Text

1 UNITED STATES NUCLEAR REGULATORY COMMISSION

+++++

BRIEFING ON DIGITAL INSTRUMENTATION AND CONTROL

+++++

TUESDAY, MAY 14, 2019

+++++

ROCKVILLE, MARYLAND

+++++

The Commission met in the Commissioners' Hearing Room at the Nuclear Regulatory Commission, One White Flint North, 11555 Rockville Pike, at 9:00 a.m., Kristine L. Svinicki, Chairman, presiding.

COMMISSION MEMBERS:

KRISTINE L. SVINICKI, Chairman JEFF BARAN, Commissioner ANNIE CAPUTO, Commissioner DAVID A. WRIGHT, Commissioner ALSO PRESENT:

ANNETTE VIETTI-COOK, Secretary of the Commission MARIAN ZOBLER, General Counsel

2 3

NRC STAFF:

ERIC BENNER, Director, Division of Engineering, Office of Research MARGARET DOANE, Executive Director for Operations HO NIEH, Director, Office of Nuclear Reactor Regulations BRIAN THOMAS, Director, Division of Engineering, Office of Research ALSO PRESENT:

MATT GIBSON, Electric Power Research Institute DAN STODDARD, Senior Vice President and Chief Nuclear Officer, Dominion Energy DOUG TRUE, Chief Nuclear Officer and Senior Vice President, Generation and Suppliers, Nuclear Energy Institute NEIL WILMSHURST, Chief Nuclear Officer, Electric Power Research Institute

4 1 PROCEEDINGS 2 9:02 a.m.

3 CHAIRMAN SVINICKI: Good morning, everyone, I call the 4 Commission's meeting to order today and offer a good morning and welcome to 5 everyone. Thank you for coming here, tuning in online if you're doing that. This 6 morning the Commission convenes in public session to receive views from two panels, a 7 group of external experts, followed by a brief break, and then a staff panel.

8 The topic is plans for implementing digital instrumentation and control 9 systems. Over the years, the Commission has had a number of periodic meetings, 10 public meetings, on this topic. It is a very important topic, and the Commission has 11 taken a consistent interest, both in the industry's plans and also the NRC staff plans and 12 progress towards what is likely to be a larger penetration of digital systems at US 13 nuclear power plants and other regulated facilities.

14 So, again, we will begin with an external panel of experts. Before I 15 recognize them, however, do my colleagues wish to make any opening comment?

16 Okay, hearing none, we will begin with three panelists this morning. And again, I 17 welcome you all.

18 I'm going to go in the order in which our published scheduling note has 19 you, unless you have arrived at some other agreement among yourselves. Okay, so we 20 will begin then with Mr. Doug True, who is the Chief Nuclear Officer and Senior Vice 21 President for Generation and Suppliers at the Nuclear Energy Institute.

22 And I apologize for those in the room. I'm sure it's not picked up on 23 the microphone, but there's apparently some landscaping or work being done outside,

5 1 and all of us are hearing a loud distraction. But it won't be, it won't come through the --

2 okay. And I'm hearing from the Secretary of the Commission that we have sent 3 someone to perhaps get that to stop if we can.

4 But please, Mr. True, please proceed.

5 MR. TRUE: Thank you, Chairman, and Commissioners for having us 6 here today. So I'm going to give you some industry perspectives on digital I&C. It's at 7 the high level, and maybe some discussion and some paths forward that I think are 8 available to us.

9 I'll start with the first slide. So obviously we live in a digital world. We 10 all personally at home. Other high risk industries, whether it's medical or a process 11 industry, oil and gas, high speed rail, air and space, all use digital systems.

12 The US nuclear industry, however, had been very slow in adopting 13 that. They had a number of fits and starts at this and a lot of delays and cost overruns 14 that's kind of led to a situation where the industry is kind of not moving forward and not 15 knowing whether there's a predictable path to go forward.

16 And I think we're on a path that can probably get us to that predictable 17 path, and I think that's what we're here to talk about today. It is urgent that we get on 18 with this, though. We have plants that are aging, we have plants that are making 19 decisions about moving into subsequent license renewal where digital controls are 20 important.

21 And they're also an important enabler to a lot of the cost savings that 22 we want to see across the industry and giving us better means to monitor equipment and 23 respond to malfunctions. Next slide, please.

6 1 So I think I'm here to say that the finish line seems to be within sight.

2 And I would define that finish line as being enhanced safety. The reliability 3 improvements and operational improvements associated with digital systems are 4 substantial, and we'd like to see those implemented in plants in order to obtain those 5 reliability and control benefits.

6 We've had some recent successes. I think the Supplement 1 to the 7 RIS 2002-22 has been beneficial. It's gotten a number of utilities interested in digital 8 modification, minor digital modifications. And the ISG-06, Revision 2, has been helpful 9 in defining a path when a License Amendment Request is required.

10 We do have a couple of other areas that are still open that need to be 11 resolved. The first involves the 50.59 guidance that's contained in NEI 96-07. NEI 12 submitted that late last year, and we believe that it can be endorsed. We have some 13 differences of opinions with the staff that we need to work through on how to interpret 14 the guidance. But I'm pretty confident we can get through that to a point where that can 15 be endorsed in the future.

16 The bigger issue is this common cause failure issue that's been 17 around since an inception of this issue back in the 90s, and mostly that's what I want to 18 kind of focus on here today. Next slide, please.

19 I want to start with a note that common cause is not unique to digital 20 systems. Our analog systems that we have installed in plants, they have common 21 cause potential. We experience common cause failures rarely. But, and it's important 22 that we keep that out of the design basis. If we go down a path of introducing common 23 cause failure as a design-basis issue, then it complicates many things about our

7 1 regulatory processes.

2 And so we see that, we'd like to see a parallel kind of process for 3 digital that we use with analog where we address analog common cause failures through 4 special treatment requirements. Those that being engineering processes, design 5 requirements, testing requirements, a suite of activities that make sure that the potential 6 for that common cause is low, rather than having to assume that the common cause 7 occurred -- occurs. Next slide, please.

8 So in addressing common cause, our challenge is to create a clear, 9 predictable technical path on major digital upgrades. These would be RPS and ESFAS 10 and the major digital systems or control systems in plants. Currently, the guidance is 11 focused on testing and diversity as the means to address that.

12 And what I think we're trying to work towards is a clear third path that 13 allows these special treatments to be applied, in lieu of having to have testing of 14 everything or 100% or diversity for of signals. And I think we're making progress in that 15 area, but there's still more work to be done. Next slide, please.

16 Two key issues that need to be resolved through regulatory guidance 17 are when can the likelihood of common cause failure be considered sufficiently low?

18 We can't be in a situation where a licensee is asked to provide an analysis and then it's 19 judged independently by the regulator on whether that's sufficient or not.

20 We need clear guidance up front so that the utilities can plan, know 21 what they're going to be delivering, and have that be assessed. And that still remains to 22 be documented. We think that the Branch Technical Position 7-19 is a reasonable 23 place to locate that, but there is still work to be done so that it's clear to the industry

8 1 when we have done enough to make that likelihood sufficiently low that it needn't be 2 considered.

3 And then in cases where those, where the defenses are not sufficient 4 to be considered sufficiently low, what other defenses can be credited. For example, 5 can operator backups be credited, can other coping mechanisms be credited.

6 Understanding those two issues of when it's low enough and then what we can do when 7 it's not low enough is really what we're, what the path needs to focus on going forward.

8 We think that can all be done through reliance on robust engineering 9 practices, a quality design process, both the hardware and the software side of things, 10 and the adoption of appropriated software design attributes are the keys to that success.

11 And also incorporating operating experience.

12 The industry has a long history of sharing and using operating 13 experience proactively to address the issues. And in this case maybe I'll bring up a 14 non-nuclear operating experience. But the, I've heard people connect the Boeing 737 15 Max issue to this digital I&C question. Certainly, there's not a complete publically 16 available analysis of that that we have, but we're watching closely to see what that says.

17 Today, it appears that that was not a digital software common cause 18 problem but more of a design problem of being relying on a single sensor that failed and 19 led to the erroneous reaction by the control system, something that we would never have 20 in a nuclear plant because we always rely on multiple sensors and actually diverse 21 inputs through those sensors.

22 So I don't see the parallel there. Also, a control system is 23 substantially different than an actuation system, which is what we're really talking about

9 1 here, whether it's an actuation of a reactor trip or a actuation of emergency systems, 2 which is simply and on-off not trying to control a plane.

3 But so far it doesn't look like software was the problem. Software may 4 be the solution in the end, but it's not, it doesn't appear that that was the problem. We'll 5 follow that no matter where it leads, and we'll make sure we address those lessons 6 learned as we go forward.

7 Finally, as we define this third path, and as I said, we're on our way to 8 doing that, I think it's really important that we keep in mind three things. We need to 9 make sure we have clarity of the expectations, so that the utilities know what they need 10 to do. We need to have demonstrated an efficient and predictable regulatory process.

11 That's something that's been a challenge is this area for a long time, 12 and it's going to be necessary in order to re-establish the confidence that we can do 13 these digital mods in a predictable manner under the cost controls that we need in order 14 to make them viable for the industry.

15 That's the end of my remarks.

16 CHAIRMAN SVINICKI: Thank you very much, Mr. True. Next the 17 Commission will hear from Mr. Dan Stoddard, who is the Senior Vice President and 18 Chief Nuclear Officer at Dominion Energy. But I believe he may also be presenting 19 here today in his capacity as an industry leader on this topical area, and maybe you can 20 enlighten me and just make sure I have that right before you start, Dan.

21 Thank you, please proceed.

22 MR. STODDARD: All right, thank you, Madam Chairman, I appreciate 23 the opportunity to come speak with you today, both as you said in my role as Chief

10 1 Nuclear Officer for Dominion Energy and representing my peers in the industry as a 2 leader of a working group on digital I&C.

3 Starting off with the first actual slide there, what I want to talk about 4 today briefly is why are we doing this at all, with digital I&C. What some of the main 5 drivers are, what some of the main benefits are. Where we see the current state of 6 progress, some of the challenges that we have ahead, and then some thoughts on next 7 steps.

8 I won't go through all the drivers and benefits of digital I&C. They are 9 many. Doug talked about the significant safety benefit that comes with these systems.

10 But I will highlight a few.

11 First off, obsolescence. I mean, we all know these plants came online 12 in the 70s and 80s. Much of the technology was developed in the 1960s and installed 13 in the 1970s. Although it has proven highly reliable over time, we're talking about these 14 plants with subsequent license renewal going past mid-century.

15 And if you think about plants that could go into the, licenses into the 16 2060s, we're talking about technology that from its initial design until it's, until while the 17 plants are still operating being a hundred years old.

18 There have been numerous improvements in technology over time.

19 These systems need to be replaced, need to be replaced with current modern digital 20 systems. We have a lot of strategies to keep them operating reliably, and as I said, the 21 plants have an admirable record of reliability. But this would be a significant 22 enhancement.

23 So not just dealing with obsolescence, but improvements in reliability,

11 1 which has a nexus to safety as well as in addition to cost. Digital systems have proven 2 significantly more reliable over time. And one of the things that has great benefit is 3 elimination of single point vulnerability.

4 We have, in the protection and control systems at these plants, 5 hundreds of circuit cards that have thousands of individual components. We replace a 6 substantial part of that and eliminate much of the hardware associated with that by going 7 to digital upgrades. Software doesn't age, software doesn't wear out. Software has a 8 lot of flexibility associated with it. Next slide, please.

9 So there's significantly lower failure rates with digital systems. From 10 an engineering standpoint, the ability do self-diagnostics, plant monitoring, get 11 information from the system to allow improvements in engineering and improvements in 12 plant reliability is substantial.

13 And the level of, and preciseness of control that these systems allow 14 the operators, the operational flexibility, the ease of operation are also substantial 15 benefits to that that we can realize if we are able to do larger scale digital modifications.

16 Next slide, please.

17 Just some examples about the reliability, and I believe you have seen 18 this graph before. This comes from a peer utility and shows graphically the 19 improvements in reliability that come from transitioning certain systems from analog 20 systems to digital systems. You see a significant improvement in reactor scram rates 21 from going to digital systems.

22 And that's just one example, and I think Neil is going to talk about 23 broader digital systems and improvements in digital systems, not just through the

12 1 nuclear industry but through other industries as well.

2 So what's the, next slide, please, what's the current state? There are 3 a number of digital projects ongoing in the industry. We did a survey, roughly 40 digital 4 upgrades that are in progress across the industry. And as Doug talked about, 5 Supplement 1 to RIS 2002-22 has helped facilitate some of those projects.

6 Roughly half of those projects are relying upon or using the qualitative 7 assessment guidance in the RIS to help move those projects forward. So that has been 8 a positive step, it is progress.

9 Just some of the examples of what we are seeing in systems. I have 10 those listed here. Diesel generator controls, radiation monitors. Some are working on 11 rod control, safety-related chiller controls. So those are good, but you will see, and 12 again I think this is something that Doug alluded to, some of the simpler, lower-level 13 safety systems, not large digital upgrades. So progress on that front. Next slide, 14 please.

15 But one thing we are not seeing in the industry is any current plans or 16 any changes in progress with large safety-related systems, such as reactor protection 17 systems or engineered safeguards actuations systems. So why is that?

18 Well, I mean these systems are costly and complicated to install. So 19 as, and I can speak to this personally as well, any uncertainty around the ability to have 20 a predictable path to install these systems adds another significant hurdle when you 21 have a system that is costly, a system that takes significant advance planning and 22 outage scheduling to install.

23 Adding a layer of uncertainty in the ability to get it licensed in a timely

13 1 manner, an ability to install it on a predictable path leads to great hesitation to move 2 forward. So that's one of the big, that's one of the major challenges and the major 3 hurdles that we need to overcome.

4 So where do we go on next steps? And again, some of these things 5 Doug talked about already. In the works, Appendix D to NEI 96-07, getting that 6 approved. It seems to, from what I can gather, that seems to have stalled on the 7 five-yard line. We have one major sticking point that is left that absolutely needs to be 8 resolved before that can, in a reasonable manner, before that can be resolved.

9 Getting the approval of a Branch Technical Position on Diversity and 10 Defense-in-Depth analysis, that will help with some of the potential common cause 11 issues.

12 There's one I don't have on here, and that's approval of guidance for 13 using third-party certifications for digital I&C systems. That's important also. There's 14 some work that the industry needs to do. This is not a Commission issue, but approval 15 of design engineering guides that will help the process of developing these digital mods.

16 So there's work that the industry needs to do exclusive of what needs to happen with 17 NRC.

18 Continuing to work collaboratively. I think we in general would say 19 that the relationship has been pretty collaborative, with a strong focus on safety between 20 the industry and the staff. You know, to summarize, just a predictable regulatory path 21 based not on absolute assurance.

22 You know, one of the things we talked about goes back to some policy 23 from the early 90s is for addressing common cause failure is simple systems with 100%

14 1 testing or diversity. We have to get, we have to be able to get beyond that to have a 2 predictable path based, again, not on absolute assurance but on reasonable assurance.

3 Once we get that, I think we will see some things continue to move.

4 So, Madam Chairman, that concludes my remarks. Thank you.

5 CHAIRMAN SVINICKI: Thank you, Mr. Stoddard. And as the third 6 presenter on this external panel of experts, we will hear from Mr. Neil Wilmshurst, who 7 joins us from the Electric Power Research Institute, where he is the Chief Nuclear 8 Officer.

9 And I know the institute does, I'll call it both scholarly and experiential 10 exploration of a number of topics for the US nuclear industry and others, one of which is 11 digital I&C.

12 Mr. Wilmshurst, please. Thank you for being here and please 13 proceed.

14 MR. WILMSHURST: Thank you. I want to thank the Commission for 15 inviting me to speak on this important topic. First slide, please.

16 So you might wonder why I put this slide up about the footprint of EPRI 17 in our funding. The point I want to make is this is, shows the diversity of our 18 membership. And if I focus just on the nuclear part of EPRI, we have about 50% of our 19 funding comes from outside the US. And we have participation from almost 90% of the 20 commercial plants in the world.

21 And this issue we're here to talk about today is not just a US issue, it's 22 an issue for all the nuclear plants around the world. And we're interacting with those 23 plants, at one level or another, to try and help them navigate this issue. So we're very

15 1 glad to work with the US utilities, but this does have a global impact.

2 Some of the issues people are seeing is the regulatory approach, 3 supply chain, dealing with cyber, and all those issues that my colleagues brought up.

4 Nuclear traditionally has moved slowly to adopt new technologies. This is one area 5 where there's a global push to try and unlock the potential of digital control systems. So 6 we're actually able to have that global perspective on this issue. Next slide, please.

7 So I think it was Dan mentioned about our perspective on digital 8 reliability. This is outside of nuclear. Our team looked at the reliability data for digital 9 I&C in other safety-related applications, looking at the software common cause history 10 for platforms certified by the International Electrotechnical Commission.

11 And looking at over two billion hours of operation, and saw no platform 12 level software common cause issues. So what that shows is by application of existing 13 certifications of what's called safety integrity-level certifications, at the platform level, 14 those internationally accepted design processes and acceptance and testing processes 15 have proved to be effective in other industries.

16 Then moving on to nuclear, we have these touchpoints of that wide 17 cross-section of the global fleet. We've looked at the OE from places like Korea, 18 France, and China, who have to some extent deployed digital I&C. And what it shows 19 is software common cause failure, from what the OE says, is no more problematic than 20 non-software common cause failures, as Doug mentioned.

21 There've really been no issues identified in the OE where diverse 22 platforms would have been effective in preventing those common cause failures. And 23 actually, several events showed that the signal and functional diversity actually

16 1 protected. Which again goes back to Doug's point when he referenced other industries, 2 that nuclear does have a very strong history in having diverse signal and functional 3 diversity.

4 So this all builds up a perspective looking at is there a third path to get 5 through to deploy digital I&C. A hundred percent testing has been tried in many 6 countries. Diversity has been a path taken in many countries.

7 But if you look at other industries, and using these existing 8 certifications, the platform level shows that in other safety-related industries, those 9 certifications have been effective at demonstrating the performance of those platforms.

10 So we were asked by our members within the US, so next slide 11 please, to look at what it would take to add to the existing standard design process, 12 which specifically excluded digital I&C, look at what it would take to develop a digital 13 engineering design guide to actually standardize the approach to developing digital 14 modifications.

15 And this is what this slide shows. The orange box shows those 16 international standards which are accepted by other safety-related industries as 17 demonstrating safety reliability. Then on the left-hand side, it shows all the inputs in a 18 system engineering framework which are being input into this design engineering guide 19 involves a process which we refer to as HAZCATs, which is a universal tool to look at all 20 digital hazards.

21 Based on something our colleague who was going to be here today is 22 an expert in, is system theoretic process analysis. Put very simply, that is looking at 23 something as a system, not looking at the components. Then actually looking at the

17 1 hazards generated by the system rather than looking at the reliability of individual 2 components.

3 So all these things together, be it procurement, human factors in 4 engineering, cyber security, which is really important, have all been thoroughly 5 considered, guidelines and guidance documents developed. They come together as 6 what we're referring to as the EPRI Digital Engineering Guide, DEG.

7 And that is being incorporated within the US industry as a standard 8 process to develop and deploy digital modifications. And also this is being looked at 9 across the world by our members as an approach to make that design engineering 10 process very robust. Next slide, please.

11 So to really amplify those comments, what does this framework that 12 we have developed working with our members really show? It's a comprehensive 13 engineering process using experiences from other industries and modern methods to 14 actually deploy safety systems.

15 Element one, use of industry standards. Those are demonstrably 16 effective at assuring reliability in other industries. It has the other benefit of it opens up 17 a supply chain broader than just nuclear. Opens up a supply chain which gets more 18 experience and more diversity in that supply chain by embracing comprehensive 19 international standards.

20 Element two, a very comprehensive system engineering process 21 leveraging all the engineering techniques and all the tools which have been developed to 22 look at hazards, digital reliability, cyber, and other things. And then clearly, within that 23 process, risk-informing everything to make sure the right attention is paid to the right

18 1 hazards developed and designed through the process.

2 So final slide, please. So this pictorial really illustrates where I think 3 we are. The bottom green box is all those documents EPRI has delivered in 4 collaboration with our members around the world. And those deliver a design. I think 5 the challenge in front of everyone is looking at how the policy and the design output 6 connect.

7 And we've illustrated this here by the criteria by which the output is 8 judged and assessed. Really, there's objective criteria for how human factors engineer 9 it. Those are I believe in a relatively good place. Electromagnetic compatibility, same 10 way. Cyber, I think so.

11 I think the challenge in front of the industry and the Commission is 12 really coming into alignment around those objective criteria for software common cause 13 failures.

14 And one final comment here. This Design Engineering Guideline, it 15 will undoubtedly learn from experience going forward. As Doug mentioned, it will learn 16 I'm sure from the output from the Boeing investigation and others. So this is high quality 17 process, but I'm sure it's going to learn and improve as time goes forward.

18 Those are the ends of my comments. Thank you.

19 CHAIRMAN SVINICKI: All right, well, thank you, Mr. Wilmshurst.

20 And thank you to all three presenters. Under our practice of rotating the order of 21 questioning, it is my turn to go first today.

22 So, I've been coming, as I think I made reference to when I opened the 23 meeting, I've been coming to meetings on this topic as a member of this Commission for

19 1 some time now. And so I always find them a benefit, because we can look at where we 2 are today. If we reflected on the long path to even to get today, it might be a little 3 discouraging, so it's good that maybe we just kind of focus on what lies ahead.

4 And so I thought about a series of questions that would for me kind of 5 frame up a comprehensive snapshot of where we are and where we're trying to get and 6 what would be indicators of near-term progress along that path. And so what I'd like to 7 do is just read this sequence of questions.

8 And I'm not asking that each of you respond to each one, but you'll get 9 the theme of kind of what I'm trying, the picture I'm trying to help myself, to have you 10 have help me create in my mind so I could get some clarity on this. And then just in any 11 order, I would like to give each of you an opportunity to share with me what you think 12 would help enlighten me on these points.

13 So the first question I thought of in getting a snapshot of where we are 14 is, you know, and where we're going, is what is the next critical path item to resolve in 15 order to reach kind of our next substantial milestone of progress? And in order to 16 resolve whatever that thing is or that issue is, kind of what obstacles exist to resolving it.

17 And are they more in the nature of like aligning on common philosophy 18 or viewpoint of the treatment of a system or something? You know, is it more like we 19 need to come to common understandings, or is there actual testing of something or 20 testing of a process for reviewing something?

21 That, you know, is it more kind of in thought space, or it is more like we 22 have more actual work to do with, you know, multi-year research plans?

23 And then the third topic would be what would be, need to be in place

20 1 then in order for a utility to submit for review like, what we might consider however you 2 define it, a major digital upgrade that would safety significant systems at a US NPP?

3 So kind of is this the key issue that we're talking about that would lead 4 us at least to being closer to having a US utility or nuclear plant operator to cross that 5 kind of gap or leap of faith.

6 And then when do you forecast in terms of a range of years we would 7 get there, given the current integrated plan that NRC has and the current pace of 8 progress that we've been making. So, and then I guess as a part of that, do you see 9 that as timely in need, which I just mean generally kind of in terms of obsolescence and 10 other things. If all of these steps before that fell into place, would we get there?

11 And then if you did have any thoughts on, you know, US NRC has of 12 course certified the AP1000. We've just, as a commission, affirmed publication of a 13 potentially direct final rule for certification of the APR-1400. Of course, these are digital 14 control rooms.

15 So do you think that there's some disconnect at US, so this is a 16 provocative question because I'm asking you to be a little critical of NRC, do you think 17 that there's some sort of misalignment or disconnect from NRC's treatment of like these, 18 the designs for the future and the way, if a utility submits something today for an 19 upgrade, the treatments it gets in array from a regulatory standpoint?

20 So I don't know who would like to share some thoughts on that, and 21 we don't have to go in the order of Mr. True if he wants to go first. Doug, go ahead.

22 MR. TRUE: Yeah, I'll go first and try and hit on things and then let my 23 colleagues amplify.

21 1 So I think the next critical path step is getting this Appendix D 50.59 2 guidance resolved. That, and that is an issue of getting to a common understanding, I 3 think. So there's not research necessary, it's a matter of getting people to sit down and 4 resolve what the technical issues are. Identify what the technical issues are and come 5 up with resolutions. I think that's possible.

6 The next thing after that, though, for major digital mods is getting to 7 what Neil referred to as the objective criteria for software common cause in this so we 8 can know what is necessary to make the likelihood of common cause sufficiently low so 9 it doesn't have to be assumed in the analysis.

10 So those are the two next steps I think need to be taken. I don't think 11 there's a ton of research that's necessary for that, but there is some work to be done.

12 And I think the staff has been working in that direction, and we're, we think it'll be, it's 13 resolvable.

14 I think the second, if I kind of blended in what the obstacles are there, I 15 think of this is we're on a path that could be resolved in the next year or so in terms of 16 the technical aspects of this. It would take some work to do that, but I don't think we're 17 on a decades journey to get to that point.

18 I think the biggest challenge that we have is kind of what I got to in my 19 presentation, which is, and Dan did too, is getting that confidence back that this is going 20 to be a predictable process. We've done this before, we carry that baggage with us, 21 whether we like it or not. It's there, it's in the back of the industry --

22 CHAIRMAN SVINICKI: Do you think a pilot would help? Sometimes 23 NRC and the industry have used, like on license or like somebody goes first and it's kind

22 1 of a, maybe considered a pilot?

2 MR. TRUE: I think a pilot is probably essential, in a sense. Whether 3 it's efficient, we'll know at the end of the pilot. And we've had various kinds of pilots in 4 the industry, some of have been successful. But I think that's a good first step, yes, to 5 move that forward.

6 And I guess the only thing I would say about the new plants and in 7 contrasting them is that I was down at Vogtle a few months ago looking at the simulator 8 for the new AP1000, and their digital control system has a completely diverse backup.

9 And that's, we're trying to not go in that direction. That was the 1990s 10 solution to this problem. We think that we can get there through this third path without 11 having to have the diverse system in place.

12 CHAIRMAN SVINICKI: That was very helpful. Would anyone like to 13 augment that? Dan?

14 MR. STODDARD: Certainly. No, I think, I mean Doug addressed it 15 very well. And my comments will be very much in parallel to him. And when we have 16 some of the near-term products that we talked about that we'll move some, make it 17 easier to move forward with some digital modifications but still not get us to the larger 18 digital modifications.

19 The critical path for that is, again, some assurance on how we can 20 address the software common cause issues. And I recognize that we're in a little bit of 21 a difficult situation is no one's going to step out and say we're moving forward until we 22 have some more predictability.

23 And are we going to spend a lot of time and energy revising guidance

23 1 until we know someone's going to move forward. So that's where I think that --

2 CHAIRMAN SVINICKI: Well, and can we have confidence until 3 someone tries? Sorry, that's --

4 MR. STODDARD: So that, I mean, that does get back to the concept 5 of a pilot is, okay, let's show that we can, that there is a path to move this forward on 6 some kind of confidence. That would open up the perspectives to go further.

7 You know, and as far as the timeline, as many of us are station to 8 move forward with subsequent license renewal and putting in our planning phase the 9 modifications to ensure the safe, reliable operations of these plants out to 80 years, I 10 mean, we're at the point where we'll be making decisions in the near term.

11 So before we would go forward with a decision, we would have to have 12 some predictability. So I mean, the timeframe in which we need to do this is in the next, 13 certainly in the next, yeah right, next year, it's now to get that done.

14 And then you know, I'd just agree again with Doug's comment on the 15 AP1000 certification. Why do we, for a highly reliable system, why do we need a 16 complete different system to back it up? Under any scenario, we are going to have 17 some measure of diversity, and that's the ability of an operator, independent of the 18 software, to actuate safety systems.

19 Beyond that, any level of diversity I think is unnecessary, adds to cost, 20 adds to complexity, adds delay, and keeps us from realizing the significant safety benefit 21 of these systems.

22 CHAIRMAN SVINICKI: Thank you. Neil, would you like to add 23 anything?

24 1 MR. WILMSHURST: Just very briefly, just to add on. Back to your 2 first question, I think it's a philosophical shift that the nuclear industry needs to look at 3 the benefit of experience from non-nuclear safety-related industries. And actually 4 leverage that and see the benefits of that supply chain being opened up to the benefit of 5 the nuclear industry. And that requires that new and maybe different perspective on 6 common cause failure.

7 From the outside looking in, have we all been trying to drive to 8 eliminate common cause failures in software, and is there a need to recognize that every 9 engineered system will have potential common cause failures. But there's a need for an 10 engineering system to understand and mitigate the impact of those, rather than just 11 eliminate them completely.

12 CHAIRMAN SVINICKI: Well, thank you for that. And again, thank 13 you all for being here. I will just end with that thought, Neil, and I think you made 14 reference to a possible additional perspective on the panel, which we can seek at a 15 future meeting.

16 But before coming here, my experience on this and parallel issues was 17 working with highly complex military systems, and they have some of the same, you 18 know, urgent imperatives, like high reliability and supply chain issues, and other things.

19 So I appreciate and will just close with the thought that nuclear is of 20 course not the only industrial sector that deals with this or has equivalent imperatives on 21 it. So I appreciate that, and with that, I will turn to Commissioner Baran.

22 COMMISSIONER BARAN: Thanks. Well, thank you for being here.

23 This is an important and complex topic, so I'm just going to dive right in. Doug

25 1 mentioned the two completed NRC guidance documents related to digital I&C, the RIS 2 and ISG-06. Dan talked about some of the digital upgrades that are proceeding under 3 this guidance.

4 My sense is that the toughest remaining digital I&C issue is common 5 cause failure. Is that how you see it?

6 MR. STODDARD: Yes.

7 MR. TRUE: Yeah, all the issues revolve around that.

8 COMMISSIONER BARAN: Do you think there is a basic 9 disagreement between the NRC staff and industry about whether common cause failure 10 is credible?

11 MR. TRUE: I think the part we have not resolved, and I don't know 12 whether it's a fundamental disagreement or not, but what we haven't resolved is what 13 needs to be done to make the likelihood of that sufficiently low. And getting a bead on 14 what that looks like, what sufficiently low likelihood looks like is what the final issue is 15 going to revolve around.

16 COMMISSIONER BARAN: And is that where the conversation is, or 17 do you think there is some kind of broader philosophical disagreement?

18 MR. TRUE: No, I think it's, I think we're on the track to resolve the.

19 COMMISSIONER BARAN: When the staff presents on the next 20 panel, they have a slide, which is slide 9, I'm going to present it for them. It goes 21 through some of the perceptions of what is required to address common cause failure, 22 compared to how the NRC staff actually views the issues. It's referred to as perceptions 23 versus reality.

26 1 On this slide the staff states that a diverse analog system is not 2 mandatory, 100% testing is not required, and Branch Technical Position 7-19 is not 3 applicable to digital modifications made under 50.59. Do you agree with those staff 4 statements, and are any of those statements a surprise to you?

5 MR. TRUE: I think that one of the challenges is the way that some of 6 those perceptions are written is that they sort of hyperbolic. And then they're like all, 7 and I think that, I believe that the reality exists on the right-hand side. I don't think that's 8 a false reality. Perceptions may not be exactly as they're characterized, so I think --

9 COMMISSIONER BARAN: How would you, if you were going to offer 10 your corrections to that slide, how would you, what are the actual common perceptions 11 on, among the stakeholders?

12 MR. TRUE: I think that there's I think the perception would be that a 13 diverse system is the safest way to go in terms of getting regulatory assurance. And 14 that not beyond that, it's not clear what's needed on the first one.

15 A hundred percent testing isn't even feasible in a lot of cases because 16 of the spectrum of possible situations that would have to be tested. So I think nobody 17 thinks that 100% testing is the solution. In maybe some cases, I think some of the 18 SMRs are heading down a path of 100% testing being their solution because they're 19 simple. But for our systems, that's not even really an option, so that's the second one.

20 And I do not think the industry agrees that BTP 7-19 is applicable to all 21 modifications. Maybe some of them would follow that.

22 MR. STODDARD: Yeah, I would just add I would go to the first reality 23 up there, and this kind of gets to the concern. Okay, there are many options to

27 1 accomplish the intended safety function. So if we submit a license and then a 2 application to put in a digital I&C system, what exactly, what options are we going to be 3 driven to implement?

4 So we can say there are multiple options, but some of those options 5 may be unnecessary and unpalatable to implement without some degree of certainty on 6 what those options, what we might have to do that leads to the hesitation.

7 COMMISSIONER BARAN: All right, so it sounds like I take from both 8 your comments that, at least on some of these points, it's not so much that there's a 9 perception out there that it has to be done exactly this way and that's mandatory. But 10 rather there's really uncertainty about what's going to fly or not, and that leads to 11 hesitance to proceed if there's uncertainty about what's being okay or not.

12 MR. TRUE: Yeah, they're kind of a third path, what's the third path 13 look like.

14 COMMISSIONER BARAN: On common cause failure, the staff has 15 planned really the two guidance documents, reviewing NEI 16-16 for possible 16 endorsement, and revising Branch Technical Position 7-19. The first document would 17 be guidance for licensees on common cause failure, and the second document would be 18 guidance for the NRC staff.

19 Can you talk a little about the current status of NEI 16-16?

20 MR. TRUE: We are not working on NEI 16-16 at the moment.

21 COMMISSIONER BARAN: Okay.

22 MR. TRUE: And don't currently believe it needs to be taken to 23 endorsement.

28 1 COMMISSIONER BARAN: Okay. On the next panel, we'll hear 2 about the staff's vision for the Branch Technical Position. It involves a graded approach 3 to the level of analysis required based on whether a digital system is safety-significant or 4 not and safety-related or not.

5 You've mentioned, Doug, several times, you know, a third path of 6 special treatment requirements. Do you see these two approaches as compatible or 7 are they different visions of this guidance document?

8 MR. TRUE: The two approaches?

9 COMMISSIONER BARAN: Well, so you've been talking about the 10 third path.

11 MR. TRUE: Yeah.

12 COMMISSIONER BARAN: And then again, I'm presenting the staff 13 slides on the next panel. You know, the slide 8 has the grid safety-related, safety 14 significance, and the different analysis you'd have at each, there it is. Is this compatible 15 with what you're talking about in terms of a third path, or are these different approaches?

16 MR. TRUE: I think it can be a means to a third path, absolutely. But 17 we still don't, we still need to see what that path looks like. So I don't think there's 18 anything incompatible, but it's not there yet.

19 COMMISSIONER BARAN: Okay.

20 MR. TRUE: It's my view.

21 MR. STODDARD: No, I would agree with that. It's what, you know, 22 when you get into the safety-significant, safety-related, what exactly has to go into the 23 D3 analysis, and what's an acceptable range of things that can be inputs into that.

29 1 COMMISSIONER BARAN: Okay, and how kind of in-depth have the 2 conversations been to date about what's involved in a D3 analysis versus a 3 defense-in-depth qualitative assessment?

4 MR. TRUE: There's been one public meeting on the BTP 7-19 5 concept, this quadrant chart that I understand was very, I wasn't actually there, but I 6 understand it was a very productive discussion. I think we found frankly that the gap 7 between us was smaller than we thought going into it. So I view that as a positive. But 8 there's still a lot of work to do to get to the clear, predictable path, we think.

9 COMMISSIONER BARAN: Separate from common cause failure 10 there's the question about whether and under what circumstances commercially 11 available digital hardware and software could be used in nuclear power plants. NEI has 12 been working on a guidance document for potential NRC endorsement, NEI 17-06.

13 Can you talk a little bit about the current status of that guidance document?

14 MR. TRUE: I don't have a good status for you on that. I'm sure I'll 15 get back to you on that, though.

16 COMMISSIONER BARAN: We'll mark it as a little bit lower priority 17 than some of these other issues we've been talking about.

18 MR. TRUE: Yeah.

19 COMMISSIONER BARAN: All right, thanks, that's all I had.

20 CHAIRMAN SVINICKI: Thank you very much, Commissioner Baran.

21 Next we will recognize Commissioner Caputo. Please proceed.

22 COMMISSIONER CAPUTO: Good morning. Thank you all for being 23 here. In the last Commission on this topic, I reflected how the Commission direction to

30 1 the staff in 2015 was strikingly similar to the Commission direction given in 2006.

2 In preparation for this meeting, I noticed that several of the themes 3 we're hearing about today are reminiscent of a Commission meeting in 2015, including 4 regulatory uncertainty; licensee reluctance to be the first review, given past experience; 5 misinterpretation and miscommunication between industry and the staff; and common 6 cause failures, just to a name a few.

7 Seems to me like resolving the miscommunication and breaking the 8 logjam on common cause failures are key to making progress, so that's where I'm going 9 to focus today. And I'm going to follow on to some of Commissioner Baran's 10 questioning on slide 9 from the staff.

11 And I'm going to start with sort of refreshing our memory on Bridge 12 Technical Position 7-19 as it currently stands today states, If a postulated common 13 cause failure could disable a safety function that's credited in the safety analysis to 14 respond to a design basis event being analyzed, a diverse means of effective response 15 and documented basis is necessary.

16 So Mr. True, with regard to license amendments for significant digital 17 upgrades, is it your understanding that this Branch Technical Position does require a 18 diverse analog system to back up digital I&C systems or 100% testing to prevent 19 common cause failures?

20 MR. TRUE: I am assuming when you refer to the current BTP 7-19 21 it's the one that's in place now --

22 COMMISSIONER CAPUTO: It's the one that's in place today.

23 MR. TRUE: Not the one that we talked about in the public meeting a

31 1 few weeks ago.

2 COMMISSIONER CAPUTO: Right.

3 MR. TRUE: Yeah, that's my understanding.

4 COMMISSIONER CAPUTO: Okay. So this means, given the 5 infeasibility of 100% testing, the only path for a licensee to pursue a significant digital 6 upgrade is to provide an analog backup at this point.

7 MR. TRUE: That's the path that everyone has taken except for an 8 advanced. I think an advanced reactor has a 100% testing approach.

9 COMMISSIONER CAPUTO: Okay, so that wouldn't solve the 10 challenge of obsolescence with regard to analog components.

11 MR. TRUE: Not for the current fleet.

12 COMMISSIONER CAPUTO: So to be clear, when the staff says the 13 diverse analog backups and 100% testing are not required, it's in the context of digital 14 upgrades more or less done under 50.59, sort of lesser digital upgrades.

15 MR. TRUE: Currently. Yeah, the RIS will enable that qualitative 16 assessment to allow that to proceed.

17 COMMISSIONER CAPUTO: Okay, well, and my next question to 18 both you and Mr. Stoddard, do you think the staff's proposed revision of the Branch 19 Technical Position is going to solve this impasse on common cause failures?

20 MR. TRUE: I think it'd be speculating. I'm hopeful and confident, I 21 think. I think I believe we have narrowed the gap. I think we have made progress 22 since 2015. I don't think we're there yet. I can't see that finish line exactly, but I 23 believe that it can be resolved through an update of 7-19.

32 1 COMMISSIONER CAPUTO: Okay, so this gets back to the 2 Chairman's question of is this a philosophical difference or a difference that requires just 3 sharpening of pencils and executing work?

4 MR. TRUE: I'd like to believe that it's a matter of just getting to work 5 and resolving the criteria that Neil called for that provided the objective criteria for 6 software common cause.

7 MR. STODDARD: I would just, you know, I would add that, you know, 8 we still need to wait and see what the final product looks like. Could we resolve it 9 through the final wording in the Branch Technical Position? Yes, I mean, the policy 10 guidance is still out there.

11 I know it's dated, but can we get the details in the Branch Technical 12 Position that get us past that and get us past some philosophical issues? Yes. It's just 13 there's a question mark to it, what does it finally look like?

14 COMMISSIONER CAPUTO: So Mr. True and Mr. Stoddard, with 15 regard to the staff's review of NEI 96-07 Appendix D, there's currently a disagreement 16 between the staff and the industry over how to treat changes that create a possibility of 17 malfunctions with different results. This is known as NRC slide 6, giving a preview 18 again of staff slides. Is that correct?

19 MR. TRUE: Yeah, there's one remaining issue. I think we have, we 20 haven't had any formal interaction on that since it was submitted, but I think we have 21 some general understanding of what the issue is. And I think, I believe if we sit down 22 and work our way through that we can find an appropriate interpretation.

23 MR. STODDARD: I would just add that that is an issue that we do

33 1 need to get to common ground on. The industry, I mean, not the industry, but to move 2 forward on that guidance which will facilitate developing the 50.59 reviews, to get the 3 benefits of these systems, we need a clean endorsement, a clean endorsement of that 4 Appendix D is needed.

5 COMMISSIONER CAPUTO: So this language in the slide about the 6 possibility of malfunctions, is this the nature of whether we are assuming a common 7 cause failure will exist? Is that how we're calculating? When we try to put a number on 8 the possibility, is this sort of the crux to the issue at solving common cause failures?

9 MR. TRUE: I think that, I don't want to get, drag us too far into 50.59 10 space, but I think the issue is this applies in a case where the qualitative assessment 11 has not judged the likelihood of common cause failure to be sufficiently low. So we go 12 into the 50.59 process, and the question here is how are you interpreting the malfunction 13 of an SSC and its impact on the FSAR?

14 COMMISSIONER CAPUTO: Okay.

15 MR. TRUE: It's how you make that link from a common, the SSC 16 malfunction to the FSAR, that is what is being discussed between the industry and staff.

17 COMMISSIONER CAPUTO: And how the Agency makes that 18 interpretation more or less sets the threshold for what can be analyzed under 50.59 19 versus the license amendment.

20 MR. TRUE: Yes.

21 COMMISSIONER CAPUTO: Okay. Mr. Stoddard, considering the 22 regulatory uncertainty created by this disagreement and the impasse on common cause 23 failures, do you believe any licensees are going to pursue license amendments for

34 1 significant digital upgrades under those conditions?

2 MR. STODDARD: No, I can't say with certainty. You know, I have, 3 we have our cases that we're working on for subsequent license renewal, which I talked 4 about before. I have reached out to my colleagues in the industry. So I can't say with 5 a certainty what people will do a year from now, two years from now.

6 But I don't know of anyone who is willing to move forward with a digital 7 upgrade involving reactor protection system engineered safeguards actuation systems, 8 or even large similar significant systems, until there is a greater degree of regulatory 9 confidence that we can get there in a reasonable fashion.

10 COMMISSIONER CAPUTO: Mr. Wilmshurst, on slide 3 you list 11 observations from nuclear operating experience, including how, quote, Several events 12 confirmed effectiveness of signal and function diversity in protecting against software 13 common cause failures.

14 Could you please elaborate on this operating experience and how 15 could it be used to risk-inform how the NRC assesses the risk of common cause failures.

16 MR. WILMSHURST: I'm very fortunate, I have my phone-a-friend 17 here today, Matt Gibson, who is one of my staff. I'd like to ask Matt to come to the 18 microphone and address that one please.

19 MR. GIBSON: Hello, greetings.

20 COMMISSIONER CAPUTO: Good morning.

21 MR. GIBSON: So to that question, if you could put the slide up, I just 22 want to talk a little bit --

23 CHAIRMAN SVINICKI: Could I just ask that you, other than knowing

35 1 that you're Neil's friend, could you just state your name and your affiliation, please.

2 MR. GIBSON: Well, I was hoping to remain secret. My name is Matt 3 Gibson with the Electric Power Research Institute. So if we look at the slide, what we're 4 really talking about is that the reliability of a digital system really is stratified in basically 5 three levels, platform, integration, and application.

6 So, many times, when we talk about software common cause failure, 7 what we're really talking about is implementation errors in the platform. That's been a 8 big focus, you know, testing, you know, at greater levels of decomposition.

9 So what this OE, though, tells us is that most of the common cause 10 failure, and there are common cause failures, happen at the application level, where 11 someone has mis-selected their sensor inventory, or they've programmed their 12 application, a design problem, not to properly account for the different built-in 13 application-level redundancies.

14 So this is what is this OE is telling us. When we look at it we do see 15 common cause failures in a common sense of that term. But they're really not down in 16 the platform, they're typically in the integration and application level. And that's where 17 your functional diversity really helps you. So that's, so any other elaboration on that?

18 COMMISSIONER CAPUTO: No, I guess I have no further questions.

19 MR. GIBSON: Thanks.

20 COMMISSIONER CAPUTO: Thank you.

21 CHAIRMAN SVINICKI: Thank you very much, Commissioner. And 22 next we will turn to Commission Wright. Please proceed.

23 COMMISSIONER WRIGHT: Thank you. Good morning. This is a

36 1 really great topic, I mean it's very interesting. I mean, you've gone to some of the plants 2 out there, the old ones. I think you were at, you even ran Robinson at one time, I 3 believe, didn't you, Mr. Stoddard?

4 MR. STODDARD: I did, that's correct.

5 COMMISSIONER WRIGHT: Yeah. And you don't look old enough 6 to have run it. It's an old plant and I'm also at Peach Bottom as well last week. And I 7 mean, they're old, and so we know they're, they can be run safely and stuff.

8 What amazed me about those is, I mean, they're analog and you've 9 got young kids coming in there out of college, you know, becoming operators, and 10 they're running an analog system. And you know, they're in a digital world. So, for the 11 future, we really need to get there, you know, to attract people to come to this, to work 12 and to run these plants safely.

13 So since there are some questions that already have been asked and 14 answered, I'm going to go back to a previous meeting that we had here. And it was in 15 last fall, Dr. Thomas from MIT came and he spoke very passionately about the need for 16 testing.

17 And he pointed to a real world example where engineers were given a 18 digital system with a known flaw but they weren't told about it. It was a bit of a blind 19 test. They analyzed the system using a specific tool designed for it to catch the errors.

20 And not only did they find them, they found them quickly.

21 So in my mind, when you're talking about tools designed for, to find 22 problems with digital I&C, as a regulator, I can get on board a whole lot quicker if you 23 can show me real world examples where those tools have been used effectively.

37 1 So my question would be, to you, is this type of approach being used 2 actively by industry currently? And can you point to some actual examples?

3 MR. STODDARD: Well, I mean, you know, we have installed digital 4 modifications. I mean, I've installed digital turbine controls at my power plants. And we 5 do extensive factory acceptance testing used recognized methodologies to go in and 6 make sure there are no, not only hardware flaws but software flaws. And those have 7 proven very effective, and we've had no software-related failures associated with those, 8 so we have used that.

9 When we talk about testing, the testing that is done is extensive, the 10 methodologies are very proven. What we're talking about is for some of these major 11 systems, is 100% testing under an infinite range of hypothetical conditions. I mean you 12 do sufficient testing to get the probability of failure down to almost an immeasurably low 13 level, and we do that.

14 Neil can talk in probably more detail.

15 MR. WILMSHURST: On the design aspect, I mentioned briefly in my 16 presentation a process we refer to as HAZCATs, which actually embodies the 17 systematic approach you just mentioned, Commissioner. And Mr. Gibson, who has 18 answered a question earlier, has actually been leading that work.

19 He's been working with our members in industry and NRC staff to 20 actually spread the understanding of the thoroughness and the detail within that 21 HAZCATs approach. And it is very much designed to do just what you mentioned, 22 actually getting people to look at the system and identify where those common cause 23 failures could credibly be. And then identify what actions, if needed, are taken beyond

38 1 that.

2 COMMISSIONER WRIGHT: Thank you. And I'm going to stay with 3 you for a minute, Neil. The -- we -- other countries have undergone digital -- extensive 4 digital I&C upgrades. I actually was in Japan and saw a plant and went and did it on 5 their own, the Takahama plant. And so based on your experience what's the biggest 6 difference between the NRC and some of our foreign counterparts in terms of how 7 they've assessed the safety of -- the safety case for digital I&C? Are there any best 8 practices that maybe you could share with us or something?

9 MR. WILMSHURST: That's a really good question, but a tough 10 question to answer. I think in some instances the regulator is just philosophically more 11 open to understanding the software issues and the need to move in a timely fashion 12 because of the issues you brought up about supply chain, the workforce issues and 13 maybe more embracing of just the broader software liability in other industries. And 14 particularly in Japan that's what we see, this kind of a culture which is more open to the 15 software.

16 But what we are seeing is even those countries are looking at what is 17 being developed with this Design Engineering Guide and asking us to come back and 18 help them re-look at their systems using this documented methodology because they 19 see that what is being developed can probably help them increase the thoroughness of 20 what they're already doing.

21 COMMISSIONER WRIGHT: So our mission is reasonable assurance 22 of adequate safety? And at -- where do you see that? In this arena in digital I&C 23 where is that sweet spot? Because I've heard you saying 100 percent. I've heard you

39 1 saying things -- and we know we're going to have common-cause failures. We're going 2 to have that in everything. I suffer from common-cause failures every day.

3 (Laughter.)

4 COMMISSIONER WRIGHT: So can you maybe help me a little bit 5 there. And I'm going to add onto the question a little bit while you think about it.

6 So risk people love data. They really love data. Is there enough run 7 time on digital equipment in areas that you've talked about to collect software 8 common-cause failure rates? And I ask because EPRI has played a key role in 9 collecting and analyzing failure rates in things like pipe rupture and mechanical 10 equipment. So are you, have you or can you be doing something like that in digital I&C 11 as well?

12 MR. WILMSHURST: In the digital I&C world there is very limited OE 13 from nuclear, and that OE which is there could sometimes be difficult to access because 14 of some of the sensitivity in some countries' let's say less than 100 percent reporting of 15 some events that potentially occur. That is why we went and looked at the 16 safety-related industry broader scope and came up with the data on reliability there.

17 Back to the issue of the common-cause failures, you're right, 18 everything will have a common -- every system will have potential common-cause 19 failures, and that's really where I'll defer to Doug maybe to get more of a -- in depth with 20 this. There comes a point where that assessment of common-cause failures needs to 21 be risk-informed so that the risk of that common-cause failure can be ranked against all 22 the other potentials so the resources and the actions are put in the right place rather 23 than just chasing to ground every common-cause failure.

40 1 MR. STODDARD: I'll just take that and then let Doug kind of wrap up 2 on that. You asked about the sweet spot and tied it to reasonable assurance. I mean, 3 it is exactly that third path that Doug talked about where in the totality of the way we 4 design, test, use, experience in these systems we get to the point where the probability 5 of any failure is reduced to such a low level that we have hit that sweet spot of 6 reasonable assurance.

7 MR. TRUE: Yes, and so I think I agree with everything that Neil and 8 Dan said. I think that if you think about 100 percent testing, by definition would say 9 you've eliminated. Diversity would eliminate a common-cause by having a diverse path 10 that would be -- wouldn't be subject to those things. So it's all about finding that 11 reasonableness of the third path.

12 And I think that we have a lot of experience. I think that some of the 13 EPRI work from operating experience and NRC work in this area have given us the tools 14 we need. And that's the whole point of needing to divine what we've done that's 15 sufficient to make the likelihood low enough in this guidance. And that can be BTP 7-19 16 or it can be some other guidance, but it's about defining what that reasonable level is.

17 And I think the tools are there. I think the methods are there. I think 18 the expertise is there in the industry and the NRC to do that, but our job is to get that 19 down on paper so it becomes a predictable path.

20 COMMISSIONER WRIGHT: If I might, I want to -- I'm going to take 21 the opportunity. I need to ask one other question, Madam Chair.

22 So we talked about the pilot; the Chairman brought it up, and in a way 23 to me it's almost like making a Reese's Cup. You all are -- you got the chocolate; we

41 1 got the peanut butter. Trying to figure it out. So in a pilot situation how do you -- how 2 would you foresee that coming together? Because I know on -- from a licensee's point 3 of view and position you're looking for certainty and you're looking for not being drug out 4 and cost and all those kind of things. So how would you see that partnership taking 5 place in a pilot, because it would have to be a partnership I would think of some kind.

6 MR. TRUE: Yes, it would have to be a -- I think somebody used the 7 term collaboration, and I think we have -- we're in a good place for doing that. I think 8 the challenge is finding the licensee that's in a position where they are willing to go 9 forward and willing to take the resource risk associated with going forward in that pilot.

10 That resource risk might be able to be offset by some sort of external funding or it might 11 be able to be offset by a need from that utility. I would depend upon the circumstances.

12 I think on the other side I think having NRC resources focused on this 13 so there's some clarity about how long this is going to take, because our experience has 14 been this could be a very -- it has been a very long iterative process.

15 So I think those are the two kind of pieces we have to come together.

16 I don't have a formula I'm ready to speak to how that actually works, but finding the 17 willing utility and a way to make sure that they're not just pouring more money into 18 something that ultimately could fail I think is going to be one of the challenges 19 associated with that.

20 MR. STODDARD: And I would just agree absolutely with what Doug 21 said being one of those utilities potentially in that position who has an interest in moving 22 forward with major digital I&C upgrades for subsequent license renewal. I think he's 23 kind of hit the nail on the head there.

42 1 COMMISSIONER WRIGHT: Thank you.

2 CHAIRMAN SVINICKI: Well, thank you again to all our panelists. I'll 3 just -- I'll say this because I don't want to lose the thought, but my audience is really my 4 colleagues on the Commission. As I prepared for this meeting I had the same thought 5 that I might have benefitted from flipping the panel order. So I'm sorry I didn't talk to 6 anybody, but we should keep an open mind, because often we set these in advance.

7 But when you prepare for the meeting, you have a different view, like maybe I'd rather 8 have the NRC staff go first. So we should always maybe be open because it would just 9 perhaps be an inconvenience on the external panelists to sit in the room a little longer.

10 But other than that, it shouldn't cause too much disruption. So I just wanted to say that.

11 So we will take a break until 10:16 and we will resume promptly. We 12 will reset for the other panel. Thank you, all.

13 (Whereupon, the above-entitled matter went off the record at 10:11 14 a.m. and resumed at 10:15 a.m.)

15 CHAIRMAN SVINICKI: I would like to call our meeting back to order.

16 And if the staff presenters would please take their seats at the table and others would 17 resume their seats as well?

18 So we will now hear from the NRC staff on related topics that we just 19 heard from our external presenters. And I will begin by turning it over to our Executive 20 Director for Operations who's still paging through her pages, so I'll talk very slowly, 21 Margie Doane. But then she will -- the staff will just please hand off to each other in the 22 order in which they've agreed amongst themselves.

23 So, Margie, please kick us off.

43 1 MS. DOANE: Okay. Good morning, Chairman and Commissioners.

2 Thank you for the opportunity to share with you the actions we are taking to develop a 3 better regulatory approach to digital instrumentation and controls, or digital I&C.

4 So first I want to -- I think I can cut short my introduction because I 5 think that the first panel -- the discussions were -- we're largely aligned and in the sense 6 that we think that we are -- I think Mr. Stoddard, he said we're near the finish line. They 7 feel like there is a stall. We see that as predictable, in any very difficult challenge that 8 you are going to move along and you're going to have issues that come up.

9 And the main thing that we want to show today is that we have a 10 different mindset and a different -- a more focused approach to looking at areas where 11 we can build upon experience and that this is going to help us find solutions that were 12 not available to us before. And I liked that I heard near the finish line. So maybe I'm a 13 glass-kind-of-full kind of person, but that's how I approach it.

14 And on the particular issue that was raised several times about the 15 common-cause failure, you're going to hear today from the speakers about those issues.

16 So I'm not going to take a lot of time in my introduction, but I do want to make sure that 17 I have made the point that we do have a new mind set and that we understand the 18 sense of urgency and that we have leadership focused on this issue, from me, from the 19 team that you see here and I know on behalf of the Commission.

20 Okay. So now let me introduce the staff who's at the table. We have 21 Ho Nieh, Director of the Office of Nuclear Reactor Regulation. Ho will be discussing 22 recent accomplishments and you will hear several of the issues that were raised in the 23 last panel. And that's probably obvious since some of the staff slides were shown.

44 1 (Laughter.)

2 MS. DOANE: So we understand where the Commission is focused, 3 so that will be helpful to moving the issues along.

4 Eric Benner. He's the Director of NRR's Division of Engineering, or 5 DE, as you'll hear us refer to it. And he's going to discuss the detailed priorities and 6 again touch on some of these issues.

7 And then we have Brian Thomas. He's the Director of Research's DE, 8 Division of Engineering and he'll discuss the supporting research activities.

9 So I'm going to turn the presentation over to Ho.

10 MR. NIEH: Thank you very much, Margie. Good 11 morning, Chairman. Good morning, Commissioners. I thought since we presented 12 most of the staff slides already we could go right to questions, but I guess we're not that 13 fortunate.

14 So I'll be speaking from slide 4, if you could put that on the screen 15 here.

16 The NRC staff have been working and engaging with the industry to 17 address the high priority challenges and improving the digital I&C regulatory framework.

18 And this is a top priority for NRR and we are approach this, as Margie said, with a 19 risk-informed mind set and an enabling mind set to further enable the safe use of digital 20 technologies at nuclear power plants. And it's very clear that our mission is focused on 21 reasonable assurance. This is not a zero-risk activity that we're moving forward on 22 here.

23 So since we last briefed you in October of last year the NRC staff had

45 1 revised ISG-06, and Revision 2 to ISG-06 contains an alternate review process that we 2 think offers greater clarity and predictability as well as improved efficiency in the review 3 of a major digital upgrade such as what you might see for a reactor protection system or 4 an engineered safeguard features actuation system.

5 So what I'm showing on the slide here is an overview of the alternate 6 process compared against the traditional process, which the traditional process is still 7 available to be used. And I'll just highlight some of the key points on the alternate 8 review process.

9 So I'd first like to note that the alternate review process would have a 10 one-step submittal to the Agency rather than having two separate submittals. And we 11 would receive that submittal at a more mature stage of the design process. And this will 12 help minimize the necessity to deal with any complex design issues during the licensing 13 review.

14 The other thing I'd like to point out here is that the process is more 15 performance-based. We would be leveraging NRC vendor and regional inspection 16 activities to do confirmatory checks during the implementation and installation phase 17 after the regulatory decision is issued. So we really think that this alternate process 18 here would afford much more timely regulatory decision. We think it is providing the 19 clarity and predictability that you heard is desired from the external panelists here. We 20 just need the opportunity to test this. And we really want to exercise this process at 21 some point in time in the future and I think something like a pilot that was discussed in 22 the previous panel makes sense to me.

23 If we can go to the next slide, please? As noted in the earlier panel,

46 1 there was success with the supplement to RIS 2002-22 which provided information on 2 how to apply 50.59 for digital mods, specifically in the area of doing evaluations for 3 common-cause failure likelihood. The NRC staff is aware that many licensees are 4 using that guidance today to make modifications to systems at their sites to improve the 5 reliability of those systems and also to combat obsolescence.

6 I had some examples shown on the slide with pictures. Licensees are 7 installing digital systems to improve their control functions for safety-related chillers as 8 well as voltage regulator controls for emergency diesel generators. And also they're 9 making digital modifications to many secondary side systems, all using the RIS 10 information.

11 Last year we had mentioned to you that we had done over a dozen 12 workshops to help train folks on using the RIS. We did those all across the country and 13 we think that's paid benefits now. Right now the current focus on the RIS is to provide 14 training to our Regional inspectors so that we have consistent oversight in the 15 application of 50.59 for digital modifications.

16 Go to the next slide, please? As noted in the earlier panel, there is an 17 issue related to the Nuclear Energy Institute's guidance document for applying 50.59.

18 this is Appendix Delta to NEI 69-07. They had submitted that to the NRC for review and 19 endorsement back in December of last year. We provided formal comments to the NEI 20 on this document. We do think the document provides a clear and flexible framework 21 for going through the 50.59 screening process. We also think that the content of the 22 guidance document does provide a very effective way to evaluate the potential for 23 common-cause likelihood. There is that one exception that was noted earlier. This is

47 1 where we're at the five-yard line. We do want to get the ball across the goal at some 2 point in time and we're treating that issue, that exception with that specific criterion with a 3 very high priority.

4 I do want to note that this exception that we have on that issue in 5 Appendix Delta of the NEI guidance document doesn't affect at all implementation of the 6 RIS. I mean, we think the RIS can still be used effectively to do 50.59. It's just, as Mr.

7 True mentioned, the interpretation of that criterion that was shown on the slide.

8 Next slide, please? This is my final slide. The picture up here, it's 9 very busy and it's intentionally busy because it's to show you the complexity of the 10 regulatory framework for digital instrumentation and control. You can see on the screen 11 there there's a lot of regulations and guidance documents that are in this framework here 12 and the things that are highlighted in green are all the regulatory guidance documents 13 associated with software control and testing.

14 As we keep looking for ways to improve the framework, this is just one 15 possibility of another area where we can potentially consolidate some guidance, reduce 16 some duplication in the guidance to help smooth out that pathway to further enabling the 17 safe use of digital technologies.

18 Now we haven't taken steps to do this. We're working on some other 19 high-priority areas here. So the point just here is just to show you that there is room for 20 further improvement in the regulatory framework and we're open to feedback on the 21 areas that we would consider high priority to work on going forward.

22 So that would conclude my part of the staff's presentation. I'd like to 23 turn it over to Eric Benner.

48 1 MR. BENNER: Thank you, Ho.

2 Good morning, Chairman and Commissioners. So with our 50.59 3 guidance updates nearing completion, and as Ho said, the ISG-06 providing a 4 streamlined review process for license amendments, we're now focused on updating our 5 core technical guidance, BTP 7-19, to incorporate a more risk-informed graded approach 6 and evaluating common-cause failures and associated defense-in-depth and diversity 7 analyses, commonly called D3 analyses.

8 Our concept for this approach leverages a categorization scheme that 9 considers whether systems are safety-related or not and their safety significance, and as 10 depicted on this chart, which you've seen before.

11 We expect that using this categorization scheme would result in 12 license amendments required only for systems that are both safety-related and 13 safety-significant identified as A1, and we would consider the logic portion of the reactor 14 protection system to fall into this category. While the categorization doesn't require 15 PRA inputs, it would be flexible enough to allow licensees to incorporate PRA inputs.

16 We had public meetings on this topic as referenced by the industry in 17 January and April to discuss our approach and get stakeholder feedback. As a result, 18 one significant change we made to our proposal was for the systems that D3 analyses 19 would be required for. We had originally had talked with industry that D3 analyses were 20 required for a broad range of systems, but they could be graded based on safety 21 significance, and the feedback we got, particularly in the April meeting, was; and again, I 22 think this aligns with the comments you heard from the panel on increased clarity is 23 important, that gradation -- it was not clear how a licensee when doing that analysis

49 1 would really grade their D3 analysis.

2 So with that feedback we aligned with the industry that D3 analyses 3 would only be needed for the A1 systems. And for the other systems, particularly since 4 they likely could be done under 50.59, the qualitative assessment as documented in the 5 RIS would be sufficient. And even if through some quirk of the individual plant's 6 licensing basis they had to come in for a license amendment, that would still be the right 7 level of detail and analysis to approve the request.

8 So and regarding the third way that NEI mentioned, what we heard in 9 our April meeting and today's presentation; and I think as you poked on this the 10 messaging was similar, we do think our proposal on the BTP and what we've heard from 11 about the third way are compatible and we specifically think that the third way could 12 provide for a finer gradation of what analysis would be needed in that A1 category.

13 Next slide, please. This slide also got attention and that was by 14 design. We understood that this would be somewhat provocative, but I do want to talk 15 about these items.

16 So through interaction with our stakeholders we were aware of what 17 we would call some mis-perceptions on what is required by the staff for digital upgrades.

18 So we've taken on the additional responsibility to clarify these items, so I list three here, 19 and I would just say that the staff does not require a diverse actuation system, either 20 analog or digital. Licensees' D3 analyses can and have taken credit for any available 21 means to address the potential for common-cause failure, including manual operator 22 actions or reliance on other existing systems such as ATWS systems required under 23 50.62.

50 1 We do not require 100 percent testability to address common-cause 2 failure. The BTP allows for this, and this was particularly put in place as an option for 3 very simple systems. So it is not way related to complex system. And the BTP 4 explicitly allows for segmentation of systems, so there may be some parts of systems 5 that are simple enough that 100 percent testability would be adequate.

6 And the BTP 7-19 is technical guidance for us in conducting our 7 licensing reviews, so we don't have any linkage to it for 50.59. We understand that 8 there is a reference to the BTP in NEI-0101, which could cause some confusion, but I 9 think particularly with the advent of the RIS, the most recent version of the RIS, I think 10 we make it more clear what level of analysis is required for a 50.59. So we intend to 11 further clarify these positions in the revision to the BTP and as we have our continuing 12 dialogues with stakeholders.

13 Next slide, please. I was pleased to hear all the dialog about the use 14 of IEC standards. Shifting gears we continue to support the use of IEEE standards, but 15 consistent with our messaging in a recent congressional report we're open to other 16 approaches. One such approach is greater use of the International Electrotechnical 17 Commission, or IEC standards. We note that IEEE also supports this through issuance 18 of joint logo standards under both the IEEE and IEC banners.

19 So our initial thought was to do a broad endorsement of the IEC 20 standards. This was also a subject of our April 4th meeting. But as we dialoged with 21 stakeholders the feedback we got is it would be better to pick a particular more finite 22 problem and try to address that problem. So with that, particularly with vendor feedback 23 that the IEEE standards in the area of software reliability and development may be too

51 1 restrictive and that the IEC standards may provide a better approach to reasonable 2 assurance, we're looking at a tighter project to endorse a subset of the IEC standards 3 that would be related to software development.

4 Additionally, we heard a lot about what was called third-party 5 certifications. It's also called safety integrity level certifications. That's also embodied 6 in the IEC standards and that would be an area that since vendors go through those 7 certifications, particularly for the products they sell internationally, if licensees could 8 leverage those certifications as they do commercial-grade dedication of equipment, that 9 would likely open up the door to different pieces of equipment being used by industry.

10 So we believe that industry is going to be ready to meet with us in the 11 next two months on that topic and we look forward to that discussion. And with that, I'll 12 turn it over to Brian.

13 MR. THOMAS: Thank you, Eric. Good morning, Chairman and 14 Commissioners. Thank you.

15 The Office of Regulatory Research is fully supporting the Agency's 16 effort to improve the digital I&C regulatory infrastructure. Our staff has been imbedded 17 within the activities that were addressed by Hoe and Eric. The approach has been very 18 beneficial for Research staff to understand firsthand licensing challenges which help 19 shape our research program and ensure our resources are judicially used.

20 Our goal is to support effective regulatory decisions for new digital 21 technologies and new licensing approaches as the industry pursues plant modernization 22 for operations up to 80 years. As shown here on this slide, we are actively supporting 23 NRR on user need requests to address key issues related to digital I&C. These

52 1 research activities are intended to provide a strong technical foundation for future 2 improvements and transformation of the regulatory infrastructure.

3 For example, we are currently examining the use of emergent 4 technology such as imbedded digital devices. Our current regulatory guidance is 5 predominantly based on computer systems and software. Imbedded digital devices are 6 here now. These are small special purpose I&C components that may be contained 7 within larger ones including electromechanical components such as pumps and valves.

8 You can find them in common day household items like coffee makers and washing 9 machines. They're used in I&C replacement parts at nuclear power plants and in the 10 newer monitoring equipment installed in the plant. As part of our research we are 11 surveying the scope of the use of nuclear power plant equipment, evaluating their 12 benefits and improved reliability and identifying any unique regulatory challenges 13 associated with their use. This will lead to opportunities to improve our regulatory 14 infrastructure for digital I&C as this technology becomes more prevalent.

15 In our research on common-cause failure we are canvasing the 16 industry to gather information on CCF events experienced. We will examine root 17 causes of such events and determine what can we use as potential acceptance criteria 18 for evaluating licensees' and applicants' proposals for addressing vulnerabilities to CCF 19 on digital systems? Our research will identify and evaluate and digital I&C failure 20 modes and mechanisms, CCF operating experience, and use of defense-in-depth and 21 diversity, as well as other methods to reduce digital I&C CCF likelihood or impact.

22 We're also working with NRR to develop a new research activity to 23 evaluate software and digital I&C operational experience, which we heard so much

53 1 about from the external panel. Specifically, we will evaluate various types of software 2 used in the various digital systems installed in nuclear facilities. Then we will examine 3 the scope, nature and trends of any associated events to determine whether there are 4 any insights to enhancing our regulatory infrastructure.

5 Next slide, please? NRC staff also coordinates with other 6 organizations' research activities as appropriate within our regulatory responsibility. We 7 remain cognizant of DOE's Light Water Reactor Sustainability Program and their efforts 8 to address plant modernization with digital technologies. DOE is focused on 9 state-of-the-art common control room -- state-of-the-art control rooms for improved 10 operator reliability.

11 This is a picture of Idaho National Laboratory's human systems 12 simulation laboratory. Staff from Research and NRR recently visited the laboratory.

13 We provided insights on regulatory issues and DOE's strategic research plans for plant 14 modernization.

15 DOE is also focused on deployment of digital equipment for effective 16 monitoring. For example, DOE is sponsoring work to maximize the benefits of online 17 monitoring and I&C systems. This work could be used by licensees to reduce 18 surveillance activities and extend calibration intervals of I&C equipment. NRC will be 19 ready to review topical reports that may be produced from DOE research and has begun 20 to engage industry officials on future plans.

21 In summary, we will coordinate with DOE research efforts as 22 appropriate and will stand ready to address regulatory issues that arise from DOE's plant 23 modernization efforts.

54 1 Next slide, please? Collaboration with international research 2 organizations and standard development authorities is also critical to a modernized 3 regulatory infrastructure. Shown on the left of this picture we collaborate with Halden 4 Research Project digital research activities. This is led by a large consortium of 5 international participants with a strong focus on I&C designs and human interfaces with 6 digital.

7 We participated in a Halden international workshop held here during 8 the RIC. We focused on common-cause failure challenges and various approaches of 9 regulators in making the safety cases for digital implementation.

10 We hope to further engage the Halden Consortium to define additional 11 research in the areas of digital architecture and human factors to directly benefit NRC's 12 oversight of the next generation of digital designs.

13 Finally, NRC staff engages with the International Atomic Energy 14 Agency in the development of standards and guidance. NRR staff also chairs the 15 NEA/CNRA Working Group on digital instrumentation and control. These activities are 16 becoming increasingly important. Plants are undergoing modernization in several 17 countries as was spoken to earlier and digital I&C is of course a global business.

18 Licensees of the U.S. plants seek options for using a global supply 19 chain that relies upon internationally-accepted design practices and approaches.

20 Regulatory efficiencies can be gained by all countries to the extent we can follow 21 common design approaches and standards for ensuring safety.

22 I will now turn it over to Ho.

23 MR. NIEH: Okay. Thank you, Brian.

55 1 I think there's a next slide, please? So what does success look like?

2 I think we've heard certainly from external stakeholders and even underscored by the 3 staff's presentation that there are some key issues that we're trying to address in the 4 regulatory framework. And we're putting things in place that will help us get to success 5 in the future. So when I think of what success looks like, we're showing some slides 6 here of the Shippingport reactor circa 1957.

7 And, Commissioner Wright, you mentioned you've been to some 8 plants recently that look old. Plants that were designed in the '60s licensed in the '70s, 9 which is the majority of our fleet today, they don't look that different from the 10 Shippingport plant. So in my mind what success would look like if we can leverage the 11 things that we've done today, all the effort and energy that's been put into the 12 coordination between NRC and the industry to see plants looking more like the plant on 13 the right. But as pointed out in the earlier discussions, we need the opportunity to be 14 able to test what we've put in place to be able to do things like that.

15 So with that I'd like to turn it over to our Executive Director for 16 Operations to close out the meeting.

17 MS. DOANE: Slide 15, please? So let me wrap up by saying that 18 making progress on digital I&C issues remains a very high priority for me and the NRC.

19 We continue to make progress, but we will continue to interact with the industry and 20 public to ensure our guidance documents are clear and can enable the use of digital I&C 21 systems in a manner that protects public health and safety.

22 We'll carry out the digital I&C Action Plan. Thus, at the same time we 23 are making progress on the shorter-term tactical activities that you heard about in the

56 1 presentations. We're planning for a more thorough modernization effort of our digital 2 I&C regulatory infrastructure. I'm confident that our renewed focus will drive our 3 success in finding safe and secure solutions today that were not available before.

4 Our progress has been a concerted agency effort. I would like to 5 thank the staff in the Office of NRR, NRO, Research, the regions and the Office of the 6 General Counsel who have worked diligently on these issues, and I think we've 7 demonstrated progress even from our meeting that we last had in October of 2018. So 8 I'd like to thank all of these offices for helping us move this along with the urgency that I 9 opened up with.

10 This concludes our presentation and we look forward to your 11 questions.

12 CHAIRMAN SVINICKI: Well, my thanks to each of the staff 13 presenters and to all of our colleagues who helped you to prepare for our meeting here 14 today.

15 Ho, I'm going to go back to one of your popular slides here, slide 4.

16 And if we'd put it up, that's fine, but let me just say that when you were verbally 17 describing, Ho, the change between this alternative review process and the traditional 18 review process one of the things that you stated was that the concept is that NRC would 19 receive the licensee submittal at a stage of greater maturity, and I assume that to mean 20 kind of maturity in terms of design detail about the proposed modification or digital 21 upgrade.

22 Now there's always in large engineering projects this tension between 23 kind of finalizing a lot of things before you go through approval processes. Often things

57 1 have like 30 percent design complete and 60 percent -- there's different kind of project 2 management concepts about how to move forward.

3 If the regulator receives something that has a lot more fidelity on it, of 4 course I would view that as then the person submitting it; the licensee in this case, would 5 be the one to have taken on the risk of perhaps having in a design sense gone far down 6 the road on some concept that the regulator has not reacted to and might have an issue 7 with.

8 How would the staff -- if you agree that that is the tension that exits 9 here, how would the NRC staff propose to kind of address that dynamic tension?

10 MR. NIEH: So I would agree that that tension and dynamic does 11 exist. And the detail I didn't go into in the ISG is that there would be a significant 12 amount of preapplication discussions with the applicant that would help kind of resolve 13 some of these issues before the application comes in.

14 And also another detail that I didn't point out in looking at the 15 comparative processes is that we would still look to have an applicant reference an 16 approved topical report. And so going through a topical report review would provide a 17 significant amount of technical discussion and dialog. And then that in combination with 18 the pre-application discussions hope to get us to the point where we receive a somewhat 19 more mature licensing amendment application at a later stage in the process.

20 CHAIRMAN SVINICKI: That's very helpful and I just -- because you 21 didn't mention it I know things like referencing approved or reviewed NRC -- or topical 22 reports that NRC has reviewed and concurred in and having pre-application engagement 23 are certainly practices that we use on other complex licensing matters that come before

58 1 us. And I appreciate the staff thinking that those would need to be operative here as 2 well.

3 I could even envision a concept or a time in the future when there 4 would be enough approved topical reports that they could be -- there would be a generic 5 body of work on this that multiple vendors of digital I&C would have available and could 6 know -- or in a regulatory sense acceptable concepts too so that over time you could 7 grow that into a very significant I think enabler of the ability to design these systems and 8 maybe some of the tension and the risk shifting between the licensee and the regulator 9 would become less of an issue over the course of time.

10 So thank you for that.

11 Eric, on your slide 9, which was also a very, very popular slide, one of 12 the statements you made as that Branch Technical Position 7-19 is technical guidance 13 for the staff, and it isn't binding in the way a regulation is, but would you acknowledge 14 that some of the complexity of that though is that if you are submitting something for 15 review by a regulator, if they've published something and said this is acceptable, that if it 16 doesn't drive you towards that kind of proposal, it certainly gives you a considerable 17 notion that if you proceed in some alternate way things will be at risk?

18 And particularly if something -- if I were submitting something -- I just 19 recently renewed my driver's license, so I went in, and you always feel a little at risk, like 20 they're going to find some flaw, even though I have a -- I would hope would be 21 comparatively a pretty good driving record, but you just never know. It's the vagaries of 22 that person at the counter when you go up there. So if you knew that that individual had 23 a checklist of things that you -- would pass you or fail you in terms of renewing your

59 1 driver's license, you sure would pay a lot of attention to the instructions that person was 2 working from.

3 So I just -- from you do you acknowledge kind of that where we can 4 provide additional clarity even in documents that aren't binding to regulated entities it's a 5 key indicator for them of kind of minimizing their risk?

6 MR. BENNER: Absolutely, Chairman, and I would say that -- I would 7 make two points to emphasize that: One was the 50.59 or not? So a 50.59 wouldn't 8 be submitted to the NRC. So we wanted to make that point that that's a dividing line on 9 the BTP, right? It's -- for whatever it's used for, it's only for submittals. And we did try 10 to reemphasize that in the RIS to say here's what you would need to do for 50.59. So 11 we -- like I alluded to, we accept our complicity in the mis-communications, right? We 12 realize clarifying and reinforcing and understanding how people may be misinterpreting 13 our words and refining our words to avoid those misinterpretations is on us.

14 CHAIRMAN SVINICKI: Okay. And I appreciate that and I wasn't in 15 particular picking that scab. This is just something that's been on my mind because as I 16 think about our transformation efforts and I think about the NRC staff people that maybe 17 in the not too distant future would have submitted an advanced reactor design, I think we 18 have kind of processes and methods that have served us so well when we're regulating 19 100 of very similar things. But the future for NRC might look a lot like we're regulating a 20 handful of 50 different designs that present us with a lot of novelty.

21 One of the things that has served us so well is Standard Review Plans 22 as guidance. And again, I think that the resources we pour into that when we're 23 regulating 100 large light water reactors or 100 things that have a lot of commonalities,

60 1 guidance is such an efficiency gain.

2 But I've been thinking about going forward. Do we have the luxury 3 always of trying to have exquisite guidance when we might only have to make a handful 4 of threshold determinations about how some novel system operates in an integrated 5 system that also looks very different? So both the component and its function within a 6 design that looks really different than what we're familiar with. If we only have to do that 7 a handful of times over the course of five years, maybe putting a lot of effort into 8 guidance -- and again, it's not -- I'm not condemning guidance. Guidance plays a very 9 important role.

10 But these are the moments when I realize how substantial the 11 transformation work is, because you really even need to look at the things that made you 12 successful in the past. You might want to invest in other tools and things and people 13 may need different training and different ways of going about things. So that's just a 14 moment of profundity about transformation, I guess.

15 And so getting to that, Brian, I wanted to note that you touched on a 16 topic that has also kind of been on my mind. And I always have these very folksy 17 examples, but you talked about imbedded digital devices and then special purpose I&C 18 components.

19 Now my folksy example is that I'm nerdy enough to work here; and 20 here's my qualification card, is that I like having an atomic clock at home. You know 21 those ones that synchronize to the standard? So I'm very, very precise on what time it 22 is.

23 But I went to replace one that had kind of faded and I found out that I

61 1 had to get all this functionality that I didn't want. I wanted one that performed the 2 function that I wanted and I ended up having to compromise and accept one that has 3 -- displays the phases of the moon. And I remember sitting there on Amazon and going 4 I'm not like a mariner in the 1800s. I don't really operate my day based on the phase of 5 the moon. I'm not a werewolf. So it's not really all that important for me.

6 (Laughter.)

7 CHAIRMAN SVINICKI: But the point was you couldn't get just the 8 things you wanted. And so to be serious for a moment, I think that a key supply chain 9 issue is this issue of you want something, you're a nuclear power plant operator, you 10 don't want the phases of the moon. But they -- and I think in industrial supply chains 11 they might actually hide that function. It might be in there, but it won't be -- because you 12 didn't put it on the spec sheet so they're not going to tell you it's in there.

13 And so this is -- is that something the staff's thinking about, because 14 supply chain to me is like it's obsolescence and then it's trusted suppliers, which the 15 military has really had to deal with that, and that gets into some cyber space. But then 16 there's also this extraneous functionality that you didn't want. Could you talk about that 17 for just a second?

18 MR. THOMAS: Right. Exactly. The technology, as I think you 19 alluded to, is advancing so rapidly and there are impacts with the supplier in terms of 20 advances and in technology. There are changes with respect to the vendors that are 21 marketing these different devices. And then of course you have changes in terms of 22 these devices being implemented and how they're used in the plant. So looking at 23 those three functions, if you will. But all to say there is a rapidly advance -- rapid

62 1 advancements in the technology. We are not -- we don't have a definitive sense of how 2 they're being utilized throughout the plants and then what -- and what components.

3 And so part of our effort is to canvas the industry, canvas other 4 industries to get a sense of what is that? How are these digital devices being utilized?

5 What are the -- what's the population of devices that we need to focus on that are more 6 frequently utilized in the plants? And then to look to see what's -- if there's any impact 7 on reliability of the function of the systems within a plant, that would be the population of 8 devices that we would focus on.

9 But we recently embarked on this effort. I think it's been going on now 10 -- this user need request work has been going on for close to nine months, maybe a 11 year. So we -- in fact we have one draft report from the -- from Oak Ridge, in fact, that's 12 working on this with us that we just received and we're in the review process with that.

13 CHAIRMAN SVINICKI: Okay. Well, thank you for that and I think 14 this will continue to be an interesting area for us as we move forward. And I would just 15 note that I've not found any reliability issues with the phases of the moon other that I just 16 have to look at it every time I check the clock and go, oh, I wonder if that means 17 anything in terms of an ache in my knee or anything else, just very unscientific.

18 And with that we will turn it over to Commissioner Baran.

19 COMMISSIONER BARAN: Thanks. It sounds like common-cause 20 failure is the toughest remaining digital I&C issue. We've talked about the effort to 21 revise Branch Technical Position 7-19. Can someone talk about the current status of 22 that effort, revising the BTP? Is the goal still to issue the revision next May?

23 MR. BENNER: Yes, we -- our plan is to have a draft available for

63 1 public comment by September of this year and the final by May of next year.

2 COMMISSIONER BARAN: And the January version of the action 3 plan discussed NRC reviewing NEI 16-16 for possible endorsement. Sounds like NEI is 4 not proceeding with 16-16, which was also guidance on common-cause failure. How if 5 at all does that impact your work on the Branch Technical Position?

6 MR. BENNER: It really doesn't. We had heard for some time that 7 NEI may make that choice. As I alluded to, we know there were changes we wanted to 8 make to the BTP. We have some comments from industry on changes they'd like to 9 make. We haven't seen a detailed documentation of their third way, but we believe that 10 some of the elements of 16-16 would be embodied in that document. And like I alluded 11 to, we believe that could provide for greater gradation on the level of analysis needed for 12 A1 systems. So we definitely can move forward with the BTP and we believe that from 13 everything we've heard on the industry's planned proposal that we kind of know how 14 those two things would sync up.

15 COMMISSIONER BARAN: Okay. So if we look at slide 8, which I've 16 presented, you've presented; it's a great slide --

17 (Laughter.)

18 COMMISSIONER BARAN: -- getting into kind of the envisioned 19 Branch Technical Position's graded approach to the level of analysis required, how far 20 along are you on understanding what would be involved in each of these boxes or 21 starting to think through kind of the staff's current views about what a D3 analysis would 22 involve versus a defense-in-depth qualitative assessment? Do you -- at this stage can 23 you talk about what you think the practical difference between those two levels of

64 1 analysis would be or are we not --

2 MR. BENNER: I would say the easy stuff is easy and the hard stuff is 3 hard. A little more meat on the bones of that. B2, where it says assessment may be 4 needed is really just about a case where a licensee would combine a lot of functions. In 5 all likelihood there would be no assessment needed there, but if there is a large 6 combination of functions, something more may be needed.

7 A2 and B1, like I alluded to, those would likely be all -- A1 or A2, B1 8 and B2 would likely be able to be done under 50.59, so we think something like the 9 qualitative assessment in the RIS Is the adequate level of analysis for those items.

10 A1, right, we've narrowed the scope for what a D3 analysis would be 11 needed for. So that is one change we're making, but even within the D3 analysis, 12 particularly with some of what we've been recently hearing and heard today, it's clear 13 that there needs to be clarity in what's a sufficient D3 analysis so we don't get analysis 14 by paralysis. It's easy to say, oh, you just need to do an analysis, but if there's not 15 clarity on what's good enough, that's an area that I believe we need to have some more 16 detailed discussions with stakeholders on to get clarity, potentially create some 17 templates, anything we can do to clarify what would meet the expectations in that 18 regard.

19 COMMISSIONER BARAN: So looking this chart, it sounds like you 20 think A2 and B1, the defense-in-depth qualitative assessment, that's really something 21 laid out in the 50.59 RIS?

22 MR. BENNER: Yes.

23 COMMISSIONER BARAN: And you're not envisioning the Branch

65 1 Technical Position doing something different there?

2 MR. BENNER: No.

3 COMMISSIONER BARAN: Okay.

4 MR. BENNER: There's some question whether we would even have 5 reference to that. In the BTP we explicitly asked industry to say, hey, if we just really 6 limit this to A1, should the guidance just be on A1? And if there's a unique licensee's 7 licensing basis that causes something to come over the threshold, we'll deal with that.

8 We don't need guidance. We'll deal with that on a case-by-case basis. Or would you 9 like the confidence of knowing for those lower safety-significant systems there is a lower 10 standard of review? We haven't definitively heard back yet which of those options 11 industry prefers. We're open to either.

12 COMMISSIONER BARAN: Okay. And so then I guess the open 13 question then really in terms of the current development of this Branch Technical 14 Position is what constitutes an acceptable D3 analysis?

15 MR. BENNER: Yes.

16 COMMISSIONER BARAN: And so if a licensee wanted to do a full 17 reactor protector system digital upgrade, that would put them in box 1.

18 MR. BENNER: Yes.

19 COMMISSIONER BARAN: Presumably. And what you're trying to 20 figure out now is how would the staff's analysis of that application under the revised 21 Branch Technical Position be different than the analysis you would do today?

22 MR. BENNER: I would say it's two parts. It's what clarity would 23 licensees have as to what to put in their --

66 1 COMMISSIONER BARAN: Okay.

2 MR. BENNER: -- application? And going back to what the Chairman 3 said, if the licensee knows there's a checklist the staff is using, they're probably looking 4 at that to say, oh, what do I need? So it is that coherence between clarity on what the 5 staff would use to make its finding and what we would expect to see in a licensee's 6 application --

7 COMMISSIONER BARAN: Okay.

8 MR. BENNER: -- including the D3.

9 COMMISSIONER BARAN: And before there was -- the idea was the 10 Branch Technical Position would be revised, and that's really the guidance to the staff, 11 your checklist, or however you want to call it. And then there was this idea that NEI 12 16-16 might be out there, which would be more guidance for licensees.

13 MR. BENNER: Yes.

14 COMMISSIONER BARAN: Is the idea now if there is no NEI 16-16 15 that this is really the guidance document for both Agency reviewers and licensee 16 submitters?

17 MR. BENNER: Strictly speaking it's still guidance for the staff, but as 18 the Chairman noted, anyone would look at it. We have in some of the interactions 19 talked to industry of if it would help, would there be benefit to doing a companion Reg.

20 Guide to make it very clear what the -- and again, I think that's still open to dialog 21 because if the NEI third way is the clear guidance for industry and they're going to use 22 that, it's again how many resources do you invest in just creating guidance documents if 23 the -- what you're putting together is adequate?

67 1 COMMISSIONER BARAN: Okay. And as you -- and I don't want to 2 get too into the weeds on this, but as you all are trying to figure out, well, what are you 3 -- what constitutes an adequate diversity and defense-in-depth analysis, what do you 4 see as the biggest challenges to figuring that out over the next 12 months? I mean, are 5 there obvious sticking points there? Are there philosophical disagreements? Are there 6 --

7 MR. BENNER: I don't think there are philosophical disagreements, 8 and particularly with what we heard today I think this is a matter of segmenting the 9 problem, because as the D3 analysis is now constructed it has you go through different 10 accident scenarios. And I think it's a matter of having -- and a pilot would be very 11 helpful in this regard because we could step through that methodically. Because for 12 each of those scenarios it may be a different answer.

13 It may be manual operator actions is how -- why this scenario isn't a 14 problem. It may be that testability is why this scenario isn't a problem. It may be why 15 even the consequences of a failure of the system in this scenario isn't a problem. And I 16 think as we -- when we generalize and try and lump it all together as a D3 analysis, we 17 don't get to have that dialog. But if we could step through what are the different 18 scenarios and what is the way to address common-cause failure for that scenario, it 19 would allow for some good learnings for both the staff reviewing, the industry proposing 20 and the guidance documents under development.

21 COMMISSIONER BARAN: Separately you talked about potentially 22 endorsing IEC standards. How would that work with the IEEE standards that are 23 currently incorporated in NRC's regulations?

68 1 MR. BENNER: The short-term plan would be a Reg. Guide, which 2 could show that the IEC standard could be an alternative to the standards currently 3 incorporated by reference.

4 COMMISSIONER BARAN: And is that basically the idea behind a 5 Reg. Guide like that? It would say if you meet the IEC standard, that means you meet 6 the IEEE standard because X, Y and Z given that the IEEE standard --

7 (Simultaneous speaking.)

8 MR. BENNER: You'd have the benefit of an alternative in -- the 9 alternative provisions in the reg --

10 COMMISSIONER BARAN: I see.

11 MR. BENNER: -- is you don't have to be quite that definitive.

12 COMMISSIONER BARAN: Okay.

13 MR. BENNER: It gives us some latitude to weave in more 14 higher-level reasonable assurance concepts instead of just making a one-for-one 15 correlation.

16 COMMISSIONER BARAN: So as currently written, the regulation you 17 think has sufficient flexibility for you to find --

18 MR. BENNER: Yes.

19 COMMISSIONER BARAN: -- IEC standard acceptable for use?

20 MR. BENNER: Yes.

21 COMMISSIONER BARAN: Okay. And then just briefly because I'm 22 running out of time; and maybe this is just something that can't be done briefly and we 23 just save it for a different set of questions, but can someone briefly just walk us through

69 1 the issue of disagreement on NEI 96-07, Appendix D? What is the sticky -- people have 2 said there's a sticky point. What is briefly the sticking point on that, the area of 3 disagreement?

4 MR. NIEH: I'll take a stab at it. I do think Mr. True in the previous 5 panel summarized the different point of view very clearly. It's exactly how I see it. It's 6 how you assess the malfunction of the system, structure, or component in terms of its 7 impact to what's analyzed in the FSAR. So to maybe go down into another level of 8 detail, it's talking about whether that malfunction effects what was analyzed in Chapter 9 15, the result of the failure, or the failure of the component itself.

10 So what we think is an appropriate next step to be able to see eye to 11 eye on how we're interpreting this Criterion No. 6 in 50.59 is to really sit down and walk 12 through some specific examples of what type of digitally-induced malfunctions we're 13 talking about and to get an understanding of how they're seeing that criterion in 50.59 14 versus how we're seeing it.

15 So I do agree that we can get there. It's just a matter of taking the 16 time and having more dialog on it. So I hope that helps.

17 COMMISSIONER BARAN: Sure. Thank you.

18 CHAIRMAN SVINICKI : Thank you very much. Next we'll hear from 19 Commissioner Caputo. Please proceed.

20 CHAIRMAN SVINICKI: I'd like to start by thanking the staff. This is a 21 complex issue with a complicated history and obviously takes a lot to prepare for a 22 commission meeting like this for yourselves and those that support you, so thank you for 23 that. I also want to thank Ho for his definition of success. I'm a firm believer and begin

70 1 with the end in mind, and I think the definition of success being the implementation, 2 predictable implementation, of major digital upgrades is clearly what I hope to see.

3 But in keeping with that definition of success, Mr. Stoddard on the 4 earlier panel mentioned the 1993 policy statement a couple times in the context of being 5 a hindrance. So Ho, is that a hindrance to actually achieving success? Is that 6 something that you believe you can reach success under that policy statement, or is that 7 something that needs to be revisited?

8 MR. NIEH: Thank you, Commissioner. I read the policy statement last 9 night, and it had five guiding principles for addressing common cause failures, and when 10 I read through each one of them, in fact I spoke with Eric after reading them again, I 11 didn't view those guiding principles as being constraints in achieving success.

12 In fact, I actually read it in a way that would suggest that we can look 13 at alternate means to address common cause failures, that it was very clear in those 14 principles that the level of analysis that we're asking for needs to be commensurate with 15 the safety significance.

16 That rung very clear to me in those five principles, so I don't really see 17 that as a hindrance to getting to that success in the future where we have a clear, 18 predictable framework that can get to more digital modifications, particularly in the 19 grander scale rather than some of the smaller mods being done under 50.59.

20 COMMISSIONER CAPUTO: Okay. Ho and Eric, In his presentation 21 Mr. True indicates path forward on common cause failures remains a challenge for major 22 digital upgrades, proposes a third path, includes two elements - resolving when the 23 likelihood of common cause failures can be considered sufficiently low, and the

71 1 incorporation of operating experience.

2 These two elements also here to be addressed by Mr. Wimshurst. He 3 indicated that recent research using field failure data revealed no platform failures over 4 two billion hours of operation, and that cumulative nuclear operating experience from 5 across the world indicates a very high degree of nuclear digital system reliability.

6 So the status seems to inform at least in part, the likelihood of common 7 cause failure as well as providing operating experience. To what extent is it possible to 8 use this data in modernizing our decision-making?

9 MR. BENNER: I think it's very possible. I think start with the risks, 10 which admittedly is for lower safety significance systems that allows licensees to use 11 operating experience as part of the basis for, and defensive measures as a basis for 12 saying the likelihood of common cause failures sufficiently low. We haven't tackled that 13 for the highest safety-significant systems and we haven't seen in detail the research that 14 provided, so we would look at that.

15 I will say that for the highest safety-significant systems, I think there is 16 a desire for confidence and to understand even with that, in the presence of the 17 possibility of a CCF, what would happen next? So that, I mean the idea that you have 18 to have a DAS or testability, we don't believe that's the case but I think the D3 analysis 19 should look at what would happen if you had a common cause failure.

20 COMMISSIONER CAPUTO: I'm sorry, I guess I'm a little bit confused.

21 You mentioned that there's research that's missing in this area that you haven't seen?

22 MR. BENNER: Yes.

23 MR. THOMAS: If I can speak to that. We, though our research, we

72 1 are looking at operating experience. Through all the user needs requests that I've 2 identified, the embedded digital and the CCF and so forth, we are aware that EPRI has 3 some data, we're aware that INL is in custody of some data, we are collaborating with 4 them to look at the data, to look at the results of their analysis with respect to the data.

5 But particularly we want to look at it from the standpoint of what in 6 science could we glean in terms of establishing criteria for the evaluation of common 7 cause failure with respect a submittal, a LAR or any other venue that's addressed.

8 So it's sort of, from a research standpoint it's a trust but verify 9 approach. I do believe that after EPRI has done some work, INLs done some work, and 10 as I said we only recently embarked on this research, so that's part of the journey going 11 forward over the next year or so, just to acquire the data, look at the data, evaluate how 12 we can utilize the results of that data to help ensure our regulatory infrastructure.

13 COMMISSIONER CAPUTO: So we're only now starting to look at 14 operational experience?

15 MR. BENNER: With respect to digital I&C, from a research standpoint 16 we have been predominantly focused on the near-term, what I call the near-term tactical 17 activities, which is as Ho and Eric spoke about before, most of the resources have been 18 focused in that direction. So, yes, it's, with respect to digital I&C, and with respect to 19 those specific types of issues and concerns, we're only recently looking at the data.

20 What I've learned in this briefing too, from what I understand, there's 21 limited operational experience data out there with respect to CCF, is part of what I heard 22 from Neil, which was somewhat surprising but it's yet to be looked into.

23 COMMISSIONER CAPUTO: Okay, Brian, I'll stick with you because I

73 1 have other questions on research. Three years is a longtime for the NRC to start 2 looking at an issue like digital I&C and not reach resolution. Obviously research will have 3 been a heavy component during this time. Do you have any sense of how much money 4 has been spent on research?

5 Digital I&C?

6 MR. THOMAS: Over the 30 years, no. But I would say more recently 7 under the IAP, and with respect to the user needs requested I discussed, so far it's been 8 on the order of half a million dollars. That's what's been allocated to a specific user 9 needs request that we're focusing in on.

10 And my newly, the one on risk --

11 COMMISSIONER CAPUTO: Half a million?

12 MR. THOMAS: Yes.

13 COMMISSIONER CAPUTO: What, per year? Per --

14 MR. THOMAS: No, that's, excuse me, yeah. That's the total 15 allocation for both imbedded digital devices and CCF over a two-year period, so the 16 anticipation is we would complete this research by the end of FY 2020. And so that 17 amount is just for that time frame.

18 Now there was a user needs data that was identified in terms of risk 19 informing our regulatory reviews --

20 COMMISSIONER CAPUTO: Okay, I'm starting to run out of time, so I 21 guess I'm wrestling a little bit now with the fact of, given the size of the research budget 22 and given the importance of this issue, that sounds like a very, very small number, and it 23 sounds like we're pretty late in terms of looking at operation experience.

74 1 So I guess my question for you, Brian, is given Ho's definition of 2 success, do you have a plan for the research necessary to reach success, and do you 3 have any idea what that'll cost?

4 MR. THOMAS: So the plan for the work under current user needs only 5 extend through FY 2020. And it's from the standpoint of development of technical basis, 6 sufficient technical basis to inform any continued enhancements by regulatory 7 infrastructure. So at that time we would be, in my view, we would be better positioned 8 to establish criteria that can then be utilized for any future reviews. And then I say 9 criteria in terms of our guidance, red guides, SRP and so forth.

10 COMMISSIONER CAPUTO: All right, I'm going to shift gears. I have 11 one last question. Ho, as you mentioned, I think there's been other references to this by 12 the previous panel, there's often a race to be second, to implement something new when 13 it comes to nuclear. It's also been noted the industry has a lack of confidence with it 14 comes to pursuing license amendments for major digital upgrades. What's your plan to 15 rebuild that confidence?

16 MR. NIEH: Simply put, Commissioner, the plan now is to really have 17 the opportunity to exercise the processes we've put in place and building a little bit from 18 the conversation just before on research, my feeling at this point is that while the 19 research would certainly be helpful, I think we can make real progress with exercising 20 the process for a major upgrade without necessarily having the result of the research 21 that I think Brian was referring to. I think it would be helpful to have some better 22 technical data and information to deal with operating experience and common cause 23 failure. My personal view is the OpE, there's a lot out there and so on the external slides,

75 1 there was one bullet that talked about two billion hours worth of digital data that's out 2 there. It's almost obvious.

3 At this point I think really getting to the success is exercising the things 4 that we've already done, some of the things that Eric had discusses in using a graded 5 approach for BTP-719. We can do that. Going to a comment earlier, I think, from the 6 Chairman that talked about looking at different ways to conduct our reviews. I look at 7 what we did in the new reactor areas where we put a design-specific review standard in 8 place for the platform for New Scale.

9 These are things we need to be doing now, if we're going to be at the 10 precipice of receiving a major regulatory review application for a digital upgrade, we 11 need to be thinking differently in how we do our work and defining what the standards 12 are to meet the regulatory requirements, and that standard is reasonable assurance.

13 I think we have the capability to do that and the mindset to do that, we 14 just need the opportunity.

15 COMMISSIONER CAPUTO: Okay. So in your estimation, is the 16 research that's going on now and planned, I guess, through 2020, is it actually 17 necessary for you to make your regulatory decisions or is it superfluous?

18 MR. NIEH: I think it would be helpful to have that technical data, 19 particularly on common cause failure, and some technical analysis of the operating 20 experience.

21 COMMISSIONER CAPUTO: Okay. Thank you very much, and we 22 will next hear from Commissioner Wright, please take us home.

23 COMMISSIONER WRIGHT: Looking at my sundial. Thank you so

76 1 much for your, what you're doing in this area and for what you do for the NRC every day.

2 I appreciate you very much.

3 We haven't talked about the Purdue reactor, and I thought somebody 4 might have talked about it. We recently approved the license amendment for that 5 research reactor, approving the first ever all-digital system. Did we, were there any 6 lessons learned there? Have we learned anything from that, in reviewing the 7 application and how can we maybe apply some of this to the power reactors?

8 MR. NIEH: I'll take a crack at that and then maybe Eric can 9 supplement too. We looked at the Purdue review and it was done under a very different 10 regulatory framework. We use a NUREG-1537 for a lot of the licensing activities, so 11 then the level of complexity and the risk, quite frankly, was, they're very different than 12 what we would to employ at a commercial nuclear power plant.

13 COMMISSIONER WRIGHT: Right. Okay. I'm going to go back and 14 kind of follow up on Commissioner Caputo's line of questioning. We referred to Neil 15 Wilmshurst's slide from EPRI about the two billion hours of run time, and asking the 16 question about run time. Have we specifically tasked INL or one of the other national 17 labs to track this, or to build the data case for this, because it sounded like we're just 18 getting into it. Is that the case?

19 MR. THOMAS: So, yes it is. We've separated the task, the 20 embedded digital devices task is being orchestrated by Oak Ridge, but they are working 21 in concert with INL. The CCF task is an INL task, and so, yes, we are counting on INL 22 and Oak Ridge to access this data, wherever it is, of course in collaboration with EPRI 23 and also with some of the international entities also, to access the data and to do an

77 1 assessment of that data.

2 COMMISSIONER WRIGHT: So, to follow up on that criteria you just 3 mentioned the international partners and the people that are doing things outside the 4 U.S., are we making any concerted effort to learn from their experiences, because it 5 seems like they're outpacing us in a way. That's the feeling you get, so are we actively 6 looking at what's worked and what hasn't worked, and applying some of those things 7 that can be learned from their experience? I guess, are we documenting that?

8 MR. THOMAS: Yes, the answer is yes. We tasked Halden, through 9 its consortium, to be our outreach arm, if you will, through the international community.

10 And so that's a work in progress, we only recently received a draft report from them.

11 They've held a couple of workshops with several of the bigger 12 countries, if you will, to look at, similar to what we did in terms of respondent in the 13 Congressional report, on how do other industries do their licensing and their permitting.

14 Sort of a similar approach here. How do these other countries do their permitting?

15 Part of that task, too, is to then gather up all that information and help 16 us do a comparison with respect to how we do it, so we can look to see what nuggets, if 17 any, that we can extract from how the different countries do it and to what extent is it 18 applicable in our regime.

19 MR. BENNER: And I just want to add something about the CCF 20 research, because the pure quantification of the likelihood of a software CCF hasn't 21 been a priority. I mean, I think it's been more like in the RIS, I think what I've heard 22 about the third way, it's been more qualitative application of operating experience.

23 So this idea that maybe the quantification of that could assist, I would

78 1 agree with Ho's characterization. It's not necessary, because I think the paths we're 2 looking at really would rely on a pure quantification of a software CCF failure, but if that 3 data did show something that would be helpful, then it would be helpful.

4 COMMISSIONER WRIGHT: So in the first panel, I asked this question 5 and I'm able to kind of paraphrase it again. Ho, you mentioned what success looks like.

6 Where is the sweet spot on reasonable assurance of adequate protection? Where is 7 it? At what point do we achieve it?

8 I mean, do we, because it seems like we just keep incrementally 9 adding things, adding things, adding things. If we had that information it would inform 10 us a little bit, or it might help. At what point do we know, can we move forward? We 11 say we're close but then we're 31 years.

12 MR. NIEH: I can try that. Reasonable assurance, as you know, 13 Commissioner, the Agency has never defined it explicitly. It's something you feel, I 14 guess, in some ways, and we're, I would think that when we arrive at the sweet spot it's 15 going to be the point where we know, the industry knows, that 100 percent testing of 16 every single line of coded in the software program isn't required, a manual system or 17 analog system is not required in every single instance.

18 I think when everybody know that, when we're aligned on what we 19 think is reasonable, and I hate to use a definition to define the term, but that's kind of 20 when I think we get there, is when we have applicants that are willing to test our 21 regulatory review. They have the confidence in us that we can do a review that isn't 22 focused on finding the ghost in the machine and that's recognizing it's not a zero risk 23 activity that we're taking, but we've taken steps to eliminate with the best confidence we

79 1 can something that we don't want to happen in the failure of one of these systems.

2 So I think we get there when we kind of put to rest some of the 3 perceptions that we've been talking around today, and when we actually see the 4 applicants wanting to use our regulatory review process to grade their plants.

5 COMMISSIONER WRIGHT: So --

6 MS. DOANE: I just want to build upon that a little, because I think one 7 thing we keep chipping around at the edges is that a lot of this -- We're talking about 8 perceptions. We should turn that back and really, I take from this that we need clarity 9 on how much we need to know in advance and, because we keep touching on this 10 issue, how much of the design has to be done, how much will we work on, how much will 11 we require the licensee to provide to us in order to enable us to make that adequate 12 assurance finding?

13 So the path forward is putting in that process that clarifies those issues 14 where we have some confusion. And the confusion is partly, you touched on it when 15 you touched on the Purdue reactor, because we talk about some 100 percent testing 16 that has been done with platforms that aren't as complex.

17 And then so the suggestion, because it goes back to the question the 18 Chairman was asking about, can't you see when the licensee, the industry is seeing 19 BTP-7-19, well it's talking about license amendments and design certifications, can't you 20 see how this other discussion on 50.59 that talks about say, for example, 100 percent 21 testing, can bleed into that and cause confusion.

22 So I would say we need to define success but we need to put an 23 emphasis on clarifying where the areas are that we don't know, so I think Mr. True said,

80 1 he was talking about where the risks are not sufficiently low, and then what other 2 systems we can rely on, and it's going to be that work that will establish, I think, the 3 standards that you can go forward and at least have a threshold that the licensees can 4 see, okay, this is the threshold that we're trying to meet. We're trying to answer those 5 questions.

6 So I don't think we're going to have certainty but we'll have a process 7 that has thresholds that are easily understood.

8 MR. BENNER: And I would say that getting to the sweet spot is a 9 series of facts so the fact that the RIS opened up what could be done under 50.59, that 10 helped say okay, doing something less there still provides reasonable assurance.

11 Clarifying that the BTP would only be for the A1 system, so that you would only need to 12 do this detailed analysis for a small subset.

13 That peels away more that, okay, so we're just targeting down to the 14 most safety-significant of the systems and even there now we're trying to tackle, is there, 15 what are the alternatives we can look at to make our reasonable assurance findings?

16 I see these as all steps to getting to that sweet spot and then within 17 those things, that would still need a D3 analysis and maybe some scenarios that need 18 some mitigation, it's what level of mitigation is necessary. And to that extent, manual 19 operator actions has been talked about a lot here.

20 I will say that a lot of what plays into the efficacy of manual operator 21 actions is how much time do you have? And another realization from our public 22 meeting is a licensee said well, will you consider if we propose leak before break 23 considerations to give the operators time? And we hadn't thought about that but we

81 1 said we would certainly consider that.

2 Now that hasn't been proposed in the past, but I think once you start 3 getting people to think about this holistically, you can start creating solutions that allow 4 us to make our safety finding and that the applicant would find palatable.

5 COMMISSIONER WRIGHT: Thank you very much.

6 CHAIRMAN SVINICKI: Thank you.

7 Commissioner Baran?

8 COMMISSIONER BARAN: I know we've been at it for a while, but I do 9 want to ask because I'm genuinely confused at this point, I have one question or one 10 issue, which is for this box 1, where we're talking about the A1 and we're talking about a 11 diversity and defense in depth analysis, is this fundamentally a quantitative analysis 12 we're talking about?

13 Is the idea here that we will set a quantitative level where we say, this 14 is what it takes to show that a common cause failure is sufficiently unlikely that we're 15 satisfied that there's adequate protection, and that's based on data showing that there's 16 common cause failure, digital systems is at this level, and if you do a, b, and c testing 17 and engineering and etc., that it will drive it to the level that it would be acceptable to us?

18 Or is this not quantitative and we're just saying, we don't really know 19 how common this is but if you did a, b, and c that would be great, and sounds like it 20 would be good in the end. I mean, is this a quantitative?

21 MR. BENNER: What we've, what our proposal is isn't really 22 quantitative in that regard. Again, it looks at different scenarios. Even within that box a 23 D3 analysis looks at different acts and scenarios and then says, if you had a CCF, are

82 1 the consequences significant? Yes or no. How would you mitigate it? Could you 2 mitigate it through, an operator takes an action or an existing diversity, like your ATWS 3 system will take care of it?

4 Or, as one of the presenters mentioned, is there a sensory or 5 functional diversity? I mean, if you want to get a trip, there's all, if things are happening 6 in the plant there are multiple ways that a trip might occur. In all likelihood even in the 7 digital system there would be other parts of the system that could cause the trip.

8 So it's really analyzing to say okay, here's what the outcome would be.

9 And that's where I say, the idea of a pure quantification of common cause failure has 10 not been something we've discussed with industry. We're not opposed to having that 11 discussion but we haven't gone there and to date, that isn't what industry has asked for 12 from us.

13 So it's just an open book as to whether, how much of a solution that 14 would provide.

15 COMMISSIONER BARAN: I guess I'm just trying to figure, typically at 16 this agency we're trying to figure out what is the sweet spot, what do we think is 17 necessary for adequate protection, there's a quantification around that. Not always, but 18 oftentimes. It sounds like that's not the way we're looking at this issue. Ho is shaking 19 his head no. Okay. Thank you.

20 CHAIRMAN SVINICKI: Okay. Well, once again I want to thank our 21 prior panel and also the staff. I began the meeting by saying that I've had the 22 opportunity to sit in a lot of these digital I&C meetings over the course of over ten years, 23 and I know sometimes if you focus too much on the time when we weren't maybe

83 1 making the kind of progress that we had hoped, it's easy to get distracted by that.

2 But what I take away from today's meeting and maybe even arguably 3 the meeting that the Commission had last year, is that we've done a lot of foundational 4 work, and I think that the NRC is really on, they're at that point where we can begin to 5 see maybe some of the collective benefits of bringing together all that we've done.

6 I don't want to make any kind of forecasts that we're on the verge of 7 suddenly having real breakthroughs in progress, but I think actually, candidly, I'm 8 somewhere close to that. I think that we have kind of, at least, was it Eric who said 9 problems can be broken down, they can be segmented, we can reconstruct them and 10 then figure out how to get the certainty we need on the various pieces and bring them 11 back together.

12 So I am candidly optimistic about where we are on this. I think there's 13 also parallels in history for someone, you know, the first person through license renewal, 14 which if I have my history right that didn't go so well. The first time around there was a 15 regrouping by the agency, with some motivation by the Congress, and then there was, 16 you know, if someone else came in, it might have been Calvert Cliffs, and it went a little 17 bit better.

18 So maybe we are at a point where it will be the doing of it, as either 19 Eric or Ho said, at some point we're going to prove out the processes because I think 20 we're getting close to the point where the next big learnings come in trying to animate 21 this process and I'll close with transformation again. I'm not trying to make everything 22 about that, but I think there's a reason why under former EDO McCree, his task force, 23 his transformation task force, came up with risk-informed decision-making.

84 1 Because that's really at the heart, a lot of people are talking about 2 finding a sweet spot for that, if that were a formula, this agency could have, we could 3 have all gone to working half-time and our jobs wouldn't be nearly as complicated. So 4 we have to keep finding that, but I, as a longtime observer I'm impressed with the recent 5 history on this and where we're headed. I think that we're really driving towards, and I 6 don't want to, the most trite statement is it's always darkest before the dawn, and I didn't 7 want to say that but I just said it.

8 But the point is your progress is not the most obvious at that point at 9 which you're kind of tired, you've been at it a longtime but you're ready to kind of really 10 break through to something. I think if we're not there to that point, we're close, and this 11 is not the time to let our energy flag on any of this. I think we might be able to be pretty 12 satisfied with some things that will happen in the coming times.

13 Again, thank you all, and with that we are adjourned.

14 (Whereupon the above-entitled matter went off the record at 11:34 15 a.m.)