UNITED STATES NUCLEAR REGULATORY COMMISSION
BRIEFING ON DIGITAL INSTRUMENTATION AND CONTROL
+++++
Monday April 7, 2008
+++++
The Commission convened at 9:30 a.m., Dale E. Klein, Chairman presiding.

NUCLEAR REGULATORY COMMISSION
DALE E. KLEIN, CHAIRMAN
GREGORY B. JACZKO, COMMISSIONER
PETER B. LYONS, COMMISSIONER
KRISTINE L. SVINICKI, COMMISSIONER

PANEL 1: INDUSTRY REPRESENTATIVES
AMIR SHAHKARAMI, Senior Vice President Engineering and Technical Services, Exelon and Chairman, NEI Digital I&C and Human Factors Working Group
RON JONES, Senior Vice President Nuclear Operations, Duke Energy
MITCH LUCAS, Vice President, Nuclear Engineering and Support, Luminant Power and Member, NEI New Plant Working Group
ALEX MARION, Executive Director of Nuclear Operations and Engineering, Nuclear Energy Institute

PANEL 2: NRC STAFF
LUIS REYES, Executive Director for Operations
JACK GROBE, Associate Director, Engineering and Safety Systems, Office of Nuclear Reactor Regulation
RICHARD CROTEAU, Deputy Director, Division of Engineering, Office of Nuclear Regulatory Research
PATRICK HILAND, Director, Division of Engineering, Nuclear Reactor Regulation
MICHAEL MAYFIELD, Director, Division of Engineering, Office of New Reactors

P-R-O-C-E-E-D-I-N-G-S

CHAIRMAN KLEIN: A lot of advancements have occurred in the Digital Instrumentation and Control. I think this is our third Commission meeting on Digital Instrumentation and Control. And since our last meeting you had about 30 public meetings on that subject in I think we have about four staff guidance documents issued so certainly, a productive period. Before we start, I would like to initially welcome our new Commissioner, Kristine Svinicki. Kristine is now an old hand, she was sworn in a week ago last Friday. So she's been here and well-established and she knows her way around. Kristine comes to us with a lot of experience, both in the Wisconsin Public Service Commission and then Department of Energy for a while. Then worked with a lot of energy and research development activities for Senator Craig and most recently on the Senate Armed Services Committee. So, she comes to our agency with a lot of experience. Welcome Kristine.

COMMISSIONER SVINICKI: Thank you, Mr. Chairman. I would like to thank everyone, everyone has been very welcoming and I'm pleased to be here. Thank you.

CHAIRMAN KLEIN: Before we start any comments.
Commissioner Lyons.

COMMISSIONER LYONS: Welcome Kristine.

CHAIRMAN KLEIN: Well, Amir, it's all yours.

MR. SHAHKARAMI: Good morning, Chairman Klein and Commissioners Jaczko, Lyons and Svinicki. It is my pleasure this morning to present the industry’s perspective on the application of digital technology in U.S. nuclear power plants. My name is Amir Shahkarami, Senior VP for Exelon Nuclear and I'm also the Chairman of Industry I&C Working Group. Please allow me to introduce our supporting speakers today. Mitch Lucas. Mr. Lucas is the Vice President of Engineering and Support, Luminant Power. Mr. Ron Jones next to me, Senior Vice President Nuclear Operations, Duke Energy and Mr. Alex Marion, Executive Director of Nuclear Operation, Nuclear Energy Institute.

Slide two. The topics I'm going to cover today are objectives, goals, overview, status and conclusions. We will provide our thoughts today on the regulatory involvement regarding the use and application of digital technology and plan to offer our perspective on our project objectives and goals and overview on the status of our ongoing activities. Finally, I will offer some conclusion. We believe the safety focus application of digital technology is
essential for the future of the nuclear industry. Digital technology is important for current operating units in addressing obsolescence and will enhance plant safety, availability and reliability. Digital control and protection systems are an integral part of design certification, new plant design, as well as new fuel processing facility. I just want to tell you that within Exelon about eight or nine years ago we developed a strategy for the Digital I&C and over time a lot of project moved to the right on a safety related application because of the issue we have today. So, I'm very optimistic about where we are going and trying to pull a lot of those to the left. There is a need for continued level of coordination and cooperation between the NRC and the industry to ensure consistency in the regulatory process associated with application of this technology. We have established a management structure for identifying issues and moving them to resolution in a disciplined and timely manner. We must create realistic guidance with the licensing processes of digital applications.

Now, let me talk about some of the goals; the short term. The specific short-term goals are to develop interim staff guidance as you mentioned, Mr. Chairman, in time to support the submittal of licensing amendment and review of the anticipated digital applications. The ISG must be technically sound, practical to apply and contain guidance for an
appropriate level of detail for regulatory evaluations and reviews. The long-term goals are to continue industry interactions to incorporate the ISG content into final regulatory guidance, assure consistency with applicable industry codes and standards and endorse related detailed industry guidance through established agency processes. Success of the application of digital technology with our nuclear industry will be dependent upon assuring the continued safe operation through each nuclear facility digital application. Realistic, practical guidance and cooperation must prevail. We have seen significant technical gains in other industries, especially in digital technology. This technology is undergoing continuous change and improvement. We must work together to change regulatory guidance to keep pace and technology development that can assist nuclear power generation. In our push to attain timely issuance of guidance, we must ensure changes to current positions are made in accordance with appropriate regulatory process and well communicated to all the stakeholders.

Page six. The project plan is working well to define the roles and responsibilities of Digital I&C, the Steering Committee and Task Working Group. Ms. Kristine, you may not be familiar with our structure, but basically we have an industry working group, with 7 members, and NRC
has the same format. And with the leadership of Jack Grobe and I represent industry, we routinely interact. Like Mr. Chairman said, we have had numerous meetings over time. The pilot project, Duke's license amendment request, provides the opportunity to benchmark to NRC interim staff guidance. It also will demonstrate the effectiveness of the licensing process and address industry concern of regulatory uncertainty in the timely application of Digital I&C system. We see the need to maintain the project steering committee with industry involvement and support throughout this year and into next year if necessary to support the timely implementation of future digital applications.

Slide seven. Fundamentally, we are concerned about the fixed time period. This is related to manual operator actions and the 30-minute time requirement. I can tell you that we appreciate the cooperative effort between the three task working groups to develop a method for determining an acceptable time period associated with crediting manual operator action. The draft guidance is undergoing review at this time. Our principal focus is on a process that determines the time period using the plant safety analysis and best estimate methods and acceptable criteria as defined in BTP19. Our guidance should show what is to be
submitted and when. It also should specify which document must be available, which will be reviewed and which must be docketed. Without resolution of document inventory control the review approval process will see unnecessary delays.

Slide eight. An ongoing challenge is to attain an acceptable level of detail for the digital application reviewers. They remain concerned that the requested level of detailed questions suggest an independent design review/re-verification rather than attaining a reasonable assurance determination. It takes years to design, to layout, to get the material, build it and test it. So, I think what we're trying to say is that we will provide all that information and we ask them specifically what piece of that is required to do the review rather than fully independent verification. We want to avoid expanding the scope of situations that do not result in a significant safety benefit. Expanding that functionality can be very complex. Complexity can lead to a spurious actuation and adverse interaction with the primary protection system which would reduce plant safety.

Slide nine. As I mentioned earlier, we see the need to maintain the project steering committee with its industry involvement and support throughout this year and possibly into next year. Its significant commitment of
resources are critically important. The NRC and industry will be active into 2009 with oversight by the Steering Committee and Task Working Groups. Project deliverables are in use now. As announced at the Regulatory Information Conference, the ISG-04 in regard to communication was used in a staff review. Additionally, ISG-06 draft, which is licensing process, was used in licensing documents from Duke License Amendment Requests. Rollover to permanent guidance has started in ISG-01, which is Cyber Security. This is being used in draft rulemaking and regulatory guide development.

Let me give you some project status. I want to make sure on page 10 this number of problem statements resolution do not reflect the effort expended nor their closeness to completion on a deliverable within the project plan. We have had several discussions several weeks before after these things were issued to you -- and we have made progress and we are close to coming to a conclusion on a lot of these items. We originally identified seven technical issues that became topic for interim staff guidance. The Task Working Group identified 25 problem statements. Three of these have been completed to date. As I said, a lot of them are coming to closure.

COMMISSIONER JACZKO: Can you just specify which are the ones that are completed and which are the one --?

MR. SHAHKARAMI: I'm sorry?

COMMISSIONER JACZKO: The three that are completed?

MR. SHAHKARAMI: The three - I have the list. Alex, do you remember those?

MR. MARION: Yes. Bear with me a second. I'm Alex Marion. One, we have Task Working Group #4 on Communications. That's considered closed. I'm taking up valuable time here. I'm missing the other one. Bear with me a second.

COMMISSIONER JACZKO: That's okay. We can move on.

MR. MARION: We'll get back to that.

MR. SHAHKARAMI: We are confident that we are on closure path with the remaining problem statement in 2008. Although we expect delays for the ISG for risk informing and fuel cycle facilities. Again, I want to really elaborate that the collaboration and working on this issue gives me a very optimistic view that we're going to come to closure. So, lots of progress has been made on this problem statement. We haven't done a final sign off. So, we're making progress.

Let me go ahead with conclusions on page 11. We see the need to maintain the project steering committee with this industry involvement and support throughout this year and possibly into next year. It is significant commitment of resources, but critically
important as I said earlier. The pilot project will validate the interim staff guidance and Ron Jones is going to be talking about that. This is of highest importance and significant to us. It will demonstrate the effectiveness of licensing process plus addressing the industry concern on regulatory uncertainty in the timely application of Digital I&C system. The Task Working Groups must continue to refine and enhance the ISGs until they are technically sound, practical to apply, and initiate an appropriate level of detail for regulatory evaluation and reviews. We recommend continuation of the project management structure for identifying issues and moving them to resolution to create a stable, predictable and timely licensing process with realistic guidance. And that concludes my presentation. With that, I would like to turn it over to Mr. Ron Jones.

MR. JONES: Thank you. Good morning. As Amir said, my name is Ron Jones. I'm Senior VP with Duke Energy over Nuclear Operations. I have responsibility for Duke's three nuclear plants along with our centralized support organization and major modification organization. I appreciate having the opportunity to discuss our experience in pursuing the digital upgrade for Oconee's reactor protection and engineered safeguards system with you all today.

Slide two.
The Oconee units have been in operation for over 30 years. The existing analog RPS/ES systems are original plant equipment and while they're fully reliable today, we are pursuing replacement systems to preclude future problems. We've selected the AREVA TELEPERM XS digital protection system for the replacement. This is the first U.S. plant replacement; although the system has been successfully installed in European nuclear stations both in reactor protection and plant control systems. We've submitted a license amendment to obtain approval of changes to the Oconee licensing basis and technical specifications to support this new system.

Page three. We plan to install the system on the first Oconee unit in the fall of 2009, with the remaining two units following in the fall of 2010 and 2011 respectively. Duke's been pursuing this upgrade for several years and the systems for the first unit are actually fabricated at this point. Parallel with the licensing submittal, we have significant work underway in preparing for the installation, testing and operational use of the systems. Factory acceptance testing will be conducted in fourth quarter of this year with system delivery in early 2009. For this reason, we need a timely review of the submittal so that we can prudently plan for the first installation in the fall of 2009.

Slide four.
This project is one of several Digital I&C upgrades that Duke is undertaking. We constantly assess the health and the reliability of our I&C systems and project the appropriate timeframe to upgrade them before they become unreliable or difficult to maintain. We've considered refurbishing some of these systems by re-engineering circuit boards and replacing other components in the systems; however, we've concluded that this will be shortsighted and that would leave us with 40 year-old technology and no real performance gains. Therefore, we've decided to pursue digital technology which we believe will enhance reliability and nuclear safety. The inherent ability of digital systems to monitor their own health, to self detect failures and operate correctly even with certain failures will provide significant improvement in the performance of these important safety functions.

Slide five. We've made a substantial investment in our digital implementation strategy to address the unique technical, quality and regulatory requirements of this technology. We want to be in a position to upgrade our I&C systems across our fleet such that we stay ahead of any potential operational problems as these systems age. We've worked closely with AREVA to prepare this licensing submittal striving to be completely
responsive to the NRC guidance for digital submittals. We found that some of the advanced technical features of these systems have been a challenge to accept under the existing regulatory guidance. We applaud the work of the NRC to ensure that the regulatory guidance keeps pace with the development of innovative features that truly make these systems more reliable and safer than their analog counterparts.

Slide six. We certainly appreciate the efforts of the NRC and NEI working together under the Digital I&C project plan to create a viable path forward for digital upgrades while preserving all elements of nuclear safety. Indeed, we believe the RPS/ES submittal will benefit from the interim staff guidance that has been published, particularly the ones dealing with communication issues and cyber security. We remain hopeful that the pending guidance for the licensing process will also be helpful. Frankly, so far we are still seeing a licensing process that seems to be more of a detailed design review rather than a regulatory review. In fact, we are providing information that we would not have been able to provide if we were not so far along in this project. And so I'll conclude with this point. The industry needs a stable, timely and predictable licensing process without undue burden to gain confidence in undertaking the much-needed modernization of our I&C
infrastructure. There are many folks sitting on the sideline now and monitoring Oconee's project to monitor its success before they decide to go forward with their own particular projects. We believe that continuing to operate the legacy analog systems beyond their prudent life cycle is a greater risk than upgrading to digital technology. We strongly endorse the efforts of the NRC and the industry to resolve these barriers to implementation so that we can move forward with these important safety improvements. Thank you.

MR. LUCAS: Good morning. I'm Mitch Lucas, Vice President of Nuclear Engineering and Support for Luminant Power. I'm responsible for the new plant work at Comanche Peak. It is my privilege this morning to present the new plant perspective on the joint NRC and industry Digital I&C issue resolution efforts. I'll spend a few minutes discussing feedback from the new plants, including the vendors.

Slide one. The last 18 months have been extremely challenging for both the NRC and the industry working in parallel on several issues. These challenges were met head on and many issues have been resolved successfully and should result in a stable and predictable licensing environment for new plants. We appreciate the ongoing proactive efforts of the NRC.
Hard work by the industry and the NRC resulted in the issuance of several interim staff guidance documents to provide much-needed clarity in several Digital I&C areas and lays the foundation for future work. The industry is currently working on developing guidance documents; some for NRC endorsement to ensure consistency and interpretation. In the human factors area, industry draft guidance documents on computerized procedures, minimum inventory and the ongoing efforts on the manual operator actions are a few examples. In the diversity in depth area interim staff guidance provides much-needed clarity on adequate diversity, manual operator action and effects of common cause failure. In the highly integrated control room communication area interim staff guidance provides clarity in several key areas affecting detailed integrated control room designs. The interim staff guidance removes any guesswork on the part of the new plant vendors and provides valuable guidance. This helps the industry, both vendors and licensees. The guidance complements the Standard Review Plan in many areas by providing added clarity. This coupled with industry guidance documents will help ensure consistency and interpretation and should result in improvements in vendor and utility submittals and NRC review time.
We do recommend that the NRC work to provide consistency in interpretations and reviews among various NRC divisions on new plants, vendor and utility submittals.

Slide two. The interim staff guidance and industry white papers will help new plants better understand NRC expectations and requirements. It will also help new plants and new plant vendors be better prepared when dealing with the NRC during their design certification process and when responding to requests for additional information pertaining to new plant and vendor submittals. In general to date, new plants have not identified conflicts with issued guidance. Our industry continues to develop methodology to determine the acceptability of manual operator action times to be used in diversity and defense in depth evaluations as an alternative to the 30 minute criteria. This methodology is critical for new plants. We thank the NRC for their continuing efforts to address this issue. We, the industry, and the NRC need to work together to clearly define the requirements for Digital I&C submittals, levels of detail and ITAAC closure methods. Clear understanding and identification of the documentation necessary for ITAAC closure is important to new plants since near final Digital I&C design is a prerequisite for simulators.

Slide three. As new guidance is used over the next few years, it is important
that we continue the feedback mechanism through the joint NRC/NEI Digital I&C Steering Committee. Actual implementation of the new guidance may result in identifying the need for new or additional clarification. Pilot projects will help validate effectiveness of the issued guidance and build confidence in the process. Mitsubishi has volunteered to participate in a pilot project to validate the manual operator action times under full scope USAPWR simulator in Pittsburgh. This would be very beneficial to new plants since it would help validate the methodology for manual operator actions. We as a community of new plant vendors and owners strongly recommend that the Digital I&C Steering Committee remain in place to ensure guidance is adjusted where necessary based on industry feedback and pilot project results.

Slide four. The joint NRC and industry-focused efforts will result in safe and reliable implementation of the digital technologies in new plants, improved safety, reliability and human performance in new plants and stable, predictable and timely licensing processes for new plants. Improved guidance with consistent interpretation will result in terms of resources and time for both new plants and the NRC. Efficiency improvements such as reduced number of RAIs, adequacy of vendor submitted information, a lesser number of regulatory misinterpretations,
minimal redesigns and minimal inconsistencies among staff reviewers. This will all result in savings, both for the industry and the NRC. In conclusion, Luminant Power strongly endorses the joint NRC industry efforts to identify and resolve Digital I&C issues to ensure a stable, predictable and timely licensing process for new plants. These efforts significantly help the continued development of new plants in the United States.

MR. SHAHKARAMI: Mr. Chairman, this concludes our formal presentation.

MR. MARION: If I may, I have the response to Commissioner Jaczko's question. The three ISGs that were completed as --

COMMISSIONER JACZKO: Those are just the three ISGs?

MR. MARION: Right.

COMMISSIONER JACZKO: I always wondered if there were something different than those three. I guess we have that list somewhere.

MR. MARION: Well, the three that were completed at the time that we developed the presentation material were cyber security, treatment of single failures as part of diversity and defense in depth and communications. Now, there are a couple -- possibly three ISGs that were
due to be issued towards the end of this month and I don't know what the current status of those are.

COMMISSIONER JACZKO: We'll ask that -- the staff might be able to do that.

CHAIRMAN KLEIN: Well, thank you very much for that feedback. Obviously, we'll hear from the staff a little bit later from their perspective. Thank you very much for those updates and we'll begin our questioning with Commissioner Lyons.

COMMISSIONER LYONS: My thanks to all of you for excellent presentations. I think it was of the order of perhaps three years ago, maybe two and a half years ago that the Commission heard from industry really serious concerns about the status of the regulatory framework for Digital I&C. And at that point I think if I remember a quote, it was a statement that the regulatory position on Digital I&C could well be the long pole in the tent on new plant construction. I think all of you have really answered this, but I'd like to be very sure that I'm understanding correctly. Is it your view that Digital I&C is now receiving the appropriate degree of emphasis from the staff and that the working relationships between staff and industry are well established?

MR. SHAHKARAMI: I'll go ahead and answer that. I think we as an industry and NRC recognize that we can't wait until we get all the
formal documentation out there so we took on issuing the interim guidance. I think that's going to help the process, especially with the pilot plant. But I think we need to be open and if something just doesn't work because ISG said so, we need to be able to check and adjust that as appropriate. I think we should stay tuned with our project plan. I don't think we're going to have a lot of issues with keeping up with this technology. I think since a year-and-a-half ago when we started this and today there is a big difference and I'm very optimistic that staying with the project plan, resolving issues and being connected throughout this process will make us successful.

COMMISSIONER LYONS: I appreciate that. Comment to the staff, too. My appreciation for their role in responding. Certainly, my appreciation to industry, too. Another question which would come from meetings of perhaps of a year or two ago. There was some suggestion at least as I interpreted it from industry -- that perhaps digital systems needed to be looked at somewhat differently than traditional analog systems from the perspective of safety. I just wanted to affirm, I hope, that there is agreement on the part of industry that we still need to maintain the independence of redundant safety channels that we have demanded in the analog world. And again, I
believe that's well established now. That's for either Alex or Amir.

MR. MARION: Yes, it is. It is.

COMMISSIONER LYONS: A question probably to Mitch. You mentioned the need to move ahead with simulators. And that had been -- when the discussion had been of the long pole in the tent -- simulators was one of the major concerns. With the progress that's being made now, do you anticipate being ready for simulator orders and roughly in what time frame do you anticipate the first simulators being ordered?

MR. LUCAS: It varies with the company that's planning to build on what their time frame is for it, but I believe they're ready and I believe you'll see simulators --

COMMISSIONER LYONS: Do you think you will be ready to specify those simulators?

MR. LUCAS: Yes.

COMMISSIONER LYONS: That's certainly positive. A question for Ron. You mentioned that the system being proposed for Oconee is used in a number of plants, particularly in Europe. Could you comment a little bit on the performance of that system? Have there been problems identified and corrected? Or has it been essentially trouble-free?

MR. JONES: I don't have the most recent data on
performance. My rough count shows that there are about 13 reactor protection systems installed across the globe. There's another 14 that are in the planning process; three of those being Oconee. The data I had seen from a couple years ago when we were having some original discussions with the NRC on the Oconee submittal showed extremely high reliability from the international systems that had been installed. I don't recall that there was a single failure at that time that prevented the system from performing a safety function and there's more lower level, single channel type issues; things that the machines are designed to detect early and immediately alert the operator of and take action to remove that channel from service. Extremely high reliability.

COMMISSIONER LYONS: And then finally I had a question really for any of you. I can well imagine that the training required of operators is going to have to change significantly as you move towards a fully digitized control room. And certainly, the operators need to have the same -- or I would anticipate have the same level of understanding of what's actually -- what the system functions are that are being performed. But I would think they also need a new appreciation of the digital interfaces, the types of problems that could potentially occur and the types of awareness that they need to develop. I was just curious if any of you could comment how your training programs will require modification or
how we're looking at changes in training programs as you move toward Digital I&C?

MR. LUCAS: We implemented a digital turbine control system, so we have some experience at Comanche Peak with that. We involved operators through the whole design phase and through the testing phases and then we implemented -- as you said it's different training for digital controls. One other thought -- that was our first system to go in like that. We had some concerns that maybe the operators wouldn't like that and I think maybe they were a little wary of it, but it's so much better than the analog system. In the old analog system, if they needed to adjust power and they hit the button to adjust power up a little bit, it might jump 5 megawatts. Right now, they can set a half a megawatt and it smoothly goes to that. It's far superior. In addition to that, that was our most unreliable system and it's extremely reliable now. We made some mistakes going through that, too, but I think for the operators it was not a hard transition. I think what it did for them is they said, "When are we going to do everything else?"

COMMISSIONER LYONS: I guess my concern, Mitch, is that, yes, as long as the system works perfectly, I would anticipate just what you described. But I would think that the operator has to have a
slightly different sense of awareness of what could happen if the system doesn't work perfectly.

MR. LUCAS: Yes, we've actually been through scenarios like that with them. They have a response plan for a problem with the control system where they manually trip the turbine and the reactor. So, they have responses planned and trained for even if the digital system didn't operate the way they expected.

COMMISSIONER LYONS: I'd be interested in comments from anyone else.

MR. JONES: Just commenting on Oconee, for example. Oconee is over 30 years old, all three units. It's probably one of the more digital nuclear plants out there nowadays, though, compared to other units across the United States. We've undertaken a digital automatic voltage regulator for all three units for the main generator at Oconee; digital AFIS system, automatic feed water isolation system; digital integrated control system or ICS System; digital stream mods, which basically replaces a lot of monitoring and also valve controls out on the secondary side of the plant with digital systems; digital turbine control and digital control rod drive control system. Oconee is -- and the operators at Oconee are very familiar with what digital looks like and we're also very familiar with the changes in
training because there is a different training approach on a digital system with an operator than there was with the old analog systems that we're all familiar with in the last 30 or 40 years. Operators are trained -- I think probably one of the bigger challenges with digital systems is there's so much information there and available to the operator at their fingertips. It's extremely critical to prioritize that information for them on the front end so that when they see certain alarms come in they know that's a critical and it does have something to do with the operational aspect or reliability of this machine versus some of the others, which are simply status indicators more for the engineering folks. So, we've worked through that. The Oconee digital system has been very successful with that and the operators are extremely comfortable with them. They like the digital systems much more than the old analog systems. A big part of that is just overall reliability. And then the other big part is they're very fault tolerant. If a channel fails, they know it's going to fail before it fails as opposed to being surprised by an alarm that says now it has fully and completely failed. So, a lot of the systems we put in are, of course, multiprocessor constantly comparing inputs to validate and verify them and taking steps to alert operators when something's starting to degrade well before it
impacts any operation of the plant.

MR. SHAHKARAMI: I just want to give you another insight. I think there is a difference between operating units and new units because the people that are getting educated today walk in to work with new plants all know it's digital. You can't even go back and teach them the analog system. I get a new college student coming to my office and amazed with the way we used to run this unit. So, I think going forward it's easier than operating units because for current operators we need to teach them one, forget about that analog, get the system and then get them engaged. In our Exelon fleet we have gone digital EHC, digital feed water. We are in process of doing a variable speed pump on a boiler on a reactor recert. They get engaged right up front with the selection visibility and testing, but I think the fair question would be after it's done just go ask them their view on the ease of operation, the capability of monitoring and taking action. Almost every one of the system after six months or seven months will go to the control room and just challenge the chief manager and they really appreciate the system much more than they did before with analog.

COMMISSIONER LYONS: I appreciate those answers. I'm out of time. The main gist of my question, though, had been what
happens when -- is the attention to potential failure modes in the system? I think some of you addressed that. Thank you, sir.

CHAIRMAN KLEIN: Commissioner Svinicki?

COMMISSIONER SVINICKI: Thank you for that courtesy, Mr. Chairman. As you've indicated, I'm stepping into the middle of a dialogue that's been ongoing between the staff and the industry for some time. I appreciate the questions of Commissioner Lyons which are very informative. I know he spent a lot of time personally on this issue. I do have one question for this panel. I think all three of you, perhaps in different terms, made reference to the need to come to closure on the appropriate level of information that needs to be available. I think one of you talked about what's available, what will be reviewed and what needs to be docketed. And there was also a discussion of design verification - if I have this term right - versus the regulatory review. If any of you would like to comment on coming to closure on that issue of this what information is needed, what will be the appropriate level of review. Is there any sense that you can give of where that dialogue stands right now and where the level of agreement or disagreement might be?

MR. MARION: If I may, it's an area of active dialogue. Fundamentally, the issue comes down to the extent of which the licensees
need to provide documentation to the NRC staff reviewers so they can make a finding. And if I might take just a few seconds and walk through the process. These changes that involve Digital Instrumentation and Control affect the technical specifications at the plant. And as such, they require NRC review and approval. The licensee will submit a package of information that explains the change, the effect of that change or the impact of that change on the licensing basis of the plant and any associated regulatory commitments. The expectation from the licensee is that the NRC will review the application within the context of the plant licensing basis and the regulatory commitments that are affected and how the licensee is going to continue supporting the new changes to the licensing basis as well as the commitments. We suggest that independent design review is something that's come up because that's an observation that we have in some of our interactions with the staff. We don't have the time for an independent verification of the design. I don't think the NRC has the resources to provide that kind of a review and we need to get to a common understanding of what the expectation is from the staff relative to these submittals.
That's something that's under active discussion and I think we're making progress, at least getting to a point of seeing a place in time where we will have an understanding, but we're not there yet. And it's critically important because it applies in all areas -- or will apply in all areas where license amendments are issued in the future.

COMMISSIONER SVINICKI: Thank you. Did anyone else want to comment on that?

MR. SHAHKARAMI: Ron mentioned that given that their amendment has taken so long, they would not have been able to provide information that has been asked now ahead of time and the only reason is because they haven't implemented it, but they've been working on this for years.

MR. JONES: That's correct. We are to the point now where the detailed system design is fully complete and the system is actually built. It's not really practical for a utility retrofitting a plant, though, up front to make a commitment of in this case close to $100 million for three units and actually build the systems and face licensee uncertainty at that point. We've got to have some assurance - the utilities will have to have assurance early on that the process is very defined, very black and white as to what does need to be reviewed as part of the review process; what does and what can be verified afterwards for example during the
installation of the system, during the subsequent testing that occurs. Right now, from my personal perspective, that line is not clear. It will need to be very clear for future safety related digital system upgrades by other utilities.

COMMISSIONER SVINICKI: Thank you. Thank you, Mr. Chairman.

CHAIRMAN KLEIN: Amir, I have questions in the order of presentation, so you get to go first. One of the questions I have is we've often discussed in the United States we have 104 reactors. We have 104 different ones. I guess I'd like to hear what you're doing to get standardization in the Digital I&C from the industry's perspective?

MR. SHAHKARAMI: I think on certain applications we must pursue a standard design. When you look at the boiling water reactor, I don't think we have to go to five or six different vintage designs. I think the design is there, but there are some specificity to some of the unique design that we choose years back that is hard to create the communication with the existing systems. I'll just go back and give you an example in Exelon. Nine years ago when we established on our strategy toward Digital I&C, we anchored everything toward our control room being modern. That means every piece that I would upgrade it would end up communicating with the control
room design. And over the years, that basically vanished because the cost of doing that was so huge that we installed just going after what really meant for the ease and obsolescence issue. I think the only way we can standardize if everybody has that thought process that we would have a modernized control room to anchor that and then try to use the same standard upgrade toward that vision. Otherwise, if we wanted to do piecemeal I have a hard time to see that we're ever going to be standardized.

CHAIRMAN KLEIN: I think as we go forward standardization is very important, so I would strongly encourage the industry to self-encourage standardization because my guess is -- on this side of the table if we see a diversion pattern, I would strongly encourage our staff to give guidance for standardization. I think I would strongly encourage you all to take a look at that because if you don't, we will. We really need to look at that issue.

MR. LUCAS: Can I just add to that? That's one thing that we look real hard at when we're considering a digital change is we want to go with what has somebody else already done. For one thing, it's not a complete unique design for us, so we don't go through all that expense. We get to learn from the other lessons from the other plants. So, that's a
key thing for us.

CHAIRMAN KLEIN: I had a question on you later, but I'll just go ahead and ask it now. Are you getting pretty good feedback and cooperation from other countries on what they've done?

MR. LUCAS: Most of the vendors are connected with some other countries and what they've done. I can tell you just personally with Mitsubishi that they're definitely looking at what they've already implemented in Japan. So, I think there's good communication there and I know with AREVA it's the same way.

CHAIRMAN KLEIN: Well, Amir, you commented on when Commissioner Lyons asked a question about inflexibility in terms of we need to stay flexible. And so I assume from your perspective are both industry and the NRC working pretty well and being flexible on interim staff guidance?

MR. SHAHKARAMI: Yes. I'll tell you we're not driving at all to do administrative changes to ISG. We are more interested in – we do the pilot and we see assurance of actually making something happen so we can adjust that. In our last steering committee -- Mr. Grobe and I talked about that issue. Basically, there's a willingness to go make that change, yes.

CHAIRMAN KLEIN: Well, Ron, I know on the existing fleet
you're sort of taking the lead on Digital I&C for the Oconee plant. In looking at the Oconee plant in this instance a B&W Unit and there's not as many of those. Is there anything unique to Oconee that has any impact on that? Are the lessons being learned pretty well across the board for all the other plants?

MR. JONES: I think the digital lessons learned, you can lump them into two categories. One large bucket would be the generic stuff across not just the B&W plants but the nuclear fleet as a whole in the United States. When we were talking a little bit earlier about standardization, the platform that we're using for the ES/RPS at Oconee, the TELEPERM platform is a standard platform. It's used not just for reactor protection system, but for other digital systems. In fact, we have it in some non-safety digital systems at Oconee. With the existing nuclear fleet, though, 104 reactors, it's 104 different reactors to one degree or another. A TELEPERM platform that you apply at Oconee, for example, for reactor protection system, if you take that same platform and apply it at Crystal River 3 or any other B&W unit it will look slightly different as far as the inputs that are going into it, for example. And then the demand that you have on the outputs as far as the design for that plant; what needs to be controlled and triggered. With the new plants, obviously, we have an advantage. They can look exactly
alike. Lessons learned also have been at a very site specific level, too. With three units, for example, we talked about our first unit going in the fall of 2009. The second unit doesn't go in until a year later. That's intentional on our part so that we can take any lessons learned on the front end related to installation, improvements and test procedures, whatever. And make sure we have adequate time to build that in before we put it in on the second unit. That's the general philosophy we follow with our non-safety digital uprates also is to separate them by a period of time.

CHAIRMAN KLEIN: Thanks. Commissioner Jaczko?

COMMISSIONER JACZKO: I had a couple of questions. Just following up a little bit on the comment that Commissioner Svinicki made about the idea that we're doing detailed design reviews. I won't spend a lot of time on that right now, but I think I'm still not exactly clear what the issue is here that we're talking about. So, perhaps at another forum we can explore that more or if we have another round. It wasn't an issue that I intended to get into. One question that I had this 30-minute issue has been recurring since the beginning. We've been doing several of these meetings and each time we talk about the 30-minute problem and each time I think concern is expressed that industry doesn't like the 30-minute time frame
and at the same time we hear that we really need to get these things resolved. We need to have a solution to these problems. I find that there's somewhat of a contradiction, I think, there because part of that is using the guidance that we have out there. Right now, the 30 minutes is, I guess, it's in the diversity and defense in depth issue. I think, Mr. Lucas, you mentioned that is -- resolving that issue, in other words, finding an alternate methodology to look at the 30 minutes is critical for the new reactors. So, I guess the specific question I have right now is what approach is being used in the submittals that we have right now? Is it assuming the methodology and the guidance that assumes that if you don't have an action that can be taken within 30 minutes then you have the defense in depth?

MR. LUCAS: I believe the way the guidance as I understand it was 30 minutes would be kind of a point where you knew that was going --

COMMISSIONER JACZKO: I don't --

MR. LUCAS: -- but it didn't rule out something other than 30 minutes. What we're working on is a methodology to show that anything --

COMMISSIONER JACZKO: I guess my question is what is the approach that was used with - we have seven submittals in front of us
for new reactor applications. What approach was used in those submittals?

MR. LUCAS: Most of those from my understanding - I didn't see all those, but most of those are not going to have the detail on the instrument control systems as part of that. So, that's still outstanding ITAAC issue with digital. That would be my understanding. I didn't see all the applications.

COMMISSIONER JACZKO: Perhaps the staff can comment on that, too, as we get to the second panel. Again, I think at some point we just need to make decisions about these and find criteria and evaluate applications based on these criteria. We have criteria out there. We have the branch technical position 19 that goes back to '97, which may have some improvements and possible improvements that we can make, but at some point we've got applications in here. We have to have criteria that we are reviewing these against. We have hearings that have been noticed whenever we notice hearings. Interveners are required to come in and file contentions right away. Any time we come in and we make a change with a position that we are reviewing something, modifications are made throughout the process that is another opportunity then for interveners to file new contentions. They have every right to do that because the process is constantly changing.
So, having these things done up front, having these issues dealt with up front is only going to be, I think, beneficial in the process. I guess I'm somewhat concerned that we haven't really made more progress on dealing with that particular issue.

MR. LUCAS: I think I left with the wrong impression on that. I think we're working very well on that. I think no matter what time you pick, there should be a methodology to show that's acceptable. I think that methodology is what we're working together on. I'm more positive than that.

MR. SHAHKARAMI: I just want to add. We have three task forces that are working on that specific issue and there is a guidance we provided performance based. So, we're working through that. It's not that we -- we have a time line, but we try to put more detail and requirement in it and the staff has been very open to work with us on that.

COMMISSIONER JACZKO: Well, good. That's good to hear. One question I had, Mr. Jones, perhaps you can shed some detail on this for me. As I was going through this, my staff was helping me prepare some information. One of the things that they indicated was that in the Oconee submittal was that you didn't follow the IEEE standard for validation and verification. And that has, I think, has made it a little more difficult for staff to
review that particular submittal. Can you comment on the approach that you used for the validation and verification and why you chose to do something different than the IEEE standard?

MR. JONES: I can't comment on the specifics of the approach. I'm aware of that issue, though. My understanding is we had dialogue beginning about a year or so ago with the staff to let them know that that was what was going to be used by our vendor. So, it didn't come in this submittal as a surprise to folks is the way I would put it. We can get more technical information to you if you'd like.

COMMISSIONER JACZKO: Again, we often hear that we need these things to be resolved so everybody's looking at the pilot projects. And so, we generally put guidance out, develop guidance, have standards so that it can facilitate our review. If we deviate from those, it makes the reviews more complicated. So, I guess I would hope that in the future when we have these meetings that we can discuss these kind of things because I think these are the kinds of things we want to try and get resolved here so that we can move forward on this. Again, I think having standards is important and following them makes the staff reviews a lot more straightforward. I have one more quick question if we're going to do another round.

CHAIRMAN KLEIN: We'll do another round. Commissioner
Lyons?

COMMISSIONER LYONS: I'll pass on another round. I appreciate the answers we've heard. I appreciate the discussion and appreciate the fact that we have the strong industry Commission working groups. I'll pass.

CHAIRMAN KLEIN: I guess, Mitch, I had one for you; your comment in your presentation. You commented on the consistency across NRC divisions. Could you give us some examples of where we have not been consistent? And number two; what do we need to do to fix it?

MR. LUCAS: I'm not sure I can give examples on that, but there's a lot of different branches that work cyber security, new plants and then the submittals for the existing fleet. We just want to make sure that there is consistency and how the requirements are interpreted amongst those various ones.

MR. MARION: If I may, I can provide an example and that was on Cyber Security. We developed an industry guidance document, NEI-0404, submitted it to the staff and we were working with the New Reactors Organization as well as the security organization within the NRC. We received approval from those two organizations and then we had to deal with the licensing process associated with how a utility would use that
guidance document and the submittal. The effort at obtaining uniform NRC concurrence became a little more challenging at that particular point. The Office of Nuclear Reactor Regulation didn't necessarily agree with the acceptability of the document for a license application, if you will, as compared to the position we received from the other two organizational units. However, that took a little time, a little effort, a lot of discussion and we were able to work through that. But that's an example where we received different opinions, if you will, from different organizations within the NRC.

CHAIRMAN KLEIN: Had - I guess, had NRR seen that? In other words, I guess you're looking at new reactors and did that impact affect the existing ones? I guess I'm not sure why --

MR. MARION: I'm not familiar with the details and the timing of who was engaged or which organizational unit was engaged at what particular time. I do know that new reactors and security had the benefit of reviewing the document well in advance of NRR at the time. Why that occurred, I don't know. It's resolved now.

CHAIRMAN KLEIN: Okay. Commissioner Jaczko?

COMMISSIONER JACZKO: Just two questions. One, to what extent are you looking at the situation we had at Honeywell. They
have a digital control system that was used in part of their design, part of their process control system. They had a problem there with an interruptible power supply. I'll go into some details. It provides an example of a situation in which we have a digital system that by all accounts performed properly. Now, essentially what happened was they lost power and then when the system restarted it essentially reset a series of valves because they never factored in a reboot, so to speak. Every time it rebooted it thought you're starting from the beginning, so everything goes back to some initial condition while the plant wasn't in that condition at the time. Again, it's one of those digital software failures that are the kind of things we're trying to identify. It had in the event -- it led to a small release of HF. To what extent are you looking at that and incorporating that in your operating experience and looking at those kind of examples?

MR. MARION: We are in the process of developing or finalizing, I should say, a white paper that involves a comprehensive evaluation of over 300 events involving digital systems. Our current schedule is to have that paper finalized and make it available towards the end of May.

COMMISSIONER JACZKO: Will Honeywell be one of them
in there?

MR. MARION: Let me introduce Ray Torok from EPRI. He has the lead in developing that paper for us.

MR. TOROK: I'm Ray Torok from the Electric Power Research Institute. I'm the EPRI project manager on that project. I think the event you're talking about was actually the fuel reprocessing plant or fuel handling plant, something like that. We haven't looked specifically at that one. We've looked at - as Alex said - 322 events from operating nuclear plants. There are a number of them that are similar to this event, though, in terms of problems caused by reboots and what not. So, they are included in what we looked at. Those are, I guess, what I would consider learning curve events. We've seen a number of those and looking at those as part of pre-op testing and so on is becoming more and more standard practice. Does that answer your question?

COMMISSIONER JACZKO: Sure. Thank you. Maybe you can stay because my next question I think we might need you. I was reading with tremendous interest the paper that you had done with EPRI talking about how we deal with the PRA and the perspective of digital systems. Digital systems are somewhat different from analog systems. If you happen to hit -- if you do the reboot every time it's generally --
unless there's some other kind of software problem in there, it's going to reboot the same way every time and that error you will have each time if you don't change software and change the program. So, it's somewhat of a different approach than what we've traditionally taken for dealing with the analog control system. So, I guess I have just one comment in general on where you think we are with looking at these issues and how we can incorporate this kind of thing in the PRA and what the current state of the art is right now and is this something that -- one of our working groups is on PRA and I tend to think from a risk informed perspective that may be the working group that should get the fewest resources because it will be the most difficult and the one that may not provide the most information and the most usefulness. You don't have to comment on that editorial comment, but --

MR. TOROK: It turns out discussion of the issue of assigning failure probabilities to digital equipment is a very long discussion that we really don't have time for today. But as you point out, there is no accepted process for selecting a failure probability for digital equipment. However, we believe that there are still a number of valuable risk insights that can be derived from risk analysis. Even if you have to make reasonable assumptions about failure probabilities and then look at sensitivity studies to see how much difference that makes. And in the
work we've done, it looks like there are a number of good insights you can draw even without knowing precisely what the failure probability might be.

COMMISSIONER JACZKO: Is this something that you see say in the next five years; us having enough information to be able to get to the point where we can develop regulatory guidance or we can really incorporate this into our regulatory process? Or will this be interesting information that will inform design and development of systems perhaps? How do you see that moving forward?

MR. TOROK: I think that -- one of the things we're working on right now is trying to relate various digital system design features which are used to improve system reliability and provide protection against digital failures and digital common cause failures and so on. We're trying to relate those types of design measures to estimates of system failure probability. And I think you can do that in a qualitative sense and that's enough to get very useful risk insight, so we're proceeding with that. The bottom line is I think we will be able to derive risk insights that are useful even without precise knowledge of failure probabilities.

COMMISSIONER JACZKO: Thanks. And, certainly, if anyone else wants to comment on that. Thank you.

CHAIRMAN KLEIN: Well, thank you very much for your
comments. Like Commissioner Lyons indicated, when we heard the long pole in the tent might be the Digital I&C, we were all a little bit surprised. So, I'm glad we're making the progress that we are and hopefully when that first simulator may be ordered this year it will be for the right plant and for the right time and we'll keep things moving. So, thank you for your comments today. Appreciate it.

MR. SHAHKARAMI: I appreciate the opportunity. Thank you.

PANEL 2:

CHAIRMAN KLEIN: Well, as you just heard we heard a good presentation from the industry today and so now we're looking forward to hearing from the staff's perspective. Any comments before we start? Luis?

MR. REYES: Good morning, Chairman and Commissioners. The staff is ready to brief the Commission on Digital Instrumentation and Control. Last time we briefed you was last July. There were several issues that the Commission had interests on at that time. One was our skills inventory in the technical subject area. We'll update you on that. We have good progress on that. The second one is written guidance. You heard this morning earlier from the presentation.
We'll go through the list of the written guidance we have. And the other one is the exchange with all the stakeholders and we're going to talk to you about how many public meetings we have had in going through this progress. We have a lot of information to cover, so I'm just going to turn it over to Jack. Jack Grobe is, among other things, the Chairman of the Digital Instrumentation and Control Steering Committee. So, with that, Jack.

MR. GROBE: Thank you, Luis. Good morning, Mr. Chairman and Commissioners. We're excited to be here today to report significant progress in the area of Digital Instrumentation and Control. Slide two, please. First, I'm going to plan on discussing Steering Committee activities and summarizing some external interactions that the staff has had in the Digital I&C area. Next, Rick Croteau will briefly address the four issued interim staff guidance documents. There was a little confusion earlier between problem statements and interim staff guides. In the case of communications, there's only one interim staff guide that addresses one problem statement that's extremely complex in the diversity and defense in depth area.
There's one interim staff guide that addresses multiple problem statements. So, it's tough to compare problem statements in ISGs and we'll get into that in a little bit in detail. Rick's the Deputy Director of the Division of Engineering in the Office of Nuclear Regulatory Research. Then Pat Hiland will describe the use of the ISGs today in an ongoing topical report review as well as a licensing action as well as some recent operating experience including three specific events; one that Commissioner Jaczko referred to. Pat's the Director of the Division of Engineering in the Office of Nuclear Reactor Regulation. Mike Mayfield will discuss our ongoing activities in the area of risk, operator actions and fuel cycle. Mike's the Division Director for the Division of Engineering in the Office of New Reactors. And finally, I'll wrap it up and we look forward to your questions. Slide three, please. The Steering Committee is comprised of five senior executives from the Office of NRR, NRO, Research, NMSS and NSIR. The role of the Steering Committee is to integrate the activities across the agency as well as to effectively interface with all our stakeholders. There's seven task working groups; six are led by managers, one by a senior staff member and there's over 50 staff and managers involved in those seven Task
Working Groups. Slide four, please. Regarding human capital. We've hired four senior level advisers since the last meeting we had with you. Those will be assigned: one in NRR, one in NRO and two in Research. One of those was an internal candidate. One was from the aerospace industry, one from naval reactors and one from the automotive industry. We're very excited about the staff that we've been able to add in this area. We're in the final stages of developing a charter for a technical advisory group and the four senior level advisers will comprise the members of that TAG. On net, we've hired more than 20 new staff in the Digital I&C area. Two-thirds of those have been experienced staff; one-third from school. We continue to recruit in this area, but we've made great progress in bringing in new staff. With respect to training, the Office of New Reactors as well as the Office of Nuclear Reactor Regulation have developed a five-day training course in conjunction with the Technical Training Center. There's been two sessions delivered of that course. Commissioner Lyons provided opening remarks at one of those sessions and the next session is in the fall of this year. In addition, we sent staff to vendor specific training on different platforms to ensure that our staff is fully aware of the technical details of
the applications that we're receiving. In addition, in November we conducted an internal workshop on the four issued interim staff guides at that time for our staff. That workshop was attended by over 50 technical staff and managers from the headquarters as well as regional offices. With respect to the Graduate Fellowship Program, recently we've announced there were three recipients of graduate fellowships for pursuing advanced degrees. Two of those are in the Electrical Engineering area focusing on Digital Instrumentation and Control and one is in Human Factors. All three of those individuals will be contributing to this area in the future. Slide five, please. Since our last Commission meeting in July of 2007, there's been four public steering committee meetings and 28 meetings of the Task Working Groups. These are all public meetings involving all of our stakeholders. The four interim staff guides that have been issued to date present a clear, well understood and predictable regulatory position in the areas that they address. We refer to these commonly as the express lane for licensing processes. In the development of those interim staff guides, we considered the research that's been completed, the international and domestic operating experience. We had extensive industry input as well as our past
regulatory experiences. The interim staff guides are not the only option. The staff are going to discuss the Oconee application in a little more detail later, but the Oconee application has a number of areas where it deviates from the guidance and that's fine. It's just going to take a little additional time to review the application. We've also established a fuel cycle Task Working Group. That's a significant improvement because the needs of the fuel cycle aspects of our licensing business was not clearly defined and we now have clear problem statements in that area. The project plan has been updated in March and we've considered four industry white papers in minimum inventory of controls and instrumentation, electronic procedure use, operator actions and consideration of common cause failures. Slide six, please. This slide lists the four issued interim staff guides and the dates they were issued. They resolve - these four interim staff guides resolve 10 of the 25 problem statements. We're going to discuss these in a little bit more detail later.

COMMISSIONER JACZKO: We heard three earlier. Is that

MR. GROBE: Three are included in that 10.

COMMISSIONER JACZKO: What about the other seven?
formal -

COMMISSIONER JACZKO: We heard that there were three issues that were resolved. Now you're telling me that there are 10 issues. Am I going to hear a different answer -- I heard a different answer in the Are they resolved from the staff perspective and not from the industry perspective?

MR. GROBE: There's two phases in the project plan: one is a short term phase and one is a longer term phase. In the short term, we committed to get predictable guidance out there for use by the industry in these 10 areas that guidance has been issued and is solid. We anticipate incorporating this into our regulatory infrastructure. That will take some time because that's a very public process. It involves formal Q&A, comments and responses to comments, as well as review by the Committee to Review Generic Requirements, the Advisory Committee on Reactor Safeguards. So, that's a very time-consuming process. It could be that some of the ongoing activities result in more refined guidance by the time we issue those final documents. The ISGs are solid now.

COMMISSIONER JACZKO: The three that were referenced as being resolved. Those have been through kind of the full panoply of -

MR. GROBE: The interim staff guides do not go through a
first panel. I'm trying to figure out what the difference is between those.

MR. GROBE: The industry would prefer additional flexibility and would prefer that we revise the interim staff guides. Flexibility is an anathema to predictability. These guides provide a clear predictable path that everybody understands. It could be that there's an opportunity to provide additional flexibility when we get to the final, it will be either Reg Guides or NUREGs or Standard Review Plan revisions; things of that nature. One good area to think about this is the area of operator actions, whether or not you can take credit for operator actions in lieu of hardware diversity attributes. We're just now developing the interim staff guide on operator actions and how to consider evaluating operator actions in a digital age, digital context. So, it would be premature to consider the applicability of operator actions as a hardware replacement until we get more comfortable with the licensing process for reviewing operator actions. This is all a process. The 10 that have been issued are solid, predictable, well understood by the industry and they're in use today. Slide seven, please. This slide lists the ongoing interim staff guides that will resolve the remainder of the problem statements. The first two listed probabilistic risk assessments that focuses for new reactor application reviews. The
licensing process is focused on operating reactor licensing reviews. Those two are in final draft. They've been commented on extensively by the industry. Those will resolve an additional five problem statements. In all, 15 of 25 are being addressed to date. Slide eight, please. We have set up a series of regular meetings with the Advisory Committee on Reactor Safeguards Subcommittee on Digital Instrumentation and Control. That's led by Dr. Apostolakis. We've met a couple times with the full committee. Our next full committee meeting is this week. We've had a series of additional meetings with the Federal Aviation Administration, the National Aeronautics and Space Administration, the Department of Energy and Naval Reactors to discuss digital issues. Internationally, we have regular bi-laterals with our counterparts, our regulatory counterparts in other countries, to focus on digital issues as well as technical exchanges with the Nuclear Energy Agency and the International Atomic Energy Agency. Boy, it was tough not to use acronyms, let me tell you.

COMMISSIONER JACZKO: Commissioner Merrifield would be proud.

MR. GROBE: Specifically focused on digital counterpart exchanges. At this time, I'd like to turn it over to Rick Croteau and Rick's
going to go through the four issued digital -- excuse me; the four issued interim staff guides.

MR. CROTEAU: Thank you, Jack. Slide nine please. I will describe the four interim staff guidance documents issued for staff use and give some examples of the types of issues addressed by those guidance documents. With respect to diversity and defense in depth, the main issue is protection against common cause failures in digital systems. The same software may be used in all divisions; therefore, one error may cause a failure of all divisions of the system. It should be noted that common cause failures are not considered single failures; however, diverse means not subject to the same common cause failure is necessary to accomplish the safety function. Slide 10, please. As directed by the Commission in SRM-93-87, the applicant shall assess the diversity and defense in depth attributes of the proposed system to demonstrate that vulnerabilities to common cause failures have been adequately addressed. The guidance reflects this direction. Backup capability is necessary for digital systems to address common cause failures that may occur. The backup system could be automatic or manual. The interim staff guidance describes acceptable attributes for an automatic diverse actuation system. Manual action may
be acceptable in lieu of automatic backup under certain circumstances. One important consideration is the time available for the operator to observe, diagnose and correct the action. The staff believes that it's reasonable to credit manual operator actions that are not required for at least the first 30 minutes. In some circumstances, it may be acceptable to credit operator actions that are necessary in less than 30 minutes. We're still working on that as it was discussed earlier and Mike Mayfield will add more detail to that in a few minutes. The interim staff guidance also gives specific examples of acceptable diversity and defense in depth approaches. For example, it states that if reactor protection system is designed with two channels of one digital system and the other two channels are using a different digital system, then that adequately addresses the diversity and defense attributes and no automatic or manual backup is necessary. Other examples are also included in the guidance. Slide 11, please. The staff has also issued two guidance documents associated with highly integrated control rooms. One document describes acceptable approaches to communications among digital devices and systems. The digital workstation will likely combine many functions, both safety and non-safety, that were previously separated. The guidance document describes how controls and indications from different divisions, either
safety or non-safety, can be combined into a single integrated workstation while still maintaining separation, isolation and independence. It also describes command prioritization to determine which command is to be passed to the control device when conflicting multiple commands come from different sources, including conflicting commands for both safety and non-safety systems. Slide 12, please. The guidance on human factors in highly integrated control rooms provides information on acceptable approaches for the use of computer-based procedure systems. It describes either the use of paper or a safety related based backup procedure. As an example, the guidance states that the operator should select the procedure and execution of the steps. The computer system can recommend actions to the operator, but the operator must be in control. The document also provides guidance on a minimum inventory of alarms, controls and displays that are necessary in the control room and the remote shut down facility. Slide 13, please. The guidance document has also been issued regarding acceptable cyber security measures for safety systems. We already had an existing regulatory guide that described an approach that is acceptable to the staff for safety systems. There was also an NEI guidance document describing a structured process for establishing cyber security program for
systems including safety systems, non-safety systems, security systems and systems necessary for emergency response. The interim staff guidance document includes a table comparing the Reg Guide and the NEI guidance document along with clarifying remarks in the table to provide clarifications between the two documents and show how they mesh together. The staff considers either the regulatory guide or the NEI Guide along with the comparison table notes as acceptable approaches to address cyber security for safety systems. There's also a new regulatory guide being developed to go along with the cyber security rulemaking that's ongoing. That completes my discussion on the issued interim staff guidance documents. Next, Pat Hiland will discuss experience in implementing the staff guidance and some operating experience. Thank you.

MR. HILAND: Good morning, Chairman and Commissioners. I'm going to discuss as you heard some of our current uses of some interim staff guidance as well as some of the operating experience that we've gained over the past several months. Currently, we're reviewing the topical report for a Digital I&C priority actuation and control module. Through use of software and hardware logic, these devices control plant components from either safety or
non-safety related controls. The device must ensure when command is generated from a safety system that command will have priority over non-safety commands. ISG-04 was used to clarify our reviews in the testing methodology, the treatment of unused logic pins, the interface with other components and systems and the operating experience with the device. Both the staff and the vendor have found that the interim staff guidance is providing a clear road map. Slide 15. As discussed earlier, Duke has submitted a license amendment request to replace the Oconee analog reactor trip system and engineered safeguard protective system with a digital one. While the replacement system will utilize an NRC approved microprocessor - that's the TELEPERM you heard discussed - its specific application at Oconee will be reviewed. Design features will be evaluated against regulatory requirements, the Standard Review Plan, and recently issued interim staff guidance including ISG-01, cyber security; ISG-02, diversity and defense in depth; and ISG-04, highly integrated control rooms communication issues. Our early review indicates that the digital reactor trip system and engineered safeguard protective system will meet many of the staff positions in the ISGs, which will facilitate an efficient review. However, in
other areas the licensee has chosen not to follow the Institute of Electrical and Electronic Engineers standard endorsed by our regulatory guides which will require the staff to obtain additional information from the licensee. Past reviews of Digital I&C have necessarily involved extensive work by the staff due to the introduction of this new technology. We now have a draft licensing interim staff guidance that clarifies the in-office review, the on-site audits and regional inspections. We plan to refine the draft interim staff guidance for licensing during our review of the Oconee application. Slide 16. The NRC’s operating experience program is recognized internationally. Several years ago, we enhanced the collection, review and follow up of operating experience. Daily events are screened to evaluate the staff's response and information is disseminated to our technical review groups. We receive domestic operating experience data through the Institute of Nuclear Power Operations and international operating experience gained from the International Atomic Energy Agency and the Nuclear Energy Agency's incident reporting system. We also actively participate in the Nuclear Energy Agency's working groups on operating experience.
In the June 2007 staff requirements memorandum, you directed the staff to develop an inventory and classification of various digital equipment and evaluate operating experience with Digital I&C in the nuclear and other industries. Both are included in project plan for diversity and defense in depth. The Office of Research has reviewed Digital I&C system failures from the nuclear, aviation, petrochemical, telecommunications and railroad industries. The purpose was to use broad industry operating experience to gain insights on diversity strategies and use and to benchmark or validate the diversity strategies within the NRC’s diversity and defense in depth guidance. Our review of the non-nuclear sector validated our concern with common cause failures and that there was a high frequency of software failures. Operating nuclear facilities provided limited information. Detailed root cause is difficult to obtain from other industries. Results are inconclusive with respect to identifying diversity strategies. There's just simply not enough detail. Failures often are repaired by simply replacing the failed component or fixing the bug. The Office of Research will continue to work on this. The Office of Research has selected a classification structure and is developing an inventory of Digital I&C systems in use and will classify
them in terms of their complexity. The digital system classification could be used to assign diversity attributes to systems based on their complexity. Slide 17. I've selected three operational events of interest just to give some anecdotal information. One you heard Commissioner Jaczko raise. I didn't list it, but it is the second one there. It's the domestic fuel facility. But for the first two plant events that I've listed it highlights the importance of operators fully understanding the off normal response of complex digital systems. Recently, a domestic boiling water reactor had a loss of a feed water system event and subsequent reactor automatic shutdown that was initiated by loss of a power supply to their digital feed water control system. Several unexpected observations were made by the operators. First, they didn't understand that the digital system when it lost its power supply would fail, locking in a high level trip. That tripped the turbine-driven feed water pumps and subsequently caused problems in starting and running the motor driven feed water pumps. Also, complicating the event were some tan colored displays that showed up in the control room that the operators weren't trained on. It turns out that what the tan color meant was the digital feed water system had failed.
You heard Commissioner Jaczko refer to the Honeywell uranium conversion facility and that event. Also, again, that plant event indicates the importance of operators fully understanding the off normal response. In that case due to the loss of the uninterruptible power supplies to their digital control system once restarted or returned to a cold start condition the operators were unaware that valves would close, things would happen on a hot plant. A hot plant meaning when vessels were isolated they would increase in pressure. The third event, just to highlight, demonstrates a need to have a clear understanding of the design functions that affect the safety performance. In this event, a loss of offsite power transient was complicated through replacement of the main generator protective relay with a digital relay that was phase dependent. This phase dependency resulted in a slower response. In the foreign reactor the plant turbine generator can trip offline and supply power to the station. In this case, that trip was too slow to do that. The plant lost power as well as the voltage transient was significant. Now with that, I'd like to hand it off to Mr. Mayfield and he'll discuss some ongoing activities.

MR. GROBE: Mike, if I could just add one more thing on operating experience. These systems are non-safety systems. Pat and
Luis and I have spent -- I was going to say many years, many decades, several decades anyways, in the region doing operational safety day-to-day oversight. And many of these systems were installed in upwards of a decade ago and when they were installed in some cases it would take nearly an operating cycle before the system was performing adequately; feed water control systems, turbine control systems, things of that nature. The systems that we're looking at today are more complex than those systems. They're going to be applied in safety systems. We can't tolerate that kind of performance in a safety system digital control system. So, it necessitates that there's information that can be learned from these non-safety applications of digital controls systems. It necessitates a more complex and comprehensive licensing review than would be for a non-safety digital control system.

CHAIRMAN KLEIN: Just a clarification. I thought this last one might have been Forsmark?

MR. HILAND: It was sir.

CHAIRMAN KLEIN: I thought that was a safety system?

MR. GROBE: The particular relay that we're talking about was in the switch yard.

CHAIRMAN KLEIN: But it impacted the safety side?
MR. GROBE: All of these are initiating events for things that don't look good, but they're not part of the safety systems.

CHAIRMAN KLEIN: That's a fine line.

MR. HILAND: The safety systems responded.

MR. GROBE: Michael?

MR. MAYFIELD: Thank you. Staff's continuing to work with the industry in a number of areas looking primarily at evolving issues. Three areas are particularly relevant to these ongoing activities: Risk informing Digital I&C, an alternative to the infamous 30-minute guidance for operator action and Digital I&C aspects in fuel cycle facilities. On slide 18, please. Looking first at Risk Informing Digital I&C. In January 2008, the staff provided draft interim staff guidance dealing with the staff review for Digital I&C in PRAs for new reactors. Let me emphasize it's for new reactors. The draft interim staff guidance provides general guidance on how the staff should review Digital I&C PRAs including software failure, common cause failure and uncertainty analysis associated with new reactor Digital I&C systems. The interim staff guidance does not modify any Digital I&C related acceptance criteria or regulatory requirements. Staff continues to work with stakeholders to determine if existing risk assessment methods that
are commonly used by the industry are adequate to risk informed decisions regarding diversity and defense in depth or manual operator actions. A public meeting was held on March 21st to discuss industry goals for diverse actuation systems and proposed industry white papers on risk informing efforts. In addition to these activities, the NRC's Office of Nuclear Regulatory Research has a program underway to study methods for assessing risks associated with Digital I&C systems. If I could have slide 19, please. Manual operator actions continues to be an area of significant interest for the industry as you heard this morning. The industry has prepared a white paper on a methodology to determine acceptability of operator actions. The staff has reviewed this paper and provided an initial set of comments to the industry. The Human Factors Task Working Group has the lead on this issue and is meeting monthly with stakeholders to discuss this and other human factor issues. The staff is working on developing an analytical method coupled with physical verification for demonstrating that manual operator actions can be reliably completed within the expected time frame in lieu of automated actions during common cause failures coincident with a design basis event.
If this methodology is found to be acceptable, we would provide an interim staff guidance on manual operator actions by the end of July 2008. Slide 20, please. A separate Task Working Group was established to address the unique aspects of Digital I&C for fuel cycle facilities. Task Working Group 7 was formed in October 2007 and has since held six public meetings. The Task Working Group plans to make an interim staff guidance available by April 30th of 2008. Problem statements have been finalized in five areas, namely cyber security, diversity and defense in depth, independence of control measures used as items relied on for safety. That doesn't exactly roll off the tongue. Highly integrated control system communications and software quality. The ongoing Task Working Group efforts are aimed at defining independence of control measures used as items relied on for safety. Staff has benefited from the process of developing the integrated safety assessments that are now required for fuel cycle facilities in evaluating Digital I&C systems. The results of the ISAs provide an enhanced understanding by both the staff and the licensee on specific contributions of each control system application to the reduction of overall risk for the facility.
Staff is also closely following the cyber security efforts looking at the rulemaking - I'm sorry; the cyber security rulemaking for applicability to the fuel cycle facilities. With that, I'll turn it back to Jack.

MR. GROBE: Thanks, Mike. Before I wrap up, I just wanted to make a comment that the three gentlemen at the table here as well as Jennifer Uhle from Research and Scott Morris from NSIR and Joe Giitter from NMSS have actually made my job quite easy leading the Steering Committee. The teamwork that's been necessary has been extraordinary and they've delivered that. Alex commented on what he perceived was a lack of teamwork between NRR and NRO in the cyber area. In fact, that wasn't a lack of teamwork. It was an issue that was driven by the differences in the licensing processes under Part 50 and Part 52. The guidance that they were working on was cyber security guidance for new reactors. The new reactor process includes the COL as well as ITAACs. There is no ITAAC concept in Part 50, so the licensing process is different and we're treating those differently. So, necessarily the standards need to be a little bit different in the two areas. We clearly have some additional interim staff guidance to issue. Concurrent with that, we're going to be converting these interim staff guides into the permanent necessary infrastructure and that results in
different documents in different applications. In some cases, it’s industry standard. In most cases, it's our internal documents which would be NUREGs, the Standard Review Plan, Reg Guides; things of that nature. All of that work is ongoing today. If in the course of the activities on the one topical report we have under review and we have a couple of licensing actions, including Oconee under review, we identify some lack of clarity in the interim staff guides, we'll update those as necessary. But we believe right now that they're ready to move forward into the finalization in our regulatory infrastructure. With that, we're ready to answer any questions. Luis?

MR. REYES: Chairman and Commissioners, those are our prepared remarks and we're looking forward to your questions.

CHAIRMAN KLEIN: Well, thank you very much for a good overview and a good detailed presentation and some clarification, although I'm a little confused on Forsmark, but I'll come back and ask Jack to clarify that a little bit later. One of the things I guess I'd just like to start off is congratulate you on your human capital activities. I think all of us have been concerned about hiring and training and retraining and getting people in the human capital area. It sounds like you've done a good job on that area. So, my compliments on that. Commissioner Lyons?
COMMISSIONER LYONS: Well, let me add my compliments, too. I think it's clear that both the staff and certainly the management has taken this area very, very seriously and made immense progress over the last year or two years. It's very evident, the number of public meetings, the issuing of the interim staff guidance. As the Chairman just mentioned, the hiring, the training that was discussed. All that is just very, very impressive. I was a typically interested to hear that we are using the NRC Graduate Fellowships, Pat, in a very appropriate way and I'm just very glad to hear that. Maybe a general question in this area of hiring and training. You certainly describe substantial progress. Is there a plan as to how we go into the future that's been laid out as to what types -- you made a lot of progress in staffing? Are we where you want to be? Do we need to go further? Is there a plan to get there?

MR. REYES: If you look at what we did in this particular area, we saw we had a significant increase in the skills needs which we didn't have in house. We had to put a lot of effort to do that. Now, we're going to be more in our traditional process, which is a strategic workforce plan that will include these individuals. We'll have an inventory of all our skills and then we will manage like
we manage any other inventory of skills; expected work load versus expected needs. The answer to your question is we're going to continue to hire in this area like we're doing in the others. We're very close to where we need to be. The workload will dictate the amount of skills we need there.

COMMISSIONER LYONS: A question for Pat on your slide 17 which ties in with the question I was trying to ask of our industry panel, too. You talked about the importance of the operator's understanding off normal events. I know the Chairman wants to specifically discuss Forsmark, but I was trying to raise that question maybe in a clumsy way with industry as well. It seems to me that as one moves to a more digitized control room with more and more of the decisions made in a routine way within the software that you're running at least a very real problem that the operators are less prepared to deal with an off normal event. I was curious if you could expand on that a little bit more? And specifically are we taking this type of consideration into account as we look at how we will license operators moving into the future? It just seems to me we should be demanding a little bit more of operators going into the future.

MR. REYES: From our previous operators.
MR. HILAND: Well, Commissioner Lyons, I know that you're familiar with our operating experience program. I'll just talk a few minutes to try and walk a path. The events I mentioned go to our technical review groups. We have some 25 to 30 different technical review groups that consist anywhere between four to eight, 10, 12 individuals depending on the topic. We have a specific and we've had for several years now, a specific technical review group in the instrumentation and controls area. Every 12 months -- and they do one at six months, but every 12 months we go back and we look at those review groups and what their recommendations are. And you can very well have a recommendation from the technical review group on instrumentation and control, which people from our operator licensing also sit on these technical review groups that could say enhance the operator licensing program area and the instrumentation and control or possibly we could feed that back into our inspection program. All of those programs are tied together at the technical review group level, at the technical staff level. We review that on a yearly basis. That's as far as I can go.

MR. REYES: Let me talk to you conceptually on the licensing for the next generation. I think there's a lot of things that are parallel with the analog instrumentation. Because you look for multiple
sources of the parameter information to determine where the pressure is changing the way it should be, level is changing the way it should be, et cetera, et cetera. How you get there is different with the digital. We are going to have to make sure that the licensee's training and our assessment of that training covers those angles. If you look at the first event that Pat talked about on the feed water system, that's the second time it happened in this country. The same event. Two boilers had the same problem in less than a year. The same thing. Lost power to the controller. It went tan in color. The operators didn't know what that meant. You just change the location of the plant. There are some things that are starting to come up that perhaps are different in terms of the training and therefore the examination of those individuals to make sure they can handle it. But conceptually, you're looking for the same things. Information to the operator who can determine that it was the right information, instrument fails, et cetera, et cetera. How do I get the confirmation of my actions? The emergency procedures, the emergency actions are going to be similar. You just need to make sure you can assess it properly.

COMMISSIONER LYONS: Well, conceptually I very much agree with you. You're just hearing my concern that as long as the digital systems are working as planned and as the industry panel said the
operators are going to love it. It's going to make their job a lot simpler. The plant is going to run a lot more smoothly. In my mind, it's going to be almost essential that the operators understand, if you will, the analog basis of the plant as well as the digital basis and understand how the failure mechanisms, what types of failure mechanisms at least to be sensitive to. And I think we're going to have to demand a little bit more of the operators, which may be even counter intuitive. In some sense they got the digital program -- they have the digital system there in some sense do their thinking for them. But I think if they fall into that trap of letting it do their thinking for them, it will be very negative.

MR. REYES: It's a different way to get the information. I think the industry this morning mentioned it. If you have four channels with four analog readouts and one fails up or down, you have the other three to check. In the digital display process they're going to be co-located, except the processor should have given you a lot of notice ahead of time that one parameter was starting to deviate. You're probably going to have more time, so we're just going to have to make sure the training and the examination process that checks those knowledges gets to that point.

MR. GROBE: There's another lesson to learn here. This
really wasn't an operator training issue. Any well-run operating organization has very close connectivity between the design organization and the operations organization, such that as a modification -- modifications are being made all the time in these plants. As the modification is developed, the operating organization understands the ramifications of that modification; makes changes to the procedures, changes to the training. These were clearly designed-in features. When the system behaves in this way, these actions are going to happen. The operating organization wasn't sufficiently aware of that such that they had written it into the procedures and trained appropriately on it. The issue that we don't understand is how common cause failures will manifest themselves. That gets right to the 30-minute issue. How is the problem going to manifest itself? How long is it going to take the operator to understand what's happening to be able to discern what are the appropriate actions that he needs to take and then take the actions? So, these should have been taken care of. They should never have occurred if the relationship between design engineering and operations was healthy and effective.

MR. REYES: If I could add more. If you look at the Forsmark event, a separate part of the event that you're going to ask
about, the control room part of that event which is all updated -- that unit was updated with digital instrumentation. It raises a lot of issues about testing after installation. Testing and making sure the operators understood that. So, we have a lot of work to do.

COMMISSIONER LYONS: Well, I'm over my time and I do appreciate those answers. I do understand, Jack, as you pointed out that to the extent that common cause failure modes and diversity and defense in depth are truly maintained through the design process. The type of concern that I'm raising probably shouldn't occur. I still think the operator better be aware of the possibility.

MR. REYES: As you know, part of our examination is what we call casualties and how you handle casualties. So, we just have to make sure we do it the right way.

MR. GROBE: Plant casualties.

MR. REYES: Yes. Well, they're casualties if they don't pass.

CHAIRMAN KLEIN: Commissioner Svinicki?

COMMISSIONER SVINICKI: Thank you. I'd like to start by thanking the staff who spent extensive time with me last week to try to bring me up to speed on these issues. Any gaps in my knowledge from here on out are fully my own and not the staff's fault. I also want to compliment you in looking at the materials that were
provided to me. I didn't need to be persuaded in the complexity of this issue and the challenges here, but in looking at the Task Working Groups and how they've broken out the problem set, I compliment you and your industry collaborators that it's very complete. I think you've taken something that had the potential to be of such complexity that it's difficult to think how you'll break it down and begin to embark upon the confidence-building measures that are needed to move into the digital future. So, I compliment all of you on what appears to be a complete and a very logical way of breaking this down and beginning to embark upon that. I wanted to return for a moment to the operating experience issue. Mr. Hiland, you had commented on the challenges here in building a foundational knowledge in operating experience. Root causes you mentioned specifically are very difficult to diagnose. Perhaps this is getting to Commissioner Jaczko's question of the prior panel, but it is how do we -- these are my terms now -- how do we move beyond the anecdotal when it comes to building the foundation that we need for operating experience and getting to CCFs and diagnosis? Do you have any notional construct for that? Not that the anecdotes aren't very relevant, but we need to increase our confidence to have something broader than that. Do you have a framework for moving beyond the
anecdotal?

MR. HILAND: I mentioned in response to another question the efforts that we took over the last couple of years to improve our operating experience program. That was a direct response to the events at Davis-Besse and our lessons learned. It turns out that I happen to manage that transition to the new operating experience program at the time. That program as I mentioned is held high regard in the international community. We presented it a number of times at international forum. We can take the individual items that we get or we have a partner in the Institute of Nuclear Power Operations also as far as evaluating the frequency of events and those that are more significant or more competitive that would be generic in nature and feed that back into both our inspection program, our operator licensing program, our amendment review program and industry. Of course, we share our information with the public. The operating experience has a website available to the public. They can go in and look. So, that's the main area that I'm looking at. If anyone else would like to add -- and research.

MR. CROTEAU: We also have some research to go after some high value, non-nuclear data that we've identified and we're going to
look at that a little bit more. We're also working on some guidance to help the folks evaluating the operating experience to look at what types of things they should be asking. What do you need to look at? So, yes, we are still working on that.

MR. REYES: The problem is with outside the U.S. -- information or outside the nuclear industry information. Within the nuclear industry, the best thing we have is the licensees, root cause evaluation and hours. Our inspection report, our inspectors will go through this in detail. Two examples on the BWRs that were discussed earlier are good examples. We, in addition to the licensee, went through a very high level of detail. We understand the whole issue. That gets collected through the operating experience inventory. Getting that kind of level of detail from non-nuclear industry events, we're going to have to seek just a few of high value to get that detailed information until we build up inventory.

COMMISSIONER SVINICKI: I appreciate Mr. Hiland that you acknowledge that digital is a bit of a new frontier in operating experience. Patches are easy to do. It's something we're all very accustomed to in downloading updates to software and that the ability to capture events and then diagnose them is a challenge in digital. I appreciate that you're all focused on that. Thank you, Mr. Chairman.
CHAIRMAN KLEIN: Well, my first question is -- I'll save the Forsmark for the second one. My first one is on Human Capital. On the Human capital standpoint, first, I think we should probably thank Admiral Donald for training a good person in Digital I&C that she's gotten from naval reactors.

MR. REYES: We've got FAA. We've got GM. You gave us a task and we delivered.

CHAIRMAN KLEIN: I think it's really good because I think the people you've been recruiting bring a lot of information. Is there any challenge integrating them into the regulatory environment?

MR. REYES: Well, Commissioner Svinicki can probably relate to this. Learning our vocabulary is, of course, something new for some of them, but none that I'm aware of. They're highly technical people who are excited about the challenge we have in front of us and they're already contributing.

CHAIRMAN KLEIN: Well, my operating experience slide that Pat started off with on 17 on the foreign power reactor. Could you tell me -- that's a fine line because that system that failed directly impacted the safety system? I'm confused as to why it wasn’t a safety system.

MR. GROBE: We'll go back and double check and make sure that we understand the design correctly and get that to your technical
assistant. Almost all the systems we've been talking about today, whether it's generator control, turbine control, feed water control are direct precursors to events. They feed into the initiating event frequency. They're not actually part of the safety systems of the plant. Now, there are certain aspects in feed water control, for example, the feed water isolation valves are part of the safety system for containment, but the actual running of the pump is not part of the safety system. For example, if the feed water pump trips there's inputs to various safety control systems, but that's the limit of the extent. So, I believe this relay was not actually part of the safety system, but it fed into how rapidly the generator would trip which affected -- actually, it affected the safety analysis for the plant.

CHAIRMAN KLEIN: I think we might have --

MR. UHLE: Jennifer Uhle from the Office of Research. I just want to -- now that Jack said those final words, I'm pretty redundant here, but in general there was work that was going on in the switch yard that was not properly tasked out and coordinated and so there was a fault in the switch yard initiated in the switch yard which is not the licensee's area. At any rate, then there was a failure of a non-safety -- Jack's exactly right -- a non-safety relay that then caused a large voltage drop of an extended duration then propagated to the safety systems with the
uninterruptible power supplies causing the loss of two out of four diesels. We are getting more information on this. The further information about the safety system design and lessons learned is not yet publicly available. Tom Koshy, who is the Branch Chief in the Office of Research, will be attending a lessons learned task force discussion in a couple of weeks through NEA. So, we have been engaging with NEA and as soon as we find out more information then we'll come back and brief you in more detail.

MR. REYES: If I could add to that. In Europe in this particular country, those relays -- what they did is they should have put the reactor to work like an island. Generators should have provided the house loads and they would have stayed in that loop. In the U.S., it would have separated from the grid. Just different strategies because our approaches are different. But in either case, whether it was in Europe or here, those are non-safety related components that have some protective actions for protection of the equipment, not necessarily of the cooling of the core. But they do -- their failures are transients, are challenges on the safety system. No question about that.

CHAIRMAN KLEIN: I guess from my perspective what I saw was a digital change system that quickly impacted a safety system.
MR. REYES: The same thing with feed water. Feed water is non-safety related, but you lose feed water, you have a transient right there.

CHAIRMAN KLEIN: Thanks. Jack, from your perspective of having worked on the Digital I&C interfaces, anything that we need to do to encourage standardization?

MR. GROBE: I think it was Ron that addressed this at some level. Standardization with the current operating fleet is very complicated because the plants are designed so differently. Even the ones that are the same are different. But standardization for new plants -- maybe Mike can expand on this, but I think that's something we really need to focus on because it will dramatically streamline the process. Mike, did you have anything you wanted to add?

MR. MAYFIELD: The industry has plainly gone to some lengths to bring about standardization across the particular design center. Within the staff, I have the two branches that are responsible for it. One of the earlier concerns about inconsistency across the organizations -- the branches meet regularly with their counterparts in NRR. There's a technical consistency Office Instruction that both the NRR and NRO issued jointly. So, we go to some lengths internally to make sure we're applying
things consistently and for the new designs it's actually very straightforward because there's such a push for standardization within the design centers.

MR. CROTEAU: I would add that the issuing of ISGs and updating the guidance is a form of rough standardization because it lays out exactly what we think is an acceptable approach. If someone comes in and says this is how we meet this approach, it is somewhat standardized.

CHAIRMAN KLEIN: Commissioner Jaczko?

COMMISSIONER JACZKO: I guess on that topic, I would say I disagree. I don't think people are. I think this is one of the fundamental challenges we always have as a regulatory body is we come up with an approach and then a licensee comes in and wants to do it differently. So, I certainly applaud the approach and I think the way to do that is to make people use the interim staff guidance and raise the threshold for what is an alternative approach. And I don't think we do a good enough job at that. I think that's where we are now. We're continuing to talk about how we're going to address issues of getting around this 30-minute criteria. That was in an interim staff guidance on diversity and defense in depth which we have put out and went through extensive discussions with industry and that approach is not,
I guess, been found to be acceptable. So, on that, I guess I would follow up with a point. Rick, I think you said when you talked about your slides. You used a term that I have not heard in this particular approach before or this issue before which was you said it may be necessary for operator actions to be credited in less than 30-minutes. Can you clarify a little bit by what you meant by "necessary" in that context?

MR. CROTEAU: I guess what I intended to say is it may be acceptable to credit them in less than 30 minutes.

COMMISSIONER JACZKO: There's no situation right now from a safety perspective where there's a reason why we would have to credit them?

MR. CROTEAU: Not that I'm aware of.

COMMISSIONER JACZKO: It's just a different approach and it may be acceptable.

MR. CROTEAU: It may be acceptable and that's one of the things that we are still working on.

MR. REYES: In lieu of diversity, you mean?

MR. CROTEAU: Yes, in lieu of an automatic diversity system.

MR. GROBE: It's important to recognize that the interim staff
guides are not requirements. For example, in the case of Oconee, that system has been evolving over the past couple of years. The original design of the system had three substantial operator actions in less than 30 minutes. In the latest submission, it only has one action necessary and there has been additional hardware changes made to the design. That action actually has to occur within two minutes, which is a very short period of time, but it's a very simple action. It may be acceptable.

COMMISSIONER JACZKO: As I said, I think -- I think, Jack, you described that there's the highway and then there's the county back roads approach. Sometimes, I guess, what we're hearing is that maybe you can get from Point A to Point B taking the back roads sometimes. But certainly it creates challenges for us sometimes. One issue that I wanted to ask specifically about. This was in the ACRS letter. They made a statement. Again, this was commenting on the interim staff guidance on the diversity and defense in depth. It seemed to raise some questions about the staff's ranking, I guess, of potential spurious trips and actuations. I'm wondering if it's an issue that may be a little bit detailed at this point, but if somebody wants to comment on where the staff -- how the staff is looking at that particular -- if you're familiar with the issue.

MR. CROTEAU: Well, at a high level. When we were trying
to highlight that a failure to actuate was of more concern to us than a spurious action because a spurious actuation, the system is functioning in its safety mode. The ACRS questioned whether that was valid if you had partial spurious actuations, how would you deal with that. We are taking a look at that. It was not like we were ruling out spurious actuations as of any concern. It's just a failure to actuate was of a greater concern to us.

COMMISSIONER JACZKO: And so at this point, though, the staff is examining?

MR. CROTEAU: Yes, we are.

COMMISSIONER JACZKO: Okay. I guess I'll go back to a comment that was made. On this issue of the interim staff guidance for the PRA and the use of Digital I&C in the PRA. Mike, you may have commented on this. You made a comment you stressed that this is really only for new reactors. I'm wondering if you could explain to me what the significant differences would be of new reactors versus incorporating these kinds of things for existing reactors.

MR. MAYFIELD: I think you can do it for the existing fleet with time. The emphasis right now is for new reactors because there is a requirement in Part 52 to submit a PRA or to have a PRA. So, the staff is faced today with dealing with that. We've looked at them twice; once for the ABWR and once for the AP1000. There was concern raised by the
industry that they were done differently. Yes, they were. We've learned from what we did with the ABWR and we applied those lessons when we reviewed the AP1000 and it took the reviewers to a somewhat different place. So, there was concern and I think legitimately from the industry that we try and be more consistent as we start looking at the rest of them. We've taken that to heart. We may not end up agreeing, but we agreed with the point. And so the staff is working with the industry to see what we can do in that area.

COMMISSIONER JACZKO: I guess one of the things I always find myself somewhat confused whenever I come to these Digital I&C meetings. We heard a little bit earlier from Mr. Torok. I think I said his name correctly. What we'd be looking at trying to accomplish with the risk information is qualitative and not really getting to a level of quantitative evaluation mostly probability of failure rates or whatever; some kind of analogy for that. In that case, I guess I'm a little bit unclear as to how we're actually incorporating this kind of information into the PRAs which are inherently quantitative and not qualitative.

MR. MAYFIELD: The approach is not to get down into the details of specific component failure rates. Rather, the systems are treated as a set of, if you will, black boxes and they look at the PRA and the failure of those systems to make sure they don't create a unique
challenge that would elevate the risk from the facility. So, that you can then stay with qualitative assessments. I agree with Ray that you can draw good risk insights from that level of qualitative assessment.

COMMISSIONER JACZKO: So, you assume failure of the system and what are the impacts on that?

MR. MAYFIELD: What are the impacts and you look very closely at the diversity and defense in depth to make sure that the coupling of failure of that system with diverse means for dealing with it doesn't create a unique challenge.

COMMISSIONER JACZKO: Okay. Thank you.

CHAIRMAN KLEIN: Commissioner Lyons?

COMMISSIONER LYONS: I wanted to ask a question related to the consideration, which is still ongoing at the Commission level to come up with a test facility for Digital I&C and human machine interface. Again, the Commission is still in the voting process. I have to admit I was disappointed that there was no interest from outside organizations in developing a joint facility. I was particularly very surprised that DOE did not share that interest because I thought I had been told otherwise previously. I'm surprised EPRI had no interest, but nevertheless it will be interesting to see how the Commission moves ahead on that vote. That
also ties into another concern I've had which is how the agency will deal with the need for simulators as we move toward digitalized control rooms. I was wondering if any of you could comment on the path forward for the agency's use and development of simulators for training our own staff.

MR. REYES: We have a challenge in our 2010 budget that may not help us resolve this as much as we can, but there are several options and unique opportunities that we never had before. If you go back to the current approach we have with our current staff, we used to train our staff by renting simulator time of TVA.

COMMISSIONER LYONS: I know we did.

MR. REYES: Then eventually after TMI we required everybody to have a simulator and, of course, we acquired some ourselves. So, now we're starting from a different place where these facilities are going to have their own simulators to start with. In fact, the simulators are being built before the facilities are being built because they have to train their people. We have several options to do that including partnering with several entities. So, we haven't come up to the Commission yet. We're brainstorming what is the best option on how to move forward. But you could envision a partnership with an entity where the simulator is used for our training, but may be used for somebody else's
training, too. Seven days, 24 hours a day. It's a lot of time that we're probably not going to consume all the time. So, there are some leverage approaches that we're thinking about how to best do this to maximize the investment.

COMMISSIONER LYONS: How soon does this decision need to be made and is there a plan to have a paper coming to the Commission proposing alternatives to meet whatever schedule is required?

MR. REYES: Of course, it's being driven by how quickly the new plants are going to be operating. If you believe that the early plants being proposed are going to be on line on 2015, 2016, that brings you to the point that the utilities are going to start training -- hiring and training their staffs around the 2012 timing. You heard today that the simulators are being ordered this year. In some cases in order to have them functioning for 2012. If you believe that schedule, we should be giving you an approach on our 2010 budget. That's not in the cards right now because of some of the challenges of the work we have. So, I'm not answering your question because I don't have an answer. We're talking conceptually on how to address the issue, but we haven't -- it's not budgeted in terms of recruiting the staff or the investment.
COMMISSIONER LYONS: Just speaking personally, I'm again out of time. I would be very interested in a Commission paper that would outline how as an agency we will move ahead including looking at options as you've described. This is to me a very, very important issue. Renting time on simulators while indeed that is an option, it would need to be obviously managed and handled carefully.

CHAIRMAN KLEIN: As a follow up on the simulators, when we look at our training facility in Chattanooga. That's a very large facility. A lot of big rooms and variety. Does it look like from what you've seen today that we could have a generic simulator that you can load multiple softwares on and do the training on a smaller system than we have in Chattanooga?

MR. REYES: Well, yes, because in today's environment you don't need a mainframe computer. You can have a very small computer located in a different state and you just connect to a display anywhere and you can do it. So, technology today allows us to do a lot of things. What you have to decide upon is what level of training our staff needs. What I mean by that, forget about the device driving, do we need to have identical panels. If you have five designs in the U.S. that are being proposed, do we have to have five arrangements for those five types of control rooms? Or
does the level of knowledge you want to impart to our staff is just understanding how the systems work, et cetera, et cetera, but not a perfect understanding of the layout. You need to understand that if you have the general knowledge -- if you have the general knowledge, you will have the licensee's facility to get acquainted where all the panels are located. So, in theory, if we agree that what we need to give our staff is an SRO level knowledge, but not a specific facility knowledge in terms of the display, then you can do it with one display for a lot of designs. If we believe we need more than that, then -- so, we have to make a decision. How do we want to train our people? Do you want to train to SRO level knowledge without having to know exactly where each control is located? If that's the case, we can do a lot of leveraging. You still have the simulator from the licensee where we observe and we can use.

CHAIRMAN KLEIN: Thanks. Commissioner Jaczko?

COMMISSIONER JACZKO: I don't have any questions, but I would just comment on the issue of the simulators. I certainly agree with Commissioner Lyons. I think it's important for the Commission to have a paper on this and perhaps it's something we can do with the SRM for this meeting. I would say that I'm very reluctant to have an approach where we're
renting time because I don't know that we can guarantee that there will be time available for us to rent. I think that would be the biggest drawback. While I appreciate we may wind up with a facility that's not fully utilized, everything that I hear is that facilities that would be out there that might be available will be staffed as much as they can for efficiency and cost perspectives. So, we would probably have to make sure that we do have our own capability to do that because I'm not sure that someone's going to let us use theirs or that there will be time in which to do it or will be like we did in TVA where we won't be on the hot shift.

MR. REYES: They have to train more people than we do, so their time is not going to be available for anybody else.

COMMISSIONER JACZKO: That was all. Thank you.

CHAIRMAN KLEIN: Well, I'd like to thank you for the presentation and also the industry for their comments. Obviously, a lot of work yet to go, but on behalf of my Commissioners, I think that we have made a lot of progress and more to come, but appreciate all of your hard work. Again, it's nice to have a new Commissioner on board. Meeting adjourned.

(Whereupon meeting was adjourned)