ML023220125

From kanterella
Jump to navigation Jump to search
Part 1 of 2, South Texas, Revised Request to Implement a Risk-Informed Inservice Testing Program for Pumps and Valves Beginning the Second 10-Year Interval (Relief Request RR-ENG-IST-2-01), Attachments 1 - 3
ML023220125
Person / Time
Site: South Texas  STP Nuclear Operating Company icon.png
Issue date: 11/12/2002
From: Jordan T
South Texas
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
G25, NOC-AE-02001339
Download: ML023220125 (132)
v  d  e


Text

ATTACHMENT 1 RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION REGARDING THE STP RISK-INFORMED INSERVICE TESTING PROGRAM

Attachment 1 NOC-AE-02001339 Page 1 of 18 SOUTH TEXAS PROJECT UNITS 1 &2 RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION REGARDING THE STP RISK-INFORMED INSERVICE TESTING PROGRAM

1. Section 1.0 of the Engineering Analysis mentions "enhanced common cause failure modeling" (page 1-3). What does this mean [other than as described on page 2-33]? Is it the proposed methodology of dividing the common cause importance value into the individual elements (page 2-11) as opposed to conservatively assuming that a common cause event in the cutsets should have its entire risk significance assigned to all components represented by the event (page 2-26)? How is the potential for inter-system common cause failure addressed by the licensee's categorization process and assessment of the overall change in risk associated with the proposed risk-informed inservice testing (RI-IST) Program?

Response to RAI 1:

Enhanced common cause refers to including common cause failure terms (using the Multiple Greek Letter method) for all active components and failure modes. The importance measures calculated for the components in the Inservice Testing program used the recognized approach for calculating the common cause that was previously approved for the Graded Quality Assurance (GQA) Program. As stated on page 2-11 of the RI-IST Program submittal, STP uses the more conservative method in the PRA measures used by the RI-IST Working Group.

Inter-system common cause is not included for active components in mechanical/fluid systems. These systems have different operating cycles and performance characteristics.

The components in these systems include pumps, motor-operated valves, check valves, etc. Common cause is included for AC breakers demanded to open following a loss-of offsite power event. This issue was previously addressed in the Safety Evaluation on Exemption Requests from Special Treatment Requirements of 10 CFR Parts 21, 50, and 100 (TAC Nos. MA6057 AND MA6058), dated August 3, 2001:

In its August 31, 2000, submittal, STPNOC states that common-cause failure in multiple train systems (intra-system effects) is explicitly modeled in the PRA system analyses for all active components within a system. However, STPNOC explicitly modeled potential common-mode failures in diverse systems in its PRA for only certain basic events.

STPNOC states that, for other types of equipment (such as motor-operated valves),

potential changes in the basic event failure data were not carried across diverse systems (intersystem effects) because STPNOC believes that the unique operating condition for diverse systems affects the failure rates for their applicable components.

The staff considers that the treatment processes could affect SSC reliability across multiple plant systems within the scope of the exemption. In Section 3.0 of this SE, the staff discusses the sensitivity study performed by STPNOC that increased the failure rates of modeled LSS SSCs and their common-cause relationship by a factor of 10. As noted in Section 3.0 of this SE, the staff considers STPNOC's assertion that the assumed increase in failure rate in the sensitivity study bounds the failure rate that might result from the reduction in treatment to be reasonable only if treatment processes for safety-related LSS and NRS SSCs described in the proposed FSAR Section are

Attachment 1 NOC-AE-02001339 Page 2 of 18 effectively implemented such that the functionality of these SSCs is maintained.

NUREG/CR-5485, "Guidelines on Modeling Common-Cause Failures in Probabilistic Risk Assessment," indicates that defense strategies for common-cause failures typically include design control; use of qualified equipment; testing and preventive maintenance programs; procedure review; personnel training; quality control; barriers; diversity (functional, staff, equipment); and staggered testing and maintenance. Effective implementation of the treatment processes for safety-related LSS and NRS SSCs is necessary to ensure that common cause failures are minimized.

The defense strategies described above are in place at STP so that common cause failures are minimized.

2. Section 2.3.2 of the Engineering Analysis states that "during the RI-IST Working Group meetings, members deterministically addressed the issue of common cause to ensure that the final component categorization adequately considers the effect of common cause failures."

"* How was this done and what specific effect did it have on the categorization of components?

"* How was this different than the Expert Panel's shift in the ranking of 25 check valves based on inclusion of common-cause failure basic events in the risk-assessment worth (RAW) risk metric (page 2-18)?

Response to RAI 2:

The working group evaluated the valves independent of the quantitative Probabilistic Risk Assessment (PRA). The working group considered several factors including the effect of the 12-week work process and new check valve failure data. The staggered testing and maintenance work process at STP results in maintenance and return-to-service of only one train at a time during normal operations. The working group decided that increasing the risk ranking due to common cause is not necessary because risk ranking associated with common cause in the PRA is conservative.

Actual failure rate data for check valves in clean systems show that the values previously used for check valve failure rates are no longer accurate. The failure rate for these check valves is in fact much lower than previously assumed. The working group evaluation of the risk importance of the IST safety function of the component was then compared to the PRA and GQA risk ranking. This method either validated the PRA assessment or raised questions on the basis for the PRA ranking. The working group evaluation of these check valves resulted in a ranking for some IST valve groups that was lower than the PRA ranking for the IST-tested safety functions. As a conservative measure, the Expert Panel recommended that the working group not use the new check valve failure rate information until the data is incorporated into the PRA model. The RI-IST working group agreed with the Expert Panel recommendation to take the more conservative ranking between the PRA quantitative assessment and the deterministic qualitative evaluation. The effect was to move the IST final rank to IST Medium or IST High to match current PRA results. When the PRA model is updated with the new failure rate, this datum is included in the PRA input for the RI-IST Program periodic reassessment by the working group.

Attachment 1 NOC-AE-02001339 Page 3 of 18

3. Section 2.0 states that component corrective maintenance evaluations were used to establish a baseline for future monitorinq that is needed to compensate for some of the components whose testing requirements are reduced (page 2-1).

"* Please elaborate on what this means (e.g., were they used to establish unavailability thresholds).

"* What specifically will be monitored and how often?

Response to RAI 3:

Maintenance history over the period of years prior to the test interval extensions is used as a baseline for comparison to the maintenance history following RI-IST implementation.

Changes in failure rate or type of failure are considered during Condition Report evaluations and periodic reassessments. CR evaluation process is described in paragraph 3.4 of the submittal and the periodic reassessment of the program is described in paragraph 3.5.

These commitments are also captured in the Program Description Summary shown in attachment 3, Sections 7 and 8, respectively.

In addition to the periodic evaluations of component performance described in the RI-IST program description, the UFSAR has been updated as a result of the Special Treatments Exemption to require evaluations of component performance. This requirement is stated in UFSAR Section 13.7.4, "Continuing Evaluations and Assessments". Specifically, paragraph 13.7.4.2 states in part:

... At least once per cycle, performance data is compiled for review, which is performed for each system that has been categorized in accordance with Section 13.7.2.

Performance and reliability data are generally obtained from sources such as the Maintenance Rule Program and Operating Experience Review.

The corrective action program ensures that the necessary actions are taken to maintain acceptable performance levels.

4. Section 2.1.2 of the Engineering Analysis states that "[f]or the high risk significant components that are not within the scope of the current IST program, it is not practicable to perform Code testing." Section 2.3.2.2 states that while a handful of pumps and valves (e.g., main steam dump valves, start-up feedwater pumps) are considered important to the operation of South Texas Project, none of these components have been designated by the RI-IST Working Group as RI-IST High. Section 2.3.2.2 also states that certain fans (33),

chillers (6), and dampers (22) are highly risk significant and that while Code testing is not practicable, the components are tested frequently and adequately (page 2-25).

At San Onofre Generating Station (SONGS), Southern California Edison Company (SCE) stated that they would add additional monitoring and trending to ensure continued availability and operability of the high safety significance (HSS) chillers. In addition, SCE stated that the chillers would be diagnostically tested on a periodic basis. While the specific chiller parameters to be monitored were not identified by the licensee, the staff found that the licensee's plans were acceptable because they would provide reasonable assurance of the operational readiness of the chillers and would ensure timely identification of degradation in chiller performance (i.e., degradation associated with failure modes identified as important in the licensee's probabilistic risk assessment [PRA]).

Attachment 1 NOC-AE-02001339 Page 4 of 18 While STP's RI-IST Program Description Summary contains an identical section to that in the SONGS RI-IST Program Description with regard to high-risk PRA components not in the IST Program, the description of the treatment STP will provide to these components doesn't meet the acceptance criteria used by the staff to evaluate similar components at SONGS.

STP's RI-IST Program Description should include a description of the activities that will: (1) provide reasonable assurance of the operational readiness of the non-Code HSS components, and (2) ensure timely identification of degradation in their performance (i.e.,

degradation associated with failure modes identified as important in the licensee's PRA).

Response to RAI 4:

STP classifies the component functions using evaluation methods provided in the Graded Quality Assurance Working Group Process and/or Plant Generation Risk Process administration guideline. The GQA process assigns a risk ranking relative to nuclear safety and the Plant Generation Risk (PGR) process assigns a classification focusing on the risk relative to power production and economic impact. According to the Equipment Reliability Process at STP, when either of these two ranks is determined to be High or Medium for a system function supported by the component, performance criteria and monitoring parameters are established for the critical attributes identified for the component.

The Equipment Reliability Process also includes requirements for the required corrective actions and implementation of preventive maintenance activities to support the critical attributes of the component supporting high risk and medium risk system functions. The Equipment Reliability Process directs the focus of plant resources available for preventive maintenance and component trending to ensure the operational readiness of components that support either GQA or PGR high and medium risk system functions.

Additionally, the Maintenance Rule, 10 CFR 50.65(b), requires monitoring of maintenance activity effectiveness for safety significant plant equipment, and that timely and appropriate corrective action, where necessary, be taken to ensure the continuing effectiveness of maintenance for the life of the plant. STP applies the requirements of the Maintenance Rule to High and Medium risk components as categorized by the GQA and PGR classification process mentioned above. Low and non-risk significant components are monitored at the plant/system/train level, as appropriate, by tracking Maintenance Rule Functional Failures (MRFF) in which failure results in the loss of a High or Medium function.

When performance criteria for the scoped components/functions are not satisfied, STP performs evaluations to determine the cause and corrective action, as appropriate.

The Main Steam Dump Valves are classified by the GQA process as Low Risk for contributions to plant safety risk. However, the Plant Generation Risk for these valves is Medium; therefore, the processes described above will ensure that maintenance and monitoring activities for these valves are identified. Cause determination and corrective actions are performed whenever failures occur.

The Start-Up Steam Generator Feed Pump is classified by the GQA process as Non-Risk Significant for contributions to plant safety risk. However, the Plant Generation Risk for this pump is Medium; therefore, the processes described above ensure that maintenance and monitoring activities are identified for this pump. Cause determination and corrective actions are performed whenever failures occur in accordance with the Equipment Reliability and Condition Reporting processes.

Attachment 1 NOC-AE-02001339 Page 5 of 18 The two component groups described above are not identified as High Risk Significant and therefore, IST controls will not be implemented for these components.

Chillers, Fans and Dampers Chillers Plant design change has removed three 150-ton chillers from service. Essential Chiller Performance Test is performed every 18 months on each of the three 300-ton chillers as an activity in the Preventive Maintenance Program. This testing provides data for performance trending. Comprehensive maintenance is scheduled, performed and controlled by the Preventive Maintenance Program. The maintenance activities are controlled and documented with plant maintenance procedures. Maintenance is performed at frequencies optimized by operating experience to preclude equipment failures.

STP's Maintenance Rule Program effectively trends functional failures and unavailability times. The maintenance rule process is adequate to assure the continued reliability of these components. The testing and maintenance performed on the essential chillers ensures that the components are capable of performing their intended design function under design basis conditions. The processes described above ensure that maintenance and monitoring activities are identified for these components. Cause determination and corrective actions are performed whenever failures occur. No other program controls are required.

The above described performance testing, trending, comprehensive maintenance activities, and Maintenance Rule program controls are adequate to provide assurance of the operational readiness and to ensure timely identification of performance degradation.

Information from these activities will be collected and periodically assessed by the IST Program coordinator. Trending of this information will be used to determine if special testing requirements should be implemented. During periodic reassessments, the RI-IST working group will verify that these activities remain effective or take action to implement additional RI-IST program requirements, as needed. This requirement has been added to the Program Description Summary in attachment 3, section 8.

Fans and Dampers Area fans start automatically when a high temperature setpoint is reached or during pump starts. During normal operation, area high temperature alarms provide indication of the failure of the fans or dampers. The Condition Reporting process is used to capture failures, and maintenance rule functional failure evaluations are performed when a high-risk function is lost. Fan operation is verified by Operations as directed by normal operating procedures every time a pump is started. Fan operation is verified during Technical Specification required actuation tests and pump inservice tests as follows:

" AFW Pump Cubicle Fans (4) are verified to start during operability tests performed on Auxiliary Feedwater Pumps, Slave relay tests, and inservice tests.

" EAB Main Area Return Fans (3) are verified to start during ESF Load Sequencer tests.

"* EAB Main Area Supply Fans (3) verified to start during ESF Load Sequencer tests.

Attachment 1 NOC-AE-02001339 Page 6 of 18

"* LHSI/HHSI/CSS pump cubicle cooler fans (6 total, 2 per cubicle) are verified to start when HHSI/LHSI/CSS pumps are started during inservice tests.

"* Diesel Generator Emergency Supply Fans (3) are verified to start during diesel operability tests.

"* Component Cooling Water Pump Supply AHU Supply Fans (9) are verified to start during ESF Actuation Tests and during CCW pump inservice tests.

"* ECW Intake Building Vent Fans (6) are verified to start during ECW pump inservice tests.

"* EAB Main Area Ventilation Dampers are verified to be in the correct positions during system operation as directed by normal operating procedures.

Vibration monitoring and trending are performed for these fans. Maintenance is scheduled, performed and controlled by the Preventive Maintenance Program. Maintenance intervals are consistent with EPRI maintenance recommendations and any failure history for these components.

STP's Maintenance Rule Program effectively trends functional failures and unavailability times. The maintenance rule process is adequate to assure the continued reliability of these components. The testing and maintenance performed on the fans ensure that the fans are capable of performing their intended design function under design basis conditions.

The processes described above ensure that maintenance and monitoring activities are identified for these components. Cause determination and corrective actions are performed whenever failures occur in accordance with the Equipment Reliability and Condition Reporting processes. No other program controls are required.

The above described performance testing, trending, comprehensive maintenance activities, and Maintenance Rule program controls are adequate to provide assurance of the operational readiness and to ensure timely identification of performance degradation.

Information from these activities will be collected and periodically assessed by the IST Program coordinator. Trending of this information will be used to determine if special testing requirements should be implemented. During periodic reassessments, the RI-IST working group will verify that these activities remain effective or take action to implement additional RI-IST program requirements. This requirement has been added to the Program Description Summary in attachment 3, section 8.

5. In discussing the qualitative method used to categorize unmodeled components (page 2-7),

the Engineering Analysis states: "The qualitative method is consistent with the principle of defense-in-depth because it preserves the distinction between those components that have high relative redundancy and those that have only high relative reliability." What does this mean and how is it accomplished?

Response to RAI 5:

The qualitative assessment performed by the working group identified the safety functions tested by the Inservice Testing Program. The working group identified the importance of the component based on the safety functions performed by the component. If the component is ranked Medium, the test interval is eligible for extension; however, due to the component's relative importance, a compensatory measure is required to assure that the

Attachment 1 NOC-AE-02001339 Page 7 of 18 component remains reliable. If the component history identifies marginal reliability, the test interval is not eligible for extension. Even though the component may have greater than average redundancy, the component reliability is still maintained by the compensatory measure. The amount of redundancy doesn't matter if the component is not proven reliable. Defense in depth is maintained by requiring that components have both adequate functional redundancy and assurance of reliable performance to be eligible for test interval extension.

6. Section 2.3.1.2 of the Engineering Analysis states that the level of detail of the PRA supports a completely quantitative analysis of the impact of proposed test interval extensions on plant risk.

"* For LSS and medium safety significance (MSS) components, did STP use the RI-IST frequency specified in the table attached to the Engineering Analysis to calculate the overall change in core damage frequency (CDF) and large early release frequency (LERF)?

"* Section 2.3.2.4 of the Engineering Analysis (page 2-28) states that "Upon issuance of regulatory acceptance of this relief request, STP plans to implement the RI-IST program evaluated in this document and outlined in Attachments 2 and 3. When the NRC issues its final acceptance of the exemption request, STP will, at that time, implement the program as outlined in the exemption request. However, the remaining components will receive the programmatic treatment described in Attachment 3." This will presumably remove the RI-IST low components from the scope of the licensee's RI-IST program.

What is the change in CDF and LERF associated with the revised test strategy for the RI-IST low components?

"* If STP relies on the sensitivity study performed in support of the exemption request (that increased the unavailability of these components simultaneously by a factor of 10), how does STP know that this sensitivity study bounds the potential increase in CDF and LERF?

Response to RAI 6:

Frequencies in the table were used except where other technical specification testing exercises the component on a more frequent basis. Many of the IST components (including those ranked IST Low) are exercised/operated frequently as a result of Technical Specification testing. Slave relay testing, actuation logic testing, and response time testing are examples of how the component's operational readiness is verified.

Appropriate testing strategy for components exempted from IST requirements is determined based on GQA risk rank of LSS or NRS. Determination of the method of reasonable assurance is documented using the condition reporting process and referenced in the IST Program Bases Document. The NRC has already concluded that the potential aggregate risk impact is only slightly impacted by significant changes in the SSC failure rates that could potentially occur with relaxation of the special treatment requirements. However, significant increases in the failure rates are very unlikely since the identified testing strategy provides reasonable assurance that the exempted components will continue to perform their intended safety function during design basis conditions for the life of the plant. This is validated during each periodic reassessment as described in the Program Description, Section B.

Attachment 1 NOC-AE-02001339 Page 8 of 18 As described in RAI 21 for the Special Treatments Exemption, a ten-fold increase in the failure rates of low risk components results in a change of 2.45E-7 in the Core Damage Frequency, which meets the requirement of Regulatory Guide 1.174 for risk-based applications (less than 1 E-6).

7. Section 2.3.2 of the Engineering Analysis contains a PRA Ranking category of "Medium (Further Evaluation is Required)" (page 2-15).

"* What is the purpose of this category and what components fell into this category?

"* Why isn't one of the RI-IST medium ranking threshold FV<0.005 and RAW between 2 and 100 [as opposed to between 2 and 10]?

"* STP's RAW thresholds are significantly higher than were used in Comanche Peak's and SONGS' RI-IST Programs. Does having a RAW threshold greater than 10 invalidate the adequacy of their (factor of 10 increase in unavailability) sensitivity study?

"* Which IST components had RAW risk metric scores greater than 10 and what was the final ranking for these components?

Response to RAI 7:

Medium (Further Evaluation Required) is used in the Graded Quality Assurance risk ranking process for those components with a FV less than 0.005 and RAW between 10 and 100.

These PRA ranking categories were used for the PRA ranking in RI-IST to maintain internal consistency for risk-based processes at STP. These categories were discussed in detail with the NRC during the GQA ranking process and were determined to be appropriate.

For the purposes of RI-IST, these components were treated as having a Medium IST rank.

Compensatory measures, where practicable, were assigned prior to allowing frequency extensions for these components.

There is no impact on the Comanche Peak and San Onofre RI-IST programs. The South Texas Project sensitivity study is applicable only to low and no-risk pumps and valves. It does not apply to Medium ranked pumps and valves.

IST Valve Groups ranked IST Medium in this PRA categorization are Residual Heat Removal System valves RH04 and RH08, and Safety Injection valves S107, SI13, SI14, and S121. The Low Head Safety Injection Pumps are also in the Medium rank. See Attachment 4 for details.

8. Section 2.3.2 of the Engineering Analysis states that "As a result of the Expert Panel review, the risk ranking for several components was revised to ensure consistency with risk-ranking developed to support the GQA Program." Which components had their ranking adjusted by the Expert Panel, how were they adjusted, and on what specific basis. Please provide a copy of the RI-IST Working Group decision narrative bases for these components.

Response to RAI 8:

The IST rank for 20 groups was revised to the higher, more conservative risk ranking level, including nine groups whose rank was changed for the check valve, common cause issue.

Most of the remaining changes were made so that the IST rank was in agreement with the PRA rank for IST active functions.

Attachment 1 NOC-AE-02001339 Page 9 of 18 The narrative bases for each group are attached (Attachment 5). Also included are the narratives for groups where the IST Rank was different from the GQA risk rank. The narratives include justification for the differences between the GQA and IST ranks. Analysis section 2.3.1 on pages 2-17 through 2-20 also provides some of the reasoning for the inherent differences in component ranking.

9. Section 2.3.2.3 of the Engineering Analysis states that "Components with operational concerns were considered more risk significant by the RI-IST Working Group." Other than the main steam power-operated relief valves (page 2-44), were any other valves elevated by the RI-IST Working Group? Why weren't the main steam dump valves (which have a plan of action to improve their reliability) elevated and included in the RI-IST program (page 2 25)? Please provide a copy of the RI-IST Working Group decision narrative bases for the main steam dump valves.

Response to RAI 9:

The following IST valve groups have adverse maintenance histories that the working group determined warranted maintaining the Code periodicity:

IST Group HC03 - Normal Purge Supply and Exhaust MOVs MS02 - Main Steam Safety Valves MS03 - Main Steam Power Operated Relief Valves RC03 - Reactor Coolant System Safety Relief Valves S116 - SI Accumulator Nitrogen Vent Valves (Maintenance Rule (a)(1))

The GQA rank for the main steam dump valves is Low. These valves do not meet the scoping criteria for risk-informed inservice testing requirements. The processes described above in the response to RAI 4 ensure that maintenance and monitoring activities are identified for these components.

The narrative basis for the main steam dump valve group is attached (Attachment 5).

10. Section 2.3.2.3 of the Engineering Analysis states that "The sensitivity studies performed in support of STP's GQA Program considered most [emphasis added] of the issues addressed by both the ASME Code Case and the NRC-approved RI-IST projects (i.e., TXU's Comanche Peak and SCE's San Onofre Nuclear Generating Station)." Please list which issues or sensitivity studies were not addressed or performed and state why.

Response to RAI 10:

With the exception of defense-in-depth, which is identified as a sensitivity evaluation in RG 1.175, all other sensitivity analyses are performed in order to determine risk significance in accordance with STP's GQA program. Defense-in-depth is addressed during the qualitative risk ranking process in the questions that are asked of each component.

11. Section 2.2.1 (page 2-4) and Section 2.3.3.1 (page 2-33) of the Engineering Analysis states that the STP PRA takes into account the fact that the essential cooling water and

Attachment 1 NOC-AE-02001339 Page 10 of 18 component cooling water systems are rotated weekly for maintenance activities and therefore, no changes in test frequency or method modeled by the PRA are proposed for these systems. [The test frequency for the CCW pumps is extended from quarterly to once every 54 months as part of the RI-IST Program.] This seems inconsistent with STP's decision not to include compensatory measures that are not regulatory driven (e.g., by technical specifications) (pages 2-30 and 2-34) when assessing the potential change in risk associated with RI-IST program changes. Please clarify this apparent inconsistency.

Response to RAI 11:

The CCW pumps are verified to start every 18 months during the ESF Actuation Test.

In the RI-IST submittal, only surveillance testing is proposed for compensatory measures so that periodicity changes are identified through a proceduralized change process. In retrospect, using only regulation-driven compensatory measures is unnecessarily restrictive.

The twelve-week work schedule is used at STP to control maintenance activities, assuring that the required safety trains are protected, with no more than one train being out of service at the same time. Additionally, staggered testing of some safety equipment requires rotation of the inservice trains to allow for testing. The need to satisfy Technical Specification testing on each train assures the start up of each train periodically even without a specific requirement or interval for train rotation. Train rotation occurs weekly at STP to meet the twelve-week work schedule so that each safety train (including a required CCW pump) is started at least once each quarter. This activity adequately compensates for relaxation of the surveillance test interval in that it will identify failure of the pump to start on demand, which is the component function modeled in the PRA.

12. Section 2.3.3.1 of the Engineering Analysis (page 2-35) discusses the direct safety benefits of the proposed RI-IST program at STP. Specifically, it states that "Possibly the most important effect of the proposed RI-IST program will likely be the reliability improvements for RI-IST High components in the IST program, as it is expected that increased attention and reduced manipulation of these components [emphasis added] will improve reliability and decrease unavailability due to human errors." How is it that there will be less manipulation of the RI-IST high components?

Response to RAI 12:

The testing requirements for high-risk components will not be reduced. However, as plant resources become focused on the components most important to plant safety, it is likely that the reliability of these components will improve. Improved reliability results in fewer failures, thus reducing the need to remove these components from service and reducing the potential for maintenance-induced failures. Reduced manipulation for corrective maintenance is considered a direct benefit of the RI-IST program.

13. Section 2.4.1 of the licensee's RI-IST Engineering Analysis discusses STP's component corrective maintenance evaluation. This evaluation included RI-IST Working Group review of Operating Experience Group (OEG) reports and an independent component maintenance history review. "Conclusions about component performance were based on the tested IST function(s) for a given component. That is, if an event involved a failure of a

Attachment 1 NOC-AE-02001339 Page 11 of 18 valve to open, but IST tests the reliability of the valve to close (i.e., not to open), then the event was not considered to be an IST failure." How would the results of STP's performance review changed if all failures were evaluated (i.e., as opposed to just those that resulted in the loss of a safety function tested by the IST program)?

Response to RAI 13:

The table below provides the failures identified in the maintenance history review that are not failures of the IST-tested safety function. Inclusion of these non-IST failures does not change the reliability determination by the working group.

JGROUP '1TAGTPNS<- *CAUSE~

CC24 B1CCFV0862 Air regulator broken, valve failed closed per design, IST function is to Close CSPP 2N1O1NPA101A Red running light does not illuminate in Control Room.

Open resistor, replaced resistor.

CV13 A1CVFCV0205 Valve leaks by seat. IST function is to Open. Valve plug eroded where holes in trim are located EWPP 3R281NPA101C Computer point for motor lower bearing temp shows bad data. ICS termination made incorrectly. Relanded correctly-.

FP02 C1FPMOV0756 Close torque switch was found open due to a loose screw located in the switch.

MS02 N1MSPSV7410 Exhaust shroud drain line clogged. Unclogged drain.

MS02 N1MSPSV7410A Exhaust shroud drain line clogged. Unclogged drain.

PS01 B1PSFV4450 Valve would not open. Safety function is in the closed direction. Valve fails close per design. Defective solenoid coil connections.

RC06 B1RCHV3658B Computer point indicates not closed when control room lights indicate closed. Cause - wiring discrepancy and blown capacitor.

S102 A1SIFV3983 Valve would not open. Safety function is in the closed direction. Valve fails close per design. Defective solenoid coil connections.

14. Section 2.4.1 of the Engineering Analysis states that "the RI-IST Working Group determined that components classified as Maintenance Rule category (a)(1) should not be eligible for test interval extension until they are no longer in (a)(1).... In general, should a Maintenance Rule evaluation place a component with an extended IST in category (a)(1), the RI-IST program will test that component at the Code-prescribed frequency until such time that the component's performance history merits removal from (a)(1) status." This commitment should be included in the licensee's RI-IST Program Description Summary.

Attachment 1 NOC-AE-02001339 Page 12 of 18 Response to RAI 14:

The following commitment will be added to the RI-IST Program Description Summary:

If multiple failures of an IST component for a safety function tested by the IST program result in a system becoming (a)(1), then the test frequency for the component will be per ASME code requirements until such time that the component's performance history merits removal from (a)(1) status.

15. a) Valve group CV29 should list both RCP seal water containment isolation MOVs (page15 of 32).

b) The main steam safeties (MS02) should be included on the list of IST valve groups (page 21 of 32).

c) Should there be an IST test description for valve group CV31, CVCS alternate immediate boration manual isolation valve (page 9 of 21)?

Response to RAI 15:

a) Valve 2R171XCV0077 has been added to the Valve list for group CV29.

b) Main Steam Safety Valves have been added to the report as IST Valve Group MS02.

c) Valve CV0221 does not meet the scoping requirements for inservice testing. This valve is not a part of the emergency boration flow paths required to be operable per the Technical Requirements Manual. These flow paths are not used to meet the accident analysis assumptions for boration capability and are therefore excluded from the IST program. Additionally, this valve does not perform a specific function in shutting down a reactor to the safe shutdown condition, in maintaining the safe shutdown condition, or in mitigating the consequences of an accident. Per NUREG-1482, Section 4.4.6 Manual Valves, "If the valve is included in actions of emergency procedures, but is not credited in the safety analysis, it does not fall within the scope of the IST program." The GQA risk ranking for this valve is Low.

16. For valve group S125, Safety Injection Pump Suction Check Valves, why was the disassembly and inspection test/function ranked high and yet the frequency has been extended from once each refueling outage to once every 54 months?

Response to RAI 16:

The testing frequency information shown in the submittal is not displayed correctly. The close exercise of these check valves is now performed once per quarter. The report has been revised to show the Open exercise performed every refueling and Close exercise test performed quarterly. STP has also removed the check valve close exercise test from the scope of the refueling outage justification.

STP provides this clarification of the testing requirements for valve group S125, Safety Injection Pump Suction Check Valves. As described in the refueling outage justification, the

Attachment 1 NOC-AE-02001339 Page 13 of 18 Open exercise of these check valves is performed during full flow testing which occurs during refueling outages. Previously, the Close exercise test was performed using a sample disassembly and inspection program. One check valve was opened and inspected each refueling outage so that all three valves in the group was inspected once every 54 months. However, using improved diagnostic equipment and continuing acoustic data for several minutes following pump coast-down, STP is now confident that closure of these check valves can be verified using non-intrusive methods on a quarterly test interval.

Disassembly of these valves will be performed only as a contingency, as needed, or as directed by the Check Valve Program.

17. In a safety evaluation dated July 23, 1999, the NRC approved a risk-informed relief request for STP to extend the Code-required leakage rate test for selected CCW and SI system containment isolation check valves (i.e., based on a bounding calculation using STP's ISLOCA analysis).

"* How has the change in LERF associated with this earlier RI-IST program change been considered in assessing the acceptability of the proposed RI-IST program?

" For the purpose of calculating the overall potential change in risk associated with the RI IST program changes, why was 30 months used as the current IST frequency for the leakage rate test (e.g., instead of once each refueling outage)?

" Do any other RI-IST program changes affect STP's interfacing systems loss-of-coolant accident analysis?

Response to RAI 17:

The relief request approved by the NRC allows performance of the check valve close exercise test on the same interval as the Appendix J leakage rate test. As a result of the approved relief request, the current frequency for the CCW and SI check valve closure exercise should be shown as "App J". The testing requirements for these check valves are the same in the proposed program as the requirements were before the change. Therefore, there is no difference in the LERF.

The frequency of once per 30 months is the base frequency for Appendix J, Option B leakage rate testing. In order to avoid confusion and improve accuracy (since the interval can be extended to 60 months as a result of good performance), "App J" would be a better designation for both the current and the proposed frequencies for the leakage test and the close exercise. The close exercise test for IST group CC28 should also reference valve relief request VRR-03, which is included at the end of the submittal.

The containment isolation valves in question are assumed to be open in a bounding analysis that used the interfacing systems LOCA model to evaluate changes in LERF with the valves open. The interfacing systems LOCA is initiated by failure of multiple valve discs under normal reactor coolant system pressures. The failure rates assumed in the interfacing systems LOCA analysis for the interfacing systems valves in the safety injection and residual heat removal systems are not affected by RI-IST program changes. The component cooling water containment check valve is also not affected by RI-IST program changes.

Attachment 1 NOC-AE-02001339 Page 14 of 18

18. Why isn't a valve relief request for valve group CC28 included as part of Attachment 3?

These valves were included in relief request RR-56 for Unit 1 and in relief request RR-52 for Unit 2 and approved by the NRC in a safety evaluation dated July 23, 1999 (as indicated above). The other 9 valves in those relief requests were addressed in Attachment 3. The staff acknowledges that failure of the valves in group CC28 would not contribute to a LERF (whereas failure of the other 9 valves could).

Response to RAI 18:

All four of the valve groups are included in Valve Relief Request VRR-03. However, Valve Group CC28 was omitted in error and the database report used to create the table in Attachment 4 has been revised to include Valve Group CC28.

19. If a potentially generic problem is identified during a test, will all components in the group in that unit be inspected or tested (reference NRC Generic Letter 89-04, Position 2 for check valves and Supplement 6 to Generic Letter 89-10, "Safety-Related Motor-Operated Valve Testing and Surveillance," for motor-operated valves [MOVs])? While Section 7, Corrective Action, of the licensee's RI-IST Program Description Summary will determine whether failures (including IST program failures) are generic and initiate corrective actions for all components in the affected group when the failure has generic implications, it does not specifically require the testing or evaluation of the other components in the group. Such testing or evaluation is particularly important for components in a group whose testing is staggered over an extended interval. Therefore, Section 5.0, Program Implementation of the licensee's RI-IST Program Description Summary should state:

If a component in a group fails or reveals adverse performance during testing or operations, STPNOC will evaluate the applicability of that information to each component in the group.

Response to RAI 19:

The following statement will be added to the implementation section of the RI-IST Program Description and will be incorporated into implementing procedures:

If a component failure is determined to have generic implications, a plan of action for inspection/testing of the remaining components in the group will be developed utilizing the Condition Reporting Process and the guidance provided in Generic Letter 91-18.

This plan of action will take into account the potential failure modes and their associated plant impacts and will be implemented in a timeframe commensurate with their safety significance.

20. In discussing the effects of shutdown configurations on component categorization (RI-IST Engineering Analysis, page 2-19) the licensee stated that main steam power-operated relief valves (PORVs, RI-IST group MS03) performed a dominant role in achieving safe shutdown. Therefore, the Working Group indicated this in its narrative basis, and in so doing, they elevated the importance of the PORVs. In the following paragraph, the licensee states that no component groups shifted categories from RI-IST Low or RI-IST Medium to RI-IST High based solely on the impact of component failure on achieving or maintaining safe shutdown. The licensee should clarify this apparent inconsistency.

Attachment 1 NOC-AE-02001339 Page 15 of 18 Response to RAI 20:

The evaluation of this valve group is an example of how achieving safe shutdown was considered by the RI-IST working group. If the RI-IST working group considered safe shutdown as the only criterion for importance determination, then the Main Steam PORVs would have been shifted to a higher category solely on that basis. However, the Main Steam PORVs are safety significant for several reasons. The RI-IST working group noted that the valves are credited in multiple Emergency Operating Procedures, which is one of the five questions used for importance determination. The valves are also considered important because failure could result in a plant transient. And finally, the maintenance history of the Main Steam PORVs was highlighted as reason for maintaining the Code testing requirements as described in the RI-IST submittal page 2-44. The combination of all these considerations resulted in the final IST Rank of IST High.

21. Section 3.0, Testing Philosophy of the licensee's RI-IST Program Description Summary for HSS and MSS structures, systems and components (SSCs) should:

a) Commit to using either the ASME Code Case OMN-1 for MOVs subject to the conditions listed in 10 CFR 50.55a(3)(iii) or to the MOV program that was reviewed and approved by the staff in response to Generic Letters 89-10 and 96-05, "Periodic Verification of Design-Basis Capability of Safety-Related Power-Operated Valves."

b) Commit to using either condition monitoring for check valves (i.e., Appendix II of the OM Code, 1995 Edition with the 1996 Addenda subject to the limitations listed in 10 CFR 50.55a(3)(iv)) or to an alternative that will provide the staff with reasonable confidence that adequate component capability (margin) will exist, above that required during design-basis conditions, such that component operating characteristics over time do not result in reaching a point of insufficient margin before the next scheduled test activity

[reference, Section 3.1 of Regulatory Guide 1.175, "An Approach for Plant-Specific Risk-Informed Decisionmaking Inservice Testing"].

c) Commit to testing at least one pump in each RI-IST medium pump group each refueling outage (as opposed to testing one pump every other refueling outage for a 3-pump group).

Response to RAI 21:

a) The RI-IST testing strategy for MOVs is described in Attachment 2, paragraph 3.1.1.1, which includes diagnostic testing in accordance with the STP MOV Periodic Verification Program which was developed in accordance with Generic Letters 89-10 and 96-05, and approved by the NRC. STP diagnostic testing of MOVs is performed in accordance with the approved MOV Periodic Verification Program, with the exception that MOV stroke time testing required by the ASME Code IST program will be continued only for valves ranked IST High.

Where MOV and IST program scopes are different, stroke time testing will continue for those MOVs not in the MOV program scope. The IST valve groups not included in the MOV Program are RA01 and S124. IST Group RA01 consists of 1" ball valves with motor operators. MOV diagnostic testing would not validate any MOV parameters for

Attachment 1 NOC-AE-02001339 Page 16 of 18 valves in this group. The RA01 valves are in an air handling application and cannot be dynamically tested. IST group S124, Safety Injection Accumulator Discharge Isolation valves, are open during modes 1-4 with their power supply locked out. These valves are closed when entering mode 5 with their power supply again locked out. The IST valve group S124 will be re-evaluated to determine if these valves meet IST scoping requirements.

b) When STP agreed to submit a RI-IST program, 10CFR 50.55a endorsed the 1989 ASME Code. The need for continuing the requirement for the ten-year update to a newer code edition was being debated within the NRC. STP requested and was granted approval to use the 1989 ASME Code, which references the 1987 Edition and 1988 addenda to the OM Code for inservice testing of pumps and valves, as a baseline for the RI-IST program. The use of a specific Code Edition was requested so that programmatic requirements could be identified and implemented during the RI-IST process. Therefore, the second ten-year interval code of record is the 1989 Section XI Code for inservice testing of check valves. The RI-IST program was under development before endorsement of the 1995-96 OM Code requirements by the NRC. Condition monitoring for check valves is not a requirement of the OMa-1988 Code. Condition monitoring for specific check valve groups may be developed as determined by STP for specific plant reliability issues. The performance of inservice testing in accordance with the requirements of the ASME Code of record at STP provides reasonable confidence that adequate component capability (margin) will exist, such that operating characteristics over time do not result in reaching a point of insufficient margin before the next scheduled test activity.

However, for check valve groups that are ranked IST High, the requirements of Appendix II of the 1995 Edition of the OM Code with the 1996 Addenda, as accepted with conditions by the NRC will be implemented as an improved test strategy. Check valve groups ranked IST High include AF01, AF07, EW08, SI19, S123, and S125.

c) RI-IST program description will include a statement that "at least one pump in each RI IST medium pump group will be tested each refueling cycle." Testing will be performed during refueling outages or at power as determined by STP.

22. The testing philosophy for air-operated valves (AOVs) in the licensee's RI-IST Program Description Summary states that STPNOC has committed to work with the Joint Owners Group (JOG) for AOVs to develop an enhanced AOV testing program. The JOG AOV "Core Group" has since disbanded. Revision 1 of the JOG AOV Program Document was published December 13, 2000 (reference NEI Project Number 689). The staff notes that the "elements of STPNOC's enhanced AOV testing program" simply lists the major headings from the JOG AOV Program Document (with the exception of Documentation/Data Management). The licensee's RI-IST Program Description Summary should either commit to implement the JOG AOV Program or describe its alternative AOV testing program.

Response to RAI 22:

The South Texas Project will continue to implement stroke time testing for air-operated valves within the scope of the RI-IST Program. As an improved test strategy for high risk

Attachment 1 NOC-AE-02001339 Page 17of 18 AOVs, preventive maintenance tasks will be used to gather sufficient information (i.e. AOV program) to ensure that the health of the valve can be adequately assessed. See RAI 23 Response for additional description of the AOV testing strategy for the RI-IST Program.

23. The licensee's RI-IST AOV program appears to be limited to Category 1 AOVs. Are the licensee's RI-IST medium AOVs considered to be Category 1 AOVs? Provide a list of all Category 1 and 2 AOVs.

Valve Risk Ranking AOV Category RHR Heat Exchanger CCW Outlet Valves (CC04)

RI-IST High Reactor Coolant Auxiliary Spray Valve (CV01)

RI-IST Medium RCS Charging Flow Control Valve (CV13)

RI-IST Medium RCB Supplementary Purge Supply & Return Outside CIVs (HC02)

RI-IST Medium All other AOVs at STP were categorized as RI-IST Low and will therefore be excluded from the licensee's RI-IST Program.

Response to RAI 23:

A listing of all Category 1 AOVs at STP and all Category 2 AOVs in the IST Program is attached. See attachment 6.

Categorization of AOVs was performed by a separate and distinct AOV program working group using the GQA risk rank. Category 1 AOVs are safety-related, active and high risk based on the GQA risk rank. GQA risk rank, plant trip potential, and megawatt impacts are factors considered to determine the category for AOVs that are not GQA High risk. The RI IST rank is not considered in the categorization process for the AOV Program. The STPNOC AOV Program has been developed to follow the intent of the JOG AOV Program Document (Revision 1, dated 12/2000) and is being implemented and administered independently of the RI-IST Program.

The AOV Program uses preventive maintenance tasks to perform maintenance and diagnostic testing on all Category 1 AOVs. Diagnostic testing of Category 1 AOVs includes design stroke time as part of a more comprehensive set of test criteria, such as stroke length, bench set, air set, and other parameters designed to determine overall health of the AOV. The STPNOC AOV Program focuses on High Risk AOVs, and also on AOVs that could have an impact on plant reliability. AOV Program diagnostic testing stroke times are based on original design requirements. Engineering guidelines have been established for the trending of AOV data obtained during testing activities. Trend results are used to adjust PM frequencies, as needed.

The AOV diagnostic testing, trending, and other maintenance activities identified above for High Risk AOVs are adequate to provide assurance of the operational readiness and to

Attachment 1 NOC-AE-02001339 Page 18 of 18 ensure timely identification of performance degradation. The IST coordinator will periodically assess the information from the above activities to determine if other special testing requirements are needed. Additionally, during periodic reassessments, the RI-IST working group will verify that these activities remain effective or take action to implement additional RI-IST program requirements. These requirements have been added to the Program Description Summary.

24. The testing philosophy for AOVs in the licensee's RI-IST Program Description Summary states that: "Design basis evaluations will be performed for AOV Program Category 1 valves." The JOG AOV Program Document classifies AOVs into two categories:

Category 1: AOVs that are safety-related, active, and have high safety significance, OR AOVs that are non-safety-related, active, and have high safety significance.

Category 2: AOVs that are safety-related and active but do not have safety significance.

AOVs not in Categories 1 or 2 are considered outside the scope of the JOG AOV program, as they were deemed to be not critical to plant safety.

Category 2 AOVs as described above are analogous to RISC-3 SSCs under Option 2 of risk-informing the NRC's regulations. As such, the licensee still needs to have reasonable confidence of functionality of Category 2 AOVs under design-basis conditions throughout their service life. The licensee's RI-IST Program Description Summary should be revised to describe the periodic testing that will be performed on Category 2 AOVs (e.g., reference proposed Final Safety Analysis Report Section 13.7.3.3.5 in support of STP's risk-informed exemption request). For example, STPNOC's test program for Category 2 AOVs should obtain data or information that will allow evaluation of operating characteristics to support STPNOC's determination that these SSCs will remain capable of performing their safety related functions under design-basis conditions throughout the service life of the SSC.

Response for RAI 24:

Components that are safety-related and active, but do not have safety-significance (analogous to RISC-3 under Option 2, as described in SECY-98-300) are exempt from the requirements of the IST program as approved in the special treatment exemption for STP.

Implementation of the exemption allowances will document STP's reasonable assurance that RISC-3 components exempted from the IST Program will continue to perform their safety function. The RI-IST program description summary provides the testing philosophy for components in the IST program. The RI-IST Program Description Summary will not be revised to include measures providing reasonable assurance of design function capability for components that are not within the RI-IST program scope.

ATTACHMENT 2 RISK-INFORMED INSERVICE TESTING PROGRAM FOR PUMPS AND VALVES ENGINEERING ANALYSIS - REVISED

RISK-INFORMED INSERVICE TESTING PROGRAM FOR PUMPS AND VALVES ENGINEERING ANALYSIS - REVISED Inservice Testinoro ram Coordinator Bate Supegor, Te rogramsEngineering Date

.11

TABLE OF CONTENTS TABLE O F CONTENTS ..................................................................................................................... I ACRONYM S ......................................................................................................... iii EXECUTIVE SUM MARY ................................................................................................................... V BACKGROUND ...................................................................................................................................... vi PROJECT SCOPE ................................................................................................................................ vii PROJECT APPROACH .......................................................................................................................... Vii CONFORMANCE W ITH KEY SAFETY PRINCIPLES ..................................................................................... iX Direct Safety Enhancem ents ...................................................................................... x Indirect Safety Enhancem ents ..................................................................................... xi RI-IST PROJECT RESULTS ................................................................................................................... xi

1.0 PROPOSED CHANGE

S ......................................................................................................... 1-1

1.1 DESCRIPTION

OF PROPOSED CHANGES ............................................................................... 1-1 1.1.1 Basis for Alternative Test Strategy .................................................................................... 1-2 1.2 INSERVICE TESTING PROGRAM SCOPE ................................................................................ 1-4 1.3 RI-IST PROGRAM CHANGES AFTER INITIAL APPROVAL ........................................................ 1-4 2.0 ENGINEERING ANALYSIS .................................................................................................... 2-1 2.1 LICENSING CONSIDERATIONS .............................................................................................. 2-2 2.1.1 Evaluation of Proposed Changes to Licensing Basis ...................................................... 2-2 2.1.2 Relief Requests and Technical Specification Changes ................................................... 2-3 2.2 TRADITIONAL ENGINEERING EVALUATION ............................................................................ 2-4 2.2.1 Defense-in-Depth Evaluation ........................................................................................... 2-4 2.2.1.1 The Use of Multiple Risk Metrics to Ensure Defense-in-Depth ............................. 2-9 2.2.2 Safety M argin Evaluation ............................................................................................... 2-11 2.3 PROBABILISTIC RISK ASSESSMENT .................................................................................... 2-13 2.3.1 Scope, Level of Detail, and Quality of the PRA for RI-IST Application .......................... 2-13 2.3.1.1 PRA Scope .......................................................................................................... 2-13 2.3.1.2 Level of Detail ...................................................................................................... 2-15 2.3.1.3 PRA Quality ......................................................................................................... 2-15 2.3.2 Categorization of Components ...................................................................................... 2-17 2.3.2.1 Qualitative Analysis of Lim itations in the PRA ..................................................... 2-24 2.3.2.1.1 Truncated Com ponents ................................................................................. 2-24 2.3.2.1.2 Com ponents Not M odeled in the PRA ........................................................... 2-25 i

2.3.2.2 High Risk Components Not in the IST Program .......................................... 2-29 2.3.2.3 Completeness Issues (Sensitivity Studies) ................................................ 2-30 2.3.2.4 Integration with Other STP Risk-Informed Applications ................................ 2-32 2.3.3 Use of the PRA to Evaluate Effects of Proposed Changes on Risk .......................... 2-33 2.3.3.1 Modeling the Impact of Changes in the IST Program ................................... 2-34 2.3.3.2 Evaluating the Change in CDF and LERF .................................................. 2-39 2.3.3.2.1 Bounding Estimate of the Change in CDF and LERF .............................. 2-39 2.3.3.2.2 Estimate of the Change in Risk Due to Direct and Indirect Safety Benefits...2-40 2.3.3.3 Comparison with Acceptance Guidelines .................................................. 2-45 2.4 INTEGRATED DECISIONMAKING PROCESS .................................................................. 2-46 2.4.1 Corrective Maintenance Evaluation ................................................................... 2-49 3.0 IMPLEMENTATION AND MONITORING PROGRAM ................................................. 3-1 3.1 Inservice Testing Program Changes ................................................................... 3-1 3.1.1 Testing Strategy .............................................................................................. 3-2 3.1.1.1 Motor-Operated Valves (MOVs) ............................................................... 3-4 3.1.1.2 Relief Valves ........................................................................................ 3-5 3.1.1.3 Check Valves ....................................................................................... 3-6 3.1.1.4 Air-Operated Valves ............................................................................... 3-7 3.1.1.5 Hydraulic Valves (HOVs), Solenoid Valves (SOVs), And Others (Manual Valves, Etc) .............................................................................. 3-8 3.1.1.6 Pumps ................................................................................................ 3-8 3.1.2 Non-IST High Risk Components .......................................................................... 3-9 3.2 Program Implementation .................................................................................. 3-10 3.2.1 Grouping ....................................................................................................... 3-10 3.3 Performance Monitoring Of IST Components ........................................................ 3-12 3.4 Feedback And Corrective Action Program ............................................................ 3-16 3.5 Periodic Reassessment .................................................................................... 3-18

4.0 CONCLUSION

S ...................................................................................................................... 4-1 5.0 NOTES AND REFERENCES .................................................................................................. 5-1 ii

ACRONYMS ACRONYM DESCRIPTION AFW Auxiliary Feedwater System AOV Air or Pneumatic Valve ASME American Society of Mechanical Engineers B&PV Boiler and Pressure Vessel Code BAT Boric Acid Transfer [pump]

CAP Corrective Action Program CCF Common Cause Failure CCW Component Cooling Water System CDF Core Damage Frequency CFR Code of Federal Regulations CPSES Comanche Peak Steam Electric Station (TU Electric)

CR Condition Report CV Check Valve CVP Check Valve Program ECW Essential Cooling Water System EP Expert Panel FV Fussell-Vesely GQA Graded Quality Assurance HHSI High Head Safety Injection HSSC High Safety Significant Component- High Fussell-Vesely IDP Integrated Decisionmaking Process IPE Individual Plant Examination IPEEE Individual Plant External Events Examination IST Inservice Testing JOG Joint Owners Group LERF Large Early Release Frequency LHSI Low Head Safety Injection LOCA Loss of Coolant Accident LSSC Lower Safety Significant Component- Low Fussell-Vesely and Low Risk Achievement Worth MGL Multiple Greek Letter MOV Motor-Operated Valve MS Main Steam System NPRDS Nuclear Plant Reliability Data System NRC Nuclear Regulatory Commission OEG Operating Experience Group PORV Power-Operated Relief Valve PRA Probabilistic Risk Assessment RAW Risk Achievement Worth RHR Residual Heat Removal System Mio

ACRONYM DESCRIPTION RI-IST Risk-Informed Inservice Testing RV Relief Valve SBO Station Blackout SER Safety Evaluation Report SI Safety Injection System SONGS San Onofre Nuclear Generating Station (Southern California Edison)

SGTR Steam Generator Tube Rupture STP South Texas Project SSC Structure, System, or Component TS Technical Specifications TXU Texas Utilities UFSAR Updated Final Safety Analysis Report WG Working Group WOG Westinghouse Owners Group iv

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT EXECUTIVE

SUMMARY

EXECUTIVE

SUMMARY

The South Texas Project (STP) submits this report to the U.S. Nuclear Regulatory Commission (NRC) for approval of a Risk-Informed Inservice Testing (RI-IST) program for pumps and valves at STP Units 1 and 2. The program outline conforms to the NRC-approved methods and Regulatory Guides (References 1 and 2). The methodology employed in the development of this program bears close resemblance to that implemented by the NRC-approved RI-IST pilot program at Texas Utilities' (TXU) Comanche Peak Steam Electric Station (CPSES) and the NRC approved program at Southern California Edison's San Onofre Nuclear Generating Station (SONGS). Furthermore, this program incorporates insights from the Safety Evaluation Reports (SERs) for both programs (References 3 and 4).

Given the reliance on insights derived from the Probabilistic Risk Assessment (PRA), the risk assessment satisfies industry standards associated with PRA. The PRA has been used in support of other risk-informed applications at STP and has been deemed to be of a quality consistent with that required to perform accurate, thorough, and comprehensive evaluations for a RI-IST application. The inclusion of inservice testing (IST) program effects on cumulative plant risk is comprehensive. This quantitative evaluation of key RI-IST program elements includes the effects of compensatory measures, the influence of staggered testing on common cause failure (CCF), and the beneficial effect of enhanced IST testing strategies on risk.

A key element of the RI-IST program is the Integrated Decision-making Process (IDP). STP's IDP is comprehensive, ensuring that key safety principles such as defense-in-depth and safety margins are maintained. The process considered relevant component-specific information, including design-basis safety functions, PRA risk importance, and a detailed analysis of component corrective maintenance history. Therefore, the Integrated Decision-making Process assures a detailed evaluation and panel approval by Working Group and Expert Panel of component categorization results and supporting studies.

Further, insights from the Integrated Decisionmaking Process support the conclusion that several safety enhancements to a plant IST program can be derived, both directly and indirectly, by implementing the results of the probabilistic and deterministic approach presented in this report. These safety benefits have been treated both quantitatively and qualitatively, providing a reasonable and justifiable basis for implementing the program discussed herein.

V

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT EXECUTIVE

SUMMARY

=

Background===

The intent of current IST programs is to include all active, safety-related pumps and valves that are credited in the plant design-basis safety analysis. In general, the IST equipment lists are developed by review of plant drawings showing ASME Code Class 1, 2, and 3 classification boundaries. All components within the boundaries are then reviewed to determine whether or not they have been credited with an active safety function under the plant licensing basis. The Updated Final Safety Analysis Report (UFSAR) analyses and other design-basis documentation provide the primary bases for these determinations.

After publication of its policy statement (Reference 5) on the use of probabilistic risk assessment (PRA) in nuclear regulatory activities, the Commission directed the NRC staff to develop regulatory guidance that incorporates risk insights. Concurrently, industry risk-informed pilot projects explored the process for supplementing traditional engineering approaches in reactor regulation with probabilistic information. This effort has culminated in several relevant and extremely significant regulatory advances in the area of risk-informed applications:

1. Issuance of Regulatory Guide (RG) 1.174 (Reference 1) and companion regulatory guidance (including RG 1.175 (Reference 2)), which provide the regulatory framework to fashion an inservice testing program that focuses resources on risk-significant pumps and valves,
2. NRC acceptance of TXU's CPSES relief request (Reference 3), one of the industry risk informed IST pilot projects,
3. NRC acceptance of SCE's SONGS relief request (Reference 4), one of the follow-on risk-informed IST projects,
4. NRC acceptance of STP's graded quality assurance (GQA) program (Reference 6), and
5. NRC draft acceptance of some aspects of STP's request for exemption from special treatment requirements (Reference 7).

As has been demonstrated during the CPSES and SONGS RI-IST projects, improvements to IST programs using a risk-informed approach can reduce operating costs while maintaining a high level of plant safety. Possible benefits from improved IST programs include reduced costs associated with inservice testing, as well as:

vi

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT EXECUTIVE

SUMMARY

"* Less time required to perform the tests and analyze results;

"* Reduced costs of specialized test equipment or vendor services;

"* Fewer possible effects on critical path outage duration; and

"* Less radiation exposure.

For these reasons it is advantageous for utilities to pursue IST program improvements. The impact of changes on plant safety is of primary interest and is the controlling factor in implementing such changes. However, changes that negligibly affect plant safety should not be ruled out, especially if such changes can lead to significant plant performance improvements in other areas.

Project Scope The scope of this project is to build a RI-IST program for STP Units 1 and 2, one which optimizes safety benefits in ensuring pump and valve performance. The project applies a risk informed approach for performing a comprehensive IST program review and for proposing program enhancements. The principal results of the project are recommendations for adjustments to test frequency intervals for a large percentage of IST components. The project focuses on optimizing the overall component test schedule by applying resources commensurate with the component safety function, performance, and relative risk. In this study, all components within the scope of the IST program were examined. However, only those determined to be less safety significant have been considered for Code relief. The more safety significant components have been reviewed by component experts to ensure that the appropriate tests have been identified and are performed on those components for their respective failure modes.

Project Approach The STP risk-informed IST project was developed and implemented by Nuclear Engineering's Testing/Programs Engineering Division with PRA support provided by the Risk and Reliability Analysis Group. A multi-discipline RI-IST Working Group served as integrated decision makers, assessing information provided by the project team (i.e., risk measures and component performance history), and considering component categorization information produced by other plant risk-informed programs to arrive at an overall RI-IST rank and supporting narrative basis for each component group analyzed. In addition, a cross-functional plant Expert Panel, as well as industry experts who participated in both the TXU and SCE risk-informed IST projects, worked to facilitate and guide the process to ensure a consistent and scrutable outcome. The vii

RISK-INFORMED lST PROGRAM FOR SOUTH TEXAS PROJECT EXECUTIVE

SUMMARY

STP project employed a method that blended probabilistic and traditional engineering insights to identify opportunities to reduce those IST-related regulatory requirements and commitments that require significant resources for compliance and/or implementation, but contribute insignificantly to safe and reliable operation. Using risk-informed technologies, the project determined the safety significance of IST components, as well as components not in the IST program. A combination of deterministic and risk-informed methods was applied to determine testing intervals and compensatory measures that correspond to each component's safety significance. The results of the project provide the basis for this request to the NRC to approve implementation of an alternate testing strategy.

Overall project objectives and milestones were established by key risk-informed IST project members. The project was divided into the five major tasks listed below:

"* Component Function Evaluation

"* Component Corrective Maintenance Evaluation

"* Calculation of Risk Measures Using the STP PRA

"* Component Risk Categorization by Working Group and Review by Expert Panel

"* Cumulative Risk Evaluation Using the STP PRA The component function evaluation established the design basis safety functions of IST components and related these functions to component failure modes modeled by the PRA.

Modeling implications were also identified, including the component or system-level assumptions that affect the level of credit the PRA affords an IST component's safety function.

The component corrective maintenance evaluation validated the basis for the PRA reliability assessment and demonstrated how it compared to generic and plant-specific experience. It also established a baseline for future monitoring that is needed to compensate for some of the components whose testing frequency requirements are reduced.

The PRA was then used in a variety of ways to evaluate the safety significance of components and their functions. Sensitivity studies demonstrated the robustness of the methods and the results. This process was followed by the RI-IST Working Group review and validation of the PRA risk measure, a process that ensured an integrated effort through active technology transfer. The Working Group consisted of members with expertise in the areas of power plant operations, plant maintenance, PRA, nuclear safety analysis, systems engineering, design basis engineering, quality assurance, licensing, and Inservice Testing (including ASME B&PV Code Section XA and ASME Code Cases). In addition to considering the basis for the PRA risk Viii

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT EXECUTIVE

SUMMARY

measure for modeled components, the Working Group qualitatively assessed the following for each component group:

", The degree to which component failure leads to an increase in the frequency of initiating events,

"* The degree to which component failure leads to the failure of another safety system,

"* The degree to which component failure causes a transient,

"* The role of the component in the plant Emergency Operating Procedures (EOPs), and

"* The role of the component in plant shutdown.

As part of the process, the Working Group authored a narrative basis to support the final RI-IST categorization of each component group.

Subsequent to the Working Group initial RI-IST categorization of components, the STP plant Expert Panel considered and ultimately validated the results of all Working Group activities and studies performed by the IST project members. The Expert Panel consisted of members with expertise in the areas of power plant operations, plant maintenance, PRA, nuclear safety analysis, design basis engineering, and quality assurance. The Expert Panel served as the central point of decision-making for major technical issues and offered guidance to risk informed IST project members in performing their work.

It was concluded that the strength of this risk-informed IST program and the integrity of its results lie both in the robustness of the methodology and in the quality and work of the RI-IST Working Group and plant Expert Panel. This integrated decision-making process was implemented according to clear guidelines and operated directly from documentation produced in earlier tasks.

All project tasks were conducted with reproducibility and retrievability in mind. The project deliverables -including tables of IST functions, PRA functions, PRA risk measures, component ranking outcomes, component functional failures, RI-IST Working Group decision bases, valve groups, test interval information, and monitoring requirements--are housed in a database from which the IST engineer may administer the risk-informed IST program.

Conformance with Key Safety Principles The proposed RI-IST program meets all acceptance criteria and guidance specified in RG 1.174 and RG 1.175, including the four element approach to evaluating proposed changes in Section 2 of RG 1.174. These acceptance criteria include the five principles of integrated ix

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAs PROJECT EXECUTIVE

SUMMARY

decision-making discussed in Figure 1 of RG 1.174, such as maintaining defense-in-depth and safety margins. In addition, several safety benefits to the plant IST program can be derived both directly and indirectly.

Direct Safety Enhancements Possibly the most important safety benefit resulting from application of the RI-IST methodology at STP is the promotion of an environment in which participants are encouraged to evaluate current testing strategies and, in particular, the effectiveness of those strategies to detect potential challenges to safety. If another testing strategy exists for a highly safety significant or medium safety significant component, participants feel obliged to consider whether this strategy provides an enhanced understanding of the component's ability to perform its safety function during a design basis accident scenario. For example, a revised testing strategy for the Low Head Safety Injection (LHSI) pumps will have an important safety effect due to the potential core damage frequency (CDF) improvement value of these components. Currently, these components are tested in a mini-flow configuration, which can be potentially damaging to components on the line over a sustained period of time (i.e., with regard to vibration tests). STP proposes to replace the quarterly mini-flow test with a test performed at full flow conditions during refueling outages. This test is generally considered to be much more effective at detecting degradation that could potentially lead to failure of the component to perform its safety function than the current test. Furthermore, as the full flow test requires that components perform their functions under design or near design conditions (i.e., the optimum testing environment), this test is generally considered by industry experts to be less damaging to active components. If inclusion of the full flow test leads to better knowledge of the capability of the pump, one could conservatively postulate an improvement in the CDF resulting from this enhanced test strategy.

In general, relaxing IST intervals for many lower priority components allows STP to focus greater attention and resources on high priority IST components. A resource reallocation of this nature could translate into direct safety enhancements. Test requirements associated with the high priority group of IST components are expected to be more rigorous and demanding in nature than for the other groups. These requirements provide added assurance that any problems that may impact the functionality of the components will be identified and resolved expeditiously.

Second, the resulting risk-informed IST program will consider whether some risk-significant components that are outside the scope of ASME Code Classes 1, 2, and 3 should be added to the IST program to improve safety. Finally, because extensive testing can have adverse safety x

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT EXECUTIVE

SUMMARY

and operational consequences, reduction of testing may reduce component wear-out and operator burden. These changes are expected to improve safety.

Indirect Safety Enhancements There are other indirect safety benefits to this approach that are as important. Risk-informed prioritization efforts identify the safety-significant IST components and the impact of their potential failures on plant safety. In addition, these analyses identify important scenarios that provide information with respect to the operational demand that may be placed on a given component. Such information is valuable because it relates the performance of the IST component to the broader context of plant safety. This allows more rational decision-making, more efficient use of resources, and is central to optimizing safety benefits.

RI-IST Project Results Component categorization of Unit 1 IST valves and pumps yielded the following results:

RISK RANKING PERCENTAGE OF COMPONENTS (REFERENCE 8)

(UNIT 1)

IST High 10.3% (56 components)

IST Medium 15.5% (84 components)

IST Low 69.2% (375 components)

According to the above table, 84.7% of the ranked components are eligible for interval extension. Although the engineering analysis was performed for components in both Units 1 and 2, the tabular reports in Attachment 4 (e.g., "Valves in the IST Program" and "RI-IST Component Categorizations and Test Frequencies") list only Unit 1 components. Unit 1 component functions mirror Unit 2 component functions, so the tables display information that applies to components in both units. When the performance history of a component group on one unit dictated a more conservative extension, that extension was applied to both units.

Upon implementation of the program, safety enhancements are expected from focusing resources on IST High components and reducing the testing frequency on IST Medium and IST Low components, as discussed above. Because extensive testing on IST Medium and IST Low components may adversely impact safety, reduction of testing should reduce component wear out, operator burden, system unavailability, cost of testing, and radiation exposure. Reduced testing could also achieve an optimum balance between the positive impacts of testing and the xi

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT EXECUTIVE

SUMMARY

negative effects of removing equipment from service and entering a less-than-optimum plant configuration, with the potential to result in valve misalignments. Focusing of resources on IST High and Medium components includes improved testing of LHSI pumps and enhanced testing of selected components, such as motor-operated valves (MOVs) (diagnostic testing) and pumps (including performance monitoring activities, such as spectral analysis and thermography), beyond Code testing requirements. The cumulative effects from reduced testing of IST Low and IST Medium components and enhanced testing of selected iST High components are tangible risk benefits that were not used in quantifying the risk impact of the risk-informed IST program.

Given the relaxation of test intervals, the addition of components to the program and the non quantified tangible risk benefits, the impact of the proposed RI-IST program will be risk neutral.

xii

RISK-INFORMED ST PROGRAM FOR SOUTH TEXAS PROJECT PROPOSEDCHANGES

1.0 PROPOSED CHANGE

S 1.1 Description Of Proposed Changes STP Technical Specification (TS) 4.0.5 requires that inservice testing of ASME Code Class 1, 2, and 3 pumps and valves be performed in accordance with Section XI of the ASME Boiler and Pressure Vessel Code (ASME Code) and applicable Addenda as required by 10CFR50.55a(f).

Additionally, 10CFR50.55a(f)(4)(ii) requires that the Inservice Testing program be updated during successive 120-month intervals to comply with the new code of record incorporated by reference in paragraph (b) of the regulation. As previously submitted and approved (Reference 9), the South Texas Project has updated the Inservice Testing Program and is now testing pumps and valves in accordance with the 1989 Edition of the Section XI Code, which references the 1987 Edition and 1988 Addenda of the O&M Code. The South Texas Project will continue testing in accordance with the 1989 Section XI Code for pumps and valves. This submittal requests approval to implement an alternative method for the determination of test intervals. This alternative method is consistent with acceptance criteria and guidance contained in Regulatory Guides 1.174 and 1.175, and provides an acceptable level of quality and safety in accordance with 10CFR50.55a(a)(3)(i).

STP's proposed RI-IST program addresses the majority of the 1376 pumps and valves in the current Code-required IST program, including MOVs, check valves (CVs), air-operated valves (AOVs), manual valves, Main Steam Safety Valves, and Reactor Coolant System Pressurizer Safety Valves. STP has updated the IST program to include the testing of relief valves pursuant to the 1989 Section XI Code. Specifically, 90 relief valves in each unit have been added to the program and will be tested in accordance with ASME/ANSI OM-1987 Part 1 with the associated 10-year staggered testing interval commitment. The new relief valves and skid mounted valves were excluded from the risk-ranking process because STP plans to continue to test these components at current Code-prescribed test intervals. The skid-mounted valves are tested in accordance with ASME/ANSI OM 1987, OMa 1988 Addenda, Part 10, in concert with the guidance presented in NUREG-1482 relative to skid-mounted components. For example, the Diesel Generator skid-mounted valves are tested monthly according to current diesel generator testing protocol.

In lieu of performing inservice tests on pumps and valves whose function is required for safety at frequencies specified in the ASME Code, as required by 10CFR50.55a(f)(4)(ii) for the second 120-month interval, STP presents an alternative testing strategy. The alternative would allow the inservice test strategies of those pumps and valves to be determined in accordance with the following guidelines, which are consistent with the guidelines established in recently approved 1-1

RiSK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT PROPOSEDCHANGES RI-IST programs at Texas Utilities' Comanche Peak Steam Electric Station and Southern California Edison's San Onofre Nuclear Generating Station:

1. The safety significance of pumps and valves whose function is required for safety will be classified as either High Safety Significant (IST High) Components, Medium Safety Significant (IST Medium) Components, or Low Safety Significant (IST-Low)

Components. Inservice testing of IST High Components will (nominally) be conducted at the Code-specified frequency using approved Code methods. The inservice testing of those components that have been categorized as IST Medium Components will be performed at extended test frequencies determined in accordance with the RI-IST program description. Additionally, IST Medium Components will be assigned a compensatory measure, as determined in accordance with the RI-IST program description, to assure the continued reliability of the component. The inservice testing of those components that have been categorized as IST Low Components will be performed at extended test frequencies determined in accordance with the RI-IST program description. Unless otherwise specified in the RI-IST program description, inservice test methods for all pumps and valves whose function is important to safety will continue to be performed in accordance with the ASME Code.

2. The safety significance assessment of pumps and valves will be updated every 3 years (plus a 25% margin), as specified in this report.

This alternative testing strategy will also apply to successive 120-month intervals as discussed in 10 CFR 50.55a(f)(4)(ii).

A review was performed to identify aspects of the plant's design, operation, or other programmatic activities that would be changed by the proposed RI-IST program. No changes are required as a result of the proposed alternative testing strategy.

[Removed reference to Technical Specification change approved since first submittal.]

1.1.1 Basis for Alternative Test Strategy Current Code-prescribed test intervals are based on a deterministic approach that considers a set of challenges to safety and determines how those challenges should be mitigated. This approach considers elements of probability, such as the selection of accidents to be analyzed as design basis accidents (e.g., the reactor vessel rupture is considered too improbable to be included) and the requirements for emergency core cooling (e.g., redundancy of trains). The alternative testing strategy presented here incorporates a probabilistic approach to regulation 1-2

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT PROPOSEDCHANGES that enhances and extends this traditional, deterministic approach by:

"* Allowing consideration of a broader set of potential challenges to safety,

"* Providing a logical means for prioritizing safety challenges based on risk significance,

"* Encouraging the evaluation of current testing strategies and their efficacy in detecting potential challenges to safety, and

" Allowing consideration of a broader set of resources to defend against safety challenges.

First, the PRA model has identified a broader set of challenges to safety. In particular, the RI-IST project team has identified important components that were not in the ASME Section XI IST Program. Even though these components are outside the traditional ASME component eligibility requirements, they will be evaluated to determine if these components are being tested commensurate with their safety significance. If inclusion of the component will reduce plant risk as measured by the change in CDF, then the components will be tested as described below.

Where the ASME Section XI testing is practical, the components added to the RI-IST Program will be tested in accordance with the ASME/ANSI 1987 edition of the OM Code with the OMa 1988 Addenda. Where the ASME Section Xl testing is not practical or does not apply, alternative methods will be developed to ensure operational readiness.

Second, the RI-IST Testing program prioritizes safety challenges based on the results of the STP PRA, which includes effects from both external event initiators (e.g., flood, tornadoes, fires, and seismic events) and from enhanced common cause failure modeling. The ranking process also considers risk impacts of other operating modes, specifically the most risk significant plant shutdown configurations. These rankings consider importance with respect to both prevention of core damage and prevention of large early releases of radiation to the public.

Section 2 of this engineering analysis describes the methodology used in arriving at RI-IST ranking categorizations.

Third, the RI-IST methodology promotes the evaluation of current testing strategies. If another testing strategy exists (especially for IST High or IST Medium components), RI-IST working group members will consider whether this new test provides an enhanced understanding of a component's ability to perform its safety function during a design basis accident scenario.

Moreover, if the test currently included in the program either tests the function of the component in a nonstandard plant configuration, or places the component(s) involved in the test under increased stresses that, over time, potentially decrease the reliability of the component, then STP should endeavor to find an improved testing strategy.

1-3

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT PROPOSEDCHANGES Finally, an IDP allows a broader set of resources to be considered for defense against challenges to safety. The IDP includes a group of experienced individuals with expertise in the areas of ASME Code requirements and testing methodology, plant operations, maintenance, safety analysis engineering, system engineering, design engineering, and probabilistic risk assessment. The IDP ensures that the risk ranking inputs are consistent with plant design, operating procedures, and plant-specific operating experience. More importantly, an integrated decision-making process that incorporates risk insights assures that a defense-in-depth philosophy is maintained (Section 2.4).

1.2 Inservice Testing Program Scope Aside from exceptions noted in the RI-IST program description contained in Attachment 3, components in the traditional ASME Section Xl IST program that are determined to be IST High will continue to be tested in accordance with the current program, which meets the requirements of Section XI of the ASME Boiler and Pressure Vessel Code (except where specific written relief has been granted). Similarly, components in the traditional ASME Section XI IST program which are determined to be IST Low or IST Medium will also be tested in accordance with the ASME Section XI IST program. However, the component's test interval may initially be extended as detailed in Attachment 3, Program Description Summary. The extended test frequency will be staggered over the respective test interval as described in the RI-IST program description (Attachment 3). The RI-IST program scope for the second 120 month interval includes the valves and pumps listed in tabular reports contained in Attachment

4. The IST Plan document may be found in Attachment 4 of this submittal.

1.3 Ri-Ist Program Changes After Initial Approval Currently, the risk-informed process has categorized and developed a testing strategy for 1138 of the 1376 STP IST components. As a living process, components are reassessed periodically as stated in Section 1.1 to reflect changes in plant configuration, component performance, test results, industry experience, and other factors. When significant changes that do not require prior regulatory approval occur, those changes are provided to the NRC in a program update.

All potential future changes will be evaluated against the change mechanisms described in the regulations (e.g., 10CFR50.55a, 10CFR50.59) prior to implementation. Further, any future changes will consider the cumulative risk impact of all RI-IST program changes (i.e., initial approval plus later changes) and the compliance of this calculated risk impact with acceptance guidelines discussed in RG 1.174 and RG 1.175.

1-4

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS 2.0 ENGINEERING ANALYSIS The STP RI-IST project employed a method that blended probabilistic and traditional engineering insights to identify opportunities to reduce those IST-related regulatory requirements and commitments that require significant resources to comply with and/or implement, but contribute insignificantly to safe and reliable operation. The engineering evaluation provides the core information required to support decision-making and risk quantification for a risk-informed IST application of this nature.

The engineering evaluation was divided into the five major tasks listed below:

"* Component Function Evaluation

"* Component Corrective Maintenance Evaluation

"* Calculation of Risk Measures Using the STP PRA

"* Component Risk Categorization by Working Group and Review by Expert Panel

"* Cumulative Risk Evaluation Using the STP PRA The component function evaluation established the design basis safety functions of IST components and related these functions to component failure modes modeled by the PRA.

Modeling implications were also identified, including the component or system-level assumptions that affect the level of credit the PRA affords an IST component's safety function.

The component corrective maintenance evaluation validated the basis for the PRA reliability assessment and demonstrated how it compared to generic and plant-specific experience. It also established a baseline for future monitoring that is needed to compensate for some of the components whose testing requirements are reduced. Specifically, the maintenance history over the period of years prior to the test interval extensions proposed in this submittal will be compared to the maintenance history following the implementation of this RI-IST program.

Changes in failure rates or failure types are considered during condition report evaluations and periodic reassessments as described in Section 3 of this report. (RAI 3)

The PRA was then used in a variety of ways to evaluate the importance of components and their functions. In this evaluation, calculated risk measures (Section 2.3.2), sensitivity studies, and a cumulative risk evaluation (Section 2.3.3) were used to demonstrate completeness of the risk evaluation. This process was followed by the RI-IST Working Group review and validation of the PRA risk measure, a process that ensured an integrated effort through active technology transfer. The RI-IST Working Group consisted of members with expertise in the areas of power plant operations, plant maintenance, PRA, nuclear safety analysis, systems engineering, design basis engineering, quality assurance, licensing, and Inservice Testing (including ASME B&PV 2-1

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS Code Section XI and ASME Code Cases). In addition to considering the basis for the PRA risk measure for modeled components, the RI-IST Working Group qualitatively assessed the following for each component group:

"* The degree to which component failure leads to an increase in the frequency of initiating events,

"* The degree to which component failure leads to the failure of another safety system,

"* The degree to which component failure causes a transient,

"* The role of the component in the plant EOPs, and

"* The role of the component in plant shutdown.

As part of the process, the RI-IST Working Group authored a narrative basis to support the final RI-IST categorization of each component group.

Subsequent to Working Group initial RI-IST categorization of components, the STP plant Expert Panel (EP) considered and ultimately validated the results of all Working Group activities and studies performed by the IST project members. The Expert Panel consisted of members with expertise in the areas of power plant operations, plant maintenance, PRA, nuclear safety analysis, design basis engineering, and quality assurance. The Expert Panel served as the central point of decision-making for major technical issues and offered guidance to risk informed IST project members in performing their work.

The strength of this risk-informed IST program and the integrity of its results lie both in the comprehensiveness of the methodology and in the work of both the Working Group and the plant Expert Panel. The IDP presented in Section 2.4 was implemented according to clear guidelines and operated directly from documentation produced in earlier tasks.

Results of the engineering evaluation are discussed in the following subsections.

2.1 Licensing Considerations 2.1.1 Evaluation of Proposed Changes to Licensing Basis The risk-informed project team reviewed plant programs to identify STP component-related procedures and programs that credit current IST test intervals. In addition, plant licensing reviewed licensing-related commitments that credit current IST test intervals. No commitments were identified as being adversely affected by the proposed RI-IST program. As part of the RI IST update, a similar review will be performed to ensure consistency with other plant programs.

Consideration of the original acceptance conditions, criteria, limits, risk significance of the component, diversity, redundancy, defense-in-depth, and other aspects of the General Design 2-2

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS Criteria, are addressed by the RI-IST Working Group risk categorization process.

2.1.2 Relief Requests and Technical Specification Changes Review of existing relief requests, Technical Specifications, and licensee-controlled specifications determined that no new relief requests or exemptions beyond the currently approved relief requests and this submittal are needed to implement the proposed alternative testing strategy and the RI-IST program at this time.

[Removed reference to Technical Specification change approved since first submittal.]

STP does not plan to resubmit previously approved relief requests for components ranked as IST High, as the existing relief requests were evaluated as part of the Working Group deliberations and were therefore incorporated into the decision-making process. However, Cold Shutdown Justifications, Refueling Outage Justifications, and approved Relief Requests are shown in Attachment 4 of this submittal as a part of the second 120-month interval IST Plan.

This submittal requires no new relief requests or exemptions beyond those currently approved for either risk categorization, as the program implementation plan contained in Attachment 3 does not seek to extend the test intervals for these components more than is allowed by Regulatory Guide 1.175. Therefore, these components will continue to be tested at their Code prescribed intervals, unless justified based on plant conditions required for testing.

STP's RI-IST program results in the testing of IST High components in accordance with the Code test frequency and method requirements or enhanced test methods and corresponding frequencies that have been previously approved. Similarly, STP will test IST Low and IST Medium components in accordance with the Code test method requirements (although at an extended interval) or using previously approved enhanced testing methods and corresponding frequencies. STP concludes that additional relief requests are not required to implement test methods that are in accordance with ASME Code requirements or ASME Code Cases approved by the NRC.

For the high-risk significant components that are not within the scope of the current IST program, it is not practicable to perform Code testing. However, as these components are highly safety significant, STP is considering the efficacy and practicality of either adding these components to the RI-IST program, or adding RI-IST monitoring and trending to ensure their continued operability. Section 2.3.2.2 discusses these components and the plant activities already being performed to ensure their continued reliability.

2-3

RISK-INFORMED /ST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS 2.2 Traditional Engineering Evaluation This part of the evaluation utilizes traditional engineering methods to evaluate the potential effect of the proposed RI-IST program on defense-in-depth attributes and safety margins.

Because of its importance to reactor safety and to the health and safety of the public, the concept of defense-in-depth is considered to be one of the key safety principles to be addressed by any risk-informed application. The maintenance of safety margins is also a very important part of ensuring continued reactor safety and is included in the list of key safety principles to consider.

2.2.1 Defense-in-Depth Evaluation The STP RI-IST program has been developed consistent with the RG 1.174 guidelines for maintaining defense-in-depth. RG 1.174 lists seven acceptance guidelines for determining whether defense-in-depth has been addressed adequately by a risk-informed program:

"* A reasonable balance is preserved among prevention of core damage, prevention of containment failure, and consequence mitigation.

"* Over-reliance on programmatic activities to compensate for weaknesses in plant design is avoided.

"* System redundancy, independence, and diversity are preserved commensurate with the expected frequency and consequences of challenges to the system (e.g., no risk outliers).

"* Defenses against potential common cause failures are preserved and the potential for introduction of new common cause failure mechanisms is assessed.

"* Independence of barriers is not degraded.

"* Defenses against human errors are preserved.

"* The intent of the General Design Criteria in 10 CFR Part 50, Appendix A is maintained.

The following indicates how the STP RI-IST program specifically meets this definition of defense-in-depth. Finally, this section discusses how the use of multiple PRA importance measures and the complementary risk metrics of CDF and large early release frequency (LERF) provide additional assurance that defense-in-depth is maintained.

A reasonable balance among prevention of core damage, prevention of containment failure, and consequence mitigation is preserved.

The use of multiple risk metrics, including CDF and LERF, ensures a reasonable balance 2-4

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS between risk prevention methods (e.g., testing strategies). The basis for this statement is provided in further detail in Section 2.2.1.1.

The STP RI-IST program results further demonstrate that such a reasonable balance exists.

The components whose failure can most affect that balance are categorized as IST High. For example, important reactor coolant system power-operated relief valves and block valves are among the components categorized as IST High. It is these components whose failure can not only contribute to the loss of core cooling, but also cause a failure in one of the boundaries for radiation release and limit the effectiveness of consequence mitigation.

The STP RI-IST program actually improves the balance in prevention methods (e.g., testing strategies) by adjusting the IST program to further enhance safety. Specifically, the RI-IST program reduces unintended adverse impacts of ISTs on components by replacing the current LHSI pump test with a full flow test.

Over-reliance on programmaticactivities to compensate for weaknesses in plant design is avoided.

The STP RI-IST does not introduce reliance on new programmatic activities. The compensatory measures used to ensure that degradations in equipment performance can be quickly detected are chosen from either normal plant operational activities (e.g., swapping the trains in operation) or existing preventive maintenance activities, both of which are existing plant program elements. These compensatory measures help to more clearly communicate which plant programmatic actions are important to ensure that uncertainties in equipment performance are minimized.

System redundancy, independence, and diversity are preserved commensurate with the expected frequency and consequences of challenges to the system (e.g., no risk outliers).

The preservation of system redundancy, independence, and diversity is a natural outcome of PRA if the plant risk profile contains a balance of core damage risk sources. The IDP process can ensure these conditions are met by understanding the reasons why components are categorized as IST High, IST Medium, or IST Low.

The STP PRA models a balance in sources of core damage risk. The sources of risk in turn include severe accidents that result from design basis accident initiators such as large break loss of coolant accidents (LOCAs) and steam generator tube ruptures. The balance in risk causes the categorization of components using PRA to be done on an evenhanded basis 2-5

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS covering the full scope of safety functions.

The STP risk profile includes important risk considerations from a wide spectrum of sources.

Stated simply, risk is relatively well balanced. There are important risk contributions from internal event initiators as well as location-dependent, external event initiators. For example, besides station blackout and other internal event risk sources, location dependent risk sources such as flood play important roles. In the internal event sources, contributions from transients, support system failures, offsite power interruptions, Anticipated Transient Without Scram (ATWS), LOCAs, and steam generator tube ruptures all make contributions to the risk profile.

As a result, the components which mitigate the spectrum of accidents are not ranked low solely because of initiating event frequency. Further, sensitivity studies performed for human actions ensure that components which mitigate the spectrum of accidents are not ranked low solely because of the reliability of a human action. The implication of these findings is that uncertainty in initiating events or human errors does not play an important role in component categorization.

In addition, no single safety function was found to be insignificant, a situation that would have caused all components within that function to be insignificant. For example, the safety functions that uniquely mitigate LOCAs, provide reactivity control, and mitigate steam generator tube ruptures all make important contributions to the risk profile. Thus for STP, components which support these functions are represented in the risk profile.

After selecting numerical importance criteria and applying them to the components, the RI-IST Working Group and Expert Panel developed an understanding of the basic reasons why components were categorized IST High, IST Medium, or IST Low. This effort included reviewing importance measures in the P&ID format and understanding the way that component reliability and redundancy impact component categorization. This understanding was a fundamental part of the Integrated Decision-making Process.

When the component categorization method is applied to IST pumps and valves using a PRA whose sources of risk are well balanced, the following observations can be made.

Observation number 1: The level of redundancy within each safety function greatly influences component categorization. Table 2.2-1 indicates how participants in the integrated decision making used the concept of "average redundancy" in the STP plant design to draw conclusions regarding component categorization.

2-6

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS Table 2.2-1: Relationship of Defense-in-Depth to Component Categorization DEGREE OF REDUNDANCY CLASSIFICATION TO ADDITIONAL RESTRICTIONS ENSURE DEFENSE-IN-DEPTH IS MAINTAINED Less than average redundancy all components assigned N/A IST High Average redundancy Assigned IST Medium; poorly performing only reliable components components classified as are treated like IST Low IST High, components provided these important to CCF classified components are as IST High assigned a compensatory measure Greater than average redundancy typical treatment for IST poorly performing Low components components classified as IST High, components important to CCF classified as IST High As the table shows, the most restrictive aspects of the RI-IST program apply to those elements with the least amount of redundancy. Relaxation in the STP RI-IST program occurs only when the relative level of redundancy is increased. The highest level of relaxation occurs only when there is greater than average redundancy.

However, merely having multiple trains of a component available in a system does not automatically result in a lower risk categorization for a component. When considering whether component redundancy or diversity is a factor, the RI-IST methodology evaluates redundancy based on system operating configuration, reliability history, recovery time available, and other factors. The process necessitates an examination of the effect of the component failure on each system function supported by that component. The primary consideration is whether failure of the component will fail or severely degrade the function. If that is not the case, then participants may factor in component redundancy, as long as the component's reliability and that of its 2-7

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS redundant counterpart have been satisfactory.

In addition to ensuring redundancy is preserved, the STP method also ensures that diversity is maintained. Again, this outcome depends on the well-balanced nature of risk and some specific attributes (redundancy and reliability) as the IDP process confirmed it.

Observation number 2: A system that has less diversity is more subject to CCF. Said another way, when like components (i.e., not diverse) can cause failure of the system, common cause methods predict an increased CCF contribution. When more diverse components are included, for example a mixture of turbine-driven and motor-driven pumps, the CCF contribution is lower.

The Expert Panel concluded that components that had significant contributions to CCF were IST High components. This action had the effect of avoiding relaxation of requirements on those components with the lowest level of diversity within the system.

Defenses against potential common cause failure are preserved and the potential for introductionof new common cause failure mechanisms is assessed.

The preservation of defenses against CCF is partially addressed above when it is indicated that components important to CCF are ranked IST High. More importantly however, the implementation and monitoring method discussed in the RI-IST Program Description (Attachment 3) both preserve defenses and ensure that potential increases in CCF are quickly detected. Regarding implementation, staggering of testing provides additional assurance against CCFs. Regarding monitoring, the STP Condition Reporting Process investigates failures to determine if the potential exists for like component failures.

Independence of barriersis not degraded.

The multiple barriers to loss of core cooling, containment integrity and release mitigation are preserved as described above. No new dependencies are introduced and the potential for CCF across barriers is minimized by the approach to implementation and monitoring.

Defenses againsthuman errorsarepreserved.

The sensitivity studies for the human reliability analysis show no changes to component categorization. During development of the program, no procedure changes were made to increase the reliance on operator actions. Probably most important, by reducing the number of ISTs and therefore, requiring less off-normal alignments to perform them, operator burden is reduced by the RI-IST program. Finally, Operations' input is a key part of the integrated decision-making process.

2-8

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS The intent of 10CFR50 Appendix A is maintained.

When the PRA does not explicitly model a component, function, or mode of operation, a qualitative method is used to classify the component as IST High, IST Medium, or IST Low and to determine whether a compensatory measure is required to assure the continued reliability of the component. The qualitative method is consistent with the principle of defense-in-depth because it preserves the distinction between those components that have high relative redundancy and those that have only high relative reliability. Defense-in-depth is maintained by requiring that components have both adequate functional redundancy and assurance of reliability to be eligible for interval extension. (RAI 5)

The design and function (i.e. setpoints, procedures) of all components defined by the scoping statement of the ASME Code of Record (including components that may be exempted from IST requirements by the Special Treatments exemption) are not changed. The design basis requirements identified in the licensing basis for these components will continue to be verified.

The safety margin verification will be performed as identified by the RI-IST Program for components that have not been exempted. For exempted components data and/or information will be obtained that allows evaluation of the operating characteristics to support STP's determination that these components will remain capable of performing their safety-related functions under design-basis conditions throughout the life of the component. It does, however, change the interval of ISTs. When the basis for the change in interval is reliable equipment performance, compensatory measures are used to ensure the performance is well known and that timely feedback of operational performance will occur.

These efforts ensure that the intent of GDC 10 CFR 50 Appendix A is maintained by applying key safety principles (regardless of whether the PRA explicitly models the component), and by not changing the design or function (i.e. setpoints, procedures) of components defined by the scoping statement of the ASME Code of Record.

2.2.1.1 The Use of Multiple Risk Metrics to Ensure Defense-in-Depth The following describes how the use of multiple risk metrics, namely CDF and LERF, provides an initial basis for ensuring defense-in-depth. The traditional defense-in-depth concept as used in the STP UFSAR is to maintain multiple barriers that restrict or limit the transport of radioactive material from the nuclear fuel to the public. These barriers are:

"* Fuel pellet matrix

"* Cladding 2-9

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS

"* Reactor Coolant System (RCS)

"* Containment building PRAs analyze the integrity of all these barriers, although the first two tend to be implicitly modeled and the last two explicitly modeled. CDF is a measure of the first three barriers. The containment building integrity is measured in terms of LERF. As long as these two parameters (i.e., CDF and LERF) are maintained at reasonably low frequencies, then it should be concluded that these two barriers (i.e., reactor coolant system and containment building) are most likely capable of performing their functions, when needed. This, in turn, means that the defense-in depth capabilities are well controlled and maintained.

CDF:

The STP RI-IST program used Fussell-Vesely (FV) and Risk Achievement Worth (RAW) importance measures to initially prioritize the IST components based on their risk significance.

Since these two importance measures may have some limitations, various sensitivity studies were conducted along with other considerations to ensure the completeness of the approach.

When a nuclear plant has an acceptable CDF, it means that plant components are reliable and/or there is enough redundant equipment available to perform the required accident mitigating function when needed. The redundancy could be at the component level, train level, system level, or function level. For example, at the function level, if all trains of the Auxiliary Feedwater system (AF) fail, the secondary heat transfer function will be lost. All components necessary to provide the AF flow path function are included in the IST High category. For other functions with more redundancy, fewer components are included in the IST High category but an equal or greater measure of safety is maintained.

Therefore, the STP ranking results demonstrate that, in effect, defense-in-depth is inherently assured. If the risk importance values of the IST components have been properly evaluated, and sufficient sensitivity studies have been performed (Reference 10), and their cumulative impact on total CDF has been calculated to be low, and the resulting CDF is still low, then there are still adequate redundancies at different levels available to mitigate the consequences of a severe accident. This, in turn, leads to the fact that the defense-in-depth capabilities are adequately maintained even with all the proposed changes to the test intervals of the low ranked components. In addition, testing and maintenance strategies that assure the reliability of components will be either maintained or optimized in the proposed RI-IST program.

2-10

RISK-INFORMED 1ST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS LERF:

The same risk importance approach used for CDF was applied to LERF. Similar sensitivity studies (Reference 10) were conducted to compensate for the limitations of FV and RAW importance measure techniques. In addition, in order to ensure that the containment integrity is always maintained, the following issues were also considered in the study:

"* Containment isolation features that may not directly impact the value of LERF.

"* Interfacing systems LOCA that provides a direct release path to the outside containment.

Furthermore, similar to the CDF impact evaluation, another study was performed to evaluate the cumulative impact of the requested changes to the current IST program on total LERF. The results of this study for STP demonstrated that modifying the test frequencies of the IST components in the less safety significant category to every 54 months is reasonable. When total LERF is low, it means that containment safeguards features are reliable and/or there are enough redundant components available to perform similar functions, when required. This leads to the fact that the defense-in-depth capabilities are adequately maintained with the proposed changes to the test intervals of the low-ranked components.

2.2.2 Safety Margin Evaluation The STP RI-IST program assures that sufficient safety margin is maintained. The basis for this conclusion is that the RI-IST program merely extends the test interval for certain IST components. For these interval extensions, corresponding program actions to monitor component performance are taken to ensure the overall safety margin does not degrade.

(Refer to the Performance Monitoring and Feedback And Corrective Action discussions in the RI-IST Program Description, Attachment 3.) The design and function (i.e. setpoints, procedures) of all components defined by the scoping statement of the ASME Code of Record (including components that may be exempted from IST requirements by the Special Treatments exemption) are not changed. The design basis requirements identified in the licensing basis for these components will continue to be verified. The safety margin verification will be performed as identified by the RI-IST Program for components that have not been exempted. For exempted components, data and/or information will be obtained that allows evaluation of the operating characteristics to support STP's determination that these components will remain capable of performing their safety-related functions under design-basis conditions throughout the life of the component. Safety analysis acceptance criteria (e.g., UFSAR, supporting analyses) will continue to be met as before.

2-11

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS In fact, the RI-IST program considers increases to the IST program scope. The RI-IST program does not remove any components from the current IST program; however, it considers adding highly risk significant components, such as dampers, that are outside traditional Code class boundaries. Additionally, the program does not remove any safety functions. It builds an awareness of risk functions by identifying them side by side with safety functions. Finally, there are no degradations in the effectiveness of test methods. Indeed, this program proposes to enhance test methods, in particular that associated with the LHSI pumps. Consequently, these program improvements should tangibly enhance the safety margin.

In addition to tangible scope enhancements, the safety margin is also enhanced because the RI-IST program includes three changes that should improve the understanding of component performance:

(1) For IST Medium components, the program includes compensatory measures that are effective fault finding tasks. The observed performance during these fault-finding tasks is now linked directly to the IST program performance, providing a more integrated view of safety margin and the ways that different plant programs affect and monitor it.

(2) The program uses a phased implementation approach so that a change in performance of structures, systems and components (SSCs) resulting from extending the interval can be identified and fed back to the program via the plant-wide corrective action program (i.e., STP's Condition Reporting Process). This improved understanding of how component performance relates to test interval may provide insights that in turn could even improve the process for maintaining the design margin of IST High components.

(3) There are PRA-important components not in the current IST program (ASME and non ASME components) that are potential long-term additions to the program (e.g., pumps, chillers, fans, and dampers). Not only could this potentially reduce the overall CDF, but it will also provide insight into the value of IST programs in maintaining and improving component margin. That is, the change in performance and margin can be measured for the case when a component is brought into the IST program.

When these three items are taken together with component performance changes from enhanced test methods, the uncertainty associated with component failure rates as a function of time should be reduced. This reduction in uncertainty should further improve safety margins.

The proposed RI-IST program will improve IST High component availability and ensure that changes to the reliability of IST Medium and IST Low components will not be significant.

2-12

RISK-INFORMED /ST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS Overall, as discussed in Section 2.3.3, the RI-IST program will be safety neutral.

2.3 Probabilistic Risk Assessment The PRA study for STP fully satisfies the requirements of a full-scope level 2 PRA and includes the effects of external events and fires. The PRA was primarily developed to support changes to the plant technical specifications to allow full credit for the plant's unique three-train design.

One of the main objectives of the PRA development was to be able to utilize its results and insights toward the enhancement of plant safety through risk-informed applications. With this objective in mind, the PRA elements were developed in detail and integrated in a manner sufficient to satisfy both the NRC Generic Letter 88-20 requirements and support future plant applications, such as the risk-informed application evaluated in this report.

The STP RI-IST program presented in this submittal meets the objectives outlined in the Commission's PRA Policy Statement in that the evaluation demonstrates that the proposed changes do not compromise the principles of defense in depth, nor do they degrade safety margins.

2.3.1 Scope, Level of Detail, and Quality of the PRA for RI-IST Application 2.3.1.1 PRA Scope The original STP PRA model was a level 1 analysis that included a full range of external events, including detailed fire analysis. This model was completed about the same time that Generic Letter 88-20 was issued. The level 1 model was submitted for NRC review to support proposed technical specification changes while a level 2 model was developed in order to satisfy the Generic Letter requirement. The final IPE was submitted in 1992 (Reference 11). The SER for the level 1 PRA is documented in NUREG/CR-5606 (Reference 12). The NRC acceptance of the external events analysis is documented in a letter dated December 15, 1998 (Reference 13).

Additional reviews of the STP PRA have been performed to support subsequent technical specification changes and the Graded Quality Assurance Program (References 14, 15).

The current STP PRA, documented as STP-1997 (Reference 16), includes all external events and is a complete level 2 analysis of core damage frequency and large early release frequency of the South Texas Project Electric Generating Station. Some of the external events that are addressed in the STP PRA include:

"* External floods from main cooling reservoir breach,

"* Tornado that fails offsite power and the essential cooling pond,

"* Seismic events from 0.1 to 0.6g (Reference 17), and 2-13

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS

. Internal fires.

The evaluation of seismic events and other external events are well beyond the design basis external events. All of these external events are included in the STP PRA results and are explicitly included in all risk categorizations that are based on the PRA.

In addition, the PRA accounts for common cause failures of all active components. STP believes the proposed methodology of dividing the common cause importance value into the individual elements is an innovative approach and is a more technically correct method to account for common cause within a single importance measure. However, due to issues associated with this methodology and the time necessary to gain consensus on this approach, the STP PRA has reverted to the recognized approach for PRA risk rankings from the GQA SER (Reference 6).

Reverting to the GQA SER common cause methodology is documented and tracked under STP's corrective action program. The corrective actions to address this condition include the following activities:

1. Revising the risk ranking analysis, and
2. Identifying components requiring re-categorization.

PRA representatives have completed this analysis for IST components and have identified those components affected by this decision. Affected components have been conservatively shifted from lower risk categorizations to IST High, signifying that these components will not be eligible for test interval extension.

Finally, the PRA includes planned and unplanned maintenance configurations, and test configurations that affect train line-up or operability. The model reflects the as-built and as maintained plant and is consistent with the definition of a full-scope model described in RG 1.174. The model supports the STP-developed on-line risk monitor, RasCal (Reference 18),

which is used to control on-line maintenance at STP.

With respect to the scope of the specific IST components modeled by the PRA, pumps and valves that are important to systems required to prevent core damage and radioactivity release are explicitly modeled. Categorization of the risk significance of the modeled equipment is based on risk importance metrics generated from this full scope PRA, integrated with the deterministic knowledge of the RI-IST Working Group. Pumps and valves that are in the In Service Testing Program, but are not modeled in the PRA have been categorized by the RI-IST Working Group, which considered the following factors when determining the categorization of 2-14

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS each IST component:

"* Core damage frequency,

"* Radioactivity release prevention,

"* Level of redundancy,

"* Operational requirements,

"* Use in the plant emergency procedures,

"* Shutdown configurations, and

"* Prevention of a plant initiating event.

2.3.1.2 Level of Detail The STP PRA models the specific failure modes of the pumps and valves. In some cases, the pumps and valves have more than one failure mode. For valves, these failure modes may include failure to open, failure to close, failure to operate, failure on demand (open or reseating), or failure to transfer to the failed position. For pumps, the PRA models failure to start and failure to run. Mapping of these failure modes to the associated component permits calculation of component-specific FV and RAW importance values, which is consistent with the requirements of RG 1.174. Given mapping of this nature, this full-scale application of the PRA establishes a cause-effect relationship that identifies the portions of the PRA affected by a proposed test interval extension. Therefore, the level of detail of the PRA supports a completely quantitative analysis of the impact of proposed test interval extensions on plant risk.

2.3.1.3 PRA Quality STP has a level 1/level 2 PRA which includes external events. The external events portion contains both a Fire PRA (with Spatial Interactions analysis) and Seismic PRA analysis. The STP PRA has been structured to have a comprehensive treatment of common cause failures and plant configurations. A detailed human reliability analysis is also included.

Previous Reviews Results of reviews of the STP PRA are documented by the following:

" "A Review of the South Texas Probabilistic Safety Analysis for Accident Frequency Estimates and Containment Binning" contracted through Sandia National Laboratories.

NUREG/CR 5606;

" "Safety Evaluation by the Office of Nuclear Reactor Regulation Related to the Probabilistic Safety Analysis Evaluation," sent to the Houston Lighting & Power Company under cover letter dated January 21, 1992; 2-15

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS "Safety Evaluation by the Office of Nuclear Reactor Regulation Related to the Probabilistic Safety Assessment - External Events," sent to the Houston Lighting &

Power Company under cover letter dated August 31, 1993; "Issuance of Amendment Nos. 59 and 47 to Facility Operating License Nos. NPF-76 and NPF-80 and Related Relief Requests - South Texas Project, Units 1 and 2 (TAC Nos.

M76048 and M76049)" sent to Houston Lighting & Power Company February 17, 1994; "Individual Plant Examination (IPE) - Internal Events, South Texas Project, Units 1 And 2 (STP) (TAC Nos. M74471 and M74472)" dated August 9, 1995 (Included equipment survivability analysis);

"South Texas Project, Units 1 and 2 - Amendment Nos. 85 and 72 to Facility Operating License Nos. NPF-76 and NPF-80 (TAC Nos. M92169 and M92170)" sent to Houston Lighting & Power Company under a cover letter dated October 31, 1996. This amendment allows extension of the standby diesel generator allowed outage time to 14 days, and extension of the essential cooling water and essential chilled water allowed outage time to 7 days; "Graded Quality Assurance, Operations Quality Assurance Plan (Revision 13), South Texas Project, Units 1 and 2 (STP)(TAC Nos. M92450 and M92451) dated November 6, 1997.

PRA Maintenance STP's PRA Configuration and Control program is structured to ensure changes in plant design and equipment performance are reflected in the PRA as appropriate. The PRA Configuration and Control process is administered by procedures and guidelines that ensure proper control of all changes to the models by persons independent from the person making the change and approved by the PRA supervisor. STP's PRA will undergo a PRA certification under the Westinghouse Owner's Group Peer Review Process (Reference 19) and is expected to be in compliance with the ASME PRA standard for risk-informed applications.

PRA Self-Assessment A self-assessment of the overall control process was performed using the guidance from the BWR Owner's Group Peer Certification Process. All findings from this self-assessment were documented in the corrective action program and have been corrected. The conclusions from the self-assessment indicate that the methods used to control the PRA satisfy the appropriate requirements of Appendix B to 10CFR50. Given the current state-of-the-art in PRA analyses 2-16

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS and techniques, as well as the control of the processes used to make changes to the model, the quality of the PRA is sufficient to achieve reliable results for this relief request.

In summary, the STP PRA has been subjected to extensive peer and regulatory review. The PRA model, assumptions, database changes and improvements, and computer code are controlled and documented by administrative procedure. The model and database reflect the as-built plan and the most recent historical data. Finally, in its review of the PRA in support of STP's request to implement a graded quality assurance (GQA) program, the staff stated that the process STP intends to use to maintain the PRA and to evaluate future risk changes is adequate, and that, "...on the basis of this review, [the staff finds that] the quality of the PRA analysis, which includes the PRA models and the various application specific bounding studies, is sufficient for the assigning of SSCs (in relation to their importance to the CDF and LERF metrics) into broad safety-significance categories. In addition, the staff finds that the PRA assumptions and SSC categories are sufficiently well defined" (Reference 20). Therefore, the STP PRA is of a quality consistent with that required to perform accurate, thorough, and comprehensive evaluations for a risk-informed IST application.

2.3.2 Categorization of Components This section provides a more detailed description of the technical details which support the component categorization process used for the STP RI-IST program, with emphasis placed on issues that were addressed to successfully implement the process, as well as the risk ranking results.

The STP RI-IST program implemented the same methodology that was applied in recent years during other risk-informed efforts at STP, including the NRC-approved GQA program (Reference 6) and the recently-submitted request for exemption from special treatment requirements. As was indicated in the NRC SER for the GQA program, "...the staff finds that the importance measures calculated by the licensee, and the guidelines used to develop the PRA-based categorization from these measures, are reasonable and consistent"(Reference 20). The major exception to the GQA ranking process was the elimination of passive failures for the components included in the IST program. The IST program as implemented does not test for passive failure modes of components (i.e., the IST does not perform test activities aimed at verifying that components remain in safety positions). For this reason, as described earlier, based on the mapping of the component functions tested in the IST program, the component specific FV and RAW importance values for the inservice testing program evaluation will be different from the FV and RAW importance values determined for the GQA 2-17

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS ranking process. (RAI 8)

The development of risk importance measures for ranking required selecting the measures to be used, selecting the number of categories and ranges for each importance measure, and determining the implication of each category to inservice testing. This risk-informed application employed the FV and the RAW probabilistic risk importance measures. Because the RI-IST initiative endeavors to reduce existing regulatory burden rather than focus on new regulatory initiatives, this methodology applies these risk measures in a manner intended to ensure a safety neutral outcome.

Fussell-Vesely provides a measure of incremental change in total CDF that indicates the importance of incremental changes in reliability that might result from changing inservice test intervals. Risk Achievement Worth provides an indicator of the importance of degradations in component reliability and is, in essence, a measure of functional importance. That is, two components having the same functional role, e.g., in the same "functional train", will have the same RAW. Risk ranking results generally indicated that such functionally similar components could have sufficiently different Fussell-Vesely measures. Often the differences were such that one could be ranked high and another low. This finding implies that the analyst must be relatively certain of a component's failure probability to draw reliable insights from the FV measure.

These measures were combined into the component categorization decision criteria described in the following table:

PRA RANKING CRITERIA High RAW > 100.0 or FV> 0.01 or FV > 0.005 and RAW > 2.0 Medium (Further Evaluation is Required) FV < 0.005 and 100.0 > RAW > 10.0 Medium 0.01 > FV >_0.005 and RAW < 2.0 or FV < 0.005 and 10.0 > RAW >_2.0 Low FV < 0.005 and RAW < 2.0 As the table indicates, components with a significant FV (FV > 0.01, or FV > 0.005 when RAW is also >_ 2.0) and/or RAW (RAW > 100.0) were considered "highly risk-significant".

2-18

RISK-INFORMED /ST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANAL YSIS Components with an insignificant FV (FV < 0.005) were considered "less risk-significant".

However, it was important to ensure that a reduction in test intervals did not allow unintended consequences, i.e., a compromise in safety resulting from degradation in reliability. Therefore, the ranking process adapted the RAW to compensate for the weakness in the FV measure. If FV was insignificant (FV < 0.005), it was also required that RAW be small (2.0 < RAW < 10.0),

or the RAW had to be insignificant (RAW < 2.0) if the FV were greater than the "insignificant" threshold (FV > 0.005) for a component to be classified as "less risk-significant". If RAW was significant, the Working Group considered the component for placement in the high category. If the Working Group decided the component could be ranked low, an additional requirement was imposed before a component could be classified as "less risk-significant". A compensatory measure is selected by the Working Group to limit degradations in reliability. For the purposes of this study, a compensatory measure is an equivalent stroke of the valve or the equivalent pump start.

Rankinq Thresholds The IST components were divided into three importance categories based on the risk metrics discussed above, FV and RAW. Metric thresholds were chosen such that completeness issues were addressed, and such that each category is accompanied by distinct test requirements.

The risk thresholds established for the purposes of component categorization relied upon engineering judgement and were based on a three-category structure according to the following criteria:

CATEGORY CRITERIA TEST REQUIREMENTS IST High RAW > 100.0 or Current Code-prescnbed test(s) or enhanced test(s)

FV1Ž*0.01 or FV > 0.005 and RAW > 2.0 IST Medium 0.01 > FV > 0.005 and RAW < 2 0 or Current Code-prescribed test(s) or enhanced tests if FV < 0.005 and 10.0 > RAW;> 2.0 practicable, relaxed test interval (based upon staggered testing model), Compensatory measure as practicable IST Low FV < 0 005 and RAW < 2.0 Current Code-prescribed test(s), relaxed test interval (based upon staggered testing model)

In general, the Working Group agreed with the risk categorization suggested by the FV and RAW ranking criteria discussed in the above table. As a matter of process, the RI-IST Working Group considers several component attributes - system operating configuration, reliability 2-19

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAs PROJECT ENGINEERING ANALYSIS history, recovery time available, and other factors - when assigning an overall RI-IST ranking categorization. Regardless, per the STP Comprehensive Risk Management Program (CRMP),

OPGP02-ZA-0003, in all cases, a component's final categorization cannot be lower than the risk categorization based on PRA information if the component is explicitly modeled in the PRA.

After the RI-IST Working Group completed its component categorization effort, the Expert Panel reviewed the preliminary results. As a result of the Expert Panel review, the risk ranking for several components was revised to ensure consistency with risk-rankings developed to support the GQA Program. Specifically, the Expert Panel required that the RI-IST working group verify that all IST ranks are consistent with the ranking criteria (IST High, IST Medium and IST Low) for the component specific PRA importance measures calculated for the IST ranking process.

Additionally, the Expert Panel requested that the RI-IST working group review each group where there were differences between the GQA risk rank and the IST rank. For each one of these groups the direction from the Expert Panel was to verify that the difference was reasonable and document the outcome in the narrative bases for each group. (RAI 8)

The ranking criteria established for the STP RI-IST program were found to be practical to implement, generally consistent with the deterministic insights of the Working Group and plant Expert Panel, and effective in producing a safety neutral outcome. Section 2.3.3 contains a discussion of the cumulative risk impact of extending test intervals for IST Medium and IST Low components according to the ranking guidelines suggested by the above criteria.

Results of Component Categorization A correct application of the component categorization technique described above depends on comparing and establishing a clear relationship between the component function tested within the IST program tests and that function modeled in the PRA.

The initial risk importance determination was performed using the at-power PRA, which includes the effects of both internal and external initiating events, and of common cause modeling. The ranking methods described above were used to establish preliminary component rankings for modeled components. The IDP component ranking categorization, which considers the results of the risk measure calculations at the component level, are contained in a report titled, "RI-IST Component Categorizations and Test Frequencies," which is part of Attachment 4 of this submittal.

2-20

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS The final results of the IDP ranking process are shown below:

RISK RANKING PERCENTAGE OF COMPONENTS (UNITS 1)

IST High 10.3% (56 components)

IST Medium 15.5% (84 components)

IST Low 69.2% (375 components)

Components with only Appendix J testing(will 5% (27 components) be dealt with under Appendix J, Option B)

Of the components considered for risk categorization, 84.7% (including both the IST Low components and the IST Medium components) are eligible for interval extension. The remaining IST components, including additional relief valves and skid-mounted valves, such as those in the Diesel Generator system, will not be categorized by the RI-IST working group at this time.

Instead, they will continue to be tested at the applicable Code-prescribed test intervals.

Effects of External Events on Component Categorization The effects of external event initiators (which include fire, external flood, high winds, and seismic events) on the IST components modeled by the PRA did not shift the importance of components. STP has recently provided the NRC with estimates of SSC importance for different categories of external events. The estimates were developed for fires, floods, and seismic initiating events. A full quantification of the PRA model was performed for each calculation of the external event importance measures. The same PRA ranking methodology used to calculate the composite component importance was used for these studies.

STP reported that for each case, the component's risk rank resulting from the external event calculations was never higher than the composite PRA risk rank. In other words, no component increased in risk rank category when only the external event categories were analyzed. In general, fires, floods, and seismic events guarantee failure of affected components.

Components failed by external events do not influence the mitigation of accident/transient events and have no calculated importance measures. Based on its evaluation, STP concluded that its PRA risk ranking process is not sensitive to the influence of external events and that it appropriately factors in the impacts of external events.

Effects of Common Cause Failureon Component Categorization Common cause failure is included in the STP PRA for all active components. The common cause method uses the Multiple Greek Letter (MGL) model. The MGL terms are updated on 2-21

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS the same frequency as other plant-specific database variables. The FV and RAW risk importance measures include the rank of the associated common cause terms in the determination of all basic event importance measures. Moreover, during the RI-IST Working Group meetings, members deterministically addressed the issue of common cause to ensure that the final component categorization adequately considers the effects of common case failures. In this process the RI-IST working group evaluated the valves independent of the PRA quantitative assessment. The working group considered several factors including the affect of the 12-week work process and new check valve failure data. The staggered maintenance scheduling and work process at STP results in the maintenance and return to service of only one train at a time during normal operations. The working group decided that increasing the risk ranking due to common cause was not necessary since risk ranking associated with common cause in the PRA was conservative. (RAI 2)

Inclusion of CCF modeling in the at-power risk metrics further affected the risk categorization of IST components. The Expert Panel shifted the rank of 25 check valves in each unit from lower RI-IST ranking categories to higher categories based solely on inclusion of CCF basic events in the RAW risk metric. The following table shows the valve groups that changed ranking categorizations once revised CCF impacts were included in the risk metrics:

GROUP GROUP DESCRIPTION AF01 Auxiliary Feedwater Supply to Steam Generator Inside Containment Isolation Check Valves AF07 Auxiliary Feedwater Auto Recirculation Valves CC29 CCW Supply to RHR Pump and Heat Exchanger Inside Containment Isolation Check Valve (Trains A, B, and C)

EW08 Essential Cooling Water Pump Discharge Check Valve (Trains A, B, and C)

RH06 Residual Heat Removal Pump Discharge Check Valves (Trains A, B, and C)

S118 High Head Safety Injection Pump Discharge Inside Containment Isolation Valves (Trains A, B, and C)

S119 High Head Safety Injection Pump Discharge Check to Cold Leg (Class 1 Boundary) (Trains A, B, and C)

S121 Low Head Safety Injection Pump Discharge Inside Containment Isolation Valves (Trains A, B, and C)

S123 Accumulator to Cold Leg Inboard Check Valves (Trains A, B, and C)

S125 Safety Injection Pumps Suction Check Valves (Trains A, B, and C)

This is a more conservative approach than ranking each component based upon its 2-22

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS independent event and subsequently looking at common cause as a sensitivity study. The result is that more components affecting PRA are ranked as IST High, with fewer components ranked as IST Medium or IST Low.

Effects of Shutdown Confiqurationson Component Categorization The STP PRA does not yet extend to refueling/shutdown conditions. However, STP currently uses an outage tracking tool (ORAM/Sentinel) to provide useful insights into plant risk during shutdown conditions. The RI-IST Working Group explicitly considered the role of each component in shutdown scenarios and deterministically assessed how the failure of the component to perform its safety function would impact the ability of plant operators to achieve and maintain safe shutdown. For example, the RI-IST Working Group indicated that failure of the Main Steam power-operated relief valves (PORVs, RI-IST group MS03) did have a dominant role in achieving safe shutdown. The PORVs must open to remove decay heat. PRA credits the opening of one of four available PORVs. If the PORVs fail to open, there are twenty available safety valves that can help remove decay heat. The ability to remove decay heat is extremely important; hence, the plant is designed with several available flow paths to provide decay heat removal. Nevertheless, to achieve safe shutdown, this function is particularly important. Therefore, the Working Group indicated this in its narrative basis, and in so doing, they elevated the importance of the PORVs.

No component groups shifted categories from IST Low or IST Medium to IST High as a result of the RI-IST Working Group review based solely on the impact of component failure on achieving or maintaining safe shutdown. It is important to note that the Main Steam PORVs are safety significant for several reasons. The RI-IST working group noted that the valves are credited in multiple Emergency Operating Procedures, which is one of the five questions used for importance determination. (RAI 20) However, as the above example illustrates, shutdown risk scenarios were adequately considered during the component categorization process, especially for those components providing required boron injection capability during shutdown.

Summary The purpose of ranking IST components according to their importance lay in assigning specific testing requirements according to safety significance. In order to achieve a safety neutral outcome, the process for component categorization must be scrutable. The preceding discussion demonstrates that this is indeed the case for this risk-informed application.

The following sections further describe the methodology and results, providing additional detail to facilitate a more in-depth understanding of the body of this RI-IST effort. Specifically, 2-23

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS important quantitative and qualitative aspects of the probabilistic risk assessment are addressed, followed by discussions of the completeness and adequacy of the risk models. A thorough treatment of the cumulative impact of extending inservice test intervals of IST Medium and IST Low components on plant risk is also included. This discourse provides technical justification for proposed test intervals for less risk-significant components in the existing IST and demonstrates how these risk impacts compare to the quantitative CDF and LERF risk increases specified in RG 1.174. Finally, a review of the integrated decision-making process demonstrates the RI-IST Working Group and Expert Panel members' knowledge of plant risk, plant design, plant operations, and plant performance, and further illustrates the finer aspects of the integrated decision-making model as it was applied during the STP RI-IST project.

2.3.2.1 Qualitative Analysis of Limitations in the PRA 2.3.2.1.1 Truncated components STP understands the significance of truncation limits set at inappropriately high levels. In the STP PSA, truncation limits are set at both the fault tree (i.e., system level) and event tree (i.e.,

plant level) levels. User-defined truncation thresholds are used for complex systems to facilitate the analysis relating to computer software limitations and run times. At the fault tree level, the user-defined threshold is referred to as the "cutset truncation." At the plant level, the user-defined threshold is referred to as the "sequence truncation."

Cutset truncation is the means of capturing enough cutsets from the fault tree to adequately describe the system for analysis purposes. The cutset truncation level is dependent upon the complexity of the system. For simple fault tree analysis, the cutset truncation does not require a truncation level to be established. That is, all cutsets for the fault tree are quantified and saved in the system analysis database. For large fault tree analysis with a cutset truncation limit set at zero, a portion of the captured cutset information will not significantly contribute to the overall failure probability of the system (i.e., this constitutes a large number of cutsets each with extremely low contributions). Clearly, a cutset truncation is sometimes desired for computer limitations like hard drive space and run time. In addition, the computer code imposes a cutset limit of approximately 11,000 cutsets for system level uncertainty calculation.

In practical terms, the limit was set as low as possible while maintaining the uncertainty calculation cutset limit. In all cases, the analysis results in a cutset truncation limit which is less than or equal to 1 E-12 (Reference 21).

STP has set the "sequence truncation" limit to 1 E-1 2. The sequence truncation limit represents the frequency at which individual accident sequences at the plant level are saved to the 2-24

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS sequence database. The sequence database is used for computing the risk metrics (e.g., FV and RAW).

STP has set the sequence truncation for the On-Line Maintenance Program 1E-10. This truncation level is adequate for establishing the risk significance of plant configurations, while still allowing for a manageable quantification time to appropriately facilitate the program.

Finally, the truncation limits for sensitivity studies performed in support of risk-informed applications are the same as those used for the overall plant quantification.

2.3.2.1.2 Components Not Modeled In The PRA A significant fraction of IST components or component functions are not modeled by the PRA (over 50% of the components considered for test interval extension). While it is likely that such components are not risk significant, the RI-IST Working Group evaluated each component and its associated design basis functions addressed by the IST program. Most components that are not in the PRA were found to be implicitly modeled by the study. That is, the PRA found that the components either were not required for the system to prevent severe accidents, were in systems that provided a highly redundant function, or performed functions that were unlikely to be required. The systematic review of these components by the RI-IST Working Group used quantitative and qualitative insights to determine whether components should be considered more or less risk significant and whether risk insights implied that compensatory actions should be considered. The narrative bases authored for each component group capture these insights. The bases reside in the RI-IST database.

The unmodeled components and functions were reviewed to determine their risk significance considering their potential roles in preventing core damage and/or large early release. If their function was considered to be important in this regard, these components and their associated functions were carefully documented and will be added to the PRA if appropriate via the PRA change process. Their equivalent importance was determined using insights gained from implementing the ranking methods discussed previously.

The first effort in assuring completeness in the ranking process was to compare PRA failure modes to IST component design basis function. To facilitate a general understanding of how the two types of functions compare, a detailed component and function level comparison was performed. This comparison essentially linked the PRA to the design basis, thereby allowing probabilistic and deterministic insights to be integrated in a traceable format.

There are two basic types of IST functions. The first maintains the integrity of fission product 2-25

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS boundaries (generally, a closing function, often classified as a flow path boundary or isolation function), and the second ensures safety system operability (generally, an opening function, usually denoted as a "flow path" or sometimes as a "venting" function). A report in Attachment 4, "RI-IST Component Categorizations and Test Frequencies," lists IST functions (equivalent to IST tests, e.g., testing open or testing closed) for each component group, along with the RI-IST ranking categorization for that grouping.

The first type of IST safety functions ensures the integrity of the primary and secondary systems and provides containment isolation. Often these components are excluded because they mitigate highly unlikely scenarios. For example, the PRA often makes assumptions based on the low likelihood of certain scenarios that exclude from explicit models the possibility of IST valves failing to function. Examples of this include system pipe breaks occurring coincidentally with an accident, followed by an IST valve failure, or multiple failure of fail-safe valves.

The PRA also explicitly models most safety system operability functions. For example, most if not all components in the system flow path are modeled by the PRA. Exceptions to this, that is where system flow path is not modeled, include IST functions that are assumed to have low significance due to ample opportunity for operator action to recover, restore or establish an alternative. The following flow path functions assessed by the RI-IST Working Group to have low significance are:

1. Component Cooling Water (CCW) heat exchanger outlet flow path [CC07];
2. Air sampling flow path for the Containment Hydrogen Monitoring system [CM01];
3. Boric acid transfer (BAT) pump recirculation flow path [CV05];
4. Alternate boric acid makeup supply flow path [CV24 and CV41];
5. Charging pump discharge bypass flow path [CV32];
6. Essential Cooling Water (ECW) screen wash flow paths [EW03, EW09 and booster pumps];
7. Residual Heat Removal (RHR) heat exchanger return to hot leg [Silll]; and
8. Safety Injection (SI) accumulator vent flow paths [SI16, S117, and S126].

While in most cases IST functions for system flow path are modeled in the PRA, the PRA often does not explicitly model IST components that are intended to function to ensure the system flow path boundary is maintained. Such components are often implicitly modeled via PRA assumptions.

Given the development of this basic understanding of IST and PRA safety functions, a process was developed for evaluating components not explicitly modeled by the PRA. The process for 2-26

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS evaluating such components depended heavily on two sources of information. One of the most important sources was the Risk Significance Basis Documents, which contain assumptions and system success criteria that indicate why some components or component functions are not required to mitigate certain accident scenarios.

The second source of information was the RI-IST Working Group knowledge of plant operations and design. Plant operations support and engineering support from the panel was used to rank a number of components, such as those associated the ECW screen wash and self-cleaning emergency backflush function [EW04, EW06, and EW07]. In this case for example, the frequency of planned use of the components, which depends upon an upstream dam failure event causing a need for the components in the system, was an important factor in the ranking. In other cases, the RI-IST Working Group served as an expedient source for understanding system operation and verifying the component failure modes that would have to occur and redundant components required to fail for the IST function to be needed. In these cases, documentation was provided which demonstrated that system failure modes were unlikely enough that components should be ranked low. The following table contains valve group discussions that illustrate the types of bases developed by the RI-IST Working Group for components that are not modeled.

2-27

RISK-INFORMED iST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS VALVE GROUP SAFETY FUNCTION BASIS FOR RANKING IST Low GROUP DESCRIPTION CCO5 CCW Common These valves must open to This valve is normally open. Upon failure, Suction Header provide a return path from the this valve will remain in its failure position.

Isolation MOVs - Spent Fuel Pool Heat The greatest risk is associated with the Trains A, B, and C Exchangers, RCP thermal open function to provide CCW flow. Since barrier heat exchangers, these valves are normally open, this bearing lube oil coolers, and function is satisfied without operation of motor air coolers to the Train the valve. Reopening of the valve B pump if it is operating for presupposes a previous need for closure accident conditions. [as described in the safety functions for this valve], meaning that a failure has In addition, these valves must already occurred in addition to the close to isolatheSpreturn flow postulated failure of this valve to perform path from the Spent Fuel Pool its function, an unlikely event. Moreover, Heat Exchangers, RCP there are three trains available to supply thermal barrier heat CCW flow, each with the same system exchangers, bearing lube oil configuration. Therefore, there is coolers, and motor air coolers adequate redundancy in the capability of if the surge tank level is low components to perform this safety function or the pump has stopped. if called upon to do so.

CC1 0 CCW Supply The valves must remain This valve is a normally open motor (OCIV) to RHR open to provide flow path for operated valve. Since these valves are Pump and Heat CCW through RHR pump normally open, the opening function is Exchanger - seal cooler and RHR heat satisfied without operation of the valve.

Trains A, B, and exchanger for accident Reopening of the valve presupposes a C conditions. previous need for closure [as described These valves should close in the safety functions for this valve],

(remote manual) in response meaning that a failure has already to a tube rupture inntethe RHR occurred in addition to the postulated heato heat exchaer rpture exchanger per UFSARR failure of an function, thisunlikely perform its valve toevent.

6.2.4.2.1, Item 1.b Section and leak tight (CAT A) in A downstream check valve provides accordance with UFSAR redundancy for the closing function. The commitment (Section 6.2.6.3 MOV is designed with greater margin and Figure 6.2.4-1, Sheet than needed to close against the higher

35) to provide containment pressure of the RHR system to isolate integrity, the system in the event of an RHR heat exchanger tube rupture. From an ISLOCA standpoint, the quantity of release from one tube failure is small.

The likelihood of an event failing multiple tubes without failing the shell is extremely small. Additionally, the valve is in a physically closed system in which the piping has a higher design pressure than containment pressure and it is not connected to the reactor coolant pressure boundary. Finally, each train of RHR is functionally redundant, and only one train is required.

2-28

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS The evaluation was documented in the form of meeting minutes and in the form of component categorization narrative bases that reside in the RI-IST database. The RI-IST Working Group component bases identify the component group, the IST function(s), the RI-IST component categorization, compensatory actions (for potentially high components), and deterministic comments that often clarified the technical basis for the ranking.

2.3.2.2 High Risk Components Not in the IST Program The IST ranking process identified many components for inclusion in the proposed RI-IST program. A handful of these components are non-safety-related pumps and valves, and are considered important to the operation of South Texas Project. However, none of these components are high risk significant, therefore, none have been designated by the RI-IST Working Group as IST High. (RAI 4) The RI-IST Working Group evaluated the following components:

" Main Steam Dump Valves. These valves are classified by the GQA process as Low Safety Significant for contributions to plant safety risk. However, the Plant Generation Risk for these valves is Medium; therefore the Equipment Reliability Process will ensure that maintenance and monitoring activities for these valves are identified. (RAI 4)

" Start-up Steam Generator Feed Pump. This pump is classified by the GQA process as Non-Risk Significant for contributions to plant safety risk. However, the Plant Generation Risk for these valves is Medium; therefore, the Equipment Reliability Process ensures that maintenance and monitoring activities for these valves are identified. (RAI 4)

In the process, the team also identified for evaluation several safety-related components that are not considered to be traditional Code components, such as fans, dampers, and chillers.

The PRA models these components. Their contribution to.the plant's total risk spectrum suggests they warrant high risk rankings and an appropriate testing or performance monitoring strategy that ensures their continued reliability. Because of this recommendation, the RI-IST Working Group evaluated these components for inclusion in the RI-IST program. Each group of components considered for inclusion in the RI-IST program is described below, along with a strategy that should result in the continued or improved reliability of these key components.

The RI-IST Working Group reviewed the Electrical Auxiliary Building Main Area Cooling system, which provides cooling to the area that includes the relay cabinets for the Solid State Protection System. PRA risk measures indicate that components in the system--such as fans, chillers, and dampers--are highly risk significant. It is not practicable to perform Code testing on these 2-29

RISK-INFORMED 1ST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS types of components. However, because of their risk significance, STP will collect sufficient data on this equipment during testing and maintenance activities to ensure that the health of the components can be adequately assured. Trending of the data will enable the timely identification of degradation in their performance. Examples of the testing performed on this equipment include vibration measurements, operability verifications, and, in some cases, Technical Specification slave relay testing. (RAI 4) 2.3.2.3 Completeness Issues (Sensitivity Studies)

"Quantitative risk models have limitations associated with the structure of the models and the assumptions and the input data used. The limitations were compensated for by evaluating truncation limits, identifying IST components masked by the PRA, applying a conservative treatment of common cause failures, requiring an RI-IST Working Group to identify components with operational concerns, and performing selected sensitivity studies.

The risk ranking process described above used the FV and RAW importance measures. The values for these importance measures are calculated based on cutsets. The cumulative effects analysis described below also is based on cutsets. Cutsets are obtained by solving the model with a truncation limit. Experience has shown that setting the truncation limit arbitrarily low creates inefficiencies such that analysis costs quickly exceed the value of risk insights gained.

This project evaluated the truncation limit used in the STP PRA and found it to be sufficient for both risk ranking and estimating cumulative effects.

The PRA model may "mask" certain components because they are associated with supercomponents (components which are internal to or mounted upon other components, e.g.,

pump internal check valves), human events, or initiating events but not explicitly identified.

Masking occurs when the masking event (e.g., operator action) has an artificially high importance, potentially obscuring the importance of another component function. The components masked by the PRA model are typically small contributors to the overall probability of the event.

Risk ranking results can be strongly affected by the contribution of common cause failure. The approach taken in the project was to conservatively assume that a common cause event in the cutsets should have its entire risk significance assigned to all components represented by the event. This approach lead to the inclusion of a significant number of components in the more risk significant category which otherwise would have been considered less risk significant. The Expert Panel confirmed that the approach identified potentially important components.

2-30

RISK-INFORMED lST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS Both risk ranking measures used are influenced by the reliability data assigned to the component. The STP PRA uses generic and plant-specific data since a previous study had indicated that STP component failure history on the whole is consistent with failure data reported to Nuclear Plant Reliability Data System (NPRDS). The Expert Panel considered whether or not plant-specific operational insights indicated component reliability problems that might affect the ranking of an individual component or small group of components. Components with operational concerns were considered more risk significant by the RI-IST Working Group.

Finally, the completeness of the models, assumptions and input data was tested by sensitivity studies. The sensitivity studies performed in support of STP's GQA Program considered most of the issues addressed by both the ASME Code Case and the NRC-approved RI-IST projects (i.e.,

TXU's Comanche Peak and SCE's San Onofre Nuclear Generating Station). With the exception of defense-in-depth, which is identified as a sensitivity evaluation in RG 1.175, all other sensitivity analyses are performed in order to determine risk significance in accordance with STP's GQA program. Defense-in-depth is addressed during the qualitative risk ranking process in the questions that are asked for each component. (RAI 10)

In the analysis phase of the GQA risk-informed application, STP performed a variety of sensitivity studies to provide additional assurance that important SSCs are not inappropriately categorized because of PRA modeling limitations and uncertainties. Toward this end, STP performed the following bounding values and analyses:

"* Removal of all CCFs,

"* Studying the potential degradation of availability of nominally identical components used in several systems, evaluated by assessing the impact of a common increase in unavailability,

"* Setting equipment planned to be out of service during each of the plant's scheduled maintenance states to an unavailable state,

"* Removal of all operator recovery actions, and

"* Studying the effect of a possible over-estimate of induced steam generator tube rupture (SGTR) overshadowing other LERF considerations.

For CCFs, the sensitivity study considered the influence of CCF on component categorization.

First, because CCF dominates risk, its contribution can mask individual component failure modes. No masking was found. Second, the results of the CCF analysis can be sensitive to the selection of CCF groups. In this case, it was assumed that every IST component group was a logical common cause group. This assumption was deemed reasonable because the 2-31

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS IST component grouping methodology considers the most important factors related to CCF, namely component design and service condition. The CCF study provided further evidence of both the quality of the STP PRA and the robustness of the categorization method. When the potential degradation of availability of nominally identical components used in several systems was evaluated, the results indicated no change to the component categorization.

For maintenance unavailabilities and removal of operator recovery actions, the issue was again the possibility of masking. The sensitivity results indicated no potential for masking.

Finally, induced steam generator tube rupture contributes greatly to LERF in the STP PSA. To determine the effect of SGTR event assumptions on risk ranking, STP performed a sensitivity study that reduced the assumed probability of an induced SGTR by one half. The sensitivity results indicated no potential for masking due to uncertainties associated with this postulated event.

In conclusion, the sensitivity studies performed were comprehensive and addressed the intent, if not the form, of the sensitivity studies recommended by the ASME OMN-3 Code Case addressing the component categorization process. Moreover, after assessing the bounding values and analyses used to support the categorization process, the NRC has deemed the sensitivity studies to be adequate for the purpose of assigning components "(in relation to their importance to the CDF and LERF risk metrics) into broad safety-significance categories for consideration by the RI-IST working group and Expert Panel" (Reference 6).

2.3.2.4 Integration with Other STP Risk-Informed Applications A linkage exists between the categorization of RI-IST components and the categorization of these same components in GQA, Maintenance Rule, and other plant risk-informed programs.

In general, the risk rankings for these applications should be similar because the PRA is used for all component categorization efforts at STP. However, IST tests only for active failure modes. Therefore, the PRA risk measures used in the RI-IST component categorization effort include only active failure modes. As expected, this circumstance results in occasional differences in component categorizations across plant programs because other programs may consider additional failure modes, such as passive failure modes. Moreover, programmatic efforts may place slightly different emphases on factors contributing to the component categorization process, or some may consider attributes that do not logically lend themselves to inclusion in other programs. For instance, the GQA program incorporates elements of organizational performance (i.e., plant organizational effectiveness versus maintenance effectiveness) that is not an element of either the Maintenance Rule or IST. Nevertheless, in its 2-32

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS deliberations, both the RI-IST Working Group and the plant Expert Panel made every effort to remain consistent with component categorizations associated with other programmatic activities, and to understand differences in the component rankings.

In addition to risk-informing programmatic activities, STP has recently received approval to exempt some components from the scope of special treatments required by regulations. That exemption includes low-ranked components from IST program requirements. Pumps and valves with a Graded Quality Assurance Risk Significance of High or Medium remain in the scope of the IST Program. Testing of components that are exempted from the IST program will be controlled in accordance with Section 13.7 of the Updated Final Safety Analysis Report as amended by the requirements of the Special Treatments Exemption. The testing strategy identified for the exempted components provides reasonable assurance that the component will continue to perform its safety function during design-basis conditions. Therefore, all components tested in STP's current IST program will be provided a testing strategy that is commensurate with the determination of its risk significance. (RAI 24)

However, this RI-IST program submittal was written to delineate a RI-IST program that complies with guidance outlined in RG 1.175. Upon issuance of regulatory acceptance of this relief request, STP plans to implement the RI-IST program evaluated in this document on all components that remain in the scope of the IST Program and outlined in Attachment 3. With the NRC acceptance of the exemption request, STP is implementing the requirements as outlined in the UFSAR for special treatment exemption and the NRC's Safety Evaluation. That is, those components ranked GQA Low and not risk significant (NRS) are not included in the scope of the RI-IST. For the exempted components, data and information will be gathered that allow evaluation of the operating characteristics to support STP's determination that these components will remain capable of performing their safety-related functions under design-basis conditions throughout the service life of the component. As discussed in Section 2.3.3, based on the nature of the risk changes--namely that postulated risk increases are very small; the direct and indirect safety benefits, which are widespread, possibly substantial and on their own should reduce uncertainty; and then finally on the consistent level of conservatism and justification provided for assumptions used in the calculations -- the conclusion is that implementation of the RI-IST program will be either risk beneficial, or at worst risk neutral.

2.3.3 Use of the PRA to Evaluate Effects of Proposed Changes on Risk The final component categorization does not necessarily guarantee that acceptable levels of risk will result from the RI-IST program. Changes to many components simultaneously may 2-33

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS cause unintended increases in risk, despite meeting the conservative risk-ranking measures selected. Therefore, an analysis was performed to determine the effect of all RI-IST program changes on total plant risk. This analysis is intended to:

"* Model the impact of various RI-IST program changes (i.e., interval extensions and compensatory measures),

"* Evaluate the resulting effect on total plant risk (i.e., total core damage frequency and total large early release frequency), and then

"* Compare the effect of RI-IST program changes to acceptance criteria in RG 1.174.

The impact of program changes was modeled considering available information on how changes in test intervals can change component performance. Uncertainty in this input information, together with the complexity required for modeling such an approach, dictated that a number of assumptions and judgements be used.

The effect on total plant risk was evaluated using a full re-quantification of the STP RISKMAN model. The model includes quantitative estimates for external events. This calculation was complemented with judgement for items not directly represented by the PRA.

Finally, the discussion shows how the STP RI-IST program satisfies acceptance criteria from RG 1.174 and RG 1.175.

The following sections describe the assumptions, calculations, and judgements made.

2.3.3.1 Modeling the Impact of Changes in the IST Program An analysis was performed to determine the potential risk impact of increasing in-service testing intervals simultaneously on all less risk-significant components. Consideration was given to available information on how changes in test intervals change component failure probabilities, common cause failure probabilities, and initiating event frequencies.

Component Failure Probabilities. Uncertainty in the available information, together with the complexity required to model such an approach, dictated the use of a number of assumptions for calculating changes in component failure probabilities:

"* It is assumed that any increase in test intervals would simultaneously impact the reliability of all IST components in the IST Medium and IST Low categories.

"* Consistent with the PRA techniques, the component failure on demand, QD, is assumed to be:

QD = fs*Qs + (1-fs)*(AT)/2 2-34

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS where, f, = fraction of total failure rate assigned to demand failures Qs= the component failure due to change in state (shock),

A = the component standby failure rate per hour, and, T = the interval between tests (hours) that verify operability of the component.

" The component failure on demand is assumed to increase by the same factor as the increase in the test interval (i.e., linearly increases with the time between tests). This is accomplished in the RISKMAN models by setting the fraction f, to 0. For example, a change in the test interval from quarterly to semi-annually is assumed to increase QD by a factor of two.

" Decrease in wearout due to less frequent testing is assumed to be negligible although frequent testing has been seen to cause components to be less available due to wearout.

"* It is conservatively assumed that all IST tests are fully effective in finding the causes of component unavailability.

The following discussion reviews the potentially non-conservative assumptions used in modeling the effects of RI-IST program changes and justifies why they are not considered significant. Those assumptions are:

"* Fully effective compensatory measures

"* Constant failure rate, namely no impact from aging The calculation assumes that compensatory measures are fully effective or otherwise equivalent to the IST. The compensatory measure that is most relevant is the slave relay test for MOVs and AOVs. The assumption presumes that the fault finding capability of the relay test is equivalent to the IST. This assumption is consistent with both traditional and probabilistic techniques.

Regarding traditional considerations, the MOV or AOV must function for the relay to pass its Technical Specification surveillance. The compensatory measure consequently determines whether the MOV or AOV functionally fails. Regarding probabilistic factors, the measure is essentially equivalent to a surveillance test. In PRAs, a surveillance test interval would typically be credited as the test interval in a failure probability calculation. (In the case of the slave relay test, the compensatory measure was credited at its Technical Specification prescribed three month interval for applicable components. Hence, the failure probability for an IST Medium 2-35

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS component with this compensatory measure was not increased.)

[Paragraph deleted] (RAI 11)

The constant failure rate assumption considers no impact from aging. In a critique of the ASME approach to risk-informed IST (Reference 22), Dr. William Vesely states that the component importance should be determined using failure probabilities (unavailabilities) that depend on the age of the plant, even if constant failure rates are assumed. He further states that large variations in the failure probabilities can occur when plants are categorized according to their age.

In PRAs, the component failure probability is usually assumed to be constant based on the assumption that the changes in component failure probabilities follow the bathtub curve. That is, the failure probabilities are constant for the majority of the plant life before they start deteriorating due to aging. The STP RI-IST program considered the effect of aging. However, no major evaluation was judged to be necessary for the following three reasons.

First, one of the major elements of the RI-IST program is performance monitoring. If any changes to the IST program lead to gradual equipment degradation and a resulting performance problem, the problem will be quickly identified through root cause analysis and the corrective action program. The RI-IST program requires periodic updates and necessary modifications to correct any performance problems due to either aging or any other plant specific operating practices. Therefore, the program itself will identify and correct potential age related performance degradation.

Second, the STP RI-IST program recommends that the test intervals of the IST components in the low risk significance category be extended to every 18 months to 6 years depending on IST group size. Consequently, the monitoring program will yield component performance data for many different test intervals. The understanding of component performance under the effect of aging should actually improve under the RI-IST program.

Third, a study was done by Dr. Vesely to show the unavailability changes for check valves versus IST intervals for various valve aging rates (Reference 23). The results collectively showed that, up to approximately a 10-year test interval, the unavailabilities stayed at or below the component unavailability at the test interval of once per quarter. This study seems to support the test intervals of 2 to 8 years for low safety significant check valves.

Since the tests on the components will be staggered, and since component performance will be monitored (in some cases with enhanced test methods), corrective action can be taken to 2-36

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS effectively remove or correct for any degradation mechanisms such as aging. Hence, the assumption of constant failure rates is justified.

Uncertainty in aging effects from extended test intervals is offset somewhat by the conservative assumption that there is no impact from testing-induced wearout effects. In performing this study, we did not comprehensively review and evaluate existing studies on wearout or test induced unavailability. However, studies lend credence to the possibility of negative influences of testing on total component failure probability (Reference 24). Conclusions of these studies suggest that "too frequent testing" is a stronger negative influence on component failure probabilities than "too infrequent testing". These observations imply that it is conservative to extend intervals when uncertainty exists.

IST may be particularly sensitive to this effect because of its focus on component performance degradations. One of the important contributors to negative impacts on unavailability from testing occurs when a test or preventive maintenance (PM) finds a degradation which is not a functional failure, but which causes the component to be removed from service for corrective maintenance. In other words, unavailability in this case is assured because the component is "prematurely" removed from service.

Moreover, for much of the factor increase in test intervals from the current test interval, data on "aging" does exist. Since many ISTs are now done on a refueling cycle basis, the RI-IST program benefits from this existing test experience when extending test intervals from 3 months to 2 years. The paucity of data on aging relates to the 2-year to 8-year portion of the change.

In the case of 2 to 8-year interval changes, many older plants have valves in power piping code systems that are identical to or at least similar to Code Class 3 valves that are subject to IST.

To our knowledge, data that compares the reliability of these valves have not been published.

However, indications from plant-to-plant variability in generic valve failure data apparently contradict our conservative assumption of large factor increases in some component failure probabilities. A valve initially assumed to fail at 3E-03 per demand on a quarterly test interval is assumed in our calculations to have a 0.1/demand failure rate if the RI-IST program specifies an 8-year staggered test and no compensatory measure. However, plant-to-plant variability in generic data indicates that, assuming an error factor of 10, an initial 3E-03 has a 95% upper bound of 0.01, and a 99% upper bound of 0.03. Typically, IST components exhibit error factors less than 10, so the upper bound is much closer to the mean value. Consequently, present generic data do not support valve failure probabilities as large as those assumed in our calculations.

2-37

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS While PRA methods guidance is typically silent on the topic of infrequently tested components, what guidance does exist suggests that our calculations are conservative. For example, the IREP PRA Guidance documents suggest using the 95% upper bound value for an infrequently tested component.

In summary, the two potentially non-conservative assumptions - those associated with fully effective compensatory measures and a constant component failure rate - are justified by the arguments above. Potential non-conservatisms are further compensated for by programmatic elements in the RI-IST program, such as staggered testing and performance monitoring.

Therefore, the [(\T)/2] model can be considered adequate for application to component failure probabilities.

Common Cause Failures. As discussed above, the common cause failure probabilities can also increase with IST interval changes. The most conservative time between testing was assumed for the CCF value estimate for the factor increase in failure rate. The following examples illustrate how common cause values were increased to model IST interval increases:

1. A CCF group with valves originally tested on a quarterly basis, now tested once every 6 years with one valve in the group of four tested every 18 months (also referred to as 18 month staggered testing) - the associated common cause failure on demand probability is effectively increased by a factor of 8 to reflect the 18-month interval using the basic event probabilities described previously.
2. A CCF group including valves whose interval was not extended and valves whose interval was extended - the CCF probability was generally not changed. Since some of the valves are still tested on the same test schedule, the common cause group test interval is generally unaffected. However, the test schedule was reviewed to ensure the time between tests for components in the group remained unchanged.
3. A CCF group including valves whose RI-IST intervals are different (e.g., one tested every 2 years and one tested every 6 years), was based upon the shortest time between tests (in this case, 2 years).
4. A CCF group whose group interval remained the same, but the component tests were staggered, did not have the common cause changed. Consider, for example, a valve group that was originally tested every 18 months during shutdown, i.e., each valve in the group tested every 18 months. If the RI-IST program incorporated staggered testing such that one of the valves was tested every 18 months, the common cause failure 2-38

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS probability was not increased.

Accordingly, the modeling of CCF changes due to IST program changes reflects the significant risk benefit that can result from implementing the staggered testing philosophy suggested by RG 1.175.

Initiating Events. The RI-IST program is not expected to have a significant effect on the initiating events included in the South Texas PRA. Two systems containing components subject to IST are modeled as Support System initiating events. These systems, essential cooling water system (EW) and the component cooling water system (CC), contain components which are ranked High and Medium respectively. These two systems are rotated weekly for maintenance activities and as a result, each train is challenged. The EW and CC system pumps perform their required safety function (i.e. start on demand) and valves in these systems are repositioned. The PRA takes into account these demands on system performance; therefore, no changes in test frequency or method modeled by the PRA are proposed for these systems. (RAI 11)

Conclusion. Modeling the effects of changes in the RI-iST program requires changes to individual component failure probabilities, which in turn affect common cause failure probabilities and initiating event frequencies. The [(AT)/2] model can be considered adequate for these applications because conservatisms and programmatic elements such as staggered testing and performance monitoring compensate for potential non-conservatisms in the model.

2.3.3.2 Evaluating the Change in CDF and LERF Evaluating the change in CDF and LERF was done in a two-step process. First, using certain assumptions, a comprehensive bounding calculation was performed using the STP PRA software. Second, the evaluation included an estimate of the impact of other safety benefits, including those that result both directly and indirectly from the RI-IST program. The following describes the STP PRA scope and the bounding calculations. This section then describes the other safety benefits and reaches the conclusion that the RI-IST program will result in safety neutrality.

2.3.3.2.1 Bounding estimate of the change in CDF and LERF STP PRA Scope. The current STP PRA, documented as STP_1997, includes all external events and is a complete level 2 analysis of core damage frequency and large early release frequency for the South Texas Project. Total plant risk has been evaluated in a comprehensive manner. For this reason, the impact of IST program changes on CDF and LERF were calculated directly without making approximations for most risk sources.

2-39

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS It is worthy of note that the total plant risk is at a favorable level compared to the acceptance criteria in RG 1.174. The total change in plant CDF is 1E-7 per year and total change in plant LERF is 1 E-9 per year. Both changes in CDF and LERF are well below their respective RG 1.174 acceptance criteria of 1E-6 per year and 1E-7 per year, respectively.

Bounding Calculations. The calculations indicate that, using bounding assumptions, the CDF and LERF risk increases are small (0.9% and 0.2%, respectively).

Average Maintenance Bounding Analysis RISK METRIC AND CDF CHANGES CDF LERF CHANGES LERF MAGNITUDE FRACTIONAL FRACTIONAL CHANGE (%) CHANGE (%)

Increases due to 1.E-07 0.9 1.OE-09 0.2 interval extensions The impact of the remaining safety benefits were estimated, rather than calculated. Their impact is discussed in the next section.

2.3.3.2.2 Estimate of the change in risk due to direct and indirect safety benefits The bounding risk estimates conservatively do not consider many of the safety benefits from the proposed program. This is significant and necessary for the calculation because:

"* Some uncertainties exist in the impact the safety benefits would have on model parameters,

"* Some of the benefits are qualitative in nature and are very difficult to quantify, and

"* Some aspects of program implementation that affect the safety benefits have not yet been finalized.

The following describes the important safety benefits and estimates their significance.

The STP RI-IST program will provide the following safety benefits as a direct result of IST programmatic changes:

"* Enhanced testing methods for IST components with IST High ranking. (RAIs 21 & 23)

"* Added trending for selected components not in the IST program. (RAI 4)

"* Reliability improvements for IST High components in the IST program:

2-40

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS

1. Reduction in exposure to potential system re-alignment errors
2. Improved performance resulting from improving the quantity and quality of plant personnel time devoted to IST High components
  • Reliability improvements for IST Medium components (i.e., the LHSI pumps) in the IST program.

The STP RI-IST program will also provide indirect safety benefits such as:

"* Reduction in human errors due to a reduction in operator burden

"* Improved system failure probabilities upon demand due to fewer off-normal operational line-ups

"* Other safety impacts related to improvement in safety culture:

1. Improved understanding of component level importance
2. Monitoring of CCF components
3. Operator awareness of important PRA failure modes for IST components The following estimates the potential risk impact of direct safety benefits that are not accounted for in the PRA calculation for the reasons mentioned above. Possible impacts from the indirect safety benefits are subsequently noted.

Combining the bounding estimate using the STP PRA calculation tool with the more limited quantification of direct safety benefits indicates that total plant CDF and LERF could potentially be reduced as a result of changes to be implemented in the RI-IST program. The estimated reductions in CDF and LERF are on the order of 5%.

Direct Safety Benefits. Possibly the most important effect of the proposed RI-IST program will likely be the reliability improvements for IST High components in the IST program. Increased attention and the addition of diagnostic testing where practical are expected to improve reliability. As the reliability of the IST High components improves, the number of corrective maintenance activities is expected to decline. With fewer manipulations of the component including system realignments for equipment clearances to facilitate maintenance, it is reasonable to expect a decrease in system unavailability due to human errors. (RAI 12) For example, it is estimated that since the total pump unavailability (not including latent human error) is in the range of 5E-3, performance improvements might range from a few percent to tens of percent. The system realignment with the most impact on train unavailability due to 2-41

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANAL YSIS latent human error is often the pump alignment. Pump alignment typically remains unchanged when the pump is categorized as an IST High component (systems AFW, ECW, and HHSI).

Hence, the improvement to a typical IST High component due to this safety benefit might be less than one percent.

Improved safety margins should result by focusing resources on high-risk components and reducing the testing frequency on low risk components. One can make the assumption that there is a limited amount of Operations and Maintenance (O&M) resources available for programs such as IST. Then, any reduction in the IST program activities assures that the O&M resources that are available are spent in an increased fraction on the IST High components and not diluted by work activities that have an insignificant impact on risk. In this sense, the IST O&M resources are focused on the IST High components. For example, the IST engineer and system engineers will have more time available to analyze trends in component and system performance data. Because more types of data will be available to trend or compare (e.g.,

components with varying IST intervals, or possibly components added to the IST program in the future), this increased time may further develop into a better understanding of the factors which influence component performance and reliability. The former is discussed in Section 2.3.2 under safety margins.

Added trending for selected components not in the IST program is another very important safety effect due to potential CDF improvement value of these components. Several high FV components not currently in the IST program will be trended by the IST program. These components are tested and maintained by activities outside the program to improve their reliability. Even though these components are outside the scope of the IST program, they are tested in a manner commensurate with their safety significance. The addition of IST program trending of the resulting data will allow periodic assessment of the operational readiness and ensure timely identification of performance degradation. (RAI 4)

The Electrical Auxiliary Building (EAB) HVAC system is relied upon to maintain the environment for the Solid State Protection System relay cabinets. The additional trending of the EAB main chillers and dampers may not directly affect the calculated Core Damage Frequency; however, trending of critical parameters may identify degrading performance so that maintenance can be scheduled to minimize unavailability time and avoid unanticipated failures. In a similar manner, the trending of parameters for high-risk fans associated with various safety-related pumps may improve the overall reliability and availability of these components.

The impact of this improvement in safety margin is hard to measure, but generic data on plant 2-42

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS variability indicates the performance of the best performing high-risk components could easily be better by a factor of three or more than poorly performing high-risk components (in terms of individual component contributions). A few percent increase in the reliability of IST High components is extremely plausible in the near term, with possibly additional increases in the longer term.

Regarding component reliability improvements due to testing enhancements to be proposed by ASME, there is some hope that these improvements could be significant. ASME has devoted considerable research to the causes of pump failures in particular. The NRC has sponsored research through Oak Ridge National Laboratory (ORNL) that is attempting to measure the effectiveness of certain test methods, including pump testing at or near the design point. This can result in a few percent increase in component reliability, especially for pumps.

For example, a revised testing strategy for the LHSI pumps will be an important safety effect due to the potential CDF improvement value of these components. Currently, these components are tested in a mini-flow configuration, which can be potentially damaging to components on the line over a sustained period of time (i.e., with regard to vibration tests).

STP proposes to replace the quarterly mini-flow test with a full flow test performed during refueling outages. This test is generally considered to be much more effective at detecting degradation that could potentially lead to failure of the component to perform its safety function than the current test. Furthermore, as the full flow test requires that components perform their functions at design or near design conditions (i.e., the optimum testing environment), this test is generally considered by industry experts to be less damaging to active components. Were inclusion of the full flow test to lead to better knowledge of the capability of the pump, one could conservatively postulate an improvement in the CDF resulting from this enhanced test strategy.

The impact of inservice testing on component reliability is not well known. However, one can assume that the amount of improved reliability due to testing enhancements would be similar to the factor of degradation assumed for components for which test intervals are increased.

Comparing FV measures is equivalent to this assumption. The summed FV of the LHSI pumps (0.4% of CDF) is on the same order of magnitude as the "equivalent FV" for all IST Medium and IST Low components whose test interval has increased. Therefore, it is possible that test improvements in the RI-IST program from the LHSI pumps alone could ensure the program is at least safety neutral, or very close to safety neutral.

It is also worth noting that changes to IST intervals and the scope of components included will provide more information with which to identify the most effective testing methods. Therefore, 2-43

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS the STP implementation of RI-IST may eventually provide further improvements to ASME's efforts.

Indirect Safety Benefits. The following indirect safety benefits are not accompanied by estimates of quantitative improvements. Taken as a whole, however, the benefits could be substantial since they deal with plant-wide improvements in safety.

Perhaps the most difficult safety benefit to measure is the amount of reduction in human errors that can result from a reduction in operator burden. STP has noted that senior reactor operators (SROs) and reactor operators (ROs) spend fewer man-hours performing system line ups for testing and realignments after testing and performing work package reviews. Since human errors are involved in almost every important cutset in a PRA, improvements in average operator failure probabilities may cause a similar reduction in CDF and LERF.

STP also expects that improved system failure probabilities upon demand could result due to fewer off-normal system alignments. PRAs generally assume normal system alignments.

Traditional safety programs often make the same assumption. Such conditions (i.e., systems not in their normal alignment) have the potential to cause unanticipated problems, mostly due to less experience with them. Generally a normal alignment will require fewer components to actuate. In particular, a normal alignment will require fewer "less frequently functioning" valves to operate; e.g., system boundary isolation valves, manual valves, and test return line valves.

Also, operators will need to operate manual valves less frequently in demand situations, if the time in off-normal conditions is reduced.

Another important indirect safety benefit that will result from implementation of RI-IST is the improvement in safety culture that can result from a site-wide improvement in understanding of the important contributors to risk, including:

"* Improved understanding of component level importance,

"* Monitoring of CCF components, and

"* Operator awareness of important failure modes in IST components.

It could be argued that such improvements are already occurring as a result of increased awareness of the PRA, implementation of the Maintenance Rule, and use of risk management during outages and on-line maintenance activities. However, the improved understanding of component level importance and the increased emphasis on monitoring for common cause failure could result in important safety improvements. The more such improvements are integrated into the safety culture by changing common plant programs such as IST, the more 2-44

RISK-INFORMED /ST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS these benefits will be realized.

Summary. In conclusion, implementation of the STP RI-IST program will result in at least risk neutrality, if not a net safety benefit. Further, both the direct and indirect benefits are potentially larger and more widespread than the limited risk changes indicated by the bounding analysis.

2.3.3.3 Comparison with Acceptance Guidelines The RG 1.174 acceptance criteria depend on the total risk estimate and the estimated risk change. Because both CDF and LERF are well below the RG 1.174 acceptance criteria, a risk increase is permitted. However, as the discussion below indicates, the RI-IST program is safety neutral.

Using judgement to estimate safety benefits for the above-mentioned factors, the following table estimates the change in risk associated with the proposed program changes:

PROGRAM CHANGE CHANGE IN MODEL ESTiMATED TOTAL SAFETY ELEMENT APPLICABLE IMPROVEMENT FRACTION OF ASSUMED CUTSETS enhanced testing for selected Improvement in 4E-03 4E-03 components (e.g., LHSI pumps) reliability is likely the same as degradation in low risk components reduction in system re-alignment <1% 8E-01" 5E-03 errors improved performance resulting few % 8E-01* 2E-02 from improving the quantity and quality of plant personnel time devoted to IST High components component reliability few % 8E-01* 2E-02 improvements due to testing enhancements to be proposed byASME reduction in human errors due to not estimated -1.0** Not estimated a reduction in operator burden improved system failure not estimated 8E-01" Not estimated probabilities upon demand due to fewer off-normal operational line ups other safety impacts related to not estimated -1.0** Not estimated improvement in safety culture Total Program Improvement > 5E-02 2-45

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS

  • estimated
    • assumes the issue is applicable to essentially all cutsets The table indicates that it is reasonable to estimate that about a 5% improvement in CDF and LERF will result from the proposed program changes (since the bounding estimate yielded a less than 1% increase for CDF and LERF).

While this evaluation did not include a comprehensive uncertainty analysis such as that suggested by RG 1.174, the results of the assessment have been consistent. This conclusion is based on the nature of the risk changes, namely that postulated risk increases are very small; the indirect safety benefits, which are widespread, possibly substantial and on their own should reduce uncertainty; and then finally on the consistent level of conservatism and justification provided for assumptions used in the calculations. The STP PRA has been demonstrated to be of a quality consistent with the requirements for this application and has been reviewed by the NRC for other risk informed plant applications. Finally, the program of monitoring, feedback, and corrective action is an important factor in addressing uncertainties related to the impact of degradation mechanisms and aging effects.

Consequently, the results show that the STP RI-IST program satisfies the acceptance criteria of Regulatory Guide 1.174. When combined with the tangible, qualitative risk benefits of enhanced testing of selected components and reduced testing of low risk components, the overall impact of the STP RI-IST is either risk beneficial, or at the very least, risk neutral.

2.4 Integrated Decision-Making Process (IDP)

The role of the STP's IDP was crucial in ensuring that the results presented in this submittal are comprehensive. At STP, the RI-IST integrated decision-making process requires the participation of two member groups:

1. A plant Expert Panel, which is a multi-disciplinary group of individuals whose purpose is to guide the implementation of Comprehensive Risk Management activities at STP, and
2. An RI-IST Working Group, which is a multi-disciplinary group of individuals who provide risk-informed, performance-based recommendations to the plant Expert Panel.

The RI-IST Working Group members are senior level personnel whose membership has been endorsed by the Expert Panel. The RI-IST Working Group consists of members with expertise in the areas of :

9 Power plant operations*,

2-46

RISK-INFORMED 1ST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS

"* Plant maintenance*,

"* PRA and nuclear safety analysis*,

"* Systems engineering,

"* Design basis engineering*,

"* Safety analysis (Chapter 15)*,

"* Quality assurance,

"* Licensing, and

"* Inservice testing (including ASME B&PV Code Section XI and ASME Code Cases)*.

"*Denotes voting members. Five voting members are required for quorum.

All the members of the RI-IST Working Group have at least ten years experience in nuclear power.

The IDP effort entailed RI-IST Working Group review and validation of the PRA risk measure, a process that ensured an integrated effort through active technology transfer. In addition to considering the basis for the PRA risk measure for modeled components, the RI-IST Working Group qualitatively assessed the following for each component group:

"* The degree to which component failure leads to an increase in the frequency of initiating events,

"* The degree to which component failure leads to the failure of another safety system,

"* The degree to which component failure causes a transient,

"* The role of the component in the plant EOPs or SAMGs, and

"* The role of the component in plant shutdown.

As part of the process, the RI-IST Working Group authored a narrative basis to support the final RI-IST categorization of each component group.

Subsequent to Working Group initial RI-IST categorization of components, the STP plant Expert Panel considered and ultimately validated the results of all Working Group activities and studies performed by the IST project members. The Expert Panel consisted of members with expertise in the areas of power plant operations, plant maintenance, PRA and nuclear safety analysis, design engineering, and quality assurance. The Expert Panel served as the central point of decision-making for major technical issues and offered guidance to risk-informed IST project members in performing their work.

The strength of this risk-informed IST program and the integrity of its results lie both in the comprehensiveness of the methodology and in the work of both the RI-IST Working Group and 2-47

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS the plant Expert Panel.

RI-IST Workinq Group Charter To prepare for the Expert Panel review, the RI-IST project team used a process similar to that employed by TXU and SCE during their RI-IST projects. The PRA risk categories were displayed on simplified P&IDs to help illustrate for the RI-IST Working Group the roles redundancy and reliability play in risk categorization. Additionally, design basis functions were compared to PRA failure modes to clearly establish the relationship between PRA and the design basis.

The RI-IST Working Group used plant knowledge, operating experience, and engineering judgment to perform the following tasks:

"* Verify component functional failure modes

"* Establish risk-informed categorizations for components not modeled in the PRA

"* Assess or provide qualitative deterministic criteria

"* Consider and/or provide insight concerning the component performance history.

Specific attention was afforded to areas of poor or declining performance.

"* Address all significant safety and operational concerns

"* Validate component categorizations

"* Resolve questions relative to PRA model completeness

"* Resolve all questions raised during the review process The RI-IST Working Group considered the following factors in addition to the combination of risk significance and deterministic insights discussed above:

"* Important design basis functions not reflected in the risk categorizations

"* Impact of PRA scope limitations, assumptions, and model simplifications, such as exclusion of shutdown states

"* Importance of release states less severe than large early releases that are not explicitly reflected in the risk categorization scheme The RI-IST Working Group included in their evaluation the uncertainties caused by:

"* PRA model assumptions

"* Common cause or common mode failure rates

"* Treatment of support systems

"* Level of definition of cutsets and cutset truncation 2-48

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS

"* Model assumptions relative to repair and restoration of failed equipment

"* Human error rates used in the PRA

"* Limitations in the meaning of importance measures Based on the process outlined above, the Working Group made a qualitative assessment of the RI-IST importance categories that were developed for the components using the PRA results and deterministic insights, plant-specific history, engineering judgements, and probabilistic risk analysis insights. The Working Group reviewed the PRA component risk rankings, compared the PRA and IST functions to ensure consistency with plant design, and analyzed applicable deterministic information in its effort to resolve the final safety significance categorizations for all the IST components scrutinized.

Documented recommendations developed by the RI-IST Working Group and forwarded to the Expert Panel included:

" RI-IST categorization and proposed test interval (i.e., no extension, extension with compensatory measures, or extension without compensatory measures)

" The bases for making those recommendations (i.e., including PRA inputs, performance analysis results, details regarding any other deterministic inputs)

" Identification of components not within the scope of the PRA, including components supporting balance of plant operations, mode transition and shutdown operations The Expert Panel approved the final IST categorization (and, hence, the test interval for which the component is eligible) and proposed changes to the IST test program by reviewing and concurring with the recommendations of the RI-IST Working Group.

2.4.1 Corrective Maintenance Evaluation A significant deterministic input to the decision-making process proved to be the component corrective maintenance evaluation performed by the RI-IST project team members. To facilitate the evaluation, the RI-IST project team took advantage of reports produced by STP's Operating Experience Group (OEG), which compiles and analyzes performance of plant equipment and activities. Data for the reports is compiled from various sources, including the Corrective Action Program (CAP) database and an equipment history database. The data is analyzed for performance trend changes. Components with a poor performance record or whose performance is on a declining trend are highlighted for evaluation.

In addition to analyzing OEG reports, the RI-IST project team performed an independent component maintenance history review, spanning several years (encompassing at the very 2-49

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANAL YSIS least the period of time between January 1995 and May 2000). Conclusions about component performance were based on the tested IST function(s) for a given component. That is, if an event involved a failure of a valve to open, but IST tests the reliability of the valve to close (i.e.,

not to open), then the event was not considered to be an IST failure. However, the inclusion of these non-IST failures does not change the reliability determination of the RI-IST working group. (RAI 13)

Example of a Performance History Review for the Auxiliary FeedwaterSystem To support the GQA Program risk-informed effort, the OEG conducted a review of the Auxiliary Feedwater (AF) system and subsystem events captured in NPRDS, the STP Corrective Action Program (CAP) database, and the AF Reliability History. The conclusions of their review are as follows:

" The Operating Experience Group reviewed the reliability history for the Auxiliary Feedwater System from January 1, 1995 through October 31, 1998. They identified five failures, two of which did not involve a valid equipment failure of Auxiliary Feedwater components. The other three failures consisted of electrical failures associated with motor-operated valves. These failures shared no commonality.

" The Condition Report (CR) database documents 430 documented conditions between January 1, 1995 and December 31, 1998 for the AF system. Of these 430 Condition Reports, the OEG determined that 160 involved valid component failures. The OEG identified no commonalities between these failures, with the exception of 22 that were directly attributed to human performance errors.

" The Institute of Nuclear Plant Operations NPRDS was evaluated for failures meeting the NPRDS reporting criteria. Of the 154 component failures documented between January 1, 1995, and December 31, 1997, the South Texas Project did not incur any component failures that met the reporting criteria.

Therefore, based on this review, the OEG agrees that the components in the system have adequate performance histories and are eligible for downgraded quality assurance activities.

To verify the results of the OEG review for the RI-IST Program, the RI-IST project team performed a corrective maintenance history review on AFW pumps and valves within the scope of the IST Program. A search identified 329 preventive and corrective maintenance activities performed since January 1, 1995. Of these activities, the team identified five failures, with four of these failures resulting in the loss of a safety function tested by the IST Program. The 2-50

RISK-INFORMED 1ST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS failures are listed in the following table.

COMPONENT FAILURE CAUSE ClAFMOV0085 Failed to open Motor burned up, cause unknown D2AFMOV0019 Failed to open Oil film on electrical contacts D1AFFV7526 Failed to open Limit switch was not closed, adjusted switch finger to make contact D2AFMOV0514 Closed, but did not Failure could not be duplicated, cleaned torque switch re-latch contacts and bypass contacts.

The paucity of events in the above table indicates that failures have been infrequent for IST components in the Auxiliary Feedwater system. The identified failure cause of these events is different for each case, indicating that a common deficiency or inherent flaw in the design of the components does not exist.

Based on the above information, the Auxiliary Feedwater system components at the South Texas Project have performed reliably and can be tested at an extended frequency as determined by their RI-IST safety significance.

PoorPerformers Once the corrective maintenance history had been fully reviewed for a component, a summary of failure events or particularly eventful corrective maintenance histories was reported to the RI IST Working Group for their consideration during the risk categorization process. This was useful in facilitating the determination of contentious performers (i.e., those components for which the IST Low categorization merits assigning either a compensatory measure, retaining the current test interval, or changing the ranking to IST High). The RI-IST Working Group changed the rankings of only one component group, MS03, the power-operated relief valves, to IST High as a result of this maintenance history review process.

In addition, the RI-IST Working Group determined that components classified as Maintenance Rule category (a)(1) should not be eligible for test interval extension until they are no longer in (a)(1). Presently, the accumulator nitrogen supply vent valves are in (a)(1). Therefore, testing of these components will remain at the current Code frequency. In general, should a Maintenance Rule evaluation place a component with an extended IST in category (a)(1), the RI-IST program will test that component at the Code-prescribed frequency until such time that the component's performance history merits removal from (a)(1) status.

2-51

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT ENGINEERING ANALYSIS Summary In summary, to blend deterministic and probabilistic information, the RI-IST Working Group deliberated on the limitations of PRA when it applied and made use of both plant-specific and generic information, as well as industry operating experience as applicable. At the end of the integrated decision-making process, every component eligible for test interval relaxation in the STP IST program was systematically reviewed and evaluated by the RI-IST Working Group and Expert Panel members.

The integrated decision-making process employed in support of this risk-informed application is assumed to be repeatable by another group consisting of members of similar technical knowledge. This position is based upon the availability of detailed technical bases for all sources of risk and the use of consistent ranking criteria applicable to both modeled and non modeled components.

2-52

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT IMPLEMENTATION AND MONITORING PROGRAM 3.0 IMPLEMENTATION AND MONITORING PROGRAM 3.1 Inservice Testing Pro-gram Changes Testing for components in the IST program classified as IST High continues per the current IST program, which meets the requirements of the 1989 Edition of the ASME Boiler and Pressure Vessel Code,Section XI, except where specific written relief has been granted. The STP RI-IST evaluation process concluded that the monitoring mandated by the current IST program for all components ranked as IST High is adequate. Where the ASME Section Xl testing is practical, IST High ranked valves or pumps not in the current ASME Section XI IST Program Plan will be tested in accordance with OM-1 for safety relief valves, OM-10 for active valves and OM-6 for pumps. Where the ASME Section XI testing is not practical, alternative methods will be developed to ensure operational readiness.

Note that there are two distinct groups based on RAW ranking. Those components with a high RAW (2<RAW<100) and a low Fussell-Vesely (O.001<FV< 0.005) are described as IST Medium while those components with a low Fussell-Vesely and a low RAW (< 2) are described as IST Low.

As modified by the testing strategy described below, components in the current IST program determined to be IST Low will also be tested in accordance with the ASME Code,Section XI requirements, except that the test frequency will initially be extended from quarterly (or cold shutdown/refueling as applicable) to a maximum of once every 6 years plus a 25% margin, depending on the number of valves in the group and their design, service condition, risk insights and ranking, performance history, and any compensatory measures. The extended test frequency will be staggered up to six years as described in Section 3.2 below. All other Code testing methods, corrective actions, documentation, and other requirements will remain in effect. Note that the testing strategies identified in this section apply to components that have not been exempted from the IST Program requirements by the Special Treatment Exemption approved for STP in letter ST-AE-NOC-01000845 dated August 3, 2001. Pumps and valves with a Graded Quality Assurance Risk Significance of High or Medium remain in the scope of the IST Program. The IST Rank is based only on the component safety function tested by the IST program. The Graded Quality Assurance risk significance rank is based on all attributes that make up the risk significance of the component including pressure boundary, which is a safety function that is not tested in the IST program. The IST program tests active safety functions. Where pressure boundary is identified as a seat leakage function, the pressure boundary function is considered in the IST Rank. There are differences in the evaluation of the 3-1

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT IMPLEMENTATION AND MONITORING PROGRAM components from these two perspectives that may result in a difference in rank. This is reasonable and should be expected. The reasons for the differences are identified in the integrated decision-making documents. Testing of components that are exempt from the IST program are controlled in accordance with Section 13.7 of the Updated Final Safety Analysis Report as amended by the requirements of the Special Treatments Exemption. The testing strategy identified for the exempted components provides reasonable assurance that the component will continue to perform its safety function during design basis conditions.

Therefore, all components tested in STP's current IST program will be provided a testing strategy that is commensurate with the determination of its risk significance.

By using PRA methods, a maximum test interval was determined for the IST Medium and IST Low components. This information was provided to the RI-IST working group for their consideration during component categorization deliberations. During periodic reassessments, the maximum test interval will be verified or modified as dictated by the integrated decision making process. STP will continue to consider other test methods, such as non-intrusive testing and disassembly/inspection.

3.1.1 Testing Strategy STP's proposed RI-IST testing strategy for each component group will ensure to the extent practicable that adequate component capability margin exists above that required during design basis conditions. As such, component operating characteristics will not be allowed to degrade to a point of insufficient margin before the next scheduled test activity. On this basis, the testing strategies are deemed acceptable.

STP's proposed RI-IST program identifies components that are candidates for an improved test strategy (i.e., frequency, methods, or both) as well as components for which the test strategy may be relaxed. The information contained in and derived from the STP PRA was used to help construct the testing strategy for components. Components with high safety significance will be tested in ways that are at least as effective as the current Code-required test at detecting their risk-important failure modes and causes (e.g., at least as effective at detecting failure, detecting conditions that are precursors to failure, or predicting end of service life). Components categorized as IST Medium and IST Low will generally be tested less rigorously than components categorized as IST High (e.g., less frequent tests).

The proposed component IST test intervals have not been extended beyond once every 6 years plus a 25% margin. With the exception of relief valves and check valves, IST components will be exercised or operated at least once every refueling cycle.

3-2

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT IMPLEMENTATION AND MONITORING PROGRAM Test strategies were essentially augmented by leaving them as-is for all IST High components in the IST program and adding diagnostic methods where possible. In some cases, one IST tested safety function had a greater risk-significant classification than another tested function; nevertheless, the components were conservatively maintained at the higher ranking as a result of the more risk-significant function. There are two notable exceptions where the close safety function cannot be tested at the Code interval. Relief request VRR-03 describes the alternative testing for two Safety Injection check valve groups (SI18 and S121). This relief request has been approved for use in the current IST program as relief request RR-56. Since the alternative test can only be performed at a longer interval, STP has indicated in the Valve Plan that the test is considered IST Low. The testing strategy for the open function will be assigned using the higher IST ranking for the component.

Multiple failures of an IST component could result in a system requiring additional monitoring per 10CFR50.65(a)(1). If IST testing is performed for the safety function that was lost as result of these failures, then the component will be tested per the ASME Code of Record requirements until such time that the component's performance history merits removal of the component from (a)(1) status. (RAI 14)

STP considered component design, service condition, and performance history, as well as risk insights, in establishing the technical basis for the test strategy and interval assigned to each component as illustrated by the following examples:

1. A component was considered IST High if the component had, in the opinion of the RI-IST Working Group, a poor performance record. By categorizing the component as IST High, the test strategies were left as-is and the test intervals were not extended. In the case of insufficient history (i.e., new component, either new to the program or new style), the component ranking considered PRA risk metrics, component safety function redundancy, and other relevant inputs from the RI-IST Working Group, but for these cases the RI-IST Working Group opted to retain the current test frequency until sufficient performance history has accumulated to justify a future test interval extension.
2. The STP RI-IST Working Group also considered the impact of service condition on component performance. If the service condition had no impact on performance, the PRA results were unchanged Technical Specification surveillance testing is sometimes noted as a compensatory measure for the IST interval extensions associated with IST Medium and IST Low ranked components. An example is the slave relay testing which is currently performed quarterly and exercises 3-3

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT IMPLEMENTATION AND MONITORING PROGRAM numerous IST components. Other compensatory measures include exercising components during plant scheduled activities, such as equipment rotation required to support maintenance and surveillance testing during the normal twelve week work schedule.

Components that were the subject of a previously NRC-approved relief request are summarized in Section 2.1.2. As discussed therein, the current NRC-authorized relief (or alternative) remains appropriate and will continue in concert with this request. As Section 2.1.2 indicates, two current program relief requests relate to pumps, and three relief requests for valves.

The following describes the proposed testing strategy for each group of components and is considered consistent with the existing NRC positions on component test strategies. The strategy also appears to agree with the general direction that the NRC is encouraging the ASME Code groups to take in defining test strategies for components categorized as being either high or low safety significant.

3.1.1.1 Motor-Operated Valves (MOVs)

"*ISTHigh Diagnostic testing will be performed in accordance with NRC Generic Letter 89-10 and 96 05 commitments as described in the Joint Owners Group Periodic Verification Program (JOG PV Program). Testing will include stroke time testing per the Code of Record and diagnostically testing these MOVs in accordance with STP commitments to the JOG PV Program.

" IST Medium Testing will include exercising all valves in each group at least once per refueling cycle and diagnostically testing these MOVs in accordance with STP commitments to the JOG PV Program. MOVs with safety functions not tested in accordance with the above GNL requirements are tested per the Code of Record, except, based on evaluation of design, service condition, performance history, and compensatory actions, at a test frequency not to exceed 6 years (plus a 25% margin) and exercised at least once during a refueling cycle.

"* IST Low Testing will include exercising all valves in each group at least once per refueling cycle and diagnostically testing these MOVs in accordance with STP commitments to the JOG PV Program. MOVs with safety functions not tested in accordance with the above GNL requirements are tested per the Code of Record, except, based on evaluation of design, 3-4

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT IMPLEMENTATION AND MONITORING PROGRAM service condition, and performance history, at a test frequency not to exceed 6 years (plus a 25% margin) and exercised at least once during a refueling cycle.

Seat leakage testing, if required, will be per the Code of Record.

STP will ensure procedurally that the potential benefits (such as identification of decreased force output and increased force requirements) and potential adverse effects (such as accelerated degradation due to aging or valve damage) are considered when determining the appropriate testing for each MOV.

RI-IST program and MOV trend procedures will contain guidance to ensure performance and test experience from previous tests are evaluated to justify the periodic verification interval.

STP will develop and proceduralize a method to determine an MOV test interval that is based on IDP final risk ranking, available valve margin, and valve performance history. The method will be comprised of an evaluation of risk ranking, relative margin, and group as well as individual valve performance.

The result of the evaluation determines the testing interval with the most frequent testing interval applied to high risk, low margin valves with poor, or questionable performance history.

Stepwise increases in interval out to the maximum allowable interval depend on the combination of risk rank, margin, and performance history.

The motor-operated valve testing strategy described above is consistent with the guidance provided in Section 3.1 of RG 1.175.

3.1.1.2 Relief Valves Testing of relief valves will continue to be conducted in accordance with the Code of Record (OM-1) with no change in test interval. Should performance history change, STP will rank valves per the Integrated Decision-making Process (IDP) and extend intervals accordingly. The initial testing strategy will be:

"*ISTHigh Testing will be performed in accordance with the Code of Record as defined in 10CFR50.55a.

"*ISTMedium Testing will be performed in accordance with the Code of Record as defined in 10CFR50.55a.

3-5

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT IMPLEMENTATION AND MONITORING PROGRAM IIST Low Testing will be performed in accordance with the Code of Record as defined in 10CFR50.55a.

3.1.1.3 Check Valves Check valves will be tested in accordance with the Code of Record (OM-10) with the exception that the test frequency will be in accordance with the component risk categorization defined below:

" IST High Testing will be performed in accordance with the ASME Code of Record as defined by 10CFR50.55a. Check valves will also be included in a Condition Monitoring program as defined by Appendix Xl of the 1995 edition of the OM Code with the 1996 Addenda as accepted with conditions by the NRC. (RAI 21B)

"*IST Medium Testing will be performed in accordance with the ASME Code of Record as required by 10CFR50.55a except, based on evaluation of design, service condition, performance history, and compensatory measures, the test interval may be extended not to exceed 6 years (plus a 25% margin).

"*IST Low Testing will be performed in accordance with the ASME Code of Record as defined by 10CFR50.55a except, based on evaluation of design, service condition, and performance history, the test interval may be extended not to exceed 6 years (plus a 25% margin).

IST High, IST Medium, and IST Low check valves at STP are included in the Check Valve Program (CVP), which has been developed to provide confidence that check valves will perform as designed. Station procedure(s) establish testlexam frequencies, methods, and acceptance criteria and provide performance-monitoring requirements for check valves in the CVP. Check valves in the CVP include check valves that are in the IST program, check valves identified as susceptible to unusually high wear, fatigue, or corrosion, and special valves used for personnel safety. The CVP includes approaches for identification of existing and incipient check valve failures using non-intrusive (e.g., radiography, acoustic emission (AE), magnetic flux (MF),

and/or ultrasonic examination (UT) testing methods) and disassembly examination. Test data will be used (e.g., trended as appropriate) to provide confidence that check valves in the CVP 3-6

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT IMPLEMENTATION AND MONITORING PROGRAM will be capable of performing their intended function until the next scheduled test activity.

Check valves may be added to or deleted from the CVP based on non-intrusive testing, disassembly examination results, component replacement, or site maintenance history. The CVP is assessed and updated as appropriate with new design and operational information, and incorporates any applicable site or industry lessons learned.

The check valve testing strategy described above is consistent with the guidance provided in Section 3.1 of RG 1.175.

3.1.1.4 Air-Operated Valves (AOVs)

"*IST High Testing will include stroke time testing per the Code of Record as required by 10CFR50.55a. For high-risk air-operated valves, sufficient information will be gathered (i.e.

AOV program) to ensure that the health of the valve can be adequately assessed. (RAI 22)

"* IST Medium Testing will be performed in accordance with the Code of Record as required by 10CFR50.55a, except based on evaluation of design, service condition, performance history, and compensatory actions, the test interval may be extended not to exceed 6 years (plus a 25% margin). Additionally IST Medium AOVs will be stroked at least once during each operating cycle.

"* IST Low Testing will be performed in accordance with the Code of Record as defined by 10CFR50.55a, except based on evaluation of design, service condition, and performance history, the test interval may be extended not to exceed 6 years (plus a 25% margin).

Additionally, IST Low AOVs will be stroked once during the operating cycle.

Diagnostic testing, trending, and other maintenance activities performed for high-risk AOVs are adequate to provide assurance of the operational readiness and to ensure timely identification of performance degradation. The IST coordinator will periodically assess the information from these activities to determine if other special testing requirements are needed. During periodic reassessments, the RI-IST working group will verify that these activities remain effective or take action to implement additional RI-IST program requirements.

(RAI 23)

The AOV testing strategy described above is consistent with the guidance provided in Section 3-7

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT IMPLEMENTATION AND MONITORING PROGRAM 3.1 of RG 1.175.

3.1.1.5 Hydraulic Valves (HOVs), Solenoid Valves (SOVs), and Others (Manual Valves, etc.)

STP proposes to test these valves in accordance with the Code of Record (OM-10) with the exception that the test frequency will be in accordance with the component risk categorization defined below:

"*ISTHigh Testing will be performed in accordance with the Code of Record as required by 10CFR50.55a.

"* IST Medium Testing will be performed in accordance with the Code of Record as required by 10 CFR 50.55a except, based on evaluation of design, service condition, performance history, and compensatory actions, the test interval may be extended not to exceed 6 years (plus a 25%

margin). Additionally, IST Medium HOVs and SOVs will be stroked once during the operating cycle.

" IST Low Testing will be performed in accordance with the Code of Record as required by 10CFR50.55a except, based on evaluation of design, service condition, and performance history, the test interval may be extended not to exceed 6 years (plus a 25% margin).

Additionally, IST Low HOVs and SOVs will be stroked once during the operating cycle.

The testing strategy described above is consistent with the guidance provided in Section 3.1 of RG 1.175.

3.1.1.6 Pumps Pumps will be tested in accordance with the Code of Record (OM-6) with the exception that the test frequency may be in accordance with the component risk categorization defined below:

I1ST High Testing will be performed in accordance with the Code of Record as required by 10CFR50.55a.

3-8

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT IMPLEMENTATION AND MONITORING PROGRAM "ISTMedium Testing will be performed in accordance with the Code of Record as required by 10CFR50.55a except based on evaluation of design, service condition, performance history, and compensatory actions, the test interval may be extended not exceed 6 years (plus a 25% margin). At least one pump in each IST group will be tested each refueling cycle.

(RAI 21)

" IST Low Testing will be performed in accordance with the Code of Record as required by 10CFR50.55a except, based on evaluation of design, service condition, and performance history, the test interval may be extended not to exceed 6 years (plus a 25% margin).

All pumps receive:

"* Periodic thermography of their driver,

"* Lube oil analysis,

"* Alignment checks performed following major pump maintenance (using vibration analysis methods to confirm alignment),

"* Motor current testing (when the motor current testing program is implemented),

" Vibration monitoring (required by the current Code), and

"* Flange loading checks of connected piping (note that this flange-loading test is not periodic, but is performed after major maintenance/overhauls that require disassembly of any flange in a safety-related system).

Additional tests (e.g., thermography of the driver, or motor current testing) are predictive in nature and involve trending of parameters that need to be compared more frequently in order to provide meaningful results. This augmented testing program for pumps provides reasonable assurance that adequate pump capacity margin exists such that pump operating characteristics over time do not degrade to a point of insufficient margin before the next scheduled test activity.

3.1.2 Non-IST High Risk Components Performance testing, trending, comprehensive maintenance activities, and Maintenance Rule program controls are adequate to provide assurance of the operational readiness and to ensure timely identification of performance degradation for these high risk components. These components will be tracked in the IST program and information from these activities will be 3-9

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT IMPLEMENTATION AND MONITORING PROGRAM collected and periodically assessed by the IST Program coordinator. Trending of this information will be used to determine if additional testing requirements should be implemented.

During periodic reassessments, the RI-IST working group will verify that these activities remain effective or take action to implement additional RI-IST program requirements. (RAI 4) 3.2 Program Implementation Implementation of STP's RI-IST Program consists of grouping components and then staggering the testing of the group over the extended test interval for those components ranked IST Medium or IST Low.

3.2.1 Grouping STP performed a rigorous grouping analysis that involved several component attributes. The results of the grouping analysis are presented in Attachment 4. The groups share the following distinct characteristics:

"* System

"* Component type (MOV, AOV, Check Valve, etc.)

"* Manufacturer

" Size

" Style (globe, gate, swing check, tilt disk, etc.)

" Application (pump discharge, flow path, orientation, etc).

The grouping attributes selected and listed above satisfy NRC criteria provided in NUREG 1482. The required sampling techniques described in NUREG-1482/Generic Letter 89-04, Position 2 are design, service condition, and valve orientation.

Groups have been populated and testing has been scheduled such that the entire group will be tested over a range of quarterly to 6 years plus a 25% margin, depending on the size, safety and risk significance, and past performance of valves in the group. The population of the group proved to be dependent upon the total available population of the component, as well as consideration of the testing schedule that the program seeks to maintain.

The staggered test model allows trending and monitoring of the performance of components in the group to ensure that the selected test frequency is appropriate. Grouping components in this manner and testing on a staggered basis over the test frequency will reduce the importance of common cause failure modes, as selected components in the same staggered failure mode 3-10

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT IMPLEMENTATION AND MONITORING PROGRAM group are periodically tested over the group's extended test interval, ensuring that component capability will be maintained over the test interval. The sequence of testing will be repeated to ensure the maximum amount of time between testing of a component does not exceed the six year test interval plus a 25% margin.

In some instances during diagnostic testing of MOVs, adjustments are made which could result in a change in the design margin for the valve. The testing interval as determined by the MOV program is dependent on the component ranking and margin. MOV testing procedures include a method to make adjustments to the interval as a result of any changes to the component's margin. The interval change will be evaluated for impact to the staggered testing schedule.

Whenever staggered testing is not practical as a result of the different intervals within the MOV group, then testing will be scheduled to the extent possible to maintain the intent of the staggered testing philosophy.

If a component failure is determined to have generic implications, a plan of action for inspection/testing of the remaining components in the group will be developed utilizing the Condition Reporting Process and the guidance provided in Generic Letter 91-18. This plan of action will take into account the potential failure modes and their associated plant impacts and will be implemented in a time frame commensurate with their safety significance. (RAI 19)

The valve group designators are composed of the system and a sequential number. Since Units 1 and 2 are essentially identical, the IST program will only describe one group that is typical for both units. History from both units is included in the integrated decision-making process.

In summary, the IST Medium or IST Low valves in any group may have the testing staggered over an extended period (e.g., up to 6-years, plus 25% margin) based on design, service condition, performance history, risk ranking, compensatory actions (for IST Medium valves),

and the number of valves in a group. Testing will be scheduled on a staggered test basis to ensure:

"* All valves in the group are tested at least once during the staggered test interval and,

"* Not all components are tested at one time.

Generally, extensions for IST Medium and IST Low ranked components adhere to the following model (Attachment 4 contains the staggered test interval):

3-11

RIsK-INFoRMED IST PROGRAM FOR SOUTH TEXAS PROJECT IMPLEMENTATION AND MONITORING PROGRAM VALVES PER GROUP FINAL TEST INTERVAL 1 18 months 2 (or multiples of 2) 3yr - 3YR(S) 3 (or multiples of 3) 54 months - 54M0(S) 4 (or multiples of 4) 6 yr - 6YR (S)

Note: The "(S)" indicates a staggered test 3.3 Performance Monitoring of IST Components In addition to the specific inservice testing proposed for each component group discussed in Section 3.1.1 above, the RI-IST program will perform the following additional monitoring for each component group. The additional performance monitoring activities listed below by component type are applicable to all components within a given group regardless of individual ranking.

The proposed monitoring plan is sufficient to detect component degradation in a timely manner.

Further, the monitoring activities identified for each component group ensure that the following criteria are met:

" Sufficient tests are conducted to provide meaningful data.

" The inservice tests are conducted such that incipient degradation can reasonably be expected to be detected.

" Appropriate parameters are trended to provide reasonable assurance that the component will remain operable over the test interval.

The proposed performance monitoring plan is sufficient to ensure that degradation is not significant for components placed on an extended test interval, and that failure rates assumed for these components are not significantly compromised. The proposed performance monitoring, when coupled with STP's corrective action program (discussed in Section 2.4.1),

ensures corrective actions are taken and timely adjustments are made to individual component test strategies and intervals where appropriate.

The STP RI-IST Program is reassessed at a frequency not to exceed once every three years (plus a 25% margin), to reflect changes in plant configuration, component performance test 3-12

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT IMPLEMENTATION AND MONITORING PROGRAM results, industry experience, and other inputs to the process. Configuration changes are assessed in concert with the current design change process. Therefore, the monitoring process for RI-IST is adequately coordinated with existing programs (e.g., Condition Reporting program, Maintenance Rule monitoring, and design change process) for monitoring component performance and other operating experience on this site and, where appropriate, throughout the industry. Although the monitoring of reliability and unavailability goals for operating and standby systems/trains is required by the Maintenance Rule, it alone might not be sufficient to ensure operational readiness of components in the RI-IST program. The STP Condition Reporting program requires timely operability assessment for component performance issues detected outside the auspices of the IST program. This process, coupled with the evaluations performed in accordance with the Maintenance Rule, and in concert with IST trending, ensures continued operational readiness of RI-IST components.

Preventive maintenance activities are dictated by the individual component procedures.

Intervals range from one to five refueling cycles depending on component type, application, and individual performance history. The periodicity may be altered as accumulated data and industry experience warrant via site procedures, the IDP, and the 10CFR50.59 change process.

The specific inspection points may vary as dictated by inspection and diagnostic test results.

The preventive maintenance activities currently include the items listed below:

Motor-OperatedValves (MOVs)

"* Actuator electrical inspections Limit switch assemblies Torque switch assemblies Leads, jumpers, lugs, caps, tape, space heaters, environmentally qualified (EQ) wire splices and cable ties Inspect terminal blocks, motor T-drains Assess motor overheating indication Perform motor megger

" Actuator lubrication inspection Inspect for weeping, grease relief function, grease level in main gear and clutch housing, and grease quality 3-13

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT IMPLEMENTATION AND MONITORING PROGRAM Add grease to stem reservoir Lubricate upper drive sleeve bearing Lubricate valve bushing via grease fitting, stem threads, and yoke legs/anti-rotation plate on WKM globes

"* Inspect stem nut for tightness and staking, actuator type SB compensator spring housing for cracks, and stem protective cover

"* Valve PM activities

"* Other activities Perform handwheel operation Visual inspection for gross irregularities, upper bearing housing cover for warping on SMB-000, Remove springpack/worm to inspect spring pack, worm, worm gear, torque switch roller, grease in main housing Remove motor to inspect motor pinion, worm shaft gear, declutch mechanism, and grease in motor compartment Verify/tighten actuator mounting bolts, anti-lock rotation plat jam nuts Verify/adjust actuator stop nuts and monitor stem nut thread condition Relief Valves

"* Test results trended

"* New valves tested prior to installation

"* Valves set as close to nominal as practical Check Valves

"* Combination of acoustic, magnetic, and/or ultrasonic testing methods are used as appropriate

"* Data retrieved from these methods are compared with previous results and the differences evaluated

"* Open and close testing

"* Check valve disassembly inspections are performed where other testing is not practicable 3-14

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT IMPLEMENTATION AND MONITORING PROGRAM

"* Leak rate testing is performed by 10 CFR 50, Appendix J program

"* Leak testing for check valve closed exercise testing where appropriate Air-OperatedValves (AOVs)

"* Static diagnostic testing performed following valve or actuator overhaul or corrective maintenance that could impact valve function or as requested

"* Routine overhauls

"* Disassembly, cleaning, inspection

"* Replacement of elastomers

"* Re-assembly and testing

"* Response time testing

"* Valves exposed to extreme environmental conditions will have repetitive maintenance orders for actuator replacement Dynamic testing (the following testing parameters as applicable)

"* Bench set, maximum pneumatic pressure, seat load, spring rate, stroke time, actual travel, total friction

" Setpoint of pressure switch(s) relief valve, regulator, etc.

" Minimum pneumatic pressure to accomplish safety function of valve assembly

" Pneumatic pressure at appropriate point in operation

"* Others as applicable Pumps

"* Margin to safety limit deviations - head curves

"* Lube oil analysis

"* Alignment checks

"* Motor current testing

"* Vibration monitoring

"* Thermography 3-15

RIsK-INFoRMED IST PROGRAM FOR SOUTH TEXAS PROJECT IMPLEMENTATION AND MONITORING PROGRAM 3.4 Feedback and Corrective Action Program When a component with an extended test interval fails to meet established test criteria, corrective actions will be taken in accordance with the STP Condition Reporting (CR) Program (the basic initiator for the corrective action program) as described below for the RI-IST program.

The STP CR program is initiated by component failures that are detected by the IST program, as well as by other mechanisms, such as normal plant operation, or inspections. For components not meeting any acceptance criteria, a CR is generated. This document initiates the corrective action process.

For example, during a pump IST, the discharge check valve is effectively tested during the course of the pump test. Since the pump test can not be considered satisfactory if the check valve fails to perform its risk-significant function (i.e., open), a test failure would be recorded and a CR would be initiated. The recorded information could then be used to assess whether a significant change in component reliability has occurred such that the component would merit a change in test interval.

Note, however, that the initiating CR event may be derived from causes other than an unacceptable IST test. In fact, the initiating event could be any other indication that the component is in a non-conforming condition. When an unsatisfactory condition occurs, it is evaluated to fulfill the following objectives:

(1) Determine the impact on system operability and take appropriate action; (2) Review the previous test data for the component and all components in the group; (3) Perform a root cause analysis, as appropriate; (4) Determine if the event is a generic failure. If it is a generic failure whose implications affect a group of components, initiate corrective action for all components in the affected group; (5) Initiate corrective action for failed IST components; and (6) Evaluate the adequacy of the test strategy. If a change is required, review the IST test schedule and change as appropriate.

As is apparent from the CR process outlined above, the STP corrective action guidance and procedures achieve the following objectives:

3-16

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT IMPLEMENTATION AND MONITORING PROGRAM

"* The procedures comply with Criterion XVI, "Corrective Action" as specified by Appendix B to 10 CFR Part 50.

" The procedures institute a process that determines the impact of the failure or nonconforming condition on system/train operability. STP refers to the appropriate Technical Specification when component capability cannot be demonstrated.

" The procedures determine and correct the apparent or root cause of the failure or nonconforming condition (e.g., improve testing practices, repair or replace the component).

" The procedures assess the applicability of the failure or nonconforming condition to other components in the IST program (including any test population expansion that may be required for grouped components such as relief valves).

"* The procedures correct other susceptible similar IST components as necessary.

" The procedures consider the effectiveness of the component's test strategy (i.e.,

frequency and methods) in detecting the failure or nonconforming condition. They adjust the test frequency or methods or both, as appropriate, where the component (or group of components) experiences repeated or age-related failures or nonconforming conditions.

Corrective actions affecting the design and operation of the plant are reviewed by the PRA group during regular PRA updates so that necessary model changes and PRA component re categorization are incorporated as appropriate.

Performance history and data, including the adequacy of compensatory measures, are fed back through the site processes to the IST Coordinator and the RI-IST Working Group. In this way, any unacceptable performance is detected early and can be factored into the program. If an ineffective test interval is detected, it is evaluated through the corrective action program and resolved through appropriate changes to the IST Program.

Additionally, as part of the corrective action process, the IST Coordinator evaluates the necessity of increasing the test frequency (i.e., decreasing the time between tests) of a component (or group of components) if the cause of failure is determined to be age-related.

Furthermore, the STP Inservice Testing Program procedure will be modified to require the evaluation of the effects of a component failure or degradation for common causes across other plant systems. Therefore, the RI-IST feedback and corrective action process is consistent with he acceptance guidelines contained in Section 3.4 of RG1.175.

3-17

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT IMPLEMENTATION AND MONITORING PROGRAM 3.5 Periodic Reassessment As a living process, components will be reassessed at a frequency of three years (plus 25%

grace) to reflect changes in plant configuration, component performance test results, industry experience, and other inputs to the process. The RI-IST reassessment will be completed within nine months of completion of the three-year interval. Significant changes in plant configuration may require a more expedient assessment. One or more such emergent modifications resulting in significant changes in the PRA model is an example that would require a more expedient assessment.

During periodic reassessments, the RI-IST working group will verify that other program activities relied upon for the initial determination of RI-IST program scope and testing methodologies remain effective or take action to implement additional RI-IST program requirements. Specific areas to consider are components that are high risk but not traditionally tested within IST Programs. (RAI 4) Also, the RI-IST working group will evaluate the effectiveness of the STPNOC AOV program for category 1 AOVs and take action to implement additional RI-IST program requirements if necessary. (RAI 23)

Part of this periodic reassessment will involve feedback to the PRA group. This includes information such as components tested since the last reassessment, number and type of tests, number of failures, corrective actions taken including generic implication and changed test frequencies. Once the PRA has been reassessed, risk information will be re-introduced to the Integrated Decision-making Process (IDP) for RI-IST Working Group deliberation and confirmation of the existing lists of IST Highs, IST Mediums and IST Lows or modification of these lists based on the new data. As part of the IDP, confirmatory measures previously used to categorize components as IST Medium or IST Low will be validated. Additionally, the maximum test interval will be verified or modified as dictated by the IDP.

The risk analysis performed for the initial Risk-informed IST Program is updated every three years. As part of the update, plant-specific performance histories are analyzed by the PRA analysts and incorporated into the PRA models, then component importance is recalculated.

The Expert Panel then reviews the performance histories and PRA inputs and determines if any IST Medium or IST Low groups should be re-categorized as IST High because of plant-specific performance, or vice versa. This approach is considered to be both prudent and conservative, since it ensures that the RI-IST process evaluates any new IST components before its ASME Code test requirements are relaxed.

3-18

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT IMPLEMENTATION AND MONITORING PROGRAM For each IST Medium, the RI-IST Working Group either selected a compensatory measure or provided justification, based on model and performance considerations, why a compensatory measure was not required. Compensatory measures are tests and other activities that could be credited to reduce the increase in core damage frequency associated with test interval changes (e.g., pump operability test or pump IST for pump discharge check valves, slave relay test for MOVs, normal instrumentation monitoring, locked valve program, actuation logic testing).

Compensatory measures used as part of the IDP process to qualitatively justify the extension of a test interval will be re-verified during the IDP process update.

3-19

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT CONCLUSIONS

4.0 CONCLUSION

S The Executive Summary outlines the project scope, provides a succinct picture of STP's approach to addressing these issues, describes a basis for this approach, and identifies key project results and the most significant benefits derived from this project. The STP RI-IST team garnered insights from the experience of previous RI-IST projects and enhanced the proposed STP RI-IST program utilizing the latest regulatory insights and key experts within the STP organization as well as the industry at large. The result is a significantly enhanced program that more clearly delineates the importance of key plant equipment while optimizing the existing testing program to ensure acceptable equipment performance and safety margins are maintained. STP has confidence in these results based on insights from the PRA risk evaluations, equipment performance history, and comprehensive evaluations by key plant and industry experts.

The benefits of the STP integrated decision-making process -- inclusive of the RI-IST Working Group and plant Expert Panel -- may not be directly evident to the casual observer, but they are far reaching in their overall impact. The entire process not only improves the IST program but, as with any comprehensive cross-functional program, it also raises the awareness across departmental boundaries, identified strengths and weaknesses in the IST and related programs, and reinforced the importance of teamwork within the organization. Key operations, maintenance, and engineering personnel involved in the RI-IST process have improved their understanding of the importance of equipment within the IST program.

4-1

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT NOTES AND REFERENCES 5.0 NOTES AND REFERENCES

1. Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk informed Decisions on Plant-specific Changes to the Licensing Basis," July 1998.
2. Regulatory Guide 1.175, "An Approach for Plant-specific, Risk-informed Decisionmaking:

Inservice Testing," August 1998.

3. "Safety Evaluation by the Office of Nuclear Reactor Regulation Related to the TU Electric Request to Implement a Risk-informed Inservice Testing Program at Comanche Peak Steam Electric Station (CPSES), Units 1 And 2, Docket Numbers 50-445 And 50-446."
4. "Safety Evaluation by the Office of Nuclear Reactor Regulation Related to the Southern Califomia Edison Request to Implement a Risk-informed Inservice Testing Program at San Onofre Nuclear Generating Station, Units 2 and 3, Docket Numbers 50-361 and 50-362."
5. Nuclear Regulatory Commission, "Use of Probabilistic Risk Assessment Methods in Nuclear Regulatory Activities; Final Policy Statement," Federal Register, Vol. 60, No. 158, August 16, 1995.
6. "Safety Evaluation by the Office of Nuclear Reactor Regulation [Related to the] Houston Lighting and Power Company South Texas Project, Units 1 and 2, Graded Quality Assurance Program, Docket Numbers 50-498 and 50-499."
7. "Safety Evaluation by the Office of Nuclear Reactor Regulation, Risk-informed Exemptions from Special Treatment Requirements, STP Nuclear Operating Company, South Texas Project Electric Generation Station, Units 1 and 2, Docket Nos. 50-498 and 50-499."
8. Containment isolation valves to be tested per 10 CFR 50, Appendix J, Option B account for less than 5% (27 components) of the Unit 1 IST components.
9. NRC Correspondence dated March 15,1999, Inservice Testing Program Relief Request RR 17, South Texas Project, Units 1 and 2.
10. The RI-IST program study employs the results of the risk-informed GQA program study.
11. NRC's (Office of Nuclear Reactor Regulation) January 21, 1992 safety evaluation report on the Level I PSA submitted on April 14, 1989.
12. NRC's (Office of Nuclear Reactor Regulation) August 31, 1993 safety evaluation on the external events analysis in the Level 1 PSA submitted on April 14, 1989.
13. NRC's (Office of Nuclear Regulatory Research) June 27, 1995 staff evaluation of the Level 2 enhancements made to the 1989 PSA and submitted as the licensee's Individual Plant Examination (IPE) on August 28,1992.
14. South Texas Project Electric Generating Station Level 2 Probabilistic Safety Assessment and 5-1

RISK-INFORMED IST PROGRAM FOR SOUTH TEXAS PROJECT NOTES AND REFERENCES Individual Plant Examination, August 1992.

15. A Review of the South Texas Project Probabilistic Safety Analysis for Accident Frequency Estimates and Containment Binning, NUREG/CR-5606, August 1991.
16. Review of South Texas Project Units 1 and 2 Individual Plant Examination of External Events (IPEEE) Submittal NRC letter, dated 12/15/98.
17. The safe shutdown earthquake for STP is 0.1g.
18. Notice of Consideration of Issuance of Amendments - South Texas Project, Units 1 and 2 (Tac Nos. M92169 and M92170), Safety Evaluation Report of Diesel Generator Extended Allowed Outage Time, NRC letter dated February 2, 1996.
19. The Westinghouse Owners Group (WOG) Certification of the South Texas Project PRA is currently scheduled for April 2002
20. "Safety Evaluation by the Office of Nuclear Reactor Regulation [Related to the] Houston Lighting and Power Company South Texas Project, Units 1 and 2, Graded Quality Assurance Program, Docket Numbers 50-498 and 50-499," section 3.2.6.
21. Containment isolation valves to be tested per 10 CFR 50, Appendix J, Option B account for less than 5% (27 components) of the Unit 1IST components.
22. All system level truncation levels are less than 1E-1 1 and only one systems analysis is equal to 1E-11.
23. Memorandum from Dr. William E. Vesely of SAIC to Mr. Mark Cunningham of NRC, "Reservations with ASME Risk-based Inservice Inspection and Testing," April 17' 1996.
24. NUREG/CR-6508, "Component Unavailability versus Inservice Test (IST) Interval: Evaluations of Component Aging Effects with Applications to Check Valves," developed by Oak Ridge National Laboratory for the NRC's Division of Engineering Technology Office of Nuclear Regulatory Research, July 1997.
25. E.V. Lofgren, et al., "Nuclear Power Plants Standby and Demand Stress Component Failure Modes: Methodology, Database, and Risk Implications," prepared by SAIC for US NRC Divisions of Systems Research Probabilistic Risk Analysis Branch, February 1992.

5-2

ATTACHMENT 3 RISK-INFORMED INSERVICE TESTING PROGRAM DESCRIPTION

SUMMARY

- REVISED

RISK-INFORMED IST RELIEF REQUEST FOR STP PROGRAM DESCRIPTION

SUMMARY

RISK-INFORMED INSERVICE TESTING PROGRAM DESCRIPTION

SUMMARY

- REVISED The document presents a proposed alternative to the ASME Section Xl Inservice Testing Program at the South Texas Project. It is a risk-informed process which determines the safety significance and testing strategy of components in the ASME Section Xl Inservice Testing (IST) Program, and identifies non ASME IST components (pumps & valves) modeled in the Probabilistic Risk Assessment (PRA) determined to be High Safety Significant Components (HSSCs). The risk-informed inservice testing (RI IST) process consists of the following elements:

1. Categorize components by Fussell-Vesely (FV) and Risk Achievement Worth (RAW) importance measures based on the STP Living PRA. (PRA Process)
2. Blend deterministic and probabilistic data to perform a final importance categorization of components as either IST Low (Low), IST Medium (Medium), or IST High (High). (Integrated Decision-making Process - IDP)
3. Develop/Determine Test Frequencies and Test Methodologies for the ranked components.

(Testing Philosophy)

4. Evaluate cumulative risk impact of new test frequencies and test methodologies to ensure risk reduction or risk neutrality. (Cumulative Risk Impact)
5. Develop an implementation plan. (Implementation)
6. Develop a performance monitoring plan for RI-IST Components. (Monitoring)
7. Develop a corrective action plan. (Corrective Action)
8. Perform periodic reassessments. (Periodic Reassessment)
9. Develop a methodology for making changes to the Risk-informed Inservice Testing (RI-IST) program. (Changes to RI-IST)

With these elements and their implementation, the key safety principle discussed in the Basis for Acceptance is maintained.

Page 1 of 20

RISK-INFORMED IST RELIEF REQUEST FOR STP PROGRAM DESCRIPTION

SUMMARY

1.0 PRA PROCESS PRA methodology facilitates determination of the risk significance of components based on end states of interest, such as core damage frequency (CDF) and release of radioactivity (e.g., large early release frequency (LERF)).

The PRA used to develop the importance measures is adequate for this application, and is complemented by the Integrated Decision-making Process (IDP), which includes an RI-IST Working Group and plant Expert Panel performance and review of the component categorization process, respectively. Evaluation of initiating events also includes loss of support systems and other special events such as Loss of Coolant Accident (LOCA), Steam Generator Tube Rupture (SGTR), Station Blackout (SBO), and Anticipated Transient Without Scram (ATWS).

The STP living PRA is used to initially categorize components based on risk importance and also used to calculate changes in core damage frequency and large early release frequency. The initial categorization and change in CDF and LERF is provided to the working group as part of the IDP. The quality of the Living PRA is maintained under a formal PRA change and review process to ensure that the component importance measures and CDF/LERF calculations accurately reflect the as-built design and operation of STP.

The PRA is updated periodically (See Section 8.0) to reflect the current plant design, procedures, and programs.

Component Rankinq Two figures of merit are used to initially categorize components: Fussell-Vesely (FV) and Risk Achievement Worth (RAW). For the RI-IST Program, the following criteria are used to initially rank components for review by the Integrated Decision-making Process (IDP).

Category Criteria RAW > 100.0 OR IST High FV > 0.01 OR FV > 0.005 and RAW >2.0 FV < 0.005 and 100.0> RAW >10.0 IST Medium 0.01 > FV >0.005 and RAW < 2.0 OR FV < 0.005 and 10.0 > RAW >2.0 IST Low FV<0.005 and RAW<2 Page 2 of 20

RISK-INFORMED IST RELIEF REQUEST FOR STP PROGRAM DESCRIPTION

SUMMARY

These CDF and LERF thresholds, coupled with the cumulative risk impact evaluation detailed in Section 4.0, ensure that the cumulative risk impact due to changes in test frequencies are within the acceptance guidelines of Regulatory Guides 1.174.

Methodology/Decision Criteria for PRA The following describes a methodology that will be used to categorize components in the RI-IST when the program is reassessed. However, only those elements that are significantly affected by the model changes (e.g., design modifications or procedural changes) need to be reviewed in detail using this process. The scope of the review and the justification for it is documented as part of the IDP. The following steps are applied by the IDP:

1. Review FV and RAW importance measures for pumps and valves considered in the PRA against the classification criteria.
2. Review component importance measures to ensure that their bases are well understood and are consistent with the STP specific levels of redundancy, diversity, and reliability.

PRA Limitations To address limitations in the PRA, STP PRA analysts apply the following treatments:

a) Address the sensitivity of the results to common cause failures (CCF), assuming all/none of the CCF importance is assigned to the associated component.

b) Evaluate other sensitivity studies (e.g., a study that evaluates the effects due to human action modeling). Identify/evaluate proceduralized operator recovery actions omitted by the PRA that can reduce the ranking of a component.

c) Consider industry history for particular IST components. Review such sources as NRC Generic Letters, Significant Operating Event Reports (SOERs), and Technical Bulletins and rank accordingly.

d) For components with high RAW and low FV, ensure that other compensatory measures are available to maintain the reliability of the component.

e) Identify and evaluate components whose performance shows a history of causing entry into limiting conditions for operation (LCO) conditions. To ensure that safety margins are maintained, consider retaining the ASME test frequency for these components.

Level II(LERF)

Consider components/systems that are potential contributors to large, early release. Determine LERF FV and RAW for components and/or determine which would have the equivalent of a high FV or low FV and high RAW with respect to LERF and rank accordingly. Also, in order to ensure that containment integrity continues to be maintained, consider:

"* Containment isolation features that may not directly impact the value of LERF, and

"* Interfacing systems LOCA that may provide a direct release path outside containment.

Page 3 of 20

RISK-INFORMED /ST RELIEF REQUEST FOR STP PROGRAM DESCRIPTION

SUMMARY

IST Components Not in the PRA Review scenarios involving the "not-modeled" IST components to validate that the components are in fact low risk.

High-Risk PRA Components Not in the IST Program

"* Identify, if any, other high risk pumps and valves (or, possibly non-Code components) in the PRA that are not in the IST program but should be tested commensurate with their importance.

"* Determine whether current plant testing is commensurate with the importance of these components. If not, determine what test, e.g., the IST test, would be the most appropriate.

Other Considerations Review the PRA to determine that sensitivity studies for cumulative effects and defense in depth have been adequately addressed in the determination of component importance factors.

2.0 Integrated Decisionmaking Process The purpose of using the IDP is to confirm or adjust the initial risk ranking developed from the PRA results, and to provide a qualitative assessment based on engineering judgement and expert experience.

This qualitative assessment compensates for limitations of the PRA, including cases where adequate quantitative data is not available.

The IDP uses deterministic insights, engineering judgement, experience, and regulatory requirements as detailed in this section. The IDP will review the initial PRA risk ranking, evaluate applicable deterministic information, and determine the final safety significance categories. The IDP considerations will be documented for each individual component to allow for future repeatability and scrutiny of the categorization process.

The scope of the IDP includes both categorization and application. The IDP is to provide deterministic insights that might influence categorization. The IDP will identify components whose performance justifies a higher categorization.

The IDP determines appropriate changes to testing strategies. The IDP identifies compensatory measures for medium safety significant components, or justify the final categorization. The IDP also concurs on the test interval for components categorized as a Low Safety Significant Component (LSSC).

The end product of the IDP is components categorized as IST Low, IST Medium, or IST High.

In making these determinations, the IDP ensures that key safety principles (namely defense-in-depth and safety margins), are maintained. It also ensures the changes in risk for both CDF and LERF are acceptable per the guidelines discussed in Section 1.0 above. The key safety principles are described below.

Defense-in-Depth The STP RI-IST program ensures consistent defense-in-depth by maintaining strict adherence to seven objectives of the defense-in-depth philosophy described in Regulatory Guides 1.174 and 1.175. The Page 4 of 20

RISK-INFORMED IST RELIEF REQUEST FOR STP PROGRAM DESCRIPTION

SUMMARY

review and documentation of these objectives are an integral feature of the IDP for future changes to the program. Those objectives are:

1) A reasonable balance is preserved among prevention of core damage, prevention of containment failure, and consequence mitigation. Multiple risk metrics, including CDF and LERF, will be used to ensure reasonable balance between risk end states (Objective 1).
2) No change to the plant design or operations procedures will be made as part of the RI-IST program which either significantly reduces defense-in-depth, barrier independence or places strong reliance on any particular plant feature, human action, or programmatic activity (Objective 2, 5).
3) The methodology for component categorization --namely the selection of importance measures and how they are applied and understanding the basic reasons why components are categorized IST Low, Medium, or High-- is reviewed to ensure that redundancy and diversity are preserved as the more important principles. Component reliability can be used to categorize a component IST Low or IST Medium only when:

a) plant performance has been good, and b) a compensatory measure or feedback mechanism is available to ensure adverse trends in equipment performance can be detected in a timely manner.

Reviews will ensure that test frequency relaxation in the RI-IST program occurs only when the level of redundancy or diversity in the plant design or operation supports it. In this regard, all components that have significant contributions to common cause failure are reviewed to avoid relaxation of requirements on those components with the lowest level of diversity within the system (Objective 3, 4).

4) Performing sensitivity studies preserves defenses against human errors. Sensitivity studies are performed for human actions to ensure that components which mitigate the spectrum of accidents are not ranked low solely because of the reliability of a human action (Objective 6).
5) The intent of the General Design Criteria in 10CFRPart 50, Appendix A will be maintained (Objective 7).

Other Considerations Related To Defense-In-Depth When the PRA does not explicitly model a component, function, or mode of operation, a qualitative method may be used to classify the component IST High, IST Medium, or IST Low and to determine whether a compensatory measure is required. The qualitative method is consistent with the principles of defense-in-depth because it preserves the distinction between those components which have high relative redundancy and those which have only high relative reliability.

Page 5 of 20

RISK-INFORMED IST RELIEF REQUEST FOR STP PROGRAM DESCRIPTION

SUMMARY

Maintain Sufficient Safety Margin The IDP performs reviews consistent with Regulatory Guides 1.174 and 1.175 to ensure that sufficient safety margin is maintained when compared to the deterministic IST program. In performing this review, the IDP will consider such things as proposed changes to test intervals and, where appropriate, test methods. The IDP ensures that the proposed compensatory measures, when required by the program, are effective in maintaining adequate safety margin. To enhance the safety margin, the IDP also reviews PRA important components not in the current IST program for potential inclusion in the RI-IST program.

Categorization Guidelines Working Group Structure and Role The role of the RI-IST Working Group is crucial in ensuring that the results presented in this submittal are comprehensive. The Working Group not only considers the basis for the PRA risk measure for modeled components, but also qualitatively assesses the following for each component group:

"* The degree to which component failure leads to an increase in the frequency of initiating events,

"* The degree to which component failure leads to the failure of another safety system,

"* The degree to which component failure causes a transient,

"* The role of the component in the plant Emergency Operating Procedures (EOPs), and

"* The role of the component in plant shutdown.

As part of the process, the Working Group authors a narrative basis to support the final RI-IST categorization of each component group.

The Working Group consists of members with expertise in the following disciplines:

"* Power plant operations*,

"* Plant maintenance*,

"* PRA and nuclear safety analysis*,

"* Systems engineering,

"* Design basis engineering*,

"* Safety analysis (Chapter 15)*,

"* Quality assurance,

"* Licensing, and

"* Inservice testing (including ASME B&PV Code Section Xl and ASME Code Cases)*.

  • Denotes voting members. Five voting members are required for quorum.

Periodic participation by a plant licensing expert and other component or system experts is on an as required basis. Each core member of the Working Group shall have at least ten years experience in nuclear power and at least five years site-specific experience.

Page 6 of 20

RISK-INFORMED IST RELIEF REQUEST FOR STP PROGRAM DESCRIPTION

SUMMARY

The RI-IST Working Group uses plant knowledge, operating experience, and engineering judgment to perform the following tasks:

"* Verify component functional failure modes

"* Establish risk-informed categorizations for components not modeled in the PRA

"* Assess or provide qualitative deterministic criteria

"* Consider and/or provide insight concerning the component performance history. Specific attention was afforded to areas of poor or declining performance.

"* Address all significant safety and operational concerns

"* Validate component categorizations

"* Resolve questions relative to PRA model completeness

"* Resolve all questions raised during the review process The RI-IST Working Group considers the following factors in addition to the combination of risk significance and deterministic insights discussed above:

"* Important design basis functions not reflected in the risk categorizations

"* Impact of PRA scope limitations, assumptions, and model simplifications, such as exclusion of shutdown states

"* Importance of release states less severe than large early releases that are not explicitly reflected in the risk categorization scheme The RI-IST Working Group also considers as part of their evaluation the uncertainties caused by:

"* PRA model assumptions

"* Common cause or common mode failure rates

"* Treatment of support systems "a Level of definition of cutsets and cutset truncation

"* Model assumptions relative to repair and restoration of failed equipment

"* Human error rates used in the PRA

"* Limitations in the meaning of importance measures Based on the process outlined above, the Working Group makes a qualitative assessment of the RI-IST importance categories that were developed for the components using the PRA results and deterministic insights, plant-specific history, engineering judgements, and probabilistic risk analysis insights. The Working Group reviews the PRA component risk rankings, compares the PRA and IST functions to ensure consistency with plant design, and analyzes applicable deterministic information in its effort to resolve the final safety significance categorizations for all the IST components scrutinized.

Expert Panel Structure and Role Subsequent to Working Group initial RI-IST categorization of components, the STP Expert Panel considers and ultimately validates the results of all Working Group activities and studies performed by the Page 7 of 20

RISK-INFORMED IST RELIEF REQUEST FOR STP PROGRAM DESCRIPTION

SUMMARY

IST project members. The Expert Panel consists of members with expertise in the areas of power plant operations, plant maintenance, PRA and nuclear safety analysis, design engineering, and quality assurance. The Expert Panel serves as the central point of decision-making for major technical issues and offers guidance to risk-informed IST project members in performing their work. Because STP requires that the Expert Panel perform this very function for all plant risk-informed programs, consistency in decision bases and management of commitments across plant programs is assured.

Modeled Components/Functions RAW > 100.0 OR IST High FV_> 0.01 OR FV > 0.005 and RAW >2.0 IST Medium FV < 0.005 and 100.0> RAW >10.0 0.01 > FV >0.005 and RAW < 2.0 OR FV < 0.005 and 10.0 > RAW >2.0 IST Low FV<0.005 and RAW<2 For modeled components/functions with a FV > 0.01, or a FV > .005 and a RAW > 2, or a RAW greater than 100, the IDP confirms the component categorization as IST High.

For modeled components/functions with a FV between 0.01 and 0.005 and a RAW < 2, or a FV < 0.005 and a RAW between 2 and 100, the IDP will rank the component as IST Medium. The component may effectively be considered IST Low, provided a compensatory measure exists that ensures operational readiness and the component's performance is acceptable. If a compensatory measure is not available or the component has a history of poor performance, the component will not be considered for test interval extension and will be considered for potential test method enhancement.

For modeled components/functions with a FV < 0.005 and a RAW < 2.0, the component will be categorized as IST Low, provided the component's performance has been acceptable. Components with a history of poor performance will only be considered for test interval extension if a compensatory measure is identified to ensure operational readiness.

Non-Modeled Components/Functions For components not modeled or the safety function not modeled in the PRA, the categorization is as follows:

"* If the sister train is modeled, then the component assumes that final categorization.

"* If the component is implicitly modeled in the PRA, the FV and RAW are estimated and the Page 8 of 20

RISK-INFORMED IST RELIEF REQUEST FOR STP PROGRAM DESCRIPTION

SUMMARY

deliberation is as discussed for modeled components/functions.

If the component is not implicitly modeled, the component performance history will be reviewed.

For acceptable performance history the component will be categorized as IST Low. For poor performance history, a compensatory measure will be identified to ensure operational readiness and the component will be categorized as IST Low. If no compensatory measures are available, the component will not be considered for test interval extension until performance is improved.

Documentation Documentation of the IDP is available for review at the plant site. The basis for risk ranking and component grouping is entered in the IST data system.

3.0 Testing Philosophy Motor-Operated Valves (MOVs)

" IST High Diagnostic testing is performed in accordance with NRC Generic Letter 89-10 and 96-05 commitments as described in the Joint Owners Group Periodic Verification Program (JOG PV Program). Testing will include stroke time testing per the Code of Record and diagnostically testing these MOVs in accordance with STP commitments to the JOG PV Program.

" IST Medium Testing includes exercising all valves in each group at least once per refueling cycle and diagnostically testing these MOVs in accordance with STP commitments to the JOG PV Program. MOVs with safety functions not tested in accordance with the above GNL requirements are be tested per the Code of Record except, based on evaluation of design, service condition, and performance history, and compensatory actions, at a test frequency not to exceed 6 years (plus a 25% margin) and exercised at least once during a refueling cycle.

" IST Low Testing includes exercising all valves in each group at least once per refueling cycle and diagnostically testing these MOVs in accordance with STP commitments to the JOG PV Program. MOVs with safety functions not tested in accordance with the above GNL requirements are tested per the Code of Record, except, based on evaluation of design, service condition, and performance history, at a test frequency not to exceed 6 years (plus a 25% margin) and exercised at least once during a refueling cycle.

Seat leakage testing, if required, will be per the Code of Record.

STP ensures procedurally that the potential benefits (such as identification of decreased force output and increased force requirements) and potential adverse effects (such as accelerated degradation due to aging or valve damage) are considered when determining the appropriate testing for each MOV.

Page 9 of 20

RISK-INFORMED IST RELIEF REQUEST FOR STP PROGRAM DESCRIPTION

SUMMARY

RI-IST program and MOV trend procedures contain guidance to ensure performance and experience from previous tests are evaluated to justify the periodic verification interval.

STP has developed and proceduralized a method to determine an MOV test interval that is based on IDP final risk ranking, available valve margin, and valve performance history. The method is comprised of an evaluation of risk ranking, relative margin, and group as well as individual valve performance.

The result of the evaluation determines the testing interval with the most frequent testing interval applied to high risk, low margin valves with poor, or questionable performance history. Stepwise increases in interval out to the maximum allowable interval depend on the combination of risk rank, margin, and performance history.

The motor-operated valve testing strategy described above is consistent with the guidance provided in Section 3.1 of RG 1.175 Relief Valves Testing of relief valves continues to be conducted in accordance with the Code of Record (OM-1) with no change in test interval. Should performance history change, STP will rank valves per the Integrated Decision-making Process (IDP) and extend intervals accordingly. The initial testing strategy will be:

"* IST High Testing is performed in accordance with the Code of Record as defined in 10CFR50.55a.

"* IST Medium Testing is performed in accordance with the Code of Record as defined in 10CFR50.55a.

"* IST Low Testing is performed in accordance with the Code of Record as defined in 10CFR50.55a.

Check Valves Check valves are tested in accordance with the Code of Record (OM-10) with the exception that the test frequency is in accordance with the component risk categorization defined below:

IST High Testing is performed in accordance with the ASME Code of Record as defined by 10CFR50.55a.

Check valves are also included in a Condition Monitoring program as defined by Appendix II of the 1995 edition of the OM Code with 1996 Addenda as accepted with conditions by the NRC.

Page 10 of 20

RISK-INFORMED IST RELIEF REQUEST FOR STP PROGRAM DESCRIPTION

SUMMARY

"* IST Medium Testing is performed in accordance with the ASME Code of Record as required by 10CFR50.55a except, based on evaluation of design, service condition, performance history, and compensatory measures, the test interval may be extended not to exceed 6 years (plus a 25% margin).

"* IST Low Testing is performed in accordance with the ASME Code of Record as defined by 10CFR50.55a except, based on evaluation of design, service condition, and performance history, the test interval may be extended not to exceed 6 years (plus a 25% margin).

IST High, IST Medium, and IST Low check valves at STP are included in the Check Valve Program (CVP), which has been developed to provide confidence that check valves perform as designed. Station procedure(s) establish test/exam frequencies, methods, and acceptance criteria and provide performance-monitoring requirements for check valves in the CVP. Check valves in the CVP include check valves that are in the IST program, check valves identified as susceptible to unusually high wear, fatigue, or corrosion, and special valves used for personnel safety. The CVP includes approaches for identification of existing and incipient check valve failures using non-intrusive (e.g., radiography, acoustic emission (AE), magnetic flux (MF), and/or ultrasonic examination (UT) testing methods) and disassembly examination. Test data are used (e.g., trended as appropriate) to provide confidence that check valves in the CVP are capable of performing their intended function until the next scheduled test activity. Check valves may be added to or deleted from the CVP based on non-intrusive testing, disassembly examination results, component replacement, or site maintenance history. The CVP is assessed and updated as appropriate with new design and operational information, and incorporates any applicable site or industry lessons learned.

The check valve testing strategy described above is consistent with the guidance provided in Section 3.1 of RG 1.175.

Air-Operated Valves (AOVs)

"* IST High Testing includes stroke time testing per the Code of Record as required by 10CFR50.55a. For high risk air operated valves, sufficient information will be gathered (i.e. AOV program) to ensure that the health of the valve can be adequately assessed.

"*ISTMedium Testing are performed in accordance with the Code of Record as required by 10CFR50.55a, except based on evaluation of design, service condition, performance history, and compensatory actions, the Page 11 of 20

RISK-INFORMED IST RELIEF REQUEST FOR STP PROGRAM DESCRIPTION

SUMMARY

test interval may be extended not to exceed 6 years (plus a 25% margin). Additionally IST Medium AOVs are stroked at least once during each operating cycle.

I1ST Low Testing are performed in accordance with the Code of Record as defined by 10CFR50.55a, except based on evaluation of design, service condition, and performance history, the test interval may be extended not to exceed 6 years (plus a 25% margin). Additionally, IST Low AOVs are stroked once during the operating cycle.

The AOV diagnostic testing, trending, and other maintenance activities performed for High Risk AOVs are adequate to provide assurance of the operational readiness and to ensure timely identification of performance degradation. The IST coordinator will periodically assess the information from these activities to determine if other special testing requirements are needed. Additionally, during periodic reassessments, the RI-IST working group will verify that these activities remain effective or take action to implement additional RI-IST program requirements. (RAI 23)

The AOV testing strategy described above is consistent with the guidance provided in Section 3.1 of RG 1.175.

Hydraulic Valves (HOVs), Solenoid Valves (SOVs), and Others (Manual Valves, etc.)

STP proposes to test these valves in accordance with the Code of Record (OM-10) with the exception that the test frequency will be in accordance with the component risk categorization defined below:

"*IST High Testing is performed in accordance with the Code of Record as required by 10CFR50.55a. Where appropriate, additional trending will be performed on data obtained during preventive maintenance tasks performed on the hydraulic valve actuators to ensure that the health of the valve can be adequately assessed.

"* IST Medium Testing is performed in accordance with the Code of Record as required by 10 CFR 50.55a except, based on evaluation of design, service condition, performance history, and compensatory actions, the test interval may be extended not to exceed 6 years (plus a 25% margin). Additionally, IST Medium HOVs and SOVs are stroked once during the operating cycle.

"* IST Low Testing is performed in accordance with the Code of Record as required by 10CFR50.55a except, based on evaluation of design, service condition, and performance history, the test interval may be Page 12 of 20

RISK-INFORMED IST RELIEF REQUEST FOR STP PROGRAM DESCRIPTION

SUMMARY

extended not to exceed 6 years (plus a 25% margin). Additionally, iST Low HOVs and SOVs are stroked once during the operating cycle.

The testing strategy described above is consistent with the guidance provided in Section 3.1 of RG 1.175.

Pumps Pumps are tested in accordance with the Code of Record (OM-6) with the exception that the test frequency may be in accordance with the component risk categorization defined below:

"* IST High Testing is performed in accordance with the Code of Record as required by 10CFR50.55a.

"*IST Medium Testing is performed in accordance with the Code of Record as required by 10CFR50.55a except based on evaluation of design, service condition, performance history, and compensatory actions, the test interval may be extended not exceed 6 years (plus a 25% margin). At least one pump in each IST group will be tested each refueling cycle. (RAI 21)

"*IST Low Testing is performed in accordance with the Code of Record as required by 10CFR50.55a except, based on evaluation of design, service condition, and performance history, the test interval may be extended not to exceed 6 years (plus a 25% margin).

All pumps receive:

"* Periodic thermography of their driver,

"* Lube oil analysis,

"* Alignment checks performed following major pump maintenance (using vibration analysis methods to confirm alignment),

"* Motor current testing (when the motor current testing program is implemented),

"* Vibration monitoring (required by the current Code), and

"* Flange loading checks of connected piping.

Note that flange loading test is not periodic, but is performed after major maintenance/overhauls that require the disassembly of any flange in a safety-related system. Additional tests (e.g., thermography of the driver, or motor current testing) are predictive in nature and involve trending of parameters that are Page 13 of 20

RISK-INFORMED IST RELIEF REQUEST FOR STP PROGRAM DESCRIPTION

SUMMARY

compared more frequently in order to provide meaningful results. This augmented testing program for pumps provides reasonable assurance that adequate pump capacity margin exists such that pump operating characteristics over time do not degrade to a point of insufficient margin before the next scheduled test activity.

The testing strategy described above is consistent with the guidance provided in Section 3.1 of RG 1.175.

Non-IST Hiqh Risk Components Performance testing, trending, comprehensive maintenance activities, and Maintenance Rule program controls are adequate to provide assurance of the operational readiness and to ensure timely identification of performance degradation for these high risk components. These components will be tracked in the IST program and information from these activities will be collected and periodically assessed by the IST Program coordinator. Trending of this information will be used to determine if additional testing requirements should be implemented. During periodic reassessments, the RI-IST working group will verify that these activities remain effective or take action to implement additional RI-IST program requirements. (RAI 4) 4.0 CUMULATIVE RISK IMPACT As part of the IDP review, the change in CDF and LERF will be calculated. The change in CDF and LERF will account for (but may not be limited to) changes in component availability, reliability, test intervals, and implemented test strategies (e.g., staggered testing, enhanced testing). The change in CDF and LERF will also be calculated for proposed changes to component test strategies and test intervals and their impact on component reliability, initiating event frequency and common-cause failure probabilities. This review ensures that the incremental CDF and LERF change of 1) the implemented risk-informed program from the deterministic IST program and 2) the risk-informed program until the next IDP review (two fuel cycles) remain within the risk change guidelines of Regulatory Guides 1.174 and 1.175.

5.0 IMPLEMENTATION Implementation of the RI-IST -- including components ranked either IST Low or IST Medium -- will consist of grouping components and then staggering the testing of the group over the test frequency.

Grouping:

Components will generally be grouped based on:

"* System

"* Component type (MOV, AOV, Check Valve, etc.)

"* Manufacturer

"* Size

"* Style (globe, gate, swing check, tilt disk, etc.)

"* Application (pump discharge, flow path, orientation, etc).

Page 14 of 20

RISK-INFORMED IST RELIEF REQUEST FOR STP PROGRAM DESCRIPTION

SUMMARY

The population of the group will be dependent on:

"* Total population available

"* Maintaining current testing schedule Grouping components in this manner and testing on a staggered basis over the test interval reduces the importance of common cause failure modes since at least one valve in the group is tested on a subinterval determined by the number of valves in the group. If a component failure is determined to have generic implications, a plan of action for inspection/testing of the remaining components in the group will be developed utilizing the Condition Reporting Process and the guidance provided in Generic Letter 91-18.

This plan of action will take into account the potential failure modes and their associated plant impacts and will be implemented in a timeframe commensurate with their safety significance. (RAI 19)

Testing of components within the defined group will be staggered over the test interval, typically 6 years.

Testing will be scheduled on regular sub-intervals over the test interval to ensure all components in the group are tested at least once during the test interval, the same component is not tested repeatedly, while deferring others in the group, and not all components are tested at one time. The staggering allows the trending of components in the group to ensure the test frequency selected is appropriate. A test interval extension of 25% of the fundamental stagger interval (i.e. 1 refueling cycle or 2 years) accommodates operational circumstances that may interfere with establishing the plant conditions to meet the baseline test schedule. For component groups that are insufficient in size to test one component each refueling cycle, the implementation of interval extensions will be accomplished in a step-wise manner.

Additionally, both STP units are essentially identical and the IST integrated decision-making process considered operational experience and maintenance history from both units. Following the guidance of NUREG-1482 for grouping of components, valves with like design and construction in both units can be grouped for staggered testing as described above.

6.0 PERFORMANCE MONITORING OF RI-IST COMPONENTS In addition to the specific inservice testing proposed for each component group discussed in Section 3.0 above, the following additional monitoring for each component group is currently in place per existing site procedures. The additional performance monitoring activities listed by component type are applicable to all components regardless of individual ranking (IST High, IST Medium, or IST Low).

The proposed monitoring plan is sufficient to detect component degradation in a timely manner. Further, the monitoring activities identified for each component group ensure that the following criteria are met:

"* Sufficient tests are conducted to provide meaningful data.

"* The inservice tests are conducted such that the probability of detecting incipient degradation is high.

"* Appropriate parameters are trended to provide reasonable assurance that the component will remain operable over the test interval.

The proposed performance-monitoring plan is sufficient to ensure that degradation is not significant for Page 15 of 20

RISK-INFORMED /ST RELIEF REQUEST FOR STP PROGRAM DESCRIPTION

SUMMARY

components placed on an extended test interval, and that failure rates assumed for these components will not be significantly compromised. The proposed performance monitoring, when coupled with STP's corrective action program (discussed in Section 7), ensures corrective actions are taken and timely adjustments are made to individual component test strategies where appropriate.

Components that do not warrant test frequency extension based on limited, poor, or marginal performance histories will be monitored through the Corrective Action and Integrated Decisionmaking Processes and reviewed during the program periodic reassessment as described in Section 8. If multiple failures of an IST component for a safety function tested by the IST program result in a system becoming (a)(1), then the test frequency for the component will be per ASME code requirements until such time that the component's performance history merits removal from (a)(1) status. (RAI 14)

The STP RI-IST Program will be reassessed at a frequency not to exceed once every other refueling outage (approximately 3 years), following Unit 1 refueling outage, to reflect changes in plant configuration, component performance test results, industry experience, and other inputs to the process. Configuration changes will be assessed in concert with the current design change process. Therefore, the monitoring process for RI-IST is adequately coordinated with existing programs (e.g., Corrective Action Program, Maintenance Rule monitoring, and design change process) for monitoring component performance and other operating experience on this site and, where appropriate, throughout the industry. Although the monitoring of reliability and unavailability goals for some operating and standby systems/trains is required by the Maintenance Rule, it will not be relied upon by itself to ensure operational readiness of components in the RI-IST program. The STP Corrective Action Program requires timely operability assessment for component performance issues detected outside the auspices of the IST program. This process, coupled with the evaluations performed under the Maintenance Rule in concert with IST trending, ensures continued operational readiness of RI-IST components. Site procedures and the 10CFR50.59 change process govern the individual condition monitoring points for each component type.

Preventive maintenance activities are dictated by the individual component procedures. Intervals range from one to five refueling cycles depending on component type, application, and individual performance history. The periodicity may be altered as accumulated data and industry experience warrant via site procedures, the IDP, and the 10CFR50.59 change process. The specific inspection points may vary as dictated by inspection and diagnostic test results. The preventive maintenance activities currently include the items listed below:

Motor-Operated Valves (MOVs)

  • Actuator electrical visual inspections

+ Torque switch assemblies

  • Wiring
  • Motor T-drains Page 16 of 20

RISK-INFORMED IST RELIEF REQUEST FOR STP PROGRAM DESCRIPTION

SUMMARY

  • Motor condition

"* Actuator mechanical visual inspection

+ Inspect fasteners, gaskets, and packing

+ Inspect stem protective cover

  • Inspect for lubrication leaks
  • Document other observable damages

"* Actuator lubrication inspection

+ Inspect for lubrication condition

  • Add lubrication to stem
  • Lubricate main gearbox

+ Lubricate motor gearbox

"* Inspect stem nut for tightness and staking

"* Other activities

  • Perform hand wheel operation

+ Visual inspection for gross irregularities, upper bearing housing cover for warping on SMB 000,

+ Verify/tighten actuator mounting bolts, anti-lock rotation plate jam nuts

+ Monitor stem nut thread condition Relief Valves

"* Test results trended

"* New valves tested prior to installation

"* Valves set as close to nominal as practical Check Valves

"* Combination of acoustic, magnetic, and/or ultrasonic testing methods are used as appropriate

"* Data retrieved from these methods will be compared with previous results and the differences evaluated

"* Open and close exercise testing

"* Check valve disassembly inspections are performed where other testing is not practicable

"* Leak rate testing is performed by 10CFR50, Appendix J program where appropriate

"* Leak testing for check valve closed exercise testing where appropriate Air-Operated Valves (AOVs)

  • Routine overhauls that include:

+ Disassembly, cleaning, inspection

  • Replacement of elastomers

+ Replacement of air filter / pressure regulator assembly

  • Re-assembly and testing Page 17 of 20

RISK-INFORMED IST RELIEF REQUEST FOR STP PROGRAM DESCRIPTION

SUMMARY

+ Response time testing

  • Diagnostic testing as outlined below.

" Valves exposed to extreme environmental conditions will have repetitive maintenance orders for actuator replacement consistent with the service conditions.

" Static diagnostic testing performed following valve or actuator overhaul (Preventive Maintenance) or corrective maintenance that could impact valve function, or as requested.

" Diagnostic testing of the following testing parameters, as applicable

  • Bench set

+ Maximum available pneumatic pressure

  • Seat load

+ Spring rate

+ Stroke time

  • Actual travel
  • Total friction
  • Minimum pneumatic pressure required to accomplish the safety function(s) of the valve assembly (under development)
  • Pneumatic pressure at appropriate point in operation
  • Set point of pressure switch(s), relief valve, regulator, etc

"* Others as dictated by the specific valve/actuator style and application.

Pumps

"* Margin to safety limit deviations - head curves

"* Lube oil analysis

"* Alignment checks

"* Motor current testing

"* Vibration monitoring

"* Thermography 7.0 CORRECTIVE ACTION When an IST Low or IST Medium component on the extended test interval fails to meet established test criteria, corrective actions will be taken in accordance with the STP corrective action program as described below for the RI-IST.

For all components not meeting the acceptance criteria, a Condition Report (CR) is generated. This document initiates the corrective action process. A CR may result from activities other than IST that identify degradation in performance.

The initiating event could be any other indications that the component is in a non-conforming condition.

Unsatisfactory condition will be evaluated to:

a) Determine the impact on system operability since the previous test.

Page 18 of 20

RISK-INFORMED IST RELIEF REQUEST FOR STP PROGRAM DESCRIPTION

SUMMARY

b) Review the previous test data for the component and all components in the group.

c) Perform an apparent cause analysis and/or a root cause analysis as applicable.

d) Determine if this is a generic failure. If it is a generic failure whbse implications affect a group of components, initiate corrective action for all components in the affected group.

e) Initiate corrective action for failed IST components.

f) Evaluate the adequacy of the test interval. If a change is required, review the IST test schedule and change as appropriate.

Additionally, as part of the corrective action process, the IST Coordinator will evaluate the necessity of increasing the test frequency (i.e., decreasing the time between tests) of a component (or group of components) if the cause of failure is determined to be age-related. Furthermore, the STP Inservice Testing Program procedure will be modified to require evaluation of the effects of a component failure or degradation for common causes across other plant systems.

The results of component testing will be provided to and reviewed by the PRA group for potential impact to a PRA model update. The PRA model is updated as necessary with changes tracked and documented per the PRA Change Process Program.

For an emergent plant modification, any new IST component added will initially be included at the current Code of Record test frequency. Only after evaluation of the component through the RI-IST Program (i.e.,

PRA model update if applicable and IDP review) will this be considered IST Low or IST Medium with an extended test interval.

8.0 PERIODIC REASSESSMENT As a living process, components will be reassessed at an interval not to exceed three years (plus a 25%

margin) to reflect changes in plant configuration, component performance test results, industry experience, and other inputs to the process. The RI-IST reassessment will be completed within 9 months of completion of the outage.

Part of this periodic reassessment will be a feedback loop of information to the PRA. This will include information such as components tested since the last reassessment, number and type of tests, number of failures, corrective actions taken including generic implication, and changed test frequencies. Once the PRA has been reassessed, the information will be brought back through the IDP for deliberation and confirmation of the existing lists of IST High components, IST Medium components, and IST Low components, or modification of these lists based on the new data, if required. As part of the IDP, confirmatory measures previously used to categorize components as IST Low, as well as compensatory measures used to justify the extension of IST Medium component test intervals, will be validated.

During the periodic reassessment, IST Low and IST Medium components whose performance history did not justify extension will be reviewed. The review will focus on the adequacy and effectiveness of corrective actions, as well as the performance of similar components in similar applications. If the Working Group judges the performance warrants a test interval extension based on the combination of Page 19 of 20

RISK-INFORMED IST RELIEF REQUEST FOR STP PROGRAM DESCRIPTION

SUMMARY

risk metrics, available margin, and successive satisfactory performance, then with Working Group consensus the test interval may be adjusted.

Additionally, the maximum test interval for each component or component group will be verified or modified as dictated by the IDP.

During periodic reassessments, the RI-IST working group will verify that other program activities relied upon for the initial determination of RI-IST program scope and testing methodologies remain effective or take action to implement additional RI-IST program requirements. Specific areas to consider are components that are high risk but not traditionally tested within IST Programs. (RAI 4) Also the RI-IST working group should evaluate the effectiveness of the STPNOC AOV program for category 1 AOVs or take action to implement additional RI-IST program requirements. (RAI 23) 9.0 CHANGES TO RI-IST Changes to the process described above (such as acceptance guidelines used for the IDP) as well as changes in test methodology issues that involve deviation from NRC-endorsed Code requirements, NRC endorsed Code Case, or published NRC guidance are subject to NRC review and approval prior to implementation. Other changes using the process detailed above (such as relative ranking, risk categorization, and grouping) are subject to site procedures and the associated change process pursuant to 10CFR50.59. STP will periodically submit changes to the NRC for their information.

Page 20 of 20

Retrieved from "https://kanterella.com/w/index.php?title=ML023220125&oldid=2685110"