Text

UNITED STATES NUCLEAR REGULATORY COMMISSION

+++++

BRIEFING ON DIGITAL INSTRUMENTATION AND CONTROL

+++++

THURSDAY, OCTOBER 25, 2018

+++++

ROCKVILLE, MARYLAND

+++++

The Commission met in the Commissioners' Hearing Room at the Nuclear Regulatory Commission, One White Flint North, 11555 Rockville Pike, at 9:00 a.m., Kristine L. Svinicki, Chairman, presiding.

COMMISSION MEMBERS:

KRISTINE L. SVINICKI, Chairman JEFF BARAN, Commissioner STEPHEN G. BURNS, Commissioner ANNIE CAPUTO, Commissioner DAVID A. WRIGHT, Commissioner ALSO PRESENT:

ANNETTE VIETTI-COOK, Secretary of the Commission MARIAN L. ZOBLER, General Counsel

2 NRC STAFF:

ROSSNYEV ALVARADO, Digital I&C Engineer, NRR ERIC BENNER, Director, Division of Engineering, NRR MARGARET DOANE, Executive Director for Operations HO NIEH, Director, Office of Nuclear Reactor (NRR)

Regulation DINESH TANEJA, Senior Electronics Engineer, NRO MICHAEL WATERS, Chief, Instrumentation and Control Branch, NRR ALSO PRESENT:

FRANK NOVAK, Senior Systems Engineer, GE Hitachi Nuclear Energy, Instrumentation and Control Group; Chair, IEEE Nuclear Power Engineering Committee Working Group 6.3 BILL PITESA, Chief Nuclear Officer, Nuclear Energy Institute GEORGE ROMANSKI, Chief Scientific and Technical Advisor for Aircraft Computer Software, Federal Aviation Administration CLAYTON SCOTT, Senior Vice President - Deputy, Global I&C Business, Framatome Inc.

DR. JOHN P. THOMAS, Professor, Massachusetts Institute of Technology

3 1 PROCEEDINGS 2 (9:02 a.m.)

3 CHAIRMAN SVINICKI: Good morning, everyone. I call 4 the Commission's meeting to order.

5 We convene this morning in a public session to discuss the 6 progress of the NRC in implementing the regulatory infrastructure for digital 7 instrumentation and control systems and also to hear from a panel of 8 external stakeholders regarding initiatives in implementing digital I&C in 9 various capacities across the U.S. nuclear enterprise and in other 10 applications. So I welcome all of our panelists here this morning.

11 I would note, given my long service on the Commission, 12 that I've participated in a number of meetings on the agency's progress on 13 digital instrumentation and control.

14 I would characterize that over the course of time there has 15 been frustration, I think, on the part of everyone including the NRC staff 16 themselves.

17 I don't want to use the term defeated but at times I think 18 the complexity of the issue has caused NRC to get, you know, a little bit 19 overwhelmed by it.

20 But we have - as a commission we have intervened 21 intermittently with direction things we thought would be helpful direction to 22 the agency as it approaches the issue so that we could break through some 23 of the things that were bogging us down.

24 I think today we will hear from the staff panel about their 25 hard work on the direction that we issued a couple of years ago and I think 26 we will hear from external stakeholders that it's a mixed review.

4 1 I think we will get some praise for things that we have been 2 doing recently but that a lot of hard work remains as well.

3 So I think this is an important meeting and I know that the 4 agency, the Commission, and external stakeholders all share a view that we 5 can continue to move forward and make progress on this issue.

6 The pace hasn't always been what I as an individual 7 member of the Commission would have liked to have seen.

8 But this meeting is important and I think the Commission 9 will hear these views and then assess whether or not there is any additional 10 direction that we could provide that would be helpful, maybe any 11 prioritization we could give to the agency's consideration of any open issues.

12 So I will certainly be listening in that capacity to see if there 13 is any helpful intervention the Commission can make here or any that is 14 necessary today.

15 Before we hear from our external panel, would any other 16 member of the Commission like to make any opening comments?

17 Okay. Hearing none, we will begin with a panel of invited 18 external views. We will begin with Mr. Bill Pitesa, who is the chief nuclear 19 officer of the Nuclear Energy Institute, I believe just for a little while now 20 because his successor has been named and he will be returning to Duke.

21 He's been here as a loaned executive to NEI.

22 I want to thank you, Bill, for the engagement you've had 23 with NRC on any number of issues and I wish you well as you go home to 24 colleagues and family and also I look forward to working with your 25 successor.

26 MR. PITESA: Thank you.

5 1 CHAIRMAN SVINICKI: And please begin.

2 MR. PITESA: Thank you. I assume we are going to start 3 the slides.

4 CHAIRMAN SVINICKI: And if you just - as you need them 5 to switch slides if you'd just say next slide or something they will take care of 6 it in the booth.

7 Thank you.

8 MR. PITESA: Perfect. Thank you.

9 So we will go ahead to the next slide, please.

10 So, ultimately, digital I&C has been paramount to the 11 future of the nuclear industry and the Transformation SECY actually did a 12 very good job of characterizing the challenges we have seen within the 13 industry.

14 The current processes are just too cumbersome to 15 incentivize or even allow digital implementation. A compliance-based 16 approach at a component level which the Transformation SECY talked about 17 precludes recognizing the broader benefits of digital controls to overall plant 18 performance.

19 Simply put, digital is strangling from an absolute certainty 20 or there may be a ghost in the machine mentality versus reasonable 21 assurance.

22 Personally having lived through the decade-long process 23 of approval and installation of a reactor protection system at Oconee, I've 24 really got firsthand experience on the challenges we have seen.

25 Next slide, please.

26 But all evidence still points to digital implementation

6 1 improving performance and safety, as you can see from these slides. The 2 data shows that when we have analog systems versus digital systems, the 3 digital systems far outperform the analog systems.

4 Plant transients reduce significantly following 5 implementation of digital controls. Where we have mostly implemented 6 digital controls on the nonsafety-related side, we have seen much better 7 performance by the systems.

8 The systems are self-diagnostic and constantly monitoring 9 signal inputs and feedback loops to ensure that any questionable inputs are 10 disregarded and/or alarmed.

11 The Oconee reactor protection system is working 12 magnificently. It was a great installation and this has to be our future when 13 we think of all the things going on in our industry.

14 Next slide, please.

15 In this year we have seen progress. As you can see, the 16 digital RIS 2002-22 has eased the uncertainty with a 50.59 common cause 17 failure analysis for low safety significant systems.

18 So we are very appreciative that this was issued and it's an 19 important step. The ISG-06, an endorsement of NEI 96-07 Appendix D is 20 imminent. We believe it's going to happen this year.

21 We are looking forward to that, and we are working with 22 EPRI to move additional guidance forward so that third party or commercial 23 grade certifications can move the ball further on common cause failure 24 concerns that we have across the board.

25 Next slide.

26 So ongoing industry workshops and NRC participation are

7 1 using case studies now to clarify available opportunities utilizing the RIS.

2 We have had training going on at Exelon, at Duke, at other 3 utilities and ultimately it's been very beneficial, and there has been very 4 positive feedback that the NRC has participated - staff has participated in 5 these - not training sessions but workshops.

6 And these workshops have helped open everybody's eyes 7 to the possibilities with digital that probably aren't being utilized currently.

8 We plan to use the same format when NEI 96-07 is 9 endorsed and we anticipate that we will see the same positive outcome that 10 we have seen before.

11 Next slide.

12 And, of course, this movement is very important right now.

13 On the slide you can see that there are a large number of areas where the 14 appetite for digital is still out there, and particularly on low safety significant 15 systems like control room instrumentation, recorders, chillers - circuit 16 breakers are a big one for the industry, digital controls, things - I mean, 17 diesel controls, there is an appetite for these low safety significant systems.

18 But as the bottom bullets show, there is also, we believe, 19 going to be a growing appetite for large digital systems that's really been 20 suppressed for the last five years or so and we think that's going to really be 21 tied to subsequent license renewal with the SLR applications coming in now 22 and we expect almost half of our industry will ultimately submit for a second 23 license, and we think that those companies will make decisions around 24 digital that previously had been considered probably financially challenging.

25 Next slide.

26 So you can see here that the total number of folks that we

8 1 have done some informal surveys within the industry on who is planning on 2 movement with the subsequent license renewal, second license renewal, 3 and you can see it's over half of the existing fleet that we anticipate to apply 4 ultimately.

5 We were very pleased to see the most recent application 6 being the third application from the industry and we anticipate there will be 7 many more to come.

8 Next slide, please.

9 Of course, whenever you talk about digital concerns can 10 be raised about cyber security - what is the cyber vulnerability associated 11 with digital.

12 And, fundamentally, we maintain one of the most robust 13 and inspected cyber security platforms used with any technology on this 14 planet.

15 I mean, we have a very robust system. It's a proven 16 approach of isolation and lots of other controls that we have in place.

17 But overall, we have to stay diligent to make sure that we 18 maintain what I call an unassailable cyber defense with the upgrades in 19 digital that we will be making.

20 Next slide, please.

21 Going forward, we are very pleased with the RIS and the 22 proposed interim guidance. But digital really is not across the finish line.

23 Ultimately, there are some things that we still need to do.

24 We need to risk inform common cause failures. I think that's very important 25 and absolutely a necessity.

26 We need to recognize international standards and EPRI

9 1 studies. We need to incorporate accepted design guides, allow mitigation 2 of effects, and get more approval on the front end of an application than on 3 the back end of an application.

4 There is too much risk for almost any utility to take if the 5 approvals don't come until the installation is fully installed.

6 Next slide.

7 And it's not just technical. I would tell you that digital also 8 has some cultural baggage within our industry. Ultimately, there was a 9 SECY that was issued last month, and I believe Marge is going to speak 10 more to that later in the discussion on digital.

11 But when that SECY was issued, I think the intentions 12 were appropriate. But ultimately, when it referred back and said essentially 13 that the SECY from '93 was adequate and addressed CCF and things, the 14 industry read it and said, hey, you're saying the world of 25 years ago is a 15 perfectly good world now, and we don't believe that is true.

16 I don't think that was the intent. But it does create or it 17 does manifest that there is some misunderstanding still going on between 18 staff and the industry and we need to develop a relationship such that there 19 is a level of trust that we have a very common goal, going forward.

20 I hope we can bring a very fresh perspective and just leave 21 the past challenges where they belong, in the past.

22 Next slide.

23 So when you look at the transformation, the 24 recommendations that Dan Dorman's team put together, I think they are very 25 strong.

26 We absolutely think that we need to implement those

10 1 recommendations. We need to get rid of outdated guidance. We need to 2 codify the RIS and the ISG. I mean, when you use a term like interim staff 3 guidance, ultimately, it needs to get into a reg guide.

4 It needs to get into something more permanent that 5 everyone has confidence will last forever, and we absolutely need to allow 6 these internationally accepted standards into our guidance.

7 Next slide.

8 So basically moving digital reviews to a risk-informed 9 performance-based approach will enable reasonable assurance but not 10 necessarily absolute certainty. This is a paradigm shift but it's essential 11 and, obviously, it'll take leadership.

12 When I look at what this leadership team has done both 13 within the staff and the Commission around backfit, I think it set the stage of 14 what can be done to change the culture in an organization, and I think if we 15 use that same kind of impetus then we can make even faster moves with 16 digital.

17 Last slide, please.

18 So, in summary, what we really need more than anything 19 else is a tangible, useable, and endorsed guidance that utilities can count on 20 and have a level of confidence that if they follow this path they will have an 21 outcome that can be assured in a way that they will make the necessary 22 financial investments.

23 That's all I've got. Thank you.

24 CHAIRMAN SVINICKI: Thank you, Mr. Pitesa.

25 Next, the Commission will hear from Mr. Frank Novak, who 26 is a senior systems engineer with GE Hitachi Nuclear Energy,

11 1 Instrumentation and Control Group and he is also chair of the IEEE Nuclear 2 Power Engineering Committee Working Group 6.3.

3 And although he chairs the IEEE Committee 603 it's my 4 understanding he doesn't strictly speak in that capacity today.

5 MR. NOVAK: Yes, ma'am. Thank you.

6 CHAIRMAN SVINICKI: Please proceed, Mr. Novak.

7 MR. NOVAK: Okay. Well, thank you, Chairman, and 8 thank you, commissioners, for this opportunity to speak on such an important 9 topic.

10 Next slide, please.

11 This slide shows my outline that aligns closely with the 12 topics that appear in the agenda except the second major bullet. I included 13 a slide that provides the status of 603.

14 Next slide, please.

15 Okay. Slide 3 covers the recent experiences with 16 licensing of digital modifications. GEH provided the same digital 17 safety-related product based on the same approved licensing topical report 18 to various sites in the U.S., some before and some after ISG-06. So we can 19 quantify the impact of ISG-06.

20 The second bullet to the left describes some of the ways 21 that ISG-06 affected the scope of the amendment request and the graph to 22 the right shows how the review times increased.

23 Everyone here is aware that licensing digital products 24 became difficult. So I don't think I need to belabor these points.

25 Instead, I'd just like to highlight what's under the third bullet 26 over to the left about the causes.

12 1 First, the increased scrutiny on software development was 2 a major factor. Based on the guidance the licensees had to provide a lot of 3 information about the software development process that we, as their 4 vendor, was going to use and then the NRC reviewers, also based on the 5 guidance, not only had to review that information but also check our 6 adherence to the process and the creative coupling between the project 7 schedule and the licensing schedule.

8 And it basically ensured the negative outcome that you 9 could not get approval until after the project would otherwise be completely 10 done. So this requires a lot of calendar time and created risk during the 11 projects. I am going to return to this during slide 5.

12 The second bullet is about the IEEE standards. At least 13 during our experience we did not find that meeting the criteria in the 14 standards caused the licensing difficulties.

15 I bring this up because SECY 18- 16 could lead a leader 16 to believe that the IEEE standards are what caused the difficulty. But we do 17 not find this to be the case.

18 In fact, we were using basically the same IEEE standards 19 prior to ISG-06 when licensing was not viewed as a major project risk.

20 After ISG-06 we had to show compliance with some newer 21 versions of the same standards and we also had to show compliance with 22 IEEE 603 instead of 279. But the effort was reasonable.

23 So based on our experience, it was the scrutiny of the 24 software development, not the IEEE standards that introduced the difficulty.

25 And the last comment I'd like to make is what appears at 26 the bottom of the slide. We really appreciate what's going on with the

13 1 initiative to revise ISG-06. We look forward to some positive outcomes and 2 appreciate the sense of urgency.

3 Next slide, please.

4 Slide 4 gives the perspective on the staff recommendation 5 to endorse alternatives to IEEE and I think I am basically just going to echo 6 the previous speaker here.

7 We strongly support the idea. The graphic gives them 8 thoughts on how alternatives could benefit potential users and the graphic 9 draws a distinction between the existing plants in the operating fleet and also 10 new plants.

11 So for new plants the alternative process could be 12 especially appealing if it becomes unnecessary to create multiple designs 13 and regulatory justification packages.

14 Vendors could leverage their work in multiple locations 15 and, as a result, there would be efficiency and competitive prices for the 16 licensees and similarly, for the operating fleet down at the component level 17 replacements endorsed alternatives would be very appealing. It could 18 streamline the process for installing high-quality components including those 19 from vendors who currently do not pursue business in the U.S. nuclear 20 market.

21 So the yellow box in the upper right is about system 22 modifications at operating plants. It is yellow because it could be difficult to 23 justify the cost of the transition to an alternative.

24 The plants are already familiar with their licensing basis 25 and most of the vendors' approved development processes, as far as I 26 know, are based on the current standards.

14 1 Also, I mentioned in the previous slides that we did not see 2 that meeting the IEEE standards was a source of the problem. So a 3 transition to something different would be possible but it would come with 4 cost and risk at least in the initial projects.

5 So, overall though, we definitely do welcome very much 6 having endorsed alternatives.

7 There is just a few more bullets under the graphic I'd like to 8 touch on, though we would not expect quality or safety to go up or down 9 because of the alternatives. They are both excellent. Second, when we 10 say it's appealing this presumes that the alternative standards will have 11 clean endorsements.

12 If they are cumbersome, like the current ones, it's also not 13 going to be easy to use. And the third is since we will continue to use the 14 current process for a while it remains very important to get ISG-06 revised.

15 Next slide, please.

16 Slide 5 covers two related topics in digital I&C licensing 17 and the first is right from SECY 18-0060. It has to do with transitioning the 18 review of the software development process out from the NRC I&C branch 19 and into the QA branch.

20 And if I understand correctly, the software development 21 would be treated more like other aspects of an NRC-approved QA program.

22 This really could go a long way to remedy the problems 23 that I was discussing earlier with all of the scrutiny on the software 24 development process and the effect on schedule.

25 It isn't so much who's doing the review but the fact that 26 you're taking it out of the project by project basis to get your software

15 1 process reviewed and approved.

2 This could really reduce significantly the schedule pressure 3 that projects feel and also the risk that it might ultimately not get approved.

4 ISG-06 revision is taking some good steps in this direction 5 so I would encourage the NRC to implement this idea fully and I'd take a 6 page out of what Bill Pitesa said and codify it in something besides an ISG.

7 Also SECY 18-0060 seemed to describe this as something 8 that's associated with rulemaking and endorsing alternatives. But I would 9 encourage you to disassociate it from those potentially time-consuming 10 initiatives and pursue it in parallel.

11 The second topic on this slide is about harmonization of 12 standards. The industry is already driving an initiative to close the gaps 13 between IEEE and IEC standards.

14 We are doing this for the same reasons we would welcome 15 alternatives. Harmonized standards enable leveraging and should lead to 16 more competitive pricing.

17 Several nuclear standards already are issued with the joint 18 IEEE and IEC logo. I've listed some of them there and others are in 19 progress.

20 So now that the NRC is considering endorsing alternative 21 standards such as IEC standards, it seems like it would be in their interests 22 also to support harmonization between IEEE and IEC. It should lead to 23 efficiency within the NRC because a single endorsement would apply to both 24 IEEE and IEC.

25 And this also - this supporting harmonization could begin 26 essentially immediately without waiting for rulemaking or endorsement of

16 1 alternatives.

2 Next slide, please.

3 Okay. Slide 6 provides a status of IEEE 603. We are 4 very close to issuing the next revision. It should bear the year 2018 and get 5 issued.

6 It addresses the concerns that the NRC communicated to 7 IEEE after the rulemaking effort. So if you do decide to revise the rule, then 8 continue to leave 603 incorporated by reference. At least those issues are 9 not a concern.

10 We did not address or even consider the issues raised in 11 the SECY because they were not known to us at the time.

12 Next slide, please.

13 Okay. In summary, I discussed the recent difficultly with 14 licensing digital - the licensing of digital modifications and, from our 15 perspective, it was not the IEEE standards but it was the scrutiny in the 16 software development process that made it difficult and time consuming.

17 I discussed the staff recommendation to endorse 18 alternatives such as IEC. I think it's a great idea. It would be a great 19 benefit to the industry especially for new plants and for component-level 20 replacement at our operating plants.

21 I also urge the NRC to proceed with their own idea to 22 transfer the review of software development into QA and consider supporting 23 standards harmonization.

24 And finally, I just gave the status of 603. That concludes 25 my presentation and thank you again for the time.

26 CHAIRMAN SVINICKI: Thank you very much, Mr. Novak.

17 1 Next we will hear from Mr. Clayton Scott. Mr. Scott is 2 senior vice president and deputy for global I&C business for Framatome, Inc.

3 Please proceed, Mr. Scott.

4 MR. SCOTT: Thank you, Chairman and Commissioners, 5 for allowing me to be here and speak.

6 I am going to take a little bit of different view on some of 7 this. I know that Bill and company have focused a lot on what we have 8 done on the standards perspective.

9 I am going to talk a little bit more about technology and 10 what's been done and what we could be doing, et cetera 11 Clearly, digital has been used in the nuclear sector for a 12 long time. I came under the Pickering fleet in Canada so in '79, '80s we 13 were using digital systems. So it's nothing new, right.

14 So a lot of agencies, a lot of industries have a lot of 15 publications. There is a lot of substantiated licensing positions that have 16 already been developed.

17 A lot of plants are using digital worldwide. Even in the 18 U.S. we are seeing a substantial amount of upgrades, not necessarily on the 19 safety-related side but on the nonsafety-related side.

20 Next slide, please. Continue.

21 Just showing a representation. This is just some plants 22 that we recently have completed. One of the things I wanted to point out is 23 that even though we have performed work in these units in China, a lot of 24 that regulatory basis was based off NRC guidance.

25 Matter of fact, one of the individuals that we worked with at 26 CNNC actually did significant amount of training with the staff. He spent a

18 1 six-month stint here.

2 So the view and the respect of what the NRC brings as a 3 guidance perspective is used globally and we seem to struggle here in our 4 own position. So it's a little bit of an interesting aspect. So I just wanted to 5 kind of point that out.

6 The other thing I think is important and I think we are not 7 really focusing and giving credit to technology.

8 Technology is very strong and I think, when I listen and I 9 sit on the commissions and the different committees that we have to discuss 10 over the years, there is been a lot of focus on the technology itself and the 11 lack of its performance or the worry of some of its performance. And to me, 12 I think we are missing some of that aspect.

13 Technology is very strong. Technology is strong in all 14 tech sectors. It doesn't really matter whether it's nuclear or whether it's not 15 nuclear. It's technology.

16 I think we are missing some of that. We have got - we 17 have got platforms out there that have over billions hours of operation 18 without failure on demand.

19 So there is a strong basis for us to be focused on what's 20 available. There is significant PRA space with some of the technologies 21 that's being utilized.

22 So I think we need to move towards more of a risk 23 informed position and maybe not be so focused on what is the - what is the 24 widget able to do or not do.

25 Next slide.

26 Okay. Just as an example, not nuclear but, again,

19 1 focused on technology, Reliance Petroleum is the largest control room 2 operation system in the world. It's 180,000 I/O points.

3 It's operated with a very small staff but it's very critical 4 systems. Even though it's not a nuclear plant, it's one of the most volatile oil 5 and gas plants in the world and it's been reliant on technology for years.

6 So it's just - I just think, again, you know, there is a lot of 7 developments. We are not buying - you know, the suppliers that are in this 8 industry are providing products that are satisfactory to other regulatory 9 positions.

10 They've gone through TUV, SIL4 applications. They are 11 used for safety-related systems in other sectors. So I just think we need to 12 understand that.

13 Next slide.

14 Outside the U.S., as Bill mentioned, there is a lot of 15 regulations based on IAEA, IEC, IEEE, NRC guidance all combined. But it 16 seems that we are not necessarily taking the benefit of some of those 17 positions as well and I think we need to look at what's being more globally 18 utilized.

19 And I know MDEP was looking at harmonizing a lot of 20 regulation. But I think we just need to have a little bit more focus on what's 21 being done elsewhere - how can we apply it here. A little bit more focus.

22 Common cause failure - it's not common. It's a little play 23 on the words. Sorry. But I understand this has been a very challenging 24 subject over the years.

25 It seems to be the main technology subject that we seem 26 to focus on a lot of times. But in reality there really hasn't been any

20 1 significant common cause failure events across different sectors. I mean, 2 there have been some. But it's not something that I think is to the alarm of 3 concern it should be.

4 I think there is measures that we can be putting in place to 5 mitigate against it that are sufficient. So I think we - I think we need to step 6 back on common cause failure discussion.

7 There is a lot of diverse technologies in place and how we 8 apply those diverse technologies I think we can satisfy some of those risk 9 mitigations around CCF.

10 Next slide.

11 So I think we have done a lot of things. I think Bill has 12 pointed out we have - you know, I think the NRC and the industry we have 13 moved quite a bit in the last few years and that's encouraging.

14 But I do think we need to figure out a more expedited way 15 to allow for modernization and I think the new guidance should be structured 16 to benefit the technologies so that we can get these systems in because 17 then we can mitigate trips.

18 We can mitigate entering LCO space. I mean, there is a 19 lot of benefits to having these in the plant. We can reduce surveillances so 20 you're not putting your plant at risk.

21 You're not putting it in a position where it could potentially 22 trip. So you're actually allowing your plant to be cycled less and put 23 yourself in a much safer operation, from that perspective.

24 We have got a strong amount of knowledge and design 25 processes that are well advanced. As far as I am concerned, I think a lot of 26 the standards in place are sufficient and are very strong.

21 1 I just think that we get diverted sometimes on some of 2 these topics that allow us to derail some of the progress. But I think, 3 overall, we should be focusing on final design, not necessarily trying to have 4 the staff drive detailed design processes. I think we should be looking more 5 at what's the end game and how is it truly going to operate in a safe manner.

6 Next slide.

7 Again, I think we talked about it earlier. I think we need 8 more leveraging of different standards practices. We need to incorporate 9 more into the regulatory framework.

10 Again, I think we should more risk insights into I&C 11 regulations. I think there is a lot of emphasis placed on software life cycle 12 and, you know, I just think, to Frank's point, we need to look at that again.

13 And I think it's pretty clear in industry that digital is really 14 not the dominant contributor of any failure.

15 I mean, I think there is - I think if you look at digital systems 16 and the plants that use digital systems you'll find that their operations are 17 very safe and efficiencies are very strong, and the benefits that digital brings 18 to the plant from keeping it in a more reliable operation perspective mitigates 19 any risk of cycling it from an accident perspective. So I think we need to 20 focus on that.

21 And then the last slide - we clearly need digital. I think 22 with the SLRs, you know, you're expanding a license. You've got to have 23 something that's sustainable.

24 It's interesting to me when people say digital is out of - you 25 know, you put a digital system in it's immediately obsolete. Well, that's not 26 really the case. I mean, we put digital systems in.

22 1 Digital systems can stay in for a significant period of time 2 and there is upgrade strategies. There is modernization strategies and they 3 are not significant impacts to the plant.

4 So I really do think that we need to be able to find a 5 framework that allows the industry to have the confidence to come forward 6 and implement the designs.

7 So thank you.

8 CHAIRMAN SVINICKI: Thank you very much, Mr. Scott, 9 for that presentation.

10 We will pivot our focus a bit with the next presenter. Our 11 next presenter is Mr. George Romanski, who is chief scientific and technical 12 advisor for aircraft computer software at the Federal Aviation Administration.

13 He will discuss with us approaches for software reliability 14 in critical safety systems and experiences in the aviation sector.

15 Thank you very much for being here today, Mr. Romanski.

16 Please proceed.

17 MR. ROMANSKI: Thank you.

18 We have a proud record in that there has been no hull loss 19 due to software in the aviation sector. There might have been plenty of 20 accidents, unfortunately, last year, which wasn't software related, but we 21 have never had a software-related hull loss.

22 However, we are not complacent. We have various 23 sectors. We have the Part 25, which is the transport planes. We have Part 24 23, which are the smaller planes. We have unmanned vehicles, which are 25 growing very quickly right now.

26 We see - so while we have a good record, we have

23 1 tremendous pressure to try and reduce cost. People are saying it's too 2 expensive to certify software and software safety systems are not being 3 installed on the small aircraft because they are too expensive due to 4 software certification.

5 So now we have this safety continuum where we have, on 6 one side, the notion that we can install a safety feature on the plane, but it's 7 too expensive under current regulations. So people are leaving it off, and 8 we are trying to address that.

9 So while keeping the safety record, we are looking at 10 streamlining the software certification process.

11 The FAA started an initiative about two years ago with a 12 small team, and now growing slightly larger, where we are looking at the 13 essence of certification we call overarching properties, and we know that 14 when developing software we need to understand the intent of the software, 15 we want to understand its correct implementation, and we want to ensure 16 that we have acceptability.

17 By that I mean that the software doesn't introduce or 18 doesn't introduce - doesn't produce any function which is contrary to - which 19 is unintended and affects the safety.

20 We are looking at building assurance cases. We have a 21 number of research projects and case studies going on. We are working 22 with Europeans on this.

23 On the other side, we have EASA, which is our counterpart 24 in Europe, that are looking at the problem differently.

25 They see a bottom-up approach and they are looking at a 26 definition of an abstraction layer where you extract the essence of

24 1 certification of software and map that onto existing standards.

2 Their view is that we know and understand. We trust in 3 the current standards - IEC 61508, ISO 26262 and so on. So why not map 4 to those standards and take the benefits of those and just understand what 5 the essence is and make sure that it's covered.

6 We need to harmonize so we have started meetings with 7 them and hopefully we will meet somewhere in between. But it's still - we 8 still have a ways to go.

9 The FAA and EASA are also looking at process 10 harmonization and acceptance. We know that when we go in to audit a 11 project, normally there is so much information in there that our auditors will 12 only sample less than .1 percent of all artifacts produced. It just takes too 13 long to go through everything so we sample.

14 So we take a very, very small sample and when we take 15 the sample what can we do? We can look at the process plans and see 16 how did you produce this.

17 Do you have a defined process? Do you have quality 18 assurance records that you follow this process in its entirety? And then we 19 take a small sample.

20 And if that small sample is perfect, then we have a leap of 21 faith. We believe that if you've produced the rest of the system using the 22 same mechanisms, and we have evidence that you have, and we like the 23 process that you used and the sample is good, we have a leap of faith and 24 assume that the rest of it is to the same quality.

25 So we are trying to build trust in the applicant in the way 26 we approach applicant approval. We have had a lot of success with what

25 1 we call integrated modular avionics.

2 This is the notion that instead of having lots of different 3 computers doing their own separate functions we start building central boxes 4 basically like servers and these servers are certified and these servers will 5 host many different applications.

6 This has been extremely successful and it is how most of 7 the - actually all of the new transport aircraft are being built and certified.

8 The idea now is that applicants build applications and they 9 host their applications on a hosted platform. It means that we can isolate 10 what the application does. We can configure how the applications work 11 together. And we can start doing what we call incremental certification.

12 We certify the host box and we can certify the applications 13 one at a time, and if someone wants to replace an application they replace 14 the application. They don't have to retest the whole box because the whole 15 box has already been approved.

16 This has been used extremely successfully. It's not 17 moving to the smaller aircraft and it's also moving to some of the larger 18 unmanned vehicles.

19 Of course, technology moves on. We are looking at 20 distributed IMA systems in the future now and we are doing some research 21 to see if we can have distributed IMA systems in addition.

22 The last most difficult area that we are studying, of course, 23 is artificial intelligence in neural networks. We find that many of our 24 systems are now based on AI and machine learning.

25 We have one example where an applicant built a fuel 26 management system - a fuel measurement system. Measuring fuel is quite

26 1 hard because the fuel sloshes around. The tanks are different shapes 2 around the aircraft.

3 So the applicant built a system and it worked well. Then 4 they built another system using machine learning using exactly the same 5 models to teach the machine learning algorithm how to measure the fuel.

6 The resulting system was smaller, faster, and produced 7 better results. We couldn't use it because we don't know how to certify it 8 just yet.

9 We have a similar example with collision avoidance system 10 where we have an ACAS XU system where we can measure or do collision 11 avoidance systems. System works, performs better. We don't have 12 certification evidence for it.

13 So we are struggling with this. There are working groups 14 that are working on achieving this but that's our goal for the future.

15 Thank you.

16 CHAIRMAN SVINICKI: Thank you very much for that 17 presentation.

18 For the final presentation for this panel, we will hear from 19 Dr. John Thomas, who is a professor at the Massachusetts Institute of 20 Technology, and he will provide expert views on addressing common cause 21 failure, evolving digital technologies, and perspectives on regulatory 22 acceptance of digital technologies.

23 Dr. Thomas, please proceed.

24 DR. THOMAS: Well, thank you.

25 I am a researcher at MIT. I want to talk about lessons 26 learned across industries in implementing digital I&C.

27 1 Next, please.

2 To solve this problem, we have got to understand the 3 problem that we are solving. That's the biggest issue that I see a lot of 4 misunderstanding about what the problem is.

5 We have got to understand there are two basic types of 6 accidents and they are both affected by the introduction of digital 7 components.

8 We have got accidents caused by component failures at 9 the bottom here. Traditionally, this hasn't - this is very well understood, well 10 recognized.

11 For the engineers in the audience, I am using the 12 engineering definition of failure where a component does not perform - does 13 not operate as specified or does not perform its intended functionality.

14 Basically, components break. That could cause an 15 accident. We know that. This is under our belt, very well understood. We 16 have very good methods to deal with component failures and component 17 faults and rigorously analyze the system.

18 There is another type of accident that we should be 19 concerned about. This is a non-failure accident, particularly devious in the 20 system.

21 Traditionally, 50 years ago it hasn't been a very big 22 problem. But this can occur. It is possible. It happens when every 23 component behaves exactly the way it was designed, exactly the way we 24 required it and exactly the way every one of us intended that component to 25 work, but we still had an accident.

26 This is particularly devious because it slips through the

28 1 crack sometimes. Now, 50 years ago this wasn't a very big problem 2 because what happens is systems were not very complex and it worked.

3 We can basically get these out by inspection.

4 We can do things like hire smart people, do design 5 reviews. We have subject matter experts do a careful assessment. We do 6 some basic things like a requirements traceability matrix.

7 But as long as the systems are sufficiently simple, as long 8 as we don't have too much digital I&C we can basically flush these out 9 almost by inspection.

10 The critical thing is though in every industry that has had 11 an influx in digital components - I understand nuclear is a little behind other 12 industries when it comes to this - what we have seen is a fundamental shift.

13 Next slide, please.

14 These two kinds of - sorry, previous - there has been a 15 fundamental shift in the type of accidents that we are seeing. We have 16 gotten so good at the component failure problem virtually all of our methods 17 today are targeted at this problem and do a great job.

18 But what's happening more and more of these systems are 19 having non-failure accidents, particularly when we have introduction of digital 20 I&C. This is directly related to the complexity of the digital software and 21 computer systems that we are introducing.

22 This is the problem that we have got to solve if we are 23 going to move forward and this is what other industries have been struggling 24 for a lot longer than we have.

25 Next slide.

26 This is very well understood in academia and in industry.

29 1 For example, Fred Brooks, the world famous computer scientists, writes the 2 single hardest part of building a computer system is not actually building it.

3 It is deciding precisely what to build. That is the problem 4 we have got to solve.

5 Lots of studies have been done in the last 20 years to look 6 at the causes of accidents due to computer digital systems and software and 7 they have found that the vast majority of accidents in these systems have 8 been caused not by a software bug or an error in the logic in the digital 9 system or the system doing something bad but a system that perfectly 10 satisfied the wrong requirements.

11 It did exactly what we thought it should do and we were 12 wrong. That's the problem.

13 Go back to the slide, please.

14 And the last thing that we found is from Daniel Jackson.

15 He said as is well known, at least in the software engineering community, by 16 far the largest class of problems arises from errors made in the listening, 17 recording, and analysis of requirements.

18 It is not these software bugs. It is the fact that it did what 19 we told it to do and we were wrong. That's the problem we have got to 20 solve. It's directly related to complexity.

21 Next slide.

22 We also get the same thing from Joe Miller. He says - by 23 the way, he's a chairperson for Functional Safety Standard World. We used 24 internationally worldwide in the automotive industry. You cannot buy a car 25 that has not followed this standard. He recently retired.

26 He said, in my experience requirements are much more

30 1 important in today's systems than preventing hardware failures. Recalls -

2 safety recalls in modern systems are rarely due to component failures 3 anymore.

4 Typically, it's due to missed requirements, requirements 5 never verified and missed interaction with the supplier.

6 This is the future of digital I&C if we are not careful. We 7 should learn from these other industries and what they've found.

8 The FAA - next slide - has found in their top five list of 9 common pitfalls in the safety analysis is paying more attention to crunching 10 probabilities than to the physics of the problem. This is fundamental, a well 11 learned lesson in this industry.

12 I think you can spend all day crunching the probabilities 13 but if you made a bad assumption and you don't recognize that you're 14 missing a requirement it's never going to show up in the analysis methods.

15 That's the problem that we have got to solve. Now the 16 good news is we do have solutions to this. I am going to get there in a 17 moment.

18 But I think for a moment I need to talk just a moment about 19 nuclear. I've been talking a lot about other industries.

20 Already we have digital components in the nuclear industry and 21 already with the meager attempts that we have made we have - are seeing 22 the exact same patterns and trends in this industry.

23 Forgive me, I am going to put on the engineer hat just for a 24 moment. Then I'll come back.

25 Next slide.

26 This is a HPCI flow control system that I want to talk about.

31 1 I think it's really important to understand the type of problem that we are 2 having.

3 HPCI, as you know, is a critical system in nuclear power 4 plants that provides emergency water cooling systems. It simply has to 5 work on demand and that's the way it's designed.

6 By the way, this is a real event. It happened - a real OE in 7 the U.S. I am not going to tell you where it was. I am not going to tell you 8 enough information to figure it out. That's not what matters.

9 What matters is we have got to understand the problem.

10 This operator sends a system initiation signal on the right. It comes down, it 11 kicks the blue part, which is the digital upgrade in this system, to start 12 opening valves and you get your emergency cooling. Works great.

13 Next slide.

14 One of the considerations when this thing was designed is 15 ramping up the turbine is a concern. If we ramp it up, open the valves too 16 quickly - ramp that thing up too quickly we can cause damage. There is a 17 safety implication.

18 So on purpose we put protective functions in place in the 19 digital system to make sure that never ever happens. Did a great job with 20 that.

21 Next slide. Click four times, in fact.

22 What happened is this thing was implemented on day one, 23 tested, of course, and it worked beautifully.

24 Now, we have to - these don't get used very often - we 25 have to test them every year. A year later it was tested and we found that 26 there was a flaw in the design of the system that would prevent it from

32 1 working that nobody had recognized.

2 On this day there was a rolling start. You see the blue 3 line and the turbines start. Click a couple more times, please - I think three 4 times.

5 You see - once more - you see the blue line. We had a 6 rolling start. In that situation if you hit the button to do an emergency 7 cooling in a rolling start - and this was what was never conceived - what 8 happened that the system initiation signals that gets sent - what happens is 9 the valves start opening and we hit a trip set point at a thousand RPM. That 10 digital system uses that trip set point - click once more - uses that trip set 11 point to figure out if we are ramping up too quickly. If you hit that trip set 12 point too quickly it says oh no, you're going to cause a problem - we are 13 going to shut down the digital system.

14 Now, what was never conceived was that this could 15 happen during a rolling start. And so the rolling start meant that we hit this 16 trip set point quicker than usual.

17 Now, it turns out nothing - there was no problem with the 18 system. It's perfectly fine, perfectly within tolerances. Could have started 19 up just fine. But the digital system didn't know any better because it was 20 never designed with the understanding that there could be a rolling start.

21 All it was looking for is did we hit the trip set point too 22 quickly. The safety feature that we put in there on purpose was having this 23 unanticipated effect.

24 Of course, everything I am telling you is not what the 25 operator knew. All the operator knows is I need emergency cooling - I am 26 hitting the button and the digital system comes up and overrides and shuts

33 1 the thing down.

2 The operator hits it again, to emergency cooling. This 3 thing tries and the digital system immediately comes up and shuts the thing 4 off, and you try it again and you try it a hundred times, you get the same 5 result because we designed it to work that way every time. But it was a 6 failure of foresight on our part, not a failure of the digital component.

7 This is the problem that we have that we need to solve if 8 we are going to introduce digital I&C.

9 Now, I have great news for you. The problem has been 10 solved.

11 Next slide.

12 The group at EPRI has done great work on this. There 13 are number of methods. One of them is called STPA, which I am 14 particularly partial to. But EPRI did an experiment about three years ago.

15 They took an OE - a real OE in a real system with real 16 complexity of things that this - the exact example. Gave it to a couple 17 students. Didn't tell them what the problem was.

18 Just gave them a basic description of the system and 19 wanted to test whether this method could uncover the flaw early and in fact it 20 did. A couple of students with virtually no experience in less than a week 21 working part time found it.

22 Next slide. Click twice.

23 Pinpointed exactly this flaw. Very little work needed. So 24 this is great news. We have solutions to this problem.

25 Next slide.

26 And here's some other standards that also solved this that

34 1 has been introduced in other industries we should take a look at. You can 2 see STPA is particularly popular. As I've said, I am very partial to that but 3 it's not the only method out there.

4 Look, here's the bottom line. If you didn't hear anything I 5 just said, listen to this. The danger in the path forward is - the problem is 6 that we have got a number - everybody's got a method and they've got a 7 proposal to fix this problem.

8 We have got to do a proper test. Good news is there are 9 some solutions out there already that are working, that are tested and being 10 adopted in other industries.

11 The bad news is there are lots of proposals being made 12 that have never been tested and that, frankly, do not work. We have got to 13 do a proper test.

14 What does a proper test look like of these methods before 15 we make any recommendation of policy or standard, right?

16 Well, this has been done in other industries and we should 17 follow EPRI's lead. What a proper test is not is we do not take a problem in 18 hindsight and stuff it into a fault tree and say look, our existing process 19 already works - there it is.

20 You do not take it and stuff it into a CCF and you don't take 21 it and stuff it into an STPA in hindsight because we do not have a problem.

22 We are writing things down in hindsight. We have a fundamental problem 23 of foresight.

24 That's the nature of the problem. We have got to do a 25 proper test and we have got to take a couple of engineers who don't know 26 what the problem is.

35 1 We have got to see if they can learn and use the method.

2 You can have the best method in the world but if it's not - and presented by 3 people with impressive credentials from MIT - but if it's the best method in 4 the world and people can't learn it and can't use it it's useless.

5 So we have got to take real engineers. We have got a 6 rich set of OE in this industry of things that have already slipped through the 7 cracks that we know are not being caught and have undergone all the 8 processes that we have - take engineers, try these methods and we will find 9 out very quickly, I think, what works and what doesn't work and that needs to 10 be the basis for the policy and recommendations of standards that we 11 produce.

12 EPRI has done great work. As I've said, we need to 13 follow their lead, in my opinion. I am not against technology at all. In fact, I 14 am completely in line with what has been said.

15 We need to make risk informed decisions and the risk is if 16 we don't make an informed decision we have just employed a method - a 17 crazy proposal. Just change the semantics. Just redefine the word failure 18 and then the existing method is going to work.

19 No, we need to do a proper test and find out what works 20 and what doesn't, in my opinion.

21 Thank you.

22 CHAIRMAN SVINICKI: Thank you very much, Dr.

23 Thomas, and thank you to all the presenters. I think it was very interesting 24 presentations today.

25 As is the practice of our Commission, we rotate to the 26 order of recognition for questions and we begin today with Commissioner

36 1 Baran.

2 Please proceed.

3 COMMISSIONER BARAN: Thank you all for being here.

4 We really appreciate it.

5 As a few of you referred to in your presentations, as part of 6 that staff's transformation initiative the staff recommended moving away from 7 the IEEE standards and initiating a rulemaking to define high level of 8 performance-based digital instrumentation and control safety design 9 principles.

10 Initially, I saw digital I&C as a strong candidate for taking a 11 whole new approach from what we have been doing because it has proven 12 to be so challenging in this regulatory area.

13 But recently I've had several stakeholders express their 14 concern that a rulemaking could shift focus away from the current efforts to 15 improve key guidance documents just when significant progress is being 16 made on them.

17 I think slide 4 - Bill's presentation - provides a pretty good 18 overview of these efforts. It has the six of them there.

19 All my questions are for anyone on the panel who wants to 20 express a view, and my first question is do you share this concern that I've 21 been hearing from some about losing momentum on the guidance updates if 22 we initiate a rulemaking in the near term.

23 Do folks have thoughts about that?

24 MR. NOVAK: Yes, I'll talk to that. That's actually one of 25 the things I was - maybe I didn't articulate it clearly, but I am concerned that 26 if there is a lot of emphasis on the rulemaking and all this, you know, the

37 1 rulemaking endorsing alternatives, that the other stuff is going to sort of die 2 on the vines and, you know, I said it's going to be very important to get 3 ISG-06 out and get some - get some run time with that.

4 So yes, I think we need to keep - you know, keep making 5 the existing process better while we are trying to develop something that's 6 completely different is what I would say.

7 COMMISSIONER BARAN: Do others have thoughts 8 about that?

9 MR. SCOTT: I agree.

10 COMMISSIONER BARAN: You agree? Okay.

11 MR. PITESA: The piece I would just echo, again, is as we 12 move forward with ISG-06 and moving the approval to earlier in the process 13 versus later in the process but also reflect back, because I am not sure I am 14 the technical person to address all aspects of your question, but at the same 15 time what we can do more with international standards and looking at how 16 our standards compare to those.

17 The experience we had at Oconee particularly was we had 18 - we used technology that had been really accepted all over the world except 19 here and then we modified that program to the extent that it became 20 untenable to almost - to install.

21 And so I think we have to be so careful on the path forward 22 with regulation that ultimately it leads to a better outcome and doesn't have 23 the unintended consequences.

24 COMMISSIONER BARAN: Part of what I am trying to 25 figure out is when I look at the list of these guidance document efforts, trying 26 to unpack that a little bit and understand if all five of these on the - you know,

38 1 this transforming culture - to put that aside for a minute and look at the five 2 guidance document efforts - if these five were all completed, do we think that 3 effectively resolves the key issues or does that provide the regulatory 4 certainty the licensees are looking for to do an upgrade or do we see those 5 guidance documents as more of a short-term fix?

6 MR. ROMANSKI: In our experience, technology moves 7 too fast. While we had DO-178C, which is our guiding document for a long 8 time, we upgraded it.

9 It took seven years to update it to DO-178C and we 10 produced four supplements - you know, one to cover model based, one to 11 cover object oriented and one to cover former methods, and as new 12 proposals for additional standards or additional supplements to cover 13 technology that is coming up. So technology moves and we need 14 supplements to keep going. Not rewrite what we have but make it 15 additional.

16 COMMISSIONER BARAN: Do others have thoughts 17 about this - about whether these - you know, is this the - are all the effort 18 being expended on these guidance documents, here everyone is saying it's 19 very valuable.

20 I am trying to understand how valuable is it? Is it - is it 21 basically going to solve the problem or is it - it's a Band-Aid?

22 MR. NOVAK: I would say it is very valuable but you still 23 would want to go ahead with endorsing alternatives and so forth. I would 24 look at it as not the end - the end solution.

25 I look at it as making digital more viable in the near term as 26 the way I would look at the current initiatives.

39 1 COMMISSIONER BARAN: Okay.

2 MR. PITESA: And I would echo the exact same thing. I 3 believe all aspects of what you see here are going to be principally under the 4 control of the staff.

5 But if you look at the transformation papers some of the 6 additional activities that are being discussed there under Dan Dorman's 7 paper indicate that we have just got to advance further on the acceptance of 8 more standards and international standards that have such an amount of run 9 time that we just don't have here in the states.

10 MR. SCOTT: The other thing too is that bringing in that 11 harmonization across that helps the supply chain, right, because the supply 12 chain - if they can - if they can satisfy to something that is more consistent 13 then you have less risk of differentiation on platforms.

14 COMMISSIONER BARAN: One of the things I am trying 15 to think through is the sequencing of all this and when it makes sense to 16 make a decision about whether to initiate a rulemaking.

17 One option is all these efforts are going on and we decide 18 now we are going to initiate a rulemaking but not actually do the rulemaking 19 in the short term.

20 That strikes me as somewhat odd but I guess we could do 21 it. Another approach would be we focus on completing these guidance 22 documents. We see how far that gets us and then we make a decision 23 about whether to proceed with the rulemaking and what the rulemaking 24 would look like.

25 Do folks have views about kind of the sequencing of how 26 we would address these things?

40 1 DR. THOMAS: I've got a very strong view.

2 COMMISSIONER BARAN: Yeah.

3 DR. THOMAS: I think baked into this process that we 4 need to include some kind of test and evaluation to see if it really works.

5 I don't know all the details. Maybe someone here could 6 tell me. But typically these things get put into practice either based on 7 expert opinion or by arguing that it will work.

8 We need to do an evaluation. We need test it. We have 9 a really rich set of OE - of things that went wrong that nobody anticipated 10 and whatever we propose we need to have real evidence. Not an opinion, 11 we need to have evidence.

12 I think it's very easy to do but it's often not included to 13 collect that evidence. We need something to collect that evidence and try 14 them.

15 COMMISSIONER BARAN: Thanks.

16 Other thoughts on sequencing and - or not so much?

17 MR. PITESA: I think it's a great question and I was just 18 reaching to a friend in the audience, Dan Dorman.

19 But, ultimately, on - I think the next panel's going to maybe 20 have the opportunity to discuss this a little bit more on the intricacies of what 21 this will provide versus what rulemaking will provide.

22 COMMISSIONER BARAN: Part of what I am trying to do 23 is peer into the future a little bit and imagine a world where over the next 24 couple of years we make very good progress on these guidance documents 25 and they end up being good guidance documents and they provide both 26 applicants, licensees, and the staff with a clear path about how do we make

41 1 sure digital upgrades have a framework that ensures safety but provides 2 people regulatory certainty.

3 And if you kind of think for a moment, okay, let's say we 4 achieve that goal, part of me does have a hard time imagining someone 5 wanting to be first in line for then adopting a whole new system - you know, 6 to me that first application under a whole new system under a new 7 rulemaking.

8 Maybe if it's, you know, a purely voluntary thing and we are 9 contemplating different standards someone would want to give up the 10 certainty that has been obtained over those years.

11 But given the struggles we have had, I wonder whether 12 that would really happen.

13 Do people have thoughts about that?

14 MR. PITESA: You know, I think the reality is, speaking 15 from a utility perspective, no one wants to be first in line, particularly on 16 things like this.

17 We experienced that with Oconee and it was very, very 18 challenging. So I think we are going to be looking at international 19 implementation that's been going on, new reactor implementation, and, you 20 know, what has Vogtle installed, how well is it doing, and I think that 21 operating experience will give the confidence to consider implementation.

22 And so ultimately what we have got to agree to is things 23 that are used in advanced nuclear, in other plants in other countries that we 24 can look at that operating experience and say this is tangible, it's real.

25 We know about what cost is and when we bring it to the 26 United States it's not going to explode in cost in ways that we have seen in

42 1 the past, and I think that will be very important.

2 But I don't necessarily know that we - that the existing 3 operating fleet is going to be the very first in line for absolute new aspects.

4 COMMISSIONER BARAN: I was - I read the staff's 5 Transformation paper I think the same way Mr. Novak did in terms of saying 6 the staff's view was that the IEEE standard is too prescriptive and that's 7 causing a lot of problems.

8 You've kind of expressed a different view, which is maybe 9 it's more the guidance in what the - not so much the standard itself but the 10 staff's kind of approach under the guidance that's created.

11 Do folks have a view about that? I mean, if we are kind of 12 looking at what's the - what's the challenge here, is it something about the 13 IEEE standard itself? Is it the staff's guidance being too prescriptive?

14 What's gone wrong?

15 MR. NOVAK: Yeah. Well, the modification that we did 16 was much more narrow than something like our reactor protection system.

17 So maybe that is something take into consideration.

18 But no, we definitely did not see the standards themselves.

19 You know, I did mention on one of the slides that, you know, looking for 20 clean endorsements on the - you know, these other - whatever these 21 alternatives are, IEC or whatever, for example, not taking exception to the 22 standards in - you know, when the reg guides are written not taking 23 exceptions would be helpful so that you're not changing should to shall and 24 things like that.

25 And also I would say a less rigid attachment to the - to 26 specific versions of the standards would help. You know, a new standard

43 1 comes out and people design things to the new standard and then - but 2 you've got to go back and show how it complies with an old version because 3 that's the one that happens to be endorsed.

4 It does get cumbersome trying to show all of that.

5 COMMISSIONER BARAN: Well, so what I glean from this 6 is for the folks who are kind of knee deep in this on the nuclear side you do 7 think there is some value in doing a rule. Not clear when but, you know, 8 doing something more transformative here.

9 And it sounds like the basic vision for that rule in your mind 10 is a rule that allows a licensee to use any one of a number of established 11 standards in this area rather than just the IEEE standard.

12 Is that the basic vision for the rule you're -

13 MR. NOVAK: Yes.

14 COMMISSIONER BARAN: Okay.

15 MR. NOVAK: Flexibility.

16 DR. THOMAS: That's what's usually done in other 17 industries.

18 COMMISSIONER BARAN: Okay.

19 MR. PITESA: And I think we are very hopeful around 20 what ISG-06 is going to say. We don't know for sure what it's going to say 21 and I think that's creating some of the hesitation.

22 But moving the approval to earlier in the process is going 23 to be a game changer, I think, for the industry.

24 When I think back on Oconee, we were - we had probably 25 already spent over $100 million and still didn't have approval to say, you can 26 install this widget, and because we weren't checking all the software until the

44 1 end of the process and we were incredibly concerned that we had gone out 2 on a limb too far.

3 And there was a serious discussion of, even at that point, 4 cutting it off because without that early approval you had zero confidence 5 you're going to get to an outcome.

6 COMMISSIONER BARAN: Okay.

7 MR. NOVAK: Utilities need to have that confidence.

8 Otherwise, they are not going step forward.

9 COMMISSIONER BARAN: Thank you very much.

10 CHAIRMAN SVINICKI: Thank you, Commissioner Baran.

11 Next, we will recognize Commissioner Burns. Please 12 proceed.

13 COMMISSIONER BURNS: Thank you, and thank you all 14 for being here and for the presentations.

15 It's interesting. I think this is maybe not as many as 16 Chairman Svinicki but in some capacity, either sitting in that seat or here or 17 there, you know, I've heard the digital thing and I tell you, every time I hear it 18 it's, like - and again, because I am not a technical person, a theme I've 19 emphasized a number of times - but it becomes sort of a veil over my eyes 20 that says what the heck have we been doing for whatever.

21 And I know we should move forward but there are sort of 22 glimmers of hope for my understanding in what you've - what you've said 23 today.

24 One of the things just maybe to build off of what Bill Pitesa 25 just said and also, I think, Mr. Novak said, this looking at how the staff 26 approaches it - that this - and maybe you can help me out - understand that

45 1 better.

2 So what I seem to hear both from Mr. Novak and Mr.

3 Pitesa is that the focus on the software is something that pushes out so, oh, 4 all right, we got to be there - you got to be able - ready to turn on your 5 machine at the very end, and that focus versus maybe a quality - and I think, 6 Mr. Novak, you mentioned a quality assurance focus would help.

7 But help me understand what - how that - how the problem 8 - what the problem looks like in that way if I - if I've been clear at all in terms 9 of my question.

10 MR. PITESA: Let me start, and I am going to use the 11 anecdotal Oconee example.

12 So we had completely brought all the equipment on site 13 and everything and started working through our factory acceptance testing, 14 and at that point is when really in the process the software was being 15 reviewed.

16 So many things were being reviewed that we thought we 17 were going to be able to install it in a subsequent outage. We ended up 18 having to delay it one if not two outages because of the review time that was 19 still needed.

20 We had a hard time with a vendor on whose cost is this of 21 just sitting here with this product just sitting on the shelf waiting. And I think 22 so much of that was available earlier in the process and if there had been 23 more acceptance of this followed a level of standards and our QA program 24 verified those standards that we could have probably been much more 25 seamless in our installation at that point.

26 COMMISSIONER BURNS: Okay. Mr. Novak.

46 1 MR. NOVAK: Yes, I would sort of echo what he said. If 2 you could picture, you know, you get to a point in the project where you've 3 manufactured the system - you know, the vendor has tested it, you've tested 4 it, did the acceptance test.

5 And then, you know, then the reviewer is following the 6 guidance, reviewed the software process that had been used all along and 7 that takes - you know, can take about a year or so to do that and get the final 8 approval.

9 So now, you know, it's a full year after the system is 10 complete before you can install it and everyone wants to have, you know, 11 sometime in between approval and getting into their design change package 12 and so forth.

13 So it definitely pushes things out - a refueling outage 14 typically. And so I think it would help, you know, that if the review - if you're 15 reviewing as sort of a periodic ongoing QA type of activity, I am not saying 16 make it easier but just make it - just do it differently and not tie it so closely to 17 the individual project.

18 You know, we are using the projects as the context to 19 approve the software development and that - then that - it just makes it 20 necessary. If that's the approach that it's really necessary that the approval 21 is going to come very late and it's really - it makes it very expensive and the 22 perceived risk that you're going to get there and a year after the system is 23 built and tested and everyone's ready to install it that something comes up 24 and you got to go back and rework a whole bunch of things and, you know, 25 add a few more years, it just - it's a very large perceived risk.

26 COMMISSIONER BURNS: Dr. Thomas, does this kind of

47 1 get to your point - I don't know if it does or not - about if you're so focused on 2 - if you're so focused on the software but you're not focused on what the 3 outcomes you're looking for - I don't know. I am just trying -

4 DR. THOMAS: Yeah, it's a tricky problem because the 5 challenge we have in building a digital system or building a computer system 6 with software it's not actually understanding the software.

7 Software folks are brilliant at understanding the software.

8 The problem is they don't understand the rest of the system. And the same 9 thing is true for the hardware engineers and for the other engineers.

10 So we need - this is what we have systems engineering 11 for. I think it's very slow to be adopted in the nuclear industry. But in the 12 FAA, in aviation and in automotive and other industries they have been 13 much quicker to adopt system engineering.

14 I think that's the solution. We need - we need methods 15 that don't just apply to component failures, don't just apply to software, don't 16 just apply to digital, or non-digital systems.

17 We need an overarching method that can handle the 18 interactions between all these because the interactions are what get you.

19 COMMISSIONER BURNS: Yeah. Yeah. Mr.

20 Romanski.

21 MR. ROMANSKI: It kind of blows my mind a system can 22 be developed and then submitted for review. On FAA project - on a project 23 by project basis we have four what we call stages of involvement - the start 24 of the project before the software is developed you develop the plans - the 25 process you're going to use to develop and verify your application.

26 That is submitted for approval and it's at that stage you

48 1 then say yeah, this works or no, you have to change this a little bit.

2 Then later on we are halfway through the requirement 3 process and we submit 50 percent of the requirements and the code, and 4 then the auditors look at this and said yeah, this looks good - if you carry on 5 like this we should be okay or no, you need to make some adjustment.

6 We do the same thing when you're halfway through the 7 testing. By the time you've finished the project, the processes you've been 8 following and the mechanisms that you've been using should be sound.

9 So the approval should be a foregone conclusion. There 10 should be little risk.

11 COMMISSIONER BURNS: Okay. Mr. Scott.

12 MR. SCOTT: That's a very similar process that we are 13 experiencing in Finland or that we have experienced in Finland with STUK.

14 COMMISSIONER BURNS: With STUK?

15 MR. SCOTT: Yeah. So they follow a very similar 16 process. So by the time you actually get ready to implement all of that's 17 pretty much done and reviewed and ready to go.

18 So it's fundamentally similar.

19 COMMISSIONER BURNS: Yeah. And for those who 20 don't know, STUK - the reference to STUK it's the Finnish regulator - the 21 nuclear regulator.

22 Thanks, Mr. Scott.

23 Bill, did you want to say one more thing?

24 MR. PITESA: Yeah, I was just going to echo what Mr.

25 Romanski was talking earlier about - through the QA process achieving 26 confidence in your processes and then doing some limited sampling.

49 1 That really resonated with me because I think right now it 2 takes a difference between what I view as absolute certainty which is review 3 every line of code which is review every aspect of the modification versus 4 look at the processes being used and create a level of confidence, and I 5 think that confidence should resonate with us as reasonable assurance.

6 COMMISSIONER BURNS: And the other thing, and this 7 is one I actually - I step back and I will - I may embarrass myself - well, why 8 don't you know that, Mr. Burns.

9 But I am sort of a little bit at a loss, and make sure I 10 understand - what's the disharmony between being able to rely on 11 something other than the IEEE standard? So the recognition within our 12 system at this point.

13 I guess I didn't really fully appreciate that, and again, 14 because I understand fully the ability to look to other standards. I mean, 15 this is much - you know, I started the agency 40 years ago - this is a much 16 more internationally driven industry in terms of supply chain and things like 17 that than it was even back then, you know, in terms of operation and all that -

18 all those types of things.

19 So that's why I am having a little bit - I am trying to 20 understand what's the hurdle, the wall, we have to crawl over here and the 21 difficulty?

22 Mr. Novak.

23 MR. NOVAK: You know, right now, as I am sure you're 24 aware, IEEE 603 is incorporated by reference in the rule -

25 COMMISSIONER BURNS: Yeah.

26 MR. NOVAK: - and then so all of the - the whole - you

50 1 know, how do you meet this, you know, in the reg guides is all - it's all lined 2 up with IEEE. I mean -

3 COMMISSIONER BURNS: So I - yeah, I didn't mean to -

4 so otherwise if you're going to deviate from that you're going to have to get 5 an exemption or something like that.

6 MR. NOVAK: Exactly. Yes.

7 COMMISSIONER BURNS: Mr. Scott.

8 MR. SCOTT: Yeah. I mean, NRC guidance has been 9 predominantly IEEE driven. That's historical.

10 COMMISSIONER BURNS: Yeah.

11 MR. SCOTT: And within recent years they started to look 12 at some of the IEC standards as part of some of the IEEE associations.

13 And then as standards in the industry we are looking at 14 dual coding standards, right, so that we can have, you know, the dual label 15 on IEEE and IEC.

16 But, unfortunately, that takes - the process to get - it takes 17 a long time to get those things mixed together.

18 But I just think that there is just been this fundamental DNA 19 that it's an IEEE-based driven regulatory premise that we just need 20 acceleration or openness to see how much more we can pull in from the 21 other standard bases.

22 COMMISSIONER BURNS: All right. Mr. - Dr. Thomas.

23 DR. THOMAS: There are lots of IEEE standards. I just 24 looked up the one you referenced, IEEE 603 - it appears to establish criteria 25 - single failure criterion for digital systems. I mean, I am not going to say it's 26 a bad standard. We should do all that stuff.

51 1 But I am not convinced that that's the core problem that we 2 have. The core problem is about the requirements about what should the 3 behavior of the digital system be.

4 There is lots of effort and standards about what's called 5 verification, which is making real sure that it absolutely meets the 6 requirements we wrote.

7 We kind of have that under our belt. There are many, 8 many standards that do a good job with that. But what we need to get a 9 handle on is that's not good enough.

10 Making sure it does what we wrote is not good enough.

11 We have got to make sure what we wrote is right. That's called validation.

12 That's very much - it's not just a digital problem. It's not a checklist problem.

13 It's a problem of - it's a lack of foresight, like I was saying.

14 So we need - I think we need to go outside that standard 15 and identify methods of getting the requirements right - getting a really 16 robust process - and they exist out there but I don't think they are in that 17 particular standard.

18 COMMISSIONER BURNS: All right. Thank you very 19 much.

20 Thank you, Chairman.

21 CHAIRMAN SVINICKI: Thank you very much.

22 Next we will hear from Commissioner Caputo. Please 23 proceed.

24 COMMISSIONER CAPUTO: Thank you.

25 I'll start by associating myself with my colleague's remarks 26 about just the duration of this issue - the frustration and struggling with this

52 1 issue.

2 Commissioner Burns, your eyes may glaze over. So do 3 mine, and I am a technical person. I think, particularly as a new 4 commissioner, it's a challenge to dive into this issue because it's a 30-year 5 history. All the questions have probably been asked before. I shouldn't 6 even say probably. We have been at this a long time.

7 So predecessors that have sat in these chairs have 8 wrestled with this issue before and so it's a challenge for me. So my 9 questions, I am sure, are not original. But I think in tackling this issue, for 10 me, I need to begin with what's important here - why is it important that we 11 pursue digital I&C - why is it important for the agency to reach beyond its 12 comfort zone with analog and wrestle with this issue.

13 So in that vein, Mr. Scott, Mr. Pitesa had a slide that was 14 pretty compelling about digital being more dependable than analog and 15 posing fewer plant challenges which can be interpreted that digital is safer.

16 Can you describe in more detail some additional examples 17 of how digital I&C can improve safety?

18 MR. SCOTT: Okay. So it's a good question.

19 So I am not going to completely say that analog isn't 20 supporting safety. I think analog, as it operates, is a sufficient product.

21 Digital is just as sufficient but it also brings the ability to 22 add multiple layers of safety protection into your system whereas in analog 23 you can't necessarily have dual redundancy or triplication, et cetera.

24 So you can design -

25 COMMISSIONER CAPUTO: So would offer some 26 defense in depth?

53 1 MR. SCOTT: Yes. So you can offer a lot more defense 2 in depth for the digital system versus an analog system.

3 The biggest issue, I think, is that digital offers a lot of 4 benefits that can improve the operation of the plant to keep it more stable.

5 But the biggest challenge with analog is it's a component issue of being able 6 to get at the supply chain. That's the challenge.

7 I mean, when we look at getting components you've got 8 two parts - A, finding the component is a challenge. The second part is 9 finding engineers that understand how to do critical characteristics of the 10 component that you find when you want to go and upgrade your analog 11 system.

12 We support an analog system. We have been supporting 13 it for 40 years, and we are getting to the point now where it's very difficult for 14 us to find components with that product - you know, transistor material that's 15 even fabricated - and then when we go to make a change on those particular 16 cards finding people that understand how to do those characteristic analysis 17 is a challenge.

18 So it's a sustainability issue as well as yes, it's a 19 performance and you can do defense in depth and et cetera. But, really, 20 there is a sustainability issue around analog versus digital.

21 COMMISSIONER CAPUTO: Well, that's a natural segue 22 to my next question.

23 Mr. Pitesa, I believe you stated in discussing how 24 important digital instrumentation and control is to the long term viability of 25 plants.

26 I believe, if I heard you right, you used the term imperative

54 1 and particularly for subsequent license renewal and the long-term viability of 2 our nation's nuclear plants.

3 Could you please discuss that in a little bit more detail?

4 MR. PITESA: Certainly. I mean, when I think about 5 plants that are going to be operating in the 2050s, the 2060s, the people that 6 are going to be running that plant aren't even born today, and to say I am 7 going to bring them in and teach them analog technology is just so foreign 8 to, I think, the realities of the future.

9 We have to migrate to a technology that they are going to 10 learn through their educational system, that they are going to learn and be 11 able to operate these plants in a way that supports their knowledge base 12 coming to the program.

13 COMMISSIONER CAPUTO: Okay.

14 Mr. Scott, back to you. You stated in your slides that what 15 is missing in digital I&C is trust in technology and you make the point that 16 technology platforms have billions of hours of operation without failure.

17 What is your view about how we can take that information 18 and incorporate it into a risk-informed approach?

19 MR. SCOTT: You know, I think - I think EPRI's doing 20 some efforts towards that and I think other groups have looked at that.

21 You know, it's an interesting question because we have 22 had this debate from as long as I can remember. I mean, it's been many, 23 many years that we keep looking at it.

24 So we have looked at other industries. I remember sitting 25 on some of the original committees with the NRC looking at other industries 26 and saying well, you know, FAA has been doing this or gas - oil and gas has

55 1 been doing it - why don't we take credit for it.

2 And there just seems to be a nervousness to truly embrace 3 what's out there, and when you look around, I mean, everything today is 4 digital regardless of what you're more or less involved in.

5 And in all of those other industries, all of those other critical 6 operations - and there is a lot of critical operations that are far more 7 impactful than a nuclear plant, in some respects -that have been reliant on 8 digital technology for years.

9 And I just think we need to understand and accept the fact 10 that technology is not the challenge. I think John has stated it very well that 11 how we understand what needs to be designed to go into the system is 12 critical and I think that's the important focus is that we need to understand 13 what the functional requirements are, how we interpret those, how we 14 implement them.

15 The technology is going to work. Software works. I 16 mean, hardware works. I mean, there are some failures on hardware side.

17 But when you look at how much technology is out there, it's really a robust 18 solution.

19 And I just think we are not giving it the credit that it needs.

20 COMMISSIONER CAPUTO: So I am going to back up a 21 little bit. My fundamental understanding at this point, which is very 22 fundamental, was that the industry was making some low safety significant 23 upgrades in 2012.

24 Those efforts stopped. There have been some 25 subsequent efforts on license amendments but not many. Mr. Pitesa talked 26 about regulatory uncertainty.

56 1 So I guess to Mr. Pitesa and Mr. Novak -Mr. Novak, you 2 made a statement about how significant positive impacts can be achieved 3 without waiting for rulemaking.

4 Can you talk about how you think we should do that? And 5 Mr. Pitesa, your ideas on how you think we should do that in order to work at 6 reducing the regulatory uncertainty?

7 MR. NOVAK: I think what they are doing with the revision 8 to ISG-06 is going to go a long way in this direction of making a very positive 9 difference.

10 You know, I meant - we talked earlier about how a project 11 needs to basically be complete and then the review of the software 12 development process that had been used all along kicks in and that just 13 takes time.

14 What the ISG-06 revision is doing is it's - the NRC would 15 review and approve the overall process for developing a software but the 16 review of the actual product is they are going to rely on a combination of the 17 licensee's vendor oversight and also NRC inspections.

18 And the details are still to be worked out, but I think that 19 would help a lot to eliminate and to make a lot of positive impact with our 20 rulemaking.

21 COMMISSIONER CAPUTO: Okay.

22 MR. PITESA: And I agree completely.

23 The RIS for low safety significant systems and ISG-06 for 24 more safety significant systems, quite frankly, you're looking at an industry 25 that's just been kind of held back for so long.

26 We are trying to really understand what's going to be the

57 1 opportunity out of those changes, and it goes back to Mr. Baran's question.

2 Mr. Baran's question is until we fully internalize how much 3 relief we have been given on the ability to implement digital in low safety 4 significant and high safety significant systems, which will require better 5 understanding of what ISG-06 ultimately is I think then we will be able to 6 weigh better on what is next and what more do we need to go forward from 7 here.

8 COMMISSIONER CAPUTO: Okay. Because I guess - I 9 guess when I look at it and I think we have been at this for 30 years we are 10 still in the domain of RIS and interim staff guidance - multiple versions of 11 interim staff guidance. We are revising action plans.

12 I guess I am kind of struggling with how much are we 13 continuing to revise how we are going to do this but not actually getting to 14 the point where we actually do it and that's the path forward that I am looking 15 for here.

16 Thank you.

17 CHAIRMAN SVINICKI: Thank you, Commissioner 18 Caputo.

19 Next we will hear from Commissioner Wright.

20 Please proceed.

21 COMMISSIONER WRIGHT: Good morning, and I am 22 going to join my colleagues in thanking you for your presentation this 23 morning.

24 And Dr. Thomas, whatever you had for breakfast -

25 [Laughter.]

26 MALE PARTICIPANT: I want the address of his

58 1 Starbucks.

2 COMMISSIONER WRIGHT: You're one passionate guy 3 and I appreciate what you bring to the table today.

4 So like Commissioner Caputo, I am new and many of the 5 questions that have been circled around this table for the last three decades 6 have been probably asked multiple times.

7 So I am probably going to go a little different direction, 8 being new, and anybody can answer this question, you know, that I am 9 going to pose.

10 But I am going to pose it to Bill. You talked about the 11 need to modernize, you know, to the regulatory framework and you talked 12 about the transformation team's recommendations in that area.

13 But the mission of the NRC is, you know, the reasonable 14 assurance of adequate safety. Do you think that this whole digital I&C 15 process has been following that path or has it been more toward a zero risk 16 initiative?

17 And I'd like to hear your comments about that.

18 MR. PITESA: I feel like there has been a desire to create 19 absolute certainty and zero risk because I think people have been afraid of 20 the ghost in the machine that they just don't know about.

21 So we just need to look at everything to ensure there are 22 not ghosts in that machine, and I think what we have seen in the 23 advancement of digital in other fields of industry proves that you don't have 24 to search every single line of code looking for that ghost in the machine.

25 You can achieve reasonable assurance by following - I still 26 go back to the example the FAA used that says you're following processes

59 1 that I endorse and when I do check in limited ways that check confirms that 2 you're doing that appropriately. And I think that would be a great movement 3 for our industry to consider.

4 COMMISSIONER WRIGHT: Yeah.

5 Scott.

6 MR. SCOTT: I would agree. I think it's a - we are trying 7 to what-if it to a perfect ideology, which is not going to - it's not going to get 8 us there and I think that's where we are stuck is we are just trying to get it to 9 a zero position.

10 MR. ROMANSKI: So the industry in the aviation side 11 pushed differently. What the big guys - people like Boeing - what they said 12 is that we need a mechanism to know when to stop - when to stop testing.

13 Airplane crashes - everybody's going to sue us. If we say 14 we have tested it, they say, well, clearly, you didn't test it enough, if the 15 accident was caused by a software failure.

16 So they said we need a stopping criteria. So we put that 17 into the regulations and we said, well, if you do a requirement-based test 18 and you measure how much code you've covered and if you've covered the 19 code then you're done. You don't have to do anymore.

20 And we have different measures of coverage, depending 21 on the criticality or design assurance level. But it was really driven by 22 industry knowing that they need a mechanism by which they can stop.

23 Is it perfect? It's not. Errors can still get through. But at 24 least we have a stopping criteria, which is - which gives you a good measure 25 that you've done enough.

26 COMMISSIONER WRIGHT: I believe you used the word

60 1 faith - a leap of faith. Was that you or - one of you used it.

2 [Laughter.]

3 MR. PITESA: But I think - I mean, I think there is an 4 aspect of trying to discern what the difference is between perfect zero or 5 perfect assurance versus reasonable assurance.

6 COMMISSIONER WRIGHT: Correct.

7 MR. PITESA: And I think that's been a huge challenge for 8 our industry and that is the path forward that we have got to achieve is how 9 do we just dissect those in a way that this is what reasonable assurance 10 truly looks like in digital.

11 COMMISSIONER WRIGHT: Do you - do you see the 12 transition team's recommendation moving more toward reasonable 13 assurance or do you have a comment or is it still the same?

14 MR. SCOTT: I think we are moving more towards that 15 direction. I just don't know if it's aggressive enough to get there.

16 COMMISSIONER WRIGHT: Okay, another question here 17 and this is going to go towards standardization. I was at Naval reactors a 18 few weeks ago and I watched the -- I was really intrigued the way they did 19 things.

20 The Navy is a benevolent dictator so they own a little bit 21 more of the process and the vendors and all, but I saw the way they 22 leverage standardization and what they do and you mentioned the aviation 23 industry a while ago.

24 Has the industry looked at ways to maybe standardize 25 digital I&C across -- you've got a lot of different types of plants and all that 26 kind of stuff. But have you looked at that?

61 1 Because one of the things, everything is one off, that's the 2 most expensive way to do things.

3 MR. PITESA: You're exactly right. And I look at 4 TELEPERM, it was a proven technology that Oconee brought from Areva at 5 the time, and it had been used internationally.

6 It was kind of a standard technology, we had to turn 7 around to apply it through IEEE standards and everything else, customize it 8 to the point where it's a complete one-off now. So I think standardization of 9 the rules will create standardization of the products.

10 MR. SCOTT: We've tried to take commercial off-the-shelf 11 technologies the best that we can, trying to choose the most robust COTS 12 products so we can bring them into the industry.

13 And I think that's a view that a lot of utilities are looking for, 14 to find a supplier that can provide a COTS product that's sector-wide so it's 15 not a one-off.

16 The challenge is, obviously, it's difficult for suppliers to all 17 have a common-type goal because they're all competitive in nature in certain 18 ways but I think to Bill's point, the more common and the more standardized 19 we are globally, then there's a basis for us from a financial perspective to 20 say, okay, well, it makes sense to make a platform that satisfies a lot of 21 different regions.

22 Because right now, we're in situations where different 23 regulatory bodies drive different requirements so you have to look at certain 24 markets and saying, well, okay, if I'm only going to satisfy two or three plants 25 in that regulatory regime then does it make sense for me as a business to 26 focus on that?

62 1 So then you step back and you make decisions driven on 2 that. So I really think harmonization of the standards really helps the supply 3 chain levelize that a little bit.

4 COMMISSIONER WRIGHT: Do you have any comment 5 about that?

6 And I guess, really, you talked about the IEEE and IEC 7 standards and I'm trying to harmonize that stuff too. What are the biggest 8 challenges the you see going forward in trying to do that?

9 MR. NOVAK: What's the biggest challenge with changing 10 over to something else?

11 COMMISSIONER WRIGHT: Yes, what would be the 12 biggest?

13 MR. NOVAK: We'll have to start with the rulemaking and 14 the writing guidance on how to and with the endorsement of all of the 15 subordinate standards because it's going to be a time-consuming process.

16 COMMISSIONER WRIGHT: So one of the things that 17 concerns me just in the five months I've been here is that it seems like 18 sometimes maybe we're standing in our own way and standing in the way of 19 some real beneficiary safety improvements that would takeaway human 20 error factors as well.

21 And I see this as possibly being one of those, it seems to 22 be what I heard George talking about and you too, Doctor. I'm just trying to 23 find a way to get it done cleaner, better, more efficient, and keep in our 24 mission.

25 DR. THOMAS: I've got a comment along those lines.

26 I've heard standards mentioned a number of times. I'm on standard

63 1 committees for aviation and automotive and other industries and I've seen 2 the sausage-making.

3 And standards are good but they're not perfect and we've 4 got to be a little careful here. The answer to this problem is not to copy a 5 standard that exists.

6 My biggest fear, what keeps me up at night, is there are 7 some standards that are very good for this problem and there are a lot of 8 standards that, frankly, are not very good. The standards are not created 9 through a nice, scientific process.

10 They haven't even been tested. They're created by a 11 bunch of experts that sit at a table like this and say what should we write 12 down?

13 And that's why we have different standards even within the 14 same industry that conflict with each other and things like that, right? So 15 don't just copy a standard because it exists. That should not be our criteria.

16 The criteria is actually very simple, it's a little revolutionary, but it's very 17 simple.

18 We need to test, we need to do a proper test, not taking 19 something in hindsight and seeing if it will stuff in a box and not proving by 20 theory that it can fit. Do a proper test with real engineers, try it out.

21 Some of these tests have been done, some of these have 22 not. Whatever standard you're looking at I suggest that we should put 23 somewhere in here a gateway that says let's define a proper test and make 24 sure it's really going to work for our problem, and then your decision is easy.

25 26 You have the evidence you need, we're trying to make a

64 1 decision without the evidence and that's the problem. Let's make sure we 2 collect the right evidence and the decision will be easy I think.

3 COMMISSIONER WRIGHT: Thank you, thank you very much.

4 MR. SCOTT: I guess an interesting thing that might be 5 thought about is supply chain has done a lot of significant digital 6 modifications, either new plants or modernizations around the world.

7 There's a lot of history, there's a lot of data, there's a lot of already tested, 8 proven, documented basis.

9 But if that were to be submitted, for example, let's say a 10 utility wants to do an upgrade of the United States and they bring in a 11 supplier that's done similar-type upgrades in four or five different other 12 countries or plants and submit that along as a base of support and get credit 13 for that, we've got to look at different ways.

14 Because I do think we're losing a lot of value in what's 15 been done in other similar environments.

16 COMMISSIONER WRIGHT: Thank you very much.

17 MR. ROMANSKI: The approach that the FAA has taken 18 is that we have started a number of projects where we are partnering with 19 the Applicants. So this is new technology, new techniques that people are 20 proposing, and they come to the FAA and have said, well, would you accept 21 this?

22 And we said we don't know, however, let's have a project 23 where you put your people on board, we'll put our people on board and we 24 will work the problems together so that we learn from them and they learn 25 from us and they get early approval.

26 So we have a number of these partnership programs,

65 1 especially in the new technologies like the unmanned air systems.

2 Thank you.

3 CHAIRMAN SVINICKI: Well, thank you all again for your 4 presentations.

5 As someone who has been watching the NRC activities in 6 this area for over ten years now, some of what I've heard in your 7 presentations and response that you gave to the questions of my colleagues 8 added validation in some instances to a series of observations that I've been 9 adding to over the years. And maybe I'll share some of that and if 10 time remains, offer the opportunity for any of the panelists to take exception 11 to anything I've said or to add some additional thoughts about it.

12 Let me just say that I think the first meeting that I attended 13 on digital I&C as a Member of the Commission, I haven't looked this up but I 14 was thinking about it as I sat here, it might have been 2008.

15 And two regulated companies were on the external panel 16 because they were representing two attempts at adoption of digital I&C 17 projects at plants.

18 One was Wolf Creek and it wasn't a terribly ambitious 19 project so they were considered the applicant who had a limited complexity 20 to what they were trying to do. The other might have been Oconee but I'm 21 really not sure so I don't want to say that I don't think Bill was at the table.

22 But I asked the two representatives of companies that had 23 engaged the NRC, again this was ten years ago, some sort of limited 24 non-safety-related project, and one of the presenters said that he felt as if he 25 were attempting to swim the English Channel and that he got to a point 26 where he regretted that his company had ever, ever decided to engage the

66 1 NRC in this process.

2 But he knew that he had to proceed because he drowned 3 and didn't have the energy to go backwards. And so I'm sure no Member of 4 the Commission ever wants to hear someone describe their engagement 5 with the NRC in such stark and life and death terms, but as I've watched this 6 evolve, I think some of the challenge is that -- well, first of all, let me talk 7 about something which is publicly known which is that NRC experts are not 8 of one set of philosophies on this.

9 I don't say that to reveal our dirty laundry but I think it is 10 well-known that in the new reactor area, there has for whatever reason been 11 a greater ease around fully digital systems that is not evidenced in other 12 groups of the Agency's experts who are working more with the current 13 technology.

14 So that does leave one with a conclusion that there is a 15 certain kind of mindset or paradigm that the various experts may be bringing 16 to the issue that cause, in some cases, there to be a regulatory exceptions 17 of something than in other cases.

18 And so I tried to think about why that is and I wonder if in 19 some instances we are expecting digital systems to make a demonstration of 20 providing safety in the same way that analog systems, the same way that we 21 would assess their ability to do it.

22 And until you come to some sort of acceptance that digital 23 systems will not provide a basis for a safety conclusion with the same means 24 and methods that analog systems do, then you are trying to force-fit digital 25 systems into providing you with an assurance in the same way that analog 26 does.

67 1 And they fundamentally perform differently, they are just 2 different at birth and at origin and the notion that you can force-fit one into 3 giving you the same confidence and safety demonstration in the exact same 4 way.

5 I think the notion that one is more safe than the other, I 6 think that whole question, you've kind of failed at the starting gate because 7 that's very, very difficult to say if I allow digital systems on safety-related 8 things at nuclear power-plants, have I diminished safety? Have I 9 relinquished some sort of safety?

10 And I think that's the really the wrong way to look at it.

11 Engineers for some years now have been required to take the rudiments of 12 some sort of programming, this was true even in the antiquated days when I 13 was in engineering school. And that was always the most difficult thing.

14 But the lines of code will do -- I mean, it's math and it's just 15 a functionality but the problem was if you didn't understand the system, that 16 is always why the rudimentary programming that I would have had to do in 17 engineering school, it was that I failed to understand the problem because 18 the code does what the code does.

19 And I think that any of us that went through that humble 20 experience -- so I think another challenge has been what we need to do is 21 weigh the benefits of how digital provides safety assurances against any 22 complexities that it might pose, any uncertainties that it might pose.

23 And if we don't look at the nuclear power-plant as an 24 integrated system that has these digital systems, it's very difficult to weigh 25 the benefits of what digital brings against the risk that it brings if you're not 26 looking at a fully integrated system.

68 1 And there's been some discussion of systems engineering 2 here today and I think that, again, if we neck down and get a narrow focus 3 just on digital being like analog, then I think we're not going to adequately 4 understand the massive redundancies that digital can offer in the defense 5 in-depth.

6 I think that term was used and that's a term we use here 7 but I think it can provide enhancements. So I view that in the ten years I've 8 been watching this issue, we have definitely foregone benefits that digital 9 could have been providing in that timeframe.

10 I do agree that the Agency coming to some greater ease 11 and structure around this is an imperative, that term was mentioned as well.

12 This is not an optional thing. I've been asked by people who do only 13 cybersecurity, can't you just force nuclear power-plants to continue to have 14 analog?

15 And I said we could require that but I think as a result, the 16 nation will forego nuclear power because they don't believe that it's 17 sustainable. So we've also talked a lot about codes and standards and I 18 want to take the counterpoint, I'm not going to malign codes and standards.

19 By the way, as a Government Agency, we're required 20 under law to refer to and adopt standard industry codes and standards and 21 not develop our own ad hoc ones, again, because that's just viewed as 22 something that enables commerce and makes a lot of sense because we 23 shouldn't sit back and have our own. We can endorse them, we can cite to 24 them, and I understand that, but we're constructing two nuclear power-plants 25 in this country down in Georgia right now and the American Concrete 26 institute has codes and standards.

69 1 So this is concrete so let's stipulate that's not as 2 complicated as digital systems and software. We were engaged in 3 protracted, interpretive engagement with the constructors as to whether or 4 not what they were doing in the field complied with the ACI standards.

5 So I think the notion that codes and standards can solve 6 this is true. But people get to interpret whether or not what is happening 7 meets the code or the standard and so let's not forget that has been a very 8 important part of this dialog.

9 We can take IEEE 603 but then NRC has to agree that 10 what we think meeting that standard looks like is the same thing that the 11 vendor thinks, is the same thing that the operator thinks.

12 One last thing that I'll mention that I had not thought about 13 but based on our colleague from the FAA, it was very interesting to hear him 14 talk about what he called an incremental review or engagement on the 15 development of this system.

16 And I believe that you even commented that you found it 17 somewhat astonishing that you could take a fully completed digital system, 18 take that design and review it post-hoc after it's already been completed.

19 The NRC has been engaged a lot in the advanced reactor realm 20 about taking the regulatory framework we have now, which is 21 performance-based and I'm going to conclude by making some comments.

22 We've hear a lot about risk-informed, the other thing we're 23 supposed to be is performance-based and I think that's another element that 24 we need to get clarity of thinking about when it comes to digital adoption and 25 nuclear power-plants.

26 But with the advanced reactor community, we've come to

70 1 understand that they don't want to invest the money to have a fully 2 completed design before some of the very different concepts that they're 3 thinking about for various aspects of the design, before they know that those 4 things have any snowball's chance in you know what of getting approval by 5 the regulator. So what we have done is we've said we're not changing 6 what you have to demonstrate to get your design approved but we're going 7 to have a regulatory engagement plan with you that will set up an advance, 8 you will tell us how you want to evolve and finalize aspects of what you're 9 talking about, we will agree to have touch-points along the way as you're 10 developing it, and we can't give you approval per se but we can give you 11 something that is a very valuable reaction. If you were indifferent on the 12 alloy you were choosing for a component and I said this one we know really 13 well, if you could pick this alloy we wouldn't have to engage in a lot of testing 14 and other things, and they might say I'm indifferent on that, that's great, 15 that's very helpful to know that upfront.

16 Maybe we would benefit from having the Staff think about it 17 and make a decision, but having the Staff think about is there something 18 akin to the regulatory engagement plan development that we've been having 19 with advanced reactor vendors, none of whom have come in for review yet, 20 would that benefit? Would the designers of digital I&C systems, would a 21 parallel system be helpful? They could have an understanding upfront, a 22 kind of compact if you will, to say I'm going to come in and get regulatory 23 reactions, if not approvals to things at various steps along the way.

24 Maybe we need to learn more about what the FAA has 25 done there and see if that's something that we should have been doing all 26 along for very complex digital upgrades or systems.

71 1 Because we've approved whole platforms, which has not 2 been discussed today, but we've got some advanced reactor digital I&C 3 platforms that we've approved. And let me conclude with 4 performance-based because I think that's the other element here.

5 We've talked about a rulemaking versus continued 6 progress on the guidance documents. I'm not certain that I want to yield 7 today to the notion that it has to be either/or and that may have been some 8 of what the staff was talking about in the transformation paper.

9 Maybe a separate transformation activity that would look at 10 -- the rulemaking is supposed to be about what do you need to 11 demonstrate?

12 The guidance is about possible versions of what that could 13 look like and so I think the other thing we struggle with in digital I&C, at some 14 point we do need an enduring place where we have enshrined the 15 paradigms and the prisms through which we are viewing the showing or 16 demonstration that is required for a digital I&C system that we assess meets 17 reasonable assurance of adequate protection, as my colleague mentioned.

18 I think at some point you do need to have a 19 performance-based articulation of that in a regulation and that would give 20 enduring flexibility. Because we've talked a lot about the NRC Staff having 21 adequate flexibility and looking at digital I&C systems.

22 The other thing that people want out of a regulatory 23 framework is predictability and if it's too flexible and too ad hoc in saying, 24 well, just bring a system that's fully designed and after you're done designing 25 it, I'll tell you if it meets reasonable assurance of adequate protection and I 26 can't articulate for you upfront what that demonstration or showing is going

72 1 to require, then I think we end up with these extremely protracted review 2 schedules and we add complexity because we haven't defined upfront 3 exactly what are you required to convince me of?

4 And if knew what that was and I knew how digital systems 5 did it and I didn't make them try to show me that and give me that same 6 confidence in that exact way that the analog systems did, but I leaned into 7 the uniquenesses and benefit of digital systems. So that's my overall sense 8 of what we're struggling with. I don't know the best methods for us to get 9 there. I think Congress has asked NRC to go look at the military, to look at 10 aviation, to look at medical I think was in there as well.

11 We haven't talked about that today, we're all putting our 12 lives on the line with a lot of medical technologies that are extremely 13 dependent on digital systems, but I think they've asked us to look at the 14 philosophical approaches there because digital I&C is so much more 15 absorbed into those areas of commerce and to say why is it that those 16 approaches that have provided acceptability to regulators in those sectors, 17 why is it that they don't work for nuclear.

18 So I think we have a report due to Congress on that but I 19 think that might be interested as well. But again, I've gone over but I 20 appreciate your time here today and I'm of a mind, I haven't made any 21 decision until after the Staff panel goes but I'm of a mind that maybe the 22 Commission should set another meeting in X number of months.

23 I might propose that to my colleagues that in this meeting, 24 the direction on this meeting, we say that we should have another of these 25 meetings. Because maybe it needs a more consistent attention from the 26 Commission. It's been getting episodic attention but not consistent

73 1 attention.

2 So I've run over so I would ask if my colleagues have any 3 just brief additional thoughts or anything they would like to share. With that, 4 I think we will take a very modest break of five minutes while we reset the 5 table for the staff panel.

6 So that would take us to 10:55 a.m. Sometimes the 7 clocks in here are wrong so let me see. Yes, 10:55 a.m. or perhaps even a 8 little bit longer. But thank you all again for your presentations and we'll 9 recess.

10 (Whereupon, the above-entitled matter went off the record 11 at 10:50 a.m. and resumed at 11:00 a.m.)

12 CHAIRMAN SVINICKI: I call the meeting back to order.

13 If everyone will please take their seats for our second 14 panel, we will now hear from the NRC Staff on digital I&C activities 15 underway, in progress, and probably a little bit of the history of how they got 16 to where they are today.

17 And to lead of the Staff presentation, I will turn to the 18 Executive Director for operations, Margie Doane.

19 Margie?

20 MS. DOANE: Okay, good morning, Chairman and 21 Commissioners. That was a lively discussion that you had with the last 22 panel and we're looking forward to giving you our presentation on digital 23 instrumentation and controls or digital I&C.

24 I too have been sitting at this table for a long time, I sat in 25 that seat for six years and saw a Commission Meeting on digital I&C and I've 26 also heard through numerous other Commission Meetings how this topic is

74 1 vexing for us.

2 It's been complicated, so I share your perspective, and so 3 does the Staff. What I can tell you that's different today and I'm comfortable 4 saying that from my observation I see progress, but what I can tell us 5 different today is that I believe that we're working with these various 6 communities to set goals, we're putting a reasonable milestone schedule in 7 place and we're meeting those milestones that we have set.

8 And we're striving, we've told ourselves we're striving, to 9 make sure that we're not an unnecessary impediment to safety 10 improvements. And we have heard the same thing you heard on the last 11 panel, that there are real benefits to this technology and that we need to 12 make progress and we need to move this forward.

13 I believe that what spearheaded our more recent progress 14 is the direction that the Commission gave us in SRM-15-0106 where it 15 motivated us to come up with an integrated action plan and that's where 16 we've actually set out these milestone schedules and we can work with the 17 community, various communities, to come up with this schedule.

18 And so I think that provided a framework that has 19 precipitated this progress. Let me step back a second. Commissioner 20 Caputo I think has touched on this and so did other Commissioners that 21 progress is relative to the journey and I get that.

22 It's relative to the journey. If you're going 3000 miles and 23 you've made progress and you've gone 1500 miles, it's halfway but you still 24 have a long journey, a lot of time and effort to go. If you have a short 25 journey, ten miles, and you've gone halfway you're almost there.

26 So when people say we've made progress, I understand

75 1 what you're saying. You've made progress but where is it relative to the 2 goal line? And we're hearing you.

3 And I think we've identified the key issues and I think we 4 have a very good engagement schedule that I am confident that we are 5 going to continue to make progress.

6 And as you heard also on the other panel, there are three 7 distinct communities that are giving us a lot of feedback. It's operating 8 reactors, advanced reactors, and also the vendor community that's providing 9 the digital equipment.

10 And they're all coming at it different directions and so we 11 are engaging in numerous public meetings and have put a lot of resources 12 into understanding those issues to move forward.

13 And so along this milestone schedule, one of the final 14 milestones is to look at -- so we're making improvements in our regulatory 15 approach and we look at those improvements and I look forward to a lot of 16 discussion.

17 I expect we'll have some similar questions about the old 18 system or the old regulatory approach versus a brand-new regulatory 19 approach but what I'd like to say is that we can definitely make innovative 20 changes with the old regulatory approach.

21 But what that final milestone talks about is real 22 transformative changes, things that would cause you to do the process in a 23 completely different way. And like the Chairman was saying, when you 24 talked about putting principles in place that were kind of nailed down, a 25 rethinking.

26 Now, when you should do that and all that, obviously

76 1 you're going to hear from us and I'm sure we'll have a good discussion about 2 that but I just want to talk about innovation versus transformation in that 3 regard.

4 As you know, the Staff proposed their transformation in 5 this topic. We propose that in the paper in SECY 18-0060 achieving 6 mod-and-risk-informed regulation, which we call the transformation paper 7 and I don't want there to be any misimpression that, or I want to emphasize 8 that we're continuing to do a lot of effort that would lead us to being able to 9 work toward that final milestone which would be maybe perhaps a 10 completely different regulatory schedule.

11 We're doing things now that will actually help us to 12 advance progress on doing a rulemaking because some of that work is 13 being fed into these innovative approaches to even using the existing 14 regulatory approach.

15 So while it will be very important to hear the Commission's 16 views on that transformation paper, it's not slowing our progress in any way 17 because we have so many things to do right now and also as we think of 18 innovating the process going forward.

19 So, with those introductory remarks, I'd like to now, next 20 slide, please, I want to give you a brief introduction of who we have at the 21 table and what topic they're going to present.

22 So, by now you all know Ho Nieh, the Director of Office of 23 NRR. Ho will be discussing the priority the NRC has placed on making 24 progress on digital I&C issues so that potential safety benefits can be 25 realized by properly implementing digital I&C upgrades.

26 And Eric Benner, Director of NRR's Division of

77 1 engineering, and you'll hear this referred to as DE throughout the 2 presentation, will discuss the staff's detailed priorities, their incorporation into 3 the integrated action plan or the IEP that I was referring to earlier, and the 4 factors that have enabled our recent successes.

5 Rossnyev Alvarado, an electronics engineer in the Division 6 of Engineering will discuss issues surrounding common cause failures of 7 digital I&C systems. Let me take a break here for a second.

8 I just want to let you know that Mr. Pitesa on the previous 9 panel from NEI mentioned that I would discuss one of the topics that he had 10 referred to in SECY 18-0090 that had to do with common cause failure and it 11 really had to do with the issue of how that paper took into consideration 12 risk-informed approaches.

13 And I think the paper did not speak to that directly and so 14 Ms. Alvarado will be able to put more specifics on that matter.

15 Mike Waters, Chief of DE's instrumentation and controls 16 branch will discuss our progress, especially over the last year, in working 17 with the industry and public settings with the goal to provide clarity to the 18 digital I&C regulatory infrastructure. And Dinesh Taneja, a senior 19 electronics engineer in DE will discuss commercial grade dedication issues 20 and the longer-term modernization of the NRC's digital I&C regulatory 21 framework.

22 So, again, we appreciate the opportunity to discuss these 23 important issues and now I'd like to hand the presentation over to Ho.

24 MR. NIEH: Thank you very much, Margie. Good 25 morning, Chairman, good morning Commissioners. I'm very happy to be 26 here this morning. I might not be as happy as Dr. John Thomas from MIT

78 1 but I'm pretty darn happy to be here.

2 I'm really glad to be here with my colleagues to talk to you 3 about the actions we've taken in enabling the broader use of digital 4 technologies at our nation's nuclear power-plants.

5 As you know, this is my second month on the job and I'm 6 fortunate enough to have a second opportunity to be here before you at this 7 table. I suppose I'm lucky in that regard.

8 I mentioned in September last month at the business line 9 meeting that I've been drinking from this fire hose. I kind of still am but the 10 diameter of the hose is a bit smaller so that's really a good thing.

11 So, after being back for about two months, I've really had 12 to quickly come up to speed on this topical area and had to go back and look 13 at the record and look at information coming from the staff.

14 And I have to say, on the one hand, it feels kind of strange 15 to sit here and talk to you about enabling digital, especially in this age where 16 digital technologies are ubiquitous in many industrial applications as well as 17 our everyday lives.

18 And we all know that the digital revolution started many 19 decades ago so it is quite strange to have this conversation. But on the 20 other hand, I also think that I have a much better appreciation of the 21 challenges we faced just to get to where we are today.

22 And again, after speaking with the Staff and reviewing their 23 record, it's evident to me that since the beginning of this year, we did make 24 some progress in enabling the use of digital.

25 For example, we clarified the guidance and the risk on the 26 use of 50.59 for digital upgrades, we went out proactively and did workshops

79 1 with industry and our regional staff to better increase the understanding of 2 how to apply the guidance and doing upgrades under 50.59.

3 And it's my understanding now that many of our licensees 4 are using that guidance to make modifications today, using digital systems in 5 their plants. So to me, I think that's a very positive sign of moving progress 6 in this area.

7 In my previous position at the Nuclear Energy Agency 8 working internationally, I had the opportunity to see how digital systems can 9 be used in both safety-related and non-safety-related applications in nuclear 10 power-plants around the world. I also had the opportunity to engage with 11 many of our international regulatory counterparts to better understand how 12 they address some of the challenges that we'll be talking about to you today.

13 And for sure, common cause failure was a main concern 14 for many of the regulatory bodies and through testing, operating experience, 15 and flexible regulatory approaches, we do see that digital systems are used 16 in nuclear plants and other safety-critical industries around the world today.

17 In listening to the conversation in the industry external 18 panel, I think operating experience is one area that I'd like to further explore 19 with our staff on how we're better incorporating lessons from other industries 20 and other countries into how we're conducting our regulatory reviews.

21 Another takeaway that I had from the international 22 experience was that among many of the nuclear regulators abroad, there's a 23 very positive attitude towards enabling innovative and new technologies in 24 nuclear power-plants, and in fact, there's a growing recognition that new 25 technologies like digital systems can improve plant performance, reliability, 26 and also safety.

80 1 And I think that's particularly relevant if we're looking at 2 nuclear power-plants operating in the longer term, particularly as older 3 equipment and analog systems become harder to find in the supply chain 4 and become more and more obsolete.

5 So turning back to looking at NRC, what I found really 6 interesting was that we have been able to, as you mentioned, Chairman, to 7 make regulatory reviews and decisions for major digital platforms and new 8 reactors like the AP1000, APR1400.

9 We even took an adaptive approach and used a 10 design-specific review standard to look at the digital platform for the NuScale 11 small modular reactor.

12 And in exploring my curiosity about this asymmetry in how 13 we look at digital I&C for new reactors versus operating reactors which, oh, 14 by the way, we're using the same requirements and regulatory guidance, I 15 reached two conclusions.

16 The first was that we have the technical capability and 17 expertise to do these reviews successfully and timely. We can do this and 18 we've shown that we can.

19 And the second conclusion I reached was that with a shift 20 in our mindset and our culture towards innovation and new technologies, I 21 think we can greatly make even more progress on broadening the use of 22 digital systems in nuclear power-plants.

23 As you know, the courses have been set for the merger of 24 NRR and NRO and 2020. In fact, this month we've already made some 25 pre-merger consolidate efforts.

26 We took the digital I&C functions from both offices and

81 1 combined them into one under NRR and the vision for how we're going to 2 look at these reviews of new technologies including digital systems is a 3 vision where we're going to ask ourselves the questions, how can we do this 4 while ensuring safety, rather than why we shouldn't do this?

5 I think that's a real important aspect of this transformation.

6 So, in looking at the journey we've been on with digital I&C, now against the 7 backdrop against the Agency's efforts to transform itself, I really think we 8 have a real opportunity here.

9 The story we want to leave with you today is that we're on 10 a positive trend and I think the more things we can do to be more 11 risk-informed, if we receive direction from the Commission on having more 12 performance-based framework and focusing our efforts on reasonable 13 assurance, I think that's going to help us continue on this positive trend of 14 progress.

15 So with that, Chairman and Commissioner, I'd like to 16 conclude my remarks and turn it over to Eric Benner who will talk to you 17 about the progress we've made on the integrated action plan.

18 Thank you.

19 MR. BENNER: Thank you, Ho. Slide 4, please.

20 Morning, Chairman and Commissioners.

21 The Staff continues to be focused on addressing the most 22 significant regulatory challenges that we've identified through our 23 stakeholder engagement, including engagement with our international 24 counterparts and other domestic regulatory Agencies.

25 Those challenges fall into two broad categories. The first 26 is near-term issues that our stakeholders have identified as impediments to

82 1 implementing digital technologies today and the second is broader 2 modernization improvements that can longer-term make our review efforts 3 more effective, agile, and performance-based for all technologies.

4 So, my slide has some of these particular items, I'm not 5 going to go through the list because Rossnyev, Mike, and Dinesh are going 6 to discuss each of them in more detail.

7 Next slide, please.

8 So, Margie referenced the IEPs, let me provide a brief 9 background. In the SRM to SECY 15-0106, the Commission directed the 10 Staff to develop an integrated strategy to modernize the NRC's digital I&C 11 regulatory infrastructure.

12 The SRM indicated that requirements in this area should 13 be performance-based and technology-neutral and apply to both operating 14 and new reactors but acknowledge that guidance could be tailored to the 15 different communities.

16 The SRM also directed us to hold frequent stakeholder 17 interactions to reach a common understanding of regulatory challenges, 18 priorities, and potential solutions to address them.

19 The Staff developed the IEP to fulfil this direction, which 20 was provided to the Commission in May of 2016 and the Commission 21 approved in October of that year. The Staff periodically updates the IEP to 22 reflect our progress and evolving priorities.

23 Given our recent accomplishments, we're currently 24 finalizing a more extensive re-baselining of the IEP developed with 25 significant input from our stakeholders which we will provide to you next 26 month and which provides more detail to the activities described in SECY

83 1 18-0100.

2 Next slide, please. We've had some recent significant 3 successes which you'll hear about in more detail, but I'd like to set the stage 4 for the mindset changes that enabled those successes and put us on a path 5 to continued success.

6 This gets back to some of what we feel is different today.

7 First, we committed to look hard in the mirror to see how our behaviors were 8 contributing to the challenges identified by our stakeholders.

9 That look revealed that as we implemented requirements and policy 10 in this area, we sometimes introduced additional unnecessary burdens. An 11 example of this was our evaluation of the digital I&C common cause failure 12 policy described in the SRM to SECY 93-0807.

13 So we've heard a little bit here about, wow, the Staff 14 determined that the policy didn't need to be modernized in that Commission 15 paper. And I'd like to change the characterization of that because as we 16 started our evaluation of the policy, we initially focused on whether a policy 17 change was needed.

18 But as we got into the history, we revised our focus to ask 19 the question is the policy truly a barrier to us implementing any proposed 20 regulatory improvements that our stakeholders have challenges us to adopt?

21 22 And with this change in focus, it became clear to us that 23 the existing policy had plenty of flexibility to adopt things like risk-informing 24 other alternative standards and some of the things that were mentioned 25 today, but that our implementation of the policy, as we translated that to our 26 guidance documents, maybe made things more restrictive than they needed

84 1 to be.

2 So, second, we realized that no guidance document, no 3 matter how good, can succeed on its own. And I would extrapolate this to 4 no guidance document, no standard, no rulemaking. None of those are 5 going to be a panacea for any of the challenges we've faced.

6 Rather, for any of those things we do, we have to ensure we have 7 the appropriate companion support network to ensure its success. As we 8 like to past efforts, it was clear that sometimes in a guidance document we 9 devoted a lot of energy in conjunction with stakeholders to develop a good 10 guidance document, and then for whatever reason, that guidance document 11 sat on the shelf for some period of time.

12 When it was picked up to be used, implementation issues 13 were identified, some of the originators were no longer available so we 14 struggled with working through those implementation issues and at the end 15 of the day, the guidance document got billed as a failure.

16 So what we're trying to do differently today is in working 17 with our stakeholders we've identified these priorities, one of the priorities 18 was the risk to better enable 50.59 modifications.

19 We subsequently worked with industry to develop these 20 workshops which we've supported. We've made sure we've had attendance 21 at those workshops from both technical and oversight staff and management 22 from the NRC so that we're all hearing the same questions and answers.

23 We're aligning on regulatory expectations. Now we've 24 seen that seemingly has enabled the use of the risk to do digital 25 modifications so now we have inspection staff who are more plugged in.

26 We're taking all the questions and answers from those

85 1 workshops and those will be filtered into our more detailed training that we 2 do to our inspectors who will be overseeing these 50.59 mods.

3 So we're looking to leverage that same approach as we 4 keep rolling out these new guidance documents.

5 Lastly, we've revisited what information is necessary to 6 make regulatory decisions. So for operating reactors, this most manifested 7 itself in our ongoing revision to ISG-06.

8 And as was talked about by several of the industry 9 stakeholders, the revision we're working on now will provide a regulatory 10 approval sooner than originally and previously anticipated, with the idea that 11 they'll get that regulatory approval before their final design and software 12 development is complete. But it'll lock down the most important attributes 13 that we've relied on to make our regulatory finding and then it'll be primarily 14 the licensee's responsibility in conjunction with oversight of their vendor to 15 convince themselves that the system as designed meets those requirements 16 and will obviously have some amount of oversight of that activity.

17 And as also was mentioned for new reactors, this 18 manifested itself most recently in the use of the design-specific review 19 standard for the NuScale review by which we did identify some higher level 20 safety principles for the I&C review which allowed us to expedite and simplify 21 our technical review.

22 So with that, I'll now turn it over Rossnyev.

23 MS. ALVARADO: Thanks, Eric. Good morning, 24 Chairman and the Commission.

25 I'd like to talk about what we are doing to try to find 26 expectations regarding CCF, common cause failure, but before I do that, I

86 1 think it will be good to set up or provide a little bit of the background of what 2 is a digital system and why we're here and why this is an issue.

3 So digital systems offer many advantages over the existing 4 analog system. The use of digital technology continues to be a key industry 5 strategy for addressing obsolescence and improving plan flexibility and 6 reliability, and therefore, reducing maintenance cost.

7 The Staff recognizes that digital technology can provide 8 many advantages but it also creates the possibility for new vulnerabilities.

9 In particular, there is wide consensus that the potential for 10 non-faults that can be introduced during the design and implementation of 11 the system could result in a common cause failure, which could challenge 12 redundant trains that use identical software or that use shared devices, for 13 example, communication networks.

14 Like analog systems, digital technology cannot be 15 completely tested so software design errors can be present in the system 16 and this will have effects until certain trigger events are present. To 17 manage this uncertainty, licensees generally consider the defense in-depth 18 and ability to cope against common cause failure.

19 I'd like to highlight that common cause failure events are of 20 concern to both safety systems and non-safety systems. So this is not only 21 an issue for safety systems. For non-safety systems, Staff is seeing more 22 aggregation of control functions into one platform or one system.

23 Also, they're using the same platform for different control 24 functions. In this case, a common cause failure of the system could lead to 25 new type of accidents or malfunctions that were not previously analyzed in 26 the plan's safety analysis report.

87 1 For this reason, both stakeholders and Staff recognize that 2 common cause failure is the highest technical priority to resolve for using 3 digital technology.

4 Also, common cause failure due to software underpins 5 many of the regulatory challenges and efforts to use digital technology as we 6 listen to the first panel this morning.

7 For example, I want to provide this example in which 8 industry stakeholders have identified challenges when determining the 9 likelihood of a common cause failure due to software when they perform 10 evaluations under Section 50.59. This is because there is not an accepted 11 method for quantifying the likelihood of a failure. So licensees have to use 12 qualitative assessment.

13 The question is how do you translate those qualitative 14 assessments to answer the questions in 50.59? The Commission's policy 15 to address common cause failure in digital systems is in the Staff record 16 memorandum to SECY 93-0087.

17 The Staff this year completed an evaluation on this 18 Commission's policy and its impact on licensees' activities. This evaluation 19 considered insights derived from the development of the RIS supplement 20 which Mike will describe in detail, significant interactions with industry 21 stakeholders, industry standards, EPRI and NEI documents, as well as other 22 Federal Agency regulations.

23 We also look at the lessons learned from all regulatory 24 reviews. This evaluation led us to the conclusion that common cause failure 25 due to software should be considered.

26 But all regulatory guidance should be improved to be made

88 1 more clear and consistent. The Staff believes that the Commission's 2 direction in the SRM SECY is still adequate.

3 That position provides flexibility for accepting new digital 4 technology and support regulatory modernization activities for near-term 5 improvement, including the use of a graded approach and the use of 6 alternative industry standards.

7 Also, the Staff believe the Commission policy is 8 technology-neutral and allows for the use of risk insight. During our 9 evaluation, we determined that implementation of NRC policy has not been 10 consistent.

11 Eric alluded to this in his talking points, therefore, to 12 improve clarity, consistency and regulatory stability, the Staff identified 13 guiding principles that will be reflected in all common-cause-failure-related 14 regulatory guidance.

15 Our views are summarized in SECY 18-0090 which also 16 includes a brief plan for implementing these guidance principles and the 17 Commission's policy.

18 Next slide, please.

19 This slide summarizes these guiding principles which are 20 described in the SECY paper. In particular, these guiding principles are 21 continue to address potential vulnerabilities to common cause failure, 22 continue to perform diversity and defense in-depth analysis for reactor 23 protection system and engineer system features actuation system to address 24 vulnerabilities to a common cause failure.

25 This analysis can be either a best estimate or a design 26 basis analysis as appropriate. For other systems, we want the licensee to

89 1 continue to use a graded approach for performing a diversity and defense 2 in-depth analysis, which should be commensurate with the safety 3 significance of the system.

4 The next item is to clarify the use of alternative means to 5 address vulnerabilities to common cause failure and the last item that I want 6 to talk about is the use of certain design attributes to address common 7 cause failures.

8 But the use of these design attributes, we consider that 9 they should be commensurate with the safety significance of the system.

10 This proposed guiding principles are meant to ensure consistent application 11 of the Commission's policy as I mentioned before, and they will be used to 12 clarify NRC requirements for addressing vulnerabilities to common cause 13 failure.

14 The RIS supplement that Eric mentioned and that Mike will 15 provide, the detailed description about it, is consistent with these guiding 16 principles. For example, one of the guiding principles is the use of a graded 17 approach.

18 In the RIS, we recognize this but using a graded analysis 19 and the commendation in relationship to the system safety significant to 20 determine the likelihood of our common cause failure.

21 Further, the use of a graded approach will be consistent 22 with the Agency-wide effort for implementing a risk-informed regulatory 23 approach. These guiding principles will be incorporated into Branch 24 Technical Position 7-19 which provides guidance to implement the 25 Commission's policy.

26 And specifically, this BTP provides guidance for performing

90 1 diversity and defense in-depth analysis to demonstrate that vulnerabilities to 2 common-cause failures are addressed.

3 In addition, we will resolve comments provided by 4 stakeholders including industry on the current version of BTP 7-19. In 5 particular, to clarify the scope of applicability, consideration of design 6 features to eliminate common cause failure from further consideration and 7 the overall need for diverse actuation.

8 In addition, we're also going to use these principles to 9 evaluate industry-developed guidance. In particular, NEI is developing NEI 10 16-16 which the title is Guidance for Addressing Digital Common Cause 11 Failure, to provide guidance on using design attributes to reduce the 12 likelihood of a common cause failure or to eliminate common cause failure 13 from further consideration.

14 NEI provided a draft version for the NRC review and 15 potential endorsement, however, NEI's suspended work on this document to 16 focus its resources on the development of the RIS.

17 And because EPRI is revising the design guidance that is 18 incorporated into NEI 16-16, the Staff is ready to resume review of NEI 19 16-16 upon request by NEI.

20 As we address product modernization activities, we expect 21 that other common cause failure questions and challenges will arise.

22 A particular example is with regards to integration and 23 connectivity of I&C systems. The ease of connectivity within digital system 24 architecture makes it easy for a single failure or a common cause failure to 25 occurring within one system to propagate to other systems.

26 This kind of event can create a malfunction or create a

91 1 problem that will prevent the system for recovering for a transient for 2 example, or to mitigate an accident.

3 Some of those systems were previously analyzed as an 4 independent or standalone systems with independent failure consequences 5 but as they get integrated, we don't know how they're going to behave so 6 this is something we need to consider. Consequently, we will evaluate 7 the extent to which the Commission's policy needs to be modernized to 8 address new challenges or support potential changes to all regulatory 9 infrastructure. I will now turn it over to Mike.

10 MR. WATERS: Good morning. The majority of digital 11 upgrades to our operating fleet have been and will be implemented under 10 12 CFR 50.59. This regulation provides conditions under which licensees can 13 make changes about prior NRC approval. Some key criteria in the rule 14 include other proposed changes, increases the likelihood of a malfunction 15 previously evaluated, or creates the possibility of a malfunction with a 16 different result. For digital I&C licensees who have faced past challenges in 17 answering these questions that involve potential common-cause failures.

18 We issued Supplement 1 to RIS 2002-22 in May of 2018 to 19 address this challenge. The RIS primarily addresses auxiliary safety 20 support systems, non-safety systems and replacement of individual 21 components ensured to identify these modifications as higher priority.

22 Supplement 1 to the RIS provides clarification to determine 23 a more likelihood of a common-cause failure is sufficiently low to support a 24 change under 50.59. The quality of assessment approach considers three 25 factors: the design attributes of the system; quality of the design process and 26 any relevant operating history with the proposed system. To support this

92 1 assessment, the supplement also addresses key aspects of the engineering 2 failure analysis to identify CCF vulnerabilities.

3 The completion of the RIS was very challenging, but it was 4 ultimately successful because of significant interactions with industry experts 5 and the use of tabletop workshops to test the practicality of the guidance.

6 As you heard from the panel this morning, industry plans to complete a 7 number of upgrades using the RIS.

8 On a separate track NRC is currently engaging NEI on a 9 proposed Appendix D to NEI 96-07 for 50.59 evaluations. Appendix D is 10 intended to address specific digital technology issues and complement the 11 base guidance in 96-07. It will apply to all types of digital modifications and 12 it contains additional guidance for screening.

13 NEI is currently incorporating NRC comments and 14 observations that we provided in several public meetings. They plan to 15 provide Appendix D to us this December for formal endorsement to 16 Regulatory Guide 1.187.

17 Slide 10, please. Let me now transition to digital I&C 18 licensing. We have made good progress on licensing certification reviews 19 of new digital systems. This slide lists a few examples. We successfully 20 reviewed and licensed the Hope Creek Digital Power Range Neutron 21 Monitoring System. It is now up and running. We've also completed the 22 technical review of the NuScale digital I&C system that's part of the overall 23 digital -- overall design certification process.

24 Staff used an innovative design-specific review standard to 25 emphasize its fundamental design principles. We've also made good 26 progress in digital I&C licensing activities for research and test reactors.

93 1 For example, we've completed the safety evaluation of the license 2 amendment for the Purdue-1 reactor. As shown in the picture, this would 3 be a complete digital modification to all other safety and non-safety systems.

4 We expect to make a determination on the application very soon.

5 We highlight these to note they were continually examining 6 the insights and lessons from both site-specific licensing and the design 7 certification reviews to instill greater efficiency and predictability into our 8 guidance.

9 Slide 11, please. A key example is a revision to staff 10 licensing guidance in ISG-06 to address the near-term needs of the U.S.

11 operating reactor fleet. We expect to finalize the guidance this December.

12 The revision is focused on providing an alternative process for regulatory 13 approval of a major upgrade before a licensee makes a significant 14 investment in the development of the proposed system.

15 We added the alternative review process which shortens 16 review when a licensee uses an improved topical -- approved digital I&C 17 platform. This process is based on a single submittal that includes 18 information on the final system architecture, human system interface and 19 software requirements. It eliminates a license review of the detailed 20 software verification outcomes and factory acceptance testing results.

21 Therefore, our review will have greater focus on licensee software quality 22 assurance planning and oversight of their activities.

23 The staff review process also incorporate the evaluation of 24 fundamental design principles of independence, redundancy, repeatability, 25 and defense-in-depth. These approaches are consistent with the 26 Transformation Team recommendations on use of design principles in our

94 1 guidance and oversight of digital I&C quality.

2 This activity has been successful because of our 3 significant action again of vendor and utility licensing experts. For several 4 months we have dedicated public meetings with the working group to 5 discuss each part of the revamped guidance. We also conducted a tabletop 6 exercise to test the the draft language in the ISG with past examples from 7 past licensing applications.

8 Slide 12, please. So this graphic depicts the difference 9 between the original two-phase licensing submittal process and the new 10 alternative review process. Both will be acceptable approaches in the 11 revised ISG. The blue portion in the middle shows licensing activities aren't 12 -- with respect to typical life cycle development process of a new digital 13 system from design concept to installation. The red line and green line 14 depict NRC's review time -- shorter review time with the alternative review 15 process. As shown, approval would be granted at the time when licensee 16 begins final implementation including software validation and fabrication.

17 The NRC may translate some of these -- some of the 18 licensee's commitments regarding software quality development and vendor 19 oversight into license conditions and subsequent NRC vendor regional 20 inspection oversight will be focused on the final design activities including 21 software quality, factory accepting testing, and site installation.

22 It is important to note that industry is developing guidance 23 for standardizing digital engineering and guidance for developing license 24 applications based on the new alternative review process. While we are not 25 involved in these efforts, we encourage this approach. This can be a very 26 important element in ensuring high-quality applications and contributing to

95 1 the consistency of our reviews for the next set of digital I&C license 2 amendments.

3 I will now turn it over to Dinesh.

4 MR. TANEJA: Thank you, Mike. Good morning, 5 Chairman and Commissioners. Improving our review and oversight of the 6 commercial grade dedication process for digital equipment is another very 7 important area we're working on. The nuclear industry relies on equipment 8 for the majority of the I&C systems. Many vendors often design equipment 9 using non-nuclear international safety standards.

10 Staff is evaluating potential use of third-party safety 11 certification based on an international industry standard to accept 12 commercial grade equipment. In particular, NEI is developing guidance to 13 use safety integrity level certification to supplement the commercial grade 14 dedication of digital equipment.

15 So NEI is developing a guidance document based on EPRI 16 research in this area and they're also working with NUPIC to establish a 17 process for the oversight of these third-party self-certifying entities. NEI will 18 be submitting a guidance based on their work for NRC's approval.

19 Staff believes that this use of third-party certification could 20 establish a streamlined commercial grade dedication process and facilitate 21 expanded use of commercial digital systems in nuclear safety application.

22 Slide 14, please. While working on the activities already 23 described, staff is assessing our regulatory framework to look for innovative 24 ways to address challenges and make broader strategic improvements 25 benefitting all stakeholders.

26 Staff is performing a strategic assessment to identify

96 1 impactful improvements activities consistent with Commission direction in 2 SRM-15-0106 and associated recommendation by the Transformation Team 3 on digital I&C. In doing so the staff will continue to consider the challenges 4 and potential impediments that may be unique to specific digital I&C 5 stakeholder communities.

6 We also continually engage the International Community of 7 Regulators to enhance our regulatory framework. We are working with the 8 international experts within -- through NEA, IAEA to develop consensus 9 standards and guidance based on the best practices.

10 In accordance with the Commission direction, staff 11 developed a design-specific review standard, DSRS, for NuScale design 12 review that is safety-focused and uses risk insights. For the I&C design 13 review the staff took into consideration all the lessons learned during 14 licensing reviews of the new large light water reactor designs and 15 emphasized the review focus on the fundamental I&C design principles of 16 independence, redundancy, predictability and repeatability, and diversity and 17 defense-in-depth.

18 Emphasis was also placed on a simple design that embraces the 19 fundamental I&C design principles to most efficiently and effectively 20 demonstrate compliance with the NRC regulation.

21 Building on these successes and lessons learned from the 22 NuScale I&C design review, staff is embarking on developing design review 23 guidance for the advanced non-light water reactor designs that is consistent 24 with the NRC's principles of good regulation and statutory requirements.

25 And it's performance-based, technology-inclusive, risk-informed, 26 safety-focused and allows for use of reactor design-specific principle design

97 1 criteria.

2 Finally, we continue to look for improved approaches to 3 incorporate risk insights into our decision making on digital I&C for licensing, 4 design certification, and inspections. In support of modernizing the 5 regulatory infrastructure staff has initiated important digital I&C research in 6 the areas of risk-informing licensing, certification and oversight activities, 7 research on technical basis for addressing common-cause failure concerns, 8 and research on use of emergent digital technologies.

9 And to conclude our presentation I'll just turn it back to 10 Margie.

11 MS. DOANE: Okay. So I'll wrap up quickly because I 12 see we're a few minutes over.

13 So I just want to make it clear that digital I&C is a priority, a 14 very high priority for me and for, as you can see the staff, and we recognize 15 the need to bring a risk-informed mind set to these issues and to continue to 16 look for new ways to embrace what the challenges are and to continue to 17 look for new ways to address these issues. We want to enable the use of 18 digital I&C in a manner that protects public health and safety.

19 And then I'd like to just conclude by thanking -- well, first of 20 all, I'd like to thank all of these guys at the table, but also the other staff that 21 have helped me get up to speed as the various perspectives on the 22 Commission, talking about glazed eyes and things like that, you can imagine 23 where I came to this issue. I've been drinking from a fire hose. This is just 24 many issues and they've done a terrific job bringing me up to speed to give 25 me confidence to ask a lot of -- I've been asking a lot of very hard questions, 26 and I'm getting great answers. And I think we'll be able to look at this

98 1 program holistically and continue to make progress.

2 I'd also like to thank the staff of NRR, Research, NRO, the 3 regions, and OGC who have worked diligently on these issues. And with 4 that, we're looking forward to your questions.

5 CHAIRMAN SVINICKI: All right. Thank you. Yes, 6 everyone on the staff panel and all those NRC staff who helped prepare the 7 information you presented today. We'll begin questioning again with 8 Commissioner Baran.

9 COMMISSIONER BARAN: Well, thank you all for your 10 presentations and for all your hard work. I know these are tough issues.

11 Some of my questions at least initially are going to be pretty similar to the 12 ones that I asked on the first panel because I want to hear the staff's views 13 on some of those same issues.

14 You all went into a pretty good amount of detail on these 15 five guidance documents that are being worked on. And I want to get the 16 staff's sense of if those five guidance documents are completed, how far 17 does that get us? Do we see that as effectively resolving the key issues, or 18 is it more of a short-term fix?

19 MR. BENNER: Thank you, Commissioner. I would say 20 that the guidance documents address mainly these key near-term 21 challenges. So opening up the aperture for using 50.59, writing some 22 streamlined licensing guidance. The one area where I think it goes a little 23 further is we are -- once we get the NEI submittal on commercial grade 24 dedication and the adoption of an IEC standard in that area, that goes a little 25 further.

26 So those are key things we need to do. The broader

99 1 activities that were already envisioned in the IEP and some of the things that 2 are envisioned in the rulemaking for transformation do go further because 3 they would further open the aperture for how we would use international 4 standards more broadly. It would go somewhat further in particularly for an 5 advance reactor licensee to start with a much more clean sheet approach.

6 It would better enable that.

7 But I think there are other ways we could do some of that 8 in the near term. But those other things would need to be done. There's 9 still work to be done for if we wanted to adopt the IC standards, if we want to 10 focus more on safety principles, we'll need to do that work. And whether we 11 do that in guidance space or do that in rulemaking space is one of the areas 12 where we would want to engage with stakeholders as to say, like you were 13 asking, what's the best way to sequence some of those activities.

14 COMMISSIONER BARAN: I'm asking that right now in 15 fact. When you're looking at it now, what is the best way to sequence those 16 activities? I mean, I have heard this concern and I can see it that basically 17 right now the staff is focused on these guidance documents. And that if we 18 launch a rulemaking right now, we could lose focus on the progress we're 19 making.

20 Do you share that concern? Are you envisioning initiating 21 a rulemaking in the near term? Is that what you'd like the Commission to 22 decide? Or do you see it being further down the road after we get a sense 23 of how far we've gotten with the guidance documents?

24 MR. BENNER: We wouldn't push a rulemaking near term 25 because I think particularly for this idea of -- I think you've heard from many 26 of the stakeholders and I talked about in what's enabled our success.

100 1 IEEE-603 is a fine standard. Some of our implementation of it has provided 2 challenges. If a licensee or industry or a particular vendor wants to 3 leverage a different standard, particularly one of the IEC standards, there is 4 a built-in provision in the regulations today in 10 CFR 50.55(a) to use an 5 alternative.

6 So given how we're trying to look at these issues, we could 7 open that aperture today without a rulemaking. So from the sequencing 8 standpoint, could it be better to do that way now using that alternative path?

9 And then once we've demonstrated how that could be done, there could be a 10 longer-term rulemaking to really institutionalize that. Sure.

11 So I think we have resources for the strategic initiative that, 12 in all likelihood if we started doing a rulemaking sooner rather than later, we 13 still have resources focused on the near-term guidance documents. It 14 would be more on reshaping and reprioritizing those efforts we were going to 15 do in the broader strategic modernization that we would devote to the 16 rulemaking.

17 COMMISSIONER BARAN: It sounds like Ho might want 18 to chime in. Or maybe it's less in sound and more in appearance. So what 19 I'm trying to figure out is why I'm voting on this transformation paper, one of 20 the recommendations is do a rulemaking end of July and see to set 21 high-level performance criteria rather than bind us to IEEE. And I'm trying 22 to figure out that's before us now.

23 Should I vote to say, yes, let's do a rulemaking. Or should 24 I vote to say let's finish all these guidance documents, see where that gets 25 us, and then decide whether to do a rulemaking. Does the staff have a view 26 about which of those two sequences makes more sense?

101 1 MS. DOANE: Okay. So let me -- yes. Well, and the 2 view is we want to do both. Okay? Because we put this proposal before 3 the Commission and we said this is something that we think would be 4 transformative. So the sequencing of it is I think that we will lose progress 5 on the five guidance documents if we were to say, stop doing this and do 6 this, or if we were to divert resources to do these two separate things.

7 That's exactly right.

8 So what we need to do is if we were to do both, what we 9 would need to do is what we have done is we've put this as the last 10 milestone. And so we see it as a sequencing of already in the existing plan.

11 We see the restructuring as a last milestone. So we see certain things that 12 we're doing that will answer both questions. It would help us inform us how 13 to create these high-level principles that we would put in this rule. But it'll 14 also help us create a more flexible approach to our existing regulatory 15 process. Okay?

16 So some of these things will be done at the same time and 17 already are being done because some things support both efforts, some of 18 the things that you learn. So those aren't the type of things that I'm talking 19 about.

20 But if we were to have something where we just threw out 21 all the rules and we try to come up with these high-level principles, at some 22 point in this journey, and I can't give you an exact, precise place where we 23 would do it. But because a rulemaking takes into consideration, as you 24 know, you have to set up the rulemaking. We would have to think about 25 how we would go about approaching it.

26 And a lot of things that aren't necessary for the technical

102 1 staff itself that are working on these five guidance documents, they wouldn't 2 necessarily have to be engaged. But at some point, you have to integrate 3 the resources so that you have the right people testing your approaches.

4 So the way I would envision a rulemaking is toward the end of this process, 5 okay, in the individual action plan, a step 4 where it is right now, where it's 6 contemplated right now, and taking advantage of what we've already known.

7 But to me, what we had contemplated -- and Dan is here if 8 you want further comments on this. It's throwing this out and it would be --

9 not throwing out. That's not really a good word now that I just said we 10 would build upon it. But it would be really trying to get ourselves to think 11 about an approach in a whole different way.

12 And yes, there are alternatives in 50.55(a). But they're 13 measured against IEEE-603. So you can continue to build flexibilities. But 14 when we put this in the transformation paper, we believed that there was an 15 approach that, like Eric was saying, that would broaden the aperture.

16 So yes, we want a rule. The timing of it would be toward 17 the end of the action plan. And we would not do it in such a way to risk the 18 resource of that.

19 COMMISSIONER BARAN: If the vision of the rule is that 20 it would essentially allow licensees and vendors to use any number of 21 approved standards as long as those standards meet the high-level 22 performance criteria, does the staff foresee any major challenges with that 23 approach? I mean, and Dr. Thomas, for example, in the first panel said, not 24 all standards are created equal. Some standards are good; some 25 standards are not so good.

26 Are we putting ourselves in a position where this kind of

103 1 rule that we would have to have guidance on or affirmatively approve a large 2 number of standards. And would that prove to be challenging or is that not 3 how you envision this going?

4 MR. NIEH: I'll take a crack at that one, Commissioner.

5 So I think in terms of looking at using different standards in the context of a 6 broader rulemaking, to me, I've been trying to myself understand what this 7 rule might look like. In fact, I wrote down a couple ideas down in my mind.

8 Again, I'm not going to share them with you here but of what a performance 9 based high-level rule could look like.

10 And I do think the concept you just described is possible to 11 have, again, a high-level set of performance criteria. And if a standard does 12 meet that, with the right guidance from the staff, I think it's possible to have 13 that type of framework.

14 But what I wanted to point out, I guess, tying back to your 15 other questions as well in terms of what we're doing now. I see what we're 16 doing now is complementary to a broader rulemaking effort should the 17 Commission decide to go down that path.

18 Moreover, if you did go down the path of approving a 19 rulemaking to establish a higher level performance based framework, my 20 feeling is we're still going to need to develop some implementing guidance 21 so the staff can use it and the industry can use it in guiding their work.

22 In terms of the resources, from my perspective here, if 23 there's a demand from the industry to conduct license amendment reviews 24 to do major modifications to their facilities, that's a priority I would see for the 25 operating reactor business line. And we're going to figure out how to do 26 that first.

104 1 And again, as Margie says, we think we can do both. But 2 I would not envision any situation where if I've got a demand for regulatory 3 guidance and activity to introduce more digital systems in nuclear power 4 plants, I would prioritize that over sort of the rulemaking efforts in terms of 5 where am I shifting the technical resources to get the work done.

6 So I think, again, it's possible to do both. I would consider 7 as the director of NRR that real time, real life upgrades using digital systems, 8 that would certainly where I would focus my priority. And at the same time, 9 we'd have to figure out how to continue through the rulemaking process too.

10 COMMISSIONER BARAN: I appreciate that. And I don't 11 want to go too much over my time. But I thought the chairman made a good 12 point about a lot of energy goes to, at NRC, trying to figure out whether we 13 agree with a licensee that they've met a particular code and standard. And 14 that's one of the reasons why we have a lot of guidance, right, to provide 15 clarity to both our reviewers and to licensees or applicants about what do we 16 think is going to be adequate to meet a particular standard.

17 And part of -- and this isn't -- I don't mean this as a 18 negative concept about this concept or the rule. But I wonder whether if 19 folks come in with 20 different standards under a rule, are we in a situation 20 where to make this work in the real world, we've got to do 20 giant guidance 21 document efforts to explain what would satisfy us under any of these 22 standards? And is that going to be really hard?

23 MR. BENNER: Yes, I think our hope would be that 24 because there are a number of different standards out there that people 25 could use. Our hope would be that we could have some engagement with 26 the stakeholders to narrow those things that they would most like to use.

105 1 And you've heard IEC here a lot. There are areas where we agree that the 2 IEC standards are very sound and we could do something to look at that and 3 embrace that it would meet safety standards so that licensees could 4 leverage that.

5 COMMISSIONER BARAN: It's probably manageable.

6 MR. BENNER: Yes. Well, that would be our hope.

7 Truly, if all of a sudden everyone comes in because as you've heard there 8 are standards in FAA, standards in automotive, international standards. So 9 if everyone picked a different one and tried to come in with licensing actions 10 to use all different ones at the same time, that would be an unmanageable 11 situation.

12 MR. NIEH: Just one additional point, sir. This is already 13 happening today in other technical areas, in other regulatory programs. So 14 the concept is in my view not really foreign is I've looked at what other 15 international regulators are looking at in terms of allowing different standards 16 to meet high-level performance criteria.

17 Again, I think about what the chairman said in the external 18 panel about having too much flexibility. That's something we need to be on 19 guard for. But having the right performance criteria, like, what are we really 20 looking for the standard to meet. Then it's on us to do our review to see if 21 the standard does indeed meet that.

22 So to me, I see people are already doing it, maybe not so 23 much in the United States in the nuclear industry. But I think it is done and 24 it's possible.

25 COMMISSIONER BARAN: I've gone well over. Thank 26 you.

106 1 CHAIRMAN SVINICKI: All right. Thank you.

2 Commissioner Burns?

3 COMMISSIONER BURNS: Oh, it is on. Okay. So I still 4 have the veil and I think I'll always have the veil on this issue. So this is 5 how I would characterize what I've heard in some respects is that we see our 6 ability to make progress in this is to be what I'll call a little bit of pretzel 7 twisting. And that is we sort of twist ourselves -- stand there and twist 8 ourselves into a pretzel to be able to make progress because we feel 9 confined by either existing guidance, existing regulations and all that.

10 So the objective might be, and it might be through the 11 transformation paper, to make us standing up straight again and doing it.

12 Now, that's a rough metaphor, analogy, whatever you want to say. But then 13 I hear that in areas like the APR-1400 and NuScale and some of the other 14 things, we sort of made that progress.

15 So if you can, tell me what it is that would make -- what 16 would be the regulatory change you would make that -- how would that 17 regulatory change improve the way we've gotten there today? Now, maybe 18 it eliminates, as I say, the pretzel twisting and the contortions we have to do.

19 But that's what I'm trying to understand here. Because at one level, what I 20 hear is, it's hard, it's hard, it's hard. But we can get there. And anyway, 21 have at it.

22 (Laughter.)

23 MR. TANEJA: Okay. So to answer your question, the 24 DSRS that we did for NuScale, it was a paradigm shift. Same regulation.

25 The only thing that we changed was how we look at these things. The 26 paradigm shift was our current practices are if a design meets regulation

107 1 equals safety.

2 Here what we said was, is the design safe? If the design 3 is safe, then demonstrating regulatory compliance is very easy. So that 4 paradigm shift really streamlined the way that work progressed. It was the 5 applicant embraced the concept so they really came in and they 6 demonstrated how their design was safe. And so the complying with 7 regulation was demonstrated. It was much easier to go around that way.

8 So maybe it is part regulation, the way they are structured.

9 And maybe it's culture, the way we have been practicing how we do our 10 business. So there is some of that was a mindset change and culture 11 change that was helpful in that area. So it's a combination of things.

12 MS. ALVARADO: I just want to add one thing, and maybe 13 this will help you see the pretzel untwist is that we need to really understand.

14 And this we learn as we were working on this, like, the different 15 communities that we need to serve. So for new reactors, we have our 16 regulations, right?

17 So if I'm coming with a new design, I can do anything to 18 meet that regulation, right? Like, if I require you to perform a D3 analysis 19 for all your system, you can do it because you don't need to stop operation, 20 you don't need to change anything. It's a blank sheet. You can start from 21 zero.

22 The problem is for operating reactors is that they have a 23 licensing basis that they need to meet. They have systems that are 24 operating. They have regulations that they need to meet. So for them is 25 where you see all these pretzel twisting trying to -- I want to change this 26 system, but I have to fit in this box that we have set up by the regulation.

108 1 So that's something that has created the flexibility, 2 innovation, transformation that we have seen in the new reactors that maybe 3 we are not there.

4 MR. NIEH: Thank you, Commissioner. D3 is Diversity 5 and Defense-in-Depth just for people following here. To get at your 6 question on what regulatory change is needed, I think Dinesh raised a point 7 that is very near and dear to me because I do feel that the way we're 8 approaching these reviews can significantly have an impact on how much 9 time we're spending and where we end up in the end and how long it takes 10 us to get there. And from my perspective, I think it came up in the external 11 panel the idea of reasonable assurance: trying to find every single ghost in 12 the machine, eliminating all risk.

13 I think from what I've seen in the two months I've started to 14 study this issue to look at how NRO is approached and how NRR is 15 approached is I see that the mindset attribute is pretty significant. So I 16 would not want to let that one fall off the table. And I feel that that falls onto 17 the leadership of the people at the NRC staff in trying to guide this idea of 18 enabling technologies and focusing on reasonable assurance.

19 But in terms of regulatory changes, Commissioner, I think 20 other things that we're moving toward in doing now today are things that we 21 could consider building into our framework such as early engagement with 22 vendors and the industry at the design phase.

23 Again, you heard that before that that's a key element. I 24 see it happening in other areas. Look at what we're doing in accident 25 tolerant fuels. We're engaging with vendors up front, okay, and the 26 licensees that are thinking about using those fuels. Again, that's all to have

109 1 a more efficient review process. And I think we need to apply that 2 philosophy in digital I&C.

3 And as I mentioned in the earlier remarks, I think, again, I 4 don't know if this is rulemaking or not, but leveraging experience from other 5 industries and technologies. I mean, we heard it very clearly this morning 6 that a lot of industries are using these systems. And again, maybe they're 7 not seeing as many common cause failures as we think that are really that 8 likely.

9 So to me, as the director of NRR, I'd like to understand that 10 better and to see to what extent that operating experience could be fed into 11 the knowledge that we're trying to use in making a regulatory decision.

12 COMMISSIONER BURNS: Another question, there's a lot 13 of talk of an old SECY paper which is kind of interesting, SECY-93 -- thank 14 you -- 93-0087. And I got sort of mixed feelings from hearing some of the 15 presentations and I think the staff is trying to, I think, build from it. But I 16 almost got in some of the early presentations, I'll paraphrase Shakespeare, I 17 come here not to praise 93-0087 -- thank you. I come here not to praise 18 93-0087 but to bury it.

19 How would you react to that? I'm just trying to put that in 20 sort of context about where we're going. I'm going to Shakespeare Theater 21 tonight anyway. But I hate to say it. It's a Comedy of Errors which I don't 22 think is appropriate for this meeting. Anyway --

23 (Laughter.)

24 MS. DOANE: Maybe I shouldn't be the one going on top 25 of that, Comedy of Errors. I would tell you that what we are trying to do so 26 that we can get some efficiencies is not rework everything, okay, at this

110 1 point. We're trying to make progress by using what we have and then 2 seeing if it can propel us forward.

3 So the question we were asking about 93-0087 was 4 whether we needed to go to the Commission to get some policy changes so 5 that we could continue working. And that would've slowed us down just 6 because we would've had to write a paper, right? We all would've had to 7 look at this in a different way.

8 So when we say that it works for us, it works enough for 9 us, what we're trying to say is -- and I think Eric did a good job or maybe he 10 might want to say something in addition. What we're trying to say is these 11 basic principles are good. But we have to bring this risk informed mindset, 12 this culture change that is happening at the agency. I'm seeing it in many 13 different areas.

14 We have to bring that to the principles in 93-0087. And 15 we believe that we can, that it allows enough flexibility and it provides the 16 basic framework that we need, that we don't need -- there's no policy issue.

17 That was really the question. Is there a policy issue that needs to be 18 resolved? And we don't see that.

19 So I hope that's -- so it's an answer. It's a "yes" and a 20 "no". It's not -- if we use the same approach we were using in 93, that 21 wouldn't be the right way to go. We know that. But if we use those 22 high-level principles, those five guiding principles and our new mindset, we 23 think that's a good path forward.

24 Eric, did you --

25 MR. BENNER: I would just echo that, that the strict 26 language in the policy provides adequate flexibility and us looking at, okay,

111 1 how can we more risk inform? How can we more use a graded approach?

2 How can we more leverage international standards? We just need to do 3 that. We don't need a change to the policy to enable that.

4 COMMISSIONER BURNS: Okay, okay. Last question 5 I'm going to ask Ho having come back from NEA. And you've noted it a 6 couple times. So who out there would you look to? I mean, we had the 7 example of STUK in terms of their approaches. And I talked to Mr. Scott 8 after the presentation. And it's not just about Olkiluoto. It's about other 9 things they're doing. But maybe if you could give some more perspective 10 on what you're seeing or where you think some of our perhaps learning 11 might come from.

12 MR. NIEH: Thank you, Commissioner. So building on 13 some other comments on the international experience, I still think there are 14 opportunities to learn. It was mentioned in the earlier panel and perhaps 15 briefly on this one too that there are some activities related to digital I&C 16 bringing the international regulators together to look at what frameworks 17 they're using to address common cause, what type of standards they're 18 using.

19 And the playing field is not even in all countries. Some 20 countries have more readily welcomed digitalization. We heard from an 21 external panelist this morning. He was working at Pickering in 1979.

22 Canada, it's interesting. You go north of the border, digital seems okay.

23 You come down here, there's some challenges.

24 So I think learning from those experiences are really good 25 in the case of Finland and Olkiluoto with their APR. The regulator at the 26 time when they made the licensing decision, I guess it was some time ago,

112 1 they did ask for an analog backup system to be installed. But having 2 spoken with the head of the regulatory body more recently, I understand that 3 the Finnish regulator, they've learned a lot more through the operating 4 experience. And they might make a different decision today if faced with 5 the same application.

6 So I think our continued participation in some of these 7 international working groups will help us see the picture better.

8 COMMISSIONER BURNS: Okay. Thanks.

9 CHAIRMAN SVINICKI: Thank you. Commissioner 10 Caputo.

11 COMMISSIONER CAPUTO: Hi. I'm going to start by 12 thanking the staff. I know it takes a lot of time and effort to prepare for this 13 kind of a meeting, particularly for those of us who have our eyes glazed over.

14 So let me just start by paying you the compliment for putting the time and 15 effort into today's meeting that you clearly have.

16 But as I was preparing for the meeting, I read a SRM from 17 a Commission meeting in 2006. And the SRM Commission directed senior 18 managers to; engage industry and establish an NRC project plan with 19 specific milestones and deliverables to address deployment of digital I&C, 20 short term milestones. And the plan should address critical path actions.

21 The long-term objective of the plan should be to establish regulatory 22 requirements, standards, and guidelines as appropriate that allow licensees 23 to implement digital enhancements without undo necessary regulatory 24 burden.

25 Now, to me, this sounds a lot like the guidance that the 26 Commission gave the staff in 15-106, the basis for the current integrated

113 1 action plan that the staff has developed. So being new to the Commission, I 2 obviously have to consider this issue from this new vantage point. But I will 3 also make an observation that I made to the earlier panel.

4 From my previous position working in oversight of the 5 NRC, I saw previous commissioners dedicate significant time, effort, energy, 6 very earnestly believing that they wanted to solve this problem. And 7 likewise, I'm sure previous NRC staff were just as confident that their plans 8 would achieve a successful resolution of the issue. But here we are, 30 9 years into this issue, still meeting.

10 And so given the history here, I find it very hard to believe 11 that this is a matter of resources. I find it difficult to think that this is really 12 an area where we need to be spending a lot of research time because we've 13 clearly been studying this for quite some time. I'm certainly confident we 14 have the skills and expertise to solve this problem if we choose to.

15 So I guess that leads me to a question of leadership.

16 Margie and Ho, you're new to your positions. Do you believe we have the 17 will as an agency to solve this problem?

18 MS. DOANE: So thank you for that question because 19 maybe it's the most important issue that we have to come to grips with 20 because we do have the technical expertise. And I'm going to tell you, like I 21 said -- and I understand where you're coming from. I sat in that seat. And 22 before that, I was in an international position seeing just what Ho is seeing 23 where our international counterparts are making progress on this issue.

24 And I believe that we are different today than we were in 25 2006. And here is the difference that I see all across the agency. We have 26 a transformation mindset, an innovative mindset. And it's being embraced.

114 1 And maybe it was sparked because we had to license to be a good 2 regulator, right? We had to be reliable. We had to be predictable. We 3 had to be efficient. Those are our principles of good regulation, and we did 4 that with new reactors.

5 And we now know that we can bring that new mindset to 6 these old problems and get through it. And I believe that that culture shift 7 was what was missing. So that's part of it. That's part of it. And then I 8 think part of it will be that once you get to that point that when you engage 9 with these communities, you'll start to see some of these challenges as 10 surmountable because we will be able to embrace the risk in a different way.

11 But I will tell you I'm seeing it all throughout my leadership 12 here so far, it's difficult. We are good at putting things in place because we 13 say, oh, there's a safety issue. I'm going to address it. I feel good. I 14 addressed it. It's very difficult for us to then pare back from that. And that's 15 what Eric was talking a little bit about.

16 It's harder for us. I'm just saying as a cultural problem --

17 not a problem but a cultural challenge. It's harder for us to then take things 18 away and convince ourselves that we're too safe. So we did not have this 19 culture shift. We didn't have behind us these new technologies that we 20 have licensed. We didn't have this concerted effort going throughout the 21 agency. And I see this as fundamental.

22 As leaders, we are going to have to continue to press this 23 and make sure that we stay focused, maintain public health and safety, 24 common defense and security. Stay focused but introduce these risk 25 insights and this risk informed mindset. It's always been the goal of the 26 Commission. I absolutely agree with you. What's different now is we're

115 1 really concentrated on the mindset. And we are coming at that with training 2 and tools and really thinking about, how do you really get there. I see that 3 as the difference.

4 Ho, did you --

5 MR. NIEH: To answer your question, yes, I do believe the 6 will is there. As Margie pointed out, there's a leadership issue and then 7 there's also this mindset issue. And that's where the leaders come into play 8 is to help bring the agency into a place where it can fulfill its mission for 9 reasonable assurance of adequate protection and again look at its function 10 in trying to enable these technologies. Because I do feel that we also as a 11 regulator need to look at our role in nuclear.

12 Not in terms of promoting because we don't promote the 13 technology. That's not our job. But if we're doing our jobs in a way that 14 takes nuclear off the table for the private industry and policymakers to see if 15 nuclear is an option going forward in the future, then I would say then we 16 failed because we haven't conducted our control activities in accordance 17 with the Atomic Energy Act to maximize the general welfare of this 18 technology.

19 So kind of looking at things through that lens. And I think 20 again trying to shift this mindset in terms of enabling while it's safe. How 21 can we do this to make sure it's implemented safely? To me, I think this is 22 an important part of the leadership challenge we have at the NRC.

23 COMMISSIONER CAPUTO: So I guess I'll start my next 24 question by saying sometimes it's destination and sometimes it's a journey.

25 In looking forward to the staff's revision of the integrated action plan, is it 26 going to have a defined endpoint and are you confident that we will achieve

116 1 a successful result instead of just progress? Is there an end to this 2 journey?

3 MR. BENNER: Yes. It's not defined in the upcoming 4 revision to the IEP. But Commissioner, myself, I'm somewhat new to this 5 program. And I've been asking that question, what does the end look like?

6 So we do need to have that discussion because we'll always be doing some 7 process improvements. But I think for me a key factor in what will the end 8 look like needs to be more stakeholder engagement because I think it goes 9 back to what Commissioner Baran said.

10 We're doing a lot of stuff at one level. And once that stuff 11 is out and is being used and we're verifying it's being used effectively and 12 there's no implementation issues, that's a time we have to take a hard look 13 at both what's left to do, and that could take the form of a rulemaking or 14 policy change or whatever broader activity, and then what is the endpoint?

15 So I'm sorry to say the endpoint isn't currently defined.

16 But I believe that particularly now that these tactical efforts are nearing 17 completion and we'll get some runtime with them with the industry. That will 18 put us in a much better place to align on what done looks like.

19 COMMISSIONER CAPUTO: Well, I'm a strong believer of 20 beginning with the end in mind. So I'm glad to hear that. I guess the last 21 question I would have is, with the end in mind, once it's defined, how are you 22 going to measure progress in terms of, well, progress and results?

23 MR. NIEH: I'll take a shot at that one. Okay. Because I 24 thinking about what success might look like and how --

25 COMMISSIONER CAPUTO: How do you know you're 26 going to make it.

117 1 MR. NIEH: -- do you know. So I would make one point 2 first that the fact that things are happening in the power plants today under 3 50.59. That, to me, is a step in the right direction. It's a positive trend. So 4 things are happening. That's a good thing.

5 But in terms of what we're looking at here more broadly 6 and what is success for digital I&C and my mind as I was thinking about your 7 question, Commissioner, success would mean to me that we have a level of 8 proficiency in doing DI&C license amendment requests and reviews and 9 digital is not, quote, a special topic anymore. Okay? We're proficient at it.

10 We've got it built into the systems. The licensees, applicants have a 11 framework that they clearly understand. They have a good sense of what 12 the expected review time would be like.

13 So in my mind, as we're developing and doing these things 14 that are making our guidance more clearer, our expectations more clearer, 15 the engagement we're having with the industry. Once we start seeing more 16 licensing activity coming in, I think that's what we're going to need to 17 measure ourselves. Again, are we doing these consistently on time? Are 18 they predictable? Are we looking at different systems that are generally the 19 same and asking a bunch of different questions?

20 So those are the types of things in my mind that I would 21 look at in terms of trying to figure out are we having success? And I do 22 want to point out that we do have some technical work ongoing in NRR with 23 digital systems. We have a number of topical reports that we're looking at.

24 And we've all pointed out at the table today there's things that we've done in 25 the office of new reactors as well.

26 So I think once we start getting more proficient again. If

118 1 the industry has the confidence in us that we do have this new mindset and 2 we do have clearer understanding of the expectations, once we see the 3 increased activity in the licensing work, I think that's what we're going to 4 need to measure.

5 COMMISSIONER CAPUTO: Thank you.

6 CHAIRMAN SVINICKI: Thank you. Commissioner 7 Wright, please proceed.

8 COMMISSIONER WRIGHT: Wow. Thank you, 9 everybody. It's been very interesting, a little deep. And I'm coming away 10 with more questions than I came in with. And Margie, I appreciate the 11 comments you made. And the transformation thing, one of the things I'm 12 struggling with is, what are we transforming to? It just seems like -- I mean, 13 I know we're trying to make progress. And what's the endpoint? I hope it's 14 not 30 years more.

15 We've already heard from the first panel that the industry 16 doesn't really want to be -- the licensee doesn't want to be the first up 17 because of the experience that we heard that Oconee had. And I asked the 18 question earlier how and you've talked to it a little bit a couple of times here 19 already when I was asking about the reasonable assurance of adequate 20 safety versus zero risk.

21 And we heard in the first panel that they felt like it had 22 been leaning more toward zero risk thing looking for the ghosts everywhere.

23 But they did say that the transformation team that was working on this stuff 24 that it seemed like there was some progress being made.

25 Can you speak a little bit more to that, either one of you, 26 anybody really?

119 1 MS. DOANE: Okay. So I'm going to start at the higher 2 level obviously because -- and maybe I'm fortunate in that I don't understand 3 the complexities at the level that these very smart people that are flanking 4 me on both sides have. So I'm coming at it more from a process 5 perspective.

6 But what I will tell you is that I don't think any of us sitting 7 here would say that our approach over the last few decades because, right, 8 the military has been using digital I&C equipment since I heard the '50s. I 9 don't know if that's true, but I hear different things all the time.

10 So we wouldn't defend that some of the approach, while 11 we call it risk informed regulation, that some of our approaches had really 12 been risk informed. Nobody is sitting here defending that. In fact, it's just 13 the opposite.

14 So what the transformation effort is doing is it's trying to --

15 that's right -- it's trying to reeducate the staff at a fundamental level. I don't 16 know if you had an opportunity to see a letter that Fred Brown had sent to 17 his staff and NRO about adequate protection. And just the fundamental 18 rethinking of what adequate protection means versus zero risk. And it's 19 complex to discuss these issues, but we have to continue to do that because 20 that's how we're going to get this shift.

21 And so what you'll hear now very commonly when you 22 come into meetings is you'll hear, okay, before we start this endeavor and 23 we start all this big project and we put all these resources in, what's the risk?

24 And then once we get to that, we start to unpeel what's the action that we 25 should take. And that is very real in this group.

26 So we aren't there from an agency. We're not there. But

120 1 we have a lot of people who already are. And we're continuing to work on 2 these issues, and it takes a different forum and a different presence 3 depending on what the area is. And for something like this which is very 4 complex, many different communities, many different perspectives. You've 5 heard Mr. Thomas, he had a completely different perspective.

6 So I think that when you say, where do we want to be? I 7 was thinking last week, I want to be where the airline industry is. There's all 8 these planes flying around. They're all digital. We're saying, that's where I 9 want to be. But then Mr. Romanski came up today and he said, well, we 10 have some software. Yes, we have this. But then there are these other 11 few items that we haven't cracked the nut yet. And I thought, oh, okay.

12 So what that tells you is you need a framework that not 13 only solves the issues for today but that may be at a high principled level. I 14 don't remember exactly what he said. I think he said that addresses 15 overarching properties and lets us work within that.

16 But on your philosophical question about where are we 17 transforming to. We're transforming to a place where we can be -- we 18 understand. There are new issues coming in from existing licensees, 19 advanced reactors. Now, they have questions from the vendor community.

20 We're transforming to a place where we can answer these questions in a 21 predictable, reliable, and effective and efficient way.

22 Those are all words I'm throwing out. But what I'm trying 23 to create as a vision for you is that we will get more comfortable as we 24 challenge ourselves to really start with this question of, well, where is the risk 25 here? Where is the gap? What are we really trying to fill?

26 We're going to get to that, that high-level vision that we can

121 1 get these very vexing questions, very hard questions in and we can resolve 2 them. And they really do take risk insights into consideration. We make 3 good decisions that maintain public health and safety. But you're right, they 4 aren't directed at zero risk which we know we can't achieve anyway.

5 COMMISSIONER WRIGHT: Do you have anything to add 6 at all, Ho?

7 MR. NIEH: Maybe just one point. I was also going to 8 mention the memo that my colleague, Fred Brown, issued. I thought that 9 was a great memo. In fact, we even talked about that's something that 10 should've gone to both business lines. And so reemphasizing those things 11 were really good.

12 I just would add one point that came up in the early panel 13 about the what ifs and what FAA had talked about is we defined when you 14 stop the testing process. And I think that's what we need to do here, sir, 15 quite frankly is that we can keep asking what if, what if, what if. Okay. I 16 was a former inspector. I mean, my mantra was go out -- they told me to go 17 out and find problems.

18 And I think you can go out and find problems. But not all 19 problems are the same size. And I think that philosophy applies to sort of 20 the what ifs. I mean, you can keep asking what ifs to the nth degree. But 21 some of those what ifs are not going to -- even if you get the answer, it really 22 isn't going to improve the whole safety review process.

23 So I think there's that mindset to say that you know what?

24 What we have is sufficient to make a regulatory decision. There are a few 25 what ifs left of the table. Let's move on from that. Again, that's where the 26 leadership comes in. That's where the first-line supervisor comes in. And

122 1 it's a discipline that we have to apply in the process. It's the same thing with 2 the refocus on backfit. I kind of see if very similar.

3 COMMISSIONER WRIGHT: Yes. Well, and Dinesh had 4 mentioned it and the other technology, the paradigm shift. If it was proved 5 safe, then the rest of it could be done. So I'm hoping that we can get there 6 when the operating reactor side of things because I know that's where it's 7 stuck.

8 I want to go to one other thing. And Eric, while I've got the 9 time left here. On the software side of things, I've heard -- and Dinesh was 10 speaking more of third-party certification in relation to the commercial grade 11 dedication stuff. So when we're looking at third-party verification or 12 certification, would it help in the software part to have third-party certification 13 in the development process of this?

14 MR. BENNER: I think it would. I mean, that's one 15 component of it. I think this whole idea of what level of quality control and 16 quality assurance is necessary is also built in to the certification process.

17 So I think that would be a contributor to giving us -- I mean, you've heard a 18 lot here of we have the standard of reasonable assurance. And you heard a 19 lot of stakeholders talk about adequate confidence.

20 And those obviously aren't the same two phrases. But at 21 the end of the day, that's where the convergence needs to come. Do we 22 have confidence that software was developed in an environment that allows 23 us to say, yes, that's good enough and that allows us to make a reasonable 24 assurance finding.

25 COMMISSIONER WRIGHT: So what do you think we 26 would need to leverage that approach?

123 1 MR. BENNER: Well, right. On the particular aspect of 2 the self-certification being envisioned, EPRI is currently evaluating that. NEI 3 is going to take the results of EPRI's research and make a proposal to the 4 NRC. So we're just waiting for that. Instead of us independently figuring 5 that out, industry has said, here's how we want to approach it. And we've 6 said, wonderful. That's in the IEP with really a placeholder for getting that 7 product and doing a review.

8 But I mean, the staff is pretty energized about that aspect 9 because we agree. There are these vendors making good stuff out there 10 that are doing it under the auspices of IEC. And anything we can do to 11 allow that good stuff to be used by our domestic licensees, we want to try to 12 --

13 COMMISSIONER WRIGHT: Good.

14 MR. BENNER: -- enable that.

15 COMMISSIONER WRIGHT: Okay. Thank you.

16 CHAIRMAN SVINICKI: Well, thank you all again. It's 17 been, I know, a long morning. It's been a really interesting morning. I just 18 want to share a few thoughts on some narrow things and then make some 19 observations. On the break, as we reset between the panels, I had 20 mentioned earlier that the FAA had talked about some sort of staged 21 engagement that they found really useful with vendors of digital 22 technologies. And I compared it to our regulatory engagement process with 23 advanced reactors.

24 I was informed, though, that -- and I want to give the staff 25 credit for this. I was informed that something akin to that does happen in 26 terms of pre-application meetings with the software vendors and the

124 1 designers of these platforms and that there's also topical reports. I think it 2 was mentioned to me but then I thought of that later. So I think we have 3 some surrogate things. So I didn't mean to depict that there was no 4 concept that was akin to this that was happening.

5 Also was commented to me by one of our vendor 6 presenters on the prior panel that it's extremely useful, both of those things, 7 that opportunity for topical reports and the pre-application engagement is 8 something that can really help make success of a much greater probability.

9 I want state that I'm still kind of going back and forth. My 10 colleague, Commissioner Baran, has asked good questions about 11 rulemaking versus what should we prioritize. The human capital aspect of 12 this is we tend to forget. We think that we have legions of people doing this.

13 We don't. The industry doesn't. So we do need to approach that with 14 thoughtfulness. And I don't know that Commissioner Baran got answers 15 that allowed him to take a firm view as he walks away from the meeting 16 either. There's a lot to think about there.

17 I would note, though, that the staff requested a number of 18 years ago to create different centers departing from the kind of office 19 structure and program structure that we have. One of those is the center for 20 rulemaking. And the concept behind that, as I understood it, might align 21 really well with what we've been talking about today. It was, as I 22 understood it, to say, okay, you have deep experts that are going to be the 23 subject matter people on something on which we want to engage a 24 rulemaking process.

25 But they're probably doing other things. They're probably 26 doing day-to-day safety reviews, reviewing topical reports, doing

125 1 pre-application engagement. How could we take the mechanical processes 2 of rulemaking and have a center where people were truly expert in 3 rulemaking itself and they could be kind of harvesting things from the 4 ongoing work of the experts, plugging that in, maybe not doing every 5 provision of a draft rule. But they could be easing some of that for the 6 people who are the pure subject matter experts. And it was kind of a 7 specialization to let some people focus on rulemaking.

8 That may be actually be something that could be a key 9 enabler for us here if we wanted to walk and chew gum at the same time. I 10 didn't want to use that parallel. But if we wanted to at least begin the 11 beginning mechanical stages of a rulemaking to capture whatever are going 12 to be the high-level performance based objectives for the new paradigm 13 shift, we could do that. We could keep the experts focused on completing 14 the other documents and maybe just be extracting the learnings.

15 I think either Ho or Margie talked about, we're going to 16 draw from the guidance work and the other things. And we would put that 17 into a rulemaking. So we may be able to keep some things in parallel and 18 not have to do everything in series.

19 And I just wanted to -- I think -- as I prepared for this 20 meeting, I thought that it may be that the staff, all their hard work of all the 21 years that I've been watching them struggle with a lot of this, they may just 22 be turning the corner. And in some ways, it's the worst possible time to sit 23 in EDO on a Commission and others and we have to opine and all the 24 struggles. And we draw a lot of attention in the rearview mirror, like, where 25 have we been and how hard it was.

26 I share the view of the director of NRR, of the executive

126 1 director for operations. I do see things happening here. Two papers I'm 2 working on right now as the staff has before the Commission, kind of a 3 paradigm shift, new thinking or the recognition that new thinking is possible 4 on physical security for advanced reactors. And I'm not going to remember 5 the SECY numbers of these papers. It doesn't matter.

6 Another one is a concept called functional containment 7 meaning, is there something about new fuels and new reactor designs that 8 would allow us to think very differently about something that is such a 9 touchstone that we do, that concept being containment? Could we think 10 differently about that?

11 So I don't want the staff -- I think it was really valuable for 12 the Commission to focus on digital I&C today. But I see the same kinds of 13 things that when the staff says, we're in a different place today. I see it as 14 well. It's not just this topic or the two I just mentioned. It's a lot of different 15 things that we're doing.

16 And I think the other difficult thing about transformation is 17 that there's this optic that somehow it means that you were wrong before.

18 You were misguided or you had some sort of enlightenment. I think it 19 comes from Alice in Wonderland where she says to the Cheshire cat or 20 somebody. She's like, it's no use talking about yesterday because I'm a 21 different person today than I was yesterday.

22 Because we're all having experiences and we're learning 23 things. And I think at NRC, the concept of continuous improvement may 24 sound a little trite. But it is part of the culture here. And so we can 25 fundamentally look at something differently today. It doesn't mean that the 26 fact that we candidly wrap ourselves in the warm blanket of a lot of our

127 1 prescriptive deterministic types of approaches of the past. As a result, the 2 United States has an amazing nuclear power safety record. So obviously, 3 those efforts were not misguided in every dimension.

4 But that, I'd also note that I think people at NRC are more 5 aware today that the world has not only been changing outside our doors 6 and the nuclear technology, the enterprise, the knowledge base. It's 7 changing at a pace that is quicker. Whether or not -- I came here when 8 NRO, the New Reactors Office, just had been stood up. We were 9 populating that with all kinds of competencies. We were bringing and hiring 10 a lot of people from the outside.

11 We find ourselves in a different place today due to things 12 that are outside of NRC's control. But I think that the merger of NRO and 13 NRR is, of course, a product of the fact that we do not, in the United States, 14 have the kind of nuclear renaissance that we were preparing ourselves for.

15 But whatever the cause of that merger, I think that the 16 result is going to be a further strengthening of our core capabilities. It may 17 be that the reason we're doing it is a changed circumstance outside our 18 doors. But I think when I hear that we're going to be bringing together 19 experts who worked on digital I&C and new reactors and the experts, their 20 colleagues who worked in a different office in the operating reactor venue. I 21 think that we're going to have the reinforcing and the multiplier of bringing 22 them together, and there's going to be a lot of positive, synergistic things that 23 will come from that.

24 They're going to get to compare of why did you come at it 25 that way and I came at it this way. But I think at the end of the day we're 26 going to bring together the experts that we have in these areas. And I think

128 1 it's going to just amplify and strengthen our progress on a lot of different 2 things we're working on.

3 And I'm going to maybe pick on Ho on just one thing. You 4 were mentioning, when do we stop the testing process. I know you're 5 drinking from a fire hose. But could I suggest to you that you look at 6 something called GSI-191 which has also been going on for the entire 7 tenancy of my time here.

8 Now, the inspector general is doing a review of our generic 9 issues program. I suggested that we look at how do we define an issue 10 when we start. Let's begin with the end in mind. When will we have settled 11 the question? If you learn new things along the way, you can always open 12 another generic issue.

13 But we have generic issues in this agency that have 14 decadal time frames. And I think it doesn't serve us well and it doesn't 15 serve us in terms of the confidence that the American public should have in 16 us if we have a question and we can't answer it in 10, 15, or 20 years.

17 I think it reflects inaccurately that we don't have enough 18 knowledge and confidence about what we're doing. That's not true. But it 19 sure is going to look that way when you can't answer a question after all that 20 time. We can't keep redefining the question along the way or we're going to 21 have these very, very prolonged types of open issues.

22 So I think the GSI-191 digital alliance, a lot of these things 23 are transformative paradigm shift is going to bring I think enhanced progress 24 to a lot of things that we're doing. And I think once you kind of step back 25 and the culture changes a little bit and people start having a feeling that they 26 have the freedom to step back and look at what they're working on in a new

129 1 way. I think that you begin to see that you don't have to keep doing all the 2 steps individually because it just becomes sort of an atmospheric and it 3 helps you on a lot of different things.

4 So again, I know that I even began by talking about what a 5 struggle this digital I&C thing has been for NRC. But I'd like to just end with 6 a note that we are -- I think maybe we are at a point where the progress is 7 going to not continue to move linearly on digital I&C. We're going to start 8 having some step change in making progress on issues. I think that's true 9 with other things we're working on.

10 Dan Dorman's name came out a lot because he ended up 11 hearing about his transformation work. We will have as soon as next week 12 a Commission meeting on a lot of the transformative ideas that the staff had 13 but other ideas as well. So we will be taking Dan's name in vain on Monday 14 morning. So tune in if you care to hear about that.

15 But again, I thank staff for all the work we're doing for the 16 progress that I also see that we're making on any number of topics. And I 17 think going forward the Commission hopes that its interest in the matter will 18 be helpful. If there are things that we can do, please be letting us know 19 because I do think that we want to enable your success on this in any way 20 that we can as a Commission.

21 And if there is nothing else from any of my colleagues, with 22 that, we are adjourned. Thank you.

23 (Whereupon, the above-entitled matter went off the record 24 at 12:42 p.m.)