ML17331B369
| ML17331B369 | |
| Person / Time | |
|---|---|
| Site: | Cook  |
| Issue date: | 04/25/1994 |
| From: | Fitzpatrick E INDIANA MICHIGAN POWER CO. (FORMERLY INDIANA & MICHIG |
| To: | Russell W NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM) |
| References | |
| AEP:NRC:1082J, NUDOCS 9405090139 | |
| Download: ML17331B369 (18) | |
Text
ACCELERATED DI UTION DEMONSTPATION SYSTEM REGULATORY INFORMATION DISTRIBUTION SYSTEM (RIDS)
ACCESSION NBR:9405090139 DOC.DATE: 94/04/25 NOTARIZED: NO DOCKET FACIL:50-315 Donald C.
Cook Nuclear Power Plant, Unit 1, Indiana M
05000315 50-316 Donald C.
Cook Nuclear Power Plant, Unit 2, Indiana M
05000316 AUTH.NAME AUTHOR AFFILIATION FITZPATRICK,E.
(formerly Indiana 6 Michigan Ele RECIP.NAME RECIPIENT AFFILIATION RUSSELL,W.T.
Document Control Branch (Document Control Desk)
SUBJECT:
Responds to request for addi info re human reliability analysis for Donald C Cook Nuclear Plant individual plant exam.
DISTRIBUTION CODE A011D COPIES RECEIVED:LTR ENCL SIZE:
TITLE: Generic Ltr 88-20 re Individual Plant E aluations NOTES:
D RECIPIENT ID CODE/NAME PD3-1 PD INTERNAL: ACRS HOUSTON,M NRR/DORS/OEAB NRR/DRPE/PD1-4 NRR DSSA SPSB LE 01 S/SAIB RGN 2
RGN 4
EXTERNAL: NRC PDR COPIES LTTR ENCL 1
1 1
1 1
1 1
1 1
1 1
1 3
3 1
1 1
1 1
1 RECIPIENT ID CODE/NAME HICKMAN,J AEOD/DSP/TPAB NRR/DORS/OTS B NRR/DRPW NRR/OGCB RES/DSIR/SAIB/B RGN 1
RGN 3
NSIC COPIES LTTR ENCL 1
1 1
1 1
1 1
1 1
1 7
7 1
1 1
1 1
1 D
D D
NOTE TO ALL"RIDS" RECIPIENTS:
PLEASE HELP US TO REDUCE WAS'ONTACI'HEDOCUMENT CONTROL DESK, ROOM Pl-37 (EXT. 20079) TO ELIMINATEYOUR NAiVlEFROiVI DISTRIBUTION LISTS FOR DOCUMENTS YOU DON'T NEED!
TOTAL NUMBER OF COPIES REQUIRED:
LTTR 27 ENCL 27 D
D
Indiana Michigan Power Company P.O. Box 16631 Cofumbus, OH 43216 N
AEP'NRC'1082J Donald C.
Cook Nuclear Plant Units 1 and 2
Docket Nos.
50-315 and 50-316 License Nos.
DPR-58 and DPR-74 INDIVIDUALPLANT EXAMINATION
RESPONSE
TO NRC REQUEST FOR ADDITIONALINFORMATION U.
S. Nuclear Regulatory Commission Document Control Desk Washington, D.
C.
20555 Attn: W. T. Russell April 25, 1994
Dear Mr. Russell:
In meetings with NRC staff on February 23 and 24,
- 1994, the NRC verbally requested additional information concerning the human reliability analysis for Donald C.
Cook Nuclear Plant individual plant examination.
This request was subsequently documented in a telecopy from J.
B. Hickman, dated March 10, 1994.
The additional information is provided in Attachment 1.
During your recent detailed review of the human reliability
- analysis, several differences between the AEPSC human reliability analysis methods and those described in "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications" (NUREG/CR-1278) were noted.
Although the current AEPSC methods were based on NUREG/CR-1278, some modifications were considered by AEPSC to be appropriate in order to account for current plant procedures and training, as well as to provide a
consistent documentation format.
Our review
- does, however, indicate that some of these modifications are not consistent in all respects with current industry practice.
The impact,and resolution of these inconsistencies are addressed below.
The sensitivities performed on the human reliability analysis portion of the individual plant examination, as described in Attachment 1,
showed that significant changes to the human error probabilities did not impact the ability of the individual plant examination to identify severe accident vulnerabilities.
Thus, in spite of differences in our analysis methodology, AEPSC has concluded that the current human reliability analysis is sufficient to meet the requirement of GL 88-20 to identify severe accident vulnerabilities.
- Further, since the same systems and components 9405090i39
'F40425 PDR ADOCK 050003i5 PDR
W. T. Russell AEP:NRC:1082J were found to be significant for a wide range of human action error rates, it is also concluded that the individual plant examination adequately evaluates the relative risk contribution of these systems and components.
It is noteworthy that most of the individual plant examination implementation programs only use this relative risk ranking.
Given the findings of the sensitivity analyses described in Attachment 1,
AEPSC plans to utilize its individual plant examination in the future for both internal risk prioritization (e.g.
maintenance rule support) and in support of submissions to the NRC.
In order to address the state-of-the-art in human reliability analyses methodologies,
- however, AEPSC is planning to revise the human reliability portion of its analysis at the next revision of the individual plant examination. Details of our intent in this regard are provided in Attachment 2.
Any submissions made to the NRC in the interim utilizing the current analysis will include an evaluation of the impact of the human reliability analysis.
Sincerely, p E.
E. Fitzpatrick
~
~
Vice President dr Attachments CC:
A. A. Blind G. Charnoff J.
B. Martin - Region III NFEM Section Chief NRC Resident Inspector J.
R. Padgett
ATTACHMENT 1 TO AEP:NRC:1082J
Response
to NRC Request for Additional Information on Human Reliability Analysis for Donald C.
Cook Nuclear Plant Individual Plant Examination
Attachment 1 to AEP:NRC:1082J t
Page 1
ADDITIONALINFORMATION RE UEST NO 1
Provide us with the results of the two sensitivity studies where the core damage frequency was requantified by (1) increasing those human error probabilities (HEPs)
(1E-3 to lE-3, and (2),increasing the HEPs by a factor of 10.
The results we wish to see include the following:
Changes to the accident sequences, were any dominant accident sequence truncated or did any new dominant accident sequences appear2 Changes to the dominant contributors, did any contributors disappear and did any new contributors appear?
Contributors could include hardware equipment failures, etc., not just: human events.
V Did the relative ranking or relative contribution of accident sequences and contributors change2 Only interested in significant changes (not, for example, from 10 to 15%).
Changes to the core damage frequency.
RESPONSE
/
To study the sensitivity of the Cook Nuclear Plant Individual Plant Examination analysis to the human reliability portion of the analysis, studies were undertaken which increased important human error probabilities.
The results were then reviewed to see if components or human actions which would significantly contribute to the core damage frequency and were not previously identified as significant would be found.
These contributors can be viewed as vulnerabilities to severe accidents, and the identification of such vulnerabilities was a goal of Generic Letter 88-20.
For thoroughness, this review was completed to identify components or human actions whose failure contributed a
frequency of 1.E-6/year or greater to the core damage frequency, which is less. than two percent of the basic core damage frequency of 6.26E-5/year.
This type of. assessment of the significance of contributors is termed risk reduction importance.
Although a specific numerical criteria for significance was not used in the Cook Nuclear Plant Individual Plant Examination, contributors of less than two percent were not considered significant. Since an absolute number for the determination of dominant contributors was used, contributors do not disappear from the rankings in these sensitivity studies.
Similarly, only accident sequences that contributed a frequency of more than 1.E-6/year to the core damage frequency were reviewed for changes in this sensitivity analysis.
With an absolute cutoff, accident sequences do not disappear from this sensitivity analysis.
Attachment 1 to AEP:NRC:1082J Page 2
esults of First Sensitivit Stud 'rder of Ma nitude Increase For this sensitivity, three separate analyses were performed in order to clearly determine the impact of the changes.
One analysis was performed for each of the two highest human error contributors to core damage frequency, and one analysis was performed for the combined effect of a set of seven of the next highest contributors whose individual impact exceeded a risk reduction importance.of 0.1%.
The operator action to trip the reactor coolant pumps after the loss of reactor coolant pump seal cooling is the most important human action contributor to core damage.
The assumption behind the action failure was that, if reactor coolant pump seal cooling was lost (through a loss of either the component cooling water or essential service water support systems) and the operators failed to trip the reactor coolant pumps quickly, then the seals would be destroyed.
Reactor coolant pump seal leakage would significantly increase and core damage would ensue aEter enough reactor inventory was lost.
This was assumed to be an unrecoverable failure.
This effect is more pronounced in the loss of component cooling water event since the initiating event frequency is higher.
than that for the loss of essential service water event.
The initial human error failure rate was 1.3E-02.
In the first sensitivity examination, this value was increased one order of magnitude to reflect an increase in human error.
Raising the value had a large effect on core damage frequency, raising it by a factor of over 2.5 to 1.69E-04/year.
The risk reduction importance and the accident sequence rankings were compared with the base case.
As would be expected with this significant of a change, the contribution of the failure to trip the reactor coolant pumps increased significantly in both absolute magnitude and relative ranking.
Since this seal failure is considered to be an unrecoverable failure for both of the accident initiating events, the risk reduction importance ranking of both of those initiating events increased significantly in relative position and by an order of magnitude in absolute terms.
Otherwise, no other dominant contributors changed significantly in rank or absolute contribution.
In the second sensitivity, the operator action to refill the condensate storage tank after the condensate storage tank would have been drained while combating an accident was examined.
When the auxiliary feedwater system was modeled, the condensate storage tank was conservatively assumed to be required for the full 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> modeled duration of an accident while the tank was assumed to initially be at its minimum level.
The minimum level in the condensate storage tank required by Technical Specifications provides only nine hours oE cooling water to the steam generators in hot standby.
The human failure probability for this action was raised by one order of magnitude to study the impact of increased human error.
The core=
damage frequency increased by 15$.
Attachment 1 to AEP:NRC:1082J Page 3
The risk reduction importance ranking, of the dominant contributors was compared with the base case.
The ranking of the operator action to refill the condensate storage tank increased significantly in both absolute terms and relative ranking.
In addition, the ranking of the two initiating events in which this action is dominant, transient with power conversion systems available and loss of 250 volt direct current
- power, also increased significantly.
Two accident sequences corresponding to these initiating events with subsequent failure of the auxiliary feedwater system due to the failure to refill the condensate storage tank also increased by an order of magnitude, from below to above a frequency of 1.E-6/year.
The importance of the action to refill the condensate storage tank is considered to be overly conservative since the condensate storage tank water volume is normally maintained at a level which would provide close to, if not beyond, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> worth of hot standby cooling.
Additionally, it is not expected that the plant would be maintained in a hot standby condition following an accident, but would be cooled down, which requires less condensate storage tank water as cooldown progresses.
In the third sensitivity, all other basic human action errors with risk reduction importance values greater than 0.1% were selected for additional review.
The human action errors selected were the following:
Reactor Coolant System Depressurization (diagnosis error)
Power Restoration (simple action error)
Power Restoration (verification error)
Restoration of Reactor Inventory (simple action error)
Place Standby Air Compressor in Service (entire action error)
Restoration of Reactor Inventory (diagnosis error)
Post-LOCA Secondary Side Cooldown (diagnosis error)
The respective human error probabilities were increased by an order of magnitude for these seven human actions with two exceptions.
The power restoration verification and the post-LOCA secondary side cooldown errors were not modified since they already had an error probability of greater than 10%.
The combined impact of these human action error modifications increased the core damage frequency by 23% to 7.72E-05/year.
The risk reduction importance ranking of the dominant contributors was compared with the base case.
As would be expected, the contribution of the various human actions increased by an order of magnitude in absolute terms and somewhat in relative ranking.
In addition, the initiating events that depended significantly on these actions also increased in both absolute magnitude and relative ranking. Specifically, these initiating events are loss of component cooling water, medium break loss of coolant
- accident, and station blackout. Otherwise, no other dominant contributors changed significantly in rank or absolute contribution.
Attachment 1 to AEP:NRC:1082J Page 4
Three accident sequences increased by an order of magnitude to a frequency in the high 1.E-6/year range.
Each sequence failed directly due to the failure of a human action in this sensitivity analysis.
These are loss of component cooling water with failure to restore reactor inventory, medium break loss of coolant accident with failure to depressurize and cooldown, and station blackout with failure to restore power.
Results of Second Sensitivit Stud 'inimum Human Error of 001 For this sensitivity, important human error values which were less than
.001 were raised to
.001, while the human error values which were originally greater than
.001 were not modified.
This sensitivity was intended to address a concern about the ability to predict the human error rate for low error rates, and examine the effect of an arbitrary minimum level of human accuracy.
Human actions that were modeled as scalars in the analysis were directly modified, and human actions that were modeled as fault trees were adjusted to obtain a fault tree error value of approximately
.001 when support systems were not included.
To simplify the
- task, only human actions which would increase the core damage frequency by greater than 200$ if the human action completely failed were modified.
Other human action error changes will not significantly impact the analysis.
After these
- changes, the core damage frequency increased about 46% to 9.2E-5.
The risk reduction importance ranking of the dominant contributors was compared with that of the base case.
As would be
- expected, the contribution of the various human actions increased in absolute terms and in relative ranking.
In addition, the several initiating events that depend significantly on these human actions increased in both absolute magnitude and relative ranking.
One hardware failure was identified as a
potentially significant contributor in this sensitivity analysis. This was discounted since its apparent significance was found to be due to a
modelling simplification which was not obvious at the original human error failure rate. Otherwise, no core damage contributors changed significantly in rank or absolute contribution.
The failure frequency of two accident sequences increased by more than a factor of two in this sensitivity analysis.
These are the same sequences identified above in the sensitivity analysis for failure to refill the condensate storage tank, and the increases are due to the similar increase to the failure frequency of this action.
As described
- above, this apparent increase is due to a modelling simplification.
~Summa The sensitivity of the Cook Nuclear Plant Individual Plant Examination to the human reliability analysis was studied.
Although large changes in the
Attachment 1 to AEP:NRC:1082J Page 5
magnitude of the human error probabilities do impact the core damage frequency, significant changes in the magnitude of the human error probabilities do not lead to the identification of additional significant contributors to the core damage frequency, either procedural or hardware.
Significant contributors to core damage frequency are potential vulnerabilities to severe accidents.
Therefore, the existing human reliability analysis meets the goal of Generic Letter 88-20 in identifying severe accident vulnerabilities. In addition, since the same systems and components are found to be significant for a wide range of human action error rates, the individual plant examination can be considered to be adequate to evaluate the relative risk contribution of these systems and components.
ADDITIONALINFORMATION RE UEST NO 2
Provide us with the details regarding how Donald C.
Cook Nuclear Plant performed its pre-initiator HRA, Specifically, how were pre-initiator events identified and selected to evaluate and quantify2 What assumptions and boundary conditions were used in determining what systems,
- trains, or components to quantify for HEPs and how were they incorporated into the IPE models In reviewing the HRA
- notebook, the following pre-initiators appear to have been quantified:
A.
¹675, Failure to restore a
typical manual valve after test/maintenance.
B,
¹677, Failure to restore a typical air or MOV with indications in the control room after test/maintenance.
G.
¹680, Inadvertent mispositioning of turbine-driven AFV pump fan test switch.
z.
¹715, Failure to assure containment drain operability.
Turbine driven AFW pump room door left closed inadvertently.
RESPONSE
Pre-initiator concerns were addressed within the Human Reliability Analysis (HRA) and the system analyses of the Donald C. Cook Nuclear Plant Individual Plant Examination (IPE);
The human errors associated with leaving a
component or a necessary support system's component in an inoperable configuration following test or maintenance were considered human error pre-initiators in the HRA, as the affected components would be unavailable at the time of the accident initiation.
Attachment 1 to AEP:NRC:1082J Page 6
This response first details the assumptions and boundary conditions used to identify pre-initiator concerns for systems, trains and components.
The four generic guidelines used for the screening of pre-initiators for detailed quantification of human error probabilities (HEP) are described next.
A description of the application of these generic guidelines for pumps is provided, which justifies the lack of pre-initiator HEPs for the pumps modelled in the IPE.
Finally, background on the identification of the five pre-initiators considered in the IPE is provided.
"'s a system was modelled for the IPE, each component was examined for pre-initiator concerns.
Only trains and components modelled as not running at the time of the accident (i.e.,
in standby) were examined for pre-initiator concerns.
The pre-initiator concerns for the selected components were then either eliminated by the screening guidelines given below or were quantifi'ed in the HRA and included within the system fault tree models.
Human error induced common cause failures (i.e.,
several similar components fail due to same cause) were not addressed in the HRA.
These concerns were implicitly accounted for in the common cause values in the system fault trees.
These common cause concerns include procedure error (i.e., ambiguity, incompleteness or error in procedures) and plant staff error (i.e., errors of omission and commission on the part of the plant
- staff, such as failure to follow a correct procedure).
See previous response in AEP:NRC:1082F (page 24, response
- 13) for more information.
The four generic guidelines listed below were used to screen for pre-initiators.
All four of these conditions must have been met for a pre-initiator HEP to be calculated in the IPE:
1) any postulated improper valve positioning willnot be detected using pump operability flow tests 2) any postulated valve or other component misposition is not immediately detectable by status lights and/or alarms at the main control board 3) any postulated misposition must cause failure of the function 'of the associated component 4) the postulated valve misposition is not automatically corrected by a safety signal as a result of an assumed accident As an extension 'to the philosophy of Guideline 2, failure to restore locked or sealed open manual valves to their required positions following test and maintenance was not considered significant due to weekly walkdowns that verify the position of sealed and locked valves.
Misposition of these valves would be
- obvious, as a chain or wire is conspicuously attached to the valve operator and a nearby stationary
Attachment 1 to AEP:NRC:1082J Page 7
- object, such that it is not possible to operate the valve without removing the chain or wire.
The human error pre-initiator of failing to properly restore a
pump following test or maintenance was not considered credible for any of the pumps modelled in the IPE.
A detailed justification for this position is provided below.
During normal operation, all the main feedwater pumps and the circulating water pumps are in operation.
Failure to restore these pumps following test or maintenance is, therefore, not considered.
Each standby pump modelled in the IPE is also addressed for pre-initiator concerns.
Many of these are dispositioned as non pre-initiators because it was found that post-maintenance test procedures ensure that the pumps are available to perform their design function.
Specifically, when pumps are disabled for test or maintenance, operators will 1) place the control switch in
- lockout,
- 2) remove the control power fuses, and 3) rack out the breaker.
Following the test or maintenance, these three conditions are corrected and then the pump is tested to ensure pump operability.
Control room operators would be aware when the power fuses or breaker conditions are not corrected following failure of the pump operability
- test, and because the breaker indicating lights for that pump willnot be
'lluminated.
These two concerns can, therefore, be eliminated for every pump, based on both Guidelines 1 and 2.
Returning a pump control switch to lockout following the pump operability testing is also addressed but determined not to be a concern.
For the pumps requiring a
manual start, the control switch in lockout is not relevant (one train of the condensate booster pumps and the hotwell pumps).
All of the pumps modelled in the IPE as starting automatically have an alarm in the control room which indicates that the pump can not
- start, including having the control switch locked out.
Therefore, based on Guideline 2, this pre-initiator concern was not considered credible for these pumps.
The pumps listed below have annunciated alarms in the control room:
Auxiliary Feedwater (AFP) Motor and Turbine Driven Pumps Centrifugal Charging Pumps Component Cooling Water Pumps Containment Spray Pumps Essential and Nonessential Service Water Pumps Residual Heat Removal Pumps Safety Injection Pumps Based on the above arguments, it was not necessary to calculate detailed HEPs for pre-initiator concerns for any pumps modelled in the IPE.
This confirms the validity of the original position that pumps are not credible pre-initiators.
~
Attachment 1 to AEP:NRC:1082J Page 8
Background information on the identification of each of the five pre-initiators for which HEPs were calculated in the IPE is given below:
A.
¹675, Failure to restore a
typical manual valve after test/maintenance.
This pre-initiator HEP was used in several system fault trees for the manual valves that met the generic guidelines given above.
All manual valves were treated the same, regardless of the pedigree of the affected system, as plant personnel use the same control methods to remove and restore to service valves of different systems.
B.
¹677, Failure to restore a typical air or motor operated valve with indications in the control room after test/maintenance.
This pre-initiator HEP was used in several system fault trees for the air or motor operated valves that met the generic guidelines given above.
All motor operated and air operated valves were treated the same, as plant personnel use the same control methods to remove and restore to service valves of different systems.
G.
¹680, Inadvertent mispositioning of turbine-driven AFW pump fan test switch.
This pre-initiator concern was found following the review of AFW support systems.
The turbine-driven AFW pump requires room ventilation to operate for more than four hours, and the fan will not start automatically if the switch is left open.
One of the two fans is needed for successful operation.
T.
¹715, Failure to assure containment drain operability.
This concern was identified in the containment drains system
- analysis, as failure of the human actions to ensure drain operability could lead directly to core melt.
(Containment inspection tours verify that the drain flange covers have been removed and that containment is free of debris.)
This calculated human error failure probability was considered insignificant with respect to core melt frequency, so it was not used.
z.
¹720, Turbine driven AFW pump room door left closed inadvertently.
This concern was found following the review of AFW support systems.
The turbine-driven AFW pump requires room ventilation to operate for more than four hours.
During a station blackout, when the room fans are not available, these doors must be open to ensure adequate cooling of the turbine driven AFW pump.
Attachment 1 to AEP:NRC:1082J Page 9
In summary, pre-initiator human errors were addressed for each system and component modelled in Cook Nuclear Plant IPE.
Assumptions based on the initial operating conditions and a set of screening guidelines concerning test and maintenance activities were used to determine which pre-initiators needed HEPs calculated.
When detailed HEPs were calculated, these basic events were included in the appropriate system fault trees.
ATTACHMENT TO 2 AEP:NRC'1082J
Response
to NRC Request for Additional Information on Human Reliability Analysis for Donald C.
Cook Nuclear Plant Individual Plant Examination Planned Modifications to Human Reliability Analysis Methods
Attachment 2 to AEP:NRC:1082J Page 1
PLANNED MODIFICATIONS TO HUMAN RELIABILITYANALYSIS METHODS During the detailed review of the human reliability analysis, several differences between the AEPSC human reliability analysis methods and those described in "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications" [Reference 1] (frequently referred to as the Technique for Human Error Rate Prediction THERP) were noted.
Although the current AEPSC methods were based on
- THERP, these methods included modifications to account for current plant procedures and
- training, as well as to provide a consistent documentation format. In
- review, some of these modifications were found not to be consistent with current industry practice.
It is the intent of AEPSC to apply the THERP methods in a usable and consistent basis.
To modify the AEPSC methodology to conform with the THERP
- methods, a
complete comparison of the existing AEPSC human reliability analysis methods to the THERP methods will be performed.
The Accident Sequence Evaluation Program (ASEP) methodology [Reference 2], the comments on the human reliability analysis of NUREG 1150
[Reference 3],
and human reliability information from the Electric Power Research Institute (to which AEPSC has recently obtained access) will be used as additional guidance.
Based on these
- reviews, the AEPSC methods will be updated to be more consistent with the THERP method and to reflect newer information which is deemed to be consistent with the existing THERP methods.
The individual plant examination probabilistic risk assessment will then be updated to utilize the new human reliability analysis.
The specific issues to be addressed, at a minimum, are summarized below.
Human reliabi1it action s ecific to se uences:
The current human reliability analysis utilizes a simplifying assumption that an operator
- action, such as establishing primary feed and bleed, is independent of the accident sequence since the reactor conditions when the need is reached would be similar for all accident sequences
[Reference 4]. Although this assumption should be true for many accident sequences, the accident sequences will be reviewed to identify, based on such items as timing and equipment availability, other influences on the human error probability.
When appropriate, sequence specific human error probabilities will be calculated.
De endence Modelin In the review of sequences described above, prior human action failures will be assessed for modeling of dependent failures of subsequent
- actions, both within a modeled action and between different modeled actions.
Dependence modeling was used infrequently in the current
- analysis, and a sensitivity review performed earlier
[Reference 5]
indicated that the assumption of independence of action had little impact on the core damage frequency analysis.
A set of rules for determining the level of dependence to be assumed in the revised model will be developed based on guidance in the reference documents.
Attachment 2 to AEP:NRC:1082J Page 2
Performance sha in factors in dia nosis:
To account for the symptom based Emergency Operating Procedures and increased
- training, the AEPSC methodology utilized training and stress performance shaping factors for the recommended diagnosis error frequencies.
In the ASEP methodology, the lower error bound of the range was used to account for the same effects.
Although the net result should be similar, AEPSC will revise its methods to utilize this more consistent technique.
E licit consideration of timin For most
- cases, timing was only considered in the AEPSC analyses in a qualitative
- manner, with the diagnosis error rate being frequently based on the time needed to complete the action.
AEPSC will review the timing requirements explicitly, and allocate time appropriately for diagnosis, action, and recovery actions as needed.
Guidelines found in the ASEP methodology, which is generally conservative with respect to the THERP method on which it is based, will be used to support evaluations of diagnosis error rates.
Consistent use of second erson checkin Credit was generally taken in the human reliability analysis for checking, to the extent needed to determine an acceptably accurate final result i.e.
once a human error failure path was found to be not the dominant path, further credits were not taken.
- Thus, known actions such as second person checking were inconsistently used.
To ensure the thoroughness of the calculation, these credits will be used on a more consistent basis.
Trainin erformance sha in factors:
These training factors were included to address the impact of improved training and procedures.
The THERP and ASEP methods provide guidance on the types of credit for these
- areas, and the training factors will either be modified so they more rigorously reflect the THERP methods or they will be eliminated.
After review of the THERP and ASEP methods, and based on the sensitivity analyses found in Attachment 1 and Reference 5, it is believed that the methodology modifications indicated above will not significantly change the impact of the human reliability analysis on the basic results of the individual plant examination.
Important differences in the'ore damage frequency or component and sequence rankings are not expected.
Since analyses of off normal configurations, such as evaluations of equipment unavailabilities, may change based on different human error probabili,ties, a more consistent set of human error probabilities will aid in ensuring the results of such sensitivities are also accurate.
Therefore, analyses performed before the above changes are completed will evaluate the impact of the existing human reliability analysis.
Attachment 2 to AEP:NRC:1082J Page 3
References "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications,"
A.
D.
Swain and H.
E.
- Guttmann, NUREG/CR-1278, 1983.
2.
"Accident Sequence Evaluation Program Human Reliability Analysis Procedure,"
A. D. Swain, NUREG/CR-4772, 1987.
3.
"Severe Accident Risks:
An Assessment for Five U.S. Nuclear Power Plants",
NUREG-1150, 1990.
4.
"Individual Plant Examination,
Response
to NRC Questions",
Letter AEP:NRC:1082F from E.
E.
Fitzpatrick to T.
E.
Murley dated February 24, 1993.
5.
"Individual Plant Examination,
Response
to NRC Questions",
Letter AEP:NRC:1082H from E.
E.
Fitzpatrick to T.
E.
Murley dated December 3, 1993.