NOC-AE-06001994, Response to NRC Requests for Additional Information on STPNOC Proposed Risk-Informed Technical Specifications


Response to NRC Requests for Additional Information on STPNOC Proposed Risk-Informed Technical Specifications
ML061280591
Person / Time
Site: South Texas  STP Nuclear Operating Company
Issue date: 04/26/2006
From: Mcburnett M
South Texas
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
NOC-AE-06001994


Text

Nuclear Operating Company
South Texas Project Electric Generating Station
P.O. Box 289, Wadsworth, Texas 77483

April 26, 2006
NOC-AE-06001994
10CFR50.90

U. S. Nuclear Regulatory Commission
Attention: Document Control Desk
One White Flint North
11555 Rockville Pike
Rockville, MD 20852-2738

South Texas Project Units 1 and 2
Docket Nos. STN 50-498, STN 50-499
Response to NRC Requests for Additional Information on STPNOC Proposed Risk-Informed Technical Specifications

References:

1. Letter from T. J. Jordan to NRC Document Control Desk dated August 2, 2004, "Broad-Scope Risk-Informed Technical Specification Amendment Request," (NOC-AE-04001666, ML042190366)

2. Letter from T. R. Tjader (NRC) to Biff Bradley (NEI) dated June 3, 2005, transmitting Requests for Additional Information on the STP application in Reference 3 (ML051510103)
3. Letter from M. A. McBurnett to NRC Document Control Desk dated February 10, 2006, "Response to NRC Requests for Additional Information on STPNOC Proposed Risk-Informed Technical Specifications," (ML060480439, NOC-AE-06001969)

Reference 1 is STP Nuclear Operating Company's (STPNOC) proposed license amendment request for a broad-scope set of risk-informed changes to the Technical Specifications.

Reference 2 is a set of NRC requests for additional information (RAIs) on the STPNOC application. Reference 3 is the partial STPNOC response to the RAIs.

STPNOC noted in Reference 3 that we would submit a follow-up response to the remainder of the RAIs. This submittal is that follow-up response.

Several prior responses have been revised on the basis that the response should reference the EPRI Risk-Managed Technical Specification Guidelines instead of being STP-specific. Revised responses are identified by appropriate notations and explanations.

06001994 (STP RITS PRA RAI response).doc STI 31995767

There are no commitments in this letter.

If you have any questions regarding the responses, please call Wayne Harrison at 361-972-7298 or me at 361-972-7206.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on [date illegible]

M. A. McBurnett
Manager, Nuclear Safety Assurance

Attachments:

1. Response to NRC Request for Additional Information dated June 3, 2005
2. Technical Specification Pages Affected by the RAI Responses

cc:

(paper copy)

Regional Administrator, Region IV
U. S. Nuclear Regulatory Commission
611 Ryan Plaza Drive, Suite 400
Arlington, Texas 76011-8064

Richard A. Ratliff
Bureau of Radiation Control
Texas Department of State Health Services
1100 West 49th Street
Austin, TX 78756-3189

Senior Resident Inspector
U. S. Nuclear Regulatory Commission
P. O. Box 289, Mail Code: MN 16
Wadsworth, TX 77483

C. M. Canady
City of Austin
Electric Utility Department
721 Barton Springs Road
Austin, TX 78704

(electronic copy)

A. H. Gutterman, Esquire
Morgan, Lewis & Bockius LLP

Mohan C. Thadani
U. S. Nuclear Regulatory Commission

Christine Jacobs
Steve Winn
Michael A. Reed
NRG South Texas LLP

C. Kirksey
City of Austin

Jon C. Wood
Cox Smith Matthews

J. J. Nesrsta
R. K. Temple
E. Alarcon
City Public Service

NOC-AE-06001994

Attachment 1

Response to NRC Request for Additional Information dated June 3, 2005

Response to June 3, 2005 RAI NOC-AE-06001994 Attachment 1 Page 1

Request for Additional Information - Technical Review of STP RMTS Initiative 4B Full Plant Pilot

1. RAI #1 requested clarification of the risk calculations planned for the RMTS program to assure Regulatory Guide 1.174 criteria for acceptably small risk increases were being met. The response stated that the total ICCDP and ICLERP would be "automatically determined as the risk is being accumulated...". Please provide additional detail as to how this automatic calculation is physically accomplished.

Response

The approach used at STP for configuration risk management employs pre-solved configuration-specific Level 1 PRA calculations. The PRA scope and quality are structured to satisfy RG 1.200 requirements and also be acceptable for calculating the change in risk due to the removal of equipment from service. Only the equipment within the scope of the CRMP can be evaluated in terms of delta risk (i.e., change in core damage frequency). The CRMP processes are procedurally controlled. The procedure establishes the organizational requirements and responsibilities for administering the CRMP. The automatic calculations are physically performed by the Risk Management organization as part of the proceduralized PRA update process. All the existing configurations (>20,000) are individually calculated, verified, and the results stored in a database. Station personnel can then access the pre-calculated results using the Risk Assessment Calculator (RAsCal) software tool. This software tool is LAN-based and uses a centralized database. The software complies with the station's software QA program. In the event a configuration is entered into the RAsCal program which is not represented in the pre-solved configuration database, an error message ("unquantified maintenance state") is displayed and information detailing the specifics of the configuration is captured. A member of the Risk Management team is on duty or on call at all times. They are trained in calculating plant configurations.

Once an unquantified maintenance state error message is received, the configuration is calculated and added to the pre-solved configuration database. This process can take up to an hour, but is rare for an actual plant condition. STPNOC plans to incorporate enhancements into the RAsCal program such as display of the risk-informed completion time (RICT), core damage frequency (CDF) and large early release frequency (LERF) to facilitate the implementation of risk-managed Technical Specifications (RMTS).

It is the staff's understanding that the accumulated risk, tracked from the point when the frontstop CT is first exceeded until all extended CTs are exited, and based on actual plant configurations, will be cumulatively tracked and periodically reviewed to determine that the overall RITS program application meets the criteria in Regulatory Guide 1.174 for small risk increases. Please confirm.

Response: The accumulated risk will be tracked in accordance with the RMTS Guidelines, which provide for comparing the accumulated risk to Regulatory Guide (RG) 1.174.

Further, it is the staff's understanding that the actual integrated risk (either ICDP or ILERP) will be tracked during use of the RICT and will be used to determine the amount of time available to reach the integrated risk limits for the RICTs (i.e., 10^-6/10^-7 ICDP/ICLERP for RMA threshold RICT, 10^-5/10^-6 ICDP/ICLERP for the maximum safety limit RICT). That is, the calculated RICT is dependent upon the actual configuration which currently exists, and on the actual accumulation of risk which has occurred from the point the equipment was declared inoperable. Please clarify.

Response: The staff's understanding as described is correct.

Finally, it is also the staff's understanding that once the RICT is entered, accumulation of risk toward the 10^-5/10^-6 ICDP/ICLERP for the maximum safety limit RICT continues until all LCOs for which the frontstop CTs have been exceeded have been restored to a MET status (components fully operable). Please confirm.

Response: The staff's understanding as described is correct.

2. RAI #3, in part, requested the requirements for crediting compensatory measures and contingency actions in risk assessments performed for RICT calculations. In response, it was stated that only actions in the PRA model would be credited, typically, and that special emergent conditions would require procedural and administrative controls.

This seems to contradict the guidance provided in Attachment 3 of the licensee's August 2, 2004 submittal, used by the operators to determine functionality, which implies that SSCs can be considered functional with manual operator actions "...contained in approved written instructions..." (item 1), and that realignment from surveillance testing can be credited if included in the test procedure. Considering such equipment functional appears to be the expected outcome of the guidance, and effectively assigns an HEP of zero to those manual actions. The staff believes that credit should be taken in accordance with the applicable PRA standards after a realistic or bounding human reliability analysis is used to quantify the action, and an assessment of potential dependencies with other actions is considered. Further, the relevant procedures should be part of the expected plant response to accidents or transients (i.e., emergency or abnormal operating procedures), or to component failure (alarm response procedures), to assure that a direct cue is available which directs the operator to the applicable procedure. The mere existence of written instructions does not assure timely implementation of recovery actions. Please discuss in detail how manual actions are credited for functionality determinations for RICT calculations.

Response

For RICT calculations, out-of-service time will be based on the time the affected equipment is not OPERABLE per TS requirements. The current HRA and associated HEPs satisfy RG 1.200 and other requirements documents (e.g., ASME RA-S-2002). Operator actions are not credited in a RICT calculation unless the actions are accounted for in the PRA. (See also the response to 8.c.)

3. RAI #4 asked for clarification of the STP process for assessing common cause failure potential. Additional information is required for the staff to understand how STP assesses CCF within the context of a RMTS program.
a. STP identified their Corrective Action Program as providing guidance for the CCF assessment. Please discuss the specific technical guidance provided to the operators which would apply to an emergent failure or condition of components within the scope of the RMTS. Does the CCF assessment require testing, inspections, or other activities to reach a determination? How is the time frame for this assessment determined within the Corrective Action Program (i.e., within the frontstop CT?).

Response

The STP common-cause assessment is performed consistent with the description in the proposed RMTS Guidelines.

The STP Corrective Action Program (CAP) is based in part on the guidance provided in Part 9900 of the NRC Inspection Manual for degraded and non-conforming conditions (originally provided as Generic Letter 91-18). The CAP procedure requires evaluation of extent of condition for emergent issues that could affect plant reliability. In addition, Licensed Operators recognize that an emergent condition identified on a TS component may have the potential to affect a redundant component or similar components. In addition to a determination of operability on the affected component, the Operator is expected to make a judgment with regard to whether the operability of similar or redundant components might be affected. In accordance with the guidance of Part 9900 of the NRC Inspection Manual for degraded and nonconforming conditions, the determination of operability is to be done promptly, commensurate with the safety significance of the affected component. The STP procedure direction is that initial Operability screening is to be commensurate with the safety significance of the Condition, but should normally not exceed one work week. Initial Operability screening for Conditions with allowed outage time less than 72 hours, and which have a shutdown action statement, should normally be completed within 24 hours.

b. From Attachment 3 of the licensee's August 2, 2004 submittal, it is stated that SSCs are considered functional if it is "reasonably assured" that they can perform intended functions. If an emergent failure of one of three redundant components occurs, would all trains be declared inoperable, but the unfailed components be considered "reasonably assured" of being functional unless they specifically exhibited symptoms of the failure mode?

Response

Based on the information available, the Licensed Operator is often able to make an immediate determination that there is reasonable assurance that redundant or similar components are not affected. Using his judgment with regard to the specific condition, the Operator may direct that similar or redundant components be inspected for evidence of the degradation. For conditions where the Operator has less information, assistance from other organizations, such as Engineering, is typically requested. The organization continues to perform the evaluation promptly, as described above. Absent indication that the redundant or similar components are affected by the condition, the Operator may consider those components to be operable. The guidance contained in Part 9900 of the Inspection Manual is used as well as conservative decision-making for extent of condition evaluations. The components are considered functional in the PRA unless the operability evaluation determines otherwise.

c. It is stated that if a CCF issue is determined to exist, "it will be accounted for in the operability determination". Please clarify - does this mean that the components will be considered inoperable or non-functional?

Response

See the response to 3.b. above. If the operability determination identifies the same degraded or non-conforming condition exists in the redundant train components, they will be declared inoperable.

d. It is stated that the PRA and CRMP are used to provide safety significance insights "for components that might affect more than one train or function". Please clarify - should this refer to "component failure modes" instead of "components"? How are the insights used in the RMTS program for RICT calculation?

Response

STP agrees that "component failure modes" is a more appropriate description. Insights are used in the RMTS program to identify qualitative risk management actions but are not typically used for RICT calculations. The insights may be used to facilitate and prioritize the determination of the extent of condition, as discussed in the response to Question 3a. The RICT may be affected if other SSCs are determined to be affected.

e. It is stated that the PRA "includes the effect of a component failure in the CCF of similar components", but then states that the failure rate of "cross-train" components is not adjusted. Please clarify exactly what the PRA calculation is doing for CCF rates when an emergent SSC failure occurs.

Response

The failure rates for cross train equipment within the same system are not adjusted under the assumption that a "train" is removed from service (voluntarily or involuntarily). The RISKMAN software is designed to account for removing a train or trains from service (i.e., guaranteeing failure of one or more trains). The common cause treatment is adjusted mathematically by the software.

STPNOC has provided input to revise the RMTS Guidance to reflect that failure rates need not be adjusted for a single failure.

f. It is stated that the CRMP "...requires consideration..." of risk reduction actions including plant shutdown if the risk crosses the 1E-5 threshold. It is understood that the 1E-5 risk is the RICT limit, which would require applicable TS shutdown actions. How could such actions only be "considered" in a RMTS program?

Response

When the proposed risk-informed TS is implemented, TS 3.13.1 will require application of the pertinent TS ACTION from the referencing TS if the 1E-05 threshold is crossed. If that ACTION requires shutdown, then that will be the action required by TS 3.13.1. In accordance with TS 3.0.2, the shutdown action may be exited if the limiting condition is restored.

4. RAI #7 requested clarification of the assessment of LERF within the RMTS program. In response it was stated that CDF is the only required metric "for nearly all evaluations", then described the capability to perform such assessments with the PRA model. Please clarify under what configurations would a LERF assessment be performed. The RMTS guidelines require the LERF evaluation for all RICT calculations, so it is not clear how LERF could not be required.

Response

The term "for nearly all evaluations" is based on STP's current experience with our RAsCal program which shows that CDF is almost always the limiting figure-of-merit for a RICT calculation. Only the equipment that is important for containment performance and has little or no role in the likelihood of core damage is equipment for which LERF would be more limiting. STPNOC will perform a study of the STP Level 2 PRA to determine what configurations or equipment are more limiting from a LERF perspective as opposed to CDF.

The CRMP will be designed to select the more limiting of the two figures-of-merit, CDF or LERF, for the appropriate RICT calculation.

5. RAI #8 requested clarification of the RMTS program treatment of planned vs. emergent configurations. In response, it was stated that a threshold CDF of 10^-6 was established for planned configurations, consistent with the generic guidelines, but then identified that a higher risk level could be used by duty manager approval. It was not stated if this approval is used only to address emergent conditions or if it could be part of the normal planned maintenance practices. It is the staff's understanding that planned use of RICTs would be applicable to preventive as well as emergent corrective maintenance, and will not exceed thresholds of 10^-6 for CDF and 10^-7 for LERF. It is also the staff's understanding that the use of the higher RICT limits would only be used for emergent failures of equipment or other unanticipated conditions which occur during implementation of an RICT. Please clarify.

Response

The staff's understanding is generally correct with the exception that emergent conditions are not necessarily only those that occur during implementation of a RICT. STP plans routine maintenance not to exceed the 1E-06 ICDP threshold in accordance with the configuration risk management procedure. However, the procedure allows planned exceedance of this threshold with Plant General Manager approval. Although it is not a procedure or program limitation, the most likely reason for a planned exceedance would be to address an unexpected condition identified during operation. Configurations where the 1E-06 ICDP threshold is exceeded will be tracked in the Corrective Action Program.

6. RAI #9 requested clarifications of the risk assessments documented in Table 2 of the licensee's August 2, 2004 submittal. Table 2 includes the column "Risk Basis Calculated STP AOT Before Backstop (base case)" which is further clarified in footnote 1 as the calculated time to reach an ICDP of 1E-5. Each of the technical specification LCOs includes actions for one or more of the redundant trains being inoperable, but only a few of the table entries provide the corresponding RICT for each separate configuration. Please provide an expansion of this table to provide the calculated RICT for each number of trains being inoperable within the proposed scope of the submittal. If there is a significant difference in the RICT depending upon which train(s) is inoperable, identify each RICT and provide the basis for the asymmetry in the calculated RICT.

Response

Table 2 is being revised to include additional cases and to better describe the asymmetries in the risk associated with inoperable trains. This information will be provided in the revised license amendment request submittal. Note that Table 2 is not intended to be all-inclusive. Its purpose was to provide the reviewer with a general insight with regard to the margin to the existing allowed outage times.

7. The staff has no additional questions regarding RAI #10, except to confirm our interest in seeing the STP program demonstrate application of the RMTS for several plant configurations.

Response: STPNOC can arrange to demonstrate the application either at the STP site or in the NRC offices.

8. RAI #12 requested further explanation of the distinction between "inoperable" and "non-functional" components within the RMTS process. In response, Attachment 3 of the licensee's August 2, 2004 submittal was referenced. The staff requests additional clarification of the use of functionality to determine RICTs for TS.
a. The licensee submittal identifies a differentiation between the definition of OPERABILITY applied to the technical specification LCOs, and the term "functionality", which is not defined in technical specifications, to be applied to components for calculating RICTs. When a component is INOPERABLE, due to the inability to perform a limited portion of its intended functions, and these functions are distinguishable in the PRA model and can therefore be quantified while taking credit for those functions which the component is still able to perform, it may be acceptable for the RICT to be longer than would otherwise be calculated if the component is assumed to be completely non-functional. However, if one or more components are determined to be INOPERABLE, but the loss of functionality is (1) not known or uncertain, or (2) not capable of being addressed in the PRA model, then the component should be assumed to be non-functional for purpose of calculating a RICT. This would typically arise with emergent issues associated with design issues of components which impact all safety trains, and would currently require entry into TS 3.0.3. Please discuss in detail how components which are inoperable may be evaluated as fully or partially functional in the calculation of RICTs. Several examples which cover the spectrum of possible conditions may be beneficial to the staff's understanding of this issue.

Response

STPNOC agrees that if a component is determined to be inoperable and there is not reasonable assurance of its functionality or it is not capable of being addressed in the PRA model, it should be assumed to be non-functional for calculating the RICT. As discussed in the response to Question 3.b, the redundant or similar components may still be considered operable and functional.

The August 2, 2004 application provides the current CRMP requirements for a component to be considered functional. The criteria described in the CRMP typically apply to situations affecting a single component, not conditions where TS 3.0.3 would apply. In no case is a component determined to be functional without authorization from a Senior Reactor Operator.

Application of TS 3.13.1 will provide action for conditions where more than one train or channel of a function is inoperable. Unless otherwise permitted in the TS, TS 3.13.1 will not be applied for configurations where there is a complete loss of function (e.g., all three trains of ECW or all channels of an actuation logic that results in all trains of a function being non-functional).

For determination of a RICT, STPNOC proposes to apply the PRA Functional criteria currently proposed in the RMTS Guidelines.

[Details of functionality determination from the prior response are deleted. STPNOC will apply the RMTS Guidelines.]

b. With regards to functionality vs. operability, it is understood that functionality will only address requirements modeled in the PRA. Some mitigating functions are reviewed and screened out in the development of a PRA model due to low frequency of demand for the particular function, or the low probability of failure of the function. For specific configurations which may be encountered during planned maintenance or testing, combined with possible emergent conditions, these screened functions could become more important, and would potentially impact the calculation of a RICT. For each of the TS LCOs for which the RMTS will apply, (1) identify the PRA function(s) which are modeled including success criteria if different than the design basis, and (2) identify any design basis functions not modeled, and (3) justify that these should not significantly impact the calculated RICT under configurations covered by the RMTS.

Response

The following are general responses to the question. STPNOC will provide more specific answers in a later submittal.

1) In general, the PRA system success criteria follow the design basis success criteria with regard to the number of systems required for success or required system performance (flow, etc.). However, for core cooling, the design basis acceptance criteria are the criteria of 10CFR50.46 while PRA acceptance criteria is based on no core damage (core exit thermocouple temperature less than 1200°F). The deterministic design basis also includes assurance that departure from nucleate boiling does not occur as an acceptance criteria in the analysis of non-LOCA accidents. There are no directly corresponding PRA acceptance criteria.
2) Design functions that are not modeled include the boron concentrations for the accumulators (TS 3.5.1) and the refueling water storage tank (TS 3.5.5), and the pressurization and filtration function for control room envelope ventilation (TS 3.7.7).

3) STPNOC has not identified a difference between the PRA acceptance criteria and the design basis acceptance criteria that is considered to be risk-significant or material to the mitigation functions of the systems in the scope of RMTS. The control room envelope ventilation pressurization and filtration functions that are not modeled have been evaluated to have no effect on core damage or large early release that would affect a RICT, which is consistent with the functionality criteria proposed in the RMTS Guidelines. Were the boron concentration of the accumulators or the RWST not within TS limits, the components would be considered non-functional, which is also consistent with the RMTS Guidelines.

Consequently, STPNOC considers the modeling scope of the PRA adequate for the calculation of a RICT.

c. Further with regards to functionality vs. operability, Attachment 3 of the licensee's submittal identified procedural requirements for functionality. The staff requests additional clarifications of the application of these requirements in RMTS:

Item 1 states that a component is functional without automatic actuation if "prompt restoration" by the control room operator or a dedicated local operator is available, with written instructions provided for actions not involving complex repairs or diagnostics. Similarly, item 9 allows actions in surveillance procedures to be similarly credited. The staff assumes that such recovery actions would not normally be part of the baseline PRA model, but would be specific to the configuration. Crediting such manual recovery actions, without a quantitative consideration of the human error probability, or of dependencies on other actions which may be required in specific sequences, would not be appropriate for calculation of RICTs. This also appears to conflict with responses made to NRC RAI 3, that only PRA modeled actions are typically credited in the RICT calculations.

Item 4 identifies examples of alterations which affect functionality. Some can be directly evaluated as to impact (i.e., jumpers or lifting electrical leads), but the others are somewhat uncertain as to the impact on functionality.

Item 5 allows an SSC to be functional if there is "reasonable assurance" that it can perform its intended functions. The staff is concerned that two standards are being applied with regards to the operators' confidence in assessing the status of SSCs, one to determine operability and a lesser standard to determine functionality.

Items 5 and 8 identify that, if the functionality determination is later determined to be in error, "non-functional time will be corrected accordingly". This implies that the determination of functionality need not be rigorous and can have some degree of uncertainty, since it can be later modified if found to be incorrect. This would not be appropriate for RICT determination.

Response

The standards for determining whether a component is functional with manual action in lieu of automatic action are identical to the standards applied in Part 9900 of the Inspection Manual for determining whether a component is operable with manual action in lieu of automatic action. For an operator action to be credited to maintain functionality, it must be modeled in the PRA.

The response to Question 8.a. describes the standards for functionality, which clearly require the component to be able to perform its function. The RMTS Guidelines criteria for functionality must be met. The requirements for operability as it is defined in the TS have not changed.

The functionality determination is expected to be correct. The functionality determination is performed in accordance with the RMTS Guidelines as mentioned above. The likelihood of the functionality determination being wrong would be considered a rare event unless new information was discovered that had a direct impact. In the event that this occurs, the RICT calculation would be corrected and incorporated. Other actions that may be required as a result of the revised RICT calculation would be processed in accordance with station procedures. The intent is not to relax the rigor of the determination, but only to prescribe how the component is to be treated in tracking the cumulative risk in the unlikely event that the determination is found to be incorrect.

9. RAI #24 requested justification of proposed changes which involved application of the RMTS to loss of function conditions. The staff requests additional discussion of these configurations, and refers to new RAIs #25 through #38.
10. The licensee proposes to apply a RICT to the reactor trip breakers (TS 3.3.1.20) and to the automatic trip and interlock logic (TS 3.3.1.21). It is therefore critical to this application that the PRA modeling and success criteria for ATWS sequences be thorough and comprehensive, unless bounding analyses are applicable.
a. In the development of accident sequences, it is not unusual to screen out failure to trip the reactor for some initiating events, such as LOCAs, steamline breaks, or SGTRs, since the combination of the low frequency initiator and the failure of the reactor trip system, as well as the potential for adequate negative reactivity from ECCS flow, make these sequences very low frequency. However for this application, such a screening process may not be appropriate. Please discuss.

Response

STP has elected to remove the reactor trip breakers (TS 3.3.1.20) from the scope of the application.


b. The success criteria for mitigation of an ATWS event is dependent upon the specific point in each operating cycle, as well as the cycle-specific core reactivity design characteristics (i.e., moderator temperature coefficient and the unfavorable exposure time). It is not unusual that the risk calculations performed to support the CRMP for Maintenance Rule a(4) would not specifically account for the time in the operating cycle, but instead use a cycle-average risk calculation. In order to support the calculation of a RICT for these TS, such an average calculation may not be appropriate, and the configuration-specific risk should account for this time-dependent impact. Please discuss.

Response

See response to RAI #10a above.

As general information to the Staff the following is provided:

For purposes of the RICT calculation, the PRA does not use cycle averaged risk values for core reactivity design characteristics. Instead conservative or bounding values are used for establishing success criteria for equipment required in ATWS scenarios.

Therefore, the maintenance states and subsequent RICT calculations used in STP's CRMP are not varied based on operating cycle core reactivity design characteristics.

c. The existing technical specifications do not address the operability of the AMSAC.

Since the AOT is only six hours when the reactor trip function is unavailable, it is not critical that AMSAC be considered. However, if a RICT is implemented, then the operability of AMSAC should be required so that there is some mitigation immediately available in the event of a demand for a reactor trip. Please discuss how AMSAC is addressed in the PRA model, and whether a new TS for AMSAC should be required given the proposed modifications to these TS requirements.

Response

See response to RAI #10a above.

As general information to the Staff the following is provided:

AMSAC does not meet the 10CFR50.36(c)(2)(ii) criteria necessary for a limiting condition for operation. However, AMSAC is included in the PRA and its contribution is calculated for all maintenance states. It should be noted that its quantitative effect is negligible in terms of a RICT.

d. The emergency boration system (EBS) was deleted from the STP design based on acceptable fuel performance in the event of a return to criticality for a steamline break accident. STP is proposing to apply a RICT to the trip logic and breakers, and the MSIVs and actuation logic. How does the STP PRA model address steamline break accidents with regards to the synergies between reactor trip and steamline isolation functions? Is the model detail able to distinguish concurrent unavailability of these related functions with regards to the potential for core damage due to return to criticality?

Response

See response to RAI #10a above.

The reactor trip signal from safety injection actuation is unaffected by the proposed changes. Reactor trip signals from a steam line break event are also expected from Power Range High Flux, Over-temperature delta T, and Overpower delta T, which are independent of the safety injection signals generated by a steam line break. Concurrent unavailability of all functions is not allowed. Steam line isolation and reactor trip are modeled explicitly in the PRA and are quantified as independent events given that the relevant signals are present. Steam line isolation failure given a steam line break is assumed to lead to core damage regardless of the status of the reactor trip function.

11. The licensee proposes to apply a RICT to the steam line isolation actuation logic and relays (TS 3.3.2.4.b), to the turbine trip and feed water isolation actuation logic and relays (TS 3.3.2.5.a), to the main steam line isolation valves (TS 3.7.1.5), and to the main feedwater isolation valves (TS 3.7.1.7). These LCOs exist to limit the reactor cooldown transient, and such events are not typically modeled in PRAs as being relevant to core damage. Please describe how the STP PRA models these functions such that an RICT is appropriate.

Response

Turbine trip and feedwater isolation logic and relays (TS 3.3.2.5.a) and Feedwater isolation valves (TS 3.7.1.7) are being removed from the scope of the proposed application.

The Staff is correct that cooldown transients are not always modeled in PRAs; however, STP's PRA does include cooldown events. Cooldown events are modeled for General Transients (i.e., turbine-generator trip), since this initiator is relatively frequent in a probabilistic sense, and for the Small LOCA and SGTR initiating events. Cooldown events are not modeled under other initiators such as large/medium LOCA since decay heat removal is a part of the initiator itself or is not applicable to the initiator. For any excessive cooldown, the effect of the cooldown is modeled under pressurized thermal shock event tree top events. In summary, cooldown events are included in STP's PRA, their contribution is small and, therefore, their contribution to a RICT is very small.

12. The licensee proposes to apply a RICT to the pressurizer code safety valves (TS 3.4.2.2). There are no tests or maintenance performed on these valves during operation, and no challenges occur which would reveal an INOPERABILITY.

Therefore, the only application of the RICT would be to allow extended time to deal with an emergent issue causing INOPERABILITY of all three valves.


a. Does the scope of the STP PRA model include all design basis events which result in a challenge to the code safety valves? If not, please identify those events not modeled, discuss the plant response to the event under these conditions, discuss why continued plant operation is appropriate with no code safety valves OPERABLE to mitigate those events, and identify what compensatory measures would be applicable during such operation.

Response

STP has elected to remove the pressurizer code safety valves (TS 3.4.2.2) from the scope of the application.

b. The submittal states that the pressurizer PORVs and sprays provide overpressure protection. Is the mitigating capability of these components (e.g., capacity, response time, availability during design basis events) equivalent to the code safety valves? Are these components able to provide equivalent overpressure protection to the reactor coolant system pressure boundary for the spectrum of design basis events which challenge the code safety valves? The pressurizer spray valves are not included in the scope of technical specifications, and indefinite power operation with both PORVs isolated is permitted under TS 3.4.4; should this specification include a requirement for OPERABILITY of one or both PORVs and/or the pressurizer spray valves? Does the STP PRA model include both the PORVs and spray valves as an alternative to the code safety valves?

Response: See response to RAI #12a above.

c. The proposed changes to TS 3.4.2.2 do not include any assurance of the OPERABILITY of any component(s) which are capable of providing overpressure protection to the reactor coolant system pressure boundary to assure that the safety limit for maximum RCS pressure is not exceeded. Please identify how the integrity of the RCS as a fission product barrier is assured under such operations.

Response

The STP application is being revised to remove TS 3.4.2.2 from its scope.

13. The licensee proposes to apply a RICT to the pressurizer power-operated relief valves and their associated block valves (TS 3.4.4). The submittal identifies a RICT of 352 days with one PORV inoperable, and 349 days with both PORVs inoperable. It is not clear why these RICTs are so similar. Please clarify:


Response

The PRA models the pressurizer PORVs for Feed and Bleed, RCS pressure response to loss of load events, RCS depressurization in response to a steam generator tube rupture, and response to ATWS overpressure events. If a PORV is blocked due to leakage, that PORV is unavailable for ATWS response in the PRA. If a PORV is unavailable for any other reason, the PRA assumes that the PORV is failed. Unavailability of either PORV guarantees failure of the feed and bleed function modeled in the PRA. The slight difference in the RICT for one or two PORVs inoperable reflects the small contribution of pressurizer PORV failure to scenarios other than feed and bleed.

a. What accident sequences take credit for operation of the PORVs?

Response

ATWS and feed and bleed scenarios both incorporate the contribution of PORV operation in their accident sequences. SGTR sequences include the PORVs as an alternate to the pressurizer spray valves. Loss of load initiating events assume PORV challenge and question PORV reclosure.

b. What is the success criteria for the PORVs for each accident sequence?

Response

Feed and bleed requires two of two pressurizer PORVs. ATWS overpressure response models plant overpressure response given zero, one, or two PORVs available. SGTR sequences require one of two PORVs for RCS pressure reduction. Loss of load initiators assume all available PORVs are challenged and require closure of all available PORVs.

c. If the PORVs are credited for overpressure protection of the RCS, as a redundant capability to the code safety valves, discuss if operator action is credited in the event of (1) the failure of the automatic function or (2) if the PORV is isolated due to seat leakage.

Response

With the exception of ATWS events, the PORVs are not credited as redundant capability to the pressurizer code safety valves. For the PRA ATWS response, the likelihood of failure of RCS integrity is influenced by the number of PORVs available.

In addition, two PORVs are assumed to be equivalent to one pressurizer safety valve in terms of pressure relieving capability in the ATWS pressure relief models. Note, this assumption does not significantly affect the core damage contribution from ATWS events.


14. The licensee proposes to apply a RICT to the safety injection system accumulators (TS 3.5.1).
a. Confirm that the success criteria and the required accident sequences for the accumulators is consistent with the design basis analyses, or provide a sensitivity study of the calculated RICTs for one or more accumulators inoperable using the design basis criteria.

Response

The accumulator success criteria for injection is the same as the design basis. Two accumulators inject into intact loops, one accumulator injects into the broken loop.

b. For action b when boron concentration is not within limits, the submittal states that the RICTs presented for action a apply. This seems inconsistent with other parts of the submittal where it is stated that the functionality of the INOPERABLE components is used to determine the RICT. Please discuss how the RICT would be applied to action b.

Response

For action b, STPNOC would apply the criteria of the RMTS Guidelines to determine the functionality of the accumulators. If the accumulators cannot be shown to be functional using the guidelines, they would be considered non-functional and a RICT would be calculated accordingly. Currently, the boron concentration is not modeled or otherwise assessed and the accumulators would be considered non-functional.

15. For TS 3.5.2 for ECCS, with two or more subsystems INOPERABLE, the proposed change requires restoration of at least one ECCS train to OPERABLE status within one hour. In Table 2 for this LCO, it states that a risk-informed AOT is appropriate with no OPERABLE trains. However, the RICT could not apply since the proposed action requirement is to restore one train within one hour. Is this the intent of the changes to TS 3.5.2? Please clarify.

Response

The proposed change to TS 3.5.2.b has been revised to change "and" to "or". For a condition where all three trains of HHSI are inoperable and non-functional, the configuration will exceed the 1E-03/yr instantaneous core damage frequency criterion and the shutdown action of TS 3.5.2.b will be required.

16. For TS 3.6.2.3 for the reactor containment fan coolers, the calculated RICT is stated to be based on CDF and there was no impact on LERF. Please clarify how the fan coolers are credited in the PRA model for mitigation of core damage given that the design basis function is containment heat removal, and identify the basis for the success criteria (i.e., judgment or specific calculations).


Response

The reactor coolant fan coolers (RCFCs) are included in the PRA in the Late Event Response event trees. With an intact containment (i.e., no large opening), the heat removal capacity of the RCFCs is such that long-term decay heat removal can be accomplished using two of six RCFCs. This decay heat removal function is only credited on sequences where a sump recirculation flow path is established but normal decay heat removal using the residual heat removal heat exchangers is not available. This was verified during the Sandia review of the original PRA. The RCFCs also provide containment cooling, the status of which is tracked in the Level 2 PRA model.

17. For TS 3.7.1.5 and 3.7.1.7, the wording of the action requirement includes a note which states: "Separate condition entry is permitted for each MSIV (MFIV)." This wording is inconsistent with other action statements being revised, as is noted in Table 2.

Introducing a new phrasing would seem to be an unnecessary complication and distraction to the operators applying the technical specifications. Further, as worded the proposed action could be interpreted to allow a new 30-day backstop AOT to be constantly applicable without restoration of all MSIVs or MFIVs to OPERABLE status. Please confirm that inclusion of this note is not intended to create any unique interpretation of the application of a RICT for these specifications, with regards to applying the 30-day backstop. Specifically, confirm that it is not intended to have a separate 30-day backstop for each individual MSIV or MFIV, but only a single 30-day backstop applicable to all valves.

Response

TS 3.7.1.5 for MSIVs has been revised to be consistent with the format of the other TS that reference TS 3.13.1. The provision for separate condition entry has been eliminated.

STPNOC has removed TS 3.7.1.7 for MFIVs from the scope of the application since the MFIVs are not modeled in the PRA.

The informational TS markup in Attachment 2 is changed from the first set of RAI responses. However, the changes involve format only and do not affect the intent of this question.

18. For TS 3.7.14 for chilled water, which supplies room cooling to safety-related equipment, it is typical that the PRA model would only include a subset of the components supported, based on room heatup evaluations. It is also typical to include time-of-year flag events to turn off the ventilation models when cooler outside temperatures exist. These PRA model conventions would result in a 30-day LCO for large portions of the system, and during winter months. Please discuss STP plans in this regard.


Response

The safety-related chilled water system (essential chilled water) in the STP PRA includes cooling to the two major ventilation systems, Electrical Auxiliary Building HVAC and Control Room HVAC, and room coolers associated with the safety injection pumps and the essential chillers. Not included are several smaller room coolers such as the penetration space coolers, reactor make-up water pump cubicle, boric acid transfer pump cubicle, radwaste control room AHU, CVCS valve room coolers, etc. These smaller coolers either do not support continuously operating equipment that is modeled in the PRA or only support components that are not modeled in the PRA.

Room heat-up calculations have been used to modify the success criteria for the safety injection pump rooms which are supplied by the essential chilled water system.

The PRA does not include time of year flags for ventilation cooling requirements for any of the modeled ventilation, chilled water, or room cooling systems.

19. For TS 3.8.1.1 for AC sources, Table 2 states that the STP switchyard is served by 8 incoming lines. However, there is no control in the technical specifications requiring these 8 separate lines. Please describe how the STP PRA model accounts for the unavailability of one or more incoming lines. Describe also the plant configuration controls on the incoming lines.

Response

The eight incoming lines feed the STP switchyard and are part of the off-site electric power grid. As such, they are not subject to TS requirements. TS 3.8.1.1 requires two independent circuits between the off-site transmission network and the on-site Class 1E distribution system in accordance with GDC-17. Addendum 1 to this attachment discusses the TS treatment for the required off-site circuits. The STP PRA models two of the eight lines to account for maintenance on the North Bus or South Bus in the STP switchyard. Otherwise, the eight lines are not specifically modeled in the PRA.

STPNOC is not the controlling authority for the off-site transmission network. However, STP has direct communications with the controlling authority and may coordinate activities with the system operator. The controlling authority will not perform switching operations or restoration that affects STP without first contacting the STP control room. In addition, STP has agreements with the operator for early power restoration should there be a loss of off-site power. The controlling authority will notify STP regarding status of grid restoration should the grid be lost.


20. For TS 3.8.1.1, Action d, which applies concurrently with actions b and c, is inconsistent with those actions with regards to the application of 3.13.1. Specifically, action d requires that 3.13.1 be applied within 24 hours. The requirement to apply 3.13.1 at 14 days (action b) is unnecessary since 3.13.1 was already in effect from action d. Similarly, the requirement to apply 3.13.1 at 12 hours (action c) renders action d unnecessary.

Response

The submittal has been revised to delete TS 3.8.1.1.d. Proposed new TS 3.13.2 will require a risk assessment when two or more actions apply for SSCs in the scope of TS 3.13.1. The proposed TS 3.13.2 is provided in Attachment 2.

21. For TS 3.8.1.1 Action d, the defense-in-depth requirement that, for a loss of offsite power, at least one safety train of equipment is OPERABLE and powered from an OPERABLE EDG is eliminated, as is the requirement for OPERABILITY of the steam driven AFW pump for station blackout mitigation. In response to related RAI #20, STP stated that existing procedures "require very similar compensatory actions".

It is not clear why an existing requirement is proposed to be eliminated from TS control within the context of RMTS 4b initiative. Please discuss, and provide examples of the RICT for cases involving EDGs and other supported equipment.

Response

Proposed new TS 3.13.2 will replace TS 3.8.1.1.d. TS 3.13.2 has broader applicability than TS 3.8.1.1.d. since it is not limited to conditions where an SDG is affected but will require a risk assessment when two or more LCOs apply for SSCs in the scope of TS 3.13.1. Note that TS 3.8.1.1.d is limited to cross-train SSCs, whereas the proposed TS 3.13.2 is not.

If there are inoperable cross-train components, the AOT should depend on the risk significance of the specific configuration. For instance, an inoperable cross-train accumulator or reactor containment fan cooler would be of low significance and additional time up to the 30-day backstop can be justified if necessary. Concurrent inoperability of an SDG and the turbine-driven auxiliary feedwater pump is more limiting but still has more than 20 days to cross the 1E-05 threshold (see Example 2 in the August 2, 2004 application).

Example 1 in the August 2, 2004 application quantifies a configuration with a Train A maintenance outage (including EDG A, and HHSI A) and a concurrent failure of Train B HHSI. Train C is unaffected in this example. The calculated time to cross the 1E-05 threshold is also more than 20 days.

22. For TS 3.8.1.1 Action e, which applies when two of the two required offsite AC circuits are INOPERABLE, Table 2 of the submittal states that STP will maintain in this configuration at least one ESF bus with offsite power. This requirement is not found in the technical specifications. Please confirm if this is intended as a commitment.


Response

The application of TS 3.13.1 to TS 3.8.1.1 ACTION a and ACTION e is discussed in detail in Addendum 1.

23. For TS 3.8.3.1 (onsite power distribution), Table 2 states that the loss of a single ESF bus does not result in a plant trip. If the ESF bus is de-energized, the battery chargers for that train would be lost, and after a period of time the batteries would deplete.

Does the loss of one DC train cause a plant trip? If so, wouldn't the application of 3.13.1 for this LCO (and for TS 3.8.2.1 for batteries and chargers) potentially lead to a plant transient?

Response

Implementation of the energize-to-actuate modifications in both units has removed the immediate plant trip associated with the loss of one DC channel. However, for loss of the Channel I or Channel III DC bus, a plant trip on low steam generator level will occur within a short time as the hydraulic pressure bleeds down for the feedwater isolation valves associated with those channels and the valves close.

It is not STPNOC's intent to use TS 3.13.1 to extend the allowed outage time for configurations where the battery bank is the sole source of power for the loads on the DC bus. A note has been added to TS 3.8.2.1 to restrict the application of TS 3.13.1 for these conditions.

Operator action can be taken to energize the ESF bus from alternate sources, such as the Emergency Transformer, its own SDG, or the opposite unit Standby Transformer.

In addition, STP has procedures to enable cross-train feed to an ESF bus for some configurations. These configurations are currently limited to cross-connecting the B Train SDG to the A Train or C Train ESF Bus to provide a charging pump for protection of RCP seals and maintain availability of a DC source to ensure adequate plant instrumentation is available for monitoring plant conditions, and to cross-connecting the C Train SDG to the A Train or B Train ESF Bus to energize one set of Fuel Handling Building (FHB) emergency ventilation system heaters. There is substantial margin for providing cross-connect capability. From Table 8.3-3 of the STP UFSAR, the worst case train SDG loading is 3868.3 kW during a loss of offsite power. The STP SDGs are rated for 5500 kW continuous.

AC vital distribution panels can be energized from same-train Class 1E AC power apart from the normal power to their associated inverters. The DC bus could be energized through its associated batteries with its associated charger powered from an alternate source or from a temporary charger. With inoperable batteries, the DC bus can be energized through an operable charger or a temporary charger. Most of the example alternatives could be implemented in either a planned or emergent condition and none would result in a plant transient. TS 3.13.1 would allow appropriate consideration of these alternatives in determining an allowed outage time.

See Addendum 1 for additional discussion.

RG 1.200 PRA Quality

NOTE: During the staff review of Regulatory Guide 1.200 conducted at STP, the reviewers encountered difficulty in assessing how the STP PRA complied with the elements of the standard. This was based in part on the staff's unfamiliarity with the support state methodology; however, it was also attributed to the lack of adequate documentation. The staff is currently assessing how to assure a thorough review and assessment of STP PRA quality per the requirements of Regulatory Guide 1.200, and considers the following RAIs to be gathering preliminary information leading to a more detailed assessment.

24. Regulatory Guide 1.200 sections 1.2.4 and 1.2.5, and section 1.3 Table 3, identify attributes of a fire PRA and external events PRA, which are not addressed by existing PRA standards. The licensee is requested to describe the scope and quality of their fire and external events PRA models, addressing the attributes identified in the guide.

Response

Background on STP's Fire PRA

STP's original Fire PRA was completed in 1989 as part of the Level 1 PSA using state-of-the-art practices at that time. The STP Level 1 PSA, Fire PRA, and External Events Analysis was independently reviewed by Sandia National Labs and documented in NUREG/CR-5606, "A Review of the South Texas Project Probabilistic Safety Analysis for Accident Frequency Estimates and Containment Binning (August 1991)". STP's Level 1 PSA, including Fire PRA, received a favorable response and several improvements were made during the resolution of technical comments. The Fire PRA was subsequently updated in 1992 in response to Generic Letter 88-20 reflecting the plant design as of April 15, 1991; however, the fire analysis portion was based on the plant design dated back to the original Level 1 PSA (October 1988). Sandia extensively reviewed the Fire PRA during their review of the original Level 1 PSA and found the STP fire analysis to be acceptable. This conclusion was due to the physical separation used in STP's design, the technical approach used to meet the requirements of Appendix R, and the three and four train redundancy of most of STP's safety related systems. Sandia's conclusions about fire risk were accepted by the NRC and documented in the NRC safety evaluation dated January 21, 1992.

The STP Fire PRA methodology, analysis and results are documented in three reports: the STP Level 1 PSA (1989), the Individual Plant Examination (IPE) performed in 1992 in fulfillment of GL 88-20, and in the Fire PRA Update to address Thermolag performance relative to Appendix R (1994). Numerous fire PRA walkdowns had previously occurred for the earlier studies and a comprehensive walkdown was performed in May 1994 to identify all areas where Thermolag was used. The Fire PRA Update to address Thermolag performance included an update of the spatial interactions analysis for selected areas that used Thermolag and would continue to use Thermolag to meet Appendix R requirements. The Fire PRA Update addressed the risk associated with the use of Thermolag and accounted for the plant design as of June 30, 1994.

The following table provides a listing of attributes contained in RG 1.200 (Sections 1.2.4, 1.2.5, and Table 3) and the corresponding location of that information in the STP IPE, the STP Level 1 PSA, and/or the Fire PRA Thermolag Update.

| Technical element | STP analysis | IPE and Level 1 PSA reference | Comments |
|---|---|---|---|
| Screening Analysis | Performed as part of Spatial Interactions Analysis portion of the STP Fire PRA | IPE Section 3.4.1 and Table 3.4.1-1; Level 1 PSA (1989), Section 3.4 in Summary Report; walkdowns performed per IPE Section 3.4.1.4.1, Table 3.4.1-9; Table D-2, Appendix D of L1 PSA; Section 4 of Fire PRA Update Thermolag | Required screening analysis performed to determine where fires could result in significant accident sequences. Twelve databases established to fully document this task. Verification Walkdowns documented. The elements contained in the Screening Analysis section of RG 1.200 are addressed in the STP documents. |
| Fire Damage Analysis | Performed as part of Internal Fires Analysis portion of the STP Fire PRA | IPE Section 3.4.1.5 and Section 3.4.2; Level 1 PSA (1989), Section 3.4 in Summary Report; Section 4 of Fire PRA Update Thermolag | The elements contained in the Fire Damage Analysis section of RG 1.200 are addressed in the STP documents. |
| Plant Response Analysis | Performed as part of Internal Fire Analysis portion of the STP Fire PRA | IPE Section 3.4.1 and Section 3.4.2; Level 1 PSA (1989), Section 3.4 in Summary Report; Section 4 of Fire PRA Update Thermolag | The elements contained in the Plant Response Analysis section of RG 1.200 are addressed in the STP documents. |
| Quantification | Performed as part of Internal Fire Analysis portion of the STP Fire PRA | IPE Section 3.4.1 and Level 1 PSA (1989), Section 3.4 in Summary Report; Section 4 of Fire PRA Update Thermolag | The elements contained in the Quantification section of RG 1.200 are addressed in the STP documents. |
| 1.2.5 External Events Hazards Technical | IPE and Level 1 PSA | IPE Section 3.4.4, Seismic | |
| Screening & Bounding Analysis | Performed as part of STP External Events PRA and Seismic PRA | IPE Section 3.4; IPE Table 3.4.1-1; IPE Section 3.4.4 | The elements contained in the Screening & Bounding section of RG 1.200 are addressed in the STP documents. |
| Hazard Analysis | | IPE Section 3.4.4.1 | The elements contained in the Hazards Analysis section of RG 1.200 are addressed in the STP documents. |
| Fragility Analysis | | IPE Section 3.4.4.2 | The elements contained in the Fragility section of RG 1.200 are addressed in the STP documents. |
| Level 1 Model Modification | | IPE Section 3.4.4.3; IPE Section 3.4.4.4; IPE Section 3.4.4.5 | The elements contained in the Level 1 Modification section of RG 1.200 are addressed in the STP documents. |

The above information is intended to correlate the technical elements of internal fires and external hazards contained in RG 1.200 with the locations of that information in STP's PRA documentation. The review of the STP documentation confirms that the RG 1.200 technical elements have been addressed and that the quantification results appropriately incorporate the fire risk and external event risk contributions to average annual core damage frequency and average annual LERF. The current contribution of fire to core damage frequency is approximately 11%. These contributions are included in all PRA calculations supporting the risk informed completion times (RICT) for plant specific configurations.

Future updates to the Fire PRA and External Events PRA will be performed in accordance with STP's Risk Management strategic plan.

25. Regulatory Guide 1.200 section 4.2 requires the licensee to submit "... a discussion of the resolution of the peer review comments that are applicable to the parts of the PRA required for the application." Two options are identified, one to provide a discussion of how the PRA model has been changed, and the second to provide a sensitivity study that demonstrates the particular issue does not impact the significant accident sequences or contributors. The licensee has provided only the numerical identification of their peer review facts and observations, and identified which were categorized as level 'A' or 'B' (Attachment 5, Resolution of Peer Review Comments, to submittal letter dated 10/28/2004). Therefore, the licensee is requested to submit the information required by the guide to address the resolution of peer review comments.

Response

Attached Table 1 describes the disposition of the findings and observations from the peer review of the STP PRA. Most of the peer review comments that affected model quantification were incorporated into the Revision 4 STP PRA model. The change in core damage frequency as a result of these model changes is difficult to determine because of other model changes that were also incorporated. The changes, in order of relative importance, are summarized below:

  • Updating of equipment reliability resulted in an overall slight increase in CDF. Train unavailability update resulted in an overall decrease in CDF. Update of the operator actions resulted in a decrease in CDF.
  • Initiating event update resulted in a decrease in the overall likelihood of an initiating event by about 10%. Initiating event contribution to CDF overall decreased with the exception of Large Break LOCA (LLOCA) and Loss of Power (LOSP) events. Increases in LLOCA contribution to CDF are attributed to modeling of the accumulators and hot leg recirculation. LOSP increases in CDF contribution are due to update of failure rate data for breakers. Loss of Condenser Vacuum initiating event frequency increased due to the plant specific update.
  • Modeling changes include the abandonment of the 150 ton chillers, inclusion of safety injection hot leg recirculation, accumulator injection, and modeling of ATWS events.

These changes resulted in a slight change in the CDF.

| Model Name | CDF Value | LERF Value |
|---|---|---|
| STP 1999 | 1.17E-05 | 5.76E-07 |
| STP REV4 | 9.08E-06 | 5.377E-07 |

No system level modeling changes as a result of peer review comments were found to be significant. The modified human reliability analysis (HRA) that was incorporated in STPREV4 along with the changes in plant specific planned maintenance unavailability contribute most to the decrease in CDF and LERF between the two PRA models.

STP Revision 5, currently being completed, incorporates a modification in the HRA process and shifts to the EPRI HRA calculator. A Level 2 PRA update which includes the resolution of the final Level 2 Peer Review comments and the NRC comments from the site visit is also included in Revision 5.

26. Regulatory Guide 1.200 section 4.2 requires the licensee to submit the identification of the key assumptions and approximations relevant to the results used in the decision-making process, along with the peer reviewers' assessment of those assumptions.

Reference is made to Regulatory Guide 1.174 in section 3.3 for applicable guidance on addressing the impact of these assumptions on uncertainty as it relates to the decision-making process. Only four areas were identified by the licensee, and the peer review assessment was not provided (Attachment 4, Key Assumptions and Approximations, to submittal letter dated 10/28/2004). Since this is a "whole plant" application of risk-informed TS initiative 4B, it is expected that there would be something more than four key assumptions/approximations applicable. Therefore, the licensee is requested to submit additional information regarding the key assumptions and approximations in their PRA model, along with the peer reviewer assessments.

Response

Key sources of uncertainty and key assumptions will be included in Revision 5 to the STP PRA currently in progress. The update will include the latest guidance from the Westinghouse Owners Group (June 2005) for the identification of the assumptions. The model update is expected to be completed by May 2006.


27. Regulatory Guide 1.200 section 4.2 requires the licensee to submit documentation that the PRA is consistent with the standard as endorsed in the appendices to the guide, and the identification of the parts of the PRA that conform to the less detailed capability categories and the limitations which this imposes. The licensee did not identify how their PRA model conforms to the capability categories identified in the ASME Standard as endorsed by the appendices to Regulatory Guide 1.200 (Attachment 3, Conformance to Standards, to submittal letter dated 10/28/2004). Further, during the NRC staff review of the STP PRA for the Regulatory Guide 1.200 pilot, the reviewers noted that the STP self assessment documentation was "difficult to discern their conclusions about their PRA". Therefore, the licensee is requested to submit the information required by the guide, and their plans and schedules (if applicable) to address identified deficiencies which are relevant to this application.

Response

The current PRA model revision that is being performed (Rev. 5) is intended to ensure that issues identified during peer review (e.g., Facts and Observations), the RG 1.200 Self-Assessment, and other reviewer comments are addressed and incorporated into the PRA, as appropriate. Table 2 attached contains the results of the updated self-assessment that was performed to satisfy the requirements of RG 1.200 Appendix B.

The PRA model revision that is currently in process is being performed to ensure that the STP PRA satisfies the requirements of Capability Category 2 of the ASME standard as modified by RG 1.200 Appendix B. Items that are not yet complete, but will be completed upon the release of STPREV5, are also highlighted in Table 2.

Major tasks that are not yet complete at the time of the response are listed below. The tasks are scheduled to be complete in support of issuing Revision 5 of the PRA in May 2006.

  • HRA Update - A major update to the PRA HRA analysis in support of Revision 5 is nearing completion. The final review comments have been developed and discussed with the HRA contractor. The HRA update project involved a complete update to the methods previously used to develop operator responses to initiating events and pre-initiator operator error quantification. Thermal-hydraulic analysis and simulator testing for timing were also included in the update project. Once the updated HRA values are approved, the PRA will be requantified to develop important HRA sequences for dependency analysis.
  • Key Assumptions and Uncertainties - An evaluation of the key assumptions and uncertainties is being performed as part of the Revision 5 model development. Identification and analysis of key assumptions will follow guidance developed by the Westinghouse Owners Group.


  • Common Cause Data Development - A complete review of the NRC common cause failure (CCF) database and development of generic prior distributions from this review are being completed in support of the Revision 5 PRA update.
  • General guidance documentation for various elements of the PRA - These documents are being prepared and reviewed. Although the guidance documents do not affect the PRA revision, their development will ensure consistent performance of the various tasks necessary for PRA model update. Completion is expected in May 2006.
  • LERF Key Assumptions and Uncertainty - A complete revision to the STP Containment Response Model and the Level 2 event tree model has been completed in support of Revision 5 to the PRA. Once the remaining elements of the PRA update are complete and incorporated into the PRA, the key assumptions and resulting uncertainties will be developed for the LERF results.

28. Regulatory Guide 1.200 section 1.2.6 describes the characteristics of PRA model documentation. During the NRC staff review of the STP PRA for the Regulatory Guide 1.200 pilot, deficiencies in the documentation were specifically noted, and it was further identified that STP placed excess reliance on one particular experienced staff member. Because the nature of this application is to place ongoing reliance on the accuracy and quality of the PRA model to calculate RICTs for the technical specifications, robust documentation of the PRA model is essential to assure the capability of the licensee to properly maintain the fidelity of the model, without undue reliance on specific staff members. The licensee is therefore requested to describe the current capability of their PRA model documentation, and to identify a schedule for updates and upgrades to assure their documentation is adequate to permit ongoing maintenance of their PRA models for the following key areas:

Response

STP PRA models are maintained and updated in accordance with station procedures. PRA models are procedurally required to be updated at least every three years for plant modifications and procedure changes and at least every five years for performance data updates. The documentation of the model is performed by each team member of the PRA group and is readily available on STP's local area network. Thus, access to the documentation is protected and available to PRA personnel. Each team member is responsible for multiple PRA areas and therefore has familiarity with the documentation over a large scope of the PRA. Currently, STP's PRA documentation is considered to be adequate for knowledgeable RISKMAN practitioners and meets the needs of STP's risk-informed programs and applications. With the completion of the PRA update scheduled for 2006, STP's PRA documentation will meet available industry standards (Capability Category 2) and Regulatory Guide 1.200 such that the documentation of the PRA, including the areas listed below, is more robust, to better ensure that the long-term maintenance and knowledge transfer activities are satisfactorily performed.


a. Key assumptions and approximations applicable to system and event tree models.

Response

See response to item # 26.

b. Screening of sequences or failure modes from the model.

Response

"Screening of sequences" is not performed on STP's PRA. All sequences are included as generated by the event tree structures. Failure modes are listed in system notebooks for each system within the PRA scope. Failure modes not listed would not be included.

The documentation contained in STP's system notebooks includes this information at a system level. This includes the system boundary conditions, split fraction rules, and specific sources of system unavailability. At a plant level, the event tree notebooks contain the documentation for sequence structure, logic rules, binning rules, etc.

Recovery top events specifically contain the conditions necessary for operator actions to be successful or failed. All this information and more resides in the event tree notebooks. The documentation is considered adequate for STP PRA work activities associated with model maintenance and transfer of model knowledge. Several Peer Review open items were associated with documentation and will be closed with the upcoming PRA update.

c. Quantification instructions, including recovery rules and their bases, mutually exclusive event combinations and their bases, and truncation levels.

Response

Recovery rules, mutually exclusive event combinations, truncation levels, and associated bases are all contained in STP's PRA documentation either in system notebook or event tree notebook documentation. In general, event tree rules are used to address recovery and mutually exclusive event combinations. Complicated event combinations are usually discussed in the event tree notebooks. Since STP uses event tree linking instead of linked fault trees, mutually exclusive events can be addressed by more direct means. For example, loss of AC power leading to a loss of DC power is explicitly treated with event tree rules and recovery analysis. Conversely, loss of DC power prior to a loss of AC power is addressed by specific event tree rules. For loss of essential cooling water after SDGs are questioned in the event tree (diesels require the cooling water), specific event tree macros map these failures to failure of the affected downstream components (CCW, ECH, SI, AFW, etc.). All systems in the PRA scope are evaluated and treated in a similar manner but in each case a specific treatment will be used which is documented in the event tree notebooks. This information is available for Staff review or discussion for any area within the PRA.

PRA Technical Questions

29. During the NRC staff review of the STP PRA for the Regulatory Guide 1.200 pilot, issues with the adequacy of the common cause failure modeling were noted during very brief reviews of system modeling. The methods were not using the most recent available information, and some CCF modes were not considered (i.e., batteries, chargers). The licensee is requested to describe the development of CCF models for their PRA, and provide a listing of the CCF modes considered, the components which are modeled for CCF, and the sources of data used.

Response

Common cause failure modeling in the STP PRA uses the Multiple Greek Letter (MGL) method for the quantification of the likelihood of failure of similar sets of equipment due to shared causes outside of system direct dependencies (e.g., shared common tank).

In each system, sets of active equipment are defined and MGL parameters are developed.

The development of system level cutsets from common cause failure is performed within the RISKMAN code. In general, once a common cause group is defined in RISKMAN, all combinations of independent and common cause failure are developed and substituted for the independent basic event in the system failure tree. For example, the high head safety injection system consists of three pumps that are normally in standby. The pumps start automatically in response to a safety injection signal. No MOVs need change position for system success. The common cause groups are:

  • Pump Fail to Start - 3 pumps
  • Pump Fail to Run - 3 pumps

RISKMAN will develop the following modifications for the HHSI system basic events.

  • HHSI Pump A Independent - Fail to Start
  • HHSI Pump B Independent - Fail to Start
  • HHSI Pump C Independent - Fail to Start
  • HHSI Pumps A and B - Fail to Start
  • HHSI Pumps A and C - Fail to Start
  • HHSI Pumps B and C - Fail to Start
  • HHSI Pumps A, B and C - Fail to Start
  • HHSI Pump A Independent - Fail to Run
  • HHSI Pump B Independent - Fail to Run
  • HHSI Pump C Independent - Fail to Run
  • HHSI Pumps A and B - Fail to Run
  • HHSI Pumps A and C - Fail to Run
  • HHSI Pumps B and C - Fail to Run
  • HHSI Pumps A, B and C - Fail to Run

System level cutsets are then generated and used for system level quantification under various boundary conditions.

Common cause groups are defined for:

  • All motor driven pumps - Start and Run
  • Emergency Diesel Generators - Start, Run for first Hour, Run for remaining 23 hours
  • All room fans, including EAB and Control Room HVAC systems - Start and Run
  • Mechanical Chillers - Start and Run
  • MOVs that must change position - Fail to Open or Fail to Close
  • AOVs that must go to a failed position - Fail to Go to Failed Position
  • Check valves in the essential cooling water (Raw Water) system - Fail to Open
  • Check valves in the containment spray system - Fail to Open [All other clean water check valves do not include common cause failure]
  • Pressurizer PORVs - Fail to Open
  • Pressurizer Safety Valves - Fail to Open
  • Steam Generator PORVs - Fail to Open
  • Steam Generator Safety Valves - Fail to Open
  • Smoke Purge Dampers - Fail to Operate on Demand
  • Air Compressors - Fail to Start and Run
  • MSIVs - Fail to Close
  • Turbine Trip Solenoids - Fail to Operate on Demand
  • Class 1E 4160V switchgear and 480V load center breakers - Fail to Open on Demand, Fail to Close for breakers associated with AC power distribution (4160V and 480V)
  • Reactor trip breakers - Mechanical failure, shunt trip failure and under-voltage trip device failure
  • Safeguards Actuation Relays - Fail to Operate (Master and Slave)
  • SSPS Actuation Bistables - Fail to Operate
  • Class 1E 120V AC inverters - Fail to Continue Operation
  • IE Sequencers - Fail to Operate on Demand
  • QDPS processing equipment - Fail during operation

Common cause is not included for Class 1E DC batteries based on a review of the latest NRC CCF database. Common cause is not included for Class 1E DC battery chargers because there are two 100% capacity chargers per DC train, one charger is in operation, the other is off. No CCF events applicable to STP's configuration for battery chargers met the criteria for inclusion into the recently updated CCF screening for STPREV5.

The source of the generic common cause data used in STPREV4 was the original IPE for most components. Failures of fresh water check valves, emergency diesel generators, and essential cooling water pumps in the NRC CCF database were reviewed as part of the STPREV4 model update. The current model update, STPREV5, includes a screening analysis of all events in the NRC CCF database and development of new generic priors based on that data screening. In general, the MGL parameters show a decrease based on this review.
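The HHSI expansion described in this response can be reproduced with the standard MGL equations. The Python sketch below is an added illustration, not STP's or RISKMAN's code: the function names are hypothetical, and the total failure probability, the beta and gamma values, and the criterion that the group fails only when all three pumps fail are constructed assumptions.

```python
from itertools import combinations, product
from math import comb, prod


def mgl_event_probability(k, m, q_total, params):
    """Probability of ONE specific basic event that fails exactly k of m components.

    Standard MGL relation, with rho_1 = 1, rho_2 = beta, rho_3 = gamma, ...
    and rho_(m+1) = 0:
        Q_k = (rho_1 * ... * rho_k) * (1 - rho_(k+1)) * Q_t / C(m-1, k-1)
    """
    if len(params) < m - 1:
        raise ValueError("need m-1 MGL parameters (beta, gamma, ...)")
    rho = [1.0] + list(params[: m - 1]) + [0.0]
    return prod(rho[:k]) * (1.0 - rho[k]) * q_total / comb(m - 1, k - 1)


def expand_group(components, q_total, params):
    """Replace each independent basic event by all independent and CCF events.

    Returns {frozenset of failed components: probability of that event}.
    """
    m = len(components)
    events = {}
    for k in range(1, m + 1):
        q_k = mgl_event_probability(k, m, q_total, params)
        for subset in combinations(components, k):
            events[frozenset(subset)] = q_k
    return events


def event_label(system, subset, failure_mode):
    """Name an event the way the list in the response does."""
    names = sorted(subset)
    if len(names) == 1:
        return f"{system} Pump {names[0]} Independent - {failure_mode}"
    joined = ", ".join(names[:-1]) + " and " + names[-1]
    return f"{system} Pumps {joined} - {failure_mode}"


def component_failure_probability(events, component):
    """Sum over every event that fails the component; MGL makes this equal Q_t."""
    return sum(q for subset, q in events.items() if component in subset)


def all_fail_probability(events, components):
    """Exact probability that every component is failed.

    Assumption for this example: the expanded basic events are mutually
    independent and the group fails only if all components fail.
    """
    items = list(events.items())
    needed = set(components)
    total = 0.0
    for state in product((False, True), repeat=len(items)):
        failed, p = set(), 1.0
        for occurred, (subset, q) in zip(state, items):
            p *= q if occurred else 1.0 - q
            if occurred:
                failed |= subset
        if failed >= needed:
            total += p
    return total


if __name__ == "__main__":
    # Constructed values, not STP data.
    pumps = ["A", "B", "C"]
    q_t, beta, gamma = 1.0e-3, 0.1, 0.5
    group = expand_group(pumps, q_t, [beta, gamma])
    for subset, q in group.items():
        print(f"{event_label('HHSI', subset, 'Fail to Start'):45s} {q:.3e}")
    print("Pump A total      :", component_failure_probability(group, "A"))
    print("All three fail    :", all_fail_probability(group, pumps))
    print("Independent only  :", q_t ** 3)
```

With these constructed inputs the three-pump failure probability is dominated by the single "A, B and C" event rather than by the product of independent failures, which is why the choice of MGL priors matters to the quantified result.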


30. For use in the configuration risk management program, the baseline PRA model requires changes to account for the real time nature of the calculations, compared to the average annual risk calculation of the baseline model. The licensee is requested to describe the process of making changes to the baseline PRA model for the CRMP, including the following key areas in their discussion:
a. Alignment of operating train(s), including swing or spare components.

Response

STP's baseline PRA employs a maintenance pre-tree to establish a specific configuration.

This pre-tree establishes the initial alignment of running and standby trains of equipment for systems which are under continuous duty (e.g., Essential Cooling Water, Component Cooling Water). All reasonable initial configurations (based on plant operating experience) are included in the pre-tree quantification. For the CRMP, the actual equipment configurations are set by event tree macros (the equivalent of fault tree flags).

Maintenance equipment macros are defined for all trains/components included in the RICT calculations. Given an initial operating support system configuration, e.g., A and B operating, C in maintenance, all affected initiating event rules and train top event rules are defined by the status of the pre-tree maintenance macros.

b. Disallowed maintenance (i.e., multiple trains in maintenance typically removed from final results, should be retained in CRMP model).

Response

No post-processing of disallowed maintenance states is performed in the STP PRA model. Any possible maintenance configuration can be set by the equipment configuration macros and the PRA model quantified. Therefore multiple trains in maintenance are not disallowed by the CRMP PRA model. Typically, however, once the initial alignments are established, planned maintenance events are modeled in accordance with station procedures and work planning guidelines (i.e., two trains out of service for planned maintenance is not permitted). NOTE: Unplanned maintenance events due to hardware failure, etc. are included in the system level models.

c. Maintenance impact on initiating events for systems.

Response

Maintenance unavailabilities are specifically incorporated for impact on initiating event frequencies.


d. Adjustment of initiator frequencies (i.e., average CDF model includes unit availability factor, not applicable to CRMP model).

Response

Initiating event frequencies are all adjusted to represent annual operation (i.e., per operating year (8760 hours)). The at-power average PRA specifically adjusts for station availability factors. For purposes of configuration risk calculations, no initiating event adjustment is performed.

e. Seasonal dependencies, or point-in-cycle dependencies (e.g., seasonal HVAC requirements, ATWS success criteria).

Response

Currently, STP's CRMP model does not incorporate seasonal dependencies or point-in-cycle dependencies.

f. Repairs of failed components (should be removed in CRMP model).

Response

STP's PRA model does not take credit for repair of out-of-service equipment as a recovery action for configuration risk calculations (i.e., a RICT calculation). There is an exception in that limited credit for repair of a diesel generator after an initiating event is included; however, this credit does not apply to a diesel generator that was out of service for maintenance when the initiating event occurred.

31. During the NRC staff review of the STP PRA for the Regulatory Guide 1.200 pilot, issues with the adequacy of the LERF model were identified and require resolution:
a. The STPNOC self-assessment of LERF did not include an explicit review of the LERF elements of the PRA. Rather, reliance was placed on results of the independent peer review and an STPNOC contractor's proposal for addressing the peer review comments. However, the technical issues and criteria used to conduct the peer review do not fully cover the areas addressed in the ASME standard. As a result, the assessment of PRA capability in the area of LERF is incomplete. Please complete the self assessment of LERF, and identify the results and corrective actions from that assessment.

Response

Included in corrected response to RAI #27.


b. The attributes used to distinguish large, early releases from other source terms is insufficient to discern a "potential for early health effects" as required by the Standard.

Response

The ASME Standard requires that Level 2 "end states are clearly defined to be LERF or non-LERF." The ASME standard also "establishes requirements for a limited Level 2 analysis sufficient to evaluate the large early release frequency (LERF) for internal events while at power." The ASME standard defines a large early release as "the rapid, unmitigated release of airborne fission products from the containment to the environment occurring before the effective implementation of off-site emergency response and protective actions such that there is a potential for early health effects."

In NUREG/CR-6595, the NRC defines LERF "as the frequency of those accidents leading to significant unmitigated releases from the containment in a time frame prior to effective evacuation of the close-in population such that there is a potential for early health effects." The ASME and NRC definitions for large early release appear to be consistent.

The Westinghouse Owners Group (WOG) definition of large, early release [WOG-PA-RMSC-001 1, Phase 2, July 2004] contains guidance for both "large" and "early." Large refers to the quantity of radionuclides that are released to the environment. The WOG document notes that a release of 10 % or more of the core cesium/iodine contents is considered to be large. Early refers to the time between accident initiation or core damage and implementation of off-site emergency response and protective actions.

At the time of the STP IPE submittal, early releases were defined as those that occurred up to four hours after vessel breach. This time period was selected for two reasons. First, a four-hour time window following vessel breach was believed to be sufficiently long for natural processes to result in a significant depletion of the airborne source terms in the containment. Secondly, it was implicitly assumed that public protection measures such as sheltering and evacuation would be initiated no later than two hours prior to vessel breach at which time a serious challenge to the containment might occur. This approach allowed a six-hour window for protecting the public prior to a major release of radioactivity to the environment. Large releases were related to the area associated with the containment failure or containment bypass except for steam generator tube rupture events. A large containment failure was defined as one with an area sufficiently large that a large fraction of the total radionuclide source term in the containment atmosphere is released over a time period less than two hours. Such releases were considered puff releases and would likely cause early health effects if the public were exposed. Small containment failures were defined as those that develop a leak area that is sufficiently large to preclude a further increase in containment pressure, but sufficiently small such that the containment blowdown time (or the time over which a substantial fraction of the radionuclide source term is released) exceeds one to two hours.

Prior to the recent containment capacity analysis performed by ABS, only two containment failure modes (hoop failure and liner tearing) were addressed in the STP PRA studies. Hoop failure results in a catastrophic failure of the containment and would release the radioactive contents of the containment atmosphere within a short period of time. Liner tearing was assumed to result in a small containment failure. Accordingly, if a containment hoop failure occurred within four hours of vessel breach, the release was binned to LERF. If a liner tearing failure mode occurred within four hours of vessel breach, the release was considered to be a small, early release.

NUREG/CR-6595 identifies an approach that permits a subset of the core damage sequences identified in a Level 1 analysis to be allocated to a release category that is equivalent to LERF. This approach uses a simplified event tree. RG 1.174 cites NUREG/CR-6595 as an approach for estimating LERF. NUREG/CR-6595 is also cited in the ASME Standard as an acceptable alternative for certain aspects of Level 2 quantification. NUREG/CR-6595 defines the following five containment failure mode classes:

  • early structural failure
  • containment bypass
  • containment isolation failure
  • late structural failure
  • containment venting

The first four of these failure mode classes are included in the IPE and current Containment Event Trees (CET). It is assumed that deliberate venting leading to a large release would be precluded. The failure modes listed above were further characterized as follows:

1. Early containment failure, bypass, isolation failure or early venting ... potentially leading to a large release, (i.e., early fatalities)
2. Late containment failure or late venting potentially leading to a large release but with sufficient warning time to allow effective evacuation of the surrounding population, (i.e., early fatalities unlikely) or containment intact (i.e., early fatalities unlikely).
3. Late containment failure with potential for early fatalities due to impeded evacuation by seismic events. (For the purpose of estimating LERF, this category is considered a contributor to LERF.)

The NUREG/CR-6595 simplified CET for large, dry PWRs contains six top events, all of which are included in the STP CET except for the last event, which asks whether there is a potential for early fatalities. The potential for early fatalities depends on the magnitude and timing of the radionuclide release. The magnitude of the release is important because there is a threshold below which the doses from the early exposure pathways will be unlikely to cause an early fatality. The timing of the release is important due to radioactive decay processes and evacuation considerations. There are a number of site-specific considerations embedded in the above. NUREG/CR-6595 also notes that to properly respond to this CET question, the time from the declaration of a general emergency to the time of the start of the release must be determined.

To take credit for emergency actions, the response must be implemented with sufficient "lead time" for the public to take protective measures such as evacuation and sheltering before the release occurs. The STP Emergency Plan establishes requirements for issuing protective action recommendations to state and local authorities that will provide adequate response time for protective action to be implemented.

Conclusions

As described above, STP has factored the industry-accepted standards and the capability of the STP Emergency Response Organization into the identification of large, early release events, and it is concluded that the approach currently used in the STP PRA is adequate for addressing the frequency of large, early releases.

With the exception of containment bypass and induced steam generator tube rupture (ISGTR), the sole characteristic of large early release (LER) sequences is the size of the opening in the containment pressure boundary. Although this attribute is typically an important contributor, it is not the only one. Some of the sequences assigned to the LER category involved long-term operation of containment sprays and have wet cavities (i.e., quenched debris ex-vessel). Conversely, some of the small early release (SER) sequences involve dry containments (no sprays and dry cavities). A technical basis for this counter-intuitive grouping scheme is not offered in PRA documentation.

Response

A conservative treatment of the potential for hydrogen deflagration-to-detonation transition (DDT) leading to containment failure was used in the IPE/PRA. Thus, sequences in which sprays were operating would tend to de-inert the containment atmosphere and sudden releases of hydrogen into the containment were expected to result in large hydrogen concentrations, potentially resulting in DDT and containment failure.

In the absence of large, early failures of the containment, sequences involving dry containments (no sprays and dry cavities) would eventually overpressurize the containment, but this would occur late in the accident sequence. Slow pressurization should result in small containment failures. If there were small isolation failures at the beginning of the accident, the accident would be binned to the small, early release group.

Further, the simplistic method of assigning release categories does not appear to be supported by results of plant-specific MAAP calculations of radionuclide release. Consider the following two damage states:

- SGTR (fast station blackout with induced SGTR during core damage).

- 07SU (fast station blackout with pre-existing containment leakage).

According to the attributes used to assign accident sequences to release categories, the first of these is allocated to LER (RC-I), whereas the second is classified as SER (RC-II).

However, the MAAP results indicate the following actual release fractions within the first 5 hours of the event:

Percent of Core Inventory Released to Environment

| Fission product group | ISGTR | R07SU |
|---|---|---|
| Xe, Kr | 20 | 50 |
| I | 9 | 3 |
| Cs | 8 | 2 |

Response

The release fractions cited in the following table were taken from the Level 2 Accident Progression Notebook prepared to support PRA model STP_1997.

Release Fractions for ISGTR and R07SU Based on STP_1997 (Percent of Core Inventory Released to Environment)

| Fission Product Group | ISGTR 5 hr | ISGTR 24 hr | R07SU 5 hr | R07SU 24 hr |
|---|---|---|---|---|
| Xe, Kr | 20 | 26 | 3 | 51 |
| Cs, I | 9 | 12.4 | 1.5 | 2.6 |

As indicated in the above table, the release fractions for release category ISGTR are substantially larger than those for release category R07SU except for the long-term (24 hour) noble gas release. The WOG definition of large, early release is limited to the iodine release fraction. Thus, the assignment of ISGTR to LERF and R07SU to SERF is justified.

c. A systematic search for, and evaluation of, plant-specific containment failure modes was not evident in PRA documentation. An assessment of containment failure modes was performed as part of the STP IPE. However, much of the IPE analysis relied on adapting the structural evaluation of the Zion containment.

Although adaptation of reference plant analysis is acceptable for determining the ultimate strength of the containment pressure boundary under quasi-static loads, a plant-specific evaluation of alternative failure modes was not found in PRA documentation.

Response

A plant-specific Containment Response Model and Revised Level 2 Analysis has been completed to support Revision 5 to the PRA. A systematic search for and evaluation of plant-specific failure modes is included in this updated Containment Failure Analysis Report. The results are available for NRC review.

d. Actions to mitigate the effects of core damage recommended in the STP severe accident guidelines (SAGs) are not addressed in the PRA. For example, successful implementation of the guidelines offered in SCG-1 could alter the magnitude of radiological releases.

Response

The specific SAG that is cited (SCG-1) relates to the mitigation of fission product release. While its implementation could reduce source terms somewhat for some accident sequences, its implementation is not likely to have a significant effect on LERF. The SAMGs were reviewed as a result of this question and although several instances of explicit consideration of the guidance contained in the SAMGs were found in the Level 2 Model documentation (e.g., RCS depressurization in split fraction LSB), specific SAMG steps or strategies are not identified in the Level 2 Model Documentation. The Revision 5 PRA will explicitly consider specific SAMGs and associated guidance. Note: LERF is dominated by Station Blackout type events (external events that disable all plant equipment, loss of offsite power without recovery, etc.) which preclude the successful implementation of SAMG strategies.

e. The effects of major assumptions, simplification and uncertainties on LERF have not been evaluated.

Response

The effects of major assumptions, simplifications and uncertainties will be addressed in the new EPRI uncertainty analysis guidance prior to completion of the STPREV5 PRA model update.

f. The effects of adverse environmental conditions in containment and physical effects of structural failure(s) of the containment pressure boundary on long-term spray recirculation operation are not addressed. STPNOC documentation provided during the review indicates the minimum NPSH required by containment spray pumps (operating in recirculation mode) is 20 ft-H2O.

Response

The containment spray function is modeled in two events in the Level 1 PRA model.

Top event CSR models the injection and recirculation modes of containment spray.

Top event WI models operator action to start the containment spray system in the injection mode in response to failure of the safety injection systems to ensure water on the containment floor. The status of containment spray injection and recirculation and injection only is passed to the Containment Event Tree (CET) model using quantification macros. The various split fractions for the top events in the CET model are assigned based on the status of these quantification macros. The containment spray top events are guaranteed to be failed if necessary support systems are unavailable, or if shared equipment, such as the refueling water storage tank is unavailable. For the spray and recirculation top event, CSR, failure is guaranteed if the recirculation function is failed. The recirculation top events include the effects of excessive debris inside containment in the quantification. The effects of containment pressure boundary integrity on SI and CS pump net positive suction head have been included in the design basis calculations for SI and CS pump NPSH. In all cases, the design basis analysis took no credit for containment sump sub-cooling and adequate NPSH was demonstrated at saturated conditions in the sump.

In general, the Level 2 issues that dominate LERF are associated with long-term station blackout. Under this condition, containment spray is not capable of operating.

Disabling of containment spray in the model changes the LERF from 5.119E-07 to 5.120E-07 per year.

Additional Electrical Questions

32. This is a followup question on the STP response to RAI 19 on compensatory measures, as it would apply to Technical Specification (TS) 3.8.2.1, DC Sources. Following the December 15, 2004 public meeting at NRC, the licensee provided a copy of procedure OPOP01-ZO-0006, Extended Allowed Outage Time.

The risk informed completion time (RICT) for two out-of-service battery chargers for this TS is 140-1042 days with a proposed 30-day back-stop. A backstop time of 30 days by itself is not acceptable for the following reasons:

a. The battery, without a battery charger, will continue to discharge at a rate related to the normal dc operating load. This may result in a deep discharge damaging the connected battery cells by a reverse polarity to the weakest cells. This could be irreversible.

b. The battery is sized for a limited time discharge of 2 hours. If a battery charger is not restored within that time, loss of a complete protection channel will result. Also, possible loss of a complete ac power train could result because dc control is required for the ac power system to be operable.

c. Typical battery manufacturer's operating manuals state that damage may occur to an open circuited (unloaded) battery after some time (months) without the battery being on charge.

Response

The 30-day backstop is proposed as the backstop that will apply to all of the risk-informed TS in this application. The responses to Questions 23 and 34 and Addendum 1 are also relevant to the applicability of TS 3.13.1 to batteries.

The calculated allowed outage time for the batteries includes the risk associated with the consequential failures from the unavailability of the batteries, including the loss of a protection channel. Loss of a protection channel is addressed in the proposed changes to TS 3.3.2 and the calculated AOT also allows application of the 30-day backstop. The length of the AOTs reflects the very small effect on CDF.

For planned configurations involving application of TS 3.13.1 from TS 3.8.2.1 for an inoperable battery, STPNOC would be able to plan the work to prevent damage to the batteries. For emergent conditions where TS 3.13.1 might be applied from TS 3.8.2.1, STP procedures recognize the potential for battery depletion or damage from discharge and require appropriate action to minimize this potential.

33. Procedure OPOP01-ZO-0006, Extended Allowed Outage Time, does not address the DC system. Please identify all compensatory measures for the DC system when removing a required battery charger from service. Also, please address how the following items, including required action time, will be accomplished when battery charging capability is not available:
a. Limit the immediate discharge of the affected battery.
b. Recharge the affected battery to float voltage conditions using a spare battery charger.
c. Confirm that the partially discharged battery has sufficient capacity remaining to perform its safety function.
d. Periodically verify battery float voltage is equal to or greater than the minimum required float voltage.

Response

STPNOC does not intend OPOP01-ZO-0006 to be a comprehensive listing of compensatory actions.

Procedures OPOP04-AE-0004 "Loss Of Power To One Or More 4.16 KV ESF Bus," and OPOP05-EO-ECOO "Loss Of All AC Power," have steps to open the breaker to any one of the safety-related 125 VDC busses when a minimum battery voltage is reached.

These procedural steps will keep a battery from being totally discharged.

The actions listed in 33.a - d are all actions that could be applied to manage the risk associated with an inoperable battery. The response to Question 23 and Addendum 1 also address options for managing the risk associated with inoperable batteries or DC power alignment.

34. The original allowed outage times (AOTs)/completion times (CTs) established in the technical specifications were, in part, based on realistic industry standards for maintenance time intervals for equipment under test or maintenance. It is the staff's understanding that the additional optional extended AOTs based on the risk management techniques will not be entered as a standard operating practice but will only be entered when the maintenance or test conditions can not be completed because of some extraordinary circumstance. This being the case;

Response: Use of the risk-informed completion times is not limited to extraordinary circumstances. They may be used for planned or emergent activities.

a. Please identify those electrical components where you believe this extended AOT/CT may be necessary, identify the length of the extended AOT/CT and provide justification why such an extended AOT/CT would be required. A 30-day extended outage should not be required based upon past industry experience for the following equipment: Circuit breakers and other switchgear components, transformers, motors, cables, battery chargers, inverters, control and protective relays and associated circuits.

Response

The STP application specifically identifies the electrical system TS to which TS 3.13.1 may be applied and includes all the electrical TS that apply in MODE 1-4. Table 2 in the application identifies example AOTs associated with those TS, assuming the condition identified in the table is the only inoperable TS component.

TS 3.8.2.1 and TS 3.8.3.1 have particularly short completion times for one inoperable channel or train that are not commensurate with their risk significance. All of the STP electrical TS for a condition where more than one of the three ESF trains is inoperable currently require entry into TS 3.0.3 even though an intact ESF train remains operable and safety function is not lost. These are valid reasons for the application of risk-informed completion times for either planned or emergent work.

The extended completion time, up to the 30-day backstop, allows time to obtain parts for work on emergent conditions or for the work to be deferred to a normal work week schedule, or to obtain an emergency or exigent TS change if necessary. For instance, STP's normal maintenance schedule is based on rotating seven-day ESF train outages within a 12-week schedule (i.e., ESF Train A, ESF Train B, ESF Train C, non-ESF Train D). Conditions permitting (allowed outage time, functionality of affected equipment, etc.), STP would plan to perform corrective maintenance on emergent items within their associated seven-day ESF train outage, especially those emergent items identified during their associated train outage. If the corrective maintenance is not completed in the train week, then extending the seven-day ESF train outage could adversely affect the work scheduled for the succeeding week. If the corrective maintenance could not be completed in the train week (e.g., parts unavailable), then application of TS 3.13.1 with the 30-day backstop could allow STP to safely defer work to repair the condition. Similarly, the 30-day backstop can be applied to safely defer corrective maintenance of emergent conditions in a train different from the current work-week train. There is no technical or risk basis to limit the components to which it may be applied if the extended completion time is managed in accordance with the Configuration Risk Management Program.

It is not STPNOC's intent to use TS 3.13.1 to extend the allowed outage time for configurations where the battery bank is the sole source of power for the loads on the DC bus. A note has been added to TS 3.8.2.1 to restrict the application of TS 3.13.1 for these conditions.

Additional information on the application of TS 3.13.1 to electrical systems TS is provided in Addendum 1.

b. In as much as an extended AOT/CT based on risk management techniques would be the exception rather than the rule, please describe the record keeping system identifying the following items to verify application for the risk-informed process:

(1) each application of risk management techniques to extend the AOT/CT, (2) any contingency actions or compensatory measures used during the extended time, and (3) the analysis that justified the extension.

Response

Although it is expected that most work activities will continue to be performed within the existing allowed outage times, there is no restriction on how often the risk-informed completion times may be applied. They may be applied for routine planned or emergent conditions.

The tracking of entry into RICT, associated evaluations, and documentation of compensatory action will be performed in accordance with the RMTS Guidelines.

c. Will the risk-informed extension of the AOT result in a 30 day extension to a 10CFR 50.72 or 50.73 reporting requirements if the 30-day backstop is invoked?

Response

The 30-day backstop will have no different effect on reporting than any other allowed outage time extension. It is possible that a SSC in a 30-day RICT might not be restored within the 30 days, consequently requiring a plant shutdown. This condition would be reportable under 10CFR50.73 as a shutdown required by TS. The 60-day clock for submitting the event report would start at the time the Shift Supervisor determines the condition is reportable; i.e., when the shutdown condition is achieved.

If a component in the scope of TS 3.13.1 is discovered to have been inoperable beyond its frontstop completion time and the requirements of TS 3.13.1 were not applied within their required time frames, the condition would be reportable under 10CFR50.73 as an operation or condition prohibited by the Technical Specifications, even if application of TS 3.13.1 would have permitted the extension of the allowed outage time up to the 30-day backstop. The 60-day clock for submitting the event report would start at the time the Shift Supervisor determines the condition is reportable.

Conditions resulting in loss of function of more than one train or involving common mode failure still meet the reporting requirements of 10CFR50.73 even if the CRMP would permit an extended completion time.

35. 10 CFR 50, Appendix B, states that:

"This appendix establishes quality assurance requirements for the design, construction, and operation of those structures, systems, and components. The pertinent requirements of this appendix apply to all activities affecting the safety-related functions of those structures, systems, and components; these activities include designing, purchasing, fabricating, handling, shipping, storing, cleaning, erecting, installing, inspecting, testing, operating, maintaining, repairing, refueling, and modifying.

As used in this appendix, "quality assurance" comprises all those planned and systematic actions necessary to provide adequate confidence that a structure, system, or component will perform satisfactorily in service."

Please confirm that the STP Configuration Risk Management Program (CRMP) and associated procedures fall under the 10 CFR 50 Appendix B. If STP believes these programs and procedures are not subject to the Appendix B requirements, please justify any exceptions to those requirements.

Response

STPNOC agrees that 10CFR50 Appendix B applies to the CRMP and its implementing procedures.

36. In Table 2, Specifications 3.3.2.8.a-c, new Action 20.A.b states, "with the number of operable channels more than one less than the Total Number of Channels, within one hour apply the requirements of specification 3.13.1, or be in at least Hot Standby within the next 6 hours and be in at least Hot Shutdown within the following 6 hours, and be in Cold Shutdown within the subsequent 24 hours."
a. How long does it take to update the CRMP database regarding plant equipment configuration changes? Is it credible that the implementation of T.S. 3.13.1 can be accurately accomplished within one hour? Would not the loss of the second channel fall into the "emergent conditions" that would not be expected to require an extension of the AOT (page 2 of license submittal dated August 2, 2004)?

Response

Because STP's CRMP approach is based on pre-solved Level 1 CDF calculations, the information to calculate a RICT is essentially instantaneous. For items with very short allowed outage times, these will be specifically targeted to ensure those configurations are immediately available to control room personnel. In general, the time to update the CRMP database is usually less than one hour although it is acknowledged that it could take longer in certain situations. In the event that an unquantified maintenance state occurs for an item with a short allowed outage time, then the control room staff will attempt to get the required information or perform the actions required by the Technical Specifications.

b. During the five year history of the use of the CRMP to make risk assessments, has there been any instances where the initial assessment significantly differed from the final assessment?

Response

Because STP's CRMP uses pre-solved Level 1 CDF calculations, differences between initial and final assessments are not the result of PRA modeling errors. Differences have occurred in the past five years as a result of planning or scheduling changes, changes in operator functionality calls, or equipment clearance timing issues such that the maintenance states (i.e., configurations) that were planned ended up being different.

These events have also occurred for actual risk profiles when new or discovery information is identified which impacts a maintenance state (i.e., configuration). When these events happen, condition reports are generated and corrected risk profiles are generated.

With regard to this pilot application, the determination of maintenance states is predicated on OPERABILITY determinations. The process for OPERABILITY determinations follows both industry and regulatory guidance. Log entries for TS equipment will be entered into the CRMP with the same controls.

c. The primary function of the loss-of-power instrumentation system is to assure the independence between offsite and onsite systems. This independence, pursuant to GDC 17 of 10 CFR Part 50, Appendix A, minimizes the probability of losing electric power from the onsite electric supplies as a result of, or coincident with, the loss of power from the offsite power supply. Loss-of-power instrumentation initiates load shedding to prevent overloading of the stand-by diesel generators (SDGs). It also supports independence between redundant ac systems and, together with automatic load sequencing, assures the capacity and capability of the offsite and onsite ac power supplies. Please confirm that the proposed changes in T.S. 3.2.2.8.b and .c will not reduce this independence between power sources.

Response

The proposed changes affect the required completion time for restoring inoperable loss of power instrumentation (degraded voltage/undervoltage relaying per TS 3.3.2 Item 8).

The UFSAR design function of the components is not affected and no physical changes are involved. Implementation of the proposed change will permit a longer allowed outage time and eliminate the potential for entry into TS 3.0.3 for more than one inoperable channel. As described in Table 2 of the application, the extended completion time evaluation for these relays is bounded by the evaluation performed for an inoperable standby diesel generator. Additional configuration control for the standby diesel generator is provided by the current TS restriction that prevents MODE changes with an inoperable diesel generator. Therefore, if the undervoltage/degraded voltage relays associated with a particular diesel were non-functional such that the diesel was inoperable, the Technical Specifications will prohibit changing MODE.

37. In Table 2, Specification 3.8.1.1, New Action Requirement, specifies restoration of at least one SDG to operable status within 12 hours whereas the existing Action requirement calls for restoration of at least one standby diesel generator within 2 hours and two standby diesel generators within 24 hours. Please explain why this change was not submitted separately in accordance with Regulatory Guides 1.174 and 1.177 since the technical basis provided does not justify this change.

Response: The requirement should have stated two hours and it has been corrected.

38. New Action Requirement 3.8.2.1 implies that one battery bank and one battery charger can be inoperable indefinitely. Please clarify whether Action is initiated only if multiple components are inoperable. In addition, please address concerns stated in question 36 for Specification 3.8.2.1.

Response

The TS require operability of only one of the two full capacity chargers for each battery bank; consequently, one charger for each battery bank can be inoperable indefinitely. The LCO still requires entry into the ACTION if less than the required four battery banks are operable; therefore, even if only one battery bank is inoperable the action must be applied.

The ACTION statements have been reformatted from the February 10, 2006 response to this question and are now consistent with the approach proposed for the other TS in the scope of this application. TS 3.8.2.1 markup in Attachment 2 shows the revised proposed wording.

The electrical components within the scope of the application are modeled in the STP PRA; therefore, configurations involving these components are included in the configuration risk monitor. Thus, the responses to Question 36.a and 36.b also apply to this question.

39. New Action Requirement 3.8.3.1.a implies that one battery bank and one battery charger can be inoperable indefinitely. Please clarify Action if only one train of the AC power ESF busses is inoperable. In addition, please address concerns stated in question 36 for Specification 3.8.3.1.a.

Response

As indicated in the response to Question 38, the TS do not allow one battery bank to be inoperable indefinitely. LCO 3.8.3.1.a, b, and c require three energized ESF busses. The ACTION statements have been reformatted from the February 10, 2006 response to this question and are now consistent with the approach proposed for the other TS in the scope of this application. The TS 3.8.3.1 markup in Attachment 2 shows the revised proposed wording.

The electrical components within the scope of the application are modeled in the STP PRA; therefore, configurations involving these components are included in the configuration risk monitor. Thus, the responses to Question 36.a and 36.b also apply to this question.

40. Please address concerns stated in question 36 for Specifications 3.8.3.1.b and 3.8.3.1.c (Re. the one hour risk assessment.)

Response

The electrical components within the scope of the application are modeled in the STP PRA; therefore, configurations involving these components are included in the configuration risk monitor. Thus, the responses to Question 36.a and 36.b also apply to this question.

41. Please clarify how the proposed changes will differentiate between degraded vs. inoperable systems, trains, channels or components.

Response

The proposed change does not affect the definition of OPERABLE or how an affected SSC is determined to be operable. The SSC's TS ACTION will be entered when the SSC is determined to be inoperable and will not be exited until the SSC meets the requirements for operability. Application of TS 3.13.1 will permit the allowed outage time to be calculated based on the risk associated with the inoperability of the component.

The risk imposed by an inoperable SSC can depend on the nature of the inoperable condition. The response to Question 8 describes how functionality is addressed.

General Questions

42. LCO 3.13.1 specifies that when referred to this specification, equipment that has been declared inoperable shall be evaluated for its impact on risk and AOT determined accordingly. The first two actions require the determination of the acceptability of the configuration for AOT beyond the frontstop AOT when equipment is declared inoperable, and for the continued operation beyond the frontstop AOT whenever the configuration changes, respectively. In response to previous RAI 22 to specify the allowable time to complete the required determination process, the licensee stated that this time will be defined in the implementing procedure for the Configuration Risk Management Program and will be consistent with the generic industry guidance.

However, each referencing Action specifies that within a specific frontstop completion time (e.g., 1 hour) ... apply the requirements of Specification 3.13.1. Also Section 1 of Attachment 1 (Description of Changes and Safety Evaluation) stated that the frontstop time also provides the operator sufficient time to determine and apply an appropriate extended time from the application of the CRMP for those situations where it is determined that an extended AOT is necessary.

a. Explain and justify why it is acceptable to specify the allowable time in the implementing procedure for the CRMP, rather than in TS 3.13.1 or the referencing TSs?

Response

Proposed TS 3.13.1 has been revised to make it clear that ACTION a is to be performed within the allowed outage time of the referencing TS. This is consistent with the application of the model TS in the RMTS Guidelines. ACTION b establishes a time in accordance with the CRMP to verify acceptability of a configuration change, (currently twelve hours, which is consistent with the RMTS Guidelines). Twelve hours is considered to be acceptable because it allows adequate time for calculation and review and there is little chance that a configuration will exceed a threshold in twelve hours.

b. Clarify whether the frontstop time specified in the referencing TS is also the allowable time to complete the required determination process in Specification 3.13.1.

Response

See the response to 42.a.

43. Some ACTION statements are revised and some new ACTION statements are created to deal with cases with more than one channel, component, train, or subsystem inoperable, which currently do not have an associated ACTION statement and would be subject to TS 3.0.3. These revised or new Action statements generally require that within one hour restore at least one inoperable channel, component, train, or subsystem to OPERABLE status or apply the requirements of Specification 3.13.1, or be in HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours. Examples of these revised or new ACTION statements are Action 3.4.2.2 (pressurizer code safety valves), 3.4.4 Actions c and e (PORVs), 3.5.1.a and b (Accumulators), 3.5.2.b (ECCS subsystems), 3.6.2.1.b (containment spray systems), 3.6.2.3.b (containment fan coolers), Table 3.3-1 (RTS Instrumentation) Actions 9, and 9A.b, Table 3.3-3 (ESFAS Instrumentation) Action 14.b, 17.b, 19.b, 20A.b, and 22.b.

a. Since these revised or new Action statements have a frontstop AOT of only one hour, is one hour sufficient to apply LCO 3.13.1 requirements, which include the use of CRMP to determine AOT extension and the need for corrective or compensatory actions?

Response

As discussed in other responses, the STP CRMP can readily be applied to determine the appropriate revised completion time.

b. Could there be cases where it takes longer than one hour to determine that an AOT extension for the configuration is not acceptable, and therefore the frontstop AOT is exceeded without implementing subsequent actions?

Response

STP's evaluations have not identified a condition where the extension of the completion time could not be completed within the frontstop time. STPNOC has not identified any configuration that would exceed the 1E-06 threshold within one hour. A condition that exceeds the threshold within an hour would almost certainly involve serious degradation of multiple cross-train SSCs such that the first priority for the operator would be to place the plant in a safe condition.

44. For these conditions that could result in the loss of the required safety function, compensatory actions are most likely required as a defense-in-depth consideration.

Section 4 of Attachment 1 (Description of Changes and Safety Evaluation) discussed the use of the CRMP to determine the safety implications associated with multiple inoperable components, and to assist the operator in identifying effective corrective or compensatory actions for various plant configurations to maintain and manage acceptable risk levels. It is said that these compensatory actions may be incorporated in procedures, work instructions, or other station media. To support this TS amendment, please identify all TS changes (especially for those conditions where two or more channels or trains are inoperable) that require compensatory actions to reduce risk significance, describe each compensatory action and where it is incorporated.

Response

STP's current procedure for risk management actions provides the requirements for the general risk management actions listed below if the configuration risk will exceed the non-risk-significant threshold (Incremental Core Damage Probability > 1E-06). These are examples of the general risk management actions that will be included in the implementing procedures for RMTS.

The Shift Supervisor performs the following actions:

  • Notifies the Duty Operations and Duty Plant Manager of the expected exceedance.
  • Identifies and implements compensatory measures approved by the Duty Plant Manager. Compensatory measures may include but are NOT limited to the following:
      • Reduce the duration of risk sensitive activities.
      • Remove risk sensitive activities from the planned work scope.
      • Reschedule work activities to avoid high risk sensitive equipment outages or maintenance states.
      • Accelerate the restoration of out-of-service equipment.
      • Determine and establish the safest plant configuration.
      • Establish contingency plan to reduce the effects of the degradation of the affected SSC(s) by utilizing the following:
          o Operator actions
          o Increased awareness of plant configuration concerns and the effects of certain activities and transients on plant stability
          o Administrative controls
          o Ensure availability of functionally redundant equipment
  • Ensures any measures taken to reduce risk are recorded in the Control Room Logbook.
  • Evaluates whether heightened station awareness is acceptable while attempting to return components or systems to functional status. Duty Plant Manager approval is required to solely implement heightened station awareness.

Extensions of the allowed outage time for the standby diesel generator, essential cooling water, essential chilled water, and auxiliary feedwater currently have the configuration-specific compensatory actions listed below. These are examples of the types of configuration-specific risk management actions that would be included in the RMTS implementing procedures. These actions are currently based on exceeding the original allowed outage time; however, with the implementation of RMTS, they will be based on whether the configuration will exceed the risk-management action risk threshold of 1E-06.

These actions include:

  • Actions to confirm the availability of offsite power, including coordination with the operator of the offsite transmission network, as necessary
  • Actions to confirm the availability of emergency electric power, such as the 138 kV line to STP's Emergency Transformer, unaffected standby diesel generators, and the Technical Support Center (TSC) diesel generator.
  • Actions to restrict maintenance on normal and emergency electric power sources that could affect their availability.
  • Actions to confirm availability of the positive displacement charging pump, which can be powered from the TSC diesel and provide RCP seal injection.
  • Actions to minimize containment purges and activities where containment integrity could be challenged.
  • Actions to confirm the availability of the redundant AFW trains.

STPNOC plans to evaluate the other LCOs in the scope of RMTS to determine if other actions to address specific configurations or uncertainties should be included in the implementing procedures. This will be done in accordance with the EPRI RMTS Guidelines.

45. In WCAP-15773-P, Rev. 0, supporting TSTF-424, it is stated in Section B3.2, "Scope and Structure of the Flexible AOT Concept," that typically, AOTs/CTs less than one day are associated with loss of system function and extension beyond the existing AOT may incur significant risks. Therefore, shorter term Action Statements, such as those associated with complete system inoperability or loss of an entire safety function will retain an Action Statement with a fixed AOT/CT value based on the system's or function's risk importance.... The flexible AOT concept would also not apply to TS associated with plant operational limits." However, in the STP's application of LCO 3.13.1 for AOT extension, many referencing TSs have 24-hour frontstop AOT (e.g., Table 3.3-1, Actions 9A.a) and some have one-hour frontstop AOT (e.g., TS 3.5.1 Actions a and b, TS 3.5.2 Action b). Explain why the application of LCO 3.13.1 for those TSs with frontstop AOT of one and 24 hours is not contradictory to TSTF-424.

Response

From Table 2 in STPNOC's application, it can be seen that there are many exceptions to the position that short allowed outage times are typically associated with significant risk. As discussed in the response to Question 8.a, STP will not apply TS 3.13.1 where there is a Loss of Function. From that response it can be seen that there are still configurations where the current TS have a short allowed outage time, but the PRA Functionality approach in the risk-informed TS will permit a substantially longer RICT.

STPNOC has proposed a one hour frontstop for conditions where the current TS would require application of TS 3.0.3. This time was proposed to avoid the need to justify a new frontstop time and thereby complicate the review of the application and because STP's program can be applied within that time.

46. In TS Table 3.3-3, Action 19.a specifies the action with the number of OPERABLE channels less than the Minimum Channels OPERABLE requirement, and therefore appears to cover Action 19.b, which specifies the action with the number of OPERABLE channels more than one less than the Minimum Channels OPERABLE requirement. Is there a typographic error in Action 19.a in that it is intended for the number of operable channels one less than the minimum channels operable requirement?

Response

Yes. The word "one" has been inserted in ACTION 19.a. See markup in Attachment 2.

Table 1 (Question 25)

Disposition of Findings and Observations from Peer Review

HR-04 A (Status: Closed)

Observation: The STPEGS HRA was performed in 1988 and has not been updated. An update for SGTR sequences was performed in 1999, but has not been incorporated into the model. The underlying basis of the HEP values is the operator interviews conducted in 1988. These provide the operator assessment of the PSF for each event. The resultant HEPs reflect the procedures, training, and experience of STP which were in place in 1988. The actual operator interviews may have been done prior to the plant going critical. It is very probable that the collective knowledge and experience of the operating staff is very different today than in 1988.

FLIM also uses a 'calibrating curve' for calculation of the final HEP. The calibrating curves for STP are derived from PRA's completed prior to 1988.

The final HEPs for STP may not be indicative of current plant conditions and operating practices.

This comment also applies to the pre-initiator HEPs. The quantification of these events was based on maintenance procedures in effect in 1988. They should be reviewed to see if they have changed since then.

Disposition: Operator actions (all risk significant actions plus selected additional actions not just SGTR actions) were updated at the end of 1999 by an HRA team which included STP and contractor personnel involved in the original HRA. The review of the calculation had not been completed by the time of the data freeze date of the Revision 3 model. The updated HRA data were reviewed during the Revision 3 update process. Because the results of the operator error requantification were not significantly different than what was being used in the PRA, a decision was made to defer using this data until a review of event trees and ESDs was also complete. This was explained to the peer review team at the beginning of the peer review process and the results of the calculation were made available to the peer review team. The updated HRA data is included in the Revision 4 PRA model.

A larger scale HRA update using the HRA calculator is in the final review process for the Revision 5 PRA model.

HR-06 A (Status: Partial. Complete with REV5 model)

Observation: There is no process developed in the HRA to perform a systematic examination of dependent human actions, credited on individual sequences.

Current HRA practices generally require a systematic process to identify, assess and adjust dependencies between multiple human errors in the same sequence, including those in the initiating events.

Disposition: There is no documented process, however part of model signoff is a review of PRA accident sequences to ensure that they accurately reflect the plant and that no errors such as this finding describe exist. As part of the risk ranking, sensitivity analysis on operator actions are also performed and are described in the risk ranking procedure.

Selected sequences (down to 1E-111) were re-reviewed as a result of this finding, and no instances of linked operator actions that are not accurately quantified could be found. STP accident sequences are dominated (>90%) by single operator actions with equipment failure or multiple (e.g., common cause) equipment failures.

An HRA guidance document will be prepared as part of STPREV5 that discusses sensitivity analysis that may be used to discover these types of operator linkages through event sequences.

MU-03 A (Status: Closed)

Observation: Prior PRA applications have not yet been evaluated qualitatively or quantitatively with the 1999 updated model to ensure that the conclusions of those applications remain valid. In addition, STP is still using the 1996 PRA model results for all ongoing PRA risk ranking and risk categorization applications due to a limitation in the component risk-ranking feature in the newer version of the RISKMAN code. The current RISKMAN code can calculate basic event importances, however, it cannot correctly calculate component importances for module events. Therefore, the 1997 and 2001 PRA model results have not been utilized in any risk ranking or risk categorization applications to date. The STP personnel indicate that a corrective action item has previously been entered into their corrective action process to track this issue and the delay is due to RISKMAN software problems.

Also, STP Procedure OPGP01-ZA-0305 "PRA Model Update and Maintenance" indicates that prior PRA applications must be 'updated' as a part of each model update, but this is not required by the NEI Peer Review process guidance. Instead, the NEI Peer Review Process allows the use of qualitative assessments to screen prior PRA applications which may be affected by a PRA model update; for those applications which cannot be screened out by qualitative evaluation a quantitative assessment is to be performed to ensure the conclusions of the PRA application are not impacted. The vagueness of the wording in procedure OPGP01-ZA-0305 in terms of the scope and content of the evaluation of prior PRA applications may be contributing to the ongoing delay in the evaluation of prior PRA applications.

Disposition: Problems within RISKMAN prevented performing basic event importance using the previous PRA model update. The problem had to do with size limitations on output results. The limitations were such that basic event importance results could not be generated for results of the model at STP model cutoff of 1E-12. Results could be obtained at 1E-10, but the number of basic events truncated out of the results would have affected component risk ranking for several tens of components with low failure frequencies and at the margin of the GQA risk ranking procedure. Basic event risk ranking with STPREV4 indicates the RISKMAN problems have been resolved.

In addition, RISKMAN now allows the development of component risk ranking from basic event data (components and failure mode). The model update procedure will be revised to ensure that the requirement for the update of applications is performed, or if computer problems, etc. preclude an update, an alternative will be developed and documented for the application review.

IE-02 B

Observation: The Interfacing Systems LOCA - V Sequence Analysis notebook (vseqrev3.doc) does not provide a clear definition of the ISLOCA pathways modeled, nor does it provide the development of the frequency for each pathway. The supporting local variables and basic events are tabulated in the notebook, but there is no indication of how they are combined to calculate the frequency of ISLOCA through each pathway. It is not clear where the value for Gross Leakage through check valves (ZTVMCX) comes from; it does not appear to match the value used in the IPE. The ISLOCA analysis takes no credit for relief valves in the low pressure systems.

Disposition: Changes made to model and documentation to clarify process. The RISKMAN system notebook provides the details of the quantification of the likelihood of an interfacing systems LOCA analysis.

IE-03 B (Status: Closed)

Observation: The ISLOCA initiating event analysis does not produce the correct cutsets for the configuration of the system. The ISLOCA notebook shows 3 types of cutsets:

MOV-60-Fail*MOV-61-Fail*MOV-18-HEP-FTC,
MOV-60-Fail*MOV-61-Fail*CKV-30-FTC*MOV-18-HEP-FTC,
CKV-32-FTC*CKV-38-FTC*CKV-65-FTC*MOV-18-HEP-FTC*MOV HEP-FTC.

Observations are:

1. The first cutset does not credit Check valve 30, which is necessary to cause a low pressure pipe overpressurization.
2. The second cutset is correct.
3. The third cutset includes a failure of CKV-65, which has nothing to do with overpressurization of the LHSI system. The event does not make sense according to the system configuration.
4. The 'fault tree' in the system notebook, which describes the flow paths for ISLOCA, does not appear to be correct.

Disposition: Comment 1 - The cutsets portrayed in the certification findings are correct as presented in the model. The LOCA path identified is through the CCW piping which the reviewer missed.

Comment 3 - The failure of the check valve in question determines whether the LOCA is inside or outside containment and is correct as stated. The cutset makes sense according to the system configuration.

Comment 4 - The fault tree is somewhat confusing, since success of a basic event in some cases leads to failure of the top event through another path. However, 'Does Not Appear to be Correct' is wrong, as the fault tree is correct. We have an unusual design that the reviewer was not familiar with.

IE-04 B (Status: Closed)

Observation: The loss of ECW initiating event frequency fault tree includes a common cause strainer clogging event. However, this is modeled as a 24-hour mission time event, under the assumption that such a failure would be recognized and dealt with promptly. While this is likely a reasonable assertion, it violates the premise of an initiating event fault tree: each resulting failure combination must represent an annual frequency. The assignment of a 24-hour mission time to this failure means that it does not represent the full mission time; it is missing a factor of 365, since, over the course of a year, there would be that many times the "daily frequency" of occurrence for such an event.

Disposition: Initiating event models have been modified to include component repair times, versus 'exposure time' identified in certification finding and corrected to ensure that all operating basic events use the 'annual vs. hourly' conversion factor. Initiating event models are availability models instead of post trip response reliability models, which creates confusion in reviewers and model developers. The mission time that was used previously with basic event failures was a surrogate repair time. The models have been modified to use component repair times rather than the 24 hour mission time substitute. See the Initiating Event Notebook. The ECW plugging basic event uses an annual mission time rather than a reliability mission time. Strainer plugging is not considered a common cause failure because of the unique STP ECP layout and operation. (Based upon a review of ECW common cause events at other sites).

AS-04 B Hot leg recirculation is not modeled in the large LOCA event tree. No Hot leg recirculation has been added to STPREV4. See safety Closed

AS-08 B (Status: Closed)

Observation: The reactor coolant pump seal LOCA model used in the STP PRA is outdated. Plant PRA staff have indicated to the reviewers that an up-to-date seal LOCA model has been prepared and documented, but has not been integrated into the PRA model yet.

Disposition: At STP, seal LOCA is not as important as at other facilities. The high pressure injection pumps are not supported by other cooling systems such as CCW and ECW. A single pump train can be operated in excess of 24 hours with no room cooling. The low pressure injection system, which provides long term core decay heat removal through the RHR heat exchanger, does require CCW and ECW for decay heat removal. Upon loss of CCW or ECW, operator action to secure the running RCPs, trip the reactor, and initiate a plant cooldown prior to a seal LOCA occurring is highly likely. A non-safety diesel generator, the TSC diesel, provides power to a positive displacement charging pump, which has the capability to provide seal cooling in the event of a station blackout or loss of CCW or ECW. An improved Rhoades RCP LOCA model is included in offsite power and station blackout modeling.

AS-10 B (Status: Closed)

Observation: The second highest ranking core damage sequence set (3.6% of total CDF) is an ATWS with loss of secondary heat sink scenario. The transient is initiated by loss of control room envelope ventilation with one train out of service for maintenance. The loss of control room ventilation initiating event is assumed to result in spurious equipment start/stop signals while disabling the solid state protection system. Operator action to recover these sequences is also assumed to fail due to the nature of the initiating event. This sequence is very unusual in PWR PRAs. The heat-up of the control room and spurious equipment operation would not be expected prior to trip of the unit due to loss of control room habitability and evacuation of the control room.

Nevertheless, assuming the sequence is appropriate, the sequence set does not consider the impact of AMSAC in mitigating this dominant scenario. AMSAC automatically actuates on low steam generator level (15% narrow range) when the reactor power level reaches 30% of nominal. AMSAC is independent of the solid state reactor protection system, located in the QDPS cabinets outside of the control room boundary, and is designed for operation to 50 deg C.

Disposition: Mapping is corrected in STPREV4. AMSAC 'black box' added to STP_REV4. See Reactor Trip Rev. 4 notebook.

TH-01 B (Status: Closed)

Observation: (1) The Level 1 Quantification Notebook for the STP 1999 PRA revision provides the following definition of core damage: 'The PRA assumes that any scenario in which the loss of core heat removal progressed beyond the point of core uncovery, and core exit temperatures exceeded 1,200 deg F, is a core damage scenario. Any sequence that terminates in stable plant conditions or that exhibits a transient in core heat removal in relation to heat generation that is recovered before the core exit temperatures reach 1,200 deg F is classified as success.' This is a reasonable definition of core damage for use in performing PRA analyses with codes such as MAAP, and is consistent with definitions commonly used in other PRAs.

The reviewers note that much of the STP PRA model success criteria are derived from design basis rather than PRA-specific analyses, and this definition does not really apply to sequences for which success is based on UFSAR calculations (which use 10CFR50.46 App. K criteria). This should be clarified in the Quantification Notebook.

(2) A 24-hour mission time is defined in the STP IPE (section 3.1.1), but the reviewers did not find this definition in the current PRA documentation. This should be included in the Quantification notebook (or the appropriate current PRA document) along with the core damage definition.

Disposition: Success Criteria - Use of UFSAR criteria - The single train success criteria used for most PRA sequences is based primarily on UFSAR criteria and SBO calculations. Use of more realistic criteria, as suggested in the reviewer comments and as a general rule, will not significantly affect accident sequence modeling in the PRA.

Alternative criteria, such as crediting RCFCs for decay heat removal or success criteria for the containment spray system, are based on reasonable assumptions concerning success criteria and are documented in either the IPE or the PRA. Detailed calculations support modeling of operator response where appropriate. Where detailed alternative calculations are required, they are included or referenced in the PRA. Examples include room heat-up calculations for establishing ventilation success criteria.

A Success Criteria Notebook was created during the Revision 4 model update which includes the definition of mission time and the criteria for core damage (1200 F CET).

TH-03 B (Status: Closed)

Disposition: Accumulators have been added to the large and medium LOCA event tree models. See the safety injection system notebook and the large and medium LOCA event tree models.

Observation: For the MLOCA and LLOCA initiating events, SI accumulators have been determined not to be required for success. In the LLOCA ESD description in the 1997 model (Rev. 1, dated 226/97), it is stated that the accumulators do not significantly alter the time of core uncovery for LLOCA events, based on analyses with the MAAP computer code.

Several points should be considered to better justify this modeling feature:

a) The MAAP code results that are used to justify this modeling feature are not referenced and not readily available,
b) There are known limitations (published by EPRI) of the MAAP3b code for modeling certain features of large LOCA sequences. A companion document is not available for the MAAP4 code. Any use of the MAAP code to justify deletion of accumulators from the large and medium LOCA event trees should be documented in light of these identified limitations.

Elsewhere in the STP PRA documentation, there is a statement that: 'analyses for Beznau plant showed that no accumulators were required to prevent core damage.' There are significant differences between the [illegible] require assessment [illegible] results from Beznau can be applied to South Texas, including the core power density (Beznau is a 350 MWe, 2-loop Westinghouse PWR with a 10 foot core).

TH-05 B (Status: Closed)

Observation: The Thermal-hydraulic Analysis Notebook documents the results of MAAP analyses used for establishing the time available for operator actions. However, the results presented for the analyses are given in terms of the total time from beginning of the accident that is available for the results of the operator action to be successful. This neglects the time into the accident at which cue is provided to the operator to take that action. It appears that the analyses took into account the time required for the system to respond after the action is taken.

An example of this is the time available for operator action to initiate bleed and feed when AFW is not available to the SGs. The analysis documented in the notebook concludes that 60 minutes is available for this operator action. However, bleed and feed according to the FR-H.1 EOP is not prescribed until the SG level drops below about 10% wide range which is typically about 30 minutes after the initiation of the accident. Prior to this, the operators are performing EOP steps to try to re-establish auxiliary feedwater or an alternate means of feed to the steam generators.

Thus, only 30 minutes would be available for the operators to diagnose the need for and then perform the bleed and feed operation.

The level of detail from the MAAP runs provided in the Thermal-hydraulic Notebook is minimal so that the times for success criteria cannot be validated from the Notebook.

Disposition: Updated operator actions incorporated into the Revision 4 model resolve the apparent issues. A re-evaluation of the HRA models for STPREV5 using the HRA calculator and additional HRA experts is nearing completion.

TH-07 B (Status: Closed)

Observation: The Reactor Coolant System Notebook defines success criteria for pressure relief during ATWS as 3 safety valves or two PORVs and two safety valves. The reference for this is NUREG/CR-4550 (Sequoyah).

The model assumes the pressure relief capacity requirements are independent of core reactivity feedback throughout the cycle. Such an assumption is contrary to other 'standard' ATWS models (e.g., NRC SECY-83-273, Westinghouse WCAP-11992), in which it is acknowledged that there may be some fraction of the cycle in which, for limiting transient initiators (e.g., loss of main feedwater), either moderator temperature coefficient (MTC) is not sufficiently negative (NRC model) or the integrated core reactivity feedback is insufficient (WCAP model) to prevent RCS overpressure even with operation of all PORV and safety valves. In the WCAP model, the pressure relief requirement is further a function of the amount of AFW available, and whether there is successful insertion of control rods using the rod control system. It is possible that the STP design is such that this fraction of the cycle is zero, but no such information is provided.

Disposition: ATWS modeling described in WCAP 15831 has been incorporated in STPREV4.

SY-06 B (Status: Open. Will be closed in REV5 update)

Observation: Justification for not modeling Power Conversion System (PCS) (Main Feedwater, Condensate, and steam dump to the condenser) was not provided. It is not typical among other similar PWR PRAs to have excluded the PCS from the scope of modeled systems.

Disposition: Justification for not modeling will be added to STPREV5. Based upon simulator timing evaluations performed in support of the HRA update, the PCS is likely to be secured early in any transient and for all LOCAs. The PCS appears to provide limited benefit in terms of CDF reduction. Further justification will be provided in the Revision 5 model update.

SY-08 B (Status: Closed)

Observation: System success criteria in most cases appear to be reasonable, but there are, in general, no specific references given in the system notebooks or the accident sequence notebooks to provide the bases for the criteria used. (Specific exceptions to this that were noted during the review are the Essential Cooling Water notebook and Component Cooling Water notebook, in which success criteria are referenced to applicable analyses.)

The IPE, in Section 3.2.1.1.3, includes a general statement that system success criteria were initially taken to be the UFSAR success criteria, and might be later modified if determined to be unrealistic. In many cases in the current PRA, system success criteria can be readily inferred to be design basis (e.g., requiring one train of AFW for decay heat removal following reactor trip, requiring one train of ECCS injection for small LOCA response), but this is not always the case.

For example, the AFW success criterion for ATWS response is stated in the AFW system notebook to be success of at least two AFW top events (AFA-AFD), with no basis provided. There is a general statement given in the ATWS event tree notebook indicating that this is based on generic Westinghouse analyses, but no reference is provided. The generic 4-loop Westinghouse ATWS analysis requires "full" AFW flow for the limiting case, corresponding to 3 AFW pumps (typically two motor-driven and 1 turbine driven with a capacity double that of a single motor-driven) providing flow to 4 steam generators. Since the STP motor-driven AFW pumps have a capacity equal to that of the turbine driven pump, which has a capacity roughly equivalent to that of turbine driven pumps at other plants, the 2-pump requirement for STP appears to be reasonable. But determining that it is reasonable should not require a knowledgeable analyst to make assumptions based on having other knowledge, and making evaluations. Additional analysis information should be provided.

Another example is the lack of modeling of accumulators as part of ECCS response to large and medium LOCAs. This is based on a distinction between core damage and 'onset of' core damage, and is based on analyses performed for another plant. Rev. 1 of the LOCA event tree notebook indicates, for medium LOCA: "If the accumulators fail to inject, some transient fuel cladding damage may occur, but no significant fuel damage is expected before RCS pressure falls below 300 psig. Since LHSI makeup is always required for long-term success during the MLOCA events, the accumulators are therefore not considered in the model." This is insufficient basis for a system (and accident sequence) success criterion that is different than that used in most plant PRAs. STP PRA personnel indicated that this has been discussed with NRC and found to be acceptable, but it appears that the basis for NRC acceptance was low incremental CDF for a sensitivity case where accumulators were included.

In discussions about the accumulator modeling, STP personnel indicated that they have developed an accumulator model for use in the large and medium LOCA event sequences, and intend to incorporate this into the baseline model in a future PRA update. Specific analyses have not been performed for that model, but the criteria used in a recent application of the model (Analysis PRA-01-010, Probabilistic Risk Study for changing Accumulator Allowed Outage Time) appear to be consistent with UFSAR for LLOCA and reasonable for MLOCA.

Disposition: Corrected in STP-REV4. See previous comments.

DA-01 B (Status: Partial. Will be closed with REV5 update)

Observation: The common cause MGL parameters are based on outdated generic data, available at the time of the IPE. The common cause analysis included plant specific screening of generic common cause events and mapping to plant specific system sizes, but does not include any plant specific collection of common cause data.

Disposition: A limited review of the INEEL database for diesel generators and check valves was performed. No significant changes were identified for the current diesel generator common cause factors given the factors currently in use. The check valve review indicated that the practice of not modeling common cause failure of fresh water check valves is valid. Based on this review, the INEEL database was not reviewed for the STP_REV4 update. A more complete review is being completed for the STP-REV5 update which, in general, reduces the effects of common cause failure of mechanical components and electrical components. A previous review of common cause factors for motor-operated valves was completed for the STP_1996 model.

DA-02 B (Status: Closed)

Observation: The data update of May 2001 included derivation of 28 new failure elements. Each failure rate was developed using Bayesian update. Priors were selected from the RISKMAN database.

The observation is that in several cases, the point estimate of the plant specific data was outside the bounds of the posterior limits. This is due to the very skinny distributions on the priors. Some of the priors are not true data, but are posteriors from the 1997 STP data update.

The elements where this occurs are:

480v breaker fail to close, EDG output breaker fail to close, EDG Output breaker transfer open, EDG failure during the first hour, EAB fan fail to run, ECH Pump fail to start.

None of these elements were off by more than a factor of two from the 95th or 5th bound. Some of the elements were too low, but most were too high.

Disposition: These data variables have been corrected in the STP REV4 model. A data analysis guidance document to be generated in support of STP_REV5 will reduce the likelihood of these types of data analysis errors.

DA-03 B. Status: Partial. Will be closed with REV5 update.

Observation: There is no specific guidance document developed for the data analysis. The data analysis notebook and IPE data analysis sections provide guidance for the data analysis. But, the component boundaries were not defined, the method used for plant data collection and analysis was not described, and the generic data sources used for the 1999 model update were not presented in the notebook.

Disposition: In general, generic data sources have not been used for data update since the original IPE. Operating experience data is reviewed for every model update and a decision on update based on plant operating experience is made. Initiating event data update for STP_1999 used the latest NRC NUREG on initiating event frequencies for data update as described in the IE notebook. As generic sources are published (such as the IE data), they are reviewed for inclusion in the PRA as part of the model update process. As a generic source is identified, a tracking CR is generated under an update CR to review the data for applicability to the current or next PRA model. General component boundaries for use in data collection will be developed for use in STP_REV5.

HR-02 B. Status: Closed.

Observation: The STP PRA uses the FLIM (Failure Likelihood Index Method, which is a variation of the Success Likelihood Index Method, SLIM) methodology to quantify the post initiator human actions. The HRA quantification currently in use in the STP PRA was completed in 1988 and has not been updated.

Since then, there have been improvements to the SLIM/FLIM method to address some of the identified limitations. Specifically, the early method (believed to be in use at STPEGS) can only combine the performance shaping factors (PSFs) linearly to develop the overall FLI for each action. A more realistic approach is to allow PSFs to have non-linearities. For example, if a particular action is rated poorly for a given PSF and moderately in all the others, 'middle of the road' (i.e., averaged-out) HEPs tend to result even though poor performance in only one PSF may be indicative of poor human reliability irrespective of what is going on with the other PSFs. Dr. Ali Mosleh of University of Maryland has addressed this issue in a refinement of the FLIM method (which allows assignment of importance to PSFs) in an update of the Calvert Cliffs PRA, the earlier version of which used a version of FLIM similar to what is used in the Diablo Canyon PRA.

Disposition: An updated HRA using an improved FLIM is incorporated into STP_REV4.

A HRA update project for STP_REV5 is using the EPRI HRA calculator and its included HRA modeling techniques. The update has been performed under the guidance of an external HRA expert.

HR-03 B. Status: Closed.

Observation: There were two sets of HEPs in the STPEGS PRA. One set is the HI's dictated by the Emergency Procedures. These are designated with a "H" and are quantified by the FLIM method.

The other set of HI's involve component start or restoration. They are dictated by the abnormal or operating procedures and are designated "ZH". Examples are:

ZHEPR1 - Human Action - 5.96E-3.

ZREAS - Reasonable Human Action = 9.7E-3.

ZHEEW1 - Align the off CEW train 4.93E-5.

The basis/method for quantification of the "ZH" HI's was not found.

It is not known if the quantification basis for these two sets of HI's is compatible.

It is also not known if the two types of HI's appear together in the same sequences. If they do, how they relate to each other?

Disposition: This is an editorial issue. In the PRA, the operator actions that were developed in response to a plant initiating event (usually those covered by the emergency procedures) are designated as an "H_" in the PRA database. Those operator actions that are not related to a specific plant procedure or are 'generic' are designated as "Z_". Three exceptions exist. The plant specific operator response actions for three support system initiating events have a "Z_" designator rather than an "H_" designator. The actions are described in the IPE and are based on operator interviews and plant specific procedures. The variables were developed [illegible] and are used appropriately. In order to eliminate confusion, these three data variables were redesignated to "H_" in the Revision 4 model.

HR-07 B. Status: Partial. Will be closed with REV5 update.

Observation: It is not apparent that the use of sequence timing in the development of HEPs is done. The HEPs were based on operator interviews, for which the input and output information is not available for this review. The available documentation for sequence timing is simplistic. The reference for the timing is not stated. Whether the 'available time' was subdivided into fractions for diagnosis, action, and execution is not documented in the analysis. The time for the first 'cue' is not stated. The only available data is the time from reactor trip to the time of the undesired event.

Disposition: Sequence timing is included in all plant specific operator response actions in the PRA. The time availabilities are listed on each HRA worksheet. This time is based upon the identified need for the action (a cue, plant conditions, etc.) and the time to damage once the condition occurs. For example, feed and bleed is based upon the time available once steam generator low level occurs until the steam generator inventory is essentially gone (dryout). The worst case time is used in almost all cases. Loss of offsite power recovery uses time failure modeling (e.g., for EDGs). Clarification in an HRA guidance document would eliminate the confusion that this finding indicates.

Will be included in the HRA guidance document for STP_REV5.

DE-01 B. Status: Closed.

Observation: Propagation pathways: Flood propagation through drains, stairwells, and cracks under doors were considered. It is not apparent that pathways such as HVAC ducts, pipe chases and penetrations, pipe tunnels were considered in the same detail.

All flood barriers were assumed to be in their functional position. That is, doors being open, structural failure of doors, dikes being removed for maintenance were not considered. Drains being blocked or drain line check valves being failed open were not considered.

All rooms were screened based on the room alone. No propagation analysis was done.

Disposition: There are four issues that the PEER team identified:

1. Not all pathways such as HVAC ducts, pipe chases, penetrations, and pipe tunnels were considered

2. All flood barriers assumed in functional position

3. Drain blockage or drain line check valves being failed open were not considered

4. No propagation was done

1.1.1.1.1.1 Not all pathways considered

There are multiple flooding scenarios where water propagates from [illegible] "stairwells", "corridors", etc. Credit is not given to door maintaining integrity or a door being closed when evaluating propagation scenarios. In addition, dykes were not included for mitigating propagation of a flooding event. Example: Scenario Z006-FW-02 represents a flood in Train A Electrical Penetration Room that propagates to zones Z010 (Train A Cable Vault) and Z016 (Corridor on Elevation 1).

The scenario detail is as follows:

Flood may propagate to Z010 and Z016 through open door or through door gaps. The probability for such a scenario is low, since Z006 contains eight 6" floor drains. Door to Z016 may be open, though for fighting a fire may propagate to Z016.

The scenario frequency is:

(3.8E-2 total pipe break frequency inside Aux. building) * (0.076 fraction of FW inside Aux building) * (0.002 distribution of pipe break frequency inside Aux building) * (0.1 fraction of water) * (0.1 propagation factor) = 5.78E-7/yr

However, HVAC ducts, pipe chases/penetrations, and pipe tunnels were not explicitly spelled out in the original spatial interactions analysis (Table D-6).

1.1.1.1.1.2 All flood barriers assumed functional

There are cases with flood barriers not assumed functional. For example, in flood scenario, Z136-FW-03 assumes watertight door between room 071 (Floor drain tank, Z136) and room 067B (hallway, Z102) is left open. The volume of water from the tank will flood to a depth of 2.4 inches over the entire area of the two zones. Zone 104 contains eleven 4" floor drains and 3 sumps, which can handle the volume of floodwater. There are no PRA equipment within these two zones. The PRA equipment in the adjacent zones are all mounted

1.1.1.1.1.3 Drain blockage or failed drain line check valves

In the updated internal flooding analysis, drain flow rates are reduced by 50% (unless otherwise stated) to account for partial blockage. Failure of drain line check valves in the open position, thereby allowing water to propagate into an unanticipated room, is accounted for by operator alarm response procedures.

1.1.1.1.1.4 No propagation beyond room

The comment, "All rooms were screened based on the room alone" is incorrect. An analysis was performed on all flooding paths into and out of each room. For example, flooding scenario Z102-FW-01 represents localized flooding in zone 102 (Corridor and Non-rad pipe chase area). Z102-FW-02 represents floods propagating from zone Z102 to zones Z136, Z137, and Z138. Note, zones can contain more than one room.

All internal flooding events that could propagate from one zone to another were investigated. For each hazard scenario analyzed in Table D-6, line item "4" addresses path of propagation including path type and propagation to. This includes the flooding scenarios.

Flooding propagation scenarios are generally identified with a FW-02, FW-03, FW-04, etc.

DE-02 B. Status: Closed.

Observation: It appears that all flood sources from safety related components and external reservoirs were identified. It is not apparent that the water volumes of each flood source were factored into the analysis. It is not clear that non-safety systems were considered.

Disposition: The methodology of calculating internal flood frequencies does include both safety-related and non-safety related sources.

As part of the updated internal flooding analysis, the engineering flooding calculations were used to identify the biggest source of floodwater. Sources were analyzed regardless of safety system classification. Water volumes were explicitly taken into account for calculating maximum flood volume levels. For example a flood in room 067 (Train A Chiller Room, Z128) the biggest flood source is a crack on a 24" CC line with a flow rate of 80.2 ft3/min. Based on the [illegible] propagation paths (e.g., floor drains, gaps under doors), the maximum flood level is 12" and is limited by the makeup capacity to the CCW surge tank.

DE-03 B. Status: Closed.

Observation: Pipe breaks and tank ruptures appear to be the only cause of flooding considered in the 1988 analysis. Floods caused by human errors during maintenance, water hammer, and failures during off-normal operations were not considered as flooding initiators.

Disposition: In the original PRA, the flood frequencies were based on a 1983 report (Reference Internal Flood Hazard Model, Kazarians and Fleming, Transaction of the American Nuclear Society, Oct. 30 - Nov. 3, 1983). Internal frequencies were based on 60 events at U.S. nuclear power plants. According to the summary of the report, the events involved 'flooding of some sort' in the documentation of operating experience through July 1981. This implies that any human error, water hammer or off-normal operations were captured in the database.

DE-04 B. Status: Closed.

Observation: The maximum flow rate of the flood was not considered. The screening analysis appears to be based on the flood water volume caused by the design basis flood. Flow rates, duration of the flow rates and ultimate water volumes produced during the flood were not stated. Reference to the drain size was not mentioned.

Disposition: The original PRA internal flooding analysis was performed using a screening process. The first step was to assume a flood in the flood zone and determine the impact, assuming the worst case scenario (i.e., all equipment failed). The maximum flood rates and levels were not considered.

In the updated process, maximum flow rates and flood levels were considered using the engineering flood calculations. These calculations assume either a crack in the pipe with the largest possible flow rate or instantaneous failure of the non-safety related tanks. The flood calculations are based on creditable water volumes.

Drains and propagation paths are accounted for in the analysis.

Calculation of the maximum flood height (Reference: Flooding Analysis MAB, NC-9703) assumes reasonable operator response for mitigating the volume of discharged water. Assumption 3 states, "Operator actions in the main control room are assumed to be initiated at 10 minutes after control room indication is available to show that action is required. Operator response time to complete actions outside the control room is assumed to be 30 minutes after control room indication."

DE-07 B. Status: Closed.

Observation: Flooding frequencies were based on a 1983 paper, which provided an overall frequency for flooding in the Aux Building, DG building, turbine building. These frequencies were apportioned to rooms of interest based on square footage.

Continued use of flooding frequencies based on 19-year-old data is not appropriate. Further, the method of apportioning the data may no longer reflect current industry experience.

Disposition: Current flooding data is not readily available. Pipe break failure frequencies are available from an EPRI report titled, Piping System Failure Rates and Rupture Frequencies for Use in Risk Informed In-Service Inspection Applications (TR-111880). However, this data is limited only to pipes and does not include non-piping flood sources (e.g., pump casing, valve body failures, or human error). Of the 1511 failures resulting in flood contained in the SKI 96:20 database, 274 were screened out due to non-applicability to Risk Informed In-service Inspection application.

In order to use the EPRI database, the 274 flooding events will have to be screened for applicability to internal flooding frequencies. The SKI database is the intellectual property of the Swedish Nuclear Power Inspectorate, and therefore, will require a memorandum of understanding in order to use the data. STP has not yet asked for this agreement.

Until this agreement has been reached with SKI or some other internal flooding data source becomes available, STP will use 1983 data with some modifications in the screening process. These modifications are designed to limit the importance of flooding frequencies on the screening process. For example, in the initial screening the frequency of a flood in a building will be used without scaling to room size. If the flooding scenario does not screen out, the next flooding frequencies will be based on the frequency of a crack on the pipe rupture assumed in the engineering flooding analysis.

This approach is conservative and will be updated when new internal flooding frequencies are developed.

DE-09 B. Status: Closed.

Observation: All potential flood rooms were screened away based on analysis of a single room. The flooding screening criteria were qualitative and quantitative. The final screening criteria was the flooding CDF of 2E-7. 13 sequences were screened based on the estimate of CDF being less than 2E-7. The total plant CDF is now 1E-5, whereas in 1988, the CDF was greater than 1E-4. Based on the current CDF, the 2E-7 screening criterion is no longer appropriate.

Disposition: In the updated internal flooding analysis, the screening criteria was established at 1E-7. The current STP CDF is approximately 1E-5 events/reactor year. Screening with a threshold of two orders of magnitude below the current CDF would be consistent with screening out other external events. 1E-7 is sufficiently low in order to capture events that have a measurable impact on CDF and, thereby, could possibly impact risk informed processes. Including events below the 1E-7 would provide little value unless a large number of events are right below the threshold, whereas the aggregate of the internal flooding event would sum to the significant contribution to overall CDF. This is not the case for STP due to our plant design (i.e., room separation and relatively new plant design).

ST-01 B. Status: Partial. Will be closed with REV5 update.

Observation: The ISLOCA analysis does not consider probabilistic failure of pipes and other components.

The fault tree includes 'success events' for the rupture of the RHR HX tubes or the RHR pump seals. The assumption is that failure of the RHR seals or RHR HX will relieve pressure in the system thus preventing the ISLOCA pipe failure. This is not substantiated and may be not true. The pressure relief provided by these failure paths are not sufficient to reduce pressure in the event of the complete check valve failure.

Probability of pipe rupture should address the design margins in the pipe, as indicated in NUREG/CR-5102 and other documents.

The method used in the PRA increases the probability of certain valve failures by a factor of 10 to account for the higher pressure. No basis or justification for this approach is provided.

Disposition: There is a misunderstanding of the South Texas interfacing systems LOCA model. The STP RHR system is contained entirely within the Containment building. Any failure of the RHR piping within the containment building with a concurrent overpressure event from the RCS will result in a LOCA inside containment. For this reason, failure of the RHR piping is not considered. This event is similar to the LOCAs already modeled and not included in the interfacing systems LOCA analysis.

An interfacing system LOCA at STP that results in a containment bypass can only result from an RCS pressure boundary failure AND:

1. Failure of RHR heat exchanger tubes such that the overpressure event carries over into the CCW system, or;

2. Failure of the containment isolation check valves for the LHSI trains.

The most likely scenario quantified is the failure of the RHR heat exchanger tubes with consequential failure of the CCW system outside containment with failure of the operator to isolate. Operator action to isolate the CCW system after tube failure (value equal to 0.1) or isolation of the LHSI piping after piping failure is considered in the model. Failure of the RHR heat exchanger tubes serves to direct an interfacing systems LOCA to the CCW system. Success of the heat exchanger tubes challenges the LHSI piping.

An updated notebook that more completely describes the interfacing systems LOCA with more clarity will be developed for STP_REV5.

QU-02 B. Status: Partial. Will be closed with REV5 update.

Observation: The Level 1 quantification summary document provides the top sequences and the contribution to CDF from individual initiators and initiator groups. It also provides a comparison of results between the current model and the previous version of the PRA model.

The summary document does not, however, provide any sensitivity analyses for the PRA model.

Further, textual descriptions are provided in the summary for only a few of the top sequences and should be included for more of the important sequences.

The above are important aspects to examine in order to gain a full understanding of the results.

Disposition: Additional sequence detail has been included in the Revision 4 update. Additional sensitivity studies still needed (above those performed to support GQA risk ranking).

QU-03 B. Status: Open. Will be closed with REV5 update.

Observation: Uncertainty analysis was performed by using RISKMAN. The statistical parameters such as mean, variance and 5th, 50th and 95th percentile were calculated (CNAQ 01 -17305-1, Uncertainty Analysis for STP 1999).

Five sensitivity studies were performed and the results were documented (OPGP01-ZA-0304, PSA Risk Ranking Sensitivity Study).

However, there is no evidence that the causes of uncertainty in the model (e.g., associated with data, modeling assumptions, success criteria analyses, etc.) were studied and were linked to the sensitivity analysis

Disposition: Key sources of uncertainty will be identified and selected sensitivity studies etc. to bound these assumptions will be included in the STP_REV5 model

L2-01 B. Status: Closed.

Observation: The Level 2 assessments that impact LERF from early containment failures (vessel thrust, steam explosions, DCH, hydrogen burns, etc.) rely heavily on the containment loads estimated for Zion in the NUREG-1150 (and the NUREG/CR-4551 series). These loads are then combined with the containment structural capability results for South Texas, using the STADIC code. This provides a conservative assessment of LERF contributions from early containment failures. Later information on the potential for early containment failures from DCH (NUREG/CR-6338), steam explosions (NUREG-1524), etc. has not been considered in the STP LERF model. This later information indicates that these phenomena do not present as severe a challenge to containment integrity as previously suspected. Also see F&O L2-02 for further information related to conservative assessments of LERF.

Disposition: Resolved, South Texas Project Electric Generating Station Level 2 Probabilistic Risk Assessment Update - 2005, Section 2.1

Revised split fractions for Top Events C2 (Containment Failure at Vessel Breech), L2 (Large Containment Failure at Vessel Breech), and AP (alpha mode failure) are included in the updated model

L2-02 B. Status: Closed.

Observation: The Level 2 assessments that impact LERF from thermally induced SGTR are based on NUREG-1150 (NUREG/CR-4551 series) expert elicitation of thermal induced steam generator tube rupture (TISGTR). Additional conservative MAAP analyses were performed for the SG replacement for Unit 1. These analyses show that TISGTR will occur for tubes degraded substantially past the current tech spec limit of 40% remaining tube wall thickness. More recent generic assessments of TISGTR in EPRI report TR-107623-VI can be used to conclude that the likelihood of TISGTR is very small for Westinghouse NSSS configurations. The SG replacement analyses provide a conservative assessment of LERF contributions from early containment failures. TISGTR is the dominant LERF contributor in STP-1999 model.

The Level 2 assessments that impact LERF are generally based on a very conservative assessment of phenomena that can challenge the plant fission boundaries. For the current STP PRA-1999 model, the TI SGTR [illegible]. Other conservatively assessed LERF contributors such as DCH contribute another 5 to 6% to the total LERF.

The issue with conservative analyses for dominant contributors to LERF is that they can mask the real risk importance of other contributors. For example, consider risk importance of an ISLOCA SSC. If the "always fail" condition (RAW importance) for this SSC tripled the ISLOCA LERF value, then the RAW that would be computed is 1.10. On the other hand, assume that a more realistic overall LERF assessment for STP shows a 50% contribution from ISLOCA. For the same SSC, the new RAW value would be 15.0. In the case of LERF, the risk importance measures for LERF can be significantly impacted by the conservatism inherent in the analyses.

Disposition: Resolved, South Texas Project Electric Generating Station Level 2 Probabilistic Risk Assessment Update - 2005, Section 2.2

Minor corrections to Top Events in ISGTR intermediate event tree.

L2-04 B. Status: Closed.

Observation: There are few success criteria in the Level 2 analysis that impact LERF. The primary success criterion is the RCS depressurization after core damage that helps to reduce the LERF contribution from TI SGTR. In this case, an estimate is made for success without any analytical basis.

Disposition: Resolved, South Texas Project Electric Generating Station Level 2 Probabilistic Risk Assessment Update - 2005, Section 2.3

Correction to Top Event FD in ISGTR intermediate event tree.

L2-05 B. Status: Closed.

Observation: The impact of severe accident environment on continued operability of the pressurizer PORV was assessed from the perspective of sticking open. This provided a benefit for RCS depressurization. However, the failure to open or remain open was not assessed. This would be a negative impact in terms of RCS depressurization.

Also the impact of severe accident environment on the continued operation of the containment fan coolers is not documented in the Level 2 assessment. The containment loads used to assess LERF challenges to the containment consider operation of the fan coolers. The conditional LERF containment failure probability could be impacted by inability of fan coolers to survive during a severe accident.

Disposition: Resolved, South Texas Project Electric Generating Station Level 2 Probabilistic Risk Assessment Update - 2005, Section 2.4

Documentation issue. No changes made to PRA

L2-06 B. Status: Closed.

Observation: The Level 2 endstates include all key LERF contributors found in most PRAs with the following exceptions:

Pre-existing containment leakage is not considered in the containment isolation failure model. The basis for this is not documented. The peer review team was told that they have to vent containment every two or three days to prevent pressure buildup to the tech spec limit due to leakage from compressed air systems inside containment. A pre-existing opening would prevent such a buildup and be noticed by the plant operating staff. Thus pre-existing openings would not exist for extended periods of time. The reviewer questions what would happen if the leakage from the compressed air system is fixed. Would this be picked up in a modification to PRA?

All SGTR core damage sequences are assessed to be late core melts. Thus they are excluded from LERF. There are two issues here: 1) this is in complete contrast to NRC positions stated in their SDP on the Indian Point 2 Tube failure event in 2000 and their draft guidance on Tube Inspections (3/2002), and 2) there is no basis for the time of fission product release in relation to the potential order for radiological protection actions in the STP Emergency Plan.

Disposition: Resolved, South Texas Project Electric Generating Station Level 2 Probabilistic Risk Assessment Update - 2005, Section 2.5

'Pre-existing leakage' from AOV control valves is a design constraint, the valve controllers adjust valve position based on system parameters. There are no leaks to fix unless the plant moves to all electronic control valves.

Refined the analysis for the SGTR scenarios, no mapping changes were made (i.e., from Late Release to Early Release). Failure to isolate the SGTR, the dominant cause of core damage, does not lead to core damage for > 48 hours. Revised operator actions based on new timing, and changes to equipment operation (TD AFW pump and associated battery) will reduce the overall contribution from SGTR sequences in the current model update.

No changes required to existing model

L2-07 B. Status: Closed.

Observation: The LERF model does not incorporate the Emergency Action Levels (EALs) into the evacuation model. The LERF model assumes all SGTR sequences that lead to core damage will be late releases.

To classify as a late release, it is necessary to show evacuation was started 4-6 hours prior to the release. Without designated EALs for evacuation, it is not possible to justify all SGTR sequences being "late".

Disposition: Resolved, South Texas Project Electric Generating Station Level 2 Probabilistic Risk Assessment Update - 2005, Section 2.6

See response to L2-06. Core damage sequences are mapped correctly.

Discussion in Level 2 model will clarify use of EALs and timing for SGTR.

MU-01 B. Status: Closed.

Observation: STP Procedure OPGP01-ZA-0305 'PRA Model Update and Maintenance' does not ensure that the current state of PRA technology or 'accepted industry approaches' are used in updating the PRA. There is no reference in the PRA maintenance and update procedure to prompt the analyst to consider the possibility that methods used in the PRA may no longer be accepted. Several of the F&Os from this review identify methods used in the PRA which are no longer widely accepted PRA technology (e.g., common cause modeling factors, human reliability analysis, flooding analysis).

Disposition: See attached Response to F&O MU-01 (MU-01 Response)

MU-05 B. Status: Closed.

Observation: STP PRA procedures specify a fixed PRA update schedule (3 years for plant changes, 5 years for data update) and also indicate that as plant changes are identified, they are to be reviewed for PRA impact. PRA impacts are determined by a PRA analyst and categorized as no significant impact (estimated delta-CDF less than 10%, no immediate action required), or significant impact (estimated delta-CDF 10% or greater, PRA manager/supervisor determination of need for immediate PRA update to address).

1. The guideline as written does not require the evaluation of the cumulative (or combined) effects of multiple pending changes. It would appear to allow the accumulation of multiple changes, each with baseline CDF impact of up to 10%, for a period of up to 3 years (i.e., between regular updates).

2. The guide does not require the evaluation of the impact of minor changes between scheduled PRA update, or the cumulative or combined effects of such pending changes, on existing PRA applications. It is possible that a number of individually minor impact changes that are awaiting implementation could have a cumulative significant impact on an application.

Disposition: The findings described in MU-05 come from Section 4.2 of OPGP03-ZA-0305 which describes how to disposition changes to references used in the PRA utilizing the database of inputs. Sub-steps also describe how the model change should be dealt with if there is a quantifiable impact to the model. Step 4.4 of OPGP03-ZA-0305 states 'if system or model changes are made within a maintenance model, in order to track cumulative changes, the responsible PRA analyst Shall:' Sub-steps go on to describe exporting changes to the reference model coordinator for cumulative impact assessment between model updates. Risk management guideline 002 goes into much more detail on this topic as well. See response to MU-02.

Additionally, analysis assessments are performed per OPGP05-ZE-0001 on quantifiable changes. In these assessments, the impact on the PRA is documented and the maintenance models created for these assessments are saved for further evaluation and exporting to a new reference model. The reference model coordinator is responsible to track cumulative effects on the model. Should cumulative effects cause a change of greater than 10% to the PRA, then an evaluation will be done to determine if a revision to the reference model should be generated before the next PRA reference model update. Therefore quantifiable changes to the PRA are documented and their cumulative effects are monitored by procedure. We disagree with the finding level of significance.

IE-01 C
Finding/Observation: In the support system initiating event models, only basic events involved in common cause groups have the year long exposure time applied to them. Other basic events may be minor contributors to the initiating event frequency, but should have the long exposure time applied for completeness.
Response: Initiating event models have been modified to include component repair times, versus 'exposure time' identified in certification finding. Initiating event models are availability models instead of post trip response reliability models which creates confusion in reviewers and model developers. The mission time that was used previously with basic event failures was a surrogate repair time. The models have been modified to use component repair times rather than the 24 hour mission time substitute. See the Initiating Event RISKMAN Notebook.
The "Long Exposure Time" is actually a conversion from hourly to annual failure and not an "exposure time". All operating basic events include the conversion factor. Standby basic events use a repair time.
Status: Closed

ALS-01 C
Finding/Observation: The RCP Seal LOCA Initiating event is designated as RCPL in the PRA model and RCPS in the initiating event notebook.
Response: Changed in the initiating events notebook. Editorial.
Status: Closed

AS-02 C
Finding/Observation: Some top event split fraction rules use the 'all support available' split fraction as the default split fraction. Other top events do not have a default split fraction. It is good practice to use the guaranteed failure split fraction as the default split fraction to highlight logic combinations not captured by the split fraction rules.
Response: When building a new PRA model using RISKMAN, a method typically used to find logic errors in split fraction rules is to use a "Guaranteed Failure" split fraction as the last rule in the split fraction definition set. This method allows event tree processing to continue in the event a valid split fraction is not found in the split fraction set. This has severe limitation. If the sequences which contain the "Guaranteed Failure" split fraction are low in frequency, the split fraction logic error may never be found. In the South Texas PRA, a concerted effort has been made to assure the correct assignment of split fractions to the event tree rules. In the case of complicated logic, all split fraction logic is completely defined. Although the "All Support Available" split fraction is the last one in the split fraction set, the logic used to define this split fraction assignment is specific. "Guaranteed Failure" is not used as a default split fraction. This allows any split fraction logic errors to halt processing of the event trees. Given the mature state of the South Texas PRA, the "Guaranteed Failure" split fraction is not appropriate as the last split fraction logic rule in the split fraction set.
Status: Closed

AS-03 C
Finding/Observation: Reactor trip is not modeled for several of the initiating events, including the SGTR and MLOCA. In the case of the SGTR initiating event, this has been identified as an open item in the SGTR Notebook documentation (page v of FNTLSGTR.DOC, Rev. 1, 4/30/97). However, in the case of the MLOCA, no justification for its deletion is provided. Generic analyses have shown that trip is required at the lower end of the medium LOCA break range, especially for the case of MLOCA without auxiliary feedwater available because the amount of borated RWST water that can be injected into the RCS is limited.
Response: At a high level, the likelihood of reactor trip failure and MLOCA occurrence is approximately 1E-10. With successful safety injection, no core damage would be expected. Based on frequency, inclusion of reactor trip failure (ATWS) in Medium LOCA is not necessary. Inclusion of reactor trip failure for other LOCA initiating events is still under review, but reactor trip failure during LOCAs would not be risk significant because of the low frequency of occurrence. Will be incorporated into REV5 model update.
Status: Open. Will be closed with REV5 update

AS-09 C
Finding/Observation: The S2 event tree does not address core cooling recovery (CCR). The SGTR tree, which is similar to S2, does include CCR. CCR is in the STP procedures.
Response: Recovery of core cooling (recirculation cooling) is modeled in the LOCA recovery event tree for small SLOCA events. Detailed treatment of other core cooling recovery scenarios in the small LOCA event trees is not considered necessary because of the low frequency associated with possible recovery actions. It is considered in the SGTR event tree because of the release consequences associated with the SGTR event. The same recovery action currently modeled in the LOCA recovery event tree is not possible in the SGTR event tree.
Status: Closed

TH-02 C
Finding/Observation: The IPE system notebooks include reference to room heat-up analyses that were performed using an STP code called HEATUP. No documentation of this code was available for the peer review. The HEATUP analyses appear to still be the basis for the current PRA room cooling modeling decisions for some rooms. If this is the case, the analyses, including documentation of the HEATUP code capabilities and limitations, should be retrieved and retained with the PRA documentation.
Response: Added as an action for the REV 5 model
Status: Open. Will be closed with REV5 update

TH-04 C
Finding/Observation: The traceability of the success criteria documentation that is not provided in the Thermal-hydraulic Analysis Notebook is not well laid out. While many of the systems success criteria are based on the FSAR requirements for the system, the references are not provided in many cases. Some of the Systems Notebooks have criteria embedded in the Notebook (e.g. AFW), again with no reference to the basis for the success criteria.
There are other instances in the Event Sequence Diagrams and Event Trees where the event sequence is stated with no reference to the basis.
Response: A success criteria notebook was created for STP_REV4. Additional success criteria calculations/bases will be added as appropriate in STP REV 5
Status: Closed

TH-06 C
Finding/Observation: The IPE notes that accident sequence and system success criteria were initially established using design basis criteria (e.g., operating support system continues to operate for 24 hours; one train of a 3-train mitigating system starts and operates for 24 hours). In specific cases, e.g., CCW and ECW system success criteria, the success criteria have been based on better estimate analyses that better reflect the conditions modeled in the PRA. There is no specific guidance for these analyses, but the approach used can generally be discerned from the referenced analyses.
In some cases, MAAP plant-specific analyses have been performed to define success criteria for specific accident scenarios and to support the HRA. The Thermal-hydraulic Analysis (TH.Calcs) notebook, which was prepared prior to but incorporated as part of the 1999 model update, documents these analyses, and provides a limited but sufficient set of guidance to allow an experienced analyst to perform such analyses.
Response: Actions related to this finding are incorporated into STP_REV4. See previous responses to TH-04 and TH-05.
Status: Closed

SY-01 C
Finding/Observation: Formal guidance describing the current process for updating and revising fault trees was not found. In addition, guidance for generic modeling assumptions (e.g., when to model diversion flow paths), naming conventions or standard component failure modes was not found.
Response: The current STP fault tree models and system notebooks are used to train new PRA engineers. As part of the training cycle, new engineers are given responsibility for several of the system model notebooks and associated documentation. However, the suggestion is well founded in that a guide for new and recently qualified PRA engineers will ensure consistent standards for fault tree models.
Status: Partial. Will be closed with REV5 update

SY-03 C
Finding/Observation: Simplified schematics (piping & instrumentation diagrams) of systems showing system boundaries were not found during the review.
Response: P&IDs were included with the model up until Revision 3 (STP1999). Given the flexibility of LAN access to P&IDs, etc, and concerns about maintaining marked-up drawings current, these drawings were removed from the system notebooks. The descriptions in the notebooks concerning boundaries are sufficient for a qualified reviewer/analyst to mark up the P&IDs if necessary. P&IDs and descriptions will be added to STPREV5 based on guidance provided in the ASME standard.
Status: Partial. Will be closed with REV5 update

SY-05 C
Finding/Observation: No evidence was found that operating experience with each system was reviewed to ensure that important system characteristics were modeled appropriately.
Response: Operating experience review is incorporated in the GQA process. A PRA member is also a member of the GQA working group. Actual review experience indicates questions concerning operating experience effects on the PRA model is being incorporated into the PRA as necessary from this process. Will be considered as an addition to the system analysis guidance process for STPREV5.
Status: Partial. Will be closed with REV5 update

SY-07 C
Finding/Observation: Traceability of basic events to modules and cutsets is not transparent to the reviewer. Modules may limit ability to discern between components in a module that are characterized as high risk importance for Fussell-Vesely only, unless special steps are taken to do this.
Response: There are no modules in the STP PRA fault trees. The reviewer comment relates to the grouping of series components into a single basic event to ensure generation of system level cutsets. Previous versions of RISKMAN fault tree codes imposed time or cutset generation limits on cutset generation and quantification. Each system analysis attempted to generate all cutsets or used a sufficiently low cutset truncation value to ensure accurate representation of system level cutsets. Each use of a composite basic event to represent a series of component failures was reviewed in light of the reviewer comments. The composite basic events were used correctly in the system models. Concerns about risk ranking of components is valid, however as noted by the reviewer, the risk ranking results would be conservative in that each component in a composite basic event would have the risk rank of the basic event.
With the exception of the AFW pump composite events, all composite basic events contain only passive components. A new version of the RISKMAN code increases the cutset limits and cutset element limits.
A revision 4.1 STP PRA model expanded most of the composite basic events to individual component basic events with no significant change in cutset generation times. The RAW component risk ranking individual component and failure mode basic events decreased as expected.
Status: Closed

SY-09 C
Finding/Observation: Basis for not modeling ECW screen clogging during internal events due to screen wash failures is not adequately justified. The operating experience with the ECW screens was not provided as a basis for not modeling.
Response: The STP ECP is an open loop cooling system with its own cooling pond which is not connected to the main cooling reservoir or its make-up source (the Colorado river). The ECW system is chemically treated to reduce (or eliminate) the likelihood of screen plugging from plant growth. Several incidences in plant history have indicated the potential for water borne grass formation, which led to the current treatment cycle. Evidence from plant operation indicate that screen plugging (or strainer plugging) is not an issue of concern at STP.
The screen wash system is designed to mitigate the consequences of an upstream dam failure that overtops the ECP embankment with the potential for concurrent excessive waterborne debris.
Status: Closed

DA-04 C
Finding/Observation: Although generic and plant specific databases are available for use, the data sources used for the generic database is not easily traceable. The generic data used for the Bayesian update in the current model update has been updated few times since the first PRA model was developed.
Response: Creating a direct link to data used in the original IPE for select variables has been noted in past updates. In general, the data in the current PRA is based on an extensive data update for the 1994 model update and is documented in that data notebook. Since the 1996 update, the link to data is documented in the data analysis notebook and also noted in the PRA data module. An attempt to document potential errors in the data variables will be made. The creation of a data analysis guide will enhance the documentation of the update process and the generic variables used.
Status: Partial. Will be closed with REV5 update

HR-01 C
Finding/Observation: Pre-initiator operator errors are included in the model and the method for quantifying these error rates is sufficiently documented in the IPE. However, there is no written evidence of a systematic approach for identifying which pre-initiator errors to include in the model.
Response: The screening method currently in use is not described well in the documentation. In general, each system notebook contains a review of all plant procedures with a potential to affect the system as modeled in the PRA. The effect of the procedure is identified during the review and modeled as appropriate (see the AFW system). Potential miscalibration for actuation systems is included in the reactor protection notebook. Miscalibration of individual sensors is implicitly included in the component failure rate if applicable. The HRA update process for STP_REV5 corrects this issue.
Status: Partial. Will be closed with REV5 update

DE-08 C
Finding/Observation: Although the walkdown documentation is extensive, it does not discuss the screening criteria used for flooding, nor does it discuss the results of the walkdown with respect to what information was included in the PRA.
Response: For the original analysis, the screening criteria is described in chapter 8 of the STP PSA report. Walkdown, or spatial interaction information for each scenario, is contained in the table D-6 of the original report. Section 8, PRA Equipment Affected, clearly states what equipment are in the zone, whether it is impacted by the hazard and a cross reference to the effect in the PRA model.
Status: Closed

QU-01 C
Finding/Observation: At the present time, the system module of the RISKMAN computer code is somewhat limited in the size of fault trees that can be quantified, causing some consolidation of component failures into supercomponents (modules). This can have an impact on the risk ranking of equipment. It has been indicated that a newer version of RISKMAN is soon to be released that will address this limitation. Also, there is no evidence of written guidance concerning how to deal with code limitations such as this one.
Response: See response to SY-07
Status: Closed

QU-04 C
Finding/Observation: The use of the maintenance/operating configuration top event divides sequences into three similar sequences. The summary document for Level 1 results presents approximately the top 170 sequences, but this is only equivalent to the top 60 or since the sequences were subdivided by the configuration top event. More sequences should be included in the summary.
Response: Additional sequence detail has been included in the Revision 4 update.
Status: Closed

QU-05 C
Finding/Observation: There was no evidence that a comparison of STP important sequences with important sequences from other plants was made.
Response: Response to QU-05

Accident sequences from other plants are not readily available.

WOG has provided a PSA survey database that contains some useful information on PRA results but not sequences.

Compared results from other Westinghouse PWRs using RISKMAN.

The comparison involved initiating event contribution to CDF and system importance (risk reduction).

Reference W PSA model method and results comparison database - Rev 2. Information for database obtained in 1997.

Sequence comparison - physical sequence comparison is not possible, however, information can be gleaned from other available information.

Comparison made between the following similar plants: Diablo Canyon, Seabrook, Beaver Valley, Sequoyah and Watts Bar.

Comparison of table 9.2 CDF by IE - in large part STP's values were different due to incorporation of generic initiating event information from NUREG/CR-5750, February 1999. Information other plants did not have access to. This issue also hampers comparison of other available tables like CDF by sequence type.

Comparison of Table 9.5 system importance can be made. For the most part system importance compares favorably (i.e., within 10%) except the following:

AF for Diablo Canyon (11% dec), Seabrook (17% inc) and BV (17% inc) - each plant has two MD and one TD

DG for Diablo Canyon (33% inc) and Sequoyah (12% dec) - Diablo Canyon - 3 diesel and ESF bus cross-tie, Sequoyah - two DG per unit and ESF bus crosstie.

DJ for Sequoyah (27% inc) - two DC buses

RC (pressure relief) for Seabrook (13% inc) and Beaver Valley (14% dec)

EW for Beaver Valley (24% inc) - two cross-tied MD trains. STP has 3 non cross-tied EW trains each with a MD.

It is difficult to make a direct comparison with the limited information provided in W database. However, two STP engineers participated in 4 WOG PRA peer certification reviews. This provides confidence that STP PRA is comparable to other PRAs.

Status: Closed

MU-02 C
Finding/Observation: STP Procedure OPGP01-ZA-0305 "PRA Model Update and Maintenance" and OPGP04-ZA-0604 "Probabilistic Risk Assessment Program" do not address operational experience, new maintenance policies, operator training program changes, technical specification changes, emergency plan changes, and industry studies, as specified in the sub-element.
Response: See attached response to MU-01
Status: Closed

AS-07 D
Finding/Observation: The Event Sequence Diagrams lay out a very detailed accident sequence model. Some of the ESD model is based on assumptions and conceptual strategies that were not carried forward into the PRA event tree models due to lack of analytical basis or their perceived lack of benefit for the intended purposes of the PRA. Some of these are very "cutting-edge" modeling assumptions, such as using RV head vents to supplement PORVs for RCS depressurization and draining the containment sump to the radwaste system to prevent flooding vital containment equipment. As a result, their future incorporation into PRA models for risk informed applications could be done without a very thorough review of the capabilities and limitations.
This F&O is documented because the South Texas PRA documentation already includes a discussion of these strategies which may imply that there is more of a basis for these than for conceptual strategies that were captured in the ESDs for posterity.
Response: This finding relates to potential success paths described in the event sequence diagrams for the South Texas PRA that were not incorporated into the actual event trees. The concern appears to be that caution is necessary before these alternatives are included in the PRA model. Changes to the PRA event tree models are based on changes to plant procedures, TH calculations that support new success criteria, and new finding in plant behavior under accident conditions. The ESDs contain large numbers of potential success paths that were considered during the original development of the South Texas PRA. Inclusion of these paths will only be made if supported by changes in plant procedures, TH calculations, or new information from industry research. A caution is not required.
Status: Closed

SY-02 D
Finding/Observation: The following are editorial comments identified during the System Notebook review:
(1) In the Reactor Containment Fan Coolers notebook, the success criteria discussion (section 3.1.2) refers to the "single train shutdown letter ST-YB-HL-13518, dated November 17, 1986 [Ref. 5.11.b]"; there is no Ref. 5.11.b in the References section, but this letter is listed as Ref. 5.10.c, following Ref. 5.10.a (there is no Ref. 5.10.b).
(2) The Safety Injection System Notebook includes, in Section 3.1.2, a reference to Ref. 5.1(b) for basis for not requiring room coolers for 24 hours for a single SI train. Ref. 5.1(b) is a reference to the plant Tech Specs. It is likely that the correct reference is 5.1(d), which is listed as an internal memo about SI room cubicles.
Response: Corrected in STP_REV4.
Status: Closed

SY-04 D
Finding/Observation: No evidence that a search for plant specific failure modes was performed for PRA updates subsequent to the IPE. STP PRA staff indicates that feedback from Maintenance Rule operating experience has been factored into the PRA as a means of capturing plant-specific failures.
Response: A guidance document for reviewing MR failures is not necessary. The PRA staff sits on the MR expert panel and reviews all MR failures for inclusion in the PRA. Each failure is coded as PSAFF (a PSA functional failure), kept for general PRA data update, or not applicable to PRA. Given the emphasis in the ASME standard on guidance documents, and the expectation for qualifying new data analysts, a guidance document for data analysis will be created for STPREV5 model.
Status: Partial. Will be closed with REV5 update

AS-05 S
Finding/Observation: Failure of turbine trip or failure of the MSIVs to close is modeled in the STP PRA as a possible event sequence pathway that can result in a PTS failure of the vessel, based on the resultant excessive plant cooldown. In addition, these failures are also modeled to potentially fail the turbine driven auxiliary feedwater pump based on low SG pressure to drive the steam turbine.
Response: n/a

AS-06 S
Finding/Observation: The Event Sequence Diagrams are constructed to show a very large number of possible accident sequence progressions based on operator actions specified in the EOPs as well as interactions between systems and components. These were then used to construct the Event Trees, which are subsequently quantified for core damage and fission product releases.
A discussion is provided concerning the tracking between event sequence diagram and the event tree, including the elimination of event sequence diagram nodes for the event tree. The event sequence diagrams show that a thorough effort was completed to identify the applicable operator actions from the EOPs and the system interactions. In addition, very detailed dependency matrices document the support system requirements and other dependencies between systems. These dependencies are translated into event tree logic by way of the event tree structure and split fraction rules.
Response: n/a

HR-05 S
Finding/Observation: The HRA analysis develops PSF's for 7 factors. The process for quantification of each PSF involved multiple operator interviews (25). To the extent the reviewers could assess the interview process, it appeared to provide unbiased questioning of operators' opinions. The insight and opinions resulting from the PSF questionnaires is invaluable.
Response: n/a

DE-05 S
Finding/Observation: A dependency matrix is available to describe the dependency relationship among systems. The level of detail is at the train level with quite thorough documentation. The initiating event effects on front line and support systems were described through the analysis of event tree and top event split fractions, and were well documented. [illegible] system dependencies was modeled and there is clear traceable documentation.
Response: n/a

DE-06 S
Finding/Observation: In all aspects of spatial dependencies, the STPEGS PRA (in 1988) performed a rigorous hazard analysis which considered jet water, spray water, explosive canisters, equipment drops, high temperatures and missiles. The work was largely completed in an extensive walk down. All rooms were walked down and documented.
Response: n/a

12-03 S
Finding/Observation: The use of a methodology such as the STADIC code to determine the probability of containment challenges permits the correct assessment of two probability events. This methodology requires the determination of probability distributions for both containment loads and containment response and permits the assessment of the impact of distribution "tails".
Response: n/a

MU-04 S
Finding/Observation: STP Procedure OPGP01-ZA-0305 "PRA Model Update and Maintenance" specifies that the models shall be stored on permanent media (e.g., CD ROM) in accordance with quality documents (i.e., copy placed in a secure vault). OPGP04-ZA-0604 "Probabilistic Risk Assessment Program" references OPGP07-ZA-0014 "Software Quality Assurance" for the controls on the PRA software. Code and model software control is very good, with controlled copies of the model stored on the local area network.
The model naming convention ensures that correct versions of the code and models are used. Procedures require copying down current version from local area network before performing any calculation to ensure current version of the model being used. Hard copies of results and calculations, including sensitivity runs, are transmitted to Records for permanent retention.
Response: n/a

Table 2 (Question 27) NOC-AE-06001994 Attachment 1 Page 84 of 140

ASME Criteria Validation

Response to June 3, 2005 RAI NOC-AE-06001994 Attachment 1 Page 85 Table 2 (Question 27) Disposition of Findings and Observations from Peer Review

PRA Technical Element | ASME SR | Included in NEI 00-02 | NEI 00-02 Elements | STP Evaluation | Capability Category Met | Peer Review Comment / Facts and Observations

Initiating Events | IE-A1 | Yes | IE-07, IE-08, IE-09, IE-10 | Response: Covered under peer review | Met | IE R-2, 3, 8, 9; F&O IE-04

Initiating Events | IE-A2 | Yes | IE-05, IE-07, IE-09, IE-10 | Response: Listed initiators were included except Internal flood initiators - which were screened out. Note that the LOCA Outside Containment and ISLOCA initiators are combined in the STP PRA - refer to VSEQS initiator top event. The RTRIP general transient initiator includes operator manual reactor trips. VSEQS initiator includes human error basic events for failure to close MOV to isolate leak path. Loss of support system initiators, e.g., LOECW, LOCCW, include operator failure to start standby train human error basic event based on plant Abnormal Procedures. | Met | IE-R5, R2, R3, R9; F&O IE-01, IE-04

Initiating Events | IE-A3 | Yes | IE-08, IE-09 | Response: Covered under peer review | Met | IE-R8, R9

Initiating Events | IE-A4 | Partial | IE-05, IE-07, IE-09, IE-10 | Response: Loss of a single train of class 1E DC power (A or B) is included as an initiating event. The CCW support system initiator is quantified with one train in maintenance, one train running, and the potential for failure of the standby train. | Met | IE-R5, R2, R3, R9; F&O IE-01, IE-04

Initiating Events | IE-A5 | Yes | IE-08 | Response: Table 5-2 in the Initiating Events Notebook shows examples of several part power trips used in the data update. However, section 3.2.1 of the notebook states that initiating events at shutdown are not included in the at-power scope. | Met | IE-R8

Initiating Events | IE-A6 | Yes | IE-16 | Response: Input from industry reports, other PRAs, and knowledgeable risk personnel have ensured a complete set of initiators. In addition, extensive plant operating experience is used to update the current set of initiators. Recent plant operating experience is used to evaluate addition or removal of initiating events, e.g., loss of vital 120VAC, energize-to-actuate modifications affect on loss of 1E DC. Specific operations personnel interviews have not been used to identify potential initiators during recent plant updates. | Category 2 | IE-R7

Initiating Events | IE-A7 | Yes | IE-16, IE-10 | Response: Master logic diagram category MLD-17 'General Indirect Initiators' provides for an evaluation of precursor events. In addition, the support system FMEA was used to help identify support system precursor failures. Reference Rev.4 IE notebook. | Category 2 | IE-R7; F&O IE-04

Initiating Events | IE-A8 | Yes | IE-10 | Specific support system initiators are developed for operating systems that reflect the unavailability of components in the systems. For example, Loss of CCW has two separate initiators, one assuming three trains are available and one assuming two trains are available, one train is in maintenance. The PRA then uses the appropriate initiator based on historical plant unavailability information. | Category 2 Met | F&O IE-04

Initiating Events | IE-A9 | Yes | IE-05, IE-10 | Response: Support system initiating events are included as specific fault tree models based upon historical plant maintenance information | Category 2 Met | IE-R5; F&O IE-01, IE-04

Response to June 3, 2005 RAI NOC-AE-06001994 Attachment 1 Page 86 Table 2 (Question 27) Disposition of Findings and Observations from Peer Review Elemen

-- In ?4t0,,, :ELEMENS Ctgr Con¶i ~ -j t Initiating Events IE-A10 Yes IE-06 Response: NA, there are no shared systems used in the PRA models. NA IE-R12 Initiating Events E-B1 Yes IE-04, AS-04 Response: Separate Initiating events are quantified through the PRA model Met IE-R3, AS-R1 F&O AS-01 Initiating Events IE-B2 Yes IE-04, IE-07 Response: Heat balance fault trees and FMEAs were both used to develop Met IE-R3, R2 the set of initiating events quantifed In the model.

Initating Events IE-B3 Yes lE-04, IE-12 Response: Only one IE is grouped, the core power excursion is grouped with Met IE-R3. R4 the general reactor trip initiating event The plant effects are generally the same and the frequency of the core power excursion event is much smaller than the general reactor trip frequency.

Initiating Events IE-B4 Yes IE-04 Response: Unique initiating events include those with different success Met IE-R3 criteria or consequences.

Initiating Events IE-C1 Yes IE-13, IE-15, Response: Each of the STP support system initiators (LOEAB, LOCR, Met IE-R10, R13, R7, IE-16 IE-17 LOECW, LOCCW, Li DC) credits an operator action in the initiating event R14 frequency calculation. Specific justification of this credit reference the F&O IE-04 appropriate Abnormal Plant Response procedure and is included inthe HRA analysis results.

Initiating Events IE-C2 Yes IE-13, IE-16 Response: All generic initiating events are updated with plant specific Category 2 IE-R10, R7 information Met Initiating Events IE-C3 No Response: STP initiating event frequencies contained in the PRA model are Met based on per calendar year. The historical plant availability factor defined in top event GENST is used by the PMET event tree to ensure the quantification accounts for the fraction of time the plant is at-power. Refer to section 5.0 of the IE notebook Rev.4.

Initiating Events IE-C4 No Response: Initiating event screening basis is provided InTable 3.4-1 IE Met Notebook Rev.4. Although the specific criteria listed in ASME IE-C4 requirement is not used in the STP PRA screening documentation, the documented basis in STPs PRA is correct and Mets the intent of this requirement. Most screened initiating events are subsumed in a different quantified IE category.

Initiating Events IE-C5 No req. for Cat i N/A Response: N/A NA

Initiating Events IE-C6 Yes IE-15, IE-17 Response: The support system initiator fault tree analyses have been developed using the mitigating system top event fault trees as a template, the appropriate change in mission time was included and the analyses meet the appropriate systems analysis requirements. Met IE-R13, R14 F&O IE-04

Initiating Events IE-C7 No Response: Initiator fault tree models use an appropriate mission time of 8760 hours to establish an annual event frequency. Met

Response to June 3, 2005 RAI NOC-AE-06001994 Attachment 1 Page 87 Table 2 (Question 27) Disposition of Findings and Observations from Peer Review

PRA Technical Element; ASME SR; Included in NEI 00-02; NEI 00-02 Elements; STP Evaluation; ASME Capability Category; Peer Review Comments

Initiating Events IE-C8 No Response: The fault tree initiators meet this requirement. Met

Initiating Events IE-C9 Yes IE-15, IE-16 Response: The HEPs used in the support system initiator fault trees have been developed consistent with the HRA. Category 2 Met IE-R13, R7

Initiating Events IE-C10 Yes IE-13 Response: System initiating event results are compared to generic data where available and applicable. Met IE-R10

Initiating Events IE-C11 Yes IE-12, IE-13, IE-15 Response: The latest data from the LBLOCA Expert elicitation process is compatible with this IE frequency [CR 04-13754-1-1]. Met IE-R4, R10, R13

Initiating Events IE-C12 Yes IE-14 Response: The ISLOCA - VSEQS notebook contains the plant features used to determine the frequency as described in the ASME standard. Met IE-R6 F&O IE-02, IE-03

Initiating Events IE-D1 Partial IE-18, IE-19 Response: STP documentation meeting these requirements is contained in the IE notebook Rev.4. Met IE-R11 F&O IE-02

Initiating Events IE-D2 Partial IE-09, IE-20 Response: STP documentation meeting these requirements is contained in the IE notebook. Met IE-R9

Initiating Events IE-D3 Partial IE-09, IE-18, IE-19 Response: STP documentation meeting these requirements is contained in the IE notebook. Met IE-R9, R11 F&O IE-02

Initiating Events IE-D4 Partial AS-04, DE-05, SY-21 Response: N/A. IE-D4 does not exist in ASME-RA-Sa-2003. NA AS-R1, DE-R3, SY-R21 F&O AS-01, DE-05

Accident Sequence Analysis AS-A1 Yes AS-04, AS-08 Response: The STP PRA is based on the linked event tree methodology via the use of RISKMAN. The event trees are built from Event Sequence Diagrams (ESDs), which are based on emergency operating and abnormal operating procedures. The STP PRA represents the as-built, as-operated power plant. Peer Certification Comment (R13): Documentation of the accident sequence model, including guidance, is detailed and fairly extensive, including the ESDs and the event trees. Met AS-R1, R3, R13 F&O AS-01, AS-06

Accident Sequence Analysis AS-A2 Yes AS-06, AS-07, AS-08, AS-09, AS-17 Response: Each of the 50+ initiating events are grouped into response event trees representing each of the following events:

- General Transients

- Steam Generator Tube Ruptures

- Small LOCAs

- Medium LOCAs

- Large LOCAs

The key safety functions are defined in the appropriate Event Tree Notebook and supporting event sequence diagrams. All functions necessary to successfully mitigate the accident/transient are questioned. Met AS-R3, R7 F&O AS-03, AS-09, AS-10, SY-06, AS-06, AS-04, TH-04

Accident Sequence Analysis AS-A3 Yes AS-07, AS-17, SY-17 Response: The system functions necessary to mitigate the initiating event are identified within each Event Tree. These criteria are passed to the various System Notebooks, the Success Criteria Notebook and the model. Met AS-R7, SY-R17 F&O AS-10, SY-02, SY-08

Accident Sequence Analysis AS-A4 Yes AS-19, SY-05 Response: Operator actions are defined in the Event Sequence Diagrams and section 3.3.4 of the Individual Plant Examination. Human reliability data was updated in the late 90s (PRA-99-010) and is currently being updated via the HRA Calculator. Met with REV5 AS-R12, SY-R5 F&O AS-07, SY-05

Accident Sequence Analysis AS-A5 Yes AS-05, AS-18, AS-19, SY-05 Response: The accident sequence models are based on the Event Sequence Diagrams as outlined in the IPE. These scenarios were revalidated during the HRA update. Met AS-R2, R8, R12, SY-R5 F&O AS-07, SY-05

Accident Sequence Analysis AS-A6 Yes AS-08, AS-13, AS-04 Response: Covered under peer review. Where possible, the events are sequentially ordered. Met AS-R3, R4, R1 F&O AS-06, AS-01

Accident Sequence Analysis AS-A7 Yes AS-04, AS-05, AS-06, AS-07, AS-08, AS-09 Response: The ESDs identify possible paths given a particular initiating event. Most paths identified as possible in the ESDs are included in the initiating event response event trees. Some success paths were eliminated based upon qualitative frequency arguments. Category 2 Met AS-R1, R2, R3 F&O AS-01, AS-03, AS-09, AS-10, AS-06, AS-04, SY-06, TH-04

Accident Sequence Analysis AS-A8 Partial AS-20, AS-21, AS-22, AS-23 Response: End states in the STP PRA model for CDF are defined as either successful or melt (i.e., core damage). End states for level 2 are defined as type of release or successful containment performance (e.g., large early, late). Met AS-R9, R10, R11 F&O TH-01

Accident Sequence Analysis AS-A9 Yes AS-18, TH-04 Response: Accident progression parameters are based on the UFSAR, plant specific MMP analyses, or other special analysis (i.e., room heat-up calcs). Category 2 Met AS-R8, TH-R5

Accident Sequence Analysis AS-A10 Yes AS-04, AS-05, AS-06, AS-07, AS-08, AS-09, AS-19, SY-05, SY-08, HR-23 Response: System and operator response for each initiator is explicitly modeled in the STP PRA event trees or system analysis such that significant differences are captured in the event tree model and quantification rules. Category 2 Met AS-R1, R2, R3, R12, SY-R5, HR-R6 F&O AS-01, AS-03, AS-09, AS-10, AS-06, AS-04, SY-06, SY-05, TH-04

Accident Sequence Analysis AS-A11 Yes AS-08, AS-10, AS-15, DE-06, AS Checklist Note 8 Response: In the software, event trees are linked for each initiator. Status of the previous event tree top events is maintained within the software. No transfers are used in the current STP PRA models. NA AS-R3, DE-R4 F&O AS-06, AS-05, DE-06

Accident Sequence Analysis AS-B1 Yes IE-C04, IE-05, IE-10, AS-04, AS-05, AS-06, AS-07, AS-08, AS-09, AS-10, AS-11, DE-05 Response: Initiators that affect mitigating systems or functions are explicitly modeled within the STP PRA model. This is accomplished via top event boundary conditions and/or split fraction rules. Met IE-R3, R5, AS-R1, R2, R3, DE-R3 F&O IE-01, IE-04, AS-01, AS-03, AS-09, AS-10, AS-06, AS-04, AS-05, AS-02, SY-06, TH-04, DE-05

Accident Sequence Analysis AS-B2 Yes AS-1, AS-1, DE-04, DE-05, DE-06 Response: These dependencies are documented in the Event Sequence Diagrams and handled in the event trees by the assignment of split fraction rules. Met DE-R2, R3, R4 F&O AS-05, AS-06, AS-02, DE-05, DE-06

Accident Sequence Analysis AS-B3 Yes AS-10, DE-10, SY-11, TH-08 Response: Phenomenological conditions that affect system/function are identified in the event tree notebooks and translated to split fractions or quantification macros. (See Containment sump plugging). Met DE-R9, SY-R11, TH-R2 F&O AS-05, AS-06, DE-06, SY-09, TH-02

Accident Sequence Analysis AS-B4 Yes AS-08, AS-09, AS-10, AS-11 Response: In the STP PRA model, all train dependent top events are ordered from A to B to C. In addition, all conditional split fractions are calculated in the same manner. Met AS-R3 F&O AS-06, AS-04, AS-05, AS-02, TH-

Accident Sequence Analysis AS-B5 Yes AS-10, AS-11, DE-04, DE-05, DE-06, QU-25 Response: The event trees contain top events for all trains in most cases. Intersystem dependencies and train level interfaces are identified explicitly. Met DE-R2, R3, R4 F&O AS-05, AS-06, AS-02, DE-05, DE-06

Accident Sequence Analysis AS-B6 Yes AS-13 Response: The STP PRA model includes time-phased dependencies for AC power recovery, diesel generator recovery and battery life. Met AS-R4

Accident Sequence Analysis AS-C1 Yes AS-24, AS-25 Response: A review of the top rank sequences is performed and documented in Level 1 results notebook. The top sequences are reviewed against the Event Sequence Diagrams to ensure the split fraction logic rules are correctly modeling the event. In addition, a formal review of accident sequences is performed at the end of the update process to ensure logical modeling. Met F&O SY H-04

Accident Sequence Analysis AS-C2 Yes AS-24, AS-25, AS-26 Response: The treatment for each initiator and event trees is documented in the Initiating Event and Event Tree Notebooks. Specifically, the initiator is defined in the former and the rules for each event tree in the latter. Met F&O SY-08, TH-04

Accident Sequence Analysis AS-C3 Partial AS-1, AS-17, AS-20, AS-24, DE-06, TH-05 Response: There is no one notebook that documents all the items within the checklist.

(a) The link between initiating event and accident sequence analysis is contained within the STP PRA model, i.e., in the initiating event dialog box of the event tree module. This dialog box contains a list of all the linked event trees used in quantifying the initiating event.

(b) The definition of Core Damage is, the STP PRA assumes that any scenario in which the loss of core heat removal progressed beyond the point of core uncovery, and core exit temperatures exceeded 1,200°F, is a core damage scenario (documented in the Level 1 Results notebook).

(c) See Human Reliability section for more information on traceability of HRA.

(d) The STP PRA models sequences to success; any sequence not mapped to success is mapped to melt. The event tree notebooks contain more information on how success is defined (via the macro SUCC in the PDS event trees). Mapping to Plant Damage States is described in the Level 2 Notebooks.

(e) Documentation for integrated treatment of dependencies in various notebooks and within the model is contained in the PRA documentation. Initiating Events Analysis - Initiating Event Notebook and Event Tree notebooks; Systems Analysis - Dependency matrices; Data Analysis - dependencies are described in the original IPE and carried into the method for quantifying system models; Human Reliability Analysis - Dependencies are being analyzed in the HRA update project; and Level 1 Quantification - dependencies are described in the various event tree notebooks.

Met with the exception of the HRA dependency. Will be completed prior to Rev. 5 model signoff. AS-R7, R9, TH-R6, DE-R4 F&O AS-02, AS-06, SY-08, TH-04, TH-05, HR-07, SY-08, DE-06

Accident Sequence Analysis AS-C4 Partial AS-11, AS-24 Response: There is no one notebook that documents all the items within the check list.

(a) success criteria is contained within various documents, including the system and event tree notebooks and the success criteria notebook.

(b) there is only one model, which can quantify both level 1 and 2 results. All initiating events are included within this model.

(c) the event sequence diagrams documented in the IPE describe the progression of each class of initiators (e.g., small break LOCA)

(d) the event sequence diagrams contain assumptions however, the impact of these assumptions are not specifically described in the ESEs are included in the model documentation

(e) analysis/calculations are contained within the system notebooks (e.g., reference to room heat up calcs), Level 2 Accident Progression notebook, the thermal hydraulic Calculation notebook. Event sequence diagrams within the IPE may contain additional information.

(f) Operation information is contained within the system notebooks.

(g) See system notebooks for equipment operation (e.g., PDP operation within the CVCS system notebook)

(h) for the most part, the STP model does not model systems under a single top event. There are some exceptions like RHR pump (OC) and heat exchanger (RX) and these are documented within the system notebook.

Met with the exception of item (d). F&O AS-02, AS-06, SY-08, TH-04

Success Criteria SC-A1 Yes AS-20, AS-22, AS Footnote 4 Response: CDF is defined in the Level 1 Quantification Notebook, along with reference to its basis. (F&O TH-01 Peer Review) Definition: The PRA assumes that any scenario in which the loss of core heat removal progressed beyond the point of core uncovery, and core exit temperatures exceeded 1,200°F, is a core damage scenario. Met AS-R9, R10 F&O TH-01

Success Criteria SC-A2 Yes AS-22, TH-04, TH-05, TH-07, AS Footnote 4 Response: See Level 1 Quantification Notebook definition of CDF. Additional information resides in the Level 1 Thermohydraulic Analysis Notebook. There is not a single location for this information. Met AS-10, TH-R5, R6, R3 F&O TH-01, TH-05, TH-03, HR-07, SY-08

Success Criteria SC-A3 Yes AS-06, AS-07, AS-17, AS-20 Response: Event Sequence Diagrams and PRA Initiating event models define the necessary functions for core damage or release mitigation. For example, see the definition of SUCCESS in the PDS event tree macros. Met AS-R7, R9 F&O AS-03, AS-09, AS-10, SY-06

Success Criteria SC-A4 Yes AS-07, AS-17, AS-18, SY-08, SY-17, TH-09, IE-06, DE-05 Response: See response to SC-A3. The current PRA model does not share capabilities between units other than standby transformers because procedures did not exist at the time to perform such tasks. However, future model updates may incorporate the capability to crosstie power between the units. Met AS-R7, R8, SY-R8, R17, TH-R8, IE-R12, DE-R3 F&O AS-10, SY-06, SY-02, SY-08, TH-04, TH-05, DE-05

Success Criteria SC-A5 Partial AS-21, AS-23, AS-20 Response: Mission times for systems are discussed throughout the System Notebooks, the Success Criteria Notebook, and Level 1&2 Quantification and Results Notebooks. The mission time for most systems is set at 24 hours. Some exceptions - batteries with no chargers (4 hours or 8 hours based on calculations); Level 2 analysis power recovery following station blackout of 4 hours top event CV (table 2.2-1). Met AS-R9, R11

Success Criteria SC-A6 Yes AS-05, AS-18, AS-19, TH-04, TH-05, TH-06, TH-08, ST-04, ST-05, ST-07, ST-09, SY-05 Response: See Thermohydraulic Analysis Notebook and supporting documentation for model. Met AS-R2, R8, R12, TH-R5, R6, R2, ST-R2, R3, SY-R5 F&O AS-07, AS-04, TH-05, TH-07, TH-03, TH-02, HR-07, SY-08, SY-05, ST-01, IE-03

Success Criteria SC-B1 Yes AS-18, SY-17, TH-04, TH-06, TH-07 Response: Table A-1 comments: MMP4 code was developed and verified by qualified trained users. Success criteria are based upon UFSAR requirements, applicable industry assessments (e.g., ATWS), or plant specific MMP analyses. Category 2 AS-R8, SY-R17, TH-R5, R7, R3 F&O SY-02, SY-08, TH-07, TH-03, AS-

Success Criteria SC-B2 No TH-04, TH-08 Response: (Use of Expert Judgment) - Not used in STP PRA. Category 2 Met TH-R5, R2 F&O TH-02

Success Criteria SC-B3 Yes AS-18, TH-04, TH-05, TH-06, TH-07 Response: See Thermohydraulic Analysis Notebook, Success Criteria Notebook and supporting documentation. Met AS-R8, TH-R5, R6, R7 F&O TH-07, TH-03, TH-05, HR-07, SY-08, AS-04

Success Criteria SC-B4 Yes AS-18, TH-04, TH-06, TH-07 Response: Table A-1 response: see SC-B1. Met AS-R8, TH-R5, R7, R3 F&O TH-07, TH-03, AS-04

Success Criteria SC-B5 Yes TH-09, TH-07 Response: Check the reasonableness of TH analysis. Known issues from Peer Review TH-07. Current model update will resolve. Met with REV5 TH-R8, R3 F&O TH-04, TH-03, TH-05, SY-08

Success Criteria SC-B6 Yes QU-27, QU-28 Response: See Success Criteria, Thermohydraulic Analysis, and System Notebooks. See also PRA Analysis Assessments for sensitivity studies performed on the PRA model. Also see the IPE, which contains the initial analysis. (Note requirement deleted in 2003 ASME Code). NA QU-R9 F&O QU-03

Success Criteria SC-C1 Yes ST-13, SY-10, SY-17, SY-27, TH-08, TH-09, TH-10, AS-17, AS-18 Response: Documented in Success Criteria and Thermohydraulic Notebooks and their references. See MAAP analysis Notebooks, Design Basis Documents and calculations. Table A-1 response: Key assumptions as defined in Reg. Guide 1.200 not yet documented. Will be completed for current PRA revision. Met with REV5 ST-R1, SY-R10, R17, R22, TH-R2, R8, R9, AS-R7, R8 F&O SY-02, SY-08, TH-02, TH-04, TH-05, QU-03

Success Criteria SC-C2 No TH-10 Response: (Document Expert Judgment) - N/A, Not used in STP PRA. NA TH-R9

Success Criteria SC-C3 Yes AS-12, AS-13, TH-09, TH-10 Response: Key assumptions not documented. (Known Issues from Peer Review TH-06, TH-07) Will be completed for current PRA revision. Met with REV5 AS-R4, TH-R8, R9 F&O AS-08, TH-04, 05, SY-08

Success Criteria SC-C4 Partial AS-24, SY-27, TH-09, TH-10, HR-30 Response: See PRA Notebooks, specifically Level 1 and 2 Quantification, Success Criteria, Thermohydraulic Analysis, and IPE. Key assumptions not documented. Will be completed for current PRA revision. Met with REV5 SY-R27, TH-R8, R9, HR-R17 F&O SY-08, TH-04, TH-05

Systems Analysis SY-A1 Yes SY-04, SY-19 Response: System models are developed for all systems modeled in the PRA (AMSAC uses generic 'black box' model). Met SY-R4, R19

Systems Analysis SY-A2 Yes SY-05, SY-13, SY-16, AS-19 Response: Collected information is reflected in the System Notebooks. Met SY-R5, R13, R16, AS-R12 F&O SY-05, SY-04, AS-07

Systems Analysis SY-06, SY-08, SY-12, SY-14 Response: By procedure OPGP01-ZA-0305, section 4.0, all plant information sources used to define and establish the PRA must be reviewed during the model update process and periodically between model updates to insure that the PRA represents the 'As Built' plant. See PRA Database of Inputs. Items c through h are contained in the systems analysis notebooks. Item a system component boundaries are defined in current model data notebook. System boundaries are described in the system notebooks. Met SY-R5, R6, R8, R12, R14 F&O SY-05, SY-06, SY-03, AS-06, DA-03

Systems Analysis SY-A4 Partial SY-0, DE-11, Response: walk downs and in Plant ti on dutesd during the initial Met SY-R8O, DE-R6, SY Footnote 5 PRA development, and are periodically conducted during the design change R 1S X >process goretyefcs Cna}=;smi between model updates a design;ted-whenas-opera Eth as-uit change Syte the plant. impacts h;,, PRA and igh-level periodically during model updates. The GQA working group also reviews the PRA model and assumptions following a model update prior to risk ranking systems and components. This provides additional assurance that the system analysis correctly reflects the as-built, as-operated plant. System high-level summaries, which include components, failure modes, and assumptions, are also reviewed as part of the CRMP program.systembundary.F_________SY_0

Systems Analysis SY-A5 Partial SY-06, SY-11, Response: Within the STP PRA documentation of systems, every system Met SY-R8, RI QU-R2 QU U-19 model description includes conditions that prevent system operation those F&O SY-0S and function including both normal and alternate alignments. See System Notebooks sections 2 and 3.

Systems Analysis SY-A6 Yes SY-07, SY-19, SY-12, SY-13, SY-14 Response: Components required for system success, interfaces with support systems, and other components that could fail the system are defined in the system analysis notebooks and included in the system boundary. Met SY-R7, R8, R12, R13, R14 F&O AS-06, SY-03

Systems Analysis SY-A7 Yes SY-06, SY-07, SY-08, SY-09, SY-19 Response: In the STP PRA only the AMSAC system fits this description and is only used in selective sequences. See EPONSITE top AM. All other systems are modeled in detail in fault trees. Met SY-R6, R7, R8, R9, R19 F&O SY-OB, SY-07

Systems Analysis SY-A8 Partial SY-06, SY-09 Response: System notebooks describe the boundaries of the systems/functions modeled in the notebook. The data analysis guideline defines component boundaries for data collection and modeling purposes. Met SY-R6, R9 F&O SY-03, SY-06, SY-07, DA-03

Systems Analysis SY-A9 Yes SY-06, SY-19, QU-12, QU-13 Response: All trains of modeled systems are included in the system fault trees and translated to event tree top events. Met SY-R6, R19, QU-R2 F&O SY-06

Systems Analysis SY-A10 Partial SY-09 Response: Super components are not generally used in the STP PRA to simplify system modeling. Whenever a super component is used, measures are taken to ensure that only those components relative to the function being modeled are used. A typical use of super components in the STP PRA would be collecting passive components, such as manual valves, into a single basic event for a train. There is no mixing of systems, and actuation signals are modeled separately. Super components that are made up of multiple components that have different failure probabilities are generally split.

Collecting component failure data at a higher level, i.e., EDG and associated auxiliaries, does not necessarily result in a super-component. The EDG system model actually splits sequencer, breaker, and engine into separate basic events. Super components are heavily scrutinized by the GQA expert panel during system and component risk ranking following a model update to ensure they are modeled correctly. See System Notebooks, and GQA risk ranking process. Met SY-R9 F&O SY-07

Systems Analysis SY-A11 Yes SY-12, SY-13, SY-17, SY-23, AS-10, AS-13, AS-16, AS-17 Response: The effects of variable success criteria are included in the system analyses. The actual quantification of variable success criteria is accomplished with event tree split fraction rules/quantification macros. Met SY-R12, R13, R17, R23 F&O AS-06, AS-05, SY-02, SY-08

Systems Analysis SY-A12 Partial SY-06, SY-07, SY-08, SY-09, SY-12, SY-13, SY-14 Response: Passive critical components whose failure affects system operability such as heat exchangers and tanks are modeled in the STP PRA. Because of STP's design, and because piping failure rates are significantly lower than other passive components which are modeled, piping is not included in the STP PRA system models. See System Notebooks, for example Safety Injection, Component Cooling Water, or Auxiliary Feedwater. Met SY-R6, R7, R8, R9, R12, R13, R14 F&O SY-06, SY-07, SY-03, AS-06

Systems Analysis SY-A13 Yes SY-15, SY-16, DA-04 Response: The identified failure modes are included where appropriate in the systems analyses. Met SY-R15 F&O SY-04, DA-02

Systems Analysis SY-A14 No SY-08, HR-04, HR-05, HR-07 Response: Components and failure modes are not screened for items (a) and (b). Pre-initiator screening and test procedure review identifies those instances where item (c) applies. See system notebooks. Met SY-R8, HR-R3, R5 F&O HR-01

Systems Analysis SY-A15 Yes SY-08, HR-04, HR-05, HR-07 Response: Component failure data does not include pre-initiator HFE data. Pre-initiator HFE analyses are included in the systems analysis where appropriate. Category 3 Met SY-R8, HR-R3, R5 F&O HR-01

Systems Analysis SY-A16 Yes SY-08, HR-08, HR-09, HR-10 Response: Systems analysis in general does not include post-initiator HFEs. These HFEs are generally top events in the event trees. Exceptions include: Feed and bleed quantification, manual start of the PD pump. Met SY-R8, HR-R6

Systems Analysis SY-A17 Yes SY-10, SY-11, SY-13, AS-13 Response: The STP PRA System Notebooks address for each system the conditions that cause the system to isolate or trip. The Support System Model Notebook contains the direct system dependency descriptions. Though some dependencies are covered in the system analysis, most direct dependencies are evaluated in the event trees. See Event Tree Notebooks for EPONSITE and MECHSUP. Met SY-R1, R11, R13, AS-R4 F&O SY-09

Systems Analysis SY-A18 Yes SY-08, SY-22, DA-07 Response: The PMET Event Tree contains branches that reflect operating experience for planned maintenance for most PRA systems. System level unplanned unavailability is included in individual System Notebooks. System testing frequency and surveillances are located in the individual System Notebooks. Met SY-R8, R22, DA-R3

Systems Analysis SY-A19 Yes SY-11, SY-13, SY-17, AS-18, DE-10, TH-08 Response: Under adverse conditions, the STP PRA assumes in most cases the affected systems fail. An example of an exception to this rule is EAB HVAC system calculation. This calculation established the mission time for loss of EAB HVAC for affected system components. See EAB HVAC System Notebook Sections 2.1.6, 2.1.7, 2.4.4, and 3.4. Actual modeling of this dependency is performed in the event trees. Category 2 Met SY-R11, R13, R17, AS-R8, DE-R9, TH-R2 F&O SY-08, SY-02, DE-06, TH-02

Systems Analysis SY-A20 Partial SY-05, SY-11, SY-13, SY-2, AS-19, TH-08 Response: The STP PRA systems were developed directly from the design basis documents and in most cases no credit is taken beyond the rated or designed capability. The PRA model in general credits single train success, using UFSAR and post-fire safe shutdown analyses. Ventilation requirements in select areas may be excluded because of components supplied. For Level 2 analysis, equipment survivability during severe accidents is discussed in the Level 2 Analysis notebook where probabilities are used to determine the design limits of SSCs like the containment and the associated justification. Met SY-R5, R11, R13, AS-R8, TH-R2 F&O SY-05, SY-09, TH-02

Systems Analysis SY-A21 Yes SY-18 Response: System designators are unique and generally follow the plant T_PNS system. Met SY-R18

Systems Analysis SY-A22 Yes SY-24, DA-15, QU-18 Response: STP PRA models limited repair actions by operators to the EDGs only. The recovery analysis and credit taken is documented in the LOOP recovery analyses. Met SY-R24, DA-R4

Systems Analysis SY-B1 Yes SY-08, DA-08, DA-14, DE-08, DE-09 Response: Common cause identified in this requirement is included in the appropriate systems models. No common cause is included for batteries and battery chargers. (Data was reviewed, see common cause data analysis) Category 2 Met SY-R8, DA-R7, R12, DE-R7, R8 F&O DA-01

Systems Analysis SY-B2 No req. for Cat II Response: Inter-system common cause is included for Class 1E breakers after a LOOP. Other possible inter-system common cause has been screened. See common cause data analysis. Category 2 - Not Required

Systems Analysis SY-B3 Yes DE-08, DE-09, DA-10, DA-12 Response: Common cause data groups satisfy the ASME requirements. Met DE-R7, R8, DA-R9

SY-08, DA-08, DA-10, DA-11, DA-12, DA-13, DA-14, DE-08, DE-09, QU-09 Response: sor as appropriate. R10, R11, R12, DE-R7, R8, QU-R1 F&O DA-01

Systems Analysis SY-B5 Yes SY-12, DE-04, DE-05, DE-06 Response: System dependencies are explicitly identified and quantified in the event trees. Quantification macros are based on these system level dependencies. Met SY-R12, DE-R2, R3, R4 F&O AS-06, DE-05, DE-06

Systems Analysis SY-B6 Yes SY-12, SY-13 Response: Support system success criteria are established based upon the variability in the conditions present during the postulated accidents for which the system is required to function. In most cases, UFSAR success criteria are used to establish success criteria for support systems; in other cases, plant specific analyses for unique plant conditions establish the success criteria for support systems (e.g., room cooling requirements). Met SY-R12, R13 F&O AS-06

Systems Analysis SY-B7 Yes SY-13, SY-17, AS-1, TH-07, TH-08 Response: Support system modeling is based on realistic assessment of system capabilities and requirements. Category 2 SY-R13, R17, AS-R8, TH-R3, R2 F&O SY-02, SY-08, TH-03, TH-02

Systems Analysis SY-B8 Yes SY-10, DE-11 Response: Spatial and environmental hazards that affect system have been identified and are included in event tree quantification of the external hazards. Met SY-R10, DE-R6, DE-R11

Systems Analysis SY-B9 Yes SY-10, AS-20, L2-08, L2-09, L2-11, L2-13 Response: Explicit treatment of the containment conditions is included in the Level 2 Accident progression model. Met SY-10, AS-R9, L2-R5 F&O L2-01, L2-02, L2-05, L2-03

Systems Analysis SY-B10 Yes SY-12, SY-13 Response: Support systems are identified in each system analysis and include the items identified in the ASME standard. Met SY-R12, R13 F&O AS-06

Systems Analysis SY-B11 Yes SY-08, SY-12, SY-13 Response: Systems that are required for initiation or actuation of systems are specifically modeled in the STP PRA. See QDPS, SSPS, and Reactor Trip System Notebooks. These notebooks describe the conditions needed for automatic actuation along with permissives and lockouts. Event Trees EPONSITE and MECHSUP present the dependencies other systems have on the actuation systems. Event tree macros are also used to define boundary conditions for systems/trains. Category 2 Met SY-R8, R12, R13 F&O AS-06

Systems Analysis SY-B12 Yes SY-13 Response: The STP PRA models inventory of tanks, battery capacity, air, power, and cooling systems. See the associated system notebooks for load and mission time capabilities. Met SY-R13

Systems Analysis SY-B13 No Response: Proceduralized recovery actions are modeled in the PRA for the support system initiators. Proceduralized recovery actions do not eliminate a support system from the model. Met

Systems Analysis SY-B14 Partial DE-06, AS-06 Response: Not directly applicable at STP due to system design and system Met DE-R4 boundary definitions. Exception examples, CCW to RHR heat exchanger in F&O DE-06, AS-03, RHR top OC, and also in heat exchanger top RX. LHSI pumps in injection AS-09 and recirculation - event tree rules. Support system dependency is treated in the Event Trees PMET, EPONSITE, and MECHSUP. Within the System Notebooks, descriptions of basic event components like a common suction valve that can disable multiple trains of that system are discussed. See Auxiliary Feed Water or Safety Injection System Notebooks for examples.

Systems Analysis SY-B15 Yes SY-11 Response: In general, no SSC is credited for operating beyond its design in Met SY-R11 the PRA without a calculation to support the assumption (Example see SI F&O SY-09 room cooling calculation for exception). See applicable System Notebooks, Event Tree Notebooks and PRA Analysis/Assessments for operation in adverse conditions.

Systems Analysis SY-B16 Yes SY-08 Response: Operator interface dependencies are included where applicable. NA SY-R8

Systems Analysis SY-C1 Partial SY-23, SY-25, Response: The systems analysis notebooks and the event tree notebooks Met SY-R23, R25, R26, SY-26, SY-27 contain the information identified in this SLR. R27

Systems Analysis SY-C2 Yes SY-05, SY-06, Response: Basic events in the system model are traceable to tagged plant Met SY-R5, R6, R9, SY-09, SY-27 components and to system cutsets. R27 F&O SY-05, SY-06, SY-07

Systems Analysis SY-C3 Yes SY-18, SY-27 Response: The nomenclature used in the system models is documented in Met SY-R18, R27 the original PSA and is consistent in the current system models.

Human Reliability HR-A1 Yes HR-04, HR-05 Response: A pre-initiator human action analysis has been performed and Met With REV5 HR-R3 Analysis incorporated into the system analysis. However, this particular analysis has Model Update F&O HR-01 not been updated since the IPE. A specific review of test and maintenance procedures was performed for the STP 1996 and STP_1997 models (all systems). A continuing review of test and maintenance procedures is a standard part of a PRA system analysis update and is performed by all analysts for their respective systems. A pre-initiator HRA identification and screening analysis is being performed for the REV5 PRA model update. Appropriate HEPs will be incorporated in the systems analysis. [CR 04-13754-2-1]


Human Reliability HR-A2 Yes HR-04, HR-05 Response: The REV5 pre-initiator HRA update satisfies this requirement. Met With REV5 HR-R3 Analysis Model Update F&O HR-01

Human Reliability HR-A3 Yes HR-05, DE-07 Response: The REV5 pre-initiator HRA update satisfies this requirement. Met With REV5 HR-R3, DE-R5 Analysis Model Update F&O HR-01

Human Reliability HR-B1 Yes HR-05, HR-06 Response: The REV5 pre-initiator HRA update uses screening criteria Category 2 HR-R3, R4 Analysis contained in a written guideline. Met With REV5 F&O HR-01, HR-04 Model Update

Human Reliability HR-B2 Partial HR-05, HR-06, Response: The REV5 HRA pre-initiator screening is consistent with this Met With REV5 HR-R3, R4, R5, Analysis HR-07, HR-26, requirement; however, certain calibration activities that impact diverse and Model Update R16 DA-05, DA-06 redundant equipment may be screened by systematically considering the F&O HR-01, HR-04 diversity in other instrumentation and control channels that provide the same function. If it can be shown that sufficient diversity exists among the instrumentation and control channels, then the relevant activities can be screened out.

Human Reliability HR-C1 Yes HR-27, SY-08, Response: The REV5 pre-initiator HRA update defines the HFE for Met With REV5 HR-R16, SY-R8, Analysis SY-09 unscreened events in the HRA calculator. Model Update R9 F&O HR-06, SY-07

Human Reliability HR-C2 Yes HR-07, HR-27, Response: Unscreened activity unavailability is included in the system Category 2 HR-R3, R5, R16, Analysis SY-08, SY-09 analysis. Example is top AFWS. See also HR-B1 STP-specific operating Met With REV5 SY-R8, R9 experience review is included in the REV5 pre-initiator HRA update. Model Update F&O HR-06, SY-07

Human Reliability HR-C3 Yes HR-05, HR-27, Response: Applicable miscalibration impacts on standby systems are Met With REV5 HR-R3, R16, SY-Analysis SY-08, SY-09 included in the REV5 pre-initiator HRA update. Model Update R8, R9 F&O HR-01, HR-06, SY-07

Human Reliability HR-D1 Yes HR-06 Response: THERP is used to estimate the pre-initiator HEPs. Met With REV5 HR-R4 Analysis Model Update F&O HR-04

Human Reliability HR-D2 Yes HR-06 Response: The REV5 pre-initiator HRA update uses detailed assessments to Category 2 HR-R4 Analysis determine HEP values. Met With REV5 F&O HR-04 Model Update

Human Reliability HR-D3 No Response: These performance shaping factors are considered in the REV5 Category 2 Analysis HRA pre-initiator HEP assessments. [CR 04-13754-2-2] Met With REV5 Model Update

Human Reliability HR-D4 No Response: Incorporated in the REV5 HRA pre-initiator update. [CR 04-13754- Met With REV5 Analysis 2-2] Model Update

Human Reliability HR-D5 Yes HR-26, HR-27, Response: Joint probability assessed in the REV5 pre-initiator update. Met With REV5 HR-R16, DE-R5 Analysis DE-07 Model Update F&O HR-06


Human Reliability HR-D6 No Response: Developed HEPs are log normal distribution with associated range Met Analysis factor.

Human Reliability HR-D7 No Response: When using HEPs in the PRA, analysts judge the reasonableness Met Analysis of the values prior to use in the models. This reasonability check is inherent in the process, but not well documented. [CR 04-13754-2-3]

Human Reliability HR-E1 Yes HR-09, HR-10, Response: Performed during initial event sequence diagram (ESD) Met HR-R6, R10, AS-Analysis HR-16, AS-19, development. R12, SY-R5 SY-05 F&O HR-04, AS-07, SY-05

Human Reliability HR-E2 Yes HR-08, HR-09, Response: Performed during initial event sequence diagram (ESD) Met HR-R6, R14, R15 Analysis HR-10, HR-21, development. F&O HR-04 HR-22, HR-23, HR-25

Human Reliability HR-E3 Partial HR-10, HR-14, Response: This supporting requirement is met during the operator interview Category 2 HR-Re, R9, R13 Analysis HR-20 process. Met F&O HR-07

Human Reliability HR-E4 Partial HR-14, HR-16 Response: Post-initiator HFE talk-throughs with operations personnel Category 2 HR-R9, R10 Analysis performed. In REV5 HRA post-initiator update, in addition to talk-throughs, a Met F&O HR-07, HR-04 limited set of simulator observations were performed.

Human Reliability HR-F1 Yes HR-16, AS-19, Response: HFEs defined in scenario sheets. Category 2 HR-R10, AS-R12, Analysis SY-05 Met SY-05 F&O HR-04, AS-07, SY-05

Human Reliability HR-F2 Partial HR-11, HR-16, Response: The HEPs developed for dynamic human actions include scenario Category 2 HR-R7, HR-R10, Analysis HR-17, HR-19, sheets, which define the HFE. The items included are 1) scenario Met With REV5 HR-R11, HR-R12, HR-20, AS-19, description, 2) high level specific tasks, and 3) time window for successful Model Update HR-R13, AS-R12, SY-05 completion. Lacking are the specific timing of cues, listing of the specific SY-R5 procedure guidance, and listing of the available cues/indications. However, F&O HR-02, TH-the availability of cues/indications and procedure guidance is specifically 05, HR-04, HR-05, evaluated by the PSFs. Related F&O is HR-02. STP's plan is to migrate the AS-07, SY-05 HEPs to the EPRI HRA Calculator, which will result in listing specific cues and procedure guidance. [CR 04-13754-2-4]

Human Reliability HR-G1 Yes HR-15, HR-17, Response: HEPs are developed using detailed analysis. Category 2 HR-R11 Analysis HR-18 Met F&O HR-05, HR-07 TH-05


Human Reliability HR-G2 Yes HR-02, HR-11 Response: At STP, the FLIM method has been used to determine HEPs. Category 2 HR-R2, HR-R7 Analysis This method accounts for cognition and execution errors via the Performance Met With REV5 F&O HR-02, HR-03 Shaping Factors. An example of the cognition-related PSFs is titled "Plant Model Update H-05 Man-Machine Interface and Indications". STP plans to migrate the HEPs to the EPRI HRA calculator - this tool provides explicit treatment of Pcog and Pexe via the CBDTM/THERP methods.

Human Reliability HR-G3 Partial HR-17, HR-18 Response: The FLIM PSFs evaluate the impact of (a) through (h). Items (i) Category 2 HR-R11 Analysis and (j) are not explicitly evaluated in the FLIM PSF worksheets. The EPRI Met With REV5 F&O HR-05, HR-HRA Calculator evaluates all of these supporting requirement elements. Model Update 07, TH-05

Human Reliability HR-G4 Partial HR-18, HR-19, Response: STP time windows generally Met this category II requirement (as Category 3 HR-R12, HR-R13, Analysis HR-20, AS-13 clarified in HR-G4 App.). Time windows are documented in PLG-0675 Met With REV5 AS-R4 (original STP PSA) Volume 4, Appendix B, and the TH notebook (MMP Model Update F&O HR-07, TH-05 calculations for selected HEPs). The REV5 HRA post-initiator update includes a plant-specific MAAP timing analysis that meets this requirement. See related F&O HR-07. [CR 04-13754-2-5]

Human Reliability HR-G5 Partial HR-16, HR-18, Response: The requirement is met during the operator interviews that Category 2 HR-R10, HR-R13 Analysis HR-20 include a talk-through of the HEP scenario sheet and applicable procedures. Met F&O HR-04, HR-Concurrence of the reasonableness of the listed time window is also 07, TH-05 requested during this process.

Human Reliability HR-G6 Yes HR-12 Response: This supporting requirement is met by the inherent review and Met With REV5 HR-R8 Analysis approval process for developing HEPs. The performance of this consistency Model Update check is not specifically documented but is planned for the updated HEPs in the REV5 HRA update [CR 04-13754-2-6]

Human Reliability HR-G7 Partial HR-26, DE-07 Response: This systematic dependency analysis has not been performed - Met With REV5 HR-R16, DE-R5 Analysis refer to F&O HR-06. This will be met with the REV5 HRA update. [04-13754- Model Update F&O HR-06 2-7]

Human Reliability HR-G8 No HR-27 Response: This supporting requirement has not been met, and is dependent Met With REV5 HR-R16 Analysis on completing HR-G7. This SR will be met with the REV5 HRA update. [CR Model Update F&O HR-06 04-13754-2-8]

Human Reliability HR-G9 No Response: The HEPs are developed in RISKMAN as lognormal distributions, Met Analysis and thus have an associated error factor. The mean values are used in the PRA quantifications.

Human Reliability HR-H1 Yes HR-21, HR-22, Response: Human recovery actions are included as appropriate in the STP Category 2 HR-R14, HR-R6 Analysis HR-23 PRA to reduce unnecessary conservatism. Met F&O HR-04

Human Reliability HR-H2 Yes HR-22, HR-23 Response: STP use of recovery actions Met these supporting requirements. Met HR-R6 Analysis In general, recovery actions are only credited if approved procedures support F&O HR-04 procedures (EOPs, Off-normals, Annunciator Response). These procedures typically contain the applicable cues. Attention is given to the appropriate elements of HR-G3 for PSFs.

Human Reliability HR-H3 Yes HR-26 Response: Dependency analysis of multiple recovery HFEs in a sequence Met With REV5 HR-R16 Analysis has not been systematically performed - refer to F&O HR-06. This will be met Model Update with the REV5 HRA update

Human Reliability HR-I1 Partial HR-28, HR-30 Response: Documentation of the HRA is contained in PLG-0675 Vol.4 Met With REV5 HR-R17 Analysis Section 14, the IPEEE, and assessment PRA-99-0tO. Enough detail is Model Update contained in these documents to understand the STP HRA. Some of the documentation specified in this supporting requirement is not available for certain SRs. Examples include:

1) documentation of pre-initiator screening - see F&O HR-01, 2) dependency analysis - see F&O HR-06, 3) summarized source of timing information, and 4) basis for minimum probability for multiple HEPs occurring in a sequence. [CR 04-13754-2-10]

Data Analysis DA-A1 Yes DA-04, DA-05, Response: Component boundaries for data, common cause factors, Met SY-R8, SY-R14 DA-15, SY-08, unavailability, etc. are included in the Data Analysis notebook and in RAsCal F&O DA-02, SY-03 SY-14 System guidelines.

Data Analysis DA-A2 No Response: Binomial and Poisson distributions are used appropriately. Met

Data Analysis DA-A3 Yes DA-04, DA-05, Response: parameters to be estimated and the data required are identified. Met DA-R3, SY-R8 DA-06, DA-07, F&O DA-02 SY-08

Data Analysis DA-B1 Yes DA-05 Response: Components are grouped according to type, mission type, and Category 2 service condition.

Data Analysis DA-B2 Yes DA-06 Response: Obvious outliers are not included in data analysis. Met Category 1

Data Analysis DA-C1 Yes DA-07, Response: Generic parameter estimates are from recognized data sources Met DA-R3, DA-R8, DA-09, DA-19, including NUREGs. DA-R6 DA-20 F&O DA-02, DA-03, DA-04

Data Analysis DA-C2 Yes DA-04, DA-05, Response: Plant specific data is collected by groups and by component Met DA-R3, DA-R12 DA-06, DA-07, DA-R6, MU-R4 DA-14, DA-15, F&O DA-02, DA-DA-19, DA-20, 03, DA-04 MU-05

Data Analysis DA-C3 Partial DA-04, DA-05, Response: Plant specific information is collected from as broad a time period Met DA-R3, MU-R4 DA-06, DA-07, as possible. Initiating event data is from initial criticality. Component failure F&O DA-02 MU-05 and maintenance data is from information collected in support of the Maintenance Rule.

Data Analysis DA-C4 No Response: Identification of component events as failures is based upon Met reviews performed to support the Maintenance Rule. Discussions with the system engineers on the specific details of the failure ensure correct representation of the condition.

Data Analysis DA-C5 No Response: Repeated component failures in a short period of time would be Met counted as a single event under the Maintenance Rule.

Data Analysis DA-C6 Yes DA-06, DA-07 Response: Demands are based primarily on surveillance tests and actual Met DA-R3 demands.

Data Analysis DA-C7 Yes DA-06, DA-07 Response: Number of surveillance tests and planned maintenance activities Met DA-R3 are based upon actual plant experience.

Data Analysis DA-C8 No Response: The time that components were configured in their standby status Met is based upon reasonable assumptions of support system operating status.

Data Analysis DA-C9 Yes DA-04, DA-06, Response: Operational time is based on estimates of surveillance test times Met DA-R3 DA-07 and actual plant experience. Category 1 F&O DA-02

Data Analysis DA-C10 No Response: Surveillance test procedures are reviewed and credited Met appropriately for demands in the system notebooks.

Data Analysis DA-C11 No Response: Maintenance unavailabilities have been updated based on Met RAsCal data. RAsCal data meets this requirement.

Data Analysis DA-C12 No Response: Maintenance unavailabilities have been updated based on Met RAsCal data. RAsCal data meets this requirement. Category 2

Data Analysis DA-C13 No Response: Coincident maintenance unavailabilities are updated based on Met data. RAsCal data meets this requirement. RAsCal

Data Analysis DA-C14 Yes DA-15, AS-16, Response: Maintenance unavailabilities have been updated based on Met AS-R6, SY-R24 SY-24 RAsCal data. RAsCal data meets this requirement

Data Analysis DA-C15 Yes DA-15, IE-13, Response: Repair times for support system initiators are not included in the Met IE-R10, IE-R13, IE IE-15, IE-16, PRA. Recovery times for LOOP are based on generic industry information R7, AS-R6, SY-AS-16, SY-24, and grid specific information for the grid in the STP area. R24 QU-18

Data Analysis DA-D1 No Response: Realistic parameter estimates are used for significant basic Met events. A Bayesian update process is used to calculate parameter estimates. The update process for component failures is generally limited to components that have experienced failures over an update period (e.g., MRPSAF criteria exceeded).

Data Analysis DA-D2 No Response: STP's data variables have been developed consistent with this Met requirement. Most data is based on generic estimates or plant-specific updates.

Data Analysis DA-D3 Partial QU-30 Response: All STP data parameters include the mean value and statistical Category 2 QU-R10 parameters associated with a lognormal distribution as represented by a DPD.

Data Analysis DA-D4 No Response: When performing Bayesian updating, all of the attributes are Met reviewed. Category 2

Data Analysis DA-D5 Partial DA-08, DA-09, Response: STP's CCF parameters are based on the Multiple Greek Letter Category 2 DA-R7, DA-R8, DA-10, DA-11, model, which meets this requirement. DA-R9, DA-R10, DA-12, DA-13, DA-R11, DA-R12 DA-14 F&O DA-01

Data Analysis DA-D6 Partial DA-08, DA-09, Response: Realistic common cause failure probabilities consistent with plant Met with DA-R7, DA-R8, DA-10, DA-11, specific data are being incorporated into the current model update. The REV5 DA-R9, DA-R10, DA-12, DA-13, previous PRA models had not been updated with recent experience. DA-R11, DA-R12 DA-14 F&O DA-01

Data Analysis DA-D7 No Response: STP's model update process and design change impact review Category 2 ensures that appropriate data is used to support the system models.

Data Analysis DA-E1 Partial DA-01, DA-19, Response: STP's data update documentation lacks some of the Met with DA-R1, DA-R6 DA-20 requirements. The following documentation is to be generated to meet REV5 F&O DA-03, DA-04 the requirement:

(a) system and component boundaries used to establish component failure probabilities (c) sources for generic parameter estimates [illegible] assumptions made in the interpretation of data and the reasoning (based on engineering, systems modeling, operations [illegible]) supporting its use in parameter estimation (i) the rationale for any distributions used as priors for Bayesian updates, where applicable [CR 04-13754-3-3] Will be incorporated into the current model update

Internal Flooding IF-A1 No Response: Flooding areas are defined by all three items identified in the Met DE-R9, IF-R5 standard. F&O DE-06

Internal Flooding IF-A2 No Response: The Spatial Interactions Database covers this information. All Met DE-R9, IF-R6 equipment potentially affected by internal floods are identified. Since most of F&O DE-06 the internal flooding scenarios were screened out in the early screening process, spatial locations were not required. Only flood scenario, Z123-FW-01 required further analysis based on spatial information (Ref. IPE section 3.4.3.3). This scenario also screened out below the significance threshold.

Internal Flooding IF-A3 No Response: Spatial Interactions Database contains SSCs within flood areas. Met DE-R9, IF-R6 F&O DE-06

Internal Flooding IF-A4 No Response: A plant walkdown was performed to verify/obtain spatial Met DE-R9 information, SSCs and potential flood sources. Reference: Original PSA and F&O DE-06 IPE. This walkdown was recently repeated as part of the spatial database update.

Internal Flooding IF-B1 No Response: Flooding Sources are identified in Spatial Interactions Database. Met IF-R7 Identification is performed by analyzing the type of flooding source (e.g., Fire F&O DE-02 Hoses, Moderate/High Energy Lines, etc.). Reference Table D-3 in Original PRA.

Internal Flooding IF-B2 No Response: Corrected in flooding update walkdowns Met IF-R7 F&O DE-03

Internal Flooding IF-B3 No Response: Included in IPEEE and verified in flooding update. Met IF-R9 F&O DE-04

Internal Flooding IF-B4 No Remarks: Floor drains are credited for limiting the propagation of internal Met IF-R10 floods but not for limiting the effect on flooding of the room with which the F&O DE-04 drains are located. This is being reevaluated in the internal flood hazard update (on-going).

Internal Flooding IF-C1 No Response: Spatial Interactions Database contains multiple examples of flood Met IF-R11 propagation from one zone to another. It is assumed that propagation of F&O DE-01 water from one room to another will flood all equipment within the room and propagate to the lowest building level. This issue will be revalidated during the Spatial Interaction Database update.

Internal Flooding IF-C2 No Remarks: The STP PRA contains no internal flooding events, therefore, this NA IF-R12 is not an issue. Any justification for screening internal flooding scenarios is documented in the spatial interactions analysis.

Internal Flooding IF-C3 No Response: The Internal Flooding analysis in the original PRA and the IPE Met IF-R13 assume all equipment in an area is failed because of the flood. (See IPE Table 3.4.1.7 Equipment Susceptibility)

Internal Flooding IF-C4 No Response: Propagation pathways were developed from plant walk downs. Met IF-R14 No credit was given to operator with the exception of the Control Room (Manned 24 hours a day).

Internal Flooding IF-C5 No Remarks: This information is documented in the Spatial Interactions Met IF-R14 Database. There are no internal flooding scenarios that survived the screening process

Internal Flooding IF-C6 No Response: With the exception of floods within the Control Room, no human NA IF-R14 mitigation was credited.

Internal Flooding IF-D1 No Response: A structured, systematic process for developing the spatial Met interactions database was used. See section 8 in the original PRA for documentation.

Internal Flooding IF-D2 No Response: Flooding scenarios were binned into different classes (i.e., type of Met IF-R14 scenarios), including scenarios that result in initiating events. All internal flooding events were screened out early in the screening process. However, if further evaluation had been required, then systems alignments, including support systems, would have been performed. [The PRA fire analysis contains examples for plant configuration screening]

Internal Flooding IF-D3 No Response: No internal flooding scenarios required grouping of initiating NA events as all scenarios screened.

Internal Flooding IF-D4 No Remarks: STP does not have any shared systems or structures that would NA impact the internal flooding analysis.

Internal Flooding IF-D5 No Response: The flooding frequencies were developed from 2 sources: 1) LER Met IF-R15 database and then 2) updated/reanalyzed to support shutdown events at F&O DE-07 Seabrook (Ref PLG-0624). STP is currently in the process of updating the internal flooding frequencies with TR-1 1880, Piping System Failure Rates.

Internal Flooding IF-E1 No Remarks: The STP PRA contains no internal flooding scenarios, therefore, NA this is not an issue.

Internal Flooding IF-E2 No Remarks: The STP PRA contains no internal flooding scenarios, therefore, NA F&O DE-04 this is not an issue.

Internal Flooding IF-E3 No Remarks: The STP PRA contains no internal flooding scenarios, therefore, NA this is not an issue.

Internal Flooding IF-E4 No Remarks: The STP PRA contains no internal flooding scenarios, therefore, NA this is not an issue.

Internal Flooding IF-E5 No Remarks: The STP PRA contains no internal flooding scenarios, therefore, NA IF-R12 this is not an issue.

Internal Flooding IF-E6 No Remarks: The STP PRA contains no internal flooding scenarios, therefore, NA IF-R12 this is not an issue.

Internal Flooding IF-E7 No Remarks: The STP PRA contains no internal flooding scenarios, therefore, NA F&O DE-09 this is not an issue.

Internal Flooding IF-F1 No Remarks: The Spatial Interactions Database is well documented. The WOG Met PRA Peer resulted in a Level of Significance of 'S' with the following documentation: In all aspect of spatial dependencies, the STPEGS PRA (in 1988) performed a rigorous hazard analysis which considered jet water, spray water, explosive canisters, equipment drops, high temperatures and missiles. The work was largely completed in an extensive walk down. All rooms were walked down and documented.

Internal Flooding IF-F2 No Remarks: This information is documented in the IPE and Original PSA Met including Table D-6.

Quantification QU-A1 Yes AS-04, AS-05, Response: Accident sequence delineation, system models, data, and HRA in Met AS-R1, AS-R2, AS-Analysis AS-06, AS-07, the quantification process for each initiating event group, accounting for R3, AS-R12 AS-08, AS-9, system dependencies, to arrive at accident sequence frequencies are F&O AS-01, AS-03, AS-10, AS-19 integrated. AS-09, AS-10, SY-06, AS-06, AS-04, TH-04, AS-05, AS-07

Quantification QU-A2 Yes QU-08 Response: Conditional split fractions used in the event tree quantification Category 2 QU-R13 Analysis process incorporate the effects of 'The State of Knowledge' dependence in F&O AS-10 component failure data.

Quantification QU-A3 Yes QU-04, QU-08, Response: Contributors to CDF are discriminated in the RISKMAN software Met QU-R13, QU-R1, Analysis QU-09, QU-10, to the level of detail in the models. QU-R2 QU-11, QU-12, F&O AS-10, HR-06, QU-13 HR-07, QU-05

Quantification QU-A4 Yes QU-18, QU-19 Response: Recovery is credited in STP PRA primarily in the Event Trees. Met QU-R4 Analysis See the event tree notebooks. Most operator recovery top events start with letter 'O.' Recovery for the support system initiators is included in the initiating event fault trees.

Quantification QU-B1 Yes QU-04, QU-05, Response: RISKMAN software used and sensitivity cases after quantification Met F&O QU-01 Analysis QU-06 using different methodologies are performed to insure appropriate solutions. User group tracks the limitations of the code and known problems and resolutions

Quantification QU-B2 Yes QU-21, QU-22, Response: Sensitivity studies are performed at various cutoff frequencies to Met QU-R5, QU-R6, Analysis QU-23, QU-24 insure stable results for final solution. See Level 1 and Level 2 Quantification QU-R8 Notebooks. The current model cutoff frequency for sequences is 1E-12, sensitivity studies to 1E-14 confirm convergence on CDF. System level cutset cutoff frequencies are limited and are appropriate for the cutset results. The highest cutoff frequency used is I E-1 8

Quantification QU-B3 Partial QU-19, QU-22, Response: Sensitivity studies are performed at various CDF cutoff Met QU-R4, QU-R5, Analysis QU-24 frequencies from 1e-10 to 1e-14 to insure stable results for final solution. QU-R6

Quantification QU-B4 Yes QU-04 Response: RISKMAN software uses both min cut and rare event Met Analysis approximation solutions. Sensitivity studies are performed to insure reasonable results.

Quantification QU-B5 Yes QU-14 Response: Circular logic is quantified in the event trees using quantification Met QU-R3 Analysis macros (ECW and diesel generators) or modeled conservatively (AC and DC power)

Quantification QU-B6 Yes QU-04, QU-20, Response: Success and failure branches are quantified in RISKMAN Met QU-R15, AS-R3 Analysis QU-25, AS-08, models. F&O AS-06, AS-04, AS-9 TH-04

Quantification QU-B7 Yes QU-26 Response: Mutually exclusive events are excluded during model Met QU-R7 Analysis development.

Quantification QU-B8 No Response: Not directly applicable to RISKMAN models. 'Logic flags' in Met Analysis event trees are typically macros like those found in PMET event tree are either set to failure by the associated logic statements or are by definition "Not Failed". In system fault trees, 'Logic Flags' are typically House events whose status is explicitly controlled by split fraction definition equations. See the various system notebooks or the event tree macros and split fraction rules.

Quantification QU-B9 Partial SY-09 Response: Shared components, etc. are included in 'Intermediate System' Met SY-R9 Analysis logic modules. The system level results are then used to develop and F&O SY-07 quantify train specific split fractions to ensure appropriate quantification.

Quantification QU-C1 Yes QU-10, QU-17, Response: Cutsets are not used in sequence quantification. HFEs have Met with HR-R16 Analysis HR-26 been appropriately developed for the current model update to ensure this REV5 F&O HR-06, HR-07 comments requirement is met. See HR Section comments specifically HR and F&O HR-06.

7, 8

Quantification QU-C2 Partial QU-10, QU-17 Response: See HR D5 and HR G7 Evaluation Met with F&O HR-06, HR Analysis REV5

Quantification Yes QU-20 Sequence information is directly linked in the current event tree Met -R15 Analysis logic.

Quantification QU-D1 Yes QU-08, QU-09, Response: Sequences are reviewed for consistency and correct logic Metwh & R13, QU-R1 Analysis QU-10, QU-11, development. All sequences > 1E-10 are reviewed. The results of the various QU-R2, QU-R3, QU-12, QU-13, risk ranking sensitivity results are reviewed for internal consistency. QU-R14 QU-14, QU-15, F&O AS-10, HR-QU-16, QU-17 06, HR-07, QU-02, QU-04, QU-05

Quantification QU-D2 Partial QU-27, QU-28, Response: Modeling assumptions that drive the results are being developed Met with QU-R9, SY-R22 Analysis SY-22 for the current model update. Previous models did not satisfy this REV5 F&O QU-03, HR-requirement. 04, HR-06

Quantification QU-D3 Yes QU-08, QU-11, Response: Quantification results have been compared with other similar Category 2 Met QU-R13 Analysis QU-31 Westinghouse plants. Other than physical plant differences (three vs. two F&O AS-10, QU-trains), results are consistent. 05, QU-02, QU-04 I CR 02-618-9-5

Quantification QU-D4 Yes QU-15 Response: Selected non-significant sequences are reviewed for consistency Met QU-R14 Analysis and correct modeling. Performed during the model quantification process.

Quantification QU-D5 Yes QU-08, QU-31 Response: See Level 1 Quantification Notebook for overall importance and Category 2 Met QU-R13 Analysis system level importance. See component importance for risk ranking of PRA F&O AS-10, QU-modeled components used in GQA exemption from special treatment 02, QU-04 application.

Quantification QU-E1 Yes QU-30 Response: Parameter uncertainty is included in system and event tree Met QU-R10 Analysis results. F&O QU-03

Quantification QU-E2 Yes QU-27, QU-28 Response: See F&O QU-03. Being incorporated into the current model Met with QU-R9 Analysis update. Was not performed for previous models. REV5 F&O QU-03

Quantification QU-E3 Partial QU-30 Response: Uncertainty is evaluated during model update process OPGP03- Category 2 QU-R10 Analysis ZA-0305. The state of knowledge correlation is accounted for. F&O QU-03

Quantification QU-E4 Partial QU-28, QU-29, Response: See F&O QU-03 Table A-1 response: Key assumptions I Met with QU-R10 Analysis QU-30 uncertainty as defined in Reg. Guide 1.200 not yet documented. Will be REV5 F&O QU-03, QU-02 incorporated into the current model update

Quantification Analysis | QU-F1 | Partial | QU-31, QU-32, QU-34 | Response: See Level 1 and Level 2 Quantification Notebooks for overall results, System Notebooks for system level results. Table A-1 response: part G significant basic events causing accident sequences to be non-significant is not yet documented. (Items (a) through (l) follow.) | Met with REV5 Items (c), (g), (h), and (l) | QU-R11; F&O QU-02, QU-04

(a) records of the process/results when adding non-recovery terms as part of the final quantification - Not directly applicable. Recovery is included in 'Recovery' event trees according to logic rules.

(b) records of the cutset review process - Level 1 and Level 2 Quantification Notebooks provide the record of the review.

(c) a general description of the quantification process including accounting for systems successes, the truncation values used, how recovery and post-initiator HFEs are applied - There is no general description of these items. The Quantification notebooks discuss truncation results, the Operator modeling notebook discusses HFEs

(d) the process and results for establishing the truncation screening values for final quantification demonstrating that convergence towards a stable result was achieved - Level 1 Quantification Notebook

(e) the total plant CDF and contributions from the different initiating events and accident classes - Level 1 and 2 Summary Notebooks.

(f) the accident sequences and their contributing cutsets - Level 1 and Level 2 Quantification Notebooks.

(g) equipment or human actions that are the key factors in causing the accidents to be non-dominant - Not yet identified.

(h) the results of all sensitivity studies - Included in GQA risk ranking process. Not identified in PRA model.

(i) the uncertainty distribution for the total CDF - In Level 1 Quantification Notebook.

(j) importance measure results - In Level 1 and Level 2 quantification notebooks and in the GQA risk ranking results.

(k) a list of mutually exclusive events eliminated from the resulting cutsets and their bases for elimination - Not applicable

(l) key assumptions used in the quai and a ent of"I thisk significance - Being incorporated into the current model revision. Not done for previous models

Quantification Analysis | QU-F2 | Yes | QU-31 | Response: See Level 1 and Level 2 Quantification Notebooks for overall results. Significant contributors and dominant sequences are described in Quantification Notebooks. | Category 2 Met |

Quantification Analysis | QU-F3 | Yes | QU-27, QU-28, QU-32 | Response: Key sources of uncertainty and key assumptions are not yet identified or analyzed in the current PRA model. Being incorporated in the current model revision. | Met with REV5 | QU-R9, QU-R11; F&O QU-03

Quantification Analysis | QU-F4 | Yes | QU-12, QU-13 | Response: Other than fire scenarios, there are no significant asymmetries in the model. Documented in fire results of IPEEE and thermolag analysis. | Met | QU-R2

Quantification Analysis | QU-F5 | Yes | QU-04, MU-07 | Response: RISKMAN program has been verified by the vendor SQA program and by site SQA evaluation of the model. Vendor retains all documentation 'proof' for code capability and yielding correct results. When a revision to the software takes place STP verifies same results with single model. | Met | MU-R5; F&O MU-04

Quantification Analysis | QU-F6 | No | | Response: See application analysis assessments, and PRA assumptions. | Met |

LERF Analysis | LE-A1 | Yes | L2-07, L2-08, L2-22, AS-14, AS2, AS-21, AS-22, AS-23 | Response: The physical characteristics of the Level 1 end-states that affect LERF analysis are included in the Level 2 Analysis notebook. | Met | L2-R4, AS-R5, AS-R9, AS-R10, AS-i 11; F&O L2-01, L2-02, L2-04, TH-01

LERF Analysis | LE-A2 | Yes | L2-07, L2-08, AS-21 | Response: The accident sequence characteristics that lead to the physical characteristics above are identified in the Level 2 Analysis notebook. | Met | L2-R4, AS-R9; F&O L2-01, L2-02

LERF Analysis | LE-A3 | Yes | L2-07, L2-08, L2-21 | Response: Accident sequences are not binned for use in Level 2 quantification. Transition event trees (PDS trees) are used to define quantification macros used in the Containment Event Tree. All Level 1 sequences are passed to the containment event trees. | NA | L2-R4; F&O L2-01, L2-02, L2-06

LERF Analysis | LE-A4 | Yes | L2-07, L2-08, L2-21, AS-20, AS-21 | Response: Level 1 information is transferred into the Level 2 model directly through event tree linking. | Met | L2-R4, AS-R9; F&O L2-01, L2-02, L2-06

LERF Analysis | LE-A5 | Yes | L2-08, L2-21, AS-20 | Response: Plant damage states are defined as described in the ASME standard, however, plant damage states are no longer used in the Level 1 model. All Level 1 sequences are passed to the Containment Event Tree. | Met | AS-R9; F&O L2-01, L2-02, L2-06

LERF Analysis | LE-B1 | Yes | L2-08, L2-10, L2-15, L2-16, L2-17, L2-19 | Response: Credible LERF contributors as identified in ASME Table 4.5.9-3 are included in the Level 2 Analysis. | Category 2 | L2-R6, L2-R7, L2-R3; F&O L2-01, L2-02, L2-03

LERF Analysis | LE-B2 | Yes | L2-13, L2-14 | Response: Containment challenges are determined in a realistic manner. | Category 2 | L2-R7; F&O L2-03

LERF Analysis | LE-B3 | Yes | L2-14, L2-15, ST-04 | Response: Plant specific T/H analysis were used in the development of the containment response model. [Note requirement deleted in S2003] | Category 2 Met [NA] | L2-R7, ST-R2; F&O TH-03

LERF Analysis | LE-C1 | Yes | L2-24 | Response: Containment event trees are developed to quantify the likelihood of release. | Met | L2-R8

LERF Analysis | LE-C2 | Yes | L2-09, L2-12, L2-25 | Response: Operator actions to restore offsite power are credited in the Level 2 model. | Category 2 Met | L2-R5; F&O L2-05

LERF Analysis | LE-C3 | Yes | L2-08, L2-24, L2-25 | Response: Branch points in the Containment Event Tree provide a realistic estimate of the LERF frequency | Category 2 | L2-R8; F&O L2-01, L2-02, L2-05

LERF Analysis | LE-C4 | Yes | L2-04, L2-05, L2-6 | Response: The Containment Event Tree quantification uses a combination of realistic and conservative success criteria based on reviews of other Level 2 analyses. | Category 2 | L2-R3, L2-R3; F&O L2-01, L2-02, L2-04

LERF Analysis | LE-C5 | Yes | L2-07, L2-11, L2-25, AS-20, AS-21 | Response: System models that support Level 2 analysis requirements satisfy the requirements of para. 4.5.4. | Met | L2-R4, AS-R9; F&O L2-05

LERF Analysis | LE-C6 | Yes | L2-12, L2-24, L2-25 | Response: HFEs that support the Level 2 analysis requirements satisfy the requirements of para. 4.5.5. | Met | L2-R8; F&O L2-05

LERF Analysis | LE-C7 | Yes | L2-7, L2-11, L2-12, L2-24 | Response: Accident sequence dependencies are included as appropriate | Met | L2-R4, L2-R8; F&O L2-05

LERF Analysis | LE-C8 | Yes | L2-11, L2-12 | Response: Environmental effects are treated in a realistic manner in the Level 2 analysis model. | Category 2 | F&O L2-05

LERF Analysis | LE-C9 | Yes | L2-11, L2-12, L2-16, L2-24, L2-25, AS-20 | Response: Containment failure impacts are treated in a realistic manner in the Level 2 analysis. | Category 2 | L2-R3, L2-R8, AS-R9; F&O L2-05

LERF Analysis | LE-C10 | No | | Response: Containment bypass is treated in a realistic manner. No credit is taken for scrubbing for a containment bypass. | Category 2 |

LERF Analysis | LE-D1 | Yes | L2-14, L2-15, L2-16, L2-17, L2-18, L2-19, L2-20, ST-05, ST-6 | Response: A realistic containment response analysis has been completed that supports the accident response models. | Category 2 | L2-R7, L2-R3, L2-R8; F&O L2-01, L2-02, L2-03

LERF Analysis | LE-D2 | No | | Response: Failure locations are based on a realistic containment response analysis. | Category 2 |

LERF Analysis | LE-D3 | Yes | IE-14, ST-09 | Response: A realistic interfacing systems LOCA analysis including consideration of piping, relief valves, heat exchangers, pump seals, etc. is included in the Level 2 analysis. | Category 2 | IE-R6, ST-R3; F&O IE-02, IE-03, ST-01

LERF Analysis | LE-D4 | No | | Response: A realistic analysis of secondary side isolation is included in the plant PRA. | Category 2 |

LERF Analysis | LE-D5 | No | | Response: Induced SGTR is treated in a realistic manner. Plant specific MAAP analyses support the treatment of ISGTR. | Category 2 |

LERF Analysis | LE-D6 | Yes | L2-16, L2-18, L2-19, L2-24, L2-25 | Response: Containment isolation is treated in a realistic manner. Consideration is given to safety systems without automatic isolation capability. | Category 2 | L2-R3, L2-R7, L2-R8; F&O L2-03, L2-05

LERF Analysis | LE-E1 | No | L2-05, L2-11, L2-12 | Response: Parameter values are selected consistent with the requirements of para. 4.5.5 and 4.5.6. | Met | L2-R3; F&O L2-01, L2-02, L2-04, L2-05

LERF Analysis | LE-E2 | | L2-12, L2-13, L2-17, L2-18, DA-04, HR-15, L2-19, L2-20 | Response: Realistic parameter estimates are used in the accident progression estimates. | Category 2 | L2-R7, L2-R8; F&O L2-01, L2-02, L2-03, DA-02

LERF Analysis | LE-E3 | No | QU sub-elements applicable to LERF | Response: LERF is quantified consistent with the requirements of para. 4.5.8 | Met |

LERF Analysis | LE-F1 | Yes | QU-08, QU-09, QU-10, QU-11, QU-31 | Response: Importance analysis is used to identify the significant contributors to LERF. | Category 2 Met | QU-R13; F&O AS-10, HR-06, HR-07, QU-02, QU-05

LERF Analysis | LE-F2 | No | QU-27 | Response: Uncertainty analyses, including sensitivity studies, are being performed for the current model update. | Category 2 Met with REV5 | QU-R9; F&O QU-03

LERF Analysis | LE-G1 | Partial | L2-26, L2-27, L2-28 | Response: The characteristics of accident sequences, binning information and plant damage states and their attributes are included in the model documentation. | Met | L2-R10

LERF Analysis | LE-G2 | Partial | L2-26, L2-27, L2-28 | Response: Containment failure modes, phenomena, equipment failures, and human actions considered in the development of the accident progression sequences are documented. | Met | L2-R9, L2-R10

LERF Analysis | LE-G3 | Partial | L2-26, L2-27, L2-28 | Response: Treatment of factors influencing containment challenges and containment capability, as appropriate for the level of detail of the analysis are documented. | Met | L2-R9, L2-R13

LERF Analysis | LE-G4 | Partial | L2-26, L2-27, L2-28 | Response: as appropriate for the level of detail of the analysis, (a) containment challenges treated (b) containment failure modes identified (c) containment event tree (CET) and basis for event tree nodes (d) containment capability and its basis (e) containment failure locations and probabilities (f) basis for parameter estimates | Met | L2-R9, L2-R10

LERF Analysis | LE-G5 | Partial | L2-26, L2-27, L2-28 | Response: (a) a general description of the quantification - in Level 2 Results documentation (b) key assumptions that affect the results - No Xt yi ti~de (c) the total plant LERF and contributions from the different plant damage states and accident classes - Included in Level 2 Results documentation (d) equipment or human actions that are significant basic events - Included in Level 2 Results documentation (e) the results of all sensitivity studies (as applicable) - Not yet complete | Met with REV5 (b) and (e) | L2-R9, L2-R10

LERF Analysis | LE-G6 | Partial | L2-26, L2-27, L2-28 | Response: Detailed description of significant contributors to LERF are provided | Category 2 Met | L2-R9, L2-R10

LERF Analysis | LE-G7 | Partial | L2-26, L2-27, L2-28 | Response: Sources of uncertainty are not yet documented -finolmod | Met with REV5 | L2-R9, L2-R10

LERF Analysis | LE-G8 | Partial | L2-26, L2-27, L2-28 | Response: Limitations on use of the Level 2 model in applications are not yet identified | Met with REV5 | L2-R9, L2-R10

NOC-AE-06001994 Addendum 1 Application of Risk-Informed Completion Times to Electrical Components

In the review of risk-informed Technical Specification (TS) changes proposed by STPNOC that would allow a "floating" risk-informed completion time with a 30-day backstop (Initiative 4B), the NRC Electrical Systems Branch reviewers asked several questions related to the application of the proposed TS to electrical systems. STPNOC agreed to prepare a response that describes how the Initiative 4B changes will be applied to electrical components.

General Comments on Application of TS 3.13.1

Events that result in a de-energized bus or discharging batteries will be addressed and the plant stabilized before there would be any consideration of whether the allowed outage time for the component can be extended. This is consistent with the requirements in the proposed RMTS Guidelines.

Application to an ESF Bus (TS 3.8.1.1 ACTION a and ACTION e)

STP Normal Configuration

Description:

Each of the three Class 1E 4.16 kV busses for each STP unit is fed from its associated non-class 13.8 kV Standby bus through its associated non-class 1E 13.8 kV - 4.16 kV Auxiliary ESF Transformer. Two of the three 13.8 kV Standby busses are energized from the Unit's Standby Transformer and the other 13.8 kV Standby bus is energized from the Unit Auxiliary Transformer (UAT). Power to the Unit 1 Standby Transformer comes from the North Bus in the switchyard. Power to the Unit 2 Standby Transformer is from the South Bus. Power to each unit's UAT is from the unit's main transformer. The generator breaker arrangement is such that on generator trip, only the generator breaker opens and the offsite power connection to the ESF bus that is energized from the UAT is not interrupted. The Standby Transformers and the busses they supply are not affected by the trip.

Each UAT is capable of supplying all three of the unit's ESF busses and all non-ESF busses.

Each Standby Transformer is capable of supplying all three ESF busses on both units. Although a unit's ESF busses are normally aligned to its own associated UAT and Standby Transformer, the ESF busses may also be aligned to the other unit's Standby Transformer. All line-ups are done manually from the control room.

An off-site source is operable if it is capable of supplying the required power to one or more ESF busses. The off-site sources are independent as long as all of a unit's ESF busses are not powered from a single UAT or Standby Transformer and the switchyard configuration or condition is not such that a single fault will cause a loss of both transformers supplying the ESF busses.

Alternate Sources of Power for the ESF Bus:

In addition to the alignments described above, the Station Emergency Transformer is capable of powering one ESF bus on each unit. STP has conservatively not credited the Emergency Transformer as an independent off-site source. Emergency power to the ESF bus is provided by its associated standby diesel generator (SDG).

Conditions for Entry into TS 3.8.1.1 ACTION a:

ACTION a establishes a 72-hour required completion time if one of the two required circuits between the off-site transmission network and the on-site Class 1E distribution system is inoperable.

ACTION a may apply for either planned work or an emergent condition. The conditions that would require entry into the action include the following:

  • A configuration where an ESF bus is powered from a source other than a Standby Transformer or the UAT (e.g., from the Emergency Transformer or its associated SDG)
  • A configuration where all the ESF busses on a unit are powered from a single UAT or Standby Transformer
  • A condition or configuration in the switchyard where a single fault will cause a loss of power to all ESF busses on a unit
  • A condition where a properly aligned and energized ESF bus is determined not to be in conformance with its design basis such that it is inoperable (e.g., found not to be seismically qualified)

The first bullet above could involve a de-energized 4.16 kV ESF bus. A loss of off-site power to the bus will cause the associated SDG to start and load, which is included in the second bullet.

STPNOC would not normally plan an at-power work activity that de-energizes the 4.16 kV ESF bus.

The other examples describe conditions where the ESF bus is energized, but the TS action must be applied because the off-site sources are aligned such that they are not independent or an ESF bus is degraded. Although entry into the TS action may be caused by a degraded or non-conforming condition of the ESF bus, the most likely reason for entering the action is a condition or work activity involving the switchyard or one of the transformers.

Proposed changes to ACTION a would permit STPNOC to extend the 72-hour allowed outage time in accordance with the requirements of proposed TS 3.13.1.

Table 2 of STPNOC's August 2, 2004 application depicts a 30-day backstop risk-informed completion time for a configuration involving loss of a single ESF bus. The calculation for the completion time is based on the availability of an alternate source to energize the 4.16 kV ESF bus. TS 3.13.1 will be applied only in those cases where the availability of the alternate source of power is modeled and the risk assessment can be quantified. The STP PRA model includes the preferred sources (Standby Transformers, UAT), the SDG, and the Emergency Transformer.

Conditions for Entry into TS 3.8.1.1 ACTION e:

ACTION e establishes a 24 hour required completion time if two required circuits between the off-site transmission network and the on-site Class 1E distribution system are inoperable.

Two required circuits would be considered inoperable if any of the following conditions are met:

  • Loss of a 13.8 kV Standby Bus to 4.16 kV ESF Bus line while in a configuration where ACTION a applies
  • A condition where two or more properly aligned and energized ESF busses are determined not to be in conformance with the design basis such that they are inoperable

TS Note 1 (cited above) does not reflect STP's three-train design. With the loss of two 13.8 kV Standby bus to 4.16 kV ESF lines, STP still has one 13.8 kV Standby to 4.16 kV ESF connection.

STPNOC believes any condition where entry into ACTION e is required would be the result of an emergent condition.

The first two conditions would result in either a de-energized ESF bus or one or more ESF busses powered from their associated SDG. If the condition involves a loss of the UAT, the SDG will pick up the ESF loads; however, the reactor will trip on reactor coolant pump (RCP) undervoltage/underfrequency or RCS low flow because the reactor coolant pumps will lose power and coast down. Loss of the Standby Transformer should not result in a reactor trip.

If the condition is the result of a loss of offsite power (LOOP) or partial LOOP, the operators will be taking action to establish stable plant conditions from the transient as a priority before any consideration of applying TS 3.13.1 to extend the completion time. One of those actions will most likely be securing the SDG and energizing the ESF bus from a preferred source, at which time the configuration will be the same as the condition addressed by ACTION a.

ACTION e also imposes a 72-hour completion time, consistent with ACTION a. STPNOC proposes to delete the 72-hour portion of ACTION e as an administrative change that eliminates the potential for being in ACTION a and ACTION e at the same time.

STPNOC proposes to allow application of TS 3.13.1 to TS 3.8.1.1.e.

Application to Batteries and Battery Chargers (TS 3.8.2.1):

TS 3.8.2.1 requires four channels of batteries and associated chargers. If a required battery bank is inoperable or if the battery bank has no operable charger, the TS requires the function be restored in two hours or the plant must be shutdown. TS 3.0.3 currently applies in the event of inoperability of more than one channel.

STPNOC proposes to allow the application of TS 3.13.1 to extend the two-hour completion time for batteries or battery chargers.

Since the batteries provide the power for the field flashing for the emergency diesel generator, an emergent condition where a train of batteries is carrying the associated DC bus with no power to either of the battery chargers could indicate an in-progress loss of off-site power transient in which the emergency diesel generator for the affected ESF train did not start or is not available.

STPNOC does not believe it is appropriate to apply TS 3.13.1 to extend the allowed outage time during an ongoing emergent transient condition.

Discharge of the battery banks supporting the Channel II and Channel IV DC loads will not result in a plant trip or transient; however, STPNOC would not normally permit continuous discharge of a battery in an emergent condition (provided power to one of the chargers is available) or plan a work activity that involved an extended discharge of a battery bank.

Discharge of the battery banks supporting Channel I and Channel III will not result in an immediate plant trip; however, a plant trip on low steam generator level will result after a loss of DC power as the Feedwater Isolation Valve hydraulic control system pressure bleeds off and the valves close. The evolution of the event provides the operators with an opportunity to anticipate this trip and it can be avoided with timely local operator action. As discussed in the General Comments, it is not STPNOC's intent to use TS 3.13.1 to extend the allowed outage time for configurations where the battery bank is the sole source of power available for the loads on the DC bus. A note has been added to TS 3.8.2.1 to restrict the application of TS 3.13.1 for these conditions. The note states:

Specification 3.13.1 may not be entered for batteries or chargers when the batteries are the sole source of available power to their DC bus. If the batteries discharge for more than 2 hours as the sole source of power to their DC bus while Specification 3.13.1 is being applied and no alternate source of power is available, the Specification 3.13.1 LCO shall be considered not met.

As stated in the response to Question 23, the DC bus could be energized through its associated batteries with its associated charger powered from an alternate source or from a temporary charger. With inoperable batteries, the DC bus can be energized through an operable charger or a temporary charger. TS 3.13.1 would allow appropriate consideration of these alternatives in determining an allowed outage time.

Application to Onsite Power Distribution (TS 3.8.3.1):

ACTION a establishes a completion time of eight hours to restore a train of AC ESF busses that is not fully energized. STP has three independent trains of ESF busses and there is no action for more than one train de-energized, so TS 3.0.3 would apply for that situation. For an emergent condition on either Train A or Train B, the consequences of a de-energized ESF train include the loss of power to the Channel I or Channel III battery chargers, respectively. As discussed above, without operator intervention a plant trip can result after a loss of DC power on these channels.

The Class 1E 480-volt AC distribution system is powered through a double ended load center which is supplied by separate breakers from the 4.16kV Class 1E load center via independent step down transformers. The step down transformers and breakers are sized to allow either transformer to carry the entire load center. The load center includes a tie breaker that allows powering of both sides of the load center from either transformer. Individual motor control centers and loads are fed from either side of the load center.

The design of the distribution system is such that each of the two battery chargers is supplied by motor control centers that are supplied by different sides of the 480-volt load center. The 125 VDC bus can be powered from either of the two battery chargers. This allows one side of the 480-volt load center to be taken out of service without affecting the operability of the DC system which only requires one charger for the system to be operable.

Conditions may arise where ACTION a is entered because a "downstream" bus (e.g. one half of the double ended 480-volt load center) has been de-energized by a fault or needs to be de-energized to perform maintenance. Due to the previously described redundancy, the eight hour completion time of ACTION a is unnecessarily restrictive and application of TS 3.13.1 is appropriate.

Each NSSS class 1E 120VAC distribution panel (DP1201, 1202, 1203 and 1204) is normally supplied by a dedicated static inverter. Backup power to the panel is supplied via a static transfer switch from a dedicated voltage regulating transformer. In the event AC power is lost to the inverter or the inverter AC-DC power section is lost, inverter loads are instantaneously picked up by the class 1E DC system. The class 1E DC system battery chargers are sized to carry the inverter load in addition to the other normal loads while keeping the battery fully charged.

Each TMI (post-accident monitoring) class 1E 120VAC distribution panel (DP001 and 002) is normally supplied by a dedicated static inverter. Backup power to the panel is supplied via a manual bus transfer switch from a dedicated voltage regulating transformer. The inverter and the voltage regulating transformer are supplied from the same motor control center. In the event AC power is lost to the inverter or the inverter AC-DC power section is lost, inverter loads are instantaneously picked up by the class 1E DC system. The class 1E DC system battery chargers are sized to carry the inverter load in addition to the other normal loads while keeping the battery fully charged.

ACTION b applies when a 120 VAC vital distribution panel is not energized from its associated inverter or with the inverter not connected to the DC bus. The action requires the panel to be energized within two hours and energized through its inverter and DC bus within 24 hours.

These completion times may be extended with the application of TS 3.13.1. The preceding discussions describe the redundancy that enables STPNOC to manage the configuration risk when ACTION b applies.

ACTION c applies when a DC bus is not energized from its associated battery bank and requires it to be re-energized from the battery bank within two hours. Power to the DC bus can also be provided by either of its associated chargers. The two-hour allowed outage time is not consistent with the redundancy available from the other DC channels and the low likelihood of a LOOP.

TS 3.8.3.1 ACTION c should be consistent with the ACTION for TS 3.8.2.1 for batteries and chargers. Consequently, it is appropriate to be able to apply TS 3.13.1 to extend the two-hour allowed outage time for either an emergent condition or a planned maintenance evolution for which the corrective action requires the battery bank to be disconnected from the DC bus.

NOC-AE-06001994 Attachment 2 Technical Specification Pages Affected by the RAI Responses

NOTE: The attached TS pages are provided for the staff's information to show how responses to several questions were addressed. They are NOT intended as the replacement pages for the STPNOC license amendment request. STPNOC will provide a complete set of marked-up TS pages in a revised license amendment request that will be submitted later.

NOC-AE-06001994 Attachment 2 TABLE 3.3-3 (Continued)

ENGINEERED SAFETY FEATURES ACTUATION SYSTEM INSTRUMENTATION

FUNCTIONAL UNIT | TOTAL NO. OF CHANNELS | CHANNELS TO TRIP | MINIMUM CHANNELS OPERABLE | APPLICABLE MODES | ACTION

6. Auxiliary Feedwater

a. Manual Initiation | 1/pump | 1/pump | 1/pump | 1, 2, 3 | 26

b. Automatic Actuation Logic | 2 | 1 | 2 | 1, 2, 3 | 22

c. Actuation Relays | 3 | 2 | 3 | 1, 2, 3 | 22

d. Stm. Gen. Water Level -- Low-Low Start Motor-Driven Pumps and Turbine-Driven Pump | 4/stm. gen. | 2/stm. gen. in any stm. gen. | 3/stm. gen. in each stm. gen. | 1, 2, 3 | 20

e. Safety Injection | See Item 1. above for all Safety Injection initiating functions and requirements.

f. Loss of Power (Motor Driven Pumps Only) | See Item 8. below for all Loss of Power initiating functions and requirements.

7. Automatic Switchover to Containment Sump****

a. Automatic Actuation Logic and Actuation Relays | 3-1/train | 1/train | 1/train | 1, 2, 3, 4 | 19A

b. RWST Level -- Low-Low | 3-1/train | 1/train | 1/train | 1, 2, 3, 4 | 19A

Coincident With: Safety Injection | See Item 1. above for all Safety Injection initiating functions and requirements.

NOC-AE-06001994 Attachment 2 TABLE 3.3-3 (Continued)

ACTION STATEMENTS (Continued)

2. With two less than the Minimum Channels OPERABLE requirement for RCB Purge Radioactivity-High, operation may continue provided the containment purge supply and exhaust valves are maintained closed.

c) MODE 6*0: With less than the Minimum Channels OPERABLE requirement for RCB Purge Radioactivity - High, apply the requirements of Technical Specification 3.9.9 for an inoperable Containment Ventilation Isolation System.

NOTE:

With one less than the Minimum Channels Operable requirement for RCB Purge Radioactivity-High, Supplementary or Normal containment purge supply and isolation valves may be open for up to 6 hours at a time for required purge operation provided the valves are under administrative control.

Response to 0.46.

ACTION 19 - a. With the number of OPERABLE channels Ej less than the Minimum Channels OPERABLE requirement, within 48 hours restore the inoperable channel to OPERABLE status or apply the requirements of Specification 3.13.1, or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.

b. With the number of OPERABLE channels more than one less than the Minimum Channels OPERABLE requirement, within 1 hour restore the inoperable channel to OPERABLE status or apply the requirements of Specification 3.13.1, or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.

ACTION 19A - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, within 48 hours restore the inoperable channel to OPERABLE status or apply the requirements of Specification 3.13.1, or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.

ACTION 20 - With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied:

a. For Functional Units with installed bypass test capability, the inoperable channel may be placed in bypass, and must be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

Note: A channel may be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing per Specification 4.3.2.1, provided no more than one channel is in bypass at any time.

b. For Functional Units with no installed bypass test capability,
1. The inoperable channel Is placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, and
2. The Minimum Channels OPERABLE requirement is met; however, the inoperable channel may be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing of other channels per Specification 4.3.2.1.

ACTION 20A - a.With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP andlor POWER OPERATION may proceed provided the following conditions are satisfied:

1. The Inoperable channel Is placed In the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, and SOUTH TEXAS - UNITS I & 2 3/4 3-27 Unit 1 - Amendment No Unit 2 - Amendment No.

EMERGENCY CORE COOLING SYSTEMS

3/4.5.2 ECCS SUBSYSTEMS - TAVG GREATER THAN OR EQUAL TO 350°F

LIMITING CONDITION FOR OPERATION

3.5.2 Three independent Emergency Core Cooling System (ECCS) subsystems shall be OPERABLE with each subsystem comprised of:

a. One OPERABLE High Head Safety Injection pump,
b. One OPERABLE Low Head Safety Injection pump,
c. One OPERABLE RHR heat exchanger, and
d. An OPERABLE flow path capable of taking suction from the refueling water storage tank on a Safety Injection signal and automatically transferring suction to the containment sump during the recirculation phase of operation through a High Head Safety Injection pump and into the Reactor Coolant System and through a Low Head Safety Injection pump and its respective RHR heat exchanger into the Reactor Coolant System.

APPLICABILITY: MODES 1, 2, and 3.*

ACTION:

a. With less than the above subsystems OPERABLE, but with at least two High Head Safety Injection pumps in an OPERABLE status, two Low Head Safety Injection pumps and associated RHR heat exchangers in an OPERABLE status, and sufficient flow paths to accommodate these OPERABLE Safety Injection pumps and RHR heat exchangers,** within 7 days restore the inoperable subsystem(s) to OPERABLE status within 7 days or apply the requirements of Specification 3.13.1, or be in at least HOT STANDBY within the next 6 hours and in HOT SHUTDOWN within the following 6 hours.

b. With less than two of the required subsystems OPERABLE, within 1 hour restore at least two subsystems to OPERABLE status or apply the requirements of Specification 3.13.1, or be in at least HOT STANDBY within the next 6 hours and in HOT SHUTDOWN within the following ...

"and" changed to "or" per response to

c. In the event the ECCS is actuated and injects water into the Reactor Coolant System, a Special Report shall be submitted within 90 days describing the circumstances of the actuation and the total accumulated actuation cycles to date.

The current value of the usage factor for each affected Safety Injection nozzle shall be provided in this Special Report whenever its value exceeds 0.70.

* The provisions of Specifications 3.0.4 and 4.0.4 are not applicable for entry into MODE 3 for the Safety Injection pumps declared inoperable pursuant to Specification 4.5.3.1.2 provided that the Safety Injection pumps are restored to OPERABLE status within 4 hours or prior to the temperature of one or more of the RCS cold legs exceeding 375°F, whichever comes first.

** Verify required pumps, heat exchangers and flow paths OPERABLE every 48 hours.

SOUTH TEXAS - UNITS 1 & 2 3/4 5-3 Unit 1 - Amendment No. 45I Unit 2 - Amendment No. -39

PLANT SYSTEMS

MAIN STEAM LINE ISOLATION VALVES

LIMITING CONDITION FOR OPERATION

3.7.1.5 Each main steam line isolation valve (MSIV) shall be ...

Reworded to respond to Q.17.

APPLICABILITY: ... MODES 1, 2, and 3

The mode applicability and action structure is changed from the original RAI response. However this is a format change only to match the description in Table 2 of the license amendment request.

ACTION:

a. With one MSIV inoperable but open, ... within 4 hours ... restore the inoperable valve ... to OPERABLE status, or apply the requirements of Specification 3.13.1 ...; otherwise be in HOT STANDBY within the next 6 hours and in HOT SHUTDOWN within the following 6 hours.

b. With more than one MSIV inoperable, within 1 hour close or restore at least three valves to OPERABLE status, or apply the requirements of Specification 3.13.1; otherwise be in HOT STANDBY within the next 6 hours and in HOT SHUTDOWN within the following 6 hours.

SURVEILLANCE REQUIREMENTS

4.7.1.5 Each MSIV shall be demonstrated OPERABLE by verifying full closure within 5 seconds when tested pursuant to Specification 4.0.5. The provisions of Specification 4.0.4 are not applicable for entry into MODE 3.

3/4.8 ELECTRICAL POWER SYSTEMS

3/4.8.1 A.C. SOURCES

OPERATING

No Changes

LIMITING CONDITION FOR OPERATION

3.8.1.1 As a minimum, the following A.C. electrical power sources shall be OPERABLE.

a. Two physically independent circuits between the offsite transmission network and the onsite Class 1E Distribution System('), and
b. Three separate and independent standby diesel generators, each with a separate fuel tank containing a minimum volume of 60,500 gallons of fuel, and an automatic load sequencer.

APPLICABILITY: MODES 1, 2, 3, and 4.

ACTION:

a. With one offsite circuit of the above-required A.C. electrical power sources inoperable, demonstrate the OPERABILITY of the remaining A.C. sources by performing Surveillance Requirement 4.8.1.1.1.a within 1 hour and at least once per 8 hours thereafter. Within 72 hours restore the offsite circuit to OPERABLE status within 72 hours or apply the requirements of Specification 3.13.1, or be in at least HOT SHUTDOWN within the next 12 hours and in COLD SHUTDOWN within the following 24 hours.
b. With a standby diesel generator inoperable, demonstrate the OPERABILITY of the above-required A.C. offsite sources by performing Surveillance Requirement 4.8.1.1.1.a within 1 hour and at least once per 8 hours thereafter. If the standby diesel generator became inoperable due to any cause other than an inoperable support system, an independently testable component, or preplanned preventive maintenance or testing, demonstrate the OPERABILITY of the remaining OPERABLE standby diesel generators by performing Surveillance Requirement 4.8.1.1.2.a.2) for each such standby diesel generator separately within 8 hours, unless it can be demonstrated there is no common mode failure for the remaining diesel generator(s). Within 14 days restore the inoperable standby diesel generator to OPERABLE status within 14 days or apply the requirements of Specification 3.13.1, or be in at least HOT SHUTDOWN within the next 12 hours and in COLD SHUTDOWN within the following 24 hours. (12)
c. With one offsite circuit of the above-required A.C. electrical power sources and one standby diesel generator inoperable, demonstrate the OPERABILITY of the remaining A.C. sources by performing Specification 4.8.1.1.1a. within 1 hour and at least once per 8 hours thereafter; and if the standby diesel generator became inoperable due to any cause other than an inoperable support system, an independently testable component, or preplanned preventive

SOUTH TEXAS - UNITS 1 & 2 3/4 8-1 Unit 1 - Amendment No. 86 Unit 2 - Amendment No. 72, 148

ELECTRICAL POWER SYSTEMS

LIMITING CONDITION FOR OPERATION

ACTION (Continued)

maintenance or testing, demonstrate the OPERABILITY of the remaining OPERABLE standby diesel generator(s) by performing Surveillance Requirement 4.8.1.1.2a.2) within 8 hours, unless it can be demonstrated there is no common mode failure for the remaining diesel generators; within 12 hours restore at least one of the inoperable sources to OPERABLE status within 12 hours or apply the requirements of Specification 3.13.1, or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours. Restore at least two offsite circuits to OPERABLE status within 72 hours and three standby diesel generators to OPERABLE status within 411 days from the time of initial loss or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.(12)

d. ...

1. All required systems, subsystems, trains, components, and devices that depend on the remaining OPERABLE diesel generators as a source of emergency power are also OPERABLE, and

2. When in MODE 1, 2, or 3, the steam-driven auxiliary feedwater pump is OPERABLE.

If these conditions are not satisfied within 21 hours be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.

e. With two of the above required offsite A.C. circuits inoperable, within 24 hours restore at least one of the inoperable offsite sources to OPERABLE status within 24 hours or apply the requirements of Specification 3.13.1, or be in at least HOT STANDBY within the next 6 hours. With only one offsite source restored, restore at least two offsite circuits to OPERABLE status within 72 hours from time of initial loss or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.
f. With two or three of the above required standby diesel generators inoperable, demonstrate the OPERABILITY of two offsite A.C. circuits by performing the requirements of Specification 4.8.1.1.1a. within 1 hour and at least once per 8 hours thereafter; ... restore at least one standby diesel generator to OPERABLE status within 24 hours or apply the requirements of Specification 3.13.1, or at least two standby diesel generators to OPERABLE status within 41 hours or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours. Restore at least three standby diesel generators to OPERABLE status within 11 days from time of initial loss or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.(12)

Response to 7/2004 Q.14 and 6/2005 Q.37.

SOUTH TEXAS - UNITS 1 & 2 3/4 8-2 Unit 1 - Amendment No. 85 Unit 2- Amendment No. 72, 148

ELECTRICAL POWER SYSTEMS

3/4.8.2 D.C. SOURCES

OPERATING

LIMITING CONDITION FOR OPERATION

3.8.2.1 As a minimum, the following D.C. electrical sources shall be OPERABLE:

a. Channel I 125-volt Battery Bank E1A11 (Unit 1), E2A11 (Unit 2) and one of its two associated chargers,
b. Channel II 125-volt Battery Bank E1D11 (Unit 1), E2D11 (Unit 2) and one of its two associated full capacity chargers,
c. Channel III 125-volt Battery Bank E1B11 (Unit 1), E2B11 (Unit 2) and one of its two associated full capacity chargers, and
d. Channel IV 125-volt Battery Bank E1C11 (Unit 1), E2C11 (Unit 2) and one of its two associated chargers.

APPLICABILITY: MODES 1, 2, 3, and 4

The Note is added in response to Q.23.

ACTION:

NOTE: ... source of available power to their DC bus. If the batteries discharge for more than 2 hours as the source of power to their DC bus while Specification 3.13.1 is being applied and no alternate source of power is available, the Specification 3.13.1 LCO shall be considered not met.

a. With one of the required battery banks inoperable, within 2 hours restore the inoperable battery bank to OPERABLE status or apply the requirements of Specification 3.13.1, ... or be in at least HOT STANDBY within ... SHUTDOWN within the following 30 hours.

Response to Q.38

b. With more than one of the required battery banks inoperable, within 1 hour restore at least three battery banks to OPERABLE status or apply the requirements of Specification 3.13.1 or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.
c. With one channel with no battery chargers for a channel OPERABLE, within 2 hours restore at least one battery charger to OPERABLE status within 2 hours or apply the requirements of Specification 3.13.1, or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.
d. With more than one channel with no battery chargers for a channel OPERABLE, within 1 hour restore at least one battery charger to OPERABLE status on at least three channels or apply the requirements of Specification 3.13.1, or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.

SURVEILLANCE REQUIREMENTS

4.8.2.1 Each 125-volt battery bank and charger shall be demonstrated OPERABLE:
a. At least once per 7 days by verifying that:
1) The parameters in Table 4.8-2 meet the Category A limits, and
2) The total battery terminal voltage is greater than or equal to 129 volts on float charge.

SOUTH TEXAS - UNITS 1 & 2 3/4 8-10 Unit 1 - Amendment No. 4r73 Unit 2 - Amendment No. 62

ELECTRICAL POWER SYSTEMS

NO CHANGES

3/4.8.3 ONSITE POWER DISTRIBUTION

OPERATING

LIMITING CONDITION FOR OPERATION

3.8.3.1 The following electrical busses shall be energized in the specified manner:

a. Train A A.C. ESF Busses consisting of:
1) 4160-Volt ESF Bus # E1A (Unit 1), E2A (Unit 2), and
2) 480-Volt ESF Busses # E1A1 and E1A2 (Unit 1), E2A1 and E2A2 (Unit 2) from respective load center transformers.
b. Train B A.C. ESF Busses consisting of:
1) 4160-Volt ESF Bus # E1B (Unit 1), E2B (Unit 2), and
2) 480-Volt ESF Busses # E1B1 and E1B2 (Unit 1), E2B1 and E2B2 (Unit 2) from respective load center transformers.
c. Train C A.C. ESF Busses consisting of:
1) 4160-Volt ESF Bus # E1C (Unit 1), E2C (Unit 2), and
2) 480-Volt ESF Busses # E1C1 and E1C2 (Unit 1), E2C1 and E2C2 (Unit 2) from respective load center transformers.
d. 120-Volt A.C. Vital Distribution Panels DP1201 and DP001 energized from their associated inverters connected to D.C. Bus # E1A11* (Unit 1), E2A11* (Unit 2),
e. 120-Volt A.C. Vital Distribution Panel DP1202 energized from its associated inverter connected to D.C. Bus # E1D11* (Unit 1), E2D11* (Unit 2),
f. 120-Volt A.C. Vital Distribution Panel DP1203 energized from its associated inverter connected to D.C. Bus # E1B11* (Unit 1), E2B11* (Unit 2),
g. 120-Volt A.C. Vital Distribution Panels DP1204 and DP002 energized from their associated inverters connected to D.C. Bus # E1C11* (Unit 1), E2C11* (Unit 2),
h. 125-Volt D.C. Bus E1A11 (Unit 1) E2A11 (Unit 2) energized from Battery Bank E1A11 (Unit 1), E2A11 (Unit 2),
i. 125-Volt D.C. Bus E1D11 (Unit 1) E2D11 (Unit 2) energized from Battery Bank E1D11 (Unit 1), E2D11 (Unit 2),
j. 125-Volt D.C. Bus E1B11 (Unit 1) E2B11 (Unit 2) energized from Battery Bank E1B11 (Unit 1), E2B11 (Unit 2), and
k. 125-Volt D.C. Bus E1C11 (Unit 1) E2C11 (Unit 2) energized from Battery Bank E1C11 (Unit 1), E2C11 (Unit 2).

* The inverter(s) associated with one channel may be disconnected from its D.C. bus for up to 24 hours as necessary, for the purpose of performing an equalizing charge on its associated battery bank provided: (1) its vital distribution panels are energized, and (2) the vital distribution panels associated with the other battery banks are energized from their associated inverters and connected to their associated D.C. busses.

SOUTH TEXAS - UNITS 1 & 2 3/4 8-14 Unit 1 - Amendment No. 4 Unit 2 - Amendment No.

ELECTRICAL POWER SYSTEMS

LIMITING CONDITION FOR OPERATION (Continued)

APPLICABILITY: MODES 1, 2, 3, and 4.

ACTION:

Response to Q.39.

a. With one of the required trains of A.C. ESF busses not fully energized, within 8 hours reenergize the train or apply the requirements of Specification 3.13.1 or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.
b. With more than one of the required trains of A.C. ESF busses not fully energized, within 1 hour reenergize at least two trains or apply the requirements of Specification 3.13.1, or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.
c. With one A.C. vital distribution panel either not energized from its associated inverter, or with the inverter not connected to its associated D.C. bus: (1) within 2 hours reenergize the A.C. distribution panel or apply the requirements of Specification 3.13.1, or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours; and (2) within 24 hours reenergize the A.C. vital distribution panel(s) from its associated inverter connected to its associated D.C. bus ... or apply the requirements of Specification 3.13.1, or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.
d. With more than one A.C. vital distribution panel either not energized from its associated inverter, or with the inverter not connected to its associated D.C. bus: (1) within 1 hour reenergize at least three A.C. distribution panels or apply the requirements of Specification 3.13.1, or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours; and (2) within 1 hour reenergize at least three A.C. vital distribution panels from their associated inverters connected to their associated D.C. bus or apply the requirements of Specification 3.13.1 or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.
e. With one D.C. bus not energized from its associated battery bank, within 2 hours reenergize the D.C. bus from its associated battery bank ...; or apply the requirements of Specification 3.13.1, or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.
f. With more than one D.C. bus not energized from its associated battery bank, within 1 hour reenergize at least three D.C. busses from their associated battery banks or apply the requirements of Specification 3.13.1, or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.

SURVEILLANCE REQUIREMENTS

4.8.3.1 The specified busses shall be determined energized in the required manner at least once per 7 days by verifying correct breaker alignment and indicated voltage on the busses.

SOUTH TEXAS - UNITS 1 & 2 3/4 8-15 Unit 1 - Amendment No.

Unit 2 - Amendment No.

3/4.13 RISK MANAGEMENT

3/4.13.1 ALLOWED OUTAGE TIME DETERMINATIONS

LIMITING CONDITION FOR OPERATION

3.13.1 When referred to this specification, equipment that has been declared inoperable shall be evaluated for its impact on plant risk and allowed outage times determined in accordance with the Configuration Risk Management Program.

APPLICABILITY: 1) MODE 1, 2, & 3, and

2) Conditions where a Loss of Function has not occurred

ACTION:
a. Within the allowed outage time of the referencing specification determine that the configuration is acceptable for extension beyond the allowed outage time for the referencing specification, AND
b. Within 12 hours determine that the configuration is acceptable for continued operation beyond the allowed outage time for the referencing specification whenever configuration changes occur that may affect plant risk as calculated in the CRMP, AND
c. Restore required inoperable subsystem, component to OPERABLE status within the acceptable allowed outage time extension or 30 days, whichever is shorter.

OR

Take the ACTION(s) required in the referencing specification for required action or completion time not met

SURVEILLANCE REQUIREMENTS

4.13.1 As required by the referencing specification

Differences with February 10, 2006 letter:

  • Mode applicability has been added to be consistent with draft RMTS Guidelines
  • ACTION b has been made more specific by addition of the bolded phrase.

SOUTH TEXAS - UNITS 1 & 2 3/4 13-1 Unit 1 - Amendment No.

Unit 2 - Amendment No.

3/4.13.2 ALLOWED OUTAGE TIME DETERMINATIONS FOR ACTION STATEMENTS IN MULTIPLE LCOs

LIMITING CONDITION FOR OPERATION

3.13.2 When two or more ACTION statements to which Specification 3.13.1 may apply are entered, the allowed outage time shall not exceed the criteria of the Configuration Risk Management Program

APPLICABILITY: 1) MODE 1, 2 & 3, and

2) Entry into two or more ACTION statements to which Specification 3.13.1 may be applied, and
3) Configurations where LCO 3.13.1 is not being applied

ACTION: Determine the configuration is acceptable for the application of at least the specified allowed outage times for the affected components within the shorter of 12 hours or the shortest affected allowed outage time. For configurations where the specified allowed outage time is longer than the calculated allowed outage time, restore one or more of the affected components to OPERABLE status within the calculated allowed outage time or take the ACTION(s) required in the referencing specification(s) for required action or completion time not met.

Changes to version in the February 10, 2006 letter:

  • Mode applicability has been added to be consistent with draft RMTS Guidelines
  • Limitation of applicability to cross-train equipment has been eliminated.
  • Grammatical improvements in LCO

SOUTH TEXAS - UNITS 1 & 2 3/4 13-2 Unit 1 - Amendment No.

Unit 2 - Amendment No.

Bases for Specification 3.13.1

Specification 3.13.1 establishes provisions for performing a risk assessment to determine required actions and allowed outage times for specifically identified specifications for structures, systems, and components. Application of the risk assessment is consistent with the requirements of the Maintenance Rule, 10CFR50.65(a)(4), to assess and manage the increase in risk that may result from maintenance activities. The process to manage the risk assesses the rate of accumulation of risk in plant configurations and determines the allowed outage time (AOT) by calculating the time required to cross a conditional core damage probability threshold of 1.0E-05.

Application of the risk assessment to manage allowed outage time in different plant configurations is complemented by the station's programs to monitor performance indicators for long-term availability of risk-significant components. The requirement to achieve acceptable long-term performance indicators provides a significant disincentive to the potential to regularly extend baseline AOTs to the detriment of availability.

TS 3.13.1.a establishes the conditions for performance of the risk assessment. The LCOs subject to the Configuration Risk Management Program (CRMP) specifically reference TS 3.13.1. The baseline AOT or required completion time specified in the LCO may be used to apply the TS 3.13.1 to determine an alternate AOT and compensatory actions.

TS 3.13.1 applies separately to each ACTION for which TS 3.13.1 is entered. When TS 3.13.1 is entered from a referencing TS, it is entered at ACTION a, even if TS 3.13.1 is already being applied for another referencing TS; i.e., TS 3.13.1 is applied as an extension of the ACTION statement of the referencing TS. Although TS 3.13.1 may be applied to extend the allowed outage time for a referencing TS, except for the extension in the allowed outage time, the other requirements of the referencing TS continue to apply. For instance, if TS 3.13.1 is applied to extend the allowed outage time for Train A ECW (TS 3.7.4.a), the provisions of TS 3.7.4.b. will apply if another ECW train becomes inoperable.

The requirement in ACTION b to continuously determine the acceptability of the plant means that once the subject LCO has exceeded the baseline AOT, the risk assessment must be reperformed as needed to identify changes to the required action and time limits resulting from subsequent changes to the plant configuration. This requirement provides assurance that the configuration risk is adequately assessed. The risk contribution from non-TS components modeled in the PRA is also included in the quantification of the allowed outage time.

Consequently, ACTION b applies for conditions where a non-TS component modeled in the PRA fails or is removed from service. The requirements of TS 3.13.1 will continue to apply as long as any TS ACTION is beyond its frontstop time. Although a particular ACTION with the allowed outage time extended may be exited when the affected SSC is restored to operable status, the accumulated risk of that configuration will continue to contribute to the configuration risk for the associated entry into TS 3.13.1 until all affected ACTIONs are exited or within their frontstop allowed outage time.

TS 3.13.1 is applied with the referencing specification and ACTION c requires the action required by the referencing specification to be taken if the configuration risk exceeds the risk-informed completion time. It recognizes that the plant is in an extended AOT that has a specified required action if the required action time is exceeded. In a configuration where the risk reaches the risk-informed completion time, the calculated AOT has been exceeded and the action required at the expiration of the AOT must be taken. If more than one LCO action is beyond its frontstop time, all affected LCO actions that are beyond their frontstop will be considered not met and the prescribed action taken.

Application of TS 3.13.1 will provide action for conditions where more than one train or channel of a function is inoperable. Unless otherwise permitted in the TS, TS 3.13.1 will not be applied for configurations where there is a complete loss of function (e.g., all three trains of ECW or all channels of an actuation logic that results in all trains of a function being non-functional).

If a component is determined to be inoperable, it may still be considered to have PRA Functionality for calculation of a RICT if there is reasonable assurance that it can perform its required functions for events not affected by the degraded or non-conforming condition and if the condition can be quantified in the PRA. If these conditions are not met, the component will be assumed to be non-functional for calculating the RICT; i.e., it will have no PRA Functionality.

For the purposes of this specification, Loss of Function occurs when there is no PRA Functionality in any train or channel of a TS required function to mitigate specific PRA scenarios.

Examples of where a component has PRA Functionality such that the condition could be quantified in the determination of an allowed outage time are listed below.

  • SSCs that don't meet seismic requirements but are otherwise capable of performing their design function.
  • SSCs that are inoperable but secured in their safe position (e.g., a closed containment isolation valve).
  • SSCs powered from a source other than their normal power source, provided the alternate power source is modeled in the PRA.
  • An SSC with an inoperable automatic function if the manual actuation of the SSC is modeled in the PRA (e.g., a diesel generator with an inoperable sequencer). Actuation channels are associated with their actuated components or trains. Loss of actuation channels is not considered a Loss of Function unless no train of the actuated SSC function has PRA Functionality.
  • An SSC that is functional for mitigation of a set of events (e.g. steam generator tube rupture, small break LOCA) but is not functional for other events for which it is credited (e.g. large break LOCA or steam line break), providing the PRA model can quantify the risk for the calculation of a RICT. An example of this type of condition is degradation of environmental qualification.

Reference 1 specifies the criteria for determining functionality.

TS 3.13.1 establishes a backstop AOT of 30 days. This backstop AOT prevents a component with little or no risk significance from remaining inoperable indefinitely, which would result in a de facto change to the design or licensing basis of the plant.
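The interaction of the 1.0E-05 threshold, the accumulated risk of earlier configurations, and the 30-day backstop can be worked through numerically. The following is an added illustration, not STPNOC's CRMP software or the EPRI method itself; it assumes risk accumulates at the configuration's core damage frequency (CDF) above a zero-maintenance baseline, that the clock starts at entry into the first referencing ACTION, and every CDF value is constructed.

```python
ICDP_THRESHOLD = 1.0e-05  # conditional core damage probability threshold (from the Bases)
BACKSTOP_DAYS = 30.0      # backstop AOT (from the Bases)
DAYS_PER_YEAR = 365.0

def risk_informed_completion_time(history, current_cdf, baseline_cdf):
    """Return (days_from_entry, limiting_criterion).

    history      -- [(duration_days, cdf_per_year), ...] configurations already
                    passed through since entry (assumed input format)
    current_cdf  -- CDF per year of the present configuration, assumed to persist
    baseline_cdf -- CDF per year with no equipment out of service (assumption)
    """
    elapsed = 0.0      # days since entry
    accumulated = 0.0  # incremental core damage probability so far
    for duration, cdf in list(history) + [(None, current_cdf)]:
        # Risk accumulation rate of this configuration, per day.
        rate = max(cdf - baseline_cdf, 0.0) / DAYS_PER_YEAR
        if rate > 0.0:
            days_to_cross = (ICDP_THRESHOLD - accumulated) / rate
            if duration is None or days_to_cross <= duration:
                t = elapsed + days_to_cross
                if t < BACKSTOP_DAYS:
                    return t, "threshold"
                return BACKSTOP_DAYS, "backstop"
        if duration is None:
            # No measurable risk increase: only the backstop limits the outage.
            return BACKSTOP_DAYS, "backstop"
        accumulated += rate * duration
        elapsed += duration

if __name__ == "__main__":
    BASE = 1.0e-05    # constructed baseline CDF per year
    ONE_OOS = 3.75e-04  # constructed CDF with one train out of service
    TWO_OOS = 7.40e-04  # constructed CDF with a second component also out
    # One train out of service for the whole period.
    print(risk_informed_completion_time([], ONE_OOS, BASE))
    # Second component lost on day 4: the assessment is reperformed.
    print(risk_informed_completion_time([(4, ONE_OOS)], TWO_OOS, BASE))
    # Second component restored a day later: its accumulated risk still counts.
    print(risk_informed_completion_time([(4, ONE_OOS), (1, TWO_OOS)], ONE_OOS, BASE))
    # Low-risk configuration: the threshold would take 36.5 days, so the backstop governs.
    print(risk_informed_completion_time([], 1.1e-04, BASE))
```

With these constructed values, restoring the second component does not return the completion time to the original 10 days, because the risk accumulated while both were out of service remains in the total.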

Bases for Technical Specification 3.13.2

Technical Specification 3.13.2 requires confirmation that the specified allowed outage times are acceptable when ACTIONs are entered for components on separate LCOs. The allowed outage times for SSCs are often based on no other SSC being inoperable at the same time.

Some configurations where the plant is in two or more LCO ACTION statements could potentially impose an unacceptable level of risk. This is particularly the case if the affected components are in different safety trains because the redundancy of accident mitigation capability could be adversely affected.

TS 3.13.2 applies only in MODE 1, MODE 2, and MODE 3 because those are the at-power modes best represented by the PRA and because there is little risk from multiple LCO entry in MODE 4.

TS 3.13.2 applies to the LCOs to which TS 3.13.1 can be applied because those are the SSCs that are modeled in the PRA and for which a quantified allowed outage time can be determined.

To prevent redundant or conflicting requirements, TS 3.13.2 does not apply when TS 3.13.1 is being applied to manage risk for configurations with components beyond their frontstop allowed outage times. In those situations, TS 3.13.1 already imposes the appropriate requirements for the assessment of configuration risk.

References:

1. EPRI Risk-Managed Technical Specifications Guidelines

6.0 ADMINISTRATIVE CONTROLS

6.8 Procedures, Programs, and Manuals

6.8.3.j (continued)

Peak calculated containment internal pressure for the design basis loss of coolant accident (LOCA), Pa, is 41.2 psig.

The maximum allowable containment leakage rate, La, is 0.3 percent of containment air weight per day.

Leakage rate acceptance criteria are:

1) Containment overall leakage rate acceptance criterion is < 1.0 La. During the first unit start-up following testing in accordance with this program, the leakage rate acceptance criteria are < 0.60 La for the combined Type B and Type C tests, and < 0.75 La as-left and < 1.0 La as-found for Type A tests.
2) Air lock testing acceptance criteria for the overall air lock leakage rate is < 0.05 La when tested at > Pa.

The provisions of Surveillance Requirement 4.0.2 do not apply to the test frequencies specified in the Containment Leakage Rate Testing Program.

The provisions of Surveillance Requirement 4.0.3 apply to the Containment Leakage Rate Testing Program.

k. Configuration Risk Management Program (CRMP)

A program to assess changes in core damage frequency and cumulative core damage probability resulting from applicable plant configurations. The program should include the following:

shall be in accordance with Section 2 of the EPRI Risk-Managed Technical Specifications (RMTS) Guidelines, Rev. [ ].

1) training of personnel;
2) procedures for identifying plant configurations, the generation of risk profiles and the evaluation of risk against established thresholds; and
3) procedures for evaluating changes in risk resulting from unplanned maintenance activities.

Change to show how RMTS Guideline would be incorporated.

(continued)

SOUTH TEXAS - UNITS 1 & 2 6-10 Unit 1 - Amendment No.

Unit 2 - Amendment No.