ML18303A390

M181025: Transcript - Commission Briefing on Digital Instrumentation and Control (Public)
Issue date: 10/25/2018
From: NRC/SECY

UNITED STATES NUCLEAR REGULATORY COMMISSION

+ + + + +

BRIEFING ON DIGITAL INSTRUMENTATION AND CONTROL

+ + + + +

THURSDAY, OCTOBER 25, 2018

+ + + + +

ROCKVILLE, MARYLAND

+ + + + +

The Commission met in the Commissioners' Hearing Room at the Nuclear Regulatory Commission, One White Flint North, 11555 Rockville Pike, at 9:00 a.m., Kristine L. Svinicki, Chairman, presiding.

COMMISSION MEMBERS:

KRISTINE L. SVINICKI, Chairman
JEFF BARAN, Commissioner
STEPHEN G. BURNS, Commissioner
ANNIE CAPUTO, Commissioner
DAVID A. WRIGHT, Commissioner

ALSO PRESENT:

ANNETTE VIETTI-COOK, Secretary of the Commission
MARIAN L. ZOBLER, General Counsel

NRC STAFF:

ROSSNYEV ALVARADO, Digital I&C Engineer, NRR
ERIC BENNER, Director, Division of Engineering, NRR
MARGARET DOANE, Executive Director for Operations
HO NIEH, Director, Office of Nuclear Reactor Regulation (NRR)
DINESH TANEJA, Senior Electronics Engineer, NRO
MICHAEL WATERS, Chief, Instrumentation and Control Branch, NRR

ALSO PRESENT:

FRANK NOVAK, Senior Systems Engineer, GE Hitachi Nuclear Energy, Instrumentation and Control Group; Chair, IEEE Nuclear Power Engineering Committee Working Group 6.3
BILL PITESA, Chief Nuclear Officer, Nuclear Energy Institute
GEORGE ROMANSKI, Chief Scientific and Technical Advisor for Aircraft Computer Software, Federal Aviation Administration
CLAYTON SCOTT, Senior Vice President - Deputy, Global I&C Business, Framatome Inc.
DR. JOHN P. THOMAS, Professor, Massachusetts Institute of Technology

P R O C E E D I N G S

(9:02 a.m.)

CHAIRMAN SVINICKI: Good morning, everyone. I call the Commission's meeting to order.

We convene this morning in a public session to discuss the progress of the NRC in implementing the regulatory infrastructure for digital instrumentation and control systems and also to hear from a panel of external stakeholders regarding initiatives in implementing digital I&C in various capacities across the U.S. nuclear enterprise and in other applications. So I welcome all of our panelists here this morning.

I would note, given my long service on the Commission, that I've participated in a number of meetings on the agency's progress on digital instrumentation and control.

I would characterize that over the course of time there has been frustration, I think, on the part of everyone including the NRC staff themselves.

I don't want to use the term defeated but at times I think the complexity of the issue has caused NRC to get, you know, a little bit overwhelmed by it.

But we have - as a commission we have intervened intermittently with direction things we thought would be helpful direction to the agency as it approaches the issue so that we could break through some of the things that were bogging us down.

I think today we will hear from the staff panel about their hard work on the direction that we issued a couple of years ago and I think we will hear from external stakeholders that it's a mixed review.

I think we will get some praise for things that we have been doing recently but that a lot of hard work remains as well.

So I think this is an important meeting and I know that the agency, the Commission, and external stakeholders all share a view that we can continue to move forward and make progress on this issue.

The pace hasn't always been what I as an individual member of the Commission would have liked to have seen.

But this meeting is important and I think the Commission will hear these views and then assess whether or not there is any additional direction that we could provide that would be helpful, maybe any prioritization we could give to the agency's consideration of any open issues.

So I will certainly be listening in that capacity to see if there is any helpful intervention the Commission can make here or any that is necessary today.

Before we hear from our external panel, would any other member of the Commission like to make any opening comments?

Okay. Hearing none, we will begin with a panel of invited external views. We will begin with Mr. Bill Pitesa, who is the chief nuclear officer of the Nuclear Energy Institute, I believe just for a little while now because his successor has been named and he will be returning to Duke.

He's been here as a loaned executive to NEI.

I want to thank you, Bill, for the engagement you've had with NRC on any number of issues and I wish you well as you go home to colleagues and family and also I look forward to working with your successor.

MR. PITESA: Thank you.

CHAIRMAN SVINICKI: And please begin.

MR. PITESA: Thank you. I assume we are going to start the slides.

CHAIRMAN SVINICKI: And if you just - as you need them to switch slides if you'd just say next slide or something they will take care of it in the booth.

Thank you.

MR. PITESA: Perfect. Thank you.

So we will go ahead to the next slide, please.

So, ultimately, digital I&C has been paramount to the future of the nuclear industry and the Transformation SECY actually did a very good job of characterizing the challenges we have seen within the industry.

The current processes are just too cumbersome to incentivize or even allow digital implementation. A compliance-based approach at a component level which the Transformation SECY talked about precludes recognizing the broader benefits of digital controls to overall plant performance.

Simply put, digital is strangling from an absolute certainty or there may be a ghost in the machine mentality versus reasonable assurance.

Personally having lived through the decade-long process of approval and installation of a reactor protection system at Oconee, I've really got firsthand experience on the challenges we have seen.

Next slide, please.

But all evidence still points to digital implementation improving performance and safety, as you can see from these slides. The data shows that when we have analog systems versus digital systems, the digital systems far outperform the analog systems.

Plant transients reduce significantly following implementation of digital controls. Where we have mostly implemented digital controls on the nonsafety-related side, we have seen much better performance by the systems.

The systems are self-diagnostic and constantly monitoring signal inputs and feedback loops to ensure that any questionable inputs are disregarded and/or alarmed.

The Oconee reactor protection system is working magnificently. It was a great installation and this has to be our future when we think of all the things going on in our industry.

Next slide, please.

In this year we have seen progress. As you can see, the digital RIS 2002-22 has eased the uncertainty with a 50.59 common cause failure analysis for low safety significant systems.

So we are very appreciative that this was issued and it's an important step. The ISG-06, an endorsement of NEI 96-07 Appendix D is imminent. We believe it's going to happen this year.

We are looking forward to that, and we are working with EPRI to move additional guidance forward so that third party or commercial grade certifications can move the ball further on common cause failure concerns that we have across the board.

Next slide.

So ongoing industry workshops and NRC participation are using case studies now to clarify available opportunities utilizing the RIS.

We have had training going on at Exelon, at Duke, at other utilities and ultimately it's been very beneficial, and there has been very positive feedback that the NRC has participated - staff has participated in these - not training sessions but workshops.

And these workshops have helped open everybody's eyes to the possibilities with digital that probably aren't being utilized currently.

We plan to use the same format when NEI 96-07 is endorsed and we anticipate that we will see the same positive outcome that we have seen before.

Next slide.

And, of course, this movement is very important right now.

On the slide you can see that there are a large number of areas where the appetite for digital is still out there, and particularly on low safety significant systems like control room instrumentation, recorders, chillers - circuit breakers are a big one for the industry, digital controls, things - I mean, diesel controls, there is an appetite for these low safety significant systems.

But as the bottom bullets show, there is also, we believe, going to be a growing appetite for large digital systems that's really been suppressed for the last five years or so and we think that's going to really be tied to subsequent license renewal with the SLR applications coming in now and we expect almost half of our industry will ultimately submit for a second license, and we think that those companies will make decisions around digital that previously had been considered probably financially challenging.

Next slide.

So you can see here that the total number of folks that we have done some informal surveys within the industry on who is planning on movement with the subsequent license renewal, second license renewal, and you can see it's over half of the existing fleet that we anticipate to apply ultimately.

We were very pleased to see the most recent application being the third application from the industry and we anticipate there will be many more to come.

Next slide, please.

Of course, whenever you talk about digital concerns can be raised about cyber security - what is the cyber vulnerability associated with digital.

And, fundamentally, we maintain one of the most robust and inspected cyber security platforms used with any technology on this planet.

I mean, we have a very robust system. It's a proven approach of isolation and lots of other controls that we have in place.

But overall, we have to stay diligent to make sure that we maintain what I call an unassailable cyber defense with the upgrades in digital that we will be making.

Next slide, please.

Going forward, we are very pleased with the RIS and the proposed interim guidance. But digital really is not across the finish line.

Ultimately, there are some things that we still need to do.

We need to risk inform common cause failures. I think that's very important and absolutely a necessity.

We need to recognize international standards and EPRI studies. We need to incorporate accepted design guides, allow mitigation of effects, and get more approval on the front end of an application than on the back end of an application.

There is too much risk for almost any utility to take if the approvals don't come until the installation is fully installed.

Next slide.

And it's not just technical. I would tell you that digital also has some cultural baggage within our industry. Ultimately, there was a SECY that was issued last month, and I believe Marge is going to speak more to that later in the discussion on digital.

But when that SECY was issued, I think the intentions were appropriate. But ultimately, when it referred back and said essentially that the SECY from '93 was adequate and addressed CCF and things, the industry read it and said, hey, you're saying the world of 25 years ago is a perfectly good world now, and we don't believe that is true.

I don't think that was the intent. But it does create or it does manifest that there is some misunderstanding still going on between staff and the industry and we need to develop a relationship such that there is a level of trust that we have a very common goal, going forward.

I hope we can bring a very fresh perspective and just leave the past challenges where they belong, in the past.

Next slide.

So when you look at the transformation, the recommendations that Dan Dorman's team put together, I think they are very strong.

We absolutely think that we need to implement those recommendations. We need to get rid of outdated guidance. We need to codify the RIS and the ISG. I mean, when you use a term like interim staff guidance, ultimately, it needs to get into a reg guide.

It needs to get into something more permanent that everyone has confidence will last forever, and we absolutely need to allow these internationally accepted standards into our guidance.

Next slide.

So basically moving digital reviews to a risk-informed performance-based approach will enable reasonable assurance but not necessarily absolute certainty. This is a paradigm shift but it's essential and, obviously, it'll take leadership.

When I look at what this leadership team has done both within the staff and the Commission around backfit, I think it set the stage of what can be done to change the culture in an organization, and I think if we use that same kind of impetus then we can make even faster moves with digital.

Last slide, please.

So, in summary, what we really need more than anything else is a tangible, useable, and endorsed guidance that utilities can count on and have a level of confidence that if they follow this path they will have an outcome that can be assured in a way that they will make the necessary financial investments.

That's all I've got. Thank you.

CHAIRMAN SVINICKI: Thank you, Mr. Pitesa.

Next, the Commission will hear from Mr. Frank Novak, who is a senior systems engineer with GE Hitachi Nuclear Energy, Instrumentation and Control Group and he is also chair of the IEEE Nuclear Power Engineering Committee Working Group 6.3.

And although he chairs the IEEE Committee 603 it's my understanding he doesn't strictly speak in that capacity today.

MR. NOVAK: Yes, ma'am. Thank you.

CHAIRMAN SVINICKI: Please proceed, Mr. Novak.

MR. NOVAK: Okay. Well, thank you, Chairman, and thank you, commissioners, for this opportunity to speak on such an important topic.

Next slide, please.

This slide shows my outline that aligns closely with the topics that appear in the agenda except the second major bullet. I included a slide that provides the status of 603.

Next slide, please.

Okay. Slide 3 covers the recent experiences with licensing of digital modifications. GEH provided the same digital safety-related product based on the same approved licensing topical report to various sites in the U.S., some before and some after ISG-06. So we can quantify the impact of ISG-06.

The second bullet to the left describes some of the ways that ISG-06 affected the scope of the amendment request and the graph to the right shows how the review times increased.

Everyone here is aware that licensing digital products became difficult. So I don't think I need to belabor these points.

Instead, I'd just like to highlight what's under the third bullet over to the left about the causes.

First, the increased scrutiny on software development was a major factor. Based on the guidance the licensees had to provide a lot of information about the software development process that we, as their vendor, was going to use and then the NRC reviewers, also based on the guidance, not only had to review that information but also check our adherence to the process and the creative coupling between the project schedule and the licensing schedule.

And it basically ensured the negative outcome that you could not get approval until after the project would otherwise be completely done. So this requires a lot of calendar time and created risk during the projects. I am going to return to this during slide 5.

The second bullet is about the IEEE standards. At least during our experience we did not find that meeting the criteria in the standards caused the licensing difficulties.

I bring this up because SECY 18-16 could lead a leader to believe that the IEEE standards are what caused the difficulty. But we do not find this to be the case.

In fact, we were using basically the same IEEE standards prior to ISG-06 when licensing was not viewed as a major project risk.

After ISG-06 we had to show compliance with some newer versions of the same standards and we also had to show compliance with IEEE 603 instead of 279. But the effort was reasonable.

So based on our experience, it was the scrutiny of the software development, not the IEEE standards that introduced the difficulty.

And the last comment I'd like to make is what appears at the bottom of the slide. We really appreciate what's going on with the initiative to revise ISG-06. We look forward to some positive outcomes and appreciate the sense of urgency.

Next slide, please.

Slide 4 gives the perspective on the staff recommendation to endorse alternatives to IEEE and I think I am basically just going to echo the previous speaker here.

We strongly support the idea. The graphic gives them thoughts on how alternatives could benefit potential users and the graphic draws a distinction between the existing plants in the operating fleet and also new plants.

So for new plants the alternative process could be especially appealing if it becomes unnecessary to create multiple designs and regulatory justification packages.

Vendors could leverage their work in multiple locations and, as a result, there would be efficiency and competitive prices for the licensees and similarly, for the operating fleet down at the component level replacements endorsed alternatives would be very appealing. It could streamline the process for installing high-quality components including those from vendors who currently do not pursue business in the U.S. nuclear market.

So the yellow box in the upper right is about system modifications at operating plants. It is yellow because it could be difficult to justify the cost of the transition to an alternative.

The plants are already familiar with their licensing basis and most of the vendors' approved development processes, as far as I know, are based on the current standards.

Also, I mentioned in the previous slides that we did not see that meeting the IEEE standards was a source of the problem. So a transition to something different would be possible but it would come with cost and risk at least in the initial projects.

So, overall though, we definitely do welcome very much having endorsed alternatives.

There is just a few more bullets under the graphic I'd like to touch on, though we would not expect quality or safety to go up or down because of the alternatives. They are both excellent. Second, when we say it's appealing this presumes that the alternative standards will have clean endorsements.

If they are cumbersome, like the current ones, it's also not going to be easy to use. And the third is since we will continue to use the current process for a while it remains very important to get ISG-06 revised.

Next slide, please.

Slide 5 covers two related topics in digital I&C licensing and the first is right from SECY 18-0060. It has to do with transitioning the review of the software development process out from the NRC I&C branch and into the QA branch.

And if I understand correctly, the software development would be treated more like other aspects of an NRC-approved QA program.

This really could go a long way to remedy the problems that I was discussing earlier with all of the scrutiny on the software development process and the effect on schedule.

It isn't so much who's doing the review but the fact that you're taking it out of the project by project basis to get your software process reviewed and approved.

This could really reduce significantly the schedule pressure that projects feel and also the risk that it might ultimately not get approved.

ISG-06 revision is taking some good steps in this direction so I would encourage the NRC to implement this idea fully and I'd take a page out of what Bill Pitesa said and codify it in something besides an ISG.

Also SECY 18-0060 seemed to describe this as something that's associated with rulemaking and endorsing alternatives. But I would encourage you to disassociate it from those potentially time-consuming initiatives and pursue it in parallel.

The second topic on this slide is about harmonization of standards. The industry is already driving an initiative to close the gaps between IEEE and IEC standards.

We are doing this for the same reasons we would welcome alternatives. Harmonized standards enable leveraging and should lead to more competitive pricing.

Several nuclear standards already are issued with the joint IEEE and IEC logo. I've listed some of them there and others are in progress.

So now that the NRC is considering endorsing alternative standards such as IEC standards, it seems like it would be in their interests also to support harmonization between IEEE and IEC. It should lead to efficiency within the NRC because a single endorsement would apply to both IEEE and IEC.

And this also - this supporting harmonization could begin essentially immediately without waiting for rulemaking or endorsement of alternatives.

Next slide, please.

Okay. Slide 6 provides a status of IEEE 603. We are very close to issuing the next revision. It should bear the year 2018 and get issued.

It addresses the concerns that the NRC communicated to IEEE after the rulemaking effort. So if you do decide to revise the rule, then continue to leave 603 incorporated by reference. At least those issues are not a concern.

We did not address or even consider the issues raised in the SECY because they were not known to us at the time.

Next slide, please.

Okay. In summary, I discussed the recent difficulty with licensing digital - the licensing of digital modifications and, from our perspective, it was not the IEEE standards but it was the scrutiny in the software development process that made it difficult and time consuming.

I discussed the staff recommendation to endorse alternatives such as IEC. I think it's a great idea. It would be a great benefit to the industry especially for new plants and for component-level replacement at our operating plants.

I also urge the NRC to proceed with their own idea to transfer the review of software development into QA and consider supporting standards harmonization.

And finally, I just gave the status of 603. That concludes my presentation and thank you again for the time.

CHAIRMAN SVINICKI: Thank you very much, Mr. Novak.

Next we will hear from Mr. Clayton Scott. Mr. Scott is senior vice president and deputy for global I&C business for Framatome, Inc.

Please proceed, Mr. Scott.

MR. SCOTT: Thank you, Chairman and Commissioners, for allowing me to be here and speak.

I am going to take a little bit of different view on some of this. I know that Bill and company have focused a lot on what we have done on the standards perspective.

I am going to talk a little bit more about technology and what's been done and what we could be doing, et cetera.

Clearly, digital has been used in the nuclear sector for a long time. I came under the Pickering fleet in Canada so in '79, '80s we were using digital systems. So it's nothing new, right.

So a lot of agencies, a lot of industries have a lot of publications. There is a lot of substantiated licensing positions that have already been developed.

A lot of plants are using digital worldwide. Even in the U.S. we are seeing a substantial amount of upgrades, not necessarily on the safety-related side but on the nonsafety-related side.

Next slide, please. Continue.

Just showing a representation. This is just some plants that we recently have completed. One of the things I wanted to point out is that even though we have performed work in these units in China, a lot of that regulatory basis was based off NRC guidance.

Matter of fact, one of the individuals that we worked with at CNNC actually did significant amount of training with the staff. He spent a six-month stint here.

So the view and the respect of what the NRC brings as a guidance perspective is used globally and we seem to struggle here in our own position. So it's a little bit of an interesting aspect. So I just wanted to kind of point that out.

The other thing I think is important and I think we are not really focusing and giving credit to technology.

Technology is very strong and I think, when I listen and I sit on the commissions and the different committees that we have to discuss over the years, there's been a lot of focus on the technology itself and the lack of its performance or the worry of some of its performance. And to me, I think we are missing some of that aspect.

Technology is very strong. Technology is strong in all tech sectors. It doesn't really matter whether it's nuclear or whether it's not nuclear. It's technology.

I think we are missing some of that. We have got - we have got platforms out there that have over billions hours of operation without failure on demand.

So there is a strong basis for us to be focused on what's available. There is significant PRA space with some of the technologies that's being utilized.

So I think we need to move towards more of a risk informed position and maybe not be so focused on what is the - what is the widget able to do or not do.

Next slide.

Okay. Just as an example, not nuclear but, again, focused on technology, Reliance Petroleum is the largest control room operation system in the world. It's 180,000 I/O points.

It's operated with a very small staff but it's very critical systems. Even though it's not a nuclear plant, it's one of the most volatile oil and gas plants in the world and it's been reliant on technology for years.

So it's just - I just think, again, you know, there is a lot of developments. We are not buying - you know, the suppliers that are in this industry are providing products that are satisfactory to other regulatory positions.

They've gone through TUV, SIL4 applications. They are used for safety-related systems in other sectors. So I just think we need to understand that.

Next slide.

Outside the U.S., as Bill mentioned, there is a lot of regulations based on IAEA, IEC, IEEE, NRC guidance all combined. But it seems that we are not necessarily taking the benefit of some of those positions as well and I think we need to look at what's being more globally utilized.

And I know MDEP was looking at harmonizing a lot of regulation. But I think we just need to have a little bit more focus on what's being done elsewhere - how can we apply it here. A little bit more focus.

Common cause failure - it's not common. It's a little play on the words. Sorry. But I understand this has been a very challenging subject over the years.

It seems to be the main technology subject that we seem to focus on a lot of times. But in reality there really hasn't been any significant common cause failure events across different sectors. I mean, there have been some. But it's not something that I think is to the alarm of concern it should be.

I think there is measures that we can be putting in place to mitigate against it that are sufficient. So I think we - I think we need to step back on common cause failure discussion.

There is a lot of diverse technologies in place and how we apply those diverse technologies I think we can satisfy some of those risk mitigations around CCF.

Next slide.

So I think we have done a lot of things. I think Bill has pointed out we have - you know, I think the NRC and the industry we have moved quite a bit in the last few years and that's encouraging.

But I do think we need to figure out a more expedited way to allow for modernization and I think the new guidance should be structured to benefit the technologies so that we can get these systems in because then we can mitigate trips.

We can mitigate entering LCO space. I mean, there is a lot of benefits to having these in the plant. We can reduce surveillances so you're not putting your plant at risk.

You're not putting it in a position where it could potentially trip. So you're actually allowing your plant to be cycled less and put yourself in a much safer operation, from that perspective.

We have got a strong amount of knowledge and design processes that are well advanced. As far as I am concerned, I think a lot of the standards in place are sufficient and are very strong.

I just think that we get diverted sometimes on some of these topics that allow us to derail some of the progress. But I think, overall, we should be focusing on final design, not necessarily trying to have the staff drive detailed design processes. I think we should be looking more at what's the end game and how is it truly going to operate in a safe manner.

Next slide.

Again, I think we talked about it earlier. I think we need more leveraging of different standards practices. We need to incorporate more into the regulatory framework.

Again, I think we should more risk insights into I&C regulations. I think there is a lot of emphasis placed on software life cycle and, you know, I just think, to Frank's point, we need to look at that again.

And I think it's pretty clear in industry that digital is really not the dominant contributor of any failure.

I mean, I think there is - I think if you look at digital systems and the plants that use digital systems you'll find that their operations are very safe and efficiencies are very strong, and the benefits that digital brings to the plant from keeping it in a more reliable operation perspective mitigates any risk of cycling it from an accident perspective. So I think we need to focus on that.

And then the last slide - we clearly need digital. I think with the SLRs, you know, you're expanding a license. You've got to have something that's sustainable.

It's interesting to me when people say digital is out of - you know, you put a digital system in it's immediately obsolete. Well, that's not really the case. I mean, we put digital systems in.

22 Digital systems can stay in for a significant period of time 1

and there is upgrade strategies. There is modernization strategies and they 2

are not significant impacts to the plant.

3 So I really do think that we need to be able to find a 4

framework that allows the industry to have the confidence to come forward 5

and implement the designs.

6 So thank you.

CHAIRMAN SVINICKI: Thank you very much, Mr. Scott, for that presentation.

We will pivot our focus a bit with the next presenter. Our next presenter is Mr. George Romanski, who is chief scientific and technical advisor for aircraft computer software at the Federal Aviation Administration.

He will discuss with us approaches for software reliability in critical safety systems and experiences in the aviation sector.

Thank you very much for being here today, Mr. Romanski.

Please proceed.

MR. ROMANSKI: Thank you.

We have a proud record in that there has been no hull loss due to software in the aviation sector. There might have been plenty of accidents, unfortunately, last year, which wasn't software related, but we have never had a software-related hull loss.

However, we are not complacent. We have various sectors. We have the Part 25, which is the transport planes. We have Part 23, which are the smaller planes. We have unmanned vehicles, which are growing very quickly right now.

We see - so while we have a good record, we have tremendous pressure to try and reduce cost. People are saying it's too expensive to certify software and software safety systems are not being installed on the small aircraft because they are too expensive due to software certification.

So now we have this safety continuum where we have, on one side, the notion that we can install a safety feature on the plane, but it's too expensive under current regulations. So people are leaving it off, and we are trying to address that.

So while keeping the safety record, we are looking at streamlining the software certification process.

The FAA started an initiative about two years ago with a small team, and now growing slightly larger, where we are looking at the essence of certification we call overarching properties, and we know that when developing software we need to understand the intent of the software, we want to understand its correct implementation, and we want to ensure that we have acceptability.

By that I mean that the software doesn't introduce or doesn't introduce - doesn't produce any function which is contrary to - which is unintended and affects the safety.

We are looking at building assurance cases. We have a number of research projects and case studies going on. We are working with Europeans on this.

On the other side, we have EASA, which is our counterpart in Europe, that are looking at the problem differently.

They see a bottom-up approach and they are looking at a definition of an abstraction layer where you extract the essence of certification of software and map that onto existing standards.

Their view is that we know and understand. We trust in the current standards - IEC 61508, ISO 26262 and so on. So why not map to those standards and take the benefits of those and just understand what the essence is and make sure that it's covered.

We need to harmonize so we have started meetings with them and hopefully we will meet somewhere in between. But it's still - we still have a ways to go.

The FAA and EASA are also looking at process harmonization and acceptance. We know that when we go in to audit a project, normally there is so much information in there that our auditors will only sample less than .1 percent of all artifacts produced. It just takes too long to go through everything so we sample.

So we take a very, very small sample and when we take the sample what can we do? We can look at the process plans and see how did you produce this.

Do you have a defined process? Do you have quality assurance records that you follow this process in its entirety? And then we take a small sample.

And if that small sample is perfect, then we have a leap of faith. We believe that if you've produced the rest of the system using the same mechanisms, and we have evidence that you have, and we like the process that you used and the sample is good, we have a leap of faith and assume that the rest of it is to the same quality.

So we are trying to build trust in the applicant in the way we approach applicant approval. We have had a lot of success with what we call integrated modular avionics.

This is the notion that instead of having lots of different computers doing their own separate functions we start building central boxes basically like servers and these servers are certified and these servers will host many different applications.

This has been extremely successful and it is how most of the - actually all of the new transport aircraft are being built and certified.

The idea now is that applicants build applications and they host their applications on a hosted platform. It means that we can isolate what the application does. We can configure how the applications work together. And we can start doing what we call incremental certification.

We certify the host box and we can certify the applications one at a time, and if someone wants to replace an application they replace the application. They don't have to retest the whole box because the whole box has already been approved.

This has been used extremely successfully. It's not moving to the smaller aircraft and it's also moving to some of the larger unmanned vehicles.

Of course, technology moves on. We are looking at distributed IMA systems in the future now and we are doing some research to see if we can have distributed IMA systems in addition.

The last most difficult area that we are studying, of course, is artificial intelligence in neural networks. We find that many of our systems are now based on AI and machine learning.

We have one example where an applicant built a fuel management system - a fuel measurement system. Measuring fuel is quite hard because the fuel sloshes around. The tanks are different shapes around the aircraft.

So the applicant built a system and it worked well. Then they built another system using machine learning using exactly the same models to teach the machine learning algorithm how to measure the fuel.

The resulting system was smaller, faster, and produced better results. We couldn't use it because we don't know how to certify it just yet.

We have a similar example with collision avoidance system where we have an ACAS XU system where we can measure or do collision avoidance systems. System works, performs better. We don't have certification evidence for it.

So we are struggling with this. There are working groups that are working on achieving this but that's our goal for the future.

Thank you.

CHAIRMAN SVINICKI: Thank you very much for that presentation.

For the final presentation for this panel, we will hear from Dr. John Thomas, who is a professor at the Massachusetts Institute of Technology, and he will provide expert views on addressing common cause failure, evolving digital technologies, and perspectives on regulatory acceptance of digital technologies.

Dr. Thomas, please proceed.

DR. THOMAS: Well, thank you.

I am a researcher at MIT. I want to talk about lessons learned across industries in implementing digital I&C.

Next, please.

To solve this problem, we have got to understand the problem that we are solving. That's the biggest issue that I see a lot of misunderstanding about what the problem is.

We have got to understand there are two basic types of accidents and they are both affected by the introduction of digital components.

We have got accidents caused by component failures at the bottom here. Traditionally, this hasn't - this is very well understood, well recognized.

For the engineers in the audience, I am using the engineering definition of failure where a component does not perform - does not operate as specified or does not perform its intended functionality.

Basically, components break. That could cause an accident. We know that. This is under our belt, very well understood. We have very good methods to deal with component failures and component faults and rigorously analyze the system.

There is another type of accident that we should be concerned about. This is a non-failure accident, particularly devious in the system.

Traditionally, 50 years ago it hasn't been a very big problem. But this can occur. It is possible. It happens when every component behaves exactly the way it was designed, exactly the way we required it and exactly the way every one of us intended that component to work, but we still had an accident.

This is particularly devious because it slips through the crack sometimes. Now, 50 years ago this wasn't a very big problem because what happens is systems were not very complex and it worked.

We can basically get these out by inspection.

We can do things like hire smart people, do design reviews. We have subject matter experts do a careful assessment. We do some basic things like a requirements traceability matrix.

But as long as the systems are sufficiently simple, as long as we don't have too much digital I&C we can basically flush these out almost by inspection.

The critical thing is though in every industry that has had an influx in digital components - I understand nuclear is a little behind other industries when it comes to this - what we have seen is a fundamental shift.

Next slide, please.

These two kinds of - sorry, previous - there has been a fundamental shift in the type of accidents that we are seeing. We have gotten so good at the component failure problem virtually all of our methods today are targeted at this problem and do a great job.

But what's happening more and more of these systems are having non-failure accidents, particularly when we have introduction of digital I&C. This is directly related to the complexity of the digital software and computer systems that we are introducing.

This is the problem that we have got to solve if we are going to move forward and this is what other industries have been struggling for a lot longer than we have.

Next slide.

This is very well understood in academia and in industry.

For example, Fred Brooks, the world famous computer scientist, writes the single hardest part of building a computer system is not actually building it.

It is deciding precisely what to build. That is the problem we have got to solve.

Lots of studies have been done in the last 20 years to look at the causes of accidents due to computer digital systems and software and they have found that the vast majority of accidents in these systems have been caused not by a software bug or an error in the logic in the digital system or the system doing something bad but a system that perfectly satisfied the wrong requirements.

It did exactly what we thought it should do and we were wrong. That's the problem.

Go back to the slide, please.

And the last thing that we found is from Daniel Jackson.

He said as is well known, at least in the software engineering community, by far the largest class of problems arises from errors made in the listening, recording, and analysis of requirements.

It is not these software bugs. It is the fact that it did what we told it to do and we were wrong. That's the problem we have got to solve. It's directly related to complexity.

Next slide.

We also get the same thing from Joe Miller. He says - by the way, he's a chairperson for Functional Safety Standard World. We used internationally worldwide in the automotive industry. You cannot buy a car that has not followed this standard. He recently retired.

He said, in my experience requirements are much more important in today's systems than preventing hardware failures. Recalls - safety recalls in modern systems are rarely due to component failures anymore.

Typically, it's due to missed requirements, requirements never verified and missed interaction with the supplier.

This is the future of digital I&C if we are not careful. We should learn from these other industries and what they've found.

The FAA - next slide - has found in their top five list of common pitfalls in the safety analysis is paying more attention to crunching probabilities than to the physics of the problem. This is fundamental, a well learned lesson in this industry.

I think you can spend all day crunching the probabilities but if you made a bad assumption and you don't recognize that you're missing a requirement it's never going to show up in the analysis methods.

That's the problem that we have got to solve. Now the good news is we do have solutions to this. I am going to get there in a moment.

But I think for a moment I need to talk just a moment about nuclear. I've been talking a lot about other industries.

Already we have digital components in the nuclear industry and already with the meager attempts that we have made we have - are seeing the exact same patterns and trends in this industry.

Forgive me, I am going to put on the engineer hat just for a moment. Then I'll come back.

Next slide.

This is a HPCI flow control system that I want to talk about.

I think it's really important to understand the type of problem that we are having.

HPCI, as you know, is a critical system in nuclear power plants that provides emergency water cooling systems. It simply has to work on demand and that's the way it's designed.

By the way, this is a real event. It happened - a real OE in the U.S. I am not going to tell you where it was. I am not going to tell you enough information to figure it out. That's not what matters.

What matters is we have got to understand the problem.

This operator sends a system initiation signal on the right. It comes down, it kicks the blue part, which is the digital upgrade in this system, to start opening valves and you get your emergency cooling. Works great.

Next slide.

One of the considerations when this thing was designed is ramping up the turbine is a concern. If we ramp it up, open the valves too quickly - ramp that thing up too quickly we can cause damage. There is a safety implication.

So on purpose we put protective functions in place in the digital system to make sure that never ever happens. Did a great job with that.

Next slide. Click four times, in fact.

What happened is this thing was implemented on day one, tested, of course, and it worked beautifully.

Now, we have to - these don't get used very often - we have to test them every year. A year later it was tested and we found that there was a flaw in the design of the system that would prevent it from working that nobody had recognized.

On this day there was a rolling start. You see the blue line and the turbines start. Click a couple more times, please - I think three times.

You see - once more - you see the blue line. We had a rolling start. In that situation if you hit the button to do an emergency cooling in a rolling start - and this was what was never conceived - what happened that the system initiation signals that gets sent - what happens is the valves start opening and we hit a trip set point at a thousand RPM. That digital system uses that trip set point - click once more - uses that trip set point to figure out if we are ramping up too quickly. If you hit that trip set point too quickly it says oh no, you're going to cause a problem - we are going to shut down the digital system.

Now, what was never conceived was that this could happen during a rolling start. And so the rolling start meant that we hit this trip set point quicker than usual.

Now, it turns out nothing - there was no problem with the system. It's perfectly fine, perfectly within tolerances. Could have started up just fine. But the digital system didn't know any better because it was never designed with the understanding that there could be a rolling start.

All it was looking for is did we hit the trip set point too quickly. The safety feature that we put in there on purpose was having this unanticipated effect.

Of course, everything I am telling you is not what the operator knew. All the operator knows is I need emergency cooling - I am hitting the button and the digital system comes up and overrides and shuts the thing down.

The operator hits it again, to emergency cooling. This thing tries and the digital system immediately comes up and shuts the thing off, and you try it again and you try it a hundred times, you get the same result because we designed it to work that way every time. But it was a failure of foresight on our part, not a failure of the digital component.

This is the problem that we have that we need to solve if we are going to introduce digital I&C.

Now, I have great news for you. The problem has been solved.

Next slide.

The group at EPRI has done great work on this. There are number of methods. One of them is called STPA, which I am particularly partial to. But EPRI did an experiment about three years ago.

They took an OE - a real OE in a real system with real complexity of things that this - the exact example. Gave it to a couple students. Didn't tell them what the problem was.

Just gave them a basic description of the system and wanted to test whether this method could uncover the flaw early and in fact it did. A couple of students with virtually no experience in less than a week working part time found it.

Next slide. Click twice.

Pinpointed exactly this flaw. Very little work needed. So this is great news. We have solutions to this problem.

Next slide.

And here's some other standards that also solved this that has been introduced in other industries we should take a look at. You can see STPA is particularly popular. As I've said, I am very partial to that but it's not the only method out there.

Look, here's the bottom line. If you didn't hear anything I just said, listen to this. The danger in the path forward is - the problem is that we have got a number - everybody's got a method and they've got a proposal to fix this problem.

We have got to do a proper test. Good news is there are some solutions out there already that are working, that are tested and being adopted in other industries.

The bad news is there are lots of proposals being made that have never been tested and that, frankly, do not work. We have got to do a proper test.

What does a proper test look like of these methods before we make any recommendation of policy or standard, right?

Well, this has been done in other industries and we should follow EPRI's lead. What a proper test is not is we do not take a problem in hindsight and stuff it into a fault tree and say look, our existing process already works - there it is.

You do not take it and stuff it into a CCF and you don't take it and stuff it into an STPA in hindsight because we do not have a problem.

We are writing things down in hindsight. We have a fundamental problem of foresight.

That's the nature of the problem. We have got to do a proper test and we have got to take a couple of engineers who don't know what the problem is.

We have got to see if they can learn and use the method.

You can have the best method in the world but if it's not - and presented by people with impressive credentials from MIT - but if it's the best method in the world and people can't learn it and can't use it it's useless.

So we have got to take real engineers. We have got a rich set of OE in this industry of things that have already slipped through the cracks that we know are not being caught and have undergone all the processes that we have - take engineers, try these methods and we will find out very quickly, I think, what works and what doesn't work and that needs to be the basis for the policy and recommendations of standards that we produce.

EPRI has done great work. As I've said, we need to follow their lead, in my opinion. I am not against technology at all. In fact, I am completely in line with what has been said.

We need to make risk informed decisions and the risk is if we don't make an informed decision we have just employed a method - a crazy proposal. Just change the semantics. Just redefine the word failure and then the existing method is going to work.

No, we need to do a proper test and find out what works and what doesn't, in my opinion.

Thank you.

CHAIRMAN SVINICKI: Thank you very much, Dr. Thomas, and thank you to all the presenters. I think it was very interesting presentations today.

As is the practice of our Commission, we rotate to the order of recognition for questions and we begin today with Commissioner Baran.

Please proceed.

COMMISSIONER BARAN: Thank you all for being here.

We really appreciate it.

As a few of you referred to in your presentations, as part of that staff's transformation initiative the staff recommended moving away from the IEEE standards and initiating a rulemaking to define high level of performance-based digital instrumentation and control safety design principles.

Initially, I saw digital I&C as a strong candidate for taking a whole new approach from what we have been doing because it has proven to be so challenging in this regulatory area.

But recently I've had several stakeholders express their concern that a rulemaking could shift focus away from the current efforts to improve key guidance documents just when significant progress is being made on them.

I think slide 4 - Bill's presentation - provides a pretty good overview of these efforts. It has the six of them there.

All my questions are for anyone on the panel who wants to express a view, and my first question is do you share this concern that I've been hearing from some about losing momentum on the guidance updates if we initiate a rulemaking in the near term.

Do folks have thoughts about that?

MR. NOVAK: Yes, I'll talk to that. That's actually one of the things I was - maybe I didn't articulate it clearly, but I am concerned that if there is a lot of emphasis on the rulemaking and all this, you know, the rulemaking endorsing alternatives, that the other stuff is going to sort of die on the vines and, you know, I said it's going to be very important to get ISG-06 out and get some - get some run time with that.

So yes, I think we need to keep - you know, keep making the existing process better while we are trying to develop something that's completely different is what I would say.

COMMISSIONER BARAN: Do others have thoughts about that?

MR. SCOTT: I agree.

COMMISSIONER BARAN: You agree? Okay.

MR. PITESA: The piece I would just echo, again, is as we move forward with ISG-06 and moving the approval to earlier in the process versus later in the process but also reflect back, because I am not sure I am the technical person to address all aspects of your question, but at the same time what we can do more with international standards and looking at how our standards compare to those.

The experience we had at Oconee particularly was we had - we used technology that had been really accepted all over the world except here and then we modified that program to the extent that it became untenable to almost - to install.

And so I think we have to be so careful on the path forward with regulation that ultimately it leads to a better outcome and doesn't have the unintended consequences.

COMMISSIONER BARAN: Part of what I am trying to figure out is when I look at the list of these guidance document efforts, trying to unpack that a little bit and understand if all five of these on the - you know, this transforming culture - to put that aside for a minute and look at the five guidance document efforts - if these five were all completed, do we think that effectively resolves the key issues or does that provide the regulatory certainty the licensees are looking for to do an upgrade or do we see those guidance documents as more of a short-term fix?

MR. ROMANSKI: In our experience, technology moves too fast. While we had DO-178C, which is our guiding document for a long time, we upgraded it.

It took seven years to update it to DO-178C and we produced four supplements - you know, one to cover model based, one to cover object oriented and one to cover former methods, and as new proposals for additional standards or additional supplements to cover technology that is coming up. So technology moves and we need supplements to keep going. Not rewrite what we have but make it additional.

COMMISSIONER BARAN: Do others have thoughts about this - about whether these - you know, is this the - are all the effort being expended on these guidance documents, here everyone is saying it's very valuable.

I am trying to understand how valuable is it? Is it - is it basically going to solve the problem or is it - it's a Band-Aid?

MR. NOVAK: I would say it is very valuable but you still would want to go ahead with endorsing alternatives and so forth. I would look at it as not the end - the end solution.

I look at it as making digital more viable in the near term as the way I would look at the current initiatives.

COMMISSIONER BARAN: Okay.

MR. PITESA: And I would echo the exact same thing. I believe all aspects of what you see here are going to be principally under the control of the staff.

But if you look at the transformation papers some of the additional activities that are being discussed there under Dan Dorman's paper indicate that we have just got to advance further on the acceptance of more standards and international standards that have such an amount of run time that we just don't have here in the states.

MR. SCOTT: The other thing too is that bringing in that harmonization across that helps the supply chain, right, because the supply chain - if they can - if they can satisfy to something that is more consistent then you have less risk of differentiation on platforms.

COMMISSIONER BARAN: One of the things I am trying to think through is the sequencing of all this and when it makes sense to make a decision about whether to initiate a rulemaking.

One option is all these efforts are going on and we decide now we are going to initiate a rulemaking but not actually do the rulemaking in the short term.

That strikes me as somewhat odd but I guess we could do it. Another approach would be we focus on completing these guidance documents. We see how far that gets us and then we make a decision about whether to proceed with the rulemaking and what the rulemaking would look like.

Do folks have views about kind of the sequencing of how we would address these things?

DR. THOMAS: I've got a very strong view.

COMMISSIONER BARAN: Yeah.

DR. THOMAS: I think baked into this process that we need to include some kind of test and evaluation to see if it really works.

I don't know all the details. Maybe someone here could tell me. But typically these things get put into practice either based on expert opinion or by arguing that it will work.

We need to do an evaluation. We need test it. We have a really rich set of OE - of things that went wrong that nobody anticipated and whatever we propose we need to have real evidence. Not an opinion, we need to have evidence.

I think it's very easy to do but it's often not included to collect that evidence. We need something to collect that evidence and try them.

COMMISSIONER BARAN: Thanks.

Other thoughts on sequencing and - or not so much?

MR. PITESA: I think it's a great question and I was just reaching to a friend in the audience, Dan Dorman.

But, ultimately, on - I think the next panel's going to maybe have the opportunity to discuss this a little bit more on the intricacies of what this will provide versus what rulemaking will provide.

COMMISSIONER BARAN: Part of what I am trying to do is peer into the future a little bit and imagine a world where over the next couple of years we make very good progress on these guidance documents and they end up being good guidance documents and they provide both applicants, licensees, and the staff with a clear path about how do we make sure digital upgrades have a framework that ensures safety but provides people regulatory certainty.

And if you kind of think for a moment, okay, let's say we achieve that goal, part of me does have a hard time imagining someone wanting to be first in line for then adopting a whole new system - you know, to me that first application under a whole new system under a new rulemaking.

Maybe if it's, you know, a purely voluntary thing and we are contemplating different standards someone would want to give up the certainty that has been obtained over those years.

But given the struggles we have had, I wonder whether that would really happen.

Do people have thoughts about that?

MR. PITESA: You know, I think the reality is, speaking from a utility perspective, no one wants to be first in line, particularly on things like this.

We experienced that with Oconee and it was very, very challenging. So I think we are going to be looking at international implementation that's been going on, new reactor implementation, and, you know, what has Vogtle installed, how well is it doing, and I think that operating experience will give the confidence to consider implementation.

And so ultimately what we have got to agree to is things that are used in advanced nuclear, in other plants in other countries that we can look at that operating experience and say this is tangible, it's real.

We know about what cost is and when we bring it to the United States it's not going to explode in cost in ways that we have seen in the past, and I think that will be very important.

But I don't necessarily know that we - that the existing operating fleet is going to be the very first in line for absolute new aspects.

COMMISSIONER BARAN: I was - I read the staff's Transformation paper I think the same way Mr. Novak did in terms of saying the staff's view was that the IEEE standard is too prescriptive and that's causing a lot of problems.

You've kind of expressed a different view, which is maybe it's more the guidance in what the - not so much the standard itself but the staff's kind of approach under the guidance that's created.

Do folks have a view about that? I mean, if we are kind of looking at what's the - what's the challenge here, is it something about the IEEE standard itself? Is it the staff's guidance being too prescriptive?

What's gone wrong?

MR. NOVAK: Yeah. Well, the modification that we did was much more narrow than something like our reactor protection system.

So maybe that is something take into consideration.

But no, we definitely did not see the standards themselves.

You know, I did mention on one of the slides that, you know, looking for clean endorsements on the - you know, these other - whatever these alternatives are, IEC or whatever, for example, not taking exception to the standards in - you know, when the reg guides are written not taking exceptions would be helpful so that you're not changing should to shall and things like that.

And also I would say a less rigid attachment to the - to specific versions of the standards would help. You know, a new standard comes out and people design things to the new standard and then - but you've got to go back and show how it complies with an old version because that's the one that happens to be endorsed.

It does get cumbersome trying to show all of that.

COMMISSIONER BARAN: Well, so what I glean from this is for the folks who are kind of knee deep in this on the nuclear side you do think there is some value in doing a rule. Not clear when but, you know, doing something more transformative here.

And it sounds like the basic vision for that rule in your mind is a rule that allows a licensee to use any one of a number of established standards in this area rather than just the IEEE standard.

Is that the basic vision for the rule you're -

MR. NOVAK: Yes.

COMMISSIONER BARAN: Okay.

MR. NOVAK: Flexibility.

DR. THOMAS: That's what's usually done in other industries.

COMMISSIONER BARAN: Okay.

MR. PITESA: And I think we are very hopeful around what ISG-06 is going to say. We don't know for sure what it's going to say and I think that's creating some of the hesitation.

But moving the approval to earlier in the process is going to be a game changer, I think, for the industry.

When I think back on Oconee, we were - we had probably already spent over $100 million and still didn't have approval to say, you can install this widget, and because we weren't checking all the software until the end of the process and we were incredibly concerned that we had gone out on a limb too far.

And there was a serious discussion of, even at that point, cutting it off because without that early approval you had zero confidence you're going to get to an outcome.

COMMISSIONER BARAN: Okay.

MR. NOVAK: Utilities need to have that confidence. Otherwise, they are not going to step forward.

COMMISSIONER BARAN: Thank you very much.

CHAIRMAN SVINICKI: Thank you, Commissioner Baran. Next, we will recognize Commissioner Burns. Please proceed.

COMMISSIONER BURNS: Thank you, and thank you all for being here and for the presentations.

It's interesting. I think this is maybe not as many as Chairman Svinicki but in some capacity, either sitting in that seat or here or there, you know, I've heard the digital thing and I tell you, every time I hear it it's, like - and again, because I am not a technical person, a theme I've emphasized a number of times - but it becomes sort of a veil over my eyes that says what the heck have we been doing for whatever.

And I know we should move forward but there are sort of glimmers of hope for my understanding in what you've - what you've said today.

One of the things just maybe to build off of what Bill Pitesa just said and also, I think, Mr. Novak said, this looking at how the staff approaches it - that this - and maybe you can help me out - understand that better.

So what I seem to hear both from Mr. Novak and Mr. Pitesa is that the focus on the software is something that pushes out so, oh, all right, we got to be there - you got to be able - ready to turn on your machine at the very end, and that focus versus maybe a quality - and I think, Mr. Novak, you mentioned a quality assurance focus would help.

But help me understand what - how that - how the problem - what the problem looks like in that way if I - if I've been clear at all in terms of my question.

MR. PITESA: Let me start, and I am going to use the anecdotal Oconee example.

So we had completely brought all the equipment on site and everything and started working through our factory acceptance testing, and at that point is when really in the process the software was being reviewed.

So many things were being reviewed that we thought we were going to be able to install it in a subsequent outage. We ended up having to delay it one if not two outages because of the review time that was still needed.

We had a hard time with a vendor on whose cost is this of just sitting here with this product just sitting on the shelf waiting. And I think so much of that was available earlier in the process and if there had been more acceptance of this followed a level of standards and our QA program verified those standards that we could have probably been much more seamless in our installation at that point.

COMMISSIONER BURNS: Okay. Mr. Novak.

MR. NOVAK: Yes, I would sort of echo what he said. If you could picture, you know, you get to a point in the project where you've manufactured the system - you know, the vendor has tested it, you've tested it, did the acceptance test.

And then, you know, then the reviewer is following the guidance, reviewed the software process that had been used all along and that takes - you know, can take about a year or so to do that and get the final approval.

So now, you know, it's a full year after the system is complete before you can install it and everyone wants to have, you know, sometime in between approval and getting into their design change package and so forth.

So it definitely pushes things out - a refueling outage typically. And so I think it would help, you know, that if the review - if you're reviewing as sort of a periodic ongoing QA type of activity, I am not saying make it easier but just make it - just do it differently and not tie it so closely to the individual project.

You know, we are using the projects as the context to approve the software development and that - then that - it just makes it necessary. If that's the approach that it's really necessary that the approval is going to come very late and it's really - it makes it very expensive and the perceived risk that you're going to get there and a year after the system is built and tested and everyone's ready to install it that something comes up and you got to go back and rework a whole bunch of things and, you know, add a few more years, it just - it's a very large perceived risk.

COMMISSIONER BURNS: Dr. Thomas, does this kind of get to your point - I don't know if it does or not - about if you're so focused on - if you're so focused on the software but you're not focused on what the outcomes you're looking for - I don't know. I am just trying -

DR. THOMAS: Yeah, it's a tricky problem because the challenge we have in building a digital system or building a computer system with software it's not actually understanding the software.

Software folks are brilliant at understanding the software. The problem is they don't understand the rest of the system. And the same thing is true for the hardware engineers and for the other engineers.

So we need - this is what we have systems engineering for. I think it's very slow to be adopted in the nuclear industry. But in the FAA, in aviation and in automotive and other industries they have been much quicker to adopt system engineering.

I think that's the solution. We need - we need methods that don't just apply to component failures, don't just apply to software, don't just apply to digital, or non-digital systems.

We need an overarching method that can handle the interactions between all these because the interactions are what get you.

COMMISSIONER BURNS: Yeah. Yeah. Mr. Romanski.

MR. ROMANSKI: It kind of blows my mind a system can be developed and then submitted for review. On FAA project - on a project by project basis we have four what we call stages of involvement - the start of the project before the software is developed you develop the plans - the process you're going to use to develop and verify your application.

That is submitted for approval and it's at that stage you then say yeah, this works or no, you have to change this a little bit.

Then later on we are halfway through the requirement process and we submit 50 percent of the requirements and the code, and then the auditors look at this and said yeah, this looks good - if you carry on like this we should be okay or no, you need to make some adjustment.

We do the same thing when you're halfway through the testing. By the time you've finished the project, the processes you've been following and the mechanisms that you've been using should be sound.

So the approval should be a foregone conclusion. There should be little risk.

COMMISSIONER BURNS: Okay. Mr. Scott.

MR. SCOTT: That's a very similar process that we are experiencing in Finland or that we have experienced in Finland with STUK.

COMMISSIONER BURNS: With STUK?

MR. SCOTT: Yeah. So they follow a very similar process. So by the time you actually get ready to implement all of that's pretty much done and reviewed and ready to go.

So it's fundamentally similar.

COMMISSIONER BURNS: Yeah. And for those who don't know, STUK - the reference to STUK it's the Finnish regulator - the nuclear regulator.

Thanks, Mr. Scott.

Bill, did you want to say one more thing?

MR. PITESA: Yeah, I was just going to echo what Mr. Romanski was talking earlier about - through the QA process achieving confidence in your processes and then doing some limited sampling.

That really resonated with me because I think right now it takes a difference between what I view as absolute certainty which is review every line of code which is review every aspect of the modification versus look at the processes being used and create a level of confidence, and I think that confidence should resonate with us as reasonable assurance.

COMMISSIONER BURNS: And the other thing, and this is one I actually - I step back and I will - I may embarrass myself - well, why don't you know that, Mr. Burns.

But I am sort of a little bit at a loss, and make sure I understand - what's the disharmony between being able to rely on something other than the IEEE standard? So the recognition within our system at this point.

I guess I didn't really fully appreciate that, and again, because I understand fully the ability to look to other standards. I mean, this is much - you know, I started the agency 40 years ago - this is a much more internationally driven industry in terms of supply chain and things like that than it was even back then, you know, in terms of operation and all that - all those types of things.

So that's why I am having a little bit - I am trying to understand what's the hurdle, the wall, we have to crawl over here and the difficulty?

Mr. Novak.

MR. NOVAK: You know, right now, as I am sure you're aware, IEEE 603 is incorporated by reference in the rule -

COMMISSIONER BURNS: Yeah.

MR. NOVAK: - and then so all of the - the whole - you know, how do you meet this, you know, in the reg guides is all - it's all lined up with IEEE. I mean -

COMMISSIONER BURNS: So I - yeah, I didn't mean to - so otherwise if you're going to deviate from that you're going to have to get an exemption or something like that.

MR. NOVAK: Exactly. Yes.

COMMISSIONER BURNS: Mr. Scott.

MR. SCOTT: Yeah. I mean, NRC guidance has been predominantly IEEE driven. That's historical.

COMMISSIONER BURNS: Yeah.

MR. SCOTT: And within recent years they started to look at some of the IEC standards as part of some of the IEEE associations.

And then as standards in the industry we are looking at dual coding standards, right, so that we can have, you know, the dual label on IEEE and IEC.

But, unfortunately, that takes - the process to get - it takes a long time to get those things mixed together.

But I just think that there is just been this fundamental DNA that it's an IEEE-based driven regulatory premise that we just need acceleration or openness to see how much more we can pull in from the other standard bases.

COMMISSIONER BURNS: All right. Mr. - Dr. Thomas.

DR. THOMAS: There are lots of IEEE standards. I just looked up the one you referenced, IEEE 603 - it appears to establish criteria - single failure criterion for digital systems. I mean, I am not going to say it's a bad standard. We should do all that stuff.

But I am not convinced that that's the core problem that we have. The core problem is about the requirements about what should the behavior of the digital system be.

There is lots of effort and standards about what's called verification, which is making real sure that it absolutely meets the requirements we wrote.

We kind of have that under our belt. There are many, many standards that do a good job with that. But what we need to get a handle on is that's not good enough.

Making sure it does what we wrote is not good enough. We have got to make sure what we wrote is right. That's called validation. That's very much - it's not just a digital problem. It's not a checklist problem. It's a problem of - it's a lack of foresight, like I was saying.

So we need - I think we need to go outside that standard and identify methods of getting the requirements right - getting a really robust process - and they exist out there but I don't think they are in that particular standard.

COMMISSIONER BURNS: All right. Thank you very much. Thank you, Chairman.

CHAIRMAN SVINICKI: Thank you very much. Next we will hear from Commissioner Caputo. Please proceed.

COMMISSIONER CAPUTO: Thank you.

I'll start by associating myself with my colleague's remarks about just the duration of this issue - the frustration and struggling with this issue.

Commissioner Burns, your eyes may glaze over. So do mine, and I am a technical person. I think, particularly as a new commissioner, it's a challenge to dive into this issue because it's a 30-year history. All the questions have probably been asked before. I shouldn't even say probably. We have been at this a long time.

So predecessors that have sat in these chairs have wrestled with this issue before and so it's a challenge for me. So my questions, I am sure, are not original. But I think in tackling this issue, for me, I need to begin with what's important here - why is it important that we pursue digital I&C - why is it important for the agency to reach beyond its comfort zone with analog and wrestle with this issue.

So in that vein, Mr. Scott, Mr. Pitesa had a slide that was pretty compelling about digital being more dependable than analog and posing fewer plant challenges which can be interpreted that digital is safer.

Can you describe in more detail some additional examples of how digital I&C can improve safety?

MR. SCOTT: Okay. So it's a good question.

So I am not going to completely say that analog isn't supporting safety. I think analog, as it operates, is a sufficient product.

Digital is just as sufficient but it also brings the ability to add multiple layers of safety protection into your system whereas in analog you can't necessarily have dual redundancy or triplication, et cetera.

So you can design -

COMMISSIONER CAPUTO: So would offer some defense in depth?

MR. SCOTT: Yes. So you can offer a lot more defense in depth for the digital system versus an analog system.

The biggest issue, I think, is that digital offers a lot of benefits that can improve the operation of the plant to keep it more stable. But the biggest challenge with analog is it's a component issue of being able to get at the supply chain. That's the challenge.

I mean, when we look at getting components you've got two parts - A, finding the component is a challenge. The second part is finding engineers that understand how to do critical characteristics of the component that you find when you want to go and upgrade your analog system.

We support an analog system. We have been supporting it for 40 years, and we are getting to the point now where it's very difficult for us to find components with that product - you know, transistor material that's even fabricated - and then when we go to make a change on those particular cards finding people that understand how to do those characteristic analysis is a challenge.

So it's a sustainability issue as well as yes, it's a performance and you can do defense in depth and et cetera. But, really, there is a sustainability issue around analog versus digital.

COMMISSIONER CAPUTO: Well, that's a natural segue to my next question.

Mr. Pitesa, I believe you stated in discussing how important digital instrumentation and control is to the long term viability of plants.

I believe, if I heard you right, you used the term imperative and particularly for subsequent license renewal and the long-term viability of our nation's nuclear plants.

Could you please discuss that in a little bit more detail?

MR. PITESA: Certainly. I mean, when I think about plants that are going to be operating in the 2050s, the 2060s, the people that are going to be running that plant aren't even born today, and to say I am going to bring them in and teach them analog technology is just so foreign to, I think, the realities of the future.

We have to migrate to a technology that they are going to learn through their educational system, that they are going to learn and be able to operate these plants in a way that supports their knowledge base coming to the program.

COMMISSIONER CAPUTO: Okay.

Mr. Scott, back to you. You stated in your slides that what is missing in digital I&C is trust in technology and you make the point that technology platforms have billions of hours of operation without failure.

What is your view about how we can take that information and incorporate it into a risk-informed approach?

MR. SCOTT: You know, I think - I think EPRI's doing some efforts towards that and I think other groups have looked at that.

You know, it's an interesting question because we have had this debate from as long as I can remember. I mean, it's been many, many years that we keep looking at it.

So we have looked at other industries. I remember sitting on some of the original committees with the NRC looking at other industries and saying well, you know, FAA has been doing this or gas - oil and gas has been doing it - why don't we take credit for it.

And there just seems to be a nervousness to truly embrace what's out there, and when you look around, I mean, everything today is digital regardless of what you're more or less involved in.

And in all of those other industries, all of those other critical operations - and there is a lot of critical operations that are far more impactful than a nuclear plant, in some respects - that have been reliant on digital technology for years.

And I just think we need to understand and accept the fact that technology is not the challenge. I think John has stated it very well that how we understand what needs to be designed to go into the system is critical and I think that's the important focus is that we need to understand what the functional requirements are, how we interpret those, how we implement them.

The technology is going to work. Software works. I mean, hardware works. I mean, there are some failures on hardware side. But when you look at how much technology is out there, it's really a robust solution.

And I just think we are not giving it the credit that it needs.

COMMISSIONER CAPUTO: So I am going to back up a little bit. My fundamental understanding at this point, which is very fundamental, was that the industry was making some low safety significant upgrades in 2012.

Those efforts stopped. There have been some subsequent efforts on license amendments but not many. Mr. Pitesa talked about regulatory uncertainty.

So I guess to Mr. Pitesa and Mr. Novak - Mr. Novak, you made a statement about how significant positive impacts can be achieved without waiting for rulemaking.

Can you talk about how you think we should do that? And Mr. Pitesa, your ideas on how you think we should do that in order to work at reducing the regulatory uncertainty?

MR. NOVAK: I think what they are doing with the revision to ISG-06 is going to go a long way in this direction of making a very positive difference.

You know, I meant - we talked earlier about how a project needs to basically be complete and then the review of the software development process that had been used all along kicks in and that just takes time.

What the ISG-06 revision is doing is it's - the NRC would review and approve the overall process for developing a software but the review of the actual product is they are going to rely on a combination of the licensee's vendor oversight and also NRC inspections.

And the details are still to be worked out, but I think that would help a lot to eliminate and to make a lot of positive impact with our rulemaking.

COMMISSIONER CAPUTO: Okay.

MR. PITESA: And I agree completely.

The RIS for low safety significant systems and ISG-06 for more safety significant systems, quite frankly, you're looking at an industry that's just been kind of held back for so long.

We are trying to really understand what's going to be the opportunity out of those changes, and it goes back to Mr. Baran's question.

Mr. Baran's question is until we fully internalize how much relief we have been given on the ability to implement digital in low safety significant and high safety significant systems, which will require better understanding of what ISG-06 ultimately is I think then we will be able to weigh better on what is next and what more do we need to go forward from here.

COMMISSIONER CAPUTO: Okay. Because I guess - I guess when I look at it and I think we have been at this for 30 years we are still in the domain of RIS and interim staff guidance - multiple versions of interim staff guidance. We are revising action plans.

I guess I am kind of struggling with how much are we continuing to revise how we are going to do this but not actually getting to the point where we actually do it and that's the path forward that I am looking for here.

Thank you.

CHAIRMAN SVINICKI: Thank you, Commissioner Caputo. Next we will hear from Commissioner Wright. Please proceed.

COMMISSIONER WRIGHT: Good morning, and I am going to join my colleagues in thanking you for your presentation this morning.

And Dr. Thomas, whatever you had for breakfast -

[Laughter.]

MALE PARTICIPANT: I want the address of his Starbucks.

COMMISSIONER WRIGHT: You're one passionate guy and I appreciate what you bring to the table today.

So like Commissioner Caputo, I am new and many of the questions that have been circled around this table for the last three decades have been probably asked multiple times.

So I am probably going to go a little different direction, being new, and anybody can answer this question, you know, that I am going to pose.

But I am going to pose it to Bill. You talked about the need to modernize, you know, to the regulatory framework and you talked about the transformation team's recommendations in that area.

But the mission of the NRC is, you know, the reasonable assurance of adequate safety. Do you think that this whole digital I&C process has been following that path or has it been more toward a zero risk initiative?

And I'd like to hear your comments about that.

MR. PITESA: I feel like there has been a desire to create absolute certainty and zero risk because I think people have been afraid of the ghost in the machine that they just don't know about.

So we just need to look at everything to ensure there are not ghosts in that machine, and I think what we have seen in the advancement of digital in other fields of industry proves that you don't have to search every single line of code looking for that ghost in the machine.

You can achieve reasonable assurance by following - I still go back to the example the FAA used that says you're following processes that I endorse and when I do check in limited ways that check confirms that you're doing that appropriately. And I think that would be a great movement for our industry to consider.

COMMISSIONER WRIGHT: Yeah. Scott.

MR. SCOTT: I would agree. I think it's a - we are trying to what-if it to a perfect ideology, which is not going to - it's not going to get us there and I think that's where we are stuck is we are just trying to get it to a zero position.

MR. ROMANSKI: So the industry in the aviation side pushed differently. What the big guys - people like Boeing - what they said is that we need a mechanism to know when to stop - when to stop testing.

Airplane crashes - everybody's going to sue us. If we say we have tested it, they say, well, clearly, you didn't test it enough, if the accident was caused by a software failure.

So they said we need a stopping criteria. So we put that into the regulations and we said, well, if you do a requirement-based test and you measure how much code you've covered and if you've covered the code then you're done. You don't have to do anymore.

And we have different measures of coverage, depending on the criticality or design assurance level. But it was really driven by industry knowing that they need a mechanism by which they can stop.

Is it perfect? It's not. Errors can still get through. But at least we have a stopping criteria, which is - which gives you a good measure that you've done enough.

COMMISSIONER WRIGHT: I believe you used the word faith - a leap of faith. Was that you or - one of you used it.

[Laughter.]

MR. PITESA: But I think - I mean, I think there is an aspect of trying to discern what the difference is between perfect zero or perfect assurance versus reasonable assurance.

COMMISSIONER WRIGHT: Correct.

MR. PITESA: And I think that's been a huge challenge for our industry and that is the path forward that we have got to achieve is how do we just dissect those in a way that this is what reasonable assurance truly looks like in digital.

COMMISSIONER WRIGHT: Do you - do you see the transition team's recommendation moving more toward reasonable assurance or do you have a comment or is it still the same?

MR. SCOTT: I think we are moving more towards that direction. I just don't know if it's aggressive enough to get there.

COMMISSIONER WRIGHT: Okay, another question here and this is going to go towards standardization. I was at Naval reactors a few weeks ago and I watched the -- I was really intrigued the way they did things.

The Navy is a benevolent dictator so they own a little bit more of the process and the vendors and all, but I saw the way they leverage standardization and what they do and you mentioned the aviation industry a while ago.

Has the industry looked at ways to maybe standardize digital I&C across -- you've got a lot of different types of plants and all that kind of stuff. But have you looked at that?

Because one of the things, everything is one off, that's the most expensive way to do things.

MR. PITESA: You're exactly right. And I look at TELEPERM, it was a proven technology that Oconee brought from Areva at the time, and it had been used internationally.

It was kind of a standard technology, we had to turn around to apply it through IEEE standards and everything else, customize it to the point where it's a complete one-off now. So I think standardization of the rules will create standardization of the products.

MR. SCOTT: We've tried to take commercial off-the-shelf technologies the best that we can, trying to choose the most robust COTS products so we can bring them into the industry.

And I think that's a view that a lot of utilities are looking for, to find a supplier that can provide a COTS product that's sector-wide so it's not a one-off.

The challenge is, obviously, it's difficult for suppliers to all have a common-type goal because they're all competitive in nature in certain ways but I think to Bill's point, the more common and the more standardized we are globally, then there's a basis for us from a financial perspective to say, okay, well, it makes sense to make a platform that satisfies a lot of different regions.

Because right now, we're in situations where different regulatory bodies drive different requirements so you have to look at certain markets and saying, well, okay, if I'm only going to satisfy two or three plants in that regulatory regime then does it make sense for me as a business to focus on that?

So then you step back and you make decisions driven on that. So I really think harmonization of the standards really helps the supply chain levelize that a little bit.

COMMISSIONER WRIGHT: Do you have any comment about that?

And I guess, really, you talked about the IEEE and IEC standards and I'm trying to harmonize that stuff too. What are the biggest challenges that you see going forward in trying to do that?

MR. NOVAK: What's the biggest challenge with changing over to something else?

COMMISSIONER WRIGHT: Yes, what would be the biggest?

MR. NOVAK: We'll have to start with the rulemaking and the writing guidance on how to and with the endorsement of all of the subordinate standards because it's going to be a time-consuming process.

COMMISSIONER WRIGHT: So one of the things that concerns me just in the five months I've been here is that it seems like sometimes maybe we're standing in our own way and standing in the way of some real beneficiary safety improvements that would take away human error factors as well.

And I see this as possibly being one of those, it seems to be what I heard George talking about and you too, Doctor. I'm just trying to find a way to get it done cleaner, better, more efficient, and keep in our mission.

24 DR. THOMAS: I've got a comment along those lines.

25 I've heard standards mentioned a number of times. I'm on standard 26

63 committees for aviation and automotive and other industries and I've seen 1

the sausage-making.

2 And standards are good but they're not perfect and we've 3

got to be a little careful here. The answer to this problem is not to copy a 4

standard that exists.

5 My biggest fear, what keeps me up at night, is there are 6

some standards that are very good for this problem and there are a lot of 7

standards that, frankly, are not very good. The standards are not created 8

through a nice, scientific process.

9 They haven't even been tested. They're created by a 10 bunch of experts that sit at a table like this and say what should we write 11 down?

And that's why we have different standards even within the same industry that conflict with each other and things like that, right? So don't just copy a standard because it exists. That should not be our criteria.

The criteria is actually very simple, it's a little revolutionary, but it's very simple.

We need to test, we need to do a proper test, not taking something in hindsight and seeing if it will stuff in a box and not proving by theory that it can fit. Do a proper test with real engineers, try it out.

Some of these tests have been done, some of these have not. Whatever standard you're looking at I suggest that we should put somewhere in here a gateway that says let's define a proper test and make sure it's really going to work for our problem, and then your decision is easy.

You have the evidence you need, we're trying to make a decision without the evidence and that's the problem. Let's make sure we collect the right evidence and the decision will be easy I think.

COMMISSIONER WRIGHT: Thank you, thank you very much.

MR. SCOTT: I guess an interesting thing that might be thought about is supply chain has done a lot of significant digital modifications, either new plants or modernizations around the world.

There's a lot of history, there's a lot of data, there's a lot of already tested, proven, documented basis.

But if that were to be submitted, for example, let's say a utility wants to do an upgrade of the United States and they bring in a supplier that's done similar-type upgrades in four or five different other countries or plants and submit that along as a base of support and get credit for that, we've got to look at different ways.

Because I do think we're losing a lot of value in what's been done in other similar environments.

COMMISSIONER WRIGHT: Thank you very much.

MR. ROMANSKI: The approach that the FAA has taken is that we have started a number of projects where we are partnering with the Applicants. So this is new technology, new techniques that people are proposing, and they come to the FAA and have said, well, would you accept this?

And we said we don't know, however, let's have a project where you put your people on board, we'll put our people on board and we will work the problems together so that we learn from them and they learn from us and they get early approval.

So we have a number of these partnership programs, especially in the new technologies like the unmanned air systems.

Thank you.

CHAIRMAN SVINICKI: Well, thank you all again for your presentations.

As someone who has been watching the NRC activities in this area for over ten years now, some of what I've heard in your presentations and response that you gave to the questions of my colleagues added validation in some instances to a series of observations that I've been adding to over the years.

And maybe I'll share some of that and if time remains, offer the opportunity for any of the panelists to take exception to anything I've said or to add some additional thoughts about it.

Let me just say that I think the first meeting that I attended on digital I&C as a Member of the Commission, I haven't looked this up but I was thinking about it as I sat here, it might have been 2008.

And two regulated companies were on the external panel because they were representing two attempts at adoption of digital I&C projects at plants.

One was Wolf Creek and it wasn't a terribly ambitious project so they were considered the applicant who had a limited complexity to what they were trying to do. The other might have been Oconee but I'm really not sure so I don't want to say that I don't think Bill was at the table.

But I asked the two representatives of companies that had engaged the NRC, again this was ten years ago, some sort of limited non-safety-related project, and one of the presenters said that he felt as if he were attempting to swim the English Channel and that he got to a point where he regretted that his company had ever, ever decided to engage the NRC in this process.

But he knew that he had to proceed because he drowned and didn't have the energy to go backwards. And so I'm sure no Member of the Commission ever wants to hear someone describe their engagement with the NRC in such stark and life and death terms, but as I've watched this evolve, I think some of the challenge is that -- well, first of all, let me talk about something which is publicly known which is that NRC experts are not of one set of philosophies on this.

I don't say that to reveal our dirty laundry but I think it is well-known that in the new reactor area, there has for whatever reason been a greater ease around fully digital systems that is not evidenced in other groups of the Agency's experts who are working more with the current technology.

So that does leave one with a conclusion that there is a certain kind of mindset or paradigm that the various experts may be bringing to the issue that cause, in some cases, there to be a regulatory exceptions of something than in other cases.

And so I tried to think about why that is and I wonder if in some instances we are expecting digital systems to make a demonstration of providing safety in the same way that analog systems, the same way that we would assess their ability to do it.

And until you come to some sort of acceptance that digital systems will not provide a basis for a safety conclusion with the same means and methods that analog systems do, then you are trying to force-fit digital systems into providing you with an assurance in the same way that analog does.

And they fundamentally perform differently, they are just different at birth and at origin and the notion that you can force-fit one into giving you the same confidence and safety demonstration in the exact same way.

I think the notion that one is more safe than the other, I think that whole question, you've kind of failed at the starting gate because that's very, very difficult to say if I allow digital systems on safety-related things at nuclear power-plants, have I diminished safety? Have I relinquished some sort of safety?

And I think that's really the wrong way to look at it.

Engineers for some years now have been required to take the rudiments of some sort of programming, this was true even in the antiquated days when I was in engineering school. And that was always the most difficult thing.

But the lines of code will do -- I mean, it's math and it's just a functionality but the problem was if you didn't understand the system, that is always why the rudimentary programming that I would have had to do in engineering school, it was that I failed to understand the problem because the code does what the code does.

And I think that any of us that went through that humble experience -- so I think another challenge has been what we need to do is weigh the benefits of how digital provides safety assurances against any complexities that it might pose, any uncertainties that it might pose.

And if we don't look at the nuclear power-plant as an integrated system that has these digital systems, it's very difficult to weigh the benefits of what digital brings against the risk that it brings if you're not looking at a fully integrated system.

And there's been some discussion of systems engineering here today and I think that, again, if we neck down and get a narrow focus just on digital being like analog, then I think we're not going to adequately understand the massive redundancies that digital can offer in the defense in-depth.

I think that term was used and that's a term we use here but I think it can provide enhancements. So I view that in the ten years I've been watching this issue, we have definitely foregone benefits that digital could have been providing in that timeframe.

I do agree that the Agency coming to some greater ease and structure around this is an imperative, that term was mentioned as well.

This is not an optional thing. I've been asked by people who do only cybersecurity, can't you just force nuclear power-plants to continue to have analog?

And I said we could require that but I think as a result, the nation will forego nuclear power because they don't believe that it's sustainable. So we've also talked a lot about codes and standards and I want to take the counterpoint, I'm not going to malign codes and standards.

By the way, as a Government Agency, we're required under law to refer to and adopt standard industry codes and standards and not develop our own ad hoc ones, again, because that's just viewed as something that enables commerce and makes a lot of sense because we shouldn't sit back and have our own. We can endorse them, we can cite to them, and I understand that, but we're constructing two nuclear power-plants in this country down in Georgia right now and the American Concrete Institute has codes and standards.

So this is concrete so let's stipulate that's not as complicated as digital systems and software. We were engaged in protracted, interpretive engagement with the constructors as to whether or not what they were doing in the field complied with the ACI standards.

So I think the notion that codes and standards can solve this is true. But people get to interpret whether or not what is happening meets the code or the standard and so let's not forget that has been a very important part of this dialog.

We can take IEEE 603 but then NRC has to agree that what we think meeting that standard looks like is the same thing that the vendor thinks, is the same thing that the operator thinks.

One last thing that I'll mention that I had not thought about but based on our colleague from the FAA, it was very interesting to hear him talk about what he called an incremental review or engagement on the development of this system.

And I believe that you even commented that you found it somewhat astonishing that you could take a fully completed digital system, take that design and review it post-hoc after it's already been completed.

The NRC has been engaged a lot in the advanced reactor realm about taking the regulatory framework we have now, which is performance-based and I'm going to conclude by making some comments.

We've heard a lot about risk-informed, the other thing we're supposed to be is performance-based and I think that's another element that we need to get clarity of thinking about when it comes to digital adoption and nuclear power-plants.

But with the advanced reactor community, we've come to understand that they don't want to invest the money to have a fully completed design before some of the very different concepts that they're thinking about for various aspects of the design, before they know that those things have any snowball's chance in you know what of getting approval by the regulator.

So what we have done is we've said we're not changing what you have to demonstrate to get your design approved but we're going to have a regulatory engagement plan with you that will set up an advance, you will tell us how you want to evolve and finalize aspects of what you're talking about, we will agree to have touch-points along the way as you're developing it, and we can't give you approval per se but we can give you something that is a very valuable reaction.

If you were indifferent on the alloy you were choosing for a component and I said this one we know really well, if you could pick this alloy we wouldn't have to engage in a lot of testing and other things, and they might say I'm indifferent on that, that's great, that's very helpful to know that upfront.

Maybe we would benefit from having the Staff think about it and make a decision, but having the Staff think about is there something akin to the regulatory engagement plan development that we've been having with advanced reactor vendors, none of whom have come in for review yet, would that benefit? Would the designers of digital I&C systems, would a parallel system be helpful? They could have an understanding upfront, a kind of compact if you will, to say I'm going to come in and get regulatory reactions, if not approvals to things at various steps along the way.

Maybe we need to learn more about what the FAA has done there and see if that's something that we should have been doing all along for very complex digital upgrades or systems.

Because we've approved whole platforms, which has not been discussed today, but we've got some advanced reactor digital I&C platforms that we've approved.

And let me conclude with performance-based because I think that's the other element here.

We've talked about a rulemaking versus continued progress on the guidance documents. I'm not certain that I want to yield today to the notion that it has to be either/or and that may have been some of what the staff was talking about in the transformation paper.

Maybe a separate transformation activity that would look at -- the rulemaking is supposed to be about what do you need to demonstrate?

The guidance is about possible versions of what that could look like and so I think the other thing we struggle with in digital I&C, at some point we do need an enduring place where we have enshrined the paradigms and the prisms through which we are viewing the showing or demonstration that is required for a digital I&C system that we assess meets reasonable assurance of adequate protection, as my colleague mentioned.

I think at some point you do need to have a performance-based articulation of that in a regulation and that would give enduring flexibility. Because we've talked a lot about the NRC Staff having adequate flexibility and looking at digital I&C systems.

The other thing that people want out of a regulatory framework is predictability and if it's too flexible and too ad hoc in saying, well, just bring a system that's fully designed and after you're done designing it, I'll tell you if it meets reasonable assurance of adequate protection and I can't articulate for you upfront what that demonstration or showing is going to require, then I think we end up with these extremely protracted review schedules and we add complexity because we haven't defined upfront exactly what are you required to convince me of?

And if I knew what that was and I knew how digital systems did it and I didn't make them try to show me that and give me that same confidence in that exact way that the analog systems did, but I leaned into the uniquenesses and benefit of digital systems.

So that's my overall sense of what we're struggling with. I don't know the best methods for us to get there. I think Congress has asked NRC to go look at the military, to look at aviation, to look at medical I think was in there as well.

We haven't talked about that today, we're all putting our lives on the line with a lot of medical technologies that are extremely dependent on digital systems, but I think they've asked us to look at the philosophical approaches there because digital I&C is so much more absorbed into those areas of commerce and to say why is it that those approaches that have provided acceptability to regulators in those sectors, why is it that they don't work for nuclear.

So I think we have a report due to Congress on that but I think that might be interested as well. But again, I've gone over but I appreciate your time here today and I'm of a mind, I haven't made any decision until after the Staff panel goes but I'm of a mind that maybe the Commission should set another meeting in X number of months.

I might propose that to my colleagues that in this meeting, the direction on this meeting, we say that we should have another of these meetings. Because maybe it needs a more consistent attention from the Commission. It's been getting episodic attention but not consistent attention.

So I've run over so I would ask if my colleagues have any just brief additional thoughts or anything they would like to share. With that, I think we will take a very modest break of five minutes while we reset the table for the staff panel.

So that would take us to 10:55 a.m. Sometimes the clocks in here are wrong so let me see. Yes, 10:55 a.m. or perhaps even a little bit longer. But thank you all again for your presentations and we'll recess.

(Whereupon, the above-entitled matter went off the record at 10:50 a.m. and resumed at 11:00 a.m.)

CHAIRMAN SVINICKI: I call the meeting back to order.

If everyone will please take their seats for our second panel, we will now hear from the NRC Staff on digital I&C activities underway, in progress, and probably a little bit of the history of how they got to where they are today.

And to lead off the Staff presentation, I will turn to the Executive Director for Operations, Margie Doane.

Margie?

MS. DOANE: Okay, good morning, Chairman and Commissioners. That was a lively discussion that you had with the last panel and we're looking forward to giving you our presentation on digital instrumentation and controls or digital I&C.

I too have been sitting at this table for a long time, I sat in that seat for six years and saw a Commission Meeting on digital I&C and I've also heard through numerous other Commission Meetings how this topic is vexing for us.

It's been complicated, so I share your perspective, and so does the Staff. What I can tell you that's different today and I'm comfortable saying that from my observation I see progress, but what I can tell us different today is that I believe that we're working with these various communities to set goals, we're putting a reasonable milestone schedule in place and we're meeting those milestones that we have set.

And we're striving, we've told ourselves we're striving, to make sure that we're not an unnecessary impediment to safety improvements. And we have heard the same thing you heard on the last panel, that there are real benefits to this technology and that we need to make progress and we need to move this forward.

I believe that what spearheaded our more recent progress is the direction that the Commission gave us in SRM-15-0106 where it motivated us to come up with an integrated action plan and that's where we've actually set out these milestone schedules and we can work with the community, various communities, to come up with this schedule.

And so I think that provided a framework that has precipitated this progress. Let me step back a second. Commissioner Caputo I think has touched on this and so did other Commissioners that progress is relative to the journey and I get that.

It's relative to the journey. If you're going 3000 miles and you've made progress and you've gone 1500 miles, it's halfway but you still have a long journey, a lot of time and effort to go. If you have a short journey, ten miles, and you've gone halfway you're almost there.

So when people say we've made progress, I understand what you're saying. You've made progress but where is it relative to the goal line? And we're hearing you.

And I think we've identified the key issues and I think we have a very good engagement schedule that I am confident that we are going to continue to make progress.

And as you heard also on the other panel, there are three distinct communities that are giving us a lot of feedback. It's operating reactors, advanced reactors, and also the vendor community that's providing the digital equipment.

And they're all coming at it different directions and so we are engaging in numerous public meetings and have put a lot of resources into understanding those issues to move forward.

And so along this milestone schedule, one of the final milestones is to look at -- so we're making improvements in our regulatory approach and we look at those improvements and I look forward to a lot of discussion.

I expect we'll have some similar questions about the old system or the old regulatory approach versus a brand-new regulatory approach but what I'd like to say is that we can definitely make innovative changes with the old regulatory approach.

But what that final milestone talks about is real transformative changes, things that would cause you to do the process in a completely different way. And like the Chairman was saying, when you talked about putting principles in place that were kind of nailed down, a rethinking.

Now, when you should do that and all that, obviously you're going to hear from us and I'm sure we'll have a good discussion about that but I just want to talk about innovation versus transformation in that regard.

As you know, the Staff proposed their transformation in this topic. We propose that in the paper in SECY 18-0060 achieving mod-and-risk-informed regulation, which we call the transformation paper and I don't want there to be any misimpression that, or I want to emphasize that we're continuing to do a lot of effort that would lead us to being able to work toward that final milestone which would be maybe perhaps a completely different regulatory schedule.

We're doing things now that will actually help us to advance progress on doing a rulemaking because some of that work is being fed into these innovative approaches to even using the existing regulatory approach.

So while it will be very important to hear the Commission's views on that transformation paper, it's not slowing our progress in any way because we have so many things to do right now and also as we think of innovating the process going forward.

So, with those introductory remarks, I'd like to now, next slide, please, I want to give you a brief introduction of who we have at the table and what topic they're going to present.

So, by now you all know Ho Nieh, the Director of Office of NRR. Ho will be discussing the priority the NRC has placed on making progress on digital I&C issues so that potential safety benefits can be realized by properly implementing digital I&C upgrades.

And Eric Benner, Director of NRR's Division of Engineering, and you'll hear this referred to as DE throughout the presentation, will discuss the staff's detailed priorities, their incorporation into the integrated action plan or the IEP that I was referring to earlier, and the factors that have enabled our recent successes.

Rossnyev Alvarado, an electronics engineer in the Division of Engineering will discuss issues surrounding common cause failures of digital I&C systems. Let me take a break here for a second.

I just want to let you know that Mr. Pitesa on the previous panel from NEI mentioned that I would discuss one of the topics that he had referred to in SECY 18-0090 that had to do with common cause failure and it really had to do with the issue of how that paper took into consideration risk-informed approaches.

And I think the paper did not speak to that directly and so Ms. Alvarado will be able to put more specifics on that matter.

Mike Waters, Chief of DE's instrumentation and controls branch will discuss our progress, especially over the last year, in working with the industry and public settings with the goal to provide clarity to the digital I&C regulatory infrastructure.

And Dinesh Taneja, a senior electronics engineer in DE will discuss commercial grade dedication issues and the longer-term modernization of the NRC's digital I&C regulatory framework.

So, again, we appreciate the opportunity to discuss these important issues and now I'd like to hand the presentation over to Ho.

MR. NIEH: Thank you very much, Margie. Good morning, Chairman, good morning Commissioners. I'm very happy to be here this morning. I might not be as happy as Dr. John Thomas from MIT but I'm pretty darn happy to be here.

I'm really glad to be here with my colleagues to talk to you about the actions we've taken in enabling the broader use of digital technologies at our nation's nuclear power-plants.

As you know, this is my second month on the job and I'm fortunate enough to have a second opportunity to be here before you at this table. I suppose I'm lucky in that regard.

I mentioned in September last month at the business line meeting that I've been drinking from this fire hose. I kind of still am but the diameter of the hose is a bit smaller so that's really a good thing.

So, after being back for about two months, I've really had to quickly come up to speed on this topical area and had to go back and look at the record and look at information coming from the staff.

And I have to say, on the one hand, it feels kind of strange to sit here and talk to you about enabling digital, especially in this age where digital technologies are ubiquitous in many industrial applications as well as our everyday lives.

And we all know that the digital revolution started many decades ago so it is quite strange to have this conversation. But on the other hand, I also think that I have a much better appreciation of the challenges we faced just to get to where we are today.

And again, after speaking with the Staff and reviewing their record, it's evident to me that since the beginning of this year, we did make some progress in enabling the use of digital.

For example, we clarified the guidance and the risk on the use of 50.59 for digital upgrades, we went out proactively and did workshops with industry and our regional staff to better increase the understanding of how to apply the guidance and doing upgrades under 50.59.

And it's my understanding now that many of our licensees are using that guidance to make modifications today, using digital systems in their plants. So to me, I think that's a very positive sign of moving progress in this area.

In my previous position at the Nuclear Energy Agency working internationally, I had the opportunity to see how digital systems can be used in both safety-related and non-safety-related applications in nuclear power-plants around the world. I also had the opportunity to engage with many of our international regulatory counterparts to better understand how they address some of the challenges that we'll be talking about to you today.

And for sure, common cause failure was a main concern for many of the regulatory bodies and through testing, operating experience, and flexible regulatory approaches, we do see that digital systems are used in nuclear plants and other safety-critical industries around the world today.

In listening to the conversation in the industry external panel, I think operating experience is one area that I'd like to further explore with our staff on how we're better incorporating lessons from other industries and other countries into how we're conducting our regulatory reviews.

Another takeaway that I had from the international experience was that among many of the nuclear regulators abroad, there's a very positive attitude towards enabling innovative and new technologies in nuclear power-plants, and in fact, there's a growing recognition that new technologies like digital systems can improve plant performance, reliability, and also safety.

And I think that's particularly relevant if we're looking at nuclear power-plants operating in the longer term, particularly as older equipment and analog systems become harder to find in the supply chain and become more and more obsolete.

So turning back to looking at NRC, what I found really interesting was that we have been able to, as you mentioned, Chairman, to make regulatory reviews and decisions for major digital platforms and new reactors like the AP1000, APR1400.

We even took an adaptive approach and used a design-specific review standard to look at the digital platform for the NuScale small modular reactor.

And in exploring my curiosity about this asymmetry in how we look at digital I&C for new reactors versus operating reactors which, oh, by the way, we're using the same requirements and regulatory guidance, I reached two conclusions.

The first was that we have the technical capability and expertise to do these reviews successfully and timely. We can do this and we've shown that we can.

And the second conclusion I reached was that with a shift in our mindset and our culture towards innovation and new technologies, I think we can greatly make even more progress on broadening the use of digital systems in nuclear power-plants.

As you know, the courses have been set for the merger of NRR and NRO and 2020. In fact, this month we've already made some pre-merger consolidate efforts.

We took the digital I&C functions from both offices and combined them into one under NRR and the vision for how we're going to look at these reviews of new technologies including digital systems is a vision where we're going to ask ourselves the questions, how can we do this while ensuring safety, rather than why we shouldn't do this?

I think that's a real important aspect of this transformation.

So, in looking at the journey we've been on with digital I&C, now against the backdrop against the Agency's efforts to transform itself, I really think we have a real opportunity here.

The story we want to leave with you today is that we're on a positive trend and I think the more things we can do to be more risk-informed, if we receive direction from the Commission on having more performance-based framework and focusing our efforts on reasonable assurance, I think that's going to help us continue on this positive trend of progress.

So with that, Chairman and Commissioner, I'd like to conclude my remarks and turn it over to Eric Benner who will talk to you about the progress we've made on the integrated action plan.

Thank you.

MR. BENNER: Thank you, Ho. Slide 4, please.

Morning, Chairman and Commissioners.

The Staff continues to be focused on addressing the most significant regulatory challenges that we've identified through our stakeholder engagement, including engagement with our international counterparts and other domestic regulatory Agencies.

Those challenges fall into two broad categories. The first is near-term issues that our stakeholders have identified as impediments to implementing digital technologies today and the second is broader modernization improvements that can longer-term make our review efforts more effective, agile, and performance-based for all technologies.

So, my slide has some of these particular items, I'm not going to go through the list because Rossnyev, Mike, and Dinesh are going to discuss each of them in more detail.

Next slide, please.

So, Margie referenced the IEPs, let me provide a brief background. In the SRM to SECY 15-0106, the Commission directed the Staff to develop an integrated strategy to modernize the NRC's digital I&C regulatory infrastructure.

The SRM indicated that requirements in this area should be performance-based and technology-neutral and apply to both operating and new reactors but acknowledge that guidance could be tailored to the different communities.

The SRM also directed us to hold frequent stakeholder interactions to reach a common understanding of regulatory challenges, priorities, and potential solutions to address them.

The Staff developed the IEP to fulfil this direction, which was provided to the Commission in May of 2016 and the Commission approved in October of that year. The Staff periodically updates the IEP to reflect our progress and evolving priorities.

Given our recent accomplishments, we're currently finalizing a more extensive re-baselining of the IEP developed with significant input from our stakeholders which we will provide to you next month and which provides more detail to the activities described in SECY 18-0100.

Next slide, please. We've had some recent significant successes which you'll hear about in more detail, but I'd like to set the stage for the mindset changes that enabled those successes and put us on a path to continued success.

This gets back to some of what we feel is different today. First, we committed to look hard in the mirror to see how our behaviors were contributing to the challenges identified by our stakeholders.

That look revealed that as we implemented requirements and policy in this area, we sometimes introduced additional unnecessary burdens. An example of this was our evaluation of the digital I&C common cause failure policy described in the SRM to SECY 93-0807.

So we've heard a little bit here about, wow, the Staff determined that the policy didn't need to be modernized in that Commission paper. And I'd like to change the characterization of that because as we started our evaluation of the policy, we initially focused on whether a policy change was needed.

But as we got into the history, we revised our focus to ask the question is the policy truly a barrier to us implementing any proposed regulatory improvements that our stakeholders have challenged us to adopt?

And with this change in focus, it became clear to us that the existing policy had plenty of flexibility to adopt things like risk-informing other alternative standards and some of the things that were mentioned today, but that our implementation of the policy, as we translated that to our guidance documents, maybe made things more restrictive than they needed to be.

So, second, we realized that no guidance document, no matter how good, can succeed on its own. And I would extrapolate this to no guidance document, no standard, no rulemaking. None of those are going to be a panacea for any of the challenges we've faced.

Rather, for any of those things we do, we have to ensure we have the appropriate companion support network to ensure its success. As we like to past efforts, it was clear that sometimes in a guidance document we devoted a lot of energy in conjunction with stakeholders to develop a good guidance document, and then for whatever reason, that guidance document sat on the shelf for some period of time.

When it was picked up to be used, implementation issues were identified, some of the originators were no longer available so we struggled with working through those implementation issues and at the end of the day, the guidance document got billed as a failure.

So what we're trying to do differently today is in working with our stakeholders we've identified these priorities, one of the priorities was the risk to better enable 50.59 modifications.

We subsequently worked with industry to develop these workshops which we've supported. We've made sure we've had attendance at those workshops from both technical and oversight staff and management from the NRC so that we're all hearing the same questions and answers.

We're aligning on regulatory expectations. Now we've seen that seemingly has enabled the use of the risk to do digital modifications so now we have inspection staff who are more plugged in.

We're taking all the questions and answers from those workshops and those will be filtered into our more detailed training that we do to our inspectors who will be overseeing these 50.59 mods.

So we're looking to leverage that same approach as we keep rolling out these new guidance documents.

Lastly, we've revisited what information is necessary to make regulatory decisions. So for operating reactors, this most manifested itself in our ongoing revision to ISG-06.

And as was talked about by several of the industry stakeholders, the revision we're working on now will provide a regulatory approval sooner than originally and previously anticipated, with the idea that they'll get that regulatory approval before their final design and software development is complete. But it'll lock down the most important attributes that we've relied on to make our regulatory finding and then it'll be primarily the licensee's responsibility in conjunction with oversight of their vendor to convince themselves that the system as designed meets those requirements and will obviously have some amount of oversight of that activity.

And as also was mentioned for new reactors, this manifested itself most recently in the use of the design-specific review standard for the NuScale review by which we did identify some higher level safety principles for the I&C review which allowed us to expedite and simplify our technical review.

So with that, I'll now turn it over Rossnyev.

MS. ALVARADO: Thanks, Eric. Good morning, Chairman and the Commission.

I'd like to talk about what we are doing to try to find expectations regarding CCF, common cause failure, but before I do that, I think it will be good to set up or provide a little bit of the background of what is a digital system and why we're here and why this is an issue.

So digital systems offer many advantages over the existing analog system. The use of digital technology continues to be a key industry strategy for addressing obsolescence and improving plan flexibility and reliability, and therefore, reducing maintenance cost.

The Staff recognizes that digital technology can provide many advantages but it also creates the possibility for new vulnerabilities.

In particular, there is wide consensus that the potential for non-faults that can be introduced during the design and implementation of the system could result in a common cause failure, which could challenge redundant trains that use identical software or that use shared devices, for example, communication networks.

Like analog systems, digital technology cannot be completely tested so software design errors can be present in the system and this will have effects until certain trigger events are present. To manage this uncertainty, licensees generally consider the defense in-depth and ability to cope against common cause failure.

I'd like to highlight that common cause failure events are of concern to both safety systems and non-safety systems. So this is not only an issue for safety systems. For non-safety systems, Staff is seeing more aggregation of control functions into one platform or one system.

Also, they're using the same platform for different control functions. In this case, a common cause failure of the system could lead to new type of accidents or malfunctions that were not previously analyzed in the plan's safety analysis report.

For this reason, both stakeholders and Staff recognize that common cause failure is the highest technical priority to resolve for using digital technology.

Also, common cause failure due to software underpins many of the regulatory challenges and efforts to use digital technology as we listen to the first panel this morning.

For example, I want to provide this example in which industry stakeholders have identified challenges when determining the likelihood of a common cause failure due to software when they perform evaluations under Section 50.59. This is because there is not an accepted method for quantifying the likelihood of a failure. So licensees have to use qualitative assessment.

The question is how do you translate those qualitative assessments to answer the questions in 50.59? The Commission's policy to address common cause failure in digital systems is in the Staff record memorandum to SECY 93-0087.

The Staff this year completed an evaluation on this Commission's policy and its impact on licensees' activities. This evaluation considered insights derived from the development of the RIS supplement which Mike will describe in detail, significant interactions with industry stakeholders, industry standards, EPRI and NEI documents, as well as other Federal Agency regulations.

We also look at the lessons learned from all regulatory reviews. This evaluation led us to the conclusion that common cause failure due to software should be considered.

But all regulatory guidance should be improved to be made more clear and consistent. The Staff believes that the Commission's direction in the SRM SECY is still adequate.

That position provides flexibility for accepting new digital technology and support regulatory modernization activities for near-term improvement, including the use of a graded approach and the use of alternative industry standards.

Also, the Staff believe the Commission policy is technology-neutral and allows for the use of risk insight. During our evaluation, we determined that implementation of NRC policy has not been consistent.

Eric alluded to this in his talking points, therefore, to improve clarity, consistency and regulatory stability, the Staff identified guiding principles that will be reflected in all common-cause-failure-related regulatory guidance.

Our views are summarized in SECY 18-0090 which also includes a brief plan for implementing these guidance principles and the Commission's policy.

Next slide, please.

This slide summarizes these guiding principles which are described in the SECY paper. In particular, these guiding principles are continue to address potential vulnerabilities to common cause failure, continue to perform diversity and defense in-depth analysis for reactor protection system and engineer system features actuation system to address vulnerabilities to a common cause failure.

This analysis can be either a best estimate or a design basis analysis as appropriate. For other systems, we want the licensee to continue to use a graded approach for performing a diversity and defense in-depth analysis, which should be commensurate with the safety significance of the system.

The next item is to clarify the use of alternative means to address vulnerabilities to common cause failure and the last item that I want to talk about is the use of certain design attributes to address common cause failures.

But the use of these design attributes, we consider that they should be commensurate with the safety significance of the system.

This proposed guiding principles are meant to ensure consistent application of the Commission's policy as I mentioned before, and they will be used to clarify NRC requirements for addressing vulnerabilities to common cause failure.

The RIS supplement that Eric mentioned and that Mike will provide, the detailed description about it, is consistent with these guiding principles. For example, one of the guiding principles is the use of a graded approach.

In the RIS, we recognize this but using a graded analysis and the commendation in relationship to the system safety significant to determine the likelihood of our common cause failure.

Further, the use of a graded approach will be consistent with the Agency-wide effort for implementing a risk-informed regulatory approach. These guiding principles will be incorporated into Branch Technical Position 7-19 which provides guidance to implement the Commission's policy.

And specifically, this BTP provides guidance for performing diversity and defense in-depth analysis to demonstrate that vulnerabilities to common-cause failures are addressed.

In addition, we will resolve comments provided by stakeholders including industry on the current version of BTP 7-19. In particular, to clarify the scope of applicability, consideration of design features to eliminate common cause failure from further consideration and the overall need for diverse actuation.

In addition, we're also going to use these principles to evaluate industry-developed guidance. In particular, NEI is developing NEI 16-16 which the title is Guidance for Addressing Digital Common Cause Failure, to provide guidance on using design attributes to reduce the likelihood of a common cause failure or to eliminate common cause failure from further consideration.

NEI provided a draft version for the NRC review and potential endorsement, however, NEI's suspended work on this document to focus its resources on the development of the RIS.

And because EPRI is revising the design guidance that is incorporated into NEI 16-16, the Staff is ready to resume review of NEI 16-16 upon request by NEI.

As we address product modernization activities, we expect that other common cause failure questions and challenges will arise.

A particular example is with regards to integration and connectivity of I&C systems. The ease of connectivity within digital system architecture makes it easy for a single failure or a common cause failure to occurring within one system to propagate to other systems.

This kind of event can create a malfunction or create a problem that will prevent the system for recovering for a transient for example, or to mitigate an accident.

Some of those systems were previously analyzed as an independent or standalone systems with independent failure consequences but as they get integrated, we don't know how they're going to behave so this is something we need to consider.

Consequently, we will evaluate the extent to which the Commission's policy needs to be modernized to address new challenges or support potential changes to all regulatory infrastructure. I will now turn it over to Mike.

MR. WATERS: Good morning. The majority of digital upgrades to our operating fleet have been and will be implemented under 10 CFR 50.59. This regulation provides conditions under which licensees can make changes about prior NRC approval. Some key criteria in the rule include other proposed changes, increases the likelihood of a malfunction previously evaluated, or creates the possibility of a malfunction with a different result. For digital I&C licensees who have faced past challenges in answering these questions that involve potential common-cause failures.

We issued Supplement 1 to RIS 2002-22 in May of 2018 to address this challenge. The RIS primarily addresses auxiliary safety support systems, non-safety systems and replacement of individual components ensured to identify these modifications as higher priority.

Supplement 1 to the RIS provides clarification to determine a more likelihood of a common-cause failure is sufficiently low to support a change under 50.59. The quality of assessment approach considers three factors: the design attributes of the system; quality of the design process and any relevant operating history with the proposed system. To support this assessment, the supplement also addresses key aspects of the engineering failure analysis to identify CCF vulnerabilities.

The completion of the RIS was very challenging, but it was ultimately successful because of significant interactions with industry experts and the use of tabletop workshops to test the practicality of the guidance.

As you heard from the panel this morning, industry plans to complete a number of upgrades using the RIS.

On a separate track NRC is currently engaging NEI on a proposed Appendix D to NEI 96-07 for 50.59 evaluations. Appendix D is intended to address specific digital technology issues and complement the base guidance in 96-07. It will apply to all types of digital modifications and it contains additional guidance for screening.

NEI is currently incorporating NRC comments and observations that we provided in several public meetings. They plan to provide Appendix D to us this December for formal endorsement to Regulatory Guide 1.187.

Slide 10, please. Let me now transition to digital I&C licensing. We have made good progress on licensing certification reviews of new digital systems. This slide lists a few examples. We successfully reviewed and licensed the Hope Creek Digital Power Range Neutron Monitoring System. It is now up and running. We've also completed the technical review of the NuScale digital I&C system that's part of the overall digital -- overall design certification process.

Staff used an innovative design-specific review standard to emphasize its fundamental design principles. We've also made good progress in digital I&C licensing activities for research and test reactors.

For example, we've completed the safety evaluation of the license amendment for the Purdue-1 reactor. As shown in the picture, this would be a complete digital modification to all other safety and non-safety systems.

We expect to make a determination on the application very soon.

We highlight these to note they were continually examining the insights and lessons from both site-specific licensing and the design certification reviews to instill greater efficiency and predictability into our guidance.

Slide 11, please. A key example is a revision to staff licensing guidance in ISG-06 to address the near-term needs of the U.S. operating reactor fleet. We expect to finalize the guidance this December.

The revision is focused on providing an alternative process for regulatory approval of a major upgrade before a licensee makes a significant investment in the development of the proposed system.

We added the alternative review process which shortens review when a licensee uses an improved topical -- approved digital I&C platform. This process is based on a single submittal that includes information on the final system architecture, human system interface and software requirements. It eliminates a license review of the detailed software verification outcomes and factory acceptance testing results.

Therefore, our review will have greater focus on licensee software quality assurance planning and oversight of their activities.

The staff review process also incorporate the evaluation of fundamental design principles of independence, redundancy, repeatability, and defense-in-depth. These approaches are consistent with the Transformation Team recommendations on use of design principles in our guidance and oversight of digital I&C quality.

This activity has been successful because of our significant action again of vendor and utility licensing experts. For several months we have dedicated public meetings with the working group to discuss each part of the revamped guidance. We also conducted a tabletop exercise to test the draft language in the ISG with past examples from past licensing applications.

Slide 12, please. So this graphic depicts the difference between the original two-phase licensing submittal process and the new alternative review process. Both will be acceptable approaches in the revised ISG. The blue portion in the middle shows licensing activities aren't -- with respect to typical life cycle development process of a new digital system from design concept to installation. The red line and green line depict NRC's review time -- shorter review time with the alternative review process. As shown, approval would be granted at the time when licensee begins final implementation including software validation and fabrication.

The NRC may translate some of these -- some of the licensee's commitments regarding software quality development and vendor oversight into license conditions and subsequent NRC vendor regional inspection oversight will be focused on the final design activities including software quality, factory accepting testing, and site installation.

It is important to note that industry is developing guidance for standardizing digital engineering and guidance for developing license applications based on the new alternative review process. While we are not involved in these efforts, we encourage this approach. This can be a very important element in ensuring high-quality applications and contributing to the consistency of our reviews for the next set of digital I&C license amendments.

I will now turn it over to Dinesh.

MR. TANEJA: Thank you, Mike. Good morning, Chairman and Commissioners. Improving our review and oversight of the commercial grade dedication process for digital equipment is another very important area we're working on. The nuclear industry relies on equipment for the majority of the I&C systems. Many vendors often design equipment using non-nuclear international safety standards.

Staff is evaluating potential use of third-party safety certification based on an international industry standard to accept commercial grade equipment. In particular, NEI is developing guidance to use safety integrity level certification to supplement the commercial grade dedication of digital equipment.

So NEI is developing a guidance document based on EPRI research in this area and they're also working with NUPIC to establish a process for the oversight of these third-party self-certifying entities. NEI will be submitting a guidance based on their work for NRC's approval.

Staff believes that this use of third-party certification could establish a streamlined commercial grade dedication process and facilitate expanded use of commercial digital systems in nuclear safety application.

Slide 14, please. While working on the activities already described, staff is assessing our regulatory framework to look for innovative ways to address challenges and make broader strategic improvements benefitting all stakeholders.

Staff is performing a strategic assessment to identify impactful improvements activities consistent with Commission direction in SRM-15-0106 and associated recommendation by the Transformation Team on digital I&C. In doing so the staff will continue to consider the challenges and potential impediments that may be unique to specific digital I&C stakeholder communities.

We also continually engage the International Community of Regulators to enhance our regulatory framework. We are working with the international experts within -- through NEA, IAEA to develop consensus standards and guidance based on the best practices.

In accordance with the Commission direction, staff developed a design-specific review standard, DSRS, for NuScale design review that is safety-focused and uses risk insights. For the I&C design review the staff took into consideration all the lessons learned during licensing reviews of the new large light water reactor designs and emphasized the review focus on the fundamental I&C design principles of independence, redundancy, predictability and repeatability, and diversity and defense-in-depth.

Emphasis was also placed on a simple design that embraces the fundamental I&C design principles to most efficiently and effectively demonstrate compliance with the NRC regulation.

Building on these successes and lessons learned from the NuScale I&C design review, staff is embarking on developing design review guidance for the advanced non-light water reactor designs that is consistent with the NRC's principles of good regulation and statutory requirements.

And it's performance-based, technology-inclusive, risk-informed, safety-focused and allows for use of reactor design-specific principle design criteria.

Finally, we continue to look for improved approaches to incorporate risk insights into our decision making on digital I&C for licensing, design certification, and inspections. In support of modernizing the regulatory infrastructure staff has initiated important digital I&C research in the areas of risk-informing licensing, certification and oversight activities, research on technical basis for addressing common-cause failure concerns, and research on use of emergent digital technologies.

And to conclude our presentation I'll just turn it back to Margie.

MS. DOANE: Okay. So I'll wrap up quickly because I see we're a few minutes over.

So I just want to make it clear that digital I&C is a priority, a very high priority for me and for, as you can see the staff, and we recognize the need to bring a risk-informed mind set to these issues and to continue to look for new ways to embrace what the challenges are and to continue to look for new ways to address these issues. We want to enable the use of digital I&C in a manner that protects public health and safety.

And then I'd like to just conclude by thanking -- well, first of all, I'd like to thank all of these guys at the table, but also the other staff that have helped me get up to speed as the various perspectives on the Commission, talking about glazed eyes and things like that, you can imagine where I came to this issue. I've been drinking from a fire hose. This is just many issues and they've done a terrific job bringing me up to speed to give me confidence to ask a lot of -- I've been asking a lot of very hard questions, and I'm getting great answers. And I think we'll be able to look at this program holistically and continue to make progress.

I'd also like to thank the staff of NRR, Research, NRO, the regions, and OGC who have worked diligently on these issues. And with that, we're looking forward to your questions.

CHAIRMAN SVINICKI: All right. Thank you. Yes, everyone on the staff panel and all those NRC staff who helped prepare the information you presented today. We'll begin questioning again with Commissioner Baran.

COMMISSIONER BARAN: Well, thank you all for your presentations and for all your hard work. I know these are tough issues.

Some of my questions at least initially are going to be pretty similar to the ones that I asked on the first panel because I want to hear the staff's views on some of those same issues.

You all went into a pretty good amount of detail on these five guidance documents that are being worked on. And I want to get the staff's sense of if those five guidance documents are completed, how far does that get us? Do we see that as effectively resolving the key issues, or is it more of a short-term fix?

MR. BENNER: Thank you, Commissioner. I would say that the guidance documents address mainly these key near-term challenges. So opening up the aperture for using 50.59, writing some streamlined licensing guidance. The one area where I think it goes a little further is we are -- once we get the NEI submittal on commercial grade dedication and the adoption of an IEC standard in that area, that goes a little further.

So those are key things we need to do. The broader activities that were already envisioned in the IEP and some of the things that are envisioned in the rulemaking for transformation do go further because they would further open the aperture for how we would use international standards more broadly. It would go somewhat further in particularly for an advance reactor licensee to start with a much more clean sheet approach.

It would better enable that.

But I think there are other ways we could do some of that in the near term. But those other things would need to be done. There's still work to be done for if we wanted to adopt the IC standards, if we want to focus more on safety principles, we'll need to do that work. And whether we do that in guidance space or do that in rulemaking space is one of the areas where we would want to engage with stakeholders as to say, like you were asking, what's the best way to sequence some of those activities.

COMMISSIONER BARAN: I'm asking that right now in fact. When you're looking at it now, what is the best way to sequence those activities? I mean, I have heard this concern and I can see it that basically right now the staff is focused on these guidance documents. And that if we launch a rulemaking right now, we could lose focus on the progress we're making.

Do you share that concern? Are you envisioning initiating a rulemaking in the near term? Is that what you'd like the Commission to decide? Or do you see it being further down the road after we get a sense of how far we've gotten with the guidance documents?

MR. BENNER: We wouldn't push a rulemaking near term because I think particularly for this idea of -- I think you've heard from many of the stakeholders and I talked about in what's enabled our success.

IEEE-603 is a fine standard. Some of our implementation of it has provided challenges. If a licensee or industry or a particular vendor wants to leverage a different standard, particularly one of the IEC standards, there is a built-in provision in the regulations today in 10 CFR 50.55(a) to use an alternative.

So given how we're trying to look at these issues, we could open that aperture today without a rulemaking. So from the sequencing standpoint, could it be better to do that way now using that alternative path?

And then once we've demonstrated how that could be done, there could be a longer-term rulemaking to really institutionalize that. Sure.

So I think we have resources for the strategic initiative that, in all likelihood if we started doing a rulemaking sooner rather than later, we still have resources focused on the near-term guidance documents. It would be more on reshaping and reprioritizing those efforts we were going to do in the broader strategic modernization that we would devote to the rulemaking.

COMMISSIONER BARAN: It sounds like Ho might want to chime in. Or maybe it's less in sound and more in appearance. So what I'm trying to figure out is why I'm voting on this transformation paper, one of the recommendations is do a rulemaking end of July and see to set high-level performance criteria rather than bind us to IEEE. And I'm trying to figure out that's before us now.

Should I vote to say, yes, let's do a rulemaking. Or should I vote to say let's finish all these guidance documents, see where that gets us, and then decide whether to do a rulemaking. Does the staff have a view about which of those two sequences makes more sense?

101 MS. DOANE: Okay. So let me -- yes. Well, and the 1

view is we want to do both. Okay? Because we put this proposal before 2

the Commission and we said this is something that we think would be 3

transformative. So the sequencing of it is I think that we will lose progress 4

on the five guidance documents if we were to say, stop doing this and do 5

this, or if we were to divert resources to do these two separate things.

6 That's exactly right.

So what we need to do is if we were to do both, what we would need to do is what we have done is we've put this as the last milestone. And so we see it as a sequencing of already in the existing plan. We see the restructuring as a last milestone. So we see certain things that we're doing that will answer both questions. It would help us inform us how to create these high-level principles that we would put in this rule. But it'll also help us create a more flexible approach to our existing regulatory process. Okay?

So some of these things will be done at the same time and already are being done because some things support both efforts, some of the things that you learn. So those aren't the type of things that I'm talking about.

But if we were to have something where we just threw out all the rules and we try to come up with these high-level principles, at some point in this journey, and I can't give you an exact, precise place where we would do it. But because a rulemaking takes into consideration, as you know, you have to set up the rulemaking. We would have to think about how we would go about approaching it.

And a lot of things that aren't necessary for the technical staff itself that are working on these five guidance documents, they wouldn't necessarily have to be engaged. But at some point, you have to integrate the resources so that you have the right people testing your approaches. So the way I would envision a rulemaking is toward the end of this process, okay, in the individual action plan, a step 4 where it is right now, where it's contemplated right now, and taking advantage of what we've already known.

But to me, what we had contemplated -- and Dan is here if you want further comments on this. It's throwing this out and it would be -- not throwing out. That's not really a good word now that I just said we would build upon it. But it would be really trying to get ourselves to think about an approach in a whole different way.

And yes, there are alternatives in 50.55(a). But they're measured against IEEE-603. So you can continue to build flexibilities. But when we put this in the transformation paper, we believed that there was an approach that, like Eric was saying, that would broaden the aperture.

So yes, we want a rule. The timing of it would be toward the end of the action plan. And we would not do it in such a way to risk the resource of that.

COMMISSIONER BARAN: If the vision of the rule is that it would essentially allow licensees and vendors to use any number of approved standards as long as those standards meet the high-level performance criteria, does the staff foresee any major challenges with that approach? I mean, and Dr. Thomas, for example, in the first panel said, not all standards are created equal. Some standards are good; some standards are not so good.

Are we putting ourselves in a position where this kind of rule that we would have to have guidance on or affirmatively approve a large number of standards. And would that prove to be challenging or is that not how you envision this going?

MR. NIEH: I'll take a crack at that one, Commissioner. So I think in terms of looking at using different standards in the context of a broader rulemaking, to me, I've been trying to myself understand what this rule might look like. In fact, I wrote down a couple ideas down in my mind. Again, I'm not going to share them with you here but of what a performance based high-level rule could look like.

And I do think the concept you just described is possible to have, again, a high-level set of performance criteria. And if a standard does meet that, with the right guidance from the staff, I think it's possible to have that type of framework.

But what I wanted to point out, I guess, tying back to your other questions as well in terms of what we're doing now. I see what we're doing now is complementary to a broader rulemaking effort should the Commission decide to go down that path.

Moreover, if you did go down the path of approving a rulemaking to establish a higher level performance based framework, my feeling is we're still going to need to develop some implementing guidance so the staff can use it and the industry can use it in guiding their work.

In terms of the resources, from my perspective here, if there's a demand from the industry to conduct license amendment reviews to do major modifications to their facilities, that's a priority I would see for the operating reactor business line. And we're going to figure out how to do that first.

And again, as Margie says, we think we can do both. But I would not envision any situation where if I've got a demand for regulatory guidance and activity to introduce more digital systems in nuclear power plants, I would prioritize that over sort of the rulemaking efforts in terms of where am I shifting the technical resources to get the work done.

So I think, again, it's possible to do both. I would consider as the director of NRR that real time, real life upgrades using digital systems, that would certainly where I would focus my priority. And at the same time, we'd have to figure out how to continue through the rulemaking process too.

COMMISSIONER BARAN: I appreciate that. And I don't want to go too much over my time. But I thought the chairman made a good point about a lot of energy goes to, at NRC, trying to figure out whether we agree with a licensee that they've met a particular code and standard. And that's one of the reasons why we have a lot of guidance, right, to provide clarity to both our reviewers and to licensees or applicants about what do we think is going to be adequate to meet a particular standard.

And part of -- and this isn't -- I don't mean this as a negative concept about this concept or the rule. But I wonder whether if folks come in with 20 different standards under a rule, are we in a situation where to make this work in the real world, we've got to do 20 giant guidance document efforts to explain what would satisfy us under any of these standards? And is that going to be really hard?

MR. BENNER: Yes, I think our hope would be that because there are a number of different standards out there that people could use. Our hope would be that we could have some engagement with the stakeholders to narrow those things that they would most like to use. And you've heard IEC here a lot. There are areas where we agree that the IEC standards are very sound and we could do something to look at that and embrace that it would meet safety standards so that licensees could leverage that.

COMMISSIONER BARAN: It's probably manageable.

MR. BENNER: Yes. Well, that would be our hope. Truly, if all of a sudden everyone comes in because as you've heard there are standards in FAA, standards in automotive, international standards. So if everyone picked a different one and tried to come in with licensing actions to use all different ones at the same time, that would be an unmanageable situation.

MR. NIEH: Just one additional point, sir. This is already happening today in other technical areas, in other regulatory programs. So the concept is in my view not really foreign is I've looked at what other international regulators are looking at in terms of allowing different standards to meet high-level performance criteria.

Again, I think about what the chairman said in the external panel about having too much flexibility. That's something we need to be on guard for. But having the right performance criteria, like, what are we really looking for the standard to meet. Then it's on us to do our review to see if the standard does indeed meet that.

So to me, I see people are already doing it, maybe not so much in the United States in the nuclear industry. But I think it is done and it's possible.

COMMISSIONER BARAN: I've gone well over. Thank you.

CHAIRMAN SVINICKI: All right. Thank you. Commissioner Burns?

COMMISSIONER BURNS: Oh, it is on. Okay. So I still have the veil and I think I'll always have the veil on this issue. So this is how I would characterize what I've heard in some respects is that we see our ability to make progress in this is to be what I'll call a little bit of pretzel twisting. And that is we sort of twist ourselves -- stand there and twist ourselves into a pretzel to be able to make progress because we feel confined by either existing guidance, existing regulations and all that.

So the objective might be, and it might be through the transformation paper, to make us standing up straight again and doing it. Now, that's a rough metaphor, analogy, whatever you want to say. But then I hear that in areas like the APR-1400 and NuScale and some of the other things, we sort of made that progress.

So if you can, tell me what it is that would make -- what would be the regulatory change you would make that -- how would that regulatory change improve the way we've gotten there today? Now, maybe it eliminates, as I say, the pretzel twisting and the contortions we have to do. But that's what I'm trying to understand here. Because at one level, what I hear is, it's hard, it's hard, it's hard. But we can get there. And anyway, have at it.

(Laughter.)

MR. TANEJA: Okay. So to answer your question, the DSRS that we did for NuScale, it was a paradigm shift. Same regulation. The only thing that we changed was how we look at these things. The paradigm shift was our current practices are if a design meets regulation equals safety.

Here what we said was, is the design safe? If the design is safe, then demonstrating regulatory compliance is very easy. So that paradigm shift really streamlined the way that work progressed. It was the applicant embraced the concept so they really came in and they demonstrated how their design was safe. And so the complying with regulation was demonstrated. It was much easier to go around that way.

So maybe it is part regulation, the way they are structured. And maybe it's culture, the way we have been practicing how we do our business. So there is some of that was a mindset change and culture change that was helpful in that area. So it's a combination of things.

MS. ALVARADO: I just want to add one thing, and maybe this will help you see the pretzel untwist is that we need to really understand. And this we learn as we were working on this, like, the different communities that we need to serve. So for new reactors, we have our regulations, right?

So if I'm coming with a new design, I can do anything to meet that regulation, right? Like, if I require you to perform a D3 analysis for all your system, you can do it because you don't need to stop operation, you don't need to change anything. It's a blank sheet. You can start from zero.

The problem is for operating reactors is that they have a licensing basis that they need to meet. They have systems that are operating. They have regulations that they need to meet. So for them is where you see all these pretzel twisting trying to -- I want to change this system, but I have to fit in this box that we have set up by the regulation.

So that's something that has created the flexibility, innovation, transformation that we have seen in the new reactors that maybe we are not there.

MR. NIEH: Thank you, Commissioner. D3 is Diversity and Defense-in-Depth just for people following here. To get at your question on what regulatory change is needed, I think Dinesh raised a point that is very near and dear to me because I do feel that the way we're approaching these reviews can significantly have an impact on how much time we're spending and where we end up in the end and how long it takes us to get there. And from my perspective, I think it came up in the external panel the idea of reasonable assurance: trying to find every single ghost in the machine, eliminating all risk.

I think from what I've seen in the two months I've started to study this issue to look at how NRO is approached and how NRR is approached is I see that the mindset attribute is pretty significant. So I would not want to let that one fall off the table. And I feel that that falls onto the leadership of the people at the NRC staff in trying to guide this idea of enabling technologies and focusing on reasonable assurance.

But in terms of regulatory changes, Commissioner, I think other things that we're moving toward in doing now today are things that we could consider building into our framework such as early engagement with vendors and the industry at the design phase.

Again, you heard that before that that's a key element. I see it happening in other areas. Look at what we're doing in accident tolerant fuels. We're engaging with vendors up front, okay, and the licensees that are thinking about using those fuels. Again, that's all to have a more efficient review process. And I think we need to apply that philosophy in digital I&C.

And as I mentioned in the earlier remarks, I think, again, I don't know if this is rulemaking or not, but leveraging experience from other industries and technologies. I mean, we heard it very clearly this morning that a lot of industries are using these systems. And again, maybe they're not seeing as many common cause failures as we think that are really that likely.

So to me, as the director of NRR, I'd like to understand that better and to see to what extent that operating experience could be fed into the knowledge that we're trying to use in making a regulatory decision.

COMMISSIONER BURNS: Another question, there's a lot of talk of an old SECY paper which is kind of interesting, SECY-93 -- thank you -- 93-0087. And I got sort of mixed feelings from hearing some of the presentations and I think the staff is trying to, I think, build from it. But I almost got in some of the early presentations, I'll paraphrase Shakespeare, I come here not to praise 93-0087 -- thank you. I come here not to praise 93-0087 but to bury it.

How would you react to that? I'm just trying to put that in sort of context about where we're going. I'm going to Shakespeare Theater tonight anyway. But I hate to say it. It's a Comedy of Errors which I don't think is appropriate for this meeting. Anyway --

(Laughter.)

MS. DOANE: Maybe I shouldn't be the one going on top of that, Comedy of Errors. I would tell you that what we are trying to do so that we can get some efficiencies is not rework everything, okay, at this point. We're trying to make progress by using what we have and then seeing if it can propel us forward.

So the question we were asking about 93-0087 was whether we needed to go to the Commission to get some policy changes so that we could continue working. And that would've slowed us down just because we would've had to write a paper, right? We all would've had to look at this in a different way.

So when we say that it works for us, it works enough for us, what we're trying to say is -- and I think Eric did a good job or maybe he might want to say something in addition. What we're trying to say is these basic principles are good. But we have to bring this risk informed mindset, this culture change that is happening at the agency. I'm seeing it in many different areas.

We have to bring that to the principles in 93-0087. And we believe that we can, that it allows enough flexibility and it provides the basic framework that we need, that we don't need -- there's no policy issue. That was really the question. Is there a policy issue that needs to be resolved? And we don't see that.

So I hope that's -- so it's an answer. It's a "yes" and a "no". It's not -- if we use the same approach we were using in 93, that wouldn't be the right way to go. We know that. But if we use those high-level principles, those five guiding principles and our new mindset, we think that's a good path forward.

Eric, did you --

MR. BENNER: I would just echo that, that the strict language in the policy provides adequate flexibility and us looking at, okay, how can we more risk inform? How can we more use a graded approach? How can we more leverage international standards? We just need to do that. We don't need a change to the policy to enable that.

COMMISSIONER BURNS: Okay, okay. Last question I'm going to ask Ho having come back from NEA. And you've noted it a couple times. So who out there would you look to? I mean, we had the example of STUK in terms of their approaches. And I talked to Mr. Scott after the presentation. And it's not just about Olkiluoto. It's about other things they're doing. But maybe if you could give some more perspective on what you're seeing or where you think some of our perhaps learning might come from.

MR. NIEH: Thank you, Commissioner. So building on some other comments on the international experience, I still think there are opportunities to learn. It was mentioned in the earlier panel and perhaps briefly on this one too that there are some activities related to digital I&C bringing the international regulators together to look at what frameworks they're using to address common cause, what type of standards they're using.

And the playing field is not even in all countries. Some countries have more readily welcomed digitalization. We heard from an external panelist this morning. He was working at Pickering in 1979. Canada, it's interesting. You go north of the border, digital seems okay. You come down here, there's some challenges.

So I think learning from those experiences are really good in the case of Finland and Olkiluoto with their APR. The regulator at the time when they made the licensing decision, I guess it was some time ago, they did ask for an analog backup system to be installed. But having spoken with the head of the regulatory body more recently, I understand that the Finnish regulator, they've learned a lot more through the operating experience. And they might make a different decision today if faced with the same application.

So I think our continued participation in some of these international working groups will help us see the picture better.

COMMISSIONER BURNS: Okay. Thanks.

CHAIRMAN SVINICKI: Thank you. Commissioner Caputo.

COMMISSIONER CAPUTO: Hi. I'm going to start by thanking the staff. I know it takes a lot of time and effort to prepare for this kind of a meeting, particularly for those of us who have our eyes glazed over. So let me just start by paying you the compliment for putting the time and effort into today's meeting that you clearly have.

But as I was preparing for the meeting, I read a SRM from a Commission meeting in 2006. And the SRM Commission directed senior managers to engage industry and establish an NRC project plan with specific milestones and deliverables to address deployment of digital I&C, short term milestones. And the plan should address critical path actions. The long-term objective of the plan should be to establish regulatory requirements, standards, and guidelines as appropriate that allow licensees to implement digital enhancements without undo necessary regulatory burden.

Now, to me, this sounds a lot like the guidance that the Commission gave the staff in 15-106, the basis for the current integrated action plan that the staff has developed. So being new to the Commission, I obviously have to consider this issue from this new vantage point. But I will also make an observation that I made to the earlier panel.

From my previous position working in oversight of the NRC, I saw previous commissioners dedicate significant time, effort, energy, very earnestly believing that they wanted to solve this problem. And likewise, I'm sure previous NRC staff were just as confident that their plans would achieve a successful resolution of the issue. But here we are, 30 years into this issue, still meeting.

And so given the history here, I find it very hard to believe that this is a matter of resources. I find it difficult to think that this is really an area where we need to be spending a lot of research time because we've clearly been studying this for quite some time. I'm certainly confident we have the skills and expertise to solve this problem if we choose to.

So I guess that leads me to a question of leadership. Margie and Ho, you're new to your positions. Do you believe we have the will as an agency to solve this problem?

MS. DOANE: So thank you for that question because maybe it's the most important issue that we have to come to grips with because we do have the technical expertise. And I'm going to tell you, like I said -- and I understand where you're coming from. I sat in that seat. And before that, I was in an international position seeing just what Ho is seeing where our international counterparts are making progress on this issue.

And I believe that we are different today than we were in 2006. And here is the difference that I see all across the agency. We have a transformation mindset, an innovative mindset. And it's being embraced. And maybe it was sparked because we had to license to be a good regulator, right? We had to be reliable. We had to be predictable. We had to be efficient. Those are our principles of good regulation, and we did that with new reactors.

And we now know that we can bring that new mindset to these old problems and get through it. And I believe that that culture shift was what was missing. So that's part of it. That's part of it. And then I think part of it will be that once you get to that point that when you engage with these communities, you'll start to see some of these challenges as surmountable because we will be able to embrace the risk in a different way.

But I will tell you I'm seeing it all throughout my leadership here so far, it's difficult. We are good at putting things in place because we say, oh, there's a safety issue. I'm going to address it. I feel good. I addressed it. It's very difficult for us to then pare back from that. And that's what Eric was talking a little bit about.

It's harder for us. I'm just saying as a cultural problem -- not a problem but a cultural challenge. It's harder for us to then take things away and convince ourselves that we're too safe. So we did not have this culture shift. We didn't have behind us these new technologies that we have licensed. We didn't have this concerted effort going throughout the agency. And I see this as fundamental.

As leaders, we are going to have to continue to press this and make sure that we stay focused, maintain public health and safety, common defense and security. Stay focused but introduce these risk insights and this risk informed mindset. It's always been the goal of the Commission. I absolutely agree with you. What's different now is we're really concentrated on the mindset. And we are coming at that with training and tools and really thinking about, how do you really get there. I see that as the difference.

Ho, did you --

MR. NIEH: To answer your question, yes, I do believe the will is there. As Margie pointed out, there's a leadership issue and then there's also this mindset issue. And that's where the leaders come into play is to help bring the agency into a place where it can fulfill its mission for reasonable assurance of adequate protection and again look at its function in trying to enable these technologies. Because I do feel that we also as a regulator need to look at our role in nuclear.

Not in terms of promoting because we don't promote the technology. That's not our job. But if we're doing our jobs in a way that takes nuclear off the table for the private industry and policymakers to see if nuclear is an option going forward in the future, then I would say then we failed because we haven't conducted our control activities in accordance with the Atomic Energy Act to maximize the general welfare of this technology.

So kind of looking at things through that lens. And I think again trying to shift this mindset in terms of enabling while it's safe. How can we do this to make sure it's implemented safely? To me, I think this is an important part of the leadership challenge we have at the NRC.

COMMISSIONER CAPUTO: So I guess I'll start my next question by saying sometimes it's destination and sometimes it's a journey. In looking forward to the staff's revision of the integrated action plan, is it going to have a defined endpoint and are you confident that we will achieve a successful result instead of just progress? Is there an end to this journey?

MR. BENNER: Yes. It's not defined in the upcoming revision to the IEP. But Commissioner, myself, I'm somewhat new to this program. And I've been asking that question, what does the end look like? So we do need to have that discussion because we'll always be doing some process improvements. But I think for me a key factor in what will the end look like needs to be more stakeholder engagement because I think it goes back to what Commissioner Baran said.

We're doing a lot of stuff at one level. And once that stuff is out and is being used and we're verifying it's being used effectively and there's no implementation issues, that's a time we have to take a hard look at both what's left to do, and that could take the form of a rulemaking or policy change or whatever broader activity, and then what is the endpoint?

So I'm sorry to say the endpoint isn't currently defined. But I believe that particularly now that these tactical efforts are nearing completion and we'll get some runtime with them with the industry. That will put us in a much better place to align on what done looks like.

COMMISSIONER CAPUTO: Well, I'm a strong believer of beginning with the end in mind. So I'm glad to hear that. I guess the last question I would have is, with the end in mind, once it's defined, how are you going to measure progress in terms of, well, progress and results?

MR. NIEH: I'll take a shot at that one. Okay. Because I thinking about what success might look like and how --

COMMISSIONER CAPUTO: How do you know you're going to make it.

MR. NIEH: -- do you know. So I would make one point first that the fact that things are happening in the power plants today under 50.59. That, to me, is a step in the right direction. It's a positive trend. So things are happening. That's a good thing.

But in terms of what we're looking at here more broadly and what is success for digital I&C and my mind as I was thinking about your question, Commissioner, success would mean to me that we have a level of proficiency in doing DI&C license amendment requests and reviews and digital is not, quote, a special topic anymore. Okay? We're proficient at it. We've got it built into the systems. The licensees, applicants have a framework that they clearly understand. They have a good sense of what the expected review time would be like.

So in my mind, as we're developing and doing these things that are making our guidance more clearer, our expectations more clearer, the engagement we're having with the industry. Once we start seeing more licensing activity coming in, I think that's what we're going to need to measure ourselves. Again, are we doing these consistently on time? Are they predictable? Are we looking at different systems that are generally the same and asking a bunch of different questions?

So those are the types of things in my mind that I would look at in terms of trying to figure out are we having success? And I do want to point out that we do have some technical work ongoing in NRR with digital systems. We have a number of topical reports that we're looking at. And we've all pointed out at the table today there's things that we've done in the office of new reactors as well.

So I think once we start getting more proficient again. If the industry has the confidence in us that we do have this new mindset and we do have clearer understanding of the expectations, once we see the increased activity in the licensing work, I think that's what we're going to need to measure.

COMMISSIONER CAPUTO: Thank you.

CHAIRMAN SVINICKI: Thank you. Commissioner Wright, please proceed.

COMMISSIONER WRIGHT: Wow. Thank you, everybody. It's been very interesting, a little deep. And I'm coming away with more questions than I came in with. And Margie, I appreciate the comments you made. And the transformation thing, one of the things I'm struggling with is, what are we transforming to? It just seems like -- I mean, I know we're trying to make progress. And what's the endpoint? I hope it's not 30 years more.

We've already heard from the first panel that the industry doesn't really want to be -- the licensee doesn't want to be the first up because of the experience that we heard that Oconee had. And I asked the question earlier how and you've talked to it a little bit a couple of times here already when I was asking about the reasonable assurance of adequate safety versus zero risk.

And we heard in the first panel that they felt like it had been leaning more toward zero risk thing looking for the ghosts everywhere. But they did say that the transformation team that was working on this stuff that it seemed like there was some progress being made.

Can you speak a little bit more to that, either one of you, anybody really?

MS. DOANE: Okay. So I'm going to start at the higher level obviously because -- and maybe I'm fortunate in that I don't understand the complexities at the level that these very smart people that are flanking me on both sides have. So I'm coming at it more from a process perspective.

But what I will tell you is that I don't think any of us sitting here would say that our approach over the last few decades because, right, the military has been using digital I&C equipment since I heard the '50s. I don't know if that's true, but I hear different things all the time.

So we wouldn't defend that some of the approach, while we call it risk informed regulation, that some of our approaches had really been risk informed. Nobody is sitting here defending that. In fact, it's just the opposite.

So what the transformation effort is doing is it's trying to -- that's right -- it's trying to reeducate the staff at a fundamental level. I don't know if you had an opportunity to see a letter that Fred Brown had sent to his staff and NRO about adequate protection. And just the fundamental rethinking of what adequate protection means versus zero risk. And it's complex to discuss these issues, but we have to continue to do that because that's how we're going to get this shift.

And so what you'll hear now very commonly when you come into meetings is you'll hear, okay, before we start this endeavor and we start all this big project and we put all these resources in, what's the risk? And then once we get to that, we start to unpeel what's the action that we should take. And that is very real in this group.

So we aren't there from an agency. We're not there. But we have a lot of people who already are. And we're continuing to work on these issues, and it takes a different forum and a different presence depending on what the area is. And for something like this which is very complex, many different communities, many different perspectives. You've heard Mr. Thomas, he had a completely different perspective.

So I think that when you say, where do we want to be? I was thinking last week, I want to be where the airline industry is. There's all these planes flying around. They're all digital. We're saying, that's where I want to be. But then Mr. Romanski came up today and he said, well, we have some software. Yes, we have this. But then there are these other few items that we haven't cracked the nut yet. And I thought, oh, okay.

So what that tells you is you need a framework that not only solves the issues for today but that may be at a high principled level. I don't remember exactly what he said. I think he said that addresses overarching properties and lets us work within that.

But on your philosophical question about where are we transforming to. We're transforming to a place where we can be -- we understand. There are new issues coming in from existing licensees, advanced reactors. Now, they have questions from the vendor community.

We're transforming to a place where we can answer these questions in a predictable, reliable, and effective and efficient way.

Those are all words I'm throwing out. But what I'm trying to create as a vision for you is that we will get more comfortable as we challenge ourselves to really start with this question of, well, where is the risk here? Where is the gap? What are we really trying to fill?

We're going to get to that, that high-level vision that we can get these very vexing questions, very hard questions in and we can resolve them. And they really do take risk insights into consideration. We make good decisions that maintain public health and safety. But you're right, they aren't directed at zero risk which we know we can't achieve anyway.

COMMISSIONER WRIGHT: Do you have anything to add at all, Ho?

MR. NIEH: Maybe just one point. I was also going to mention the memo that my colleague, Fred Brown, issued. I thought that was a great memo. In fact, we even talked about that's something that should've gone to both business lines. And so reemphasizing those things were really good.

I just would add one point that came up in the early panel about the what ifs and what FAA had talked about is we defined when you stop the testing process. And I think that's what we need to do here, sir, quite frankly is that we can keep asking what if, what if, what if. Okay. I was a former inspector. I mean, my mantra was go out -- they told me to go out and find problems.

And I think you can go out and find problems. But not all problems are the same size. And I think that philosophy applies to sort of the what ifs. I mean, you can keep asking what ifs to the nth degree. But some of those what ifs are not going to -- even if you get the answer, it really isn't going to improve the whole safety review process.

So I think there's that mindset to say that you know what? What we have is sufficient to make a regulatory decision. There are a few what ifs left of the table. Let's move on from that. Again, that's where the leadership comes in. That's where the first-line supervisor comes in. And it's a discipline that we have to apply in the process. It's the same thing with the refocus on backfit. I kind of see it very similar.

COMMISSIONER WRIGHT: Yes. Well, and Dinesh had mentioned it and the other technology, the paradigm shift. If it was proved safe, then the rest of it could be done. So I'm hoping that we can get there when the operating reactor side of things because I know that's where it's stuck.

I want to go to one other thing. And Eric, while I've got the time left here. On the software side of things, I've heard -- and Dinesh was speaking more of third-party certification in relation to the commercial grade dedication stuff. So when we're looking at third-party verification or certification, would it help in the software part to have third-party certification in the development process of this?

MR. BENNER: I think it would. I mean, that's one component of it. I think this whole idea of what level of quality control and quality assurance is necessary is also built in to the certification process.

So I think that would be a contributor to giving us -- I mean, you've heard a lot here of we have the standard of reasonable assurance. And you heard a lot of stakeholders talk about adequate confidence.

And those obviously aren't the same two phrases. But at the end of the day, that's where the convergence needs to come. Do we have confidence that software was developed in an environment that allows us to say, yes, that's good enough and that allows us to make a reasonable assurance finding.

COMMISSIONER WRIGHT: So what do you think we would need to leverage that approach?

MR. BENNER: Well, right. On the particular aspect of the self-certification being envisioned, EPRI is currently evaluating that. NEI is going to take the results of EPRI's research and make a proposal to the NRC. So we're just waiting for that. Instead of us independently figuring that out, industry has said, here's how we want to approach it. And we've said, wonderful. That's in the IEP with really a placeholder for getting that product and doing a review.

But I mean, the staff is pretty energized about that aspect because we agree. There are these vendors making good stuff out there that are doing it under the auspices of IEC. And anything we can do to allow that good stuff to be used by our domestic licensees, we want to try to

COMMISSIONER WRIGHT: Good.

MR. BENNER: -- enable that.

COMMISSIONER WRIGHT: Okay. Thank you.

CHAIRMAN SVINICKI: Well, thank you all again. It's been, I know, a long morning. It's been a really interesting morning. I just want to share a few thoughts on some narrow things and then make some observations. On the break, as we reset between the panels, I had mentioned earlier that the FAA had talked about some sort of staged engagement that they found really useful with vendors of digital technologies. And I compared it to our regulatory engagement process with advanced reactors.

I was informed, though, that -- and I want to give the staff credit for this. I was informed that something akin to that does happen in terms of pre-application meetings with the software vendors and the designers of these platforms and that there's also topical reports. I think it was mentioned to me but then I thought of that later. So I think we have some surrogate things. So I didn't mean to depict that there was no concept that was akin to this that was happening.

Also was commented to me by one of our vendor presenters on the prior panel that it's extremely useful, both of those things, that opportunity for topical reports and the pre-application engagement is something that can really help make success of a much greater probability.

I want to state that I'm still kind of going back and forth. My colleague, Commissioner Baran, has asked good questions about rulemaking versus what should we prioritize. The human capital aspect of this is we tend to forget. We think that we have legions of people doing this. We don't. The industry doesn't. So we do need to approach that with thoughtfulness. And I don't know that Commissioner Baran got answers that allowed him to take a firm view as he walks away from the meeting either. There's a lot to think about there.

I would note, though, that the staff requested a number of years ago to create different centers departing from the kind of office structure and program structure that we have. One of those is the center for rulemaking. And the concept behind that, as I understood it, might align really well with what we've been talking about today. It was, as I understood it, to say, okay, you have deep experts that are going to be the subject matter people on something on which we want to engage a rulemaking process.

But they're probably doing other things. They're probably doing day-to-day safety reviews, reviewing topical reports, doing pre-application engagement. How could we take the mechanical processes of rulemaking and have a center where people were truly expert in rulemaking itself and they could be kind of harvesting things from the ongoing work of the experts, plugging that in, maybe not doing every provision of a draft rule. But they could be easing some of that for the people who are the pure subject matter experts. And it was kind of a specialization to let some people focus on rulemaking.

That may be actually be something that could be a key enabler for us here if we wanted to walk and chew gum at the same time. I didn't want to use that parallel. But if we wanted to at least begin the beginning mechanical stages of a rulemaking to capture whatever are going to be the high-level performance based objectives for the new paradigm shift, we could do that. We could keep the experts focused on completing the other documents and maybe just be extracting the learnings.

I think either Ho or Margie talked about, we're going to draw from the guidance work and the other things. And we would put that into a rulemaking. So we may be able to keep some things in parallel and not have to do everything in series.

And I just wanted to -- I think -- as I prepared for this meeting, I thought that it may be that the staff, all their hard work of all the years that I've been watching them struggle with a lot of this, they may just be turning the corner. And in some ways, it's the worst possible time to sit in EDO on a Commission and others and we have to opine and all the struggles. And we draw a lot of attention in the rearview mirror, like, where have we been and how hard it was.

I share the view of the director of NRR, of the executive director for operations. I do see things happening here. Two papers I'm working on right now as the staff has before the Commission, kind of a paradigm shift, new thinking or the recognition that new thinking is possible on physical security for advanced reactors. And I'm not going to remember the SECY numbers of these papers. It doesn't matter.

Another one is a concept called functional containment meaning, is there something about new fuels and new reactor designs that would allow us to think very differently about something that is such a touchstone that we do, that concept being containment? Could we think differently about that?

So I don't want the staff -- I think it was really valuable for the Commission to focus on digital I&C today. But I see the same kinds of things that when the staff says, we're in a different place today. I see it as well. It's not just this topic or the two I just mentioned. It's a lot of different things that we're doing.

And I think the other difficult thing about transformation is that there's this optic that somehow it means that you were wrong before. You were misguided or you had some sort of enlightenment. I think it comes from Alice in Wonderland where she says to the Cheshire cat or somebody. She's like, it's no use talking about yesterday because I'm a different person today than I was yesterday.

Because we're all having experiences and we're learning things. And I think at NRC, the concept of continuous improvement may sound a little trite. But it is part of the culture here. And so we can fundamentally look at something differently today. It doesn't mean that the fact that we candidly wrap ourselves in the warm blanket of a lot of our prescriptive deterministic types of approaches of the past. As a result, the United States has an amazing nuclear power safety record. So obviously, those efforts were not misguided in every dimension.

But that, I'd also note that I think people at NRC are more aware today that the world has not only been changing outside our doors and the nuclear technology, the enterprise, the knowledge base. It's changing at a pace that is quicker. Whether or not -- I came here when NRO, the New Reactors Office, just had been stood up. We were populating that with all kinds of competencies. We were bringing and hiring a lot of people from the outside.

We find ourselves in a different place today due to things that are outside of NRC's control. But I think that the merger of NRO and NRR is, of course, a product of the fact that we do not, in the United States, have the kind of nuclear renaissance that we were preparing ourselves for.

But whatever the cause of that merger, I think that the result is going to be a further strengthening of our core capabilities. It may be that the reason we're doing it is a changed circumstance outside our doors. But I think when I hear that we're going to be bringing together experts who worked on digital I&C and new reactors and the experts, their colleagues who worked in a different office in the operating reactor venue. I think that we're going to have the reinforcing and the multiplier of bringing them together, and there's going to be a lot of positive, synergistic things that will come from that.

They're going to get to compare of why did you come at it that way and I came at it this way. But I think at the end of the day we're going to bring together the experts that we have in these areas. And I think it's going to just amplify and strengthen our progress on a lot of different things we're working on.

And I'm going to maybe pick on Ho on just one thing. You were mentioning, when do we stop the testing process. I know you're drinking from a fire hose. But could I suggest to you that you look at something called GSI-191 which has also been going on for the entire tenancy of my time here.

Now, the inspector general is doing a review of our generic issues program. I suggested that we look at how do we define an issue when we start. Let's begin with the end in mind. When will we have settled the question? If you learn new things along the way, you can always open another generic issue.

But we have generic issues in this agency that have decadal time frames. And I think it doesn't serve us well and it doesn't serve us in terms of the confidence that the American public should have in us if we have a question and we can't answer it in 10, 15, or 20 years.

I think it reflects inaccurately that we don't have enough knowledge and confidence about what we're doing. That's not true. But it sure is going to look that way when you can't answer a question after all that time. We can't keep redefining the question along the way or we're going to have these very, very prolonged types of open issues.

So I think the GSI-191 digital alliance, a lot of these things are transformative paradigm shift is going to bring I think enhanced progress to a lot of things that we're doing. And I think once you kind of step back and the culture changes a little bit and people start having a feeling that they have the freedom to step back and look at what they're working on in a new way. I think that you begin to see that you don't have to keep doing all the steps individually because it just becomes sort of an atmospheric and it helps you on a lot of different things.

So again, I know that I even began by talking about what a struggle this digital I&C thing has been for NRC. But I'd like to just end with a note that we are -- I think maybe we are at a point where the progress is going to not continue to move linearly on digital I&C. We're going to start having some step change in making progress on issues. I think that's true with other things we're working on.

Dan Dorman's name came out a lot because he ended up hearing about his transformation work. We will have as soon as next week a Commission meeting on a lot of the transformative ideas that the staff had but other ideas as well. So we will be taking Dan's name in vain on Monday morning. So tune in if you care to hear about that.

But again, I thank staff for all the work we're doing for the progress that I also see that we're making on any number of topics. And I think going forward the Commission hopes that its interest in the matter will be helpful. If there are things that we can do, please be letting us know because I do think that we want to enable your success on this in any way that we can as a Commission.

And if there is nothing else from any of my colleagues, with that, we are adjourned. Thank you.

(Whereupon, the above-entitled matter went off the record at 12:42 p.m.)