ML003739165

From kanterella
Jump to navigation Jump to search
Draft Regulatory Guide DG-1052 (Supersedes DG-1040), Time Response Design Criteria for Safety-Related Operator Actions
ML003739165
Person / Time
Issue date: 11/30/1996
From:
Office of Nuclear Regulatory Research
To:
References
DG-1052
Download: ML003739165 (15)


Text

I U.S. NUCLEAR REGULATORY COMMISSION November 1996 OFFICE OF NUCLEAR REGULATORY RESEARCH Division I jo I

DRAFT REGULATORY GUIDE Draft DG-1052

Contact:

J.J. Kramer (301)415-5891 DRAFT REGULATORY GUIDE DG-1052 (Supersedes DG-1040)

TIME RESPONSE DESIGN CRITERIA FOR SAFETY-RELATED OPERATOR ACTIONS A. INTRODUCTION In Appendix A, "General Design Criteria for Nuclear Power Plants," of 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities," Criterion 19, "Control Room," calls for a control room from which actions can be taken to operate the nuclear power unit safely under normal and accident conditions. Generic Safety Issue B-17, "Criteria for Safety-Related Operator Actions," called for the development of time criteria for safety-related operator actions that included a methodology for determining whether or not automatic actuation would be needed to mitigate a design basis event. Generic Issue B-17 was listed in NUREG-0471, "Generic Task Problem Descriptions (Category B, C, and D Tasks)," and in NUREG-0933, "A Prioritization of Generic Safety Issues" (Refs. I and 2).

In 1984, the American Nuclear Society issued ANSI/ANS-58.8-1984, "Time Response Design Criteria for Nuclear Safety Related Operator Actions" (Ref. 3),

to address this issue from NUREG-0471. The development of this standard was prompted by the safety issue of when credit could be taken for safety-related operator actions (Generic Safety Issue B-17), the recognition that there were at that time no generally accepted timing criteria for nuclear safety-related operator actions, and the realization that the prevailing guidelines needed to be updated. Since the publication of the original standard in 1984, additional This regulatory guide is being issued in draft form to'involve the public in the early stages of the development of a regulatory position in this area. It has not received complete staff review and does not represent an official NRC staff position.

Public comments-are being solicited on the draft guide (including any implementation schedule) and its associated regulatory analysis or value/impact statement. Comments should be accompanied by appropriate supporting data. Written comments may be submitted to the Rules Review and Directives Branch, DFIPS, Office of Administration, U.S. Nuclear Regulatory Commission, Washington, DC 20555. Copies of comments received may be examined at the NRC Public Document Room, 2120 L Street NW., Washington, DC. Comments will be most helpful if received by January 24, 1997.

Requests for single copies of draft or active regulatory guides (which may be reproduced) or for placement on an automatic distribution list for single copies of future draft guides in specific divisions should be made in writing to the U.S. Nuclear Regulatory Commission, Washington, DC 20555, Attention: Distribution and Mail Services Section, or by fax to (301)415-2260.

relevant data have been collected; as a result, the American Nuclear Society determined that it would be beneficial to revise and update the 1984 version of ANS-58.8 to reflect the information derived from the additional data.

This regulatory guide endorses ANSI/ANS-58.8-1994, "Time Response Design Criteria for Safety-Related Operator Actions" (Ref. 4), as it contains methods acceptable to the NRC staff for developing and applying timing criteria for safety-related operator actions for design basis events. The revised standard establishes criteria by which plant designers may credit manual operator action for stabilizing the plant. The standard contains empirically derived operator response times and a definition of the methodology needed to apply these criteria. These criteria are not intended to serve as a basis for determining actual operator action times in procedures or training, nor do they set requirements for operator staffing or qualification. The ANSI/ANS-58.8-1994 criteria ensure that if the total equipment processing and alarm time delays do not allow the operator sufficient time to complete the actions that he or she is required to take in order to mitigate the consequences of a design basis event, prior to exceeding a plant design limit, those mitigating actions are to be automated.

Regulatory guides are issued to describe and make available to the public such information as methods acceptable to the NRC staff for implementing specific parts of the Commission's regulations, techniques used by the staff in evaluating specific problems or postulated accidents, and guidance to applicants. Regulatory guides are not substitutes for regulations, and compliance with regulatory guides is not required. Regulatory guides are issued in draft form for public comment to involve the public in the early stages of developing the regulatory positions. Draft regulatory guides have not received complete staff review and do not represent official NRC staff positions.

The information collections contained in this draft regulatory guide are covered by the requirements of 10 CFR Part 50, which were approved by the Office of Management and Budget, approval number 3150-0011. The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number.

2

B. DISCUSSION NUREG-0471 (Ref. 1) describes several generic safety issues. Issue 27 of NUREG-0471 was evaluated by the NRC staff, prioritized via value/impact calculations, and documented as Item B-17, "Criteria for Safety-Related Operator Actions," of NUREG-0933 (Ref. 2). Item B-17, "Criteria for Safety Related Operator Actions," called for the development of time criteria for safety-related operator actions that included a methodology for determining whether or not automatic actuation would be required to mitigate the event.

For B-17, it was reasoned that automation of some safety-related actions currently initiated manually would reduce the frequency of human errors during the response to or recovery from a design basis event. In order to address Item B-17, a set of criteria needed to be established that (1) prescribed time limits for safety-related operator actions and (2) indicated which safety related actions must be automated. ANSI/ANS-58.8-1994 addresses both of these issues.

The response time criteria established by an earlier version of the standard, ANSI/ANS-58.8-1984, were based on simulator measurements of operator performance and plant data collected from actual events (Ref. 3). The test subjects represented skill levels ranging from initially qualified operators to experienced operators performing requalification training. Operators' responses to various anticipated operational occurrences and accident situations were measured to determine the promptness of their actions. The data were collected automatically and later reduced using statistical methods.

These empirical data provided the basis for the standard to define time intervals of sufficient length to ensure operator response.

The data do not indicate whether the operator actions were correct.

However, it is assumed that if the intervals used in a plant's design meet the time criteria of the standard, then other performance-shaping factors, such as training level, operating procedures, and panel layout, might dominate the "time available" in their combined influence on the probability of operator error.

After the original standard was issued in 1984, studies and experiments aimed at resolving other human performance issues have generated additional data that, although not specifically collected to support ANSI/ANS-58.8-1984, are nonetheless relevant. The most recent study was the Operator Reliability 3

Experiments (ORE) conducted by the Electric Power Research Institute (EPRI)

(see Reference 4). The ORE data were collected by EPRI in order to (1) develop models of operator reliability for control room decisions and actions, (2) obtain data to validate the models, mainly using plant simulators, and (3) design, enable quantification of post-TMI benefits from changes in control room procedures, training, and operator aids. The 1994 revision of ANS-58.8 reflects a detailed review of 50% of the ORE data. These data were compared in either with the previous data to determine whether revisions were warranted the time tests or the methodology of the 1984 standard.

A brief outline of the ORE data analysis is provided in the appendix to the ANSI/ANS-58.8-1994 standard (Ref. 4). A review of this analysis by the generally ANSI/ANS-58.8-1994 Working Group members determined that the analysis substantiated the original 1984 standard's required response times and suggested simplifications in the methodology. ANSI/ANS-58.8-1994 effected two significant changes to the methodology:

(1) Simplification of the terminology used to define the discrete time points and time intervals that incorporate the time tests of the 1984 version of this standard into the appropriate time intervals.

(2) Unidirectional calculation of the time points and intervals from the beginning of the design basis event to the conclusion of the design basis event (in the 1984 version of this standard, calculations were necessary from both the beginning and the conclusion of the DBE).

The 1984 standard and the 1994 standard differ only in respect to terminology and methodology (items 1 and 2 above). The actual time limits 2 of delineated by both versions of the standard are the same (see Tables I and the Value/Impact Analysis for this guide (attached)). In general, the ORE data substantiated the time limits specified in the 1984 standard.

C. REGULATORY POSITION The methodology contained in ANSI/ANS-58.8-1994, "Time Response Design to the Criteria for Safety-Related Operator Actions" (Ref. 4), is acceptable the NRC staff for determining the allowable response times for stabilizing 4

plant by manual operator action (i.e., safety-related operator actions) for design basis events.

D. IMPLEMENTATION The purpose of this section is to provide information to applicants and licensees regarding the NRC staff's plans for using this regulatory guide. No backfitting is intended or approved in connection with the issuance of this proposed guide. Any backfitting that may result from application of this new guidance to operating plants will be justified in accordance with established NRC backfitting guidance and procedures.

This draft guide has been released to encourage public participation in its development. Except in those cases in which an applicant proposes an acceptable alternative method for complying with specified portions of the NRC's regulations, the method to be described in the active guide reflecting public comments will be used in the evaluation of submittals in connection with applications for construction permits, standard design certifications and design approvals, and combined operating licenses. The final guide will also be used to evaluate submittals from operating reactor licensees that propose modifications that go beyond the current licensing basis if those modifications are voluntarily initiated by the licensee and there is a clear connection between the proposed modifications and this guidance.

5

REFERENCES

1. U.S. Nuclear Regulatory Commission, "Generic Task Problem Descriptions (Category B, C, and D Tasks)," NUREG-0471, September 1978.
2. R. Emrit et al., "A Prioritization of Generic Safety Issues," Item B-17:

Criteria For Safety-Related Operator Actions Revision 2, U.S. Nuclear Regulatory Commission, NUREG-0933, Supplement 06, March 1987.*

3. American Nuclear Society, "Time Response Design Criteria For Nuclear Safety Related Operator Actions," ANSI/ANS-58.8-1984, La Grange Park, Illinois, 1984.
4. American Nuclear Society, "Time Response Design Criteria For Safety Related Operator Actions," ANSI/ANS-58.8-1994, La Grange Park, Illinois, 1994.

Copies are available for inspection or copying for a fee from the NRC Public Document Room at 2120 L Street NW., Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555; telephone (202)634-3273; fax (202)634 3343. Copies may be purchased at current rates from the U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20402-9328 (telephone (202)512 2249); or from the National Technical Information Service by writing NTIS at 5285 Port Royal Road, Springfield, VA 22161.

6

VALUE/IMPACT ANALYSIS GENERIC ISSUE B-17 In order to resolve a generic issue, one of two actions must occur.

Either a regulatory requirement or guidance must be established and implemented that addresses the issue in question or there must be a documented decision that no change in requirements is warranted (Ref. V-i). Based on the groundwork and research that went into the development of ANSI/ANS-58.8-1994, "Time Response Design Criteria for Safety-Related Operator Actions" (Ref. V-2),

it is the opinion of the NRC staff that no change in requirements is warranted in the case of Generic Issue B-17, "Criteria for Safety-Related Operator Actions."

A review of the pertinent section of Generic Issue B-17 indicates that two separate issues must be addressed in order to resolve B-17. The first issue involves developing a set of time criteria for safety-related operator actions, which must include a methodology for determining if and when safety-related actions are to be automated. The second issue involves determining whether or not plants are currently capable of complying with the criteria contained in the standard. In order to resolve Generic Issue B-17, it is necessary to demonstrate that both issues have been addressed by standards and practices that currently exist.

Criteria ANSI/ANS-58.8-1994 (Ref. V-2) establishes a set of time criteria for safety-related operator actions. In addition, the standard provides a methodology for determining which safety-related actions may be initiated manually during a design basis event and which must be initiated automatically.

The standard accomplishes this by (1) establishing a set of empirically substantiated response times for operator actions during simulated accident conditions and (2) requiring safety-related actions to be automated if these response times cannot be met. Specifically, the criteria established by the standard provide a basis for the following:

1. Establishing certain requirements for determining whether a particular action to initiate or control a safety-related system 7

might be accomplished by operator action or must be accomplished by an automatic action;

2. Determining when design modifications can obviate the need for automatic actions that would otherwise be required; and
3. Establishing general guidance on hardware to support safety-related operator actions.

ANSI/ANS-58.8-1994 defines two important time limits that must be met.

The first time limit, TIdiagnosi,, is the time interval between the first time indication of a design basis event to the plant operators and the earliest for which credit can be taken for initiation of a safety-related operator action. The second time limit, TIoperator, is the time interval during which the operator initiates and completes safety-related actions. The limits established for TIdiagnosis and TIopelator (Tables 1 and 2 respectively) are event specific and are based on the estimated frequency of a particular event (i.e.,

plant conditions) occurring per reactor year. Table 3 summarizes the plant conditions. Tables 1, 2, and 3 have been taken from ANSI/ANS-58.8-1994 (Ref.

V-2).

Table 1 Minimum TIdi*ago~s for Each Plant Condition 8

Table 2 TIoP.rator Sub-intervals (Minutes) for Each Plant Condition and for Actions To Be Taken Outside of the Control Room Plant Condition Fixed sub- Variable* sub interval interval 2 1+ n 3 3+ n 4 5+ n 5 5+ n Outside Control Room 30+ n

  • "n" signifies the number of discrete manipulations to complete a specific, single operator action.

The time limit established for TIoperator takes into account both the complexity of a design basis event and the number of individual manipulations that an operator must take as part of the safety-related operator actions required to mitigate the event. Complexity is accounted for by the fixed sub interval portion of TIoperator while the number of discrete manipulations required to mitigate the event is accounted for by the variable sub-interval of Tloperator (nominally 1 minute per manipulation).

Table 3 Plant Condition Categories Estimated Frequency of Plant Condition Occurrence (F) Per Reactor Year 1 Normal Operations 2 F > 10' 3 10-> F> 10-2 4 10.2 >F> 10-4 5 10-4 >F> 10.6 The time limits embodied in Tables 1 and 2 were calculated, using an appropriate design margin, to ensure that mitigating actions during a design basis event, both automated and manually initiated, could be completed in sufficient time to preclude exceeding a plant design limit. The Table I and 2 9

limits were empirically developed using data collected by Oak Ridge National Laboratory (ORNL) and General Physics for the NRC, and data developed by Westinghouse as part of their experimental program on safety-related operator actions. (See the Appendix to ANSI/ANS-58.8-1994 (Ref. V-2) for a detailed explanation of how TIopera t or and TI diagnosis relate to safety-related operator actions.)

Conformance NUREG-0933 indicates that, as a possible solution to Generic Issue B-17, "plants would be required to perform task analysis, simulator studies, and analysis and evaluation of operational data to assess current ESF and safety related control system designs for conformance to new criteria" (Ref. V-i). In 1982, the NRC required all licensees and applicants to conduct task analyses as part of meeting the requirements of Generic Letter 82-33, "Emergency Response Capabilities," which is Supplement 1 to NUREG-0737 (Ref. V-3). This is the crux of the conformance issue, i.e., demonstrating that plants can conform to the timing criteria set forth in ANSI/ANS-58.8-1994 (Ref. V-2). In order to understand the pivotal role that ANSI/ANS-58.8-1994 plays in resolving the conformance issue, it is first important to understand how the time limits embodied in the standard were developed.

In the late 70s and early 80s, beginning with early unpublished standards research, an effort was initiated to establish industry design standards for safety-related operator actions. At that time, the lack of an objective data base on operator performance precluded development of such criteria. During the early part of the 1980s, however, the NRC sponsored studies that were conducted by ORNL and the General Physics Corporation (Ref. V-4) to collect data on operator response times during simulated casualty conditions. The time limits contained in the 1984 version of ANS-58.8 were developed from these and other empirically derived data (see NUREG/CR-1908, Ref. V-5; NUREG/CR-2534, Ref. V-6; NUREG/CR-3123, Ref. V-7). In 1987, EPRI collected additional data on operator response times as part of their Operator Reliability Experiments (ORE). The ORE data, again empirically derived, in general substantiated the time limits contained in the 1984 standard (and were subsequently used to revise that standard to what is now ANSI/ANS-58.8-1994). The working group for the 1994 version of the standard reviewed most of the ORE data and concluded 10

that the data show some conservatism in both timing requirements, even with an observed trend of symptom-based procedures toward shortening or eliminating Tldiagnosis and lengthening the fixed and variable sub-intervals of TIoperator.

The history behind ANSI/ANS-58.8-1994 (Ref. V-2) is important in that it serves to demonstrate how the time limits were developed. Over a period of many years a volume of empirical data was collected (and measurement techniques were improved) that ascertained actual operator response times during simulated design basis events. Simulator studies were used in most cases rather than actual operational data, because the nuclear industry has so little data of equivalent detail on incidents of major consequence over the past three decades. Therefore, the ANSI/ANS-58.8-1994 time limits for TIdiagnosis and T loperator were developed, for the most part, by measuring the actual response times for various operators (crews) at various plants. The important point is that, since the standard's time limits were developed from an accumulation of actual operator response times, operators, by design, should be able to respond within those limits. Essentially, the simulator studies and the analysis and evaluation of operational data called for by B-17 were conducted en route to developing the standard's time criteria. The fact that it was these data that were used to develop the criteria substantiates that operators will be able to perform their safety-related actions rapidly enough during a design basis event. Operator licensing and requalification program results confirm this as well. Hence, the conformance criterion has been met.

There is additional evidence to support the inference that operators have ample time to complete their safety-related operator actions, and that is that the Operator Reliability Experiment data, with few exceptions, demonstrated that "the great majority of crews successfully initiated the required actions

[during an unanticipated transient] before unacceptable results occur" (Ref. V 4).' In effect, the Operator Reliability Experiments drew a sample of nuclear power plant crews from the industry's operator base and tested them against the standard's criteria. In the vast majority of cases the crews responded well within the allotted time limits. For a detailed analysis and discussion of the Operator Reliability Experiment data, see References V-2, V-8, and V-9.

'The exceptions included anticipated transients without scram and certain other complex events. See the Appendix to ANSI/ANS-58.8-1994 (Ref. V-2) for further details.

11

To sum up, there are two pieces of evidence that support the argument that power plant operators are able to conform to the timing criteria established by ANSI/ANS-58.8-1994. The first is that the ANSI/ANS-58.8-1994 timing criteria were based on an accumulation of data collected on actual response times; thus, operators can react in time by design. The second is that the EPRI Operator Reliability Experiment data confirm, for the most part, that operators have sufficient time to complete their safety-related operator actions.

12

REFERENCES V-1. "A Prioritization of Generic Safety Issues," Item B-17: Criteria For Safety-Related Operator Actions Revision 2, U.S. Nuclear Regulatory Commission, NUREG-0933, Supplement 06, March 1987.1 V-2. American Nuclear Society, Time Response Design Criteria For Safety Related Operator Actions, ANSI/ANS-58.8-1994, La Grange Park, Illinois, 1994.

V-3. USNRC, "Clarification of TMI Action Plan Requirements: Requirements for Emergency Response Capability," NUREG-0737, Supplement 1, January 1983.

V-4. American Nuclear Society, Time Response Design Criteria For Safety Related Operator Actions, ANSI/ANS-58.8-1984, La Grange Park, Illinois, 1984.

V-5. T.F. Bott et al., "Criteria for Safety-Related Nuclear Power Plant Operator Actions: Initial Pressurized Water Reactor (PWR) Simulator Exercises," NUREG/CR-1908, October 1981.'

V-6. A.N. Beare et al., "Criteria for Safety-Related Nuclear Power Plant Operator Actions: Initial Boiling Water Reactor (BWR) Sipulateed Exercises," NUREG/CR-2534 (ORNL/TM-8195), November 1982.

V-7. D.S. Crowe et al., "Criteria for Safety-Related Nuclear Power Plant Operator Actions: 1982 Pressurized Water Reactor (PWR) Simulator Exercises," NUREG/CR-3123 (ORNL/TM-8626), June 1983.

V-8. P. Moieni, A.J. Spurgin, and J.P. Spurgin, "Bridging Document Between Simulator Data on Operator Time Response and the ANS-58.8 Standard,"

Accident Prevention Group, APG Report #19, January 1992.2 V-9. P. Moieni, A.J. Spurgin, and J.P. Spurgin, "Application of the EPRI Operator Reliability Experiments (ORE) Data To Update the ANS-58.8 Standard," Accident Prevention Group, APG Report #12, December 1990.2

'Copies are available for inspection or copying for a fee from the NRC Public Document Room at 2120 L Street NW., Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555; telephone (202)634-3273; fax (202)634 3343. Copies may be purchased at current rates from the U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20402-9328 (telephone (202)512 1800); or from the National Technical Information Service by writing NTIS at 5285 Port Royal Road, Springfield, VA 22161.

2Copies are available for inspection or copying for a fee from the NRC Public Document Room at 2120 L Street NW., Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555; telephone (202)634-3273; fax (202)634 3343.

13

Federal Recycling Program U.S. GOVERNMENT PRINTING OFFICE: 1996 417-801/60003

UNITED STATES FIRST CLASS MAIL POSTAGE AND FEES PAID NUCLEAR REGULATORY COMMISSION USNRC WASHINGTON, DC 20555-0001 PERMIT NO. G-67 OFFICIAL BUSINESS PENALTY FOR PRIVATE USE, $300