Enclosure 5: Request for Additional Information Need to Complete the Technical Review of the South Texas Projects (STP) Rmts Initiative 4b Full Plant Pilot

ML050130181
Person / Time
Site:	South Texas
Issue date:	01/14/2005
From:	Office of Nuclear Reactor Regulation
To:
Tjader T., NRC/IROB, 415-1187
Shared Package
ML050120117	List: ML050130181
References
Download: ML050130181 (16)
v • d • e

Text

Request For Additional Information Needed To Complete The Technical Review Of The South Texas Project (STP) RMTS Initiative 4b Full Plant Pilot

1. It is stated (on page 5) that the proposed change (i.e., allowing flexible AOTs/CTs) addresses the principles of risk-informed decision-making set forth in Regulatory Guides 1.174 and 1.177. It is further stated (on page 6) that the proposed change does not measurably change overall average core damage frequency for STP. The staff requests further clarification of these statements because there may be a difference in the understanding of such statement between the staff and the industry:

< Please explain how the risk increases to be used in RG 1.174 criteria will be calculated (e.g., assessment of configuration risk vs. risk associated with the AOT/CT extensions, credit for compensatory measures, risk increases measured from the zero maintenance baseline or the average maintenance baseline). If the risks associated with the extensions are not assessed separately from the overall configuration risks, please explain how the guidance of RG 1.174 will be implemented.

The risks associated with AOT/CT extensions will be calculated from the time the affected component(s) is determined to be inoperable until there are no components in ACTION statements beyond their frontstop allowed outage time.

The risk associated with the extended AOT can be tracked separately from the risk determined in the normal Configuration Risk Management Program (CRMP). The change in risk, the Incremental Conditional Core Damage Probability (ICCDP) or the Incremental Conditional Large Early Release Probability (ICLERP), will be determined using the zero maintenance plant PRA model and the actual plant configurations existing at the time of TS entry until the AOT/CT is exited. Any PRA credit determined to appropriate will be included in the ICCDP/ICLERP calculation. Comparison of the calculated change will be compared to the requirements of RG 1.174 (1E-05 per year for core damage frequency (CDF) and 1E-06 per year for large early release frequency (LERF)) by assuming that the change results in a temporary increase in CDF (or LERF) for the operating year.

The current method of calculating ICCDP/ICLERP in the CRMP is based on the maintenance configurations actually encountered during a maintenance week and is controlled by procedure. If an existing maintenance configuration is carried over into the next week, the total ICCDP for the configuration is manually calculated by summing the weekly ICCDPs for the configuration until the component is returned to functional status.

The method of calculation for the proposed AOT/CT extension is identical to the calculations performed under the current CRMP with the following additional consideration. The total ICCDP/ICLERP will be automatically determined as the 1

risk is being accumulated (i.e., a running summation until the AOT/CT is exited).

If contingency actions and compensatory measures are credited in assessing risk increases, risk-informed regulation requires procedures and administrative controls as well as appropriate PRA modeling for such actions and measures. Please discuss how this requirement will be implemented.

If contingency actions or compensatory measures are required, they will be implemented in accordance with plant procedures and the RMTS Guidelines. (See the response to Question 3.)

2. Describe the process, including criteria, for initiating a plant shutdown. How will this process address the proposed removal of current constraints to plant operation at power imposed by the fixed AOTs/CTs? The staff believes that the guidance provided in maintenance rule (a)(4) regarding the initiation of plant shutdown needs improvement to compensate for the proposed removal of current constraints to plant operation at power imposed by the TS fixed AOTs/CTs. The staff believes that a risk-informed shutdown process based on clear generic principles and criteria is needed. Please discuss.

If the configuration risk crosses the 1E-05 Potentially Risk Significant threshold or if the affected component cannot be restored to operable status in the allowed outage time, application of TS 3.13.1 with the Configuration Risk Management Program (CRMP) requires that the LCO be considered not met and the action required by the TS that invoked TS 3.13.1 must be taken (e.g., be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD SHUTDOWN within the following 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />). The operators will proceed with an orderly shutdown in accordance with station procedures in the same manner they would for any other TS required shutdown. As provided by the TS, the shutdown does not have to be completed if the affected component is restored to operable status in the interim. This is consistent with the RMTS Guidelines.

Based on the discussion above, STPNOC believes the existing shutdown process and procedures are adequate for shutdowns that are required by proposed TS 3.13.1.

3. Does STP have a process for identifying contingency actions and compensatory measures and determining their acceptability for both planned and emergent conditions? Will there be procedures and administrative controls for contingency actions and compensatory measures credited in risk assessments? Will there be any plant-specific guidance in assessing the risk impact of contingency actions and compensatory measures credited in risk assessments? Please discuss how STP proposes to address this issue in the risk-informed decision-making process for flexible AOT/CT extensions.

The procedure for the CRMP includes guidance for compensatory actions.

2

In general, STP will only credit contingency actions and compensatory measure that are already included in the PRA. For special emergent conditions where a contingency action or compensatory measure is not currently credited in the PRA, then either the affected equipment will be conservatively assumed to be inoperable and not functional or procedural and administrative controls will be required prior to taking credit in the PRA.

The CRMP includes criteria for determining whether a SSC may be considered functional in the risk assessment. Those criteria are described in STPNOCs formal license amendment request dated August 2, 2004.

4. An important element of the proposed process, which is applicable to emergent conditions, is the ability to promptly consider and resolve common cause issues.

What guidance is, or is expected to be, available at STP on how to identify potential common- cause issues and on strategies and actions to promptly resolve any such issues? Is (will be) plant shutdown an option in this strategy? Please discuss.

The STPNOC process is consistent with the RMTS Guidance.

If a non-conforming or degraded condition is identified, the process of determining operability will assess the potential for common cause and whether other trains or components may be affected. This evaluation is performed in accordance with the STPNOC Corrective Action Program in a time frame commensurate with the safety significance of the affected equipment.

The requirement for a plant shutdown will be determined based on the operability of the affected equipment and the action required by the TS.In addition, the operability determination process performed by a licensed senior reactor operator when a degraded condition is identified requires a reasonable assurance that there is not a common cause issue. If a common cause issue is present, it will be accounted for in the operability determination, prior to the AOT determination. For components that might affect more than one train or function, the PRA and CRMP are used to provide insights regarding the safety significance. The STP PRA includes the effect of a component failure in the common cause failure of similar components; therefore, STPNOC does not adjust the failure rate for cross-train components when SSC is found to be inoperable. The CRMP currently requires implementation of appropriate compensatory action if the calculated risk crosses the 1E-06 non-risk-significant threshold, and requires consideration of placing the plant in configuration that reduces the risk, including mode changes or shutdown, if the calculated risk crosses the Potentially Risk-Significant threshold of 1E-05.

5. Does STP have guidance for considering unmodeled external challenges (e.g.,

challenges beyond the scope of PRA evaluation)? Please discuss.

In STP's At-Power PRA model (Modes 1 & 2) seismic, flood, and internal fires external events are explicitly modeled. Other external events were screened out as part of the external events analysis such as aircraft crash, tsunami, and toxic gas. Grid disturbances that could lead to offsite power degradations or loss of offsite power degradations are 3

included in the quantified model. Additional qualitative risk management guidance will be a part of the Configuration Risk Management software program used at STP as a part of this pilot effort. This feature will allow the incorporation of future risk management guidance that is deemed appropriate for the configuration risk management program.

6. Does STP have guidance for identifying high risk configurations in a timely manner? Will high risk configurations be pre-assessed? Please discuss.

The current CRMP computer tool, RAsCal, has the capability to quickly determine a high risk configuration and these configurations have been pre-assessed for the CRMP.

Using for discussion a definition of high risk configuration of greater than 1E-06 ICCDP within a week, only cross-train configurations of risk-significant components have the potential to cross the 1E-06 ICCDP limit currently in effect in the CRMP. Examples include: two trains of essential cooling water; two standby diesel generators, or; one essential cooling water train and another standby diesel generator.

Under the proposed AOT/CT process, the risk calculator will have at least the same capabilities as the current calculator. In addition, the calculator will contain a set of pre-assessed high risk configurations (those configuration where the AOT/CT extension is less than the proposed back-stop).

7. Does STP have guidance for considering the impact of inoperabilities on LERF?

The staff believes that guidance is required to ensure that the increase in LERF (when equipment important to LERF is out of service) is assessed and considered in the decisionmaking process when an AOT/CT extension is considered. Also, please comment on the adequacy of the STP PRA models to calculate LERF increases.

Will they be detailed assessments and/or bounding-type calculations?

For nearly all evaluations, CDF is the only required metric. The STP PRA model includes a Level 2 Containment Response model (event tree). If containment response results are desired, an initiating event batch file that calls the containment event tree will be used to quantify the Level 2 results. Systems affecting containment response are included in the Level 1 event trees. Event tree macros are defined in a set of transition event trees (identified as plant damage state (PDS) event trees in the model) that determine the status of the various systems and plant conditions necessary to properly quantify the level 2 event tree. The assessments for LERF will be detailed assessments (within the limitations of the level 2 model).

8. In the STP response to Acceptance Review RAI #3b, it is stated that establishing separate TS criteria for emergent and planned conditions would be counterproductive and administratively burdensome. The staff believes that the distinction between planned and emergent conditions is already part of the Maintenance Rule (a)(4) guidance (e.g., see action thresholds based on quantitative considerations, Section 11 of NUMARC 93-01 endorsed by Regulatory Guide 1.182). This distinction, when properly tied to clear criteria for allowed risk increases, can be used (1) to 4

compensate for the proposed removal of current constraints imposed by the fixed AOTs/CTs and (2) to develop a well-defined strategy for initiating a plant shutdown. For example, during an AOT/CT extension which is voluntary, will ICDPs greater than 1E-5 or instantaneous risks greater than 1.0E-3/year be allowed? If the answer is no, shouldnt an ICDP greater than 1E-5 or an instantaneous risk greater than 1.0E-3/year require the initiation of plant shutdown? Furthermore, the industrys RMTS guide states that preventive maintenance involving an AOT/CT extension will be planned so that it is completed before the ICDP reaches the value of 1E-6. Please discuss.

In accordance with the RMTS Guide, STPs CRMP establishes 1E-06 as the non-risk significant threshold. All maintenance work activities performed on equipment within the CRMP scope (i.e., planned or emergent) is included. Per the CRMP procedure, exceeding the 1E-06 threshold requires approval from the duty plant manager (in the case of planned work) and notification to the duty plant manager (in the case of emergent work). The 1E-05 threshold is established as the potentially risk significant threshold. Exceeding this level or anticipating that this threshold will be exceeded due to plant conditions requires compensatory measures up to and including plant shutdown as described in the response to Question 2.

The responses to Questions 2 and 4 discuss requirements for shutdown at the Potentially Risk Significant threshold (1E-05). STPNOC plans to establish an instantaneous risk threshold of 1E-03/yr. in the CRMP, which is consistent with the RMTS Guide and the guidance endorsed by RG 1.182 for 10CFR50.65(a)(4) risk assessments. STPNOCs formal license amendment application dated August 2, 2004 (NOC-AE-04001666) also clarifies the application of TS 3.13.1 and the CRMP. In Section 1 of Attachment 1 to that application, STPNOC clarifies that the risk threshold limit for planned maintenance is the non-risk-significant threshold of 1E-06.

9. In the STP response to Acceptance Review RAI #2, regarding the lack of information about the risk assessments that support the proposed changes to the technical specifications described in Table 2, it is stated that general risk insights are included in Table 2 and that the level of detail need to be resolved in a meeting with the NRC. The staff notes the following:

(a) For many of the most risk significant proposed changes it is explicitly stated that the risk basis will be provided later.

The risk basis is provided in the formal license amendment application dated August 2, 2004.

(b) No risk insights or even a brief risk-based justification are provided for most of the proposed changes (see Table 2 column, labeled Risk Basis Calculated STP AOT before Backstop). Statements, such as 30 days (backstop) and 5

Not risk significant cannot be considered risk insights or appropriate risk-based justification for the proposed changes.

The column is only intended to provide a perspective on the difference between a risk-informed AOT and the current frontstop AOT. It is not intended to be a justification. The justification is the methodological approach of measuring incremental and cumulative risk due to maintenance as described in STP's CRMP, the technical approach described in STP's submittal as augmented by EPRI Technical Report XXXXX, the results of the PRA RG 1.200 quality pilot effort.

(c) Many requested TS changes are not associated with Initiative 4b. Such changes should be submitted as separate risk-informed amendments.

The non-relevant changes have been deleted for the formal license amend application.

(d) In many cases the front-stop AOT is being extended or arbitrarily defined (e.g., when new action statements involving failure of more than one train are introduced). Extending the front-stop AOT or defining a front-stop for new actions requires separate risk-informed amendments according to RG 1.177.

This comment was made in the January 2004 meeting with the staff. STPNOC revised the proposed changes so that the front stops are the same as current TS. If current TS would require application of TS 3.0.3, the frontstop is 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.

(e) Entries in Table 2 column labeled Risk Basis Calculated STP AOT Before Backstop need clarification. What do they represent? For example, what does it mean 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> risk-based AOT before back-stop or 1 inoperable train of CCW: 29 years AOT before backstop? Please explain.

The table notes explain how the AOT was calculated. It is the time required for the cumulative risk to reach the Potentially Risk Significant threshold of 1E-05, assuming only the subject component or train is inoperable. It is provided to give the reviewers a perspective on the relative significance of the component.

10. In the STP response to Acceptance Review RAI #2, regarding the lack of information about the risk assessments that support the proposed changes to the technical specifications described in Table 2, it is stated that the PRA quality evaluation is expected to provide a substantial level of confidence in the risk assessments. Although the staff does not disagree with this statement, it is important to confirm that the process of extending AOTs/CTs will be properly implemented. There are cases where uncertainties in PRA models and data can have a significant impact on the decision-making process. The PRA quality evaluation is not expected to fully address this issue. In addition, the application of 6

the RMTS process to some representative and bounding plant configurations would facilitate discussion between the industry and the staff and would provide useful input to the RMTS Guide currently being developed. For this purpose, it is proposed that STP and NRC staff meet to select a suitable set of plant configurations to apply the proposed Initiative 4b process. The analyses and results of such applications would be reviewed by the staff and discussed with STP.

STP agrees that sampling of plant configuration evaluations should be reviewed by the Staff and discussed with STP. In general, parameter (aleatory) uncertainties will not be significant since the risk results used the the RITS 4B application are delta CDFs or LERFs (i.e., they cancel out). Of more interest would be a discussion on modeling (epistemic) uncertainty and how bounding and other sensitivity studies can be used to address this area. STP also notes that risk management actions will mitigate uncertainties and that uncertainty is addressed in Section 3.5.2.1 of the RMTS Guide.

STP believes the PRA quality evaluation will be effective in addressing this issue.

11. In the STP response to Acceptance Review RAI #6, it is stated that for STP it is expected that Initiative 7 will be subsumed by Initiative 4b. STP staff stated, during follow-up meetings with the staff, that this is possible due to the good separation of the three STP safety system divisions. The staff need more detailed information about the existing divisional separation at STP and how this design feature will be incorporated in the PRA to address the inoperability of affected safety equipment, regardless of the cause. Please discuss.

There are four independent trains of Class 1E DC power. Train A supplies Train A equipment and Class 1E Vital Distribution Channel 1. Train B supplies Train B equipment and Class 1E Vital Distribution Channel 3. Train C supplies Train C equipment and Class 1E Vital Distribution Channel 4. Train D supplies the turbine driven auxiliary feedwater pump and Class 1E Vital Distribution Channel 2. The associated battery chargers (two per train, one required) are powered from the associated Class 1E AC distributions system. Train D chargers are powered from Class 1E AC distribution train A. There is no cross-train capability.

There are four independent Class 1E Vital distribution channels supplied by a safety related inverter and a non-regulated 120V transformer. The Channel 1 inverters and transformer are supplied from AC train A backed up by Class 1E DC Train A. The Channel 2 inverter and transformer is supplied from AC train A backed up by Class 1E DC Train D. The Channel 3 inverter and transformer is supplied from AC train B backed up by Class 1E DC Train B. The Channel 4 inverters and transformer are supplied from AC train C backed up by Class 1E DC Train C. There is no cross-channel capability.

There are four independent Qualified Display Parameter System (QDPS) trains. This systems provide safety grade indication (RG 1.97 requirements) and control of selected plant systems (e.g., AFW flow control valves and steam generator PORV control). QDPS 7

train A is supplied from Class 1E vital channel 1, train B is supplied from Class 1E vital channel 3, train C is supplied from Class 1E vital channel 4, and train D is supplied from Class 1E vital channel 2. There is no cross-train capability.

There are four trains of auxiliary feedwater, 3 motor-driven and 1 turbine driven. Each train supplies its associated steam generator (A, B, C motor-driven, D turbine driven).

Manually controlled, air-operated (normally closed, fail closed) cross-ties are provided that allows any pump to feed any steam generator. These normally closed cross-ties are not included in the PRA model. Steam for the turbine driven AFW pump is supplied by the D steam generator.

The three train electrical auxiliary building (EAB) ventilation system supply and return headers are headered to allow ventilation air flow to all areas of the EAB with any set of supply and return fans. The three train control room ventilation system is similar.

The three train essential cooling water (ECW) system has manually operated (normally closed manual valves) cross-train capability that allows any ECW train to supply any essential chilled water condenser. This capability is adminstratively controlled (valves are closed during power operation) and not currently credited in the PRA.

The above system/train inter-relationships are explicitly modeled in the PRA. Especially for support systems, each train/channel is modeled as an individual event tree top event to ensure the relationships are correctly translated for quantification of the PRA.

The inoperability of safety related equipment is modeled in the PRA using event tree macros to define equipment/train failure. Event tree top event rules and split fractions are defined for all combinations of equipment inoperability. The causes of the inoperabilty include: Out of service for planned or unplanned maintenance or; failure or unavailablity of the various support systems. The current PRA model includes maintenance macros for most equipment included in the RITS initiative. Additional macros will be developed and added to the PRA model for those components (i.e., reactor trip bypass breakers, PORV block valves) that do not currently have maintenance macros.

12. An explanation of when the STP CRMP/RMG process would be utilized when equipment is Tech Spec inoperable yet is PRA functional, and explain the rationale for those circumstances.

This is discussed in more detail in Attachment 3 to the formal license amendment application.

13. The level of documentation required for an Initiative 4b risk assessment must be described; the documentation must be adequate for inspectors to verify the assumptions and results of the STP CRMP process.

The required documentation will be described in the implementing procedure consistent with the generic industry guidance.

8

14. When in limiting condition for operation (LCO) 3.8.1.1 action f (Table 2), with two or three required standby diesel generators (SDGs) inoperable, please clarify why the LCO is changed from the current 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. Also, if all three SDGs are inoperable, the risk basis calculated AOT before backstop is 40 hours4.62963e-4 days <br />0.0111 hours <br />6.613757e-5 weeks <br />1.522e-5 months <br />; justify operating for 40 hours4.62963e-4 days <br />0.0111 hours <br />6.613757e-5 weeks <br />1.522e-5 months <br /> when all SDGs are inoperable. We believe that application of Specification 3.13 is inappropriate in this case.

With no operable SDGs, STP current TS require at least one SDG to be restored within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. With two inoperable SDGs, STPs current TS require at least one of the inoperable SDGs to be restored in 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

As part of the plan to revise the application so that changes to frontstop times are not proposed, the proposed frontstop for TS 3.8.1.1.f should be 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. STPNOC will revise the proposed action accordingly in a supplement to the application.

STPNOC would not pre-plan an action where all three SDGs are inoperable. In the unlikely event that an emergent condition made all three SDGs inoperable or if the condition was such that the SDGs were inoperable but functional, the TS 3.13.1 AOT provides the opportunity to resolve the condition.

15. With one required load sequencer inoperable and one required SDG not associated with the inoperable sequencer also inoperable, what would be the maximum time allowed by specification 3.13 assuming another safety system also becomes inoperable? Provide various examples.

Using the "worst" combination of DG and SEQ (DGB and SEQA with Idle Train "B")

results in a risk-informed completion time of 20.4 days. Assuming that another safety system (Essential Cooling Water or Safety Injection Common) becomes inoperable, the results are as follows:

DGB EWA SEQA = 5.0 days DGB EWB SEQA = 15.7 days DGB EWC SEQA = 37.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> DGB SEQA SICA = 18.4 days DGB SEQA SICB = 19.9 days DGB SEQA SICC = 19.9 days

16. The new LCO 3.8.3.1 action a, requires that with one or more A.C. vital distribution panel(s) either not energized from its associated inverter, or with the inverter not connected to its associated D.C. bus: (1) within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> re-energize the A.C.

distribution panel(s) or apply Specification 3.13. Please provide the following:

a. Why is the LCO changed from one A.C. vital distribution panel to one or more A.C. vital distribution panel(s).

9

The revised wording allows for the application of TS 3.13.1 for conditions where more than one vital distribution panel is not energized in accordance with the LCO. The AOT is reduced to one hour to account for the one hour frontstop associated with the application of TS 3.0.3, which is the TS that would apply for more than one panel not being properly energized.

b. Why would you go to Specification 3.13 when you need only to just re-energize the A.C. distribution panel which can be accomplish in 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. We believe entering in Specification 3.13 in this case is inappropriate.

STPNOC would probably not apply TS 3.13.1 if the action could be completed within the revised frontstop time (proposed 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />). The redundancy of the STP electrical power systems will provide adequate justification for extending the time beyond 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, if necessary.

17. It is stated on page 8 that in cases where there are multiple components inoperable in more than one train, the calculated risk-informed AOT for the combinations may be less than currently prescribed in technical specifications. Please provide an example in the electrical area.

STPNOC has not identified a electrical-only example. There may be examples involving a combination of electrical and mechanical components.

18. It is stated on page 7, fifth paragraph, that STP will not unnecessarily extend AOT times such that equipment availability and reliability is adversely affected or in conflict with maintenance rule requirements. What would be your course of action in case an equipment reliability does not satisfy the maintenance rule goals.

STPNOC will maintain the plant in a safe configuration and comply with the TS and with the requirements of the STP implementing procedures for the maintenance rule (e.g.,

application of 50.65(a)(1), etc.). This action is independent of and compatible with the implementation of the proposed risk-informed TS.

19. Provide justification for changing the current 3.8.2.1 actions a and b to new action requirement that combines both batteries and chargers. Is this change part of the risk informed technical specification amendment request?

This change is part of the proposed risk-informed TS amendment request. Combining the actions to a single action is justified because the allowed outage time and required actions are the same for inoperable chargers and inoperable battery banks. There is no significant difference in the applicability of the TS and the change is largely administrative. The proposed 1-hour time limit is consistent with TS 3.0.3 which would be required by the current TS for more than one inoperable battery bank.

10

20. Page 10 discusses the compensatory measures that STP takes during the extended AOT. The staff feels that these measures are not adequate when an electrical equipment such as diesel generator is taken out for an extended period. Other compensatory measures that must also be included are as follows:

a. The condition of the offsite power supply, switchyard and the grid will be evaluated prior to entering the extended AOT.for elective maintenance. An extended SDG AOT will not be entered to perform elective maintenance when grid stress conditions are high such as during summer temperature and

/ or high demand.

b. No discretionary switchyard maintenance will be allowed. In addition, no discretionary maintenance will be allowed on the main, auxiliary or startup transformers associated with the unit.

c. No maintenance or testing that affects the reliability of the trains associated with the OPERABLE SDGs will be scheduled during the extended AOT. If any testing and maintenance activities must be performed while the extended AOT is in effect, it is recognized that a 10CFR50.65 (a)(4) evaluation will be performed.

d. The steam driven emergency feedwater pump will not be taken out of service for planned maintenance activities and will be treated as protected equipment.

e. The system dispatcher will be contacted once per day and informed of the SDG status along with the power needs of the facility.

STPs procedures currently require very similar compensatory actions for this configuration. Implementing procedures for the CRMP will maintain the requirements for these compensatory actions. STPNOC believes a licensee controlled document such as the CRMP is the appropriate location for compensatory actions so that changes can be made if necessary to address a particular situation.

21. The staff has been granting SDG AOT extensions up to 14 days provided the licensees have installed an extra A.C. power source or make available the alternate A.C. source installed to satisfy the requirements of station blackout rule. This extra power source can be substituted for an inoperable SDG during the extended AOT.

Additionally, these requests are supported by a PRA analysis that demonstrates that overall risk is very low during the extended outage. In view of the above, provide justification for extending the AOT beyond 14 days without an extra power source.

STPNOC performed extensive evaluations to justify the one-time extension of the allowed outage time for SDG-22 (Unit 2, Train B) to 113 days. Although STPNOC installed 11

temporary diesel generators as a compensatory action, the actual configuration risk for the SDG-22 extended outage without crediting the temporary diesel generators was less than 1E-05 (see attached figure).

The case of SDG-22 is unusual and would still require prior NRC approval, even with the approval of the proposed amendment. However, it is a good example of the application of the CRMP to manage risk.

For the application of the proposed amendment, STPNOC would be able to plan SDG maintenance with duration less than the non-risk-significant threshold of 1E-06. For the SDGs, this duration would be about 19 days for the Train A SDG, and the backstop 30 days for Train B and Train C SDGs.

The demonstration of the ability to manage the risk and the relative risk significance of the STP SDGs and the limitation provided by the 30 day backstop justifies the ability to extend the AOT beyond 14 days without temporary emergency power.

22. The STP TS 3.13 Actions require determining that the plant configuration is acceptable for a completion time extension beyond the [Front Stop AOT.] It also requires determining that the configuration is acceptable for completion time extension beyond the [Front Stop AOT] whenever configuration changes occur that may affect plant risk. Specify the allowable time to complete the required determination process and justify that the associated risk is negligibly small.

This time will be defined in the implementing procedure for the Configuration Risk Management Program and will be consistent with the generic industry guidance.

23. The 30 day CT backstop needs to be explained and justified.

The 30 day backstop does not have a technical basis. It preserves the licensing and design basis described in the UFSAR for configurations that are not risk-significant and where application of the risk threshold alone would result in extremely long allowed outage times. It is analagous to, but more conservative than the 90 days allowed by the implementation of 10CFR50.59 for a temporary modification in support of maintenance to be in place before a 10CFR50.59 evaluation is required.

24. For the following specifications discuss application of the risk-informed CT (RICT) determination process to conditions not currently addressed by the STP Technical Specifications (TS), including loss of function conditions. Discuss compensatory measures including accident mitigation strategies, and the availability of alternative safety and non-safety accident mitigation systems. Justify the proposed changes to the TS.

a. STP TS 3.4.2.2 - Pressurizer Code Safety Valves: WOG STS 3.4.10 , Action A requires that with one pressurizer safety valve (PSV) inoperable, 12

restoration must take place within in 15 minutes. The completion time (CT) of 15 minutes reflects the importance of maintaining the RCS overpressurization protection systems. Action B requires that if the inoperable PSV cannot be restored within the CT or two or more PSVs are inoperable, the plant be brought to MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in MODE 4 in the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The proposed TS 3.4.2.2 allows one or more PSVs inoperable up to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, or the RICT for restoration. The use of a RICT for two or more PSVs inoperable is not consistent with either the current STP TS or the STS.

The STP TS do not have a 15 minute requirement. The STP TS has action only for one inoperable code safety valve and requires the inoperable valve to be restored in one hour. If more than one code safety valve is inoperable, TS 3.0.3 applies until the plant is in MODE 4 where the code safety valve TS no longer applies. Consequently, the effective allowed outage time in the current TS is one hour regardless of how many code safety valves are inoperable.

STPNOC believes TS 3.13.1 should be allowed to be applied to this TS. The pressurizer PORVs are functionally redundant for pressure control of the reactor coolant system. Since the safety valves are not tested or challenged during normal plant operation, the only likely challenge to their operability is a design basis question or a qualification question where there is likely to be some degree of functionality. Application of TS 3.13.1 would enable STPNOC to resolve the operability issue or seek regulatory relief, if necessary.

b. STP TS 3.4.4 (ACTION c) - PORVs and Block Valves: Action c of the current TS 3.4.4 specifies requirements for the plant conditions with both PORVs inoperable due to causes other than excessive seat leakage, and is consistent with Action E of STS 3.4.11 that requires that the plant be brought to MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for both PORVs inoperable. The use of a RICT with both PORVs inoperable is not consistent with either the current STP TS or the STS.

Because the safety valves provide overpressure protection and there is low likelihood of an initiating event, application of the CRMP is practical for this situation. The risk calculated in the formal license amendment request would permit extending the allowed outage time to the 30 day backstop. However, a condition where both PORVs are inoperable would be the result of an emergent condition and would not be a planned configuration.

c. STP TS 3.5.1 (Action a) - Accumulators: STS 3.5.1 requires that with one accumulator inoperable due to reasons other than boron concentration outside the required limits, the accumulator must be returned to operable status within one hour. In this condition, the required content of three accumulators cannot be assumed to reach the core during a LOCA. Due to 13

the severity of the consequences should a LOCA occur in this condition, the one-hour CT ensures that prompt action will be taken to return the operable accumulator to operable status. Furthermore, Action D requires that if two or more accumulators inoperable, LCO 3.0.3 must be entered immediately since the plant is in an condition outside the accident analysis. The proposed TS 3.5.1 (Action a) allows one or more accumulators inoperable up to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, or to the RICT for restoration. The use of RICT for more than one accumulator inoperable is not consistent with either the current STP TS or the STS.

The formal license amendment request changed the proposed 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed outage time for 1 or more inoperable accumulators to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, which is consistent with the current TS allowed outage time for more than one inoperable accumulator (i.e., TS 3.0.3). STPNOC can determine a risk-informed completion time for more than one inoperable accumulator within that proposed allowed outage time. The accumulators have very low significance in the STP PRA and allowing a risk-informed completion time for more than one inoperable accumulator is appropriate.

d. STP TS 3.5.2 (Action b) - ECCS in MODES 1, 2 and 3: STS 3.5.2 requires that for a condition where the ECCS flow is less than 100 % of the required ECCS flow assumed in the LOCA analysis, the plant must enter into LCO 3.0.3 immediately because the plant is in a condition outside the accident analysis. Action b of the proposed TS 3.5.2 allows less than two of the required ECCS subsystems to be operable for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> or to the RICT to restore operability. Allowing up to the RICT to restore operability of at least two of the required ECCS subsystems is not consistent with either the current STP TS or the STS. To be consistent with TS 3.5.2, Action b should be changed so that for the ECCS flow less than that assumed in the LOCA analysis, the plant must be brought into LCO 3.0.3 immediately.

With 2 inoperable trains of SI there is generally not a loss of safety function, although STP cannot mitigate LBLOCA if the SI train is injecting into the broken RCS loop. Mitigation of SBLOCA with SI in the broken loop requires operator action. Steam line break mitigation is impaired, but DNB is not expected to occur.

With no operable trains, STP loses the SI safety function; however, a risk-informed AOT is appropriate to accommodate specific situations where the SI trains are degraded but still functional and to allow for timely actions commensurate with the actual significance of the condition. Note that risk-informed completion times are not based on meeting design basis assumptions.

The proposed 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> time limit is consistent with the requirement of TS 3.0.3 which would apply to the current TS.

14

Comparison of Planned and Actual Risk (ICCDP) for Unit 2 During SDG 22 Outage Data source: NDG Planned - PRA Rev 4 Model including NDG effect on risk (NDG failure and associated operator data are assumed)

Rev 4 Planned - PRA Rev 4 Model assuming no NDG effect on risk Actuals - RAsCAL data for previous work week and PRA Rev 4 1.0E-05 ICCDP Limit (0PGP03-ZA-0091) = 1.0E-05 3/31/04 8.17E-6 ECW2B 8.0E-06 ESF "A" Projected Surveillance Actual for 3/31/04 6.0E-06 8.17E-6 ICCDP 3/31/04 NDG 3.04E-6 4.0E-06 DG23 Inspection DG21 Inspection 2.0E-06 0.0E+00 08-Dec 15-Dec 22-Dec 29-Dec 05-Jan 12-Jan 19-Jan 26-Jan 02-Feb 09-Feb 16-Feb 23-Feb 01-Mar 08-Mar 15-Mar 22-Mar 29-Mar Date NDG Planned Rev 4 Planned Actual NDG Actual 15