ML18180A326

Transmittal of Final LaSalle County Station Unit 2 Accident Sequence Precursor Report (Licensee Event Report 374-2017-003-01)
ML18180A326
Person / Time
Site: LaSalle
Issue date: 07/03/2018
From: Bhalchandra Vaidya
Plant Licensing Branch III
To: Bryan Hanson
Exelon Generation Co, Exelon Nuclear
Vaidya B
Shared Package
ML18157A263 List:
References
LER 2017-003-01


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

July 3, 2018

Mr. Bryan C. Hanson
Senior Vice President
Exelon Generation Company, LLC
President and Chief Nuclear Officer
Exelon Nuclear
4300 Winfield Road
Warrenville, IL 60555

SUBJECT: LASALLE COUNTY STATION, UNIT 2 - TRANSMITTAL OF FINAL LASALLE COUNTY STATION, UNIT 2, ACCIDENT SEQUENCE PRECURSOR REPORT (LICENSEE EVENT REPORT 374-2017-003-01)

Dear Mr. Hanson:

By letter dated August 9, 2017 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML17236A160), LaSalle County Station (LSCS) submitted licensee event report (LER) 374-2017-003-01 to the U.S. Nuclear Regulatory Commission (NRC or Commission) staff pursuant to Title 10 of the Code of Federal Regulations (10 CFR) Section 50.73. As part of the accident sequence precursor (ASP) program, the NRC staff reviewed the event to identify potential precursors and to determine the probability of the event leading to a core damage state. The results of the analysis are provided in the enclosure to this letter.

The NRC does not request a formal analysis review, in accordance with Regulatory Issue Summary 2006-24, "Revised Review and Transmittal Process for Accident Sequence Precursor Analyses" (ADAMS Accession No. ML060900007). The analysis resulted in an increase in core damage probability (ΔCDP) of 1.75×10⁻⁵, which is less than the 1×10⁻⁴ review threshold.

Final ASP Analysis Summary

A brief summary of the final ASP analysis, including the results, is provided below.

High-Pressure Core Spray System Inoperable due to Injection Valve Stem-Disc Separation

This event is documented in LER 374-2017-003-01 and Inspection Report 05000374/2017009.

Executive Summary

During a refueling outage with the reactor in Mode 5, the LSCS, Unit 2, high-pressure core injection (HPCS) system was declared inoperable on February 8, 2017 to support performance of a water leak rate test and stem lubrication/rotation check of the HPCS injection valve 2E22-F004. On February 11th, while attempting to fill and vent the HPCS system, no flow was observed from the drywell vent valves or downstream of valve 2E22-F004. Valve 2E22-F004 was cycled to verify the valve was open; however, no air or water was observed from the drywell vents. Troubleshooting revealed that there was no flow downstream of valve 2E22-F004. Operators determined that valve 2E22-F004 failed sometime after the successful leak rate tests on February 8, 2017, when the valve was cycled successfully five times and most likely during the fill and vent sequence. Prior to this failure, valve 2E22-F004 was not operated since the plant's last refueling outage in 2015. The licensee concluded the cause of the valve malfunction was due to stem-disc separation. The valve internal components were replaced prior to restart of the unit from the refueling outage.

This exposure period in which HPCS was unavailable is a significant modeling uncertainty for this ASP analysis. The duration of the exposure period is based on the length of time that the HPCS system would have been unavailable to perform its safety function. In this case, whether the HPCS system would have been able to perform its safety function is dependent on whether it would have been expected to cycle a greater number of times than it was successfully cycled since the 2015 refueling outage and prior to the observed failure. During a postulated loss of feedwater event with reactor core isolation coolant (RCIC) unavailable, the HPCS injection valve will automatically cycle a number of times after a reactor trip as reactor water level alternates between Level 2 (reactor water low level setpoint) and Level 8 (reactor water level high setpoint). If operators take manual control to maintain reactor water level, the number of HPCS/HPCI system cycles will increase depending on how close to the level setpoints reactor water level is maintained.

In licensee event report (LER) 374-2017-003-01 (Reference 1), the licensee states that only four injection cycles are needed to maintain the design function of HPCS. No additional information was provided in the LER that supported this conclusion. Operating experience is limited on the number of HPCS cycles during loss of feedwater events with a RCIC unavailability because they are relatively rare. In addition, data on the number of HPCS cycles is not typically included in LERs and other readily available data sources. However, a loss of offsite power (LOOP) event with a subsequent RCIC unavailability occurred at Perry Nuclear Power Plant in 2003 involving 16 HPCS cycles prior to operators initiating shutdown cooling. Relevant thermal-hydraulic calculations performed as part of NUREG-1953, "Confirmatory Thermal-Hydraulic Analysis to Support Specific Success Criteria in the Standardized Plant Analysis Risk Models-Surry and Peach Bottom," show that high-pressure coolant injection (HPCI) would cycle eight times given a loss of feedwater and RCIC at Peach Bottom Atomic Power Station. As such, because it is expected that valve 2E22-F004 would have needed to cycle more than five times to ensure completion of the HPCS safety function, HPCS was assumed to be unable to fulfill its safety function since the plant's last refueling outage in 2015.

Therefore, the maximum exposure time of 1 year is used in this ASP analysis.

The point estimate increase in ΔCDP for this event is 1.75×10⁻⁵, which is considered a precursor in the ASP program. According to the risk analysis modeling assumptions used in this ASP analysis, the most likely core damage scenarios involve initiating events that result in a loss of feedwater (include LOOP, loss of instrument air, etc.) and subsequent failures/unavailabilities of HPCS, RCIC, and the failure of manual reactor depressurization. Collectively, these accident sequences account for approximately 62 percent of the ΔCDP for the event.

Inspectors identified a licensee violation related to inadequate design control for the HPCS injection valve 2E22-F004; however, the NRC exercised enforcement discretion because no licensee performance deficiency was identified. Specifically, inspectors determined that this issue was not within the licensee's ability to foresee and correct. The determination was partially based on the fact that it was a latent design issue that had not been previously identified within the industry. Since no licensee performance deficiency was identified for this event, an independent ASP analysis was required.

Summary of Analysis Results.

This operational event resulted in a best estimate of an increase in ΔCDP of 1.75×10⁻⁵.

Non-Concurrence. Non-concurrence 2018-02 (ADAMS Accession No. ML18157A263), related to the LSCS ASP report was processed. The NRC has a process (Management Directive 10.158, ADAMS Accession No. ML13176A371), that permits employees to raise concerns and differing views and have them considered without the fear of reprisal. A concern was raised about the ASP report lacking human reliability analysis (HRA) for dependency related to loss of feedwater accident sequences that account for approximately 62 percent of the ΔCDP for the event. There appears to be unaccounted for dependency between key human actions in the probabilistic risk assessment for the LSCS ASP evaluation in regards to the occurrence of the two human actions in the same risk cut set. For the event under consideration, there are several cut sets involving both an operator's failure to effect high-pressure injection with RCIC, then followed by the operator's similar and subsequent failure to depressurize in support of low-pressure injection. When dependency exists, the event analysis must quantify the effect on the event's change in ΔCDP using the NRC's Standardized Plant Analysis Risk-Human Reliability Analysis (SPAR-H) procedures. The ASP report, as written, indicates the two actions are independent and, therefore, do not require further HRA dependency consideration.

Non-Concurrence 2018-02 is based upon the belief that dependency exists, to some degree, and that the event analysis does not take this into consideration. The nonconcurrence was dismissed by NRC management since dependency had not been demonstrated as being more likely than the operational assumption of independency of the human actions. The ASP analysis is consistent with the independence assumption and the HRA dependency calculations using SPAR-H are not required.

If you have any questions, please contact me at 301-415-3308 or via e-mail at Bhalchandra.Vaidya@nrc.gov.

Sincerely,

Bhalchandra K. Vaidya, Project Manager
Plant Licensing Branch III
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket No. 50-374

Enclosures:

1. Final Accident Sequence Precursor Analysis - LaSalle County Station (Unit 2), High-Pressure Core Spray System Inoperable due to Injection Valve Stem-Disc Separation

2. Non-Concurrence on Final ASP Program Analysis Precursor High Pressure Core Spray System Inoperable due to Injection Valve Stem Disc Separation LaSalle County Station, Unit 2 NCP-2018-002

cc: Listserv

ENCLOSURE 1

FINAL ACCIDENT SEQUENCE PRECURSOR ANALYSIS - LASALLE COUNTY STATION (UNIT 2), HIGH-PRESSURE CORE SPRAY SYSTEM INOPERABLE DUE TO INJECTION VALVE STEM-DISC SEPARATION (LER 374-2017-003) - PRECURSOR

LASALLE COUNTY STATION, UNIT 2

DOCKET NO. 50-374

Final ASP Program Analysis - Precursor

LaSalle County Station, Unit 2: High-Pressure Core Spray System Inoperable due to Injection Valve Stem-Disc Separation

Event Date: 2/11/2017
LERs: 374-2017-003-01, 374-2017-001, 374-2017-002
IR: 05000374/2017009
ΔCDP = 2×10⁻⁵
Plant Type: General Electric 5 Boiling-Water Reactor (BWR) with a Mark II Containment
Plant Operating Mode (Reactor Power Level): Mode 5 (0% Reactor Power)
Analyst: DEY 3/22/2018 Reviewer: Approval Date:
Non-Concur: ADAMS ML18157A263 Christopher Hunter 6/27/2018

EXECUTIVE SUMMARY

During a refueling outage with the reactor in mode 5, the Unit 2 high-pressure core injection (HPCS) system was declared inoperable on February 8, 2017, to support performance of a water leak rate test and stem lubrication/rotation check of the HPCS injection valve 2E22-F004.

On February 11th, while attempting to fill and vent the HPCS system, no flow was observed from the drywell vent valves or downstream of valve 2E22-F004. Valve 2E22-F004 was cycled to verify the valve was open; however, no air or water was observed from the drywell vents.

Troubleshooting revealed that there was no flow downstream of valve 2E22-F004. Operators determined that valve 2E22-F004 failed sometime after the successful leak rate tests on February 8, 2017, when the valve was cycled successfully five times, and most likely during the fill and vent sequence. Prior to this failure, valve 2E22-F004 was not operated since the plant's last refueling outage in 2015. The licensee concluded the cause of the valve malfunction was due to stem-disc separation. The valve internal components were replaced prior to restart of the unit from the refueling outage.

This exposure period in which HPCS was unavailable is a significant modeling uncertainty for this accident sequence precursor (ASP) analysis. The duration of the exposure period is based on the length of time that the HPCS system would have been unavailable to perform its safety function. In this case, whether the HPCS system would have been able to perform its safety function is dependent on whether it would have been expected to cycle a greater number of times than it was successfully cycled since the 2015 refueling outage and prior to the observed failure. During a postulated loss of feedwater event with RCIC unavailable, the HPCS injection valve will automatically cycle a number of times after a reactor trip as reactor water level alternates between Level 2 (reactor water low level setpoint) and Level 8 (reactor water level high setpoint). If operators take manual control to maintain reactor water level, the number of HPCS/HPCI system cycles will increase depending on how close to the level setpoints reactor water level is maintained.

In licensee event report (LER) 374-2017-003-01 (Ref. 1), the licensee states that only four injection cycles are needed to maintain the design function of HPCS. No additional information was provided in the LER that supported this conclusion. Operating experience is limited on the number of HPCS cycles during loss of feedwater events with a RCIC unavailability because they are relatively rare. In addition, data on the number of HPCS cycles is not typically included in LERs and other readily available data sources. However, a loss of offsite power (LOOP) event with a subsequent RCIC unavailability occurred at Perry Nuclear Power Plant in 2003 involving 16 HPCS cycles prior to operators initiating shutdown cooling. Relevant thermal-hydraulic calculations performed as part of NUREG-1953, "Confirmatory Thermal-Hydraulic Analysis to Support Specific Success Criteria in the Standardized Plant Analysis Risk Models-Surry and Peach Bottom," show that high-pressure coolant injection (HPCI) would cycle eight times given a loss of feedwater and RCIC at Peach Bottom Atomic Power Station. As such, because it is expected that valve 2E22-F004 would have needed to cycle more than five times to ensure completion of the HPCS safety function, HPCS was assumed to be unable to fulfill its safety function since the plant's last refueling outage in 2015.

Therefore, the maximum exposure time of 1 year is used in this ASP analysis.

The point estimate increase in core damage probability (ΔCDP) for this event is 1.8×10⁻⁵, which is considered a precursor in the ASP Program. According to the risk analysis modeling assumptions used in this ASP analysis, the most likely core damage scenarios involve initiating events that result in a loss of feedwater (include LOOP, loss of instrument air, etc.) and subsequent failures/unavailabilities of HPCS, reactor core isolation cooling (RCIC), and the failure of manual reactor depressurization. Collectively, these accident sequences account for approximately 62 percent of the ΔCDP for the event.

Inspectors identified a licensee violation related to inadequate design control for the HPCS injection valve 2E22-F004; however, the NRC exercised enforcement discretion because no licensee performance deficiency was identified. Specifically, inspectors determined that this issue was not within the licensee's ability to foresee and correct. The determination was partially based on the fact that it was a latent design issue that had not been previously identified within the industry. Since no licensee performance deficiency was identified for this event, an independent ASP analysis was required.

EVENT DETAILS

Event Description. During a refueling outage with the reactor in mode 5, the Unit 2 HPCS system was declared inoperable on February 8, 2017, to support performance of a water leak rate test and stem lubrication/rotation check of the HPCS injection valve 2E22-F004. On February 11th, while attempting to fill and vent the HPCS system, no flow was observed from the drywell vent valves or downstream of valve 2E22-F004. Valve 2E22-F004 was cycled to verify the valve was open; however, no air or water was observed from the drywell vents. Troubleshooting revealed that there was no flow downstream of valve 2E22-F004. Prior to this fill and vent sequence, the HPCS system had been taken out of service for leak rate testing and then drained for relief valve work. The leak rate tests (which involved cycling valve 2E22-F004 open and closed) all passed satisfactorily. Upon completion of those tests, the system was drained from the drywell down to the pump suction. System parameters observed during the leak rate tests provided firm evidence that the HPCS injection isolation valve satisfactorily cycled as designed. Therefore, operators determined that valve 2E22-F004 failed sometime after the successful leak rate tests, when the valve was cycled successfully five times, and most likely during the fill and vent sequence. The licensee concluded the cause of the valve malfunction was due to stem-disc separation. The valve internal components were replaced prior to restart of the unit from the refueling outage. Additional information regarding this event can be found in LER 374-2017-003-01 (Ref. 1) and inspection report (IR) 05000374/2017009 (Ref. 2).

Cause. The licensee determined the root cause of the HPCS injection valve 2E22-F004 malfunction was due to stem-disc separation. The valve stem threads and wedge pin were found to be damaged, causing separation from the valve disc. The stem-disc separation was due to insufficient capacity of the shrink-fit stem collar, combined with multiple high-load closing cycles (with both axial thrust and torque components), resulting in loosening and eventual shear failure of the wedge pin and threads. A contributing cause was insufficient preload and insufficient capacity of the stem collar and wedge pin assembly. In particular, the collar axial load capacity was 50-60 percent of the normal applied loads, allowing collar slippage along the stem to occur. The inspection report stated that the licensee incorrectly identified the weak link of the valves as the valve stem, instead of the stem-to-wedge threaded and pinned connection, which had a more limiting structural capacity.

MODELING ASSUMPTIONS

Basis for ASP Analysis/SDP Results. The ASP Program uses Significance Determination Process (SDP) results for degraded conditions when available and as applicable. However, an independent ASP analysis is performed for potentially risk significant events when no licensee performance deficiency is identified (i.e., no SDP risk analysis is completed).

The NRC conducted a special inspection for the event associated with LER 374-2017-003-01 in accordance with Management Directive 8.3, "NRC Incident Investigation Program."¹ A violation related to inadequate design control for the HPCS injection valve 2E22-F004 was identified; however, the NRC exercised enforcement discretion because no licensee performance deficiency was identified. Specifically, NRC inspectors determined that this issue was not within the licensee's ability to foresee and correct. The determination was partially based on the fact that it was a latent design issue that had not been previously identified within the industry. See IR 05000374/2017009 for additional information. An independent ASP analysis is required because no licensee performance deficiency was identified for this event.

A search of LaSalle County Station (Unit 2) LERs revealed the following potential "windowed" events:

  • LER 374-2017-001 (Ref. 3) is associated with a reactor scram that occurred on January 23, 2017. Operators manually scrammed the reactor due to a main generator run-back caused by a generator stator winding cooling system malfunction. All equipment functioned as designed in response to this event; however, HPCS would have failed to fulfill its safety function if demanded due to its failed injection valve 2E22-F004. An initiating event assessment shows that a reactor scram without HPCS results in a conditional core damage probability of 3×10⁻⁶. The risk of this initiating event assessment sensitivity case is lower than the ΔCDP of the condition assessment of HPCS unavailable for 1 year (3×10⁻⁵). Therefore, this "windowed" event is not considered further as part of this analysis.
  • LER 374-2017-002 (Ref. 4) is associated with a potential unavailability of the HPCS system caused by stem-disc separation of a diesel generator cooling water system backwash valve. Because the HPCS system was already unavailable due to the failed injection valve 2E22-F004, this "windowed" event is not considered further as part of this analysis.

¹ Four deterministic criteria were met because the event: involved a major deficiency in design, construction, or operation having potential generic safety implications; led to the loss of a safety function or multiple safety failures in systems used to mitigate an actual event; involved possible adverse generic implications; and involved repetitive failures or events involving safety-related equipment or deficiencies in operations. The risk evaluation for this degraded condition resulted in a ΔCDP of 2.5×10⁻⁵. Based on the deterministic criteria met and the results of the risk evaluation, a special inspection was performed.

Analysis Type. A condition assessment was performed using a newly created trial and limited use LaSalle standardized plant analysis risk (SPAR) model Revision 8.52, created on February 21, 2017.

Exposure Period. On February 11, 2017, the HPCS injection valve 2E22-F004 was found to be failed in closed position due to stem-disc separation. This valve was successfully cycled just three days earlier on February 8th. Prior to this, valve 2E22-F004 was not operated since the plant's last refueling outage in 2015.² During postulated initiating events in which feedwater is unavailable, HPCS and RCIC systems can provide a source of high-pressure inventory makeup to the reactor. If RCIC is available, it is typically the preferred source for reactor water level control because it is easier to control (as compared to HPCS).³ The risk impact of HPCS being unavailable is minimal as long as RCIC is available for most scenarios (with the exception of loss-of-coolant accidents).⁴ If RCIC is unavailable, then HPCS is the sole source of high-pressure injection into the reactor.⁵ The duration of the exposure period is based on the length of time that the HPCS system would have been unavailable to perform its safety function. In this case, whether the HPCS system would have been able to perform its safety function is dependent on whether it would have been expected to cycle a greater number of times than it was successfully cycled since the 2015 refueling outage and prior to the observed failure. During a postulated loss of feedwater event, the HPCS injection valve will automatically cycle a number of times after a reactor trip as reactor water level alternates between Level 2 (reactor water low level setpoint) and Level 8 (reactor water level high setpoint). In LER 374-2017-003-01, the licensee states that only four injection cycles are needed to maintain the safety function of HPCS. No additional information was provided for this assumption.

Operating experience is limited on the number of HPCS cycles during events where feedwater and RCIC are both lost because these events are relatively rare. In addition, data on the number of HPCS (or HPCI) system cycles is not typically included in LERs and other readily available data sources. However, an applicable event that included the relevant information occurred at Perry Nuclear Power Plant. Specifically, LER 440-2013-002-01 describes the LOOP event that occurred on August 14, 2003, due to the Northeast Blackout. During the event response, both HPCS and RCIC were initiating when reactor water level decreased to reactor water low level setpoint (Level 2). Use of RCIC was discontinued after one injection cycle because continued use would have resulted in an automatic isolation of RCIC due to high steam tunnel temperature (caused by a loss of ventilation as a result of the LOOP). HPCS was cycled a total of 16 times prior to operators initiating shutdown cooling.

² The valve is only opened during testing when the plant is shut down or actual system demands (i.e., HPCS inject to the reactor).

³ Typically, HPCS has a flow rate approximately an order-of-magnitude greater than RCIC.

⁴ During a small loss-of-coolant accident, RCIC can provide initial reactor inventory control; however, a source of low-pressure injection is needed to bring the plant to a safe/stable end-state. The HPCS system capacity is sufficient to bring the plant to safe/stable end state (along with suppression pool cooling) during a small loss-of-coolant accident.

⁵ The control rod drive system can also provide high-pressure inventory makeup to the reactor. However, its flow rate is typically not sufficient to provide reactor water level control immediately after a reactor trip. Therefore, it is not typically credited for early high-pressure injection in most PRAs.

Another source of information that provides an estimate on the number of HPCS/HPCI system cycles is thermal-hydraulic calculations. NUREG-1953, "Confirmatory Thermal-Hydraulic Analysis to Support Specific Success Criteria in the Standardized Plant Analysis Risk Models-Surry and Peach Bottom," provides some relevant calculations for Peach Bottom Atomic Power Station. Case 7, a LOOP and subsequent station blackout with RCIC unavailable, estimates that HPCI would cycle eight times. The Surry and Peach Bottom plants are relevant due to the availability of mature and well exercised MELCOR input models arising from the State-of-the-Art Reactor Consequence Analyses (SOARCA) project. This calculation assumes HPCI system is cycled automatically between Level 2 and Level 8. If operators take manual control to maintain reactor water level, the number of HPCS/HPCI system cycles will increase.⁶ Based on this information, the best estimate case for this ASP analysis assumes that HPCS was unable to fulfill its safety function since the plant's last refueling outage in 2015. Therefore, the maximum exposure time of 1 year is used. This assumption is considered a key modeling uncertainty.

SPAR Model Modifications. The following SPAR model corrections (unrelated to the analysis) were made to update and create the test and limited use model for the condition analysis:

  • Changes were made to the DGO (LaSalle diesel generator 0) fault tree associated with the emergency diesel generator (EDG) 0 that can be aligned to either unit. The "swing" EDG will align preferentially to the unit that has a LOOP with an ECCS actuation signal. To account for the potential that the "swing" EDG may be unavailable to Unit 2 due to a LOOP with a subsequent loss-of-coolant accident (LOCA), the modeling associated with the failure of the opposite unit safety relief valves (SRV) failure to reclose during a site-wide LOOP was modified. New basic events were added for the SRVs from the opposite unit to replace the modeling of the SRVs in the same unit undergoing the LOOP. The following basic events were inserted under the existing OR gate DG030 (see Figure B-1 in Appendix B):

PPR-SVR-00-1VLVU1, One BWR SRV Fails to Close on Opposite Unit

PPR-SVR-00-2VLVU1, Two or More BWR SRV Fails to Close on Opposite Unit

PPR-SVR-00-3VLVU1, Three or More BWR SRV Fails to Close on Opposite Unit

  • Additional changes were made to the DGO fault tree to include the probability of the LOOP affecting both units that could result in the transfer of the "swing" EDG to the opposite unit in the event of stuck-open SRV(s) in the opposite unit during a site-wide LOOP. House basic events triggered by various site-wide LOOP events were inserted under new AND gates under the existing OR gate DG031 (see Figure B-1 in Appendix B):

OEP-VCF-LP-SITEGR, Site LOOP (Grid-Related)

OEP-VCF-LP-SITEWR, Site LOOP (Weather Related)

OEP-VCF-LP-SITESC, Site LOOP (Switchyard Centered)

OEP-VCF-LP-SITEPC, Site LOOP (Plant Centered)

⁶ Discussions with NRC inspectors indicate that the number of HPCS system cycles could be between 20-40 during a postulated loss of feedwater transient with RCIC unavailable. The number of cycles would depend on how close operators maintain reactor water level between the Level 2 and Level 8 setpoints and how quickly shutdown cooling could be initiated.

Key Modeling Assumptions. The following assumptions were determined to be significant to the modeling of this event:

  • Basic event HCS-MOV-CC-F004 (HPCS injection valve fails to open) was set to TRUE because HPCS injection valve 2E22-F004 was failed in the closed position due to the stem-disc separation.

Dependency. The most likely core damage scenarios for this event involve initiating events with human performance aspects that result in a loss of feedwater (include LOOP, loss of instrument air, etc.) and subsequent failures/unavailabilities of HPCS, RCIC, and the failure of manual reactor depressurization using the automatic depressurization system. These three systems are designed to initiate automatically; however, if the automatic start/control functions fail (or under certain conditions) these systems can be controlled manually by operators. Generally speaking, dependence may exist when the failure of a human action in an accident sequence or cut set potentially increases the likelihood of failure of a later human action. The dominant cut sets for this analysis that contained multiple human failure events were reviewed to determine the potential for dependency. Based on this review, it was concluded that dependency was either unlikely for the applicable cut sets or the explicit treatment of dependency would not result in a significant change in the numerical results of the analysis.

ANALYSIS RESULTS

ΔCDP. The point estimate ΔCDP for this event is 1.75×10⁻⁵. The ASP Program acceptance threshold is a CCDP of 1×10⁻⁶ for degraded conditions. Therefore, this event is a precursor.

Dominant Sequence. The dominant accident sequence is a loss of main feedwater sequence 59 (ΔCDP = 4.81×10⁻⁶) that contributes approximately 27 percent of the total internal events ΔCDP. This sequence is shown graphically in Figure A-1. The sequences that contribute at least 1 percent of the total internal events ΔCDP are provided in the following table.

Dominant Sequences with Event Descriptions

| Sequence | ΔCDP | Percentage | Description |
|---|---|---|---|
| LOMFW 59 | 4.81×10⁻⁶ | 27.49% | Loss of main feedwater; successful reactor trip; SRVs operate and successfully close; HPCS fails; RCIC fails; and reactor depressurization fails |
| LOOP 40 | 2.22×10⁻⁶ | 12.70% | Loss of offsite power (all types); successful reactor trip; EDG loads; SRVs operate and successfully close; HPCS fails; RCIC fails; and reactor depressurization fails |
| LOOP 19 | 1.56×10⁻⁶ | 8.91% | Loss of offsite power; successful reactor trip; EDG loads; SRVs operate and successfully close, HPCS fails; RCIC injects; suppression pool cooling fails; successful depressurization; shutdown cooling fails; containment spray fails; containment venting fails |
| LOIAS 56 | 1.06×10⁻⁶ | 6.06% | Loss of instrument air; successful reactor trip; offsite power available, SRVs operate and successfully close; HPCS fails; RCIC fails; and reactor depressurization fails |
| MLOCA 14 | 9.25×10⁻⁷ | 5.29% | Medium loss of coolant accident; successful reactor trip; HPCS fails; depressurization fails |
| TRANS 66 | 7.17×10⁻⁷ | 4.10% | General transient; successful reactor trip; offsite power available; SRVs operate and successfully close; turbine bypass fails to remove heat, feedwater failure, HPCS fails; RCIC fails; and reactor depressurization fails |
| LOOP 43-25 | 5.92×10⁻⁷ | 3.38% | Loss of offsite power (all types), successful reactor trip; onsite emergency power fails; SRVs operate and successfully close; recirculation pump seal fails; HPCS fails; RCIC injects; refill condensate storage tank (CST) to extend RCIC; successful DC load shed; recover offsite power in 7 hours, recover EDG in 7 hours |
| LOSWS 27 | 4.78×10⁻⁷ | 2.73% | Loss of service water; successful reactor trip, offsite power available, SRVs operate and successfully close, HPCS fails, RCIC injects; suppression pool cooling fails; successful depressurization; low pressure injection succeeds; shutdown cooling fails; service water recovery fails; low pressure injection fails |
| LOMFW 60-29 | 4.65×10⁻⁷ | 2.66% | Loss of main feedwater; successful reactor trip; offsite power available; HPCS fails; RCIC fails; failure to depressurize |
| LOSWS 58-12 | 3.75×10⁻⁷ | 2.14% | Loss of service water, successful reactor trip; offsite power available; loss of feedwater; HPCS fails; RCIC injects; low pressure injection succeeds; suppression pool cooling fails; containment spray fails; service water recovery fails |
| LOSWS 57 | 3.73×10⁻⁷ | 2.13% | Loss of Service Water, successful reactor trip; offsite power available; SRVs operate and successfully close; HPCS fails; RCIC fails; and reactor depressurization fails |
| LOIAS 57-12 | 3.65×10⁻⁷ | 2.09% | Loss of instrument air; successful reactor trip; offsite power available; loss of feedwater; HPCS fails; RCIC injects; low pressure injection succeeds; suppression pool cooling fails; containment spray fails; instrument air recovery fails |
| TRANS 69-40 | 2.89×10⁻⁷ | 1.65% | General transient; successful reactor trip; Consequential loss of offsite power; EDG loads; SRVs operate and successfully close; HPCS fails; RCIC fails; and reactor depressurization fails |
| LODCA 69 | 2.47×10⁻⁷ | 1.41% | Loss of vital DC bus, successful reactor trip, offsite power available, SRVs operate and successfully close; turbine bypass fails to remove heat, main feedwater fails; HPCS fails; RCIC fails; and reactor depressurization fails |
| LOIAS 26 | 2.36×10⁻⁷ | 1.35% | Loss of instrument air; successful reactor trip; offsite power available; SRVs operate and successfully close; HPCS fails; RCIC injects; suppression pool cooling fails; depressurization successful; low pressure injection succeeds; shutdown cooling fails; instrument air recovery fails; late injection fails |
| LOCHS 65 | 1.97×10⁻⁷ | 1.13% | Loss of condenser heat sink; successful reactor trip, offsite power available; SRVs operate and successfully close; main feedwater fails; HPCS fails; RCIC fails; and reactor depressurization fails |
| LOOPGR 43-31 | 1.81×10⁻⁷ | 1.03% | Grid-related LOOP; successful reactor trip; emergency power fails; SRVs operate and successfully close; recirculation pump seals maintained; HPCS fails; RCIC fails; offsite power recovery in 30 minutes fails, emergency power recovery in 30 minutes fails |
| LOOPGR 31 | 1.80×10⁻⁷ | 1.03% | Grid-related LOOP; successful reactor trip; SRVs operate and successfully close; HPCS fails; RCIC fails; successful depressurization; low pressure injection succeeds; suppression pool cooling fails; shutdown cooling fails; containment spray fails; containment venting fails; late injection fails |

REFERENCES

1. LaSalle County Station, "LER 374/2017-003-01 - High Pressure Core Spray System Inoperable due to Injection Valve Stem-Disc Separation," dated August 9, 2017 (ADAMS Accession No. ML17236A160).
2. U.S. Nuclear Regulatory Commission, "LaSalle County Station, Units 1 and 2 - Special Inspection Team Report and Exercise of Discretion: Inspection Report 05000374/2017009," dated August 31, 2017 (ADAMS Accession No. ML17243A098).
3. LaSalle County Station, "LER 374/2017-001 - Manual Reactor Scram due to Turbine-Generator Run-Back Caused by Stem-Disc Separation in Stator Water Cooling Heat Exchanger Inlet Valve," dated March 24, 2017 (ADAMS Accession No. ML17083A122).
4. LaSalle County Station, "LER 374/2017-002 - High Pressure Core Spray System Declared Inoperable due to Cooling Water Strainer Backwash Valve Stem-Disc Separation," dated March 31 (ADAMS Accession No. ML17089A657).

Appendix A: Key Event Tree

[Figure A-1. LaSalle Loss of Main Feedwater Event Tree]

Appendix B: Model Changes

[Figure B-1. Revised DGO Fault Tree]

ML18157A263 *Non-Concurrence date (NCP-2018-002)

OFFICE | RES/DRA/PRB | RES/DRA/PRB | RES/DRA/PRB | RES/DRA
NAME | D. Yeilding | A. Gilbertson | F. Gonzalez | M. Cheok
Non-Concur (via email)
DATE | 03/22/18* | 06/05/18 | 06/27/18 | 06/28/18

ENCLOSURE 2

NON-CONCURRENCE ON FINAL ASP PROGRAM ANALYSIS PRECURSOR
HIGH PRESSURE CORE SPRAY SYSTEM INOPERABLE DUE TO INJECTION VALVE STEM DISC SEPARATION
NCP-2018-002
LASALLE COUNTY STATION, UNIT 2
DOCKET NO. 50-374

NON-CONCURRENCE PROCESS COVER PAGE

The U.S. Nuclear Regulatory Commission (NRC) strives to establish and maintain an environment that encourages all employees to promptly raise concerns and differing views without fear of reprisal and to promote methods for raising concerns that will enhance a strong safety culture and support the agency's mission.

Employees are expected to discuss their views and concerns with their immediate supervisors on a regular, ongoing basis. If informal discussions do not resolve concerns, employees have various mechanisms for expressing and having their concerns and differing views heard and considered by management.

Management Directive, MD 10.158, "NRC Non-Concurrence Process," describes the Non-Concurrence Process (NCP), http://nrcweb.nrc.gov:8600/policy/directives/catalog/md10.158.pdf.

The NCP allows employees to document their differing views and concerns early in the decision-making process, have them responded to (if requested), and attach them to proposed documents moving through the management approval chain to support the decision-making process.

NRC Form 757, "Non-Concurrence Process" is used to document the process.

Section A of the form includes the personal opinions, views, and concerns of a non-concurring NRC employee.

Section B of the form includes the personal opinions and views of the non-concurring employee's immediate supervisor.

Section C of the form includes the agency's evaluation of the concerns and the agency's final position and outcome.

NOTE: Content in Sections A and B reflects personal opinions and views and does not represent official factual representation of the issues, nor official rationale for the agency decision. Section C includes the agency's official position on the facts, issues, and rationale for the final decision.

At the end of the process, the non-concurring employee(s):

[ ] Concurred
[X] Continued to non-concur
[ ] Agreed with some of the changes to the subject document, but continued to non-concur
[ ] Requested that the process be discontinued

[ ] The non-concurring employee(s) requested that the record be non-public.
[X] The non-concurring employee(s) requested that the record be public.

[ ] This record is non-public and for official use only.
[X] This record has been reviewed and approved for public dissemination.

NRC FORM 757
NRC MD 10.158 (11-2018)
U.S. NUCLEAR REGULATORY COMMISSION
NON-CONCURRENCE PROCESS

NCP TRACKING NUMBER: NCP-2018-002
NCP PM 03/26/18

SECTION A - TO BE COMPLETED BY NON-CONCURRING EMPLOYEE

TITLE OF SUBJECT DOCUMENT: Final ASP Program Analysis-Precursor LaSalle County Station, Unit 2, HPCS System Inoperable
ADAMS ACCESSION NO.: ML18072A326

DOCUMENT SIGNER: Michael Cheok
SIGNER TELEPHONE NO.: (301) 415-04S2
TITLE: RES/DRA Division Director
ORGANIZATION: RES/DRA

NAME OF NON-CONCURRING EMPLOYEE(S): Dale Yeilding
TELEPHONE NUMBER: (301) [illegible]
TITLE: Reliability & Risk Engineer
ORGANIZATION: RES/DRA

[X] DOCUMENT AUTHOR   [ ] DOCUMENT CONTRIBUTOR   [ ] DOCUMENT REVIEWER   [ ] ON CONCURRENCE

NON-CONCURRING EMPLOYEE'S SUPERVISOR: Anders Gilbertson
TITLE: Acting RES/DRA/PRB Branch Chief
ORGANIZATION: RES/DRA/PRB

[X] I WOULD LIKE MY NON-CONCURRENCE CONSIDERED AND WOULD LIKE A WRITTEN EVALUATION IN SECTION B AND C.
[ ] I WOULD LIKE MY NON-CONCURRENCE CONSIDERED, BUT A WRITTEN EVALUATION IN SECTIONS B AND C IS NOT NECESSARY.

WHEN THE PROCESS IS COMPLETE, I WOULD LIKE THE NCP FORM: [X] PUBLIC   [ ] NON-PUBLIC

REASONS FOR THE NON-CONCURRENCE, POTENTIAL IMPACT ON MISSION, AND THE PROPOSED ALTERNATIVES (use continuation pages or attach Word document)

See attached Non-Concurrence - PRA Human Dependency

SIGNATURE: [signed] Dale Yeilding
DATE: [illegible]

Non-Concurrence - PRA Human Dependency

Document - Final Report for the Accident Sequence Precursor (ASP) Program Analysis for LaSalle County Station, Unit 2: High-Pressure Core Spray (HPCS) System Inoperable due to Injection Valve Stem-Disc Separation, (ADAMS ML#18072A326); Licensee Event Report (LER) 374-2017-003-01; Inspection Report 05000374/2017009.

Subject of Disagreement - Whether or not dependency exists in a Probabilistic Risk Assessment (PRA) when two human actions appear in the same cutset for the LaSalle event PRA analysis. Specifically for the subject event, there are several cutsets involving an operator's failure to high pressure inject with Reactor Core Isolation Cooling (RCIC) followed by the operator failure to depressurize in support of low pressure injection. When dependency exists, the event analysis must quantify the effect on the event's change in core damage probability (ΔCDP) using the agency's Standardized Plant Analysis Risk-Human Reliability Analysis SPAR-H procedures. The current ASP report incorrectly indicates the two actions are independent, not requiring Human Reliability Analysis (HRA) dependency consideration. This non-concurrence is based upon dependency existing to some degree and the event analysis not taking this into consideration which is reflected in a sensitivity study in the table below.

Background - The Risk Assessment of Operational Events Handbook (RASP) Volume 1 (ML17348A149) Section 9.4 describes dependency:

Determination of Dependency. Simply stated, dependence may exist when factors that contribute to the occurrence of one Human Failure Event (HFE) may affect the likelihood of a second HFE. Dependence at the HFE level occurs when operators have an incorrect mental model about the situation (or diagnosis of the event) and that incorrect mental model persists across time. Therefore, as dependence arises from operator mindset, the key to postulating dependence between human actions is postulating a single mindset that spans HFEs. Simply having two or more HFEs together in a sequence or cut set does not make them dependent.

It is expected that the qualitative analysis and resulting context and operational story should help to identify the existence of compelling reasons for dependence. The analyst should be on the lookout for situations in which operators develop an incorrect mindset about the situation and identify ways in which that mindset can be corrected to break dependence. Analysts should review the situation and context carefully and consider, for example, the following factors allow for an opportunity to minimize or break dependence:

- Time (to allow forgetting and emptying of working memory). The analyst must consider time available to implement recovery actions against the time required to determine the influence of this factor on dependency. For example, whereas ten minutes may have no impact, one or more shift turnovers may have a significant influence on dependency.

- Location (introducing new information, potentially interrupting the erroneous mindset),

- Different persons or crew (allows for new mindset to develop), and

- Cues (stimulate the human to think differently).

The operator would be maintaining reactor level after an event using emergency procedure, LGA-001, Reactor Pressure Vessel (RPV) - Control. This procedure is in the agency's Incident Response elibrary. The "Level" sequence of this emergency procedure states, "control RPV water level between 11 inches and 59.5 inches using any of the systems listed below". Both RCIC and low pressure systems (requiring depressurization) are listed. Considering the RASP four factors from above, it is not evident how a possible break in dependency (operator mindset) can be justified:

- Close in time with an imminent need to low pressure inject following RCIC failure,

- RCIC operation and depressurization are initiated in same location, (control room),

- Same crew, since a shift change would be unlikely to occur during the event,

- Procedure LGA-001 does not identify specific cues.

Change in Core Damage Probability (ΔCDP) - The analysis results currently reported in the draft ASP report for the LaSalle 1-year loss of HPCS, indicate the event ΔCDP of 1.75E-5 without considering dependency. Using the NRC SPAR-H procedures applying Complete or High dependency, the ΔCDP increases by an order of magnitude.

Using the above factors with the SPAR-H HRA Worksheet, Part IV Dependency Condition Table, "Complete" dependency is identified. SPAR-H then requires the operator failure to depressurize basic event, ADS-XHE-XM-MDEPR probability of 5E-4 to be replaced with a value of 1.

Sensitivity Study

Dependency | ΔCDP
None | 1.75E-5
Moderate | 5.01E-5
High | 1.32E-4
Complete | 2.46E-4

Justification and Supporting Facts

1. Management Misinformed - RES/DRA managers were misinformed that the basic events for the RCIC human response were quantified by combining both RCIC equipment failure rates with human response failure rates. Which in fact is not true.

RCI-XHE-XL-RSTRT, operator fails to recover/restart RCIC, 2.5E-1
RCI-XHE-XL-XFER, operator fails to recover RCIC failure to transfer, 2.5E-1
RCI-XHE-XM-OPERATE, operator fails to start/control RCIC injection, 2E-3

The first two basic events involving restart and transfer were quantified from a 1999 RCIC study/report: NUREG/CR-5500, Vol.7 Reliability Study: Reactor Core Isolation Cooling System, 1987-1993 that collected data associated with both the automatic and manual failures of the RCIC system. These were actual equipment failures reported in LERs and had no HRA associated with human performance factored into the failure probabilities. e.g., there were no performance shaping factors established. The RCIC HFE of an operator failure to initiate RCIC would not even be reportable in an LER.

Thus only actual RCIC system equipment failures were factored into the failure probability value for the restart and transfer basic events. Equipment boundaries by definition include the failure of control logic in addition to failures of the component.

These two basic events should not have been labeled with the "XHE" in their name since there is no associated operator failure.

The third basic event involving the operator fails to start/control RCIC injection is truly a pure human failure event with the LaSalle SPAR report depicting the performance shaping factors used to quantify the basic event's failure probability. Thus, this RCIC-XHE-XM-OPERATE basic event should be analyzed where it appears several times in the same cutset along with the operator failure to depressurize to support low pressure injection.

2. Minimum Joint Human Event Probability (JHEP) - Since two human failure events (HFE) appear together in several cutsets the RASP minimum value should be applied.

JHEP = RCI-XHE-XM-OPERATE x ADS-XHE-XM-MDEPR
JHEP = 2E-3 x 5E-4
JHEP = 1E-6 (which is below the minimum 1E-5)

The NRC has recommended a minimum JHEP of 1E-5 in the RASP, Volume 1 Section 9.4 and also in NUREG 1792, Section 5.3.3.6 Good Practice #6: Account for Dependencies Among Post-Initiator HFEs. The Electric Power Research Institute (EPRI) also provides guidance on the treatment of JHEPs in a report titled: Establishing Minimum Acceptable Values for Probabilities of Human Failure Events (EPRI 1021081).

This topic is currently being considered by both the NRC and Industry Risk Informed Steering Committees (RISC).

Human failure events below the minimum JHEP were also documented five years ago in a LaSalle ASP Report associated with a loss of offsite power, Final ASP Precursor Analysis LaSalle County Station Unit 1 and Unit 2, Dual Unit Loss of Offsite Power Due to Lightning Strike, ADAMS ML#15070A232. There has been little NRC nor industry progress in the subsequent years to reach agreed nor consistently apply a minimum JHEP.

3. SPAR Quantifies Only Half the RCIC HEP - Documented in the LaSalle SPAR Report, Version 8.52, dated December 2017 is the SPAR-H Part II worksheet "Action" performance shaping factors that combined, determine the basic event failure probabilities for the RCIC and ADS human failure events.

ADS-XHE-XM-MDEPR, operator fails to initiate reactor depressurization
RCI-XHE-XM-OPERATE, operator fails to start/control RCIC injection

What is missing from both these basic events, is the performance shaping factors for the human failure "Diagnosis" from the Part 1 SPAR-H worksheet. Diagnosis analysis begins with a larger number (1E-2) than the Action analysis (1E-3) before being adjusted by the shaping factors, and this is deemed more significant.

The SPAR documentation attempts to justify this shortcoming by:

ADS - "Diagnosis of the need for the operator to depressurize the reactor is not modeled since the actions are proceduralized and the need for action is obvious." Using this reasoning to eliminate diagnosis from HRA could possibly affect most operator actions since procedures control plant operations.

RCIC - "Diagnosis of the need for the operator to depressurize the reactor is not modeled."

This statement incorrectly correlates depressurization with RCIC and could be a typo which then leaves unjustified the missing RCIC diagnosis HRA.

SPAR-H Step By Step Guidance (ML112060305), states:

"Diagnosis for the purpose of SPAR-H quantification refers to the entire spectrum of cognitive processing, from the very complex process of interpreting information and formulating an understanding of a situation, to the very simple process of just deciding to act... Most HFEs in the SPAR models involve much more cognition than merely pushing a switch; therefore it is not appropriate to routinely exclude the Diagnosis component from HFE quantification. The only exception where it can be justified that the HFE involves no cognitive activity beyond simple action implementation is when the cognitive aspect is modeled as a separate HFE and only the execution is being considered.

It is a rare situation where Diagnosis is judged to not be a relevant contributor to the overall HEP for HFE in SPAR models. In the context of PRA in general, and SPAR models in particular, there are very few situations where a Diagnosis and an Action are not linked somehow. Action rarely occurs without Diagnosis, but it might be possible to have a Diagnosis that is not followed by an Action. Really the only question here is: is the Diagnosis represented in the PRA or SPAR model as a separate HFE, or is it combined with the Action part into a single-composite HFE?

Therefore, the default modeling in SPAR-H should include both Diagnosis (cognitive processing) and Action (execution). Justification is needed to eliminate one of these elements. This is consistent with the Good Practices for HRA (Kolaczkowski et al, 2005), which states that both screening and detailed quantification should include both Diagnosis and Execution components, unless the qualitative HRA "indicate(s) that one of these failure modes predominates the other in such a way that the effect of only one failure needs to be quantified."

The RCIC and ADS basic events should have included in their HEP value an additional risk of failure with regards to a Diagnosis HRA. The results of action and diagnosis would then be summed together to accurately reflect the combined operator risk of failing. The base LaSalle model should then be adjusted accordingly.

4. EPRI Cites 2 plants with RCIC/ADS Dependency - EPRI Report 1021081, Establishing Minimum Acceptable Values for Probabilities of Human Failure Events Practical Guidance for Probabilistic Risk Assessment, surveyed utilities and asked for examples of scenarios that involve combinations of HFEs for which the lower bound is applied. Two plants identified the failure to depressurize the RPV following failure of high-pressure injection. Thus two examples for these plants justify dependency between RCIC and depressurization.

5. LaSalle SPAR Model Acknowledges Dependency - The base LaSalle SPAR model currently invokes a rule to acknowledge a JHEP that raises the operator failure to operate HPCS when appearing in the same cutset with an operator failure to operate RCIC due to dependency. The model section is titled, "HEP Dependency Rules Section."

HCS-XHE-XO-ERROR, Operator fails to Start/Control HPCS Injection, 1E-3
HCS-XHE-XO-ERROR1, Operator fails to Start/Control HPCS Injection, 1.43E-1 is based upon moderate dependency

High Pressure Injection SPAR Model Rule

    zRCI = RCI-XHE-XM-OPERATE;
    zHCS = HCS-XHE-XO-ERROR;
    if zRCI * zHCS then
        DeleteEvent = HCS-XHE-XO-ERROR;
        AddEvent = HCS-XHE-XO-ERROR1;
    endif

Since injection with high and low pressure systems is controlled in the same step of emergency procedure, LGA-001, RPV Control, the further dependency with the operator's failure to depressurize could be assumed. Modeling RCIC/HPCS as a JHEP and not modeling RCIC/ADS as a JHEP is not consistent.

6. LaSalle SPAR Model Sensitive to Small Degradations in Operator Performance - The LaSalle SPAR Report, in Section 8.3.3.3 states that the overall plant risk is relatively sensitive to small degradations in operator performance. Thus it can be concluded that performing JHEP analyses when two human failure rates occur in the same cutset, that the resultant change in core damage probability will increase. This sensitivity is realized in this event analysis since considering Complete or High dependency between basic events for the operator failure to initiate RCIC and subsequently depressurize raises the event ΔCDP an order of magnitude.

7. Multiple RES/DRA/PRB Branch Chiefs Fail to Address Dependency - Three branch chiefs over a several week period did not support HRA for this ASP analysis of the operator's failure to inject with RCIC followed by a failure to depressurize.

The first branch chief dismissed the need for HRA due to misinformation regarding a wrong assumption that the RCIC basic events involved a combination of both equipment and human failure probabilities, (see supporting fact #1).

The second branch chief working with that same misinformation, supported development of an ASP report section explaining this deficiency.

The third branch chief was finally convinced that an expert HRA staffer should weigh-in and assist with the HRA analysis. The RES Division of Risk Assessment has a branch for Human Factors with many staff within that branch having HRA expertise. Prior to actually quantifying JHEP, guidance documentation called for first determining if dependency exists. The third branch chief formulated the question to the expert to do just that, determine if dependency exists and not quantify. Both RASP and SPAR documentation do not provide clear guidance for this determination since their focus is on quantification. The HRA expert concluded that dependency does not exist.

HRA Expert: Yes, I prefer to say they are not dependent, because the second HFE (depressurization of RCS) is only the part of ACTION without DIAGNOSIS.

The correlation for the existence of dependency relying on the SPAR model lack of addressing DIAGNOSIS is not a clear conclusion or may not even be relevant. Dependency is based upon a single operator mindset spanning two basic events and not necessarily related to the proper quantification of each basic event to include both action and diagnosis. (see support fact #3 above). The full task presented by the third branch chief along with the email thread from the HRA expert is presented in Appendix A. Since the expert did not identify any attributes that would break dependency, this non-concurrence submittal documents disagreement with the expert's determination that dependency does not exist.

Conclusion - The agency should modify the LaSalle ASP event analysis to address human dependency or more completely justify why dependency does not exist. Even though a narrow look at the SPAR-H procedures calls for complete dependency, the risk analysts may determine a lower level of dependency exists but could not accurately conclude that no dependency exists.

The agency may alternately acknowledge that the current SPAR-H procedures do not accurately identify dependency and quantify joint human failure events probabilities and their use should be suspended until adequate guidance becomes available. Agency risk analysts will face similar human dependency situations requiring HRA for JHEPs. The agency should provide a clear and accurate direction forward.

---Dale Yeilding, RES/DRA/PRB Risk and Reliability Engineer
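The dependency rule and minimum-JHEP check discussed in supporting facts 2 and 5, as an added Python example that is not part of the non-concurrence, the SPAR model or any NRC tool. It generalizes the page's "if zRCI * zHCS" rule to any pair of HFEs using the SPAR-H (NUREG/CR-6883) conditional-HEP formulas; the event names and probabilities are those quoted above, while the cut sets and the HW-PLACEHOLDER events are constructed.

```python
"""HFE dependency post-processing for PRA cut sets.

Added illustration; not NRC, SAPHIRE or SPAR-model code. Event names and
probabilities are the ones quoted on this page; the cut sets are constructed.
"""
import math

# SPAR-H conditional HEP of the second HFE, given that the first HFE has
# failed, as a function of the second HFE's independent HEP p.
DEPENDENCY_FORMULA = {
    "zero": lambda p: p,
    "low": lambda p: (1 + 19 * p) / 20,
    "moderate": lambda p: (1 + 6 * p) / 7,
    "high": lambda p: (1 + p) / 2,
    "complete": lambda p: 1.0,
}

# Independent HEPs quoted in the non-concurrence.
BASE_HEP = {
    "RCI-XHE-XM-OPERATE": 2e-3,  # operator fails to start/control RCIC injection
    "ADS-XHE-XM-MDEPR": 5e-4,    # operator fails to initiate depressurization
    "HCS-XHE-XO-ERROR": 1e-3,    # operator fails to start/control HPCS injection
}
JHEP_FLOOR = 1e-5  # minimum joint HEP the page cites from RASP Vol. 1, Sec. 9.4


def conditional_hep(p, level):
    """HEP of the dependent (second) HFE at the given SPAR-H dependency level."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"HEP must be a probability, got {p}")
    return DEPENDENCY_FORMULA[level](p)


def apply_dependency_rule(cut_set, first, second, level, probs=BASE_HEP):
    """Generalized form of the page's rule: fire only if both HFEs are present.

    Returns {event: probability} for the HFEs found in the cut set, with the
    second HFE replaced by its conditional value when the rule fires.
    """
    hfe_probs = {e: probs[e] for e in cut_set if e in probs}
    if first in hfe_probs and second in hfe_probs:
        hfe_probs[second] = conditional_hep(probs[second], level)
    return hfe_probs


def joint_hep(hfe_probs, floor=JHEP_FLOOR):
    """Return (raw product, value after the floor, whether the floor applied)."""
    raw = math.prod(hfe_probs.values())
    floored = len(hfe_probs) >= 2 and raw < floor
    return raw, (floor if floored else raw), floored


def sensitivity(cut_set, first, second):
    """Joint HEP of one cut set at every SPAR-H dependency level."""
    return {
        level: joint_hep(apply_dependency_rule(cut_set, first, second, level))[1]
        for level in DEPENDENCY_FORMULA
    }


# Constructed cut sets; hardware events are placeholders, not LaSalle model names.
CUT_SETS = [
    ("HW-PLACEHOLDER-1", "RCI-XHE-XM-OPERATE", "ADS-XHE-XM-MDEPR"),
    ("HW-PLACEHOLDER-2", "ADS-XHE-XM-MDEPR"),  # single HFE: rule must not fire
]

if __name__ == "__main__":
    for cs in CUT_SETS:
        print(" * ".join(cs))
        result = sensitivity(cs, "RCI-XHE-XM-OPERATE", "ADS-XHE-XM-MDEPR")
        for level, value in result.items():
            print(f"    {level:<9} joint HEP = {value:.3e}")
    # The moderate formula applied to HCS-XHE-XO-ERROR (1E-3) gives about
    # 0.144, in line with the 1.43E-1 quoted for HCS-XHE-XO-ERROR1.
    print(f"HCS moderate: {conditional_hep(1e-3, 'moderate'):.3e}")
```

These joint HEPs are per-cut-set values only; the ΔCDP figures in the sensitivity study come from requantifying the full model and are not reproduced here.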

Appendix A
Non-Concurrence - PRA Human Dependency
Third Branch Chief Communications with Human Reliability Analysis Expert
Task & Expert Response is Yellow Highlighted Below

From: Gilbertson, Anders
Sent: Tuesday, March 20, 2018 10:21 AM
To: Yeilding, Dale <Dale.Yeilding@nrc.gov>
Cc: Hunter, Christopher <Christopher.Hunter@nrc.gov>
Subject: RE: LaSalle Dependency - HP inject/depressurize
Importance: High

Dale,

Given Song-Hua's conclusion, please proceed with reviewing my comments and proposed changes on the LaSalle ASP analysis as written (see attachment). The redline/strikeout changes in the attached version are identical to that of the last one I sent. I would like to be able to signoff and pass this forward to Mike Cheok no later than tomorrow.

Thank you.

Anders Gilbertson
Acting Chief
Performance and Reliability Branch
Division of Risk Analysis
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Phone: 301-415-1541
Fax: 301-415-6671
Anders.Gilbertson@nrc.gov

From: Shen, Song-Hua
Sent: Tuesday, March 20, 2018 9:58 AM
To: Gilbertson, Anders <Anders.Gilbertson@nrc.gov>; Yeilding, Dale <Dale.Yeilding@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>
Cc: Hunter, Christopher <Christopher.Hunter@nrc.gov>
Subject: RE: LaSalle Dependency - HP inject/depressurize

Yes, I prefer to say they are not dependent, because the second HFE (depressurization of RCS) is only the part of ACTION without DIAGNOSIS.

Song-Hua Shen, Ph.D., PE.
Sr. Reliability & Risk Engineer
U.S. Nuclear Regulatory Commission
RES/DRA/HFRB
301-415-2034
TJOB22
Song-Hua.Shen@nrc.gov

From: Gilbertson, Anders
Sent: Tuesday, March 20, 2018 9:56 AM
To: Shen, Song-Hua <Song-hua.Shen@nrc.gov>; Yeilding, Dale <Dale.Yeilding@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>
Cc: Hunter, Christopher <Christopher.Hunter@nrc.gov>
Subject: RE: LaSalle Dependency - HP inject/depressurize

Song-Hua,

Just to be clear, in answering the question I posed, are you saying that there is no compelling reason or justification to postulate dependence for the sequences in question in the LaSalle analysis?

Anders Gilbertson
Acting Chief
Performance and Reliability Branch
Division of Risk Analysis
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Phone: 301-415-1541
Fax: 301-415-6671
Anders.Gilbertson@nrc.gov

From: Shen, Song-Hua
Sent: Tuesday, March 20, 2018 9:49 AM
To: Gilbertson, Anders <Anders.Gilbertson@nrc.gov>; Yeilding, Dale <Dale.Yeilding@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>
Cc: Hunter, Christopher <Christopher.Hunter@nrc.gov>
Subject: RE: LaSalle Dependency - HP inject/depressurize

Anders,

According to the following information:

[Image: excerpt from the SPAR model documentation describing the human failure events "OPERATOR FAILS TO INITIATE REACTOR DEPRESSURIZATION" and "OPERATOR FAILS TO START/CONTROL RCIC INJECTION" (RCI-XHE-XM-OPERATE); text not legible in the extracted copy]

These two depressurization HFEs are EXECUTION only. The diagnosis part is not modeled. In fact, diagnosis (common cognitions) is the major part of the dependency.

As the descriptions of these two HFEs, diagnosis of the need to depressurize the reactor is not modeled since the actions are procedurized. The only dependency of the HFE with the previous HFE should be "the operators do not enter the specific procedure" that can be ignored.

Song-Hua Shen, Ph.D., PE.
Sr. Reliability & Risk Engineer
U.S. Nuclear Regulatory Commission
RES/DRA/HFRB
301-415-2034
TJOB22
Song-Hua.Shen@nrc.gov

From: Gilbertson, Anders
Sent: Tuesday, March 20, 2018 8:54 AM
To: Shen, Song-Hua <Song-hua.Shen@nrc.gov>; Yeilding, Dale <Dale.Yeilding@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>
Cc: Hunter, Christopher <Christopher.Hunter@nrc.gov>
Subject: RE: LaSalle Dependency - HP inject/depressurize
Importance: High

Song-Hua,

As a follow up to our discussion yesterday afternoon and to help focus your efforts, keep in mind that at this point we are only trying to answer the following question:

  • Is there a compelling reason/justification to postulate dependence between two human failure events (HFE's) for the dominant sequences in question for the LaSalle analysis?

We are not looking to determine the level of dependence before we have a firm and compelling case that postulating dependence is warranted. As such, we are looking to answer the above question in recognition of the fact that the SPAR-H step-by-step guidance indicates that "At the HFE level, independence is more likely; dependence is the exception rather than the rule. " As such, if there is no compelling reason or justification for postulating dependence, we would be fine to simply state as much and close the issue.

The sequences in question are mostly associated with the top four sequences shown in the table of the attached draft ASP analysis report and reproduced below. The question about dependence between HFEs is associated with the failure of HPCS, RCIC, and reactor depressurization or combinations of those failures. This is because the cut sets in the LaSalle analysis include some basic events that combine the hardware and human failures. Although we recognize that such combining of failures is generally problematic and, more specifically, causes difficulty for calculating the level of dependence (if it exists) , we are not looking to fix that problem for this ASP analysis.

You indicated yesterday that you would take a look at the LaSalle SPAR model and that you would also need the relevant procedures to do your evaluation. Together with the attached draft report, is that enough information for your evaluation? If so, please let us know as soon as possible and give me an estimate of when you expect to finish your evaluation so that I can plan accordingly as we are trying to finish this analysis this week.

Thanks.

Dominant Sequences with Event Descriptions

| Sequence | ΔCDP | Percentage | Description |
|---|---|---|---|
| LOMFW 59 | 4.81×10⁻⁶ | 27.49% | Loss of main feedwater; successful reactor trip; SRVs operate and successfully close; HPCS fails; RCIC fails; and reactor depressurization fails |
| LOOP 40 | 2.22×10⁻⁶ | 12.70% | Loss of offsite power (all types); successful reactor trip; EDG loads; SRVs operate and successfully close; HPCS fails; RCIC fails; and reactor depressurization fails |
| LOOP 19 | 1.56×10⁻⁶ | 8.91% | Loss of offsite power; successful reactor trip; EDG loads; SRVs operate and successfully close, HPCS fails; RCIC injects; suppression pool cooling fails; successful depressurization; shutdown cooling fails; containment spray fails; containment venting fails |
| LOIAS 56 | 1.06×10⁻⁶ | 6.06% | Loss of instrument air; successful reactor trip; offsite power available, SRVs operate and successfully close; HPCS fails; RCIC fails; and reactor depressurization fails |

Anders Gilbertson
Acting Chief
Performance and Reliability Branch
Division of Risk Analysis
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Phone: 301-415-1541
Fax: 301-415-6671
Anders.Gilbertson@nrc.gov

From: Shen, Song-Hua
Sent: Monday, March 19, 2018 3:38 PM
To: Yeilding, Dale <Dale.Yeilding@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>
Cc: Gilbertson, Anders <Anders.Gilbertson@nrc.gov>
Subject: RE: LaSalle Dependency - HP inject/depressurize

Thanks!

Song-Hua Shen, Ph.D., PE.
Sr. Reliability & Risk Engineer
U.S. Nuclear Regulatory Commission
RES/DRA/HFRB
301-415-2034
TJOB22
Song-Hua.Shen@nrc.gov

From: Yeilding, Dale
Sent: Monday, March 19, 2018 3:37 PM
To: Shen, Song-Hua <Song-hua.Shen@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>
Cc: Gilbertson, Anders <Anders.Gilbertson@nrc.gov>
Subject: LaSalle Dependency - HP inject/depressurize

Song-Hua,

This is the link to the LaSalle RPV Control Procedure, LGA-001, and the portion snipped below for HPCS and low pressure systems.

---Dale

CAUTION: Exceeding Figures NH, NR, NL, or NC, the NPSH Limits for HPCS, RHR, LPCS, or RCIC may cause system damage.

CAUTION: Operating HPCS, LPCS, or RHR with pool level below -18 ft. may cause system damage.

Control RPV water level between 11 in. and 59.5 in. using any of the systems listed below:

  - If swell could exceed 59.5 in., control level between -30 in. and 59.5 in.
  - Check Detail I for RPV water level instrument limitations.
  - Check Figure L for RPV level isolation and trip signals.

Preferred Injection Systems

  • Feedwater
    - OK to defeat RCIC injection valve trip of TDRFPs.
  • Condensate (0-650 psig)
  • CRD (LGA-RD-01)
    - OK to defeat low suction pressure interlocks.
  • RCIC
    CAUTION: Operating RCIC with suction from the suppression pool and pool level below -11.4 ft. may cause system damage.
    CAUTION: Exceeding 180°F lube oil temperature may cause system damage.
    - Use CST suction if you can.
    - OK to defeat low RPV pressure and high area temperature isolations (LGA-RI-101/201)
  • HPCS
  • LPCS ( ~ psig)
  • LPCI (0-260 psig)
    - Use HXs as soon as you can (LGA-RH-103/203).
  • RHR shutdown cooling return (0-260 psig) (LGA-RH-101/201)
    - Use HXs as soon as you can.
    - OK to defeat shutdown cooling isolations.
  • RHR head spray (0-260 psig) (LGA-RH-102/202)
    - Use HXs as soon as you can.
    - OK to defeat shutdown cooling isolations.

Reliability Engineer
Office of Nuclear Regulatory Research
Division of Risk Analysis
301-415-0898, TWFN T-10A26

NRC FORM 757, NRC MD 10.158 (11-2016)
U.S. NUCLEAR REGULATORY COMMISSION

NON-CONCURRENCE PROCESS

NCP TRACKING NUMBER: NCP-2018-002

TITLE OF SUBJECT DOCUMENT: Final ASP Program Analysis-Precursor LaSalle County Station, Unit 2, HPCS System Inoperable

ADAMS ACCESSION NO.: ML18072A326

NAME: Anders Gilbertson

TITLE: Acting Chief

TELEPHONE NUMBER: (301) 415-1541

ORGANIZATION: RES/DRA/PRB

COMMENTS FOR THE NCP REVIEWER TO CONSIDER (use continuation pages or attach Word document)

See attached Microsoft Word document titled, "Section B Comments on Non-Concurrence NCP-2018-002 Regarding the LaSalle ASP Analysis Human Dependency."

DATE

"{/to io18

Section B Comments on Non-Concurrence NCP-2018-002 Regarding the LaSalle ASP Analysis Human Dependency

Introduction

The treatment of dependency in a human reliability analysis (HRA) for a probabilistic risk assessment (PRA) is a topic that lacks a general consensus in a number of areas. To properly identify where dependency significantly impacts a PRA, it is important to first understand the overall limitations of HRA within the Nuclear Regulatory Commission's (NRC's) standardized plant analysis risk (SPAR) models. A full independent HRA for a given plant is a complex technical effort requiring a significant amount of time and level of resources that includes accessing and evaluating the plant site and plant operators and procedures. The purpose of an HRA is to develop an estimated human error probability (HEP) for a given human failure event (HFE). Given the intended purpose and scope of the SPAR models and resources allocated for SPAR model development, a full independent HRA is not performed for most SPAR models. Instead, the NRC leverages related information from the licensees' PRA models to model operator actions in the SPAR models.

The SPAR model developers at Idaho National Laboratory (INL) largely use the HEPs calculated from a licensee's PRA for HFEs in the SPAR models. INL performs a review of a licensee's HEPs to determine whether a given HFE is too optimistic when compared to similar HFEs at other plants. Depending on the results of the review, the licensee's HEP or an industry average HEP may be used for the HFE. Current SPAR model documentation does not contain detailed information on this review process for most models; however, it does contain other HRA information for all HFEs in a given model related to the Standardized Plant Analysis Risk-Human Reliability Analysis (SPAR-H) methodology evaluations.

These SPAR-H evaluations are not derived from a full HRA and are tailored to match the HEPs selected during the previously described review process.

An additional limitation of the SPAR models with regard to HRA dependency is the treatment of dependency between HFEs in the SPAR model cut set results. Specifically, dependency between two HFEs in a given SPAR model cut set is explicitly treated only in those cases where the related licensee PRA cut sets, which the licensee shares with INL, explicitly treat dependence. There are only a few instances where licensees' PRA cut sets explicitly treat dependence between HFEs and, as such, SPAR models commonly have very few, if any, dependent HFEs.

Beyond the noted SPAR model limitations, the general issue of dependency in HRA lacks a consensus approach. However, some general high-level guidance (oral and written) is available to NRC analysts on how to address HRA dependency modeling in a PRA. Additionally, the treatment of dependency in HRA is often informed by informal internal discussions on the agency's current state of practice. The evaluation of the non-concurrence addresses the issues of dependency modeling. It is important to note that most of the issues documented in the non-concurrence are broader issues associated with the general PRA technical guidance and SPAR models in general and are not related only to the LaSalle Accident Sequence Precursor (ASP) analysis.

The remaining sections of this evaluation were developed to address each of the sections in the submitted documentation for NCP-2018-002.


Background

Two key pieces of guidance available to NRC analysts on assessing dependency between multiple HFEs in a given cut set include the Risk Assessment Standardization Project (RASP) Handbook (Volume 1, Internal Events) and the SPAR-H step-by-step guidance. The RASP Handbook provides guidance in Section 9.4 on analyzing dependencies in risk assessments for operational events and licensee performance issues, which includes ASP analyses. This guidance describes two main activities associated with analyzing dependencies, which are 1) making a determination of dependency and 2) accounting for an identified dependence. With regard to the first activity, the RASP Handbook provides a general discussion about how to treat dependency. The RASP Handbook goes on to cite the following four factors that should be considered in the context of the situation to identify opportunities to minimize or break a potential dependency.

  • Time (to allow forgetting and emptying of working memory). The analyst must consider time available to implement recovery actions against the time required to determine the influence of this factor on dependency. For example, whereas ten minutes may have no impact, one or more shift turnovers may have a significant influence on dependency.
  • Location (introducing new information, potentially interrupting the erroneous mindset),
  • Different persons or crew (allows for new mindset to develop), and
  • Cues (stimulate the human to think differently).

Additionally, the RASP Handbook makes the following statement about dependency in Section 9.4:

Simply having two or more HFEs together in a sequence or cut set does not make them dependent. It is expected that the qualitative analysis and resulting context and operational story should help to identify the existence of compelling reasons for dependence.

The SPAR-H step-by-step guidance is a supplemental guidance document that supports the use of the SPAR-H methodology. The SPAR-H step-by-step guidance includes a section on accounting for HRA dependencies, which states the following:

At the HFE level, independence is more likely; dependence is the exception rather than the rule.

Analysts should still consider whether it is present, however. Independence should not be assumed without first asking the question and considering the context of the situation. Instead, analysts should first justify why dependence is present, and then determine dependence level.

Additional guidance for assigning dependence level is still in development and not available at this time.

Additionally, the SPAR-H step-by-step guidance explicitly states the following with regard to evaluating the four factors (i.e., aspects):

All these aspects should be considered within the framework of the accident scenario context (e.g., simply having the same person, close in time, no additional cues, etc., does not necessarily mean dependence is present).

Similar to the RASP Handbook, the SPAR-H step-by-step guidance goes on to provide the following important statement, which is one of the strongest pieces of guidance to an NRC analyst regarding providing a strong justification for postulating dependence:


In a normal or familiar situation, with good procedures, no compelling reason for dependence exists. Some compelling reasons that can cause dependence (this list is not exhaustive):

  • No feedback,
  • Misleading feedback,
  • Masking of symptoms,
  • Disbelieving indications,
  • Incorrect situation assessment or understanding of the event in progress,
  • Situation mimics an often-experienced sequence,
  • Situation triggers a well-rehearsed, well-practiced response, and
  • Time demand, workload, and task complexity (such that a slip, lapse, or mistake is more likely).

In addition to these pieces of guidance, it has been communicated in senior reactor analyst counterpart meetings since 2006 that the existence of a dependence must be justified prior to applying the Technique for Human Error-Rate Prediction (THERP) dependency scheme. However, guidance on how to perform and develop a justification for dependency could be improved upon in both the RASP Handbook and SPAR-H step-by-step guidance.

In NCP-2018-002, the non-concurring individual cites the following bases for determining that the postulated dependency between the RCIC and depressurization HFEs cannot be minimized or broken, as related to the four factors cited above from the related guidance documents:

  • RCIC operation and depressurization are initiated in same location, (control room),
  • Same crew, since a shift change would be unlikely to occur during the event,
  • Procedure LGA-001 does not identify specific cues.

However, these bases by themselves do not provide a compelling reason for why dependency cannot be broken in the subject cut sets from the LaSalle ASP analysis. For example, with regard to the factor of time, a justification for why dependence between the two HFEs cannot be broken might be based on a comparison between the available time between the HFEs and the subsequent operator action (i.e., time until core damage after failure of the first action, as based on relevant thermal-hydraulics evaluations) and the time required by the operator to perform the action (i.e., including diagnosing the problem and executing the required action). Such a comparison would need to demonstrate and provide a compelling reason why there is a lack of confidence in the operator's ability to reliably perform the action within the available time, given the failure of the first action. Additionally, the justification would need to clearly explain why the dependency would not be broken by the fact that the HFEs in question relate to different safety functions, have different cues, and are driven by different procedures, all of which are common ways that a postulated dependency would be broken.

Consistent with the available guidance, the evaluation of these factors should be limited to breaking dependence, rather than using them to justify a postulated dependency. If the four factors are evaluated for the purpose of justifying dependence, it is likely that one could demonstrate strong dependence for nearly all HFE combinations, which is considered by the PRA/HRA community at large, including NRC subject matter experts, to be an unreasonable position. For example, most operator actions in the PRA are performed by the same crew (i.e., within 8 hours), in the same location (i.e., main control room), and procedures (i.e., when examined at a high enough level such as reactor trip procedure or boiling-water reactor flow charts). Because HFEs represent the entire spectrum of failures (e.g., simple slips to an incorrect operator understanding of the event), it is overly simplistic to assume that a given HFE is primarily due to incorrect operational mindset without performing a thorough evaluation justifying such an assumption. Additionally, using these factors to confirm dependence, versus breaking dependence, is similar in nature to applying the THERP dependency table itself, which should not be done prior to first determining whether a dependency exists.

It has been recognized (prior to this ASP analysis) that additional work is needed in the area of dependency. To this point, an initial effort in the form of a scoping study is currently under consideration for the purpose of determining common HFE combinations based on plant type, and work with HRA experts to determine if/how dependency needs to be explicitly treated.

Change in Core Damage Probability (ΔCDP)

The non-concurring individual cites the extreme effects of simply applying the THERP dependency table.

However, in the preliminary ASP analysis, a justification for dependency between the RCIC and depressurization HFEs was not provided, which is inconsistent with the available PRA guidance.

Additionally, no discussion of dependence was provided in the ASP report given to the Senior Analyst for review on February 15, 2018.

1. Management Misinformed

The non-concurring individual states that management was misinformed that "the basic events for the RCIC human response were quantified by combining both RCIC equipment failure rates with human response failure rates." The non-concurring individual originally briefed Performance and Reliability Branch (PRB) Chiefs and the RES Division of Risk Analysis (DRA) Division Director on the implications of this dependency. In that briefing, all three RCIC basic events were detailed as potential dependency candidates and the range of ΔCDPs was presented as follows:

Sensitivity Study for Joint Human Event Probability for the Failure to Depressurize after the Failure of RCIC

| Depressurization Dependency | Event ΔCDP* (HPCS 1-year failure) | Basic Event P_with dependency | Formula for P_with dependency |
|---|---|---|---|
| None | 1.75E-5 | n/a | P_without dependency: 5.0E-4 nominal |
| Low | 1.52E-4 | 5.05E-2 | [1 + (19 × P_wod)] / 20 |
| Moderate | 4.01E-4 | 1.43E-1 | [1 + (6 × P_wod)] / 7 |
| High | 1.34E-3 | 5E-1 | [1 + (P_wod)] / 2 |
| Complete | 2.7E-3 | 1 | 1 |

* The ASP ΔCDP for several dependency scenarios involving the failure to depressurize after RCIC failure. A SPAR model rule was developed to change the failure probability of the failure to depressurize basic event ADS-XHE-XM-MDEPR when appearing in the same cutset with a RCIC failure basic event. (23 cutsets)
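The THERP formulas in the sensitivity table, applied the way the table footnote describes (a rule that replaces the depressurization HEP whenever a RCIC failure event shares the cut set), are worked through below as an added example that is not part of the NRC analysis or the SPAR model. The cut sets, the initiating-event and hardware event names, and their probabilities are constructed; only the RCIC HFE names and HEPs, the 5.0E-4 nominal value, and the formulas come from this document.

```python
"""THERP dependency sensitivity over cut sets (added example, constructed data)."""
from math import prod

# THERP conditional-probability formulas as listed in the sensitivity table;
# p is the HEP of the second HFE without dependency.
THERP_FORMULAS = {
    "none": lambda p: p,
    "low": lambda p: (1 + 19 * p) / 20,
    "moderate": lambda p: (1 + 6 * p) / 7,
    "high": lambda p: (1 + p) / 2,
    "complete": lambda p: 1.0,
}

DEPRESS = "ADS-XHE-XM-MDEPR"   # failure-to-depressurize basic event
NOMINAL_DEPRESS_HEP = 5.0e-4   # nominal value from the table

# RCIC operator events and HEPs quoted in the document.
RCIC_HFES = {
    "RCI-XHE-XL-RSTRT": 2.5e-1,
    "RCI-XHE-XL-XFER": 2.5e-1,
    "RCI-XHE-XM-OPERATE": 2.0e-3,
}
# The one RCIC event the document says was evaluated by HRA.
HRA_ONLY = {"RCI-XHE-XM-OPERATE"}

# Constructed cut sets: event name -> probability. "IE-CONSTRUCTED",
# "RCI-HW-CONSTRUCTED" and "LP-HW-CONSTRUCTED" are hypothetical names.
CUT_SETS = [
    {"IE-CONSTRUCTED": 1e-2, "RCI-XHE-XM-OPERATE": 2.0e-3,
     DEPRESS: NOMINAL_DEPRESS_HEP},
    {"IE-CONSTRUCTED": 1e-2, "RCI-XHE-XL-RSTRT": 2.5e-1,
     DEPRESS: NOMINAL_DEPRESS_HEP},
    # Hardware-only RCIC failure: no HFE pair, so the rule must not fire.
    {"IE-CONSTRUCTED": 1e-2, "RCI-HW-CONSTRUCTED": 1e-2,
     DEPRESS: NOMINAL_DEPRESS_HEP},
    # RCIC HFE present but no depressurization HFE: nothing to adjust.
    {"IE-CONSTRUCTED": 1e-2, "RCI-XHE-XM-OPERATE": 2.0e-3,
     "LP-HW-CONSTRUCTED": 1e-3},
]


def conditional_hep(p, level):
    """HEP of the second HFE given failure of the first, per THERP level."""
    if level not in THERP_FORMULAS:
        raise ValueError(f"unknown dependency level: {level}")
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be within [0, 1]")
    return THERP_FORMULAS[level](p)


def apply_rule(cut_set, level, triggers):
    """Return a copy with the depressurization HEP adjusted if a trigger
    event appears in the same cut set; otherwise return it unchanged."""
    if DEPRESS in cut_set and any(event in cut_set for event in triggers):
        adjusted = dict(cut_set)  # never mutate the base model
        adjusted[DEPRESS] = conditional_hep(cut_set[DEPRESS], level)
        return adjusted
    return cut_set


def cut_set_total(cut_sets):
    """Rare-event approximation: sum of the cut set products."""
    return sum(prod(cs.values()) for cs in cut_sets)


def sensitivity(cut_sets, triggers):
    """Map each THERP level to (total, increase over the 'none' case)."""
    base = cut_set_total(cut_sets)
    results = {}
    for level in THERP_FORMULAS:
        total = cut_set_total(apply_rule(cs, level, triggers) for cs in cut_sets)
        results[level] = (total, total - base)
    return results


if __name__ == "__main__":
    for label, triggers in (("all RCIC HFEs", set(RCIC_HFES)),
                            ("HRA-based HFE only", HRA_ONLY)):
        print(label)
        for level, (total, delta) in sensitivity(CUT_SETS, triggers).items():
            print(f"  {level:9s} total={total:.3E} increase={delta:.3E}")
```

The two trigger sets show how strongly the result depends on which RCIC events the rule is allowed to match, which is the scoping question the Senior Analyst raised about the original 23 cut sets.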

A Senior Analyst was asked to provide an opinion on the dependency impact. The Senior Analyst described how the three RCIC HEPs were not all based on HRA, but rather the associated basic events represented a blend of equipment failures and human actions. The Senior Analyst stated that the two basic events based on equipment failures should not be included in a dependency evaluation, as dependency is limited to basic events that are based on HRA. Therefore, only a subset of the original 23 cut sets presented should be considered for dependency justification, which is reflected in the non-concurrence report of ΔCDPs. The three example HFEs mentioned are:

  • RCI-XHE-XL-RSTRT, Operator fails to recover/restart RCIC, HEP = 2.5×10⁻¹
  • RCI-XHE-XL-XFER, Operator fails to recover RCIC failure to transfer, HEP = 2.5×10⁻¹
  • RCI-XHE-XM-OPERATE, Operator fails to start/control RCIC injection, HEP = 2×10⁻³

The non-concurring individual correctly mentions that the first two HFEs were evaluated using data from the RCIC system study and the third HFE was evaluated by HRA (via the licensee's PRA). Sometimes the potential for operator action to restore equipment is dominated not by human error per se, but whether the equipment is actually recoverable. These first two HFEs are examples of such a case. The current state of practice in HRA is to not evaluate dependency between HFEs if one (or both) were not evaluated by HRA. The cut sets that contain RCI-XHE-XL-RSTRT show that RCIC successfully started and injected in the reactor, but failed to automatically restart on low level signal. The potential for failure of operators to restart the RCIC pump is strongly dependent on whether the failure of the RCIC pump is actually recoverable (e.g., over-speed trip versus damaged equipment) and whether operators attempt to restore the equipment given the failure. Therefore, the use of the data from the RCIC system study is more appropriate for this type of HFE where the recoverability of the hardware is the dominant factor. A similar situation exists for cut sets containing the basic event RCI-XHE-XL-XFER.

The third HFE (RCI-XHE-XM-OPERATE) represents a different situation. Although a portion of the event is evaluated using HRA, this HFE actually represents a SPAR model simplification to model the hardware failure of automatic level control and operator failure to manually start/control RCIC given this failure. This simplification is done because instrumentation and controls (I&C) are not modeled to a high level of detail in the SPAR models. The simplification is likely conservative, but is typically sufficient for base SPAR model applications. If an analyst wanted to evaluate dependency for this HFE combination, the analyst would need to represent these aspects separately under a logical AND gate, which was not done in the preliminary ASP analysis. If this had been done in the preliminary ASP analysis, the numerical result would likely not be affected by strong dependence of the human actions because the cut set would also have to include the probability of the related I&C failure prior to the human action. In addition, an evaluation of whether dependency should be treated explicitly was not performed in the preliminary ASP analysis. A senior ASP analyst and HRA expert reviewed the applicable HFE combinations and determined dependency was unlikely. The operator action to depressurize the reactor given the loss of high-pressure systems is heavily trained on by operators and is not dictated by a common system procedure, which significantly reduces if not eliminates the potential for dependence. In addition, the safety functions of high-pressure injection and depressurization are diverse, which is another opportunity to demonstrate that a postulated dependence is broken.

2. Minimum Joint Human Event Probability (JHEP)

The non-concurring individual cites that "since two HFE appear together in several cut sets the RASP minimum value should be applied." The current RASP guidance states that the minimum joint HEP of 10⁻⁵ is guidance specific to the Significance Determination Process (SDP):

SDP-Specific Guidance. In order to minimize the subjectivity in SDP analyses, an analyst must consult an HRA expert if it is determined that a minimum joint HEP of lower than 10⁻⁵ is used.

However, the ASP Program is different from the SDP and there are many instances where the ASP and SDP differ in their analysis methods. The reason this guidance is SDP-specific is that RES staff disagreed with the application of a minimum joint HEP (provided in the RASP guidance) at 10⁻⁵ because no consensus value has been determined. This value could reasonably be 10⁻⁶ or 10⁻⁷.

3. SPAR Quantifies only Half the RCIC HEP

The issue of the RCIC and ADS basic events not having a diagnosis failure accounted for in their respective HEPs is not specific to the subject LaSalle ASP analysis. The non-concurring individual states that the "diagnosis" component is not evaluated for some HFEs in the base SPAR model, which is contrary to the SPAR-H step-by-step guidance. However, it is important to note that these HFEs are evaluated largely based on the licensee's PRA values, which are reviewed to determine whether the associated HEP is too optimistic, as discussed previously in the Introduction section of this evaluation.

The original SPAR-H NUREG allowed analysts to eliminate the "diagnosis" from SPAR-H evaluations.

However, subsequent discussions on this issue with the SPAR-H developers revealed that SPAR-H developers could not provide examples of when an analyst would perform this elimination. As such, the step-by-step guidance document was developed to provide updated guidance on addressing diagnosis.

The likely source of confusion about eliminating diagnosis from SPAR-H evaluations is how the term "diagnosis" is used in the SPAR-H method documentation. A literal interpretation of the term diagnosis would imply that it only relates to the identification of a problem from an analysis of symptoms.

However, in the SPAR-H method documentation, the term "diagnosis" is representative of the cognitive portion of the HFE, which accounts for a broader set of cognitive aspects beyond just the identification of a problem.

HRA experts do not believe that cognitive aspects of the HFE should be eliminated in an HRA. If one takes a more literal interpretation of the term "diagnosis," one could determine that proceduralized actions do not really need to be diagnosed as it could be argued that they are essentially automatic to the operator.

Therefore, the diagnosis portion of the HFE could be eliminated in the HRA evaluation. However, eliminating the diagnosis portion of the action is incorrect because the HFEs still require some cognitive function that is not represented only by the identification of a problem. For simple proceduralized actions and if there is sufficient basis, an analyst should use the "obvious diagnosis" performance shaping factor (PSF) instead of eliminating the diagnosis portion of the action. The current practice is that analysts should use the HEPs in the base SPAR model unless they determine that the values are not representative of the analysis they are performing. If a reevaluation is performed, it should be done using the SPAR-H step-by-step guidance. However, the SPAR-H information provided in the SPAR model documentation continues to be a source of confusion on this issue and this source of confusion should be addressed.

The preliminary ASP analysis did not include a discussion of adjusting the HEPs based on adding a "diagnosis" component of the action. This portion of the non-concurrence appears to address a larger issue with general modeling of HEPs in the SPAR models, rather than a specific issue with the LaSalle SPAR model used for the subject ASP analysis.

4. EPRI Cites 2 plants with RCIC/ADS Dependency

The example cited in the non-concurrence related to EPRI report 1021081 supports the idea that there is no consensus currently within industry on the treatment of dependency in HRA. In particular, EPRI report 1021081 states the following on page 2-4 in the section titled, "Treatment of Dependencies Among HFEs:"


Although there is no consensus with regard to how these dependencies should be addressed, the approach incorporated into the HRA Calculator is in widespread use, at least within the nuclear industry in the U.S.

Additionally, it is difficult to foresee significant differences between plants that would reasonably justify dependency for some plants but not others for this particular HFE combination. Without the licensee HRA documentation for the two subject plants as well as other plants, it is not possible to determine why the actions were determined to be dependent. Without such a detailed analysis, the cited information is not considered to be an adequate basis for concluding that dependency exists between the RCIC and depressurization HFEs in the LaSalle ASP analysis.

It is also important to note that the EPRI report addresses the application of a lower bound for an HFE, which is different than the issue raised by the non-concurring individual where it is suggested that an adjustment of the second HEP be made in the relevant cut sets from the LaSalle ASP analysis from 5×10⁻⁴ to 1.0 using a complete dependency.

5. LaSalle SPAR Model Acknowledges Dependency

The non-concurring individual states that an HFE combination between operator actions to start/control RCIC and HPCS are considered dependent in the base SPAR model. This dependency was noted by SPAR model developers based on cut set reviews of the licensee PRA. However, this combination is not applicable to this specific LaSalle ASP analysis because HPCS is already assumed to have failed in the condition analysis, which means that the analysis does not evaluate random failures of HPCS due to equipment or human failures. Therefore, this HFE combination does not exist in the LaSalle ASP analysis. The dependency between HPCS and RCIC in the base SPAR model makes sense because HPCS and RCIC share the same safety function (i.e., high-pressure injection), cues (i.e., Level 2, low reactor water level), and procedures. However, control of RCIC (given a failure of automatic control) and manual reactor depressurization are related to different safety functions, have different cues, and use different procedures, all of which strongly supports breaking a postulated dependence between the related HFEs.

The statement by the non-concurring individual that "modeling RCIC/HPCS as a JHEP and not modeling RCIC/ADS as a JHEP is not consistent" seems to indicate that if one HFE combination is dependent, all others must also be dependent. This apparent assumption is inconsistent with the available guidance.

Each HFE combination must be evaluated on its own to determine whether dependence exists. The non-concurring individual assumes that the omission of dependency for RCIC and depressurization is inconsistent with the fact that RCIC and HPCS HFEs are dependent. It is important to recognize that the relationship between the RCIC and depressurization HFE and the RCIC and HPCS HFE are substantially different as noted above. Further, in recognition of the difference in the dependency for these HFEs, the licensee determined that the HPCS/RCIC HFEs were dependent and also determined that dependence for the RCIC/depressurization HFEs was not justified.

The ASP analysis presented for review never contained written documentation of a dependency evaluation, but only showed how the results of the LaSalle ASP analysis would change if a minimum JHEP was applied or the THERP dependency table was used, which is not a valid means of justifying dependence.

6. LaSalle SPAR Model Sensitive to Small Degradations in Operator Performance

This issue is not specific to the LaSalle ASP analysis and, further, it is unclear how the sensitivities relate to the theme of dependency outlined in the non-concurrence report. As stated previously, the LaSalle ASP analysis results are sensitive to small degradations in operator performance, which highlights the importance of the human failure events in the analysis. However, the sensitivity of the SPAR model to small degradations in operator performance is not in and of itself an appropriate basis for postulating dependence between the RCIC and depressurization HFEs.

The sensitivity analyses performed as part of the base SPAR model set all HEPs to 1.0 or 0, or multiply the HEPs by a factor of 10. The results being greatly affected by these sensitivities is not surprising and similar results would be expected with other SPAR models. The risk changes from these sensitivities could be coming from cut sets with only one HFE. Sensitivity studies are effective for showing the relative importance of a given event(s); however, they otherwise have limited value as the likelihood of the various sensitivity cases are not known. If the point being made is that the SPAR model results would be greatly affected if all HFE combinations were strongly dependent, then this is correct; however, this is not an appropriate basis for postulating dependence. Additionally, based on licensee PRA information and current guidance, there is no evidence that any dependence exists, much less a strong dependence.

Even if a postulated dependency were assumed to exist and was justifiable, the results would still be lower than the results of the sensitivity cases because the HEP of the first HFE would not be adjusted given that the first HFE is always considered to be independent.

7. Multiple RES/DRA/PRB Branch Chiefs Fail to Address Dependency

The consensus reached by RES/DRA/PRB Chiefs, other ASP analysts, and an RES/DRA HRA expert remains that dependency is not justified for the RCIC and depressurization HFEs. The non-concurring individual states that "[s]ince the expert did not identify any attributes that would break dependency, this non-concurrence submittal documents disagreement with the expert's determination that dependency does not exist." As outlined in the above discussion, the first step in determining dependency is to justify its existence. The statement that the expert did not identify attributes that would break dependency presumes that dependency is automatically assumed until proven otherwise, which is contrary to the available related guidance. As discussed previously, the analyst must provide a compelling reason for dependency, which is noted as the exception rather than the rule. However, the preliminary and revised LaSalle ASP analysis did not include a justification for dependence.

NRC staff and management are aware of challenges with applying the current treatment of dependency. Work in the area of dependence in PRA analyses would enhance the ability to address these challenges. However, the treatment of dependency in PRA is a complex technical issue that, as a whole, lacks consensus across the PRA and HRA technical communities at large. A scoping study is being considered to determine whether additional research on this topic is warranted. Should this research be conducted, new and/or revised guidance and methods may be developed as part of this effort.

Conclusion

Although the non-concurring individual raises several challenges related to the current treatment of dependency modeling in SPAR models as a whole, regarding this specific LaSalle ASP analysis, the justification provided for postulating dependency between the RCIC and depressurization HFEs is not considered to be adequate and is not consistent with available guidance. Additionally, there is consensus agreement among RES/DRA/PRB management, other RES/DRA risk analysts, and an RES/DRA HRA expert that dependency is not warranted in this case for the LaSalle ASP analysis. As discussed in the RASP Handbook and the SPAR-H step-by-step guidance, an analyst should presume independence between two or more HFEs unless there are compelling reasons for postulating dependence. Such reasoning should be based on a careful review of the situation and context of the scenario and, in doing so, analysts should be looking for opportunities to break a postulated dependence versus using the guidance to justify dependence. The justification cited in the non-concurrence and discussed during the development of the LaSalle ASP analysis report appears to presume dependence; however, the justification was not considered to have provided a compelling reason for the dependence, which is contrary to the available guidance.

With regard to dependency between the HPCS and RCIC HFEs currently in the base SPAR model, this is adopted from the licensee's PRA model and is considered to be appropriate as both systems perform the same safety function, rely on similar cues, and are driven by similar procedures. In this case, it is more difficult to justify how an incorrect mental framework could be broken or interrupted based on the guidance in the RASP Handbook and the SPAR-H step-by-step guidance as there is a high degree of commonality between the related HFEs. In contrast, postulating dependency in the LaSalle SPAR model between the RCIC and depressurization HFEs is not considered to be appropriate largely because they are related to different safety functions and the actions have different cues and are driven by different procedures. As such, there are multiple opportunities to break the postulated dependence between the RCIC and depressurization HFEs, which is consistent with the available guidance on dependency analysis. Through discussion with other agency risk analysts and HRA experts, there is a consensus that the case for dependency could not be made in this instance.

Additionally, the non-concurrence seems to suggest that dependency is justified in part due to the fact that the results of the analysis are highly sensitive to small degradations in human performance; however, the sensitivity of the results is not an appropriate basis for justifying the existence of a dependency and is contrary to the available guidance.


NRC FORM 757, NRC MD 10.158 (11-2016)
U.S. NUCLEAR REGULATORY COMMISSION
NON-CONCURRENCE PROCESS

NCP TRACKING NUMBER: NCP-2018-002
TITLE OF SUBJECT DOCUMENT: Final ASP Program Analysis-Precursor LaSalle County Station, Unit 2, HPCS System Inoperable
ADAMS ACCESSION NO.: ML18072A326
NAME: John C Lane
TITLE: Sr Reliability & Risk Engineer
TELEPHONE NUMBER: (301) 415-2476
ORGANIZATION: PRB/DRA/RES

AGREED UPON SUMMARY OF ISSUES (use continuation pages or attach Word document)

There appears to be unaccounted for dependency between key human actions in the probabilistic risk assessment (PRA) for the LaSalle ASP evaluation in regards to the occurrence of the two human actions in the same risk cut set. For the event under consideration, there are several cut sets involving both an operator's failure to effect high pressure injection with Reactor Core Isolation Cooling (RCIC), then followed by the operator's similar and subsequent failure to depressurize in support of low pressure injection.

When dependency exists, the event analysis must quantify the effect on the event's change in core damage probability (ΔCDP) using the agency's Standardized Plant Analysis Risk-Human Reliability Analysis (SPAR-H) procedures. The ASP report, as written, indicates the two actions are independent and therefore do not require further Human Reliability Analysis (HRA) dependency consideration.

Non-concurrence 2008-02 is based upon the belief that dependency exists, to some degree, and that the event analysis does not take this into consideration.

EVALUATION OF NON-CONCURRENCE AND RATIONALE FOR DECISION (use continuation pages or attach Word document)

MULTIPLE HFEs CONSIDERED

The concern originally expressed by the non-concurring employee (NCE) centered on the interdependence of four "human" actions that emerged in the ASP evaluation as being significant to the final risk determination:

  • RCI-XHE-XL-RSTRT, operator fails to recover/restart RCIC, 2.5E-1
  • RCI-XHE-XL-XFER, operator fails to recover RCIC failure to transfer, 2.5E-1
  • RCI-XHE-XM-OPERATE, operator fails to start/control RCIC injection, 2E-3
  • ADS-XHE-XM-MDEPR, operator fails to initiate reactor depressurization, 5E-4

Upon the initial concern being raised and in consultation with the SPAR developers and NUREG/CR-7700, Vol. 7, all parties, including the NCE, realized that the first two basic events were actually equipment failures and not solely human failure events (HFEs).

TYPED NAME OF NCP COORDINATOR: John C Lane
TITLE: Senior Reliability & Risk Engineer
ORGANIZATION: PRB/DRA/RES

TYPED NAME OF NCP APPROVER: Michael Cheok
TITLE: Director
ORGANIZATION: Division of Risk Analysis/Office of Nuclear Regulatory Research

NRC FORM 757 (11-2016)

Use ADAMS Template NRC-006 (ML063120159)


With that realization, the NCE focused on the potential dependency of the last two HFEs listed, both occurring in the same cut sets:

  • RCI-XHE-XM-OPERATE, operator fails to start/control RCIC injection, 2E-3
  • ADS-XHE-XM-MDEPR, operator fails to initiate reactor depressurization, 5E-4

ALTERNATIVE APPROACHES PROPOSED IN THE NCP

The importance of the potential human dependency in the risk determination is significant in that, should the dependence be determined to be "complete", the ΔCDP (delta core damage probability) would increase by a factor of ~14 from 1.75E-05 to 2.46E-04. Lesser dependence would result in a smaller ΔCDP increase, for example, whereby "moderate" dependence would result in a ΔCDP increase of less than a factor of three.

Two approaches were mentioned in the non-concurrence as possible alternatives available to address the potential HFE dependence and thus impact the final result:

(1) Use a minimum joint HEP of 1E-05 or
(2) Use the approach via the SPAR-H Step-by-Step Guidance (ML112060305) to fully develop the dependency aspect of the HEPs

DECISION

However, the overarching resolution of this non-concurrence process (NCP) in regards to the dependency issue is that neither approach is satisfactory or appropriate since dependency has not been demonstrated as being more likely than the operational assumption of independence of the human actions. In the absence of stronger, fact-based evidence that dependence exists in the HFEs under question, the prevailing assumption is independence. As such, the ASP analysis is consistent with that assumption and should not be revised. Specifically, in the instance under question, that of operator action to effect BWR high pressure injection and/or depressurization, there appears ample evidence that the human actions are independent and that accurate diagnosis of the situation would be virtually certain. Furthermore, in order to postulate and confirm the existence of a dependent condition between the actions, much more detail would be required than has been made available regarding such things as the specific tasks involved, operator experience and guidance, and cognitive awareness. In essence, lacking this level of detail, the presumption of independence in the human response is difficult to refute.

In support of the independence assumption, continued control room alarm annunciation would function as a significant and separate symptom that follow-on action to depressurize the reactor would be an unavoidable and required next step should high pressure injection be unsuccessful. Symptom-based procedures, adequately trained upon, would help ensure that the situation was diagnosed and understood completely given the time available and the extensive technical support available to the operators in the control room provided by shift technical advisor and others.


DISCUSSION ON MIN JOINT HEP

Consideration was given to the impact an assigned, minimum joint HEP would have on the outcome of this ASP evaluation. This was in response to the point described in the NCP that EPRI Report 1031081, "Establishing Minimum Acceptable Values for Probabilities of Human Failure Events: Practical Guidance for Probabilistic Risk Assessment" cited a somewhat similar combination of HFEs, related to failure to depressurize associated with failure to control high pressure injection, as being industry evidence of a situation that warrants the need to use a joint HEP. Although the RASP Manual, Vol. 1 "recommends" a minimum HEP value of 1E-05, in practice others, including some in NRC, have suggested that an appropriate value, if there is one, could likely be lower than 1E-05. In the case of the two HEPs involved, their joint HEP is 1E-06, a value that has also been proposed as a valid lower bound joint HEP. While the NRC staff, in general, supports the use of a joint HEP floor, a range of justifiable values seems more appropriate than an explicit, fixed limit, especially given the range of values currently espoused by knowledgeable practitioners. At present it is not a requirement in ASP evaluations.

A scoping study is under consideration, which, if approved and conducted, would look at common HFE combinations in important SPAR model cutsets with the aim of shedding additional light on the impact and treatment of potential dependencies. In that regard, the point made by the NCE is well taken and appreciated.

Other supporting evidence proposed by the NCE, such as, that the LaSalle SPAR model already acknowledges interdependence in some other HFEs, is adequately and correctly addressed and rebutted in Section B of this evaluation. Consequently, the decision in regards to this LaSalle analysis is that the assertion of operator independence has not been rebutted and so is adequately treated in the analysis.

DISCUSSION ON ADEQUACY OF DIAGNOSIS IN HEPS

In addition to the dependence issue discussed above, another aspect of the HRA evaluation was raised: that the manner in which the HEPs were derived neglects diagnosis and so is potentially non-conservative. The issue relates to the fact that the HFEs did not include consideration of the significant aspect of operator diagnosis of the event progression, and instead, focused solely on operator action.

As mentioned by the NCE, the SPAR-H Step-by-Step Guidance indicates "It is a rare situation where Diagnosis is judged to not be a relevant contributor to the overall HEP for HFE in SPAR models. In the context of PRA in general, and SPAR models in particular, there are very few situations where a Diagnosis and an Action are not linked somehow."

A complicating factor in addressing this concern is the somewhat disparate manner in which failure-to-diagnose is handled. For example, HFEs may explicitly or implicitly account for the diagnosis phase. It can be explicitly accounted for by a dedicated HFE designed exclusively to address the failure-to-diagnose an accident condition subsequently leading to a specific procedure, followed by a separate action-HFE related to performance. Conversely, and frequently in SPAR models, HFEs implicitly include consideration of both failure-to-diagnose the need for a procedure and failure-to-perform the required actions directed by that procedure.

This concern is reasonable and has merit, in general, but in the situation posited here, there are compelling reasons why failure-to-diagnose need not be explicitly quantified. In the conduct of typical risk assessments employing SPAR models, significant reliance must, by necessity, be placed upon HFE values derived from the licensee's HRA and provided to NRC, as is similarly done with other detailed aspects of licensee plant models. HFE values thus obtained are screened for their reasonableness and, if they appear so, are then included in our SPAR model, despite the fact that a SPAR-H analysis is typically not performed for them.


As indicated, in the case of the LaSalle SPAR model, the diagnosis component of the HFE was not modeled explicitly. The licensee assessed, and the staff concurred, that, since the action was highly proceduralized, trained upon and performed in the main control room, it could be assumed to succeed with such little likelihood of failure as to be ignored. This appears to be reasonable given the time available to the operators to examine cues, the clarity provided by the symptom-based emergency operating procedures (EOPs) and their training on the relevant EOPs. Consequently, no additional allowance for failure-to-diagnose will be made in this instance. However, the ASP staff will be notified of this concern and will be encouraged to examine and ascertain from INL the bases for licensee-provided HFEs to confirm their application in the SPAR models.

RASP MANUAL

Another recommendation resulting from this NCP submittal is that the RASP guidance should be updated to indicate that, while there is room for disagreement as to the appropriateness of postulating dependence in human actions, the decision should not be overly subjective but rather should be as objectively based as possible. Insights provided by the scoping study, mentioned above, should provide guidance to the staff as they weigh factors impacting dependency in human actions, such as:

  • Are there differences in control room indications for separate HFEs that would break suspected dependence?
  • Is time adequate or a limiting factor, so as to determine if there is adequate time to counter group-think or diagnosis errors?
  • Were there near-term, near-by operator successes that may suggest a "resetting" of mindsets?
  • Is a lower-bound floor for joint HEPs between 1E-05 and 1E-06 appropriate?

The RASP manual will be updated as emerging and evolving guidance proves informative.


Package No. ML18157A263
Transmittal Letter: ML18180A326
ASP Report (Enclosure 1): ML18072A326
Non-Concurrence (Enclosure 2): ML18157A264
(*) via email

OFFICE | NRR/DORL/LPL3/PM | NRR/DORL/LPL3/LA | RES/ORA/RE (*) | NRR/DORL/LPL3/PM
NAME | BVaidya | SRohrer | DYeilding | BVaidya
DATE | 07/02/18 | 07/02/18 | 06/28/18 | 07/03/18