ML22298A012
| ML22298A012 | |
| Person / Time | |
|---|---|
| Issue date: | 10/20/2022 |
| From: | NRC/OCM |
| To: | |
| References | |
| NRC-2126 | |
| Download: ML22298A012 (1) | |
Text
Official Transcript of Proceedings NUCLEAR REGULATORY COMMISSION
Title:
Stakeholder Outreach Meeting on the NRC Staff's SECT-22-0076 Regarding Expansion of Current Policy on Potential Common-Cause Failures in Digital Instrumentation and Control Systems Docket Number: (n/a)
Location: teleconference Date: Thursday, October 20, 2022 Work Order No.: NRC-2126 Pages 1-83 NEAL R. GROSS AND CO., INC.
Court Reporters and Transcribers 1716 14th Street, N.W.
Washington, D.C. 20009 (202) 234-4433
1 1 UNITED STATES OF AMERICA 2 NUCLEAR REGULATORY COMMISSION 3 + + + + +
4 STAKEHOLDER OUTREACH MEETING ON THE NRC STAFF'S 5 SECY-22-0076 REGARDING EXPANSION OF CURRENT POLICY 6 ON POTENTIAL COMMON-CAUSE FAILURES IN DIGITAL 7 INSTRUMENTATION AND CONTROL SYSTEMS 8 + + + + +
9 PUBLIC MEETING 10 + + + + +
11 THURSDAY 12 OCTOBER 20, 2022 13 + + + + +
14 The Public Meeting convened via Video-15 Teleconference, at 2:00 p.m. EDT, Bhagwat Jain, 16 Moderator, presiding.
17 NRC STAFF PRESENT:
18 BHAGWAT JAIN, NRR 19 ERIC BENNER, NRR 20 NORBERT CARTE, NRR 21 SAMIR DARBALI, NRR 22 KHOI NGUYEN, NRR 23 RICHARD STATTEL, NRR 24 DINESH TANEJA, NRR 25 SHILP VASAVADA, NRR NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
2 1 ALSO PRESENT:
2 MOHAMMAD ALAVI 3 ALAN CAMPBELL, NEI 4 JERRY MAUCK, JLM Nuclear I&C 5 WARREN ODESS-GILLETT, Westinghouse 6 KEN SCAROLA, Nuclear Automation Engineering 7
8 9
10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
3 1 CONTENTS 2 Introduction & Opening Remarks . . . . . . . . . 4 3 NRC Presentation . . . . . . . . . . . . . . . . 9 4 Open Discussion . . . . . . . . . . . . . . . . . 17 5 Opportunity for Public Comments 6 Staff's Recap of Feedback . . . . . . . . . . . . 76 7 Next Steps/Closing Remarks . . . . . . . . . . . 80 8 Adjourn . . . . . . . . . . . . . . . . . . . . . 83 9
10 11 12 13 14 15 16 17 18 19 20 21 22 23 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
4 1 P-R-O-C-E-E-D-I-N-G-S 2 2:00 p.m.
3 MR. JAIN: Hello. Good afternoon. It's 4 2 o'clock. My name is Bhagwat Jain and I'm a senior 5 project manager in NRR's Division of Operating Reactor 6 Licensing. Along with Michael Marshall, we perform 7 the project management function for all things digital 8 in NRR.
9 For the background for this meeting, this 10 is our third public outreach this year on the Staff's 11 proposed expansion of the CCF policy on SECY-22-0076.
12 That is now with the Commission for wording.
13 We have had two public meetings on CCF 14 proposed policy earlier this year. One in mid-15 February and the other one in early June. We also 16 briefed the ACRS Digital I&C Committee, once in May 17 and then in late September. The ACRS provided very 18 valuable feedback to the Staff.
19 During the last ACRS briefing in 20 September, the industry had provided some feedback on 21 some aspects of the proposed expanded CCF policy.
22 Today we will continue with that dialogue with the 23 stakeholders to hear their perspectives and feedback.
24 Today's meeting is scheduled for two 25 hours2.893519e-4 days <br />0.00694 hours <br />4.133598e-5 weeks <br />9.5125e-6 months <br />. The staff encourages stakeholders to provide NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
5 1 comments and the feedback. You may submit your 2 comments or feedback via email to myself or Michael 3 Marshall. Our contact information is provided in the 4 public meeting notice posted on the NRC public website 5 and on the chat.
6 With that, I'm looking if some of the key 7 part presenters are here. We will display the 8 presentation. Those who did not have access to Team 9 video portion, you can download the presentation using 10 ADAMS ML number for the presentation. Okay, the ML 11 Number for staff's presentation is ML22291A015. I 12 will repeat again. It is ML22291A015.
13 As I said before, this information is also 14 provided in the chat. And the public meeting notice 15 posted on the website. If you have comments on 16 feedback on any aspect of this meeting, please contact 17 me or Michael Marshall and we'll provide you the 18 necessary forms.
19 With that I'll go over a couple of point 20 of etiquettes. Please allow the presenter to make the 21 presentation. There will be an opportunity to ask 22 questions or provide comments after the presentation.
23 If you are not speaking, please keep your cell phone 24 on mute and turn off your video please. When you 25 speak, please identify yourself.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
6 1 Now with that I will then start with some 2 introductions. We have exactly from NRC in the 3 meeting Eric Benner. The director of division of 4 engineering and external hazard.
5 Today's presentation is led by Samir 6 Darbali. Samir is the I&C tech staff in the Division 7 of Engineering and External Hazards.
8 We have several other NRC staff on line.
9 As they contribute to the meeting they will introduce 10 themselves.
11 With that I will now request Eric Benner 12 to make some opening remarks. Eric, please.
13 MR. BENNER: Thanks BP. And thanks 14 everyone. Like BP said, this is the third of a series 15 of meetings on this specific topic.
16 We're in an interesting space because we 17 have provided the paper to the Commission now. So 18 it's before the Commission for voting. But there has 19 been ongoing dialogue about the contents of the paper.
20 Both, like BP said, at the ACRS. And NEI provided a 21 letter with some of their feedback.
22 So we do want to keep this dialogue open, 23 so I'm going to steal some of BP's thunder and I'm 24 going to look ahead to Slide 4 and say the purpose of 25 this meeting is to summarize what's in SECY-22-0076.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
7 1 We intend to do that pretty briefly 2 because going into this I thought that most of the 3 people who would be at this meeting were people who 4 were at some of our previous meetings. But I know 5 we're up to 76 participants. So I think we have some 6 additional participants on this meeting.
7 So our summary will be pretty high level, 8 but like BP said, we can go into a little more detail 9 so that everyone understands what the paper proposes 10 or doesn't propose.
11 We also want to share, because at the 12 ACRS, the latest ACRS subcommittee meeting that we 13 heard, the ACRS had some feedback and questions. And 14 we have the answer to those questions, and we've 15 provided that to the members. But we also just want 16 to make sure all the stakeholders are aware of the 17 answers to those questions.
18 We want to do a little deeper dive because 19 it seems like some of the area of concern is on what 20 we call Point 4 in the policy. And that deals with 21 manual controls and displays. And what that part of 22 the policy requires, or doesn't or, you know, how it 23 influences, how we conduct our reviews. And then, 24 like BP said, it's open dialogue.
25 It's going to be us certainly answering NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
8 1 any questions that people have on any of the things 2 contained in the SECY or any of our other supplemental 3 information we'll provide today. But also to hear the 4 feedback from the stakeholders on any of those items.
5 And I know that the meeting today is being 6 transcribed. Again, I might be stealing some of BP's 7 thunder because we want to have everything on the 8 record so that as we move forward, you know, either on 9 potential implementation or on any supplemental 10 communication we would want to have with the 11 Commission, we want to make sure we're getting the 12 record straight.
13 Because I will say there has been some 14 ambiguity in some of the discussions we've had. And 15 we really, we really do want to try and get it down to 16 precisely what people's concerns are, what their 17 requests are, that sort of thing. So we really know 18 exactly where there might be just areas where we need 19 to clarify things. Or are there areas where we truly 20 have disagreements with differently stakeholders and 21 why those differences exist.
22 So that's my preamble with that. I'll 23 turn it back over to BP.
24 MR. JAIN: Well, with that I think Samir 25 is going to make the presentation. Samir, would you NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
9 1 please?
2 MR. DARBALI: Thanks, BP. And thanks, 3 Eric. Just for awareness -- you can see the slides, 4 right?
5 MR. JAIN: Yes. We all can.
6 MR. DARBALI: Okay. Yes. And just for 7 awareness, Jerry and Tom, you have your cameras on.
8 I don't know if you intended to do so, but just so you 9 know.
10 PARTICIPANT: Are we going to record this?
11 MR. JAIN: This is being transcribed. The 12 meeting is being transcribed.
13 PARTICIPANT: Okay.
14 MR. DARBALI: Thanks, Tom. Jerry, your 15 camera is on but it's all blank. It's a black screen.
16 Just FYI.
17 So, good afternoon, everybody. Here is an 18 outline of this afternoon's presentation. So we'll 19 briefly go over the recent activities in the 20 development of SECY-22-0076.
21 Eric already covered the purpose of the 22 meeting. We'll provide a quick summary of the 23 proposed expanded policy. Which I believe most here 24 have now become familiarized with, but as BP and Eric 25 said, if we need to look at some specifics we can do NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
10 1 that.
2 We'll address the staff's position on the 3 questions we received during the ACRS Digital I&C 4 Subcommittee meeting. We'll talk about the 5 applicability of Point 4 and provide some 6 clarifications. And we'll proceed with the open 7 dialogue portion of the meeting.
8 The staff recently issued SECY-22-0076 on 9 August 10th of this year. The SECY proposed an 10 expansion to the digital I&C common cause failure 11 policy. Which is contained in SRM SECY-93-087.
12 Shortly after issuing the SECY, NEI provided a letter 13 to the NRC with comments on the staff's position 14 contained in Point 4, regarding diverse and 15 independent main control room displays and manual 16 controls.
17 The staff and NEI briefed the ACRS Digital 18 I&C Subcommittee in September of this year. And the 19 staff is scheduled to brief the full ACRS on November 20 1st.
21 The SECY is currently under Commission 22 review. And the staff is waiting for Commission 23 direction through a staff requirement memorandum, or 24 SRM.
25 We already covered the purpose of the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
11 1 meeting, so in Slide 5 we have the staff's key 2 messages. That the proposed expanded policy in SECY-3 22-0076 encompasses the current four points of SRM 4 SECY-93-087 with some clarifications. And expands the 5 use of risk-informed approaches in Points 2 and 3.
6 Points 1 through 3, and Point 4 of the 7 policy, address two facets needed to ensure the safe 8 operation of the plant. Points 1 through 3 ensure 9 Digital I&C systems are sufficiently robust to 10 adequately cope with a CCF. And Point 4 ensures 11 operators can manually control critical safety 12 functions, even in the event of a Digital I&C CCF.
13 Point 4 already incorporates an implicit 14 element of risk-informing, as it only focuses on those 15 critical safety functions needed to ensure the safety 16 of the facility.
17 The expanded policy is intended to be 18 technology neutral and applies to any reactors 19 licensed under 10 CFR Parts 50 and 52. And this 20 includes non-light water reactor designs.
21 We acknowledge that the critical safety 22 functions listed in SRM SECY-93-087, SECY-22-0076 and 23 Branch Technical Decision 7-19 may not be the 24 appropriate set for all reactor designs. However, the 25 SECY does provide for the use of regulatory tools, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
12 1 like exemptions and alternative, to accommodate for 2 reactor designs with different critical safety 3 functions.
4 And finally, if the staff encounters a 5 reactor design where the policy would not be 6 applicable, the staff will engage the Commission as 7 appropriate.
8 Here is the figure that shows the single 9 expanded policy that encompasses the current position 10 in SRM SECY-93-087. And provides for risk-informed 11 approaches in Points 2 and 3 to address Digital I&C 12 CCFs.
13 The current path on the left in green 14 allows for the use of best estimate analysis and 15 diverse means to address a potential CCF. While the 16 risk-informed path on the right allows for the use of 17 risk-informed approaches. And out of the same 18 technics for measures, other than diversity to address 19 a potential CCF.
20 The ACRS Digital I&C Subcommittee provided 21 some questions to the staff during the September 22 meeting. The first question is, would the revised 23 policy be applicable to advance reactors? And the 24 response is, Yes. The policy would be applicable to 25 advance reactors licensed under Parts 50 and 52.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
13 1 The second question is, Do aspects of the 2 policy for which the staff did not request a change 3 carry forward unaltered? And this question was 4 focused mostly on Point 4. Specifically the 5 Commission stated in the SRM to SECY-93-087 that the 6 requirements in the SECY-93-087 for the diverse 7 displays of manual controls to be hardwired. That 8 this requirement was highly prescriptive.
9 The ACRS noted that SECY-22-0076 was 10 silent on this matter and wanted to know the expanded 11 policy, maintain the Commission's direction for, from 12 SRM SECY-93-087. And the answer is, Yes. The staff 13 intended to maintain the Commission's direction 14 regarding this matter.
15 The last question was, Might different 16 reactor types warrant consideration of different 17 critical safety functions? And the answer is yes.
18 The expanded policy is intended to be policy neutral, 19 but it relies on the staff's licensing experience and 20 assumptions about the design of the facility. Such as 21 the presence of a main control room.
22 We recognize that the critical safety 23 functions listed in the SECY and BTP 7-19 might not be 24 appropriate, an appropriate set for all reactor 25 designs. Again, the staff has existing regulatory NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
14 1 tools, like acceptance and alternatives, to 2 accommodate designs with different critical safety 3 functions.
4 If the staff encounters a reactor design 5 where the policy will not be applicable, the staff 6 will engage the Commission as appropriate.
7 On Slide 8 right now. And this slide 8 shows that Point 4 is already risk-informed because it 9 requires diverse displays and manual controls only for 10 those critical safety functions performed by the 11 Digital I&C system.
12 This means that Point 4 does not apply to 13 noncritical safety functions performed by the system.
14 And it does not apply to critical safety functions 15 that are not performed by the digital system. So you 16 can see it's only that scope of critical safety 17 functions performed by the system, which are 18 applicable under Point 4.
19 Point 4 is further risk-informed because 20 it does not require the display, the diverse displays 21 and manual controls for critical safety functions to 22 be safety grade.
23 Here is some background on the staff's 24 position on diverse and independent main control room 25 displays and controls. In the original SECY,93-087, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
15 1 the staff recommended that safety grade displays and 2 controls located in the main control room are 3 hardwired to the lowest level of the safety system 4 architecture be provided for a manual system level 5 actuation of critical safety functions and the 6 monitoring parameters that support the safe functions.
7 Those displays and controls should be independent and 8 diverse from the safety computer system identified in 9 Points 1 and 3 of the policy.
10 Now the staff made this recommendation 11 because such controls and displays provide the plant 12 operators with unambiguous information and control 13 capabilities to enable the operators to quickly 14 mitigate the effects of the postulated CCF.
15 The control room would be the center of 16 activities to safely cope with the event. And the 17 design of the plant should not require operators to 18 leave the control room for such an event. Again, this 19 is what the original SECY-93-087 proposed.
20 In its direction to the staff, the 21 Commission's SRM to SECY-93-087 modified the policy to 22 permit non-safety grade displays and controls, and 23 more flexible architecture and implementation. Such 24 as not needing the displays and controls to be 25 hardwired.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
16 1 But the Commission supported the staff's 2 recommendation on diverse displays and controls for 3 critical safety function. And the staff continues to 4 believe this position remains appropriate to provide 5 reasonable assurance of adequate protection.
6 Again, Point 4 already incorporates and 7 implicit element of risk-informing as it focuses only 8 on those critical safety functions needed to ensure 9 the safety of the facility. And also because it 10 allows displays and controls to not be safety grade 11 and to not have to be hardwired.
12 Requests for exemptions or alternatives 13 provide avenues for applicants to request a deviation 14 from the regulations, based on risk information on a 15 case-by-case basis. And again, if the staff 16 encounters a reactor design where the policy would not 17 be applicable, the staff will engage the Commission as 18 appropriate.
19 And here on Slide 11, this slide shows 20 that the points in SECY-22-0076, as well as the 21 original SRM SECY-93-087, are intended to address two 22 facets that are needed to ensure the safe operation of 23 the facility.
24 Points 1 through 3 address the protection 25 against Digital I&C CCFs to cope with the loss of a NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
17 1 safety function. Whereas Point 4 allows operators to 2 take manual actions of critical safety functions when 3 needed after a Digital I&C common cause failure.
4 If a Digital I&C CCF is not properly 5 addressed, it can affect both a digital system as well 6 as the manual controls and displays. The four points 7 of the policy, when taken together, provide criteria 8 for the assessment of diversity and defense-in-depth 9 against CCF and ensure Digital I&C CCFs do not defeat 10 safety functions and do not impede operators ability 11 to take manual actions when needed.
12 And that concludes the staff's 13 presentation. And we can open it up for questions and 14 dialogue. Thank you.
15 MR. JAIN: So the floor is open for 16 discussion on NRC's presentation, so --
17 MR. DARBALI: Go ahead, Alan.
18 MR. CAMPBELL: Hey, good afternoon. This 19 is Alan Campbell with NEI. First, thank you all for 20 hosting this meeting and having this open discussion.
21 I think it will be very helpful in helping us to 22 better see the different points of views that we both 23 have.
24 When we review the presentation, I'm 25 reflecting back on the June 8th stakeholder meeting NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
18 1 when we were talking through the initial, I believe it 2 was the outline and initial presentation to the ACRS 3 at the time. And we had a discussion regarding Point 4 4.
5 And at the time the industry provided a 6 concern regarding a separate analysis that's needed 7 for Point 4 and how that relates to the analysis in 8 Points 1 through 3. At the time the NRC staff 9 responded with the, with a statement that it's not 10 intended to be a separate analysis, that they're meant 11 to be, Point 4 is meant to be integrated in with 12 Points 1 through 3.
13 It appears, you're showing Slide 11 here, 14 and it appears that we're back to where the industry's 15 initial concern was with this being a separate 16 analysis that's different from Points 1 through 3 and 17 Point 4.
18 MR. DARBALI: Right. So thanks for the 19 comment, Alan. And I'll take a crack at it, and 20 somebody else from the staff can also chime in.
21 So just because Point 4 is intended to 22 address a separate safety aspect doesn't mean that it 23 requires a completely different analysis. So when you 24 do the analysis for, you know, Points 1 and 2 and then 25 in Point 3 you identify how you're going to cope with NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
19 1 a potential CCF, in that aspect you can identify which 2 are your critical safety functions and you can 3 identify if those critical safety functions have a 4 diverse manual control and display. It doesn't 5 require an entirely different analysis.
6 And again, you're not looking at the 7 entire facility's critical safety functions, only 8 those that are modified by the digital upgrade.
9 MR. CAMPBELL: Okay. So --
10 MR. ODESS-GILLETT: Alan, this is --
11 MR. CAMPBELL: Go ahead, Warren.
12 MR. ODESS-GILLETT: Okay. So, as you 13 know, the current way in which one performs the D3 14 analysis is to analyze each safety analysis event.
15 And then to determine what you have 16 available in the plant to protect it using the 17 criteria. The relaxed criteria. And so that analysis 18 is a different, is a different set of inputs for the 19 analysis and results in a different set of outputs for 20 the analysis.
21 And then Point 4 doesn't even look really 22 at your safety analysis, so much as looking at, okay, 23 we have these critical safety functions we need to 24 maintain. So it's a different set of inputs. And 25 what manual controls we need to maintain those NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
20 1 critical safety functions.
2 And so in my opinion, it appears to be, it 3 ends up being two separate analyses because you come 4 up with two different sets of outputs.
5 MR. DARBALI: You're right. And thanks 6 for the question, comment, Warren. You are coming up 7 with two separate outputs or conclusions, but, and if 8 you want to call Point 4 a separate analysis, okay, 9 but it's not an analysis to the level of the analysis 10 that you're performing for the first three points.
11 Of course, you know, I think the bulk of 12 the experience, both in the licensee side and the 13 staff side, when we're looking at these digital 14 upgrades have been with operating plants. And so 15 those plants already have those diverse manual 16 controls because most of the mitigations we've seen, 17 you're not replacing the actual controls in the 18 control panels.
19 And in that sense, that point, how you're 20 addressing Point 4, it doesn't require a lot of work.
21 Because you can just say, look at our architecture.
22 We're not ripping out controls from the control panel, 23 therefore those controls still remain. And they're 24 not part of the digital mod itself so they are 25 diverse.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
21 1 So there are different ways in which 2 point, the information to justify Point 4 can be 3 provided or extracted from the architecture.
4 MR. ODESS-GILLETT: I --
5 (Simultaneous speaking.)
6 MR. CAMPBELL: Go ahead, Warren.
7 MR. ODESS-GILLETT: Is it okay?
8 MR. CAMPBELL: Yes.
9 MR. ODESS-GILLETT: Okay. I don't want to 10 monopolize.
11 MR. CAMPBELL: Go ahead.
12 MR. ODESS-GILLETT: But in fact, even if 13 they're hardwired controls, they still, even to meet 14 IEEE 603 they need to go down to a level of the 15 architecture. As you even point out here, that is 16 susceptible to a CCF and therefore you still need this 17 other analysis to than determine what manual, diverse 18 manuals and controls, displays and controls, I need in 19 order to maintain the critical safety functions that 20 will require a second interface to those same, let's 21 say ESFAS components that your safe system has to 22 interface with.
23 So, even if you have, so my point is, even 24 if you have manual controls, I mean hardwired 25 controls, they typically still go to a low-level NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
22 1 portion of your Digital I&C safety system.
2 MR. DARBALI: Understood. And I supposed 3 that's, you know, dependent on the application.
4 MR. ODESS-GILLETT: Yes.
5 MR. DARBALI: Okay. I guess, you know, 6 one clarification we've been wanting to make since, 7 you know, Alan, you pointed to that, I believe the 8 June meeting, is that we had, we thought some 9 licensees were interpreting Point 4 as to say, hey, 10 for Point 3 I'm crediting manual actions. Because I 11 have those controls, those actions can be performing 12 in a timely way so I'm crediting those.
13 And it seemed like some people were 14 interpreting Point 4 to say, well, in addition to that 15 manual control you have, you need a whole separate 16 analysis and a whole separate manual control that's 17 diverse from what you're crediting. So that's 18 probably what we intended to say back then.
19 But, I mean, if you look at the language 20 from the original SECY, on Point 4, all of the 21 background information, it's really reinforcing the 22 idea that your operators have to be able to take 23 manual actions if needed.
24 MR. CAMPBELL: So I guess that brings me 25 to my next question. You use the term, if needed.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
23 1 Here on the slide it says when needed.
2 MR. DARBALI: Right.
3 MR. CAMPBELL: What would, is there a 4 postulated scenario when, so we're looking at this in 5 terms of layers of failure. So we've had a plant 6 failure. A design basis event. Then we have an 7 RPS/ESFAS failure with a common cause failure.
8 Are we now to assume that, you know, in 9 Points 1 through 3 we're postulating and coming up 10 with ways that we can maintain safety functions. Are 11 we now assuming that that additionally fails?
12 A third failure here and now we have to 13 have a fourth, this next layer down of manual actions 14 to control the plant. Because Points 1 through 3 get 15 you to a hot shutdown state --
16 MR. DARBALI: Right.
17 MR. CAMPBELL: -- which that's what's 18 required for the policy.
19 MR. DARBALI: Right. And the way I'm 20 interpreting your question, no. So point, like you 21 said, Point 3 is going to provide for those. Whether 22 it's going to be diverse meanings or mitigation 23 measure or design technics or preventive measures, to 24 address or cope with that CCF.
25 You lost your safety system, Point 3 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
24 1 measures are going to address that. Regardless of how 2 that is addressed, you don't want your, under plants 3 that have a control room and require, you know, have 4 manual controls, you don't want to prevent your 5 operators from even being able to take manual actions 6 if they have to.
7 So, what you don't want to be is in a 8 situation where your CCF took out your digital system, 9 took out our manual controls and displays. And so 10 yes, you have your Point 3 measures or designs 11 technics addressing that CCF, but your operators are 12 blind to plant, certain plant conditions or cannot 13 perform any actions.
14 And again, for a reactor design that does 15 rely on operators taking actions, we don't see a 16 reasonable argument for having operators lose that 17 ability. And maybe that's some insights that industry 18 can provide to us. But we haven't encountered a 19 scenario where we can say it's okay for operators to 20 lose that ability.
21 MR. CARTE: Samir, can I propose we do a 22 brief digression and let Jerry Mauck say something?
23 MR. DARBALI: Sure. Go ahead.
24 MR. CARTE: Jerry, you raised your hand?
25 MR. MAUCK: I was on mute. I have a hard NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
25 1 time with all the buttons on this thing.
2 I just wanted to point out that, you know, 3 we're doing, pretty much have completed a D3 on Turkey 4 Point. And you only really need Point 4 if you don't 5 have success and you're pursued of Point 3.
6 But Point 4 is, I don't want to have 7 anyone oversimplify it, it's rather complex because 8 you not only have to have manual actions for the main 9 system, you have to have manual actions for the 10 systems that support the manual system. And it 11 cascades down into quite a number of manual actions.
12 And also necessary diverse manual 13 indications which can be quite large. And you can end 14 up with pages of diverse indications that are 15 reacquired. And also pages of manual actions that are 16 required. It depends on what you're digitizing at the 17 plant of what course. It can be rather complex or not 18 so complex.
19 But the point I'm trying to make is, Point 20 4 is not a simple task. That was it.
21 MR. DARBALI: Understood. And, Jerry, if 22 I can have you add to something you said. I think you 23 said, Point 4 is needed if there is an issue with 24 Point 3 or Point 3 cannot be fully addressed?
25 MR. MAUCK: Yes. That was our view that, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
26 1 you know, if we have automatic diverse actions at 2 Turkey Point, we didn't require any manual action.
3 Any diverse manual action to be credited.
4 But if we got to the point that there was 5 no way to get diverse automatic actions, whether from 6 a safety system or a non-safety system, or the ATWS, 7 or any control system, then we have to go to that 8 Point 4. And then when we went to that, not only did 9 we have to identify what the manual actions were and 10 what the indications were that the operator had to 11 have, we have to do the timing for it and make sure 12 that the operator has the time to take this action.
13 So it gets, it's not a simple task.
14 MR. DARBALI: So, and without getting to 15 specifics of the particular Turkey Point licensing 16 application, it seems, from what you describe as Point 17 4, really being part of Point 3.
18 MR. MAUCK: True.
19 MR. DARBALI: Right. And --
20 MR. MAUCK: Yes, true. True. Because, 21 you know, that's a blend there. If you are, meet what 22 you need to meet with your diverse manual actions, 23 then it can be part of Point 3. Yes.
24 MR. DARBALI: Right. So with Point 3 if, 25 you know, you mentioned either you have a diverse NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
27 1 system, ATWS or other system, or you can take --
2 MR. MAUCK: Right.
3 MR. DARBALI: -- timely manual action, 4 then you meet Point 3.
5 MR. MAUCK: Right. Right. I see what 6 you're saying now. It's kind of weird. We have to 7 have for the critical, all critical safety functions 8 we have to have diverse displays and diverse manual 9 controls that aren't part of the software.
10 MR. DARBALI: Right.
11 MR. MAUCK: Which are, is a little bit 12 different twist. It kind of goes hand-in-hand there.
13 But it is a different twist on what you're trying to 14 take manual action credit for over on Point 3. True.
15 MR. DARBALI: Right. Right.
16 MR. MAUCK: Yes.
17 MR. DARBALI: Yes, so, if you're crediting 18 manual actions in Point 3, then you're already 19 addressing Point 4. Because Point 4 doesn't --
20 MR. MAUCK: True.
21 MR. DARBALI: -- ask --
22 MR. MAUCK: Yes.
23 MR. DARBALI: Point 4 doesn't require 24 timely actuation, it doesn't require safety grade.
25 MR. MAUCK: Right.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
28 1 MR. DARBALI: Just that you have manual 2 for critical safety functions.
3 MR. MAUCK: Right.
4 MR. DARBALI: If you're doing it in Point 5 3 for those functions, you're already doing it for 6 Point 4.
7 MR. MAUCK: Right. Right. That's the 8 same.
9 MR. DARBALI: Yes.
10 MR. MAUCK: True.
11 MR. JAIN: Dinesh, you have raised your 12 hand. Do you want to say something? Dinesh Taneja.
13 MR. TANEJA: Yes. I was just trying to, 14 you know, these analysis, you know, we looked at a 15 number of analysis for new reactors. And the new 16 reactor designs that we have looked at, you know, 17 including API1000.
18 So the coping analysis, there were 19 scenarios where they said, you know, hey, the plant, 20 the CCF is bounded so no action needed. I can live 21 with the potential CCF concern.
22 But really your analysis kind of said, 23 hey, if it happens, so be it, I'm still bounded. You 24 know, my AOOs and my scenarios that my analysis bounds 25 it.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
29 1 Now, the other thing that we've seen is 2 that control systems have been used in those designs 3 to provide the diverse means of actuation and 4 indications. So they're taking credit for your plant 5 control systems to be able to do certain, if your 6 control system is available, to take the necessary 7 actions. And those are diverse means. So that was 8 your Point 3 manual actuation using control system 9 capabilities.
10 Point 4 is used in some design to bring in 11 the manual actuations in those, you know, new reactors 12 now I'm talking about. They basically designed the 13 manual actuations to meet the 603 requirement for 14 system level manual actuation and they brought them 15 into the, you know, the priorities modules as a 16 hardwired input downstream of the digital.
17 So they actually were designing it such 18 that you were actually meeting the 603 requirement, as 19 well as the recipe requirement.
20 So there are some good design solutions 21 there, but you really don't want to get caught up into 22 just doing the analysis. I think we need to think 23 about, in a good design from the get-go that meets the 24 primary objective of being able to control the plant, 25 manually as well as automatically.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
30 1 I just want to bring that out, that we've 2 seen those designs and we've never had any new 3 reactors come back to having any issues with trying to 4 meet the guidance or the policy statements of 93-087.
5 MR. JAIN: Thank you, Dinesh. Richard, 6 you have comments?
7 MR. STATTEL: Yes. I just wanted to say 8 that I fully agree with Jerry's interpretation that he 9 just provided.
10 And that is completely consistent with 11 previous applications and the evaluations we've 12 performed of them. It wasn't until recently when we 13 heard this new interpretation of addressing Point 4 as 14 a separate issue outside of the D3 context.
15 The only thing I would also add to what 16 Samir said was, is that Point 4, I agree. If you are 17 crediting manual actions to address Points 1 through 18 3, really you have already addressed Point 4, other 19 than the fact that Points 4 adds the requirement for 20 diversity.
21 Which really ought to go without saying, 22 because obviously if you're saying it in the presence 23 of a common cause failure it has to function, it has 24 to work. And the only way you can assure that that 25 function is going to work is if it is in fact diverse NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
31 1 from the digital safety system.
2 But that's what it adds. That's what 3 Point 4 brings to the table. It's basically, you can 4 use manual actions and it's allowed by Point 3. But 5 if you do that, you have to, it's almost like you also 6 have to make sure that those functions are still going 7 to work in the presence of the CCF.
8 And also, by the way, we did some research 9 and we looked at what the source of Point 4 of that 10 position is, and it was not drafted by the Commission, 11 this was the staff's language. And this was what the 12 staff put to the Commission in the SECY-93-087. And 13 the Commission simply agreed with that portion of the 14 SECY.
15 MR. JAIN: Thank you, Richard. Warren, 16 you have your hand up.
17 MR. ODESS-GILLETT: Yes. But I'd like to 18 defer to Alan, if he has any other points he wants to 19 make.
20 MR. CAMPBELL: Yes. And so, Rich, just 21 responding to what you said, I don't hear, I'm still 22 hearing two different interpretations here that, you 23 know, and please correct me if I'm wrong in 24 understanding what you just said, but Point 3, if 25 there are manual operator controls that are required NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
32 1 and Point 4 adds this diversity, you're saying it adds 2 the diversity.
3 When I look at Point 3 in the SRM existing 4 today, it has the diversity element in it. Point 4 5 adds in the term, critical safety functions, which 6 broadens out the scope beyond what was identified in 7 Points 1 through 3.
8 And so I think the concern is, now that 9 we've broaden the scope in Point 4 to all critical 10 safety functions, why are those needed?
11 MR. STATTEL: Well --
12 MR. CAMPBELL: Are we assuming that there 13 is a failure of what happened in Point 1 through 3.
14 We don't see it in an application where those are 15 needed because we're already postulating the system 16 fails and what do we need to do to get it into a safe 17 state.
18 MR. STATTEL: Again, it's within the 19 context of the D3 analysis. And of the scope of the 20 safety system that's being evaluated. That's being 21 analyzed.
22 So we talked at the last meeting, I think 23 we had an agreement on this interpretation going 24 forward. And we would be willing to provide 25 clarification on that interpretation to avoid NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
33 1 alternate interpretations of this.
2 But really we have no indication that it 3 was intended to be applied independently of a D3 4 analysis. It's one point of four points that were 5 made in this SRM. And it's all within the context of 6 the D3 analysis.
7 It was never, we have no indication, I 8 mean, I wasn't around, I didn't, I wasn't around to 9 draft it or anything, but we have no indication when 10 we research the original SRM that it was intended to 11 be applied independently as this interpretation.
12 And we don't have multiple 13 interpretations. We're just trying to understand what 14 you're saying. So we're really trying to be 15 empathetic and to understand your position on these.
16 On this.
17 And we get it. We understand how you're 18 applying this. But we don't believe it's intended to 19 be that way, and we would like to get that clarified.
20 MR. CAMPBELL: And so I think, you know, 21 that's aligned with what we're asking for, Rich. I 22 think the way that you're describing it is, unless I'm 23 misunderstanding the way that we have proposed to 24 intend it, or I'm sorry, implement it. But what I'm 25 seeing on the screen and what we've seen in the SECY NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
34 1 paper brings us back into this, a different 2 interpretation of what you just described.
3 MR. CARTE: So this is Norbert Carte. Let 4 me jump in for a second. And then we also have 5 another hand up that hasn't had the chance to speak 6 yet.
7 So I guess there is, we got to look at 8 this a different way because somehow we're talking 9 past each other. So if we look at the requirements of 10 279 and 603, they both require that given an event or 11 a condition in a facility that you determine whether 12 automatic protective action is required. And that for 13 every automatic protective action you have a manual 14 means of initiating that same at the division or the 15 system level.
16 So what they're saying is, you need manual 17 for every automatic action. Well, one of the problems 18 with the word safety, critical safety function, is 19 that was sort of a reaction out of TMI.
20 And so, 603 and 279 don't talk about 21 critical safety functions, and they talk about 22 protective actions. And there is more protective 23 actions then those that are needed for the critical 24 safety functions.
25 So you might have a protective action that NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
35 1 protects the analysis. As you're analyzed for an 2 event at a particular low steam generator level, and 3 if the level goes below that, well, and that event 4 occurred, you would be in an unbounded situation 5 therefore you want to protect the analysis not 6 necessarily protect against a particular event.
7 So there are more protective actions than 8 are needed to protect the critical safety function.
9 So the idea of critical safety functions wasn't to 10 expand the scope of what's needed, it's to limit the 11 scope of where you need diversity from every single 12 protective action that's automatically initiated.
13 It's the important ones that really must 14 have displays and controls. And they use a post-TMI 15 wording to determine which ones are the important 16 ones. So I see that as a little bit of a disconnect.
17 MR. CAMPBELL: All right.
18 MR. CARTE: We're not, Point 4 is not 19 asking for new and different controls than anybody 20 else is asking for. But that's my input. Can we go 21 to Ken Scarola for a second?
22 MR. SCAROLA: Yes, Norbert, thank you.
23 Can everybody hear me okay? I'm not sure I have this 24 thing setup right.
25 MR. CARTE: Yes, we hear you.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
36 1 MR. SCAROLA: Okay, thanks. I listened to 2 Rich, and I listened to Norbert. And I think we are 3 beginning to recognize that there is wisdom in IEEE 4 603 and 279.
5 And the wisdom is that we design the 6 protection system for the events that we anticipate.
7 But there is always the n+1 event that we did not 8 anticipate.
9 And 603 and 279 say, we're going to 10 address this n+1 event, the one that we did not 11 anticipate, by giving the operators the ability for 12 manual initiation of the safety functions. And Rich, 13 I have to tell you, that was the intent of Point 4 in 14 SECY-93-087.
15 It was not, you only need Point 4 if Point 16 3 says you need it, it was, you need Point 4 because 17 you may not analyze everything that can possible 18 happen in Point 3. There is always the event that you 19 haven't thought of. And it's the same basis of why we 20 have this capability for manual initiation in 603 and 21 279.
22 Now that manual initiation in 603 and 279 23 also gives the operators the ability to take 24 preemptive actions. So there is really a twofold 25 purpose here. Preemptive actions and manual actions NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
37 1 with the event for which the automated system does not 2 actuate.
3 Now, I believe that we should not require 4 Point 4 unconditionally. If you've done your homework 5 and you've analyzed your Points 1 through 3, that you 6 don't have a potential for a CCF, or it's risk-7 insignificant, then there is no reason to have Point 8 4. Point 4 should not be unconditionally required.
9 On the other hand, if you have identified 10 that you do have the potential for a CCF and the CCF 11 can affect the manual initiation capability required 12 by 603 and 279, then Point 4 should be required. And 13 I think that's an important distinction.
14 So I would recommend to the staff that the 15 last phrase in the first sentence of Point 4 that 16 ends, vulnerabilities to digital CCFs have been 17 adequately identified and addressed, be clarified to 18 add, including both automatic and manual control of 19 critical safety functions. That's what we're trying 20 to do here. Make sure that we can control critical 21 safety functions both automatically, as intended by 22 the protection system, and manually as we have given 23 that capability to the operators.
24 So Point 1 needs to address the entire 25 safety function, not just the automation.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
38 1 Now in addition, when we get to Point 4, 2 I would recommend that this be clarified with a 3 preface that says, if Points 1 to 3 demonstrate 4 inadequate manual control of critical safety 5 functions, and then continue it as written, so the 6 only time you would need Point 4 is if Point 1 through 7 3 demonstrate that you don't have adequate protection 8 against CCF. Either through a deterministic method or 9 a risk-informed method.
10 And then I would also make another very 11 important clarification. 603 and 279 do not require 12 manual control at the actuation level. Or at the 13 component level. They require manual initiation of 14 the same functions that the safety function automates.
15 It's initiation, not actuation. And that's clarified 16 again in Reg Guide 1.62.
17 So Point 4 should make the same 18 distinction. We should be replacing the word 19 "actuation" with "initiation." We need to give the 20 operator the ability to "initiate" control of the 21 safety functions.
22 Now how you deal with longer term needs is 23 another issue. There are many ways that we can manage 24 those control functions once they're initiated. But 25 the timely problem is to initiate them.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
39 1 I'll leave my comment at that. I have 2 more comments that are not on the Point 4 issue, but 3 I'll save them until after this discussion. Thank 4 you.
5 MR. CARTE: Sorry, Ken, that was a little 6 long but let me just try and shorten that a little 7 bit. So what I heard you say was that if the CCF is 8 not risk-significant, as determined by Step 3 or 9 earlier, then Point 4 does not apply? That's one of 10 the points you were making?
11 MR. SCAROLA: Well, what I'm trying to 12 say, there can be two ways where Point 4 wouldn't 13 apply. One is that you've concluded that you don't 14 have a CCF.
15 MR. CARTE: Or it's risk --
16 MR. SCAROLA: Well then you already have 17 manual controls through 603 and 279, therefore you 18 don't need more manual controls. The second way, is 19 as you said, is if you demonstrate that it's not risk-20 significant.
21 MR. CARTE: But the first way is no CCF.
22 Well, yes, obviously.
23 MR. SCAROLA: Well no, not obviously 24 because the way it's written right now Point 4 is 25 unconditional.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
40 1 MR. STATTEL: Yes, but you're reading it 2 in isolation. If I could respond. So --
3 MR. SCAROLA: I'm not reading it in 4 isolation, I'm reading it the way it's written. There 5 is four points to the policy.
6 MR. STATTEL: It's one of four points.
7 MR. SCAROLA: Yes. But nothing in Point 8 4 says, if there is a CCF, then you need manual 9 control. All it says is, you need manual controls.
10 MR. DARBALI: Well, unlikely to be subject 11 to the same CCF assumes there is a CCF.
12 MR. STATTEL: But when do you apply these 13 four points? You apply these four points in the 14 conduct of a D3 analysis. So there is your condition.
15 So do you agree if, you know, what you 16 just said, if you go through Points 1 through 3 and 17 you conclude that you meet the criteria, right? You 18 have adequate safety, then you basically have met 19 Point 4. Even if you credit manual actions.
20 MR. SCAROLA: However, Rich, we commonly 21 conduct the Point 1 analysis, and Point 1 through 3, 22 with consideration of only the automated functions of 23 the protection system.
24 MR. STATTEL: I have never seen a, I have 25 never seen a D3 analysis that did not credit manual NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
41 1 actions. And I've been doing this for 30 years.
2 MR. SCAROLA: Oh. But those are only the 3 manual actions that are in Chapter 15. That's not the 4 only point of 603 and 279.
5 The manual actions that we credit in 6 Chapter 15 are for the events we thought of. And what 7 I'm trying to explain here, is that there are the 8 events we have not thought of. But the guys who wrote 9 603 and 279 did think about those events.
10 But we used to call them the n+1 event.
11 The one we didn't think of. And that is another 12 intent, not just for the credited manual actions, but 13 for the manual actions that you might have to take 14 that you never anticipated you were going to have to 15 take. Let's not forget defense-in-depth here.
16 MR. JAIN: Shilp, you raised your hand.
17 Are you still there?
18 MR. VASAVADA: Yes, I'm still here, but I 19 didn't want to stop the discussion. So if anybody 20 else had something to discuss on --
21 MR. JAIN: Great.
22 MR. VASAVADA: -- like in the same vein of 23 what was going on, I can wait. That's not too long.
24 But yes.
25 MR. JAIN: Oh, okay. All right.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
42 1 MR. CARTE: Warren?
2 MR. ODESS-GILLETT: Yes. So, let's give, 3 let's come up with another situation here. So if you 4 do Points 1 through 3, and my experience is that as 5 much as possible the licensee tries to credit the 6 manual actuation to cope with each event in the safety 7 analysis concurrent with a CCF. But there are those 8 cases where it's not fast enough and therefore then we 9 need the automatic diverse actuation to make sure we 10 meet the relaxed criteria.
11 Now, listening to Rich, if I also had a 12 duplicate manual control for that automatic control, 13 regardless of evaluating critical safety functions, 14 would that meet Point 4?
15 MR. STATTEL: I don't understand where 16 duplicate control comes in.
17 MR. ODESS-GILLETT: In other words, I need 18 an automatic, a diverse automatic actuation in order 19 to maintain the plant in the safe condition.
20 MR. STATTEL: Okay. So a non-safety 21 related ATWS --
22 MR. ODESS-GILLETT: Yes.
23 MR. STATTEL: -- event.
24 MR. ODESS-GILLETT: Right. So, if for 25 each one of those automatics that I had to add --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
43 1 MR. STATTEL: Okay.
2 MR. ODESS-GILLETT: -- for the reverse 3 actuation system --
4 MR. STATTEL: Okay, I'm following you.
5 MR. ODESS-GILLETT: -- could, if I added 6 a manual control in addition to those limited 7 automatic controls that we credit in the diverse 8 actual system, that doesn't require any analysis, it's 9 just we're giving the operator the manual control 10 capability of what we've added in the diverse 11 actuation system for the automatic.
12 MR. SCAROLA: Warren, I agree with you 100 13 percent. And that's exactly what was done in some 14 licensing applications. There was no analysis related 15 to Point 4, it was simply --
16 MR. STATTEL: That's right.
17 MR. SCAROLA: -- these are the diverse 18 actuations that we need, so we're going to have manual 19 initiation of those. And if we had other safety 20 functions, critical safety functions that had no 21 automated action, we simply added manual initiation 22 for the equipment that was needed for those.
23 There was never an analysis to demonstrate 24 that the manual controls for Point 4 were sufficient 25 for anything. Because as I said, they're for the n+1 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
44 1 event. They're for the event you don't know you need.
2 There was never an analysis.
3 MR. STATTEL: This has never really been 4 a contentious issue during our evaluations though.
5 Because, well, for one thing, the ability to initiate 6 manual actuations for a diverse system, I don't think 7 anyone, I have never seen anyone propose not having 8 that ability and that it's always been there. Does it 9 require an additional analysis, no. No, I wouldn't 10 think so.
11 But if all, if you are directly crediting 12 a manual actuation, then I don't think it's a lot to 13 ask that it be diverse and that it, you know. I think 14 when you read the original SRM, or the original SECY, 15 actually going back before the SECY, I think there was 16 an unwritten assumption that it was these critical 17 safety functions that would always be necessary in 18 order to bring the plant to the safe condition to meet 19 the criteria. Actual site boundary criteria.
20 But I think --
21 MR. SCAROLA: So, Rich?
22 MR. STATTEL: -- it's kind of taken, it's 23 taken on a life of its own in these different 24 interpretations. But I don't think that that much 25 thought went into those because it was assumed that if NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
45 1 your safety system is no longer functional, that you 2 would somehow have a reliance on manual actions and 3 those would, in turn, accomplish the critical safety 4 functions that would be needed to meet your boundary 5 conditions.
6 MR. SCAROLA: But, Rich, the analysis 7 you're referring to is a Point 3 analysis.
8 MR. STATTEL: I know.
9 MR. SCAROLA: If in Point 3 you take 10 credit for manual actions, then very clearly they have 11 to be analyzed.
12 MR. STATTEL: And they have to be diverse.
13 MR. SCAROLA: Both from a hydraulic point 14 of view and an HFE point of view.
15 MR. STATTEL: Right. And that goes down 16 to the argument that Point 4 is within the context of 17 the D3 analysis.
18 MR. DARBALI: Yes, but it's not --
19 MR. STATTEL: It's not beyond that.
20 MR. DARBALI: It's not clear.
21 MR. SCAROLA: Because let's assume that 22 for Point 3 you only need one manual action. And 23 let's say that's the initiation of emergency feedwater 24 for some reason. No, that's not a good example. Let 25 me give a good example here.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
46 1 Now, let's say for Point 3 that you take 2 credit for the manual closure of the main steam 3 isolation valves. Well that's one safety function.
4 You've got five or six more safety functions that you 5 never credited manual actuation.
6 And that's the intent of Point 4. Is to 7 have manual initiation capability for all the critical 8 safety functions whether you credited those manual 9 options or not.
10 MR. STATTEL: No, I don't agree. And 11 we've never applied it that way. So, in other words, 12 when we review a D3 analysis, and within the context 13 of the D3 analysis, we look at what's being credited 14 in the analysis, and we look at if those things are 15 divers and they will function. We come to a 16 reasonable assurance conclusion that they will 17 function in the presence of the CCF.
18 We don't ask, right, I mean, I can point 19 to dozens of analyses that we've evaluated, we don't 20 ask for functions that are outside of that scope. We 21 never have, right?
22 So if you want to do those analysis, if 23 you want to show that functions that are not credited 24 in the D3 analysis meet the Point 4 criteria, okay.
25 But that's not in the scope of these four points.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
47 1 MR. DARBALI: Well, Rich, I think --
2 MR. STATTEL: I mean, Point 4 is one of 3 four points. And it's intended only to address the 4 CCF. That's what it is.
5 MR. DARBALI: Well, Rich, I think the 6 reason we haven't --
7 MR. STATTEL: Why would we?
8 MR. DARBALI: -- gone further on Point 4 9 for previous reviews, is because we can tell, based on 10 the description of the modification and design 11 modification architecture, that they're not ripping 12 out those manual controls and displays. And they're 13 not making those part of the digital modification.
14 So in turn we know they're meeting Point 15 4. And that's, I think, why we haven't really asked 16 for a separate, tell us how you're meeting Point 4.
17 We can abstract that information from the design.
18 MR. SCAROLA: Rich, you said something 19 very important. I'm sorry, this is Ken Scarola again.
20 You said something very important. Point 4 is 21 intended to address the CCF.
22 The CCF that we're looking at is the CCF 23 that adversely impacts the functions required by 603 24 or 279. One of those functions is manual initiation.
25 So if the CCF adversely affects manual initiation, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
48 1 it's got to be addressed in Point 4.
2 MR. STATTEL: I agree. Yes, I agree.
3 MR. SCAROLA: Whether you credit that 4 manual --
5 MR. STATTEL: That puts it within scope.
6 MR. SCAROLA: -- initiation or not, 7 because all the manual initiations that are in there 8 for 603 are not necessarily credited in the accident 9 analysis. Or your D3 analysis.
10 MR. STATTEL: That's true.
11 MR. SCAROLA: Well, then you got to make 12 them all work in the presence of a CCF. That's my 13 point, that the Point 1 analysis needs to address all 14 the functions of 603 and 279. And that includes both 15 automated and manual actions. Manual initiation 16 actions.
17 I think where we run into trouble is when 18 people try to extend Point 4 to include manual 19 actuation. That's a much bigger problem.
20 MR. TANEJA: Hey, Ken, this is Dinesh.
21 603 requirements for manual actuation, you know, they 22 can be implemented in your safety related digital, in 23 a protection system, right?
24 MR. SCAROLA: They can or can't? Did you 25 say can or can't?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
49 1 MR. TANEJA: Can be, right?
2 MR. SCAROLA: Can be, yes.
3 MR. TANEJA: And typically are.
4 MR. SCAROLA: Yes.
5 MR. TANEJA: So those manual capabilities 6 are susceptible to potential CCF.
7 MR. SCAROLA: Certainly.
8 MR. TANEJA: Okay. So, all what we are 9 saying is that the CCF considerations, potential 10 software common cause, you know, the whole four points 11 are based on the predicament that this failure 12 mechanism is beyond design basis.
13 By design, your safety system should not 14 fail, right? You're building them to the highest 15 possible quality, and they're supposed to be available 16 under all potential hazards that you recognize.
17 Now, you n+1 argument is applied here.
18 You know, your potential CCF is an n+1 argument. Now, 19 how do you deal with it, I don't think you need to do 20 a timing analysis or anything like that for the Point 21 4.
22 If you do need to rely on a manual 23 actuation to cope with a CCF, I don't think you need 24 to worry about the timing consideration for the four 25 points.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
50 1 MR. SCAROLA: I agree.
2 MR. TANEJA: Because that timing 3 consideration is only for Chapter 15 events where you 4 take credit for a manual action.
5 MR. SCAROLA: I agree with you 100 6 percent. No analysis --
7 MR. TANEJA: So I think we are getting --
8 MR. SCAROLA: -- is needed for Point 4.
9 MR. TANEJA: So we are getting this 10 argument kind of, you know, we need to basically 11 separate these items out.
12 MR. SCAROLA: Yes, Dinesh, I agree with 13 you. I don't know why we're talking about any 14 analyses for Point 4, the analyses is Point 3.
15 If you need manual actions for complying 16 with Point 3, then you do need a timing and an HFE 17 analysis. And a thermal hydraulic analysis.
18 Point 4 needs nothing, other than you got 19 to have the control and it's an I&C design review.
20 It's not an analytical review at all.
21 MR. ODESS-GILLETT: But, Ken, you're 22 proposing that Point 4 is just a matter of replicating 23 all of your, if they are susceptible to a CCF, your 24 point is just to replicate all of your manual controls 25 again for Point 4?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
51 1 MR. SCAROLA: No. That's an 2 overstatement, Warren. And that's what's so important 3 here. You only have to replicate the manual 4 initiation controls, not all the manual controls. You 5 don't have to replicate manual controls at the 6 actuation or the, at component level.
7 MR. ODESS-GILLETT: Well certainly not at 8 the component level, but maybe you can help me, again, 9 understand the differentiation between initiation and 10 actuation system, system level initiation versus 11 system level actuation.
12 MR. SCAROLA: Well, the initiation 13 typically refers to what would happen if a bistable 14 were to trip.
15 MR. ODESS-GILLETT: Okay.
16 MR. SCAROLA: That's initiation.
17 MR. ODESS-GILLETT: Okay.
18 MR. SCAROLA: The actuation typically 19 refers to everything downstream of the voting logic.
20 MR. ODESS-GILLETT: Okay.
21 MR. SCAROLA: That's actuation.
22 MR. ODESS-GILLETT: Okay. So you're 23 proposing --
24 MR. SCAROLA: And I can tell you that this 25 --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
52 1 MR. ODESS-GILLETT: Go ahead.
2 MR. SCAROLA: -- idea of meeting Point 4 3 at the level of initiation was licensed for System 4 80+, for US-APWR, for APR-1400. That's all they had 5 for Point 4.
6 And it was, again, because you wanted to 7 give the operators the ability to take preemptive 8 actions in the presence of a CCF, or to take actions 9 for the n+1 event. That the system didn't actuate 10 automatically for.
11 MR. DARBALI: But, Ken, you're saying at 12 the initiation level that's diverse. But certainly 13 you're not saying that anything downstream would be 14 subject to the same CCF, right?
15 MR. SCAROLA: You have to address the CCF 16 at all levels. Absolutely, you have to address CCF at 17 all levels.
18 You may have a CCF at the component level 19 and no CCFs at the initiation or the actuation level.
20 Well that CCF at the component level is as 21 debilitating to the plant as a CCF at the initiation 22 level. In fact, even more debilitating to the plant.
23 So yes, you do have to address the CCF at all levels.
24 MR. DARBALI: Okay.
25 MR. CARTE: Sorry, a quick point. Somehow NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
53 1 I get this notice that this meeting is locked. Did 2 someone lock the meeting, no one else can join, or did 3 we just run out of slots?
4 MR. JAIN: I don't think it's been locked.
5 Not from my end.
6 MR. CARTE: Okay, so --
7 MR. DARBALI: I do want to go back to 8 something that Warren had mentioned when we were 9 talking about DAS. I just want to clarify.
10 I think, Warren, you had said, or you had 11 asked, if the DAS has a manual pushbutton. And of 12 course, the DAS is diverse from your system so it's 13 not subject to the same CCF. So if the DAS has a 14 manual pushbutton, that meets Point 4.
15 MR. ODESS-GILLETT: Understood.
16 MR. DARBALI: Okay.
17 MR. ODESS-GILLETT: My question is, how 18 many of those do you need if you can claim that I 19 have, let's say I've been able to cope with a CCF 20 using 1 through 3, and I only need, I was able to do 21 it all with manual actuations, except maybe three 22 automatic functions. And does that mean, does Point 23 4 say then, okay, I only need manual controls for 24 three of those, those three automatic functions?
25 MR. DARBALI: Point 4 says you need a NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
54 1 diverse manual means for all critical safety 2 functions.
3 MR. ODESS-GILLETT: Yes, that's what I 4 thought. So it seems to me it's like, you've already 5 demonstrated you've coped with both automatic and 6 manual and we'll even throw in the manual to back up 7 the automatic, but that's still not good enough, we 8 still have to have diverse manual controls for all 9 critical safety functions after you've addressed the 10 coping mechanism using non-safety control systems, 11 anything else that exists and so on.
12 MR. DARBALI: Right. So you would only 13 need those manuals, right. Those manual controls you 14 credited at Point 3, they need Point 4 for critical 15 safety functions.
16 MR. ODESS-GILLETT: I got you.
17 MR. DARBALI: Any DAS you credit or any 18 diverse means that you credit in Point 3, that also 19 has an option for a manual pushbutton. Whether that 20 diverse system is digital or analog, that's going to 21 meet Point 4.
22 It would be a case where you have no 23 ability to manually perform that critical safety 24 function that you need to do something extra for Point 25 4. Which for an operating plant that you're not NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
55 1 ripping out controls, wouldn't be the case.
2 MR. ODESS-GILLETT: Yes. But, Samir, we 3 do have to take into consideration, we want to move 4 into the future and --
5 MR. DARBALI: Right.
6 MR. ODESS-GILLETT: -- have glass control 7 rooms.
8 MR. DARBALI: Yes.
9 MR. ODESS-GILLETT: But I think we're, I 10 understand what you can credit in Point 4, as part of 11 credit, doing in Parts 1 through 3. I'm just seeing 12 that, and this is also my, I don't know what the word 13 is, my concern about Ken's proposal that you 14 basically, regardless of what you have done to cope, 15 you need to add these manual controls in addition to 16 being able to demonstrate that you've been able to 17 cope with a minimum set of manual controls and a 18 minimum set of automatic controls.
19 MR. CARTE: So, Warren, let me just jump 20 in here a little bit. So I understand your concern, 21 but I think there is two parts of Ken's issue. And 22 let me try and summarize the other part.
23 So let's visualize the architecture as a 24 three-layered architecture with a bistable function 25 layer, a voting logic layer and say an implementation NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
56 1 layer. And I think what Ken is saying is that, so the 2 question is, those manual inputs, are those separate 3 inputs into the logic layer, because obviously they're 4 not separate inputs into the bistable layer, but are 5 they separate inputs into the logic layer where the 6 voting is done or are they separate inputs to the 7 implementation layer?
8 So your reactor trip system says trip, and 9 in parallel you have a manual system that says trip.
10 Or your ESF says containment isolation, and in 11 parallel your manual system says containment and 12 isolation. And then the implementation portion 13 received both inputs and performs all of the actuation 14 functions. Right?
15 So first I'd like a little clarification 16 on, Ken, where you're saying those manual control 17 inputs going into, do they go into the logic or they 18 go into the implementation?
19 MR. ODESS-GILLETT: The assumption is that 20 those would go into the logic.
21 MR. SCAROLA: There is no requirement for 22 that. They have to go into the place where you bypass 23 the CCF.
24 MR. ODESS-GILLETT: Okay, we're talking 25 two different things, Ken. He's asking me about the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
57 1 603 controls for your primary protection system.
2 MR. SCAROLA: They typically go into the 3 initiation level or the actuation level. But 4 depending upon the vendor.
5 MR. ODESS-GILLETT: Yes.
6 MR. CARTE: So I guess I'm hearing both 7 Warren and Ken agree that the logic, the manual inputs 8 go in, are inputs into the logic layer, and sometimes 9 into the implementation layer. And so the question 10 is, if you have a CCF in the logic layer, if that's 11 part of your system, then your CCF would disable the 12 manual function, but, and therefore you would need a 13 diverse function to do that?
14 MR. ODESS-GILLETT: The question is, what 15 do you need in a beyond design basis event of a CCF 16 concurrent with your safety analysis evaluation?
17 And if you're saying that in addition to 18 successfully coping, I also need to have these diverse 19 manual system controls to maintain 603, I think it is, 20 with today's technology and reliability I don't think 21 it's necessary.
22 MR. CARTE: Right. But my interpretation 23 is not that the, that SECY or the SRM is requiring 24 additional displays and controls above and beyond what 25 you have, it's putting criteria on the set that you NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
58 1 have. Now, if the set that you have doesn't satisfy 2 the SECY, then you may want to put in, it may be 3 easier to build diverse displays and control than to 4 make the existing ones satisfy the SECY. Right?
5 But in general I don't, and Samir's point 6 earlier was that what we've seen to date on the 7 existing power plants is they're not changing, 8 significantly, the operating interface in the control 9 room. And therefore Point 4 is not such a big deal.
10 MR. SCAROLA: Right.
11 MR. CARTE: But, Warren, your point is 12 that the new facilities want glass control rooms, but 13 the problem with a glass control room is, how do you 14 do a safety related manual control on a glass control 15 room. So that's a different set of issues than 16 they're diverse.
17 But, Rich, I see you have your hand up.
18 MR. STATTELL: Well, I just wanted to 19 respond. So in such a system that you describe, 20 Warren, I would expect the analysis itself to identify 21 the loss of those manual functions. But I would also 22 expect the analysis to identify other diverse 23 functions.
24 They could be manual, they could be a 25 diverse automatic actuation system that would NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
59 1 accomplish the necessary critical safety functions to 2 maintain safety for the plant. Plant safety.
3 So, you know, I don't rule that out, the 4 possibility. And I've actually seen some designs that 5 don't even make an attempt to have diverse manual 6 initiation at the system level. On the safety system.
7 But in every one of those cases I also see 8 some diverse system, and it may be performing a 9 completely different safety function. But it's 10 maintaining the critical safety functions. They're 11 all still maintained. Even if I don't have an 12 alternate means of manually actuating the primary 13 safety function itself.
14 MR. DARBALI: I want to give a chance to 15 Khoi and Mohammad who have been waiting. Khoi, go 16 ahead.
17 MR. NGUYEN: Hi. I just want to --
18 MR. ALAVI: Hi. Oh, okay.
19 MR. NGUYEN: I'm sorry.
20 MR. ALAVI: Oh, sorry. Go ahead, Khoi, he 21 didn't call me yet.
22 MR. NGUYEN: Yes, I just wanted to clarify 23 the point that we have been back and forth on.
24 Whether it's initiation or actuation.
25 So, Reg Guide 1.62, manual initiation of NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
60 1 the protective action, even though the title of the 2 reg guide is initiation. But the start of six and 3 seven make the statement that the point at which the 4 manual control are connected to the safety equipment 5 should be downstream of the Digital I&C safety system 6 output.
7 To me that's a actuation. You shouldn't 8 initiate the control and send the signal through 9 either bistable, processor or any voting logic, you 10 should actuate the A&D device, like pump and valve, 11 whatever. So I just wanted to clarify one thing that 12 we keep talking whether it's initiated or actuated.
13 Thank you.
14 MR. JAIN: Thank you, Khoi. Now Mohammad.
15 MR. ALAVI: Yes. Actually, so the topics 16 right now we're talking, I mean, that's -- I mean, two 17 subjects. The one is the manual, the capability of 18 the manual control by the operator, and the other one, 19 the CCF.
20 So there is an overlap between these two.
21 And maybe it's not exactly the same in all the 22 situations. So, having the manual control input to 23 the logic, that can address that event n+1 that Ken 24 was elaborating, which is the common design, loss of 25 the design I&C.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
61 1 But if we have a CCF in the software of 2 the safety instrument, that system, obviously that 3 manual input to the logic doesn't make sense. So that 4 has to go to the actuation.
5 So in my opinion, maybe these two points 6 have to be separated and each one, each objective 7 evaluated separately. So having the manual, 8 capability of manual control ability for the operator 9 is a total different thing. And cope with the CCF, 10 that's different things that we can address in the 11 Point 3 if we go with the system, I think, assessment.
12 Going with the, all assessment, for the D3.
13 So that's what I get from this discussion 14 I wanted to point out.
15 MR. DARBALI: Thank you.
16 MR. JAIN: Thank you, Mohammad. I see 17 Ken's hand is still raised. Ken, do you have any more 18 questions or comments?
19 MR. SCAROLA: Yes, I raised it again. I 20 think we have to avoid trying to design in this 21 meeting. You know, all these architectures can be 22 very different.
23 In an operating plant you may have a 24 digital upgrade for one layer of the architecture or 25 two layers or three layers. In new plants, all three NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
62 1 layers are always going to be digital.
2 You know, we have to stop designing and 3 recognize the intent here. The intent is that your 4 manual control be able to initiate control of the 5 safety functions in the presence of a CCF that you 6 can't get rid of. It's that simple.
7 Regardless of where the CCF is in the 8 architecture, you have to design your manual control 9 so it's not adversely impacted by that CCF. And I 10 don't think we should be trying to design in any more 11 detail than that in this meeting.
12 MR. JAIN: Thank you, Ken. Are there 13 other questions or comments of the feedback on staff's 14 presentation?
15 MR. CARTE: Yes. My only comment would be 16 on Ken's issue. I don't think we're trying to design 17 but we're trying, I feel the need for concrete 18 examples to clarify the meaning of some of the, 19 because I think there is this impression that we're 20 talking, I get this impression we're talking past each 21 other a little bit. And it's strictly abstract you 22 may never solve the problem, as philosophers never 23 solve anything, right?
24 But if we can get the concrete real-world 25 examples, then maybe. And that's the point. I'm not NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
63 1 trying to design, I'm trying to concretize. Give a 2 couple examples of what would work. But I see that 3 raised a couple of issues.
4 MR. SCAROLA: Well, Norbert, the problem 5 is, regardless of what's digital, does not mean that 6 that digital thing has a CCF potential. We have many 7 examples where the digital is of sufficient simplicity 8 where we were able to preclude a CCF.
9 And that has very often occurred at the 10 lowest level in the architecture. Where the 11 implementation, or what we call component control, is 12 utilized by both the primary actuation system and the 13 backup diverse actuation system. Therefore we don't 14 postulate a CCF in that because it's sufficiently 15 simple.
16 So, you know, it's very hard to discuss 17 this on a generic basis other than to say, the CCF 18 cannot adversely affect the manual control, now go 19 design it.
20 MR. ODESS-GILLETT: And that's kind of 21 where I disagree because in a lot of aspects the 22 manual controls are a backup to the automatic 23 controls. And in your D3 analysis you have analyzed 24 how you can cope with your CCF of both your automatic 25 and your manual controls.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
64 1 And if there is a concern that we're 2 relying on an automatic control and it feels like the 3 need that you need to have also a manual along with 4 the automatic, that I think would be sufficient versus 5 replicating your backup manual controls. Not 6 replicating your manual controls in a backup system.
7 MR. SCAROLA: If you go that way, Warren, 8 then you're throwing out the wisdom of 603 and 279.
9 Those documents recognize that we haven't analyzed 10 everything and there could be events that the 11 operators need to take action on that we have not 12 considered.
13 And you need to think about the same 14 things when you postulate a CCF in those safety 15 systems that we're relying on that had hat manual 16 capability. And that's what Point 4 is all about. It 17 always has been from the very beginning.
18 MR. JAIN: Alan.
19 MR. CAMPBELL: Yeah, I just wanted to --
20 I think Warren summarized our points pretty well. He 21 said most of what I wanted to say. But, you know, I 22 think we're still in a position now where there's 23 confusion around this, from what I'm hearing.
24 And if we need to pull up some examples, 25 we had an example that we provided as part of the ACRS NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
65 1 meeting package that I can share. Or we also provided 2 a diagram to the NRC staff showing some different 3 concepts, if it's helpful to facilitate more 4 conversation around this to be a little bit more 5 exacting in the way we're speaking.
6 MR. STATTEL: Hey, Ken, this is Rich.
7 Nothing we do here is going to impact anything that's 8 in IEEE 603 or those regulatory requirements. So I 9 don't see there being any risk at undermining any of 10 the existing protections that 603 provides.
11 MR. SCAROLA: Yes, I agree. You are not 12 going to undermine anything that's required by 603 13 through this SECY or anything the staff is doing.
14 It's the CCF that undermines the functions of 603. So 15 now the question is do you still need those functions 16 of 603 in the presence of a CCF. And I believe you 17 do. The functions of 603 are not only the automatic 18 functions but the manual functions as well.
19 MR. ODESS-GILLETT: And I guess where I'm 20 coming from is that 603 defines your design bases of 21 the plant and then, if you go into beyond design basis 22 with relaxed criteria, you don't necessarily need to 23 maintain 603 to do that.
24 MR. SCAROLA: Yeah, I guess it comes down 25 to what do you define as outside the design bases. I NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
66 1 believe the anticipation of the n+1 event is within 2 the design bases of 603. That's why 603 requires 3 manual action, the capability for manual actions, 4 because within the design basis you anticipate the 5 unanticipated event.
6 MS. DONAHUE: But are we not in a n+1+1 7 event now, n+2? We have the IEEE, we're saying the 8 design basis event, now a CCF. So Points 1 through 3 9 have your coping mechanisms for that, but now we're 10 adding this extra layer of manual controls and 11 displays for an extra layer. It just -- we're 12 stacking -- how many layers are sufficient here?
13 MR. SCAROLA: Well, Alan, you're not 14 adding anything. You're maintaining what was there in 15 the presence of a digital CCF. You're not adding, 16 you're maintaining.
17 (Simultaneous speaking.)
18 MS. DONAHUE: Is it okay if I share my 19 screen?
20 MR. CARTE: Yes, no objection. So I don't 21 think it's our adding, maintaining, or you're 22 designing such that. So whether you say adding or 23 maintaining, your design is such that you maintain.
24 MS. DONAHUE: So this is a slide that we 25 had as background material for the ACRS meeting in NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
67 1 September. This is the US-APWR, all the protection 2 system functions. So this is slightly modified. We 3 re-labeled the columns here.
4 This first or second column, rather, is 5 the automatic -- this is your IEEE 603 automatic 6 function. This is the, this third column is the IEEE 7 603 required manual function. Then we get into DAS 8 system.
9 So points one through 3 drive us into 10 these three different DAS automatic functions. And 11 then this last column are the diverse manual 12 functions. Sorry, that was the second to the last 13 column. The last column is, are those manual 14 functions actually credited in the D3 analysis?
15 So I think what Warren, the question that 16 at least I heard from Warren and, Warren, correct me 17 if I'm misstating you, is in the scenario of ECCS and 18 EFW actuation, the vendor here determined that an 19 automatic function was needed.
20 We still, the vendor still had to include 21 a diverse manual function to satisfy Point 4, but it's 22 not credited in any of the D3 analysis.
23 Warren, your question was are these 24 switches needed, right? Did I summarize that 25 correctly?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
68 1 MR. ODESS-GILLETT: That's right.
2 MR. DARBALI: So I want to make one point 3 clear, so this is based on the APWR which the review 4 for this design has not been completed. So the design 5 has not been approved. So we can't say here that 6 those two additional switches that you're showing 7 intended to meet Point 4.
8 If that was a decision made by the 9 Applicant, we can't say that that was in response to 10 an NRC review of the application or that the NRC had 11 determined that it met or didn't meet Point 4. So 12 let's be clear that this has not been proved.
13 MR. CAMPBELL: Yeah, understood. I think, 14 you know, the point that we're trying to -- this is 15 indicative, through my review of the different D3 16 analyses that are publicly docketed and things, this 17 is indicative of a common, I won't say the 18 interpretation but a common interpretation of how 19 Point 4 has been implemented where, regardless of 20 whether it's being credited in a D3 analysis, it's 21 still being added.
22 So the concern here, and I want to bring 23 this back to safety, the concern here is the 24 complexity at the operator, right. So now we're 25 getting into a scenario where we have three different NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
69 1 initiation sources for the same, I'm sorry, four 2 different initiation sources for the same function and 3 the complexity that that introduces to an operator.
4 MR. SCAROLA: Alan, this is Ken. There's 5 something important on this chart that you're missing.
6 You're pointing out that the switches for ECCS and 7 emergency feed water actuation are not credited in the 8 D3 Point 3 analysis. I agree 100 percent. They're 9 not.
10 But what you're failing to mention is, in 11 the second column where you have those same switches, 12 they are not credited in the Chapter 15 analysis. But 13 yet we still have them. And why do we have them? We 14 have them because 603 gave us the wisdom to recognize 15 that there may be another event where we need them.
16 And therefore we should give operators that 17 capability.
18 MR. CAMPBELL: And I would say that we did 19 give them that capability through the set of -- in the 20 IEEE required. And then we also gave them that 21 ability, we also gave them protection during a CCF 22 through an automatic function.
23 MR. DARBALI: But I think what Ken is 24 saying is, and correct me, Ken, if I'm wrong, that 25 you're giving the ability in that second column by NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
70 1 providing the switch to the digital system. So you're 2 giving the manual ability.
3 The CCF is taking away that ability, so 4 that switch on the fourth column is maintaining that 5 ability. Because the DAS, and I'm assuming the DAS 6 you're highlighting doesn't have a push-button. So by 7 adding the switch on the fourth column, you are 8 maintaining that ability. Is that correct, Ken?
9 MR. SCAROLA: Not quite. Yes, you are 10 maintaining the capability, but the way that switch 11 worked on US-APWR is it simply initiated the DAS. But 12 the initiation of the DAS was sufficient because the 13 DAS intercepted into the architecture at a very low 14 level where there was no longer a CCF concern. So it 15 was okay to initiate the DAS.
16 If the DAS didn't penetrate low enough 17 into the architecture, then you would have to do 18 something else to meet Point 4. Because then that 19 same thing would be subject to a CCF. So the DAS, in 20 this case the switch simply initiated the DAS.
21 MR. ODESS-GILLETT: So I guess our point 22 is that it seems that we're imposing 603 not only on 23 the protection system design basis, but we're imposing 24 603 on our DAS system.
25 MR. SCAROLA: Warren, functionally yes, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
71 1 but it can be non-safety --
2 MR. ODESS-GILLETT: Oh, yeah.
3 MR. SCAROLA: It doesn't require any 4 qualification, I mean, so don't say you're imposing 5 603.
6 MR. JAIN: Ken, this B.P. Jain. We have 7 very limited time left. And I don't think we are 8 converging at this point. So we need to get back to 9 the purpose of the meeting.
10 I think we have discussed, got a lot of 11 feedback from different stakeholders. And we'd like 12 to hear from other participants if they have other 13 thoughts or other points of view. I see a hand from 14 Shilp. Shilp?
15 MR. VASAVADA: Yeah, this is Shilp. So I 16 guess I won't take too much time, but I just -- this 17 is from maybe a different perspective and see if there 18 are any thoughts on that.
19 And looking forward, I mean, at the 20 expanded policy, the Points 1 through 3 provide, like, 21 a risk-informed alternative in terms of diverse design 22 or (audio interference). And a part of it is, like, 23 using a bounding approach and PRAs to determine the 24 risk significance, and go forward with decision-making 25 based on that.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
72 1 There was discussion about risk 2 significance, there was discussion about different 3 inputs and outputs. So please bear with me as I kind 4 of lay the context.
5 PRAs, old manual operator actions for 6 several sequences, the purpose over there is obviously 7 to have an integrated look if systems, safety-related, 8 non-safety related, both don't work with a certain 9 failure probability. Sorry.
10 COURT REPORTER: This is the Court 11 Reporter. Sorry to intrude. I would encourage anyone 12 not currently speaking to mute their microphones.
13 MR. VASAVADA: Thanks. The PRAs would 14 have safety related, non-safety related, and then 15 manual actions. Those manual actions go through a 16 process called human reliability analysis (audio 17 interference) does the operator even understand they 18 need to take an action.
19 The cognition piece has cues, some cues 20 that are -- C-U-E-S, cues -- that the operator needs 21 to mean that an action needs to be taken. Those need 22 displays, those need, for performing the action, 23 controls or at least switches, et cetera.
24 So then when that (audio interference) 25 made to the sequence that would be included, the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
73 1 determination would include that manual action. And 2 if, quote, credit, end quote, is being (audio 3 interference) determining the risk impact, then that 4 operator action would have to have the three displays 5 and controls to make sure that it is feasible and 6 valid, and that the inputs, the PRA continues to 7 remain valid.
8 So I just wanted to understand, like, I 9 mean, where does that fall in all this? Wouldn't that 10 already need something which would not be impacted by 11 the CCF, because otherwise there is no credit could be 12 taken for that action?
13 I open it up to anybody who has thoughts 14 on that. Thanks.
15 MR. DARBALI: Go ahead, Warren. You're 16 muted, Warren.
17 MR. ODESS-GILLETT: Thank you. Sorry 18 about that. And is it Shilp, is that how you 19 pronounce --
20 MR. VASAVADA: It's Shilp.
21 MR. ODESS-GILLETT: Okay, Shilp. Okay, 22 thank you. I think what -- I'm not sure if I 23 understood completely, Shilp, what you were saying.
24 But are you asking how, what Position 4 is 25 risk-informed or can be risk-informed, or is it --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
74 1 MR. VASAVADA: I'm trying to understand, 2 like, in the actual (audio interference) in risk 3 assessment or PRA for digital CCF analysis, one would 4 not achieve Point 4 if the manual action in the PRA is 5 being credited to determine the risk significance.
6 Does that make sense?
7 MR. ODESS-GILLETT: Well, yes. So I'm not 8 sure if it makes sense to me, but the way Point 4 is 9 written now, even with the risk informed expansion, 10 doesn't seem to take into account risk significance of 11 the manual action at all.
12 MR. VASAVADA: Okay. So the other way I'm 13 looking at it, and it may be because I'm not an expert 14 in the design aspect of it. But Point 3 has 15 information about a risk informed approach. It also 16 talks about that manual actions can be considered as 17 a form of diversity.
18 And then Point 4 says, if I'm not 19 mistaken, that anything you consider in Point 3 can be 20 used for Point 4, right. So, I mean, yeah. So again, 21 even if it doesn't explicitly talk about the 22 significance, what I'm trying to get at is while 23 you're doing Point 3, and you're using that sequence 24 from PRA in your actions, it's implicitly considering 25 the risk significance of the reaction.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
75 1 And then I think it is important, the 2 ability to perform the action. And then for that last 3 line, Point 4, why would you need anything else? I'm 4 unable to understand that.
5 MR. ODESS-GILLETT: Well, I have a 6 difficulty understanding why we would need -- your 7 statement about why do we need anything else. Can you 8 clarify that?
9 MR. VASAVADA: So, okay, let me back track 10 and hopefully I'm not taking too much time from next 11 steps, otherwise let's cut it short. (Audio 12 interference) have an action in it, which would need 13 cues and the ability to perform the action. So it 14 would need a display or some control to tell the 15 operator that an action needs to be taken and the way 16 to perform the action, a switch, a push button, what 17 have you.
18 And that will be included in the risk 19 significance determination. And it would have to be, 20 obviously, not impacted by the -- otherwise the 21 operator action could not occur. So, be a diverse 22 operator action which is un-impacted by the CCF, which 23 can offer a critical safety function. Because the 24 events -- the PRA would include events which would 25 require critical safety functions to be present, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
76 1 inventory control, decay heat removal, et cetera.
2 So, then, if that manual action is already 3 being imbedded and not impacted by the CCF, and this 4 last point in Point 4 says these main control room 5 displays and controls may be used to (audio 6 interference) lay together to address the concern that 7 has been raised (audio interference).
8 MR. ODESS-GILLETT: Shilp, you're cutting 9 out. But I think, from industry's point of view, I 10 think it's fairly -- there's consensus that there's no 11 issue with crediting what you have in remaining 12 controls and Points 1 through 3, that you can apply 13 those to Point 4.
14 MR. DARBALI: Okay. I think we can move 15 on. Shilp, that was your comment?
16 MR. VASAVADA: Yeah, I didn't have 17 anything, maybe --
18 MR. JAIN: Yeah, this is B.P. Jain, you 19 know, we are at that point that if there are other 20 questions, or comments, or feedback on the staff's 21 presentation, you can provide your feedback in writing 22 after the meeting, or by email to me or Mike Marshall.
23 With that, I would ask Samir to recap the 24 feedback if he could. Samir?
25 MR. DARBALI: Yeah, just before that, so NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
77 1 I don't forget, Alan, could you send B.P. the slide 2 that you shared. I believe it's the same one you 3 provided at the ACRS meeting, but just so that we can 4 make that part of the record.
5 MR. CAMPBELL: Yes, will do.
6 MR. DARBALI: Thank you. And I'll add the 7 additional slides that we showed on the four points 8 and 603 and 279.
9 So, you know, I think we were able to 10 provide clarity on the applicability of the SECY 11 22-0076 and the intention with the original Point 4 12 and how we're carrying that intention to the expanded 13 policy.
14 I think we clarified the distinction that 15 Point 4 has when compared to the previous, or the 16 first three points. I understand that some of this 17 information or how we're explaining our interpretation 18 might be new to some of the audience, so I recognize 19 that not everybody is 100 percent in alignment. But 20 hopefully we did get closer to that.
21 And I think we were able to understand a 22 little bit better industry's concerns. One thing to 23 note, and we appreciate all of the feedback and 24 suggestions we've had on ways that the language in the 25 four points could be different. Because it helps us, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
78 1 you know, think of things that maybe we have not 2 considered or look at the points in a different way.
3 But the process for developing SECY paper 4 doesn't really have a public comment portion to it.
5 So the SECY is with the Commission and, you know, 6 they'll review it and they'll provide direction to the 7 staff in an SRM which we're waiting on.
8 A lot of what we heard today, I think, is 9 very good discussion for when we move into the 10 implementing or developing implementing guidance. You 11 know, how do we apply the policy to advance reactors 12 that have a completely different design?
13 Maybe they have different critical safety 14 functions. They don't have the same types of manual 15 controls or, you know, they don't have a control room 16 as we're used to or we're talking about a completely 17 digital flat panel display control room.
18 So a lot of that can be addressed through 19 implementing guidance. I think the policy, as we've 20 said before, you know, we allow for alternatives and 21 exemptions that allows us to look at those different 22 reactor designs. So hopefully a lot of the concerns 23 can be addressed properly in implementing guidance.
24 And for those we will obviously have public 25 engagement. Anything that I am missing, B.P.?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
79 1 MR. JAIN: No. I think you covered it 2 all. Thank you very much, Samir. And I would like 3 Eric to make closing remarks before we close out the 4 meeting. Eric?
5 MR. BENNER: Yeah, I would -- another good 6 dialogue, we've had several good dialogues on this 7 topic. I will say what has been most helpful to me 8 today is we've heard some different views. We've 9 heard some more specifics. I think that gives us a 10 lot of information to chew on.
11 I agree with Samir's point that there 12 could be lot done in implementation guidance. I 13 acknowledge that we do, as the staff, have decisions 14 to make whether we would do any additional 15 communications with the Commission, you know, to 16 supplement the paper or other things.
17 So I don't want to close the door on the 18 idea that, you know, we're just waiting for the 19 Commission, because I think the Commission may also be 20 waiting for us, because we've said we're continuing 21 the dialogue on this topic.
22 So I don't quite know what the right 23 answer is. I will say I appreciate everyone.
24 Everyone came to the meeting today ready to discuss, 25 at good detail, what the concerns are in either NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
80 1 direction, particularly on Point 4. I think we really 2 focused on Point 4. We knew that was going to be the 3 focus of the discussion.
4 So I'm not sure what our next step is. We 5 definitely have to digest what we heard today and 6 caucus internally as to what the next step is.
7 Whatever that next step is, we commit to be 8 transparent about it, you know, regarding letting 9 stakeholders know what we're doing.
10 You know, obviously the Commission gets to 11 do what the Commission wants to do. But we want to 12 keep making sure we understand what the concerns from 13 stakeholders are here. Because, you know, we've done 14 a lot of internal dialogue and felt we were at the 15 right place from a safety standpoint.
16 But we want to continue to be open to 17 hearing stakeholder views to see if there's any things 18 that we can learn from that. So I will also just turn 19 it over to say if NEI wants to make any closing 20 remarks.
21 And I see Ken's hand is still up. So, 22 Ken, given that he provided significant input, I'd 23 also be open to hearing to see if he had any closing 24 remarks he wanted to make.
25 MR. JAIN: Ken or -- Ken is mute.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
81 1 MR. DARBALI: You're muted, Ken. Alan?
2 MR. CAMPBELL: Great. And thank you, I 3 appreciate the opportunity to provide some remarks 4 here at the end. Again, thank you guys again for 5 hosting this. I do believe that the discussion was 6 beneficial in helping to understand your perspectives 7 a little bit more. And then hopefully we were able to 8 communicate the industry perspectives as well.
9 I think that we're still, as Eric, I 10 believe, you acknowledged, I think we still have some 11 work to do on Point 4 regarding the language. You 12 know, some of what I heard there is some alignment in 13 the interpretation, but the language itself isn't 14 leading to that interpretation from our perspective.
15 And so we look forward to continue to be able to work 16 with you guys and engage with you on this in the 17 future.
18 MR. JAIN: Thank you, Alan. Ken, you have 19 a statement to make, closing remarks?
20 MR. SCAROLA: Yeah, thank you. We've been 21 focusing exclusively on Point 4 here. But I want to 22 raise the point that there is really a bigger issue 23 here. Industry and NRC need to recognize that the 24 cost of nuclear power is our enemy.
25 If nuclear power is going to remain NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
82 1 viable, there's a need for significant O&M cost 2 reduction. And the biggest part of that is operator 3 staffing. We need to reduce operator staff. And the 4 only way we're going to do that is with more complex, 5 non-safety and safety digital systems.
6 We need more automation, we need better 7 human system interfaces, and unfortunately that 8 complexity leads to a higher likelihood of a design 9 defect and therefore a higher likelihood of a CCF.
10 And I'm very concerned that our need for 11 increased complexity is going to outpace our ability 12 to prevent design defects or manage them through 13 risk-informed methods. It's just not going to happen.
14 We need the complexity. And that complexity is going 15 to be very, very difficult to overcome.
16 Therefore, diversity may be our only 17 viable solution. So I would really like to see the 18 staff and industry focusing on ways to achieve cost 19 effective diversity. You know, the diversity can be 20 very simple.
21 A diverse actuation system can be 22 non-safety, it doesn't have to have all the same 23 functions as the primary protection system. It has to 24 be adequate. It's not the enemy. Diverse protection 25 systems facilitate more complex primary systems that NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
83 1 are absolutely necessary to achieve cost effective 2 nuclear power.
3 So while we're focusing here on ways to 4 eliminate the need for diversity through risk-informed 5 methods, I think we're kidding ourselves. I really 6 do. I think we have to recognize that the complexity 7 of our primary systems has to grow if we're going to 8 be cost effective. And with that growth, we're not 9 going to be able to manage the potential for design 10 defects to risk-informed methods.
11 MR. JAIN: Thank you very much, Ken, 12 appreciate it. With that, I'd like to thank all the 13 participants for this meeting and providing the 14 feedback. With that, I would like the meeting 15 adjourned.
16 (Whereupon, the above-entitled matter went 17 off the record at 4:01 p.m.)
18 19 20 21 22 23 24 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
SECY-22-0076 Expansion of Current Policy on Potential Common-Cause Failures in Digital Instrumentation and Control Systems Public Meeting October 20, 2022
Presentation Outline
- Recent Activities and Current Status
- Purpose of Todays Meeting
- Staff Key Messages
- Summary of Proposed Expanded Policy
- Staff Position on ACRS Questions
- Point 4 Applicability and Clarifications
- Open Dialogue with Stakeholders 2
Recent Activities and Current Status
- The staff issued SECY-22-0076 on August 10, 2022, proposing an expansion to the digital instrumentation and control (DI&C) common cause failure (CCF) policy contained in the Staff Requirements Memorandum (SRM) to SECY-93-087
- The Nuclear Energy Institute (NEI) provided a letter to the NRC on August 26, 2022, providing comments on the staffs position contained in the SECY on diverse and independent main control room displays and manual controls
- The staff and NEI briefed the Advisory Committee on Reactor Safeguards (ACRS) DI&C Subcommittee on September 23, 2022, and the staff is scheduled to brief the full ACRS on November 1, 2022
- The SECY is currently under Commission review and the Commission will provide its direction to the staff through a Staff Requirements Memorandum 3
Purpose of Todays Meeting The staff will use todays meeting to:
- 1) Summarize the expanded policy contained in SECY-22-0076
- 2) Share the staffs position on questions received from the ACRS
- 3) Share the staffs position on diverse and independent main control room displays and manual controls, i.e., Point 4
- 4) Conduct an open dialogue with stakeholders to hear their perspectives 4
Staff Key Messages
- The proposed expanded policy in SECY-22-0076 encompasses the current four points of SRM-SECY-93-087 (with clarifications) and expands the use of risk-informed approaches in points 2 and 3.
- Points 1-3 and Point 4 of the policy address two facets needed to ensure safe operation of the plant:
- Points 1-3 ensure DI&C systems are sufficiently robust to adequately cope with CCF
- Point 4 ensures operators can manually control critical safety functions even in the event of a DI&C CCF
- Point 4 incorporates an implicit element of risk-informing as it focuses only on those critical safety functions needed to ensure the safety of the facility.
- The expanded policy is intended to be technology neutral and applies to any reactors (including non-light-water reactors) licensed under 10 CFR Parts 50 and 52.
- The staff acknowledges that the critical safety functions listed in SRM-SECY-93-087, SECY-22-0076 and Branch Technical Position (BTP) 7-19 (i.e., reactivity control, core heat removal, reactor coolant inventory, containment isolation, and containment integrity) may not be the appropriate set for all reactor designs
- The SECY provides for existing regulatory tools (exemptions and alternatives), if necessary, to accommodate for reactor designs with different critical safety functions
- If the staff encounters a reactor design where the policy would not be applicable, the staff will engage the Commission as appropriate.
5
Summary of Proposed Expanded Policy Proposed Expanded Policy to Address Digital I&C CCFs Risk-Informed Current Path Path Point 1 The Risk-Informed Path allows The Current Path allows for the SRM-SECY-93-087, Point 1 for the use of risk-informed use of best estimate analysis (Clarified) approaches and other design and diverse means to address a techniques or measures other potential DI&C CCF than diversity to address a Point 2 SRM-SECY-93-087, Point 2 Point 2 potential DI&C CCF Risk-Informed Approach (Clarified)
Point 3 Point 3 SRM-SECY-93-087, Point 3 Risk-Informed Approach (Clarified)
Point 4 SRM-SECY-93-087, Point 4 (Clarified) 6
Staff Positions on ACRS Questions ACRS Question 1: Would the revised policy be applicable to advanced reactors?
Answer: The proposed expanded policy would apply to requests all nuclear power plant types licensed under 10 CFR Part 50 and 10 CFR Part 52, including advanced reactors.
ACRS Question 2: Do aspects of the policy for which the staff did not request a change carry forward unaltered?
Answer: Yes ACRS Question 3: Might different reactor types warrant consideration of different critical safety functions?
Answer: While the expansion of the policy is intended to be technology neutral it relies on the staffs licensing experience to date and assumptions about the design of the facility, such as the presence of a main control room. The staff acknowledges that the critical safety functions listed in the SECY and BTP 7-19 (reactivity control, core heat removal, reactor coolant inventory, containment isolation, and containment integrity) may not be the appropriate set for all reactor designs. The staff has existing regulatory tools (exemptions and alternatives), if necessary, to accommodate designs with different critical safety functions and, if the staff encounters a reactor design where the policy would not be applicable, 7
the staff will engage the Commission as appropriate.
Applicability of Point 4 Point 4 only applies to:
- The critical safety Plant Critical Safety Plant Safety Functions Functions functions performed
- reactivity control by the digital I&C
- core heat removal The diverse manual system.
- reactor coolant inventory controls and displays for
- containment isolation
- containment integrity critical safety functions ensure the safety of the Point 4 does not apply to: facility.
- All safety functions Functions Performed by the Digital I&C System performed by the digital I&C system.
- Critical safety Scope of functions not performed by the Point 4 digital I&C system.
8
Staffs Position on Diverse and Independent Main Control Room Displays and Manual Controls
- In SECY-93-087, the staff recommended that safety-grade displays and controls located in the main control room and hardwired to the lowest level of the safety computer system architecture, be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions and that the displays and controls should be independent and diverse from the safety computer system identified in Points 1 and 3 of the policy.
- The staff recommended this because such controls and displays provide the plant operators with unambiguous information and control capabilities to enable the operators to expeditiously mitigate the effects of the postulated common-cause software failure of the digital safety I&C system. The control room would be the center of activities to safely cope with the event, which could also involve the initiation and implementation of the plant emergency plan. The design of the plant should not require operators to leave the control room for such an event.
9
Staffs Position on Diverse and Independent Main Control Room Displays and Manual Controls (contd.)
- While the Commissions Staff Requirements Memorandum to SECY-93-087 modified the policy to permit non-safety grade displays and controls and more flexible architectural implementation, the Commission supported the staffs recommendation on diverse displays and controls, and the staff continues to believe this position remains appropriate for critical safety functions to provide reasonable assurance of adequate protection.
- Point 4 incorporates an implicit element of risk-informing as it focuses only on those critical safety functions needed to ensure the safety of the facility.
- Requests for exemptions (under 10 CFR 50.12 or 52.7) or alternatives (under 10 CFR 50.55a(z)) provide avenues for applicants to request a deviation from the regulations based on risk information on a case-by-case basis.
- If the staff encounters a reactor design where the policy would not be applicable, the staff will engage the Commission as appropriate.
10
SECY-22-0076: Addressing DI&C CCFs &
Ensuring the Ability to Perform Manual Actions Points 1-3 and Point 4 address two facets needed to ensure the safe operation of the plant Protection against DI&C CCFs Allow operators to take manual actions to cope with the loss of a safety function when needed, after a DI&C CCF
- Point 1 - Perform a D3 Assessment
- Point 4 - Diverse displays and manual controls for
- Point 2 - Ways of performing the assessment critical safety functions
- Point 3 - Ways of addressing a postulated DI&C CCF
- If not addressed, a DI&C CCF can affect both the DI&C system and manual controls and displays
- The four points when taken together provide criteria for the assessment of diversity and defense in depth against CCF, and ensure DI&C CCFs do not:
- Defeat safety functions (Points 1-3)
- Impede operators ability to take manual actions when needed (Point 4) 11
Open Dialogue with Stakeholders Acronyms BTP Branch Technical Position NRC Nuclear Regulatory Commission CCF Common Cause Failure PRA Probabilistic Risk Assessment D3 Defense-in-Depth and Diversity RG Regulatory Guide DI&C Digital Instrumentation and Control RPS Reactor Protection System ESFAS Engineered Safety Features Actuation System SAR Safety Analysis Report GDC General Design Criteria SECY Commission Paper I&C Instrumentation and control SRM Staff Requirements Memorandum NEI Nuclear Energy Institute
Backup Slides SECY-22-0076: Point 1 The applicant shall assess the defense in depth and diversity of the facility incorporating the proposed digital I&C system to demonstrate that vulnerabilities to digital CCFs have been adequately identified and addressed.
The defense-in-depth and diversity assessment shall be commensurate with the risk significance of the proposed digital I&C system.
15
SECY-22-0076: Point 2 In performing the defense-in-depth and diversity assessment, the applicant shall analyze each postulated CCF. This assessment may use either best-estimate methods or a risk informed approach.
When using best-estimate methods, the applicant shall demonstrate adequate defense in depth and diversity within the facilitys design for each event evaluated in the accident analysis section of the safety analysis report.
When using a risk-informed approach, the applicant shall include an evaluation of the approach against the Commissions policy and guidance, including any applicable regulations, for risk-informed decision-making. The NRC staff will review applications that use risk-informed approaches for consistency with established NRC policy and guidance on risk-informed decision making (e.g., Regulatory Guide (RG) 1.174, An Approach for Using Probabilistic Risk Assessment in Risk Informed Decisions on Plant Specific Changes to the Licensing Basis).
16
SECY-22-0076: Point 3 The defense-in-depth and diversity assessment may demonstrate that a postulated CCF can be reasonably prevented or mitigated or is not risk significant. The applicant shall demonstrate the adequacy of any design techniques, prevention measures, or mitigation measures, other than diversity, that are credited in the assessment. The level of technical justification demonstrating the adequacy of these techniques or measures, other than diversity, to address potential CCFs shall be commensurate with the risk significance of each postulated CCF.
A diverse means that performs either the same function or a different function is acceptable to address a CCF, provided that the assessment includes a documented basis showing that the diverse means is unlikely to be subject to the same CCF. The diverse means may be performed by a system that is not safety-related if the system is of sufficient quality to reliably perform the necessary function under the associated event conditions. Either automatic or manual actuation within an acceptable timeframe is an acceptable means of diverse actuation.
If a postulated CCF is risk significant and the assessment does not demonstrate the adequacy of other design techniques, prevention measures, or mitigation measures, 17 then a diverse means shall be provided.
SECY-22-0076: Point 4 Main control room displays and controls that are independent and diverse from the proposed digital I&C system (i.e., unlikely to be subject to the same CCF) shall be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions. These main control room displays and controls may be used to address point 3, above.
18
- 4.17 Manual Initiation. The protection system shall include means for manual initiation of each protective action at the system level (for example, reactor trip, containment isolation, safety injection, core spray, etc). No single failure, as defined by the note following Section 4.2, within the manual, automatic, or common portions of the protection system shall prevent initiation of protective action by manual or automatic means. Manual initiation should depend upon the operation of a minimum of equipment. [emphasis added]
- 4.20 Information Read-Out. The protection system shall be designed to provide the operator with accurate, complete, and timely information pertinent to its own status and to generating station safety. The design shall minimize the development of conditions which would cause meters, annunciators, recorders, alarms, etc, to give anomalous indications confusing to the operator.
19
- 6.2 Manual Control
- 6.2.1 Means shall be provided in the control room to implement manual initiation at the division level of the automatically initiated protective actions. The means provided shall minimize the number of discrete operator manipulations and shall depend on the operation of a minimum of equipment consistent with the constraints of 5.6.1.
[emphasis added]
20
Gen IV Light Water Reactor Example SECY Point 4 Manual IEEE Reqd IEEE Reqd SECY Points 1-3 (D3 Analysis) SECY Point 4 Action Credited in D3 Protection System Function Automatic Function Manual Function Diverse Automatic Function Diverse Manual Function Analysis?
Reactor Trip RPS 1 switch/train DAS (Note 3) 1 switch Yes (Note 4)
Containment Isolation Phase A ESF 2 switches - 1 switch Yes Containment Isolation Phase B ESF Note 1 - - -
Containment Purge Isolation ESF Note 2 - - -
Containment Spray Actuation ESF 2 switches/train - - -
CVCS Isolation ESF 2 switches - - -
Emergency Core Cooling System (ECCS) ESF 1 switch/train DAS 1 switch -
Emergency Feedwater (EFW) Actuation ESF 1 switch/train DAS 1 switch -
Emergency Feedwater (EFW) Isolation ESF 2 switches/train - 1 switch/SG Yes Main Feedwater Isolation ESF 2 switches - - -
Main Steam Line Isolation ESF 2 switches - 1 switch/SG Yes MCR Isolation ESF 1 switch/train - - -
Main Steam Depressurization Valve - - - 1 switch/SG Yes Safety Depressurization Valve - - - 1 switch Yes Note 1: Initiated upon Manual Core Spray actuation Note 2: Initiated upon Manual Core Spray or Manual Containment Isolation Phase A actuation Note 3: Also includes Turbine Trip and Main Feedwater Isolation Note 4: Manual trip required for Steam Generator Tube Rupture. Other scenarios credit DAS automatic signal.
©2022 Nuclear Energy Institute 15