ML17180A881


Requests Addl Info Re 930128 Submittal of IPE for Plant, Units 2 & 3,in Accordance W/Gl 88-20
Site: Dresden
Issue date: 08/24/1994
From: Stang J
Office of Nuclear Reactor Regulation
To: Farrar D
COMMONWEALTH EDISON CO.
References
GL-88-20, TAC-M74405, TAC-M74406, NUDOCS 9408290171


Text

August 24, 1994

Docket Nos. 50-237 and 50-249

Mr. D. L. Farrar
Manager, Nuclear Regulatory Services
Commonwealth Edison Company
Executive Towers West III, Suite 500
1400 OPUS Place
Downers Grove, Illinois 60515

Dear Mr. Farrar:

SUBJECT: REQUEST FOR ADDITIONAL INFORMATION ON THE DRESDEN, UNITS 2 AND 3, INDIVIDUAL PLANT EXAMINATION (TAC NOS. M74405 AND M74406)

By letter dated January 28, 1993, you submitted your Individual Plant Examination (IPE) for Dresden, Units 2 and 3, in accordance with Generic Letter 88-20.

Additional information is required in order for the staff to complete its review.

We request that you provide a response to the enclosed Request for Additional Information (RAI) within sixty days from the date of this letter.

The reporting and/or recordkeeping requirements contained in this letter affect fewer than ten respondents; therefore, OMB clearance is not required under P.L. 96-511.

If you have any questions, please contact me at (301) 504-1345.

Sincerely,

original signed by Robert Capra for

John F. Stang, Project Manager
Project Directorate III-2
Division of Reactor Projects - III/IV
Office of Nuclear Reactor Regulation

Enclosure: Request for Additional Information

cc w/enclosure: See next page

DISTRIBUTION:
Docket File
PDIII-2 R/F
J. Zwolinski
J. Stang
C. Moore
ACRS (10)
NRC & LPDRs
J. Roe
R. Capra
E. Adensam
OGC
B. Clayton, RIII
C. Ader, RES
J. Flack, RES
E. Butcher
R. Hernan
R. Clark, RES

PM:PDIII-2 D:PDIII-2 JSTANG:lm RCAPRA DRIPE.LTR


Mr. D. L. Farrar
Commonwealth Edison Company

Dresden Nuclear Power Station
Unit Nos. 2 and 3

cc:

Michael I. Miller, Esquire
Sidley and Austin
One First National Plaza
Chicago, Illinois 60690

Mr. J. Eenigenburg
Station Manager, Unit 2
Dresden Nuclear Power Station
6500 North Dresden Road
Morris, Illinois 60450-9765

Mr. D. Bax
Station Manager, Unit 3
Dresden Nuclear Power Station
6500 North Dresden Road
Morris, Illinois 60450-9765

U. S. Nuclear Regulatory Commission
Resident Inspectors Office
Dresden Station
6500 North Dresden Road
Morris, Illinois 60450-9766

Regional Administrator
U. S. NRC, Region III
801 Warrenville Road
Lisle, Illinois 60532-4351

Illinois Department of Nuclear Safety
Office of Nuclear Facility Safety
1035 Outer Park Drive
Springfield, Illinois 62704

Chairman
Grundy County Board
Administration Building
1320 Union Street
Morris, Illinois 60450

ENCLOSURE

REQUEST FOR ADDITIONAL INFORMATION FOR DRESDEN INDIVIDUAL PLANT EXAMINATION

1. Two aspects of the Individual Plant Examination Plan (IPEP) methodology are not clearly explained in the submittal.

(a) The manner in which the methodology considers dependencies among events in the event trees. It appears that the event trees do not consistently use split fractions, since more than two branches were not developed for all events on the event trees. It also appears that fault tree linking was not used either. The submittal indicates that some nodes were dependent on other nodes which precede them on the plant response tree (PRT), and that for these nodes, conditional probabilities were calculated and used in place of fault trees top events. It is not clear how this approach rigorously accounts for dependencies among events in the PRTs. Please explain by way of examples.

(b) It is not clear what recovery means in the Individual Plant Examination (IPE). Is it taking credit for extra equipment or operator actions restoring equipment? It appears that recovery is included in the PRT models before initial calculations were performed instead of, as typically done, being applied to the dominant sequences. Please provide: (1) a clear definition of "recovery," and (2) describe the treatment of recovery.

2. All transient initiating events except loss of offsite power and loss of 125V DC power at one unit were modeled as a general transient. Please explain: (a) what plant specific initiating events comprise the general initiating event category, (b) how the event-specific effects of these initiating events on the availability of mitigating systems were considered in the models, and (c) elaborate on why loss of heating, ventilation and air conditioning (HVAC) and loss of instrument air were screened out as initiating events.

3. The submittal does not provide, unlike a typical probabilistic risk assessment (PRA)/IPE, a description of any event sequence for any PRT; this makes the review of the event trees very difficult. Please provide the descriptions of the event sequences for the general transient event tree.

4. The success criteria for a large loss-of-coolant accident (LOCA) indicates that one low pressure coolant injection (LPCI) can be used for mitigation and that one containment cooling service water (CCSW) pump is adequate for containment cooling. Please explain whether: (a) this is one LPCI pump or one LPCI train, (b) the success criteria for LPCI accounted for leakage at the jet pumps' slip and bolted joints, and (c) potential fouling conditions in the residual heat removal (RHR) heat exchanger(s) was considered in the quantification.

5. The submittal does not specify whether or not recirculation pump seal LOCAs were included in the small LOCA initiating event. Also, the submittal credits the isolation condenser for decay heat removal without considering the need for cooling the recirculation pump seals; without seal cooling, a LOCA can develop and disrupt natural circulation between the core and isolation condenser. Please discuss treatment of recirculation pump seal LOCA and the impact on the isolation condenser operation.

6. The submittal provides no detailed information on the quantification of interfacing system LOCAs as initiating events. Please discuss your treatment of interfacing systems LOCAs; including the sources of data used to quantify the probability of failure for components exposed to beyond design basis pressure.

7. The submittal does not address dual unit core damage. Dresden has three diesel generators, one of which is shared between the two units as a swing diesel, and either of the diesels can mitigate loss of offsite power at a unit. Station blackout at one unit increases the likelihood of station blackout at the other unit, due to the unavailability of the shared diesel generator. Please provide an estimate of the frequency of dual unit core damage.

8. The success criteria for core damage considers fuel temperature, but not peak cladding temperature (PCT). PCT is the limiting parameter for maintaining coolable geometry except for rapid overpower transients. Please explain: (a) why was PCT not considered in the criteria for core damage, (b) how can a coolable geometry be assured based on consideration of fuel temperature alone, and (c) what long-term collapsed core water level does the assumed core damage criteria correspond to?

9. The systems/sequences success criteria for preventing core damage have numerous differences from the success criteria used in other PRA/IPE studies of boiling water reactors (BWRs). Please respond to the following issues:

(a) The submittal states that reactor trip is not required following a large LOCA. The emergency core cooling system (ECCS) water is not borated. The following studies of BWRs required reactor trip following a large LOCA: WASH 1400, NUREG-1150 for Peach Bottom, NUREG-1150 for Grand Gulf, IPE for Browns Ferry, IPE for Fermi, and IPE for Perry. What is the justification for not requiring reactor trip?

(b) The submittal states that only one relief valve is required to depressurize so that LPCI or core spray (CS) can be used. Other PRA/IPEs assumed that more than one valve is required; for example, the NUREG-1150 study for Peach Bottom assumed that three are required. Please discuss any calculations that support this assumption.

(c) The submittal models include containment venting for the back-end analysis, but the front-end success criteria do not address containment venting. If the containment is vented with a hot suppression pool, adequate net positive suction head available (NPSHA) can be lost for ECCS pumps pulling from the suppression pool; this was the assumption in the NUREG-1150 analysis of Peach Bottom. Please explain how this aspect was addressed on the Dresden IPE.

(d) Credit is taken for supplying containment with water from the Standby Coolant System (SBCS) following a large LOCA if suppression pool cooling is lost. This system involves using feedwater to supply water to the containment from the condenser hotwell with the hotwell makeup supplied from service water. This preserves adequate NPSHA for the LPCI and CS pumps. Please: (1) discuss all support systems and operator actions required to implement this option, (2) provide sample calculations regarding time required and time available for the operator actions, and (3) explain how overfill of containment is avoided.

(e) Explain why the success criteria for a large LOCA do not address the need to close the recirculation discharge isolation valve in the intact recirculation loop to prevent loss of LPCI injected water out of the break.

(f) Explain why the success criteria for LOCAs do not address LOCAs outside containment, for example in steam and feedwater lines, and the need to isolate the breaks to prevent loss of suppression pool inventory from ECCS out of the break.

(g) Explain why the success criteria for anticipated transient without scram (ATWS) does not discuss operator action to inhibit depressurization to prevent reactivity increase due to the injection of large quantities of cold water.

(h) Explain why the success criteria indicate that if the core is cooled using feedwater, containment failure has no impact on the ability to maintain core cooling.

(i) Explain why the success criteria indicate that only one relief valve is required to open and close in response to any transient.

(j) Explain how the submittal modeled the requirements for cooling of electrical switchgear rooms, battery rooms, CCSW rooms, and the control room.

(k) Explain why containment cooling with spray was not considered in the success criteria for containment pressure/temperature control.

(l) The success criteria do not require containment cooling to support operation of high-pressure coolant injection (HPCI). Please discuss the impact of the loss of containment cooling on the operation of HPCI, considering pump/system temperature limits, NPSHA, and trip on high turbine back pressure.

(m) Provide the basis for the assumption that no safety or relief valves open during a station blackout, before operator action can establish cooling with the isolation condenser.

10. Discuss the impact of failure to isolate containment on the ability to maintain adequate ECCS pump NPSHA from the suppression pool. What is the effect of containment isolation on the ability to cool the recirculation pump seals?

11. The submittal uses the following modeling for an ATWS: OSL1 is operator action to use one of two standby liquid control (SLC) system pumps to borate, and the PRT indicates that if OSL1 is not successful, OSL2 can successfully provide boration, and OSL2 is operator action to use two of two SLC pumps. Please explain: (a) why are there two actions, (b) whether these actions are independent, and (c) how can two pumps be used if one pump is not used?

12. The common cause failure values used in the IPE are lower than those typically used in other IPE/PRAs. For example, the beta factor for failure of two motor-operated valves (MOVs) is a factor of 5 to 9 lower than the beta factor typically used, and the beta factor for diesel generators (DGs) is a factor of 10 lower than the beta factor typically used. Screening out common cause data for plant-specific applicability based on expert opinion may be optimistic because common cause events address classes of "unknown" events as opposed to specific events. Please provide the justification for screening out events and the subsequent low common cause factors used in the IPE.

13. The submittal screened out internal flooding as a contributor to core damage frequency. Please provide: (a) a description of the flood sources considered, (b) the locations of these sources, (c) the equipment failed as a direct result of the floods, and (d) the criteria used for screening out the floods.

14. Please identify the core damage frequency from the Success with Accident Management (SAM) accident sequences, and summarize the major actions that can be taken to prevent core damage in these sequences.

15. Please explain the involvement of Dresden plant operations and maintenance personnel in the development and review of the PRTs, and fault trees.

16. For loss of all AC power at one unit, credit is taken for supply of power by crosstie from the other unit via the 24-1 and 34-1 buses. Please describe: (a) how the crosstie is accomplished, and (b) what other actions must be taken to provide power to both units using one diesel generator dedicated to one unit if the swing diesel generator has failed and the dedicated diesel at one unit has failed.

17. Dresden is sensitive to the loss of DC power in one of its units. Are any procedural or design modifications under consideration to eliminate or reduce the frequency of this initiating event?

18. The last sentence, starting on page 4-88 and continuing on to the top of page 4-89 (and page 4-104), states: "If the [standby gas treatment system] SGTS flow capacity is not sufficient to control and maintain torus/drywell pressure below the primary containment pressure limit or the SGTS system fails, then venting is performed through the 18-inch vent dampers... to the [Augmented Primary Containment Vent] APCV system." (emphasis added)

This implies that the operators are instructed to vent through the SGTS until the SGTS fails and then the hardened vent path will be used. Is this interpretation correct?

(a) If not, please explain how the emergency operating procedures (EOPs) instruct the operators to use the various venting paths.

(b) If it is correct, please provide a description of the effects of the SGTS failure on equipment needed to mitigate the accident scenarios and personnel access.

(c) Given that the status of the SGTS is a decision point for the operators and use of the SGTS may result in its failure, provide the rationale for not including the PRT branch points for: (1) operator switching from the SGTS to the APCV, and (2) hardware operability of the switch over operation.

19. Page 1-12 states that "the wetwell or drywell may be vented through either the Standby Gas Treatment... system or directly to the 310 foot chimney through the 10-inch "hardened" vent." (emphasis added)

Section 4.2.1.14 on page 4-90 states venting with the APCV system "is performed through the 18-inch vent dampers" and that "the exhaust duct ultimately vents directly to the main chimney." (emphasis added)

(The drawings provided (Figures 4.2.1.14-1 through -3, 4.3-6, and 4.3-6a and b) do not clarify the issues.)

(a) Is the APCV line(s) hardened (i.e., a pipe) from the drywell and wetwell to the chimney, i.e., no ductwork anywhere between the primary containment and the chimney? (Note: Figure 4.3-6b (page 4-107) shows a line entering the "Radwaste Ventilation Duct" upstream of the main chimney.)

If it contains ductwork:

(1) Where is this ductwork?

(2) If this ductwork fails, what is the effect(s) on accident recovery with respect to equipment and personnel?

(b) What is the size of the hardened vent line, 10- or 18-inches? There are no line sizes or duct/pipe identifications on the APCV system figures.

20. Page 4-104 states that "The APCV or hardened vent is not presently installed at Dresden, but for the purpose of the IPE the hardened vent was assumed operational." When will it be installed? How much credit had been taken for the hardened vent (i.e., reduction in core damage) and other venting strategies?

21. The "large LOCA Tree 3, LPI Failure," (Volume 2, no page number provided) indicates that: (a) the wetwell will not be vented if either the operator action to flood containment fails or equipment failure prevents flooding of containment, and (b) the 2 inch drywell vent will be used before the 10 inch wetwell vent (this is common to all PRTs).

Provide the rationale for not venting the wetwell when the drywell has not been flooded.

Provide the rationale for not using the 10 inch wetwell vent before using the 2 inch drywell vent, given that any use of a drywell vent will increase the release of radioactivity over the use of wetwell vent.

22. There is no discussion of the conditional probability of the different failure locations. Given total core damage, what is the total conditional probability of: (a) drywell failure (total, structural, and liner melt through), (b) wetwell failure, (c) containment bypass, (d) vent line bellows failure, and (e) intact containment?

23. Pages 4-119 and 4-120 discuss the "Unlikely Failure Modes," one of which being "Containment Isolation Failure." The IPE correctly defines what constitutes a containment isolation failure; in particular type 2 which is "[a] fluid line, which has isolation valves which are required to be closed on an isolation signal, but fails to close." However, the rationale for considering containment isolation failures as unlikely is stated as follows:

"The reason for this is that the containment, during normal operations, is always inerted. In order for the containment to be inert, the containment has to be isolated. Therefore, there are no systems which have to isolate upon initiation of a severe accident event. Consequently, there were no containment isolation failures identified in the Dresden IPE."

This does not justify why the likelihood of a Type 2 containment isolation failure is low. Provide either: (a) a quantitative or qualitative discussion justifying why the likelihood of the Type 2 containment isolation failure is low, or (b) the results of revised PRT analyses with the Type 2 containment isolation failure as the node decision point in the containment event portion of the PRTs, as discussed in Generic Letter 88-20, Appendix 1, page 1-2, last paragraph.

24. Page 4-242 states that the diesel driven isolation condenser make up water pump has not been installed. When will it be installed? How much credit had been taken in the IPE, i.e., reduction in Core Damage Frequency (CDF)?

25. Page 1-1 states that the Dresden EOPs are based on the Boiling Water Reactor Owners' Group (BWROG) symptom-based guidance. Please specify which revision of the BWROG emergency procedure guidelines (EPGs) were used as the basis for the Dresden EOPs.

26. Provide a discussion of the benefits of containment flooding as specified in Revision 4 of the EPGs. This discussion should include timing of flooding with respect to commencement of core relocation, probability of reactor vessel failure, source terms, and whether this procedure has been incorporated into the Dresden EOPs. Had the fire protection system been considered for tie-in and flooding of containment per CPI recommendation? Please provide your disposition of this potential safety enhancement.

27. to Generic Letter 88-20, Supplement 1, identifies one of the potential containment performance improvements, as improving the reliability of the reactor pressure vessel depressurization system. Please provide a quantitative discussion of the benefit of improving the reliability of the reactor vessel depressurization system at Dresden, and disposition as a potential safety enhancement.

28. The ability of one unit to take advantage of the other unit's mitigating capabilities is noted in the submittal. To what extent did the IPE take credit for this ability?

29. No node exists in the PRTs to address drywell coolers. How were these coolers addressed in the IPE?

30. The statement is made on page 1-4 that "The models developed in the IPE represent with minor exceptions the as-built, as-operated Dresden Station, as of a data cut-off in January 1991." (emphasis added) Please discuss the significance of the exceptions in the context of the IPE.

31. Page 1-22 implies that the conditional probability of an intact containment (i.e., no containment venting or failure) is 11.3% while Table 7.1-3 shows a probability of 0.3%. Is the value in Table 7.1-3 a typographical error? If not, please explain the difference.

32. Given core damage, the IPE submittal indicates that the conditional containment failure timing probabilities are 3.0% early, 84.2% vented and late, 1.5% late (not vented), and 11.3% intact. However, Table 4.1.3-2 (page 4-24) indicates that core damage timing is divided into three time periods: early, intermediate, and late. Please provide the conditional containment failure timing probabilities showing the intermediate timing probability.

33. Table 4.5.6-1 on page 4-205 indicates that "drywell (DW) liner is unlikely to melt through if there is water on the floor, but more likely if the DW floor is dry."

(a) What is the probability of liner melt through for dry sequences?

(b) What fraction of the core damage frequency was composed of sequences that involve a dry containment floor?

34. Section 4.7 indicates that 130 insights were obtained from the IPE.

(a) Which, if any, of the insights are relevant to the containment systems and post-core damage phase of severe accidents?

(b) Have any of the identified insights been used as a part of the EOPs?

(c) Provide a summary of the insights (and their use in the EOPs, if any) for drywell flooding, interfacing systems loss-of-coolant accident (ISLOCA), NRC strategies, and containment performance (as grouped on page 4-258).

35. Commonwealth Edison Company has decided not to pursue the external vessel cooling strategy (Section 5.3.2 on page 5-11). What risk benefit model was used to justify the exclusion of this strategy? Address the observation that, given that a large percentage of the core damage sequences result in vessel breach and containment failure, there could be sufficient justification in pursuing accident management strategies that would prevent vessel breach.

Given core damage, what is the conditional probability of vessel breach? Discuss any mitigation actions credited that would prevent vessel breach given core damage.

36. Section 4.3.3.2 lists and discusses a number of "unlikely" containment failure modes.

(a) Why was the possibility of hydrogen combustion within the reactor building not considered as part of the IPE?

(b) A number of parameters are listed that impact containment pressurization during a direct containment heating (DCH) event on page 4-117.

(1) What fraction of the core damage frequency involve vessel breach at high pressure?

(2) Why is the uncertainty associated with these parameters not considered on containment pressurization?

(3) What plant-specific analyses were performed to determine that DCH was not a potential early containment failure mode?

(4) The statement is made on page 4-117 that "the most significant means of preventing DCH" is the use of the automatic depressurization system (ADS). However, for different sequences, the ADS may not be available. What is the probability of ADS failure?

(c) Page 4-118 indicates that ex-vessel steam explosions are not a threat to containment integrity.

(1) What is the basis for this conclusion?

(2) Were any plant-specific analyses performed to arrive at this position?

(3) What is the impulse capacity of the pedestal wall and the drywell structures?

(d) Page 4-118 indicates that core-concrete interaction (CCI) can be ruled out as a threat to containment failure.

(1) Describe in detail the analyses performed to arrive at this conclusion.

(2) Was the uncertainty in the debris coolability by overlying pool of water taken into account in these models?

(3) Were the effects of non-condensible gas generation taken into account in these models?

(e) Why were breaks outside of containment sequences not considered as possible bypass sequences?

37. In the evaluation of source terms for the various accident sequences, what were the decontamination factors used for the suppression pool under saturated and subcooled conditions?

38. Was credit taken for retention of fission products within the reactor building? If so, please discuss the source of reduction and amount.

39. What is the contribution of revaporization to the reported release fractions for volatile species?

40. Was the probability of safety relief valve tail pipe vacuum breaker valve failures considered? How was this issue treated in the IPE?

41. Human errors that occur during routine operations, for example, during calibration or restoration of equipment after test or maintenance, are called pre-initiator human events. These types of errors may leave a system in undetected disabled state and, therefore, unavailable at demand. In many PRAs such errors were found to be significant. The submittal does not provide a discussion for these types of events. Table 4.4.2-2, however, lists at least one pre-initiator, "Failure to restore Unit 1 diesel fire pump following test or maintenance" which indicates that some pre-initiator human error analysis was performed. Please:

(a) Provide a brief and concise discussion of how pre-initiator events important to system and component unavailability were identified.

(1) Include a description of the reviews on the test, maintenance and calibration procedures performed for the systems and components modeled.

(2) Include a description of discussions held with appropriate plant personnel from the maintenance, training, and operations departments on the interpretation and implementation of the plant's test, maintenance and calibration procedures.

(3) Include descriptions of actual test, maintenance, or calibration activity observations performed in order to better evaluate how existing error control procedures may impact the availability of the system(s) (or component(s)) on which these activities are performed.

(b) Provide a brief discussion of the quantitative or qualitative screening process that might have been used in order to identify the most significant pre-initiator human errors.

(c) Provide the list of pre-initiator-type errors that were finally modeled (usually on the fault trees) and quantified and provide examples of their quantification process.

42. Provide examples demonstrating how dependencies associated with pre-initiator human errors were addressed and treated in the IPE to assure that important accident sequences were not eliminated. These dependencies could, for example, affect the availability of many safety systems simultaneously, or could affect the availability of only a certain class of systems (e.g., complete dependence may be assumed for miscalibration of all reactor water level sensors). Dependencies are identified through the examination of factors such as:

  • plant conditions (e.g., poor lighting)
  • human engineering (e.g., labels, accessibility etc.)
  • performance by same crew, same time
  • adequacy of training
  • adequacy of procedures
  • interviews with training, operations and various crews

43. Human actions that are needed during an abnormal event for mitigation are called post-initiator human events. These events involve failure to properly respond to an abnormal event by either not performing the required activities as directed by the plant's procedures (e.g., EOPs), or not recognizing the critical faults and taking proper action. Post-initiator human events can be further distinguished as:

  • Response type actions, those human actions performed in response to the first level directive of the EOPs. For example, suppose the EOP directive instructs the operator to determine reactor water level status, and another directive instructs the operator to maintain reactor water level with system x. These actions - reading instrumentation to determine level and actuating system x to maintain level - are response type actions.

  • Recovery type actions, those performed to recover a specific failure or fault. For example, suppose system x failed to function and the operator attempts to recover it. This action - diagnosing the failure and then deciding on a course of action to "recover" the failed system - is a recovery type action.

Section 4.4.2.1.2 of the submittal states that "For [Dresden Emergency Operating Procedure] DEOP actions which do not explicitly provide direction to the operator, it is assumed that the operator is acting from memory. Therefore, it is assumed that the operator will respond to the requirements of the DEOPs based upon how they have practiced the evolutions during training. For this reason, the Job Performance Measures (JPM) procedures were utilized instead of the operating procedures for these types of actions."

(a) Of the actions in Tables 4.4.2-1 and 4.4.2-2 please indicate:

(1) Which can be characterized according to the above terminology as response-type and which can be characterized as recovery-type?

(2) Which have JPMs and which do not have JPMs?

(3) For those actions for which JPMs exist, please provide an example demonstrating how the JPM was used for modeling the errors and discuss how Dresden's use of JPMs, in lieu of plant emergency and operating procedures, assured that potentially significant human actions or steps within an action were not overlooked.

(4) For those that JPMs do not exist, please discuss how operator response was modeled and provide an example illustrating the process.

(5) Provide a brief and concise description of discussions that were held with appropriate plant personnel (e.g., operators, shift supervisors, and training) during Phase 1 of the Human Reliability Analysis (HRA) regarding the interpretation and implementation of plant procedures (or JPMs) in order to identify important actions to be modeled as well as critical steps within an action, and to understand exactly how specific components are manipulated when responding to an accident sequence. Such discussions would assure an accurate representation of operator response into the plant model. They would also serve as a vehicle to improve the knowledge of operations staff on important aspects of their performance during an abnormal event.

44. Section 4.4.2.1.2 of the submittal indicates that there are two parts of post-initiator operator actions: (a) detection, diagnosis, and decision, and (b) action execution.

The submittal states that the human error probabilities (HEPs) for two types of actions were taken from the "appropriate tables" in Chapter 20 of THERP (NUREG/CR-1278).

Please:

(1) Identify the exact Tables used and provide examples of the assigned HEP values for each of the two parts of post-initiator operator actions.

(2) Provide examples of HRA trees used to analyze human actions involving the two parts of operator actions.

(3) For each of the examples, discuss the underlying assumptions and plant-specific assessments used for assigning these values.

(4) Provide examples to demonstrate how the probabilities for the two parts (a) detection, diagnosis, and decision, and (b) execution were combined to provide the final estimate for the HEP.

45. Section 4.4.2.1.1 seems to distinguish between two types of post-initiator operator "action executions": tasks performed from memory ("memorized") and tasks performed following procedures ("proceduralized").

The IPE states that time available for operator response was determined from Modular Accident Analysis Program (MAAP) results and that the DEOPs are in a flow-chart format and provide very general guidance for the operators. Therefore, the line-up of systems directed by the QGAs is accomplished from memory by the operators, without initial reliance on procedures.

However, the operators are expected to consult with the procedures as time permits. This represents a recovery opportunity which is dependent upon enough time being available and is included in the "slack time" recovery.

In addition, Section 4.4.2.1.2 notes that a "slack time" recovery factor is applied to actions that are to take place greater than an hour after the initiating event.

"Slack time" refers to the amount of time available to the operator over and above that necessary to diagnose and perform the action.

However, no information is provided in the submittal regarding the evaluation of the expected time needed for operators to complete actions. Please:

(a) For each of the 19 operator actions listed in Table 4.4.2-1 and actions in Table 4.4.2-2, identify which actions are expected to be performed from memory and which are performed following procedures.

(b) For those identified as "proceduralized," please provide the basis for:

(1) how the time needed for preceding activities was taken into account for determining these actions as non-time critical, (2) the underlying hypotheses for MAAP time calculations, and (3) explain whether MAAP estimations were further confirmed by the input of plant operations personnel and actual time measurements (through simulator or walk throughs).

(c) For those identified as "memorized," explain:

(1) how "slack time," i.e., time available minus time needed, was determined for a specific action performed under different accident conditions, (2) how the time needed for preceding activities was taken into account, (3) how the time for detection, diagnosis and decision was differentiated from time for execution, and (4) the underlying hypotheses for MAAP time calculations and explain whether MAAP estimations were further confirmed by the input of plant operations personnel and actual time measurements (through simulator or walk throughs).

(d) Provide both time available and time needed for each "memorized" action in Tables 4.4.2-1 and 4.4.2-2.

(e) Provide examples of the quantification process of "memorized" tasks clearly indicating how the operator performing from memory can recover due to "slack time" and how the final mean value was assigned.

(f) Explain by way of example(s) how the quantification of actions that are to take place greater than an hour after the initiating event differs from the quantification of "proceduralized" actions.

46. Section 4.4.2.1 of the submittal states that in order to take credit for operator recovery from an error by an independent cue (a procedure check, an alarm, or other persons checking), the nominal HEPs were modified by factors taken from THERP Table 20-22 (3) "checking that involves special short term one-of-a kind checking with alerting factors." The staff was not able to identify Table 20-22 (3) in THERP (NUREG/CR-1278).

Item (3) of Table 20-22, "Estimated Probabilities that a checker will fail to detect errors made by others," refers to recovery due to "special short term one-of-a kind checking with alerting factors." This Table is also appropriate for errors associated with pre-initiator error quantification. Further, it appears that the equations from Table 20-17 were used for error detection rather than values from Table 20-22.

Please explain.

47. In order to account for the effects of stress, the nominal HEPs were modified by stress factors (of 1, 2, or 5) taken from THERP Table 20-16 (NUREG/CR-1278).

As indicated in THERP (NUREG/CR-1278), however, the values extracted from this Table are the factors suggested for the quantification of errors associated with "routine," (pre-initiator) activities rather than values suggested for "dynamic" tasks such as the tasks during a post-initiator event. Thus, the IPE used modifiers for stress by, at most, a factor of 5 although THERP suggests the use of an HEP of 0.25 for tasks performed under "extreme high stress." Please explain.

48. Section 4.4.2.1.1 of the submittal states that a "slack time" recovery factor of .21 was applied for actions that take place greater than an hour after the initiating event.

Recoveries of this type include the Shift Control Room Engineer (SCRE) becoming available to focus on the event in progress.

For the first hour into the accident, only "identifiable recovery opportunities" are credited.

The non-recovery probabilities associated with these recovery opportunities are taken from the "appropriate" table in NUREG/CR-1278.

Please:

(a) Identify the THERP table used for the "identifiable recovery opportunities."

(b) Provide examples and discuss how recovery factors were combined; was recovery applied on each individual subtask or was it applied after an initial quantification of the action?

(c) It appears that if an action is to be executed "one hour" into the accident, a recovery factor of .21 was applied.

It is not clear how this recovery was applied with regards to time available and time required considerations.

The simple fact that an action will be needed "one hour into the accident," does not justify recovery credit, unless time and other considerations were explicitly examined.

Please explain by way of examples.

(d) For the actions of Table 4.4.2-1 identify which recovery factors were applied.

(e) Briefly discuss whether the two types of recovery opportunities (identifiable recovery opportunities occurring within the first hour vs. "slack time" recovery opportunities occurring after the first hour) are considered to be independent of each other.

49. Section 4.4.2.1 states that a "decision tree" was used to assign dependency levels between PRT nodes.

The submittal also states that the formulae for conditional probability of a task "n," given failure of previous task "n-1" for each level of dependence, as presented in Table 20-17 of NUREG/CR-1278, were utilized to appropriately modify the HEP for any given operator action or subtask.

Please:

(a) Provide a copy of the decision tree and provide examples explaining its use in the Quad Cities HRA.

(b) Provide examples of the application of Table 20-17 of the THERP handbook to evaluate dependencies among subtasks within a single operator action.

(c) Clearly indicate how levels of dependency were assessed.
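The following is an added illustration, not part of the NRC letter or the Dresden submittal, of the Table 20-17 dependence equations named in questions 46 and 49, applied to an action followed by a check that may fail to catch the error. The function names and the HEP values are constructed for the example and do not come from Tables 4.4.2-1 or 4.4.2-2.

```python
# Added illustration (not from the submittal or the NRC letter).
# THERP (NUREG/CR-1278) Table 20-17: conditional probability of failure on
# task n, given failure on task n-1, for each level of dependence.
# The argument n is the basic (independent) HEP of task n.
DEPENDENCE_EQUATIONS = {
    "ZD": lambda n: n,                  # zero dependence
    "LD": lambda n: (1 + 19 * n) / 20,  # low dependence
    "MD": lambda n: (1 + 6 * n) / 7,    # moderate dependence
    "HD": lambda n: (1 + n) / 2,        # high dependence
    "CD": lambda n: 1.0,                # complete dependence
}


def conditional_hep(basic_hep, level):
    """HEP of task n given that task n-1 failed, at the stated dependence level."""
    if not 0.0 <= basic_hep <= 1.0:
        raise ValueError("basic HEP must be a probability")
    if level not in DEPENDENCE_EQUATIONS:
        raise ValueError(f"unknown dependence level: {level!r}")
    return DEPENDENCE_EQUATIONS[level](basic_hep)


def unrecovered_error(action_hep, checker_basic_hep, level):
    """Probability that the action fails AND the check also fails to catch it."""
    return action_hep * conditional_hep(checker_basic_hep, level)


def sensitivity(action_hep, checker_basic_hep):
    """Unrecovered-error probability for every dependence level, with its
    ratio to the zero-dependence result (the most optimistic assumption)."""
    baseline = unrecovered_error(action_hep, checker_basic_hep, "ZD")
    result = {}
    for level in DEPENDENCE_EQUATIONS:
        p = unrecovered_error(action_hep, checker_basic_hep, level)
        result[level] = (p, p / baseline)
    return result


if __name__ == "__main__":
    # Constructed values for illustration only: action HEP 3E-03,
    # checker's basic failure probability 0.1.
    for level, (p, ratio) in sensitivity(3e-3, 0.1).items():
        print(f"{level}: unrecovered = {p:.2e}  ({ratio:.1f}x zero dependence)")
```

With these constructed inputs the credited recovery shrinks from a factor of 10 at zero dependence to less than a factor of 2 at high dependence, which is why the assessed dependence level has to be justified for each pair of subtasks.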

50. Table 4.4.2-1 provides mean HEPs for numerous cases of operator actions.

However, the submittal does not contain descriptions of these cases in order to understand how the cases differ.

For example, what is the difference between the two cases of operator action OAT "operator action to initiate Alternate Rod Insertion," that would result in the mean HEP that differs by two orders of magnitude?

For the top ten operator actions listed in Table 4.4.2-1:

(a) Provide the event descriptions for each case, clearly indicating how stress, dependency and recovery factors were addressed.

(b) Provide examples of the quantification process for each of the top ten operator actions.

51. Table 4.4.2-2 indicates that the mean HEP for "operator fails to initiate core spray following failure of automatic initiation" is 1.0. However, in the Quad Cities IPE submittal, this operator action is given a mean HEP of 7.5E-03. This seems to be a large difference in HEP values for two very similar plants. Please provide the quantification and event description for this operator action.

52. Table 4.4.2-1 lists a mean HEP of 5.1E-02 for ORP "Operator manually initiates recirculation pump trip." Operator action OSPC "Operator action to align for suppression pool cooling," however, lists several HEPs, for example, 2.1E-03 for case 4 and 6.6E-04 for case 7.

Please discuss why lower HEPs are found for a relatively complicated operator action such as OSPC as compared to the much less complicated action, ORP.

53. The IPE submittal states that, "There were no accident sequences that dropped below the core damage frequency criteria because the frequency had been reduced by more than an order of magnitude by credit taken for human recovery actions not defined in the Dresden emergency procedures."

NUREG-1335, Section 2.1.6, item 5, states "In addition to sequences reported under the screening criteria, any sequence that drops below the core damage frequency criteria because the frequency has been reduced by more than an order of magnitude by credit taken for human recovery action should be discussed."

NUREG-1335, then, applies to all actions, not just those that are non-proceduralized.

Please:

(a) discuss whether credit for any proceduralized or non-proceduralized human recovery action resulted in a sequence being reduced by more than an order of magnitude to a value below the screening criteria, and (b) identify and briefly discuss any sequence that was reduced to below the screening criteria because of this credit.