ML20212G932

Transmits NRC SER Re Proposed Rev to OQAP Description Applicable to Plant
ML20212G932
Person / Time
Site: South Texas (STP Nuclear Operating Company)
Issue date: 10/06/1997
From: Callan L
NRC OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS (EDO)
To:
References
FACA, SECY-97-229, SECY-97-229-01, SECY-97-229-1, SECY-97-229-R, NUDOCS 9711070220


Text

RELEASED TO THE PDR

POLICY ISSUE (NEGATIVE CONSENT)

October 6, 1997 SECY-97-229

FOR: The Commissioners

FROM: L. Joseph Callan, Executive Director for Operations

SUBJECT: GRADED QUALITY ASSURANCE/PROBABILISTIC RISK ASSESSMENT IMPLEMENTATION PLAN FOR THE SOUTH TEXAS PROJECT ELECTRIC GENERATING STATION

PURPOSE/OVERVIEW:

This commission paper transmits the NRC staff's safety evaluation report (SER) regarding a proposed revision to the Operations Quality Assurance Program (OQAP) description applicable to the South Texas Project (STP) Electric Generating Station, Units 1 and 2. The proposal by the Houston Lighting and Power Company (the licensee), submitted on a voluntary basis, derives from the application of graded QA (GQA) controls, as permitted by NRC regulations (Title 10, Part 50, of the Code of Federal Regulations (10 CFR Part 50), Appendix A, General Design Criterion 1, and Appendix B, Criterion II), and is based on a risk-informed approach including Probabilistic Risk Analysis and traditional engineering evaluations. On the basis of the findings documented in the attached SER, the Office of Nuclear Reactor Regulation (NRR) intends to approve the licensee's proposed revision to the OQAP description for implementation at STP.

In addition, it should be noted that the staff intends to use the safety evaluation findings determined for STP, as well as guidance documents developed by the staff, as the basis for the conduct of the review of similar GQA proposals that may be voluntarily submitted by other licensees.

CONTACT:

Robert Gramm, NRR, (301) 415-1010

Stephen Dinsmore, NRR, (301) 415-8482

NOTE: TO BE MADE PUBLICLY AVAILABLE WHEN THE FINAL SRM IS MADE AVAILABLE

9711070220 971006 PDR SECY 97-229 R

BACKGROUND:

Requirements related to QA programs for nuclear power plants are set forth in Appendix B to 10 CFR Part 50. The general statements contained in Appendix B are supplemented by industry standards and NRC regulatory guides which describe specific QA practices that have been found acceptable by the industry and the NRC staff. Both Appendix B and the industry standards include provisions for the flexible application, or grading, of these QA practices commensurate with the importance to safety of the structures, systems and components (SSCs) to which these practices are applied. In a risk-informed environment the staff envisioned that the relative safety significance of the SSCs could be established by the use of probabilistic risk assessment (PRA) and traditional engineering evaluations. Based on the results of these evaluations, each SSC is assigned to one of several categories and an appropriate set of QA practices is identified for each category by the use of past experience and engineering judgement. This process results in the establishment of a GQA program that satisfies the requirements of Appendix B and the related industry standards.

In 1995, the Commission approved the Probabilistic Risk Assessment (PRA) Implementation Plan, the main purpose of which is to develop risk-informed standards and guidance for application in the regulatory process. Task 1.2 of that plan addresses the staff processing of voluntary GQA submittals by licensees using risk-informed regulatory initiatives. The objective of that task is to evaluate PRA methodologies and to develop staff positions on risk-informed regulatory approaches. Item number 4 under Task 1.2 discusses voluntary licensee-proposed activities related to GQA.

In its Staff Requirements Memorandum (SRM) dated May 15, 1996, the Commission requested that the staff prepare a policy paper, with recommendations, addressing the resolution of the four emerging policy issues identified in the quarterly status update of the PRA Implementation Plan dated March 26, 1996. The Commission further requested that the staff prepare that policy paper for the Commission's decision prior to the staff's issuance of any final safety evaluation report, position, or guidance. In response, the staff forwarded its recommendations concerning the four policy issues (only three of which are applicable to the GQA initiative discussed in this SER) to the Commission in SECY-96-218 dated October 11, 1996. The three emerging issues related to the GQA initiative are: the role of performance-based regulation in the PRA Implementation Plan; plant specific application of safety goals; and risk neutral vs. increases in risk.

The Commission responded to the staff's recommendations in an SRM dated January 22, 1997 and the staff believes that its review and approval of the revised OQAP description and risk-informed GQA controls for STP is in accordance with the Commission's positions stated in the SRM of January 22, 1997.

DISCUSSION:

On April 19 and May 8, 1995, the NRC staff held meetings with representatives of the licensee to discuss the potential application of risk-informed insights to grade QA controls for plant equipment and activities. This initiative is consistent with the provisions of 10 CFR Part 50, Appendix A (General Design Criterion 1) and Appendix B (Criterion II). The licensee representatives stated their belief that plant safety could be improved by tailoring QA controls on the basis of the relative safety significance of plant equipment. The licensee indicated its desire to work closely with the NRC staff during the developmental stages of the initiative.

On March 28, 1996, the licensee submitted its proposed OQAP description revision for NRC review and approval in accordance with 10 CFR 50.54(a). Since that initial submittal, the licensee has submitted several revisions to the OQAP description in response to the staff's comments and requests for additional information (RAIs). The most recent submittal, which completed the licensee's responses to the staff's questions and concerns, was submitted on August 4, 1997.

The OQAP description revision proposed by the licensee would result in a process to categorize plant structures, systems, and components (SSCs) into groups based on their relative safety significance. This process would rely on the consideration of traditional engineering criteria along with plant specific PRA insights. The licensee's approach utilizes multi-disciplinary groups of experienced and knowledgeable plant technical staff (specifically, the GQA Working Group and Comprehensive Risk Management Expert Panel) to consider the spectrum of risk informed and deterministic information to arrive at the categorization of plant equipment. The licensee's categorization process for plant SSCs is discussed further in the attached Safety Evaluation Report (SER).

The process for STP would also delineate the QA controls that are to be applied to the different categories of plant SSCs. The proposed revision to the OQAP description does not change the previous safety-related designation of the plant SSCs. In this revision, the licensee has identified two sets of QA practices; these have been designated as the FULL program and the BASIC program. The two sets of QA practices are applied in varying degrees to four risk informed categories of plant equipment. The licensee has established FULL program controls, which constitute the full set of QA controls including commitments to industry QA standards that existed prior to the onset of the graded QA initiative, to be applied to those safety related SSCs determined to be high-safety significant (the term safety significant is used by the staff in the draft risk-informed guidance documents). The licensee has also established BASIC program controls, where certain FULL program QA elements will be utilized to a modified or lesser extent, to be applied to safety-related SSCs determined to be less-safety significant. For safety-related SSCs determined to be intermediate safety significant, critical attributes will be subjected to QA controls from the FULL program while other aspects will be treated under the BASIC program. The details of the FULL and BASIC program controls are also discussed in detail in the attached SER.

Finally, the licensee has established a TARGETED program, also discussed in the attached SER, in which nonsafety-related SSCs that are determined to be high safety significant, will have critical functional attributes subjected to applicable portions of either the FULL or BASIC program controls, as appropriate. In this manner, the QA controls will be applied in a graded, or tiered, manner dependent upon the safety significance of the SSCs and will be focused on critical functional attributes of the equipment. The licensee's terminology for the graded QA program is consistent with that used in draft RG-1064.

An integral part of the GQA initiative for STP is performance monitoring of all components, application of the Appendix B requirements for corrective action including root cause analysis of failures significant to safety, and apparent cause analyses of degraded or failed equipment that is less significant to safety. The purposes of these activities are to ascertain the contributors to equipment performance problems and to apply appropriate corrective measures. Additionally, the GQA initiative for STP includes conducting on-going periodic evaluations of PRA information and performance/operating experience, so that appropriate adjustments can be made in the safety significance categorization process and/or the extent of applicable QA controls.

The staff evaluated the licensee's proposed OQAP description revision using both traditional engineering analysis and risk insights from the PRA. In this evaluation, the staff considered the appropriateness of the proposed methodology for determining safety significance as well as the rigor of QA controls that would be applied to plant equipment in the various categories.

The staff reviewed the proposed revision to the OQAP description for STP in parallel with the generation of draft regulatory guidance, including DG-1061, "An Approach for Using Probabilistic Risk Assessment in Risk-informed Decisions on Plant Specific Changes to the Current Licensing Basis"; DG 1064, "An Approach for Plant Specific, Risk Informed Decision Making: Graded Quality Assurance"; and Chapter 10, "Use of Probabilistic Risk Assessment in Plant Specific, Risk Informed Decisionmaking: General Guidance" from the NRC's "Standard Review Plan (SRP)." The staff forwarded these draft documents to the Commission as attachments to SECY-97-077 dated April 8, 1997, and the Commission approved the new regulatory guidance for release for public comment in an SRM dated June 5, 1997.

On the basis of its evaluations, the staff concludes that the methodology described in the licensee's proposed OQAP description revision, and further amplified upon in the associated implementation procedures and other docketed information, is generally consistent with the draft regulatory guidance discussed above. The staff has evaluated the areas of difference between the licensee's and staff's approaches and found that they do not detract from the technical acceptability of the approach for STP. As recognized in the draft GQA regulatory guide (DG-1064), a realistic quantitative estimate of the change in risk arising from implementation of graded QA is not possible, and the licensee has used a qualitative rationale to show that compensatory measures (primarily increased performance monitoring) ensure that implementation will result in an overall safety benefit. The staff reached the following conclusions:

  • the licensee has developed an acceptable methodology to determine the relative safety significance of plant equipment,
  • the licensee has defined QA controls in an appropriate manner, considering the equipment categorization,
  • adequate feedback mechanisms are in place to adjust the GQA provisions should operational performance dictate the need, and
  • all regulatory requirements continue to be satisfied.

The staff's findings are further described in the attached SER. The staff intends to monitor the effectiveness of the licensee's implementation of its GQA initiative.

The staff also intends to develop an inspection procedure, consistent with the PRA Implementation Plan, that will be used to evaluate the adequacy of the licensee's GQA program implementation.

RESOURCES:

The NRC budget includes the resources required to review the licensee's proposed OQAP description revisions and to continue overseeing STP's implementation of the OQAP.

COORDINATION:

The NRC's Office of the General Counsel has no legal objection to this memorandum or the attached SER.

The Office of the Chief Financial Officer has reviewed this Commission Paper for resource implications and has no objections.

CONCLUSION:

The staff intends to approve the licensee's proposed GQA program for STP presented in the licensee's OQAP description revision as discussed in the attached SER. The staff will issue this approval to the licensee no sooner than 10 working days from the date of this memorandum unless otherwise directed by the Commission.

L. Joseph Callan
Executive Director for Operations

Attachment:

STP GQA Safety Evaluation Report

SECY NOTE:

In the absence of instructions to the contrary, SECY will notify the staff on Thursday, October 23, 1997 that the Commission, by negative consent, assents to the action proposed in this paper.

DISTRIBUTION:

Commissioners, OGC, OCAA, OIG, OPA, OCA, CIO, CFO, EDO, REGIONS, SECY

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION

HOUSTON LIGHTING AND POWER COMPANY

SOUTH TEXAS PROJECT ELECTRIC GENERATING STATION, UNITS 1 AND 2

GRADED QUALITY ASSURANCE PROGRAM

DOCKETS NOS. 50-498 & 50-499

CONTENTS

1.0 INTRODUCTION

2.0 PROPOSED CHANGES

2.1 Scope of Plant Equipment for Which GQA Controls Apply

2.2 Overview of Proposed Changes in QA Controls

2.3 Review Criteria and Requirements

3.0 STAFF EVALUATION

3.1 Traditional Engineering Evaluation

3.2 Process of Categorizing SSCs by Safety Significance

3.2.1 PRA Model and Application to Categorization of Safety Significance

3.2.2 PRA Quality

3.2.3 PRA Quality Assurance

3.2.4 PRA Scope

3.2.5 PRA Results and Insights

3.2.6 Qualitative Categorization Methodology

3.2.7 Conclusions Regarding the Licensee's Analysis Used to Categorize SSCs

3.3 Integrated Assessment and Monitoring Process

3.3.1 Working Group

3.3.2 Expert Panel

3.3.3 Operational Feedback

3.3.4 Conclusions Regarding the Integrated Assessment and Monitoring Process

3.4 Licensee's QA Element Grading and Staff's Evaluation

3.4.1 QA Element Grading Based on Safety Significance of SSCs

3.4.1.1 Documentation of the Use of Design Inputs

3.4.1.2 Independent Design Verification

3.4.1.3 Inspection of Maintenance and Modification Activities

3.4.1.4 Certification of Personnel Performing Inspections

3.4.1.5 Procurement Control of SSCs

3.4.1.6 Supplier Evaluation

3.4.1.7 Auditing of Suppliers' Performance

3.4.1.8 Other Regulatory Guide and Standards Guidelines

3.4.1.9 Corrective Action

3.4.2 Medium Safety Significant and TARGETED QA Controls

3.4.3 Conclusions Regarding the Licensee's Grading of QA Controls

3.5 Results of Staff Evaluations

3.5.1 The Proposed Change Meets the Current Regulations

3.5.2 Defense-in-Depth is Preserved

3.5.3 Sufficient Safety Margins are Maintained

3.5.4 Proposed Increases in Risk, and Their Cumulative Effect Are Small and Do Not Cause the NRC Safety Goals to be Exceeded

3.5.5 Performance Based Implementation and Monitoring Strategies Address Uncertainties and Provide Timely Feedback and Corrective Action

4.0 CONCLUSIONS AND RECOMMENDATIONS

5.0 REFERENCES

6.0 CHRONOLOGY OF EVENTS

7.0 LIST OF ACRONYMS

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION

HOUSTON LIGHTING AND POWER COMPANY

SOUTH TEXAS PROJECT ELECTRIC GENERATING STATION, UNITS 1 AND 2

GRADED QUALITY ASSURANCE PROGRAM

DOCKETS NOS. 50-498 & 50-499

1.0 INTRODUCTION

During early 1995, the Houston Lighting and Power Company (HL&P, the licensee) initiated efforts to modify its Operational Quality Assurance Program (OQAP) for the South Texas Project Electric Generating Station (STP), Units 1 and 2, by grading the application of previously approved quality assurance (QA) controls to safety related plant structures, systems and components (SSCs) in accordance with their significance to safety. The objective of this initiative, as stated by the licensee, was to maintain the necessary level of protection for the public health and safety while reducing the operating costs for the STP facility. The concept of grading QA controls applicable to SSCs consistent with their importance to safety was long ago embodied in NRC regulations (10 CFR 50, General Design Criterion 1 of Appendix A, and Criterion II of Appendix B). However, the licensee's graded QA (GQA) programmatic changes involve reduced commitments to previously approved QA controls. This necessitated the submittal of supporting information for review and approval by the NRC staff in accordance with 10 CFR 50.54(a). The NRC staff agreed to review the licensee's 50.54(a) submittal and treat STP as a volunteer plant for the development of the GQA initiative potentially applicable for wider industry implementation. Section 6.0 details the chronology of the interactions between the licensee and the staff during the review and approval process.

In a letter to the licensee dated January 24, 1996, the staff proposed ground rules that the NRC and the licensee would follow for implementation of the GQA initiative. As an enclosure to the letter, the staff provided a Draft Evaluation Guide (Reference 1) to further define the framework for evaluating GQA programs. These documents described the process envisioned for development of the GQA initiative and identified four essential elements that are expected to remain as the cornerstone of the regulatory positions and future guidance. These essential elements are:

1. A process that identifies the appropriate safety significance of structures, systems and components (SSCs) in a reasonable and consistent manner.
2. The implementation of appropriate QA controls for SSCs, or groups of SSCs, based on safety function and safety significance.
3. An effective root cause analysis and corrective action program.
4. A means for reassessing SSC safety significance and QA controls when new information becomes available.

Implementation of these essential elements as well as application of the draft evaluation guidance and satisfaction of NRC regulations have governed the staff's processing of the licensee's GQA proposal. In revising its QA program, the licensee envisioned that levels of QA controls and oversight could be applied to plant equipment and work activities based on their safety significance. In so doing, the licensee indicated that improvements in safety could be achieved by extending QA controls to nonsafety related SSCs that have been determined to be useful and useable in preventing and mitigating accidents. The development of detailed deterministic insights, probabilistic risk assessment (PRA)¹ analytical techniques, and extensive computer supported condition reporting and failure monitoring tools are integral components of the proposed approach.

In parallel with the licensee's development of the implementation details associated with GQA, the NRC staff prepared several documents (contained in SECY-97-077 dated April 8, 1997) to support the implementation of risk informed regulation. These documents include Draft Regulatory Guides (RGs) DG 1061 (Reference 2) and DG 1064 (Reference 3). These documents describe the staff's expectations for licensees who propose to use risk insights to make adjustments in the application of their QA program controls. The staff used these documents during its evaluation of the licensee's proposed approach, and has contrasted the approach proposed by STP for grading QA controls with the expectations contained in the draft regulatory guidance for risk informed decision making. These draft RGs were released to the public for a 90-day comment period by an SRM (Reference 4) from the Commission dated June 5, 1997.

The licensee provided its most recent submittal on August 4, 1997, which completed the responses to the staff's questions and concerns. This Safety Evaluation Report (SER) presents the staff's evaluation and conclusions regarding the licensee's overall approach toward the formulation and implementation of GQA. While not a consideration for the staff review and evaluation, the staff recognizes that projected cost savings for plant operations have played a key role in the licensee's decision to pursue this initiative. The staff based its review and determination of acceptability on regulatory requirements germane to the application of QA controls. The staff gave due consideration to recent Commission policy statements to reduce unnecessary requirements and practices.

2.0 PROPOSED CHANGES

The licensee revised the OQAP description for STP to describe the process whereby the SSCs would be evaluated to determine the following:

  • the safety significance of the SSCs
  • the level of QA controls that will be applied to the various equipment categories (generally described in Chapter 2.0, Table I of the OQAP description),
  • the corrective action process that will ensure that failures of components covered by the less rigorous program controls will receive appropriate apparent cause analysis to identify failure modes of significance, and
  • a process to review plant and industry performance information on a periodic basis to make necessary adjustments in either the safety significance categorization of SSCs or in the QA controls that are applied to SSCs.

¹ For the purposes of this Safety Evaluation, the terms Probabilistic Risk Assessment (PRA) and Probabilistic Safety Assessment (PSA) will be used interchangeably.

In selected areas, the licensee has identified changes in QA commitments for items in the BASIC QA program that are different from the controls previously applied to all safety related equipment. The licensee refers to the latter as the FULL QA program (see Section 2.2 of this SER for a discussion of the QA controls applicable to each category). In general, the changes will eliminate the necessity to perform QA verifications to the same extent as applied in the FULL program controls. Nonetheless, the revised process should still afford a reasonable level of assurance that safety related equipment is capable of performing its safety function(s) in accordance with Appendix B to 10 CFR 50. Section 3.4 of this SER details QA controls associated with the grading initiative.

2.1 Scope of Plant Equipment for Which GQA Controls Apply

The licensee has developed a methodology that can be used to determine the relative safety significance of plant equipment. For selected systems, the licensee will evaluate all safety-related and nonsafety related SSCs with regard to the system functions they support using probabilistic and traditional engineering evaluations. The evaluation results in the placement of each SSC into a category of safety significance to which a predetermined level of QA controls will be applied.

Section 5.3.3 in Chapter 2.0 of the OQAP description contains the following statement:

"Selected systems are evaluated, at the component level, by a cross discipline Expert Panel comprised of high level station management."

The licensee has also indicated that the GQA program is planned for implementation in a manner consistent with cost effectiveness goals. At the licensee's discretion, further systems will be evaluated for GQA program implementation in accordance with an orderly plan based on cost savings to be realized. Conservatively, for SSCs that have not yet been evaluated under the GQA program, the licensee has committed to continue the current QA treatment in accordance with the previously accepted OQAP description (i.e., the FULL program).

Thus, in a sequential fashion, the licensee will generate documentation describing the safety significance of plant equipment, the critical functional attributes of the equipment, and the level of QA controls that should be applied to each item. From this documentation, plant staff involved with line activities will identify and apply appropriate QA controls, subject to the oversight and involvement of two standing committees comprised of senior management and technical personnel, namely, the GQA Working Group (WG) and the Comprehensive Risk Management Expert Panel (EP).

As of this time, the licensee has only used this process to categorize plant equipment in selected systems (Radiation Monitoring, Essential Cooling Water, and Diesel Generators).

2.2 Overview of Proposed Changes in QA Controls

To implement GQA for both STP units, the licensee has established three levels of QA controls in the OQAP description. The three levels are labeled FULL, BASIC, and TARGETED. The licensee has also established categories of safety significant SSCs that are labeled High, Medium, and Low Safety Significant (HSS, MSS, LSS), as well as non risk significant (NRS). For those SSCs modeled in the PRA, the MSS category is further divided into two populations, referred to in this SER as MSS 1 and MSS 2. The result is that five categories of safety significant SSCs have been established. Sections 3.2 and 3.4.1 of this SER, respectively, describe the categories of safety significance and levels of QA controls proposed for use in the STP GQA program.

The FULL program consists of QA elements that remain essentially unchanged from those implemented for safety related SSCs at STP prior to the onset of GQA. Those elements comprise all licensee commitments to QA related regulatory guides, endorsed standards promulgated by the American National Standards Institute (ANSI), and Standard Review Plan (SRP) positions necessary to meet the requirements of Appendix B to 10 CFR 50 for SSCs that are the most significant to safety. The FULL program QA elements are defined in Chapter 2.0, Table I of the OQAP description and apply to HSS safety related SSCs.

The BASIC program includes QA elements that have been graded, relative to those elements in the FULL program, consistent with the lesser safety importance of plant equipment placed in the BASIC category. Section 3.4.1 of this SER lists the areas of grading and includes an evaluation of their compliance to Appendix B requirements. A more detailed listing of changes to QA elements for the BASIC program is given in Table I, Chapter 2.0 of the licensee's OQAP description. The BASIC program is applied to MSS 2, LSS, and NRS safety related SSCs.

The licensee recognizes that some SSCs modeled in the PRA, while highly reliable, would result in a significant increase in risk if they were to fail when needed. For these SSCs (designated MSS 1), the licensee will apply FULL program controls to those attributes that are relied upon to ensure a high level of confidence in the equipment performance capabilities to maintain low risk; BASIC program controls will be applied to the remaining attributes.

The TARGETED program consists of QA elements from the BASIC and FULL programs applied to those characteristics or critical attributes that render nonsafety related SSCs safety significant, but only in a forward fit manner (i.e., only future operational activities associated with previously procured and installed equipment of this type would be subject to these requirements). More specifically, the licensee will apply FULL and BASIC program controls in a selected manner to nonsafety related SSCs that have been categorized as HSS or MSS (i.e., MSS 1 or MSS 2) in future activities.

LSS and NRS nonsafety related SSCs would continue to be subject to the licensee's administrative and quality provisions for activities such as procurement and maintenance, as is currently done.

2.3 Review Criteria and Requirements

Regulatory requirements germane to the review of the OQAP description are contained in Appendices A and B to 10 CFR Part 50, as well as 10 CFR 50.54(a) and 10 CFR 50.34(b)(6)(ii).

Criteria related to risk informed initiatives are contained in draft regulatory guidance documents DG 1061 (Reference 2), DG 1064 (Reference 3), and SRP Chapter 19 (Reference 5). These guidance documents include the following five safety principles, which are addressed in Section 3.5 of this SER:

  • 'The proposed change meets the current regulations. This principle applies unless the proposed change is explicitly related to a requested exemption or rule change.
  • Defense in depth is maintained.
  • Sufficient safety margins are maintained.
  • Proposed increases in risk, and their cumulative effect are small and do not cause the NRC Safety Goals to be exceeded.
  • Performance based implementation and monitoring strategies are proposed that address uncertainties in analysis models and data and provide for timely feedback and corrective action.'

The staff also used criteria from Chapters 17.1 and 17.2 of the Standard Review Plan (SRP) (Reference 6). Specifically, Section 17.1.II.2B3 (referred to by Section 17.2.II) includes the following guidance:

"The QA organization and the necessary technical organizations participate early in the QA program definition stage to determine and identify the extent QA controls are to be applied to specific structures, systems, and components. This effort involves applying a defined graded approach to certain structures, systems, and components in accordance with their importance to safety and affects such disciplines as design, procurement, document control, inspection, tests, special processes, records, audits, and others described in 10 CFR [Part] 50, Appendix B."

The staff recognizes that the licensee's proposal for STP took exceptions to NRC QA regulatory guides and industry QA standards identified in SRP Chapters 17.1 and 17.2, as delineated in Table I, Chapter 2.0 of the OQAP description. However, the licensee's proposal is consistent with the following guidance from SRP Sections 17.1.II and 17.2.II:

"The acceptance criteria used... to evaluate this QA program are listed in the following [18] subsections. The acceptance criteria include a commitment to comply with the regulations, regulatory positions presented in the appropriate issue of the Regulatory Guides, and the Branch Technical Positions listed in Subsection V.... Exceptions and alternatives to these acceptance criteria may be adopted by applicants, provided adequate justification is given... When the QA program description meets the applicable acceptance criteria of this subsection or provides acceptable exceptions or alternatives, the program is considered to be in compliance with pertinent NRC regulations."

Thus, the licensee has the flexibility to propose alternatives to the SRP and regulatory guides, and the staff will evaluate these alternatives on their individual merits.

3.0 STAFF EVALUATION

The licensee's proposal to implement GQA involves categorizing component safety significance, identifying critical component attributes, assigning QA controls to the critical component attributes, and utilizing long term corrective action feedback from the condition reporting, monitoring, and trending systems. Moreover, the licensee considers these aspects to be an integrated process, not a series of independent decisions. Consequently, the staff's evaluation of each element in the process is predicated on the interrelationship between the various elements of the integrated process.

3.1 Traditional Engineering Evaluation

Many of the evaluations performed by the licensee in its GQA methodology, and much of the information gathered as a result of those evaluations, are similar to the traditional determination of safety related equipment, but at a greater level of detail. For example, during the licensee's process for STP, all functions of each evaluated system are developed and documented, along with the operating functions required of each SSC involved to support each critical system function.

The deterministic information for each component in the system being evaluated is collected from operations, system engineering, licensing, QA, and other plant departments, as appropriate. The information is summarized in descriptive text and tables, which then become part of the report prepared for each system called the GQA Basis Document. A typical draft report (Reference 7) includes the following qualitative information:

- the current design basis description, functions, and constraints on the system and components
- the licensing basis including regulatory commitments, constraints imposed by the updated final safety analysis report (UFSAR), Technical Specifications, and other correspondence commitments
- review of the operating experience as reflected in the plant specific reliability and condition reporting system and deficiencies reported by industry groups
- use of the system components in the emergency operations or response procedures
- current safety-related and Maintenance Rule status
- self assessment and system health reports
- equipment history (successes and failures)
- NRC inspection reports and systematic assessments of licensee performance (SALP)
- corporate and joint utility management audits and reports
- reports issued by the Institute of Nuclear Power Operations (INPO)

This deterministic information is collected, reviewed, and evaluated by the GQA WG during the categorization of the safety significance for the SSCs, as discussed in Section 3.2.3 of this SER. The information and recommendations are documented in each system's GQA Basis Document and delivered to the EP for final review and approval, as discussed in Section 3.3 of this SER.

3.2 ENGals of Categorizing SSCs by Safety Significance

The licensee's approach for categorizing SSCs in accordance with their significance to safety utilizes a combination of performance based information, risk insights, and deterministic insights regarding the safety functions of systems and components. The process relies on engineering evaluation and judgment, supplemented by certain PRA calculations (where amenable) to arrive at recommendations for SSC categorization and, eventually, the assignment of QA controls.

As discussed in Section 3.3 of this SER, the GQA WG is responsible for collecting the appropriate information and making recommendations. These recommendations are then presented to an EP. The process of categorizing SSCs by safety significance is not complete until the EP accepts or modifies the final recommendations from the WG.

The licensee evaluates each system using a comprehensive approach that addresses each component in the system. During this process, the licensee identifies and lists all functions that the system may be called upon to perform, including all support functions the system provides to other systems. The licensee assigns a safety significance to each system function based on the combination of PRA insight and deterministic evaluation as discussed in this section.

The licensee assigns each system component to a safety significance category. The assignment is made after determining all system functions supported by the component, and the safety significance of each of these system functions. Every component in the system is assigned to one of the five categories known as HSS, MSS-1, MSS 2, LSS, and NRS. The use of the NRS category has no safety implications, because the SSCs assigned to this category are treated identically to the LSS SSCs.

As discussed in Section 3.2.5 of this SER, the MSS 1 and MSS 2 categories are differentiated by the maximum potential impact of the SSC's failure on the core damage frequency (CDF) and the large early release frequency (LERF) risk metrics. In Chapter 2.0 of the OQAP description, the licensee identified the MSS 1 population components "based on their risk importance" and differentiated them from the HSS and other MSS components with paragraph 5.3.9 which reads as follows:

"Components that are highly reliable, yet whose failure would result in a significant increase in risk, will receive FULL program coverage, or will be evaluated based on their risk importance to ensure that FULL program controls are applied to their critical attributes."

The licensee uses a single MSS category label for both MSS 1 and MSS 2 SSCs modeled in the PRA, as well as for those SSCs deterministically categorized MSS (where no MSS 1 and MSS 2 differentiation exist). The staff differentiates the two populations throughout this SER with the MSS 1 and MSS 2 labels. (The deterministically categorized SSCs are treated as MSS 2 SSCs). Nevertheless, the staff concurs that the distinctions between the categories are qualitatively defined in the OQAP description and, where applicable, quantitatively defined based on importance measure values in the implementing procedures. The staff accepts the licensee's use of these multiple categories and considers the categories to be an acceptable means of grouping SSCs based on safety significance.

3.2.1 PRA Model and Application to Categorization of Safety Significance

Changes in the application of QA controls do not lend themselves to a quantitative assessment of the change in core damage frequency (CDF) or large early release frequency (LERF) resulting from the implementation of GQA. In Draft RG DG-1061 (Reference 2), the staff recognized that, in some applications, quantitative estimates may not be possible. In such instances, DG-1061 allows the use of acceptable alternatives such as calculated risk-importance measures, bounding estimates, or a qualitative assessment of the impact of the change on the plant's risk. These alternatives are used for GQA applications.

The licensee used PRA analytic techniques and the plant specific PRA model to clearly identify a group of components which, individually, are highly significant to plant safety, because they are the most important contributors to CDF and LERF (HSS), or because they would become important contributors if their reliability or availability degrades (HSS or MSS 1). Components that are less significant to plant safety are further subdivided to provide the WG and EP with as much guidance as can reasonably be obtained using PRA insights.

The MSS 2 category identifies components that individually are small contributors to CDF and LERF. The LSS category includes those components with minimal or negligible individual importance to safety. The NRS category is not used for components modeled in the PRA.

In the proposed approach, the licensee compares component importance measures developed by PRA analysis against quantitative guidelines, and the components are placed into the category consistent with each component's CDF and LERF importance measures. The PRA based safety significance categories are augmented with a description of assumptions and bounding conditions that guided the modeling of the system (and its components) in the PRA. This information is delivered to the WG for use in its deliberations, as discussed in Section 3.3.

The licensee also uses the PRA to perform sensitivity studies to bound the impact of highly uncertain modeling assumptions on the categorization, and to study the potential aggregate impact of the simultaneous change in reliability or availability in all components to which reduced QA controls will be applied.

3.2.2 PRA Quality

The staff reviewed the PRA quality with the objective of determining the acceptability of the PRA, as it is used to support the present application. The licensee uses the PRA to develop risk insights by broadly categorizing the safety significance of all components modeled in the PRA. These categories, along with clarifying assumptions and limitations, are used by the WG and EP in their deliberations regarding which components should be affected by changes to the QA program.

In discussions with the licensee, the staff considered its observations and findings from the following NRC staff reports regarding the licensee's PRA for STP:

- SER (Reference 8) prepared by the staff to assess the level 1 PRA submitted by the licensee on April 14, 1989. In this SER, the staff concluded that the PRA was a state of the art level 1 risk assessment.
- SER (Reference 9) prepared by the staff to assess the external events analysis in the level 1 PRA submitted by the licensee on April 14, 1989. In this SER, the staff concluded that the licensee carried out the external event analysis using acceptable state-of-the-art approaches used in many contemporary PRAs.
- Staff (RES) evaluation (Reference 10) to assess the Individual Plant Examination (IPE) submitted by the licensee on August 28, 1992. The assessment emphasized the level 2 enhancements made to the 1989 PSA. In this evaluation, the staff found that the IPE submittal was complete and that the process was capable of identifying the most likely severe accidents and severe accident vulnerabilities in accordance with Generic Letter (GL) 88-20 (Reference 11).

The staff noted any areas in the previous PRA reviews where potential areas for enhancements to the risk assessment were identified. The staff followed up each area with the licensee to assess how these topics had been considered or factored into modifications to the PRA. The licensee documented this information in responses to RAIs. The staff also reviewed the QA process used to assure the quality of the changes to the PRA between 1989 and the current 1997 version. Since the initial PRA submittal in 1989, the Commission has granted two amendments changing the plant's Technical Specifications, in part on the basis of PRA insights (References 12 and 13). The current PRA reflects these changes.

The licensee performed a variety of sensitivity studies to provide additional assurance that important SSCs are not inappropriately categorized because of PRA modeling limitations and uncertainties. Toward this end, the licensee's PSA Risk Ranking procedure (Reference 14) includes the following bounding values and analyses:

- equipment planned to be out of service during each of the plant's scheduled maintenance states is set to unavailable
- all operator recovery actions are removed
- all common cause failures (CCFs) are removed
- the potential degradation of availability of nominally identical components used in several systems is evaluated by studying the impact of a common increase in unavailability
- the effect of a possible overestimate of induced steam generator tube rupture (SGTR) overshadowing other LERF considerations is studied

All components categorized in the base case as being less significant to plant safety, but categorized as HSS in any of the above sensitivity studies, will be identified and described, and relevant comments prepared for special consideration by the WG and the EP.

During the course of this assessment, the staff evaluated the results of previous STP PRA reviews, obtained acceptable resolution of issues raised during the previous reviews and assessed the bounding values and analyses used to support the categorization process. On that basis, the staff finds that the quality of the licensee's PRA analysis is sufficient for the assigning of SSCs (in relation to their importance to the CDF and LERF risk metrics) into broad safety significance categories for consideration by the WG and EP.

3.2.3 PRA Quality Assurance

To perform the PRA analyses, the licensee uses computer software known as RISKMAN, Version 8. The licensee stated they originally procured the software from the vendor, PLG, Inc. (Newport Beach, California), as a safety related procurement and invoked the QA requirements of Appendix B to 10 CFR Part 50. PLG performed the verification and validation (V&V) on the software, and the licensee verified the proper operation of the installed code using the sample model provided to test the installation.

The licensee's Purchase Order (PO) issued to PLG for PRA services included: the development of PRA system level and/or event tre? 4k models; risk model development and maintenance; plant specific data analysis; and risk and outage support. For work performed at PLG facilities, PLG was directed to utilize its QA program. For work performed onsite at STP, PLG was directed to work in accordance with the licensee's QA program and procedures.

PLG applies QA controls to both software development and PRA model development and the licensee's staff participated in QA audits of PLG. The NRC staff then reviewed the licensee's audit report 95 073 (VA), documenting the audit conducted at PLG on September 11-14, 1995 (Reference 15). That audit examined the implementation of the PLG QA plan with an emphasis on the control of RISKMAN software development and changes. The audit scope included software quality assurance (SQA), procurement, document control, and QA program compliance. In reviewing the licensee's audit report, the NRC staff noted that PLG had revised two PLG quality related procedures in response to concerns identified during the licensee's audit.

Additionally, the staff examined the licensee's audit checklist (derived from an audit checklist promulgated by the Nuclear Procurement Issues Committee), which documented that the audit was performed in accordance with the requirements of Appendix B to 10 CFR Part 50, as well as ANSI/ASME NQA 1 (Reference 16), ANSI N45.2.12 (Reference 17), and ANSI N45.2.13 (Reference 18) and the corresponding sections of the PLG QA plan. On the basis of PLG's scope of work, some aspects of 10 CFR Part 50, Appendix B were determined not to apply. A significant number of the items on the licensee's audit checklist were concerned with SQA elements for software V&V, and configuration management. The audit team included a technical specialist who focused on examining computer software aspects.

While the audit did identify some nonconformances, the licensee determined that they were not significant to the procured analysis, as they had no impact on the quality of work actually performed by PLG. By confirming the implementation of the PLG QA plan controls, the licensee's audit gives additional confidence in the adequacy of the software and services provided by PLG in support of GQA.

The licensee's independent Nuclear Safety Evaluation Department (NSED) conducted an evaluation (Licensee Report No. 96 02, Reference 19) of the licensee's own risk assessment activities associated with shutdown risk assessment during an outage and for the conduct of on line maintenance. The NRC staff considers the conduct of NSED evaluations of PRA activities appropriate and consistent with the manner in which the risk assessment results are used with respect to operational plant activities.

The licensee has strengthened quality control beginning with the version of the PRA issued in March 1997 through the following actions:

- placing PRA documentation in the vault and under the purview of Records Management
- developing a controlled copy of the computer model, which is only modified after suggested changes are reviewed and documented
- using the plant wide "Calculations" procedure (Reference 20) to perform PRA calculations

The licensee has also identified the plant documentation used as a basis for the PRA analysis, and has stored the references to the supporting information in a database. Periodically, the licensee's PRA staff searches the plant's documentation system to identify any basis documentation that has been changed. The PRA staff then reviews all changed documents and updates the working model to reflect the changed basis, as necessary. All changes to the PRA model, resulting from modeling improvements or plant modifications, are verified by supervisory review before being incorporated into the model.

During the initial categorization, and during each periodic review, the WG and the EP review the PRA assumptions, input, and results together with the deterministic operating and maintenance information. This review ensures an on going evaluation of the PRA by knowledgeable system and plant personnel. The staff finds the licensee's control of PRA related information acceptable and that it provides for checking and maintaining the correspondence between the plant and the PRA.

3.2.4 PRA Scope

The licensee's PRA is an internal and external event, full power, level 2 PRA. A shutdown risk analysis has been prepared but has not been reviewed or incorporated into the full power model. In the interim, the qualitative review of SSCs by the WG and the EP includes explicit consideration of whether a given SSC is used during shutdown. Shutdown risk contribution is minimized by appropriate administrative controls at STP. Contributions from all initiating events at full power are included in the importance measure calculations used as the basis for the PRA based categorization, and the system reports reflect PRA assumptions and boundary conditions. Therefore, the staff finds the scope of the PRA to be acceptable.

3.2.5 PRA Results and Insights

The application of PRA insights to GQA requires establishing the relationship between basic events in the PRA model and the components that will be subject to GQA controls. A basic event in the PRA model can represent the failure of a single component, a set of redundant components, an entire system, or a collection of components that perform a well-defined function. The staff finds that the licensee has clearly defined the linkage between these items using a traceable format with tables containing system functions, component versus system function, and component versus critical function attributes. The licensee includes these tables in each system's GQA Basis Document report.

During the course of the review of the proposed GQA program, the staff observed that the evaluation developed by the licensee to support the categorization of components by their safety significance is conceptually similar to, but more comprehensive than, the evaluation performed to support the categorization of components under the Maintenance Rule. Unlike the industry guidance document (NUMARC 93-01) (Reference 21) which is endorsed by the Maintenance Rule RG (Reference 22), Draft RG DG 1064 (Reference 3) does not specify which importance measures should be used, or the guideline values to be used for those measures. Rather, Draft RG DG-1064 indicates that the licensee should choose and justify appropriate measures and values as part of their GQA application.

The licensee uses the Fussell-Vesely (FV) and risk achievement worth (RAW) importance measures to characterize the PRA based safety significance of basic events and thereby the associated SSCs. The FV value is the fraction of the CDF or LERF to which the failure of the SSC contributes. The RAW value is the factor by which the CDF or LERF would increase given that the SSC is unavailable or fails on demand. An SSC with both high RAW and low FV values is highly reliable, but its failure would lead to a major reduction in the degree of defense in depth.

The RAW and FV importance measures used to characterize a given SSC include the contribution of all modeled failure modes for the SSC, including any common cause failures (CCF). If a CCF is modeled (resulting from plausible CCF mechanisms), the FV and RAW values reflect the importance of the system's function that would fail when subjected to a CCF event. If no CCF is modeled (resulting from diversity or reliance on only passive functions for which no plausible CCF mechanism is known), the FV and RAW values reflect the importance of the individual SSCs. The staff finds that this process conforms to the Draft RG DG 1064 (Reference 3) position that the importance of system functions should be considered when CCFs are plausible.
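The FV and RAW definitions above, worked through on a constructed two-train system as an added example (not taken from the SER or the licensee's PRA). The basic-event names, probabilities, and the rule for combining an SSC's failure modes (setting all of its basic events together) are assumptions for illustration; the logic model is evaluated exactly rather than from truncated cut sets.

```python
from itertools import product

# Constructed toy model, not STP data: per-demand failure probabilities.
PROBS = {
    "PUMP_A": 3e-2,    # independent failure of the train A pump
    "PUMP_B": 3e-2,    # independent failure of the train B pump
    "PUMP_CCF": 1e-3,  # common cause failure of both pumps
    "TANK": 1e-6,      # shared passive suction tank, highly reliable
}

# Assumed mapping of each SSC to every modeled failure mode that involves it.
SSC_MODES = {
    "PUMP_A": ["PUMP_A", "PUMP_CCF"],
    "PUMP_B": ["PUMP_B", "PUMP_CCF"],
    "TANK": ["TANK"],
}


def top_event(failed):
    """Loss of injection: tank fails, or both pumps fail (CCF or independently)."""
    return (failed["TANK"] or failed["PUMP_CCF"]
            or (failed["PUMP_A"] and failed["PUMP_B"]))


def risk(probs, logic=top_event):
    """Exact top-event probability by enumerating every basic-event state."""
    names = list(probs)
    total = 0.0
    for states in product((False, True), repeat=len(names)):
        failed = dict(zip(names, states))
        if not logic(failed):
            continue
        weight = 1.0
        for name, is_failed in failed.items():
            weight *= probs[name] if is_failed else 1.0 - probs[name]
        total += weight
    return total


def importance(probs, events):
    """Return (FV, RAW) for a group of basic events.

    FV  = (R - R[events never fail]) / R   fraction of risk the failures contribute to
    RAW = R[events always fail] / R        factor by which risk rises given failure
    """
    base = risk(probs)
    never = risk({**probs, **{e: 0.0 for e in events}})
    always = risk({**probs, **{e: 1.0 for e in events}})
    return (base - never) / base, always / base


def report(probs=PROBS):
    """FV and RAW per SSC, with and without its common cause failure mode."""
    rows = {}
    for ssc, modes in SSC_MODES.items():
        rows[ssc] = {
            "independent_only": importance(probs, [ssc]),
            "all_modes": importance(probs, modes),
        }
    return rows


if __name__ == "__main__":
    for ssc, row in report().items():
        for label, (fv, raw) in row.items():
            print(f"{ssc:7s} {label:16s} FV={fv:.4f} RAW={raw:7.1f}")
```

The tank is the high-RAW, low-FV case: it contributes almost nothing to baseline risk, yet its failure multiplies risk several hundredfold. Including the CCF mode lifts the pump's RAW from the single-train value to the value for loss of the whole pumping function.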

In general, the licensee links the safety significance category to the level of system and plant performance that could be impaired by degraded SSC performance with the following definitions.

HSS: Degradation of components will result in unacceptable system performance, and possibly plant performance.

MSS 1: Degradation of components could result in unacceptable system performance.

MSS 2: Degradation of components could impair system level performance. The WG and EP should consider this potential.

LSS: Degradation of components is not expected to impact system performance.

NRS: Failure of component does not impact any safety significant system function (not applied to SSCs modeled in the PRA)

Figure 1 graphically illustrates the relationship between the RAW, FV, and the safety-significance categories for those SSCs modeled in the PRA. Since FV and RAW are relative measures, both CDF- and LERF-related results are compared to the guidelines and the SSC assigned the highest category. The staff finds this process acceptable, and that the suggested RAW and FV values provide reasonable assurance that plant equipment will receive a level of QA control commensurate with importance to safety. Furthermore, since the licensee assigns all SSCs with elevated RAW to the HSS or MSS 1 categories, the staff finds that the licensee's proposal conforms with the Draft RG DG 1064 (Reference 3) position that high reliability alone is not sufficient for reducing QA controls.

To investigate the contribution of plant safety attributable to the successful operation of the LSS SSCs, the licensee performed sensitivity studies in which the unavailability was simultaneously increased for all modeled SSCs which could be eventually subjected to reduced QA controls.

The calculations for these studies were performed using the PRA logic model (rather than cut-set or sequence results), so truncation errors did not require special study. The staff finds the sensitivity studies to be an acceptable method of ensuring the potential aggregate risk impact of the reduction of QA controls on the LSS SSCs is well understood.

[Figure: regions labeled High (HSS), Medium (MSS 1), Medium (MSS 2), and Low (LSS), plotted by Fussell-Vesely importance (axis values 0.005 and 0.01) and risk achievement worth.]

Figure 1 Probabilistic Risk Importance Thresholds for Input to GQA Component Classifications

3.2.6 Qualitative Categorization Methodology

During the qualitative categorization process, the WG compiles a system function list and component list for the system. This involves evaluating all components in the system, whether modeled in the PRA or not, using deterministic considerations to assign an appropriate safety-significance category. The WG and EP may assign categories on the basis of their knowledge and experience, but the assignment shall be justifiable. Therefore, components categorized as HSS from the PRA are generally also categorized as HSS by the WG with minimal further evaluation. The WG may scrutinize safety related SSCs categorized as MSS 1 from the PRA to determine the cause of the MSS 1 designation, and may reduce QA controls on the SSC's non critical attributes. However, as with the HSS categorization, the WG must justify reducing QA controls on critical attributes for a MSS 1 SSC.


To expand the categorization to SSCs not modeled in the PRA (and accept the appropriateness of reduced QA controls on safety related MSS 2 and LSS SSCs modeled in the PRA), the WG identifies and documents every component attribute which supports any HSS system function.

For example, a normally closed motor operated valve (MOV) which must open to allow Emergency Core Cooling System (ECCS) injection would have the critical attributes of opening on demand, remaining open, and maintaining pressure boundary integrity.

The WG structures its final evaluation of the collected information by assigning consensus weighting factors to each of the following questions for each component:

- Could the SSC's failure cause an initiating event?
- Could the SSC's failure cause a risk significant system to fail?
- Is the SSC used to mitigate accidents or transients?
- Is the SSC relied upon in the Emergency Operating Procedure?
- Is the SSC significant to safety during mode changes or shutdown?

After assigning the weighting factors, the WG assigns a safety significance category and a corresponding level of QA controls to each component. The WG develops a record of the critical component attributes, the weighting factors, the applicable PRA category, and the assigned safety significance category, and inserts this information into the GQA Basis Document for review and approval by the EP. Section 3.3 of this SER presents additional detail concerning the licensee's integrated decision making process.

3.2.7 Conclusions Regarding the Licensee's Analysis Used to Categorize SSCs

As described in previous sections of this SER, the staff evaluated the results of previous reviews of the PRA, as well as the robust QA program used by the licensee in developing and updating the PRA, and the process the licensee intends to use to maintain the PRA current and use it to evaluate future risk changes. On the basis of this review, the staff finds that the quality of the PRA analysis, which includes the PRA models and the various application specific bounding studies, is sufficient for the assigning of SSCs (in relation to their importance to the CDF and LERF risk metrics) into broad safety significance categories. In addition, the staff finds that the PRA assumptions and SSC categories are sufficiently well defined. When delivered to the WG and EP along with the system report, as described in the licensee's risk ranking procedure OPGP01 ZA 0304 (Reference 23), these groups of experts can render a risk informed decision concerning the safety significance of the SSCs and the appropriate level of QA controls.

As discussed in Section 3.2.5 of this SER, the staff finds that the importance measures calculated by the licensee, and the guidelines used to develop the PRA based categorization from these measures, are reasonable and consistent. Furthermore, as discussed in Section 3.2.6 of this SER, all SSCs which support HSS system functions are explicitly identified and documented by the WG, and the information is used during the assignment of appropriate QA controls. Consequently, the staff finds that the licensee's proposed approach conforms with the Draft RG DG 1064 (Reference 3) positions that the importance of system functions should be considered when categorizing the safety significance of the individual SSCs, and that it is not always necessary that every SSC supporting an HSS function be categorized HSS.

3.3 Integrated Assessment and Monitoring Process

Final decisions regarding the categorization of SSCs and assignment of appropriate QA controls are made by the EP on the basis of recommendations from the GQA WG and the knowledge and experience of the members of these groups. The EP is composed of senior level management. The WG is composed of senior, multi disciplinary personnel with the necessary technical backgrounds to enable the rendering of logical recommendations. In addition, the EP and the WG are supported by a variety of other organizational entities, as discussed in Sections 3.3.1 and 3.3.2 of this SER.

All of the organizational entities involved with the categorization of SSCs are "standing groups." That is, their existence is defined and responsibilities are described in plant procedures and in the OQAP description (partially). When the licensee implements its GQA program, the different entities will gather, organize, and interpret operational experience. This information will be used by the WG and EP in their periodic reviews of the program to adjust component categorization and/or QA controls, as necessary.

3.3.1 Working Group

The GQA process at STP involves the participation of the GQA WG. This group develops justifiable, risk informed, performance based recommendations for the categorization of SSCs and the identification of appropriate QA elements for final consideration by the EP.

The WG is comprised of representatives from Systems Engineering (chairman), Design Engineering, Quality, Risk and Reliability Analysis, Operating Experience, Licensing, Operations, and Maintenance/Work Control. In addition, the WG membership can be augmented as needed on the basis of the topics under consideration at a given time. A minimum quorum for the WG requires the presence and participation of the chairman and three regular members. In developing their recommendations for the EP, the WG analyzes component and system performance information, considers available risk insights, as well as the risk related effects of processes, work activities, and organizations on SSCs, and factors in deterministic insights.

The WG then develops a GQA Basis Document for each system, which includes the recommendations and all of the supporting information.

For SSCs within the scope of the PRA, the WG accepts or modifies the categorization developed from the importance measures. To ensure that the WG (and eventually the EP) are fully aware of the strengths and limitations of the PRA models and results, safety significance categories developed from the PRA are augmented with supporting descriptive information. All of the information is compiled into a detailed system report that becomes part of the GQA Basis Document. In addition to the identified categories, the detailed report includes the importance measures for individual components, as well as the quantitative guidelines used to assign SSCs to the categories. Specifically, the detailed Basis Document report (Reference 24) includes the following information:

- description of the assumptions used in the PRA related to the system under consideration,
- a description of CCFs included in the model,
- a description of how support systems are included in the model,
- a discussion of system level failure probabilities,
- discussion of potential truncation errors applicable to the system,
- model assumptions related to repair and restoration of failed equipment,
- human errors and error rates for the system,
- limitations in the meaning of the importance measures applicable to the system, and
- results of any sensitivity studies indicating that the categorization of components is sensitive to the parameters studied.

The WG also evaluates SSCs that are not within the PSA scope, including balance of plant items, instrumentation, mode transition, and shutdown operations. In such instances the WG evaluates deterministic attributes associated with the equipment such as seismic, environmental qualification, and electrical separation to arrive at a significance ranking of the items. (Section 3.2.6 of this SER elaborates on the set of 5 questions that guide the deterministic evaluation).

The WG then provides the EP with documented recommendations regarding the following considerations:

  • identification of QA control levels for SSCs (FULL, BASIC, or TARGETED), and

  • basis for categorization recommendations (PSA inputs, performance analysis, deterministic inputs)

The WG determines these recommendations by reaching a consensus. Any dissenting opinions will be forwarded to the EP for resolution.

In August 1996, the staff had the benefit of witnessing the conduct of a WG meeting concerning the evaluation of the radiation monitoring system. On that basis, the staff observed the value of a WG to develop supporting information and recommendations for use by the EP in categorizing SSCs and establishing an appropriate level of QA controls. The staff, therefore, concludes that use of a WG is an acceptable method for formulating the GQA program for STP.

3.3.2 Expert Panel

The EP is responsible for developing the final decisions regarding the categorization of SSCs and the identification of applicable QA elements in accordance with the licensee's risk management procedure, OPGP02 ZA 0003 (Reference 25). This panel is composed of the Managers of Design Engineering, Systems Engineering, Nuclear Licensing, Risk Management and Industry Relations (Chairman), the Administrator of Risk and Reliability Analysis, the Director of Quality, and the General Manager of Generation. A minimum quorum requires the presence and participation of the Chairman, the Administrator of Risk and Reliability Analysis, and two regular members. Records of the EP's decision must be maintained as QA records in the licensee's Record Management System for STP.

The EP uses the same criteria as the WG when reviewing recommendations from the WG.

Upon completing its review, the EP forwards the approved categorization of SSCs and assignment of QA controls to the Plant Change Committee for integration into the licensee's Business Plan for action. The EP also attempts to resolve dissenting opinions from the WG evaluations. Any dissenting opinions that are not resolved by the EP will be sent to the Senior Management Team for resolution.

The role of the EP is to perform the following functions that require senior level expertise:

  • approve the criteria for SSC categorization,

  • review and approve the categorization of SSCs,

  • approve the criteria for assigning QA measures to SSCs,

  • review and approve the assignment of QA measures to SSCs,

  • forward approved SSC categorization and associated QA measures to the Plant Change Committee, and

  • appoint WG members.

In August 1996, the staff had the opportunity to attend an EP meeting concerning decisions regarding the radiation monitoring and the essential cooling water systems. On that basis, the staff observed the value of the EP as a final arbiter for SSC categorization and QA element assignment. The staff, therefore, concludes that use of the EP is an acceptable method for formulating the GQA program for STP.

3.3.3 Operational Feedback

The licensee has committed to provide a "feedback" loop to identify pertinent performance and operating experience from STP and across the industry. The purpose of this feedback is to facilitate assessment of the effectiveness and appropriateness of the in place quality elements and the categorization of SSCs. The Operating Experience Group (OEG) is assigned this responsibility, as described in the licensee's risk management procedure OPGP02.ZA-0003 (Reference 25). It is, furthermore, the responsibility of all STP personnel to identify performance information and forward that information to department managers. The managers, in turn, have the responsibility to provide this information to the OEG for evaluation, as described in the licensee's data collection procedure OPGP02 ZA 0004 (Reference 26). The following types of information (among others) should be collected:

  • all problems reported in the plant's integrated Corrective Action Program database, along with information about the resolution of those problems,

  • independent oversight results,

  • self assessment and system health reports,

  • equipment history (repairs/successes/failures),

  • NRC inspection reports and SALP assessments,

  • corporate and joint utility management audits and reports, and

  • INPO reports.

The OEG reviews, evaluates, and categorizes the performance data into one of five groups, such as "sustained excellence," "good with declining trend," or "poor performance." The OEG also provides a biannual report to the GQA WG to communicate the results from the current and two prior 6-month periods. For equipment assigned to either the BASIC or TARGETED controls, if the OEG performance reports indicate declining or poor performance, the WG shall review the appropriateness of the assigned QA controls. Adjustments to those controls will be made as necessary. The WG evaluations in these situations will be documented and forwarded to the EP for a final determination.

Independent of the biannual WG meetings, the licensee's Risk and Reliability Analysis Department (RRAD) will update the PRA at least once every refueling cycle (and more often if necessary). This update will include model changes as needed, an update of the input failure parameters to reflect the observed equipment performance for the period, a calculation of the new CDF and LERF metrics, and a comparison of the SSCs' new importance measures with the previous values. After completing the update, the results are furnished to the WG, which in turn recategorizes the safety significance of the SSCs as needed.

Additionally, the licensee monitors SSC reliability and unavailability, as mandated by the industry guidance document (NUMARC 93-01) (Reference 21) which is endorsed by the Maintenance Rule RG (Reference 22). This monitoring program is currently in place, and provides for continuous evaluation of equipment failures and maintenance of the plant's Equipment History Database.


After reviewing the licensee's established and planned feedback mechanisms, the staff concludes that these mechanisms should enable the licensee to maintain control over equipment reliability after implementation of GQA. The periodic PRA updates will ensure that the licensee's RRAD staff will identify changing SSC failure parameters and plant changes, which may impact the CDF, LERF, or the safety significance of the SSCs; this information will be provided to the WG and EP for appropriate action. In addition, the OEG's reports and trending studies are intended to identify deteriorating performance before failures occur. This proactive approach provides further confidence that SSCs will perform satisfactorily in service, and the Maintenance Rule program will ensure continuing assessment and control of SSC failures.

The OEG plans to search for indications of deteriorating performance among nominally identical components. Furthermore, the licensee interprets the scope of the Maintenance Rule RG (Reference 22) on monitoring for repetitive maintenance functional failures to include identification and corrective action following similar failures observed among nominally identical SSCs, and not just similar failures in the same equipment. The staff finds that these approaches are an improvement over the current practice in the licensee's ability to detect many potential CCF failure mechanisms before they cause equipment failures, and are acceptable.

3.3.4 Conclusions Regarding the Integrated Assessment and Monitoring Process

As discussed in previous sections of this SER, the staff reviewed the licensee's process of categorizing SSCs based on their safety significance. The staff finds that the licensee's process yields acceptable results because appropriate deterministic and probabilistic insights are discussed and documented by qualified personnel.

In addition, the staff reviewed the licensee's GQA Basis Documents for the essential cooling water, radiation protection monitoring, and diesel generator during several visits to the STP facilities. The organization and content of these documents proved very useful while clarifying a number of the staff's questions regarding methodology, as well as system and component function. On that basis, the staff finds that the documents are comprehensive, well organized, and capable of providing a scrutable record of the functional relationships linking system functions to individual component attributes for proper categorization and assignment of QA controls.

Since the licensee has not yet implemented GQA, the staff has not observed any of the organizational entities or work products associated with operational feedback. Nonetheless, the staff finds that the licensee's commitment to performance-based monitoring and feedback will improve control, relative to current practice, over the reliability of plant equipment.

3.4 Licensee's QA Element Grading and Staff's Evaluation

This section of the SER discusses the licensee's approach to grading certain QA elements from the FULL program for applicability to the BASIC program. The staff's evaluation of each area of grading and overall conclusions are also presented.


3.4.1 QA Element Grading Based on Safety Significance of SSCs

As part of the GQA proposal, the licensee revised the OQAP description of the QA controls to be implemented for SSCs based on their safety significance. The nine areas of grading of QA elements for the BASIC program are discussed in the following sections. In each area, the FULL program requirement, and the licensee's commitment for GQA are identified; this is followed by an evaluation of each area of grading relative to the degree of compliance to the guidance given in RGs, industry standards, and the SRP. The licensee's listing of specific departures of the GQA elements from current commitments is generally given in Table I, Chapter 2.0 of the OQAP description.

3.4.1.1 Documentation of the Use of Design Inputs

a. FULL Program Requirement: Section 3.2, "Requirements," of ANSI N45.2.11-1974 (Reference 27), identifies the relevant design input considerations. In addition, Section 3.1, "General," of the same standard requires the documentation of applicable design inputs.

b. STP Commitment: The licensee will require its personnel to consider design input items 1 through 28 from Section 3.2 of ANSI N45.2.11-1974; however, a documented checklist reflecting consideration of these items shall be prepared only as deemed necessary for the BASIC program.

c. Staff Evaluation: The licensee's commitment to consider technical aspects associated with the applicable design inputs described in items 1 through 28 when performing design activities, and documenting such considerations only when deemed necessary, is acceptable. This alternative is consistent with the provisions contained in Draft RG DG-1064 (Reference 3).

3.4.1.2 Independent Design Verification

a. FULL Program Requirement: Regulatory Position C.2 of RG 1.64 (Reference 28), Revision 2, requires the following:

"Regardless of their title, individuals performing design verification should not (1) have immediate supervisory responsibility for the individual performing the design, (2) have specified a singular design approach, (3) have ruled out certain design considerations, or (4) have established the design inputs for the particular design aspect being verified. While design verification by the designer's immediate supervisor is encouraged, it should not be construed that such verification constitutes the required independent design verification, nor should the independent design verification be construed to dilute or replace the clear responsibility of supervisors for the quality of the work performed under their supervision."

In addition, design reviews shall consider and document the 19 questions listed in Section 6.3.1, "Design Reviews," of ANSI N45.2.11-1974 (Reference 27) which is endorsed by RG 1.64 (Reference 28).

b. STP Commitment: For the BASIC program, the licensee proposed to accomplish design verification in accordance with Section 6.1, "General," of ANSI N45.2.11-1974 (Reference 27), which states, in part, the following:

"This verification may be performed by the originator's supervisor provided the supervisor did not specify a singular design approach, or rule out certain design considerations and did not establish the design inputs used in the design, or if the supervisor is the only individual in the organization competent to perform the verification. Cursory supervisory reviews do not satisfy the intent of this standard."

The licensee has committed to consider the 19 design review questions, but will document the checklist items only as deemed necessary.

c. Staff Evaluation: The licensee's exception to Regulatory Position C.2 of RG 1.64 (Reference 28) is considered acceptable since it is included in NQA-1-1983 (Reference 16) which was endorsed by the NRC in RG 1.28, Rev. 3 (Reference 29). In addition, this alternative is consistent with the provisions of Draft RG DG-1064 (Reference 3).

With regard to documentation of the 19 design review question checklist, the licensee will continue to consider the technical aspects of the 19 questions. The staff considers documenting the checklist only as deemed necessary to be acceptable and consistent with the provisions contained in Draft RG DG-1064 (Reference 3).

3.4.1.3 Inspection of Maintenance and Modification Activities

a. FULL Program Requirement: Section 5.2.7, "Maintenance and Modifications," of ANS-3.2/ANSI N18.7-1976 (Reference 30) as endorsed by RG 1.33 (Reference 31) states, in part, the following:

"A suitable level of confidence in structures, systems, and components on which maintenance and modifications have been performed shall be attained by appropriate inspection and performance testing..."

b. STP Commitment: The licensee proposed to perform inspections of maintenance and modification activities, for the BASIC program, as deemed necessary based on the relative complexity of the work.

c. Staff Evaluation: The staff considers the alternative proposed by the licensee to be acceptable based on the following:

1. Inspections will be performed on relatively complex maintenance and modification activities. For maintenance and modification activities that are not complex, the licensee will continue to perform post installation testing, applicable periodic surveillance testing, receiving inspections, and inservice inspections in accordance with the appropriate BASIC program controls. These testing and inspection activities are expected to produce adequate confidence that the SSCs which are less significant to safety will perform their intended functions.
2. The licensee's OQAP description includes provisions to conduct an independent overview of GQA activities and evaluation of failure trends and the performance of all LSS SSCs including those that have not had inspections performed on associated maintenance and modification activities. Chapter 2.0 of the licensee's proposed GQA program provides for feedback mechanisms that would adjust QA controls on an as needed basis.
3. This alternative is consistent with the provisions contained in Draft RG DG-1064 (Reference 3).

3.4.1.4 Certification of Personnel Performing Inspections

a. FULL Program Requirements: Inspection personnel are qualified and certified in accordance with the provisions of ANSI N45.2.6-1978 (Reference 32), which has been endorsed by the NRC in RG 1.58 (Reference 33). This standard includes specific educational and experience requirements, as well as inspection activity capabilities that candidates must demonstrate in order to attain certifications for Levels I, II, and III.

b. STP Commitment: The licensee proposed to use the following criteria when selecting personnel to inspect maintenance and modification activities for the BASIC program:

"With the exception of receipt inspection, personnel may perform inspections, examinations and tests provided they are experienced, task qualified journeymen, or supervisors, who did not perform or directly supervise the activity being inspected, examined or tested. These individuals shall also receive training to the Quality organization's inspection procedure/process/methods in accordance with a Quality approved training program; and Quality will provide periodic oversight of the inspection activities."

c. Staff Evaluation: The staff considers the licensee's proposed alternative to be acceptable on the following basis:

1. To ensure technical adequacy and adherence to quality program requirements, inspections at STP will be performed by individuals that are knowledgeable in the area being inspected, and have also received inspection training from the Quality organization.
2. To maintain suitable independence and objectivity, personnel performing these inspections will not be the same individuals who performed or supervised the work.
3. The licensee's GQA program will provide periodic independent oversight of these inspections by QA personnel and results of these oversights will be evaluated to identify possible trends. In addition, Chapter 2.0 of the licensee's OQAP description provides for feedback mechanisms that would result in adjustments of QA controls on an as needed basis.
4. This alternative is consistent with the provisions contained in Draft RG DG-1064 (Reference 3).

3.4.1.5 Procurement Control of SSCs

a. FULL Program Requirement: Regulatory Positions C.6.alcid. in RG 1.123 (Reference 34) provide guidance for evaluating suppliers, criteria for certificates of conformance (COC), and acceptance by receiving inspection.

These positions are as follows:

The purchaser shall evaluate the supplier's history of providing a product that performs satisfactorily in actual use.

Where COCs are used for acceptance, the COC shall identify the product purchased, as well as the procurement requirements that were met or not met, and a QA functionary must attest to these statements. In addition, either the purchaser's or supplier's QA program must describe the procedure for issuing the COC, and shall provide a means for verifying the validity of the COC system.

Receiving inspections shall be coordinated with the review of supplier documentation when such documentation is furnished prior to the receiving inspection.

b. STP Commitment: For the BASIC program, the licensee proposed to follow the guidance given in Sections 4.2.a, 10.2 (a through f), and 10.3.2 in ANSI N45.2.13-1976 (Reference 18) rather than the positions presented in RG 1.123 (Reference 34). Specifically, the guidance in this ANSI standard permits the purchaser to meet the above requirements as deemed necessary.

c. Staff Evaluation: The licensee's proposed alternative to the positions presented in RG 1.123 (Reference 34) is considered acceptable because the items are less significant to safety, and because the licensee has proposed a program to monitor and trend failures as a source of feedback information to guide any necessary corrective actions. In addition, this alternative is consistent with the provisions contained in Draft RG DG-1064 (Reference 3).

3.4.1.6 Supplier Evaluation

a. FULL Program Requirement: In RG 1.123 (Reference 34), the NRC endorsed the guidance provided in Sections 7.2.1, 7.3.1, 10.3.1, and 12 of ANSI N45.2.13-1976 (Reference 18). This guidance includes the following:

Section 7.2.1, "Source Verification Planning," requires that source verification activity planning shall "identify the appropriate inspections, tests, prerequisites and inspection sequence, and the documentation required by the procurement document."

Section 7.3.1, "Source Verification Activities," indicates that "when planning requires purchaser source surveillance, it shall be implemented to monitor, witness or observe activities. Similarly, source inspection shall be implemented in accordance with plans to perform inspections, examinations, or tests at predetermined points. Source surveillance and inspection may require the assignment of personnel to a supplier's facilities. When conformance to procurement requirements is verified by audit, such audits shall be conducted in accordance with established methods."

Section 10.3.1, "Acceptance by Source Verification," indicates that "acceptance by source verification should be considered when the item or service is vital to plant safety; or difficult to verify quality characteristics after delivery; or complex in design, manufacture, and test. The source verification activities should include but not be limited to the following as applicable:

a. Documentation has been submitted as required and provides verification of approvals, material, applicable inspections, and tests.
b. Fabrication procedures and processes have been approved and complied with and the applicable qualifications, process records, and certifications are available.
c. Components and assemblies have been inspected, examined, and tested as required and applicable inspection, test and certification records are available.
d. Nonconformances have been dispositioned as required.
e. Components and assemblies are cleaned, preserved, packed and identified in accordance with specified requirements.
f. Upon purchaser acceptance by source verification, documented evidence of acceptance shall be furnished to the receiving destination of the item, to the purchaser, and to the supplier."

Section 12, "Audit of Procurement Program," indicates that "periodic or random audits shall be performed to verify compliance with procurement activities described in this standard. The scope of planned auditing activity may cover individual operations, events, processes, or the complete quality assurance program. When deemed necessary by the purchaser, audits of subtier suppliers shall be carried out to assure that their quality assurance programs on procurement adequately translate the necessary requisites of the governing procurement documents to the items or services involved. The audits shall be conducted in accordance with established methods."

b. STP Commitment: The licensee proposed to implement the ANSI standard provisions (summarized above), for the BASIC program, only when deemed necessary to assure the quality of a procured item or service.

c. Staff Evaluation: The staff considers the licensee proposal to perform the ANSI standard provisions only when deemed necessary as described above to be acceptable because the items procured in this manner are less significant to safety, and because the licensee committed to perform receipt inspections, conduct preoperational testing, and monitor and trend failures for feedback to identify any necessary corrective actions. In addition, these alternatives are consistent with the provisions contained in Draft RG DG-1064 (Reference 3). It is further noted that the licensee's identified alternative to Section 7.3.1 of the standard is considered acceptable since the language in the standard already makes source verification optional, and RG 1.123 (Reference 34) does not make it mandatory.

3.4.1.7 Auditing of Suppliers' Performance

a. FULL Program Requirement: Regulatory Position C.3.b in RG 1.144 (Reference 35) provides guidance regarding the conduct of supplier auditing and the frequency of supplier evaluations. ANSI N45.2.12-1977 (Reference 17) also provides guidelines regarding the conduct of external audits. Similarly, Section 2.4 of ANSI N45.2.2-1972 (Reference 36) which is endorsed by RG 1.38 (Reference 37) also addresses the requirement for external audits. The RG 1.144 guidance for the auditing of suppliers is as follows:

For items that are not simple or standard in design, manufacture, or test; are not amenable to standard or automated inspections or tests during receipt inspection; and whose integrity, function, or cleanness could be adversely affected during receipt inspection, "elements of a supplier's quality assurance program should be audited by the purchaser on a triennial basis with the audit implemented in accordance with Section 4, "Audit Implementation," of ANSI/ASME N45.2.12-1977" (Reference 17).

In addition, RG 1.144 (Reference 35) provides the following guidance on the frequency of supplier evaluation:

"A documented evaluation of the supplier should be performed annually."

b. STP Commitment: The licensee has proposed, for the BASIC program, that suppliers of SSCs should be audited only as deemed necessary. Those audits that are conducted will be as unplanned/unscheduled audits. The licensee also took exception to Regulatory Position C.3.b with regard to the frequency of supplier evaluation. Specifically, the licensee proposed to perform such evaluations on a biennial basis. In addition, the licensee will perform overviews of suppliers based on performance monitoring and trending of feedback from receipt inspection results, post modification tests and inspections, and plant operational results.

c. Staff Evaluation: The staff concludes that the licensee's alternative approach to evaluating suppliers is acceptable because the items to be procured from these suppliers are less significant to safety, and because of the licensee's commitment to review the suppliers' QA programs for acceptability, perform receipt inspections by certified Quality inspectors, conduct preoperational testing, and monitor and trend component failures as a source of feedback information to guide any necessary corrective actions. In addition, this alternative is consistent with the provisions contained in Draft RG DG-1064 (Reference 3).

3.4.1.8 Other Regulatory Guide and Standards Guidelines

In Chapter 2.0, Table I, of the OQAP description, the licensee indicated that it will implement other RG positions and recommendations as stated if not specifically addressed in the table. With regard to the ANSI standards, the licensee will implement requirements (i.e., "shalls") except where the standard provides options or requires a graded approach (notwithstanding the general applicability statements typically found in Section 1.0 of many of the standards), but only in those areas to which the endorsing RG positions and recommendations do not speak.

The staff finds this acceptable because the licensee will continue to apply the FULL program controls in those cases not addressed in the table. In addition, the licensee's graded application of the ANSI standard "shall" statements is in accordance with previously accepted licensee commitments.

3.4.1.9 Corrective Action

The OQAP description includes a program for implementing appropriate corrective actions to address component failures. This program was in place before the onset of GQA and will continue for all safety related and nonsafety related SSCs addressed by both the FULL and BASIC programs. In addition, this corrective action program includes provisions for identifying and tracking conditions adverse to quality for management review to assess their significance.

For those conditions determined to be significant to safety, root cause analysis and corrective action to preclude repetition will be conducted; the entire process will be monitored by management. In addition, the licensee will evaluate and trend conditions adverse to quality.

As part of the BASIC program, the licensee has committed to continue implementing the current corrective action program with the addition of one facet discussed below. In so doing, one of the licensee's purposes is to evaluate operating experiences and the performance history of all components. Such evaluations enable the licensee to determine the need for programmatic modifications, such as a change in QA controls applied to the item, or a change in its safety significance categorization, if a weakness is identified. Criterion XVI of Appendix B to 10 CFR Part 50 requires such a program, but limits the need for root cause analysis of component failures to those that could cause a significant condition adverse to quality. Since the failures of SSCs that are addressed by the BASIC program will not generally rise to that level of significance, the licensee has additionally committed to perform cause determinations of such component failures. Based on trending analyses, the licensee can then identify and take appropriate corrective action. The licensee has indicated this may result in the need for more detailed root cause analyses in the event of repeated failures or failures with generic implications for items addressed by the FULL program. The staff finds that the licensee's application of these corrective action controls conforms to Draft RG DG-1064 (Reference 3).

3.4.2 Medium Safety Significant and TARGETED QA Controls

The QA controls applicable to safety related SSCs determined to be of medium safety significance (namely, the MSS-1 category), and nonsafety related SSCs determined to be of safety significance (namely, the HSS, MSS-1 and MSS-2 categories) will be selected from the FULL and BASIC programs as follows:

  • The critical attributes of safety-related SSCs in the MSS-1 category will be subjected to the QA controls in the FULL program, and the remaining attributes subjected to QA controls in the BASIC program.

  • Safety related SSCs in the MSS-2 category will be subjected to QA controls in the BASIC program unless modified by the WG.

  • The critical attributes of nonsafety related SSCs in the HSS, MSS-1 and MSS-2 categories will be subject to the QA controls in the FULL and BASIC programs in a forward fit manner (i.e., only future operational activities associated with previously procured and installed equipment of this type would be subject to this requirement).

3.4.3 Conclusions Regarding the Licensee's Grading of QA Controls

In light of the findings discussed previously, the staff concludes that the licensee's proposed BASIC program, for grading the applicability of QA elements for activities conducted on safety-related SSCs consistent with their importance to safety, continues to be in conformance with the requirements of Appendix B to 10 CFR Part 50. Further, the licensee's proposed GQA program for safety related SSCs in the LSS, MSS-1 (where FULL controls are also applied to critical attributes) and MSS-2 categories is in general agreement with the provisions contained in the staff's Draft RG DG-1064 (Reference 3). The staff draws these conclusions primarily on the basis of the medium and low safety significance of the SSCs to which the BASIC program applies, and because of the licensee's commitment to perform receipt inspections, conduct preoperational testing, and monitor and trend failures as a direct source of feedback to assist in developing any necessary corrective actions. In addition, licensee management will monitor the adequacy of the program on a semi-annual basis, and programmatic changes in response to failure cause determinations will be implemented as necessary. The OQAP description for STP also provided an adequate identification of the QA elements that the licensee will implement for both the FULL and BASIC programs to satisfy the requirements of 10 CFR 50.34(b)(6)(ii).

3.5 Results of Staff Evaluations

As discussed in Section 2.3 of this SER and described in Draft RG DG-1061 (Reference 2), changes arising from risk-informed applications are expected to meet a set of five key principles. During a number of internal meetings, the staff discussed how the licensee's proposal addressed each of the five principles with NRC management. Issues raised during these meetings were communicated back to the licensee and resulted in changes to the submittal. All issues were resolved as documented in the SER. Because this was the first GQA application, increased management attention was applied to the pilot submittal even though the staff does not expect the GQA process for STP to result in a risk increase corresponding to the region of the acceptance guidelines in Draft RG DG-1061 (Reference 2) that calls for "increased management attention". Each principle is discussed below.

3.5.1 The Proposed Change Meets the Current Regulations

Criterion 1 in Appendix A to 10 CFR Part 50 permits GQA, as indicated by the following excerpt:

"Structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed."

Criterion II in Appendix B to 10 CFR Part 50 permits GQA, as indicated by the following excerpt:

"The quality assurance program shall provide control over activities affecting the quality of the identified structures, systems, and components, to an extent consistent with their importance to safety."

Therefore, an exemption or rule change is not required to implement GQA. The staff finds that the licensee's proposed GQA program initiative is consistent with the current regulations.

3.5.2 Defense-in-Depth is Preserved

The level of defense-in-depth at STP is a result of deterministic factors such as the plant's design basis, safety limits, and operating margins. No change will be made to any design characteristics of any SSC under the GQA program. The changes to the QA program will only adapt the control over activities affecting the quality of the categorized SSCs to an extent consistent with their importance to safety.

Defense-in-depth consists of a number of elements that can be used as guidelines for making the assessment that the philosophy of defense-in-depth is maintained. The staff finds that the licensee's process preserves defense against each element as discussed below.

  • A reasonable balance is preserved among prevention of core damage, prevention of containment failure, and consequence mitigation

Implementation of GQA does not of itself alter the plant's response to transients or other initiators and will not alter the preventive or mitigative capability of station equipment.

Characterizing the safety significance of SSCs on the basis of PRA insights reflects the balance between preventing core damage and consequence mitigation by directly addressing concerns regarding both CDF and LERF. Additionally, all SSCs in the system, whether modeled in the PRA or not, are deterministically evaluated by the WG and EP. These deterministic evaluations consider each SSC's ability to cause initiating events, its potential use in mitigating design basis accidents (DBAs), and its use in supporting EOPs.

The licensee's GQA program should improve this balance by incorporating nonsafety-related SSCs in the TARGETED QA program. This can prove particularly useful in preventing or mitigating transients outside of the traditional DBAs, since the enhanced application of QA controls should result in a higher degree of confidence in the capability of these SSCs to perform their design function(s).

  • Over-reliance on programmatic activities to compensate for weaknesses in plant design is avoided

The licensee's GQA program will not reduce design margins or defense-in-depth based on compensating programmatic activities. For example, the licensee will not develop new operator actions to compensate for any perceived design weaknesses.


  • System redundancy, independence, and diversity are preserved commensurate with the expected frequency and consequences of challenges to the systems

The licensee determines the safety significance of SSCs from the expected frequency and consequences of challenges to the systems, including nonsafety-related SSCs that have been determined to provide a useful function for preventing or mitigating reactor accidents. SSCs modeled in the PRA receive explicit frequency and consequence characterizations. SSCs not modeled in the PRA are characterized with a set of deterministic questions addressing the frequency and consequences of challenges.

Therefore, the licensee's implementation of GQA should not degrade, and may improve, the balance between each system's redundancy, independence, and diversity and the expected frequency and consequences of challenges to the system.

  • Independence of barriers is not degraded

The licensee's implementation of GQA will neither remove nor alter existing physical barriers. Moreover, the current levels of system redundancy and diversity in the plant's design will not be changed as a result of the implementation of GQA. Less rigorous QA controls, which might reduce independence because of an increased possibility of CCFs, will only be applied with due consideration of the safety significance of such a reduction. In addition, the licensee proposed a monitoring and corrective action program capable of identifying unacceptable reductions.

  • Defenses against human errors are preserved

Less rigorous QA controls, which might lead to increased maintenance errors, will only be applied with due consideration of the safety significance of such a reduction.

Furthermore, no new post-transient operational errors will be introduced, since no changes to SSC design or abnormal operating procedures (AOPs) or EOPs are associated with GQA.

3.5.3 Sufficient Safety Margins are Maintained

As proposed, the licensee's implementation of GQA does not involve changing any acceptance criteria in the current licensing basis. Codes and standards relative to equipment qualification are also not changed; however, the program will entail the use of certain alternatives to codes and standards that implement Appendix B to 10 CFR Part 50, with regard to the application of QA controls. This SER documents the staff's evaluation of these alternatives and the staff's conclusion that GQA will maintain sufficient safety margins.

3.5.4 Proposed Increases in Risk, and Their Cumulative Effect, Are Small and Do Not Cause the NRC Safety Goals to be Exceeded

The licensee's proposed GQA approach does not provide a quantitative estimate of the change in risk resulting from the change in QA controls over SSCs because no data or models are available to quantify the impact on SSC reliability. However, the staff noted the following observations with regard to the risk associated with the licensee's GQA initiative.

The categorization process is sufficiently robust to provide reasonable confidence that safety-related SSCs which are significant to plant safety will receive FULL QA controls.

The continued application of BASIC controls to MSS-2 and LSS safety-related SSCs ensures that the quality of all safety-related SSCs continues to receive appropriate attention (as a measure of defense-in-depth).

The increased QA controls on HSS and MSS nonsafety-related SSCs will improve the confidence that these SSCs will perform satisfactorily.

The licensee's (excluding only shutdown risk) estimated CDF of slightly less than 1.0E-5/yr and estimated LERF of slightly more than 1.0E-7/yr compare favorably with the 1.0E-4/yr CDF and 1.0E-5/yr LERF guidelines in Draft RG DG-1061 (Reference 2).

The licensee implementation of GQA includes a variety of periodic and comprehensive monitoring, evaluation, and feedback mechanisms to permit trending of component performance. These mechanisms provide confidence that SSC degradation and failures throughout the plant will be evaluated in an integrated manner, and that actions will be taken on the insights from the evaluations as appropriate.

The staff expects that the increased performance monitoring coupled with the increased QA controls on HSS and MSS nonsafety-related SSCs should compensate for any potential risk increase due to applying the BASIC program to safety-related SSCs of less safety significance.

Although it could result in a decrease in reliability of some LSS and MSS-2 SSCs, based on increased QA controls on HSS and MSS nonsafety-related SSCs and appropriate monitoring of equipment performance, the staff expects that the GQA process would likely result in an overall decrease in risk and is thus consistent with principle 4.

3.5.5 Performance-Based Implementation and Monitoring Strategies Address Uncertainties and Provide Timely Feedback and Corrective Action

As discussed in Section 3.3 of this SER, the staff finds that the proposed feedback mechanisms provide confidence that the licensee will be able to maintain control over equipment reliability after implementing the GQA program. These mechanisms also explicitly provide for monitoring possible increases in CCF after implementation of GQA.

Specifically, short-term monitoring of failed equipment will include weekly estimates of risk profiles; additional information is also provided by the SSC failure evaluation process used to implement the Maintenance Rule. Long-term monitoring will include both the periodic PRA updates and the OEG's trending studies, which are intended to detect increases in the number of deteriorating conditions, even when such conditions are repaired before outright failures occur.


4.0 CONCLUSIONS AND RECOMMENDATIONS

The staff concludes that the licensee has proposed an acceptable methodology for the GQA initiative in the OQAP description for STP which is further amplified upon in the associated implementation procedures and other docketed information. The licensee has developed procedures for the categorization of SSCs, and committed to control changes to these procedures in accordance with the requirements of 10 CFR 50.59. The staff further concludes that the proposed methodology is generally consistent with the applicable regulatory review criteria in: Draft RGs DG-1061 (Reference 2) and DG-1064 (Reference 3); SRP Chapters 17.1 and 17.2 (Reference 6); and draft SRP Chapter 19 (Reference 5). The staff has evaluated the differences between the licensee's approach and the pertinent regulatory guidance and found that these differences are technically acceptable. On the basis of this safety evaluation, the staff reached the following additional conclusions:

  • The licensee has developed an acceptable methodology to determine the relative safety significance of plant SSCs.

  • The licensee has defined appropriate QA controls for applicability to the categories of plant SSCs.

  • The licensee has adequate feedback mechanisms in place to adjust the GQA provisions if operational performance should dictate the need.

  • All pertinent regulatory requirements continue to be satisfied.

The staff has concluded that the licensee's proposed Revision 13 of the OQAP description for GQA at STP (comprised of change QA-028, dated 5/22/97, change QA-032, dated 6/10/97, and change QA-033, dated 7/16/97) continues to meet the requirements of Appendix B to 10 CFR Part 50. The staff's conclusions are based on the review and evaluation of documented information provided by the licensee beginning with the initial GQA submittal of the proposed OQAP description dated March 28, 1996 (Change QA-028), and the final submittal of information dated August 4, 1997. All information submittals are listed in Section 6.0 of this SER and include OQAP description changes QA-028, QA-032, and QA-033 (Revision 13), responses to the staff's RAIs, procedures addressing the PRA process for categorizing SSCs, and revisions to Chapter 13.0 of the FSAR. To provide continued assurance of the effectiveness of the licensee's OQAP, the staff intends to monitor the licensee's implementation of the GQA program for STP.


5.0 REFERENCES

1. Draft Evaluation Guide, Revision 5, "Development of Graded Quality Assurance Programs," January 1996.

2. Draft RG DG-1061, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Current Licensing Basis," March 28, 1997.

3. Draft RG DG-1064, "An Approach for Plant-Specific, Risk-Informed Decision Making: Graded Quality Assurance," March 24, 1997.

4. NRC SRM, SECY 97-077, "Draft Regulatory Guides, Standard Review Plans and NUREG Document in Support of Risk-Informed Regulation for Power Reactors," June 5, 1997.

5. Draft SRP, Chapter 19, NUREG-0800, "Use of Probabilistic Risk Assessment in Plant-Specific, Risk-Informed Decisionmaking: General Guidance," March 27, 1997.

6. SRP, Chapters 17.1 and 17.2, NUREG-0800, "Quality Assurance During the Design and Construction Phases" and "Quality Assurance During the Operations Phase," July 1981.

7. Draft licensee document, "Radiation Monitoring System Graded Quality Assurance Basis Document," included as attachment to NRC Meeting Summary issued 11/7/96.

8. "Safety Evaluation by the Office of Nuclear Reactor Regulation Related to the Probabilistic Safety Analysis Evaluation," sent to the Houston Lighting & Power Company under cover letter dated January 21, 1992.

9. "Safety Evaluation by the Office of Nuclear Reactor Regulation Related to the Probabilistic Safety Assessment - External Events," sent to the Houston Lighting & Power Company under cover letter dated August 31, 1993.

10. "Staff Evaluation of South Texas Project Individual Plant Examination (Internal Events Only)," sent to the Houston Lighting & Power Company under cover letter dated August 9, 1995.

11. Generic Letter 88-20, "Individual Plant Examination for Severe Accident Vulnerabilities - 10 CFR §50.54(f)," November 23, 1988.

12. STP, Units 1 and 2, Amendment Nos. 59 and 47 to Facility Operating License Nos. NPF-76 and NPF-80, February 17, 1994.

13. STP, Units 1 and 2, Amendment Nos. 85 and 72 to Facility Operating License Nos. NPF-76 and NPF-80, October 31, 1996.

14. OPGP01-ZA-0304, Rev. 1, STP procedure "Probabilistic Safety Assessment Risk Ranking," Addendum 2, May 20, 1997.

15. HL&P audit report of PLG, Audit No. 95-073(VA), conducted on September 11-14, 1995.

16. ANSI/ASME NQA-1-1983 Edition, "Quality Assurance Program Requirements for Nuclear Facilities"

17. ANSI/ASME N45.2.12-1977, "Requirements for Auditing of Quality Assurance Programs for Nuclear Power Plants"

18. ANSI N45.2.13-1976, "Quality Assurance Requirements for Control of Procurement of Items and Services for Nuclear Power Plants"

19. HL&P Nuclear Safety Evaluation Report, NSE 96-02, July 3, 1996.

20. OPGP03-ZE-0002, Rev. 3, "Station Procedure - Safety Related Calculations"

21. NUMARC 93-01, Rev. 2 (4/96), "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants"

22. RG 1.160, Rev. 2 (3/97), "Monitoring the Effectiveness of Maintenance at Nuclear Power Plants"

23. OPGP01-ZA-0304, Rev. 1, "Probabilistic Safety Assessment Risk Ranking, Addendum 2, Graded Quality Assurance"

24. "Radiation Monitoring System Graded Quality Assurance Basis Document," draft report, August 21, 1996.

25. OPGP02-ZA-0003, Rev. 2, "Comprehensive Risk Management Procedure"

26. OPGP02-ZA-0004, Rev. 0, draft, "Station Performance Data Collection, Categorization, and Reporting Procedure"

27. ANSI N45.2.11-1974, "Quality Assurance Requirements for the Design of Nuclear Power Plants"

28. RG 1.64, Rev 2 (6/76), "Quality Assurance Requirements for the Design of Nuclear Power Plants"

29. RG 1.28, Rev 0 (6/72), "Quality Assurance Program Requirements (Design and Construction)"

30. ANS-3.2/ANSI N18.7-1976, "Administrative Controls and Quality Assurance for the Operational Phase of Nuclear Power Plants"

31. RG 1.33, Rev 2 (2/78), "Quality Assurance Program Requirements (Operation)"

32. ANSI/ASME N45.2.6-1978, "Qualifications of Inspection, Examination, and Testing Personnel for Nuclear Power Plants"

33. RG 1.58, Rev 1 (9/80), "Qualification of Nuclear Power Plant Inspection, Examination, and Testing Personnel"

34. RG 1.123, Rev 1 (7/77), "Quality Assurance Requirements for Control of Procurement of Items and Services for Nuclear Power Plants"

35. RG 1.144-1980, Rev 1, "Auditing of Quality Assurance Programs for Nuclear Power Plants"

36. ANSI N45.2.2-1972, "Packaging, Shipping, Receiving, Storage and Handling of Items for Nuclear Power Plants"

37. RG 1.38, Rev 2 (5/77), "Quality Assurance Requirements for Packaging, Shipping, Receiving, Storage, and Handling of Items for Water Cooled Nuclear Power Plants"

6.0 CHRONOLOGY OF EVENTS

Significant correspondence and other major events related to the licensee's submittal and the staff's review of the revised OQAP in support of GQA for STP are listed below:

4/19/95    HL&P/NRC initial meeting to discuss GQA overview
           Mtg. summary dated 4/20/95

5/8/95     HL&P/NRC meeting to discuss GQA concepts
           Mtg. summary issued 6/9/95

7/17/95    HL&P/NRC meeting on planned GQA submittals
           Mtg. summary issued 7/27/95

10/3/95    HL&P/NRC meeting on draft GQA procedures
           Mtg. summary issued 11/7/95

12/7/95    HL&P/NRC meeting on updated draft procedures
           Mtg. summary issued on 2/2/96

1/24/96    NRC ltr. to HL&P, GQA initiative

3/28/96    HL&P ltr. submitted OQAP, change QA-028 and the following documents:

  • draft implementation procedure "Comprehensive Risk Management" (OPG02 ZA-0003),

  • draft implementation procedure "Probabilistic Safety Assessment Risk Ranking" (OPG01 ZA-0304),

  • draft implementation procedure "Probabilistic Safety Assessment Program" (OPG04 ZA-0604),

  • draft implementation procedure "Configuration Control of the Probabilistic Safety Assessment" (OPE 01-ZA-0303),

  • draft implementation procedure "Station Performance Data Collection, Categorization, and Reporting" (OPGP02 ZA-0004), and

  • a draft Charter for the Graded QA Expert Panel.

4/11/96    NRC/industry mtg. on NRC evaluation guide
           Mtg. summary issued 5/1/96

4/16/96    NRC ltr., supplemental information on GQA initiative (CBLA)

4/17/96    HL&P ltr. comments on NRC GQA evaluation guide

4/25/96    Meeting on Schedular Aspects
           Mtg. summary issued on 5/8/96

5/1/96     NRC ltr. to HL&P on review schedule

6/19/96    HL&P/NRC meeting on draft RAIs for GQA
           Mtg. summary issued 7/24/96

7/31/96    NRC ltr. to HL&P transmitting Palo Verde trip report

8/16/96    NRC letter to HL&P transmitting RAIs

8/21/96    HL&P/NRC mtg. at STP site to observe GQA aspects
           Mtg. summary issued 11/7/96

10/15/96   HL&P/NRC management meeting on PRA efforts
           Mtg. summary issued 10/28/96

10/30/96   HL&P ltr. responding to PRA RAI questions

1/21/97    HL&P submittal of revised OQAP

3/31/97    HL&P/NRC meeting on GQA topics
           Mtg. summary issued 4/9/97

4/14/97    NRC ltr. transmitting 2nd set of RAIs

4/21/97    HL&P/NRC mtg. on the RAI and GQA content
           Mtg. summary issued 5/8/97

5/6-8/97   HL&P/NRC mtg. at STP site on GQA and PRA aspects
           Mtg. summary issued 7/10/97

5/8/97     HL&P ltr. on preliminary 2nd RAI response

5/21/97    HL&P ltr. submitted draft OQAP revision responding to 2nd RAI

5/22/97    HL&P ltr. submitted finalized OQAP revision

5/22/97    HL&P ltr., comments on 4/14/97 RAI

5/22/97    HL&P ltr. submitted updated GQA procedures

5/29/97    HL&P/NRC telecon on draft OQAP content

6/10/97    HL&P ltr. submitted OQAP change QA-032, Revision 13

6/13/97    NRC ltr. transmitting 3rd RAI

6/26/97    HL&P ltr. submitted response to 3rd RAI

7/16/97    HL&P ltr. submitted OQAP change QA-033, Revision 13

7/31/97    HL&P ltr. transmitting additional information regarding GQA procedure use and change control

8/4/97     HL&P ltr. submitted response to final RAI


7.0 LIST OF ACRONYMS

AOP      Abnormal Operating Procedure
ANSI     American National Standards Institute
ASME     American Society of Mechanical Engineers
CCF      Common Cause Failure
CDF      Core Damage Frequency
CFR      Code of Federal Regulations
COC      Certificate of Conformance
DBA      Design Basis Accident
DRG      Draft Regulatory Guide
ECCS     Emergency Core Cooling System
EOP      Emergency Operating Procedure
EP       Expert Panel
FV       Fussell-Vesely
GQA      Graded Quality Assurance
HL&P     Houston Lighting & Power Company
HSS      High Safety Significant
INPO     Institute of Nuclear Power Operations
LERF     Large Early Release Frequency
LSS      Low Safety Significant
MOV      Motor Operated Valve
MSS-1    Medium Safety Significant (high)
MSS-2    Medium Safety Significant (low)
NUMARC   Nuclear Management and Resources Council
NRC      Nuclear Regulatory Commission
NRR      Nuclear Reactor Regulation
NRS      Non-Risk-Significant
NSED     Nuclear Safety Evaluation Department
NQA      Nuclear Quality Assurance
OEG      Operational Experience Group
OQAP     Operational Quality Assurance Program
PO       Purchase Order
PRA      Probabilistic Risk Assessment
PSA      Probabilistic Safety Assessment
QA       Quality Assurance
RAI      Request for Additional Information
RAW      Risk Achievement Worth
RG       Regulatory Guide
RRAD     Risk and Reliability Analysis Department
SALP     Safety Assessment of Licensee Performance
SER      Safety Evaluation Report
SGTR     Steam Generator Tube Rupture
SQA      Software Quality Assurance
SRM      Staff Requirements Memorandum
SSC      Structures, Systems and Components
SRP      Standard Review Plan
STP      South Texas Project
UFSAR    Updated Final Safety Analysis Report
V&V      Verification and Validation
WG       Working Group
