NOC-AE-06001969, Response to NRC RAI on STPNOC Proposed Risk-Informed Technical Specifications

From kanterella
Jump to navigation Jump to search
Response to NRC RAI on STPNOC Proposed Risk-Informed Technical Specifications
ML060480439
Person / Time
Site: South Texas  STP Nuclear Operating Company icon.png
Issue date: 02/10/2006
From: Mcburnett M
South Texas
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
NOC-AE-06001969
Download: ML060480439 (84)
v  d  e


Text

STY Nuclear Operating Company South TcwsPro/cc! Electri Gefnc gStation PO. Box 289 ftdsmwrth, Ts77483 February 10, 2006 NOC-AE-06001969 10CFR50.36 10CFR50.90 U. S. Nuclear Regulatory Commission Attention: Document Control Desk One White Flint North 11555 Rockville Pike Rockville, MD 20852 South Texas Project Units 1 and 2 Docket Nos. STN 50-498, STN 50-499 Response to NRC Requests for Additional Information on STPNOC Proposed Risk-Informed Technical Specifications

References:

1. Letter from S. M. Head to NRC' Document Control Desk dated March 18, 2003, "Letter of Intent to Submit a Broad-Scope Risk-Informed Technical Specification Amendment Request" (NOC-AE-03001458, ML031700451)
2. Letter from T. J. Jordan to NRC Document Control Desk dated August 2, 2004, "Broad-Scope Risk-Informed Technical Specification Amendment Request" (NOC-AE-04001666, ML042190366)
3. Letter from T. R. Tjader (NRC) to Biff Bradley (NEI) dated July 14, 2004, transmitting Requests for Additional Information on the Risk-Informed Technical Specification Initiative 4B submittals, including the STP letter in Reference 1 (ML044820347)
4. Letter from T. R. Tjader (NRC) to Biff Bradley (NEI) dated June 3, 2005, transmitting Requests for Additional Information on the STP application in Reference 3 (ML051510103)

Reference 1 is a letter of intent for STP Nuclear Operating Company (STPNOC) to submit a broad-scope risk-informed set of Technical Specification changes. Reference 2 is the license amendment request for the proposed risk-informed changes to the Technical Specifications described in Reference 1. Reference 3 is a set of NRC requests for additional information (RAIs) based on the staff's review of Reference 1. Reference 4 is a set of NRC RAls based on the staff's review of informal responses to Reference 3 and their review of Reference 2.

This submittal is provided to document STPNOC's response to both sets of NRC RAIs on the STP docket. A number of the Reference 4 RAI questions pertain to the STP Probabilistic Risk Assessment. As discussed with the NRC staff in a meeting on December 14 and 15, 2005, those responses require additional preparation and STPNOC will respond to those questions in a later submittal. 4 G0 STI 31978272

NOC-AE-06001969 Page 2 There are no commitments in this letter.

If you have any questions, please call Wayne Harrison at 361-972-7298 or me at 361-972-7206.

I declare under penalty of perjury that the foregoing is true and correct.

Executed onV4 tt, ZO(P&

Date M. A. McBurnett Manager Nuclear Safety Assurance Attachments:

1. Response to NRC Request for Additional Information dated July 14, 2004
2. Response to NRC Request for Additional Information dated June 3, 2005
3. Technical Specification Pages Affected by the RAI Responses

NOC-AE-06001969 Page 3 cc:

(paper copy) (electronic copy)

Bruce S. Mallett A. H. Gutterman, Esquire Regional Administrator, Region IV Morgan, Lewis & Bockius LLP U. S. Nuclear Regulatory Commission 611 Ryan Plaza Drive, Suite 400 Mohan C. Thadani Arlington, Texas 76011-8064 U. S. Nuclear Regulatory Commission Richard A. Ratliff Steve Winn Bureau of Radiation Control Michael A. Reed Texas Department of State Health Services Texas Genco, LP 1100 West 49th Street Austin, TX 78756-3189 Jeffrey Cruz C. Kirksey U. S. Nuclear Regulatory Commission City of Austin P. 0. Box 289, Mail Code: MN116 Wadsworth, TX 77483 Jon C. Wood Cox Smith Matthews C. M. Canady J. J. Nesrsta City of Austin R. K. Temple Electric Utility Department E. Alarcon 721 Barton Springs Road City Public Service Austin, TX 78704

NOC-AE-06001969 Attachment 1 Response to NRC Request for Additional Information dated July 14, 2004

Response to July 14, 2004 RAI NOC-AE-06001969 Attachment I Page 1 Request For Additional Information Needed To Complete The Technical Review of the South Texas Project (STP) Risk-Managed Technical Specifications (RMTS) Initiative 4b Full Plant Pilot These questions were provided to STPNOC via a letter NRC to NEI datedJuly 14, 2004.

STPNOC respondedto these questions through electronic correspondencefrom NEI to NRC.

STPNOC is now formally providing the responses as part of its docketed license amendment request. The initial responses to some of the questions have been revised to be consistent with the responses to a set of NRC questions received in a letterfrom NRC to NEI datedJune 3, 2005 and to reflect resolutions reached in meetings and conference calls with the NRC staff The revisions are denoted by strike-throughs and underlines.

1. It is stated (on page 5) that the proposed change (i.e., allowing flexible AOTs/CTs)

"addresses the principles of risk-informed decision-making setforth in Regulatory Guides 1.174 and 1.177." It is further stated (on page 6) that "the proposedchange does not measurably change overallaverage core damagefrequencyforSTP." The staff requests further clarification of these statements because there may be a difference in the understanding of such statement between the staff and the industry:

Please explain how the risk increases to be used in RG 1.174 criteria will be calculated (e.g., assessment of configuration risk vs. risk associated with the AOT/CT extensions, credit for compensatory measures, risk increases measured from the "zero maintenance" baseline or the "average maintenance" baseline).

If the risks associated with the extensions are not assessed separately from the overall configuration risks, please explain how the guidance of RG 1.174 will be implemented.

Response

The risks associated with AOT/CT extensions will be calculated from the time the affected component(s) is determined to be inoperable until there are no components in ACTION statements beyond their frontstop allowed outage time. The risk associated with the extended AOT can be tracked separately from the risk determined in the normal Configuration Risk Management Program (CRMP). The change in risk, the incremental conditional core damage probability (ICCDP) or the incremental conditional large early release probability (ICLERP), will be determined using the "zero maintenance" plant Probabilistic Risk Assessment (PRA) model and the actual plant configurations existing at the time of TS entry until the AOT/CT is exited. Any PRA credit determined to be appropriate will be included in the ICCDP/ICLERP calculation. Comparison of the calculated change will be compared to the requirements of Regulatory Guide (RG) 1.174 [lE-05 per year for core damage frequency (CDF) and IE-06 per year for large early release frequency (LERF)] by assuming that the change results in a temporary increase in CDF (or LERF) for the operating year.

Response to July 14, 2004 RAI NOC-AE-06001969 Attachment 1 Page 2 The current method of calculating ICCDP/ICLERP in the CRMP is based on the maintenance configurations actually encountered during a maintenance week and is controlled by procedure. If an existing maintenance configuration is carried over into the next week, the total ICCDP for the configuration is manually calculated by summing the weekly ICCDPs for the configuration until the component is returned to functional status.

The method of calculation for the proposed AOT/CT extension is identical to the calculations performed under the current CRMP with the following additional consideration. The total ICCDP/ICLERP will be automatically determined as the risk is being accumulated (i.e., a running summation until the AOT/CT is exited).

  • If contingency actions and compensatory measures are credited in assessing risk increases, risk-informed regulation requires procedures and administrative controls as well as appropriate PRA modeling for such actions and measures.

Please discuss how this requirement will be implemented.

If contingency actions or compensatory measures are required, they will be implemented in accordance with plant procedures and the RMTS Guidelines. (See the response to Question 3.)

2. Describe the process, including criteria, for initiating a plant shutdown. How will this process address the proposed removal of current constraints to plant operation at power imposed by the fixed AOTs/CTs? The staff believes that the guidance provided in maintenance rule (a)(4) regarding the initiation of plant shutdown needs improvement to compensate for the proposed removal of current constraints to plant operation at power imposed by the TS fixed AOTs/CTs. The staff believes that a risk-informed shutdown process based on clear generic principles and criteria is needed.

Please discuss.

Response

If the configuration risk crosses the lE-05 Potentially Risk Significant threshold or if the affected component cannot be restored to operable status in the allowed outage time, application of Technical Specification (TS) 3.13.1 with the CRMP requires that the LCO be considered not met and the action required by the TS that invoked TS 3.13.1 must be taken (e.g., be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD SHUTDOWN within the following 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />). The operators will proceed with an orderly shutdown in accordance with station procedures in the same manner they would for any other TS required shutdown. As provided by the TS, the shutdown does not have to be completed if the affected component is restored to operable status in the interim. This is consistent with the RMTS Guidelines.

Based on the discussion above, STPNOC believes the existing shutdown process and procedures are adequate for shutdowns that are required by proposed TS 3.13.1.

Response to July 14, 2004 RAI NOC-AE-06001969 Attachment 1 Page 3

3. Does STP have a process for identifying contingency actions and compensatory measures and determining their acceptability for both planned and emergent conditions? Will there be procedures and administrative controls for contingency actions and compensatory measures credited in risk assessments? Will there be any plant-specific guidance in assessing the risk impact of contingency actions and compensatory measures credited in risk assessments? Please discuss how STP proposes to address this issue in the risk-informed decision-making process for flexible AOT/CT extensions.

Response

The procedure for the CRMIP includes guidance for compensatory actions.

In general, STP will only credit contingency actions and compensatory measures that are already included in the PRA. For special emergent conditions where a contingency action or compensatory measure is not currently credited in the PRA, then either the affected equipment will be conservatively assumed to be inoperable and not functional or procedural and administrative controls will be required prior to taking credit in the PRA.

The CRAMP includes criteria for determining whether a SSC may be considered functional in the risk assessment. Those criteria ar- described in STPNOC's formal license amendment request dated August 2, 20047 The criteria for determining functionality are discussed in the response to Question 8 of the June 2005 NRC Request for Additional Information (RAI).

4. An important element of the proposed process, which is applicable to emergent conditions, is the ability to promptly consider and resolve common cause issues.

What guidance is, or is expected to be, available at STP on how to identify potential common- cause issues and on strategies and actions to promptly resolve any such issues? Is (will be) plant shutdown an option in this strategy? Please discuss.

Response

The STPNOC process is consistent with the RMTS Guidelines.

If a non-conforming or degraded condition is identified, the process of determining operability will assess the potential for common cause and for other trains or components being affected. This evaluation is performed in accordance with the STPNOC Corrective Action Program in a time frame commensurate with the safety significance of the affected equipment.

The requirement for a plant shutdown will be determined based on the operability of the affected equipment and the action required by the TS. In addition, the operability determination process performed by a licensed senior reactor operator when a degraded condition is identified requires reasonable assurance that there is not a common cause issue. If a common cause issue is present, it will be accounted for in the operability determination prior to the AOT determination. For components that might affect more than

Response to July 14, 2004 RAI NOC-AE-06001969 Attachment 1 Page 4 one train or function, the PRA and CRMP are used to provide insights regarding the safety significance. The STP PRA includes the effect of a component failure in the common cause failure of similar components; therefore, STPNOC does not adjust the failure rate for cross-train components when a SSC is found to be inoperable. The CRMP currently requires implementation of appropriate compensatory actions if the calculated risk crosses the lE-06 non-risk-significant threshold, and requires consideration of placing the plant in configuration that reduces the risk, including mode changes or shutdown, if the calculated risk crosses the potentially risk-significant threshold of IE-05.

The response to Question 3 of the June :3, 2005 NRC RAI provides additional information.

5. Does STP have guidance for considering unmodeled external challenges (e.g.,

challenges beyond the scope of PRA evaluation)? Please discuss.

Response

In STP's at-power PRA model (Modes 1 & 2) seismic, high wind, flood, and internal fires are explicitly modeled external events. Other external events were screened out as part of the external events analysis such as airc raft crash, tsunami, and toxic gas. The contribution from grid disturbances that could lead to offsite power degradations or loss of offsite power degradatiens are incorporated in the quantified model. Additional qualitative risk management guidance will be a part of the Configuration Risk Management seftware program used at STP as a part of this pilot effort. This feature will allow the incorporation of future risk management guidance that is deemed appropriate for the configuration risk management program.

6. Does STP have guidance for identifying high risk configurations in a timely manner?

Will "high risk configurations" be pre-assessed? Please discuss.

Response

The current CRMP computer tool, Risk Assessment Calculator (RAsCal), has the capability to quickly determine a "high risk configuration" and these configurations have been pre-assessed for the CRMP. Using a definition of high risk configuration of greater than lE-06 ICCDP within a week, only cross-train configurations of risk-significant components have the potential to cross the IE-06 ICCDP limit currently in effect in the CRMP. Examples include: two trains of essential cooling water; two standby diesel generators; or one essential cooling water train and another standby diesel generator.

Under the proposed AOT/CT process, the risk calculator will have at least the same capabilities as the current calculator. In addition, the calculator will contain a set of pre-assessed high risk configurations (those configuration where the AOT/CT extension is less than the proposed backstop).

Response to July 14, 2004 RAI NOC-AE-06001969 Attachment 1 Page 5

7. Does STP have guidance for considering the impact of inoperabilities on LERF? The staff believes that guidance is required to ensure that the increase in LERF (when equipment important to LERF is out of service) is assessed and considered in the decisionmaking process when an AOT/CT extension is considered. Also, please comment on the adequacy of the STP PRA models to calculate LERF increases. Will they be detailed assessments and/or bounding-type calculations?

Response

For nearly all evaluations, CDF is the only required metric. The STP PRA model includes a Level 2 Containment Response model (event tree). If containment response results are desired, an initiating event batch file that calls the containment event tree will be used to quantify the Level 2 results. Systems affecting containment response are included in the Level 1 event trees. Event tree macros are defined in a set of transition event trees (identified as plant damage state event trees in the model) that determine the status of the various systems and plant conditions necessary to properly quantify the Level 2 event tree.

The assessments for LERF will be detailed assessments (within the limitations of the Level 2 model).

8. In the STP response to Acceptance Review RAI #3b, it is stated that "establishing separate TS criteriafor emergent andplanned conditions would be counterproductive and administrativelyburdensome." The staff believes that the distinction between planned and emergent conditions is already part of the Maintenance Rule (a)(4) guidance (e.g., see "action thresholds based on quantitative considerations," Section 11 of NUMARC 93-01 endorsed by Regulatory Guide 1.182). This distinction, when properly tied to clear criteria for allowed risk increases, can be used (1) to compensate for the proposed removal of current constraints imposed by the fixed AOTs/CTs and (2) to develop a well-defined strategy for initiating a plant shutdown. For example, during an AOT/CT extension which is voluntary, will ICDPs greater than 1E-5 or instantaneous risks greater than 1.OE-3/year be allowed? If the answer is no, shouldn't an ICDP greater than 1E-5 or an instantaneous risk greater than 1.OE-3/year require the initiation of plant shutdown? Furthermore, the industry's RMTS guide states that preventive maintenance involving an AOT/CT extension will be planned so that it is completed before the ICDP reaches the value of 1E-6. Please discuss.

Response

In accordance with the RMTS Guidelines, STP's CRMP establishes lE-06 as the non-risk significant threshold. All maintenance work activities performed on equipment within the CRMP scope (i.e., planned or emergent) are included. Per the CRMP procedure, exceeding the 1E-06 threshold requires approval from the duty plant manager (in the case of planned work) and notification to the duty plant manager (in the case of emergent work). The IE-05 threshold is established as the potentially risk significant threshold. Exceeding this level or anticipating that this threshold will be exceeded due to plant conditions requires

Response to July 14, 2004 RAI NOC-AE-06001969 Attachment 1 Page 6 compensatory measures up to and including plant shutdown as described in the response to Question 2.

The responses to Questions 2 and 4 discuss requirements for shutdown at the potentially risk significant threshold (lE-05). STPNOC plans to establish an instantaneous risk threshold of lE-03/yr. in the CRMP, which is consistent with the RMTS Guidelines and the guidance endorsed by RG 1.182 for 10CFR50.65(a)(4) risk assessments. STPNOC's formal license amendment application dated August 2, 2004 (ML042190366) also clarifies the application of TS 3.13.1 and the CRMP. In Section 1 of Attachment I to that application, STPNOC clarifies that the risk threshold limit for planned maintenance is the non-risk-significant threshold of IE-06.

9. In the STP response to Acceptance Review RAI #2, regarding the lack of information about the risk assessments that support the proposed changes to the technical specifications described in Table 2, it is stated that "generalrisk insights" are included in Table 2 and that "the level of detail need to be resolved in a meeting with the NRC."

The staff notes the following:

(a) For many of the most risk significant proposed changes it is explicitly stated that the risk basis will be provided later.

Response

The risk basis is provided in the formal license amendment application dated August 2, 2004.

In the responses to the June 2005 RAI, STPNOC agreed to include additional information in Table 2.

(b) No risk insights or even a brief risk-based justification are provided for most of the proposed changes (see Table 2 column, labeled "Risk Basis Calculated STP AOT before Backstop"). Statements, such as "30 days (backstop)" and "Not risk significant" cannot be considered risk insights or appropriate risk-based justification for the proposed changes.

Response

The column is only intended to provide a perspective on the difference between a risk-informed AOT and the current "frontstop" AOT. It is not intended to be a justification. The justification is the methodological approach of measuring incremental and cumulative risk due to maintenance as described in STP's CRMP, the technical approach described in STP's submittal as augmented by the RMTS Guidelines.

In the responses to the June 2005 RAI. STPNOC agreed to include additional information in Table 2.

Response to July 14, 2004 RAI NOC-AE-06001969 Attachment 1 Page 7 (c) Many requested TS changes are not associated with Initiative 4b. Such changes should be submitted as separate risk-informed amendments.

Response

The non-relevant changes have been deleted for the formal license amendment application.

(d) In many cases the "front-stop" AOT is being extended or arbitrarily defined (e.g., when new action statements involving failure of more than one train are introduced). Extending the "front-stop" AOT or defining a "front-stop" for new actions requires separate risk-informed amendments according to RG 1.177.

Response

This comment was made in the January 2004 meeting with the staff. STPNOC revised the proposed changes so that the frontstops are the same as current TS. If current TS would require application of TS 3.0.3, the frontstop is 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.

(e) Entries in Table 2 column labeled "Risk Basis Calculated STP AOT Before Backstop" need clarification, What do they represent? For example, what does it mean "12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />" risk-based AOT before back-stop or "1 inoperable train of CCW: 29 years" AOT before backstop? Please explain.

Response

The table notes explain how the AOT was calculated. It is the time required for the cumulative risk to reach the Potentially Risk Significant threshold of IE-05, assuming only the subject component or train is inoperable. It is provided to give the reviewers a perspective on the relative significance of the component.

10. In the STP response to Acceptance Review RAI #2, regarding the lack of information about the risk assessments that support the proposed changes to the technical specifications described in Table 2, it is stated that the PRA quality evaluation is expected to provide a substantiallevel of confidence in the risk assessments. Although the staff does not disagree with this statement, it is important to confirm that the process of extending AOTs/CTs will bee properly implemented. There are cases where uncertainties in PRA models and data can have a significant impact on the decision-making process. The PRA quality evaluation is not expected to fully address this issue. In addition, the application of the RMTS process to some representative and "bounding" plant configurations would facilitate discussion between the industry and the staff and would provide useful input to the RMTS Guidelines currently being developed. For this purpose, it is proposed that STP and NRC staff meet to select a suitable set of plant configurations to apply the proposed Initiative 4b process. The

Response to July 14, 2004 RAI NOC-AE-06001969 Attachment 1 Page 8 analyses and results of such applications would be reviewed by the staff and discussed with STP.

Response

STP agrees that sampling of plant configuration evaluations should be reviewed by the Staff and discussed with STP. In general, parameter (aleatory) uncertainties will not be significant since the risk results used the the RITS 4B application are delta CDFs or LERFs (i.e., they cancel out). Of more interest would be a discussion on modeling (epistemic) uncertainty and how bounding and other sensitivity studies can be used to address this area.

STP also notes that risk management actions will mitigate uncertainties and that uncertainty is addressed in Section 3.5.2.1 of the RMTS Guidelines.

STP believes the PRA quality evaluation will be effective in addressing this issue.

STPNOC demonstrated its risk calculator (RAsCal) in the December 2005 meeting with the staff and understands that the staff plans to visit the STP site for additional review of the process.

11. In the STP response to Acceptance Review RAI #6, it is stated that for STP it is expected that Initiative 7 will be subsumed by Initiative 4b. STP staff stated, during follow-up meetings with the staff, that this is possible due to the good separation of the three STP safety system divisions. The staff need more detailed information about the existing divisional separation at STP and how this design feature will be incorporated in the PRA to address the inoperability of affected safety equipment, regardless of the cause. Please discuss.

Response

There are four independent trains of Class IE DC power. Train A supplies Train A equipment and Class IE Vital Distribution Channel 1. Train B supplies Train B equipment and Class lE Vital Distribution Channel 3. Train C supplies Train C equipment and Class IE Vital Distribution Channel 4. Train D supplies the turbine-driven auxiliary feedwater pump and Class IE Vital Distribution Channel 2. The associated battery chargers (two per train, one required) are powered from the associated Class lE AC distributions system.

Train D chargers are powered from Class lE AC distribution train A. There is no cross-train capability.

There are four independent Class IE Vital distribution channels supplied by safety-related inverters and non regulated 120V volta e regulating transformers. The Channel 1 inverters and transformer are supplied from AC train A backed up by Class IE DC Train A. The Channel 2 inverter and transformer are supplied from AC train A backed up by Class lE DC Train D. The Channel 3 inverter and transformer is supplied from AC train B backed up by Class IE DC Train B. The Channel 4 inverters and transformer are supplied from AC train C backed up by Class lE DC Train C. There is no cross-channel capability.

Response to July 14, 2004 RAI NOC-AE-06001969 Attachment 1 Page 9 There are four independent Qualified Display Parameter System (QDPS) trains. This system provides safety grade indication (RG 1.97 requirements) and control of selected plant systems (e.g., auxiliary feedwater (AFW) flow control valves and steam generator power operated relief valve (PORV) control). QDPS train A is supplied from Class IE Vital Channel 1, Train B is supplied from Class IE Vital Channel 3, Train C is supplied from Class lE Vital Channel 4, and Train D is supplied from Class IE Vital Channel 2.

There is no cross-train capability.

There are four trains of AFW, three motor-driven and 1 turbine-driven. Each train supplies its associated steam generator (A, B, C motor-driven, D turbine-driven). Manually controlled, air-operated (normally closed, fail closed) cross-ties are provided that allows any pump to feed any steam generator. These normally closed cross-ties are not included in the PRA model. Steam for the turbine-driven AFW pump is supplied by the D steam generator.

The three-train electrical auxiliary building (EAB) ventilation system supply and return headers are headered to allow ventilation air flow to all areas of the EAB with any set of supply and return fans. The three-train control room ventilation system is similar.

The three-train essential cooling water (ECW) system has a manually operated (normally closed manual valves) cross-train capability that allows any ECW train to supply any essential chilled water condenser. This capability is administratively controlled (valves are closed during power operation) and not currently credited in the PRA.

The above system/train interrelationships are explicitly modeled in the PRA. Especially for support systems, each train/channel is mnodeled as an individual event tree top event to ensure the relationships are correctly translated for quantification of the PRA.

The inoperability of safety-related equipment is modeled in the PRA using event tree macros to define equipment/train failure. Event tree top event rules and split fractions are defined for all combinations of equipment inoperability. The causes of the inoperabilty include out of service for planned or unplanned maintenance, or failure or unavailability of the various support systems. The current PRA model includes "maintenance macros" for most equipment included in the RITS initiative. Additional macros will be developed and added to the PRA model for those components (i.e., reactor trip bypass breakers, PORV block valves) that do not currently have maintenance macros.

12. An explanation of when the STP CRMP/RMG process would be utilized when equipment is "Tech Spec inoperable" yet is "PRA functional," and explain the rationale for those circumstances.

Response

This is discussed in more detail in the response to Question 8 of the June 2005 RAI Attachment 3 to the formal license amen deappt eapp;etf.

Response to July 14, 2004 RAI NOC-AE-06001969 Attachment 1 Page 10

13. The level of documentation required for an Initiative 4b risk assessment must be described; the documentation must be adequate for inspectors to verify the assumptions and results of the STP CIRMP process.

Response

The required documentation will be described in the implementing procedure consistent with the generic industry guidance.

14. When in limiting condition for operation (LCO) 3.8.1.1 action f (Table 2), with two or three required standby diesel generators (SDGs) inoperable, please clarify why the LCO is changed from the current 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. Also, if all three SDGs are inoperable, the risk basis calculated AOT before backstop is 40 hours4.62963e-4 days <br />0.0111 hours <br />6.613757e-5 weeks <br />1.522e-5 months <br />; justify operating for 40 hours4.62963e-4 days <br />0.0111 hours <br />6.613757e-5 weeks <br />1.522e-5 months <br /> when all SDGs are inoperable. We believe that application of Specification 3.13 is inappropriate in this case.

Response

With no operable SDGs, STP's current [S require at least one SDG to be restored within two hours. With two inoperable SDGs, STP's current TS require at least one of the inoperable SDGs to be restored in 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

As part of the plan to revise the application so that changes to frontstop times are not proposed, the proposed frontstop for TS 3.8.1 .1.f should be two hours. STPNOC will revise the proposed action accordingly in a supplement to the application.

STPNOC would not pre-plan an action where all three SDGs are inoperable. In the unlikely event that an emergent condition made all three SDGs inoperable or if the condition was such that the SDGs were inoperable but functional, the TS 3.13.1 AOT provides the opportunity to resolve the condition.

As discussed with the staff. TS 3.13.1 will not apply for a loss of function. The response to Question 8 of the June 3, 2005 RAI provides additional information.

15. With one required load sequencer inoperable and one required SDG not associated with the inoperable sequencer also inoperable, what would be the maximum time allowed by specification 3.13 assuming another safety system also becomes inoperable? Provide various examples.

Response

Using the "worst" combination of SDG and sequencer (SEQ) (i.e., SDG B and SEQ A with Idle Train "B") results in a risk-informed completion time of 20.4 days. Assuming that another safety system (Essential Cooling Water or Safety Injection Common) becomes inoperable, the results are as follows:

Response to July 14, 2004 RAI NOC-AE-06001969 Attachment 1 Page 11 DGB EWA SEQA = 5.0 days DGB EWB SEQA = 15.7 days DGB EWC SEQA = 37.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> DGB SEQA SICA = 18.4 days DGB SEQA SICB = 19.9 days DGB SEQA SICC = 19.9 days

16. The new LCO 3.8.3.1 action a, requires that with one or more A.C. vital distribution panel(s) either not energized from its associated inverter, or with the inverter not connected to its associated D.C. bus: (1) within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> re-energize the A.C.

distribution panel(s) or apply Specification 3.13. Please provide the following:

(a) Why is the LCO changed from one A.C. vital distribution panel to one or more A.C. vital distribution panel(s).

Response

The revised wording allows for the application of TS 3.13.1 for conditions where more than one vital distribution panel is not energized in accordance with the LCO. The AOT is reduced to one hour to account for the one hour frontstop associated with the application of TS 3.0.3, which is the TS that would apply for more than one panel not being properly energized.

(b) Why would you go to Specification 3.13 when you need only to just re-energize the A.C. distribution panel which can be accomplish in 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. We believe entering in Specification 3.13 in this case is inappropriate.

Response

STPNOC would probably not apply TS 3.13.1 if the action could be completed within the revised frontstop tinme (proposed 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />). The redundancy of the STP electrical power systems will provide adequate justification for extending the time beyond one hour, if necessary.

17. It is stated on page 8 that in cases where there are multiple components inoperable in more than one train, the calculated risk-informed AOT for the combinations may be less than currently prescribed in technical specifications. Please provide an example in the electrical area.

Response

STPNOC has not identified a electrical-only example. There may be examples involving a combination of electrical and mechanical components.

Response to July 14, 2004 RAI NOC-AE-06001969 Attachment 1 Page 12 STPNOC has proposed a separate specification to confirm the acceptability of the current AO T (i.e. frontstop) if action statements are entered in more than one LCO in the scope of the risk-mana-ged TS.

18. It is stated on page 7, fifth paragraph, that STP will not unnecessarily extend AOT times such that equipment availability and reliability is adversely affected or in conflict with maintenance rule requirements. What would be your course of action in case an equipment reliability does not satisfy the maintenance rule goals.

Response

STPNOC will maintain the plant in a safe configuration and comply with the TS and with the requirements of the STP implementing procedures for the maintenance rule [e.g.,

application of 10CFR50.65(a)(1), etc.]. This action is independent of and compatible with the implementation of the proposed risk-informed TS.

19. Provide justification for changing the current 3.8.2.1 actions a and b to new action requirement that combines both batteries and chargers. Is this change part of the risk informed technical specification amendment request?

Response

This change is part of the proposed risk--informed TS amendment request. Combining the actions into a single action is justified because the allowed outage time and required actions are the same for inoperable chargers and inoperable battery banks. There is no significant difference in the applicability of the TS and the change is largely administrative. The proposed one-hour time limit is consistent with TS 3.0.3 which would be required by the current TS for more than one inoperable: battery bank.

20. Page 10 discusses the compensatory measures that STP takes during the extended AOT. The staff feels that these measures are not adequate when an electrical equipment such as diesel generator is taken out for an extended period. Other compensatory measures that must also be included are as follows:

(a) The condition of the offsite power supply, switchyard and the grid will be evaluated prior to entering the extended AOT.for elective maintenance. An extended SDG AOT will not be entered to perform elective maintenance when grid stress conditions are high such as during summer temperature and / or high demand.

(b) No discretionary switchyard maintenance will be allowed. In addition, no discretionary maintenance will be allowed on the main, auxiliary or startup transformers associated with the unit.

Response to July 14, 2004 RAI NOC-AE-06001969 Attachment 1 Page 13 (c) No maintenance or testing that affects the reliability of the trains associated with the OPERABLE SDGs will be scheduled during the extended AOT. If any testing and maintenance activities must be performed while the extended AOT is in effect, it is recognized that a 10CFR50.65 (a)(4) evaluation will be performed.

(d) The steam driven emergency feedwater pump will not be taken out of service for planned maintenance activities and will be treated as protected equipment.

(e) The system dispatcher will be contacted once per day and informed of the SDG status along with the power needs of the facility.

Response

STP's procedures currently require very similar compensatory actions for this configuration. Implementing procedu res for the CRMP will maintain the requirements for these compensatory actions. STPNOC believes a licensee-controlled document such as the CRMP is the appropriate location for compensatory actions so that changes can be made if necessary to address a particular situation.

21. The staff has been granting SDG AOT extensions up to 14 days provided the licensees have installed an extra A.C. power source or make available the alternate A.C. source installed to satisfy the requirements or station blackout rule. This extra power source can be substituted for an inoperable SDG during the extended AOT. Additionally, these requests are supported by a PRA analysis that demonstrates that overall risk is very low during the extended outage. In view of the above, provide justification for extending the AOT beyond 14 days without an extra power source.

Response

STPNOC performed extensive evaluations to justify the one-time extension of the allowed outage time for SDG-22 (Unit 2, Train B) to 113 days. Although STPNOC installed temporary diesel generators as a compensatory action, the actual configuration risk for the SDG-22 extended outage without crediting the temporary diesel generators was less than lE-05 (see attached figure).

The case of SDG-22 is unusual and would still require prior NRC approval, even with the approval of the proposed amendment. However, it is a good example of the application of the CRMP to manage risk.

For the application of the proposed amendment, STPNOC would be able to plan SDG maintenance with a duration less than the non-risk-significant threshold of IE-06. For the SDGs, this duration would be about 19 days for the Train A SDG, and the 30-day backstop for Train B and Train C SDGs.

Response to July 14, 2004 RAI NOC-AE-06001969 Attachment 1 Page 14 The demonstration of the ability to manage the risk and the relative risk significance of the STP SDGs and the limitation provided by the 30-day backstop justifies the ability to extend the AOT beyond 14 days without temporary emergency power.

22. The STP TS 3.13 Actions require determining that the plant configuration is acceptable for a completion time extension beyond the [Front Stop AOT.] It also requires determining that the configuration is acceptable for completion time extension beyond the [Front Stop AOT] whenever configuration changes occur that may affect plant risk. Specify the allowable time to complete the required determination process and justify that the associated risk is negligibly small.

Response

This time will be defined in the implementing procedure for the Configuration Risk Management Program and will be consistent with the generic industry guidance.

23. The 30-day CT backstop needs to be explained and justified.

Response

The 30-day backstop does not have a technical basis. It preserves the licensing and design basis described in the UFSAR for configurations that are not risk-significant and where application of the risk threshold alone would result in extremely long allowed outage times.

It is analogous to but more conservative than the 90 days allowed by the implementation of 10CFR50.59 for a temporary modification in support of maintenance to be in place before a 10CFR50.59 evaluation is required.

The 30-day backstop is also consistent with the existing TS allowed outage times for non-risk-significant equipment such as radiation monitors post-accident monitoring, and remote shutdown.

24. For the following specifications discuss application of the risk-informed CT (RICT) determination process to conditions not currently addressed by the STP Technical Specifications (TS), including loss of function conditions. Discuss compensatory measures including accident mitigation strategies, and the availability of alternative safety and non-safety accident mitigation systems. Justify the proposed changes to the TS.

(a) STP TS 3.4.2.2 - Pressurizer Code Safety Valves: WOG STS 3.4.10, Action A requires that with one pressurizer safety valve (PSV) inoperable, restoration must take place within in 15 minutes. The completion time (CT) of 15 minutes reflects the importance of maintaining the RCS overpressurization protection systems. Action B requires that if the inoperable PSV cannot be restored within the CT or two or more PSVs are inoperable, the plant be brought to MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in MODE 4 in the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The proposed TS 3.4.2.2 allows one or more PSVs inoperable up to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, or the RICT for

Response to July 14, 2004 RAI NOC-AE-06001969 Attachment 1 Page 15 restoration. The use of a RICT for two or more PSVs inoperable is not consistent with either the current STP TS or the STS.

Response

As discussed with the staff, STPNOC has deleted the applicability of TS 3.13.1 to TS 3.4.2.2 for pressurizer safety valve s.

The STP TS de not have a 15 minute requirement. The STP TS has action only for one inoperable code safety valve and requires the inoperable valve to be restored in one hour. If more than one code saf ale s;inoperable, T 3.0.3 applies until the plant isa inMODEwhere thccde safety vale T n longer applies. onasequently,X the effective allowed outage time in the current TS is one hour regardless of how many code safety valves are inopmble.

STPNOC believes TS 3.13.1 should be allowed to be applied to this TS. The pressurizer-POR Hs functionally redundant for pressureVontro1 of the reacto are coolant system. Since the safety valves are not tested o- challenged during normal plant operation, the only likely challenge to their operability is a design basis question or a qualification question where there is likely to be some degree of functionality.

Application of TS 3.13.1 would erable STPNOC to resolve the operability issue or 1 , __ -- 1. _ _  :.

secFei Eefuater-vI reffei. it nieeessarlv.

A, (b) STP TS 3.4.4 (ACTION c) - PORVs and Block Valves: Action c of the current TS 3.4.4 specifies requirements for the plant conditions with both PORVs inoperable due to causes other than excessive seat leakage, and is consistent with Action E of STS 3.4.11 that requires that the plant be brought to MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for both PORVs inoperable.

The use of a RICT with both PORVs inoperable is not consistent with either the current STP TS or the STS.

Response

Because the safety valves provide overpressure protection and there is low likelihood of an initiating event, application of the CRMP is practical for this situation. The risk calculated in the formal license amendment request would permit extending the allowed outage time to the 30-day backstop. However, a condition where both PORVs are inoperable would be the result of an emergent condition and would not be a planned configuration.

(c) STP TS 3.5.1 (Action a) - Accumulators: STS 3.5.1 requires that with one accumulator inoperable due to reasons other than boron concentration outside the required limits, the accumulator must be returned to operable status within one hour. In this condition, the required content of three accumulators cannot be assumed to reach the core during a LOCA. Due to the severity of the consequences should a LOCA occur in this condition, the one-hour CT ensures

Response to July 14, 2004 RAI NOC-AE-06001969 Attachment 1 Page 16 that prompt action will be taken to return the operable accumulator to operable status. Furthermore, Action D requires that if two or more accumulators inoperable, LCO 3.0.3 must be entered immediately since the plant is in an condition outside the accident analysis. The proposed TS 3.5.1 (Action a) allows one or more accumulators inoperable up to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, or to the RICT for restoration. The use of RICT for more than one accumulator inoperable is not consistent with either the current STP TS or the STS.

Response

The formal license amendment request changed the proposed 24-hour allowed outage time for one or more inoperable accumulators to one hour, which is consistent with the current TS allowed outage time for more than one inoperable accumulator (i.e.,

TS 3.0.3). STPNOC can determine a risk-informed completion time for more than one inoperable accumulator within that proposed allowed outage time. The accumulators have very low significance in the STP PRA and allowing a risk-informed completion time for more than one inoperable accumulator is appropriate.

(d) STP TS 3.5.2 (Action b) - ECCS in MODES 1, 2 and 3: STS 3.5.2 requires that for a condition where the ECCS flow is less than 100 % of the required ECCS flow assumed in the LOCA analysis, the plant must enter into LCO 3.0.3 immediately because the plant is in a condition outside the accident analysis.

Action b of the proposed TS 3.5.2 allows less than two of the required ECCS subsystems to be operable for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> or to the RICT to restore operability. Allowing up to the RICT to restore operability of at least two of the required ECCS subsystems is not consistent with either the current STP TS or the STS. To be consistent with I'S 3.5.2, Action b should be changed so that for the ECCS flow less than that assumed in the LOCA analysis, the plant must be brought into LCO 3.0.3 immediately.

Response

With two inoperable trains of SI there is generally not a loss of safety function, although STP cannot mitigate LBLOCA if the SI train is injecting into the broken RCS loop. Mitigation of SBLOCA with SI in the broken loop requires operator action. Steam line break mitigation is impaired, but DNB is not expected to occur.

With no operable trains, STP loses the SI safety function; however, a risk-informed AOT is appropriate to accommodate specific situations where the SI trains are degraded but still functional and to allow for timely actions commensurate with the actual significance of the condition. Note that risk-informed completion times are not based on meeting design basis assumptions.

The proposed one hour time limit is consistent with the requirement of TS 3.0.3 which would apply to the current I'S.

Response to July 14, 2004 RAI NOC-AE-06001969 Attachment 1 Page 17 The response to Question 8 of the .rune 2005 RAI provides additional information with regard to how functionality will be assessed. TS 3.13.1 cannot be applied for a Loss of Function. A Loss of Function for ECCS occurs when none of the three ECCS trains are functional.

Response to July 14, 2004 RAI NOC-AE-06001969 Attachment 1 Page 18 Comparison of Planned and Actual Risk (ICCDP) for Unit 2 During SDG 22 Outage Data source: NDG Planned - PRA Rev 4 Model Including NDG effect on risk (NDG failure and associated operator data are assumed)

Rev 4 Planned - PRA Rev 4 Model assuming no NOG effect on risk Actuals - RAsCAL data for previous work week and PRA Rev 4 1.OE-05 8.01E-06 II, 6.OE-06 0

U 4.OE-06 2.01E-06 O.OE+00 O a C. 0 C C C r- .0 .0 .0 .0 1..-

(D a) a) a) co Ca u Cu a a) a a uco cd as C II I I? I S I I SL~

Cb o

it J~ 0 C\J 0 LO) C'J 0) to e\j CY Cc0 co co LO I

(\J 0) i- ' - C\j 0 0 V' C\j 0 0 '- (' (\1 Date

- - - NDG Planned - -- --- Rev 4 Planned Actual NDG Actual I

NOC-AE-06001969 Attachment 2 Attachment 7 Response to NRC Request for Additional Information dated June 3, 2005

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 1 Request for Additional Information - Technical Review of STP RMTS Initiative 4B Full Plant Pilot Note: As discussed in the cover letter, some responses associatedwith RAIs regardingthe PRA requireadditionalpreparationand will be provided in a latersubmittal. Those responses are denoted with an asterisk.

1. RAI #1 requested clarification of the risk calculations planned for the RMTS program to assure Regulatory Guide 1.174 criteria for acceptably small risk increases was being met. The response stated that the total ICCDP and ICLERP would be "automatically determined as the risk is being accumulated...". Please provide additional detail as to how this automatic calculation is physically accomplished.

Response

The approach used at STP for configuration risk management employs pre-solved configuration-specific Level 1 PRA calculations. The PRA scope and quality is structured to satisfy RG 1.200 requirements and also be acceptable for calculating the change in risk due to the removal of equipment from service. Only the equipment within the scope of the CRMP can be evaluated in terms of delta risk (i.e., change in core damage frequency). The CRMP processes are procedurally controlled. The procedure establishes the organizational requirements and responsibilities for administering the CRMP. The automatic calculations are physically performed by the Risk Management organization as part of the proceduralized PRA update process. All the existing configurations (>20,000) are individually calculated, verified, and the results stored in a database. Station personnel can then access the pre-calculated results using the Risk Assessment Calculator (RAsCal) software tool. This software tool is LAN-based and uses a centralized database. The software complies with the station's software QA program. In the event a configuration is entered into the RAsCal program which is not represented the pre-solved configuration database, then an error message ("unquantified maintenance state") is displayed and information detailing the specifics of the configuration are captured. A member of the Risk Management team is on duty or on call at all times. They are trained in calculating plant configurations. Once an unquantified maintenance state error message is received, the configuration is calculated and added to the pre-solved configuration database. This process can take up to an hour, but is rare for an actual plant condition.

It is the staff's understanding that the accumulated risk, tracked from the point when the frontstop CT is first exceeded until all extended CTs are exited, and based on actual plant configurations, will be cumulatively tracked and periodically reviewed to determine that the overall RITS program application meets the criteria in Regulatory Guide 1.174 for small risk increases. Please confirm.

Response: The staff's understanding as described is correct.

Further, it is the staff's understanding that the actual integrated risk (either ICDP or

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 2 ILERP) will be tracked during use of the RICT and will be used to determine the amount of time available to reach the integrated risk limits for the RICTs (i.e., 10.6/10.7 ICDP/ICLERP for RMA threshold RICT, 10 51106 ICDPAICLERP for the maximum safety limit RICT). That is, the calculated RICT is dependent upon the actual configuration which currently exists, and on the actual accumulation of risk which has occurred from the point the equipment was declared inoperable. Please clarify.

Response:The staff's understanding as described is correct.

Finally, it is also the staff's understanding that once the RICT is entered, accumulation of risk toward the 10.5/10.6 ICDPAICLE RP for the maximum safety limit RICT continues until all LCOs for which the frontstop CTs have been exceeded have been restored to a MET status (components fully operable). Please confirm.

Response: The staff s understanding as described is correct.

2. RAI #3, in part, requested the requirements for crediting compensatory measures and contingency actions in risk assessments performed for RICT calculations. In response, it was stated that only actions in the PRA model would be credited, typically, and that special emergent conditions would require procedural and administrative controls.

This seems to contradict the guidance provided in Attachment 3 of the licensee's August 2, 2004 submittal, used by the operators to determine functionality, which implies that SSCs can be considered functional with manual operator actions

"...contained in approved written instructions..." (item 1), and that realignment from surveillance testing can be credited if included in the test procedure. Considering such equipment functional appears to be the expected outcome of the guidance, and effectively assigns an HEP of zero to those manual actions. The staff believes that credit should be taken in accordance with the applicable PRA standards after a realistic or bounding human reliability analysis is used to quantify the action, and an assessment of potential dependencies with other actions is considered. Further, the relevant procedures should be part of the expected plant response to accidents or transients (i.e., emergency or abnormal operating procedures), or to component failure (alarm response procedures), to assure that a direct cue is available which directs the operator to the applicable procedure. The mere existence of written instructions does not assure timely implementation of recovery actions. Please discuss in detail how manual actions are credited for functionality determinations for RICT calculations.

Response

For RICT calculations, out-of-service time will be based on the time the affected equipment is not OPERABLE per TS requirements. The current HRA and associated HEPs satisfy RG 1.200 and other requirements documents (e.g., ASME RA-S-2002). Operator actions are not credited in a RICT calculation unless the actions are accounted for in the PRA. (See also the response to 8.c.)

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 3

3. RAI #4 asked for clarification of the STP process for assessing common cause failure potential. Additional information is required for the staff to understand how STP assesses CCF within the context of a RMTS program.
a. STP identified their Corrective Action Program as providing guidance for the CCF assessment. Please discuss the specific technical guidance provided to the operators which would apply to an emergent failure or condition of components within the scope of the RMTS. Does the CCF assessment require testing, inspections, or other activities to reach a determination? How is the time frame for this assessment determined within the Corrective Action Program (i.e., within the frontstop CT?).

Response

The STP common-cause assessment is performed consistent with the description in the proposed RMTS Guidelines.

The STP Corrective Action Program (CAP) is based in part on the guidance provided in Part 9900 of the NRC Inspection Manual for degraded and non-conforming conditions (originally provided as Generic Letter 91-18). The CAP procedure requires evaluation of extent of condition for emergent issues that could affect plant reliability. In addition, Licensed Operators recognize that an emergent condition identified on a TS component may have the potential to affect a redundant component or similar components. In addition to a determination of operability on the affected component, the Operator is expected to make a judgment with regard to whether the operability of similar or redundant components might be affected. In accordance with the guidance of Part 9900 of the NRC Inspection Manual for degraded and nonconforming conditions, the determination of operability is to be done promptly, commensurate with the safety significance of the affected component. The STP procedure direction is that initial Operability screening is to be commensurate with the safety significance of the Condition, but should normally not exceed one work week. Initial Operability screening for Conditions with allowed outage time less than 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, and which have a shutdown action statement, should normally be completed within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

b. From Attachment 3 of the licensee's August 2, 2004 submittal, it is stated that SSCs are considered functional if jit is "reasonably assured" that they can perform intended functions. If an emergent failure of one of three redundant components occurs, would all trains be declared inoperable, but the unfailed components be considered "reasonably assured" of being functional unless they specifically exhibited symptoms of the failure mode?

Response

Based on the information available, the Licensed Operator is often able to make an immediate determination that there is reasonable assurance that redundant or similar components are not affected. Using his judgment with regard to the specific condition,

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 4 the Operator may direct that similar or redundant components be inspected for evidence of the degradation. For conditions where the Operator has less information, assistance from other organizations, such as Engineering, is typically requested. The organization continues to perform the evaluation promptly, as described above. Absent indication that the redundant or similar components are affected by the condition, the Operator may consider those components to be operable. The guidance contained in Part 9900 of the Inspection Manual is used as well as conservative decision-making for extent of condition evaluations. The components are considered functional in the PRA unless the operability evaluation determines otherwise.

c. It is stated that if a CCF issue is determined to exist, "it will be accounted for in the operability determination". Please clarify - does this mean that the components will be considered inoperable or non-functional?

Response

See the response to 3.b. above. If the operability determination identifies the same degraded or non-conforming condition exists in the redundant train components, they will be declared inoperable.

d. It is stated that the PRA and CRTVIP are used to provide safety significance insights "for components that might affect more than one train or function".

Please clarify - should this refer to "component failure modes" instead of "components"? How are the insights used in the RMTS program for RICT calculation?

Response

STP agrees that "component failure modes" is a more appropriate description. Insights are used in the RMTS program to identify qualitative risk management actions but are not typically used for RICT calculations. The insights may be used to facilitate and prioritize the determination of the extent of condition, as discussed in the response to Question 3a. The RICT may be affected if other SSCs are determined to be affected.

e. It is stated that the PRA "includes the effect of a component failure in the CCF of similar components", but then states that the failure rate of "cross-train" components is not adjusted. Please clarify exactly what the PRA calculation is doing for CCF rates when an emergent SSC failure occurs.

Response

The failure rates for cross train equipment within the same system are not adjusted under the assumption that a "train" is removed from service (voluntarily or involuntarily). The common cause treatment is changed. The RISKMAN software is designed to account for removing a train or trains from service (i.e., guaranteeing

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 5 failure of one or more trains). The common cause treatment is adjusted mathematically by the software.

STPNOC has provided input to revise the RMTS Guidance to reflect that failure rates need not be adjusted for a single failure.

f. It is stated that the CRMIP "...requires consideration..."of risk reduction actions including plant shutdown if the risk crosses the 1E-5 threshold. It is understood that the 1E-5 risk is the RICT limit, which would require applicable TS shutdown actions. How could such actions only be "considered" in a RMTS program?

Response

When the proposed risk-informed TS is implemented, TS 3.13.1 will require application of the pertinent TS ACTION from the referencing TS if the lE-05 threshold is crossed. If that ACTION requires shutdown, then that will be the action required by TS 3.13.1. In accordance with TS 3.0.2, the shutdown action may be exited if the limiting condition is restored.

4. RAI #7 requested clarification of the assessment of LERF within the RMTS program.

In response it was stated that CDF is the only required metric "for nearly all evaluations", then described the capability to perform such assessments with the PRA model. Please clarify under what configurations would a LERF assessment be performed. The RMTS guidelines require the LERF evaluation for all RICT calculations, so it is not clear how LERF could not be required.

  • Response:

The term "for nearly all evaluations" is based on STP's current experience with our RAsCal program which shows that CDF is almost always the limiting figure-of-merit for a RICT calculation. Only the equipment that is important for containment performance and has little or no role in the likelihood of core damage is equipment for which LERF would be more limiting. STP's PRA will have an update to its Level 2 PRA in 2005. Once the Level 2 update is completed, a study will be performed to determine what configurations or equipment are more limited from a LERF perspective as opposed to CDF. The results of this study will be a key input to the final resolution of this issue. Should the occurrence of LERF limited components be relatively small or few (<10), then a logical solution would be to incorporate the LERF calculation directly into the RAsCal database. Should the occurrence of LERF limited components be relatively high (>10), then it could be more cost effective to augment the RAsCal database with LERF calculations for all configurations. In either case, the CRMP will be designed to select the more limiting of the two figures-of-merit, CDF or LERF, for the appropriate RICT calculation.

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 6

5. RAI #8 requested clarification of the IRMITS program treatment of planned vs.

emergent configurations. In response, it was stated that a threshold CDF of 10'6 was established for planned configurations, consistent with the generic guidelines, but then identified that a higher risk level could be used by duty manager approval. It was not stated if this approval is used only to address emergent conditions or if it could be part of the normal planned maintenance practices. It is the staff's understanding that planned use of RICTs would be applicable to preventive as well as emergent corrective maintenance, and will not exceed thresholds of 10-6 for CDF and 10 7 for LERF. It is also the staff's understanding that the use of the higher RICT limits would only be used for emergent failures of equipment or other unanticipated conditions which occur during implementation of an RICT. Please clarify.

Response

The staff's understanding is generally correct with the exception that emergent conditions are not necessarily only those that occur during implementation of a RICT. STP plans routine maintenance not to exceed the lE-06 ICDP threshold in accordance with the configuration risk management procedure. However, the procedure allows planned exceedance of this threshold with Plant General Manager approval. Although it is not a procedure or program limitation, the most likely reason for a planned exceedance would be to address an unexpected condition identified during operation. Configurations where the 1E-06 ICDP threshold is exceeded will be tracked in the Corrective Action Program.

6. RAI #9 requested clarifications of the risk assessments documented in Table 2 of the licensee's August 2, 2004 submittal. Table 2 includes the column "Risk Basis Calculated STP AOT Before Backstop (base case)" which is further clarified in footnote 1 as the calculated time to reach an ICDP of 1E-5. Each of the technical specification LCOs includes actions for one or more of the redundant trains being inoperable, but only a few of the table entries provide the corresponding RICT for each separate configuration. Please provide an expansion of this table to provide the calculated RICT for each number of trains being inoperable within the proposed scope of the submittal. If there is a significant difference in the RICT depending upon which train(s) is inoperable, identify each RICT and provide the basis for the asymmetry in the calculated RICT.
  • Response:

Table 2 is being revised to include additional cases and to better describe the asymmetries in the risk associated with inoperable trains This information will be provided in a later submittal. Note that Table 2 is not intended to be all-inclusive. Its purpose was to provide the reviewer with a general insight with regard to the margin to the existing allowed outage times.

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 7

7. The staff has no additional questions regarding RAI #10, except to confirm our interest in seeing the STP program demonstrate application of the RMTS for several plant configurations.

Response: STPNOC can arrange to demonstrate the application either at the STP site or in the NRC offices.

8. RAI #12 requested further explanation of the distinction between "inoperable" and "non-functional" components within the RMTS process. In response, Attachment 3 of the licensee's August 2, 2004 submittal was referenced. The staff requests additional clarification of the use of functionality to determine RICTS for TS.
a. The licensee submittal identifies a differentiation between the definition of OPERABILITY applied to the technical specification LCOs, and the term "functionality", which is not defined in technical specifications, to be applied to components for calculating RICTs. When a component is INOPERABLE, due to the inability to perform a limited portion of its intended functions, and these functions are distinguishable in the PRA model and can therefore be quantified while taking credit for those functions which the component is still able to perform, it may be acceptable for the RICT to be longer than would otherwise be calculated if the component is assumed to be completely non-functional. However, if one or more components are determined to be INOPERABLE, but the loss of functionality is (1) not known or uncertain, or (2) not capable of being addressed in the PRA model, then the component should be assumed to be non-functional for purpose of calculating a RICT. This would typically arise with emergent issues associated with design issues of components which impact all safety trains, and would currently require entry into TS 3.0.3. Please discuss in detail how components which are inoperable may be evaluated as fully or partially functional in the calculation of RICTs. Several examples which cover the spectrum of possible conditions may be beneficial to the staff's understanding of this issue.

Response

STPNOC agrees that if a componenti is determined to be inoperable and there is not reasonable assurance of its functionality or it is not capable of being addressed in the PRA model, it should be assumed to be non-functional for calculating the RICT. As discussed in the response to Question 3.b, the redundant or similar components may still be considered operable and functional.

The August 2, 2004 application provides the current CRMP requirements for a component to be considered functional. The criteria described in the CRMP typically apply to situations affecting a single component, not conditions where TS 3.0.3 would apply. In no case is a component determined to be functional without authorization from the Shift Supervisor.

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 8 For determination of a RICT, STPNOC proposes to apply criteria that conform to the criteria currently proposed in the RNITS Guidelines and are described below.

Application of TS 3.13.1 will provide action for conditions where more than one train or channel of a function is inoperable. Unless otherwise permitted in the TS, TS 3.13.1 will not be applied for configurations where there is a complete loss of function (e.g.,

all three trains of ECW or all channels of an actuation logic that results in all trains of a function being non-functional).

If a component is determined to be inoperable, it may still be considered to have PRA Functionality for calculation of a RICT if there is reasonable assurance that it can perform its required functions for events not affected by the degraded or non-conforming condition and if the condition can be quantified in the PRA. If these conditions are not met, the component will be assumed to be non-functional for calculating the RICT; i.e., it will have no PRA Functionality. Components that are not capable of meeting an operating parameter specified in the TS (e.g., pump flow) may not be considered functional for the events for which that parameter is assumed to be met.

For the purposes of this specification, Loss of Function occurs when there is no PRA Functionality in any train or channel of a TS required function to mitigate specific PRA scenarios.

Examples of where a component has PRA Functionality such that the condition could be quantified in the determination of an allowed outage time are listed below.

  • SSCs that don't meet seismic requirements but are otherwise capable of performing their design function.
  • SSCs that are inoperable but secured in their safe position (e.g., a closed containment isolation valve).
  • SSCs powered from a source other than their normal power source, provided the alternate power source is modeled in the PRA.
  • An SSC with an inoperable automatic function if the manual actuation of the SSC is modeled in the PRA (e.g., a diesel generator with an inoperable sequencer).

Actuation channels are associated with their actuated components or trains. Loss of actuation channels is not considered a Loss of Function unless no train of the actuated SSC function has PRA Functionality.

  • An SSC that is functional for mitigation of a set of events (e.g. steam generator tube rupture, small break LOCA) but is not functional for other events for which it is credited (e.g. large break LOCA or steam line break), providing the PRA model can quantify the risk for the calculation of a RICT. An example of this type of condition is degradation of environmental qualification.

The STPNOC functionality assessment is consistent with the guidance proposed in the RMTS Guidelines.

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 9

b. With regards to functionality vs. operability, it is understood that functionality will only address requirements modeled in the PRA. Some mitigating functions are reviewed and screened out in the development of a PRA model due to low frequency of demand for the particular function, or the low probability of failure of the function. For specific configurations which may be encountered during planned maintenance or testing, combined with possible emergent conditions, these screened functions could become more important, and would potentially impact the calculation of a RICT. For each of the TS LCOs for which the RMTS will apply, (1) identify the PRA function(s) which are modeled including success criteria if different than the design basis, and (2) identify any design basis functions not modeled, and (3) justify that these should not significantly impact the calculated RICT under configurations covered by the RMTS.
  • Response:

The response to this question will be addressed in parts. However, prior to each of the three sections some background information is provided.

1) STP's PRA has undergone several independent reviews for scope and quality. In general, PRA functions modeled are contained in the system and event tree notebooks documentation. In this regard, the documentation of PRA functions is required by PRA standard's requirements. In STP's peer review there was not an observation documented on the lack of this information but that the information was dispersed in numerous system and event tree notebooks. STP will be providing a Success Criteria notebook with the upcoming Revision 5 of its PRA to place modeled PRA functions and associated success criteria in a more reviewer-friendly format.
2) It is important to note that only those safety functions which are within the PRA scope (or which can be directly linked to a PRA scoped function) are in the RMTS scope. In general there are very few design basis functions not within the PRA scope. An example of a design basis function not modeled in the PRA is radiological detection systems.
3) As mentioned in 2) above, onl y those systems within the PRA scope are in the RMTS scope. Those systems which are not in the scope of the PRA will not be a part of the RMTS and, thus, w ill retain their current TS allowed outage time requirements.

STPNOC will provide a comparison in a follow-up submittal.

c. Furtherwith regards to functionality vs. operability, Attachment 3 of the licensee's submittal identified procedural requirements for functionality. The staff requests additional clarifications of the application of these requirements in RMTS:

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 10 Item 1 states that a component is lunctional without automatic actuation if "prompt restoration" by the control room operator or a dedicated local operator is available, with written instructions provided for actions not involving complex repairs or diagnostics. Similarly, item 9 allows actions in surveillance procedures to be similarly credited. The staff assumes that such recovery actions would not normally be part of the baseline PRA model, but would be specific to the configuration. Crediting such manual recovery actions, without a quantitative consideration of the human error probability, or of dependencies on other actions which may be required in specific sequences, would not be appropriate for calculation of RICTs. This also appears to conflict with responses made to NRC RAI 3, that only PRA modeled actions are typically credited in the RICT calculations.

Item 4 identifies examples of alterations which affect functionality. Some can be directly evaluated as to impact (i.e., jumpers or lifting electrical leads), but the others are somewhat uncertain as to the impact on functionality.

Item 5 allows an SSC to be functional if there is "reasonable assurance" that it can perform its intended functions. The staff is concerned that two standards are being applied with regards to the operators' confidence in assessing the status of SSCs, one to determine operability and a lesser standard to determine functionality.

Items 5 and 8 identify that, if the functionality determination is later determined to be in error, "non-functional time will be corrected accordingly". This implies that the determination of functionality need not be rigorous and can have some degree of uncertainty, since it can be later modified if found to be incorrect. This would not be appropriate for RICT determination.

Response

The standards for determining a component is functional with manual action in lieu of automatic action are identical to the standards applied in Part 9900 of the Inspection Manual for determining a component is operable with manual action in lieu of automatic action. For an operator action to be credited to maintain functionality, it must be modeled in the PRA.

The response to Question 8.a. describes the standards for functionality, which clearly require the component to be able to perform its function and requires the degradation to be quantified in the PRA. If the degradation cannot be modeled in the PRA then the component would be considered not functional for purposes of calculating a RICT. The requirements for operability as it is defined in the TS have not changed.

The functionality determination is expected to be correct. The functionality determination is performed in accordance with regulatory inspection guidance as mentioned above. The likelihood of the functionality determination being wrong would

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 11 be considered a rare event unless new information was discovered that had a direct impact. In the event that this occurs, the RICT calculation would be corrected and incorporated. Other actions that may be required as a result of the revised RICT calculation would be processed in accordance with station procedures. The intent is not to relax the rigor of the determination, but only to prescribe how the component is to be treated in tracking the cumulative risk in the unlikely event that the determination is found to be incorrect.

9. RAI #24 requested justification of proposed changes which involved application of the RMTS to loss of function conditions. The staff requests additional discussion of these configurations, and refers to new RAD; #25 through #38.
10. The licensee proposes to apply a RICT to the reactor trip breakers (TS 3.3.1.20) and to the automatic trip and interlock logic l(TS 3.3.1.21). It is therefore critical to this application that the PRA modeling and success criteria for ATWS sequences be thorough and comprehensive, unless bounding analyses are applicable.
a. In the development of accident sequences, it is not unusual to screen out failure to trip the reactor for some initiating events, such as LOCAs, steamline breaks, or SGTRs, since the combination of the low frequency initiator and the failure of the reactor trip system, as well as the potential for adequate negative reactivity from ECCS flow, make these sequences very low frequency. However for this application, such a screening process may not be appropriate. Please discuss.

Response

STP has elected to remove the reactor trip breakers (TS 3.3.1.20) from the scope of the application.

b. The success criteria for mitigation of an ATWS event is dependent upon the specific point in each operating cycle, as well as the cycle-specific core reactivity design characteristics (i.e., moderator temperature coefficient and the unfavorable exposure time). It is not unusual that the risk calculations performed to support the CRMP for Maintenance Rule a(4) would not specifically account for the time in the operating cycle, but instead use a cycle-average risk calculation. In order to support the calculation of a RICT for these TS, such an average calculation may not be appropriate, and the configuration-specific risk should account for this time-dependent impact. Please discuss.

Response

See response to RAI #1Oa above.

As general information to the Staff the following is provided:

For purposes of the RICT calculation, the PRA does not use cycle averaged risk values for core reactivity design characteristics. Instead conservative or bounding values are

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 12 used for establishing success criteria for equipment required in ATWS scenarios.

Therefore, the maintenance states and subsequent RICT calculations used in STP's CRMP are not varied based on operating cycle core reactivity design characteristics.

c. The existing technical specificatio as do not address the operability of the AMSAC.

Since the AOT is only six hours when the reactor trip function is unavailable, it is not critical that AMSAC be considered. However, if a RICT is implemented, then the operability of AMSAC should be required so that there is some mitigation immediately available in the event of a demand for a reactor trip. Please discuss how AMSAC is addressed in the PRA model, and whether a new TS for AMSAC should be required given the proposed modifications to these TS requirements.

Response

See response to RAI #lOa above.

As general information to the Staff the following is provided:

AMSAC does not meet the 10CFR50.36(c)(2)(ii) criteria necessary for a limiting condition for operation. However' AMSAC is included in the PRA and its contribution is calculated for all maintenance states. It should be noted that its quantitative effect is negligible in terms of a RICT.

d. The emergency boration system (EBS) was deleted from the STP design based on acceptable fuel performance in the event of a return to criticality for a steamline break accident. STP is proposing to apply a RICT to the trip logic and breakers, and the MSIVs and actuation logic. How does the STP PRA model address steamline break accidents with regards to the synergies between reactor trip and steamline isolation functions? Is the model detail able to distinguish concurrent unavailability of these related functions with regards to the potential for core damage due to return to criticality?

Response

The reactor trip signal from safety injection actuation is unaffected by the proposed changes. Reactor trip signals from a steam line break event are also expected from Power Range High Flux, Over-temperature delta T, and Overpower delta T, which are independent of the safety injection signals generated by a steam line break. Concurrent unavailability of all functions is not allowed. The functions, steam line isolation, and reactor trip, are modeled explicitly in the PRA and are quantified as independent events given that the relevant signals are present. Steam line isolation failure given a steam line break is assumed to lead to core: damage regardless of the status of the reactor trip function.

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 13

11. The licensee proposes to apply a RICT to the steam line isolation actuation logic and relays (TS 3.3.2.4.b), to the turbine trip and feed water isolation actuation logic and relays (TS 3.3.2.5.a), to the main steam line isolation valves (TS 3.7.1.5), and to the main feedwater isolation valves (TS 3.7.1.7). These LCOs exist to limit the reactor cooldown transient, and such events are not typically modeled in PRAs as being relevant to core damage. Please describe how the STP PRA models these functions such that an RICT is appropriate.

Response

The Staff is correct that cooldown transients are not always modeled in PRAs; however, STP's PRA does include cooldown events. Cooldown events are modeled for General Transients (i.e., turbine-generator trip), since this initiator is relatively frequent in a probabilistic sense, and for the Small LCOCA and SGTR initiating events. Cooldown events are not modeled under other initiators such as large/medium LOCA since decay heat removal is a part of the initiator itself or is not applicable to the initiator. For any excessive cooldown, the effect of the cooldown is modeled under pressurized thermal shock event tree top events. In summary, cooldown events are included in STP's PRA, their contribution is small and, therefore, their contribution to a RICT is very small.

12. The licensee proposes to apply a RICT to the pressurizer code safety valves (TS 3.4.2.2). There are no tests or maintenance performed on these valves during operation, and no challenges occur which would reveal an INOPERABILITY.

Therefore, the only application of the IRICT would be to allow extended time to deal with an emergent issue causing INOPE RABILITY of all three valves.

a. Does the scope of the STP PRA model include all design basis events which result in a challenge to the code safety valves? If not, please identify those events not modeled, discuss the plant response to the event under these conditions, discuss why continued plant operation is appropriate with no code safety valves OPERABLE to mitigate those events, and identify what compensatory measures would be applicable during such operation.

Response

STP has elected to remove the pressurizer code safety valves (TS 3.4.2.2) from the scope of the application.

b. The submittal states that the pressurizer PORVs and sprays provide overpressure protection. Is the mitigating capability of these components (e.g., capacity, response time, availability during design basis events) equivalent to the code safety valves? Are these components able to provide equivalent overpressure protection to the reactor coolant system presswure boundary for the spectrum of design basis events which challenge the code safety valves? The pressurizer spray valves are not included in the scope of technical specifications, and indefinite power operation with both PORVs isolated is permitted under TS 3.4.4; should this

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 14 specification include a requirement for OPERABILITY of one or both PORVs and/or the pressurizer spray valves? Does the STP PRA model include both the PORVs and spray valves as an alternative to the code safety valves?

Response: See response to RAI #12a above.

c. The proposed changes to TS 3.4.2.2 do not include any assurance of the OPERABILITY of any component(s) which are capable of providing overpressure protection to the reactor coolant system pressure boundary to assure that the safety limit for maximum RCS pressure is not exceeded. Please identify how the integrity of the RCS as a fission product barrier is assured under such operations.

Response

The STP application has been revised to remove TS 3.4.2.2 from its scope.

13. The licensee proposes to apply a RICT to the pressurizer power-operated relief valves and their associated block valves (TS 3.4.4). The submittal identifies a RICT of 352 days with one PORV inoperable, and 349 days with both PORVs inoperable. It is not clear why these RICTs are so similar. Please clarify:
a. What accident sequences take credit for operation of the PORVs?

Response

ATWS and feed and bleed scenarios both incorporate the contribution of PORV operation in their accident sequences. SGTR sequences include the pressurizer PORVs as an alternate to the pressurizer spray valves.

b. What is the success criteria for the PORVs for each accident sequence?

Response

Feed and bleed requires two of two pressurizer PORVs. ATWS overpressure response requires one of two PORV's, depending upon the status of the AFW pumps. SGTR sequences require one of two PORV's for RCS pressure reduction.

c. If the PORVs are credited for overpressure protection of the RCS, as a redundant capability to the code safety valves, discuss if operator action is credited in the event of (1) the failure of the automatic function or (2) if the PORV is isolated due to seat leakage.

Response

The PORVs are not credited as redundant capability to the pressurizer code safety valves.

Response to June 3, 2005 RAP NOC-AE-06001969 Attachment 2 Page 15

14. The licensee proposes to apply a RICT to the safety injection system accumulators (TS 3.5.1).
a. Confirm that the success criteria and the required accident sequences for the accumulators is consistent with the design basis analyses, or provide a sensitivity study of the calculated RICTs for one or more accumulators inoperable using the design basis criteria.

Response

The accumulator success criteria for injection is the same as the design basis. Two accumulators inject into intact loops, one accumulator injects into the broken loop.

b. For action b when boron concentration is not within limits, the submittal states that the RICTs presented for action a apply. This seems inconsistent with other parts of the submittal where it is stated that the functionality of the INOPERABLE components is used to determine the RICT. Please discuss how the RICT would be applied to action b.

Response

Unless the PRA can quantify the specific effects of the boron concentration, STP will consider the accumulator made inoperable to be non-functional. However, a RICT for one or more non-functional accumulators will be substantially longer than the current allowed outage time and application of TS 3.13.1 is appropriate for ACTION b.

15. For TS 3.5.2 for ECCS, with two or more subsystems INOPERABLE, the proposed change requires restoration of at least one ECCS train to OPERABLE status within one hour. In Table 2 for this LCO, it states that a risk-informed AOT is appropriate with no OPERABLE trains. However., the RICT could not apply since the proposed action requirement is to restore one train within one hour. Is this the intent of the changes to TS 3.5.2? Please clarify.

Response

The proposed change to TS 3.5.2.b has been revised to change "and" to "or". For a condition where all three trains of HHSI are inoperable and non-functional, the configuration will exceed the lE-03/yr instantaneous core damage frequency criterion and the shutdown action of TS 3.5.2.b will be required.

16. For TS 3.6.2.3 for the reactor containment fan coolers, the calculated RICT is stated to be based on CDF and there was no impact on LERF. Please clarify how the fan coolers are credited in the PRA model for mitigation of core damage given that the design basis function is containment heat removal, and identify the basis for the success criteria (i.e., judgment or specific calculations).

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 16

Response

The reactor coolant fan coolers (RCFCs) are included in the PRA in the Late Event Response event trees. With an intact containment (i.e., no large opening), the heat removal capacity of the RCFCs is such that long-term decay heat removal can be accomplished using two of six RCFCs. This decay heat removal function is only credited on sequences where a sump recirculation flow path is established but normal decay heat removal using the residual heat removal heat exchangers is not available. This was verified during the Sandia review of the original PRA. The RCFCs also provide containment cooling, the status of which is tracked in the Level 2 PRA model.

17. For TS 3.7.1.5 and 3.7.1.7, the wording of the action requirement includes a note which states: "Separate condition entry is permitted for each MSIV (MFIV)." This wording is inconsistent with other action statements being revised, as is noted in Table 2.

Introducing a new phrasing would seem to be an unnecessary complication and distraction to the operators applying the technical specifications. Further, as worded the proposed action could be interpreted to allow a new 30-day backstop AOT to be constantly applicable without restoration of all MSIVs or MFIVs to OPERABLE status. Please confirm that inclusion of this note is not intended to create any unique interpretation of the application of a RICT for these specifications, with regards to applying the 30-day backstop. Specifically, confirm that it is not intended to have a separate 30-day backstop for each individual MSIV or MFIV, but only a single 30-day backstop applicable to all valves.

Response

TS 3.7.1.5 for MSIVs has been revised to be consistent with the format of the other TS that reference TS 3.13.1. The provision for separate condition entry has been eliminated.

STPNOC has removed TS 3.7.1.7 for MFIVs from the scope of the application since the MFIVs are not modeled in the PRA.

18. For TS 3.7.14 for chilled water, which supplies room cooling to safety-related equipment, it is typical that the PRA model would only include a subset of the components supported, based on room heatup evaluations. It is also typical to include time-of-year flag events to turn off the ventilation models when cooler outside temperatures exist. These PRA model conventions would result in a 30-day LCO for large portions of the system, and during winter months. Please discuss STP plans in this regard.

Response

The safety-related chilled water system (essential chilled water) in the STP PRA includes cooling to the two major ventilation systems, Electrical Auxiliary Building HVAC and Control Room HVAC, and room coolers associated with the safety injection pumps and the essential chillers. Not included are several smaller room coolers such as the penetration

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 17 space coolers, reactor make-up water pump cubicle, boric acid transfer pump cubicle, radwaste control room AHU, CVCS valve room coolers, etc. These smaller coolers either do not support continuously operating equipment that is modeled in the PRA or only support components that are not modeled in the PRA.

Room heat-up calculations have been used to modify the success criteria for the safety injection pump rooms which are supplied by the essential chilled water system.

The PRA does not include time of year flags for ventilation cooling requirements for any of the modeled ventilation, chilled water, or room cooling systems.

19. For TS 3.8.1.1 for AC sources, Table 2 states that the STP switchyard is served by 8 incoming lines. However, there is no control in the technical specifications requiring these 8 separate lines. Please describe how the STP PRA model accounts for the unavailability of one or more incoming lines. Describe also the plant configuration controls on the incoming lines.

Response

The eight incoming lines feed the STP switchyard and are part of the off-site electric power grid. As such, they are not subject to TS requirements. TS 3.8.1.1 requires two independent circuits between the off-site transmission network and the on-site Class lE distribution system in accordance with GDC-17. Addendum 1 to this attachment discusses the TS treatment for the required off-site circuits. The STP PRA models two of the eight lines to account for maintenance on the North Bus or South Bus in the STP switchyard. Otherwise, the eight lines are not specifically modeled in the PRA.

STPNOC is not the controlling authority for the off-site transmission network. However, STP has direct communications with the controlling authority and may coordinate activities with the system operator. The controlling authority will not perform switching operations or restoration that affects STP without first contacting the STP control room. In addition, STP has agreements with the operator for early power restoration should there be a loss of off-site power. The controlling authority will notify STP regarding status of grid restoration should the grid be lost.

20. For TS 3.8.1.1, Action d, which applies concurrently with actions b and c, is inconsistent with those actions with regards to the application of 3.13.1. Specifically, action d requires that 3.13.1 be applied within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The requirement to apply 3.13.1 at 14 days (action b) is unnecessary since 3.13.1 was already in effect from action
d. Similarly, the requirement to apply 3.13.1 at 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> (action c) renders action d unnecessary.

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 18

Response

The submittal has been revised to delete rS 3.8.1.1 .d. Proposed new TS 3.13.2 requires a risk assessment any time Limiting Conditions for Operation are entered for PRA-modeled TS SSCs on different trains. The proposed TS 3.13.2 is provided in Attachment 3.

21. For TS 3.8.1.1 Action d, the defense-in-depth requirement that, for a loss of offsite power, at least one safety train of equipment is OPERABLE and powered from an OPERABLE EDG is eliminated, as is the requirement for OPERABILITY of the steam driven AFW pump for station blackout mitigation. In response to related RAI
  1. 20, STP stated that existing procedures "requirevery similar compensatory actions".

It is not clear why an existing requirement is proposed to be eliminated from TS control within the context of RMTS 4b initiative. Please discuss, and provide examples of the RICT for cases involving EDGs and other supported equipment.

Response

Proposed new TS 3.13.2 will replace TS 3.8.1.1.d. TS 3.13.2 has broader applicability than TS 3.8.1.1.d. since it is not limited to conditions where an SDG is affected but will require a risk assessment when two or more LCOs apply for SSCs in the scope of TS 3.13.1. Note that TS 3.8.1.1.d is limited to cross-train SSCs, whereas the proposed TS 3.13.2 is not.

If there are inoperable cross-train components, the AOT should depend on the risk significance of the specific configuration. For instance, an inoperable cross-train accumulator or reactor containment fan cooler would be of low significance and additional time up to the 30-day backstop can be justified if necessary. Concurrent inoperability of an SDG and the turbine-driven auxiliary feedwater pump is more limiting but still has more than 20 days to cross the IE-05 threshold (see Example 2 in the August 2, 2004 application).

Example 1 in the August 2, 2004 application quantifies a configuration with a Train A maintenance outage (including EDG A, and HHSI A) and a concurrent failure of Train B HHSI. Train C is unaffected in this example. The calculated time to cross the lE-05 threshold is also more than 20 days.

22. For TS 3.8.1.1 Action e, which applies when two of the two required offsite AC circuits are INOPERABLE, Table 2 of the submittal states that STP will maintain in this configuration at least one ESF bus with offsite power. This requirement is not found in the technical specifications. Please confirm if this is intended as a commitment.

Response

The application of TS 3.13.1 to TS 3.8.1. 1 ACTION a and ACTION e is discussed in detail in Addendum 1.

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 19

23. For TS 3.8.3.1 (onsite power distribution), Table 2 states that the loss of a single ESF bus does not result in a plant trip. If the ESF bus is de-energized, the battery chargers for that train would be lost, and after a period of time the batteries would deplete.

Does the loss of one DC train cause a plant trip? If so, wouldn't the application of 3.13.1 for this LCO (and for TS 3.8.2.1. for batteries and chargers) potentially lead to a plant transient?

Response

Implementation of the energize-to-actuate modifications in both units has removed the immediate plant trip associated with the loss of one DC channel. However, for loss of the Channel I or Channel III DC bus, a plant trip on low steam generator level will occur within a short time as the hydraulic pressure bleeds down for the feedwater isolation valves associated with those channels and the valves closed.

It is not STPNOC's intent to use TS 3.13.1 to extend the allowed outage time for configurations where the battery bank is the sole source of power for the loads on the DC bus. A note has been added to TS 3.8.2.1 to restrict the application of TS 3.13.1 for these conditions.

Operator action can be taken to energize the ESF bus from alternate sources, such as the Emergency Transformer, its own SDG, or the opposite unit Standby Transformer.

In addition, STP has procedures to enable cross-train feed to an ESF bus for some configurations. These configurations are currently limited to cross-connecting the B Train SDG to the A Train or C Train ESF Bus to provide a charging pump for protection of RCP seals and maintain availability of a DC source to ensure adequate plant instrumentation is available for monitoring plant conditions, and to cross-connecting the C Train SDG to the A Train or B Train ESF Bus to energize one set of Fuel Handling Building (FHB) emergency ventilation system heaters. There is substantial margin for providing cross-connect capability. From Table 8.3-3 of the STP UFSAR, the worst case train SDG loading is 3868.3 kW during a loss of offsite power. The STP SDGs are rated for 5500kW continuous.

AC vital distribution panels can be energized from same-train Class IE AC power apart from the normal power to their associated inverters. The DC bus could be energized through its associated batteries with its associated charger powered from an alternate source or from a temporary charger. With inoperable batteries, the DC bus can be energized through an operable charger or a temporary charger. Most of the example alternatives could be implemented in either a planned or emergent condition and none would result in a plant transient. TS 3.13.1 would allow appropriate consideration of these alternatives in determining an allowed outage time.

See Addendum 1 for additional discussion.

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 20 RG 1.200 PRA Quality NOTE: During the staff review of Regulatory Guide 1.200 conducted at STP, the reviewers encountered difficulty in assessing how the STP PRA complied with the elements of the standard. This was based in part on the staffs unfamiliarity with the support state methodology; however, it was also attributed to the lack of adequate documentation. The staff is currently assessing how to assure a thorough review and assessment of STP PRA quality per the requirements of Regulatory Guide 1.200, and considers the following RAIs to be gathering preliminary information leading to a more detailed assessment.

24. Regulatory Guide 1.200 sections 1.2.4 and 1.2.5, and section 1.3 Table 3, identify attributes of a fire PRA and external events PRA, which are not addressed by existing PRA standards. The licensee is requested to describe the scope and quality of their fire and external events PRA models, addressing the attributes identified in the guide.
  • Response:

This response will be provided in a later submittal.

25. Regulatory Guide 1.200 section 4.2 requires the licensee to submit"... a discussion of the resolution of the peer review comments that are applicable to the parts of the PRA required for the application." Two options are identified, one to provide a discussion of how the PRA model has been changed, and the second to provide a sensitivity study that demonstrates the particular issue does not impact the significant accident sequences or contributors. The licensee has provided only the numerical identification of their peer review facts and observations, and identified which were categorized as level 'A' or 'B' (Attachment 5, Resolution of Peer Review Comments, to submittal letter dated 10/28/2004). Therefore, the licensee is requested to submit the information required by the guide to address the resolution of peer review comments.
  • Response:

Facts and Observations (F&Os) generated by the Peer Review and the current status of all F&Os will be provided in a later submittal.

26. Regulatory Guide 1.200 section 4.2 requires the licensee to submit the identification of the key assumptions and approximations relevant to the results used in the decision-making process, along with the peer reviewers' assessment of those assumptions.

Reference is made to Regulatory Guide 1.174 in section 3.3 for applicable guidance on addressing the impact of these assumptions on uncertainty as it relates to the decision-making process. Only four areas were identified by the licensee, and the peer review assessment was not provided (Attachment 4, Key Assumptions and Approximations, to submittal letter dated 10/28/2004). Since this is a "whole plant" application of risk-informed TS initiative 4B, it is expected that there would be something more than four key assumptions/approximations applicable. Therefore, the licensee is requested to

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 21 submit additional information regarding the key assumptions and approximations in their PRA model, along with the peer reviewer assessments.

  • Response:

Peer review F&Os will be provided in a later submittal. Key sources of uncertainty and key assumptions will be included in the update of the STP PRA currently in progress. The update will include the latest guidance from the Westinghouse Owner's Group (June 2005) for the identification of the assumptions.

27. Regulatory Guide 1.200 section 4.2 requires the licensee to submit documentation that the PRA is consistent with the standard as endorsed in the appendices to the guide, and the identification of the parts of the PRtA that conform to the less detailed capability categories and the limitations which this imposes. The licensee did not identify how their PRA model conforms to the capability categories identified in the ASME Standard as endorsed by the appendices to Regulatory Guide 1.200 (Attachment 3, Conformance to Standards, to submittal letter dated 10/28/2004). Further, during the NRC staff review of the STP PRA for the Regulatory Guide 1.200 pilot, the reviewers noted that the STP self assessment documentation was "difficult to discern their conclusions about their PRA". Therefore, the licensee is requested to submit the information required by the guide, and their plans and schedules (if applicable) to address identified deficiencies which are relevant to this application.
  • Response:

The current model revision that is being performed is intended to ensure that issues identified during peer review, the RG 1.200 Self-Assessment, and reviewers comments on the PRA are adddressed. The response to this RAI will be provided at the completion of the model update.

28. Regulatory Guide 1.200 section 1.2.6 describes the characteristics of PRA model documentation. During the NRC staff review of the STP PRA for the Regulatory Guide 1.200 pilot, deficiencies in the documentation were specifically noted, and it was further identified that STP placed excess reliance on one particular experienced staff member. Because the nature of this application is to place ongoing reliance on the accuracy and quality of the PRA model to calculate RICTs for the technical specifications, robust documentation of the PRA model is essential to assure the capability of the licensee to properly maintain the fidelity of the model, without undue reliance on specific staff members. The licensee is therefore requested to describe the current capability of their PRA model documentation, and to identify a schedule for updates and upgrades to assure their documentation is adequate to permit ongoing maintenance of their PRA models for the following key areas:

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 22

Response

STP PRA models are maintained and updated in accordance with station procedures. PRA models are procedurally required to be updated at least every three years for plant modifications and procedure changes and at least every five years for performance data updates. The documentation of the model is performed by each team member of the PRA group and is readily available on STP's local area network. Thus, access to the documentation is protected and available to PRA personnel. Each team member is responsible for multiple PRA areas and therefore has familiarity with the documentation over a large scope of the PRA. Currently, STP's PRA documentation is considered to be more than adequate for knowledgeable RISKMAN practitioners and meets the needs of STP's risk-informed programs and applications. With the completion of the PRA update, STP's PRA documentation is targeted to meet available industry standards (Capability Category 2) and Regulatory Guide 1.200 such that the documentation of the PRA, including the areas listed below, are more robust to ensure that the long-term maintenance and knowledge transfer activities are satisfactorily performed.

a. Key assumptions and approximations applicable to system and event tree models.
  • Response:

See response to item # 26.

b. Screening of sequences or failure [modes from the model.

Response

"Screening of sequences" is not performed on STP's PRA. All sequences are included as generated by the event tree structures. Failure modes are listed in system notebooks for each system within the PRA scope. Failure modes not listed would not be included.

The documentation contained in ST P's system notebooks includes this information at a system level. This includes the system boundary conditions, split fraction rules, and specific sources of system unavailability. At a plant level, the event tree notebooks contain the documentation for sequence structure, logic rules, binning rules, etc.

Recovery top events specifically contain the conditions necessary for operator actions to be successful or failed. All this information and more resides in the event tree notebooks. The documentation is considered more than adequate for STP PRA work activities associated with model maintenance and transfer of model knowledge. It is important to note that several Peer Review open items were associated with documentation and will be closed with the upcoming PRA update. Documentation will continue to be an area of focus, scrutiny, and continued improvement as it is recognized that long-term workforce management of STP's Risk Management group is essential to accommodate personnel changes over the next decade.

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 23

c. Quantification instructions, including recovery rules and their bases, mutually exclusive event combinations and their bases, and truncation levels.

Response

All of the personnel assigned to the PRA are capable of quantifying STP's risk models at any level (system or plant) and do so as a part of their regular work activities (e.g.,

Significance Determination Process, Risk Ranking, Maintenance Rule, On-line Maintenance). Recovery rules, mutually exclusive event combinations, truncation levels, and associated bases are all contained in STP's PRA documentation either in system notebook or event tree notebook documentation. In general, event tree rules are used to address recovery and mutually exclusive event combinations. Complicated event combinations are usually discussed in the event tree notebooks. Since STP uses event tree linking instead of linked fault trees, mutually exclusive events can be addressed by more direct means. For example, loss of AC power leading to a loss of DC power is explicitly treated with event tree rules and recovery analysis. Conversely, loss of DC power prior to a loss of AC power is addressed by specific event tree rules.

For loss of essential cooling water after SDGs are questioned (diesels require the cooling water), specific event tree macros map these failures to failure of the affected downstream components (CCW, ECH, SI, AFW, etc.). All systems in the PRA scope are evaluated and treated in a similar manner but in each case a specific treatment will be used which is documented in the event tree notebooks. This information is available for Staff review or discussion for any area within the PRA.

PRA Technical Questions

29. During the NRC staff review of the SIP PRA for the Regulatory Guide 1.200 pilot, issues with the adequacy of the common cause failure modeling were noted during very brief reviews of system modeling. The methods were not using the most recent available information, and some CCF modes were not considered (i.e., batteries, chargers). The licensee is requested to describe the development of CCF models for their PRA, and provide a listing of the CCF modes considered, the components which are modeled for CCF, and the sources of data used.
  • Response:

Common cause update of generic prior data is included in the general update of the STP PRA currently in progress. This response will be provided after the model update is complete.

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 24

30. For use in the configuration risk management program, the baseline PRA model requires changes to account for the real time nature of the calculations, compared to the average annual risk calculation of the baseline model. The licensee is requested to describe the process of making changes to the baseline PRA model for the CRMP, including the following key areas in their discussion:
a. Alignment of operating train(s), including swing or spare components.

Response

STP's baseline PRA employs a maintenance pre-tree to establish a specific configuration.

This pre-tree establishes the initial alignment of running and standby trains of equipment for systems which are under continuous duty (e.g., Essential Cooling Water, Component Cooling Water). All reasonable initial configurations (based on plant operating experience) are included in the pre-tree quantification. For the CRMP, the actual equipment configurations are set by event tree macros (the equivalent of fault tree flags). Maintenance equipment macros are defined for all trains/components included in the RICT calculations.

Given an initial operating support systems configuration, e.g., A and B operating, C in maintenance, all affected initiating event rules and train top event rules are defined by the status of the pre tree maintenance macros.

b. Disallowed maintenance (i.e., multiple trains in maintenance typically removed from final results, should be retained in CRMP model).

Response

No post-processing of disallowed maintenance states is performed in the STP PRA model. Any possible maintenance configuration can be set by the equipment configuration macros and the PRA model quantified. Therefore, multiple trains in maintenance are not disallowed by the CRMP PRA model. Typically, once the initial alignments are established, planned maintenance events are modeled in accordance with station procedures and work planning guidelines (i.e., two trains out of service for planned maintenance is not permitted). NOTE: Unplanned maintenance events due to hardware failure, etc. are included in the system level models.

c. Maintenance impact on initiating events for systems.

Response

Maintenance unavailabilities are specifically incorporated for impact on initiating events frequencies.

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 25

d. Adjustment of initiator frequencies (i.e., average CDF model includes unit availability factor, not applicable to CRMP model).

Response

Initiating event frequencies are all adj usted to represent annual operation [i.e., per operating year (8760 hours0.101 days <br />2.433 hours <br />0.0145 weeks <br />0.00333 months <br />)]. The at-power average PRA specifically adjusts for station availability factors. For purposes of configuration risk calculations, no initiating event adjustment is performed.

e. Seasonal dependencies, or point-in-cycle dependencies (e.g., seasonal HVAC requirements, ATWS success criteria).

Response

Currently, STP's CRvP model does not incorporate seasonal dependencies or point-in-cycle dependencies.

f. Repairs of failed components (should be removed in CRMP model).

Response

STP's PRA model does not take credit for repair of out-of-service equipment as a recovery action for configuration risk calculations. There is limited credit for repair of diesel generator failures after an initiating event; however this credit does not apply to a diesel generator that was out of service when the initiating event occurred.

31. During the NRC staff review of the STP PRA for the Regulatory Guide 1.200 pilot, issues with the adequacy of the LERF model were identified and require resolution:
a. The STPNOC self-assessment of LERF did not include an explicit review of the LERF elements of the PRA. Rather, reliance was placed on results of the independent peer review and an STPNOC contractor's proposal for addressing the peer review comments. However, the technical issues and criteria used to conduct the peer review do not fully cover the areas addressed in the ASME standard. As a result, the assessment of PRA capability in the area of LERF is incomplete. Please complete the self assessment of LERF, and identify the results and corrective actions from that assessment.
b. The attributes used to distinguish large, early releases from other source terms is insufficient to discern a "potential for early health effects" as required by the Standard. With the exception of containment bypass and induced steam generator tube rupture (ISGTR), the sole characteristic of large early release (LER) sequences is the size of the opening in the containment pressure boundary.

Although this attribute is typically an important contributor, it is not the only one.

Some of the sequences assigned to the LER category involved long-term operation

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 26 of containment sprays and have wet cavities (i.e., quenched debris ex-vessel).

Conversely, some of the small earily release (SER) sequences involve dry containments (no sprays and dry cavities). A technical basis for this counter-intuitive grouping scheme is not offered in PRA documentation.

Further, the simplistic method of assigning release categories does not appear to be supported by results of plant-specific MAAP calculations of radionuclide release. Consider the following two damage states:

- SGTR (fast station blackout with induced SGTR during core damage).

- 07SU (fast station blackout with pre-existing containment leakage).

According to the attributes used to assign accident sequences to release categories, the first of these is allocated to LER (RC-I), whereas the second is classified as SER (RC-II). However, the MAAP results indicate the following actual release fractions within the first 5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> of the event:

Percent of Core Inventory Released Fission product to Environment group ISGTR R07SU Xe, Kr 20 50 I 9 3 Cs 8 2

c. A systematic search for, and evaluation of, plant-specific containment failure modes was not evident in PRA documentation. As assessment of containment failure modes was performed as part of the STP IPE. However, much of the IPE analysis relied on adapting the structural evaluation of the Zion containment.

Although adaptation of reference plant analysis is acceptable for determining the ultimate strength of the containment pressure boundary under quasi-static loads, a plant-specific evaluation of alternative failure modes was not found in PRA documentation.

d. Actions to mitigate the effects of core damage recommended in the STP severe accident guidelines (SAGs) are not addressed in the PRA. For example, successful implementation of the guidelines offered in SCG-1 could alter the magnitude of radiological releases.
e. The effects of major assumptions, simplification and uncertainties on LERF have not been evaluated.
f. The effects of adverse environmental conditions in containment and physical effects of structural failure(s) of the containment pressure boundary on long-term spray recirculation operation are not addressed. STPNOC documentation

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 27 provided during the review indicates the minimum NPSH required by containment spray pumps (operating in recirculation mode) is 20 ft-H2 0.

  • Response:

The elements in this question are being addressed in the update of STP's Level 2 PRA.

The responses to each of the items in this RAI items will be provided at that time.

Additional Electrical Ouestions

32. This is a followup question on the STP response to RAI 19 on compensatory measures, as it would apply to Technical Specification (TS) 3.8.2.1, DC Sources,. Following the December 15, 2004 public meeting at NRC, the licensee provided a copy of procedure OPOP01-ZO-0006, Extended Allowed Outage Time.

The risk informed completion time (RK[CT) for two out-of-service battery chargers for this TS is 140-1042 days with a proposed 30-day back-stop. A backstop time of 30 days by itself is not acceptable for the following reasons:

a. The battery, without a battery charger, will continue to discharge at a rate related to the normal dc operating load. This may result in a deep discharge damaging the connected battery cells by a reverse polarity to the weakest cells. This could be irreversible.
b. The battery is sized for a limited time discharge of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. If a battery charger is not restored within that time, loss of a complete protection channel will result.

Also, possible loss of a complete ac power train could result because dc control is required for the ac power system to be operable.

c. Typical battery manufacturer's operating manuals state that damage may occur to an open circuited (unloaded) after some time (months) without the battery being on charge.

Response

The 30-day backstop is proposed as the backstop that will apply to all of the risk-informed TS in this application. The responses to Questions 23 and 34 and Addendum 1 are also relevant to the applicability of TS 3.13.1 to batteries.

The calculated allowed outage time for the batteries includes the risk associated with the consequential failures from the unavailability of the batteries, including the loss of a protection channel. Loss of a protection channel is addressed in the proposed changes to TS 3.3.2 and the calculated AOT also allows application of the 30-day backstop. The length of the AOTs reflects the very small effect on CDF.

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 28 For planned configurations involving application of TS 3.13.1 from TS 3.8.2.1 for an inoperable battery, STPNOC would be able to plan the work to prevent damage to the batteries. For emergent conditions where TS 3.13.1 might be applied from TS 3.8.2.1, STP procedures recognize the potential for battery depletion or damage from discharge and require appropriate action to minimize this potential.

33. Procedure OPOP01-ZO-0006, Extended Allowed Outage Time, does not address the DC system. Please identify all compensatory measures for the DC system when removing a required battery charger from service. Also, please address how the following items, including required action time, will be accomplished when battery charging capability is not available:
a. Limit the immediate discharge of the affected battery.
b. Recharge the affected battery to float voltage conditions using a spare battery charger.
c. Confirm that the partially discharged battery has sufficient capacity remaining to perform its safety function.
d. Periodically verify battery float voltage is equal to or greater than the minimum required float voltage.

Response

STPNOC does not intend OPOPO1-ZOD-0006 to be a comprehensive listing of compensatory actions.

Procedures OPOP04-AE-0004 "Loss Of Power To One Or More 4.16 KV ESF Bus," and OPOP05-EO-ECOO "Loss Of All AC Power," have steps to open the breaker to any one of the safety-related 125 VDC busses when a minimum battery voltage is reached.

These procedural steps will keep a battery from being totally discharged.

The actions listed in 33.a - d are all actions that could be applied to manage the risk associated with an inoperable battery. The response to Question 23 and Addendum 1 also address options for managing the risk associated with inoperable batteries or DC power alignment.

34. The original allowed outage times (AOTs)/completion times (CTs) established in the technical specifications were, in part, based on realistic industry standards for maintenance time intervals for equipment under test or maintenance. It is the staff's understanding that the additional optional extended AOTs based on the risk management techniques will not be entered as a standard operating practice but will only be entered when the maintenance or test conditions can not be completed because of some extraordinary circumstance. This being the case;

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 29 Response:Use of the risk-informed completion times is not limited to extraordinary circumstances. They may be used for planned or emergent activities.

a. Please identify those electrical components where you believe this extended AOT/CT may be necessary, identify the length of the extended AOT/CT and provide justification why such an extended AOT/CT would be required. A 30-day extended outage should not be required based upon past industry experience for the following equipment: Circuit breakers and other switchgear components, transformers, motors, cables, battery chargers, inverters, control and protective relays and associated circuits.

Response

The STP application specifically identifies the electrical system TS to which TS 3.13.1 may be applied and includes all the electrical TS that apply in MODE 1-4. Table 2 in the application identifies example AOTs associated with those TS, assuming the condition identified in the table is the only inoperable TS component.

TS 3.8.2.1 and TS 3.8.3.1 have particularly short completion times for one inoperable channel or train that are not commensurate with their risk significance. All of the STP electrical TS for a condition where more than one of the three ESF trains is inoperable currently require entry into TS 3.0.3 even though an intact ESF train remains operable and safety function is not lost. These are valid reasons for the application of risk-informed completion times for either planned or emergent work.

The extended completion time, up to the 30-day backstop, allows time to obtain parts for work on emergent conditions or for the work to be deferred to a normal work week schedule, or to obtain an emergency or exigent TS change if necessary. For instance, STP's normal maintenance schedule is based on rotating seven-day ESF train outages within a 12-week schedule (i.e., ESF Train A, ESF Train B, ESF Train C, non-ESF Train D). Conditions permitting (allowed outage time, functionality of affected equipment, etc.), STP would plan to perform corrective maintenance on emergent items within their associated seven-day ESF train outage, especially those emergent items identified during their associated train outage. If the corrective maintenance is not completed in the train week, then extending the seven-day ESF train outage could adversely affect the work scheduled for the succeeding week. If the corrective maintenance could not be completed in the train week (e.g., parts unavailable), then application of TS 3.13.1 with the 30-day backstop could allow STP to safely defer work to repair the condition.

Similarly, the 30-day backstop can be applied to safely defer corrective maintenance of emergent conditions in a train different from the current work-week train. There is no technical or risk basis to limit the components to which it may be applied if the extended completion time is managed in accordance with the Configuration Risk Management Program.

It is not STPNOC's intent to use TS 3.13.1 to extend the allowed outage time for configurations where the battery bank is the sole source of power for the loads on the DC

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 30 bus. A note has been added to TS 3.8.2.1 to restrict the application of TS 3.13.1 for these conditions.

Additional information on the application of TS 3.13.1 to electrical systems TS is provided in Addendum 1.

b. In as much as an extended AOT/Cl based on risk management techniques would be the exception rather than the rule, please describe the record keeping system identifying the following items to verify application for the risk-informed process:

(1) each application of risk management techniques to extend the AOT/CT, (2) any contingency actions or compensatory measures used during the extended time, and (3) the analysis that justified the extension.

Response

Although it is expected that most work activities will continue to be performed within the existing allowed outage times, there is no restriction on how often the risk-informed completion times may be applied. They may be applied for routine planned or emergent conditions.

1. The Control Room logs show the entry and exit time for each TS action and will reflect the application of a RICT.
2. Any compensatory action that requires a temporary modification will be documented in accordance with the Temporary Modification procedure. Required contingency actions are normally documented in the work instructions.
3. A record of the risk profile for the configuration will be retained. STPNOC routinely compares the actual configuration risk for each week to the projected risk for the week.
c. Will the risk-informed extension of the AOT result in a 30 day extension to a 10CFR 50.72 or 50.73 reporting requirements if the 30-day backstop is invoked?

Response

The 30-day backstop will have no different effect on reporting than any other allowed outage time extension. It is possible that a SSC in a 30-day RICT might not be restored within the 30 days, consequently requiring a plant shutdown. This condition would be reportable under 10CFR50.73 as a shutdown required by TS. The 60-day clock for submitting the event report would start at the time the Shift Supervisor determines the condition is reportable; i.e., when the shutdown condition is achieved.

If a component in the scope of TS 3. 13.1 is discovered to have been inoperable beyond its frontstop completion time and the requirements of TS 3.13.1 were not applied within their required time frames, the condition would be reportable under 10CFR50.73 as an operation or condition prohibited by the Technical Specifications, even if application of TS 3.13.1 would have permitted the extension of the allowed outage time up to the 30-

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 31 day backstop. The 60-day clock for submitting the event report would start at the time the Shift Supervisor determines the condition is reportable.

Conditions resulting in loss of function of more than one train or involving common mode failure still meet the reporting requirements of 10CFR50.73 even if the CRMP would permit an extended completion time.

35. 10 CFR 50, Appendix B, states that:

"This appendix establishes quality assurance requirements for the design, construction, and operation of those structures, systems, and components. The pertinent requirements of this appendix apply to all activities affecting the safety-related functions of those structures, systems, and components; these activities include designing, purchasing, fabricating, handling, shipping, storing, cleaning, erecting, installing, inspecting, testing, operating, maintaining, repairing, refueling, and modifying.

As used in this appendix, "quality assurance" comprises all those planned and systematic actions necessary to provide adequate confidence that a structure, system, or component will perform satisfactorily in service."

Please confirm that the STP Configuration Risk Management Program (CRMP) and associated procedures fall under the 10 CFR 50 Appendix B. If STP believes these programs and procedures are not subject to the Appendix B requirements, please justify any exceptions to those requirements.

Response

STPNOC agrees that 10CFR50 Appendix B applies to the CRMP and its implementing procedures.

36. In Table 2, Specifications 3.3.2.8.a-c, new Action 20.A.b states, "with the number of operable channels more than one less than the Total Number of Channels, within one hour apply the requirements of specification 3.13.1, or be in at least Hot Standby within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and be in at least Hot Shutdown within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, and be in Cold Shutdown within the subsequent 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />."
a. How long does it take to update the CRMP database regarding plant equipment configuration changes? Is it credible that the implementation of T.S. 3.13.1 can be accurately accomplished within one hour? Would not the loss of the second channel fall into the "emergent conditions" Ihat would not be expected to require an extension of the AOT (page 2 of license submittal dated August 2, 2004)?

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 32

Response

Because STP's CRMP approach is based on pre-solved Level 1 CDF calculations, the information to calculate a RICT is essentially instantaneous. For items with very short allowed outage times, these will be specifically targeted to ensure those configurations are immediately available to control room personnel. In general, the time to update the CRMP database is usually less than one hour although it is acknowledged that it could take longer in certain situations. In the event that an unquantified maintenance state occurs for an item with a short allowed outage time, then the control room staff will attempt to get the required information or perform the actions required by the Technical Specifications.

b. During the five year history of the uise of the CRMP to make risk assessments, has there been any instances where the initial assessment significantly differed from the final assessment?

Response

Because STP's CRMP uses pre-solved Level 1 CDF calculations, differences between initial and final assessments are not the result of PRA modeling errors. Differences have occurred in the past five years as a result of planning or scheduling changes, changes in operator functionality calls, or equipment clearance timing issues such that the maintenance states (i.e., configurations) that were planned ended up being different.

These events have also occurred for actual risk profiles when new or discovery information is identified which impacts a maintenance state (i.e., configuration). When these events happen, condition reports are generated and corrected risk profiles are generated.

With regard to this pilot application, the determination of maintenance states is predicated on OPERABILITY determinations. The process for OPERABIITY determinations follow both industry and regulatory guidance. Log entries for TS equipment will be entered into the CRMP with the same controls.

c. The primary function of the loss-of-power instrumentation system is to assure the independence between offsite and onsite systems. This independence, pursuant to GDC 17 of 10 CFR Part 50, Appendix A, minimizes the probability of losing electric power from the onsite electric supplies as a result of, or coincident with, the loss of power from the offsite power supply. Loss-of-power instrumentation initiates load shedding to prevent overloading of the stand-by diesel generators (SDGs). It also supports independence between redundant ac systems and, together with automatic load sequencing, assures the capacity and capability of the offsite and onsite ac power supplies. Please confirm that the proposed changes in T.S. 3.2.2.8.b and .c will not reduce this independence between power sources.

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 33

Response

The proposed changes affect the required completion time for restoring inoperable loss of power instrumentation (degraded voltage/undervoltage relaying per TS 3.3.2 Item 8).

The TJFSAR design function of the components is not affected and no physical changes are involved. Implementation of the proposed change will permit a longer allowed outage time and eliminate the potential for entry into TS 3.0.3 for more than one inoperable channel. As described in Table 2 of the application, the extended completion time evaluation for these relays is bounded by the evaluation performed for an inoperable standby diesel generator. Additional configuration control for the standby diesel generator is provided by the current TS restriction that prevents MODE changes with an inoperable diesel generator. Therefore, if the undervoltage/degraded voltage relays associated with a particular diesel were non-functional such that the diesel was inoperable, the Technical Specifications will prohibit changing MODE.

37. In Table 2, Specification 3.8.1.1, New Action Requirement, specifies restoration of at least one SDG to operable status within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> whereas the existing Action requirement calls for restoration of at least one standby diesel generator within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> and two standby diesel generators within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Please explain why this change was not submitted separately in accordance with Regulatory Guides 1.174 and 1.177 since the technical basis provided does not justify this change.

Response: The requirement should have stated two hours and it has been corrected.

38. New Action Requirement 3.8.2.1 implies that one battery bank and one battery charger can be inoperable indefinitely.. Please clarify whether Action is initiated only if multiple components are inoperable. In addition, please address concerns stated in question 36 for Specification 3.8.2.1.

Response

The TS require operability of only one of the two full capacity chargers for each battery bank; consequently, one charger for each battery bank can be inoperable indefinitely. The LCO still requires entry into the ACTION if less than the required four battery banks are operable; therefore, even if only one battery bank is inoperable the action must be applied.

The ACTION is worded such that it applies until all the battery banks are operable. The phrase "battery bank" in the ACTION has been changed to "battery bank(s)" to make the requirement clearer.

The electrical components within the scope of the application are modeled in the STP PRA; therefore, configurations involving these components are included in the configuration risk monitor. Thus, the responses to Question 36.a and 36.b also apply to this question.

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 34

39. New Action Requirement 3.8.3.1.a implies that one battery bank and one battery charger can be inoperable indefinitely., Please clarify Action if only one train of the AC power ESF busses is inoperable. In addition, please address concerns stated in question 36 for Specification 3.8.3.1.a.

Response

As indicated in the response to Question 38, the TS do not allow one battery bank to be inoperable indefinitely. LCO 3.8.3.1 .a, to, & c require three energized ESF busses.

ACTION a must be entered if one or more of the three busses are not energized and may not be exited until all three busses are energized. The phrase "reenergize the train" has been revised to "reenergize the train(s)" to make the requirement clearer.

The electrical components within the scope of the application are modeled in the STP PRA; therefore, configurations involving these components are included in the configuration risk monitor. Thus, the responses to Question 36.a and 36.b also apply to this question.

40. Please address concerns stated in question 36 for Specifications 3.8.3.1.b and 3.8.3.1.c (Re. the one hour risk assessment.)

Response

The electrical components within the scope of the application are modeled in the STP PRA; therefore, configurations involving these components are included in the configuration risk monitor. Thus, the responses to Question 36.a and 36.b also apply to this question.

41. Please clarify how the proposed changes will differentiate between degraded vs.

inoperable systems, trains, channels or components.

Response

The proposed change does not affect the definition of OPERABLE or how an affected SSC is determined to be operable. The SSC's TS ACTION will be entered when the SSC is determined to be inoperable and will not be exited until the SSC meets the requirements for operability. Application of TS 3.13.1 will permit the allowed outage time to be calculated based on the risk associated with the inoperability of the component. Unless the condition of the affected SSC can be quantified in the PRA, it will be considered to be non-functional and unavailable.

The risk imposed by an inoperable SSC can depend on the nature of the inoperable condition. The response to Question 8 describes how functionality is addressed.

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 35 General Ouestions

42. LCO 3.13.1 specifies that when referred to this specification, equipment that has been declared inoperable shall be evaluated for its impact on risk and AOT determined accordingly. The first two actions require the determination of the acceptability of the configuration for AOT beyond the frontstop AOT when equipment is declared inoperable, and for the continued operation beyond the frontstop AOT whenever the configuration changes, respectively. In response to previous RAI 22 to specify the allowable time to complete the required determination process, the licensee stated that this time will be defined in the implementing procedure for the Configuration Risk Management Program and will be consistent with the generic industry guidance.

However, each referencing Action specifies that within a specific frontstop completion time (e.g., 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />) ... apply the requirements of Specification 3.13.1. Also Section 1 of Attachment 1 (Description of Changes and Safety Evaluation) stated that the frontstop time also provides the operator sufficient time to determine and apply an appropriate extended time from the application of the CRMP for those situations where it is determined that an extended AOT is necessary.

a. Explain and justify why it is acceptable to specify the allowable time in the implementing procedure for the CRMP, rather than in TS 3.13.1 or the referencing TSs?

Response

Proposed TS 3.13.1 has been revised to make it clear that ACTION a is to be performed within the allowed outage time of the referencing TS. This is consistent with the application of the model TS in the RMTS Guidelines. ACTION b establishes a time in accordance with the CRMP to verify acceptability of a configuration change, (currently twelve hours, which is consistent with the RMTS Guidelines). Twelve hours is considered to be acceptable because it allows adequate time for calculation and review and there is little chance that a configuration will exceed a threshold in twelve hours.

b. Clarify whether the frontstop time specified in the referencing TS is also the allowable time to complete the required determination process in Specification 3.13.1.

Response

See the response to 42.a.

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 36

43. Some ACTION statements are revised and some new ACTION statements are created to deal with cases with more than one channel, component, train, or subsystem inoperable, which currently do not have a associated ACTION statement and would be subject to TS 3.0.3. These revised or new Action statements generally require that within one hour restore at least one inoperable channel, component, train, or subsystem to OPERABLE status or apply the requirements of Specification 3.13.1, or be in HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD SHUTDOWN within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />. Examples of these revised or new ACTION statements are Action 3.4.2.2 (pressurizer code safety valves), 3.4.4 Actions c and e (PORVs), 3.5.1.a and b (Accumulators), 3.5.2.b (ECCS subsystems), 3.6.2.1.b (containment spray systems),3.6.2.3.b (containment fan coolers), Table 3.3-1 (RTS Instrumentation)

Actions 9, and 9A.b, Table 3.3-3 (ESFAS Instrumentation) Actionl4.b, 17.b, 19.b, 20A.b, and 22.b.

a. Since these revised or new Action statements have a frontstop AOT of only one hour, is one hour sufficient to apply LCO 3.13.1 requirements, which include the use of CRMIP to determine AOT extension and the need for corrective or compensatory actions?

Response

As discussed in other responses, the STP CRMP can readily be applied to determine the appropriate revised completion time.

b. Could there be cases where it takes longer than one hour to determine that an AOT extension for the configuration is not acceptable, and therefore the frontstop AOT is exceeded without implementing subsequent actions?

Response

STP's evaluations have not identified a condition where the extension of the completion time could not be completed within the frontstop time. STPNOC has not identified any configuration that would exceed the 1E-06 threshold within one hour. A condition that exceeds the threshold within an hour would almost certainly involve serious degradation of multiple cross-train SSCs such that the first priority for the operator would be to place the plant in a safe condition.

44. For these conditions that could result in the loss of the required safety function, compensatory actions are most likely required as a defense-in-depth consideration.

Section 4 of Attachment 1 (Description of Changes and Safety Evaluation) discussed the use of the CRMP to determine the safety implications associated with multiple inoperable components, and to assist the operator in identifying effective corrective or compensatory actions for various plant configurations to maintain and manage acceptable risk levels. It is said that these compensatory actions may be incorporated in procedures, work instructions, or other station media. To support this TS amendment, please identify all TS changes (especially for those conditions where two

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 37 or more channels or trains are inoperable) that require compensatory actions to reduce risk significance, describe each compensatory action and where it is incorporated.

Response

STP's CRMP requires the implementation of the risk management actions listed below if the configuration risk will exceed the non-risk-significant threshold (Incremental Core Damage Probability > lE-06). Except fCr extensions of the allowed outage time for the standby diesel generator and the auxiliary feedwater, configuration-specific compensatory actions are not prescribed at STP. Compensatory action would be determined on a case by case basis.

Risk Management Actions:

The Shift Supervisor performs the following actions:

Notifies the Duty Operations and Duty Plant Manager of the expected exceedance.

Identifies and implements compensatory measures approved by the Duty Plant Manager. Compensatory measures may include but are NOT limited to the following:

  • Reduce the duration of risk sensitive activities.
  • Remove risk sensitive activities from the planned work scope.
  • Reschedule work activities to avoid high risk sensitive equipment outages or maintenance states.
  • Accelerate the restoration of out-of-service equipment.
  • Determine and establish the safest plant configuration.
  • Establish contingency plan to reduce the effects of the degradation of the affected SSC(s) by utilizing the following:

o Operator actions o Increased awareness of plant configuration concerns and the effects of certain activities and transients on plant stability o Administrative controls o Ensure availability of functionally redundant equipment

  • Ensures any measures taken to reduce risk are recorded in the Control Room Logbook.
  • Evaluates whether heightened station awareness is acceptable while attempting to return components or systems to functional status. Duty Plant Manager approval is required to solely implement heightened station awareness.
45. In WCAP-15773-P, Rev. 0, supporting TSTF-424, it is stated in Section B3.2, "Scope and Structure of the Flexible AOT Concept," that typically, AOTs/CTs less than one day are associated with loss of system function and extension beyond the existing AOT may incur significant risks. Therefore., shorter term Action Statements, such as those associated with complete system inoperability or loss of an entire safety function will retain an Action Statement with a fixed AOT/CT value based on the system's or

Response to June 3, 2005 RAI NOC-AE-06001969 Attachment 2 Page 38 function's risk importance.... The flexible AOT concept would also not apply to TS associated with plant operational limits." However, in the STP's application of LCO 3.13.1 for AOT extension, many referencing TSs have 24-hour frontstop AOT (e.g., Table 3.3-1, Actions 9A.a) and some have one-hour frontstop AOT (e.g., TS 3.5.1 Actions a and b, TS 3.5.2 Action b). Explain why the application of LCO 3.13.1 for those TSs with frontstop AOT of one and 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is not contradictory to TSTF-424.

Response

From Table 2 in STPNOC's application, it can be seen that there are many exceptions to the position that short allowed outage times are typically associated with significant risk. As discussed in the response to Question 8.a, STP will not apply TS 3.13.1 where there is a Loss of Function. From that response it can be seen that there are still configurations where the current TS have a short allowed outage time, but the PRA Functionality approach in the risk-informed TS will permit a substantially longer RICT.

STPNOC has proposed a one hour frontstop for conditions where the current TS would require application of TS 3.0.3. This time was proposed to avoid the need to justify a new frontstop time and thereby complicate the review of the application and because STP's program can be applied within that time.

46. In TS Table 3.3-3, Action 19.a specifies the action with the number of OPERABLE channels less than the Minimum Channels OPERABLE requirement, and therefore appears to cover Action 19.b, which specifies the action with the number of OPERABLE channels more than one less than the Minimum Channels OPERABLE requirement. Is there a typographic error in Action 19.a in that it is intended for the number of operable channels one less than the minimum channels operable requirement?

Response:Yes. The word "one" has been inserted in ACTION 19.a.

Addendum 1 Application of Risk-Informed Completion Times to Electrical Components

Addendum 1 Application of Risk-Informed Completion Times to Electrical Components NOC-AE-06001969 Attachment 2 Page 1 In the review of risk-informed Technical Specification (TS) changes proposed by STPNOC that would allow a "floating" risk-informed completion time with a 30-day backstop (Initiative 4B),

the NRC Electrical Systems Branch reviewers asked several questions related to the application of the proposed TS to electrical systems. STPNOC agreed to prepare a response that describes how the Initiative 4B changes will be applied to electrical components.

General Comments on Application of TS 3. 13.1 Events that result in a de-energized bus or discharging batteries will be addressed and the plant stabilized before there would be any consideration of whether the allowed outage time for the component can be extended. This is consistent with the requirements in the proposed RNITS Guidelines.

Application to an ESF Bus (TS 3.8.1.1 ACTION a and ACTION e)

STP Normal Configuration

Description:

Each of the three Class IE 4.16 kV busses for each STP unit is fed from its associated non-class 13.8 kV Standby bus through its associated non-class lE 13.8 kV - 4.16 kV Auxiliary ESF Transformer. Two of the three 13.8 kV Standby busses are energized from the Unit's Standby Transformer and the other 13.8 kV Standby bus is energized from the Unit Auxiliary Transformer (UAT). Power to the Unit 1 Standby Transformer comes from the North Bus in the switchyard. Power to the Unit 2 Standby Transformer is from the South Bus. Power to each unit's UAT is from the unit's main transformer. The generator breaker arrangement is such that on generator trip the generator breaker opens and provides immediate offsite power connection to the ESF bus that is energized from the UAT. The Standby Transformers and the busses they supply are not affected by the trip.

Each UAT is capable of supplying all three of the unit's ESF busses. Each Standby Transformer is capable of supplying all three ESF busses on both units. Although a unit's ESF busses are normally aligned to its own associated UAT and Standby Transformer, the ESF busses may also be aligned to the other unit's Standby Transformer. All line-ups are done manually from the control room.

An off-site source is operable if it is capable of supplying the required power to one or more ESF busses. The off-site sources are independent as long as all of a unit's ESF busses are not powered from a single UAT or Standby Transformer and the switchyard configuration or condition is not such that a single fault will cause a loss of both transformers supplying the ESF busses.

Alternate Sources of Power for the ESF Bus:

In addition to the alignments described above, the Station Emergency Transformer is capable of powering one ESF bus on each unit. STP has conservatively not credited the Emergency Transformer as an independent off-site source. Emergency power to the ESF bus is provided by its associated standby diesel generator (SDG),

Addendum 1 Application of Risk-Informed Completion Times to Electrical Components NOC-AE-06001969 Attachment 2 Page 2 Conditions for Entry into TS 3.8.1.1 ACTION a:

ACTION a establishes a 72-hour required completion time if one of the two required circuits between the off-site transmission network and the on-site Class IE distribution system is inoperable.

ACTION a may apply for either planned work or an emergent condition. The conditions that would require entry into the action include the following:

  • A configuration where an ESF bus is powered from a source other than a Standby Transformer or the UAT (e.g., from the Emergency Transformer or its associated SDG)
  • A configuration where all the ESF busses on a unit are powered from a single UAT or Standby Transformer
  • A condition or configuration in the switchyard where a single fault will cause a loss of power to all ESF busses on a unit
  • A condition where a properly aligned and energized ESF bus is determined not to be in conformance with its design basis such that it is inoperable (e.g., found not to be seismically qualified)

The first bullet above could involve a de-energized 4.16 kV ESF bus. A loss of off-site power to the bus will cause the associated SDG to start and load, which is included in the second bullet.

STPNOC would not normally plan an at-power work activity that de-energizes the 4.16 kV ESF bus.

The other examples describe conditions wher the ESF bus is energized, but the TS action must be applied because the off-site sources are aligned such that they not independent or an ESF bus is degraded. Although entry into the TS action may be caused by a degraded or non-conforming condition of the ESF bus, the most likely reason for entering the action is a condition or work activity involving the switchyard or one of the transformers.

Proposed changes to ACTION a would permit STPNOC to extend the 72-hour allowed outage time in accordance with the requirements of proposed TS 3.13.1.

Table 2 of STPNOC's August 2, 2004 application depicts a 30-day backstop risk-informed completion time for a configuration involving loss of a single ESF bus. The calculation for the completion time is based on the availability of an alternate source to energize the 4.16 kV ESF bus. TS 3.13.1 will be applied only in those cases where the availability of the alternate source of power is modeled and the risk assessment can be quantified. The STP PRA model includes the preferred sources (Standby Transformers, UAT), the SDG, and the Emergency Transformer.

Addendum 1 Application of Risk-Informed Completion Times to Electrical Components NOC-AE-06001969 Attachment 2 Page 3 Conditions for Entry into TS 3.8.1.1 ACTION e:

ACTION e establishes a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> required completion time if two required circuits between the off-site transmission network and the on-site Class lE distribution system are inoperable.

Two required circuits would be considered inoperable if any of the following conditions are met:

  • Loss of a 13.8 kV Standby Bus to 4.16 kV ESF Bus line while in a configuration where ACTION a applies
  • A condition where two or more properly aligned and energized ESF busses are determined not to be in conformance with the design basis such that they are inoperable TS Note 1 (cited above) does not reflect STP's three-train design. With the loss two 13.8 kV Standby bus to 4.16 kV ESF lines, STP still has one 13.8 kV Standby to 4.16 kV ESF connection.

STPNOC believes any condition where entry into ACTION e is required would be the result of an emergent condition.

The first two conditions would result in either a de-energized ESF bus or one or more ESF busses powered from their associated SDG. If the condition involves a loss of the UAT, the SDG will pick up the ESF loads; however, the reactor will trip on low flow because the reactor coolant pumps will lose power and coast down. Loss of the Standby Transformer does not directly result in a reactor trip.

If the condition is the result of a loss of offsite power (LOOP) or partial LOOP, the operators will be taking action to establish stable plant conditions from the transient as a priority before any consideration of applying TS 3.13.1 to extend the completion time. One of those actions will most likely be securing the SDG and energizing the ESF bus from a preferred source, at which time the configuration will be the same: as the condition addressed by ACTION a.

ACTION e also imposes a 72-hour completion time, consistent with ACTION a. STPNOC proposes to delete the 72-hour portion of ACTION e as an administrative change that eliminates the potential for being in ACTION a and ACTION e at the same time.

STPNOC proposes to allow application of TS 3.13.1 to TS 3.8.1.1.e.

Application to Batteries and Battery Chargers (TS 3.8.2.1):

TS 3.8.2.1 requires four channels of batteries and associated chargers. If a required battery bank is inoperable or if the battery bank has no operable charger, the TS requires the function be restored in two hours or the plant must be shutdown. TS 3.0.3 currently applies in the event of inoperability of more than one channel.

Addendum 1 Application of Risk-Informed Completion Times to Electrical Components NOC-AE-06001969 Attachment 2 Page 4 STPNOC proposes to allow the application ol TS 3.13.1 to extend the two-hour completion time for batteries or battery chargers.

Since the batteries provide the power for the field flashing for the emergency diesel generator, an emergent condition where a train of batteries is carrying the associated DC bus with no power to either of the battery chargers could indicate an in-progress loss of off-site power transient in which the emergency diesel generator for the affected ESF train did not start or is not available.

STPNOC does not believe it is appropriate to apply TS 3.13.1 to extend the allowed outage time during an ongoing emergent transient condition.

Discharge of the battery banks supporting the Channel II and Channel IV DC loads will not result in a plant trip or transient; however, STPNOC would not normally permit continuous discharge of a battery in an emergent condition (provided power to one of the chargers is available) or plan a work activity that involved an extended discharge of a battery bank.

Discharge of the battery banks supporting Channel I and Channel III will not result in an immediate plant trip; however, a plant trip on low steam generator level will result after a loss of DC power as the Feedwater Isolation Valve hydraulic control system pressure bleeds off and the valves close. The evolution of the event provides the operators with an opportunity to anticipate this trip and it can be avoided with timely local operator action. As discussed in the General Comments, it is not STPNOC's intent to use TS 3.13.1 to extend the allowed outage time for configurations where the battery bank is the sole source of power available for the loads on the DC bus. A note has been added to TS 3.8.2.1 to restrict the application of TS 3.13.1 for these conditions. The note states:

Specification 3.13.1 may not be entered for batteries or chargers when the batteries are the sole source of available power to their DC bus. If the batteries discharge for more than 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> as the sole source of power to their DC bus while Specification 3.13.1 is being applied and no alternate source of power is available, the Specification 3.13.1 LCO shall be considered not met.

As stated in the response to Question 23, the DC bus could be energized through its associated batteries with its associated charger powered from an alternate source or from a temporary charger. With inoperable batteries, the DC bus can be energized through an operable charger or a temporary charger. TS 3.13.1 would allow appropriate consideration of these alternatives in determining an allowed outage time.

Application to Onsite Power Distribution ('S3.8.3.1):

ACTION a establishes a completion time of eight hours to restore a train of AC ESF busses that is not fully energized. STP has three independent trains of ESF busses and there is no action for more than one train de-energized, so TS 3.0.3 would apply for that situation. For an emergent condition on either Train A or Train B, the consequences of a de-energized ESF train include the loss of power to the Channel I or Channel III battery chargers, respectively. As discussed above, without operator intervention a plant trip can result after the batteries discharge.

Addendum 1 Application of Risk-Informed Completion Times to Electrical Components NOC-AE-06001969 Attachment 2 Page 5 The Class IE 480-volt AC distribution system is powered through a double ended load center which is supplied by separate breakers from the 4.16kV Class IE load center via independent step down transformers. The step down transformers and breakers are sized to allow either transformer to carry the entire load center. The load center includes a tie breaker that allows powering of both sides of the load center from either transformer. Individual motor control centers and loads are fed from either side of the load center.

The design of the distribution system is such that each of the two battery chargers is supplied by motor control centers that are supplied by different sides of the 480-volt load center. The 125 VDC bus can be powered from either of the two battery chargers. This allows one side of the 480-volt load center to be taken out of service without affecting the operability of the DC system which only requires one charger for the system to be operable.

Conditions may arise where ACTION a is entered because a "downstream" bus (e.g. one half of the double ended 480-volt load center) has been de-energized by a fault or needs to be de-energized to perform maintenance. Due to the previously described redundancy, the eigh hour completion time of ACTION a, is unnecessarily restrictive and application of TS 3.13.1 is appropriate.

Each NSSS class IE 120VAC distribution panel (DP1201, 1202, 1203 and 1204) is normally supplied by a dedicated static inverter. Backup power to the panel is supplied via a static transfer switch from a dedicated voltage regulating transformer. The inverter and the voltage regulating transformer are supplied via motor control centers from opposite sides of the 480-volt double ended load center. In the event AC power is ]ost to the inverter or the inverter AC-DC power section is lost, inverter loads are instantaneously picked up by the class IE DC system. The class IE DC system battery chargers are sized to carry the inverter load in addition to the other normal loads while keeping the battery fully charged.

Each TMI (post-accident monitoring) class l1E 120VAC distribution panel (DP0Q1 and 002) is normally supplied by a dedicated static inverter. Backup power to the panel is supplied via a manual bus transfer switch from a dedicated voltage regulating transformer. The inverter and the voltage regulating transformer are supplied from the same motor control center. In the event AC power is lost to the inverter or the inverter AC-DC power section is lost, inverter loads are instantaneously picked up by the class IE DC system. The class IE DC system battery chargers are sized to carry the inverter load in addition to the other normal loads while keeping the battery fully charged.

ACTION b applies when a 120 VAC vital distribution panel is not energized from its associated inverter or with the inverter not connected to the DC bus. The action requires the panel to be energized within two hours and energized through its inverter and DC bus within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

These completion times may be extended with the application of TS 3.13.1. The preceding discussions describe the redundancy that enables STPNOC to manage the configuration risk when ACTION b applies.

ACTION c applies when a DC bus is not energized from its associated battery bank and requires it to be re-energized from the battery bank within two hours. Power to the DC bus can also be

Addendum 1 Application of Risk-Informed Completion Times to Electrical Components NOC-AE-06001969 Attachment 2 Page 6 provided by either of its associated chargers. The two-hour allowed outage time is not consistent with the redundancy available from the other DC channels and the low likelihood of a LOOP.

TS 3.8.3.1 ACTION c should be consistent with the ACTION for TS 3.8.2.1 for batteries and chargers. Consequently, it is appropriate to be able to apply TS 3.13.1 to extend the two-hour allowed outage time for either an emergent condition or a planned maintenance evolution for which the corrective action requires the battery bank to be disconnected from the DC bus.

NOC-AE-06001969 Attachment 3 Technical Specification Pages Affected by the RAI Responses NOTE: The attached TS pages are provided for the staff's information to show how responses to several questions were addressed. They are NOT intended as the replacement pages for the STPNOC license amendment request. STPNOC will provide a complete set of marked-up TS pages in a revised license amendment request that will be submitted later.

NOC-AE-06001969 Attachment 3 TABLE 3.3-3 (Continued)

C,, I No ChannpR 0 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM INSTRUMENTATION C

= MINIMUM

--I TOTAL NO. CHANNELS CHANNELS APPLICABLE m

x FUNCTIONAL UNIT OF CHANNELS TO TRIP OPERABLE MODES ACTION

D
6. Auxiliary Feedwater C

z

a. Manual Initiation 1/pump 1/pump 1/pump 1, 2, 3 26
b. Automatic Actuation Logic 2 1 2 1, 2, 3 22
c. Actuation Relays 3 2 3 1, 2, 3 22
d. Stm. Gen. Water Level --

Low-Low 90 Start Motor- 4 stm. gen. 2 stm. gen. in 3/stm. gen. in 1, 2, 3 20 Driven Pumps and Turbine- any each stm. gen.

Driven Pump stm. gen.

e. Safety Injection See Item 1. above for all Safety Injection initiating functions and requirements.
f. Loss of Power See Item 8. below for all Loss of Power initiating functions and requirements.

CD) (Motor Driven Pumps Only)

7. Automatic Switchover to

_F\ _L Containment Sump****

a. Automatic Actuation Logic 3-1 /train 1/train 1/train 1,2,3,4 10A and Actuation Relays 3 3 b. RWST Level -- Low-Low 3-1 /train 1/train 1/train 1, 2,3, 4 19A CD (D Q3 =

Coincident With: See Item 1. above for all Safety Injection initiating functions and requirements.

3 3 (D D Safety Injection z0 0z

NOC-AE-06001969 Attachment 3 TABLE 3.3-3 (Continued)

ACTION STATEMENTS (Continued)

2. With two less than the Minimum Channels OPERABLE requirement for RCB Purge Radioactivity-High, operation may continue provided the containment purge supply and exhaust valves are maintained closed.

c) MODE 6##: With less than the Minimum Channels OPERABLE requirement for RCB Purge Radioactivity - High, apply the requirements of Technical Specification 3.9.9 for an inoperable Containment Ventilation Isolation System.

NOTE:

With one less than the Minimum Channels Operable requirement for RCB Purge Radioactivity-High, Supplementary or Normal containment purge supply and isolation valves may be open for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> at a time for required purge operation provided the valves are under administrative control.

Response to Q._46~.~

ACTION '1'9 - a. With the""'n"u'mber of O'PERAABLE chanrnelslKle'ss'than the Minimum Channels OPERABLE requirement, withini 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> restore the inoperable channel to OPERABLE status or apply the requirements of SpecIfication 3.13.1 ,or be 'in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD SHUTDOWN within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

b. With the number of OPERABLE channels moretha one less than the Minimum' Channels OPERABLE requirement, within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> restorethe Inoperable channel to OPERABLE status or apply the requirements of Specification 3.13.1, or be in at least HOT STANDBY within the next 6ihours'and in COLD SHUTD OWN within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

ACTION 19A With the number of OPERABLE chaninels one'less than the Minimum Channels OPERABLE requirement, within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> restores the inoperable channel to OPERABLE status or apply the requirementsiof Specification 3.13.1, or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD SHUTDOWN within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

ACTION 20 - With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied:

a. For Functional Units with installed bypass test capability, the inoperable channel may be placed in bypass, and must be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

Note: A channel may be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing per Specification 4.3.2.1, provided no more than one channel is in bypass at any time.

b. For Functional Units with no installed bypass test capability,
1. The inoperable channel is placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, and
2. The Minimum Channels OPERABLE requirement is met; however, the inoperable channel may be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing of other channels per Specification 4.3.2.1.

ACTION 20A'- - a.With "the'number of OPERABLE cha'nnels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions fare satisfied.

1.The inoperable channel is'placed inthe tnrpped condition1within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, and SOUTH TEXAS - UNITS 1 & 2 3/4 3-27 Unit 1 - Amendment No Unit 2 - Amendment No.

NOC-AE-06001969 Attachment 3 EMERGENCY CORE COOLING SYSTEMS 3/4.5.2 ECCS SUBSYSTEMS - TAvG GREATER THAN OR EQUAL TO 3500 F LIMITING CONDITION FOR OPERATION 3.5.2 Three independent Emergency Core Cooling System (ECCS) subsystems shall be OPERABLE with each subsystem comprised of:

a. One OPERABLE High Head Safety Injection pump,
b. One OPERABLE Low Head Safety Injection pump,
c. One OPERABLE RHR heat exchanger, and
d. An OPERABLE flow path capable of taking suction from the refueling water storage tank on a Safety Injection signal and automatically transferring suction to the containment sump during the recirculation phase of operation through a High Head Safety Injection pump and into the Reactor Coolant System and through a Low Head Safety Injection pump and its respective RHR heat exchanger into the Reactor Coolant System.

APPLICABILITY: MODES 1, 2, and 3.*

ACTION:

a. With less than the above subsystems OPERABLE, but with at least two High Head Safety Injection pumps in an OPERABLE status, two Low Head Safety Injection pumps and associated RHR heat exchangers in an OPERABLE status, and sufficient flow paths to accommodate these OPERABLE Safety Injection pumps and RHR heat exchangers,** within,7 days restore the inoperable subsystem(s) to OPERABLE status w da or apply the requirements of Specification 3.13.1, or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in HOT SHUTDOWN within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

b.f With less than two of the required subsystems OPERABLE, within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> restore at least one s'ubsystem to OPERABLE status apply the requ t of Specification 3.13.1, or be in6at least HOT STANDIB ithin the next "and" changed to and in HOT; SHUTDOWN within' the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. "or" per response to Q.15

c. In the event the ECCS is actuated and injects water into the Reactor Coolar System, a Special Report shall be submitted within 90 days describing the circumstances of the actuation and the total accumulated actuation cycles to date.

The current value of the usage factor for each affected Safety Injection nozzle shall be provided in this Special Report whenever its value exceeds 0.70.

  • The provisions of Specifications 3.0.4 and 4.0.4 are not applicable for entry into MODE 3 for the Safety Injection pumps declared inoperable pursuant to Specification 4.5.3.1.2 provided that the Safety Injection pumps are restored to OPERABLE status within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> or prior to the temperature of one or more of the RCS cold legs exceeding 3750F, whichever comes first.
    • Verify required pumps, heat exchangers and flow paths OPERABLE every 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />.

SOUTH TEXAS - UNITS 1 & 2 3/4 5-3 Unit 1 - Amendment No. 1 Unit 2 - Amendment No. 4-3

NOC-AE-06001969 Attachment 3 PLANT SYSTEMS MAIN STEAM LINE ISOLATION VALVES LIMITING CONDITION FOR OPERATION 3.7.1.5 Each main steam line isolation valve (MSIV) shall be OPERABLE.

APPLICABILITY: 8s openin MODES 1, 2, and 3 ACTION:

MODE 1:

With o a MSIV inoperable but-open, ROWE.R OPERATION may continue provided Within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> close or restore the inoperable valve is restored to OPERABLE status, or apply the re'quirements of Specification 3.13.-1Awi4i 4.=he; otherwise be in HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in HOT SHUTDOWN within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

Reworded to respond to Q. 17.

MODES 2 and 3:

Wilth tmore than one (MSIV inoperable, within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> close or restorethe inoperable vfalve(s) ~to OPERABLE Dstatus, or adpply the requirements of Specification 3.13.1; otherwise beinHOTSTANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> ,and in HOT $SHUTDOWNwithin the followin~g 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

SURVEILLANCE REQUIREMENTS 4.7.1.5 Each MSIV shall be demonstrated OPERABLE by verifying full closure within.5 seconds when tested pursuant to Specification 4.0.5. The provisions of Specification 4.0.4 are not applicable for entry into MODE 3.

NOC-AE-06001969 Attachment 3 3/4.8 ELECTRICAL POWER SYSTEMS 3/4.8.1 A.C. SOURCES OPERATING No Changes l LIMITING CONDITION FOR OPERATION 3.8.1.1 As a minimum, the following A.C. electrical power sources shall be OPERABLE.

a. Two physically independent circuits between the offsite transmission network and the onsite Class 1E Distribution System(l), and
b. Three separate and independent standby diesel generators, each with a separate fuel tank containing a minimum volume of 60,500 gallons of fuel, and an automatic load sequencer.

APPLICABILITY: MODES 1, 2, 3, and 4.

ACTION:

a. With one offsite circuit of the above-required A.C. electrical power sources inoperable, demonstrate the OPERABILITY of the remaining A.C. sources by performing Surveillance Requirement 4.8.1.1.1 .a within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and at least once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter. Within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> restore the offsite circuit to OPERABLE status witilnR-42 hour or apply the requirements of Speclification 3.13.1, or be in at least HOT SHUTDOWN within the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and in COLD SHUTDOWN within the following 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.
b. With a standby diesel generator inoperable, demonstrate the OPERABILITY of the above-required A.C. offsite sources by performing Surveillance Requirement 4.8.1.1.1.a within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and at least once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter. If the standby diesel generator became inoperable due to any cause other than an inoperable support system, an independently testable component, or preplanned preventive maintenance or testing, demonstrate the OPERABILITY of the remaining OPERABILE standby diesel generators by performing Surveillance Requirement 4.8.1.1 .2.a.2) for each such standby diesel generator separately within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />, unless it can be demonstrated there is no common mode failure for the remaining diesel generator(s). Within 14 aysrestore the inoperable standby diesel generator to OPERABLE status with#-14 4. or apply the requirements of Specification 3.13.1, or be in at least HOT SHUTDOWN within the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and in COLD SHUTDOWN within the following 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. (12)
c. With one offsite circuit of the above-required A.C. electrical power sources and one standby diesel generator inoperable, demonstrate the OPERABILITY of the remaining A.C. sources by performing Specification 4.8.1.1.1 a. within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and at least once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter; and if the standby diesel generator became inoperable due to any cause other than an inoperable support system, an independently testable component, or preplanned preventive SOUTH TEXAS - UNITS 1 & 2 3/4 8-1 Unit 1 - Amendment No. 86 Unit 2 - Amendment No. 72, 148

NOC-AE-06001969 Attachment 3 ELECTRICAL POWER SYSTEMS LIMITING CONDITION FOR OPERATION ACTION (Continued) maintenance or testing, demonstrate the OPERABILITY of the remaining OPERABLE standby diesel generator(s) by performing Surveillance Requirement 4.8.1.1.2a.2) within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />, unless it can be demonstrated there is no common mode failure for the remaining diesel generators; w'ithin' 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> restore at least one of the inoperable sources to OPERABLE status in our or appl the requirements of Specifiation'3.13.1, or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD SHUTDOWN within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />. Restore at let two offsite circuits to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> and three standby ,dieso fgoneratorsto PERABLE status wit hin 14 daysfrom the time of nitial loss or be in at least HOT SrANDBY within the noxt 6hyours and in COLD SHUTDOWN within ,the follow ing 30' hours.8'2 )

d-t d ~e~dSuperseded

nv34 . by nwT 3h sicnafi tiont ,,iOb-o A-abo asHOT STANDBY - 3.13.2. Responds to Q.20 &

aide,,;21.

1. ,All required systoms, subsystemstrains, components, and d6vi~cesthat depend on thh r OPERRABLE diestl genortor as a source of emergency power arfealso lmaining OPER ABLE, and St. When; in ;MODE ,1i,2,'o;r 3,'theseam driv~e~n auxiliar' ,feedwato~r -pump TisOPERABLE.

'Ifthose condition£ Caroe not satisfied'"within 21i hours' be in at least HOT STANDBY within the ext 6,htours and inCOLD SHUTDOWN within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

e. With two of the above required offsite A.C. circuits inoperable, Within'24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> restore at least one of the inoperable offsite sources to OPERABLE status within 21 hours2.430556e-4 days <br />0.00583 hours <br />3.472222e-5 weeks <br />7.9905e-6 months <br /> or applyvthe requirements' 0fSp iation 3.13.-1ror" be in at least HOT STANDBY within the next 6 hous. vWit onrl oneo:^ffo source res^toed, roetore' 6 at least }aooffsite citrcs to OPERABLEstatu thin 72 houtr from timeof initial loss or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> anI in COD S HTDOWN wit thenfollowing 3 hoers.

Response to 7/2004 Q.14

f. With two or three of the above required standby diesel generators inoperable, de sns6/2005 Q.37.

the OPERABILITY of two offsite A.C. circuits by performing the requirements 4.8.1.1.1a. within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and at least once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter; restore at least one standby diesel generator to OPERABLE status within 2'heur,' or apply the requirements of Specification 3.13.1, or at leasttwo standby dieselgenerators to OPEFABLE statu wiithin 21 hours2.430556e-4 days <br />0.00583 hours <br />3.472222e-5 weeks <br />7.9905e-6 months <br /> es be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD SHUTDOWN within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />. Rostore at least three standby diosl grenerators t, OPERABLE status within 14 days from time of initial less or be in at loast HOT STANDBY within tho noxt66hours and in COLD SHUTDOWN within thi 4 following 3 14Urt2 1r. d! n 1 r t SOUTH TEXAS - UNITS 1 & 2 3/4 8-2 Unit 1 - Amendment No. 86 Unit 2 - Amendment No. 72, 148

NOC-AE-06001969 Attachment 3 ELECTRICAL POWER SYSTEMS 3/4.8.2 D.C. SOURCES OPERATING LIMITING CONDITION FOR OPERATION 3.8.2.1 As a minimum, the following D.C. electrical sources shall be OPERABLE:

a. Channel I 125-volt Battery Bank El Al1 (Unit 1), E2A1 1 (Unit 2) and one of its two associated chargers,
b. Channel II 125-volt Battery Bank El Dl 1 (Unit 1), E2Dl 1 (Unit 2) and one of its two associated full capacity chargers,
c. Channel III 125-volt Battery Bank El B1 1 (Unit 1), E2B1 1 (Unit 2) and one of its two associated full capacity chargers, and
d. Channel IV 125-volt Battery Bank El Cl 1 (Unit 1), E2C1 1 (Unit 2) and one of its two associated chargers.

APPLICABILITY: MODES 1, 2,3, and 4 The Note is added in ACTION: response to Q.23.

NOTE Specification 3.1.1 may not be entered for batteries or chargerswhen the batteries are the sole source of available power to their DC 1bus. if the batteries discharge for more than 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> as the sole source of power to theiirDC bus while Specification 3.13.1 is being applied and no alterate source of power is available, the Specification 3.13.1 LCO shall be considered not met.

With less' than the required battery banks or battery chargers OPERABLE, within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> restore the inoperable battery banl r battery charger, or apply the requirements of Specification 3.13.1, 'or be in at least , andin COLD SHUTDOWN withinlthe following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />. XResponse to Q.38 a.Wt h 9oorogirod ba; ' bankc inprbo otr h nprbobfe~ ank to OPERABLE tatuswithin 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> or be ine 'at least HOT STANDBY within tho no' 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> andin~l I COLD SHUTDOAW"N ithin th: foIlewinanhet sr b.0 WAith no baftorv'lcarg wior a chnnl PRABEresoo tlast ne at cargrt OPERABLE At tuswitin 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> ath or in at laeat HOT within WTANDB eant l6 horA thA SURVEILLANCE REQUIREMENTS 4.8.2.1 Each 125-volt battery bank and charger shall be demonstrated OPERABLE:

a. At least once per 7 days by verifying that:
1) The parameters in Table 4.8-2 meet the Category A limits, and
2) The total battery terminal voltage is greater than or equal to 129 volts on float charge.

SOUTH TEXAS - UNITS 1 & 2 3/4 8-10 Unit 1 - Amendment No. 4-73 Unit 2 - Amendment No. 82

NOC-AE-06001969 Attachment 3 ELECTRICAL POWER SYSTEMS NO CHANGES 3/4.8.3 ONSITE POWER DISTRIBUTION OPERATING LIMITING CONDITION FOR OPERATION 3.8.3.1 The following electrical busses shall be energized in the specified manner:

a. Train A A.C. ESF Busses consisting of:
1) 4160-Volt ESF Bus # EIA (Unit 1), E2A (Unit 2), and
2) 480-Volt ESF Busses # EIAI and EIA2 (Unit 1), E2AI and E2A2 (Unit 2) from respective load center transformers.
b. Train B A.C. ESF Busses consisting of:
1) 4160-Volt ESF Bus # EIB (Unit 1), E2B (Unit 2), and
2) 480-Volt ESF Busses # El Bi and EIB2 (Unit 1), E2BI and E2B2 (Unit 2) from respective load center transformers.
c. Train C A.C. ESF Busses consisting of:
1) 4160-Volt ESF Bus # EIC (Unit 1), E2C (Unit 2), and
2) 480-Volt ESF Busses # EICI and EIC2 (Unit 1), E2CI and E2C2 (Unit 2) from respective load center transformers.
d. 120-Volt A.C. Vital Distribution Panels DPi 201 and DP001 energized from their associated inverters connected to D.C. Bus # EIAII* (Unit 1), E2AII* (Unit 2), .
e. 120-Volt A.C. Vital Distribution Panel DPi 202 energized from its associated inverter connected to D.C. Bus # EIDII* (Unit 1), E2DII* (Unit 2),
f. 120-Volt A.C. Vital Distribution Panel DPi 203 energized from its associated inverter connected to D.C. Bus # EIBII* (Unit 1), E2BII* (Unit 2),
g. 120-Volt A. C. Vital Distribution Panels DPi 204 and DPOO2 energized from their associated inverters connected to D. IC.Bus #E1 Cl1 * (Unit 1), E2C1 1* (Unit 2),
h. 125-Volt D. C. Bus El Al 1 (Unit 1) E2Al 1 (Unit 2) energized from Battery Bank El All (Unit 1), E2A11 (Unit 2),
i. 125-Volt D. C. Bus El D11 (Unit 1) E20D1 1 (Unit 2) energized from Battery Bank El Dl1 (Unit 1), E2D11 (Unit 2),
j. 125-Volt D. C. Bus El BI 1 (Unit 1) E2B1 1 (Unit 2) energized from Battery Bank El1B1 (Unit 1), E2B11 (Unit 2), and
k. 125-Volt D. C. Bus ElC1 1 (Unit 1) E2C1 1 (Unit 2) energized from Battery Bank El ClI (Unit 1), E2C1 1 (Unit 2).
  • The inverter(s) associated with one channel may be disconnected from its D.C. bus for up to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> as necessary, for the purpose of performing an equalizing charge on its associated battery bank provided: (1) its vital distribution panels are energized, and (2) the vital distribution panels associated with the other battery banks are energized from their associated inverters and connected to their associated D.C. busses.

SOUTH TEXAS - UNITS 1 & 2 3/4 8-14 Unit 1 - Amendment No. 4 Unit 2 - Amendment No.

NOC-AE-06001969 Attachment 3 ELECTRICAL POWER SYSTEMS LIMITING CONDITION FOR OPERATION (Continued)

APPLICABILITY: MODES 1, 2, 3, and 4.

ACTIC )N: Response to Q.39.

a. With one-of the required tra sk.oC. ESF busses not fully energized, within"1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> reenergize the trainf wit 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> or apply the requirements of Specification 3.131, oribe in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD SHUTDOWN within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.
b. With one or more A.C. vital distribution panel4s) either not energized from its associated inverter, or with the inverter not connected to its associated D.C.

bus: (1)within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> reenergize the A.C. distribution panels) or apply the requirements of Specdification 3.13.1, or be in atfleast HOTMSTANDBY within the next6 hour's aind in COL.D SHUTDOWN within the following 30 I9uCr fand (2) within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> reenergize the A.C. vital distribution panel(s) from its associated inverter connected to its associated D.C. bus within 24 iiwis or apply the requirements of Specification 3.13.1, or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD SHUTDOWN within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

c. With one or more D.C. bus(es) not energized from its associated battery bank, w'ithin 1hour reenergize the D.C. bushes) from its associated battery bank withino- hours or apiy therequilrements of Specification 3.13.1, or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD SHUTDOWN within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

SURVEILLANCE REQUIREMENTS 4.8.3.1 The specified busses shall be determined energized in the required manner at least once per 7 days by verifying correct breaker alignment and indicated voltage on the busses.

SOUTH TEXAS - UNITS 1 & 2 3/4 8-1'5 Unit 1 - Amendment No.

Unit 2 - Amendment No.

NOC-AE-06001969 Attachment 3 3/4.13 RISK MANAGEMENT 3/4.13.1 ALLOWED OUTAGE TIME DETERMINATIONS LIMITING CONDITION FOR OPERATION 3.13.1 When referred to this specification, equipment that has been declared inoperable shall be evaluated for its impact on plant risk and allowed outage times determined in accordance with the Configuration Risk Management Program.

APPLICABILITY: 1) MODE as required by the referencing specification, and

2) Conditions where a Loss of Function has not occurred ACTION:
a. Within the allowed outageief of the refeirencing specification determine that the configuration is acceptable for extension beyond the allowed outage time for the referencing specification(s),

AND

b. Withinthe time limits of the fCRMP determine that the configuration is acceptable for continued operation beyond the allowed outage time for the referencing specification whenever configuration changes occur that may affect plant risk, AND
c. Restore required inoperable subsystem, component to OPERABLE status within the acceptable allowed outage time extension or 30 days, whichever is shorter.

OR Take the ACTION(s) required in the referencing specification for required action or completion time not met SURVEILLANCE REQUIREMENTS 4.13.1 As required by the referencing specification SOUTH TEXAS - UNITS 1 & 2 3/4 13-1 Unit 1 - Amendment No.

Unit 2 - Amendment No.

NOC-AE-06001969 Attachment 3 3/4.13 RISK MANAGEMENT 3/4.13.2 ALLOWED OUTAGE TIME DETERMINATIONS FOR INOPERABLE CROSS-TRAIN EQUIPMENT LIMITING CONDITION FOR OPERATION 3.13.2 Application of the specified allowed outage times for inoperable equipment in different safety trains shall meet the criteria of the Configuration Risk Management Program APPLICABILITY: 1) Entry into the ACTION statements for two or more LCOs to which Specification 3.13.1 maybe applied.

2) Configurations where LCO 3.13.1 is not being applied ACTION: Determine the configuration is acceptable for the application of at least the specified allowed outage times for the affected components within the shorter of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or the shortest affected allowed outage time. For configurations where the specified allowed outage time is not acceptable, restore one or more of the affected components to OPERABLE status within the calculated allowed outage time or take the ACTION(s) required in the referencing specification(s) for required action or completion time not met.

SOUTH TEXAS - UNITS 1 & 2 3/4 13-2 Unit 1 - Amendment No.

Unit 2 - Amendment No.

Addendum 1 Application of Risk-Informed Completion Times to Electrical Components NOC-AE-06001969 Attachment 2 Page 0 Bases for Specification 3.13.1 Specification 3.13.1 establishes provisions for performing a risk assessment to determine required actions and allowed outage times for specifically identified specifications for structures, systems, and components. Application of the risk assessment is consistent with the requirements of the Maintenance Rule, 1OCF'R50.65(a)(4), to assess and manage the increase in risk that may result from maintenance activities. The process to manage the risk assesses the rate of accumulation of risk in plant configurations and determines the allowed outage time (AOT) by calculating the time required to cross a Potentially Risk-significant Threshold (1.OE-05).

Application of the risk assessment to manage allowed outage time in different plant configurations is complemented by the station's programs to monitor performance indicators for long-term availability of risk-significant components. The requirement to achieve acceptable long-term performance indicators provides a significant disincentive to the potential to regularly extend baseline AOTs to the detriment of availability.

TS 3.13.1.a establishes the conditions for performance of the risk assessment. The LCOs subject to the Configuration Risk Management Program (CRMP) specifically reference TS 3.13.1. The baseline AOT or required completion time specified in the LCO may be used to apply the TS 3.13.1 to determine an alternate AOT and compensatory actions.

TS 3.13.1 applies separately to each ACTION for which TS 3.13.1 is entered. When TS 3.13.1 is entered from a referencing TS, it is entered at ACTION a, even if TS 3.13.1 is already being applied for another referencing TS; i.e., TS 3.13.1 is applied as an extension of the ACTION statement of the referencing TS. Although TS 3.13.1 may be applied to extend the allowed outage time for a referencing TS, except for the extension in the allowed outage time, the other requirements of the referencing TS continue to apply. For instance, if TS 3.13.1 is applied to extend the allowed outage time for Train A ECW (TS 3.7.14.a), the provisions of TS 3.7.14.b.

will apply if another ECW train becomes inoperable.

The requirement in ACTION b to continuously determine the acceptability of the plant means that once the subject LCO has exceeded the baseline AOT, the risk assessment must be reperformed as needed to identify changes to the required action and time limits resulting from subsequent changes to the plant configuration. This requirement provides assurance that the configuration risk is adequately assessed. The risk contribution from non-TS components modeled in the PRA is also included in the quantification of the allowed outage time.

Consequently, ACTION b applies for conditions where a non-TS component modeled in the PRA fails or is removed from service. The requirements of TS 3.13.1 will continue to apply as long as any TS ACTION is beyond its frontstop time. Although a particular ACTION with the allowed outage time extended may be exited when the affected SSC is restored to operable status, the accumulated risk of that configuration will continue to contribute to the configuration risk for the associated entry into TS 3.13.1 until all affected ACTIONs are exited or within their frontstop allowed outage time.

TS 3.13.1 is applied with the referencing specification and ACTION c requires the action required by the referencing specification to be taken if the configuration risk exceeds the risk-informed completion time. It recognizes that the plant is in an extended AOT that has a specified required action if the required action time is exceeded. In a configuration where the risk reaches the risk-informed completion time, the calculated AOT has been exceeded and the

NOC-AE-06001969 Attachment 3 action required at the expiration of the AOT must be taken. If more than one LCO action is beyond its frontstop time, all affected LCO actions that are beyond their frontstop will be considered not met and the prescribed action taken.

Application of TS 3.13.1 will provide action for conditions where more than one train or channel of a function is inoperable. Unless otherwise! permitted in the TS, TS 3.13.1 will not be applied for configurations where there is a complete loss of function (e.g., all three trains of ECW or all channels of an actuation logic that results in all trains of a function being non-functional).

If a component is determined to be inoperable, it may still be considered to have PRA Functionality for calculation of a RICT if there is reasonable assurance that it can perform its required functions for events not affected by the degraded or non-conforming condition and if the condition can be quantified in the PRA. If these conditions are not met, the component will be assumed to be non-functional for calculating the RICT; i.e., it will have no PRA Functionality.

Components that are not capable of meeting an operating parameter specified in the TS (e.g.

pump flow) may not be considered functional for the events for which that parameter is assumed to be met.

For the purposes of this specification, Loss of Function occurs when there is no PRA Functionality in any train or channel of a TS required function to mitigate specific PRA scenarios.

Examples of where a component has PRA Functionality such that the condition could be quantified in the determination of an allowed outage time are listed below.

  • SSCs that don't meet seismic requirements but are otherwise capable of performing their design function.
  • SSCs that are inoperable but secured in their safe position (e.g., a closed containment isolation valve).
  • SSCs powered from a source other than their normal power source, provided the alternate power source is modeled in the PRA.
  • An SSC with an inoperable automatic function if the manual actuation of the SSC is modeled in the PRA (e.g., a diesel generator with an inoperable sequencer). Actuation channels are associated with their actuated components or trains. Loss of actuation channels is not considered a Loss of Function unless no train of the actuated SSC function has PRA Functionality.
  • An SSC that is functional for mitigation of a set of events (e.g. steam generator tube rupture, small break LOCA) but is not functional for other events for which it is credited (e.g. large break LOCA or steam line break), providing the PRA model can quantify the risk for the calculation of a RICT. An example of this type of condition is degradation of environmental qualification.

TS 3.13.1 establishes a backstop AOT of 30 days. This backstop AOT prevents allowing a component with little or no risk significance from being inoperable indefinitely and resulting in a defacto change to the design or licensing basis of the plant.

Bases for Technical Specification 3.13.2 Technical Specification 3.13.2 requires confirmation that the specified allowed outage times are acceptable when ACTIONs are entered for components on separate LCOs. The allowed

NOC-AE-06001969 Attachment 3 outage times for SSCs are often based on no other SSC being inoperable at the same time.

Some configurations where the plant is in two or more LCO ACTION statements could potentially impose an unacceptable level of risk. This is particularly the case if the affected components are in different safety trains because the redundancy of accident mitigation capability could be adversely affected.

To prevent redundant or conflicting requirements, TS 3.13.2 does not apply when TS 3.13.1 is being applied to manage risk for configurations with components beyond their frontstop allowed outage times. In those situations, TS 3.13.1 already imposes the appropriate requirements for the assessment of configuration risk.

Addendum 1 Application of Risk-Informed Completion Times to Electrical Components NOC-AE-06001969 Attachment 2 Page 0 6.0 ADMINISTRATIVE CONTROLS 6.8 Procedures, Programs, and Manuals 6.8.3.j (continued)

Peak calculated containment internal pressure for the design basis loss of coolant accident (LOCA), Pa is 41.2 psig.

The maximum allowable containment leakage rate, La, is 0.3 percent of containment air weight per day.

Leakage rate acceptance criteria are:

1) Containment overall leakage rate acceptance criterion is <1.0 La. During the first unit start-up following testing in accordance with this program, the leakage rate acceptance criteria are < 0.60 La for the combined Type B and Type C tests, and <.75 La as-left and < 1.0 La as-found for Type A tests.
2) Air lock testing acceptance criteria for the overall air lock leakage rate is <

0.05 La when tested at > Pa-The provisions of Surveillance Requirement 4.0.2 do not apply to the test frequencies specified in the Containment Leakage Rate Testing Program.

The provisions of Surveillance Requirement 4.0.3 apply to the Containment Leakage Rate Testing Program.

k. Configuration Risk Management Program (CRMP)

A program to assess changes in core damage frequency and cumulative core damage probability resulting from applicable plant configurations. The program should include the following shall be in accordance with the guidance in the EPRI Risk-Managed Technical Specifications (RMTS) Guidelines, Rev. [ ].

I-I trainin

-1.

a Alf:r riannpl:

AFs*L 2I) proceedures for-identifying plant configurations, the generation of risk profiles and the evalu.ation of risk against established thresholds; and

3) procedures for evaluating changes in risk resulting from unplanned maintenance activities. [t h RMChange to show how RMTS Guideline (continued) would be incorporated.

SOUTH TEXAS - UNITS 1 & 2 6-10 Unit 1 - Amendment No.

Unit 2 - Amendment No.

Retrieved from "https://kanterella.com/w/index.php?title=NOC-AE-06001969,_Response_to_NRC_RAI_on_STPNOC_Proposed_Risk-Informed_Technical_Specifications&oldid=2587302"