ML20237C406
| ML20237C406 | |
| Person / Time | |
|---|---|
| Site: | Comanche Peak  |
| Issue date: | 08/14/1998 |
| From: | NRC (Affiliation Not Assigned) |
| To: | |
| Shared Package | |
| ML20237C399 | List: |
| References | |
| FACA, NUDOCS 9808210138 | |
| Download: ML20237C406 (105) | |
Text
. - _ - _ _ - _ _ _ _ _ _ _ _ _ _ - _ _ _ _ _ _ _ _ _ - - - _ _ _ _ _ _ _ - _ _ - _ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ - _ _ _ - _ _ _ _ _ _ _ _ _ _ _ _ - - _ _ - _ _ _ _ _ _ - _ _ _ _ _ - _ _ _
! SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO THE TU ELECTRIC REQUEST TO IMPLEMENT A RISK-INFORMED INSERVICE TESTING PROGRAM AT COMANCHE PEAK STEAM ELECTRIC STATION (CPSES), UNITS 1 AND 2 DOCKET NUMBERS 50-445 AND 50-446 i
i l
9808210138 980814 PDR ADOCK 05000445 PDR P
l TABLE OF CONTENTS Eage 1.0 I NTRO DU CTIO N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 2.0 BACKGRO U N D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
'3.0' GENERAL DESCRIPTION OF TU ELECTRIC'S PROPOSED RI-IST PROGRAM . . . 2 4.0 REVIEW OF THE LICENSEE'S ENGINEERING EVALUATION . . . . . . . . . . . . . . . . . 8 4.1 Evaluation of Proposed Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 4.2 IST Program Scope . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1 4.3 Relief Requests and Technical Specification Amendments . . . . . . . . . . . . . . . . 12 4,4 Scope Level of Detail, and Quality of the PRA for lST Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 4.4.1 Scope of the PRA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 l 4.4.2 Level of Detall of the PRA . . . 4 .............................. 15 4.4.3 ' Quality of the PRA .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 '
4.5 Categorization of Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 4.6 Evaluating the Effect of Proposed Changes ]
on Overall Plant Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 4.6.1. Modeling of the Effects of IST on PRA Basic Events . . . . . . . . . . . . . . 28 4.6.2 Evaluation of Change in Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 4.7 ' Integrated Decisionmaking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 4.7.1 . Integrated Decisionmaking Process . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 4.7.2 Defense-in-Depth Philosophy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 4.7.3 Safety Margin Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . 39 5.0 REVIEW OF IMPLEMENTATION, PERFORMANCE MONITORING, AND CORRECTIVE ACTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 5.1 Changes to Component Test Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 5.2 Program implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 9 5.3 Performance Monitoring of IST Components . . . . . . . . . . . . . . . . . . . . . . . . . . 52 5.4 Feedback and Corrective Action Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 l- 5.5 ' Periodic Reassessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
' 5.6 RI-IST Program Changes After initial Approval . . . . . .. . . . . . . . . . . . . . . . . . . . 59 i - 6.0 OVERALL CONCLU SIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 l 7.0 RE FE RE NCE S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 l
t l APPENDIX A: REVIEW OF THE COMANCHE PEAK PRA USED IN SUPPORT OF THE ,
j RISK-INFORMED INSERVICE TESTING SUBMITTAL . . . . . . . . . . . . . . . A-1 u
~ APPENDIX B: EVALUATION OF RELIEF REQUEST V-8 (REVISION 2) ON MOTOR-OPERATED VALVE INSERVICE TESTING , . . . . . . . . . . . . . . . . . . . . . . . B-1
.l.
i i
pm20 9
[ k UNITED STATES s
j NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 2066H001
....+
[ l SAFETY EVALUATION BY THE OFFICE OF NUCl EAR REACTOR REGULATION l
ret ATED TO THE TU ELECTRIC REQUEST TO IMPLEMENT A RISK-INFORMED INSERVICE TESTING PROGRAM AT j COMANCHE PEAK STEAM ELECTRIC STATION (CPSES1, UNITS 1 AND 2 DOCKET NUMBERS 50-445 AND 50-446
1.0 INTRODUCTION
Title 10, Section 50.55a, of the Code of Federal Regulations (10 CFR 50.55a), requires that licensees perform inservice testing (IST) of certain punps and valves designated as Code Class 1,2, or 3 under the Boiler and Pressure Vessel Code promulgated by the American Society of Mechanical Engineers (ASME). Furthermore,10 CFR 50.55a requires that licensees perform '
this testing in accordance with Section XI of the ASME Code and applicable addenda, except l where the U.G. Nuclear Regulatory Commission (NRC) has granted relief requested by the l licensee, o; where the NRC has authorized the use of proposed alternatives pursuant to 10 CFR 50.55a(f)(6)(i), (a)(3)(i), or (a)(3)(li). In order to obtain such relief or authorization, .,
licens9e must demonstrate that (1) conformance is impractical for the given facility, (2) the i proposed attemative provides an acceptable level of quality and safety, or (3) compliance would l result in a hardship or unusual difficulty without a compensating increase in the level of quality and safety. Furthermore,10 CFR 50.55a(f)(4)(iv) provides that inservice tests of pumps and valves may meet the requirements set forth in subsequent editions and addenda that are ;
incorporated by reference in 10 CFR 50 55a(b), subject to the limitations and modifications listed, and subject to Commission approval.
In preparing this safety evaluation of the licensee's proposed risk-informed inservice testing (RI-lST) program, the staff used the acceptance guidelines contained in the risk-informed regulatory guides (i.e., RG 1.174 and RG 1.175) and the review procedures contained in the risk-informed standard review plans (i.e., SRP Chapter 19 and Section 3.9.7) as contained in SECY-98-015 and SECY-98-067, respectively.
10 CFR 50.55a authorizes the Commission to grant relief from ASME Code requirements or to approve proposed alternatives upon making the necessary findings. This safety evaluation (SE) presents the findings of the staff with respect to authorizing the licensee's proposed attemative RI-IST program. A description of the staff's findings associated with the review of the CPSES PRA is presented in Appendix A of this SE. The staff's safety evaluation of TU Electric's IST Relief Request V-8 is included as Appendix B, whereby motor-operated valves at CPSES would i
be tested in accordance with ASME Code Case OMN-1,"Altemate Rules for Preservice and inservice Testing of Certain Electric Motor-Operated Valve Assemblies in Light-Water Reactor Power Plants, OM Code-1995 Edition, Subsection ISTC "in lieu of ASME O&M Code Part 10 paragraph 4.2.1.
U_________-______
! 2
2.0 BACKGROUND
a The Inservice Testing Plan for Pumps and Valves at CPSES Units 1 and 2 utilizes the 1989 Edition of ASME Section XI (i.e., OM-1 for relief valves, OM-6 for pumps and OM-10 for valves) which is required by rulemaking effective September 8,1992 (reference 57 Federal Register 152,34666, August 6,1992). CPSES Unit 1 began commercial operation on August 13,1990.
CPSES Unit 2 began commercial operation on August 3,1993. The 120-month interval for CPSES Unit 1 was extended approximately 36 months so that the current IST Plan will remain in i effect for both units until August 2,2003. !
The ASME Code of record for CPSES is the 1989 Edition of ASME Code,Section XI, No Addenda. The Code specifies the following test frequencies:
Test Type Test Frequency Code (nominal) Reference :
Pump Test 3 months OM Part 6 l Valve Position Indication 2 years OM Part 10 I Verification Valve Exercising Test 3 months OM Part 10 l Valve Fail-Safe Test 3 months OM Part 10 Valve Leak Rate Test 2 years OM Part 10 (Non-Containment Isolation Valves)
Frequency per 10 CFR Part 50 Appendix J App. J (Containment isolation Valves)
Check Valve Exercise Test 3 months OM Part 10 Safety / Relief Valve Set Point Test 5 years OM Part 1 (class 1, class 2, MSSV) 10 years (class 2,3) OM Part 1 3.0 GENERAL DESCRIPTION OF TU ELECTRIC'S PROPOSED RI-IST PROGRAM The following sections provide a general description of TU Electric's proposed RI-IST program, ,
TU Electric's basis for proposing this attemative, as well as a general description of the staffs i evaluation of TU Electric's proposed RI-IST program.
3.1 Licensr'sPcxmad Anoroach CPSES Technical Specification (TS) 4.0.5.a requires that inservice testing of ASME Code Class 1,2, and 3 pumps and valves shall be performed in accordance with Section XI of the ASME Boiler and Pressure Vessel Code (ASME Code) and applicable Addenda as required by 10 CFR 50.55a(f).
I 3
in a letter dated May 21,1998 (TXX-98134), TU Electric requested NRC approval to implement a Risk. Informed Inservice Testing (RI IST) Program as an attemative to the requirements of 10 1 CFR 50.55a(f). This regulation requires that inservice testing of pumps and valves, whose )
function is required for safety, must meet the requirements of Section XI of the ASME Code. TU Electric initially requested approval to utilize a risk-informed inservice testing program to determine inservice test frequencies for valves and pumps that are identified as low safety significant, in lieu of testing those components at the frequencies specified in the ASME Code (TXX-95260). As the staff's review of TU Electric's initial RI-IST proposal progressed, TU Electric's RI-IST Program Description was expanded to include altemative test methods (as we!!
as test frequencies) and performance-based concepts. TU Electric stated that use of the RI-IST Program Description, as contained in Relief Request A-1 (TXX-98134) is intended to provide an acceptable level of quality and safety.
In addition to components (e.g., pumps or valves) in the current code-prescribed program, TU Electric's proposed RI-IST program includes pumps and valves categorized as High Safety Significant Components (HSSCs) that were identified as such as part of the PRA. Components in TU Electric's proposed Rl-IST program include motor-operated valves (MOVs), relief valves, check valves (CVs), air-operated valves (AOVs), and pumps. Rl IST of dynamic restraints (snubbers) was not included as a part of this program.
In lieu of performing inservice tests on pumps and va!ves whose function is required for safety at frequencies specified in the ASME Code, as required by 10 CFR 50.55a(f)(4)(i) for the initial 120-month interval, this alternative would allow the inservice test strategies of those pumps and valves to be determined in accordance with an NRC-approved RI-IST Program Description at CPSES, as follows:
(1) The safety significance of pumps and valves whose function is required for safety will be assessed in accordance with the NRC-approved RI-IST Program Description. These components will be classified as either HSSCs or Low Safety Significant Components (LSSCs). Inservice testing of HSSCs will(nominally) be conducted at the Code-specified frequency using approved Code methods. The inservice testing of those components classified as LSSC will be performed at extended test frequencies determined in accordance with the RI-IST Program Description. Unless otherwise specified in the RI-IST Program Description, inservice test methods for all pumps and valves whose function is important to safety will continue to be performed in accordance with the ASME Code.
(2) The safety significance assessment of pumps and valves will be updated, as specified in the RI-IST Program Description.
This alternative will also apply to successive 120-month intervals as discussed in 10 CFR 50.55a(f)(4)(ii).
3.2 Basis for Altemative As stated by TU Electric in Relief Request A-1 (TXX-98134), the basis for the proposed alternative is as follows:
1 L____-___-______
4
- The current Code is based on a deterministic approach which considers a set of '
! challenges to safety and determines how those challenges should be mitigated. The deterministic approach contains elements of probability, such as the selection of accidents to be analyzed as design basis accidents (e.g., the reactor vessel rupture is
. considered too improbable to be included) and the requirements for emergency core cooling (e.g., safety train redundancy).
The Risk-Informed IST Program that would be implemented with this attemative incorporates a probabilistic approach to regulation which enhances and extends this i traditional, deterministic approach, by:
(1) allowing consideration of a broader set of potential challenges to safety, l (2) providing a logical means for prioritizing these challenges based oa risk l significance, and I
(3) allowing consideration of a broader set of resources to defend againct these challenges.
First, the Probabilistic Risk Analysis (PRA) model has identified a broader set of challenges to safety. The Risk-Informed Inservice Testing Program has identified High ,
Safety Significant Components (HSSCs) which were not in the ASME Section XI IST I Program. Even though the components are outside the ASME Code class boundary, they will be tested commensurate with their safety significance. Where the ASME Section XI testing is practical, HSSCs not in the current ASME Section XI IST Program Plan will be tested in accordance with OM-1 for safety relief valves, OM-10 for active l valves and OM-6 for pumps. _Where the ASME Section XI testing is not practical, alternative methods will be developed to ensure operational readiness.
Except as specified in TU Electric's proposed RI-IST Program Description, components ,
in the current ASME Section XI IST Program which are determined to be HSSCs will continue to be tested in accordance with the current Program, which meets the requirements of Section XI of the ASME Boiler and Pressure Vessel Code (except where +
specific written relief has been granted). Similarly, components in the current ASME Section XI IST Program which are determined to be LSSC will also be tested in accordance with the ASME Section XI IST Program, except that the test frequency will initially be extended to a maximum of once every 6 years. The extended test frequency will be staggered over 6 years as described in Attachment 1 [see Section 5.2.1 below).
l Second, the Risk-Informed inservice Testing Program prioritizes these challenges based on the results of the CPSES PRA. The risk rankings are then complemented with
! rankings based on consideration of other accident initiators (e.g. fires, tomados, and earthquakes) and plant operating modes. These rankings considered importance with respect to core damage prevention, and prevention of large ectly releases of radiation to i
the public. Attachment 1 (pages 5 through 20) of Enclosure 1 to TXX-98134 describes the program methodology. Enclosure 3 to reference 3 [TU Electric letter TXX-96371 dated June 3,1996) provides the current list of LSSCs from the initial implementation of that methodology.
l L
L ___________-___
5 Third, an integrated Decisionmaking Process (lDP) allows a broader set of resources to be considered to defend against challenges to safety. The IDP is composed of experienced individuals with expertise in the areas of ASME Code, plant operations, maintenance engineering, system engineering, design engineering, and probabilistic risk assessment. The IDP is responsible to ensure the risk ranking input information is consistent with plant design, operating procedures, and with plant-specific operating experience. At the end of the IDP review process every component in the CPSES ASME Section XI IST Program is reviewed. The risk-informed process will assure that a defense-in-depth philosophy is maintained [see Section 4.7.2 below).
As a living process, components will be reassessed periodically to reflect changes in plant configuration, component performance, test results, industry experience, and other factors. When the list of components is affected, changes will be provided to the NRC in regular Program updates.
There could be safety enhancements obtained by focussing resources on HSSCs and reducing the testing frequency on LSSCs. Extensive testing on LSSCs could have an adverse effect on safety. Reduction of testing should reduce component wear-out, operator burden, system unavailability, cost of testing, and radiation exposure. Reduced testing could also achieve a more optimum balance between the positive impacts of testing and the negative effects of disturbing equipment from service and entering a less than optimum plant configuration, such as valve misalignments.
TU Electric stated that the proposed RI-IST program will provide a safety benefit for the plant (Attachment 2 to TXX-97189, page 94 of 148). That is, despite the fact that an evaluation of change in risk associated with this proposed RI-IST program indicates small increases in core damage frequency (CDF) and large early release frequency (LERF), TU Electric believes a reduction in risk and improvement in safety will result from this proposed program. TU Electric identified the following safety benefits of the proposed RI-IST program:
. added testing for HSSC components not within the scope of the current IST program e reliability improvements for HSSCs in the IST program:
component performance improvements resulting from enhanced testing of selected HSSCs beyond that required by the current Code (e.g., OMN-1 type testing of MOVs as described in section 5.1 of this SE below) reduction in system re-alignment errors
- improved performance resulting from improving the quantity and quality of plant personnel time devoted to HSSCs e reduction in human errors as a result of a reduction in operator burden e improved system failure probabilities upon demand as a result of fewer off-normal operationalline-ups
= other safety impacts related to improvement in safety culture:
- improved understanding of component-levelimportance
- monitoring of common cause failure (CCF) components operator awareness of important " passive" failure modes in IST components
7 l
1 f 6 l 3.3 General Description of the Staff's Evaluation
(
l The test frequency (and methods) requirements specified in OM-6 for pumps and in OM-10 for valves depend on the type and ASME Code Class of the component. The licensee proposed a risk-informed alternative, or methodology, for defining the test requirements for pumps and valves. The licensee proposed that the test requirements be based on a risk assessment and safety categorization of components, as described in the RI-IST Program Description.
Traditionally, when licensees have proposed attematives to ASME Code requirements pursuant to 10 CFR 50.55a(a)(3)(i), it has been to specific provisions of the Code for a discrete component or group of components (e.g., authorizing use of the change in tank level over time to calculate the flow rate of a specified pump (s) when there is not a " rate or quantity meter installed in the pump test circuit" as specified by the Code). In contrast, the licensee's proposed RI-IST program would apply 10 CFR 50.55a(a)(3)(i) more broadly. The licensee's RI-IST program applies to all of the pumps and valves in the current Code-required IST program.
Furthermore, the licensee's RI-IST Program Description is not described in terms of discrete alternatives to specific Code test requirements. Consequently, the staff's review of the licensee's Rl-IST Program Description focused on an integrated use of PRA and deterministic considerations to help define IST requirements as well as to establish implementation, performance monitoring, and corrective action strategies.
All components in the current Code-required IST program (as well as selected non-Code components categorized as HSSC) will be included in the licensee's proposed RI-IST program and therefore could have their testing strategy (i.e., test frequency, test method, or both) changed. The actual test strategy to which a particular component is subjected, may or may not change as a result ofimplementing the licensee's RI-IST program (e.g., certain components categorized as HSSC may continue to be tested in accordance with the current ASME Code test frequency and methods).
The proposed alternative is a risk-informed process to determine the safety significance and testing strategy of components in the ASME Section XI IST program, and to identify non-ASME IST components (pumps and valves) modeled in the PRA that are determined to be HSSCs.
The process consists of the following elements:
(1) Categorization of Components - utilization of PRA techniques to categorize components on the basis of importance measures (2) Integrated Decisionmaking - blending of deterministic and probabilistic data to obtain a final categorization of components as either LSSC or HSSC (3) Changes to Component Test Requirements - development / determination of test frequencies and test methodologies for the IST components (4) Evaluation of Change in Risk-evaluation of the cumulative impact of the test frequency changes on total plant risk (i.e., CDF and LERF) to ensure that the l change in risk is within the acceptable range (as defined in RG 1.174)
(5) Program implementation - development of an implementation plan i
J l
l 7
(6) Corrective Action - development of a corrective action plan l (7) Periodic Reassessments - performance of periodic reassessments l
(8) RI-IST F'rogram Changes After initial Approval- methodology for making changes to the RI-IST process The licensee's proposed RI-IST program involves the following plant systems:
. Pumps
- Reactor Coolant (RC)
- Diesel Generator Fuel Oil Auxiliary (DO)
, - Vent and Drain (VD)
- Spent Fuel Pool Cooling (SF)
. Valves
- Component Cooling Water (CC) ,
- Chilled Water (Safety)(CH) 1
- Chemical and Volume Control (CS)
- Containment Spray (CT)
- Control Room Air Conditioning (VA)
- Demineralized and Reactor Makeup Water (DD)
- Diesel Generator Auxiliaries (DO)
- Main Steam (MS) !
- Reactor Coolant (RC)
- Residual Heat Removal (RH)
- Safety injection (SI)
- Spent Fuel Pool Cooling (SF) 1
- Service Water (SW)
- Vents and Drains (VD)
- Miscellaneous Containment isolation Valves (CIV)
The physical change in testing strategy for components in the licensee's proposed RI-IST program will vary. Components that are categorized as HSSC will either be tested in accordance with the current ASME Code (frequency and methods), tested in accordance with an " enhanced" test strategy that is described in an NRC approved Code case, or tested in accordance with an alternative test strategy that has been explicitly reviewed and approved by the NRC staff. Components that are categorized as LSSC will either be tested in accordance with the current ASME Code at some reduced frequency, tested in accordance with some, possibly, less rigorous test strategy that is described in an NRC approved Code case (i.e., less rigorous test method than that performed on components categorized as HSSC and at a reduced test frequency), or tested in accordance with an attemative test strategy that has been explicitly reviewed and approved by the NRC staff (Note that, at this time, only Code Case OMN-1 has been approved with limitations for use in the CPSES RI-IST program).
In the following sections, the staff's review of TU Electric's proposed RI-IST program is described using the acceptance guidelines contained in RG 1.174 and RG 1.175, and the review
8 L
l procedures contained in SRP Chapter 19 and RI-IST SRP Section 3.9.7 (reference SECY I l 015 and SECY-98-067).
l 4.0 REVIEW OF THE LICENSEE'S ENGINFFRING EVALUATION j The staff's review of the licensee's proposed RI-IST program included:
. Review of Pining and Instrumentation Diagrams (PAIDs)
The staff conducted a detailed review of piping and instrumentation diagrams (P&lDs) for the affected systems at CPSES. Pumps and valves on these diagrams were coded as being categorized either high or low safety significant. If there was a particular reason why the licensee's expert panel categorized a component a certain way, this was annotated on the diagram. Changes to individual component
' testing strategies were also annotated on the diagrams. The diagrams were then reviewed to see if components appeared to be categorized in a logical and consistent manner. Apparent anomalies were the subject of a staff request for additional information (RAl), were discussed with the licensee during a public meeting, and were formally responded to by the licensee in docketed submittals.
e Review of Nucinar Plant Reliability Data System (NPRDS)
Oak Ridge National Laboratory (ORNL) conducted several NPRDS studies in
. support of the staff's review of the proposed Rl-IST program for Comanche Peak.
l The purpose of the NPRDS studies was to evaluate the failure histories and performance data of components for which the licensee proposed to extend the test interval from quarterly to every 6 years:
. ORNL searched for reported failures of the following pumps at Comanche Peak and none were found (reference ORNL letter report to J. Jackson, NRC dated October 15,1996):
- Reactor coolant system - reactor makeup water pumps
- Diesel generator fuel oil auxiliary system - fuel oil transfer pump
- Spent fuel pool cooling system - spent fuel pool cooling water pumps
- Vent and drains system - safeguard: h !! ding floor drain sump pumps !
. ORNL also performed a more general study of pump and related equipment failures in the nuclear power industry for the period from 1990 through 1995, i inclusive (reference ORNL letter report to J. Jackson, NRC, November 22,1996).
. ORNL studied MOV failures at TU Electric's CPSES Units 1 and 2 for the period from 1990 (initial criticality for Unit 1) through 1995 inclusive (reference ORNL letter l report to J. Jackson, NRC, January 8,1997).
l . ORNL studied check valve failures at TU Electric's CPSES Units 1 and 2 for the period 1990 through 1995 inclusive (reference ORNL letter report to J. Jackson, NRC, January 9,1997) i i
1
9 The results of the ORNL NPRDS studies were presented to TU Electric in the form of RAls. TU Electric responded to the conclusions presented in these studies in Attachment 1 to reference 9 (pages 13 through 20). Where component failures were identified, they had either been corrected by the licensee or determined to be statistically inalgnificant. The staff found the licensee's responses to these RAls to be complete and l responsive to the request.
I
. Onnita Review of the Comanche Paak PRA A staff review team spent one week on site (July 14-18,1997) at the Comanche Peak l' Steam Electric Station (CPSES) to evaluate the PRA models, backup calculations, and data. . A limited-scope plant walkdown was also carried out. This review was aimed at determining whether the CPSES PRA is of sufficient quality and scope to support the RI-IST submittal.
l The quality of the CPSES PRA was found to be adequate for the RI-IST application and L backup calculations were well documented in most areas. Major review areas included initiating event analysis; accident sequence analysis; mission success criteria; fault tree )
analysis; data analysis; dependent failure analysis including consideration of common !
cause failures; human reliability analysis; sequence quantification; internal flooding, fire, !
l and tornado analysis; analysis and interpretation of results; and outage safety function j
! guidelines. While the review team identified some minor problems with the CPSES PRA l
. for the RI-IST application, the team concluded that these issues could be addressed l through the licensee's expert panel process. A more detailed description of the findings L of this PRA review effort is presented in Appendix A of this SER. !
l \
. in-Death Evaluation of RI-IST Proaram lmolementation. Performance Monitorina.
Corrective Actinn Plans !
! The staff reviewed the testing (method and frequency) planned for each component or l group of components in the proposed RI-IST program. As discussed in section 5 below, actual component groups were reviewed and the resulting staggered test approach was evaluated to ensure that potential common cause failures would be promptly identified l and that appropriate corrective action would be taken (e.g., testing the other components ,
l in the group and possibly decreasing the test interval for the er: tire group). l 4.1 EvalAntion of Pronomed Channae -
l )
4.1.1 I leannee's Prooncarl Acornach l r
l TU Electric stated that its current program for processing changes to a licensing-basis document 1 l (IST Program Plan) ensures that any previous or new commitments are consistent with the l' licensing basis.
TU Electric stated that its commitment management program establishes the processes, guidelines, and activities used to manage the development, review and implementation of commitments generated from regulatory, non-regulatory and self-imposed requirements. The commitment tracking system (CTS) database is a tool used in conjunction with other information sources to address and track established commitments within this program. Incoming and
~____-____-_________._______ _-
10 outgoing correspondence are reviewed to identify possible commitments for TU Electric. Any I commitments identified are maintained in the CTS.
TU Electric indicated that licensing document change requests (LDCRs) are used to make changes to licensing basis documents at CPSES. This process includes a review of the CTS and a consistency review of the licensing-basis documents. The Comanche Peak Electronic j Library (CPEL) contains most of Comanche Peak's licensing-basis documents (e.g., FSAR, I Technical Specifications). The CPEL is a tool used to perform a consistency review for LDCRs.
For example, a consistency review for the risk-informed inservice Testing Plan would include electronic searches of CTS and CPEL. The searches would identify any commitments which relied on, for example, a component's inservice testing frequency as the basis for a component's acceptability. The source and nature of any commitments identified would then be reviewed to ensure that the basis for the commitment is unaffected. i TU Electric stated that consideration of the original acceptance conditions, criteria, limits, risk significance of the component, diversity, redundancy, defense in depth, and other aspects of the ,
General Design Criteria, are addressed by the expert panel process.
TU Electric also stated that the method for incorporating the risk-informed relief request into the licensing-busts documents would be the licensing document change request (LDCR). The LDCR process includes a consistency review of the CPSES licensing-basis documents. No commitments were identified as being affected by the proposed RI-IST program. j i
4.1.2 Staff Evaluation The licensee described the program it uses to process changes to licensing-basis documents i including its commitment management program. The licensee's program includes the use of l LDCRs and the supporting CPEL as well as the CTS. The use of these tools should ensure that !
TU Electric identifies any commitments for which the licensee relied on a component's inservice !
test as the basis for acceptability. The source and nature of any identified commitments would then be reviewed by the licensee to ensure that the basis for the commitment is unaffected. In ;
evaluating the acceptability of proposed changes to regulatory requirements and docketed !
commitments, the licensee indicated that its expert panel process would consider the original acceptance conditions, criteria, limits, risk significance of the component, diversity, redundancy, j defense in depth, and other aspects of the General Design Critena.
l The licensee stated that no docketed commitments (e.g., responses to NRC generic letters such i as GL 89-10 and GL 96-05) or regulatory requirements (e.g., Technicai Specifications, license l conditions) were identified as being affected by the proposed RI-IST program. Therefore, the licensee does not need to identify the source and nature of any changed requirements or ;
commitments, and does not need to document the basis for the acceptability of the proposed requirement changes. Similarly, because no docketed commitments are being changed, the )
staff does not need to evaluate the acceptability of any changes to docketed commitments associated with the proposed RI-IST program.
4.1.3 Conclusion TU Electric indicated that its proposed RI-IST program changes will not affect the design, operation, and other activities at Comanche Peak other than the IST program itself. Hence,
11 other regulatory requirements or docketed commitments will remain unaffected. There are no component-specific changes that need to be identified by the licensee and evaluated by the j staff. Therefore, the staff finds that the RI-IST program changes proposed by the licensee are consistent with the acceptance guidelines contained in Section 4.1.1 of RG 1.175 (as contained in SECY-98-067) and are acceptable. The staff further concludes that the licensee's program, as described above, for processing changes to licensing-basis requirements and docketed l commitments associated with future changes to the approved RI IST program at Comanche
! Peak (also see Section 5.6 below) is acceptable.
4.2 IST Program Scone 4.2.1 Licensee's Procosed Anoroach TU Electric noted that the current ASME Code,Section XI philosophy is based on a deterministic approach which considers a set of challenges (i.e., design-basis transients and accidents) to safety and determines how those challenges should be mitigated.
CPSES's proposed RI-IST program incorporates a probabilistic approach which enhances and extends this traditional, deterministic approach, used to determine the scope of current IST programs,in the following ways:
i (1) allowing consideration of a broader set of potential challenges to safety )
l (2) providing a logical means for prioritizing these challenges based on risk j l significance l (3) allowing consideration of a broader set of resources to defend against these challenges Thus, the RI-IST proposed for CPSES has identified several HSSCs that were not in the scope of ASME Section XI. Even though these components are outside the ASME Code class boundary, they will be tested commensurate with their safety significance (e.g., in accordance l with OM-1 for safety relief valves, OM-10 for active valves, and OM-6 for pumps where practical l (see Section 5.1 below)).
TU Electric stated that no components categorized as LSSC (i.e., that are currently in the ASME Section XI program) will be deleted from its RI-IST program.
4.2.2 . Staff Evaluation Three systems, auxiliary feedwater, safety injection, and residual heat removal, were selected to assess the scops of the licensee's RI-IST program. The reviewers examined the licensee's RI-IST program submit'.al, including responses to the staff's requests for additional information (RAls), Comanche Peak's final safety analysis report, piping and instrument diagrams (P&lDs),
and the licensee's current IST program. Each system was evaluated to verify that (1) i components that perform safety-related functions are included in the proposed RI-IST program; and (2) components categorized as HSSC are included in the RI-IST program, regardless of their status in the licensee's current IST program. ,
1 The licensee's risk-informed IST program submittal of November 27,1995, included all the I valves in the previously approved Comanche Peak IST program in the selected systems.
u _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - _ J
12 1
However, the IST program did not include a number of relief valves which appeared to provide overpressure protection to safety systems which shutdown the reactor, maintain the reactor in the shutdown condition, or mitigate the consequences of an accident. The licensee was questioned atut this apparent omission in the public meeting at Comanche Peak on April 25, 1996. In Revision 8 of the Comanche Peak Inservice Testing Program, dated January 31,1997, the licensee added approximately 40 ASME Code Class 2 and 3 relief valves to its current IST l program. These relief valves have not yet been explicitly included in the licensee's Rl-IST l program. For completeness, the licensee's RI-IST program scope should include all components in the current code-prescribed IST program. This apparent omission is inconsequential, however, because the licensee will continue to test both HSSC and LSSC relief valves in accordance with the Code of record as defined in 10 CFR 50.55a (see Section 5.1 below). That is, the test intervais for relief valves categorized as LSSC will not be extended by l the licensee's proposed RI-IST program.
1 In addition, the scope should include those non-code components that the licensee's integrated decisionmaking process categorized as HSSC. The licensee has used its PRA to identify l
additional components that should be included within the scope of its RI-IST program. In the licensee's submittal of November 27,1995 Table 4.1-7 listed 25 components categorized as HSSC that were not included in the licensee's current IST program. Included in this list were locked-open manual valves (not motor-operated butterfly valves as indicated Table 3 of Enclosure 3 to TXX-96371) from the condensate storage tank to the motor- and turbine-driven auxiliary feedwater pumps. No other components reviewed in the selected systems were
, determined to be high safety significant and, consequently, there were no other non-Code
! components from these systems included in the licensee's RI-IST program.
The staff verified that all other components categorized by the licensee's integrated decisionmaking process as HSSC were included in the RI-IST program for CPSES, regardless of their status in the licensee's current IST program, in addition, the staff verified that the RI-IST Program Description will continue to ensure that any components that are recategorized as j HSSC (e.g., as a result of periodic reassessments of the licensee's RI-IST program) will be '
tested commensurate with their safety significance.
l l 4.2.3 Conclusion l The staff concludes that the scope of the licensee's RI-IST program is consistent with the acceptance guidelines contained in Section 3.2 of RG 1.175 (as contained in SECY-98-067) and
! is acceptable. This conclusion is based on the licensee having proposed a test program that includes, in addition to components in the current code-prescribed program, any other components categorized HSSC that were identified as such as part of the PRA or licensee's integrated decisionmaking process.
4.3 Relief Requests and Technical Specification Amendments 4.3.1 t_icensee's Proposed Acoroach TU Electric stated that it did not need any exemption from regulations, technical specification amendments, or relief from regulatory requirements in order to implement its proposed RI-IST program at Comanche Peak. In Attachment 1 to TXX-97189, TU Electric stated "No new relief l
I I
13 l requests or exemptions beyond the currently approved relief requests and this submittal are needed to implement the RI-IST Program at this time."
TU Electric did not resubmit relief requests for components that were categorized as high safety significant, instead, the existing relief requests were evaluated as part of the expert panel deliberations.
l l
4.3.2 Staff Evaluation TU Electric indicated that no exemptions from regulations, technical specification amendments, or new relief requests were necessary to implement its proposed RI-IST program.
TU Electric did not resubmit relief requests for HSSC that were the subject of previously approved relief requests. The staff had suggested that these relief requests should be resubmitted to the NRC and reevaluated in light of the safety significance of the component.
Rather, TU Electric provided a list of all of the relief requests in the current CPSES IST program.
This list identified the nature of the relief (e.g., alternative time frame for preservice testing, alternative check valve test that allows the verification of closure of a single che,ck valve in a paired configuration) and specified each component's categorization (i.e., HSSC or LSSC). In !
this way, the reviewer could determine whether a previously approved relief request, for a component categorized as HSSC, was still appropriate in light of the safety significance of the component. The relief requests and the staff's evaluation of their applicability to the RI-IST program are discussed in the following paragraphs.
The pressurizer sdety valves (valves 2-8010 A through C) were determined to be HSSC.
These valves had been granted an alternative time frame for performing preservice testing in NUREG-0797, Supplement 25 (September 1992), Safety Evaluation Report related to the i Operation of Comanche Peak Steam Electric Station, Unit 2. The RI-IST program is concemed with periodic inservice testing of these valves, so the authorized attemative preservice testing time frame is not relevant to the proposed RI-IST program or its approval by the staff.
The control room A/C accumulator upstream and downstream air supply check valves (1Cl-0644 through 0647) and the pressurizer power-operated relief valve (PORV) nitrogen accumulator upstream and downstream check valves (1SI-0166 through 0169 and 2SI-0166 through 0169) were also determined to be HSSC. These are paired check valves forming the boundary between a nonsafety instrument air or nitrogen supply and a safety-related accumulator or receiver tank. The staff review and approval of this relief request are documented in a safety evaluation dated January 29,1993. The relief relates to the leakage testing of these series check valves. The Code requires periodic verification of a check valve's leak-tight capability to ensure that the plant operates within its safety analyses. For series check L valves when only one of a pair is required to meet safety analysis assumptions, the staff has determined that it is acceptable to leak-test the ca r as a single valve with the following provisions:
(1) Both valves must be subject to comparable quality assurance requirements.
(2) Acceptance criteria for the leakage of the pair of valves must be established.
(3) If the acceptance criteria are not met, both valves shall be declared inoperable and corrective actions initiated for both valves, including a retest before retuming the pair of valves to service.
l
l 1 14 The relief request included these stipulations. The alternative is acceptable for either HSSC or ;
LSSC because the leakage test verifies the requirements of the plant's safety analysis for the l valves and meets the intent of the Code requirements. Additionaljustification is based on the corrective actions required for both valves when acceptance criteria are not met to ensure that at least one of two valves continues to function to meet safety analysis assumptions. Therefore, l 15e proposed attemative continues to provide an acceptable level of quality and safety. This staff position is consistent with the guidance provided by the staff in Supplement 1 to Generic Letter 89-04 (NUREG-1482, Section 4.1.1).
Individual component relief requests are not required to adjust the test interval of individual components that are categorized as having low safety significance because the licensee %
implementation plan for extending specific component test intervals was reviewed as part of the licensee's RI-IST program submittal. Similarly, because the proposed alternative includes improved test strategies to enhance the test effectiveness of components, such as the use of ASME Code Case OMN-1," Alternate Rules for Preservice and Inservice Testing of Certain l Electric Motor Operated Valve Assemblies in LWR Power Plants, OM-Code - 1995 Edition; Subsection ISTC," additional relief from the Code requirements (i.e., beyond staff approval of l the licensee's RI-IST program describing the licensee's intention to adopt such a Code case)is not required.
TU Electric indicated that almost all of the components in the proposed RI-IST p'ogram will be tested in accordance with the ASME Code test method requirements. Relief is not required to implement test methods that are in accordance with ASME Code requirements. For certain HSSC and LSSC MOVs, the licensee proposed to use Code Case OMN-1 which is not an ASME Code requirement. Until this code case is approved by the NRC in the regulations or RG 1.147, licensees may propose to use it as an alternative to Code requirements pursuant to 10 CFR 50.55a(a)(3). The staff's authorization for TU Electric to use Code Case OMN-1 at Comanche Peak is documented in Appendix B to this SER.
For a few HSSC components, that are not within the scope of the current IST program, it is not practicable to perform Code testing. TU Electric's expert panel addressed these components.
For example, the normally open manual valves (the TD AFW pump suction isolation valve (AF-0006), the MD AFW pump suction isolation valve (AF-0007), and the PMP/CCP suction cross tie valve (8341)) will be " tested" by the quarterly IST pump test which will verify the valve is open.
In addition, the licensee will ensure that the valve remains in the open position by relying on either the locked valve program or position surveillance performed every 30 days per technical specifications. RG 1.175 suggests that alternative test methods should be reviewed and approved by the NRC before implementation of the RI-IST program. While TU Electric did not submit relief requests for these components, the regulations do not require inservice testing of non-Code pumps and valves, and the licensee has described a test strategy for these components that provides reasonable assurance of the components' operational readiness. As stated in Enclosure 1 to TXX-98134, where ASME Code,Section XI testing is practical, HSSCs not in the current ASME Code,Section XI IST Program Plan will be tested in accordance with OM-1 for pressure relief valves, OM-10 for active valves, and OM-6 for pumps.
l
! 4.3.3 Conclusion The licensee's RI-IST program results in the testing of high safety significant components in accordance with the Code test frequency and method requirements, in accordance with an l
l l
l 15 NRC-approved Code case, or in accordance with an attemative test strategy that has been authorized by the staff as a part of the RI-!ST program review (see Section 5.1 below).
Similarly, the licensee will test low safety significant components in accordance with the Code test method requirements (although at an extended interval). The licensee has not identified any exemptions, technical specification amendments, or relief from other Code requirements which would require review and approval before the implementation of its RI lST program.
Therefore, the staff finds this aspect of TU Electric's proposed RI-IST program to be acceptable because it is consistent with the acceptance guidelines contained in Section 4.1.2 of RG 1.175 (as contained in SECY-98-067).
4.4 Scope, leval of Detail. and Quality of the PRA for IST Acolication Note: Details of the Comanche Peak PRA and the staff's review are contained in Appendix A to this SER.
4.4.1 Scope of the P"4 4.4.1.1 Licensee's Procosed Anoroach As stated in TU Electric's proposed RI-IST Program Description (Enclosure 1 to TXX-98134):
A full-scope PRA is not required. However, any limitations (e.g., missing initiating events) will be addressed by the IDP...
4.4.1.2 Staff Evaluation The CPSES PRA has modeled internal initiating events (including internal flooding), and events initiated by tornadoes, high winds and fires. Of the potentially significant contributors to risk, seismic events, and the low- power and shutdown (LP&S) modes of operation are not modeled.
The licensee has, however, considered these missing contributors in the categorization of components and in the determination of risk. Applicable information from the existing PRAs and qualitative risk insights were used as part of the IDP for this purpose.
4.4.1.3 Conclusion The PRA addresses most of the potentially significant risk contributors and is adequate to provide insights on the plant risk and to provide input to the component categorization process used in the RI-IST submittal. Potentially important risk contributors from seismic events and from the LP&S mode of operation are adequately addressed in the integrated decisionmaking process (see Sections 4.5,4.6 and Apper' dix A).
4.4.2 Level of Detail of the PRA 4.4.2.1 Licensee's Pronosed Anoroach The PRAs performed as part of the licensee's Individual Plant Examination (IPE) and Individual Plant Examination of Externally initiated Events (IPEEE) were used in support of this application.
j The pumps and valves and the associated failure modes that were determined to be important in terms of core damage frequency were included in the PRAs. For IST components not L ____ _ _____ __ _
16 l modeled in the PRA, the licensee performed a detailed evaluation on each component by
! comparing the IST functions to potential functions in the PRA, and the risk significance of such components was determined by the expert panel.
4.4.2.2 Staff Evaluation A review of the PRA showed that the models are sufficiently detailed to include pumps and valves (and the important failure modes) required to prevent or mitigate the effects of the initiating events modeled. In addition, the PRA is of sufficient detail that system and operator dependencies important to the plant risk are included. This is further discussed in the evaluation of PRA quality in Section A.3 of Appendix A.
In the submittal, the PRA is used for two purposes, to provide input to the categorization of components, and to evaluate the change in risk. Staff review has determined that components categorized as LSSC that are not modeled in the PRA have been treated appropriately by the expert panei and that there are qualitative arguments as to why an increase in test intervals for these components will only result in a very smallincrease in risk. Section A.4.1.4 of Appendix A discusses this further. In addition, Section A.3.1.7 discusses the staff's findings regarding the effects of excluding of pumps and valves as a result of truncating components during PRA model quantification and as a result of omitting components through the PRA screening process.
(
When evaluating the impact of the proposed RI lST program on plant risk, it was judged that the licensee's PRA model is sufficiently detailed that the impact of the IST change on individual components can be accommodated. Section A.4.2 discusses review findings on the mapping of the proposed test interval extension onto the PRA model elements.
4.4.2.3 Conclusion The level of detail of the PRA is such that the IST components (and relevant failure modes) that contribute most significantly to the plant's estimated risk are included, and that the system and operator dependencies important to the plant risk are included. IST components not included in the model have been appropriately dispositioned by the expert panel.
4.4.3 Quality of the PRA 4.4.3.1 Licensee's Pronosed Ancroach in Attachment 2 of TXX-97189, the licensee proposes the following:
In this section, the following points require assurance by the CPSES submittal:
- the process to ensure quality of the PRA
- the quality as it specifically relates to the application l
- a review of the assumptions and elements of the PRA model that drive the results and conclusions The following describes the process to ensure quality of the PRA during its initial development. In general, the IPE study for CPSES fully satisfies the requirements of a full-scope Level-l and Level-ll PRA. The major elements of the IPE study were L____---------_.-
! 17 l
developed and reviewed in a manner consistent with and in excess of the good practices of the time. One of the main objectives of the IPE development was to be able to utilize its results and insights toward the enhancement of plant safety through risk-informed applications. With this objective in mind, the IPE elements were developed in detail and integrated in a manner sufficient to satisfy both the NRC Generic Letter 88-20 guidelines and to support future plant applications.
To ensure a high-quality IPE and to provide quality control to the IPE process, two types of independent reviews were conducted to determine if the IPE effort met its objectives.
One was performed intomally by TU Electric staff, and the other was performed externally by outside PRA experts, in general, both reviews were applied to the entire examination process except when it was not possible due to the availability of resources or required skills. In those few cases, as a minimum, each task was reviewed thoroughly by either an internal or extemal independent reviewer. Furthermore, a final independent review was performed after the IPE study was completed. A team of PRA experts was selected from the industry to independently review the entire IPE study and its supporting analyses. The review team spent one week at the TU Electric offices where documents, procedures and supporting calculations and analyses were available for use.
The results of all independent review activities performed by intemal and extemal reviewers were well documented as part of the IPE documentation requirements.
It should also be noted that the NRC has completed its review of the IPE and deemed it acceptable. Further, two expert panel processes, one for the maintenance rule and one for this application have found the quality of the PRA to be acceptable.
Regarding the quality of the PRA as it relates to the specific application, there have been a variety of activities conducted by both TU Electric and the NRC to ensure the quality of the PRA as it relates to the pilot plant application. TU Electric initiated a review of the adequacy of its PRA for the IST application using the EPRI PSA Applications Guide, the first guide developed specifically for this process.
The Engineering Report contains a review of the PRA's adequacy for application to IST.
This review was conducted in accordance with the methods developed by EPRI for the PSA Applications Guide. Two separate analyses were conducted, one for compliance with the principles outlined in sections 2,3 and 4 of the PSA Applications Guide, one for the checklist of questions in Appendix B. To do this evaluation, the specific questions identified in the PSA Applications Guide were answered based on a review of the CPSES IPE and the RI-IST program considerations. These questions included problem definition, scope, figures of merit, analysis, decision criteria, initiating events, success criteria, event trees, system reliability models, parameter databases, dependent failure analysis, human reliability analysis, quantification, analysis of results, plant damage state classification, containment analysis, extemal events PSA hazards analysis, and shutdown PSA considerations. The results of this evaluation show that the CPSES IPE is
. appropriate for use in the CPSES RI-IST program.
Appendix B of the PSA Applications Guide, entitled " Checklist for Technical Consistency in a PSA Model," discusses several issues that have been found in various PRAs to be
. significant in determining the risk profile. This checklist was used to demonstrate that the CPSES IPE conforms to the state-of-the-art with regard to completeness of coverage of l
18 PRA methodology. The results of this evaluation show that the CPSES IPE meets or exceeds the quality standards suggested by the PSA Applications Guide and is j appropriate for use in the CPSES RI-IST Program.
4.4.3.2 Staff Evaluation A staff review was carried out to determine whether the CPSES PRA is of sufficient quality to support the RI-IST process. It should be noted that,in accordance with RG 1.174, the required 1 PRA quality should be commensurate with the application for which it is applied and the role the PRA results play in the IDP. Since the proposed RI-IST process results in only a small risk increase (as discussed in Section 4.6 of this SER) and since this risk increase could be argued to be even smaller in light of qualitative arguments regarding the benefits of the improved testing methods adopted as part of this process (see Section 4.6.2 below), the importance of the demonstration of PRA quality is reduced. However, since this submittal was part of a pilot project, a larger (than required) staff review of the PRA scope was carried out to assist the staff in developing review procedures in assessing PRA quality for RI-IST submittals that may result j in larger risk increases. l 1
in assessing PRA quality, the staff reviewed the licensee's process to ensure quality and evaluated the results and conclusions from the licensee-sponsored independent peer reviews of the IPE/PRA. This podion of the review took into account the process used in the licensee's internal review and the external peer review, the review scope, and the qualification and makeup of the review teams. Results, findings, resolutions to the findings, and conclusions from staff reviews of the IPE and from the ongoing IPEEE reviews were also utilized.
A staff review team spent one week (July 14-18,1997) at the plant site to evaluate the PRA models, backup calculations, and data. A limited-scope plant walkdown was also carried out.
Review areas included initiating event analysis; accident sequence analysis; mission success criteria; fault tree analysis; data analysis; dependent failure analysis including consideration of common cause failures; human reliability analysis; sequence quantification; intemal flooding, fire, and tornado analysis; and analysis and interpretation of results. The focus of the review was to determine if the PRA models reflect the as-built and as-operated plant, and if the evaluations were performed in a manner that is consistent with accepted practices. In addition, to reach specific findings regarding the quality of the PRA for the RI-IST application, reviewers performed a focused-scope evaluation thst concentrated on IST specific attributes of the PRA and on the assumptions and elements of the PRA model that drive the results and conclusions.
Although the review team identified some minor problems with the CPSES PRA (e.g., some missing success paths, inadequate documentation of human error probabilities, optimistic recovery factors for equipment repair, plant-specific performance data not having already been incorporated into the PRA), the team concluded that these issues could be addressed through l
the licensee's expert panel process. Details of review findings are included in Appendix A to this SER.
4.4.3.3 Conclusion There is reasonable assurance of PRA adequacy, as shown by the licensee's process to ensure quality, and by a focused-scope review by the staff which shows that the components affected i
O_______-________-.._____-_-_.
19
, by the RI-IST process and those that are important to the decisionmaking are appropriately l modeled.
4.5 Categorization of Cornoonents 4,5.1 Licensee's Procosed Anoroach in its RI-IST program, TU Electric categorized components based on the results of the CPSES IPE. An expert panel blended the insights provided by the PRA methods with deterministic data (such as plant specific equipment history and industry events) to rank components as HSSC or LSSC. The risk rankings were then complemented with rankings based on consideration of other accident initiators (e.g., fires, tornados, and earthquakes) and plant operating modes.
These rankings considered importance with respect to core damage prevention, and prevention of large early releases of radiation from the containment. The licensee used two importance measures, Fussell-Vesely (FV) and risk achievement worth (RAW), to categorize its components into two groups, HSSC and LSSC An expert panel process allowed a broader set of resources to be considered to defend against challenges to safety. The expert panel is composed of experienced individuals with expertise in the areas of ASME Codes, plant operations, maintenance engineering, systems engineering, design engineering, and PRA. The expert panel is responsible to ensure that the risk ranking input information is consistent with plant design, operating procedures, and with plant-specific operating experience. At the end of the expert panel review process every component in the CPSES ASME Section XI IST program was reviewed and categorized.
The specifics of the component categorization process are described in TU Electric's proposed RI-IST Program Description (Enclosure 1 to TXX-98134):
Two figures of merit [PRA importance measures] will be used to initially determine the risk categories of IST components. These two methods are Fussell-Vesely (FV) and l Risk Achievement Worth (RAW). For the RI-IST program, the following criteria will be used to initially rank components for review by the Integrated Decision Process (IDP).
Category Criterion High FV > 0.001 Potentially High FV < 0.001 and RAW > 2 Low FV < 0.001 and RAW < 2 l The ACDF and 6LERF for the change are within the acceptance guidelines of l Regulatory Guide 1.174.
1 Anolv Imoortance Criteria to PRA and Review Review FV and RAW importance measures for pumps and valves considered in the PRA against the criteria and determine if the grouping of components is logical.
Review component importance measures to make oure that their bases are well understood.
1 i
t____.___________
20 Robustna==/Validatinn of Rannita Address the sensitivity of the results to common cause failures (CCF), assuming all/none of the CCF importance is assigried to the associated component.
Evaluate the sensitivity due to human action modeling. Identify / evaluate operator actions omitted by the PRA that can change the ranking of a component. The omitted recovery actions are those not credited because they are not important to the ODF.
- Consider industry history for particular IST components. Review such sources as NRC Generic Letters, SOERs, IOERs and Technical Bu;letins and rank accordingly.
For components with low FV/high RAW ensure that other compensatory measures' are available to maintain the reliability of the component.
' identify and evaluate components whose performance shows a history of causing entry into LCO conditions. To ensure that safety margins are maintained, c asider retaining the ASME test frequency for these components.
. Ensure that truncated components have been eliminated due to redu.dancy of function rather than solely due to reliability. If they are truncated due to their high reliability, then those components should be qualitatively re-evaluated and re-categorized appropriately.
Validate or change the PRA-based . component ranking. If the validated PRA ranking is high, rank the component high; if the PRA ranking is low and the other factors such as the operating performance of the componsnt validate the ranking, rank as low.
Fire. Tornado and Seismic ConsideratinDS Consider the following for risk ranking components for extemal events.
. Calculate risk importance measures for components in the fire and tomado cutsets.
Compare these calculated values and the PRA values to identify those components ;
that are low risk significant for the PRA but high risk significant for fire and tornado. !
i
'A compensatory measure is described as a test or other measure that could be credited to reduce the increase in core damage frequency associated with test interva! changes. .
Compensatory measures selected for LSSC are other system tests, such as pump operability !
- tests or pump IST for pump discharge check valves, slave relay test for MOVs and normal instrumentation monitoring. These tests were selected by the expert panel because it was determined that they could be relied upon to detect degradation of the component function.
1
l l
t l l l I
! 21 i
! l l . Review component importance measures and the PRA limitations for fire and l
! tomado in a manner similar to that described for internal events discussed above l and adjust the rankings of the components accordingly.
L
( .
For those components on the Safe Shutdown Equipment List (SSEL) and the l l containment systems list, review their risk categories to ensure that those l l
components important to seismic and containment integrity are appropriately categorized.
Outage Risk imoortance A qualitative assessment of PRA systems modeled for shutdown modes will be performed to determine the impact of shutdown modes on IST rankings. To perform this analysis a three step process will be used. First, using existing PRA system models as the basis, components and system configurations that are unique to the shutdown modes from the at po;ver PRA will be identified. Second, using a qualitative set of rules, components in key trains will be ranked into three categories:
1
- 1. Category 1: High safety significant components (high FV) !
- 2. Category 2: Potentially high safety significant components (Iow FV, moderate to I
! high RAW).
Third, support systems that are unique to shutdown configurations will also be identified and ranked accordingly.
There are several safety functions important to shutdown. These are Over-Pressure Protection, Shutdown Cooling, Spent Fuel Pool Cooling, inventory Control, Reactivity Control, AC Power, and Containment Integrity. Rather than snalyzing each function
- separately, the systems required for the shutdown accident sequences will be analyzed I
and ranked with respect to their shutdown configurations. This will provide a comprehensive review of the shutdown systems and their unique configurations.
The risk profile for an outage changes as maintenance activities start and stop and plant I states change. Therefore, the importance of components can also change during the outage, depending on the plant configuration as govemed by the outage schedule.
There can be times when almost any component can become more risk significant depending upon the outage scenario. If the plant is in a configuration of increased risk, and an IST component must operate to respond to an accident, that component will be more risk significant for that time period, if that period of time is extended, then the component on average will be more risk s'gnificant.
A major difference between at power and shutdown is that safety systems are in a l standby mode at power and active components must start or reposition automatically for l
success. Since actuation failure is much more likely than failure to continue to operate, a reliability-oriented risk importance measure like Fussell-Vesely is lower for outage than at power. However, since functional importance is similar, the RAW value is likely to be the same and its FV is correspondingly lower. Also, during shutdown, automatic actuations are usually blocked and pumps and valves are actuated by manual operation l
f 22 only. Since the failure probability for human action may at times be more likely than ,
l automatic actuation, the contribution of equipment failure is relatively less likely. <
l Therefore, in most cases the ranking of components at power is higher than during shutdown, although the system configuration must still be compared to determine if there are unique differences for the shutdown mode. Based upon the insights discussed above, the approach to risk ranking is as follows:
- If a component performs the same function and is in the same initial state as at power, the at power ranking is assumed to bound the outage ranking.
i e if a component performs a different function or is in a different initial state than at i power, then the outage ranking must be evaluated. 1 The latter evaluation involves cases where a different system is used, i.e., spent fuel pool '
cooling, or where a different function is performed by a component in a system "used" at power or during an outage. Additionally the following guidelines are used for risk ranking for shutdown.
Categorv 1 - High Safety Significant Comoonents (High FVP l l Pumps that must start to perform function (assume all pumps in systems that cycle operating trains)(High FV)
Motor Operated Valve (MOV) or Air Operated Valve (AOV) that must change state to perform function (but not portions with redundant paths, e.g. two supply sources to one pump)(High FV) l
. MOV or AOV that must change state to prevent flow diversion that can fail redundant trains (high FV, extremely high RAW)
. Pressure relief valves (safety or power operated) needed to control pressure so that redundant trains of systems can perform function (high FV or low FV, high RAW)
Categorv 2 - PotentinHy High Safetv Significant Comoonents (Iow FV & moderate to high RAWP e Pumps that must continue running (low FV, moderate RAW)
. Valves in single path portions of redundant systems that are not required to change state (RHR outlet valves)(usually low FV, moderate or high RAW) l
. Check valve plus MOV or AOV that must remain as is if they are in the trains only flow path (low FV, moderate RAW)
. Check valves for which reverse flow can fail redundant trains simultaneously (Iow FV, extremely high RAW)
23 MOV or AOV which if they change state can cause flow diversion that can fait redundant trains (low FV, extremely high RAW)
Control components that need to function to prevent system degradation (e.g. AFW flow control valves to the Steam Generators that can fail the Turbine Driven AFW
Catagory 3 - Low Safety Significant Comoonents dow FV & low RAW);
I
=
All other components that do not fall into Category 1 or 2 were ranked low.
I These rules will be applied to the systems that support the safety functions described herein.
Rack-end Risk imoortance It is equally important to identify those pumps and valves that prevent containment failure or bypass that could result in an unacceptable release. Examples might include the valves that provide the boundary between the reactor coolant system and low-pressure systems _ located outside containment. Various analyses have shown that large releases, though infrequent and of low probability, tend to dominate offsite consequences.
Therefore, those IST components identified by back-end analyses will be ranked according to their importance to large early release frequency only.
Containment isolation failures or containment bypass events can, in some accident
. scenarios, cause a large, early release. The associated valves represent a substantial ,
I fraction of components treated by the IST program. However, their importance varies 1 i significantly depending on their initial position, their size, the leak path they are in, etc. ;
These factors will be evaluated with a simple model consistent with the PRA back-end l analysis. Risk importances of containment functions will be measured by deve!oping '
quantitative importance measures for accidents contributing to large, early releases. !
l The large, early releases are more likely to result from accidents with the following attributes:
l I
. A failure in containment exists at the time of the accident, either because the .
l containment fails to isolate or it is bypassed, or
- A high-pressure core meltdown occurs with containment heat removal (sprays) unavailable at the time of core melting.
One cause of a large, early release is a steam generator tube rupture, with immediate failure of core cooling, and failure of the main steam system to isolate. A large but not early release can also occur if the same scenario occurs except that core cooling fails late in the accident rather than immediately. This latter scenario is the most likely source of a large release. However, because adequate time would be available to implement emergency response measures, this source of a large release will not be considered in the importance measure calculation. Instead, the most important sources of main steam L'
l i
24 l isolation failure are considered potentially important and will be reviewed by the IDP to {
determine if the associated valves should be categorized as high. i IST Comoonants Not in PRA Review components not explicitly modeled in the PRA to ensure an IST component is, in i fact, low risk.
Hioh-Risk PRA Comoonents Not in the IST Prooram
' ~
l \
f Identify other high risk pumps and valves that are not in the IST program but should be l l
tested commensurate with their risk importance.
l . Evaluate the PRA modeling assumptions, component failure modes, operator
! actions, recoveries and any other effects that could substantiate the components risk category as "high risk" even if they are not in the IST program.
- Determine whether current plant testing is commensurate with the importance of these valves. If not, determine what test, e.g., the IST test, would be the most appropriate.
i
~
l Other Considerations j Perform sensitivity studies, as needed, to evaluate the cumulative impact of changes in the IST program test strategies on the total Core Damage Frequency (CDF). j Attachment 6 to TXX-96371 is TU Electric's CPSES Risk-Based inservice Testing Program i Expert Panel Guidance Document. This attachment includes the following statement:
The purpose of utilizing an expert panel (EP) for the CPSES Risk-Based in-t Service Testing (RB-IST) Program is to confirm or adjust the risk importance measures developed using the individual plant examination (IPE) results and l Insights and to provide a qualitative assessment where necessary based on the l engineering judgement of the EP. This qualitative assessment compensates for l limitations of the iPE Study, including those cases where adequate quantitative ,
' risk information is not available. l The expert panel evaluation is based on deterministic insights, engineering judgement i and regulatory requirements. The expert panel will review the IPE component risk !
I ranking, analyze applicable deterministic information, and determine the final safety l l significance categorizations for all the IST Components. These expert panel l considerations should be well documented for each individual component to allow for future repeatability of the risk ranking process of the IST components.
The panel will be a living panel and will participate in periodic updates to the ranking at intervals corresponding to the periodic IPE/PRA update planned by TU Electric.
The scope of the expert panel activities includes both risk ranking and application. The !
panel's principal responsibility is to provide deterministic insights that might influence l
l l 25 ranking. The expert panel should identify cases where a component's poor performance justifies changing its ranking from low to high.
! The expert panel should determine the appropriate changes to testing. The panel should l identify compensatory measures for potentially important components and also select the test interval for less-safety significant components. The panel should determine the test strategies for more safety significant components not currently in the IST program.
Attachment 1 to TXX-97189 states that if a components RAW is significant, the expert panel l could rank a component LSSC if a compensatory measure was selected that would ensure that degradations were properly identified. Thus, for each LSSC that has a high RAW, the expert panel either selected a compensatory measure or provided justification, based on model l considerations, why a compensatory measure was not required. The enclosure to TXX-98086
- indicates that "[a]s part of the IDP, confirmatory measures previously utilized to categorize l components as LSSC will be validated. Additionally, the maximum test interval will be verified or modified as dictated by the IDP."
Attachment 4 to TXX-96371 provides the methodology and decision criteria that were userl by the expert panel in developing the CPSES Risk-Based [ Risk-Informed] IST Program. It provides an overview of the expert panel deliberative process as fd'ows:
The expert panells provided a discussion on the goals and objectives of the RB-IST [RI-IST) program. They are also provided a discussion of the existing IST program and its requirements. Next, the expert panel is briefed on PRA, what it is, what's involved, what's not and why, and how PRA can be used to help rank the components. The l expert panel is briefed on the limitation of the PRA model. l The expert panel deliberations begin with those components that are modeled. For modeled components / functions, if the components FV 2 0.001, the expert panel either confirms the component is HSSC orjustification of the conservatism of the PRA model must be developed and agreed upon by the expert panel.
For modeled components / functions with a FV < 0.001 but a RAW 2 2.0, the expert panel must concur that the component can be final ranked LSSC and identify a compensatory measure that ensure operational readiness. For these components, the expert panel discusses the design-basis function, the PRA modeled function and why the model determined FV was low and RAW was high. Next the expert panel considers site-specific performance history, any known industry history associated with that particular model (NRC Generic Letter, SOER, IOER, Technical Bulletin, etc.), service condition, and the ASME Section XI test requirements. Next the expert panel determines that a l compensatory measure is available to ensure operational readiness. Typically this is associated with a pump run or a Technical Specification required Surveillance. Once the component reliability is ensured and a compensatory measure is available, the component is final ranked LSSC. If both these items are not acceptable the component is ranked HSSC.
For modeled components / functions with FV s 0.001 and RAW < 2.0, the expert panel discusses those items above associated with component reliability, if the reliability is acceptable, the component is ranked LSSC. If the reliability is unacceptable, the expert I
i I l
l
t 26 panel tries to identify a compensatory measure, if one is located the component is final ranked LSSC, if not the component is final ranked HSSC.
For a component not modeled or the IST function is not modeled, the following is the course of action for the EP. If the sister train is modeled then the component takes that final ranking. If the component is implicitly modeled, the FV and RAW are estimated and the deliberation is as previously discussed.
If the component is not implicitly modeled, the. expert panel confirms the system ranking associated with the Maintenance Rule. If the expert panel finds disagreement, then the PRA model requires revision (however, this was not the case for CPSES). Once the expert panel confirms the system ranking, the component performance history, service-condition, etc. are reviewed to ensure component reliability, and if so, the component is final ranked LSSC. If not, but compensatory measures are available, the final rank is LSSC. If compensatory measures are not available the component is ranked HSSC, and the PRA model is reviewed for a necessary update.
As part of the RI-IST process, performance history was considered in the determination of a j component's safety significant classification. With regard to the use of component performance information to categorize components, TU Electric stated in Attachment 1 to TXX-96371 (response to question E3-5):
The reliability of the component was then considered based on CPSES operating experience. When the panel's knowledge of component performance indicated the component might be noticeably less reliable than its " peers", the component was ranked high. The criteria used by the panel was that if one member of the panel was aware of such poor performance, the component was ranked high. In general, the members of
! the panel providing input for this evaluation included engineers from systems and l maintenance engineering and the IST coordinator. [ Components whose categorization l were changed to HSSC due to historical incidences of poor performance include:
l
! feedwater isolation valves HV-2134 through HV-2137, the containment spray pumps due
- to vibration problems, boric acid transfer pump due to steady and gradual wear of the l carbon bearings, and the CIV bonnet relief valves for 1-8811 A/B].
l 4.5.2 Staff Evaluation L A review of the licensee's component categorization process was carried out by evaluating the l PRA risk ranking process and results, the sensitivity studies carried out to demonstrate the robustness of the ranking results, considerations of the limitations h the PRA used in the ranking process, and considerations of plant operatinc 04mience. Section A.4.1 of Appendix A ;
l ' discusses the staff review activities and evaluation findings in these areas. A summary of the staff evaluation is presented in this section. The integration of deterministic engineering factors into the categorization process is discussed in Section 4.7 of this SER.
The component risk ranking using the FV and RAW measures was reviewed and found to be reasonable and consistent with the as-built and as-operated plant. To show robustness of the results (i.e., the components classified as LSSC will remain LSSC for other plausible scenarios),
the licensee included evaluations to demonstrate the sensitivity of the risk importance results to the important PRA modeling techniques, assumptions, and data. Issues that were addressed
l 27 included: truncation limit used, different risk metrics (i.e., CDF and LERF), different component failure modes, multiple component considerations, and sensitivity studies on contributions from common-cause failures and recovery actions. As discussed in Appendix A of this SER, several pumps and valves were added to the HSSC category based on the results of these studies.
One of the ways the licensee addressed the impact of the RI-IST program on multiple components is through the confirmatory assessment of the change in risk metrics, as will be discussed in Section 4.6. Therefore, the numerical values used for the FV and RAW criteria are shown to be appropriate for this RI-IST application since the calculated change in risk is shown l- to be acceptable. However, this should not be taken as a generic endorsement of these values for other applications or for other plants since these values are dependent on the base CDF and LERF of the plant, and the evaluation of the change in risk is application-dependent. In addition, this CPSES RI-IST categorization is also dependent, in part, on the use of compensatory measures for potentially risk-significant components, and these measures are plant- and application-specific.
As part of the licensee's process, the initial component categorization was revised to take into account shortcomings of the PRA model. For example, asymmetries introduced into the model for calculational convenience were identified and corrected. Also, the expert panel used component-specific operating history in the course of the categorization process to supplement
- the PRA ranking which was derived using generic data. Because this approach is in l accordance with Section 4.4 of RG 1.175, the staff finds the use of the expert panel for these l purposes to be acceptable.
In addition, since the PRA-derived categorization only addresses the contributions to risk from the internal event initiators, and those from fires and tornadoes, the licensee relied on the expert panel process to determine the categorization on the basis of seismic risk and risk from LP&S :
operations. Based on its review of the qualitative guidelines used by the expert panel, the staff 1 l finds the process provides a logical and appropriate method to determine the risk significance of ;
l components under seismic and LP&S conditions, and is therefore acceptable. One exception is !
a guideline used to help in the categorization of components for plant risk from the low power and shutdown mode of operation. The guideline that states that "if a component performs the i
! same function and is in the same initial state as at power, the at power ranking is assumed to 4 bound the outage ranking"is judged to be inappropriate, in part because of the potential for reduced redundancy in the shutdown case. However, the other guidelines used for categorizing components for the LP&S mode are appropriate and the licensee guidance that "...the system configuration must still be compared to determine if there are unique differences for the shutdown mode" should preclude potential mis-categorizations resulting from the above
! statement. A staff review of the results of the expert panel deliberations on the LP&S operating l
mode shows that components that are expected to be safety significant have been classified as such, and that the overall results are reasonable.
Finally, when categorizing components that are not modeled in the PRA, the licensee took into account the reasons why these components were omitted in the first place. For example, some components are not modeled because certain initiating events are not modeled (e.g., LP&S I
events, or some external events); in other cases, components are not directly modeled because '
they are grouped together with events that are modeled (e.g., initiating events, operator recovery events, or within other system or function boundaries); and in some cases, components are screened out from the analysis because of assumed inherent reliability, or
28 failure modes are screened out because of their insignificant contribution to risk (e.g., spurious closure of a valve). The licensee has either provided qualitative arguments that the proposed RI-IST changes to the unmodeled components do not result in an increase in risk, or has categorized (maintained) the components as HSSC.
'4.5.3 Conclusion The licensee's process on the determination of risk importance of components in the Rl-IST program is robust in terms of the important PRA modeling techniques, assumptions, and data.
, Expert panel deliberations have been appropriately used to account for traditional engineering considerations, plant operating experience and PRA limitations. The categorization of components as low safety significant (and therefore, eligible for extension in test intervals) is backed by calculations which show that the risk increase is acceptable given this increase in test interval.
4.6 Evaluating the Effect of Pronosed Changes on Overall Plant Risk 4.6.1 Modeling of the Effects of IST on PRA Basic Events 4.6.1.1 Licensee's Pronosed Anoroach As stated in TU Electric's proposed RI-IST Program Description (Enc'osure 1 to TXX-98134):
Due to uncertainty in how test interval changes will actually affect the component unavailabilities, a number of conservative assumptions are made as summarized below:
e it is assumed that any increase in test intervals would simultaneously impact the reliability of all IST components in the low safety-significant component (LSSC) category.
- Consistent with the PRA techniques, the component unavailability required to change state,is assumed to be:
O = b + A(T/2)
Q = total component unavailability Where: b = Component unavailability on demand A = Component failure rate per hour T = Interval between tests that verify operability of the component
. The component unavailability is assumed to increase by the same factor as the increase in the test inteNal. For example, a change in the test interval from quarterly to semi-annually is assumed to increase the total component unavailability by a factor of two. This is a very conservative assumption because it assumes that not only the A(T/2) term would be increased by a factor of two, but also the failure on demand term (Q) term is assumed to be directly impacted by the change in the test interval.
I l
29 Decrease in wearout due to less frequent testing is assumed to be negligible although frequent testing has been seen to cause components to be less available due to wearout.
It is conservatively assumed that all IST tests are fully effective in finding the causes of component unavailabilities.
4.6.1.2 Staff Evaluation The evaluation of the change on CDF and LERF is made by assuming that the probabilities of failure of the HSSCs are unchanged, while that of the LSSCs is changed because of the extending of the test interval. The effect of extending the test interval on a component's failure probability is obtained by prorating the failure probability by the ratio of the new to the old test interval. This is equivalent to assuming a constant (i.e., non-time-dependent) standby failure rate A, and estimating the basic event probability using AT/2, where T is the time between tests.
l There are no data to either support or reject this model. However, as it is applied, there is an assumption that the components are retumed to the " good as new" state following a test. If there is no significant active degradation mechanism, including those resulting from intermittent use of the component, and the failures are primarily caused by random extemal influences, this formula is appropriate. Since the tests on the components will be staggered, and since component performance will be monitored with the help of enhanced test methods (see Section 5.1 below) which are designed to identify significant degradation mechanisms, corrective action can be taken to effectively remove or correct for these degradation mechanisms including those caused by aging. Therefore, the AT/2 model can be considered to be adequate for this i application.
In this context, a test that demonstrates functional success can be regarded as a
" compensatory" measure, since it limits the exposure time to the failed state. In the framework of the model used by the licensee, credit taken for a compensatory test would require that the
' test be performed at the same frequency as the original test (usually 3 months). This condition ,
would hold true for the majority of the time when compensatory measures proposed in the RI- '
IST program are associated with pump tests, which are expected to be performed at three month intervals. This intervalis also consistent with the generic data which was used in the
. CPSES PRA where a test interval of 3 months is universally assumed for those cases where the failure probabilities are given in terms of failure on demand.
4.6.1.3 Conclusion A model for unavailability in terms of fault exposure time was used in the PRA for evaluating the risk significance of extending the selected component test intervals. Fault exposure time f' !ST components was modeled appropriately and is either linked to the proposed IST intervals or to
" compensatory tests" which are required as part of IST activities on other components or as part of the plant's technical specifications. The effects of aging and environmental stresses (time dependent degradation of the failure rates) have been addressed as part of the licensee's integrated decisionmaking process which adopted improved test methods as documented in Section 5.1 below.
1 30 4.6.2 Evaluatinn of Change in Risk 1 4.6.2.1 Licennan's Prnnnead Annroach As stated in Attachment 2 to TXX-97189:
Assuming full credit for the compensatory measures for the LSSC components with significant RAW results in an increase in the CDF to about 1.5% and the same increase in LERF, namely about 1.5%. The change in CDF and LERF is then these percentage values times the base CDF and LERF respectively. The change in CDF is 1.3E-6/yr.
The change in LERF is 1.4E-8/yr. l The above results apply to a proposed 6-year test interval for LSSCs and it assumes credit for compensatory measures where these are applicable. Sensitivity studies provided in Figures 4-4 i through 4-7 of Enclosure 4 to TXX-95260 established that without credit for compensatory measures, CDF increases by 15% and LERF increases by 13% over the base PRA values when test intervals for all LSSCs are extended to 6 years.
- The licensee states that the calculated risk increases as documented above included many l
conservatism, and furthermore, did not account for the safety benefits of the RI-IST program.
The conservatism include no credit for possible compensatory actions for LSSCs with low RAW values; conservatism in the constant failure rate assumptior ' earout due to testing, reductions in component unavailability due to testing); phased implerr ateo and staggered testing; and the increase of all component failure probabilities as if they 4 tith 3-month intervals when many began with 18-month intervals. With regard to credit for safety benefits, Attachment 2 to
.TXX-97189 states The bounding estimates do not consider any safety benefits from the proposed program.
WS assumption is significant, but was deemed necessary for the calculation because:
- some uncertainties exist in what impact the safety benefits would have on model parameters,
.- some of the benefits are very difficult to quantify, or qualitative in nature, and a' some aspects of program implementation that affect the safety benefits have not j yet been finalized. j TU Electric identified the following safety benefits for the proposed Rl-IST program:
. - added testing for HSSC components not in the IST p'ogram r l l
. reduction in system re-alignment errors j
- improved performance resulting from improving the quantity and quality of plant i personnel time devoted to HSSCs j
- component performance improvements due to testing enhancements to be ;
proposed by ASME
- . reduction in human errors due to a reduction in operator burden j i
L--_-_-__.-__.-__-_-_-_._.-.__.._ ---L_.- _ . - . _ - . __ :
i l
31
. Improved system failure probabilities upon demand due to fewer off-normal operationalline-ups
.- other safety impacts related to improvement in safety culture:
improved understanding of component levelimportance monitoring of CCF components I operator awareness of important " passive" failure modes in IST components The licensee estimated the potential risk impact of the safety benefits by identifying and l summing the FV contributions from different groups of components that could be affected by the quantified safety benefits. The conclusions of the evaluation (from Attachment 2 to TXX-97189) {
are as fo!!ows:
Combining the bounding astimate of risk increases with the limited quantification of safety benefits indicates hat CDF and LERF will both probably go down as a result of the proposed program changes. For CDF, we expect at least a 5% reduction. For LERF, we also expect at least a 5% reduction.
Consequently, we conclude that the CPSES RI-IST program is risk neutral and the [RG 1.174] acceptance guidelines are therefore satisfied.
The licensee's conclusions on meeting the acceptance guidelines for risk impacts are as follows (from Attachment 2 of TXX-97189):
The effect of the proposed change on plant risk has been estimated using a bounding calculation and the IPE model. The calculation has been extended to include external j events and all plant operational modes. The bases for the assumptions in the calculation l have been justified. The calculated change from the bounding estimate easily meets the numerical acceptance criteria for LERF. The CDF increase barely eWeeds the limit requiring detailed technical and management review by NRC staff.-
The effect of the proposed change on improving safety has also been estimated using insights from the IPE model. The improvements to safety outweigh the effects of increase in risk. Therefore, CPSES RI-IST program meets the acceptance criteria as a risk neutral application. ;
I The program also should meet the acceptance criteria as a risk increase, if only the bounding estimate is considered in the risk quantification. Those criteria apply to ;
CPSES since its total CDF (8.5E-5/yr) and total LERF (9.3E-7/yr) are below the limits for which only safety neutral changes can be considered. Also, the technical and management factors requiring management review are favorable.
.Regarding the approach for calculating the above estimates, the PRA has been subjected to quality control (e.g., via a technical peer review); compliance is discussed in Section 4.2.1 of this document [TXX-97189]. Uncertainties have been considered (compliance is discussed in Section 4.2.4.3 of this document [TXX-97189]). The calculation of change considers the necessary variety of issues (compliance is discussed in Section 4.2.2 of this document [TXX-97189]).
4
l 32 Therefore, the program is acceptable and methods used to show it is acceptable comport with the guidance in the Draft Guides and Standard Review Plan Chapters.
4.6.2.2 Staff Evaluation
.The staff review of the evaluation of the change in risk was performed using guidance provided in Section lll.2.2 and Appendix A of SRP Chapter 19. Review focus was placed in the areas of component failure rates, initiating event analysis, modeling of common cause failures, human reliability analysis, and the quantificat. ion of risk impact. Section A.3 of the Appendix to this SER contains evaluation findings on the effects of the RI-IST program on the PRA model elements, and Section A.4 of the Appendix to this SER contains the discussion of the staff evaluation of the licensee's calculation of the risk impact.
- 4.6.2.3 conclusion l
l On the basis of bounding calculations, the impact on plant risk from the proposed RI-IST program was estimated to be an increase in CDF of 1.3E-6/yr and an increase in LERF was estimated to be 1.4E-8/yr. This calculated increase can be argued to be smaller (o cerhaps negated) on the basis of qualitative risk arguments regardig the safety benefits of us.ng l improved test methods and in light of the added testing for high safety significant non-IST !
components. Therefore, it can be concluded that this application will, at worst, result in risk j increases that are small, and thus this submittal meets the guidelines provided in RG 1.174 in terms of risk considerations.
4.7 Integrated Decisionmaking l
4.7.1 Integrated Decisionmaking Process 4.7.1.1 t_icensee's Prooosed Anoroach As stated in TU Electric's proposed RI-IST Program Description (Enclosure 1 to TXX-98134):
The PRA techniques are used in conjunction with the Integrated Decision Process (IDP) to ensure that all of the available information is accounted for in developing the importance measures.
The purpose of utilizing the Integrated Decision Process (IDP) is to confirm or adjust the initial risk ranking developed from the PRA results, and to provide qualitative assessment i based on engineering judgement and experience. This qualitative assessment I
compensates for limitations of the PRA, including cases where adequate quantitative data is not available.
l The licensee's approach to using the IDP in component categorization is discussed in Section 4.5.1. In this process, the lDP utilizes deterministic insights, engineering judgement, experience and regulatory requirements as a supplement to PRA risk ranking to determine the final safety significance categories. In addition, the IDP will determine appropriate changes to testing strategies and will identify compensatory measures for potentially high safety significant components. The IDP will also concur on the test interval for components categorized as low.
l
l l
! 33 l In making the final decisions on the acceptability of the RI-IST program, Enclosure 1 to TXX-l 98134 states that "the IDP will ensure that key safety principles, namely defense-in-depth and l safety margins, are maintained and that the changes in risk for both CDF and LERF are
! acceptable."
As part of the integrated decision process and in terms of factors related to RG 1.174 that may be important for NRC technical and management consideration, Attachment 2 to TXX-97189 l includes the following notes:
1 The scope, quality and robustness of the analysis, including consideration of uncertainties have been documented in Sections 4.2.1,4.3 and 4.2.4.3 [of Attachment 2 to TXX-97189].
The base CDF (8.5E-5/yr)is less than 1E-4/yr and includes all initiator types and modes of operation. The base LERF (9.3E-7/yr) is well below the limit of 1E-5.
The cumulative impact of prior changes does not apply and the NRC staff's safety goal screening criteria are well above even the bounding estimate of the risk increase.
The proposed change is a particularly beneficial change for operational complexity, burden on the operating staff and overall safety practices.
Both TU Electric's and CPSES's performance and other factors are positive. The site is in a remote location. Inspection findings relative to the plant's current IST program are good. CPSES plant performance has been steadily increasing as measured by the
! aggregate of INPO performance indicators and NRC SALP ratings. In the past year, the I
site was rated SALP 1 in all categories. The plant has not experienced any significant precursor events or other indications of operational problems.
4.7.1.2 Staff Evaluation l
The licensee utilized an expert panel to ensure integrated decisionmaking. As described above, TU Electric's expert panel used the PRA, deterministic insights, engineering judgement, and regulatory requirements to categorize components as HSSC or LSSC.
The staff reviewed tne records of TU Electric's integrated decisionmaking process (IDP) including the following documents:
l . Expert Panel Methodology (Attachment 4 to TXX-96371)
. Flow Diagram of Expert Panel Deliberations (Attachment 1 to TXX-97189) l
. Expert Panel Guidance Document (Attachment 6 to TXX-96371) l
. Risk-Based Inservice Test;ng Program Risk Ranking Determination Study, ER-EA-009 (Enclosure 4 to TXX-95260)
Expert Panet Meeting Minutes (Tab!es 4.4-1 and 4.4-2)
- Results of Expert Panet Evaluation of IPE/IST Components and Final Ranking l
of All IST Components (Table 4.4-3)
.~ Responses to staff Requests for Additional Information (Attachment 1 to TXX-96371 and Attachments 1 and 2 to TXX-97189
. RI-IST Program Description (Attachment 1 to Enclosure 1 to TXX-98134) l l
34 These records identify the factors considered by the expert panel at Comanche Peak and provide the basis for the expert panel's conclusions. They include the reasons why certain components with poor performance histories were categorized as LSSC (with compensatory actions identified) as opposed to being categorized as HSSC. The staff's review of l compensatory actions for individual components is addressed in Sections 4.5 and 4.6 above.
Based on the staff's review of TU Electric's expert panel guidance documents (e.g., Attachment 6 to TXX-96371) and TU Electric's commitment provided in TXX-98134, the staff understands that a summary of the IDP "for each individual component [will be prepared) to allow for future repeatability and scrutiny of the categorization process." The factors considered by the i
licensee's IDP, as well as the basis for the licensee's IDP conclusion, should be clearly documented in these summaries. These component-specific summaries will be utilized by subsequent expert panels when assessing that component's categorization. The documentation
( of the licensee's IDP is consistent with the guidance provided in Section 6 of RG 1.175 and is l
therefore acceptable. In Enclosure 1 to TXX-98134, TU Electric indicated that " Documentation of the IDP will be available for review at the plant site." Review of the IDP records, including the component-specific summaries, and their consistency with the RI-IST Program Description will be subject to NRC inspection.
As discussed in Sections 4.5 and 4.6, the staff finds the role of the IDP in the component categorization process and in the assessment of the risk impact of the proposed Rl IST program to be acceptable. In addition, the IDP's consideration of the defense in depth philosophy and
- the maintenance of sufficient safety margins was also found to be adequate (see Sections 4.7.2
! and 4.7.3 below).
i l In Attachment 1 to TXX-97189 (response to RAI 7), TU Electric indicated that "For past performance history and service condition, the information available was the individual expertise of the panel members, including representatives of operations and maintenance as well as the IST Engineer." As indicated in RG 1.175, the staff expects licensees to conduct a systematic search to evaluate the performance history of each LSSC and the results of this search should be presented to the expert panel. It is generally not acceptable to merely rely on the collective memories of the expert panel members to assess component performance histories. In general, decision criteria for use in evaluating component performance should be developed by the
- licensee and considered in categorizing components. However, as discussed in.Section 4.0 of l this SER, the staff and its contractor (ORNL) conducted a systematic assessment of plant-
! specific component performance data at CPSES. As a result of this assessment, the staff issued RAls 7 through 11 in a letter dated June 9,1998, conceming the use of plant-specific operating data. In Attachment i to TXX-97189, the licensee responded to the staff's RAls 7 through 11 concerning the use of plant-specific operating data. The staff found these responses to be consistent with the guidance provided in RG 1.175 and, thus, concludes that plant-specific performance information was appropriately reflected in the CPSES RI-IST program.
The staff evaluated the licensee's proposed implementation, monitoring and corrective action programs (see Section 5.2,5.3, and 5.4 below). These programs complement the risk analysis j
(by monitoring for unexpected failure mechanisms), the defense in depth analysis (by promptly identifying and correcting common cause failures), and the analysis of safety margins (by trending component performance relative to the margins to failure).
i
)
35 Finally, the staff finds that the licensee's IDP evaluated the safety impact of the proposed RI-IST program as part of an overall risk management approach where risk analysis is used to improve
( operational and engineering decisions broadly and not just to eliminate requirements that were considered to be undesirable. Specifically, the lDP identified areas where inservice testing requirements should be added or improved, as well as areas where they could be reduced.
4.7.1.3 Condmainn The staff conducted an assessment of TU Electric's integrated decisionmaking process (lDP) l_ and found it to be acceptable. The IDP is well defined, systematic, and scrutable. The l licensee's IDP is technicd!y defensible and sufficiently detailed to allow an independent party to reproduce the major results. The licensee's IDP (i.e., expert panet) was effective in identifying components whose testing strategy could be reduced as well as components whose testing l strategy should be improved. The staff finds that the licensee's RI-IST program conforms with l
the principles of risk-informed regulation as specified in RG 1.174 and RG 1.175, and thus concludes that the program provides an acceptable level of quality and safety. The staff's conclusion is based on the following:
. The proposed change is consistent with the defense-in-depth philosophy (see Section 4.7.2 below).
. The proposed change maintains sufficient safety margins. Proposed test intervals will be significantly less than the expected time to failure of the component and the licensee will ensure that adequate component capability (i.e., margin) exists, above that required during plant design-basis conditions, such that component operating characteristics over time will not result in reaching a point of insufficient margin before the next scheduled test activity (see Section 4.7.3 for more discussion).
. The overall process used by TU Electric to categorize components is acceptable ,
l (see Section 4.5 above). Specifically, the information provided to the integrated l decisionmaking process with regard to determining the risk importance of contributors for inservice testing is robust in terms of model inputs and assumptions including issues like the use of both CDF and LERF, completeness of the risk model, and sensitivity of the results to common cause failure modeling, modeling of human reliability, and truncation limits used. The categorization addressed the effects of the RI-IST program changes on groups of components in a way that is compatible with the risk acceptance guidelines.
. Potentialincreases in estimated CDF and LERF resulting from proposed RI-IST program changes are small and consistent with the intent of the Commissian's Safety Goal Policy Statement.
l l . The scope and quality of the traditional and probabilistic analyses conducted to justify the proposed Rl-IST change are appropriate and are based on the as-built, as-operated and maintained plant, including plant operating experience. ;
- The plant-specific PRA used to support the application has been subjected to quality controls.
l l
36 While the licensee did not perform a comprehensive uncertainty analysis, the staff found that the results of the assessment are relatively robust. The licensee's program of mori*oring, feedback and corrective action is an important factor in addressing unc;.:rtainties related to the impact of degradation mechanisms and aging effects.
l .
Data, methods, and assessment criteria used to support regulatory decisionmaking l are clearly documented and available for review.
The impact of the proposed change will be monitored using performance measurement strategies.' The extension of test intervals will be implemented in a l step-wise manner; performance monitoring will be conducted to ensure that degradation is not significant for components that are placed on an extended test interval; and the licensee's corrective action procedures will ensure that test ,
strategies are adjusted when a component, or group of components, experi2nce !
repeated failures or nonconforming conditions (see Sections 5.1 through 5.5 below).
All safety impacts of the proposed change were evaluated in an integrated manner as part of an overall risk management approach where risk analysis was used to improve operational and engineering decisions broadly by identifying and taking advantage of opportunities for reducing risk, and not just to eliminate requirements that were considered undesirable.
4.7.2 Defense-in-Death Philoscohy 4.7.2.1 Licensee's Pronosed Acoroach As stated in TU Electric's RI-IST Program Description (Enclosure 1 to TXX-98134):
To ensure that defense-in-depth is maintained by the CPSES RI-IST program, adherence to four basic principles will be reviewed and documented as part of the IDP for any future changes to the program. The following describes these four basic principles:
- 1. No changes to the plant design or operation's procedures will be made as part of the RI-IST program, which either significantly reduce defense-in-depth or place strong reliance on any particular plant featura, human action, or programmatic activity.
- 2. The results and dominant contributors to core damage risk will be reviewed to ensure that the categorization of components using PRA is done on an evenhanded basis covering the full scope of safety functions. A review will be done to ensure that components which mitigate the spectrum of accidents are not ranked l
low solely because of initiating event frequency. Further, sensitivity studies will be performed for human actions to ensure that components which mitigate the spectrum of accidents are not ranked low solely because of the reliability of a human action.
l
I I
37
- 3. The methodology for component categorization, namely the selection of importance measures and how they are applied and understanding the basic reasons why components are categorized HSSC or LSSC, will be reviewed to ensure that redundancy and diversity are preserved as the more important principles. If a component is categorized as LSSC solely due to its high reliability, then it must be confirmed that: 1) plant performance has been good and 2) a compensatory measure or feedback mechanism is available to ensure adverse trends in i equipment performance can be detected in a timely manner. A review will be done to ensure that relaxation in the Rl-IST program occurs only when the level of
!. redundancy or diversity in the plant design or operation supports it. In this regard, f
all components that have significant contributions to common cause failure will be l reviewed to avoid relaxation of requirements on those components with the lowest l level of diversity within the system.
- 4. The use of multiple risk metrics, including core damage frequency (CDF) and large early release frequency (LERF), with additional checks for largs but late releases and consequence mitigation, will be done to ensure a reasonable balance between
- risk reduction methods.
L Other Considerations Related To Defense-in-Death, i
When the PRA does not explicitly model a component, function or mode of operation, a l qualitative method may be used to classify the component HSSC or LSSC and to i determine whether a compensatory measure is required. j 4.7.2.2 Staff Evaluation TU Electric constructed its proposed RI-IST program using four principles and committed to i
these principles for future changes to its RI-IST program.
l This commitment will ensure that there is not an over-reliance on any human action or ;
programmatic activity to compensate for relaxations in IST strategies.
l The component categorization process used for the RI-IST process will ensure that redundancy and diversity of plant functions are preserved. In Attachment 2 to TXX-97189, the licensee indicated that two rules are applicable in these areas. The first is that, it is the level of redundancy within each safety function which is the principal criterion upon which classification
- is based. The table below indicates how the level of redundancy influenced TU Electric's expert panel when categorizing components and how compensatory measures were assigned.
l
l 38 Degree of Redundancy Classification to Additional Restrictions Within Each Safety ensure defense in Function denth is main *=Med i less than average all components assigned N/A redundancy HSSC l
, average redundancy only reliable components poorly performing l
are assigned to LSSC; components classified as i these LSSC components HSSC, components i are assigned a important to CCF compensatory measure classified as HSSC l
greater than average typical treatment for poorly performing l redundancy LSSCs components classified as HSSC, components important to CCF l classified as HSSC The second rule indicated that a system which has less diversity is more vulnerable to common cause failure (CCF). As a result, TU Electric's expert panel concluded that all components that i had significant contributions to CCF should be ranked HSSC. This action had the effect of
! avoiding relaxation of requirements on those components with the lowest level of diversity within t
the system. In addition to ensuring that all components important to CCF are ranked HSSC, it is l- noted that the proposed implementation and monitoring strategies ensure that potential J l increases in CCF are detected in a timely manner. As part of the implementation program
! (Section 5.2 below), the step-wise implementation strategy and the staggering of testing by
. component groups provide assurance that potential CCF mechanisms are detected before multiple components are affected. The monitoring and corrective action programs (Section 5.4 l - below) will be used to determine if the potential exists for like-component failures.
l
. As part of this submittal, TU Electric performed a sensitivity study to determine the contributions to risk importance from failures of multiple components.' By calculating importance measures of i components taken two-at-a-time, the licensee identified several areas which were vulnerable to l failures of like components and therefore areas where diversity was most limited. Consistent l with the two rules specified above, for component combinations with high RAW values, the l licensee's expert panel identified compensatory measures to ensure that any adverse trend in
- equipment performance would be detected in a timely manner.
l The staff finds that the major components of the licensee's RI-IST program (compocent categorization, expert panel, implementation, monitoring and corrective action programs) are consistent with the guidance provided in Sections 4 and 5 of RG 1.175 and provide reasonable assurance that adequate redundancy and diversity are maintained.
By using multiple risk metrics, including CDF and LERF, with additional considerations for large
.but late releases and consequence mitigation, there should be a reasonable balance between risk reduction methods. As a general rule, components important (in terms of either .
containment integrity or release mitigation) to LERF were categorized as HSSC and components important to large late release were provided with a compensatory measure. For example, components which significantly contributed to main steam line isolation failure following a steam generator tube rupture had compensatory measures added to ensure that any
_ _ _ - _ - _ _ _ - - . . _ - _ _ _ _ - _ _ - _ _ - _ _ . _____ . _ _ _ _ _ - _ _ _ __ _ - _ =_____ - __- ___ _- -___-_-__
l l l 39 I l
adverse trend in equipment performance would be detected in a timely manner. Similarly, TU Electric's expert panel categorized containment spray pumps as HSSC to help ensure the mitigation of a release of fission products into containment and because of previous problems ;
- with spray pump performance. MOVs in the containment spray system that had to actuate were categorized LSSC, but compensatory measures were provided to ensure that any adverse trend in equipment performance would be detected in a timely manner.
l Finally, consistent with the principles of defense in depth, the licensee's process distinguishes l
between those components categorized as LSSC which have high relative redundancy and ,
those which have only high relative reliability. When the basis for the extension in a test interval !
was reliable equipment performance, compensatory measures were identified to ensure that the performance would be well known and that timely feedback of operational performance would occur.
4.7.2.3 Conclusion I
TU Electric's proposed RI-IST program is consistent with the defense-in-depth philosophy as discussed in RG 1.174 and RG 1.175. The staffs conclusions that the defense-in-depth philosophy is preserved are based on the following:
. The risk analysis shows that a reasonable balance is maintained between prevention of core damage, prevention of containment failure, and consequence mitigation.
l
. System redundancy, independence, and diversity are preserved commensurate l with the expected frequency and consequences of challenges to the system.
l . Potential common cause failures that could result from IST changes are addressed l
as part of the risk quantification and/or as part of the implementation and monitoring strategies associated with the IST change.
! . Defenses against human errors are preserved and no credit is taken for operator j actions to compensate for relaxations in IST strategies.
. Independence of barriers to the release of radioactivity is not degraded.
4.7.3 Safetv Margin Evaluation
, 4.7.3.1 l_icensee's Procosed Anoroach l
As stated in TU Electric's proposed RI-IST Program Description (Enclosure 1 to TXX-98134): (
l l The IDP will perform reviews to ensure that sufficient safety margin is maintair.ad when I compared to the existing IST program. In performing this review, the IDP will consider ,
such things as proposed changes to test intervals and, where appropriate, test methods. i The IDP will ensure that the proposed compensatory measures are effective fault finding l tasks, where this is required in the program, to assure safety margin is maintained. To I enhance the safety margin, the IDP will also review PRA-important components not in the current IST program for potential inclusion in the RI-IST program. ,
l i
I
40 4.7.2.2 Staff Evaluation An element of the integrated decisionmaking is the assurance that sufficient safety margins are maintained. Because TU Electric's proposed Rl-IST program relaxes certain ASME Code requirements for IST, safety margins could be decreased. The level of justification required for any changes in margin should depend on the uncertainty associated with the component failure rate as a function of time when test intervals are being extended, the availability of altematives to compensate for any adverse component performance, and the consequences of functional failure of the affected components.
j In Attachment 2 to TXX-97189, TU Electric stated that its RI-IST program ensures that sufficient j safety margins are maintained to those in its existing IST program. The basis for this statement l is that its RI-IST program does not remove any components from the current IST program (it i
only extends the test interval for certain components) and there are no changes to test methods.
Consequently, TU Electric contends that testing of design functions for the design-basis
( accidents and the associated margins in those functions are, therefore, unchanged. The staff notes that TU Electric has in fact proposed to test certain components using test methods that are more effective than current Code requirements at detecting important failure modes of
, - components (see Section 5.1 below). These improved test methods reduce the uncertainty l associated with the component failure rates as a function of time and will tend to improve safety margins.
i l TU Electric also indicated in Attachment 2 to TXX-97189 that " safety margin is in many ways i enhanced because the integrated decisionmaking process has identified additional program l changes which should improve the understanding of component performance." TU Electric -
- identified three reasons why component performance will be better understood and safety margins will be improved:
i For the LSSCs with a high RAW, the program includes compensatory measures (1) which are effective fault finding tasks. The observed performance during these fault finding tasks is now linked directly to the IST program performance, providing a more integrated view of safety margin and how different programs affect and monitor it.
(2) The program uses a phased implementation approach so that a change in performance of structures, systems and components (SSCs) resulting from extending the interval can be identified and fed back to the program via the plant wide corrective action program (see Section 5.4 below). This improved understanding of how component performance relates to test interval may provide insights which in tum could even improve the process for maintaining the design margin of HSSCs.
(3) There are several IPE-important components not in the current IST program (non-ASME Components) that are proposed to be added to the program. Not only will this reduce the overall CDF, but it again will provide insight into the value of IST programs in maintaining and improving component margin. That is, the change in performance and margin can be measured for the case when a component is brought into the IST program.
I j
41 ,
1 For the above-mentioned reasons the staff also believes that safety margins will improve. The proposed RI-IST program will not only improve HSSC availability, it also ensures that changes to the reliability of LSSCs will not be significant.
4.7.3.3 Conchminn i l
The staff concludes that TU Electric's proposed RI-IST program maintains safety margins on the !
l basis of the following: !
l ASME Code requirements or improved attematives authorized for use by the NRC will be used.
! =
Safety analysis acceptance criteria (e.g., USAR, supporting analyses) will continue
- to be met.
l i
i Component degradation is accounted for, either by quantitative methods (analysis l l and data) or by qualitative arguments which show that significant degradation will l not occur. Component degradation will be addressed by the use of enhanced l testing methods and by the trending of appropriate performance parameters to !
determine an acceptable test interval. !
.. The component categorization process is robust (see Section 4.5 above), and the components identified for relaxation in IST because of their low safety significance as determined by this categorization will only have a small effect on plant risk (see !
Section 4.6 above). In addition, test intervals will be derived on the basis of margin !
to failure (by trending of appropriate performance characteristics) commensurate I with the risk significance of the components.
5.0 REVIEW OF IMPLEMENTATION. PERFORMANCE MONITORING. AND CORRECTIVE ACTION i 5.1 Changes to Comoonent Test Requirements 5.1.1 Licensen's Pronosed Anornach As modified by the testing philosophy described below, components in the current IST program which are determined to be HSSCs will continue to be tested in accordance with the current IST program, which meets the requirements of the 1989 Edition of the ASME Boiler and Pressure Vessel Code,Section XI except where specific written relief has been gran,ted.
As stated in the " Relief Request A-1 for Inservice Testing" portion of Attachment 1 to TXX-98134, where the ASME Section XI testing is practical, HSSCs not in the current ASME Section XI IST Program Plan will be tested in accordance with OM-1 for safety relief valves, OM-10 for active valves and OM-6 for pumps. Where the ASME Section XI testing is not pracScal, attemative methods will be developed to ensure operational readiness. Initially, the licensee noted in Attachment 2 to TXX-97189 (page 26 of 34) that " Administrative requirements of ASME Section XI will not be invoked for these components (e.g., ANil involvement)." However, this limitation on the implementation of the administrative requirements of the Code (i.e., for i components outside the scope of the current ASME Code) was removed from later versions of i l the licensee's Rl-IST Program Description. As stated in Attachment 1 to reference 9 (page 27 of I
J
42 L 34),"For these and future components, when ASME Code requirements cannot be met, a Relief 3
l Request will be submitted to the NRC for approval."
As modified by the testing philosophy described below, components in the current IST program which are determined to be LSSC will also be tested in accordance with the ASME Code,Section XI requirements, except that the test frequency will initially be extended to a maximum i > of once every 6 years. The extended test frequency will be staggered over 6 years as described i
in Section 5.2 below. All other Code testing methods, corrective actions, documentation, and other requirements will remain in effect. No LSSCs will be deleted from the ASME Code,Section XI IST program.
< By using PRA methods, a maximum test interval was determined for LSSCs. This test l frequency was determined to be a maximum of 6 years (with 25% margin), This information was made available to the expert panel and was considered during its deliberations. During periodic reassessments, the maximum test interval will be verified or modified as dictated by the integrated decisionmaking process.
In response to question G-3 (NRC letter dated June 3,1996), TU Electric provided the following statement in Attachment 1 to TXX-96371:
We will continue to consider other test methods, such as non-intrusive testing and disassembly / inspection. We anticipate ASME will develop enhanced test methods in future code cases associated with Risk-Based IST. At such time TU Electric will evaluate these Code Cases and if they are not adopted, develop written technical justification.
As stated in the proposed Rl-IST Program Description (Enclosure 1 to TXX-98134), TU Electric's RI-IST testing philosophy for each component group is specified below. Additional monitoring proposed by TU Electric for components in each group is specified in Section 5.3.1 below. ,
! Motor-Ooerated Valves (MOVs)
(
i HSSC Tasting will be performed in accordance with Code Case OMN-1 (as ,
described in Relief Request V-8), and NRC Generic Letter 89-10 and I 96-05 commitments, i- LSSC Testing will be performed in accordance with Code Case OMN-1 (as i described in Relief Request V-8), and NRC Generic Letter 89-10 and i
96-05 commitments. j Relief Valves 1 HSSC & Testing will be performed in accordance with the Code LSSC of Record as defined in 10 CFR 50.55a.
l.
Check Valve Testing Strategy HSSC Testing will be performed in accordance with the ASME Code of Record as required by 10 CFR 50.55a(b).
- _ - _ _ - _ _ _ = _ - _ _ _ _ _ . _ _ _ _ _ . _ _ _ .
l' 43 LSSC Testing will be performed in accordance with the ASME Code of Record u as required by 10 CFR 50.55a(b) except at a test frequency not to j exceed 6 years (with 25% margin).
I Certain LSSC check valves will be tested in accordance with the check valve reliability program (CVRP) as necessary.
HSSC and LSSC check valves at CPSES are candidates for inclusion in the check valve reliability program (CVRP) which has been developed to provide confidence j that check valves will perform as designed. Station procedure (s) will establish 1 test / exam frequencies, methods, and acceptance criteria and provide performance j
monitoring requirements for check valves in the CVRP. HSSC and LSSC check j valves that are susceptible to unusually high wear, fatigue, or corrosion will be l included in the CVRP. The CVRP includes approaches for identification of existing and incipient check valve failures using non-intrudve (e.g., acoustic emission (AE) testing, magnetic flux (MF) testing) and disassembly examination. Test data will be j used (e.g., trended) to provide confidence that check valves in the CVRP will be capable of performing their intended function until the next scheduled test activity.
Check valves may be added to or deleted from the CVRP based on non-intrusive - l testing, disassembly examination results, or site maintenance history, i l
l Air-Ocarated Valves (AOVs) l l 1 i
i HSSC Testing will be performed in accordance with the Code of Record as j required by 10 CFR 50.55a(b). l
)
LSSC Testing will be performed in accordance with the Code of Record as i required by.10 CFR 50.55a(b) except with a test frequency not to l exceed 6 years (with 25% margin). Additionally LSSC AOVs will be stroked at least once during the operating cycle. j Note: TU Electric is participating in a tailored collaboration project with EPRI to -
develop an AOV program similar to the MOV Program mandated by GL 89-10 and 96-05. This program will evaluate the valve / operator characteristics I and capabilities and the design conditions under which the valve is ;
expected to operate. Once this information is developed the valves will be i tested and modified as necessary to meet their safety function. AOVs which are being evaluated by the EPRI Tailored Collaboration are:
- 2) an LSSC AOV from other groups not included from (1) above Pumps HSSC Testing will be performed in accordance with the Code of Record as required by 10 CFR 50.55a(b).
(
44
, LSSC Testing will be performed in accordance with the Code of Record as L
required by 10 CFR 50.55a(b) except with a test frequency not to exceed S years (with 25% margin).
l 5.1.2 Staff Evaluation l The specific testing to be done on each component or group of components is expected to be documented in the licensee's IST Program Plan and is subject 5 NRC inspection. The licensee's IST Program Plan is still required to be updated every 120 months and Code requirements determined to be impractical shall be submitted to the staff for review pursuant to 10 CFR 50.55a(f)(5). The updated IST Program Plan should provide the specific test frequencies and test methods for each pump and valve (or group) authorized by the NRC staff as par 1 of the RI-IST program.
TU Electric's proposed RI-IST program identified components that are candidates for an improved test strategy (i.e., frequency, methods, or both) as well as LSSC components for which the test strategy may be relaxed. The proposed RI-IST program also identified components categorized HSSC that are not included in the current IST program. The information contained in, and derived from, the licensee's PRA was used to help construct the testing strategy for components. Given the testing philosophy described in the licensee's RI-IST Program Description, components with high safety significance will be tested in ways that are at least as effective as the current Code-required test at detecting their risk-important failure
- modes and causes (e.g., at least as effective at detecting failure, detecting conditions that are i precursors to failure, or predicting end of service life). Components categorized as LSSC will generally be tested less rigorously than components categorized as HSSC (e.g., less frequent tests).
TU Electric's integrated decisionmaking process identified (Enclosure 3 to TXX-96371) 34 valves that were categorized as HSSC that are not in the current CPSES Section XI IST l program. Table 3 of Enclosure 3 to TXX-96371 indicates that, to the extent practical, these valves will be tested in accordance with the applicable portion of the OM Code (OM-1 or OM-
- 10) including associated administrative requirements. Where ASME Section XI or OM Code testing is not practical,' attemative test methods were developed by the licensee. The staff l reviewed a summary of altemative test methods and compensatory measures for these l l components (see Table 4.4-2a in TXX-95260) and fe .ind the licensee's plans to be acceptable l because they provide reasonable assurance for ensaring ope uonal readiness of the l component and detecting degradation of the component's performance (i.e., degradation associated with failure modes identified as being important in the licensee's PRA). The l l adequacy of the compensatory measures associated with any particular component is subject to NRC inspection.
l The licensee considered component design, service condition, and performance, as well as risk insights, in establishing the technical basis for the test interval assigned to each component (or group of components) (see Attachment 1 to TXX-97189, response to RAI 7), as illustrated by the !
following examples:
. The safety significance of a component was considered "high"if the component had, in the opinion of the licensee's expert panel, a poor performance record. By
I b
L 45 categorizing the component as "HSSC," the test strategies were left as-is, and the test intervals were not extended.
.- The licensee's expert panel also considered the impact of service condition on component performance. If the service condition had no impact on performance, the PRA results were unchanged. In a few cases (e.g., the accumulator discharge 1 l check valves), service condition was considered to be the likely cause of observed poor performance. Because no test was available as a means of compensatory measure, the expert panel evaluated the service condition of the components to determine whether or not degradation would be likely to be noticed before failure. !
For example, in the CCW retum from the RCP thermal barrier coolers, the ;
compensatory measure was to manually exercise these valves. !
l
. For design, test strategies were " essentially augmented" by leaving them as is for all HSSCs in the IST program. In a number of cases, only one IST function was risk significant, nevertheless, testing was conservatively maintained for all IST i functions even though the PRA would have indicated that some of the test intervals could have been extended.
The staffs review of the proposed testing philosophy described by the licensee for each ,
component group (see Section 5.1.1 above) finds it to be consistent with existing staff positions on component test strategies as well as with the general direction that the staff is encouraging the ASME Code groups to take in defining test strategies for components categorized as being either high or low safety significant. For example, the licensee's proposed test strategies for MOVs are consistent with NRC approval of ASME Code case OMN-1 in GL 96-05 for use in implementing that generic letter (see Appendix B of this SER).
The licensee used generic data from the database documented in NUREG/CR-2815 to consider the effect of aging. The licensee stated that the mean time between failures (MTBF) for components, with the exception of relief valves, was approximately 10 years. Therefore, the proposed test intervals (e.g., exercising MOVs and AOVs at least once each refueling cycle) are significantly less than the expected time to failure of the components in question and are, thus, acceptable _ to the staff.
The testing strategy, described by TU Electric for each component group in Section 5.1.1 above, will also ensure to the extent practicable that adequate component capability margin exists above that required during design-basis conditions. As such, component operating characteristics will not be allowed to degrade to a point of insufficient margin before the next scheduled test activity. On this basis, the testing strategy is acceptable to the staff.
The component test intervals proposed by TU Electric were not extended beyond once every 6 years or 3 refueling outages (whichever is longer), except for motor-operated valves which were allowed a maximum diagnostic test interval of 10 years as discussed in Appendix B to the SER.
l The licensee has provided sufficient information (i.e., in the Attachment to TXX-96458, and Attachment 1 to TXX-98134) to indicate that IST components, with the exception of relief valves and check valves, are exercised or operated at least once every refueling cycle, l
I
46 Because the licensee has not submitted any technical specification amendments in conjunction with its risk-informed IST program submittal, all surveillance testing required by the technical specifications will continue to be conducted. Technical specification surveillance testing is sometimes noted as compensatory actions for low safety significant components. An example is the diesel fuel oil transfer pumps which have been classified as low safety significant, but are tested monthly in accordance with technical specifications.
For components categorized as HSSC that were the subject of a previously NRC-approved relief request (or an NRC-authorized alternative test) the licensee has summarized the relief requests, identified the components involved and their categorization (i.e., as HSSC or LSSC),
and described any altemative testing to be conducted (see Section 4.3 above). As discussed in Section 4.3.2 above, in each instance, the NRC-authorized relief (or altemative) was found to be still appropriate because of the safety significance of the component (see Section 4.3.2 above).
j The testing strategy for each component (or group of components) in the licensee's RI-IST l
program was described in the licensee's RI-IST Program Description (TXX-98134). The proposed RI-IST Program Description for Comanche Peak summarizes all testing to be performed on each group of components, in evaluating the acceptability of the testing strategy l for each group of components, consideration was given to the implementation plans for that group of components (see Section 5.2 below) as well as the feedback and corrective action program proposed by the licensee (see Section 5.4 below).
The staff's evaluation of the testing philosophy for each group of components follows.
Motor-Onerated Valves (MOVs) ,
l TU Electric's RI-IST Program Description (TXX-98134) indicates C et MOV testing will be in accordance with ASME Code Case OMN-1," Alternate Rules for ereservice and Inservice Testing of Certain Electric Motor-Operated Valve Assemblies in Light-Water Reactor Power Plants, OM Code-1995 Edition, Subsection ISTC " (as described in Relief Request V-8) and its commitments to NRC Generic Letter (GL) 89-10, " Safety-Related Motor-Operated Valve Testing and Surveillance," and GL 96-05, " Periodic Verification of Design-Basis Capability of Safety-Related Motor-Operated Valves."
In Revision 2 to Relief Request V-8 (TXX-98153), TU Electric indicated that MOV performance will be verified in accordance with GL 96-05. The CPSES commitment for satisfying GL 96-05 is ;
described in TU Electric's response to GL 96-05 (TXX-98154). Furthermore, CPSES's MOV periodic verification testing will comply with the provisions of ASME Code Case OMN-1 with certain limitations and exceptions imposed by the staff. The staff's safety evaluation of TU i Electric's Relief Request V-8 is included as Appendix B to this SER.
As discussed in Appendix B, the NRC staff has determined that the licensee's proposed use of ASME Code Case OMN-1 described in Relief Request V-8 (Revision 2), together with the specified conditions, provides an acceptable level of quality and safety in assuring the operational readiness of MOVs. Therefore, the NRC staff concludes that the licensee's proposed attemative in Relief Request V-8 (Revision 2) to implement OMN-1 at Comanche Peak with the specified conditions is authorized pursuant to 10 CFR 50.55a(a)(3)(i). The licensee is being requested to notify the NRC when the procedures for implementing OMN-1 are available such that the NRC staff may review the procedures during an on-site inspection prior
____-_-_-_a_-_ _ _ _ _ _ _ - _ _ . _ _ _ _ _ _ _ _ - - - _ _ _ _ _________-_--_____--________________--___--___-_____-______-_L
l l
! j
!- 47 to implementation of the alternative MOV program at Comanche Peak. Relief Request V-8 )
(Revision 2)is being approved until such time as the NRC staff's generic position on OMN-1 is i.ssued through rulemaking or some other means. At that time, if the licensee intends to continue to implement this relief request, the licensee is to follow the provisions of OMN-1 with any limitations or conditions specified in the NRC staff endorsement. j
! Rehef Valves Testing of relief valves will continue to be conducted in accordance with the licensee's code of l record (OM-1) with no change of test interval for either HSSC or LSSC relief valves. This is l acceptable to the staff because TU Electric will continue to test all relief valves in accordance with !ts Code of record which is the ASME Code currently referenced in 10 CFR 50.55a.
Check Valves (CVs) l' TU Electric proposes to test check valves in accordance with the licensee's code of record (OM-
.10) with the exception that the test interval for CVs categorized as LSSC will be extended up to as much as once every 6 years (with 25% margin). TU Electric indicated that certain check valves (in both the HSSC and LSSC categories) will also be tested in accordance with the licensee's CVRP. The purpose of the licensee's CVRP is to provide confidence that selected
, check valves perform as designed. StEtion procedure (s) will establish test / exam frequencies, l methods, and acceptance criteria and provide performance monitoring requirements. Check valves included in the CVRP are those which have been evaluated as being susceptible to unusually high wear, fatigue, or corrosion. The CVRP includes approaches for identifying existing and incipient check valve failures using non-intrusive methods such as acoustic emission (AE) testing or magnetic flux (MF) testing, and disassembly examination. Test data will be trended to provide confidence that check valves in the CVRP will be capable of performing their intended function until the next scheduled test activity. The adequacy of the licensee's CVRP in support of proposed RI-IST program is subject to NRC inspection.
As discussed in Section 5.2 below, the licensee will group its check valves and then stagger the :
j testing of the check valves in the group over the extended (e.g.,6-year) test interval. Testing i
- will be scheduled on regular intervals over the 6-year period to ensure that all check valves in the group are tested at least once during the 6-year test interval and not all components are l tested at one time. Testing will be scheduled / planned such that there is no more than one cycle L between tests of components in a group.
The testing proposed by TU Electric for check valves (described above) is consistent with the guidance provided in Section 5.1 of RG 1.175 and is therefore acceptable.
Air-Onerated Valves (AOVs)
TU Electric proposes to test AOVs in accordance with the licensee's code of record (OM-10) with the exception that the test interval for AOVs categorized as LSSCs will be extended up to as much as once every 6 years (with 25% margin).' TU Electric indicated that all AOVs will be tested using diagnostic equipment, will be response-time tested, and will undergo periodic elastomer replacement. In addition, all AOVs will be exercised at least once during each operating cycle. The specific testing to be done on AOVs is subject to NRC inspection.
48 TU Electric committed to work with EPRI to develop an enhanced AOV testing program similar to the MOV test program established in response to GL 89-10 and GL 96-05 (described above).
, When design-basis test information is developed by EPRI, TU Electric will modify and test its l AOVs as necessary to ensure that they will perform their safety function. This will ensure that I adequate AOV capability margin exists, above that required during design-basis conditions, such that AOV operating characteristics over time do not result in reaching a point of insufficient l margin before the next scheduled test activity. TU Electric's calculations to ensure that I
adequate AOV capability exists should be retained by the licensee on site and available for inspection.
l The licensee's proposed testing program and planned test activities for AOVs (described above) l are consistent with the guidance provided in Sections 5.1 and 5.2 of RG 1.175 and are therefore j acceptable to the staff.
l Pumps TU Electric proposes to test HSSC and LSSC pumps in accordance with the licensee's code of record (i.e., OM-6) with the exception that the test interval for pumps categorized as LSSC will l
be extended up to as much as once every 6 years (with 25% margin), in addition, TU Electric indicated that all HSSC and LSSC pumps will get periodic thermography of their driver, lube oil analysis, alignment checks, motor current testing, vibration monitoring (required by the current code), and flange loading checks of connected piping. While the periodicity of this augmented i testing is not specified in TU Electric's proposed RI-IST Program Description, the staff notes that some of these additional tests (e.g., thermography of their driver, motor current testing) are
! predictive in natura and involve trending of parameters that need to be compared more frequently than once every six years in order to provide meaningful results. Thus, this augmented testing program for pumps is consistent with the guidance provided in RG 1.175, and provides reasonable assurance that adequate pump capability margin exists such that i pump operating characteristics over time do not degrade to a point of insufficient margin before I the next scheduled test activity. ,
l l i As indicated in Attachment 4 to TXX-97189, there are four groups of LSSC pumps at CPSES, i l that is, the reactor makeup pump group, the diesel fuel oil transfer pump group, the spent fuel pool cooling pump group, and the safeguards building floor drain sump pump group. As I described in Section 5.2 below, LSSC pumps will be grouped and their testing will be staggered l In regular intervals over the extended test interval. The staggering allows the trending of l components in the group to ensure the test frequency selected is appropriate. As stated in TU l Electric's RI-IST Program Description, "[t]esting will be scheduled such that there is no more l than one cycle between tests of components in a Group." For groups consisting of two or three l pumps, such as the reactor makeup pump group and spent fuel pool cooling pump group, the staff understands that this will require testing of each pump in that group more frequently than once every six years.
l The staff notes that all of the pumps in each group are periodically run during the course of normal plant operation (more frequently than once every refueling cycle). The staff also notes '
that Code-required testing performed on the LSSC pumps at CPSES is conducted at full-flow l
conditions.
1 w_-__-___________________
49 The licensee's proposed testing program for pumps (described above) is consistent with the guidance provided in Section 5.1 of RG 1.175 and is therefore acceptable to the staff.
5.1.3 Conclusion I
The licensee considered component design, service condition, and performance, as well as risk insights, in establishing the test strategy for components. The proposed test inten/als for components were less than the expected time to failure of the components. In addition, the l
licensee will ensure that adequate component capability exists such that component operating characteristics over time will not result in reaching a point of insufficient margin before the next scheduled test activity. The RI-IST intervals for components were not extended beyond once every 6 years or once every 3 refueling outages (whichever is longer), except for MOVs which l were allowed a maximum diagnostic test interval of 10 years as discussed in Appendix B to the SER. If the licensee intends to develop longer intervals, the licensee will be required to submit a
, request to the NRC staff for review.
The licensee provided the staff with the factors to be considered by the licensee's expert panel in determining the appropriate test strategy for components of high safety significance that were not in the licensee's current IST program (TXX-98134 pages 3 - 4 of 20: Enclosure 4 to i TXX-95260 Table 4.4-2a: and Expert Panel Guidance Document ER-EA-010, pages 9 - 10 l and 94 - 96). The staff reviewed these factors and found them to be acceptable because they produced results that were consistent with the guidance provided in RG 1.175. That is, these components were tested in accordance with the licensee's code of record (where practicable) or !
an acceptable attemative was proposed to the staff (as described above).
i The licensee has made a commitment to exercise MOVs and AOVs at least once every i refueling cycle, where practical.
t For the above reasons, which are consistent with the acceptance guidelines contained in Section 5.1 of RG 1.175 (as contained in SECY-98-067), the staff finds TU Electric's proposed changes to component test requirements to be acceptable.
l 5.2 Program implementation 5.2.1 Licensee's Procosed Anoroach i
As stated in TU Electric's RI-IST Program Description (Enclosure 1 to TXX-98134):
l Implementation of the RI-IST to LSSC will consist of grouping components and then staggering the testing of the group over the test frequency.
l Grouping:
i l Components will be grouped based on l
- manufacturer
- rnodel
- service condition
- size L__--____________-_______
t i l
50 l
The population of the group will be dependent on:
- total population available
- maintaining current testing schedule i
Grouping components in this manner and testing on a staggered basis over the test frequency will reduce the importance of common cause failure modes as components in the same staggered failure mode group are continually being tested. This ensures that the component capability will be maintained over the test interval (6 years).
Testing of components within the defined group will be staggered over the test interval, typically 6 years. Testing will be scheduled on regular intervals over the 6-year period to ensure that all components in the group are tested at least once during the 6-year test '
interval and not all components are tested at one time. The staggering allows the i trending of components in the group to ensure that the selected test frequency is l appropriate.
Testing will be scheduled / planned such that there is no more than one [ refuel) cycle between tests of components in a group.
TU Electric also stated (in part) in Attachment 1 to TXX-96371 (response to question E2-3):
Grouping will be based on NRC criteria provided in NUREG-1482. The required sampling techniques described in NUREG-1482/ Generic Letter 89-04, Position 2 are design, service condition, and valve orientation. Groups will be populated and tested such that the entire group will have been tested within 6 years. The sequence of testing will be repeated to ensure the maximum amount of time between testing of a component does not exceed the 6 year test interval (with 25 % margin). Expansion criteria will be as described in NUREG-1482 which states,"...[l]f a potentially generic problem is identified during [a test), all valves in the group in that unit must be inspected [ tested) during the i refueling outage." When these groups are identified, the documentation will be made available at the site for review.
TU Electric stated (in part)in Attachment 4 to TXX-97189 that the performance history of the spent fuel pool cooling pumps is such that it does not merit the 6-year staggered test interval; therefore, the surveillance interval will remain qucrterly (92 days). When the issue is resolved and proven to be corrected (approximately 1 year's worth of supporting data), then a longer test interval will be considered. Specifically, TU Electric stated that when A.2 status is achieved pursuant to the Maintenance Rule, these pumps will be evaluated for 6-year test intervals.
5.2.2 Staff Evaluation l
The staff reviewed the licensee's integrated decisionmaking process (see Section 4.7 above).
The process utilizes both probabilistic and deterministic information to determine an appropriate test interval for each component or group of components. TU Electric proposes to group similar components and stagger the testing of components in the group as equally as possible over the extended test interval. Testing will be scheduled / planned such that there is no more than one cycle between tests of components in a group. TU Electric's proposed implementation plans (discussed above) will reduce the potential risk associated with common cause failure of LSSC l
l _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ . _ _ _ _ . _ _ _ _ . _ . _ _ . _ _ _ _ _ _ _
l l
l 51 and are consistent with the guidance provided in RG 1.175. On this basis, the staff finds the licensee's process for determining LSSC test intervals to be acceptable (see Sections 4.6 and 4.7 above).
A general description of the testing planned for a particular component, or group of components, is described in TU Eectric's RI-IST Program Description (Enclosure to TXX-98134). General guidelines for grouping of components and tesiing on a staggered basis were also provided by the licensee in its RI-IST Program Description. The licensee's IST Program Plan will be revised (after the RI-IST Program Description is authorized by the NRC) to identify the specific type and frequency of testing to be conducted on each component. In addition, the revised IST Program Plan will specify each component's grouping. These details of the licensee's RI-IST program will be subject to NRC inspection.
As stated in the RI IST Program Description, the licensee plans to increase the test interval for low safety significant componer.ts in a step-wise manner. The licensee's corrective action and feedback plans, as described in the RI-IST Program Description, will ensure that testing failures are evaluated to determine whether adjustment to the component's grouping and test strategy are appropriate. For example, the corrective action section of the RI-IST Program Description indicates that component failures will be evaluated to determine if they are generic. If the failure is a generic failure whose implications affect a group of components, TU Electric wlIl initiate corrective action for all components in the affected group. Component corrective action procedures (see Section 5.4 below) need to be in place before any test intervals are extended on components categorized as LSSC.
High and low safety significant components that will continue to be testeo U Muency and method)in accordance with the licensee's ASME Code of record (or ASME Code Cases that have already been approved by the NRC) were not specifically reviewed as part of the RI-IST program review but are subject to site-specific inspections (e.g., relief valves at CPSES).
In Attachment 4 to TXX-97189, TU Electric stated that the performance history of the spent fuel pool cooling pumps does not merit the 6-year staggered test interval and that the test interval would, therefore, remain quarterly (92 days). TU Electric also indicated that "[w] hen A.2 status is achieved in Maintenance Rule, these pumps will be evaluated ... for six year test intervals."
The staff agrees with TU Electric that it is appropriate to wait until A.2 status under the Maintenance Rule is achieved before evaluating whether (and the extent to which) the spent fuel pool cooling pump test interval can be adjusted. In performing this evaluation, the staff expects that TU Electric will consider the guidance contained in Sections 5.1 and 5.2 of RG 1.175 (as contained in SECY-98-067)in addition to the Maintenance Rule monitoring and goals and will follow the process for changing component test intervals described in its RI-IST Program Description, 5.2.3 Conclusion l For components that the licensee's integrated decisionmaking process categorized as HSSC, j the licensee will either continue to test these components in accordance with the current ASME Code of record for the facility (i.e., test frequency and method requirements) or has proposed an alternative test strategy that is acceptable to the staff. Testing strategies are adequately described in the licensee's RI-IST Program Description and were found to be acceptable (see Section 5.1 above).
I l 52 For components that the licensee's integrated decisionmaking process categorized as LSSC, the licensee will either continue to test these components in accordance with the current ASME Code of record for the facility or has proposed an alternative test strategy that is acceptable to the staff. The test interval for components categorized as LSSC may be beyond that specified in the licensee's Code of record. Testing methods are adequately described in the licensee's RI-
, IST Program Description and were found to be acceptable (see Section 5.1 above).
LSSCs that will be tested less often than required by the current Code may be tested at an extended interval, in a step-wise manner, only if the interval can be justified on the basis of previous component performance. The licensee will group similar components and test them on a staggered basis Corrective action procedures will ensure that the licensee evaluates and i
corrects failures or nonconforming conditions that may apply to other components in the group.
The staff finds that component grouping is consistent with the guidance provided in NRC Generic Letter 89-04, Position 2, for check valves and Supplement 6 to NRC Generic Letter 89-10 for MOVs.
The licensee has identified plant corrective action and feedback plans to ensure that testing failures are evaluated for possible adjustment to the component's grouping and test strategy.
As described above, the program implementation aspects of TU Electric's proposed RI-IST program are consistent with the acceptance guidelines contained in Section 5.2 of RG 1.175 (as ,
contained in SECY-98-067) and are acceptable.
i 5.3 Perforrnance Monitorino of IST Comoonents 5.3.1 Licensee's Pronosed Anoroach As stated in the proposed RI-IST Program Description (Enclosure 1 to TXX-98134), in addition to the specific inservice testing proposed by the licensee for each component group (see Section 5.1.1 above), TU Electric proposed the following additional monitoring for each component group. This additional performance monitoring is applicable to both HSSCs and LSSCs in the component group.
Motor-Onerated Valves (MOVs)
= termination inspection
. stem threads re-lube e actuator gear box grease inspection
. T-drain inspection
. limit switch gear box grease inspection I . visualinspection of housings
. stem nut staked and secure Relief Valves t
. test results trended a new valves tested prior to installation
. valves set as close to nominal as practical
l' I'
53 Check Valvan
= acoustic monitoring data when taken is trended e
check valve disassembly inspections where necessary Air-Operated Valvan (AOVs) l
. diagnostic testing l = elastomer replacement
- response time testing
. Pumps j . thermography of the drivers l . lube oil analysis j . alignment checks l = motor current testing l . vibration monitoring L . flange loading checks of connected piping in Attachment 1 to TXX-97189 (page 21 of 34), TU Electric stated that "In general, meaningful failure data to validate the PRA inputs will be gained from the existing plant monitoring programs (e.g. Maintenance Rule) for these components. Any significant component failures will be investigated and a determination will be made as to whether these failures are consistent with assumptions of the RI-IST program. If not, adjustments will be made to the program. This
- investigation can include both quantitative and qualitative means." Attachment 2 to TXX-97189 l (page 12 of 148) defines significant as " component failures that affect the system / train level performance."
l l 5.3.2 Staff Evaluation TU Electric's performance monitoring plans for each group of components are adequately described in its RI-IST Program Description. The proposed performance monitoring, in l conjunction wi+.h the proposed inservice tests specified in the RI-IST Program Description, is sufficicMo detect component degradation in a timely manner. !
l l TU Electric's picpased perforrnance monitoring plan will ensure that the following criteria are i met:
. Sufficient tests are conducted to provide meaningful data.
- The inservice tests are conducted such that incipient degradation can reasonably be expected to be detected.
- The licensee will trend appropriate parameters to provide reasonable assurance j that the component will remain operable over the test interval.
The proposed performance monitoring plan is sufficient to ensure that degradation is not significant for components placed on an extended test interval, and that failure rates assumed for these components will not be significantly compromised. The proposed performance
i r ."t & ~
g monitoring when coupled with TU Electric's corrective action program (see Section 5.4.1 below) will ensure that corrective actions are taken and timely adjustments are made to individual component (or group of components) test strategies where appropriate. Specifically, the i corrective action section of TU Electric's RI-IST Program Description (TXX-98134) states that unsatisfactory conditions will be evaluated to " Evaluate the adequacy of the test strategy. If a l change is required, review the IST test schedule and change as appropriate."
l TU Electric stated in its RI-IST Program Description that components will be reassessed at a ;
frequency not to exceed once every other refueling outage to reflect changes in plant
! configuration, component performance test results, industry experience, and other inputs to the process. Therefore, the licensee's monitoring process for RI-IST is adequately coordinated with existing programs (e.g., corrective action program, operating experience program, Maintenance Rule monitoring) for monitoring components performance and other operating experience on its site and, where appropriate, throughout the industry. On this basis, the component-level monitoring described by TU Electric in its RI-IST Program Description (TXX-98134)is i acceptable to the staff. It should be noted that although the monitoring of reliability and !
unavailability goals for operating and standby systems / trains is required by the Maintenance Rule, it alone might not be sufficient to ensure operational readiness of enrnoonents in the RI-lST program. (Also see Section 5.4 below on the licensee's feedback and corrective action program.)
l 5.3.3 Conclusion !
TU Electric's proposed RI-IST program contains a performance monitoring plan that covers all
- components in the RI-IST program. The proposed monitoring plan is capable of adequately i tracking the performance of components which when degraded could alter the conclusions that ;
l were key to supporting the acceptance of the RI-IST program. TU Electric has committed to i maintain the performance monitoring program as part of its overall RI-IST program.
As described above, the performance monitoring aspects of TU Electric's proposed RI-IST program are consistent with the acceptance guidelines contained in Section 5.3 of RG 1.175 (as contained in SECY-98-067) and are acceptable.
l 5.4 Feedback and Corrective Action Prooram '
l 5.4.1 I leanmaa's Pronosed Anornach As stated in TU Electric's proposed RI-IST Program Description (Enclosure 1 to fXX-98134): ;
When a component on the extended test interval fails to meet established test criteria, corrective actions will be taken in accordance with the CPSES corrective action program as described below for the RI-IST.
For components not meeting the acceptance criteria, an Operation Notification and Evaluation (ONE) Form or equivalent will be generated. This document initiates the F corrective action process. Also, the initiating event for a ONE Form may be from causa other than an unacceptable IST test. Programs exist that provide timely information to the IST coordinator that the performance of a reliable component has degraded. For example, a common compensatory action for pump discharge check valves would be the
l.
55 )
IST pump test.' Since this test can not be considered satisfactory if the check valve fails to perform its risk significant function, a test failure would be recorded and a ONE Form !
initiated. The recorded information could then be used to assess whether a significant i change in component reliability has occurrod su+ that the component would merit a i l change in test interval. ;
l !
l The initiating event [for the preparation of a ONE Form) could be any other indication that l the component is in a non-conforming condition. The unsatisfactory condition will be j evaluated to achieve the following objectives:
(1) Determine the impact on system operability and take appropriate action.
p (2) Review the previous test data for the component and all components in the group.
(3) Perform a root cause analysis.
(4) Determine if this is a generic failure. If it is a generic failure whose implications j affect a group of components, initiate corrective action for all components in the affected group. l (5) Initiate corrective action for failed IST components.
- (6) Evaluate the adequacy of the test strategy, if a change is required, review the IST test schedule and change as appropriate.
l l The resuits of component testing will be provided to the PRA group for input to PRA j model evaluation. j l TU Electric also provided the following statement in Attachment 1 to TXX-96371 (response to
- question E1-5):
Performance history and data, including the adequacy of compensatory measures, will be fed back through the site processes to the IST coordinator and the expm panel, in this way, any unacceptable performance will be detected early and can be factored into l the program. If an ineffective test interval is detected, it will be evaluated through the l corrective action programs and resolved through appropriate changes to the IST
- program. :
l l i TU Electric also indicated that as part of the corrective action, the IST Coordinator would l evaluate the necessity of increasing the test frequency (i.e., decreasing the time between tests)
!. of a component (or group of components)if the cause of failure is determined to be age-related.
l In Attachment 1 to TXX-97189, TU Electric indicated that "the corrective action process will ;
provide for a method to reduce the LSSC test interval in the event that performance is shown to be degrading at an unanticipated rate."
56 5.4.2 Staff Evaluation The licensee's corrective action program is initiated by component failures that are detected by the IST program, as well as by other mechanisms, such as normal plant operation, or inspections.
The staff has determined that the licensee's corrective action procedures achieve the following objectives:
The procedures comply with Criterion XVI," Corrective Action." as specified by Appendix B to 10 CFR Part 50.
The procedures determine the impact of the failure or nonconforming condition on system / train operability. The licensee will follow the appropriate Technical Specification when component capability cannot be demonstrated, a The procedures determine and correct the apparent or root cause of the failure or nonconforming condition (e.g., improve testing practices, repair or replace the component).
The procedures assess the applicability of the failure or nonconforming condition to other components in the IST program (including any test sample expansion that may be required for grouped components such as relief valves).
The procedures correct other susceptible similar IST components as necessary.
. The procedures consider the effectiveness of the component's test strategy (i.e.,
frequency and methods)in detecting the failure or nonconforming condition. They adjust the test frequency or methods or both, as appropriate, where the component (or group of components) experiences repeated or age-related failures or nonconforming conditions.
The licensee's corrective action evaluations will periodically be given to the licensee's PRA group so that any necessary model changes and regrouping are done as might be appropriate.
As stated in Section 5.5 below, the licensee's RI-IST program documents will be periodically revised to record any RI-IST program changes resulting from corrective actions taken.
5.4.3 Conclusion The staff concludes that the licensee's corrective action program is acceptable for implementation with the RI-IST program because it contains a performance-based feedback mechanism to ensure that if a particular component's test strategy is adjusted in a way that is ineffective in detecting component degradation and failure, the IST program weakness will be promptly detected and corrected. That is, the f6edback and corrective action aspects of TU Electric's proposed RI-IST program are consistent with the acceptance guidelines contained in Section 5.4 of RG 1.175 (as contained in SECY-98-J67) and are acceptable.
1
t 57
)
5.5 Periodic Reassessment 5.5.1 ' I lennema's Pronomad Annmach
-l l, As stated in TU Electric's proposed Rl-IST Program Description (Enclosure 1 to TXX-98134):
L As a living process, components will be reassessed at a frequency not to exceed every
. other refueling outage (based on Unit i refueling outages) to reflect changes in plant
. configuration, component performance test results, industry experience, and other inputs to the process. The RI-IST reassessment will be completed within 9 months of l completion of the outage.
l Part of this periodic reassessment will be a feedback loop of information to the PRA.
This will include information such as components tested since last reassessment, number and type of tests, number of failures, corrective actions taken including generic implication and changed test frequencies. Once the PRA has been reassessed, the information will be brought back to the IDP for deliberation and confirmation of the .
existing lists of HSSCs and LSSCs or modification of these lists based on the new data.
As part of the IDP, confirmatory measures previously utilized to categorize components as LSSC will be validated. ' Additionally, the maximum test interval will be verified or modified as dictated by the IDP.
TU Electric also provided the following statement in Attachment 1 to TXX-96371 (response to '
l ' question E1-5):
The risk analysis performed for the initial Risk-Based IST Program will be updated every other refueling outage. As part of the update plant-specific performance histories will be
. analyzed by the PRA analysts and incorporated into the PRA models, then importances will be recalculated. .The expert panel will then review the performance histories and PRA inputs and determine if any LSSCs should be re-categorized as HSSCs because of plant-specific performance and vice versa.
In Attachment 1 to TXX-96371 (response to question E2-5) TU Electric elaborated on how plant-specific performance histories would be incorporated into the CPSES IPE. TU Electric stated that plant specific data will be incorporated into the generic data using appropriate updating techniques (e.g. Bayesian updating). The database will be updated on the same cycle as the ,
normal IPE updates as part of the living PRA process. When the list of components is affected, !
changes will be provided to the NRC in regular program updates. !
l TU Electric stated in Attachment 1 to TXX-97189 (page 3 of 34) that components with a significant RAW (e.g.', greater than 2) could be categorized as LSSC if a compensatory measure was selected that would ensure that degradations were promptly identified. Compensatory measures are tests and other rosasures that could be credited to reduce the increase in core damage frequency associated with test interval changes (e.g., pump operability tests or pump IST for pump discharge check valves, slave relay test for MOVs, normal instrumentation monitoring, locked valve program, position surveillance every 30 days per technical specifications). Thus for each LSSC that has a high RAW, the expert panel either selected a compensatory measure or provided justification, based on model considerations, wb" a compensatory measure was not required. As stated in TU Electric's RI-IST Program Description f
l
58 (TXX-98134)," Compensatory measures which are used as part of the IDP process to qualitatively justify the extension of test interval will be re-verified during the IDP process update."
5.5.2 Staff Evaluation As discussed in the licensee's RI-IST Program Description, the proposed program for periodic reassessment of the licensee's RI-IST program has the following objectives:
- It prompts M licensee to conduct overall program assessments periodically to reflect changes in plant configuration, component performance, test results, and industry experience.
. It prompts the licensee to review and revise as necessary the models and data used to categorize components to determine if component groupings have changed.
. It prompts the licensee to reevaluate equipment performance (based on both plant-specific and generic information) to determine if the IST program should be adjusted.
l The licensee's proposed program for periodic reassessment of the Rl-IST program will l
incorporate the results of its corrective action program. This is acceptable to the staff (see Section 5.4 above).
Rather than have procedures in place to ensure that the Rl-IST program is updated following a major plant modification, the licensee indicated in its RI-IST Program Description that, "For an emergent plant modification, any new IST component added will initially be included at the !
current Code of Record test frequency. Only after evaluation of the component through the RI-IST program (i.e., PRA model update if applicable and IDP review) will this be considered l LSSC." This alternative approach is acceptable to the staff because it will ensure that any new IST components will be evaluated by the licensee's RI-IST process before its ASME Code test ,
requirements are relaxed. '
In the RI-IST Program Description (TXX-98134), TU Electric indicated that, as part of the periodic reassessment, compensatory measures (i.e., associated with components that had a high RAW but were categorized as LSSC) which are used as part of the IDP process to justify the extension of test interval for specific components will be checked to ensure that they are still in effect. The staff agrees with TU Electric that it is appropriate to periodically verify that compensatory measures remain in effect since compensatory measures may include licensee activities and controls that would otherwise be completely outside purview of the RI-IST program (see Section 4.6.1 above).
As stated in TU Electric's RI-IST Program Description, as part of periodic reassessments,"the maximum test interval will be verified or modified as dictated by the IDP." The staff find this to be acceptable because the RI-IST Program Description also specifies a maximum test interval of 6 years for check valves, MOVs, and pumps as discussed in Section 5.1 above (or beyond any longer intervals specifically approved by the NRC staff, such as MOV testing conducted in
! 59 l
accordance with NRC endorsed Code Case OMN-1). This is consistent with Section 5.1 of RG 1.175 and is therefore acceptable to the staff.
5.5.3 Conclusion The staff concludes that the licensee's plans for periodic reassessment of its risk-informed IST program, as stated in its RI-IST Program Description, are acceptable because they ensure that the licensee's test strategies are periodically assessed to incorporate results of IST and new l industry findings.
This conclusion is consistent with the acceptance guidelines contained in Section 5.5 of RG 1.175 (as contained in SECY-98-067).
5.6 RI-IST Program Changes After Initial Acoroval 5.6.1 Licensee's Pronosed Anoroach As stated in TU Electric's proposed RI-IST Program Description (Enclosure 1 to TXX-98134):
Changes to the process [RI-IST program)...and to the evaluation of risk impact will require prior NRC approval. Changes to the categorization of components and associated testing strategies using the above process will not require prior NRC approval. As changes to component categorization are made, TU Electric will periodically submit them to the NRC for information.
1 5.6.2 Staff Evaluation i
The licensee requesteo permission to implement changes to its RI-IST program that are i consistent with the staff-approved RI-IST process and with its evaluation of risk without prior staff approval. The staff's guidance provided in RG 1.175 (as contained in SECY-98-067) states that licensees may change its RI-IST programs consistent with the process as defined in the RI-IST program description and results that were reviewed and approved by the NRC staff.
Therefore the licensee's proposalis acceptable to the staff.
As stated in RG 1.175, examples of changes to RI-IST programs which would not require prior NRC review snd approval include, but are not limited to, the following:
. changes to component groupings, test intervals, and test methods that do not i involve a change to the overall RI-IST process (as described in the RI-IST Program Description) which has been reviewed and approved by the NRC
. compcnent test method changes that involve the implementation of an NRC endorsed ASME Code or an NRC-endorsed Code Case
. re-categorization of components as a result of experience, PRA insights, or design changes where the process used to recategorize the components is consistent with the RI-IST Program Description and results that have been reviewed and approved by the NRC i
l
l l
- i 60 )
Changes to the CPSES RI-IST program which would require staff review and approval prior to implementation may include, but are not limited to, the following:
chan es to the approved RI-IST program that involve programmatic changes (e.g.,
chaws in the acceptance guidelines used for the licensee's integrated i decisionmaking process and specified in the RI-IST Program Description)
- test method changes that involve deviation from the NRC-endorsed Code requirements, NRC-endorsed Code Case, or published NRC guidance i
changes to the licensee's RI-IST Program Description (e.g., test philosophies, test
- methods, implementing strategies)
The cumulative impact of all RI-IST program changes (initial approval plus later changes) should j l be consistent with the results that were reviewed and approved by the NRC staff and should i continue to comply with the acceptance guidelines in Section 4.3.3 of RG 1.175 (i.e., as contained in SECY-98-067. This section of RG 1.175 refers to Section 2.4.2 of RG 1.174 which ,
is contained in SECY-98-015), or el.se prior staff approval of the change must be obtained.
Changa to a licensee's Rl-IST program should also be evaluated using change mechanisms described in the regulations (e.g.,10 CFR 50.55a,10 CFR 50.59), as appropriate, to determine 1 if prior NRC staff review and approvalis required before implementation.
TU Electric is not required to submit periodic RI-IST program updates [IST Program 120-month updates are still required by 10 CFR 50.55a(f)(4)(ii)]. TU Electric may elect to submit RI-IST i program updates to keep the staff apprised of significant program changes that do not require prior NRC review and approval.
5.6.3 Conclusion The staff concludes that the licensee has adequate processes or procedures in place to ensure that RI-IST program changes that could adversely affect the RI-IST program or results that were previously reviewed and approved by the NRC staff will be evaluated and approved by the NRC before implementation.
TU Electric's process for controlling changes to its RI-IST program after initial NRC approval is consistent veth the acceptance guidelines contained in Section 3.3 of RG 1.175 (as contained in SECY-98-067) and is therefore acceptable.
6.0 OVERALL CONCLUSIONS The licensee's RI-IST program meets the detailed acceptance guidelines specified in each section of RG 1.175 (as contained in SECY-98-067) and is therefore acceptable. The staff concludes that the licensee's proposed RI-IST program may be authorized as an alternative to the ASME Code IST requirements (i.e., test frequencies and test methods) pursuant to 10 CFR 50.55a(a)(3)(i), based on the alternative providing an acceptable level of quality and safety. The authorization of this alternative to the ASME Code IST requirements provides reasonable assurance of the operational readiness of pumps and valves and will not have an adverse 4
L--------__-._____
4 61
]
impact on safe operation of the Comanche Peak Steam Electric Station (CPSES), Unit 1 and j Unit 2.
The implementation of TU Electric's RI-IST Program Description is authorized for the remainder of each unit's plant life. TU Electric is not expected to resubmit its RI-IST Program Plan unless significant changes are made to the RI-IST Program Description that could potentially affect the staffs overall conclusions. TU Electric is still required to update its IST Program Plan for pumps I and valves every 120 months and submit requests for relief from impractical Code requirements pursuant to 10 CFR 50.55a(f)(4)(ii) and (f)(5). l
7.0 REFERENCES
, 1. TU Electric, Individual Plant Examination - Comanche Peak Steam Electric Station, Volume 1: Front End Analysis, RXE-92-01 A, August 1992; and Volume 2: Back End Analysis, RXE-92-01B, October 1992.
- 2. TU Electric, IPEEE for Severe Accident Vulnerabilities - Comanche Peak Steam Electric Station, ER-EA-008, (Tornado Risk Assessment, ER-EA-004; Extemal Flood, Transportation and Nearby Facility Accidents, ER-EA-005; Fire Evaluation, ER-EA-006).
- 3. USNRC, Standard Review Plan Chapter 19,"Use of Probabilistic Risk Assessment in Plant-Specific, Risk-informed Decisionmaking: General Guidance," draft, January 7,1998
[As contained in SECY-98-015 and approved by the Commission for publication in the FederalRegisteron May 20,1998).
- 4. USNRC, Standard Review Plan Chapter 3.9.7," Risk-Informed Inservice Testing," draft, March 27,1998 [As contained in SECY-98-067 and approved by the Commission for publication in the Federal Register on June 29,1998).
- 5. USNRC, Regulatory Guide 1.174,"An Approach for Using ProbabilisticRisk Assessment
- in Risk-informed Decisions in Plant-Specific Changes to the Current Licensing Basis,"
draft, January 7,1998 [As contained in SECY-98-015 and approved by the Commission !
for publication in the Federa/ Register on May 20,1998].
- 6. USNRC, Regulatory Guide 1.175, "An Approach for Using Plant-Specific, Risk-Informed 4 Decisionmaking: Inservice Testing," draft, March 27,1998 [As contained in SECY-98-067 ]
and approved by the Commission for publication in the Federal Register on June 29, 1998).
7, TU Electric letter logged TXX-95260, from C.L. Terry to the NRC, November 27,1995.
- 11. USNRC," Individual Plant Examination Program: Perspectives on Reactor Safety and Plant Performance," NUREG-1560, December 1997.
62
- 12. USNRC, " Individual Plant Examination Database," NUREG-1603, April 1997.
I
- 13. USNRC, " Analysis of Core Damage Frequency: Internal Events Methodology,"
NUREG/CR-4550, January 1990.
- 14. USNRC Information Notice 97-31: Failures of Reactor Coolant Pump Thermal Barriers and Check Valves in Foreign Plants, June 3,1997.
- 15. Brookhaven National Laboratories,"MAAP 3.0B Code Evaluation Final Report," BNL Report FIN L-1499, October 1992.
- 16. TU Electric, Section FR-H.1, " Response to Loss of Secondary Heat Sink,"in "
Westinghouse Owners Group Emergency Response Guidelines FR-S/C/H High Pressure Version Background," HP-Rev.1, September 1,1983.
- 17. TU Electric, " Success Criteria Calculations and Inferences" Calculation File RXE-SY-CP1/1-033, Rev. O.
. 18. TU Electric,"MAAP Calculations of Accident Baselines Representing the CPSES IPE Plant l
. Damage States," Calculation File RXE-LA-CP1/0-003,1991.
- 19. TU Electric," Comanche Peak Steam Electric Station: Risk-Based in-Service Testing Program Expert Panel Guidance Document," Rev.1, November 22,1995.
l 21. Brookhaven National Laboratories, Technical Evaluation Report of the IPE Submittal and RAI Responses for the Comanche Peak Steam Electric Station Unit 1, BNL Report FIN W-6449, January 3,1997.
l
- 22. USNRC," Evaluation of Potential Severe Accidents During Low Power and Shutdown Operations at Surry, Unit 1," NUREG/CR-6144, October 1995.
- 23. USNRC, Draft Regulatory Guides, Standard Review Plans and NUREG Document in Support of Risk Informed Regulation for Power Reactors, SECY-97-077, April 8,1997.
l
- 24. USNRC,"An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events," Draft NUREG/CR-6595, November 1997.
L i
- 25. USNRC," Risk Assessment of Severe Accident-Induced Steam Generator Tube Rupture,"
NUREG-1570, Draft Report for Comment, May 1997,
L i
63
- 32. USNRC, " Guidelines for Testing at Nuclear Power Plants," NUREG-1482, April 1995.
- 33. USNRC,"Probabilistic Safety Analysis Procedures Guide," NUREG/CR-2815, August 31, 1995.
- 35. TU Electric letter from H. G. Hamzehee to M. Cheok (NRC), July 2,1996.
- 36. USNRC letter from T. J. Polich to C. L. Terry (TU Electric), Docket Nos. 50-45/446, March 12,1997.
- 37. USNRC letter from T. J. Polich to C. L. Terry (TU Electric), Docket Nos. 50-445/446, April 25,1997.
Attachments: 1. Appendix A
- 2. Appendix B Principal Contributors: D. Fischer M. Check i W. Hardin J. Colaccino G. Parry T. Scarbrough Date: August 14, 1998 l
l l
l APPENDlX A: REVIEW OF THE COMANCHE PEAK PRA USED IN I
( SUPPORT OF THE RISK-INFORMED INSERVICE TESTING SUBMITTAL l A.1 INTRODUCTION 4
! This appendix documents the results of review activities carried out to determine if the risk analysis used to support the Comanche Peak Steam Electric Station (CPSES) pilot risk-informed inservice testing (RI-IST) submittal is of sufficient quality to support the conclusions of l that submittal. The supporting risk model comprised the PRAs performed as part of CPSES l
Individual Plant Examina' ion (IPE) [1] and Individual Plant Examination for Extemal Events (IPEEE) [2]. The staffs review is consistent with guidance contained in NRC Standard Review Plan Chapter 19 [3] and Section 3.S.7 [4].
l The original RI-IST submittal [7,8,9,10) was based on the concept that for non-risk significant pumps and valves, an increase in test interval could be tolerated because the increase in failure ,
probability predicted for those components as a result of the change would translate into a negligible impact on risk. The change in jailure probability was calculated using a model where failure probability was proportional to test interval. In the original submittal, no credit was taken '
for the ber .1 fits of enhanced testing strategies.
Reviewing the licensee's analysis of the magnitude of the change in risk was one area of review.
Another review area was the baseline analysis of risk itself since guidance provided in RG 1.174
[5] specifies that plants would need to have some margin with respect to safety objectives (CDF and LERF) before increases in risk would be acceptable. These two areas - baseline risk and change in risk attributable to the proposed change - are treated separately in this appendix.
Because this RI-IST submittal was part of a pilot project, significant evolution took place in the staffs review approach and in the licensee-proposed RI-IST process between the time of the original licensee submittal and the writing of this SER. For example, guidance on the magnitude of acceptable changes underwent evaluation and changes. In addition, with the licensee's
- adoption of enhanced testing methods as part of the RI-IST program, and as staff evaluation on i the benefits of enhanced testing strategies continued to progress, a staff position emerged that l the benefits of enhanced valve testing may be such that valve availability is improved through l use of enhanced testing methods, even with test intervals extended to as long as 18 months, i When the change in risk is shown to be small, as in the case of this RI-IST application, guidance in RG 1.174 specifies that the emphasis on the plant's baseline risk can be reduced. As a result, some issues that were originally identified as potentially important in the evaluation of the
- baseline risk have become less significant. However, since this is a pilot application, such issues are identified and discussed in this appendix. These discussions, together with the other l review comments and findings will aid in future staff reviews of risk-informed submittalt from l Comanche Peak. Lessons-leamed from these reviews could also be applied to other RI-IST l submittals from other plants.
ATTACHMENT 1 A-1
l i
A.2 REVIEW PROCESS l
The focus of this review was to establish that the PRA appropriately reflects the plant's design ,
j and actual operating conditions and practices, and that there is a suitable technical basis to i support the PRA-related findings that have to be made in this SER.
l In assessing overall PRA quality, an evaluation was made of the licensee's process to ensure i quality (e.g., the licensee's intemal quality assurance (QA) process, and the process, findings, and conclusions of the independent peer review of the PRA). In addition, since the PRA is ,
. based on the IPE and the IPEEE models, reviewers took into consideration the requests for i
. additional information (RAls) issued by the staff in connection with those examinations, as well as the licensee's responses to those RAls, and the staff evaluation reports regarding the licensee's IPE and IPEEE submittals.
l
! ' To reach specific findings regarding the quality of the PRA for the RI-IST application, a focused-l scope evaluation was performed that concentrated on elements of the PRA affected by this l l application, and on the assumptions and elements of the PRA model that drive the results and l l conclusions. Sources of information used in the review, other than the PRA and the related j
- backup documentation to these PRAs, include the submittals related to the RI-IST pilot, licensee !
RAI responses, and information exchanged during licensee-staff meetings. As part of the PRA review process, reviewers visited the plant site (July 14-18,1997) where access to backup calculational files, analysis files, and reference documents (e.g., vendor calculations, plant procedures, plant drawings, etc.) was provided. The site visit also allowed reviewers an ;
- opportunity to visit selected portions of the plant in order to pursue specific questions. Licensee '
l staff was also available to answer technical questions. On this occasion, the reviewers had ;
essentially full access to all CPSES-specific information that bears on this submittal. During this visit, the reviewers disposed of some questions, reinforced or raised others, and spot-checked some of the backup informatir,n.
A.3 REVIEW OF THE BASELINE RISK EVALUATION in this section, the conclusions from the review of the CPSES baseline risk evaluations are presented. In addition, the effects of the licensee's proposed RI-IST program on the different i model elements will be discussed.
The CPSES IPE consisted of Level I and 11 PRAs, and included an evaluation of plant vulnerabilities from intemal event initiators at full-power operation. The total core damage frequency (CDF) calculated in the IPE was 5.7E-5 per reactor year (ry). This includes a '
contribution of 1.3E-5/ry from the internal flooding initiators. The IPEEE included evaluations of plant vulnerability from the extemal event initiators. All initiators were screened out as unimportant in terms of plant risk with the exception of events initiated by fires and tornadoes.
The PRAs performed for these initiators calculated CDFs of 2.1E-5 and 3.7E-6/ry for the fire and tomado initiating events respectively. Finally, using its outage planning software, the licensee estimated a low power and shutdown CDF of 3E-6/ry. These results are summarized in Table A.1.
A-2 L-_____________-_-_-_- _ _ - - - - _- __ -
l l
l 1 AtSLt: A.1 COMANCHE PEAK CDF vat 11ES Rick Contributor Cora Damana Franunne v (CDF) l Internal Events (IPE) 5.72 E-5/ year Fire, high wind, tornado 2.46 E-5/ year Seismic 5E-7/ year (estimate)
Low power & shutdown (LP&S) 3E-6/ year (estimate)
Tntal 8 5 F-5/vant A.3.1 Conclusions from the Review of the Leveli Risk Evaluation A.3.1.1 initiating Events Through comparison with other PRAs and data sources, the initiating events considered in the l CPSES PRA were found to represent a complete set. The grouping of the initiating events was found to be appropriate and event frequencies were consistent with other PRAs with the exception of the frequency of loss af offsite power (LOOP). l i
The frequency of a LOOP event was estimated to be .035/yr (one loss expected every 29 years) l for CPSES. The CPSES PRA indicates that this initiator is the dominant CDF contributor, contributing 27.9% to the CDF. However, the LOOP frequency was considered to be potentially too low for the following reasons:
l (1) it is the lowest (along with two other plants) of all frequencies estimated for other l
Westinghouse four-loop PRAs on the basis of NUREG-1560 and associated database l [11,12]. Ref.11 lists a range of LOOP frequency estimates from 28 4-loop Westinghouse plants from .035 to .132/yr., with an average of approximately .07/yr. It is recognized that LOOP frequencies are to a large degree plant specific, and the CPSES units appear to have reliable offsite power feeds. However, Ref.11 indicates that PRAs for the two South Texas plants, in the same general region as CPSES, estimate the highest LOOP frequency of all plants (.132/yr.)
(2) the high frequency of tornadoes (estimated at over 40 per year in the CPSES PRA)in the plant region suggests that electrical grid damage causing LOOP from tornado damage could be a significant plant-specific contributor.
During the site visit, it was learned that TU Electric has updated its estimated LOOP frequency
[ value to .058/yr (one event expected every 17 years) based on an update of the generic data i with site-specific information. This is more consistent with other IPE values, and is considered acceptable for this RI-IST application. This increase, if no other changes are considered, would increase the total calculated CDF by approximately 10%. However, the decrease in diesel generator and steam-driven auxiliary feedwater pump failure rates derived using plant-specific data will offset the increased LOOP estimate (see Section A.3.1.4).
A comparison was also made between the CPSES PRA initiating event frequencies and NUREG/CR-4550 values (13]. The results of the comparison are shown in Table A.2. In this table, only events with corresponding values from both sources are included. As seen in the last column in the table which provides a ratio of the NUREG/CR-4550 and CPSES values, the data j are consistent (within a factor of 3) for initiating events involving medium loss of coolant accident A-3 l
l
(LOCA), very small LOCA, and plant transients. In the cases of initiating events involving large l LOCA, small LOCA, loss of DC bus, and loss of non-vital AC bus, the CPSES values are all
! greater than the NUREG/CR-4550 frequencies. These differences are not considered important l since these initiating events were not found to be significant CDF contributors (all are less than l 10% contributors)in the CPSES PRA.
l l TABLE A.2 COMPARISON OF INITIATING EVENT FREQUENCIES l
Event NUREG/CR 4550 CPSES NUREGICR-4550
+ CPSES Large LOCA (>6") SE-4/yr 2E-3/yr 0.25 l -
Medium LOCA (4 to 6") 1E-3/yr 4.65E-4/yr 2.15 Small LOCA (2 to 4") 1E-3/yr 5.83E-3/yr 0.17 L
! Very Small LOCA (<2") 2E-2/yr 1.26E-2/yr 1.58 Transients 1.2/yr 2.9/yr 0.41 l
Loss of DC bus 6E-3/yr 3.35E-2/yr 0.18 Loss of non-vital AC bus SE-3/yr 8.23E-2/yr 0.06
!_ in terms of the effects of the proposed RI-IST program on the modeling of initiating events, the j staff reached the following findings: )
- The proposed changes do not affect the grouping of initiating events.
1
. The effects of proposed changes on the frequencies of modeled initiating events were l taken into account by the licensee by the re-quantification of those events caused by the i loss of support systems (i.e., loss of component cooling water system, service water ;
j system, and safety chilled water system) (response to RAI question PRA-16 in TXX-96371 '
l [8)).
l
. The effects of IST cnanges on initiating events screened out of the PRA (e.g., interfacing systems LOCAs) are taken into account by use of sensitivity studies and by the expert panel process (see responses to questions PRA-3 and PRA-12e of Ref. 8). Another initiator that could be affected by changes to the IST program is the RCP thermal barrier LOCA. Operational problems have been experienced with the CCW check valves upstream of the thermal barrier, not only at CPSES but also at other plants. These events L
are summarized in NRC Information Notice 97-31 [14). In response to question 9a in Ref.
9, the licensee has stated that previous problems with the CCW stop-check valves sticking open have been corrected, and that these valves are manually exercised every 3 months.
A.3.1.2 Event Trees and Sucemns criteria Findings from the review of the event trees and success criteria are documented separately below.
A-4
l 1
Event 't rees l
Since the event trees presented in the IPE do not include much detail (e.g., for a typical I transient, the IPE simply states that either secondary side cooling or bleed and feed cooling is required, but the required systems are not identified), backup analyses were used to support staff review. At the site visit, reviewers were given access to the Accident Sequence Fault Trees (ASFTs) which provide explicit, system-level accident sequences (accident sequences in terms of system-level failures, and linkages to the system-level fault trees). A review of the ASFTs did not identify any inadequacies within the scope of the development that was actually l carried out. I It should be noted that, in most cases, the modeling of accident sequences stopped when the I plant attains a hot standby mode, and modeling of equipment needed for the plant to attain cold shutdown was not included. Therefore, systems or components needed beyond this time frame (e.g., requirements for secondary cooling [ availability of condensate] when the plant stays in hot
- standby for an extended period of time; or requirements for pressurizer sprays or other means of pressure reduction for plant cooldown; or requirements for control of boric acid in the core in the latter stages of LOCA scenarios) may not be included in the PRA results. In risk-informed regulation, limitations such as these can be addressed through an integrated decisionmaking ,
process, including the use of an expert panel. A review of the results of the licensee's expert panel process shows that components needed to transition to cold shutdown are properly accounted for in the component categorization.
Success Criteria in the CPSES analysis, mission success criteria are reflected in the accident sequences both in the selection of system-level events to be linked in a givt sequence in the ASFT, and in the top logic within the system-level fault trees that are linked through the ASFT. Table 3.1.1-1 of the PRA presents system-level success criteria for the top events that appear in the ASFT and Section 3.1.1 of the PRA discusses the bases for these mission success criteria.
Reviewers have identified an issue with the CPSES success criteria in that some of the criteria lack a firm thermal-hydraulic technical basis. This potentially has an effect on baseline CDF.
However, a precise analysis of baseline risk is not necessary for this RI-IST submittal since the change in risk is small as discussed in Section A.4.2. However, the issue is described here because it is expected to have generic significance in addressing submittals that propose changes where risk increases are not smalt.
CPSES Treatment of Mission Success Criteria Similar to most pressurized water reactor (PWR) PRAs, the CPSES PRA takes credit for bleed and feed upon the loss of secondary cooling. The CPSES analysis indicates that success criterion for this function is the successful operation of one PORV and one centrifugal charging pump (CCP), or the successful operation of one PORV and one safety in.lection pump (SIP).
The basis for this success criterion is analysis using the MAAP computer code. Based on a Westinghouse analysis on the " bleed-and-feed" process [Ref.16], the staff was concemed as to whether the relief capacity that is modeled as successful is sufficient to relieve enough steam to keep system pressures low enough for the modeled systems to inject sufficient water. Timing of initiation is also an issue, as is the initial condition of the system when bleed and feed is initiated.
A-5 i
l
l The subsections below discuss the Westinghouse analysis, and then summarizes the CPSES l basis for a one-PORV criterion, and in particular how this basis is tied to MAAP resultc. Finally, l some limitations of the MAAP code are briefly described.
Westinghouse Analysis The following are excerpts from the Westinghouse Owners' Group emergency response guidelines [16):
"An appropriate method to categorize the relationship of pressurizer r ORV capacity to core power level is the rated pressurizer PORV flow to licensed core power ratio..
"These generic analyses were performed on a four-loop 3411-MWt plant assuming loss of offsite power,120% of the ANS 5.1 Standard decay heat, and minimum safeguards Si flow availability with no spilling lines and an Si temperature of 100*F...
.. cold SI water has available heat capacity to absorb some quantity of heat in reaching the existing average RCS temperature...
" Based on the analyses (Reference 3), these ("H.P."] plants can successfully initiate bleed and feed heat removal before or even shortly after the time of steam generator dryout if the PORV flow to power ratio is greater than 140 (Ibm /hr)/(MWt). This PORV capacity was determined from Fig. 5 which shows a bleed and feed success line derived from the i analysis. ..
"For plants with a PORV flow-ttrpower ratio of less than 140 (Ibm /hr)/(MWt), waiting for SG dryout for the initiation of bleed and feed is not adequate to prevent significant core uncovery based on the current analyses. The best indication still is wide range steam generator level. The condition necessary for successful initiation of bleed and feed is 5000 ,
Ibm of liquid mass in each of the steam generators." )
The " Fig 5" mentioned above is a plot whose axes are "PORV opening time" and the flow-to-power ratio defined above, with a series of code runs performed for different values of opening time and ratio. Some runs are shown as leading to " core remains covered" and some are shown as leading to " core exhibits sustained uncovery." The runs performed for values of the flow-to-power ratio > 140 were all in the category of " core remains covered," including one whose opening time was beyond dryout. Of those lesser values of the ratio that were analyzed, ,
two cases led to " sustained uncovery," including one slightly before and one slightly after "SG l liquid mass depleted," which occurred at 30 fr.inutes.
It appears that for CPSES, this analysis would not support a one-PORV success criterion, and would push the required timing of initiation to *before SG dryout," not "just after core uncovery."
However,it should be noted that this calculation made the conservative assumption of extra decay heat (120% of the ANSI 5.1 standard), as well as other licensing-basis assumptions. As a result, the Westinghouse analysis cannot be used to directly refute the CPSES analysis described below.
l A-6
CPSES Analysis Succortino the IPE Model During the site visit, reviewers were given access to documentation supporting the PRA analysis that is maintained at the site [17,18). Review of that material indicated that the one-PORV success criterion was based on particular MAAP runs, designated TRAN01 and TRAN03.
In TRAN01, the sequence of events is reactor trip, no MFW, no AFW, and then the following:
..15 minutes into the accident, all steam dump valves are opened for 5 minutes bringing the steam generator pressures down to 215 psia in a failed attempt to feed them via condensate pumps. The secondary depressurization brings the primary system down quickly so that at 985 seconds (approximately 1.5 minutes after the steam dump valves are opened) the 2 CCPs and 2 SIPS inject ... At 20 minutes, the operator successfully opens one PORV. This feed (2 CCP and 2 SIP) and bleed (1 PORV) continues...
TRAN03 obtained success with one PORV, but did so after substantial secondary deprescurization had occurred. Secondary depressurization reduces RCS pressure to a point where bleed and feed has an improved chance of succeeding; TRAN03 would therefore arguably not be a suitable basis for arguing the sufficiency of a single PORV, unless the need to depressurize the secondary was also assumed in the modeling of the event, which it is not (although plant procedures do in fact call for this course of action).
In the course of discussion of this point with plant staff, reviewer attention was directed to a different run, TRAN05, in which relatively little secondary depressurization occurred (a brief depressurization was put into the code run in order to force MAAP to actuate the SI pumps), one PORV was opened after the core began to uncover, and success was achieved. This run initially appears closest to being a basis for the one-PORV aspect of the success criterion, however, documentation related to TRAN05 also states the following:
"It is important to note that the present CCP alignment for safety injection would not have permitted these pumps to discharge as assumed here due to the shutoff limitation of CCP in Si alignment... Hence the actual flow in charging alignment would have been about half the value used here..." (i.e., in the run justifying one PORV).
Concerns With the Use of the MAAP Code in July 1992, Brookhaven National Laboratories (BNL) completed an evaluation of the MAAP 3.0B code for the NRC [Ref.15]. The purpose of the evaluation was to provide guidance and insight on the application of MAAP for the NRC IPE reviewers. In summary, the BNL report indicated that the MAAP code is adequate for most transient and accident conditions, provided that it is properly applied and that limitations are properly accounted for. Guidance provided as part of the BNL report states that MAAP should not be used for determining mission success criteria in events where clad damage has occurred (e.g., to determine whether or not a core can be successfully reflooded after fuel melting has occurred), in addition, the BNL report states that, although MAAP is adequate for predicting thermal-hydraulic behavior before clad damage, it should not be relied upon when the following thermal-hydraulic conditions are encountered.
. The break location gives rise to a quasi steady state two-phase flow condition I
A-7 l
The RPV water level and vessel flow conditions may expose the fuel to departure from nucleate boiling (DNB) conditions while MAAP continues to predict adequate core cooling Summarv in summary, the staff has concerns regarding the validity of MAAP results in certain scenarios (including scenarios like " feed-and-bleed' which exhibit periods of two-phase break flow).
Although thermal-hydraulic analysis has not been performed to establish that CPSES's success criteria for " feed-and-bleed" are invalid, questions have been raised regarding its validity. A modification to the success criteria has the potential to change CDF and to possibly change some of the component rankings. Resolving this issue will require plant-specific thermal- i hydraulic analysis, and quantifying the effect on risk from a change in the success criteria would require modification of the PRA model. These analyses have not been performed in the present review, because of the conclusion that the impact of the proposed change on risk is, at most, l very small (see Section A.4.2). For a change involving risk which may approach staff guidelines l as specified in RG 1.174, it is possible that the issue would need to be pursued to its resolution. I A.3.1.3 System Analysis Staff review of the system analysis task consisted of a review of the system notebooks, a spot I check of the system fault trees, and a spot check of the sequence cutsets. The primary focus of 1 this review was to gain confidence that (1) the models reflected the as-built and as-operated plant; (2) dependencies on support systems were properly included; and (3) interfaces with the event tree analysis and data analysis were correctly modeled.
This review did not reveal any inadequacies that would affect the conclusions of the PRA or the RI-IST application. In particular, reviewers concluded that the system models adequately reflect the plant hardware and procedures, including the system design and alignments, system performance characteristics, support system dependencies, and operational procedures and operational philosophies.
Changes proposed in the RI-lST program will not have a direct impact on the system models because these changes would not affect the equipment or the operator actions, needed for successful operation of the system. Changes in IST only impact the parameters that are used to quantify the event probabilities involved in the fault trees. This impact on event probabilities is modeled as part of the parameter estimation as discussed in Section A.4.2 A.3.1.4 Data Analysis The CPSES PRA utilized generic data from an industry data source and did not initially consider plant-specific data. The stated reason for the use of generic data was that insufficient plant-
- specific data existed from the Comanche Peak generating units as a result of its limited operating history when the PRA was prepared in 1992. (At the time of completion of the PRA, only two reactor years of operating data were available.) The concern here is whether plant-specific data is sufficiently different from the generic data used in the PRA to change the plant risk profile to such an extent that the RI-IST application implemented with the generic data PRA would be inappropriate. In response to this concem, TU Electric supplied data in which generic data and plant-specific data were combined to produce an updated database.
A-8 r
k
l l
l Table A.3 was compiled as part of the review to examine the differences in the data. As can be seen from this table, with one minor exception (electro-hydraulic pumps) the plant-specific data values are lower than those used in the PRA. Most of the values are similar (within a factor of 3), so th9t no significant change in overall results would be expected in several cases (chillers failure to start, ventilation fan failure to operate, motor-driven pumps failure to operate, and air cooler failure to start) the plant-specific data are more than a factor of 3 lower than the PRA
- values. However, random failures of chillers, ventilation fans, and air coolers have not been found to be important CDF contributors in PRAs (although dependent failures of these components can be significant). Motor-driven pumps can be important, but the failure to start ,
contribution, as can be seen from the tabulated data, is typically the dominant failure mode.
l l
To further evaluate the PRA data, a comparison was maoe with the data used in NUREG/CR-4550[13]. Table A.4 shows this comparison. As shown by the table, the data values are consistent (within a factor of 3) with the following exception of PORV reclosure, compressor failure to start, diesel generator failure to run for the first hour, ventilation fan failure to operate, turbine-driven pump failure to operate, and batteries failure to operate. The diesel generator run l failure rate is much higher for the CPSES PRA for the first hour than the NUREG/CR-4550 l
value. However, as seen from Table A.4, this is balanced by the failure to start probability, and the difference in the combined probabilities (failure to start and failure to run for the first hour) is small. The PORV reclosure difference is not considered significant because this failure event did not represent a significant contribution to CDF in the CPSES, even though the failure probability was much higher than the NUREG/CR-4550 value. The different rates for failure to operate for the ventilation fans and batteries are also not considered significant since the values are quite low, and failure of this equipment did not appear as significant contributors to tile CDF in the CPSES PRA. In the category of turbine-driven pumps, the only pump of significance is the auxiliary feedwatei i, team turbine-driven pump. This pump is in standby during plant operation and is required when the normal feedwater and the two motor-driven AFS trains fail.
The significant event in this case is loss of offsite power. For this scenario, the dominant failure l mode for the pump is failure to start, since this contribution is significantly greater than the l contribution due to failure to operate for the first few hours of operation, given a successful start.
l l
l l l A-9 l i
i I
4 E_ -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - . ----- - - - - - - - - - -o
l I AtSLt: A.;5 l
COMPARISON OF CPSES PRA GENERIC DATA AND CURRENT PLANT-SPECIFIC DATA l Component Failure Mode PRA Data Plant Specific Plant l Data Spec./PRA Check Valve Operate 2.69E-4/d 1.99E-4 .75 E-H Valves Operate 1.52E-3/d 2.28E-3 1.5 MO Valves Operate 4.3E-3/d 1.72E-3 0.4 PORV Reclose 2.5E-2/d 2.18E-2 0.88 PORV Open 4.27E-3/d 4.16E-3 0.97 Safety Valves Reclose 1.0E-2/d 2.87E-3 0.46 Chillers Operate 9.44E-5/hr 4.2E-5 0.45 Chillers Start 8.07E-3/d 1.69E-3 0.2 Compressors Operate 9.81 E-5/hr 8.22E-5 0.84 Compressors Start 3.29E-3/d 2.0E-3 0.6 Diesel Generators Start 2.14E-2/d 7.1 E-3 0,33 Diesel Generators Run (1hr) 1.7E-2/hr 8.99E-3 0.53 Diesel Generators Run (>1hr) 2.51 E-3/hr 1.16E-3 0.46 Ventilation Fan Operate 7.88E-5/hr 1.58E-6 0.2 Ventilation Fan Start 4.84E-4/d 4.49E-4 0.92 M.D. Pumps' Operate 3.36E-5/hr 7.15E-6 0.21 M.D. Pumps' Start 2.35E-3/d 8.39E-4 0.36 2
M.D. Pumps Operate 3.42E-5/hr 2.38E-5 0.7 M.D. Pumps 2 Start 3.2E-3/d 1.25E-3 0.39 Turbine Pumps Operate 1.03E-3/hr 9.75E-4 0.95 Turbine Pumps Start 3.31E-2/d 2.32E-2 0.7 Air Cooler Operate 1.0E-5/hr 9.84E-6 0.98 Air Cooler Start 2.93E-3/d 4.84E-4 0.165 Batteries Operate 7.53E-7/hr 6.65E-7 0.88 1- Normally operating motor-driven pumps 2- Motor-driven rumps in standby i
A-10 1
I AISLt A.4 COMPARISON OF CPSES PRA GENERIC DATA AND DATA USED IN NUREG/CR 4550 Component Failure Mode PRA NUREG/CR- PRAl4550 asso Check Valve Operate 2.69E-4/d 1E-4/d 2.69 E-H Valves Operate 1.52E-3/d 2.0E-3 0.76 MO Valves Operate 4.3E-3/d 3.0E-3 1.43 PORV Reciose 2.5E-2/d 2.0E-3 12.5 PORV Open 4.27E-3/d 2E-3 2.14 Safety Valves Reclose 1.0E-2/d 1.6E-2 0.63 Chil'9rs Operate 9.44E-5/hr (3) -
Chillers Start 8.07E-3/d (3) --
Compressors Operate 9.81 E-5/hr 2.0E-4 0.49 Compressors Start 3.29E-3/d 8.0E-2 0.04 Diesel Generators Start 2.14E-2/d 3.0E-2 0.71 Diesel Generators Run (1hr) 1.7E-2/hr 2.0E-3") 8.5 Diesel Generators Run (>1hr) 2.51 E-3/hr 2.0E-3") 1.255 Ventilation Fan Operate 7.88E-5/hr 1.0E-5 7.88 Ventilation Fan Start 4.84E-4/d 3.0E-4 1.61 M.D. Pumps' Operate 3.36E-5/hr 3.0E-5 1.12 M.D. Pumps' Start 2.35E-3/d 3.0E-3 0.78 i 2
M.D. Pumps Operate 3 42E-5/hr 3.0E-5 1.14 M.D. Pumps 2 Start 3.2E-3/d 3.0E-3 1.07 Turbine Pumps Operate 1.03E-3/hr SE-3 0.2 1 Turbine Pumps Start 3.31E-2/d 3E-2 1.1 l Air Cooler Operate 1.0E-5/hr (3) -
l Air Cooler Start 2.93E-3/d (3) -
l Batteries Operate 7.53E-7/hr 1.0E-7 7.53 i
1- Normally operating motor-dnven pumps ;
2- Motor-driven pumps in standby 3- Data not provided
- 4. Time interval not specified l
Concerning the use of the CPSES PRA data in support of the proposed RI-IST program, the findings are as follows:
A-11
. The failure rates and probabilities used, including those that are affected by the
- proposed RI-IST process are consistent with plant-specific experience and with values from PRAs of similar plants.
In the response to question NRC-RAl-7 of Ref. 9, the licensee stated that the expert panel process considered the possibility that individual components could be performing more poorly than the average associated with their class, and has avoided relaxation for those components to the point where the unavailability of the poor performers would be appreciably worse than that assumed in the risk analysis.
= In the response to question NRC-RAl-12 of Ref. 9, the licensee stated that data used to support changes to the IST program are supported by an appropriate performance monitoring program.
A.3.1.5 Modelina of Common-Cauca Failures The CPSES PRA used the Multiple Greek Letter (MGL) approach for quantifying common-cause failure probabilities. It appears that significant effort was spent to apply this model, reflecting plant-specific characteristics in development of model parameters where possible (i.e., common-cause fsilure potential was based on the vulnerability of the plant design to specific common-cause failures).
The CPSES analysis of CCF has the tendency to produce slightly optimistic values for the MGL L parameters since the screening of CCF events for applicability to the plant is not accompanied by a screening of the independent events. As a result, the MGL parameters that were used are relatively small when compared to those appearing in other PRAs. Use of small values in the MGL model means that the contribution of CCF is smaller and this could influence the baseline CDF as well as the classification of some components. An additional concern was in the cases of components for which CCF contributions are not included in the PRA models. In these cases, the concem stems from the cases where CCF contribution may become more significant under the proposed extended IST intervals (compared to the current PRA model where CCF screening 4 was determined on the basis of historical and engineering evidence driven by current IST requirements),
4 l An independent assessment of the above issues was not undertaken as part of this review, and it is not suggested that the CCF modeling used by the licensee is inappropriate. Rather, licensee actions to overcome these potential shortcomings are discussed below.
e in its response to question NRC-RAl-12 of Ref. 9, the licensee stated that a review of the CCF models was performed which confirmed that the exclusion of CCF contribution (for
!- pumps and valves where CCF was not modeled) is valid een for extended IST intervals l since it was determined that current IST activities have neghgible impact on CCF l - contribution.
- The licensee has proposed a phased implementation approach to the RI-IST process, together with a performance monitoring and corrective action program to reduce the potential for an increased incidace of CCFs attributable to extending test intervals.
Phased implementation and the staggering of testing by component groups will ensure that similar component types are tested often, even though individual ccmponents may A-12 l
not be. Performance monitoring and trending will be enhanced by the adoption of improved testing strategies which are designed to detect component degradation including those caused by potential CCF mechanisms (e.g., aging effects).
A.3.1.6 Human Relishilitv Analynia The review of the human reliability analysis (HRA) concentrated on the following topics:
e identification and definition of the human failure events (HFEs) e qualitative and quantitative screening incorporation of the HFEs in the logic model
. HRA models e evaluation of the human error probabilities (HEPs)
= event dependency.
This will be discussed separately for pre- and post-initiator HFEs.
Pre-Initiato- HFEs While a large number of pre-initiator HFEs was included in the model, the basis for their identification is not clear. In most cases, the definitions of the events are at the level of identifying which equipment is left unavailable, and references to specific test and maintenance procedures are not included. Consequently, it was difficult to determine if a systematic approach has been used to qualitatively screen HFEs. However, a review of the modeled events revealed a comprehensive list (compared to PRAs of similar plants). There were no HFEs that were left out on the basis of the screening values.
The incorporation of the HFEs into the logic model structure is consistent with their definitions.
The model used for quantification (of HEPs) is the screening decision tree. A detailed review of l the derivation of these decision trees was not performed, but their use appears in some instances to result in conservative HEPs (when corapared to PRAs for other plants). One example is event AFCPTPTD01FX, which models the turbine-driven auxiliary feedwater )
(TDAFW) pump train unavailable as a result oflatent human error. With a probability of 0.02, this event is a significant contributor to the unavailability of the TDAFW train. As a result, there are several conservatively high cutsets in the model. Using the Fussell-Vesely importance measures in Table 3.3.3-1 of the IPE, an upper bound estimate of the contribution of the top four pre-initiator HFEs (three latent errors on diesel generators, and one latent error on the TDAFW pump)is on the order of 20% of the total CDF.
In the modeling of dependencies, the adoption of the beta factor approach for " common cause" l human failures might not be conservative for cases where there is a strong likelihood that the j manipulations represented by the HFEs are likely to be performed close in time, or by the same I crew, etc. However, a review of these common cause events and a comparison with event i probabilities from other PRAs revealed that probabilities used in the CPSES IPE were reasonable.
i A-13 t
l
(
l Pont-Initiator HFEs
- - The PRA analysts appeared to have used a systematic approach (reviewing the emergency l operating procedures in the context of the accident sequences) to identify the functions required of the operators. However, the definitions of the HFEs are not documented clearly in either the l PRA or in the backup calculations. As a result, the following information was not immediately l apparent to the reviewer
identification of the cues used by the operators a the procedure used, including the steps of the procedure l
a task analysis designating the equipment required to be manipulated, and an identification of those tasks that, if not performed correctly, represent potential failures,
- and those that are a drain on resources
. the time available for each scenario e an estimate of the time required i As a result, it was not clear that equipment that is essential to the completion of the various functions is captured in the PRA model. It does appear however that, for the procedures that were reviewed by the staff, the expert panel process did address this problem, and that equipment that was required for operator actions were categorized appropriately.
During a review of the plant procedures, it was determined that in the event of a small LOCA, the more likely success paths directed by the emergency operating procedures (EOPs) have not been modeled in the PRA. In this event, procedures direct operators to cooldown and depressurize the primary system, and to establish RHR. Instead, the success path modeled in the PRA is the initiation of high-pressure injection followed by cold leg recirculation. Omitting the EOP success path is a potential conservatism in terms of baseline CDF but a potential non- l conservatism when it comes to the identification of components for extended testing intervals. l However, in this examplo, the effect on the RI-IST conclusions is minimal since small LOCAs l are relatively small contributors (3 percent) to the total CDF.
Human error probabilities were assigned screening values in the range of 0.05 to 1.0. No HFEs were screened out on the basis of their HEPs. Only 10 human actions were assigned more realistic values, leaving the remainir:g HEPs at their screening values. The magnitudes of the l ten " realistic" HEPs are reasonable based on the available time for operator action (before core damage) and on the existing plant procedures that guide these operator actions. Still, there l exists a possible distortion of the results from leaving the conservative screening values in the !
dominant sequences. However, as discussed in Section A.4.1, sensitivity studies performed as !
part of the RI-IST submittal showed that this is not a factor in the component categorization process.
The incorporation of the HFEs into the PRA model appears to have been done consistently with their definitions. HFE dependency has been taken into account in the higher level functions found in the functional fault trees. However, for those events that appear in the system level fault trees, this may _not have been completely achieved. For example, cutset #241 for l sequence T6CM2 contains events RC&800A and RC&800B (failures to open the block valves)
! and event AFRECOVX01 (fai!ure to recover inadvertently misaligned suction valve to AFW l
pump). These events are all associated with recovery from failure of automatic initiation of the AFW system, and could be argued to be highly correlated. However, the effect of" correcting" A-14 l
1 l
this cutset would be minimal since it is a lower order cutset, and there will not be a significant impact on the overall CDF.
Recoverv Actions As part of the accident sequence quantification, the CPSES analysis takes credit for recovery actions (i.e., recovery of failed equipment). Without this credit, CDF would increase by 70%. All l credited recovery actions are proceduralized, and recovery probabilities are reasonable based 1 on the time available for operator actions and on the procedures available for these actions.
The exception is that for 4 events, the failure probability for the recovery actions appear to be lower than expected when the complexity of the action and the time available for the action is considered. These events are X6 RECOVER (recover component cooling water within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, with a probability of 4.5E-3); X7 RECOVER (recover service water within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, with a probability of SE-3); EPDGRUN1 (recover a failed diesel generator in 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, with a probability of 0.25); and EPDGRUN2 (recover a diesel generator within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> when both DGs have failed, with a probability of 0.1). However, the effects on the component categorization process i in the RI-IST submittal are minimal since the loss of CCW and SW initiating events are small
! (1.6% and 1.1% of CDF respectively), and the components needed for the mitigation of a station blackout are already ranked high.
PRA Undate As stated in Section A.3.1.4, the CPSES PRA was completed in 1992, and it has not been I updated since. The question of whether plant procedures have been modified or whether new !
procedures have been instituted since the PRA was completed was discussed during the plant visit. In addition, the effect of implementing any new procedures which were recommended in i the IPE was discussed. It was determined that no new procedures of significance have been ,
implemented at the plant since the completion of the IPE, and that I the procedures recommended in the IPE were either already being followed, or are still being considered for implementation and would not have a significant impact on the plant risk profile. ;
l Summarv In summary, the findings concerning the HRA as it affects the RI-IST application are as follows:
. The HRA approach adopted does not unreasonably bias the estimates of CDF/LERF and ACDF/ALERF non-conservatively (i.e., it does not impact the results with respect to
! the acceptance guidelines).
I . The use of screening HEPs can distort the risk profile so that the importance of some IST components may be affected, however, the use of sensitivity studies and the expert panel process have compensated for this effect - see Section A.4.1.1 for further discussion of this topic.
. No human actions were used to compensate for potential risk increases resulting from increased test intervals (response to question NRC-RAl-6 in Ref. 9).
A-15
l A.3.1.7 Sanuanca cuantification in the quantification of accident seque As, the PRA utilizes a truncation limit of 1E-8. In response to RAI question PRA-4 in Ref. 8, the licensee stated that the " effective truncation limit" for the CPSES study is much less than 1E-8 due to the use of modules /supercomponents.
Modules consist of a number of logically OR-ed components of a system, typically a pump and valves in the flow path and includes all the associated failure modes for each component. For example, module AFSEGA2 consists of the motor-driven auxiliary feedwater pump (fails to start, fails to run, and train latent human error), pump suction and discharge valves (manual valve plugs and check valve fails to open on demand), and discharge flow element (plugs / ruptures).
Ref. 8 states that, when these modules are expanded, cutsets as low as 1E-24 are found to be included. Thus, functionally important, but highly reliable components, such as oump discharge check valves, are included in as many cutsets as the equivalent risk significant components such as the pump.
In the requantification of CDF and LERF to determine the effects of the RI-IST process, a re-solution of the model was performed. Since sequence cutsets have been requantified, potential l problems with low order cutsets that could have been truncated from the original cutset solution but could become more significant as a result of increased test intervals, are avoided. In l addition, the licenses has performed a study of the results of the PRA model to determine which l SSCs have been truncated from the model. The number of truncated components appears to be small, and the basic events representing those components are typically low probability failure modes (e.g., plugging). Therefore, their contribution, even if increased, would be small.
For pumps and valves in the IST program which have not been included in the PRA model, the impact of changes to these components is not included in the quantification of ACDF and l ALERF estimates. lne licensee submittal [7] provides tables on the disposition of all l components in the IST program by the expert panel process. For example, components not
- modeled in the PRA could be categorized as low safety significant because they do not result in l accident initiators or because no credit has been taken for them for accident mitigation. Other non-modeled components were categorized as nonsafety- significant because of assessed l reliability and the expert panel opinion that testing will not significantly affect this reliability. Staff I review of the licensee's expert panel process (19] and the results of this process [7] finds that l the treatment of components not modeled in the PRA to be acceptable for the Rl-IST program and that the quantification of ACDF and ALERF estimates will not be significantly affected by the
. omission of these components. t in summary, the licensee has satisfactorily established that conclusions are not adversely l l affected by the cutset truncation value chosen. The change in risk from the RI-IST process was i
calculated by the requentification of the base model. In addition, pumps and valves not modeled .
in the PRA are satisfactorily dispositioned by the expert panel process. j Another aspect of the quantification process is the way the numerical results are characterized.
. In the CPSES PRA, the quantification of CDF and LERF is based on a point estimate evaluation.
The parameter values used in the PRA model are mean values and the calculated changes in CDF and LERF are to a first approximation, mean values also. A study of the dominant CDF cutsets did not suggest that a mean value obtained by propagating the uncertainty through the analysis would be significantly different from the point estimate. This is based on the fact that the state-of-knowledge" correlation is not important in the contributing cutsets since these A-16 l
T 4
cutsets do not involve muitiple events that rely on the same parameter for their quantification.
One possible exception is in the evaluation of LERF as discussed below.
l Approximately 14% of LERF comes from the interfacing systems LOCA (ISLOCA) initiator. The j contribution from the cutsets for this initiator, which comprise mainly of the failure of a series of valves, could potentially be underestimated by not taking the state-of-knowledge correlation into account. (That is, there is a concern that failure to perform an uncertainty analysis can lead to an underestimate of the ISLOCA frequency. The cutsets for the frequency of some of the ISLOCA paths involve multiples of the same parameter, A. The true mean frequency should be l l obtained by performing an uncertainty analysis sampling from the distribution on A, and using
. the same sampled value for each A in the expression. This will yield a different value for the l '
overall mean because <A>2 is less than <A2>.) However, a staff review of the cutsets involving I valves affected by the RI-IST application showed that this is not a problem. The affected valves were either not in cutsets with other valves, or if multiple valves existed in the same cutset, a locked-close valve is also present in the same cutset. Because these are cutsets with low frequencies compared to the other contributors to ISLOCA events, the evaluation of the change in risk will not be significantly affected by not taking the " state-of-knowledge" correlation into account for these cutsets.
A.3.1.8 Internal Flooding
! The internal flooding CDF estimated by CPSES PRA is 1.3E-5/ry, or about 15% of the total ,
, CDF. A total of 101 flood-initiated core damage sequences were found to contribute to the flooding CDF. This assessment is characterized as conservative. Review conclusions are summarized below.
The methodology appears to have involved comprehensive state of the art analysis, and
! included identification of flood sensitive plant areas, flood source determination, propagation paths, scenario development, scenario frequency screening, and final quantification. No errors or omissions in the methodology were found and no shortcomings were found that have the potential to change the CDF results.
No components categorized as low safety significant were identified which, on the basis of flood analysis, should be considered high safety significant. The dominant sequences (about 50% of l the total CDF contribution) involve flooding of the auxiliary building, resulting in loss of all ECCS as well as the motor-driven auxiliary feedwater pumps, leaving only the TDAFW pump available
- to prevent core damage (feed-and-bleed is not possible due to loss of E.CCS). This focuses attention on the importance of the TDAF system. However, this is already an important system l
because of the loss-of-offsite power (LOOP) sequences; therefore, it is not expected that relative rankings will shift as a result of the inclusion of flood sequences.
A.3.1.9 Fire Analysis l
CPSES's IPEEE for fires was performed using a fire PRA, and resulted in a CDF contribution of 2.09E-05/ry. A staff review of this analysis concluded that state-of-the-art methodology was used; conservative screening methods and criteria were used; the issues addressed are extensive and are considered to be complete; the information provided supports the analysis and conclusions; and the final conclusions are reasonable and within the range of results expected for a PWR power plant. The weaknesses that were identified relate to insufficient A-17
f documentation of the analysis, with examples being the documentation of effects of the fires on human reliability, and the documented analysis of data. Nevertheless, the overall conclusion is that the fire risk evaluation is sufficient in scope and detail to support the categorization process and the risk determination process used in the CPSES RI-IST program.
A.3.1.10 Tornadn Analysis The IPEEE reported a CDF resulting from tomados as 3.7E-06/ry, with the biggest contribution coming from station blackout. The tornado PRA was done using a state-of-the-art approach.
The only issue raised as a concem was the fact that, unlike in most other tomado PRAs, credit was taken for recovery of offsite power. Using the results of the IPE, the probabilities of failure to recover power are about an order of magnitude greater for the tomado events. While this may be optimistic, especially for the higher F-category tomados, given the values used for the probabilities of failure to recover offsite power (Attachment 15 to TXX-96390), this is judged to l be unlikely to lead to a significant underestimation of the overall CDF. Moreover, since the equipment required to mitigate a station blackout is already classified as high safety significant, the categorization of components will not be affected.
A.3.1.11 Low Power and Shutdown Ooerating Modes The licensee estimated the LP&S CDF to be 3E-6/ year on the basis of its Outage Safety Function (OSF) Guidelines and a conservative application of their EPRI outage risk assessment monitor (ORAM) computer model and assuming a 45-day outage. A staff review of the OSF guidelines and the ORAM model was performed during the site visit, and it was determined that, based on the specifications of the model and procedures and expectations in the guidelines, the OSF guidelines and ORAM model were adequate for evaluating and assuring defense-in-depth requirements and for maintaining the required shutdown safety functions. In addition,
! discussions with the licensee on plant practices revealed the following:
. The fuelis off-loaded for much of the outage.
. The plant uses the OSF Guidelines to ensure defense-in-depth for the critical safety functions and their mitigating functions.
l
. There are precautions to prevent the occurrence of initiating events, such as losses of
- critical safety functions. For example, a) when work is performed in the switchyard, equipment is hand carried to avoid the driving of trucks inside the switchyard. Also,in i this case, the control room staff would be alerted to be ready for potential problems; b) the lowering of reactor water level is guided by plant procedure IPO-10, upon which the operators are trained. In addition, operators are always available to monitor the - mss, and level Instrumentation is available; c) to prevent flooding accidents, maintenana activities are controlled by establishing clearance boundaries with the focus on self-verification; d) equipment required for defense-in-depth is roped off and identified; and e) the ignition of fires is controlled by work practices, fire watches, etc.
. It aas been the plant practice to start on mid-loop operations only towards the back-end of the outage when decay heat levels are lower.
A-18
l .
Diesel generator maintenance tends to be a critical path item. Therefore, the diesel -
l maintenance is started early in the outage. However, both diesels from the other CPSES unit are available during the off-load period, and the spent fuel pool is cooled from the other unit. A portable diesel generator is brought in for the duration of the outage, specifically to provide for RHR defense-in-depth.
=
In planning the outage, ORAM is used to evaluate support system issues and defense-l in-depth issues.
L Based on the above considerations and on a staff assessment using bounding estimations, it was concluded that the ilcensee's LP&S CDF is reasonable.
The licensee used the expert panel process together with a set of qualitative criteria to
! determine if pumps and valves were candidates for extended testing intervals. These criteria, l
provided in Ref. 7, are mainly predicated on defense-in-depth concepts and are judged to be
, adequate for this RI-IST application.
l' A.3.2 Conclusions from the Review of the Level 11 Risk Evaluation The determination of Level 11 PRA quality as it relates to LERF is based on a review and evaluation of the IPE, the licensee-sponsored peer review of the Level 11 PRA, the NRC review of the IPE, and the staff review of the relevant portions of the RI-IST submittal.
I i For the purposes of the Rl-IST submittal, the quality of the full-power Level ll PRA (intemal &
external events)is adequate. With regard to the LERF evaluation, it is noted that previous studies [11] have shown that PWR large dry containments to be relatively robust with respect to l severe accident challenges, therefore, review attention focussed on the subset of core damage
! events that cause releases resulting from containment bypass and/or failure to isolate l
sequences.
The licensee uses the definition of large early release (LER) from the EPRI "PSA Applications l Guide"[20): )
A large, early release is a radioactive release from containment which is both \
large and early. Latge is deMned as involving the rapid, unscrubbed release of airbome Mssion products to the environment. Eadyis defined as occum'ng before i the effective implementation of the offsite emergency response and protective
- actions.
l l
The CPSES IPE presented Level ll accident sequences, but LERF was not calculated.
Therefore, the licensee had to interpret the Level ll results for the RI-IST application. The l following discussion focuses on the adequacy of the bases for the LERF values calculated by the licensee and listed in Table A.5, which sum to the total LERF of 9.3E-7/ry.
A-19
I At$Lt; A.D COMANCHE PEAK LERF VALUES Risk Contributor Large Early Release Frequency Il FRF)
Intemal Events (IPE) 7.70 E-7/ year Fire, high wind, tornado 1.23 E-7/ year Seismic negligible LP&S 3.80 E-8/ year (estimated)
Tntal 9 31 F-7/vant A.3.2.1 i FRF from intemal Events A LERF value of 7.7E-5/ry was determined by the licensee using information from the Comanche Peak Level ll PRA. The important potential contributors to LERF are "early" i l
containment structural failures, containment bypass events, and containment isolation failures.
A summary of these containment failures is given in Table A.6 (taken from the Ref. 21), together with comparisons to other PWRs with large-dry containments.
TABLE A.0 CONTAINMENT FAILURE AS A PERCENTAGE OF TOTAL CDF
= = = - . = - = _ = = = = = = = = = = mannemensammium = = - = --.:- i Containment Failure CPSESIPEW Surry Zion i Mode NUREG 1150 NUREG-1150 I (candidates for LERF in
( bold)
Early Failure 1.2 0.7 1.4 Late Failure 51.1 5.9 24.0 Bypass 8.2 12.2 0.7 l
Isolation Failure 0.02 (2) (3)
Intact 39.5 81.2 73.0 l CDF (/ry) 5.7E-5 4.0E-5 3.4E-4 l
' Based on Table 4.6-14 of the IPE submittal.
2 included in Early Failure, approximately 0.02%
8 Included in Early Failure, appror.imately 0.5%
1 The conditional probability of early containment failure for Comanche Peak is approximately 1.2% of total CDF, of which 56% comes from Alpha mode failure and 44% comes from failure associated with high-pressure melt ejection (HPME). In the definition of release categories, the Comanche Peak IPE defines an "early" release as one occurring at or shortly after vessel breach. For accident sequence classes, early containment failure comes primarily from transient sequences with the RCS at high pressure. Given the IPE data (Tables 4.7-1 through 4.7-6), approximately half of the early failures have large releases and thus this would qualify as A-20
1 I
l failures contributing to LERF. The models of and assumptions regarding the phenomenology j reflect the current state of knowledge to a degree sufficient for this application.
j As shown in Table A.6, for Comanche Peak the probability of containment bypass, conditional I on core damage, is 8.2%. Of this, the steam generator tube rupture (SGTR) initiating event j contributes 95%, ISLOCA contributes 3.3%, and induced SGTR (ISGTR) contributes 1.7%. '
) Again, on the basis of the IPE data (Tables 4.7-1 through 4.7-6), all of the above are failures that !
l result in large releases. All of the interfacing-systems loss-of-coolant accidents (ISLOCAs) were I considered LERs. However, most of the SGTR events have delayed releases (e.g., releases 17 hours1.967593e-4 days <br />0.00472 hours <br />2.810847e-5 weeks <br />6.4685e-6 months <br /> after the start of the accident) and thus are not considered as "early" for the purposes of defining LERF, even though they are considered "early"in the IPE. (In the definition of"LERF,"
- RG 1.174 defines "early" as a time frame that is adequate to effectively evacuate the close-in l population such that early health effects can be avoided. In general, time intervals in excess of 5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> are adequate for this purpose.) A review of the licensee process foi selecting SGTR sequences as candidates for LERF showed no inadequacies, in summary, the process used to determine LERF from the intemal event (at power) initiators appears to be reasonable.
As part of this pilot process, an independent assessment of the LERF for Comanche Peak was l also made by using the guidance draft NUREG/CR-6595 [24]. ')ata from the CPSES IPE and the RI-IST submittal was applied to the NUREG/CR-6595 Event Tree for PWRs with large-dry containment to determine the LERF and to evaluate the sensitivity of this value to several parameters.
Figure A.1 shows the base analysis. In this figure, split fractions were derived mainly from Refs.
1 and 21. In addition, the split fraction for Top Event 7 (No potential early fatalities) for containment bypass events was given a value of 0.101 so that the total LERF is equal the value l
- provided by the licensee in its submittal (i.e.,7.7E-7/ry). This is consistent with licensee values where on!y approximately 10% of the SGTR events end up as LERF contributors.
Using Figure A.1, two sensitivity studies were performed:
- The first was to determine the role Top Event 7, "No potential early fatalities," plays in the final results. If it was assumed that 100% of Event 7 would be "No" (i.e., if it was assumed that all sequences at this branch resulted in early fatalities), a LERF of 50E-7/yr would be obtained. This is six times larger than the base value of 7.7E-7/yr.
+ In a second sensitivity study, the possibility of severe accident-induced SGTR and its contribution to LERF was introduced. For Top Event 5 "No induced SGTR," a split fraction probability of 0.053 from draft NUREG-1570 (25] was incorporated. In this case, the estimate for LERF changes to 30E-7/yr and the contribution to LERF from the induced SGTR (22.4E-7/yr) is considerably larger than the other contributors (spontaneous SGTR and containment failure).
l The results from the above sensitivity cases are summarized in Table A.7. It should be noted that, even with more conservative assumptions used, the CPSES LERF is within the guidelines provided in Section 2.2.4 of RG 1.174 for proposed changes that will result in, at most, small risk increases.
A-21 L___________________________ _ _ _ _ _ _ . _ . __ _ _ _ _ ___
1 1
TABLE A.7 l CPSES LERF - SENSITIVITY STUDY l
Case Case Description l LERF (per year) 1 Licensee estimate for Comanche Peak 7.7E-7
[
2 Case 1, except all bypass events are assumed to 49.5E-7 )
l be large early releases ;
3 Case 1, except adding an induced SGTR 30.0E-7 probability from NUREG 1570 i
I l
l I .
l l
l i
A-22 l
i 1
FIGURE A.1 COMANCHE PEAK LERF
SUMMARY
(estimated)*
core damage containment RCS Core No induced No No potential Path & path Law Eady Frequency isolated or not dupressunzed Damage SGTR containment early fatalities frequency Release trypassed Arrested failure at VB without VB 1 2 3 4 5 6 7 ,
! 1 no i 0.00 0.0 0.133 2 no l 1.00 1.00 69.9E-7 l 3 no 0.00 NA 0.0 j 0.919 Failure- NA 4 yes 0.0 5 no O.867 0.001 45.6E-7 6 no l 0.985 448.5E-7
! 1.00 l 7 no 5.72E-5/yr 1Yes 0.999 0.015 0.56 3.8E-7 l
l INo Failure- _0.44 8 yes 3.0E-7 l 9 no i 0.00 0.072 0.0 Bypass- 0.928 10 yes
=
LERF (E 7) 0.0 3.0+4.7 = 7.7 11 no i 0.081 0.899 41.6E 7 l Bypass - 0.101 12 yes l 4.7E-7 l
- Note that the split fractions in this event tree are approximations obtained from the CPSES IPE and the RI-IST submittal. They are also composite values; the NUREG/CR-6535 approach is to assess each core damage segaence, one at a time, and then sum up the LERF co itributions.
4 l
l l
A-23
l A.3.2.2 l_ FRF frorn Evtarnal Event Initiminrs l
Given the CDF developed from the IPEEE, the licensee estimated external-event LERF values (Ref. 9) by use of qualitative arguments. The rationale for the licensee's LERF estimations is summarized below.
l_ For events initiated by fires, high winds and tornadoes, the licensee estimated a LERF of 1.2E-7/yr. For this calculation, the licensee stated that the relative contributions to LERF from fires, high winds, and tornadoes are much less than that for the intemal events since the major contributors to LERF for intemal events, namely ISLOCA, containment isolation, and SGTR were insignificant contributors to the CDF for fires, high winds and tomadoes. Therefore, the licensee's estimation of LERF 'or these events only considered the phenomenological failure modes and random containment isolation failures. The staff concurs with the licensee's evaluation and therefore considers the LERF estimate to be appropriate for the purposes of this RI-IST application.
For seismic events, the licensee stated that the LERF contribution was negligible due to the low l seismic hazard in the area of the plant. The staff agrees that the LERF contribution from l seismic events will be small compared to contributions from internal everits and the other extemal event initiators. Therefore, the staff finds that the " negligible" value assigned by the licensee to seismic events is appropriate.
A.3.2.3 t ERF for Low-Power and Shutdown Ooerating Modes The licensee estimated a shutdown LERF value of 3.8E-8/yr by assuming that the ratio of LERF to CDF for the full-power analysis would also apply in shutdown scenarios. Arguments were also presented that, if a core damage accident does occur, it will develop relatively slowly and there will be time to close the containment and, in most cases, sufficient time for emergency response.
! During a recent [22] evaluation of LP&S risks, it was determined that the ability to close the containment to prevent a large early release of radionuclides following loss of all AC power i
during shutdown was an important consideration. This issue was discussed with the licensee I during the site visit. TU Electric indicated that they have available, during shutd awn, at least one
! operable emergency diesel generator and a portable diesel generator. Furthermore, personnel are available on standby during shutdown to close the containment equipment hatch. In addition, in order to improve closure time, a new winch has been added that does not require ,
electrical power when the hatch is open. Licensee experience shows that the hatch can be i closed in less than one hour if required._ Thus, it appears that containment closure during shutdown upon loss of AC power is not a significant issue for the CPSES units.
Since the LP&S CDF is relatively low (relative to fire and intemal events contributors), and since the licensee has measures in place to control containment closure during plant outages, the value estimated by the licensee is considered appropriate for purposes of this RI IST application.
A-24
A.4 REVIEW OF THE EVALUATION OF TFIE CHANGE IN RISK FROM THE RI-IST PROGRAM The PRA is used in the CPSES Rl-IST submittal in the following way. First, it is used to help in the categorization of pumps and valves as either HSSCs or LSSCs. Deterministic and plant-
~
specific factors are then included in an integrated decisionmaking process to produce a final categorization. Pumps and valves placed in the LSSC category are candidates for test interval extension. Pumps and valves classified HSSC that are not currently in the IST program will be tested commensurate with their safety significance. The impact of the RI-IST changes on CDF and LERF is then assessed to demonstrate that the change in risk is small. The analysis of change in risk models the IST change by assuming that all test intervals on LSSC components are increased to 6 years, and by a requantification of the PRA models. When compensatory actions are available, the quantification takes credit for this.
The appropriateness of the categorization process and the modeling of changes in risk resulting from changes in testing strategy are addressed in this section of the appendix. ,
1 A.4.1 Appropriateness of the Categorization Process I The first step in the licensee's categorization process was to obtain a risk ranking of components using two importance measures, Fussell-Vesely (FV) and Risk Achievement Worth (RAW). The internal events PRA from the IPE and the fires and tomado PRA from the IPEEE were used as i the base models. Components were placed into three groups based on the values of these j l importance measures with respect to a set of decision criteria. These groups form the basis for the initial categorization of pumps ar,d valves into either the HSSC or LSSC categories. ;
l' An integrated decisionmaking process (in the form of an expert panel) was then used to address
( potential limitations of the PRA. For example, asymmetries introduced into the model for i calculational convenience were identified and corrections made. Using qualitative engineering i and risk insights, the plant expert panel then arrived at a final component categorization by considering the LP&S modes of operation, missing initiating events such as seismic, and by
[ considering components required for the mitigation of the release of radioactivity. Results of l sensitivity studies, p' ant operating experience, and an assessment of whether components would benefit from increased testing independent of safety considerations were also considered -
by the expert panel. The expert panei process was particularly important for the disposition of l those IST components not included in the PRA models.
i A.4.1.1 Categorization of Comoonents Modeled in the PBA i
in the initial risk ranking of components using importance measures, the expert panel used the following guidelines:
. Components having a high FV (>0.001) are considered HSSC.
. Components having both a low FV and a low RAW are considered LSSC, unless the paael believes that there is some particular reason that more testing would be beneficial (i.e., a component with a poor performance record may be upgraded so that it is tested more often).
A-25 L________ _ _ _ . _
l
+- A component having a low FV but a high RAW (>2) was placed into the " medium" category with special considerations. This combination of indicators implies that even though the component is not "significant" at present: it might become so if its performance were to be degraded. Its classification into HSSC or LSSC depended in part on whether it undergoes manipulations other than IST that provide assurance of ongoing performance of the safety function. An example of this is a check valve in series
- . with a pump; the check valve is flow-tested when the pump is tested. If such l " compensatory" measures exist, then the component is eligible for the LSSC category.
The numerical values used as the criteria for the initial grouping of components appear to be reasonable on the basis of confirmatory evaluation of the changes to CDF and LERF (see Section A.4.2).' However, this should not be taken as an endorsement of these values in a generic sense for other applications or for other plants since these values would be dependent i on the base CDF and LERF of the plant and the eval
- ion of the change in risk would be' i application-dependent.
' Of the 365 pumps and valves in the IST program that are modeled in the intemal events PRA, 56 had FV values a 0.001 and were initially classified as HSSC, and 275 had FV values < 0.001 and a RAW < 2 and these were initially classified as LSSC. The remaining 34 with FV values <
0.001 but RAW 2 2 were identified for expert judgement, with placement in either the HSSC or LSSC category dependent, in large part, on whether compensating actions were available for these components.
A quantitative risk ranking was also performed for the significant (i.e., non-screened out) external event initiators. Component importances were obtained using a cutset file for the risk significant fire and tornado scenarios from the CPSES IPEEE. Using criteria similar to that for
- the intemal events PRA,20 additional components were added to the HSSC category on the basis of fire-induced risk. No additional components were found to be risk significant with respect to tornadoes and high winds (that were not already risk significant for the internal events or fires).
In the IPEEE, the licensee performed a reduced-scope seismic margin evaluation (SME) to
- determine seismic risks. As such, CDF scenarios or cutsets are not available for use to rank l components for seismic importance. However, qualitative insights from the SME and in l particular from the safe shutdown equipment list were used to provide insights to the RI-IST component categorization process. Given the relatively low frequency and magnitude of seismic l.
events at CPSES, the ruggedness of the components needed to mitigate these events, and the fact these components are, in general, already determined to be risk significant for the intemal events initiators, no components were added to the HSSC category for seismic reasons.-
! In support of the RI-IST application, the licensee performed a number of sensitivity studies to show the robustness of its component categorization. The results of these studies are briefly discussed below.
Truncation Limit: A study to understand whether "important" components were being truncated inappropriately concluded that the cutsets surviving the truncation prewss include all the important IST components. The effect of cutset truncation on one specific system, the AF system, was demonstrated.
A-26 l
LL__ -- - - _ -
Common Cause Failure (CCF): A study was performed with CCF values set to zero to address whether artificially high CCF contributions for some components could mask the significance of other components. Results showed some variation in the importance rankings, however, there were no components that became sufficiently important to be considered HSSC. Although the importance measures for many IST components were lower without consideration of CCFs, the expert panel took the approach that components that were ranked HSSC by the PRA solely because of CCF should remain HSSC in the final categorization.
Joint importance (Search for Synergistic Risk Effects): Since CCF modeling addresses only intra-system common cause effects, a study was done in which the importance of certain failure combinations of otherwise LSSCs was investigated. It was found that in every case, FV
- measures remained low. However, some combinations of LSSCs had a "high RAW sensitivity to comporonts taken two at a time." The licensee troated these components as if they had high individual RAW values (i.e., they were classified as HSSC unless compensatory measures could j be credited). A similar study for the three-at-a-time case did not reveal any new contributors.
Human Error Probabilities: Calculations were performed to determine the sensitivity of l relative rankings to probabilities assigned to human errors. Two categories of human error were l manipulated, including recovery actions and dynamic actions (operator actions performed in the l course of controlling a system, as opposed to restoring failed equipmem a, functions). Three l cases were considered, including no credit for either category, credit only for recovery actions, l and credit only for dynamic actions. The conclusion was that component categorization was not affected in any of these cases.
On the basis of the its review of the results from the above sensitivity studies, the staff concludes the following:
. The categorization process is robust overall. Many components are in the LSSC category essentially because they appear in cutsets that are high-order (i.e., contain multiple basic events). When components are LSSC for this reason, it usually implies that defense-in-depth is not compromised.
. Synergistic effects can be important in principle, but in this case are not s!gnificant for the -
magnitude of the change that is being proposed.
A.4.1.2 Consideration of Low-Power and Shutdown Modes of Ooeration To account for the impact of LP&S modes on IST component rankings, the licensee performed a qualitative assessment. Systems required for shutdown accident sequences were analyzed and ranked with respect to their shutdown configuration. A set of rules was used to guide the risk ranking for shutdown. For example, the following components were categorized as HSSCs:
e pumps that must start to perform function (high FV)
. MOVs or AOVs that must t hange state to perform function (but not portions with redundant paths)(high FV)
. MOVs or AOVs that must change state to prevent flow diversion that can fail redundant trains (high FV, high RAW)
A-27
l l
pressure relief valves (safety or power-operated) needed to control pressure so that redundant trains of systems can perform function (high or low FV, high RAW)
Components that are potentially HSSC (i.e., those with low FV and moderate to high RAW values) are identified as follows:
j pumps that must continue running (iow FV, moderate RAW) l valves in single path portions of redundant systems that are not required to change state, e.g., RHR cutlet valves (usually low FV, moderate or high RAW) l check valves and MOVs or AOVs that must remain as is if they are in the trains only flow l path (low FV, moderate RAW)
I .
l check valves for which reverse flow can fail redundant trains simultaneously (Iow FV, high RAW)
L a MOVs or AOVs which, if they change state, can cause flow diversion that een fait redundant trains (Iow FV, high RAW) a control components that need to function to prevent system degradation (e.g., AFW flow control valves to the steam generators that can fail the TDAFW pump) (Iow FV, moderate RAW)
Components are categorized LSSC in terms of LP&S risk if they do not fall into the above two categories.
The above rules were applied to the systems that support several safety functions important to l shutdown:
l
. over-pressure protection f . shutdown cooling; spent fuel pool cooling
. Inventory control .'
. reactivity control; AC power i
. containment integrity The systems analyzed include the auxiliary feedwater system, the residual heat removal system, i the spent fuel pool cooling system, the safety injection system, the chemical and volume control l system / emergency boration system, and components related to preservation of containment integrity, as well as those for low-temperature overpressure mitigation.
Fifteen components were added to the HSSC category on the basis of LP&S considerations.
A.4.1.3 Consideration of Laroe Eartv Relances Risk importances of containment functions were determined by use of quantitative importance measures for accidents contributing to large, early releases. The CPSES IPE found that large, early releases are more likely to result from accidents with the following attributes:
A-28
. a failure in containment exists at the time c,f the accident, either because the containment fails to isolate or it is bypassed
- a high-pressure core meltdown occurs with containment heat removal (sprays) unavailable at the time of core melting Using the above guidelines, the licensee identified the following failures / scenarios as potential contributors to a large, early release:
e steam generator tube rupture
= failuras of containment cooling systems (containment sprays)
= failures of containment isolation valves l
= fdures of high-low pressure interface valves leading to ISLOCA sequences a failures of safety systems uniquely important to preventing HPCM scenarios Th9 results of the licensee evaluation for each of these scenarios are summarized below.
For SGTR scenarios, the licensee stated that isolation of the break was not a significant (i.e.,
<0.1%) contributor to LERF. Th'e expert pane' determined that this contribution could be reduced further for many scenarios since operator actions identified in the EOPs (closing of i valves to isolate the leak path) had not been fully credited in the LERF evaluation. Therefore, no components were added to the HSSC list on the oasis of LERF considerations for this scenario.
The licensee determined that the containment spray system is not a large contributor to LERF because of the robustness of the containment ("the containment can withstand significant energy releases without heat removal and still reliably remain intact") and that system failures are dominated by failures in the support systems (e.g., electrL: power and component cooling ;
water systems). However, the containment spray pumps were categorized HSSC because of ;
past problems with pump vibration. Inservice testing was deemed by the expert panel as an !
effective means to ensure that such problems have been resolved. (Note: Since containment j spray pumps were classified as HSSCs, many containment spray valves that are designated i l~ LSSCs will be " tested" when the pump IST tests are performed. In addition, many of the other active components, such as MOVs, are tested because of technical specification requirements.)
To perform a risk categorization of the containment isolation valves (CIVs), the licensee l' reviewed the PRA cutsets for each set of CIVs to determine which would have the equivalent of a high FV with respect to LERF. Four lines were found to be dominant contributors to LERF with each line having a FV LERF of approximately 5.0E-03. Eight valves were added to the HSSC category on the basis of this evaluation.
There are ten ISLOCA initiating events in the IPE. A review of the specific valves contributing to each initiator showed that the most LERF-significant contributors involve valves in the RHR suction, low-pressure injection, and intermediate injection lines. Using the FV values relative to LERF for each line, the licensee added seventeen valves to the HSSC category.
A licensee evaluation of accident sequence cutsets indicated that, in terms of LERF, core damage sequences that resulted in HPCM scenarios were more important than other scenarios.
Most of the LERF-significant scenarios involve RCP seal LOCAs and transients that resulted A-29
from loss of injection. As a result of this evaluation, seven valves in the Si and CS systems were added to the HSSC category.
A.4.1.4 Non-Modeled Comoonents To ensure that an IST component is low risk significant, the licensee performed an evaluation of the intended functions of IST on each component that is in the IST program but is not explicitly modeled in the PRA. The equivalent importance was then determined using a method similar to the qualitative component ranking process used for LP&S risk described in section A.4.1.2.
In general, the purpose of IST is to maintain the integrity of fission product boundaries, and to ensure safety system operability. These are modeled in the PRA in the following ways:
. SSCs used to ensure the integrity of fission product boundaries. That is, primary and secondary system integrity, and conta' ament isolation are usually implicitly modeled as initiating events such as LOCAs, stearn line breaks, spurious opening of relief valves, internal flood, ISLOCAs, etc., or are excluded because they mitigate highly unlikely scenarios.
. Safety system operability functions are usually explicitly modeled in PRAs. Exceptions to this for CPSES, include five IST functions that were assumed in the PRA to have low significance because of ample opportunity for operator recovery action, and one function that is considered part of the basic events used to model the emergency diesel generator (EDG). The five functions that are assumed to have low significance are boration dilution, spent fuel pool cooling, spent fuel pool emergency makeup, surnp discharge (equipment sumps), and surge tank emergency makeup. The IST safety function that is considered part of the ED0 is the pump discharge (lube oil;.nd jacket water for the EDG).
Using the mapping of the IST and PRA safety functions, the licensee developed a process to evaluate IST components not explicitly modeled in the PRA. This process depended on
, information in the PRA and in the supporting documents. For example, thermal-hydraulic calculations were reviewed to determine why certain components, primarily flowpath boundary components and pump mini-flow lines. were not considered risk significant. Plant operations support and engineering support from the expert panel was also used to rank a number of i components such as those associated with surge tank emergency makeup. Factors considered include the frequency of use of the system, the failure modes that would have to occur to fail an IST function and the probability of these failures, and the redundant components that have to fail in order for the IST function to fail.
For each IST component not modeled in the PRA, documentation was available on its IST function, the risk categorization by the expert panel, the basis for this categorization, and compensatory actions for potentially safety significant components. A total of 25 components not explicitly modeled in the PRA were catego'rized as HSSC.
l A.4.1.5 Conclusions of the Categorization Process I
A staff review cf the process used and the results of the component categorization showed that this process is robust and that results are supportable based on plant risk and on the l
A-30 l l
1
maintenance of" defense in depth." Initial staff findings of components which appeared to be classified inappropriately were satisfactorily resolved in the licensee's responses to the staff's RAls.
It should be noted that in categorizing components as HS'iC or LSSC, the assessed " safety l
significance" of components in series can alternate between "high" and " low" for some system
! segments. This is counter-intuitive in that if a segment is considered important, then it would be l expected that all components in this segment that have failure modes that compromise safety l
function of the segment, would also be considered important. However, because of inherent I
device characteristics and service conditions, individual component failure probabilities may i differ significantly, i.1erefore, in the licensee proposed RI-IST process, the testing requirements of individual components in a series group may indeed alternate between "more" and "less" so that there is an optimization of resources that would appropriately allocate relatively more attention to the relatively weaker links in the series chain. The terms "HSSC" and "LSSC" are
- arguably inappropriate, but the implication is that some IST relaxation can be tolerated for the i class of components categorized as "LSSC."
Because the component categorization scheme used in this RI-IST application is based, in part, on arguments such as the effects of testing on component reliability, or the use of non-IST
" tests" as compensatory measures, or by a comparison of the IST function to the PRA function, the conclusion regarding the acceptability of the categorization approach pertains specifically to testing-related issues. In the CPSES RI-IST process, the categorization effectively corresponds ;
to whether a given component needs relatively more, or relatively less testing. l A.4.2 Evaluating the Changes in Risk Resulting From Changes in IST The licensee's submittal relies on the classification of components such that proposed testing j changes for components classified as LSSC would only result in small changes in risk. The '
focus is on the demonstration that the classification process is robust, and that even with a bounding calculation, the estimated change in risk is small.
The calculation of the change in risk uses a reliability model of the test interval dependent contribution to standby components (i.e., Q = AT/2, where Q is the component unavailability, Ais the failure rate, and T is the test interval). Other effects of testing (e.g., unavailability due to i testing, component wearout, and human errors associated with the testing process that incapacitate the system) are not modeled. In addition, the efficiency of the existing IST scheme, versus improvements in the state of knowledge of near-term component reliability obtained through an improveN. Sng strategy is also not modeled.
Therefore, the approe@ taken in the submittal was to quantify a ACDF on the basis of the assumption that the time-averaged failure probability of an IST component is proportional to the IST test interval. For example, extending IST from 3-month intervals to a 6-year interval changes each IST component's failure probability by a factor of 24.
From the licensee submittal [7), the following conclusions on ACDF were obtained:
" Assuming full credit for the compensatory measures for the LSSC components with significant RAW results in an increase in the CDF to about 1.5% and the same increase A'-31
in LERF, namely about 1.5%. The change in CDF and LERF is then these percentage values times the base CDF and LERF respectively."
The above applies to a 6-year test interval for components in the LSSC group and is only evaluated for the initiating events modeled in the PRA. The impact on total CDF and LERF is then obtained by arguing that the increases for the other modes are in direct proportion to those i for the iPE. Since the basu CDF and LERF (from Ref. 9)is 8.5E-5/ry and 9.3E-7/ry respectively, the changes to CDF and LERF are therefore calculated as 1.3E-6/ry and 1.4E-8/ry respectively.
Sensitivity of Change in Risk to Efficacy of Compensatory Measures As part of the licensee submittal, sensitivity calculations regarding the effect of compensatory measures on both the ACDF and ALERF calculations were performed. A" compensatory measure"is a system exercise where information regarding operability of an IST component can be obtained, even though the manipulation is carried out for some other reason (e.g., testing of
, another IST component). Compensatory measures were used to justify retention of certain l
high-RAW components in the LSSC category. The results of this study [ Figs. 4-4 through 4-7 of Ref. 7) showed that for a scale factor of 24 (test interval changed from 3 n'onths to 6 years), the percentage change in CDF increases from 1.5% to 15%, and the percentage change in LERF increases from 1.5% to 13% on not taking credit for compensatory measures.
Sensitivity of Change in Risk to Change in Test interval In this sensitivity study, the licensee calculated the change in CDF and LERF for a range of scale factors (corresponding to scaled test intervals) for all basic event probabilities for components in the LSSC group. Results show that for a scale factor of 100 (e.g., test interval changing from 3 months to 25 years), and assuraing no compensatory measures, the CDF increases by 66%, and the LERF increases by 70%. With compensatory measures and a scale factor of 100, CDF increases by 6%, LERF increases by 17%.
Using the above results, the licensee indicated that even for test intervals as large as 25 years (essentially assuming no testing for LSSCs for the remainder of the plant life), the risk increases are relatively small (less than a factor of 2).
Staff Evaluation '
Modeling the effect of extending the test interval on a component's failure probability by prorating the failure probability by the ratio of the new to the old test interval is equivalent to assuming a constant (i.e., non-time-dependent) standby failure rate A, and estimating the basic event probability using AT/2, where T is the time between tests. When applying this model, it is assumed that the components are retumed to a " good as new" state following a test. If there is no significant active degradation mechanism, including those resulting from intermittent use of the component, and the failures are primarily caused by random external influences, this formula is appropriate. Since the RI-IST program catis for tests on the components to be staggered, and since component performance will be monitored with thq help of new test methods (documented in ASME code cases for pump and valve testing) which are designed to identify significant degradation mechanisms, corrective action can be taken to effectively remove or correct for these degradation mechanisms including thse caused by aging. Therefore, the AT/2 model can be considered to be adequate for this application.
A-32 1
l l
i In this context, any tests that demonstrate functional success can be regarded as
" compensatory" measures, since they limit the exposure time to the failed state. In the framework of the model used by the licensee, credit taken for a compensatory test would require i
that the test be performed at the same frequency as the original test (usually 3 months). This l condition would hold true for the majoriiy cf the time when compensatory measures proposed in the RI-IST program are associated with pump tests, which are expected to be performed at 3-l month intervals. This interval is also consistent with the generic data which was used in the i CPSES PRA where a test interval of 3 months is universally assumed for those cases where the failure probabilities are given in terms of failure on demand.
! From the results of the sensitivity analysis on the frequency and/or effectiveness of the I
compensatory tests, the licensee showed that the calculated impact of changing the IST test intervals would be intermediate between a CDF of 1.3E-05/ry for the case with no credit for compensatory actions, and a CDF of 1.3E-06/ry for the case with full credit. Based on a review l- of the compensatory measures and the number of components which can take credit for these
- measures, it is judged that the CDF increase is closer to the lower end of this range. !
Furthermore, since the base case A contains contributions from failures resulting from degradation mechanisms, the value used to represent the random failure contributions should
. be smaller. In addition, for a significant number of the LSSCs, the components will actually be functionally tested on a much higher frequency than that of the IST tests. For example, many of ;
l the valves identified as LSSC for the AFW system will be demonstrated to be operable every j time the AFW system is used, which is at least twice every time the plant is shutdown. Thus, j given that the model for the impact of the increased test interval discussed above is accepted, i
!' the universal use of the factor 24 to adjust failure rates for the LSSCs is conservative.
Given these considerations, it is judged that the increase l'1 CDF is considerably less than 1 E-j' 05/ry, and is closer to 1E-06/ reactor year. If credit for improved testing methods is taken, this L risk increase can be argued to be even smaller. Thus, given that the assessed total CDF is on l the order of 1E-04/ry, the acceptance guidelines provided 'n Section 2.2 of RG 1.174 are met for this RI-IST application. Similar conclusions on meeting the RG 1.174 guidelines can be made with respect to LERF since the baseline LERF is less than 1E-6/ry and the increase in LERF is l calculated to be 1.4E-8/ry.
Finally, it should be noted that sensitivity studies performed by the licensee showed that for large increases in test interval (scale factors larger than 40), the change in CDF and LERF begins to be non-linear. Since in these studies, each basic event is either left alone or scaled linearly according to the test interval, non-linear contributions mean that cutsets having more l- than one scaled event are becoming relatively important. Tbk implies that, at the proposed 6-l year test intervals (scale factor of 24), cutsets containing more than one LSSC are not a factor, l
and that defense-in-depth is not compromised.
A.5 CONCLUSIONS l It is concluded that the CPSES PRA is of sufficient quality, scope and level of detail to support the conclusions made in the RI-IST submittal. Although some issues were raised on potential shortcomings of the PRA, these issues did not affect the final conclusions on the acceptability of the change in risk relative to the baseline plant risk. In most cases, the PRA shortcomings were compensated for by the expert panel which supplemented PRA information with traditional engineering insights, plant operating experience, and risk insights from other sources.
A-33
l APPENDIX B: EVALUATION OF RELIEF REQUEST V-8 (REVISION 2)
ON MOTOR-OPERATED VALVE INSERVICE TESTING
1.0 BACKGROUND
. The ASME Boiler and Pressure Vessel Code specifies the performance of stroke-time testing of j motor-operated valves (MOVs) at quarterly intervals as part of the requirements for inservice l testing (IST) programs established under the Code of Federal Regulations,10 CFR 50.55a. In j response to concems regarding MOV performance in nuclear power plants, the NRC staff issued Generic Letter (GL) 89-10 " Safety-Related Motor-Operated Valve Testing and Surveillance,"in June 1989 to request that licensees verify the design-basis capability of their safety-related MOVs by reviewing MOV design bases, verifying MOV switch settings initially and l periodically, testing MOVs under design-basis conditions where practicable, improving j evaluations of MOV failures and necessary corrective action, and trending MOV problems, in l GL 89-10, the NRC staff noted the benefits of stroke-time testing of MOVs (such as valve l exercising and providing a limited measure of on-demand reliability) but stated that such testing
! alone is not sufficient to provide assurance of MOV operability under design-basis conditions.
l l
With recognition of the weakness in information provided by quarterly MOV stroke-time testing, j the ASME developed Code Case OMN-1," Alternative Rules for Preservice and inservice Testing of Certain Electric Motor-Operated Valve Assemblies in Light-Water Reactor Power Plants, OM Code-1995, Subsection ISTC," as an acceptable altemative program of exercising l and diagnostic testing to provide continuing assurance of the capability of MOVs to perform their i safety functions. In particular, OMN-1 specifies exercising of MOVs at least rsnce a year or l every refueling cycle (whichever is longer) to verify electrical continuity and to provide intemal lubrication. ' Further, OMN-1 specifies periodic diagnostic testing of MOVs (including a mix of static and dynamic tests) to obtain sufficient information to determine the rate of degradation of MOV performance in terms of the potential increase in required thrust and torque, and the
, potential decrease in actuator output. From this information, licensees can establish periodic ,
i diagnostic test intervals that may extend up to 10 years if there is assurance that tne MOV will l l remain capable of performing its safety function thrcughout the interval. The NRC is evaluating l OMN-1 for possible endorsement through rulemaking or by a regulatory guide.
l As additional information on MOV performance became available, the NRC staff issued GL 96-05," Periodic Verification of Design-Basis Capability of Safety-Related Motor-Operated Valves," in September 1996 to request that licensees establish a program, or to ensure the effectiveness of their current program, to verify on a periodic basis that safety-related MOVs j
continue to be capable of performing their safety functions within the current licensing bases of the facility. GL 96-05 supersedes GL 89-10 with respect to periodic verification of MOV design-basis capability. In GL 96-05, the NRC staff stated that, with certain limitations, the method described in ASME Code Case OMN-1 is considered to meet the intent of the generic letter to verify the design-basis capability of safety-related MOVs on a periodic basis. The limitations identified by the NRC staff in GL 96-05 on the use of OMN-1 to meet the intent of the generic letter wers (1) a precaution regarding consideration of benefits and potential adverse effects when determining appropriate MOV testing, (2) a provision for the evaluation of ATTACHMENT 2 B-1 L - ------ - -- _ _ - . - - - - - - . ----- - - --- _ _ - -- - - - - - - - - _ - - - - - - - _ - - - - -
applicable MOV test information before extending test intervals beyond 5 years or three refueling outages (whichever is longer), and (3) a provision for licensees participating in the
! industry pilot effort for IST programs considering risk insights to address the relationship of OMN-1 to their pilot initiative.
l 2.0 RELIEF REQUEST V-8 By letter dated June 24,1998 (TXX-98153), TU Electric (licensee) submitted Relief Request V-8 (Revision 2) from the ASME Code requirements for the IST program at the Comanche Peak Steam Electric Station (CPSES) Units 1 and 2. In Relief Request V-8, the licensee indicates l
that the current test requirements for quarterly stroke-time testing of MOVs in its IST program are specified in Paragraph 4.2 of OM Part 10. As an attemative to those requirements, the licensee proposes to use the program described in ASME Code Case OMN-1 with certain limitations and exceptions.
l 2.1 Licensee's Basis for Relief The licensee provided the following basis for the relief request:
As discussed in NRC GL 96-05 stroke time testing of MOVs has been recognized as an ineffectual method of ensuring MOV operational readiness. Also as required in NRC
, GL 96-05 each licensee is to develop a periodic verification program to ensure l operational readiness for the life of the plant. The GL provides guidance on the periodic
- verification program. As such, the performance of such testing (i.e. exercising each MOV during a fuel cycle, static diagnostic testing and confirmatory dynamic testing linked
- with a preventative maintenance program) will more adequately ensure operational readiness.
2.2 Pronosed Alternative Testina The licensee proposed the following altemative testing:
Motor Operator Valve (MOV) performance will be verified in accordance with the NRC l GL 96-05," Periodic Verification of Design-Basis Capability of Safety-Related Motor-l Operated Valves," requirement. The CPSES commitment for satisfying GL 96-05 is described in TU Electric's response to GL 96-05. LPSES MOV periodic verification testing will comply with the requirements of ASME O&M Code Case OMN-1," Alternative Rules for Preservice and Inservice Testing of Certain Electric Motor-Operated Valve Assemblies in Light-Water Reactor Power Plants, OM Code-1995 Edition, Subsection
, ISTC," with the following limitations:
- 1) The potential benefits (such as identification of decreased thrust output and j increased thrust requirements) and potential adverse effects (such as l accelerated aging or valve damage) will be considered when detemining the
! appropriate testing for each MOV.
- 2) Where the selected inservice test frequency extends beyond 6 years or 4 refueling outages (whichever is longer), performance and test experience B-2
(
l
i obtained from valve testing conducted during the first 6 year or 4 refueling outage j time period shall be evaluated to justify the longer periodic verification frequency.
1 3) The risk insights determined during TU Electric's participation in the Electric l Power Research Institute (EPRI) Risk-Informed Inservice Testing Pilot Project (ref. EPRI TR-105869) and on-going development of an updated risk-informed categorization process based upon ASME Research guidance and Codes as
! applicable will be used in accordance with the requirements of the ASME OM l Code Case OMN-1.
Inservice testing shall be conducted in the "as-found" condition only. "As-found" refening to: no maintenance activities that may affect the performance of an MOV shall be conducted prior to performing inservice testing. MOV Preventative Maintenance (PM) activities (including stem lubrication) will be performed on time ba3ed intervals to ensure the MOV is maintained in optimum working condition. PM activitit,.. will be scheduled l l separately and frequencies determined independently from MOV inservice test requirements Performance of a MOV PM will not alter an MOV's "as-found" status with regards to p eforming inservice testing. The effects of PM activities on MOV operational readiness wM be assessed to ensure the PM activities do not affect the validity of the MOV inservice test results.
i inservice testing shall be sufficient to assess changes in MOV functional margin.
Therefore, MOVs requiring maintenance prior to their scheduled inservice test frequency shall be evaluated to determine whether or not performance of an inservice test prior to j the maintenance activity will provide sufficient and/or valuable information in assessing changes in the MOVs' functional margin. This evaluation, as a minimum, shall consider:
inservice test frequency, time from last inservice or preservice test, functional margin, maintenance activity to be performed, grouping, MOV history, risk significance, and a
! review of the last inservice or preservice test performed. In addition, this evaluation shall be documented for future reference.
Any OMN-1 Code Case requirements that are not currently included in the CPSES MOV 1 program will be implemented using a controlled process in accordance with OMN-1 and evaluated under 10 CFR 50.59.
TU Electric intends to take the following exceptions to the requirements in ASME Code Case OMN-1 as described below:
- 1) Paragraph 3.3.1, items (a) & (b) - The initial inservice test frequency for each MOV shall be determined based upon the MOV's risk significance category (i.e.
! High or Low) and magnitude of margin. See Figure 1 (in TU Electric submittal) for l initial inservice test frequency details. The inservice test frequency may change l when sufficient test data has been collected and analyzed to determine a more l ,
appropriate test frequency. No test frequency shall exceed 10 years.
l l 2) Paragraph 6.4.3 - In order to maintain consistency and compatibility with the Joint l Owners Group (JOG) MOV Periodic Verification Program, " Functional Margin" will be redefined to agree with the definition of" Margin" as detailed in Topical Report MPR-1807 (Reference 1 (in TU Electric submittal]). The terms " Functional B-3
\
1 Margin" and " Margin" shall be synonymous within the CPSES MOV Periodic .
l Verification program. l l
" Margin," as defined in Reference 1, is dependent upon " Required Thrust." At CPSES " Required Thrust" for rising stem MOVs has been determined from stem
. thrust measurements taken during extensive Daseline testing performed in I response to GL 89-10 under both static and dynamic test conditions. Valve ;
l factors have been determined by statistical means for each group of rising stem !
l MOVs; these factors will be reviewed / verified as new data is obtained from
! CPSES testing and results are received from the JOG Periodic Verification l
l Program.
3.0 EVALUATION i
E 1 in its relief request, the licensee has addressed the limitations discussed by the NRC staff in j GL 96-05 on the application of ASME Code Case OMN-1. The licensee has also taken two exceptions to the provisions of OMN-1 for the implementation of the code case at Comanche Peak. The NRC staff considers the limitations and exceptions to OMN-1 described l by the licensee in its relief request to be responsive to the staff recommendations discussed in GL 96-05 and therefore acceptable with the following conditions proposed by the licensee:
l a. One limitation addressed by the licensee on its application of ASME Code Case OMN-1 ll at Comanche Peak is that, where a selected IST frequency for an MOV extends beyond l 6 years or four refueling outages (whichever is longer), performance and test experience obtained from valve testing conducted during the first 6-year or four-refueling-outage time period will be evaluated to justify the longer periodic verification frequency. GL 96-05 recommended that, in applying r;MN-1, licensees evaluate test information in the first
- 5-year or three-refueling-outage time period to validate assumptions made in justifying a l
! longer test interval. The Comanche Peak licensee has indicated that the 6-year interval l to evaluate test data in its OMN-1 program was selected to be consistent with its ongoing l
! efforts to develop a risk-informed IST program. As stated in Attachment 2 to TXX-97189, I I
TU Electric believes that compelling documentation has been submitted to justify
, extending the interval to 6 years. The draft DG-1062 does allow up to a 6 year l extension (based on three 2 year refueling outages). Also, the grouping /
l phased-in approach is easier and less burdensome to implement over 4 refueling l outages.
l l The NRC staff finds the licensee's proposed interval for evaluating test information to be acceptable because the staff stated in GL 96-05 that it would accept 3 refueling outages which would allow a 6-year interval for licensees on a 2-year refuel cycle, the phased-in implementation strategy proposed by the licensee, and the benefit of consistency with the licensee's RI-IST program. As described in Section 7 of the licensee's proposed RI-IST Program Description (TXX-98134), the licensee will be expected to respond to any adverse test information during the 6-year or four refueling-outage time period to ensure that MOVs with longer test intervals are promptly evaluated for their continued capability,
- b. Another limitation specified by the licensee in applying ASME Code Case OMN-1 at
. Comanche Peak is that risk insights determined during the licensee's participation in the B-4
i I
EPRI Risk-informed inservice Testing Pilot Project and ongoing development of an updated risk-informed categorization process based upon ASME Research guidance and Codes (as applicable) will be used in accordance with the provisions of OMN-1. The NRC staff had indicated in GL 96-05 that, in applying OMN-1 in response to the generic letter, licensees involved in pilot risk-informed IST programs need to specifically address i
- the relationship of OMN-1 to their pilot initiative. Paragraph 3.7 of OMN-1 allows the use !
l of risk insights in implementing the provisions of the code case such as those involving MOV grouping, acceptance criteria, exercising requirements, and testing frequency. In implementing OMN-1 at Comanche Peak, the NRC staff considers the licensee's I
application of risk insights developed through its participation in the EPRI Risk-informed l Inservice Testing Pilot Project to be acceptable based on the extensive review of the i pilot project by the NRC staff (see Sections 4.4 through 4.6 of the SER). In applying those risk insights, the licensee will be expected to comply with the staff-approved RI-IST
' Program Description (TXX-98134). For example, Paragraph 3.6.2 of OMN-1 states that !
l exercising more frequently than once per refueling cycle shall be considered for MOVs l
[ with high risk significance. Therefore, the licensee will also be expected to ensure that j l any extension of quarterly stroke-time test intervals for MOVs categorized as HSSC is l consistent with the acceptance guidelines specified in Section 4.3.3 of RG 1.175 as well !
as with the implementation philosophy for LSSC approved by the NRC staff and I described in Section 5.2 of the SER for the RI-IST program at Comanche Peak. In particular, if HSSC MOV exercise intervals are intended to be extended at Comanche !
, Peak, the licensee will be expected to follow the RI IST Program Description to ensure l tnat increases in core damage frequency and/or risk associated with the increased i HSSC exercise interval are small and consistent with the intent of the Commission's ;
Safety Goal Policy Statement (see Section 4.6 of the RI-IST SER). Also, as discussed in ,
Sections 5.1 and 5.2 of the SER, sufficient information from the specific HSSC MOV, or '
similar MOVs, should demonstrate that exercising on a refuelir g outage frequency does not significantly affect component performance. For example, such information may be obtained by grouping similar MOVs and staggering the exercise testing of MOVs in the group equally over the refueling interval. l l
- c. In one of its two exceptions to ASME Code Case OMN-1, the 'lcensee addresses Paragraph 3.3.1(b) of OMN-1 which specifies that MOV inservice testing shall be conducted every 3 years or two refueling cycles (whichever is longer) until sufficient data exist to determine a more appropriate test frequency. In lieu of this provisicn of OMN-1, the licensee indicates that the initial test frequency for each MOV shall be determined based on the MOV's risk significance category and the magnitude of its deterministic margin of motor-actuator output capability above operating requirements. The licensee proposes to establish a two-tier risk categorization approach with three levels of margin as indicated in the table below:
Low Margin Medium Margin High Margin High Risk 1 cycle 2 cycles 3 cycles Low Risk 2 cycles 4 cycles 6 cycles l The licensee specifies low margin as less than 10%, medium margin as greater than or equal to 10% but less than 15%, and high margin as greater than or equal to 15%. The B-5
I L
licensee limits the maximum test interval for MOVs categorized as low risk (LSSC) with high margin to 6 refueling cycles, but no more than 10 years.
Where insufficient data exist to determino an IST frequency using the calculations described in Paragraph 6.4.4 of OMN-1, the staff considers the licensee's proposal to establish an initial MOV test frequency using risk significance and margin rather than meeting the general provision of Paragraph 3.3.1(b) of OMN-1 to be acceptable based i on the licensee's extensive MOV testing program in response to GL 89-10 and the l anticipated slow degradation of MOV performance by aging effects. The NRC staff has reviewed and approved the licensee's RI-IST Program Description (TXX 98134) that will l- categorize the MOVs by risk significance. The licensee's establishment of MOV margin is addressed in paragraph d below. As provided in OMN-1 and discussed in RG 1.175, the licensee will need to ensure that each MOV in the IST program will have adequate margin to remain operable until the next scheduled test, regardless of its risk categorization. !
t
- d. . The other exception to ASME Code Case OMN-1 by the licensee involves the calculation of MOV " functional margin" described in Paragraph 6.4.3 of OMN-1. At Comanche ;
Peak, the licensee indicates that " functional margin" will be redefined to be equivalent to 1
" margin" as applied in the Joint Owners Group (JOG) Program on MOV Periodic Verification in response to GL 96-05. The NRC staff does not object to the licensee establishing compatible MOV programs to implement the provisions of OMN-1 and the guidance provided by the JOG in response to GL 96-05. However, OMN-1 specifies that i the functional margin of an MOV must be sufficient to satisfy the uncertainties in the acceptance criteria (such as data measurement uncertainty and equipment repeatability) while the JOG program calcGates margin using thrust (or torque) values that have been adjusted for uncertainties. Consistent with OMN-1, the licensee will ensure that uncertainties are adequately considered in its implementation of OMN-1, such as when calculating an allowable test interval or when applying uncertainties to actuator output or valve required thrust (or torque) as appropriate.
- e. The licensee states that any provisions of ASME Code Case OMN-1 that are not currently included in the Comanche Peak MOV program will be implemented using a controlled process. The licensee will be expected to follow the provisions of OMN-1, as endorsed by the NRC, in developing procedures to implement the code case at Comanche Peak. The NRC staff may review those procedures, including the basis for '
any extension of HSSC MOV exercise intervals and consideration of uncertainties in MOV calculations, during an on-site inspection when they are available.
4.0 CONCLUSION
The NRC staff has determined that the licensee's proposed use of ASME Code Case OMN-1 described in Relief Request V-8 (Revision 2), together with the specified conditions herein, provides an acceptablo level of quality and safety in assuring the operational rea# ness of MOVs. Therefore, the NRC staff concludes that the licensee's proposed attemative in Relief Request V-8 (Revision 2) to use ASME Oode Case OMN-1 at Comanche Peak with the l
specified conditions is authorized pursuant to 10 CFR 50.55a(a)(3)(i).
I B-6
I The licensee has not completed the development of procedures for implementing ASME Code Case OMN 1 at Comanche Peak. The NRC staff requests that the licensee notify the NRC upon completion of those procedures. Following such notification, the NRC staff may review the procedures during an on-site inspection prior to implementation of the alternative MOV program I at Comanche Peak.
The NRC is evaluating ASME Code Case OMN-1 for possible endorsement through rulemaking or by a regulatory guide. Relief Request V-8 (Revision 2) is approved until such time as the ,
NRC staffs generic position on OMN-1 is issued through rulemaking or some other means. At '
that time, if the licensee intends to continue to implement this relief request, the licensee is to follow the provisions of OMN-1 with any limitations or conditions specified in the NRC staff endorsement.
1 B-7 i
i i