Official Transcript of Proceedings
NUCLEAR REGULATORY COMMISSION

Title: Advisory Committee on Reactor Safeguards, 551st Meeting
Docket Number: (n/a)
Location: Rockville, Maryland
Date: Friday, April 11, 2008
Work Order No.: NRC-2115
Pages 1-122

NEAL R. GROSS AND CO., INC. Court Reporters and Transcribers 1323 Rhode Island Avenue, N.W. Washington, D.C. 20005 (202) 234-4433
UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
+ + + + +
551ST MEETING
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS (ACRS)
+ + + + +
FRIDAY, APRIL 11, 2008
+ + + + +
ROCKVILLE, MARYLAND
+ + + + +

The Advisory Committee met at the Nuclear Regulatory Commission, Two White Flint North, Room T2B3, 11545 Rockville Pike, at 8:30 a.m., Dr. William J. Shack, Chairman, presiding.
COMMITTEE MEMBERS:
WILLIAM J. SHACK, Chairman
MARIO V. BONACA, Vice-Chair
SAID I. ABDEL-KHALIK, Member-at-Large
GEORGE E. APOSTOLAKIS, Member
J. SAM ARMIJO, Member
SANJOY BANERJEE, Member
DENNIS C. BLEY, Member
MICHAEL CORRADINI, Member
OTTO L. MAYNARD, Member
DANA A. POWERS, Member
JOHN D. SIEBER, Member
JOHN W. STETKAR, Member
I-N-D-E-X

OPENING, Chairman Shack ... 4
INTRODUCTION, Dr. Apostolakis ... 4

PRESENTATIONS BY THE STAFF:
Digital I&C Steering Committee Review, Mr. John Grobe ... 6
Review of Cyber Security, Mr. Mario Gareri ... 22
Review of Licensing Process, Mr. Paul Loeser ... 37
Review of New Reactor DI&C PRAs, Mr. Glenn B. Kelly ... 53
Review of Operational Experience and Clarification of Digital Systems, Mr. Michael E. Waterman ... 66

BY NEI:
Digital Instrument & Controls Industry View, Mr. Gordon Clefton ... 80

BY EPRI:
Industry Review of Operational Experience, Mr. Ray Torok ... 94
Mr. Bruce Geddes ... 104
P-R-O-C-E-E-D-I-N-G-S
8:30 a.m.

CHAIRMAN SHACK: The meeting will now come to order. This is the second day of the 551st meeting of the Advisory Committee on Reactor Safeguards. During today's meeting, the Committee will consider the following: Digital I&C Interim Staff Guidance and Related Matters; Future ACRS Activities and Report of the Planning and Procedures Subcommittee; Reconciliation of ACRS Comments and Recommendations; and Preparation of ACRS Reports.

This meeting is being conducted in accordance with the provisions of the Federal Advisory Committee Act. Mr. Tanny Santos is the designated federal official for the initial portion of the meeting.

We have received no written comments or requests for time to make oral statements from members of the public regarding today's session. A transcript of a portion of the meeting is being kept, and it is requested that the speakers use one of the microphones, identify themselves, and speak with sufficient clarity and volume so they can be readily heard.

Just passing out a daily announcement that most of you have probably already heard, that Bill Borchard is succeeding Luis Reyes as the EDO, so a new leadership at the NRC.

Our first item this morning will be the interim staff guidance and George will be leading us through that. So, George, turn it over to you. The subject is digital instrumentation and control.

DR. APOSTOLAKIS: We had a subcommittee
meeting on March 20th where the staff presented their work and we had detailed discussions. There are three segments that remain subject of today's meeting. There is interim staff guidance on cyber security, on the licensing process, and new reactor digital I&C PRAs. Naturally, most of the discussion was on the last one, the PRA one, but we also had some comments on the cyber security. The one on the licensing process is more or less straightforward. We just tell the industry what they should be submitting and when. So, for a change, the subcommittee didn't have much to say about that.

We received a memo from the staff after the subcommittee, I don't know if everybody has that, where they list a number of the comments we made and how they plan to handle them. But they also promised to do that today, so you don't necessarily have to look at that memo. But if you want it, we will not give it to you.

(Laughter.)

DR. APOSTOLAKIS: As I said, the one that was discussed the most was the PRA one and that shouldn't be a surprise to the Committee. By the way, the members present were Jack, John, and Dennis, and we had our consultant there, Myron Hecht, from Los Angeles. The staff is expecting a letter on the three ISGs. Although today, we'll also have a presentation on the operating experience review and categorization of systems. The industry will also make some comments, but I don't think we should write a letter on these items. So, without further ado, Mr. Grobe.

MR. GROBE: Thank you very much, George. My name is Jack Grobe. I'm Associate Director for Engineering and Safety Systems in the Office of Nuclear Reactor Regulation. I first want to compliment the ACRS on the diversity and defense in depth in their digital video display units. It's pretty impressive.

(Laughter.)

MR. GROBE: We'll see if we have a common failure during this meeting. I want to
introduce Stu Bailey. You met Belkys Sosa previously. Belkys was an acting person in providing some leadership for the digital activities. We determined that we needed more stability in that area, so we created a new deputy director position in the division of engineering in NRR and Stu Bailey was selected to fill that. Stu's primary responsibility is to provide leadership for the digital activities and the steering committee interface. So he's here today to answer any questions that you have and I'm going to give a little presentation. So all the tough directions go directly to Stu.

Next slide, please. I just wanted to summarize a brief background since we haven't been here for a while. The steering committee was formed after a November 2006 Commission meeting. At that time, it wasn't clear that we were on a success path for integrating all of the activities of the agency. So the steering committee was formed with five senior executives, one from each of NRR, NRO, research, NSIR, and NMSS. The goal of the steering committee is to provide strategic direction to the activities of the agency in the digital I&C area to ensure that the
offices are properly integrating to solve the problems and to ensure that we're having effective external communication and interaction with our stakeholders on the issues.

There are seven task working groups that support the activities of the steering committee. Six are led by managers in the various offices. One is led by a senior staff member. Overall, there's more than 50 staff involved in the task working groups. The industry has created a shadow organization to our organization and they've established interfaces and lead individuals so that that facilitates effective communication.

Within the seven TWGs we have defined with the industry 25 specific problems. Not all problems are created equally. Some of them are very complex and detailed. Some of them are simpler. We're developing interim guidance to resolve each of those problems. To date there's been four interim staff guidance documents issued and those resolve 10 of the 25 problems. You saw three of those last time we met in October. That was the interim staff guide on diversity and defense in depth and the two interim staff guides on highly integrated control rooms, one dealing with communications and the other
dealing with human factors. The fourth interim staff guide that was issued has not yet been reviewed by the ACRS full committee and that's the one on cyber security. We'll be talking about that today. In addition, there's two interim staff guidance that are in draft, and you'll see those also today, and those resolve an additional five problems. So 15 of 25 problems are either resolved or well on the way to being resolved.

Next slide. Since last October, which is the last time we met, we've had 18 public meetings of the task working groups, three public steering committee meetings, and we have established the seventh TWG on fuel cycle issues. Fuel cycle was not making sufficient progress to clarify the specific issues that they needed to resolve, so there's now a separate task working group. They've got their problems defined in collaboration with the industry and they're moving forward.

The two draft interim staff guides, as George mentioned, that we'll be discussing today are focused on probabilistic risk assessment. That's new primarily because new reactors are required to have PRAs in their requirements for the
Part 52 for the combined operating license. The guidance is equally applicable to operating reactors, but the focus of the interim staff guide is for new reactors to support the COL process as well as the licensing process.

Mario Gareri is the lead of TWG 1 on cyber and he'll be discussing cyber security. Glenn Kelly was one of the principal authors of the probabilistic risk assessment guidance and he'll be presenting that material. Paul Loeser will be discussing licensing process, and then Mike Waterman will be talking about operating experience and classification of digital systems.

As George mentioned, we'd appreciate a letter. We appreciated the last letter we got after the October meeting. There were two actions in that letter that are not yet resolved. One is the issue on developing some guidance for how to evaluate operator reactions that are less than 30 minutes. It's ongoing. There's been extensive work on that. It's not yet brought to closure. And the other one is the spurious actuations question. The digital diversity and defense in depth task working group has that one for action
and they're working on it. So we look forward to a letter on this issue.

I'm not sure if there'll be time, but during the PRA discussion it would be helpful if we got into a little bit of a discussion on whether or not the state of PRA would support relaxation of some of the diversity requirements. It's not on the agenda specifically, but we'd be interested in your insights on that as well.

Next slide. We've revised our project plan last month to bring more clarity to the long term actions. There's 17 long term actions which will bring the interim guidance to final guidance, and that final guidance will either take the form of a revision of an industry guide, for example, an IEEE standard or something of that nature, an issuance of a NUREG, revision of a regulatory guide, revision of the standard review plan. There's a variety of formal infrastructure documents that will be revised to deal with these issues. Those are all now captured in the project plan.

We've also received four industry reports. There's a variety of industry white papers that they're preparing. Four have been received and are
under review or the review has been completed. As George mentioned, we met with the subcommittee and we've met several times with the subcommittee, and we just met with the Commission, I guess it was Monday, things go quickly, and got support from the Commission. The only action item they were focusing on for the staff was the need for staff training for our operations activities for the new reactors, developing our simulator training facilities. In Chattanooga we have four simulators with analog control rooms and the Commission wanted more detail on our preparation to train our operations staff on the digital control rooms. So we'll be looking at developing some plans for what could be quite large expenditures to update the technical training facility with digital control rooms.

Next slide. We have a number of remaining interim staff guides. Licensing process you're going to hear about today as licensing process information for operating reactors. The Part 52 process is different than the Part 50 process. Part 52 includes design acceptance criteria and inspection tests and analysis -- analysis
and acceptance criteria, ITAAC. That process is different. It will require some different guidance, so we'll likely be developing a companion document for new reactors in the licensing process area. And once we finish the new requirements on security, as well as the regulatory guidance for cyber security, we'll be updating the licensing process in both areas to incorporate necessary expectations in the cyber area. I already talked about manual operator reactions. Fuel cycle facilities is just now getting underway, so that'll be issued later this year. And then I already mentioned the cyber.

As we're using these interim staff guides, we have a number of activities that are underway that are using the interim staff guides. We have a topical report on priority modules that's being reviewed. We have the Oconee full retrofit application that's being reviewed, and we're applying all these interim staff guides for the first time in those areas, as well as some topical reports for new reactors. As we get feedback on the usefulness and clarity of the guidance, if necessary we'll revise those. If necessary, from industry feedback, we'll revise the guidance. But the real focus, the goal line is to get these into the formal infrastructure.
If they're minor issues, we'll probably not revise the interim guidance. We'll just incorporate those minor issues into the final guidance.

Next slide. As I mentioned, the goal, nirvana here, is to -- my screen is burping here and yours are not, so thank God for diversity. The goal is to retire the interim staff guide. We're meeting and we have been meeting regularly with the subcommittee and I think this is our third meeting with the full committee. These meetings are not required, but there are required meetings in the standard agency processes for updating standard review plans, reg guides, things of that nature, so we will be coming back to you again in each of these areas. I think that completes my remarks. We'd be glad to answer any questions that you might have. Actually, Stu will answer the questions.

DR. POWERS: I really appreciated this overview you've provided. It's obvious that you've got a very disciplined program you're moving forward on to resolve the 25 issues you've identified on a relatively short term basis. My question for you is, who's your counterpart within research that's thinking about the
20 year time frame?

MR. GROBE: Interesting question. The steering committee member in research is Jennifer Uhle. She's director of the division of engineering and research. Rick Croteau, her deputy, is very actively involved. Right now the Office of Research is looking at the long term, and it's not 20 year, it's long term meaning five to ten year time frame, research plan. That research plan has been in existence for a number of years. We've been working on it. It's time to revisit it because we have much more clarity on our needs. So there's an integrated effort to --

DR. POWERS: That's what motivates the question is it seems like you had a very clear plan for this 2009, 2010 type time frame.

MR. GROBE: Right.

DR. POWERS: And you have seen that there's some challenges you face in the differences between reactors and fuel facilities here that maybe was not appreciated as much --

MR. GROBE: Right.

DR. POWERS: -- in past as it is now. And so I'm wondering if there is any -- no. Who's paying attention to saying, well, this is all going to change
faster than you guys can get out reg guides. And so what does that -- which would be my aiming point at 20 years.

MR. GROBE: Two points, Dana. It's a very interesting issue. If the industry were applying 2000 technology to the new reactors and operating reactors, our job would be a whole lot easier. What's happening is every time something changes, there's some advancement, there's a desire to put that in with no operating experience, little understanding of the sophistication of that new change, I don't think our guidance can keep up with that.

DR. POWERS: It cannot.

MR. GROBE: I used a tricky phrase in the Commission meeting that complexity is an anathema to predictability. If the desire is to have a predictable licensing process, there has to be some stability in how we move forward, and this is, you know, the digital arena is one that has no stability. So that's a very difficult issue.

There is clear direction in the research arena. There's a very detailed, written, long term research plan and research has just initiated in an effort to go back and look at that and make sure it's the right plan. So that's an integrated effort
between research and NRR, NRO, NMSS. I believe NSIR has a piece in that also. The steering committee will be getting updates on that. I think maybe in the six month time frame it might be a good idea for us to have that on the agenda for the subcommittee to look at what the long term plans are. The stickiest wicket is risk analysis.

DR. POWERS: Well, that's one of the brick walls of the future to be able to do that kind of thing.

MR. GROBE: Pardon me?

DR. POWERS: I mean that's clearly one of the real challenges that exists out there.

MR. GROBE: Absolutely.

DR. POWERS: Well, I think enough said.

MS. UHLE: Can I add something? This is Jennifer Uhle from research, and I think as Jack has said that with regard to the rate of change of the technology is hard to keep up from the standpoint of the regulatory process here at the NRC. However, there are other industries that are I would say more able to keep up with the change and, in fact, are motivating that change, and so part of our program in research is to go out and tap that technology
as well as naval reactors and other experience that other industries have. And so we had a program at Pacific Northwest Laboratory and we are now aggressively pursuing to go and identify the right contacts to establish those, and I can point to high speed rail, to FAA, to various --

DR. POWERS: I don't think you want to be pointing to FAA right now.

(Laughter.)

DR. POWERS: It may not be a good choice today.

MS. UHLE: Well, we can learn what not to do. And organizations that, perhaps, have kept up on a more dynamic basis. So, we again, as Jack said, we can come and discuss the research program and what our efforts are later on as we complete the recent update that we're undergoing right now.

DR. APOSTOLAKIS: It would be nice to meet with you before you complete anything. I think with a subcommittee it's a good idea.

DR. POWERS: It's research. They never complete anything.

(Laughter.)

MS. UHLE: The word complete, obviously,
the research plan is a dynamic document. By complete we mean to have vetted it fully within the staff to get the staff views so that what we present to you is just not one person's opinion, but it is a consensus view of the staff. I think that's a more efficient process.

DR. APOSTOLAKIS: I view this type of -- I think it's very similar to what we did with regulatory guide 1.174 where we had very frequent meetings with staff. Nobody knew really where we were going, and, you know, we tried ideas, we talked about them without any expectation that the staff would get something finished. So I think this is part of the problem. This would be a good policy here as well because some ideas and so, oh, come here and -- not to the full committee, I mean the subcommittee.

MS. UHLE: Yes.

DR. APOSTOLAKIS: Talk about it and see what other people are thinking.

DR. POWERS: It seems to me you may be speaking to the research program. I don't think that this program that Jack's outlined for us is where you want to take that kind of approach.

MS. UHLE: Yes.

MR. GROBE: Let me just be clear. There
are specific formal places where we have to come to the ACRS and we will definitely do that. But we get substantial benefit from the insights that you provide, and we've been meeting regularly with the subcommittee and it's our intention to continue that.

DR. APOSTOLAKIS: This ISG, in fact, you didn't have to bring it before us, right?

MR. GROBE: That's right. The ISG, we don't formally review.

DR. APOSTOLAKIS: They brought it because they wanted to.

MR. GROBE: Right.

DR. POWERS: They have certain masochistic --

(Laughter.)

DR. POWERS: The quality of our work benefits the insights provided by this august body.

MR. GROBE: Any other questions?

DR. POWERS: No.

MR. GROBE: Thank you very much.

DR. APOSTOLAKIS: So have you gentlemen prepared also to tell the committee where the points of discussion were at the subcommittee and what you plan to do, or should I make sure that this happens?

MR. BAILEY: The main points of discussion
were related to the task --

DR. APOSTOLAKIS: During your presentation are you going to refer to those?

MR. BAILEY: For the one that I recall the points of discussion, and that was on task working group number three, related to PRAs, yes, we will be discussing that.

DR. APOSTOLAKIS: Well, for the benefit of the full committee, the fundamental point of view I think of the subcommittee, which was not necessarily shared by the staff, although they may be thinking about it, was that at this point we don't have a good understanding of the failure modes of systems that have digital instrumental control embedded in them, and once you accept that, then a lot of other conclusions come. Can you really assign probabilities, can you do this, can you do that? And we urge the staff to think about it, to focus on identifying potential failure modes, and that was one of the main comments. And, of course, it's much more relevant to the ISG on the risk part, but, also, on the others, except for the second one which is really administrative. And for cyber security it was the identification of the threats, that there is an
implicit assumption, at least in the NEI document, that the threat is coming from the outside. I don't know if you agree with that.

MR. GARERI: Yes, I'll address that.

DR. APOSTOLAKIS: Okay, great. But that's the thing, that was a view that we don't really understand the failure modes yet. So you draw your own conclusions. If you don't understand the failure modes, what is it that you cannot do? John, you want to say something?

MR. GROBE: No. Thank you.

DR. APOSTOLAKIS: Okay. So I think that was an important theme throughout the subcommittee meetings.

MR. GARERI: Good morning. My name is Mario Gareri with NRO division of engineering. I'm the lead for the cyber security task working group. And, actually, before I get into it, let me address that first. As far as the scope of this TWG, it was very limited. So what was just referred to is going to be addressed with the new guidance that's being developed by NSIR and research as far as threat assessments and any kinds of risks dealing with cyber. So you will be getting briefed on that later on, but
it's not part of this task working group, but it is being looked at.

DR. APOSTOLAKIS: There are always two issues. One is the scope of the project on which a speaker is making a presentation and the other is what I would call the technical part in which the subcommittee has interest. So it's true that some of the things we said are beyond the scope of individual efforts here, but it's very important I think and that's why we have the subcommittee meetings to express our views regarding the actual technical work that at some point has to have these elements in it.

MR. GARERI: Like I said, let me assure you that it's being addressed in the new guidance that's being developed.

DR. STETKAR: In relation to that, I was kind of reading ahead in your slides, and the only point I wanted to make regarding specifically the cyber security, and it did come up in the subcommittee meeting, was that when I was reading through the guidance I wanted to be sure that there was a sensitivity that when you're evaluating critical assets, that you're also sensitive to things that we think about a lot in the PRA community in terms of support systems so that not only when you're
developing your threat assessment and evaluating your assets, expand that boundary around to include things like power supplies, ventilation supplies that may affect assets in several different rooms even though they're physically separated, and so forth, because a lot of the cyber security threat assessment process that I saw in the document was focused more on protecting the physical assets by physical barriers and multiple locations and so forth, that that process should be sensitive to these comments.

DR. APOSTOLAKIS: We will have the records of this committee in the sense of we would make all sorts of comments before you even start --

DR. STETKAR: That's my name.

DR. APOSTOLAKIS: Usually we let the guy present one slide.

(Laughter.)

DR. APOSTOLAKIS: So any other comments before he starts? Okay. Go ahead.

MR. GARERI: Next slide. I'm going to be talking about basically some background. I'm going to talk about the ISG itself and then the path forward.

From the first slide here, let me just
give you a little idea. The TWG only had one problem statement to address and the problem statement itself, like I said it was within scope, deals with two guidance documents regarding cyber security. One of them was the Reg. 1.152 Rev 2 as you can see there. And the other one is an industry guidance that was developed, NEI 04-04 Rev 1. The reg guide was issued revised in order to capture the cyber security in the design and safety systems in January of 2006 and the NEI 04-04 document was found acceptable by the NRC in December of 2005. So both documents basically came out around the same time frame. The issue here is that one document is specifically, which is the reg guide, to address safety systems, and the NEI document was more of a programmatic approach to cyber security.

So if we go to the next slide. The first bullet is basically about what the task of the task working group was, and, again, it was limited to basically there were concerns from the industry that the two guidance documents were in conflict and what the staff did and the task working group did, we did a gap analysis to actually determine if there were any gaps or any kind of conflicts in the two documents. And in doing that, basically the end
result was that there were actually no conflicts. There were some overlaps and some differences in the two documents, but that's expected because the two documents serve two different purposes. So, again, the second bullet there says that no inconsistencies were actually found as the industry had concerns and the two documents are actually complementary to one another.

Next slide. At that point the task working group could have actually closed out the item because we were finished with the problem statement. There were no conflicts and there were no issues. But the industry committed to revise NEI 04-04 to include and incorporate the criteria regarding safety systems, which was captured in the reg guide. So at that point the staff agreed that to provide additional clarification to the staff and the industry that that would not be a bad idea to continue with the effort even though, again, it went beyond what we set out to do. So after revising the 04-04 document, what we found is that, because the two documents were so different in the structure and the material they were covering, it was kind of difficult to actually do a review using the NEI 04-04 document
28 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 approaches when you're doing licensing. So what we did is we developed a cross correlation table to basically capture the elements and the criteria in the Reg Guide 1.152 into a table that would actually show where that same information can be captured inside 04-04. DR. STETKAR: Mario, for the benefit of
the rest of the committee here who were not at the subcommittee meeting, you mentioned differences in
scope between NEI 04-04 and the reg guide.
Could you
just briefly elaborate on a few examples of those differences? MR. GARERI: Sure. Well, the differences
are the reg guide itself deals more with the development life cycle and incorporating cyber security throughout that life cycle when you're developing a system. And, basically, it deals specifically with safety systems. Where the NEI 04-04 looks at the actual setup of cyber security throughout the plant, whether it's the firewalls or defensive measures. And, again, 04-04 is security related information and, you know, I can't go into the details of that. But that's the main difference is that one is cyber security from a programmatic approach, which is the 04-04. The Reg Guide 1.152 does it from a design perspective and deals specifically with safety systems. Bill may want to add something.
MR. KEMPER: Yes. This is Bill Kemper. Just to illustrate maybe if I can. For example, NEI 04-04 would have a requirement that says, a licensee shall within their design and engineering process, a means for securing cyber security is invoked in digital systems. Now, Reg Guide 1.152 goes beyond that and it says, the licensee shall ensure that there are no time bombs, back doors, malicious code, that sort of thing. So you see, it's a lower level of detail. So in reading 04-04, it's hard to draw from that the specificity that's needed in a license application for NRR to be able to approve that.
MR. GARERI: I would say, to add to that, basically it looks into the box. The reg guide looks really what's inside the box, where 04-04 looks outside of it.
DR. APOSTOLAKIS: 04-04 deals with broader issues than just safety systems?
MR. GARERI: Yes, it does. And the revised 04-04 Rev 2 has in a way incorporated safety system based on the interaction we've had with industry. And that was issued December 31st of last year, and as of this morning I don't believe the industry has any issues with the ISG.
DR. SIEBER: Isn't that just the reverse of what it should be, though? Shouldn't the industry guides be very specific as opposed to that and the reg guide be more general?
MR. GARERI: In some cases the 04-04 document is very specific, and that's why it's, again, security related information as appendices, which actually gives you the details of what to do to put defensive measures in. But in some other cases, like
I said, I had a different goal in mind so it does not address safety system in the design aspects of it. That's the difference in the two documents, but it does have detail.
DR. SIEBER: Yes, I always picture the regulation and the underlying regulatory guidance --
MR. GARERI: Yes.
DR. SIEBER: -- relatively broad in nature, the industry-specific document that the staff accepts would be one way to comply with the overall guidance based on rule --
MR. GARERI: The one thing we didn't -- one thing to keep in mind is when 04-04 came out, there's still no regulations on cyber, so that was really an industry submission to get something out there on the way. Right, and that's -- and that's going to be my last slide. Next slide. The ISG itself basically provides additional clarification to cyber security. Again, it does cover the background of cyber security in general, but it specifically talks to how to use the 04-04 draft 2 revision 2 document when, you know, put in a license middle or dealing with cyber security in a safety system. Again, the ISG includes that table which makes it easier for reviewers and industry to understand exactly how to use the 04-04 document when dealing with safety systems. And, again, either the reg guide can be used or the NEI document now in conjunction with the table if someone decides to actually use that to address cyber security in safety systems. Next slide. This is the last slide and what's happening now is the ISG itself has been rolled over, is being rolled over to the draft guide 5022, which is being developed to address cyber security. This draft guide is basically going to become a reg guide which will support the rule.
DR. APOSTOLAKIS: Why is it Part 73? Is that for security stuff?
MR. GARERI: Yes. This deals with physical security. As you can see in the sub-bullets there, the long term actions of the actual regulations that are coming out on cyber security, the regulatory guide to support the rule, and the updating or revision of the standard review plan, chapter 13, will all happen outside of really the TWG effort, even though we're still engaged with ANSIR and research.
DR. APOSTOLAKIS: Can you explain the
first sub-bullet, issuance of new rule 54 proposal 55? What does that mean?
MR. GARERI: Right. That's what I was going to get to. So what happens is that the regulations coming out, the proposed rule was under 73.55(m) for cyber security. In taking another look at it, ANSIR has determined with research that it would be best to put it into 73.54 so that it can actually address more than just power reactors. So, officially, it's the proposed rule of 73.55(m), but it will come out as 73.54. It just hasn't been made public yet. That's why I have it in brackets.
DR. APOSTOLAKIS: As has been said already, this interim guidance has been issued, December 31st, '07, so any comments that we may want to put in our letter will be addressed really to this effort of developing the regulatory documents in the future?
MR. GARERI: Exactly.
DR. APOSTOLAKIS: And the staff, of course, can take those under advisement or not. But we are not really commenting on the guidance itself because that's final, it's out. Any questions? All right. Shall we move on?
MR. GARERI: Thank you.
DR. APOSTOLAKIS: I'm sorry. I have a question.
MR. GARERI: I almost made it.
DR. APOSTOLAKIS: There was a semi-question I think on an issue that was raised during the subcommittee and I'm not sure whether the concern is real or not. Concern, it's not a concern. What is a definition of cyber security? Are you defining it some place?
MR. GARERI: I'll have Dave maybe add to this if I'm incorrect in saying it, but I believe the new regulatory guide that's going to be coming out, we're making a point to actually describe it or define it in there, because, again, there is some confusion whether or not it's an outside attack or internal.
DR. APOSTOLAKIS: Can you tell us today or is it --
MR. GARERI: I look at it that cyber security is basically that an attack would be something that would be coming from the outside.
But at the same time, if you have a trojan or something, a back door put into the software itself, that would also impact the -- it would give you a vulnerability to a cyber attack. Do you see what I'm saying? So either way, if the bug or the design itself is faulty, then you're vulnerable to an attack from the outside. I'm not sure if maybe Dave wants to add to that.
DR. RAHN: This is David Rahn. I'm assisting in the shepherding of the development of the regulatory guide, and the cyber security program has a two-phased approach. There's an overall protection of a facility, and that protection is for potential outside attempts to attack the facility and insiders. And there is a design basis threat rule which defines what are those potential threats. That's in 73.1.
That document defines the overall focus of a cyber security program that a facility needs to have. Within the facility, there's a bunch of digital assets. Many of them are performing safety related, some are performing emergency preparedness functions, and some are security functions. And there are also systems that protect those systems. Many of those have digital components in them and those components have to be designed, when they're put into the system, they can either have their own hardening against any potential threats which could take them down. That means that from the initial development of that digital system there would be --
DR. APOSTOLAKIS: Let me interrupt. You are getting down into detail now. This is how to achieve something.
DR. RAHN: Yes.
DR. APOSTOLAKIS: Is there a high level definition of what cyber security is?
DR. RAHN: Within the regulatory guide the focus is taken that cyber security is a portion of a security function for the whole facility. The object is security for the facility and it's how it affects the digital assets within that facility.
DR. APOSTOLAKIS: Period?
DR. RAHN: Period.
DR. APOSTOLAKIS: So it doesn't matter whether it's on the outside or inside?
MR. GARERI: Exactly. It doesn't --
DR. APOSTOLAKIS: -- broad definition?
DR. RAHN: Yes, very broad definition.
MS. BANERJEE: George, can I add something, please? This is Maitri Banerjee. The Part 73 rule is supposed to come to us in May, the first week of May time frame.
DR. APOSTOLAKIS: Coming to us means to the full committee?
MS. BANERJEE: Actually, we are going to get a copy of that.
DR. APOSTOLAKIS: The documents are coming?
MS. BANERJEE: The documents are coming and security subcommittee is going to take a look at it and Mario is going to make a decision how much of it we are going to review in May.
VICE-CHAIR BONACA: Supposed to look at the security components or not and then make a determination whether the committee should review them.
DR. MAYNARD: I have got a question along that line.
Is there a clear definition or division between what's being done for cyber security and the overall security, and not so much that it be separate, but that it actually fit in and not have overlap between the rest of the security requirements for a plant?
MR. GARERI: You're talking about as far as the physical security?
DR. MAYNARD: Right, because like one of John's first comments, he's talking about the support equipment and that's important, but I'm not sure you have to define that in cyber security if that's defined as the rest of your security plan requirements and stuff. I'm wondering, is there overlap, is there work being done to make sure that we don't have incompatible stuff here?
MR. GARERI: I'm no longer with NCER and I haven't been engaged up to the last point. Okay, Bill. He's raising his hand.
MR. KEMPER: Yes, Bill Kemper again. I just attended a meeting with David, as a matter of fact yesterday, to discuss draft language on 73.54. You know, the ink's still wet on this thing so we're still working on it. But, yes, specifically, 73.54 is titled protection of digital computer and communication systems and networks, so it's intended to provide the specificity, if you will, so that you can differentiate this particular security attribute from the overall physical security plan. Albeit, it's part and parcel of the site's physical security plan. I hope that answers your question.
MR. SHUKLA: Dr. Apostolakis?
DR. APOSTOLAKIS: Yes, sir.
MR. SHUKLA: All these ISGs are subject to further revisions and enhancement based upon their use until they are rolled over to a permanent regulatory document. So --
DR. APOSTOLAKIS: Yes, but I mean --
(Simultaneous speakers.)
DR. APOSTOLAKIS: Okay. Any other questions?
MR. GARERI: Thank you.
MR. LOESER: I'm Paul Loeser. I'm one of the digital I&C reviewers. If you'll go to the next slide, please. Basically, chapter 7 provides guidance to the staff on how to do a digital review. Things like BTP-14, 19. However, digital systems are somewhat unique within our review process in that we not only look at testing for the final design, but we also need a determination of a high quality design process. This is because digital systems are complex enough that we can never test them enough to say that they are perfect. So we look at this design process and this process takes too long. We can't do an actual independent review, the equivalent of an independent V&V ourselves because this takes too long, and, frankly, we don't have the people.
DR. POWERS: When you say it takes too
long and it takes too many people?
MR. LOESER: Typically, the rule of thumb is that it takes as long to do a thorough review of the process as is spent originally in the design.
DR. POWERS: Right.
MR. LOESER: And if they have five or ten people working for two or three years, we don't have five or ten people who can spend two or three years doing this, so we have to look at some lesser degree. What can we do to achieve reasonable assurance that this is really a pretty good system, was done in a pretty good way, and there is a reasonable assurance that it will operate the way it's supposed to and perform the functions it's supposed to.
DR. POWERS: And what I think I'm struggling for is what's a reasonable amount of time to spend on this?
MR. LOESER: Well, we have been spending typically on an overall topical report on a new type of system that we've never seen before --
DR. POWERS: Right.
MR. LOESER: -- one to two man years of effort tends to be in the neighborhood. If a licensee is using an approved platform in exactly the same manner it may take half of that, or if they have modified things, it would be more. One of our final products is a list of documentation that shows what type of thing we would need depending on the complexity of design. I'll be getting to that in my last slide.
DR. POWERS: Okay. So I know what's too much, I know what you're doing now. What's desirable?
MR. LOESER: Well, we think, obviously, less is desirable. But the question -- that's not really the question we were asked to address here. We are addressing that. As a matter of fact, last night we had a brainstorming session on how could we modify our current process to somehow to do this faster, easier, cheaper in NASA terms.
DR. POWERS: You left out better.
(Laughter.)
MR. LOESER: We want equally good. It wouldn't have to necessarily be better. We think we have a good determination now. We want to make sure that whatever we do we come up with something that's equally good.
DR. POWERS: Or better.
MR. LOESER: That is, it's still -- or better would be nice, but still provides us with a high degree of confidence to say, or reasonable assurance, whatever you wish to say, that this system will function and perform whatever safety functions are specified.
DR. POWERS: I actually have a reason for wanting to do this. So a brand new, unfamiliar system topical report gets submitted, and if you could do that with one man year, then that would take this off the high priority activity list or not?
MR. LOESER: I'm not quite sure what you're --
DR. POWERS: Well, currently, you spend you say on the order of two man years when you get a brand new system in. If you cut that in half, would that make everybody happy and they say, okay, let's --
MR. LOESER: I think it would make them happier.
DR. POWERS: Happier.
(Laughter.)
DR. POWERS: I mean at what point do you no longer have an action plan and things like that going on and you say, well, if you can make it better, that's great, but, otherwise, I'm not going to emphasize it?
MR. LOESER: I would sort of hope that no matter how good our process is we would never be closed to the idea that we could improve it --
DR. POWERS: I'm not asking you that. I'm
asking you, when do you quit making it a big priority and coming meeting regularly with George's subcommittee and things like that?
MR. BAILEY: I think we're making progress on that as we speak. We're reviewing --
DR. POWERS: I know you are. I'm asking you when you quit making progress.
MR. LOESER: I don't think I can answer that question on any process when do you decide that it's good enough. I can't tell you that. And I also can't predict at what point management starts telling me it's taking too long or industry starts complaining that it costs too much. I don't know that because I can't see into their minds.
DR. POWERS: I'm really asking your mind. I'm not asking for other people's. I'm not going to hold you to this. I'm not going to put a gun to your head.
MR. LOESER: I keep telling people I'm inherently lazy. I'd like to make it as easy as possible, but still be able to convince myself that I'm signing my name to a good product. If I could do it in 20 minutes, I would, but I can't. I don't know how.
MR. BAILEY: I don't know that it's much of an answer, but it's our own observations and industry's observations of how the reviews are going. When we see that they are going smoothly all around, then I think we can say this needs less focus. That doesn't mean we won't still be looking for improvements. But right now we've seen that it is not always smooth. All of the documents that we would be looking for are not always available right up front. We're really trying to fine tune this so that it also fits in with the licensee's life cycle of developing and implementing one of these digital modifications.
DR. SIEBER: I think this is a function of what you want as a result. For example, if you don't
spend a lot of time and the system fails, you know, a multitude of ways, you know you haven't done a good job. And right now, since we only have one project in the industry that's full scale with protection and control and all that in there just on its very beginnings, I think you have to look elsewhere to see where others would have failed, for example, in Europe, to determine what it is you have to do to make sure that you don't repeat those kinds of failures.
MR. LOESER: That is, in fact, happening. Research has a project, you'll be hearing about it later, to look at other industries, not just the European reactors, but also --
DR. SIEBER: Rails, planes.
MR. LOESER: Yes, everything that uses high reliability software, MIL-SPEC.
DR. APOSTOLAKIS: This probably is not a good idea, but anyway.
DR. CORRADINI: I, just for clarification, Jack, you said there is one case in industry where they're doing it for, and I thought you said control and protection?
DR. SIEBER: The Oconee project is pretty big.
DR. CORRADINI: But that's including reactor protection laws, like that.
MR. LOESER: And the SF.
DR. SIEBER: The other 30 or so projects, in my opinion, have been relatively small.
MR. LOESER: That is correct. This is the biggest one we've had.
DR. APOSTOLAKIS: Just to move it along. We had the presentation here sometime, I don't know, last year where another team within the Agency had a similar problem, namely, they just cannot inspect everything during construction of a facility, of a reactor, okay? It takes too much work, too much effort.
MR. LOESER: Yes.
DR. APOSTOLAKIS: So they developed a methodology, it's really a sampling methodology, but a sample is not random. They use some method to risk inform the process, and so on. I'm wondering whether you should look at that and see whether you can get any help from it.
MR. LOESER: Well, we actually do something.
What we do is we do a reasonably thorough investigation on the process they use, and then we sample the design outputs in our threat audit to see that the process worked correctly and that the --
DR. APOSTOLAKIS: All I'm saying is that you may find the method there of approach that they use helpful. That's all. I'm not saying you are not doing anything.
MR. HILAND: This is Pat Hiland. I'm the
director of engineering in the Office of NRR, and let me just try to add some clarification. You're correct. The current application that we have in from Duke on the Oconee project is significantly larger than any that we've seen before. We've gone back and looked at the way we've done business before and it's not reasonable to expect us to review the Oconee application to that level. And what we've mapped out is that we're trying to define what is a licensing review, what would be an onsite review of the information, then, the factory or the onsite test and, finally, what would be an inspection activity. Inspection activity will likely be by the regional inspectors after the amendment is approved. We have an example in the steam generator replacements. You know those amendment requests to replace steam generators, I've never done one, but I believe they're approved far in advance of the actual work on site, and those who have been at a site when a generator replacement is ongoing, that's a lot of work and we have a defined inspection program that's about 850 hours. So it's a sample inspection. You can't be there all the time to do that. That's what we're doing in the Oconee place. We have given an initial estimate of how much effort and how long that effort's going to take. We're talking with the licensee, and they gave us what their desires were, and we're different. We're off by about four or five months today, so we have to go back to see if we can improve that schedule by adding more resources if that's the correct approach, or the licensee moving up some of their activities as the factory accepts its tests. You know, currently, they're scheduled to get the results in January of '09. Will that support our review to meet their schedule? Don't know. Maybe, maybe not. So I'm trying to answer the question in broad terms.
DR. APOSTOLAKIS: The question, I'm not doubting that you have a plan and inspection and so on. I'm not saying that. All I'm saying is there's another group within the Agency that has a similar problem. They appear to have developed a methodology for selecting the sample in a reasonable way, and all I'm saying is look at it. If you find something that is helpful to you, use it. I never doubted that you had an approach already. I don't remember who was doing that, but we wrote a letter. So through the letter we can find out.
MR. HILAND: I'll work with Girija and we'll get that.
DR. APOSTOLAKIS: Yes, so it would be very easy.
MR. LOESER: So much for the easy presentation.
(Laughter.)
DR. APOSTOLAKIS: We are behind schedule.
MR. LOESER: Anyway, what we basically do
is we look at what the licensee or the vendor plans to do and how this will be done. This is by reviewing the plans and procedures. Was it actually done? And this is at the vendor audit. And then what were the results? And this is looking at the design outputs and the final test procedure. This is a considerable amount of documentation and the industry decided that this amount of documentation not be presented to the staff and put on the docket; in particular, they were
worried that once it's on the docket, any changes they make to their configuration management plan would need to be reviewed. We've reassured them that this is not the case. It would be done on 50.59. They would only be re-reviewed if the change was significant enough to change the determination that we had made that it was adequate. TWG 6 actually had four problem statements, four issues. One is the level of detail necessary in the review of the licensing actions. Two is the applicability of this guidance for operating reactors. Three was the clear licensing protocols for the review. And four was clear guidance on cyber security issues for I&C. The fourth one we really didn't look at. This is left for the cyber group. In order to do this we needed to deliver a specific clarification on what documents needed to be delivered to the staff, at what phase in the review process it was needed, which of these documents needed to be on the docket and which would be sent off the docket, and which documents don't need to be docketed or sent to the staff at all but only available onsite during the site visit. We considered the inputs and we basically provided such a list. We're still working on refining this list. This list right now encompasses the most complex possible amendment, so licensees or the staff would delete from the list rather than trying to add things to it. This does not modify or supersede existing regulations, with one exception. That is the site activities of maintenance operation and training would be left to the region to review. We don't consider that a licensing issue, so that would be --
DR. APOSTOLAKIS: Can an ISG change the regulation?
MR. LOESER: No. No.
DR. APOSTOLAKIS: It's just guidance?
MR. LOESER: Yes.
DR. APOSTOLAKIS: You cannot introduce new requirements, can you?
DR. SIEBER: You can.
MR. LOESER: You're right. It changes the guidance. It changes no regulation.
DR. APOSTOLAKIS: You cannot impose requirements through an ISG?
MR. LOESER: That's correct.
DR. APOSTOLAKIS: It's a softer version of a regulatory guide. Is that true?
MR. LOESER: Well, we're hoping to turn it into a regulatory guide eventually.
DR. BLEY: Less of a review process than a regulatory guide, is that right, the review and approval process?
DR. APOSTOLAKIS: Exactly.
MR. BAILEY: Well, and you can make a less significant change during.
DR. BLEY: You cannot deviate --
MR. LOESER: More flexible. I mean we're doing things like considering revising the standard review plan to account for some of these. We're writing a new inspection procedure for the regions to use now when they're looking at the portion that is being assigned. Things of that nature. But none of this goes to changing regulation or legal requirements at all. All those are still in place.
DR. APOSTOLAKIS: Very good.
MR. LOESER: So we have provided the ISG,
which besides the explanation, also has a table 1 that shows all the documents that need to be reviewed and shows at what time during the review process or the design process they need to be reviewed. We also have a second set of tables that show for reviews of lesser complexity. That is, if they're using a platform that has already been reviewed, we only then would have to look at plant specific documentation. Or if the platform has been modified a little but not totally, we'd only need to look at the changes and only to the degree necessary to realize that this doesn't change our original concept. And we're still working on refining these tables unless we have continuous dialogue with the various licensees and the licensee members of the working groups.
DR. APOSTOLAKIS: So this is going to be issued when?
MR. LOESER: Sometime this year. We're getting fairly close. We're hoping to have it in a couple of months. But depending on how much we refine this, I can't guarantee right now.
DR. APOSTOLAKIS: Any questions, comments?
DR. SIEBER: I guess I would reiterate the fact that the Oconee modification is fortuitous because it's big enough to help develop the licensee's and the industry's approach and the staff's approach to this and I would advise or recommend that you take advantage of this opportunity to think about the review you're doing in terms of regulations that you need to do future review.
MR. LOESER: Yes. We are certainly doing this.
We are using Oconee as a potential test case.
If we have any new insight, we will try it out there. We're in the process of doing this and, at the I
moment, we're in the early stages of the review.
believe we have just sent out the acceptance letter for the review. yet to be able So we don't have enough experience to report results from the Oconee
review. DR. SIEBER: Yes. You're probably going
to be writing regulations before you're done with that review. On the other hand, as things evolve during
the review process to the extent that you can work them into the guidance documents, I think that would be helpful. MR. BAILEY: That is our plan. Our plan
is to refine the staff guidance based on what we find in Oconee. DR. SIEBER: Okay. Thank you. Okay. Let's move on.
DR. APOSTOLAKIS: Hope this time we go quickly. CHAIRMAN SHACK: DR. APOSTOLAKIS: start this time?
The noncontroversial one. Any questions before we
NEAL R. GROSS
COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W. (202) 234-4433 WASHINGTON, D.C. 20005-3701 www.nealrgross.com
54 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Kelly. presenter. MR. KELLY: Yes. Very good. morning. I'm Glenn (Laughter.) DR. APOSTOLAKIS: Mr. Kelly is the
DR. APOSTOLAKIS: MR. KELLY:
Good
I'm with NRO.
I'm a senior reliability and
risk analyst. I'm going to talk to you today about the review of digital I&C systems and the guidance that we're providing to the NRC analysts on how for new reactors we should review the digital I&C system PRAs. Next slide, please. The problem statement that we had was that existing guidance doesn't provide sufficient clarity to be used current, and I want to emphasize the word current, systems. it easier methods to properly evaluate digital I&C
So we're asked to provide guidance to make for the staff reviewers and part for
industry to see what they should be doing for new reactors. We've been asked to consider common-cause
failure modeling uncertainty analysis of digital I&C systems. In looking at this I just wanted to remind the committee that 10 CFR 50.42 requires that new NEAL R. GROSS
COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W. (202) 234-4433 WASHINGTON, D.C. 20005-3701 www.nealrgross.com
55 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 reactor PRAs. they designs submitted under Part 52 must have
The PRAs would be design and plant specific and would include models of digital I&C systems.
They only need to show, though, that under Part 52 basically that they meet the safety goals. There's no requirement for much more than that. Our short term action, then, was to develop this interim guidance. We've done that. And just to bring the committee aware of some of the issues that we were dealing with, risk assessments, we have a lack of consensus on them, how to model digital I&C systems, and we have issues associated with the robustness of the data for digital I&C systems. And as you've heard before, digital I&C systems are constantly being improved, and, in turn, that makes it hard to get data that says we've had so many years of experience with this particular software, whatever, and it shows X, you know. What happens is that the software changes so fast that, before you know it, you're onto a whole new version, and, therefore, you can't say, well, okay, I've got ten years' experience with this at 20 plants and this is what I've learned from them. So we're working with that. In particular, what we were looking at here, what we've outlined, was for new reactors, for determining the very basic guidance about how our analysts would do these reviews.
The guidance that's in the ISG is not about how you make risk-informed decisions involving digital I&C systems. That's going to be addressed in later ISGs, but we're not dealing with that here. Next slide, please. The content of the ISG, basically, we've got various attributes and risk insights that we're hoping we'll be able to derive out of the information that gets provided by the utility. The risk insights that we feel will be most robust and useful will be those that are at a fairly high level. And one of the reasons for that is that we have very little detailed information at this point on digital I&C systems. As a matter of fact, much of the information that would be needed to do a very detailed PRA review might not be available until the PRA that is going to be performed one year prior to fuel up. So at that point they'll actually already have this COL and we'd be potentially then reviewing something at that point to give us information as to whether or not they've met the DAC associated with the digital I&C system. We've provided guidance to the PRA reviewers for situations where we're going to have a more limited review, for situations where we're going to have a more detailed review. And, again, part of that has to do with as we go through the various stages of it, a design certification, or a COL application, or even potentially down the road that one year prior to fuel load. We have very, very different levels of information about what's in a digital I&C system. We've provided an appendix to the ISG that has captured a number of the insights that have come out of the ABWR PRA review and the AP-1000 PRA review. And this is just to give the reviewers some information on the type of things that they might be seeing or could expect to be able to develop or have the applicant develop out of their risk assessment. Next slide, please. The subcommittee was kind enough to provide us with a lot of interesting comments during the meeting that we had on the 20th.

DR. APOSTOLAKIS: Did you say kind?

(Laughter.)

MR. KELLY: It was a very interesting time.

DR. APOSTOLAKIS: That's an understatement.

MR. KELLY: What we've done in taking these comments, and, again, these are some of the key comments that we got from the subcommittee. Originally, on performing an uncertainty analysis, we had discussed specific guidance on types of sensitivity studies that we might expect a licensee to submit to us. It was felt that we were too specific about this. That a licensee might come to believe that this was all they needed to do was to do these particular ones, or that what, in essence, we were doing is creating an NRC approved methodology for this is how you perform uncertainty analysis. So what we did is we kind of backed it up and made it a higher level guidance saying we would like you to perform sensitivity studies. We think it's important and what we're going to do is we're going to list some of the areas that in the guide today are the most contentious or the most worrisome for us, or that we feel have the greatest uncertainty, with the expectation that some of these will end up being exercised when they perform their sensitivity studies. It was also pointed out to us that some of the guidance, as I mentioned earlier, we broke our guidance into less detailed/more detailed guidance for the review. The subcommittee felt that some of the guidance in the more detailed review really belonged up in the less detailed review, and, in particular, the subcommittee showed strong interest in having more information on performing, how the failure modes and effects analysis was performed, and, in particular, the process because on a less detailed review, you would not have enough time to actually go into how they performed the FMEA, but you can look at the process that they used for developing that FMEA. And then if you need to, you can go into the details at some later time. So we've modified that.
We also simplified the guidance on common-cause failure analysis, in part because, as George pointed out, if you don't really know how to model common-cause failure analysis, it's tough to tell them to do it right. So what we did is we basically said, we'd like you to address common-cause failure analysis and tell us basically what are your assumptions, what's the basis for why you did that, and we can look at that and see how well it captures the expectations today of how one might express common-cause failure. Now, one of the things I think is very clear here is the average PRA reviewer is not going to have a lot of knowledge about digital I&C systems. I certainly, in coming to the working on this TWG, gained a lot of knowledge about digital I&C systems, and given how we've streamlined our review process, it would be very difficult for every reviewer to come in and get up to the same level of knowledge at least that I've gotten to. So our expectation is that the PRA reviewers will be very heavily coordinating their review with the digital I&C reviewer because that's where the real expertise and insights into the system itself lie in the review process. Next slide, please. So our path forward right now is I'm in the process of revising the ISG to take into account the subcommittee's comments and some other comments that we've gotten, and we're hoping in the next month or so to get the ISG out in final form. And that finishes my presentation.

DR. APOSTOLAKIS: Good job. I would like to make a few comments on this. First of all, I think this is a good example of a very useful and productive interaction between the subcommittee and the staff. It was not really contentious. I mean these are hard issues. We expressed some views, the staff expressed views. I'm not sure. I don't think we really disagreed on anything and I'm very pleased that the staff, as Glenn said, is rewriting the ISG to reflect some of the conclusions, so to speak, of our interaction. This is a very hard problem. Just to elaborate a little bit. There were I believe 14 steps for the standard review in there to be supplemented by 10 steps, and these include both failure mode evaluation, or the identification of failure modes and probabilities. And this issue of sensitivity studies on the probabilities was something that was discussed a lot. As Glenn said, first of all, we don't want to give the impression to anybody that these probabilities are somehow meaningful and we want to do sensitivity studies to see what happens because my personal view is they're not meaningful. And I went back to AP-1000 and looked at the data they have there and all you can find is the common-cause failures of a number of digital systems. The rate is 1.2 x 10^-6, but you find no evidence supporting arguments why that is so. And so if you take that number, then you say, I'll multiply by ten and see what happens, so 100, and, of course, the issue of sensitivity studies itself is not well defined. Do you multiply by 1,000? I mean where do you stop? Do you go all the way until you have a probability of failure rate of 3.

(Laughter.)

DR. CORRADINI: That would be unique.

DR. APOSTOLAKIS: And we sort of objected to that. The staff did not object to our objection. And it all comes down, as I said earlier, to the issue of the question: do we really understand how these things can fail? I don't think that the state of the art right now is such to say, yes, we have a fairly good understanding. We don't. So the focus really should be on that, and not only on this particular ISG, but also in future activities of the staff, we have to make sure we have a better understanding, we improve our understanding of failure modes. So this was the main subject of discussion and it was very good interaction, very good interaction.

DR. STETKAR: I wanted to ask a question. This is kind of in preparation for the upcoming subcommittee meeting. There's a lot of discussion of PRA of digital I&C systems, and in kind of a simple sense one can separate that into the models and the quantification of those models for the hardware, the microprocessors and so forth, and the associated software recognizing that the line between those two may not be as clear as I've defined. But for the purpose of this discussion let me do that. In your opinion, where are the larger challenges these days, or the largest challenges in the risk assessment of the digital I&C? You mentioned that there isn't very much experience; there isn't very much guidance for this fuzzy thing we call digital I&C. Are you more concerned in the software area or are you more concerned in the modeling of the hardware itself?

MR. KELLY: I believe that today the majority of the concern is in the software. The software has some very, very unique challenges. The type of challenges that you run into is that you have timing issues about when something fails. You can create loops. You can have dependencies on things that have happened before or things that may happen in the future. None of those things that I just mentioned are well handled by our traditional event tree, fault trees that most PRA analysts at nuclear power plants routinely work with. I spent the last two days going through looking at a draft report on dynamic methods and my own personal opinion about that is that it's not clear to me that the dynamic methods offer a solution to doing a good job in a model. There are just a number of issues associated with dynamic modeling. So I just think in general at this point it's going to be very difficult to model the effect that a digital I&C system might have. And one of the major things that's associated with it, I mean the reality is that if the systems have -- if the hardware has a reasonable reliability and if the software has a reasonable reliability, if we're just talking about single failures of components and things like that, that's really not going to be an issue. The way they've designed the systems, it's not going to cause you to go to core damage. It's not going to cause a lot of big problems. The problem is really going to come with the common-cause failure and how far does the common-cause failure propagate. What's the probability, the frequency with which you actually get these common-cause failures, there are issues with how you even handle something like that because the common-cause failure itself potentially resides in the software for all time. It's there or it isn't there. And so treating that as a random variable has some issues associated with that. But even if you can get around that, then generally what you're talking about is you have some causative event, some event that's going to run you through a different loop of your software that you had before, give you different inputs that you had before that's all of a sudden is going to give you this common-cause failure. Now, assuming that the common-cause exists in the software, is the initiating event that could maybe, and this is where my knowledge gets a little fuzzy, is this something that can simultaneously lock up the computer screens and affect the ESF? Exactly how far can this thing go? What kind of failures can I really end up getting? I don't think we really understand those very clearly. So we have a few uncertainties. Let's put it that way.

DR. STETKAR: Thanks. We're running short on time.

MR. KELLY: I'm sorry.

DR. STETKAR: No. Thanks for your insights because part of what we're looking at in the subcommittee and broader in the committee are the applicability of PRA methods to handle digital I&C problems and I wanted to be sure that when we're looking at that very, very broad problem that we're focusing our attention in the areas where we think we have the greater lack of understanding and lack of knowledge, in other words, that, if indeed, the software is the larger concern and the area where our current experience and methods may be lacking, that we should focus more in that area rather than how one models a chip, or a solder connection on a printed circuit board, or wires between CPUs, or things like that.

MR. KELLY: I think it's very important that we very carefully define what it is that we need to understand, determine, and then work towards that goal.

DR. STETKAR: Thanks.

DR. APOSTOLAKIS: I think next week on the 17th there is a subcommittee meeting on one effort to say something about the risk. So a lot of these issues will come up again. Any other comments, questions? Thank you, Glenn. The next one is operating experience.
MR. WATERMAN: I'm Mike Waterman. I'm with the Office of Research in the division of engineering, and I'm here today to talk about our review of operational experience and classification of systems. And all of this arose out of a presentation we did I think last year, or something like that, where we were talking about developing diversity strategies that a licensee could use to facilitate more rapid approval of submitted systems, and strategies that could reasonably address most of the common-cause failures that occur. I believe it was Dr. Apostolakis pointed out that if we're going to develop diversity strategies, we probably ought to know what kind of failures the strategies are to address, and so, therefore, we ought to go out and take a look at what kind of failures have occurred not only in the nuclear industry, but in other industries. We had actually already started a project to do that and the ACRS' recommendation just reinforced that goal. Additionally, it was recommended that we not only consider what kind of failures had occurred when we're developing diversity strategies, but what kind of systems are these diversity strategies going to fit into. A particular strategy might be great for a reactor protection system, but it may not be so good for engineered safety features actuation system. So, therefore, we should go out and do an inventory of what kind of systems were out there, what kind of digital systems were going to be implemented, what kind of systems were already in existence, and consider those when we were developing the diversity strategies so we had strategies that would cover a gamut of things. Next slide, please. And so that's essentially what we've been doing. And the idea is as we come up with the diversity strategies, which have been developed in draft form by the Oak Ridge National Laboratory under the research, that we can start using that failure criteria to assess how good those strategies are. Next slide, please. Some of the things we've discovered in looking around the world are that our concerns with the possibility of software common-cause failure are valid. We've seen lots of failures. We've seen things such as the Ariane problem with the French Ariane thing. Switching System 7 failure, telecommunications. There was a software error apparently in the northeast grid blackout that occurred a few years ago. Ad infinitum. What we have found, most of the failure data that we've looked at is the failure report to a very high level: system reset, software failed. Those kind of failure reports. You know, software, something happened to the system and the plane started losing altitude and we shut off the automatic pilot and turned it back on; everything worked fine. That's typically the level of detail we've been getting. Now, that's not a very good level of detail for actually developing a diversity strategy where you're considering, you know, should we use timing.

DR. SIEBER: Just shut it off.

MR. WATERMAN: That's scarce detail and causes of failures is making the collection of the data fairly interesting. One of the recommendations that we got out of our last subcommittee meeting is that instead of just looking at safety related systems, we ought to really be looking at systems that, if you will, are at a software integrity level 3 level instead of just at the integrity level 4. Now, integrity level 4 and 3, when we were writing IEEE 1012 -- well, I was on the working group for IEEE 1012. When we were writing that standard, we introduced the idea of software integrity level so we could, if you will, parse out how much level of detail you put into a particular verification and validation project. And integrity level 4 were systems where if the systems failed lots of people died, businesses went out of business, financial institutions lost lots of money, those kind of really serious events, and integrity level 3 systems were maybe only one person dies or there's serious injuries, and business loses money, but they don't go out of business, and things like that, and Dr. Stetkar pointed out that feedwater systems, for example, at a nuclear power plant, are not safety systems. We don't regulate those. But when they fail, the company loses a lot of money, and, consequently, when they put in a digital feedwater system, they want it to be very high quality. That's an availability issue, not really a safety issue because the design basis of the plant can handle that, but it's an availability. If the plant shuts down, the licensee loses lots of money, and so they put a lot of effort into that, so we should be taking a look at those systems, too, because they have good quality. So when they fail, we ought to be considering that failure data.
As far as the root cause analysis, you get into this obsolescence thing. People are putting in digital systems because analog systems are becoming obsolete. Boy, you talk about obsolescence occurring fast. You look at digital systems and see how fast they become obsolescent. And so for root cause analysis, it's really nice to have somebody around who's familiar with a system to such a point that when a system fails they've got years of experience. They can say, yes, that component fails all the time; that's what causes it. When you've got these new digital systems coming in, where's the base of expertise? It's certainly not years and years of expertise on a 286 because nobody uses an Intel 286 any more. And so the new systems coming in for doing root cause analysis is a whole new field. As a matter of fact, IEEE had considered doing a standard on root cause analysis through the nuclear power engineering committee just to define here's how you do root cause analysis. And they're not doing that now because it's a very complicated problem. Next slide.

DR. BLEY: Mike?

MR. WATERMAN: Yes.

DR. BLEY: In going through this data, especially the common-cause failure stuff, have you been able to generalize some categories, functional categories of causes for the common-cause failures that probably would apply across all these different specific systems?

MR. WATERMAN: Well, you could do the high level categorization, three classes of failure, right? You have your failures in design and specification where the main expertise, possibly, wasn't incorporated into coming up with the right specs and the right requirements. And then you've got the translation failures where, no matter how good the spec is, no matter how good the design is, when it comes to implementing it, somebody screwed up, you know, typing a zero instead of an O in a variable name for example, or something like that, or not doing verification validation, not finding the errors that were incorporated by the coder or something like that. And then you have that last class, the operation error. You've got a system that's fault free, if you will, but nothing is fool proof because fools are so ingenious, and a CPU card is slid in on hot mode and none of the memory locations have been initialized to plant conditions for example, like the kind that's a system failure that we saw just recently here. So those three classes of failures there, you could subdivide it down into failures in deriving a design out of specification, failures in life cycle process if you will where verification validation could have been better, and things like that. But we haven't got enough data right now that we could actually pin it down and say, ah, timing is a big issue, for example, in software or order of execution is a big issue. We're still working on that.
That kind of data would be terrific to have because that's what you need to actually develop a diversity strategy. DR. BLEY: I think until you can get that
kind of functional level ordering, it's -MR. WATERMAN: But that doesn't mean we
can't come up with diversity strategies right now, and we have come up with three different diversity
strategies mostly focused around design, a design that incorporates completely different technologies, analog and digital for example. That kind of diversity.
Or I think the second strategy is a design that incorporates digital technology for example, but the technology itself is radically different within NEAL R. GROSS
COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W. (202) 234-4433 WASHINGTON, D.C. 20005-3701 www.nealrgross.com
74 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 the technology, for example microprocessor versus a field programmable gate array, something like that. And then you've the third strategy where you're using microprocessors different for example, of but you're using for
manufacturers
microprocessors,
example Intel versus AMD, for example risk reduced instruction set computer versus a complex instruction set computer. DR. SIEBER: That brings up a problem that If you
I think you're going to face in the future.
look at a power plant that was built to last 40 years, maybe 60 years, these digital systems are not going to have that kind of life time, and the initial failures are going to be this processor failed, that module failed, and you're going to go out to buy it and you aren't going to be able to buy it, and so there's going to be a substitution; and it's going to be done in a hurry and the compatibility and your ability to go through and do flow testing for open loops and all that kind of stuff is the plant's availability is going to pressure you to do that pretty fast, and I think you're going to be in this business a lot more than you think you are because things are going to change that fast. MR. WATERMAN: And licensees have
NEAL R. GROSS
COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W. (202) 234-4433 WASHINGTON, D.C. 20005-3701 www.nealrgross.com
75 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 of attempted to address that by, for example, purchasing enough microprocessors, Intel 286s for example, to
last 20 years.
The problem with that is that a few
years down the road when they go to the website to find out what new problems have come up, they find out Intel no longer supports that processor and they're not longer updating the information. And so you've
got all the spare parts, but you really don't know what the performance is years down the road. And the other thing is is I've seen the case where a designer has said we're going to use the 286 chip, we even know though the faster chips been are available, it for
because
286,
we've
using
years, and, therefore, we're going to do it with the 286. And then they implement the 286 and the
configuration has never been implemented in before, for example master slave microprocessors. DR. SIEBER: And the development by the
manufacturers has stopped so you're dead in the water with that. DR. APOSTOLAKIS: categorizations, let's Coming back to the issue listen, please. Our
consultant brought to my attention that there has been some literature where they try to create classes of failures of the processor, for example early response, NEAL R. GROSS
COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W. (202) 234-4433 WASHINGTON, D.C. 20005-3701 www.nealrgross.com
76 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 late response, no response. I think that kind of
categorization would go along with what Dennis said. I guess you agree? MR. WATERMAN: Absolutely. Okay. The only thing I'd warn
DR. APOSTOLAKIS: DR. STETKAR:
about that, and I think it's a good idea because it's good to have classes to throw things into, just don't make them too rigid initially. I remember in the
early days of risk assessment when we started looking at events, the idea was to have a classification
scheme first and then force fit everything into the boxes you had defined, and sometimes that doesn't work so well. DR. APOSTOLAKIS: No, no. But in terms
of giving some broad view to the -DR. STETKAR: Right, right. -- looking for, I think
DR. APOSTOLAKIS: that would be a useful thing. DR. STETKAR:
I guess what I'm saying is
don't codify the classification scheme and force all of the experience to fit the -DR. APOSTOLAKIS: Right. Okay, Mike.
What else do you have to say? MR. WATERMAN: Next slide, please. Isn't
NEAL R. GROSS
COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W. (202) 234-4433 WASHINGTON, D.C. 20005-3701 www.nealrgross.com
77 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 it interesting that it's my fault we're behind
schedule. (Laughter.) MR. WATERMAN: We're also doing the
classification where the path forward is, obviously, we're going to continue together with failure
information.
The type of failure is really important because you tend to think of failure, oh, just quit operating. You know, it doesn't work as well any more. Sometimes failures have the downstream effect and the failure may be the system continues to operate but it's just a little misleading. You know, if you think about Three Mile Island was not a failure of a PORV or a feedwater system, it was the operator's interpretation of what to do after it failed, right? The operator was misled, so that's a class of failures right there in the digital system, and it's just like, is the failure subtle enough that the operator is misled and how they are to respond. As you can see off of our path forward, we're working on the draft strategies now. It's not ready for prime time. I may be working with the contractor a little bit to refine those strategies. We'll continue to develop our inventory of new and existing digital systems so we can fit those strategies in and see how well they work, and that's it.
DR. APOSTOLAKIS: Thank you. Anything else for the staff?
MR. BAILEY: That's it.
MR. HILAND: Before we leave the NRC's presentation, could I make one additional comment?
DR. APOSTOLAKIS: Sure.
MR. HILAND: Regarding the dialogue we had on the current licensing review for the Duke submittal, and I'm just going to parrot what I said to the Commission on Monday regarding that submittal, is the licensee has chosen not to follow IEEE 1012 and that's an IEEE standard we've endorsed by our regulatory guides. It deals with V&V and so that's a challenge that the staff will have. In addition, there are several other IEEE standards that regulatory guides endorse involving software QA documentation, and our initial look in our acceptance review, they've taken a lot of exceptions. And so when we were talking about the length of time and the amount of effort, as you know, a licensee doesn't have to follow a regulatory guide. That's only one acceptable method and so we're going to focus on those activities very early in our review to make sure if there's a red flag that has to go up, it'll go up early. But that's just a heads up.
DR. STETKAR: Just I'm curious. Is that because of the particular platform that they're using and where it's coming from, or is it the decision of the licensee? Only because the licensee's personal, only because of the experience from that particular platform in applications in Europe for example.
MR. KEMPER: It's basic. It seems to be rooted in -- it's a particular vendor that we're dealing with which is a European-based vendor.
DR. STETKAR: But I was just curious because there is a lot of experience in Europe --
MR. KEMPER: Right.
DR. STETKAR: -- with that platform.
DR. APOSTOLAKIS: Now, when a licensee uses an item on the list, you must have reviewed that standard, right?
MR. KEMPER: Yes, typically we endorse those.
DR. APOSTOLAKIS: Because -- that the Agency has not reviewed?
MR. KEMPER: They can, they can. They certainly can, they can submit that. We would evaluate that. We would evaluate the merits of the platform itself based on that standard. For example, we got an application from Wolf Creek that used an aviation standard, DO218 I think it is, to qualify their FEGA application. Well, first of course, we don't endorse that. So the question we asked was how does that comply or comport to Reg Guide 1 -- excuse me, IEEE 74.32 because that's the primary document we would use to approve a computer-based system. And they did that. And since then we understand what they did and we've moved down the process and things are going along quite well with that application quite frankly.
DR. APOSTOLAKIS: Are you happy with the IEEE standards?
MR. KEMPER: Well, I am.
DR. STETKAR: It's a matter of time and effort.
DR. APOSTOLAKIS: It seems to me that somebody decided that you should never be allowed to use one standard. They always refer you to another one, and the other one refers you to another one, and then you complete the cycle and come back to the original standard.
(Laughter.)
DR. SIEBER: Endless loop. Endless loop.
DR. APOSTOLAKIS: This is true.
MR. KEMPER: Speaking of failure modes.
DR. APOSTOLAKIS: So if you guys are happy, we're happy.
MR. KEMPER: Good to hear, thank you.
DR. APOSTOLAKIS: Okay. So the next is, what, industry comments. Please, go ahead.
MR. CLEFTON: Good morning. I'm Gordon Clefton. I'm with NEI. The subcommittee asked us to bring a presentation of our evaluation research on operating experience that the industry's been doing. Just as a lead-in to that, I'd like to point out that I'm the lead of the shadow organization that Jack referred to earlier, that I've got seven TWG industry people that support the NRC. We've got probably 150 to 175 people ranging from operators to senior vice presidents assisting us to make sure that we speak as one voice and have a feeling together of how we can make the industry successful in the implementation of application of digital I&C. We really looked at the fact that that's the future of the nuclear industry. We need it for obsolescence, we need it for futures available, and we're doing everything we can to assist in the approval of the packages that we submit. Need to go on to a couple of slides here and, just as you can see here, quick moments to talk about our objectives today. We have a need for continuing level of coordination, cooperation between the NRC and the industry. Our shadow organization matches what the NRC is doing. We're looking for safety focus applications. We're looking for stable, predictable, timely licensing process and guidance. That's significant right now in the fact that the regulatory risk associated with submitting applications is threatening the submittal of applications. We've talked about the Duke Oconee package. The industry is watching that one very closely, and we're looking for consistency in the processes. We've got a management structure that's in place that identifies the issues. We're moving them to resolution in a disciplined manner. It's been identified earlier. With this we think we can get realistic regulatory guidance.
DR. APOSTOLAKIS: You spoke of the regulatory activities. Surely you're not implying that there are delays that are not justified on the part of the staff? I mean the industry has complained in the past that the staff is not moving quickly enough, and so on. It seems to me that the staff is dealing with very, very hard problems here, so you probably acknowledge that.
MR. CLEFTON: Absolutely.
DR. APOSTOLAKIS: And are you doing anything, in fact, to help this effort? In other words, they have a project or projects on how to risk inform the process. Do you have similar projects, and do you have your projects in parallel, and do they deal with defense in depth and diversity issues, so eventually we will have some intellectual meeting of minds? Or are you just sitting back and waiting to see what the staff will do?
MR. CLEFTON: No. We're absolutely involved in projects, looking at producing applications. Remember, we have digital in the plant. The digital that's coming to the NRC for approval now are those that would not screen out with the 5059 process saying that the plant was adequate to make decisions
of implementation. We've had digital feedwater systems for many years that have been working successfully in the power plant. We've got secondary aspects and such that are out there that are practical in use already.
VICE-CHAIR BONACA: You know, one thing that seems to be important from the presentation is the proper classification characterization of failures so that you build a database. I mean you're the only one who can build.
MR. CLEFTON: That's true.
VICE-CHAIR BONACA: Because you have the experience and it seems to be a critical element to me if we cannot understand the other modes and the effects, there is going to be very little progress. And, again, I mean you can support that?
MR. CLEFTON: Yes. That's our presentation today. We've brought the experts of Ray and Bruce from the industry to speak to it. We'll get to that with analysis in a moment.
VICE-CHAIR BONACA: But it's almost like, how do you implement within an organization procedures for sure that when issues arise they are properly characterized, evaluated so there isn't just a blip there that says something malfunctioned and that's it.
DR. APOSTOLAKIS: Yes.
MR. CLEFTON: That's correct.
MR. TOROK: There's another part to your question though. I think in regard to the industry activities supporting a number of these ISGs. We provided a number of white papers on specific issues. We're continuing to work on more. The one we're talking about today happens to involve operating experience, but there are others in the areas of defense in depth and diversity, human factors, cyber security, and risks, that's right, in the PRA area. There have been white papers submitted and more in progress.
DR. APOSTOLAKIS: Girija, is the committee getting those white papers?
MR. SHUKLA: Yes.
DR. APOSTOLAKIS: Are we getting those, the committee?
DR. SIEBER: No.
DR. APOSTOLAKIS: Okay.
MR. TOROK: Have you seen, for example, the one on common-cause failure applicability?
DR. APOSTOLAKIS: I see so many documents. I think I saw it, yes.
MR. TOROK: So you're seeing some of these.
DR. APOSTOLAKIS: That's good. But as long as when you speak make it clear that we all have a common problem and we're trying to understand it.
MR. TOROK: Yes, absolutely.
DR. APOSTOLAKIS: Rather than say the regulatory instability and all that stuff.
MR. TOROK: That's a good point.
MR. CLEFTON: We're sharing the concerns that the NRC has and resource capability of handling --
DR. APOSTOLAKIS: Good.
MR. CLEFTON: -- so that they're aware and we are that we can't expect a detailed design review, expect regulatory assurance, and that's a very difficult decision for a reviewer to make is how much is enough, is management pressure for schedule and such, so we're working with the industry to try and help the NRC to put our packages in order that they can be reviewed the best that's possible and that comes from good guidance. It's for the submitter and for the reviewer. But the rules are the same as what the NRC has. We can go on to the next slide and talk. What we've got is the project plan, which Duke Oconee is RPS, ESPS, the system that's in there right now and the pilot project. We expect this to validate the ISGs that are written and available to us. This is of highest importance to us. We're working on this. It's very significant in the industry applications. Duke's is pressed by time, as we talked earlier, that they're looking at a 2009 installation into unit 1, then unit 3, then unit 2. So they've got several years of application. As you all know, we've worked outages very carefully for months and months in advance. These have to be approved so we've got a thumbs up, go ahead with it far enough in advance to implement. That's why the package went in on the 31st of January this year. We're working with the NRC to try and refine differences in schedule where we can progress on both sides effectively. The emphasis, again, is on good strong guidance, stable, predictable, and timely that's realistic, that we can use. What I'd like to do today is introduce Ray Torok and Bruce Geddes. Bruce is from --
DR. APOSTOLAKIS: Before you do that, I'm
sure you addressed this to some people. You are heading a group, the shadow group?
MR. CLEFTON: Yes, sir. I have seven TWGs that match the NRC's TWGs.
DR. APOSTOLAKIS: And you are representing the industry, not NEI?
MR. CLEFTON: That's correct.
DR. APOSTOLAKIS: You are industry?
MR. CLEFTON: Industry are us. We are industry.
DR. APOSTOLAKIS: Okay. You are working with EPRI and NEI and so on?
MR. CLEFTON: Yes, and INPO.
DR. APOSTOLAKIS: But your group consists primarily of industry group?
MR. CLEFTON: It's industry and vendors and operators and managers. It's a combined interest.
DR. APOSTOLAKIS: Okay. Thank you.
DR. BLEY: I think you folks told us at the subcommittee that your groups have been working very closely --
MR. CLEFTON: Absolutely.
DR. BLEY: -- so that you've actually had input into these ISGs on the way?
MR. CLEFTON: And that's an ongoing situation. We've got meetings working probably three to five times a month with the different TWGs so that we can interface on the assistance of the industry that we've got out there and make sure that the new plant vendors are aware of what we're creating, and, of course, the existing --
DR. BLEY: And you will be commenting formally on the ISGs as well, is that right? Is that something on the schedule today?
MR. CLEFTON: That's not on the schedule.
DR. BLEY: Okay.
DR. APOSTOLAKIS: Who's funding this activity?
MR. CLEFTON: Each of the industry participants are funding it separately. There's no separate cash involved on it. The EPRI has their own financial for some of their topical reports that come out, but the gathering is --
DR. APOSTOLAKIS: Who decides that, in a particular issue you need somebody to spend some time investigating and doing some what we call research, then it's members of this group that are doing this or you are going and say, hey, you have a record of this
area; why don't you look at this problem?
MR. CLEFTON: We have the advantage of several of the members of the group are in management positions that they can bring it from their own organizations with no extra costs, so we don't have a budget and a funded aspect associated with it.
DR. APOSTOLAKIS: Okay.
MR. CLEFTON: The spokesmen that typically come to our meetings or participate by teleconference, links in, or webcasts are the tip of the iceberg, if you will, of resources that are available in the industry, so we haven't had to fund separate resource as such. We've had volunteers step forward with each of the topics.
DR. APOSTOLAKIS: Now, does EPRI have research efforts? I mean do you have a project some place that is trying to develop something like the staff has research projects in several places?
MR. TOROK: We certainly have a research area in instrumentation and control. Right now several of the activities have been tailored in parallel to support the NEI effort specifically.
DR. APOSTOLAKIS: Right, but they are activities where you go to an organization and you say, here is a problem; we'd like you to tell us what to do about it in two years or a year, or whatever, a typical research project in other words.
MR. TOROK: Well, yes, we have an internal advisory structure that consists of representatives from the various utility members of EPRI, and they have to approve what we're working on.
DR. APOSTOLAKIS: But this is the mechanics of it. Do you actually have such projects? Right?
MR. TOROK: Yes, and the one we're going to talk about is one of those projects.
MR. CLEFTON: This one has come with a collection of available digital related events. It's of significance because we had to go through and evaluate whether they were truly digital events.
DR. APOSTOLAKIS: Good.
MR. CLEFTON: And NEI versus EPRI raise this issue, and so who's supporting -- it's Southern Services Engineering and EPRI on -- it's a representation of coming straight from the industry, the people that are out there. This represents, what do we have, a three-hour presentation that's now down to a few minutes, or 30 minutes.
DR. APOSTOLAKIS: So this --
MR. TOROK: We want to apologize for
putting you farther behind schedule.
(Laughter.)
DR. APOSTOLAKIS: So this is an activity that parallels what Mr. Waterman presented on behalf of the staff?
MR. CLEFTON: Yes. It's actually complementary, but it's certainly on the same subject.
DR. APOSTOLAKIS: Its brother?
MR. TOROK: I would call them in cooperation.
DR. APOSTOLAKIS: Now why do you always have 10, 20 minutes? I mean would you mind if in one of the subcommittee meetings you actually come and spend an hour or two?
MR. TOROK: We would be happy --
DR. APOSTOLAKIS: I mean you fly from California anyway.
MR. TOROK: We would be happy to come and spend four hours with your subcommittee.
DR. APOSTOLAKIS: Okay. Let's make sure that next we actually review what the industry is doing in more detail. We're not going to write a letter on it, but it's very informative because it would be useful I think for us, especially for a project like this to know the details, not just we are trying to do the best job in the world. We all try. Some of us succeed.
MR. TOROK: We would certainly appreciate that opportunity.
DR. APOSTOLAKIS: And, in fact, not just for the operating experience, but for the other areas, the human factors, defense in depth, diversity, and so on. I really would like that. I really would like to spend serious time because usually we reserve 15, 20 minutes at the end and here is the industry to tell us, you know, they are doing something. We should get into it.
CHAIRMAN SHACK: That's it. We'd better move on.
DR. APOSTOLAKIS: Yes. Mr. Riley wants to say something.
MR. RILEY: I have something real quick. This is Jim Riley, director, engineering, NEI. I just wanted to say we'd be happy to provide or spend some more time with you folks talking about the various things we have ongoing with digital I&C. One thing that I would like to just add a minute more on because I think it's pretty important. Gordon talked about it. NRC did, too. That we are
using a pilot plant concept on this, that's Oconee. We have a separate task force set up within the NEI to assist Oconee in their review of the NRC RAIs and as the process goes through. The whole purpose of that task force is to assist in any issues that come up, generic issues not plant specific, during the staff's review of the license amendment request. And, also, to identify any new issues that maybe we hadn't recognized when we were doing the ISGs. The whole point in this is to try out the ISGs and see how they actually work in application and, hopefully, smooth them out so it's a much better product when we're done. And we're just getting started on that, but I think that's very important. And I know we're working, the staff's well aware of this, I think we're all working together on it and I think it should help the final product quite a bit.
DR. APOSTOLAKIS: At some point it would be useful I think for us, for the subcommittee at least, to be briefed on this effort, if you don't mind?
MR. RILEY: Happy to do that, too.
DR. APOSTOLAKIS: Because the actual lessons learned from a practical application is really where the action is or should. Thank you very much.
MR. RILEY: Thank you.
MR. TOROK: Okay. Well, first of all, we'd like to thank you for the opportunity to come back and talk to you about this EPRI project that's ongoing in support of the NEI working group. I'm Ray Torok. I'm the EPRI project manager on this. Bruce Geddes is our principal investigator supporting the project. That's why we're both here. Bruce will answer the tough questions. We, also, we presented some of the same information to the ACRS subcommittee on March 20th and they were also very kind to us with suggestions about things where we could do a better job or add clarification. So we've tried to react to some of that, so we do have some new material here. That's sort of a warning. I just didn't want you to stop paying attention, think you were going to see the same thing again. We're going to briefly describe what we did on the project, what we think the operating experience is trying to tell us, and how we arrived at those conclusions. And, of course, we'll give something on the conclusions and recommendations coming out of it.
Now, this project started for us as a result of an ACRS recommendation to the staff to investigate operating experience and come back and use the lessons learned from it to refine the regulatory guidance on defense in depth and diversity. And while we were not the staff, of course, we recognized that that was a good idea and we had the right mechanisms in place to pursue this ourselves, so we started doing it. The basic idea here was that we would look into various published reports from NRC and INPO. From NRC that means things like licensee event reports, Part 21 notifications, event notifications, and I may be forgetting some of them. From INPO, of course, there are operating experience reports. Now, all of this: we looked at 322 reports over a period of about 20 years in both 1E and non-1E systems. Now, you notice there it says digital events in quotes.
DR. ARMIJO: Yes. How do you define that?
MR. TOROK: We want to clarify that a little bit because that caused some confusion the last time. Basically, a digital event for the purposes of this is anything that was reported that involved or affected a digital system. Doesn't necessarily have to be a failure, might be a plant trip, might be discovering some flaw in a digital system, anything that was reported was fair game.
DR. ARMIJO: Okay. Just on that point. Last year there was a failure in a digital feedwater control system at Perry.
MR. TOROK: Yes.
DR. ARMIJO: Which if you keep peeling that onion you get down to maybe a transformer failed or parts of it.
MR. TOROK: Yes.
DR. ARMIJO: Is that in your analysis?
MR. TOROK: Yes. If it was reported -- in that case, yes, that one is. But we also at some point differentiated between events that were really digital system failures or software failures and ones that were caused by other things, and Bruce is going to explain that in a few minutes. But that's an excellent point because there are a number of definitions you'll find us using that are important to understand here. And that's one of them, what's the difference between what we call a software event and a non-software event. For this purpose, a software event is where, basically, a design flaw in the software was
involved, that sort of thing. Another way to think of it would be a problem that would affect a digital system and happened because this was a digital system, as opposed to one that would have happened the same way for an analog system like a power supply failure or an incorrect set point that would affect analog or digital the same way. So we tried to break it down that way, and, again, Bruce will show you that. There are a couple of other things I wanted to mention though. We used some other words. Defect is one of them. What's a defect? A defect is just a flaw somewhere in the system. For software that typically would mean what would be called a software fault or a bug.
MR. GEDDES: But it would also include procedural issues or human error.
MR. TOROK: So it's a fairly broad term the way we're using it here. The word failure, something actually misbehaved one way or another. Now, it's important to note for software, a software failure, that needs a defect plus a trigger, and I think that was mentioned earlier. A trigger is a set of conditions that causes the software to do the wrong thing. Now, typically, in a software-based system, the kind of thing that does this is an unanticipated condition, something that wasn't anticipated in the design. So that's what a failure is. Now, we also talked about common defects. A common defect is one that occurs in multiple redundancies and can affect a redundant system. And we also talked about a common-cause failure. Now, here you need common defects plus concurrent triggers if you're talking about a software failure that can become a common-cause failure. And what you find is that not every common defect can lead to a common-cause failure, and Bruce will explain some of that later. But I wanted to make sure we were all more or less clear on those terms. Now, there's a list of the key terms at the back of the presentation. It goes into more detail. I don't think we need to go through the rest of it now, but it's there for your reference. Another thing that I wanted to point out here was that we're only looking typically at problem reports here, so we're not talking about positive experience. We tend to focus on what went wrong and there are a number of good reasons to do that. There's a lot more to learn there typically. But we're ignoring a lot of successful operating
experience. Core protection calculators have been operating for a long time with not very many problems. There are many instances of digital feedwater control systems that have done a wonderful job of doing away with the analog system problems. I know of somewhere during the first startup transient with the new digital feedwater system, it was credited with paying for itself in the first startup just by being able to handle transients that they couldn't handle before, that would have let the plant trip. So there's a lot of those kinds of experiences out there that we're not talking about. Now, in one case, one of these digital platforms that people have been talking about here, they have a lot of experience, not in the nuclear industry, but in others, in petrochem. They have over 6,000 units in service for I don't know how many years. They're saying their total service time is in excess of 450 million hours and they've never seen a failure on demand. Now the problem there is if you're trying to generate statistics for PRA, you don't have a lot to work with. So that's one of the things that makes it so difficult. Now, in this case, one of the first things that comes in your head is how many demands did they have and how many failures if I'm worrying about statistics? It's hard to get that data especially for systems like these where they're designed to be extremely robust. They don't fail often, and that's one of the problems with generating a statistical argument, which drives us to consider things in regard to design features that are typically built into these systems which make them robust because they're not robust by accident. They're designed to be that way. So I just wanted to mention that. Now, for our purposes, since we're primarily trying to support the defense in depth and diversity issue, our focus is on actual common-cause failures that can disable systems or potential common-cause failures that can disable systems. Things at lower levels aren't so important for the purposes of this discussion, although we did look at them. So that's an important point. We also wanted to capture insights in regard to potential corrective measures that make sense, depending on what we're seeing. One of them is a diversity strategy like Mike talked about. What kinds of diversity would have been helpful here?
102 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 diversity. helpful? another way of looking at it is, what kinds of And
diversity prove to be helpful in these events?
we've seen some of that because it turns out that there's a lot of internal diversity built into the plant systems as it is and it turns out that's a good thing, which should be a surprise. by smart people. So in regard to insights, there's They were designed
What kind of diversity would have been And, also, what kinds of design in defensive So we're
measures are proven to be helpful here?
trying to look at those things to capture insights. I should also mention that while the focus here has been on the D3, the defense in depth and diversity issue, and common-cause failures, a lot of the insights that we get from these events, especially the non-safety ones, have a lot of value in terms of lessons learned that we can factor back into the
utilities and the processes to improve the way they handle these systems. So we have another project ongoing at EPRI where we're working on that. We're taking selected
cases from the same set of information and building it into our training program on digital upgrades. that's ongoing, too. So
I just wanted to point that out. NEAL R. GROSS
COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W. (202) 234-4433 WASHINGTON, D.C. 20005-3701 www.nealrgross.com
I wanted to very briefly go through what we're seeing here. In looking at these events, we were trying to look at software errors in the broader context of all the causes of potential and actual common-cause failures that have been reported. Now, when we did that, we discovered that software is a relatively minor contributor. Although there have been a number of actual common-cause failures and potential common-cause failures, 49 of our 322 events involved actual or potential common-cause failures. Of those 49, eight involved software. So software has not proven to be a big -- in practice over the last 20 years software is not proving a major contributor. The more prevalent causes of the problems have been things like incorrect set points, incorrect system parameters, process issues, really, which, of course, would be equally problematic for analog systems. If the set points are wrong in multiple redundancies of an analog system, you had problems same as if it's in a digital system. Also, for the non-safety systems, the dominant cause was really hardware issues, and there are a number of important differences between safety and non-safety and Bruce will get into that later.

So while the numbers of events and the numbers of common-cause failures and potential common-cause failures are not large statistically speaking, the operating experience shows no indication that the introduction of software in these systems has been particularly problematic in terms of -- compared to other factors that can degrade reliability and safety. On the contrary, the operating systems suggest -- it certainly doesn't prove, but it suggests that whatever is being done now in terms of design practices and designed-in features in these digital systems, whatever is being done now to ensure that they're very robust in regard to failures and common-cause failures seems to be doing pretty well because, as I said, software has not been a major contributor.

DR. ABDEL-KHALIK: Doesn't that depend on the level of complexity of the software though?

MR. TOROK: That's an excellent point. And, yes, absolutely, and we'll show you a little more on that. That's an excellent point. Now, with that, I'd like to turn it over to Bruce who's going to show you how we looked at the data and drew conclusions from it.

MR. GEDDES: Thanks Ray. We actually read, evaluated, characterized, and built a database for almost 322 reports. You can see down the left hand side of this figure, we used this pyramid construct to separate 1E from non-1E, and we've got another slide that points out the fundamental differences between the two types of systems out there. On the 1E side we found 49 reports. Breaking that down further, 27 of them reported a common defect. They did not all result, of course, in a common-cause failure. Twenty-two out of those 27 were single common defects. Of those 27 single common defect reports, these are software or non-software defects that are common in multiple redundancies, four of them are related to software. The other 23 were life cycle management, parameter issues, set point issues, operator error, or procedures, other kinds of defects that can result in a failure at the system level, and what this means is a loss of safety function. We saw zero actual common-cause failures on demand. We did see six reports that could have led to a possible system level failure. We are calling those potential CCFs. One of them is software related. The other five are non-software related, in other words, about the same ratio of software to non-software events. Of the remaining common defects, we saw ten single failures, in other words triggered into one channel even though the defect was common on multiple channels. We saw six spurious actuations, four subsystem level meaning a trip function or some other function of the system, could have led to a potential CCF, one subsystem level actual CCF. Next slide.

On the non-1E side, we see bigger numbers, okay, and we have some fundamental differences between like a 1E and non-1E systems that tend, we believe are causing these numbers to be higher. Going, again,
down the left hand side of this figure, 273 non-1E events, 77 of which contained a common defect. Sir?

DR. STETKAR: Probably the largest difference is the fact that there is many, many, many more non-1E applications --

MR. GEDDES: Yes.

DR. STETKAR: -- than digital I&C, so it's not necessarily correct to imply that the failure rate is higher in non-1E because it's fundamentally designed differently. There's just more of them out there, so you're going to see more events. So the implication is that they may not be as different as you might think.

MR. GEDDES: Well, we do have some backup slides on failure modes and there's been a lot of discussion. We can give you a glimpse. Time permitted, we can show you some failure modes of the non-1E systems and it's important. Those failure modes we don't believe are necessarily translatable directly to the 1E systems.

DR. STETKAR: I just wanted to make sure.

MR. GEDDES: That's a very good point, but we need to make both points together because there are differences.

DR. BLEY: Two things on that. One, have you ever tried to normalize them for the number of systems out there? And, two, are you preparing a report on this information that we might be able to get a look at when it's done?

MR. GEDDES: Absolutely, yes. We have a white paper that's coming out in May and a final EPRI technical report that's later this year.

MR. TOROK: But the answer to the first question was no, we haven't tried to normalize. And to do that is a much more difficult problem. You have to go back and capture the information on all the
other systems and all the --

MR. GEDDES: Absolutely.

MR. TOROK: -- moving toward.

DR. BLEY: That was the hard part in doing mechanical systems for ten years.

MR. TOROK: And we started talking about whether that kind of effort is feasible, but we're not doing anything there right now.

DR. STETKAR: I was going to wait until the end, but you gave me a lead in and we may never get to the end anyway. You mentioned you have all of the classification and evaluation you had done is based on 332 event reports, let me call it that. You've obviously done some screening of the experience to identify these 322 events. Have you made efforts to go back to the plants and ferret out more details in terms of what actually went on? In the staff's presentation they mentioned some frustration. We used to see throughout the PRA business of finding an event report, the pump failed and the corrective action was replace pump; or software failed and we reset the processor. Did you make an effort to actually go back to those 322 events and flush out more information? That's the first question.
MR. GEDDES: Only in a couple of cases and I can elaborate on that.

DR. STETKAR: Why only in a couple of cases?

MR. GEDDES: Well, we found in the reports about half of the 322 reports were licensee event reports, the other half are INPO operating experience reports. And what we've seen over the 20 years is the quality of the reporting has improved and we do see there's three specific things that we can read directly, black and white, in the reports: the cause of the event, the failure mode of the event, and the immediate corrective actions and the corrective actions to prevent recurrence. Those three pieces of information are in these reports and readily available, and we felt like that was enough for us to do this research. Now, we will go back and do some more detailed review and bring out more information in the final EPRI type of a report on selected events.

DR. STETKAR: My point is that in the risk assessment experience in areas, in some of these very, very difficult areas, talking about common-cause failures now of hardware pieces of equipment, diesel generators, pumps, valves, those types of things, fire events, human error events, in many, many cases simplistic categorization of both the failure mode, if I'll call it that, and the cause based on very, very high level summaries often does not give you the type of information that you really need to understand what happened. Now, I'll grant you that the resources, if we're talking about 100,000 events, the resources required to go back and delve into more details would be daunting. But we're talking about 322 events here and a lot of them, because of the history of digital control systems, probably have occurred in the last 10 to 15 years. That's where in-plant tracking systems may be much better documentation than what is reported in an INPO report or an LER. The reason I bring this up is that our experience from PRA is sharing the information between both the industry and the regulator at the level of a detailed narrative of what actually happened oftentimes leads to better understanding of the problems, of the scope, definitions of failures, things like that rather than tabulations of numbers of events categorized into different boxes with summary tables of numbers.

MR. TOROK: Well, there's two questions going on here. Let me first say that a lot of the information came from INPO databases, and, of course, we, EPRI, can't release INPO information on our own to NRC or anybody else. However, we have been talking to INPO about this, what can we give to NRC and so on, and it looks like it will be feasible to just strip selected information out of the reports and then provide a lot more of the details to NRC and everybody else. So we're trying to do that and we will to the extent that we can. Now, the other question had to do with distribution of what was seen, and that's a hard question. Bruce has to answer.

MR. GEDDES: If I may, I've picked up a lot of discussion points listening to you all today about failure modes. What are the failure modes? How does software fail? And looking at the 20 non-1E software events, and I apologize for having to look sideways, but maybe I could stand up.

CHAIRMAN SHACK: No, no. You have to stay down. You can't stand up and move around.

MR. GEDDES: This is a simple Pareto chart of 20 software events on non-1E systems and these might be the 20 that we go after instead of 322. The first bin is eight.
Eight of those events were application logic errors. In other words, in any digital system you've got an operating system with fundamental core functions like accessing memory and operating certain transfer functions. At the upper end of the architecture is the application logic, the function blocks that make the system do something useful. These are errors in the logic at the application level. The next bin is buffer overflow. Those could be and probably are operating system issues. They could be an application call that does something inappropriate. The designers of the application maybe didn't quite understand -- didn't completely understand how the operating system works, but these are buffer overflows. The next category is inadequate indications or alarms. Somebody mentioned operators trying to understand and diagnose an event. In this case there's three of those. Inadequate human machine interface operating system issues. In some architectures you've got a control layer, in other words, processors that interface directly with the plant, and then a layer above is a human machine interface system with a client server arrangement, that could go dark and the control systems keep functioning. A typical feedwater control or electrohydraulic system control might have that architecture, especially with a larger DCS type systems. So that's a case where the HMI failed, but the plant kept operating. The next bin is faulty deadband function. That's an operating system issue where there's a function block to insert a deadband into a processor control and that function block had an error in it, that the code inside the function block itself was incorrect. The next one is a faulty communication function, another operating system core function issue. The next to the last one is --

MR. TOROK: Incorrect exit call in firmware.

MR. GEDDES: Incorrect exit call in firmware, that's another operating system issue. An incorrect signal range, that's an application issue. So you can see a few operating system issues and a few application issues. We think these are interesting. We think these begin to answer the question: how does software fail and how do those failure modes propagate. I would argue I think that application logic errors tend to be isolated within
particular systems, and operating system issues can propagate across the architecture. Let's go back to where we were on the --

DR. APOSTOLAKIS: We have six minutes.

DR. ARMIJO: This is the interesting part, George.

DR. BLEY: You'll leave us those extra slides?

MR. TOROK: Yes, yes, we will.

MR. GEDDES: We can be here all day. I can go to the airport, find out if the FAA will let me go home or not. I don't know. It's Delta, but they've given us a heads up. This point, vulnerability of CCF, we do want to get across. Looking at 1E systems, independence and sharing of resources, those are the fundamental differences. The triggers of the events where there's a common defect quite often rely on these kinds of fundamental design attributes between 1E and non-1E. In a non-1E system there's quite often a master slave architecture with some kind of a shared resource. It could be a back plane, a network segment, a power, somebody mentioned a feedwater event, the power supply issue, that was the shared resource. In some cases even those shared resources are redundant, but they might have diode connections, and if those aren't configured properly or tested or maintained properly, or they just fail, that can lead to an event. And that's not necessarily a fault of the digital system, but it does get involved in the event and you don't see those fundamental design attributes. Independence is maintained in 1E systems by regulation and that's a very, very important point. To try to transfer those non-1E failure modes into 1E systems, you have to transcend. You have to take into account these fundamental design attributes and understand the triggers that lead to events. That's a very key takeaway here.

DR. STETKAR: However, I know in at least one of the new reactor designs that we'll be looking at for licensing in the United States you will see safety-related 1E systems with that type of diode backup sharing of things, so that for that particular type of design this experience might be relevant. That's the only point of not necessarily --

MR. GEDDES: I understand.

DR. STETKAR: -- separating between 1E and non-1E.

DR. APOSTOLAKIS: Is it a quantitative metric?

MR. GEDDES: No, qualitative.

MR. TOROK: What it refers to really is complexity.

DR. APOSTOLAKIS: How do you define functional complexity?

MR. GEDDES: This is application level that in the 1E side, the system is typically just looking at some input sensor data --

MR. GEDDES: Bistable functions versus closed loop events control algorithms for feedwater --

MR. TOROK: It's just a trip. It's on and off and that's all it is. Whereas, on the other side, you've got feedback control, closed feedback and so on.

MR. GEDDES: I think it's important for the community to understand that 1E systems aren't always quiescent, dormant, waiting for an event. They're constantly scanning process values, comparing them to a set point and writing in a zero or a 1 on a millisecond level, constantly. They do the same thing over and over whether there's a demand or not. When there is a demand, it writes a 1 instead of a zero to
the reactor trip breakers. That's a very important point.

DR. SIEBER: Let me ask this question. If you show us this chart ten years from now, what will change? For example, in ten years will there be shared resources for 1E systems?

MR. GEDDES: No.

DR. SIEBER: Will you have functional complexity, maybe become high for 1E systems? How is this going to change and what's going to prevent it from changing?

MR. GEDDES: I think the 1E column is a function of regulation, and the non-1E column is a function of plant reliability and availability, and we're learning. You notice formal software quality assurance methods varies under -- but it's improving. There's nothing like a reactor trip to be a learning opportunity for an I&C engineer. And that's what's happening in the non-1E column. We are improving dramatically on the non-1E side and in ten years I expect event free operation.

DR. SIEBER: Well, a lot of the trips of the plants are pretty events, you know. It's too hot, you trip it. Flux is too high, you trip it, and so forth. As opposed to control systems particularly --
DR. SIEBER: -- integrated control systems where it's altogether different.

CHAIRMAN SHACK: Jack, we had better let them finish.

MR. TOROK: We would be happy to come back later.

DR. APOSTOLAKIS: Tell us --

MR. TOROK: There's a point down -- we need the red box here.

MR. GEDDES: Yes, we do that.

MR. TOROK: I think you would -- I think we've covered that. The 1E systems are much better protected for a bunch of reasons.

DR. APOSTOLAKIS: Good.

MR. TOROK: Now we're there, right. Same thing we said before, software compared to the other contributors to common-cause failure has not been particularly problematic, which suggests that the designers and users of these types of equipment have learned how to do pretty well. The 1E and non-1E is still apples and kumquats. It's tough to compare and we tried to explain why, although there are a lot of good lessons learned from both. Recommendation wise, we agree with Mike. Let's keep looking at things, at information from whatever sources we have, and let's start thinking about factoring this back into the D3 guidance as suggested earlier. Now, I was just going to point to this. We've got some other things we saw which were kind of interesting, like there are many cases where, in doing corrective actions for a non-software-related issue, a hardware failure perhaps, added features were put in in software to protect against that from happening again, which is really nice. They're using software for what it's good at. So that was encouraging. We also saw events that confirmed the effectiveness of certain kinds of diversity, in this case signal diversity and functional diversity. For example, reactor protection systems have lots of different signals. They can all start trips. That's a good thing. We don't want to do away with that. On the other hand, we saw no events where using platform diversity and redundant trains of a system seemed to be the right thing to fix the problem. Because the problems weren't coming from the platforms, they were coming from the application code, set points and requirements, and things like that, not from the base platforms. So I mentioned the last one already.
MR. GEDDES: Based on non-safety system experience.

MR. TOROK: Right. Yes. We're done.

DR. ARMIJO: This is not my area, so it may be a dumb question. These operating system errors, what do you do to fix them or how do you test these systems in advance to be sure these errors are not there?

MR. TOROK: That's a good question. That's where I mentioned so-called defensive measures here. There's a difference between a good operating system or a good platform and a bad one. Now, 15 years ago, I'd say we didn't know that much about how to figure out which were the good ones and which were the bad ones. We know a lot more about it now. And I'll give you a couple of easy examples. For example, everyone's heard of the Y2K problem. Well, that happens when operating systems try to track dates and they tangled up over that. So if you're evaluating a system before you put it into a critical application, safety or non-safety, one of the things you want to do is look inside the box and make sure it's not using dates, or if it is, it's doing it very carefully.

MR. GEDDES: Or turn that feature off.

MR. TOROK: Yes. Now, another example might be in a well-designed system for critical applications. What the operating system does, its functions don't change at all during a plant transient. It just does the same thing over and over again. It reads data; it ships data someplace else. It can't tell that a transient's going on. The reason that's important is because you can have all the bugs you want in that operating system and a plant transient can't trigger them. So it eliminates the operating system as a contributor to common-cause failure. So you're looking for those kinds of design features when you evaluate these systems before you put them in. And there are many other things. We call them defensive measures. And from our standpoint that's one of my soap boxes I guess. I'd say these systems are reliable, well, in part because they have good development processes behind them, but maybe more importantly because they have good designs with lots of the right kinds of designed-in defensive measures. And so we're working more on methods to credit that.

DR. APOSTOLAKIS: I think future meetings have to be structured better so we have more time to go into the interesting stuff. But let's start with the subcommittee meetings where you will have a stronger presence. I'd like to thank you, gentlemen, and also the staff for very informative presentations today, and back to you, Mr. Chairman, on time.

(Laughter.)

MR. BAILEY: Let's take a ten minute break and then we'll try to catch up on some of that time that we've lost.

(Whereupon, the foregoing matter went off the record at 11:07 a.m.)