ML17164A887

From kanterella

Rev 0 to EC-RISK-1063, Evaluation of Operator Actions for Application in Susquehanna Individual Plant Examination.

Site: Susquehanna (Talen Energy)
Issue date: 06/22/1998
From: Kukielka C, Pennsylvania Power & Light Co.
Shared Package: ML17164A884
References: EC-RISK-1063, EC-RISK-1063-R, EC-RISK-1063-R00, NUDOCS 9811180048


Text

NUCLEAR ENGINEERING CALCULATION/STUDY COVER SHEET and NUCLEAR RECORDS TRANSMITTAL SHEET

1. Page 1 of Total Pages
2. TYPE: CALC
3. NUMBER: EC-RISK-1063
4. REVISION: 0
5. TRANSMITTAL:
6. UNIT: 3
7. QUALITY CLASS: N
8. DISCIPLINE:
9. DESCRIPTION: Evaluation of Operator Actions for Application in the Susquehanna Individual Plant Examination
   SUPERSEDED BY: EC-N/A
10. Alternate Number: NA
11. Cycle: NA
12. Computer Code or Model used: NA (Fiche / Disk)
13. Application: NA
14. Affected Systems: NA (If N/A then line 15 is mandatory.)
15. NON-SYSTEM DESIGNATOR: RISK (If N/A then line 14 is mandatory.)
16. Affected Documents: SAR Change Req'd
17. References:
18. Equipment/Component:
19. DBD Number:
20. PREPARED BY: Casimir A. Kukielka
21. REVIEWED BY: Eric Jebsen
22. APPROVED BY/DATE: F. G. Butler
23. ACCEPTED BY PP&L/DATE:

TO BE COMPLETED BY NUCLEAR RECORDS: NR-DCS SIGNATURE/DATE. ADD A NEW COVER PAGE FOR EACH REVISION. FORM NEPM-QA-0221-1, Revision 2.
PDR 9811180048 980709; PDR ADOCK 05000387


EC-RISK-1063

Table of Contents

1.0 Introduction
2.0 Evaluations of Operator Actions Taken in Response to an Initiating Event
  2.1 Method Used to Evaluate Control Room Operator Response to Initiating Events
  2.2 Control Room Operator Response to an Emergency Operating Procedure Entry Condition
  2.3 Field Operations During Station Blackout
  2.4 Entering Appropriate Procedures
  2.5 Treatment of Restoration of Offsite Power and Diesel Generators
3.0 Pre-initiator Human Errors
References
Appendices
  A Methods Used to Estimate Lognormal and Weibull Parameters
  B Calculation of Upper Bound Using Kanofsky & Srinivasan
  C Susquehanna Simulator Data Used in this Calculation

1.0 Introduction

This calculation addresses the assessment of human error as applied to the Susquehanna IPE. Two types of human errors are considered: those which occur in response to an initiating event, and those which occur prior to an initiating event and remain undetected.

The first type of human error is referred to as post-initiating-event operator error and recovery action. The second type is called pre-initiator or latent human error.

The treatment of each type of event is described in the following Sections.

2.0 Evaluations of Operator Actions Taken in Response to an Initiating Event.

This section addresses actions taken in response to initiating events. Two types of actions are considered. First are actions directed from the control room using Off-Normal and Emergency Operating Procedures, and the procedures referenced from them. Second are actions that are considered to be repair or, in the case of offsite power, restoration.

The discussion of actions directed from the control room consists of three parts: first, a discussion of the method used to evaluate the operator response to an initiating event; second, an evaluation of specific operator actions using the previously described method; and third, an evaluation of the impact of executing an inappropriate procedure. The discussion of repair and restoration activity addresses what actions are considered and the method used to determine the probability of failure as a function of time.

2.1 Method Used to Evaluate Control Room Operator Response to Initiating Events.

The general approach used to evaluate the control room response to initiating events is discussed in the cited reference. This method is both qualitative and quantitative. The qualitative evaluation consists of a review of the procedures against the Severe Accident Procedural and Interface Defense in Depth Criteria (attachment 1), which provide criteria for defining successful action by the operator. These criteria ensure that the procedures provide the operator with the correct guidance for a wide spectrum of events and that the plant instrumentation, controls, and equipment enable the operator to be successful. This evaluation includes a detailed human factors review which entails both a review of the procedures and a validation of the procedures through simulator tests and interviews with operators. These interviews focus on the efficacy of the procedures and the operators' ability to implement them given the available time and facility. The results of this evaluation are documented in validation reports and safety evaluations performed per 10CFR50.59. The validation and safety evaluations are revised whenever a change occurs to the facility or the procedures.

Once the qualitative review is complete, a quantitative evaluation is performed on operator actions which are incorporated in the IPE. The goal of this activity is to provide point estimates and uncertainty bounds for the operators' non-response probability at performing a given activity and to verify that the non-response probability is on the same order as the failure rate of the equipment being operated.

Several sources of data and methods of generating this data are available to perform this quantitative evaluation. They include:

1. Susquehanna operator response data for actual events,
2. Susquehanna operator response data for simulated events,
3. Absolute Probability Judgment (APJ) evaluations, and
4. Generic data sources.

The above sources are listed in order of preference. Operator response to actual events is the best source of data in that it incorporates all issues and performance shaping factors associated with implementation of the procedure when required. That is, there can be no criticism that such data does not reflect "reality". Since the need for many of the actions identified in EOPs seldom occurs, the availability of such data is sparse. Therefore other sources must be used for quantitative evaluation.

The second source of data is obtained from plant simulator exercises and Job Performance Measures (JPM). This data is collected and correlated to fit the needs of the analysis. The application of this data is discussed in the specific sections below where it is used. Simulator data is accepted as less realistic than actual event responses, but is preferred to any other source if the simulation is performed on the plant specific SSES simulator or in the actual plant, using SSES specific procedures and operators.

In cases where quantitative data from actual events and simulations has not been collected, those experienced with the particular action are queried for their judgment as to the likelihood of success. Currently this process has only been implemented informally. However, a more structured process, based upon the Absolute Probability Judgment method described in Kirwan, is being developed for future revisions of the PRA. Larger uncertainty bounds are used to cover uncertainties in these estimates.

When plant specific sources of data are not available, generic sources are used to make estimates. Several sources of generic data are available. In evaluating the various sources available, the question of using THERP (NUREG/CR-1278), or its more abbreviated form ASEP (NUREG/CR-4772) arose. These methods are attractive because they provide both a framework and data so that a user can produce HEP estimates relatively quickly, without the requirement for extensive data base development. These methods also provide traceability, and are authored by acknowledged experts in the fields of cognitive psychology and human factors engineering. These methods also enjoy wide acceptance in the PSA community.

However tempting, the THERP and ASEP methods were not employed in the SSES IPE for several reasons. First, and perhaps most significantly, the authors of THERP and ASEP stress that the use of these methods for post-initiator response is highly speculative. These methods are best used for step-by-step procedures performed during normal operations. The methods are not applicable for highly cognitive, knowledge-based or skill-based responses in times of high stress such as might be expected in the initial period following an initiating event. Second, the basis for the HEPs in these methods assumes only an annual re-qualification training session at a generic simulator. This was the situation at the time these methods were developed and does not reflect the current practice of regular (i.e. once per 6 weeks) training on the SSES plant specific simulator. Third, the HEPs in these methods assume event-based EOPs, not the symptom-based procedures currently in place. (The ASEP method does provide some rough guidance on adjusting HEPs for symptom-based procedures.) Finally, the THERP and ASEP procedures assume a "traditional" control room layout, not the computer-assisted CRT displays in the advanced SSES control room. The authors of THERP write that regular abnormal-event response practice on high fidelity simulators using symptom-based EOPs in advanced control rooms may reduce "cognitive error" to extremely small values.

Given the above considerations, and the results of the RMIEP human error methodology comparisons, the decision was made to rely on the "non-response" curve taxonomy of Hannaman for HEP estimates. This methodology provides estimates of non-response based on measured data and does not rely on analyst decomposition of complex event sequences or estimates of such uncertain parameters as operator stress level. Although acknowledged as not perfect, the use of experimentally derived "non-response" curves is judged superior to THERP or ASEP for determining post-initiator response HEPs.

The data presented in Gertman & Blackman and NUREG/CR-4835 were chosen for use because the method for generation and its application are generally consistent with the approach being pursued at Susquehanna. Additionally, many of the operator actions evaluated in these references were developed for a BWR similar to Susquehanna. In some cases these estimates were modified to account for plant or procedural differences. These cases are identified. With appropriate interpretations and modifications, these sources were judged to be an acceptable surrogate in the absence of specific Susquehanna data.

This judgment was tested by benchmarking non-response probability generated using these data sources against that generated using Susquehanna data. The two cases considered are:

• Manual Backup of the Scram function,

• Manual Initiation of Suppression Pool Cooling.

Manual backup of the scram function is listed in Gertman & Blackman as "Group 6". The NUREG/CR data does not apply in this short time frame and is not used. This comparison is shown in Figure 1. A comparison of suppression pool cooling is provided in Figure 2. The NUREG/CR data is included in this time frame. These graphs compare estimates generated using the cited generic sources to the Susquehanna model and empirical estimates derived from the actual data. The term "Susquehanna model" refers to the lognormal fit of the SSES data. Additionally, an upper bound derived from the empirical data is provided. Reviewing these comparisons shows reasonable agreement, especially when considering the uncertainty in the data. Additional confidence in these other data sources is provided by calculation EC-RISK-1062, a derivation of the HEP for tying in the fire suppression system for RPV injection during SBO for vessel protection. This calculation employed the ASEP method of HRA, with results showing good agreement with the values reported in the NUREG/CR. Therefore, in the absence of plant specific data, the above generic sources provide an acceptable source.

[Figure 1: Comparison of Nonresponse Probability for Manual Backup of Automatic Scram. Nonresponse probability (0.0 to 1.0) versus time (0.0 to 1.0 min); series include Empirical.]

[Figure 2: Comparison of Nonresponse Probability for Initiation of Suppression Pool Cooling. Nonresponse probability (0.0 to 1.0) versus time (0.0 to 10.0 min); series: Empirical, SSES, B&G, NUREG/CR-4835, 95% bound.]

2.2 Control Room Operator Response to an Emergency Operating Procedure Entry Condition.

Emergency Operating Procedures (EOP) are entered any time an entry condition exists. The entry conditions for RPV Control, EO-000-102, are the scram signals for RPV water level, RPV pressure and Drywell pressure. An existing scram condition with power greater than 5% is a fourth entry condition. Given one of the above EOP entry conditions exists, the operator manually initiates a scram if the reactor is not scrammed and then determines the status of the control rods. If the position of more than 1 control rod is greater than 00, that is, if more than one control rod is not completely inserted, the operator immediately transfers to and implements EO-000-113, Level Power Control (ATWS contingency). If all but one control rod is fully inserted, the operator implements EO-000-102. This initial response and decision should occur in less than 20 seconds.

The control room is staffed with the following contingent of licensed operators to implement these procedures:

• 2 Plant Control Operators (PCO) per unit (minimum of Reactor Operator License)
• 1 Unit Supervisor (US) per unit (Senior Reactor Operator License)
• 1 Shift Supervisor (SS) (Senior Reactor Operator License), and
• 1 Shift Technical Advisor (STA) (Graduate Engineer with SRO training)

The SS directs activities that impact the entire station. This includes notification of onsite personnel and offsite agencies. Additionally, the SS is the Emergency Director until the Emergency Plan is fully implemented. The SS also oversees the actions of the US and can assist and provide direction to the US as needed. The US directs activities that are specific to the unit. The PCOs implement the actions directed by the US using EOP flow charts. In general, one PCO performs actions which are implemented on panel C651 (non-ECCS control). This PCO is referred to as PCO-C651 in subsequent discussions. The other PCO performs actions which are implemented on control board C601 (ECCS control). This PCO is referred to as PCO-C601 in subsequent discussions.

This Section addresses operator performance at executing the procedures. It includes:

1. operator actions taken in the plant during an event to preclude a reactor trip, i.e. cross-tying the Instrument Air (IA) system into the Containment Instrument Gas (CIG) system
2. operator actions taken in the control room in response to ATWS events,
3. operator actions taken in the control room in response to non-ATWS events, and
4. operator actions executed in the field during SBO.


2.2.1 Operator Cross-tie of Instrument Air to Containment Instrument Gas (OCTIA)

A loss of a DC bus such as D620 will cause the suction valve for the Containment Instrument Gas (CIG) system to isolate, with a subsequent MSIV isolation in 10 to 15 minutes. Loss of a DC bus will also result in a loss of HPCI or RCIC, depending on the bus, and a loss of control power to one of the two ADS solenoid valves on each of the 6 ADS SRVs. Loss of the second bus will result in a failure of both HPCI and RCIC and loss of all control power to both ADS and non-ADS solenoids. Should the reactor scram, core damage will be avoided by initiation of the second CRD pump. If the reactor does not scram, given the above sequence of events, then core damage is postulated from overpower resulting from density wave oscillations. Additionally, for the ATWS event initiated by loss of bus D620, the HPCI system will be unavailable due to its dependency on this bus. Core damage will likely occur if the operator does not initiate Standby Liquid Control (SLCS) within 8 minutes.

The plant operators can intervene to interrupt this sequence by cross connecting the IA system into the CIG 90 psig header, thus avoiding an MSIV isolation and a subsequent reactor scram. Loss of a DC bus is alarmed in the control room. The alarm response procedure directs the operator to the appropriate Off-Normal (ON) procedure. In the case of loss of DC bus D624, the operator is directed to ON-1/225-001. Step 3.1.7 of this procedure explicitly directs the US to cross connect the IA to the CIG (and is proceduralized in OP-1/225-001 step 3.6). The cross connect between IA and CIG is performed every outage. Additionally, it has been performed on line at least three times to prevent MSIV isolation on loss of CIG. No records have been identified that indicate that the operators have ever failed to perform the cross connect quickly enough to prevent the MSIV isolation.

As discussed in IPE section C.1.3, the point estimate failure probability given zero failures in 3 demands is estimated using 0.5 failures and 3 demands:

P = 0.5/3 = 0.167

This value is taken as the median. The upper bound was computed using the Poisson distribution with zero failures in three trials. Together these estimates were used with the lognormal distribution to compute the mean and lower bound.

lower = 0.044
median = 0.167
mean = 0.23
upper = 0.63

2.2.2 Operator Actions Taken in the Control Room in Response to ATWS Events

Given a reactor trip condition exists, the shift determines if a successful scram has occurred. This determination is made using the position of the control rods and the reactor power. During simulated ATWS events, this determination is made within 20 seconds after the initiating event. The response to the ATWS event occurs in two phases.

The first phase consists of immediate actions which occur independent of the plant conditions or failures beyond those causing the ATWS. These actions are important for preventing core damage from unstable operation during a turbine trip ATWS with the feedwater pumps available. The second phase consists of longer term actions, which depend on what additional failures have occurred and the status of the plant.

A discussion of longer term ATWS actions follows the discussions of the immediate actions.

2.2.2.1 Immediate Actions Following ATWS

The immediate response by the shift to an ATWS is first to ensure that the mode switch is in shutdown and that ARI has initiated; then to initiate standby liquid control (LQ/Q-3) if power is greater than 5% or unknown, reset the main generator lockout (LQ/L-4), and run back injection flow if power is greater than 5% or unknown (LQ/L-6). These actions are important during a turbine trip ATWS with the feedwater pumps available. If no mitigating actions are taken, core damage from unstable operation will occur in about 10 minutes following the failure to scram. However, core damage can be avoided if:

• the feedwater pumps are run back within 3 minutes, or

• the operator initiates SLCS in 2 minutes.

Therefore successful completion of these actions is significant for success in the turbine trip ATWS. The significance of these actions has been factored into procedures and training programs. The ability of the operator to successfully implement them has been examined on the simulators.

These actions are automatically performed by the PCOs independent of other plant conditions or failures beyond those causing the ATWS. SLCS is initiated by PCO-C601 since this system is operated from this panel. PCO-C651 will reset the main generator lockout and, in the case of a turbine trip ATWS with feedwater available, will run back feedwater since the feedwater is controlled from this panel. Time response data for each of these activities were collected during simulator exercises. The feedwater runback and SLCS initiation data were collected from the same exercises. Therefore any correlation or dependence in the data is included in the measurement. The influence of varying performance shaping factors is treated through uncertainty analysis. Each action, SLCS initiation and feedwater runback, is discussed below.

Initiation of Standby Liquid Control (OPSLCSO)

During ATWS events, EO-000-113 step LQ/Q-3 directs the operator to initiate SLCS if the reactor power exceeds 5% or is unknown. Step LQ/Q-8 directs the operator to initiate SLCS if more than one control rod is at a position greater than 00 and the suppression pool temperature reaches 110 °F. These steps ensure prompt SLCS initiation during the more challenging ATWS events and provide a backup action when power is not seen as an issue.

The implementation of these procedures has been evaluated on the plant simulator. A product of these evaluations is the elapsed time from the initiating event to when the operator initiates SLCS. This data is used to determine the probability that the operator will not be successful at initiating SLCS in time to avoid core damage. The events that require prompt SLCS initiation are:

1. Full Turbine Trip ATWS with failure to run back feedwater in three minutes - OPSLCS2
2. Partial Turbine Trip ATWS with failure to run back feedwater in six minutes - OPSLCS4
3. Full ATWS with failure of HPCI - OPSLCS
4. Partial ATWS with Failure of HPCI - OPSLCS12
5. Full ATWS with failure of HPCI and 1 SLCS Pump - OPSLCS5
6. Partial ATWS with Failure of HPCI and 1 SLCS Pump - OPSLCS9
7. Full ATWS with failure of HPCI and ADS - OPSLCS2
8. Partial ATWS with failure of HPCI and ADS - OPSLCS4

Times for each of these events are provided in EC-EOPC-0519 and presented in Table 1 along with the probability of not initiating SLCS within sufficient time. The probability estimates are based upon a fit of simulator data to both a Weibull and a Lognormal distribution. Figure 3 compares the point estimates computed from the simulator data with estimates generated from the Weibull (mean) and Lognormal (median) models. The upper bound was derived using the method discussed in Kanofsky & Srinivasan. The upper bound for the failure probability is 0.33 for SLCS initiation in two minutes, which is conservative. This upper bound was used with the median derived from the data to compute an error factor; an error factor of 14 was computed. This error factor was used to estimate the mean and the bounds for the non-response probability at other times. The Lognormal fit is used to generate point estimates for these actions since it generally produces higher values. Values derived using the Weibull fit are used in a sensitivity study.
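A worked reproduction of the bound arithmetic used here for SLCS and in Section 2.2.1 for OCTIA, added as an example and not part of EC-RISK-1063: a median (0.5 failures over the demand count for OCTIA, the simulator median for SLCS) and an upper bound give a lognormal error factor, which then yields the lower bound and mean and is reused at other times as in Table 1. It assumes the lower and upper bounds are the 5th and 95th percentiles, and that the zero-failure upper bound is the 95% confidence limit solving (1 - p)^n = 0.05, which reproduces the reported 0.63.

```python
"""Lognormal uncertainty bounds for non-response probabilities.

Added worked example (not part of EC-RISK-1063). A median non-response
probability and a 95th percentile upper bound fix a lognormal error
factor (EF); the EF then gives the 5th percentile and the lognormal mean,
and can be reused at other times, as the SLCS table does with EF = 14.

Assumptions not stated explicitly on the page: bounds are the 5th/95th
percentiles, and the zero-failure upper bound is the 95% confidence limit
solving (1 - p)**n = 0.05, which reproduces the reported 0.63.
"""
import math

Z95 = 1.6449  # standard normal 95th percentile (assumed 5%/95% bounds)


def zero_failure_point_estimate(demands):
    """Point estimate, taken as the median: 0.5 failures over n demands."""
    return 0.5 / demands


def zero_failure_upper_bound(demands, confidence=0.95):
    """Upper bound p at which zero failures in n trials has probability 1 - confidence.

    Solves (1 - p)**n = 1 - confidence.  With n = 3 and 95% confidence this
    gives 0.632, the value reported for the IA-to-CIG cross-tie (OCTIA).
    """
    return 1.0 - (1.0 - confidence) ** (1.0 / demands)


def error_factor(median, upper):
    """Lognormal error factor: ratio of the 95th percentile to the median."""
    return upper / median


def lognormal_bounds(median, ef):
    """5th percentile, median, mean and 95th percentile of a lognormal.

    With median m and error factor EF: sigma = ln(EF) / Z95, the lower
    bound is m / EF, the upper bound is m * EF and the mean is
    m * exp(sigma**2 / 2).
    """
    sigma = math.log(ef) / Z95
    return {
        "lower": median / ef,
        "median": median,
        "mean": median * math.exp(sigma ** 2 / 2.0),
        "upper": median * ef,
        "error_factor": ef,
    }


def bounds_from_median_and_upper(median, upper):
    """Bounds when a median and an independently derived upper bound are given."""
    return lognormal_bounds(median, error_factor(median, upper))


def octia_bounds(demands=3):
    """IA-to-CIG cross-tie (OCTIA): zero failures observed in three demands."""
    median = zero_failure_point_estimate(demands)
    upper = zero_failure_upper_bound(demands)
    return bounds_from_median_and_upper(median, upper)


def table_from_error_factor(medians, ef):
    """Apply one error factor to the medians at several times, as Table 1 does.

    `medians` maps an action label to its lognormal median non-response
    probability at that action's available time.
    """
    return {label: lognormal_bounds(m, ef) for label, m in medians.items()}


if __name__ == "__main__":
    # OCTIA: the page reports lower 0.044, median 0.167, mean 0.23, upper 0.63
    print("OCTIA", {k: round(v, 3) for k, v in octia_bounds().items()})

    # SLCS in two minutes: simulator median 2.3E-02, upper bound 0.33
    slcs_ef = error_factor(2.3e-2, 0.33)  # about 14, as the page states
    print("SLCS error factor", round(slcs_ef, 1))

    # reuse the error factor at other times (medians taken from Table 1)
    medians = {"OPSLCS2": 2.3e-2, "OPSLCS4": 3.4e-5, "OPSLCS9": 1.5e-10}
    for label, b in table_from_error_factor(medians, slcs_ef).items():
        print(label, {k: f"{v:.1E}" for k, v in b.items() if k != "error_factor"})
```

The same routine with an error factor of 3 reproduces the mean column of Table 3 from its medians.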

[Figure 3: Comparison of SLCS Initiation Data with Models. Non-response probability (0.0E+00 to 1.0E+00) versus time (0 to 100 sec); series: Observation, Simulator Weibull, Simulator Log Normal.]

Table 1 Non-response Probability of SLCS Initiation Versus Time Operator Available

                                  Probability of Not Completing Action Within Time
                                             Lognormal
Action     Time (min)   Weibull     Lower      Median     Mean       Upper
OPSLCS2    2            0.000596    1.6E-03    2.3E-02    8.5E-02    3.3E-01
OPSLCS4                             2.4E-06    3.4E-05    1.3E-04    4.9E-04
OPSLCS5                             1.3E-07    1.9E-06    7.1E-06    2.8E-05
OPSLCS                              8.5E-11    1.2E-09    4.5E-09    1.7E-08
OPSLCS9    9                        1.0E-11    1.5E-10    5.4E-10    2.1E-09
OPSLCS12   12                       3.6E-14    5.2E-13    1.9E-12    7.4E-12

Operator Fails to Run Back the Feedwater Pumps

Core damage from overpower during ATWS can occur if the core inlet subcooling becomes too high. This event can occur during a turbine trip ATWS without feed pump trip, since feedwater temperature will drop due to a loss of feedwater heating while the feedwater pumps remain in service. EO-000-113 step LQ/L-6 instructs the operator to reduce RPV level to -60 inches. Calculations reported in EC-EOPC-0519 demonstrate the operator has at least 180 seconds in the full ATWS and 360 seconds in the partial ATWS to initiate feedwater runback to avoid core damage from overpower. The sequence, turbine trip ATWS with success of feedwater, was run in the simulator. The time at which the operator initiated feedwater runback was recorded and fit to both Lognormal and Weibull distributions. This data and associated correlations are presented in Figure 4. The Lognormal was used to make estimates of the operator failure probability, with the Weibull used as a sensitivity. The upper bound was estimated using Kanofsky for the full ATWS case. It was used along with the median value derived from the data to compute an error factor of about 2.2. This error factor was used to estimate the bounds for the partial ATWS case. The results of these calculations are presented in Table 2.
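The fitting step described for SLCS initiation and for feedwater runback above (simulator response times fitted to Lognormal and Weibull distributions, then evaluated as the probability that the response time exceeds the available time), as an added example that is not part of EC-RISK-1063. The response times are constructed for illustration, not the Appendix C data, and the fits are maximum-likelihood estimates, a choice the page does not specify.

```python
"""Non-response probability from simulator response times.

Added worked example (not part of EC-RISK-1063). Elapsed times from the
initiating event to the operator action, as recorded in simulator runs,
are fitted to Lognormal and Weibull distributions; the non-response
probability at an available time T is P(response time > T). Both fits
are maximum-likelihood estimates, an assumption the page does not state.
"""
import math

# Constructed sample (illustrative, not Appendix C data): seconds from the
# initiating event to SLCS initiation in twelve simulator runs.
SLCS_TIMES_SEC = [38, 45, 52, 55, 61, 64, 70, 77, 85, 93, 104, 130]


def empirical_nonresponse(times, t_avail):
    """Fraction of runs in which the action was not complete by t_avail."""
    return sum(1 for t in times if t > t_avail) / len(times)


def fit_lognormal(times):
    """Maximum-likelihood lognormal parameters (mu, sigma) of the times."""
    logs = [math.log(t) for t in times]
    mu = sum(logs) / len(logs)
    sigma = math.sqrt(sum((x - mu) ** 2 for x in logs) / len(logs))
    return mu, sigma


def lognormal_nonresponse(mu, sigma, t_avail):
    """P(T > t_avail) for a lognormal response time T."""
    z = (math.log(t_avail) - mu) / sigma
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def weibull_shape_residual(times, k):
    """Weibull shape estimating equation; it is zero at the MLE of k.

    sum(t^k ln t) / sum(t^k) - 1/k - mean(ln t)
    """
    tk = [t ** k for t in times]
    weighted = sum(x * math.log(t) for x, t in zip(tk, times)) / sum(tk)
    mean_log = sum(math.log(t) for t in times) / len(times)
    return weighted - 1.0 / k - mean_log


def fit_weibull(times, lo=0.05, hi=50.0, iters=200):
    """Maximum-likelihood Weibull (shape k, scale lam) by bisection on k.

    The residual is increasing in k (its derivative is a weighted variance
    of ln t plus 1/k**2), so bisection on [lo, hi] converges to the root.
    The scale then follows from lam = (mean(t^k)) ** (1/k).
    """
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if weibull_shape_residual(times, mid) > 0:
            hi = mid
        else:
            lo = mid
    k = 0.5 * (lo + hi)
    lam = (sum(t ** k for t in times) / len(times)) ** (1.0 / k)
    return k, lam


def weibull_nonresponse(k, lam, t_avail):
    """P(T > t_avail) for a Weibull response time T."""
    return math.exp(-((t_avail / lam) ** k))


def compare_models(times, t_avail):
    """Empirical, lognormal and Weibull non-response probabilities at t_avail."""
    mu, sigma = fit_lognormal(times)
    k, lam = fit_weibull(times)
    return {
        "empirical": empirical_nonresponse(times, t_avail),
        "lognormal": lognormal_nonresponse(mu, sigma, t_avail),
        "weibull": weibull_nonresponse(k, lam, t_avail),
    }


if __name__ == "__main__":
    # two minutes is the time available for SLCS in the turbine trip ATWS
    for t in (60, 90, 120):
        print(t, {m: f"{p:.3f}" for m, p in compare_models(SLCS_TIMES_SEC, t).items()})
```

On this sample the Lognormal tail exceeds the Weibull tail at the two-minute mark, the behaviour the calculation cites when it chooses the Lognormal fit for point estimates.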

[Figure 4: Comparison of Simulator Data with Models for Feed Water Pump Runback Data. Probability (0.0E+00 to 1.0E+00) versus time (0 to 250 sec); series: Observed and the fitted models.]

Table 2 Nonresponse Probability for Operator Initiation of Feedwater Pump Runback as a Function of Time

                      Success                  Failure                    Failure Bounds
Time (sec)  Mean      Weibull    Lognormal     Weibull    Lognormal       Lower      Upper
                                               (mean)     (median)
180         0.295     0.7098     0.735834      0.2902     0.2642          0.122      0.574166
360         0.0013    1.0000     0.99886       0.0000     0.0011          0.00051    0.002

nc = not calculated

2.2.2.2 Longer Term Operator Actions Implemented During ATWS

After the initial operator response to the ATWS event, the shift will continue to implement the procedure steps in accordance with the emergency operating procedures.

The strategies pursued by the shift are designed to:

• maintain RPV water level between -60 and -161 inches until the hot shutdown boron weight has been injected,

• insert control rods that are at positions greater than 00, and

• stabilize pressure.

The manner in which the operator implements these strategies depends upon the available equipment. The ATWS event trees provide a list of accident sequences which require successful execution of particular operator actions used to implement the above strategies given the failures in the accident sequences. Associated with these actions are the times within which the action must be completed for success. These accident sequences are identified below.

• ATWS with failure of HPCI and RCIC and the operator fails to initiate rapid depressurization,

• ATWS with failure of HPCI and failure to control low pressure injection.

Operator Initiates Rapid Depressurization when the RPV Level Falls to Top of Active Fuel

In an ATWS with failure of high pressure injection, the operator initiates ADS when the RPV water level reaches Top of Active Fuel (-161 inches). Once the ATWS occurs the operator monitors the status of the RPV water level and equipment used to respond to the ATWS. As the water level drops to the HPCI initiation setpoint, and HPCI does not start, the operator realizes that low pressure injection from either condensate or RHR is required. This requires monitoring the RPV level and initiating rapid depressurization when the RPV water level falls to TAF. The critical operator action is to initiate ADS when the RPV water level falls to TAF. The RPV water level is monitored on 1C680 and 1C651 by both PCOs and on the Safety Parameter Display System (SPDS) by the STA.

Timing data for the following cases is evaluated:

1. Full ATWS with failure of HPCI
2. Partial ATWS with Failure of HPCI
3. Full ATWS with Failure of High Pressure Injection and Rapid Depressurization Required Prior to Bottom Head Dryout.

The non-response probability for these scenarios was estimated using the approach discussed in RMIEP. A similar event, ATWS with failure of High Pressure Injection (Sequence 4 TCQW), was analyzed there, but with different timing. The Susquehanna timing data was applied to the RMIEP method to compute the non-response probability. An error factor of 3 was applied to address the uncertainties associated with the estimate.

Results for the various ATWS events are provided in Table 3. The following discussions provide the specific timing for each of the events identified above.

Full ATWS with failure of HPCI (OADS1F)

Timing data for the full ATWS with loss of HPCI was obtained from EC-EOPC-0519, Case Sc. The operator has 4 minutes after the RPV water level falls below TAF to initiate ADS. The boildown time to TAF is 225 seconds. Therefore the operator has 465 seconds (225 plus 240 seconds) to initiate ADS. As discussed above, failure of HPCI to start at -38 inches is the cue that Rapid Depressurization will be required to allow low pressure injection for core cooling. The -38 inch level occurs 143 seconds after the failure to scram. Based upon discussions with operators and trainers, it requires a maximum of 60 seconds to arm and depress the ADS initiation push buttons. This data is used with the time reliability curve to estimate the non-response probability reported in Table 3. Uncertainties in the action times are incorporated in the uncertainties associated with the estimated failure probabilities.

Partial ATWS with Failure of HPCI (OADS1)

Timing data for the partial ATWS with loss of HPCI was obtained from EC-EOPC-0519, Case Sc and Section 5.2. The partial ATWS effectively doubles the time for events to occur when the RPV water level is above TAF. After the water level falls below TAF, the operator has about 4 minutes to initiate ADS. The boildown time to TAF for the full ATWS is 225 seconds. Doubling this time results in a boildown time of 450 seconds. Therefore the operator has 690 seconds (450 plus 240 seconds) to initiate ADS. Failure of HPCI to start at -38 inches is the cue. This occurs at 286 seconds, twice the time for the full ATWS case. It requires at most 60 seconds to arm and depress the ADS initiation buttons. This data is used with the time reliability curve to estimate the non-response probability reported in Table 3.

Full ATWS with Failure of High Pressure Injection and Rapid Depressurization Prior to Bottom Head Dryout (OADS2F and OADS2)

In this case the operator must depressurize the RPV prior to bottom head dryout. This avoids vessel failure by allowing low pressure injection to cool the core quenched in the lower head. The bottom head will dry out at 1.5 hours for the full ATWS (OADS2F) and 2.5 hours for the partial ATWS (OADS2). The partial ATWS is far more likely. This data is used with the time reliability curve to estimate the non-response probability reported in Table 3.

Table 3 Non Response Probability for Operator Manually Initiating Rapid Depressurization During ATWS Events

                Time in Minutes                 Probability
Action    To      Ti     Ta    Tt        Lower     Median    Mean      Upper
OADS1F    7.8     2.4    1.0   4.4       3.0E-02   9.1E-02   1.1E-01   2.7E-01
OADS1     11.5    4.8    1.0   5.7       1.7E-02   5.0E-02   6.3E-02   1.5E-01
OADS2     150     4.8    1.0   144.2     1.5E-05   4.5E-05   5.6E-05   1.4E-04
OADS2F    90      2.4    1.0   86.6      4.6E-05   1.4E-04   1.7E-04   4.1E-04

To  Overall time from the initiation of the accident sequence to when the operator action must be completed.
Ti  The time after accident sequence initiation that the appropriate cues or symptoms are given.
Ta  Time required to implement the action.

Operator Controls Low Pressure Injection During ATWS.

In an ATWS with failure of high pressure injection, the operator will initiate ADS when the RPV water level reaches Top of Active Fuel (-161 inches), per EO-000-113. The operators' ability to control low pressure injection depends on the nature of the ATWS, partial or full, and on the equipment used to provide low pressure injection. The cases of interest are listed below.

1. Full ATWS condensate available,
2. Full ATWS condensate unavailable,
3. Partial ATWS condensate available,
4. Partial ATWS condensate unavailable.


If condensate is not available the depressurization will be slower. The condensate system injects comparatively cold water through the feedwater sparger when the RPV pressure drops to around 600 psig. The feedwater sparger is at least a meter above the RPV water level during ATWS. This cold water condenses steam, accelerating the depressurization rate. RHR injection, on the other hand, does not commence until the RPV pressure is below 300 psig and injects through the recirculation loop into the core.

Therefore injection with condensate bounds the RHR injection case. These cases are similar to the RMIEP evaluation of TCQW. Each case is evaluated below. The non-response probability for each case is presented in Table 4.

Full ATWS (CPLIOF)

During the full ATWS a critical operator action is to control RPV water level following a blowdown. With the condensate system available the key action is to prevent uncontrolled condensate or ECCS injection. EO-000-113 steps LQ/P-1 & -2 instruct the operator to prevent uncontrolled injection into the RPV before depressurizing below 600 PSIG and 400 PSIG respectively. The operator will be aware that RPV depressurization is required when HPCI does not start at -38 inches, 143 seconds following the failure to scram. This is taken as the cue. The shutoff head of both RHR and CS is below 300 PSIG. Therefore the operator must lock out the ECCS prior to the RPV pressure reaching 300 PSIG at 425 seconds after sequence initiation. (Rapid depressurization is actuated when RPV water level reaches TAF.) The lockout requires no more than 30 seconds.

Partial ATWS (CPLIO)

As in the case of the full ATWS, the operator must lock out ECCS prior to the RPV pressure dropping to 300 PSIG. The partial ATWS will impact the time to TAF, but the type of ATWS has at best a minor impact on the time to depressurize the RPV since, without HPCI injection, the voided core will not be critical during the blowdown. The boildown time for the partial ATWS is 450 seconds. The time to depressurize to 300 PSIG is about 160 seconds. Therefore the ECCS lockout must occur prior to 610 seconds. The failure of HPCI at -38 is the cue, which occurs at 286 seconds. The lockout requires no more than 30 seconds.

Table 4 Non-Response Probability for Operator Control of Low Pressure Injection During ATWS

                    Time in Minutes                   Probability
Action      To       Tl     Ta     Tt       Lower      Median     Mean       Upper
CPLIOF      7.1      2.4    1.0    3.7      4.4E-02    1.3E-01    1.6E-01    4.0E-01
CPLIO       10.17    4.3    1.0    4.4      3.0E-02    9.1E-02    1.1E-01    2.7E-01

Manual Rod Insertion During ATWS (MRI)

Manual control rod insertion as well as the SLCS system can be used to shut down the reactor. The equipment used to shut down the reactor is independent of the equipment failures that caused the ATWS. Additionally, a plant modification has been installed that allows the operator to promptly bypass the Rod Sequence Control System (RSCS). Prior to installation of this modification the RSCS bypass was accomplished by installing jumpers in the relay room. It was estimated that this evolution would not be accomplished prior to 30 minutes following the failure to scram. With the bypass switch installed in the control room, the bypass can easily be accomplished within 5 minutes following the initiation of the failure to scram.

Based upon calculations in EC-EOPC-0519, the operator has 24 minutes for the full ATWS and 48 minutes for the partial ATWS to initiate MRI for success (MSIVs closed ATWS). The time required to insert the control rods is factored into the calculation of the initiation times of 24 and 48 minutes. The probability of not completing the MRI evolution within this time period was estimated using the data in Gertman and Blackman. Group 1 data was used to characterize this action. The diagnostic time for each type of ATWS is provided in Table 5 along with the probability of failure and bounds.

Table 5 Non-Response Probability for Manual Rod Insertion (Time in Minutes)

ATWS Type   Available Time   Cue Time   Decision Time   Lower      Median     Mean       Upper
Full        24                          19.0            1.2E-03    5.2E-03    6.5E-03    2.3E-02
Partial     48                          43.0            .4E-04     1.0E-03    1.2E-03    7.40E-03

2.2.3 Non ATWS Operator Actions.

The Susquehanna plant and procedures are designed so that no immediate operator actions are required to respond to a transient event or LOCA. As an example, if an automatic scram is generated, Feedwater logic controls water level, RCIC & HPCI auto-initiate and control about their set points, and ADS and low pressure ECCS auto-initiate.

Therefore, operator action is only required when a substantial number of failures have occurred beyond the initiating event. These situations include:

1. Failure of high pressure injection and failure of the low pressure permissive circuit,
2. Item 1 plus unavailability of the low pressure permissive circuit bypass switch,
3. Failure of high pressure injection and the ADS logic,
4. Failure of HPCI, RCIC and the ADS, and
5. Loss of all AC power.

Should any of these events occur operator action is required. Each is addressed below.

Failure of High Pressure Injection and Failure of the Low Pressure Permissive Circuit (BYLPP)

A failure of high pressure injection or a large LOCA with failure of the low pressure permissive will result in a loss of core cooling and subsequent core damage. Given either of these events, the operator can mitigate the low pressure permissive failure using a bypass switch installed at the ECCS benchboard on Panel 1/2C601. This switch bypasses the low pressure permissive circuit and allows the RHR and the core spray injection valves to open.

If the low pressure permissive circuit is working, the valves will begin to open when the RPV pressure drops to 436 PSIG. However, injection flow will not commence until the RPV pressure drops below the ECCS pump shutoff head of about 300 PSIG. Therefore the symptom the operator will use to detect a fault in the low pressure permissive circuit is:

1. ECCS pump(s) running,
2. RPV pressure less than 300 psig, and
3. no injection flow with injection valves closed.

Given these conditions, the operator will bypass the low pressure permissive circuit and verify that the injection valves open. The amount of time available for the operator to observe these symptoms and operate the bypass switch depends upon the type of event.

The available time as a function of the event is presented in Table 6. The non-response probability and the bounds for these actions were obtained from Gertman. This action is categorized as, Use of Low-Pressure Systems, Group 2. These non-response probabilities were checked for their consistency with other non-response probabilities used in this IPE.

Table 6 Non-response Probability for Operator Repositions the Low Pressure Permissive Bypass Circuit.

(Time in minutes unless specified)

Event                 Time to Core Damage   Time to Cue   Action Time*   Thinking Time    Lower Bound   Median     Mean       Upper Bound
Transient             57                    39            *              16               1.0E-03       1.5E-02    5.7E-02    2.2E-01
Small LOCA (S1B)      55                    35            *              18               1.4E-04       4.8E-03    5.0E-02    1.7E-01
Medium LOCA (L1D)     34                    18            *              14               7.9E-03       4.8E-02    8.7E-02    2.9E-01
Large LOCA-3 (S1C)    64                    33            *              29               1.3E-06       4.1E-04    1.9E-01    1.3E-01
Large LOCA-4 (L1E)    700 sec               451 sec       120 sec        65 sec (1 min)   1.0E+00       1.0E+00    1.0E+00    1.0E+00
Large LOCA-5 (L2D)    236 sec               32 sec        120 sec        84 sec (1 min)   1.0E+00       1.0E+00    1.0E+00    1.0E+00

* The "Action Time" includes the time for the operator to operate the bypass switch and for the injected flow to provide adequate core cooling. For the first 4 cases, 1 minute until PCT is reached after pressure drops below shutoff head and 1 minute for switch manipulation.

@ Power Uprate calculations did not include the additional mass from feedwater pump coastdown. Including the additional water from feedwater pump coastdown increases the times in this Table by about 20 to 30 minutes.

¹ Time is reported in seconds and is based upon a 0.1 square foot SAFER-JESTER calculation.

+ Time is reported in seconds and is based upon a rupture of the recirculation system pump suction piping SAFER-JESTER calculation.

Manual Hand Wheel Operation of 1 of 4 ECCS Injection Valves (MOEV)

If the ECCS valves fail to open due to a failure of the power supplies or motor operator, then the bypass switch cannot be used to facilitate ECCS injection flow and core damage is inevitable. Vessel failure can still be avoided by manually stroking an ECCS valve using the hand wheel in the valve gallery. The action must be completed prior to bottom head dryout if vessel failure is to be avoided. The symptom to the control room operator to dispatch an operator is failure of the bypass switch to allow the ECCS valve to open.

The action time for the NPO to walk to the core spray valve gallery is 10 minutes, and an additional 20 minutes is assumed to open the valve. The valve only needs to be stroked about 10 to 15% for success.

The available time as a function of the event is presented in Table 7. The non-response probability and the bounds were obtained from Gertman and were checked for consistency and applicability. This action is categorized as, Manually Operate Systems Failed in the Automatic Mode, Group 3. The non-response probabilities are comparable to sensor failure probabilities indicating a failure of the bypass switch.

Table 7 Non-response Probability to Manually Operate the Low Pressure ECCS Injection Valve (Time in minutes unless specified)

Event                  Time to Vessel Failure   Time to Cue$   Action Time   Thinking Time   Lower Bound   Median     Mean       Upper Bound
Transient              236                      57             30            149             2.0E-05       9.9E-04    1.2E-02    4.0E-02
Small LOCA (S1B)       240                      55             30            155             2.0E-05       9.9E-04    1.2E-02    4.0E-02
Medium LOCA (L1D)      169                      34             30            105             2.0E-05       9.9E-04    1.2E-02    4.0E-02
Large LOCA-3 (S1C)     227                      64             30            133             2.0E-05       9.9E-04    1.2E-02    4.0E-02
Large LOCA-4 (L1E)*    38                       12             30            -4              1.0E+00       1.0E+00    1.0E+00    1.0E+00
Large LOCA-5 (L2D)     119                                     30            84              2.0E-05       9.9E-04    1.2E-02    4.0E-02

@ Power Uprate calculations did not include the additional mass from feedwater pump coastdown. Including the additional water from feedwater pump coastdown increases the times in this Table by about 20 to 30 minutes.

* Break at the bottom of the RPV head. Thus water continues to drain out of the vessel by gravity.

$ Cue taken as the time to core damage. Actually, the operator could realize that the initial action isn't successful when ECCS does not inject following operation of the bypass switch. However, the operator has until two minutes prior to core damage to operate the bypass switch. Therefore the cue time is taken as the time to core damage to cover all success scenarios.

Manual Initiation of Rapid Depressurization (MANADS)

There are two cases in which the operator will initiate manual ADS: first, as a backup when the automatic initiation logic system fails, and second, when the criteria used by the ADS logic are not satisfied, e.g. SBO and no low pressure ECCS pumps running. Each of these cases is discussed below.

The ADS system receives an initiation signal when the RPV water level drops to -129.

An RPV water level of -129 also causes an audible alarm and a visual alarm flashes on the C601. The ADS system also provides an initiation alarm and illuminates an alarm window on panel C601. Additionally, both bench board operators and the STA monitor the RPV water level and expect the ADS logic to initiate when the RPV water level falls to -129. Therefore the cue that the ADS logic is failed is an RPV water level of -129 and no ADS logic initiation alarm.

A possible cause for the operator to miss this cue is the belief that ECCS pumps are not running and therefore ADS initiation is not anticipated. This was assessed to be a possibility and was accounted for in the uncertainty bounds. When the operator has determined that the RPV water level cannot be maintained above -129 inches, EO-000-102 step RC/L-10 directs the operator to align and start low pressure ECCS pumps in anticipation of rapid depressurization. The cue for this decision is the failure of HPCI and RCIC to start at or before -38 inches and decreasing water level. Therefore the operator will become aware of the ECCS pump status shortly after the water level falls to -38 (about 10 minutes after trip), when they are manually initiated and their status is verified on the C601 benchboard. Additionally, the status of the ECCS is monitored by the STA and the unit supervisor. It requires about 36 minutes after trip for the RPV water level to fall to -129. Therefore the operator has about 26 minutes to become aware of the ECCS pump status.

Once the RPV water level falls to -129 and the ADS logic does not initiate, the operator will initiate rapid depressurization per EO-000-112. The operator has until core damage to initiate rapid depressurization, since the blowdown will result in significant core cooling. Core damage occurs about 79 minutes following reactor trip (blowdown at -205 rather than TAF per the above Table). Therefore the operator has about 43 minutes to manually back up the ADS logic failure. The non-response probability was obtained from Gertman. This action was treated as a Group 2 action, Use of Low Pressure Systems.

This choice is based upon Table 5-45 which includes depressurization after RCIC failure to allow use of low pressure injection. The failure probability is assessed at 0.00081, with upper and lower bounds of 0.13 and 0.000001 respectively.

In the second case, the ADS logic will not initiate because the pumps-running permissive will not be satisfied, since the low pressure ECCS pumps require AC power. Without low pressure pumps aligned and operating, EO-000-102 steps RC/L-16 & RC/L-22 instruct the operator to delay initiating emergency depressurization until the RPV water level drops to -205 inches. However, credit is only being taken in this case for avoiding high pressure vessel failure. Vessel failure is avoided if injection is restored prior to bottom head dryout. Bottom head dryout occurs in the high pressure boiloff case at about 186 minutes after trip. The operator can initiate ADS just prior to bottom head dryout to avoid a high pressure vessel failure. As in the first case, the cue that manual depressurization may be required is an RPV water level of -38 inches and coincident HPCI and RCIC failure, which occurs about 10 minutes after trip. Therefore the operator has about 176 minutes to contemplate manually initiating Rapid Depressurization. NUREG/CR-4835 presents a similar situation, SBO with loss of high pressure injection. In the NUREG case, however, the operator has 118 minutes to evaluate the plant conditions and initiate a rapid depressurization to prevent core damage. Given these conditions the non-response probability was estimated to be 1.0 x 10 by the analysts who prepared the NUREG. In the case being considered here, the operator has 176 minutes to evaluate the plant condition and initiate a rapid depressurization. Using the time reliability curve used to generate the non-response probability for the case cited in reference 7, and an error factor of 10, the non-response probability and bounds are estimated to be:

lower bound = 1.0 x 10, median = 3 x 10, mean = 8.0 x 10, upper bound = 1.1 x 10.

2.3 Field Operations During Station Blackout.

During a Station Blackout the operators enter the symptom based EOPs as well as EO-1/200-030, Unit 1/2 Response to Station Blackout. The symptom based EOPs govern operator actions while EO-1/200-030 provides SBO specific instruction: on restoring both onsite and offsite AC power; and on prioritizing operator action to enhance the station's ability to cope with the SBO. Many of the coping actions identified in EO-1/200-030 require operator action in the plant. Of particular relevance to the IPE are:

1. Local transfer of the DC power supply to the diesel generators,
2. Local initiation and operation of the diesel generators,
3. Connection of OG503 to the DC battery chargers,
4. Connection of the fire protection system for injection into either the RPV or the Drywell,
5. Substitution of the E diesel generator into one of the 4 KV busses.

While these actions are directed from the control room in accordance with the symptom based and SBO specific procedures, the station relies on field operators for their implementation. The following minimum complement of operators is available:

1 Nuclear Plant Operator (NPO) per reactor building = 2 NPOs
1 NPO per turbine building = 2 NPOs
1 NPO for the diesel generators = 1 NPO
1 Auxiliary Systems Operator (ASO) for the Rad Waste Building = 1 ASO
1 ASO for the pump house buildings = 1 ASO
Auxiliary Unit Supervisor (AUS) = 1 AUS

Therefore there are 7 operators to implement these actions and an AUS to supervise the activities. Each of these operators is identified using the following nomenclature in the following discussion:

NPO-R1 = NPO in the Unit 1 reactor building, NPO-R2 = NPO in the Unit 2 reactor building, NPO-DG = NPO in the diesel generator building, NPO-T1 = NPO in the Unit 1 turbine building, NPO-T2 = NPO in the Unit 2 turbine building, ASO-P = ASO in the pump house, ASO-R = ASO in the rad waste facility, AUS = AUS.

The priority of the actions identified will depend upon the status of equipment used to respond to the SBO.

Given a Loss of Offsite Power and failure of all four ESS busses to energize, the unit supervisor will enter EO-000-102 and EO-1/200-030 and direct the control room and field operators to implement the actions identified in EO-000-102, -103 and EO-1/200-030.

Each of the specific actions identified above is called for in the procedure and is discussed below.

Local Transfer of the DC power Supply to the Diesel Generators and Local Initiation and Operation of the Diesel Generators (BATTFSW)

A potential cause of SBO is a common cause failure of all four unit batteries. Failure of the batteries will prevent the diesels from starting, as the valves which must open to provide compressed air to crank the diesels require DC power to open. This situation can be rectified in at least the following three ways:

1. The NPO-DG can perform the common load transfer per ON-1/202-610(20),(30),(40), and energize the diesels from the unit two batteries, as these batteries are not susceptible to the same common cause failure as the unit one batteries (battery common cause failure is attributed to improper restoration after maintenance; battery maintenance is performed during refueling outages, therefore the battery maintenance of the two units occurs one year apart),
2. The NPO-DG can manually open the air starting valves to allow the diesel to crank, (residual magnetism in the generator is sufficient to flash the field),
3. The NPO-DG can connect the Blue Max to the charger load centers and provide DC power to the air starting valves through the chargers.

Item 1 is considered in this Section. It represents an action that the NPO-DG is expected to perform based upon the EOPs and ONs, and it is performed as part of normal plant evolution. Item 2 is incorporated into the diesel recovery probability calculation, in that the action is not proceduralized and would more typically be performed after troubleshooting. Finally, item 3 is proceduralized. However, this action requires approximately an hour to complete and therefore would not likely be completed prior to core damage.

Therefore only the first item is considered in this section.

Once the control room has completed the immediate response actions, the shift supervisor will begin to implement EO-1/200-030. The first field action encountered is step 2.3.3, manual local start of the diesel generators. The shift supervisor will dispatch the NPO-DG to perform these local actions. It is estimated that the NPO-DG would be at the diesel bay and ready to implement the procedures in no more than 5 minutes. The actual local start of the diesel generators is directed from Section 3.5 of OP-024-001.

Step 3.5.5b3 requires the NPO-DG to observe the status of the DC power on the local control panel. If the DC window is extinguished, the NPO-DG is instructed to restore DC power. ON-1/202-610(20),(30),(40), Loss of DC Bus 610(20),(30),(40), provides instructions on the common load transfer. The common load transfer requires changing the position of two switches. This action is currently normally performed prior to the unit one battery discharge test. The local start of the diesel requires: selecting local control on the selector switch, selecting the Isochronous mode on the governor selector switch, and depressing the diesel start buttons. These steps are highly dependent. If the NPO-DG is successful at restoring DC power then it is unlikely that he would not initiate the diesel.

It is conservatively estimated that the operator requires 15 minutes to: observe the DC indicator window on the local control panel, perform the common load transfer and initiate the diesel. This 15 minute estimate bounds the value of five minutes estimated by Gertman and nine minutes for similar local actions. The diesel must be initiated prior to core damage given a high pressure boil off. Core damage occurs during the high pressure boil off at 79 minutes. Given these times the decision time is estimated to be:

Td = Tcd - Ta = 79 - (15 + 5) = 59 minutes.

The non-response probability is estimated to be:

lower bound = 0.0042, median = 0.034, mean = 0.065, upper bound = 0.22.

The estimates are based upon Gertman, Group 9 activity, Local Operation of Manually Controlled Components When Control Room Operations Fail.

Connection of OG503 to the DC battery chargers (OCBMAX)

After the initial response actions and initial efforts to start the diesel generators are complete, the shift supervisor will contact the Power Control Center (PCC) to obtain a projected time for recovery of offsite circuits. If the projection exceeds 30 minutes, then the shift supervisor will instruct the field operator to connect the Blue Max (OG503) to the load center providing power to the battery chargers per ES-002-001. This action is identified as a high priority action per EO-1/200-030 and implements the accident management strategy of conserving battery capacity identified in GL 88-20 Supplements 2 & 3. The exact NPO dispatched to implement the action depends upon a number of conditions. If the E diesel generator was substituted prior to the event, then the NPO-DG will probably implement the ES. If the E diesel is available for substitution, then one of the four NPOs assigned to either the reactor building or turbine buildings will likely implement the ES. All control room operators and NPOs are trained in implementing ES-002-001.

The non-response probability is estimated using data in Gertman. It is conservatively estimated that the shift supervisor instructs the NPO to connect OG503 to the charger load centers at 30 minutes following the SBO. The time allotted to complete the action is 1 hour. The connection should be completed prior to core damage from loss of injection due to battery discharge, which occurs at 12.2 hours after the SBO. Therefore the diagnosis and analysis time is estimated to be:

diagnosis and analysis time = 12.2 hours - 1 hour - 1/2 hour ≈ 10 hours.

The non-response probability is estimated to be:

lower bound = 0.0007 median = 0.0047 mean = 0.0087 upper bound = 0.25.

The estimates are based upon Group 8 activity, Request to Use the Last System of Defense.

Connection of the Fire Protection Water for Injection into Either the RPV or the Drywell (OFAFMVI)

Following the reactor trip with SBO, the shift will implement EO-000-102 RPV Control and EO-000-103 Primary Containment Control. The Level Leg in EO-000-102, step RC/L-4, instructs the operator to Restore and Maintain the RPV water level between +13 and +54 using Table 3 systems. If RPV level cannot be restored and maintained above +13 inches, EO-000-102 step RC/L-5 authorizes the use of Table 5 systems, which include the fire main. During SBO, RCIC and HPCI are the only Table 3 systems that can operate without AC power. Therefore if these systems are failed during SBO the operator will not be able to restore the RPV water level above +13 using Table 3 systems and will then use Table 5 systems. Use of the fire main also implements the accident management strategy identified in GL 88-20 Supplements 2 & 3.

The cue used to determine that RPV water level cannot be maintained above +13 inches is level 3 (-38 inches) and failure of HPCI and RCIC to initiate. RCIC initiates at -30 inches and HPCI at -38. It takes the RPV level about 10 minutes to reach -38 inches. Therefore the operator will receive a cue to tie in the fire main at about 10 minutes following reactor trip. Additionally, EO-1/200-030 specifically directs the shift to tie in the fire main system for injection. Therefore the operator has ample cues to tie in the fire main system. The limiting time for connecting the fire main is short term SBO with failure of HPCI and RCIC. In this case the fire main injection will not prevent core damage, but will prevent vessel failure. Therefore the fire main must be connected prior to bottom head dryout, which occurs at 248 minutes after trip. The fire main connection is made per ES-013-001. Implementing this procedure requires work at the ESW pump house and at the RHR valve galleries in the reactor building. The pump house activity is performed by the ASO-P and consists of attaching a fire hose to a fire hydrant and to a valve in the basement of the pump house, and opening the hydrant and the valve. These activities require about 25 minutes. Five minutes is added to this time to account for walking from the circulating water pump house to the ESW pump house. Therefore 30 minutes is allotted to complete this action. The valve gallery activity is performed by either NPO-R1 or NPO-R2 depending on the unit with the HPCI and RCIC failure. The valve gallery work requires about 30 minutes to complete. While parts of the pump house and valve gallery work can be performed in parallel, the final action, opening the injection valve, must be performed by NPO-R1/2. Therefore it is conservatively assumed that these actions are performed in series for a total action time of about 60 minutes. Using this information the time available to think is computed to be:

diagnosis and analysis time = 248 - 60 = 178 minutes.

The non-response probability is estimated to be:

lower bound = 0.00089 median = 0.019 mean = 0.075 upper bound = 0.29.

The estimates are based upon Gertman, Group 8 activity, Request to Use the Last System of Defense. This estimate is consistent with the RMIEP estimate of 0.018 for tie-in of the fire main. The RMIEP estimate, however, is based upon connection in 130 minutes rather than 168 minutes. The relatively high upper bounds account for the possible operator stress and confusion factors.

Substitution of the E diesel generator into one of the 4 KV busses (OED).

The Susquehanna plant is equipped with a maintenance swing diesel which can be substituted for any of the four 4 KV diesel generators. EO-1/200-030 step 2.9 instructs the shift to substitute the E diesel using OP-24-004 as appropriate when manpower is available. EO-1/200-030 places a higher priority on tie-in of the Blue Max than the E diesel. The limiting event for connecting the E diesel is an SBO with failure of HPCI and RCIC. As in the case of the fire main, the E diesel is not being credited for preventing core damage, but for preventing vessel failure. Therefore the E diesel must be connected prior to bottom head dryout, which occurs at 248 minutes after trip. Diesel substitution occurs about 10 times a year. The substitution requires as little as 45 minutes and as long as 2 hours, with about an hour as the mean time. The substitution requires alignment of two breakers in the E diesel building and one breaker in the substituted diesel building.

Emergency lighting is available in both diesel bays to facilitate the tie-in. The E diesel is self contained in that it has its own fuel supply, air starting system and battery supply. It is assumed that the substitution will be performed by the NPO-DG after completing the connection of the Blue Max and will commence the substitution 1.5 hours after the initiating event. However, all NPOs are trained and capable of the substitution and may start well before an hour and a half. Additionally, the E diesel substitution is performed every time a diesel is removed from service for maintenance.

Using this information the time available to think is computed to be:

diagnosis and analysis time = 248 - 90 - 60 = 98 minutes.

Based upon Gertman, the non-response probability is estimated to be:

lower bound = 0.0016 median = 0.015 mean = 0.036 upper bound = 0.13.

The estimates are based upon Group 5 activity, Restoration of Offsite Power, non-Safety related electrical buses or supply equipment.

2.4 Entering Appropriate Procedures.

The preceding discussions are based upon the operator entering the appropriate procedure given the existence of an entry condition. If the operator does not enter the appropriate procedure, then the assessments discussed above may not be applicable. Issues associated with entering the appropriate procedure have been addressed through the procedure validation and verification program, and through the procedural and interface defense in depth evaluations discussed in Section 2.1. These activities are documented in validation reports and PORC-approved Safety Evaluations. This Section provides an evaluation of the impact on the calculated risk of entering the inappropriate procedure.

As described in Section 2.2, EOPs are to be entered given the existence of an entry condition. Given the existence of an entry condition, the operator may respond in one of the following ways:

1. enter the appropriate procedures and execute the steps with a given probability of success,
2. misinterpret the entry condition and enter an inappropriate procedure,
3. fail to respond to the entry condition for some unspecified reason.

Failure to respond due to an instrument malfunction is included in the second response, since the inability to determine a parameter is itself an entry condition (e.g. power > 5% or unknown, RPV level unknown, etc.). Responding to issue 1 is the subject of previous sections of this calculation. Issue 2 is reviewed in this Section. The third response is outside the scope of PRA analysis and is addressed through the screening operators go through prior to being licensed and the on-going operator surveillance programs. That is, it is judged sufficiently unlikely that operators will do nothing when faced with an EOP entry condition that this possibility is not considered in the IPE.

The EOP entry conditions (RPV level < 13", RPV pressure > 1087 psig, drywell pressure > 1.72 psig, and reactor power > 5% or unknown concurrent with a valid scram condition) are unambiguous and are displayed on multiple diverse instruments including the Safety Parameter Display System (SPDS). Additionally, the inability to determine a parameter is an entry condition to either an Off-Normal (ON) or Emergency Operating Procedure (EOP). The operating shift has committed these conditions to memory and trains on their use every six weeks on a high fidelity plant specific simulator. Therefore entering an inappropriate procedure is considered extremely rare. However, the EOP entry conditions were reviewed against the entry conditions for ONs and EOPs to identify the potential for confusion which may result in entering the inappropriate procedure.

This review resulted in the following list of ONs and EOPs:

ON-1/200-004, Rx Power Greater than 100%,

ON-1/255-001, Control Rod Problems,

ON-1/283-001, Stuck Open SRV,

EO-000-102, RPV Control, and

EO-000-113, Level Power Control.

For the operator to misinterpret an EOP entry condition as one of the above would require ignoring all the other diverse cues that occur. Additionally, the entire operating crew would have to make the same misinterpretation. Given their training and the diversity in entry conditions, the chance of the above misinterpretation is truly remote.

An evaluation of each of these procedures follows.

The full ATWS event results in a power spike in the 400% range. However, a partial or low power ATWS results in a smaller power spike. A low power ATWS could be misinterpreted, though this is highly unlikely, as power greater than 100%, resulting in entering ON-1/200-004, "Rx Power Greater than 100%". This ON instructs the operator to promptly reduce power level and execute an OD-7 (process computer core monitoring and control rod position program). If the turbine remains on-line then no containment threat exists and the potential damage from over-power is avoided by the power reduction. If the turbine trips, the SRVs will discharge to the suppression pool, causing rapid heat up of the suppression pool. 90 °F is an entry condition for Primary Containment Control, EO-000-103. During a turbine trip ATWS the suppression pool temperature will reach 90 °F in a minute or less. This entry condition is diverse from the initial one, high power, that was misinterpreted by the operator, and requires entry into EO-000-102 with a prompt reactor scram. After entering and scramming the reactor, the operator checks the position of the control rods. If more than one rod is at a position greater than 00, or power is unknown, the operator will initiate SLCS. Therefore, if the operating staff misinterprets the initial ATWS cue as power in excess of 100%, ON-1/200-004 and diverse cues will direct the operator to the appropriate actions. The net impact of this misinterpretation is a delay in SLCS initiation by at most a few minutes. For the full isolation ATWS, the operator has almost 40 minutes to initiate SLCS. A review of the SLCS response time data shows that in the most limiting case (FW available) the operator has at least 2 minutes to initiate SLCS to avoid core damage for the full turbine trip case, considering no other mitigating actions (note that no credit for SLCS has been taken for mitigating the turbine trip ATWS in the IPE). The ON calls for power reduction, which is consistent with the ATWS procedure, which calls for the runback of the recirculation and feedwater pumps. The mean probability of initiating feedwater pump runback in 3 minutes is 26%. Additionally, the probability of initiating SLCS in two minutes is 6%. Clearly the probability of misinterpreting a high power ATWS is far less than these percentages. Therefore the risk impact of this misinterpretation is negligible.

A partial ATWS may be misinterpreted as drifting control rods. Should this occur, the operator will enter ON-1/255-001, Control Rod Problems. This procedure requires the operator to insert a scram if more than 3 rods are drifting. Therefore, as in the case of ON-1/200-004, the net impact of this misinterpretation is a delay in SLCS initiation.

During a high power ATWS the SRVs will actuate and remain open. This condition may be interpreted as a stuck open SRV, and the operator will enter ON-1/283-001, Stuck Open SRV. This procedure requires scramming the reactor if the SRV remains open for more than two minutes. The stuck open SRV will result in rapid suppression pool heating. A reactor scram and EOP entry occur when the suppression pool exceeds 90 °F, which should occur in less than 1 minute. Therefore the net impact of this misinterpretation is a delay of a few minutes in the initiation of SLCS.

The operator could properly enter the EOP, but misinterpret the status of the control rods.

The operator has at least three methods of verifying the control rod position: the full core display, the RSCS display and an OD-7 edit from the process computer. The procedure provides diverse methods of determining reactor power. Therefore the operator may fail to enter the appropriate EOP for the following reasons:

1. misinterpret an "all rods in" as a low power ATWS and enter EO-000-113,
2. misinterpret a low power ATWS as drifting control rods, or
3. believe the severity of an ATWS rod insertion failure is small and choose to remain in EO-000-102.

Case two was previously addressed. Cases one and three are addressed below.

The operator may misinterpret the status of the control rods and enter EO-000-113. In this case the power would be less than 5%; otherwise the transfer to EO-000-113 is appropriate. The actions in EO-000-113 are completely consistent with EO-000-102, with one exception. EO-000-113 requires initiation of SLCS when the suppression pool temperature reaches 110 °F. Inadvertently initiating SLCS has no adverse impact on response to an initiating event. Therefore case 1 has no impact on plant risk.

Case three involves an intentional deviation from the procedures given the perception by the operating staff that the ATWS is not severe. Case 3 is clearly a violation of the operators' training and would probably result in termination of the employee from the company. Given this is the case, the operating staff would initiate manual rod insertion.

Reviewing the description in Section 2, the shift can conservatively commence MRI within 19 minutes for the full ATWS case and avoid plant damage. In the partial case the operator has over 40 minutes to start. Therefore, in the absence of additional failures, the decision to remain in EO-000-102 has no impact on plant risk. Should additional failures occur, the impact of the procedural error depends upon the severity of the ATWS and the additional failures. Clearly these cases are less probable and less likely to result in a failure to transfer to the ATWS contingency. As an example, an electrical ATWS which results in a checkerboard rod insertion pattern (failure of 2 scram relays) results in a hot shutdown configuration. Therefore this type of ATWS responds like a normal transient as long as the reactor remains hot. Failures in addition to the ATWS, such as HPCI and RCIC failures, would require eventual RPV depressurization to allow injection with the condensate or LPCI pumps. However, the boildown time to TAF is on the order of 40 minutes. It requires about 45 seconds to stroke a rod from full out to full in. Therefore, it is likely that at least 30 additional rods would be driven into the core prior to depressurization. Forty rods is sufficient to suppress core damage induced from unstable operation. Therefore failing to follow the ATWS procedure in case three has a small impact.

As described above, the Susquehanna procedures are very forgiving should the operating staff misinterpret an entry condition or be confused by the symptoms. This robust nature of the procedures is a direct result of application of the Severe Accident Defense in Depth Criteria. These criteria ensure that multiple and diverse success paths exist and that the facilities and time are available for the operator to reliably implement the procedures, given additional failures beyond those causing the event in the first place.

This is illustrated by examining the reactivity control function. The Susquehanna reactivity control procedure contains:

Level reduction, but with a 100" band above TAF rather than a 30" band below TAF,

SLCS initiation when the reactor power exceeds 5% rather than waiting until the suppression pool temperature exceeds 110 °F or the power oscillations exceed 25%,

Elimination of the HCTL and PCPL, which extends the minimum time to SLCS initiation from 2 minutes to 40 minutes in the full MSIV closure ATWS, and

Installation of a bypass switch in the control room that allows prompt initiation of manual rod insertion.

Application of the Defense in Depth Criteria has resulted in a marked reduction in risk associated with the operation of the Susquehanna plant.

2.5 Treatment of Restoration of Offsite Power and Diesel Generators.

Credit for the restoration of offsite power and diesel generators was included in the Susquehanna IPE. Models from NUREG 1032 were used to estimate the likelihood of offsite power recovery as a function of time. The application of the NUREG 1032 model in the IPE is consistent with its application to the Station Blackout Rule, which the NRC approved through an SER. IPE Volume II page A-235 and Volume IV pages F-5 through F-8 provide a discussion of how this model was applied to Susquehanna. Figure 5 provides a comparison of the Susquehanna and the NUREG 1150 Peach Bottom offsite power nonrecovery probability as a function of time. These two curves compare reasonably well.

Recovery of diesel generators was also included in the Susquehanna IPE. The recovery curve was developed from evaluation of plant maintenance records. Section C.2 of the Susquehanna IPE discusses the method used to construct the recovery curve. Figure 6 compares the Susquehanna diesel nonrecovery probability with the curve used in NUREG 1150. The NUREG 1150 diesel recovery model is specific to the cause of diesel failure. These recovery curves were consolidated for comparison with Susquehanna by weighting each nonrecovery curve by the relative probability of the particular diesel failure mode. As in the case of offsite power recovery, the curves show reasonable agreement.

Figure 5: Comparison of LOOP Nonrecovery Probability for Susquehanna & NUREG 1150 (nonrecovery probability, 0.001 to 0.1, versus time in hours, 0 to 20; curves for SSES and NUREG 1150).

Figure 6: Comparison of Susquehanna and NUREG-1150 Diesel Nonrecovery Probability (nonrecovery probability, 0 to 0.9, versus time in hours, 0 to 16; curves for SSES and NUREG 1150).

3.0 Pre-initiator Human Errors

Pre-initiator human errors are defined as errors which leave components or systems unavailable and in an undetected state prior to an initiating event. Pre-initiator human errors were treated in the Susquehanna IPE by including the unavailable time attributable to them in the total equipment out of service time. This time was identified by review of plant records. Subsequent to the preparation of the Susquehanna IPE, and in response to NRC questions concerning the treatment of pre-initiator human errors, the maintenance records were re-examined to identify specific instances of undetected system unavailability caused by pre-initiator human errors. Additionally, instrument surveillance records were examined to determine the difference between the "as left" versus "as found" settings. This second activity was performed to determine if a significant difference existed between these readings, which would be the case if a significant mis-calibration took place.

The evaluation of plant maintenance records included a review of Equipment Release Form (ERF) and Significant Operating Occurrence Report (SOOR) summaries from July 1987 until January 1990 for the following systems: SLCS, CRD, RCIC, HPCI, CS and RHR. This information is included in EC-RISK-503, which documents the work performed to develop component unavailabilities. Human errors that resulted in unavailability of a system, but were discovered as part of the restoration, were not counted as a pre-initiator human error since the restoration procedure is intended to detect these particular errors. However, the unavailable hours associated with the error were included in the outage time. Only those human errors that are detected after the system is declared operable are included in this tally. Using this criterion, the following pre-initiator human errors were identified for the time period identified above:

Reference Number    Description
SOOR 87-368         Turbine isolation valves closed due to technician error
SOOR 88-5           Incorrect fuses were removed causing HPCI unavailability
SOOR 2-89-11        PSV-2F018 wired shut, thus preventing it from opening.

During this time period there were 1305 occasions in which the equipment was released by operations to allow maintenance activities or modifications to proceed. Using this data, a mean pre-initiator human error probability of p = 3/1305 = 2.3 x 10^-3 per maintenance activity is obtained. The upper and lower bounds are computed using a binomial distribution. Using these bounds the median was computed assuming a lognormal distribution.

lower = 1.1 x 10^-3
median = 2.0 x 10^-3
mean = 2.3 x 10^-3
upper = 6.0 x 10^-3

This probability and associated bounds were used to estimate the probability that a standby system or component would be unavailable due to a pre-initiator human error.

These errors are treated as random variables. Pre-initiator human errors that impact multiple components or trains of a system are treated as dependent failures.

This pre-initiator human error probability was assigned to the following systems and components:

Basic Event Name    Description
SLCS8               SLCS Block F not properly restored from maintenance.
CRD8                Alternate CRD pump not properly restored from maintenance.
DGA-D8              Diesel generators A-D not properly restored from maintenance.
LPCIIVA/B8          LPCI injection valve HV-1/251F015A/B not properly restored from maintenance.
RCIC8               RCIC not properly aligned after maintenance.
HPCI8               HPCI not properly aligned after maintenance.
CCSIVA/B8           Core Spray injection valve HV-1/251/2F005A/B not properly restored from maintenance.

Pre-initiator human errors were not assigned to systems that support suppression pool cooling. Suppression pool cooling is operated on at least a weekly basis and often daily. Therefore failure to restore a component used for suppression pool cooling would be identified within a short period of time. These systems and components include the RHR pumps and valves that are used for suppression pool cooling, RHRSW and Emergency Service Water.

Pre-initiator human errors associated with Instrumentation Technician miscalibration were included in the IPE. A value of 1 x 10 was assigned for four common sensors.

This estimate was compared to one derived from a similar evaluation performed by General Electric and approved by the NRC in support of the BWROG effort to extend surveillance test intervals. GE estimated that the probability of miscalibration was 2.0 x 10 . Based upon the value used in the Susquehanna analysis and the cited GE report, failure of system actuation due to I&C technician miscalibration was dominated by DC failures for Susquehanna. This result was corroborated by an audit calculation performed prior to implementing the new technical specifications at Susquehanna. Again this conclusion was supported by a review of instrumentation calibration sheets. Examples of these data are provided in the attached table. Recently this conclusion was revisited. An audit calculation was performed using the ASEP method to evaluate the probability of four like sensors being mis-calibrated. A value of 3 x 10 was derived as the probability of mis-calibration. The ASEP method was developed as a conservative screening tool.

Therefore, given the large uncertainties, these estimates are consistent.

Finally, the degree of miscalibration is a significant issue to consider when pondering the likelihood of instrumentation miscalibration leading to loss of system actuation.

Consider the low pressure permissive pressure sensors. Reviewing LOCA and Transient calculations demonstrates that the I&C technician would have to miscalibrate the sensors by at least 150 psig. Reviewing the attached drift records shows that this event would at best

References

1. The Importance of Properly Treating Human Performance in Probabilistic Risk Assessments. C. A. Kukielka et al., Proceedings from the International Topical Meeting on Advanced Reactor Safety, Volume II, Orlando, FL, June 1-5, 1997.

2. Letter from G. W. Boughman to H. W. Palmer. Subject: EO-000-113 Rev. 5 Validation Report, PLI-74839, and Susquehanna Steam Electric Station System 1 Validation Report, Vol. 1 & 2.

3. Safety Evaluations NL 16 through NL 92-26 and NL-92-28 address EOPs. These safety evaluations are being revised as part of the Accident Management Implementation Project.

4. THERP, NUREG/CR-1278.

5. A Guide to Practical Human Reliability Assessment, Barry Kirwan, Taylor & Francis Publishing Company.

6. Human Reliability and Safety Analysis Data Handbook, David I. Gertman and Harold S. Blackman, John Wiley and Sons, 1994.

7. Comparison and Application of Quantitative Human Reliability Analysis Methods for the Risk Methods Integration and Evaluation Program, Final Report, L. N. Haney et al., NUREG/CR-4835.

8. The mean time to place the mode switch in shutdown is 5.6 seconds with a standard deviation of 5.3 seconds. The existence of an ATWS is confirmed on the average in 8.2 seconds with a standard deviation of 4.8 seconds. The greatest time to confirm an ATWS was 15 seconds.

9. The three occasions when IA was cross connected to CIG to prevent an MSIV isolation are: 3/18/92 SOOR 2-92-024, 6/13/95 CR 95-0254 & 8/2/96 CR 96-1069. CR 96-1069 discusses loss of 1A201. This bus provides control power to both CIG compressors, which trip on loss of control power. The MSIVs were maintained open with IA. Additionally, the cross tie was witnessed by Mike Murphy and Jerry Meartz of SE.

10. Statistical Models and Methods for Life Time Data, J. F. Lawless, John Wiley and Sons, 1982.

11. Methods for Statistical Analysis of Reliability and Life Data, N. R. Mann, R. E. Schafer, & N. D. Singpurwalla, John Wiley and Sons, 1974.

12. An Approach to the Construction of Parametric Confidence Bands on Cumulative Distribution Functions. Paul Kanofsky and R. Srinivasan, Biometrika (1972), 59, 3, p. 623.

13. See reference 15 and NEDO-32047, "ATWS Rule Issues Relative to Core Thermal-Hydraulic Stability", General Electric Company, January 1992.

14. EO-000-113 Rev 9, step LQ/L-15.

15. SABRE Calculations to Support Technical Basis of the IPE and ATWS EOPs. EC-EOPC-0519 Rev 1. M. A. Chaiko.

16. SABRE Calculations to Support Technical Basis of the IPE and ATWS EOPs. EC-EOPC-0519 Rev 1. M. A. Chaiko.

17. SSES IPE Vol. 4, page F281.

18. Comparison and Application of Quantitative Human Reliability Analysis Methods for the Risk Methods Integration and Evaluation Program, Final Report, L. N. Haney et al., NUREG/CR-4835.

19. Human Reliability and Safety Analysis Data Handbook, David I. Gertman and Harold S. Blackman, John Wiley and Sons, 1994.

20. The BWROG EPG Rev. 4 Inhibit of the ADS is not incorporated into the Susquehanna Procedures. Safety Evaluation for EO-1/200-102, NL-92-023.

21. Susquehanna IPE Vol. 4, December 1991.

22. Feed Water Coast Down Measurement of a BWR. C. A. Kukielka et al., Sixteenth Water Reactor Safety Information Meeting.

23. SAFER/GESTR-LOCA Analysis Basis Documentation of Susquehanna Steam Electric Station. D. C. Pappone, GE-NE-187-22-0992, Sept. 1993.

24. This estimate is based upon simulator observations, discussion with operators and operator trainers, and an independent assessment performed by MPR Associates, Independent Assessment of "E" Emergency Diesel Generator Operability at Susquehanna Steam Electric Station, MPR-1789, December 1996.

25. Table 5-56 allows 15 minutes to locally start or stop a system. Ten of the fifteen minutes are attributed to walking to the location of the action. Therefore the actual time to perform the action is 5 minutes. MPR estimates 9 minutes (steps 16 - 20) to perform similar actions; however, the diesel is running in the MPR case, which would make diagnosis more difficult.

26. Generic Letter 88-20, Supplements 2 & 3.

27. Supply 125 VDC Loads During SBO with Portable Diesel Generator in Accordance with ES-002-001. Job Performance Measure 200.050.01, Rev. 1.

28. SSES IPE Vol. 4, Section F.1, page F-32.

29. Table 3 systems include: feedwater, condensate, CRD, RCIC, HPCI, core spray and LPCI.

30. Fire Protection System Cross-Tie to RHRSW, ES-013-001 (at the ESW Pumphouse). Job Performance Measure 9.13.001.102, Rev 0.

31. The fire main has sufficient capacity to supply both units with water. Priority will be provided to the unit with the more urgent need; however, sufficient manpower is available to connect both units in parallel if both units suffered a loss of HPCI and RCIC.

32. Fire Protection System Cross-Tie to RHRSW, ES-013-001 (from Unit One control room). Job Performance Measure 9.13.001.101, Rev 0.

33. Unlike the BWROG EPG, the ADS is not inhibited in the Susquehanna EOPs when the reactor power is less than 5%.

34. Letter from George F. Maxwell, USNRC, to H. W. Keiser, PP&L. Subject: Supplemental Safety Evaluation for Susquehanna Steam Electric Station, Units 1 and 2.

35. Analysis of Component Outage & Failure Data for Use in the IPE. EC-RISK-0503 Rev. 1, formerly RA-B-NA-033.

36. Technical Specification Improvement Methodology (with Demonstration for BWR ECCS Actuation Instrumentation) Part 1, NEDE-30936P-A, Class III, Dec. 1988.

37. Letter from A. C. Thadani to D. N. Grace, subject: General Electric Company (GE) Topical Report NEDC-30936P, "Technical Specification Improvement Methodology (with Demonstration for BWR ECCS Actuation Instrumentation) Part 1".

38. Risk Impact of Changing the ECCS Actuation Instrumentation Allowed Outage Time and Surveillance Test Intervals, EC-RISK-1046, C. A. Kukielka.

39. EC-049-1019 and EC-049-1020.

40. Human Error Probability for Instrumentation Calibration Using the ASEP Method, EC-RISK-1064.

Appendices

Appendix A

A.0 Methods Used to Estimate Lognormal and Weibull Parameters

Susquehanna simulator data was fit to the cumulative Lognormal and cumulative Weibull distribution functions. These distributions are then used to estimate the probability of performing a particular action within a given time. The probability of failure is estimated using the complementary cumulative distribution. The methods used to perform these fits are discussed in the excellent texts by Lawless and Mann. The data is failure truncated and therefore the fit procedures appropriate for Type II censoring are applied.

A.1 Lognormal Distribution

The Susquehanna simulator data was fit to the cumulative Lognormal distribution as defined by the MICROSOFT EXCEL 5 function LOGNORMDIST. Maximum likelihood estimates of the distribution location parameter, $\mu$, and scale parameter, $\sigma$, are obtained for complete samples from the following equations from Mann:

$$\hat{\mu} = \frac{1}{n}\sum_{i=1}^{n} \ln X_i \qquad \text{Eq. A.1}$$

$$\hat{\sigma} = \sqrt{\frac{1}{n}\sum_{i=1}^{n} (\ln X_i)^2 - \left(\frac{1}{n}\sum_{i=1}^{n} \ln X_i\right)^2} \qquad \text{Eq. A.2}$$

Here:

$\hat{\mu}$ = mle of the location parameter, $\hat{\sigma}$ = mle of the scale parameter, and $X_i$ = the observations of the random variable.

A.2 Weibull Distribution

The Susquehanna simulator data was fit to the cumulative Weibull distribution as defined in equation A.3.

$$F(t) = 1 - \exp\left[-\left(t/\alpha\right)^{\beta}\right] \qquad \text{Eq. A.3}$$

Maximum likelihood estimates of the distribution scale parameter $\alpha$ and shape parameter $\beta$ are obtained using the following equations from Lawless.

$$\hat{\alpha} = \left(\frac{1}{r}\sum^{*} t_i^{\hat{\beta}}\right)^{1/\hat{\beta}} \qquad \text{Eq. A.4}$$

$$\frac{\sum^{*} t_i^{\hat{\beta}} \ln t_i}{\sum^{*} t_i^{\hat{\beta}}} - \frac{1}{\hat{\beta}} - \frac{1}{r}\sum_{i=1}^{r} \ln t_i = 0 \qquad \text{Eq. A.5}$$

Note that in general the "*" is defined as follows:

$$\sum^{*} w_i = \sum_{i=1}^{r} w_i + (n - r)\, w_r \qquad \text{Eq. A.6}$$

In the case of the simulator data, r = n. Therefore, $\sum^{*} t = \sum t$.

$\hat{\beta}$ is defined implicitly in equation A.5. Therefore estimates for $\hat{\alpha}$ and $\hat{\beta}$ are determined iteratively.
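The Appendix A estimators carried out in code, as an added example that is not part of the original calculation: Eq. A.1 and A.2 for the lognormal fit, and Eq. A.4 to A.6 for the Weibull fit with Eq. A.5 iterated the way Appendix C does it, run on the SLCS initiation times and the non-zero mode switch times tabulated in Appendix C. The function names are this example's own.

```python
"""Added example: lognormal (Eq. A.1, A.2) and Weibull (Eq. A.4 to A.6) MLE fits of
operator response times, following Appendix A of this calculation.
Function names are this example's own, not the calculation's."""
import math

# From Appendix C: SLCS initiation times in seconds (n = 6, complete sample, so r = n).
SLCS_TIMES_S = [32, 45, 61, 70, 80, 90]
# From Appendix C: the nine non-zero mode switch times, converted to minutes
# (the zero cases are withdrawn because ln(0) is undefined).
MODE_SWITCH_MIN = [t / 60.0 for t in (4, 5, 5, 5, 6, 8, 10, 13, 17)]


def lognormal_mle(times):
    """Eq. A.1 and A.2: location mu and scale sigma of ln(X) for a complete sample."""
    n = len(times)
    logs = [math.log(t) for t in times]
    mu = sum(logs) / n
    sigma = math.sqrt(sum(v * v for v in logs) / n - mu * mu)
    return mu, sigma


def lognormal_cdf(t, mu, sigma):
    """Cumulative lognormal, the quantity Excel's LOGNORMDIST(t, mu, sigma) returns."""
    return 0.5 * (1.0 + math.erf((math.log(t) - mu) / (sigma * math.sqrt(2.0))))


def censored_sum(values, n):
    """Eq. A.6: sum over the r observed values plus (n - r) copies of the r-th value
    (Type II censoring). `values` must be ordered by increasing time; with r = n this
    is an ordinary sum, which is the simulator-data case."""
    r = len(values)
    return sum(values) + (n - r) * values[-1]


def beta_step(beta, times, n=None):
    """One update of Eq. A.5 rearranged as
        1/beta_new = S*(t^beta ln t) / S*(t^beta) - (1/r) S(ln t),
    which is the step Appendix C tabulates (3.71 -> 3.7027 for the SLCS data)."""
    ts = sorted(times)
    r = len(ts)
    n = r if n is None else n
    logs = [math.log(t) for t in ts]
    tb = [t ** beta for t in ts]
    tbl = [a * b for a, b in zip(tb, logs)]
    return 1.0 / (censored_sum(tbl, n) / censored_sum(tb, n) - sum(logs) / r)


def weibull_mle(times, n=None, beta0=1.0, tol=1e-9, max_iter=500):
    """Iterate Eq. A.5 from an initial guess until beta settles, then evaluate
    Eq. A.4 for alpha. Returns (alpha, beta)."""
    ts = sorted(times)
    r = len(ts)
    n = r if n is None else n
    beta = beta0
    for _ in range(max_iter):
        new = beta_step(beta, ts, n)
        converged = abs(new - beta) < tol
        beta = new
        if converged:
            break
    alpha = (censored_sum([t ** beta for t in ts], n) / r) ** (1.0 / beta)
    return alpha, beta


def weibull_cdf(t, alpha, beta):
    """Eq. A.3."""
    return 1.0 - math.exp(-((t / alpha) ** beta))


if __name__ == "__main__":
    mu, sigma = lognormal_mle(MODE_SWITCH_MIN)
    print(f"mode switch lognormal: mu = {mu:.5f}, sigma = {sigma:.6f}")
    alpha, beta = weibull_mle(SLCS_TIMES_S, beta0=3.71)
    print(f"SLCS Weibull: alpha = {alpha:.2f}, beta = {beta:.3f}")
    # Complementary CDF: probability that SLCS is not initiated within 120 s.
    print(f"P(no SLCS by 120 s) = {1.0 - weibull_cdf(120, alpha, beta):.2e}")
```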

page 42

Appendix B

Calculation of Upper Bound Using the Method of Kanofsky & Srinivasan

An uncertainty analysis is included in the Susquehanna IPE. This uncertainty is characterized using the Lognormal distribution. The bound for the uncertainty can be described with the median and the error factor. The median is computed for the Lognormal as described in Appendix A. The error factor is estimated from the upper bound computed using the procedure developed by Kanofsky & Srinivasan. This procedure can be used to construct a lower confidence bound as well; however, it results in a lower bound that is inconsistent with the assumption of the Lognormal. The procedure is discussed in the referenced paper. It is applied to the 2 minute SLCS initiation case, for which an upper bound of 0.33 was computed. The confidence bounds are specified in terms of the cumulative distribution function, $\Phi(x, \mu, \sigma)$. The theoretical development of the procedure is provided in the cited text.

An operational description of the procedure is provided in this Appendix.

For a given sample size and confidence level, determine the percentile $l_\alpha$ of the Levy distance using Table 1 of Kanofsky & Srinivasan.

For a given value of $l_\alpha$, determine from Table 2 the values of $x_1$ and $x_2$ that adjust for the condition that $\bar{z} \neq 0$ and $s \neq 0$.

Determine bounds using the cumulative distribution $\Phi$ as defined in the following table, where $\sigma_1 = x_1/x_2$ and $\sigma_2 = 1/\sigma_1$.

Upper Bound

$x \le \bar{z} - x_2 s$: $\Phi(x, \bar{z}, \sigma_2 s)$

$\bar{z} - x_2 s < x < \bar{z} + x_1 s$: $\Phi(x, \bar{z}, s) + l_\alpha$

$x \ge \bar{z} + x_1 s$: $\Phi(x, \bar{z}, \sigma_1 s)$

Lower Bound

$x \le \bar{z} - x_1 s$: $\Phi(x, \bar{z}, \sigma_1 s)$

$\bar{z} - x_1 s < x < \bar{z} + x_2 s$: $\Phi(x, \bar{z}, s) - l_\alpha$

$x \ge \bar{z} + x_2 s$: $\Phi(x, \bar{z}, \sigma_2 s)$

For operator non-response probability, the upper bound is the complement of the lower bound and the lower bound is the complement of the upper bound.

This procedure is applied to the SLCS initiation case. The pertinent data are listed below:

the number of observations n = 6,

$\alpha$ = 0.9 (allows a 5% tail on upper and lower bounds).

The percentile $l_\alpha$ of L for n = 6 and $\alpha$ = 0.9 is obtained from Table 1: $l_\alpha$ = 0.31.

From Table 2, $x_1$ = 0.391 and $x_2$ = 1.783.

$\sigma_1 = x_1/x_2 = 0.391/1.783 = 0.219$

$\sigma_2 = 1/\sigma_1 = 1/0.219 = 4.56$

SLCS initiation at 2 minutes or 120 seconds, therefore ln(120) = 4.79.

$\bar{x}$ = 4.09, s = 0.349

$x = 4.79 > \bar{x} + x_2 s = 4.09 + 1.783(0.349) = 4.71$

Therefore the lower bound is computed using the normal distribution: $\Phi(x, \bar{x}, \sigma_2 s) = \Phi(4.79, 4.09, 4.56 \times 0.349) = \Phi(4.79, 4.09, 1.59) = 0.67$. The upper bound for the failure probability is just the complement of the lower bound.

Therefore the upper bound becomes 1 - 0.67 = 0.33.
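The Appendix B procedure as an added example in code (not part of the original calculation): the bound table above evaluated for the 2 minute SLCS case, with the Table 1 and Table 2 values (l = 0.31, x1 = 0.391, x2 = 1.783) and the lognormal fit (x̄ = 4.09, s = 0.349) taken from this appendix; the function names are this example's own.

```python
"""Added example: the Kanofsky & Srinivasan confidence band of Appendix B evaluated
numerically for the 2 minute SLCS initiation case. Function names are this example's own."""
import math


def phi(x, mean, sd):
    """Normal CDF Phi(x, mean, sd); with x = ln(t) this is the cumulative lognormal."""
    return 0.5 * (1.0 + math.erf((x - mean) / (sd * math.sqrt(2.0))))


def band(x, zbar, s, l_alpha, x1, x2):
    """Lower and upper bounds on the CDF at x, per the table in Appendix B.
    zbar, s: sample mean and standard deviation of ln(t); l_alpha: Levy-distance
    percentile (Table 1); x1, x2: Table 2 adjustments; sigma_1 = x1/x2, sigma_2 = 1/sigma_1."""
    sigma1 = x1 / x2
    sigma2 = 1.0 / sigma1
    # Upper bound: widened scale in the left tail, +l_alpha in the middle, tightened scale on the right.
    if x <= zbar - x2 * s:
        upper = phi(x, zbar, sigma2 * s)
    elif x < zbar + x1 * s:
        upper = min(1.0, phi(x, zbar, s) + l_alpha)  # clipped to a valid probability
    else:
        upper = phi(x, zbar, sigma1 * s)
    # Lower bound: mirror image of the upper bound.
    if x <= zbar - x1 * s:
        lower = phi(x, zbar, sigma1 * s)
    elif x < zbar + x2 * s:
        lower = max(0.0, phi(x, zbar, s) - l_alpha)
    else:
        lower = phi(x, zbar, sigma2 * s)
    return lower, upper


def nonresponse_bounds(t_seconds, zbar, s, l_alpha, x1, x2):
    """Bounds on the operator non-response probability 1 - F(t): the complements of the
    CDF bounds, swapped (lower CDF bound -> upper non-response bound and vice versa)."""
    lower_cdf, upper_cdf = band(math.log(t_seconds), zbar, s, l_alpha, x1, x2)
    return 1.0 - upper_cdf, 1.0 - lower_cdf


# Values quoted in Appendix B: n = 6, alpha = 0.9 (Tables 1 and 2 of the paper) and the
# lognormal fit of the SLCS initiation data (xbar = 4.09, s = 0.349).
SLCS_CASE = dict(zbar=4.09, s=0.349, l_alpha=0.31, x1=0.391, x2=1.783)

if __name__ == "__main__":
    lo, hi = nonresponse_bounds(120, **SLCS_CASE)
    print(f"P(SLCS not initiated within 120 s): lower = {lo:.3f}, upper = {hi:.2f}")
```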

Appendix C

Susquehanna Simulator Data Used in this Calculation

Susquehanna simulator data was used for the following events:

Manual Backup of Automatic Scram, Initiation of Suppression Pool Cooling, Initiation of Stand By Liquid Control, Feed Water Pump Runback.

This data is provided along with the results of the curve fit.

Manual Backup of Automatic Scram

One of the first operator actions following a trip condition is placing the mode switch in shutdown. Placing the mode switch in shutdown is a reactor trip condition and constitutes a backup to the automatic scram.

Scenario        Mode switch (s)    ATWS confirmed (s)
(13 simulator runs: 2/10 S2 G, 2/10 S2 B, 2/17 S4 G, 2/17 S3 B, 2/24 S4 G, 2/24 S4 B, 2/25 S3 G, 2/25 S2 B, 3/3 S4 B, 3/4 S3 G, 3/10 S4 G, 3/11 S2 G, 3/11 S3 B; the individual times are not legible in the scanned table)
mean            5.615385           8.153846
sigma           5.315676           4.845034

This data was fit to the Lognormal distribution using the procedure presented in Appendix A. The zero response time cases were withdrawn from the sample since the log of zero is not defined. The analysis is presented below.

ln(x)        ln(x)^2
-2.708050    7.333536
-2.484907    6.174761
-2.484907    6.174761
-2.484907    6.174761
-2.302585    5.301898
-2.014903    4.059834
-1.791759    3.210402
-1.529395    2.339050
-1.261131    1.590452
mean ln(x) = -2.118060, sum of ln(x)^2 = 42.35945

SSES fit: mu = -2.11806, sigma = 0.469495

Initiation of Suppression Pool Cooling

Suppression pool cooling is initiated after more immediate actions are carried out. The data are presented below:

Time (sec)   Time (min)   ln(t)       ln(t)^2     Scenario
60           1.0          0           0           2/24 S3 B
97           1.6          0.480366    0.230752    2/17 S4 B
114          1.9          0.641854    0.411976    1/20 S2 B
119          2.0          0.684779    0.468922    3/11 S2 G
130          2.2          0.773190    0.597823    2/24 S4 G
145          2.4          0.882389    0.778611    2/25 S2 B
225          3.8          1.321756    1.747039    2/25 S3 G
229          3.8          1.339377    1.793932    3/3 S4 B
305          5.1          1.625967    2.643769    3/4 S3 G
308          5.1          1.635755    2.675695    2/10 S2 G
374          6.2          1.829911    3.348575    3/10 S4 G
644          10.7         2.373354    5.632810    2/17 S3 B
660          11.0         2.397895    5.749902    3/11 S3 B
mean ln(t) = 1.229738, sum of ln(t)^2 = 26.07981

Initiation of Standby Liquid Control

The operator is instructed to initiate SLCS if the reactor power is greater than 5% with a valid scram signal present. This data was obtained after the cycle 92-06 test. This data represents the operator response to the latest direction on SLCS initiation.

Development of Weibull parameters (initial estimates beta = 3.71, alpha = 69.9):

Response time, t (sec)    32          45          61          70          80          90          Total: 378
t^beta                    383801.3    1359623     4203138     7003477.4   11493806    17792612    Sum: 42236458
ln(t)                     3.465736    3.806662    4.110874    4.248495    4.382027    4.499810    Sum: 24.5136
t^beta x ln(t)            1330154     5175625     17278572    29754240    50366163    80063368    Sum: 1.84E+08

Sum(t^beta ln t) / Sum(t^beta) = 4.355671
Sum(ln t) / n = 4.085601
Difference = 1/beta_new = 0.270071, so beta_new = 3.702736
t^beta_new                374259.8    1322543     4079484     6790646.4   11133712    17220441
alpha_new = 70.08209

Lognormal fit:

ln(t)        (ln(t))^2
3.465736     12.01133
3.839452     14.74139
4.110874     16.89928
4.248495     18.04971
4.382027     19.20216
4.499810     20.24829
Sum: 24.54639, 101.1522
sample standard deviation of ln(t) (n - 1 basis) = 0.382427
mu = 4.091066, sigma = 0.349107

Feed Water Pump Runback

The operators must run back feedwater during turbine trip ATWS events in order to avoid unstable operation. Data was taken from cycle 92-06 for feed water pump runback.

Development of Weibull parameters for feed water reduction failures (initial estimates beta = 4.53, alpha = 169):

Response time, t (sec)    90          130         137         180         190         210         Total: 937
t^beta                    7.12E+08    3.77E+09    4.78E+09    1.646E+10   2.1E+10     3.309E+10   Sum: 7.98E+10
ln(t)                     4.499810    4.867534    4.919981    5.192957    5.247024    5.347108    Sum: 30.07441
t^beta x ln(t)            3.21E+09    1.83E+10    2.35E+10    8.547E+10   1.1E+11     1.769E+11   Sum: 4.18E+11

Sum(t^beta ln t) / Sum(t^beta) = 5.233197
Sum(ln t) / n = 5.012402
Difference = 1/beta_new = 0.220795, so beta_new = 4.529083
t^beta_new                7.09E+08    3.75E+09    4.76E+09    1.638E+10   2.09E+10    3.292E+10
alpha_new = 171.7414

Lognormal fit, feed water runback:

ln(t)        (ln(t))^2
4.499810     20.24829
4.867534     23.69289
4.919981     24.20621
5.192957     26.96680
5.247024     27.53126
5.347108     28.59156
mean ln(t) = 5.012402, sum of (ln(t))^2 = 151.237
mu = 5.012402, sigma = 0.286343

References for Appendices

41. Statistical Models and Methods for Life Time Data, J. F. Lawless, John Wiley and Sons, 1982.

42. Methods for Statistical Analysis of Reliability and Life Data, N. R. Mann, R. E. Schafer, & N. D. Singpurwalla, John Wiley and Sons, 1974.

43. An Approach to the Construction of Parametric Confidence Bands on Cumulative Distribution Functions. Paul Kanofsky and R. Srinivasan, Biometrika (1972), 59, 3, p. 623.

44. Susquehanna Control Room Operator Performance Study: Data Compilation, PP&L Technical Report NPE-87-002, September 1987.