ML21155A062

DPO Case File for DPO-2020-001
ML21155A062
Person / Time
Issue date: 07/20/2020
From: Roy Mathew
NRC/NRR/DEX
To:
Figueroa G
References
DPO-2020-001, NEI 06-09, Rev 0, TSTF-505, Rev 2


Text

DPO Case File for DPO-2020-001

The following pdf represents a collection of documents associated with the submittal and disposition of a differing professional opinion (DPO) from an NRC employee involving Technical Specifications Task Force Traveler (TSTF)-505, Revision 2 and Nuclear Energy Institute (NEI) 06-09, Revision 0.

Management Directive (MD) 10.159, NRC Differing Professional Opinions Program, describes the DPO Program. https://www.nrc.gov/docs/ML1513/ML15132A664.pdf The DPO Program is a formal process that allows employees and NRC contractors to have their differing views on established, mission-related issues considered by the highest-level managers in their organizations, i.e., Office Directors and Regional Administrators. The process also provides managers with an independent, three-person review of the issue (one person chosen by the employee).

Because the disposition of a DPO represents a multi-step process, readers should view the records as a collection. In other words, reading a document in isolation will not provide the correct context for how this issue was reviewed and considered by the NRC.

It is important to note that the DPO submittal includes the personal opinions, views, and concerns of an NRC employee. The NRC's evaluation of the concerns and the NRC's final position are included in the DPO Decision.

The records in this collection have been reviewed and approved for public dissemination.

Document 1: DPO Submittal
Document 2: Memo Establishing DPO Panel
Document 3: DPO Panel Report
Document 4: DPO Decision

Document 1: DPO Submittal

Reason for DPO:

The reason for filing this DPO is because the responses to NCP-2018-009 regarding the approval of TSTF-505, Revision 2 and continued endorsement of NEI 06-009 did not provide sufficient technical and regulatory bases and the regulations concerning electric power system requirements were interpreted incorrectly to extend the Electric Power Systems Technical Specifications Completion Times (CTs).

The TSTF-505, Revision 2 and continued endorsement of NEI 06-009 Revision 2 allow the plants to operate with loss of function of offsite power system (LOOP) and introduced unintended consequences to the licensees' compliance with 10 CFR 50.63 (station blackout) rule and Order EA-12-049 and 10 CFR 50.155 rule requirements the batteries are not assumed to be inoperable not more than 2 hours per NRC RG 1.93 (enough time to shutdown of the plant).

The approved TSs for plants' electric power sources are no longer operating consistent with design and licensing bases and NRC requirements (GDC 17 or pre-GDC requirements, 50.36, 50.63, and Order EA-12-049/50.155) and the Commission's Policy for risk-informing (maintaining defense in depth, safety margins, and meeting current requirements). The NRC staff did not follow the current guidance provided in SRP Chapter 8, BTP 8-8, and Regulatory Guidance 1.93, RG 1.155, RG 1.226 in their evaluations to determine whether extending the CTs for electric power sources specified in plants' current Technical Specifications (TS) ensure reasonable assurance of safety without endangering the health and safety of the public as required by conditions specified in 10 CFR 50.57.

Potential Impact on Mission

The plant operation with extended CT (without offsite power sources (LOOP) and reduced DC power system capacity) is inconsistent with current operating plants' design bases and operational requirements (10 CFR 50.36). It impacts the NRC Mission, NRC Vision, NRC Safety Objectives, NRC Regulatory Effectiveness Strategies, NRC Openness Strategies, and the Principles of Good Regulation.

The proposed TSTF 505, Revision 2 failed to provide reasonable assurance of plant safety. In the event of certain design basis accidents, Abnormal Operating Occurrences, and beyond design basis events (SBO and ELAP), the consequences of certain electric power systems not available would severely impact the public health and safety, and the environment if the plant is allowed to operate up to 30 days without an offsite power system (LOOP) and full complement of two trains of DC system put the plants in unanalyzed conditions for mitigating design basis accidents, transients, and beyond design basis events such as station blackout and extended loss of all ac power events.

Proposed Alternatives

1. Revise TSTF-505, Revision 2 to state that loss of both offsite circuits (both trains) is a loss of function of the offsite power system, therefore licensees must not use the RICT program for loss of offsite power system.
2. Require alternate or temporary power sources to be available and ready to perform the safety functions of inoperable equipment that the CT for the electrical equipment is being extended consistent with the defense in depth philosophy specified in Branch Technical Position 8-8 or CT should be restricted to be consistent with regulatory positions established in RG 1.93.

Therefore, TSTF 505 should be revised to reflect the temporary power sources to be available (BTP 8-8 staff position) as part of compensatory measures and defense in depth measures to meet the remedial actions as stated in 10 CFR 50.36 to compensate for the inoperable channel or train of power sources.

3. Since plants' current analysis and assumptions are based on both trains of batteries are available (coping with batteries for SBO scenario for 4 hours and up to 16 hours for phase 1 of Flex strategy) and operable while the plant is at power to comply with the provisions of station blackout rule and extended loss of all ac power events (mitigation Order or 10 CFR 50.155), batteries and DC subsystems must be excluded from the RICT program for extending the CT.

Otherwise, plants may no longer be able to mitigate the consequences of SBO (10 CFR 50.63) or loss of extended loss of all ac power events (10 CFR 50.155).

Summary of prevailing staff view, existing decision, or stated position.

The following three issues were originally identified in NCP-2018-009 concerning TSTF 505, Revision 2 and model safety evaluation. These documents were issued on November 21, 2018 without properly addressing my concerns. Traveler TSTF-505, Revision 2, is applicable to both boiling-water reactor (BWR) and pressurized-water reactor nuclear power plants. The licensees are using this traveler to submit license amendment requests to extend the CTs for various electric power sources. The technical concerns remain unresolved and the issues raised in the NCP are still not addressed to date. I disagree with the disposition of the NCP and the basis for my positions clearly indicate the current NRC requirements and staff's regulatory positions.

SSCs that are required to be operable by TS are in accordance with 10 CFR 50.36. My DPO covers only the Electric Power System and not any supported systems.

RIS-13-05, NRC Position on the Relationship between General Design Criteria and Technical Specification Operability, states:

Design requirements, such as GDC or similar requirements, are typically included in the licensing basis for every nuclear power plant. The GDC, according to Appendix A to 10 CFR Part 50, establish the necessary design, fabrication, construction, testing, and performance requirements for structures, systems, and components important to safety.

As such, the GDC cover a broad category of SSCs that are important to safety, including those SSCs that are covered by TS. The safety analysis report describes the design capability of the facility to meet the GDC (or a plant-specific equivalent). The staff safety evaluation report documents the acceptability of safety analysis report analyses. The analyses and evaluation included in the safety analysis serve as the basis for TS issued with the operating license. The TS limiting conditions for operation, according to 10 CFR 50.36(c)(2)(i), are the lowest functional capability or performance levels of equipment required for safe operation of the facility. Section 182 of the Atomic Energy Act of 1954, as amended and as implemented by 10 CFR 50.36, requires that those design features of the facility that, if altered or modified, would have a significant effect on safety, be included in the TS. Thus, TS are intended to ensure that the most safety significant design features of a plant, as determined by the safety analysis, maintain their capability to perform their safety functions, i.e., that SSCs are capable of performing their specified safety functions or necessary and related support functions.

Issue No. 1: Traveler TSTF-505, Revision 2, was to eliminate use of a risk-informed CT (RICT) program for loss of function of a system (both trains). However, the loss of function of an offsite power system (loss of both circuits of offsite power) is still allowed by the RICT program. The basis provided in the TSTF-505, Revision 2, model safety evaluation (SE) and traveler is incorrect and does not comply with the NRC requirements and staff positions specified for offsite power systems. The offsite power system is a separate system and has a safety function to perform. It is credited for mitigating design basis events and accidents that do not involve a loss-of-offsite power (LOOP). The offsite power system is the preferred power system to mitigate design basis events and accidents when a plant is in an operating mode. Therefore, the proposed U.S. Nuclear Regulatory Commission (NRC) approval of TSTF-505, Revision 2, which clarifies that when the two offsite circuits are unavailable, the safety-related diesel generators would perform the specified safety function is in error to preserve the safety margins and defense-in-depth as required by the NRC regulation (i.e., loss of function of offsite power system). Specifically, Appendix A of Title 10 of the Code of Federal Regulations (10 CFR) Part 50, General Design Criterion (GDC) 17, Electric power systems, states: "An onsite electric power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety. The safety function for each system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences [AOOs] and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents."

NCP disposition states: Appendix A of Title 10 of the Code of Federal Regulations (10 CFR) Part 50, General Design Criteria (GDC) for Nuclear Power Plants, establishes minimum requirements for water-cooled nuclear power plants' principal design criteria required by provisions of 10 CFR 50.34, Contents of applications; technical information. The principal design criteria, in turn, establish the necessary design, fabrication, construction, testing, and performance requirements for structures, systems, and components important to safety. A licensee requesting the use of the risk-informed completion time (RICT) program for limiting condition for operation (LCO) 3.8.1 Condition C, "Two offsite Circuits Inoperable," is not proposing a change in design of the facility. Therefore, this does not affect a facility's compliance with GDC 17, Electric Power Systems.

Regarding the loss of function issue, a loss of technical specification (TS) function is defined by the design basis accident analysis, not by the system function. The function of LCO 3.8.1 is to provide alternating current (AC) power source(s) to power engineered safety feature loads. AC sources include offsite circuits and onsite emergency diesel generators (EDGs) for most facilities. During normal operation, the offsite circuits supply power to the onsite Class 1E power distribution system, and the EDGs are on standby. When the offsite circuits are inoperable (LCO 3.8.1 Condition C), the power for the Class 1E power distribution system is, by design, supplied by the EDGs, thus the TS function is maintained. Therefore, inoperability of both offsite circuits does not represent a loss of function and the use of a RICT program is permissible. Furthermore, for a RICT program adopted using TSTF-505, Revision 2, the inoperability of two or more trains/channels/subsystems that result in a loss of TS function is not allowed. The model safety evaluation (SE) of TSTF-505, Revision 2, includes provisions for ensuring the function of the AC power sources is maintained by directing technical reviewers to verify that the AC power to the Class 1E power distribution system will be supplied by the onsite diesel power sources during the entry of this condition.

Based on discussions with the non-concurring individual prior to submission of the NCP-2018-009, the model SE was augmented to more clearly address this point. No further changes were made to the subject document.

My analysis of the NCP disposition: I carefully reviewed the above disposition provided by the NCP approver and the document signer (TS Branch Chief) and determined that the basis provided in the TSTF-505, Revision 2, model safety evaluation (SE) and traveler is incorrect and does not comply with the NRC requirements and staff positions specified for the offsite power system. As discussed in the RIS and the GDCs mentioned above, both AC power systems (offsite and onsite power systems) are required to be operable. This is the current requirement and design basis for all operating plants. The plants that got their TS revised in accordance with TSTF 505 Rev 2 and NEI 06-09 are operating outside the design basis when they enter LCO 3.8.1 for offsite power system DC power system. This is a significant safety concern. The argument presented by the document approving official is incorrect because TS 3.8.1 LCO requires minimum systems to be operable for at-power conditions (Mode 1 thru 4). According to the LCO for typical BWR or PWR, both systems must be operable as stated below:

3.8 ELECTRICAL POWER SYSTEMS

3.8.1 AC Sources-Operating

LCO 3.8.1 The following AC electrical sources shall be OPERABLE:

a. Two qualified circuits between the offsite transmission network and the onsite Class 1E AC Electrical Power Distribution System;
b. Two diesel generators (DGs) each capable of supplying one train of the onsite Class 1E AC Electrical Power Distribution System; and .

Therefore, issue No. 1 disposition and the TSTF-505, Rev guidance concerning offsite power inoperability (LOOP) is a loss of function of the offsite power system. Allowing offsite power system to be inoperable is a violation of 10 CFR 50.36 requirements.

Additional discussion provided in the NCP as the basis for maintaining operability of offsite power system is provided below.

Discussion:

According to Title 10 of Code of Federal Regulations (10 CFR) Appendix A to Part 50 - General Design Criteria (GDC) for Nuclear Power Plants, important to safety structures, systems and components are those which provide reasonable assurance that the facility can be operated without undue risk to the health and safety of the public.

In a 1981 Memorandum, the Director of NRR stated that important to safety encompasses a broad class of plant features covered (not necessarily explicitly) in the GDC that contribute in an important way to safe operation and protection of the public in all modes and aspects of the facility operation (i.e., during normal, transient, and abnormal operating occurrences, and accident mitigation). In the same Memorandum, the Director of NRR stated that safety related systems are a subset of important to safety systems. Safety-related SSCs, as defined in that Memorandum, are described as those SSC necessary to remain functional to assure required safety functions, which are listed as follows:

(1) The integrity of the reactor coolant pressure boundary;
(2) The capability to shut down the reactor and maintain it in a safe shutdown condition; or
(3) The capability to prevent or mitigate the consequences of accidents which could result in potential off-site exposures comparable to the guideline exposures of this part.

Thereafter, Generic Letter (GL) 84-01 was issued which provided the same information to nuclear power plant licensees. In 1997, the NRC amended 10 CFR 50.2 to add a definition of safety-related SSCs to 10 CFR Part 50, but the term, important to safety continued to be defined only in 10 CFR Part 50, Appendix A. 62 FR 47268 (September 8, 1997).

GDC 17 explicitly states that the offsite and onsite power system design must meet the failure criterion on a system basis without loss of capability to provide power for all safety functions. By definition of single failure criterion, the complete onsite electric power system (Class 1E) must be capable of sustaining a single failure without loss of capability to provide power for the minimum required safety functions. Hence, the offsite and onsite power systems considered together must be capable of sustaining a double failure, one of which is complete loss of offsite power coupled with a single failure in the onsite power system without loss of capability to provide power for the minimum required safety functions.

The significance of offsite power system is recognized in specific GDCs that explicitly state that offsite power system and an onsite power system shall be provided and the design shall meet the failure criteria on each system basis without loss of capability to provide power for all safety functions.

The basis provided in the SE and TSTF is incorrect. It should be noted that the offsite power system is a separate system and has a safety function to perform for current operating reactors. As stated above, offsite power system is credited for mitigating design basis events, AOOs, and accidents that do not involve LOOP. In summary, an offsite power system is required to perform safety functions by providing electric power with sufficient capacity and capability to assure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences, and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents. The offsite power system is the preferred electrical power system to accomplish safety functions of important to safety systems specified in GDCs 17, 33, 34, 35, 38, 41, and 44. The offsite power system is classified as important to safety, and its safety function is to provide sufficient power to permit proper functioning of structures, systems, and components (SSCs) important to safety, including safety-related SSCs.

The limiting conditions for operation (LCOs) specify the actions a licensee must take following a loss of one or both offsite power circuits. These actions include restoration of offsite power within a certain time frame or shutdown of the plant.

Based on my review of the above TS changes specified in Revision 2 of TSTF 505, loss of both offsite power circuits was incorrectly identified as not a loss of function of electric power system and included in the RICT program is incorrect and not in accordance with NRC requirements and licensing basis of operating reactors.

No. ML020950074), when a plant condition does not meet the LCO requirement and is relying on the provisions of the ACTIONS table, the single failure criterion consideration is suspended.

Per TSTF-505, Revision 2, loss of function is not eligible for a RICT, therefore the unaffected train must be operable to allow entry into a RICT, and while in a RICT, the operable train will be protected. With regard to meeting Regulatory Guide (RG) 1.93, "Availability of Electric Power Sources" (ADAMS Accession No. ML090550661), it should be noted that RGs are one acceptable way to meet a regulation, but they are neither requirements, nor the only way to comply. Although RG 1.93 contains good guidance for assisting the review of deterministic applications to ensure the adequacy of the offsite power system, RG 1.93 should not be solely depended on while reviewing a risk-informed application as it did not factor in risk insights.

Furthermore, Section C, "Regulatory Position," of RG 1.93 states: "If there is any inconsistency with respect to CTs between this regulatory guide and the plant-specific technical specifications, the plant-specific technical specification should be used."

As a result of this issue, no changes were made to the subject document.

My analysis of the NCP disposition:

I carefully reviewed the above disposition provided by the NCP approver and the document signer (TS Branch Chief) and determined that the response falls short in that the concern was not regarding single failure criteria or operability of the vital ac or dc system, it is questioning whether the extension of CT specified in the plant-technical specifications can be done safely without clearly understanding and evaluating the consequences to the plant's accident mitigation systems. This is because protection and control systems logics are made of 4 channels derived from two trains of DC systems and exposure to unavailability of two channels for a longer duration and potential voltage spikes or transient to other operable channels could complicate the RPS, ESF, ESFAS, and ECCS systems could complicate safe shutdown of the plant. Neither the NRC nor the industry addressed these issues in the past when NSSS vendors such as GE and Westinghouse approached NRC for longer bus outages longer than recommended in vital ac and dc systems. The RICT program directly contradicts with the safety system design principles and design requirements specified in various GDCs and regulations established by the Commission for nuclear power plant operation for ensuring reasonable assurance of safety without endangering the health and safety of the public.

I also noted that the statement in NCP disposition which states that it should be noted that RGs are one acceptable way to meet a regulation, but they are neither requirements, nor the only way to comply, is concerning to me because neither the NCP response nor the revised TSTF-505 and model safety evaluation addressed this issue (alternative way of meeting RG 1.93).

Discussion:

Section 2.2.2 of TSTF 505, Technical Specification [5.5.15/5.5.18] Risk-Informed Completion Time Program states:

Technical Specification [5.5.15/5.5.18], which describes the RICT Program, would be added to the TS and reads as follows:

Risk Informed Completion Time Program

This program provides controls to calculate a Risk Informed Completion Time (RICT) and must be implemented in accordance with NEI 06-09-A, Revision 0, Risk-Managed Technical Specifications (RMTS) Guidelines. The program shall include the following:

The RICT may not exceed 30 days;

Based on the above, highly safety-significant electrical subsystems such as battery and inverters could be inoperable for up to 30 days when plant is at Mode 1, 2, 3, and 4. This is inconsistent with NRC regulatory position established in Regulatory Guide 1.93 for availability of electric power sources. Since NRC staff has not performed any analyses to determine the consequences to the plant's safety systems such as RPS, ECCS, and ESF, a design basis event or AOOs coupled with a concurrent transient to the remaining power supplies could put the plant in an analyzed condition. For this reason, these electric power sources should be excluded from the RICT program. In addition, these conditions have never been analyzed by NSSS vendors. In addition, these systems are required for mitigating beyond design basis events. This is further discussed in Issue No. 3 below.

The CT for DC power supply outage time is limited to 2 hours in the current TS. This was based on the duration the battery can sustain adequate voltage while supplying the operational loads in the absence of a charger and still retaining sufficient capacity to safely bring the plant to an orderly shutdown. In order to increase this limit to more hours (30 days considered as back stop), the impact of reduced voltage on the DC power and consequently vital AC power degradation was not specifically addressed. Because of this control system vulnerabilities, RG 1.93 makes the statement The licensee should closely monitor the required functions of the DC system during the shutdown process and take necessary actions (such as cross-connecting a supply or shedding optional loads) to ensure safe shutdown to be sensitive to the potential complications from degraded DC voltage. The LAR review for 4b, with primary focus on PRA, has not addressed the power supply outage limitations in RG 1.93 or how such vulnerabilities are compensated in the extension of outage time.

A plant-specific design bases evaluation is required to consider only single failure as in loss of voltage and not a degrading voltage condition for DC power and logic control systems.

Therefore, if the outage time is extended as allowed by 4b program, the evaluation should include factors such as impact of reduced voltage and its consequences such as assessing the failure mode from a degrading voltage, the acceptability of the variety of failure modes in the RPS, ESF, and ECCS logic functions, and its independent and collective impact on plant safety.

The nuclear system suppliers and Architect Engineers have not consistently designed 2/4 logic systems with desirable failure modes for voltage degradation. In certain cases, the safety related logic systems were designed with 2/3 channels for actuation. The power supply for actuation logic is derived from 2 divisions into 4 instrument channels. Loss/degradation of one division of control power, needs to be addressed for relaxing the outage time to avoid potential entry into an unanalyzed condition. A logic designed from 2/3 may be blocked by a degradation in the source that feed 2 channels or it could lead to a spurious actuation and such control and actuation relay logic is not modeled in PRA. As discussed in the Information Notices below, such inappropriate actuations were experienced in the opening of power-operated relief valve and containment sump recirculation actuation. The designers found it difficult to fix the failure modes and therefore settled to increase reliability of power and avoid such undesirable results.

International operating event such as Forsmark-BWR event in Sweden revealed that where logic system failures resulted in unsafe operating conditions and created a LOCA by opening dump valves while the degraded injection system attempted to keep the core covered. This condition originated from a common cause, an electrical fault and a consequential voltage spike that originated from 400 kV switchyard. The undesirable failure mode of UPS failure from voltage transient, to more than one channel exacerbated the plant transient making it difficult to keep the core covered. Below are further examples I found of such exacerbating failure modes of control system failures from control power supply issues in US plants.

(1) Information Notice 1997-81: Deficiencies in Failure Modes and Effects Analyses for Instrumentation and Control Systems

On May 15, 1997, while Waterford Unit 3 was at 100-percent power, the licensee discovered that in the postulated conditions of a LOCA with one RWST-level monitoring channel placed in a tripped state [as allowed by the Technical Specifications], if a single failure, such as a failure of another RWST-level channel occurs, a potential for premature initiation of the recirculation mode exists [when containment sump is empty]. In another situation, with one channel of steam generator (SG) differential pressure (DP) instrumentation associated with the emergency feed water actuation signal placed in a tripped state, an event such as a main steam line break or a feed water line break concurrent with a single failure such as loss of another SG DP instrument channel, results in a potential for not isolating the faulted SG from the emergency feed water supply line (LER 97-16, Accession No: 9706180379).

On October 30, 1996, while ANO-2 was at 100-percent power, the licensee discovered that while one plant protective system (PPS) channel is in bypass, a scenario consisting of a LOOP concurrent with a single failure, such as a loss of the train A dc bus, would result in a failure of certain engineered safeguard function (ESF) systems to actuate automatically. ESF systems that would be affected are the containment isolation system (CIS), containment spray system (CSS), and emergency feedwater system (EFWS). The consequence of a dc bus failure alone could lead to the same failures with loss of off-site power and loss of on-site power in the affected train (LER 96-04-01, Accession No: 9702120360).

(2) Information Notice 1993-11: Single Failure Vulnerability of Engineered Safety Features Actuation Systems

If power is lost to either one of the two dc vital buses, both the safety injection actuation signal and sump recirculation actuation signal would be simultaneously initiated. The recirculation actuation signal would result in tripping all low pressure injection pumps. Also, the spurious sump recirculation actuation signal would cause one of the containment sump outlet valves to open. [Pumps coming on with no water available for suction.] It is to be further noted that the CE plants of this vintage had to disable two of the 2/4 logic system because the design could not be modified to desirable failure mode against all the scenarios to be addressed.

The loss of all dc power to one actuation train would cause a power-operated relief valve in the other train to open. In addition, when control power alone is lost to only the sensor cabinets in a single actuation train, spurious high pressurizer pressure signals would cause the relief valves in both trains to open. Both cases would result in a loss of primary coolant.

(3) LER 2010-003-001 from Clinton Power Station

It was reported that during full power operation, several containment isolation valves closed and several components were tripped. The actuations were the result of Division 2 load driver card that spuriously actuated its loads without a valid Loss of Coolant Accident signal or a manual initiation signal and it was reported to NRC. The root cause was not identified until a spurious actuation happened in Division 1. The cause of the actuation was a slight voltage degradation to the Self Diagnostic System card. The same system was utilized in the reactor protection and emergency core cooling systems.

This event further illustrates the greater sensitivity of electronic digital equipment to slight voltage degradations. In this specific case it was serendipitous that the failure did not lead to an unsafe condition because the design does not account for this failure mode. Depending on the application, it could fail to actuate, not actuate, or lock up and the load relay could lead the plant to an unanalyzed condition and challenge plant safety.

It should be noted that problems of this nature could remain unnoticed because the DC bus and TSs review responsibility comes under electrical branch but impact of the bus voltage degradation/interruption affects the control systems under I&C review.

It should also be noted that Westinghouse Owners Group had requested NRC to approve DC bus CT extension (Ref. WCAP-15622-NP, ADAMS #ML011770404) on June 15, 2001. This request was withdrawn because the owners group could not provide answers to the safety concerns on the logic system failure modes presented and those issues remain unaddressed while the 4b RICT program (NEI 06-09) was approved for CT extension.

Based on my review of the revised TSTF 505 and the model SE, the revised documents neither addressed technical and regulatory concerns nor provided any reasonable technical justifications why a plant can operate safely with one train of dc power system inoperable for up to 30 days without endangering the health and safety of the public. The operating events discussed above indicate that it is not safe to operate without fulfilling the LCO requirements specified in current approved TSs (2 hours CT).

Issue No. 3: Because the TSTF-505 or 4b approval methodology allows extending the CT of an inoperable DC system, a plant is no longer able to meet the station blackout initiating event requirements in accordance with 10 CFR 50.63, Loss of all alternating current power, or an extended loss of AC power per Order EA-12-049, "Order Modifying Licenses with Regard To Requirements for Mitigation Strategies for beyond Design Basis External Events," (ADAMS Accession No. ML12054A735), when systems such as DC and Diesels are unavailable. This is a safety concern that should have been addressed before the NRC approved TSTF 505, Revision 2, and lifted the suspension on the use of TSTF-505.

NCP disposition states: The Westinghouse Standard Technical Specifications (NUREG-1431) and the statement of considerations for the station blackout (SBO) rule (10 CFR 50.63, Loss of all alternating current power) along with the NRC endorsed implementing document for the mitigating strategy order (NEI 12-06, Revision 4) were reviewed. TSs establish minimum equipment requirements for operation and these limits are derived from the plant's accident analyses. In recognition of the need to perform maintenance or to respond to emergent equipment failures, the TSs specify remedial actions for various plant conditions with attendant CTs. While in a TS LCO action statement, the plant is in a configuration that does not meet its design basis accident analysis. It is reasonable that a similar concept is applicable for the SBO and mitigating strategy analyses.

NEI 12-06, Revision 4, addresses unavailability of FLEX equipment, but does not provide a discussion of any credited plant equipment, nor does it contain any discussion with respect to SBO. The limits on unavailability of equipment for the purpose of responding to design basis accidents in TSs are equal to or more conservative than those for beyond design basis accidents. Therefore, this concern does not preclude issuance of TSTF-505, Revision 2.

Clarification of the relationship between TSs and beyond design basis equipment and strategies may be considered in future guidance development.

As a result of this issue, no changes were made to the subject document.

My analysis of the NCP disposition:

This concern was recently during the review of a LAR concerning TS changes for battery subsystem CTs. Although there are no TS requirements for complying with station blackout (SBO) rule, plant Batteries are required to mitigate an SBO scenario in accordance with 10 CFR 50.63. Specifically, the rule requires that each nuclear power plant must be able to withstand for a specified duration and recover from a station blackout as defined in § 50.2.

There are 44 nuclear power plant units that mitigate SBO scenario using plant batteries (coping for 4 hours) without load shedding (ac-independent coping). Typically, at the end of four hours, the licensee has to recover one of the four sources (offsite circuits or diesel generators).

For this reason, the licensee has to maintain both trains of batteries available and operable to recover from an SBO. Since the probability of power restoration is based on all four power sources, to maintain consistency with assumptions used for compliance with SBO rule, redundant trains of DC power need to be available to start the first available onsite source or offsite source and close the appropriate breakers. If the plant wants to rely only on a single DC power source for SBO compliance, then the probabilistic risk analyses and coping analyses performed for compliance with 10 CFR 50.63 for a four hour coping duration are no longer valid (i.e., nuclear power plant may not be able to withstand for a specified duration and recover from a station blackout). This is a concern.

In addition, all current operating plants are required to meet NRC's Mitigating Strategy Order EA-12-049 (ELAP), and 10 CFR 50.155. For flex strategy phase 1, all licensees assume that both trains of batteries are operable and available. This is because no failures are assumed for beyond design basis events. Also, licensees typically use load shedding features to extend the coping duration of batteries to support core cooling until the plant transitions to phase 2 strategy (typically 16 hours). If 4b is implemented, the batteries for one train not be available up to 30 days for meeting both the SBO or ELAP requirements. This is a significant safety concern that should have been addressed before the NRC issued TSTF 505, Revision 2 and lifting the suspension on the use of TSTF-505 until all issues have been satisfactorily resolved. The Commission should have been made aware of this safety concern when it issued the final ELAP rule.

Based on my review of the revised TSTF 505 and the model SE, the revised documents neither addressed my technical and regulatory concerns nor provided any reasonable technical justifications why the plants can operate safely with one train of dc power system inoperable for up to 30 days which would impact mitigation of beyond design basis events such as SBO and ELAP and jeopardize safe shutdown of operating nuclear power plants.

Document 2: Memo Establishing DPO Panel

J. Bowen, et al. The DPO Panel has a critical role in the success of the DPO Program. Your responsibilities for conducting the independent review and documenting your conclusions in a report are addressed in the handbook for MD 10.159 in Section II.F and Section II.G, respectively. The DPO Web site also includes helpful information, such as a Differing Views Best Practices Guide, tables with status information and timeliness goals for open DPO cases, and closed DPO case files (which include DPO panel reports). We will also be sending you additional information that should help you implement the DPO process.

Timeliness is an important DPO Program objective. Thus, the disposition of this DPO should be considered an important and time sensitive activity. Although the DPO MD identifies a timeliness goal of 75 calendar days for the DPO panel review and report and 21 additional calendar days for the issuance of a DPO Decision, the DPO Program also sets out to ensure that issues receive a thorough and independent review. Therefore, the overall timeliness goal will be based on the significance and complexity of the issues, schedule challenges, and the priority of other agency work. Process Milestones and Timeliness Goals specific to this DPO will be discussed and established at a kick-off meeting.

Communication of expected timelines and status updates are important in the effectiveness and their overall satisfaction with the Differing Views Program. If you determine that your activity will result in the need for an extension beyond your timeliness goal, please send an e-mail to Mr. Nieh, the DPO submitter, and DPOPM.Resource@nrc.gov and include the reason for the extension request and a proposed completion date for your work. Mr. Nieh is responsible for subsequently forwarding the request for a new DPO Decision issuance timeliness goal to the EDO for approval.

An important aspect of our organizational culture includes maintaining an environment that encourages, supports, and respects differing views. As such, you should exercise discretion and treat this matter appropriately. Documents should be distributed on an as-needed basis.

In an effort to preserve privacy, minimize the effect on the work unit, and keep the focus on the issues, you should simply refer to the employee as the DPO submitter. Avoid conversations and refrain from behaviors that could be perceived as retaliatory or chilling to the DPO submitter or that could potentially create a chilled environment for others. It is appropriate for employees to discuss the details of the DPO with their co-workers as part of the evaluation; however, as with other predecisional processes, employees should not discuss details of the DPO outside the agency. If you have observed inappropriate behaviors, heard allegations of retaliation or harassment, or receive outside inquiries or requests for information, please notify me or Ian Gifford.

On an administrative note, please ensure that all DPO-related activities are charged to Activity Code ZG0007. Managers should report time to their Management/Supervisor Activity Code. Administrative Assistants should report time to their Secretary/Clerical Activity Code.

We appreciate your willingness to serve and your dedication to completing a thorough and objective review of this DPO. Successful resolution of the issues is important for NRC and its stakeholders. If you have any questions or concerns, please feel free to contact me or Ian Gifford. We look forward to receiving your independent review results and recommendations.


Enclosures:

1. DPO-2020-001 Submittal
2. Process Milestones and Timeliness Goals

cc: H. Nieh, NRR A. Veil, NRR M. Gavrilas, NRR R. Taylor, NRR R Mathew, NRR B. Titus, NRR L. Lund, RES N. Taylor, RIV L. Betancourt, NRR C. De Messieres, NRR G. Wilson, OE F. Peduzzi, OE D. Solorio, OE G. Figueroa-Toledo, OE I. Gifford, OE

Document 3: DPO Panel Report

A. Veil potential impact on plant safety. The panel's perspective is that improvements in NRC/industry documentation on the implementation and acceptability of TSTF-505 could have potentially enhanced the clarity of the decision-making process.

We also offer the following recommendations for your consideration:

There are many different configurations of electrical transmission and distribution systems in use by licensees and there are numerous system interactions and interdependencies. The panel recommends stressing the need for independent technical review of plant specific configurations and probabilistic risk assessments to avoid approval of applications based on comparisons to a standardized model of electrical power systems.

Consideration should be given to developing guidance for handling duplicative concerns identified in future differing views submittals (non-concurrence or DPO) to clearly separate issues of concern that are unresolved (or open) as part of other submittals that are undergoing disposition. Clarity should be provided to the submitter when the submittal is accepted into the process.

Please do not hesitate to contact us if you have any questions regarding the enclosed report.

Enclosure:

DPO Panel Report

cc: J. Tappert, NRR L. Betancourt, NRR C. De Messieres, NRR G. Wilson, OE F. Peduzzi, OE D. Solorio, OE I. Gifford, OE J. Thompson, OE

INTRODUCTION

On July 21, 2020, a U.S. Nuclear Regulatory Commission (NRC) staff member filed a Differing Professional Opinion (DPO) in accordance with NRC Management Directive 10.159, The NRC Differing Professional Opinions Program. The DPO involved Technical Specifications Task Force (TSTF) Traveler TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b, dated July 2, 2018 (Agencywide Documents Access Management System (ADAMS) Accession No. ML18183A493). The submitter's concerns were that the issues identified in NCP-2018-009 (ADAMS Accession No. ML18310A175, submitted on October 3, 2018) were not resolved consistent with NRC requirements and staff positions.

The NRC's Office of Enforcement accepted the DPO on July 28, 2020, and assigned the DPO case number DPO-2020-001. By memorandum dated August 11, 2020, (ADAMS Accession No. ML20224A277), the Office of Enforcement established an Ad Hoc Review Panel (the panel) to perform a review of the DPO. The panel developed a draft Summary of Issues (SOI) and shared it with the submitter on September 14, 2020. Based on subsequent discussions and feedback from the submitter, a final SOI was agreed to by the DPO panel and the submitter on September 22, 2020. The final SOI is documented in the next section.

The panel was tasked with reviewing the individual DPO issues and providing conclusions, and recommendations, if necessary. Following initial discussions with the submitter and development of the SOI, the panel performed its review by collecting and reviewing documents and interacting with knowledgeable NRC staff. A list of documents reviewed is provided as Appendix A to this report.

SUMMARY OF ISSUES (SOI)

Based on a review of the DPO submittal, the panel identified that the individual concerns could be grouped into three distinct areas. Based on a review of the DPO submittal and associated references as well as an interview with the submitter, the following issues were identified:

Overarching Issue: TSTF-505, Revision 2 allows electrical power systems to be inoperable for up to 30 days, in accordance with a risk-informed completion time (RICT) program, which could result in a plant not meeting regulatory requirements or being in an unanalyzed condition.

Specific Issue 1: TSTF-505, Revision 2 allows for complete loss of a safety function of offsite electric power system, specifically, the offsite power system function through loss of both circuits of offsite power.

Submitter's Recommended Resolution: The loss of offsite power sources should be excluded from the RICT program.

Specific Issue 1A: The basis provided in the TSTF-505, Revision 2, and model safety evaluation (SE) does not comply with the NRC design basis requirements for offsite power system (i.e., an onsite electric power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety).

Specific Issue 1B: NRC approval was based on interpretation of Technical Specifications definition of operability of a system (e.g., non-electric power system such as high pressure safety injection (HPSI)) and not based on design basis requirements specified in design and licensing basis requirements for an electric power system (limiting conditions for operation in accordance with 10 CFR 50.36(c)(2)).

Specific Issue 2: TSTF-505, Revision 2 allows a licensee to change the Completion Times (CTs) for limiting conditions for operation (LCOs) for structures, systems, and components (SSCs) such as vital alternating current (AC) buses (inverters) and one train of direct current (DC) sources without clearly understanding and evaluating the consequences to the plant's accident mitigation safety systems (transients, potential loss of safety functions, unanalyzed conditions, and single failures).

Submitter's Recommended Resolution: These electric power sources should be excluded from the RICT program.

Specific Concern 2 is duplicative of a concern identified in DPO-2016-003, which is currently under appeal review by the Executive Director for Operations (EDO).

Specifically, Concern 1 in the DPO-2016-003 appeal stated, "The concerns raised in the DPO was not addressed. EEEB staff raised several concerns questioning the safety evaluation for approving TSTF-505 and TR NEI 06-09. The most significant safety concern is that for allowing a licensee to change the Completion Times (CTs) for LCOs for SSCs such as AC and DC electric power systems based on risk without clearly understanding and evaluating the consequences to the plant's accident mitigation safety systems (loss of safety functions and single failures)." The submitter further stated in the appeal, "DPO-2016-003 disposition stated that 'Given that RISTF Initiative 4b is currently suspended, has been extensively revised, and is out for comment, the submitter's suggested remedies for this concern have been addressed.' Based on my review of the response, that is not correct."

The submitter communicated to the DPO-2020-01 panel that Specific Concern 2 was included because the issue has yet to be addressed (including with the issuance of Revision 2 to TSTF-505) and the submitter's suggested remedy has not been assessed. The ad-hoc panel for DPO-2020-001 communicated to the Office of Enforcement (OE) and OEDO that the submitter continues to have this concern. This specific issue is not a newly identified issue of concern. Following consultation with the Director of OE, this specific issue of concern will not be assessed by the ad-hoc panel for the DPO-2020-001 review. This is because this is not a new issue of concern and because DPO appeals are dispositioned at a higher level than DPOs. The specific issue of concern is already being assessed as part of the DPO-2016-003 appeal and will be dispositioned as part of that process.

Specific Issue 3: TSTF-505, Revision 2 allows onsite and offsite power systems to be inoperable in a manner that could result in a plant not meeting the station blackout requirements specified in 10 CFR 50.63 or the extended loss of all AC requirements of Order EA-12-049 and 10 CFR 50.155. These systems being inoperable changes the assumptions associated with these beyond-design-basis requirements and are unintended consequences from the NRC approving the TSTF-505 program.

Submitter's Recommended Resolution: These electric power sources should be excluded from the RICT program.

BACKGROUND

TSTF-505, Revision 1, Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b, and a model SE were announced in the Federal Register (77 FR 15399) on March 15, 2012. The NRC staff identified areas requiring further review related to TSTF-505, Revision 1, during its review of plant-specific license amendment requests (LARs) to adopt a RICT program.

The NRC staff notified the TSTF of its concerns in a letter dated November 15, 2016, and suspended its approval of Revision 1 at that time (ADAMS Accession No. ML16281A021). The staff elaborated on these concerns during a subsequent public meeting on December 13, 2016 (ADAMS Accession No. ML16336A498). The TSTF submitted a response to the NRC staff's identified issues in a letter dated September 27, 2017 (ADAMS Accession No. ML17290B229).

The NRC staff prepared a draft revised traveler denoted as TSTF-505, Revision 2, along with drafts of a table of revised retained technical specification (TS) actions and a table listing the TS actions that require additional justification if an applicant elects to include them in the scope of its RICT program. The NRC staff also prepared a draft revised model SE and a revised model application. These documents were provided to the TSTF by letter dated May 1, 2018 (ADAMS Accession No. ML17290A003), for review and comment. The TSTF commented on the documents, provided editorial corrections, and provided a new Revision 2 of TSTF-505 (including model application) by letter dated July 2, 2018 (ADAMS Accession No. ML18183A493).

On November 21, 2018 (ADAMS Accession No. ML18310A171), the NRC staff approved Revision 2 of TSTF-505 and lifted the suspension on the use of TSTF-505. The model SE provided the format and content to be used when preparing the plant-specific SE of a LAR to adopt TSTF-505. The model SE explained that the methodology is based on the Nuclear Energy Institute (NEI) Topical Report 06-09, Revision 0-A (NEI 06-09-A), Risk-Informed Technical Specifications Initiative 4b, Risk-Managed Technical Specifications (RMTS) Guidelines, November 2006 (ADAMS Accession No. ML12286A322). NEI 06-09-A provides a methodology for extending existing CTs and thereby delay exiting the operational mode of applicability or taking required TS actions if risk is assessed and managed within the limits and programmatic requirements established by a RICT program.

EVALUATION

The following provides the Panel's evaluation of each concern identified in the Summary of Issues. In several instances, the Panel referred to the original DPO submittal and conversations with the submitter to ensure the evaluation considered all aspects of the issue.

Issue 1

TSTF-505, Revision 2 allows for complete loss of a safety function of offsite electric power system, specifically, the offsite power system function through loss of both circuits of offsite power.

Specific Issue 1A: The basis provided in the TSTF-505, Revision 2, and model safety evaluation (SE) does not comply with the NRC design basis requirements for offsite power system (i.e., an onsite electric power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety).

Specific Issue 1B: NRC approval was based on interpretation of Technical Specifications definition of operability of a system (e.g., non-electric power system such as HPSI) and not based on design basis requirements specified in design and licensing basis requirements for an electric power system (limiting conditions for operation in accordance with 10 CFR 50.36(c)(2)).

Discussion and Evaluation

Regulatory requirements and definitions

The first issue concerns alignment of TSTF-505 with regulatory requirements. In evaluating the submitter's concerns, the panel performed an independent review of the relationship of TSTF-505 to the regulatory requirements associated with the electrical power distribution system and the TSs. A complete listing of the regulatory requirements considered by the panel is provided as Appendix B to this report. Selected references are discussed below.

General Design Criterion (GDC) 17, Electric power systems states, in part:

An onsite electric power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety. The safety function for each system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents.

GDC 20 Protection system functions states:

The protection system shall be designed (1) to initiate automatically the operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences and (2) to sense accident conditions and to initiate the operation of systems and components important to safety.

10 CFR 50.36(c)(2), Limiting conditions for operation, states, in part:

Limiting conditions for operation are the lowest functional capability or performance levels of equipment required for safe operation of the facility. When a limiting condition for operation of a nuclear reactor is not met, the licensee shall shut down the reactor or follow any remedial action permitted by the technical specifications until the condition can be met.

10 CFR 50.65, Requirements for monitoring the effectiveness of maintenance at nuclear power plants states, in part:

(a)(1) Each holder of an operating license for a nuclear power plant under this part and each holder of a combined license under part 52 shall monitor the performance or condition of structures, systems, or components, against licensee-established goals, in a manner sufficient to provide reasonable assurance that these structures, systems, and components, as defined in paragraph (b) of this section, are capable of fulfilling their intended functions.

(4) Before performing maintenance activities (including but not limited to surveillance, post-maintenance testing, and corrective and preventive maintenance), the licensee shall assess and manage the increase in risk that may result from the proposed maintenance activities. The scope of the assessment may be limited to structures, systems, and components that a risk-informed evaluation process has shown to be significant to public health and safety.

(b) The scope of the monitoring program specified in paragraph (a)(1) of this section shall include safety-related and non-safety-related structures, systems, and components, as follows:

1) Safety-related structures, systems and components that are relied upon to remain functional during and following design basis events to ensure the integrity of the reactor coolant pressure boundary, the capability to shut down the reactor and maintain it in a safe shutdown condition, or the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposure...
2) Non-safety-related structures, systems, or components:
i. That are relied upon to mitigate accidents or transients or are used in plant emergency operating procedures; or
ii. Whose failure could prevent safety-related structures, systems, and components from fulfilling their safety-related function; or
iii. Whose failure could cause a reactor scram or actuation of a safety-related system.

To ensure clarity, the panel also felt it was important to reference the accepted definition of the following specific regulatory terminology associated with this issue:

Anticipated operational occurrences: From 10 CFR Part 50, Appendix A, anticipated operational occurrences mean those conditions of normal operation which are expected to occur one or more times during the life of the nuclear power unit and include but are not limited to loss of power to all recirculation pumps, tripping of the turbine generator set, isolation of the main condenser, and loss of all offsite power.

Important to Safety: The GDC use the term Important to Safety and defines it in the introduction section as, The principal design criteria establish the necessary design, fabrication, construction, testing, and performance requirements for structures, systems, and components important to safety; that is, structures, systems, and components that provide reasonable assurance that the facility can be operated without undue risk to the health and safety of the public. NRC Generic letter GL-84-01, NRC Use of the Terms, Important to Safety and Safety-Related, dated January 5, 1984, and the memorandum from Harold R. Denton to all NRR personnel, Standard Definitions for Commonly-No. ML111230453), provides additional guidance concerning important to safety and safety-related Safety Systems and Components (SSCs):

o Those SSCs that provide reasonable assurance that the facility can be operated without undue risk to the health and safety of the public
o Encompasses the broad class of plant features, covered (not necessarily explicitly) in the General Design Criteria, that contribute in important way to safe operation and protection of the public in all phases and aspects of facility operation (i.e., normal operation and transient control as well as accident mitigation)
o Includes Safety-Grade (or Safety-Related) as a subset

Single failure. From 10 CFR Part 50, Appendix A, a single failure means an occurrence which results in the loss of capability of a component to perform its intended safety functions.

Operable-Operability: The Standard TSs define, Operability Determinations, a system, subsystem, train, component, or device shall be OPERABLE or have OPERABILITY when it is capable of performing its specified safety function(s) and when all necessary attendant instrumentation, controls, normal or emergency electrical power, cooling and seal water, lubrication, and other auxiliary equipment that are required for the system, subsystem, train, component, or device to perform its specified safety function(s) are also capable of performing their related support function(s).

Evaluation of TSTF-505 for conformance with design basis requirements

Specific Issue 1A concerns compliance with the NRC design basis requirements. In its evaluation, the panel considered the design criteria of the electrical power system, which is principally outlined in GDC 17. GDC 17 has several components that form the design basis requirements for an offsite power system, and the panel evaluated each component separately.

1. GDC 17 Requirement: An onsite electric power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety.

Panel Assessment: All plants have been licensed for conformance to this requirement, having an offsite and onsite power system. TSTF-505 Revision 2 does not allow licensees to make changes to this requirement.

2. GDC 17 Requirement: The safety function for each system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that

Panel Assessment: All plants have been licensed for conformance to this requirement. The capacity and capability of the power sources remains part of the current licensing basis of all plants. TSTF-505 Revision 2 does not allow licensees to make changes to this requirement.

3. GDC 17 Requirement: (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents.

Panel Assessment: The GDC presumes other systems will be unavailable. The safety function of the electrical distribution system is to supply electrical power to necessary safety equipment to maintain critical functions associated with core cooling, spent fuel cooling and containment. Although the offsite power system is the preferred power source, it is not designed or assumed to withstand an external event outlined in GDC 2, Design bases for protection against natural phenomena. The NRC does not allow both credited emergency AC power sources to be inoperable under the RICT program.

Hence the loss of two offsite sources would be acceptable. Anticipated Operational Occurrences (see definition above) include consideration of loss of offsite power and are adequately addressed in accident analyses. The overall conformance to core cooling and containment integrity are demonstrated in accident analyses with or without offsite power.

Relationship between design basis and operability

Design basis and licensing basis are not necessarily equivalent. While design basis supports construction approval, licensing basis reflects the plant's currently approved configuration and operation. The licensing basis may differ from the original design basis. In May 2013, the NRC issued Regulatory Issue Summary (RIS) 13-05, NRC Position on the Relationship between General Design Criteria and Technical Specification Operability. In addition to clarifying the relationship between the GDC and the TSs, the RIS clarified the process for addressing any SSC nonconforming condition with the GDC, as incorporated into a plant's current licensing basis (CLB). Section 54.3 to 10 CFR Part 54, Requirements for Renewal of Operating Licenses for Nuclear Power Plants, provides the definition of Current Licensing Basis.

As outlined in the RIS, the GDC and the TS differ from each other in that the GDC specify the NRC's requirements for the design of nuclear power reactors, whereas the TS are included in the license and specify requirements for the operation of nuclear power reactors. As such, the GDC cover a broad category of SSCs that are important to safety, including those SSCs that are covered by TS. The RIS identifies the staff position that failure to meet GDC, as described in the licensing basis (e.g., nonconformance with the CLB for protection against flooding, seismic events, tornadoes), should be treated as a nonconforming condition and is an entry point for an operability determination if the nonconforming condition calls into question the ability of SSCs to perform their specified safety function(s) or necessary and related support function(s). Consistent with this guidance, loss of offsite power is considered a nonconforming condition and appropriate entry into the LCO is made after determining operability of TS related SSCs.

TS LCOs are the lowest functional capability or performance levels of equipment required for safe operation of the facility. The Final Safety Analysis Report (FSAR) documents the conformance of the plant design to the regulations. The analyses in the FSAR form the bases from which the TS are derived. The specific values, functions, or equipment required by the TS under normal conditions are selected to assure that the system or component will be able to carry out its design functions under accident and transient conditions, including maintenance of defense-in-depth. 10 CFR 50.36(c)(2)(ii) discusses establishment of LCO for functions, not specific types of systems. CTs in the TSs were originally established using experiential data, risk insights, and engineering judgment. They are generic. RICT allows for assessment of plant-specific configuration. RICT uses plant-specific operating experience for component reliability and availability data. Allowances permitted by the RICT program are directly reflective of actual component performance in conjunction with component risk significance.

Relationship to the maintenance rule

A RICT established in accordance with TSTF-505, Revision 2 must continue to adhere to other regulatory requirements, and licensees must identify and assess the potential impacts of implementing RICT to SSCs. Before performing maintenance activities, the licensee must assess and manage the increase in risk in accordance with the requirements of 10 CFR 50.65.

The maintenance rule provides the scope of the monitoring program to include safety-related and non-safety-related SSCs which can be considered important to safety. The intent of the maintenance rule is to provide reasonable assurance that: (1) equipment important to safety identified for monitoring will be reliable and readily available when required to perform its intended function, and (2) equipment important to safety will not cause a reactor scram or actuation of safety-related system. The following examples illustrate cases where extended plant operation, without offsite power available immediately, may be construed as contrary to requirements of 10 CFR 50.65, as they result in reactor scram and actuation of safety related systems:

a. Non-safety-related service water (NSW) systems are used in some plants to support the Ultimate Heat Sink (UHS) maintain inventory and/or support operation of safety-related cooling water system required to operate for 30 days - as assumed in accident analysis and required by Regulatory Guide 1.27, Ultimate Heat Sink For Nuclear Power Plants.

In such designs, the NSW system should be considered important to safety and in the category "Whose failure could prevent safety-related structures, systems, and components from fulfilling their safety-related function." Since the NSW system is supplied from offsite power sources only, plant operation without offsite power available will preclude operation of NSW system. The current Probabilistic Risk Assessment (PRA) considers the allowable RICT based on a 24-hour mission time for mitigating the consequences of an accident. The NSW system is therefore not considered in PRA as the safety-related cooling water systems can operate without the NSW for more than 24 hours.

b. Circulating water and vacuum pumps are required to maintain main generator condenser vacuum. Reactor coolant pumps or recirculation pumps are needed to maintain forced circulation in the reactor coolant system. These non-safety-related systems are powered from offsite power system and are designed to be readily available upon unit trip and fast transfer of the buses powered by the main generator. When the offsite power source is not available for an extended duration, a potential reactor trip will result in loss of these non-safety-related loads and result in actuation of safety-related system.

In addition, the reactor scram under these conditions will impose a pressure and thermal transient which is contrary to the intent of 10 CFR 50.65 to minimize reactor trips, avoid unnecessary actuation of safety systems and preclude thermal transients.

The RICT Program separately monitors cumulative risk exposure for the whole plant. The program requires that the licensee address situations where use of the RICT program causes an increase in risk greater than a small change in risk (i.e., 1E-5 core damage frequency (CDF) and 1E-6 LERF) as assessed against the guidelines in Regulatory Guide (RG) 1.174. This assessment is performed every refueling cycle and at least every two years. Similarly, SSC unavailability resulting from a RICT must be factored into calculation of maintenance rule risk assessments. This additional facet of the RICT Program and the nexus to the maintenance rule provides an additional, diverse, layer of monitoring and control for exposure to risk.

Furthermore, the RICT program is implemented in conjunction with the Reactor Oversight Process (ROP). The ROP includes Performance Indicators (PIs), a quantitative measure of an attribute of licensee performance that shows how well a plant is performing. If a licensee were to continually maneuver equipment in and out of TS Operability, it would eventually result in transitioning a PI from Green to White and so on, due to increasing equipment unavailability. Exceeding the PI thresholds would trigger additional regulatory oversight.

Relationship to the Station Blackout Rule

Conformance with the Station Blackout Rule is discussed under the evaluation associated with Issue 3.

Risk insights

The submitter also communicated concerns with adherence to the risk principles and the Commission's PRA Policy Statement.

The NRC's deterministic approach involves asking only what can go wrong and what are the consequences. Nonetheless, the NRC assumed that undesirable events can occur and required plant designers to include safety systems capable of preventing and/or mitigating the consequences of accidents. Through advances in knowledge, the Commission decided to implement risk-informed, and ultimately performance-based, approaches. The 1995 PRA Policy Statement (60 FR 42622) formalized the Commission's commitment to risk-informed regulation through the expanded use of PRA. The policy states, in part, "The use of PRA technology should be increased in all regulatory matters to the extent supported by the state of the art in PRA methods and data, and in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy."

The statements of consideration amplify that, "PRA methods have been applied successfully in several regulatory activities and have proved to be a valuable complement to deterministic engineering approaches. This application of PRA represents an extension and enhancement of traditional regulation rather than a separate and different technology." Regarding defense-in-depth, the statements of consideration state, "In the defense-in-depth philosophy, the Commission recognizes that complete reliance for safety cannot be placed on any single element of the design, maintenance, or operation of a nuclear power plant. Thus, the expanded use of PRA technology will continue to support the NRC's defense-in-depth philosophy by allowing quantification of the levels of protection and by helping to identify and address weaknesses or overly conservative regulatory requirements applicable to the nuclear industry."

RG 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-specific Changes to the Licensing Basis," provides guidance on the use of PRA findings and risk insights to support licensee requests for changes to a plant's CLB, as in requests for license amendments and TS changes. The RG describes an acceptable approach for assessing the nature and impact of proposed licensing basis changes by considering engineering issues and applying risk insights. These assessments should consider relevant safety margins and defense-in-depth attributes, including success criteria and equipment functionality, reliability, and availability. The analyses should reflect the actual design, construction, and operational practices of the plant.

Risk-informed decision-making requires an appropriate balance among risk insights, deterministic considerations, engineering judgment, defense-in-depth and safety margins. The TSTF-505, Revision 2 model SE includes reference to both the Commission's 1995 PRA Policy Statement and the risk principles and guidance in RG 1.174. Consideration of the Commission's PRA Policy Statement is an important element in regulatory decision-making.

The policy states that PRA methods should be used in a manner that complements the NRC's deterministic approach and supports the NRC's defense-in-depth philosophy (i.e. risk informed rather than risk based). Appropriate application of the RICT process enables the use of PRA information to complement traditional deterministic approaches and the defense-in-depth philosophy. RG 1.174, Revision 3 discusses considerations for evaluating the impact of a proposed licensing basis change that might adversely impact one or more of the layers of defense-in-depth. The RG provides seven considerations that should be used to evaluate the impact of such changes on defense-in-depth and delineates detailed guidance on how to apply these considerations.

PRA information can be used to reduce unnecessary conservatisms in current requirements, which is an objective called out in the policy statement. However, PRA information should not be considered independently. As discussed above, in the Background section of the panel report, the NRC staff determined that reductions in safety margins and defense-in-depth were not adequately evaluated for loss of function conditions proposed by TSTF-505 Revision 1. In a letter dated November 15, 2016 (ADAMS Accession No. ML16281A021), the staff identified concerns with PRA Functional and reduction in defense-in-depth. During a subsequent public meeting on December 13, 2016 (ADAMS Accession Nos. ML16336A498 and ML17124A030), the staff elaborated on these concerns and provided specific examples of TSs that should not be considered for RICT. The TSTF-505 Working Group (WG) provided a draft response to the staff's concerns in draft letter TSTF-17-01 (ADAMS Accession No. ML17037C193). By letter dated July 2, 2018 (ADAMS Accession No. ML18183A493), the TSTF WG provided proposed changes to the model SE and included a discussion of NRC staff concerns noted in the December 13, 2016 meeting.

In the model SE for TSTF-505, Revision 2, the NRC reviewer is directed to consider the plant-specific configuration and assess: (a) how the design success criteria for accomplishing safety functions are met, (b) the verification of remaining credited onsite power sources (e.g., emergency power sources, Emergency Diesel Generators (EDGs)), (c) the availability of supplemental electrical power sources/equipment, and (d) examples of the compensatory measures or risk management actions. Because there are many different configurations of electrical transmission and distribution systems in use by licensees, the independent technical review plays a vital role in ensuring defense-in-depth and safety margins will be maintained.

Furthermore, the standardized model PRA and related analyses are based on a simple single unit design. Multi-unit plants have shared electrical and process related systems. A PRA measuring the risk associated with a single reactor unit does not identify or measure the risk of interactions between units. Because of the increased level of interactions between reactor systems, the increased interactions and inter-dependencies for multi-unit sites would need to be addressed. There is no one-size-fits-all approach that will account for the design differences in plant configurations, making the rigorous review of plant specific configurations necessary to ensure application of RICT does not adversely impact safety. The panel stresses that a thorough technical review of plant specific configurations is necessary to ensure consistency with risk-informed principles, and stresses avoidance of blanket approval of applications based on comparisons to a standardized model of electrical power systems.

Consistent with the position that probabilistic and deterministic reviews should not be separate and distinct, in the public comments received on the PRA Policy Statement, one commentator stated that "the use of probabilistic analysis is simply an extension of deterministic analysis. They are not separate and distinctive concepts." In response, the Commission stated, "The Commission agrees with this concept." Since that time, the NRC has been working to improve the use of risk insights. On April 23, 2007, the ACRS sent a letter (ACRSR-2245) to the EDO concerning their briefing on Risk-Informed Technical Specifications Initiative 4b, Risk-Managed Technical Specifications Guidelines which concluded that ACRS concurred with the staff that the program requirements of NEI 06-09, Revision 0-A were acceptable for referencing by licensees proposing to amend their technical specifications to implement RMTS. Specifically, the ACRS commented that: "The major benefit of this initiative is that it provides flexibility to the licensees to operate the plants according to the risk associated with specific plant configurations. It heightens the operators' awareness of the existing risk profile of the plant and avoids unnecessary plant shutdowns."

Furthermore, on the relationship between risk and defense-in-depth, RG 1.174, Revision 3 discusses defense-in-depth as providing a reasonable balance among the defense layers. The defense-in-depth philosophy preserves a reasonable balance among avoidance of core damage, avoidance of containment failure, and consequence mitigation. The defense-in-depth philosophy is not impacted by appropriate implementation of TSTF-505, as licensees are not proposing any changes to the design of the plant or any operating parameter, no new operating configurations, and no new changes to the design basis. RG 1.174, Revision 3 states:

It is presumed that, before the implementation of the proposed licensing basis change, the as-built and as-operated plant is consistent with the defense-in-depth philosophy.

However, there might be situations in which a plant is not in compliance with its design basis or licensing basis or new information might arise indicating that the design basis or licensing basis is deficient. In such cases, the as-built and as-operated plant might not be consistent with the defense-in-depth philosophy before the implementation of the proposed licensing basis change. When this occurs, the licensee should ensure compliance with existing requirements (e.g., regulations, license conditions, orders, etc.) and address any non-compliances. When addressing these deficiencies or non-compliances, consideration should be given to the concepts in this document to help achieve consistency with the defense-in-depth philosophy.

Therefore, the existing balance between avoidance of core damage, avoidance of containment failure, and consequence mitigation should be preserved by ensuring that TS CTs do not result in a loss of multiple barriers associated with current plant configuration.

It is the assessment of the ad-hoc panel that the staff's approach with TSTF-505, Revision 2 is aligned with the philosophy outlined in the Commission's 1995 PRA Policy Statement and the principles in RG 1.174. A rigorous technical review using the guidance in RG 1.174, Revision 3 and the model SE, coupled with licensees' continued sensitivity to changes in plant conditions, provides reasonable assurance of adequate protection against accidents that could adversely affect the health and safety of the public. Though, as discussed above, inconsistent application of the risk-informed principles can lead to a lack of clarity in decisions about the application of a RICT program.

Conclusion - Issue 1

Specific issue 1A is related to design basis requirements, as delineated in the safety analyses of a nuclear power plant. The operability of SSCs required for mitigating the consequences of an accident is determined based on the availability of onsite or offsite power sources. Therefore, operability of these SSCs is maintained, despite a loss of offsite power. Based on the discussion above, the panel concludes that the staff position on TSTF-505 Revision 2 for allowing two offsite power systems to be inoperable, for an extended risk-informed duration, is in conformance with current NRC requirements.

Specific issue 1B is related to the relationship of TSs to design basis requirements. A loss of offsite power is considered a nonconformance with the GDC, necessitating entry into the LCO after determining operability. 10 CFR 50.36(c)(2)(ii) discusses establishment of LCO for functions, not specific types of systems. RICT allows for assessment of plant-specific configuration. Based on the discussion above, the panel concludes that the staff position on TSTF-505, Revision 2 is consistent with the design and licensing basis requirements for an electrical power system.

Recommendation - Issue 1

There are many different configurations of electrical transmission and distribution systems in use by licensees, and there are numerous system interactions and interdependencies. The panel recommends stressing the need for independent technical review of plant specific configurations and PRA to avoid approval of applications based on comparisons to a standardized model of electrical power systems.

Issue 2

TSTF-505, Revision 2 allows a licensee to change the Completion Times (CTs) for LCOs for SSCs such as vital alternating current (AC) buses (inverters) and one train of direct current (DC) sources without clearly understanding and evaluating the consequences to the plant's accident mitigation safety systems (transients, potential loss of safety functions, unanalyzed conditions, and single failures).

Discussion and Evaluation

Issue 2 is duplicative of a concern identified in DPO-2016-003, which is currently under appeal review by the Executive Director for Operations (EDO). Specifically, Concern 1 in the DPO-2016-003 appeal stated, "The concerns raised in the DPO was not addressed. EEEB staff raised several concerns questioning the safety evaluation for approving TSTF-505 and TR NEI 06-09. The most significant safety concern is that for allowing a licensee to change the CTs for LCOs for SSCs such as AC and DC electric power systems based on risk without clearly understanding and evaluating the consequences to the plant's accident mitigation safety systems (loss of safety functions and single failures)." The submitter further stated in the appeal, "DPO-2016-003 disposition stated that 'Given that RISTF Initiative 4b is currently suspended, has been extensively revised, and is out for comment, the submitter's suggested remedies for this concern have been addressed.' Based on my review of the response, that is not correct."

The submitter communicated to the DPO-2020-01 panel that Specific Concern 2 was included because the issue has yet to be addressed (including with the issuance of Revision 2 to TSTF-505) and the submitter's suggested remedy has not been assessed. The panel for DPO-2020-001 communicated with OE and OEDO that the submitter continues to have this concern. This specific issue is not a newly identified issue of concern. Following consultation with the Director of OE, this specific issue of concern will not be assessed by the ad-hoc panel for the DPO-2020-001 review. This is because this is not a new issue of concern and because DPO appeals are dispositioned at a higher level than DPOs. The specific issue of concern is already being assessed as part of the DPO-2016-003 appeal and will be dispositioned as part of that process.

Challenges were encountered in determining how to address the overlap with the appeal to DPO-2016-003, particularly because the process had these steps occurring in parallel.

Substantial time and resources were expended on the part of the submitter and the panel to determine a mutually agreeable path forward for this issue. The submitter expressed frustration that there was a lack of clarity on how and when this issue would be dispositioned by another agency process.

Conclusion - Issue 2

Due to the duplicative nature of this concern with concern 1 in the DPO-2016-003 appeal, this issue is not addressed in this report.

Recommendation - Issue 2

Consideration should be given to developing guidance for handling duplicative concerns identified in future differing views submittals (non-concurrence or DPO) to clearly separate issues of concern that are unresolved (or open) as part of other submittals that are undergoing disposition. Clarity should be provided to the submitter when the submittal is accepted into the process.

Issue 3

TSTF-505, Revision 2 allows onsite and offsite power systems to be inoperable in a manner that could result in a plant not meeting the station blackout requirements specified in 10 CFR 50.63 or the extended loss of all AC requirements of Order EA 049 and 10 CFR 50.155. These systems being inoperable changes the assumptions associated with these beyond-design-basis requirements and are unintended consequences from the NRC approving the TSTF-505 program.

Discussion and Evaluation

This issue describes concerns with availability of AC and DC power systems and potential unforeseen or latent adverse impacts the risk-informed TS program may have on previous program assumptions for beyond-design-basis events station blackout (SBO) and extended loss of ac power (ELAP). The analytical assumptions may be invalidated by implementation of risk-informed completion times which differ from the current allowed outage times. The submitter also was concerned that RICT backstop of 30 days does not appear to consider the limitations on vital station battery capacity and the subsequent effect on SBO coping times. The concern also includes potential scenarios in which both credited offsite sources or both credited onsite sources may be inoperable concurrent with extended allowed outage times in a risk-informed TS program.

Regulatory requirements

In addition to the regulatory requirements outlined previously, this issue concerns additional requirements.

10 CFR 50.63, Loss of all alternating current power states, in part:

Each light-water-cooled nuclear power plant licensed to operate under this part ... must be able to withstand for a specified duration and recover from a station blackout as defined in § 50.2. The specified station blackout duration shall be based on the following factors:

(i) The redundancy of the onsite emergency AC power sources;

(ii) The reliability of the onsite emergency AC power sources;

(iii) The expected frequency of loss of offsite power; and

(iv) The probable time needed to restore offsite power.

10 CFR 50.155, Mitigation of beyond-design-basis events states, in part:

(b) Strategies and guidelines. Each applicant or licensee shall develop, implement, and maintain: (1) Strategies and guidelines to mitigate beyond-design-basis external events from natural phenomena that are developed assuming a loss of all AC power concurrent with either a loss of normal access to the ultimate heat sink or, for passive reactor designs, a loss of normal access to the normal heat sink. These strategies and guidelines must be capable of being implemented site-wide and must include the following:

(i) Maintaining or restoring core cooling, containment, and spent fuel pool cooling capabilities; and

(ii) The acquisition and use of offsite assistance and resources to support the functions required by paragraph (b)(1)(i) of this section indefinitely, or until sufficient site functional capabilities can be maintained without the need for the mitigation strategies.

Station blackout

The SBO rule evolved from the results of numerous analyses that collectively concluded that SBO could be an important contributor to the total risk from nuclear power plant accidents. The concern about station blackout arose because of the accumulated experience regarding the reliability of ac power supplies. Many operating plants had experienced a total loss of offsite electric power, and in some cases, the onsite emergency ac power supplies were not immediately available to supply the power needed by vital safety equipment. The original 1988 rule required, in part, that licensees propose and justify an SBO coping duration based on their ability to: (1) maintain highly reliable onsite emergency AC electric power supplies; (2) ensure that the plants can cope with an SBO for some period of time based on the probability of an SBO at the site and the capability to restore power to the site; (3) develop procedures and training to restore offsite and onsite emergency AC power should either become unavailable; and (4) if necessary, make modifications necessary to meet the SBO rule requirements. For a multi-unit site station blackout was assumed to occur only at one unit. The SBO rule only included events associated with switchyard or grid-related events, or weather-related events that affected the offsite power system either throughout the grid or at the plant and did not consider impacts of a loss of offsite power caused by external events such as fires, flooding, or seismic activity. The NRC staff subsequently developed and issued RG 1.155, "Station Blackout," which provided an acceptable method for licensees to meet the objectives of the rule.

As part of a plant coping analysis, licensees also determined how long the safety-related station batteries would be capable of providing adequate voltage and current (capacity) to vital equipment including instrumentation and control, without AC power and the probable time to restore offsite power. This coping duration was established on probability of restoration of offsite power sources in less than 4 hours. To minimize risk during loss of offsite power events, plants that were vulnerable to extremely severe weather-related events were required to shut down prior to potential loss of offsite power. Under normal operating conditions, plant vital dc systems are typically powered by installed station battery chargers, powered from vital ac sources.

During loss of AC power events, plant vital DC systems are powered by station batteries. The coping time analysis was based, in part, on analytical assumptions of the time required to restore a source of AC power to ensure required systems would remain capable of performing functions necessary to provide core cooling and decay heat removal. RG 1.155 also allows for the use of non-safety-related equipment to mitigate a station blackout stating, in part, that consideration should be given to using available non-safety-related equipment, as well as safety-related equipment, to cope with a station blackout provided such equipment meets certain independence criteria from onsite power systems and the quality assurance guidelines described in Appendices A and B to the RG.

NUREG-1032, Evaluation of Station Blackout Accidents at Nuclear Power Plants, provided much of the technical bases for RG 1.155 by analyzing the effect of variations in various offsite and onsite ac power system designs and plant locations, EDG reliability, and SBO coping capability on the SBO CDF and provided a treatment of the potential impact of both internal and external factors on the risk. This report documented the findings of technical studies performed as part of the program to resolve the SBO issue, and noted that the important factors analyzed included the frequency of loss of offsite power; the probability that emergency or onsite AC power supplies would be unavailable; the capability and reliability of decay heat removal systems independent of AC power; and the likelihood that offsite power would be restored before systems that cannot operate for extended periods without ac power fail, thus resulting in core damage. This report also addresses effects of different designs, locations, and operational features on the estimated frequency of core damage resulting from station blackout events. The factors were part of the analytical assumptions used to develop coping strategies.

NUREG-1776, "Regulatory Effectiveness of the Station Blackout Rule," published in 2003, evaluated the effectiveness of the SBO rule by comparing regulatory expectations to outcomes in the areas of coping capability, risk reduction, emergency diesel generator reliability, and economics. This report concluded that the SBO rule was effective considering that the risk expectations were achieved, and that industry and NRC costs to implement the SBO rule were reasonable. The NUREG also concluded that the plants have gained SBO coping capability, reduced risk, increased the tolerance to a loss of AC offsite or onsite power, and that many plants benefited economically from the addition of additional AC power supplies. In implementing the SBO rule, some plants installed additional onsite AC generating capacity (e.g., the addition of a diesel generator or gas turbine generator power supplies). For those plants that installed alternate AC power (AAC) sources that would be available within 10 minutes, no coping analysis was required. For these plants, battery chargers can be aligned to the AAC source and vital station battery depletion times would not be significant, and thus for those plants the original analytical assumptions for SBO coping time capability would not be adversely affected by implementation of the risk-informed TS CT extensions as the availability of the AAC source was provided for that purpose. These alternate power sources, credited with SBO mitigation, are not required to meet the specific quality assurance requirements of Appendix B to 10 CFR 50 for safety-related equipment, however the quality assurance guidelines outlined in RG 1.155 applied. For plants that did not provide an AAC source, a four-hour maximum coping duration was typically established.

NUREG/CR-6890, "Reevaluation of Station Blackout Risk at Nuclear Power Plants," published in December 2005, was written as part of a comprehensive program to update the results of previous evaluations of grid stability and offsite power issues after the widespread loss of the Nation's electrical power grid (blackout) resulted in loss of offsite power (LOOP) events at nine U.S. commercial nuclear power plants (NPPs) in August 2003. This report noted that one extremely important subset of LOOP-initiated scenarios involves SBO situations in which the affected plant must achieve safe shutdown by relying on components that do not require AC power, such as turbine- or diesel-driven pumps and the reliability of these components, DC battery depletion times, and characteristics of offsite power restoration. This report identified a further reduction in CDF related to SBO and attributed it to improvements in plant risk modeling, improved component performance and significant improvements in EDG reliability. At the time, these improvements played a role in licensees' capability to cope with an SBO caused by internal events. For those plants without an AAC power source, these improvements added additional margin to the previous analytical assumptions establishing SBO coping capability.

Mitigation of beyond-design-basis events

In February 2002 the NRC issued Order EA-02-026, Order for Interim Safeguards and Security Compensatory Measures, which mandated additional interim compensatory measures to be taken in the aftermath of September 11, 2001. The interim compensatory measures were eventually codified in 10 CFR 50.54(hh)(2), and required licensees to develop and implement guidance and strategies intended to maintain or restore core cooling, containment, and spent fuel pool cooling capabilities under the circumstances associated with loss of large areas of the plant due to explosions or fire. These strategies included provisions for additional sources of AC power generation to necessary equipment to provide core and spent fuel cooling. While this equipment was not required by plant technical specifications and was not credited in the analysis created for the original SBO coping times, the equipment is required to be maintained and remain functional. The equipment also provides another source of AC power for use in beyond-design-basis events, extending the availability of vital power systems and improving a plant's capability to cope with SBO conditions.

After the Fukushima Dai-ichi event in 2011, NRC staff undertook a methodical and systematic review to improve licensee preparedness to mitigate certain risk-significant beyond-design-basis events, including the ELAP. The events that occurred at the Fukushima Dai-ichi Nuclear Power Plant site highlighted the possibility that extreme natural phenomena could challenge multiple defense-in-depth layers that were in place under the NRC's regulatory framework. Based on the staff reviews of the Fukushima event, the staff determined that loss of offsite power events can affect all nuclear power plants on a multiunit site (differing from previous SBO assumptions), and determined that consideration must be given to those nuclear power plants with less robust electrical power system designs, including those with extended allowed outage times for performing online maintenance of the emergency power systems. As described in this report, the SBO rule was intended to require measures to cope with a loss of offsite power concurrent with the loss of all onsite AC power sources (with the exception of AC power provided by station inverters via batteries), which is a beyond-design-basis internal event, but not a beyond-design-basis external event (BDBEE) such as occurred at Fukushima Dai-ichi, which was more significant in scope.

To address the uncertainties associated with beyond-design-basis external events, the NRC issued Order EA-12-049, Order Modifying Licenses with Regard to Requirements for Mitigation Strategies for Beyond-Design-Basis External Events, on March 12, 2012. This order imposed new requirements for additional defense-in-depth measures so that the NRC could continue to have reasonable assurance of adequate protection of public health and safety in mitigating the consequences of a beyond-design-basis external event. In SRM-COMSECY-13-002, dated March 4, 2013, the Commissioners instructed the NRC staff to consolidate rulemaking activities associated with strengthening station blackout mitigation capability at all operating and new reactors for design-basis and beyond-design-basis external events and enhancing spent fuel pool makeup capability and instrumentation for the spent fuel pool into one rulemaking, entitled the Station Blackout Mitigation Strategies Rulemaking.

The industry, in conjunction with NRC staff, worked to develop guidance that would aid licensees in creating diverse and flexible mitigation strategies (FLEX) dedicated to increasing defense-in-depth for BDBEE scenarios to address an ELAP and loss of normal access to the ultimate heat sink (LUHS) occurring simultaneously at all units on a site. Guidance document NEI 12-06, Diverse And Flexible Coping Strategies (Flex) Implementation Guide, includes a three-phase approach strategy to increase licensees' defense-in-depth preparedness by requiring both an onsite component using plant equipment, as well as FLEX-designated equipment stored at or near the plant site and an offsite component for the provision of additional materials and equipment for longer-term response. The initial phase makes use of installed plant equipment and resources to maintain or restore key safety functions including core cooling, containment, and spent fuel pool (SFP) cooling. The next phase includes providing sufficient, portable, onsite equipment and consumables, including portable AC power generation, to maintain or restore these functions until they can be accomplished with resources brought from offsite. The final phase includes obtaining sufficient offsite resources to sustain these functions indefinitely. This dedicated portable AC power generation equipment significantly improves the plant's ability to cope with an SBO and ELAP, including extending the availability of DC power sources.

NEI 12-06 provided performance attributes, general criteria, and baseline assumptions for use in the development and implementation of the strategies and guidelines under 10 CFR 50.155, Mitigation of beyond-design-basis events, including assumptions for analyses used to establish a baseline coping capability that includes an ELAP affecting all units at a plant site, and the specification that all design basis installed sources of emergency onsite AC power and SBO alternate AC power sources are assumed to be not available and not imminently recoverable. This assumption would necessarily bound prior coping time analysis assumptions, in that no credited or alternate AC power sources are available or recoverable within the coping time assumption. Similar to the alternate AC sources (AAC) installed for SBO mitigation, dedicated FLEX equipment is not required to meet specific quality assurance requirements of 10 CFR 50, Appendix B; however, the industry guidance does implement programmatic controls, including quality assurance provisions which require design control attributes, procedural development and adherence, equipment storage criteria and change control guidelines. The guidance also has controls limiting time periods in which the equipment and connection points may be non-functional for any reason, with the duration of the acceptable time period being based on the ability of the licensee to accomplish the intended function of the equipment by other means. When a licensee cannot accomplish the intended function of the equipment by other means, durations for which the equipment is non-functional are limited to periods comparable to those allowed by technical specifications for safety-related SSCs with similar functions.

10 CFR 50.155 codifies the requirements that licensees develop, implement, and maintain mitigation strategies for beyond-design-basis external events including beyond-design-basis external events from natural phenomena that are developed assuming a loss of all AC power (the term extended is considered redundant) concurrent with either a loss of normal access to the UHS. These mitigating strategies are based on the guidance in NEI 12-06, which was endorsed by the NRC in RG 1.226, Flexible Mitigation Strategies For Beyond-Design-Basis Events, issued in June 2019.

Analytical assumptions

The panel recognizes that the implementation of risk-informed TS CTs (up to a 30-day CT for redundant offsite power sources and onsite DC power system equipment) may invalidate the original analytical assumptions made by some licensees for their SBO coping analysis. These early analyses included only equipment credited to be available before the event, including vital station batteries and inverters, or credited additional non-safety-related AC sources of power installed specifically to mitigate the loss of AC power event. From a deterministic perspective, the panel believes the impacts would not be significant from an equipment availability perspective, considering the mandated availability of additional AC generating sources as outlined in this report, installed or made available due to global events that required NRC actions resulting in improved defense-in-depth capabilities for loss of AC power events. The panel is unaware of prohibitions on the use of non-TS or non-credited equipment and strategies (FLEX) for mitigation of beyond-design-basis events, which includes station blackout. The original analytical assumptions related to availability of AC power sources to power station vital equipment were performed long before the events of 2001 and 2011 and did not include the availability of those additional AC power sources added to mitigate those more significant events.

As described in the Final Revised Model Safety Evaluation for TSTF-505, Initiative 4B, when the necessary equipment redundancy is not maintained, and the system loses the capability to perform its safety function(s) without any further failures (e.g., two trains of a two-train system are inoperable), the plant must exit the mode of applicability for the LCO, or take remedial actions, as specified in the TSs. If a vital station battery or single train of vital DC power system was out of service under a RICT, one train of credited equipment necessary to satisfy the safety function must remain operable. If a beyond-design-basis event were to occur in conjunction with this configuration, the availability of non-credited equipment (FLEX) and mitigation strategies would be available to mitigate the event. A key principle of the program recognizes the licensee will be able to have design-basis equipment out-of-service longer than the current TS allow and the likelihood of successful fulfillment of the function will be decreased when redundant train(s) are not available; however, the capability to fulfill the function will be retained when the available equipment functions as designed.

Frequency of beyond-design-basis events

The panel acknowledges that loss of offsite power is a significant contributor to CDF. Both 10 CFR 50.63 and 10 CFR 50.155 address beyond-design-basis events. By their nature, beyond-design-basis events are unbounded and can result in a multitude of damage states and associated accident conditions. There is a distinction in the regulations between a design basis event and a beyond-design-basis event. Design basis events are addressed through defense-in-depth of SSCs. Beyond-design-basis events are addressed through mitigation and diversity of defense. There is no requirement for redundancy of specific SSCs, nor are there assumptions of additional failure because of the extraordinary circumstances associated with beyond-design-basis events. From a practical standpoint, to make timely regulatory decisions, reasonable boundary conditions need to be established for these types of events. Although these assumptions do not encapsulate the full spectrum of possibilities, when combined with the extremely low probability of beyond-design-basis events, they do provide reasonable assurance of adequate protection. Where appropriate, additional factors should be considered, including the use of compensatory measures or mitigating strategies. One such example is the contingency included to address the 10 CFR 50.155 requirements for a loss of all AC power.

Although the boundary conditions for this event assume AC power from the batteries through the inverters, contingencies are included in the mitigation strategies to enable actions to be taken under those circumstances (e.g., sending operators to immediately take manual control over a non-AC-powered core cooling pump). The panel's observation is that even a scenario where a RICT removed a combination of offsite/onsite power sources from service for 30 days, such that the assumptions of 10 CFR 50.63 or 10 CFR 50.155 were in question, the overlap of this time with the rare frequency of a beyond-design-basis event is beyond the standard of reasonable assurance of adequate protection. Further, the availability of additional, diverse strategic equipment and strategies provides additional capabilities that were not part of the original analytic assumptions.

Conclusion - Issue 3

Issue 3 is related to the impact of TSTF-505, Revision 2 on the assumptions with beyond-design-basis requirements. As discussed, any increase in credited equipment unavailability for a longer allowed outage time is included in the RICT evaluation and would be mitigated by the additional FLEX strategies. Therefore, the panel concluded that safety margins and previous analytical assumptions are not adversely affected by the implementation of the RICT program, and the objectives of these beyond-design-basis requirements are met.

CONCLUSIONS

The submitter's overarching concern is that TSTF-505, Revision 2 allows electrical power systems to be inoperable for up to 30 days, which could result in a plant not meeting regulatory requirements or being in an unanalyzed condition.

The panel concludes that the NRC staff's response to TSTF-505, Revision 2 is consistent with NRC requirements and the Commission's risk-informed policy statement. The panel acknowledges that there is not absolute assurance of prohibiting a configuration with no offsite electrical power system for up to 30 days. However, there is reasonable assurance that this configuration would be avoided or appropriately mitigated by licensees' risk management programs, including the TSTF-505, Revision 2 RICT program, and supported by an independent review by the NRC staff.

The issues identified in DPO-2020-001 have been raised in other forums, including formal non-concurrences and another DPO that is currently at the appeal stage. A lack of clarity potentially contributed to some stakeholder views regarding resolution of the concerns and the potential impact on plant safety. The panel's perspective is that improvements in NRC/industry documentation on the implementation and acceptability of TSTF-505 could have potentially enhanced the clarity of the decision-making process.

RECOMMENDATIONS

Because there are many different configurations of electrical transmission and distribution systems in use by licensees, the panel recommends stressing the need for independent technical review of plant specific configurations to avoid approval of applications based on comparisons to a standardized model of electrical power systems.

Consideration should be given to developing guidance for handling duplicative concerns identified in future differing views submittals (non-concurrence or DPO) to clearly separate issues of concern that are unresolved (or open) as part of other submittals that are undergoing disposition. Clarity should be provided to the submitter when the submittal is accepted into the process.

Appendix A
Documents Reviewed DPO 2020-001

Number | Title | Revision/Date
NEI 06-09 | Risk-Informed Technical Specifications Initiative 4b Risk-Managed Technical Specifications (RMTS) Guidelines | 0
NEI 06-09 | Risk-Informed Technical Specifications Initiative 4b Risk-Managed Technical Specifications (RMTS) Guidelines | 0-A
TSTF-11-07 PROJ0753 | TSTF-505, Revision 1, "Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b" Errata | June 14, 2011
TSTF-18-08 PROJ0753 | TSTF-505, Revision 2, "Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b" | July 2, 2018
ML16281A021 and ML17124A030 | Issues with Technical Specification Task Force Traveler TSTF-505-A, Revision 1, "Provide Risk-Informed Extended Completion Times RITSTF Initiative 4B" | November 15, 2016
ML18267A259 | Final Revised Model Safety Evaluation By The Office Of Nuclear Reactor Regulation Technical Specifications Task Force Traveler TSTF-505, Revision 2 Provide Risk-informed Extended Completion Times - RITSTF Initiative 4B | November 21, 2018
NUREG-1032 | Evaluation of Station Blackout Accidents at Nuclear Power Plants | June 1988
NUREG-1776 | Regulatory Effectiveness of the Station Blackout Rule | August 2003
NUREG/CR-6890, Vol. 2 | Reevaluation of Station Blackout Risk at Nuclear Power Plants | December 2005
NEI 12-06 | Diverse And Flexible Coping Strategies (Flex) Implementation Guide | April 2018
RG 1.155 | Station Blackout | August 1988
60 FR 42622 | PRA Policy Statement | August 16, 1995
RG 1.174, Revision 3 | An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant Specific Changes to Licensing Basis | January 2018
RG 1.93, Revision 1 | Availability of Electric Power Sources | March 2012
RG 1.226 | Flexible Mitigation Strategies For Beyond-Design-Basis Events | June 2019
NRC-2011-0299 | Rulemaking for Station Blackout Mitigation Strategies | April 2013
Appeal for DPO-2016-003 | RITSTF 4b & 5b and event reporting for LOOP | August 6, 2018
NCP-2018-009 | TSTF-505, Provide Risk-Informed Completion Time- RITSTF Initiative 4b, Rev 2 | October 3, 2018
NCP-2017-008 | Vogtle 4b LAR | June 27, 2017
NCP-2015-009 | Discussion of EEEB Comments on Vogtle 4b SE | August 13, 2015
RIS-13-05 | NRC Position on the Relationship between General Design Criteria and Technical Specification Operability | May 9, 2013

Appendix B
Regulatory Requirements Associated with TSTF-505 Initiative 4b, Revision 2 and NEI 06-09-A, Revision 0

10 CFR Part 50, Appendix A, General Design Criteria for Nuclear Power Plants
GDC 17, Electric power systems
GDC 20, Protection system functions

The following GDC also discuss onsite and offsite power
GDC 34 Residual heat removal
GDC 35 Emergency core cooling
GDC 37 Testing of Emergency Core Cooling System
GDC 38 Containment heat removal
GDC 41 Containment atmosphere cleanup
GDC 44 Cooling water

10 CFR 50.36, Technical Specifications
10 CFR 50.65, Requirements for monitoring the effectiveness of maintenance at nuclear power plants
10 CFR 50.63, Loss of all alternating current power
10 CFR 50.155, Mitigation of beyond-design-basis events

Document 4: DPO Decision

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

May 13, 2021

MEMORANDUM TO: Anton Vegel, Acting Director, Office of Enforcement

FROM: Andrea D. Veil, Director, Office of Nuclear Reactor Regulation (Signed by Veil, Andrea on 05/13/21)

SUBJECT: DIFFERING PROFESSIONAL OPINION DECISION INVOLVING TECHNICAL SPECIFICATIONS TASK FORCE TRAVELER, (TSTF)-505, REVISION 2, AND NEI 06-09, REVISION 0 (DPO-2020-001)

The purpose of the memorandum is to respond to differing professional opinion (DPO) DPO-2020-001, submitted on August 5, 2020 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML20210M363), in accordance with Management Directive 10.159, The Nuclear Regulatory Commission [NRC] Differing Professional Opinions Program (ADAMS Accession No. ML15132A664). The DPO, titled TSTF-505 - RITSTF Initiative 4b, Revision 2, and [Nuclear Energy Institute] NEI 06-09-A, Revision 0, asserts that select electrical power system-related provisions in TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b (ADAMS Accession No. ML18183A493), could result in a nuclear power plant not meeting regulatory requirements or being in an unanalyzed condition.

The DPO is of high technical quality and raises issues that ensure NRC approved risk-informed initiatives embody the NRC's risk-informed philosophy whereby risk insights are considered together with other factors, including defense-in-depth and safety margins. Although the DPO submitter is now retired, I commend the submitter's dedication to the NRC mission, willingness to raise concerns ensuring the concerns are heard and understood, and commitment to ensuring a healthy safety culture within the agency.

My response to the DPO is described in the enclosure.

Enclosure: DPO regarding TSTF-505, Revision 2, and NEI 06-09, Revision 0 (DPO 2020-001)

CONTACT: Candace de Messieres, NRR 301-415-8395

ML21128A000 OE-011

OFFICE | NRR | NRR
NAME | CdeMessieres | AVeil
DATE | 05/13/21 | 05/13/21

DIRECTOR'S DECISION FOR DIFFERING PROFESSIONAL OPINION (DPO) TECHNICAL SPECIFICATIONS TASK FORCE TRAVELER, (TSTF)-505, REVISION 2, AND NUCLEAR ENERGY INSTITUTE (NEI) 06-09, REVISION 0 (DPO-2020-001)

Background

DPO-2020-001, titled TSTF-505 - RITSTF Initiative 4b, Revision 2, and NEI 06-09-A, Revision 0 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML20210M363), asserts that select electrical power system-related provisions in TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b (ADAMS Accession No. ML18183A493), could result in a nuclear power plant not meeting regulatory requirements or being in an unanalyzed condition. Specifically, DPO concerns are related to potential TSTF-505 allowance of: (1) loss of both circuits of offsite power; (2) changes to limiting conditions for operation (LCOs) Completion Times (CTs) for select electrical structures, systems, and components (SSCs) without clearly understanding and evaluating the consequences to the plant's accident mitigation safety system; and (3) inoperable onsite and offsite power systems in a manner that could result in unintended consequences including a plant not meeting the station blackout (SBO) requirements or the extended loss of all alternating current (AC) requirements.

The DPO concerns are related to issues previously identified in DPO-2016-003, dated October 12, 2016 (ADAMS Accession No. ML16295A102), and Non-Concurrence Process (NCP)-2018-009, dated October 3, 2018 (ADAMS Accession No. ML18310A175). The submitter contends that documents precipitating NCP-2018-009 were issued without properly addressing their concerns. An appeal of the decision for DPO-2016-003 is currently under review by the Executive Director for Operations (EDO); therefore, issues pending an EDO decision will not be addressed here (ADAMS Accession No. ML18271A074). Additionally, in accordance with Management Directive 10.159, The Nuclear Regulatory Commission [NRC] Differing Professional Opinions Program (ADAMS Accession No. ML15132A664), concerns or recommendations regarding the differing views program are referred to the Office of Enforcement (OE).

The DPO Ad Hoc Review Panel (the Panel) issued their report to me on February 19, 2021, after reviewing the applicable documents, interacting with knowledgeable NRC staff, and completing their deliberations (ADAMS Accession No. ML21050A327). I discussed the Panel report with the DPO Panel members on March 2, 2021.

To inform my decision regarding this DPO, I reviewed the submittal, the Panel's report, the related NCP and DPO, TSTF-505, Revision 2, and the associated NRC staff final revised model safety evaluation (SE) and NEI implementation guidance, NEI 06-09, Revision 0-A (ADAMS Accession Nos. ML18267A259 and ML12286A322, respectively). I also considered additional pertinent guidance and staff positions and information provided by subject matter experts.

Further, I assigned an independent staff member to assist in my evaluation and the documentation of my decision.

Summary of Issues

The Panel identified that individual DPO concerns could be grouped into three distinct areas, which are summarized below:

(1) TSTF-505, Revision 2, allows for the complete loss of both circuits of offsite power.

a. The basis provided in the TSTF-505, Revision 2, and model SE does not comply with the NRC design basis requirements for offsite power system (i.e., an onsite electric power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety).
b. NRC approval was based on interpretation of the technical specifications (TSs) definition of operability of a system (e.g., non-electric power system such as high-pressure safety injection) and not based on design basis requirements specified in design and licensing basis requirements for an electric power system LCO in accordance with Title 10 of the Code of Federal Regulations (10 CFR) 50.36(c)(2).

(2) TSTF-505, Revision 2, allows a licensee to change the CTs for LCOs for SSCs such as vital AC buses (inverters) and one train of direct current (DC) sources without clearly understanding and evaluating the consequences to the plant's accident mitigation safety systems (transients, potential loss of safety functions, unanalyzed conditions, and single failures).

(3) TSTF-505, Revision 2, allows onsite and offsite power systems to be inoperable in a manner that could result in a plant not meeting the SBO requirements specified in 10 CFR 50.63 or the extended loss of all AC requirements of Order EA-12-049 and 10 CFR 50.155. Inoperability of these systems changes the assumptions associated with beyond-design-basis requirements and are unintended consequences of the NRC approving the TSTF-505 program.

My Assessment of the Panel Conclusions

Issue 1

I agree with the Panel's conclusion that the staff position on TSTF-505, Revision 2, of allowing two offsite power systems to be inoperable for an extended risk-informed duration,[1] is in conformance with applicable NRC design and licensing basis requirements. The Panel report includes a discussion and evaluation of pertinent regulatory requirements and definitions, the relationship between design basis and operability as it relates to implementing TS LCO risk-informed completion times (RICTs), and TSTF-505 conformance with design basis, maintenance rule, and station blackout requirements. I found this discussion and evaluation helpful to more fully understand the submitter's concerns and the basis for the Panel's conclusions.

[1] Topical report NEI 06-09 Revision 0-A, Risk-Informed Technical Specifications Initiative 4b Risk-Managed Technical Specifications (RMTS) Guidelines describes a risk-informed methodology that permits TS LCO CTs to be extended, provided risk is assessed and managed through a licensee's configuration risk management program. For those LCOs within the proposed plant-specific scope of the RMTS, a new action requirement is provided to permit continued operation beyond the existing CTs of applicable action requirements of the LCOs. This new action requirement tracks risk as measured by the configuration-specific core damage frequency and large early release frequency, and assesses this risk using processes and limits specified in NEI 06-09, Revision 0. Additional requirements for compensatory measures or risk management actions, requirements for probabilistic risk assessment (PRA) acceptability, and for quantitative evaluation of risk sources for which PRA models may not be available are also specified in NEI 06-09, Revision 0.

I agree with the Panel's assessments of General Design Criteria (GDC) 17 requirements as they relate to TSTF-505. Specifically, TSTF-505 adoption does not impact design requirements that plants have an offsite and onsite power system with sufficient capacity and capability to supply electrical power to necessary safety equipment to maintain critical functions associated with core cooling, spent fuel cooling, and containment during anticipated operational occurrences and postulated accidents. The Panel report also states that although the offsite power system is the preferred power source, it is not designed or assumed to withstand an external event as outlined in GDC 2, Design bases for protection against natural phenomena and, therefore, both credited emergency AC power sources cannot be inoperable under the RICT program.

I also found the Panel's analysis of information contained in Regulatory Issue Summary (RIS) 13-05, NRC Position on the Relationship between General Design Criteria and Technical Specification Operability (ADAMS Accession No. ML13056A077), helpful in assessing the DPO submitter's concerns. The RIS states:

It is the staff's position that failure to meet GDC, as described in the licensing basis (e.g., nonconformance with the CLB [current licensing basis] for protection against flooding, seismic events, tornadoes) should be treated as a nonconforming condition and is an entry point for an operability determination if the nonconforming condition calls into question the ability of SSCs to perform their specified safety function(s) or necessary and related support function(s) if the TS SSC is inoperable, then the licensee must enter its TS and follow the applicable required actions.

The Panel summarizes that the specific values, functions, or equipment, required by the TS under normal conditions are selected to assure that the system or component will be able to carry out its design functions under accident and transient conditions, including maintenance of defense-in-depth. Specifically, the Panel references 10 CFR, Section 50.36, Technical specifications, that discusses the establishment of LCOs for functions, not specific types of systems. While CTs in the TSs were originally established using experiential data, risk insights, and engineering judgment, the Panel notes that the RICT program allows for consideration of plant-specific operating experience for component reliability and availability data that directly reflect actual component performance.

The Panel also considered implications of TSTF-505 implementation to 10 CFR 50.65, Requirements for monitoring the effectiveness of maintenance at nuclear power plants (addressed here) and 10 CFR 50.63, Loss of all alternating current power (described in my assessment of Issue 3). While the Panel provides cases where extended plant operation, without offsite power available immediately, could be construed as contrary to the intent of the maintenance rule, the Panel also identifies that SSC unavailability resulting from a RICT must be factored into calculation of maintenance rule risk assessments. I note that the NRC's TSTF-505 model SE states that monitoring performed in conformance with the maintenance rule, 10 CFR 50.65, can be used when the monitoring is sufficient for the SSCs affected by the risk-informed application [According to Enclosure [X] of the submittal, the SSCs in the scope of the RICT program are also in the scope of the maintenance rule.] In addition, TSTF-505 implementation guidance instructs the licensee to track the risk associated with all entries beyond the previously established CT by performing a cumulative risk assessment at least every refueling cycle, but not to exceed every 24 months. If any limits are exceeded, corrective actions are taken to ensure that future plant operational risk is within the acceptance guidance.

I agree with the Panel's assessment that the RICT program nexus to the maintenance rule provides an additional, diverse, layer of monitoring and control for exposure to risk.

Moreover, as described in Use of Probabilistic Risk Assessment [PRA] Methods in Nuclear Regulatory Activities; Final Policy Statement (60 Federal Register (FR) 42622), PRAs should be used to reduce unnecessary conservatisms or support additional regulatory requirements:

PRA and associated analyses should be used in regulatory matters, where practical within the bounds of the state-of-the art, to reduce unnecessary conservatism associated with current regulatory requirements, regulatory guides, license commitments, and staff practices. Where appropriate, PRA should be used to support the proposal for additional regulatory requirements in accordance with 10 CFR 50.109 (Backfit Rule). The existing rules and regulations shall be complied with unless these rules and regulations are revised.

The NRC has a well-established process for ensuring PRAs are acceptable for use in PRA applications as documented in Regulatory Guide (RG) 1.200, Revision 3, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities (ADAMS Accession No. ML20238B871). PRA acceptability, which includes the PRA's scope, level of detail, plant-representation, and conformance with PRA standard technical elements, is evaluated by the NRC staff in a graded manner commensurate with the level of operational freedom afforded by the licensing request. Therefore, PRAs supporting implementation of TSTF-505 are subject to rigorous NRC staff acceptability reviews.

In summary, I agree with the Panel's assessment that TSTF-505 adoption does not impact compliance with existing rules and regulations. I also have confidence that the staff's approach ensures that PRAs appropriately support TSTF-505 implementation. Lastly, TSTF-505 was developed in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy; therefore, I support its continued use to the extent practical.

Issue 2

The Panel summarizes that the submitter included Concern 2 in DPO-2020-001 because the issue and suggested remedy has yet to be addressed as part of DPO-2016-003. The Panel communicated with OE and the EDO regarding the submitter's sustained concern. Since this is not a newly identified issue, the Panel did not address this concern and defers to the EDO's decision. Accordingly, I do not provide an assessment of Issue 2 in this decision.

Issue 3

This issue pertains to the potential for TSTF-505, Revision 2, implementation to allow onsite and offsite power systems to be inoperable in a manner that could result in a plant not meeting select requirements in (1) 10 CFR 50.63 and (2) 10 CFR 50.155, "Mitigation of beyond-design-basis events," and NRC Order EA-12-049, "Order Modifying Licenses with Regard to Requirements for Mitigation Strategies for Beyond Design Basis External Events" (ADAMS Accession No. ML12054A735). The submitter contends that off-site power systems being inoperable changes the assumptions associated with these beyond-design-basis requirements

of offsite power events expected at a particular site, recovery time for offsite power, frequency of grid blackout events, and diesel generator reliability. Changes to these parameters may have a significant effect on the SBO duration and coping analyses, and these may differ from the original determination performed by a licensee. If the NRC determines that a licensee's plans for coping with an SBO are no longer adequate, the NRC can require a licensee to modify its SBO plans or related equipment as necessary, so long as the NRC satisfies the requirements of 10 CFR 50.109, "Backfitting."

Regarding mitigation of beyond-design-basis events, the Panel summarizes 10 CFR 50.155 requirements that licensees develop, implement, and maintain mitigation strategies for beyond-design-basis external events including beyond-design-basis external events from natural phenomena that are developed assuming a loss of all AC power (ELAP) concurrent with a loss of normal access to the heat sink. The Panel also summarizes that Order EA-12-049 contains additional defense-in-depth measures so that the NRC can continue to have reasonable assurance of adequate protection of public health and safety in mitigating the consequences of a beyond-design-basis external event.

I agree with the Panel's assessment that the use of compensatory measures or mitigating strategies, such as those included to address the 10 CFR 50.155 requirements for a loss of all AC power, is appropriate for addressing beyond-design-basis events. The Panel states that although the boundary conditions for this event assume AC power from the batteries through the inverters, contingencies are included in the mitigation strategies to enable specific actions to be taken under those circumstances. The Panel observes that even in a scenario where a RICT removed a combination of offsite and onsite power sources from service for 30 days, such that the assumptions of 10 CFR 50.63 or 10 CFR 50.155 were in question, the overlap of this time with the rare frequency of a beyond-design-basis event is beyond the standard of reasonable assurance of adequate protection.

In summary, given that additional actions precipitated by more recent beyond-design-basis events requirements ensure reasonable assurance of adequate protection, consideration of frequency of beyond-design-basis events, and my observation that a reanalysis of SBO coping time is not required by the SBO rule, I find that adoption of TSTF-505 does not impact compliance with 10 CFR 50.63, 10 CFR 50.155, and NRC Order EA-12-049 requirements.

Response to Recommendations

Panel Recommendation 1

There are many different configurations of electrical transmission and distribution systems in use by licensees and there are numerous system interactions and interdependencies. The panel recommends stressing the need for independent technical review of plant specific configurations and probabilistic risk assessments to avoid approval of applications based on comparisons to a standardized model of electrical power systems.

Independent technical review of plant-specific changes for defense-in-depth and safety margins is an essential part of risk-informed decisionmaking. The NRC is a risk-informed, and not risk-based regulator, whereby, risk insights are considered together with other factors, including defense-in-depth and safety margins, to establish requirements that better focus licensee and regulatory attention on design and operational issues commensurate with their importance to public health and safety.[3] NRC's model SE for TSTF-505 explicitly considers applicable Commission Policy such as the PRA Policy Statement (Final Policy Statement: Use of Probabilistic Risk Assessment Methods in Nuclear Regulatory Activities (60 FR 42622)) and reactor safety-specific guidance including RG 1.174, Revision 3, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis" (ADAMS Accession No. ML17317A256). The five key principles in RG 1.174 are evaluated in Section 3.1 of the NRC staff's model TSTF-505 SE as follows: (1) Compliance with Current Regulations; (2) Defense-in-Depth; (3) Safety Margins; (4) Change in Risk Consistent with the Safety Goal Policy Statement; and (5) Performance Measurement Strategies - Implementation and Monitoring Program.

Section 3.1 also states that Each of these principles are addressed in NEI 06-09-A. The NRC staff's evaluation of the licensee's proposed use of RICTs against these key safety principles is discussed below.

It is current practice that risk-informed licensing reviews involving electrical system changes, including reviews of requests to implement TSTF-505, include evaluations by both electrical subject matter experts and risk analysts. These diverse staff members work together to ensure all risk-informed key principles, including defense-in-depth and safety margins, are met prior to approval of a risk-informed licensing action.

I agree with the Panel in emphasizing the need for independent technical review of plant specific configurations of electrical transmission and distribution systems in use by licensees to avoid approvals of applications based on comparisons to a standardized model of electrical power systems. Therefore, I support continuation of the current approach whereby diverse staff members work together to perform TSTF-505 and other risk-informed reviews in an integrated manner consistent with NRC's guiding risk-informed philosophy. I do not see a need to initiate new or additional initiatives or taskings.

Panel Recommendation 2

Consideration should be given to developing guidance for handling duplicative concerns identified in future differing views submittals (non-concurrence or DPO) to clearly separate issues of concern that are unresolved (or open) as part of other submittals that are undergoing disposition. Clarity should be provided to the submitter when the submittal is accepted into the process.

The NRC's differing views programs, including the NCP and DPO processes, are vital to ensuring a healthy safety culture within the agency and illustrate the NRC's commitment to the free and open discussion of professional views. I carefully considered the Panel's observations regarding the treatment of duplicative concerns in future NCP or DPO submittals and support efforts to enhance the differing views program in order to improve clarity in this area. In accordance with Management Directive 10.159, I refer this recommendation regarding the differing views program to OE.

[3] SRM-SECY-98-144, "Staff Requirements - SECY-98-144 - White Paper on Risk-Informed and Performance Based Regulation," dated March 1, 1999 (ADAMS Accession No. ML003753601) defines the terms and Commission expectations for risk-informed and performance-based regulation.

Concluding Remarks

The submitter's DPO is of notable technical merit and highlights the importance of ensuring that reviews of risk-informed initiatives are consistent with the NRC's risk-informed philosophy whereby risk insights are considered together with other factors, including defense-in-depth and safety margins. While I do not agree with the DPO submitter's recommended resolution to exclude the loss of offsite power sources from the RICT program, I do emphasize that independent technical review of plant-specific electrical transmission and distribution system configurations is essential to ensuring the appropriate eligibility of TS LCO CTs for a RICT under TSTF-505.

Although the submitter is now retired, I commend the submitter's commitment and dedication to the NRC mission. By raising these concerns and ensuring that they are heard and understood, the submitter contributes to a healthy safety culture within the agency.

A summary of the DPO will be included in the Weekly Information Report (when the case is closed) to advise employees of the outcome.