ML22298A012
| Person / Time | |
|---|---|
| Issue date: | 10/20/2022 |
| From: | NRC/OCM |
| To: | |
| References | NRC-2126 |
Official Transcript of Proceedings
NUCLEAR REGULATORY COMMISSION
Title: Stakeholder Outreach Meeting on the NRC Staff's SECY-22-0076 Regarding Expansion of Current Policy on Potential Common-Cause Failures in Digital Instrumentation and Control Systems
Docket Number: (n/a)
Location: teleconference
Date: Thursday, October 20, 2022
Work Order No.: NRC-2126
Pages 1-83
NEAL R. GROSS AND CO., INC.
Court Reporters and Transcribers
1716 14th Street, N.W.
Washington, D.C. 20009
(202) 234-4433
UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
+ + + + +
STAKEHOLDER OUTREACH MEETING ON THE NRC STAFF'S SECY-22-0076 REGARDING EXPANSION OF CURRENT POLICY ON POTENTIAL COMMON-CAUSE FAILURES IN DIGITAL INSTRUMENTATION AND CONTROL SYSTEMS
+ + + + +
PUBLIC MEETING
+ + + + +
THURSDAY
OCTOBER 20, 2022
+ + + + +
The Public Meeting convened via Video-Teleconference, at 2:00 p.m. EDT, Bhagwat Jain, Moderator, presiding.
NRC STAFF PRESENT:
BHAGWAT JAIN, NRR
ERIC BENNER, NRR
NORBERT CARTE, NRR
SAMIR DARBALI, NRR
KHOI NGUYEN, NRR
RICHARD STATTEL, NRR
DINESH TANEJA, NRR
SHILP VASAVADA, NRR
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
ALSO PRESENT:
MOHAMMAD ALAVI
ALAN CAMPBELL, NEI
JERRY MAUCK, JLM Nuclear I&C
WARREN ODESS-GILLETT, Westinghouse
KEN SCAROLA, Nuclear Automation Engineering
CONTENTS
Introduction & Opening Remarks
NRC Presentation
Open Discussion
Opportunity for Public Comments
Staff's Recap of Feedback
Next Steps/Closing Remarks
Adjourn
P-R-O-C-E-E-D-I-N-G-S
2:00 p.m.
MR. JAIN: Hello. Good afternoon. It's 2 o'clock. My name is Bhagwat Jain and I'm a senior project manager in NRR's Division of Operating Reactor Licensing. Along with Michael Marshall, we perform the project management function for all things digital in NRR.
For the background for this meeting, this is our third public outreach this year on the Staff's proposed expansion of the CCF policy on SECY-22-0076. That is now with the Commission for wording.
We have had two public meetings on CCF proposed policy earlier this year. One in mid-February and the other one in early June. We also briefed the ACRS Digital I&C Committee, once in May and then in late September. The ACRS provided very valuable feedback to the Staff.
During the last ACRS briefing in September, the industry had provided some feedback on some aspects of the proposed expanded CCF policy. Today we will continue with that dialogue with the stakeholders to hear their perspectives and feedback.
Today's meeting is scheduled for two hours. The staff encourages stakeholders to provide comments and the feedback. You may submit your comments or feedback via email to myself or Michael Marshall. Our contact information is provided in the public meeting notice posted on the NRC public website and on the chat.
With that, I'm looking if some of the key part presenters are here. We will display the presentation. Those who did not have access to Team video portion, you can download the presentation using ADAMS ML number for the presentation. Okay, the ML Number for staff's presentation is ML22291A015. I will repeat again. It is ML22291A015.
As I said before, this information is also provided in the chat. And the public meeting notice posted on the website. If you have comments on feedback on any aspect of this meeting, please contact me or Michael Marshall and we'll provide you the necessary forms.
With that I'll go over a couple of points of etiquette. Please allow the presenter to make the presentation. There will be an opportunity to ask questions or provide comments after the presentation. If you are not speaking, please keep your cell phone on mute and turn off your video please. When you speak, please identify yourself.
Now with that I will then start with some introductions. We have exactly from NRC in the meeting Eric Benner. The director of division of engineering and external hazard.
Today's presentation is led by Samir Darbali. Samir is the I&C tech staff in the Division of Engineering and External Hazards.
We have several other NRC staff on line. As they contribute to the meeting they will introduce themselves.
With that I will now request Eric Benner to make some opening remarks. Eric, please.
MR. BENNER: Thanks BP. And thanks everyone. Like BP said, this is the third of a series of meetings on this specific topic.
We're in an interesting space because we have provided the paper to the Commission now. So it's before the Commission for voting. But there has been ongoing dialogue about the contents of the paper. Both, like BP said, at the ACRS. And NEI provided a letter with some of their feedback.
So we do want to keep this dialogue open, so I'm going to steal some of BP's thunder and I'm going to look ahead to Slide 4 and say the purpose of this meeting is to summarize what's in SECY-22-0076.
We intend to do that pretty briefly because going into this I thought that most of the people who would be at this meeting were people who were at some of our previous meetings. But I know we're up to 76 participants. So I think we have some additional participants on this meeting.
So our summary will be pretty high level, but like BP said, we can go into a little more detail so that everyone understands what the paper proposes or doesn't propose.
We also want to share, because at the ACRS, the latest ACRS subcommittee meeting that we heard, the ACRS had some feedback and questions. And we have the answer to those questions, and we've provided that to the members. But we also just want to make sure all the stakeholders are aware of the answers to those questions.
We want to do a little deeper dive because it seems like some of the area of concern is on what we call Point 4 in the policy. And that deals with manual controls and displays. And what that part of the policy requires, or doesn't or, you know, how it influences, how we conduct our reviews. And then, like BP said, it's open dialogue.
It's going to be us certainly answering any questions that people have on any of the things contained in the SECY or any of our other supplemental information we'll provide today. But also to hear the feedback from the stakeholders on any of those items.
And I know that the meeting today is being transcribed. Again, I might be stealing some of BP's thunder because we want to have everything on the record so that as we move forward, you know, either on potential implementation or on any supplemental communication we would want to have with the Commission, we want to make sure we're getting the record straight.
Because I will say there has been some ambiguity in some of the discussions we've had. And we really, we really do want to try and get it down to precisely what people's concerns are, what their requests are, that sort of thing. So we really know exactly where there might be just areas where we need to clarify things. Or are there areas where we truly have disagreements with different stakeholders and why those differences exist.
So that's my preamble with that. I'll turn it back over to BP.
MR. JAIN: Well, with that I think Samir is going to make the presentation. Samir, would you please?
MR. DARBALI: Thanks, BP. And thanks, Eric. Just for awareness -- you can see the slides, right?
MR. JAIN: Yes. We all can.
MR. DARBALI: Okay. Yes. And just for awareness, Jerry and Tom, you have your cameras on. I don't know if you intended to do so, but just so you know.
PARTICIPANT: Are we going to record this?
MR. JAIN: This is being transcribed. The meeting is being transcribed.
PARTICIPANT: Okay.
MR. DARBALI: Thanks, Tom. Jerry, your camera is on but it's all blank. It's a black screen. Just FYI.
So, good afternoon, everybody. Here is an outline of this afternoon's presentation. So we'll briefly go over the recent activities in the development of SECY-22-0076.
Eric already covered the purpose of the meeting. We'll provide a quick summary of the proposed expanded policy. Which I believe most here have now become familiarized with, but as BP and Eric said, if we need to look at some specifics we can do that.
We'll address the staff's position on the questions we received during the ACRS Digital I&C Subcommittee meeting. We'll talk about the applicability of Point 4 and provide some clarifications. And we'll proceed with the open dialogue portion of the meeting.
The staff recently issued SECY-22-0076 on August 10th of this year. The SECY proposed an expansion to the digital I&C common cause failure policy. Which is contained in SRM SECY-93-087. Shortly after issuing the SECY, NEI provided a letter to the NRC with comments on the staff's position contained in Point 4, regarding diverse and independent main control room displays and manual controls.
The staff and NEI briefed the ACRS Digital I&C Subcommittee in September of this year. And the staff is scheduled to brief the full ACRS on November 1st.
The SECY is currently under Commission review. And the staff is waiting for Commission direction through a staff requirement memorandum, or SRM.
We already covered the purpose of the meeting, so in Slide 5 we have the staff's key messages. That the proposed expanded policy in SECY-22-0076 encompasses the current four points of SRM SECY-93-087 with some clarifications. And expands the use of risk-informed approaches in Points 2 and 3.
Points 1 through 3, and Point 4 of the policy, address two facets needed to ensure the safe operation of the plant. Points 1 through 3 ensure Digital I&C systems are sufficiently robust to adequately cope with a CCF. And Point 4 ensures operators can manually control critical safety functions, even in the event of a Digital I&C CCF.
Point 4 already incorporates an implicit element of risk-informing, as it only focuses on those critical safety functions needed to ensure the safety of the facility.
The expanded policy is intended to be technology neutral and applies to any reactors licensed under 10 CFR Parts 50 and 52. And this includes non-light water reactor designs.
We acknowledge that the critical safety functions listed in SRM SECY-93-087, SECY-22-0076 and Branch Technical Decision 7-19 may not be the appropriate set for all reactor designs. However, the SECY does provide for the use of regulatory tools, like exemptions and alternative, to accommodate for reactor designs with different critical safety functions.
And finally, if the staff encounters a reactor design where the policy would not be applicable, the staff will engage the Commission as appropriate.
Here is the figure that shows the single expanded policy that encompasses the current position in SRM SECY-93-087. And provides for risk-informed approaches in Points 2 and 3 to address Digital I&C CCFs.
The current path on the left in green allows for the use of best estimate analysis and diverse means to address a potential CCF. While the risk-informed path on the right allows for the use of risk-informed approaches. And out of the same technics for measures, other than diversity to address a potential CCF.
The ACRS Digital I&C Subcommittee provided some questions to the staff during the September meeting. The first question is, would the revised policy be applicable to advanced reactors? And the response is, Yes. The policy would be applicable to advanced reactors licensed under Parts 50 and 52.
The second question is, Do aspects of the policy for which the staff did not request a change carry forward unaltered? And this question was focused mostly on Point 4. Specifically the Commission stated in the SRM to SECY-93-087 that the requirements in the SECY-93-087 for the diverse displays of manual controls to be hardwired. That this requirement was highly prescriptive.
The ACRS noted that SECY-22-0076 was silent on this matter and wanted to know the expanded policy, maintain the Commission's direction for, from SRM SECY-93-087. And the answer is, Yes. The staff intended to maintain the Commission's direction regarding this matter.
The last question was, Might different reactor types warrant consideration of different critical safety functions? And the answer is yes. The expanded policy is intended to be policy neutral, but it relies on the staff's licensing experience and assumptions about the design of the facility. Such as the presence of a main control room.
We recognize that the critical safety functions listed in the SECY and BTP 7-19 might not be appropriate, an appropriate set for all reactor designs. Again, the staff has existing regulatory tools, like acceptance and alternatives, to accommodate designs with different critical safety functions.
If the staff encounters a reactor design where the policy will not be applicable, the staff will engage the Commission as appropriate.
On Slide 8 right now. And this slide shows that Point 4 is already risk-informed because it requires diverse displays and manual controls only for those critical safety functions performed by the Digital I&C system.
This means that Point 4 does not apply to noncritical safety functions performed by the system. And it does not apply to critical safety functions that are not performed by the digital system. So you can see it's only that scope of critical safety functions performed by the system, which are applicable under Point 4.
Point 4 is further risk-informed because it does not require the display, the diverse displays and manual controls for critical safety functions to be safety grade.
Here is some background on the staff's position on diverse and independent main control room displays and controls. In the original SECY-93-087, the staff recommended that safety grade displays and controls located in the main control room are hardwired to the lowest level of the safety system architecture be provided for a manual system level actuation of critical safety functions and the monitoring parameters that support the safe functions. Those displays and controls should be independent and diverse from the safety computer system identified in Points 1 and 3 of the policy.
Now the staff made this recommendation because such controls and displays provide the plant operators with unambiguous information and control capabilities to enable the operators to quickly mitigate the effects of the postulated CCF.
The control room would be the center of activities to safely cope with the event. And the design of the plant should not require operators to leave the control room for such an event. Again, this is what the original SECY-93-087 proposed.
In its direction to the staff, the Commission's SRM to SECY-93-087 modified the policy to permit non-safety grade displays and controls, and more flexible architecture and implementation. Such as not needing the displays and controls to be hardwired.
But the Commission supported the staff's recommendation on diverse displays and controls for critical safety function. And the staff continues to believe this position remains appropriate to provide reasonable assurance of adequate protection.
Again, Point 4 already incorporates an implicit element of risk-informing as it focuses only on those critical safety functions needed to ensure the safety of the facility. And also because it allows displays and controls to not be safety grade and to not have to be hardwired.
Requests for exemptions or alternatives provide avenues for applicants to request a deviation from the regulations, based on risk information on a case-by-case basis. And again, if the staff encounters a reactor design where the policy would not be applicable, the staff will engage the Commission as appropriate.
And here on Slide 11, this slide shows that the points in SECY-22-0076, as well as the original SRM SECY-93-087, are intended to address two facets that are needed to ensure the safe operation of the facility.
Points 1 through 3 address the protection against Digital I&C CCFs to cope with the loss of a safety function. Whereas Point 4 allows operators to take manual actions of critical safety functions when needed after a Digital I&C common cause failure.
If a Digital I&C CCF is not properly addressed, it can affect both a digital system as well as the manual controls and displays. The four points of the policy, when taken together, provide criteria for the assessment of diversity and defense-in-depth against CCF and ensure Digital I&C CCFs do not defeat safety functions and do not impede operators' ability to take manual actions when needed.
And that concludes the staff's presentation. And we can open it up for questions and dialogue. Thank you.
MR. JAIN: So the floor is open for discussion on NRC's presentation, so --
MR. DARBALI: Go ahead, Alan.
MR. CAMPBELL: Hey, good afternoon. This is Alan Campbell with NEI. First, thank you all for hosting this meeting and having this open discussion. I think it will be very helpful in helping us to better see the different points of views that we both have.
When we review the presentation, I'm reflecting back on the June 8th stakeholder meeting when we were talking through the initial, I believe it was the outline and initial presentation to the ACRS at the time. And we had a discussion regarding Point 4.
And at the time the industry provided a concern regarding a separate analysis that's needed for Point 4 and how that relates to the analysis in Points 1 through 3. At the time the NRC staff responded with the, with a statement that it's not intended to be a separate analysis, that they're meant to be, Point 4 is meant to be integrated in with Points 1 through 3.
It appears, you're showing Slide 11 here, and it appears that we're back to where the industry's initial concern was with this being a separate analysis that's different from Points 1 through 3 and Point 4.
MR. DARBALI: Right. So thanks for the comment, Alan. And I'll take a crack at it, and somebody else from the staff can also chime in.
So just because Point 4 is intended to address a separate safety aspect doesn't mean that it requires a completely different analysis. So when you do the analysis for, you know, Points 1 and 2 and then in Point 3 you identify how you're going to cope with a potential CCF, in that aspect you can identify which are your critical safety functions and you can identify if those critical safety functions have a diverse manual control and display. It doesn't require an entirely different analysis.
And again, you're not looking at the entire facility's critical safety functions, only those that are modified by the digital upgrade.
MR. CAMPBELL: Okay. So --
MR. ODESS-GILLETT: Alan, this is --
MR. CAMPBELL: Go ahead, Warren.
MR. ODESS-GILLETT: Okay. So, as you know, the current way in which one performs the D3 analysis is to analyze each safety analysis event.
And then to determine what you have available in the plant to protect it using the criteria. The relaxed criteria. And so that analysis is a different, is a different set of inputs for the analysis and results in a different set of outputs for the analysis.
And then Point 4 doesn't even look really at your safety analysis, so much as looking at, okay, we have these critical safety functions we need to maintain. So it's a different set of inputs. And what manual controls we need to maintain those critical safety functions.
And so in my opinion, it appears to be, it ends up being two separate analyses because you come up with two different sets of outputs.
MR. DARBALI: You're right. And thanks for the question, comment, Warren. You are coming up with two separate outputs or conclusions, but, and if you want to call Point 4 a separate analysis, okay, but it's not an analysis to the level of the analysis that you're performing for the first three points.
Of course, you know, I think the bulk of the experience, both in the licensee side and the staff side, when we're looking at these digital upgrades have been with operating plants. And so those plants already have those diverse manual controls because most of the mitigations we've seen, you're not replacing the actual controls in the control panels.
And in that sense, that point, how you're addressing Point 4, it doesn't require a lot of work. Because you can just say, look at our architecture. We're not ripping out controls from the control panel, therefore those controls still remain. And they're not part of the digital mod itself so they are diverse.
So there are different ways in which point, the information to justify Point 4 can be provided or extracted from the architecture.
MR. ODESS-GILLETT: I --
(Simultaneous speaking.)
MR. CAMPBELL: Go ahead, Warren.
MR. ODESS-GILLETT: Is it okay?
MR. CAMPBELL: Yes.
MR. ODESS-GILLETT: Okay. I don't want to monopolize.
MR. CAMPBELL: Go ahead.
MR. ODESS-GILLETT: But in fact, even if they're hardwired controls, they still, even to meet IEEE 603 they need to go down to a level of the architecture. As you even point out here, that is susceptible to a CCF and therefore you still need this other analysis to then determine what manual, diverse manuals and controls, displays and controls, I need in order to maintain the critical safety functions that will require a second interface to those same, let's say ESFAS components that your safe system has to interface with.
So, even if you have, so my point is, even if you have manual controls, I mean hardwired controls, they typically still go to a low-level portion of your Digital I&C safety system.
MR. DARBALI: Understood. And I suppose that's, you know, dependent on the application.
MR. ODESS-GILLETT: Yes.
MR. DARBALI: Okay. I guess, you know, one clarification we've been wanting to make since, you know, Alan, you pointed to that, I believe the June meeting, is that we had, we thought some licensees were interpreting Point 4 as to say, hey, for Point 3 I'm crediting manual actions. Because I have those controls, those actions can be performing in a timely way so I'm crediting those.
And it seemed like some people were interpreting Point 4 to say, well, in addition to that manual control you have, you need a whole separate analysis and a whole separate manual control that's diverse from what you're crediting. So that's probably what we intended to say back then.
But, I mean, if you look at the language from the original SECY, on Point 4, all of the background information, it's really reinforcing the idea that your operators have to be able to take manual actions if needed.
MR. CAMPBELL: So I guess that brings me to my next question. You use the term, if needed. Here on the slide it says when needed.
MR. DARBALI: Right.
MR. CAMPBELL: What would, is there a postulated scenario when, so we're looking at this in terms of layers of failure. So we've had a plant failure. A design basis event. Then we have an RPS/ESFAS failure with a common cause failure.
Are we now to assume that, you know, in Points 1 through 3 we're postulating and coming up with ways that we can maintain safety functions. Are we now assuming that that additionally fails?
A third failure here and now we have to have a fourth, this next layer down of manual actions to control the plant. Because Points 1 through 3 get you to a hot shutdown state --
MR. DARBALI: Right.
MR. CAMPBELL: -- which that's what's required for the policy.
MR. DARBALI: Right. And the way I'm interpreting your question, no. So point, like you said, Point 3 is going to provide for those. Whether it's going to be diverse meanings or mitigation measure or design technics or preventive measures, to address or cope with that CCF.
You lost your safety system, Point 3 measures are going to address that. Regardless of how that is addressed, you don't want your, under plants that have a control room and require, you know, have manual controls, you don't want to prevent your operators from even being able to take manual actions if they have to.
So, what you don't want to be is in a situation where your CCF took out your digital system, took out our manual controls and displays. And so yes, you have your Point 3 measures or designs technics addressing that CCF, but your operators are blind to plant, certain plant conditions or cannot perform any actions.
And again, for a reactor design that does rely on operators taking actions, we don't see a reasonable argument for having operators lose that ability. And maybe that's some insights that industry can provide to us. But we haven't encountered a scenario where we can say it's okay for operators to lose that ability.
MR. CARTE: Samir, can I propose we do a brief digression and let Jerry Mauck say something?
MR. DARBALI: Sure. Go ahead.
MR. CARTE: Jerry, you raised your hand?
MR. MAUCK: I was on mute. I have a hard time with all the buttons on this thing.
I just wanted to point out that, you know, we're doing, pretty much have completed a D3 on Turkey Point. And you only really need Point 4 if you don't have success and you're pursued of Point 3.
But Point 4 is, I don't want to have anyone oversimplify it, it's rather complex because you not only have to have manual actions for the main system, you have to have manual actions for the systems that support the manual system. And it cascades down into quite a number of manual actions.
And also necessary diverse manual indications which can be quite large. And you can end up with pages of diverse indications that are reacquired. And also pages of manual actions that are required. It depends on what you're digitizing at the plant of what course. It can be rather complex or not so complex.
But the point I'm trying to make is, Point 4 is not a simple task. That was it.
MR. DARBALI: Understood. And, Jerry, if I can have you add to something you said. I think you said, Point 4 is needed if there is an issue with Point 3 or Point 3 cannot be fully addressed?
MR. MAUCK: Yes. That was our view that, you know, if we have automatic diverse actions at Turkey Point, we didn't require any manual action. Any diverse manual action to be credited.
But if we got to the point that there was no way to get diverse automatic actions, whether from a safety system or a non-safety system, or the ATWS, or any control system, then we have to go to that Point 4. And then when we went to that, not only did we have to identify what the manual actions were and what the indications were that the operator had to have, we have to do the timing for it and make sure that the operator has the time to take this action. So it gets, it's not a simple task.
MR. DARBALI: So, and without getting to specifics of the particular Turkey Point licensing application, it seems, from what you describe as Point 4, really being part of Point 3.
MR. MAUCK: True.
MR. DARBALI: Right. And --
MR. MAUCK: Yes, true. True. Because, you know, that's a blend there. If you are, meet what you need to meet with your diverse manual actions, then it can be part of Point 3. Yes.
MR. DARBALI: Right. So with Point 3 if, you know, you mentioned either you have a diverse system, ATWS or other system, or you can take --
MR. MAUCK: Right.
MR. DARBALI: -- timely manual action, then you meet Point 3.
MR. MAUCK: Right. Right. I see what you're saying now. It's kind of weird. We have to have for the critical, all critical safety functions we have to have diverse displays and diverse manual controls that aren't part of the software.
MR. DARBALI: Right.
MR. MAUCK: Which are, is a little bit different twist. It kind of goes hand-in-hand there. But it is a different twist on what you're trying to take manual action credit for over on Point 3. True.
MR. DARBALI: Right. Right.
MR. MAUCK: Yes.
MR. DARBALI: Yes, so, if you're crediting manual actions in Point 3, then you're already addressing Point 4. Because Point 4 doesn't --
MR. MAUCK: True.
MR. DARBALI: -- ask --
MR. MAUCK: Yes.
MR. DARBALI: Point 4 doesn't require timely actuation, it doesn't require safety grade.
MR. MAUCK: Right.
MR. DARBALI: Just that you have manual for critical safety functions.
MR. MAUCK: Right.
MR. DARBALI: If you're doing it in Point 3 for those functions, you're already doing it for Point 4.
MR. MAUCK: Right. Right. That's the same.
MR. DARBALI: Yes.
MR. MAUCK: True.
MR. JAIN: Dinesh, you have raised your hand. Do you want to say something? Dinesh Taneja.
MR. TANEJA: Yes. I was just trying to, you know, these analysis, you know, we looked at a number of analysis for new reactors. And the new reactor designs that we have looked at, you know, including API1000.
So the coping analysis, there were scenarios where they said, you know, hey, the plant, the CCF is bounded so no action needed. I can live with the potential CCF concern.
But really your analysis kind of said, hey, if it happens, so be it, I'm still bounded. You know, my AOOs and my scenarios that my analysis bounds it.
Now, the other thing that we've seen is that control systems have been used in those designs to provide the diverse means of actuation and indications. So they're taking credit for your plant control systems to be able to do certain, if your control system is available, to take the necessary actions. And those are diverse means. So that was your Point 3 manual actuation using control system capabilities.
Point 4 is used in some design to bring in the manual actuations in those, you know, new reactors now I'm talking about. They basically designed the manual actuations to meet the 603 requirement for system level manual actuation and they brought them into the, you know, the priorities modules as a hardwired input downstream of the digital.
So they actually were designing it such that you were actually meeting the 603 requirement, as well as the recipe requirement.
So there are some good design solutions there, but you really don't want to get caught up into just doing the analysis. I think we need to think about, in a good design from the get-go that meets the primary objective of being able to control the plant, manually as well as automatically.
I just want to bring that out, that we've seen those designs and we've never had any new reactors come back to having any issues with trying to meet the guidance or the policy statements of 93-087.
MR. JAIN: Thank you, Dinesh. Richard, you have comments?
MR. STATTEL: Yes. I just wanted to say that I fully agree with Jerry's interpretation that he just provided.
And that is completely consistent with previous applications and the evaluations we've performed of them. It wasn't until recently when we heard this new interpretation of addressing Point 4 as a separate issue outside of the D3 context.
The only thing I would also add to what Samir said was, is that Point 4, I agree. If you are crediting manual actions to address Points 1 through 3, really you have already addressed Point 4, other than the fact that Point 4 adds the requirement for diversity.
Which really ought to go without saying, because obviously if you're saying it in the presence of a common cause failure it has to function, it has to work. And the only way you can assure that that function is going to work is if it is in fact diverse from the digital safety system.
But that's what it adds. That's what Point 4 brings to the table. It's basically, you can use manual actions and it's allowed by Point 3. But if you do that, you have to, it's almost like you also have to make sure that those functions are still going to work in the presence of the CCF.
And also, by the way, we did some research and we looked at what the source of Point 4 of that position is, and it was not drafted by the Commission, this was the staff's language. And this was what the staff put to the Commission in the SECY-93-087. And the Commission simply agreed with that portion of the SECY.
MR. JAIN: Thank you, Richard. Warren, you have your hand up.
MR. ODESS-GILLETT: Yes. But I'd like to defer to Alan, if he has any other points he wants to make.
MR. CAMPBELL: Yes. And so, Rich, just responding to what you said, I don't hear, I'm still hearing two different interpretations here that, you know, and please correct me if I'm wrong in understanding what you just said, but Point 3, if there are manual operator controls that are required and Point 4 adds this diversity, you're saying it adds the diversity.
When I look at Point 3 in the SRM existing today, it has the diversity element in it. Point 4 adds in the term, critical safety functions, which broadens out the scope beyond what was identified in Points 1 through 3.
And so I think the concern is, now that we've broadened the scope in Point 4 to all critical safety functions, why are those needed?
MR. STATTEL: Well --
MR. CAMPBELL: Are we assuming that there is a failure of what happened in Point 1 through 3. We don't see it in an application where those are needed because we're already postulating the system fails and what do we need to do to get it into a safe state.
MR. STATTEL: Again, it's within the context of the D3 analysis. And of the scope of the safety system that's being evaluated. That's being analyzed.
So we talked at the last meeting, I think we had an agreement on this interpretation going forward. And we would be willing to provide clarification on that interpretation to avoid alternate interpretations of this.
But really we have no indication that it was intended to be applied independently of a D3 analysis. It's one point of four points that were made in this SRM. And it's all within the context of the D3 analysis.
It was never, we have no indication, I mean, I wasn't around, I didn't, I wasn't around to draft it or anything, but we have no indication when we research the original SRM that it was intended to be applied independently as this interpretation.
And we don't have multiple interpretations. We're just trying to understand what you're saying. So we're really trying to be empathetic and to understand your position on these. On this.
And we get it. We understand how you're applying this. But we don't believe it's intended to be that way, and we would like to get that clarified.
MR. CAMPBELL: And so I think, you know, that's aligned with what we're asking for, Rich. I think the way that you're describing it is, unless I'm misunderstanding the way that we have proposed to intend it, or I'm sorry, implement it. But what I'm seeing on the screen and what we've seen in the SECY paper brings us back into this, a different interpretation of what you just described.
MR. CARTE: So this is Norbert Carte. Let me jump in for a second. And then we also have another hand up that hasn't had the chance to speak yet.
So I guess there is, we got to look at this a different way because somehow we're talking past each other. So if we look at the requirements of 279 and 603, they both require that given an event or a condition in a facility that you determine whether automatic protective action is required. And that for every automatic protective action you have a manual means of initiating that same at the division or the system level.
So what they're saying is, you need manual for every automatic action. Well, one of the problems with the word safety, critical safety function, is that was sort of a reaction out of TMI.
And so, 603 and 279 don't talk about critical safety functions, and they talk about protective actions. And there is more protective actions than those that are needed for the critical safety functions.
So you might have a protective action that protects the analysis. As you're analyzed for an event at a particular low steam generator level, and if the level goes below that, well, and that event occurred, you would be in an unbounded situation therefore you want to protect the analysis not necessarily protect against a particular event.
So there are more protective actions than are needed to protect the critical safety function. So the idea of critical safety functions wasn't to expand the scope of what's needed, it's to limit the scope of where you need diversity from every single protective action that's automatically initiated.
It's the important ones that really must have displays and controls. And they use a post-TMI wording to determine which ones are the important ones. So I see that as a little bit of a disconnect.
MR. CAMPBELL: All right.
MR. CARTE: We're not, Point 4 is not asking for new and different controls than anybody else is asking for. But that's my input. Can we go to Ken Scarola for a second?
MR. SCAROLA: Yes, Norbert, thank you. Can everybody hear me okay? I'm not sure I have this thing set up right.
MR. CARTE: Yes, we hear you.
MR. SCAROLA: Okay, thanks. I listened to Rich, and I listened to Norbert. And I think we are beginning to recognize that there is wisdom in IEEE 603 and 279.
And the wisdom is that we design the protection system for the events that we anticipate. But there is always the n+1 event that we did not anticipate.
And 603 and 279 say, we're going to address this n+1 event, the one that we did not anticipate, by giving the operators the ability for manual initiation of the safety functions. And Rich, I have to tell you, that was the intent of Point 4 in SECY-93-087.
It was not, you only need Point 4 if Point 3 says you need it, it was, you need Point 4 because you may not analyze everything that can possibly happen in Point 3. There is always the event that you haven't thought of. And it's the same basis of why we have this capability for manual initiation in 603 and 279.
Now that manual initiation in 603 and 279 also gives the operators the ability to take preemptive actions. So there is really a twofold purpose here. Preemptive actions and manual actions with the event for which the automated system does not actuate.
Now, I believe that we should not require Point 4 unconditionally. If you've done your homework and you've analyzed your Points 1 through 3, that you don't have a potential for a CCF, or it's risk-insignificant, then there is no reason to have Point 4. Point 4 should not be unconditionally required.
On the other hand, if you have identified that you do have the potential for a CCF and the CCF can affect the manual initiation capability required by 603 and 279, then Point 4 should be required. And I think that's an important distinction.
So I would recommend to the staff that the last phrase in the first sentence of Point 4 that ends, vulnerabilities to digital CCFs have been adequately identified and addressed, be clarified to add, including both automatic and manual control of critical safety functions. That's what we're trying to do here. Make sure that we can control critical safety functions both automatically, as intended by the protection system, and manually as we have given that capability to the operators.
So Point 1 needs to address the entire safety function, not just the automation.
Now in addition, when we get to Point 4, I would recommend that this be clarified with a preface that says, if Points 1 to 3 demonstrate inadequate manual control of critical safety functions, and then continue it as written, so the only time you would need Point 4 is if Point 1 through 3 demonstrate that you don't have adequate protection against CCF. Either through a deterministic method or a risk-informed method.
And then I would also make another very important clarification. 603 and 279 do not require manual control at the actuation level. Or at the component level. They require manual initiation of the same functions that the safety function automates. It's initiation, not actuation. And that's clarified again in Reg Guide 1.62.
So Point 4 should make the same distinction. We should be replacing the word "actuation" with "initiation." We need to give the operator the ability to "initiate" control of the safety functions.
Now how you deal with longer term needs is another issue. There are many ways that we can manage those control functions once they're initiated. But the timely problem is to initiate them.
I'll leave my comment at that. I have more comments that are not on the Point 4 issue, but I'll save them until after this discussion. Thank you.
MR. CARTE: Sorry, Ken, that was a little long but let me just try and shorten that a little bit. So what I heard you say was that if the CCF is not risk-significant, as determined by Step 3 or earlier, then Point 4 does not apply? That's one of the points you were making?
MR. SCAROLA: Well, what I'm trying to say, there can be two ways where Point 4 wouldn't apply. One is that you've concluded that you don't have a CCF.
MR. CARTE: Or it's risk --
MR. SCAROLA: Well then you already have manual controls through 603 and 279, therefore you don't need more manual controls. The second way, is as you said, is if you demonstrate that it's not risk-significant.
MR. CARTE: But the first way is no CCF. Well, yes, obviously.
MR. SCAROLA: Well no, not obviously because the way it's written right now Point 4 is unconditional.
MR. STATTEL: Yes, but you're reading it in isolation. If I could respond. So --
MR. SCAROLA: I'm not reading it in isolation, I'm reading it the way it's written. There is four points to the policy.
MR. STATTEL: It's one of four points.
MR. SCAROLA: Yes. But nothing in Point 4 says, if there is a CCF, then you need manual control. All it says is, you need manual controls.
MR. DARBALI: Well, unlikely to be subject to the same CCF assumes there is a CCF.
MR. STATTEL: But when do you apply these four points? You apply these four points in the conduct of a D3 analysis. So there is your condition.
So do you agree if, you know, what you just said, if you go through Points 1 through 3 and you conclude that you meet the criteria, right? You have adequate safety, then you basically have met Point 4. Even if you credit manual actions.
MR. SCAROLA: However, Rich, we commonly conduct the Point 1 analysis, and Point 1 through 3, with consideration of only the automated functions of the protection system.
MR. STATTEL: I have never seen a, I have never seen a D3 analysis that did not credit manual actions. And I've been doing this for 30 years.
MR. SCAROLA: Oh. But those are only the manual actions that are in Chapter 15. That's not the only point of 603 and 279.
The manual actions that we credit in Chapter 15 are for the events we thought of. And what I'm trying to explain here, is that there are the events we have not thought of. But the guys who wrote 603 and 279 did think about those events.
But we used to call them the n+1 event. The one we didn't think of. And that is another intent, not just for the credited manual actions, but for the manual actions that you might have to take that you never anticipated you were going to have to take. Let's not forget defense-in-depth here.
MR. JAIN: Shilp, you raised your hand. Are you still there?
MR. VASAVADA: Yes, I'm still here, but I didn't want to stop the discussion. So if anybody else had something to discuss on --
MR. JAIN: Great.
MR. VASAVADA: -- like in the same vein of what was going on, I can wait. That's not too long. But yes.
MR. JAIN: Oh, okay. All right.
MR. CARTE: Warren?
MR. ODESS-GILLETT: Yes. So, let's give, let's come up with another situation here. So if you do Points 1 through 3, and my experience is that as much as possible the licensee tries to credit the manual actuation to cope with each event in the safety analysis concurrent with a CCF. But there are those cases where it's not fast enough and therefore then we need the automatic diverse actuation to make sure we meet the relaxed criteria.
Now, listening to Rich, if I also had a duplicate manual control for that automatic control, regardless of evaluating critical safety functions, would that meet Point 4?
MR. STATTEL: I don't understand where duplicate control comes in.
MR. ODESS-GILLETT: In other words, I need an automatic, a diverse automatic actuation in order to maintain the plant in the safe condition.
MR. STATTEL: Okay. So a non-safety related ATWS --
MR. ODESS-GILLETT: Yes.
MR. STATTEL: -- event.
MR. ODESS-GILLETT: Right. So, if for each one of those automatics that I had to add --
MR. STATTEL: Okay.
MR. ODESS-GILLETT: -- for the reverse actuation system --
MR. STATTEL: Okay, I'm following you.
MR. ODESS-GILLETT: -- could, if I added a manual control in addition to those limited automatic controls that we credit in the diverse actual system, that doesn't require any analysis, it's just we're giving the operator the manual control capability of what we've added in the diverse actuation system for the automatic.
MR. SCAROLA: Warren, I agree with you 100 percent. And that's exactly what was done in some licensing applications. There was no analysis related to Point 4, it was simply --
MR. STATTEL: That's right.
MR. SCAROLA: -- these are the diverse actuations that we need, so we're going to have manual initiation of those. And if we had other safety functions, critical safety functions that had no automated action, we simply added manual initiation for the equipment that was needed for those.
There was never an analysis to demonstrate that the manual controls for Point 4 were sufficient for anything. Because as I said, they're for the n+1 event. They're for the event you don't know you need. There was never an analysis.
MR. STATTEL: This has never really been a contentious issue during our evaluations though. Because, well, for one thing, the ability to initiate manual actuations for a diverse system, I don't think anyone, I have never seen anyone propose not having that ability and that it's always been there. Does it require an additional analysis, no. No, I wouldn't think so.
But if all, if you are directly crediting a manual actuation, then I don't think it's a lot to ask that it be diverse and that it, you know. I think when you read the original SRM, or the original SECY, actually going back before the SECY, I think there was an unwritten assumption that it was these critical safety functions that would always be necessary in order to bring the plant to the safe condition to meet the criteria. Actual site boundary criteria.
But I think --
MR. SCAROLA: So, Rich?
MR. STATTEL: -- it's kind of taken, it's taken on a life of its own in these different interpretations. But I don't think that that much thought went into those because it was assumed that if your safety system is no longer functional, that you would somehow have a reliance on manual actions and those would, in turn, accomplish the critical safety functions that would be needed to meet your boundary conditions.
MR. SCAROLA: But, Rich, the analysis you're referring to is a Point 3 analysis.
MR. STATTEL: I know.
MR. SCAROLA: If in Point 3 you take credit for manual actions, then very clearly they have to be analyzed.
MR. STATTEL: And they have to be diverse.
MR. SCAROLA: Both from a hydraulic point of view and an HFE point of view.
MR. STATTEL: Right. And that goes down to the argument that Point 4 is within the context of the D3 analysis.
MR. DARBALI: Yes, but it's not --
MR. STATTEL: It's not beyond that.
MR. DARBALI: It's not clear.
MR. SCAROLA: Because let's assume that for Point 3 you only need one manual action. And let's say that's the initiation of emergency feedwater for some reason. No, that's not a good example. Let me give a good example here.
Now, let's say for Point 3 that you take credit for the manual closure of the main steam isolation valves. Well that's one safety function. You've got five or six more safety functions that you never credited manual actuation.
And that's the intent of Point 4. Is to have manual initiation capability for all the critical safety functions whether you credited those manual options or not.
MR. STATTEL: No, I don't agree. And we've never applied it that way. So, in other words, when we review a D3 analysis, and within the context of the D3 analysis, we look at what's being credited in the analysis, and we look at if those things are diverse and they will function. We come to a reasonable assurance conclusion that they will function in the presence of the CCF.
We don't ask, right, I mean, I can point to dozens of analyses that we've evaluated, we don't ask for functions that are outside of that scope. We never have, right?
So if you want to do those analysis, if you want to show that functions that are not credited in the D3 analysis meet the Point 4 criteria, okay. But that's not in the scope of these four points.
MR. DARBALI: Well, Rich, I think --
MR. STATTEL: I mean, Point 4 is one of four points. And it's intended only to address the CCF. That's what it is.
MR. DARBALI: Well, Rich, I think the reason we haven't --
MR. STATTEL: Why would we?
MR. DARBALI: -- gone further on Point 4 for previous reviews, is because we can tell, based on the description of the modification and design modification architecture, that they're not ripping out those manual controls and displays. And they're not making those part of the digital modification.
So in turn we know they're meeting Point 4. And that's, I think, why we haven't really asked for a separate, tell us how you're meeting Point 4. We can abstract that information from the design.
MR. SCAROLA: Rich, you said something very important. I'm sorry, this is Ken Scarola again. You said something very important. Point 4 is intended to address the CCF.
The CCF that we're looking at is the CCF that adversely impacts the functions required by 603 or 279. One of those functions is manual initiation. So if the CCF adversely affects manual initiation, it's got to be addressed in Point 4.
MR. STATTEL: I agree. Yes, I agree.
MR. SCAROLA: Whether you credit that manual --
MR. STATTEL: That puts it within scope.
MR. SCAROLA: -- initiation or not, because all the manual initiations that are in there for 603 are not necessarily credited in the accident analysis. Or your D3 analysis.
MR. STATTEL: That's true.
MR. SCAROLA: Well, then you got to make them all work in the presence of a CCF. That's my point, that the Point 1 analysis needs to address all the functions of 603 and 279. And that includes both automated and manual actions. Manual initiation actions.
I think where we run into trouble is when people try to extend Point 4 to include manual actuation. That's a much bigger problem.
MR. TANEJA: Hey, Ken, this is Dinesh. 603 requirements for manual actuation, you know, they can be implemented in your safety related digital, in a protection system, right?
MR. SCAROLA: They can or can't? Did you say can or can't?
MR. TANEJA: Can be, right?
MR. SCAROLA: Can be, yes.
MR. TANEJA: And typically are.
MR. SCAROLA: Yes.
MR. TANEJA: So those manual capabilities are susceptible to potential CCF.
MR. SCAROLA: Certainly.
MR. TANEJA: Okay. So, all what we are saying is that the CCF considerations, potential software common cause, you know, the whole four points are based on the predicament that this failure mechanism is beyond design basis.
By design, your safety system should not fail, right? You're building them to the highest possible quality, and they're supposed to be available under all potential hazards that you recognize.
Now, your n+1 argument is applied here. You know, your potential CCF is an n+1 argument. Now, how do you deal with it, I don't think you need to do a timing analysis or anything like that for the Point 4.
If you do need to rely on a manual actuation to cope with a CCF, I don't think you need to worry about the timing consideration for the four points.
MR. SCAROLA: I agree.
MR. TANEJA: Because that timing consideration is only for Chapter 15 events where you take credit for a manual action.
MR. SCAROLA: I agree with you 100 percent. No analysis --
MR. TANEJA: So I think we are getting --
MR. SCAROLA: -- is needed for Point 4.
MR. TANEJA: So we are getting this argument kind of, you know, we need to basically separate these items out.
MR. SCAROLA: Yes, Dinesh, I agree with you. I don't know why we're talking about any analyses for Point 4, the analyses is Point 3.
If you need manual actions for complying with Point 3, then you do need a timing and an HFE analysis. And a thermal hydraulic analysis.
Point 4 needs nothing, other than you got to have the control and it's an I&C design review. It's not an analytical review at all.
20 MR. ODESS-GILLETT: But, Ken, you're 21 proposing that Point 4 is just a matter of replicating 22 all of your, if they are susceptible to a CCF, your 23 point is just to replicate all of your manual controls 24 again for Point 4?
25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
MR. SCAROLA: No. That's an overstatement, Warren. And that's what's so important here. You only have to replicate the manual initiation controls, not all the manual controls. You don't have to replicate manual controls at the actuation or the, at component level.
MR. ODESS-GILLETT: Well certainly not at the component level, but maybe you can help me, again, understand the differentiation between initiation and actuation system, system level initiation versus system level actuation.
MR. SCAROLA: Well, the initiation typically refers to what would happen if a bistable were to trip.
MR. ODESS-GILLETT: Okay.
MR. SCAROLA: That's initiation.
MR. ODESS-GILLETT: Okay.
MR. SCAROLA: The actuation typically refers to everything downstream of the voting logic.
MR. ODESS-GILLETT: Okay.
MR. SCAROLA: That's actuation.
MR. ODESS-GILLETT: Okay. So you're proposing --
MR. SCAROLA: And I can tell you that this
MR. ODESS-GILLETT: Go ahead.
MR. SCAROLA: -- idea of meeting Point 4 at the level of initiation was licensed for System 80+, for US-APWR, for APR-1400. That's all they had for Point 4.
And it was, again, because you wanted to give the operators the ability to take preemptive actions in the presence of a CCF, or to take actions for the n+1 event. That the system didn't actuate automatically for.
MR. DARBALI: But, Ken, you're saying at the initiation level that's diverse. But certainly you're not saying that anything downstream would be subject to the same CCF, right?
MR. SCAROLA: You have to address the CCF at all levels. Absolutely, you have to address CCF at all levels.
You may have a CCF at the component level and no CCFs at the initiation or the actuation level.
Well that CCF at the component level is as debilitating to the plant as a CCF at the initiation level. In fact, even more debilitating to the plant.
So yes, you do have to address the CCF at all levels.
MR. DARBALI: Okay.
MR. CARTE: Sorry, a quick point. Somehow I get this notice that this meeting is locked. Did someone lock the meeting, no one else can join, or did we just run out of slots?
MR. JAIN: I don't think it's been locked.
Not from my end.
MR. CARTE: Okay, so --
MR. DARBALI: I do want to go back to something that Warren had mentioned when we were talking about DAS. I just want to clarify.
I think, Warren, you had said, or you had asked, if the DAS has a manual pushbutton. And of course, the DAS is diverse from your system so it's not subject to the same CCF. So if the DAS has a manual pushbutton, that meets Point 4.
MR. ODESS-GILLETT: Understood.
MR. DARBALI: Okay.
MR. ODESS-GILLETT: My question is, how many of those do you need if you can claim that I have, let's say I've been able to cope with a CCF using 1 through 3, and I only need, I was able to do it all with manual actuations, except maybe three automatic functions. And does that mean, does Point 4 say then, okay, I only need manual controls for three of those, those three automatic functions?
MR. DARBALI: Point 4 says you need a diverse manual means for all critical safety functions.
MR. ODESS-GILLETT: Yes, that's what I thought. So it seems to me it's like, you've already demonstrated you've coped with both automatic and manual and we'll even throw in the manual to back up the automatic, but that's still not good enough, we still have to have diverse manual controls for all critical safety functions after you've addressed the coping mechanism using non-safety control systems, anything else that exists and so on.
MR. DARBALI: Right. So you would only need those manuals, right. Those manual controls you credited at Point 3, they need Point 4 for critical safety functions.
MR. ODESS-GILLETT: I got you.
MR. DARBALI: Any DAS you credit or any diverse means that you credit in Point 3, that also has an option for a manual pushbutton. Whether that diverse system is digital or analog, that's going to meet Point 4.
It would be a case where you have no ability to manually perform that critical safety function that you need to do something extra for Point 4. Which for an operating plant that you're not ripping out controls, wouldn't be the case.
MR. ODESS-GILLETT: Yes. But, Samir, we do have to take into consideration, we want to move into the future and --
MR. DARBALI: Right.
MR. ODESS-GILLETT: -- have glass control rooms.
MR. DARBALI: Yes.
MR. ODESS-GILLETT: But I think we're, I understand what you can credit in Point 4, as part of credit, doing in Parts 1 through 3. I'm just seeing that, and this is also my, I don't know what the word is, my concern about Ken's proposal that you basically, regardless of what you have done to cope, you need to add these manual controls in addition to being able to demonstrate that you've been able to cope with a minimum set of manual controls and a minimum set of automatic controls.
MR. CARTE: So, Warren, let me just jump in here a little bit. So I understand your concern, but I think there is two parts of Ken's issue. And let me try and summarize the other part.
So let's visualize the architecture as a three-layered architecture with a bistable function layer, a voting logic layer and say an implementation layer. And I think what Ken is saying is that, so the question is, those manual inputs, are those separate inputs into the logic layer, because obviously they're not separate inputs into the bistable layer, but are they separate inputs into the logic layer where the voting is done or are they separate inputs to the implementation layer?
So your reactor trip system says trip, and in parallel you have a manual system that says trip.
Or your ESF says containment isolation, and in parallel your manual system says containment and isolation. And then the implementation portion received both inputs and performs all of the actuation functions. Right?
So first I'd like a little clarification on, Ken, where you're saying those manual control inputs going into, do they go into the logic or they go into the implementation?
MR. ODESS-GILLETT: The assumption is that those would go into the logic.
MR. SCAROLA: There is no requirement for that. They have to go into the place where you bypass the CCF.
MR. ODESS-GILLETT: Okay, we're talking two different things, Ken. He's asking me about the 603 controls for your primary protection system.
MR. SCAROLA: They typically go into the initiation level or the actuation level. But depending upon the vendor.
MR. ODESS-GILLETT: Yes.
MR. CARTE: So I guess I'm hearing both Warren and Ken agree that the logic, the manual inputs go in, are inputs into the logic layer, and sometimes into the implementation layer. And so the question is, if you have a CCF in the logic layer, if that's part of your system, then your CCF would disable the manual function, but, and therefore you would need a diverse function to do that?
MR. ODESS-GILLETT: The question is, what do you need in a beyond design basis event of a CCF concurrent with your safety analysis evaluation?
And if you're saying that in addition to successfully coping, I also need to have these diverse manual system controls to maintain 603, I think it is, with today's technology and reliability I don't think it's necessary.
MR. CARTE: Right. But my interpretation is not that the, that SECY or the SRM is requiring additional displays and controls above and beyond what you have, it's putting criteria on the set that you have. Now, if the set that you have doesn't satisfy the SECY, then you may want to put in, it may be easier to build diverse displays and control than to make the existing ones satisfy the SECY. Right?
But in general I don't, and Samir's point earlier was that what we've seen to date on the existing power plants is they're not changing, significantly, the operating interface in the control room. And therefore Point 4 is not such a big deal.
MR. SCAROLA: Right.
MR. CARTE: But, Warren, your point is that the new facilities want glass control rooms, but the problem with a glass control room is, how do you do a safety related manual control on a glass control room. So that's a different set of issues than they're diverse.
But, Rich, I see you have your hand up.
MR. STATTEL: Well, I just wanted to respond. So in such a system that you describe, Warren, I would expect the analysis itself to identify the loss of those manual functions. But I would also expect the analysis to identify other diverse functions.
They could be manual, they could be a diverse automatic actuation system that would accomplish the necessary critical safety functions to maintain safety for the plant. Plant safety.
So, you know, I don't rule that out, the possibility. And I've actually seen some designs that don't even make an attempt to have diverse manual initiation at the system level. On the safety system.
But in every one of those cases I also see some diverse system, and it may be performing a completely different safety function. But it's maintaining the critical safety functions. They're all still maintained. Even if I don't have an alternate means of manually actuating the primary safety function itself.
MR. DARBALI: I want to give a chance to Khoi and Mohammad who have been waiting. Khoi, go ahead.
MR. NGUYEN: Hi. I just want to --
MR. ALAVI: Hi. Oh, okay.
MR. NGUYEN: I'm sorry.
MR. ALAVI: Oh, sorry. Go ahead, Khoi, he didn't call me yet.
MR. NGUYEN: Yes, I just wanted to clarify the point that we have been back and forth on.
Whether it's initiation or actuation.
So, Reg Guide 1.62, manual initiation of the protective action, even though the title of the reg guide is initiation. But the start of six and seven make the statement that the point at which the manual control are connected to the safety equipment should be downstream of the Digital I&C safety system output.
To me that's an actuation. You shouldn't initiate the control and send the signal through either bistable, processor or any voting logic, you should actuate the A&D device, like pump and valve, whatever. So I just wanted to clarify one thing that we keep talking whether it's initiated or actuated.
Thank you.
MR. JAIN: Thank you, Khoi. Now Mohammad.
MR. ALAVI: Yes. Actually, so the topics right now we're talking, I mean, that's -- I mean, two subjects. The one is the manual, the capability of the manual control by the operator, and the other one, the CCF.
So there is an overlap between these two.
And maybe it's not exactly the same in all the situations. So, having the manual control input to the logic, that can address that event n+1 that Ken was elaborating, which is the common design, loss of the design I&C.
But if we have a CCF in the software of the safety instrument, that system, obviously that manual input to the logic doesn't make sense. So that has to go to the actuation.
So in my opinion, maybe these two points have to be separated and each one, each objective evaluated separately. So having the manual, capability of manual control ability for the operator is a total different thing. And cope with the CCF, that's different things that we can address in the Point 3 if we go with the system, I think, assessment.
Going with the, all assessment, for the D3.
So that's what I get from this discussion I wanted to point out.
MR. DARBALI: Thank you.
MR. JAIN: Thank you, Mohammad. I see Ken's hand is still raised. Ken, do you have any more questions or comments?
MR. SCAROLA: Yes, I raised it again. I think we have to avoid trying to design in this meeting. You know, all these architectures can be very different.
In an operating plant you may have a digital upgrade for one layer of the architecture or two layers or three layers. In new plants, all three layers are always going to be digital.
You know, we have to stop designing and recognize the intent here. The intent is that your manual control be able to initiate control of the safety functions in the presence of a CCF that you can't get rid of. It's that simple.
Regardless of where the CCF is in the architecture, you have to design your manual control so it's not adversely impacted by that CCF. And I don't think we should be trying to design in any more detail than that in this meeting.
MR. JAIN: Thank you, Ken. Are there other questions or comments of the feedback on staff's presentation?
MR. CARTE: Yes. My only comment would be on Ken's issue. I don't think we're trying to design but we're trying, I feel the need for concrete examples to clarify the meaning of some of the, because I think there is this impression that we're talking, I get this impression we're talking past each other a little bit. And it's strictly abstract you may never solve the problem, as philosophers never solve anything, right?
But if we can get the concrete real-world examples, then maybe. And that's the point. I'm not trying to design, I'm trying to concretize. Give a couple examples of what would work. But I see that raised a couple of issues.
MR. SCAROLA: Well, Norbert, the problem is, regardless of what's digital, does not mean that that digital thing has a CCF potential. We have many examples where the digital is of sufficient simplicity where we were able to preclude a CCF.
And that has very often occurred at the lowest level in the architecture. Where the implementation, or what we call component control, is utilized by both the primary actuation system and the backup diverse actuation system. Therefore we don't postulate a CCF in that because it's sufficiently simple.
So, you know, it's very hard to discuss this on a generic basis other than to say, the CCF cannot adversely affect the manual control, now go design it.
MR. ODESS-GILLETT: And that's kind of where I disagree because in a lot of aspects the manual controls are a backup to the automatic controls. And in your D3 analysis you have analyzed how you can cope with your CCF of both your automatic and your manual controls.
And if there is a concern that we're relying on an automatic control and it feels like the need that you need to have also a manual along with the automatic, that I think would be sufficient versus replicating your backup manual controls. Not replicating your manual controls in a backup system.
MR. SCAROLA: If you go that way, Warren, then you're throwing out the wisdom of 603 and 279.
Those documents recognize that we haven't analyzed everything and there could be events that the operators need to take action on that we have not considered.
And you need to think about the same things when you postulate a CCF in those safety systems that we're relying on that had that manual capability. And that's what Point 4 is all about. It always has been from the very beginning.
MR. JAIN: Alan.
MR. CAMPBELL: Yeah, I just wanted to -- I think Warren summarized our points pretty well. He said most of what I wanted to say. But, you know, I think we're still in a position now where there's confusion around this, from what I'm hearing.
And if we need to pull up some examples, we had an example that we provided as part of the ACRS meeting package that I can share. Or we also provided a diagram to the NRC staff showing some different concepts, if it's helpful to facilitate more conversation around this to be a little bit more exacting in the way we're speaking.
MR. STATTEL: Hey, Ken, this is Rich.
Nothing we do here is going to impact anything that's in IEEE 603 or those regulatory requirements. So I don't see there being any risk at undermining any of the existing protections that 603 provides.
MR. SCAROLA: Yes, I agree. You are not going to undermine anything that's required by 603 through this SECY or anything the staff is doing.
It's the CCF that undermines the functions of 603. So now the question is do you still need those functions of 603 in the presence of a CCF. And I believe you do. The functions of 603 are not only the automatic functions but the manual functions as well.
MR. ODESS-GILLETT: And I guess where I'm coming from is that 603 defines your design bases of the plant and then, if you go into beyond design basis with relaxed criteria, you don't necessarily need to maintain 603 to do that.
MR. SCAROLA: Yeah, I guess it comes down to what do you define as outside the design bases. I believe the anticipation of the n+1 event is within the design bases of 603. That's why 603 requires manual action, the capability for manual actions, because within the design basis you anticipate the unanticipated event.
MS. DONAHUE: But are we not in a n+1+1 event now, n+2? We have the IEEE, we're saying the design basis event, now a CCF. So Points 1 through 3 have your coping mechanisms for that, but now we're adding this extra layer of manual controls and displays for an extra layer. It just -- we're stacking -- how many layers are sufficient here?
MR. SCAROLA: Well, Alan, you're not adding anything. You're maintaining what was there in the presence of a digital CCF. You're not adding, you're maintaining.
(Simultaneous speaking.)
MS. DONAHUE: Is it okay if I share my screen?
MR. CARTE: Yes, no objection. So I don't think it's our adding, maintaining, or you're designing such that. So whether you say adding or maintaining, your design is such that you maintain.
MS. DONAHUE: So this is a slide that we had as background material for the ACRS meeting in September. This is the US-APWR, all the protection system functions. So this is slightly modified. We re-labeled the columns here.
This first or second column, rather, is the automatic -- this is your IEEE 603 automatic function. This is the, this third column is the IEEE 603 required manual function. Then we get into DAS system.
So points one through 3 drive us into these three different DAS automatic functions. And then this last column are the diverse manual functions. Sorry, that was the second to the last column. The last column is, are those manual functions actually credited in the D3 analysis?
So I think what Warren, the question that at least I heard from Warren and, Warren, correct me if I'm misstating you, is in the scenario of ECCS and EFW actuation, the vendor here determined that an automatic function was needed.
We still, the vendor still had to include a diverse manual function to satisfy Point 4, but it's not credited in any of the D3 analysis.
Warren, your question was are these switches needed, right? Did I summarize that correctly?
MR. ODESS-GILLETT: That's right.
MR. DARBALI: So I want to make one point clear, so this is based on the APWR which the review for this design has not been completed. So the design has not been approved. So we can't say here that those two additional switches that you're showing intended to meet Point 4.
If that was a decision made by the Applicant, we can't say that that was in response to an NRC review of the application or that the NRC had determined that it met or didn't meet Point 4. So let's be clear that this has not been proved.
MR. CAMPBELL: Yeah, understood. I think, you know, the point that we're trying to -- this is indicative, through my review of the different D3 analyses that are publicly docketed and things, this is indicative of a common, I won't say the interpretation but a common interpretation of how Point 4 has been implemented where, regardless of whether it's being credited in a D3 analysis, it's still being added.
So the concern here, and I want to bring this back to safety, the concern here is the complexity at the operator, right. So now we're getting into a scenario where we have three different initiation sources for the same, I'm sorry, four different initiation sources for the same function and the complexity that that introduces to an operator.
MR. SCAROLA: Alan, this is Ken. There's something important on this chart that you're missing.
You're pointing out that the switches for ECCS and emergency feed water actuation are not credited in the D3 Point 3 analysis. I agree 100 percent. They're not.
But what you're failing to mention is, in the second column where you have those same switches, they are not credited in the Chapter 15 analysis. But yet we still have them. And why do we have them? We have them because 603 gave us the wisdom to recognize that there may be another event where we need them.
And therefore we should give operators that capability.
MR. CAMPBELL: And I would say that we did give them that capability through the set of -- in the IEEE required. And then we also gave them that ability, we also gave them protection during a CCF through an automatic function.
MR. DARBALI: But I think what Ken is saying is, and correct me, Ken, if I'm wrong, that you're giving the ability in that second column by providing the switch to the digital system. So you're giving the manual ability.
The CCF is taking away that ability, so that switch on the fourth column is maintaining that ability. Because the DAS, and I'm assuming the DAS you're highlighting doesn't have a push-button. So by adding the switch on the fourth column, you are maintaining that ability. Is that correct, Ken?
MR. SCAROLA: Not quite. Yes, you are maintaining the capability, but the way that switch worked on US-APWR is it simply initiated the DAS. But the initiation of the DAS was sufficient because the DAS intercepted into the architecture at a very low level where there was no longer a CCF concern. So it was okay to initiate the DAS.
If the DAS didn't penetrate low enough into the architecture, then you would have to do something else to meet Point 4. Because then that same thing would be subject to a CCF. So the DAS, in this case the switch simply initiated the DAS.
MR. ODESS-GILLETT: So I guess our point is that it seems that we're imposing 603 not only on the protection system design basis, but we're imposing 603 on our DAS system.
MR. SCAROLA: Warren, functionally yes, but it can be non-safety --
MR. ODESS-GILLETT: Oh, yeah.
MR. SCAROLA: It doesn't require any qualification, I mean, so don't say you're imposing 603.
MR. JAIN: Ken, this B.P. Jain. We have very limited time left. And I don't think we are converging at this point. So we need to get back to the purpose of the meeting.
I think we have discussed, got a lot of feedback from different stakeholders. And we'd like to hear from other participants if they have other thoughts or other points of view. I see a hand from Shilp. Shilp?
MR. VASAVADA: Yeah, this is Shilp. So I guess I won't take too much time, but I just -- this is from maybe a different perspective and see if there are any thoughts on that.
And looking forward, I mean, at the expanded policy, the Points 1 through 3 provide, like, a risk-informed alternative in terms of diverse design or (audio interference). And a part of it is, like, using a bounding approach and PRAs to determine the risk significance, and go forward with decision-making based on that.
There was discussion about risk significance, there was discussion about different inputs and outputs. So please bear with me as I kind of lay the context.
PRAs, old manual operator actions for several sequences, the purpose over there is obviously to have an integrated look if systems, safety-related, non-safety related, both don't work with a certain failure probability. Sorry.
COURT REPORTER: This is the Court Reporter. Sorry to intrude. I would encourage anyone not currently speaking to mute their microphones.
MR. VASAVADA: Thanks. The PRAs would have safety related, non-safety related, and then manual actions. Those manual actions go through a process called human reliability analysis (audio interference) does the operator even understand they need to take an action.
The cognition piece has cues, some cues that are -- C-U-E-S, cues -- that the operator needs to mean that an action needs to be taken. Those need displays, those need, for performing the action, controls or at least switches, et cetera.
So then when that (audio interference) made to the sequence that would be included, the determination would include that manual action. And if, quote, credit, end quote, is being (audio interference) determining the risk impact, then that operator action would have to have the three displays and controls to make sure that it is feasible and valid, and that the inputs, the PRA continues to remain valid.
So I just wanted to understand, like, I mean, where does that fall in all this? Wouldn't that already need something which would not be impacted by the CCF, because otherwise there is no credit could be taken for that action?
I open it up to anybody who has thoughts on that. Thanks.
MR. DARBALI: Go ahead, Warren. You're muted, Warren.
MR. ODESS-GILLETT: Thank you. Sorry about that. And is it Shilp, is that how you pronounce --
MR. VASAVADA: It's Shilp.
MR. ODESS-GILLETT: Okay, Shilp. Okay, thank you. I think what -- I'm not sure if I understood completely, Shilp, what you were saying.
But are you asking how, what Position 4 is risk-informed or can be risk-informed, or is it --
MR. VASAVADA: I'm trying to understand, like, in the actual (audio interference) in risk assessment or PRA for digital CCF analysis, one would not achieve Point 4 if the manual action in the PRA is being credited to determine the risk significance.
Does that make sense?
MR. ODESS-GILLETT: Well, yes. So I'm not sure if it makes sense to me, but the way Point 4 is written now, even with the risk informed expansion, doesn't seem to take into account risk significance of the manual action at all.
MR. VASAVADA: Okay. So the other way I'm looking at it, and it may be because I'm not an expert in the design aspect of it. But Point 3 has information about a risk informed approach. It also talks about that manual actions can be considered as a form of diversity.
And then Point 4 says, if I'm not mistaken, that anything you consider in Point 3 can be used for Point 4, right. So, I mean, yeah. So again, even if it doesn't explicitly talk about the significance, what I'm trying to get at is while you're doing Point 3, and you're using that sequence from PRA in your actions, it's implicitly considering the risk significance of the reaction.
And then I think it is important, the ability to perform the action. And then for that last line, Point 4, why would you need anything else? I'm unable to understand that.
4 MR. ODESS-GILLETT: Well, I have a 5
difficulty understanding why we would need -- your 6
statement about why do we need anything else. Can you 7
clarify that?
8 MR. VASAVADA: So, okay, let me back track 9
and hopefully I'm not taking too much time from next 10 steps, otherwise let's cut it short. (Audio 11 interference) have an action in it, which would need 12 cues and the ability to perform the action. So it 13 would need a display or some control to tell the 14 operator that an action needs to be taken and the way 15 to perform the action, a switch, a push button, what 16 have you.
17 And that will be included in the risk 18 significance determination. And it would have to be, 19 obviously, not impacted by the -- otherwise the 20 operator action could not occur. So, be a diverse 21 operator action which is un-impacted by the CCF, which 22 can offer a critical safety function. Because the 23 events -- the PRA would include events which would 24 require critical safety functions to be present, 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
76 inventory control, decay heat removal, et cetera.
1 So, then, if that manual action is already 2
being imbedded and not impacted by the CCF, and this 3
last point in Point 4 says these main control room 4
displays and controls may be used to (audio 5
interference) lay together to address the concern that 6
has been raised (audio interference).
MR. ODESS-GILLETT: Shilp, you're cutting out. But I think, from industry's point of view, I think it's fairly -- there's consensus that there's no issue with crediting what you have in remaining controls and Points 1 through 3, that you can apply those to Point 4.
MR. DARBALI: Okay. I think we can move on. Shilp, that was your comment?
MR. VASAVADA: Yeah, I didn't have anything, maybe --
MR. JAIN: Yeah, this is B.P. Jain, you know, we are at that point that if there are other questions, or comments, or feedback on the staff's presentation, you can provide your feedback in writing after the meeting, or by email to me or Mike Marshall.
With that, I would ask Samir to recap the feedback if he could. Samir?
MR. DARBALI: Yeah, just before that, so I don't forget, Alan, could you send B.P. the slide that you shared. I believe it's the same one you provided at the ACRS meeting, but just so that we can make that part of the record.
MR. CAMPBELL: Yes, will do.
MR. DARBALI: Thank you. And I'll add the additional slides that we showed on the four points and 603 and 279.
So, you know, I think we were able to provide clarity on the applicability of the SECY 22-0076 and the intention with the original Point 4 and how we're carrying that intention to the expanded policy.
I think we clarified the distinction that Point 4 has when compared to the previous, or the first three points. I understand that some of this information or how we're explaining our interpretation might be new to some of the audience, so I recognize that not everybody is 100 percent in alignment. But hopefully we did get closer to that.
And I think we were able to understand a little bit better industry's concerns. One thing to note, and we appreciate all of the feedback and suggestions we've had on ways that the language in the four points could be different. Because it helps us, you know, think of things that maybe we have not considered or look at the points in a different way.
But the process for developing SECY paper doesn't really have a public comment portion to it. So the SECY is with the Commission and, you know, they'll review it and they'll provide direction to the staff in an SRM which we're waiting on.
A lot of what we heard today, I think, is very good discussion for when we move into the implementing or developing implementing guidance. You know, how do we apply the policy to advanced reactors that have a completely different design?
Maybe they have different critical safety functions. They don't have the same types of manual controls or, you know, they don't have a control room as we're used to or we're talking about a completely digital flat panel display control room.
So a lot of that can be addressed through implementing guidance. I think the policy, as we've said before, you know, we allow for alternatives and exemptions that allows us to look at those different reactor designs. So hopefully a lot of the concerns can be addressed properly in implementing guidance.
And for those we will obviously have public engagement. Anything that I am missing, B.P.?
MR. JAIN: No. I think you covered it all. Thank you very much, Samir. And I would like Eric to make closing remarks before we close out the meeting. Eric?
MR. BENNER: Yeah, I would -- another good dialogue, we've had several good dialogues on this topic. I will say what has been most helpful to me today is we've heard some different views. We've heard some more specifics. I think that gives us a lot of information to chew on.
I agree with Samir's point that there could be a lot done in implementation guidance. I acknowledge that we do, as the staff, have decisions to make whether we would do any additional communications with the Commission, you know, to supplement the paper or other things.
So I don't want to close the door on the idea that, you know, we're just waiting for the Commission, because I think the Commission may also be waiting for us, because we've said we're continuing the dialogue on this topic.
So I don't quite know what the right answer is. I will say I appreciate everyone. Everyone came to the meeting today ready to discuss, at good detail, what the concerns are in either direction, particularly on Point 4. I think we really focused on Point 4. We knew that was going to be the focus of the discussion.
So I'm not sure what our next step is. We definitely have to digest what we heard today and caucus internally as to what the next step is. Whatever that next step is, we commit to be transparent about it, you know, regarding letting stakeholders know what we're doing.
You know, obviously the Commission gets to do what the Commission wants to do. But we want to keep making sure we understand what the concerns from stakeholders are here. Because, you know, we've done a lot of internal dialogue and felt we were at the right place from a safety standpoint.
But we want to continue to be open to hearing stakeholder views to see if there's any things that we can learn from that. So I will also just turn it over to say if NEI wants to make any closing remarks.
And I see Ken's hand is still up. So, Ken, given that he provided significant input, I'd also be open to hearing to see if he had any closing remarks he wanted to make.
MR. JAIN: Ken or -- Ken is mute.
MR. DARBALI: You're muted, Ken. Alan?
MR. CAMPBELL: Great. And thank you, I appreciate the opportunity to provide some remarks here at the end. Again, thank you guys again for hosting this. I do believe that the discussion was beneficial in helping to understand your perspectives a little bit more. And then hopefully we were able to communicate the industry perspectives as well.
I think that we're still, as Eric, I believe, you acknowledged, I think we still have some work to do on Point 4 regarding the language. You know, some of what I heard there is some alignment in the interpretation, but the language itself isn't leading to that interpretation from our perspective. And so we look forward to continue to be able to work with you guys and engage with you on this in the future.
MR. JAIN: Thank you, Alan. Ken, you have a statement to make, closing remarks?
MR. SCAROLA: Yeah, thank you. We've been focusing exclusively on Point 4 here. But I want to raise the point that there is really a bigger issue here. Industry and NRC need to recognize that the cost of nuclear power is our enemy.
If nuclear power is going to remain viable, there's a need for significant O&M cost reduction. And the biggest part of that is operator staffing. We need to reduce operator staff. And the only way we're going to do that is with more complex, non-safety and safety digital systems.
We need more automation, we need better human system interfaces, and unfortunately that complexity leads to a higher likelihood of a design defect and therefore a higher likelihood of a CCF.
And I'm very concerned that our need for increased complexity is going to outpace our ability to prevent design defects or manage them through risk-informed methods. It's just not going to happen. We need the complexity. And that complexity is going to be very, very difficult to overcome.
Therefore, diversity may be our only viable solution. So I would really like to see the staff and industry focusing on ways to achieve cost effective diversity. You know, the diversity can be very simple.
A diverse actuation system can be non-safety, it doesn't have to have all the same functions as the primary protection system. It has to be adequate. It's not the enemy. Diverse protection systems facilitate more complex primary systems that are absolutely necessary to achieve cost effective nuclear power.
So while we're focusing here on ways to eliminate the need for diversity through risk-informed methods, I think we're kidding ourselves. I really do. I think we have to recognize that the complexity of our primary systems has to grow if we're going to be cost effective. And with that growth, we're not going to be able to manage the potential for design defects to risk-informed methods.
MR. JAIN: Thank you very much, Ken, appreciate it. With that, I'd like to thank all the participants for this meeting and providing the feedback. With that, I would like the meeting adjourned.
(Whereupon, the above-entitled matter went off the record at 4:01 p.m.)
Public Meeting October 20, 2022 SECY-22-0076 Expansion of Current Policy on Potential Common-Cause Failures in Digital Instrumentation and Control Systems
Presentation Outline
- Recent Activities and Current Status
- Purpose of Today's Meeting
- Staff Key Messages
- Summary of Proposed Expanded Policy
- Staff Position on ACRS Questions
- Point 4 Applicability and Clarifications
- Open Dialogue with Stakeholders
Recent Activities and Current Status
- The staff issued SECY-22-0076 on August 10, 2022, proposing an expansion to the digital instrumentation and control (DI&C) common cause failure (CCF) policy contained in the Staff Requirements Memorandum (SRM) to SECY-93-087
- The Nuclear Energy Institute (NEI) provided a letter to the NRC on August 26, 2022, providing comments on the staff's position contained in the SECY on diverse and independent main control room displays and manual controls
- The staff and NEI briefed the Advisory Committee on Reactor Safeguards (ACRS) DI&C Subcommittee on September 23, 2022, and the staff is scheduled to brief the full ACRS on November 1, 2022
- The SECY is currently under Commission review and the Commission will provide its direction to the staff through a Staff Requirements Memorandum
Purpose of Today's Meeting
The staff will use today's meeting to:
1) Summarize the expanded policy contained in SECY-22-0076
2) Share the staff's position on questions received from the ACRS
3) Share the staff's position on diverse and independent main control room displays and manual controls, i.e., Point 4
4) Conduct an open dialogue with stakeholders to hear their perspectives
Staff Key Messages
The proposed expanded policy in SECY-22-0076 encompasses the current four points of SRM-SECY-93-087 (with clarifications) and expands the use of risk-informed approaches in points 2 and 3.
Points 1-3 and Point 4 of the policy address two facets needed to ensure safe operation of the plant:
- Points 1-3 ensure DI&C systems are sufficiently robust to adequately cope with CCF
- Point 4 ensures operators can manually control critical safety functions even in the event of a DI&C CCF
Point 4 incorporates an implicit element of risk-informing as it focuses only on those critical safety functions needed to ensure the safety of the facility.
The expanded policy is intended to be technology neutral and applies to any reactors (including non-light-water reactors) licensed under 10 CFR Parts 50 and 52.
The staff acknowledges that the critical safety functions listed in SRM-SECY-93-087, SECY-22-0076 and Branch Technical Position (BTP) 7-19 (i.e., reactivity control, core heat removal, reactor coolant inventory, containment isolation, and containment integrity) may not be the appropriate set for all reactor designs.
The SECY provides for existing regulatory tools (exemptions and alternatives), if necessary, to accommodate for reactor designs with different critical safety functions.
If the staff encounters a reactor design where the policy would not be applicable, the staff will engage the Commission as appropriate.
Summary of Proposed Expanded Policy
Proposed Expanded Policy to Address Digital I&C CCFs
- Point 1: SRM-SECY-93-087, Point 1 (Clarified)
- Current Path: Point 2, SRM-SECY-93-087, Point 2 (Clarified); Point 3, SRM-SECY-93-087, Point 3 (Clarified)
- Risk-Informed Path: Point 2, Risk-Informed Approach; Point 3, Risk-Informed Approach
- Point 4: SRM-SECY-93-087, Point 4 (Clarified)
The Current Path allows for the use of best estimate analysis and diverse means to address a potential DI&C CCF.
The Risk-Informed Path allows for the use of risk-informed approaches and other design techniques or measures other than diversity to address a potential DI&C CCF.
Staff Positions on ACRS Questions
ACRS Question 1: Would the revised policy be applicable to advanced reactors?
Answer: The proposed expanded policy would apply to requests all nuclear power plant types licensed under 10 CFR Part 50 and 10 CFR Part 52, including advanced reactors.
ACRS Question 2: Do aspects of the policy for which the staff did not request a change carry forward unaltered?
Answer: Yes
ACRS Question 3: Might different reactor types warrant consideration of different critical safety functions?
Answer: While the expansion of the policy is intended to be technology neutral it relies on the staff's licensing experience to date and assumptions about the design of the facility, such as the presence of a main control room. The staff acknowledges that the critical safety functions listed in the SECY and BTP 7-19 (reactivity control, core heat removal, reactor coolant inventory, containment isolation, and containment integrity) may not be the appropriate set for all reactor designs. The staff has existing regulatory tools (exemptions and alternatives), if necessary, to accommodate designs with different critical safety functions and, if the staff encounters a reactor design where the policy would not be applicable, the staff will engage the Commission as appropriate.
Applicability of Point 4
[Diagram labels: Plant Safety Functions; Plant Critical Safety Functions (reactivity control, core heat removal, reactor coolant inventory, containment isolation, containment integrity); Functions Performed by the Digital I&C System; Scope of Point 4]
The diverse manual controls and displays for critical safety functions ensure the safety of the facility.
Point 4 only applies to:
- The critical safety functions performed by the digital I&C system.
Point 4 does not apply to:
- All safety functions performed by the digital I&C system.
- Critical safety functions not performed by the digital I&C system.
Staff's Position on Diverse and Independent Main Control Room Displays and Manual Controls
- In SECY-93-087, the staff recommended that safety-grade displays and controls located in the main control room and hardwired to the lowest level of the safety computer system architecture, be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions and that the displays and controls should be independent and diverse from the safety computer system identified in Points 1 and 3 of the policy.
- The staff recommended this because such controls and displays provide the plant operators with unambiguous information and control capabilities to enable the operators to expeditiously mitigate the effects of the postulated common-cause software failure of the digital safety I&C system. The control room would be the center of activities to safely cope with the event, which could also involve the initiation and implementation of the plant emergency plan. The design of the plant should not require operators to leave the control room for such an event.
Staff's Position on Diverse and Independent Main Control Room Displays and Manual Controls (cont'd.)
- While the Commission's Staff Requirements Memorandum to SECY-93-087 modified the policy to permit non-safety grade displays and controls and more flexible architectural implementation, the Commission supported the staff's recommendation on diverse displays and controls, and the staff continues to believe this position remains appropriate for critical safety functions to provide reasonable assurance of adequate protection.
- Point 4 incorporates an implicit element of risk-informing as it focuses only on those critical safety functions needed to ensure the safety of the facility.
- Requests for exemptions (under 10 CFR 50.12 or 52.7) or alternatives (under 10 CFR 50.55a(z)) provide avenues for applicants to request a deviation from the regulations based on risk information on a case-by-case basis.
- If the staff encounters a reactor design where the policy would not be applicable, the staff will engage the Commission as appropriate.
SECY-22-0076: Addressing DI&C CCFs & Ensuring the Ability to Perform Manual Actions
Points 1-3 and Point 4 address two facets needed to ensure the safe operation of the plant.
If not addressed, a DI&C CCF can affect both the DI&C system and manual controls and displays.
The four points when taken together provide criteria for the assessment of diversity and defense in depth against CCF, and ensure DI&C CCFs do not:
- Defeat safety functions (Points 1-3)
- Impede operators' ability to take manual actions when needed (Point 4)
Protection against DI&C CCFs to cope with the loss of a safety function
- Point 1 - Perform a D3 Assessment
- Point 2 - Ways of performing the assessment
- Point 3 - Ways of addressing a postulated DI&C CCF
Allow operators to take manual actions when needed, after a DI&C CCF
- Point 4 - Diverse displays and manual controls for critical safety functions
Open Dialogue with Stakeholders
Acronyms
- BTP: Branch Technical Position
- CCF: Common Cause Failure
- D3: Defense-in-Depth and Diversity
- DI&C: Digital Instrumentation and Control
- ESFAS: Engineered Safety Features Actuation System
- GDC: General Design Criteria
- I&C: Instrumentation and control
- NEI: Nuclear Energy Institute
- NRC: Nuclear Regulatory Commission
- PRA: Probabilistic Risk Assessment
- RG: Regulatory Guide
- RPS: Reactor Protection System
- SAR: Safety Analysis Report
- SECY: Commission Paper
- SRM: Staff Requirements Memorandum
Backup Slides
SECY-22-0076: Point 1
The applicant shall assess the defense in depth and diversity of the facility incorporating the proposed digital I&C system to demonstrate that vulnerabilities to digital CCFs have been adequately identified and addressed.
The defense-in-depth and diversity assessment shall be commensurate with the risk significance of the proposed digital I&C system.
SECY-22-0076: Point 2
In performing the defense-in-depth and diversity assessment, the applicant shall analyze each postulated CCF. This assessment may use either best-estimate methods or a risk informed approach.
When using best-estimate methods, the applicant shall demonstrate adequate defense in depth and diversity within the facility's design for each event evaluated in the accident analysis section of the safety analysis report.
When using a risk-informed approach, the applicant shall include an evaluation of the approach against the Commission's policy and guidance, including any applicable regulations, for risk-informed decision-making. The NRC staff will review applications that use risk-informed approaches for consistency with established NRC policy and guidance on risk-informed decision making (e.g., Regulatory Guide (RG) 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk Informed Decisions on Plant Specific Changes to the Licensing Basis").
SECY-22-0076: Point 3
The defense-in-depth and diversity assessment may demonstrate that a postulated CCF can be reasonably prevented or mitigated or is not risk significant. The applicant shall demonstrate the adequacy of any design techniques, prevention measures, or mitigation measures, other than diversity, that are credited in the assessment. The level of technical justification demonstrating the adequacy of these techniques or measures, other than diversity, to address potential CCFs shall be commensurate with the risk significance of each postulated CCF.
A diverse means that performs either the same function or a different function is acceptable to address a CCF, provided that the assessment includes a documented basis showing that the diverse means is unlikely to be subject to the same CCF. The diverse means may be performed by a system that is not safety-related if the system is of sufficient quality to reliably perform the necessary function under the associated event conditions. Either automatic or manual actuation within an acceptable timeframe is an acceptable means of diverse actuation.
If a postulated CCF is risk significant and the assessment does not demonstrate the adequacy of other design techniques, prevention measures, or mitigation measures, then a diverse means shall be provided.
SECY-22-0076: Point 4
Main control room displays and controls that are independent and diverse from the proposed digital I&C system (i.e., unlikely to be subject to the same CCF) shall be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions. These main control room displays and controls may be used to address point 3, above.
- 4.17 Manual Initiation. The protection system shall include means for manual initiation of each protective action at the system level (for example, reactor trip, containment isolation, safety injection, core spray, etc). No single failure, as defined by the note following Section 4.2, within the manual, automatic, or common portions of the protection system shall prevent initiation of protective action by manual or automatic means. Manual initiation should depend upon the operation of a minimum of equipment. [emphasis added]
- 4.20 Information Read-Out. The protection system shall be designed to provide the operator with accurate, complete, and timely information pertinent to its own status and to generating station safety. The design shall minimize the development of conditions which would cause meters, annunciators, recorders, alarms, etc, to give anomalous indications confusing to the operator.
- 6.2 Manual Control 6.2.1 Means shall be provided in the control room to implement manual initiation at the division level of the automatically initiated protective actions. The means provided shall minimize the number of discrete operator manipulations and shall depend on the operation of a minimum of equipment consistent with the constraints of 5.6.1.
[emphasis added]
©2022 Nuclear Energy Institute
Gen IV Light Water Reactor Example
Note 1: Initiated upon Manual Core Spray actuation
Note 2: Initiated upon Manual Core Spray or Manual Containment Isolation Phase A actuation
Note 3: Also includes Turbine Trip and Main Feedwater Isolation
Note 4: Manual trip required for Steam Generator Tube Rupture. Other scenarios credit DAS automatic signal.
Column headings: Protection System Function; IEEE Req'd Automatic Function; IEEE Req'd Manual Function; SECY Points 1-3 (D3 Analysis) Diverse Automatic Function; SECY Point 4 Diverse Manual Function; SECY Point 4 Manual Action Credited in D3 Analysis?
Rows (values listed in the order they appear; empty cells are not marked):
- Reactor Trip: RPS; 1 switch/train; DAS (Note 3); 1 switch; Yes (Note 4)
- Containment Isolation Phase A: ESF; 2 switches; 1 switch; Yes
- Containment Isolation Phase B: ESF; Note 1
- Containment Purge Isolation: ESF; Note 2
- Containment Spray Actuation: ESF; 2 switches/train
- CVCS Isolation: ESF; 2 switches
- Emergency Core Cooling System (ECCS): ESF; 1 switch/train; DAS; 1 switch
- Emergency Feedwater (EFW) Actuation: ESF; 1 switch/train; DAS; 1 switch
- Emergency Feedwater (EFW) Isolation: ESF; 2 switches/train; 1 switch/SG; Yes
- Main Feedwater Isolation: ESF; 2 switches
- Main Steam Line Isolation: ESF; 2 switches; 1 switch/SG; Yes
- MCR Isolation: ESF; 1 switch/train
- Main Steam Depressurization Valve: 1 switch/SG; Yes
- Safety Depressurization Valve: 1 switch; Yes