ML100710755

From kanterella
Jump to navigation Jump to search
Attachment 6 to DCL-10-028, Impacts of PRA Open Items/Gaps on Application
ML100710755
Person / Time
Site: Diablo Canyon  Pacific Gas & Electric icon.png
Issue date: 03/11/2010
From:
Pacific Gas & Electric Co
To:
Office of Nuclear Reactor Regulation
References
DCL-10-028
Download: ML100710755 (28)
v  d  e


Text

Enclosure PG&E Letter DCL-10-028 Impacts of PRA Open Items/Gaps on Application Enclosure PG&E Letter DCL-10-028 Impacts of PRA Open Items/Gaps on Application

PG&E Letter DCL-10-028 Enclosure 1

Impacts of PRA Open Items/Gaps on Application The DCPRA is a living PRA, which is maintained through a periodic review and update process. The sections below discuss the review process that the DCPRA had under gone, the status of the disposition/resolution of the findings from the reviews and the impact of those outstanding/open issues from the reviews on the results and conclusions of this study.

Westinghouse Peer Review (Certification)

Peer Review (Certification) of the DCPP PRA model, using the WOG Peer Review Certification Guidelines, was performed in May 2000 and the final report for the peer review was published in August 2000 [Reference 1]. On the basis of its evaluation, the Certification Team determined that, with certain facts and observations (F&Os) addressed, the technical adequacy of all elements of the PRA would be sufficient to support risk significance evaluations with defense-in-depth input relative to the requested Emergency Diesel Generator completion time (CT) extension from the NRC during that time period.

The two "A" F&Os, related to the human reliability analysis (HRA) were addressed by upgrading the methodology used for the evaluation. The upgraded HRA analysis was recently subjected to a focused peer review. A discussion of this focused HRA peer review is provided below.

The B F&Os from the WOG Peer Review were addressed during model updates in support of the EDG Completion Time Extension (CTE) license amendment request (LAR), the LAR effort to extend the Completion Times (CTs) for several emergency core cooling system (ECCS) components, and the MSPI calculations. The updated DCRA model in which issues related to the B F&Os from the WOG Peer Review were addressed is the DC01 PRA model. There are no outstanding issues (B F&Os) from the WOG Peer Review.

DCPRA Gap Analysis In addition to the WOG Peer Review, three recent limited scope and independent assessments of the DCPP PRA Level 1 and Level 2 PRA models have been performed by leading industry PRA experts (i.e., Gap Analyses) to support several risk-informed applications, including the MSPI calculations and DCPP's transition to the National Fire Protection Association (NFPA) 805 Standard [Reference 2].

Review and Re-evaluation of DCPP Internal Flooding Hazards

PG&E Letter DCL-10-028 Enclosure 2

The Diablo Canyon Internal Flood PRA (Reference 3) was reviewed by Scientech/Jacobsen Engineering (Reference 4) to identify any specific weaknesses in its approach or implementation which might impair its ability to be used for risk informed decision making. The approach for the review was to compare the method of implementation and documentation of the existing Internal Flooding PRA with the requirements of the ASME PRA standard Addendum B (March 17th 2005 Draft)

(Reference 5).

Most of the review comments/finding was on the lack of documentation or related to the approaches not affecting the offsite power sources such as the 230kV power supply.

Table 1 summarizes the issues/deficiencies from the review and recommendations for improvement in some of the areas of the DCPP Internal Flooding PRA for the PRA to meet at least the Capability Category II requirements. The expected impact of these issues on the application is also provided. There are no open issues that would impact the results and conclusions of this evaluation.

PG&E Letter DCL-10-028 Enclosure 3

TABLE 1. Summary of DCPP Internal Flood Analysis Areas for Improvement (Table 2-1 of Reference 4)

Supporting Requirement from ASME Std Summary of Existing DCPP Internal Flood PRA Approach (Reference 3) and Nature of Associated Deficiency with Respect to ASME Std Recommendation for Improvement to meet Standard Expected Impact on Application IF-A4 IF-B3a IF-C9 IF-A3 A plant walk down was conducted as part of the Rev 0 analysis to collect additional information to confirm previous documentation and judgments on the flood sources and potential impact. This was documented by photographs of important equipment. For Rev 1 analysis an additional walkdown was conducted (Attachment 6 -

Reference 3) to confirm information used in the intake structure analysis.

Analysis needs to be brought up to date by repeating procedure performed for Rev 1 analysis.

Since that last comprehensive walkdown was performed in 1991 (and not well documented) it is recommended that it is repeated and documented using a set flood area walk down sheets and checklists.

Documentation issue and no impact on application is expected IF-B1 Major flood sources in each area are identified by type (e.g. water piping high/ moderate energy, steam piping high energy) in table F.4-2. However specific systems, pipe sizes or external flood sources are not identified.

Potential in leakage is not explicitly identified although it can be inferred from the propagation paths "to" column (Note in some cases the potential for propagation is identified without describing the specific route (doorway opening etc. Where pathway is described no explicit reference is given (e.g. door number)

See recommendation for creating flood area information sheets in IF-A4 which identified requisite information.

Documentation issue and no impact on application is expected IF-B1b IF-C5 IF-C5a Table F.4-2 (Reference 3) includes a screening process. However the general screening criteria used are not well defined and justified and in some cases include judgmental credit for isolation of sources before damage/ propagation can occur and /or drainage capacity. The containment is screened out on the basis that it is designed for LOCA and high energy line breaks in containment (section F.4.3).

Recommend defining a set of qualitative and quantitative screening criteria consistent with the ASME standard and indicating for each specific flood area which particular criteria is applicable.

Flooding events are not significant contributors to CDF.

Most of SSCs which could impact the availability of vital 4 kV buses and offsite power are located in Aux Bldg and TB areas where a flooding damage is very unlikely. Whether screening out or in of such areas in the flooding analysis should not significantly impact the proposed Completion Time extension of offsite power and/or 4 kV bus.

PG&E Letter DCL-10-028 Enclosure 4

TABLE 1. Summary of DCPP Internal Flood Analysis Areas for Improvement (Table 2-1 of Reference 4)

Supporting Requirement from ASME Std Summary of Existing DCPP Internal Flood PRA Approach (Reference 3) and Nature of Associated Deficiency with Respect to ASME Std Recommendation for Improvement to meet Standard Expected Impact on Application IF-C1 IF-C3b Table F.4-2 identifies the flood propagation paths from the source area to an adjacent area ( but no further) Section F.4.3.2 provides a general discussion Section F.4.3.2 provides a good general description for each building (turbine, intake, auxiliary and fuel handling) of the flood propagation pathways to their ultimate point of accumulation Did not see any reference to analysis of structural failures in the analysis although this probably because the potential for significant flood accumulation in most cases is minimal given the plant design The only evidence of random barrier element failures being considered is in respect of the ASW room drain check valves.

In flood area information sheets (see IF-A4) document potential propagation paths thru cable penetrations as well as doors and HVAC ducts Review flood analysis to identify cases where flood accumulation may occur (or has not been ruled out) and determine if consequences of barrier element challenges (e.g. doors or penetration seals) may result in a plant impact which has not been addressed in the current flood analysis. If so perform engineering analysis to determine if the barrier element will withstand the loading Performing the above will satisfy the Cat II requirements.

In order to satisfy Cat III requirements the random failure of any barrier elements identified as being challenged and with significant consequences of failure will need to be addressed. ( See Westinghouse F&O type C ) For area which may be susceptible to high energy line breaks determine if barriers and barrier elements will be challenged by over pressure and determine consequences of failure.

Only areas where significant accumulation leading to structural failure of barrier elements are the SI Pump room and Charging Pump Room. In these cases one can assume that barrier failures may lead to damage in adjacent areas where appropriate.

Flooding events are not significant contributors to CDF.

There are no SSCs in or next to SI and Charging pump rooms, where a flooding could lead to a loss of vital electrical buses or offsite power which could significantly impact the availability of the protected vital buses or other risk significant SSCs during the proposed configuration.

IF-C2a IF-C6 Automatic or operator responses to terminate floods are summarized in the discussion of flood location and scenario evaluations provided in section F.4.3.2 Table F4 Scenarios 45, 46, 53, 54 appears to credit manual action for isolation in order to screen (although it is not clear whether the consequences of non isolation are significant).

No discussion of flood indication, timing or means of isolation is provided.

Where such features form part of the argument for screening or evaluating flood scenarios this information should be provided.

Specifically recommend evaluating the reliability of actions credited in the scenarios 45, 46, 53, 54, 69, 83 and 84.

Consequences of non isolation in a timely manner were found to be potentially significant for SCW, CCW, RWST supply floods and AFW pump room floods in terms of controlling the potential for flood propagation or gross system impact.. A screening analysis is proposed which does not credit isolation, except in the case of the SCW where the flooding rate relative to the volume required to cause

PG&E Letter DCL-10-028 Enclosure 5

TABLE 1. Summary of DCPP Internal Flood Analysis Areas for Improvement (Table 2-1 of Reference 4)

Supporting Requirement from ASME Std Summary of Existing DCPP Internal Flood PRA Approach (Reference 3) and Nature of Associated Deficiency with Respect to ASME Std Recommendation for Improvement to meet Standard Expected Impact on Application damage was judged to be such that the time available would be many hours.

The proposed system realignment (electrical bus and power supply configuration) and plant modification/testing activities during the extended Completion Time should not impact the time available for any operator actions and other human performance factors associated with either terminating or mitigating consequences of a flooding.

IF-C3 Equipment susceptibility to various types of flood hazard are identified in table F.2-12 of the original DCPP flood PRA. In summary this table indicates that all electrical components except cables are assumed to be susceptible to flood accumulation and spray. High energy jet impingement may cause damage to all electrical components including cables. No reference to junction box qualification/damage is given and the treatment needs to be checked. It is not clear that high energy line break effects have been considered in the Revision 1 update Need to include potential damage to junction boxes treatment due to spray and submergence.

Impact of high/moderate energy line breaks (HELB/MELB) need to be considered for Capability Category II. An update of the Internal Flooding Analyses should evaluate and document the impact of HELB/MELB.

Impact on conclusions of the current application will be negligible since offsite and onsite power sources not affected.

IF-C3c The results of engineering calculations of maximum flood heights reported in DCM T-20 (see table F.4.4) are used in the study. For example a maximum flood height of 3" is cited as the reason for lack of flood propagation from the AFW TDP pump room to the AFW MDP pump rooms. When this reference was reviewed the calculation referred to was not apparent Need to identify location of flooding calculations relied upon in the analysis and review underlying basis to ensure consistency with PRA requirements ( e.g. no restrictions on maximum crack size or assumptions about isolation within specific time)

An update of the Internal Flooding Analysis should determine the applicability of design calculations cited in the existing Internal Flooding study.

Impact on conclusions of the current application will be negligible since offsite and onsite power sources not

PG&E Letter DCL-10-028 Enclosure 6

TABLE 1. Summary of DCPP Internal Flood Analysis Areas for Improvement (Table 2-1 of Reference 4)

Supporting Requirement from ASME Std Summary of Existing DCPP Internal Flood PRA Approach (Reference 3) and Nature of Associated Deficiency with Respect to ASME Std Recommendation for Improvement to meet Standard Expected Impact on Application affected.

IF-C4 Flood scenario development is generally accomplished in section F4.5.1. However it is not clear the analysis has recognized the consequences of flood isolation on system availability That is isolation of an AFW system flood may require the CST source to all pumps to be isolated depending upon (the break location).

Isolation of a CCW flood may require partial isolation of the CCW system Screening analyses proposed which does address impact of isolation of flood source. Further detailed analyses may be needed if this conservative analysis shows high risk contribution.

No expected to impact the conclusions of the current application since offsite and onsite power sources not affected.

IF-C5a It appears that DCPP analysis (Table F.4-2 item

23) credits isolation of a large turbine building flood prior to propagation to the DG corridor or the fuel oil pump room vaults via drains, and the 12kV room due to the automatic condenser mitigating features. This qualitative argument is used to screen out all propagation scenarios from the turbine building.

Further examination of the reliability of the isolation system, the timing available for operator action, the integrity and reliability of the doors and drain check valves which protect the EDG rooms, the fuel oil pump vaults and the 12kv SWGR room as well as any drainage paths to the outside, is warranted in order to screen this scenario (Although extremely unlikely this scenario could lead to a loss of the EDGs and loss of offsite power).

An update of the Internal Flooding Analysis will re-examine the Turbine Building flood scenario(s). Since it is extremely unlikely that the EDG will be affected by TB flooding events, this issue would have insignificant impact on the conclusion of the current application.

IF-D3 Flood scenarios are grouped as follows:

FL1 - All CCW floods FL2 - Charging suction header floods FL3 - AFW OR Fire Water Floods in AFW MDP Room If the consequences of isolation of the CCW or AFW is potentially more significant than currently identified (See IF-E5a) flood scenarios may need to be broken up in order to recognize specific consequences associated with different break locations in order to meet cat II or III requirements.

This issue has been partially resolved. Not expected to impact the conclusions of the current application since offsite and onsite power sources not affected.

IF-E5a Only three non screened flood scenarios were developed for quantification of CDF. Only the CCW scenario which credited isolation (prior to system depressurization ) and in this analysis a 10% probability of failure to isolate was assumed without any justification on the basis of flood indication, event timing, and means of isolation. In addition the analysis does not appear to address the consequences of conducting isolation which Need to address potential impact of flooding on HEPs included in the internal events PRA including an assessment of degradation of instrumentation and access for local actions Need to perform more robust justification of flood isolation probability used for CCW floods and impact.

Although a screening HEP value was used in the scenario, this is not expected to impact the conclusions of the current application since offsite and onsite power sources not affected.

PG&E Letter DCL-10-028 Enclosure 7

TABLE 1. Summary of DCPP Internal Flood Analysis Areas for Improvement (Table 2-1 of Reference 4)

Supporting Requirement from ASME Std Summary of Existing DCPP Internal Flood PRA Approach (Reference 3) and Nature of Associated Deficiency with Respect to ASME Std Recommendation for Improvement to meet Standard Expected Impact on Application presumably would be lead to at least partial loss of the system. None of the three flood scenario analyses appear to have addressed the potential degradation on operator errors modeled in the PRA associated with the flooding event. (see IF-D3)

PG&E Letter DCL-10-028 Enclosure 8

Self-Assessment of DCPRA Level 1 Internal Events A self-assessment of the Diablo Canyon Level 1 Internal Events PRA was performed by ERIN Engineering and Research, Inc. and the results were published in December 2006 (Reference 6) and then updated in January 2008 (Reference 7). The self-assessment was done with respect to the high level requirements (HLR) and supporting requirements (SR) in the ASME PRA Standard RA-Sb-2005, accounting for NRC interpretations of these requirements per Appendix A and Appendix B of Regulatory Guide 1.200 (Reference 8). One aim of the self-assessment is to identify SR for which the DCPP PRA may not meet the ASME PRA STD RA-Sb-2005 Capability Category II requirements. This category is generally viewed, for a given SR as sufficient capability for most currently envisioned risk-informed applications. The self-assessment did not include the determination of whether the DCPP PRA met the requirements for Large Early Release Frequency.

Table 2 summarizes the disposition/recommended action associated with the SR resulting from the self-assessment, and determines whether the issue associated the SR has any impact on the application. There are no opening issues that would impact the results and conclusion of this evaluation.

PG&E Letter DCL-10-028 Enclosure 9

Table 2 Summary of Suggested Disposition Actions from the DCPRA Gap Analysis (See Table 1 of Reference 7)

Applicable ASME SRs Description and Suggested Disposition Action Expected Impact on Application IE-A7 IE-A7 is met at Capability Category I; precursors are not directly factored into the model. However, this may be a pessimistic assessment, since insights gained from past precursors has been incorporated, so Capability Category II could be appropriate. The set of initiating events modeled is believed to adequately represent the spectrum of applicable industry experience, and it is unlikely that not meeting Capability Category II for this SR would have an impact on applications of the PRA. Consider adding a discussion of how initiating event precursors should be addressed to either the H.1.6 calc or to PRA update guidance.

Calc File H.1.6 updated to include discussion of screening of precursor events.

Documentation Issue and no impact is expected IE-A10, IE-B5, SC-A4a, SY-A11 IE-A10 is Not Met. The treatment of dual unit initiators should be reviewed, and the documentation of the basis for the current treatment, or an update, should be developed.

ASW for Unit 2 only credited if U2 EDGs are operable and can support pumps. Vital power cross tie not currently credited.

Calc File H.1.6 updated to include discussion of plant response to dual-unit initiators.

Documentation Issue and no impact is expected. Most of potential dual unit trip events are external hazards (e.g., ocean swell, kelp/jelly fish attacks).

The issue/application involved in this submittal is an internal event in nature (i.e., SLUR/FLUR setpoint, 4 KV UV trips).

SC-A6, SC-B1, SC-B3 While SR SC-A6, SC-B1, SC-B3 are judged to be met, the issues in C-significance F&Os DA-7 and TH-4 might have significance to particular applications. The impact of these should be considered on an application-specific basis until resolved Both ATWS issue (F&O DA-7) and PTS issue (under TH-4) resolved. Calc File E.11 updated to reflect changes. No impact on application.

SY-A20 To meet SR SY-A20, a confirmation that credited SSCs are able to operate in all modeled accident scenarios, including those where SSC design basis conditions may be exceeded, is needed.

Equipment qualification discussion to be addressed in Calc File E.17. No impact on application.

HR-D4 HR-D4 is met with one exception, lack of an established maximum credit for recovery in the pre-initiator HEPs.

Although a maximum credit is not assigned, excessive credit is not taken for recovery. Therefore, this SR has been judged to be adequately met. However, this issue could easily be addressed in the documentation.

HRA was re-peer reviewed and findings discussed below.

PG&E Letter DCL-10-028 Enclosure 10 Table 2 Summary of Suggested Disposition Actions from the DCPRA Gap Analysis (See Table 1 of Reference 7)

Applicable ASME SRs Description and Suggested Disposition Action Expected Impact on Application HR-G4 HR-G4 does not appear to be met. The bases for HEP timing success criteria analyses are not adequately specified in Calc G.2; times are specified but the bases for the times are unclear in the calc. (They may be documented in the HRA Calculator). [This assessment is based on information available prior to the re-peer review of the HRA.]

HRA was re-peer reviewed and findings discussed below.

HR-G5 HR-G5 does not appear to be met. The validation of human action timing is unclear. Calc G.2 refers to operator interviews for required times, but it is unclear as to what this covers.

[This assessment is based on information available prior to the re-peer review of the HRA.]

HRA was re-peer reviewed and findings discussed below.

DA-D2 DA-D2 is currently NA since there are no instances of failure events with no applicable generic data. Consideration should be given to developing a process for estimating data for which there is no generic data source, consistent with the DA-D2 requirements, for future application.

SR N/A. No impact DA-D7 DA-D7 is currently NA since there are no instances where existing plant experience data are no longer applicable.

Consideration should be given to developing a process/guidance for dealing with data that are no longer applicable, consistent with the DA-D7 requirements, for future application.

SR N/A. No impact QU-D4 QU-D4 is Not Met. Consideration should be given to adopting a sampling process for review of non-dominant sequences as part of the model quantification.

Discussion of the review of non-significant sequences has been included in Calc File C.9.

Documentation issue and no impact on application.

PG&E Letter DCL-10-028 Enclosure 11 Human Reliability Analysis Peer Review To address the findings and observations of an earlier peer review [in particular, the Human Reliability Analysis (HRA) portion] of the PRA (Reference 11), an upgrade of the HRA was performed (Reference 9). A follow-on peer review of the HRA was needed (required by ASME PRA Standard) and was performed by ABS Consulting, Inc. The findings were published in July 2007 (Reference 10).

This peer review identified eighteen elements that did not meet category level II of the PRA Standard. Seven of these were documentation issues or did not affect the results of the application. The remaining eleven were subsequently either dispositioned or were demonstrated to have a negligible effect on the results of this application through a sensitivity evaluation.

The disposition of each open issue from the HRA peer review is presented in Table 3.

PG&E Letter DCL-10-028 Enclosure 12 Table 3 - HRA Peer Review Observations ID L

Observation Resolution HR-F2-1 B

Better, more detailed, and more precise accident sequence descriptions should be provided. The description should include the all of the preceding actions/indications, the initiating events, relevant plant response, concurrent actions/indications, etc.

Especially for actions that may be applied in a variety of sequence conditions, the description should make clear which one of the conditions forms the basis for the action evaluation. This information is important to evaluate whether the HEP so obtained is later applied appropriately in the sequence models. See reviewer notes for sample action ZHECV1 (Recovery from seismic relay chatter).

Generally, such HFEs have been modeled conservatively, so it is not expected that the HEPs would change. The dependency analysis serves to identify any HFEs that are out of context assumed in the development of the HFE. The dependency analysis has been reperformed and no "out of context" HEPs were found.

HR-F2-2-1 B

The HRA analysis was largely updated in the spring of 2002. Many of the procedures referenced at that time have been revised since the analysis was first performed. It is therefore unclear how it can be concluded that the current assessment represents the current, as-operated design.

Although procedure revision numbers and step numbers may change, the critical steps and recovery steps would essentially be the same and would therefore not impact the quantification as such. It is not expected that there had been any significant changes to EOPs since 2002, as the EOPs are standardized. If any additional critical steps have been added, the expected change would be small and bounded by the HEP sensitivity evaluation for this study.

HR-F2-2-2 B

For the analysis of ZHEFO4 (Fuel Oil Recovery), the most important procedure step in the current procedures was not identified as part of the tasks to be performed and the evaluation of the execution errors did not cover it. In the analysis of the execution error for ZHEOR1 (SGTR - RCS cooldown and depressurization), it was assumed that level control in the intact S/Gs was already successful since level control for the ruptured S/Gs was successful. However this task was not analyzed and accounted for in action ZHEOX1 either.

Impact of procedural step issue for ZHEFO4 and ZHEFO5 is bounded by sensitivity evaluation. ZHEOR1 are actions not affected by the status of the 230kV power source. Therefore the 230kV power supply evaluation is not sensitive to changes in this HEP.

PG&E Letter DCL-10-028 Enclosure 13 On page 2, it is stated that memorized actions use the HCR/ORE method while on page 4 this is contradicted. There it states that both memorized and time critical actions use the HCR/ORE method.

Assumption 1 in Section 4.2.3 and Section 5.4 on Page 19 indicate that the HEPs for the cognitive part of early memorized actions (i.e., those associated with reactor trip, reactor trip required, safety injection or safety injection required) can be considered negligible. The reviewers disagree with this assertion. Based on our understanding, this assertion is refuted by simulator data performed for Diablo Canyon and which in part formed the basis for the HCR/ORE model; i.e. for reactor trip under ATWS conditions.

Documentation issue.

Documentation will be updated to clarify that the assumption of a negligible HEP for entering E-0 given a RT or SI does not apply to ATWS.

There are also other actions that were assumed to have negligible HEPs for the cognitive contribution and were not evaluated for cognitive errors (there are a total of 15 actions which have zero values in Table 1 for the human cognitive response probability; e.g.

ZHEOR1 for SGTR cooldown and depressurization).

This review does not accept the assertion that these actions can be assigned zero cognitive error probabilities.

Applicable HEPs for this study were reviewed and it was determined that the sensitivity case bounds the impact of including cognitive failure probabilities for each applicable HEP.

The HCR/ORE model can be interpreted as accounting for the time-dependent contribution to both cognitive and execution type errors. In actions where time-pressures are large, the time-dependent errors may dominate. However, where such time-pressures are computed to be small, the contribution from time-independent errors should be incorporated; e.g. execution errors if not negligible.

The DCPP PRA model uses CBDTM/THERP for all HEPs.

This methodology accounts for the contribution from time-independent errors. The comments from the observation specifically address the time-independent impact of execution errors that should be incorporated if time pressures are small. All DCPP HEPs reflect these time independent errors.

HR-G2-2 B

HEPs were derived using EXCEL for reactor trip and turbine trip actions and documented in Appendix A, but the HEPs listed in Table 1 for execution errors for these actions are the same as those obtained in Appendix A for cognitive errors.

Documentation issue only.

PG&E Letter DCL-10-028 Enclosure 14 HR-G3-1 B

Due to the short time window available for cognitive diagnosis and decision-making (excluding cue time, any other delay time, and manipulation time), some actions may be significantly influenced by the PSF for "Time" (e.g., ZHERE5, ZHEPR1, ZHEOE1, ZHERF2, of the 10 sampled are of this type) These actions were evaluated using the CBDT approach only. For actions evaluated using the CBDT, the PSF for Time is accounted for only in the assignment of the level of dependency for recovery. For the evaluation of the initial errors, however, the PSF for Time (which may contribute to the occurrence of error due to the time pressure) is not accounted for in the CBDT tree branches.

HCR/ORE calculated for the HEPs identified in the observation to verify if time-based contribution should be incorporated. All HEPs affected by the status of the 230kV power supply were increased by a factor of 5.

The methodology description provides a brief summary of the CBDT approach (in section 4.2.1) and references a 1992 description. The write-up also notes a number of modeling assumptions specifically identified for Diablo Canyon for both cognitive and execution contributions. However, since 1992 much work has gone into standardizing the judgments needed to implement the CBDT approach (see, for example, draft Guidelines for Performing Human Reliability Analyses - using the HRA calculator effectively dated June 2003. The judgments used in the update are not all consistent with the more recent EPRI guidance.

Documentation issue. Update the methodology description using the latest EPRI guidance for the use of HRA Calculator.

Section 5.3 on Page 19 states that single procedure should be selected for PCE but this seems inconsistent with EPRI guidance. (see actions ZHEPR1, ZHERF2,).

These actions will not impact the 230kV power supply evaluation results.

HR-G3-2 B

For Assumption 11 in Section 4.2.3 on Page 9, the provisions for using check-offs and provisions for place-keeping are not evident in most of the procedures referenced. (e.g., the use of E-1.3 for the analysis of ZHERF2 and the use of annunciator response procedure for the analysis of ZHECV1).

AD1.ID2 "Procedure Use and Adherence" directs procedure users to sign off each step after is performed and prior to performing the next step. This procedural requirement ensures that placeholding/checkoffs are performed.

PG&E Letter DCL-10-028 Enclosure 15 The stress level is underestimated in some cases (e.g., work in radiation environment). The stress level for SGTR sequences is stated in one place as moderate (Modeling Convention 8.1 in Section 4.3.4 on Page 14) and another as high (Assumption 1 in Section 4.1 on Page 2).

High stress is reserved for scenarios where the procedural options are exhausted or are not successful due to multiple failures (Functional restoration procedures). High stress is also related to workload exceeding available manpower e.g. in loss of support system scenarios such as station blackout or loss of instrument air. For SGTR, the stress level assumed is low to moderate. The documentation needs to be clarified.

Regarding Assumption 7 in Section 4.1 on Page 4, not all procedures use the Response Not Obtained format so it is unclear if the THERP tables used are correctly adjusted for all actions. For example, Step 3.h in Appendix B of Procedure OP AP-11 was treated in the analysis of the execution error for ZHECC1 (CCW heat load reduction) as if the procedure is in a columnar or Response/Response Not Obtained format, while this procedure is not written in this format. Another example is the annunciator response procedure used for the analysis of ZHECV1 (Control room ventilation recovery).

Actions important to risk typically involve procedures that are in a RNO format (All EOPs except for some appendices). Neither of the HEPs that this finding refers to directly mitigate a LOCA. The status of the 230kV power supply is not sensitive to these HEPs. Therefore the 230kV power supply evaluation is not sensitive to changes in this HEP.

For Modeling Convention 6 in Section 4.3.4 on Page 13, the reviewers do not believe that NUREG/CR-1278 intended that the first 10 steps of a long list can be assumed to be from a short list. (e.g., in the analysis of ZHERF2).

A factor of three difference between short and long HEPs.

With credit for recoveries, this factor of three is reduced to a factor of 1.5 in the case of ZHERF2. This HEP is not affected by the status of the 230kV power supply. Therefore 230kV power supply evaluation is not sensitive to changes in this HEP.

Section 5.1 on Page 15 states that most errors of commission which use Table 20-12 should select Item 3 but this is not what is used in the actions reviewed. Seldom is Item 3 selected.

Use of the word typical in the documentation does not imply that all selections from table 20-12 should use Item 3. This is a documentation issue.

The sequence descriptions do not always identify all of the preceding and concurrent events/actions/indications, and as such the operator work load and distractions involved may be underestimated and unaccounted.

Original determination of workload was based on operator interviews. This determination was made independent of sequence desription detail. This is a documentation issue.

PG&E Letter DCL-10-028 Enclosure 16 Credit for recovery (e.g., due to self review for the cognitive error and consideration of specific procedure steps for the execution error) may need to be reexamined in some cases. For example, credit for self review when performing a local action in a radiation environment may not be appropriate.

This observation refers to ZHEMU3 (Makeup to RWST from spent fuel pool). The self review recovery is performed in the control room as it involves reading RWST level indications.

The radiation environment would not impact likelihood of self review.

No recovery was considered for some of the procedure steps (e.g., opening of one pressurizer PORV, closing the PORV, etc.) in the analysis of ZHEOR1, although the steps for checking the RCS pressure can certainly serve as opportunities for recovery from previous failures.

Potential credit for recovery not taken in the model. The application results are conservative.

The DCPRA considers multiplicative factors on the post-trip operator actions following a strong earthquake. These factors should be considered screening values because they are not action specific. Per requirement SA-B2 of the external events standard (ANS-58.21-2003), the factors used should be justified For spectral accelerations between 1.75 and 2.5g, the operator may be disconcerted and confused by equipment and structure movement taking place around him, but he is unlikely to be physically affected. A multiplication factor of 5 typically was assigned to error rates for seismic events within this range.

For spectral accelerations greater than 2.5g, the operator may be even more anxious and may be physically affected. He may be knocked down or knocked against something; things may fall on him, or the atmosphere may be clouded by dust limiting visibility. It is not expected that operators will be trapped or otherwise disabled by falling objects. A multiplication factor of 30 was used for these cases.

The methodology section does not describe the modeling of actions after a strong earthquake.

Detailed analyses had been performed e.g. ZHECT1, ZHECT2 and ZHECT3 (seismic relay chatter) using CBDT.

HR-G3-4 B

Detailed analyses for these post-earthquake actions should consider the time elapsed since the earthquake, the access routes to control stations outside the control room, and the potential direct effects of the earthquake on operator conditions.

During the development of the DCPP IPEEE, all of the operator routes to remotely actuated equipment were checked for potential blockage resulting from a seismic event. No operator routes were judged as likely to be blocked.

PG&E Letter DCL-10-028 Enclosure 17 For many of the sample actions reviewed, the reference provided does not document T/H analyses to support the assumed time available for the action analyzed. The times assumed for occurrence of the indications is also often not tied to T/H analyses. For example, action ZHEMU3 states the Tw is 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> and references an earlier version of G.2. That reference does not contain T/H analysis, only an unreferenced estimate for the two hour value.

Similarly, the assessment of action ZHEPR1 again references G.2 but there is no T/H analysis to support the 16 minute estimate.

Documentation basis for timing has been updated. In some cases, the timing used is based on input assumptions for thermal hydraulic calculations. For example, the time requirement of 10 minutes to isolate a faulted steam generator is based on the analysis assumption used in the thermal hydraulic calculation. A best-estimate evaluation of the actual time window to avoid HR-G4-1 A

In Section 5.4 on Page 19, the time windows for reactor and turbine trip are noted here. Based on our understanding, these times were originally selected for the success criteria to avoid a PORV challenge or an SI signal, and therefore they may not be appropriate for ATWS mitigation.

Time windows for ATWS mitigation would be longer than time windows to avoid PORV challenge or SI signal. The use of shorter time windows would result in a conservative calculation of the HEP.

From the documentation provided, it is unclear how the sequences listed are determined to contain multiple actions. Some cross-reference between split fractions and HFEs is needed. The analysis assumes that one can identify combinations of action by revising each HEP to 0.1, and then quantifying the core damage sequences. By this approach, sequences with 3 or more actions may be discarded prior to qualitative evaluation. The number of core damage sequences reviewed individually (100 for internal events, and 50 each for seismic and fires) for dependence between actions is insufficient to ensure that this does not happen. As an example, small LOCA sequences involving failure of both switchover for cold leg recirculation and failure to align RWST supply to the RWST did not appear in the latest dependency analysis reviewed. However, these sequences did appear in an earlier dependency analysis and at that time were judged to be highly dependent.

Dependency analysis was re-performed using a higher weight for HEPs (0.5 instead of 0.1).

200 internal and 100 seismic/fire sequences were reviewed. The dependency reference in the observation (Dependency between switchover to RWST and makeup to the RWST) is modeled as having a high dependency (0.5 conditional failure probability). The 230kV power supply evaluation is not sensitive to changes in this HEP.

The dependence analysis does not describe the actions already assessed as completely dependent; i.e. where the later actions are not credited in the sequence model due to earlier action failures.

This observation refers to a lack of documentation for actions assessed as completely dependent and modeled as such. Since the dependencies are modeled, this will not affect the application.

HR-G7-1 B

Consideration should be given to actions important for LERF and/or containment bypass.

Sequences leading to Large Early Release do not have additional operator actions for mitigation of offsite releases.

PG&E Letter DCL-10-028 Enclosure 18 In the dependence analysis, the HFEs in most sequences with two or more operator actions were judged to be independent or only with very weak dependence (i.e., dismissed as low dependence actions) due to such considerations as "different functions (performed for different reasons)," while directed by the same procedures, or "different procedures," etc. In some cases, a common cognitive element may still exist, even though different detailed functions are involved. The basis for these judgments should be examined; e.g. to say which functions and to identify the different reasons.

The HRA documentation describes the purpose for each of the separate actions.

Additional detail is needed in the documentation.

The dependence analysis documentation suggests that there was a general assumption that if actions are directed by procedures with different numbers they can be considered independent. This is questionable. Other factors, such as time required, increased stress, availability of resources, and common instrumentation, can lead to dependencies between actions. Such dependencies governed by time are noted in the HRA methodology write-up.

The sensitivity case provided increases HEPs relevant to the application by a factor of 5.

In some sequences, the presence of an intervening successful action (i.e. in the same sequence) can be used to dismiss actions failed in the same sequence as being only weakly dependent. Successful actions were not considered in the dependence review.

Not crediting successful intervening actions is conservative. Disposition of this issue will not adversely affect the results of this application.

The summary of quantified actions in Table 1 does not incorporate any dependencies found in attachment A.7. The highest HEP is only 6.8E-2.

This is a documentation issue and will not affect the results of the application.

Some HEPs are said to be highly dependent on other actions but assigned values of 0.1. High dependence should be assigned values of 0.5, per Table 20-17 in NUREG/CR-1278.

The sensitivity case provided adjusts the dependency impact to 0.5 for actions considered highly dependent.

HR-G7-2 B

For one selected sequence involving ZHEOE1, the analysis asserts that the action quantification analysis itself (using CBDT) adequately considers dependence with preceding actions in the sequence. This is not correct. Another example of a need to carefully evaluate the dependence on preceding actions in specific sequences is ZHEMU3.

High ZHEMU3 (makeup to the RWST) dependency on switchover to recirculation included in the sensitivity analysis. The 230kV power supply evaluation is not sensitive to changes in this HEP.

For the analysis of recovery actions (e.g., in the case of ZHECT1), it is unclear if credit can be taken, when the procedural guidance referenced is not sufficiently detailed to determine the operators execution steps.

Failure mechanism PCF may better be evaluated as item (g) 6E-2, rather than (a) negligible.

ZHECT1 is an operator recovery action for seismic relay chatter.

The 230kV power supply evaluation is not sensitive to changes in this HEP.

HR-H2-1 B

The action contained in recovery split fraction RE6A is mentioned in the dependency analysis but is not included in summary Table 1 RE6A is a recovery for a loss of switchgear ventilation. The 230kV power supply evaluation is not sensitive to changes in this HEP.

PG&E Letter DCL-10-028 Enclosure 19

  • Observations make reference to the DCPP HRA calculation file.

Level 2 Peer Review The level 2 peer review comments were reviewed for impact on the ECCS completion time LAR. None of the identified issues were determined to have a significant impact on the results of the original evaluation. Table 4 details the open issues and their disposition relative to this application. There are no open issues that would affect the results and conclusions of this evaluation.

PG&E Letter DCL-10-028 Enclosure 20 Table 4 - Summary Resolution for Level 2 Peer Review Comments Issue Index Met/Not Met Issue Disposition LE-C2a Met at CC-1 LE-C2a is Met at Capability Category I. Post-core-damage actions are not modeled.

Although the treatment of such actions is conservative, the evaluation of potential LERF contributors, as documented in Calc N.1, indicates that it is unlikely that inclusion of post-core damage operator actions would significantly affect LERF insights or conclusions.

Non-modeled actions have small LERF impact. Actions may provide additional benefits for late release assessments.

LE-C2b Met at CC-1 LE-C2b is Not Applicable to Category I. The Capability Category II/III criteria are not met, and there is no criterion for Capability Category I. For particular applications in which a plant issue might directly affect containment systems or SSCs that are significant contributors to LERF, additional consideration of post-core damage recoveries per EOP actions noted by the re-peer reviewers, and possibly SAMG actions, may be warranted.

As a result of the rapid progression of LERF events, repair of equipment is of low probability and is not considered in the PRA model. Thus, the impact on the baseline PRA is not considered significant for the overall LERF and the impact on the use of the PRA for application is expected to be small and limited to specific component related applications.

PG&E Letter DCL-10-028 Enclosure 21 LE-C3 Met at CC-1 LE-C3 is met at Capability Category I. The LERF model is believed to contain sufficient logic to provide a "realistic estimation of the significant accident progression sequences resulting in a large early release." However, the features listed for Capability Category II are not included.

Credit for mitigating actions, fission product scrubbing, and beneficial failures are not included in the Level 2 model.

Inclusion of the additional features listed would not likely have a significant impact on LERF, since only limited credit could be justified.

Assumed value of PORV (PSV) failure has small LERF impact. Note that overall assessment of TI-SGTR is conservative in that combined impact of operator action to depressurize the RCS and mechanical failure to reseat of PSVs is biased low. Model assumption should not impact application. No credit is taken for fission product scrubbing when feedwater is available. Application results are conservative.

LE-C8a Met at CC-1 based on improved sump design LE-C8a may not be fully met.

The re-peer review recommendations should be addressed to establish that survivability issues are adequately dealt with for the LERF model. The Level 2 re-peer reviewers made several recommendations regarding survivability for the CFCUs and ducting/hatches in the reactor cavity.

Long term survivability of the CFCUs is not a concern for LERF. New containment sump design addresses sump concern. The PRA model does not consider the impact of ducting failures on the ability of the reactor cavity to flood following reactor vessel lower head failure. This is not considered an impact on LERF LE-C9a Met at CC-1 LE-C9a is met at Capability Category I. Credit is not taken in the Level 2 or LERF modeling for containment failure-related impacts on equipment survivability.

This scenario that is the primary issue here has a very low likelihood at DCPP as it requires a low probability core challenge in conjunction with simultaneous failure of all trains of CFCUs and the entire CSS. Credit for operation beyond containment failure is possible however there is no value in developing the justification for modeling this issue as containment failure would be expected following off-site evacuation. While this feature may impact long term core performance the late nature of the failure suggests that the event would not contribute to the plant LERF.

PG&E Letter DCL-10-028 Enclosure 22 LE-C9b Met at CC-1 This item requires that the utility review significant accident progression sequences resulting in a large early release to determine if engineering analyses can support operation or operator actions after containment failure that could reduce LERF.

Current treatment is conservative.

Upgrade to CC-II would not adversely affect the application results.

LE-C10 Met at CC-1 Credit is not taken for scrubbing in the bypass sequences.

Neglect of scrubbing may bias LERF result. The SGTR PRA model does not credit scrubbing to remove bypass events from LERF. This is a conservative position and may overestimate the LERF contribution.

Upgrade to CC-II would reduce conservatism but will not change results.

LE-D3 Met at CC-1 pending resolution of IE-C12 IE-C12 cat-II requires realistic evaluation of ISLOCA probability.

Conservative ISLOCA piping failure probability is used in the DCPP PRA model. Application results are conservative.

LE-F2 Met at CC-1.

See Reference 12 and Appendix C

The Level 2 re-peer reviewers noted a lack of evaluation of impact of key sources of uncertainty on the Level 2 LERF model. The re-peer report discusses a number of potential sources of uncertainty and impacts. For most PRA applications, it is not likely that such issues will affect LERF insights.

A discussion of key sources of uncertainty is included in the LAR submittal.

LE-G1 Not Met The LERF analysis shall be documented consistent with the applicable supporting requirements (HLR-LE-G). The Level 2 re-peer reviewers commented that the existing documentation generally does not meet the LE-G high level requirement.

Documentation issue. Does not effect the results of the application.

LE-G3 Met at CC-1 The significant contributors to LERF are documented in the quantification calc (Calc C.9).

Additional detail as noted for Category II/III is not included.

Documentation issue. Does not effect the results of the application.

PG&E Letter DCL-10-028 Enclosure 23 LE-G4 Not Met LE-G4 is not met. Basis is the Level 2 re-peer reviewer's assessment. Consideration should be given to developing the recommended evaluation of Key Assumptions and Key Sources of Uncertainty for the LERF model.

A discussion of key sources of uncertainty is included in the LAR submittal.

LE-G5 Not Met An assessment of limitations of the LERF model that might impact applications has not been developed.

A discussion of key sources of uncertainty is included in the LAR submittal.

LE-G6 Not Met A statement of the quantitative definition for significant accident progression sequences has not been included in the documentation.

Documentation issue.

PG&E Letter DCL-10-028 Enclosure 24 References

1. Diablo Canyon Power Plant Probabilistic Risk Assessment Peer Review Report, Final Report, August 2000
2. National Fire Protection Association (NFPA) 805 Standard
3. PRA Internal Flooding Analysis, Calculation File F.4, Revision 1
4. Review and Reevaluation of Specific Issues of internal Floods Analysis
5. American Society of Mechanical Engineers (ASME) RA-Sb-2003, Addenda to ASME RA-S-2002, Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications, dated March 17, 2005 (draft)
6. Diablo Canyon Power Plant PRA Self-Assessment (Draft Report), ERIN Engineering and research, December 2006.
7. Diablo Canyon Power Plant PRA Self-Assessment, ERIN P0114060001-2717 R1, January 2008.
8. Regulatory Guide 1.200, Revision 1, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, U.S. NRC dated, January 2007.
9. Davis, Earnest G., Human Action Analysis - Failure Likelihood and Range Factor Calculation, Calculation file number: G.2, revision 5, 392 pages, undated but after May, 2006
10. Diablo Canyon Follow-On Peer Review of HRA Update, Final Report, R-1736044-1728, July 31, 2007.
11. Sloane, Barry, et al, Diablo Canyon Power Plant PROBABILISTIC RISK ASSESSMENT PEER REVIEW REPORT - FINAL REPORT, prepared for Westinghouse and Pacific Gas & Electric Company, August 2000.
12. PRA-File C.9, Revision 10, Quantification of CDF and LERF for the DCPP PARA Model, June 2006.

PG&E Letter DCL-10-028 Enclosure 25 References

13. Diablo Canyon PRA (DCPRA-1988)
14. Long-Term Seismic Program (LTSP)
15. Supplement No. 34 to NUREG-0675, dated June 1991.
16. NUREG/CR-5726
17. Sloane, Barry, et al, Diablo Canyon Power Plant PROBABILISTIC RISK ASSESSMENT PEER REVIEW REPORT - FINAL REPORT, prepared for Westinghouse and Pacific Gas & Electric Company, August 2000.
18. U.S. Nuclear regulatory Commission, Staff Evaluation of the Diablo Canyon Power Plant (DCPP) Units 1 and 2, Individual Plant Examination (IPE) - Internal Events Submittal, June 30, 1993.
19. U.S. Nuclear regulatory Commission, Individual Plant Examination of External Events for severe Accident Vulnerabilities, Generic Letter 88-20, Supplement 4, June 28, 1991
20. U.S. Nuclear regulatory Commission, Staff Evaluation of the Diablo Canyon Power Plant (DCPP) Units 1 and 2, Individual Plant Examination of External Events (IPEEE) Submittal, December 4, 1997.
21. NUREG/CR-5750
22. SBO submittal

PG&E Letter DCL-10-028 Enclosure 26

23. Common Cause Failure Database and Analysis System, NUREG/CR-6268, INEEL/EXT-97-00696.
24. Common Cause Failure Parameter Estimations, NUREG/CR-5497, INEEL/EXT-97-01328.
25. Reliability Study: Westinghouse Reactor Protection System, 1984-1995, NUREG/CR-5500 Vol2, INEEL/EXT-97-00740.
26. Calculation File H.4, Revision 3
27. Calculation File H.3 Revision 2
28. Draft NUREG/CR (INEEL/EXT-04-02326), Evaluation of Loss of Offsite Power Events at Nuclear Plants: 1986-2003 (Draft), October, 2004 by S.A.Eide, C.D.

Gentillon, and T.E Wierman of INEEL and D.M. Rasmuson of USNRC

29. EPRI Calculator
30. PRA Calculation File PRA05-05, Re-Evaluation of Selected Split Fractions in Level 2 Model, Revision 0, December 5, 2005
31. Calculation File GF.2, Revision 5
32. PRA Calculation File PRA02-06 Revision 0, EDG 14 day LAR
33. Diablo Canyon Power Plant Probabilistic Risk Assessment Peer Review Report, Final Report, August 2000
34. National Fire Protection Association (NFPA) 805 Standard
35. PRA Internal Flooding Analysis, Calculation File F.4, Revision 1
36. Review and Reevaluation of Specific Issues of internal Floods Analysis
37. American Society of Mechanical Engineers (ASME) RA-Sb-2003, Addenda to ASME RA-S-2002, Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications, dated March 17, 2005 (draft)
38. Diablo Canyon Power Plant PRA Self-Assessment (Draft Report), ERIN Engineering and research, December 2006.
39. Diablo Canyon Power Plant PRA Self-Assessment, ERIN P0114060001-2717 R1, January 2008.
40. Regulatory Guide 1.200, Revision 1, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, U.S. NRC dated, January 2007.

PG&E Letter DCL-10-028 Enclosure 27

41. Davis, Earnest G., Human Action Analysis - Failure Likelihood and Range Factor Calculation, Calculation file number: G.2, revision 5, 392 pages, undated but after May, 2006
42. Diablo Canyon Follow-On Peer Review of HRA Update, Final Report, R-1736044-1728, July 31, 2007.
Retrieved from "https://kanterella.com/w/index.php?title=ML100710755&oldid=5302719"