NRR E-mail Capture - Request for Additional Information - St. Lucie TSTF-505 Apla - MF5372 & MF5373

ML16105A456
Person / Time
Site:	Saint Lucie
Issue date:	04/13/2016
From:	Perry Buckberg Plant Licensing Branch II
To:	Frehafer K Florida Power & Light Co
References
MF5372, MF5373
Download: ML16105A456 (10)
v • d • e

Text

NRR-PMDAPEm Resource From: Buckberg, Perry Sent: Wednesday, April 13, 2016 1:09 PM To: Frehafer, Ken Cc: Snyder, Mike; Cross, William

Subject:

Request for Additional Information - St. Lucie TSTF-505 APLA - MF5372 & MF5373 Attachments: St Lucie final TSTF-505 APLA RAIs 4-13-16.pdf

Ken, By letter dated December 5, 2014 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML14353A016), Florida Power and Light (FPL, the licensee) submitted a License Amendment Request (LAR) regarding St. Lucie Units 1 and 2. The proposed amendment would revise Technical Specifications (TS) to Implement TS Task Force (TSTF)-505, Revision 1, Provide Risk-Informed Extended Completion Times RITSTF [Risk Informed TSTF]

Initiative 4b.

The U.S. Nuclear Regulatory Commission Staff reviewed the submittal and identified areas where it needs additional information and clarification to complete its review. The Request for Additional Information (RAI) is attached. The NRC requests that the licensee respond to this RAI within 60 days of this email.

Thanks, Perry Buckberg Senior Project Manager phone: (301)415-1383 perry.buckberg@nrc.gov U.S. Nuclear Regulatory Commission Office of Nuclear Reactor Regulation Mail Stop O-8G9a Washington, DC, 20555-0001 1

Hearing Identifier: NRR_PMDA Email Number: 2775 Mail Envelope Properties (Perry.Buckberg@nrc.gov20160413130800)

Subject:

Request for Additional Information - St. Lucie TSTF-505 APLA - MF5372 &

MF5373 Sent Date: 4/13/2016 1:08:50 PM Received Date: 4/13/2016 1:08:00 PM From: Buckberg, Perry Created By: Perry.Buckberg@nrc.gov Recipients:

"Snyder, Mike" <Mike.Snyder@fpl.com>

Tracking Status: None "Cross, William" <WILLIAM.CROSS@fpl.com>

Tracking Status: None "Frehafer, Ken" <Ken.Frehafer@fpl.com>

Tracking Status: None Post Office:

Files Size Date & Time MESSAGE 1070 4/13/2016 1:08:00 PM St Lucie final TSTF-505 APLA RAIs 4-13-16.pdf 159914 Options Priority: Standard Return Notification: No Reply Requested: No Sensitivity: Normal Expiration Date:

Recipients Received: ZZZ

REQUEST FOR ADDITIONAL INFORMATION LICENSE AMENDMENT REQUEST TO IMPLEMENT TSTF-505, REVISION 1, ST LUCIE UNITS 1 AND 2 DOCKET NOS. 50-335 AND 50-389 (CAC NOS. MF5372 AND MF5373)

By letter dated December 5, 2014 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML14353A016), Florida Power and Light (FPL, the licensee) submitted a License Amendment Request (LAR) regarding St. Lucie Units 1 and 2. The proposed amendment would revise Technical Specifications (TS) to implement TS Task Force (TSTF)-505, Revision 1, Provide Risk-Informed Extended Completion Times RITSTF [Risk Informed TSTF] Initiative 4b.

Based on the review of the amendment request, the U.S. Nuclear Regulatory Commission (NRC) staff has determined that additional information is required for review of the LAR.

RAI-MF5372/73-APLA-01 (Internal event probabilistic risk assessment (PRA))

a. Facts and Observations (F&Os) AS-06 from the internal events probabilistic risk assessment (IEPRA) peer review listed in Table E2-A1 of the LAR states that scenarios that involve loss of all Main Feedwater (MFW) and Auxiliary Feedwater (AFW) are conservatively modeled because use of Condensate pumps to provide low-pressure feed is not credited. Clarify how not crediting the Condensate pumps impacts the risk-informed completion time (RICT) estimates.

b. F&O IE-01 from the IEPRA peer review listed in Table E2-A1 of the LAR states that the Loss of Off-Site Power (LOSP) frequency used in the PRA was derived from early generic industry data and introduces a high degree of conservatism into the PRA. The disposition to this F&O explains that more current LOSP data published in an Electric Power Research Institute (EPRI) report of industry data from 1997 to 2008, will be considered during the cyclical maintenance and update of this calculation, and that, the downward trend of LOSP annual frequency should have improved effects on the model.

This explanation appears to indicate that the LOSP frequency has not yet been updated and therefore the LOSP frequency used in the PRA remains conservatively high. Clarify how using outdated LOSP frequency estimates impacts the RICT estimates.

c. F&O IE-04 from the IEPRA peer review listed in Table E2-A1 of the LAR states that the PRA did not address multiple 120 VAC instrument bus failure initiating events. PRA standard Supporting Requirement (SR) IE-A5 cited with the F&O states that, a systemic evaluation of each system, including support systems, should be performed to assess the possibility of an initiating event, and SR IE-A6 (cited with the F&O) states that such an assessment should include, multiple failure if the equipment failures result from a common cause. The disposition to this F&O states that, [m]ultiple instrument bus failures are judged to be a low probability, but does not justify this conclusion, particularly for RICT calculations where one or more buses may be unavailable as part

of the TS condition. Clarify how the simplified modelling of instrument busses impacts the RICT estimates.

RAI-MF5372/73-APLA-02 (Fire PRA) , page 16 of 23 in the LAR states that the estimated risk-informed completion time (RICT) will be calculated using the fire PRA (or results) from NFPA 805 (LAR Reference 5:

Report 0493060006.105 Rev. 4, St. Lucie Nuclear Plant Fire PRA Summary Report, NUREG/CR-6850 Task 16, ERIN Engineering, March 2013). This does appear to be the latest version of the Fire PRA. For example, the response to NFPA PRA RAI 21 by letter dated October 10, 2014 (ADAMs Accession Number (ADAMS) ML14296A435), summarizes a variety of method and model changes that were required to utilize only acceptable methods in the final NFPA 805 fire PRA.

a) Is the fire PRA that will be used to support the RICT calculations the same fire PRA that was determined to be acceptable for the NFPA 805 transition and future self-approval?

b) How will the maintenance and change process ensure that the latest model of record used in the RICT program reflects the as-built, as-operated plant.

RAI-MF5372/73-APLA-03 (Technical Specification (TS) Limiting (Condition of Operation) LCO 3.6.1.3, 3.6.1.7 and 3.6.3.1)

The disposition for PRA Success Criteria associated with TS LCO 3.6.1.7 (Unit 2 Containment Ventilation) presented in LAR Enclosure 1, Table E1-1 states, The PRA Model includes a large, pre-existing containment leak; this would be bounding for the risk associated with an inoperable air lock door closed, and can be used as a bounding surrogate. The disposition for PRA functionality associated with TS LCO 3.6.3.1 (Containment Isolation Valves) and TS LCO 3.6.1.3 (Containment Air Locks) also refer to use of this leak event in the PRA as a surrogate.

Explain why the leakage for a large pre-existing containment leak is a bounding surrogate for the leak events above.

RAI-MF5372/73-APLA-04 (TS LCO 3.3.1.1)

The disposition for PRA functionality associated with manual trip functions in TS LCOs 3.3.1.1 presented in LAR Enclosure 1, Table E1-1 explains that operator failures to manually initiate the trip functions will be used as surrogate events to conservatively bound the risk increase associated with [these] function[s]. Please confirm this involves setting the surrogate Human Error Probabilities (HEP) = 1.0 (or to True) to calculate RICT events.

RAI-MF5372/73-APLA-05 (Minimum Joint HEPs)

Guidance in NUREG-1792, "Good Practices for Implementing Human Reliability Analysis (HRA)," (Table 2-1) recommends joint human error probability (HEP) values should not be below 1E-05. Table 4-3 of EPRI 1021081, "Establishing Minimum Acceptable Values for Probabilities of Human Failure Events," provides a lower limiting value of 1E-06 for sequences with a very low level of dependence. F&O HG-G6-1 from the IEPRA peer review listed in LAR , Table E2-A1 states the dependency analysis that was performed did not have a reasonableness check of the combined human failures provided. The F&O noted that a number of HEP combinations from the PRA had resulted in probabilities in the 1E-10 to 1E-16 range. Based on the disposition to this F&O, it appears that minimum joint HEPs were not

applied in the PRA and that no update was made to the PRA as a result of this F&O. The NRC staff notes that underestimation of minimum joint probabilities could result in non-conservative RICTs of varying degrees for different inoperable SSCs.

Furthermore, the staff has considered the licensees response to NFPA 805, PRA RAI 21.b (October 10, 2014, ADAMS ML14296A435) which clarified the disposition of RAI 17.b.01 by discussing the minimum joint HEP value and the use of final composite analysis. The NRC concluded that the fire PRA values include an acceptable minimum joint HEP value but these changes were not reviewed for internal events.

Given that it is not clear from the F&O disposition whether or to what extent a dependency analysis was performed as part of the HRA, and whether minimum joint probabilities were applied to combinations of HEPs appearing in the same cutset, provide the following:

a) Describe the HRA dependency analysis performed in response to this F&O used in the PRA and whether it is consistent with NRC accepted guidance. In the response, specifically address how each of the issues identified by the peer review was dispositioned. If the approach to performing HRA dependency analysis is not consistent with NRC guidance, then justify this departure.

b) Also, confirm that each joint HEP value used in the internal events PRA below 1.0E-06, and each joint HEP used in the fire PRA below 1E-05, includes its own separate justification that demonstrates the inapplicability of the NUREG-1792 lower guideline values. Provide an estimate of the number of joint HEPs below the guideline values, discuss the range of values, and provide at least two different examples where justification has been developed.

c) If the assessment described in item b) has not been performed or if minimum joint probability floor was not applied or the value of the floor cannot be justified, then explain how underestimating joint human error probabilities impacts the RICT estimates.

RAI-MF5372/73-APLA-06 (Bounding Analyses for Excluded Risk Sources)

From LAR Enclosure 4, the guidance in NUREG-1855 was used in performing the bounding analysis of certain external hazards that are not included in the PRA. The dispositions in LAR , Table E4-1 state that the risks associated with external flooding, transportation accidents, extreme winds and tornados are insignificant to the calculation of configuration-specific risk on the basis that the current as-built and as-operated plant conforms to the design-basis requirements in the 1975 Standard Review Plan (SRP). A similar basis is provided for excluding seismic events in that the re-evaluated seismic hazard was shown not to exceed the current design basis. However, per NUREG-1855, conforming to design-basis requirements is insufficient justification for concluding that these external hazards are insignificant to the calculation of configuration risk. NUREG-1855 specifically cautions against placing emphasis on comparisons with the design bases of the safety-related systems and structures and further clarifies that, it may be necessary to perform some conservative estimates of the risk for both lower and higher magnitude events, given that (i) non-safety-related systems [credited in the PRA] may provide important risk contributions; (ii) the magnitude of an external event may exceed the plant design basis; and (iii) a significant risk contribution from lower magnitude

events is possible if the susceptibility of the plant to damage (fragility) is relatively insensitive to the magnitude of the event.

a) Explain how the reported evaluations for each hazard incorporate the latest available information (e.g. external flooding to reactor auxiliary building reported in NRC INSPECTION REPORT 05000335/2014010 AND 05000389/2014010, ADAMS ML14323A786). If they do not incorporate the latest available information, please update the evaluations.

b) Explain how the licensees proposal is consistent with the guidance in Section 3.3.5 of NEI 06-09, Revision 0-A.

RAI-MF5372/73-APLA-07 (Translation to Configuration Risk Management Program (CRMP)

Model)

LAR Enclosure 8 Section E8-2.0 describes the process that will be used to translate the baseline PRA models for use in the CRMP model to be used in the RICT Program. The description implies that the CRMP model has not yet been developed and, furthermore, the translation process itself does not appear to be fully developed. Specifically, some expected adjustments or changes to the baseline model are not identified, such as use of a plant availability factor for determining the average annual risk that would not be applicable to configuration-specific risk.

a) Summarize the translation process.

b) Provide a comprehensive discussion of the changes made to the baseline PRA model to produce the CRMP model and how it is assured that these changes are appropriate and comprehensive.

RAI-MF5372/73-APLA-08 (PRA Functionality)

Model Application to TSTF-505, Revision 1, Proposed Revision to the Model Application for TSTF-505, Revision 1, Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b, Enclosure 1 (ADAMS ML12032A065) states:

This enclosure should provide a description of PRA functionality for each associated specified safety function that corresponds to each proposed Required Action that is applicable when all trains of equipment are inoperable as discussed in Section 2.3.1.10 of NEI 06-09.

The TSTF-505 enclosure guidance is included as part of the model application because the NRC staff seeks clarity in how PRA Functionality will be used during full power operation following, loss of a specified safety function or inoperability of all required trains or divisions of a system. Provide justification for PRA functionality for each associated specified safety function consistent with TSTF-505 as requested below:

1. To provide confidence that the defense-in-depth philosophy is maintained as the completion times (CTs) are extended, the NRC staff requests the following information for three of the defense-in-depth circumstances described in RG 1.177, An Approach

for Plant-Specific, Risk-Informed Decision-making: Technical Specifications, Revision 1, May 2011.

a. System redundancy, independence, and diversity are maintained commensurate with the expected frequency and consequences of challenges to the system (e.g.,

there are no risk outliers). The licensee should considerwhether there are appropriate restrictions in place to preclude simultaneous equipment outages that would erode the principles of redundancy and diversity.

Beyond prohibiting voluntary entry, the guidance on PRA Functionality in NEI 06-09 does not address how PRA Functionality should be defined when the systems, structures, and components (SSCs) normally relied on to perform a specified safety function are unavailable. Specifically, the PRA often includes alternative SSCs that could be used to fulfill a specified safety function when the SSCs referenced in the TSs are unavailable. Crediting alternative SSCs when the SSCs normally relied on are unavailable would represent a reduction in redundancy or diversity. Please confirm that SSCs credited in a PRA Functionality determination are the same SSCs relied upon to perform the specified safety function. If a PRA Functionality determination for a loss of a specified safety function or inoperability of all required trains or divisions of a system credits SSCs other than the SSCs covered by the TSs (e.g., crediting the Fire Protection system as an alternative water source), please summarize each such TS and justify how appropriate redundancy and diversity is maintained if alternative SSCs are credited.

b. Over-reliance on programmatic activities as compensatory measures associated with the change in the licensing basis is avoided (e.g., the change does not use high reliability estimates that are primarily based on optimistic program assumptions).

i) Please confirm that all human actions required to achieve PRA functionality upon loss of specified safety function are modeled in the PRA (i.e., they are all explicitly proceduralized; and that they all are (1) trained on or (2) not trained on because they are so simple as to be skill of the craft).

ii) If any human actions were evaluated and credited in the PRA scenarios, but not modeled in the PRA, A. Summarize the action and the evaluation.

B. Clarify why not modelling each action will have a negligible impact on core damage frequency and large early release frequency and the associated CT that will be used when the corresponding PRA Function to TS LCO/Conditions is unavailable.

C. If any other human actions are directly or indirectly credited in the CT length calculations, please provide the same information as in part A and part B.

c. The intent of the plants design criteria is maintained.

The intent of the design basis design criteria is that all design basis accident scenarios could be mitigated, i.e., the minimum specified safety function capability is available. To maintain this intent, PRA Functionality should not include any scenarios that allow any design basis accident initiator to proceed directly to core damage (e.g., Loss of Offsite Power/Loss of Coolant Accident). Please confirm that PRA Functionality does not include any scenarios that allow any design basis accident to proceed directly to core damage or containment failure, or identify the scenarios and justify that the intent of the design criteria is maintained and describe how the PRA functionality determination will verify these requirements are met.

2. To provide confidence that sufficient safety margins are maintained, NRC Staff requests the following information for the detailed circumstance described in RG 1.177.

Safety analysis acceptance criteria in the final safety analysis report (FSAR) are met or proposed revisions provide sufficient margin to account for analysis and data uncertainties (e.g., the proposed TS CT or SF change does not adversely affect any assumptions or inputs to the safety analysis, or, if such inputs are affected, justification is provided to ensure sufficient safety margin will continue to exist). For TS CT changes, an assessment should be made of the effect on the FSAR acceptance criteria assuming the plant is in the condition addressed by the proposed CT (i.e., the subject equipment is inoperable) and there are no additional failures. Such an assessment should result in the identification of all situations in which entry into the condition addressed by the proposed CT could result in failure to meet an intended safety function.

Some TS safety functions are credited in design basis accident scenarios modeled in the PRA but are also required in other design basis accident scenarios not modeled in the PRA because the other scenarios do not contribute to Core Damage Frequency (CDF) and Large Early Release Frequency (LERF) or are not needed within the PRA mission time.

a) Please confirm that the PRA Functionality modeled in the PRA is also available and sufficient for the remaining design basis accident scenarios that are not modeled in the PRA because the un-modeled design basis accident scenarios do not affect CDF or LERF (e.g., containment spray may be credited as decay heat removal in some plants which is modeled in the PRA. It may also provide an iodine removal function for the same plants, which is not modeled in the PRA) or describe how the PRA functionality determination will provide confidence the requirements credited in the un-modeled design basis accident scenarios are met.

b) Please confirm there are no safety functions required to reach a safe and stable state but are not included in the PRA because they are only required after the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time generally used in the PRA (e.g., some alternative primary water sources may lead to excessive boron dilution after some loss-of-coolant accidents but only after at least 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, so boron is not modeled in the PRA) or describe how the PRA functionality determination will provide confidence the requirements credited in design basis accident scenarios are met.

c) In Table E1-1 of its December 5, 2014, LAR, the licensee noted differences between the design basis success criteria and the PRA success criteria for certain specified safety functions. The licensee also noted that the risk-informed Configuration Management Program (CRMP) will ensure that adequate margins of safety are maintained. The licensee also noted in the Administrative Controls section that conditions which represent a loss of function cannot be entered voluntarily.

However, the response did not address how safety margin was maintained for the case of a PRA functionality determination for a loss of a specified safety function or inoperability of all required trains or divisions of a system. For this case, please elaborate on how adequate safety margins are maintained and provide some clarifying examples of adequate safety margins for where the PRA success criteria (e.g., flow rates, temperature limits) differ from the design criteria.

3. Extended completion times are limited to no more than 30 days, i.e., a 30 day backstop. During the Audit, FPL mentioned the possibility of administratively limiting the time in total loss of function LCOs (i.e., both/all trains inoperable) to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> when using a PRA functional argument. Explain how FPL will incorporate this 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> limit into the technical specifications.

RAI-MF5372/73-APLA-09 (NFPA 805 Modification Implementation)

U.S. Nuclear Regulatory Commission (NRC) approved Topical Report (TR) NEI 06-09, Risk Informed Technical Specifications Initiative 4b: Risk Managed Technical Specification (RMTS),

Revision 0-A (ADAMS ML12286A322), includes the NRC Safety Evaluation (SE) for NEI 06-09 (ADAMS ML071200238) which approved and provided limitations and conditions for use of the TR. Section 4.0, Item 6, of the SE requires that the licensee provide the plant-specific total CDF and LERF to confirm that these are less than 1E-4/year and 1E-5/year, respectively. This is consistent with the risk acceptance guidelines in Regulatory Guide 1.174 (ADAMS ML100910006).

In Enclosure 5 of the application, the licensee states that the St. Lucie Unit 1 CDF and LERF are 6.53E-05/year and 8.66E-06/year, respectively, and that the Unit 2 CDF and LERF are 8.40E-05/year and 8.94E-06/year, respectively. The licensee also notes that, [l]isted values reflect the anticipated configuration of the plant upon full implementation of NFPA 805 and related plant modifications to resolve fire protection issues. At the time of implementation of the RICT Program, the PRA model used will reflect the existing configuration of the plant.

If the licensee receives the RICT amendment approval before the NFPA-modifications are completed and wants to implement the RICT program before the modifications are completed:

a. Provide an estimate of the total CDF and LERF for the as-built, as-operated plant at the time the RICT program will be implemented to ensure that it satisfies the limitations and conditions in Section 4.0, Item 6, of the NEI 06-09 SE.

b. Confirm that modifications that are not yet installed are not credited in the CDF and LERF calculation for each RICT calculation.

An alternative option to providing the information in parts a and b, would be for the licensee to propose a license condition that delays implementation of the RICT program until the NFPA-modifications are complete.

RAI-MF5372/73-APLA-10 (Human Action Surrogate Events)

The RICT program is equipment-oriented (e.g., SSCs may be out of service), but allows a proper surrogate to be used for the equipment not modeled in the PRA. In some instances Operator actions are used as a surrogate to conservatively bound the risk increase associated with [certain] functions. For each such surrogate in your PRA models, explain how the action fully models each different failure mode, and partial failure modes, of the equipment being represented by the action.

RAI-MF5372/73-APLA-11 (Instrumentation Models)

Instrumentation is often not modeled in detail in PRAs and in some cases is only modeled as a single, generic basic event generally representing all trains.

a. Clarify how individual instrument unavailability can be accounted for in the RICT calculations that use a single basic event (i.e., TS 3.3.1.1 (Unit1)).

b. Alternatively describe how instrumentation is modeled in sufficient detail in the PRA to appropriately model the effects of different numbers of trains (e.g., one, two, three, and four trains) unavailable in order to estimate a RICT.

c. Confirm that Function 2b - CSAS - Containment Pressure - High-High in Table E1-1, is modeled in sufficient detail in the PRA to model individual instrument and signal processing component failures as implied by the statement in the disposition and summarize how this high resolution model will be included in the RICT.

NRR-PMDAPEm Resource From: Buckberg, Perry Sent: Wednesday, April 13, 2016 1:09 PM To: Frehafer, Ken Cc: Snyder, Mike; Cross, William

Subject:

Request for Additional Information - St. Lucie TSTF-505 APLA - MF5372 & MF5373 Attachments: St Lucie final TSTF-505 APLA RAIs 4-13-16.pdf

Ken, By letter dated December 5, 2014 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML14353A016), Florida Power and Light (FPL, the licensee) submitted a License Amendment Request (LAR) regarding St. Lucie Units 1 and 2. The proposed amendment would revise Technical Specifications (TS) to Implement TS Task Force (TSTF)-505, Revision 1, Provide Risk-Informed Extended Completion Times RITSTF [Risk Informed TSTF]

Initiative 4b.

The U.S. Nuclear Regulatory Commission Staff reviewed the submittal and identified areas where it needs additional information and clarification to complete its review. The Request for Additional Information (RAI) is attached. The NRC requests that the licensee respond to this RAI within 60 days of this email.

Thanks, Perry Buckberg Senior Project Manager phone: (301)415-1383 perry.buckberg@nrc.gov U.S. Nuclear Regulatory Commission Office of Nuclear Reactor Regulation Mail Stop O-8G9a Washington, DC, 20555-0001 1

Hearing Identifier: NRR_PMDA Email Number: 2775 Mail Envelope Properties (Perry.Buckberg@nrc.gov20160413130800)

Subject:

Request for Additional Information - St. Lucie TSTF-505 APLA - MF5372 &

MF5373 Sent Date: 4/13/2016 1:08:50 PM Received Date: 4/13/2016 1:08:00 PM From: Buckberg, Perry Created By: Perry.Buckberg@nrc.gov Recipients:

"Snyder, Mike" <Mike.Snyder@fpl.com>

Tracking Status: None "Cross, William" <WILLIAM.CROSS@fpl.com>

Tracking Status: None "Frehafer, Ken" <Ken.Frehafer@fpl.com>

Tracking Status: None Post Office:

Files Size Date & Time MESSAGE 1070 4/13/2016 1:08:00 PM St Lucie final TSTF-505 APLA RAIs 4-13-16.pdf 159914 Options Priority: Standard Return Notification: No Reply Requested: No Sensitivity: Normal Expiration Date:

Recipients Received: ZZZ

REQUEST FOR ADDITIONAL INFORMATION LICENSE AMENDMENT REQUEST TO IMPLEMENT TSTF-505, REVISION 1, ST LUCIE UNITS 1 AND 2 DOCKET NOS. 50-335 AND 50-389 (CAC NOS. MF5372 AND MF5373)

By letter dated December 5, 2014 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML14353A016), Florida Power and Light (FPL, the licensee) submitted a License Amendment Request (LAR) regarding St. Lucie Units 1 and 2. The proposed amendment would revise Technical Specifications (TS) to implement TS Task Force (TSTF)-505, Revision 1, Provide Risk-Informed Extended Completion Times RITSTF [Risk Informed TSTF] Initiative 4b.

Based on the review of the amendment request, the U.S. Nuclear Regulatory Commission (NRC) staff has determined that additional information is required for review of the LAR.

RAI-MF5372/73-APLA-01 (Internal event probabilistic risk assessment (PRA))

a. Facts and Observations (F&Os) AS-06 from the internal events probabilistic risk assessment (IEPRA) peer review listed in Table E2-A1 of the LAR states that scenarios that involve loss of all Main Feedwater (MFW) and Auxiliary Feedwater (AFW) are conservatively modeled because use of Condensate pumps to provide low-pressure feed is not credited. Clarify how not crediting the Condensate pumps impacts the risk-informed completion time (RICT) estimates.

b. F&O IE-01 from the IEPRA peer review listed in Table E2-A1 of the LAR states that the Loss of Off-Site Power (LOSP) frequency used in the PRA was derived from early generic industry data and introduces a high degree of conservatism into the PRA. The disposition to this F&O explains that more current LOSP data published in an Electric Power Research Institute (EPRI) report of industry data from 1997 to 2008, will be considered during the cyclical maintenance and update of this calculation, and that, the downward trend of LOSP annual frequency should have improved effects on the model.

This explanation appears to indicate that the LOSP frequency has not yet been updated and therefore the LOSP frequency used in the PRA remains conservatively high. Clarify how using outdated LOSP frequency estimates impacts the RICT estimates.

c. F&O IE-04 from the IEPRA peer review listed in Table E2-A1 of the LAR states that the PRA did not address multiple 120 VAC instrument bus failure initiating events. PRA standard Supporting Requirement (SR) IE-A5 cited with the F&O states that, a systemic evaluation of each system, including support systems, should be performed to assess the possibility of an initiating event, and SR IE-A6 (cited with the F&O) states that such an assessment should include, multiple failure if the equipment failures result from a common cause. The disposition to this F&O states that, [m]ultiple instrument bus failures are judged to be a low probability, but does not justify this conclusion, particularly for RICT calculations where one or more buses may be unavailable as part

of the TS condition. Clarify how the simplified modelling of instrument busses impacts the RICT estimates.

RAI-MF5372/73-APLA-02 (Fire PRA) , page 16 of 23 in the LAR states that the estimated risk-informed completion time (RICT) will be calculated using the fire PRA (or results) from NFPA 805 (LAR Reference 5:

Report 0493060006.105 Rev. 4, St. Lucie Nuclear Plant Fire PRA Summary Report, NUREG/CR-6850 Task 16, ERIN Engineering, March 2013). This does appear to be the latest version of the Fire PRA. For example, the response to NFPA PRA RAI 21 by letter dated October 10, 2014 (ADAMs Accession Number (ADAMS) ML14296A435), summarizes a variety of method and model changes that were required to utilize only acceptable methods in the final NFPA 805 fire PRA.

a) Is the fire PRA that will be used to support the RICT calculations the same fire PRA that was determined to be acceptable for the NFPA 805 transition and future self-approval?

b) How will the maintenance and change process ensure that the latest model of record used in the RICT program reflects the as-built, as-operated plant.

RAI-MF5372/73-APLA-03 (Technical Specification (TS) Limiting (Condition of Operation) LCO 3.6.1.3, 3.6.1.7 and 3.6.3.1)

The disposition for PRA Success Criteria associated with TS LCO 3.6.1.7 (Unit 2 Containment Ventilation) presented in LAR Enclosure 1, Table E1-1 states, The PRA Model includes a large, pre-existing containment leak; this would be bounding for the risk associated with an inoperable air lock door closed, and can be used as a bounding surrogate. The disposition for PRA functionality associated with TS LCO 3.6.3.1 (Containment Isolation Valves) and TS LCO 3.6.1.3 (Containment Air Locks) also refer to use of this leak event in the PRA as a surrogate.

Explain why the leakage for a large pre-existing containment leak is a bounding surrogate for the leak events above.

RAI-MF5372/73-APLA-04 (TS LCO 3.3.1.1)

The disposition for PRA functionality associated with manual trip functions in TS LCOs 3.3.1.1 presented in LAR Enclosure 1, Table E1-1 explains that operator failures to manually initiate the trip functions will be used as surrogate events to conservatively bound the risk increase associated with [these] function[s]. Please confirm this involves setting the surrogate Human Error Probabilities (HEP) = 1.0 (or to True) to calculate RICT events.

RAI-MF5372/73-APLA-05 (Minimum Joint HEPs)

Guidance in NUREG-1792, "Good Practices for Implementing Human Reliability Analysis (HRA)," (Table 2-1) recommends joint human error probability (HEP) values should not be below 1E-05. Table 4-3 of EPRI 1021081, "Establishing Minimum Acceptable Values for Probabilities of Human Failure Events," provides a lower limiting value of 1E-06 for sequences with a very low level of dependence. F&O HG-G6-1 from the IEPRA peer review listed in LAR , Table E2-A1 states the dependency analysis that was performed did not have a reasonableness check of the combined human failures provided. The F&O noted that a number of HEP combinations from the PRA had resulted in probabilities in the 1E-10 to 1E-16 range. Based on the disposition to this F&O, it appears that minimum joint HEPs were not

applied in the PRA and that no update was made to the PRA as a result of this F&O. The NRC staff notes that underestimation of minimum joint probabilities could result in non-conservative RICTs of varying degrees for different inoperable SSCs.

Furthermore, the staff has considered the licensees response to NFPA 805, PRA RAI 21.b (October 10, 2014, ADAMS ML14296A435) which clarified the disposition of RAI 17.b.01 by discussing the minimum joint HEP value and the use of final composite analysis. The NRC concluded that the fire PRA values include an acceptable minimum joint HEP value but these changes were not reviewed for internal events.

Given that it is not clear from the F&O disposition whether or to what extent a dependency analysis was performed as part of the HRA, and whether minimum joint probabilities were applied to combinations of HEPs appearing in the same cutset, provide the following:

a) Describe the HRA dependency analysis performed in response to this F&O used in the PRA and whether it is consistent with NRC accepted guidance. In the response, specifically address how each of the issues identified by the peer review was dispositioned. If the approach to performing HRA dependency analysis is not consistent with NRC guidance, then justify this departure.

b) Also, confirm that each joint HEP value used in the internal events PRA below 1.0E-06, and each joint HEP used in the fire PRA below 1E-05, includes its own separate justification that demonstrates the inapplicability of the NUREG-1792 lower guideline values. Provide an estimate of the number of joint HEPs below the guideline values, discuss the range of values, and provide at least two different examples where justification has been developed.

c) If the assessment described in item b) has not been performed or if minimum joint probability floor was not applied or the value of the floor cannot be justified, then explain how underestimating joint human error probabilities impacts the RICT estimates.

RAI-MF5372/73-APLA-06 (Bounding Analyses for Excluded Risk Sources)

From LAR Enclosure 4, the guidance in NUREG-1855 was used in performing the bounding analysis of certain external hazards that are not included in the PRA. The dispositions in LAR , Table E4-1 state that the risks associated with external flooding, transportation accidents, extreme winds and tornados are insignificant to the calculation of configuration-specific risk on the basis that the current as-built and as-operated plant conforms to the design-basis requirements in the 1975 Standard Review Plan (SRP). A similar basis is provided for excluding seismic events in that the re-evaluated seismic hazard was shown not to exceed the current design basis. However, per NUREG-1855, conforming to design-basis requirements is insufficient justification for concluding that these external hazards are insignificant to the calculation of configuration risk. NUREG-1855 specifically cautions against placing emphasis on comparisons with the design bases of the safety-related systems and structures and further clarifies that, it may be necessary to perform some conservative estimates of the risk for both lower and higher magnitude events, given that (i) non-safety-related systems [credited in the PRA] may provide important risk contributions; (ii) the magnitude of an external event may exceed the plant design basis; and (iii) a significant risk contribution from lower magnitude

events is possible if the susceptibility of the plant to damage (fragility) is relatively insensitive to the magnitude of the event.

a) Explain how the reported evaluations for each hazard incorporate the latest available information (e.g. external flooding to reactor auxiliary building reported in NRC INSPECTION REPORT 05000335/2014010 AND 05000389/2014010, ADAMS ML14323A786). If they do not incorporate the latest available information, please update the evaluations.

b) Explain how the licensees proposal is consistent with the guidance in Section 3.3.5 of NEI 06-09, Revision 0-A.

RAI-MF5372/73-APLA-07 (Translation to Configuration Risk Management Program (CRMP)

Model)

LAR Enclosure 8 Section E8-2.0 describes the process that will be used to translate the baseline PRA models for use in the CRMP model to be used in the RICT Program. The description implies that the CRMP model has not yet been developed and, furthermore, the translation process itself does not appear to be fully developed. Specifically, some expected adjustments or changes to the baseline model are not identified, such as use of a plant availability factor for determining the average annual risk that would not be applicable to configuration-specific risk.

a) Summarize the translation process.

b) Provide a comprehensive discussion of the changes made to the baseline PRA model to produce the CRMP model and how it is assured that these changes are appropriate and comprehensive.

RAI-MF5372/73-APLA-08 (PRA Functionality)

Model Application to TSTF-505, Revision 1, Proposed Revision to the Model Application for TSTF-505, Revision 1, Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b, Enclosure 1 (ADAMS ML12032A065) states:

This enclosure should provide a description of PRA functionality for each associated specified safety function that corresponds to each proposed Required Action that is applicable when all trains of equipment are inoperable as discussed in Section 2.3.1.10 of NEI 06-09.

The TSTF-505 enclosure guidance is included as part of the model application because the NRC staff seeks clarity in how PRA Functionality will be used during full power operation following, loss of a specified safety function or inoperability of all required trains or divisions of a system. Provide justification for PRA functionality for each associated specified safety function consistent with TSTF-505 as requested below:

1. To provide confidence that the defense-in-depth philosophy is maintained as the completion times (CTs) are extended, the NRC staff requests the following information for three of the defense-in-depth circumstances described in RG 1.177, An Approach

for Plant-Specific, Risk-Informed Decision-making: Technical Specifications, Revision 1, May 2011.

a. System redundancy, independence, and diversity are maintained commensurate with the expected frequency and consequences of challenges to the system (e.g.,

there are no risk outliers). The licensee should considerwhether there are appropriate restrictions in place to preclude simultaneous equipment outages that would erode the principles of redundancy and diversity.

Beyond prohibiting voluntary entry, the guidance on PRA Functionality in NEI 06-09 does not address how PRA Functionality should be defined when the systems, structures, and components (SSCs) normally relied on to perform a specified safety function are unavailable. Specifically, the PRA often includes alternative SSCs that could be used to fulfill a specified safety function when the SSCs referenced in the TSs are unavailable. Crediting alternative SSCs when the SSCs normally relied on are unavailable would represent a reduction in redundancy or diversity. Please confirm that SSCs credited in a PRA Functionality determination are the same SSCs relied upon to perform the specified safety function. If a PRA Functionality determination for a loss of a specified safety function or inoperability of all required trains or divisions of a system credits SSCs other than the SSCs covered by the TSs (e.g., crediting the Fire Protection system as an alternative water source), please summarize each such TS and justify how appropriate redundancy and diversity is maintained if alternative SSCs are credited.

b. Over-reliance on programmatic activities as compensatory measures associated with the change in the licensing basis is avoided (e.g., the change does not use high reliability estimates that are primarily based on optimistic program assumptions).

i) Please confirm that all human actions required to achieve PRA functionality upon loss of specified safety function are modeled in the PRA (i.e., they are all explicitly proceduralized; and that they all are (1) trained on or (2) not trained on because they are so simple as to be skill of the craft).

ii) If any human actions were evaluated and credited in the PRA scenarios, but not modeled in the PRA, A. Summarize the action and the evaluation.

B. Clarify why not modelling each action will have a negligible impact on core damage frequency and large early release frequency and the associated CT that will be used when the corresponding PRA Function to TS LCO/Conditions is unavailable.

C. If any other human actions are directly or indirectly credited in the CT length calculations, please provide the same information as in part A and part B.

c. The intent of the plants design criteria is maintained.

The intent of the design basis design criteria is that all design basis accident scenarios could be mitigated, i.e., the minimum specified safety function capability is available. To maintain this intent, PRA Functionality should not include any scenarios that allow any design basis accident initiator to proceed directly to core damage (e.g., Loss of Offsite Power/Loss of Coolant Accident). Please confirm that PRA Functionality does not include any scenarios that allow any design basis accident to proceed directly to core damage or containment failure, or identify the scenarios and justify that the intent of the design criteria is maintained and describe how the PRA functionality determination will verify these requirements are met.

2. To provide confidence that sufficient safety margins are maintained, NRC Staff requests the following information for the detailed circumstance described in RG 1.177.

Safety analysis acceptance criteria in the final safety analysis report (FSAR) are met or proposed revisions provide sufficient margin to account for analysis and data uncertainties (e.g., the proposed TS CT or SF change does not adversely affect any assumptions or inputs to the safety analysis, or, if such inputs are affected, justification is provided to ensure sufficient safety margin will continue to exist). For TS CT changes, an assessment should be made of the effect on the FSAR acceptance criteria assuming the plant is in the condition addressed by the proposed CT (i.e., the subject equipment is inoperable) and there are no additional failures. Such an assessment should result in the identification of all situations in which entry into the condition addressed by the proposed CT could result in failure to meet an intended safety function.

Some TS safety functions are credited in design basis accident scenarios modeled in the PRA but are also required in other design basis accident scenarios not modeled in the PRA because the other scenarios do not contribute to Core Damage Frequency (CDF) and Large Early Release Frequency (LERF) or are not needed within the PRA mission time.

a) Please confirm that the PRA Functionality modeled in the PRA is also available and sufficient for the remaining design basis accident scenarios that are not modeled in the PRA because the un-modeled design basis accident scenarios do not affect CDF or LERF (e.g., containment spray may be credited as decay heat removal in some plants which is modeled in the PRA. It may also provide an iodine removal function for the same plants, which is not modeled in the PRA) or describe how the PRA functionality determination will provide confidence the requirements credited in the un-modeled design basis accident scenarios are met.

b) Please confirm there are no safety functions required to reach a safe and stable state but are not included in the PRA because they are only required after the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time generally used in the PRA (e.g., some alternative primary water sources may lead to excessive boron dilution after some loss-of-coolant accidents but only after at least 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, so boron is not modeled in the PRA) or describe how the PRA functionality determination will provide confidence the requirements credited in design basis accident scenarios are met.

c) In Table E1-1 of its December 5, 2014, LAR, the licensee noted differences between the design basis success criteria and the PRA success criteria for certain specified safety functions. The licensee also noted that the risk-informed Configuration Management Program (CRMP) will ensure that adequate margins of safety are maintained. The licensee also noted in the Administrative Controls section that conditions which represent a loss of function cannot be entered voluntarily.

However, the response did not address how safety margin was maintained for the case of a PRA functionality determination for a loss of a specified safety function or inoperability of all required trains or divisions of a system. For this case, please elaborate on how adequate safety margins are maintained and provide some clarifying examples of adequate safety margins for where the PRA success criteria (e.g., flow rates, temperature limits) differ from the design criteria.

3. Extended completion times are limited to no more than 30 days, i.e., a 30 day backstop. During the Audit, FPL mentioned the possibility of administratively limiting the time in total loss of function LCOs (i.e., both/all trains inoperable) to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> when using a PRA functional argument. Explain how FPL will incorporate this 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> limit into the technical specifications.

RAI-MF5372/73-APLA-09 (NFPA 805 Modification Implementation)

U.S. Nuclear Regulatory Commission (NRC) approved Topical Report (TR) NEI 06-09, Risk Informed Technical Specifications Initiative 4b: Risk Managed Technical Specification (RMTS),

Revision 0-A (ADAMS ML12286A322), includes the NRC Safety Evaluation (SE) for NEI 06-09 (ADAMS ML071200238) which approved and provided limitations and conditions for use of the TR. Section 4.0, Item 6, of the SE requires that the licensee provide the plant-specific total CDF and LERF to confirm that these are less than 1E-4/year and 1E-5/year, respectively. This is consistent with the risk acceptance guidelines in Regulatory Guide 1.174 (ADAMS ML100910006).

In Enclosure 5 of the application, the licensee states that the St. Lucie Unit 1 CDF and LERF are 6.53E-05/year and 8.66E-06/year, respectively, and that the Unit 2 CDF and LERF are 8.40E-05/year and 8.94E-06/year, respectively. The licensee also notes that, [l]isted values reflect the anticipated configuration of the plant upon full implementation of NFPA 805 and related plant modifications to resolve fire protection issues. At the time of implementation of the RICT Program, the PRA model used will reflect the existing configuration of the plant.

If the licensee receives the RICT amendment approval before the NFPA-modifications are completed and wants to implement the RICT program before the modifications are completed:

a. Provide an estimate of the total CDF and LERF for the as-built, as-operated plant at the time the RICT program will be implemented to ensure that it satisfies the limitations and conditions in Section 4.0, Item 6, of the NEI 06-09 SE.

b. Confirm that modifications that are not yet installed are not credited in the CDF and LERF calculation for each RICT calculation.

An alternative option to providing the information in parts a and b, would be for the licensee to propose a license condition that delays implementation of the RICT program until the NFPA-modifications are complete.

RAI-MF5372/73-APLA-10 (Human Action Surrogate Events)

The RICT program is equipment-oriented (e.g., SSCs may be out of service), but allows a proper surrogate to be used for the equipment not modeled in the PRA. In some instances Operator actions are used as a surrogate to conservatively bound the risk increase associated with [certain] functions. For each such surrogate in your PRA models, explain how the action fully models each different failure mode, and partial failure modes, of the equipment being represented by the action.

RAI-MF5372/73-APLA-11 (Instrumentation Models)

Instrumentation is often not modeled in detail in PRAs and in some cases is only modeled as a single, generic basic event generally representing all trains.

a. Clarify how individual instrument unavailability can be accounted for in the RICT calculations that use a single basic event (i.e., TS 3.3.1.1 (Unit1)).

b. Alternatively describe how instrumentation is modeled in sufficient detail in the PRA to appropriately model the effects of different numbers of trains (e.g., one, two, three, and four trains) unavailable in order to estimate a RICT.

c. Confirm that Function 2b - CSAS - Containment Pressure - High-High in Table E1-1, is modeled in sufficient detail in the PRA to model individual instrument and signal processing component failures as implied by the statement in the disposition and summarize how this high resolution model will be included in the RICT.