ML063170256
| ML063170256 | |
| Person / Time | |
|---|---|
| Site: | Fort Calhoun  |
| Issue date: | 04/13/2006 |
| From: | NRC/RES/DRASP/DDOERA/OEGI |
| To: | |
| Shared Package | |
| ML063170246 | List: |
| References | |
| IR-05-010, LER-04-002-00 | |
| Download: ML063170256 (64) | |
Text
1 This value is based on a key assumption such that the quite unique diesel-driven AFW FW-54 pump, which does not rely on the vital AC or DC power, could be used given success of a series of required operator actions following depletion of the station batteries. The CDP for this event increases to 1.8 x 10-5 if the prevention of core damage by use of this pump during the extended station blackout is not credited, as discussed in the sensitivity analysis.
1 Final Precursor Analysis Accident Sequence Precursor Program -- Office of Nuclear Regulatory Research Fort Calhoun Nuclear Station Inoperable Diesel Generator for 28 Days Due to Blown Fuse Event Date 10/19/2004 LER 285/04-002; IR 05000285/2005010 CDP1 =
3.8 x 10-6 April 13, 2006 Event Summary On October 19, 2004, while reviewing detailed plant computer data related to the operation of Emergency Diesel Generator Number 2 (DG-2)1, it was discovered that DG-2 had become inoperable for approximately 28 days and 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> from July 21, 2004 (8:30 a.m.) through August 18, 2004 (5:25 p.m.) [1, 2]. The plant was at 100% power during this period, and the DG-2 inoperability was due to a failed fuse, 2FU, in the generator excitation circuit, affecting the voltage output. Data obtained from the plant's computer system indicates that the open fuse condition occurred as the operators were performing engine unloading and shutdown during completion of the monthly surveillance test on July 21, 2004.
The open fuse was initially discovered during the performance of the same monthly surveillance test on August 18, 2004. Initially, the open fuse was believed to have failed during the field flash and startup of the diesel generator. Troubleshooting activities performed at that time found no component failures or operating conditions that could explain the reason for the open fuse. The fuse set (i.e., 1FU and 2FU) was subsequently replaced and the surveillance test was successfully re-performed.
Important conditions experienced during the event, i.e., while DG-2 was in failure for about 28 days, include:
C DG-1 was available except for 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> during its monthly surveillance testing.
C The surveillance test on DG-1 following the repair of DG-2 on August 18, 2004 was successful.
C Offsite power was available 100 percent of the time during the 28 day period.
Cause. The root cause of this event was premature aging of fuse 2FU for DG-2. It appears that the failed fuse had experienced accelerated degradation due to past cyclic loading. A lack of formality or rigor in validating computer alarms which occur during the performance of routine evolutions (such as surveillance testing) was the root cause for the delay in recognizing the initial inoperability condition of DG-2.
LER 285/04-002 2 Since this condition did not involve an actual initiating event, the parameter of interest is the measure of the incremental increase between the conditional probability for the period in which the condition existed and the nominal probability for the same period but with the condition nonexistent and plant equipment available. This incremental increase or importance is determined by subtracting the CDP from the CCDP. This measure is used to assess the risk significance of hardware unavailabilities especially for those cases where the nominal CDP is high with respect to the incremental increase of the conditional probability caused by the hardware unavailability.
2 Condition Duration. The failure condition of the 2FU fuse for DG-2 has existed for 28 days and 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> (i.e., 682 hrs), from July 21, 2004 (8:30 a.m.) through August 18, 2004 (5:25 p.m.)
[1, 2].
Recovery Opportunities. Should DG-2 have failed to start upon actual demand due to the 2FU fuse problem, the failed fuse could not have been recovered in time because [2]:
No direct indication existed that Fuse 2FU had failed.
A multimeter should be used to identify that the fuse had failed.
Fuse 2FU was of unique design and replacements were not immediately available to the operators.
Other concurrent or windowed events. No other significant operating events existed at Fort Calhoun while the DG-2 was inoperable according to the LER Search Database.
Analysis Results C
Importance2 The risk significance of DG-2 being unavailable for automatic initiation is determined by subtracting the nominal core damage probability from the conditional core damage probability:
Conditional core damage probability (CCDP) =
4.3 x 10-6 Nominal core damage probability (CDP) =
4.2 x 10-7 Importance (CDP = CCDP - CDP) =
3.8 x 10-6 This is an increase of 3.8 x 10-6 over the nominal CDP for the 28-day period when the diesel generator was not available. The Accident Sequence Precursor Program acceptance threshold is an importance (CDP) of 1.0 x 10-6. The uncertainty distribution for the event importance is given below.
Importance 5%
Mean 95%
Fort Calhoun 1.7E-6 3.8E-6 7.4E-6
LER 285/04-002 3 This top event is always set to True in the original Fort Calhoun SPAR model (Change 3.20) because the RCP seal controlled bleedoff is not isolated on station blackout in Fort Calhoun, according to WCAP-16175-P (Rev. 0, January 2004).
4 This top event is always set to True in the original Fort Calhoun SPAR model (Change 3.20) because only 20 to 50EF of subcooling is supposed to be maintained in Fort Calhoun as per WCAP-16175-P (Rev. 0, January 2004), even though there is significantly less chance of a pop-open challenge to the lowermost seal stage if the plant establishes RCS subcooling greater than 50EF.
3 C
Dominant Sequences The dominant core damage sequence for this event is Loss of Offsite Power (LOOP),
Station Blackout (SBO) Sequence 22-21-02 highlighted in Figures 1 through 3 of Appendix A, which include:
a LOOP initiating event, a successful reactor trip, failure of the emergency power system, operator failure to isolate controlled bleedoff,3 operator failure to maintain reactor coolant subcooling greater than 50EF,4 operator failure to recover offsite power in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, operator failure to recover emergency diesel in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, and operator failure to provide sufficient AFW flow following battery depletion.
This dominant sequence can be characterized as follows:
A loss of offsite power occurs followed by failure of the on-site emergency electric power system (i.e., failure of both diesel generators). Both the offsite power and the diesel generators are not recovered within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> (i.e., the assumed lifetime of the station batteries). The operators successfully perform all the actions (i.e., minimize the DC loads, flood the steam generators up to 94% wide range via feed ring, swap AFW nozzles and locally throttle both of the AFW isolation valves HCV-1107B and HCV-1108B, and isolate condensate storage tanks) required to use the diesel-driven AFW FW-54 pump other than the action to provide sufficient AFW flow in the late stage of the SBO condition without normal lighting and instrumentation available due to depletion of the station batteries. The operator action to provide sufficient AFW flow following battery depletion (i.e., AFW-XHE-DRYOUT) has a high failure probability of 0.1 because of high stress, poor procedure, and poor ergonomics available in that situation (refer to Appendix B).
The most dominant minimal cutset (MCS) for this sequence is the following:
IE-LOOP 3.590E-002 LOSS OF OFFSITE POWER AFW-XHE-DRYOUT 1.000E-001 OPERATOR FAILS TO PROVIDE SUFFICIENT AFW FLOW FOLLOWING BATTERY DEPLETION EPS-DGN-CF-START 2.090E-002 COMMON CAUSE FAILURE OF DIESEL GENERATORS TO START
EPS-XHE-XL-NR04H1 1.000E+000 OPERATOR FAILS TO RECOVER EMERGENCY DIESEL IN 4 HOURS OEP-XHE-XL-NR04H 1.566E-001 OPERATOR FAILS TO RECOVER OFFSITE POWER IN 4 HOURS The conditional core damage frequency (CCDF) for this specific MCS is 1.2 x 10-5 per year, and the corresponding importance (i.e., CDP) accounting for the condition duration (i.e., 682 hours0.00789 days <br />0.189 hours <br />0.00113 weeks <br />2.59501e-4 months <br />) is 9.3 x 10-7. Note that only one operator action is modeled for the COB and RSUB top events in Figure 2; namely, Operator fails to isolate RCP seal controlled bleedoff (RCS-XHE-XM-CBOFF), and Operator fails to maintain RCS subcooling greater than 50EF (RCS-XHE-XM-SUBCOOL), respectively; and they do not show up in the above minimal cutset, because these basic events are always set to True in the Fort Calhoun SPAR model.
C Results Tables The conditional probabilities for the dominant sequences are shown in Table 1.
The event tree sequence logic for the dominant sequences is presented in Table 2a.
Table 2b defines the nomenclature used in Table 2a.
The most important cut sets for the dominant sequences are listed in Table 3.
Definitions and probabilities for modified or dominant basic events are provided in Table 4.
Modeling Assumptions C
Analysis Type The Revision-3-Plus (Change 3.20) of the Fort Calhoun Standardized Plant Analysis Risk (SPAR) model [3] created in September 2005 for only internal events was used for this assessment. This event was modeled as an at-power condition assessment with DG-2 unavailable for 682 hours0.00789 days <br />0.189 hours <br />0.00113 weeks <br />2.59501e-4 months <br />.
In addition, credit was taken in this analysis for the potential use of the diesel-driven auxiliary feedwater (AFW) pump FW-54 in the event of a station blackout following depletion of the station batteries. The original SPAR model does not take credit for the AFW FW-54 pump under such circumstances, and therefore, has been modified so that the modified model can be used as a new base model for this event analysis.
C Unique Design Features Diesel-driven auxiliary feedwater pump FW-54. In addition to the two safety class AFW pumps (i.e., motor-driven FW-6, and turbine-driven FW-10), one non-safety class AFW pump (i.e., diesel-driven FW-54) is provided in Fort Calhoun. The FW-54 pump is driven by a diesel engine which is capable of starting and running without reliance on
LER 285/04-002 5 Concerning pump cooling, Section 9.4 of the Updated Safety Analysis Report (USAR) for Fort Calhoun [5] indicates that: The engine driven pump does not rely on any outside services for its operation. Batteries provide engine starting and DC control power. The pumped fluid cools the engine and an engine mounted auxiliary generator can provide AC power requirements.
Hence, all the heat generated by the AFW FW-54 pump is rejected by its own engine driven ventilation system and does not rely on an additional HVAC-type support system to effect its operation.
6 The potential for a CCF of both diesel generators to start was modeled by making the following changes to the SPAR model: 1) set EPS-DGN-FS-1B, EPS-DGN-FR-1B and EPS-DGN-TM-1B to 1, 0 and 0, respectively; 2) set EPS-DGN-CF-RUN to 0; and 3) manually change EPS-DGN-CF-START to the 2 value (i.e., 2.09E-2). The values of 1 and 0 in lieu of True and False were used with a manual change of the CCF probability, because the recovery rules in the Fort Calhoun SPAR model include some of these basic events, and as a result, the recovery rules will not be properly applied if they are set to True and False.
5 external mechanical or electrical support systems [5].5 The pump is supplied with fuel from Diesel Fuel Oil Storage System Tank FO-10. Tank FO-10 has a minimum volume of 10,000 gallons of diesel fuel as required by Technical Specification 2.7. Eight thousand gallons of the tank's inventory are readily available for use by the FW-54 pump. Therefore, this pump could run for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> without fuel addition. In addition, the NRC noted that the condensate storage tank (CST) would provide about 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> of water based on licensee calculated steam generator steaming rates [2].
C Modeling Assumptions Summary Key modeling assumptions. The key modeling assumptions are listed below. These assumptions are important contributors to the overall risk.
Use of the AFW FW-54 pump during an extended station blackout. In the case of an extended station blackout (i.e., following depletion of the station batteries given no offsite and onsite AC power available), core damage is typically assumed in PRA models because secondary cooling from the turbine-driven AFW pump cannot be properly maintained (e.g., due to loss of normal instrumentation, loss of pump control, etc.). Hence, in the original Fort Calhoun SPAR model, core damage is also assumed if neither offsite power nor onsite power can be recovered before the battery depletion (i.e., within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> of the battery lifetime in the case of Fort Calhoun). However, Fort Calhoun is equipped with a quite unique diesel-driven AFW FW-54 pump as described above. It was assumed that the AFW FW-54 pump could be used to cope with the extended station blackout condition after depletion of the station batteries, provided that a series of required operator actions succeed.
Common cause failure of diesel generators. It was assumed in this analysis for the baseline operating condition that both diesel generators might fail to start due to the similar fuse problem (i.e., a common-cause failure to start), because a single successful start of another diesel generator (i.e., DG-1) on August 18, 2004 following repair of the failed fuse on DG-2 does not guarantee that DG-1 would have definitely started if demanded while DG-2 was unavailable. In addition, it was also assumed that the failed fuse would not affect the running mode of the diesel generators because the fuse is used for the generator excitation circuit [1,2].6
Time to battery depletion and time to steam generator dryout during station blackout. These timing aspects, which had been originally assessed during the final Significant Determination Process [2] through the analysis of generic steam generator data and the plant Final Safety Analysis Report [5],
were adopted in this analysis. Accordingly, the following assumptions were made herein:
a)
The station batteries will be depleted in about 8 or 2.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> if the operators succeed or fail to minimize the DC loads within 15 minutes, respectively, and therefore, either 8 or 2.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> are available for the operators to flood the steam generators (i.e., SG-XHE-FLOOD1 or SG-XHE-FLOOD2) depending on the specific circumstances; b)
In the case where the operators succeed to minimize the DC loads, the steam generators (SGs) will boil down in ~5 or 2.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> depending on their success or failure to flood the SGs before battery depletion, respectively; and c)
If the operators fail to minimize the DC loads, the SGs will boil down in approximately 4 or 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> depending on their success or failure to flood the SGs prior to battery depletion, respectively.
Human actions to use AFW FW-54 pump during a station blackout. Various human actions required to operate the AFW FW-54 pump to prevent core damage during an SBO are modeled in the SBO-3 event tree which has been constructed for this event analysis. The human error probabilities (HEPs) for these actions were evaluated using the time estimates as discussed earlier (see Appendix B for details).
Other assumptions. Another assumption that has a negligible impact on the results due to relatively low importance is as follows:
Simultaneous unavailability of diesel generators. DG-1 was unavailable for 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> due to the monthly surveillance testing while DG-2 was in failure.
However, simultaneous unavailability of diesel generators during this short time interval was not considered in this analysis because of the test override capability of the diesel generator upon under-voltage condition.
C Modifications to event tree and fault tree models Station blackout event tree. The station blackout event tree (a subtree of the LOOP event tree) was modified to take credit for the diesel-driven AFW pump, FW-54, in the case of a SBO with station batteries depleted. Event sequences 3, 9, 15, and 21 in the original SBO event tree lead to core damage due to failure to recover AC power prior to battery depletion. The core-damage end states for these specific sequences were changed such that they transfer to the SBO-3 event tree. This SBO-3 subtree was
LER 285/04-002 7 Note that the AFW FW-54 pump is modeled twice: (1) as part of the AFW top event in the SBO event tree (Figure 2),
and (2) separately under the AFW-FW54 top event in the SBO-3 event tree (Figure 3). The modeling for the first top event was maintained without any change in this ASP analysis because the subsequent modeling in the SBO event tree is developed with consideration of all the three AFW pumps in the original Fort Calhoun SPAR model. The AFW FW-54 pump is modeled separately in terms of a new top event, AFW-FW54, in the SBO-3 event tree developed in this analysis, because if the AFW FW-54 pump itself is inoperable (e.g., fails to start or run during the mission time, or is unavailable for operation for test/maintenance), then core damage is inevitable. The various human actions to prevent core damage during the extended station blackout are modeled only for the case where this pump itself is functional. Even though the AFW FW-54 pump is double modeled, correct minimal cutsets are obtained through the Boolean algebra.
7 developed in this analysis to model the AFW FW-54 pump separately, along with the various operator actions required to use the pump during the SBO condition following battery depletion.7 The modified SBO event tree and the SBO-3 subtree are shown in Figures 2 and 3, respectively.
SBO-3 event tree linkage rules. The following linkage rules were added to the SBO-3 event tree so that an appropriate fault tree is used to quantify the human error event for a specific event sequence:
if /AFW-FW54*/DC-LOAD then
/SG-FLOOD = SG-FLOOD1; SG-FLOOD = SG-FLOOD1; endif if /AFW-FW54*DC-LOAD then
/SG-FLOOD = SG-FLOOD2; SG-FLOOD = SG-FLOOD2; endif if /AFW-FW54*/DC-LOAD*/SG-FLOOD then
/NOZZLE = NOZZLE1; NOZZLE = NOZZLE1; endif if /AFW-FW54*/DC-LOAD*SG-FLOOD then
/NOZZLE = NOZZLE1; NOZZLE = NOZZLE1; endif if /AFW-FW54*DC-LOAD*/SG-FLOOD then
/NOZZLE = NOZZLE2; NOZZLE = NOZZLE2; endif if /AFW-FW54*DC-LOAD*SG-FLOOD then
/NOZZLE = NOZZLE2; NOZZLE = NOZZLE2; endif
Fault trees for operator actions. The SBO-3 event tree includes several top events for the various operator actions required to be performed prior to battery depletion in the event of an SBO for prevention of a core damage. The fault trees for these top events (i.e., DC-LOAD, SG-FLOOD1, SG-FLOOD2, NOZZLE1, NOZZLE2 and CST-ISOL),
developed to credit the AFW FW-54 pump during an SBO following battery depletion, are shown in Figures 4 to 9.
C Modifications to recovery rules The following recovery rules were added to the original recovery rules of the Fort Calhoun SPAR model because if DG-1 also failed to start upon demand due to the same fuse problem (i.e., a common-cause failure of diesel generators to start as represented by EPS-DGN-CF-START in the SPAR model), then the DG-1 failure also could not have been recovered because of the reasons discussed earlier [2]:
if EPS-DGN-CF-START
- EPS-XHE-XL-NR01H then DeleteEvent = EPS-XHE-XL-NR01H; AddEvent = EPS-XHE-XL-NR01H1; elsif EPS-DGN-CF-START
- EPS-XHE-XL-NR04H then DeleteEvent = EPS-XHE-XL-NR04H; AddEvent = EPS-XHE-XL-NR04H1; endif In the above recovery rules, the recovery failure probabilities of the new non-recovery basic events (i.e., EPS-XHE-XL-NR01H1 and EPS-XHE-XL-NR04H1) were set to 1 to reflect the non-recovery potential.
C Other Items of Interest The original SPAR model [3] yields a total CDF of 1.03 x 10-5 per year. On the other hand, the modified base model (i.e., with the SBO event tree extended to take credit for the AFW FW-54 pump following battery depletion) gives a total CDF of 5.83 x 10-6 per year, i.e., approximately 43% of reduction in the total CDF as a result of accounting for the potential use of the AFW FW-54 pump in such a situation. This relatively large reduction in the risk impact results from the fact that an SBO is a dominant scenario (i.e., contributing over 60% to the total CDF) in the original model.
C Sensitivity Analyses Sensitivity analyses were performed to determine the effects of model uncertainties on results based on best estimate assumptions. The following table provides the results of the sensitivity analyses.
Modification Importance Case A: Assume that there was no common-cause failure potential for diesel generators to start for 682 hours0.00789 days <br />0.189 hours <br />0.00113 weeks <br />2.59501e-4 months <br /> 1.9E-6 Case B: Assume a complete dependency of the operator failure to start and align AFW FW-54 pump upon the operator failure to control AFW flow (through AFW MDP FW-6 or TDP FW-10 pump) to steam generators, with existence of the CCF potential for both diesel generators to start 4.7E-6 Case C: Take no credit for the potential use of AFW FW-54 pump in the event of an SBO following battery depletion assuming existence of the CCF potential for both diesel generators to start 2.4E-5 Case A shows that the importance of this event will decrease by a factor of 2 if it is assumed that there was no CCF potential for both diesel generators to start.
Case B shows a relatively small increase (i.e., a factor of 1.2) in the importance even under a conservative assumption that the operators will definitely fail to start and align AFW FW-54 pump given that they could not properly control AFW flow from AFW MDP FW-6 or TDP FW-10 pump. Note that this relatively small impact on the importance results from the fact that the dependency in these AFW-control-relevant human error events has been already taken into account to some extent in the original Fort Calhoun SPAR model by use of the dependent human error event (i.e., AFW-XHE-XM-FW541 with a value of 0.51 as opposed to the nominal human error event of AFW-XHE-XM-FW54 with a value of 0.02).
In Case C, the event was analyzed using the original SPAR model which does not credit the AFW FW-54 pump during an extended SBO condition (i.e.,
following depletion of the station batteries). The CCF potential is assumed also in this case such that both diesel generators might fail to start due to the same fuse problem. This sensitivity analysis indicates that the importance of this event will increase from the base importance value of 3.8 x 10-6 to 2.4 x 10-5.
LER 285/04-002 10 References 1.
LER 285/04-002, Revision 00, Inoperable Diesel Generator for 28 Days Due to Blown Fuse During Shutdown, Event Date: October 19, 2004.
2.
NRC Inspection Report, EA-05-038, Final Significance Determination for a White Finding and Notice of Violation - Fort Calhoun Station - NRC Inspection Report 05000285/2005010, April 15, 2005.
3.
Idaho National Engineering and Environmental Laboratory, Standardized Plant Analysis Risk Model for Fort Calhoun, Revision 3 Plus (Change 3), September 2004.
4.
Idaho National Engineering and Environmental Laboratory, The SPAR-H Human Reliability Analysis Method, INEEL/EXT-02-01307, May 2004.
5.
Fort Calhoun Nuclear Station, Updated Safety Analysis Report (USAR), April 26, 2004.
LER 285/04-002 11 Table 1. Conditional core damage probabilities of dominating sequences.
Event tree name Sequence number Importance1 Percent Contribution LOOP 22-21-02 1.70E-06 44.7 LOOP 22-30 9.40E-07 24.7 LOOP 22-21-17 5.80E-07 15.3 Total (all sequences)2 3.8E-006 100
- 1. Values are point estimates.
- 2. Total importance includes all sequences (including those not shown in this table).
Table 2a. Event tree sequence logic for dominating sequences.
Event tree name Sequence number Logic
(/ denotes success; see Table 2b for top event names)
LOOP 22-21-02
/RPS EPS
/AFW-B
/PORV-B CBO RSUB
/RCPSI04 OPR-04H DGR-04H
/AFW-FW54
/DC-LOAD
/SG-FLOOD1
/NOZZLE1 DRYOUT LOOP 22-30
/RPS EPS AFW-B OPR-01H DGR-01H LOOP 22-21-17
/RPS EPS
/AFW-B
/PORV-B CBO RSUB
/RCPSI04 OPR-04H DGR-04H AFW-FW54 Table 2b. Definitions of top events listed in Table 2a.
Top Event Definition AFW-B AFW UNAVAILABLE DURING SBO AFW-FW54 AUXILIARY FEEDWATER PUMP FW-54 CBO CONTROLLED BLEEDOFF ISOLATED DC-LOAD DC LOADS MINIMIZED DGR-01H OPERATOR FAILS TO RECOVER EMERGENCY DIESEL IN 1 HOUR DGR-04H DIESEL GENERATOR RECOVERY IN 4 HOURS
LER 285/04-002 Top Event Definition 12 DRYOUT PROVIDE SUFFICIENT AFW FLOW EPS EMERGENCY POWER NOZZLE1 AFW NOZZLES SWAPPED & THROTTLED - > 4.5 HRS AVAILABLE OPR-01H OFFSITE POWER RECOVERY IN 1 HOUR OPR-04H OFFSITE POWER RECOVERY IN 4 HRS PORV-B NO PORVs OPEN - SBO RCPSI04 RCP SEALS FROM LOSS OF ALL COOLING RPS REACTOR TRIP RSUB REACTOR COOLANT SUBCOOLING MAINTAINED SG-FLOOD1 STEAM GENERATORS FLOODED TO 94% - 8 HRS AVAILABLE Table 3. Conditional cut sets for the dominant sequences.
Importance Percent Contribution Minimum Cut Sets (of basic events)
Event Tree: LOOP Sequence: 22-21-02 9.3E-007 55.0 EPS-DGN-CF-START OEP-XHE-XL-NR04H AFW-XHE-DRYOUT EPS-XHE-XL-NR04H1 4.4E-007 25.6 EPS-DGN-FS-1B EPS-DGN-FR-1A EPS-XHE-XL-NR04H OEP-XHE-XL-NR04H AFW-XHE-DRYOUT 1.9E-007 11.4 EPS-DGN-FS-1B EPS-DGN-TM-1A EPS-XHE-XL-NR04H OEP-XHE-XL-NR04H AFW-XHE-DRYOUT 1.1E-007 6.4 EPS-DGN-FS-1A EPS-DGN-FS-1B EPS-XHE-XL-NR04H OEP-XHE-XL-NR04H AFW-XHE-DRYOUT 1.7E-006 100 Total (all cutsets)1
LER 285/04-002 13 Importance Percent Contribution Minimum Cut Sets (of basic events)
Event Tree: LOOP Sequence: 22-30 4.0E-007 42.2 EPS-DGN-CF-START AFW-XHE-XO-FLOW OEP-XHE-XL-NR01H AFW-XHE-XM-FW541 EPS-XHE-XL-NR01H1 3.0E-007 32.3 EPS-DGN-FS-1B EPS-DGN-FR-1A AFW-XHE-XO-FLOW EPS-XHE-XL-NR01H OEP-XHE-XL-NR01H AFW-XHE-XM-FW541 1.3E-007 14.1 EPS-DGN-FS-1B EPS-DGN-TM-1A AFW-XHE-XO-FLOW EPS-XHE-XL-NR01H OEP-XHE-XL-NR01H AFW-XHE-XM-FW541 7.3E-008 7.8 EPS-DGN-FS-1A EPS-DGN-FS-1B AFW-XHE-XO-FLOW EPS-XHE-XL-NR01H OEP-XHE-XL-NR01H AFW-XHE-XM-FW541 9.4E-007 100 Total (all cutsets)1 Importance Percent Contribution Minimum Cut Sets (of basic events)
Event Tree: LOOP Sequence: 22-21-17 1.9E-007 32.2 EPS-DGN-CF-START OEP-XHE-XL-NR04H AFW-XHE-XM-FW54 EPS-XHE-XL-NR04H1 8.6E-008 14.8 EPS-DGN-FS-1B EPS-DGN-FR-1A EPS-XHE-XL-NR04H OEP-XHE-XL-NR04H AFW-XHE-XM-FW54 4.6E-008 7.9 EPS-DGN-CF-START AFW-EDP-FS-FW54 OEP-XHE-XL-NR04H EPS-XHE-XL-NR04H1 4.6E-008 7.9 EPS-DGN-CF-START OEP-XHE-XL-NR04H AFW-EDP-TM-FW54 EPS-XHE-XL-NR04H1 3.8E-008 6.6 EPS-DGN-FS-1B EPS-DGN-TM-1A EPS-XHE-XL-NR04H OEP-XHE-XL-NR04H AFW-XHE-XM-FW54 3.6E-008 6.2 EPS-DGN-CF-START AFW-EDP-FR-FW54 OEP-XHE-XL-NR04H EPS-XHE-XL-NR04H1 5.8E-007 100 Total (all cutsets)1
- 1. Total Importance includes all cutsets (including those not shown in this table).
LER 285/04-002 14 Table 4. Definitions and probabilities for modified and dominant basic events.
Event Name Description Probability/
Frequency (per year)
Modified AFW-EDP-FR-FW54 AFW DDP FW-54 FAILS TO RUN 3.95E-03 No AFW-EDP-FS-FW54 AFW DDP FW-54 FAILS TO START 5.00E-03 No AFW-EDP-TM-FW54 AFW FW-54 UNAVAILABLE DUE TO TEST AND MAINTENANCE 5.00E-03 No AFW-XHE-DRYOUT OPERATOR FAILS TO PROVIDE SUFFICIENT AFW FLOW FOLLOWING BATTERY DEPLETION 1.00E-01 N/A AFW-XHE-XM-FW54 OPERATOR FAILS TO START AND ALIGN AFW FW-54 2.00E-02 No AFW-XHE-XM-FW541 OPERATOR FAILS TO START AND ALIGN AFW FW-54 (DEPENDENT) 5.10E-01 No AFW-XHE-XO-FLOW OPERATOR FAILS TO CONTROL AFW FLOW TO SGs GIVEN SBO/LOIA 2.50E-02 No EPS-DGN-CF-START COMMON CAUSE FAILURE OF DIESEL GENERATORS TO START 2.09E-2 Yes EPS-DGN-FR-1A DIESEL GENERATOR A FAILS TO RUN 2.07E-02 No EPS-DGN-FS-1A DIESEL GENERATOR A FAILS TO START 5.00E-03 No EPS-DGN-FS-1B DIESEL GENERATOR B FAILS TO START 1.00E-00 Yes EPS-DGN-TM-1A DIESEL GENERATOR A UNAVAILABLE DUE TO TEST AND MAINTENANCE 9.00E-03 No EPS-XHE-XL-NR01H OPERATOR FAILS TO RECOVER EMERGENCY DIESEL IN 1 HOUR 7.72E-01 No EPS-XHE-XL-NR01H1 OPERATOR FAILS TO RECOVER EMERGENCY DIESEL IN 1 HOUR 1.00E-00 N/A EPS-XHE-XL-NR04H OPERATOR FAILS TO RECOVER EMERGENCY DIESEL IN 4 HOURS 4.80E-01 No EPS-XHE-XL-NR04H1 OPERATOR FAILS TO RECOVER EMERGENCY DIESEL IN 4 HOURS 1.00E-00 N/A OEP-XHE-XL-NR01H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 HOUR 5.30E-01 No OEP-XHE-XL-NR04H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 4 HOURS 1.57E-01 No
LER 285/04-002 15 Appendix A Event Tree and Fault Tree Figures
LER 285/04-002 16 CS R CO NT AINME NT CO OLIN G H P R S UMP R E CIR C SD C SH UTD O W N COO LIN G S S C S E COND A RY S IDE C O OL DOW N O PR-06 H O FF SITE P OW E R RE COV E R Y IN 6 HR S OP R -02H OF FS IT E PO W ER R E C OV E RY IN 2 H RS O T C O N CE T H RO U GH CO OL ING H P I H IG H P RES S U RE INJE CT IO N LOS C RC P S E AL COO LING MA INT A INE D P O R V P O R Vs A RE C L OS ED A FW A U XILIA RY FE E DW A TE R EP S EM E RGE NC Y PO W E R RP S RE A C T OR T R IP IE -LO OP LO SS OF OF FS ITE P OW E R E N D-ST A T E 1
OK 2
T LO OP -1 3
OK 4
OK 5
CD 6
CD 7
OK 8
CD 9
CD 1 0 OK 1 1 CD 1 2 CD 1 3 CD 1 4 OK 1 5 OK 1 6 CD 1 7 CD 1 8 OK 1 9 CD 2 0 CD 2 1 CD 2 2 T
S BO 2 3 T
A TW S HP I-L H P R-L C SR -L H P R-L C SR -L O T C-L A FW -L P O R V-L LOS C -L L OO P - Fort Ca lhoun P W R G lo ss of offsite po wer 2005/11/0 2 Figure 1. Event Tree for Loss of Offsite Power
LER 285/04-002 17 DGR-04H DIESEL GENERATOR RECOVERY IN 4 HOURS OPR-04H OFFSITE POWER RECOVERY IN 4 HRS RCPSI RCP SEAL INTEGRITY MAINTAINED RSUB REACTOR COOLANT SUBCOOLING MAINTAINED CBO CONTROLLED BLEEDOFF ISOLATED PORV PORVs ARE CLOSED AFW AUXILIARY FEEDWATER SYSTEM EPS EMERGENCY POWER END-STATE 1
OK 2
OK 3
T SBO-3 4
T SBO-1 5
OK 6
CD 7
OK 8
OK 9
T SBO-3 10 T
SBO-1 11 OK 12 CD 13 OK 14 OK 15 T
SBO-3 16 T
SBO-1 17 OK 18 CD 19 OK 20 OK 21 T
SBO-3 22 T
SBO-1 23 OK 24 CD 25 T
SBO-1 26 OK 27 CD 28 T
SBO-2 29 OK 30 CD RCPSI01 RCPSI02 RCPSI03 RCPSI04 OPR-01H OPR-01H OPR-01H OPR-01H OPR-01H OPR-01H DGR-01H DGR-01H DGR-01H DGR-01H AFW-B PORV-B DGR-01H DGR-01H SBO - Fort Calhoun PW R G station blackout - Transfer to SBO-3 (ASP) 2006/02/14 Figure 2. Event Tree for Station Blackout (SBO)
LER 285/04-002 18 DRYOUT PROVIDE SUFFICIENT AFW FLOW CST-ISOL CONDENSATE STORAGE TANK ISOLATED NOZZLE SWAP AFW NOZZLES &
THROTTLE SG-FLOOD STEAM GENERATORS FLOODED DC-LOAD DC LOADS MINIMIZED AFW-FW 54 AUXILIARY FEEDW ATER PUMP FW -54 AFW-REC-SB AFWP FW-54 RECOVERY WITH NO DC END-STATE-NAMES 1
OK 2
CD 3
CD 4
CD 5
OK 6
CD 7
CD 8
CD 9
OK 10 CD 11 CD 12 CD 13 OK 14 CD 15 CD 16 CD 17 CD SG-FLOOD1 SG-FLOOD2 NOZZLE1 NOZZLE1 NOZZLE2 NOZZLE2 SBO To take credit f or AFW FW54 pum p follo wing bettery depletion during SBO 2006/02/14 Figure 3. Event Tree for Station Blackout (SBO-3)
LER 285/04-002 19 DC-LOAD 2.000E-2 DC-XHE-LOAD DC LOADS MINIMIZED OP FAILS TO MINIMIZE DC LOADS DC-LOAD - DC LOADS MINIMIZED 2005/11/02 Page 2 Figure 4. Fault Tree for DC Loads Minimized
LER 285/04-002 20 SG-FLOOD1 1.000E-4 SG-XHE-FLOOD1 STEAM GENERATORS FLOODED TO 94% -
8 HRS AVAILABLE OP FAILS TO FLOOD STEAM GENERATORS
- 8 HRS AVAILABLE SG-FLOOD1 - ST EAM GENERATORS FLOODED TO 94% - 8 HRS AVAILABLE 2005/07/20 Page 60 Figure 5. Fault Tree for Steam Generators Flooded to 94% - 8 Hours Available
LER 285/04-002 21 SG-FLOOD2 1.000E-3 SG-XHE-FLOOD2 STEAM GENERATORS FLOODED TO 94% -
2.6 HRS AVAILABLE OP FAILS TO FLOOD STEAM GENERATORS
- 2.6 HRS AVAILABLE SG-FLOOD2 - ST EAM GENERATORS FLOODED TO 94% - 2.6 HRS AVAILABLE 2005/07/20 Page 62 Figure 6. Fault Tree for Steam Generators Flooded to 94% - 2.6 Hours Available
LER 285/04-002 22 NOZZLE1 1.200E-2 AFW-XHE-SWAP1 AFW NOZZLES SWAPPED
& THROTTLED -
> 4.5 HRS AVAILABLE OP FAILS TO SWAP AFW NOZZLES &
THROTTLE (> 4.5 HRS)
NOZZLE1 - AFW NOZZLES SWAPPED & THROTTLED - > 4.5 HRS AVAILABLE 2005/07/20 Page 28 Figure 7. Fault Tree for AFW Nozzles Swapped and Throttled - > 4.5 Hours Available
LER 285/04-002 23 NOZZLE2 2.400E-2 AFW-XHE-SWAP2 AFW NOZZLES SWAPPED
& THROTTLED -
< 3 HRS AVAILABLE OP FAILS TO SWAP AFW NOZZLES &
THROTTLE (< 3 HRS)
NOZZLE2 - AFW NOZZLES SWAPPED & THROTTL ED - < 3 HRS AVAILABLE 2005/07/20 Pag e 59 Figure 8. Fault Tree for AFW Nozzles Swapped and Throttled - < 3 Hours Available
LER 285/04-002 24 CST-ISOL 2.000E-3 CST-XHE-ISOL OP FAILS TO ISOLATE CONDENSATE STORAGE TANK CONDENSATE STORAGE TANK ISOLATED CST-ISOL - CONDENSATE STORAGE TANK ISOLATED 2005/07/20 Pag e 1 Figure 9. Fault Tree for Condensate Storage Tank Isolated
LER 285/04-002 25 DRYOUT 1.000E-1 AFW-XHE-DRYOUT OPERATOR FAILS TO PROVIDE SUFFICIENT AFW FLOW OP FAILS TO PROVIDE SUFFICIENT AFW FLOW FOLLOWING BATTERY DEPLETION DRYOUT - PROVIDE SUFFICIENT AFW FLOW 2006/02/09 Pag e 86 Figure 10. Fault Tree for Steam Generator Dryout
LER 285/04-002 26 Appendix B Human Performance Modeling
LER 285/04-002 1 NRC Inspection Report, EA-05-038, Final Significance Determination for a White Finding and Notice of Violation - Fort Calhoun Station - NRC Inspection Report 05000285/2005010, April 15, 2005.
27 Fort Calhoun is equipped with a diesel-driven AFW FW-54 pump that does not rely on vital AC or DC power, as mentioned earlier. Various human actions are needed in order to recover auxiliary feedwater using this AFW pump during a station blackout (SBO) following battery depletion.
A detailed analysis for these human actions was conducted as part of the Significance Determination Process (SDP)1 to take proper credit for the use of the AFW FW-54 pump during such an SBO condition. The human actions modeled in the SDP include:
C Minimize DC loads to extend the station battery lifetime during the SBO.
C Flood steam generators to 94% wide-range level prior to battery depletion using either the AFW FW-54 pump or the turbine-driven AFW pump.
C Swap AFW nozzles and manually throttle AFW discharge valves (i.e.,
HCV-1107B and HCV-1108) prior to battery depletion.
C Provide sufficient flow to steam generators following battery depletion.
C Isolate condensate storage tank prior to loss of pressure in the associated nitrogen bottle.
In addition, reactor coolant pump (RCP) seal failure was considered along with these human actions in the SDP. However, it is not included in the extended SBO event tree (i.e., SBO-3) developed in this ASP analysis, because the RCP seal failure is already included in the original SBO event tree for Fort Calhoun in terms of the RCPSI top event representing RCP seal integrity maintained. The mission time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> was conservatively used in the original SPAR model in quantifying the RCPSI top event probability, and therefore, the potential seal failure during 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is already accounted for by the top event in the SBO event tree.
The human actions described above are regarded as independent from each other. However, the performance of these actions strongly depends on the time available which varies depending on whether the previous action(s) succeeded or not. A detailed time analysis was conducted during the SDP analysis by use of generic steam generator data and plant-specific information from the final safety analysis report (FSAR) and emergency operating procedures (EOPs) for Fort Calhoun. The human error probabilities (HEPs) for the actions were evaluated using the time estimates that were found during the SDP analysis, because they were judged appropriate according to an interview with an ex-SRO in this analysis.
A summary of the human performance evaluation is provided in Table B.1 with the quantified human error probabilities (HEPs) shown in the last column. More details can be found in the SPAR-H worksheets.
LER 285/04-002 28 Table B.1 Summary of human performance evaluation Time Stress Compl-exity Exper-ience Proce-dure Ergono-mics Fitness Work Process DC-XHE-LOAD Operator fails to minimize DC loads within 15 min 10 2
1 1
1 1
1 1
2.0E-02 SG-XHE-FLOOD1 Operator fails to flood SGs -
8 hrs available 0.1 2
1 0.5 1
1 1
1 1.0E-04 SG-XHE-FLOOD2 Operator fails to flood SGs -
2.6 hrs available 1
2 1
0.5 1
1 1
1 1.0E-03 AFW-XHE-SWAP1 Operator fails to swap AFW nozzles and throttle (> 4.5 hrs available) 1 2
1 3
2 1
1 1
1.2E-02 AFW-XHE-SWAP2 Operator fails to swap AFW nozzles and throttle (< 3 hrs available) 1 2
2 3
2 1
1 1
2.4E-02 CST-XHE-ISOL Condensate storage tank isolated within 4 hrs 1
2 1
1 1
1 1
1 2.0E-03 AFW-XHE-DRYOUT Operator fails to provide sufficient flow 1
2 1
1 5
10 1
1 1.0E-01 Performance Shaping Factors (PSFs)
HEP HUMAN ERROR EVENT Description
LER 285/04-002 29 Reviewer: CM HRA Worksheets for At-Power SPAR HUMAN ERROR WORKSHEET Plant: Ft. Calhoun Initiating Event: Basic Event: DC-XHE-LOAD Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to minimize DC loads Does this task contain a significant amount of diagnosis activity? YES ~ (start with Part I -
Diagnosis) NO T (skip Part I - Diagnosis; start with Part II - Action) Why? EOP-00 has a step and multiple notes reminding the operators to take the action when necessary PART II. EVALUATE EACH PSF FOR ACTION A. Evaluate PSFs for the Action Portion of the Task, if any.
PSFs PSF Levels Multiplier for Diagnosis Please note specific reasons for PSF level selection in this column.
Available Time Inadequate time P(failure) = 1.0
~
Only about 15 minutes are available to minimize the DC loads.
Time available is. the time required 10 T
Nominal time 1
~
Time available > 5x the time required 0.1
~
Time available is > 50x the time required 0.01
~
Insufficient information 1
~
Stress/
Stressors Extreme 5
~
The SBO events are assumed to generate high stress.
High 2
T Nominal 1
~
Insufficient information 1
~
Complexity Highly complex 5
~
Moderately complex 2
~
Nominal 1
T Insufficient information 1
~
Experience/
Training Low 3
~
Nominal 1
T
LER 285/04-002 PSFs PSF Levels Multiplier for Diagnosis Please note specific reasons for PSF level selection in this column.
30 Reviewer: CM High 0.5
~
Insufficient information 1
~
Procedures Not available 50
~
Incomplete 20
~
Available, but poor 5
~
Nominal 1
T Insufficient information 1
~
Ergonomics/
HMI Missing/Misleading 50
~
Poor 10
~
Nominal 1
T Good 0.5
~
Insufficient information 1
~
Fitness for Duty Unfit P(failure) = 1.0
~
Degraded Fitness 5
~
Nominal 1
T Insufficient information 1
~
Work Processes Poor 5
~
Nominal 1
T Good 0.5
~
Insufficient information 1
~
B. Calculate the Action Failure Probability.
(1) If all PSF ratings are nominal, then the Action Failure Probability = 1.0E-3 (2) Otherwise, the Action Failure Probability is: 1.0E-3 x Time x Stress or Stressors x Complexity x Experience or Training x Procedures x Ergonomics or HMI x Fitness for Duty x Processes Action: 1.0E-3 x 10 x 2.0 x 1.0 x 1.0 x 1.0 x 1.0 x 1.0 x 1.0 =
2.0E-2
LER 285/04-002 31 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: DC-XHE-LOAD Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to minimize DC loads C. Calculate the Adjustment Factor IF Negative Multiple (> 3) PSFs are Present.
When 3 or more negative PSF influences are present, in lieu of the equation above, you must compute a composite PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater than 1 is selected. The Nominal HEP (NHEP) is 1.0E-3 for Action. The composite PSF score is computed by multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:
Action HEP with Adjustment Factor =
D. Record Final Action HEP.
If no adjustment factor was applied, record the value from Part B as your final action HEP. If an adjustment factor was applied, record the value from Part C.
Final Action HEP =
HEP NHEP PSF NHEP PSF composite composite
=
+
.(
)1 1
2.0E-2
LER 285/04-002 32 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: DC-XHE-LOAD Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to minimize DC loads PART III. CALCULATE TASK FAILURE PROBABILITY WITHOUT FORMAL DEPENDENCE (PW/OD)
Calculate the Task Failure Probability Without Formal Dependence (Pw/od) by adding the Diagnosis Failure Probability from Part I and the Action Failure Probability from Part II. In instances where an action is required without a diagnosis and there is no dependency, then this step is omitted.
Pw/od = Diagnosis HEP 0 + Action HEP 2.0E-2 =
Part IV. DEPENDENCY For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence (Pw/d).
If there is a reason why failure on previous tasks should not be considered, such as it is impossible to take the current action unless the previous action has been properly performed, explain here:
2.0E-2
LER 285/04-002 33 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: DC-XHE-LOAD Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to minimize DC loads Condition Number Crew (same or different)
Time (close in time or not close in time)
Location (same or different)
Cues (additional or no additional)
Dependency Number of Human Action Failures Rule
~ - Not Applicable.
Why?
1 s
c s
na complete When considering recovery in a series e.g., 2nd, 3rd, or 4th checker If this error is the 3rd error in the sequence, then the dependency is at lease moderate.
If this error is the 4th error in the sequence, then the dependency is at least high.
2 a
complete 3
d na high 4
a high 5
nc s
na high 6
a moderate 7
d na moderate 8
a low 9
d c
s na moderate 10 a
moderate 11 d
na moderate 12 a
moderate 13 nc s
na low 14 a
low 15 d
na low 16 a
low 17T zero Using Pw/od = Probability of Task Failure Without Formal Dependence (calculated in Part III):
For Complete Dependence the probability failure is 1.
For High Dependence the probability of failure is (1+ Pw/od/2)
For Moderate Dependence the probability of failure is (1+6 x Pw/od)/7 For Low Dependence the probability of failure is (1+19 x Pw/od)/20 T
For Zero Dependence the probability of failure is Pw/od Calculate Pw/d using the appropriate values:
Pw/d = (1 + ( * ))/ =
2.0E-2
LER 285/04-002 34 Reviewer: CM HRA Worksheets for At-Power SPAR HUMAN ERROR WORKSHEET Plant: Ft. Calhoun Initiating Event: Basic Event: SG-XHE-FLOOD1 Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to flood steam generators - 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> available Does this task contain a significant amount of diagnosis activity? YES ~ (start with Part I -
Diagnosis) NO T (skip Part I - Diagnosis; start with Part II - Action) Why? A review of EOPs conducted as part of the SDP analysis and an interview with an ex-SRO during this ASP analysis indicates an obvious diagnosis PART II. EVALUATE EACH PSF FOR ACTION A. Evaluate PSFs for the Action Portion of the Task, if any.
PSFs PSF Levels Multiplier for Diagnosis Please note specific reasons for PSF level selection in this column.
Available Time Inadequate time P(failure) = 1.0
~
Considerable time is available to flood SGs to 94%, but less than 50 times more than the required time.
Time available is. the time required 10
~
Nominal time 1
~
Time available > 5x the time required 0.1 T
Time available is > 50x the time required 0.01
~
Insufficient information 1
~
Stress/
Stressors Extreme 5
~
The SBO events are assumed to generate high stress.
High 2
T Nominal 1
~
Insufficient information 1
~
Complexity Highly complex 5
~
Moderately complex 2
~
Nominal 1
T Insufficient information 1
~
Experience/
Training Low 3
~
SG filling procedures are highly trained upon.
LER 285/04-002 PSFs PSF Levels Multiplier for Diagnosis Please note specific reasons for PSF level selection in this column.
35 Reviewer: CM Nominal 1
~
High 0.5 T
Insufficient information 1
~
Procedures Not available 50
~
Incomplete 20
~
Available, but poor 5
~
Nominal 1
T Insufficient information 1
~
Ergonomics/
HMI Missing/Misleading 50
~
Poor 10
~
Nominal 1
T Good 0.5
~
Insufficient information 1
~
Fitness for Duty Unfit P(failure) = 1.0
~
Degraded Fitness 5
~
Nominal 1
T Insufficient information 1
~
Work Processes Poor 5
~
Nominal 1
T Good 0.5
~
Insufficient information 1
~
LER 285/04-002 36 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: SG-XHE-FLOOD1 Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to flood steam generators - 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> available B. Calculate the Action Failure Probability.
(1) If all PSF ratings are nominal, then the Action Failure Probability = 1.0E-3 (2) Otherwise, the Action Failure Probability is: 1.0E-3 x Time x Stress or Stressors x Complexity x Experience or Training x Procedures x Ergonomics or HMI x Fitness for Duty x Processes Action: 1.0E-3 x 0.1 x 2.0 x 1.0 x 0.5 x 1.0 x 1.0 x 1.0 x 1.0 =
C. Calculate the Adjustment Factor IF Negative Multiple (> 3) PSFs are Present.
When 3 or more negative PSF influences are present, in lieu of the equation above, you must compute a composite PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater than 1 is selected. The Nominal HEP (NHEP) is 1.0E-3 for Action. The composite PSF score is computed by multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:
Action HEP with Adjustment Factor =
D. Record Final Action HEP.
If no adjustment factor was applied, record the value from Part B as your final action HEP. If an adjustment factor was applied, record the value from Part C.
Final Action HEP =
1.0E-4 HEP NHEP PSF NHEP PSF composite composite
=
+
.(
)1 1
1.0E-4
LER 285/04-002 37 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: SG-XHE-FLOOD1 Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to flood steam generators - 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> available PART III. CALCULATE TASK FAILURE PROBABILITY WITHOUT FORMAL DEPENDENCE (PW/OD)
Calculate the Task Failure Probability Without Formal Dependence (Pw/od) by adding the Diagnosis Failure Probability from Part I and the Action Failure Probability from Part II. In instances where an action is required without a diagnosis and there is no dependency, then this step is omitted.
Pw/od = Diagnosis HEP 0 + Action HEP 1.0E-4 =
Part IV. DEPENDENCY For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence (Pw/d).
If there is a reason why failure on previous tasks should not be considered, such as it is impossible to take the current action unless the previous action has been properly performed, explain here:
1.0E-4
LER 285/04-002 38 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: SG-XHE-FLOOD1 Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to flood steam generators - 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> available Condition Number Crew (same or different)
Time (close in time or not close in time)
Location (same or different)
Cues (additional or no additional)
Dependency Number of Human Action Failures Rule
~ - Not Applicable.
Why?
1 s
c s
na complete When considering recovery in a series e.g., 2nd, 3rd, or 4th checker If this error is the 3rd error in the sequence, then the dependency is at lease moderate.
If this error is the 4th error in the sequence, then the dependency is at least high.
2 a
complete 3
d na high 4
a high 5
nc s
na high 6
a moderate 7
d na moderate 8
a low 9
d c
s na moderate 10 a
moderate 11 d
na moderate 12 a
moderate 13 nc s
na low 14 a
low 15 d
na low 16 a
low 17T zero Using Pw/od = Probability of Task Failure Without Formal Dependence (calculated in Part III):
For Complete Dependence the probability failure is 1.
For High Dependence the probability of failure is (1+ Pw/od/2)
For Moderate Dependence the probability of failure is (1+6 x Pw/od)/7 For Low Dependence the probability of failure is (1+19 x Pw/od)/20 T
For Zero Dependence the probability of failure is Pw/od Calculate Pw/d using the appropriate values:
Pw/d = (1 + ( * ))/ =
1.0E-4
LER 285/04-002 39 Reviewer: CM HRA Worksheets for At-Power SPAR HUMAN ERROR WORKSHEET Plant: Ft. Calhoun Initiating Event: Basic Event: SG-XHE-FLOOD2 Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to flood steam generators - 2.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> available Does this task contain a significant amount of diagnosis activity? YES ~ (start with Part I -
Diagnosis) NO T (skip Part I - Diagnosis; start with Part II - Action) Why? A review of EOPs conducted as part of the SDP analysis and an interview with an ex-SRO during this ASP analysis indicates an obvious diagnosis PART II. EVALUATE EACH PSF FOR ACTION A. Evaluate PSFs for the Action Portion of the Task, if any.
PSFs PSF Levels Multiplier for Diagnosis Please note specific reasons for PSF level selection in this column.
Available Time Inadequate time P(failure) = 1.0
~
Time available is. the time required 10
~
Nominal time 1
T Time available > 5x the time required 0.1
~
Time available is > 50x the time required 0.01
~
Insufficient information 1
~
Stress/
Stressors Extreme 5
~
The SBO events are assumed to generate high stress.
High 2
T Nominal 1
~
Insufficient information 1
~
Complexity Highly complex 5
~
Moderately complex 2
~
Nominal 1
T Insufficient information 1
~
Experience/
Training Low 3
~
SG filling procedures are highly trained upon.
LER 285/04-002 PSFs PSF Levels Multiplier for Diagnosis Please note specific reasons for PSF level selection in this column.
40 Reviewer: CM Nominal 1
~
High 0.5 T
Insufficient information 1
~
Procedures Not available 50
~
Incomplete 20
~
Available, but poor 5
~
Nominal 1
T Insufficient information 1
~
Ergonomics/
HMI Missing/Misleading 50
~
Poor 10
~
Nominal 1
T Good 0.5
~
Insufficient information 1
~
Fitness for Duty Unfit P(failure) = 1.0
~
Degraded Fitness 5
~
Nominal 1
T Insufficient information 1
~
Work Processes Poor 5
~
Nominal 1
T Good 0.5
~
Insufficient information 1
~
LER 285/04-002 41 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: SG-XHE-FLOOD2 Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to flood steam generators - 2.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> available B. Calculate the Action Failure Probability.
(1) If all PSF ratings are nominal, then the Action Failure Probability = 1.0E-3 (2) Otherwise, the Action Failure Probability is: 1.0E-3 x Time x Stress or Stressors x Complexity x Experience or Training x Procedures x Ergonomics or HMI x Fitness for Duty x Processes Action: 1.0E-3 x 1.0 x 2.0 x 1.0 x 0.5 x 1.0 x 1.0 x 1.0 x 1.0 =
C. Calculate the Adjustment Factor IF Negative Multiple (> 3) PSFs are Present.
When 3 or more negative PSF influences are present, in lieu of the equation above, you must compute a composite PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater than 1 is selected. The Nominal HEP (NHEP) is 1.0E-3 for Action. The composite PSF score is computed by multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:
Action HEP with Adjustment Factor =
D. Record Final Action HEP.
If no adjustment factor was applied, record the value from Part B as your final action HEP. If an adjustment factor was applied, record the value from Part C.
Final Action HEP =
1.0E-3 HEP NHEP PSF NHEP PSF composite composite
=
+
.(
)1 1
1.0E-3
LER 285/04-002 42 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: SG-XHE-FLOOD2 Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to flood steam generators - 2.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> available PART III. CALCULATE TASK FAILURE PROBABILITY WITHOUT FORMAL DEPENDENCE (PW/OD)
Calculate the Task Failure Probability Without Formal Dependence (Pw/od) by adding the Diagnosis Failure Probability from Part I and the Action Failure Probability from Part II. In instances where an action is required without a diagnosis and there is no dependency, then this step is omitted.
Pw/od = Diagnosis HEP 0 + Action HEP 1.0E-3 =
Part IV. DEPENDENCY For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence (Pw/d).
If there is a reason why failure on previous tasks should not be considered, such as it is impossible to take the current action unless the previous action has been properly performed, explain here:
1.0E-3
LER 285/04-002 43 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: SG-XHE-FLOOD2 Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to flood steam generators - 2.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> available Condition Number Crew (same or different)
Time (close in time or not close in time)
Location (same or different)
Cues (additional or no additional)
Dependency Number of Human Action Failures Rule
~ - Not Applicable.
Why?
1 s
c s
na complete When considering recovery in a series e.g., 2nd, 3rd, or 4th checker If this error is the 3rd error in the sequence, then the dependency is at lease moderate.
If this error is the 4th error in the sequence, then the dependency is at least high.
2 a
complete 3
d na high 4
a high 5
nc s
na high 6
a moderate 7
d na moderate 8
a low 9
d c
s na moderate 10 a
moderate 11 d
na moderate 12 a
moderate 13 nc s
na low 14 a
low 15 d
na low 16 a
low 17T zero Using Pw/od = Probability of Task Failure Without Formal Dependence (calculated in Part III):
For Complete Dependence the probability failure is 1.
For High Dependence the probability of failure is (1+ Pw/od/2)
For Moderate Dependence the probability of failure is (1+6 x Pw/od)/7 For Low Dependence the probability of failure is (1+19 x Pw/od)/20 T
For Zero Dependence the probability of failure is Pw/od Calculate Pw/d using the appropriate values:
Pw/d = (1 + ( * ))/ =
1.0E-3
LER 285/04-002 44 Reviewer: CM HRA Worksheets for At-Power SPAR HUMAN ERROR WORKSHEET Plant: Ft. Calhoun Initiating Event: Basic Event: AFW-XHE-SWAP1 Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to swap AFW nozzles and throttle (> 4.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> available)
Does this task contain a significant amount of diagnosis activity? YES ~ (start with Part I -
Diagnosis) NO T(skip Part I - Diagnosis; start with Part II - Action) Why?
PART II. EVALUATE EACH PSF FOR ACTION A. Evaluate PSFs for the Action Portion of the Task, if any.
PSFs PSF Levels Multiplier for Diagnosis Please note specific reasons for PSF level selection in this column.
Available Time Inadequate time P(failure) = 1.0
~
Time available is. the time required 10
~
Nominal time 1
T Time available > 5x the time required 0.1
~
Time available is > 50x the time required 0.01
~
Insufficient information 1
~
Stress/
Stressors Extreme 5
~
High stress is expected for the field operator because actions would affect plant safety.
High 2
T Nominal 1
~
Insufficient information 1
~
Complexity Highly complex 5
~
Moderately complex 2
~
Nominal 1
T Insufficient information 1
~
Experience/
Training Low 3
T The operators do not routinely operate valve gags in this situation.
Nominal 1
~
LER 285/04-002 PSFs PSF Levels Multiplier for Diagnosis Please note specific reasons for PSF level selection in this column.
45 Reviewer: CM High 0.5
~
Insufficient information 1
~
Procedures Not available 50
~
A multiplier of 2 used because the procedures for implementation are relatively poor.
Incomplete 20
~
Available, but poor 5
~
Nominal 1
~
Insufficient information 1
~
Ergonomics/
HMI Missing/Misleading 50
~
Poor 10
~
Nominal 1
T Good 0.5
~
Insufficient information 1
~
Fitness for Duty Unfit P(failure) = 1.0
~
Degraded Fitness 5
~
Nominal 1
T Insufficient information 1
~
Work Processes Poor 5
~
Nominal 1
~
Good 0.5
~
Insufficient information 1
T
LER 285/04-002 46 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: AFW-XHE-SWAP1 Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to swap AFW nozzles and throttle (> 4.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> available)
B. Calculate the Action Failure Probability.
(1) If all PSF ratings are nominal, then the Action Failure Probability = 1.0E-3 (2) Otherwise, the Action Failure Probability is: 1.0E-3 x Time x Stress or Stressors x Complexity x Experience or Training x Procedures x Ergonomics or HMI x Fitness for Duty x Processes Action: 1.0E-3 x 1.0 x 2.0 x 1.0 x 3.0 x 2.0 x 1.0 x 1.0 x 1.0 =
C. Calculate the Adjustment Factor IF Negative Multiple (> 3) PSFs are Present.
When 3 or more negative PSF influences are present, in lieu of the equation above, you must compute a composite PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater than 1 is selected. The Nominal HEP (NHEP) is 1.0E-3 for Action. The composite PSF score is computed by multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:
Action HEP with Adjustment Factor =
D. Record Final Action HEP.
If no adjustment factor was applied, record the value from Part B as your final action HEP. If an adjustment factor was applied, record the value from Part C.
Final Action HEP =
1.2E-2 HEP NHEP PSF NHEP PSF composite composite
=
+
.(
)1 1
1.2E-2
LER 285/04-002 47 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: AFW-XHE-SWAP1 Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to swap AFW nozzles and throttle (> 4.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> available)
PART III. CALCULATE TASK FAILURE PROBABILITY WITHOUT FORMAL DEPENDENCE (PW/OD)
Calculate the Task Failure Probability Without Formal Dependence (Pw/od) by adding the Diagnosis Failure Probability from Part I and the Action Failure Probability from Part II. In instances where an action is required without a diagnosis and there is no dependency, then this step is omitted.
Pw/od = Diagnosis HEP 0 + Action HEP 1.2E-2 =
Part IV. DEPENDENCY For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence (Pw/d).
If there is a reason why failure on previous tasks should not be considered, such as it is impossible to take the current action unless the previous action has been properly performed, explain here:
1.2E-2
LER 285/04-002 48 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: AFW-XHE-SWAP1 Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to swap AFW nozzles and throttle (> 4.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> available)
Condition Number Crew (same or different)
Time (close in time or not close in time)
Location (same or different)
Cues (additional or no additional)
Dependency Number of Human Action Failures Rule
~ - Not Applicable.
Why?
1 s
c s
na complete When considering recovery in a series e.g., 2nd, 3rd, or 4th checker If this error is the 3rd error in the sequence, then the dependency is at lease moderate.
If this error is the 4th error in the sequence, then the dependency is at least high.
2 a
complete 3
d na high 4
a high 5
nc s
na high 6
a moderate 7
d na moderate 8
a low 9
d c
s na moderate 10 a
moderate 11 d
na moderate 12 a
moderate 13 nc s
na low 14 a
low 15 d
na low 16 a
low 17T zero Using Pw/od = Probability of Task Failure Without Formal Dependence (calculated in Part III):
For Complete Dependence the probability failure is 1.
For High Dependence the probability of failure is (1+ Pw/od/2)
For Moderate Dependence the probability of failure is (1+6 x Pw/od)/7 For Low Dependence the probability of failure is (1+19 x Pw/od)/20 T
For Zero Dependence the probability of failure is Pw/od Calculate Pw/d using the appropriate values:
Pw/d = (1 + ( * ))/ =
1.2E-2
LER 285/04-002 49 Reviewer: CM HRA Worksheets for At-Power SPAR HUMAN ERROR WORKSHEET Plant: Ft. Calhoun Initiating Event: Basic Event: AFW-XHE-SWAP2 Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to swap AFW nozzles and throttle (< 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> available)
Does this task contain a significant amount of diagnosis activity? YES ~ (start with Part I -
Diagnosis) NO T (skip Part I - Diagnosis; start with Part II - Action) Why?
PART II. EVALUATE EACH PSF FOR ACTION A. Evaluate PSFs for the Action Portion of the Task, if any.
PSFs PSF Levels Multiplier for Diagnosis Please note specific reasons for PSF level selection in this column.
Available Time Inadequate time P(failure) = 1.0
~
Time available is. the time required 10
~
Nominal time 1
T Time available > 5x the time required 0.1
~
Time available is > 50x the time required 0.01
~
Insufficient information 1
~
Stress/
Stressors Extreme 5
~
High stress is expected for the field operator because actions would affect plant safety.
High 2
T Nominal 1
~
Insufficient information 1
~
Complexity Highly complex 5
~
Difficult to perform the action during the somewhat limited time in the SBO condition.
Moderately complex 2
T Nominal 1
~
Insufficient information 1
~
Experience/
Training Low 3
T The operators do not routinely operate valve gags in this situation.
Nominal 1
~
LER 285/04-002 PSFs PSF Levels Multiplier for Diagnosis Please note specific reasons for PSF level selection in this column.
50 Reviewer: CM High 0.5
~
Insufficient information 1
~
Procedures Not available 50
~
A multiplier of 2 used because the procedures for implementation are relatively poor.
Incomplete 20
~
Available, but poor 5
~
Nominal 1
~
Insufficient information 1
~
Ergonomics/
HMI Missing/Misleading 50
~
Poor 10
~
Nominal 1
T Good 0.5
~
Insufficient information 1
~
Fitness for Duty Unfit P(failure) = 1.0
~
Degraded Fitness 5
~
Nominal 1
T Insufficient information 1
~
Work Processes Poor 5
~
Nominal 1
~
Good 0.5
~
Insufficient information 1
T
LER 285/04-002 51 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: AFW-XHE-SWAP2 Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to swap AFW nozzles and throttle (< 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> available)
B. Calculate the Action Failure Probability.
(1) If all PSF ratings are nominal, then the Action Failure Probability = 1.0E-3 (2) Otherwise, the Action Failure Probability is: 1.0E-3 x Time x Stress or Stressors x Complexity x Experience or Training x Procedures x Ergonomics or HMI x Fitness for Duty x Processes Action: 1.0E-3 x 1.0 x 2.0 x 2.0 x 3.0 x 2.0 x 1.0 x 1.0 x 1.0 =
C. Calculate the Adjustment Factor IF Negative Multiple (> 3) PSFs are Present.
When 3 or more negative PSF influences are present, in lieu of the equation above, you must compute a composite PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater than 1 is selected. The Nominal HEP (NHEP) is 1.0E-3 for Action. The composite PSF score is computed by multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:
Action HEP with Adjustment Factor =
D. Record Final Action HEP.
If no adjustment factor was applied, record the value from Part B as your final action HEP. If an adjustment factor was applied, record the value from Part C.
Final Action HEP =
2.4E-2 HEP NHEP PSF NHEP PSF composite composite
=
+
.(
)1 1
2.4E-2
LER 285/04-002 52 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: AFW-XHE-SWAP2 Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to swap AFW nozzles and throttle (< 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> available)
PART III. CALCULATE TASK FAILURE PROBABILITY WITHOUT FORMAL DEPENDENCE (PW/OD)
Calculate the Task Failure Probability Without Formal Dependence (Pw/od) by adding the Diagnosis Failure Probability from Part I and the Action Failure Probability from Part II. In instances where an action is required without a diagnosis and there is no dependency, then this step is omitted.
Pw/od = Diagnosis HEP 0 + Action HEP 2.4E-2 =
Part IV. DEPENDENCY For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence (Pw/d).
If there is a reason why failure on previous tasks should not be considered, such as it is impossible to take the current action unless the previous action has been properly performed, explain here:
2.4E-2
LER 285/04-002 53 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: AFW-XHE-SWAP2 Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to swap AFW nozzles and throttle (< 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> available)
Condition Number Crew (same or different)
Time (close in time or not close in time)
Location (same or different)
Cues (additional or no additional)
Dependency Number of Human Action Failures Rule
~ - Not Applicable.
Why?
1 s
c s
na complete When considering recovery in a series e.g., 2nd, 3rd, or 4th checker If this error is the 3rd error in the sequence, then the dependency is at lease moderate.
If this error is the 4th error in the sequence, then the dependency is at least high.
2 a
complete 3
d na high 4
a high 5
nc s
na high 6
a moderate 7
d na moderate 8
a low 9
d c
s na moderate 10 a
moderate 11 d
na moderate 12 a
moderate 13 nc s
na low 14 a
low 15 d
na low 16 a
low 17T zero Using Pw/od = Probability of Task Failure Without Formal Dependence (calculated in Part III):
For Complete Dependence the probability failure is 1.
For High Dependence the probability of failure is (1+ Pw/od/2)
For Moderate Dependence the probability of failure is (1+6 x Pw/od)/7 For Low Dependence the probability of failure is (1+19 x Pw/od)/20 T
For Zero Dependence the probability of failure is Pw/od Calculate Pw/d using the appropriate values:
Pw/d = (1 + ( * ))/ =
2.4E-2
LER 285/04-002 54 Reviewer: CM HRA Worksheets for At-Power SPAR HUMAN ERROR WORKSHEET Plant: Ft. Calhoun Initiating Event: Basic Event: CST-XHE-ISOL Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to isolate condensate storage tank within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Does this task contain a significant amount of diagnosis activity? YES ~ (start with Part I -
Diagnosis) NO T (skip Part I - Diagnosis; start with Part II - Action) Why?
B. Calculate the Diagnosis Failure Probability.
(1) If all PSF ratings are nominal, then the Diagnosis Failure Probability = 1.0E-2 (2) Otherwise, the Diagnosis Failure Probability is: 1.0E-2 x Time x Stress or Stressors x Complexity x Experience or Training x Procedures x Ergonomics or HMI x Fitness for Duty x Processes Diagnosis: 1.0E-2 x x x x x x x x =
C. Calculate the Adjustment Factor IF Negative Multiple (> 3) PSFs are Present.
When 3 or more negative PSF influences are present, in lieu of the equation above, you must compute a composite PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater than 1 is selected. The Nominal HEP (NHEP) is 1.0E-2 for Diagnosis. The composite PSF score is computed by multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:
HEP NHEP PSF NHEP PSF composite composite
=
+
.(
)1 1
Diagnosis HEP with Adjustment Factor =
D. Record Final Diagnosis HEP.
If no adjustment factor was applied, record the value from Part B as your final diagnosis HEP.
If an adjustment factor was applied, record the value from Part C.
Final Diagnosis HEP =
LER 285/04-002 55 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: CST-XHE-ISOL Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to isolate condensate storage tank within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> PART II. EVALUATE EACH PSF FOR ACTION A. Evaluate PSFs for the Action Portion of the Task, if any.
PSFs PSF Levels Multiplier for Diagnosis Please note specific reasons for PSF level selection in this column.
Available Time Inadequate time P(failure) = 1.0
~
Time available is. the time required 10
~
Nominal time 1
T Time available > 5x the time required 0.1
~
Time available is > 50x the time required 0.01
~
Insufficient information 1
~
Stress/
Stressors Extreme 5
~
The SBO events are assumed to generate high stress.
High 2
T Nominal 1
~
Insufficient information 1
~
Complexity Highly complex 5
~
Moderately complex 2
~
Nominal 1
T Insufficient information 1
~
Experience/
Training Low 3
~
Nominal 1
T High 0.5
~
Insufficient information 1
~
LER 285/04-002 PSFs PSF Levels Multiplier for Diagnosis Please note specific reasons for PSF level selection in this column.
56 Reviewer: CM Procedures Not available 50
~
Incomplete 20
~
Available, but poor 5
~
Nominal 1
T Insufficient information 1
~
Ergonomics/
HMI Missing/Misleading 50
~
Poor 10
~
Nominal 1
T Good 0.5
~
Insufficient information 1
~
Fitness for Duty Unfit P(failure) = 1.0
~
Degraded Fitness 5
~
Nominal 1
T Insufficient information 1
~
Work Processes Poor 5
~
Nominal 1
T Good 0.5
~
Insufficient information 1
~
LER 285/04-002 57 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: CST-XHE-ISOL Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to isolate condensate storage tank within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> B. Calculate the Action Failure Probability.
(1) If all PSF ratings are nominal, then the Action Failure Probability = 1.0E-3 (2) Otherwise, the Action Failure Probability is: 1.0E-3 x Time x Stress or Stressors x Complexity x Experience or Training x Procedures x Ergonomics or HMI x Fitness for Duty x Processes Action: 1.0E-3 x 1.0 x 2.0 x 1.0 x 1.0 x 1.0 x 1.0 x 1.0 x 1.0 =
C. Calculate the Adjustment Factor IF Negative Multiple (> 3) PSFs are Present.
When 3 or more negative PSF influences are present, in lieu of the equation above, you must compute a composite PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater than 1 is selected. The Nominal HEP (NHEP) is 1.0E-3 for Action. The composite PSF score is computed by multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:
Action HEP with Adjustment Factor =
D. Record Final Action HEP.
If no adjustment factor was applied, record the value from Part B as your final action HEP. If an adjustment factor was applied, record the value from Part C.
Final Action HEP =
2.0E-3 HEP NHEP PSF NHEP PSF composite composite
=
+
.(
)1 1
2.0E-3
LER 285/04-002 58 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: CST-XHE-ISOL Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to isolate condensate storage tank within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> PART III. CALCULATE TASK FAILURE PROBABILITY WITHOUT FORMAL DEPENDENCE (PW/OD)
Calculate the Task Failure Probability Without Formal Dependence (Pw/od) by adding the Diagnosis Failure Probability from Part I and the Action Failure Probability from Part II. In instances where an action is required without a diagnosis and there is no dependency, then this step is omitted.
Pw/od = Diagnosis HEP 0 + Action HEP 2.0E-3 =
Part IV. DEPENDENCY For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence (Pw/d).
If there is a reason why failure on previous tasks should not be considered, such as it is impossible to take the current action unless the previous action has been properly performed, explain here:
2.0E-3
LER 285/04-002 59 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: CST-XHE-ISOL Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to isolate condensate storage tank within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Condition Number Crew (same or different)
Time (close in time or not close in time)
Location (same or different)
Cues (additional or no additional)
Dependency Number of Human Action Failures Rule
~ - Not Applicable.
Why?
1 s
c s
na complete When considering recovery in a series e.g., 2nd, 3rd, or 4th checker If this error is the 3rd error in the sequence, then the dependency is at lease moderate.
If this error is the 4th error in the sequence, then the dependency is at least high.
2 a
complete 3
d na high 4
a high 5
nc s
na high 6
a moderate 7
d na moderate 8
a low 9
d c
s na moderate 10 a
moderate 11 d
na moderate 12 a
moderate 13 nc s
na low 14 a
low 15 d
na low 16 a
low 17T zero Using Pw/od = Probability of Task Failure Without Formal Dependence (calculated in Part III):
For Complete Dependence the probability failure is 1.
For High Dependence the probability of failure is (1+ Pw/od/2)
For Moderate Dependence the probability of failure is (1+6 x Pw/od)/7 For Low Dependence the probability of failure is (1+19 x Pw/od)/20 T
For Zero Dependence the probability of failure is Pw/od Calculate Pw/d using the appropriate values:
Pw/d = (1 + ( * ))/ =
2.0E-3
LER 285/04-002 60 Reviewer: CM HRA Worksheets for At-Power SPAR HUMAN ERROR WORKSHEET Plant: Ft. Calhoun Initiating Event: Basic Event: AFW-XHE-DRYOUT Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to provide sufficient AFW flow following battery depletion Does this task contain a significant amount of diagnosis activity? YES ~ (start with Part I -
Diagnosis) NO T (skip Part I - Diagnosis; start with Part II - Action) Why?
PART II. EVALUATE EACH PSF FOR ACTION A. Evaluate PSFs for the Action Portion of the Task, if any.
PSFs PSF Levels Multiplier for Diagnosis Please note specific reasons for PSF level selection in this column.
Available Time Inadequate time P(failure) = 1.0
~
Time available is. the time required 10
~
Nominal time 1
T Time available > 5x the time required 0.1
~
Time available is > 50x the time required 0.01
~
Insufficient information 1
~
Stress/
Stressors Extreme 5
~
The SBO condition without normal lighting and instrumentation available due to battery depletion is assumed to generate high stress.
High 2
T Nominal 1
~
Insufficient information 1
~
Complexity Highly complex 5
~
Moderately complex 2
~
Nominal 1
T Insufficient information 1
~
Experience/
Training Low 3
~
Nominal 1
T
LER 285/04-002 PSFs PSF Levels Multiplier for Diagnosis Please note specific reasons for PSF level selection in this column.
61 Reviewer: CM High 0.5
~
Insufficient information 1
~
Procedures Not available 50
~
Guidance for providing AFW flow to steam generators using mechanical level transmitter/indicator in lieu of normal instrumentation is available, but is judged to be poor.
Incomplete 20
~
Available, but poor 5
T Nominal 1
~
Insufficient information 1
~
Ergonomics/
HMI Missing/Misleading 50
~
Operators should rely on mechanical level transmitter/indicator in lieu of normal instrumentation due to battery depletion.
Poor 10 T
Nominal 1
~
Good 0.5
~
Insufficient information 1
~
Fitness for Duty Unfit P(failure) = 1.0
~
Degraded Fitness 5
~
Nominal 1
T Insufficient information 1
~
Work Processes Poor 5
~
Nominal 1
T Good 0.5
~
Insufficient information 1
~
B. Calculate the Action Failure Probability.
(1) If all PSF ratings are nominal, then the Action Failure Probability = 1.0E-3 (2) Otherwise, the Action Failure Probability is: 1.0E-3 x Time x Stress or Stressors x Complexity x Experience or Training x Procedures x Ergonomics or HMI x Fitness for Duty x Processes Action: 1.0E-3 x 1.0 x 2.0 x 1.0 x 1.0 x 5.0 x 10.0 x 1.0 x 1.0 =
1.0E-1
LER 285/04-002 62 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: AFW-XHE-DRYOUT Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to provide sufficient AFW flow following battery depletion C. Calculate the Adjustment Factor IF Negative Multiple (> 3) PSFs are Present.
When 3 or more negative PSF influences are present, in lieu of the equation above, you must compute a composite PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater than 1 is selected. The Nominal HEP (NHEP) is 1.0E-3 for Action. The composite PSF score is computed by multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:
Action HEP with Adjustment Factor =
D. Record Final Action HEP.
If no adjustment factor was applied, record the value from Part B as your final action HEP. If an adjustment factor was applied, record the value from Part C.
Final Action HEP =
HEP NHEP PSF NHEP PSF composite composite
=
+
.(
)1 1
1.0E-1
LER 285/04-002 63 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: AFW-XHE-DRYOUT Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to provide sufficient AFW flow following battery depletion PART III. CALCULATE TASK FAILURE PROBABILITY WITHOUT FORMAL DEPENDENCE (PW/OD)
Calculate the Task Failure Probability Without Formal Dependence (Pw/od) by adding the Diagnosis Failure Probability from Part I and the Action Failure Probability from Part II. In instances where an action is required without a diagnosis and there is no dependency, then this step is omitted.
Pw/od = Diagnosis HEP 0 + Action HEP 1.0E-1 =
Part IV. DEPENDENCY For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence (Pw/d).
If there is a reason why failure on previous tasks should not be considered, such as it is impossible to take the current action unless the previous action has been properly performed, explain here:
1.0E-1
LER 285/04-002 64 Reviewer: CM Plant: Ft. Calhoun Initiating Event: Basic Event: AFW-XHE-DRYOUT Event Coder: IK Basic Event Context:
Basic Event
Description:
Operator fails to provide sufficient AFW flow following battery depletion Condition Number Crew (same or different)
Time (close in time or not close in time)
Location (same or different)
Cues (additional or no additional)
Dependency Number of Human Action Failures Rule
~ - Not Applicable.
Why?
1 s
c s
na complete When considering recovery in a series e.g., 2nd, 3rd, or 4th checker If this error is the 3rd error in the sequence, then the dependency is at lease moderate.
If this error is the 4th error in the sequence, then the dependency is at least high.
2 a
complete 3
d na high 4
a high 5
nc s
na high 6
a moderate 7
d na moderate 8
a low 9
d c
s na moderate 10 a
moderate 11 d
na moderate 12 a
moderate 13 nc s
na low 14 a
low 15 d
na low 16 a
low 17 zero Using Pw/od = Probability of Task Failure Without Formal Dependence (calculated in Part III):
For Complete Dependence the probability failure is 1.
For High Dependence the probability of failure is (1+ Pw/od/2)
For Moderate Dependence the probability of failure is (1+6 x Pw/od)/7 For Low Dependence the probability of failure is (1+19 x Pw/od)/20 T
For Zero Dependence the probability of failure is Pw/od Calculate Pw/d using the appropriate values:
Pw/d = (1 + ( * ))/ =
1.0E-1