L-2018-006, Third Response to Request for Additional Information Regarding License Amendment Request to Adopt Risk Informed Completion Times TSTF-505, Revision 1, Provide Risk-Risk Informed Extended Completion Times - RITSTF Initiative 4b

From kanterella
Jump to navigation Jump to search

Third Response to Request for Additional Information Regarding License Amendment Request to Adopt Risk Informed Completion Times TSTF-505, Revision 1, Provide Risk-Risk Informed Extended Completion Times - RITSTF Initiative 4b
ML18032A614
Person / Time
Site: Saint Lucie  NextEra Energy icon.png
Issue date: 02/01/2018
From: Deboer D
Florida Power & Light Co
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
L-2018-006
Download: ML18032A614 (38)
v  d  e


Text

FEB 0 1 2018 L-2018-006 10 CFR 50.90 U. S. Nuclear Regulatory Commission Attn: Document Control Desk Washington, D.C. 20555-0001 Re: St. Lucie Nuclear Plant, Units 1 and 2 Docket Nos. 50-335 and 50-389 Third Response to Request for Additional Information Regarding License Amendment Request to Adopt Risk Informed Completion Times TSTF-505, Revision 1, "Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b"

References:

1. Florida Power & Light Company letter L-2014-242, "Application to Adopt TSTF-505, Revision 1, Provide Risk-Informed Extended Completion Times- RITSTF Initiative 4B,"

December 5, 2014 (ML14353A016)

2. NRC E-mail "Request for Additional Information- St. Lucie TSTF-505 EICB - MF5372 &

MF 5373," March 28,2016 (ML16089A006)

3. NRC E-mail "Request for Additional Information- St. Lucie TSTF-505 APLA - MF5372 &

MF5373," April13, 2016 (ML16105A456)

4. NRC E-mail "Request for Additional Information- St. Lucie TSTF 505 APLA - MF5372 &

MF5373," May 27,2016 (ML16152A187)

5. Florida Power & Light Company letter L-2016-114, "Response to Request for Additional Information Regarding License Amendment Request to Adopt TSTF-505, 'Provide Risk-Informed Extended Completion Times- RITSTF Initiative 4B'," July 8, 2016 (ML16193A659)
6. Florida Power & Light Company letter L-2016-135, "Second Response to Request for Additional Information Regarding License Amendment Request to Adopt TSTF-505,

'Provide Risk-Informed Extended Completion Times- RITSTF Initiative 4B'," July 22, 2016 (ML16208A061)

7. Florida Power & Light Company letter L-2017 -007 "Supplement to License Amendment Request to Adopt Risk Informed Completion Times TSTF-505, Revision 1, "Provide Risk-Informed Extended Completion Times- RITSTF Initiative 4b," February 25, 2017 (ML17058A181)
8. NRC E-mail "Request for Additional Information- St. Lucie RICT LAR- MF5372/5363,"

October 4, 2017 (ML17277A369)

Florida Power & Light Company 6501 S. Ocean Drive, Jensen Beach , FL 34957

Florida Power & Light Company L-2018-006 Page 2 In Reference 1, as supplemented by References 5, 6 and 7, Florida Power & Light Company (FPL) submitted a license amendment request (LAR) for St. Lucie Units 1 and 2. The proposed amendment would revise the Technical Specifications (TS) to implement TSTF-505, Revision 1, "Provide Risk-Informed Extended Completion Times RITSTF [Risk Informed TSTFJ Initiative 4b."

In Reference 8, the NRC staff requested additional information to support its review of the LAR.

The Enclosure to this letter provides FPL's response to the request for additional information (RAI) in the areas of risk assessment (APLA) and technical specifications (STSB).

Attachments 1 and 2 to the Enclosure provide markups of the operating licenses for St. Lucie Units 1 and 2, respectively, which add a license condition regarding the Risk Informed Completion Time Program. Attachments 3 and 4 to the Enclosure contain markups of the TS for Units 1 and 2, respectively, which revise the proposed Risk Informed Completion Time Program in the administrative section of the TS. The TS markups supersede the corresponding markups provided in Reference 7.

This RAI response does not alter the conclusions in Reference 1 that the changes do not involve a significant hazards consideration pursuant to 10 CPR 50.92, and there are no significant environmental impacts associated with the changes.

No new or revised commitments are included in this letter Should you have any questions regarding this submittal, please contact Mr. Mike Snyder, Licensing Manager, at (772) 467-7036.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on February f ~ '2018 Sincerely, Dan DeBoer Site Director Florida Power & Light Company Enclosure cc: NRC Regional Administrator, Region II NRC Senior Resident Inspector NRC Project Manager Ms. Cindy Becker, Florida Department of Health

Enclosure L-2018-006 Page 1 of 28 Response to Request for Additional Information (RAI)

A. Probabilistic Risk Assessment (APLA) RAI

1. RAI-MF5372/73-APLA-01.c.R1 (Internal event probabilistic risk assessment (PRA))

The July 8, 2016, response to RAI-MF5372/73-APLA-01.c (Agencywide Documents Access and Management System (ADAMS) Accession No. ML16193A659) states that the initiating event frequency associated with loss of a single 120 V instrument bus is 9E-04/year and states that the common cause failure of 120 V instrument buses would only have a very small impact on RICT estimates. It is not clear why the common cause failure (CCF) of 120 V instrument buses would only have a very small impact on RICT estimates, given that failure of redundant 120 V instrument buses could lead to an unanticipated system response. The NRC staff notes that although the CCF frequency of 120 V instrument buses would be less than the failure frequency of a single bus, the criteria for screening initiating events based on Supporting Requirement IE-C6 of the Probabilistic Risk Assessment (PRA) Standard would likely not be met (i.e., an initiating event can be screened if the frequency of the event is less than 1E-06/year and the core damage would not occur unless at least two trains of mitigating systems are failed independent of the initiator).

a) Summarize the anticipated plant responses to the common mode failure of redundant 120 V instrument buses.

b) Based on the plant response, justify the exclusion of the CCF of redundant 120 V instrument buses as an initiating event contributor.

c) Provide an explanation on how excluding CCF events for these buses affects the CCF calculations described in RAIs RAI-MF5372/73 12 and 13 below.

Florida Power & Light Company (FPL) Response

a. In Unit 1, four redundant 120VAC single-phase instrument power buses (1MA, 1MB, IMC, and IMD) provide power to essential instrumentation and control loads. Each bus is supplied separately from an inverter (1A, 1B, 1C, and 1D) powered from one of the two vital 125VDC buses (1A and 1B). Manually aligned alternate feeds are provided to the 120V AC instrument buses from vital MCC's through step-down transformers in case of an inverter failure. To permit maintenance of any inverter without de-energizing the corresponding instrument bus, two redundant maintenance bypass buses (1A and 1B) powered by isolimiters (1A and 1B) through make before break transfer switches are provided. Breaker interlocks are provided to prevent simultaneous connection of more than one instrument bus to a maintenance bypass bus.

In Unit 2, four pairs of 120VAC single-phase instrument buses (2MA, 2MA-1, 2MB, 2MB-1, 2MC, 2MC-1, 2MD, and 2MD-1) provide uninterruptible power to Engineered Safety Features Actuation System (ESFAS) and Reactor Protective System (RPS) instrumentation. Each pair of instrument buses is supplied from an inverter (2A, 2B, 2C, and 2D) connected to one of the vital 125VDC buses. To permit maintenance without disabling the corresponding instrument bus, maintenance bypass transformers and voltage regulators are provided for each inverter system.

Common mode failure of redundant 120V instrument buses would cause the affected unit to trip. Emergency Core Cooling System (ECCS) would be actuated (i.e., actuates upon de-

Enclosure L-2018-006 Page 2 of 28 energized 120V AC buses leading to activation of 2 out of 4 channels actuation logic system) and ESFAS would be actuated. 125V DC power would still be available, which allows ECCS and auxiliary feedwater (AFW) flow to be operational. All other components fail to their safety-related position. Indication instruments relying on 120V AC power will also lose their function.

b. St. Lucie Models considered CCF of inverters feeding the buses rather than the buses consistent with the availability of CCF Alpha Factors for the inverters. Therefore, the CCF of buses is included as an initiating events contributor.
c. CCF of inverters feeding the buses bounds the CCF of the buses.
2. RAI-MF5372/73-APLA-02.b.R1 (Fire PRA)

The response to RAI-MF5372/73-APLA-02 part b explains that the PRA model and update process required by the PRA procedure ensures the model is consistent with the as-built, as-operated plant by using various triggering factors. The response does not describe the factors that will be considered and monitored to trigger an update, such as plant modifications, procedure changes, changes in industry information and other changes. Accordingly, it is not clear to the NRC staff how the procedure ensures that the models used in the RICT program will reflect the as-built, as-operated plant. Describe the factors considered and monitored that would trigger an update such as plant modifications, procedure changes, changes in industry information and other changes to ensure the models used in the RICT program reflect the as-built, as-operated plant.

FPL Response As required in RG 1.200, revision 2, FPLs PRA configuration and update program monitors the following for impact to the PRA:

  • Operational Experience,
  • Plant Design Changes,
  • New Maintenance Policies,
  • Operator Training Program Changes,
  • Technical Specification Changes,
  • Revised Engineering Calculations,
  • Emergency and Abnormal Operating Procedures ,
  • Operating Procedures,
  • Fire Response Procedures,
  • Plant and System Operating History,
  • Accident Management Programs,

Enclosure L-2018-006 Page 3 of 28 Any item that impacts the PRA and indicates the PRA does not match the as-built, as-operated plant, is entered in the model change database (MCDB). Each entry is reviewed by the model owner and an estimate is made of the risk impact, including cumulative risk impact of open MCDB items.

If the impact is minor, the change is made at the next scheduled model update. If the impact is major, a model change is conducted promptly.

3. RAI-MF5372/73-APLA-09.R1 (NFPA 805 Modification Implementation)

The response to RAI-MF5372/73-APLA-09 states that at the time of implementation of [a] RICT, any modifications that are not installed will not be credited in the estimation of [core damage frequency] or [large, early release frequency]. Using this approach, it is possible, depending on the modifications that remain to be installed at the time of a RICT implementation, that the as-built, as-operated plant may not meet Regulatory Guide (RG) 1.174 risk acceptance guidelines. Explain when the modification that will place the risk below the RG 1.174 acceptance guidelines is expected to be completed and what the risk is expected to be. Also, provide a license condition that will verify that the as-built, as-operated plant meets RG 1.174 risk acceptance guidelines at the time a RICT is implemented.

FPL Response All modifications credited in the transition to NFPA 805 will be implemented prior to implementation of the Risk-Informed Completion Time (RICT) Program. Prior to implementation of the RICT Program, FPL will confirm that the all hazards CDF and LERF estimates will be less than 1E-04 per year and 1E-05 per year, respectively. (See response to RAI-MF5372/73-APLA-16, Implementation Items.) Current estimated risk is provided in response to RAI-MF5372/73-APLA-09.1b, NFPA 805 Modification Implementation.

4. RAI-MF5372/73-APLA-09.R1b (NFPA 805 Modification Implementation)

The response to RAI-MF5372/73-APLA-09 states that at the time of implementation of [a] RICT, any modifications that are not installed will not be credited in the estimation of CDF or LERF.

Using this approach it is possible, depending on the modifications that remain to be installed at the time of a RICT implementation, that the as-built, as-operated plant may not meet RG 1.174 risk acceptance guidelines.

As discussed in the March 31, 2016, safety evaluation for the amendment to transition the fire protection program to Section 50.48(c) of Title 10 of the Code of Federal Regulations (10 CFR)

(ADAMS Accession No. ML15344A346), FPL used the guidance in frequently asked question (FAQ) 08-0046, "Closure of National Fire Protection Association 805 Frequently Asked Question 08-0046 Incipient Fire Detection Systems," to incorporate its very early warning fire detection system (VEWFDS) into the fire PRA. In December of 2016, the NRC staff published NUREG-2180, "Determining the Effectiveness, Limitations, and Operator Response for Very Early Warning Fire Detection Systems in Nuclear Facilities, (Delores-VEWFIRE)," which included new guidance on modeling VEWFDS. The methodology in NUREG-2180 is currently the best available guidance and replaces the guidance in FAQ 08-0046, which has been retired.

Enclosure L-2018-006 Page 4 of 28 By letter dated November 17, 2016 (ADAMS Accession No. ML16253A111), the NRC staff informed the industry that, [i]f a licensee is performing a periodic or interim PRA update, performing a fire risk evaluation in support of self-approval, or submitting a future risk informed license amendment request, the staffs expectation is that they will assess the impact of new operating experience and information [e.g., NUREG-2180] on their PRA analyses and incorporate the change as appropriate per Regulatory Guide 1.200, Revision 2.

a) If FPL will use the methodology in NUREG-2180, please provide:

1. An estimate of the current CDF and LERF for all quantified hazards using the NUREG-2180 methodology in the fire PRA.
2. If the current CDF and LERF estimates do not satisfy the limitations and conditions in Section 4, item 6 of the NEI 06-09 safety evaluation, provide an explanation of how these guidelines will be met before implementation of the RICT program.
3. If the methodology (e.g., approach, methods, data, and assumptions) has not been incorporated into the fire PRA (i.e., PRA model changes and documentation completed and the upgrade peer reviewed), provide an explanation of when it will be incorporated into the PRA model of record that will be used to estimate RICTs (the response may reference the response to RAI-MF5372/73-APLA-16 (below) which requests a list of implementation items).

b) If FPL proposes not to use the methodology in NUREG-2180, please provide:

1. Confirmation that the methodology in the retired FAQ 08-0046 is not the proposed methodology.
2. A description of the proposed methodology (e.g., approach, methods, data, and assumptions) that will be used in the fire PRA. The description should include a detailed comparison of that proposed methodology with the methodology in NUREG-2180.
3. Justification of the proposed methodology including comparison with available experimental results. Development and use of a proposed alternative may result in additional RAIs and significantly extend the time and resources required to complete the review.
4. An estimate of the current CDF and LERF for each quantified hazard with fire PRA results:

(1) without credit for VEWFDS; (2) that would be obtained had the guidance in NUREG-2180 been applied, and (3) obtained using the proposed methodology.

5. If the current CDF and LERF estimates do not satisfy the limitations and conditions in Section 4, item 6 of the NEI 06-09 safety evaluation, provide an explanation of how these guidelines will be met before implementation of the RICT program.
6. An evaluation on how using the proposed methodology instead of the NUREG-2180 methodology could impact the RICT estimates.
7. If the methodology (e.g., approach, methods, data, and assumptions) has not been incorporated into the fire PRA (i.e., PRA model changes and documentation completed and the upgrade peer reviewed), provide an explanation of when it will be incorporated into the

Enclosure L-2018-006 Page 5 of 28 PRA model of record that will be used to calculate the RICTs (response may reference the response to RAI-MF5372/73-APLA-16 which requests a list of implementation items).

FPL Response a) The methodology in NUREG-2180 will be incorporated into the St. Lucie Fire PRA model. This update will include the incorporation of the new event tree factors for the very early warning fire detection system (VEWFDS) as well as further refinements to the Fire PRA scenarios based on the conservatisms described below. These updates will be done using existing NRC approved Fire PRA methodologies.

1. The sensitivity evaluation for estimate of CDF and LERF for all quantified hazards with the NUREG-2180 methodology is as follows:

U1 CDF U1 LERF U2 CDF U2 LERF IE 2.64E-06 2.46E-07 1.98E-06 9.58E-08 Flood 1.09E-07 2.21E-08 5.64E-09 4.27E-10 Seismic 3.49E-06 3.49E-07 3.49E-06 3.49E-07 Fire 4.20E-05 7.28E-06 3.45E-05 5.03E-06 Fire Risk Increase due 0 0 1.00E-06 2.20E-07 to NUREG-2180 Total Risk 4.82E-05 7.90E-06 4.10E-05 5.70E-06 Note: Seismic risk was evaluated based on plant-level High Confidence of Low Probability of Failure (HCLPF) using plant-specific data developed by EPRI. The bounding plant-level Seismic CDF is calculated as shown and LERF value is conservatively estimated as 10% of CDF value See RAI-MF5372/73-APLA-17, External Events, response.

2. The current CDF and LERF estimates satisfy the limitations and conditions in Section 4, item 6 of the NEI 06-09 safety evaluation.
3. The methodology in NUREG-2180 will be incorporated into the fire PRA model of record used to estimate RICTs as part of the next fire PRA model consistent with the maintenance and upgrade process.

b) N/A

5. RAI-MF5372/73-APLA-11.R1 Instrumentation Models In response to RAI-MF5372/73-APLA-11, regarding the level of detail in the modeling of TS 3.3.2.1 (Unit 1) and TS 3.3.2 (Unit 2) for Engineered Safety Features Actuation System Instrumentation, the licensee stated that the PRA model includes the individual instrumentation channels; therefore, inoperability of individual instrument channels can be assessed directly by the PRA for the RICT Program.

Enclosure L-2018-006 Page 6 of 28 a) Please explain how instrumentation is modelled in the PRA. If there are different types of models (e.g., multiple channel basic events versus a single combined basic event) that are used for different instrumentation, please explain all the different models.

b) Clarify how each of the models will be changed to model the impact of an unavailable channel and why this modelling given one unavailable channel is correct or will conservatively bound the RICT calculation.

c) If any instrument channels included by the Risk Managed Technical Specifications (RMTS) program are not modeled at all in the PRA, explain how that instrument channel failure will be included in the RICT estimate.

FPL Response TS LCO/ a) Please explain how b) Clarify how each of the c) If any instrument Condition instrumentation is models will be changed channels included modelled in the PRA. If to model the impact of by the Risk there are different types an unavailable channel Managed of models (e.g., multiple and why this modelling, Technical channel basic events given one unavailable Specifications versus a single combined channel, is correct or (RMTS) program basic event) that are used will conservatively are not modeled at for different bound the RICT all in the PRA, instrumentation, please calculation. explain how that explain all the different instrument models channel failure will be included in the RICT estimate.

3.3.2 ESFAS This equipment is not If one channel is inoperable, In the case of one Instrumentation modeled in the PRA. the remaining operable failed manual SI Functions 1a, channel can still be actuated channel the event Action 12 One of by the operator to achieve a Operator Fails To two manual SI manual SI. A bounding Actuate SI Manually, channels RICT is calculated by not would be set to True.

inoperable crediting the required This is conservative for operator action to initiate a one channel inoperable SI using the manual SI as it mathematically will channel, which is a more be failure of manual SI limiting situation than one (i.e., failure of both channel out of two being channels).

inoperable because if the operator action is not credited for the RICT, then the remaining operable channel is also not being credited.

3.3.2 ESFAS SSCs are modeled consistent PRA model includes the N/A Instrumentation with the TS scope. individual instrumentation Functions 1d, channels; therefore, Action 12 One of inoperability of individual

Enclosure L-2018-006 Page 7 of 28 two automatic SI instrument channels can be channels assessed directly by the PRA inoperable for the RICT Program (Unit 2 Only) 3.3.2 ESFAS This equipment is not If one channel is inoperable, In the case of one Instrumentation modeled in the PRA the remaining operable failed manual CSAS Functions 2a, channel can still be actuated channel the event Action 12 One of by the operator to achieve a Operator Fails To two manual CSAS. A bounding RICT is Initiate CS Manually, CSAS channels calculated by not crediting would be set to True.

inoperable the required operator action This is conservative for to initiate a CSAS using the one channel inoperable manual CSAS channel, as it mathematically will which is a more limiting be failure of manual CS situation than one channel (i.e., failure of both out of two being inoperable channels).

because if the operator action is not credited for the RICT, then the remaining operable channel is also not being credited.

3.3.2 ESFAS This equipment is not If one channel is inoperable, In the case of one Instrumentation modeled in the PRA. the remaining operable failed manual SI Functions 1a, channel can still be actuated channel the event Action 12 One of by the operator to achieve a Operator Fails To two manual SI manual SI. A bounding Actuate SI Manually, channels RICT is calculated by not would be set to True.

inoperable crediting the required This is conservative for operator action to initiate a one channel inoperable SI using the manual SI as it mathematically will channel, which is a more be failure of manual SI limiting situation than one (i.e., failure of both channel out of two being channels).

inoperable because if the operator action is not credited for the RICT, then the remaining operable channel is also not being credited.

3.3.2 ESFAS SSCs are modeled consistent PRA model includes the N/A Instrumentation with the TS scope. individual instrumentation Functions 2c, channels; therefore, Action 12 One of inoperability of individual two automatic instrument channels can be CSAS channels assessed directly by the PRA inoperable for the RICT Program 3.3.2 ESFAS SSCs are modeled consistent PRA model includes the N/A Instrumentation with the TS scope. individual instrumentation Function 2b, channels; therefore, Action 18c Two inoperability of individual

Enclosure L-2018-006 Page 8 of 28 of four instrument channels can be Containment assessed directly by the PRA Pressure High- for the RICT Program High CSAS channels inoperable 3.3.2 ESFAS This equipment is not This equipment is not In the case of one Instrumentation modeled in the PRA modeled in the PRA. If one failed manual CIS Functions 3a, channel is inoperable, the channel the event Action 12 One of remaining operable channel Operator Fails To two manual CIS can still be actuated by the Close Containment channels operator to achieve a CIS. A Isolation Manually, inoperable bounding RICT is calculated would be set to True.

by not crediting the required This is conservative for operator action to initiate a one channel inoperable CIS using the manual CIS as it mathematically will channel, which is a more be failure of manual limiting situation than one CIS (i.e., failure of both channel out of two being channels).

inoperable because if the operator action is not credited for the RICT, then the remaining operable channel is also not being credited.

3.3.2 ESFAS SSCs are modeled consistent PRA model includes the N/A Instrumentation with the TS scope. individual instrumentation Functions 3e, channels. Therefore, Action 12 One of inoperability of individual two automatic instrument channels can be CIS channels assessed directly by the PRA inoperable for the RICT Program 3.3.2 ESFAS This equipment is not This equipment is not In the case of one Instrumentation modeled in the PRA. modeled in the PRA. If one failed MSIS channel the Functions 4a, channel is inoperable, the event Operator Fails to Action 12 One of remaining operable channel Initiate MSIS would be two manual can still be actuated by the set to True. This is MSIS channels operator to achieve a MSIS. conservative for one inoperable Unit 1 A bounding RICT is channel inoperable as it Only) calculated by not crediting mathematically will be the required operator action failure of manual MSIS to initiate a MSIS using the (i.e., failure of both manual MSIS channel, which channels).

is a more limiting situation than one channel out of two being inoperable because if the operator action is not credited for the RICT, then the remaining operable channel is also not being

Enclosure L-2018-006 Page 9 of 28 credited 3.3.2 ESFAS SSCs are modeled consistent PRA model includes the N/A Instrumentation with the TS scope. individual instrumentation Functions 4d, channels. Therefore, Action 8 One of inoperability of individual two MSIS instrument channels can be automatic assessed directly by the PRA actuation logic for the RICT Program channels inoperable Unit 2 Only) 3.3.2 ESFAS This equipment is not This equipment is not In the case of one Instrumentation modeled in the PRA modeled in the PRA. If one failed manual RAS Functions 5a, channel is inoperable, the channel the event Action 12 One of remaining operable channel Operator Fails To two manual RAS can still be actuated by the Initiate Sump Recirc channels operator to achieve a RAS. A After LOA & Auto inoperable bounding RICT is calculated Switchover Fails, would by not crediting the required be set to True. This is operator action to initiate a conservative for one RAS using the manual RAS channel inoperable as it channel, which is a more mathematically will be limiting situation than one failure of manual RAS channel out of two being (i.e., failure of both inoperable because if the channels).

operator action is not credited for the RICT, then the remaining operable channel is also not being credited.

3.3.2 ESFAS SSCs are modeled consistent PRA model includes the N/A Instrumentation with the TS scope. individual instrumentation Functions 5c, channels. Therefore, Action 12 One of inoperability of individual two automatic instrument channels can be RAS channels assessed directly by the PRA inoperable for the RICT Program 3.3.2 ESFAS SSCs are modeled consistent PRA model includes the N/A Instrumentation with the TS scope. individual instrumentation Function 5b, channels; therefore, Action 19a One inoperability of individual of four Refueling instrument channels can be Water Tank - assessed directly by the PRA Low channels for the RICT Program inoperable 3.3.2 ESFAS This equipment is not This equipment is not In the case of one Instrumentation modeled in the PRA modeled in the PRA. If one failed manual AFAS Functions 7a, channel is inoperable, the channel the events for Action 15 One remaining operable channels failed operator actions ,

of four manual can still be actuated by the would be set to True.

Enclosure L-2018-006 Page 10 of 28 AFAS channels operator to achieve an This is conservative for inoperable AFAS. A bounding RICT is one channel inoperable calculated by not crediting as it mathematically will the required operator action be failure of manual to initiate an AFAS using the AFAS (i.e., failure of all manual AFAS channels, channels).

which is a more limiting situation than one channel out of four being inoperable because if the operator action is not credited for the RICT, then the remaining operable channel is also not being credited.

3.3.2 ESFAS This equipment is modeled in This equipment is not In the case of one Instrumentation the PRA as independent SSCs. modeled in the PRA. If one failed automatic AFAS Functions 7b, The automatic AFAS channels channel is inoperable, the channel the event Logic Action 15 One are not modeled holistically. A remaining operable channels Circuit AF1D [or of four AFAS surrogate event will be utilized can still be actuated to AF2D] Fails to Automatic for this TS as a bounding achieve an AFAS. A Generate Signal, would Actuation Logic RICT. bounding RICT is calculated be set to True. This is channels by not crediting the one conservative for one inoperable AFAS signal, which is a channel inoperable as it more limiting situation than mathematically will be one channel out of four failure of one AFAS being inoperable. signal 3.3.2 ESFAS This equipment is not This equipment is not In the case of one Instrumentation explicitly modeled in the PRA. explicitly modeled in the failed SG Level-Low Function 7c, A surrogate event will be PRA. If one channel is Channels, the event Action 20 One utilized for this TS as a inoperable, the remaining Miscalibration of SG of four SG Level bounding RICT. operable channels can still Level Xmtrs would be

- Low channels actuate to provide a 2/4 low set to True. This is on one SG Steam Generator Signal. A conservative for one inoperable bounding RICT is calculated channel inoperable as it by causing the event for fails all SG Level-Low miscalibration of all eight Channels.

Low Steam Generator Level channels, which is a more limiting situation than one channel being inoperable because the RICT assumes failure of this function.

6. RAI-MF5372/73-APLA-12 Clarification of Less than Design Basis Capability Reductions in the functional capability below the design basis success criteria and vulnerable plant configurations with currently short completion times, will reduce the defense in depth and safety margins available below previously accepted levels while the plant operates in that condition during an extended completion time. The NRC staffs safety evaluation for Nuclear Energy Institute (NEI) 06-09, Risk-Informed Technical Specifications Initiative 4b - Risk- Managed Technical

Enclosure L-2018-006 Page 11 of 28 Specifications (RMTS) Guidelines, as well as the constraints regarding PRA Functionality, limit the use of PRA Functional by specifying that the remaining function capability continues to meet the design basis success criteria parameters (e.g. maintaining the functional capability to perform at the level of one operable train) unless appropriate disposition and restrictions are provided. For example, in the submittal the licensee proposes an LCO condition associated with the Code Safety Valves that appears to have a RICT calculation, even though the deign bases success criteria parameter values do not seem to be capable of being met which may be a TS Loss of Function.

Table E1-1, In Scope TS/LCO Conditions to Corresponding PRA Functions, of the December 5, 2014, LAR indicates that the design basis success criteria is 3 of 3 valves while the PRA success criteria is 2 of 3 valves. Also, there may be other TS loss of function conditions which, if entering a RICT, also are not capable of meeting the design basis success criteria.

For each loss of function LCO condition that includes a RICT, but where the design basis success criteria parameters may not be modelled or may not be met for the PRA success criteria:

a) Identify the design basis parameters that may not be available (e.g., the relief capability credited in the design basis that requires 3 of 3 versus 2 of 3 valves).

b) Identify the design basis accident scenarios that rely on those parameters (e.g., what design basis accidents require greater than 2 valve pressure relief capabilities).

c) For each of these accident scenarios, explain the impact of only having the PRA parameter capabilities on the affected design basis success accidents. Include a justification of the effect this change in available capabilities will have on defense-in-depth and safety margins.

d) If new PRA functional parameters are proposed, identify how these parameters will be included in the technical specifications.

e) If new PRA functional parameters are not proposed, remove the conditions from the program.

FPL Response FPL is not proposing to apply the RICT Program to conditions that involve a loss of function. As discussed in the February 25, 2017 supplement to this license amendment request, FPL modified the RICT Program added to the administrative section of the TS to exclude use of a RICT for any configuration that represents loss of a specified safety function or inoperability of all required trains of a system required to be operable. The RAI responses in section B of this enclosure, Technical Specifications (STSB) RAI, discuss loss of function and withdraw proposed changes that included use of a RICT for conditions involving a loss of function.

7. RAI-MF5372/73-APLA-13 Common Cause Failure Terms for Planned Maintenance While the guidance in NEI 06-09 states that no CCF adjustment is required for planned maintenance, the NRC approval of NEI 06-09 is based on RG 1.177, as indicated in the NRC safety evaluation to NEI 06-09 (ADAMS Accession No. ML071200238). Specifically, Section 2.2 of the NRC staffs safety evaluation for NEI 06-09 states that, specific methods and guidelines acceptable to the NRC

Enclosure L-2018-006 Page 12 of 28 staff are [] outlined in RG 1.177 for assessing risk-informed TS changes. Further, Section 3.2 of the NRC staffs safety evaluation states that compliance with the guidance of RG 1.174 and RG 1.177, is achieved by evaluation using a comprehensive risk analysis, which assesses the configuration-specific risk by including contributions from human errors and common cause failures.

The guidance in RG 1.177, Section 2.3.3.1, states that, CCF modeling of components is not only dependent on the number of remaining inservice components, but is also dependent on the reason components were removed from service (i.e. whether for preventative or corrective maintenance).

In relation to CCF for preventive maintenance, the guidance in RG 1.177, Appendix A, Section A-1.3.1.1, states:

If the component is down because it is being brought down for maintenance, the CCF contributions involving the component should be modified to remove the component and to only include failures of the remaining components (also see Regulatory Position 2.3.1 of Regulatory Guide 1.177).

According to RG 1.177, if a component from a CCF group of three or more components is declared inoperable, the CCF of the remaining components should be modified to reflect the reduced number of available components in order to properly model the as-operated plant.

a) Please explain how CCF are included in the PRA model (e.g., with all combinations in the logic models as different basic events or with identification of multiple basic events in the cut sets) b) Please explain how the quantification and/or models will be changed when, for example, one train of a 3X100 percent train system is removed for preventative maintenance and describe how the treatment of CCF either meets the guidance in RG 1.177 or meets the intent of this guidance when quantifying a RICT.

FPL Response

a. For each grouping of SSCs analyzed in PRA, there is an ALPHA factor basic event assigned to it based on the failure mode being modeled. A group of 3 SSCs would have 2 ALPHA factor basic events; one would represent CCF of any two out of three SSCs and the other would represent CCF of all 3 SSCs, for a particular failure mode. Two module AND-gates are then added to the logic representing the failure of each SSCs such that:

CCF2_of_3 AND Alpha_Factor_2_of_3 Indep_BE CCF3_of_3 AND Alpha_Factor_3_of_3 Indep_BE Where:

CCF2_of_3: Module AND-gate added to failure logic of each component in the group.

CCF3_of_3: Module AND-gate added to failure logic of each component in the group.

Enclosure L-2018-006 Page 13 of 28 Alpha_Factor_2_of_3: Alpha Factor of CCF failure representing any two SSCs in the group.

Alpha_Factor_3_of_3: Alpha Factor of CCF failure representing all three SSCs.

Indep_BE: the independent basic event representing failure rate of any one SSC in the group for a particular failure mode.

One advantage of using a module gate in CAFTA is that when the model is solved, modules can be pruned which effectively turns the logic under the module gate to be replaced by a representative basic event in the cutsets with probability equivalent to the solution of the that logic. Using this technique for CCF, the module gates listed above will be shown in cutsets as representative basic events with probability equivalent to the multiplication of Alpha Factor times the associated independent basic event in cutsets associated with failure for each SSC in the group. In the example listed above, corresponding basic events CCF2_of_3 and/or CCF3_of_3 will be shown in associated cutsets where a particular SSC failure mode is listed.

b. For planned maintenance (PM), in order to obtain expedited calculation in a straightforward manner, the St. Lucie CRMP does not adjust the failure probabilities of CCF basic events (that appear in the final cutsets) to include only the remaining components in the group, as required by RG-1.177. Depending on the component in question and CCF group size, this treatment may underestimate the delta CDF by a value around 1E-09 per year, which in terns may elongate the RICT time scale by a peripheral value. Delta LERF is estimated to be lower than that of the delta CDF, and thus the impact on RICT calculation is even lower. If CCF basic events for three SSCs (A, B, and C) group to be modified where SSC A is out of service for PM, CCF basic events associated with (A and B group, A and C group, and A, B, C group) would be equated to zero (or set to false), and CCF basic events associated with B and C group would be modified with a slightly higher value involving higher Alpha-Factor for 2 out of 2 (remaining) components. FPL conclusion is the approximation treatment involving no modification of CCF basic events still meets the intent of RG-1.177 and RICT evaluation with imperceptible impact.

This methodology is consistent with that of Vogtle (MLML14315A051) accepted by the NRC (ML15127A669).

For corrective maintenance (CM), and consistent with RG-1.177, CCF contribution involving the component would be modified to equate CCF basic events with the respective Alpha-factors, i.e., setting the independent failure probability equal to 1 to effectively equate CCF basic event probability to the respective Alpha-factor value. For the example of three SSCs (A, B, and C) group to be modified where SSC A is out of service for CM, CCF basic event probabilities associated with 2 out of 3 groups would be equated with Alpha-factor of 2 out of 3 groups, and CCF basic event probability associated with 3 out of 3 group would be equated with Alpha-factor of 3 out of 3 group. Treatment of potential CCF during RICT is explained in response to APLA-14 RAI.

Enclosure L-2018-006 Page 14 of 28

8. RAI-MF5372/73-APLA-14 Evaluation of Common Cause for Emergent Failures According to Section A-1.3.2.1 of Appendix A of RG 1.177, when a component fails, the CCF probability for the remaining redundant components should be increased to represent the conditional failure probability due to CCF of these components, in order to account for the possibility that the first failure was caused by a CCF mechanism. When a component fails, the calculation of the plant risk, assuming that there is no increase in CCF potential in the redundant components before any extent of condition evaluation is completed, could lead to a non-conservative extended completion time calculation, as illustrated by inclusion of the guidance in Appendix A of RG 1.177. Much of the discussion in Appendix A describes how configuration specific risk calculations should be performed.

In Section 3.2 of the NRC staffs safety evaluation for NEI 06-09, the staff states that compliance with the guidance of RG 1.174 and RG 1.177, is achieved by evaluation using a comprehensive risk analysis, which assesses the configuration-specific risk by including contributions from human errors and common cause failures.

The requirement to consider additional risk mitigation actions (RMAs) prior to the completion of the extent of cause evaluation was included by the NRC staff in the safety evaluation for NEI 06-09 as an additional measure to account for the increased potential that the first failure was caused by a CCF mechanism. However, no exception to the RG 1.177 guidance was taken in the calculation of the RICT with regards to the quantification of the unresolved potential for CCF before the extent of cause evaluation is complete. The NRC staff interprets that the combined guidance in RG 1.177 and NEI 06-09 0-A could be met with the following process.

When, prior to exceeding the front stop, there is a high degree of confidence based on the evidence collected that there is no common cause failure mechanism that could affect the redundant components, the RICT calculation may use nominal Common Cause factor probability.

If a high degree of confidence cannot be established that there is no common cause failure that could affect the redundant components, the RICT shall account for the increased possibility of common cause failure. Accounting for the increased possibility of common cause failure shall be accomplished by one of the two methods below. If one of the two methods below is not used, the TS front stop shall not be exceeded.

1. The RICT calculation shall be adjusted to numerically account for the increased possibility of common cause failure, in accordance with RG 1.177, as specified in Section A-1.3.2.1 of Appendix A of the RG. Specifically, when a component fails, the common cause failure probability for the remaining redundant components shall be increased to represent the conditional failure probability due to common cause failure of these components, in order to account for the possibility the first failure was caused by a common cause mechanism.
2. Prior to exceeding the front stop, the licensee shall implement RMAs in addition to those already credited in the RICT calculation, that target the success of the redundant and/or diverse structures, systems or components (SSC) of the failed SSC, and, if possible, reduce the frequency of initiating events which call upon the

Enclosure L-2018-006 Page 15 of 28 function(s) performed by the failed SSC. Documentation of RMAs shall be available for NRC review.

a) Please confirm and describe how that treatment of CCF, in the case of an emergent failure, either meets the guidance in RG 1.177 or meets the intent of this guidance together with the NEI 06-09 0-A guidance when quantifying a RICT.

b) Please propose where the guidance on how CCFs will be treated will be placed to ensure that the guidance is followed, e.g., as a license condition or in the Administrative TS that implements the RICT program.

FPL Response a) St. Lucie will follow the industry guidance on this issue, which states that if the extent of condition evaluation for inoperable Structure, System, or Components (SSCs) is not complete prior to exceeding the Completion Time, the RICT shall account for the increased possibility of CCF by either:

1. Numerically accounting for the increased possibility of CCF in the RICT calculation, or
2. Risk Management Actions (RMAs) not already credited in the RICT calculation shall be implemented that support redundant or diverse SSCs that perform the functions(s) of the operable SSCs, and, if practical, reduce the frequency of initiating events that challenge the functions(s) performed by the inoperable SSCs.

b) Guidance on how CCFs will be treated will be placed in the Administrative TS that implements the RICT program.

9. RAI-MF5372/73-APLA-15 License Condition In Section 4.0, "Limitations and Conditions" of the NRC staffs safety evaluation for NEI 06-09, the staff states:

As part of its review and approval of a licensee's application requesting to implement the RMTS, the NRC staff intends to impose a license condition that will explicitly address the scope of the PRA and non-PRA methods approved by the NRC staff for use in the plant specific RMTS program. If a licensee wishes to change its methods, and the change is outside the bounds of the license condition, the licensee will need NRC approval, via a license amendment, of the implementation of the new method in its RMTS program.

Please propose a license condition limiting the scope of the PRA and non-PRA methods to what is approved by the NRC staff for use in the plant-specific RMTS program. Wording consistent with the example below would be acceptable.

The risk assessment approach, methods, and data shall be acceptable to the NRC, be based on the as-built, as-operated, and maintained plant; and reflect the operating experience at the plant. Acceptable methods to assess the risk from extending the completion times must be

Enclosure L-2018-006 Page 16 of 28 PRA methods accepted as part of this license amendment, or other methods currently approved by the NRC for generic use. If a licensee wishes to change its methods and the change is outside the bounds of this license condition, the licensee will need prior NRC approval, via a license amendment.

FPL Response FPL proposes the following license condition, which is the same as that approved for Vogtle Units 1 and 2 in License Amendments 188 and 171, respectively, on August 8, 2017 (ML15127A669):

The risk assessment approach and methods, shall be acceptable to the NRC, be based on the as-built, as-operated, and maintained plant, and reflect the operating experience of the plant as specified in RG 1.200. Methods to assess the risk from extending the completion times must be PRA methods accepted as part of this license amendment, or other methods approved by the NRC for generic use. If the licensee wishes to change its methods, and the change is outside the bounds of this license condition, the licensee will seek prior NRC approval via a license amendment.

10. RAI-MF5372/73-APLA-16 Implementation Items Please provide a list of activities (i.e., implementation items) that are credited as part of the approval of the request to implement a RICT program that will not be completed before issuing the amendment but must be complete prior to implementation of the RICT program.

FPL Response FPL proposes the table of implementation items and the associated license condition as shown below.

Table of implementation items:

Item Implementation Date Prior to implementation

1. Confirm that the all hazards CDF and LERF estimates of the Risk Informed achieved using NRC accepted methods will be less than 1E-Completion Time 04 per year and 1E-05 per year, respectively.

Program License Condition:

FPL will complete the items listed in the table of implementation items in the enclosure to FPL letter L-2018-006 dated February 1, 2018 prior to implementation of the Risk Informed Completion Time Program.

Enclosure L-2018-006 Page 17 of 28

11. RAI-MF5372/73-APLA-17 External Events NEI 06-09, Section 3.3.5, External Events Consideration clarifies that external hazards impact on incremental configuration risk should be addressed for each RICT calculation. Enclosure 4 of the December 5, 2014, LAR, Information Supporting Justification of Excluding Sources of Risk not addressed by the PRA Models, addresses external events. The Enclosure summarizes the evaluation of the risk of external hazards that appears to be consistent with the ASME/ANS PRA Standard, i.e., screening associated with the baseline risk contribution. The results of the evaluation summarized in LAR Table E4-1, Evaluation of Risks from External Hazards, seem to indicate, however, that all external hazards will be excluded from every configuration risk evaluation, e.g. no unique PRA model for seismic events is required in order to assess configuration risk for the RICT Program. However, there may be situations where the hazard may be important in a configuration risk calculation even though the baseline risk can be screened out consistent with the ASME/ANS PRA Standard. For example, external floods seem to be excluded because the plant design conforms to the Standard Review Plan (SRP) criteria. Presumably, smaller flood levels may fail plant equipment not required to be protected by the SRP criteria which could affect configuration risk, and sometimes the flood barriers themselves may be degraded or undergoing maintenance which could affect configuration risk. Similarly, extreme wind seems to be fully excluded because of low frequency of occurrence and SRP conformance, but these factors may not have considered the plant configuration during a RICT.

Please clarify if all external hazard risks are excluded from the RICT program or if the program includes guidance to assure that the assumptions supporting the screening of the hazards remain applicable given the plant configuration during the RICT. If all hazards are fully excluded, please address the issue related to screening based on meeting the SRP criteria (e.g., design flood height and mitigating features) or based on low nominal risk values. If, instead, guidance is provided, please describe the guidance (e.g., in certain instances, hazards which were initially screened out from the RICT calculation may be considered quantitatively if the plant configuration could impact the RICT).

FPL Response External hazards will not all be excluded from RICT calculation. While some analyzed external hazards will be excluded based on the provided rationale, Internal Fire, Internal Flood, and Seismic risks will be included as part of every configuration risk evaluation, including RICT calculations.

In terms of seismic risk, Florida plants, including St. Lucie, are located in areas with the lowest seismic activities in the country. Per IPEEE, St. Lucie-specific seismic screening program was approved by the NRC based on walk down of SSCs rather than having a full Seismic Margin Assessment (SMA) calculation. Per response to post-Fukushima Near Term Task Force (NTTF) recommendation 2.1, St. Lucie re-evaluated its seismic risk by comparing its updated plant-specific Ground Motion response Spectrum (GMRS) developed by EPRI against the 1.3 times the sites Safe Shutdown Earthquake (SSE) level to find that the updated GMRS where lower than the sites SSE at a range of 1 Hz to 100Hz, indicating that seismic hazard at St. Lucie is low and bounded by the design basis value of 0.10g PGA. NRC staff confirmed that GMRS developed by the NRC staff are bounded by the St. Lucies SSE over the same range. Therefore, a seismic risk evaluation, spent fuel

Enclosure L-2018-006 Page 18 of 28 pool evaluation, and a high frequency confirmation were not merited for St. Lucie.

Notwithstanding, FPL will include the latest bounding plant-level seismic risk as part of RICT calculations, to ensure seismic risk is confidently being addressed. The latest bounding plant-level seismic risk was evaluated in response to post-Fukushima NTTF recommendation 2.1, which is based on the High Confidence of Low Probability of Failure (HCLPF) method documented in the NRC GI-199 Safety/Risk assessment with the most recent plant-specific data developed by EPRI in 2013. Based on that evaluation, it was concluded that mean seismic hazard estimate at St. Lucie is lower when used the recent EPRI data than that of IPEEE (1993).

In terms of High Winds, Hurricane, and Tornado hazards at Florida plants, including St. Lucie, controlled procedures require monitoring and tracking of these events. The most credible events at the site are associated with hurricanes, which are slow moving events. Sites controlled procedures require controlled shutdown to be initiated 30 min following a hurricane warning issuance by National Hurricane Center in Miami, Florida. The procedures also include many details for preparing the site for such events. The configuration risk management procedure includes guidance that prohibits removing the emergency diesel generators or blackout cross tie equipment out of service during the time frame of such events for any elective maintenance, and allowed only for corrective maintenance in a manner that maintains the safe shutdown status. These procedure requirements are not obviated during RICT evaluations.

All other external events hazards that are screened out in accordance with ASME PRA STANDARD as endorsed by RG-1.200 are unlikely to contribute to the RICT calculation in any significance. The screening criteria upon which these hazards are screened would be examined for applicability on case-by-case basis for a RICT calculation in which a particular configuration is viewed to be impacted.

12. RAI-MF5372/73-APLA-18 Dual Unit Impacts The proposed changes to the TSs sometimes differ between Unit 1 and Unit 2 (e.g., 3.6.1.7 , page 11 of 23), and sometimes do not. The RICT estimates also appear to sometimes differ between the units (e.g., 3.6.2.1.a), and sometimes do not.

a) Clarify whether there are two independent baseline PRAs and, if not, how are the unit specific risk estimates developed?

b) Clarify whether two independent CRMP models will be developed and used in parallel and, if not, how will unit specific RICTs be estimated?

c) Explain how the unit-specific RICT calculations will be appropriately estimated given any differences between the units, interactions between the units caused by the shared equipment, and the different out of service SSCs in each unit.

FPL Response St. Lucie units have limited shared systems and components and thus each unit has its own independent PRA model.

Enclosure L-2018-006 Page 19 of 28 a) Each St. Lucie unit has an independent CRMP model. Shared systems and components are included in each model (e.g., Emergency Diesel Generators supporting success criteria of each unit, and instrument air systems supporting operation of both units).

b) There will be two independent CRMP models to be used for RICT calculations at St. Lucie.

c) As indicated in a) and b), each CRMP model for each unit includes shared components and thus can be evaluated independently from the other units CRMP.

B. Technical Specifications (STSB) RAI In the letter dated February 25, 2017, FPL stated that Attachments 3 and 4 to the letter provide a complete markup of the TS for this LAR, and supersede the TS markups provided previously. The letter also states FPLs intended approach in this supplement is to remove loss of function provisions.

The categories of items required to be in the TSs are provided in Title 10 of the Code of Federal Regulations (10 CFR) Section 50.36(c). As required by 10 CFR 50.36(c)(2)(i), the TSs will include limiting conditions for operation (LCOs), which are the lowest functional capability or performance levels of equipment required for safe operation of the facility. Per 10 CFR 50.36(c)(2)(i), when an LCO of a nuclear reactor is not met, the licensee shall shut down the reactor or follow any remedial action permitted by the TSs until the condition can be met.

Within the context of the RICT program, a TS Loss of Function (TS LOF) is considered to exist when there is insufficient OPERABLE equipment to fulfill a safety function. Additional administrative controls are needed to support the application of a RICT to TS LOF conditions due to safety margin and defense-in-depth considerations.

The staff requests the following information to support a determination that the proposed remedial actions and time frames for completion are appropriate.

1. RAI-MF5372/MF5373-STSB-01:

Unit 1 TS LCO 3.4.3 and Unit 2 TS LCO 3.4.2.2 require that all pressurizer code safety valves shall be OPERABLE with specified lift settings. ACTION a is applicable when one pressurizer code safety valve is inoperable, and requires, in part, restoring the inoperable valve to Operable status within 15 minutes. The LAR proposes to apply a RICT to this ACTION.

The TS Bases state that during operation, all pressurizer Code safety valves must be OPERABLE to prevent the Reactor Coolant System from being pressurized above its Safety Limit. Based on this statement, it appears that the safety function could not be accomplished if one Code safety valve is inoperable.

If this condition does not represent a loss of function, please provide technical justification supporting that conclusion. If this condition does represent a loss of function, please provide additional justification for its inclusion in the RICT program, including appropriate administrative controls and explain how safety margin and defense-in-depth considerations are maintained.

Enclosure L-2018-006 Page 20 of 28 If this condition does not represent a loss of function, please provide technical justification supporting that conclusion. If this condition does represent a loss of function, please provide additional justification for its inclusion in the RICT program, including appropriate administrative controls and explain how safety margin and defense-in-depth considerations are maintained.

FPL Response FPL is withdrawing the proposed changes to TS 3.4.3 and 3.4.2.2 that added a risk-informed completion time for an inoperable code safety valve.

2. RAI-MF5372/MF5373-STSB-02:

Unit 1 TS LCO 3.4.12 and Unit 2 TS 3.4.4 require that each Power Operated Relief Valve (PORV)

Block Valve shall be OPERABLE. ACTION a applies when one or more block valves are inoperable, and requires restoration of the block valve(s) to OPERABLE status within one hour or close the block valve(s) and remove power from the block valve(s).

Unit 1 UFSAR Section 5.5.3.2 describes the PORVs as half-capacity valves with a motor actuated isolation valve upstream of each of the PORVs to permit isolating the (PORV) valve for maintenance or in case of valve failure.

With both block valves closed and de-energized, operation of the PORVs could be delayed until power could be restored to the block valves. Please provide a description of the actions and general time frames that would be required to re-energize the block valves so that the PORVs could be opened. Please provide a summary of the UFSAR Chapter 15 analyses in which operation of the PORVs is credited; and explain why delays in PORV operation are consistent with the analyses presented.

FPL Response For St. Lucie Units 1 and 2, the PORVs perform the safety function of providing low temperature overpressure protection for the reactor coolant system. Unit 1 LCO 3.4.13, Power Operated Relief Valves, and Unit 2 LCO 3.4.9.3, Overpressure Protection Systems, require operable PORVs in Mode 4 and below to perform this function. However, in Modes 1 through 3, the TS only require operability of the PORV block valves. The PORVs are not credited with performing any accident mitigation function, and they are not relied upon to cool down the plant. Therefore, any delay in operation of the PORVs in Modes 1 through 3 has no affect on the UFSAR Chapter 15 analyses.

3. RAI-MF5372/MF5373-STSB-03:

For Units 1 and 2, TS LCO 3.5.1 requires that each Reactor Coolant System safety injection tank shall be OPERABLE.

ACTION b applies with one safety injection tank inoperable, except as a result of parameter limits specified in ACTION a, not being within limits. The LAR proposes to apply a RICT to this ACTION.

Enclosure L-2018-006 Page 21 of 28 Unit 1 UFSAR Section 6.2.1.3.2, Containment Vessel Transient Analysis, and Unit 2 UFSAR Section 6.2.1.1.3, Design Evaluation - Containment Pressure - Temperature Analysis, state that the LOCA accident analyses are based upon the following additional overall assumptions:

For the discharge leg break, the contents of three safety injection tanks (SITs) discharge into the reactor vessel when reactor coolant system pressure drops below tank pressure.

This assumes the entire contents of the safety injection tank in the ruptured leg does not reach the core. For the hot and suction leg cases the contents of four SITs is considered.

It is not clear to the staff how the assumptions in the accident analysis would be satisfied for a LOCA in which the contents of one accumulator is lost through the break, and a second accumulator is inoperable at the time of the event.

If this condition does not represent a loss of function, please provide technical justification supporting that conclusion. If this condition does represent a loss of function, please provide additional justification for its inclusion in the RICT program, including appropriate administrative controls and explain how safety margin and defense-in-depth considerations are maintained.

FPL Response FPL is withdrawing the proposed changes to TS 3.5.1, Action b that added a risk-informed completion time for an inoperable accumulator.

4. RAI-MF5372/MF5373-STSB-04:

For Units 1 and 2, TS LCO 3.6.2.1 requires that two containment spray trains and two containment cooling trains be operable. ACTION e applies when two containment cooling trains are inoperable, and requires, in part, that one cooling train be restored to operable status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

The LAR proposes to include this ACTION in the scope of the RICT program.

Unit 1 UFSAR Section 6.2.1.3.2, Containment Vessel Transient Analysis, and Unit 2 UFSAR Section 6.2.1.1.3, Design Evaluation - Containment Pressure - Temperature Analysis, provide a summary of the containment peak pressure and temperature analysis.

For the LOCA, the listing of input assumptions includes the following:

The analyses are based on the loss of offsite power in which a coincident loss of diesel generator is assumed. This results in the loss of one cooling train which disables two fan coolers and one containment spray. This leaves one containment spray pump and one train of fan coolers (i.e. two units) available for operation.

Enclosure L-2018-006 Page 22 of 28 It is not clear to the staff how the assumptions in the accident analysis would be satisfied if two containment cooling trains are inoperable.

If this condition does not represent a loss of function, please provide technical justification supporting that conclusion. If this condition does represent a loss of function, please provide additional justification for its inclusion in the RICT program, including appropriate administrative controls and explain how safety margin and defense-in-depth considerations are maintained.

FPL Response The condition of two inoperable containment cooling trains does not represent a loss of function.

For Units 1 and 2, Action e in TS 3.6.2.1 applies when two containment cooling trains are inoperable and provides 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to restore one cooling train to operable status before a plant shutdown is required. Action e is consistent with the required action and 72-hour completion time in TS 3.6.6A in the standard TS (NUREG-1432) for the condition that two containment cooling trains are inoperable. If two inoperable containment cooling units represented a loss of function, a 72-hour completion time would not be appropriate because the TS typically require prompt action to initiate a plant shutdown for a loss of function. In addition, the Bases for TS 3.6.2.1 discuss that the 72-hour completion time for Action e takes into account the redundant heat removal capability and the iodine removal capability of the remaining operable systems.

The UFSAR for Unit 1 discusses that both containment spray subsystems provide at least minimum heat removal capability necessary to limit and reduce the post-accident containment pressure and temperature. In addition, analyses for Unit 2 show that operation of two containment spray trains and no fan coolers will maintain containment pressure and temperature within limits.

Plant operation in accordance with Action e requires that both containment spray trains are operable. Therefore, inoperability of two containment cooling trains does not represent a loss of function because two operable trains of containment spray must be operable at the same time to provide heat removal and iodine removal capability. On the other hand, as discussed in the Bases for TS 3.6.2.1, any combination of three or more containment cooling and containment spray trains inoperable is a condition outside the accident analysis, i.e., a loss of function, and requires a prompt plant shutdown in accordance with TS 3.0.3.

5. RAI-MF5372/MF5373-STSB-05:

Unit 1 TS LCO 3.6.3.1 and Unit 2 TS LCO 3.6.3 require that the containment isolation valves be operable. The Actions are applicable with one or more of the isolation valve(s) inoperable and require, in part, restoration of the valve(s) to operable status or isolation of each affected penetration within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.

The LAR proposes to include these Actions in the scope of the RICT program.

It is not clear to the staff how the assumptions regarding containment isolation would be satisfied if more than one valve in a given penetration is inoperable.

Enclosure L-2018-006 Page 23 of 28 If this condition does not represent a loss of function, please provide technical justification supporting that conclusion. If this condition does represent a loss of function, please provide additional justification for its inclusion in the RICT program, including appropriate administrative controls and explain how safety margin and defense-in-depth considerations are maintained.

FPL Response The condition involving two inoperable containment isolation valves in the same penetration represents a loss of function. However, FPL is proposing to apply a RICT to the containment isolation valves only for conditions that do not involve a loss of safety function as explained below for each unit.

Unit 1 The Action in TS 3.6.3.1 addresses the condition in which one or more isolation valves is inoperable and provides four hours to restore valve operability or to isolate the affected penetration. However, the situation that both required containment isolation valves in the same penetration are inoperable (with the penetration not isolated by a manual valve, blind flange, or deactivated automatic valve secured in its closed position) results in a failure to maintain containment vessel integrity. Without containment vessel integrity, the Action in TS 3.6.1.1, Containment Vessel Integrity, which provides one hour to restore containment vessel integrity, is applicable. Consequently, the RICT program would not be applicable to the condition involving a loss of function with both isolation valves in the same penetration inoperable. The RICT program would be applied to containment isolation valves in the Actions of TS 3.6.2.1 for conditions involving only one inoperable isolation valve in a penetration, a condition that does not represent a loss of function.

Unit 2 The Action in TS 3.6.3 addresses the condition in which one or more isolation valves is inoperable and provides four hours to restore valve operability or to isolate the affected penetration. However, different from the Unit 1 TS, the Unit 2 Action includes an additional requirement to maintain at least one isolation valve operable in each affected penetration that is open when a containment isolation valve is inoperable. Therefore, the Action in TS 3.6.3 addresses only one inoperable isolation valve in an open penetration while requiring operability of the redundant isolation valve in the penetration.

The condition that two isolation valves in the same penetration are inoperable results in a failure to maintain containment integrity. The Action in TS 3.6.1.1, Containment Integrity, which provides one hour to restore containment vessel integrity, is applicable. Consequently, the RICT program would not be applicable to the condition involving a loss of function with both isolation valves in the same penetration inoperable. The RICT program would be applied to containment isolation valves in the Actions of TS 3.6.3 for conditions involving only one inoperable isolation valve in a penetration, a condition that does not represent a loss of function

Enclosure L-2018-006 Page 24 of 28

6. RAI-MF5372/MF5373-STSB-06:

For Unit 2, TS LCO 3.6.1.7 requires that each containment purge supply and exhaust valve be OPERABLE with each 48-inch containment purge supply and exhaust isolation valve sealed closed and the 8-inch containment purge supply and exhaust isolation valves be open for purging and/or venting as required for safety related purposes such as those listed in the LCO.

ACTION a applies with a 48-inch containment purge supply and/or exhaust isolation valve(s) open for reasons other than maintaining containment pressure or reducing containment atmosphere airborne radioactivity and/or improving air quality. The ACTION requires closing the valve or isolating the penetration(s) within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. The proposed change is to allow the calculation of a RICT for this configuration, which would allow postponement of isolating the penetration for up to 30 days.

ACTION b applies with an 8-inch containment purge supply and/or exhaust isolation valve(s) open for reasons other than maintaining containment pressure or reducing containment atmosphere airborne radioactivity and/or improving air quality. The ACTION requires closing the valve or isolating the penetration(s) within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. The proposed change is to allow the calculation of a RICT for this configuration, which would allow postponement of isolating the penetration for up to 30 days.

ACTION c applies with containment purge supply and/or exhaust isolation valve(s) having a measured leakage rate exceeding the limits specified in the Surveillance Requirements. The ACTION requires, in part, restoring the valve to operable status or isolating the penetrations such that the measured leakage rate does not exceed the limits within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The proposed change is to allow the calculation of a RICT for this configuration, which would allow postponement of restoring the valve to operable status or isolating the penetration for up to 30 days.

The St. Lucie Unit 2 UFSAR Section 15.6.5.5.2, Compliance with RG 1.183 Regulatory Positions, Compliance with Regulatory Position 3.8 states:

100% of the radionuclide inventory of the RCS is released instantaneously at the beginning of the event. The containment purge flow is 2500 cfm through the eight-inch line and is assumed to be isolated after 30 seconds. No filters are credited.

Please explain how the specified safety function of the containment purge portion of the containment ventilation system would be accomplished during application of a RICT to these ACTIONS. Please explain how the proposed changes would ensure the assumptions regarding isolation of the containment purge system in the accident analysis are satisfied.

FPL Response FPL is withdrawing the proposed changes that add a RICT to the Actions in TS 3.6.1.7.

Enclosure L-2018-006 Page 25 of 28

7. RAI-MF5372/MF5373-STSB-07:

For Units 1 and 2, TS LCO 3.7.1.5 requires that each main steam line isolation valve (MSIV) be Operable. The ACTION for Mode 1 requires, in part, that with one MSIV inoperable, Power Operation may continue provided the inoperable valve is restored to Operable status or closed within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.

The proposed change is to allow the calculation of a RICT for this configuration, which would allow postponement of restoring the valve to operable status for up to 30 days.

The TS Bases state that the operability of the MSIVs ensures that no more than one steam generator will blow down in the event of a steam line rupture. This restriction is required to 1) minimize the positive reactivity effects of the Reactor Coolant System cooldown associated with the blowdown, and 2) limit the pressure rise within containment in the event the steam line rupture occurs within containment.

It is not clear to the staff how the assumptions in the accident analysis would be satisfied when one MSIV is inoperable.

If this condition does not represent a loss of function, please provide technical justification supporting that conclusion. If this condition does represent a loss of function, please provide additional justification for its inclusion in the RICT program, including appropriate administrative controls and explain how safety margin and defense-in-depth considerations are maintained.

FPL Response The main steam system is designed to prevent blowdown of both steam generators in the event of a steam line break by automatically closing the MSIVs. The failure of one MSIV to close during a steam line break does not result in an uncontrolled blowdown of more than one steam generator. In the event that one MSIV is inoperable, the remaining operable MSIV remains available to close so that no more than one steam generator will blow down in the event of a steam line rupture. For a steam line break downstream of the MSIVs, closure of the operable MSIV will prevent blowdown of more than one steam generators. If a break occurs upstream of the MSIV, blowdown of the other steam generator by backflow is prevented by closure of either the MSIV in the broken steam line or closure of the MSIV in the intact steam line. Additionally, in the case of a steam line break upstream of an MSIV on Unit 1, blowdown of the other steam generator by backflow to the break will be prevented by the check valve in the broken steam line.

With one MSIV inoperable, the remaining operable MSIV will close on an actuation signal to prevent blowdown of both steam generators in the event of a steam line break accident. Therefore, a loss of function does not result from inoperability of one MSIV.

Enclosure L-2018-006 Page 26 of 28

8. RAI-MF5372/MF5373-STSB-08:

For Units 1 and 2, TS LCO 3.7.1.5 requires that each main steam line isolation valve (MSIV) be Operable.

The existing ACTION for Mode 1 states:

With one main steam line isolation valve inoperable, POWER OPERATION my continue provided the inoperable valve is either restored to OPERABLE status or closed within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />; otherwise be in HOT STANDBY with the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

The existing ACTION for Modes 2 and 3 states:

With one or both main steam isolation valve(s) inoperable, subsequent operation in MODES 2 or 3 may proceed provided the isolation valve(s) is (are) maintained closed.

Otherwise, be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD SHUTDOWN within the following 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

The proposed ACTION for Mode 1 would state:

With one main steam line isolation valve inoperable, POWER OPERATION my continue provided the inoperable valve is either restored to OPERABLE status or closed within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> or in accordance with the RICT Program; otherwise be in MODE 2 with the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

The proposed ACTION for Modes 2 and 3 would state:

With one or both main steam isolation valve(s) inoperable, subsequent operation in MODES 2 or 3 may continue provided:

1. The inoperable main steam isolation valves are closed within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />, and
2. The inoperable main steam isolation valves are verified closed once per 7 days.

Otherwise, be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in HOT SHUTDOWN within the following 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

The proposed changes would align the St. Lucie LCO Actions with the corresponding Actions in the Standard Technical Specifications. In the Standard Technical Specifications, the time allowed to close an inoperable main steam isolation valve while in MODES 2 or 3 is a bracketed value.

Values enclosed in brackets are used to signify a licensee-specific value. Please provide the technical justification for the selection of the 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> value for St. Lucie.

Enclosure L-2018-006 Page 27 of 28 FPL Response The MSIVs function to ensure that no more than one steam generator will blow down in the event of a steam line rupture and to provide a containment isolation boundary. With one or both MSIVs inoperable in Mode 2 or 3, eight hours is a reasonable time to close the inoperable MSIV(s) considering the probability of an accident that would require closure of the MSIVs. The likelihood of occurrence of a steam line rupture, a postulated accident that is not expected to occur during the life of the plants, during the eight-hour period is low.

With regard to the containment isolation function, the St. Lucie TS provide a four- hour completion time for inoperable containment isolation valves. However, the proposed completion time is greater than four hours because the MSIVs isolate a closed system that penetrates containment. The closed system provides a second barrier for containment isolation. In addition, providing a longer completion time for penetrations consisting of one isolation valve and a closed system is consistent with NUREG-1432, Standard Technical Specifications - Combustion Engineering Plants, where TS 3.6.3 provides a 72-hour completion time for an inoperable valve in a penetration consisting of one isolation valve and a closed system.

9. RAI-MF5372/MF5373-STSB-09:

TS 6.8.4 states, The following program shall be established, implemented, and maintained.

Proposed TS 6.8.4.q describes the RICT program.

Element c requires that when a RICT is being used, any plant configuration change within the scope of the RICT program must be considered for the effect on the RICT. The terminology within the scope of the RICT program could be misinterpreted to only include equipment governed by TS LCOs that are included within the RICT program. In accordance with NEI 06-09, any plant configuration change, as defined in NEI 06-09 0-A, must be considered for its effect on the RICT. Please propose revised language to reflect the broader scope of changes that could affect the RICT.

The proposed TS 6.8.4.q does not address the treatment of common cause when an emergent failure occurs. Please propose additional administrative controls to address the treatment of common cause.

FPL Response FPL proposes to revise element c in the RICT by replacing within the scope of the RICT Program with within the scope of the Configuration Risk Management Program. The proposed change reflects the broader scope of changes that could affect the RICT and is consistent with NEI 06-09.

FPL proposes to add paragraph e below to the Risk Informed Completion Time Program in Specification 6.8.4 in the administrative section of the TS.

e) If the extent of condition evaluation for inoperable structures, systems, or components (SSCs) is not complete prior to exceeding the Completion Time, the RICT shall account for the increased possibility of common cause failure (CCF) by either:

Enclosure L-2018-006 Page 28 of 28

1. Numerically accounting for the increased possibility of CCF in the RICT calculation, or
2. Risk Management Actions (RMAs) not already credited in the RICT calculation shall be implemented that support redundant or diverse SSCs that perform the function(s) of the inoperable SSCs, and, if practicable, reduce the frequency of initiating events that challenge the function(s) performed by the inoperable SSCs.

Attachment 1 L-2018-006 Page 1 of 3 ATTACHMENT 1 St. Lucie Unit 1 Markups of the Operating License

Attachment 1 L-2018-006 Page 2 of 3 INSERT J J. FPL is authorized to implement the Risk Informed Completion Time Program as approved in License Amendment No. XXX subject to the following conditions:

1. FPL will complete the items listed in the table of implementation items in the enclosure to FPL letter L-2018-006 dated February 1, 2018 prior to implementation of the Risk Informed Completion Time Program.
2. The risk assessment approach and methods, shall be acceptable to the NRC, be based on the as-built, as-operated, and maintained plant, and reflect the operating experience of the plant as specified in RG 1.200. Methods to assess the risk from extending the completion times must be PRA methods accepted as part of this license amendment, or other methods approved by the NRC for generic use. If the licensee wishes to change its methods, and the change is outside the bounds of this license condition, the licensee will seek prior NRC approval via a license amendment.

Attachment 2 L-2018-006 Page 1 of 3 ATTACHMENT 2 St. Lucie Unit 2 Markup of the Operating License

Attachment 2 L-2018-006 Page 2 of 3 INSERT O O. FPL is authorized to implement the Risk Informed Completion Time Program as approved in License Amendment No. XXX subject to the following conditions:

1. FPL will complete the items listed in the table of implementation items in the enclosure to FPL letter L-2018-006 dated February 1, 2018 prior to implementation of the Risk Informed Completion Time Program.
2. The risk assessment approach and methods, shall be acceptable to the NRC, be based on the as-built, as-operated, and maintained plant, and reflect the operating experience of the plant as specified in RG 1.200. Methods to assess the risk from extending the completion times must be PRA methods accepted as part of this license amendment, or other methods approved by the NRC for generic use. If the licensee wishes to change its methods, and the change is outside the bounds of this license condition, the licensee will seek prior NRC approval via a license amendment.

Attachment 3 L-2018-006 Page 1 of 3 ATTACHMENT 3 St. Lucie Unit 1 Markup of the Technical Specifications

Attachment 3 L-2018-006 Page 2 of 3 INSERT 3

r. Risk Informed Completion Time Program This program provides controls to calculate a Risk Informed Completion Time (RICT) and must be implemented in accordance with NEI 06-09, "Risk-Informed Technical Specifications Initiative 4b: Risk-Managed Technical Specifications (RMTS) Guidelines, Revision 0-A, November 2006. The program shall include the following:
a. The RICT may not exceed 30 days;
b. A RICT may only be utilized in MODES 1 and 2;
c. When a RICT is being used, any plant configuration change within the scope of the Configuration Risk Management Program must be considered for the effect on the RICT.
1. For planned changes, the revised RICT must be determined prior to implementation of the change in configuration.
2. For emergent conditions, the revised RICT must be determined within the time limits of the Required Action Completion Time (i.e., not the RICT) or 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after the plant configuration change, whichever is less.
3. Revising the RICT is not required If the plant configuration change would lower plant risk and would result in a longer RICT.
d. Use of a RICT is not permitted for entry into a configuration which represents a loss of a specified safety function or inoperability of all required trains of a system required to be OPERABLE.
e. If the extent of condition evaluation for inoperable structures, systems, or components (SSCs) is not complete prior to exceeding the Completion Time, the RICT shall account for the increased possibility of common cause failure (CCF) by either:
1. Numerically accounting for the increased possibility of CCF in the RICT calculation, or
2. Risk Management Actions (RMAs) not already credited in the RICT calculation shall be implemented that support redundant or diverse SSCs that perform the function(s) of the inoperable SSCs, and, if practicable, reduce the frequency of initiating events that challenge the function(s) performed by the inoperable SSCs.

Attachment 4 L-2018-006 Page 1 of 3 ATTACHMENT 4 St. Lucie Unit 2 Markup of the Technical Specifications

Attachment 4 L-2018-006 Page 2 of 3 INSERT 3

s. Risk Informed Completion Time Program This program provides controls to calculate a Risk Informed Completion Time (RICT) and must be implemented in accordance with NEI 06-09, "Risk-Informed Technical Specifications Initiative 4b: Risk-Managed Technical Specifications (RMTS) Guidelines, Revision 0-A, November 2006. The program shall include the following:
a. The RICT may not exceed 30 days;
b. A RICT may only be utilized in MODES 1 and 2;
c. When a RICT is being used, any plant configuration change within the scope of the Configuration Risk Management Program must be considered for the effect on the RICT.
1. For planned changes, the revised RICT must be determined prior to implementation of the change in configuration.
2. For emergent conditions, the revised RICT must be determined within the time limits of the Required Action Completion Time (i.e., not the RICT) or 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after the plant configuration change, whichever is less.
3. Revising the RICT is not required If the plant configuration change would lower plant risk and would result in a longer RICT.
d. Use of a RICT is not permitted for entry into a configuration which represents a loss of a specified safety function or inoperability of all required trains of a system required to be OPERABLE.
e. If the extent of condition evaluation for inoperable structures, systems, or components (SSCs) is not complete prior to exceeding the Completion Time, the RICT shall account for the increased possibility of common cause failure (CCF) by either:
1. Numerically accounting for the increased possibility of CCF in the RICT calculation, or
2. Risk Management Actions (RMAs) not already credited in the RICT calculation shall be implemented that support redundant or diverse SSCs that perform the function(s) of the inoperable SSCs, and, if practicable, reduce the frequency of initiating events that challenge the function(s) performed by the inoperable SSCs.
Retrieved from "https://kanterella.com/w/index.php?title=L-2018-006,_Third_Response_to_Request_for_Additional_Information_Regarding_License_Amendment_Request_to_Adopt_Risk_Informed_Completion_Times_TSTF-505,_Revision_1,_Provide_Risk-Risk_Informed_Extended_Completion_Times_-_RITSTF_Initiative_4b&oldid=1953915"