ML051570016

From kanterella
Jump to navigation Jump to search
Rmts Initiative 4b RAI
ML051570016
Person / Time
Issue date: 05/31/2005
From: Tjader T
NRC/NRR/DIPM/IROB
To: Bradley B
Nuclear Energy Institute
Tjader T., NRC/IROB, 415-1187
References
Download: ML051570016 (20)


Text

May 31, 2005 Mr. Biff Bradley Nuclear Energy Institute Suite 400 1776 I Street, NW Washington, DC 20006-3708

Dear Mr. Bradley:

The Nuclear Regulatory Commission (NRC) has continued its review of the South Texas Project (STP) complete plant proposed pilot for RMTS Initiative 4b, dated March 18, 2003.

Enclosed are staff comments and requests for additional information (RAIs) on the STP proposed pilot. Note that some RAIs are requests to clarify the prior RAIs, as noted. Some RAIs are system-specific RAIs based on the scope of the STP submittal, especially with regards to application to loss of function conditions. Other RAIs are based on reviews of the RG 1.200 pilot results and other, STP-specific, technical questions. Additional RAIs can be expected with regards to RG 1.200 since the STP submittal does not contain all of the required information, which is now being requested. Upon review, there could be additional clarifications needed.

We are prepared to meet with you to further discuss these comments and RAIs to ensure that progress continues on Initiative 4b.

Please contact me at (301) 415-1187 or e-mail trt@nrc.gov if you have any questions or need further information on these proposed changes.

Sincerely,

/RA/

T. R. Tjader, Senior Reactor Engineer Technical Specifications Section Reactor Operations Branch Division of Inspection Program Management Office of Nuclear Reactor Regulation

Enclosures:

As stated cc: w/encl: See next page

ML051570016 DOCUMENT NAME:E:\Filenet\ML051570016.wpd NAME TSS:SRE TSS:SC NAME TRTjader THBoyce DATE 05/26/05 05/31/05/05 Mr. Biff Bradley cc: STP Nuclear Operating Company P. O. Box 289 Senior Resident Inspector Wadsworth, TX 77483 U.S. Nuclear Regulatory Commission P. O. Box 910 S. M. Head, Manager, Licensing Bay City, TX 77414 STP Nuclear Operating Company P. O. Box 289, Mail Code: N5014 C. Kirksey/C. M. Canady Wadsworth, TX 77483 City of Austin Electric Utility Department Environmental and Natural Resources 721 Barton Springs Road Policy Director Austin, TX 78704 P. O. Box 12428 Austin, TX 78711-3189 Mr. J. J. Nesrsta Mr. R. K. Temple Jon C. Wood City Public Service Board Cox Smith Matthews P. O. Box 1771 112 East Pecan, Suite 1800 San Antonio, TX 78296 San Antonio, TX 78205 Mr. C. A. Johnson/ R. P. Powers Director AEP Texas Central Company Division of Compliance & Inspection P. O. Box 289 Bureau of Radiation Control Mail Code: N5022 Texas Department of State Health Services Wadsworth, TX 77483 1100 West 49th Street Austin, TX 78756 INPO Records Center Brian Almon 700 Galleria Parkway Public Utility Commission Atlanta, GA 30339-3064 William B. Travis Building P. O. Box 13326 Regional Administrator, Region IV 1701 North Congress Avenue U.S. Nuclear Regulatory Commission Austin, TX 78701-3326 611 Ryan Plaza Drive, Suite 400 Arlington, TX 76011 Susan M. Jablonski Office of Permitting, Remediation Jack A. Fusco/Michael A. Reed and Registration Texas Genco, LP Texas Commission on 12301 Kurland Drive Environmental Quality Houston, TX 77034 MC-122 P.O. Box 13087 Judge, Matagorda County Austin, TX 78711-3087 Matagorda County Courthouse 1700 Seventh Street Mr. Terry Parks, Chief Inspector Bay City, TX 77414 Texas Department of Licensing and Regulation A. H. Gutterman, Esq. Boiler Division Morgan, Lewis & Bockius P. O. Box 12157 1111 Pennsylvania Avenue, NW Austin, TX 78711 Washington, DC 20004 Mr. Ted Enos 4200 South Hulen E. D. Halpin Suite 630 Vice President Oversight Ft. Worth, Texas 76109

cc via e-mail:

Mr. Wayne Harrison STP Mr. Rick Grantom STP Mr. Drew Richards STP Mr. John Gaertner EPRI Mr. Frank Rahn EPRI Mr. Jim Liming ABSG/EPRI Mr. Alan Hackerott, Chairman Omaha Public Power District Mr. Ray Schneider Westinghouse Electric Company Mr. Gabe Salamon PSEG Nuclear

DISTRIBUTION:

ADAMS PUBLIC IROB R/F TSS Staff BBoger/CCarpenter (RidsNrrDipmDpr)

SCBlack (RidsNrrDssaDpr)

WDBeckner (RidsNrrDipmIrob)

TRQuay (RidsNrrDipmlehb)

MDTschiltz (RidsNrrDssaSpsb)

JNHannon (RidsNrrDssaSplb)

ACRS/ACNW (RidsAcrsAcnwMailCenter)

OGC (RidsOgcRp)

FMReinhart (FMR)

NSaltos (NTS)

MLWohl (MLW1)

GSShukla (GSS)

SPWall (SPW)

WDReckley (WDR)

DGHarrison (DGH)

CKDoutt (CKD)]

DFThatcher (DFT)

SDAlexander (SDA)

PFPrescott (PFP)

KCoyne (KXC)

MDrouin (MXD)

MCThadani (MCT)

GWMorris (GWM2)

YGHsii (YGH)

DHShum (DHS)

RKMathew (RKM)

GWParry (GWP)

ABWang (ABW)

BMPham (BMP)

AJHowe (AJH1)

TWAlexion (TWA)

MAStutzkie (MAS7)

DHJaffe (DHJ)

Request for Additional Information - Technical Review of STP RMTS Initiative 4B Full Plant Pilot

1. RAI #1 requested clarification of the risk calculations planned for the RMTS program to assure Regulatory Guide 1.174 criteria for acceptably small risk increases was being met.

The response stated that the total ICCDP and ICLERP would be automatically determined as the risk is being accumulated. Please provide additional detail as to how this automatic calculation is physically accomplished.

It is the staffs understanding that the accumulated risk, tracked from the point when the front stop CT is first exceeded until all extended CTs are exited, and based on actual plant configurations, will be cumulatively tracked and periodically reviewed to determine that the overall RITS program application meets the criteria in Regulatory Guide 1.174 for small risk increases. Please confirm.

Further, it is the staffs understanding that the actual integrated risk (either ICDP or ILERP) will be tracked during use of the RICT and will be used to determine the amount of time available to reach the integrated risk limits for the RICTs (i.e., 10-6/10-7 ICDP/ICLERP for RMA threshold RICT, 10-5/10-6 ICDP/ICLERP for the maximum safety limit RICT). That is, the calculated RICT is dependent upon the actual configuration which currently exists, and on the actual accumulation of risk which has occurred from the point the equipment was declared inoperable. Please clarify.

Finally, it is also the staffs understanding that once the RICT is entered, accumulation of risk toward the 10-5/10-6 ICDP/ICLERP for the maximum safety limit RICT continues until all LCOs for which the front stop CTs have been exceeded have been restored to a MET status (components fully operable). Please confirm.

2. RAI #3, in part, requested the requirements for crediting compensatory measures and contingency actions in risk assessments performed for RICT calculations. In response, it was stated that only actions in the PRA model would be credited, typically, and that special emergent conditions would require procedural and administrative controls. This seems to contradict the guidance provided in Attachment 3 of the licensees August 2, 2004 submittal, used by the operators to determine functionality, which implies that SSCs can be considered functional with manual operator actions contained in approved written instructions (item 1), and that realignment from surveillance testing can be credited if included in the test procedure. Considering such equipment functional appears to be the expected outcome of the guidance, and effectively assigns an HEP of zero to those manual actions. The staff believes that credit should be taken in accordance with the applicable PRA standards after a realistic or bounding human reliability analysis is used to quantify the action, and an assessment of potential dependencies with other actions is considered. Further, the relevant procedures should be part of the expected plant response to accidents or transients (i.e., emergency or abnormal operating procedures), or to component failure (alarm response procedures), to assure that a direct cue is available which directs the operator to the applicable procedure. The mere existence of written instructions does not assure timely implementation of recovery actions. Please discuss in detail how manual actions are credited for functionality determinations for RICT calculations.

Enclosure

3. RAI #4 asked for clarification of the STP process for assessing common cause failure potential. Additional information is required for the staff to understand how STP assesses CCF within the context of a RMTS program.
a. STP identified their Corrective Action Program as providing guidance for the CCF assessment. Please discuss the specific technical guidance provided to the operators which would apply to an emergent failure or condition of components within the scope of the RMTS. Does the CCF assessment require testing, inspections, or other activities to reach a determination? How is the time frame for this assessment determined within the Corrective Action Program (i.e., within the front stop CT?).
b. From Attachment 3 of the licensees August 2, 2004 submittal, it is stated that SSCs are considered functional if it is reasonably assured that they can perform intended functions. If an emergent failure of one of three redundant components occurs, would all trains be declared inoperable, but the unfailed components be considered reasonably assured of being functional unless they specifically exhibited symptoms of the failure mode?
c. It is stated that if a CCF issue is determined to exist, it will be accounted for in the operability determination. Please clarify - does this mean that the components will be considered inoperable or non-functional?
d. It is stated that the PRA and CRMP are used to provide safety significance insights for components that might affect more than one train or function. Please clarify -

should this refer to component failure modes instead of components? How are the insights used in the RMTS program for RICT calculation?

e. It is stated that the PRA includes the effect of a component failure in the CCF of similar components, but then states that the failure rate of cross-train components is not adjusted. Please clarify exactly what the PRA calculation is doing for CCF rates when an emergent SSC failure occurs.
f. It is stated that the CRMP requires consideration of risk reduction actions including plant shutdown if the risk crosses the 1E-5 threshold. It is understood that the 1E-5 risk is the RICT limit, which would require applicable TS shutdown actions.

How could such actions only be considered in a RMTS program?

4. RAI #7 requested clarification of the assessment of LERF within the RMTS program. In response, it was stated that CDF is the only required metric for nearly all evaluations, then described the capability to perform such assessments with the PRA model. Please clarify under what configurations would a LERF assessment be performed. The RMTS guidelines require the LERF evaluation for all RICT calculations, so it is not clear how LERF could not be required.
5. RAI #8 requested clarification of the RMTS program treatment of planned vs. emergent configurations. In response, it was stated that a threshold CDF of 10-6 was established for planned configurations, consistent with the generic guidelines, but then identified that a higher risk level could be used by duty manager approval. It was not stated if this approval is used only to address emergent conditions or if it could be part of the normal planned maintenance practices. It is the staffs understanding that planned use of RICTs would be applicable to preventive as well as emergent corrective maintenance, and will not exceed

thresholds of 10-6 for CDF and 10-7 for LERF. It is also the staffs understanding that the use of the higher RICT limits would only be used for emergent failures of equipment or other unanticipated conditions which occur during implementation of an RICT. Please clarify.

6. RAI #9 requested clarifications of the risk assessments documented in Table 2 of the licensees August 2, 2004 submittal. Table 2 includes the column Risk Basis Calculated STP AOT Before Backstop (base case) which is further clarified in footnote 1 as the calculated time to reach an ICDP of 1E-5. Each of the technical specification LCOs includes actions for one or more of the redundant trains being inoperable, but only a few of the table entries provide the corresponding RICT for each separate configuration. Please provide an expansion of this table to provide the calculated RICT for each number of trains being inoperable within the proposed scope of the submittal. If there is a significant difference in the RICT depending upon which train(s) is inoperable, identify each RICT and provide the basis for the asymmetry in the calculated RICT.
7. The staff has no additional questions regarding RAI #10, except to confirm our interest in seeing the STP program demonstrate application of the RMTS for several plant configurations.
8. RAI #12 requested further explanation of the distinction between inoperable and non-functional components within the RMTS process. In response, Attachment 3 of the licensees August 2, 2004 submittal was referenced. The staff requests additional clarification of the use of functionality to determine RICTS for TS.
a. The licensee submittal identifies a differentiation between the definition of OPERABILITY applied to the technical specification LCOs, and the term functionality, which is not defined in technical specifications, to be applied to components for calculating RICTs. When a component is INOPERABLE, due to the inability to perform a limited portion of its intended functions, and these functions are distinguishable in the PRA model and can therefore be quantified while taking credit for those functions which the component is still able to perform, it may be acceptable for the RICT to be longer than would otherwise be calculated if the component is assumed to be completely non-functional. However, if one or more components are determined to be INOPERABLE, but the loss of functionality is (1) not known or uncertain, or (2) not capable of being addressed in the PRA model, then the component should be assumed to be non-functional for purpose of calculating a RICT.

This would typically arise with emergent issues associated with design issues of components which impact all safety trains, and would currently require entry into TS 3.0.3. Please discuss in detail how components which are inoperable may be evaluated as fully or partially functional in the calculation of RICTs. Several examples which cover the spectrum of possible conditions may be beneficial to the staffs understanding of this issue.

b. With regards to functionality vs. operability, it is understood that functionality will only address requirements modeled in the PRA. Some mitigating functions are reviewed and screened out in the development of a PRA model due to low frequency of demand for the particular function, or the low probability of failure of the function. For specific configurations which may be encountered during planned maintenance or testing, combined with possible emergent conditions, these screened functions could become more important, and would potentially impact the calculation of a RICT. For each of

the TS LCOs for which the RMTS will apply, (1) identify the PRA function(s) which are modeled including success criteria if different than the design basis, and (2) identify any design basis functions not modeled, and (3) justify that these should not significantly impact the calculated RICT under configurations covered by the RMTS.

c. Further with regards to functionality vs. operability, Attachment 3 of the licensees submittal identified procedural requirements for functionality. The staff requests additional clarifications of the application of these requirements in RMTS:

Item 1 states that a component is functional without automatic actuation if prompt restoration by the control room operator or a dedicated local operator is available, with written instructions provided for actions not involving complex repairs or diagnostics. Similarly, item 9 allows actions in surveillance procedures to be similarly credited. The staff assumes that such recovery actions would not normally be part of the baseline PRA model, but would be specific to the configuration. Crediting such manual recovery actions, without a quantitative consideration of the human error probability, or of dependencies on other actions which may be required in specific sequences, would not be appropriate for calculation of RICTs. This also appears to conflict with responses made to NRC RAI 3, that only PRA modeled actions are typically credited in the RICT calculations.

Item 4 identifies examples of alterations which affect functionality. Some can be directly evaluated as to impact (i.e., jumpers or lifting electrical leads), but the others are somewhat uncertain as to the impact on functionality.

Item 5 allows an SSC to be functional if there is reasonable assurance that it can perform its intended functions. The staff is concerned that two standards are being applied with regards to the operators confidence in assessing the status of SSCs, one to determine operability and a lesser standard to determine functionality.

Items 5 and 8 identify that, if the functionality determination is later determined to be in error, non-functional time will be corrected accordingly. This implies that the determination of functionality need not be rigorous and can have some degree of uncertainty, since it can be later modified if found to be incorrect. This would not be appropriate for RICT determination.

9. RAI #24 requested justification of proposed changes which involved application of the RMTS to loss of function conditions. The staff requests additional discussion of these configurations, and refers to new RAIs #25 through #38.
10. The licensee proposes to apply a RICT to the reactor trip breakers (TS 3.3.1.20) and to the automatic trip and interlock logic (TS 3.3.1.21). It is therefore critical to this application that the PRA modeling and success criteria for ATWS sequences be thorough and comprehensive, unless bounding analyses are applicable.
a. In the development of accident sequences, it is not unusual to screen out failure to trip the reactor for some initiating events, such as LOCAs, steamline breaks, or SGTRs, since the combination of the low frequency initiator and the failure of the reactor trip

system, as well as the potential for adequate negative reactivity from ECCS flow, make these sequences very low frequency. However for this application, such a screening process may not be appropriate. Please discuss.

b. The success criteria for mitigation of an ATWS event is dependent upon the specific point in each operating cycle, as well as the cycle-specific core reactivity design characteristics (i.e., moderator temperature coefficient and the unfavorable exposure time). It is not unusual that the risk calculations performed to support the CRMP for Maintenance Rule a(4) would not specifically account for the time in the operating cycle, but instead use a cycle-average risk calculation. In order to support the calculation of a RICT for these TS, such an average calculation may not be appropriate, and the configuration-specific risk should account for this time-dependent impact. Please discuss.
c. The existing technical specifications do not address the operability of the AMSAC.

Since the AOT is only six hours when the reactor trip function is unavailable, it is not critical that AMSAC be considered. However, if a RICT is implemented, then the operability of AMSAC should be required so that there is some mitigation immediately available in the event of a demand for a reactor trip. Please discuss how AMSAC is addressed in the PRA model, and whether a new TS for AMSAC should be required given the proposed modifications to these TS requirements.

d. The emergency boration system (EBS) was deleted from the STP design based on acceptable fuel performance in the event of a return to criticality for a steamline break accident. STP is proposing to apply a RICT to the trip logic and breakers, and the MSIVs and actuation logic. How does the STP PRA model address steamline break accidents with regards to the synergies between reactor trip and steamline isolation functions? Is the model detail able to distinguish concurrent unavailability of these related functions with regards to the potential for core damage due to return to criticality?
11. The licensee proposes to apply a RICT to the steam line isolation actuation logic and relays (TS 3.3.2.4.b), to the turbine trip and feed water isolation actuation logic and relays (TS 3.3.2.5.a), to the main steam line isolation valves (TS 3.7.1.5), and to the main feedwater isolation valves (TS 3.7.1.7). These LCOs exist to limit the reactor cooldown transient, and such events are not typically modeled in PRAs as being relevant to core damage. Please describe how the STP PRA models these functions such that an RICT is appropriate.
12. The licensee proposes to apply a RICT to the pressurizer code safety valves (TS 3.4.2.2).

There are no tests or maintenance performed on these valves during operation, and no challenges occur which would reveal an INOPERABILITY. Therefore, the only application of the RICT would be to allow extended time to deal with an emergent issue causing INOPERABILITY of all three valves.

a. Does the scope of the STP PRA model include all design basis events which result in a challenge to the code safety valves? If not, please identify those events not modeled, discuss the plant response to the event under these conditions, discuss why continued plant operation is appropriate with no code safety valves OPERABLE to mitigate those events, and identify what compensatory measures would be applicable during such operation.
b. The submittal states that the pressurizer PORVs and sprays provide overpressure protection. Is the mitigating capability of these components (e.g., capacity, response time, availability during design basis events) equivalent to the code safety valves? Are these components able to provide equivalent overpressure protection to the reactor coolant system pressure boundary for the spectrum of design basis events which challenge the code safety valves? The pressurizer spray valves are not included in the scope of technical specifications, and indefinite power operation with both PORVs isolated is permitted under TS 3.4.4; should this specification include a requirement for OPERABILITY of one or both PORVs and/or the pressurizer spray valves? Does the STP PRA model include both the PORVs and spray valves as an alternative to the code safety valves?
c. The proposed changes to TS 3.4.2.2 do not include any assurance of the OPERABILITY of any component(s) which are capable of providing overpressure protection to the reactor coolant system pressure boundary to assure that the safety limit for maximum RCS pressure is not exceeded. Please identify how the integrity of the RCS as a fission product barrier is assured under such operations.
13. The licensee proposes to apply a RICT to the pressurizer power-operated relief valves and their associated block valves (TS 3.4.4). The submittal identifies a RICT of 352 days with one PORV inoperable, and 349 days with both PORVs inoperable. It is not clear why these RICTs are so similar. Please clarify:
a. What accident sequences take credit for operation of the PORVs?
b. What is the success criteria for the PORVs for each accident sequence?
c. If the PORVs are credited for overpressure protection of the RCS, as a redundant capability to the code safety valves, discuss if operator action is credited in the event of (1) the failure of the automatic function or (2) if the PORV is isolated due to seat leakage.
14. The licensee proposes to apply a RICT to the safety injection system accumulators (TS 3.5.1).
a. Confirm that the success criteria and the required accident sequences for the accumulators is consistent with the design basis analyses, or provide a sensitivity study of the calculated RICTs for one or more accumulators inoperable using the design basis criteria.
b. For action b when boron concentration is not within limits, the submittal states that the RICTs presented for action a apply. This seems inconsistent with other parts of the submittal where it is stated that the functionality of the INOPERABLE components is used to determine the RICT. Please discuss how the RICT would be applied to action b.
15. For TS 3.5.2 for ECCS, with two or more subsystems INOPERABLE, the proposed change requires restoration of at least one ECCS train to OPERABLE status within one hour. In

Table 2 for this LCO, it states that a risk-informed AOT is appropriate with no OPERABLE trains. However, the RICT could not apply since the proposed action requirement is to restore one train within one hour. Is this the intent of the changes to TS 3.5.2? Please clarify.

16. For TS 3.6.2.3 for the reactor containment fan coolers, the calculated RICT is stated to be based on CDF and there was no impact on LERF. Please clarify how the fan coolers are credited in the PRA model for mitigation of core damage given that the design basis function is containment heat removal, and identify the basis for the success criteria (i.e.,

judgment or specific calculations).

17. For TS 3.7.1.5 and 3.7.1.7, the wording of the action requirement includes a note which states: Separate condition entry is permitted for each MSIV (MFIV). This wording is inconsistent with other action statements being revised, as is noted in Table 2. Introducing a new phrasing would seem to be an unnecessary complication and distraction to the operators applying the technical specifications. Further, as worded the proposed action could be interpreted to allow a new 30 day backstop AOT to be constantly applicable without restoration of all MSIVs or MFIVs to OPERABLE status. Please confirm that inclusion of this note is not intended to create any unique interpretation of the application of a RICT for these specifications, with regards to applying the 30 day backstop. Specifically, confirm that it is not intended to have a separate 30 day backstop for each individual MSIV or MFIV, but only a single 30 day backstop applicable to all valves.
18. For TS 3.7.14 for chilled water, which supplies room cooling to safety-related equipment, it is typical that the PRA model would only include a subset of the components supported, based on room heatup evaluations. It is also typical to include time-of-year flag events to turn off the ventilation models when cooler outside temperatures exist. These PRA model conventions would result in a 30 day LCO for large portions of the system, and during winter months. Please discuss STP plans in this regard.
19. For TS 3.8.1.1 for AC sources, Table 2 states that the STP switchyard is served by 8 incoming lines. However, there is no control in the technical specifications requiring these 8 separate lines. Please describe how the STP PRA model accounts for the unavailability of one or more incoming lines. Describe also the plant configuration controls on the incoming lines.
20. For TS 3.8.1.1, Action d, which applies concurrently with actions b and c, is inconsistent with those actions with regards to the application of 3.13.1. Specifically, action d requires that 3.13.1 be applied within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The requirement to apply 3.13.1 at 14 days (action b) is unnecessary since 3.13.1 was already in effect from action d. Similarly, the requirement to apply 3.13.1 at 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> (action c) renders action d unnecessary.
21. For TS 3.8.1.1 Action d, the defense-in-depth requirement that, for a loss of offsite power, at least one safety train of equipment is OPERABLE and powered from an OPERABLE EDG is eliminated, as is the requirement for OPERABILITY of the steam driven AFW pump for station blackout mitigation. In response to related RAI #20, STP stated that existing procedures require very similar compensatory actions. It is not clear why an existing requirement is proposed to be eliminated from TS control within the context of RMTS 4b initiative. Please discuss, and provide examples of the RICT for cases involving EDGs and other supported equipment.
22. For TS 3.8.1.1 Action e, which applies when two of the two required offsite AC circuits are INOPERABLE, Table 2 of the submittal states that STP will maintain in this configuration at least one ESF bus with offsite power. This requirement is not found in the technical specifications. Please confirm if this is intended as a commitment.
23. For TS 3.8.3.1 (onsite power distribution), Table 2 states that the loss of a single ESF bus does not result in a plant trip. If the ESF bus is de-energized, the battery chargers for that train would be lost, and after a period of time the batteries would deplete. Does the loss of one DC train cause a plant trip? If so, wouldnt the application of 3.13.1 for this LCO (and for TS 3.8.2.1 for batteries and chargers) potentially lead to a plant transient?

RG 1.200 PRA Quality NOTE: During the staff review of Regulatory Guide 1.200 conducted at STP, the reviewers encountered difficulty in assessing how the STP PRA complied with the elements of the standard. This was based in part on the staffs unfamiliarity with the support state methodology; however, it was also attributed to the lack of adequate documentation. The staff is currently assessing how to assure a thorough review and assessment of STP PRA quality per the requirements of Regulatory Guide 1.200, and considers the following RAIs to be gathering preliminary information leading to a more detailed assessment.

24. Regulatory Guide 1.200 sections 1.2.4 and 1.2.5, and section 1.3 Table 3, identify attributes of a fire PRA and external events PRA, which are not addressed by existing PRA standards. The licensee is requested to describe the scope and quality of their fire and external events PRA models, addressing the attributes identified in the guide.
25. Regulatory Guide 1.200 section 4.2 requires the licensee to submit a discussion of the resolution of the peer review comments that are applicable to the parts of the PRA required for the application. Two options are identified, one to provide a discussion of how the PRA model has been changed, and the second to provide a sensitivity study that demonstrates the particular issue does not impact the significant accident sequences or contributors. The licensee has provided only the numerical identification of their peer review facts and observations, and identified which were categorized as level A or B (Attachment 5, Resolution of Peer Review Comments, to submittal letter dated 10/28/2004). Therefore, the licensee is requested to submit the information required by the guide to address the resolution of peer review comments.
26. Regulatory Guide 1.200 section 4.2 requires the licensee to submit the identification of the key assumptions and approximations relevant to the results used in the decision-making process, along with the peer reviewers assessment of those assumptions. Reference is made to Regulatory Guide 1.174 in section 3.3 for applicable guidance on addressing the impact of these assumptions on uncertainty as it relates to the decision-making process.

Only four areas were identified by the licensee, and the peer review assessment was not provided (Attachment 4, Key Assumptions and Approximations, to submittal letter dated 10/28/2004). Since this is a whole plant application of risk-informed TS initiative 4B, it is expected that there would be something more than four key assumptions/approximations applicable. Therefore, the licensee is requested to submit additional information regarding the key assumptions and approximations in their PRA model, along with the peer reviewer assessments.

27. Regulatory Guide 1.200 section 4.2 requires the licensee to submit documentation that the PRA is consistent with the standard as endorsed in the appendices to the guide, and the identification of the parts of the PRA that conform to the less detailed capability categories and the limitations which this imposes. The licensee did not identify how their PRA model conforms to the capability categories identified in the ASME Standard as endorsed by the appendices to Regulatory Guide 1.200 (Attachment 3, Conformance to Standards, to submittal letter dated 10/28/2004). Further, during the NRC staff review of the STP PRA for the Regulatory Guide 1.200 pilot, the reviewers noted that the STP self assessment documentation was difficult to discern their conclusions about their PRA. Therefore, the licensee is requested to submit the information required by the guide, and their plans and schedules (if applicable) to address identified deficiencies which are relevant to this application.
28. Regulatory Guide 1.200 section 1.2.6 describes the characteristics of PRA model documentation. During the NRC staff review of the STP PRA for the Regulatory Guide 1.200 pilot, deficiencies in the documentation were specifically noted, and it was further identified that STP placed excess reliance on one particular experienced staff member. Because the nature of this application is to place ongoing reliance on the accuracy and quality of the PRA model to calculate RICTs for the technical specifications, robust documentation of the PRA model is essential to assure the capability of the licensee to properly maintain the fidelity of the model, without undue reliance on specific staff members. The licensee is therefore requested to describe the current capability of their PRA model documentation, and to identify a schedule for updates and upgrades to assure their documentation is adequate to permit ongoing maintenance of their PRA models for the following key areas:
a. Key assumptions and approximations applicable to system and event tree models.
b. Screening of sequences or failure modes from the model.
c. Quantification instructions, including recovery rules and their bases, mutually exclusive event combinations and their bases, and truncation levels.

PRA Technical Questions

29. During the NRC staff review of the STP PRA for the Regulatory Guide 1.200 pilot, issues with the adequacy of the common cause failure modeling were noted during very brief reviews of system modeling. The methods were not using the most recent available information, and some CCF modes were not considered (i.e., batteries, chargers). The licensee is requested to describe the development of CCF models for their PRA, and provide a listing of the CCF modes considered, the components which are modeled for CCF, and the sources of data used.
30. For use in the configuration risk management program, the baseline PRA model requires changes to account for the real time nature of the calculations, compared to the average annual risk calculation of the baseline model. The licensee is requested to describe the process of making changes to the baseline PRA model for the CRMP, including the following key areas in their discussion:
a. Alignment of operating train(s), including swing or spare components.
b. Disallowed maintenance (i.e., multiple trains in maintenance typically removed from final results, should be retained in CRMP model).
c. Maintenance impact on initiating events for systems.
d. Adjustment of initiator frequencies (i.e., average CDF model includes unit availability factor, not applicable to CRMP model).
e. Seasonal dependencies, or point-in-cycle dependencies (e.g., seasonal HVAC requirements, ATWS success criteria).
f. Repairs of failed components (should be removed in CRMP model).
31. During the NRC staff review of the STP PRA for the Regulatory Guide 1.200 pilot, issues with the adequacy of the LERF model were identified and require resolution:
a. The STPNOC self-assessment of LERF did not include an explicit review of the LERF elements of the PRA. Rather, reliance was placed on results of the independent peer review and an STPNOC contractors proposal for addressing the peer review comments. However, the technical issues and criteria used to conduct the peer review do not fully cover the areas addressed in the ASME standard. As a result, the assessment of PRA capability in the area of LERF is incomplete. Please complete the self assessment of LERF, and identify the results and corrective actions from that assessment.
b. The attributes used to distinguish large, early releases from other source terms is insufficient to discern a potential for early health effects as required by the Standard.

With the exception of containment bypass and induced steam generator tube rupture (ISGTR), the sole characteristic of large early release (LER) sequences is the size of the opening in the containment pressure boundary. Although this attribute is typically an important contributor, it is not the only one. Some of the sequences assigned to the LER category involved long-term operation of containment sprays and have wet cavities (i.e., quenched debris ex-vessel). Conversely, some of the small early release (SER) sequences involve dry containments (no sprays and dry cavities). A technical basis for this counter-intuitive grouping scheme is not offered in PRA documentation.

Further, the simplistic method of assigning release categories does not appear to be supported by results of plant-specific MAAP calculations of radionuclide release.

Consider the following two damage states:

- SGTR (fast station blackout with induced SGTR during core damage).

- 07SU (fast station blackout with pre-existing containment leakage).

According to the attributes used to assign accident sequences to release categories, the first of these is allocated to LER (RC-I), whereas the second is classified as SER

(RC-II). However, the MAAP results indicate the following actual release fractions within the first 5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> of the event:

Percent of Core Inventory Fission product Released to Environment group ISGTR R07SU Xe, Kr 20 50 I 9 3 Cs 8 2

c. A systematic search for, and evaluation of, plant-specific containment failure modes was not evident in PRA documentation. As assessment of containment failure modes was performed as part of the STP IPE. However, much of the IPE analysis relied on adapting the structural evaluation of the Zion containment.

Although adaptation of reference plant analysis is acceptable for determining the ultimate strength of the containment pressure boundary under quasi-static loads, a plant-specific evaluation of alternative failure modes was not found in PRA documentation.

d. Actions to mitigate the effects of core damage recommended in the STP severe accident guidelines (SAGs) are not addressed in the PRA. For example, successful implementation of the guidelines offered in SCG-1 could alter the magnitude of radiological releases.
e. The effects of major assumptions, simplification and uncertainties on LERF have not been evaluated.
f. The effects of adverse environmental conditions in containment and physical effects of structural failure(s) of the containment pressure boundary on long-term spray recirculation operation are not addressed. STPNOC documentation provided during the review indicates the minimum NPSH required by containment spray pumps (operating in recirculation mode) is 20 ft-H2O.

Additional Electrical Questions

32. This is a followup question on the STP response to RAI 19 on compensatory measures, as it would apply to Technical Specification (TS) 3.8.2.1, DC Sources,. Following the December 15, 2004 public meeting at NRC, the licensee provided a copy of procedure 0POP01-ZO-0006, Extended Allowed Outage Time.

The risk informed completion time (RICT) for two out-of-service battery chargers for this TS is 140-1042 days with a proposed 30 day back-stop. A backstop time of 30 days by itself is not acceptable for the following reasons:

a. The battery, without a battery charger, will continue to discharge at a rate related to the normal dc operating load. This may result in a deep discharge damaging the connected battery cells by a reverse polarity to the weakest cells. This could be irreversible.
b. The battery is sized for a limited time discharge of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. If a battery charger is not restored within that time, loss of a complete protection channel will result.

Also, possible loss of a complete ac power train could result because dc control is required for the ac power system to be operable.

c. Typical battery manufacturer's operating manuals state that damage may occur to an open circuited (unloaded) after some time (months) without the battery being on charge.
33. Procedure 0POP01-ZO-0006, Extended Allowed Outage Time, does not address the DC system. Please identify all compensatory measures for the DC system when removing a required battery charger from service. Also, please address how the following items, including required action time, will be accomplished when battery charging capability is not available:
a. Limit the immediate discharge of the affected battery.
b. Recharge the affected battery to float voltage conditions using a spare battery charger.
c. Confirm that the partially discharged battery has sufficient capacity remaining to perform its safety function.
d. Periodically verify battery float voltage is equal to or greater than the minimum required float voltage.
34. The original allowed outage times (AOTs)/completion times (CTs) established in the technical specifications were, in part, based on realistic industry standards for maintenance time intervals for equipment under test or maintenance. It is the staffs understanding that the additional optional extended AOTs based on the risk management techniques will not be entered as a standard operating practice but will only be entered when the maintenance or test conditions can not be completed because of some extraordinary circumstance. This being the case;
a. Please identify those electrical components where you believe this extended AOT/CT may be necessary, identify the length of the extended AOT/CT and provide justification why such an extended AOT/CT would be required. A 30 day extended outage should not be required based upon past industry experience for the following equipment: Circuit breakers and other switchgear components, transformers, motors, cables, battery chargers, inverters, control and protective relays and associated circuits.
b. In as much as an extended AOT/CT based on risk management techniques would be the exception rather than the rule, please describe the record keeping system identifying the following items to verify application for the risk-informed process: (1) each application of risk management techniques to extend the AOT/CT, (2) any contingency actions or compensatory measures used during the extended time, and (3) the analysis that justified the extension.
c. Will the risk-informed extension of the AOT result in a 30 day extension to a 10 CFR 50.72 or 50.73 reporting requirements if the 30 day backstop is invoked?
35. 10 CFR 50, Appendix B, states that:

This appendix establishes quality assurance requirements for the design, construction, and operation of those structures, systems, and components. The pertinent requirements of this appendix apply to all activities affecting the safety-related functions of those structures, systems, and components; these activities include designing, purchasing, fabricating, handling, shipping, storing, cleaning, erecting, installing, inspecting, testing, operating, maintaining, repairing, refueling, and modifying.

As used in this appendix, "quality assurance" comprises all those planned and systematic actions necessary to provide adequate confidence that a structure, system, or component will perform satisfactorily in service.

Please confirm that the STP Configuration Risk Management Program (CRMP) and associated procedures fall under the 10 CFR 50 Appendix B. If STP believes these programs and procedures are not subject to the Appendix B requirements, please justify any exceptions to those requirements.

36. In Table 2, Specifications 3.3.2.8.a-c, new Action 20.A.b states, with the number of operable channels more than one less than the Total Number of Channels, within one hour apply the requirements of specification 3.13.1, or be in at least Hot Standby within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and be in at least Hot Shutdown within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, and be in Cold Shutdown within the subsequent 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.
a. How long does it take to update the CRMP database regarding plant equipment configuration changes? Is it credible that the implementation of T.S. 3.13.1 can be accurately accomplished within one hour? Would not the loss of the second channel fall into the emergent conditions that would not be expected to require an extension of the AOT (page 2 of license submittal dated August 2, 2004)?
b. During the five year history of the use of the CRMP to make risk assessments, has there been any instances where the initial assessment significantly differed from the final assessment?
c. The primary function of the loss-of-power instrumentation system is to assure the independence between offsite and onsite systems. This independence, pursuant to GDC 17 of 10 CFR Part 50, Appendix A, minimizes the probability of losing electric power from the onsite electric supplies as a result of, or coincident with, the loss of power from the offsite power supply. Loss-of-power instrumentation initiates load shedding to prevent overloading of the stand-by diesel generators (SDGs). It also supports independence between redundant ac systems and, together with automatic load sequencing, assures the capacity and capability of the offsite and onsite ac power supplies. Please confirm that the proposed changes in T.S. 3.2.2.8.b and .c will not reduce this independence between power sources.
37. In Table 2, Specification 3.8.1.1, New Action Requirement, specifies restoration of at least one SDG to operable status within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> whereas the existing Action

requirement calls for restoration of at least one standby diesel generator within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> and two standby diesel generators within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Please explain why this change was not submitted separately in accordance with Regulatory Guides 1.174 and 1.177 since the technical basis provided does not justify this change.

38. New Action Requirement 3.8.2.1 implies that one battery bank and one battery charge can be inoperable indefinitely. Please clarify whether Action is initiated only if multiple components are inoperable. In addition, please address concerns stated in question 36 for Specification 3.8.2.1.
39. New Action Requirement 3.8.3.1.a implies that one battery bank and one battery charge can be inoperable indefinitely. Please clarify Action if only one train of the AC power ESF buses is inoperable. In addition, please address concerns stated in question 36 for Specification 3.8.3.1.a.
40. Please address concerns stated in question 36 for Specifications 3.8.3.1.b and 3.8.3.1.c (Re. the one hour risk assessment.)
41. Please clarify how the proposed changes will differentiate between degraded vs.

inoperable systems, trains, channels or components.

General Questions

42. LCO 3.13.1 specifies that when referred to this specification, equipment that has been declared inoperable shall be evaluated for its impact on risk and AOT determined accordingly. The first two actions require the determination of the acceptability of the configuration for AOT beyond the frontstop AOT when an equipment is declared inoperable, and for the continued operation beyond the frontstop AOT whenever the configuration changes, respectively. In response to previous RAI 22 to specify the allowable time to complete the required determination process, the licensee stated that this time will be defined in the implementing procedure for the Configuration Risk Management Program and will be consistent with the generic industry guidance.

However, each referencing Action specifies that within a specific frontstop completion time (e.g., 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />) ... apply the requirements of Specification 3.13.1. Also Section 1 of Attachment 1 (Description of Changes and Safety Evaluation) stated that the frontstop time also provides the operator sufficient time to determine and apply an appropriate extended time from the application of the CRMP for those situations where it is determined that an extended AOT is necessary.

a. Explain and justify why it is acceptable to specify the allowable time in the implementing procedure for the CRMP, rather than in TS 3.13.1 or the referencing TSs?
b. Clarify whether the frontstop time specified in the referencing TS is also the allowable time to complete the required determination process in Specification 3.13.1.
43. Some ACTION statements are revised and some new ACTION statements are created to deal with cases with more than one channel, component, train, or subsystem inoperable, which currently do not have a associated ACTION statement and would be subject to TS 3.0.3. These revised or new Action statements generally require that

within one hour restore at least one inoperable channel, component, train, or subsystem to OPERABLE status or apply the requirements of Specification 3.13.1, or be in HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD SHUTDOWN within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />. Examples of these revised or new ACTION statements are Action 3.4.2.2 (pressurizer code safety valves), 3.4.4 Actions c and e (PORVs), 3.5.1.a and b (Accumulators), 3.5.2.b (ECCS subsystems), 3.6.2.1.b (containment spray systems),3.6.2.3.b (containment fan coolers), Table 3.3-1 (RTS Instrumentation)

Actions 9, and 9A.b, Table 3.3-3 (ESFAS Instrumentation) Action14.b, 17.b, 19.b, 20A.b, and 22.b.

a. Since these revised or new Action statements have a frontstop AOT of only one hour, is one hour sufficient to apply LCO 3.13.1 requirements, which include the use of CRMP to determine AOT extension and the need for corrective or compensatory actions?
b. Could there be cases where it takes longer than one hour to determine that an AOT extension for the configuration is not acceptable, and therefore the frontstop AOT is exceeded without implementing subsequent actions?
44. For these conditions that could result in the loss of the required safety function, compensatory actions are most likely required as a defense-in-depth consideration.

Section 4 of Attachment 1 (Description of Changes and Safety Evaluation) discussed the use of the CRMP to determine the safety implications associated with multiple inoperable components, and to assist the operator in identifying effective corrective or compensatory actions for various plant configurations to maintain and manage acceptable risk levels. It is said that these compensatory actions may be incorporated in procedures, work instructions, or other station media. To support this TS amendment, please identify all TS changes (especially for those conditions where two or more channels or trains are inoperable) that require compensatory actions to reduce risk significance, describe each compensatory action and where it is incorporated.

45. In WCAP-15773-P, Rev. 0, supporting TSTF-424, it is stated in Section B3.2, Scope and Structure of the Flexible AOT Concept, that typically, AOTs/CTs less than one day are associated with loss of system function and extension beyond the existing AOT may incur significant risks. Therefore, shorter term Action Statements, such as those associated with complete system inoperability or loss of an entire safety function will retain an Action Statement with a fixed AOT/CT value based on the systems or functions risk importance. ... The flexible AOT concept would also not apply to TS associated with plant operational limits. However, in the STPs application of LCO 3.13.1 for AOT extension, many referencing TSs have 24-hour frontstop AOT (e.g., Table 3.3-1, Actions 9A.a) and some have one-hour frontstop AOT (e.g., TS 3.5.1 Actions a and b, TS 3.5.2 Action b). Explain why the application of LCO 3.13.1 for those TSs with frontstop AOT of one and 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is not contradictory to TSTF-424.
46. In TS Table 3.3-3, Action 19.a specifies the action with the number of OPERABLE channels less than the Minimum Channels OPERABLE requirement, and therefore appears to cover Action 19.b, which specifies the action with the number of OPERABLE channels more than one less than the Minimum Channels OPERABLE requirement. Is there a typographic error in Action 19.a in that it is intended for the number of operable channels one less than the minimum channels operable requirement?