even -- you cannot have spikes either, but the overall goal
is still the CDP.
So, you may -- again, the thing is not to have
spikes, but if you have spikes for a very short period of
time -- I will give you an example for shut-down events.
Mid-loop is a very risky situation, but the timing
interval for mid-loop operation is very low. We are talking
about maybe a day or sometimes less than a day. So, the
cumulative probability, again, for that specific plant
operation makes the CDP low.
But forgetting a mid-loop, you don't want to have
a spike.
DR. BONACA: You do a line maintenance.
MR. MOENI: Yes.
DR. BONACA: And that will give you spikes.
MR. MOENI: Yes, absolutely, but again, you keep
track of the timing and the CDF to make sure that the goal,
which is CDP, would not be exceeded.
DR. BONACA: I understand.
MR. REINHART: Is it true that you would look at
the spikes for the immediate situation but the accumulated
CDP for program evaluation over the year?
MR. MOENI: Over the year, yes, annual.
CHAIRMAN SIEBER: The issue is the chronic
mis-administration of a program that you're concerned about
for these issues.
MR. REINHART: Yes.
DR. APOSTOLAKIS: So, this is a management tool,
and basically, you cannot really prescribe what the
management should do given a particular profile, but
presumably, if they see something very unusual, they would
catch it.
MR. MOENI: Yes.
Every week -- I think now it's monthly, it used to
be weekly -- you have a management meeting in the morning.
So, somebody from the PRA group goes there and represents
the core damage frequency over the month or the week. Now
it's monthly. It's monthly.
So, it shows the plant CDF for every day, and if
there are spikes for some reason, especially if it goes over
the baseline CDF, then they have to explain -- the PRA group
has to explain what happened there and what was the reason
that you had a spike there, this is because the diesel
generator was under maintenance or something was taken out,
whatever the reason was.
So, the management is always aware of things that
are done to the plant that makes the CDF go up and down.
CHAIRMAN SIEBER: We're running a little late
right now.
MR. REINHART: I have one -- just one illustration
I would like to use in conclusion to try to put the risk
we're concerned with into three different time periods.
I'd like to use an illustration of just crossing
the street.
If you think about it, there is before you cross,
while you're crossing, and after you've crossed.
As you come up to an intersection, obviously there
was some design, somebody decided to put a light, a signal
there, but you look, you look at the condition, the weather,
the traffic, you make a decision.
You start to cross the street. As you're
crossing, you have to be aware of what's going on now.
It might have been great when you started, but
what if a car comes through a light? What if you have a
child by the hand?
You have to be ready to address those situations
as they come.
When you get to the other side of the street,
you're safe now, you might say, hey, that was a close call,
I need to think about this a little more.
In the same sense, we are applying risk before we
go into a configuration; we analyze, we calculate what's
going to change, what's the change in our core damage
frequency as we go in, how long do we plan to be there, do
we have the tools, the people, the procedures lined up. We
make that decision.
Once we start the actual work or we're in the
configuration and something changes, we have to be ready to
take compensatory action right now in a fluid dynamic sense
to handle that situation, but once we're through it, we're
not going to forget it.
We either had a good experience, a not-so-good
experience, a horrible experience, but we want to take that
and accumulate it over some period of time, whether it's a
month, a year, a cycle, and go back and evaluate.
DR. APOSTOLAKIS: It's like crossing the Rockville
Pike, right?
MR. REINHART: Right. There you go, exactly.
DR. APOSTOLAKIS: The key is you remember.
MR. REINHART: That's what we're looking for a
licensee to do.
I say the as-good-as-new principle. If you think
of crossing a street, you're in the crosswalk, and you're
90-percent there, and it dawns upon you, you know what, this
was a mistake, this was a dumb idea, are you going to go
back? No. Hop up on that curb, the other 10 percent.
And so, what we're trying to do is say maybe we've
had some on-line maintenance, maybe we've stayed at power.
Once we're at that 11th hour and we decide we really didn't
quite evaluate that right, don't shut down now, finish it,
get back in a stable configuration, do the risk-safe thing
to do, the risk-informed safest thing to do, and evaluate it
for next time.
Thank you.
CHAIRMAN SIEBER: Thank you very much.
Mr. Bradley?
MR. BRADLEY: Good morning.
I am Biff Bradley of NEI, and with me at the table
is Rick Hill of GE and the BWR owners group.
We did have a number of last-minute crises trying
to get industry support for this presentation.
So, Don Hoffman will be supporting the second part
of the presentation on the individual initiatives, and also,
I didn't mention earlier, but Ray Schneider from CE and the
CE owners group is here, as well, as part of the industry
presentation, and he will also be involved in the
initiatives presentation.
I wanted to spend a few minutes and just talk about
-- I think NRC gave a version of their vision in the last
presentation, of where we can ultimately go with tech specs,
and I'd like to give industry's version of that vision,
which I don't think is that fundamentally different, and
also offer that we've already done much of the ground work
for accomplishing that in the work we've put into the
maintenance rule over the last couple of years.
As you know, tech specs has a number of functions,
but one of the predominant functions and the one that we
really discuss in terms of risk-informing tech specs, making
improvements, is plant configuration control, and there has
been a long evolution of configuration control requirements
over the years, starting with the custom tech specs,
standard tech specs, NUMARC 91-06 which is shut-down
configuration management guidance which was issued about --
nearly 10 years ago now, and then we have had the ITS
approved standard tech specs that are still a work in
progress and continually evolving.
There are actually hundreds of proposed changes in
the pipeline to those, and over the last couple of years, we
have had some success with risk-informed line item
improvements.
Those are AOT extensions and other types of
improvements on a plant-specific basis, and then the most
significantly, I think, later this year, fall of this year,
final rule-making to the maintenance rule will be
implemented, 50.65(a)(4), which establishes a regulatory
requirement to assess and manage risk resulting from
maintenance activities, which essentially incur just about
all of the equipment unavailabilities that we deal with in
tech spec space.
I might also mention that we spent the better part
of last year working with the NRC staff to develop
regulatory guidance to implement 50.65(a)(4).
That will be issued in the form, I believe, as
Reg. Guide 1.182, soon to be a final reg. guide that will
endorse the industry guidance without exception.
There is a significant opportunity before the
industry now to begin work to comport tech specs and the new
(a)(4) requirement. When I say it presents a conflict with
existing tech specs, I'll talk a little more about what I
mean by that.
The industry's goal, then, is to effect regulatory
changes that can make tech specs and (a)(4) complementary.
That doesn't necessarily mean that there would be no tech
spec or that the -- there may be ways to pragmatically
address the scope of the -- and content of the existing tech
specs to make it compatible with (a)(4), and I'll talk a
little more about what we think are ways we can do that.
We have identified this to the Commission. We had
a Commission briefing a couple of weeks ago. This is a
major industry priority for risk-informed regulation, and we
want to proceed on a parallel path with the Option 2 and 3
activities and really make this -- break this out as a
separate activity, because we do think there is a fairly
near-term benefit to be had.
I mentioned the (a)(4) requirement is to assess
and manage risk resulting from maintenance activities.
Another change to the maintenance rule makes it explicitly
applicable to on-line and shut-down configuration
management. That's another change that was made to the
rule.
In reality, the (a)(4) approach, which is a
risk-informed approach, is much better at addressing the
multiple component outages the tech specs endeavor to
address. The scope and process of (a)(4) are risk-informed.
You're looking at a larger scope of components in the plant
in terms of determining the risk impact and what you're
taking out of service in relation to what's already out of
service or what will be coming out of service.
Scope and process of tech specs are deterministic;
that is, you're basically limited to the scope of components
that contribute to the design basis accident mitigation, and
the process is basically there trying to ensure that you can
meet your design basis. It's not really looking at other
risk impacts that may result from your configuration
control.
CHAIRMAN SIEBER: So, are you suggesting you would
expand the tech specs and generalize them to include more
components as risk significant?
MR. BRADLEY: I'll talk about that.
As you know, 50.36, which is the tech spec rule,
already -- Criteria 4 of that rule already allows that the
tech specs can include in their scope the existing tech
specs, SSCs that are risk significant, even though they
don't contribute to the design basis, but generally, I think
most of the tech specs that are out there -- you don't see a
lot of that right now.
But let me try to get to that question.
The (a)(4) guidance -- some of this is pertinent
to what we discussed this morning. It does address both the
risk spike, the temporary increase in the CDF or the LERF,
as well as the aggregate impact, and the overall objective
of (a)(4) which we articulate in the guidance is to manage
the risk so that, in incurring on-line maintenance and
equipment unavailabilities, you're not changing your
baseline risk; that is, from year one to year two, there
shouldn't be a significant or greater than insignificant
delta in the risk of the plant.
What we get into is that we're essentially, in
terms of configuration control, once (a)(4) becomes
effective later this year, essentially there is a dual
regulatory regime that will be in place, because you'll have
to meet the tech specs as well as (a)(4).
The staff included in Reg. Guide 1.182 an explicit
allowance that you still must meet tech specs, which is
probably a good idea, because there may be some confusion
once we have these two things in place, but it's not
unlikely that you will get into situations where your tech
spec AOT may -- it might be seven days, but when you do an
(a)(4) evaluation, looking at the other things you have out
of service, that tech specs may not even be covering, you
will find that, you know, a three-day AOT is really a more
risk-appropriate thing to be doing, and of course, you could
have the other way around, too, where you may have a short
AOT in tech specs, but if you look at the (a)(4) evaluation,
you would be allowed a very -- a longer AOT.
So, there will be many situations, once this rule
comes into place, where you're going to be limited,
basically, to the more conservative of the two.
50.65(a)(4) doesn't address all the components of
tech specs, but it does address some of the major issues
relative to configuration control; that is, AOTs, mode
changes, and end states.
The PRA subcommittees already looked at the (a)(4)
guidance, and you're familiar with it, but it does require
risk management actions as a function of the result of your
assessment, and those can -- and it also treats emergent
conditions, which can include mode changes, new equipment
going out of service.
It also can really get at end states, because the
risk management actions may include mode changes to take you
to a safer configuration, and again, that end state might be
different from what tech specs would tell you to go to.
So, really, all these things are what constitute
the action requirements of tech specs.
There are also a number of things in tech specs
that aren't addressed -- safety systems, limiting safety
system settings, even surveillances are really not addressed
by (a)(4) other than the fact that, if you take something
out of service for surveillance, that's another way to incur
unavailability, and there are other aspects of tech specs,
as well.
You have the administrative aspects, power flow
maps, various other things that probably wouldn't change.
CHAIRMAN SIEBER: Are you expecting that, since
(a)(4) -- with an (a)(4) evaluation, you can come up with a
risk number that is -- it's dependent on the outage time,
but it could be longer or shorter than the tech spec allowed
outage time.
Do you anticipate a risk-informed tech spec to
recognize a new configuration and extend the outage time as
a number or to have one written in such a way that you can
do anything you want, depending on whatever the (a)(4)
evaluation comes out to be?
MR. BRADLEY: I think that it would be more the
former.
I think the (a)(4) evaluation is -- and the rule
requirement is assessment and management of risk, and it's
fairly flexible in the actions you can take.
The tech specs are much more specific,
prescriptive, and say, you know, you will shut down the
plant under certain situations, and when I -- our goal would
be to take both those elements and put them together, and I
think it would require more specificity in terms of the risk
management actions.
I'm not suggesting that we could take the existing
(a)(4) guidance and replace tech specs. It would be a
combination of the two.
I'll give you an example of how it might work.
This is just one way it -- there are many ways this could
work. One way it could work is that you could take your
annual unavailability targets for components and make that a
back-stop on an annual basis, and then you could take the
existing tech spec AOT, make that a front stop, and as long
as you're within -- between those two values over the course
of a year and you're managing your risk around the baseline
through that -- that's just one way you could do it.
But basically, it would involve taking elements of
the existing tech specs and (a)(4) and bringing them
together. You know, the more radical ways you could do it
would basically be just to manage, you know, using a safety
monitor approach, just manage such that -- to a certain CDF,
but I'm not -- I think that's a fairly large step, and we're
looking more for a pragmatic kind of evolutionary step here.
CHAIRMAN SIEBER: Well, I'm thinking in terms of
an operator, having been one.
MR. BRADLEY: Yes.
CHAIRMAN SIEBER: An operator is happiest when he
lives in a box and somebody shows him where the edges are
and he says to himself and to his crew this is where we have
to be and these are the things we have to do, as opposed to
getting into this fuzzy boundary kind of thing that says,
well, I'm going to take this analyst who, by the way, might
be off-site or at least outside the fence and not there in
the middle of the night, and he'll tell me how much fuzz I
have to maneuver around in.
I'd be uncomfortable with that.
MR. BRADLEY: I agree with you.
The fundamental purpose of tech specs up to now
has been an operator tool, and you know, I think there are
ways to address that rule.
You're right, and ultimately, the procedures and
the instructions the operators use, I think, can still be
developed to do what you say, to have, you know, the black
line, but you can still make the tech specs, which is part
of your license, more flexible to back that up.
That is something that would have to be
considered. Clearly, you can't just have a tech spec that
says, you know, take some risk -- you know, it leaves the
operator having to determine what that action is. The
operator's burden is big enough already.
CHAIRMAN SIEBER: Even outside the operator's
hands, in the upper levels of management, I think that
moving toward a sort of a sliding scale kind of a license
condition or technical specification is -- for me, it takes
longer to be able to accept it than it would be to be able
to accept analytical analysis that comes up with an answer
and says here we are, this is the box you live in.
MR. BRADLEY: Yeah, but just, you know, recall
that once (a)(4) becomes a rule, the operators and everyone
else making configuration decisions are going to have to
look -- you know, they're going to have to meet (a)(4), not
just tech specs, going forward. That's the predicament.
CHAIRMAN SIEBER: That's correct.
MR. BRADLEY: And that's why we need to do what I
am discussing here today, as it could lead to -- you know,
the operator is not only going to have to worry about tech
specs, he's going to have to worry about the (a)(4) piece of
configuration control.
CHAIRMAN SIEBER: I think an operator can live in
two boxes, one smaller than the other one.
MR. BRADLEY: As you're aware -- I think we've
presented these before, but there are seven initiatives now
underway to basically risk-inform elements of tech specs,
the existing ITS, and some of these are going to get
discussed today.
The point is that the seven initiatives basically
represent an incremental step toward what I'm discussing in
making (a)(4) and tech specs compatible, and the -- in my
view, as we move forward with these initiatives, we've got
to make the (a)(4) process integral to the way these tech
spec initiatives would work.
I want to give you an example, Initiative 2,
missed surveillance.
Okay.
You're managing the configuration of the plant,
you're taking things in and out of service, and then you
discover that you've missed a surveillance.
Okay.
Now, the right way to treat that is to roll that
into your ongoing configuration management program, like any
other emergent condition. It's like a piece of equipment
going out of service. It's something you now have to take
into account, okay, do I want to take the other train out of
service knowing that I've missed this? Those are the kinds
of things you have to address, and the (a)(4) guidance
directly gets at that.
It talks about, before you take a train out of
service, you've got to look at the other -- you know, not
only at the CDP and ICDP and the integrated, you know,
aggregate risk and everything else, but you've got to look
at the other -- you know, is there something about the other
train that would tell me I shouldn't be taking this train
out of service, and this is just one example of a thing
you'd look at, is, well, gee, I missed the surveillance on
this, so I have some higher level of uncertainty about its
performance.
But this is just an example of how the types of
initiatives we're working on fit right into the (a)(4)
framework, and you can make the same kind of argument for
mode changes, outage times, and some of the others, 303.
CHAIRMAN SIEBER: Okay. And today we're going to
look at numbers 2 and 3.
MR. BRADLEY: Right.
I think Scott mentioned earlier that NRC was
looking at their structure internally and how to support
tech specs and these initiatives.
Industry has been doing the same thing. We
recognize there are many ongoing activities on tech specs.
We have -- actually, there are about seven NEI task forces
right now that have some relationship to tech specs, and you
get into some interesting issues when we start looking at
risk-informing tech specs, especially if we start looking at
sort of the visionary place we can go to comport tech specs
with (a)(4).
It requires that these activities be integrated as
an industry, so that we're not -- tech specs represent --
license change requests represent a significant chunk of
NRC's resource burden, as well as the industry's, and we may
be able to obviate some of the incremental types of changes
we've been making by adapting -- adopting these more
risk-informed-type changes, driving toward an (a)(4)-type
approach.
So, there is going to be a new executive-level
working group at NEI, tech spec working group. Our intent
here is not to just encumber the bureaucracy by adding
another layer, you know, to all the layers we've got
already, but it's a coordination function, and it's a
function to look at how do we coordinate the big picture
change of moving toward (a)(4) with all the existing
activities we have going on.
Initiative 4, which is AOTs -- as you know,
there's a 4(a) and 4(b). 4(a) is individual AOTs. 4(b) is
sort of a global way to replace AOTs with an (a)(4)-type
process. That's basically the first initiative, I think,
that the working group that we're forming will want to
really get their hands around and look at how do we go about
that.
The thing I mentioned earlier about the front stop
and back stop -- that's just one of many ways you could
actually effect that type of change, and the -- so, we will
be looking at that, and the working group's mission will be
to try to bring tech specs and (a)(4) into some -- at least
so they're not inconsistent in the future.
I will say, I guess, with regard to some of the
slides that NRC just presented, the issue of PRA quality is
clearly an issue for being able to do this, and I do want to
mention again that we're not suggesting that the existing
(a)(4) guidance as it stands would be adequate once we went
forward to replace or move into a single configuration
control approach with tech specs.
Whether you would need full quantification of
things such as shut-down and transition risk, I think, is a
function of how you set up back stops.
If you go to a fully risk-informed approach where
there really are no back stops, then you might have a pretty
strong argument to do that, but there may be more pragmatic
ways to do that, to use PRAs along with qualitative insights
and establish back stops to address that.
That's basically the way (a)(4) works now. You do
have to have an internal events and a simplified Level 2,
but in terms of having to quantify everything, that may not
really be necessary, depending on how you do this.
So, those are just some thoughts, and this is
something NEI and the industry are going to put a major
effort into, starting now and going forward.
We've done a lot of work on Option 2 and 3 of
regulatory reform, and the more we look at it, we think this
piece has more potential benefit and is more do-able in
terms of -- there's a success path there that we think we
and the staff can work to -- really, than some of the other
elements of regulatory reform.
So, we want to break this off in a parallel path
and move forward with it.
DR. APOSTOLAKIS: Let me understand here. I don't
remember the staff referring to (a)(4) earlier. Am I
missing something here? Do you disagree?
MR. DENNIG: Not at all. In our last presentation
to your group, I believe we talked about part of what we
understood we were heading for was bringing (a)(4) machinery
and approach into -- what was your word, Biff? -- to comport
with technical specifications.
We recognize the dual regulatory scheme, the
potential for collisions, and from an operator's standpoint,
it would be a lot easier to have one approach, one set of
books, one way of doing things, and so, we did -- I think if
we look back at the transcript -- brought up (a)(4) at that
time, and we have briefed that idea to our own senior
management and gotten -- you know, that sounds reasonable
thing to do approach.
So, we're in basic agreement, but we did realize
that the industry presentation today was going to spend time
on (a)(4), and rather than us talk about (a)(4) and have
them talk about (a)(4) and you hear (a)(4), (a)(4), (a)(4),
we just kind of broke it up this way.
DR. APOSTOLAKIS: So, what you call next step,
technical specification configuration control elements
globally replaced by (a)(4)-type evaluation -- maybe you
said that and I missed it, but this would give much more
flexibility to the licensee, would it not, to manage the
configuration?
MR. BRADLEY: Yes. It would give flexibility,
although as I said earlier, we recognize there would have to
be some rigor in the approach that probably goes beyond
what's in (a)(4) now.
DR. APOSTOLAKIS: Okay.
MR. BRADLEY: For instance, right now, plant
shutdown is just one of about 20 risk-management actions we
have in (a)(4).
There are all kinds of other things you can do,
and I think, right now, (a)(4) sort of gives the licensee
flexibility to pick and choose those, as long as he can show
he's managing risk, temporary and aggregate risk, but to go
to a tech spec -- replace tech specs, you would probably
have to have more explicit conditions for, you know, when
you have to invoke those certain actions.
CHAIRMAN SIEBER: Well, but then you get yourself
to the situation you have to invoke (a)(4) for every
maintenance activity that involves safety-related equipment.
MR. BRADLEY: It's not just safety-related; it's
the whole scope of your PSA.
CHAIRMAN SIEBER: Or important to safety or
whatever the term is.
On the other hand, my impression of what I know
about (a)(4) and how it will be implemented is that -- and I
think I recall this from one of our meetings -- is that the
tools don't exist for some sub-components to adequately
evaluate risk, and if that's the case, this is where the
reliance on expert panels comes in, okay, and it seems to me
that, if you replace the tech spec requirements with an
(a)(4)-type evaluation, there is the opportunity to move
away from the analytical approach which I would think is
what's necessary to support the rule, the tech spec rule,
and move into this sort of judgmental expert panel.
You know, this is what I call the fuzz, okay? And
I don't -- if I have the wrong impression, please tell me
what the right way is.
MR. BRADLEY: (a)(4) doesn't -- there is nothing
in (a)(4) about the use of an expert panel.
There's an expert panel you use in the maintenance
rule to do your initial categorization of components, but
(a)(4) itself doesn't defer to, you know, some expert panel
to make the judgement on what's the risk management action
you take.
It establishes the ground rules for how you can
quantitatively -- and you also have to have a qualitative
element, because it's addressing shutdown -- it's addressing
areas that most plants don't have models for, but it
basically has how you do that, how you do the quantitative
or qualitative approach, so it really is analytical.
CHAIRMAN SIEBER: Yeah. On the other hand -- and
it was just part of your answer -- a lot of plants don't
have the analytical tools in their transients or in
shutdown. So, in the sum of it, it has to go to some kind
of expert or manager decision.
MR. BRADLEY: This really goes back to what I said
earlier on the question of how complete a PRA you need to do
this, and I think it's an open question, but my belief is
that shutdown management -- it's possible to do that
qualitatively in a very risk-informed way, by preserving the
key safety shutdown functions with an adequate degree of
defense-in-depth, and you don't necessarily have to quantify
your entire, you know, outage, which is a relatively
difficult thing in itself, to do that.
We're managing shutdown risk today under 91-06
very effectively through quantitative approaches.
So, clearly -- I mean, you know, I'm not trying to
say we're going to do this with some half-baked PSA, but
whether you need to have quantitative -- and even when we
start talking about these seven initiatives, I think you'll
see that there are many things you can do without
quantitative information.
You know, missed surveillance is a great example.
You know, you don't have to do a lot of quantification to
know that shutting the plant down because you missed a
surveillance is generally not going to be a risk-smart thing
to do.
Of course, it may get tougher once we get into the
whole ball of wax, but you know, it's just a matter of
determining what's the appropriate level, and you know, we
have to do that work.
MR. NEWBERRY: Maybe I could add a thought.
When we talk about, you know, the fuzziness of
going to the component level, really, if you look at the
tech spec, they're really at the train level.
So, you might have a component and you have to get
into sometime seeing what supports what, etcetera, before
you can get to that train-level approach.
CHAIRMAN SIEBER: On the other hand, a tech spec
requirement that's placed on a train says that all the
components necessary for that train to operate have to be
operable.
MR. NEWBERRY: That's right. And, say, if a fault
tree is modeled to the component level but the top event is
the train, then you're comporting, if you will.
CHAIRMAN SIEBER: Yes, sir.
MR. BRADLEY: Rick Hill -- unless there are
any more questions for me, I was going to turn it over to
Rick.
CHAIRMAN SIEBER: Yeah, I think that would be
great.
MR. BRADLEY: He's just going to give the PWR
owners group perspective on the activity.
CHAIRMAN SIEBER: Okay.
MR. HILL: Good morning. I'm Rick Hill with GE,
and I'm the Project Manager for our risk-informed tech spec
activity.
I noticed from the agenda that you have
Initiatives 2 and 3 split out, but with your permission, I'd
like to address the BWR owners group perspective at one time
--
CHAIRMAN SIEBER: On both of them?
MR. HILL: -- on both of them, yes.
CHAIRMAN SIEBER: Okay. That will be fine.
MR. HILL: There was some history provided earlier
about tech specs.
The BWR owners group is a relative late-comer for
the owners groups into the risk-informed tech spec arena.
We had gone through in the middle '80s a very extensive
reliability-based tech spec program where revisions were
approved and made by the utilities, and as a result, there
was some reluctance to want to get involved in further
looking at the tech specs due to the resources that would be
required, but we have joined in with the rest of the
industry, at least at this point in time, and as we've seen
the NRC's vision and NEI's vision or industry's vision --
everybody needs a vision -- our vision is stated in this
slide, basically, and what we consider the purpose of the
committee that we have involved here, and that's to enhance
the tech specs so that they reflect the safety significance
of the condition or the requirement and thereby gain
operational flexibility.
I note that it's a generic committee. That means
all of the BWR owners are participating in this particular
activity, as opposed to just a subgroup.
We are actively pursuing these three initiatives
out of the seven, and I should actually say that we're
actively pursuing one, Initiative 1. That's where all of
our resources have been put into for the early part of this
year.
Initiatives 2 and 3 -- we are supporting the
industry by trying to provide information that is needed for
approval by the NRC, but we're not doing any specific work.
That's one of the reasons why I want to bring in both
Initiatives 2 and 3 and mention Initiative 1.
Initiative 1 is basically our perspective
formulated to test the risk-informed process on an
analytical-type basis. As a result, we have committed and
we are in the process and nearly finished with building a
BWR/4 transition risk model. It's our hope that, when we
finish that transition risk model, it will be generic for
all BWR/4's, we'll be able to use sensitivity analysis for
BWR/2's and 3's, as well as 5's and 6's, to cover their
needs.
That model that we're developing is fairly
sophisticated for the needs of Initiative 1, but we believe
that further initiatives that the industry will have and
that we will have ourselves will need that sophistication,
and so, we're building it in at this particular time.
Initiatives 2 and 3 -- as I said, we're in the
process of supporting that.
We do support the draft of the TSTF that will be
talked about later, I'm sure, by Mr. Hoffman, where the risk
evaluations will be done on all surveillances that are
missed and delayed greater than 24 hours.
Initiative 3 -- we're supporting that in the sense
that we do not have a generic approach to it. You'll
probably hear later that there is a -- Combustion
Engineering plants have a generic approach to it that will
fit all of their plants.
Since we do not have our model complete, we are
not able to analyze the -- quantitatively the effect on the
plants, and so, each plant will use that on a case-by-case
basis, if needed.
What's in it for us? What are the opportunities?
Why are we doing this? And I think we've heard a lot of
this already, but certainly improved decisions in favor of
safety, and I've listed a few reasons here, in avoiding the
transition risk of plant shutdowns when you have
configuration changes for non-safety significant problems,
as well as missed surveillances force urgent plant
shutdowns.
In some cases, when it's appropriate, longer AOTs
for repairs, focus on safety significant systems,
structures, and components, and on the next view-graph here,
mentioned improved decisions on safety when multiple
components or LCOs are impacted.
We believe that all of these things work in favor
of safety.
It also will help reduce the burden both on the
NRC and the utilities as far as less paperwork, NOEDs,
start-up delays.
Those kinds of things will be certainly to our
benefit, but as with anything, there's a cost. What are the
challenges? What are the things that we're nervous about in
proceeding down this path?
Since Initiative 1 for BWRs is not as beneficial
as it is PWRs -- and I start that sentence with "since," as
if you already knew it, but it's fairly obvious that staying
in a hot shutdown condition for a BWR is not as easy as
staying in a hot shutdown condition for a PWR.
If you're in that condition too long, we might as
well just go to cold shutdown. So, there is not a large
benefit in that for us.
There would be some, we hope, but we would prefer
to have this as a stepping stone to look at staying in a hot
standby-type condition if it is justified, remaining in a
Mode 2-type condition versus Mode 3.
That's a challenge. That's not on the drawing
boards at this time.
Will the BWR/4 model plus sensitivity analysis be
sufficient, or will we have to develop generic models for
each of the plant types?
Will each utility have to develop their own model?
This is a significant impact on utility resources since most
of their PRA people are very busy right now with a
significance determination process, they are busy with
(a)(4), and many plants will not want to develop their own
model. Some may.
Will sufficient progress be made in the near term
so that, when our executives meet in May, we'll be
authorized to continue working, and that's not an
inconsequential concept, since I started off the discussion
by mentioning that we were reluctant to get in in the first
place, and we may be not very reluctant to get out if we
don't see that the expenditure of resources on the models
and where we're headed -- if it's fraught with more
difficulties than it is opportunities.
But in summary, we try to look on the optimistic
side and say that we see a window of opportunity here where
we can increase overall plant safety, we can reduce
regulatory burden, and hopefully reduce the cost of doing
the correct thing for non-risk-significant issues.
That concludes what I have to say for the BWR
owners group.
DR. APOSTOLAKIS: How would you measure the
sufficient progress? I don't understand that bullet. It
sounds like a threat to me.
MR. HILL: Well, I would measure the sufficient
progress by whether or not we are funded to continue, and
that's a decision that our owners group executives will make
in May.
DR. APOSTOLAKIS: You have to demonstrate
sufficient progress in order to get --
MR. HILL: I think, in a very practical sense, if
we had an approval to proceed with Initiative 2 by the NRC,
that would certainly signal that there is light at the end
of the tunnel.
MR. BRADLEY: This is the classic low-hanging
fruit issue where, you know, you always prioritize these
things with something that looks easy, at least going in.
MR. HILL: I wasn't intending to make a threat. I
was stating the reality of our situation.
DR. APOSTOLAKIS: And the NRC staff has its own
reality.
CHAIRMAN SIEBER: Your slides six and seven, which
are the reasons why you would want to pursue this -- I don't
disagree with them, but I find them intriguing, because
missed surveillances are usually the fault of people not
doing their job right, in my opinion, and it seems strange
to punish the inanimate object, which is the plant.
People are the ones that made the mistake, but
there was an element that caused a lot of anguish and
hardship because you had to maneuver the plant, go back and
do things, you got delayed, you lost money, which kept
management's attention on not missing surveillances, okay,
and that was, in my day, a big sin, to miss surveillances,
and because you got punished just by your own tech specs.
On the other hand, as we move into a regime where,
gee, it's really not all that bad, you don't have to
maneuver the plant, you can delay it, just look at the risk,
and if the risk is okay, the compulsion to not miss
surveillances dims, and it also worries me, then, that if
you aren't reporting them, it just goes into your corrective
action program, you know, all of a sudden, the motivation
to run absolutely a top-notch plant seems to be dimming, in
my view.
I think, to me, that's a concern.
MR. BRADLEY: The revised oversight process, which
I'm sure all of you are familiar with --
CHAIRMAN SIEBER: Right.
MR. BRADLEY: -- I think will serve as a
significant incentive not to miss surveillances, because if
you miss a surveillance and then you ultimately, when you do
perform it, find out that the equipment has been unavailable
for a lengthy period of time, you will be hammered.
You're going to be in so many white boxes over the
past year, when you go back and take -- on top of all the
configurations you've been in, take this thing out of
service that you didn't -- you know, didn't think was out of
service, that believe me, I don't -- you know, I think
that's -- will be effective.
CHAIRMAN SIEBER: Is that an incentive, then, if
you miss a surveillance, to say, well, I actually have all
this leeway, but I don't want all those white boxes, so I'm
going to do it as soon as I possibly could and maybe
maneuver the plant to do it, to make sure that it's really
operable.
MR. HILL: I would like to try to frame the
concept of the missed surveillance here, and I may be the
least likely in the room to do it, and I think Mr. Hoffman
probably has the data on the missed surveillances, but these
are not things that happen on a routine basis, they happen
on a once-every-few-years basis, and typically they happen
because you made a design change and you've modified the
procedure for doing the surveillance, and when you end up
targeting the surveillance, there's a piece of it that you
probably haven't done in a proper fashion, and it's
something new.
So it's not something that happens on a real
routine basis.
I don't have the numbers at my fingertips, but we
did do an industry survey, looking in the LER database as to
how many missed surveillances there have actually been, and
it's astounding how small they are.
CHAIRMAN SIEBER: Thank you.
Are we ready to move on?
MR. BRADLEY: I believe the next thing on the
agenda is a break.
CHAIRMAN SIEBER: Is that it? Okay.
Why don't we take a break? Actually, we're on
time. Why don't we come back at 10:30?
[Recess.]
CHAIRMAN SIEBER: The meeting is now back in
session, and I'd like to ask Biff Bradley to introduce the
remainder of the industry speakers.
MR. BRADLEY: We're going to start -- at the table
with me now, I have Don Hoffman from Etcel Services and Ray
Schneider from ABB/CE, and the way we'd like to work this is
Don is going to talk a little bit about the situations with
the current tech specs that led to the need for these
initiatives and some of the background as to -- that led to
their development.
Actually, these types of things have been in the
works even before they took on the risk-informed name-plate,
and then I'm going to talk just a little bit about the basis
for the Initiative 2 on missed surveillances, and then Ray
Schneider is going to do likewise and talk about the risk
analysis and how you do that work for Initiative 3 on mode
restraints.
So, I'll go ahead and turn it over to Don at this
point.
MR. HOFFMAN: This first slide -- I will just
indicate which package I'm going to be speaking from, which
is set up, as you can see, for us to discuss both
Initiatives 2 and 3, which as Biff indicated, I'll discuss
portions of 2 and then come back to 3, and we'll do them
separately, as indicated.
The reason I have the opportunity to speak to you
today is I'm the Technical Coordinator for the Technical
Specification Task Force, which is the group of all the four
owners groups which has currently developed the ITS, the
improved technical specification NUREGs, and all the changes
thereto, working with the NRC and all of its branches with
developing Revision 1 and, now very soon, Revision 2.
So, we've been working very diligently in a lot of
the deterministic aspects and, to some extent, actually
broaching into some risk-informed aspects of the technical
specifications, acknowledging that it's very hard to keep
them separate as much as sometimes we want to, and in doing
that, we've been addressing AOTs and other activities, as
Biff indicated.
That is what led to -- when we first began
discovering or deciding which initiatives would be
appropriate initiatives for us to begin with in the
risk-informed arena, we selected the initial seven that you
see before you, or that you had discussed, at least, earlier
this morning.
The Initiatives 2 and 3 that we're going to be
discussing during the course of the morning and the early
part of the afternoon were the two initiatives that we felt
would -- were ones that were -- should be simpler to do.
They were more policy issues, if you will, than
hard-and-fast risk-informed issues.
We believe they would require the least amount of
risk insight to justify their approval, and with that in
mind, we considered all these initiatives in the aggregate,
in considering what we were doing in the deterministic space
and what we were doing in the overall risk space.
One of the comments I heard this morning -- I want
to make clear it is not our intent to change the definition
of operability but only to change some of the tools utilized
around it to determine the best course of action when we
have levels of degradation.
But we are in total agreement with you. It's our
intent to structure these such that the tech spec
requirements are expected in all cases to be met.
One of the comments that were made at the end of
this morning's session that I would like to address is the
issue of the number of times that we have actually missed
surveillances before I go into it.
As was stated this morning, we did a review of the
LER database from 1995 to 1998, and we discovered there were
11,393 LERs that were associated with these kinds of
activities -- sorry -- only a total of 11,393 LERs. Of
that, 170 were related to missed surveillances.
Of that 170, we discovered that there were only 12
cases where, once the surveillance that had been missed was
subsequently performed, that the surveillance failed, and in
all of those 12 cases, the subsequent failure was due to the
fact that -- one of three things -- either the surveillance
had never been performed before or, two, there was a design
change that was not aware of when the surveillance was
subsequently performed or, three, there was an inappropriate
procedure that was utilized.
DR. BARTON: It sounds like I shouldn't do any
surveillances, because the more I do, the more I fail, but I
don't do them, I don't fail them. That's what that sounds
like, to me. I've failed more surveillances doing them than
this history shows you have failed by not doing them,
whatever that means.
MR. HOFFMAN: What that means, sir, is that --
what we believe that means is that the NRC and the industry
determined in the middle '80s that the greatest likelihood
of performing a surveillance is that a surveillance is going
to do nothing more than confirm operability or actually be
passed when performed.
That has been the greatest likelihood when we've
gone back and done the evaluation.
Nonetheless, there are, obviously, surveillances
that are failed when initially performed within their
specified frequency, for a number of different reasons, and
I'm sure you're very familiar with those, sir.
CHAIRMAN SIEBER: It also seems as though, in
those instances that you cite, that there's a breakdown in
some other program.
For example, if you do a design change and fail to
adjust the surveillance procedures to reflect that design
change, then there's something wrong with your design
change, or if you have an inappropriate procedure, how can
you do a surveillance year after year after year with an
inadequate procedure?
I think most tech specs require procedure reviews
by somebody every three years or thereabouts.
DR. BARTON: Annual reviews.
CHAIRMAN SIEBER: You know, there's breakdowns in
programs that cause these kinds of things to happen.
MR. HOFFMAN: Absolutely, sir, and I do want to
clarify that the portion of the surveillances, the 12 again,
only 12 of the 170 that failed -- when I say due to
programmatic issues, there were the fact -- well, you're
certainly aware that the NRC sent out Generic Letter 96-01
which required the industry to go back and evaluate the
performance of surveillances with regard to ECCS and other
instrumentation systems, because they determined that, in
some cases, some of the surveillances were inadequate to
address all of the contacts, components, and relays, and in
some of these cases -- in three, to be exact -- the reason
those surveillances failed were not because what they tested
didn't pass but that they did not test all of the things
they should have tested, and that constituted a failure on
the part of the complete surveillance.
So, there are a multitude of issues here that
really address what we constituted or packaged as failure,
these 12.
CHAIRMAN SIEBER: Do you have any data that shows
whether the equipment was not functional because of the
failed surveillance?
MR. HOFFMAN: When we went back to these 12, in
every one of these cases except two, the equipment would
have still performed its intended safety function. There
were only two in which there was a portion of it because of
the failure that they would not have had a sufficient pump
flow or the valve would not have stroked in the time it was
required to, sir.
CHAIRMAN SIEBER: Okay.
So, basically what you're saying, it was
inoperable but functional in 10 out of 12 cases.
MR. HOFFMAN: Yes, sir. In fact, you'll notice
that we have an Initiative 7 which addresses inoperable but
functional.
CHAIRMAN SIEBER: We'd rather not deal with that
today.
MR. HOFFMAN: I understand, sir.
CHAIRMAN SIEBER: But I did read it.
MR. HOFFMAN: What I wanted to do was just to go
back a little bit and start back with how we came to the
conclusion that we needed to make some changes to SR 3.0.3,
which subsequently became Initiative 2 and is what we call
TSTF 358, which is a numbering system we utilize for generic
changes made to the improved technical specification NUREGs.
As most of you know, the standard technical
specifications which were developed in the mid-1970s
established 3.0 and 4.0 requirements that were generic
requirements that applied throughout and they were more
appropriate to be discussed at the front of the technical
specifications rather than repeated in each individual LCO.
This SR 3.0.3 change was previously called 4.0.3.
With the change to the improved technical specifications,
there were a number of numbering changes. This is one of
them.
The 4.0.3, now SR 3.0.3, initially required all
LCOs to be met by performance of surveillances prior to
entering into the mode of applicability of the LCO, which
meant that if you did not perform the surveillances in that
specified interval, then the LCO was to be declared not met
and the SRs were then to be performed subsequently, but at
the time equal zero, upon discovery that you did not perform
the surveillance, the LCO was to be declared not met and you
would enter into its action statement and to take whatever
the appropriate actions were.
In 1987, the NRC issued Generic Letter 87-09.
Generic Letter 87-09 was issued with working with the
industry and the NRC addressing a number of different issues
that they felt had become overly conservative over the
years.
One of these was SR 3.0.3, which was where we
determined -- you, the NRC, and the industry -- that it was
overly conservative to require a shutdown or some other
punitive action from missed surveillance requirements,
because the greatest likelihood when you performed a
surveillance requirement, is that operability would be
demonstrated or confirmed, and that was as a result of a
great deal of evaluation and doing data gathering on the
part of the industry and the NRC.
At that time, the NRC determined that 24 hours
seemed an appropriate timeframe, but during that 24 hours,
in Generic Letter 87-09, you were required to declare the
LCO not met, and you just were not taking its required
actions during that period of time.
When we came to the improved technical
specifications in the late 1980s and early 1990s, we
developed Revision 011, and now we're working on Revision 2.
We actually did some enhancement and improvement to SR 3.0.3,
where we allowed the delaying of declaring the LCO not met
when we missed a surveillance.
Because of the information that had been gathered,
because we had determined that the greatest likelihood is
that a surveillance would be passed and satisfied
operability when performed, we made the determination that
we should be able to delay declaring the LCO not met and
that, at the end of that 24 hours, we must have performed
one of the three following things:
Either, one, we performed the surveillance and it
passed or, two, we performed the surveillance and it failed,
and at the time of its failure, we then declared the LCO not
met and took its actions, regardless of when during that
24-hour timeframe that may have occurred, or three, at the
end of the 24 hours, if we've done nothing, then we declare
the LCO not met.
That determination was utilized up through and
including all the ITS through Revision 1.
When it came time for us to evaluate and look at
some of the initiatives I said for the risk-informed
technical specifications, this initiative became one because
we were realizing that there were several plants who had to
ask for regulatory relief because they had missed
surveillances, albeit on a very unusual situation, on a very
-- when I say a very minor situation, as far as the number
of times, it did occur, and in many cases, if not all cases,
we continued to discover that the surveillance was passed
when performed, and yet, the particular surveillances where,
if we missed them, we had to change the mode of the plant or
the condition of the operating plant to perform them, that
we determined, in many cases, we thought there would be more
risk during the transition or more impact to the plant to
take it to another condition to perform the surveillance
than to take other compensatory measures.
So, the Initiative 2 that we have before you in
TSTF 358 was to propose to allow the surveillance interval
to be 24 hours or up to the next interval, whichever is
longer.
Now, the first reaction would be, well, gee, if I
have a one that's established on a refueling interval, then
I could go to the next refueling interval, and it's
established from a regulatory standpoint, yes, that's true.
However, there are a number of things in this TSTF
which would preclude that from occurring unless it was an
absolute necessity.
First, it would be required to be performed at the
next reasonable opportunity and that there would have to be
an evaluation by management, and we're going to come to some
of the risk insights that would be utilized for that, to
evaluate the acceptability of, one, not performing the
surveillance within that 24 hours, and that evaluation would
have to include the impact on plant risk, the impact of,
one, performing the SR and what kind of conditions we may
have to establish and, two, the impact of not performing the
SR.
It would have to evaluate the analysis assumptions
with regard to the overall systems, what other things were
inoperable, what was the condition of the plant with regard
to meeting the assumptions of the safety analysis.
It would have to evaluate the current unit
conditions, the planning, the availability of personnel, and
obviously the time to perform the surveillance requirement.
So, those are the types of things, in addition to
the risk insights that you're going to hear shortly, that we
established would be required by each plant, utilizing this
flexibility, to evaluate.
The issue this actually addresses is it reduces
the need for regulatory relief for those SRs which require,
as I said, a change to the actual mode or condition of plant
to perform the surveillance.
As you also heard earlier, these missed SRs would
be put into the corrective action program, and as I heard
discussed earlier this morning, we feel that, because of the
corrective action program, maintenance rule (a)(4), and the
new reactor oversight process, that there is an incentive to
perform these in the specified interval, on the specified
frequency, and do so appropriately.
We expect that these will be an exception, not the
rule. We believe that the greatest likelihood, as has been
demonstrated, that it will be demonstrated -- the system
test, it will be demonstrated operable, and since we are
performing a risk evaluation for all those extended beyond
the 24 hours -- and you're going to hear that that could be
a portion of a qualitative or quantitative -- that we feel
that there will be appropriate evaluation to establish the
acceptability thereof.
This slide just only indicates some of the things
that I've already discussed with you.
DR. BONACA: I have a question.
MR. HOFFMAN: Certainly, sir.
DR. BONACA: I completely support the thought
process behind this, but the question I have is regarding
the delay period to the surveillance frequency interval.
What, for example -- one could have proposed to the next
surveillance frequency interval or the next shutdown,
whichever comes first, okay, which gives an intent of doing
it as fast as possible.
Now, clearly, in many cases, the surveillance
frequency may be shorter than the next outage, and that's
fine.
In some cases, however, you may have an outage,
and that would at least put some sense of urgency, you know,
management, for doing it.
Now, that outage may be the next outage, I agree
with that, may be the refueling outage, but still, you know,
just going in with a surveillance frequency interval -- it
gives a different kind of message.
It gives a message almost that surveillance is not
important; you can go for two terms, you know, the time
element is not important.
MR. HOFFMAN: Certainly, sir.
We considered that.
It was not our intent to give rise to anyone to
think that the surveillances were not important, and we
actually considered putting in a timeframe "or the next
shutdown," but as you stated, recognizing that many of the
surveillances have shorter intervals than the next shutdown,
we didn't want to give rise to something that was due in the
next 92 days that they could take to the next shutdown,
which may be 120 days, to perform it. Hence, that's why we
established the next frequency.
For the very ones I believe you're speaking to,
which are the ones that would require you to be in a
condition of shutdown to perform that surveillance, we
established they would be required to be performed at the
reasonable opportunity, such that the next shutdown, when
you were in a condition to perform the surveillance, would
be deemed in all cases, in our opinion, based on our
establishment of the criteria, to be the next reasonable
opportunity, so that if I missed a surveillance and
discovered, let's say, one month after I started up and the
next time I'm supposed to perform it is 18 months and I shut
down two months from now and I'm in a condition to perform
that surveillance, that may be the first reasonable
opportunity, but that's absolutely the longest I would be
allowed to not perform that surveillance.
DR. BARTON: What do you mean "in a condition"?
MR. HOFFMAN: The plant condition. The condition
of the plant may be required -- certain of these
surveillances, as I'm sure you're well aware, require the
plant to be in a condition other than -- that you cannot do
in an operating condition --
DR. BARTON: Right.
MR. HOFFMAN: -- because of the impact on all the
other systems.
DR. BARTON: So, in shutdown, in a forced outage
that I can come back from in two days and the surveillance
that I missed takes two days to do and it requires going in
the drywell, but yet, the thing that caused me to go down
does not require me to be inert and go in the drywell, now
what do we do?
MR. HOFFMAN: Absolutely. I knew you'd ask that
question, sir.
We talked to the plants when we were developing
this and stated that, if there was a determination by a
plant that they felt that they could not perform the
surveillance, that was not the first reasonable opportunity,
then they would have to justify through management
evaluation of the acceptability to go ahead and delay that
surveillance even further.
DR. BARTON: But you already gave me the okay to
go 24 months.
MR. HOFFMAN: I gave you the okay to go to the
next frequency, providing you did an evaluation of the
acceptability of going to the next frequency and that you
performed it at the next reasonable opportunity and that the
next reasonable opportunity included one of those things,
sir, of the plant conditions available to perform that
surveillance, which would mean that in order for me as a
plant to explain to myself, to my management, or to you, the
NRC, that I had made the appropriate determination, I would
have to be able to justify not performing that surveillance,
not taking the additional time during that forced outage to
enter that drywell to perform that surveillance.
There may very well be extenuating circumstances
and information I could bring to bear to do that.
DR. SHACK: Would it make a difference if you
changed the wording to say 24 hours or longer, or at the
next opportunity, and then put a statement that said
absolutely no longer than the next surveillance frequency
interval?
That would seem to me to put the emphasis in the
right place but wouldn't change anything.
MR. HOFFMAN: We evaluated some aspect of that.
The reason we were concerned -- and I hear what you're
saying -- about establishing in the tech spec itself
reasonable opportunity but no later than is that we wanted
them to be a little more explicit, at the very latest,
because obviously tech specs are prescriptive and supposed
to give you an establishment, if you will, of timeframes.
So, we wanted the tech spec requirement to be no
later than the next surveillance interval but certainly at
the very next opportunity.
We could restructure the words, possibly, to make
it more clear, or at least the bases and the justification
to enhance the rationale.
We're certainly open to improvements that will
enable you to feel comfortable with the process we believe
we're following.
CHAIRMAN SIEBER: I think it would be better if
you folks and the staff worked out the words, rather than
have this committee do that.
MR. HOFFMAN: Yes, sir.
CHAIRMAN SIEBER: That's, to me, more of a process
issue than a technical issue.
MR. HOFFMAN: I certainly understand your concern,
and I believe that we could do some things at least on the
bases and the justification to further address that, sir.
DR. BONACA: I have another question.
MR. HOFFMAN: Yes, sir.
DR. BONACA: The 24 hours -- it's meaningful in
the current tech specs.
MR. HOFFMAN: Yes.
DR. BONACA: The two end points compete.
Twenty-four hours is not meaningful in the new tech spec,
because you know, you say, you know, 24 hours or the next
refueling outage, whichever comes after. Why do you need to
retain the 24 hours?
MR. HOFFMAN: The reason we chose to retain the 24
hours, sir, was for it to be a break point at which point we
did the risk evaluation of not performing the surveillance.
In the current tech spec requirements, we're allowed the 24
hours without doing any kind of risk evaluation,
notwithstanding what (a)(4) will require us.
So, if we miss a surveillance and we discover that
and we can set up and perform the surveillance within 24
hours and it passes, we're fine.
So, we maintain that just saying that, okay, at
some point, we have to do a further evaluation of the
acceptability of not having performed that surveillance.
So, we selected the current 24 hours as the break
point, after which we would do a risk evaluation, sir.
DR. BONACA: Can you do it in 24 hours?
MR. HOFFMAN: Excuse me, sir?
DR. BONACA: Can you do that evaluation in 24
hours in all cases?
MR. HOFFMAN: We would have to do the evaluation
if the surveillance was going to be extended beyond 24
hours. The timeframe for the actual --
DR. BONACA: You're making this change to be more
realistic, you know, and the question is can you make a
realistic evaluation in 24 hours. I'm only questioning the
24 hours specifically.
If you have a certain objective for it, then make
sure that it fits the need.
MR. HOFFMAN: Certainly, sir.
At the T equals zero -- once we discover that we
have missed a surveillance, we begin the 24-hour clock. So,
at time equals zero, we discover we've missed the
surveillance, the 24-hour clock begins.
During that 24 hours, we have to make the
determination of a number of different things.
One, can we perform the surveillance?
Two, can we structure everything up, to get
everything set up? What is it going to require? Do we have
to change the plant condition? Can we bring in whatever
needs to be done and, after that, determine, if it's going
to go beyond 24 hours, then we would begin to perform the
risk evaluation.
Now, I can't tell you, in all cases, the risk
evaluation would be completed by the end of that 24-hour
clock.
CHAIRMAN SIEBER: That would just put you in the
action statement.
MR. HOFFMAN: Well, at the end of the 24-hour
clock, yes, sir.
DR. BONACA: I think you should revisit the hour
itself.
I mean the restrictions in the current tech specs
are meaningful.
In the new tech spec, you are changing it to
accommodate certain considerations which make sense.
I think you should look at the other one, too,
because I think you want to make sure that you have a
process by which you can exercise the tools that you need to
perform an evaluation to assess it and to determine, you
know, that, in fact, you can do it without starting a clock.
CHAIRMAN SIEBER: Well, the clock always starts
Friday around seven p.m.
DR. BONACA: That's right.
CHAIRMAN SIEBER: That's just the way the world
works.
On the other hand, if we're in risk-informed tech
specs, we heard this morning that there is a whole
infrastructure of analytical tools, processes, procedures to
be able to accomplish these things and not in back of some
panel in the middle of the night by a couple of guys that
happen to be on-shift.
So, if that expectation is met, then I think you
can perform an adequate risk assessment.
The problem is, does the risk assessment get cut
short or is it less thorough than it should be because you
only have 24 hours to do it, and I can't answer that
question.
MR. BRADLEY: I think that once the -- clearly,
once (a)(4) is effective, you will have the infrastructure
in place, because this won't be any different from any other
emergent condition, you know, that happens on the back shift
or anywhere else, and you're going to have to have both the
normal and the off-normal, you know, procedures there to
deal with that, and I think that, especially for this one,
which is fairly simple, that you could do that in 24 hours.
CHAIRMAN SIEBER: I'm counting on what the staff
told us this morning as being the way it's going to be and,
notwithstanding (a)(4), you know, those tools are going to
be in place, and so, I'm relying on that as saying that this
is okay, and if you're telling us 24 hours is adequate, then
that's okay with me, too.
MR. HOFFMAN: Well, what we're telling you is that
24 hours is the break point, at which point, if we knew it
was going to go beyond 24, we would have to perform a risk
evaluation in addition to the other evaluations that we
would normally perform.
We have not currently restricted the timeframe to
perform the evaluation to 24 hours.
As written, TSTF 358 does not place that
restriction.
We have just stated that we would perform the
evaluation prior to going beyond the 24 hours.
DR. BARTON: You're saying if you can perform it
within the 24 hours, you'd have to perform it?
MR. HOFFMAN: Yes, sir, that's what I'm saying.
I'm saying that, before you would go beyond the 24 hours,
you should know what the impact of doing that is, and as
structured, the TSTF and the associated tech specs and their
bases and all the corresponding information that I believe
the NRC intends to put in their safety evaluation for the
acceptability of 258 for SR 3.0.3 would require those types
of evaluations.
DR. BARTON: If I can perform it, I have to
perform it.
MR. HOFFMAN: Yes, sir, if you can perform it, you
should perform it.
DR. BARTON: You have to perform it.
Let me give you a hypothetical.
This thing happens on a Friday night. In order
to perform this thing, I've got to call in six I&C
technicians and pay them overtime and a meal, etcetera,
etcetera, or slip the surveillance to the next forced outage
or next refueling outage.
You're in a competitive environment. That costs
me money to bring all these guys in to do the thing.
Do I have to do it within the 24 hours if I can
get the I&C techs in there to do it, or because it's an
economic burden on me, I'm going to slip it to the next
convenient time.
MR. HOFFMAN: As we've currently structured TSTF
358, you would not be able to utilize economics as a
justification or rationale for extending the surveillance
requirement.
It does take into place the availability of
personnel such that if you can't perform it because you're
just not physically able to get all the people available to
do so, not because you don't want to pay them overtime or
you don't have to bring them in for lunch but because they
are just not available for whatever reason.
So, you have a very valid point.
DR. BARTON: All I have to do is tell my I&C guys,
if you get called in, refuse the overtime, so I don't have
to do the surveillance. Okay.
CHAIRMAN SIEBER: Well, I don't recall reading
anyplace where it actually said that in the documents that
we got, that the economic incentives are not a factor. Does
it say that someplace?
MR. HOFFMAN: Well, it doesn't say the economic
incentives are not a factor, but the factors that it does
address do not include economic incentives as the types of
evaluations that you utilize to determine that
acceptability.
CHAIRMAN SIEBER: Where do I find that?
MR. HOFFMAN: That's in the actual TSTF 358
package, in the justification part.
DR. KRESS: The risk assessment that you make --
do you assume that piece of equipment that was supposed to
be surveilled is inoperable in the risk assessment, or do you
put in a -- some sort of a reliability or availability?
MR. BRADLEY: There are multiple ways you could do
that.
As a screening measure, you could just look at the
Fussell-Vesely component, which is basically assuming it's
unavailable, and you can screen many things out as being
risk-insignificant in that regard.
You could adjust the failure rate of the component
based on the fact that you missed the surveillance.
DR. KRESS: Based on the fact that you know it's
probably operable.
MR. BRADLEY: Right. So, that would be a good
screen.
DR. KRESS: And you would project that over some
time period --
MR. BRADLEY: Right.
DR. KRESS: -- and have a criteria to say, well,
if that --
DR. APOSTOLAKIS: That's on the basis of at this
time.
CHAIRMAN SIEBER: Instantaneous.
DR. KRESS: Instantaneous.
DR. APOSTOLAKIS: You can't project.
DR. KRESS: But you're going to decide how long to
wait before you make the surveillance.
DR. APOSTOLAKIS: This is a very unreal -- well, I
guess you can take the -- you can assume the equipment is
down, calculate a new CDF, and do what Dr. Moeni says
they're doing at Southern California Edison.
MR. BRADLEY: That's just a screen.
In reality, you're going to have to look at your
actual plant -- I think this is a perfect fit with (a)(4),
because if you're just looking at the -- I mean that's
assuming a static situation, and in reality, you're having
dynamic plant configurations, but this really perfectly fits
the approach of (a)(4), and I think it's the exact same
things you've got to look at.
You've got to look at what you're planning, how
that could be affected by the fact that this is missed and
you've made some assumption about an increased failure rate
or that it's unavailable, and you factor all that into your
work planning process and you look at your ICDP and your
integrated risk impact exactly like you'd do it in the
(a)(4) guidance, and as a matter of fact, if I was writing
this traveler or the TSTF, I would actually try to
explicitly reference, I think, Reg. Guide 1.182, which it
doesn't right now, but to me, that's the simplest way to
consider it.
MR. DENNIG: This is Bob Dennig from the staff.
The basic premise here is that the surveillance --
the missed surveillance -- what we've lost out on is
confirmation of operability.
The presumption is that it is operable.
If you have any information that it is not
operable, will not perform its function, you have to do a
continuous operability determination. Under tech specs,
that is your obligation.
If you have any information that tells you that
there is something wrong with this, you're out of there and
you're into the action statement. That's the end of that.
DR. KRESS: The assumption it is operable gives
you no delta risk unless you change --
CHAIRMAN SIEBER: That's right.
MR. DENNIG: So, what goes into the evaluation, as
Dr. Apostolakis mentioned, is an importance measure. The
importance of this equipment gets factored into --
DR. KRESS: Which is not an assumption of
operability, then, in terms of criteria.
MR. DENNIG: Right. I'm just saying that to
assume that it's broken and then do a risk evaluation of
what we're accumulating with the broken equipment is not
consistent with the premise of the initiative.
DR. KRESS: Yeah, but I don't know how else you're
going to do anything.
MR. BRADLEY: As a screen, I think, you know, it's
a bounding assumption to assume that it's unavailable.
DR. KRESS: You don't have a technical basis for
any other unless you use something like this LER data to get
a different -- I don't know how you get a different
availability number out of the reliability -- if you
increase the failure rate -- but you have no technical basis
for doing that. You can't take that out of the LER --
MR. HOFFMAN: Maybe I didn't make this clear.
Part of the evaluation -- and to support what Bob said -- is
obviously there's a continuous operability determination in
all the systems ongoing, and if for some other reason you
knew it was inoperable or degraded in any way, shape, or
form, you'd have to take the appropriate action, but the
surveillance -- the particular surveillance that you have
missed -- one of the evaluation aspects -- and I didn't go
into this in greater detail initially -- is that you'd have
to evaluate how has that surveillance fared over the course
of the last several performances?
Has it passed the last five, six, seven, eight,
nine, ten times? Have you had difficulty with any aspects
of it?
Does this particular surveillance perform
something that you've seen some concerns with anyplace else?
Is there generic -- any generic information from
either your type of owners group or from the NRC that would
give rise to make you think that, well, even though I have
no reason to believe the surveillance wouldn't pass if
performed, there is other information out there that would
cause me to consider those, and if those gave rise to
concern, then you have to consider this -- you'd have to
take a different kind of action.
DR. KRESS: You really don't have enough data to
do that on a plant-specific basis. You would have to rely
on generic data from the whole fleet of plants, and I don't
know that the number value you get out of that would be
different than its original reliability number anyway.
CHAIRMAN SIEBER: It's not clear to me how you
evaluate the change in risk if you can't ascertain the
condition of the equipment. You can make all kinds of
assumptions.
DR. KRESS: That's basically my problem with it.
You can make the assumption of inoperability and evaluate --
have a screen.
CHAIRMAN SIEBER: That's going to come out, in a
lot of trains, pretty risky.
DR. KRESS: It could very well be. I don't know.
MR. NEWBERRY: I think I heard the gentleman from
the industry say this. Do you have the capability to go in
in your PSA where you have your failure rates, your lambda-T
over 2, and adjust that T for twice the surveillance now?
Is that part of your approach?
MR. SCHNEIDER: That will be part of it.
You could either look at increasing the failure
rate, you could look at taking the equipment out of service,
but the one thing you also want to recognize is that, while
there's -- there's actually another incentive for the
industry to basically be sure it does it properly for
high-risk components, because with the oversight process, if
I'm going to start doing (a)(4) maintenance and not have the
-- and not have a good assessment of -- a good belief that
the equipment is operable and I then start taking equipment
out that might amplify the effect of that piece of equipment
and then, when I do that surveillance, find out that the
equipment wasn't -- you know, didn't pass, under those rare
instances you'd have to go back and double-check the
prudence of your decision process, and through oversight and
performance-based regulation you'd be held accountable for
not -- basically taking a potentially high-risk system and
not really doing the surveillance in the 24-hour timeframe,
and that's probably more of an economic impact than the
impact of not doing it most of the time.
CHAIRMAN SIEBER: There's too many performance
indicators -- there are too many safety-related pieces of
equipment that are not in the performance indicators that
would trigger a white or any other color.
For example, let's say that the surveillance in a
PWR that you forgot to do was the flow test on a recirc
spray heat exchanger. There's no little window for that
that I can recall, okay? And it usually degrades over time,
as silt builds up and fish and clams and stuff start to live
in there, and it only operates when -- you can't test it
because you see it operating like a high-head safety
injection pump. It only operates when you either test it or
in a big accident mode where you've got to spray down
containment, and so, here's a situation where, you know,
it's very difficult to tell whether the system is operable
or not, because you haven't flushed it out and you haven't
tested it and you don't know whether it's degraded or not,
and the functionality and operability are different, and you
say, well, if I get some flow, it's okay, and I don't have
to read the tech specs.
The old type of tech specs said I'm not exactly
sure where you are with respect to what you put in there for
a failure probability to do a risk assessment.
DR. BONACA: Unavailability is a function of time.
You can -- can you put consideration of that?
I mean you have unavailability that is dependent
on time and failure rate for that particular component, and
now you're going to extend from 24 months -- you've assumed
in the example, 24 months, you did not perform the
surveillance, you go another 24 months. You're compounding,
essentially, unavailability rate, right?
MR. SCHNEIDER: Right. You can look at the
unavailability increasing as a function of time.
DR. BONACA: I mean your PRA is making certain
assumptions of unavailability based on the surveillance
intervals that you have.
MR. SCHNEIDER: Right.
DR. BONACA: And so, therefore, if you extend
those, you can account for those and get the sense of what
the impact is.
MR. SCHNEIDER: Right.
CHAIRMAN SIEBER: It gets back to the discussion
that we had this morning when we talked about are the tools
available, and not only do the tools have to be available
but the data that you put into the tools to arrive at the
answer or the conclusion has to be available and reasonable.
MR. SCHNEIDER: I think the real issue is also
part of the risk-informed decision process. It's not just a
number-generating process.
If you really missed -- if you're missing a
surveillance on a risk-important component, the incentive is
going to be to basically perform that surveillance as soon
as possible, and the goal here is not basically to see how
much you can get away with and try -- the goal here is to
try to use prudence in trying to figure out which of the
surveillances that are a lot less significant, that if they
are missed won't contribute to the risk of plant operation,
even if your decision process was wrong, and so, you could
look at by bounding and look at, you know, what happens if
the component is pulled out of service, what happens if you
increase the failure rates and do some sensitivities, but
the idea is to come out with a combined decision process
that drives you into performing the right set of decisions,
whether it's to control maybe the other train, to make sure
the other train's fully operable and make sure the other
train's not pulled out of service, to control other kind of
maintenance, look at other back-up equipment, to look at
other contingency actions, at compensatory measures.
It's not just the number that you're looking at,
and I think that, by and large, the majority of these, the
plant has a pretty good handle on what its importance will
be.
CHAIRMAN SIEBER: Yeah, well, the plant is not a
homogenous thing.
MR. SCHNEIDER: I understand.
CHAIRMAN SIEBER: The operators in the middle of
the night, somewhere in their ultimate training they become
amateur lawyers, and so, they read those tech specs like you
would not believe, okay, and then they say do I have to do
it, and then they read it over and over again, and the way I
read it is, no, I don't have to do it. So, they write an
engineering memorandum that says do a risk analysis on this
and I'm going to go eat lunch.
MR. HOFFMAN: I think your point is well taken,
but I would like to believe that the kinds of things you
discussed -- and certainly, they did exist -- many of them
were clarified and resolved in the improved technical
specifications, where we took those very kinds of issues and
attempted to resolve them so there weren't tech spec
interpretations and memorandums to engineering and
operations and establish clear-cut, specific, finite
requirements in the specs themselves, with detailed
explanations of what that meant and the bases, so it was
very clear to an operator when, where, how, and why he or
she needed to do whatever that was, and based on what Ray
also said, we believe that the robustness of this process
lends a great deal of credibility to the acceptability of
this.
One, we don't believe it's going to happen very
often, and we think we have data that would support that.
Two, we think that, when it does happen, the
greatest likelihood of performing that surveillance is it's
going to pass.
Three, we believe the tech specs are currently
structured that if there is any reason for you to believe
that that SR would not be met or for any other reason that
LCO was not met or that equipment is inoperable, you have to
take the appropriate actions under SR 3.0.1.
This SR 3.0.3 change would give you no flexibility
in that arena.
And four, we also believe that, because we have
established for part of the robustness of that process
specific issues that have to be considered by the plant in
regards to its evaluation of the acceptability of this,
which takes into account how the surveillance has been
performed in the past, what the equipment is, what the other
condition of the plant and so on and so forth is, we believe
that these kinds of things will be appropriately and
adequately addressed.
Now, again, if this becomes an issue where the
surveillance is being missed, as stated this morning by Mr.
Dennig, became chronically missed, then that's an entire
other issue.
The entire premise, as he stated this morning,
that this is a very unlikely situation and that, because of
the unlikeliness, it's acceptable.
In fact, we went back and discovered that, over
the course of the last five or six years, there were 10
NOEDs issued regarding this, and we looked at NOEDs.
Every one of them was approved for plants to go
beyond the 24 hours, and in almost all cases, it was because
the greatest likelihood the surveillance, when performed,
will be passed, the use of this flexibility has been small
or insignificant, and three, that the timeframe in which
they're going to perform it is a reasonable timeframe, so
those being the basis.
DR. BONACA: However, you're referring to a
statistic that is based on a history where, if you miss the
surveillance, you have tremendous penalties. I mean you
could go for an exception, but you've got big problems, and
people went to heroic measures to meet that.
So, I'm not saying that we shouldn't do this. I'm
only saying that those statistics are going to change, and
so, I think that, as a minimum, in the oversight process, I
think the staff should look at what does it mean, for
example, if you're to take that one up by a factor of five?
MR. HOFFMAN: We actually think the number of
surveillances missed is going to go down, not up. If you
look at the 170 over that course of five years, think about
that, many of those were discovered and reported as a result
of Generic Letter 96-01, where plants went back and
discovered that there were portions of their
instrumentation, RPS and ECCS systems, they had not tested,
and that constituted a fair portion of that population.
I can't tell you exactly how many it was, but I
think I could go back and get that information.
But I agree with you, the statistics -- those are
in the past. They are only something that we utilized to
give us some idea of where we thought we would be in the
future.
So, we tried to use those appropriately and went
out to all the plants and talked to them about what do you
find when this usually happens, and that was part of our
data collection process, to determine the acceptability of
such a proposed change, and given the fact that the NRC and
the industry had also done this in 1987.
CHAIRMAN SIEBER: I think we're dancing around two
issues here.
One of them is that there appears to be some
incentive for the erosion of the safety culture, because now
things appear to be more lax than they used to be.
MR. HOFFMAN: Right.
CHAIRMAN SIEBER: To me, as an ACRS member, what
happens to the safety culture is a concern and is indirectly
related to safety, but it's a management issue, and I think
that that's for the NRC and licensees to determine how they
will manage that particular impact.
There is another impact, though, that I wonder
about a little bit.
You know, adequate protection of the public health
and safety depends and is based upon the compliance with
essentially all the regulations and the license conditions
for a plant, okay, and now we are saying that, you know, a
license condition, the operability of the various safety
systems of the plant are specified, and the way that you
basically guarantee that you meet those license conditions
is to perform surveillances.
If, now, you have a blanket tech spec in Section 3
that says, you know, here is some leeway in the performance
of surveillances and we're going to base that on risk, where
do we stand in the space of adequate protection of the
public health and safety?
DR. KRESS: We're going to have that issue every
time we talk about this.
CHAIRMAN SIEBER: Well, this is one of the
problems with risk-informed anything.
DR. KRESS: Yeah.
CHAIRMAN SIEBER: You have to have a set of
standards that say I'm in the right space here, and sooner
or later, we're going to have to answer that question.
MR. BRADLEY: I think adequate protection would be
increased by the approval of this, because what we're doing
-- it is absolutely not the intent of this to allow willful
missed surveillances or to at all increase the number of
missed surveillances, and what we're dealing with here is
just a paradigm shift from the previous history, being you
shut down the plant -- that was your disincentive.
Now we're moving to -- you have an oversight
process that's looking at unavailability, and there's also
very special provisions in that oversight process about
willful violations.
This is a missed surveillance. It's not, gee, do
I, you know, want to do this surveillance, and maybe, you
know, it's -- it's a surveillance you discover is missed
after the fact.
CHAIRMAN SIEBER: It's almost unthinkable to
believe that any of them are willful.
MR. BRADLEY: The intent of this is to do the
thing that's right in risk space, and that is to remove a
plant transient as the result of what may be an
insignificant missed surveillance.
CHAIRMAN SIEBER: Well, getting back to my remarks
-- and maybe we won't need to talk about it or comment on it
anymore -- the issue of safety culture and whether it's
eroded or not is a management issue that the NRC and
licensees need to deal with.
The issue of adequate protection is troublesome
from the technical standpoint, because you need to have some
standard.
On the other hand, it's partially a legal issue,
and the NRC can deal with that, too.
I guess the third issue that pops out here,
though, is are the tools adequate, what do you do to alter
the failure rate if you don't do a surveillance, and I think
that is our issue.
MR. BRADLEY: On the first half of your question,
I think that's a very good question, you know, how do you --
you know, is the tool adequate, and I guess, in my view,
prior to (a)(4), I would have maybe had my own question
about that.
I think that is the tool and, in fall of this
year, when that rule is implemented, you will have all the
procedures in place to do this.
Now, the mechanics of how you deal with the fact
that you've missed this, whether you assume the component is
unavailable or increase the failure rate or, you know, how
you want to deal with that, that's the second issue I think
you're raising, but in terms of the infrastructure, the
procedures, and the process being in place to accomplish
this, that will not be an issue as soon as the (a)(4)
programs are in place.
CHAIRMAN SIEBER: I guess I'm just not familiar
enough with what all the tools are and what infrastructure
is in place, and maybe sometime in the future you could tell
us.
DR. KRESS: I think the issue of adequate
protection is a non-issue, because basically you could say
it's meeting the rules that are in existence at the time,
and if you change the rule, which is what we're doing,
you're still providing adequate protection, because you're
meeting the new rule.
MR. HOFFMAN: Absolutely.
DR. KRESS: I don't think it's an issue.
MR. BRADLEY: There's a little caveat on that
definition, though.
There's meeting all the rules plus -- and there's
this other little sort of nebulous wording that goes with it
that can be invoked.
MR. HOFFMAN: And there's some important
information that needs to be brought to bear.
When you look back, notice that we've been
improving the technical specifications over the years. Biff
put up a slide this morning that talked about custom tech
specs, standard tech specs, the improved technical
specifications, NUMARC 96-01, a number of things that have
been put in place that have constantly enhanced and improved
that product and document, which is the means of ensuring --
part of the means of ensuring public health and safety in
that legal framework between the NRC and the licensee as far
as a license in the Appendix A as the tech specs to it.
But one of the things we did in ITS was we removed
a number of the surveillances from the improved technical
specifications which were deemed to be unnecessary to
demonstrate operability, in addition to which we altered
some of the surveillance intervals, because we determined
that they weren't appropriate in the frequency which they
were currently established, and if you go back to the very
premise of surveillance interval establishment, which you
all are probably more familiar with than most, in the early
years, even back to the 1970s, a lot of that information was
utilized by the NRC and the industry, from mean failure rate
data information, LERs, manufacturer's recommendation, the
time that plant could be in the condition, how long it took
to perform the surveillance.
So, the surveillance intervals themselves are not
a science, if you will, and if you will notice, we have
Initiative 5, which has two pieces, 5(a) and 5(b), and 5(a)
is to remove the remaining surveillances which we feel don't
demonstrate operability, and 5(b) is to relocate all of the
surveillance intervals to a licensee control program to be
evaluated by us to determine the appropriate interval, and
if that occurred, then we wouldn't need SR 3.0.3, because
we'd be evaluating that on a continuous basis anyway.
So, I guess all I wanted to say, sir, is that we
feel that what we're establishing here is not counter to
public health and safety and not counter to the safety
culture at the plant.
CHAIRMAN SIEBER: Well, I agree with Dr. Kress
that it's following the rules that exist at the moment, and
so, you're right.
DR. BARTON: The definition in here -- part of the
previous slide -- "Any missed surveillance requiring a
change in mode or plant conditions for performance would be
performed at the first reasonable opportunity."
Somewhere are we going to define a change in plant
condition, because I can play games with that, too.
Anything I change other than where I am right now is a
change in plant condition.
Are we going to say something like, you know, less
than 20-percent change in power or something like that?
MR. HOFFMAN: The way we're defining the plant
conditions is a pure physical change, like into a mode or
other specified condition such as core alterations, things
of that nature, or not so much as to percentage power
decrease.
Now, for surveillance, as you know, we have some
LCOs whose applicability are Mode 1, greater than 50-percent
power.
DR. BARTON: Right.
MR. HOFFMAN: Well, I can go down to Mode 1, less
than 50-percent power, and I leave the applicability -- the
surveillance isn't even required to be performed, but yes,
sir, to answer your question, our intent is to attempt to
establish what that means, so it's not misused.
DR. BARTON: Thank you.
MR. HOFFMAN: You're welcome, sir.
MR. BRADLEY: Are there any other questions on
Initiative 2?
If not, we can move on to Initiative 3.
CHAIRMAN SIEBER: That will be fine.
MR. BRADLEY: Okay.
MR. HOFFMAN: Moving into Initiative 3, when we
began to identify initiatives for the risk-informed tech
spec task force, Initiative 3, like Initiative 2, at that
time, was determined to be one of those ones which we felt
was more of a policy issue than it was a risk-informed issue
and it would have less risk insights than the majority of
the other issues which we have determined already but
possibly more, and I think that's the case than, say,
Initiative 2 with SR 3.0.3.
We currently have LCO 3.0.4.
LCO 3.0.4 is the concept which is established in
the technical specifications which states that you cannot
change modes while relying upon the actions to satisfy the
LCO. The initial intent was that it was to preclude you
from starting a plant up with inoperable equipment. That
was its initial intent in years gone by.
Over the course of time and especially in 1987,
Generic Letter 87-09, it was recognized that, in many cases,
there was no reason to restrict the mode changes to allow
the startup of the plant with certain equipment inoperable
because of their impact on the overall safety of the plant.
So, the NRC established, also again in Generic
Letter 87-09, the allowance that you could change modes or
relying upon the action statements for those equipments
where the timeframe and the action was continuous; in other
words, you were allowed continued operation such that, if
you had an inoperable piece of equipment, that you were
never required to change modes or leave the mode of
applicability, you had some other compensatory action.
In addition to that, the NRC has continued to
establish, as they had before that, and expanded that
thought process, there were certain LCOs whose uniqueness
was such that LCO 3.0.4 could be not applicable or accepted
in those particular cases.
We went back and evaluated all of the current
improved technical specification NUREGs, looking at all the
different ones, and determined that, for the most part, the
majority of those systems and components who had 30 days or
longer allowed outage times had an individual LCO 3.0.4 not
applicable allowance in the tech specs. Many of the
seven-day allowed outage times did, and some of the 24 hours
and less did, also.
But the unique thing that we found was that it was
not all that consistent, and we found in some cases similar
types of equipments from one owners group or one design to
the next had the LCO 3.0.4 exception and the other one may
not, and there was no immediate indication of what the
rationale or reason may be.
Now, as you know, in Generic Letter 87-09, the NRC
required that the plant, when they were going to utilize the
allowance to change modes, to start up the plant with
inoperable equipment, while relying upon the actions -- and
that's a very important premise of this -- had to do a plant
evaluation.
That plant evaluation at the time obviously didn't
include risk, but it was a plant evaluation nonetheless,
where in many cases a subcommittee of the on-site safety
review committee, PORC or whatever the name happened to be,
did, in many cases, a pre-evaluation of the acceptability
and/or an evaluation at the particular time before that
allowance to change modes was granted, and with that
information in hand, we went and talked to a number of P and
BWR plants to try to bring that to bear and we utilized to
determine what would be appropriate for TSTF 359.
As we began developing TSTF 359, we talked to a
number of plants to find out what kinds of problems had they
experienced, and the types of problems they experienced at
the systems that did not have the LCO 3.0.4 exception had in
many cases caused them significant schedule problems, where
startup -- where they were performing a major surveillance
process or doing a major maintenance activity and they were
almost finished but not quite and it was critical path and
that, yet, they knew they were very close to being finished
and could be done within the timeframe and wanted,
therefore, to utilize that timeframe when they were
proceeding up, that they had no reason to believe it
wouldn't be operable and so on and so forth, much the way
that -- well, I won't get into that right now.
So, with that in mind, when we went to look at LCO
3.0.4, we tried to decide, well, where is the appropriate
cut-off point?
Since we've already identified that the 30 days
and longer almost all have an LCO 3.0.4 exception, since all
of the allowed outage times that are continuous operation
already, by definition, have a LCO 3.0.4 exception, where
should the cut-off be? Seven days? Twenty-four hours?
So, as we began looking at the systems and going
down, it was somewhat arbitrary in our determination as to
where we might be.
We really realized that it was not so much the
allowed outage time that should dictate what we did but the
type of process we utilized to determine the acceptability
of changing modes or relying upon the action to satisfy the
limiting condition for operation.
So, we chose in TSTF 359 to -- Initiative 3 -- to
allow all LCOs the flexibility of changing mode, providing
there is an appropriate management review and approval of
the acceptability thereof.
Now, I -- we're going to come to a moment -- to
what those risk insights would be and how that would be
done, and Mr. Schneider and Mr. Bradley are going to address
that, but there's several important parts of this I want to
bring to your attention.
One, this is only acceptable if you rely upon the
actions to satisfy the requirements of the LCO, which would
mean that if you went into changing modes and to startup
with a system that was inoperable, if that system's required
action was for you to restore the system in seven days or
shut down, that you only had that seven-day allowed time,
that if you did not feel you could restore its operable
status or finish whatever you were doing to ensure it was
operable within that seven-day timeframe, prudence would
dictate that you wouldn't want to start the plant up, get
into Mode 1, only to discover that you didn't make it
operable as you anticipated and then have to comply with
your action and shut right down again.
So, we have tried to stress that in the TSTF 359,
explaining in the process, one, the significance of
complying with the actions; two, ensuring that you know the
status of what you believe will be able to be determined in
that timeframe so that plants don't inappropriately start up
with equipment that's inoperable when they are not in a
position to be able to restore it in that timeframe.
So, with that, I was going to then allow you to
discuss some of the risk things, unless you all have some
questions about the particular proposed TSTF.
MR. SCHNEIDER: I'm Ray Schneider from the ABB/CE
owners group.
The presentation was prepared by myself and Dennis
Henke from San Onofre.
As Don discussed, we went through the background
of the Initiative 3. I think I'd like to go into purpose
from our perspective and just kind of summarize some of the
key points.
The intent here is to modify the LCO 3.0.4 so that
you can allow the entry into specific modes, generally going
up in power, into the higher-mode action statement when the
tech spec components or trains are inoperable, but the
expectation is that the entries are expected to generally be
individual entries where entry is limited to a low or
negligible incremental plant risk.
In many cases, the risk will actually be offset --
any of the operational risks will actually be offset by the
benefits of going to the desired mode, and this is
particularly true of going from Mode 5 to Mode 4, and the
expectation is you don't enter this unless the component
train that you've entered it for is expected to be reparable
in the time allotted.
A little bit about the history basis, as was
reviewed by Don, so some of this is repetitive.
Mode change restraints really provide the -- were
intended to provide the design basis -- provide that design
basis is met prior to mode entry, and for the CEOG, about
half of the existing tech spec equipment is already not
subject to mode change requests, mode change restraints.
Most of the existing mode change restraints may be
removed without significant contributions to plant risk.
We've looked at a number of the AOTs that are involved, and
they have -- because of the duration and significance of the
component, the impact of the mode change restraint removal
for the duration will generate very low risk values or low
impacts of core damage probability.
CHAIRMAN SIEBER: Is that instantaneous or
cumulative risk?
MR. SCHNEIDER: Over the period of the AOT --
CHAIRMAN SIEBER: Instantaneous.
MR. SCHNEIDER: Instantaneous. But it's
integrated over a small spike.
CHAIRMAN SIEBER: What do you assume for the
purpose of the PRA the operability or availability of the
equipment is?
MR. SCHNEIDER: Unavailable. I mean just
inoperable.
CHAIRMAN SIEBER: Okay.
DR. KRESS: Do you have a criterion for how big
that integral can be before you say it's significant?
MR. SCHNEIDER: Well, we'll give you the
expectation.
The tech specs are typically designed -- and it's
in Reg. Guide 1.174 -- 1.177 -- it's typically designed such
that a typical one component out of service at power should
generally have a risk number less than about 5 times 10 to
the minus 7th for that full AOT.
In here, as we'll talk about, you're generally
going up in the modes from cold conditions, the amount of
decay heat is a lot lower, the amount of time to respond is
a lot greater, the amount of equipment needed is generally a
lot less.
So, even for the more important equipment, you're
probably dealing with something of the order of 10 to the
minus 7th, the lower 10 to the minus 7th range, and for the
less important equipment, you're probably dealing with stuff
that could actually be, if you, you know, go through the
calculations, something of the order of 10 to the minus 8th
and 10 to the minus 9th for the interval, because remember,
you're restricted by time, you're restricted by significance
of the component, and you're restricted by the number of
things that you're allowed out of service during these
things, because you're not -- this is not meant to be a --
the intent to basically schedule all your maintenance during
this period. I mean it's just basically for those one or
two items that somehow got caught.
MR. BRADLEY: At the risk of sounding like a
broken record, again, this is a perfect fit with the (a)(4)
guidance, because you basically have an equipment out of
service, you're coming up in mode, and you're going to have
to -- there is in the (a)(4) guidance ICDP numbers, and
there are also discussion of aggregate risk, and this is
like any other equipment out of service condition.
You're going to have to manage all your other
maintenance activities around it and meet those guidelines
that are in the reg. guide, and the number is -- are
generally consistent with Reg. Guide 1.177 that Ray was
talking about.
CHAIRMAN SIEBER: The number that you choose is
whatever the company decides to choose, right?
MR. BRADLEY: Well, no. There are guidelines --
we don't have hard criteria in the reg. guide on (a)(4), but
there are guidelines, and basically if you're using some
other number, we don't expect people to be using other
numbers, and if you are, you're going to have to justify why
that number is appropriate.
I do think that, if you look back at the (a)(4)
guidance, you'll see all the things you need to consider
here that Ray is talking about, including the criteria.
MR. SCHNEIDER: For the case of mode restraints,
you're generally dealing with one, typically, or possibly a
couple of discrete components, so that it's not quite as --
there's not quite -- there's an interaction among a number
of the systems, and the guidance that initially generated
the tech spec allowed outage time will already ensure a very
low risk.
DR. KRESS: I guess the answer to my question was
no?
My question was do you have a number for deciding
when that interval is significant or not, and I didn't hear
a number come out.
MR. SCHNEIDER: I think, order of magnitude,
there's probably a fuzzy line when you start crossing 10 to
the minus 6 that you have to start doing -- looking at it a
little more carefully.
DR. KRESS: Ten to the minus 6 might be in that
sort of an ad hoc --
MR. BRADLEY: Ten to the minus 6 delta ICDP.
Remember, this will be governed by (a)(4).
Whatever you do in this isn't just what tech specs, but
(a)(4) is also going to govern whatever you do here.
DR. KRESS: What that does is changes the delta
risk you would have got because of all these other
provisions you have to put on it.
MR. BRADLEY: Right.
MR. SCHNEIDER: But there are other ancillary
issues, and as we'll talk about in a minute, there are
instances where the target mode actually will be a
lower-risk mode than the mode you're in.
So, the equipment unavailability is dwarfed by the
fact that you may be going to a mode with more heat removal
capability.
And then one other bullet I probably should talk
about is the fact that, in the past, they found that
relatively risk-negligible component being out of service
have caused several-day delays in plant startup, has cost
utilities millions of dollars, with no risk benefit to the
public and no risk benefit to anyone, just basically a net
cost.
The expected -- go to the next slide.
It's not part of the presentation, but just to
give you a rough idea of mode impacts, for one of the other
initiatives, Initiative 1, which looked at end state
impacts, we did an analysis of the relative risks of being
in various mode end states for various different -- we
looked at actually five-and-a-half or six modes, two
different kinds of Mode 5's, one with a vented condition, we
may have to vent for containment spray backup, and what you
can see is that, as you move from different -- as you move
into different modes, like Mode 5 vented, Mode 5 un-vented,
or Mode 4 in shutdown cooling, you'll see risk reductions,
and as you go into Mode 4 on aux feedwater, where you both
have shutdown --
DR. APOSTOLAKIS: Let me understand what that
means.
First of all, can you read the horizontal axis,
because I can't read it. What does it say? Mode 1?
MR. SCHNEIDER: Okay. Mode 1, yeah, starts --
DR. APOSTOLAKIS: Why don't we give him the
portable mike so he can stand up and point?
MR. SCHNEIDER: This work was initially done for
the Initiative 1 for the mode end states, and the CEOG and
Southern Cal looked at some representative modes for a
representative plant, and what we've looked at is the
relative risk to being in Mode 1 operation, Mode 2, initial
low-power operation, Mode 3, initial shutdown, Mode 4, when
you have -- on AFW, where you have both AFW available and
the ability to get onto shut-down cooling, Mode 4, when
you're already on shut-down cooling, and Mode 5, un-vented,
which is also basically a shut-down cooling mode, and then
Mode 5, where you vent for the capability of doing -- of
having your containment sprays as backups, and these are the
various kinds of modes.
DR. APOSTOLAKIS: But again, the title says
transition risk mode. There is nothing that's transitional
here.
MR. SCHNEIDER: Right.
DR. APOSTOLAKIS: This is the risk being there.
Now, is it possible that, when I go from 4 to 5, I
have a spike in between?
That's the whole point of all these human
manipulations that are required.
So, it seems to me calling it transition is a
misnomer.
MR. SCHNEIDER: It's a discussion that --
DR. APOSTOLAKIS: Different states.
MR. SCHNEIDER: What SONGS did when they did the
analysis is -- right -- there is a portion of this that does
represent the transition of going from -- going into
shut-down cooling itself, but even if you subtracted out
that portion, you would have the shut-down cooling mode
higher than the aux feedwater mode primarily because you
don't have the steam generators from heat removal, the same
basic dependencies.
The levels change a little bit, and -- but you're
right, this was initially developed for going the other way.
This was initially developed when we were looking
at the issue of which mode do we want to be in when we're
moving down from power, and then you look at the effect of
the transition and the effect of the mode, and what we found
was basically the effect of the transition is not large as
you go down to about -- aux feedwater -- it's the order of
10 to the minus 6th.
What you're really seeing here are the mode
changes and the changes in equipment availability or the
loss of equipment as you go down from various modes, with
aux feedwater being a relatively reliable feed source at
lower power or at shutdown and the fact that you have
turbine-driven aux feed possibility, and here you have the
ability of steam generator heat removal as well as, if an
event occurs, you could always move down to shut-down
cooling.
So, one way of viewing this is basically that --
is the number of residual core heat removal capabilities and
the reliability of the heat removal capability, but
generally going from Mode 5 to Mode 4, you're picking up
your steam generators to be able to remove heat, you're
getting a potentially independent source of heat removal by
getting the turbine-driven aux feedwater pumps more
available.
So, that contributes to the risk.
The absolute levels are representative, and again,
they were generated going the other way, down, where there
is a transition spike in this one, primarily in this region,
and there is a different kind of spike due to going into a
vented condition here, but the typical kind of transition
you're going to end up seeing is a transition from Mode 4 on
shut-down cooling or Mode 5, un-vented, to Mode 4 in
shut-down cooling, then you get off the LTOPS, and
ultimately you'll be going down to aux feedwater, Mode 4 in
aux feedwater, and the types of incremental risks that
you're picking up by having the equipment out of service are
of the order of less than 1 times 10 to the minus 6th.
DR. APOSTOLAKIS: Now, we don't know that, because
those equipment may affect the transition itself, which we
have not quantified.
MR. SCHNEIDER: The main components that we're
expecting to be used -- we have already -- okay, we'll talk
about it in a minute, but what we will do is we will
subtract out the high-risk components in the various modes.
We'll look at what makes this mode safe, what
equipment is needed to make this mode safe, what pieces of
equipment are needed to make this mode safer, and those
wouldn't be allowed to be out of service as you moved into
the new mode, but there's a large amount of equipment that
really has no direct impact on the heat removal capability
and the potential trip capability, and those won't have any
interaction with the modes per se, and those are the order
of 10 to the minus 6.
So, we will first screen out the important
equipment mode to mode.
DR. APOSTOLAKIS: So, you're talking basically
going from 5 to 4 and from one 4 to the other 4? Is that
really what we're talking about here?
MR. SCHNEIDER: Most of it. The bulk of the
transitions are going to be in this direction.
DR. APOSTOLAKIS: From 4 to 4.
MR. SCHNEIDER: Actually, it will be 5, un-vented,
to 4.
DR. APOSTOLAKIS: And then what happens?
MR. SCHNEIDER: Then, basically, that takes you --
DR. APOSTOLAKIS: Then you fix it.
CHAIRMAN SIEBER: Let me ask a question before it
escapes our attention here.
This chart looks like it's laid out with regard to
going from full power to cold shutdown.
MR. SCHNEIDER: Right.
CHAIRMAN SIEBER: If you drew the chart from cold
shutdown up to full power, which really matches your
Initiative 3 --
MR. SCHNEIDER: Right.
CHAIRMAN SIEBER: -- would it be the same chart
upside down?
MR. SCHNEIDER: No. There would be a few
differences. There's a transition that occurs here. This
would be lower because of the transition going this way to
get -- which causes your plant to basically realign itself
onto shutdown cooling, and it's less likely you'll run into
the problem on the way down.
CHAIRMAN SIEBER: Have you done the heatup/startup
set of charts? Have you performed those in support of
Initiative 3?
MR. SCHNEIDER: We've qualitatively looked at the
issues and the insights gained from doing this analysis. We
haven't generated a full set of new numbers, because what
will happen is all the numbers will be depressed because
you're starting with much lower power levels.
CHAIRMAN SIEBER: Right.
MR. SCHNEIDER: So, what you'd see is
qualitatively the same.
We felt that the qualitative insights to identify
the key components, you know, are valid, and any additional
quantification wasn't deemed necessary for this level of
evaluation because of the low relative risks involved in
getting into the mode.
CHAIRMAN SIEBER: Well, it would help me, I guess,
if I actually saw a chart that showed what Initiative 3 is
talking about, which is starting up, along with some
analytical work that showed the risk increment associated
with having a mode restraint removed for a few pieces of
equipment who had importance measures that said they were
significant to risk.
Then I'd be able to tell whether this is a good
idea or not.
Has that kind of work been done? Can you tell us
about it?
MR. SCHNEIDER: What we have done -- maybe we'll
go to the next slide.
What we did do is we looked at components that
weren't important -- okay, two things.
Let me start off -- the expected use is, again,
for infrequent -- generally the low-risk components and for
short-duration repair, so that infrequent will basically
mean that, if you integrate it out over a long period of
time, you're not going to have a large accumulated risk,
because this isn't going to happen very often.
The low-risk portion is that we're only going to
enter this -- if it's a high-risk component, we're not going
to enter it without doing a detailed risk evaluation to find
out why the system is inoperable.
So, we will identify certain systems where we're
not going to be using this tech spec unless a full risk
assessment is done where we look at the mode we're in and
the mode we're going to, and then the short-duration repair
controls the amount of accumulated risk you could have in
that rectangle.
CHAIRMAN SIEBER: And why is accumulated risk
important, as opposed to instantaneous risk?
For example, I could have a CDF of .9 for 15
seconds, and I wouldn't want to be there.
MR. SCHNEIDER: Right.
With the short-duration repair, what we're talking
about is -- you're still doing the integral, but the
integral is only over like three days. So, it's still a
small accumulated risk in this case, but it's really the
integral risk over the time you could have the equipment out
of service.
CHAIRMAN SIEBER: Okay. But the instantaneous
risk gives me more risk insight than cumulative risk.
MR. SCHNEIDER: Well, this is the instantaneous
risk times the duration.
CHAIRMAN SIEBER: Right.
MR. SCHNEIDER: Yeah, I see what you're saying,
but we're not going to enter this with high-risk components
to begin with, and for example, the types of situations that
have occurred or that may be more likely are like one
inoperable containment spray has happened in the past, and
for most of our plants with diverse and redundant
containment heat removal capability, with fan coolers and
containment sprays, the impact of one train inoperable is
negligible and is in the order of a 10 to the minus 9th kind
of value and doesn't have any substantial LERF impact, as
well, and that's when you look at the -- even the at-power
risks associated with this component, as opposed to the
risks that would be when the decay heats are much lower.
One SIT unavailable might be a reason for a short
time to basically --
DR. APOSTOLAKIS: What's SIT?
MR. SCHNEIDER: Safety injection tank accumulator,
something like that, or possibly some filter or HVAC systems
having some inoperability or some containment penetration,
valve closure maybe not being completed or some MOVAT test
not being done, but there's a lot of very low-risk issues
that can develop.
DR. APOSTOLAKIS: So, these will be identified in
advance or the analysis will be done -- yeah, we discussed
this.
MR. SCHNEIDER: Okay. Typical risks are going to
be low. Risks will even be lower because they'll be during
shutdown.
But what we're recommending, kind of --
DR. APOSTOLAKIS: Okay. This is good.
MR. SCHNEIDER: Okay.
What we're recommending is a risk-informed
administrative control where -- not necessarily -- you're
not going to look at necessarily all the -- you're not going
to identify all the lower-risk stuff and basically catalog
it, but you're likely going to identify all the higher-risk
stuff at the various modes to recognize the stuff you should
be concerned about.
So, you identify those that are big contributors
to safety, basically, and you hold those to one level of
importance, and typically, what we'll find is that, in Mode
4, AFWs and -- aux feedwater pumps and diesel generators are
going to be extremely important, and you wouldn't do
anything with this equipment without a clear risk
assessment.
DR. APOSTOLAKIS: Let me understand this. 1.174
deals with permanent changes to the licensing basis. What
does it have to do with this? This is a temporary thing,
isn't it?
MR. SCHNEIDER: Exactly. When we talk about tech
specs, there's always a question -- because we're changing
the tech spec, is that permanent or is it temporary?
DR. APOSTOLAKIS: But you will not know what kinds
of equipment may be out.
It seems to me that this is wonderful for someone
like Southern California Edison that will have this -- that
has this monitor that they can do these calculations
quickly. What will the other guys do? Do you have lists of
components?
MR. SCHNEIDER: Well, yes, essentially. We'll
expect that what will happen is the plants that basically
have risk matrices or other methods of dealing with risk --
you still a priori -- like the COG will identify the
higher-risk components for the group in the various modes,
and then, once those are identified, the remaining
components will be confirmed to be low-risk.
DR. APOSTOLAKIS: Now, is this consistent with the
new oversight process that tells you to worry about
initiating events, the integrity of the primary system, and
so on? You're talking in terms of CDF here, but the new
oversight process identifies other cornerstones, as well.
MR. SCHNEIDER: What we really should be doing is
talking about a risk-informed process that looks at is the
action you're going to do, the trip initiator, consistent
with (a)(4)?
Are you doing anything that's going to basically
breach a barrier?
It's a process.
I think that we've got to be careful that it's not
just -- you're not running by the numbers.
What you're doing is you're getting an
understanding of where you are, what's important to what --
why the components that aren't important aren't.
DR. APOSTOLAKIS: I'm a firm believer of rewarding
somebody who has done some good.
Would Southern California Edison have an advantage
over the other people?
MR. SCHNEIDER: They would be able to do this,
because they can do these assessments -- they can deal with
the higher-risk components, because they could do a full
assessment of the risk at lower modes, while the other ones
would basically have to say -- they may not be able to do
it, because they may not -- if they don't have a shut-down
analysis, they may not be able to say, well, for the real
high-risk stuff, they have to take a conservative -- maybe a
more conservative approach.
So, the better your models, the more robust your
models, the more flexibility you have in making a decision.
It's a decision process.
MR. DENNIG: George, the answer that we've divined
from previous conversations on this subject is that someone
like Southern California Edison can maneuver in all of their
specs, mode changes, they'll have that capability to do an
adequate assessment.
Other folks are going to rely on pre-analyzed
situations. That's it. That's all they got. Anything
falls outside of that, sorry, you can't do it, you don't
have that flexibility.
DR. APOSTOLAKIS: And that should be made very
clear, I think.
MR. DENNIG: I think that was the feedback that we
gave at the last meeting, and I think that's being cranked
into the next proposal.
DR. APOSTOLAKIS: Okay.
MR. SCHNEIDER: And so, in addition, we expect
that multiple simultaneous mode entries will also be
restricted, because you basically want to control the risks
that you're dealing with, particularly for -- the only
plants that are more robust, have more flexibility in
dealing with some of these specific items, but it will be
more defined for those that have less robust methods.
Compensatory contingency actions to expedite
repair, control risk, commensurate with what seems to be the
level of entry, of the level of risk, will also be put in
place to make sure that this is all being done prudently.
A lot of this stuff is already embedded within
(a)(4), we believe, that (a)(4) requires that you really
understand the risk picture of your plant at all modes, and
you shouldn't be taking action without -- and equipment out
of service without really understanding what the impact is,
and in addition, there will be a tracking process to
identify if this is being repetitively entered or abused.
DR. APOSTOLAKIS: When do you decide it is abused?
Maybe we're asking for too much quantitative input here, but
at which point do you decide that something is abused?
MR. SCHNEIDER: The expectation is it's not going
to be.
I mean the thing is --
MR. BRADLEY: This is a little different from
missed surveillances.
Missed surveillances is clearly something where --
you don't want to miss surveillances, but in the event you
do, you want to do the smart thing, which may not be to shut
down the plant, and I think here we are looking for more
operational flexibility.
I don't view this as something that would
necessarily be abused, you know.
As long as you're doing this within the
constraints of your (a)(4) process and you're managing the
risk, you're not abusing it, whereas with missed
surveillance, I'd say yeah, you know, if you're routinely
doing that, that is wrong, that is not the intent of what
we're doing, but here, given -- you've already got 3.0.4
exceptions on over half the LCOs in tech specs.
CHAIRMAN SIEBER: There is a limit on the risk
duration because of the LCO.
DR. SEALE: Could I ask the staff, perhaps -- have
you thought about -- would there be appropriate performance
indicators that would come out of concerns for the number of
these actions or the duration of them that might be added to
the surveillance process to help you keep tabs on any
abuses?
MR. NEWBERRY: We don't have the experts in that
program here, but having met with them last week -- Scott
Newberry, staff -- and asked similar questions, I'll try to
formulate an answer.
Most of these issues, including missed
surveillances, as indicated before, would end up in the
corrective action program.
DR. SEALE: Okay.
MR. NEWBERRY: That seems to be an answer to many
of these issues, it goes into the corrective action program.
My understanding is that there are no performance
indicators coming out of the corrective action program, but
it will become a very important emphasis of the
risk-informed baseline inspection, so that every plant will
have their corrective action program, which is judged to be
very important, inspected regularly as part of that program.
Insights from that would, you know, be fed into
the significance determination process, as I understand it,
such that issues that are significant would be given the
proper perspective, which I think is a better situation than
where we were.
CHAIRMAN SIEBER: The CAP program, though, as I
understand it, and the baseline inspection is still a
sampling of 20 percent and was done by the resident, right?
And so, it's not comprehensive. It can give you some idea
of the extent to which the CAP covers many thousands of
items that pass through it in a given year, but I don't
think that it will capture discrete numbers of these mode
changes or missed surveillances, because they represent such
a small part of the overall CAP content.
Nonetheless, you are relying, in a lot of cases,
on CAP as the overall system to make corrective actions
within the plant, as opposed to writing violations and
keeping your own tracking lists and doing that kind of
thing.
Are we ready to conclude?
MR. SCHNEIDER: Okay.
Implementation of this -- of the risk-informed
mode restraint action is basically -- we believe is a first
small step towards the development of a risk-informed tech
spec.
It's beginning to provide some degree of
flexibility for the plant to make risk-informed decisions
and take control a little bit of its operation, a little bit
more of its operation, ensures the risk -- it will ensure
the risk of the plant operation is appropriately managed, as
well, and this is consistent with what (a)(4) would be
requiring, as well.
It allows limited flexibility with controls for
the plant staff to perform and make its risk-informed
decisions, as we just said, and we believe it's consistent
with performance-based oversight process.
So, we believe this is a really good first step of
being able to have the plant basically review its own risk
status and make risk-informed decisions to basically operate
in a risk-informed manner.
CHAIRMAN SIEBER: Could I ask the staff if they
have any comments?
MR. DENNIG: Certainly.
To say where we are on these two issues, we have
had them in for review, a formal review, and we have
provided questions back on both issues and then met to
discuss the answers to those questions -- that was just
fairly recently -- and in that meeting provided some
feedback on both issues. Let me try to characterize what
that feedback was.
On Initiative 2, the staff emphasized the need for
specificity in the decision-making process that would be
used to assess the risk of a missed surveillance requirement
involving such issues as use of importance measures, a screen
process that utilizes PRA or (a)(4) processes, alternative
qualitative methods for surveillance requirements that are
not modeled in PRA, and the fact that a missed surveillance
requirement of significance requires a licensee to take the
safest course of action.
As part of our comfort level with Initiative 2, we
are pointing to the oversight process wherein, as we've
discussed previously, missed surveillances will be put in
the corrective action program, there is a continuous
operability determination that's incumbent on licensees
under technical specifications, and that failed/missed
surveillance requirement is reportable and evaluated using
the significance determination process.
We think we're making good progress on Initiative
2, and we're looking forward to look at the revision and
think that we may be able to move forward on that.
Mark.
MR. REINHART: I'd just add two points to what Bob
said.
I agree we're in general agreement.
I think, based on the comments today and just what
we've talked about before, we need to reiterate our look at
the adequacy of the model, just have to reiterate that
that's an important point and reiterate that we need to
understand fully the capability and the meaning of the
development of the risk of the reduced reliability for a
missed surveillance and how sensitive that shows up to us.
MR. DENNIG: Quickly, on Initiative 3, in
comparison to Initiative 2, we think that the PRA
capability, requirements, are more than for Initiative 2,
and we discussed at some length the need and the ability to
assess system importance in all modes.
I believe that the owners groups are going to
provide a qualitative PRA basis for some generic level of
maneuvering that will apply to most plants.
Again, in line with my answer to George before, if
you want to have more flexibility to make mode changes, you
have to have more PRA capability, and individual plants will
be able to establish that they have a capability beyond the
de minimis to do certain mode changes.
And then, as -- from an oversight perspective,
(a)(4), when it kicks in, is going to require evaluation of
the acceptability of mode changes, and there's a level of
oversight on that (a)(4) process that we'll rely on to
ensure that this is being done appropriately.
And again, I think the industry is in process of
providing another iteration, and again, I think we're making
progress.
MR. REINHART: I would add on issue 3 that, when
we talk about a qualitative analysis, we need to understand
exactly what do we mean by a qualitative analysis, that we
actually manipulate and use a plant-specific model to get
and apply the insights that are required.
CHAIRMAN SIEBER: Are there any other comments?
[No response.]
CHAIRMAN SIEBER: What I'd like to do now is to
break for lunch.
After lunch, we will review Initiatives 1, 4, 5,
6, and 7.
So, why don't we return at one o'clock?
So, at this time, we'll break for lunch.
[Whereupon, at 12:08 p.m., the meeting was
recessed, to reconvene at 1:00 p.m., this same day.]
A F T E R N O O N S E S S I O N
[1:01 p.m.]
CHAIRMAN SIEBER: I'd like to reconvene the
meeting for this afternoon's session.
This afternoon, we're going to briefly discuss
Initiatives 1, 4, 5, 6 and 7.
I also notice that I have more slides than we had
slides shown.
So, if there are any pertinent parts of your
presentation from this morning that you would like to give
us briefly or reiterate anything, this would be a good
opportunity, during this afternoon's session, to do so.
Following the discussion of the other five
initiatives, we will have a general discussion of the
committee concerning our comments, because I do plan to at
least prepare a draft letter for the May 11th meeting.
The full committee will meet on May 11th from 8:30
until 10 for an hour-and-a-half to discuss this same issue
for additional discussion with the full committee. Turns
out that, between the two subcommittees, we have the full
committee minus two members. So, the presentation, unless
we think of new things over the next 10 days, should be
easier than this one.
DR. KRESS: Will the main committee focus on just
Initiatives 2 and 3?
CHAIRMAN SIEBER: Initiatives 2 and 3. I think
all of us are enough up to date on risk-informing technical
specifications that we do not need a lot of background
information on that.
I would rather concentrate on the issues at hand
rather than go through everything at that time.
On the other hand, the presentations that you gave
today were a good refresher for me and, I'm sure, for all of
the members here.
With that, I'd like to ask Biff Bradley if he
would lead this afternoon's discussion.
MR. BRADLEY: Sure.
First of all, with regard to the excessive
presentations that you noticed that we didn't give this
morning, we had to do some last-minute planning for this
session, and we ended up sort of duplicating some
presentations, so we just chose not to give the one I think
you're referring to, and I don't believe, speaking for
myself, that there is any point in that that was missed or
that we need to bring up this afternoon, but it's just
informational, and it's basically -- it's very similar to
the presentation that was given at the previous ACRS meeting
back in December of last year, I believe, and our intent
this afternoon was really just to give a pretty high-level
overview of the status of the other initiatives.
That was our understanding of what we were going
to do given the time.
CHAIRMAN SIEBER: Right.
MR. BRADLEY: So, Don Hoffman is going to lead
that discussion and just give us a brief status and schedule
and plans on the remaining initiatives.
CHAIRMAN SIEBER: I did want to give you the
opportunity to fill in anything that you felt was missed,
that you might want on the record, and since there are no
things, we can continue on with Mr. Hoffman's presentation.
MR. BRADLEY: Thank you.
CHAIRMAN SIEBER: Thank you.
MR. HOFFMAN: Certainly, sir.
As you said, we were going to give you an overview
and status of Initiatives 1, 4, 5, 6, and 7, and what we're
just going to do is describe what the initiative is and
maybe say a word or two about it and then tell you where we
are and what we're doing in our current schedule and see if
you or the -- I believe the staff is very well aware of this
-- see if the NRC staff has any comments on that.
Initiative 1, as you know, is referred to end
states, often called safe end states, but it's the
initiative which is making a determination as to what the
appropriate end state is to go to when you have a level of
degradation that would tell you to leave the mode of
applicability of a particular LCO, and you will recall that
from our presentation December 16th.
We currently have a technical justification for
the risk-informed modification to selected action end states
document which has been completed by the CE owners group and
was distributed on March 17th.
The other three owners groups and the TSTF and
RITSTF are currently reviewing that to determine the
appropriate level for each of the other owners groups to
perform in addition to what CEOG has done so that we can
provide a consistent approach and come back to the staff
telling them what we will provide.
Our current schedule for doing that is by the end
of May, with the CEOG and TSTF developing a CEOG traveler to
go out for review concurrently, also at the end of May, with
the intent of providing a TSTF to the NRC sometime by the
end of June of this year, 6/30/00.
I'm not hearing any comments. I'll move on to
Initiative 4.
Initiative 4 has two portions, 4(a) and 4(b), 4(a)
being individual risk-informed allowed outage times, which
is actually an ongoing effort where the tech spec task force
and the other owners groups are continuing to develop
proposed changes to individual AOTs and groups of AOTs with
both deterministic and risk insights.
The owners groups are continuing to work together
to share information and provide for generic applicability
where possible, but we're continuing that effort in
several parallel paths.
So, the risk-informed tech spec task force will
continue to interface with this process to ensure maximum
generic benefit, but we currently don't have a specific date
for the Initiative 4-alpha.
Initiative 4-bravo is the risk-informed allowed
outage times with the configuration risk management programs
and maintenance rule (a)(4)-type back stops, is a term
that's been used quite often.
We're still working as our risk-informed tech spec
task force with the TSTF and the other owners groups to
determine the best course of action utilizing the risk
management process and maintenance rule (a)(4) as a basis,
and currently, we're scheduled to determine this course of
action and set the process in schedule by July so that we
could advise you, the NRC, at that particular time what we
will be doing.
The CEOG, along with the risk-informed tech spec
task force, currently plans to submit a 4-bravo pilot
sometime in December of this year, with the other allowed
outage time extension sometime after the first of the year.
Concurrent with that, EPRI is working with
Westinghouse owners group and portions of the risk-informed
tech spec task force to issue what they call a risk-informed
tech spec report that currently is scheduled to come out in
September of 2000.
So, on the 4-bravo portion, we're still
identifying our specific course of action. As I said, we
should be letting you know sometime in July the specifics of
our course of action and the schedule for that course of
action.
DR. SEALE: In your slides here, going through the
package you had that had 4 listed in it, you talk about a
not to exceed time limit as being the basis for essentially
the 4(b) decisions.
Any rationale for that not to exceed that you guys
are coming up with that you want to talk about now?
MR. BRADLEY: Well, the obvious one would be your
maintenance rule unavailability target for the component,
would be the not to exceed. That's the initial thinking on
that.
MR. SCHNEIDER: You need a not to exceed not so
much for risk, also, but also for -- just to make sure that
plants should be returned to a design basis in a fixed
amount of time.
So, there's reasons for having it.
DR. SEALE: Okay.
MR. HOFFMAN: If there are no further questions,
then I'll move on to Initiative 5.
Like Initiative 4, Initiative 5 also has two
portions.
5(a) -- I think we mentioned this this morning --
5(a) is to relocate surveillance requirements which are not
related to safety.
During the development of the improved technical
specifications and the conversions from the old standards to
the ITS NUREGs, we identified a number of surveillances that
were not appropriate to be retained in the technical
specifications, and they were eliminated appropriately.
However, there were some that we were not
successful with at that time, and we didn't go after them
all as a particular group.
As a result, we have gone back and re-evaluated
that, looking through each of the sections to determine if
there are surveillance requirements either in individual
LCOs as an individual SR or as a group of surveillance
requirements which we feel are not -- do not demonstrate
operability but, rather, are there for other requirements
such as reliability, availability, and something of that
nature, and as a result, we are pursuing that under 5(a).
As I said, the tech spec task force identified
some individual SRs and groups of SRs as candidates, and
we're going to be pursuing those.
It's our intent to provide a traveler, a TSTF, to
the NRC to address 5(a) in November of this year.
MR. NEWBERRY: Don, my understanding of what you
just said there is, in your view, 5(a) is really not a
risk-informed initiative, it's more of a scope initiative.
MR. HOFFMAN: Yes, sir, that's true. Like
Initiatives 2 and 3, it has less risk insight than the
majority of them.
We were going to exercise some risk insights as to
the acceptability of taking those SRs out of the tech specs.
Now, many of them in reliability and availability
space, like, let's say, for the diesel generators, would
only be relocated and probably retained in either a
maintenance rule-type procedure or in maybe a diesel
generator reliability program.
So, they won't be eliminated in their entirety;
they just won't be a part of tech specs requiring us to
consider operability when they're not impacted.
But yes, sir, your point is well taken. This is
not a purely risk initiative by any stretch.
The second portion of Initiative 5 is 5(b), which
is relocated surveillance test intervals to licensee
control.
We had -- in 1999, one of the owners groups of the
tech spec task force had developed a traveler and a process
to try to identify a means by which selected surveillance
test intervals could be relocated to licensee control.
We have now looked at that on a more global basis
and are currently developing a basic program for licensee
control of all the STIs and working with the utilities to
finalize supporting information for such a process, and then
we'll be working with the PRA folks to get risk insights to
support this particular activity, and currently, we're
scheduled to provide a TSTF to the NRC sometime in early
2001.
And if I'm not clear, a TSTF is called a tech spec
task force traveler. It's just a colloquial term for a
traveler which proposes a change to the ITS generic NUREGs.
I wasn't sure if I'd been clear.
DR. UHRIG: Let me ask a question here.
MR. HOFFMAN: Certainly, Dr. Uhrig.
DR. UHRIG: There are a couple of initiatives
around to go to continuous monitoring. I believe EPRI has
one. There has been some discussion. At least one utility
-- we've done some work on fossil plants, where we've just
put a system into TVA -- one of their fossil plants has a
front-end monitor on their performance system.
Is any consideration being given to that, where
you basically deal with the correlation between the various
quantities that you're measuring here as an alternative to
the surveillance?
MR. HOFFMAN: When we originally started the
initiative, we had not considered that, but subsequently, we
have teamed up with the folks at Arkansas and EPRI on this
continuous monitoring process and initiative, and we are
interfacing with them now to see if there's any insights we
can gain from what they're doing that can be brought to bear
to support what we're doing. So, there is a continuous
share of information.
At our last full owners group, where we have a
combined -- all four owners groups meeting on technical
specifications and licensing issues, we had several
presentations on continuous on-line monitoring and brought
that to bear to try to identify to the different groups that
we were, indeed, interfacing with that group and getting
information and support.
DR. UHRIG: So, this basically would be an
alternative approach to the whole issue of surveillance.
MR. HOFFMAN: It is a consideration. Right now,
we're not sure how far it's going to go, and as a result of
that, we're going to continue in a parallel path to look at
the surveillances, acknowledging that that may someday
replace that or may be an alternative, as you stated, that
if I have the surveillance test intervals and/or a portion
of the surveillances under licensee control, this on-line
monitor may be a mechanism by which I'd just do on-line
monitoring instead of surveillances, yes, sir.
DR. UHRIG: Thank you.
MR. HOFFMAN: Okay. I'll move on to Initiative 6,
then.
Initiative 6 has three parts.
Initiative 6 started off being an initiative to
address the fact that we currently have one hour once we
exit an individual limiting condition for operation and get
into LCO 3.0.3 to begin the plant shutdown.
There was an acknowledgement that there were
several situations which were creating that which were
inappropriate or maybe not necessary from the beginning, and
so, we're trying to address that in its full breadth. So,
there's actually three pieces to it.
One is to modify the actual LCO 3.0.3 actions and
timing, where we would increase the one hour to 24 hours,
which was the initial scope of Initiative 6 when it began,
and then there are the other two pieces which, if
successful, will make the need for doing the 6(a) portion of
Initiative 6 lessened, and that is, one, to provide
conditions in those LCOs where there are levels of
degradation where no condition currently exists.
As you know, the way that you get to LCO 3.0.3 is
typically through two ways.
One, you have a level of degradation where there's
no condition, you have no action in an individual LCO, hence
you go to LCO 3.0.3, or you exhaust the required action and
completion times in the individual LCO and then you go to
3.0.3.
Well, the former of that, we felt that there were
places where, in individual LCOs, there should be conditions
and required actions which would negate the need to go to
3.0.3.
The second part is that we have identified through
the improved technical specifications NUREGs places where we
actually instruct the individual to go to LCO 3.0.3, where
we have put a condition for a level of degradation which has
been termed to be a loss of safety function and its required
action is enter LCO 3.0.3 immediately.
We believe, in many cases, that may be also overly
conservative and punitive, and we are re-addressing that as
part of 6(c).
So, we believe that if we are successful with 6(b)
and 6(c) under Initiative 6 that the need to modify the LCO
3.0.3 timing under 6(a) from 1 to 24 hours may be lessened
significantly.
We're currently scheduled to provide -- we're
working with the CEOG now to provide a draft for 6(b) and
6(c) in June of this year, and our current plan is to
provide a TSTF to the NRC in October of this year.
And the last on our list is Initiative 7, which
you spoke this morning about, sir, about defining actions to
be taken when equipment is not operable but still
functional.
The tech spec task force and the Westinghouse
owners group have taken the lead on this and are currently
working to develop a course of action and an attempt to
bring the configuration risk management program, maintenance
rule (a)(4), safety function determination program, and
operable functional available into alignment such that we
can identify the differences, understand the significance of
them, and provide a definitive -- I will call it definitive
tech spec requirement to address that, and our current
schedule is to provide a traveler TSTF to the NRC in early
2001.
CHAIRMAN SIEBER: Is this an attempt to redefine
what operability is?
MR. HOFFMAN: No, sir.
CHAIRMAN SIEBER: Tell me what the difference
between operability and functionality is, so I can
understand it.
MR. HOFFMAN: I'll certainly make a feeble attempt
given the fact that we haven't completed all of our
evaluation and work in this arena.
As you know, we have a definition of operability
which currently requires a number of things, and you're
obviously very familiar with that, as you've stated this
morning, and all dependent functions, whether it be oil,
cooling, instrumentation, whatever it may be, in order to
facilitate the capability of performing the intended safety
function.
There's also an acknowledgement in Generic Letter
91-18 that there are certain aspects to operability that
don't really -- quote/unquote, "operability" -- which might
be some kind of pedigree or qualification, possibly, like
seismic, EQ, and other actions or activities.
What we have attempted to do is to acknowledge
that, many times, we will have a situation where we don't
meet a particular tech spec requirement, through a
surveillance or any other case, but yet we have
functionality but we may not have operability.
One of the examples that has been currently
discussed is where a safety analysis assumes 5,000 gallons
per minute, let's say, for a HPSE pump on a boiling water
reactor and that's assumed to be into the vessel itself. We
do a surveillance and we find that we're getting 4,800
gallons per minute into the vessel.
We certainly may not have operability, but one
would argue that 4,800 gallons is better than zero gallons,
so we may have some level of, quote/unquote, "availability"
or functionality.
So, we're currently trying to decide if the
current conditions and required actions are too punitive for
that level of degradation and trying to attempt to define a
different course of action that would give us some
additional time or additional compensatory measures to
enable us to have something that doesn't meet operability
yet does meet some level of functionality, and bear with me,
because that's not completely defined yet.
CHAIRMAN SIEBER: I can remember instances where
emergency tech spec changes have been given after analysis
of situations like that, where you're able, through
engineering analysis, to show that 4,800 or 7,000 or
whatever it is you're supposed to have, minus 2 percent, was
good enough. That was a fairly rare occurrence, as I
recall, you know, once every five years for a given plant.
I presume that you want to somehow or other write
into the tech specs the fact that a licensee on its own
initiative and under its own authority could determine that
4,800 gpm or whatever number you've analyzed and justified
is good enough to call the equipment operable, and by that,
I mean not enter the action statement, okay, and without
interchange and approval by the NRC.
Is this really what you're talking about?
MR. HOFFMAN: Yes, sir, to some extent, except we
wouldn't consider it operable, we would only consider it
functional.
So, we would declare it inoperable, but its
required action and completion time would not necessarily be
as punitive as inoperable would normally have you do.
So, in other words, we would put some
contingencies and some compensatory measures and some
limitations on how that could be used, yet allow the plant
to maneuver within some limited means of being not operable
yet still providing some level of functionality.
CHAIRMAN SIEBER: To me, that's a redefinition of
what operable means, because if it isn't operable, you go to
the action statement.
MR. HOFFMAN: I couldn't agree more. Actually,
sir, as I said, we don't intend to redefine operability. If
it didn't meet operability, it would be declared inoperable,
but if it could be declared inoperable and yet still
declared functional, its level of action would be different
than if it was inoperable and declared not functional.
CHAIRMAN SIEBER: Does this put in a new layer of
action statements that apply when items of equipment or
components are functional and not operable? I mean it could
double the size of the tech specs.
MR. HOFFMAN: This particular initiative's level
of effort to date is less than all of the other initiatives.
So, I would be presumptuous to state that that's our intent.
I will tell you that we're considering a number of
different options and welcome comments from anyone who would
like to provide some insight.
It's an initiative that was brought up because we
have seen examples and occurrences of situations where the
action required to be taken for inoperable but still
functional were perceived to be -- even in risk space -- to
be overly conservative and, in some cases, even contrary to
risk.
So, given that, we felt we needed to take on the
initiative to determine what is an appropriate course of
action. We obviously haven't gone deep enough into that to
explore all the different impacts that there might be from
it, sir.
DR. BONACA: One thing I think is beneficial about
this initiative is that the perception we have always
communicated to ourselves and to the public is that, if you
do not meet the requirement, it doesn't matter if you're
functional, you have a failure, and therefore, we have had
so many examples in the press, for example, of, you know,
the plant did not have a system, therefore it lived for 20
years without a system, and that wasn't the case, you had
functionality all along, maybe.
A better example than simply partial functionality
is not meeting a code requirement. Okay.
A code requirement is a specific pedigree, and I
think there have been a lot of examples where you have a
system that everybody will agree will function, provide a
function, but did not meet a certain pedigree or a certain
specific attribute of the pedigree.
So, to some degree, that's an important step, that
at some point we want to -- I am supportive of.
CHAIRMAN SIEBER: Well, I think when we get to
Initiative 7, we'll be more than happy to learn what you
folks have come up with.
MR. HOFFMAN: And I'm sure we will be more than
happy to gain your insights to assist us with that, sir.
CHAIRMAN SIEBER: Thank you.
MR. BRADLEY: That completes the industry's
presentation, if there are no more questions.
CHAIRMAN SIEBER: Does anyone have any questions
they'd like to ask at this time of industry representatives
or the NRC staff?
[No response.]
CHAIRMAN SIEBER: Well, I felt today's
presentations were very good and very informative and --
both on the part of the staff and on the part of NEI and the
industry representatives, and I appreciate that.
We will meet again to have a short discussion,
similar to today's, at the full committee meet on May 11th,
and this topic is currently scheduled for May 30 until 10
o'clock in the morning, which is not a very long
presentation, but as I said before, most of the members are
here, and so, cutting it down will not represent any kind of
a loss of content on our part.
So, with that, I thank you all for coming here.
You're welcome to stay.
Our next step on the agenda is our own discussion,
and for that portion of the discussion -- that will help me
write a draft letter should we decide to send one to
whomever we decide to send it to.
It will help me incorporate the comments and the
feelings of the members.
So, I think, at this time --
DR. APOSTOLAKIS: Is the staff requesting a
letter?
Are you requesting a letter?
MR. NEWBERRY: No, we are not.
CHAIRMAN SIEBER: They're not demanding a letter.
DR. APOSTOLAKIS: They're not requesting, not
demanding.
MR. NEWBERRY: No. These are licensing activities
that we are in process for and we'll continue to proceed on,
but of course it's an important activity, and if the
committee has some comments, we'd be glad to have them.
CHAIRMAN SIEBER: I would think that, if we wrote
a letter, it would be to the EDO saying, you know, we've
listened to the presentations and we have these comments,
and so, what I'd like to do now is go off the record.
[Whereupon, at 1:27 p.m., the meeting was
concluded.]
Page Last Reviewed/Updated Tuesday, July 12, 2016