ML083260404

Enclosure - SDP Phase 3 Analysis
Site: Oconee
Issue date: 11/21/2008
From: Jeffrey Mitman, Rogers W, Antonios Zoulis (NRC/NRR/DRA/APOB, Division Reactor Projects II)
Shared Package: ML083260393
References: EA-08-324

Phase 3 Risk Assessment of Loss of Inventory Event at Oconee

Probabilistic Risk Assessment (PRA) Analyst: Jeff Mitman, Senior Reliability and Risk Analyst, NRR/DRA/APOB

Probabilistic Risk Assessment (PRA) Analyst: Antonios Zoulis, Reliability and Risk Analyst, NRR/DRA/APOB

Probabilistic Risk Assessment (PRA) Analyst: Walt Rogers, Senior Reactor Analyst, R-II/DRS

Peer Reviewer: Gareth Parry, Senior Level Advisor, NRR/DRA

Enclosure

1.0 Introduction

On April 12th, 2008, Oconee Unit 1 shut down for refueling. On April 15th, Unit 1 had restored level, from a midloop operation to install coldleg nozzle dams, to below the reactor vessel flange. The head was detensioned in preparation for removal. As part of main generator voltage regulator modification testing, a main generator lockout signal was generated while the switchyard was back-feeding all Unit 1 electrical loads through the main transformer and the associated auxiliary transformer. This caused a slow transfer from the aux transformer to the backup transformer (CT1) from the switchyard. The resulting electrical transient caused a momentary loss of power to the running pumps performing shutdown cooling (SDC) and, due to one complication, a relief valve in the letdown purification system opened and remained open as designed. This transient caused a loss of inventory (LOI) from the reactor coolant system (RCS) to the miscellaneous waste holdup tank (MWHUT).

The operators quickly recognized the LOI and entered the appropriate procedures. They had the relief valve isolated and makeup water going into the RCS within 17 minutes. During the transient, RCS level dropped from 70 inches above hotleg midloop to approximately 55 inches. Approximately 2000 gallons were transferred from the RCS to the MWHUT.

Prior to the event the purification system was aligned to the LPI system, which was in service in the SDC mode of operation. Both the A and B LPI pumps were in SDC. When the electrical system slow transferred, the 1XP 600 volt AC system initially re-energized as designed. However, it tripped off on over-current from the initial current inrush. The over-current trip was caused by an improperly set instantaneous magnetic trip device. With the 1XP de-energized, three air operated valves in the purification system did not reopen as designed due to a lack of power on the valve solenoids. This caused the purification system to see a pressure above the setpoint of the letdown relief valves (1HP-46). The 1HP-46 discharges to the MWHUT.

2.0 Discussion of the Performance Deficiency

The performance deficiency concerns the failure to implement a main generator AVR maintenance procedure that met the standards/expectations of Nuclear System Directive (NSD) 703, Administrative Instructions for Technical Procedures, to achieve the intended purpose by being technically accurate, safe, and complete. More specifically, AVR maintenance procedure IP/0/B/2005/001, Main Generator Automatic Voltage Regulator Maintenance and Channel Transfer, failed to identify and electrically isolate all AVR trip outputs to the main generator lockout relay. Consequently, during AVR maintenance in Unit 1 on April 15, 2008, a main generator lockout occurred, resulting in a loss of power event that ultimately led to a loss of RCS inventory while in Mode 6. As such, this event challenged the safety-related function of decay heat removal.

Additionally, the work order that implemented the AVR procedure was not coded to prevent the procedure from being performed during high risk time periods during the outage (e.g., reduced inventory). As such, the possibility existed that the loss of power event could have occurred 6 hours earlier during reduced inventory (i.e., 23 on LT-5). See the Sensitivity analysis below for additional insights on this possibility.

3.0 Plant Conditions Prior to the Event

The following was the status of major plant equipment prior to the event:

  • Reactor in cold shutdown (mode 6) with the reactor head detensioned but still in place
  • RCS level 70 inches above the midloop and approximately 110 inches above top of active fuel (TAF)
  • RCS temperature 96 F
  • Estimate of time to boil (TTB) of 20 minutes supplied to shift; however, this TTB was calculated for midloop and shift had raised level 70 inches above midloop, so TTB would be greater
  • LPI pumps A and B in service supplying decay heat removal and reactor temperature indication
  • Low pressure service water (LPSW) loops A and B in service, supporting SDC
  • All reactor coolant pumps secured
  • LPI was cross connected to the HPI system for letdown purification
  • Steam generator upper primary handholes removed supplying a large vent for the RCS, coldleg nozzle dams installed

4.0 Licensee Event Mitigation Capability

The following equipment was available to mitigate any complications:

  • Borated water storage tank (BWST) operable with 360,000 gallons of water
  • Borated water holdup tank (BHUT) available with 60,000 gallons
  • 1A bleed transfer pump available (from BHUT)
  • LPI A pump and heat exchanger operable and in service for SDC
  • LPI B pump and heat exchanger operable and in service for SDC
  • LPI C pump (non-safety related) available for low pressure core injection and SDC
  • High pressure injection A (HPI) inoperable but available with pump breaker racked out
  • HPI B inoperable but available with pump breaker racked out
  • HPI C unavailable
  • LPSW A, B and C operable to support SDC
  • Steam generators unavailable
  • RCS level indicators LT-5A and B operable and midloop ultrasonic level indication available
  • Core exit thermal couples (CETs) at least two operable
  • Containment was closed

5.0 Significance Determination Process (SDP) Phase 2 Summary

Since the plant was shut down, the inspectors evaluated this finding in accordance with NRC Inspection Manual Chapter 0609 Appendix G, "Shutdown Operations Significance Determination Process (SDP)," February 28, 2005. As part of the SDP, the inspectors assess conditions or events that represent a loss of control.

The Region II Senior Reactor Analyst (SRA) performed the assessment using Appendix G, : "Phase 2 Significance Determination Process Template for PWR during Shutdown." The SRA determined this to be a precursor to an initiating event: a loss of reactor inventory (LOI). The plant operational state (POS) was determined to be "POS 2" (RCS vented). The initial Phase 2 analysis determined that this was a green finding.

However, a review of the Phase 2 analysis by a headquarters risk analyst concluded that a Phase 3 analysis was warranted due to inadequacies of the Phase 2 procedure.

6.0 Initiation of a Phase 3 SDP Risk Assessment

The Shutdown SDP proceduralized in IMC 0609, Appendix G, is a tool used to screen shutdown findings for potential significance. This finding could not be screened as having very low significance using the Phase 2 analysis. Therefore, a Phase 3 SDP risk assessment was performed by the Office of Nuclear Reactor Regulation (NRR).

The analysts used the following references in preparing the risk assessment:

  • NUMARC 91-06, Guidelines for Industry Actions to Assess Shutdown Management. December 1991
  • NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method. August 2005
  • NUREG-1842, Good Practices for Implementing Human Reliability Analysis. April 2005
  • NUREG/CR-6595 Revision 1, An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events. October 2004

7.0 Development of the Model

No Low Power/Shutdown (LP/SD) SPAR model exists for the Oconee plant. Therefore, the at-power Oconee SPAR model was modified to allow analysis of the loss of inventory (LOI) event. A new event tree (ET) was created to analyze the LOI event. This ET is shown in Appendix A. The ET was linked to existing at-power fault trees (FT) or new FTs. The existing FTs were modified as necessary to appropriately describe system dependencies during shutdown conditions and the different success criteria.

HRA Analysis

Shutdown operation is highly dependent on operator actions, as most of the required actions are manual (e.g., initiating feed of the RCS). Additional analysis was conducted to properly characterize the required manual actions. The HEPs were calculated using the Low Power Shutdown SPAR-H worksheets from NUREG/CR-6883. Consideration was given to the available time to perform the action, the stress levels of the crew during the event, complexity of the action, crew experience and applicable and relevant training, quality and thoroughness of procedures, ergonomics, fitness of duty issues, and the available work processes. Table 1 shows a summary of the HEPs; a detailed discussion of the HRA is given in Appendix B.

In addition to the calculation of specific HEPs for this condition, sequences or cutsets which involved multiple operator actions were examined for human action dependency. Such dependency can occur due to a common cue or short/limited time separation between different cues. The method of identifying dependent operator actions involved reviewing the cutsets that were generated following quantification of the accident sequences. Once those HFEs that were dependent on previously occurring HFEs were identified, SPAR-H was used to perform the initial dependency analysis to calculate the dependent HEP values. Those dependent HEPs and their corresponding values are reported in Table 2. On several HFE combinations, the SPAR-H developed values were determined to be too conservative; for those instances the analyst deviated from the SPAR-H generated values. The final values used in the base case analysis are shown in the far right hand column of Table 2. A sensitivity case was performed to understand how this deviation from SPAR-H impacted the final CCDP. A more detailed description of the dependency analysis is given in Appendix B.

Table 1 Summary of HRA Results

| Human Error Event | Description | Controlled by Ops Crew | Time Available | Mean Diagnosis HEP | Mean Action HEP | Total Mean HEP |
|---|---|---|---|---|---|---|
| SD-SLOI-DIAG-XHE (note 1) | Operator fails to diagnose small LOI outside of containment before loss of SDC | One | 30 min. | 1.0E-3 | 0 | 1.0E-3 |
| SD-SLOI-FEED-XHE | Operator fails to initiate feed before loss of SDC | One | 40 min. | 2.0E-3 | 4.0E-3 | 6.0E-3 |
| SD-SLOI-FEED-LT-XHE | Operator Fails to Initiate feed after loss of SDC, before core damage | One | 90 min. | 2.0E-4 | 1.0E-3 | 1.2E-3 |
| SD-SLOI-ISOL-AFD-XHE | Operator fail to terminate SLOI leak before RWST is depleted | Two | ~30 hrs. | 0 | 1.0E-5 | 1.0E-5 |
| SD-SLOI-ISOL-BRF-XHE | Operator fails to terminate SLOI leak before SDC fails | One | 40 min. | 0 | 2.0E-3 | 2.0E-3 |
| SD-SLOI-LTR1-XHE | Operators fail to Refill BWST as Part of Long Term Recovery | Two | ~30 hrs. | 1.0E-5 | 4.0E-4 | 4.1E-4 |
| SD-SLOI-LTR2-XHE | Operators fail to Restart LPI in SDC Mode as Part of Long Term Recovery | Two | ~30 hrs. | 0 | 2.0E-4 | 2.0E-4 |

Notes:

1) An HEP below this value will push into reliability range of automatic actuation logic
2) Estimated TTB = 20 minutes
3) Estimated TTCD is 90 minutes if drain down continues to midloop
4) Success criteria > 100 gpm

Table 2 Summary of Dependent HEP Results

| Dependent HEP Name | Description | Applicable Operator Action Failures | Independent HEP | SPAR-H Dependent HEP | Final Dependent HEP |
|---|---|---|---|---|---|
| SD-SLOI-FEED-LT-XHE-D1 | Operator fails to diagnose LOI before loss of SDC and feed RCS late before CD | SD_SLOI_DIAG_XHE • SD_SLOI_FEED_LT_XHE | 1.2E-03 | 5.1E-02 | 1.1E-02 |
| SD-SLOI-BRF-XHE-D2 | Operator fails to feed before loss of SDC and fails to isolate leak before loss of SDC | SD_SLOI_FEED_XHE • SD_SLOI_ISOL_BRF_XHE | 2.0E-03 | 5.2E-02 | 1.2E-02 |
| SD-SLOI-FEED-LT-XHE-D2 | Operator fails to feed before loss of SDC and fails to feed after loss of SDC | SD_SLOI_FEED_XHE • SD_SLOI_ISOL_BRF_XHE • SD_SLOI_FEED_LT_XHE | 1.2E-03 | 1.4E-01 | 5.1E-02 |
| SD-SLOI-FEED-LT-XHE-D3 | Operator fails to isolate LOI before loss of SDC and fails to feed after loss of SDC | SD_SLOI_ISOL_BRF_XHE • SD_SLOI_FEED_LT_XHE | 1.2E-03 | 5.1E-02 | 1.1E-02 |
| SD-SLOI-FEED-LT-XHE-D4 | Operator fails to feed before loss of SDC and feed after loss of SDC | SD-SLOI-FEED-XHE • SD-SLOI-FEED-LT-XHE | 1.2E-03 | 5.1E-02 | 1.1E-02 |
| SD-SLOI-BRF-XHE-D6 | Operator fails to feed before loss of SDC and isolate before loss of SDC | SD_SLOI_FEED_XHE • SD_SLOI_ISOL_BRF_XHE | 2.0E-03 | 5.2E-02 | 1.2E-02 |
| SD-SLOI-LTR1-XHE-D7 | Operator fails to isolate LOI and makeup to BWST | SD-SLOI-ISOL-AFD-XHE • SD-SLOI-LTR1-XHE | 4.1E-04 | 4.1E-04 | 4.1E-04 |
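The SPAR-H column of Table 2 can be checked against the independent HEPs using the conditional-probability formulas for dependency given in NUREG/CR-6883. The following is an added example, not part of the NRC analysis or its SAPHIRE model: it applies those formulas to each row and reports which dependency level reproduces the tabulated value to two significant figures, plus the factor by which the analyst's final value is lower. The level assignments are inferred from the numbers (Table 2 does not state them), and the function names are hypothetical.

```python
"""Added example: reproduce the SPAR-H dependent HEP column of Table 2."""

# Conditional HEP for each dependency level (NUREG/CR-6883, adopted from THERP).
# p is the independent HEP of the later action in the chain.
DEPENDENCY_FORMULAS = {
    "zero": lambda p: p,
    "low": lambda p: (1 + 19 * p) / 20,
    "moderate": lambda p: (1 + 6 * p) / 7,
    "high": lambda p: (1 + p) / 2,
    "complete": lambda p: 1.0,
}

# Rows transcribed from Table 2 of this enclosure:
# (dependent HEP name, independent HEP, SPAR-H dependent HEP, final dependent HEP)
TABLE_2 = [
    ("SD-SLOI-FEED-LT-XHE-D1", 1.2e-3, 5.1e-2, 1.1e-2),
    ("SD-SLOI-BRF-XHE-D2", 2.0e-3, 5.2e-2, 1.2e-2),
    ("SD-SLOI-FEED-LT-XHE-D2", 1.2e-3, 1.4e-1, 5.1e-2),
    ("SD-SLOI-FEED-LT-XHE-D3", 1.2e-3, 5.1e-2, 1.1e-2),
    ("SD-SLOI-FEED-LT-XHE-D4", 1.2e-3, 5.1e-2, 1.1e-2),
    ("SD-SLOI-BRF-XHE-D6", 2.0e-3, 5.2e-2, 1.2e-2),
    ("SD-SLOI-LTR1-XHE-D7", 4.1e-4, 4.1e-4, 4.1e-4),
]


def dependent_hep(p, level):
    """Conditional HEP of an action given failure of the preceding action."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"HEP must be a probability, got {p!r}")
    return DEPENDENCY_FORMULAS[level](p)


def round_sig(x, sig=2):
    """Round to `sig` significant figures, the precision the table reports."""
    return float(f"{x:.{sig - 1}e}")


def matching_levels(p, tabulated, sig=2):
    """Dependency levels whose formula reproduces the tabulated value."""
    target = round_sig(tabulated, sig)
    return [
        level
        for level in DEPENDENCY_FORMULAS
        if round_sig(dependent_hep(p, level), sig) == target
    ]


def audit_table(rows=TABLE_2):
    """For each row: inferred level(s) and how far the final value was relaxed."""
    results = []
    for name, independent, spar_h, final in rows:
        results.append(
            {
                "name": name,
                "levels": matching_levels(independent, spar_h),
                # Ratio > 1 means the final value is lower than strict SPAR-H.
                "relaxation": spar_h / final,
            }
        )
    return results


if __name__ == "__main__":
    for row in audit_table():
        levels = ", ".join(row["levels"]) or "no formula matches"
        print(f'{row["name"]:<24} {levels:<10} SPAR-H/final = {row["relaxation"]:.1f}')
```

An empty `levels` list for a row would mean its SPAR-H value cannot be reproduced from the listed independent HEP with any of the five formulas, which is the case a reviewer would want to query.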

8.0 Conditional Core Damage Probability (CCDP) Assessment Results

A detailed Phase 3 Significance Determination Process risk analysis was performed consistent with NRC Inspection Manual Chapter (IMC) 0609 Appendix G Attachment 2 for Phase 2 analysis. Step 4.3.8 of this procedure directs the analyst to assess the significance of shutdown events by calculating an instantaneous conditional core damage probability (ICCDP). The above described SPAR model was evaluated using the SAPHIRE code version 7.27 by setting the loss of inventory initiating event frequency to one.

A change set was created to set the initial plant conditions reflected in Sections 3.0 and 4.0 above. This change set included:

| Basic Event Identifier | Original Value | Change Set Value | Comment |
|---|---|---|---|
| SD-IE-SLOI-OC | n/a | 1.0 | This initiating event frequency set to 1.0 as event occurred |
| HPI-MDP-TM-C | 4.0E-3 | 1.0 | Pump was unavailable due to maintenance |
| SD-SLOI-1ABTP-XM | n/a | 1.0 | 1A Boron Transfer Pump - not in at-power model |
| All Other Test & Maintenance | Various | 0 | Equipment that was not in T&M were set to zero |

The truncation limit was set at 1E-16.

As this SDP evaluates an actual event in which no external events occurred, there was no risk from external events.

The result of the CCDP analysis is 1.2E-5; based on these results the finding is yellow.

The top 5 cutsets containing over 99 percent of the total risk are in Appendix C. The analyst also performed uncertainty analysis, using a Monte Carlo approach with a sample size of 5000. The top four sequences contain over 99 percent of the total risk. Table 3 below contains these sequence results.

Table 3 CCDP Results with Uncertainty

| Sequence | Point Estimate | Mean | 5th | Median | 95th |
|---|---|---|---|---|---|
| 03 | 5.1E-09 | 5.5E-09 | 1.2E-11 | 1.3E-09 | 2.5E-08 |
| 06 | 6.1E-08 | 6.1E-08 | 2.2E-11 | 5.8E-09 | 2.9E-07 |
| 07 | 3.7E-06 | 3.3E-06 | 1.3E-10 | 1.1E-07 | 1.5E-05 |
| 09 | 8.4E-07 | 8.5E-07 | 2.1E-09 | 2.8E-07 | 3.6E-06 |
| 10 | 1.1E-05 | 1.1E-05 | 2.2E-09 | 1.3E-06 | 5.4E-05 |
| TOTALS | 1.6E-05 | 1.5E-05 | 1.0E-07 | 4.2E-06 | 6.3E-05 |

In this shutdown event analysis, as is the case with most shutdown analyses, the results are highly dependent on operator actions, significantly more so than a typical at-power analysis. As summarized above and in greater detail in Appendix B on HRA, PRA practices direct that in cutsets with multiple HEPs, a justifiable minimum value for the combination of HEPs should be specified. NUREG-1792, Good Practices for Implementing Human Reliability Analysis, Section 5.3.3.6 recommends a cutoff of 1E-5.

The analyst did not implement this cutoff value as the results were yellow without imposing this cutoff.

9.0 Conditional Large Early Release Probability (CLERP) Assessment

The figure of merit for this analysis is incremental conditional large early release probability (ICLERP). This ICLERP analysis is based on the method for shutdown described in NUREG/CR-6595 Revision 1, An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events, dated 10/2004. This report supplies simplified containment event trees (CET) to determine if the core damage sequence contributes to LERF. NUREG/CR-6595 presents its analysis in terms of LERF, which is interpreted here as ICLERP.

NUREG/CR-6595 defines LERF as the frequency of those accidents leading to significant, unmitigated releases from containment in a time frame prior to effective evacuation of the close-in population such that there is a potential for early health effects. This is identical to the definition of LERF in IMC 0609 Appendix H. Figure 2.1 (PWR Large Dry Containment Event Tree) from NUREG/CR-6595 is applicable to the Oconee event.

An initial review of the core damage event tree indicates that all sequences that lead to core damage are potentially containment bypass events. However, before core damage can occur, RCS water level will drop to below midloop. When midloop is reached, any running SDC pumps will be secured or fail. When the B train of SDC stops, pressure in the letdown purification system will drop and the open relief valve should close. Closing of the relief valve will terminate the leak outside of containment, preventing any containment bypass.

Therefore, the review of the LERF event tree yields a worst case containment failure probability for the Oconee conditions of 1E-2. With a CCDP of 1.2E-5 this yields a CLERP of 1.2E-7, which is a white finding.

10.0 Sensitivity Analysis

Several sensitivity cases were conducted to further understand the event. The cases are described below.

Case 1: All HEPs Set to True (1.0)

This sensitivity case assumed that the operators always fail to perform the required manual action. It was calculated by setting all HEPs to true. The calculated CCDP was 1.0.

Case 2: All HEPs Set to False (0.0)

This sensitivity case assumed that the operators are perfect and never fail. It was calculated by setting all HEPs to false. The calculated CCDP was 7.9E-14.

Case 3: All HEPs Independent of Each Other

This sensitivity case removes dependency between HEPs from the model. It was calculated by setting all dependent HEPs to their base value. The calculated CCDP was 2.1E-6.

Case 4: All Dependent HEPs Set to Their SPAR-H Values

In the base case the dependency analysis uses values that are less conservative than the values generated by a strict adherence to the SPAR-H methodology. This sensitivity case uses the SPAR-H generated values for dependent HEPs. The calculated CCDP was 9.6E-5.

Case 5: Initial Diagnostic HEP Set to Licensee's Values

This sensitivity case sets the initial diagnostic HEP (SD-SLOI-DIAG-XHE) to the value calculated in the licensee's sensitivity case, which is 1.0E-4. The calculated CCDP was 4.9E-6.

Case 6: Event Happens at Midloop

Approximately six hours prior to the event, the unit was in midloop operation. There were no process controls that would have prevented the voltage regulator testing from occurring during midloop operations. This sensitivity case evaluates the CCDP assuming that the event occurred during midloop. It assumes that with a slow transfer at midloop the sequence of events would be identical to the actual event. However, with starting level at midloop it is assumed that there is inadequate time to diagnose the event before the decreasing level causes cavitation of the running LPI/SDC pumps, necessitating their shutdown. The corresponding CCDP is calculated by setting the initial diagnostic HEP (SD-SLOI-DIAG-XHE) to true. The calculated CCDP was 2.0E-3.

Sensitivity Analysis Conclusions

Several conclusions can be drawn from the above sensitivity analysis. First, cases one, two and three are unsupportable and lead to unrealistic conclusions. They illustrate that this event (as most shutdown events) is highly dependent on the operator to prevent core damage. This is true because all of the mitigation actions are dependent on the operator. Second, the licensee's process would not have prevented this event from occurring at midloop conditions. If this event had happened at midloop, time available for operator response would have been significantly reduced and the risk would have increased significantly.

Appendix A: Model Figures

Figure A-1: Loss of Inventory Event Tree

[Event tree figure not reproduced. Top events, initiating event first: SD-IE-SLOI-OC (SLOI Outside of Containment Occurs); SD-SLOI-DIAG (Operators Diagnose LOI Event before Loss of SDC); SD-SLOI-FEED-FT (Operators initiate RCS FEED before Loss of SDC); SD-SLOI-ISOL-FT (Operators Terminate LOI before Loss of SDC); SD-SLOI-FEED-LT-FT (Operators Initiate Feed after Loss of SDC; before Core Damage); SD-SLOI-LTR-FT (Long Term Recovery in LOI). Branch fault trees labeled in the figure: SD-SLOI-ISOL-AFD-FT, SD-SLOI-ISOL-BRF-FT, SD-SLOI-LTR-FT1, SD-SLOI-LTR-FT2. End states by sequence: 1 OK, 2 OK, 3 CD-SD, 4 OK, 5 OK, 6 CD-SD, 7 CD-SD, 8 OK, 9 CD-SD, 10 CD-SD. Figure dated 2008/09/26.]

Figure A-2: Diagnose of Loss of Inventory Fault Tree

[Fault tree figure not reproduced. Top gate SD-SLOI-DIAG (Operators Diagnose LOI Event before Loss of SDC). Basic event: SD-SLOI-DIAG-XHE, 1.000E-3 (Operators fail to diagnose small LOI outside of containment before loss of SDC). Figure dated 2008/09/01.]

Figure A-3: RCS Feed before Loss of SDC Fault Tree

[Fault tree figure not reproduced. Top gate SD-SLOI-FEED-FT (Operators initiate RCS FEED before Loss of SDC). Elements shown: SD-SLOI-FEED-EQP-FT; SD-SLOI-FEED-XHE, 6.000E-3 (Operator fails to initiate feed before loss of SDC); SD-SLOI-INJ; SD-SLOI-1ABTP-XM, 1.000E+0 (Failure of 1A Bleed Transfer Pump for Inject from BHUT). Figure dated 2008/09/01.]

Figure A-4a: Leak Isolation after Feed is Initiated Fault Tree (SDC Remains In-Service)

[Fault tree figure not reproduced. Top gate SD-SLOI-ISOL-AFD-FT (Operators terminate SLOI after feed initiates). Elements shown: SD-SLOI-ISOL-EQP-FT (Equipment failures in SLOI leak termination); SD-SLOI-ISOL-AFD-XHE, 1.000E-5 (Operators fail to terminate SLOI leak before BWST is depleted). Figure dated 2008/09/01.]

Figure A-4b: Leak Isolation after Level Drops to Midloop Fault Tree (SDC is Out of Service)

[Fault tree figure not reproduced. Top gate SD-SLOI-ISOL-BRF-FT (Operators terminate SLOI before SDC fails (RCS level drops below midloop)). Elements shown: SD-SLOI-ISOL-BRF-XHE, 2.000E-3 (Operator fail to terminate SLOI leak before SDC fails); SD-SLOI-ISOL-EQP-FT (Equipment failures in SLOI leak termination). Figure dated 2008/09/01.]

Figure A-5: Feed Initiation Late Fault Tree

[Fault tree figure not reproduced. Top gate SD-SLOI-FEED-LT-FT (Operators Initiate Feed after Loss of SDC; before Core Damage). Elements shown: SD-SLOI-FEED-LT-XHE, 1.200E-3 (Operators fail to initiate feed after loss of SDC; before core damage); SD-SLOI-FEED-EQP-FT; SD-SLOI-FEED-LT-FT2; SD-HPI (HIGH PRESSURE INJECTION for SLOI); SD-LPI (LOW PRESSURE INJECTION for SLOI); SD-SLOI-1ABTP-XM, 1.000E+0 (Failure of 1A Bleed Transfer Pump for Inject from BHUT). Figure dated 2008/09/01.]

Figure A-6a: Long Term Recovery 1 Fault Tree (Makeup to BWST)

[Fault tree figure not reproduced. Top gate SD-SLOI-LTR-FT1 (Long Term Recovery in LOI (BWST Makeup)). Elements shown: SD-SLOI-LTR1-XHE, 3.000E-5 (Operators fail to Refill BWST as Part of Long Term Recovery); SD-SLOI-MU-BWST, 1.000E-4 (Replenish BWST). Figure dated 2008/09/01.]

Figure A-6b: Long Term Recovery 2 Fault Tree (Makeup to BWST and Restore SDC)

[Fault tree figure not reproduced. Top gate SD-SLOI-LTR-FT2 (Long Term Recovery in LOI (BWST MU and SDC)). Elements shown: SD-SLOI-LTR-EQP-FT; SD-SLOI-LTR1-XHE, 3.000E-5 (Operators fail to Refill BWST as Part of Long Term Recovery); SD-SLOI-LTR2-FT2; SD-SLOI-LTR2-FT3; SD-SLOI-MU-BWST, 1.000E-4; SD-SLOI-LTR2-XHE, 2.000E-4 (Operators fail to Restart LPI in SDC Mode as Part of Long Term Recovery). Figure dated 2008/09/01.]

Appendix B: HRA Analysis

Human Error Probabilities

A high level discussion of the Human Reliability Analysis (HRA) is presented above in Section 7 on Model Development. Also included above is a summary of the HRA results. The following discusses the Human Failure Events (HFE), the derivation of the individual Human Error Probabilities (HEP) and the analysis of the dependency between these HEPs. This HRA analysis was done consistent with the guidance of NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method, dated August 2005.

The Human Error Probabilities (HEPs) for this analysis were calculated using the Low Power Shutdown SPAR-H worksheets from NUREG/CR-6883. Consideration was given to the available time to perform the action, the stress levels of the crew during the event, complexity of the action, crew experience and applicable and relevant training, quality and thoroughness of procedures, ergonomics, fitness of duty issues, and the available work processes.

The HEPs for this analysis are shown in Table 1 above. Tables B1a-B8b contain the diagnosis and/or action worksheets from SPAR-H used to develop the above HEPs.

B1 HFE ID: SD-SLOI-DIAG-XHE

HFE Definition

This HFE represents the failure of the diagnosis step that requires the operating crew to recognize that an event has occurred, determine what type of event it is and determine which procedure(s) need to be used to address the event.

Description and Context Associated with Event

While performing testing of the recently modified main generator voltage regulator, an unplanned generator lockout occurred. This lockout caused the main generator output breakers to open and a subsequent slow transfer from the unit auxiliary transformer to a backup transformer (CT1) from the switchyard. The control room received multiple annunciators during the slow transfer. The electrical transient also caused the running SDC pumps to stop momentarily while power swapped, and both pumps restarted when power was returned; as designed, the LPI/SDC pump breakers did not open on the transfer.

The control room received no annunciators on the decreasing RCS level.

Most of the electrical loads re-energized as the slow transfer progressed. However, the 1XP 600 volt AC attempted to re-energize but tripped on high in-rush current. It remained de-energized throughout the event and was not re-energized until several hours after the event. This complicated the event because it removed motive power from several front line systems that were required to mitigate the event. It did not impact any of the instrumentation that was required to diagnose the event. However, it did distract the operators by adding to the cognitive work load.

Operator Action Success Criteria

The operator must recognize the abnormal event and start implementation of procedure AP-26 Loss of Decay Heat Removal. The specific section that must be started is Section 4C: RCS Vented And FTC NOT Flooded (both primary hand holes removed). The operator needs to perform this action before RCS level drops to the middle of the hotleg, at which time the LPI/SDC pumps will begin to cavitate. There is about 70 minutes to diagnose this event and correct the situation; see the timing section below for more details.

Cues

The control room received multiple annunciators when the electrical power slow transferred from the aux transformer to the backup transformer. The electrical transient also caused the running SDC pumps to stop momentarily while power swapped, and both pumps restarted when power was returned.

The control room received no annunciators on the decreasing RCS level.

Decreasing level on control room indicators and associated computer displays fed from LT-5A and 5B. When level had decreased approximately 10 inches to a plus 60 inches, a computer point alarm annunciated in the control room. However, the operators missed this annunciation as it was masked by many other computer points that were received due to the loss of power and subsequent re-energization.

A secondary cue was increasing level in the miscellaneous waste holdup tank (MWHUT). The combination of lowering RCS level and rising MWHUT level is indicative of a problem with the purification system. MWHUT tank level is indicated in the MCR but decreasing level is not annunciated.

Procedure and Relevant Steps

AP-26 Loss of Decay Heat Removal revision 20 was the controlling procedure for this event. It supplies the appropriate entry conditions in Step 1. The relevant entry conditions are:

  • Loss of RCS inventory while on LPI DHR
  • Loss of DHR capability as a result of loss of power

In addition, the operator must perform nine verifications (steps 4.1 to 4.17) before diagnosing the appropriate section of this AP to perform. Section 4C: RCS Vented and FTC NOT Flooded (both primary hand holes removed) is the appropriate section of the AP.

MCR or Local Action

This is a main control room cognitive event. The level indication is indicated in the control room. The reactor operator is responsible for monitoring the appropriate RCS parameters and the shift supervisor (SRO) is responsible for decision making.

Diagnosis (with or w/o recovery) / Execution (with or w/o recovery) / Diagnosis + Execution

This is a purely diagnostic event. If the operator fails to recognize that an event is occurring or fails to recognize that this is a loss of inventory event, there will be additional cues when the RCS level decreases sufficiently to perturb the SDC pumps. However, this second scenario will be evaluated with a second HFE. Therefore, there is no recovery analyzed in this event.

Time Windows / Nominal / mean / median action times

RCS level was decreasing at approximately one inch per minute. The indicated starting level was 70 inches; this is from a reference point of instrument zero at the center line of the hotleg. Shortly after reaching a level of 0, the running DHR pumps will need to be secured to prevent damage to them. This will be indicated to the operator by additional control room annunciators. Thus the time available for diagnosis and subsequent operator actions is approximately 70 minutes. The subsequent actions, however, will be handled by other HFEs. For diagnosis, 30 of the total available 70 minutes are allocated to perform this function.

In the actual event, and as a point of reference, the operators recognized the event and entered the correct procedure in about two minutes.

Relevant Performance Shaping Factors Only those PSF which are or might be impacted are discussed here.

Time: Extra time was available for this event.

Stress: With a LOI event occurring stress was elevated. In addition to the LOI an additional stressor was the momentary loss of offsite power and a subsequent failure to re-energize the 1XP bus.

Complexity: With the reactor in cold shutdown, the operators primary focus is on reactor level and temperature. The RCS level was being displayed on multiple monitors in the MCR. The operators monitored this parameter by looking for a flat line response on the displays. A flat line indicated that level was being maintained as desired. A decreasing level indicated a problem. However, there were no direct annunciators on this parameter. The first MCR annunciator would not be received on this parameter until 70 minutes after the event initiation.

There was a computer point alarm that was received about 10 minutes after the event initiation, however, the operators missed this cue. The entry conditions for this procedure were straightforward and simple and the operators were well trained on them. Finally, to complicate the diagnoses, a significant number of annunciators were received due to the loss of offsite power and the subsequent re-energization of the unit.

Define Subtasks / failure modes / assign BE id(s)

Subtasks: There are none.

Failure modes:

Operator fails to recognize RCS level is decreasing.

Operators recognize that level is decreasing but fail to enter the correct procedure.

BE Id: SD-SLOI-DIAG-XHE

Table B1

HRA Worksheets for LPSD
SPAR HUMAN ERROR WORKSHEET
Part I. DIAGNOSIS WORKSHEET

Plant: Oconee
Initiating Event:
Basic Event: SD-SLOI-DIAG-XHE
Basic Event Description: Operator fails to Diagnose Loss of Inventory before loss of DHR

PSFs, PSF levels and multiplier for diagnosis. X marks the selected PSF level; the specific reasons for the PSF level selection are noted under the PSF.

Available Time
o Inadequate time: P(failure) = 1.0
o Barely adequate time (≈ 2/3 Nominal): 10
o Nominal time: 1
o Extra time (between 1 and 2 x nominal and > than 30 min): 0.1 X
o Expansive time (> 2 x nominal and > 30 min): 0.01
o Insufficient information: 1
Reasons: Time to loss of DHR is ~70 minutes (this includes time available for both diagnosis and action); time allocated to diagnose is 30 minutes. Time to diagnose is less than 5 minutes.

Stress
o Extreme: 5
o High: 2 X
o Nominal: 1
o Insufficient information: 1
Reasons: LOI caused elevated stress. An additional stressor was momentary loss of offsite power and subsequent failure to re-energize 1XP bus.

Complexity
o Highly: 5
o Moderately Complex: 2
o Nominal: 1
o (no level name): 0.5 X
o Obvious diagnosis: 0.1
o Insufficient information: 1
Reasons: Diagnosis requires monitoring a simple display. However, with loss of and recovery from LOOP, many annunciators are alarming to mask the event.

Experience/Training
o Low: 10
o Nominal: 1 X
o High: 0.5
o Insufficient information: 1

Procedures
o Not available: 50
o Incomplete: 1
o Available, but poor: 5
o Nominal: 1 X
o Diagnostic/symptom oriented: 0.5
o Insufficient information: 1

Ergonomics/HMI
o Missing/Misleading: 50
o Poor: 10
o Nominal: 1 X
o Good: 0.5
o Insufficient information: 1

Fitness for Duty
o Unfit: P(failure) = 1.0
o Degraded Fitness: 5
o Nominal: 1 X
o Insufficient information: 1

Work Processes
o Poor: 2
o Nominal: 1 X
o Good: 0.8
o Insufficient information: 1

NHEP = 1.00E-3
Negative PSFs adjustment (>3 negative PSFs): NA
Final Diagnosis HEP: 1.00E-03

This HFE will drive the risk results. A higher value to this HEP (by itself) - anything above 6E-3 - would drive the overall results into the red range. A lower value (by itself) - anything below 5E will drive the overall results into white. The analyst believes a 1E-3 value is reasonable; an appreciably lower value would expect the operator to be as effective as an automatic hardwired logic system. For example, the failure to operate probability of a process level logic is 6.25E-4 per demand, from NUREG/CR-6928, Industry-Average Performance for Components and Initiation Events at US Commercial NPPs, February 2007.

B2 HFE ID: SD-SLOI-FEED-XHE

HFE Definition

This HFE represents the failure of the operator to inject into the RCS via one of two methods to maintain or increase RCS level after recognizing that a LOI is in progress. The primary source is via the IA bleed transfer pump (IA BTP) or gravity feed from the BWST into the suction of the running LPI pumps. The IA BTP takes suction off the borated water holdup tank (BHUT) and injects into the discharge path of the LPI system.

Description and the Context Associated with the Event

The loss of offsite power has occurred and the slow transfer from the aux transformer to the backup has been completed. The running LPI/SDC pumps have stopped and automatically restarted. The operator has recognized that a loss of inventory is in progress and has entered the correct procedure (AP-26). All actions to this point are addressed by the preceding diagnostic HFE (SD-SLOI-DIAG-XHE). The operator must now determine how to inject water into the RCS to make up for the ongoing loss of inventory. Makeup must exceed the loss rate.

Most of the electrical loads re-energized as the slow transfer progressed. However, the 1XP 600 volt AC attempted to automatically re-energize but tripped on high in-rush current. It remained de-energized throughout the event and was not re-energized until several hours after the event. This complicated the event because it removed motive power from several front line systems that were required to mitigate the event. It removed power from the solenoid that ported air to the 1CS-46 valve, which is the 1A BTP injection valve. This made the IA BTP unavailable for injection. It also removed power from the 1LP-21 and 22 valves, which are the main isolation valves that need to be opened for gravity feed. However, in gravity feed mode these valves are opened using the hand wheel (a local action) and not the motor operator. Therefore, the 1XP unavailability had no immediate effect on the ability to gravity feed.

Operator Action Success Criteria

Injection must be established before RCS level drops to midloop to prevent loss of SDC due to cavitation of the LPI pumps. The flow rate must exceed the rate of loss of inventory; in this case that is approximately 100 gpm. Methods available to inject include the 1A BTP and gravity feed via the LP-21 or 22 valves. Other methods (i.e., HPI and realignment of LPI from SDC to injection from the BWST only) are credited in the late feed HFE but not the early attempt analyzed here.

Cues

The major portion of the diagnosis, and therefore the associated cues, are addressed in the previously occurring HFE (SD-SLOI-DIAG-XHE). However, the following additional cues were prompted by associated procedures:

o Decreasing RCS level
o Indication that the LPI pumps restarted on restoration of power
o LPI pumps were not cavitating

None of the above cues are annunciated; they are all supplied via indication.

Procedure + Relevant Steps

AP-26 rev 10, Loss of Decay Heat Removal supplies guidance on using the 1A BTP. The guidance is in Enclosure 5.12, which is titled LPI Makeup from 1A BHUT. This procedure opens three valves and starts the pump. All steps are performed locally. (As discussed above, this enclosure was entered but was not completed during the event because the 1CS-46 valve could not be opened due to the lack of power from the 1XP bus.)

AP-26 also supplies guidance on using gravity feed via the LP-21 and 22 valves. However, due to the scenario encountered during this event the procedural steps for gravity feed would never be reached. This appears to be a deficiency in AP-26, as demonstrated by the licensee's quick revision to AP-26 after the event to supply explicit direction to initiate gravity feed in the future. It should be noted that there was considerable discussion at the time of the site visit as to whether this revised guidance was the correct guidance.

Because of the inadequacies of AP-26, the operators reverted to alternative guidance for gravity feed supplied by a Pre-Job Briefing for Draining to RCS to Reduced Inventory/Mid-Loop. The pre-job briefing simply directs the operator with a single step to manually open either the LP-21 or 22 valves locally at the valve.

MCR or Local Action

Most of the actions are remote manual actions performed by equipment operators out in the plant. However, the guidance (procedure reading and decision making) is performed in the MCR. For example, the decision to leave AP-26 and enter into the pre-job briefing guidance was a cognitive step performed by the shift supervisor.

Diagnosis (with or w/o recovery) / Execution (with or w/o recovery) / Diagnosis + Execution

This HFE is primarily action but does contain some cognitive (diagnosis) effort in the decision making leading to the use of the pre-job briefing procedure.

Time Windows / Nominal / mean / median actions times

RCS level was decreasing at approximately one inch per minute. The indicated starting level was 70 inches; this is from a reference point of instrument zero at the center line of the hotleg. Shortly after reaching a level of 0, the running DHR pumps will need to be secured to prevent damage to them. This will be indicated to the operator by additional control room annunciators. Thus the time available for diagnosis and subsequent operator actions is approximately 70 minutes. Thirty minutes was allocated to perform the previous diagnosis and is handled by HFE SD-SLOI-DIAG-XHE.

A portion of the 70 minutes must be allocated to the event diagnosis action. The remaining time is left to perform this HFE. For HFE SD-SLOI-DIAG-XHE, 30 minutes of the total was allocated for diagnosis; this leaves the remaining 40 minutes to perform this action.

In the actual event, and as a point of reference, it took the operators 15 minutes to diagnose the event, enter the correct procedure and establish gravity injection.

Relevant Performance Shaping Factors

Only those PSFs which are or might be impacted are discussed here; all other PSFs remained at their nominal setting.

o Time: Nominal time was available for this action.

o Stress: With a LOI event occurring, stress was elevated. An additional stressor was the momentary loss of offsite power and a subsequent failure to re-energize the 1XP bus.

o Complexity:

  o For Enclosure 5-12 three valves need to be manipulated and one pump started. This is not a complex action.

  o For pre-job brief guidance a single valve needs to be opened. This is a simple action.

o Procedures: AP-26 is available but not up to standard, as it did not give direction to open the gravity feed valves (LP-21 or 22) under the conditions encountered during this event. However, the replacement instructions provided under the pre-job brief are simple and readily available. As evidence that AP-26 was poor, the licensee updated this procedure shortly after the event to clarify use of the LP-21 and 22 under future similar situations.

o Ergonomics/HMI: Access to the required local controls (valves and pump) is straightforward without restrictions or difficulties.

Define Subtasks / failure modes / assign BE id(s)

o Subtasks:

  o 1A BTP per Enclosure 5-12 requires three valves to be manipulated and one pump started.

  o Pre-job brief guidance requires a single valve to be opened.

o Failure modes:

  o MCR operator fails to direct the equipment operator to manipulate the correct valves or pump.

  o Equipment operator fails to manipulate the correct valves or pump in the appropriate manner.

o BE Id: SD-SLOI-FEED-XHE

Table B2a

HRA Worksheets for LPSD
SPAR HUMAN ERROR WORKSHEET
Part I. DIAGNOSIS WORKSHEET

Plant: Oconee
Initiation of Feed during SD
Basic Event: SD-SLOI-FEED-XHE
Basic Event Description: Operator Fails to Initiate Feed during Shutdown before loss of LPI/DHR

PSFs, PSF levels and multiplier for diagnosis. X marks the selected PSF level; the specific reasons for the PSF level selection are noted under the PSF.

Available Time
o Inadequate time: P(failure) = 1.0
o Barely adequate time (≈ 2/3 Nominal): 10
o Nominal time: 1 X
o Extra time (between 1 and 2 x nominal and > than 30 min): 0.1
o Expansive time (> 2 x nominal and > 30 min): 0.01
o Insufficient information: 1
Reasons: Time to loss of DHR is ~70 minutes. 30 minutes was allocated to previous diag. HEP. Time allocated to this action is 10 minutes. Time necessary to perform action is approximately 1 minute.

Stress
o Extreme: 5
o High: 2 X
o Nominal: 1
o Insufficient information: 1
Reasons: LOI caused elevated stress. An additional stressor was momentary loss of offsite power and subsequent failure to re-energize 1XP bus.

Complexity
o Highly: 5
o Moderately Complex: 2
o Nominal: 1
o Obvious diagnosis: 0.1 X
o Insufficient information: 1
Reasons: Once LOI is recognized and AP-26 entered, diagnosis of required procedure steps is simple.

Experience/Training
o Low: 10
o Nominal: 1 X
o High: 0.5
o Insufficient information: 1

Procedures
o Not available: 50
o Incomplete: 20
o Available, but poor: 5
o Nominal: 1 X
o Diagnostic/symptom oriented: 0.5
o Insufficient information: 1

Ergonomics/HMI
o Missing/Misleading: 50
o Poor: 10
o Nominal: 1 X
o Good: 0.5
o Insufficient information: 1

Fitness for Duty
o Unfit: P(failure) = 1.0
o Degraded Fitness: 5
o Nominal: 1 X
o Insufficient information: 1

Work Processes
o Poor: 2
o Nominal: 1 X
o Good: 0.8
o Insufficient information: 1

NHEP = 2.00E-3
Negative PSFs adjustment (>3 negative PSFs): NA
Final Diagnosis HEP: 2.00E-03

Table B2b

HRA Worksheets for LPSD
SPAR HUMAN ERROR WORKSHEET
Part II. ACTION WORKSHEET

Plant: Oconee
Initiation of Feed during SD
Basic Event: SD-SLOI-FEED-XHE
Basic Event Description: Operator Fails to Initiate Feed during Shutdown before loss of LPI/DHR

PSFs, PSF levels and multiplier for action. X marks the selected PSF level; the specific reasons for the PSF level selection are noted under the PSF.

Available Time
o Inadequate time: P(failure) = 1.0
o Time available is ≈ the time required: 10
o Nominal time: 1 X
o Time available is ≥ 5x the time required: 0.1
o Time available is ≥ 50x the time required: 0.01
o Insufficient information: 1
Reasons: Time to loss of DHR is ~70 minutes, time allocated to action is 30 minutes, time necessary to perform action is approximately 10 minutes.

Stress
o Extreme: 5
o High: 2 X
o Nominal: 1
o Insufficient information: 1
Reasons: LOI caused elevated stress. An additional stressor was momentary loss of offsite power and subsequent failure to re-energize 1XP bus.

Complexity
o Highly: 5
o Moderately: 2
o Nominal: 1 X
o Insufficient information: 1

Experience/Training
o Low: 3
o Nominal: 1 X
o High: 0.5
o Insufficient information: 1

Procedures
o Not available: 50
o Incomplete: 20
o Available but poor: 5
o (no level name): 2 X
o Nominal: 1
o Insufficient information: 1
Reasons: AP-26 is incomplete. Operator was required to move to "pre-job brief" to complete gravity injection.

Ergonomics/HMI
o Missing/Misleading: 50
o Poor: 10
o Nominal: 1 X
o Good: 0.5
o Insufficient information: 1

Fitness for Duty
o Unfit: P(failure) = 1.0
o Degraded Fitness: 5
o Nominal: 1 X
o Insufficient information: 1

Work Processes
o Poor: 5
o Nominal: 1 X
o Good: 0.5
o Insufficient information: 1

NHEP = 4.00E-3
Negative PSFs adjustment (>3 negative PSFs): NA
Final Action HEP: 4.00E-03

In the SPAR-H NUREG/CR-6883, the specified levels for the procedure PSF are insufficient, nominal, available but poor, incomplete and not available. The analyst chose a value halfway between nominal and incomplete based on the condition of the existing procedures as described above and assigned a multiplier of 2 for this PSF.
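The quantification behind the SD-SLOI-FEED-XHE diagnosis and action worksheets, written out as an added Python example that is not part of the NRC analysis: each part is a SPAR-H base rate times the selected PSF multipliers, and the two parts are summed without dependency. The base rates (1E-2 diagnosis, 1E-3 action) and the multiple-negative-PSF adjustment are taken from NUREG/CR-6883 rather than from this page, all function and variable names are the example's own, and it goes one step further by showing how the action HEP moves with the Procedures multiplier the analyst discusses.

```python
"""SPAR-H quantification of the SD-SLOI-FEED-XHE worksheets (added example)."""
import math

# Base (nominal) HEPs defined by SPAR-H, NUREG/CR-6883. The worksheets on this
# page print only the resulting product, so these two values are an input
# taken from the NUREG, not from the page.
NOMINAL_HEP = {"diagnosis": 1.0e-2, "action": 1.0e-3}

PSFS = ("time", "stress", "complexity", "experience", "procedures",
        "ergonomics", "fitness", "work_processes")

# Sentinel for worksheet levels marked "P(failure) = 1.0"
# (inadequate time, unfit for duty).
CERTAIN_FAILURE = math.inf


def spar_h_hep(task, selected, negative_threshold=3):
    """Return the HEP for one worksheet part.

    task      -- "diagnosis" or "action"
    selected  -- {psf: multiplier} for each PSF moved off nominal; PSFs that
                 are not listed keep the nominal multiplier of 1.
    negative_threshold -- count of negative PSFs (multiplier > 1) at which the
                 NUREG/CR-6883 adjustment replaces the plain product. The NUREG
                 applies it at three or more; the worksheets on this page label
                 the row ">3 negative PSFs" and mark it NA.
    """
    unknown = set(selected) - set(PSFS)
    if unknown:
        raise ValueError(f"unknown PSF(s): {sorted(unknown)}")
    multipliers = [selected.get(name, 1.0) for name in PSFS]
    if any(m <= 0 for m in multipliers):
        raise ValueError("PSF multipliers must be positive")
    if CERTAIN_FAILURE in multipliers:
        return 1.0
    nhep = NOMINAL_HEP[task]
    composite = math.prod(multipliers)
    negatives = sum(1 for m in multipliers if m > 1.0)
    if negatives >= negative_threshold:
        # Adjustment factor: keeps the HEP below 1.0 when several
        # negative PSFs compound.
        return nhep * composite / (nhep * (composite - 1.0) + 1.0)
    return min(1.0, nhep * composite)


def task_failure_without_dependency(diagnosis_hep, action_hep):
    """Part III of the worksheet: Pw/od = diagnosis HEP + action HEP."""
    return diagnosis_hep + action_hep


# Selected multipliers as marked on the SD-SLOI-FEED-XHE worksheets.
FEED_DIAGNOSIS = {"stress": 2, "complexity": 0.1}   # Table B2a, time nominal
FEED_ACTION = {"stress": 2, "procedures": 2}        # Table B2b, analyst's value of 2


def procedures_sensitivity():
    """Action HEP at each Procedures multiplier the analyst chose between."""
    candidates = {"nominal": 1, "analyst value": 2,
                  "available but poor": 5, "incomplete": 20}
    return {label: spar_h_hep("action", {**FEED_ACTION, "procedures": m})
            for label, m in candidates.items()}


if __name__ == "__main__":
    diag = spar_h_hep("diagnosis", FEED_DIAGNOSIS)
    act = spar_h_hep("action", FEED_ACTION)
    total = task_failure_without_dependency(diag, act)
    print(f"diagnosis {diag:.2E}  action {act:.2E}  Pw/od {total:.2E}")
    for label, hep in procedures_sensitivity().items():
        print(f"procedures = {label:<18} action HEP {hep:.2E}")
```
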

Table B2c

HRA Worksheets for LPSD
Part III - CALCULATE TASK FAILURE PROBABILITY WITHOUT FORMAL DEPENDENCY

Plant: Oconee
Initiation of Feed during SD
Basic Event: SD-SLOI-FEED-XHE

Diagnosis HEP + Action HEP = Pw/od
2.00E-03 + 4.00E-03 = 6.00E-03

B3 HFE ID: SD-SLOI-FEED-LT-XHE

HFE Definition

This HFE represents the failure of the operator to feed the RCS with one or more injection methods after the RCS level has decreased to midloop. Level reaching midloop requires securing the LPI pumps from SDC. The operator must diagnose the cavitation of the running LPI/SDC pumps by recognizing the loss of inventory, then secure the running LPI pumps. Finally, the operator is required to inject into the RCS via one of several methods to increase RCS level. The potentially available methods to inject are:

o IA bleed transfer pump (IA BTP)
o Gravity feed from the BWST into the suction of the LPI pumps
o Forced injection with a LPI pump
o Forced injection with a HPI pump

Description and Context Associated with Event

Previous to this HFE, RCS water level has continued to decrease unabated until midloop and the running LPI/SDC pumps have begun to cavitate. The operators have not isolated the leak nor injected into the RCS. Because the leak path is from the purification system via LPI and the hotleg, the loss of additional inventory ceases when level reaches the bottom of the hotleg. However, without SDC in service, boiling will result.

This condition causes two additional sets of annunciators to alarm in the MCR. They are the low flow and low differential pressure.

Most of the electrical loads re-energized as the slow transfer progressed. However, the 1XP 600 volt AC attempted to re-energize but tripped on high in-rush current. It remained de-energized throughout the event and was not re-energized until several hours after the event. This complicated the event because it removed motive power from several front line systems that were required to mitigate the event.

o It removed power from the solenoid that ported air to the 1CS-46 valve which is the 1A BTP injection valve. This made the IA BTP unavailable for injection.

o It also removed power from the 1LP-21 and 22 valves, which are the main isolation valves that need to be opened for gravity feed. However, in gravity feed mode these valves are opened using the hand wheel (a local action) and not the motor operator. Therefore, the 1XP unavailability had no immediate effect on the ability to gravity feed.

o To start an LPI pump in forced injection either the LP-21 or 22 valve would need to be fully opened. Normally this would be accomplished from the MCR using the motor operator. However, as discussed above, power was not available to these valves, so the valves would need to be opened manually at the valve. This would complicate the action.

The LPI pumps are available to perform forced injection. However, two of these pumps were previously running in SDC and had to be secured due to air entrainment and subsequent cavitation. These pumps would need to be filled and vented before they could be placed in injection mode. AP-26 supplies guidance on how to fill and vent the pumps.

The C HPI pump was not available. The A and B HPI pumps were inoperable but available with their 4kv pump motor breakers racked out.

Operator Action Success Criteria

Injection must be established before RCS level drops to the top of active fuel with subsequent core damage.

Time to boil from the bottom of the hotleg (per AP-26 Enclosure 5-5) is about 10 minutes.

Time to core uncovery is about one hour.

To prevent core damage, the injection flow rate must exceed the mass loss rate from boiling. This value is estimated at 100 gpm. To reflood the RCS and restart LPI/SDC a higher flow rate is required. This value is estimated at 200 gpm. Methods available to inject include the 1A BTP, gravity feed via the LP-21 or 22 valves, HPI, and realignment of LPI from SDC to injection from the BWST only.

Cues

o Low indicated RCS level on LT-5A or 5B
o Low Pressure Decay Heat Loop A (or B) Flow Low annunciator
o Low Pressure Injection Pump A (or B or C) Differential Pressure Low annunciator

Procedure and Relevant Steps

The Alarm Response Guides for the cues discussed above direct the operator to AP-26 rev 10, Loss of Decay Heat Removal.

o AP-26 rev 10, Loss of Decay Heat Removal supplies guidance on using the 1A BTP. The guidance is in Enclosure 5.12 which is titled LPI Makeup from 1A BHUT. This procedure opens three valves and starts the pump. All steps are performed locally. (As discussed above, this enclosure was entered but was not completed during the event because 1CS-46 valve could not be opened due to the lack of power from the 1XP bus.)

o AP-26 supplies guidance on using gravity feed via the LP-21 and 22 valves. However, due to the scenario encountered during this event the procedural steps for gravity feed would never be reached. This appears to be a deficiency in AP-26, as demonstrated by the utility's quick revision to AP-26 after the event to supply explicit direction to initiate gravity feed in the future. It should be noted that there was considerable discussion at the time of the site visit as to whether this revised guidance was the correct guidance.

Because of the inadequacies of AP-26, the operators reverted to alternative guidance for gravity feed supplied by a Pre-Job Briefing for Draining to RCS to Reduced Inventory/Mid-Loop. The pre-job briefing simply directs the operator with a single step to manually open either the LP-21 or 22 valves locally at the valve.

o AP-26 supplies guidance on realigning LPI from SDC to injection mode in Section 4C, steps 77 to 91; to perform this process also requires pump fill and venting, this is controlled by.6 which has an additional 10 steps.

Because of inadequacies of AP-26 as it applies to this LOI event, it would never direct the operator to perform these steps. It is assumed that the operator would arrive at these steps without the procedural guidance.

o AP-26 supplies guidance on placing HPI injection in service in Section 4C, steps 101 to 109. This process will rack in the required pump breakers.

Because of inadequacies of AP-26 as it applies to this LOI event, it would never direct the operator to perform these steps. It is assumed that the operator would arrive at these steps without the procedural guidance. As evidence that AP-26 was incomplete, the licensee updated this procedure shortly after the event to clarify use of the LP-21 and 22 under future similar situations.

MCR or Local Action

The diagnosis is performed in the MCR. Additional diagnosis would be required to perform gravity feed, LPI or HPI injection due to the inadequacies of AP-26. The action steps are a combination of MCR and local actions.

Diagnosis (with or w/o recovery) / Execution (with or w/o recovery) / Diagnosis + Execution

This HFE is a combination of action and diagnosis. It contains some cognitive (diagnosis) effort to recognize the loss of SDC due to cavitation and for performing steps out of sequence. These out of sequence steps are necessitated by the inadequacy of AP-26.

Time Windows / Nominal / mean / median actions times

Cavitation of the LPI/SDC pumps will occur approximately 70 minutes after the LOI starts. If no actions to inject water into the RCS are successful, core damage will occur approximately 90 minutes after loss of SDC (see AP-26, Enclosure 5.5, Table 2 Time to Core Uncovery Prior to Refueling for this estimate).

Time is allocated as follows: 10 minutes to diagnose the event (the cues for this event are fully annunciated) and enter the appropriate AP-26 steps. The remaining 80 minutes are allocated to start one of the four injection methods. Eighty minutes is sufficient time to perform injection with both IA BTP and gravity feed. This was demonstrated by the operators' ability to accomplish this during the actual event in 15 minutes. If neither of these methods is successful, there is time to attempt to realign LPI from SDC to injection and fill and vent the system. If this fails there is no time left to attempt HPI.

Relevant Performance Shaping Factors

Only those PSFs which are or might be impacted are discussed here.

o Time: Time will be an issue if these actions are required, as there is a limited amount of time and some of the actions are complex.

o Stress: Stress level would be increased for the following reasons: loss of inventory has occurred which the operator has failed initially to properly identify, the event has progressed to the point of requiring securing SDC due to cavitation, and the first method of injecting (1A BTP) will not work due to the loss of power on the 1XP bus.

o Complexity:

o Cues for diagnosis are very clear and unambiguous.

o Process for performing injection with 1A BTP is short.

o Process for performing gravity feed is a single step.

o Process for performing realignment of LPI and fill and vent is complex.

o Process for performing injection with HPI is short.

o Procedures: Procedure AP-26 is incomplete and ambiguous. It requires the operator to deviate from it as written and make decisions based on his skill to decide which method to use for injection.

Define Subtasks / failure modes / assign BE id(s)

o Subtasks:

  o Diagnoses
  o 1A BTP per Enclosure 5-12 requires three valves to be manipulated and one pump started
  o Pre-job brief guidance requires a single valve to be opened
  o Realign LPI for inject approximately 25 steps
  o Align HPI for injection approximately 8 steps

o Failure modes:

  o MCR operator fails to direct the equipment operator to manipulate the correct valves or pump.

  o MCR operator fails to manipulate the correct valves or pump in the appropriate manner.

  o Equipment operator fails to manipulate the correct valves or pump in the appropriate manner.

o BE Id: SD-SLOI-FEED-LT-XHE

Table B3a

HRA Worksheets for LPSD
SPAR HUMAN ERROR WORKSHEET
Part I. DIAGNOSIS WORKSHEET

Plant: Oconee
Initiation of Feed during SD
Basic Event: SD-SLOI-FEED-LT-XHE
Basic Event Description: Operator Fails to Initiate Feed during Shutdown before core damage after SDC failure

PSFs, PSF levels and multiplier for diagnosis. X marks the selected PSF level; the specific reasons for the PSF level selection are noted under the PSF.

Available Time
o Inadequate time: P(failure) = 1.0
o Barely adequate time (≈ 2/3 Nominal): 10
o Nominal time: 1
o Extra time (between 1 and 2 x nominal and > than 30 min): 0.1 X
o Expansive time (> 2 x nominal and > 30 min): 0.01
o Insufficient information: 1
Reasons: Total time available before CD for diagnosis and action is 90 minutes. Time allocated to diagnosis is 30 minutes. Time to diagnose is 5 minutes.

Stress
o Extreme: 5
o High: 2 X
o Nominal: 1
o Insufficient information: 1
Reasons: LOI caused elevated stress. An additional stressor was momentary loss of offsite power and subsequent failure to re-energize 1XP bus. In addition, loss of SDC has occurred.

Complexity
o Highly: 5
o Moderately Complex: 2
o Nominal: 1
o Obvious diagnosis: 0.1 X
o Insufficient information: 1
Reasons: Annunciators for 1) low DHR flow 2) low differential pressure and RCS level trending down.

Experience/Training
o Low: 10
o Nominal: 1 X
o High: 0.5
o Insufficient information: 1

Procedures
o Not available: 50
o Incomplete: 20
o Available, but poor: 5
o Nominal: 1 X
o Diagnostic/symptom oriented: 0.5
o Insufficient information: 1

Ergonomics/HMI
o Missing/Misleading: 50
o Poor: 10
o Nominal: 1 X
o Good: 0.5
o Insufficient information: 1

Fitness for Duty
o Unfit: P(failure) = 1.0
o Degraded Fitness: 5
o Nominal: 1 X
o Insufficient information: 1

Work Processes
o Poor: 2
o Nominal: 1 X
o Good: 0.8
o Insufficient information: 1

NHEP = 2.00E-4
Negative PSFs adjustment (>3 negative PSFs): NA
Final Diagnosis HEP: 2.00E-04

Table B3b

HRA Worksheets for LPSD
SPAR HUMAN ERROR WORKSHEET
Part II. ACTION WORKSHEET

Plant: Oconee
Initiation of Feed during SD
Basic Event: SD-SLOI-FEED-LT-XHE
Basic Event Description: Operator Fails to Initiate Feed during Shutdown before core damage after SDC failure

PSFs, PSF levels and multiplier for action. X marks the selected PSF level; the specific reasons for the PSF level selection are noted under the PSF.

Available Time
o Inadequate time: P(failure) = 1.0
o Time available is ≈ the time required: 10
o Nominal time: 1
o Time available is ≥ 5x the time required: 0.1 X
o Time available is ≥ 50x the time required: 0.01
o Insufficient information: 1
Reasons: Total time available before CD for diagnosis and action is 90 minutes. Time allocated to Action is 60 minutes. Estimated time to inject is 15 minutes.

Stress
o Extreme: 5
o High: 2 X
o Nominal: 1
o Insufficient information: 1
Reasons: LOI caused elevated stress. An additional stressor was momentary loss of offsite power and subsequent failure to re-energize 1XP bus. In addition, loss of SDC has occurred.

Complexity
o Highly: 5
o Moderately: 2
o Nominal: 1 X
o Insufficient information: 1
Reasons: If operators are required to go to HPI, or realign LPI for injection, these procedures are moderately complex.

Experience/Training
o Low: 3
o Nominal: 1 X
o High: 0.5
o Insufficient information: 1

Procedures
o Not available: 50
o Incomplete: 20
o Available but poor: 5 X
o Nominal: 1
o Insufficient information: 1
Reasons: AP-26 is incomplete. Operator was required to move to "pre-job brief" to complete gravity injection.

Ergonomics/HMI
o Missing/Misleading: 50
o Poor: 10
o Nominal: 1 X
o Good: 0.5
o Insufficient information: 1

Fitness for Duty
o Unfit: P(failure) = 1.0
o Degraded Fitness: 5
o Nominal: 1 X
o Insufficient information: 1

Work Processes
o Poor: 5
o Nominal: 1 X
o Good: 0.5
o Insufficient information: 1

NHEP = 1.00E-3
Negative PSFs adjustment (>3 negative PSFs): NA
Final Action HEP: 1.00E-03

Table B3c

HRA Worksheets for LPSD
Part III - CALCULATE TASK FAILURE PROBABILITY WITHOUT FORMAL DEPENDENCY

Plant: Oconee
Initiation of Feed during SD
Basic Event: SD-SLOI-FEED-LT-XHE

Diagnosis HEP + Action HEP = Pw/od
2.00E-04 + 1.00E-03 = 1.20E-03

B4 HFE ID: SD-SLOI-ISOL-AFD-XHE

HFE Definition

This HFE represents the failure of the operator to isolate the LOI caused by the open HP-43 relief valve in the purification system before RCS water level reaches the midloop. This is after the operator has succeeded in initiating feed into the RCS at a rate that prevents further decrease in RCS level.

Description and Context Associated with Event

Previous to this HFE, the operator has correctly diagnosed the LOI, and initiated makeup to the RCS at a rate greater than the rate of loss. The operator must work through the correct procedure (AP-26) and perform the appropriate steps to isolate the purification system from the LPI systems (and the RCS). In this event, isolating the purification system will isolate the leak.

The 1XP 600 volt AC bus is de-energized. However, it does not appear to have any impact on this action.

Operator Action Success Criteria

Isolate the open relief valve 1HP-47 by closing the LP-96 low pressure supply to purification block valve. Because feed to the RCS has already been accomplished, this action needs to be completed before the BWST is depleted.

Cues

The major portion of the diagnosis, and therefore the associated cues, are addressed in the previously occurring HFE (SD-SLOI-DIAG-XHE). However, the following cues are present:

o Increasing MWHUT level
o Decreasing BWST level

Procedure and Relevant Steps

AP-26 rev 10, Loss of Decay Heat Removal supplies guidance in Section 4C steps 2 and 3.

MCR or Local Action

Verification of purification alignment is in the MCR. Closure of LP-96 is a local action.

Diagnosis (with or w/o recovery) / Execution (with or w/o recovery) / Diagnosis + Execution

Action without recovery

Time Windows / Nominal / mean / median actions times

Because feed to the RCS has already been accomplished, this action needs to be completed before the BWST is depleted. At the time of the event there were approximately 360,000 gallons of water in the BWST. At an assumed injection rate of 200 gpm, the BWST would last approximately 30 hours before it will be depleted.

In the actual event, and as a point of reference, it took the operators 17 minutes to recognize the event, enter the correct procedure and isolate after event initiation.

Relevant Performance Shaping Factors

Only those PSFs which are or might be impacted are discussed here.

o Time: Expanded time is available
o Complexity: Simple

Define Subtasks / failure modes / assign BE id(s)

o Subtasks: Verify purification inservice and close LP-96

o Failure modes:

  o MCR operator fails to direct the equipment operator to manipulate the correct valves or pump.

  o Equipment operator fails to manipulate the correct valves or pump in the appropriate manner.

o BE Id: SD-SLOI-ISOL-AFD-XHE

Table B4a

HRA Worksheets for LPSD
SPAR HUMAN ERROR WORKSHEET

Plant: Oconee
Initiating Event:
Basic Event: SD-SLOI-ISOL-AFD-XHE
Basic Event Description: Operator fails to Isolate Loss of Inventory before core damage

Part II. ACTION WORKSHEET

PSFs                  PSF Levels                                    Multiplier for Action   Selected PSF
Available Time        Inadequate time                               P(failure) = 1.0
                      Time available is ≈ the time required         10
                      Nominal time                                  1
                      Time available is ≥ 5x the time required      0.1
                      Time available is ≥ 50x the time required     0.01                    X
                      Insufficient information                      1
Stress                Extreme                                       5
                      High                                          2
                      Nominal                                       1                       X
                      Insufficient information                      1
Complexity            Highly                                        5
                      Moderately                                    2
                      Nominal                                       1                       X
                      Insufficient information                      1
Experience/Training   Low                                           3
                      Nominal                                       1                       X
                      High                                          0.5
                      Insufficient information                      1
Procedures            Not available                                 50
                      Incomplete                                    20
                      Available but poor                            5
                      Nominal                                       1                       X
                      Insufficient information                      1
Ergonomics/HMI        Missing/Misleading                            50
                      Poor                                          10
                      Nominal                                       1                       X
                      Good                                          0.5
                      Insufficient information                      1
Fitness for Duty      Unfit                                         P(failure) = 1.0
                      Degraded Fitness                              5
                      Nominal                                       1                       X
                      Insufficient information                      1
Work Processes        Poor                                          5
                      Nominal                                       1                       X
                      Good                                          0.5
                      Insufficient information                      1

NHEP = 1.00E-5
Negative PSFs adjustment (>3 negative PSFs): NA
Final Action HEP: 1.00E-05

Please note specific reasons for PSF level selection in this column:

o 30 hours is available to perform this function. Takes about 15 minutes to perform.
o This is a simple task.

B5 HFE ID: SD-SLOI-ISOL-BRF-XHE

HFE Definition

This HFE represents the failure of the operator to isolate the LOI caused by the open HP-43 relief valve in the purification system before RCS water level reaches the midloop. This is after the operator has failed to initiate feed into the RCS at a rate that prevents further decrease in RCS level.

Description and Context Associated with Event

Previous to this HFE, the operator has correctly diagnosed the LOI, but has failed to initiate makeup to the RCS at a rate greater than the rate of loss. The operator must work through the correct procedure (AP-26) and perform the appropriate steps to isolate the purification system from the LPI systems (and the RCS). In this event, isolating the purification system will isolate the leak.

The 1XP 600 volt AC bus is de-energized. However, it does not appear to have any impact on this action.

Operator Action Success Criteria

Isolate the open relief valve 1HP-47 by closing the 1LP-96 low pressure supply to purification block valve before level drops to midloop conditions and the running LPI/SDC pumps need to be secured due to cavitation.

Cues

The major portion of the diagnosis, and therefore the associated cues, is addressed in the previously occurring HFE (SD-SLOI-DIAG-XHE). However, the following cues are present:

o Decreasing RCS level
o Increasing MWHUT level

Procedure and Relevant Steps

AP-26 rev 10, Loss of Decay Heat Removal, supplies guidance in Section 4C steps 2 and 3.

MCR or Local Action

Verification of purification alignment is in the MCR. Closure of LP-96 is a local action.

Diagnosis (with or w/o recovery) / Execution (with or w/o recovery) / Diagnosis + Execution

Action without recovery

Time Windows / Nominal / mean /median actions times

Because the operator has initially failed to feed the RCS, level continues to decrease. This action must be completed prior to level reaching midloop, at which point LPI/SDC will need to be secured. Level was decreasing at approximately one inch per minute. The indicated starting level was 70 inches; this is from a reference point of instrument zero at the center line of the hotleg (midloop). Shortly after reaching a level of 0, the running DHR pumps will need to be secured to prevent damage to them. Thus the time available for diagnosis and subsequent operator actions is approximately 70 minutes. The previous actions, however, are handled by HFE SD-SLOI-DIAG-XHE.

A portion of the 70 minutes must be allocated to the event diagnosis HFE. The remaining time is left to perform this HFE. For HFE SD-SLOI-DIAG-XHE, 30 minutes of the total was allocated for diagnosis; this leaves the remaining 40 minutes to perform this action.

In the actual event, and as a point of reference, the operators recognized the event, entered the correct procedure and isolated the leak in 17 minutes after event initiation.

Relevant Performance Shaping Factors

Only those PSF which are or might be impacted are discussed here.

o Time: Nominal time was available for this action
o Stress: With a LOI event occurring stress was elevated. In addition to the LOI an additional stressor was the momentary loss of offsite power and a subsequent failure to re-energize the 1XP bus.
o Complexity: Simple

Define Subtasks / failure modes / assign BE id(s)

o Subtasks: Verify purification inservice and close LP-96
o Failure modes:
   o MCR operator fails to direct the equipment operator to manipulate the correct valves or pump.
   o Equipment operator fails to manipulate the correct valves or pump in the appropriate manner.
o BE Id: SD-SLOI-ISOL-BRF-XHE

Table B5a

HRA Worksheets for LPSD
SPAR HUMAN ERROR WORKSHEET

Plant: Oconee
Initiating Event:
Basic Event: SD-SLOI-ISOL-BRF-XHE
Basic Event Description: Operator fails to Isolate Loss of Inventory before Loss of LPI/SDC

Part II. ACTION WORKSHEET

PSFs                  PSF Levels                                    Multiplier for Action   Selected PSF
Available Time        Inadequate time                               P(failure) = 1.0
                      Time available is ≈ the time required         10
                      Nominal time                                  1                       X
                      Time available is ≥ 5x the time required      0.1
                      Time available is ≥ 50x the time required     0.01
                      Insufficient information                      1
Stress                Extreme                                       5
                      High                                          2                       X
                      Nominal                                       1
                      Insufficient information                      1
Complexity            Highly                                        5
                      Moderately                                    2
                      Nominal                                       1                       X
                      Insufficient information                      1
Experience/Training   Low                                           3
                      Nominal                                       1                       X
                      High                                          0.5
                      Insufficient information                      1
Procedures            Not available                                 50
                      Incomplete                                    20
                      Available but poor                            5
                      Nominal                                       1                       X
                      Insufficient information                      1
Ergonomics/HMI        Missing/Misleading                            50
                      Poor                                          10
                      Nominal                                       1                       X
                      Good                                          0.5
                      Insufficient information                      1
Fitness for Duty      Unfit                                         P(failure) = 1.0
                      Degraded Fitness                              5
                      Nominal                                       1                       X
                      Insufficient information                      1
Work Processes        Poor                                          5
                      Nominal                                       1                       X
                      Good                                          0.5
                      Insufficient information                      1

NHEP = 2.00E-3
Negative PSFs adjustment (>3 negative PSFs): NA
Final Action HEP: 2.00E-03

Please note specific reasons for PSF level selection in this column:

o 40 minutes is available to perform this function. Takes about 15 minutes to perform.
o LOI caused elevated stress. An additional stressor was momentary loss of offsite power and subsequent failure to re-energize 1XP bus.
o This is a simple task.

B6 HFE ID: SD-SLOI-LTR1-XHE (BWST Makeup)

HFE Definition

This HFE represents the failure to makeup to the BWST. Operators have succeeded in initiating feed into the RCS in excess of the leakage rate from the LOI but have not been successful in terminating the leak. LPI/SDC is running. However, if the leak is not terminated, the BWST will eventually be depleted. Therefore, makeup to the BWST is required.

Description and Context Associated with Event

Prior to this action, the operators have successfully diagnosed the original LOI, they have succeeded in establishing flow into the RCS in excess of the inventory being lost through the leak, and thus SDC remains in service. However, they have not been successful in isolating the leak. Because of the relatively low required injection rate and the high inventory in the BWST, a significant amount of time is available to perform this action.

The 1XP 600 volt AC bus is de-energized. However, no known equipment required for this action is impacted.

Operator Action Success Criteria

Makeup to the BWST before it is depleted, at a rate greater than the rate at which water is being fed into the RCS.

Cues

o Decreasing level in the BWST
o BWST low level alarm(s)

Procedure and Relevant Steps

There is no procedure for BWST makeup. Makeup procedure is currently not known by NRC.

MCR or Local Action

It is anticipated that most actions are local.

Diagnosis (with or w/o recovery) / Execution (with or w/o recovery) / Diagnosis + Execution

Diagnosis and action without recovery

Time Windows / Nominal / mean /median actions times

BWST will be depleted in approximately 30 hours after injection is initiated.

Relevant Performance Shaping Factors

Only those PSF which are or might be impacted are discussed here.

o Time: Extensive time
o Stress: nominal
o Complexity: complex but routinely performed

Define Subtasks / failure modes / assign BE id(s)

o Subtasks: Unknown
o Failure modes:
   o MCR operator fails to direct the equipment operator to manipulate the correct valves or pump.
   o Equipment operator fails to manipulate the correct valves or pump in the appropriate manner.
o BE Id: SD-SLOI-LTR1-XHE

Table B6a

HRA Worksheets for LPSD
SPAR HUMAN ERROR WORKSHEET

Plant: Oconee
Initiating Event:
Basic Event: SD-SLOI-LTR1-XHE
Basic Event Description: Operator fails to Initiate BWST Makeup

Part I. DIAGNOSIS WORKSHEET

PSFs                  PSF Levels                                                  Multiplier for Diagnosis   Selected PSF
Available Time        Inadequate time                                             P(failure) = 1.0
                      Barely adequate time (≈ 2/3 Nominal)                        10
                      Nominal time                                                1
                      Extra time (between 1 and 2 x nominal and > than 30 min)    0.1
                      Expansive time (> 2 x nominal and > 30 min)                 0.01                       X
                      Insufficient information                                    1
Stress                Extreme                                                     5
                      High                                                        2
                      Nominal                                                     1                          X
                      Insufficient information                                    1
Complexity            Highly                                                      5
                      Moderately Complex                                          2
                      Nominal                                                     1
                      Obvious diagnosis                                           0.1                        X
                      Insufficient information                                    1
Experience/Training   Low                                                         10
                      Nominal                                                     1                          X
                      High                                                        0.5
                      Insufficient information                                    1
Procedures            Not available                                               50
                      Incomplete                                                  20
                      Available, but poor                                         5
                      Nominal                                                     1                          X
                      Diagnostic/symptom oriented                                 0.5
                      Insufficient information                                    1
Ergonomics/HMI        Missing/Misleading                                          50
                      Poor                                                        10
                      Nominal                                                     1                          X
                      Good                                                        0.5
                      Insufficient information                                    1
Fitness for Duty      Unfit                                                       P(failure) = 1.0
                      Degraded Fitness                                            5
                      Nominal                                                     1                          X
                      Insufficient information                                    1
Work Processes        Poor                                                        2
                      Nominal                                                     1                          X
                      Good                                                        0.8
                      Insufficient information                                    1

NHEP = 1.00E-5
Negative PSFs adjustment (>3 negative PSFs): NA
Final Diagnosis HEP: 1.00E-05

Please note specific reasons for PSF level selection in this column:

o Time available is 30 hours.
o Low level alarm as well as level indication.

Table B6b

HRA Worksheets for LPSD
SPAR HUMAN ERROR WORKSHEET

Plant: Oconee
Initiating Event:
Basic Event: SD-SLOI-LTR1-XHE
Basic Event Description: Operator fails to Initiate BWST Makeup

Part II. ACTION WORKSHEET

PSFs                  PSF Levels                                    Multiplier for Action   Selected PSF
Available Time        Inadequate time                               P(failure) = 1.0
                      Time available is ≈ the time required         10
                      Nominal time                                  1
                      Time available is ≥ 5x the time required      0.1
                      Time available is ≥ 50x the time required     0.01                    X
                      Insufficient information                      1
Stress                Extreme                                       5
                      High                                          2
                      Nominal                                       1                       X
                      Insufficient information                      1
Complexity            Highly                                        5
                      Moderately                                    2                       X
                      Nominal                                       1
                      Insufficient information                      1
Experience/Training   Low                                           3
                      Nominal                                       1                       X
                      High                                          0.5
                      Insufficient information                      1
Procedures            Not available                                 50
                      Incomplete                                    20                      X
                      Available but poor                            5
                      Nominal                                       1
                      Insufficient information                      1
Ergonomics/HMI        Missing/Misleading                            50
                      Poor                                          10
                      Nominal                                       1                       X
                      Good                                          0.5
                      Insufficient information                      1
Fitness for Duty      Unfit                                         P(failure) = 1.0
                      Degraded Fitness                              5
                      Nominal                                       1                       X
                      Insufficient information                      1
Work Processes        Poor                                          5
                      Nominal                                       1                       X
                      Good                                          0.5
                      Insufficient information                      1

NHEP = 4.00E-4
Negative PSFs adjustment (>3 negative PSFs): NA
Final Action HEP: 4.00E-04

Please note specific reasons for PSF level selection in this column:

o Time available is 30 hours.
o Making additional borated water is a complex process but one the plant routinely performs.
o No procedure available. However, due to the time available it is assumed that ad hoc guidance will be established. Therefore, incomplete was used for this PSF.

Table B6c

HRA Worksheets for LPSD

Plant: Oconee
Initiating Event:
Basic Event: SD-SLOI-LTR1-XHE

Part III - CALCULATE TASK FAILURE PROBABILITY WITHOUT FORMAL DEPENDENCY

Diagnosis HEP + Action HEP = Pw/od
1.00E-05 + 4.00E-04 = 4.10E-04

B7 HFE ID: SD-SLOI-LTR2-XHE (Restart LPI/SDC)

HFE Definition

This HFE represents failure to restore LPI in SDC mode of operations. Operators initially were not successful in initiating feed into the RCS but have recovered and subsequently started feed in excess of the leakage rate from the LOI. However, they have not been successful in terminating the leak. LPI/SDC is not running but RCS level has been raised above the minimum level required for LPI/SDC operation. This action restarts LPI/SDC.

Description and Context Associated with Event

Prior to this action, the operators have successfully diagnosed the original LOI; they have succeeded in recovering RCS level after an initial failure. However, they have not been successful in isolating the leak. SDC is not inservice. Because of the relatively low required injection rate and the high inventory in the BWST, a significant amount of time is available to perform this action.

The 1XP 600 volt AC bus is de-energized. Some LPI equipment has been affected, for example the LP-21 and 22 LPI suction valves from the BWST.

Operator Action Success Criteria

Operators restore SDC to operation.

Cues

o Knowledge that the running LPI/SDC pumps had been secured due to low RCS level and cavitation.

Procedure and Relevant Steps

AP-26 supplies guidance on realigning LPI for SDC mode in Section 4C, steps 24 to 40 and steps 73 to 75. Performing this process also requires pump fill and venting; this is controlled by Enclosure 5.6, which has an additional 10 steps.

MCR or Local Action

Actions are a combination of MCR and local.

Diagnosis (with or w/o recovery) / Execution (with or w/o recovery) / Diagnosis + Execution

Action without recovery

Time Windows / Nominal / mean /median actions times

As RCS makeup in excess of the loss rate has been established, a long time is available to restore LPI/SDC. It is assumed that at least 10 hours are available.

Relevant Performance Shaping Factors

Only those PSF which are or might be impacted are discussed here.

o Time: Extensive time
o Stress: nominal
o Complexity: complex but routinely performed

Define Subtasks / failure modes / assign BE id(s)

o Subtasks: Unknown
o Failure modes:
   o MCR operator fails to direct the equipment operator to manipulate the correct valves or pump.
   o Equipment operator fails to manipulate the correct valves or pump in the appropriate manner.
o BE Id: SD-SLOI-LTR2-XHE

Table B7a

HRA Worksheets for LPSD
SPAR HUMAN ERROR WORKSHEET

Plant: Oconee
Initiating Event:
Basic Event: SD-SLOI-LTR2-XHE
Basic Event Description: Operator fails to recover LPI in SDC mode.

Part II. ACTION WORKSHEET

PSFs                  PSF Levels                                    Multiplier for Action   Selected PSF
Available Time        Inadequate time                               P(failure) = 1.0
                      Time available is ≈ the time required         10
                      Nominal time                                  1
                      Time available is ≥ 5x the time required      0.1                     X
                      Time available is ≥ 50x the time required     0.01
                      Insufficient information                      1
Stress                Extreme                                       5
                      High                                          2
                      Nominal                                       1                       X
                      Insufficient information                      1
Complexity            Highly                                        5
                      Moderately                                    2                       X
                      Nominal                                       1
                      Insufficient information                      1
Experience/Training   Low                                           3
                      Nominal                                       1                       X
                      High                                          0.5
                      Insufficient information                      1
Procedures            Not available                                 50
                      Incomplete                                    20
                      Available but poor                            5
                      Nominal                                       1                       X
                      Insufficient information                      1
Ergonomics/HMI        Missing/Misleading                            50
                      Poor                                          10
                      Nominal                                       1                       X
                      Good                                          0.5
                      Insufficient information                      1
Fitness for Duty      Unfit                                         P(failure) = 1.0
                      Degraded Fitness                              5
                      Nominal                                       1                       X
                      Insufficient information                      1
Work Processes        Poor                                          5
                      Nominal                                       1                       X
                      Good                                          0.5
                      Insufficient information                      1

NHEP = 2.00E-4
Negative PSFs adjustment (>3 negative PSFs): NA
Final Action HEP: 2.00E-04

Please note specific reasons for PSF level selection in this column:

o Venting of the SDC train is required.
o Extensive time is available to recover SDC (>10 hours). It is estimated that filling and venting SDC will take 30 minutes. Restarting the system once filled is 10 minutes.
o This task is complex.
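The arithmetic behind the worksheets in Tables B4a to B7a, as an added example that is not part of the NRC analysis: each HEP is a nominal HEP multiplied by the multipliers of the selected PSF levels, and diagnosis and action parts are summed as in Table B6c. The nominal HEPs (1E-2 for diagnosis, 1E-3 for action) and the negative-PSF adjustment formula are taken from the SPAR-H method (NUREG/CR-6883) and are assumptions here, since neither is printed on this page; the function and variable names are hypothetical.

```python
"""SPAR-H worksheet arithmetic for Tables B4a to B7a (added example)."""
from math import prod

# Nominal HEPs of the SPAR-H method (NUREG/CR-6883). They are not printed in
# the worksheets on this page and are supplied here as an assumption.
NOMINAL_HEP = {"diagnosis": 1.0e-2, "action": 1.0e-3}


def spar_h_hep(kind, multipliers, min_negative=3):
    """HEP for one worksheet part (diagnosis or action).

    multipliers maps each PSF that is not Nominal to the multiplier of its
    selected level. min_negative is the count of negative PSFs (multiplier
    above 1) at which the SPAR-H adjustment replaces the plain product; it is
    a parameter because the worksheet label on this page reads ">3".
    """
    for name, m in multipliers.items():
        if m <= 0:
            raise ValueError(f"{name}: multiplier must be positive, got {m}")
    nhep = NOMINAL_HEP[kind]
    composite = prod(multipliers.values())
    negative = sum(1 for m in multipliers.values() if m > 1)
    if negative >= min_negative:
        # The adjustment keeps the result a probability when penalties stack.
        return nhep * composite / (nhep * (composite - 1) + 1)
    return min(1.0, nhep * composite)


# Selected (non-Nominal) PSF levels read from the "X" marks in each table,
# with the final HEP reported on the page for comparison.
WORKSHEETS = {
    "SD-SLOI-ISOL-AFD-XHE": ([("action", {"time": 0.01})], 1.0e-5),
    "SD-SLOI-ISOL-BRF-XHE": ([("action", {"stress": 2})], 2.0e-3),
    "SD-SLOI-LTR1-XHE": (
        [("diagnosis", {"time": 0.01, "complexity": 0.1}),
         ("action", {"time": 0.01, "complexity": 2, "procedures": 20})],
        4.1e-4,
    ),
    "SD-SLOI-LTR2-XHE": ([("action", {"time": 0.1, "complexity": 2})], 2.0e-4),
}


def task_hep(parts):
    """Task failure probability without formal dependency (Table B6c form)."""
    return sum(spar_h_hep(kind, mult) for kind, mult in parts)


def report():
    """Computed HEP per basic event."""
    return {be: task_hep(parts) for be, (parts, _) in WORKSHEETS.items()}


def mismatches(rel_tol=1e-6):
    """Basic events whose computed HEP differs from the value on the page."""
    out = []
    for be, (parts, reported) in WORKSHEETS.items():
        computed = task_hep(parts)
        if abs(computed - reported) > rel_tol * reported:
            out.append((be, computed, reported))
    return out


if __name__ == "__main__":
    for be, hep in report().items():
        print(f"{be:24s} {hep:.2E}")
    print("mismatches:", mismatches())
```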

Analysis of Dependency between HEP

The initial dependency analysis between multiple operator actions was also performed using NUREG/CR-6883.

The approach used to resolve these dependencies follows the method prescribed in the SPAR-H guidance. The analyst deviated from the SPAR-H methodology when events that contained intervening successes between failed human actions were encountered. Under these situations zero dependency was assigned. The results are summarized in Table 2 above and follow the dependency model used in the SPAR-H method.

The 2003 version of the ASME PRA Standard requires that the total combined probability of all the HEPs in the same accident sequence or cutset should not be less than a justified value. The 2005 version of this standard removes this requirement. However, NUREG-1792, Good Practices for Implementing Human Reliability Analysis, Section 5.3.3.6, recommends a minimum cutoff value of 1E-5. As a starting point the analyst used this value. Because the final results are dominated by a single sequence involving a value above the cutoff, applying a cutoff will not materially impact the results. Therefore no further cutoff analyses were applied to this SDP at this time.

The equations that were used to calculate the dependency were as follows:

Complete Dependence: the probability of failure = 1.0
High Dependence: the probability of failure = (1 + P)/2
Moderate Dependence: the probability of failure = (1 + 6P)/7
Low Dependence: the probability of failure = (1 + 19P)/20
Weak Dependence: the probability of failure = (1 + 99P)/100

The final rule above is an additional deviation from the SPAR-H methodology. It was deemed necessary to account for those situations where the dependency between actions existed but the analyst determined that the influences were less than low. An example is two actions in the plant that were performed by different equipment operators (sometimes referred to as aux operators) who were directed to perform their specific actions by different reactor operators, who in turn were ultimately directed by the shift supervisor. Finally, SAPHIRE rules were then created to search the cutset results for the various combinations of HEPs, and the cutsets were modified appropriately.

Tables B8 to B14 contain the dependency event trees for these dependent HEPs as determined by the SPAR-H methodology. However, as discussed above, where deemed appropriate, the analyst deviated from the SPAR-H rules and imposed a lower value for the dependencies. This is discussed in the individual dependency analysis below.
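The dependency equations above applied to the independent HEPs of Sections B8 to B14, as an added example that is not part of the NRC analysis; it also shows how the dominant cut set of Appendix C changes between the value the analyst used and the SPAR-H value. Mapping the 1.1E-2 and 1.2E-2 values to the weak dependence rule is an inference made here because that equation reproduces them; function and variable names are hypothetical.

```python
"""Dependency adjustment of HEPs with the equations of this appendix (added example)."""
from math import prod

# k in P(failure | preceding failure) = (1 + k*P) / (k + 1).
# "weak" is the analyst's added rule described above, not a SPAR-H level.
K = {"complete": 0, "high": 1, "moderate": 6, "low": 19, "weak": 99}


def conditional_hep(p, level):
    """HEP of an action given that the preceding action in the sequence failed."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"HEP must be a probability, got {p}")
    if level == "zero":
        return p  # independent: the HEP is used unchanged
    k = K[level]
    return (1 + k * p) / (k + 1)


def sig2(x):
    """Round to two significant figures, the precision reported on the page."""
    return float(f"{x:.1e}")


# (modified HEP, independent HEP of the later action, SPAR-H level, level used)
# HEPs and SPAR-H levels are from Sections B8 to B14; "weak" in the last
# column is inferred from the values the analyst reports (assumption).
CASES = [
    ("SD-SLOI-FEED-LT-XHE-D1", 1.2e-3, "low", "weak"),
    ("SD-SLOI-ISOL-BRF-XHE-D2", 2.0e-3, "low", "weak"),
    ("SD-SLOI-FEED-LT-XHE-D2", 1.2e-3, "moderate", "low"),
    ("SD-SLOI-FEED-LT-XHE-D3", 1.2e-3, "low", "weak"),
    ("SD-SLOI-FEED-LT-XHE-D4", 1.2e-3, "low", "weak"),
    ("SD-SLOI-ISOL-BRF-XHE-D6", 2.0e-3, "low", "weak"),
    ("SD-SLOI-LTR1-XHE-D7", 4.1e-4, "zero", "zero"),
]


def dependency_table():
    """Return {modified HEP: (SPAR-H value, value used)} at two significant figures."""
    return {
        name: (sig2(conditional_hep(p, spar)), sig2(conditional_hep(p, used)))
        for name, p, spar, used in CASES
    }


def cutset(*event_probs):
    """Cut set probability: the product of its basic event probabilities."""
    return prod(event_probs)


def dominant_cutset_sensitivity():
    """Cut set 1 of Appendix C with the value used and with the SPAR-H value."""
    initiator = 1.0   # SD-IE-SLOI-OC
    diagnosis = 1.0e-3  # SD-SLOI-DIAG-XHE
    spar, used = dependency_table()["SD-SLOI-FEED-LT-XHE-D1"]
    return cutset(initiator, diagnosis, used), cutset(initiator, diagnosis, spar)


if __name__ == "__main__":
    for name, (spar, used) in dependency_table().items():
        print(f"{name:26s} SPAR-H {spar:.1E}   used {used:.1E}")
    used, spar = dominant_cutset_sensitivity()
    print(f"cut set 1: {used:.3E} as used, {spar:.3E} with the SPAR-H value")
```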

B8 SD-SLOI-FEED-LT-XHE-D1

This modified HEP accounts for the dependence between the diagnosis of the initial event and the subsequent action to perform injection once level reaches the midloop level requiring the shutdown of the running LPI/SDC pumps. The dependency analysis is shown in Table B8. Both actions are performed by the same crew; however, they are separated by approximately 70 minutes. The actions are performed on different panels in the main control room (MCR). Additional cues are received when midloop level is reached as the running SDC pumps begin to cavitate. There are no intervening successes. The SPAR-H methodology determines this to be a low dependence. However, the analyst used a dependent HEP value of 1.1E-2 instead of the SPAR-H value of 5.1E-2 based on the length of time between the two events and the strength of the additional cues received at the time of the second HFE. This dependent HEP can occur in Sequence 10.

B9 SD-SLOI-ISOL-BRF-XHE-D2

This modified HEP accounts for the dependence between the HFE representing the initial injection into the RCS prior to loss of SDC and the additional action to isolate the leak. This step accounts for the dependency between the first pair of HFEs in Sequence 7, which under some conditions can contain three HFEs. The dependency analysis is shown in Table B9. Both actions occur simultaneously and are performed by different members of the same crew. Both actions are directed by the MCR operator but are performed by different equipment operators. It is important to note that both actions are ultimately dependent on proper analysis of the situation and use of AP-26 performed by the shift supervisor; if this were not the case the actions would be independent. Additional cues are received by different portions of AP-26. There are no intervening successes. The SPAR-H methodology determines this to be a low dependence. However, the analyst used a dependent HEP value of 1.2E-2 instead of the SPAR-H value of 5.2E-2 because two different equipment operators performed these actions. This dependent HEP can occur in Sequence 7.

B10 SD-SLOI-FEED-LT-XHE-D2

This modified HEP accounts for the dependence between the HFE representing the action to isolate the leak and the subsequent action to inject late into the RCS. This step accounts for the dependency between the second pair of HFEs in a sequence containing three HFEs. The initial pair is analyzed in Section B10 above. The HFE pair is shown in Table B10. It should be recognized that prior to attempting to perform the late injection (the second of these two HFEs) the operator has failed to perform an early injection. The consequence of this earlier failure is that water level has dropped to midloop, necessitating the shutdown of the operating SDC pumps. The first action occurs early while the second action occurs 70 minutes into the event and is assumed to be performed by the same crew. Both actions are directed by the MCR operator but are performed by different equipment operators. Additional cues are received when level reaches midloop as the SDC pumps begin to cavitate. There are no intervening successes. The SPAR-H methodology determines this to be a moderate dependence. However, the analyst used low dependency, yielding a dependent HEP value of 5.1E-2 instead of the SPAR-H value of 1.4E-1, because of the significant time lag between the two actions. This dependent HEP can occur in Sequence 7.

B11 SD-SLOI-FEED-LT-XHE-D3

This modified HEP accounts for the dependence between the HFE representing the action to isolate the leak and the subsequent action to inject late into the RCS. In contrast to the previous HFE pair discussed in Section B11 above, this pair is not preceded by an earlier HFE. This HFE pair is shown in Table B4. Prior to the second of these actions, water level has dropped to midloop, necessitating the shutdown of the operating SDC pumps. The first action occurs early while the second action occurs 70 minutes into the event and is assumed to be performed by the same crew. Both actions are directed by the MCR operator but are performed by different equipment operators. Additional cues are received when level reaches midloop as the SDC pumps begin to cavitate. There are no intervening successes. The SPAR-H methodology determines this to be a low dependence. However, the analyst used a dependent HEP value of 1.1E-2 instead of the SPAR-H value of 5.1E-2 because of the significant time lag between the two actions. This dependent HEP can occur in Sequence 7.

B12 SD-SLOI-FEED-LT-XHE-D4

This modified HEP accounts for the dependence between the HFE representing the action to perform an early injection (early meaning before level drops to midloop requiring securing the running SDC pumps) and the subsequent action to inject late into the RCS. This HFE pair is shown in Table B12. Prior to the second of these actions, water level has dropped to midloop, necessitating the shutdown of the operating SDC pumps. The first action occurs early while the second action occurs 70 minutes into the event; both events are assumed to be performed by the same crew. Both actions are directed by the MCR operator but are performed by different equipment operators. Additional cues are received when level reaches midloop as the SDC pumps begin to cavitate. There is an intervening success, which is isolation of the leak. The SPAR-H methodology determines this to be a low dependence. However, the analyst used a dependent HEP value of 1.1E-2 instead of the SPAR-H value of 5.1E-2 because of the significant time lag between the two actions. This dependent HEP can occur in Sequence 7.

B13 SD-SLOI-ISOL-BRF-XHE-D6

This modified HEP accounts for the dependence between the HFE representing the initial injection into the RCS prior to loss of SDC and the additional action to isolate the leak. The dependency analysis is shown in Table B13. Both actions occur simultaneously and are performed by different members of the same crew. Both actions are directed by the MCR operator but are performed by different equipment operators. It is important to note that both actions are ultimately dependent on proper analysis of the situation and use of AP-26 performed by the shift supervisor; if this were not the case the actions would be independent. Additional cues are received by different portions of AP-26. There are no intervening successes. The SPAR-H methodology determines this to be a low dependence. However, the analyst used a dependent HEP value of 1.2E-2 instead of the SPAR-H value of 5.2E-2 because two different equipment operators performed these actions. This dependent HEP can occur in Sequences 6 and 7.

B14 SD-SLOI-LTR1-XHE-D7

This modified HEP accounts for the dependence between the HFE representing the action to isolate the leak and the subsequent action to makeup to the BWST prior to its depletion. It should be noted that this occurs after an initial success to establish feed of the RCS from the BWST. This HFE pair is shown in Table B14. The first failed action occurs relatively early while the second action occurs very late. The second action is not required until approximately 30 hours after event initiation. Because of the late time of this event it is assumed to be performed by a different crew. Both actions are directed by the MCR operator but are performed by different equipment operators. Additional cues are received when BWST level decreases to the point requiring refill. There are no intervening successes. The SPAR-H methodology determines this to be a zero dependence based on the performance by different crews. This yields a value of 4.1E-4. This dependent HEP can occur in Sequence 3.


Table B8: SD-SLOI-FEED-LT-XHE-D1 (dependency event tree)

Event tree headings: 1st Action; 2nd Action; 3rd Action; 4th Action; Multiple Human Errors; Same or Different Crew; Time Between Events Close or Not Close; Same or Different Location; Additional Cues?; Intervening Success?; Dependence Level; Comment

1st Action: SD-SLOI-DIAG-XHE, Independent HEP 1.00E-03
2nd Action: SD-SLOI-FEED-LT-XHE, Independent HEP 1.20E-03
Dependence Level: LD
Conditional HEP = 5.1E-02
Total Un-conditional Joint HEP = 1.2E-06
Total Conditional Joint HEP = 5.1E-05

Table B9: SD-SLOI-BRF-XHE-D2 (dependency event tree)

Event tree headings: 1st Action; 2nd Action; 3rd Action; 4th Action; Multiple Human Errors; Same or Different Crew; Time Between Events Close or Not Close; Same or Different Location; Additional Cues?; Intervening Success?; Dependence Level; Comment

1st Action: SD-SLOI-FEED-XHE, Independent HEP 6.00E-03
2nd Action: SD-SLOI-ISOL-BRF-XHE, Independent HEP 2.00E-03
Dependence Level: LD
Conditional HEP = 5.2E-02
Total Un-conditional Joint HEP = 1.2E-05
Total Conditional Joint HEP = 3.1E-04

Table B10: SD-SLOI-FEED-LT-XHE-D2 (dependency event tree)

Event tree headings: 1st Action; 2nd Action; 3rd Action; 4th Action; Multiple Human Errors; Same or Different Crew; Time Between Events Close or Not Close; Same or Different Location; Additional Cues?; Intervening Success?; Dependence Level; Comment

1st Action: SD-SLOI-FEED-XHE, Independent HEP 6.00E-03
2nd Action: SD-SLOI-ISOL-BRF-XHE, Independent HEP 2.00E-03
3rd Action: SD-SLOI-FEED-LT-XHE, Independent HEP 1.20E-03
Dependence Level: LD, md
Conditional HEP = 5.2E-02, 1.4E-01
Other values shown: 1.0E+00, 1.4E-01
Total Un-conditional Joint HEP = 1.4E-08
Total Conditional Joint HEP = 4.4E-05

Table B11: SD-SLOI-FEED-LT-XHE-D3 (dependency event tree)

Event tree headings: 1st Action; 2nd Action; 3rd Action; 4th Action; Multiple Human Errors; Same or Different Crew; Time Between Events Close or Not Close; Same or Different Location; Additional Cues?; Intervening Success?; Dependence Level; Comment

1st Action: SD-SLOI-ISOL-BRF-XHE, Independent HEP 2.00E-03
2nd Action: SD-SLOI-FEED-LT-XHE, Independent HEP 1.20E-03
Dependence Level: LD
Conditional HEP = 5.1E-02
Total Un-conditional Joint HEP = 2.4E-06
Total Conditional Joint HEP = 1.0E-04

Table B12: SD-SLOI-FEED-LT-XHE-D4 (dependency event tree)

Event tree headings: 1st Action; 2nd Action; 3rd Action; 4th Action; Multiple Human Errors; Same or Different Crew; Time Between Events Close or Not Close; Same or Different Location; Additional Cues?; Intervening Success?; Dependence Level; Comment

1st Action: SD-SLOI-FEED-XHE, Independent HEP 6.00E-03
2nd Action: SD-SLOI-FEED-LT-XHE, Independent HEP 1.20E-03
Dependence Level: LD
Conditional HEP = 5.1E-02
Total Un-conditional Joint HEP = 7.2E-06
Total Conditional Joint HEP = 3.1E-04

Table B13: SD-SLOI-BRF-XHE-D6 (dependency event tree)

Event tree headings: 1st Action; 2nd Action; 3rd Action; 4th Action; Multiple Human Errors; Same or Different Crew; Time Between Events Close or Not Close; Same or Different Location; Additional Cues?; Intervening Success?; Dependence Level; Comment

1st Action: SD-SLOI-FEED-XHE, Independent HEP 6.00E-03
2nd Action: SD-SLOI-ISOL-BRF-XHE, Independent HEP 2.00E-03
Dependence Level: ld
Conditional HEP = 5.2E-02
Total Un-conditional Joint HEP = 1.2E-05
Total Conditional Joint HEP = 3.1E-04

Table B14: SD-SLOI-LTR1-XHE-D7 (dependency event tree)

Event tree headings: 1st Action; 2nd Action; 3rd Action; 4th Action; Multiple Human Errors; Same or Different Crew; Time Between Events Close or Not Close; Same or Different Location; Additional Cues?; Intervening Success?; Dependence Level; Comment

1st Action: SD-SLOI-ISOL-AFD-XHE, Independent HEP 1.00E-05
2nd Action: SD-SLOI-LTR1-XHE, Independent HEP 4.10E-04
Dependence Level: ZD
Conditional HEP = 4.1E-04
Total Un-conditional Joint HEP = 4.1E-09
Total Conditional Joint HEP = 4.1E-09

Appendix C: Base Case Cutset

Sort/Slice Cut Set Report
Project: OCON-SD-345
Event Tree: SD-SLOI-OC
Sequence: MULTIPLE
Min Cut Upper Bound: 1.558E-005
Top 10 cut sets
This Partition: 1.552E-005

| Cut No. | % Total | % Cut Set | Prob./Frequency | Basic Event | Description | Event Prob. |
|---|---|---|---|---|---|---|
| 1 | 70.59 | 70.59 | 1.100E-005 | SD-IE-SLOI-OC | SLOI Outside of Containment Occurs | 1.000E+000 |
| | | | | SD-SLOI-DIAG-XHE | Operators fail to diagnose small LOI outside of containment before loss of SDC | 1.000E-003 |
| | | | | SD-SLOI-FEED-LT-XHE-D1 | Operators fail to initiate feed after loss of SDC; before core damage | 1.100E-002 |
| 2 | 94.15 | 23.56 | 3.672E-006 | SD-IE-SLOI-OC | SLOI Outside of Containment Occurs | 1.000E+000 |
| | | | | SD-SLOI-FEED-LT-XHE-D2 | Operators fail to initiate feed after loss of SDC; before core damage | 5.100E-002 |
| | | | | SD-SLOI-FEED-XHE | Operator fails to initiate feed before loss of SDC | 6.000E-003 |
| | | | | SD-SLOI-ISOL-BRF-XHE-D2 | Operator fail to terminate SLOI leak before SDC fails | 1.200E-002 |
| 3 | 96.78 | 2.63 | 4.100E-007 | SD-IE-SLOI-OC | SLOI Outside of Containment Occurs | 1.000E+000 |
| | | | | SD-SLOI-DIAG-XHE | Operators fail to diagnose small LOI outside of containment before loss of SDC | 1.000E-003 |
| | | | | SD-SLOI-LTR1-XHE | Operators fail to Refill BWST as Part of Long Term Recovery | 4.100E-004 |
| 4 | 98.06 | 1.28 | 2.000E-007 | SD-IE-SLOI-OC | SLOI Outside of Containment Occurs | 1.000E+000 |
| | | | | SD-SLOI-DIAG-XHE | Operators fail to diagnose small LOI outside of containment before loss of SDC | 1.000E-003 |
| | | | | SD-SLOI-LTR2-XHE | Operators fail to Restart LPI in SDC Mode as Part of Long Term Recovery | 2.000E-004 |
| 5 | 98.70 | 0.64 | 1.000E-007 | SD-IE-SLOI-OC | SLOI Outside of Containment Occurs | 1.000E+000 |
| | | | | SD-SLOI-DIAG-XHE | Operators fail to diagnose small LOI outside of containment before loss of SDC | 1.000E-003 |
| | | | | SD-SLOI-MU-BWST | Equipment Failures for Makeup to BWST | 1.000E-004 |
| 6 | 99.04 | 0.34 | 5.225E-008 | SD-IE-SLOI-OC | SLOI Outside of Containment Occurs | 1.000E+000 |
| | | | | ACP-CBR-CF-N1N2 | CCF of MAIN FEEDER BREAKERS N1 & N2 TO OPEN | 5.225E-005 |
| | | | | SD-SLOI-DIAG-XHE | Operators fail to diagnose small LOI outside of containment before loss of SDC | 1.000E-003 |
| 7 | 99.23 | 0.19 | 2.952E-008 | SD-IE-SLOI-OC | SLOI Outside of Containment Occurs | 1.000E+000 |
| | | | | SD-SLOI-FEED-XHE | Operator fails to initiate feed before loss of SDC | 6.000E-003 |
| | | | | SD-SLOI-ISOL-BRF-XHE-D6 | Operator fail to terminate SLOI leak before SDC fails | 1.200E-002 |
| | | | | SD-SLOI-LTR1-XHE | Operators fail to Refill BWST as Part of Long Term Recovery | 4.100E-004 |
| 8 | 99.39 | 0.16 | 2.430E-008 | SD-IE-SLOI-OC | SLOI Outside of Containment Occurs | 1.000E+000 |
| | | | | DHR-MOV-CF-DISCH | CCF OF DHR/LPI DISCHARGE MOVs | 2.430E-005 |
| | | | | SD-SLOI-DIAG-XHE | Operators fail to diagnose small LOI outside of containment before loss of SDC | 1.000E-003 |
| 9 | 99.50 | 0.11 | 1.747E-008 | SD-IE-SLOI-OC | SLOI Outside of Containment Occurs | 1.000E+000 |
| | | | | LSW-STR-CF-3SF | CCF OF UNIT 3 LPSW SYSTEM PUMP SEAL WATER FILTERS | 1.747E-005 |
| | | | | SD-SLOI-DIAG-XHE | Operators fail to diagnose small LOI outside of containment before loss of SDC | 1.000E-003 |
| 10 | 99.61 | 0.11 | 1.747E-008 | SD-IE-SLOI-OC | SLOI Outside of Containment Occurs | 1.000E+000 |
| | | | | LSW-STR-CF-3DS | CCF OF UNIT 3 LPSW MDP SUCTION DUPLEX FILTERS | 1.747E-005 |
| | | | | SD-SLOI-DIAG-XHE | Operators fail to diagnose small LOI outside of containment before loss of SDC | 1.000E-003 |

2008/10/31 17:57:48
Model Rev. 3.45 2008/07/08