ML18011B126
| ML18011B126 | |
| Person / Time | |
|---|---|
| Site: | Harris |
| Issue date: | 06/30/1995 |
| From: | Haas P CONCORD ASSOCIATES, INC. |
| To: | NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| Shared Package | |
| ML18011B119 | List: |
| References | |
| CON-NRC-04-91-069, CON-NRC-4-91-69 CA-TR-94-019-28, CA-TR-94-19-28, NUDOCS 9602020048 | |
| Download: ML18011B126 (42) | |
CONCORD ASSOCIATES, INC.
Systems Performance Engineers

CA/TR-94-019-28

SHEARON HARRIS NUCLEAR PLANT
TECHNICAL EVALUATION REPORT ON THE IPE SUBMITTAL
HUMAN RELIABILITY ANALYSIS
FINAL REPORT

By P. M. Haas

Prepared for:
U.S. Nuclear Regulatory Commission
Office of Nuclear Regulatory Research
Division of Safety Issue Resolution

Draft Report June, 1994
Final Report June, 1995

Contract No. NRC-04-91-069, Task Order No. 28

Concord Associates, Inc.: 725 Pellissippi Parkway, Knoxville, TN 37932, (615) 675-0930; 11915 Cheviot Drive, Herndon, VA 22070, (703) 318-9262; 6201 Picketts Lake Drive, Acworth, GA 30101, (404) 917-0690
TABLE OF CONTENTS

E. EXECUTIVE SUMMARY
  E.1 Plant Characterization
  E.2 Licensee IPE Process
  E.3 Human Reliability Analysis
    E.3.1 Pre-Initiator Human Actions
    E.3.2 Post-Initiator Human Actions
  E.4 Generic Issues and CPI
  E.5 Vulnerabilities and Plant Improvements
  E.6 Observations
1. INTRODUCTION
  1.1 HRA Review Process
  1.2 Plant Characterization
2. TECHNICAL REVIEW
  2.1 Licensee IPE Process
    2.1.1 Completeness and Methodology
    2.1.2 Multi-Unit Effects and As-Built, As-Operated Status
    2.1.3 Licensee Participation and Peer Review
      2.1.3.1 Licensee Participation
      2.1.3.2 Peer Review
  2.2 Pre-Initiator Human Actions
    2.2.1 Pre-Initiator Human Actions Considered
    2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions
    2.2.3 Screening Process for Pre-Initiator Human Actions
    2.2.4 Plant-Specific Performance Shaping Factors, Recovery Factors, and Dependencies for Pre-Initiator Human Actions
  2.3 Post-Initiator Human Actions
    2.3.1 Types of Post-Initiator Human Actions Considered
    2.3.2 Process for Identification and Selection of Post-Initiator Human Actions
    2.3.3 Screening Process for Post-Initiator Response Actions
    2.3.4 Quantification of Post-Initiator Human Actions
      2.3.4.1 Consideration of Timing
      2.3.4.2 Consideration of Other Plant-Specific Performance Shaping Factors
      2.3.4.3 Consideration of Dependencies
      2.3.4.4 Quantification of Recovery Actions
      2.3.4.5 Treatment of Operator Actions in the Internal Flooding Analysis
      2.3.4.6 Treatment of Operator Actions in the Level 2 Analysis
      2.3.4.7 GSI/USI and CPI Recommendations
  2.4 Vulnerabilities, Insights and Enhancements
    2.4.1 Vulnerabilities
    2.4.2 IPE Insights Related to Human Performance
    2.4.3 Enhancements
3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS
4. DATA SUMMARY SHEETS
REFERENCES
E. EXECUTIVE SUMMARY
This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Carolina Power and Light Company (CP&L) Shearon Harris Nuclear Power Plant (SHNPP) Individual Plant Examination (IPE) submittal to the U.S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staff in their evaluation of the IPE and conclusions regarding whether the submittal meets the intent of Generic Letter 88-20.
E.1 Plant Characterization SHNPP is a single-unit Westinghouse three-loop pressurized water reactor (PWR) plant rated at 2775 megawatts thermal, 860 megawatts electric.
Commercial operation was initiated in 1987.
Similar units in operation are Beaver Valley 1 and 2, Farley 1 and 2, and HB Robinson 2.
Some of the major design features with particular significance to human action are: 1) it is necessary to transfer the source of offsite power from the auxiliary to startup transformers following a plant trip; non-vital dc power is required to operate the breakers in order to make the transfer; these requirements, including operator action, increase the probability of losing offsite power to the 1E buses; 2) semi-automatic switchover of Emergency Core Cooling System (ECCS) from injection to recirculation, which reduces the impact of operator error on Core Damage Frequency (CDF); 3) bleed and feed can be accomplished using a safety valve if a Power Operated Relief Valve (PORV) is unavailable; 4) a large condensate storage tank reduces the need for backup sources for auxiliary feedwater (AFW); and 5) isolation of main feedwater (MFW) following a normal plant trip, which eliminates operator actions required for post-trip use of MFW. The unit has a plant-specific simulator, which was used in the development of the HRA.
E.2 Licensee IPE Process The HRA process addressed both pre-initiator and post-initiator actions.
Pre-initiator actions considered included both restoration errors and miscalibration.
Post-initiator actions included both response-type and recovery-type actions.
HRA techniques/methods employed to quantify human error included ASEP (Ref. 1), THERP (Ref. 2), and an EPRI methodology (Ref. 3).
Plant-specific performance shaping factors and dependencies were considered.
Human errors were identified as significant contributors in accident sequences leading to core damage, and procedure enhancements were identified and credited in the IPE/HRA. Licensee staff with-knowledge of plant design, operations and maintenance had significant involvement in the HRA process.
Procedures reviews, interviews with operations staff, and plant walkdowns helped assure that the IPE represented the as-built, as-operated plant. An independent review of the HRA performed by a consultant helped to assure appropriate use of HRA techniques.
E.3 Human Reliability Analysis E.3.1 Pre-Initiator Human Actions.
The HRA addressed pre-initiator errors in maintenance, test and surveillance actions by incorporating human error into the systems analysis (fault trees) as a specific cause for system unavailability. As indicated above, both misalignment (restoration) errors and miscalibration were considered.
Pre-initiator actions to be quantified were identified and selected from operating procedures and functional test procedures during the development of the system models and failure sequences.
Qualitative evaluation removed certain unlikely errors, e.g., those that would be annunciated by a "compelling signal", from further consideration.
The submittal provided only very limited and general information on the quantitative analysis of pre-initiator human actions.
The licensee's response to an NRC Request for Additional Information (RAI) provided clarification and examples of analysis for specific human error probabilities (HEPs).
No numerical pre-screening was employed.
HEPs were derived for fifteen errors surviving the qualitative screening. The ASEP HRA procedure was used for an initial quantification of these fifteen pre-initiator actions.
Based on a review of importance, two of the HEPs were selected for a more detailed (less conservative) analysis using THERP.
Our review of three sample calculations using both ASEP and THERP indicates that the licensee appropriately applied the HRA techniques and considered plant-specific performance shaping factors and dependencies.
Overall, the numerical values for the fifteen pre-initiator actions are consistent with results in other PRAs using the two methods.
Two pre-initiator actions (one of which was calculated via THERP) are among the top ten most important human actions (calculated using the Fussell-Vesely importance measure).
E.3.2 Post-Initiator Human Actions.
As indicated above, the HRA addressed both response-type and recovery-type actions.
Response actions were identified from review of procedures and by discussion and interview with operations staff.
IPE team members included individuals with plant operational experience.
The response actions identified and quantified are generally consistent with those analyzed in other PWR PRAs. A screening value of 1.0 was applied to screen out actions that did not have significant impact on core damage frequency.
Those actions that were not screened out were quantified following the general guidance in Reference 3 for the EPRI methodology.
Each post-initiator response action was treated as a combination of two types of actions: (1) a detection/diagnosis/decision, or "cognitive" action, and (2) manual, or "execution" actions.
The probability of failure of the cognitive action was assessed using the supplementary "cause-based" approach in the EPRI document.
This approach identifies failure mechanisms, related causal factors and error recovery factors and uses a decision tree format to guide the analyst through an evaluation of those factors leading to selection of an assigned HEP.
The probability of failure in execution actions was determined using ASEP or THERP. The licensee considered plant-specific performance shaping factors, and dependencies among multiple human actions were accounted for. The submittal's discussion of the plant-specific implementation of the HRA techniques was limited in detail.
However, in response to an NRC RAI, the licensee provided sample calculations for nine HEPs.
Our review of those samples indicates that the licensee appropriately applied the HRA techniques.
Numerical results for response-type actions, in general, are in the range typical for other PRAs (1.0E-04 to 1.0E-01).
Recovery actions were identified after initial quantification of the IPE using the HEP values for pre-initiators and post-initiator response actions. All recovery actions credited were proceduralized.
Most recovery actions were quantified using the same EPRI methodology that was used for response actions.
Recovery of offsite power was treated separately using industry data. Credit for recovery action was added to the cutset after the initial quantification.
Dependency between recovery actions and top-level response actions already part of the cutset was addressed by the same dependency model used for response actions.
Numerical values for recovery actions appear to be reasonable, i.e., consistent with other PRAs.
E.4 Generic Issues and CPI The licensee's consideration of generic safety issues (GSIs) and unresolved safety issues (USIs) and of containment performance improvements (CPI) recommendations are the subject of the front-end review, and back-end review, respectively.
The licensee addressed diverse means of decay heat removal (DHR) in the IPE proposed resolution of USI A-17 related to internal flooding. The front-end reviewer identified a number of plant-specific design features that impact directly or indirectly decay heat removal.
Among these features are several, e.g., semi-automatic switchover of ECCS from injection to recirculation, and isolation of main feedwater following a normal plant trip, which have significant impact on operator actions.
Our review of the licensee's discussions and of the front-end reviewer comments identified no unique issues associated with the HRA that relate to the licensee's treatment of GSIs or USIs.
The back-end reviewer noted that the licensee did not directly address CPI recommendations in the submittal.
Additional information was supplied by the licensee in response to an NRC RAI. There are no apparent HRA issues related to the licensee's discussion of the CPI recommendations.
E.5 Vulnerabilities and Plant Improvements The licensee did not provide a concise definition of a vulnerability. Qualitative criteria from NUMARC 91-04 were used as guidelines to assess potential cost-effective enhancements.
In addition, the licensee had as a goal to reduce the overall CDF from about 7E-05/yr to about 5E-05/yr. No vulnerabilities were cited.
Human error is identified as a significant contributor in accident sequences leading to core damage.
Credit for manual operation of breakers to align for offsite power substantially reduces estimated core damage frequency.
The importance of this manual action and the need for enhancement of procedures (and possibly additional instrumentation) was identified from the initial IPE quantification.
The procedures enhancements were implemented during the IPE development, and the operator action was credited.
E.6 Observations The following observations are pertinent to the NRC's determination of whether the licensee's submittal met the intent of Generic Letter 88-20:
(1) The submittal and supporting documentation indicate that utility personnel were involved in the HRA, and that the walkdowns and documentation reviews constituted a viable process for confirming that the HRA portions of the IPE represent the as-built, as-operated plant.
(2) The licensee performed an in-house peer review that provides some assurance that the HRA techniques have been correctly applied and that documentation is accurate.
(3) The HRA addressed pre-initiator errors in maintenance, test and surveillance actions. Both misalignment (restoration) errors and miscalibration were considered. The processes for identification and selection, qualitative screening, quantification, and incorporation of pre-initiator errors into the IPE model were reasonable and consistent with practice in other PRAs. Numerical results are consistent with results in other PRAs. Two pre-initiator actions are among the top ten most important human actions.
(4) The treatment of post-initiator human actions was reasonably complete and thorough. Both response-type and recovery-type actions were included. The process for identification and selection of actions involved review of procedures and discussions with plant personnel. No numerical screening process was performed. Quantification of post-initiator errors appears to be reasonably complete and appears to have appropriately employed the chosen HRA techniques. Plant-specific performance shaping factors and dependencies were considered. Quantitative estimates of post-initiator human error probabilities are generally consistent with results in other PRAs.
(5) Insights reported by the licensee indicate that the HRA provided the licensee with an appreciation for the importance of human error to the estimated core damage and radioactive material release fractions. Human action was noted as an important contributor in the dominant sequences. Credit for human action in the recovery analysis was noted as a significant factor in reducing the estimated core damage frequency. Importance calculations were performed which identified the most important human error contributors.
(6) While a specific definition of vulnerability was not provided, the licensee employed a reasonable process to screen for cost-effective enhancements. One significant human performance related enhancement (a procedure improvement) was identified early in the IPE analysis and credited in the final IPE quantification.
1. INTRODUCTION This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Carolina Power and Light Company (CP&L) Shearon Harris Nuclear Power Plant (SHNPP) Individual Plant Examination (IPE) submittal to the U.S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staff in their evaluation of the IPE and conclusions regarding whether the submittal meets the intent of Generic Letter 88-20.
1.1 HRA Review Process The HRA review was a "document-only" process which consisted of essentially four steps:
(1) Comprehensive review of the IPE submittal focusing on all information pertinent to HRA.
(2) Preparation of a draft TER summarizing preliminary findings and conclusions, noting specific issues for which additional information was required from the licensee, and formulating requests to the licensee for the necessary additional information.
(3) Review of preliminary findings, conclusions and proposed requests for additional information (RAIs) with NRC staff and with "front-end" and "back-end" reviewers.
(4) Review of licensee responses to the NRC requests for additional information, and preparation of this final TER, modifying the draft to incorporate results of the additional information provided by the licensee and finalize conclusions.
Findings and conclusions are limited to those that could be supported by the document-only review.
No visit to the site was conducted.
No discussions were held with plant personnel or IPE/HRA analysts, either during the initial review of the submittal or after receipt of licensee responses to NRC RAIs. No review of detailed "Tier 2" information was performed, except for selected details provided by the licensee in direct response to NRC RAIs. In general it was not possible, and it was not the intent of the review, to reproduce results or verify in detail the licensee's HRA quantification process.
The review addressed the reasonableness of the overall approach with regard to its ability to permit the licensee to meet the goals of Generic Letter 88-20.
1.2 Plant Characterization SHNPP is a single-unit Westinghouse three-loop pressurized water reactor (PWR) plant rated at 2775 megawatts thermal, 860 megawatts electric.
Commercial operation was initiated in 1987.
Similar units in operation are Beaver Valley 1 and 2, Farley 1 and 2, and HB Robinson 2.
Some of the major design features with particular significance to human action are: 1) it is necessary to transfer the source of offsite power from the auxiliary to startup transformers following a plant trip; non-vital dc power is required to operate the breakers in order to make the transfer; these requirements, including operator action, increase the probability of losing offsite power to the 1E buses; 2) semi-automatic switchover of Emergency Core Cooling System (ECCS) from injection to recirculation, which reduces the impact of operator error on Core Damage Frequency (CDF); 3) bleed and feed can be accomplished using a safety valve if a Power Operated Relief Valve (PORV) is unavailable; 4) a large condensate storage tank reduces the need for backup sources for auxiliary feedwater (AFW); and 5) isolation of main feedwater (MFW) following a normal plant trip, which eliminates operator actions required for post-trip use of MFW. The unit has a plant-specific simulator, which was used in the development of the HRA.
2. TECHNICAL REVIEW
2.1 Licensee IPE Process 2.1.1 Completeness and Methodology. The submittal information on the HRA process was generally complete in scope, but limited in detail. Additional information obtained from the licensee in response to the NRC RAIs was sufficient to complete our assessment of the overall HRA.
The HRA process addressed both pre-initiator and post-initiator actions.
Pre-initiator actions considered included both restoration errors and miscalibration.
Post-initiator actions included both response-type and recovery-type actions.
HRA techniques/methods employed to quantify human error included ASEP (Ref. 1), THERP (Ref. 2), and an EPRI methodology (Ref. 3).
Plant-specific performance shaping factors and dependencies were considered.
Human errors were identified as significant contributors in accident sequences leading to core damage, and procedure enhancements were identified and credited in the IPE/HRA. Licensee staff with knowledge of plant design, operations and maintenance had significant involvement in the HRA process.
Procedures reviews, interviews with operations staff, and plant walkdowns helped assure that the IPE represented the as-built, as-operated plant. An independent review of the HRA performed by a consultant helped to assure appropriate use of HRA techniques.
2.1.2 Multi-Unit Effects and As-Built, As-Operated Status.
SHNPP is a single-unit plant. The issue of multi-unit effects is not applicable.
The submittal indicates that the "normal plant documentation control system" ensures that the plant documentation used for the IPE was current as of the freeze date of January 1, 1992 (with several exceptions noted in which changes were made after the freeze date and credited in the IPE). The submittal also notes that the major portion of the work involved in developing the system notebooks and fault trees was performed on site, and that the analysts had access to all current plant information as well as to plant systems engineers.
Plant documentation identified in the submittal appears to be comprehensive and appropriate.
Systems analysis information appears to be thoroughly documented in the systems notebooks.
A standard table of contents for a system notebook is presented in the submittal. A separate section under "System Interactions" focuses on "Operator Interface/Procedures".
Operator actions, both pre-initiator and post-initiator, appear to be specifically identified under the system model description.
Simulator exercises performed in support of the HRA provided a means for verification of current control room operations practice and other assumptions and data used in the HRA. Walkdowns were performed to assess risk significant actions outside of the control room.
Interviews were conducted with operations staff as part of the IPE/HRA process.
The combination of document and procedure review, plant walkdowns, and interviews with plant personnel, plus the involvement of utility personnel in the IPE process, appears to have constituted a viable process to assure that the IPE/HRA represents the as-built, as-operated plant.
2.1.3 Licensee Participation and Peer Review.
2.1.3.1 Licensee Participation. The submittal notes that CP&L development of PRA expertise began in the early 1980s and has continued to evolve through the development of the SHNPP IPE. A preliminary Level 1 PRA was completed in 1988 by a contractor.
CP&L staff performed approximately 50% of that effort, and emphasis was placed on technology transfer from the contractor to CP&L. A summary of the technical organization of the SHNPP IPE project (Section 5 of the submittal) shows substantial CP&L staff technical participation in and management of the IPE. CP&L staff were supported by subcontractors, including SAROS, Inc., SAIC, Tenera, Kenton, Gabor and Associates, Inc., and others. The HRA was led by a CP&L staff member with "technology transfer" from G. Parry of NUS.
The submittal notes substantial involvement of Corporate personnel with knowledge of plant systems and operations.
There is very little discussion of direct involvement by Shearon Harris plant personnel in the development of the IPE, though there were currently licensed operations staff involved in reviewing the IPE.
2.1.3.2 Peer Review. The submittal notes that the initial SHNPP PRA underwent an independent review by subcontractors not involved in its development, and that the comments from that review were used in planning for the IPE revision and update.
The IPE analysis team generated responses to each comment and identified action items to ensure that the comment resolutions would be represented in the IPE update.
Additional independent review activities conducted as part of the IPE project included:
- Review of the systems analysis (fault trees) by experienced PRA practitioners not involved in their initial development. Review comments and responses from the systems analyst were documented.
- Review of the systems analysis by plant systems engineers who were independent from the PRA staff. Comments, responses and changes to plant models were documented.
- Internal review of quantified cutset results with plant Operations and Training personnel, including shift supervisors and shift technical advisors with current SRO licenses; additional support for this review was provided by corporate engineering and nuclear licensing departments plus outside contractors and an independent member from the Institute for Nuclear Power Operations.
- Internal review of the back-end analysis by CP&L or contractor back-end team members not directly involved in the analysis.
- Independent review of IPE results by the "Severe Accident Issues Project" team to examine results, develop insights, and consider potential enhancements to address insights. This team was directed by the Manager, Nuclear Licensing. It included corporate personnel from Nuclear Engineering and Nuclear Licensing plus the Risk Assessment managers responsible for the IPE. It also included plant personnel from Operations, Technical Support, and Training.
No specific review comments or resolutions are identified in the submittal.
No specific information regarding independent review focused specifically on the HRA is provided, except for general statements about review by operations and training staff. The participation in the HRA by G. Parry of NUS served to some degree as an independent review of work performed by CP&L staff.
In our judgment, these reviews collectively constituted a reasonable process for an "in-house" peer review that provides some assurance that the IPE analytic techniques were correctly applied and that documentation is accurate.
2.2 Pre-Initiator Human Actions Errors in performance of pre-initiator tasks (i.e., tasks performed during maintenance, test, etc.) may cause components, trains, or entire systems to be unavailable on demand during an accident, and thus may significantly impact plant risk. Our review of the HRA portion of the IPE examines the licensee's HRA process to determine what consideration was given to pre-initiator human events, how potential events were identified, the effectiveness of quantitative and/or qualitative screening process(es) employed, and the processes for accounting for plant-specific performance shaping factors, recovery factors, and dependencies among multiple actions.
2.2.1 Pre-Initiator Human Actions Considered.
The SHNPP HRA addressed pre-initiator errors in maintenance, test and surveillance actions by incorporating human error into the systems analysis (fault trees) as a specific cause for system unavailability. Both misalignment (restoration errors) and miscalibration were considered.
2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions.
The key concerns of our review regarding the process for identification and selection of pre-initiator human events are: (a) whether maintenance, test and calibration procedures for the systems and components modeled were reviewed by the systems analyst(s), and (b) whether discussions were held with appropriate plant personnel (e.g., maintenance, training, operations) on the interpretation and implementation of the plant's test, maintenance and calibration procedures to identify and understand the specific actions and the specific components manipulated when performing the maintenance, test, or calibration tasks.
The submittal states (page 3-225) that pre-initiator human events (the submittal uses the EPRI terminology "human interactions", or HIs) were identified and defined by the PRA analysts from operating procedures and functional tests during the development of the system models and failure sequences.
Also, as indicated in Section 2.1.1 above, the sample table of contents from the systems notebooks indicates specific focus on both pre-initiator and post-initiator human errors that could impact system performance.
The following pre-initiator HIs were eliminated from further consideration and quantification:
- Activities for which errors are considered fully recoverable by "compelling signals," usually one or more annunciators when the activity is completed or before normal operation can be resumed.
- Activities for which errors can be fully recovered by a post-activity functional test.
- Alignments which are double verified, unless the error is judged to significantly degrade multiple safety systems or multiple trains of one system.
- Activities for which errors can be fully recovered by a re-alignment signal when a demand occurs.
In our opinion, these "qualitative screening" guidelines are reasonable and consistent with practice in other accepted PRAs.
2.2.3 Screening Process for Pre-Initiator Human Actions.
Fifteen pre-initiator errors were identified and quantified.
These fifteen are listed in Table 2-1 below. The submittal was unclear regarding numerical screening.
However, the licensee's response to the NRC RAI clarified that no numerical pre-screening of pre-initiator errors was performed.
HEPs were derived for all fifteen errors that survived the qualitative screening. The ASEP HRA procedure was used for an initial quantification of all of these actions.
Based on a review of importance, two of the HEPs were selected for a more detailed (less conservative) analysis using THERP.
2.2.4 Plant-Specific Performance Shaping Factors, Recovery Factors, and Dependencies for Pre-Initiator Human Actions.
The probability of error in performing pre-initiator human actions can vary substantially (up or down) from "generic" estimates because of plant-specific factors affecting human performance, practical "recovery factors" that exist due to plant design features or operational practice, or dependencies among multiple restoration/miscalibration tasks that may exist as a result of "systemic," but perhaps subtle, human performance problems in training, procedures, etc. If the licensee is to gain a realistic understanding of the potential impact of pre-initiator human error on plant risk, it is important that the HRA include a reasonably rigorous assessment of these plant-specific factors and dependencies.
The submittal provides only very general information regarding the analysis associated with the quantification of pre-initiator human errors.
The four "qualitative screening" guidelines listed in Section 2.2.2 above are, in effect, recovery factors which reduce the estimated error probability to zero, i.e., they eliminate the potential human error from further consideration.
No other specific information is provided in the submittal regarding plant-specific performance shaping factors, recovery factors, or potential dependencies considered in the quantification of pre-initiator human errors.
In response to the NRC's RAI, the licensee indicated that the technical basis for assumptions in the pre-initiator HRA included interviews with operations, maintenance, and control zoom personnel.
In addition, a cutset review meeting was held that involved operations, training and risk assessment unit personnel and consultants reviewing risk-significant human actions.

Table 2-1 Pre-Initiator Human Actions in the SHNPP IPE (Submittal Table 3-32)

Human Interaction   HEP        Description
LOPERRWST (1)       7.02E-04   ISI-331 left closed after OST-1008 or OST-1092.
EOPERPRZLO          1.0E-02    Operator miscalibrates low pressurizer pressure transmitters.
EOPERHICON          4.03E-02   Operator miscalibrates high containment pressure transmitters.
EOPERUVOLT          6.03E-02   Operator miscalibrates undervoltage sensing relays.
EOPERRWTLO          6.0E-03    Operator miscalibrates RWST lo-lo level transmitters.
BOPERLFAH1          4.8E-02    Operator aligns inoperable fan to lead fan in AH-1.
BOPERLFAH4          4.8E-02    Operator aligns inoperable fan to lead fan in AH-4.
WOPERL9302          4.8E-02    Operator miscalibrates level switch LS-9302.
WOPER9209A          4.8E-02    Operator miscalibrates pressure controller PC-9209A.
WOPER9209B          4.8E-02    Operator miscalibrates pressure controller PC-9209B.
WOPER9101A          4.8E-02    Operator miscalibrates pressure transmitter PT-9101A.
WOPER9101B          4.8E-02    Operator miscalibrates pressure transmitter PT-9101B.
GOPERBOTH           2.9E-03    Personnel open one PAL door while the second is inoperable or open both doors simultaneously.
SOPERCSATA          4.8E-02    Miscalibration of containment spray additive tank level transmitter LT-7150.
SOPERCSATB          4.8E-02    Miscalibration of containment spray additive tank level transmitter LT-7166.

(1) Quantified using THERP; the remaining HEPs were derived using ASEP.
In this cutset review meeting, the assumptions used in deriving HEPs were discussed and verified or modified as necessary.
The licensee's response to the NRC RAI also included three examples of more detailed information supporting the derivation of pre-initiator HEPs.
Two examples were for HEPs derived using ASEP, and one using THERP (LOPERRWST, in Table 2-1 above, which was the fourth highest ranked operator action per the Fussell-Vesely importance measure).
Our review of these three sample calculations indicates that the licensee did consider plant-specific performance shaping factors and dependencies and that the licensee appropriately applied the ASEP and THERP guidance for quantification of pre-initiator actions.
Overall, the numerical values for pre-initiator HEPs are consistent with, perhaps slightly more conservative than, values calculated in other PRAs using the two techniques.
Based on these findings, it is our opinion that the HRA process employed for assessment of pre-initiator human actions was capable of providing the licensee with a reasonable understanding of the contribution to plant risk associated with human error in such actions.
2.3 Post-Initiator Human Actions
Human error in responding to an accident initiator, e.g., by not recognizing and diagnosing the situation properly, or failure to perform required activities as directed by procedures, can have a significant effect on plant risk, and in some cases such errors have been shown to be dominant contributors to core damage frequency (CDF). These errors are referred to as post-initiator human errors.
The NRC staff review determines the types of post-initiator errors considered by the licensee, and evaluates the processes used to identify and select, screen, and quantify post-initiator errors, including issues such as the means for evaluating timing, dependency among human actions, and other plant-specific performance shaping factors.
2.3.1 Types of Post-Initiator Human Actions Considered.
There are two important types of post-initiator actions considered in most PRAs: response actions, which include those human actions performed in response to the first level directives of the emergency operating procedures/instructions (EOPs, or EOIs); and recovery actions, which include those performed to recover a specific failure or fault (primarily equipment failure/fault) such as recovery of offsite power or recovery of a front-line safety system that was unavailable on demand earlier in the event.
The SHNPP HRA addressed both response and recovery actions.
Quantification of response actions followed the general approach outlined in EPRI TR-100259 (Ref. 3). Most response actions were incorporated into the IPE model as basic events in the top-logic fault trees, though some were incorporated in system models.
This EPRI methodology was also applied to quantify recovery actions, apparently with some adjustment (increase) in the estimated HEP for recovery actions which are not specifically called out in Emergency Operating Procedures (EOPs).
Recovery actions were incorporated into the cutsets after initial quantification.
2.3.2 Process for Identification and Selection of Post-Initiator Human Actions.
The primary thrust of our review related to this question is to assure that the process used by the licensee to identify and select post-initiator actions is systematic and thorough enough to provide reasonable assurance that important actions were not inappropriately precluded from examination.
Key issues are whether: (1) the process included review of plant procedures (e.g., emergency operating procedures, system instructions, off-normal (or abnormal) event procedures) associated with the accident sequences delineated and the systems modeled; and (2) discussions were held with appropriate plant personnel (e.g., operators, shift supervisors, training, operations) on the interpretation and implementation of plant procedures to identify and understand the specific actions and the specific components manipulated when responding to the accident sequences modeled.
Discussion in the submittal of the process for identification of important post-initiator actions is very limited. However, our overall review of the submittal discussions of the front-end analysis and results - including the general methodology discussion in Section 2 of the submittal, the accident delineation and systems analysis in Section 3, and discussions in Section 5 of utility personnel involvement in the development and review of the front-end - suggests that a reasonably systematic and thorough approach was used to identify potentially significant post-initiator human error contributors.
This approach included appropriate review of procedures and discussions with plant/corporate personnel and/or IPE team members with direct experience as licensed operators at Shearon Harris.
We compared initiating events identified for SHNPP to initiating events identified for other PRAs identified in the submittal and/or accepted by NRC. Our comparison indicated that the SHNPP identification of initiating events is reasonably comprehensive, and generally addresses the important sequences identified in other PWR PRAs.
We also independently reviewed key sequences analyzed in the SHNPP IPE to identify important actions. Most of the important actions identified from our review of the key sequences were quantified and included by the licensee in the IPE model.
Based on these findings, we conclude that the licensee employed a reasonably comprehensive and thorough process to identify and select important post-initiator human actions for quantification in the IPE model.
2.3.3 Screening Process for Post-Initiator Response Actions.
The submittal does not discuss pre-screening of post-initiator actions.
Apparently, none was performed.
However, as part of the assessment of dependencies, a quantification was performed with all HEPs set to 1.0 in order to assure that failure to account for dependencies in the initial quantification did not result in truncation of important sequences.
This analysis is discussed below in Section 2.3.4.3.
2.3.4 Quantification of Post-Initiator Human Actions.
The primary methodology used for quantification of post-initiator actions is the EPRI methodology described in Reference 3. In the EPRI methodology, each post-initiator action is considered as a combination of a "cognitive" part and an "execution" part.
Often the HEP estimate is dominated by the cognitive portion. Two methods are presented in Reference 3 for assessing the cognitive part of the action.
One is the use of time reliability curves based on data from EPRI-supported simulator exercises.
The other is a decision-tree based assessment which focuses on underlying causal mechanisms for the human errors being assessed.
The EPRI methodology does not include a separate technique for quantification of execution errors, but instead recommends existing methods such as THERP or ASEP.
The SHNPP HRA employed the "cause-based" methodology for the cognitive portion and THERP/ASEP for the execution portion. Forty-two post-initiator response-type actions were included in the IPE model.
Only seventeen of these operator actions appeared in core damage cutsets.
Those seventeen are listed in Table 2-2 below. Twelve recovery actions were credited.
The quantification of recovery actions is discussed in Section 2.3.4.4 below, and the actions are listed in Table 2-4 in that section.
Table 2-2 Post-Initiator Response Actions Appearing in Core Damage Cutsets

ACTION    HEP        DESCRIPTION                                                          TIME AVAIL./TIME REQ'D.
OPER-1    1.2E-03    Operator fails to establish recirculation (LHSI, Large LOCA)         1 hr./seconds
OPER-3    1.85E-03   Operator fails to implement feed-and-bleed cooling                   45 min./seconds
OPER-35   5.3E-03    Operator fails to manually start AFW pump                            1 hr./seconds
OPER-30   7.0E-03    Operator fails to establish long term injection source               1 hr./30 min.
OPER-11   3.3E-03    Operator fails to switch instrument bus to backup AC power supply    40 min./30 min.
OPER-9    1.?E-03    Operator fails to initiate RCS cooldown to use LPSI (SBLOCA)         2 hrs./seconds
OPER-17   5.2E-04    Operator fails to establish recirculation (HHSI)                     1 hr./seconds
OPER-21   4.?E-03    Operator fails to establish shutdown cooling                         45 hrs./30 min.
OPER-42   1.0E-01    Operator fails to align CSIP suction for SI                          seconds/seconds
OPER-41   1.25E-03   Operator fails to initiate RCS cooldown to use LPSI (SGTR)           2 hrs./seconds
OPER-25   1.0E-02    Operator fails to manually start equipment (auto start fail)         seconds/seconds
OPER-39   3.7E-03    Operator fails to realign AFW after spurious isolation               40 min./seconds
OPER-4    2.?E-03    Operator fails to open containment sump valves during recirc         15 min./seconds
OPER-2    1.8E-03    Operator fails to isolate one low pressure injection line            30 min./seconds
OPER-14   1.25E-03   Operator fails to manually start EDG                                 2 hrs./seconds
OPER-43   2.65E-03   Operator fails to align offsite AC (non vital battery no output)     1 hr./seconds
OPER-26   1.4E-03    Operator fails to control SG levels                                  30 min./continuous

(? = digit not legible in the scanned copy.)
2.3.4.1 Consideration of Timing. In some post-initiator operator actions, timing - time available vs. time required by the operators - is a critical determinant of likelihood of success.
It is important to assure that the licensee's process for estimating both time available and the time necessary for operators to complete the required actions takes into account plant-specific conditions and provides realistic estimates.
Plant-specific phenomenological analysis (accident analysis computer codes) should be used to determine the available time.
Actual measurements using currently licensed operators in realistic walk-throughs or control room simulator exercises are a preferred approach for estimating expected/necessary operator response time. Especially for local actions outside of the control room, it is important to assess time to get to the equipment, accessibility, possible impacts on timing of special clothing or environmental factors, etc.
Guidance in ASEP and THERP is that estimates based on operator judgment alone should be multiplied by a factor of two.
As indicated above, the EPRI methodology treats each response action as consisting of two separate but related parts: a "cognitive" part involving detection, diagnosis and decision making, with a failure probability p_c; and an "execution" part involving performance of the manual actions per procedures, with failure probability p_e. Timing of operator response affects the overall HEP primarily through its impact on p_c. The primary approach for estimating p_c presented in Reference 3 is the "time correlation" methodology using data from EPRI-sponsored Operator Reliability Experiment (ORE) Program simulator exercises.
In the SHNPP HRA, p_c was evaluated using the alternate "cause-based" approach, which treats timing in a less direct manner.
The cause-based approach involves the identification and evaluation of situation-specific error conducive factors. It was guided by an analysis of errors observed in the ORE program and elsewhere but does not involve an empirical time-reliability correlation.
Timing is considered in the analysis as it impacts basic causal mechanisms and, especially, as it impacts possibilities for recovery mechanisms, but is not a direct parameter in the estimation of the HEP. For example, one potential failure mechanism is "data not attended to," and one cause for this failure mechanism is high workload. Time required vs. time available might influence the evaluation of workload, and thus, indirectly, the probability of failure. A possible recovery mechanism for data not attended to is a specific procedure requirement subsequent to the action to check plant status or otherwise verify that the correct action had been taken earlier.
The viability of that recovery mechanism might depend on the time available to obtain the necessary confirmation and then perform corrective action upon discovery of the original error. This approach is discussed further in the following paragraph on consideration of plant-specific factors.
The submittal notes that for the SHNPP analysis, a time line was developed for each cognitive action assessed.
The initial cue that alerts the crew to the need for a response and the specific procedural instructions related to the response were noted.
The time lines were used to verify that the action could be performed and to justify credit taken for recovery actions.
The submittal notes that simulator exercises performed specifically for the SHNPP HRA "provided information on the amount of time needed to go through various procedures," but does not state clearly the basis for specific time estimates, and does not discuss specific results or insights from the simulator exercises.
The time available for each action is tabulated in the submittal.
Estimated actual performance time is not provided.
In response to the NRC RAI, the licensee provided estimated required time for each response action.
Note that those time estimates were included in the listing of the seventeen actions in Table 2-2. Our comparison of the time available to time required for all 42 response actions indicated that in all cases, the time available is equal to or greater than the estimated time required.
Several actions modeled are memorized immediate responses per EOPs; both time available and time required in those cases are listed as "seconds".
In most other cases, the time available substantially exceeds the time required.
One exception is OPER-11, "Operator fails to switch instrument bus to backup AC power supply," for which the available time is 40 minutes and the required time is 30 minutes.
In cases such as this, it is prudent for the licensee to assess the timing and the action involved more carefully to assure that credit for operator action is appropriately conservative.
It appears that in the case of SHNPP, the licensee did investigate such actions more closely for out-of-control-room actions.
The licensee's response to the NRC RAI noted that the majority of response-type and recovery-type actions credited in the IPE are performed in the main control room, that in-control-room response times usually are relatively short (and, we would add, less variable than out-of-control-room actions), and detailed analysis of timing was not required.
The licensee states that for the few ex-control-room actions credited, interviews were conducted with the plant personnel who would perform the actions to determine the estimated response times. If the action could be accomplished in a small fraction of the available time, then no further investigation was made.
For actions which involved more extensive equipment manipulations, walkdowns were performed to provide additional assurance that there were no unique local factors which could impact the response time.
These walkdowns involved the HRA analyst, a PRA analyst, a senior reactor operator and other personnel as necessary to evaluate specific actions.
The licensee's response did not include a listing of required time for recovery actions, so we were unable to compare the required vs. available time. In general, the available time for recovery actions was relatively long.
Operator failure to manually start RHR pumps in a medium LOCA sequence (OPER-R7) must be accomplished within 15 minutes.
Two other recovery actions - OPER-R3, "Operator fails to restore main feedwater (MFW), and OPER-R4, "Operator fails to align MFW following a safety injection," must be accomplished within 30 minutes.
An hour or more is available for all other recovery actions.
Interestingly, these three recovery actions with the shortest time available have lower HEP estimates than most of the other recovery actions, values typical of response-type actions.
Details of the actions were not available for review.
Presumably, these are in-control-room actions, or per the licensee's statement, required time was only a fraction of the available time.
2.3.4.2 Consideration of Other Plant-Specific Performance Shaping Factors.
As indicated above, the EPRI methodology treats each post-initiator action as a combination of two types of actions - cognitive and execution.
Each part is treated independently, and the total failure probability p is calculated from p_c, the probability of failure in the cognitive action, and p_e, the probability of failure in the execution action(s):

p = p_c + p_e - p_c * p_e

Plant-specific and sequence-specific/situation-specific factors can influence both p_c and p_e.
Effective use of the alternate cause-based approach to estimate p_c requires the analyst to obtain, understand and evaluate a substantial amount of information regarding plant and sequence/situation specific influences such as the quality and availability of information from displays and annunciators, training, procedures, operating policies, etc.
The methodology requires/permits the HRA analyst to evaluate, using decision trees and associated guidance, eight different mechanisms for failure, each of which has different combinations of influencing factors and recovery factors.
Thus, the method has the potential to guide the analyst through an in-depth and comprehensive assessment of the performance shaping factors of interest.
Of course, the "accuracy" of the estimated HEP and, perhaps more importantly, the insights gained about human performance, are highly dependent on the rigor of the analysis (which is difficult to assess from a document-only review).
With regard to the estimates for p_e, which were obtained using tables from the THERP Handbook (Ref. 2), the submittal states that, "The most commonly used were Table 20-7 for errors of omission and Table 20-12 for errors of commission. Recovery factors were applied where appropriate, and THERP or fault trees were employed as necessary to determine the overall HEP." The submittal also states that once risk significant human interactions had been identified, walkdowns were performed, including verification of accessibility of equipment and transit times for local actions outside the control room.
No further details are provided.
The submittal is intended to be a summary document and does not contain sufficient detail to obtain a sense of the level of rigor. Supplemental information provided by the licensee in response to the NRC RAI, including examples of calculations for nine significant HEPs, provided sufficient information for us to conclude that the licensee's approach included reasonable consideration of plant-specific factors influencing the probability of human error.
The licensee's response states that plant-specific information was obtained by performing talk-throughs and walkdowns of specific human actions.
Initially, visits to the training center were made to familiarize the analysts with the plant staff's use of emergency and abnormal operating procedures.
Following an initial desktop analysis of operator actions, several visits were made to the simulator and to the plant to perform walkdowns of complex operator responses.
Photographs of the control panels were available for the HRA analysts' use, and telephone conversations with plant staff were used to clarify specific issues related to interpretation of procedures and performance of operator actions.
The licensee notes (as we indicated above) that the EPRI methodology "requires" a substantial amount of plant-specific details on procedures, complexity of action, location of indications, etc.
The licensee also states that in applying THERP the SHNPP analysis considered the following performance shaping factors:
- Stress - directly modified basic HEPs
- Crew structure - normal complement was assumed and was used to address the availability of staff in times of high workload
- Time available - impacts the possibility of recovery from initial mistakes or slips (whether or not credit is taken for recovery, e.g., reduce the HEP by 0.1)
- Training - considered both as it provides necessary skills and as a means for establishing priorities between several potential concurrent requirements
- Procedure quality
- Panel/Equipment layout - for out-of-control-room actions; used to select basic HEP from appropriate THERP table.
Our review of the nine sample calculations indicates that the THERP analysis consisted primarily of selection of the basic HEP for an error of commission/omission from THERP Table 20-12, "Estimated probabilities of errors of commission in operating manual controls,"
and Table 20-7, "Estimated probabilities of errors of omission per item of instruction when use of written procedures is specified," respectively, and multiplying those basic HEPs (or not multiplying them) by a recovery factor of 0.1 (presumably for non-proceduralized checking by other crew members).
The above performance shaping factors explicitly or implicitly are addressed in using these tables with some degree of case-by-case evaluation.
The nine example calculations illustrate the implementation of the EPRI cause-based approach showing the quantitative assessment based on consideration of plant-specific shaping factors on a case-by-case basis.
The description of the operator action and the summary discussion of the analysis provided from "tier 2" information provide substantial evidence of plant-specific and case-by-case evaluation of key factors influencing each operator action.
Additional evidence of plant-specific evaluation was provided by the licensee's response to an NRC RAI requesting additional information on the use of simulator exercises.
The use of simulator exercises was noted in the submittal, but not discussed in any detail.
The licensee's response indicated that the simulator exercises involved observation by the HRA analysts of normal periodic requalification training for currently licensed operators.
Some adjustments were made to the training scenarios based on input from the HRA analysts about key operator actions of interest.
Training exercises observed were unrehearsed.
Besides general information on control room crew response, examples of specific information from these observations that was used in the HRA included timing of specific operator actions, identification of specific conditions by multiple crews (indicating a high probability of diagnosis/detection), lack of hesitation in operator response to the specific action in question, and lack of problems in multiple crews performing complex, manual control actions.
These examples indicate effective use of the simulator exercises to supplement and confirm assumptions and plant-specific analysis conducted for the HRA.
2.3.4.3 Consideration of Dependencies.
An important concern in HRA is the determination of how the probability of success or failure on one human action may be related to success or failure on another.
Human behavior typically is highly dependent on the context in which the performance takes place - success or failure on a preceding action, performance of other team members in parallel or related actions, assumptions about the expected level of performance of other team members based on past experience, and many other factors.
The human error probability estimates for HRA are conditional probabilities. If dependencies are not specifically accounted for, and HEPs are treated as independent, the probabilistic combination of HEPs can lead to an unrealistically low estimate of human performance overall (i.e., of the joint human error probability), and to a significant underestimate of risk.
Probably the most significant impact on the estimated HEP is from dependencies among multiple human actions modeled in event trees (or as in the case of SHNPP, in the top-logic fault trees).
The approach used to address this type of dependency in the SHNPP HRA has been used in previous IPEs (primarily those performed by or guided by G. Parry of NUS). It employs a quantitative framework adapted from the THERP handbook model, which increases the HEP as the degree of dependency increases, along with fairly comprehensive guidance for the analyst to qualitatively assess the degree of dependency.
The dependency model is reasonably well documented within the submittal. Highlights of some of the guidance are provided in Table 2-3 below.
The model is applied to address multiple response actions within a sequence/cutset.
The submittal also notes (page 2-11) that the recovery analysis included "explicit consideration of the potential dependencies of the recovery action with the other human reliability events in the sequence."
This latter consideration usually has been overlooked in previous IPEs reviewed.
The mechanics of applying the dependency model to sequences with multiple operator actions involved first setting all operator action probabilities, including those added as recovery actions, to 1.0 so that no credit was taken for human actions in those sequences.
In most cases cutsets with multiple dependent actions were still below the 1E-08 cutoff for sequence contribution to CDF, and no further analysis was performed.
For those dependent action combinations contained in cutsets above the 1E-08 cutoff, a flag event was added to the cutset which adjusted the cutset frequency to the proper value based on the dependency model.
We consider this overall approach to be a reasonable treatment of dependencies of top-level human actions.
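As an added illustration (not the licensee's or this report's code), the following Python script carries through the two-step cutset treatment just described together with the HEP combination p = p_c + p_e - p_c*p_e from Section 2.3.4.2. It assumes the standard THERP handbook (NUREG/CR-1278) conditional-HEP equations as a stand-in for the licensee's adapted dependency model, uses the position-based default levels from Table 2-3, and the hardware failure frequency in the sample cutset is constructed; the two HEPs come from Table 2-2.

```python
"""Worked example: dependent post-initiator HEPs in a cutset (added illustration).

Not the licensee's code. The dependence equations are the standard THERP
handbook (NUREG/CR-1278) formulas, assumed here to stand in for the
licensee's adapted dependency model.
"""
from math import prod

# Truncation cutoff for cutset contribution to CDF, as stated in the report.
CUTOFF = 1.0e-8

# THERP dependence levels, lowest to highest (Table 2-3 of the report).
LEVELS = ("ZERO", "LOW", "MEDIUM", "HIGH", "COMPLETE")


def combine_hep(p_c: float, p_e: float) -> float:
    """Total HEP from the cognitive and execution parts: p = p_c + p_e - p_c*p_e."""
    return p_c + p_e - p_c * p_e


def conditional_hep(p: float, level: str) -> float:
    """HEP of an action given failure of the preceding action (THERP equations, assumed)."""
    if level == "ZERO":
        return p
    if level == "LOW":
        return (1.0 + 19.0 * p) / 20.0
    if level == "MEDIUM":
        return (1.0 + 6.0 * p) / 7.0
    if level == "HIGH":
        return (1.0 + p) / 2.0
    if level == "COMPLETE":
        return 1.0
    raise ValueError(f"unknown dependency level: {level!r}")


def default_levels(n_actions: int, second_action_level: str) -> list:
    """Dependency level for each human action after the first in a cutset.

    Table 2-3, items 4 and 5: absent other factors and with no intervening
    successes, the third human action in a cutset is MEDIUM and the fourth is
    HIGH (later actions assumed HIGH too). The second action's level is
    analyst-assigned and must be supplied.
    """
    levels = [second_action_level]
    for position in range(3, n_actions + 1):
        levels.append("MEDIUM" if position == 3 else "HIGH")
    return levels


def joint_hep(heps: list, levels: list) -> float:
    """Joint failure probability: first action nominal, each later one conditional."""
    if len(levels) != len(heps) - 1:
        raise ValueError("need one dependency level per action after the first")
    joint = heps[0]
    for p, level in zip(heps[1:], levels):
        joint *= conditional_hep(p, level)
    return joint


def screen_cutset(hardware_freq: float, heps: list, levels: list) -> dict:
    """Two-step treatment described in Section 2.3.4.3.

    Step 1: set every HEP in the cutset to 1.0 (no credit for operator
    action); if the bounding frequency is still below CUTOFF, no dependency
    analysis is needed and the independently quantified value stands.
    Step 2: otherwise compute the dependent joint HEP and the multiplicative
    'flag event' that corrects the independent cutset frequency to it.
    """
    bounding_freq = hardware_freq  # every HEP replaced by 1.0
    independent = prod(heps)
    if bounding_freq < CUTOFF:
        return {"screened_out": True,
                "frequency": hardware_freq * independent,
                "flag_event": 1.0}
    dependent = joint_hep(heps, levels)
    return {"screened_out": False,
            "frequency": hardware_freq * dependent,
            "flag_event": dependent / independent}


if __name__ == "__main__":
    # Constructed cutset: an assumed hardware failure frequency of 2.0E-06/yr
    # with OPER-35 (manual AFW start, 5.3E-03) followed by OPER-3
    # (feed-and-bleed, 1.85E-03), both taken from Table 2-2; the analyst
    # assigns HIGH dependency to the second action.
    print(screen_cutset(2.0e-6, [5.3e-3, 1.85e-3], default_levels(2, "HIGH")))
    # For comparison, a cognitive/execution pair combined into one HEP.
    print(combine_hep(0.01, 0.005))
```

Run as written, the sample cutset survives the bounding check (2.0E-06 is above the cutoff) and its frequency rises from about 2.0E-11 (independent) to about 5.3E-09 once the HIGH-dependency flag event is applied.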
2.3.4.4 Quantification of Recovery Actions. As noted previously, HEP values for recovery actions were, in general, determined using the same methods as described above for the response actions.
Recovery actions were identified during review of cutsets after quantification using the nominal HEPs for both pre-initiators and post-initiators.
Credit for recovery actions was taken by adding the action directly to the cutset.
Table 2-3 Highlights of SHNPP Human Action Dependency Model

1. Following the THERP model, the failure probability for a human action, given failure of a preceding action, is increased as the degree of dependency (ZERO, LOW, MEDIUM, HIGH, COMPLETE) is increased.
2. For actions with distinct cues, the degree of dependency is higher for actions closer together in time; the time relationship is different for high stress vs. low stress situations.
3. COMPLETE dependency is assigned for actions which are assumed to be one, or identical, or actions which are immediately consecutive or are alternative responses called out by procedure in response to the same set of cues.
4. HIGH dependency is assigned for: an operator action which is the direct consequence of the immediately preceding one; actions occurring closely in time; an action which has a high workload or an obscured cue; two actions taking place nearly simultaneously and directed by a common procedure reader; cases in which failure to perform an action causes a significant reduction in the time window available for the subsequent action; operator actions which are the fourth human action in a cutset (with no intervening successful actions and assuming no additional factors to reduce dependency).
5. MEDIUM dependency is assigned for operator actions which are the third human action in a cutset (with no intervening successful actions and assuming no additional factors to reduce dependency).
6. LOW dependency is assigned for items occurring in the same time frame, but having different operators responding to different cues, or directed by different people considered to have low dependence.
7. ZERO dependency (independence) is assigned for: actions of two different operators when the action in question is a memorized immediate action; operator actions in which failure of one action is separated from failure of the other action by successful performance; cases in which failure of one action increases the likelihood of success on the subsequent action by removing alternative actions.
The submittal states that all recovery actions credited were proceduralized, though some were not in the Emergency Operating Procedures.
Those that were not in the EOPs were assigned a higher failure probability p_c for the cognitive portion of the action, based on the analysts' judgment that the "crew must think independently of these procedures and use diagnostic rather than symptom based reasoning."
Assigning a higher failure probability when the necessary instructions are not embedded in the procedure directly in use is reasonable, though there is little firm basis for the amount of the adjustment, and no quantitative values are provided as examples in the submittal. The majority of the recovery actions credited are local actions taken outside of the control room. The submittal and the licensee responses to the NRC RAI indicated that walkdowns of risk significant local actions were performed; in particular, where time available was not substantially greater than the estimated time required.
Four visits to SHNPP were conducted by the HRA analysts.
The licensee states that walkdowns of individual operator actions typically included timing verifications for local actions, discussion with operator or other personnel responsible for the actions, an assessment of local conditions, panel layouts, equipment labeling, accessibility and other factors which could influence the HEP. As indicated previously, potential dependency between recovery actions and other human actions in the sequence was addressed explicitly.
Overall, we consider the approach to treatment of post-initiator recovery actions to be reasonable.
A documented systematic approach was used.
Credit was restricted to actions addressed by procedures, and lower credit was given to actions not identified in EOPs but only in "lower level" procedures.
Local actions out of the control room were addressed and apparently evaluated by walkdowns. A listing of the 12 recovery actions identified in the submittal is provided in Table 2-4 (Table 3-34 in the submittal).
Time available for action was included in the submittal. The estimated time required for action was not provided in the submittal or in the licensee's response to the NRC RAI.
One area that required clarification was the treatment of recovery of offsite power.
This is a significant recovery action for SHNPP and most PRAs.
Varied approaches have been used to assess the combination of equipment failures and human error involved. The submittal notes that the offsite power recovery assessment is based on "industry data" but cites no source and provides essentially no information on the analysis. It does indicate that no credit was taken for repair of equipment, and that human actions to recover offsite power are treated as independent from other human action in the sequence because the actions (which is not unreasonable).
In its response to the NRC RAI, the licensee indicated that the industry data source was NSAC-166, which has been used in other PRAs.
These data implicitly combine human error with equipment failure probabilities, and no separate human error analysis was conducted.
This approach has been used in other PRAs, and in our view is a reasonable approach for quantifying recovery of offsite power.

Table 2-4 Recovery Actions

| Action | HEP | Description |
|---|---|---|
| OPER-R1 | 1.0E-02 | Operator fails to locally align offsite AC (late, no DC) |
| OPER-R2 | 1.0E-02 | Operator fails to locally align offsite AC (early, no DC) |
| OPER-R3 | 5.85E-03 | Operator fails to restore MFW |
| OPER-R4 | 9.1E-03 | Operator fails to align MFW following SI |
| OPER-R5 | 3.1E-03 | Operator fails to manually align alternate HHSI path |
| OPER-R6 | 5.0E-02 | Operator fails to align swing pump (CCW or HHSI) |
| OPER-R7 | [illegible] | Operator fails to manually start RHR pumps (Medium LOCA-injection) |
| OPER-R9 | 1.0E-01 | Operator fails to locally align offsite AC for backfeed |
| OPER-R14 | 1.0E-01 | Operator fails to locally align offsite AC (breaker fail-to-open, early) |
| OPER-R15 | 1.0E-01 | Operator fails to locally align offsite AC (breaker fail-to-close, early) |
| OPER-R16 | 1.0E-01 | Operator fails to locally align offsite AC (breaker fail-to-open, late) |
| OPER-R17 | 1.0E-01 | Operator fails to locally align offsite AC (breaker fail-to-close, late) |

Time available (column as scanned, in order; only eleven entries are legible for the twelve actions, so the row assignment of the last entries is uncertain): 15 hrs., 15 hrs., 30 min., 30 min., 1 hr., 15 min., 8 hrs., 10 hrs., 1.5 hrs., 1.5 hrs., 13 hrs.
2.3.4.5 Treatment of Operator Actions in the Internal Flooding Analysis.
Discussions of initiating sequences and sequence delineation for the analysis of internal flood identify operator actions that were credited as part of the analysis.
The submittal notes (page 3-64) that, "The evaluation of human errors in the models was completed with full consideration of both the human errors associated with flood sequences and the possible limitations on actions imposed by the flood itself." However, we were not able to identify specific operator actions and associated HEPs. The licensee's response to the NRC RAI states that credit was taken in the flooding analysis for operator action to identify and isolate large service water piping breaks, and that these breaks are the only internal flooding sequences evaluated which require operator action.
The licensee further states that "Abnormal Operating Procedures (AOPs) direct the operator to immediately isolate the affected header.
For large service water pipe breaks, the operators would have immediate indications of the problem through the alarms in the service water system and in the sumps in the pipe tunnel. Local visual verification and diagnosis of the problem should reasonably be expected.
A response time of 47 minutes for the largest size break in the service water piping tunnel (122,000 gpm) is available before a critical depth is reached which fails the motor-driven AFW pumps.
Based on procedural direction and available response time, a [1.0E-02] value is used for the HEP to isolate the leakage source for piping breaks in the service water piping tunnel. For breaks on the 236 ft. level of the reactor auxiliary building, a [1.0E-01] value is used. For lesser size breaks (60,000 gpm), up to 23 hours is available for isolation of the break, and an HEP of 5E-03 is therefore used."
While this assessment consists essentially of qualitative review and judgment of the analysts, the HEP values selected and the rationale provided appear to be reasonable.
2.3.4.6 Treatment of Operator Actions in the Level 2 Analysis.
Our review of the submittal identified at least two potentially significant operator actions that were credited in the containment event tree (CET) representing plant behavior after core damage (back-end analysis).
However, there was no discussion of operator actions credited in the back-end analysis.
The licensee's response to the NRC RAI stated that there were three operator actions identified in the CET. The quantification process described by the licensee consisted of qualitatively judging the probability of the human action to be "likely" or "unlikely", and assigning an "arbitrary" quantitative value (e.g., 0.9 or 0.1) based on that qualitative judgment.
The licensee states that qualitative analysis considered available information, procedures, timing, required action "and other factors". As part of its response to the NRC RAI, the licensee provided a summary description of each of the three actions credited and the rationale for determining whether the action was considered likely or unlikely.
Abbreviated summaries of the actions are provided below:
- OPER-IV. Depressurization of the Reactor Coolant System (RCS) prior to Reactor Pressure Vessel (RPV) failure in order that low pressure injection can provide RCS makeup and arrest the progression of the accident while the RPV is still intact.
Judgment of the likelihood of operator action was based on a review of the NUREG-1150 Sequoyah analysis, with modifications for Shearon Harris. In particular, the Sequoyah analysis assumed that failure to depressurize in the post-core-damage time frame was completely dependent on failure to depressurize earlier in the sequence when depressurization is called for as part of initiating bleed-and-feed cooling, while the Shearon Harris analysis assumed two actions were not dependent.
The argument for independence is based on the separation in time and the use of two different procedures.
Based on the qualitative assessment, failure to depressurize was considered unlikely and was assigned an HEP of 0.1.
The limited discussion provided by the licensee suggests a reasonable qualitative review and justification for assignment of this HEP value.
- OP-H2REC. Operator action to preclude a late hydrogen burn following restoration of containment cooling. A high steam concentration in containment precludes hydrogen burns.
Restoration of containment cooling reduces steam concentration and therefore enhances the potential for hydrogen burn.
Current procedures do not provide guidance for operators to address this increased likelihood when containment cooling is recovered, though accident management guidance and procedures are expected to provide such guidance.
In the IPE, failure to preclude late hydrogen burn was considered likely and was assigned a probability of 0.9. While it is not uncommon to simply assume failure (HEP=1.0) in such cases, the assumed failure probability of 0.9 is not substantially lower than 1.0, and may in fact be more "realistic" given that the issue has been identified in the IPE and, presumably, reviewed with operators.
- RECPROB. Operator action to recover containment cooling given AC power is available and given that the loss of containment cooling is due to equipment failure.
Restoration of containment cooling decreases the likelihood of containment failure due to overpressure.
The time available for restoration of cooling is on the order of 30 hours for the most limiting case.
Typically, a relatively low HEP would be assigned when the time available is this long.
The licensee, in fact, cites an EPRI study showing that the probability of restoration of equipment is relatively high (80% of equipment failures in the study could be restored within 2 hours).
However, the licensee assigned an HEP of 0.80 for this action, citing the adverse environment and conditions that may hinder restoration of equipment following a severe accident.
Note that the assignment of a high failure probability is not necessarily conservative, since as noted above restoration of containment cooling can increase the likelihood of hydrogen burns late in the sequence.
It is appropriate for the licensee to address the impacts of the severe environment on the probability of failure to restore equipment.
Based on the limited information in the licensee's response it is not possible for us to "second-guess" the licensee's judgment regarding the failure probability assigned.
It may have been more reasonable for the licensee to address the issue with a limited sensitivity study using a range of values.
However, the overall process used by the licensee to consider qualitatively the impacts on human performance and then assign a quantitative value is not unusual or unreasonable for treatment of post-core-melt actions.
2.3.4.7 GSI/USI and CPI Recommendations.
The licensee's consideration of generic safety issues (GSIs) and unresolved safety issues (USIs) and of containment performance improvements (CPI) recommendations are the subject of the front-end review, and back-end review, respectively.
The licensee addressed diverse means of decay heat removal (DHR) in the IPE proposed resolution of unresolved safety issue (USI) A-17 related to internal flooding.
The front-end reviewer identified a number of plant-specific design features that impact directly or indirectly decay heat removal.
Among these features are several, e.g., semi-automatic switchover of ECCS from injection to recirculation, and isolation of main feedwater following a normal plant trip, which have significant impact on operator actions.
Our review of the licensee's discussions and of the front-end reviewer comments identified no unique issues associated with the HRA that relate to the licensee's treatment of GSIs or USIs.
The back-end reviewer noted that the licensee did not directly address CPI recommendations in the submittal. Additional information was supplied by the licensee in response to an NRC RAI. There are no apparent HRA issues related to the licensee's discussion of the CPI recommendations.
2.4 Vulnerabilities, Insights and Enhancements
2.4.1 Vulnerabilities.
The licensee did not provide a specific definition of a vulnerability, but instead used (page 3-250 of the submittal) "both qualitative and quantitative criteria in successive levels of screening to drive the assessment of possible enhancements."
The screening was performed by a team of CP&L staff knowledgeable in plant operation, training, technical support, engineering, licensing and PRA analysis. The criteria used in the screening focused on identification of cost-effective improvements that reduce or eliminate the important vulnerabilities and were intended to be responsive to general guidance in Generic Letter 88-20 and NUMARC 91-04. Sequences with estimated core damage or containment bypass frequency exceeding certain quantitative values, or sequences contributing more than a certain percentage of total CDF, are addressed by a layered series of actions, such as administrative, procedural or hardware modifications to reduce the likelihood of the accident initiator, modifications to EOPs to prevent core damage, or implementation of severe accident management guidelines to prevent/mitigate vessel or containment failure. Application of these criteria after the initial model quantification identified a high contributor to core damage from the plant non-vital DC system, which is discussed further in Section 2.4.3 below.
2.4.2 IPE Insights Related to Human Performance.
The total core damage frequency (CDF) estimate for SHNPP is 7.0E-05 per yr. The licensee followed the reporting criteria in Appendix A of Generic Letter 88-20 and NUREG-1335 for potentially important sequences.
Small LOCA and Station Blackout are the largest contributors to core damage (34% and 26%, respectively).
Transient with loss of decay heat removal contributes 11%.
Table 2-5 lists CDF contributions by functional sequence.
Numerical results from importance calculations were not presented in the submittal.
Response-type operator actions were identified in order of their importance to CDF, and the 17 actions in core damage cutsets were presented previously in Table 2-4. The submittal did not identify the methodology used to assess importance and did not provide importance rankings which included pre-initiator actions and recovery actions.
In response to guidance in NUREG-1335 (paragraph 2.1.6.6) the submittal identified sequences which were below the cutoff of 1.0E-6 but would have been above the cutoff were it not for credit taken for human action.
Thirteen sequences were identified which would have been above 1.0E-6 if the HEPs in the sequence were increased to 0.1. A brief description of the sequence and the dominant human actions is provided in the submittal.
Table 2-6 summarizes these sequences, the operator actions, and the impact of the lower HEPs on CDF. It is evident that credit taken for operator actions in these sequences substantially reduces the estimated CDF. The submittal provides no insights regarding this reported study.

Table 2-5 CDF Contribution by Sequence

| Sequence | CDF Contribution |
|---|---|
| 1. Station Blackout | 26% |
| 2. Small LOCA - Injection failure | 17% |
| 3. Small LOCA - Recirculation failure | 17% |
| 4. Transient with loss of Decay Heat Removal | 11% |
| 5. Internal Flooding | 7% (not legible in the scan; 7% per the Appendix D summary) |
| 6. ATWS at Beginning of Life | 6% |
| 7. Medium LOCA - Recirculation failure | 3% |
| 8. Large LOCA - Recirculation failure | 3% |
| 9. Other | 10% |
From the summary information in Table 2-6, it appears that there were cases in which more than one operator action was credited in a sequence, and the actions were assumed to be independent.
In those cases, caution should be taken to assure that the assumption of.independence is valid and the substantial reduction in CDF is warranted.
In response to an NRC RAI, the licensee clarified that the importance calculations were performed using the Fussell-Vesely importance measure, and identified the Fussell-Vesely rankings for all operator actions included in core damage cutsets. Thirty-five actions are listed.
The top twenty ranked (all actions with Fussell-Vesely importance greater than 1E-04) are listed in the summary data attached as Section 4 to this report.
The RAI also requested, and the licensee provided, brief discussions of general insights regarding significant human actions.
The licensee's response noted that two operator actions were identified in sequences above the cutoff for consideration of 1E-06/yr. These two were OPER-3, operator fails to establish feed-and-bleed cooling, in sequence TBU, and OPER-1, operator fails to establish component cooling water to residual heat removal (RHR) heat exchangers during recirculation, in sequence S1X.
Operator actions associated with recovery of offsite power also were cited as significant, due to the fact that station blackout is an important contributor to CDF. (Note that the model for recovery of offsite power uses "global" data combining equipment and operator failures, and does not address individual operator actions.)
The pre-initiator human error LOPERRWST, mispositioning the RHR pump test valve, is cited by the licensee as significant. It affects both trains of low pressure safety injection.

Table 2-6 Functional Sequences Screened Due to Human Error Probabilities Less Than 0.1

(The columns are listed in the order scanned; the row alignment between columns could not be fully recovered from the scan, and "?" marks a digit that is not legible.)

First page of the table:
Sequence: Transient Induced LOCA-TQUP; Small LOCA S1PX; Small LOCA S1UP; SGTR-RPY; Transient Induced LOCA TQGXD; ATWS
Dominant Human Action: Failure to initiate RCS cooldown; Failure to initiate RCS cooldown and depressurization; Establish recirculation and RWST makeup; Failure to initiate RCS cooldown; Failure to initiate RCS cooldown and depressurization; Failure to align for refill of RWST; Failure to close PORV block valve; Failure to align for long term shutdown cooling (ATWS); Failure to manually trip reactor (ATWS)
HEP: 1.?E-03; 1.5E-03; 5.2E-04; 1.5E-03; 1.25E-03; 7.0E-03; 7.5E-04; 4.5E-03 (ATWS); 1.0E-04 (ATWS)
CDF: 5.5E-0?; 2.1E-07; 1.2E-07; 5.75E-0?; 1.0E-0?; <1.0E-0? (ATWS)
CDF with HEP=0.1: 3.6E-04; 1.7E-04; 1.1E-04; 1.0E-04; 3.5E-05; 1.5E-05 (ATWS)
Comment: EOP/FRP Action; EOP actions, Assume No Dependency; EOP/FRP action; EOP actions; Assume no dependency; No credit for other shutdown means (complete dependence) (ATWS)

Second page of the table:
Sequence: Transient Induced LOCA-TQUP; Transient TBX (failure of secondary-side heat removal and feed-and-bleed); Transient Induced LOCA-TQUGD; SGTR-RUP; Transient Induced LOCA-TQPX; Small LOCA - S1GXD; SGTR-RWGY; SGTR-RWPY
Dominant Human Action: Failure to initiate RCS cooldown; Failure to align HHSI for recirculation; Failure to align makeup to RWST; Failure to initiate RCS cooldown and depressurization; Failure to align makeup to RWST; Failure to align makeup to RWST; Failure to align RHR for DHR; Failure to initiate RCS cooldown and depressurization; Failure to align makeup to RWST
HEP: 1.5E-03; 5.2E-04; 7.0E-03; 1.25E-03; 7.0E-03; 7.0E-03; 4.5E-03; 1.25E-03; 7.0E-03
CDF: 5.5E-0?; 7.1E-0?; 3.6E-07; 6.4E-0?; <1.0E-0?; 4.0E-0?; 1.0E-0?; <1.0E-0?
CDF with HEP=0.1: 3.6E-04; 1.5E-05; 1.0E-05; 7.2E-06; 6.4E-06; 4.4E-06; 2.1E-06; 1.53E-06
Comment: EOP/FRP Action; Combined action includes makeup to RWST (EOP action); EOP action; EOP action; EOP action; EOP action; EOP action; EOP actions, Assume no dependency
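The three calculations discussed above (the Fussell-Vesely ranking of operator actions, the NUREG-1335 screen that raises every credited HEP to 0.1, and the effect of the independence assumption between two credited actions) as an added worked example; this is not code from the licensee's IPE or from this review, and every frequency and HEP in it is constructed, with only the sequence labels (TQUP, S1PX, TBU, S1X, TBX) borrowed from the report's naming.

```python
"""Added example: F-V importance, the HEP=0.1 screen and the dependence check
for a handful of constructed functional sequences (not the report's data)."""
from dataclasses import dataclass, field, replace

CUTOFF = 1.0e-6  # NUREG-1335 reporting cutoff, per reactor-year


@dataclass
class Sequence:
    name: str
    hardware_freq: float                      # initiator x equipment failures, per yr
    human_actions: dict = field(default_factory=dict)  # action name -> HEP
    dependent: bool = False                   # complete dependence between the actions


def combined_hep(heps, dependent):
    """Probability that all credited operator actions in a sequence fail."""
    if not heps:
        return 1.0
    if dependent:
        # Complete dependence (as in the ATWS row of Table 2-6): once the first
        # credited action fails, the remaining ones are assumed to fail as well.
        return heps[0]
    p = 1.0
    for h in heps:          # "Assume no dependency": multiply the HEPs
        p *= h
    return p


def seq_frequency(seq, overrides=None):
    """Core damage frequency of one sequence (per yr).

    overrides maps action name -> HEP and replaces the sequence's own values;
    the F-V and HEP=0.1 sensitivity calculations both use it."""
    heps = [(overrides or {}).get(a, hep) for a, hep in seq.human_actions.items()]
    return seq.hardware_freq * combined_hep(heps, seq.dependent)


def total_cdf(seqs, overrides=None):
    # Rare-event approximation: functional sequences are disjoint paths, so sum them.
    return sum(seq_frequency(s, overrides) for s in seqs)


def fussell_vesely(seqs, action):
    """F-V importance: fraction of CDF from cutsets containing the action's failure,
    i.e. 1 - CDF(action HEP set to 0) / CDF."""
    base = total_cdf(seqs)
    return 1.0 - total_cdf(seqs, {action: 0.0}) / base


def rank_actions(seqs):
    """Actions ordered by F-V importance, as in the Section 4 data summary."""
    actions = {a for s in seqs for a in s.human_actions}
    ranked = [(a, fussell_vesely(seqs, a)) for a in actions]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


def hep_sensitivity_screen(seqs, cutoff=CUTOFF, degraded_hep=0.1):
    """NUREG-1335 paragraph 2.1.6.6 check: sequences below the cutoff that would be
    above it if every credited HEP were raised to degraded_hep.

    Returns {sequence name: (frequency as credited, frequency with HEP=0.1)}."""
    flagged = {}
    for s in seqs:
        base = seq_frequency(s)
        if base >= cutoff or not s.human_actions:
            continue
        degraded = seq_frequency(s, {a: degraded_hep for a in s.human_actions})
        if degraded >= cutoff:
            flagged[s.name] = (base, degraded)
    return flagged


def dependence_ratio(seq):
    """Factor by which a multi-action sequence's frequency rises if the credited
    actions are completely dependent rather than independent."""
    indep = seq_frequency(replace(seq, dependent=False))
    dep = seq_frequency(replace(seq, dependent=True))
    return dep / indep


# Constructed sample sequences: labels follow the report, the numbers are invented.
SAMPLE_SEQUENCES = [
    Sequence("TBU", 1.0e-3, {"FEED-AND-BLEED": 5.0e-3}),
    Sequence("S1X", 2.0e-4, {"CCW-TO-RHR": 1.0e-2}),
    Sequence("TQUP", 4.0e-3, {"RCS-COOLDOWN": 1.5e-4}),
    Sequence("S1PX", 2.0e-4, {"RCS-COOLDOWN": 1.5e-4, "RWST-MAKEUP": 5.0e-4}),
    Sequence("TBX", 1.0e-5),  # no operator action credited
]

if __name__ == "__main__":
    print(f"CDF = {total_cdf(SAMPLE_SEQUENCES):.3e}/yr")
    for action, fv in rank_actions(SAMPLE_SEQUENCES):
        print(f"  {action:15s} F-V = {fv:.3e}")
    for name, (base, degraded) in hep_sensitivity_screen(SAMPLE_SEQUENCES).items():
        print(f"  {name}: {base:.2e}/yr credited, {degraded:.2e}/yr with HEP=0.1")
    print(f"  S1PX dependent/independent ratio = {dependence_ratio(SAMPLE_SEQUENCES[3]):.0f}")
```

With these constructed values, S1PX sits four orders of magnitude below the cutoff when its two actions are treated as independent but is retained once both HEPs are set to 0.1, which is the situation the caution about the independence assumption describes.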
2.4.3 Enhancements.
After the initial model quantification, application of the vulnerability screening criteria discussed in Section 4.1.1 above identified failures in the non-vital 125 V DC system as high contributors to CDF. The non-vital battery provides power for breaker control during automatic bus transfer from the unit auxiliary transformers to the startup transformers, which occurs on any generator trip. Without the non-vital DC power, the breakers cannot change position to align for power from offsite AC instead of the main generator, and a loss of offsite power occurs.
Procedure changes were made to allow for manual breaker operations.
Credit for this operator action was taken in the subsequent quantification of the IPE (Operator Action OPER-43, HEP=2.65E-03).
The submittal indicates that without credit for this operator action, failure of non-vital DC contributed 50% to the overall CDF.
In addition to the procedure changes, the licensee plans to:
1) Investigate the feasibility of installing instrumentation for improved battery monitoring capability, especially for detection of open circuit faults while the bus is carried by the battery charger. This would reduce the likelihood of open circuit or loose terminal failures, which was one of the two failure modes identified.
2) Ensure testing and maintenance practices for the non-vital 125 V DC battery are equivalent to practices for safety-related batteries.
No other human-performance-related enhancements or commitments for action were identified in the submittal.
One operational feature that was identified as exacerbating outcomes from some sequences is a procedural action which increases the potential for temperature-induced failure of a steam generator tube.
The operator action, directed by procedures, is intended to provide core cooling. It results in the restart of the reactor coolant pumps at a time when there may be very hot gases in the vessel.
With the startup of the RCPs, these gases would be transferred to the steam generators, possibly leading to the tube rupture and thus containment bypass.
This sequence contributes about 25% to the containment failure frequency.
- 3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS
The intent of the IPE is summarized in four specific objectives for the licensee identified in Generic Letter 88-20 and NUREG-1335:
(1) Develop an appreciation of severe accident behavior.
(2) Understand the most likely severe accident sequences that could occur at its plant.
(3) Gain a more quantitative understanding of the overall probability of core damage and radioactive material releases.
(4) If necessary, reduce the overall probability of core damage and radioactive material release by appropriate modifications to procedures and hardware that would prevent or mitigate severe accidents.
With specific regard to the HRA, these objectives might be restated as follows:
(1) Develop an overall appreciation of human performance in severe accidents; how human actions can impact positively or negatively the course of severe accidents, and what factors influence human performance.
(2) Identify and understand the operator actions important to the most likely accident sequences and the impact of operator action in those sequences; understand how human actions affect or help determine which sequences are important.
(3) Gain a more quantitative understanding of the quantitative impact of human performance on the overall probability of core damage and radioactive material release.
(4) Identify potential vulnerabilities and enhancements, and if necessary/appropriate, implement reasonable human-performance-related enhancements.
The major observations and conclusions from our review pertinent to the NRC staff's determination of whether the licensee's submittal met the intent of Generic Letter 88-20 are:
(1) The submittal and supporting documentation indicate that utility personnel were involved in the HRA, and that the walkdowns and documentation reviews constituted a viable process for confirming that the HRA portions of the IPE represent the as-built, as-operated plant.
(2) The licensee performed an in-house peer review that provides some assurance that the HRA techniques have been correctly applied and that documentation is accurate.
(3) The HRA addressed pre-initiator errors in maintenance, test and surveillance actions.
Both misalignment (restoration) errors and miscalibration were considered.
The processes for identification and selection, qualitative screening, quantification, and incorporation of pre-initiator errors into the IPE model were reasonable and consistent with practice in other PRAs. Numerical results are consistent with results in other PRAs. Two pre-initiator actions are among the top ten most important human actions.
(4) The treatment of post-initiator human actions was reasonably complete and thorough.
Both response-type and recovery-type actions were included.
The process for identification and selection of actions involved review of procedures and discussions with plant personnel. No numerical screening process was performed.
Quantification of post-initiator errors appears to be reasonably complete and appears to have appropriately employed the chosen HRA techniques.
Plant-specific performance shaping factors and dependencies were considered.
Quantitative estimates of post-initiator human error probabilities are generally consistent with results in other PRAs.
(5) Insights reported by the licensee indicate that the HRA provided the licensee with an appreciation for the importance of human error to the estimated core damage and radioactive material release fractions.
Human action was noted as an important contributor in the dominant sequences.
Credit for human action in the recovery analysis was noted as a significant factor in reducing the estimated core damage frequency.
Importance calculations were performed which identified the most important human error contributors.
(6) While a specific definition of vulnerability was not provided, the licensee employed a reasonable process to screen for cost-effective enhancements.
One significant human performance related enhancement (a procedure improvement) was identified early in the IPE analysis and credited in the final IPE quantification.
- 4. DATA SUMMARY SHEETS
Important Operator Actions/Errors:
The following is a listing of the top twenty most important operator actions, per the Fussell-Vesely importance measure.
These twenty include all actions appearing in core damage cutsets that had a F-V importance value greater than 1.0E-04.
The types of actions are: pre-initiator (PRE); post-initiator response-type (RES); and post-initiator recovery-type (REC):
| Op. Action Name | Description | Type | F-V Value |
|---|---|---|---|
| OPER-P15 | Failure to restore offsite AC - 15 Hrs. | REC | 1.802E-01 |
| OPER-POS | Failure to restore offsite AC (SSHR = 0, SLLOCA) | REC | 6.03E-02 |
| OPER-1 | Operator fails to establish recirculation (CCW to RHR HX) | RES | 5.33E-02 |
| LOPERRWST | Valve 1SI-331 left open after testing | PRE | 3.26E-02 |
| OPER-3 | Operator fails to implement feed-and-bleed cooling | RES | 2.18E-02 |
| OPER-35 | Operator fails to manually start AFW pump | RES | 1.67E-02 |
| WOPER9209B | Miscalibration of pressure controller PC-9209B | PRE | 1.25E-02 |
| OPER-30 | Operator fails to establish long term injection source | RES | 1.12E-02 |
| OPER-R16 | Failure to locally align offsite AC (late) | REC | 9.30E-04 |
| EOPZRUVOLT | Miscalibration of undervoltage sensing relays | PRE | 7.10E-04 |
| OPER-17 | Operator fails to establish recirculation (HHSI) | RES | 6.00E-04 |
| OPER-11 | Operator fails to switch instr. bus to backup power supply | RES | 5.10E-04 |
| OPER-9 | Operator fails to initiate RCS cooldown to use LPSI/RHR | RES | 4.70E-04 |
| OPER-P0 | Failure to restore offsite AC - 0 Hrs. | REC | 4.40E-04 |
| OPER-21 | Operator fails to establish shutdown cooling | RES | 2.90E-04 |
| OPER-39 | Operator fails to realign AFW after spurious isolation | RES | 2.90E-04 |
| OPER-R1 | Failure to locally align offsite AC (late, no DC) | REC | 2.20E-04 |
| OPER-25 | Operator fails to manually start equipment | RES | 1.70E-04 |
| OPER-41 | Operator fails to initiate RCS cooldown to use LPSI/RHR (SGTR) | RES | 1.70E-0? |
| OPER-4? | Operator fails to align CSIP suction for SI | RES | 1.70E-04 |

("?" marks a character that is not legible in the scan.)

Human-Performance Related Enhancements:
Procedure enhancements to allow for manual action to locally align offsite AC power if the breakers fail to automatically actuate and cannot be controlled from the main control board.
Related actions by the licensee were to investigate the feasibility of installing instrumentation for improved battery monitoring and to ensure testing and maintenance practice for non-vital batteries are equivalent to practices for safety-related batteries.
APPENDIX D
SUMMARY OF SHEARON HARRIS INDIVIDUAL PLANT EXAMINATION FINDINGS
Summary of the Shearon Harris Individual Plant Examination (IPE) Submittal on Internal Events
Based on the review of the Shearon Harris IPE submittal and associated documentation, the staff concludes that the licensee met the intent of Generic Letter 88-20.
In addition, the licensee intends to maintain a "living" PSA.
This latter activity is not a requirement of Generic Letter 88-20.
The licensee's IPE results* are summarized below:
o Total core damage frequency (CDF): 7E-5/year (the CDF from internal flooding is 5E-6/year)
o Major accident classes:

| Accident class | Contribution |
|---|---|
| Loss of coolant accidents (LOCAs) | 40% |
| Station blackout | 26% |
| Transient with loss of DHR | 11% |
| Others | 10% |
| Internal flooding | 7% |
| ATWS early in core life | 6% |

o System failures contributing to the CDF in decreasing order of importance:
  High head safety injection (HHSI)
  Residual heat removal (RHR)/low head safety injection (LHSI)
  Diesel generators (DGs)
  Normal service water (NSW) and emergency service water (ESW)
  Heating, ventilation and air conditioning (HVAC) for DGs and charging/HHSI pumps
  Component cooling water (CCW)
  DC power
  Engineered safety features actuation system (ESFAS)
  Instrument power
o Major operator failures:
  Failure to restore offsite AC
  Failure to establish recirculation (CCW to RHR heat exchanger)
  Failure to close valve 1SI-331 after testing
  Failure to implement feed-and-bleed cooling
  Failure to manually start AFW pump
  Failure to correctly calibrate pressure controller PC-9209B
  Failure to establish long-term injection source
  Failure to locally align offsite AC (late)
  Failure to correctly calibrate undervoltage sensing relays
o Contribution to total containment failure probability given core damage:

| Containment state | Contribution |
|---|---|
| Early failures | 3% |
| Late failure | 5% |
| Bypass (V-event) | 1% |
| Bypass (SGTR) | 6% |
| Isolation failures | <1% |
| Intact | 85% |

o Significant PSA findings:
  1. After a plant trip, transfer of the offsite power from the unit auxiliary transformers to the startup transformers requires non-vital 125 V DC power for control power to circuit breakers. A failure of the non-vital 125 V DC power would result in a failure to provide offsite power to 1E buses.
  2. A plant-specific containment failure mode involves direct liner attack by core debris from a high pressure-induced dispersal.
  3. A procedure that requires an operator to restart the RCP to provide core cooling would lead to thermally-induced steam generator tube rupture (SGTR). The issue is being addressed by the Westinghouse Owners Group.
o Enhancements made as a result of IPE:
  A procedure change has been implemented to provide for manual operation of circuit breakers if the non-vital 125 V DC control power is lost.
  The testing and maintenance practices for the non-vital 125 V DC battery were verified to be equivalent to the practices for safety-related batteries.
o Potential improvements under evaluation:
  The licensee is investigating the feasibility of installing improved instrumentation for monitoring of the non-vital 125 V DC batteries.
(* Information has been taken from the Shearon Harris IPE and has not been validated by the NRC staff.)