Text

Safety Evaluation Accepting Methodology for Graded QA Initiative in Operations QA Description for Plant
	ML20199B275
Person / Time
Site:	South Texas
Issue date:	11/06/1997
From:	; NRC (Affiliation Not Assigned)
To:	;
Shared Package
ML20199B263	List: ML20199B257; ML20199B275;
References
	FACA, NUDOCS 9711180258
	Download: ML20199B275 (42)
	v • d • e

. _ .

p sMah p .- 11 UNITED STATES

< S NUCLEAR REGULATORY COMMISSION E

if WASHINGTON, D.C. 20066-0001

.....* SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION HOUSTON LIGHTING AND POWER COMPANY SOUTH TEXAS PROJECT. UNITS 1 AND 2 GRADED OUALITY ASSURANCE PEMBM DOCKETS NOS. 50-498 & 50-499

1.0 INTRODUCTION

During early 1995, the Houston Lighting and Power Company (HL&P, the licensee) initiated efforts to modify its Operational Quality Assurance Program (0QAP) for the South Texas Project Electric Generating Station (STP), Units 1 and 2, by grading the application of previously approved quality assurance (QA) controls to safety-related plant structures, systems and components (SSCs) in accordance with their significance to safety. The objective of this initiative, as stated by the licensee, was to maintain the necessary level of protection for the public health and safety while reducing the operating costs for the STP facility. The concept of grading QA cor.trols applicable to SSCs consistent with their importance to safety was long ago embodied ir "RC regulations (10 CFR 50, General Design Criterion 1 of Appendix A, t ';

Cr ' trion II of Appendix B). liowever, the licensee's graded QA (GQA) programmatic changes involve reduced commitments to previously approved QA controls. This necessitated the submittal of supporting information for review and approval by the NRC staff in accordance with 10 CFR 50.54(a). The NRC staff agreed to review the licensee's 50.54(a) submittal and treat STP as a volunteer plant for the development of the GQA initiative potentially applicable for wider industry implementation. Section 6.0 details the chronology of the interactions between the licensee and the staff during the review and approval process.

In a letter to che licensee dated January 24, 1996, the staff proposed ground rules that the NRC and the licensee would follow for implementation of the GQA initiative. As an enclosure to the letter, the staff provided a Draft Evaluation Guide (Reference 1) to further define the framework for evaluating GQA programs. These documents described the process envisioned for development of the GQA initiative and identified four essential elements that are expected to remain as the cornerstone of the regulatory positions and future guidance. These essential elements are:

1. A process that identifies the appropriate safety significance of structures, systems and components (SSCs) in a reasonable and consistent manner.

2. The implementation of appropriate QA controls for SSCs, or groups of SSCs, based on safety function and safety significance.

3. An effective root cause analysis and corrective action program.

971t180258 971106 E PDR ADOCK 05000498 P PDR

). N

4. A means for reassessing SSC safety significance'and QA controls when new information becomes available.

Implementation of these essential elements as well as application of the draft evaluation guidance and satisfaction of NRC regulations have governed the staff's processing of the licensee's GQA proposal.

In revising its QA program, the licensee envisioned that levels of QA controls and oversight could be applied to plant equipment and work activities based on their_ safety significance. In so doing, the licensee indicated that improvements in safety could be achieved by extending QA controls to nonsafety-related SSCs that have been detemined to be useful and useable in preventing and mitigating accidents. The development of-de deterministicinsights,probabilisticriskassessment(PRA)} ailed analytical techniques, and extensive computer-supported condition reporting and failure monitoring tools are integral components of the proposed approach.

In parallel with the licensee's development of the implementation details associated with GQA, the NRC staff prepared several documents (contained in SECY-97-077 dated April 8, 1997) to support the implementation of risk-informed regulation. These documents include Draft Regulatory Guides (RGs)

DG-1061 (Reference 2) and DG-1064 (Reference 3). These documents describe the staff's expectations for licensees who proposa to use risk insights to make adjustments in the application of their QA program controls. The staff used these documents during its evaluation of the licensee's proposed approach, and has contrasted the approach proposed by STP for grading QA controls with the expectations contained in the draft regulatory guidance for risk-informed decision-making. These draft RGs were released to the public for a 90-day comment period by an SRM (Reference 4) from the Commission dated June 5, 1997.

The licensee provided its most recent submittal on August 4, 1997, which completed the responses to the staff's questions and concerns. This Safety Evaluation Report (SER) presents the staff's evaluation and conclusions regarding the licensee's overall approach toward the formulation and implementation of GQA. While not a consideration for the staff review and evaluation, the staff recognizes that projected cost savings for plant operations have played a key role in the licensee's decision to pursue this initiative. The staff based its review and determination of acceptability on regulatory requirements germane to the application of QA controls. The staff gave due consideration to recent Commission policy statements to reduce unnecessary requirements and practices.

2.0 PROPOSED CHANGE

S The licensee revised the 0QAP description for STP to describe the process whereby the SSCs would be evaluated to determine the following:

' For the purposes of this Safety Evaluation, the terms Probabilistic Risk Assessment (PRA) and Probabilistic Safety Assessment (PSA) will be used interchangeably.

2 i

$ i e the safety significance of the SSCs,

the level of QA controls that will be applied to the various equipment categories (generally described in Chapter 2.0, Table I of the 0QAP description),

the corrective action process that will ensure that failures of components covered by the less rigorous program controls will receive appropriate apparent cause analysis to identify failure modes of significance, and

a process to review plant and industry ' performance information on a periodic basis to make necessary adjustments in either the safety significance categorization of SSCs or in the QA controls that are applied to SSCs.

In selected areas, the licensee has identified changes in QA commitments for items in the BASIC QA program that are different from the controls previously applied to all safety-related equipment. The licensee refers to the latter as the FULL QA program (See Section 2.2 of this SER for a discussion of the QA controls applicable to each category). In general, the char.ges will eliminate the necessity to perform QA verifications to the same extent as applied in the FULL program controls. Nonetheless, the revised process should still afford a reasonable level of assurance that safety-related equipment is capable of performing its safety function (s) in accordance with Appendix B to 10 CFR 50.

Section 3.4 of this SER details QA controls associated with the grading initiative.

2.1 Scone of Plant Eautoment for Which G0A Controls Aoolv The licensee has developed a methodology that can be used to determine the relative safety significance of plant equipment. For selected systems, the licensee will evaluate all safety-related and nonsafety-related SSCs with regard to the system functions they support using proba.bilistic and traditional engineering evaluations. The evaluation resuits in the placement of each SSC into a category of safety significance to which a predetermined level of QA controls will be applied.

Section 5.3.3 in Chapter 2.0 of the 0QAP description contains the follncing statement:

" Selected systems are evaluated, at the component level, by a cross-discipline Expert Panel comprised of high-level station management."

The licensee has also indicated that the GQA program is planned for implementation in a manner consistent with cost-effectiveness goals. At the licensee's discretion, further systems will be evaluated for GQA program implementation in accordance with an orderly plan based on cost savings to be realized. Conservatively, for SSCs that have not yet been evaluated under the GQA program, the licensee has committed to continue the current QA treatment in accordance with the previously accepted OQAP description (i.e., the FULL program).

l 3

l l

i E i Thus,-in a sequential fashion, the licensee will-generate documentation-L describing the safety significance of plant equipment, the critical functional attributes of the equipment, and the level of. QA c.ontrols that should be

- applied-to each item.- -From this documentation, plant staff involved with

- line activities will identify and apply appropriate QA controls, subject to l the oversight'and involvement- of two standing. committees comprised of-senior management-and technical personnel, namely, the GQA Working Group (WG) and the .

Comprehensive Risk Management Expert Panel (EP).

As of this time, the licensee has only used this process to categorize plant '

- equipment in selected systems (Radiation Monitoring, Essential Cooling Water, -

and Diesel Generator.).

2.2' Overview of Prooosed Chanaes in DA Controls To implement GQA for both STP units, the lice'nsee has established three levels of QA controls in the 0QAP description. The.three levels are labeled FULL, BASIC,_and TARGETED. The licensee has also established categories of safety

=s ignificant SSCs tnat are labeled High , Medium , and Low-Safety Significant (HSS, MSS,-LSS) -as well as non-risk significant (NRS). For those SSCs modeled in the PRA, the MSS category is further divided into two populations, .

referred to in this SER as MSS-1 and MSS-2. The result is that five categories of safety significant SSCs have been established. Sections 3.2 and 3.4.1 of this SER,-respectively, describe the categories of safety significance and levels of QA controls proposed for use in the STP GQA program.

The' FULL program consists of QA elements that remain essentially unchanged from those implemented for safety-related SSCs at STP-prior to the onset of GQA. Those elements comprise all licensee commitments to QA-related regulatory guides, endorsed standards promulgated by the American National Standards Institute (ANSI), and Standard Review Plan (SRP) positions necessary to meet the requirements of Appendix B to 10 CFR 50 for SSCs that are the most significant to safety. The FULL program QA elements are defined in Chapter 2.0, Table-I of the 0QAP description and apply to HSS safety-related SSCs.

The BASIC program includea. QA elements that have been graded, relative to those elements in the FULL program, consistent with the lesser safety importance of plant. equipment placed in the BASIC category. Section 3.4.1 of this SER lists the areas of grading and includes an evaluation of their compliance to-Appendix B requirements. A more detailed listing of changes to QA elements for the BASIC program is given in Table I, Chapter 2.0 of-the licensee's 00AP description. The BASIC program is applied to MSS-2, LSS, and NRS safety-related SSCs.

The licensee recognizes that some SSCs modeled in the PRA, while highly i reliable, would result in a significant increase in risk if they were to fall l

? when needed.- For these SSCs.(designated MSS-1), the licensee will apply FULL i program controls to those attributes that are relied upon to ensure a-high l leve' of confidence in the equipment performance capabilities to maintain low risL; BASIC program controls will be applied to the remaining attributes.

4

'f

_ __ _ _ _ _ . _ _ . .____ _ __ . . _ ~ - _ _ _ _. . _ _ _ _ _ _ _ _ . -

I b The TARGETED program consists of QA elements from the BASIC and FULL programs applied to those characteristics or critical attributes that render nonsafety-related SSCs safety significant, but only in a forward fit manner (i.e., only future operational activities associated with previously procured and installed equipment of this type would be subject to these requirements).

More specifically, the licensee will apply FULL and BASIC program controls in a selected manner to nonsafety-related SSCs that have been categorized as HSS or MSS (i.e., MSS-1 or MSS-2) in future activities.

LSS and NRS nonsafety-related SSCs would continue to be subject to the licensee's administrative and quality provisions for activities such as procurement and maintenance, as is currently done.

2.3 Review Criteria and Reauirements Regulatory requirements germane to the review of the OQAP description are contained in Appendices A and B to 10 CFR Part 50, as well as 10 CFR 50.54(a) and 10 CFR 50.34(b)(6)(ii). Criteria related to risk-informed initiatives are contain?d in draft regulatory guidance documents DG-1061 (Reference 2),

DG-1064 (Reference 3), and SRP Chapter 19 (Reference 5).

These guidance documents include the following five safety principles, which are addressed in Section 3.5 of this SER:

"The proposed change meets the current regulations. This principle applies unless the proposed change is explicitly related to a requested exemption or rule change.

Defense-in-depth is maintain:1

Sufficient safety margins are maintained.

Proposed increases in risk, and their cumulative effect are small and do not cause the NRC Safety Goals to be exceeded.

Performance-based implementation and monitoring strategies are proposed that address uncertainties in analysis models and data, and provide for timely feedback and corrective action."

The staff &lso used criteria from Chapters 17.1 and 17.2 of the Standard Review Plan (SRP)(Reference 6). Specifically, Section 17.1.11.2B3 (referred to by Section 17.2.II) includes the following guidance:

"The QA organization and the necessary technical organizations participate early in the QA program definition stage to determine and identify the extent QA controls are to be applied to specific structures, systelis, and components. This effort involves applying a defined graded approach to certain structures, systems, and components in accordance with their importance to safety and affects such disciplines as design, procurement, document control, inspection, tests, special processes, records, audits, and others described in 10 CFR [Part) 50, Appendix B."

5

'g j f ,

-i The staff recognizes that the licensee's proposal for STP;took exceptions to- :

'NRC QA regulatory guides and industry QA standards-identified-in SRP Chapters: 7.1 and 17.2,- as delineated in Table I, Chapter 2.0 of the.0QAP-description; 'However, the licensee's proposal is consistent with the-. .

following guidance from SRP Sections 17.1.11 and 17.2.11.

F "The' acceptance criteria used ... to evaluate this QA; program are

-subsections.

listed.in include. a the following commitment (18)ly with the regulations, regulatoryThe acceptance cri to comp positions presented in the appropriate issue of the Regulatory .

Guides,:and-the Branch Technical Positions listed in Subsection V.

...-T.xceptions and alternatives to these acceptance criteria may be adopted by applicants, provided adequate justification is given

... When the QA program description meets the applicable

-- acceptance criteria of this subsection or provides acceptable '

exceptions or alterr.atives, the program is considered to be in

-compliance with pertinent NRC regulations."

_Thus, the licensee has the flexibility to propose alternatives to the SRP and-regulatory guides, and the staff will evaluate these alternatives on their-individual merits.

3.0 STAFF EVALUATION-The licensee proposal to implement GQA involver categorizing component safety significance,--identifying critical component attributes, assigning QA controls to the critical component attributes, and utilizing long term corrective action feedback from the condition _ reporting, monitoring, and trending systems. Moreover, the licensee considers these aspects to be an integrated process, not a series of independent decisions. Consequently, the staff's evaluation-of each element in the process is predicated on the inter- ;

relationshipLbetween-the various elements of the integrated process.

E 3.1 Traditional Enaineerina Evaluation Many of the evaluations performed by the licensee in its GQA methodology, and much of the information gathered as a result of-those evaluations, re similar c to the traditional determination of safety-related equipment, but at a' greater level of detail. For example, during the licensee's process for STP, all i -functions of each evaluated system are developed and documented, along with the operating functions required of each SSC involved to support each critical system function.

The deterministic-information for each component in the system being evaluated is collected from operations, system engineering, licensing, QA, and other-11 plant departments, as appropriate. The information is summarized in descriptive text and tables, which then become part of the report prepared for

, each system called the GQA Basis Document.- A typical draft report

[ (Reference 7): includes the following qualitative information:

i

!

the current design basis description, functions, and constraints on

the system and components, i 6 ,

l i

1

I k

the Itcensing basis including regulatory commitments, constraints imposed by the updated final safety analysis report (UFSAR),

Technical Specifications, and other correspondence commitments.

review of the operating experience as reflected in the plant-specific reliaMlity and condition reporting system and deficiencies reported by industry groups,

use of the system components in the emergency operations or response procedures.

current safety-related and Maintenance Rule status,

self-assessment and system health reports, e equipment history (successes and failures).

NRC inspection reports and systematic assessments of licensee performance (SALP),

e corporate and joint utility management audits and reports, and

reports issued by the Institute of Nuclear Power Operations (INPO).

This deterministic information is collected, reviewed, and evaluated by the GQA WG during the categorization of the safety significance for the SSCs, as discussed in Section 3.2.3 of thi: SER. The information and recommendations are documented in each systex's GQA Basis Document and delivered to the EP for final review and approval, as discussed in Section 3.3 of this SER.

3.2 fEgess of Cateaorizina SSCs by Safety Sionificance lhe licensee's approach for categorizing SSCs in accordance with their significance to safety utilizes a combination of performance-based information, risk insights, and deterministic insights regarding the safety functions of systems and ccmponents. The process relies on engineering evaluation and judgment, supplemented by certain PRA calculations (where amenable) to arrive at recommendations for SSC categorization and, eventually, the assignment of QA controls.

As discussed in Section 3.3 of this SER, the GQA WG is responsible for collecting the appropriate information and making recommendations. These recommendations are then presented to an EP. The process of categorizing SSCs by safety significance is not complete until the EP accepts or modifies the final recommendations from the WG.

The licensee evaluates each system using a comprehensive approach that addresses each component in the system. During this process, the licensee identifies and lists all functions that the system may be called upon to perform, including all support fund tons the system provides to ot1er systems.

The licensee a511gns a safety significance to each system function based on 7

I '

the combination of PRA insight and deterministic evaluation as discussed in this section.

The licensee assigns each system component to a safety-significance category.

The assignment is made after determining all system functions supported by the corponent, and the safety significance of each of these system functions.

Every component in the system is assigned to one of the five categories known as HSS, MSS-1, MSS-2, LSS, and NRS. The use of the NRS category has no safety implications, because the SSCs assigned to this category are treated identically to the LSS SSCs.

As discussed in Section 3.2.5 of this SER, the MSS-1 and MSS-2 categories are differentiated by the maximum potential impact of the SSCs failure on the core damage frequency (CDF) and the large early release frequency (LERF) risk metrics. In Chapter 2.0 of the 0QAP description, the licensee identified the MSS-1 population components " based on their risk importance" and differentiated them from the HSS and other MSS components with paragraph 5.3.9 which reads as follows:

" Components that are highly reliable, yet whose failure would result in a significant increase in rist, will rsceive FULL program coverage, or will be evalumed based on their risk importance to ensure that FULL program controls are applied to their critical attributes."

The licensee uses a single MSS category label for both MSS-1 and MS$-2 SSCs modeled in the PRA, as well as for those SSCs deterministically categorized MSS (where no MSS-1 and MSS-2 diff'rentiation exist). The staff differentiates the two populations throughout this SER with the MSS-1 and MSS-2 labe!s. (The deterministically categorized SSCs are treated as MSS-2 SSCs). Nevertheless, the staff concurs that the distinctions between the categories are qualitatively defined in the 0QAP description and, where applicable, quantitatively defined based on importance measure values in the implementing procedures. The staff accepts the licensee's use of these multiple categories and considers the categories to be an acceptable means of grouping SSC's based on safety-significance.

3.2.1 PRA Model and apolication to Cateaorization of Safety Sianificance Changes in the application of QA controls do not lend themselves to a quantitative assessment of the change in core damage frequency (CDF) or large early release frequency (LERF) resulting from the implementation of GQA. In Draft RG DG-1061 (Reference 2), the staff recognized that, in some applications, quantitative estimates may not be possible. In such instances, DG-1061 allows the use of acceptable alternatives such as calculated risk-importance measures, bounding estimates, or a qualitative assessment of the impact of the change on the plant's risk. These alternatives are used for GQA applications.

The licensee used PRA anal,vt lc techniques and the plant specific PRA model to clearly identify a group of components which, individually, are highly significant to plant safety, because they are the most important contributors to CDF and LERF (HSS), or because they would become important contributors if 8

i i d i i

their reliability or availability degrades (HSS or MSS-1). Components that !'

are less-significant to plant safety are further subdivided to provide the WG and IP with as much guidance as can reasonably be obtained using PRA insights.

The MSS-2 catejory identifies components that individually are small l contributors to CDF and LERF. The LS$ category includes those components with !

, minimal er negligible individual importance to safety. The NRS category is i not used for components modti ed in the PRA. i In the proposed approach, the licensee compares component importance measures !

developed by PRA analysis against quantitative guidelines, and the com>onents are placed into the category consistent with each component's CDF and .ERF j

,t importance measures. The-PRA based safety-significance categories are ;

aumented with a description of assumptions and bounding conditions that >

. gu'ded the modeling of the system (and its components) in the PRA. This information is delivered to the WG for use in its deliberations, as discussed in Section 3.3.

The licensee also uses the PRA to perform sensitivity studies to bound the .

impact of highly uncertain modeling assumstions on the categorization, and to study the potential aggregate impact of tie simultaneous change in reliability or availability in all components to which reduced QA controls will be applied.

3.2.2 PRA Quality ,

The staff reviewed the PRA quality with the objective of determining the acceptability of the PRA, as it is used to support the present application.

The licensee uses the PRA to develop risk insights by broadly categorizing the ;

safety significance of all components modeled in the PRA. These categories. -

along with clarifying assumptions and limitations, are used by the WG and EP ^

for use in their deliberatu a regarding which components shoJ1d be affected by changes to the QA program, in discussions with the licensee, the staff considered its observations and findings from the following NRC staff reports regarding the licensee's PRA for STP:

SER (Reference submitted by the 8) licensee on b 14, rilprepared 1989. Inbythis theSER, staff the to assess staff the level 1 concluded that the PRA was a st,te-of-the-art level I risk assessment.

SER (Reference 9) prepared by the staff to assess the external events analysis in the level 1 PRA submitted by the licensee on April 14, 1989. In this SER, the staff concluded that the licensee carried out the external event analysis using acceptable state-of-the-art approaches used in many contemporary PRAs.

Staff (RES) evaluation (Reference 10) to assess the Individual Plant submitted by the licensee on August 28, 1992. The Examination assessment emphas(IPE)ized the level 2 enhancements made to the 198 9

L

_ _ _ _. _ _ . _ _. _ _ _ _ _ _ _ _._i

! k

< In this evaluation, the staff found that the IPE submittal was !

conolate and that the process was capable of identifying the most ;

likely severe accidents and severe accident vulnerabilities in accordance with Generic Letter (GL) 88-20 (Reference 11).

The staff noted any areas in the previous PRA reviev4 where potential areas >

for enhancements to the risk assessment were identified. The staff followed 1 up each area with the licensee to assess how these topics had been considered -

or factored into modifications to the PRA. The licensee documented this information in responses to RAls. The $taff also reviewed the QA process used -

to assure the quality of .he changes to the PRA between 1989 and the current i 1997 version. Since the initial PAA submittal in 1989, the Commission has .

grcinted two amendments changing-the plant's Technical S*ecifications, in part i' on the basis of PRA insights (References 12 and 13). TIiecurrentPRAreflects these changes.

The licensee performed a variety of sensitivity studies to provide additional assurance that important $$Cs are not inappropriately categorized because of PRA modeling limitations and uncertainties. Toward this end, the. licensee's PSA Risk Ranking procedure (Reference 14) includes the following bounding i values and analyses:

equipment planned to be out of service during each of the plant's scheduled maintenance states is set to unavailable, ,

all operator recovery actions are removed, e all common cause failures ((( s) are removed, [

the potential degradation of availability of nominally identical components used in several systems is evaluated by studying the impact of a common increase in unavailability, and ,

the effect of a possible over-estimate of induced steam generator tube rupture (SGTR) overshadowing other LERf considerations is ,

studied. ,

All components categorized in the base case as being less significant to plant safety, but categorized as HSS in any of the above sensitivity studies, will !

be identified and described, and relevant comments prepared for special i consideration by the WG and the EP.

During the course of this assessment, the staff evaluated the results of previous STP PRA reviews, obtained acceptable resolution of issues raised

, during.the previous reviews and assessed the bounding values and ar.alyses used to support the categorization process. On that basis, the staff finds that -

i the quality of the licensee's PRC analysis is sufficient for the assigning of SSCs broad (safety-significance categories for consideration by the WG and EP.in relation h

10

- . -- _- . - -- .- - - - ~ __ . . - _

l

! k 3.2.3 PRA Quality Assurance To perfom the PRA analyses, the licensee uses computer software known as RISKMAN, Version 8. The licensee stated they originally procured the software from the vendor, PLG, Inc. (Newport Beach, Califorrila), as a safety-related procurement and invoked the QA requirements of Appendix B to 10 CFR Part 50. i on the software, and the PLG licensee performed theproper verified the verification andofvalidation operation the < nsta [V&V)lled code using the sample .

model provided to test the installation. '

issued to PLG for PRA services included:

The licensee's of the development Purchase PRA system Order leve (PO)l and/or event tree risk models; risk model development and maintenance; plant specific data analysis; and risk-related outage support. For work performed at PLG facilities, PLG was directed to util'ze its QA program. For work performed onsite at STP, PLG was directed to work in accordance with the licensee's QA program and procedures.

PLG a) plies QA controls to both software development and PRA model development and t1e licensee's staff participated in QA audits of PLG. The NRC staff then reviewed the licensee's audit report 95-073 (VA), documenting the audit ,

conducted at PLG on September 11 - 14, 1995 (Reference 15). That audit examined the implementation of the PLG QA plan with an emphasis on the control of RISKMAN software development and changes. The audit scope included software quality assurance (SQA), procurement, document control, and QA program compliance.

In reviewing the licensee's audit report, the NRC staff noted that PLG had revised two PLG quality-related procedures in response to concerns identified during the licensee's audit. Additionally, the staff examined the licensee's audit checklist (derived from an audit checklist-)romulgated by the Nuclear Procurement Issues Committee), which documented t1at the audit was performed in accordance with the requirements of Appendix B 10 CFR Part 50, as well as ANSI /ASME-NQA-1 (Reference 16), ANSI N45.2.12 (Refer!nce 17), and ANSI N45.2.13 (Reference 18) and the corresponding sections of the PLG QA plan. On the basis of PLG's scope of work, some aspects of 10 CFR Part 50, Appendix B were determined not to apply. A significant number of the items on the licensee's audit checklist were concerned with SQA elements for software V&V, and configuration management. The audit team included a technical specialist who focused on examining computer software aspects.

While the audit did identify some nonconformances, the licensee determined

, that they were not significant to the procured analysis, as they had no impact on the quality of work actually performed by PLG. By confirming the implementation of the PLG QA plan controls, the licensee's audit gives additional confidence in the adequacy of the software and services provided by PLG in support of GQA.

The licensee's independent Nuclear Safety Evaluation Department (NSED) conducted an evaluation (Licensee Report No. 96-02, Reference 19) of the licensee's own risk assessment activities associated with shutdown risk assessment during an outage and for the conduct of on-line maintenance. The NRC staff considers the conduct of NSED evaluations of PRA activities appropriate and consistent with the manner in which the risk assessment results are used with respect to operational plant activities.

11

j The licensee has strengthened quality control beginning with the version of the PRA issued in March 1997 through the following actions:

placing PRA documentation in the vault and under the purview of Records Management, e developing a contre,Iled copy of the computer model, which is only modified after suggesteo changes are reviewed and documented, and

using the plant-wide ' Calculations" procedure (Reference 20) to perform PRA calculations.

The licensee has also identified the plant documentation used as a basis for the PRA analysis, and has n ored the references to the supporting information in a database. Periodically, the licensee's PRA staff searches the plant's documentation system to itlentify any basis documentation that has been changed. The PRA staff then reviews all changed documents and u> dates the working model *.o reflect the changed basis, as necessary. All c1anges to the PRA model, resulting from modeling improvements or plant modifications, are verified by supervisory review before being incorporated into the model.

During the initial categorization, and during each periodic review, the WG and the EP review the PRA assumptions, input, and results together with the deterministic operating and maintenrnce information. This review ensures an on-going evaluation of the PRA by knowledgeable system and plant personnel.

The staff finds the licensee's control of PRA related information acceptable and that it provides for checking and maintaining the correspondence between the plant and the PRA.

3.2.4 EfB. kong The licensee's PRA is an internal and external event, full power, level 2 PRA.

A shutdown risk analysis has been prepared but has not been reviewed or incorporated into the full power model. In the interim, the qualitative review of SSCs by the WG and the EP includes explicit consideration of whether a given SSC is used during shutdown. Shutdown risk contribution is minimized by appropriate administrative controls at STP.

Contributions from all initiating events at full power are included in the importance measure calculations used as the basis for the PRA-based categorization, and the system reports reflect PRA assumptions and boundary conditions. Therefore, the staff finds the scope of the PRA to be acceptable.

3.2.5 PRA Results and Insiahts The application of PRA insights to GQA requires establishing the relationship between basic events in the PRA model and the components that will be subject to GQA controls. A basic event in the PRA model can represent the failure of a single component, a set of redundant components, an entire system, or a collection of components that perform a well-defined function. The staff finds that the licensee has clearly defined the linkage between these items 12

t using a traceable format with tables containing system functions, component-versus-system function, and component-versus-critical function attributes.

The licensee includes these tables in each system's GQA Basis Document report.

During the course of the review of the sroposed GQA program, the staff observed that the evaluation developed >y the licensee to support the categorization of components by their safety significance is conceptually similar to, but more comprehensive than, the evaluation performed to support the categorization of components under the Maintenance Rule. Unlike the industry guidance document (NUMARC 93-01) (Reference 21) which is endorsed by the Maintenance Rule RG (Reference 22), Draft RG DG-1064 (Reference 3) does not specify which importance measures should be used, or the guideline values to be used for those measures. Rather, Draft RG DG-1064 indicates that the licensee should choose and justify appropriate measures and values as part of their GQA application.

The licensee uses the fussell-Vesely (FV) and risk achievement worth (RAW) importance measures to characterize the NA-based safety significance of basic events and thereby the associated SSCs. The FV value is the fraction of tne CDF or LERF to which the failure of the SSC contributes. RAW value is the factor by which the CDF or LERF would increase given that the SSC is unavailable or fails on demand. An SSC with both high RAW and low FV values is highly reliable, but its failure would lead to a major reduction in tne degree of defense-in-depth.

The RAW and FV importance measures used to characterize a given SSC include the contribution of all modaled failure modes for the SSC, including any common cause failures (CCF). If a CCF is modeled (resulting from )lausible CCF mechanisms), the FV and RAW values reflect the importance of 11e system's function that would fall when subjected to a CCF event. If no CCF is modeled (resulting from diversity or reliance on only passive functions for which no plausible CCF mechanism is known), the FV and RAW values reflect the importance of the individual SSCs. The staff finds that this process conforms to the Draft RG DG-1064 (Reference 3) position that the importance of system functions should be considered when CCFs are plausible.

In general, the licensee links the safety-significance category to the level of system and plant performance that could be impaired by degraded SSC performance with the following definitions.

HSS: Degradation of components will result in unacceptable system performance, and possibly plant performance.

MSS-1: Degradation of components could result in unacceptable system performance.

MSS-2: Degradation of components could impair system-level performance. The WG and EP should consider this potential.

LSS: Degradation of components is not expected to impact system performance.

13

i l

! l l !

1 NRS: Failure of component does not impact any safety-significant system function (not applied to SSCs modeled in the PRA). i i

! Figure 1 graphically illustrates the relationship between the RAW, FV, and the i l safety-significance categories for those SSCs modeled in the PRA. Since FV i and RAW are relative measures, both CDF- and LERF-related results are compa ed

to the guidelines and the SSC assigned the highest category. The staff finds .

l this process acceptable, and that the suggested RAW and FY values provide l

reasonable assurance that plant equipment will receive a level of QA control

commensurate with in)ortance to safety. Furthermore, since the licensee i assigns all SSCs witi elevated RAW to the HSS or MSS-1 categories, the staff l finds that the licensee's proposal conforms with the Draft RG DG-1064 l (Reference 3) position that high reliability alone is not sufficient for '

j reducing QA controls.

1

i !

( i I

I l '

l l i ! l I

y l

I I

Ee 100,u.sium tuss.ti I 1 i ! ;

> 10 )

.e iu.vi (uss. -

j 2 3 l 1 , t.. (Lis) Medium tu ss.nl i

, E I i r i a l 0.005 0.01 i Fussel Vesely importance l r u n , s,.m i. .,,ii.e i. .,iii..i .iiris ui. . .....ic i. e sin

i n . n i. n . . . . n i. . . . . . . . ri n i i _;

j Figure 1

! Probabilistic Risk Importance Thresholds for Input to GQA Component Classifications l 14 I

l

-~---o----,.-,,,.~..------.--e.e,-----,-------------

} '.

To investigate the contribution of plant safety attributable to the successful operation of the LSS SSCs, the licensee performed sensitivity studies in which the unavailability was simultaneously increased for all modeled SSCs which could be eventually subjected to reduced QA controls. The calculations for these studies were performed using the PRA logic model (rather than cut-set or sequence results), so truncation errors did not require special study. The staff finds the sensitivity studies to be an acceptable method of ensuring the potential aggregate risk impact of the reduction of QA controls on the LSS SSCs is well understood.

3.2.6 Qualitative Cateaorization Methodolooy During the qualitative categorization )rocess, the WG compiles a system function list and component list for tie system. This involves evaluating all components in the system, whether modeled in the PRA or not, using deterministic considerations to assign an appropriate safety-significance category. . The WG and EP may assign categories on the basis of their knowledge and experience, but the assignment shall be justifiable. Therefore, components categorized as HSS from the PRA are generally also categorized as HSS by the WG with minimal further evaluation. The WG may scrutinize safety-related SSCs categorized as MSS-1 from the PRA to determine the cause of the MSS-1 designation, and may reduce QA controls on the SSC's non-critical attributes. However, as with the HSS categorization, the WG must justify reducing QA controls on critical attributes for a MSS-1 SSC.

To expand the categorization to SSCs not modeled in the PRA (and accept the appropriateness of reduced QA controls on safety-related MSS-2 and LSS SSCs modeled in the PRA), the WG identifies and documents every component attribute which supports any HSS system function. For example, a normally-closed motor operated valve (MOV) which must open to allow Emergency Core Cooling System (ECCS) injection would have the critical attributes of opening on demand, remaining open, and maintaining pressure boundary integrity.

The WG structures its final evaluation of the collected information by assigning consensus weighting factors to each of the following questions for each component:

Could the SSC's failure cause an initiating event?

Could the SSC's failure cause a risk significant system to fail?

Is the SSC used to mitigate accidents or transients?

Is the SSC relied upon in the Emergency Operating Procedure?

Is the SSC significant to safety during mode changes or shutdown?

After assigning the weighting factors, the WG assigns a safety-significance category and a corresponding level of QA controls to each component. The WG develops a record of the critical component attributes, the weighting factors, the applicable PRA category, and the assigned safety significance category, and inserts this information into the GQA Basis Document for review and 15

1 s I

[

i approval by the EP. Section 3.3 of this SER presents additional dotati concerning the licensee's integrated decision-making process. i 3.2.7 Conclusions Renardina the Licensee's Analysis Used to Cateaorize SSCs I

. l As described in previous sections of this SER, the staff evaluated the results r' of previous reviews of the PRA, as well as the robust QA program used by the licensee in developing and u> dating the PRA, and the process the licensee !

intends to use to maintain t to PRA current and use it to evaluate future risk !

changes. On the basis of this review, the staff finds that the quality of the PRA analysis, which includes the PRA models and the various application- '

specific bounding studies, is sufficient for the assigning of SSCs (in '

into broad !

relation safety-significance to their importance categories. to the In CDF and LERF addition, the risk staffmetrics) finds t hat the PRA ;

assumptions and SSC categories are sufficiently well defined. When delivered to the WG and EP along with the system report, as described in the licensee's F

- risk ranking procedure OPGP01-ZA-0304 (Reference 23), these groups of experts can render a risk-informed decision concerning the safety significance of the SSCs and tce appropriate level of QA controls.

As discussed in Section 3.2.5 of-this SER, the staff finds that the importance r measures calculated by the licensee, and the guidelines used to develop the - :

PRA-based categorization from these measures, are reasonable and consistent. :

, Furthermore.'as discussed in Section 3.2.6 of this SER, all SSCs which support HSF system functions are explicitly identified and documented by the WG, and

the information is used during the assignment of appropriate QA controls.

Consequently, the staff finds that the licensee's pro >osed approach conforms with the Draft RG-1064 (Reference 3)_ positions that tie importance of system 3

functions should be considered when categorizing the safety-significance of the individual SSCs, and that it is not always necessary that every SSC supporting an HSS function be categorized HSS.

. 3.3 Intearated Assessment and Monitorina Process f

Final decisions regarding the categorization of SSCs and assignment of appropriate QA controls are made by the EP on the basis of recommendations from the GQA WG and the knowledge and experience of the members of these groups. The EP is composed of senior level management. The WG is composed of 4

senior, multi-disciplinary personnel with the necessary technical backgrounds 4

to enable the rendering of logical recommendations. In addition, the EP and the WG are supported by a var < ety of other organizational entities, as

) discussed in Sections 3.3.1 and 3.3.2 of this SER.

All of the organizational entitles involved with the categorization of SSCs are " standing groups." That is, their existence is defined and ,

responsibilities are described in plant procedures and in the OQAP description (partially). When the licensee implements its GQA program, the different entities will gather, organize, and interpret operational experience. This information will be used by the WG and EP in their periodic reviews of the '

- program to adjust component categorization and/or QA controls, as necessary.

16 ,

=*-.~---w.-erwe--we- -men.m-*-*w--em..-.--*wm-F fr++sy gr - , gp yr -+g. _eeWy _ma. e 4w-,4,e,- a,-wev -ew--g-s- >9 eve rae--- e,.e--ee,w m -pyc-e e- g m.ug,yg+,y% r-ggyyyg- p-

}

3.3.1 Workina Groun The GQA process at STP involves the participation of the GQA WG. This group develops justifiable, risk-informed, performance-based recommendations for the categorization of SSCs and the identification of appropriate QA elements for final consideration by the EP.

The WG is comprised of representatives from Systems Engineering (chairman),

Design Engineering, Quality, Risk and Reliability Analysis, Operating Experience, Licensing, Operations, and Maintenance / Work Control. In addition, the WG membership can be augmented as needed on the basis of the topics under consideration at a given time. A minimum quorum for the WG requires the presence and t.articipation of the chairman and three regular members.

In developing their recommendations for the EP, the WG analyzes component and system performance information, considers available risk insights, as well as the risk-related effects of processes, work activities, and organizations on SSCs, and factors in deterministic insights. The WG then develops a GQA Basis Document for each system, which includes the recommendations and all of the supporting information.

For SSCs within the scope of the PRA, the WG accepts or modifies the categorization developed from the importance measures. To ensure that the WG (and eventually the EP) are fully aware of the strengths and limitations of the PRA models and results, safety significance categories developed from the PRA are augmented with supporting descriptive information. All of the information is compiled into a detailed system report that becomes part of the GQA Basis Document. In addition to the identified categories, the detailed report includes the importance measures for individual components is well as the quantitative guidelines use to assign SSCs to the categories.

Specifically, the detailed Basis Document report (Reference 24) includes the following information :

description of the assumptions used in the PRA related to the system under consideration, e a description of CCFs included in the model,

a description of how support systems are included in the model, e a discussion of system-level failure probabilities, e discussion of potential truncation errors applicable to the system.

model assumptions related to repair and restoration of failed equipment.

human errors and error rates for the system,

limitations in the meaning of the importance measures applicable to the system, and 17

}

(

e results of any sensitivity studies indicating that the .

categorization of components is sensitive to the parameters studied. l The WC also evaluates SSCs that are not within the PSA scope, including *

. balance-of-plant items, instrumentation, mode transition, and shutdown i operations. In such instances the WG evaluates deterministic attributes associated with the eouipment such as seismic, environmental qualification, ,

and electrical separation to arrive at a significance ranking of the items.

(Section 3.2.6 of this SER elaborates on the set of 5 questions that guide the i deterministic evaluation). j The WG then provides the EP with documented recommendations regarding the ,

following considerations: j

identification of QA control levels for SSCs (FULL, BASIC, or I TARGETED),and.

basis for categorization recommendations (PSA inputs, performance analysis, deterministic inputs). .

The WG determines these recommendations by reaching a consensus. Any ,

dissenting opinions will be forwarded to the EP for resolution, in August 1996, the staff had the benefit of witnessing the conduct of a WG i meeting concerning the evaluation of the radiation monitoring system. On that basis, the staff observed the value of a WG to develop supporting information and recommendations for use by the EP in categorizing SSCs and establishing an ;

, appropriate level of QA controls. The staff, therefore, concludes that use of '

a WG is an acceptable method for formulating the GQA program for STP.

3.3.2 Expert Panel The EP is responsible for developing the final decisions regarding the ,

categorization of SSCs and the identification of applicable QA elements in accordance with the licensee's risk management procedure, OPGP02-ZA-0003 (Reference 25). This panel is composed of the Managers of Design Engineering, .,

Systems Engineering, Nuclear Licensing, Risk Management and Industry Relations '

(Chairman), the Administrator of Risk and Reliability Analysis, the Director of Quality, and the General Manager of Generation. A minimum quorum requires '

the presence and participation of the Chairman, the Administrator of Risk and Reliability Analysis, and two regular members. Records of the EP's decision must be maintained as QA records in the licensee's Record Management System .

for STP.

The EP uses the same criteria as the WG when reviewing recommendations from the WG. -Upon completing its review, the EP forwards the approved categorization of SSCs and assignment _ of QA controls to the Plant Change Committee for integration into the licensee's Business Plan for action. The EP also attempts to resolve dissenting opinions from the WG evaluations. Any '

dissenting opinions that are not resolved by the EP will be sent to the Senior Management Team for resolution. :

18 I

.--+-..,,.+y,, u . 3 v.-v,._-,ce.rs., w,.%_,e...,.w.w... _., .,,.mer..mm+..we ,,-,,....w,_,w,, w ,, y y,- % ,,%...e,, .pm.+,..~.wo.,-

. _ ~ -- . - _ - - - - -. .. . - -

,1 \

The role of the EP is to perform the following functions that require senior-level expertise:

approve the criteria for SSC categorization.

review and approve the categorization of SSCs, e approve the criteria for assigning of QA measures to SSCs,

review and approve the assignment of QA measures to SSCs, e forward approved SSC categorization and associated QA measures to the Plut Change Committee, and ,

1

appoint WG members. l l

in August 1996, the staff had the opportunity to attend an EP meeting concerning decisions regarding the radiation monitoring and the essential i cooling water systems. On that basis, the staff observed the value of the EP as a final arbiter for SSC categoritation and QA element assignment. The l staff, therefore, concludes that use of the EP is an acceptable method for formulating the GQA program for STP.

3.3.3 Ooerational Feedback i The licensee has committed to provide a " feedback" loop to identify pertinent ;

performance and operating experience from STP and across the industry. The purpose of this feedback is to facilitate assessment of the effectiveness and appropriateness of the in-place quality elements and the categorization of SSCs. The Operating Experience Group (OEG) is assigned this responsibility, as described in the licensee's risk management procedure OPGP02-ZA-0003 (Reference 25). It is, furthermore, the responsibility of all STP personnel to identify aerformance information and forward that information to de)artment managers. T1e managers, in turn, have the responsibility to provide t11s information to the OEG for evaluation, as described in the licensee's data collection procedure OPGP02-ZA-0004 (Reference 26). The following types of information (among others) should be collected:

all problems reported in the plant's integrated Corrective Action Program database, along with information about the resolution of those problems, e independent oversight results, e self-assessment and system health reports.

equipment history (repairs / successes / failures),

NRC inspection reports and SALP assessments, 19

? \-

I

~

i corporate and joint utility management audits and reports, and j i

e- INP0 reports.

The OEG reviews, evaluates, and catoporizes the performance data into one of five groups, such as " sustained exce lance," ' good with declining trend," or ;

poor perfomance.' The OEG also provides a biannual report to the GQA WG to :

' communicate the results from the current and two prior 6-month periods. For !

equipment assigned to either the BASIC or TARGETED controls, if the OEG performance reports indicate declining or poor perfomance, the WG shall -

review the appropriateness of the assigned QA controls. Adjustments-tothose i controls will be made as necessary. The WG evaluations in these situations :

will be documented and forwarded to the EP for a final determination. l Independent.of the biannual WG meetings, the licensee's Risk and Reliability l Analysis Department (RRAD) will_ update the PRA at least once every refueling cycle (andmoreoftenifnecessary). This update will include model-changes .

as needed, an update of the input failure parameters to reflect the observed ;

equipment performance for the period, a calculation of the new CDF and LERF me rics, and a comparison of tse $$Cs' new importance measures with the ;

i prwvious values. After completing _the update, the results are furnished to '

the WG, which in turn recategorizes the safety significance of the SSCs as needed.

Additionally, the licensee monitors SSC reliability and unavailability, as

-[ Reference 21) which mandated is endorsedby by the industry ;uidance the Maintenance document-(NUMARC Rule RG (Reference 22). T g3-01) hts monitoring !

1 program is currently in place, and provides for continuous evaluation of -

equ<pment failures and maintenance of tne plant's Equipment History Database, j After reviewing the licansee's established and planned feedback mechanisms, the staff concludes that these mechanisms should enable the licensee to maintain control over equipment reliability after implementation of GQA. The periodic PRA updates will ensure that the licensee's RRAD staff will identify :

changing SSC failure parameters and plant changes, which may impact the CDF, LERF, or the safety significance of the SSCs; this information will be provided to the WG and EP for appropriate action. In addition, the OEG's reports and trending studies are intended to identify deteriorating !

performance before failures occur. This proactive approach provides further confidence that SSCs will perform satisfactorily in service, and the Maintenance Aule program will ensure continuing assessment and control of SSC failures.

The DEG plans to search for indications of deteriorating performance among nominally identical conponents. Furthermore, the licensee interprets the ,

, scope of the Maintenance Rule RG (Reference 22) on monitoring for repetitive

. maintenance functional failures to include identification and corrective action following similar failures observed among nominally identical SSCs, and not just similar failures in the same equipment. The staff finds that these approaches are an improvement over the current practice in the licensee's ;

c 20 L i L

L _ __ ,

,! 's !

i ability to detect many pote.itial CCF failure mechanisms before they cause I equipment failures, and are acceptable.

3.3.4 Conclusions Reaardina the Intearated Assessment and Monitorina Process As discussed in previous sections of this SER, the staff reviewed the .

licensee's process of categorizing SSCs based on their s3fety significance.

The staff finds that the licensee's process yields acceptable results because appropriate deterministic and probabilistic insights are discussed and documented by qualified personnel.

In addition, the staff reviewed the licensee's GQA Basis Documents for the essential cooling water, radiation protection monitoring, and diesel generator during several visits to the STP facilities. The organization and content of these documents proved very useful while clarifying a number of the staff's questions regarding methodology, as well as system and component function. On that basis, the staff finds that the documents are comprehensive, well organized, and capable of providing a scrutable record of the functional relationships linking systen, functions to individual component attributes for proper categorization and assignment of QA controls.

Since the licensee has not yet implemented GQA, the staff has not observed any of the organizational entities or work products associated with operational feedback. Nonetheless, the staff finds that the licensee's commitment to performance-based monitoring and feedback will improve control, relative to current practice, over the reliability of plant equipment.

3.4 Licensee's OA Element Gradina and Staff's Evaluation This section of the SER discusses the licensee's approach to grading certain QA elements from the FULL program for applicability to the BASIC program. The staff's evaluation of each area of grading and overall conclusions are also presented.

3.4.1 OA Element Gradina Based on Safety Sionificance of SSCs As part of the GQA proposal, the licensee revised the 00AP description of the QA controls to be implemented for SSCs based on their safety significance. The nine areas of grading of QA elements for the BASIC program are dinussed in the following sections. In each area, the FULL program requirement, and the licensee's commitment for GQA are identified; this is followed by an evaluation of- each area of grading relative to the degree of compliance to the guidance given in RGs, industry standards, and the SRP. The licensee's listing of specific departures of the GQA elements from current commitments is generally given in Table 1 Chapter 2.0 of the OQAP description.

3.4.1.1 Documentation of the Use of Desian Inouts

a. FULL Proaram Reauirement: Section 3.2, " Requirements," of 1 ANSI N45.2.11-1974 (Reference 27), identifies the relevant design input considerations. In addition, Section 3.1,

" General,' of the same standard requires the documentation of applicable design inputs.

21

~

j .

b. STP Commitment: The licensee will require its personnel to consider design input items 1 through 28 from Section 3.2 of ANSI N45.2.ll-1974; however, a documented checklist reflecting consideration of these items shall be prepared only as deemed necessary for the BASIC p a ram.

c. Staff Evaluation: The licensee's commitment to consider technical aspects associated with the applicable design inputs riescribed in Items I through 28 wien performing design activities, and documenting such considerations only when deemed necessary, is acceptable. This alternative is consistent with the provisions contained in Draft RG DG-1064 (Reference 3).

3.4.1.2 jndeoendent Desian Verification

a. FULL Proaram Reauirement: Regulatory Position C.2 of RG 1.64 (Reference 28), Revision 2, requires the following:

'Regardless of their title, individuals performing design verification should not (1) have immediate supervisory responsibility for the individual performing the design, (2) have specified a singular design approach, (3) have ruled out certain design considerations, or (4) have established the design inputs for the particular design aspect being verified. While design verification by the designer's immediate supervisor is encouraged, it should not be construed that such verification constitutes the required independent design verification, nor should the independent design verification be construed to dilute or replace the clear responsibility of supervisors for the quality of the work performed under their supervision."

In addition, design reviews shall consider and document tha 19 questions listed in Section 6.3.1, " Design Reviews," c ANSI N45.2.ll-1974 (Reference 27) which is endorsed by RG 1.64 (Reference 28).

b. STP Commitment: For the BASIC program, the licensee pro)osed to accomplish design verification in accordance wit 1 Section 6.1, " General," of ANSI N45.2.ll-1974 (Reference 27), which states, in part, the following:

"This verification may be performed by the originator's supervisor provided the supervisor did not specify a singular design approach, or rule cut certain design considerations and did not establish the design inputs used in the design, or if the supervisor is the only individual in the organization competent to perform the verification.

Cursory supervisory reviews do not satisfy the intent of this standard."

22

) ?.

The licensee has committed to consider the 19 design review questions, but will document the checkitst items only as ,

deemed necessary,

c. Staff Evaluation: The licensee's exception to Regulatory Position C.2 of RG 1.64 (Reference 28) is considered acce) table since it is included in NQA-1-1983 (Reference 16) whic) was endorsed by the NRC in RG 1.28, Rev. 3 (Reference 29). In addition, this alternative is consistent with the provisions of Draft RG DG-1064 (Reference 3).

With regard to documentation of the 19 design review question checklist, the Itcensee will continue to consider the technical aspects of the 19 questions and the staff considers documentation to be implemented only as deemed necessary to be acceptable, and consistent with the provisions contained in Draft RG DG-1064 (Reference 3).

3.4.1.3 Inspection of Maintenance and Modification Activities

a. FULL Proaram Reauirement: Section 5.2.7, " Maintenance and 4 Modifications," of ANS-3.2/ ANSI N18.7-1976 (Reference 30) as endorsed by RG 1.33 (Reference 31) states, dn part, the following: ,

"A suitable level of confidence in structures, systems, and components on which maintenance and modifications have been performed shall be attained by appropriate inspection and performance testing... *

b. STP Commitment: The licensee proposed to perform inspections of maintenance and modification activities, for the BASIC program, as deemed necessary based on the relative complexity of the work.

c. Staff Evaluation: The staff considers the alternative proposed by the licensee to be acceptable based on the following:

1. Inspections will be performed on relatively complex maintenance and modification activities. For ;

maintenance and modification activities that are not complex, the licensee will continue to perform post-installation testing, applicable periodic surveillance testing, receiving inspections, and inservice inspections in accordance with the appropriate BASIC program controls. These testing and inspection activities are expected to produce adequate confidence that the SSCs which are less significant to safety will perform their intended functions.

23

,1 ..

2. The licensee's DQAP description includes provisions to conduct an independent overview of GQA activities and evaluation of failure trends and the performance of all LSS SSCs including those that have not had inspections performed on associated maintenance and modification activities. Chapter 2.0 of the licensee's proposed GQA program provides for feedback mechanisms that would adjust QA controls on an as-needed basis.

3. This alternative is consistent with the provisions contained in Draft RG DG-1064 (Reference 3).

3.4.1.4 Certification of Personnel Performino Insoections

a. TULL Proaram Reautrements: Inspection personnel are qualified and certified in accordance with the provisions of ANSI N45.2.6-1978 (Reference 32), which has been endorsed by the NRC in RG 1.58 (Reference 33). This standard includes specific educational and experience requirements, as well as inspection activity capabilities that candidates must demonstrate in order to attain certifications for Levels I, II, and III.

b. STP Commitment: The licensee proposed to use the following criteria when selecting personnel to inspect maintenance and modification activities for the BASIC program:

With the exception of receipt inspection, personnel may perform inspections, examinations and tests provided they are experienced, task qualified journeymen, or supervisors, who did not perform or directly supervise the activity being inspected, examined or tested. These individuals shall also receive training to the Quality organization's inspection procedure / process / methods in accordance with a Quality approved training program; and Quality will provide periodic oversight of the inspection activities.'

c. Staff Evaluation: The staff considers the licensee's

)roposed alternative to be acceptable on the following

) asis:

1. To ensure technical adequacy and adherence to quality program require:wnts, inspections at STP will be performed by individuals that are knowledgeable in the area being inspected. And have also received inspection training from the Quality organization.

l

2. To maintain suitable independence and objectivity, personnel performing these inspections will not be the same individuals who performed or supervised the work.

l 24 l

t i

3. The licensee's GQA program will provide periodic independent oversigit of these inspections by QA personnel and results of these oversights will be evaluated to identify possible trends. In addition, Cntpter 2.0 of the licensee's 00AP description provides for feedback mechanisms that would result in adjustments of QA controls on an as-needed basis.

4. This alternative is consistent with the provisions contained in Draft RG DG-1064 (Reference 3).

3.4.1.5 Procurement Control of SSCs

4. FULL Proaram Renoirement: Regulatory Positions C.6.a./c./d.

in RG 1.123 (Reference 34) provide guidance for evaluating suppliers, criteria for certificates of conformance (C0C), ,

and acceptance by receiving inspection. These posit 90ns are -

as follows:

The purchaser shall evaluate the supplier's history of providing a product that performs satisfactorily in actual use. t

Where COCs are used for acceptance, the COC shall identify the product purchased, ks well as the procurement requirements that were met or not met, and a QA functionary must attest to these statements. in addition, either the purchaser's or supplier's QA program must describe the procedure for issuing the COC, and shall provide a means for verifying the validity of the C00 system.

Receiving inspections shall be coordinated with the review of supplier documentation when such documentation is furnished prior to the receiving inspection.

b. STP Commitment: for the BASIC program, the licensee proposed to follow the guidance given in Sections 4.2.a.

10.2 (a through f), and 10.3.2 in ANSI N45.2.13-1976 (Reference 18) rather than the positions presented in RG 1.123 (Reference 34). Specifically, the guidance in this ANSI standard permits i te purcha:er to meet the above requirements as deemed necessary,

c. Staff Evaluation: The licensee's proposed alternative to the positions presented in RG 1.123 (Reference 34) is considered acceptable because the items are less significant to safety, and because the licensee has proposed a program to monitor and trend failures as a source of feedback information to guide any necessary corrective actions. In 25 l

,1 *.

addition, this alternative is consistent with the provisions contained in Draft RG DG-1064 (Reference 3).

3.4.1.6 Sunnlier Evaluation

a. FULL Proaram Reautrement:

NRC endorsed the guidance provided In RG 1.123 (Reference 34 , the7.2.1),7.3.1 in Sections 10.3.1, and 12 of ANSI N45.2.13-1976 (Reference 18). This guidance includes the following:

Section 7.2.1, " Source Verification Planning,"

requires that source verification activity planning shall " identify the appropriate inspections, tests, prerequisites and inspection sequence, and the documentation required by the procurement document."

Section 7,3.1, " Source Verification Activities,"

indicates that "when planning requires purchaser source surveillance, it shall be implemented to monitor, witness or observe activities. Similarly, source inspection shall be implemented in accordance with plans to perform inspections, examinations, or tests at predetermined points. Source surveillance and inspection may require the assignment of personnel

, to a supplier's facilities. When conformance to procurement requirements is verified by audit, such audits shall be conducted in accordance with established methods."

Section 10.3.1, " Acceptance by Source Verification,'

indicates that " acceptance by source verification should be considered when the item or service is vital to plant safety; or difficult to verify quality characteristics after delivery; or complex in design, manufacture, and test. The source verification activities should include but not be limited to the following as applicable:

a. Documentation has been submitted as required and provides verification of approvals, material, applicable inspections, and tests,

b. Fabrication procedures and processes have been approved and complied with and the applicable qualifications, process records, and certifications are available,

c. Components and assemblies have been inspected, examined, and tested as required and applicable inspection, test and certification records are available.

26 L

\

l .

.1 , S :

d. Nonconformances have been dispositioned as }

required. ;

e. Components and assemblies are cleaned, preserved packed and identified in accordance i withspeclfiedrequirements. j i

f.

Upon purchaser acceptance by source verification, documented evidence of acceptance r shall be furnished to the receiving destination 1

of the ites, to the purchaser, and to the !

supplier."

Section 12, " Audit of Procurement Program,' indicates !

, that " periodic or randon audits shall be performed to ,

verify compliance with procurement activities described in this standard. The scope of planned :

. auditing activity may cover individual operations. -

events, processes,'or the complete quality assurance ,

program. When deemed necessary by the purchaser, !

aud' ts of subtier- suppliers shall be carried out to assure that their quality assurance programs on procurement adequately translate the necessary requisites of the governing procurement documents to i the items or services involved. The audits shall be i conducted in accordance with established methods." .

i

b. STP Commitment: The licensee pro >osed to implement the ANSI standard provisions (summarized a >ove), for the BASIC program, only when deemed necessary to assure the quality of l a procured item or service.

c. Staff Evaluation: The staff considers the licensee proposal to perform the ANSI standard provisions only when deemed necessary as described above to be acceptable because the ,

items procured in this manner are less significant to safety, and because the licensee committed to perform 1 receipt inspections, conduct preoperational testing, and monitor and trend failures for feedback to identify any necessary corrective actions. In addition, these alternatives are consistent with the provisions contained in >

. Draft RG DG-1064 (Reference 3). It P further noted that the licensee's identified alternative to Section 7.3.1 of the standard is considered acceptable since the language in the standard already makes source verification optional, and i RG 1.123 (Reference 34) does not make it mandatory.

]

3.4.1.7 Auditina cf Sunnliers' Performance

a. FULL Proaram Reautrement: Regulatory Iosition C.3.b in RG 1.144 (Reference 35) provides guidance regarding the conduct of supplier auditing and the frequency of supplier 27

.._, _ . . _ . _ , _ . ., _ _ ,. m . _._ _ _ . _ _ . _ _ _ _ _

I l

,1 %

j evaluations. ANSI N45.2.12-1977 (Reference 17) also -

provides guidelines regarding the conduct of external i audits.. Similarly, Section 2.4 of ANSI N45.2.2-1972 ;

(Reference 36) which is endorsed by RG 1.38 (Reference 37) )

also addresses the requirement for external audits. The RG l

< 1.144 guidance for the auditing of suppliers is as follows: !

For items that are not simple or standard in design, !

manufacture, or test; are not amenable to standard er :

automated inspections or tests during receipt inspection; or cleanness could be ;

and whose adversely integrity,

_affected duringfunction,ipt rece inspection, " elements of a :

supplier's quality assurance profiram should be audited by the purchaser on a triennial bas's with the audit implemented in-accordance with Section _4. " Audit !

Implementation," of ANSI /ASME N45.2.12-1977" (Reference 17).

In addition, RG 1.144 (Reference 35) provides the following- i guidance on the frequency of supplier evaluation:

"A documented evaluation of the supplier should be _

performed annually." ,

b. STP Commitment: The licensee has proposed, for the BASIC '

program, that suppliers of SSCs should be audited only as deemed necessary. Those audits that are conducted will be as unplanne4/ unscheduled-audits. The licensee also took exception to Regulatory Position C.J.b with regard to the frequency of supplier evaluation. Specifically, the licensee ;

proposed to perform such evaluations on a biennial basis.

In addition, the licensee will pe-f.rm overviews of !

suppliers based on performance monitoring and trending of ;

feedback from receipt inspection results, post-modific.ation tests and inspections, and plant operational results,

c. Staff Evaluation: The staff concludes that the licensee's alternative approach to evaluating suppliers is acceptable because the items to be procured from these suppliers are less significant to safety, and because of the licensee's commitment to review the suppliers' QA programs for acceptability, perform receipt inspections by certified Quality inspectors, conduct preoperational testing, and monitor and trend component failures as a source of feedback information to guide any necessary corrective actions. In addition, this alternative is consistent with the provisions contained in Draft RG DG-1064 (Reference 3).

3.4.1.8 Other Reaulatory Guide and Standards Guidelines ,

'In Chapter 2.0, Table I, of the 0QAP description, 'the licensee indicated that it will implement other RG positions and recommendations as stated if not specifically addressed in the table. With regard to the ANSI standards, the 28

, .' 's [

i licensee will implement requirements i.e., "shall") except where the standard. ,

provides options or requires a graded (approach (notwithstanding the general ;

applicability statements typically found in Section 1.0 of many of the 3 standards), but only in those areas to which the endorsing RG positions and ;

recommendations do not speak. The staff finds this acceptable because the :

licensee will continue to apply the FULL program controls in those cases not addressed in-the table. In addition the licensee's graded application of the -

ANSI standard 'shall" statements is In accordance with previously accepted l

. licensee commitments. l 3.4.1.g Corrective Action The 0QAP description includes a prorium for implementing appropriate :

corrective actions to address component failures. This program was in place ;

before the onset of GQA and will continue for all safety-related and !

nonsafety-related SSCs addressed by both the FULL and BASIC programs.- In addition, this corrective action program includes provisions for identifying - :

. and tracking conditions adverse to quality for management review to assess i

! their significance. For those conditions determined to be significant to '

-safety, root cause analysis and corrective action to preclude repetition will be conducted; the entire process will be monitored by management. In addition, the licensee will evaluate and trend conditions adverse-to quality. ;

As part of the BASIC program, the licensee has committed to continue implementing the current corrective action program with the addition of one facet discussed below. In so doing, one of the licensee's purposes is to evaluate operating experiences and the performance history of all components.

Such evaluations enable the licensee to determine the need for programmatic modifications, such as a change in QA controls applied to the item, or a change in its safety significance categorization, if a weakness is identified.

. Criterion XVI of Appendix 8 to 10 CFR Part 50 requires such a program, but limits the need for root cause analysis of component failures to those that could cause a significant condition adverse te mality. Since the failures of SSCs that are addressed by-the BASIC program wis not generally rise to that level of significance, the licensee has additionally committed to perform 4

cause determinations of such component failures. . Based on trending analyses, the licensee can then identify and take appropriatri corrective action. The licensee has indicated this may result in the need for more detailed root cause analyses in the event of repeated failures or failures with generic implications for items addressed by the FULL program. The ste G finds that ,

the licensee's application of these corrective action controls conforms to 4 Draft RG DG-1064 (Reference 3).

3.4.2 Medium Safety Sionificant and TARGETED 0A Controls The QA controls applicable to safety-related SSCs determined to be of medium safety significance (namely -the MSS-1 category), and nonsafety-related SSCs 29

} h l

determined to be of safety significance (namely, the HSS, MSS-1 and MSS-2 categories) will be selected from the FULL and BASIC programs as follows:

The critical attributes of safety-related SSCs in the MSS-1 category will be subjected to the QA controls in the FULL program, and the remaining attributes subjected to QA controls in the BASIC program.

Safety-related SSCs in the MSS-2 category will be subjected to QA controls in the BASIC program unless modified by the WG.

The critical attributes of nonsafety-related SSCs in the HSS MSS-1 and MSS-2 categories will be subject to the QA controls in the FULL and BASIC programs in a forward fit manner (i.e., only future operational activities associated with previously procured and .

Installed equipment of this type would be subject to this requirement).

3.4.3 Conclusions Reaardina the Licensee's Gradina of OA Controls In light of the findings discussed previously, the staff concludes that the licensee's pro, nosed BASIC program, for grading the applicability of QA clements for activities conducted on safety-related SSCs consistent with their importance to safety, continues to be in conformance with the requirements of Appendix B to 10 CFR Part 50. Further, the licensee's prorosed GQA program for safety-related SSCs in the LSS. MSS-1 (where FULL controls are also applied to critical attributes) and MSS-2 categories is in general agreement with the provisions contained in the staff's Draft RG DG-1064 (Reference 3).

The staff draws these conclusions primarily on the basis of the medium and low safety significance of the SSCs to which the BASIC program applies, and because of the licensee's commitment to perform receipt inspect %ns, conduct preoperational testing, and monitor and trend failures as a direct source of feedback to assist in developing any necessary correctite actions. In addition, licensee management will monitor the adequacy of the program on a semi-annual basis, and programatic changes in response to failure cause determinations will be implemented as necessary. The 00AP description for STP also provided an adequate identification of the QA elements that the licensee will implement for both the FULL and BASIC programs to satisfy the requirements of 10 CFR 50.34(b)(6)(ii).

3.5 Resulst of Staff Evaluations As discussed in Section 2.3 of this SER and described in Draft RD DG-1061 (Reference 2), changes arising from risk-informed applications are expected to meet a set of five key principles. During a number of internal meetings, the staff discussed how the licensee's proposal addressed each of the five principles with NRC management. Issues raised during these meetings were communicated back to the licensee and resulted in changes to the submittal.

All issues were resolved as documented in the SER. Because this was the first GQA application, increased management attention was applied to the pilot submittal even though the staff does not expect the GQA process for STP to result in a risk increase corresponding to the region of the acceptance 30

, , 'g.

guidelines in Draft AG DG-1061 (Reference 2) that calls fur

increased management attention". Each pr< nciple is discussed below.

, 3.5.1 The Pronosed Channe Meets the Current Reaulations

Criterion 1 in Appendix A to 10 CFR Part 50, permits GQA as indicted by the following excerpt

Structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed."

Criterion !! in Appendix B to 10 CFR Part 50, permits GQA, as indicated by the following excerpt:

'The quality assurance program shall arovide control over activities affecting the quality of tie identified structures, systems, and components, to an extent consistent with their importance to safety."

Therefore, an exem> tion or rule change is not required to implement GQA. The staff finds that tie licensee's proposed GQA program initiative is consistent with the current regulations.

3.5.2 Defense-in-Denth is Preserved The level of defense-in-depth at STP is a result of deterministic factors such ,

as the plant's design basis, safety limits, and operating margins. No change !

will be made to any design characteristics of any SSC under the GQA program.

The changes to the QA program will only adapt the control over activities affecting the quality of the categorized SSCs to an extent consistent with !

their importance to safety.

Defense-in-depth consists of a number of elements that can be used as guidelines for making the assessment that the philosophy of defense-in-depth is maintained. The staff finds that the licensee's process preserves defense against each element as discussed below.

A reasonable balance is nreserved amona orevention of core damaae.

nrevention of containment failure. and consecuence sitiaation Implementation of GQA does not of itself alter the plant's response ;

to transients or other initiators and will not alter the preventive or mitigative capability of station equipment. Characterizing the safety significance of SSCs on the basis of PRA insights reflects the balance between preventing core damage and consequence mitigation by directly addressing concerns regarding both CDF and .'

LERF. Additionally, all SSCs in the system, whether modeled in the PRA or not, are deterministically evaluated by the WG and EP. These deterministic evaluations consider each SSC's ability to cause 31 F

initiating events, its potential use in mitigating design-base accidents (DBAs), and its use in supporting 10Ps.

The licensee's GQA program should improve this balance by incorporating nonsafety-related SSCs in the TARGETED QA program.

This can prove particularly useful in preventing or mitigating transients outside of the traditional DBAs, since the enhanced application of QA controls should result in a higher degree of ,

confidence in the capability o' these SSCs to perform their design function (s).

Over-reliance on oroarammatic activities to comoensate_for weaknesses in plant desian is avoided The licensee's GQA program will not reduce design margins or defense-in-depth based on compensating programmatic activities. For example, the licensee will not develop new operator actions to compensate for any perceived design weaknesses.

System redundancy. indeoendence. and diversity ai-e preserved gggtninigrate with the exoected freauency and consecuences of challenoes to the systems The licensee determines the safety significance of SSCs from the expected frequency and consequences of challenges to the systems, including nonsafety-related SSCs that have been determined to provide a useful function for preventing or mitigating reactor accidents. SSCs modeled in the PRA receive explicit frequency and consequence characterizations. SSCs not modeled in the PRA are characterized with a set of deterministic questions addressing the frequency and consequences of challenges. Therefore, the licensee's implementation cf GQA should not degrade, and may improve, the balance between each system's redundancy, independence, and diversity and the expected frequency and consequences of challenges to the system.

Indeoendence of barriers is not dearaded The licensee's implementation of GQA will neither remove nor alter existing physical barriers. Moreover, the current levels of system redundancy and diversity in the plant's design will not be changed as a result of the implementation of GQA. Less rigorous QA controls, which might reduce independence because of an increased possibility of CCFs, will only be applied with due consideration of the safety significance of such a reduction. In addition, the licensee proposed a monitoring and corrective action program capable of identifying unacceptable reductions.

Defenses aaainst human errors are preserved Less rigorous QA controls, which might lead to increased maintenance errors, will only be applied with due consideration of the safety 32

significance of such a reduction. Furthermore, no new post-transient operational errors will be introduced, since no changes to SSC design or abnormal operating procedures (AOPs) or E0Ps are associated with GQA.

3.5.3 Sufficient Safety Marains are Maintained As proposed, the licensee's implementation of GQA does not involve changing any acceptance criteria in the current licensing basis. Codes and standcrds relative to equipment qualification are also not changed; however, the program will entail the use of certain alternatives to codes and standards that implement Appendix B to 10 CFR Part 50, with regard to the application of QA controls. This SER documents the staff's evaluation of these alternatives and the staff's conclusion that GQA will maintain sufficient safety margins.

3.5.4 Pronosed Increases in Risk. and Their Cumulative Effect Are Small and Do Not Cause the NRC Saf'tv Goals to be Exceeded The licensee's proposed GQA approach does not provide a quantitative estimate of the change in risk resulting from the change in QA controls over SSCs ber.ause no data or models are available to quantify the impact on SSC (e11 ability. However, the staff noted the following observations with regard to the risk associated with the licensee's GQA initiative.

The categorization process is sufficiently robust to provide reasonable confidence that safety-related SSCs which are significant to plant safety will receive FULL QA controls.

The continued application of BASIC controls to MSS-2 and LFS safety-related SSCs ensures that the quality of all safety-related SSCs continues to receive appropriate attention (as a measure of defense-in-depth).

The increased QA controls on HSS and MSS nonsafety-related SSCs will improve the confidence that these SSCs will perform satisfactorily.

The licensee's (excluding only shutdown risk) estimated CDF of slightly less than 1.0E-5/yr and estimated LERF of slightly more than 1.0E-7/yr compare favorably with the 1.0E-4/yr CDF and 1.0E-5/yr LERF guidelines in Draft RG DG-1061 (Reference 2).

The licensee implementation of GQA includes a variety of periodic and comprehensive monitoring, evaluation, and feedback mechanisms to permit trending of component performance. These mechanisms provide confidence that SSC degradation and failures throughout the plant will be evaluated in an integrated manner, and that actions will be taken on the insights from the evaluations as appropriate.

The staff expects that the increased performance monitoring coupled with the increased QA controls or, HSS and MSS nonsafety-related SSCs should compensate for any potential risk increase due to applying the BASIC program to safety-related SSCs of less safety-significance.

33

Although it could result in a decrease in reliability of some LS$ and HSS-2 I

$$Csv based on increased QA controls on HS$ and MSS nonsafety-related $$Cs and i appropriate monitoring of equipment perfomance, the staff expects that the !

GQA process would likely result in an overall decr?ase in risk and is thus l consistent with principle 4.- !

-3.5.5 performance-Based ' molonennatinn and Monitorina Strateales Address .

Uncertatnties and I ' rov ' de "1me' y Feedback and Corrective Action !

As discussed in Section 3.3 of this SER, the staff finds that the proposed

feeJback mechanisms provide confidence that the licensee will be able to .

maf.ntain control over equipment. reliability after implementing the GQA !

program. These mechanisms also explicitly provide for monitoring possible ir, creases in CCF after implementation of GQA. ;

Specifically, short-term monitoring of failed equipment will include weekly-estimates of risk profiles; additional information is also provided by the $$C -

failure evaluation process used to-implement the Maintenance Rule. Long-ters i monitoring will include both the periodic PRA updates and the OEG's trending studies, which are intended to tect increases in the number of deteriorating i conditions, even when-such conuitions are repaired before outright failures .

occur. j

4.0 CONCLUSION

S AND RECOMENDATIONS The staff concludes that the licensee has proposed an acceptable methodology for the-GQA initiative in the OQAP description for STP which is further amplified upon in the associated implementation procedures and other docketed information. The licensee has developed procedures for the categorization of SSCs, and committed to control changes to-these procedures in accordance with the requirements of 10 CFR 50.59. The staff further concludes that the proposed methodology is generally consistent with the applicable regulatory review criteria in: Draft RGs DG-1061 (Reference 2) and DG-1064 (Reference 3); SRP Chapters 17.1 and 17.2 (Reference 6); and draft SRP Chapter 19 (Reference 5). The staff has evaluated the differences between the licensee's approach and the pertinent regulatory guidance and found that these differences are technically acceptable. On the basis of this safety evaluation, the staff reached the following additional conclusions: ,

The licensee has developed an acceptable methodology to determine the relative safety significance cf plant SSCs. l

The licensee has defined-appropriate QA controls for applicability to the categories of plant SSCs.

The licensee has adequate feedback mechanisms in place to adjust the GQA provisions if operational performance should dictate the need. '

All pertinent regulatory requirements continue to be satisfied. ,

The staff has concluded that the licensee's proposed Revision 13 of the OQAP description for'GQA at-STP (comprised of change QA-028, dated 5/22/97, change L 34 ,

l

l. ' . . '* ,

0A-032, dated 6/10/97, and change QA-033, dated 7/16/97) continues to meet the requirements of Appendix 8 to 10 CFR Part 50. The staff's conclusions are based on the review and evaluation of documented information provided by the licensee beginning with the initial GQA submittal of the proposed DQAP description dated March 28, 1996 (Change QA-028), and the final submittal of information dated August 4, 1997. All information submittals are listed in Section 6.0 of this SER and ir. elude OQAP description changes QA-028, QA-032, and QA-033 (Revision 13), responses to the staff's RAls, arocedures addressing the PRA process for categorizing SSCs, and revisions to Caapter 13.0 of the FSAR. To provide continued assurance of the effectiveness of the licensee's OQAP, the staff intends to monitor the licensee's implementation of the GQA program for STP.

35

5.0 REFERENCES

1. Draft Evaluation Guide, Revision 5, " Development of Graded Quality Assurance Programs," January 1996.

2. Draft RG DG-1061, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Current Licensing Basis," March 28, 1997.

3. Draft RG DG-1064, "An approach for Plant-Specific, Risk-Informed ,

Decision Making: Graded Quality Assurance," March 24, 1997. '

4. NRC SRM, SECY-97-077, " Draft Regulatory Guides, Standard Review Plans and NUREG Document in Spoport of Risk Informed Regulation for Power Reactors," June 5, 1997.

< 5. Draft SRP, Chapter 19, NUREG-0800, "Use of Probabilistic Risk Assessment' in Plant-Specific, Risk-Informed Decisionmaking: General Guidance,"

March 27, 1997.

'. .6. SRP, Chapters 17.1 and 17.2, NUREG-0800, " Quality Assurance'During the Design and Construction Phases" and " Quality Assurance During the Operations Phase," July 1981.

7. Draft licensee document, " Radiation Monitoring System Graded Quality Assurance Basis document," included as attachment to NRC Meeting Summary issued November 7, 1996.

S. " Safety Evaluation by the Office of Nuclear Reactor Regulation Related to the Probabilistic Safety Analysis Evaluation," sent to the Houston Lighting & Power Company under cover letter dated January 21, 1992,

9. " Safety Evaluation by the Office of Nuclear Reactor Regulation Related to the Probabilistic Safety Assessment - External Events," sent to the Houston Lighting & Power Company under cover letter dated August 31, 1993,

10. " Staff Evaluation of South Texas Project Individual Plant Examination (Internal Events Only)," sent to the Houston Lighting & Power Company under cover letter dated August 9,1995.

11. Generic Letter 88-20, " Individual Plant Examination for Severe Accident Vulnerabilities - 10 CFR 650.54(f)," November 23, 1988.

12. STP, Units 1 and 2, Amendment Nos. 59 and 47 to Facility Operating License Nos. NPF-76 and NPF-80, February 17, 1994.

13.- STP, Units 1 and 2, Amendment Nos. 85 and 72 to Facility Operating License Nos. NPF-76 and NPF-80, October 31, 1996.

14. OPGP01 1A-0304, Rev. 1, STP procedure "Probabilistic Safety Assessment i Risk Ranking," Addendum 2, May 20, 1997. I l

36 1

j f,":h -

e i

.y r

p

15. HL&P audit repnt of PLG, Audit No.95-073(VA), conducted on

< ^ September 11-14, 1995. ,

,v .16p ANSI /ASME NQA-1-1983 Edition, " Quality Assurance' Program Requirements 1 t for Nuclear Facilities". j i1 C _ >:}y', > ANSI /ASME N45.2.12-1977, " Requirements for Auditing of Quality Assurance; i '

Programs for Nuclear Power Plants". .

i

. L .

! , . /18.m ANSI:N45.2.13-1976, " Quality Assurance Requirements for Control of ,

Procurement of Items and Services for Nuclear Power Plants".-

L e ;

19 7 : HL&P Nuclear Safety Evaluation Report, NSE 96-02, July 3.1904 a'

- f20. OPGP03-ZE-0002, Rev. 3, " Station Procedure - Safety-Re1 ' U q Calculations".

21. NUMARC 93-01,~Rev. 2 (April 1996), " industry Guideline u

M t" 9 the Effectiveness of Maintenance at Nuclear Power Plants.

22. RG 1.160, Rev. 2 (March 1997), " Monitoring the Effectivenen Maintenance at Nuclear Power Plants.

23. OPGP01-ZA-0304, Rev. 1, "Probabilistic Safety Assessment Risk Ranking,

- Addendum 2, Graded Quality Assurance".

24. " Radiation Monitoring System Graded Quality Assurance Basis Document,"

draft report, Auguet 21, 1996,

25. OPGP02-ZA-0003, Rev. 2 " Comprehensive Risk Management Procedure".

26. OPGP02-ZA-0004, Rev. O, draft, " Station Performance Data Collection, Categorization, and Reporting Procedure".

27. ANSI N45.2.ll-1974, " Quality Assurance Requirements for the Design of Nuclear Power Plants".

28. RG 1.64, Rev (June 1976), " Quality Assurance Requirements for the i Design of Nuclear Power Plants". '

29. RG 1.28, .Rev 0 (June 1972), " Quality Assurance Program Requirements (Design and Construction)".

30._ ANS-3.2/ ANSI N18.7-1976, " Administrative Controls and Quality Assurance for the Operational Phase of Nuclear Power Plants".

i31. RG.I.33, Rev 2 (February-1978), " Quality Assurance Program Requirements (Operation)".

32. ANSI /ASME N45.2.6-1978, " Qualifications of Inspection, Examination, and Testing- Personnel for Nuclear Power Plants".

'37 g j f

.g 4 y r

. *, f ! , 'a ,

33. RG'l.58 Rev 1 (September 1980), " Qualification of Nuclear Power Plant

. Inspection, Examination, and Testing: Personnel". ,

34. RG. I.123, .Rev 1 (July 1977), " Quality Assurance Requirements ' for~ Control.

of Procurement.of Items'and Services for Nuclear Power Plants".

35, _ RG 1.144-1980, Rev'l', _" Auditing of-Quality Assurance Programs for' ,

Nuclear' Power Plants".

36. ANSItN45,2.2-1972, " Packaging, Shipping, Receiving, Storage and Handling

. - of Items for. Nuclear Power Plants". ,

y -37 7 RG 1,38, Rev 2 (May 1977), " Quality Assurance Requirements for'. .

F

-Packaging, Shipping, Receiving, Storage, and Handling of Items-for-

, , &' Water-Cooled Nuclear Power Plants", -

t ;

7 g 'f ; * .S , + ,

4 b 5

t. E I, s .5

p __ %. k y -->

5

<k "

~-

t

.- N.

3 1 l}

t

_ =

38

,'. ' i U .

6.0- CHRONOLOGY OF EVENTS Significant correspondence and other major events related to the licensee's submittal and the staff's review of the revised 0QAP in support of GQA for STP are listed below:

4/19/95 HL&P/NRC initial meeting to discuss GQA overview, Mtg. summary dated 4/20/95 5/8/95 HL&P/NRC meeting to discuss GQA concepts, Mtg. summary issued 6/9/95 7/17/95 HL&P/NRC meeting on planned GQA submittals, Mtg. summary issued 7/27/95 ,

10/3/95 HL&P/NRC maeting on draft GQA procedures, Mtg. summary issued 11/7/95 12/7/95 HL&P/NRC meeting on updated draft procedures, Mtg. summary issued on 2/2/96 L

1/24/96 NRC ltr. to HL&P, GQA initiative 3/28/96 HL&P ltr. submitted 0QAP, change QA-02A and the following documents:

draft implementation procedure " Comprehensive Risk Management" (OPG02-2A-0003),

e draft implementation procedure "Probabilistic Safety Assessment Risk Ranking "(0PG01-ZA-0304),

a draft implementation procedure "Probabilistic Safety Assessment Program" (OPG04-ZA-0604),

. draft implementation procedure " Configuration Control of the Probabilistic Safety Assessment" (OPE 01-ZA-0303),

. draft implementation procedure " Station Performance Data Collection, Categorization, and Reporting" (0PGP02-ZA-0004), and

= a draft Charter for the Graded QA Expert Panel.

4/11/96 NRC/ industry mtg. on NRC evaluation guide, Mtg. summary issued 5/1/96 -

P 4/16/96 NRC ltr., supplemental information on GQA initiative (CBLA) 4/17/96 HL&P ltr. comments on NRC GQA evaluation guide 4/25/96 Meeting on Schedular Aspects, Mtg. summary issued on 5/8/96 5/1/96 NRC ltr. to HL&P on review schedule 39

,. . - ~

j.

l . o. ; -

' \

b

.[

~

^4- :6/19/96- HL&P/NRC meeting on draft RAls,for GQA; Mtg. sumary issued 7/24/96- .

%; i NRC ltr. to HL&P' transmitting Palo Verde trip report ?

. _"'7/31/96

.,; e , .

1, ;,

j' 8/16/96 NRC letter to HL&P transmitting RAls + , -

, ^)21/96 8 HL&P/NRC mtg. at STP site to observe GQA. aspects, Mtg._ summary- -

issued 11/7/96 ,

s

'10/15/96 HL&P/NRC management meeting on PRA efforts, Mtg. sumary issued y

'10/28/96 i ,

.~

-10/30/96 HL&P ltr. responding to PRA RAI _ questions 1/21/97' HL&P submittal of revised 0QAP

~3/31/97 - HL&P/NRC meeting on GQA topics, Mtg. sumary issued 4/9/97

'4/14/97 NRC ltr transmitting 2nd set of RAls 4/21/97- HL&P/NRC mtg. on the RAI and GQA content, Mtg. sumary issued 5/8/97

-5/6-8/97 HL&P/NRC~ mtg. at STP site on GQA and PRA aspects, Mtg. sumary issued 7/10/97' 5/8/97 HL&P ltr. on preliminary 2'd RAI response 5/21/97 HL&P ltr. submitted draft OQAP revision responding to 2nd RAI 5/22/97 HL&P ltr. submitted finalized 00AP revision 5/22/97 HL&P ltr., coments on 4/14/97 RAI 5/22/97 HL&P ltr. submitted updated GQA procedures 5/29/97 HL&P/NRC telecon on draft 0QAP content 6/10/97 HL&P ltr. submitted 00AP change QA-032, Revision 13

. 6/13/97 NRC ltr. transmitting 3rd RAI 6/26/97 . HL&P ltr. submitted response to 3rd RAI 7/16/97 HL&P ltr. submitted 0QAP change QA-033, Revision 13 7/31/97 HL&P ltr. transmitting additional information regarding GQA 4

procedure use and change control 8/4/97. HL&P ltr. submitted response to final RAI

/ ,

c Y

40 4

8

.., g r; I w ~I :

r-

,; S-

, y , , , ,

n=pf,*o) / j ,

. l.

, ;g) => 3 >

x-3 g

'j- 4

. z a- # e "- .x o

,d .$ * >bY .

% _ . gg i.

w

, , . C =-p-j ' { i K" '

7.0 ' LIST OF ACRONYMS _

js?

s^ %) '

-1

-. A0P?.1.._.-Abnormal! Operating Procedure' ,

j

!p_ ,

ANSI. . . American National Standards Institute

. ASME l . . American Society' of Mechanical ' Engineers

-CCF .1. . Common Cause Failure CDFc. . . Core Damage Frequency CFR' .: . . Code of Federal Regulations i C0C . . . Certificate of Conformance DBA .=. . Design Basis Accident DRG . .. .~ Draft Regulatory Guide ECCS . . Emergency Core Cooling System E0P , . . Emergency Operating Procedure EP . .... Expert Panel l FV- . . . Fussell-Vesely

- GQA . , ,.= Graded Quality Assurance HL&P . . Hotston Lighting & Power Company HSS . ... High Safety Significant U zINP0 . . Institute of Nuclear Power Operations I

., LERF . . Large Early-Release Fiequency i

m,-

-LSS'. . . Low Safety Significant

?

MOV ."< . f. Motor Operated Valve ,

. .- \

i - > MSS-1:. . Medium Safety Significant (high) '

i

H y, . EMSS2[..MediumSafetySignificant(low) 1

' I s

- NUMA'RC[. Nuclear Management and Resources Council ,

7;3 ,

L& ' 's,'NRC S s. i Nuclear Regulatory Co.amission

! s

4. y

~:n -

a

~

+ y 41

<,, fi. <

- i f,N: n+ x c.,

9

j'}h .,

1' ;

+. ,

.i . 1

/ < ; < :+ 3 g. .0

~.d,'.

^

n 4 r ?

.c .

4' NRRN . . Nuclear Reactor _ Regulation , >* - -

/:/y - , , ..

fj~-

,;f;_ Q -_:rkRS=.

3-

.c.'Non-Risk-Significant~

s = '.4 .i "

Al .

h ! * -(NSED ^. . Nuclear Safety Evaluation Department + c _\

W

~

a -

s_$N j; ;g ~(tNQAT.

r. Nuclear Quality Assurance 7 1

, n Operational Experience Group _

.[ = I ~ $0EGf.

.c.

s -

~

, .a ;;. .

gm0QAP- . . 0perational' Quality Assurance Program, g -c ,

n .; 2 '.

PO . .. Purchase Order t + .

C -PRA . . .{Probabilistic Risk Assessment s

,3- 7:PSA:,

4 Probabilistic Safety Assessment

-QA .-. . Quality Assurance RAI . . . Request for Additional Information RAW ... . Risk Achievement Worth RG ..--.. Regulatory Guide RRAD . . Risk'and Reliability Analysis. Department SALP , _. Safety Assessment of Licensee Performance SER , . . Safety Evaluation Report SGTR . . Steam Generator Tube Rupture SQA- . . -. Software -Quality Assurance SRM . .-. Staff Requirements Memorandum

'SSC . . . Si.'uctures, Systems and Components SRP , . . Standard Review Plan-STP , .-. South Texas Project-UFSAR . f. Updated Final Safety Analysis Report V&V . . . Verification and Validation WG. ... .- Working Group q ,

, f- 42 l- ', r? % -

+

g- .. 2 N,2S.~t.

_

). j

'~

.) ,

~

( c >

.P j.t} ,

' _r s

,

ML20199B275

Contents

Text

1.0 INTRODUCTION

2.0 PROPOSED CHANGE

4.0 CONCLUSION

5.0 REFERENCES

Navigation menu

ML20199B275

Text

1.0 INTRODUCTION

2.0 PROPOSED CHANGE

4.0 CONCLUSION

5.0 REFERENCES

Navigation menu

Search