ML18101A671
| ML18101A671 | |
| Person / Time | |
|---|---|
| Site: | Salem  |
| Issue date: | 04/25/1995 |
| From: | Olshan L Office of Nuclear Reactor Regulation |
| To: | Eliason L Public Service Enterprise Group |
| References | |
| NUDOCS 9505010009 | |
| Download: ML18101A671 (15) | |
Text
, f' -
c::.)
Mr. Leon R. Eliason Chief Nuclear Officer & President-Nuclear Business Unit
. Public Service Electric and Gas Company Post Office Box 236 Ha~cocks Bridge, NJ 08038 Ape 25, 1995
SUBJECT:
REQUEST.FOR ADDITIONAL ~NFORMATION ON* INDIVIDUAL PLANT EXAMINATION (IPE) SUBMITTAL, SALEM Nl)CLEAR GENERATING STATION, UNITS 1 AND 2
Dear Mr. Eliason:
t Based on our ongoing review of t_he -JPE submi.ttal fbr SaJem, Units 1 and 2, and its associated documentation, we have*enclosed-~~request for'additional information ( RAI).
The RAI 'is related to" the i nterna 1 *event* analysis in the IPE, including the human rel i ab.f1,,ity analys~ s a_n.d ~,.the conta.i.nm~11t performance improvement (CPI) program.
The RAI was developed by* our, contractors (Science Engineering Associates, Concord and. Sd.en"tech).. and reviewed b.Y the* IPE Senior Review Board. (SRB) ~
The:1.*SRB is c_omprised' of. ~taf~ !J1embers* ffom :our Office of Nuclear Regulatory Research ar,id ;<,its cons*uitants* (BrqokHav;en ~Na Hori a 1 Laboratories and *Sandia National Laboratori'es) who have:expert-ise in *
- probab1listic risk assessment..
_., /
- i*
This requirement affects n*i ne or f eWe*r -respond~nts and iheref ore is not subject to Management and Budget revfew under *,*P. l'; _ 96-511.
- If you have any questions, please c'ontact me, -at,,(301) 415-1419.
Docket Nos. 50-272/311
Enclosure:
RAI cc w/encl:
See next page DISTRIBUTION Docket File PUBLIC PDI-2 Reading -
SVarga JZwolinski JStolz
.. ':(
~
~
~..
Sincerely, ;
. */SI
- Leonard N. Olshan, Projett Manager -
Pr*oj ect Di rector ate 1-2 Division of Reactor Projects - I/II Office of NU~lear Reactor Regulation LOl sh an 950501AODOOOC2 6~&6a~72 MO' Brien PDR
~
ACRS(4)
JWhite, RGN-1
- 1...:)
OFFICE
<..:)
(,,)
C:.1 SA74461. GEN J)fol
\\' \\_
UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 Mr. Leon R. Eliason Chief Nuclear Officer & President-Nuclear Business Unit Public Service Electric and Gas Company Post Office Box 236 Hancocks Bridge, NJ 08038 April 25, 1995
SUBJECT:
REQUEST FOR ADDITIONAL INFORMATION ON INDIVIDUAL PLANT EXAMINATION
{IPE) SUBMITTAL, SALEM NUCLEAR GENERATING STATION, UNITS 1 AND 2
Dear Mr. Eliason:
Based on our ongoing review of the IPE submittal for Salem, Units 1 and 2, and its associated documentation, we have enclosed a request for additional information {RAI).
The RAI is related to the internal event analysis in the IPE, including the human reliability analysis and the containment performance improvement {CPI) program.
The RAI was developed by our contractors {Science Engineering Associates, Concord and Scientech) and reviewed by the IPE Senior Review Board {SRB).
The SRB is comprised of staff members from our Office of Nuclear Regulatory Research and its consultants {Brookhaven National Laboratories and Sandia National Laboratories) who have expertise in probabilistic risk assessment.
This requirement affects nine or fewer respondents and therefore is not subject to Management and Budget review under P.L.96-511.
If you have any questions, please contact me at {301) 415-1419.
Docket Nos. 50-272/311
Enclosure:
RAI cc w/encl: See next page Sincerely, 0..
~-"' ~*,,11 I
-:; l lt-ti( 4. __.4J).,._
Leonard N. Olshan, Project Manager Project Directorate 1-2 Division of Reactor Projects - I/II Office of Nuclear Reactor Regulation
- \\
Mr: leon R. Eliason ~
,-Public Service Electric & Gas Company cc:
Mark J. Wetterhahn, Esquire Winston & Strawn 1400 L Street NW Washington, DC 20005-3502 Richard Fryling, Jr., Esquire Law Department - T.ower SE 80 Park Place Newark, NJ 07101 Mr. John Summers General Manager - Salem Operations Salem Generating Station P.O. Box 236 Hancocks Bridge, NJ 08038 Mr. J. Hagan Vice President - Nuclear Operations Nuclear Department P~O. Box 236 Hancocks Bridge, New Jersey 08038 Mr. Charles S. Marschall, Senior
~esident Inspector Salem Generating Station U.S. Nuclear Regulatory Commission Drawer I Hancocks B~idge, NJ 08038 Dr. Jill Lipoti, Asst. Director Radiation Protection Programs NJ Department of Environmental Protection and Energy CN 415 Trenton, NJ 08625-0415 Maryland Office of People's Counsel 6 St. Paul Street, 21st Floor Suite 2102 Baltimore, Maryland 21202 Ms. R. A. Kankus Joint Owner Affairs PECO. Energy Company 965 Chesterbrook Blvd., 63C-5 Wayne, PA 19087 Mr. S. LaBruna Vice President - Nuclear Engineering Nuclear Department P.O. Box 236 Hancocks Bridge, New Jersey 08038 Salem Nuclea~enerating Station, Units 1 and 2 Richard Hartung Electric Service Evaluation Board of Regulatory Commissioners 2 Gateway Center, Tenth Floor Newark, NJ 07102 Regional Administrator, Region I U. S. Nuclear Regulatory Commission 475 Allendale Road King of Prussia, PA 19406 Lower Alloways Creek Township c/o Mary 0. Henderson, Clerk Municipal Building, P.O. Box 157 Hancocks Bridge, NJ 08038 Mr. Frank X. Thomson, Jr., Manager Licensing and Regulation Nuclear Department P.O. Box 236 Hancocks Bridge, NJ 08038 Mr. David Wersan Assistant Consumer Advocate Office of Consumer Advocate 1425 Strawberry Square Harrisburg, PA 17120 Ms. P. J. Curham MGR. Joint Generation Department Atlantic Electric Company P.O. Box 1500 6801 Black Horse Pike Pleasantville, NJ 08232 Carl D. Schaefer External Operations - Nuclear Delmarva Power & Light Company P.O. Box 231 Wilmington~ DE 19899 Public Service Commission of Maryland Engineering Division Chief Engineer 6 St. Paul Centre Baltimore, MD 21202-6806
I
\\..._
REQUEST FOR ADDITIONAL INFORMATION ON THE SALEM GENERATING STATION (SGS)
INDIVIDUAL PLANT EXAMINATION (IPE) SUBMITTAL SGS FRONT END QUESTIONS
- 1.
Section 3.1.1.1 of the IPE states that loss of a vital 4,160 VAC bus is not a special initiator at Salem Genera.ting Station (SGS) because such a loss does not require a plant trip or require an ~mmediate plant shutdown.
However, no mention is made in the !PE.of possible consideration of failures of other electrical equipment as initiating events.
Please provide the basis for omitting as initiating events equipment failures related to: non-vital buses;.inverters; and 460 VAC, 230 VAC, and 115 VAC vital buses.
- 2.
The IPE does not model HVAC failures in the following plant areas as potential initiating events:
- the charging pump rooms, the service water pump bays, and the service water control room.
Please provide the basis for omitting these HVAC failures as initiating events. The IPE also states (p. 3.2-100) that HVAC for the turbine driven AFW pump was eliminated as a support system requirement based on discussions with the system engineers. Please provide the technical basis to support thi.s assumption, including a discussion of the expected rate of temperature rise, and the expected time and temperature of failure of the equipment.
- 3.
Section 3.2.1.15.4.1 of the IPE states that 2 fault tree tops were modeled in conjunction with loss of control area air conditioning system.
These tops were (1) insufficient **cooling in the relay room and (2) insufficient cooling in the electrical equipment room.
However, the control area air conditioning system also provides cooling for the control room.
Please clarify the modeling of control room cooling as a support system during the post-accident mitigation period. If cooling to the control room was not considered, please provide the basis for its omission.
(It is recognized that cooling to the control room was eliminated as an initiating event based on the long heat-up times involved.)
- 4.
The CCW system provides seal _cooling water to the RHR pumps, the charging pumps,. and safety injection pumps.
However, seal cooling for these pump categories was not included as a dependency in the analysis.
As stated in Section 3.2.1.2.2.2 of the IPE, the manufacturer's technical manual states that seal water cooling is not necessary for continued operation of the charging pumps.
However, no justification fs provided for the exclusion of sea~ cooling for the safety injection and RHR pumps.
Please provide the basis for excluding seal cooling dependencies for the RHR and safety injection pumps.
- 5.
A review of the common cause failure data listed in Table 3.3-5 of the
- IPE submittal indicates that the licensee's list of common cause events does not include important components that were addressed in othe~
plants. For example, the following equipment categories are not included:
ENCLOSURE
Circuit breakers Electrical switchgear/buses Batteries Inverters Check valves Room ventilation fans {outside containment)
Air compressors Provide the technical basis for the omission of these components.from the common cause analysis. Explain how it was assured that vulnerabilities were not missed as a result of the omission of these common cause failures.
- 6.
The Salem Generating Station has in the past year experienced a plant trip due to fouling of the traveling screens with marsh grass. This plant specific event does not appear to be addressed as an initiating event.
Please provide the technical basis for not considering it in your analysis even though marsh grass is a recurring problem.
Include in your discussion the frequency of the event, consideration given to the concurrent loss of service water due to the same initiator, including possible operator errors and their probability, and the estimated impact on core damage.
If this event was considered as part of the loss of service water event please discuss the above requested information.
- 7.
Section 3.4.~ of the IPE states that for a sequence or event to be considered a vulnerability, it had to pass the systemic sequence reporting criteria provided in NUREG-1335 and contribute inordinately to the CDF with respect to: {l) other SGS core damage sequences or events, or {2) in comparison to similar sequences or events for other plants as determined from PRA results. Please identify what is meant by the term "contribute inordinately" and provide examples of how it was used to determine vulnerabilities.
- 8.
The rupture of the steam supply line to the steam-driven AFW pump during plant operation would be expected to result in a plant trip. At the same time, the steam-driven AFW pump would be disabled, and other equipment in the vicinity of the break might be disabled due to exposure to steam and moisture effects. The IPE is not clear as to whether or not a break in the steam supply line to the steam-driven AFW pump was considered as an initiating event. Please clarify the modeling of this potential initiating event. If this initiating event has not been accounted for, please provide the basis for its omission.
- 9.
The IPE does not identify the specific sources of data used to develop initiating event frequencies for the flooding initiating events.
For example, reference is made on p. 3.3-182c of the IPE to pipe rupture frequency data listed in "Table 3.7-1". However, this table is not included in the IPE submittal. Please provide this table and identify the specific sources of data used to quantify the flooding initiating
- events.
2
- 10.
The transmittal letter for the IPE indicates that updates were made to the flooding analysis results, but are not reflected in the IPE.
Please provide an updated list of flooding accident sequences for both units.
- 11.
Table 3.3.2-1 of the IPE indicates that the mean generic failure rate used for a turbine-driven auxiliary feedwater pump is 5.0E-05/hr. This value is two orders of magnitude lower than NUREG/CR-4550 generic data.
Please identify the source of failure data and discuss its applicability to this p:.1mp.
- 12.
The IPE transmittal letter describes one potential plant improvement resulting from the IPE analysis. This potential improvement would address a procedural weakness related to ISLOCA scenarios.
The IPE submittal states that PSE&G submitted a work request to the Westinghouse Owners Group on July 12, 1993 requesting an evaluation of the procedural improvement and an Emergency Response Guideline revision as appropriate.
What is the status of the proposed procedural change that will be used to address this weakness?
- 13.
Loss of CCW is not analyzed as an initiating event.
The IPE states that due to changes in system dependencies, this initiating event is no longer important.
However, the CCW system supplies water to the RCP thermal barriers and motor bearing oil coolers.
In addition, loss of CCW to the RCP motor bearings could lead to a vibration-induced seal LOCA.
Also, it appears that CCW may be used to provide lube oil cooling for the positive displacement charging pump, which was credited in the analysis as a means of providing RCP seal injection. Please provide the basis for omitting the failure of the CCW system as an initiating event, including a discussion of the above dependencies.
- 14.
The IPE states (p. 3.2-75) that service water intake structure ventilation is assumed to be unnecessary for long-term operation of the service water pumps, though no basis for this assumption is provided.
Also, no specific mention is made of long-term HVAC requirements for the service water control room equipment.
Please provide the basis for excluding HVAC dependencies for the service water control room.
- 15.
It is not clear in the submittal if plant changes due to the Station Blackout rule were credited in the analysis. Please provide the following: (1) identify whether plant changes (e.g., procedures for load shedding, alternate AC power} made in response to the blackout rule were credited in the IPE and what the specific plant changes are that were credited; (2) if available, identify the total impact of these plant changes to the total plant core damage frequency (CDF) and to the station blackout CDF (i.e., reduction in total plant CDF and station blackout CDF}; (3) if available, *identify the reduction, for each individual plant change, to the total plant CDF and to the station blackout CDF; (4} identify any other changes to the plant that have been implemented or planned to be implemented that are separate from those in response to the station blackout rule, that reduce the station blackout
- CDF; (5) identify whether the changes in #4 are implemented or planned; (6} identify whether credit was taken for the changes in #4 in the IPE; 3
and (7) if available, identify the impact of the changes in #4 to the station blackout CDF.
- 17.
Table 7-3 of the IPE submittal provides the decomposition of the core damage frequency (CDF) by initiating event for each unit. Station blackout is listed in this table as an initiating event.
However station blackout represents an accident type involving progression from one or more categories of initiating events into a loss of all AC power condition.
For the station blackout accident type, please identify for each unit:
a)
All the associated initiating events and, b) the individual contributions of each initiating event to the
- station blackout CDF.
SGS BACK-END QUESTIONS
- 17.
It is difficult to understand the overall results of the submittal, particularly the conditional probabilities of containment failure.
a)
Why are the calculated conditional probabilities of early and late containment failure for SGS Units 1 and 2 larger than those calculated for Zion (NUREG-1150 analyses), even though the containment analyses are fairly similar?
b)
Please explain the large differences in results for late containment failure between the two SGS units, even though the methods of containment analysis, and the containments themselves, are identical.
c)
Please provide the results of the CET analyses (conditional probability of containment failure and release frequency) for each PDS, so that the overall results can be reconciled.
- 18.
The following questions concern the containment analyses (i.e., CET analyses and their quantification, as discussed in Sections 4.5 and 4.8 of the submittal).
a)
Please provide the basis and justification of the quantification of the split fraction for the failure of the operator to open the PORVs in Top Event 6 of the CET in high-pressure sequences.* Note that this split fraction can have a major impact on HPME, DCH, and on the conditional probability of early containment failure.
b)
The operator action "Operator Maintains Controlled Steam Generator Cooling after Battery Depletion in Slow Station Blackout Events (CS)" is Salem plant-specific, and can have a major impact on the time of vessel breach and on the conditional probability of early containment failure.
However, there is no information for the value of the human error probability (HEP) for this action, 4
provided in the IPE submittal as is done for other human actions.
Since this value may be significant to the conditional probability of vessel breach and early containment failure, please provide the basis for this value. Discuss the performance shaping factors, including time available and time required, that were applied to this human action to arrive at this value, and the basis for their application.
c)
The basemat in the Salem plant is one of the thickest (16 ft) of all the plants reviewed to date.
Why does the submittal assign a relatively high value of 0.05 to the split frac1:ion for basemat melt-through in Top Event 30 of the CET in the non-coolable debris case?
d)
NUREG-1335 requests that the licensee treat all phenomena that can lead to early containment failure, including steam explosions.
The licensee has excluded ex-vessel steam explosions in the CET as possibly leading to containment failure. Please justify the omission of ex-vessel steam explosions (EVSEs) when calculating the conditional probability of containment failure in Top Event 15 of the CET.
e)
NUREG-1335 requests that the licensee treat all phenomena that can lead to late containment failure, including combustion processes.
For Top Event 27 of the CET ("No Late Containment Failure"),
please detail how the combustion of CO generated due to MCCI has been addressed.
f)
Please detail how the negative impacts of the recovery of long-term containment heat removal (Top Event 24) on the conditional probability of late containment failure (through steam condensation and subsequent late combustion) were treated in the CET.
g)
In the submittal, the treatment of in-vessel recovery of a
- degraded core is not clear, and the footnotes to Table 4.8-1 of the submittal (which provides some details) are cryptic.
Treatment of in-vessel recovery has a direct impact on the estimated probability of vessel breach and containment failure.
Please provide the bases and justification for the various split fractions assigned for in-vessel core coolability (values ranging from 0.033 to 0.65) in the submittal.
- 19.
Why was the effect of elevated temperatures upon containment penetrations (made of elastomers) ruled out for evaluating the containment fragilities, particularly at 900°F?
NUREG-1335 requests that the submittal include an assessment of penetration elastomer seal materials and their exposure to prolonged high temperatures.
How was it ensured that any potential "vulnerabilities" due to elastomer ieal failure of penetrations were not overlooked?
5
- 20.
It is difficult to understand the "basemat flexure" mode of failure in the SGS IPE.
Given that the basemat thickness is 16 ft in the Salem plant, it is difficult to understand how the basemat can fail by flexure.
At low temperatures, the submittal shows that the basemat failure and the failure at dome are equally possible. Please discuss this failure mode and provide details of the calculations for the results shown in Figures 4.4-2 through 4.4-5, as pertaining to the "basemat flexure" mode of failure.
- 21.
The licensee does not appear to make use of insights gained from the CET analyses.
-The two analyses that have the greatest impact on vessel breach and early containment failure appear to be the following: (1) operator action to depressurize by using the PORVs, and (2) cavity flooding and heat transfer to the lower head.
Has the licensee considered these insights for potential procedural modifications, and accident management strategies? If so, please detail these procedures or strategies. Otherwise, please describe how the licensee intends to address these insights.
- 22.
The following questions pertain to radionuclide release categories and the associated source term analyses reported in Section 4.9 of the submittal.
a)
Although the licensee has provided the ranges of the source term magnitudes, Section 2.2.2.7 of NUREG-1335 requests the actual radionuclide release magnitudes for all of the release categories.
Please provide this information.
b)
Please discuss the impact of the CET sensitivity analyses on the frequencies for other release categories (besides the early releases), such as the late large releases. Note that the frequency of a late large release in the SGS IPE is substantial.
- 23.
Generic Letter 88-20 states that IPE submittals should report the following:
"any functional sequence that has a* core damage frequency greater than or equal to 10-6 per reactor year and that leads to containment failure which can result in a radioactive release magnitude greater than or equal to BWR-3 or PWR-4 release categories of WASH-1400."
The IPE submittal does not address this screening criteria.
Please provide a listing of such sequences, including the source term magnitudes and frequencies.
- 24.
Please explain in detail the conditionai probabilities calculated for failure to isolate the containment (1.5% for SGS Unit 1, and 3.2% for SGS Unit 2). Note that the calculated probability of containment isolation failure in both SGS units is larger than that calculated by the NUREG-1150 analysis for Zion (0.5%).
Section 2.2.2.5 of NUREG-1335 requests a detailed treatment of containment isolation, including five areas discussed in the Generic Letter. Also, please explain the difference in the results between the two units.
6
SGS HUMAN RELIABILITY ANALYSIS QUESTIONS
- 25.
The submittal does not clearly discuss the process that was used to identify and select pre-initiator human actions. The process used may include the review of operations, maintenance, test, surveillance and calibration procedures, and discussions with appropriate plant personnel on interpretation and implementation of the procedures, perhaps even in-plant examination of the equipment and walk-through of procedures.
a)
Please provide a description of the process that was used to identify and select pre-initiator human actions for analysis.
b)
Include a discussion of che plant-specific assessment that was performed which supports the conclusion/assumption that all types of pre-initiator errors could be well represented by the four "generic" tasks for which THERP trees were developed.
For example, in practice, different types of calibrations may involve different types of equipment and tools, different set-up actions, different environments, etc. Discuss how it was assured that a comprehensive set of calibration and restoration tasks were examined, and explain the rationale and "criteria" by which it was decided that the many different tasks could be grouped into the four groups discussed in the submittal.
c)
Table 3.3.3-6 of the submittal, which lists HEPs for all pre-initiators included in the fault trees includes seven systems.
How was it determined that these are the only systems for which quantification of pre-initiator actions was required?
- 26.
The submittal identifies four criteria by which pre-initiator human actions were qualitatively screened and some actions were eliminated from consideration. Overall, these criteria appear to be reasonable.
However, one of the criteria for eliminating actions is misalignments that would be noticed shiftly or daily. Please clarify by providing specific examples of how it was determined that misalignments would be "noticed" on a shiftly or daily basis; in particular, discuss what plant specific assessment was performed to assure that important actions were not eliminated from consideration without a high degree of certainty that errors would be detected. Provide a listing, if possible, or at least examples, of specific pre-initiator errors that were screened out by the qualitative screening process.
- 27.
The submittal does not mention the use of any numerical screening process to help differentiate the more important pre-initiator human events. Apparently, all pre-initiator errors that were identified and not screened out by one of the qualitative criteria noted above were quantified at the "generic" values derived from the THERP calculation.
If a screening process was employed, please provide the screening value(s) used and the basis for the value(s); that is, provide the rationale for how the selected screening value did not eliminate (or
, truncate) important human events. Also, provide the list of errors that were screened out.
7
- 28.
The unavailability contribution from pre-initiator human errors was determined by multiplying the HEP by the ratio of fault detection time to the time interval between calibrations (testing, or maintenance).
Please explain the basis for determination of the fault detection time and the plant-specific assessment that verified that detection would be highly likely within that time.
- 29.
It is not clear from the submittal how dependencies associated with pre-initiator human errors were addressed and treated.
a)
One type of dependency that appears to have been addressed is the inter-person dependency between the individual performing the task and a second person who is checking. These were treated using Table 20-22 from the THERP handbook.
The use of the THERP tables appears to be consistent with the Handbook guidance, assuming that plant-specific assessment verified that actual practice always is such that the assumed credit for checking is-valid. Please discuss the plant-specific assessment *performed to justify credit for recovery by the checker.
b)
Another type of dependency occurs when the probability of the subsequent human events is influenced by the probabi l i ty of the first event. Typically, subsequent HEPs in the model will be adjusted (increased) to reflect this dependence.
If not, an unrealistically low estimate of failure may be obtained by multiplication of multiple HEPs.
Please discuss how this type of dependency was treated in the pre-initiator analysis, or explain why it was not treated.
c)
Other types of dependencies may occur when a common factor, such as a human engineering deficiency, miscalibration of multiple instruments by common teams or a common error in procedures, results in increasing the likelihood of what otherwise would have been unrelated human events. Such dependencies are sometimes incorporated in the HRA model by "grouping" the components so they.
fail simultaneously, or by adjusting HEPs individually to reflect the impact of the common feature.
Please discuss how such dependencies were addressed and treated in the pre-initiator HRA, or explain why they were not treated.
- 30.
The submittal does not clearly describe the method used to identify and select response-type post-initiator actions for analysis. The method utilized should confirm that the plant.emergency procedures, design, operations (practices and policies) were examined and understood to identify potential severe accident sequences.
Please provide a description of the process that was used for identifying and selecting the response type actions evaluated.
- 31.
The submittal does not clearly describe the method used to identify and select recovery-type post-initiator actions for analysis. "The method
- utilized should confirm that the plant emergency procedures, design, operations (practices and policies) were examined and understood to 8
.. J identify potential severe accident sequences.
Please provide a description of the process that was used for identifying and selecting the recovery type actions evaluated.
- 32.
The submittal is not clear on what steps where taken to insure important operator actions were not inadvertently eliminated during the screening of post-initiator actions.
Section 3.3.3 of the submittal briefly describes a matrix of screening values used to identify the more important post-initiator human actions and eliminate others. A typical screening value recommended and employed for post-initiator screening is 0.5, which ts higher than many-of the values in this matr~x. When less conservative screening values are used the possibility of elimination of potentially important actions increases. Please, 1) explain how it was assured that the selected screening value did not eliminate (or truncate) important post-initiator human events, and 2) provide a list of errors initially considered and screened out.
- 33.
It is unclear from the submittal what specific process was used to determine time available and time required.
In applying performance shaping factors, the cons.ideration of time is important.
The submittal notes that "talk-throughs" performed in the simulator helped to provide estimates or measurements of the time required to perform actions, but does not provide sufficient information on what was done to assess the reasonableness of the process. Please explain the process used for determining the time available and the time required.
Include times
{travel time, access time, action time, etc.) for actions outside the control room.
Using the following examples, explain precisely how time available and time required were determined.
Ifb Failure to isolate affected steam generator following a feedwater line break...
Ms Failure to remove power to the RPS MG sets, given electrical failure of the automatic RPS actuation.
- 34.
The submittal notes {page 3.3-15) that, "For most of the actions analyzed, there was no diagnosis error included in the total failure probability calculation. This is due to the fact that very little diagnosis is left to the operator. The symptom-oriented {flow-chart)
EOPs direct him to the necessary actions based on control room indications. The operator does not need to know what specific abnormal event has occurred in order to get into the proper procedure." While it is true that symptom-based procedures are designed to aid the operating crew in the diagnosis and decision making tasks that are part of accident response, the degree to which these procedures have reduced the likelihood of error in such "cogn~tive" activities is an open question.
Most PRAs assume that there still remains a significant error potential, and consequently account for diagnostic error in the estimation of HEPs.
There is little empirical evidence from controlled studies to completely resolve this issue and quantify the likelihood of error.
One recently
- published study (Ref. 1) does provide some evidence that cognitive functions such as situation assessment and response planning continue to 9
play an important role in accident response, even when symptom-based EOPs are employed.
Since ASEP was the primary methodology employed in the Salem post-initiator HRA, it should be noted that ASEP guidance (page 8-7) does state that symptom-oriented EOPs may convert formerly knowledge-based behavior such as diagnosis into rule-based behavior; and, that the analyst may judge that the diagnosis aspect of some particular event is negligible because of the combination training and procedures. However, ASEP guidance cautions that, "In making such a judgment, the analyst must unders~and that there is a risk of an overly optimistic assessment of human behavior, especially considering the likely stressful nature of abnormal events no one believes will ever occur...* Such assessments should be fully documented."
We also note that even in those cases in which diagnosis was considered, the Salem analysis used the lower bound value from the ASEP diagnosis model, or even the lower bound value multiplied by a reducing factor such as 0.5 or 0.9.
ASEP guidance reco11111ends using the lower bound value ;f and only ;f:
the event is a well-recognized classic (e.g., TMI-2 incident}, and the operators have practiced the event in simulator requalification exercises, and the talk-through and interviews indicate that all the operators have a good verbal recognition of the relevant stimulus and know what to do or which written procedures to follow.
ASEP recommends using the nominal value if the only practice of the event is in the simulator requalification exercises and all operators have had this experience.
Review of the HEP calculation summaries (Table 3.3.3-13) in the submittal indicates diagnosis was assumed negligible for a number of actions for which other PRAs have assumed a significant diagnosis component exists, and for which the total HEP would be substantially increased if diagnosis were considered.
An example from Table 3.3.3-13 is the operator actions to initiate bleed and feed operation.. The total time available is reported as 5 to 10 minutes, and the total required action time is 7 minutes.
In this example, no margin for conservatism exists; in fact the lower bounds for time available (5 minutes) is less than time required (7 minutes). Another example is failure to initiate boration from the RWST through the BIT, which has a required time of 6 minutes, and a total available time of 10 minutes.
For these cases, there is no margin for error and any diagnostic contribution could result in failure. Therefore, rigorous justification of an assumed zero diagnostic contribution is in order.
Using the actions for bleed and feed, boration, and/or other examples
- from Table 3.3.3-13, please discuss the plant-specific assessment that was performed to incorporate all important facets, especially diagnosis, 10
of operator performance to assure that HEPs for post-initiator response actions were examined appropriately.
- 35.
It is not completely clear from the submittal how dependencies were addressed and treated in the post-initiator HRA.
The performance of the operator is dependent on both the accident under progression and the past performance of the operator during the accident of concern.
Improper treatment of these dependencies can result in the elimination of potentially do~inant accident sequences, and therefore, the identification of significant events. Please provide a discussion and examples illustrating how dependencies were addressed and treated in the post-initiator HRA such that important accident sequences were not eliminated. If the submittal did nut address dependencies in the quantification, please justify. The discussion should address the two cases below:
a)
Human events are modeled in the fault trees as basic events such as failure to manually actuate system functions from the control room.
The probability of the operator to perform this function is dependent on the accident in progression - what symptoms are occurring, what other activities are being performed (successfully and unsuccessfully), etc. When the sequences are quantified, this basic event can appear, not only in different sequences, but in different combinations with different systems failures.
In addition, the basic event can potentially be multiplied by other human events when the sequences are quantified which should be evaluated for dependent effects. Discuss by way of example how dependency was treated for post-initiator actions included in fault trees.
b)
Human events are modeled in.the event trees as top events.
The probability of the operator to perform this function is still dependent on the accident progression.
The quantification of the human events need to consider the different sequences and the other human events. Discuss by way of example how dependencies were treated for human actions incorporated into event trees.
- 36.
The submittal states (page 3.3-14) that recovery actions were quantified "on a screening basis by use of the matrix in Table 3.3.3-7. Others were based on various sources." This explanation does not provide sufficient information to be able to assess the reasonableness of the quantification process applied.
For the below listed recovery actions, please provide more specific information on the basis for quantification of human error in recovery actions; in particular discuss the plant-specific assessment performed to assure that values were realistic.
PRV-RCVY-lA, -18
- vDG-RCVY-18 CIS-XHE-FO-RCPSL -
Recovery of blocked PORV...
Local isolation of RCP seal return {SBO) 11
- 37.
Paragraph 3.3.3.2.3 of the submittal discusses "Recovery Actions Applied to Sequence Cutsets."
On page 3.3-14 of the submittal, it is stated that these recovery actions are cutset dependent, and "therefore, they were applied at the cutset level after the initial sequence cutsets had been obtained."
We concur that recovery actions usually are cutset-dependent and are best treated by being added to specific cutsets rather than incorporated into fault trees or event trees. However, both Table 3.3.3-10 and Table 3.3.7-6, which list recovery actions, indicate that they were treated as top events in event trees.
Please clarify this discrepancy.
If recovery actions were treated in the event trees
{and therefore were part of the sequences), please explain how these recovery actions were applied after the initial sequences were obtained, and how cutset-specific dependencies were accounted for in the analysis.
- 38.
Footnote b in Table 3.3.3-10 identifies several actions for which the quantification takes credit for enhancements that are to be made, including pre-planning *to facilitate the action, enhanced procedures, pre-staged equipment, and control room annunciation added to alert the operators. For each case, provide an update on the status of those enhancements that were credited in the HEP calculation, and if available, the impact of each enhancement to the total CDF.
Reference I.
E.M. Roth, et. al., "An Empirical Investigation of Operator Performance in Cognitively Demanding Simulated Emergencies,"
NUREG/CR-6208, July, 1994.
12