ML19319B177

NRC-2017-000292 - Resp 4 - Interim. Agency Records Subject to the Request Are Enclosed
ML19319B177
Person / Time
Issue date: 11/12/2019
From: NRC/OCIO
To:
References: FOIA, NRC-2017-000292
Download: ML19319B177 (176)


Text

{{#Wiki_filter:From: Purnell, Blake
Sent: 15 Mar 2016 09:29:57 -0400
To: Wiebe, Joel
Cc: Poole, Justin
Subject: FW: FYI/ACTION: Exelon OEDO drop-in (OED0-16-00165-NRR)
Attachments: Braidwood-Byron Backfit Bullets.docx
Importance: High

Joel,

Please provide an update for the briefing package by COB regarding the status of the Braidwood/Byron backfit appeal. Attached is what we had in the last briefing package.

Blake Purnell
301-415-1380

From: Wilson, George
Sent: Tuesday, March 15, 2016 7:05 AM
To: Poole, Justin <Justin.Poole@nrc.gov>; Purnell, Blake <Blake.Purnell@nrc.gov>

Subject: FW: FYI/ACTION: Exelon OEDO drop-in (OED0-16-00165-NRR)
Importance: High

George Wilson
Deputy Director
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation
USNRC
301-415-1711
Office 08E4

From: Clark, Theresa
Sent: Tuesday, March 15, 2016 6:59 AM
To: Wertz, Trent <Trent.Wertz@nrc.gov>; Orf, Tracy <Tracy.Orf@nrc.gov>; Krohn, Paul <Paul.Krohn@nrc.gov>; Wilson, George <George.Wilson@nrc.gov>; King, Michael <Michael.King2@nrc.gov>; Lee, Samson <Samson.Lee@nrc.gov>; Giitter, Joseph <Joseph.Giitter@nrc.gov>

Subject: FYI/ACTION: Exelon OEDO drop-in (OED0-16-00165-NRR)
Importance: High

I wanted to make sure you guys saw this action come through, since it is super short turnaround. I'm sorry about the timing; we only found out about the drop-in late on Friday and it just got through the system and reminded me. The topics are pretty big, so please do what you can and I am happy to pull material myself if you have links or other documents. That way we can squeeze out a little more time. Just a few high-level bullets of main concerns (maybe we had these ready for the RIC?) might be enough, plus bios on the people named. I would not include plant information for the whole Exelon fleet.

Topics

  • Risk-informed approach to regulation (e.g., digital I&C, consideration of FLEX in SDP, 10 CFR 50.46c rulemaking)
  • Delivering the Nuclear Promise (in particular, security programs)
  • Generic Issue Resolution (e.g., TIAs, role of CRGR, backfits)
  • Open Phase Condition
  • Accident Tolerant Fuel
  • [they did not mention it, but you might put in a few bullets on the Byron/Braidwood backfit appeal status if you have it handy]

Attendees

  • Bryan Hanson, Senior Vice President Exelon Generation, President and Chief Nuclear Officer
  • Brad Fewell, Senior Vice President Regulatory Affairs and General Counsel
  • Scot Greenlee, Senior Vice President Engineering and Technical Services
  • Keith Jury, Vice President, Licensing and Regulatory Affairs

Here's the link to a package that the PM and I just finished for TVA in case you want to use it as a formatting starting point: ML16055A363.

Thanks!
Theresa Valentine Clark
Executive Technical Assistant (Reactors)
U.S. Nuclear Regulatory Commission
Theresa.Clark@nrc.gov | 301-415-4048 | O-16E22

From: ADAMS p8_icm_service
Sent: Monday, March 14, 2016 7:43 PM
To: ICM_STARS_NRR <ICM_STARS_NRR@nrc.gov>; ACMSuppport@nrc.gov; Clark, Theresa <Theresa.Clark@nrc.gov>

Subject: NEW: (OED0-16-00165-NRR)

Details about the ticket are listed below. Ticket was assigned to you by Boyer, Rachel (rcj3) on 03/14/2016. To access the ticket please go to https://adamsicm.nrc.gov/STARS

Comment: 03/14/2016 The Ticket information is below.

Ticket Info
Activity Information
Case Number: OED0-16-00165-NRR
Status: New
Activity Type: Task
EDO Due Date: 03/16/2016
SECY Due Date:
Requested Due Date:
Assigned Offices: NRR
Routing Copies to: NRO
EDO Point of Contact: Clark, Theresa (txv)
Other Parties:
Incoming ADAMS Accession: ML16074A441
Incoming ADAMS Package: ML16074A446
Incoming Information: The entire ADAMS package (ML16074A446) is publicly available.
Process Information
Date of Incoming: 03/11/2016
Frequency:
Originator: Patricia Sprogeris, OEDO/DEDR
Originator Organization: OEDO
Task Addressee Name:
Addressee Affiliation:
Incoming Received Date:
Type: E-mail
Subject: Briefing Package Request for Meeting with Exelon on March 23, 2016
Description: Briefing Package
Special Instructions: Please prepare briefing package in accordance with OEDO Procedure 0240 (ML13262A361/ML13262A365). Provide input to Theresa Clark, OEDO by 3/16/16.
Special Instructions Near Term:
Comment:
Requested Action Type: Briefing Package
Cross Reference Numbers:
Signature Level: No Signature Required
OIG Recommend:
OEDO Concurrence:
OCM Concurrence:
OCA Concurrence:

From: Garmoe, Alex
Sent: 1 Sep 2016 14:59:47 +0000
To: Dion, Jeanne
Subject: RE: FYI/ACTION: Exelon OEDO drop-in (OED0-16-00165-NRR)
Attachments: Braidwood-Byron Backfit Bullets 031516 ADG comments.docx

Jeanne,

Attached are my comments for your consideration. I cannot speak to the details of the EDO panel's review since it was independent from us in NRR. I do know that the EDO panel recommended a reversal of the NRC's position to date on this issue but do not know what the EDO's perspective is, the specific rationale, or how and when it will be communicated to Exelon. Theresa Clark is the point of contact in the EDO's office for this topic but she is out this week. In her absence you could try Tara Inverso or Jeremy Bowen.

Alex

From: Dion, Jeanne
Sent: Thursday, September 01, 2016 9:21 AM
To: Garmoe, Alex

Subject: FW: FYI/ACTION: Exelon OEDO drop-in (OED0-16-00165-NRR)
Importance: High

Hey Alex, I'm pulling together a quick turnaround briefing package for a commissioner drop-in with Exelon. Are there any updates to this information on backfits for Braidwood/Byron? I need input ASAP. Thanks!

Jeanne

From: Purnell, Blake
Sent: Thursday, September 01, 2016 9:18 AM
To: Dion, Jeanne <Jeanne.Dion@nrc.gov>

Subject: FW: FYI/ACTION: Exelon OEDO drop-in (OED0-16-00165-NRR)

Jeanne, Alex Garmoe gave me the input on the last briefing package regarding the Braidwood/Byron backfit.

Blake Purnell
301-415-1380

From: Garmoe, Alex
Sent: Tuesday, March 15, 2016 10:38 AM
To: Poole, Justin <Justin.Poole@nrc.gov>
Cc: Purnell, Blake <Blake.Purnell@nrc.gov>; Bailey, Marissa <Marissa.Bailey@nrc.gov>

Subject: RE: FYI/ACTION: Exelon OEDO drop-in (OED0-16-00165-NRR)

Justin, I revised the one-pager you provided. Please let me know if you need more.

Alex

From: Poole, Justin
Sent: Tuesday, March 15, 2016 10:00 AM
To: Garmoe, Alex
Cc: Purnell, Blake

Subject: FW: FYI/ACTION: Exelon OEDO drop-in (OED0-16-00165-NRR)
Importance: High

Alex,

Can you please provide any necessary update to the Braidwood/Byron backfit appeal by COB today? I know that a public meeting was held on March 7, but nothing beyond that. Attached was what was in the last Exelon briefing book. Sorry for the short turnaround but we just received the request this morning. Thanks.

Justin C. Poole
Acting Chief
NRR/DORL/LPL3-2
U.S. Nuclear Regulatory Commission
(301) 415-2048

From: Wiebe, Joel
Sent: Tuesday, March 15, 2016 9:50 AM
To: Purnell, Blake <Blake.Purnell@nrc.gov>
Cc: Poole, Justin <Justin.Poole@nrc.gov>

Subject: RE: FYI/ACTION: Exelon OEDO drop-in (OED0-16-00165-NRR)

DORL does not have the action on the backfit appeal. To ensure accuracy, any updates should be provided by DPR. Alex Garmoe has the lead for DPR.

Joel

From: Purnell, Blake
Sent: Tuesday, March 15, 2016 9:30 AM
To: Wiebe, Joel <Joel.Wiebe@nrc.gov>
Cc: Poole, Justin <Justin.Poole@nrc.gov>

Subject: FW: FYI/ACTION: Exelon OEDO drop-in (OED0-16-00165-NRR)
Importance: High

Joel, Please provide an update for the briefing package by COB regarding the status of the Braidwood/Byron backfit appeal. Attached is what we had in the last briefing package.

Blake Purnell
301-415-1380

From: Wilson, George
Sent: Tuesday, March 15, 2016 7:05 AM
To: Poole, Justin <Justin.Poole@nrc.gov>; Purnell, Blake <Blake.Purnell@nrc.gov>

Subject: FW: FYI/ACTION: Exelon OEDO drop-in (OED0-16-00165-NRR)
Importance: High

George Wilson
Deputy Director
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation
USNRC
301-415-1711
Office 08E4

From: Clark, Theresa
Sent: Tuesday, March 15, 2016 6:59 AM
To: Wertz, Trent <Trent.Wertz@nrc.gov>; Orf, Tracy <Tracy.Orf@nrc.gov>; Krohn, Paul <Paul.Krohn@nrc.gov>; Wilson, George <George.Wilson@nrc.gov>; King, Michael <Michael.King2@nrc.gov>; Lee, Samson <Samson.Lee@nrc.gov>; Giitter, Joseph <Joseph.Giitter@nrc.gov>

Subject: FYI/ACTION: Exelon OEDO drop-in (OED0-16-00165-NRR)
Importance: High

I wanted to make sure you guys saw this action come through, since it is super short turnaround. I'm sorry about the timing; we only found out about the drop-in late on Friday and it just got through the system and reminded me. The topics are pretty big, so please do what you can and I am happy to pull material myself if you have links or other documents. That way we can squeeze out a little more time. Just a few high-level bullets of main concerns (maybe we had these ready for the RIC?) might be enough, plus bios on the people named. I would not include plant information for the whole Exelon fleet.

Topics

  • Risk-informed approach to regulation (e.g., digital I&C, consideration of FLEX in SDP, 10 CFR 50.46c rulemaking)
  • Delivering the Nuclear Promise (in particular, security programs)
  • Generic Issue Resolution (e.g., TIAs, role of CRGR, backfits)
  • Open Phase Condition
  • Accident Tolerant Fuel
  • [they did not mention it, but you might put in a few bullets on the Byron/Braidwood backfit appeal status if you have it handy]

Attendees

  • Bryan Hanson, Senior Vice President Exelon Generation, President and Chief Nuclear Officer
  • Brad Fewell, Senior Vice President Regulatory Affairs and General Counsel
  • Scot Greenlee, Senior Vice President Engineering and Technical Services
  • Keith Jury, Vice President, Licensing and Regulatory Affairs

Here's the link to a package that the PM and I just finished for TVA in case you want to use it as a formatting starting point: ML16055A363.

Thanks!
Theresa Valentine Clark
Executive Technical Assistant (Reactors)
U.S. Nuclear Regulatory Commission
Theresa.Clark@nrc.gov | 301-415-4048 | O-16E22

From: ADAMS p8_icm_service
Sent: Monday, March 14, 2016 7:43 PM
To: ICM_STARS_NRR <ICM_STARS_NRR@nrc.gov>; ACMSuppport@nrc.gov; Clark, Theresa <Theresa.Clark@nrc.gov>

Subject: NEW: (OED0-16-00165-NRR)

Details about the ticket are listed below. Ticket was assigned to you by Boyer, Rachel (rcj3) on 03/14/2016. To access the ticket please go to https://adamsicm.nrc.gov/STARS

Comment: 03/14/2016 The Ticket information is below.

Ticket Info
Activity Information
Case Number: OED0-16-00165-NRR
Status: New
Activity Type: Task
EDO Due Date: 03/16/2016
SECY Due Date:
Requested Due Date:
Assigned Offices: NRR
Routing Copies to: NRO
EDO Point of Contact: Clark, Theresa (txv)
Other Parties:
Incoming ADAMS Accession: ML16074A441
Incoming ADAMS Package: ML16074A446
Incoming Information: The entire package (ML16074A446) is publicly available.
Process Information
Date of Incoming: 03/11/2016
Frequency:
Originator: Patricia Sprogeris, OEDO/DEDR
Originator Organization: OEDO
Task Addressee Name:
Addressee Affiliation:
Incoming Received Date:
Type: E-mail
Subject: Briefing Package Request for Meeting with Exelon on March 23, 2016
Description: Briefing Package
Special Instructions: Please prepare briefing package in accordance with OEDO Procedure 0240 (ML13262A361/ML13262A365). Provide input to Theresa Clark, OEDO by 3/16/16.
Special Instructions Near Term:
Comment:
Requested Action Type: Briefing Package
Cross Reference Numbers:
Signature Level: No Signature Required
OIG Recommend:
OEDO Concurrence:
OCM Concurrence:
OCA Concurrence:

From: Helton, Donald
To: Chang, James
Subject: RE: HEP dependencies via recovery rules
Date: Wednesday, July 27, 2016 1:50:35 PM

For an uncomplicated response to the inadvertent SI, I wouldn't expect a SG safety valve to lift, and certainly not to behave the way the valve at Millstone did. I agree that the Millstone event is atypical due to the large number of complicating factors. But it's illustrative in terms of the types of unanticipated delays that occur due to complicating factors. So again, I've no problem with stating that there's high confidence that the operator action at Byron/Braidwood can be performed in the available time. I just wouldn't want to see that used to justify a very low HEP without due consideration of a Millstone-type event.

Don

From: Chang, James
Sent: Wednesday, July 27, 2016 1:35 PM
To: Helton, Donald <Donald.Helton@nrc.gov>; Sancaktar, Selim <Selim.Sancaktar@nrc.gov>

Subject: RE: HEP dependencies via recovery rules

Don, In the Millstone event, the operators' responses were likely slowed down by the opening of the B S/G safety valves and the fail-to-start of the TD AFWP. Is the opening of SG safety valve expected in the Byron scenario?

James

From: Helton, Donald
Sent: Wednesday, July 27, 2016 12:40 PM
To: Chang, James <James.Chang@nrc.gov>; Sancaktar, Selim <Selim.Sancaktar@nrc.gov>

Subject: RE: HEP dependencies via recovery rules

James, The Millstone event is attached. The timeline is in an attachment near the end. Sorry, I thought you had this already...

Don

From: Chang, James
Sent: Wednesday, July 27, 2016 12:08 PM
To: Helton, Donald <Donald.Helton@nrc.gov>; Sancaktar, Selim <Selim.Sancaktar@nrc.gov>

Subject: RE: HEP dependencies via recovery rules

Don, The Millstone time data you provide could be relevant. Could you send me the event report or direct me where I can find it?

My time analysis only tries to address the HEP in IDHEAS-G's HEP equation on human error simply due to insufficient time (see the equation below). Because IDHEAS-G does not have quantification equations so far, I end up using SPAR-H and NARA to calculate HEPs.

HEP = HEP(due to insufficient time) + HEP(Detecting) + HEP(Understanding) + HEP(Deciding) + HEP(Action)

James

From: Helton, Donald
Sent: Wednesday, July 27, 2016 10:34 AM
To: Chang, James <James.Chang@nrc.gov>; Sancaktar, Selim <Selim.Sancaktar@nrc.gov>

Subject: RE: HEP dependencies via recovery rules

James - Thoughts on two items from your email follow...

"The latter one is negligible (It is 2E-7 using the above number for a 15 minutes time window)."

I don't have a problem with this per se. But if we are not going to address additional failures in the timing analysis, then I think it should be addressed in some way via other performance influencing factor(s), in light of one of our real-world data points (the 2005 Millstone event). To illustrate my point, I've tried to overlay the Byron procedure path with the Millstone event timeline. It appears that the Millstone crew reached the step where they would have opened a block valve (had they been closed) sometime around 15 minutes. So again, no problem with using timing associated with an uncomplicated response, but I want to make sure we somehow account/acknowledge our OpE in our reliability estimation.

Byron Procedural Path / Interpreted equivalent timing in Millstone event (minutes since initiator)

  • E-0 entry: 0
  • E-0 Step 4 (Check SI status): 0
  • E-0 Step 10 (Verify AF system): 7
  • E-0 Step 18 (Check PRZ PORV and spray status): ??
  • E-0 Step 21 (Check SG pressure boundaries): 21
  • E-0 Step 22 (Check SG tubes intact): 25
  • E-0 Step 24 (Check if ECCS flow should be reduced): 30
  • ES-1.1 Step 1 (Reset SI): 31
  • ES-1.1 Step 10 (last step directly associated with terminating SI): 44
  • ES-1.1 Step 13 (Check if letdown can be established): 51*
  • ES-1.1 Step 21 (Check if DGs should be stopped): 80

* This is the time at which letdown was established, so it may include some additional actions associated with establishing letdown (beyond having reached this step in ES-1.1).

"Do we have a good justification that because the crew missed the step of isolating the PZR isolation valve so they have high chance of skipping the step of resetting SI?"

It seems to me that these are NOT strongly linked in this respect. The former is a sub-step in an overall step that is focused on checking status (and addressing problems if needed). The latter occurs after transitioning to a new procedure, and is largely comprised of action-oriented steps.

From: Chang, James
Sent: Wednesday, July 27, 2016 9:15 AM
To: Helton, Donald <Donald.Helton@nrc.gov>; Sancaktar, Selim <Selim.Sancaktar@nrc.gov>

Subject: RE: HEP dependencies via recovery rules

I need to think this more. For the inadvertent SI actuation IE, I do not see the scenario/procedure imposing a challenge (I only look at the procedure up to opening the PZR isolation valves). The crew should arrive at the step of opening the PZR isolation valve within five minutes (with the estimated mean of 238 seconds, and a standard deviation of 138 seconds). Without other instrumentation failure, the likely reason that the crew did not open the PZR isolation valve is likely due to skipping the procedure step (EOP-0 Step 18.c) or a really slow crew. The latter one is negligible (it is 2E-7 using the above number for a 15 minutes time window). Do we have a good justification that because the crew missed the step of isolating the PZR isolation valve so they have high chance of skipping the step of resetting SI?

James

From: Helton, Donald
Sent: Wednesday, July 27, 2016 6:27 AM
To: Sancaktar, Selim <Selim.Sancaktar@nrc.gov>
Cc: Chang, James <James.Chang@nrc.gov>

Subject: RE: HEP dependencies via recovery rules

"James, Don, for the second type potential HEP dependencies when failure of SI termination causes C-LOCA, we can not very well claim independence of operator actions that deal with C-LOCA, from the initial OPA-1 and OPA-2, right?"

As a first cut, no, I don't think we can. James can propose criteria for assessing dependence, based on whichever HRA model he is employing, and we could then assess whether there is a case for independence (e.g., more than a shift's worth of intervening time). But it seems unlikely that independence would apply.

From: Sancaktar, Selim
Sent: Tuesday, July 26, 2016 1:57 PM
To: Robert.Buell@inl.gov
Cc: Helton, Donald <Donald.Helton@nrc.gov>; Chang, James <James.Chang@nrc.gov>; Coyne, Kevin <Kevin.Coyne@nrc.gov>

Subject: HEP dependencies via recovery rules

Hi Bob, I was looking at some cutsets (see below). I see that we may need a few recovery rules added to the model for dependencies. There are 2 classes of additional dependencies:

1. If HEP of OPA-1 goes up when OPA-3 fails (easy to handle with a single recovery rule)
2. HEPs of LOCA response OPAs already in the SPAR model may go up when failure of OPA-1 or OPA-2 cause consequential LOCA: this case is more complicated since there are multiple combinations (for example, see cutset #3 below).

Do you have a clever suggestion for handling the second type HEP adjustments in bulk, or do I have to identify all combinations (yuck). James, Don, for the second type potential HEP dependencies when failure of SI termination causes C-LOCA, we can not very well claim independence of operator actions that deal with C-LOCA, from the initial OPA-1 and OPA-2, right?

Regards, Selim

Case 3 Cutsets for ISINJ ET Sequence #7
Total Prob/Freq 6.65E-10 (100%). Displaying 17 Cut Sets (17 Original).
Each cutset is listed as Prob/Freq, percent of total, sequence, then its basic events as probability, event name, description.

Cut Set 1: 3.16E-10, 47.43%, ISINJ:07-07
  • 1.47E-02 IE-ISINJ INADVERTENT SAFETY INJECTION
  • 5.37E-07 ACP-TFM-CF-1312X CCF OF 4160V/480V TRANSFORMERS 131X/132X
  • 4.00E-02 HPI-XHE-XM-THRTL1 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)

Cut Set 2: 9.72E-11, 14.61%, ISINJ:07-07
  • 1.47E-02 IE-ISINJ INADVERTENT SAFETY INJECTION
  • 1.65E-07 ACP-CRB-CF-1415X25X CCF OF 4KV ESF BUSES 141/142 BREAKERS TO OPEN
  • 4.00E-02 HPI-XHE-XM-THRTL1 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)

Cut Set 3: 8.49E-11, 12.76%, ISINJ:07-03
  • 1.47E-02 IE-ISINJ INADVERTENT SAFETY INJECTION
  • 3.54E-03 PPR-PRV-CC-455A PZR PORV 455A FAILS TO OPEN ON DEMAND
  • 2.00E-02 PPR-XHE-XM-UNBLOCK OPERATOR FAILS TO OPEN PORV BLOCK VALVES PER OPA-3
  • 4.00E-02 HPI-XHE-XM-THRTL1 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
  • 4.00E-03 HPI-XHE-XM-RECIRC OPERATOR FAILS TO START/CONTROL HIGH PRESSURE RECIRC - PWR
  • 5.10E-01 LPI-XHE-XM-RECIRC1 OPERATOR FAILS TO INITIATE LOW PRESSURE RECIRC (PWR - LOCA) (DEPENDENT)

Cut Set 4: 6.54E-11, 9.83%, ISINJ:07-03
  • 1.47E-02 IE-ISINJ INADVERTENT SAFETY INJECTION
  • 5.45E-05 PPR-PRV-CF-PORVS CCF OF PZR PORVs TO OPEN
  • 4.00E-02 HPI-XHE-XM-THRTL1 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
  • 4.00E-03 HPI-XHE-XM-RECIRC OPERATOR FAILS TO START/CONTROL HIGH PRESSURE RECIRC - PWR
  • 5.10E-01 LPI-XHE-XM-RECIRC1 OPERATOR FAILS TO INITIATE LOW PRESSURE RECIRC (PWR - LOCA) (DEPENDENT)

Cut Set 5: 4.16E-11, 6.26%, ISINJ:07-05
  • 1.47E-02 IE-ISINJ INADVERTENT SAFETY INJECTION
  • 3.54E-03 PPR-PRV-CC-455A PZR PORV 455A FAILS TO OPEN ON DEMAND
  • 2.00E-02 PPR-XHE-XM-UNBLOCK OPERATOR FAILS TO OPEN PORV BLOCK VALVES PER OPA-3
  • 4.00E-02 HPI-XHE-XM-THRTL1 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
  • 1.00E-03 RHR-XHE-XE-PMPLC OPERATORS FAIL TO STOP RHR PUMPS (INSF MIN-FLOW - GIVEN LOCAs)

Cut Set 6: 3.21E-11, 4.82%, ISINJ:07-05
  • 1.47E-02 IE-ISINJ INADVERTENT SAFETY INJECTION
  • 5.45E-05 PPR-PRV-CF-PORVS CCF OF PZR PORVs TO OPEN
  • 4.00E-02 HPI-XHE-XM-THRTL1 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
  • 1.00E-03 RHR-XHE-XE-PMPLC OPERATORS FAIL TO STOP RHR PUMPS (INSF MIN-FLOW - GIVEN LOCAs)

Cut Set 7: 7.37E-12, 1.11%, ISINJ:07-05
  • 1.47E-02 IE-ISINJ INADVERTENT SAFETY INJECTION
  • 3.54E-03 PPR-PRV-CC-455A PZR PORV 455A FAILS TO OPEN ON DEMAND
  • 3.54E-03 PPR-PRV-CC-456 PZR PORV 456 FAILS TO OPEN ON DEMAND
  • 4.00E-02 HPI-XHE-XM-THRTL1 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
  • 1.00E-03 RHR-XHE-XE-PMPLC OPERATORS FAIL TO STOP RHR PUMPS (INSF MIN-FLOW - GIVEN LOCAs)

Cut Set 8: 4.16E-12, 0.63%, ISINJ:07-03
  • 1.47E-02 IE-ISINJ INADVERTENT SAFETY INJECTION
  • 3.54E-03 PPR-PRV-CC-455A PZR PORV 455A FAILS TO OPEN ON DEMAND
  • 2.00E-02 PPR-XHE-XM-UNBLOCK OPERATOR FAILS TO OPEN PORV BLOCK VALVES PER OPA-3
  • 4.00E-02 HPI-XHE-XM-THRTL1 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
  • 1.00E-04 HPI-ASL-MC-RWST RWST LOW LEVEL COMPONENTS MISCALIBRATED

Cut Set 9: 3.21E-12, 0.48%, ISINJ:07-03
  • 1.47E-02 IE-ISINJ INADVERTENT SAFETY INJECTION
  • 1.00E-04 HPI-ASL-MC-RWST RWST LOW LEVEL COMPONENTS MISCALIBRATED
  • 4.00E-02 HPI-XHE-XM-THRTL1 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
  • 5.45E-05 PPR-PRV-CF-PORVS CCF OF PZR PORVs TO OPEN

Cut Set 10: 2.02E-12, 0.30%, ISINJ:07-05
  • 1.47E-02 IE-ISINJ INADVERTENT SAFETY INJECTION
  • 3.33E-05 ACP-BAC-LP-141 DIVISION 1A AC POWER 4kV BUS 141 FAILS
  • 4.00E-02 HPI-XHE-XM-THRTL1 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
  • 2.00E-02 PPR-XHE-XM-UNBLOCK OPERATOR FAILS TO OPEN PORV BLOCK VALVES PER OPA-3
  • 5.15E-03 RHR-MDP-TM-1B RHR TRAIN B UNAVAILABLE DUE TO TEST AND MAINTENANCE

Cut Set 11: 2.02E-12, 0.30%, ISINJ:07-05
  • 1.47E-02 IE-ISINJ INADVERTENT SAFETY INJECTION
  • 3.33E-05 ACP-BAC-LP-LCC131X FAILURE OF 480V LCC 131X BUS
  • 4.00E-02 HPI-XHE-XM-THRTL1 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
  • 2.00E-02 PPR-XHE-XM-UNBLOCK OPERATOR FAILS TO OPEN PORV BLOCK VALVES PER OPA-3
  • 5.15E-03 RHR-MDP-TM-1B RHR TRAIN B UNAVAILABLE DUE TO TEST AND MAINTENANCE

Cut Set 12: 2.01E-12, 0.30%, ISINJ:07-05
  • 1.47E-02 IE-ISINJ INADVERTENT SAFETY INJECTION
  • 4.00E-02 HPI-XHE-XM-THRTL1 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
  • 9.63E-04 PPR-MOV-CC-8000B PORV 8000B BLOCK VALVE FAILS TO OPEN
  • 3.54E-03 PPR-PRV-CC-455A PZR PORV 455A FAILS TO OPEN ON DEMAND
  • 1.00E-03 RHR-XHE-XE-PMPLC OPERATORS FAIL TO STOP RHR PUMPS (INSF MIN-FLOW - GIVEN LOCAs)

Cut Set 13: 1.88E-12, 0.28%, ISINJ:07-05
  • 1.47E-02 IE-ISINJ INADVERTENT SAFETY INJECTION
  • 3.33E-05 ACP-BAC-LP-141 DIVISION 1A AC POWER 4kV BUS 141 FAILS
  • 4.79E-03 CCW-MDP-TM-1B CCW MDP-1B UNAVAILABLE DUE TO TEST AND MAINTENANCE
  • 4.00E-02 HPI-XHE-XM-THRTL1 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
  • 2.00E-02 PPR-XHE-XM-UNBLOCK OPERATOR FAILS TO OPEN PORV BLOCK VALVES PER OPA-3

Cut Set 14: 1.67E-12, 0.25%, ISINJ:07-05
  • 1.47E-02 IE-ISINJ INADVERTENT SAFETY INJECTION
  • 4.00E-03 HPI-XHE-XM-RECIRC OPERATOR FAILS TO START/CONTROL HIGH PRESSURE RECIRC - PWR
  • 4.00E-02 HPI-XHE-XM-THRTL1 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
  • 3.54E-03 PPR-PRV-CC-455A PZR PORV 455A FAILS TO OPEN ON DEMAND
  • 2.00E-02 PPR-XHE-XM-UNBLOCK OPERATOR FAILS TO OPEN PORV BLOCK VALVES PER OPA-3
  • 1.00E-02 RHR-XHE-XM-SLOCA OPERATOR FAILS TO INITIATE RHR SYSTEM (GIVEN SLOCA)

Cut Set 15: 1.61E-12, 0.24%, ISINJ:07-11
  • 1.47E-02 IE-ISINJ INADVERTENT SAFETY INJECTION
  • 7.80E-05 ACP-CRB-CF-14121422 CCF OF 4KV ESF BUSES 141/142 BREAKERS TO OPEN
  • 1.75E-03 ACP-TFM-TM-U1SATS BOTH UNIT 1 SATs OOS FOR T&M
  • 4.00E-02 HPI-XHE-XM-THRTL1 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
  • 2.00E-02 OEP-VCF-LP-CLOPL CONSEQUENTIAL LOSS OF OFFSITE POWER - LOCA

Cut Set 16: 1.37E-12, 0.21%, ISINJ:07-05
  • 1.47E-02 IE-ISINJ INADVERTENT SAFETY INJECTION
  • 2.27E-05 ACP-TFM-FC-131X 4160V/480V TRANSFORMER 131X FAILS
  • 4.00E-02 HPI-XHE-XM-THRTL1 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
  • 2.00E-02 PPR-XHE-XM-UNBLOCK OPERATOR FAILS TO OPEN PORV BLOCK VALVES PER OPA-3
  • 5.15E-03 RHR-MDP-TM-1B RHR TRAIN B UNAVAILABLE DUE TO TEST AND MAINTENANCE

Cut Set 17: 1.28E-12, 0.19%, ISINJ:07-05
  • 1.47E-02 IE-ISINJ INADVERTENT SAFETY INJECTION
  • 4.00E-03 HPI-XHE-XM-RECIRC OPERATOR FAILS TO START/CONTROL HIGH PRESSURE RECIRC - PWR
  • 4.00E-02 HPI-XHE-XM-THRTL1 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
  • 5.45E-05 PPR-PRV-CF-PORVS CCF OF PZR PORVs TO OPEN
  • 1.00E-02 RHR-XHE-XM-SLOCA OPERATOR FAILS TO INITIATE RHR SYSTEM (GIVEN SLOCA)
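The cutset listing in Selim's e-mail and his first class of dependency (the HEP of OPA-1 going up when OPA-3 fails) can be checked numerically. The following is an added example, not code from the NRC e-mails or from the SPAR/SAPHIRE model: it quantifies the first three cutsets of sequence ISINJ 07 as the product of their basic-event probabilities (transcribed from the listing above), reports each cutset's share of the total in the same way the report's percent column does, and applies a recovery rule that replaces the nominal HEP of HPI-XHE-XM-THRTL1 with a conditional value whenever PPR-XHE-XM-UNBLOCK is in the same cutset. The conditional HEP value (`OPA1_GIVEN_OPA3_FAILED`) is an assumed placeholder, not a number from the page, and the percentages are relative to the three cutsets included here rather than to all 17.

```python
"""Quantify event-tree sequence cutsets from basic-event probabilities and
apply a dependency 'recovery rule' of the kind discussed in the e-mail thread.

Added example, not code from the NRC e-mails or from SAPHIRE/SPAR. Basic-event
probabilities and names are transcribed from the first three cutsets in the
listing; the dependent HEP used by the recovery rule is an assumed placeholder.
"""
from math import prod

# Basic-event probabilities as listed in the cutset report (transcribed).
BASIC_EVENTS = {
    "IE-ISINJ": 1.47e-2,             # inadvertent safety injection (initiator)
    "ACP-TFM-CF-1312X": 5.37e-7,     # CCF of 4160V/480V transformers 131X/132X
    "ACP-CRB-CF-1415X25X": 1.65e-7,  # CCF of 4kV ESF bus 141/142 breakers to open
    "PPR-PRV-CC-455A": 3.54e-3,      # PZR PORV 455A fails to open on demand
    "PPR-XHE-XM-UNBLOCK": 2.00e-2,   # operator fails to open PORV block valves (OPA-3)
    "HPI-XHE-XM-THRTL1": 4.00e-2,    # operator fails to control/terminate SI flow (OPA-1)
    "HPI-XHE-XM-RECIRC": 4.00e-3,    # operator fails to start/control HP recirc
    "LPI-XHE-XM-RECIRC1": 5.10e-1,   # operator fails to initiate LP recirc (dependent)
}

# The first three cutsets of sequence ISINJ 07 as listed in the e-mail.
CUTSETS = [
    ("ISINJ:07-07", ["IE-ISINJ", "ACP-TFM-CF-1312X", "HPI-XHE-XM-THRTL1"]),
    ("ISINJ:07-07", ["IE-ISINJ", "ACP-CRB-CF-1415X25X", "HPI-XHE-XM-THRTL1"]),
    ("ISINJ:07-03", ["IE-ISINJ", "PPR-PRV-CC-455A", "PPR-XHE-XM-UNBLOCK",
                     "HPI-XHE-XM-THRTL1", "HPI-XHE-XM-RECIRC", "LPI-XHE-XM-RECIRC1"]),
]

# Assumed conditional HEP for OPA-1 given OPA-3 has already failed (placeholder).
OPA1_GIVEN_OPA3_FAILED = 5.0e-1


def cutset_probability(events, probabilities=BASIC_EVENTS):
    """A minimal cutset occurs only if every basic event in it occurs, so its
    probability is the product of the (independent) basic-event probabilities."""
    return prod(probabilities[e] for e in events)


def apply_recovery_rule(events, probabilities=BASIC_EVENTS):
    """Dependency class 1 from the e-mail: when OPA-3 (PPR-XHE-XM-UNBLOCK) and
    OPA-1 (HPI-XHE-XM-THRTL1) are both in a cutset, OPA-1 is quantified with a
    conditional HEP instead of its nominal value. Returns an adjusted table."""
    adjusted = dict(probabilities)
    if "PPR-XHE-XM-UNBLOCK" in events and "HPI-XHE-XM-THRTL1" in events:
        adjusted["HPI-XHE-XM-THRTL1"] = OPA1_GIVEN_OPA3_FAILED
    return adjusted


def quantify(cutsets=CUTSETS, recovery=False):
    """Return (per-cutset probabilities, rare-event sum, min-cut upper bound)."""
    probs = []
    for _, events in cutsets:
        table = apply_recovery_rule(events) if recovery else BASIC_EVENTS
        probs.append(cutset_probability(events, table))
    rare_event_sum = sum(probs)
    mcub = 1.0 - prod(1.0 - p for p in probs)  # min-cut upper bound
    return probs, rare_event_sum, mcub


def percent_contributions(probs):
    """Each cutset's share of the total, as in the report's percent column."""
    total = sum(probs)
    return [100.0 * p / total for p in probs]


if __name__ == "__main__":
    probs, total, mcub = quantify()
    for (seq, events), p, pct in zip(CUTSETS, probs, percent_contributions(probs)):
        print(f"{seq}  {p:.2e}  {pct:5.2f}%  {' * '.join(events)}")
    print(f"sum {total:.2e}  MCUB {mcub:.2e}")
    probs_dep, total_dep, _ = quantify(recovery=True)
    print(f"with recovery rule: cutset 3 {probs_dep[2]:.2e}, sum {total_dep:.2e}")
```

Running it reproduces the report's 3.16E-10, 9.72E-11 and 8.49E-11 for the first three cutsets (the report itself prints only 17 cutsets, and the rare-event sum and the min-cut upper bound agree at these magnitudes). With the recovery rule enabled only cutset 3 changes, since it is the only one of the three that contains both OPA-3 and OPA-1; that is exactly why Selim describes class 1 as handleable with a single rule, while class 2 (consequential LOCA responses) touches several different events per cutset.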

from: To: SubJect: Date: James, - l.blDumll RE: ~ P dependencieJ via reoovtfy r1.1le, Wednes(:lav.Mv21, 201e 3:35:12 PM OK. I hadn1t pulled the Millstone procedures, and was extrapolatrng from the Byron procedures. There are t.No steps m E-0 that seemed relevant: one deals with venfying AFW alignment (Byron Step 10) and tho other deals with venfying AFW flow/ SG level (Byron Step J 5). The former seomed l1ko what that lone item,n the Millstone t,mehne was relerring to, since Its focused on TD-AFW pump operation. But II your look at the Millstone procedure has shown you that ot,s actually the former, then l'rn okay with that Interpretation. That would make the table; Byron Procedural Path

  • Interpreted equivalent timing,n Millstone event (minutes since Initiator)

E*O entry 0 E-0 Step 4 (Check SI status) 0 [ O Step l 5 {Ve, fy,\\F flow} 7 E O Step 18 (Check PRZ PORV and spray status) ?? E*O Step 21 (Check SG p,essure boundaries) 21 E-0 Step 22 (Check SG tubes intact) 25 E-0 Step 24 {Check if ECCS flow should be reduced) 30 LS 1.1 Step 1 (Reset SI) 31 ES* 1.1 Step 10 ( ast step directly associated w1tl> 44 terminating 51) ES-1. l Step 13 {Check if letdown can be 51* established I ES* U Step 21 {Check if DGs should be stopped) 80

  • This is the time at which letdown was established, so it may include some additional actions associated w,:h establishing letdown (beyond hav,ng reach this step in ES*

l.l) Don From, Chang, James Sent: Wednesda\\', July 27, 2016 2:31 PM To: Helton, Dona d <Donald.Helton@nrc.gov>

Subject:

RE: HEP dependencies via recovery rules

Don, The Millstone event, at 7 minutes alter the IE, the crew,11as at E*O Step 16 "Verify ECCS flow" \\\\hich is equivalent to Byron EOP-0 step 17 "Very ECCS Flow". This is different from the Lime shown I your table... I use te Millstone procedure found in te eLolbrary.

James From: Helton, Donald Sent: Wednesda1*, July 27, 2016 10:34 AM To: Chang, James <James Cheine@occ gqy>; Sancak1ar, Sel,m <Selim Saucdktar@orc wav> Subject, RE: HEP dependencies via recovery rules James-Thought; on two,terns from your email follow.. The later one is negligible (It is 2E-7 using the above number for a 15 minutes time window)." }.>- I don't have a problem with this per se. But if we are no: gomg to address additional failures in the timing analysis. then I thmk tt should be addressed m some way via other performance influencing factor{s), in light of one or our real world data points (the }00o Millstone event). To illustrate my point, I've tried to ovNlay the Byron procedure path with the Millstone event timehr>e. It appears that the Millstone crew reached the step where they would have opened a block valve (had they been closed) sometime arm,nd 15 minutes So again, no problem w,th usmg t1m1ng associated with an uncomplicated response, but I want to make sure w~ somehow account/acknowledge our OpE,n out reliabi ity estimation. Byron Procedural Path ... Interpreted equivalent timing,n Millstone event (minutes since initiator) E-0 entry 0 E -0 Step 4 {Check SI status) 0 E O Step 10 {Vc11fy Ar system) 7 E*O Step 18 (Check PRZ PORV and spray status) ?? E-0 Step 21 (Check SG pressure boundaries) 21 E*O Step 22 {Check SG tubes intact) 25 C O Step 24 (Check If (CCS flow should be reduced) 30 ES-1.l Step 1 (Reset SI) 31 ES-1.1 Step 10 ( ast step directly associated with 44 term,natong SI) ES l. I Step 13 (Check if letdown can be 51' established I ES-l.1 Step 21 (Check If DGs should be,topped) 80

'This 1> the t,me dt which letdowr1 was establl,1,ed. so,t mav include,orne addlt,onal actions as,ocoated w,:h e,tablishlng letdown (bevund having,each thos,tep in ES* 1.1) "Do we have a good justification that because the crew missed the step of isolating the PZR isolation valve so they have high chance of skippin_g the step of reselling SI?" , It seems to me that these are NOT strongly linked in t hl, respect. The former is a sub-step in an overall steo that is focused on checking status (ancl addressin~ problems tf needed) The latter occurs after trans,t1on,1g to a new procedure, and is largely comprised of act,on onented steps. From: Chang, James Sent: Wednesda\\', July 27, 2016 9:15 AM To: Helton, Dona d <Donald dPlton@nrc gov>; Sancaktar, Sellrn <SPl1m 5ancaktar@nrr gQY>

Subject:

RE: HEP dependencies via recovery rules I need to think tils more. For the madverlent SI actuation IE, I do not see the scenario -procedure Impose challenge (I only look at the procedure upon to opening the PZR isolation valves). The crew should arrives at the step ol opening ihe PZR isolation valve wilhln five minutes (with the estlmaled mean of 238 seconds, and a standard devialion of 138 seconds). Without 01hor instrumentation failure. tho likoly reason that tho crew did not open the PZR lsolat,on valve Is likely due to skipping the procedure stop (EOP-0 Step 18.c) or a really slow crew. The later one 1s negligible (II ls 2E-7 using the above number for a 1 ~ minutes time window). Do we have a good justification that because the crew missed lhe step of isolating the PZR isolation vafve so !hey have high chance of skipping the step of reselling S I? James From: Helton, Donald Sent: Wednesda\\', July 27, 2016 6:27 AM To: Sancaktar, Selim <?Phm san,_..1ktar@nfC rov> Cc: Chang, James <James Coaoc@orc goV>

Subject:

RE: HEP dependencies via recovery rules James, Don, f~r the second type polenlial HEP dependencies when failure of SI termination causes C-LOCA, we can not very well claim independence of operator actions that deal with C-LOCA, from the initial OPA-1 and OPA-2, right?" As a first cut, no, I don' uh1nk we car1 Jnmes can propose crote*oa for assessing d~prndence, based on whocl*ever I-IRA model he I, employh18, and we could 11len asses, whether there 1$~ c,m, lor lodepeodence te.g., more th* n u~ltrs worth ol interven,ng lome). Out It seem,,mlikely ohat 1ndependene would *pply. From: Sancaktar1 Selim Sent: Tuesday, July 26, 2016 l :57 PM To: Robert BHeH@inl ~OY Cc: Helton, Donald <Pooafd HeUoo@orr jOY>; Chans, James <fames Cbao9@0,r eoy>; Coyne, kevin <Kevm Coyoe@orr wov>

Subject:

HEP dependencies voa recovery rules Hi Bob, I was looking at some cutsets (see below). I see thal we may need a few recovery rules added to the model for dependencies. There are 2 classes of additional dependencies:

1. HEP of OPA-1 goes up when OPA-3 fails (easy to handle with a single recovery rule).
2. HEPs of LOCA response OPAs already in the SPAR model may go up when failure of OPA-1 or OPA-2 causes consequential LOCA: this case is more complicated since there are multiple combinations (for example, see cutset #3 below).

Do you have a clever suggestion for handling the second type of HEP adjustments in bulk, or do I have to identify all combinations (yuck)? James, Don, for the second type potential HEP dependencies when failure of SI termination causes C-LOCA, we can not very well claim independence of operator actions that deal with C-LOCA, from the initial OPA-1 and OPA-2, right?

Regards,
Selim

Case-3 Cutsets for ISINJ ET Sequence #7
Total Prob/Freq 6.65E-10    % Total 100    Displaying 17 Cut Sets (17 Original)

 #   Prob/Freq   % Total   Path
     Event prob  Basic event            Description
-------------------------------------------------------------------------------------------------
 1   3.16E-10    47.43     ISINJ : 07-07
     1.47E-02    IE-ISINJ               INADVERTENT SAFETY INJECTION
     5.37E-07    ACP-TFM-CF-1312X       CCF OF 4160V/480V TRANSFORMERS 131X/132X
     4.00E-02    HPI-XHE-XM-THRTL1      OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
 2   9.72E-11    14.61     ISINJ : 07-07
     1.47E-02    IE-ISINJ               INADVERTENT SAFETY INJECTION
     1.65E-07    ACP-CRB-CF-1415X25X    CCF OF 4KV ESF BUSES 141/142 BREAKERS TO OPEN
     4.00E-02    HPI-XHE-XM-THRTL1      OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
 3   8.49E-11    12.76     ISINJ : 07-03
     1.47E-02    IE-ISINJ               INADVERTENT SAFETY INJECTION
     3.54E-03    PPR-PRV-CC-455A        PZR PORV 455A FAILS TO OPEN ON DEMAND
     2.00E-02    PPR-XHE-XM-UNBLOCK     OPERATOR FAILS TO OPEN PORV BLOCK VALVES PER OPA-3
     4.00E-02    HPI-XHE-XM-THRTL1      OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
     4.00E-03    HPI-XHE-XM-RECIRC      OPERATOR FAILS TO START/CONTROL HIGH PRESSURE RECIRC - PWR
     5.10E-01    LPI-XHE-XM-RECIRC1     OPERATOR FAILS TO INITIATE LOW PRESSURE RECIRC (PWR LOCA) (DEPENDENT)
 4   6.54E-11    9.83      ISINJ : 07-03
     1.47E-02    IE-ISINJ               INADVERTENT SAFETY INJECTION
     5.45E-05    PPR-PRV-CF-PORVS       CCF OF PZR PORVs TO OPEN
     4.00E-02    HPI-XHE-XM-THRTL1      OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
     4.00E-03    HPI-XHE-XM-RECIRC      OPERATOR FAILS TO START/CONTROL HIGH PRESSURE RECIRC - PWR
     5.10E-01    LPI-XHE-XM-RECIRC1     OPERATOR FAILS TO INITIATE LOW PRESSURE RECIRC (PWR LOCA) (DEPENDENT)
 5   4.16E-11    6.26      ISINJ : 07-05
     1.47E-02    IE-ISINJ               INADVERTENT SAFETY INJECTION
     3.54E-03    PPR-PRV-CC-455A        PZR PORV 455A FAILS TO OPEN ON DEMAND
     2.00E-02    PPR-XHE-XM-UNBLOCK     OPERATOR FAILS TO OPEN PORV BLOCK VALVES PER OPA-3
     4.00E-02    HPI-XHE-XM-THRTL1      OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
     1.00E-03    RHR-XHE-XE-PMPLC       OPERATORS FAIL TO STOP RHR PUMPS (INSF MIN-FLOW - GIVEN LOCAs)
 6   3.21E-11    4.82      ISINJ : 07-05
     1.47E-02    IE-ISINJ               INADVERTENT SAFETY INJECTION
     5.45E-05    PPR-PRV-CF-PORVS       CCF OF PZR PORVs TO OPEN
     4.00E-02    HPI-XHE-XM-THRTL1      OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
     1.00E-03    RHR-XHE-XE-PMPLC       OPERATORS FAIL TO STOP RHR PUMPS (INSF MIN-FLOW - GIVEN LOCAs)
 7   7.37E-12    1.11      ISINJ : 07-05
     1.47E-02    IE-ISINJ               INADVERTENT SAFETY INJECTION
     3.54E-03    PPR-PRV-CC-455A        PZR PORV 455A FAILS TO OPEN ON DEMAND
     3.54E-03    PPR-PRV-CC-456         PZR PORV 456 FAILS TO OPEN ON DEMAND
     4.00E-02    HPI-XHE-XM-THRTL1      OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
     1.00E-03    RHR-XHE-XE-PMPLC       OPERATORS FAIL TO STOP RHR PUMPS (INSF MIN-FLOW - GIVEN LOCAs)
 8   4.16E-12    0.63      ISINJ : 07-03
     1.47E-02    IE-ISINJ               INADVERTENT SAFETY INJECTION
     3.54E-03    PPR-PRV-CC-455A        PZR PORV 455A FAILS TO OPEN ON DEMAND
     2.00E-02    PPR-XHE-XM-UNBLOCK     OPERATOR FAILS TO OPEN PORV BLOCK VALVES PER OPA-3
     4.00E-02    HPI-XHE-XM-THRTL1      OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
     1.00E-04    HPI-ASL-MC-RWST        RWST LOW LEVEL COMPONENTS MISCALIBRATED
 9   3.21E-12    0.48      ISINJ : 07-03
     1.47E-02    IE-ISINJ               INADVERTENT SAFETY INJECTION
     1.00E-04    HPI-ASL-MC-RWST        RWST LOW LEVEL COMPONENTS MISCALIBRATED
     4.00E-02    HPI-XHE-XM-THRTL1      OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
     5.45E-05    PPR-PRV-CF-PORVS       CCF OF PZR PORVs TO OPEN
10   2.02E-12    0.30      ISINJ : 07-05
     1.47E-02    IE-ISINJ               INADVERTENT SAFETY INJECTION
     3.33E-05    ACP-BAC-LP-141         DIVISION 1A AC POWER 4kV BUS 141 FAILS
     4.00E-02    HPI-XHE-XM-THRTL1      OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
     2.00E-02    PPR-XHE-XM-UNBLOCK     OPERATOR FAILS TO OPEN PORV BLOCK VALVES PER OPA-3
     5.15E-03    RHR-MDP-TM-1B          RHR TRAIN B UNAVAILABLE DUE TO TEST AND MAINTENANCE
11   2.02E-12    0.30      ISINJ : 07-05
     1.47E-02    IE-ISINJ               INADVERTENT SAFETY INJECTION
     3.33E-05    ACP-BAC-LP-LCC131X     FAILURE OF 480V LCC 131X BUS
     4.00E-02    HPI-XHE-XM-THRTL1      OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
     2.00E-02    PPR-XHE-XM-UNBLOCK     OPERATOR FAILS TO OPEN PORV BLOCK VALVES PER OPA-3
     5.15E-03    RHR-MDP-TM-1B          RHR TRAIN B UNAVAILABLE DUE TO TEST AND MAINTENANCE
12   2.01E-12    0.30      ISINJ : 07-05
     1.47E-02    IE-ISINJ               INADVERTENT SAFETY INJECTION
     4.00E-02    HPI-XHE-XM-THRTL1      OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
     9.63E-04    PPR-MOV-CC-8000B       PORV 8000B BLOCK VALVE FAILS TO OPEN
     3.54E-03    PPR-PRV-CC-455A        PZR PORV 455A FAILS TO OPEN ON DEMAND
     1.00E-03    RHR-XHE-XE-PMPLC       OPERATORS FAIL TO STOP RHR PUMPS (INSF MIN-FLOW - GIVEN LOCAs)
13   1.88E-12    0.28      ISINJ : 07-05
     1.47E-02    IE-ISINJ               INADVERTENT SAFETY INJECTION
     3.33E-05    ACP-BAC-LP-141         DIVISION 1A AC POWER 4kV BUS 141 FAILS
     4.79E-03    CCW-MDP-TM-1B          CCW MDP 1B UNAVAILABLE DUE TO TEST AND MAINTENANCE
     4.00E-02    HPI-XHE-XM-THRTL1      OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
     2.00E-02    PPR-XHE-XM-UNBLOCK     OPERATOR FAILS TO OPEN PORV BLOCK VALVES PER OPA-3
14   1.67E-12    0.25      ISINJ : 07-05
     1.47E-02    IE-ISINJ               INADVERTENT SAFETY INJECTION
     4.00E-03    HPI-XHE-XM-RECIRC      OPERATOR FAILS TO START/CONTROL HIGH PRESSURE RECIRC - PWR
     4.00E-02    HPI-XHE-XM-THRTL1      OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
     3.54E-03    PPR-PRV-CC-455A        PZR PORV 455A FAILS TO OPEN ON DEMAND
     2.00E-02    PPR-XHE-XM-UNBLOCK     OPERATOR FAILS TO OPEN PORV BLOCK VALVES PER OPA-3
     1.00E-02    RHR-XHE-XM-SLOCA       OPERATOR FAILS TO INITIATE RHR SYSTEM (GIVEN SLOCA)
15   1.51E-12    0.24      ISINJ : 07-11
     1.47E-02    IE-ISINJ               INADVERTENT SAFETY INJECTION
     7.50E-05    ACP-CRB-CF-14121422    CCF OF 4KV ESF BUSES 141/142 BREAKERS TO OPEN
     1.75E-03    ACP-TFM-TM-U1SATS      BOTH UNIT 1 SATs OOS FOR T&M
     4.00E-02    HPI-XHE-XM-THRTL1      OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
     2.00E-02    OEP-VCF-LP-CLOPL       CONSEQUENTIAL LOSS OF OFFSITE POWER - LOCA
16   1.37E-12    0.21      ISINJ : 07-05
     1.47E-02    IE-ISINJ               INADVERTENT SAFETY INJECTION
     2.27E-05    ACP-TFM-FC-131X        4160V/480V TRANSFORMER 131X FAILS
     4.00E-02    HPI-XHE-XM-THRTL1      OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
     2.00E-02    PPR-XHE-XM-UNBLOCK     OPERATOR FAILS TO OPEN PORV BLOCK VALVES PER OPA-3
     5.15E-03    RHR-MDP-TM-1B          RHR TRAIN B UNAVAILABLE DUE TO TEST AND MAINTENANCE
17   1.28E-12    0.19      ISINJ : 07-05
     1.47E-02    IE-ISINJ               INADVERTENT SAFETY INJECTION
     4.00E-03    HPI-XHE-XM-RECIRC      OPERATOR FAILS TO START/CONTROL HIGH PRESSURE RECIRC - PWR
     4.00E-02    HPI-XHE-XM-THRTL1      OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 ISINJ)
     5.45E-05    PPR-PRV-CF-PORVS       CCF OF PZR PORVs TO OPEN
     1.00E-02    RHR-XHE-XM-SLOCA       OPERATOR FAILS TO INITIATE RHR SYSTEM (GIVEN SLOCA)
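The following Python script is an added worked example; it is not part of the e-mail thread or of the SPAR model it discusses. It re-derives several of the cutset probabilities listed above from their basic-event values and then applies a dependency "recovery rule" of the first kind Selim describes: whenever OPA-3 (PPR-XHE-XM-UNBLOCK) and OPA-1 (HPI-XHE-XM-THRTL1) appear in the same cutset, the OPA-1 HEP is replaced by its SPAR-H conditional value. The cutset data are transcribed from the table; the dependence level applied (SPAR-H "high") is an assumption for illustration, since the thread does not settle it.

```python
"""Added example (not from the e-mail thread or the SPAR model): recompute
ISINJ sequence #7 cutsets from basic-event probabilities and apply a
dependency recovery rule that raises the OPA-1 HEP when OPA-3 has failed."""

from math import prod

# Basic-event probabilities, transcribed from the cutset listing above.
BE_PROB = {
    "IE-ISINJ": 1.47e-2,
    "ACP-TFM-CF-1312X": 5.37e-7,
    "PPR-PRV-CC-455A": 3.54e-3,
    "PPR-PRV-CF-PORVS": 5.45e-5,
    "PPR-XHE-XM-UNBLOCK": 2.00e-2,   # OPA-3
    "HPI-XHE-XM-THRTL1": 4.00e-2,    # OPA-1
    "HPI-XHE-XM-RECIRC": 4.00e-3,
    "LPI-XHE-XM-RECIRC1": 5.10e-1,   # already carried as dependent in the model
    "RHR-XHE-XE-PMPLC": 1.00e-3,
}

# Cutsets 1, 3, 4 and 5 from the listing (those relevant to the OPA-3 / OPA-1 pair).
CUTSETS = [
    ["IE-ISINJ", "ACP-TFM-CF-1312X", "HPI-XHE-XM-THRTL1"],
    ["IE-ISINJ", "PPR-PRV-CC-455A", "PPR-XHE-XM-UNBLOCK", "HPI-XHE-XM-THRTL1",
     "HPI-XHE-XM-RECIRC", "LPI-XHE-XM-RECIRC1"],
    ["IE-ISINJ", "PPR-PRV-CF-PORVS", "HPI-XHE-XM-THRTL1",
     "HPI-XHE-XM-RECIRC", "LPI-XHE-XM-RECIRC1"],
    ["IE-ISINJ", "PPR-PRV-CC-455A", "PPR-XHE-XM-UNBLOCK", "HPI-XHE-XM-THRTL1",
     "RHR-XHE-XE-PMPLC"],
]

# SPAR-H / THERP conditional HEP of a dependent action given the preceding failure.
DEPENDENCE = {
    "zero": lambda p: p,
    "low": lambda p: (1 + 19 * p) / 20,
    "moderate": lambda p: (1 + 6 * p) / 7,
    "high": lambda p: (1 + p) / 2,
    "complete": lambda p: 1.0,
}


def cutset_prob(cutset, probs=BE_PROB):
    """Product of basic-event probabilities (events independent within the cutset)."""
    return prod(probs[e] for e in cutset)


def apply_recovery_rule(cutset, probs, trigger, dependent, level):
    """Recovery rule: when `trigger` and `dependent` both appear in a cutset,
    replace the dependent HEP with its conditional value at `level`.
    Returns a per-cutset probability map; the cutset itself is unchanged."""
    local = dict(probs)
    if trigger in cutset and dependent in cutset:
        local[dependent] = DEPENDENCE[level](probs[dependent])
    return local


def sequence_frequency(cutsets, probs, rule=None):
    """Min-cut upper bound 1 - prod(1 - P(cutset_i)), optionally with a rule
    (trigger, dependent, level) applied to every cutset first."""
    q = 1.0
    for cs in cutsets:
        p = cutset_prob(cs, apply_recovery_rule(cs, probs, *rule) if rule else probs)
        q *= 1 - p
    return 1 - q


# Assumed dependence level: the thread does not state which one James will propose.
RULE = ("PPR-XHE-XM-UNBLOCK", "HPI-XHE-XM-THRTL1", "high")

if __name__ == "__main__":
    for i, cs in enumerate(CUTSETS, 1):
        base = cutset_prob(cs)
        adj = cutset_prob(cs, apply_recovery_rule(cs, BE_PROB, *RULE))
        print(f"cutset {i}: {base:.2e} -> {adj:.2e}")
    print(f"sequence: {sequence_frequency(CUTSETS, BE_PROB):.3e} -> "
          f"{sequence_frequency(CUTSETS, BE_PROB, RULE):.3e}")
```

With "high" dependence the OPA-1 HEP becomes (1 + 0.04)/2 = 0.52, so the cutsets that also contain OPA-3 rise by a factor of 13 while the others are unchanged, and the sequence frequency moves accordingly. The second class of dependency in the e-mail (C-LOCA response HFEs conditioned on OPA-1 or OPA-2) is the same function called once per trigger/dependent pair, which is the enumeration of combinations the question is about.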

1 Spurious Safety Injection

Subject of interest: The probability that the operator does not open a pressurizer isolation valve in time, leading to a water-solid pressurizer with RCS water leaking through the pressurizer safety relief valves, given a spurious safety injection (SI) at full power operation with all pressurizer PORV isolation (block) valves closed (blocked).

1.1 Scenario Analysis and Operational Narrative

1.1.1 Component Responses

The Byron/Braidwood Updated Final Safety Analysis Report (B/B-UFSAR) states: A spurious SI signal initiated after the logic circuitry in one solid-state protection system train for any of the following engineered safety feature (ESF) functions could cause this incident by actuating the ESF equipment associated with the affected train.

a. High containment pressure,
b. Low pressurizer pressure, or
c. Low steamline pressure.

Following the actuation signal, the suction of the coolant charging pumps diverts from the volume control tank to the refueling water storage tank. Simultaneously, the valves isolating the charging pumps from the injection header automatically open and the normal charging line isolation valves close. The charging pumps force the borated water from the refueling water storage tank (RWST) through the pump discharge header, the injection line, and into the cold leg of each loop. The passive accumulator tank safety injection and low head systems are available; however, they do not provide flow when the reactor coolant system (RCS) is at normal pressure.

A safety injection (SI) signal normally results in a direct reactor trip and a turbine trip. However, any single fault that actuates the ECCS will not necessarily produce a reactor trip. If an SI signal generates a reactor trip, the operator should determine whether the signal is spurious. If the SI signal is determined to be spurious, the operator should terminate SI and maintain the plant in the hot-standby condition as determined by the appropriate recovery procedures. If repair of the ESF actuation system instrumentation is necessary, future plant operation will be in accordance with the Technical Specifications. If the SI results in discharge of coolant through the pressurizer safety relief valves, the operators will bring the plant to cold shutdown in order to inspect the valves.

If the reactor protection system does not produce an immediate trip as a result of the spurious SI signal, the reactor experiences a negative reactivity excursion due to the injected boron, which causes a decrease in reactor power. The power mismatch causes a drop in Tavg and consequent coolant shrinkage. The pressurizer pressure and water level decrease. Load decreases due to the effect of reduced steam pressure on load after the turbine throttle valve is fully open. If automatic rod control is used, these effects will lessen until the rods have moved out of the core. The transient is eventually terminated by the reactor protection system low pressurizer pressure trip or by manual trip. The time to trip is affected by the initial operating conditions, which include the core burnup history (which affects the initial boron concentration), the rate of change of boron concentration, and the Doppler and moderator coefficients.

After the actuation of an SI signal, regardless of how it is actuated, the following ECCS actions are designed to take place because of interlocks with the SI signal:

1. Centrifugal charging pumps start on "S" signal.
2. RWST suction valves to the charging pumps open on "S" signal.
3. Safety injection containment isolation valves open on "S" signal.
4. Normal charging path valves close on "S" signal.
5. Charging pump miniflow isolation valves CV8110 and CV8111 close on "S" signal, concurrent with LO-2 RWST level.
6. Charging pump miniflow isolation valves CV8114 and CV8116 close on low RCS pressure in conjunction with an "S" signal. These valves open to protect the pump should the RCS pressure increase above the open setpoint with an "S" signal present.
7. Safety injection pumps start on "S" signal.
8. The RHR pumps start on "S" signal.
9. VCT outlet isolation valves close on "S" signal.

1.1.2 Operator Responses

Assuming the reactor is at full power operation, after a spurious actuation of an SI signal the nuclear power starts decreasing immediately due to boron injection, but steam flow does not decrease until later in the transient, when the turbine throttle valve is wide open. The mismatch between load and nuclear power causes Tavg, pressurizer water level, and pressurizer pressure to drop. Without operator intervention, the reactor trips and the control rods start moving into the core when the pressurizer pressure reaches the pressurizer low pressure trip setpoint. The reactor is calculated to trip automatically about 76 seconds after the SI actuation if the SI signal does not cause an automatic reactor trip and the operator does not manually trip the reactor first. Whether or not the reactor trips immediately following the SI signal, the operator responses in the two scenarios are very similar. After verifying an SI actuation, the operator performs the immediate actions of emergency operating procedure (EOP)-0, Reactor Trip or Safety Injection, summarized as follows:

- Verify the reactor is tripped. If the reactor is not tripped, then manually trip the reactor.
- Verify the turbine is tripped. If the turbine is not tripped, then manually trip the turbine.
- Verify electric power is available to the 4KV engineered safety feature (ESF) buses.
- Check SI status. If SI is required, then manually actuate SI if it is not actuated already. If SI is not required, then transfer to procedure ES-0.1, Reactor Trip Response.

In this analysis, with the assumption of a single failure (i.e., the spurious SI actuation), the expected status after completing the above four immediate actions is: the reactor is tripped, the turbine is tripped, the 4KV ESF buses are energized, and the SI actuation is on. The procedure step by which the SI status is determined is shown in Table 1. In this scenario, because the SI equipment is automatically actuated, the operator would not enter the RESPONSE NOT OBTAINED column.

Table 1  The procedure step of checking SI status

ACTION/EXPECTED RESPONSE
  CHECK SI STATUS
  a. Check if SI - ACTUATED:
     - Any SI first out annunciator - LIT
     - SI ACTUATED permissive light - LIT
     - SI equipment - AUTOMATICALLY ACTUATED:
       o Either SI pump - RUNNING
       o Either CENT CHG pump to cold leg injection isolation valve - OPEN: 1SI8801A, 1SI8801B
  b. Manually actuate SI: 1PM05J, 1PM06J

RESPONSE NOT OBTAINED
  a. Check if SI is required:
     - PZR pressure less than or equal to 1829 PSIG
     - Steamline pressure less than or equal to 640 PSIG
     - Containment pressure greater than or equal to 3.4 PSIG
     IF SI is required, THEN manually actuate SI.
     IF SI is NOT required, THEN GO TO ES-0.1 REACTOR TRIP RESPONSE, Step 1.

While the reactor operator (RO) is performing the immediate actions, the shift supervisor (SS), a senior reactor operator, brings out the EOP-0 procedure. Once the RO finishes the immediate actions, the SS works with the RO and the auxiliary RO (ARO) to implement EOP-0. They start implementing EOP-0 from Step 1. The first four steps (i.e., the immediate actions) reconfirm the immediate actions performed by the RO.

Except for the spurious SI actuation, all components and instruments function as designed, and the operators are expected to be familiar with EOP-0, so the operating crew is expected to follow the EOP-0 instructions with ease. After the manual reactor trip, all procedure steps require the operator to check that the key components are automatically responding to the situation as designed, until Step 18, which requires the operator to open a pressurizer isolation (or block) valve. Table 2 provides the procedure instruction of Step 18.

Table 2  The procedure step (Step 18) that instructs establishing a PZR relief path

ACTION/EXPECTED RESPONSE
  CHECK PZR PORVS AND SPRAY VALVES
  a. PORVs - CLOSED: 1RY455A, 1RY456
  b. PORV isolation valves - AT LEAST ONE ENERGIZED
  c. PORV relief path - AT LEAST ONE AVAILABLE:
     - PORV in - AUTO
     - Associated isolation valve - OPEN
  d. Normal PZR spray valves - CLOSED: 1RY455B, 1RY455C

RESPONSE NOT OBTAINED
  a. IF PZR pressure is less than 2315 PSIG, THEN manually close PORVs.
     IF any PORV can NOT be closed, THEN manually or locally close its isolation valve:
       1RY8000A (1RY455A)  MCC 131X2B A5 (414 Q11 RXB1)
       1RY8000B (1RY456)   MCC 132X2 C4 (426 Q11 RXB1)
     IF PORV isol valve can NOT be closed, THEN GO TO 1BEP-1,
  b. GO TO Step 18d.
  c. Perform the following to establish a PORV relief path for any PORV NOT failed open:
     1. Place the PORV in AUTO.
     2. Open the associated PORV isolation valve.
  d. IF PZR pressure is less than 2260 PSIG, THEN manually close spray valve(s).
     IF any spray valve(s) cannot be closed, THEN stop RCP(s) as necessary to stop spray flow: RCP 1D, RCP 1C, RCP 1B, RCP 1A.

Because the initial condition is that the pressurizer PORV isolation valves are closed, the operator is expected to identify the status of the associated isolation valves (Step 18.c, second bullet) as not open. This leads the operator to perform the actions in the RESPONSE NOT OBTAINED column of Step 18.c, which include placing the PORVs in AUTO and opening the associated PORV isolation valve.

1.1.3 Task Analysis

The operator response to this scenario starts with detecting the abnormal plant symptoms triggered by the inadvertent SI actuation. Regardless of whether the operator manually trips the reactor, the EOP-0 procedure will be entered. Within this procedure, the operators' main tasks are to verify that the components and systems are automatically responding to the event as designed. The main operator physical actions that intervene in the scenario are opening at least one pressurizer isolation valve (Step 18.c) and resetting SI (Step 27). Both actions are performed within the main control room, and both are simple actions. Opening a pressurizer isolation valve is done by turning the valve control switch to the open position and confirming that the valve status light changed from green to red. Resetting the SI is done by depressing the two SI reset buttons and confirming that the action succeeded by verifying that the SI ACTUATED permissive light went off and the AUTO SI BLOCKED permissive light went on.

1.1.4 Relevant Operating Experience

The following event description is from [0]:

On April 17, 2005, at 8:29 a.m., Millstone Unit 3 experienced a reactor trip from 100 percent power following an unexpected A train safety injection (SI) actuation signal and main steam line isolation (MSI). Control room operators entered emergency operating procedure (EOP) E-0, Reactor Trip or Safety Injection, Revision 22, and manually actuated the B train of safety injection within 30 seconds. The first-out annunciator panel indicated that the reactor trip was caused by a Steam Line Pressure Low Isolation SI signal sensed by the solid state protection system (SSPS). The Shift Manager (SM) arrived in the control room approximately five minutes after the reactor trip and assumed Director of Site Operations (DSO) duties. As a result of the MSI signal, the main steam isolation valves (MSIVs) and two of the four main steam line atmospheric dump valves (ADVs) automatically closed. With the closure of the MSIVs, the main steam line safety valves (MSSVs) opened to relieve secondary plant pressure. Control room operators manually actuated the B MSI train in accordance with station procedures. Both motor-driven auxiliary feedwater (MDAFW) pumps started to maintain steam generator levels. The turbine-driven auxiliary feedwater (TDAFW) pump attempted to start but immediately tripped on overspeed. Operators were dispatched to investigate the cause of the trip. The TDAFW pump trip was subsequently reset and the TDAFW was restarted at 10:19 a.m. At approximately 8:42 a.m., the SM noted that a B MSSV had remained open for an extended period of time.
In consultation with the Unit Supervisor (US) and Shift Technical Advisor (STA), the SM declared an ALERT based on a stuck-open MSSV. The crew determined that the stuck-open MSSV represented an unisolable steam line break outside containment. At 8:45 a.m., due to the addition of inventory from the SI, the pressurizer reached water-solid conditions and the pressurizer PORVs cycled numerous times to relieve reactor coolant system (RCS) pressure and divert the additional RCS inventory to the pressurizer relief tank (PRT). No pressurizer safety valve actuations occurred and the PRT rupture diaphragm remained intact. The control room received reports of substantial leakage in the auxiliary building near the high head safety injection (HHSI) pumps. The leakage was coming from the packing of two valves in the HHSI system alternate minimum flow (AMF) line and was estimated at approximately 60 gpm. Several hundred gallons spilled onto the auxiliary building floor. At approximately 8:59 a.m., the operating crew transitioned from EOP E-0 to ES-1.1, SI Termination. The SI was reset and the crew terminated safety injection at 9:12 a.m., and normal RCS letdown was re-established at 9:20 a.m. Millstone Unit 3 entered Mode 4 [Hot Shutdown]

at approximately 7:03 p.m. and the ALERT was terminated shortly thereafter. NRC Region I had been in Monitoring Mode during the event and returned to Normal Mode at 11:45 p.m.

1.2 HFEs

1.2.1 OPERATOR FAILS TO OPEN PORV BLOCK VALVES (OPA-3)

1.2.1.1 Task Description

The task (OPERATOR FAILS TO OPEN PORV BLOCK VALVES) starts from the operator detecting the plant abnormality, then following EOP-0 to Step 18 and opening at least one of the isolated pressurizer isolation valves per Step 18's instruction. The macrocognition discussion of the overall task is the following:

Detecting the abnormal symptom: the inadvertent actuation of the SI signal causes a number of automatic component status changes related to the containment Phase A isolation, as identified in Section 1.1. These changes trigger a number of alarms. The automatic start and realignment of the centrifugal charging pumps and SI pumps are clear to the operators. The operators are familiar with and are trained to pay attention to these component statuses.

Understanding the issue and deciding on a response plan: once the SI actuation is detected, EOP-0 is the procedure to enter. Operators are routinely trained on entering and implementing EOP-0. Understanding and decision making are based on the procedure instructions. The operators' main activity is to follow the procedure instructions to check plant parameter values and component statuses.

Action: the main action is to open a pressurizer isolation valve. This action is performed inside the main control room by turning the control switches of the pressurizer isolation valves from close to open and verifying that the isolation valve status indication light changed from green (closed) to red (open). Another action that the operator may perform at the beginning of the scenario is to manually trip the reactor if the reactor is not automatically tripped by the SI signal.
In this case, whether the operator manually trips the reactor makes little difference to the scenario from a safety standpoint, because the reactor will eventually be tripped automatically on low pressurizer pressure at about 76 seconds [1] after the inadvertent SI actuation. The key task is to open at least one pressurizer isolation valve as instructed by EOP-0 Step 18. This is a simple main control room action performed by the RO as teamwork between the SS and the RO: the SS reads the procedure instruction to direct and monitor the RO performing the task. Once the task is completed, the RO is expected to inform the SS that the task has been performed. The actual physical activity that changes the system status is to push a button (or turn a switch) to open the isolation valve.

1.2.1.2 Time Analysis

Two sources are used to assess the operator response time: the Millstone event [1] and the paper published by KAERI [2]. The first source is a real event; the second is based on simulator training.

Millstone Event

This inadvertent SI actuation event was complicated by the B S/G safety valve sticking open immediately after the reactor trip caused by the inadvertent SI, the turbine-driven auxiliary feedwater pump (TD AFWP) tripping three seconds after start, and a partial main steam isolation. The stuck-open B S/G safety valve and the partial main steam isolation led the operators to spend more time confirming that this was not a main steam line break event than they would in a clean inadvertent SI actuation event. The TD AFWP trip did not affect safety in this event because the TD AFWP is a backup to the two motor-driven AFWPs. All of these together slowed down the operator responses.

Time (minutes)  Event
0    - A Train SSPS Steam Line Pressure Low SI/MSI signal followed by a reactor trip. First Out alarm: Steam Line Pressure Low Isolation SI.
     - MSIVs closed as expected.
     - 3 MSS-PV20A&C, Atmospheric Dump Valves (ASDVs), open.
     - 3 MSS-PV20B&D received closed signals via MSI (1/2 of ASDVs shut on 1/2 MSI).
     - B S/G Safety opens.
     - The control room crew entered E-0, Reactor Trip/SI, emergency response procedure.
     - At Step 4 the crew initiated train B SI.
     - Terry Turbine steam supplies open and Terry Turbine trips 3 seconds later.
7    At EOP-0 Step 16, Verify ECCS Flow. Crew performed a debrief of the situation. The crew reinforced to the entire control staff that there was no Terry Turbine Aux Feed flow, B S/G Safety was still open, and manual initiation of both trains of SI was required. Dispatched a PEO to the Terry Turbine, who verified that it was not running. Found V5 unlatched and shut. Mech Trip tappet was NOT in overspeed condition. (Crew continues to evaluate plant conditions; thought stuck S/G Safety caused SI.)
11   Pressurizer PORVs commence cycling at RCS pressure of 2350 psig.
30   Transition from E-0 to ES-1.1.

In the Millstone event, the operators reached EOP-0 Step 16, Verify ECCS Flow, seven minutes after the initiating event. Byron's EOP-0 has the step of verifying ECCS flow at Step 17. Immediately after Step 17, Byron EOP-0 Step 18 instructs opening the pressurizer isolation valves so that at least one pressurizer PORV path remains open. Therefore, overlaying the Millstone event on the Byron procedure, it is estimated that the operator would complete Step 18 (open pressurizer isolation valves) eight minutes after the initiating event.

KAERI Simulator Analysis

The operator normal response time is based on [2], which is based on Korean crews responding to a steam generator tube rupture (SGTR) scenario. The Korean crew structure and procedures are similar to those of the Byron nuclear power plant. Without Byron plant-specific data, the data in [2] are considered a good approximation. The time data in [2] are reproduced in Table 3.

Table 3  KAERI simulator task times for EOP-0

Task ID  Task Description                                        Time (s)¹  SD (s)²  Procedure Steps³
1        Confirming immediate responses after reactor trip       41.9       25.5     1 to 4
2        Confirming the isolation of essential valves            12.0       2.9      5 to 6
3        Confirming the operation of essential pumps             17.9       5.6      7 to 10
4        Verifying containment status                            33.9       22.3     11 to 14
5        Verifying the delivery of SI and AFW flow               55.4       27.8     15 to 18
6        Verifying the status of RCS heat removal                38.9       16.0     19 to 21
7        Entering E-3 procedure according to the status of SGs   34.7       16.3     22 to 23

¹ Averaged task performance time in seconds. ² Standard deviation in seconds. ³ Based on the EOP-0 of the Korean nuclear power plant.

For the task OPERATOR FAILS TO OPEN PORV BLOCK VALVES, the sum of the times of Task IDs 1 to 6 in Table 3 (200.0 seconds) is used for the situation in which the reactor is tripped by the inadvertent SI signal. To include the situation in which the reactor is not tripped by the SI signal, a 76-second mean time (assuming no manual trip) with zero variation is added to the total. Standard deviations are summed arithmetically, which treats the task times as fully correlated and is therefore conservative. This results in a mean of 276 seconds and a standard deviation of 100.1 seconds. The number is considered consistent with the Millstone event (eight minutes, or 480 seconds, under the complicating conditions described above).

Time Sufficiency Check

Using a normal distribution with a mean of 276 seconds, a standard deviation of 100 seconds, and a time window of 15 minutes (900 seconds), the failure probability due to insufficient time (without any complicating factors) is P(T > 900 s) = 1 - Φ((900 - 276)/100) = 1 - Φ(6.24), on the order of 1E-10, which is negligible.

1.2.1.3 HEP Calculation

This section uses a number of HRA methods to calculate the HEPs.

SPAR-H [3]

SPAR-H uses eight performance shaping factors (PSFs) to calculate the HEPs of diagnosis and action. The task's HEP is the sum of the diagnosis HEP and the action HEP. The following discusses the statuses of the eight PSFs for diagnosis and action.

Available Time: The available time is 15 minutes. The mean time, including diagnosis and action, is 276 seconds (4.6 minutes). Based on SPAR-H's classification, the status of the PSF available time is nominal time.

Stress/Stressors: The stress level is determined as nominal because all the operator activities are within EOP-0 and there is no surprise, except that the SI actuation may not trip the reactor automatically.

Complexity: For diagnosis, the complexity is determined as nominal because the diagnosis is performed by following EOP-0. For action, turning a switch from close to open is a simple task. The status is nominal.

Experience/Training: For diagnosis, this is determined as nominal because the inadvertent SI actuation is not a routinely trained scenario. For action, turning a switch from close to open is straightforward for the operator; the status is high.

Procedures: For diagnosis, the EOP is a diagnostic/symptom-oriented procedure; the status is diagnostic/symptom oriented (multiplier 0.5). For action, the procedure instruction is clear. The status is nominal.

Ergonomics/HMI, fitness for duty, and work processes: their statuses are nominal. Table 4 shows the PSF statuses and their HEP multipliers.

Table 4  SPAR-H PSF statuses and multipliers for OPA-3

PSF                  Diagnosis status               Mult.   Action status   Mult.
Available Time       Nominal time                   1       Nominal time    1
Stress/Stressors     Nominal                        1       Nominal         1
Complexity           Nominal                        1       Nominal         1
Experience/Training  Nominal                        1       High            0.5
Procedures           Diagnostic/symptom oriented    0.5     Nominal         1
Ergonomics/HMI       Nominal                        1       Nominal         1
Fitness for Duty     Nominal                        1       Nominal         1
Work Processes       Nominal                        1       Nominal         1

Therefore, with the SPAR-H nominal HEPs of 0.01 for diagnosis and 0.001 for action, HEP = 0.01 × 0.5 + 0.001 × 0.5 = 0.0055.

NARA [4]

NARA calculates the HEP by mapping the task being analyzed to NARA's generic task types (GTTs). Each GTT has a base HEP value. The final HEP is the base HEP multiplied by the multipliers of the NARA PSFs that apply to the task; NARA's PSFs only have negative effects on the HEP (i.e., they increase its value). The following two GTTs are identified as corresponding to the diagnosis and action portions of the HFE OPERATOR FAILS TO OPEN PORV BLOCK VALVES:

- Simple response to a key alarm within a range of alarms/indications providing clear indication of situation (simple diagnosis required). Response might be direct execution of simple actions or initiating other actions separately assessed. The base HEP is 0.0004.
- Carry out simple single manual action with feedback. Skill-based and therefore not necessarily with procedure. The base HEP is 0.006.

No negative NARA PSF is applicable to the HFE. Therefore, HEP = 0.0004 + 0.006 = 0.0064.

The average of the SPAR-H and NARA HEPs is used for the final HEP: final HEP = (0.0055 + 0.0064)/2 = 6.0E-3. Failures are likely due to scenario complications, not explicitly modeled, that slow the operators in implementing the procedures or divert them from the expected procedure-following path.

1.2.2 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1)

The task OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW starts from the pressurizer isolation valves having been opened or not opened as instructed at EOP-0 Step 18

to the SI reset action instructed by EOP-0 Step 27. OPA-1 is further divided into the following two classes:

- OPA-1A: assumes that the operator successfully opened the pressurizer isolation valves.
- OPA-1B: assumes that the operator failed to open the pressurizer isolation valves. This leads to a water-solid pressurizer and water leaking through the pressurizer safety relief valves.

1.2.2.1 OPA-1A

1.2.2.1.1 Task Description

OPA-1A starts with the operators having successfully opened the pressurizer isolation valves (EOP-0 Step 18). To succeed in OPA-1A, the operator is expected to continue EOP-0 to Step 24.e, "GO TO ES-1.1, SI Termination, Step 1". ES-1.1 Step 1 instructs the operator to depress both SI reset buttons to reset the SI and to verify completion of the task by checking that the SI ACTUATED permissive light is off and the AUTO SI BLOCKED permissive light is on. At the beginning of this task, the operating crew is already in EOP-0 and continues following it. Between Step 18 and Step 24, the potential procedure-following deviations are transfers to EOP-2, Faulted Steam Generator Isolation; EOP-3, Steam Generator Tube Rupture; and EOP-1, Loss of Reactor or Secondary Coolant.

1.2.2.1.2 Time Analysis

The time estimate is based on the KAERI time data shown in Table 3. The seven task IDs in Table 3 cover EOP-0 up to the point at which SGTR is checked. To reach Step 24.e, the operator also needs to check whether this is a LOCA event. Two minutes (with a standard deviation of zero) are added to cover the time to check the LOCA symptoms and transfer to ES-1.1 to reset SI. Therefore, the total time for OPA-1A has a mean of 354.7 seconds (234.7 + 120) and a standard deviation of 116.4 seconds.

Time Sufficiency Check

With a mean time of 354.7 seconds, a standard deviation of 116.4 seconds, and an available time window of 20 minutes (1200 seconds), the human failure probability due simply to time insufficiency is negligible (the window lies more than seven standard deviations above the mean).
1.2.2.1.3 HEP Calculation

SPAR-H[3]

SPAR-H uses eight performance shaping factors (PSFs) to calculate the HEPs of diagnosis and action. The task HEP is the sum of the diagnosis HEP and the action HEP. The following discusses the statuses of the eight PSFs for diagnosis and action.

Available Time: The available time is 20 minutes. The mean time, including diagnosis and action, is 354 seconds (5.9 minutes). Based on SPAR-H's classification, the status of the PSF available time is nominal time.

Stress/Stressors: The stress level is determined as nominal because there is no immediate safety concern to the operators.

Complexity: For diagnosis, the complexity is determined as nominal. The operators have to conclude correctly that the event is not an MSLB, SGTR, or LOCA event. The indications are expected to be clear enough to reach that conclusion.

Experience/Training: For diagnosis, this is determined as nominal. Even though the operator is routinely trained on diagnosing MSLB, SGTR, and LOCA events, having to rule out all of them successfully makes the determination nominal instead of high. For action, depressing the SI reset buttons is straightforward for the operator.

Procedures: For diagnosis, the EOP is a diagnosis/symptom-oriented procedure; the status is high. For action, the procedure instruction is clear; the status is nominal.

Ergonomics/HMI, Fitness for Duty, and Work Processes: Their statuses are nominal.

Table 4 shows the PSF statuses and their HEP modification factors.

PSF                   Diagnosis status              Multiplier   Action status   Multiplier
Available Time        Nominal time                  1            Nominal time    1
Stress/Stressors      Nominal                       1            Nominal         1
Complexity            Nominal                       1            Nominal         1
Experience/Training   Nominal                       1            High            0.5
Procedures            Diagnostic/symptom oriented   0.5          Nominal         1
Ergonomics/HMI        Nominal                       1            Nominal         1
Fitness for Duty      Nominal                       1            Nominal         1
Work Processes        Nominal                       1            Nominal         1

Therefore, the HEP = 0.01 × 0.5 + 0.001 × 0.5 = 0.0055.

NARA[4]

The following two GTTs are identified as corresponding to the diagnosis and action portions of the HFE of OPA-1A:

Judgement needed for appropriate procedure to be followed, based on interpretation of alarms/indications, situation covered by training at appropriate intervals. The base HEP is 0.01.

Carry out simple single manual action with feedback. Skill-based and therefore not necessarily with procedure. The base HEP is 0.006.

No negative NARA PSF is applicable to the HFE. Therefore the HEP = 0.01 + 0.006 = 0.016. The average of the SPAR-H and NARA HEPs is used for the final HEP. The final HEP = (0.0055 + 0.016)/2 = 1.1E-2.

The failures are likely due to scenario complications, not explicitly modeled, that slowed down the operator in implementing the procedures or caused a deviation from the expected procedure-following path.

References:

1. Millstone Power Station Unit 3 - NRC Special Inspection Report 05000423/2005012.
2. Byron Nuclear Power Station, Updated Final Safety Analysis Report, Chapter 15.6.
3. Park, J. and Jung, W., A study on the development of a task complexity measure for emergency operating procedures of nuclear power plants, Reliability Engineering and System Safety, 92 (2007), 1102-1116.
4. Gertman, D., Blackman, H., Marble, J., Byers, J. and Smith, C., The SPAR-H Human Reliability Analysis Method, NUREG/CR-6883, 2005.
5. Kirwan, B., Gibson, H., Kennedy, R., Edmunds, J., Cooksley, G., and Umbers, I., Nuclear Action Reliability Assessment (NARA): A data-based HRA tool. In Probabilistic Safety Assessment and Management 2004, Spitzer, C., Schmocker, U., and Dang, V.N. (Eds.), London, Springer, 2004, pp. 1206-1211.

1 Spurious Safety Injection ... 2
  1.1 Results Summary ... 2
  1.2 Scenario Analysis and Operational Narrative ... 3
    1.2.1 Component Responses ... 3
    1.2.2 Operator Responses ... 4
    1.2.3 Task Analysis ... 6
    1.2.4 Relevant Operating Experience ... 7
  1.3 HFEs ... 8
    1.3.1 OPERATOR FAILS TO OPEN PORV BLOCK VALVES (OPA-3) ... 9
      1.3.1.1 Task Description ... 9
      1.3.1.2 Time Analysis ... 10
      1.3.1.3 HEP Calculation ... 11
        1.3.1.3.1 Overall HEP ... 12
        1.3.1.3.2 HEP due to Slow ... 13
        1.3.1.3.3 HEP Due to Skipping EOP-0 Step 18.c ... 13
        1.3.1.3.4 HEP due to misread the PZR isolation valve indication ... 15
        1.3.1.3.5 Failure Modes and Fail Probability Discussion ... 16
    1.3.2 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1) ... 17
      1.3.2.1 OPA-1 ... 17
        1.3.2.1.1 Task Description ... 17
        1.3.2.1.2 Time Analysis ... 17
        1.3.2.1.3 HEP Calculation ... 17
      1.3.2.2 OPA-1.2 ... 19
        1.3.2.2.1 Task Description ... 19
        1.3.2.2.2 Time Analysis ... 19
        1.3.2.2.3 HEP Calculation ... 20

1 Spurious Safety Injection

Subject of interest: The probability that the operator does not open the pressurizer isolation valve in time, leading to a water-solid pressurizer and RCS water leaking from the pressurizer safety relief valve, given a spurious safety injection (SI) that occurs at full power operation with all pressurizer PORV isolation (block) valves closed (blocked).

1.1 Results Summary

The spurious SI actuation scenario includes two HFEs: opening a pressurizer isolation valve and terminating the SI. The failure to open a pressurizer isolation valve is further analyzed for its failure modes. Three potential failure modes are identified and analyzed as shown in the figure below.

[Figure: failure-mode tree (image not reproduced). Values shown: HEP(OPA-3) = 3.5E-3; HEP(OPA-3.1) negligible; HEP(OPA-3.2) = 3.5E-3; HEP(OPA-3.3) negligible; branch "Failure due to incorrect detecting valve status (OPA-3.3)"; Terminate SI (OPA-1), (OPA-1.1), (OPA-1.2), (OPA-1.3) with HEP 3.9E-3, N/A, 0.5, N/A respectively.]

1.2 Scenario Analysis and Operational Narrative

1.2.1 Component Responses

The Byron/Braidwood Updated Final Safety Analysis Report (B/B-UFSAR) states: "A safety injection (SI) signal normally results in a direct reactor trip and a turbine trip. However, any single fault that actuates the ECCS will not necessarily produce a reactor trip." The B/B-UFSAR also states: A spurious (SI) signal initiated after the logic circuitry in one solid-state protection system train for any of the following engineered safety feature (ESF) functions could cause this incident by actuating the ESF equipment associated with the affected train.

a. High containment pressure,
b. Low pressurizer pressure, or
c. Low steamline pressure.

Following the actuation signal, the suction of the coolant charging pumps diverts from the volume control tank to the refueling water storage tank. Simultaneously, the valves isolating the charging pumps from the injection header automatically open and the normal charging line isolation valves close. The charging pumps force the borated water from the refueling water storage tank (RWST) through the pump discharge header, the injection line, and into the cold leg of each loop. The passive accumulator tank safety injection and low head system are available. However, they do not provide flow when the reactor coolant system (RCS) is at normal pressure. A safety injection (SI) signal normally results in a direct reactor trip and a turbine trip. However, any single fault that actuates the ECCS will not necessarily produce a reactor trip. If an SI signal generates a reactor trip, the operator should determine if the signal is spurious. If the SI signal is determined to be spurious, the operator should terminate SI and maintain the plant in the hot-standby condition as determined by appropriate recovery procedures. If repair of the ESF actuation system instrumentation is necessary, future plant operation will be in accordance with the Technical Specifications. If the SI results in discharge of coolant through the pressurizer safety relief valves, the operators will bring the plant to cold shutdown in order to inspect the valves. If the reactor protection system does not produce an immediate trip as a result of the spurious SI signal, the reactor experiences a negative reactivity excursion due to the injected boron, which causes a decrease in reactor power. The power mismatch causes a drop in Tavg and consequent coolant shrinkage. The pressurizer pressure and water level decrease. Load decreases due to the effect of reduced steam pressure on load after the turbine throttle valve is fully open. 
If automatic rod control is used, these effects will lessen until the rods have moved out of the core. The transient is eventually terminated by the reactor protection system low pressurizer pressure trip or by manual trip.

The time to trip is affected by initial operating conditions. These initial conditions include the core burnup history, which affects initial boron concentration, rate of change of boron concentration, and Doppler and moderator coefficients. After the actuation of an SI signal, regardless of how the SI signal is actuated, the following ECCS actions are designed to take place because of interlocks with the SI signal:

1. Centrifugal charging pumps start on "S" signal.
2. RWST suction valves to the charging pumps open on "S" signal.
3. Safety injection containment isolation valves open on "S" signal.
4. Normal charging path valves close on "S" signal.
5. Charging pump miniflow isolation valves CV8110 and CV8111 close on "S" signal, concurrent with LO-2 RWST level.
6. Charging pump miniflow isolation valves CV8114 and CV8116 close on low RCS pressure in conjunction with an "S" signal. These valves open to protect the pump should the RCS pressure increase above the open setpoint with an "S" signal present.
7. Safety injection pumps start on "S" signal.
8. The RHR pumps start on "S" signal.
9. VCT outlet isolation valves close on "S" signal.

1.2.2 Operator Responses

Assuming the reactor is at full power operation, after a spurious actuation of an SI signal the nuclear power starts decreasing immediately due to boron injection, but steam flow does not decrease until later in the transient when the turbine throttle valve is wide open. The mismatch between load and nuclear power causes Tavg, pressurizer water level, and pressurizer pressure to drop. Without operator intervention, the reactor trips and control rods start moving into the core when the pressurizer pressure reaches the pressurizer low pressure trip setpoint. The reactor is calculated to trip automatically at about 76 seconds after the SI actuation if the SI signal does not cause an automatic reactor trip and the operator does not manually trip the reactor before its automatic trip. Whether or not the reactor is tripped immediately following the SI signal, the operator responses in these two scenarios are very similar. After verifying an SI actuation, the operator will perform the immediate actions according to emergency operating procedure (EOP)-0, Reactor Trip or Safety Injection, summarized as follows:

  • Verify the reactor is tripped. If the reactor is not tripped, then manually trip the reactor.
  • Verify the turbine is tripped. If the turbine is not tripped, then manually trip the turbine.
  • Verify electric power is available to the 4KV essential safety function (ESF) buses.
  • Check SI status. If SI is required, then manually actuate SI if it is not actuated already. If SI is not required, then transfer to procedure ES-0.1 Reactor Trip Response.

In this analysis, with the assumption of a single failure (i.e., spurious SI actuation), once the above four immediate actions are completed the following are the expected statuses:

  • The reactor is tripped.
  • The turbine is tripped.
  • The 4KV ESF buses are energized.
  • The SI actuation is on.

The procedure instruction by which the SI status is determined to be on is shown in Table 1. In this scenario, because the SI equipment is automatically actuated, the operator would not enter the response-not-obtained column.

Table 1 The procedure step of checking SI status

ACTION/EXPECTED RESPONSE
CHECK SI STATUS
a. Check if SI - ACTUATED:
   • Any SI first out annunciator - LIT
   • SI ACTUATED permissive light - LIT
   • SI equipment - AUTOMATICALLY ACTUATED:
     o Either SI pump - RUNNING
     o Either CENT CHG pump to cold leg injection isolation valve - OPEN: 1SI8801A, 1SI8801B

RESPONSE NOT OBTAINED
a. Check if SI is required:
   • PZR pressure less than or equal to 1829 PSIG
   • Steamline pressure less than or equal to 640 PSIG
   • Containment pressure greater than or equal to 3.4 PSIG
   IF SI is required, THEN manually actuate SI.
   IF SI is NOT required, THEN GO TO ES-0.1 REACTOR TRIP RESPONSE, Step 1.
b. Manually actuate SI: 1PM05J, 1PM06J

When the reactor operator (RO) is performing the immediate actions, the shift supervisor (SS), a senior reactor operator, is bringing out the EOP-0 procedure. Once the RO has finished the immediate response actions, the SS interacts with the RO and the auxiliary RO (ARO) to implement EOP-0. They start to implement EOP-0 from Step 1. The first four steps (i.e., immediate response actions) reconfirm the immediate actions performed by the RO.

Because, except for the spurious SI actuation, all components and instruments function as designed and the operator is expected to be familiar with EOP-0, the operating crew is expected to follow the EOP-0 instructions with ease. After manually tripping the reactor, all procedure steps request the operator to check that the key components are automatically responding to the situation as designed, until Step 18, which requires the operator to open a pressurizer isolation (or block) valve. Table 2 provides the procedure instruction of Step 18.

Table 2 The procedure step 18 that instructs establishing a PZR relief path

ACTION/EXPECTED RESPONSE
CHECK PZR PORVS AND SPRAY VALVES
a. PORVs - CLOSED: 1RY455A, 1RY456
b. PORV isolation valves - AT LEAST ONE ENERGIZED
c. PORV relief path - AT LEAST ONE AVAILABLE:
   • PORV in - AUTO
   • Associated isolation valve - OPEN
d. Normal PZR spray valves - CLOSED: 1RY455B, 1RY455C

RESPONSE NOT OBTAINED
a. IF PZR pressure is less than 2315 PSIG, THEN manually close PORVs.
   IF any PORV can NOT be closed, THEN manually or locally close its isolation valve:
     1RY8000A (1RY455A) MCC 131X2B A5 (414 Q11RXB1)
     1RY8000B (1RY456) MCC 132X2 C4 (426 Q11 RXB1)
   IF PORV isol valve can NOT be closed, THEN GO TO 1BEP-1,
b. GO TO Step 18d.
c. Perform the following to establish a PORV relief path for any PORV NOT failed open:
   1. Place the PORV in AUTO.
   2. Open the associated PORV isolation valve.
d. IF PZR pressure is less than 2260 PSIG, THEN manually close spray valve(s).
   IF any spray valve(s) cannot be closed, THEN stop RCP(s) as necessary to stop spray flow: RCP 1D, RCP 1C, RCP 1B, RCP 1A

Because the initial condition is that the pressurizer PORV isolation valves are closed, the operator is expected to identify the statuses of the associated isolation valves (in Step 18.c bullet 2) as not open. This leads the operator to perform the actions in the response-not-obtained column of Step 18.c, which include placing the PORVs in AUTO and opening the associated PORV isolation valve.

1.2.3 Task Analysis

The operator response to this scenario starts with detecting the plant abnormal symptoms triggered by the inadvertent SI actuation. Regardless of whether the operator manually trips the reactor, the EOP-0 procedure will be entered. Within this procedure, the operators' main tasks are to verify that the components and systems automatically respond to the event as designed. The main operator physical actions that intervene in the scenario are opening at least one pressurizer isolation valve (Step 18.c) and resetting SI (Step 27). Both actions are performed within the main control room. Both tasks are simple actions. Opening a pressurizer isolation valve is done by turning the valve control switch to the open position and confirming that the valve status light changed from green to red. Resetting the SI is done by depressing the two SI reset buttons and confirming that the action was successfully performed by verifying that the SI ACTUATED permissive light went off and the AUTO SI BLOCKED permissive light went on.

1.2.4 Relevant Operating Experience

The following event description is from [1]:

On April 17, 2005, at 8:29 a.m., Millstone Unit 3 experienced a reactor trip from 100 percent power following an unexpected A train safety injection (SI) actuation signal and main steam line isolation (MSI). Control room operators entered emergency operating procedure (EOP) E-0, Reactor Trip or Safety Injection, Revision 22, and manually actuated the B train of safety injection within 30 seconds. The first-out annunciator panel indicated that the reactor trip was caused by a Steam Line Pressure Low Isolation SI signal sensed by the solid state protection system (SSPS). The Shift Manager (SM) arrived in the control room approximately five minutes after the reactor trip and assumed Director of Site Operations (DSO) duties. As a result of the MSI signal, the main steam isolation valves (MSIVs) and two of the four main steam line atmospheric dump valves (ADVs) automatically closed. With the closure of the MSIVs, the main steam line safety valves (MSSVs) opened to relieve secondary plant pressure. Control room operators manually actuated the B MSI train in accordance with station procedures. Both motor driven auxiliary feed water (MDAFW) pumps started to maintain steam generator levels. The turbine-driven auxiliary feedwater (TDAFW) pump attempted to start but immediately tripped on overspeed. Operators were dispatched to investigate the cause of the trip. The TDAFW pump trip was subsequently reset and the TDAFW was restarted at 10:19 a.m. At approximately 8:42 a.m., the SM noted that a B MSSV had remained open for an extended period of time.
In consultation with the Unit Supervisor (US) and Shift Technical Advisor (STA), the SM declared an ALERT based on a stuck open MSSV. The crew determined that the stuck open MSSV represented an unisolable steam linebreak outside containment. At 8:45 a.m., due to the addition of the inventory from the SI, the pressurizer reached water solid conditions and the pressurizer PORVs cycled numerous times to relieve reactor coolant system (RCS) pressure and divert the additional RCS inventory to the pressurizer relief tank (PRT). No pressurizer safety valve actuations occurred and the PRT rupture diaphragm remained intact. The control room received reports of substantial leakage in the auxiliary building near the high head safety injection (HHSI) pumps. The leakage was coming from the packing of two valves in the HHSI system alternate minimum flow (AMF) line and was estimated to be approximately 60 gpm. Several hundred gallons spilled onto the auxiliary building floor. At approximately 8:59 a.m., the operating crew transitioned from EOP E-0 to ES-1.1, SI Termination. The SI was reset and the crew terminated safety injection at 9:12 a.m. and normal RCS letdown was re-established at 9:20 a.m. Millstone Unit 3 entered Mode 4 [Hot Shutdown]

at approximately 7:03 p.m. and the ALERT was terminated shortly thereafter. NRC Region I had been in a Monitoring Mode during the event and returned to the Normal Mode at 11:45 p.m.

1.3 HFEs

There are two HFEs identified in this initiating event: (1) open the isolated pressurizer isolation valves (OPERATOR FAILS TO OPEN PORV BLOCK VALVES); and (2) terminate the SI (OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW). The label in the PRA model for the first HFE is OPA-3 and for the second is OPA-1. The expected operator response corresponding to the two HFEs is that the operator enters EOP-0 immediately after the inadvertent SI actuation. At EOP-0 Step 18.c, the operator opens the isolated pressurizer isolation valves. At EOP-0 Step 24.e, the operator transfers to ES-1.1 to terminate the SI. The failure modes of failing to open the pressurizer isolation valves are: (1) the operator is simply slow (thinks slowly and acts slowly) in moving through the procedure; (2) the operator overlooks EOP-0 Step 18; and (3) the operator mistakenly thinks that at least one PORV isolation valve is already open, for reasons such as a wrong valve status detection. These three failure modes have different effects on the reliability of terminating the SI. If the reason the operator does not open the pressurizer isolation valves is slowness in thinking and action, then based on the time available for OPA-3 (15 minutes) and OPA-1 (20 minutes) the operator has little chance to perform OPA-1 in time. If the reason is that the operator overlooks EOP-0 Step 18.c, there is a good chance that the operator may also overlook EOP-0 Step 24.e. If the reason is that the operator mistakenly thinks that a pressurizer isolation valve is already open, this is not expected to affect performing OPA-1. These relations are shown in Figure 1, which is the structure for analyzing the probabilities of OPA-1 and OPA-3.

[Figure 1: decision tree (image not reproduced). Branches: Failure due to overlooking a procedure step? (OPA-3.2), YES/NO; Failure due to incorrect detection of valve status (OPA-3.3), YES/NO; outcomes Terminate SI (OPA-1), Terminate SI (OPA-1.1), Terminate SI (OPA-1.2), Terminate SI (OPA-1.3).]

Figure 1 Failure modes of opening a PZR isolation valve affect the success probability of terminating SI.

Based on the analysis in sections 1.3.1.3.1 to 1.3.1.3.5, the HEPs of OPA-3 are:
HEP(OPA-3) = 3.5E-3
HEP(OPA-3.1) = 0.0
HEP(OPA-3.2) = 3.5E-3
HEP(OPA-3.3) = 0.0

1.3.1 OPERATOR FAILS TO OPEN PORV BLOCK VALVES (OPA-3)

Success criteria: The task has to be completed within 15 minutes from the initiating event.

1.3.1.1 Task Description

The task (OPERATOR FAILS TO OPEN PORV BLOCK VALVES) starts from the operator detecting the plant abnormality, then following EOP-0 to Step 18 and opening at least one isolated pressurizer isolation valve based on Step 18's instruction. The macrocognition discussion based on the overall task is the following:

Detecting the abnormal symptom: the inadvertent actuation of the SI signal causes a number of automatic component status changes related to the containment-A isolation, as identified in section 1.1. These changes will trigger a number of alarms. The automatic start and re-alignment of the centrifugal charging pumps and SI pumps are clear to the operators. The operators are familiar with, and are trained to pay attention to, these component statuses.

Understanding the issue and making a decision on the response plan: Once the SI actuation is detected, EOP-0 is the procedure to enter. Operators are routinely trained on entering and implementing EOP-0. Understanding and decision-making are based on the procedure instructions. The operator's main activity is to follow the procedure instructions to check plant parameter values and component statuses.

Action: The main action is to open a pressurizer isolation valve. This action is performed inside the main control room by turning the control switches of the pressurizer isolation valves from close to open and verifying that the isolation valve status indication light changed from green (closed) to red (open). Another action that the operator may perform at the beginning of the scenario is to manually trip the reactor if the reactor is not automatically tripped by the SI signal. In this case, whether the operator manually trips the reactor makes little difference in the scenario from a safety standpoint, because the reactor will eventually be automatically tripped due to low pressurizer pressure at about 76 seconds [2] after the inadvertent SI actuation.

The key task is to open at least one pressurizer isolation valve as instructed by EOP-0 Step 18. This is a main control room action performed by the RO to perform a simple task either to

This is performed through teamwork between the SS and RO. The SS reads the procedure instruction to direct and monitor the RO performing the task. Once the task is completed, the RO is expected to inform the SS that the task has been performed. The actual physical activity to change the system status is to push a button (or turn a switch) to open the isolation valve.

1.3.1.2 Time Analysis

Two sources are used to assess the operator response time: the Millstone event [1] and the paper published by KAERI [3]. The first source is a real event, and the second source is based on simulator training.

Millstone Event

In the Millstone event, the operator reached EOP-0 Step 16, Verify ECCS Flow, seven minutes after the initiating event (see Table 3). Byron's EOP-0 has the step of verifying ECCS flow at Step 17. Immediately after Step 17, Byron EOP-0 Step 18 instructs opening the pressurizer isolation valves to keep at least one pressurizer PORV path open.
Therefore, overlaying the Millstone event on the Byron procedure, it is estimated that the operator would complete Step 18 (open pressurizer isolation valves) eight minutes after the initiating event.

Table 3 The Millstone event timeline for the response time to the procedure step of checking/opening pressurizer isolation valves

Time (minutes)   Event Description
0                • A Train SSPS Steam Line Pressure Low SI/MSI signal followed by a reactor trip: First Out alarm: Steam Line Pressure Low Isolation SI.
                 • MSIVs closed as expected.
                 • 3 MSS-PV20A&C, Atmospheric Dump Valves (ASDVs) open.
                 • 3 MSS-PV20B&D received closed signals via MSI. (1/2 of ASDVs shut on 1/2 MSI.)
                 • B S/G Safety opens.
                 • The control room crew entered E-0 Reactor Trip/SI emergency response procedure.
                 • At step 4 the crew initiated train B SI.
                 • Terry Turbine steam supplies open and Terry Turbine trips 3 seconds later.
7                At EOP-0 Step 16 Verify ECCS Flow. Crew performed a debrief of the situation. The crew reinforced to the entire control staff that there was no Terry Turbine Aux Feed flow, B S/G Safety was still open and manual initiation of both trains SI was required. Dispatched a PEO to the Terry Turbine who verified that it was not running. Found V5 unlatched and shut. Mech Trip tappet was NOT in overspeed condition. (Crew continues to evaluate plant conditions, thought stuck S/G Safety caused SI.)
11               Pressurizer PORVs commence cycling at RCS pressure of 2350#.

KAERI Simulator Analysis

The operator normal response time is based on [3], which is based on Korean crews responding to a steam generator tube rupture (SGTR) scenario. The Korean crew structure and procedures are similar to those of the Byron nuclear power plant. Without Byron plant-specific data, the data in [3] are considered a good approximation. The time data in [3] are reproduced in Table 4.

Table 4 The time data collected in operator simulator training by KAERI [3]

Task ID   Task Description                                        Time(1) (sec)   SD(2) (sec)   Procedure Steps(3)
1         Confirming immediate responses after reactor trip       41.9            25.5          1 to 4
2         Confirming the isolation of essential valves            12.0            2.9           5 to 6
3         Confirming the operation of essential pumps             17.9            5.6           7 to 10
4         Verifying containment status                            33.9            22.3          11 to 14
5         Verifying the delivery of SI and AFW flow               55.4            27.8          15 to 18
6         Verifying the status of RCS heat removal                38.9            16.0          19 to 21
7         Entering E-3 procedure according to the status of SGs   34.7            16.3          22 to 23

(1) Averaged task performance time in seconds. (2) Standard deviation in seconds. (3) Based on the EOP-0 of the Korean nuclear power plant.

Discussion

In the Millstone event, the operator took about eight minutes (240 seconds) to reach the procedure step of checking that at least one PZR isolation path is open. In the KAERI simulator data, the mean time to reach the same step is about 270 seconds with a standard deviation of 100.1 seconds.
The numbers are consistent with the Millstone event (eight minutes or 240 seconds).

1.3.1.3 HEP Calculation

The HEP calculation is performed by the analysis of time. This is typically based on time data collected from simulator exercises. For time data collected from simulator exercises whose scenarios are single-failure, textbook-type scenarios, the time data are compared with the time available to check the probability of human failure due simply to insufficient time, without other complications. In most cases, the time available is expected to be sufficient. In this situation, HRA methods are used to calculate the HEPs. In this analysis, the SPAR-H [4] and NARA [5] methods are used. The final HEP is the average of the HEPs calculated by these two methods.

1.3.1.3.1 Overall HEP

SPAR-H

SPAR-H uses eight performance shaping factors (PSFs) to calculate the HEPs of diagnosis and action. The task HEP is the sum of the diagnosis HEP and the action HEP. The following discusses the statuses of the eight PSFs for diagnosis and action.

Available Time: The available time is 15 minutes. The mean time, including diagnosis and action, is 270 seconds (4.5 minutes). Based on SPAR-H's classification, the status of the PSF available time is nominal time.

Stress/Stressors: The stress level is determined as nominal because all the operator activities are within EOP-0 and there is no surprise, except that the SI actuation may not trip the reactor automatically.

Complexity: For diagnosis, the complexity is determined as nominal because the diagnosis is performed by following EOP-0. For action, turning a switch from close to open is a simple task; the status is nominal.

Experience/Training: For diagnosis, this is determined as nominal because the inadvertent SI actuation is not a routinely trained scenario. For action, turning a switch from close to open is straightforward for the operator.

Procedures: For diagnosis, the EOP is a diagnosis/symptom-oriented procedure; the status is high. For action, the procedure instruction is clear; the status is nominal.

Ergonomics/HMI, Fitness for Duty, and Work Processes: Their statuses are nominal.

Table 4 shows the PSF statuses and their HEP modification factors.

PSF                   Diagnosis status              Multiplier   Action status   Multiplier
Available Time        Nominal time                  1            Nominal time    1
Stress/Stressors      Nominal                       1            Nominal         1
Complexity            Nominal                       1            Nominal         1
Experience/Training   Nominal                       1            High            0.5
Procedures            Diagnostic/symptom oriented   0.5          Nominal         1
Ergonomics/HMI        Nominal                       1            Nominal         1
Fitness for Duty      Nominal                       1            Nominal         1
Work Processes        Nominal                       1            Nominal         1

Therefore, the HEP = 0.01 × 0.5 + 0.001 × 0.5 = 0.0055.

NARA

The NARA calculates the HEP by mapping the task under analysis to the generic task types (GTTs) of NARA. Each GTT has a base HEP value. The final HEP is the base HEP multiplied by the multipliers of the NARA PSFs applied to the task. NARA's PSFs only have negative effects on the HEP (i.e., they increase the HEP value).

The following two GTTs are identified as corresponding to the diagnosis and action portions of the HFE OPERATOR FAILS TO OPEN PORV BLOCK VALVES:

Diagnosis: Simple response to a key alarm within a range of alarms/indications providing clear indication of the situation (simple diagnosis required). Response might be direct execution of simple actions or initiating other actions separately assessed. The base HEP is 0.0004.

Action: Carry out simple single manual action with feedback. Skill-based and therefore not necessarily with procedure. The base HEP is 0.006.

No negative NARA PSFs are applicable to the HFE. Therefore, the HEP = 0.0004 + 0.006 = 0.0064.

The average HEP of SPAR-H and NARA is used for the final HEP. The final HEP = (0.0055 + 0.0064)/2 = 6.0E-3.

1.3.1.3.2 HEP due to Slow

Using the time data discussed in section 1.3.1.2, a normal distribution with a mean of 270 seconds and a standard deviation of 100 seconds, and a time window of 15 minutes (900 seconds), the failure probability for a normal operating crew failing to open the pressurizer isolation valve simply due to slow thinking and action is negligible.
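The SPAR-H, NARA and time-sufficiency arithmetic of sections 1.3.1.3.1 and 1.3.1.3.2, carried through in Python as an added example (not part of the original analysis). The SPAR-H nominal HEPs (1E-2 diagnosis, 1E-3 action) are the method's values already visible in the page's own equation; the function and PSF key names are this example's own, and the OPA-1 time figures from section 1.3.2.1.3 (354.7 s, 116.4 s, 1200 s) are run through the same exceedance check to show it generalizes.

```python
import math

# SPAR-H nominal HEPs: 1E-2 for diagnosis, 1E-3 for action (the method's values,
# as used in the page's equation 0.01 x 0.5 + 0.001 x 0.5).
SPARH_NOMINAL_DIAGNOSIS = 0.01
SPARH_NOMINAL_ACTION = 0.001

# Table 4 multipliers for OPA-3; every PSF not marked 0.5 is nominal (1).
OPA3_DIAGNOSIS_PSFS = {
    "available_time": 1, "stress": 1, "complexity": 1, "experience_training": 1,
    "procedures": 0.5,  # diagnostic/symptom-oriented EOP
    "ergonomics_hmi": 1, "fitness_for_duty": 1, "work_processes": 1,
}
OPA3_ACTION_PSFS = {
    "available_time": 1, "stress": 1, "complexity": 1,
    "experience_training": 0.5,  # turning a switch is well practised
    "procedures": 1, "ergonomics_hmi": 1, "fitness_for_duty": 1, "work_processes": 1,
}


def sparh_hep(diagnosis_psfs, action_psfs):
    """Task HEP = diagnosis HEP + action HEP, each the nominal HEP times the product
    of its PSF multipliers.  SPAR-H's separate adjustment formula for three or more
    negative PSFs is not needed here: no multiplier in this analysis exceeds 1."""
    if any(m > 1 for m in (*diagnosis_psfs.values(), *action_psfs.values())):
        raise ValueError("negative PSFs present; apply the SPAR-H adjustment formula")
    diagnosis = SPARH_NOMINAL_DIAGNOSIS * math.prod(diagnosis_psfs.values())
    action = SPARH_NOMINAL_ACTION * math.prod(action_psfs.values())
    return diagnosis + action


def nara_hep(gtt_base_heps):
    """NARA as applied in the text: the base HEPs of the GTTs chosen for the
    diagnosis and action portions are summed; no negative NARA PSF applies,
    so no multiplier is involved."""
    return sum(gtt_base_heps)


def p_exceeds_window(mean_s, sd_s, window_s):
    """P(T > window) when the completion time T is modelled as Normal(mean, sd):
    the 'HEP due to slow' of section 1.3.1.3.2.  erfc is used so that very small
    tails are computed without the cancellation of 1 - CDF."""
    z = (window_s - mean_s) / sd_s
    return 0.5 * math.erfc(z / math.sqrt(2))


def average_of_methods(*heps):
    """The analysis combines method estimates by simple averaging."""
    return sum(heps) / len(heps)


def opa3_overall():
    """Reproduce section 1.3.1.3.1: SPAR-H 5.5E-3, NARA 6.4E-3, final ~6.0E-3."""
    sparh = sparh_hep(OPA3_DIAGNOSIS_PSFS, OPA3_ACTION_PSFS)
    nara = nara_hep([0.0004, 0.006])  # GTT base HEPs quoted in the text
    return {"sparh": sparh, "nara": nara, "final": average_of_methods(sparh, nara)}


def opa3_total_hep():
    """Section 1.3.1.3.5: average the rounded overall HEP (6.0E-3) with the sum of
    the failure-mode HEPs (negligible + 1E-3 + negligible) to get 3.5E-3."""
    overall = round(opa3_overall()["final"], 3)
    failure_modes = [0.0, 1e-3, 0.0]  # slow, skipped step 18.c, misread indication
    return average_of_methods(overall, sum(failure_modes))


if __name__ == "__main__":
    r = opa3_overall()
    print(f"SPAR-H {r['sparh']:.4f}  NARA {r['nara']:.4f}  final {r['final']:.2e}")
    print(f"total HEP after failure-mode averaging {opa3_total_hep():.2e}")
    # Time-sufficiency checks: OPA-3 (270 s, 100 s, 900 s) and OPA-1 (354.7 s, 116.4 s, 1200 s)
    print(f"P(slow) OPA-3 {p_exceeds_window(270, 100, 900):.1e}")
    print(f"P(slow) OPA-1 {p_exceeds_window(354.7, 116.4, 1200):.1e}")
```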

Conclusion: Probability(OPA-3.1) = 0.0.

1.3.1.3.3 HEP Due to skip the EOP-18 Step 18.c

Among the available HRA methods, EPRI's Cause-Based Decision Tree (CBDT) [6] method and the THERP [7] method are the two published HRA methods that calculate failure probabilities specific to certain error modes (or error mechanisms). (The IDHEAS-at-power method calculates this probability, but the method has not been published in the public domain.) These two methods are used to estimate the HEP due to certain error modes.

Figure 2 CBDT's decision tree on skipping an important procedure step

Figure 3 THERP table in estimating the probability of skipping a key procedure step

Discussion

THERP and CBDT provide a consistent estimate of a 0.001 probability of skipping the EOP-0 Step 18.c.

1.3.1.3.4 HEP due to misread the PZR isolation valve indication

In CBDT, two failure mechanisms apply to this case: (1) data not attended to (i.e., the data is available but the operator fails to check for the information); and (2) data misread. The decision trees of these two failure mechanisms are shown in Figures 2 and 3. THERP's relevant failure mechanism is that the operator incorrectly reads a wrong indication. The estimated failure probabilities are shown in Figure 5.

Discussion

Based on the considered factors, CBDT would estimate the failure probability (OPA-3.3) as negligible. THERP's estimate is between negligible and 0.0005.

Figure 4 CBDT's decision tree on data not attended to

Figure 5 The decision tree used to calculate the misread failure probability in the CBDT method

Figure 6 THERP's table relevant to misreading the PZR isolation valve status indication

1.3.1.3.5 Failure Modes and Fail Probability Discussion

The following is a summary of the HEP estimates of sections 1.3.1.3.1 to 1.3.1.3.4:

The general failure probability is 6.0E-3 (section 1.3.1.3.1).
The failure probability due to thinking slowly and acting slowly is negligible (section 1.3.1.3.2).
The failure probability due to skipping EOP-0 Step 18.c is 1E-3 (section 1.3.1.3.3).
The failure probability due to incorrectly detecting the PZR isolation valve status is negligible, assuming no indication failure (section 1.3.1.3.4).

Because there is a difference between the overall HEP (6E-3) and the sum of all failure-mode HEPs (1E-3), this analysis averages the two. This concludes that the total HEP is 3.5E-3. All of the failure is due to skipping the EOP-0 Step 18.c.

1.3.2 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1)

The task OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW starts from the pressurizer isolation valves having been opened or not opened as instructed at EOP-0 Step 18, and ends at the resetting of SI as instructed by EOP-0 Step 27. OPA-1 is further divided into the following two classes:

OPA-1: This assumes that the operator successfully opened the pressurizer isolation valves.
OPA-1.2: This assumes that the operator failed to open the pressurizer isolation valves due to overlooking EOP-0 Step 18.c.

1.3.2.1 OPA-1

1.3.2.1.1 Task Description

OPA-1 starts with the operators having successfully opened the pressurizer isolation valves (in EOP-0 Step 18). To succeed in OPA-1A, the operator is expected to continue EOP-0 to Step 24.e, Go To ES-1.1 SI Termination Step 1. ES-1.1 Step 1 instructs the operator to depress both SI reset buttons to reset the SI and to verify completion of the task by checking that the SI ACTUATED permissive light is off and the AUTO SI BLOCKED permissive light is on. At the beginning of this task, the operating crew is already in EOP-0, and the operator continues following it. Between Step 18 and Step 24, the potential procedure-following deviations are transferring to EOP-2 Faulted Steam Generator Isolation, EOP-3 Steam Generator Tube Rupture, or EOP-1 Loss of Reactor or Secondary Coolant.

1.3.2.1.2 Time Analysis

The time estimation is based on the KAERI time data shown in Table 2. The seven task IDs shown in Table 2 cover EOP-0 up to the point where SGTR is checked. To reach Step 24.e, the operator needs to check whether this is a LOCA event. Two minutes (with a standard deviation of zero) are added to cover the time to check the LOCA symptoms and transfer to ES-1.1 to reset SI. Therefore, the total time for OPA-1A has a mean of 354.7 seconds and a standard deviation of 116.4 seconds.

1.3.2.1.3 HEP Calculation

Time Sufficiency Check

With a mean time of 354.7 seconds, a standard deviation of 116.4 seconds, and an available time window of 20 minutes (1200 seconds), the human failure probability simply due to time insufficiency is negligible.

SPAR-H

The SPAR-H method uses eight performance shaping factors (PSFs) to calculate the HEPs of diagnosis and action. The task HEP is the sum of the diagnosis HEP and the action HEP. The following discusses the statuses of the eight performance shaping factors for diagnosis and action.

Available Time: The available time is 20 minutes. The mean time, including diagnosis and action, is 354 seconds (5.9 minutes). Based on SPAR-H's classification, the status of the PSF available time is nominal time.

Stress/Stressors: The stress level is determined as nominal because there is no immediate safety concern to the operators.

Complexity: For diagnosis, the complexity is determined as nominal. The operators have to successfully conclude that the event is not an MSLB, SGTR, or LOCA event. The indications are expected to be clear enough to reach that conclusion.

Experience/Training: For diagnosis, this is determined as nominal. Even though the operator is routinely trained on diagnosing MSLB, SGTR, and LOCA events, having to rule out all of them successfully makes the determination nominal instead of high. For action, depressing the SI reset buttons is straightforward to the operator.

Procedures: For diagnosis, the EOP is a diagnosis/symptom-oriented procedure. The status is high. For action, the procedure instruction is clear. The status is nominal.

Ergonomics/HMI, Fitness for Duty, and Work Processes: Their statuses are nominal.

Table 5 shows the PSF statuses and their HEP multipliers.

Table 5 PSF statuses and multipliers for OPA-1

PSF | Diagnosis status | Multiplier | Action status | Multiplier
Available Time | Nominal time | 1 | Nominal time | 1
Stress/Stressors | Nominal | 1 | Nominal | 1
Complexity | Nominal | 1 | Nominal | 1
Experience/Training | Nominal | 1 | High | 0.5
Procedures | Diagnostic/symptom oriented | 0.5 | Nominal | 1
Ergonomics/HMI | Nominal | 1 | Nominal | 1
Fitness for Duty | Nominal | 1 | Nominal | 1
Work Processes | Nominal | 1 | Nominal | 1

Therefore, the HEP = 0.01 × 0.5 + 0.001 × 0.5 = 0.0055.

NARA

The following two GTTs are identified as corresponding to the diagnosis and action portions of the HFE of OPA-1A:

Diagnosis: Judgement needed for appropriate procedure to be followed, based on interpretation of alarms/indications, situation covered by training at appropriate intervals. The base HEP is 0.01.

Action: Carry out simple single manual action with feedback. Skill-based and therefore not necessarily with procedure. The base HEP is 0.006.

No negative NARA PSFs are applicable to the HFE. Therefore, the HEP = 0.01 + 0.006 = 0.016.

The reason for including the GTT "Judgement needed for appropriate procedure to be followed, based on interpretation of alarms/indications, situation covered by training at appropriate intervals" is that after opening the pressurizer isolation valves, the procedure instructs the operator to check the symptoms of SGTR, MSLB, and LOCA in order to enter the corresponding procedures. The operator has routine simulator training on these events. Determining not to enter these procedures poses a cognitive challenge similar to entering them.

CBDT

CBDT is used because of the significant difference between the SPAR-H (5.5E-3) and NARA (1.6E-2) estimates. The following are the error probabilities of the eight CBDT error mechanisms:

HEP(Data not available) = negligible
HEP(Data not attended to) = negligible
HEP(Data misread or miscommunicated) = negligible
HEP(Information misleading) = negligible
HEP(Relevant step in procedure missed) = 0.002
HEP(Misinterpret instruction) = negligible
HEP(Error in interpreting logic) = 0.0003
HEP(Deliberate violation) = negligible

Therefore, CBDT estimates an HEP of 2.3E-3.

Discussion

Based on the following HEP estimates:

SPAR-H: 5.5E-3
NARA: 1.6E-2
CBDT: 2.3E-3

The NARA estimate is considered an overestimate. Therefore, only the SPAR-H and CBDT estimates are used. The average of the SPAR-H and CBDT HEPs is used for the final HEP. The final HEP = (0.0055 + 0.0023)/2 = 3.9E-3.

1.3.2.2 OPA-1.2

1.3.2.2.1 Task Description

OPA-1.2 is performing SI termination in the condition that the operator omitted EOP-0 Step 18.c to open at least one pressurizer isolation valve.

1.3.2.2.2 Time Analysis

Millstone Event [1]

The Millstone inadvertent SI actuation event shows that the time an operator would take to perform a diagnosis depends strongly on context. Table 5 shows the relevant timeline of the Millstone event and the corresponding EOP-0 steps of Millstone and Byron. Table 5 implies that the Millstone operator took four minutes to complete the diagnosis of "not an SGTR event". Compared to the average 34.7 seconds observed in KAERI's simulator data [3], the time required is significantly different. This is due to the other component failures (e.g., B SG safety valve stuck open) and the complications due to scenario evolution (e.g., the pressurizer became water solid).

Table 5 The diagnosis timeline of entering ES-1.1 to reset SI in the Millstone event

Time | Event Description | EOP-0 Step
0829 | The initiating event occurred. |
0850 | The crew decided not to make an E-2 transition based upon SI termination priority and no uncontrolled S/G pressure decrease. (Discussion occurred between US and SM. Did not meet E-2 entry conditions.) | Millstone - 25; Byron - 21
0854 | Determined no S/G tube rupture based on no adverse S/G level trend. | Millstone - 26; Byron - 22

Based on the failure mode that the operator fails to open a pressurizer isolation valve due to overlooking EOP-0 Step 18.c, it is expected that the operator will proceed to Step 24.e within 10 minutes. This estimate is based on the simulator time data in [3]. Until this time, no scenario complication is expected. Therefore, the operator is expected to reach EOP-0 Step 24.e to transfer to ES-1.1 Step 1 to terminate SI without scenario complication.

1.3.2.2.3 HEP Calculation

The independent HEP of OPA-1.2 is the same as that of OPA-1, 3.9E-3. However, because the operator erroneously omitted the step of opening a pressurizer isolation valve, there could be dependency in omitting the step of terminating SI. Based on the dependency model presented in the NUREG-1921 Fire HRA (Figure 7), the dependency level is high dependency (Sequence 8 of Figure 7). This changes the HEP to about 0.5.

Figure 7 The NUREG-1921 dependency model

References:

1. Millstone Power Station Unit 3 - NRC Special Inspection Report 05000423/2005012.
2. Byron Nuclear Power Station, Updated Final Safety Analysis Report, Chapter 15.6.
3. Park, J. and Jung, W., "A study on the development of a task complexity measure for emergency operating procedures of nuclear power plants," Reliability Engineering and System Safety, 92 (2007), 1102-1116.
4. Gertman, D., Blackman, H., Marble, J., Byers, J., and Smith, C., The SPAR-H Human Reliability Analysis Method, NUREG/CR-6883, 2005.
5. Kirwan, B., Gibson, H., Kennedy, R., Edmunds, J., Cooksley, G., and Umbers, I. (2004), "Nuclear Action Reliability Assessment (NARA): A data-based HRA tool," in Probabilistic Safety Assessment and Management 2004, Spitzer, C., Schmocker, U., and Dang, V.N. (Eds.), London, Springer, pp. 1206-1211.
6. Parry, G., Lydell, B., Spurgin, A., Moieni, P., and Beare, A., An approach to the analysis of operator actions in probabilistic risk assessment, EPRI TR-100259, June 1992.
7. Swain, A. and Guttmann, H., Handbook of human reliability analysis with emphasis on nuclear power plant applications, U.S. NRC NUREG/CR-1278, 1983.

1 Spurious Safety Injection .......... 2
1.1 Results Summary .......... 2
1.2 Scenario Analysis and Operational Narrative .......... 3
1.2.1 Component Responses .......... 3
1.2.2 Operator Responses .......... 4
1.2.3 Task Analysis .......... 6
1.2.4 Relevant Operating Experience .......... 7
1.3 HFEs .......... 8
1.3.1 OPERATOR FAILS TO OPEN PORV BLOCK VALVES (OPA-3) .......... 9
1.3.1.1 Task Description .......... 9
1.3.1.2 Time Analysis .......... 10
1.3.1.3 HEP Calculation .......... 11
1.3.1.3.1 Overall HEP .......... 12
1.3.1.3.2 HEP due to Slow .......... 13
1.3.1.3.3 HEP Due to skip the EOP-18 Step 18.c .......... 13
1.3.1.3.4 HEP due to misread the PZR isolation valve indication .......... 15
1.3.1.3.5 Failure Modes and Fail Probability Discussion .......... 16
1.3.2 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1) .......... 17
1.3.2.1 OPA-1 .......... 17
1.3.2.1.1 Task Description .......... 17
1.3.2.1.2 Time Analysis .......... 17
1.3.2.1.3 HEP Calculation .......... 17
1.3.2.2 OPA-1.2 .......... 19
1.3.2.2.1 Task Description .......... 19
1.3.2.2.2 Time Analysis .......... 20
1.3.2.2.3 HEP Calculation .......... 20

1 Spurious Safety Injection

Subject of interest: The probability that the operator does not open at least one pressurizer isolation (a.k.a. block) valve in time, leading to a water-solid pressurizer and passing of RCS water through a pressurizer safety relief valve, all following a spurious safety injection (SI) occurring at full power operation.

1.1 Results Summary

The spurious SI actuation scenario includes two HFEs of interest: opening a pressurizer isolation valve (when both PORVs are unavailable at the start of the accident) and terminating the SI. The failure to open a pressurizer isolation valve is further analyzed for its failure modes. Three potential failure modes are identified and analyzed as shown in the figure below.

[Figure: failure modes of opening a PZR isolation valve (OPA-3, OPA-3.1, OPA-3.2, OPA-3.3, the last being failure due to incorrectly detecting valve status) and the corresponding SI termination tasks (OPA-1, OPA-1.1, OPA-1.2, OPA-1.3). HEP for failing to open at least one pressurizer isolation valve: OPA-3 3.5E-3, OPA-3.1 negligible, OPA-3.2 3.5E-3, OPA-3.3 negligible. HEP for failing to terminate SI: OPA-1 3.9E-3, OPA-1.1 N/A, OPA-1.2 0.5, OPA-1.3 N/A.]

1.2 Scenario Analysis and Operational Narrative

1.2.1 Component Responses

The B/B-UFSAR states: A spurious (SI) signal initiated after the logic circuitry in one solid-state protection system train for any of the following engineered safety feature (ESF) functions could cause this incident by actuating the ESF equipment associated with the affected train.

a. High containment pressure,
b. Low pressurizer pressure, or
c. Low steamline pressure.

Following the actuation signal, the suction of the coolant charging pumps diverts from the volume control tank to the refueling water storage tank. Simultaneously, the valves isolating the charging pumps from the injection header automatically open and the normal charging line isolation valves close. The charging pumps force the borated water from the refueling water storage tank (RWST) through the pump discharge header, the injection line, and into the cold leg of each loop. The passive accumulator tank safety injection and low head system are available. However, they do not provide flow when the reactor coolant system (RCS) is at normal pressure. A safety injection (SI) signal normally results in a direct reactor trip and a turbine trip. However, any single fault that actuates the ECCS will not necessarily produce a reactor trip. If an SI signal generates a reactor trip, the operator should determine if the signal is spurious. If the SI signal is determined to be spurious, the operator should terminate SI and maintain the plant in the hot-standby condition as determined by appropriate recovery procedures. If repair of the ESF actuation system instrumentation is necessary, future plant operation will be in accordance with the Technical Specifications. If the SI results in discharge of coolant through the pressurizer safety relief valves, the operators will bring the plant to cold shutdown in order to inspect the valves. If the reactor protection system does not produce an immediate trip as a result of the spurious SI signal, the reactor experiences a negative reactivity excursion due to the injected boron, which causes a decrease in reactor power. The power mismatch causes a drop in Tavg and consequent coolant shrinkage. The pressurizer pressure and water level decrease. Load decreases due to the effect of reduced steam pressure on load after the turbine throttle valve is fully open. 
If automatic rod control is used, these effects will lessen until the rods have moved out of the core. The transient is eventually terminated by the reactor protection system low pressurizer pressure trip or by manual trip. The time to trip is affected by initial operating conditions. These initial conditions include the core burnup history, which affects initial boron concentration, rate of change of boron concentration, and Doppler and moderator coefficients. After the actuation of an SI signal, regardless of how the SI signal is actuated, the following ECCS actions are designed to take place because of interlocks with the SI signal:


1. Centrifugal charging pumps start on "S" signal.
2. RWST suction valves to the charging pumps open on "S" signal.
3. Safety injection containment isolation valves open on "S" signal.
4. Normal charging path valves close on "S" signal.
5. Charging pump miniflow isolation valves CV8110 and CV8111 close on "S" signal, concurrent with LO-2 RWST level.
6. Charging pump miniflow isolation valves CV8114 and CV8116 close on low RCS pressure in conjunction with an "S" signal. These valves open to protect the pump should the RCS pressure increase above the open setpoint with an "S" signal present.
7. Safety injection pumps start on "S" signal.
8. The RHR pumps start on "S" signal.
9. VCT outlet isolation valves close on "S" signal.

1.2.2 Operator Responses

Assuming the reactor is at full power operation, after a spurious actuation of an SI signal without the expected accompanying reactor trip, the nuclear power starts decreasing immediately due to boron injection, but steam flow does not decrease until later in the transient, when the turbine throttle valve is wide open. The mismatch between load and nuclear power causes Tavg, pressurizer water level, and pressurizer pressure to drop. Without operator intervention, the reactor trips and the control rods start moving into the core when the pressurizer pressure reaches the pressurizer low pressure trip setpoint. In the Chapter 15 safety analysis, the reactor is calculated to trip automatically at about 76 seconds after the SI actuation if the SI signal does not cause an automatic reactor trip and the operator does not manually trip the reactor before the automatic trip.

Whether or not the reactor is tripped immediately following the SI signal, the operator responses in these two scenarios are very similar. After verifying an SI actuation, the operator will perform the immediate actions according to the emergency operating procedure EOP-0, Reactor Trip or Safety Injection, which are summarized as follows:

1. Verify the reactor is tripped. If the reactor is not tripped, then manually trip the reactor.
2. Verify the turbine is tripped. If the turbine is not tripped, then manually trip the turbine.
3. Verify electric power is available to the 4KV essential safety function (ESF) buses.
4. Check SI status. If SI is required, then manually actuate SI if it is not actuated already. If SI is not required, then transfer to procedure ES-0.1 Reactor Trip Response.

In this analysis, with the assumption of a single failure (i.e., spurious SI actuation), once the above four immediate actions are completed the following is the expected status:

The reactor is tripped.
The turbine is tripped.
The 4KV ESF buses are energized.
SI is actuated.

The SI status is determined via the procedure instruction as shown in Table 1. In this scenario, because the SI equipment is automatically actuated, the operator would not enter the "response not obtained" column.

Table 1 The procedure step of checking SI status

ACTION/EXPECTED RESPONSE | RESPONSE NOT OBTAINED
CHECK SI STATUS |
a. Check if SI - ACTUATED: Any SI first out annunciator - LIT; SI ACTUATED permissive light - LIT; SI equipment - AUTOMATICALLY ACTUATED: either SI pump - RUNNING; either CENT CHG pump to cold leg injection isolation valve - OPEN: 1SI8801A, 1SI8801B | a. Check if SI is required: PZR pressure less than or equal to 1829 PSIG; Steamline pressure less than or equal to 640 PSIG; Containment pressure greater than or equal to 3.4 PSIG. IF SI is required, THEN manually actuate SI. IF SI is NOT required, THEN GO TO ES-0.1 REACTOR TRIP RESPONSE, Step 1.
b. Manually actuate SI: 1PM05J, 1PM06J |

When the reactor operator (RO) is performing the immediate actions, the shift supervisor (SS), a senior reactor operator, is bringing out the EOP-0 procedure. Once the RO has finished the immediate response actions, the SS interacts with the RO and the auxiliary RO (ARO) to implement EOP-0. They start to implement EOP-0 from Step 1. The first four steps (i.e., the immediate response actions) reconfirm the immediate actions performed by the RO.

Because all components and instruments other than the spuriously actuated SI are functioning as designed, and the operator is expected to be familiar with EOP-0, the operating crew is expected to follow the EOP-0 instructions with ease. After manually tripping the reactor, all procedure steps ask the operator to check that the key components are automatically responding to the situation as designed, until Step 18, which requires the operator to open a pressurizer isolation (or block) valve if neither PORV is available. Table 2 provides the procedure instruction of Step 18.

Table 2 The procedure step 18 that instructs establishing a PZR relief path

ACTION/EXPECTED RESPONSE | RESPONSE NOT OBTAINED
CHECK PZR PORVS AND SPRAY VALVES |
a. PORVs - CLOSED: 1RY455A, 1RY456 | a. IF PZR pressure is less than 2315 PSIG, THEN manually close PORVs. IF any PORV can NOT be closed, THEN manually or locally close its isolation valve: 1RY8000A (1RY455A) MCC 131X2B A5 (414 Q11RXB1); 1RY8000B (1RY456) MCC 132X2 C4 (426 Q11 RXB1). IF PORV isol valve can NOT be closed, THEN GO TO 1BEP-1.
b. PORV isolation valves - AT LEAST ONE ENERGIZED | b. GO TO Step 18d.
c. PORV relief path - AT LEAST ONE AVAILABLE: PORV in - AUTO; Associated isolation valve - OPEN | c. Perform the following to establish a PORV relief path for any PORV NOT failed open: 1. Place the PORV in AUTO. 2. Open the associated PORV isolation valve.
d. Normal PZR spray valves - CLOSED: 1RY455B, 1RY455C | d. IF PZR pressure is less than 2260 PSIG, THEN manually close spray valve(s). IF any spray valve(s) cannot be closed, THEN stop RCP(s) as necessary to stop spray flow: RCP 1D, RCP 1C, RCP 1B, RCP 1A.

In cases where the initial condition is that the pressurizer PORV isolation valves are closed, the operator is expected to identify the statuses of the associated isolation valves (in Step 18.c, bullet 2) as not open. This leads the operator to perform the actions in the response-not-obtained column of Step 18.c, which include placing the PORVs in AUTO and opening the associated PORV isolation valve.

1.2.3 Task Analysis

The operator response to this scenario starts with detecting the plant abnormal symptoms triggered by the inadvertent SI actuation. Regardless of whether the operator manually trips the reactor, the EOP-0 procedure will be entered. Within this procedure, the operators' main tasks are to verify that the components and systems are automatically responding to the event as designed. The main operator physical actions are opening at least one pressurizer isolation valve (Step 18.c) and resetting SI (Step 27). Both actions are performed within the main control room. Both tasks are simple actions. Opening a pressurizer isolation valve is performed by turning the valve control switch to the open position and confirming that the valve status light

changed from green to red. Resetting the SI is performed by depressing the two SI reset buttons and confirming that the action is successfully performed by verifying that the SI ACTUATED permissive light went off and the AUTO SI BLOCKED permissive light went on.

1.2.4 Relevant Operating Experience

The following event description is from [1]:

On April 17, 2005, at 8:29 a.m., Millstone Unit 3 experienced a reactor trip from 100 percent power following an unexpected A train safety injection (SI) actuation signal and main steam line isolation (MSI). Control room operators entered emergency operating procedure (EOP) E-0, Reactor Trip or Safety Injection, Revision 22, and manually actuated the B train of safety injection within 30 seconds. The first-out annunciator panel indicated that the reactor trip was caused by a Steam Line Pressure Low Isolation SI signal sensed by the solid state protection system (SSPS). The Shift Manager (SM) arrived in the control room approximately five minutes after the reactor trip and assumed Director of Site Operations (DSO) duties.

As a result of the MSI signal, the main steam isolation valves (MSIVs) and two of the four main steam line atmospheric dump valves (ADVs) automatically closed. With the closure of the MSIVs, the main steam line safety valves (MSSVs) opened to relieve secondary plant pressure. Control room operators manually actuated the B MSI train in accordance with station procedures. Both motor driven auxiliary feed water (MDAFW) pumps started to maintain steam generator levels. The turbine-driven auxiliary feedwater (TDAFW) pump attempted to start but immediately tripped on overspeed. Operators were dispatched to investigate the cause of the trip. The TDAFW pump trip was subsequently reset and the TDAFW was restarted at 10:19 a.m.

At approximately 8:42 a.m., the SM noted that a B MSSV had remained opened for an extended period of time. In consultation with the Unit Supervisor (US) and Shift Technical Advisor (STA), the SM declared an ALERT based on a stuck open MSSV. The crew determined that the stuck open MSSV represented an unisolable steam line break outside containment. At 8:45 a.m., due to the addition of the inventory from the SI, the pressurizer reached water solid conditions and the pressurizer PORVs cycled numerous times to relieve reactor coolant system (RCS) pressure and divert the additional RCS inventory to the pressurizer relief tank (PRT). No pressurizer safety valve actuations occurred and the PRT rupture diaphragm remained intact. The control room received reports of substantial leakage in the auxiliary building near the high head safety injection (HHSI) pumps. The leakage was coming from the packing of two valves in the HHSI system alternate minimum flow (AMF) line and was estimated to be approximately 60 gpm. Several hundred gallons spilled onto the auxiliary building floor. At approximately 8:59 a.m., the operating crew transitioned from EOP E-0 to ES-1.1, SI Termination. The SI was reset and the crew terminated safety injection at 9:12 a.m. and normal RCS letdown was re-established at 9:20 a.m. Millstone Unit 3 entered Mode 4 [Hot Shutdown]

at approximately 7:03 p.m. and the ALERT was terminated shortly thereafter. NRC Region I had been in a "Monitoring Mode" during the event and returned to the Normal Mode at 11:45 p.m.

1.3 HFEs

There are two HFEs identified in this initiating event: (1) open the isolated pressurizer isolation valves (OPERATOR FAILS TO OPEN PORV BLOCK VALVES); and (2) terminate the SI (OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW). The labels in the PRA model are OPA-3 for the first HFE and OPA-1 for the second. The expected operator response corresponding to the two HFEs is that the operator enters EOP-0 immediately after the inadvertent SI actuation. At EOP-0 Step 18.c, the operator opens the isolated pressurizer isolation valves. At EOP-0 Step 24.e, the operator transfers to ES-1.1 to terminate the SI.

The failure modes of failing to open the pressurizer isolation valves that are considered are: (1) the operator is simply slow (thinks slowly and acts slowly) in moving through the procedure; (2) the operator overlooks EOP-0 Step 18; and (3) the operator mistakenly thinks that at least one PORV isolation valve is already open, for reasons such as a wrong valve status indication. These three failure modes have different effects on the reliability of terminating the SI. If the reason that the operator does not open the pressurizer isolation valves is slowness in thinking and action, then based on the time available for the OPA-3 (15 minutes) and OPA-1 (20 minutes) actions, the operator has little chance to perform OPA-1 in time. If the reason is that the operator overlooks EOP-0 Step 18.c, there is a good chance that the operator may also overlook EOP-0 Step 24.e. If the reason is that the operator mistakenly thinks that a pressurizer isolation valve is already open, this is not expected to affect performing OPA-1. These relations are shown in Figure 1, which is the structure for analyzing the probabilities of OPA-1 and OPA-3.

[Reviewer comment HD1: This paragraph makes it sound like terminating SI is fully accomplished by E-0 Step 24. In fact, there are a number of steps in ES-1.1 that are required. I suggest re-wording to make this more clear.]

Figure 1 Failure modes of opening a PZR isolation valve affect the success probability of terminating SI [figure: branches for failure due to incorrectly detecting valve status (OPA-3.3) and Terminate SI (OPA-1, OPA-1.1, OPA-1.2, OPA-1.3)].

Based on the analysis in sections 1.3.1.3.1 to 1.3.1.3.5, the following are the HEPs of OPA-3:
  • HEP(OPA-3) = 3.5E-3
  • HEP(OPA-3.1) = 0.0
  • HEP(OPA-3.2) = 3.5E-3
  • HEP(OPA-3.3) = 0.0

1.3.1 OPERATOR FAILS TO OPEN PORV BLOCK VALVES (OPA-3)

Success criteria: The task has to be completed within 15 minutes from the initiating event.

1.3.1.1 Task Description

The task (OPERATOR FAILS TO OPEN PORV BLOCK VALVES) starts from the operator detecting the plant abnormality and then following EOP-0 to Step 18 and opening at least one isolated pressurizer PORV isolation valve based on Step 18's instruction. The macrocognition discussion based on the overall task is the following:

Detecting the abnormal symptom: The inadvertent actuation of the SI signal causes a number of automatic component status changes related to the containment Phase A isolation, as identified in section 1.1. These changes will trigger a number of alarms. The automatic start and re-alignment of the centrifugal charging pumps and SI pumps are clear to the operators. The operators are familiar with, and are trained to pay attention to, these component statuses.

Understanding the issue and making a decision on the response plan: Once the SI actuation is detected, EOP-0 is the procedure to enter. Operators are routinely trained on entering and implementing EOP-0. Understanding and decision making are based on the procedure instructions. The operator's main activity is to follow the procedure instructions in order to check plant parameter values and component statuses.

Action: The main action is to open a pressurizer isolation valve. This action is performed inside the main control room by turning the control switches of the pressurizer isolation valves from closed to open and verifying that the isolation valve status indication light changes from green (closed) to red (open). Another action that the operator may perform at the beginning of the scenario is to manually trip the reactor if the reactor is not automatically tripped by the SI signal. In this case, whether the operator manually trips the reactor makes little difference in the scenario from a safety standpoint, because the reactor will eventually be automatically tripped on low pressurizer pressure within a couple of minutes (e.g., at about 76 seconds in the plant's safety analysis [2]) after the inadvertent SI actuation. The key task is to open at least one pressurizer isolation valve as instructed by EOP-0 Step 18. This is a main control room action: the RO performs the simple task of switching a pressurizer isolation valve to the open position, working with the SS, who reads the procedure instruction to direct and monitor the RO. Once the task is completed, the RO is expected to inform the SS that the task is performed. The actual physical activity to change the system status is to push a button (or turn a switch) to open the isolation valve.

1.3.1.2 Time Analysis

Two sources are used to assess the operator response time: the Millstone event [1] and a paper published by KAERI [3]. The first source is a real event, and the second source is based on simulator training.

Millstone Event

In the Millstone event, the operator reached EOP-0 Step 16 (Verify ECCS Flow) seven minutes after the initiating event (see Table 3). Byron's EOP-0 has the step of verifying ECCS flow at Step 17. Immediately after Step 17, the Byron EOP-0 Step 18 instructs the operator to open the pressurizer isolation valves to ensure at least one pressurizer PORV path is open. Therefore, overlaying the Millstone event on the Byron procedure, it is estimated that the operator would complete Step 18 (open pressurizer isolation valves) eight minutes after the initiating event.

Table 3 The Millstone event timeline for response time to the procedure step of checking/opening pressurizer isolation valves

Time (minutes) | Event Description
0 |
  • A Train SSPS Steam Line Pressure Low SI/MSI signal followed by a reactor trip. First Out alarm: Steam Line Pressure Low Isolation SI.
  • MSIVs closed as expected.
  • 3 MSS-PV20A&C, Atmospheric Dump Valves (ASDVs) open.
  • 3 MSS-PV20B&D received closed signals via MSI. (1/2 of ASDVs shut on 1/2 MSI.)
  • B S/G Safety opens.
  • The control room crew entered E-0 Reactor Trip/SI emergency response procedure.
  • At step 4 the crew initiated train B SI.
  • Terry Turbine steam supplies open and Terry Turbine trips 3 seconds later.
7 | At EOP-0 Step 16 Verify ECCS Flow. Crew performed a debrief of the situation. The crew reinforced to the entire control staff that there was no Terry Turbine Aux Feed flow, B S/G Safety was still open and manual initiation of both trains SI was required. Dispatched a PEO to the Terry Turbine who verified that it was not running. Found V5 unlatched and shut. Mech Trip tappet was NOT in overspeed condition. (Crew continues to evaluate plant conditions, thought stuck S/G Safety caused SI.)
11 | Pressurizer PORVs commence cycling at RCS pressure of 2350#.

KAERI Simulator Analysis

The operator normal response time is based on [3], which is based on Korean crews responding to a steam generator tube rupture (SGTR) scenario. The Korean crew structure and procedures are similar to those of the Byron nuclear power plant. Without Byron plant-specific data, the data in [3] are considered a good approximation. The time data in [3] are reproduced in Table 4.

Table 4 The time data collected in operator simulator training by KAERI [3].

Task ID | Task Description | Time(1) (sec) | SD(2) (sec) | Procedure Steps(3)
1 | Confirming immediate responses after reactor trip | 41.9 | 25.5 | 1 to 4
2 | Confirming the isolation of essential valves | 12.0 | 2.9 | 5 to 6
3 | Confirming the operation of essential pumps | 17.9 | 5.6 | 7 to 10
4 | Verifying containment status | 33.9 | 22.3 | 11 to 14
5 | Verifying the delivery of SI and AFW flow | 55.4 | 27.8 | 15 to 18
6 | Verifying the status of RCS heat removal | 38.9 | 16.0 | 19 to 21
7 | Entering E-3 procedure according to the status of SGs | 34.7 | 16.3 | 22 to 23
(1) Averaged task performance time in seconds. (2) Standard deviation in seconds. (3) Based on the EOP-0 of the Korean nuclear power plant.

Discussion

In the Millstone event, the operator took about eight minutes (480 seconds) to reach the procedure step of checking that at least one PZR isolation path is open. In KAERI's simulator data, the mean time to reach the same step is about 270 seconds with a standard deviation of 100.1 seconds. The numbers are consistent with the Millstone event (eight minutes or 480 seconds).

1.3.1.3 HEP Calculation

The HEP calculation is performed by the analysis of time. This is typically based on the time data collected from simulator exercises. For time data collected from simulator exercises whose scenarios are single-failure, textbook-type scenarios, the time data are compared with the time available to check the probability of human failure due simply to insufficient time, without other complications. In most cases, the time available is expected to be

sufficient. In this situation, HRA methods are used to calculate the HEPs. In this analysis, the SPAR-H [4] and NARA [5] methods are used. The final HEP is the average of the HEPs calculated by these two methods.

1.3.1.3.1 Overall HEP

SPAR-H

The SPAR-H method uses eight performance shaping factors (PSFs) to calculate the HEPs of diagnosis and action. The task's HEP is the sum of the diagnosis HEP and the action HEP. The following discusses the status of the eight performance shaping factors for diagnosis and action.

Available Time: The available time is 15 minutes. The mean time, including diagnosis and action, is 270 seconds (4.5 minutes). Based on SPAR-H's classification, the status of the PSF available time is normal time.
Stress/Stressors: The stress level is determined as normal because all the operator activities are within EOP-0 and there is no surprise, except that the SI actuation may not trip the reactor automatically.
Complexity: For diagnosis, the complexity is determined as normal because the diagnosis is performed by following EOP-0. For action, turning a switch from closed to open is a simple task. The status is normal.
Experience/Training: For diagnosis, this is determined as nominal because the inadvertent SI actuation is not a routinely trained scenario. For action, turning a switch from closed to open is straightforward to the operator.
Procedures: For diagnosis, the EOP is a diagnosis/symptom-oriented procedure. The status is high. For action, the procedure instruction is clear. The status is normal.
Ergonomics/HMI, fitness for duty, and work processes: Their statuses are normal.

The following table shows the PSF statuses and their HEP multipliers.

PSF | Diagnosis Status | Multiplier | Action Status | Multiplier
Available Time | Nominal time | 1 | Nominal time | 1
Stress/Stressors | Nominal | 1 | Nominal | 1
Complexity | Nominal | 1 | Nominal | 1
Experience/Training | Nominal | 1 | High | 0.5
Procedures | Diagnostic/symptom oriented | 0.5 | Nominal | 1
Ergonomics/HMI | Nominal | 1 | Nominal | 1
Fitness for Duty | Nominal | 1 | Nominal | 1
Work Processes | Nominal | 1 | Nominal | 1

Therefore, the HEP = 0.01 × 0.5 + 0.001 × 0.5 = 0.0055.

NARA

NARA calculates the HEP by mapping the task under analysis to the generic task types (GTTs) of NARA. Each GTT has a base HEP value. The final HEP is the base HEP multiplied by the multipliers of the NARA PSFs applied to the task. NARA's PSFs only have negative effects on the HEP (i.e., they increase the HEP value). The following two GTTs are identified as corresponding to the diagnosis and action portions of the HFE OPERATOR FAILS TO OPEN PORV BLOCK VALVES:
  • Simple response to a key alarm within a range of alarms/indications providing clear indication of the situation (simple diagnosis required). Response might be direct execution of simple actions or initiating other actions separately assessed. The base HEP is 0.0004.
  • Carry out simple single manual action with feedback. Skill-based and therefore not necessarily with procedure. The base HEP is 0.006.
No negative NARA PSFs are applicable to the HFE. Therefore the HEP = 0.0004 + 0.006 = 0.0064.

The average HEP of SPAR-H and NARA is used for the final HEP. The final HEP = (0.0055 + 0.0064)/2 = 6.0E-3.

1.3.1.3.2 HEP due to Slow

Using the time data discussed in section 1.3.1.2, a normal distribution with a mean of 270 seconds and a standard deviation of 100 seconds, and a time window of 15 minutes (900 seconds), the probability of a normal operating crew failing to open the pressurizer isolation valve due simply to slow thinking and action is negligible.

Conclusion: Probability(OPA-3.1) = 0.0.

1.3.1.3.3 HEP Due to Skipping EOP-0 Step 18.c

Among the available HRA methods, EPRI's Cause-Based Decision Tree (CBDT) [6] method and the THERP [7] method are the two published HRA methods that calculate failure probabilities specific to certain error modes (or error mechanisms). (The IDHEAS-at-power method calculates the probability, but the method has not been published in the public domain.) These two methods are used to estimate the HEP due to certain error modes.

Figure 2 CBDT's decision tree on skipping an important procedure step.
Figure 3 THERP table for estimating the probability of skipping a key procedure step.

Discussion

THERP and CBDT provide consistent estimates of 0.001 for the probability of skipping EOP-0 Step 18.c.

1.3.1.3.4 HEP due to misread the PZR isolation valve indication

In CBDT, two failure mechanisms apply to this case: (1) data not attended to (i.e., the data is available but the operator fails to check the information); and (2) data misread. The decision trees of these two failure mechanisms are shown in Figures 4 and 5. THERP's relevant failure mechanism is that the operator incorrectly reads a wrong indication. The estimated failure probabilities are shown in Figure 6.

Discussion

Based on the considered factors, the CBDT method would estimate the failure probability (OPA-3.3) as negligible. THERP's estimate is between negligible and 0.0005.

Figure 4 CBDT's decision tree on data not attended to.

Figure 5 The decision tree used to calculate the misread failure probability in the CBDT method.
Figure 6 THERP's table relevant to misreading the PZR isolation valve status indication.

1.3.1.3.5 Failure Modes and Fail Probability Discussion

The following is a summary of the HEP estimates of sections 1.3.1.3.1 to 1.3.1.3.4:
  • The general failure probability is 6.0E-3 (section 1.3.1.3.1).
  • The failure probability due to thinking slowly and acting slowly is negligible (section 1.3.1.3.2).
  • The failure probability due to skipping EOP-0 Step 18.c is 1E-3 (section 1.3.1.3.3).
  • The failure probability due to incorrectly detecting the PZR isolation valve status is negligible, assuming no indication failure (section 1.3.1.3.4).

Because there is a difference between the overall HEP (6E-3) and the sum of all failure modes' HEPs (1E-3), this analysis averages the two. This concludes that the total HEP is 3.5E-3. All of the failure is due to skipping EOP-0 Step 18.c.

1.3.2 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1)

The task OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW starts after the pressurizer isolation valves have been opened, or not opened, as instructed at EOP-0 Step 18, and runs to the SI reset action instructed by ES-1.1. OPA-1 is further divided into the following two classes:
  • OPA-1: This assumes that the operator successfully opens the pressurizer isolation valves.
  • OPA-1.2: This assumes that the operator failed to open the pressurizer isolation valves due to overlooking EOP-0 Step 18.c.

1.3.2.1 OPA-1

1.3.2.1.1 Task Description

OPA-1 starts with the operators successfully opening the pressurizer isolation valves (in EOP-0 Step 18), when applicable. To succeed at OPA-1, the operator is expected to continue through EOP-0 to Step 24.e, "Go To ES-1.1 SI Termination Step 1." ES-1.1 Step 1 instructs the operator to depress both SI reset buttons to reset the SI and to verify the completion of the task by checking that the SI ACTUATED permissive light is off and the AUTO SI BLOCKED permissive light is on.

Commented [HD2]: Step 1 resets the SI signal. It does not stop or control the SI flow. Therefore it does not stop pressurizer overfill. To successfully complete the operator action in question, the operators need to make it through ES-1.1 Step 13 (at which point they will have re-established normal charging and letdown). That said, after they've successfully completed Step 8 (normal charging), the rate of pressurizer level rise will be reduced, so arguably this is partial success.

At the beginning of this task, the operating crew is already in EOP-0. The operator continues following EOP-0. Between Step 18 and Step 24, the potential procedure-following deviations are transferring to EOP-2 "Faulted steam generator isolation", EOP-3 "Steam generator tube rupture", and EOP-1 "Loss of reactor or secondary coolant."

1.3.2.1.2 Time Analysis

The time estimation is based on the KAERI time data shown in Table 4. The seven task IDs shown in Table 4 cover EOP-0 up to the point where SGTR is checked. To reach Step 24.e, the operator needs to check whether this is a LOCA event. Two minutes (with a standard deviation of zero) are added to cover the time to check the LOCA symptoms and transfer to ES-1.1 to reset SI. Therefore, the total time for OPA-1 has a mean of 354.7 seconds and a standard deviation of 116.4 seconds.

Commented [HD3]: I don't think this is adequate. Given the KAERI data, and the Millstone event (which is more complicated of course), I would expect a nominal (uncomplicated) timeline more like:
E-0 Steps 1-18: 5 minutes
E-0 Steps 19-24: 3 minutes
ES-1.1 Steps 1-3: 1 minute
ES-1.1 Steps 4-8: 5 minutes
ES-1.1 Steps 9-12: 2 minutes
ES-1.1 Step 13: 2 minutes
That would result in a range of 14-18 minutes. For the (complicated) Millstone event, this took 44 minutes.

1.3.2.1.3 HEP Calculation

Time Sufficiency Check

With the mean time of 354.7 seconds, the standard deviation of 116.4 seconds, and the available time window of 20 minutes (1200 seconds), the human failure probability simply due to time insufficiency is negligible.

Commented [HD4]: I think this should be updated in light of the above.

SPAR-H

SPAR-H uses eight performance shaping factors (PSFs) to calculate the HEPs of diagnosis and action. The task's HEP is the sum of the diagnosis HEP and the action HEP. The following discusses the statuses of the eight performance shaping factors for diagnosis and action.

Available Time: The available time is 20 minutes. The mean time, including diagnosis and action, is 354 seconds (5.9 minutes). Based on SPAR-H's classification, the status of the PSF available time is normal time.

Commented [HD5]: Again, I think this needs to be re-evaluated.

Stress/Stressors: The stress level is determined as normal because there is no immediate safety concern to the operators.
Complexity: For diagnosis, the complexity is determined as normal. The operators have to successfully conclude that the event is not an MSLB, SGTR, or LOCA event. The indications are expected to be clear enough to reach the conclusion.
Experience/Training: For diagnosis, this is determined as normal. Even though the operator is routinely trained on diagnosing MSLB, SGTR, and LOCA events, having to diagnose all of them successfully makes the determination normal instead of high. For action, depressing the SI reset button is straightforward to the operator.

Commented [HD6]: It is much more involved than this when considering the extra steps in ES-1.1, though whether this warrants a different PSF is your call.

Commented [HD7]: Does this change with the additional steps in ES-1.1?

Procedures: For diagnosis, the EOP is a diagnosis/symptom-oriented procedure. The status is high. For action, the procedure instruction is clear. The status is normal.
Ergonomics/HMI, fitness for duty, and work processes: Their statuses are normal.

The following table shows the PSF statuses and their HEP multipliers.

PSF | Diagnosis Status | Multiplier | Action Status | Multiplier
Available Time | Nominal time | 1 | Nominal time | 1
Stress/Stressors | Nominal | 1 | Nominal | 1
Complexity | Nominal | 1 | Nominal | 1
Experience/Training | Normal | 1 | High | 0.5
Procedures | Diagnostic/symptom oriented | 0.5 | Nominal | 1
Ergonomics/HMI | Nominal | 1 | Nominal | 1
Fitness for Duty | Nominal | 1 | Nominal | 1
Work Processes | Nominal | 1 | Nominal | 1

Therefore, the HEP = 0.01 × 0.5 + 0.001 × 0.5 = 0.0055.

NARA

The following two GTTs are identified as corresponding to the diagnosis and action portions of the HFE OPA-1:
  • Judgement needed for appropriate procedure to be followed, based on interpretation of alarms/indications, situation covered by training at appropriate intervals. The base HEP is 0.01.
  • Carry out simple single manual action with feedback. Skill-based and therefore not necessarily with procedure. The base HEP is 0.006.
No negative NARA PSFs are applicable to the HFE. Therefore the HEP = 0.01 + 0.006 = 0.016.

The reason for including the GTT "Judgement needed for appropriate procedure to be followed, based on interpretation of alarms/indications, situation covered by training at appropriate intervals" is that, after opening the pressurizer isolation valves, the procedure instructs the operator to check for symptoms of SGTR, MSLB, and LOCA in order to enter the corresponding procedures. The operator has routine simulator training on these events. Determining not to enter these procedures poses a cognitive challenge similar to entering them.

CBDT

CBDT is used because of the significant difference between the SPAR-H (5.5E-3) and NARA (1.6E-2) estimates. The following are the error probabilities of the eight CBDT error mechanisms:
  • HEP(Data not available) = negligible
  • HEP(Data not attended to) = negligible
  • HEP(Data misread or miscommunicated) = negligible
  • HEP(Information misleading) = negligible
  • HEP(Relevant step in procedure missed) = 0.002
  • HEP(Misinterpret instruction) = negligible
  • HEP(Error in interpreting logic) = 0.0003
  • HEP(Deliberate violation) = negligible
Therefore, CBDT estimates an HEP of 2.3E-3.

Discussion

The HEP estimates are:
  • SPAR-H: 5.5E-3
  • NARA: 1.6E-2
  • CBDT: 2.3E-3
The NARA estimate is considered an overestimate. Therefore, only the SPAR-H and CBDT estimates are used.

Commented [HD8]: Why?

The average HEP of SPAR-H and CBDT is used for the final HEP. The final HEP = (0.0055 + 0.0023)/2 = 3.9E-3.

1.3.2.2 OPA-1.2

1.3.2.2.1 Task Description

OPA-1.2 is performing SI termination in the condition that the operator omitted EOP-0 Step 18.c to open at least one pressurizer isolation valve.

1.3.2.2.2 Time Analysis

Millstone Event [1]

The Millstone inadvertent SI actuation event shows that the time the operator would take to perform a diagnosis depends strongly on context. Table 5 shows the relevant timeline of the Millstone event and the corresponding EOP-0 steps of Millstone and Byron. Table 5 implies that the Millstone operator took four minutes to complete the diagnosis that this was not an SGTR event. Compared to the average 34.7 seconds observed in KAERI's simulator data [3], the time required is significantly different. This is due to the other component failures (e.g., B SG safety valve stuck open) and the complications due to scenario evolution (e.g., the pressurizer became water solid).

Table 5 The diagnosis timeline of entering ES-1.1 to reset SI in the Millstone event

Time | Event Description | EOP-0 Step
0829 | The initiating event occurred. |
0850 | The crew decided not to make an E-2 transition based upon SI termination priority and no uncontrolled S/G pressure decrease. (Discussion occurred between US and SM. Did not meet E-2 entry conditions.) | Millstone - 25; Byron - 21
0854 | Determined no S/G tube rupture based on no adverse S/G level trend. | Millstone - 26; Byron - 22

Based on the failure mode that the operator fails to open a pressurizer isolation valve due to overlooking EOP-0 Step 18.c, it is expected that the operator will proceed to Step 24.e within 10 minutes. This estimation is based on the simulator time data in [3]. Until this time, no scenario complication is expected. Therefore, the operator is expected to reach EOP-0 Step 24.e and transfer to ES-1.1 Step 1 to terminate SI without scenario complication.

Commented [HD9]: It is not clear how this time relates to the earlier time estimates.

1.3.2.2.3 HEP Calculation

The independent HEP of OPA-1.2 is the same as that of OPA-1. The HEP is 3.9E-3. However, because the operator erroneously omitted the step of opening a pressurizer isolation valve, there could be dependency in omitting the step of terminating SI. Based on the dependency model presented in NUREG-1921 "Fire HRA" (Figure 7), the dependency level is high dependency (Sequence 8 of Figure 7). This will change the HEP to about 0.5.
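The HEP arithmetic of sections 1.3.1.3 and 1.3.2 (SPAR-H PSF multipliers, NARA GTT sums, the time-insufficiency check against the KAERI response times, the SPAR-H/NARA and SPAR-H/CBDT averages, and the high-dependency adjustment of OPA-1.2), reproduced as an added Python example that is not part of the original analysis. The normal-tail time model, the arithmetic summation of task standard deviations and the THERP conditional-HEP equations are this example's own reading of the cited methods; only the numbers come from the text.

```python
"""Worked HEP arithmetic for the spurious-SI HFEs OPA-3 and OPA-1.

Added example, not part of the original analysis. PSF multipliers, GTT and
CBDT HEPs, KAERI task times and time windows are the text's values; the
normal-tail model, the linear SD summation and the THERP conditional-HEP
equations are this example's reading of the cited methods.
"""
import math

# Table 4 (KAERI simulator data): (mean seconds, standard deviation seconds)
KAERI_TASKS = [
    (41.9, 25.5),  # 1 confirming immediate responses after reactor trip
    (12.0, 2.9),   # 2 confirming the isolation of essential valves
    (17.9, 5.6),   # 3 confirming the operation of essential pumps
    (33.9, 22.3),  # 4 verifying containment status
    (55.4, 27.8),  # 5 verifying the delivery of SI and AFW flow
    (38.9, 16.0),  # 6 verifying the status of RCS heat removal
    (34.7, 16.3),  # 7 entering E-3 according to the status of SGs
]
LOCA_CHECK = (120.0, 0.0)  # two minutes added in 1.3.2.1.2, SD of zero

def total_time(tasks, extra=(0.0, 0.0)):
    """Mean and SD of a task sequence.

    The analysis sums the task SDs arithmetically (354.7 s / 116.4 s for
    OPA-1); the root-sum-square for independent tasks is smaller, so the
    linear sum is the conservative choice. Both are returned for comparison.
    """
    mean = sum(m for m, _ in tasks) + extra[0]
    sd_linear = sum(s for _, s in tasks) + extra[1]
    sd_rss = math.sqrt(sum(s * s for _, s in tasks) + extra[1] ** 2)
    return mean, sd_linear, sd_rss

def p_exceeds_window(mean, sd, window):
    """P(T > window) under a normal response-time model: the HEP due to
    the crew simply being too slow (sections 1.3.1.3.2 and 1.3.2.1.3)."""
    z = (window - mean) / sd
    return 0.5 * math.erfc(z / math.sqrt(2.0))

# SPAR-H nominal HEPs; PSF order in the lists below is time, stress,
# complexity, experience/training, procedures, HMI, fitness, work process.
NHEP_DIAGNOSIS = 0.01
NHEP_ACTION = 0.001
DIAG_PSF = [1, 1, 1, 1, 0.5, 1, 1, 1]  # diagnostic/symptom-oriented procedure
ACT_PSF = [1, 1, 1, 0.5, 1, 1, 1, 1]   # high experience for the switch action

def spar_h_part(nhep, multipliers):
    """One SPAR-H part (diagnosis or action). With three or more negative
    (>1) PSFs SPAR-H applies HEP = NHEP*M / (NHEP*(M-1) + 1) so the result
    cannot exceed 1; that branch is not exercised by either HFE here."""
    m = math.prod(multipliers)
    if sum(1 for x in multipliers if x > 1) >= 3:
        return nhep * m / (nhep * (m - 1) + 1)
    return nhep * m

def spar_h_hep(diag, act):
    return spar_h_part(NHEP_DIAGNOSIS, diag) + spar_h_part(NHEP_ACTION, act)

def nara_hep(gtt_base_heps, psf_multipliers=()):
    """NARA as the text describes it: sum of the GTT base HEPs, scaled by any
    negative PSF multipliers (none apply to either HFE here)."""
    return sum(gtt_base_heps) * math.prod(psf_multipliers)

def conditional_hep(hep, level):
    """THERP conditional HEP of a second task given failure of the first,
    by dependence level (ZD/LD/MD/HD/CD); "about 0.5" for HD in the text."""
    table = {"ZD": hep, "LD": (1 + 19 * hep) / 20, "MD": (1 + 6 * hep) / 7,
             "HD": (1 + hep) / 2, "CD": 1.0}
    return table[level]

def average(*heps):
    return sum(heps) / len(heps)

def opa3_summary():
    """Section 1.3.1.3: open a PORV block valve within 15 minutes (900 s)."""
    spar = spar_h_hep(DIAG_PSF, ACT_PSF)          # 0.0055
    nara = nara_hep([0.0004, 0.006])              # 0.0064
    return {"spar_h": spar, "nara": nara,
            "overall": average(spar, nara),       # 0.00595, reported as 6.0E-3
            "p_slow": p_exceeds_window(270.0, 100.1, 900)}

def opa1_summary():
    """Section 1.3.2.1.3: terminate SI within 20 minutes (1200 s), then the
    high-dependency case OPA-1.2 of section 1.3.2.2.3."""
    mean, sd, _ = total_time(KAERI_TASKS, LOCA_CHECK)   # 354.7 s, 116.4 s
    spar = spar_h_hep(DIAG_PSF, ACT_PSF)                 # 0.0055
    cbdt = 0.002 + 0.0003                                # step missed + logic
    final = average(spar, cbdt)                          # 0.0039
    return {"mean_s": mean, "sd_s": sd, "spar_h": spar, "cbdt": cbdt,
            "nara": nara_hep([0.01, 0.006]),             # 0.016, set aside
            "final": final, "dependent_hd": conditional_hep(final, "HD"),
            "p_slow": p_exceeds_window(mean, sd, 1200)}

if __name__ == "__main__":
    print(opa3_summary())
    print(opa1_summary())
```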

Figure 7 The NUREG-1921 dependency model [figure: decision tree with branches Dependence Level, Intervening Success, Crew, Cognitive Cue, Demand Stress, Sequential Timing, Location and Manpower, with outcomes CD, HD, MD, LD and ZD].

2 Main Steamline Break

The MSLB event assumes an MSL break before the main steam isolation valve (or the fast-acting steamline stop valves in B/B) that immediately actuates the SI signal and a reactor trip, but the peak containment pressure is assumed to be less than 20 psig. If the containment peak pressure is greater than 20 psig, the operator would need to stop all reactor coolant pumps (RCPs), check the containment spray eductor suction flow, and align cooling towers.

2.1 Results Summary

2.2 Scenario Analysis and Operational Narrative

2.2.1 Component Responses

Following an MSLB event, section 15.1.5 of the B/B UFSAR states the plant responses as follows:

The steam release arising from a break of a main steamline would result in an initial increase in steam flow which decreases during the accident as the steam pressure falls. The energy removal from the RCS causes a reduction of coolant temperature and pressure. The major break of a steamline is the most limiting cooldown transient and is analyzed at zero power with no decay heat. Decay heat would retard the cooldown, thereby reducing the return to power. A detailed analysis of this transient with the most limiting break size, a double ended break, is presented here. The following functions provide the protection for a steamline break:

a. Safety injection system actuation from any of the following:
1. Two-out-of-three low steamline pressure signals in any one loop
2. Two-out-of-four low pressurizer pressure signals
3. Two-out-of-three high-1 containment pressure signals.
b. The overpower reactor trips (neutron flux and ) and the reactor trip occurring in conjunction with receipt of the safety injection signal.
c. Redundant isolation of the main feedwater lines. Sustained high feedwater flow would cause additional cooldown. Therefore, in addition to the normal control action which will close the main feedwater valves a safety injection signal will rapidly close all feedwater control valves and backup feedwater isolation valves, trip the main feedwater pumps, and close the feedwater pump discharge valves.
d. Trip of the fast acting steamline stop valves on:
1. Two-out-of-three low steamline pressure signals in any one loop.
2. Two-out-of-three high-2 containment pressure signals.
3. Two-out-of-three high negative steamline pressure rate signals in any one loop (used only during cooldown and heatup operations).

Steam release from more than one steam generator will be prevented by the automatic trip of the fast acting isolation valves in the steamlines by low steamline pressure signals, high containment pressure signals, or high negative steamline pressure rate signals. The steamline stop valves are designed to be fully closed in less than 5 seconds from receipt of a closure signal.

2.2.2 Operator Responses

Immediately after the MSLB, the reactor trip and the SI actuation automatically occur. After confirming a reactor trip, the RO performs the immediate actions according to the emergency operating procedure (EOP)-0 Reactor Trip or Safety Injection, which are summarized as follows:
  • Verify the reactor is tripped. If the reactor is not tripped, then manually trip the reactor.
  • Verify the turbine is tripped. If the turbine is not tripped, then manually trip the turbine.
  • Verify electric power is available to the 4KV essential safety function (ESF) busses.
  • Check SI status. If the SI is required, then manually actuate SI if it is not actuated already. If the SI is not required, then transfer to procedure ES-0.1 Reactor Trip Response.

References:

1. Millstone Power Station Unit 3 - NRC Special Inspection Report 05000423/2005012.
2. Byron Nuclear Power Station, Updated Final Safety Analysis Report, Chapter 15.6.
3. Park, J. and Jung, W. A study on the development of a task complexity measure for emergency operating procedures of nuclear power plants, Reliability Engineering and System Safety, 92 (2007), 1102-1116.
4. Gertman, D., Blackman, H., Marble, J., Byers, J. and Smith, C., The SPAR-H Human Reliability Analysis Method, NUREG/CR-6883, 2005.
5. Kirwan, B., Gibson, H., Kennedy, R., Edmunds, J., Cooksley, G., and Umbers, I. (2004) Nuclear Action Reliability Assessment (NARA): A data-based HRA tool. In Probabilistic Safety Assessment and Management 2004, Spitzer, C., Schmocker, U., and Dang, V.N. (Eds.), London, Springer, pp. 1206-1211.
6. Parry, G., Lydell, B., Spurgin, A., Moieni, P., and Beare, A. An approach to the analysis of operator actions in probabilistic risk assessment, EPRI TR-100259, June 1992.
7. Swain, A. and Guttmann, H. Handbook of human reliability analysis with emphasis on nuclear power plant applications, U.S. NRC NUREG/CR-1278, 1983.

Contents

1 Spurious Safety Injection ... 2
1.1 Results Summary ... 2
1.2 Scenario Analysis and Operational Narrative ... 3
1.2.1 Component Responses ... 3
1.2.2 Operator Responses ... 4
1.2.3 Task Analysis ... 6
1.2.4 Relevant Operating Experience ... 7
1.3 HFEs ... 8
1.3.1 OPERATOR FAILS TO OPEN PORV BLOCK VALVES (OPA-3) ... 9
1.3.1.1 Task Description ... 9
1.3.1.2 Time Analysis ... 10
1.3.1.3 HEP Calculation ... 12
1.3.1.3.1 Overall HEP ... 12
1.3.1.3.2 HEP due to Slow ... 13
1.3.1.3.3 HEP Due to Skipping EOP-0 Step 18.c ... 14
1.3.1.3.4 HEP due to misread the PZR isolation valve indication ... 15
1.3.1.3.5 Failure Modes and Fail Probability Discussion ... 17
1.3.2 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1) ... 17
1.3.2.1 OPA-1 ... 18
1.3.2.1.1 Task Description ... 18
1.3.2.1.2 Time Analysis ... 18
1.3.2.1.3 HEP Calculation ... 18
1.3.2.2 OPA-1.2 ... 22
1.3.2.2.1 Task Description ... 22
1.3.2.2.2 Time Analysis ... 22
1.3.2.2.3 HEP Calculation ... 22

1 Spurious Safety Injection

Subject of interest: The probability that the operator does not open at least one pressurizer isolation (a.k.a. block) valve in time, leading to a water-solid pressurizer and passing of RCS water through a pressurizer safety relief valve, all following a spurious safety injection (SI) occurring at full power operation.

Success criteria:
  • Operator opens a pressurizer isolation (a.k.a. block) valve to prevent pressurizer safety valve lift within 15 minutes from the initiating event.
  • Operator terminates the SI within 20 minutes from the initiating event.

1.1 Results Summary

The spurious SI actuation scenario includes two HFEs of interest: opening a pressurizer isolation valve (when both PORVs are unavailable at the start of the accident) and terminating the SI. The failure of opening a pressurizer isolation valve is further analyzed for its failure modes. Three potential failure modes are identified and analyzed as shown in the figure below.

[Figure: failure modes of opening a PZR isolation valve, with branches for failure due to incorrectly detecting valve status (OPA-3.3) and Terminate SI (OPA-1, OPA-1.1, OPA-1.2, OPA-1.3).]

Task | HEP
HEP for failing to open at least 1 pressurizer isolation valve |
  HEP(OPA-3) | 3.5E-3
  HEP(OPA-3.1) | negligible
  HEP(OPA-3.2) | 3.5E-3
  HEP(OPA-3.3) | negligible
HEP for failing to terminate SI |
  HEP(OPA-1) | 3.9E-3
  HEP(OPA-1.1) | N/A
  HEP(OPA-1.2) | 0.5
  HEP(OPA-1.3) | N/A

1.2 Scenario Analysis and Operational Narrative

1.2.1 Plant Responses

The B/B-UFSAR states: A spurious (SI) signal initiated after the logic circuitry in one solid-state protection system train for any of the following engineered safety feature (ESF) functions could cause this incident by actuating the ESF equipment associated with the affected train.

a. High containment pressure,
b. Low pressurizer pressure, or
c. Low steamline pressure.

Following the actuation signal, the suction of the coolant charging pumps diverts from the volume control tank to the refueling water storage tank. Simultaneously, the valves isolating the charging pumps from the injection header automatically open and the normal charging line isolation valves close. The charging pumps force the borated water from the refueling water storage tank (RWST) through the pump discharge header, the injection line, and into the cold leg of each loop. The passive accumulator tank safety injection and low head system are available. However, they do not provide flow when the reactor coolant system (RCS) is at normal pressure.

A safety injection (SI) signal normally results in a direct reactor trip and a turbine trip. However, any single fault that actuates the ECCS will not necessarily produce a reactor trip. If an SI signal generates a reactor trip, the operator should determine if the signal is spurious. If the SI signal is determined to be spurious, the operator should terminate SI and maintain the plant in the hot-standby condition as determined by appropriate recovery procedures. If repair of the ESF actuation system instrumentation is necessary, future plant operation will be in accordance with the Technical Specifications. If the SI results in discharge of coolant through the pressurizer safety relief valves, the operators will bring the plant to cold shutdown in order to inspect the valves.

If the reactor protection system does not produce an immediate trip as a result of the spurious SI signal, the reactor experiences a negative reactivity excursion due to the injected boron, which causes a decrease in reactor power. The power mismatch causes a drop in Tavg and consequent coolant shrinkage. The pressurizer pressure and water level decrease. Load decreases due to the effect of reduced steam pressure on load after the turbine throttle valve is fully open. If automatic rod control is used, these effects will lessen until the rods have moved out of the core. The transient is eventually terminated by the reactor protection system low pressurizer pressure trip or by manual trip.

The time to trip is affected by initial operating conditions. These initial conditions include the core burnup history, which affects initial boron concentration, rate of change of boron concentration, and Doppler and moderator coefficients. After the actuation of a SI signal, regardless of how the SI signal is actuated, the following ECCS actions are designed to take place because of interlocks with the SI signal:

1. Centrifugal charging pumps start on "S" signal.
2. RWST suction valves to the charging pumps open on "S" signal.
3. Safety injection containment isolation valves open on "S" signal.
4. Normal charging path valves close on "S" signal.
5. Charging pump miniflow isolation valves CV8110 and CV8111 close on "S" signal, concurrent with LO-2 RWST level.
6. Charging pump miniflow isolation valves CV8114 and CV8116 close on low RCS pressure in conjunction with an "S" signal. These valves open to protect the pump should the RCS pressure increase above the open setpoint with an "S" signal present.
7. Safety injection pumps start on "S" signal.
8. The RHR pumps start on "S" signal.
9. VCT outlet isolation valves close on "S" signal.

1.2.2 Operator Responses

Assuming the reactor is at full power operation, after a spurious actuation of a SI signal without the expected accompanying reactor trip, the nuclear power starts decreasing immediately due to boron injection, but steam flow does not decrease until later in the transient when the turbine throttle valve is wide open. The mismatch between load and nuclear power causes Tavg, pressurizer water level, and pressurizer pressure to drop. Without operator intervention, the reactor trips and control rods start moving into the core when the pressurizer pressure reaches the pressurizer low pressure trip setpoint. In the Chapter 15 safety analysis, the reactor is calculated to trip automatically at about 76 seconds after the SI actuation if the SI signal does not cause an automatic reactor trip and the operator does not manually trip the reactor before its automatic trip.

Whether or not the reactor is tripped immediately following the SI signal, the operator responses in these two scenarios are very similar. After verifying a SI actuation, the operator will perform the immediate actions according to emergency operating procedure (EOP) E-0, Reactor Trip or Safety Injection, summarized as follows:
  • Verify the reactor is tripped. If the reactor is not tripped, then manually trip the reactor.
  • Verify the turbine is tripped. If the turbine is not tripped, then manually trip the turbine.
  • Verify electric power is available to the 4KV engineered safety feature (ESF) buses.
  • Check SI status. If SI is required, then manually actuate SI if it is not actuated already. If SI is not required, then transfer to procedure ES-0.1, Reactor Trip Response.

In this analysis, with the assumption of a single failure (i.e., spurious SI actuation), once the above four immediate actions are completed the following is the expected status:
  • The reactor is tripped.
  • The turbine is tripped.
  • The 4KV ESF buses are energized.

  • SI is actuated.

The SI status is determined via the procedure instruction as shown in Table 1. In this scenario, because the SI equipment is automatically actuated, the operator would not enter the response-not-obtained column.

Table 1 The procedure step of checking SI status

ACTION/EXPECTED RESPONSE

CHECK SI STATUS
a. Check if SI - ACTUATED:
   • Any SI first out annunciator - LIT
   • SI ACTUATED permissive light - LIT
   • SI equipment - AUTOMATICALLY ACTUATED:
     o Either SI pump - RUNNING
     o Either CENT CHG pump to cold leg injection isolation valve - OPEN: 1SI8801A, 1SI8801B

RESPONSE NOT OBTAINED

a. Check if SI is required:
   • PZR pressure less than or equal to 1829 PSIG
   • Steamline pressure less than or equal to 640 PSIG
   • Containment pressure greater than or equal to 3.4 PSIG
   IF SI is required, THEN manually actuate SI.
   IF SI is NOT required, THEN GO TO ES-0.1 REACTOR TRIP RESPONSE, Step 1.
b. Manually actuate SI: 1PM05J, 1PM06J

When the reactor operator (RO) is performing the immediate actions, the shift supervisor (SS), a senior reactor operator, is bringing out the E-0 procedure. Once the RO has finished the immediate response actions, the SS interacts with the RO and the auxiliary RO (ARO) to implement E-0. They start to implement E-0 from step 1. The first four steps (i.e., immediate response actions) reconfirm the immediate actions performed by the RO. Because, except for the spurious SI actuation, all components and instruments are functioning as designed and the operators are expected to be familiar with E-0, the operating crew is expected to follow the E-0 instructions with ease. After manually tripping the reactor, all procedure steps request the operator to check that the key components are automatically responding to the situation as designed, until step 18, which requires the operator to open a pressurizer isolation (or block) valve (if neither PORV is available). Table 2 provides the procedure instruction of step 18.

Table 2 The procedure step 18 that instructs establishing a PZR relief path.

ACTION/EXPECTED RESPONSE

CHECK PZR PORVS AND SPRAY VALVES
a. PORVs - CLOSED: 1RY455A, 1RY456
b. PORV isolation valves - AT LEAST ONE ENERGIZED
c. PORV relief path - AT LEAST ONE AVAILABLE:
   • PORV in - AUTO
   • Associated isolation valve - OPEN
d. Normal PZR spray valves - CLOSED: 1RY455B, 1RY455C

RESPONSE NOT OBTAINED

a. IF PZR pressure is less than 2315 PSIG, THEN manually close PORVs.
   IF any PORV can NOT be closed, THEN manually or locally close its isolation valve:
   • 1RY8000A (1RY455A) MCC 131X2B A5 (414 Q11RXB1)
   • 1RY8000B (1RY456) MCC 132X2 C4 (426 Q11 RXB1)
   IF PORV isol valve can NOT be closed, THEN GO TO 1BEP-1,
b. GO TO Step 18d.
c. Perform the following to establish a PORV relief path for any PORV NOT failed open:
   1. Place the PORV in AUTO.
   2. Open the associated PORV isolation valve.
d. IF PZR pressure is less than 2260 PSIG, THEN manually close spray valve(s).
   IF any spray valve(s) cannot be closed, THEN stop RCP(s) as necessary to stop spray flow: RCP 1D, RCP 1C, RCP 1B, RCP 1A

In cases where the initial condition is that the pressurizer PORV isolation valves are closed, the operator is expected to identify the status of the associated isolation valves (Step 18.c, bullet 2) as not open. This leads the operator to perform the actions in the response-not-obtained column of Step 18.c, which include placing the PORVs in AUTO and opening the associated PORV isolation valve.

1.2.3 Task Analysis

The operator response to this scenario starts with detecting the abnormal plant symptoms triggered by the inadvertent SI actuation. Regardless of whether the operator manually trips the reactor, the E-0 procedure will be entered. Within this procedure, the operators' main tasks are to verify that the components and systems are automatically responding to the event as designed. The main operator physical actions are opening at least one pressurizer isolation valve (Step 18.c) and resetting SI (Step 27). Both actions are performed within the main control room, and both are simple actions. Opening a pressurizer isolation valve is performed by turning the valve control switch to the open position and confirming the valve status light

changed from green to red. Resetting the SI is performed by depressing the two SI reset buttons and confirming that the action is successfully performed by verifying that the SI ACTUATED permissive light went off and the AUTO SI BLOCKED permissive light went on.

1.2.4 Relevant Operating Experience

The following event description is from [1]:

On April 17, 2005, at 8:29 a.m., Millstone Unit 3 experienced a reactor trip from 100 percent power following an unexpected A train safety injection (SI) actuation signal and main steam line isolation (MSI). Control room operators entered emergency operating procedure (EOP) E-0, Reactor Trip or Safety Injection, Revision 22, and manually actuated the B train of safety injection within 30 seconds. The first-out annunciator panel indicated that the reactor trip was caused by a Steam Line Pressure Low Isolation SI signal sensed by the solid state protection system (SSPS). The Shift Manager (SM) arrived in the control room approximately five minutes after the reactor trip and assumed Director of Site Operations (DSO) duties.

As a result of the MSI signal, the main steam isolation valves (MSIVs) and two of the four main steam line atmospheric dump valves (ADVs) automatically closed. With the closure of the MSIVs, the main steam line safety valves (MSSVs) opened to relieve secondary plant pressure. Control room operators manually actuated the B MSI train in accordance with station procedures. Both motor driven auxiliary feed water (MDAFW) pumps started to maintain steam generator levels. The turbine-driven auxiliary feedwater (TDAFW) pump attempted to start but immediately tripped on overspeed. Operators were dispatched to investigate the cause of the trip. The TDAFW pump trip was subsequently reset and the TDAFW was restarted at 10:19 a.m.

At approximately 8:42 a.m., the SM noted that a B MSSV had remained opened for an extended period of time. In consultation with the Unit Supervisor (US) and Shift Technical Advisor (STA), the SM declared an ALERT based on a stuck open MSSV. The crew determined that the stuck open MSSV represented an unisolable steam line break outside containment.

At 8:45 a.m., due to the addition of the inventory from the SI, the pressurizer reached water solid conditions and the pressurizer PORVs cycled numerous times to relieve reactor coolant system (RCS) pressure and divert the additional RCS inventory to the pressurizer relief tank (PRT). No pressurizer safety valve actuations occurred and the PRT rupture diaphragm remained intact.

The control room received reports of substantial leakage in the auxiliary building near the high head safety injection (HHSI) pumps. The leakage was coming from the packing of two valves in the HHSI system alternate minimum flow (AMF) line and was estimated to be approximately 60 gpm. Several hundred gallons spilled onto the auxiliary building floor.

At approximately 8:59 a.m., the operating crew transitioned from EOP E-0 to ES-1.1, SI Termination. The SI was reset and the crew terminated safety injection at 9:12 a.m. and normal RCS letdown was re-established at 9:20 a.m. Millstone Unit 3 entered Mode 4 [Hot Shutdown] at approximately 7:03 p.m. and the ALERT was terminated shortly thereafter. NRC Region I had been in a Monitoring Mode during the event and returned to the Normal Mode at 11:45 p.m.

1.3 HFEs

There are two HFEs identified for this initiating event: (1) open the isolated pressurizer isolation valves (OPERATOR FAILS TO OPEN PORV BLOCK VALVES); and (2) terminate the SI (OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW). The label in the PRA model for the first HFE is OPA-3 and for the second OPA-1. The expected operator response corresponding to the two HFEs is that the operator enters E-0 immediately after the inadvertent SI actuation. At E-0 Step 18.c, the operator opens the isolated pressurizer isolation valves. At E-0 step 24.e, the operator transfers to ES-1.1 to terminate the high head ECCS at ES-1.2 step 6.

The failure modes of failing to open the pressurizer isolation valves that are considered are: (1) the operator is simply slow (thinks slowly and acts slowly) in moving through the procedure; (2) the operator overlooks E-0 Step 18; and (3) the operator mistakenly thinks that at least one PORV isolation valve is already open, for reasons such as a wrong valve status indication. These three failure modes have different effects on the reliability of terminating the SI. If the reason the operator does not open the pressurizer isolation valves is slowness in thinking and action, then based on the time available for the OPA-3 (15 minutes) and OPA-1 (20 minutes) actions, the operator has little chance to perform OPA-1 in time. If the reason is that the operator overlooks E-0 Step 18.c, there is a good chance that the operator may also overlook E-0 Step 24.e, leading to not transferring to ES-1.1. If the reason is that the operator mistakenly thinks that a pressurizer isolation valve is already open, this is not expected to affect performing OPA-1. These relations are shown in Figure 1, which is the structure used to analyze the probabilities of OPA-1 and OPA-3.

[Figure 1: failure-mode tree, with the branch "Failure due to incorrectly detecting valve status (OPA-3.3)" and the terminate-SI nodes OPA-1, OPA-1.1, OPA-1.2 and OPA-1.3.]

Figure 1 Failure modes of opening a PZR isolation valve affect the success probability of terminating SI.

Based on the analysis in sections 1.3.1.3.1 to 1.3.1.3.5, the HEPs of OPA-3 are:
  HEP(OPA-3) = 3.5E-3
  HEP(OPA-3.1) = 0.0
  HEP(OPA-3.2) = 3.5E-3
  HEP(OPA-3.3) = 0.0

1.3.1 OPERATOR FAILS TO OPEN PORV BLOCK VALVES (OPA-3)

Success criteria: The task has to be completed within 15 minutes from the initiating event.

1.3.1.1 Task Description

The task (OPERATOR FAILS TO OPEN PORV BLOCK VALVES) starts from the operator detecting the plant abnormality, then following E-0 to Step 18 and opening at least one isolated pressurizer PORV isolation valve based on Step 18's instruction. The macrocognition discussion based on the overall task is the following:

Detecting the abnormal symptom: the inadvertent actuation of the SI signal causes a number of automatic component status changes related to the containment Phase A isolation, as identified in section 1.1. These changes will trigger a number of alarms. The automatic start and re-alignment of the centrifugal charging pumps and SI pumps are clear to the operators. The operators are familiar with, and are trained to pay attention to, these component statuses.

Understanding the issue and making a decision on the response plan: once the SI actuation is detected, E-0 is the procedure to enter. Operators are routinely trained on entering and implementing E-0. The understanding and decision making are based on the procedure instruction. The operator's main activity is to follow the procedure instruction in order to check plant parameter values and component statuses.

Action: The main action is to open a pressurizer isolation valve. This action is performed inside the main control room by turning the control switches of the pressurizer isolation valves from close to open and verifying that the isolation valve status indication light changed from green (close) to red (open). Another action that the operator may perform at the beginning of the scenario is to manually trip the reactor if the reactor is not automatically tripped by the SI signal. In this case, whether the operator manually trips the reactor makes little difference in the scenario from a safety standpoint because the reactor will eventually be tripped automatically on low pressurizer pressure within a couple of minutes (e.g., at about 76 seconds in the plant's safety analysis [2]) after the inadvertent SI actuation.

The key task is to open at least one pressurizer isolation valve as instructed by E-0 step 18. This is a main control room action performed by the RO: a simple task of switching a pressurizer isolation valve to the open position, carried out as teamwork between the SS and RO, with the SS reading the procedure instruction to direct and monitor the RO. Once the task is completed, the RO is expected to inform the SS that the task is performed. The actual physical activity to change the system status is to push a button (or turn a switch) to open the isolation valve.

1.3.1.2 Time Analysis

Two sources are used to assess the operator response time: the Millstone event [1] and a paper published by KAERI [3]. The first source is a real event, and the second source is based on simulator training.

Millstone Event

In the Millstone event, the operator reached E-0 Step 16, verify ECCS flow, seven minutes after the initiating event (see Table 3). Byron's E-0 has the step of verifying ECCS flow at Step 17. Immediately after step 17, the Byron E-0 Step 18 instructs opening the pressurizer isolation valves to ensure at least one pressurizer PORV path is open. Therefore, overlaying the Millstone event onto the Byron procedure, it is estimated that the operator would complete step 18 (open pressurizer isolation valves) eight minutes after the initiating event.

Table 3 The Millstone event timeline for responding time to the procedure step of check to open pressurizer isolation valves (all procedure steps are based on Millstone Unit 3 procedures)

Time (minutes)   Event Description

0 (08:29)

  • A Train SSPS Steam Line Pressure Low SI/MSI signal followed by a reactor trip: First Out alarm: Steam Line Pressure Low Isolation SI.
  • MSIVs closed as expected.
  • 3 MSS-PV20A&C, Atmospheric Dump Valves (ASDVs) open.
  • 3 MSS-PV20B&D received closed signals via MSI. (1/2 of ASDVs shut on 1/2 MSI.)
  • B S/G Safety opens.
  • The control room crew entered E-0 Reactor Trip/SI emergency response procedure.


  • At step 4 the crew initiated train B SI.
  • Terry Turbine steam supplies open and Terry Turbine trips 3 seconds later.

7 (08:36)    At E-0 Step 16 Verify ECCS Flow. Crew performed a debrief of the situation. The crew reinforced to the entire control staff that there was no Terry Turbine Aux Feed flow, B S/G Safety was still open and manual initiation of both trains SI was required. Dispatched a PEO to the Terry Turbine who verified that it was not running. Found V5 unlatched and shut. Mech Trip tappet was NOT in overspeed condition. (Crew continues to evaluate plant conditions, thought stuck S/G Safety caused SI.)
21 (08:50)   The crew decided not to make an E-2 transition based upon SI termination priority and no uncontrolled S/G pressure decrease. (Discussion occurred between US and SM. Did not meet E-2 entry conditions.)
25 (08:54)   Determined no S/G tube rupture based on no adverse S/G level trend.
30 (08:59)   Transition to ES-1.1 from E-0 Step 29.
31 (09:00)   Reset SI (ES-1.1 Step 1).
44 (09:13)   Terminated SI (ES-1.1 step 8). The charging pumps are stopped at ES-1.1 step 3.
51 (09:20)   Normal letdown established (ES-1.1 step 12).

In the Millstone event, the average time spent on a procedure step is about 75 seconds.

KAERI Simulator Analysis

The operator normal response time is based on [3], which is based on Korean crews responding to a steam generator tube rupture (SGTR) scenario. The Korean crew structure and procedures are similar to those of the Byron nuclear power plant. Without Byron plant-specific data, the data in [3] are considered a good approximation. The time data in [3] are reproduced in Table 4. KAERI's data show that the average time spent on a procedure step is about 10 seconds. The difference between the average of 75 seconds per procedure step in the Millstone event and the average of 10 seconds per procedure step in the KAERI simulator data is significant. This shows that scenario complexity can significantly affect the pace of implementing procedures.

Table 4 The time data collected in operator simulator training by KAERI [3].
Task ID   Task Description                                        Time(1) (sec)   SD(2) (sec)   Procedure Steps(3)
1         Confirming immediate responses after reactor trip      41.9            25.5          1 to 4
2         Confirming the isolation of essential valves           12.0            2.9           5 to 6
3         Confirming the operation of essential pumps            17.9            5.6           7 to 10
4         Verifying containment status                           33.9            22.3          11 to 14
5         Verifying the delivery of SI and AFW flow              55.4            27.8          15 to 18
6         Verifying the status of RCS heat removal               38.9            16.0          19 to 21
7         Entering E-3 procedure according to the status of SGs  34.7            16.3          22 to 23

(1) Averaged task performance time in seconds. (2) Standard deviation in seconds. (3) Based on the E-0 of the Korean nuclear power plant.

Discussion

In the Millstone event, the operator took about eight minutes (480 seconds) to reach the procedure step of checking that at least one PZR isolation path is open. In the KAERI simulator data, the mean time to reach the same step is about 270 seconds with a standard deviation of 100.1 seconds. The numbers are consistent with the Millstone event (eight minutes or 480 seconds).

1.3.1.3 HEP Calculation

The HEP calculation is performed by the analysis of time. This is typically based on the time data collected from simulator exercises. For time data collected from simulator exercises whose scenarios are single-failure, textbook-type scenarios, the time data are compared with the time available to check the probability of human failure due simply to insufficient time, without other complications. In most cases, the time available is expected to be sufficient. In this situation, HRA methods are used to calculate the HEPs. In this analysis, the SPAR-H [4] and NARA [5] methods are used. The final HEP is the average of the HEPs calculated by these two methods.

1.3.1.3.1 Overall HEP

SPAR-H

The SPAR-H method uses eight performance shaping factors (PSFs) to calculate the HEPs of diagnosis and action. The task's HEP is the sum of the diagnosis HEP and the action HEP. The following discusses the status of the eight performance shaping factors for diagnosis and action.

Available Time: The time available is 15 minutes. Based on the KAERI data shown in Table 4, the mean of the time required, including diagnosis and action, is estimated as 200 seconds. Based on the Millstone event timeline, the estimated time required is 10 minutes. In either case, the status of the PSF available time is normal time.

Stress/Stressor: The stress level is determined as normal because all the operator activities are within E-0 and there is no surprise, except that the SI actuation may not trip the reactor automatically.

Complexity: For diagnosis, the complexity is determined as normal because the diagnosis is based on E-0. There is no foreseeable mismatch between E-0 and the scenario. For action, turning a switch from close to open is a simple task. The status is normal.

Experience/Training: For diagnosis, this is determined as nominal because operators are trained on the inadvertent SI actuation scenario in simulator training at a frequency of about once per two years. The actions to terminate SI (the high head ECCS in this case) include resetting SI by pressing two SI reset buttons; aligning the centrifugal charging pumps' suction to the refueling water storage tank (RWST); resetting the SI recirculation sump isolation valves; resetting and opening the centrifugal charging pumps' minimum flow isolation valves; and closing the centrifugal charging pumps to cold legs injection isolation valves. All these actions are procedure-based.

Procedure: For diagnosis, the EOP is a diagnosis/symptom-oriented procedure. The status is high. For action, the procedure instruction is clear. The status is normal.

Ergonomic/HMI, fitness for duty, and work process: Their statuses are normal. The following table shows the PSF statuses and their HEP multipliers.

PSF                  Diagnosis status               Multiplier   Action status   Multiplier
Available Time       Nominal time                   1            Nominal time    1
Stress/Stressors     Nominal                        1            Nominal         1
Complexity           Nominal                        1            Nominal         1
Experience/Training  Nominal                        1            Normal          1
Procedures           Diagnostic/symptom oriented    0.5          Nominal         1
Ergonomics/HMI       Nominal                        1            Nominal         1
Fitness for Duty     Nominal                        1            Nominal         1
Work Processes       Nominal                        1            Nominal         1

Therefore, the HEP = 0.01 × 0.5 + 0.001 = 0.0055.

NARA

The NARA method calculates the HEP by mapping the task under analysis to the generic task types (GTTs) of NARA. Each GTT has a base HEP value. The final HEP is the base HEP multiplied by the multipliers of the NARA PSFs applied to the task. NARA's PSFs only have negative effects on HEP (i.e., they increase the HEP value).

The following two GTTs are identified as corresponding to the diagnosis and action portions of the HFE OPERATOR FAILS TO OPEN PORV BLOCK VALVES:
  • Simple response to a key alarm within a range of alarms/indications providing clear indication of the situation (simple diagnosis required). Response might be direct execution of simple actions or initiating other actions separately assessed. The base HEP is 0.0004.
  • Carry out simple single manual action with feedback. Skill-based and therefore not necessarily with procedure. The base HEP is 0.006.

No negative NARA PSFs are applicable to the HFE. Therefore the HEP = 0.0004 + 0.006 = 0.0064.

The average HEP of SPAR-H and NARA is used for the final HEP. The final HEP = (0.0055 + 0.0064)/2 = 6.0E-3.

1.3.1.3.2 HEP due to Slowness (HEP = 4.5E-3)

The estimates based on the KAERI simulator data and the Millstone event are 200 seconds and 10 minutes, respectively. The Millstone event is considered more complex than the event of this analysis (a single failure of inadvertent SI actuation). Because in both cases the operators did not make major mistakes, the times can be used to represent the time required to complete the task. The average of these two data sets is used for the time analysis. This gives a mean time required of 400 seconds. Based on the KAERI data, the standard deviation is about half of the time required. Therefore, a standard deviation of 200 seconds is used. Using a normal distribution with a mean of 400 seconds, a standard deviation of 200 seconds, and a time window of 15 minutes (900 seconds), the probability that a normal operating crew fails to open the pressurizer isolation valve due simply to slowness is 0.006.

Conclusion: Probability(OPA-3.1) = 0.006. This HEP is adjusted to 4.5E-3 (see section 1.3.1.3.5).

1.3.1.3.3 HEP Due to Skipping E-0 Step 18.c (HEP = 0.0015)

Among the available HRA methods, EPRI's Cause-Based Decision Tree (CBDT) [6] method and the THERP [7] method are the two published HRA methods that calculate the failure probabilities specific to certain error modes (or error mechanisms). (The IDHEAS-at-power method calculates the probability but the method has not been published in the public domain.) These two methods are used to estimate the HEP due to certain error modes.

Figure 2 CBDT's decision tree on skipping an important procedure step

Figure 3 THERP table in estimating the probability of skipping a key procedure step.

Discussion

THERP (Item 2 in Figure 3) and the CBDT (Path c in Figure 2) provide consistent estimates of 0.003 for the probability of skipping E-0 Step 18.c. Both methods include error recovery. An error recovery factor of 0.5 is applied. The final HEP is 0.0015.

1.3.1.3.4 HEP due to Misreading the PZR Isolation Valve Indication (HEP = negligible)

In CBDT, two failure mechanisms apply to this case: (1) data not attended to (i.e., the data is available but the operator fails to check for the information); and (2) data misread. The decision trees of these two failure mechanisms are shown in Figures 2 and 3. THERP's relevant failure mechanism is that the operator incorrectly reads a wrong indication. The estimated failure probabilities are shown in Figure 5.

Discussion

Based on the considered factors, the CBDT method estimates the failure probability (OPA-3.3) as negligible. THERP's estimate is between negligible and 0.0005.

Figure 4 CBDT's decision tree on "data not attended to"

Figure 5 The decision tree used to calculate the misread failure probability in the CBDT method.

Figure 6 THERP's table relevant to misreading the PZR isolation valve status indication.

1.3.1.3.5 Failure Modes and Fail Probability Discussion

Because there is a difference between the overall HEP (6E-3) and the sum of all failure-mode HEPs (7.5E-3), this analysis keeps the total HEP as 6E-3 and the HEP of skipping the critical step as 0.0015, but changes the HEP due to slowness to 4.5E-3. This is because the time HEP is sensitive to the time required and the time available. In calculating the time required, the average of the KAERI data and the Millstone data is used. The averaged time may not best reflect the time required for the scenario under analysis. Therefore, the revised HEPs, summarizing the estimates of sections 1.3.1.3.1 to 1.3.1.3.4, are:
  • The general failure probability is 6.0E-3.
  • The failure probability due to slowness is 4.5E-3.
  • The failure probability due to skipping E-0 Step 18.c is 1.5E-3.
  • The failure probability due to incorrectly detecting the PZR isolation valve status is negligible (assuming no indication failure).

1.3.2 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1)

The task OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW starts after the pressurizer isolation valves have been opened, or not opened, as instructed at E-0 step 18, and runs to the SI reset action instructed by ES-1.1. OPA-1 is further divided into the following two classes:
  • OPA-1: This assumes that the operator successfully opens the pressurizer isolation valves.
  • OPA-1.2: This assumes that the operator failed to open the pressurizer isolation valves due to overlooking E-0 Step 18.c.

1.3.2.1 OPA-1

1.3.2.1.1 Task Description

OPA-1 starts with the operators having successfully opened the pressurizer isolation valves (in E-0 Step 18). To succeed in OPA-1, the operator is expected to continue in E-0 to step 24.e, Go To ES-1.1 SI Termination Step 1. In ES-1.1, the key steps for this analysis are reset SI (step 1) and terminate high-head ECCS (step 6). At the beginning of this task, the operating crew is already in E-0 and continues following it. Between Step 18 and step 24, the potential procedure-following deviations are transferring to E-2 Faulted Steam Generator Isolation, E-3 Steam Generator Tube Rupture, and E-1 Loss of Reactor or Secondary Coolant.

1.3.2.1.2 Time Analysis

In the Millstone event, the SI was terminated 44 minutes after the initiating event. Using KAERI's 10.2 seconds per procedure step for the 30 steps in the Byron procedures needed to terminate SI (24 steps in E-0 and 6 steps in ES-1.1), 306 seconds are estimated. The average of the two is used for the time analysis, giving 1473 seconds for the mean of the time required. A standard deviation of 737 seconds is used, based on half of the time required. Two discrete values of time available are used, representing the uncertainty of the time at which a pressurizer valve would stick open from a water-solid pressurizer. The two values of time available are 15 minutes and 40 minutes. Table 5 shows the HEP due to the error mode of slowness. This is because the operators in these two data sets did not make major errors (e.g., entering an incorrect procedure).

Table 5 The HEPs based on the various combinations of the time available and time required

Time Required                                          Time Available 1200 sec (20 min.)   2400 sec (40 min)
KAERI Data (mean: 306 sec; SD: 153 sec)                Negligible                          Negligible
Averaged Data (Mean: 1473 sec; SD: 737 sec)            0.64                                0.10
Millstone Event Data (Mean: 2640 sec; SD: 1320 sec)    0.86                                0.57

1.3.2.1.3 HEP Calculation

SPAR-H

SPAR-H uses eight performance shaping factors (PSFs) to calculate the HEPs of diagnosis and action. The task's HEP is the sum of the diagnosis HEP and the action HEP. The following discusses the statuses of the eight performance shaping factors for diagnosis and action.

Available Time: Based on the time analysis discussed in the previous section (section 1.3.2.1.2), the available time ranges from inadequate to expansive time. Table 6 shows

19 the statuses of the available time factor for diagnosis. Table 6 assessment is based on using the time available to subtract the expected action time to become the time available for diagnosis. The action time is calculated by the average time spent on each step multiples the procedure steps in performing the action (in ES.1-1). This makes the time available for the action of all cases as normal. Table 6 The status of time available factor in SPAR-H of various cases HEP Time Available 1200 sec (20 min.) 2400 sec (40 min) Time Required KAREI Data (Tdiagnosis: 245 sec; Taction: 61 sec) Normal Time Expansive Time Averaged Data (Tdiagnosis: 1178 sec; Taction: 295 sec) Barely Adequate Time Extra Time Millstone Event Data (Tdiagnosis: 2112 sec; Taction: 528 sec) Inadequate Time Barely Adequate Time Stress/Stressor: The stress level is determined as normal because there is no immediate safety concern to the operators. Complexity: For diagnosis, the complexity of KAREI is determined as normal. The average case, the complexity level is moderately high (HEP multiplier is 2). The Millstone event the complexity is highly complex (HEP multiplier is 5). The operators have to successfully conclude that the event is not any of the MSLB, SGTR, and LOCA event. The indications is expected to be clear to reach the conclusion. Experience/Training: For diagnosis, this is determined as normal. Even though the operator is routinely trained on diagnosing a MSLB, SGTR, and LOCA event, diagnosing all of them successfully makes the determination as normal instead of high. For action, the actions are discrete actions to be performed in the order as instructed by the procedure. The experience/training for action is normal. Procedure: For diagnosis, the EOP is a diagnosis/symptom oriented procedure. The status is high. For action, the procedure instruction is clear. The status is normal. Ergonomic/HMI, fitness for duty, and work process: Their statuses are normal. 
The SPAR-H PSF statuses are shown in Table 7. The final SPAR-H HEPs are shown in Table 8.

Table 7 The PSF statuses and their HEP modification factors

PSF                   Diagnosis Status             Diagnosis Multiplier   Action Status   Action Multiplier
Available Time        Nominal time                 Varies                 Nominal time    1
Stress/Stressors      Nominal                      1                      Nominal         1
Complexity            Nominal                      1                      Nominal         1
Experience/Training   Normal                       1                      High            1
Procedures            Diagnostic/symptom oriented  0.5                    Nominal         1
Ergonomics/HMI        Nominal                      1                      Nominal         1
Fitness for Duty      Nominal                      1                      Nominal         1
Work Processes        Nominal                      1                      Nominal         1

Table 8 The SPAR-H HEPs for various situations

Time Required           HEP, Time Available = 1200 sec (20 min)   HEP, Time Available = 2400 sec (40 min)
KAREI Data              6E-3                                      1.1E-3
Averaged Data           0.1                                       3E-3
Millstone Event Data    1.0                                       0.26

NARA

The following two GTTs are identified as corresponding to the diagnosis and action portions of the HFE of OPA-1:

Judgement needed for appropriate procedure to be followed, based on interpretation of alarms/indications, situation covered by training at appropriate intervals. The base HEP is 0.01.
Start or reconfigure a system from the Main Control Room following procedures, with feedback. The base HEP is 0.001.

In NARA, two PSFs are applicable to the analysis: time pressure and unfamiliarity. The time pressure factor is described as follows: a shortage of time would tend to increase the likelihood of the operator failing to successfully complete the required action. This may be due to the operator feeling under pressure to complete the action within a short interval, or not having sufficient time to review and adjust the actions attempted. The maximum value by which the time pressure factor can affect the base HEP is 11. Table 9 shows the multipliers used for this calculation. The values are calculated by the following rule: if the time available is greater than 2 times the time required, the multiplier is 1; otherwise, the multiplier is calculated in proportion to the ratio of the time required to the time available.

Table 9 The multipliers used for time stress to calculate the NARA HEP

Time Required                          Time Stress Factor, Time Available = 1200 sec (20 min)   Time Stress Factor, Time Available = 2400 sec (40 min)
KAREI Data (mean: 306 sec)             1                                                        1
Averaged Data (mean: 1473 sec)         11                                                       7.1
Millstone Event Data (mean: 2640 sec)  11                                                       11

Unfamiliarity is explained as follows: under optimum conditions the operators would be fully familiar with the alarms for which a response is required. This would be achieved by ensuring that the operators were provided with adequate procedures to guide the response, a means of promptly accessing the correct procedures, and training to ensure familiarity with the actions required. In NARA, unfamiliarity has a maximum effect of 20. The Millstone event is considered a maximally unfamiliar scenario. Table 10 shows the unfamiliarity multiplier.

Table 10 NARA unfamiliarity multiplier

Time Required                          Unfamiliarity Factor, Time Available = 1200 sec (20 min)   Unfamiliarity Factor, Time Available = 2400 sec (40 min)
KAREI Data (mean: 306 sec)             1                                                          1
Averaged Data (mean: 1473 sec)         10.5                                                       10.5
Millstone Event Data (mean: 2640 sec)  20                                                         20

Table 11 shows the HEPs calculated by NARA.

Table 11 NARA HEPs

Time Required                          HEP, Time Available = 1200 sec (20 min)   HEP, Time Available = 2400 sec (40 min)
KAREI Data (mean: 306 sec)             0.011                                     0.011
Averaged Data (mean: 1473 sec)         1                                         0.82
Millstone Event Data (mean: 2640 sec)  1                                         1

The final HEPs are calculated by averaging the SPAR-H and NARA HEPs, as shown in Table 12.

Table 12 The averaged HEPs

Time Required                          Average HEP, Time Available = 1200 sec (20 min)   Average HEP, Time Available = 2400 sec (40 min)
KAREI Data (mean: 306 sec)             8.5E-3                                            6.1E-3
Averaged Data (mean: 1473 sec)         0.55                                              0.41
Millstone Event Data (mean: 2640 sec)  1                                                 0.63

1.3.2.2 OPA-1.2

1.3.2.2.1 Task Description

OPA-1.2 is performing SI termination in the condition that the operator omitted E-0 Step 18.c to open at least one pressurizer isolation valve.

1.3.2.2.2 Time Analysis

Millstone Event [1]

The Millstone inadvertent SI actuation event shows that the time an operator would take to perform a diagnosis depends strongly on context. Table 5 shows the relevant timeline of the Millstone event and the corresponding E-0 steps of Millstone and Byron. Table 5 implies that the Millstone operator took four minutes to complete the diagnosis that the event was not an SGTR. Compared to the average 34.7 seconds observed in KAERI's simulator data (3), the time required is significantly different. This is due to the other component failures (e.g., B SG safety valve stuck open) and the complications due to scenario evolution (e.g., the pressurizer became water solid).

Table 13 The diagnosis timeline of entering ES-1.1 to reset SI in the Millstone event

Time   Event Description                                                                                                   E-0 Step
0829   The initiating event occurred.
0850   The crew decided not to make an E-2 transition based upon SI termination priority and no uncontrolled S/G         Millstone - 25; Byron - 21
       pressure decrease. (Discussion occurred between US and SM. Did not meet E-2 entry conditions.)
0854   Determined no S/G tube rupture based on no adverse S/G level trend.                                                 Millstone - 26; Byron - 22

Based on the failure mode that the operator fails to open a pressurizer isolation valve due to overlooking E-0 Step 18.c, it is expected that the operator will proceed to Step 24.e within 110 minutes. This estimation is based on the simulator time data in (3). Until this time, no scenario complication is expected. Therefore, the operator is expected to reach E-0 Step 24.e to transfer to ES-1.1 Step 1 to terminate SI without scenario complication.

Comment [HD1]: It is not clear how this time relates to the earlier time estimates.

1.3.2.2.3 HEP Calculation

The independent HEP of OPA-1.2 is the same as that of OPA-1. The HEP is 3.9E-3. However, because the operator erroneously omitted the step of opening a pressurizer isolation valve, there could be dependency in omitting the step of terminating SI. Based on the dependency model presented in NUREG-1921 "Fire HRA" (Figure 7), the dependency level is high dependency (Sequence 8 of Figure 7). This changes the HEP to about 0.5.

Figure 7 The NUREG-1921 dependency model (dependency decision tree; columns: Dependence Level, Case, Intervening Success, Crew, Cognitive, Cue, Demand, Stress, Sequential, Timing, Location, Manpower; outcomes CD, HD, MD, LD, ZD)

2 Main Steamline Break

The MSLB event assumes an MSL break before the main steam isolation valve (or the fast acting steamline stop valves in B/B) that immediately actuates the SI signal and a reactor trip. The peak containment pressure is assumed to be less than 20 psig. If the containment peak pressure is greater than 20 psig, the operator would need to stop all reactor coolant pumps (RCPs), check the containment spray eductor suction flow, and align cooling towers.

Success criteria: terminate SI within 60 minutes from the initiating event.

2.1 Results Summary

Figure 9 is a summary of the Item 5 analysis results. For the ex-CTMT MSLB event, it is assumed that 50% of the time there are zero (0%) false secondary radiation alarms and 50% of the time there are 50% false secondary radiation alarms.

For the 0% false alarm case, the probability of deciding to enter E-3 is 0.00045. Once in E-3, the operator does not have sufficient time to terminate SI. The probability of deciding not to enter E-3 is 0.99955; in this condition, there is an HEP of 0.005 due to an action error of failing to terminate SI. For the 50% false alarm case, the probability of deciding to enter E-3 is 0.15. Once in E-3, the operator does not have sufficient time to terminate SI. The probability of deciding not to enter E-3 is 0.85; in this condition, there is an HEP of 0.239 of failing to terminate SI, of which 0.234 is due to insufficient time and 0.005 is due to other reasons. For the in-CTMT MSLB event, the HEP is 1.0 due to insufficient time. Therefore, the HEP for the ex-containment event is 0.202 (= 0.5 × 0.99955 × 0.005 + 0.5 × 0.00045 × 1.0 + 0.5 × 0.85 × 0.239 + 0.5 × 0.15 × 1.0). The HEP for in-containment is 1.0.

Figure 9 Summary of the MSLB SI termination HEPs (event tree):
Ex-CTMT MSLB, 0% false alarms (P = 0.5): Not Enter E-3 (p = 0.99955), HEP = 0.005 (Pt = 2E-6; Pc = 0.005); Enter E-3 (p = 0.00045), HEP = 1.0 (Pt = 1.0)
Ex-CTMT MSLB, 50% false alarms (P = 0.5): Not Enter E-3 (p = 0.85), HEP = 0.239 (Pt = 0.234; Pc = 0.005); Enter E-3 (p = 0.15), HEP = 1.0 (Pt = 1.0)
In-CTMT MSLB: HEP = 1.0 (Pt = 1.0)

2.2 Scenario Analysis and Operational Narrative

2.2.1 Plant Responses

Following a MSLB event, section 15.1.5 of the B/B UFSAR states the plant responses as follows: The major break of a steamline is the most limiting RCS cooldown transient. The steam release arising from a break of a main steamline would result in an initial increase in steam flow which decreases during the accident as the steam pressure falls. The energy removal from the RCS causes a reduction of coolant temperature and pressure. Decay heat would retard the cooldown, thereby reducing the return to power. The following functions provide the protection for a steamline break:

a. Safety injection system actuation from any of the following:
1. Two-out-of-three low steamline pressure signals in any one loop
2. Two-out-of-four low pressurizer pressure signals


3. Two-out-of-three high-1 containment pressure signals.
b. The overpower reactor trips (neutron flux and ) and the reactor trip occurring in conjunction with receipt of the safety injection signal.
c. Redundant isolation of the main feedwater lines. Sustained high feedwater flow would cause additional cooldown. Therefore, in addition to the normal control action which will close the main feedwater valves a safety injection signal will rapidly close all feedwater control valves and backup feedwater isolation valves, trip the main feedwater pumps, and close the feedwater pump discharge valves.
d. Trip of the fast acting steamline stop valves on:
1. Two-out-of-three low steamline pressure signals in any one loop.
2. Two-out-of-three high-2 containment pressure signals.
3. Two-out-of-three high negative steamline pressure rate signals in any one loop (used only during cooldown and heatup operations).

Steam release from more than one steam generator will be prevented by the automatic trip of the fast acting isolation valves in the steamlines by low steamline pressure signals, high containment pressure signals, or high negative steamline pressure rate signals. The steamline stop valves are designed to be fully closed in less than 5 seconds from receipt of a closure signal.

2.2.2 Operator Responses

Immediately after the MSLB, the reactor trip and the SI actuation signal occur automatically. After confirming a reactor trip, the RO performs the immediate actions according to emergency operating procedure (EOP) E-0 Reactor Trip or Safety Injection. In the meantime, the main control room shift supervisor would bring up E-0 Reactor Trip and Safety Injection to implement the procedure with the RO and ARO. E-0 instructs the operators to check that the systems and components automatically responding to the event are responding as expected. At E-0 Step 14 (check if main steamlines should be isolated), the operator would check the SG pressures and identify that the faulted SG pressure is less than 640 psig. Because of the fast acting steamline stop valves, the intact SG pressures are expected to be significantly higher than that of the faulted SG, which is below 640 psig. This gives the operator the first indication of the troubled SG. E-0 Step 21 (check if SG secondary pressure boundaries are intact) directs the operators to transfer to E-2 Faulted Steam Generator Isolation if any SG pressure is dropping in an uncontrolled manner or any SG is completely depressurized. E-2 Step 6 directs the operators to check the secondary radiation trends and sample the secondary radiation. If the secondary radiation indication is abnormal, the procedure instructs the operator to transfer to E-3 Steam Generator Tube Rupture. A note in the procedure states that a MSLB outside of the containment may cause the secondary radiation monitors to fail high due to elevated area temperature. Therefore, if a MSLB occurred inside the containment, the secondary radiation alarms are expected to fail high due to elevated temperature. If the operator does not transfer to E-3 from E-2 Step 6, at E-2 Step 7 the operator would enter ES-1.1 SI Termination to terminate SI.

2.2.3 Task Analysis

The cue that leads the operator to enter E-0 is salient. The plant parameters and procedure instructions are clear for the operators to follow E-0 Step 21, check if SG secondary pressure boundaries are intact. The following is this step's instruction:

Check pressure in all SGs:
No SG pressure dropping in an uncontrolled manner
No SG completely depressurized

If the answer to either of the above two bullets is NO, then the operator should enter E-2 Faulted SG Isolation. If the operator enters E-2, E-2 Step 6 is another cognitive challenge that directs the operators to check the secondary radiation to decide whether E-3 SGTR should be entered. A MSLB outside of the containment could trigger false secondary radiation alarms that would increase the likelihood of a misdiagnosis leading to entering E-3. If the operator mistakenly enters E-3 based on the secondary radiation indications shown in the main control room, E-2 Step 6 instructs the operator to ask the chemistry department to periodically sample the SGs for radiation. The sample results would redirect the shift supervisor to return from E-3 to E-2 Step 6. If the operator did not enter E-3, E-2 Step 8 would direct the operators to transfer to ES-1.1 to terminate SI. If the operator mistakenly enters E-3, the operators' diagnosis is likely a combination of MSLB and SGTR scenarios because of a clear MSLB symptom (a depressurized SG) and the false secondary radiation alarms. The chance for the operator to re-conclude that there is no SGTR is by sampling SG radiation, which has to be done on site by chemistry staff. Another symptom for identifying an ongoing SGTR is a rising SG water level. This symptom would be hard to detect in a MSLB event because the faulted SG water level indication is below zero due to blowdown, and the intact SG water levels are affected by AFW, which makes detecting an uncontrolled SG water level rise challenging.
2.2.4 Relevant Events

Turkey Point 3 safety valve header failure (December 1971; ML003736245; not publicly available)

Early on the morning of the incident the hot-functional tests were nearing completion and preparations were under way for rolling the turbine. The header failed ~ 15 min prior to the shift change, so that only personnel from the midnight crew and some of the day-shift crew who had come early were present. Equilibrium conditions of 547F and 2235 psig had been established in the primary cooling system for > 8 hrs. prior to the header failure. Three primary pumps were in service, one charging pump was operating, and letdown flow through the mixed-bed demineralizer was 60 gpm. The pressurizer pressure and level controls were on automatic. Boration of the primary system was the only test procedure in progress and this operation had been established ~ 2 hrs prior to the incident. The secondary-system pressure had been established at 990 psig for > 8 hrs., the main steam-line isolation bypass valves were closed, the main FW and FW bypass valves were closed, and the steam-generator feed pumps were off. The secondary system was operating under static-load conditions only.

The initial indication in the control room was a loud noise that sounded like escaping steam. The operators then observed a rapid decrease in pressurizer level and pressure, a rapid decrease in the temperatures of the hot and cold legs of the loop and in the average loop temperature, a rapid decrease in steam-generator level, closure of the letdown valve, and a trip of the pressurizer heater. From the console the operators immediately stopped the 3 primary pumps, started a 2nd charging pump, closed the FW valve to the steam generator, closed the atmospheric steam-dump valves on the other 2 loops, and initiated makeup of primary water to restore the level in the volume-control tank. The pressurizer level was restored to normal within 15 min and then one of the charging pumps was stopped and a 45-gpm letdown was established. When conditions had stabilized, the coolant pump in the failed loop was restarted and an orderly cooldown was initiated. No personnel were on the steam line platform at the time of the incident, but the blast and debris associated with the escaping steam resulted in minor injury to 16 people, 2 of whom required hospitalization. Since the safety valve headers are located upstream of the isolation valves on the main steam lines, a complete blowdown of steam generator 3A occurred, accompanied by partial cooldown of the reactor coolant system. When the steam blowing had subsided, it was observed that 3 of the 4 safety valves had blown off the header on one steam loop and that the north segment of the header was split open.

H.B. Robinson 2 Circumferential Pipe Rupture-Blowdown (April 1970; ML003736245; not publicly available)

The steam generator secondary system safety valve lift set pressure was being checked. Verification of safety valve set points and adjustments as necessary were being performed using a pneumatic test device which allows the set points to be verified without having the system pressure up to lift pressure. The plant was operating at 533F and 2225 psi primary system pressure with a secondary system pressure of 900 psi and a constant level in the steam generator. Eight of a total of 12 valves had been tested. The pneumatic test device had been installed on the valve and air pressure was being increased to relax the valve spring force, to make a determination of the valve set pressure. A loud noise was heard followed by a shower of steam, insulation, scaffolding, metal parts and construction debris. The men in the vicinity of the valve were either knocked to the deck by the explosion or were forced to lie down due to lack of air to breathe. The rapid release of steam displaced the air from the area above the pipe requiring the men to stay in a position near the floor. They made their way out of the area and down the steps away from the immediate scene of the incident on their own power. The men were transported to a local hospital and treated for burns and injuries. One man was released. The other 6 were admitted to the hospital for treatment. The initial noise was immediately followed by a second louder noise or sound. The initial steam accumulation in the area of the break spread in an almost horizontal plane, followed by the formation of a vertical column of steam which rose an estimated 150 ft into the air. There was an area of localized cutting of insulation on a nearby line on a horizontal plane from the break. This damage suggests an initial crack in the pipe. Steam apparently was directed horizontally in this direction for a brief period of time prior to a complete severance of the pipe and expulsion of the total valve assembly from the area by the force of the steam jet. Such a sequence of events is also suggested by the reported 2 stages of sound, the appearance of the

fracture, and the direction of travel of the separated valve. The valve was propelled against the structural members supporting the steam lines and rebounded back toward the turbine building. The valve came to rest on the turbine building mezzanine floor. In addition to striking the supporting structure, the valve struck and carried away an angle brace and dented and moved the stack from the auxiliary boilers, causing its supports to bend and break away. There was no conclusive evidence to show that this valve actually reached its set point and "popped". At the time of the incident a loud noise was heard by the control operator followed by a rapid decrease in pressurizer level and pressure. In addition, level decreased rapidly in the "C" steam generator and reactor coolant system temperature began to rapidly decrease. Action was taken by the control operator to secure all 3 reactor coolant pumps. Two additional charging pumps were placed in service and letdown was secured to minimize the effects of pressurizer level and pressure decrease. Pressurizer heaters were manually de-energized prior to reaching the automatic heater cutoff set point on pressurizer low level. Even though the pressurizer level decreased off scale, it is not believed that the pressurizer steam bubble expanded out of the surge line. The level in steam generator "C" decreased to zero in ~ 1 hr. The overall transient caused the reactor coolant system to cool down approximately 213F over 1 hr.

Millstone Event (as described in Section 1.2.4)

The Millstone event is a combination of an inadvertent SI actuation and a SG safety valve stuck open. The procedure following path and cognitive challenge are relevant to the MSLB event.

2.3 HFE

The HFE of isolating SI in a MSLB scenario can be represented by the crew response diagram shown in Figure 8. Figure 8 shows the potential procedure following paths as explained below (the numbering below corresponds to the block numbers in Figure 8):

1. Enter E-0 Step 1 due to confirmation of a reactor trip and SI signal
2. At E-0 Step 21: check the SG secondary pressure boundary by whether any SG pressure is dropping in an uncontrolled manner or any SG is completely depressurized. If any SG secondary pressure boundary is breached (the expected detection), then transfer to E-2 Step 1 (Item 3). If all SG secondary pressure boundaries are intact (an incorrect detection), then continue to E-0 Step 22.
3. Transfer to and enter E-2 Step 1.
4. E-2 Step 6: check the secondary radiation. If the radiation level is normal, then transfer to ES-1.1 (Item 5). If the radiation is abnormal, then transfer to E-3 (Item 6). The shift supervisor requests the chemistry department to periodically sample all SGs for radiation.

Note: A MSLB that occurred outside of the containment may cause the secondary radiation monitors to fail high due to elevated area temperatures.

5. Enter ES-1.1 to terminate SI. The success criterion is to terminate SI within 60 minutes from the initiating event.
6. Enter E-3: This is due to a misdiagnosis; the operator mistakenly concluded that the secondary radiation level is abnormal.
7. Sample SG radiation as instructed by E-2 Step 6.


8. Check if SG tubes are intact. If intact, the procedure path leads to entering ES-1.1 to terminate SI. If not intact, E-3 is entered.
9. Enter ES-1.1 to terminate SI.
10. Enter E-3. The E-3 has instruction to request sampling SG radiation (Item 11).
11. Sample SG radiation as instructed by E-3 step ??. If the sampling concludes there is no radiation, the operator would return to E-0 Step 22, which in turn would lead to ES-1.1.

A delayed sampling result would result in the lift of pressurizer safety valves.

Figure 8 The potential procedure following paths (crew response diagram; blocks 1 to 11 as numbered above, with decision blocks 2, E-0 Step 21 (OPA-2.1), 8, E-0 Step 22 (OPA-2.2), and 4, E-2 Step 6 (OPA-2.3); branch labels Intact / Not Intact, Radiation Normal / Radiation Abnormal, Sample SG Radiation in Time Yes / No, and PZR safety valve lift)

2.3.1 HEP (Item 2)

HEP = Negligible. Item 2 is to check the SG secondary pressure boundary at E-0 Step 21. The loud steam leaking noise, as indicated in both the Turkey Point 3 and H.B. Robinson 2 events (in section 2.2.4), and a clear depressurization of the faulted SG provide clear indication that the SG secondary integrity has been breached.

THERP

The corresponding error modes include:

Miss the procedure step: HEP = .003, EF = 3 (Table 20-7 Item 2, Long list, > 10 items)
Select an incorrect display: The SG pressure displays are dissimilar to the adjacent displays. HEP = negligible (Table 20-9, Item 1).

Misread the display: The operator only needs to know that a SG pressure is much lower than the other SGs' pressures; the operator does not need to know the exact faulted SG pressure. The reading is a status reading. Therefore, Table 20-11 Item 8 (Confirming a status change on a status lamp) applies. HEP = negligible.

CBDT

The corresponding error modes include:

Relevant step in procedure missed: HEP = .003 (Pce path c)
Misread or miscommunicated: HEP = negligible (Pcc path a)

Discussion

Both THERP and CBDT estimate a basic HEP of .003. Two factors are expected to significantly reduce the HEP estimate: (1) the loud noise caused by the MSLB, which makes the operator immediately aware that the secondary side is abnormal; and (2) the MSLB is a frequently trained simulator scenario, with the operators receiving MSLB scenario simulator training about three times a year. For the above reasons, the probability of skipping the procedure step is determined as negligible.

2.3.2 HEP (Item 4); HEP (in-containment) = 1.0; HEP (ex-containment) = 0.075

E-2 Step 6: check the secondary radiation. This step instructs the operators to check the following radiation indications to determine the transfer to E-3 SGTR:

SJAE/Gland Steam Exhaust Gas
SG Blowdown Liquid
Radiation: Main Steamline 2A, MSIV Rm; Main Steamline 2B, MSIV Rm; Main Steamline 2C, MSIV Rm; Main Steamline 2D, MSIV Rm
Secondary activity samples (measured at a frequency of about once per hour)

The following assumptions are applied to this analysis. More precise estimates require a plant walk-through that is not available to this analysis:

1. If the MSLB break is inside the containment, it is assumed that almost all of the above radiation indications will fail high.
2. If the MSLB break is outside of the containment, there is a 50% chance that 50% of the secondary radiation indications listed above will fail high. Taking a secondary activity sample cannot be performed due to the adverse environmental effects caused by the MSLB.

2.3.2.1 In-Containment MSLB; HEP = 1.0

Because all radiation indications failed high, the probability that the operators transfer to E-3 is one.

2.3.2.2 Ex-Containment MSLB; HEP = 0.075

The ex-containment MSLB assumes that there is a 50% chance that 50% of the secondary radiation indications listed above will fail high. These two situations are discussed separately:

50% of the secondary radiation alarms failed high. Conditional probability is 50%.
No secondary radiation alarm failed high. Conditional probability is 50%.

2.3.2.2.1 50% of the secondary radiation alarms failed high; HEP = 0.15

SPAR-H

Table 14 SPAR-H evaluation when 50% of the secondary radiation indications fail high due to an ex-containment MSLB

PSF                   Diagnosis Status   Multiplier   Justification
Available Time        Nominal time       1
Stress/Stressors      High               2            Encountering a major event with many secondary radiation alarms.
Complexity            Highly complex     5            50% false indications.
Experience/Training   Normal             1            MSLB simulation is performed three times a year, but 50% false alarms is less frequently trained.
Procedures            Normal             1
Ergonomics/HMI        Nominal            1
Fitness for Duty      Nominal            1
Work Processes        Nominal            1

The HEP (of Table 6) is 0.01 × 2 × 5 × 0.5 = 0.1.

NARA

Applying the generic task "Identification of situation requiring interpretation of complex pattern of alarms/indications". Base HEP = 0.2.

The averaged HEP is 0.15.

2.3.2.2.2 No secondary radiation alarm failed high; HEP = 0.00045

SPAR-H

Table 15 SPAR-H evaluation when 50% of the secondary radiation indications fail high due to an ex-containment MSLB

PSF                   Diagnosis Status    Multiplier   Justification
Available Time        Nominal time        1
Stress/Stressors      Normal              1            Familiar scenario as trained in simulator.
Complexity            Obvious diagnosis   0.1          No false alarms.
Experience/Training   High                0.5          MSLB simulation is performed three times a year.
Procedures            Normal              1
Ergonomics/HMI        Nominal             1
Fitness for Duty      Nominal             1
Work Processes        Nominal             1

The HEP is 0.01 × 0.1 × 0.5 = 0.0005.

NARA

Applying the generic task "Simple response to a key alarm within a range of alarms/indications providing clear indication of situation (simple diagnosis required)". Base HEP is 0.0004. The averaged HEP is 0.00045 [(0.0005 + 0.0004)/2].

The averaged final HEP for an ex-containment MSLB is 0.075 [(0.15 + 0.00045)/2].

2.3.3 HEP (Item 5)

ES-1.1 includes two essential operator actions of interest to this analysis:

Reset SI (Step 1)
Terminate high head ECCS (Step 6). This can only be performed when Step 1 is completed.

Including the diagnosis process, the high head ECCS needs to be terminated within 60 minutes from the initiating event. The following two procedure following paths would reach Item 5, ES-1.1. These two paths are analyzed separately:

Path 1: Item 1 -> Item 2 -> Item 3 -> Item 4 -> Item 5
Path 2: Item 1 -> Item 2 -> Item 3 -> Item 4 -> Item 6 -> Item 7 -> Item 5

2.3.3.1 Path 1; HEP = 0.122

Time analysis: Three data sets are compared. The Turkey Point 3 safety valve header failure event description states "The pressurizer level was restored to normal within 15 min and then one of the charging pumps was stopped and a 45-gpm letdown was established." Corresponding to the Byron procedure, E-2 Step 7.d is maintaining PZR water level, and E-2 Step 7.e is transferring to ES-1.1. Stopping a charging pump is instructed in ES-1.1 Step 6. Completing ES-1.1 within 60 minutes is considered success in this analysis. In the Millstone event, the operator took 21 minutes to reach the E-0 step determining whether E-2 should be entered; this corresponds to Byron E-0 Step 21. KAERI data show that the operators on average spent 200 seconds reaching the E-0 step diagnosing a SGTR event; this corresponds to Byron E-0 Step 22. Comparing these three sets of data, KAERI has the fastest pace in following the procedures, followed by Turkey Point 3. The Turkey Point 3 event occurred in 1971, when symptom-based procedures were not available. From the onsite observation report, the Turkey Point control room operators seem to have entered the E-2 procedure promptly. The Millstone event represents a more complicated scenario.

IDHEAS-G provides a table identifying the factors that affect the time required to complete a task, reproduced in Table 16. It is concluded that the time variability among the three data sets above is dominated by the diagnosis time, which in turn depends on scenario complexity. Therefore, the Path 1 time assessment is divided into the following two situations:
  Situation A: Ex-containment MSLB without triggering false secondary radiation alarms
  Situation B: Ex-containment MSLB triggering 50% false secondary radiation alarms

In Situation A, the Turkey Point 3 time data are used. Three minutes are added to the 15 minutes in the data to cover the time needed to transfer to ES-1.1 and to perform ES-1.1 through Step 6, so the time required is estimated as 18 minutes. Based on the KAERI data, on average the standard deviation of the time required is about one half of the mean time required. Applying this to the analysis, with a normal distribution having a mean time required of 18 minutes and a standard deviation of 9 minutes, and a time available of 60 minutes, the result is an HEP of 2E-6.

Situation B represents a complicated diagnosis situation with 50% false secondary radiation alarms in which the operators choose not to enter E-3. The Millstone event time data are used. A crew briefing is likely to take place to discuss the situation and to reach consensus on not entering E-3; a crew briefing occurred in the Millstone event to discuss whether E-2 should be entered. In the Millstone event it took 44 minutes to terminate SI, and this is used as the mean time required. The standard deviation is assumed to be 22 minutes, one half of the mean. With a normal distribution having a mean of 44 minutes, a standard deviation of 22 minutes, and a time available of 60 minutes, the result is an HEP of 0.234.

Because Situation A and Situation B are each assigned a conditional probability of 50%, the HEP due to insufficient time is the average of the two HEPs, 0.117.

Table 16 The factors affecting the variability of time required

Cognitive task     Factors contributing to the time required
Detection          Travel to the source location of information; prepare and calibrate equipment needed for detection; detect/attend to an indication; confirm and verify the indicators; record and communicate the detected information.
Diagnosis          Assess the information needed for diagnosis, such as knowledge and status of a valve, pump, heater, battery, etc.; integrate low-level information to create and/or determine high-level information; identify plant status and/or conditions based on several parameters, symptoms and the associated knowledge; collect information and delineate complex information such as a mass and/or energy flow involving two or more system functions; delineate conflicting information and unstable trends of parameters (e.g., interpret SG pressure trends when one train has failed); wait for continuous or dynamic information from the system to complete the diagnosis; verify the diagnosis results or reach a team consensus.
Decision-making    Prioritize goals; establish decision criteria; collect, interpret and integrate data to satisfy the decision; make the decision (determine parameters, choose strategies or develop a plan); coordinate the decision-makers (especially with a hierarchy of decision-making or a distributed decision-making team), achieve the consensus needed for the decision, or wait for certain information in order to make the decision; simulate or evaluate the outcome of the decision.
Action             Evaluate the action plan and coordinate staff; travel to and access the action site; time to acquire (deploy, install, calibrate) the tools and equipment (e.g., put on gloves) to perform the actions; time needed for action implementation (action steps, continuous action, and required timing of steps); confirmation of the actions, waiting for system feedback.

Cognitive analysis

Terminate SI is an action task because the diagnosis is led by the procedure.

Table 17 SPAR-H action table for performing SI termination

PSF                   Status         Multiplier   Notes
Available Time        Nominal time   1
Stress/Stressors      Normal         1
Complexity            Normal         1
Experience/Training   High           0.5
Procedures            Normal         1
Ergonomics/HMI        Nominal        1
Fitness for Duty      Nominal        1
Work Processes        Nominal        1

The HEP is 0.001 × 0.5 = 0.005. This action failure probability applies to both Situation A and Situation B of the time analysis above. The final HEP of Path 1 is 0.122 (= 0.117 + 0.005).

2.3.3.2 Path 2; HEP = 1.0

Path 2 represents the scenario in which the operators misdiagnose an ongoing SGTR and transfer to E-3 from E-2 Step 6. E-3 Step 22 instructs the operator to terminate the high head ECCS (SI). However, before reaching Step 22 the operators need to identify and isolate the ruptured SG(s) and cool down and depressurize the RCS. Because there is no SGTR, the scenario and the procedure are mismatched. The operators are judged to be trapped performing these two key steps and unable to terminate SI within 60 minutes.

2.3.4 HEP Summary

Figure 9 summarizes the Item 5 analysis results. For the ex-CTMT MSLB event, it is assumed that 50% of the time there are no (0%) false secondary radiation alarms and 50% of the time 50% of the secondary radiation alarms are false.

For the 0% false alarm case, the probability of deciding to enter E-3 is 0.00045. Once in E-3, the operators do not have sufficient time to terminate SI. The probability of deciding not to enter E-3 is 0.99955; in this condition there is an HEP of 0.005 due to an action error in terminating SI.

For the 50% false alarm case, the probability of deciding to enter E-3 is 0.15. Once in E-3, the operators do not have sufficient time to terminate SI. The probability of deciding not to enter E-3 is 0.85; in this condition there is an HEP of 0.239 of failing to terminate SI, of which 0.234 is due to insufficient time and 0.005 to the action error.

For the in-CTMT MSLB event, the HEP is 1.0 due to insufficient time.

Therefore, the HEP for the ex-containment event is given as 0.202:

  HEP = 0.5 × 0.99955 × 0.005 + 0.5 × 0.00045 × 1.0 + 0.5 × 0.85 × 0.239 + 0.5 × 0.15 × 1.0

The HEP for the in-containment event is 1.0.
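The Path 1 time analysis (a normal time-required distribution with standard deviation one half of the mean, compared against the 60-minute time available), the SPAR-H multiplier product of Table 17, and the Figure 9 tree combination are all short arithmetic, and a reviewer of an HRA will want to reproduce them rather than take the quoted figures on trust. The Python below is an added worked example; it is not part of the NRC document, and the function names are my own. The inputs are the numbers given in the text (18 and 44 minutes mean time required, the nominal action HEP of 0.001, the Table 17 multipliers, and the branch probabilities of Figure 9). Two things are worth checking with it: the Table 17 multipliers give 0.001 × 0.5 = 0.0005, whereas the text carries 0.005 forward, and the four-branch sum for the ex-containment event, evaluated with the leaf values the text lists, comes to about 0.179 rather than the 0.202 quoted. The code keeps the text's leaf values so that each figure can be traced to its source.

```python
"""Reproduce the Item 5 HEP bookkeeping (added example; not from the NRC document).

Inputs are the values stated in the text; function names are the example's own.
"""
import math


def normal_exceedance(mean: float, sd: float, available: float) -> float:
    """P(T_required > T_available) when T_required ~ Normal(mean, sd).

    This is the 'insufficient time' probability Pt used in the text: the
    operator fails when the time needed exceeds the time available.
    """
    z = (available - mean) / sd
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def time_hep(mean_required: float, available: float, sd_ratio: float = 0.5) -> float:
    """Pt with the document's convention (from the KAERI data) that the
    standard deviation is one half of the mean time required."""
    return normal_exceedance(mean_required, sd_ratio * mean_required, available)


def spar_h_pc(nominal: float, multipliers: dict) -> float:
    """SPAR-H failure probability: nominal HEP times the product of the PSF
    multipliers (every nominal PSF contributes a factor of 1)."""
    pc = nominal
    for value in multipliers.values():
        pc *= value
    return pc


def average_over_situations(heps: dict, weights: dict) -> float:
    """Weighted average over mutually exclusive conditional situations."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("situation weights must sum to 1")
    return sum(weights[k] * heps[k] for k in heps)


def event_tree_hep(branches) -> float:
    """Sum over end states of (probability of reaching the end state) x (HEP there)."""
    return sum(p_branch * hep for p_branch, hep in branches)


# --- Path 1 time analysis, numbers from the text ---------------------------
TIME_AVAILABLE_MIN = 60.0
pt_situation = {
    "A: no false radiation alarms": time_hep(18.0, TIME_AVAILABLE_MIN),   # text: 2E-6
    "B: 50% false radiation alarms": time_hep(44.0, TIME_AVAILABLE_MIN),  # text: 0.234
}
pt_path1 = average_over_situations(pt_situation, {k: 0.5 for k in pt_situation})

# --- Pc from the Table 17 PSF multipliers (nominal action HEP 0.001) -----
TABLE_17 = {
    "available_time": 1.0, "stress": 1.0, "complexity": 1.0,
    "experience_training": 0.5, "procedures": 1.0, "ergonomics": 1.0,
    "fitness_for_duty": 1.0, "work_processes": 1.0,
}
pc_table17 = spar_h_pc(0.001, TABLE_17)  # 0.0005 from the multipliers as tabulated
PC_IN_TEXT = 0.005                        # the value the document carries forward


def ex_containment_tree(pc: float = PC_IN_TEXT) -> float:
    """Figure 9 tree for the ex-containment MSLB, with the leaf HEPs the text gives.

    Branch order: (false-alarm case weight) x (decision branch), leaf HEP.
    """
    branches = [
        (0.5 * 0.99955, pc),          # 0% false alarms, not E-3: action error only
        (0.5 * 0.00045, 1.0),         # 0% false alarms, enter E-3: no time
        (0.5 * 0.85, 0.234 + pc),     # 50% false alarms, not E-3: time + action
        (0.5 * 0.15, 1.0),            # 50% false alarms, enter E-3: no time
    ]
    return event_tree_hep(branches)


if __name__ == "__main__":
    for name, pt in pt_situation.items():
        print(f"Pt, situation {name}: {pt:.3g}")
    print(f"Pt for Path 1 (average of A and B): {pt_path1:.3f}")
    print(f"Pc from Table 17 multipliers: {pc_table17:.4f} (text uses {PC_IN_TEXT})")
    print(f"Ex-containment tree HEP as written: {ex_containment_tree():.3f}")
```

Running the script prints each Pt, the averaged Path 1 Pt, the Table 17 product beside the text's 0.005, and the tree total; changing the `pc` argument of `ex_containment_tree` to `pc_table17` shows how much of the ex-containment result depends on which action-error figure is used.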

Figure 9 The MSLB HEP summary (event tree; only the branch labels and end-state values survive from the figure)

EX-CTMT MSLB
  0% false alarms (P = 0.5)
    Not enter E-3, p = 0.99955 : HEP = 0.005 (Pt = 2E-6; Pc = 0.005)
    Enter E-3,     p = 0.00045 : HEP = 1.0 (Pt = 1.0)
  50% false alarms (P = 0.5)
    Not enter E-3, p = 0.85    : HEP = 0.239 (Pt = 0.234; Pc = 0.005)
    Enter E-3,     p = 0.15    : HEP = 1.0 (Pt = 1.0)
IN-CTMT MSLB                   : HEP = 1.0 (Pt = 1.0)

References:

1. Millstone Power Station Unit 3 - NRC Special Inspection Report 05000423/2005012.
2. Byron Nuclear Power Station, Updated Final Safety Analysis Report, Chapter 15.6.
3. Park, J. and Jung, W., "A study on the development of a task complexity measure for emergency operating procedures of nuclear power plants," Reliability Engineering and System Safety, 92 (2007), 1102-1116.
4. Gertman, D., Blackman, H., Marble, J., Byers, J. and Smith, C., The SPAR-H Human Reliability Analysis Method, NUREG/CR-6883, 2005.
5. Kirwan, B., Gibson, H., Kennedy, R., Edmunds, J., Cooksley, G., and Umbers, I. (2004), Nuclear Action Reliability Assessment (NARA): A data-based HRA tool. In Probabilistic Safety Assessment and Management 2004, Spitzer, C., Schmocker, U., and Dang, V.N. (Eds.), London, Springer, pp. 1206-1211.
6. Parry, G., Lydell, B., Spurgin, A., Moieni, P., and Beare, A., "An approach to the analysis of operator actions in probabilistic risk assessment", EPRI TR-100259, June 1992.
7. Swain, A. and Guttmann, H., "Handbook of human reliability analysis with emphasis on nuclear power plant applications", U.S. NRC NUREG/CR-1278, 1983.

Contents

1 Spurious Safety Injection .... 3
1.1 Results Summary .... 3
1.2 Scenario Analysis and Operational Narrative .... 4
1.2.1 Plant Responses .... 4
1.2.2 Operator Responses .... 5
1.2.3 Task Analysis .... 8
1.2.4 Relevant Operating Experience .... 8
1.3 HFEs .... 9
1.3.1 OPERATOR FAILS TO OPEN PORV BLOCK VALVES (OPA-3) .... 9
1.3.1.1 Task Description .... 9
1.3.1.2 Time Analysis .... 10
1.3.1.3 HEP Calculation .... 11
1.3.1.3.1 Pt Calculation .... 12
1.3.1.3.2 Pc - SPAR-H .... 13
1.3.1.3.3 Pc - NARA .... 15
1.3.1.3.4 Final HEP .... 15
1.3.2 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1) .... 16
1.3.2.1 HEP Calculation .... 16
1.3.2.1.1 Time Distribution HEP .... 16
1.3.2.1.2 Pc - SPAR-H .... 17
1.3.2.1.3 Pc - NARA .... 18
1.3.2.1.4 Final HEP .... 19
2 Main Steamline Break .... 21
2.1 Results Summary .... 21
2.2 Scenario Analysis and Operational Narrative .... 22
2.2.1 Plant Responses .... 22
2.2.2 Operator Responses .... 22
2.2.3 Task Analysis .... 23
2.2.4 Relevant Events .... 23
2.3 HFE .... 26
2.3.1 HEP (Item 2); HEP = Negligible .... 27
2.3.2 HEP (Item 4) .... 28
2.3.2.1 Ex-Containment MSLB .... 28
2.3.2.1.1 50% of the secondary radiation alarms failed high; HEP = 0.15 .... 28
2.3.2.1.2 No secondary radiation alarm failed high; HEP = 0.00045 .... 29
2.3.2.2 In-Containment MSLB .... 29
2.3.3 HEP (Item 5) .... 29
2.3.3.1 Path 1 .... 29
2.3.3.1.1 Pt - Path 1 .... 29
2.3.3.1.2 Pc - Path 1 .... 31
2.3.3.2 Path 2 .... 32
2.3.4 HEP Results .... 32

1 Spurious Safety Injection

Subject of interest: The probability that the operator does not open at least one pressurizer isolation (a.k.a. block) valve in time, leading to a water-solid pressurizer and passing of RCS water through a pressurizer safety relief valve, all following a spurious safety injection (SI) occurring at full power operation.

Success criteria:
  Operator opens a pressurizer isolation (a.k.a. block) valve to prevent a pressurizer safety valve lift within 15 minutes or 40 minutes from the initiating event.
  Operator terminates the SI within 20 minutes or 40 minutes from the initiating event.

1.1 Results Summary

The estimated HEPs are shown in the figure and tables below.

[Figure: event tree with the column headings "Open a PZR Isolation Valve (Table 10)", "Terminate SI (Table 18)", "Terminate SI (Table 19)" and end states "success" / "fail"; only the headings survive in the text.]

Table 10 The HEPs of not opening a PZR isolation valve in time

Time available: 900 sec (15 min.)

Time required (data set)                                       HEP
KAERI data (Tdiagnosis: 152 sec; Taction: 9 sec)               5.8E-3
Averaged data (Tdiagnosis: 286 sec; Taction: 35 sec)           6.0E-3
Millstone event data (Tdiagnosis: 420 sec; Taction: 60 sec)    4.6E-2

Table 18 The final independent HEP of not terminating SI in time

Average HEP by time available
Time required (data set)                1200 sec (20 min.)   2400 sec (40 min.)
KAERI data (mean: 306 sec)              3.5E-3               1E-3
Averaged data (mean: 1473 sec)          0.65                 0.1
Millstone event data (mean: 2640 sec)   0.885                0.59

Table 19 The final dependent HEP of not terminating SI in time

Average HEP by time available
Time required (data set)                1200 sec (20 min.)   2400 sec (40 min.)
KAERI data (mean: 306 sec)              0.5                  0.5
Averaged data (mean: 1473 sec)          0.65                 0.5
Millstone event data (mean: 2640 sec)   0.885                0.59

1.2 Scenario Analysis and Operational Narrative

1.2.1 Plant Responses

The B/B-UFSAR states: A spurious (SI) signal initiated after the logic circuitry in one solid-state protection system train for any of the following engineered safety feature (ESF) functions could cause this incident by actuating the ESF equipment associated with the affected train.

a. High containment pressure,
b. Low pressurizer pressure, or
c. Low steamline pressure.

Following the actuation signal, the suction of the coolant charging pumps diverts from the volume control tank to the refueling water storage tank. Simultaneously, the valves isolating the charging pumps from the injection header automatically open and the normal charging line isolation valves close. The charging pumps force the borated water from the refueling water storage tank (RWST) through the pump discharge header, the injection line, and into the cold leg of each loop. The passive accumulator tank safety injection and low head system are available. However, they do not provide flow when the reactor coolant system (RCS) is at normal pressure. A safety injection (SI) signal normally results in a direct reactor trip and a turbine trip. However, any single fault that actuates the ECCS will not necessarily produce a reactor trip.

If an SI signal generates a reactor trip, the operator should determine if the signal is spurious. If the SI signal is determined to be spurious, the operator should terminate SI and maintain the plant in the hot-standby condition as determined by appropriate recovery procedures. If repair of the ESF actuation system instrumentation is necessary, future plant operation will be in accordance with the Technical Specifications. If the SI results in discharge of coolant through the pressurizer safety relief valves, the operators will bring the plant to cold shutdown in order to inspect the valves. If the reactor protection system does not produce an immediate trip as a result of the spurious SI signal, the reactor experiences a negative reactivity excursion due to the injected boron, which causes a decrease in reactor power. The power mismatch causes a drop in Tavg and consequent coolant shrinkage. The pressurizer pressure and water level decrease. Load decreases due to the effect of reduced steam pressure on load after the turbine throttle valve is fully open. If automatic rod control is used, these effects will lessen until the rods have moved out of the core. The transient is eventually terminated by the reactor protection system low pressurizer pressure trip or by manual trip. The time to trip is affected by initial operating conditions. These initial conditions include the core burnup history, which affects initial boron concentration, rate of change of boron concentration, and Doppler and moderator coefficients. After the actuation of a SI signal, regardless of how the signal is actuated, the following ECCS actions are designed to take place because of interlocks with the SI signal:

1. Centrifugal charging pumps start on "S" signal.
2. RWST suction valves to the charging pumps open on "S" signal.
3. Safety injection containment isolation valves open on "S" signal.
4. Normal charging path valves close on "S" signal.
5. Charging pump miniflow isolation valves CV8110 and CV8111 close on "S" signal, concurrent with LO-2 RWST level.
6. Charging pump miniflow isolation valves CV8114 and CV8116 close on low RCS pressure in conjunction with an "S" signal. These valves open to protect the pump should the RCS pressure increase above the open setpoint with an "S" signal present.
7. Safety injection pumps start on "S" signal.
8. The RHR pumps start on "S" signal.
9. VCT outlet isolation valves close on "S" signal.

1.2.2 Operator Responses

Assuming the reactor is at full power operation, after a spurious actuation of a SI signal without the expected accompanying reactor trip, nuclear power starts decreasing immediately due to boron injection, but steam flow does not decrease until later in the transient, when the turbine throttle valve is wide open. The mismatch between load and nuclear power causes Tavg, pressurizer water level, and pressurizer pressure to drop. Without operator intervention, the reactor trips and control rods start moving into the core when the pressurizer pressure reaches the pressurizer low pressure trip setpoint. In the Chapter 15 safety analysis, the reactor is calculated to trip automatically at about 76 seconds after the SI actuation if the SI signal does not cause an automatic reactor trip and the operator does not manually trip the reactor before the automatic trip.

Whether or not the reactor is tripped immediately by the SI signal, the operator responses in the two cases are very similar. After verifying a SI actuation, the operator performs the immediate actions of emergency operating procedure (EOP) E-0, Reactor Trip or Safety Injection, which are summarized as follows:
  Verify the reactor is tripped. If the reactor is not tripped, then manually trip the reactor.
  Verify the turbine is tripped. If the turbine is not tripped, then manually trip the turbine.
  Verify electric power is available to the 4 kV engineered safety feature (ESF) buses.
  Check SI status. If SI is required, then manually actuate SI if it is not already actuated. If SI is not required, then transfer to procedure ES-0.1, Reactor Trip Response.

In this analysis, with the assumption of a single failure (i.e., the spurious SI actuation), once the above four immediate actions are completed the expected status is:
  The reactor is tripped.
  The turbine is tripped.
  The 4 kV ESF buses are energized.
  SI is actuated.

The SI status is determined via the procedure instruction shown in Table 1. In this scenario, because the SI equipment is automatically actuated, the operator would not enter the response-not-obtained column. The point of Table 1 is that SI is not needed in this scenario: the response-not-obtained column offers an opportunity to transfer to ES-0.1, but there is no path by which the operator moves to that column.

Table 1 The procedure step of checking SI status

ACTION/EXPECTED RESPONSE
CHECK SI STATUS
a. Check if SI - ACTUATED:
   Any SI first out annunciator - LIT
   SI ACTUATED permissive light - LIT
   SI equipment - AUTOMATICALLY ACTUATED:
     o Either SI pump - RUNNING
     o Either CENT CHG pump to cold leg injection isolation valve - OPEN: 1SI8801A, 1SI8801B

RESPONSE NOT OBTAINED
a. Check if SI is required:
   PZR pressure less than or equal to 1829 PSIG
   Steamline pressure less than or equal to 640 PSIG
   Containment pressure greater than or equal to 3.4 PSIG
   IF SI is required, THEN manually actuate SI.
   IF SI is NOT required, THEN GO TO ES-0.1, REACTOR TRIP RESPONSE, Step 1.
b. Manually actuate SI: 1PM05J, 1PM06J

While the reactor operator (RO) is performing the immediate actions, the shift supervisor (SS), a senior reactor operator, brings out the E-0 procedure. Once the RO has finished the immediate response actions, the SS works with the RO and the auxiliary RO (ARO) to implement E-0, starting from Step 1. The first four steps (i.e.,

immediate response actions) are to reconfirm the immediate actions performed by the RO. Because, apart from the spurious SI actuation, all components and instruments are functioning as designed and the operators are expected to be familiar with E-0, the operating crew is expected to follow the E-0 instructions with ease. After manually tripping the reactor, all procedure steps request the operator to check that the key components are automatically responding to the situation as designed, until Step 18, which requires the operator to open a pressurizer isolation (or block) valve if neither PORV is available. Table 2 provides the procedure instruction of Step 18.

Table 2 The procedure Step 18 that instructs establishing a PZR relief path

ACTION/EXPECTED RESPONSE
CHECK PZR PORVS AND SPRAY VALVES
a. PORVs - CLOSED: 1RY455A, 1RY456
b. PORV isolation valves - AT LEAST ONE ENERGIZED
c. PORV relief path - AT LEAST ONE AVAILABLE:
   PORV in - AUTO
   Associated isolation valve - OPEN
d. Normal PZR spray valves - CLOSED: 1RY455B, 1RY455C

RESPONSE NOT OBTAINED
a. IF PZR pressure is less than 2315 PSIG, THEN manually close PORVs.
   IF any PORV can NOT be closed, THEN manually or locally close its isolation valve:
     1RY8000A (1RY455A) MCC 131X2B A5 (414 Q11RXB1)
     1RY8000B (1RY456) MCC 132X2 C4 (426 Q11 RXB1)
   IF PORV isol valve can NOT be closed, THEN GO TO 1BEP-1,
b. GO TO Step 18d.
c. Perform the following to establish a PORV relief path for any PORV NOT failed open:
   1. Place the PORV in AUTO.
   2. Open the associated PORV isolation valve.
d. IF PZR pressure is less than 2260 PSIG, THEN manually close spray valve(s).
   IF any spray valve(s) cannot be closed, THEN stop RCP(s) as necessary to stop spray flow: RCP 1D, RCP 1C, RCP 1B, RCP 1A

In cases where the initial condition is that the pressurizer PORV isolation valves are closed, the operator is expected to identify the status of the associated isolation valves (Step 18.c, second bullet) as not open. This leads the operator to perform the actions in the response-not-obtained column of Step 18.c, which include placing the PORVs in AUTO and opening the associated PORV isolation valve.

Operators receive SI inadvertent actuation simulator training at a frequency of about once per two years.

1.2.3 Task Analysis

The operator response to this scenario starts with detecting the plant abnormal symptoms triggered by the inadvertent SI actuation. Regardless of whether the operator manually trips the reactor, the E-0 procedure will be entered. Within this procedure, the operators' main tasks are to verify that the components and systems are automatically responding to the event as designed. The main operator physical actions are opening at least one pressurizer isolation valve (Step 18.c) and resetting SI (Step 27). Both actions are performed within the main control room, and both are simple actions. Opening a pressurizer isolation valve is performed by turning the valve control switch to the open position and confirming that the valve status light changed from green to red. Resetting the SI is performed by depressing the two SI reset buttons and confirming that the action succeeded by verifying that the SI ACTUATED permissive light went off and the AUTO SI BLOCKED permissive light came on.

1.2.4 Relevant Operating Experience

The following event description is from [1]:

On April 17, 2005, at 8:29 a.m., Millstone Unit 3 experienced a reactor trip from 100 percent power following an unexpected A train safety injection (SI) actuation signal and main steam line isolation (MSI). Control room operators entered emergency operating procedure (EOP) E-0, Reactor Trip or Safety Injection, Revision 22, and manually actuated the B train of safety injection within 30 seconds. The first-out annunciator panel indicated that the reactor trip was caused by a Steam Line Pressure Low Isolation SI signal sensed by the solid state protection system (SSPS). The Shift Manager (SM) arrived in the control room approximately five minutes after the reactor trip and assumed Director of Site Operations (DSO) duties.
As a result of the MSI signal, the main steam isolation valves (MSIVs) and two of the four main steam line atmospheric dump valves (ADVs) automatically closed. With the closure of the MSIVs, the main steam line safety valves (MSSVs) opened to relieve secondary plant pressure. Control room operators manually actuated the B MSI train in accordance with station procedures. Both motor driven auxiliary feed water (MDAFW) pumps started to maintain steam generator levels. The turbine-driven auxiliary feedwater (TDAFW) pump attempted to start but immediately tripped on overspeed. Operators were dispatched to investigate the cause of the trip. The TDAFW pump trip was subsequently reset and the TDAFW was restarted at 10:19 a.m. At approximately 8:42 a.m., the SM noted that a B MSSV had remained opened for an extended period of time. In consultation with the Unit Supervisor (US) and Shift Technical Advisor (STA), the SM declared an ALERT based on a stuck open MSSV. The crew determined that the stuck open MSSV represented an unisolable steam line break outside containment.

At 8:45 a.m., due to the addition of the inventory from the SI, the pressurizer reached water-solid conditions and the pressurizer PORVs cycled numerous times to relieve reactor coolant system (RCS) pressure and divert the additional RCS inventory to the pressurizer relief tank (PRT). No pressurizer safety valve actuations occurred and the PRT rupture diaphragm remained intact. The control room received reports of substantial leakage in the auxiliary building near the high head safety injection (HHSI) pumps. The leakage was coming from the packing of two valves in the HHSI system alternate minimum flow (AMF) line and was estimated to be approximately 60 gpm. Several hundred gallons spilled onto the auxiliary building floor. At approximately 8:59 a.m., the operating crew transitioned from EOP E-0 to ES-1.1, SI Termination. The SI was reset and the crew terminated safety injection at 9:12 a.m., and normal RCS letdown was re-established at 9:20 a.m. Millstone Unit 3 entered Mode 4 [Hot Shutdown] at approximately 7:03 p.m. and the ALERT was terminated shortly thereafter. NRC Region I had been in a Monitoring Mode during the event and returned to the Normal Mode at 11:45 p.m.

1.3 HFEs

Two HFEs are identified for this initiating event: (1) open the isolated pressurizer isolation valves (OPERATOR FAILS TO OPEN PORV BLOCK VALVES); and (2) terminate the SI (OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW). The PRA model label for the first HFE is OPA-3 and for the second OPA-1.

1.3.1 OPERATOR FAILS TO OPEN PORV BLOCK VALVES (OPA-3)

Success criteria: The task has to be completed within 15 minutes from the initiating event.

1.3.1.1 Task Description

The task (OPERATOR FAILS TO OPEN PORV BLOCK VALVES) starts from the operator detecting the plant abnormality, then following E-0 to Step 18 and opening at least one isolated pressurizer PORV isolation valve based on the Step 18 instruction.
The macrocognition discussion based on the overall task is the following:

Detecting the abnormal symptom: the inadvertent actuation of the SI signal causes a number of automatic component status changes related to the containment Phase A isolation, as identified in Section 1.2.1. These changes trigger a number of alarms. The automatic start and realignment of the centrifugal charging pumps and SI pumps are clear to the operators. The operators are familiar with, and are trained to pay attention to, these component statuses.

Understanding the issue and deciding on a response plan: once the SI actuation is detected, E-0 is the procedure to enter. Operators are routinely trained on entering and implementing E-0. Understanding and decision-making are based on the procedure instructions; the operators' main activity is to follow them in order to check plant parameter values and component statuses.

Action: the main action is to open a pressurizer isolation valve. This action is performed inside the main control room by turning the control switches of the pressurizer isolation valves from close to open and verifying that the isolation valve status indication light changed from green (closed) to red (open). Another action that the operator may perform at the beginning of the scenario is to manually trip the reactor if the reactor is not automatically tripped by the SI signal. In this case, whether the operator manually trips the reactor makes little difference to the scenario from a safety standpoint, because the reactor will eventually be tripped automatically on low pressurizer pressure within a couple of minutes (at about 76 seconds in the plant's safety analysis [2]) of the inadvertent SI actuation.

The key task is to open at least one pressurizer isolation valve as instructed by E-0 Step 18. This is a simple main control room action performed by the RO, switching a pressurizer isolation valve to the open position, carried out as teamwork between the SS and the RO: the SS reads the procedure instruction to direct the RO and monitors the RO performing the task. Once the task is completed, the RO is expected to inform the SS that it has been performed. The actual physical activity that changes the system status is pushing a button (or turning a switch) to open the isolation valve.

1.3.1.2 Time Analysis

Two sources are used to assess the operator response time: the Millstone event [1] and a paper published by KAERI [3]. The first source is a real event; the second is based on simulator training.

Millstone Event

In the Millstone event, the operators reached E-0 Step 16, Verify ECCS Flow, seven minutes after the initiating event (see Table 3). Byron's E-0 has the step of verifying ECCS flow at Step 17. Immediately after Step 17, Byron E-0 Step 18 instructs opening the pressurizer isolation valves to ensure that at least one pressurizer PORV path is open. Therefore, mapping the Millstone event onto the Byron procedure, it is estimated that the operator would complete Step 18 (open pressurizer isolation valves) eight minutes after the initiating event.
Table 3 The Millstone event timeline of the response time to the procedure step of checking/opening the pressurizer isolation valves (all procedure steps are based on Millstone Unit 3 procedures)

Time (minutes)  Event Description

0 (08:29):
  • A Train SSPS Steam Line Pressure Low SI/MSI signal followed by a reactor trip: First Out alarm: Steam Line Pressure Low Isolation SI.
  • MSIVs closed as expected.
  • 3 MSS-PV20A&C, Atmospheric Dump Valves (ASDVs) open.
  • 3 MSS-PV20B&D received closed signals via MSI. (1/2 of ASDVs shut on 1/2 MSI.)
  • B S/G Safety opens.
  • The control room crew entered E-0 Reactor Trip/SI emergency response procedure.
  • At step 4 the crew initiated train B SI.
  • Terry Turbine steam supplies open and Terry Turbine trips 3 seconds later.

7 (08:36): At E-0 Step 16 Verify ECCS Flow. Crew performed a debrief of the situation. The crew reinforced to the entire control staff that there was no Terry Turbine Aux Feed flow, B S/G Safety was still open and manual initiation of both trains SI was required. Dispatched a PEO to the Terry Turbine who verified that it was not running. Found V5 unlatched and shut. Mech Trip tappet was NOT in overspeed condition. (Crew continues to evaluate plant conditions, thought stuck S/G Safety caused SI.)

21 (08:50): The crew decided not to make an E-2 transition based upon SI termination priority and no uncontrolled S/G pressure decrease. (Discussion occurred between US and SM. Did not meet E-2 entry conditions.)

25 (08:54): Determined no S/G tube rupture based on no adverse S/G level trend.

30 (08:59): Transition to ES-1.1 from E-0 Step 29.

31 (09:00): Reset SI (ES-1.1 Step 1).

44 (09:13): Terminated SI (ES-1.1 Step 8). The charging pumps are stopped at ES-1.1 Step 3.

51 (09:20): Normal letdown established (ES-1.1 Step 12).

In the Millstone event, the average time spent on a procedure step is about 75 seconds.

KAERI Simulator Analysis

The operator normal response time is based on [3], which reports Korean crews responding to a steam generator tube rupture (SGTR) scenario. The Korean crew structure and procedures are similar to those of the Byron nuclear power plant. Without Byron plant-specific data, the data in [3] are considered a good approximation. The time data in [3] are reproduced in Table 4. KAERI's data show that the average time spent on a procedure step is about 10 seconds. The difference between the average of 75 seconds per procedure step in the Millstone event and the average of 10 seconds per procedure step in the KAERI simulator data is significant. This shows that scenario complexity can significantly affect the pace of implementing procedures.

Table 4 The time data collected in operator simulator training by KAERI [3].

Task ID  Task Description                                        Time1 (sec)  SD2 (sec)  Procedure Steps3
1        Confirming immediate responses after reactor trip       41.9         25.5       1 to 4
2        Confirming the isolation of essential valves            12.0         2.9        5 to 6
3        Confirming the operation of essential pumps             17.9         5.6        7 to 10
4        Verifying containment status                            33.9         22.3       11 to 14
5        Verifying the delivery of SI and AFW flow               55.4         27.8       15 to 18
6        Verifying the status of RCS heat removal                38.9         16.0       19 to 21
7        Entering E-3 procedure according to the status of SGs   34.7         16.3       22 to 23

1 Averaged task performance time in seconds.
2 Standard deviation in seconds.
3 Based on the E-0 of the Korean nuclear power plant.

1.3.1.3 HEP Calculation

In this analysis, three approaches are used to calculate the HEP: time distribution, SPAR-H [4] and NARA [5]. Consistent with IDHEAS-G's guidance, the final HEP uses the following equation:

HEP = Pt + Pc    (Eq. 1)

where Pt is the HEP due simply to insufficient time available: the operators do not make a major mistake (e.g., entering a wrong procedure or performing an incorrect action that complicates the scenario), but run out of time. Pc is the HEP contributed by all factors other than insufficient time available. In this analysis, Pt is calculated from time data obtained from relevant simulator data (KAERI) and a real event (the Millstone event). Pc is calculated as the average of the SPAR-H and NARA HRA method results.

1.3.1.3.1 Pt Calculation

The HEP calculation is performed by an analysis of time.

Time Available

Two time available values are provided for this analysis: 20 minutes and 40 minutes. The 20 minutes is the estimated time at which the PZR will become water solid, leading to opening of the PZR SRVs. After the PZR is water solid, the SRV starts to cycle open to maintain the PZR pressure. The 40 minutes is the estimated time at which the SRV is assumed to stick open. The 20 minutes represents a conservative assumption that once the SRV is opened by water it would stick open, leading to an un-isolable loss of coolant accident (LOCA).

Time Required

Based on the KAERI data, the procedure step of opening a PZR isolation valve corresponds to Task ID 5 in Table 4. This results in a mean time of 161.1 seconds and a standard deviation of 84.1 seconds. Based on the Millstone event, the estimated time to reach the procedure step for opening the PZR isolation valve is about 8 minutes. A standard deviation of 4 minutes (i.e., half of the time required) is used for this analysis. Table 5 shows the HEP results using a normal distribution with the time data from KAERI and the Millstone event, and their average, calculated against the time available of 20 minutes and 40 minutes.

Table 5 HEP calculated based on various time required and time available

HEP                                                     Time Available
                                                        900 sec (15 min.)
Time Required
  KAERI Data (mean: 161 sec; SD: 84 sec)               Negligible
  Averaged Data (mean: 321 sec; SD: 162 sec)           2.0E-4
  Millstone Event Data (mean: 480 sec; SD: 240 sec)    4.0E-2

1.3.1.3.2 Pc - SPAR-H

The SPAR-H method uses eight performance shaping factors (PSFs) to calculate the HEPs of diagnosis and action. The task's HEP is the sum of the diagnosis HEP and the action HEP. The following discusses the status of the eight performance shaping factors for diagnosis and action.

Available Time: The time available is 15 minutes. The total time required is divided into Tdiagnosis and Taction. This is done by calculating Taction first; Tdiagnosis is then the total time minus Taction. In the KAERI time data, the total time represents the performance of 18 procedure steps, so Taction is 1/18 of the total time. In the Millstone event, one minute was assumed for Taction. The status of the available time is shown in Table 6. Because part of the available time's effect on the HEP is covered in Pt, only the positive available time effect (i.e., a multiplier less than one) is considered. If the multiplier is greater than one, the multiplier is set to one.

Table 6 The status of available time

Available Time Status                                          Time Available
                                                               900 sec (15 min.)
Time Required
  KAERI Data (Tdiagnosis: 152 sec; Taction: 9 sec)            Normal Time
  Averaged Data (Tdiagnosis: 286 sec; Taction: 35 sec)        Normal Time
  Millstone Event Data (Tdiagnosis: 420 sec; Taction: 60 sec) Normal Time

Stress/Stressor: The stress level is determined as normal because all the operator activities are within E-0 and there is no surprise, except that the SI actuation may not trip the reactor automatically.

Complexity: For diagnosis, the complexity is determined as normal because the diagnosis is based on E-0. There is no foreseeable mismatch between E-0 and the scenario. For action, turning a switch from close to open is a simple task. The status is normal.

Experience/Training: For diagnosis, this is determined as nominal because operators are trained on the inadvertent SI actuation scenario in simulator training at a frequency of about once per two years. The actions to terminate SI (the high head ECCS in this case) include resetting SI by pressing two SI reset buttons; aligning the central charging pumps' suction to the refueling water storage tank (RWST); resetting the SI recirculation sump isolation valves; resetting and opening the central charging pumps' minimum flow isolation valves; and closing the central charging pumps' cold leg injection isolation valves. All these actions are procedure-based.

Procedure: For diagnosis, the EOP is a diagnosis/symptom oriented procedure. The status is high. For action, the procedure instruction is clear. The status is normal.

Ergonomic/HMI, fitness for duty, and work process: Their statuses are normal.

Table 7 shows the PSF statuses and their HEP modification factors.

Table 7 The SPAR-H PSF statuses.

PSF                    Diagnosis                                  Action
                       Status                       Multiplier    Status          Multiplier
Available Time         Normal                       1             Nominal time    1
Stress/Stressors       Nominal                      1             Nominal         1
Complexity             Nominal                      1             Nominal         1
Experience/Training    Nominal                      1             Normal          1
Procedures             Diagnostic/symptom oriented  0.5           Nominal         1
Ergonomics/HMI         Nominal                      1             Nominal         1
Fitness for Duty       Nominal                      1             Nominal         1
Work Processes         Nominal                      1             Nominal         1

Table 8 SPAR-H calculated HEPs.

Available Time Status                                          Time Available
                                                               900 sec (15 min.)
Time Required
  KAERI Data (Tdiagnosis: 152 sec; Taction: 9 sec)            5.5E-3
  Averaged Data (Tdiagnosis: 286 sec; Taction: 35 sec)        5.5E-3
  Millstone Event Data (Tdiagnosis: 420 sec; Taction: 60 sec) 5.5E-3

1.3.1.3.3 Pc - NARA

NARA calculates the HEP by mapping the task under analysis to NARA's generic task types (GTTs). Each GTT has a base HEP value. The final HEP is the base HEP multiplied by the multipliers of the NARA PSFs applied to the task. NARA's PSFs only have negative effects on the HEP (i.e., they increase the HEP value). The following two GTTs are identified as corresponding to the diagnosis and action portions of the HFE OPERATOR FAILS TO OPEN PORV BLOCK VALVES:

  • Simple response to a key alarm within a range of alarms/indications providing clear indication of the situation (simple diagnosis required). Response might be direct execution of simple actions or initiating other actions separately assessed. The base HEP is 0.0004.
  • Carry out simple single manual action with feedback. Skill-based and therefore not necessarily with procedure. The base HEP is 0.006.

No negative NARA PSFs are applicable to the HFE. Therefore the HEP = 0.0004 + 0.006 = 0.0064.

The average HEPs of SPAR-H and NARA are shown in Table 9.

Table 9 The average HEPs of NARA and SPAR-H

Available Time Status                                          Time Available
                                                               900 sec (15 min.)
Time Required
  KAERI Data (Tdiagnosis: 152 sec; Taction: 9 sec)            5.8E-3
  Averaged Data (Tdiagnosis: 286 sec; Taction: 35 sec)        5.8E-3
  Millstone Event Data (Tdiagnosis: 420 sec; Taction: 60 sec) 5.8E-3

1.3.1.3.4 Final HEP

The final HEP is calculated based on the maximum of the time calculation and the method calculation. The method calculation uses the average of the SPAR-H and NARA results. Table 10 shows the results.

Table 10 The final HEPs for opening the PZR isolation valve

Available Time Status                                          Time Available

                                                               900 sec (15 min.)
Time Required
  KAERI Data (Tdiagnosis: 152 sec; Taction: 9 sec)            5.8E-3
  Averaged Data (Tdiagnosis: 286 sec; Taction: 35 sec)        6.0E-3
  Millstone Event Data (Tdiagnosis: 420 sec; Taction: 60 sec) 4.6E-2

1.3.2 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1)

The task OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW starts after the pressurizer isolation valves have been opened (or not opened) as instructed at E-0 step 18 and ends with the resetting SI action instructed by ES-1.1.

1.3.2.1 HEP Calculation

1.3.2.1.1 Time Distribution HEP

Time Available

Two time available values are provided: 20 minutes and 40 minutes. In the Millstone event, the SI was terminated 44 minutes after the initiating event. Using KAERI's average of 10.2 seconds for each procedure step, for the 30 steps needed to terminate SI (24 steps in E-0 and 6 steps in ES-1.1) in the Byron procedures, a total time required of 306 seconds is estimated. The simulator time (KAERI) and the Millstone event time are used for this analysis. The average time is used for the time analysis. This results in 1473 seconds for the mean of the time required. A standard deviation of 737 seconds is used, based on half of the time required. Two discrete time available values are used, representing the uncertainty in the time at which a pressurizer valve would stick open from a water solid pressurizer. The two time available values are 15 minutes and 40 minutes. Table 11 shows the HEP due to the error mode of slowness. This is because the operators in these two data sets did not make major errors (e.g., entering an incorrect procedure).

Table 11 The HEPs based on the various combinations of the time available and time required

HEP                                                      Time Available
                                                         1200 sec (20 min.)   2400 sec (40 min.)
Time Required
  KAERI Data (mean: 306 sec; SD: 153 sec)               Negligible           Negligible
  Averaged Data (mean: 1473 sec; SD: 737 sec)           0.64                 0.10
  Millstone Event Data (mean: 2640 sec; SD: 1320 sec)   0.86                 0.57
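As an added worked example (not part of the original report), the Pt, Pc and final-HEP arithmetic of sections 1.3.1.3 and 1.3.2.1.1 in Python: Pt is the upper tail of a normal distribution of the time required evaluated at the time available (Tables 5 and 11), Pc averages a SPAR-H estimate with a NARA estimate, and the final HEP is Pt + Pc (Eq. 1, Table 10). The input numbers are the report's; the function names are mine, and the SPAR-H nominal HEPs of 0.01 (diagnosis) and 0.001 (action) are taken from the SPAR-H method rather than from this page.

```python
"""Added example, not part of the original report: reproduces the time-distribution
Pt (Tables 5 and 11), the SPAR-H and NARA Pc, and the final HEP = Pt + Pc (Eq. 1)."""
import math
from statistics import NormalDist  # standard library, Python 3.8+


def p_time_insufficient(mean_required, sd_required, time_available):
    """Pt: probability that the (normally distributed) time required exceeds
    the time available, i.e. the upper tail of N(mean, sd) at time_available."""
    if sd_required <= 0:  # degenerate case: time required is a fixed value
        return 1.0 if mean_required > time_available else 0.0
    return 1.0 - NormalDist(mu=mean_required, sigma=sd_required).cdf(time_available)


# SPAR-H nominal HEPs (assumed here from the SPAR-H method; not stated on the page).
SPAR_H_DIAGNOSIS_BASE = 0.01
SPAR_H_ACTION_BASE = 0.001


def spar_h_hep(diag_psfs, action_psfs):
    """SPAR-H: HEP = diagnosis base x prod(multipliers) + action base x prod(multipliers).
    Each argument is a dict {psf_name: multiplier}. As the report does, the
    available-time multiplier is clipped to 1 because insufficient time is
    already counted in Pt; only the HEP-reducing effect of time is credited."""
    def part(base, psfs):
        factor = 1.0
        for name, mult in psfs.items():
            if name == "available_time":
                mult = min(mult, 1.0)
            factor *= mult
        return base * factor
    return part(SPAR_H_DIAGNOSIS_BASE, diag_psfs) + part(SPAR_H_ACTION_BASE, action_psfs)


def nara_hep(gtts):
    """NARA: sum over the matched generic task types of base HEP x product of the
    applicable PSF multipliers (NARA multipliers only ever increase the HEP).
    gtts is a list of (base_hep, [multiplier, ...]) pairs."""
    return sum(base * math.prod(mults) for base, mults in gtts)


def final_hep(pt, method_heps):
    """Eq. 1: HEP = Pt + Pc, with Pc the average of the method results (SPAR-H, NARA)."""
    pc = sum(method_heps) / len(method_heps)
    return pt + pc


# Report data (seconds): (mean, SD) of the time required for each data source.
OPEN_PZR_VALVE = {   # section 1.3.1.3.1, Table 5
    "KAERI": (161, 84), "Averaged": (321, 162), "Millstone": (480, 240)}
TERMINATE_SI = {     # section 1.3.2.1.1, Table 11
    "KAERI": (306, 153), "Averaged": (1473, 737), "Millstone": (2640, 1320)}


def pt_table(cases, times_available):
    """Pt for every (data source, time available) combination, as in Tables 5 and 11."""
    return {name: {t: p_time_insufficient(m, s, t) for t in times_available}
            for name, (m, s) in cases.items()}


if __name__ == "__main__":
    for title, cases, times in (("Table 5", OPEN_PZR_VALVE, (900,)),
                                ("Table 11", TERMINATE_SI, (1200, 2400))):
        print(title)
        for name, row in pt_table(cases, times).items():
            print(f"  {name:10s}", "  ".join(f"{t}s: {p:.2e}" for t, p in row.items()))

    # Section 1.3.1.3: Pc for opening the PZR isolation valve, then the final HEP.
    sparh = spar_h_hep({"available_time": 1, "procedures": 0.5}, {"available_time": 1})
    nara = nara_hep([(0.0004, []), (0.006, [])])   # the two GTTs named in 1.3.1.3.3
    pt = p_time_insufficient(*OPEN_PZR_VALVE["Millstone"], 900)
    print(f"Millstone case: Pt={pt:.2e} SPAR-H={sparh:.2e} NARA={nara:.2e} "
          f"final={final_hep(pt, [sparh, nara]):.2e}")
```

Running it reproduces the Pt entries of Tables 5 and 11 (e.g. 4.0E-2 for the Millstone data at 900 s, 0.64 and 0.10 for the averaged data at 1200 s and 2400 s) and the 4.6E-2 final HEP of Table 10.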

1.3.2.1.2 Pc - SPAR-H

SPAR-H uses eight performance shaping factors (PSFs) to calculate the HEPs of diagnosis and action. The task's HEP is the sum of the diagnosis HEP and the action HEP. The following discusses the statuses of the eight performance shaping factors for diagnosis and action.

Available Time: Based on the time analysis discussed in the previous section (section 1.3.2.1.1), the available time ranges from insufficient to expansive time. Table 12 shows the statuses of the available time factor for diagnosis. Table 12's time assessment subtracts the expected action time from the time available to obtain the time available for diagnosis. The action time is calculated as the average time spent on each step multiplied by the number of procedure steps in performing the action (in ES-1.1). This makes the time available for the action normal in all cases. Note that, because Pt covers the effect of insufficient time available, SPAR-H's available time factor only considers the effect of reducing the HEP.

Table 12 The status of the time available factor in SPAR-H for the various cases. This factor can only have the effect of reducing HEPs.

Available Time Status                                            Time Available
                                                                 1200 sec (20 min.)   2400 sec (40 min.)
Time Required
  KAERI Data (Tdiagnosis: 245 sec; Taction: 61 sec)             Normal               Expansive Time
  Averaged Data (Tdiagnosis: 1178 sec; Taction: 295 sec)        Normal               Extra Time
  Millstone Event Data (Tdiagnosis: 2112 sec; Taction: 528 sec) Normal               Normal

Stress/Stressor: The stress level is determined as normal because there is no immediate safety concern to the operators.

Complexity: For diagnosis, the complexity of the KAERI case is determined as normal. For the average case, the complexity level is moderately high (HEP multiplier of 2). For the Millstone event, the complexity is highly complex (HEP multiplier of 5). The operators have to successfully conclude that the event is not an MSLB, SGTR or LOCA event. The indications are expected to be clear enough to reach that conclusion.

Experience/Training: For diagnosis, this is determined as normal. Even though the operators are routinely trained on diagnosing MSLB, SGTR and LOCA events, having to rule out all of them successfully makes the determination normal instead of high. For action, the actions are discrete actions to be performed in the order instructed by the procedure. The experience/training for action is normal.

Procedure: For diagnosis, the EOP is a diagnosis/symptom oriented procedure. The status is high. For action, the procedure instruction is clear. The status is normal.

Ergonomic/HMI, fitness for duty, and work process: Their statuses are normal.

The SPAR-H PSF statuses are shown in Table 13. The final SPAR-H HEPs are shown in Table 14.

Table 13 The SPAR-H PSF statuses and their HEP modification factors for the diagnosis and action tasks.

PSF                    Diagnosis                                  Action
                       Status                       Multiplier    Status          Multiplier
Available Time         Vary                         Vary          Nominal time    1
Stress/Stressors       Nominal                      1             Nominal         1
Complexity             Vary                         Vary          Nominal         1
Experience/Training    Normal                       1             High            1
Procedures             Diagnostic/symptom oriented  0.5           Nominal         1
Ergonomics/HMI         Nominal                      1             Nominal         1
Fitness for Duty       Nominal                      1             Nominal         1
Work Processes         Nominal                      1             Nominal         1

Table 14 The SPAR-H HEPs in the various situations.

HEP                                                              Time Available
                                                                 1200 sec (20 min.)   2400 sec (40 min.)
Time Required
  KAERI Data (Tdiagnosis: 245 sec; Taction: 61 sec)             6E-3                 1.0E-3
  Averaged Data (Tdiagnosis: 1178 sec; Taction: 295 sec)        1.2E-2               2E-3
  Millstone Event Data (Tdiagnosis: 2112 sec; Taction: 528 sec) 3E-2                 2.6E-2

1.3.2.1.3 Pc - NARA

The following two GTTs are identified as corresponding to the diagnosis and action portions of the HFE of OPA-1:

  • Start or reconfigure a system from the Main Control Room following procedures, with feedback. The base HEP is 0.001.

In NARA, the unfamiliarity factor applies to the analysis. Unfamiliarity is explained as follows: "Under optimum conditions the operators would be fully familiar with the alarms for which a response is required. This would be achieved by ensuring that the operators were provided with adequate procedures to guide the response, a means of promptly accessing the correct procedures and training to ensure familiarity with the actions required." In NARA, unfamiliarity has a maximum effect of 20. The Millstone event is considered a maximally unfamiliar scenario. Table 15 shows the unfamiliarity multiplier.

Table 15 NARA unfamiliarity multiplier

Time Stress Factor                          Time Available
                                            1200 sec (20 min.)   2400 sec (40 min.)
Time Required
  KAERI Data (mean: 306 sec)               1                    1
  Averaged Data (mean: 1473 sec)           10.5                 10.5
  Millstone Event Data (mean: 2640 sec)    20                   20

Another NARA factor, time pressure, is relevant to the analysis. The time pressure factor is described as follows: "A shortage of time would tend to increase the likelihood of the operator failing to successfully complete the required action. This may be due to the operator feeling under pressure to complete the action within a short interval, or not having sufficient time to review and adjust the actions attempted." The time pressure effect is considered to be covered by Pt. Table 16 shows the HEPs calculated by NARA.

Table 16 NARA HEPs

HEP                                         Time Available
                                            1200 sec (20 min.)   2400 sec (40 min.)
Time Required
  KAERI Data (mean: 306 sec)               1E-3                 1E-3
  Averaged Data (mean: 1473 sec)           1.05E-2              1.05E-2
  Millstone Event Data (mean: 2640 sec)    2E-2                 2E-2

Table 17 shows the average HEPs of SPAR-H and NARA.

Table 17 The averaged HEPs of NARA and SPAR-H

Average HEP                                 Time Available
                                            1200 sec (20 min.)   2400 sec (40 min.)
Time Required
  KAERI Data (mean: 306 sec)               3.5E-3               1E-3
  Averaged Data (mean: 1473 sec)           1.12E-2              1.52E-3
  Millstone Event Data (mean: 2640 sec)    2.5E-2               2.3E-2

1.3.2.1.4 Final HEP

The final HEP is the sum of Pt (Table 11) and Pc (Table 17). The results are shown in Table 18.

Table 18 The independent HEP of not terminating SI in time.

Average HEP                                 Time Available
                                            1200 sec (20 min.)   2400 sec (40 min.)
Time Required
  KAERI Data (mean: 306 sec)               3.5E-3               1E-3
  Averaged Data (mean: 1473 sec)           0.65                 0.1
  Millstone Event Data (mean: 2640 sec)    0.885                0.59

The HEPs shown in Table 18 are the independent HEPs (i.e., assuming the PZR isolation valve is successfully opened). If the PZR isolation valve is not opened, there could be task dependency effects. Figure 1 shows the NUREG-1921 dependency model. Sequence 8 (high dependency) represents the effect of failing to open a PZR isolation valve on the termination of SI. Table 19 shows the dependent HEP of the SI termination.

Figure 1 The NUREG-1921 dependency model
[Figure 1 is a decision tree that does not survive text extraction. Recoverable labels: branch headings Dependence Level, Intervening Success, Crew, Cognitive, Cue, Demand/Stress, Sequential Timing, Location, Manpower; sequences 1 to 19; timing bins 0-15, 15-30, 30-60, >(60-120); outcome dependence levels CD, HD, MD, LD, ZD.]

Table 19 The dependent HEP of not terminating SI in time.

Average HEP                                 Time Available
                                            1200 sec (20 min.)   2400 sec (40 min.)
Time Required
  KAERI Data (mean: 306 sec)               0.5                  0.5
  Averaged Data (mean: 1473 sec)           0.65                 0.5
  Millstone Event Data (mean: 2640 sec)    0.885                0.59

2 Main Steamline Break

The MSLB event assumes a MSL break before the main steam isolation valve (or the fast acting steamline stop valves at B/B) that immediately actuates the SI signal and a reactor trip, but the peak containment pressure is assumed to be less than 20 psig. If the containment peak pressure is greater than 20 psig, the operator would need to stop all reactor coolant pumps (RCPs), check the containment spray eductor suction flow, and align the cooling towers. Success criteria: terminate SI within 60 minutes and 80 minutes from the initiating event.

2.1 Results Summary

Figure 3 is a summary of the MSLB HEP analysis. The HEP of an ex-containment MSLB is 0.175. This number is based on a 50% chance that 50% of the secondary radiation alarms fail high. The HEP of an in-containment MSLB is 4.5E-4.

Figure 3. The MSLB HEP summary
[Figure 3 is an event tree that does not survive text extraction. Recoverable labels: MSLB branches to EX-CTMT (P = Y), split into 0% false alarms (P = 0.5) and 50% false alarms (P = 0.5), and to IN-CTMT (P = Z); column headings Not Enter E-3 and Terminate SI with branch probabilities 0.999/0.001, 0.765/0.235 and 0.85/0.15; end states 1 S 4.99E-1 x Y, 2 F 5.00E-4 x Y, 3 S 3.25E-1 x Y, 4 F 9.99E-2 x Y, 5 F 7.50E-2 x Y, 6 S 9.99E-1 x Z, 7 F 4.50E-4 x Z.]

2.2 Scenario Analysis and Operational Narrative

2.2.1 Plant Responses

Following a MSLB event, section 15.1.5 of the B/B UFSAR states the plant responses as follows: The major break of a steamline is the most limiting RCS cooldown transient. The steam release arising from a break of a main steamline would result in an initial increase in steam flow which decreases during the accident as the steam pressure falls. The energy removal from the RCS causes a reduction of coolant temperature and pressure. Decay heat would retard the cooldown thereby reducing the return to power. The following functions provide the protection for a steamline break:

a. Safety injection system actuation from any of the following:
1. Two-out-of-three low steamline pressure signals in any one loop
2. Two-out-of-four low pressurizer pressure signals
3. Two-out-of-three high-1 containment pressure signals.
b. The overpower reactor trips (neutron flux and ) and the reactor trip occurring in conjunction with receipt of the safety injection signal.
c. Redundant isolation of the main feedwater lines. Sustained high feedwater flow would cause additional cooldown. Therefore, in addition to the normal control action which will close the main feedwater valves a safety injection signal will rapidly close all feedwater control valves and backup feedwater isolation valves, trip the main feedwater pumps, and close the feedwater pump discharge valves.
d. Trip of the fast acting steamline stop valves on:
1. Two-out-of-three low steamline pressure signals in any one loop.
2. Two-out-of-three high-2 containment pressure signals.
3. Two-out-of-three high negative steamline pressure rate signals in any one loop (used only during cooldown and heatup operations).

Steam release from more than one steam generator will be prevented by the automatic trip of the fast acting isolation valves in the steamlines by low steamline pressure signals, high containment pressure signals, or high negative steamline pressure rate signals. The steamline stop valves are designed to be fully closed in less than 5 seconds from receipt of a closure signal.

2.2.2 Operator Responses

Immediately after the MSLB, the reactor trip and the SI actuation signal occur automatically. After confirming the reactor trip, the RO performs the immediate actions according to emergency operating procedure (EOP) E-0, Reactor Trip or Safety Injection. In the meantime, the main control room shift supervisor brings up E-0 to implement the procedure with the RO and ARO. E-0 instructs the operators to check that the systems and components have responded automatically to the event as expected. At E-0 step 14, check if main steamlines should be isolated, the operator checks the SG pressures and identifies that the faulted SG's pressure is less than 640 psig. Because of the fast acting steamline stop valves, it is expected that the intact SGs' pressures are significantly higher than that of the faulted SG, which is below 640 psig. This gives the operator the first indication of the troubled SG. E-0 step 21, Check if SG secondary pressure boundaries are intact, directs the operators to transfer to E-2, Faulted steam generator isolation, if any SG pressure is dropping in an uncontrolled manner or any SG is completely depressurized. E-2 step 6 directs the operators to check the secondary radiation trends and sample the secondary radiation. If the secondary radiation indication is abnormal, the procedure instructs the operator to transfer to E-3, Steam generator tube rupture. A note in the procedure states that "A MSLB outside of the containment may cause the secondary radiation monitors to fail high due to elevated area temperature." Therefore, if a MSLB occurred outside the main containment, the secondary radiation alarms are expected to fail high due to elevated temperature. If the operator does not transfer to E-3 from E-2 step 6, then at E-2 step 7 the operator would enter ES-1.1, SI termination, to terminate SI.

2.2.3 Task Analysis

The cue that leads the operator to enter E-0 is salient. The plant parameters and procedure instructions are clear for the operators to follow E-0 step 21, check if SG secondary pressure boundaries are intact. The following is this step's instruction:

Check pressure in all SGs:
  • No SG pressure dropping in an uncontrolled manner
  • No SG completely depressurized

If the answer to either of the above two bullets is NO, then the operator should enter E-2, Faulted SG isolation. If the operator enters E-2, E-2 step 6 is another cognitive challenge that directs the operators to check the secondary radiation to decide whether E-3, SGTR, should be entered. A MSLB outside of the containment could trigger false secondary radiation alarms that would increase the likelihood of a misdiagnosis leading to entering E-3.
If the operator mistakenly enters E-3 based on the secondary radiation indications shown in the main control room, E-2 Step 6 instructs the operator to ask the chemistry department to periodically sample the SGs for radiation. The sample results would redirect the shift supervisor to return from E-3 to E-2 Step 6. If the operator did not enter E-3, E-2 step 8 would direct the operators to transfer to ES-1.1 to terminate SI. If the operator mistakenly enters E-3, the operators' diagnosis is likely a combined MSLB and SGTR scenario, because of the clear MSLB symptom (a depressurized SG) and the false secondary radiation alarms. The operators' chance to re-conclude that there is no SGTR comes from sampling the SGs for radiation. This has to be done on site by chemistry staff. Another symptom for identifying whether an SGTR is ongoing is a rising SG water level. This symptom would be hard to detect in a MSLB event because the faulted SG water level gauge indication is below zero due to blowdown, and the intact SGs' water levels are affected by AFW, which makes detecting an uncontrolled SG water level rise challenging.

2.2.4 Relevant Events

Turkey Point 3 safety valve header failure (December 1971; ML003736245; not publicly available)

Early on the morning of the incident the hot-functional tests were nearing completion and preparations were under way for rolling the turbine. The header failed ~ 15 min prior to the shift change, so that only personnel from the midnight crew and some of the day-shift crew who had come early were present. Equilibrium conditions of 547F and 2235 psig had been established in the primary cooling system for > 8 hrs. prior to the header failure. Three primary pumps were in service, one charging pump was operating, and letdown flow through the mixed-bed demineralizer was 60 gpm. The pressurizer pressure and level controls were on automatic. Boration of the primary system was the only test procedure in progress and this operation had been established ~ 2 hrs prior to the incident. The secondary-system pressure had been established at 990 psig for > 8 hrs., the main steam-line isolation bypass valves were closed, the main FW and FW bypass valves were closed, and the steam-generator feed pumps were off. The secondary system was operating under static-load conditions, only. The initial indication in the control room was a loud noise that sounded like escaping steam. The operators then observed a rapid decrease in pressurizer level and pressure, a rapid decrease in the temperatures of the hot and cold legs of the loop and in the average loop temperature, a rapid decrease in steam-generator level, closure of the letdown valve, and a trip of the pressurizer heater. From the console the operators immediately stopped the 3 primary pumps, started a 2nd charging pump, closed the FW valve to the steam generator, closed the atmospheric steam-dump valves on the other 2 loops, and initiated makeup of primary water to restore the level in the volume-control tank. The pressurizer level was restored to normal within 15 min and then one of the charging pumps was stopped and a 45-gpm letdown was established.
When conditions had stabilized, the coolant pump in the failed loop was restarted and an orderly cooldown was initiated. No personnel were on the steam line platform at the time of the incident, but the blast and debris associated with the escaping steam resulted in minor injury to 16 people, 2 of whom required hospitalization. Since the safety valve headers are located upstream of the isolation valves on the main steam lines, a complete blowdown of steam generator 3A occurred, accompanied by partial cooldown of the reactor coolant system. When the steam blowing had subsided, it was observed that 3 of the 4 safety valves had blown off the header on one steam loop and that the north segment of the header was split open.

H.B. Robinson 2 Circumferential Pipe Rupture-Blowdown (April 1970; ML003736245; not publicly available)

The steam generator secondary system safety valve lift set pressure was being checked. Verification of safety valve set points and adjustments as necessary were being performed using a pneumatic test device which allows the set points to be verified without having the system pressure up to lift pressure. The plant was operating at 533F and 2225 psi primary system pressure with a secondary system pressure of 900 psi and a constant level in the steam generator. Eight of a total of 12 valves had been tested. The pneumatic test device had been installed on the valve and air pressure was being increased to relax the valve spring force, to make a determination of the valve set pressure. A loud noise was heard followed by a shower of steam, insulation, scaffolding, metal parts and construction debris. The men in the vicinity of the valve were either knocked to the deck by the explosion or were forced to lie down due to lack of air to breathe. The rapid release of steam displaced the air from the area above the pipe requiring the men to stay in a position near the floor. They made their way out of the area and down the steps away from the immediate scene of the incident on their own power. The men were transported to a local hospital and treated for burns and injuries. One man was released. The other 6 were admitted to the hospital for treatment. The initial noise was immediately followed by a second louder noise or sound. The initial steam accumulation in the area of the break spread in an almost horizontal plane, followed by the formation of a vertical column of steam which rose an estimated 150 ft into the air. There was an area of localized cutting of insulation on a nearby line on a horizontal plane from the break. This damage suggests an initial crack in the pipe.
Steam apparently was directed horizontally in this direction for a brief period of time prior to a complete severance of the pipe and expulsion of the total valve assembly from the area by the force of the steam jet. Such a sequence of events is also suggested by the reported 2 stages of sound, the appearance of the fracture, and the direction of travel of the separated valve. The valve was propelled against the structural members supporting the steam lines and rebounded back toward the turbine building. The valve came to rest on the turbine building mezzanine floor. In addition to striking the supporting structure, the valve struck and carried away an angle brace and dented and moved the stack from the auxiliary boilers, causing its supports to bend and break away. There was no conclusive evidence to show that this valve actually reached its set point and "popped". At the time of the incident a loud noise was heard by the control operator followed by a rapid decrease in pressurizer level and pressure. In addition, level decreased rapidly in the "C" steam generator and reactor coolant system temperature began to rapidly decrease. Action was taken by the control operator to secure all 3 reactor coolant pumps. Two additional charging pumps were placed in service and letdown was secured to minimize the effects of pressurizer level and pressure decrease. Pressurizer heaters were manually de-energized prior to reaching the automatic heater cutoff set point on pressurizer low level. Even though the pressurizer level decreased off scale, it is not believed that pressurizer steam bubble expanded out of the surge line.

The level in steam generator "C" decreased to zero in ~1 hr. The overall transient caused the reactor coolant system to cool down approximately 213F over 1 hr.

Millstone Event (as described in Section 1.2.4)

The Millstone event is a combination of an inadvertent SI actuation and a SG safety valve stuck open. The procedure following path and cognitive challenge are relevant to the MSLB event.

2.3 HFE

The HFE of isolating the SI in a MSLB scenario can be represented by the crew response diagram shown in Figure 2, which shows the potential procedure following paths as explained below (the numbering below corresponds to the block numbers in Figure 2):

1. Enter E-0 Step 1 due to confirmation of a reactor trip and SI signal.
2. At E-0 Step 21: check the SG secondary pressure boundary by whether any SG pressure is dropping in an uncontrolled manner and whether any SG is completely depressurized. If any SG secondary pressure boundary is breached (the expected detection), then transfer to E-2 Step 1 (Item 3). If all SG secondary pressure boundaries are judged intact (an incorrect detection), then continue to E-0 Step 22.
3. Transfer to and enter E-2 Step 1.
4. E-2 Step 6: check the secondary radiation. If the radiation level is normal, then transfer to ES-1.1 (Item 5). If the radiation is abnormal, then transfer to E-3 (Item 6). The shift supervisor requests the chemistry department to periodically sample all SGs for radiation.

Note: A MSLB that occurred outside of the containment may cause the secondary radiation monitors to fail high due to elevated area temperatures.

5. Enter ES-1.1 to terminate SI. The success criterion is to terminate SI within 60 minutes from the initiating event.
6. Enter E-3: This is due to a misdiagnosis. The operator mistakenly concluded that the secondary radiation level is abnormal.
7. Sample SG radiation as instructed by E-2 Step 6.
8. Check if SG tubes are intact. If intact, the procedure path would lead to entering ES-1.1 to terminate SI. If not intact, E-3 is entered.
9. Enter ES-1.1 to terminate SI.
10. Enter E-3. E-3 has an instruction to request sampling of SG radiation (Item 11).
11. Sample SG radiation as instructed by E-3 step ??. If the sampling concludes no radiation, the operator would return to E-0 Step 22, which in turn would lead to ES-1.1.

A delayed sampling result would lead to the lift of the pressurizer safety valves.

Figure 2 The potential procedure following paths (crew response diagram; block numbers match Items 1 to 11 above, with Item 2 designated OPA-2.1, Item 8 OPA-2.2 and Item 4 OPA-2.3; a late SG radiation sample at Item 7 or Item 11 leads to PZR safety valve lift)

2.3.1 HEP (Item 2) HEP = Negligible

Item 2 is to check the SG secondary pressure boundary at E-0 Step 21. The loud steam leaking noise, as indicated in both the Turkey Point 3 and H.B. Robinson 2 events (Section 2.2.4), and a clear depressurization of the faulted SG provide a clear indication that the SG secondary integrity has been breached.

THERP
The corresponding error modes include:
Miss the procedure step: HEP = .003, EF = 3 (Table 20-7 Item 2, long list, > 10 items).
Select an incorrect display: The SG pressure displays are dissimilar to the adjacent displays. HEP = negligible (Table 20-9, Item 1).
Misread the display: The operator only needs to know that one SG pressure is much lower than the other SGs; the exact faulted SG pressure is not needed. The reading is a status reading, so Table 20-11 Item 8 (confirming a status change on a status lamp) applies. HEP = negligible.

CBDT
The corresponding error modes include:
Relevant step in procedure missed: HEP = .003 (Pce path c)
Misread or miscommunicated: HEP = negligible (Pcc path a)

Discussion

Both THERP and CBDT estimate a basic HEP of .003. Two factors are expected to significantly reduce the HEP estimate: (1) the loud noise caused by the MSLB, which occurred in the Turkey Point and H.B. Robinson events; the operator will immediately notice that the secondary side is abnormal; and (2) the MSLB is a frequently trained simulation scenario; the operators receive MSLB scenario simulator training about three times a year. For the above reasons, the probability of skipping the procedure step is determined as negligible. Because the HEP of Item 2 is negligible, Items 8, 9, 10, and 11 in Figure 2 do not need to be analyzed.

2.3.2 HEP (Item 4)

E-2 Step 6: check the secondary radiation. This step instructs the operators to check the following radiation indications to determine the transfer to E-3 SGTR:
SJAE/Gland Steam Exhaust Gas
SG Blowdown Liquid Radiation
Main Steamline 2A, MSIV Rm
Main Steamline 2B, MSIV Rm
Main Steamline 2C, MSIV Rm
Main Steamline 2D, MSIV Rm
Secondary activity samples (measured at a frequency of about once per hour)

A note in E-2 states: "A MSLB that occurred outside of the containment may cause the secondary radiation monitors to fail high due to elevated area temperatures." All the above radiation monitors are located outside of the containment. The following assumptions are applied to this analysis. More precise estimates require a plant walk-through that is not available to this analysis:

1. If the MSLB break is inside the containment, none of the radiation indications will be triggered.
2. If the MSLB break is outside of the containment, there is a 50% chance that 50% of the secondary radiation indications listed above will fail high. Taking secondary activity samples cannot be performed due to the adverse environmental effects caused by the MSLB.

2.3.2.1 Ex-Containment MSLB

The ex-containment MSLB assumes that there is a 50% chance that 50% of the secondary radiation indications listed above will fail high. These two situations are discussed separately:
50% of the secondary radiation alarms failed high. Conditional probability is 50%.
No secondary radiation alarm failed high. Conditional probability is 50%.

2.3.2.1.1 50% of the secondary radiation alarms failed high. HEP = 0.15

SPAR-H

Table 20 SPAR-H evaluation of 50% of the secondary radiation indications failed high due to an ex-containment MSLB
PSF | Diagnosis Status | Multiplier | Justification
Available Time | Nominal time | 1 |
Stress/Stressors | High | 2 | Encountering a major event with many secondary radiation alarms.
Complexity | Highly complex | 5 | 50% of false indications
Experience/Training | Normal | 1 | MSLB simulation is performed three times a year, but 50% false alarms is less frequently trained.
Procedures | Normal | 1 |
Ergonomics/HMI | Nominal | 1 |
Fitness for Duty | Nominal | 1 |
Work Processes | Nominal | 1 |

The HEP (of Table 20) is 0.01 × 2 × 5 × 0.5 = 0.1.

NARA

Applying the generic task "Identification of situation requiring interpretation of complex pattern of alarms/indications". Base HEP = 0.2.

The averaged HEP of 50% secondary radiation alarms is 0.15.

2.3.2.1.2 No secondary radiation alarm failed high; HEP = negligible

Because there are no false secondary alarms, the probability of mis-detecting multiple radiation indications is negligible.

2.3.2.2 In-Containment MSLB

The in-containment analysis is identical to the analysis of the ex-containment MSLB without false radiation alarms (Section 2.3.2.1.2).

2.3.3 HEP (Item 5)

ES-1.1 includes two essential operator actions for the interest of this analysis:
Reset SI (Step 1)
Terminate the high head ECCS (Step 6). This can only be performed when Step 1 is completed.

Including the diagnosis process, the high head ECCS needs to be terminated within 60 minutes from the initiating event. The following two procedure following paths would reach Item 5 (ES-1.1). These two paths are analyzed separately:
Path 1: Item 1 → Item 2 → Item 3 → Item 4 → Item 5
Path 2: Item 1 → Item 2 → Item 3 → Item 4 → Item 6 → Item 7 → Item 5

2.3.3.1 Path 1

2.3.3.1.1 Pt - Path-1

Three data sets are compared:
The Turkey Point 3 safety valve header failure event description states: "The pressurizer level was restored to normal within 15 min and then one of the charging pumps was stopped and a 45-gpm letdown was established." Corresponding to the

Byron procedure, E-2 Step 7.d is maintaining PZR water level, and E-2 Step 7.e is transferring to ES-1.1. Stopping a charging pump is instructed in ES-1.1 Step 6. Completing ES-1.1 within 60 minutes is considered success in this analysis.
In the Millstone event, the operator took 21 minutes to reach the E-0 step for determining whether E-2 should be entered. This corresponds to Byron E-0 Step 21.
KAERI data show the operators on average spent 200 seconds reaching the E-0 step for diagnosing a SGTR event. This corresponds to Byron E-0 Step 22.

Comparing these three sets of data, KAERI has the fastest pace in following the procedures, followed by Turkey Point 3. The Turkey Point 3 event occurred in 1971; symptom-based procedures were not available at that time. Based on the onsite observation report, the Turkey Point control room operators appear to have entered the E-2 equivalent procedure (an event-based procedure) promptly. The Millstone event represents a more complicated scenario. IDHEAS-G provides a table to identify the factors affecting the time required to complete a task, as shown in Table 8. It is concluded that the time variability in the above three data sets is dominated by the diagnosis time due to scenario complexity. Therefore, the Path 1 time assessment is divided into the following two situations:
Situation A: Ex-containment MSLB without triggering false secondary radiation alarms
Situation B: Ex-containment MSLB triggering 50% false secondary radiation alarms

Pt - Path-1 No False Secondary Radiation Alarms

In Situation A, the Turkey Point 3 time data is used. Three minutes is added to the data (15 minutes) to cover the time needed to transfer to ES-1.1 and perform ES-1.1 Step 6. Therefore the time required is estimated as 18 minutes. Based on the KAERI data, on average the standard deviation is about one half of the mean time required. Applying this information to this analysis, using a normal distribution with a mean required time of 18 minutes, a standard deviation of 9 minutes, and an available time of 60 minutes, results in an HEP of 2E-6.

Pt - Path-1 50% False Secondary Radiation Alarms

Situation B represents a complicated diagnosis situation with 50% false secondary radiation alarms. The operator chose not to enter E-3. The Millstone event time data are used. A crew briefing is likely to take place to discuss the situation and to reach a consensus on not entering E-3. A crew briefing occurred in the Millstone event to discuss whether the E-2 procedure should be entered. In the Millstone event, it took 44 minutes to terminate SI. This is used as the mean time required. The standard deviation is assumed to be 22 minutes, which is one half of the mean time required. Applying this information to this analysis, using a normal distribution with a mean required time of 44 minutes, a standard deviation of 22 minutes, and an available time of 60 minutes, results in an HEP of 0.234.

Table 21 The factors affecting the variability of time required
Cognitive task | Factors contributing to the time required
Detection | Travel to source location of information; Prepare and calibrate equipment needed for detection; Detect/attend to an indication; Confirm and verify the indicators; Record and communicate the detected information.
Diagnosis | Assess the information needed for diagnosis, such as knowledge and status of a valve, pump, heater, and battery, etc.; integrate low-level information to create and/or determine high-level information; Identify plant status and/or conditions based on several parameters, symptoms and the associated knowledge; collect information and delineate complex information such as a mass and/or energy flow involving two or more system functions; Delineate conflicting information and unstable trends of parameters, e.g., interpret SG pressure trends when one train has failed; Wait for continuous or dynamic information from the system to complete diagnosis; Verify the diagnosis results or reach a team consensus.
Decision-making | Prioritize goals, establish decision criteria; Collect, interpret and integrate data to satisfy the decision; Make decision - determine parameters, choose strategies or develop a plan; Coordinate the decision-makers (especially with a hierarchy of decision-making or a distributed decision-making team) or achieve the consensus needed for the decision, or wait for certain information in order to make the decision; Simulate or evaluate the outcome of the decision.
Action | Evaluate the action plan and coordinate staff; Travel and access to the action site; Time to acquire (deploy, install, calibrate) the tools and equipment (e.g., put on gloves) to perform the actions; Time needed for action implementation - action steps, continuous action, and required timing of steps; Confirmation of the actions, waiting for system feedback.

2.3.3.1.2 Pc - Path 1

Terminate SI is an action task because the diagnosis is led by the procedure. Item 5 does not need to consider a cognitive element. The action is to perform a series of about 10 discrete actions in the sequence directed by the procedure. Table 23 provides the SPAR-H PSF statuses for performing the actions.

Table 22 SPAR-H action table for performing SI termination
PSF | Status | Multiplier | Notes
Available Time | Nominal time | 1 |
Stress/Stressors | Normal | 1 |
Complexity | Normal | 1 |
Experience/Training | High | 1 |
Procedures | Normal | 1 |
Ergonomics/HMI | Nominal | 1 |
Fitness for Duty | Nominal | 1 |
Work Processes | Nominal | 1 |

The action HEP is 0.001. This action failure probability applies to both Situation A and Situation B mentioned in the earlier time analysis.

2.3.3.2 Path 2

Path 2 represents the scenario in which the operator misdiagnoses that a SGTR is ongoing, so the operator transfers to E-3 from E-2 Step 6. This only occurs in the 50% false secondary radiation alarms situation. The no false alarm scenarios (i.e., ex-containment 0% false secondary radiation alarms and the in-containment MSLB) are not included in Path 2.

The operators' mindset is to confirm a SGTR is ongoing. The objective is to follow E-3 to identify and isolate the broken SG(s) and to cool down and depressurize the RCS. Because there is no SGTR ongoing, the scenario and procedure are mismatched. The operator won't be able to identify the broken SG(s). This task is complicated by the following considerations:
The operator would use SG water levels to identify the broken SGs. The faulted SG's level is below the instrument measuring point. The intact SGs' water levels are affected by the AFW. The symptom of water leakage from the RCS to the SGs will be masked.
Taking the secondary activity samples is challenged by the high temperature and potentially high radiation alarms caused by the ex-containment MSLB.
Requesting health physicists and on-site engineers to wear protective clothing and equipment to survey the MSLB damage and radiation could provide the operator with correct information. However, the results are not expected to be available within the 60 minutes available.

Based on the above argument, it is assessed that if the operator mistakenly enters E-3 because of false secondary radiation alarms, the operator won't be able to terminate the SI in time. HEP is 1.0.

2.3.4 HEP Results

Figure 3 is a summary of the MSLB HEP analysis. The HEP of ex-containment MSLB is 0.175. This number is based on the 50% chance that 50% of secondary radiation alarms fail high. The HEP of in-containment MSLB is 4.5E-4.
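The time-reliability (Pt) and event-tree arithmetic behind these results, as an added worked example that is not part of the original analysis: Pt is taken as the probability that a normally distributed required time (standard deviation one half of the mean) exceeds the 60 minutes available, and the ex-containment HEP is the probability-weighted failure over the Figure 3 branches. All inputs are the values stated in the text; the function and constant names are my own.

```python
"""Time-reliability (Pt) and event-tree arithmetic for the MSLB HFE.

Added worked example; the inputs below are the values stated in
Sections 2.3.2 to 2.3.4 of the analysis, the names are the example's own.
"""
import math

TIME_AVAILABLE_MIN = 60.0        # success criterion for terminating SI (Item 5)

# Required-time data (minutes) chosen in Section 2.3.3.1.1
MEAN_REQUIRED_A_MIN = 18.0       # Situation A: Turkey Point 3 data (15 min) + 3 min for ES-1.1
MEAN_REQUIRED_B_MIN = 44.0       # Situation B: Millstone event, SI terminated in 44 min
SD_FRACTION_OF_MEAN = 0.5        # KAERI observation: sd is about half the mean required time

# Cognitive / action failure probabilities from the text
PC_TERMINATE_SI = 0.001          # SPAR-H action HEP for ES-1.1 (Table 22)
PC_ENTER_E3_FALSE_ALARMS = 0.15  # averaged SPAR-H/NARA diagnosis HEP, 50% false alarms
PC_PATH2 = 1.0                   # misdiagnosed SGTR (E-3 entered) assessed as unrecoverable in time
P_FALSE_ALARMS = 0.5             # analysis assumption for an ex-containment MSLB


def normal_exceedance(mean: float, sd: float, threshold: float) -> float:
    """P(T > threshold) for T ~ Normal(mean, sd), via the complementary error function."""
    z = (threshold - mean) / sd
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def pt_time_hep(mean_required: float, available: float = TIME_AVAILABLE_MIN,
                sd_fraction: float = SD_FRACTION_OF_MEAN) -> float:
    """Pt: probability that the required time exceeds the time available."""
    return normal_exceedance(mean_required, sd_fraction * mean_required, available)


def combine_independent(*failure_probs: float) -> float:
    """Failure if any of several independent elements fails."""
    success = 1.0
    for p in failure_probs:
        success *= 1.0 - p
    return 1.0 - success


def situation_a_pt() -> float:
    return pt_time_hep(MEAN_REQUIRED_A_MIN)   # the text reports about 2E-6


def situation_b_pt() -> float:
    return pt_time_hep(MEAN_REQUIRED_B_MIN)   # the text reports 0.234


def ex_containment_hep() -> float:
    """Ex-containment MSLB HEP: probability-weighted failure over the Figure 3 branches."""
    # 0% false alarms: Item 4 negligible, so only Item 5 (Pt_A and the action) can fail
    fail_no_false = combine_independent(situation_a_pt(), PC_TERMINATE_SI)
    # 50% false alarms: Item 4 may send the crew into E-3 (Path 2); otherwise Path 1 with Pt_B
    fail_path1_b = combine_independent(situation_b_pt(), PC_TERMINATE_SI)
    fail_false = (PC_ENTER_E3_FALSE_ALARMS * PC_PATH2
                  + (1.0 - PC_ENTER_E3_FALSE_ALARMS) * fail_path1_b)
    return (1.0 - P_FALSE_ALARMS) * fail_no_false + P_FALSE_ALARMS * fail_false


def ex_containment_sequences() -> list:
    """Figure 3 end states for the ex-containment branch as (sequence, state, probability per Y)."""
    pt_a, pt_b = situation_a_pt(), situation_b_pt()
    p_no, p_yes = 1.0 - P_FALSE_ALARMS, P_FALSE_ALARMS
    p_stay = 1.0 - PC_ENTER_E3_FALSE_ALARMS        # did not enter E-3
    return [
        (1, "S", p_no * (1.0 - pt_a) * (1.0 - PC_TERMINATE_SI)),
        (2, "F", p_no * combine_independent(pt_a, PC_TERMINATE_SI)),
        (3, "S", p_yes * p_stay * (1.0 - pt_b) * (1.0 - PC_TERMINATE_SI)),
        (4, "F", p_yes * p_stay * pt_b),
        (5, "F", p_yes * PC_ENTER_E3_FALSE_ALARMS * PC_PATH2),
        # Figure 3 does not list the small action failure after a timely Path 1 in this branch
        ("3a", "F", p_yes * p_stay * (1.0 - pt_b) * PC_TERMINATE_SI),
    ]


if __name__ == "__main__":
    print(f"Pt Situation A (mean 18, sd 9, 60 min available): {situation_a_pt():.1e}")
    print(f"Pt Situation B (mean 44, sd 22, 60 min available): {situation_b_pt():.3f}")
    for seq, state, p in ex_containment_sequences():
        print(f"seq {seq}: {state} {p:.2e} x Y")
    print(f"Ex-containment MSLB HEP: {ex_containment_hep():.3f}")
```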

Figure 3 The MSLB HEP summary

Event tree: MSLB → EX-CTMT (P = Y) or IN-CTMT (P = Z); EX-CTMT → 0% false alarms (P = 0.5) or 50% false alarms (P = 0.5). Branch probabilities: Not Enter E-3 p = 0.85 / Enter E-3 p = 0.15; Terminate SI in time p = 0.765 / p = 0.235; Terminate SI action p = 0.999 / p = 0.001.

Sequence | End state | Probability
1 | S | 4.99E-1 × Y
2 | F | 5.00E-4 × Y
3 | S | 3.25E-1 × Y
4 | F | 9.99E-2 × Y
5 | F | 7.50E-2 × Y
6 | S | 9.99E-1 × Z
7 | F | 4.50E-4 × Z

Reference:

1. Millstone Power Station Unit 3 - NRC Special Inspection Report 05000423/2005012.
2. Byron Nuclear Power Station, Updated Final Safety Analysis Report, Chapter 15.6.
3. Park, J. and Jung, W., "A study on the development of a task complexity measure for emergency operating procedures of nuclear power plants," Reliability Engineering and System Safety, 92 (2007), 1102-1116.
4. Gertman, D., Blackman, H., Marble, J., Byers, J. and Smith, C., The SPAR-H Human Reliability Analysis Method, NUREG/CR-6883, 2005.
5. Kirwan, B., Gibson, H., Kennedy, R., Edmunds, J., Cooksley, G., and Umbers, I. (2004). Nuclear Action Reliability Assessment (NARA): A data-based HRA tool. In Probabilistic Safety Assessment and Management 2004, Spitzer, C., Schmocker, U., and Dang, V.N. (Eds.), London, Springer, pp. 1206-1211.
6. Parry, G., Lydell, B., Spurgin, A., Moieni, P., and Beare, A., "An approach to the analysis of operator actions in probabilistic risk assessment," EPRI TR-100259, June 1992.
7. Swain, A. and Guttmann, H., "Handbook of human reliability analysis with emphasis on nuclear power plant applications," U.S. NRC NUREG/CR-1278, 1983.

1 Spurious Safety Injection ... 3
1.1 Results Summary ... 3
1.2 Scenario Analysis and Operational Narrative ... 4
1.2.1 Plant Responses ... 4
1.2.2 Operator Responses ... 5
1.2.3 Task Analysis ... 8
1.2.4 Relevant Operating Experience ... 8
1.3 HFEs ... 9
1.3.1 OPERATOR FAILS TO OPEN PORV BLOCK VALVES (OPA-3) ... 9
1.3.1.1 Task Description ... 9
1.3.1.2 Time Analysis ... 10
1.3.1.3 HEP Calculation ... 11
1.3.1.3.1 Pt Calculation ... 12
1.3.1.3.2 Pc - SPAR-H ... 13
1.3.1.3.3 Pc - NARA ... 15
1.3.1.3.4 Final HEP ... 15
1.3.2 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1) ... 16
1.3.2.1 HEP Calculation ... 16
1.3.2.1.1 Time Distribution HEP ... 16
1.3.2.1.2 Pc - SPAR-H ... 17
1.3.2.1.3 Pc - NARA ... 18
1.3.2.1.4 Final HEP ... 19
2 Main Steamline Break ... 21
2.1 Results Summary ... 21
2.2 Scenario Analysis and Operational Narrative ... 22
2.2.1 Plant Responses ... 22
2.2.2 Operator Responses ... 22
2.2.3 Task Analysis ... 23
2.2.4 Relevant Events ... 23
2.3 HFE ... 26
2.3.1 HEP (Item 2) HEP = Negligible ... 27
2.3.2 HEP (Item 4) ... 28
2.3.2.1 Ex-Containment MSLB ... 28
2.3.2.1.1 50% of the secondary radiation alarms failed high. HEP = 0.15 ... 28
2.3.2.1.2 No secondary radiation alarm failed high; HEP = 0.00045 ... 29
2.3.2.2 In-Containment MSLB ... 29
2.3.3 HEP (Item 5) ... 29
2.3.3.1 Path 1 ... 29
2.3.3.1.1 Pt - Path-1 ... 29
2.3.3.1.2 Pc - Path 1 ... 31
2.3.3.2 Path 2 ... 32
2.3.4 HEP Results ... 32

1 Spurious Safety Injection

Subject of interest: The probability that the operator does not open at least one pressurizer isolation (a.k.a. block) valve in time, leading to a water-solid pressurizer and passing of RCS water through a pressurizer safety relief valve, all following a spurious safety injection (SI) occurring at full power operation.

Success criteria:
Operator opens a pressurizer isolation (a.k.a. block) valve to prevent the pressurizer safety valve from lifting open within 15 minutes or 40 minutes from the initiating event
Operator terminates the SI within 20 minutes or 40 minutes from the initiating event

1.1 Results Summary

The estimated HEPs are shown in the figure and tables below.

Figure: Open a PZR Isolation Valve (Table 10); success → Terminate SI (Table 18); fail → Terminate SI (Table 19)

Table 10 The HEPs of not opening a PZR isolation valve in time
Time Available: 900 sec (15 min.)
Time Required (Status) | HEP
KAERI Data (Best Estimate: 161 sec) | 5.8E-3
Averaged Data (Best Estimate: 321 sec) | 6.0E-3
Millstone Event Data (Best Estimate: 480 sec) | 4.6E-2

Table 18 The final independent HEP of not terminating SI in time.
Time Required | Average HEP, Time Available 1200 sec (20 min.) | Average HEP, Time Available 2400 sec (40 min)
KAERI Data (Best Estimate: 306 sec) | 3.5E-3 | 1E-3
Averaged Data (Best Estimate: 1473 sec) | 0.65 | 0.1
Millstone Event Data (Best Estimate: 2640 sec) | 0.885 | 0.59

Table 19 The final dependent HEP of not terminating SI in time.
Time Required | Average HEP, Time Available 1200 sec (20 min.) | Average HEP, Time Available 2400 sec (40 min)
KAERI Data (Best Estimate: 306 sec) | 0.5 | 0.5
Averaged Data (Best Estimate: 1473 sec) | 0.65 | 0.5
Millstone Event Data (Best Estimate: 2640 sec) | 0.885 | 0.59

1.2 Scenario Analysis and Operational Narrative

1.2.1 Plant Responses

The B/B-UFSAR states: A spurious (SI) signal initiated after the logic circuitry in one solid-state protection system train for any of the following engineered safety feature (ESF) functions could cause this incident by actuating the ESF equipment associated with the affected train.

a. High containment pressure,
b. Low pressurizer pressure, or
c. Low steamline pressure.

Following the actuation signal, the suction of the coolant charging pumps diverts from the volume control tank to the refueling water storage tank. Simultaneously, the valves isolating the charging pumps from the injection header automatically open and the normal charging line isolation valves close. The charging pumps force the borated water from the refueling water storage tank (RWST) through the pump discharge header, the injection line, and into the cold leg of each loop. The passive accumulator tank safety injection and low head system are available. However, they do not provide flow when the reactor coolant system (RCS) is at normal pressure. A safety injection (SI) signal normally results in a direct reactor trip and a turbine trip. However, any single fault that actuates the ECCS will not necessarily produce a reactor trip.

If an SI signal generates a reactor trip, the operator should determine if the signal is spurious. If the SI signal is determined to be spurious, the operator should terminate SI and maintain the plant in the hot-standby condition as determined by appropriate recovery procedures. If repair of the ESF actuation system instrumentation is necessary, future plant operation will be in accordance with the Technical Specifications. If the SI results in discharge of coolant through the pressurizer safety relief valves, the operators will bring the plant to cold shutdown in order to inspect the valves.

If the reactor protection system does not produce an immediate trip as a result of the spurious SI signal, the reactor experiences a negative reactivity excursion due to the injected boron, which causes a decrease in reactor power. The power mismatch causes a drop in Tavg and consequent coolant shrinkage. The pressurizer pressure and water level decrease. Load decreases due to the effect of reduced steam pressure on load after the turbine throttle valve is fully open. If automatic rod control is used, these effects will lessen until the rods have moved out of the core. The transient is eventually terminated by the reactor protection system low pressurizer pressure trip or by manual trip. The time to trip is affected by initial operating conditions. These initial conditions include the core burnup history, which affects initial boron concentration, rate of change of boron concentration, and Doppler and moderator coefficients.

After the actuation of a SI signal, regardless of how the SI signal is actuated, the following ECCS actions are designed to take place because of interlocks with the SI signal:

1. Centrifugal charging pumps start on "S" signal.
2. RWST suction valves to the charging pumps open on "S" signal.
3. Safety injection containment isolation valves open on "S" signal.
4. Normal charging path valves close on "S" signal.
5. Charging pump miniflow isolation valves CV8110 and CV8111 close on "S" signal, concurrent with LO-2 RWST level.
6. Charging pump miniflow isolation valves CV8114 and CV8116 close on low RCS pressure in conjunction with an "S" signal. These valves open to protect the pump should the RCS pressure increase above the open setpoint with an "S" signal present.
7. Safety injection pumps start on "S" signal.
8. The RHR pumps start on "S" signal.
9. VCT outlet isolation valves close on "S" signal.

1.2.2 Operator Responses

Assuming the reactor is at full power operation, after a spurious actuation of a SI signal without the expected accompanying reactor trip, the nuclear power starts decreasing immediately due to boron injection, but steam flow does not decrease until later in the transient when the turbine throttle valve is wide open. The mismatch between load and nuclear power causes Tavg, pressurizer water level, and pressurizer pressure to drop. Without operator intervention, the reactor trips and control rods start moving into the core when the pressurizer pressure reaches the pressurizer low pressure trip setpoint. In the Chapter 15 safety analysis, the reactor is calculated to trip automatically at about 76 seconds after the SI actuation if the SI signal does not cause an automatic reactor trip and the operator does not manually trip the reactor before its automatic trip.

Even though the reactor may or may not be tripped immediately following the SI signal, the operator responses in these two scenarios are very similar. After verifying a SI actuation, the operator will perform the immediate actions according to the emergency operating procedure (EOP) E-0, Reactor Trip or Safety Injection, which are summarized as follows:
Verify the reactor is tripped. If the reactor is not tripped, then manually trip the reactor.
Verify the turbine is tripped. If the turbine is not tripped, then manually trip the turbine.
Verify electric power is available to the 4KV essential safety function (ESF) busses.
Check SI status. If SI is required, then manually actuate SI if it is not actuated already. If SI is not required, then transfer to procedure ES-0.1 Reactor Trip Response.

In this analysis, with the assumption of a single failure (i.e., spurious SI actuation), once the above four immediate actions are completed the following is the expected status:
The reactor is tripped.
The turbine is tripped.
The 4KV ESF buses are energized.
SI is actuated.

The SI status is determined via the procedure instruction shown in Table 1. In this scenario, because the SI equipment is automatically actuated, the operator would not enter the response not obtained column. The point in Table 1 is that the SI is not needed in this scenario. The response not obtained column in Table 1 has an opportunity of transferring to the ES-0.1 procedure, but there is no path for the operator to move to the response not obtained column.

Table 1 The procedure step of checking SI status
ACTION/EXPECTED RESPONSE | RESPONSE NOT OBTAINED
CHECK SI STATUS |
a. Check if SI - ACTUATED: Any SI first out annunciator - LIT; SI ACTUATED permissive light - LIT; SI equipment - AUTOMATICALLY ACTUATED: Either SI pump - RUNNING; Either CENT CHG pump to cold leg injection isolation valve - OPEN: 1SI8801A, 1SI8801B | a. Check if SI is required: PZR pressure less than or equal to 1829 PSIG; Steamline pressure less than or equal to 640 PSIG; Containment pressure greater than or equal to 3.4 PSIG. If SI is required, THEN manually actuate SI. IF SI is NOT required, THEN GO TO ES-0.1 REACTOR TRIP RESPONSE, Step 1.
b. Manually actuate SI: 1PM05J, 1PM06J |

When the reactor operator (RO) is performing the immediate actions, the shift supervisor (SS), a senior reactor operator, is bringing out the E-0 procedure. Once the RO has finished the immediate response actions, the SS interacts with the RO and the auxiliary RO (ARO) to implement E-0. They start to implement E-0 from step 1. The first four steps (i.e.,

immediate response actions) are to reconfirm the immediate actions performed by the RO. Because, except for the spurious SI actuation, all components and instruments are functioning as designed and the operator is expected to be familiar with E-0, the operating crew is expected to follow the E-0 instructions with ease. After manually tripping the reactor, all procedure steps request the operator to check the key components automatically responding to the situation as designed until Step 18, which requires the operator to open a pressurizer isolation (or block) valve (if neither PORV is available). Table 2 provides the procedure instruction of Step 18.

Table 2 The procedure step 18 that instructs establishing a PZR relief path.
ACTION/EXPECTED RESPONSE | RESPONSE NOT OBTAINED
CHECK PZR PORVS AND SPRAY VALVES |
a. PORVs - CLOSED: 1RY455A, 1RY456 | a. If PZR pressure is less than 2315 PSIG, THEN manually close PORVs. IF any PORV can NOT be closed, THEN manually or locally close its isolation valve: 1RY8000A (1RY455A) MCC 131X2B A5 (414 Q11RXB1); 1RY8000B (1RY456) MCC 132X2 C4 (426 Q11 RXB1). IF PORV isol valve can NOT be closed, THEN GO TO 1BEP-1,
b. PORV isolation valves - AT LEAST ONE ENERGIZED | b. GO TO Step 18d.
c. PORV relief path - AT LEAST ONE AVAILABLE: PORV in - AUTO; Associated isolation valve - OPEN | c. Perform the following to establish a PORV relief path for any PORV NOT failed open: 1. Place the PORV in AUTO. 2. Open the associated PORV isolation valve.
d. Normal PZR spray valves - CLOSED: 1RY455B, 1RY455C | d. IF PZR pressure is less than 2260 PSIG, THEN manually close spray valve(s). IF any spray valve(s) cannot be closed, THEN stop RCP(s) as necessary to stop spray flow: RCP 1D, RCP 1C, RCP 1B, RCP 1A

In cases where the initial condition is that the pressurizer PORV isolation valves are closed, the operator is expected to identify the statuses of the associated isolation valves (Step 18.c, bullet 2) as not open. This will lead the operator to perform the actions in the response not obtained column of Step 18.c, which include placing the PORVs in AUTO and opening the associated PORV isolation valve.

Operators receive inadvertent SI actuation simulator training at a frequency of about once per two years.

1.2.3 Task Analysis

The operator response to this scenario starts with detecting the abnormal plant symptoms triggered by the inadvertent SI actuation. Regardless of whether the operator manually trips the reactor, the E-0 procedure is entered. Within this procedure, the operators' main tasks are to verify that the components and systems are automatically responding to the event as designed. The main operator physical actions are opening at least one pressurizer isolation valve (Step 18.c) and resetting SI (Step 27). Both actions are performed within the main control room, and both are simple. Opening a pressurizer isolation valve is performed by turning the valve control switch to the open position and confirming that the valve status light changes from green to red. Resetting SI is performed by depressing the two SI reset buttons and confirming success by verifying that the SI ACTUATED permissive light goes off and the AUTO SI BLOCKED permissive light comes on.

1.2.4 Relevant Operating Experience

The following event description is from [1]:

On April 17, 2005, at 8:29 a.m., Millstone Unit 3 experienced a reactor trip from 100 percent power following an unexpected A train safety injection (SI) actuation signal and main steam line isolation (MSI). Control room operators entered emergency operating procedure (EOP) E-0, Reactor Trip or Safety Injection, Revision 22, and manually actuated the B train of safety injection within 30 seconds. The first-out annunciator panel indicated that the reactor trip was caused by a Steam Line Pressure Low Isolation SI signal sensed by the solid state protection system (SSPS). The Shift Manager (SM) arrived in the control room approximately five minutes after the reactor trip and assumed Director of Site Operations (DSO) duties.

As a result of the MSI signal, the main steam isolation valves (MSIVs) and two of the four main steam line atmospheric dump valves (ADVs) automatically closed. With the closure of the MSIVs, the main steam line safety valves (MSSVs) opened to relieve secondary plant pressure. Control room operators manually actuated the B MSI train in accordance with station procedures. Both motor driven auxiliary feedwater (MDAFW) pumps started to maintain steam generator levels. The turbine-driven auxiliary feedwater (TDAFW) pump attempted to start but immediately tripped on overspeed. Operators were dispatched to investigate the cause of the trip. The TDAFW pump trip was subsequently reset and the TDAFW was restarted at 10:19 a.m. At approximately 8:42 a.m., the SM noted that a B MSSV had remained open for an extended period of time. In consultation with the Unit Supervisor (US) and Shift Technical Advisor (STA), the SM declared an ALERT based on a stuck open MSSV. The crew determined that the stuck open MSSV represented an unisolable steam line break outside containment.

At 8:45 a.m., due to the addition of inventory from the SI, the pressurizer reached water solid conditions and the pressurizer PORVs cycled numerous times to relieve reactor coolant system (RCS) pressure and divert the additional RCS inventory to the pressurizer relief tank (PRT). No pressurizer safety valve actuations occurred and the PRT rupture diaphragm remained intact. The control room received reports of substantial leakage in the auxiliary building near the high head safety injection (HHSI) pumps. The leakage was coming from the packing of two valves in the HHSI system alternate minimum flow (AMF) line and was estimated to be approximately 60 gpm. Several hundred gallons spilled onto the auxiliary building floor. At approximately 8:59 a.m., the operating crew transitioned from EOP E-0 to ES-1.1, SI Termination. The SI was reset and the crew terminated safety injection at 9:12 a.m., and normal RCS letdown was re-established at 9:20 a.m. Millstone Unit 3 entered Mode 4 [Hot Shutdown] at approximately 7:03 p.m. and the ALERT was terminated shortly thereafter. NRC Region I had been in a Monitoring Mode during the event and returned to the Normal Mode at 11:45 p.m.

1.3 HFEs

Two HFEs are identified for this initiating event: (1) open the isolated pressurizer isolation valves (OPERATOR FAILS TO OPEN PORV BLOCK VALVES); and (2) terminate SI (OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW). The PRA model label for the first HFE is OPA-3 and for the second is OPA-1.

1.3.1 OPERATOR FAILS TO OPEN PORV BLOCK VALVES (OPA-3)

Success criteria: The task has to be completed within 15 minutes from the initiating event.

1.3.1.1 Task Description

The task (OPERATOR FAILS TO OPEN PORV BLOCK VALVES) starts from the operator detecting the plant abnormality, then following E-0 to Step 18 and opening at least one isolated pressurizer PORV isolation valve per the Step 18 instruction.

The macrocognition discussion based on the overall task is the following:

Detecting the abnormal symptom: the inadvertent SI actuation causes a number of automatic component status changes related to the containment Phase A isolation, as identified in Section 1.1. These changes trigger a number of alarms. The automatic start and realignment of the centrifugal charging pumps and SI pumps are clear to the operators. The operators are familiar with, and are trained to pay attention to, these component statuses.

Understanding the issue and deciding on a response plan: once the SI actuation is detected, E-0 is the procedure to enter. Operators are routinely trained on entering and implementing E-0. Understanding and decision-making are based on the procedure instructions; the operators' main activity is to follow the procedure in order to check plant parameter values and component statuses.

Action: the main action is to open a pressurizer isolation valve. This action is performed inside the main control room by turning the control switches of the pressurizer isolation valves from close to open and verifying that the isolation valve status indication light changes from green (closed) to red (open). Another action that the operator may perform

at the beginning of the scenario is to manually trip the reactor if the reactor is not automatically tripped by the SI signal. Whether the operator manually trips the reactor makes little difference to the scenario from a safety standpoint, because the reactor will be automatically tripped on low pressurizer pressure within a couple of minutes of the inadvertent SI actuation (at about 76 seconds in the plant's safety analysis [2]). The key task is to open at least one pressurizer isolation valve as instructed by E-0 Step 18. This is a main control room action in which the RO switches a pressurizer isolation valve to the open position, working with the SS, who reads the procedure instruction to direct and monitor the RO. Once the task is completed, the RO is expected to inform the SS. The actual physical activity that changes the system status is pushing a button (or turning a switch) to open the isolation valve.

1.3.1.2 Time Analysis

Two sources are used to assess the operator response time: the Millstone event [1] and a paper published by KAERI [3]. The first source is a real event; the second is based on simulator training.

Millstone Event

In the Millstone event, the operator reached E-0 Step 16, Verify ECCS Flow, seven minutes after the initiating event (see Table 3). Byron's E-0 has the step of verifying ECCS flow at Step 17, and Step 18 immediately follows it with the instruction to open the pressurizer isolation valves to ensure at least one pressurizer PORV path is open. Overlaying the Millstone event on the Byron procedure, it is therefore estimated that the operator would complete Step 18 (open pressurizer isolation valves) eight minutes after the initiating event.

Table 3 The Millstone event timeline up to the procedure step of opening the pressurizer isolation valves (all procedure steps are based on Millstone Unit 3 procedures)

Time (minutes): Event Description

0 (08:29):
  • A Train SSPS Steam Line Pressure Low SI/MSI signal followed by a reactor trip. First Out alarm: Steam Line Pressure Low Isolation SI.
  • MSIVs closed as expected.
  • 3 MSS-PV20A&C, Atmospheric Dump Valves (ASDVs), open.
  • 3 MSS-PV20B&D received close signals via MSI (1/2 of ASDVs shut on 1/2 MSI).
  • B S/G safety opens.
  • The control room crew entered E-0, Reactor Trip/SI emergency response procedure.
  • At Step 4 the crew initiated train B SI.
  • Terry Turbine steam supplies open and Terry Turbine trips 3 seconds later.

7 (08:36):
  • At E-0 Step 16, Verify ECCS Flow. Crew performed a debrief of the situation. The crew reinforced to the entire control staff that there was no Terry Turbine aux feed flow, B S/G safety was still open, and manual initiation of both trains of SI was required.
  • Dispatched a PEO to the Terry Turbine, who verified that it was not running; found V5 unlatched and shut; mechanical trip tappet was NOT in the overspeed condition. (Crew continued to evaluate plant conditions; thought the stuck S/G safety caused SI.)

21 (08:50):
  • The crew decided not to make an E-2 transition based upon SI termination priority and no uncontrolled S/G pressure decrease. (Discussion occurred between US and SM. Did not meet E-2 entry conditions.)

25 (08:54):
  • Determined no S/G tube rupture based on no adverse S/G level trend.

30 (08:59):
  • Transition to ES-1.1 from E-0 Step 29.

31 (09:00):
  • Reset SI (ES-1.1 Step 1).

44 (09:13):
  • Terminated SI (ES-1.1 Step 8). The charging pumps are stopped at ES-1.1 Step 3.

51 (09:20):
  • Normal letdown established (ES-1.1 Step 12).

In the Millstone event, the average time spent on a procedure step is about 75 seconds.

KAERI Simulator Analysis

The operator normal response time is based on [3], which reports Korean crews responding to a steam generator tube rupture (SGTR) scenario. The Korean crew structure and procedures are similar to those of the Byron nuclear power plant. Without Byron plant-specific data, the data in [3] are considered a good approximation. The time data in [3] are reproduced in Table 4. KAERI's data show that the average time spent on a procedure step is about 10 seconds. The difference between 75 seconds per procedure step in the Millstone event and 10 seconds per procedure step in the KAERI simulator data is significant; it shows that scenario complexity can substantially affect the pace of implementing procedures.

Table 4 The time data collected in operator simulator training by KAERI [3]

Task ID | Task Description | Time (sec) (a) | SD (sec) (b) | Procedure Steps (c)
1 | Confirming immediate responses after reactor trip | 41.9 | 25.5 | 1 to 4
2 | Confirming the isolation of essential valves | 12.0 | 2.9 | 5 to 6
3 | Confirming the operation of essential pumps | 17.9 | 5.6 | 7 to 10
4 | Verifying containment status | 33.9 | 22.3 | 11 to 14
5 | Verifying the delivery of SI and AFW flow | 55.4 | 27.8 | 15 to 18
6 | Verifying the status of RCS heat removal | 38.9 | 16.0 | 19 to 21
7 | Entering E-3 procedure according to the status of SGs | 34.7 | 16.3 | 22 to 23
(a) Averaged task performance time in seconds. (b) Standard deviation in seconds. (c) Based on the E-0 of the Korean nuclear power plant.

1.3.1.3 HEP Calculation

In this analysis, three approaches are used to calculate the HEP: time distribution, SPAR-H [4] and NARA [5]. Consistent with IDHEAS-G's guidance, the final HEP uses the following equation:

HEP = Pt + Pc    (Eq. 1)

where Pt is the HEP due solely to insufficient time available (the operator makes no major mistake such as entering a wrong procedure or performing an incorrect action that complicates the scenario), and Pc is the HEP contributed by all factors other than insufficient time. In this analysis, Pt is calculated from the time data obtained from the relevant simulator study (KAERI) and the real event (Millstone). Pc is calculated as the average of the SPAR-H and NARA HRA results.

1.3.1.3.1 Pt Calculation

The Pt calculation is performed by an analysis of time.

Time Available

Two times available frame this analysis: 20 minutes and 40 minutes. The 20 minutes is the estimated time for the PZR to become water solid, leading to opening of the PZR SRVs; after the PZR is water solid the SRV cycles open to maintain PZR pressure. The 40 minutes is the estimated time at which an SRV is assumed to stick open. The 20 minutes represents the conservative assumption that once an SRV opens on water it sticks open, leading to an unisolable loss of coolant accident (LOCA). For this HFE the HEP is evaluated against the 15-minute success criterion stated in Section 1.3.1, as shown in Table 5.

Time Required

Based on the KAERI data, the procedure step of opening a PZR isolation valve corresponds to Task ID 5 in Table 4. Summing Tasks 1 through 5 gives a mean time of 161.1 seconds, and the sum of their standard deviations is 84.1 seconds. Based on the Millstone event, the estimated time to reach the procedure step for opening the PZR isolation valve is about 8 minutes; a standard deviation of 4 minutes (half of the time required) is used for this analysis. Table 5 shows the HEPs calculated with a normal distribution of time required, using the KAERI data, the Millstone event data and their average, against the time available.

Table 5 HEP calculated from the various time required against the time available

Time Required | HEP at Time Available = 900 sec (15 min)
KAERI data (mean: 161 sec; SD: 84 sec) | Negligible
Averaged data (mean: 321 sec; SD: 162 sec) | 2.0E-4
Millstone event data (mean: 480 sec; SD: 240 sec) | 4.0E-2

1.3.1.3.2 Pc - SPAR-H

The SPAR-H method uses eight performance shaping factors (PSFs) to calculate the HEPs of diagnosis and action; the task HEP is the sum of the diagnosis HEP and the action HEP. The following discusses the status of the eight PSFs for diagnosis and action.

Available Time: The time available is 15 minutes. The total time required is divided into Tdiagnosis and Taction by calculating Taction first; Tdiagnosis is then the total time minus Taction. In the KAERI time data the total time represents the performance of 18 procedure steps, so Taction is taken as 1/18 of the total time. In the Millstone event, one minute is assumed for Taction. The status of the available time is shown in Table 6. Because part of the effect of available time on the HEP is already covered by Pt, only the positive effect of available time (i.e., a multiplier less than one) is considered; if the multiplier would be greater than one, it is set to one.

Table 6 The status of available time

Time Required | Status at Time Available = 900 sec (15 min)
KAERI data (Tdiagnosis: 152 sec; Taction: 9 sec) | Nominal time
Averaged data (Tdiagnosis: 286 sec; Taction: 35 sec) | Nominal time
Millstone event data (Tdiagnosis: 420 sec; Taction: 60 sec) | Nominal time

Stress/Stressors: The stress level is nominal because all operator activities are within E-0 and there is no surprise except that the SI actuation may not trip the reactor automatically.

Complexity: For diagnosis, the complexity is nominal because the diagnosis is based on E-0 and there is no foreseeable mismatch between E-0 and the scenario. For action, turning a switch from close to open is a simple task; the status is nominal.

Experience/Training: For diagnosis, this is nominal because operators are trained on the inadvertent SI actuation scenario in simulator training at a frequency of about once per two years. The actions to terminate SI (the high head ECCS in this case) include resetting SI by pressing the two SI reset buttons; aligning the centrifugal charging pump suction to the refueling water storage tank (RWST); resetting the SI recirculation sump isolation valves; resetting and opening the centrifugal charging pump minimum flow isolation valves; and closing the centrifugal charging pump to cold leg injection isolation valves. All these actions are procedure-based.

Procedures: For diagnosis, the EOP is a diagnostic/symptom-oriented procedure; the status is high. For action, the procedure instruction is clear; the status is nominal.

Ergonomics/HMI, Fitness for Duty and Work Processes: Their statuses are nominal.

Table 7 shows the PSF statuses and their HEP multipliers.

Table 7 The SPAR-H PSF statuses

PSF | Diagnosis Status | Multiplier | Action Status | Multiplier
Available Time | Nominal | 1 | Nominal time | 1
Stress/Stressors | Nominal | 1 | Nominal | 1
Complexity | Nominal | 1 | Nominal | 1
Experience/Training | Nominal | 1 | Nominal | 1
Procedures | Diagnostic/symptom oriented | 0.5 | Nominal | 1
Ergonomics/HMI | Nominal | 1 | Nominal | 1
Fitness for Duty | Nominal | 1 | Nominal | 1
Work Processes | Nominal | 1 | Nominal | 1

Table 8 SPAR-H calculated HEPs

Time Required | HEP at Time Available = 900 sec (15 min)
KAERI data (Tdiagnosis: 152 sec; Taction: 9 sec) | 5.5E-3
Averaged data (Tdiagnosis: 286 sec; Taction: 35 sec) | 5.5E-3
Millstone event data (Tdiagnosis: 420 sec; Taction: 60 sec) | 5.5E-3

1.3.1.3.3 Pc - NARA

NARA calculates the HEP by mapping the task under analysis to NARA's generic task types (GTTs). Each GTT has a base HEP value; the final HEP is the base HEP multiplied by the multipliers of the NARA PSFs that apply to the task. NARA's PSFs only have negative effects on the HEP (i.e., they increase it). The following two GTTs are identified as corresponding to the diagnosis and action portions of the HFE OPERATOR FAILS TO OPEN PORV BLOCK VALVES:

Simple response to a key alarm within a range of alarms/indications providing clear indication of the situation (simple diagnosis required). Response might be direct execution of simple actions or initiating other actions separately assessed. The base HEP is 0.0004.
Carry out simple single manual action with feedback. Skill-based and therefore not necessarily with procedure. The base HEP is 0.006.

No negative NARA PSF is applicable to the HFE. Therefore the HEP = 0.0004 + 0.006 = 0.0064. The average HEPs of SPAR-H and NARA are shown in Table 9.

Table 9 The average HEPs of NARA and SPAR-H

Time Required | Average HEP at Time Available = 900 sec (15 min)
KAERI data (Tdiagnosis: 152 sec; Taction: 9 sec) | 5.8E-3
Averaged data (Tdiagnosis: 286 sec; Taction: 35 sec) | 5.8E-3
Millstone event data (Tdiagnosis: 420 sec; Taction: 60 sec) | 5.8E-3

1.3.1.3.4 Final HEP

The final HEP combines the time calculation (Pt, Table 5) and the method calculation (Pc, Table 9, the average of the SPAR-H and NARA results) according to Eq. 1. Table 10 shows the results.

Table 10 The final HEPs for opening a PZR isolation valve

Time Required | HEP at Time Available = 900 sec (15 min)
KAERI data (best estimate: 161 sec) | 5.8E-3
Averaged data (best estimate: 321 sec) | 6.0E-3
Millstone event data (best estimate: 480 sec) | 4.6E-2

1.3.2 OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1)

The task OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW starts after the pressurizer isolation valves have been opened (or not opened) as instructed at E-0 Step 18, and runs to the SI reset action instructed by ES-1.1.

1.3.2.1 HEP Calculation

1.3.2.1.1 Time Distribution HEP

Time Available

Two times available are used: 20 minutes and 40 minutes. These two discrete values represent the uncertainty in the time at which a pressurizer valve would stick open from a water solid pressurizer.

Time Required

In the Millstone event, SI was terminated 44 minutes (2640 seconds) after the initiating event. Using KAERI's average of 10.2 seconds per procedure step for the 30 steps needed to terminate SI in the Byron procedures (24 steps in E-0 and 6 steps in ES-1.1), a time required of 306 seconds is estimated. The simulator (KAERI) and Millstone event times are both used, together with their average, which gives a mean time required of 1473 seconds. A standard deviation of half the mean (737 seconds) is used. Table 11 shows the HEP due to the error mode of slowness only, because the operators in these two data sets did not make major errors (e.g., entering an incorrect procedure).

Table 11 The HEPs for the combinations of time available and time required

Time Required | HEP at 1200 sec (20 min) | HEP at 2400 sec (40 min)
KAERI data (mean: 306 sec; SD: 153 sec) | Negligible | Negligible
Averaged data (mean: 1473 sec; SD: 737 sec) | 0.64 | 0.10
Millstone event data (mean: 2640 sec; SD: 1320 sec) | 0.86 | 0.57
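The arithmetic behind Eq. 1 and Tables 5, 10 and 11, as an added worked example in Python (it is not part of the original report): Pt as the upper tail of a normal distribution of time required beyond the time available, Pc from the SPAR-H product of PSF multipliers and from NARA base HEPs, and their Eq. 1 sum. The means, standard deviations and multipliers are those quoted in the tables above; the function names, the use of math.erfc for the normal tail, the SPAR-H three-negative-PSF adjustment and the way the cases are bundled are this example's own choices.

```python
"""HEP arithmetic of Eq. 1 (HEP = Pt + Pc) as used for OPA-3 and OPA-1.

Added worked example, not part of the original report. Means, standard
deviations and PSF multipliers are copied from Tables 5, 11, 13 and the NARA
text; function names and the case bundling are this example's own.
"""
import math

# Time-required cases (mean, SD) in seconds, from Tables 5 and 11.
OPA3_CASES = {"KAERI": (161, 84), "Averaged": (321, 162), "Millstone": (480, 240)}
OPA1_CASES = {"KAERI": (306, 153), "Averaged": (1473, 737), "Millstone": (2640, 1320)}


def pt_time_exceeded(mean_s, sd_s, available_s):
    """Pt: probability that a normally distributed time required exceeds the
    time available, i.e. the upper tail of N(mean, sd) beyond available_s.
    math.erfc gives the tail without needing SciPy."""
    z = (available_s - mean_s) / sd_s
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def pt_table(cases, available_list):
    """{case: {time_available: Pt}} in the layout of Tables 5 and 11."""
    return {name: {t: pt_time_exceeded(m, sd, t) for t in available_list}
            for name, (m, sd) in cases.items()}


def spar_h_pc(diag_multipliers, action_multipliers, diag_nominal=1e-2, action_nominal=1e-3):
    """SPAR-H Pc: nominal HEP (1E-2 diagnosis, 1E-3 action) times the product
    of the PSF multipliers, diagnosis and action summed. When three or more
    PSFs are negative (multiplier > 1) SPAR-H applies the adjustment
    HEP = NHEP * PSF / (NHEP * (PSF - 1) + 1) so the result stays below 1."""
    def part(nominal, mults):
        psf = math.prod(mults)
        if sum(1 for m in mults if m > 1) >= 3:
            return nominal * psf / (nominal * (psf - 1) + 1)
        return nominal * psf
    return part(diag_nominal, diag_multipliers) + part(action_nominal, action_multipliers)


def nara_pc(gtt_base_heps, multipliers=()):
    """NARA Pc: sum of the generic task type base HEPs, scaled by the
    multipliers of the applicable PSFs (NARA multipliers only raise the HEP).
    math.prod of an empty tuple is 1, so no multiplier means no scaling."""
    return sum(gtt_base_heps) * math.prod(multipliers)


def final_hep(pt, pc):
    """Eq. 1, capped at 1.0: a hopeless time budget cannot exceed certainty."""
    return min(1.0, pt + pc)


def opa3_final_heps():
    """Table 10 layout: Pt at the 15-minute success criterion plus the mean of
    the SPAR-H Pc (procedures multiplier 0.5 on diagnosis, all else nominal)
    and the NARA Pc (two GTTs, no negative PSFs)."""
    pc = (spar_h_pc([0.5], [1.0]) + nara_pc([0.0004, 0.006])) / 2
    return {name: final_hep(row[900], pc)
            for name, row in pt_table(OPA3_CASES, [900]).items()}


if __name__ == "__main__":
    for name, row in pt_table(OPA1_CASES, [1200, 2400]).items():
        print(f"OPA-1 {name:9s} Pt: 20 min {row[1200]:.2f}  40 min {row[2400]:.2f}")
    for name, hep in opa3_final_heps().items():
        print(f"OPA-3 {name:9s} final HEP {hep:.1e}")
```

Running the module directly prints the OPA-1 Pt rows of Table 11 and the OPA-3 final HEPs; the Pt values reproduce Tables 5 and 11 to the precision printed there, and the Millstone OPA-3 final HEP reproduces the 4.6E-2 of Table 10. Note that the Pc obtained here for OPA-3 (the plain mean of 6.0E-3 and 6.4E-3) is slightly above the 5.8E-3 quoted in Table 9.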

1.3.2.1.2 Pc - SPAR-H

SPAR-H uses eight performance shaping factors (PSFs) to calculate the HEPs of diagnosis and action; the task HEP is the sum of the diagnosis HEP and the action HEP. The following discusses the statuses of the eight PSFs for diagnosis and action.

Available Time: Based on the time analysis in Section 1.3.2.1.1, the available time ranges from insufficient to expansive. Table 12 shows the statuses of the available time factor for diagnosis. The assessment in Table 12 subtracts the expected action time from the time available to obtain the time available for diagnosis; the action time is the average time per step multiplied by the number of procedure steps performed for the action (in ES-1.1). This makes the time available for action nominal in all cases. Note that because Pt covers the effect of insufficient time, the SPAR-H available time factor is only allowed to reduce the HEP.

Table 12 The status of the available time factor in SPAR-H for the various cases. This factor can only reduce the HEP.

Time Required | Status at 1200 sec (20 min) | Status at 2400 sec (40 min)
KAERI data (Tdiagnosis: 245 sec; Taction: 61 sec) | Nominal | Expansive time
Averaged data (Tdiagnosis: 1178 sec; Taction: 295 sec) | Nominal | Extra time
Millstone event data (Tdiagnosis: 2112 sec; Taction: 528 sec) | Nominal | Nominal

Stress/Stressors: The stress level is nominal because there is no immediate safety concern to the operators.

Complexity: For diagnosis, the complexity of the KAERI case is nominal. For the averaged case, the complexity is moderately complex (HEP multiplier 2). For the Millstone event case, the complexity is highly complex (HEP multiplier 5): the operators have to successfully conclude that the event is none of an MSLB, SGTR or LOCA. The indications are expected to be clear enough to reach that conclusion.

Experience/Training: For diagnosis, this is nominal. Even though the operators are routinely trained on diagnosing MSLB, SGTR and LOCA events, having to rule out all of them keeps the determination at nominal rather than high. For action, the actions are discrete actions performed in the order instructed by the procedure; the experience/training status for action is nominal.

Procedures: For diagnosis, the EOP is a diagnostic/symptom-oriented procedure; the status is high. For action, the procedure instruction is clear; the status is nominal.

Ergonomics/HMI, Fitness for Duty and Work Processes: Their statuses are nominal.

The SPAR-H PSF statuses are shown in Table 13 and the resulting SPAR-H HEPs in Table 14.

Table 13 The SPAR-H PSF statuses and their HEP multipliers

PSF | Diagnosis Status | Multiplier | Action Status | Multiplier
Available Time | Varies (Table 12) | Varies | Nominal time | 1
Stress/Stressors | Nominal | 1 | Nominal | 1
Complexity | Varies | Varies | Nominal | 1
Experience/Training | Nominal | 1 | High | 1
Procedures | Diagnostic/symptom oriented | 0.5 | Nominal | 1
Ergonomics/HMI | Nominal | 1 | Nominal | 1
Fitness for Duty | Nominal | 1 | Nominal | 1
Work Processes | Nominal | 1 | Nominal | 1

Table 14 The SPAR-H HEPs for the various cases

Time Required | HEP at 1200 sec (20 min) | HEP at 2400 sec (40 min)
KAERI data (Tdiagnosis: 245 sec; Taction: 61 sec) | 6E-3 | 1.0E-3
Averaged data (Tdiagnosis: 1178 sec; Taction: 295 sec) | 1.2E-2 | 2E-3
Millstone event data (Tdiagnosis: 2112 sec; Taction: 528 sec) | 3E-2 | 2.6E-2

1.3.2.1.3 Pc - NARA

The following GTT is identified as corresponding to the diagnosis and action portions of the HFE OPA-1:

Start or reconfigure a system from the Main Control Room following procedures, with feedback. The base HEP is 0.001.

In NARA, the unfamiliarity factor applies to this analysis. Unfamiliarity is explained as follows: "under optimum conditions the operators would be fully familiar with the alarms for which a response is required. This would be achieved by ensuring that the operators were provided with adequate procedures to guide the response, a means of promptly accessing the correct procedures and training to ensure familiarity with the actions required." In NARA, unfamiliarity has a maximum multiplier of 20. The Millstone event is considered a maximally unfamiliar scenario. Table 15 shows the unfamiliarity multipliers.

Table 15 NARA unfamiliarity multiplier

Time Required | Multiplier at 1200 sec (20 min) | Multiplier at 2400 sec (40 min)
KAERI data (mean: 306 sec) | 1 | 1
Averaged data (mean: 1473 sec) | 10.5 | 10.5
Millstone event data (mean: 2640 sec) | 20 | 20

Another NARA factor, time pressure, is relevant to the analysis. The time pressure factor is described as follows: "a shortage of time would tend to increase the likelihood of the operator failing to successfully complete the required action. This may be due to the operator feeling under pressure to complete the action within a short interval, or not having sufficient time to review and adjust the actions attempted." The time pressure effect is considered covered by Pt. Table 16 shows the HEPs calculated by NARA.

Table 16 NARA HEPs

Time Required | HEP at 1200 sec (20 min) | HEP at 2400 sec (40 min)
KAERI data (mean: 306 sec) | 1E-3 | 1E-3
Averaged data (mean: 1473 sec) | 1.05E-2 | 1.05E-2
Millstone event data (mean: 2640 sec) | 2E-2 | 2E-2

Table 17 shows the average HEPs of SPAR-H and NARA.

Table 17 The averaged HEPs of NARA and SPAR-H

Time Required | Average HEP at 1200 sec (20 min) | Average HEP at 2400 sec (40 min)
KAERI data (mean: 306 sec) | 3.5E-3 | 1E-3
Averaged data (mean: 1473 sec) | 1.12E-2 | 6.3E-3
Millstone event data (mean: 2640 sec) | 2.5E-2 | 2.3E-2

1.3.2.1.4 Final HEP

The final HEP is the sum of Pt (Table 11) and Pc (Table 17), per Eq. 1. The results are shown in Table 18.

Table 18 The independent HEP of not terminating SI in time

Time Required | HEP at 1200 sec (20 min) | HEP at 2400 sec (40 min)
KAERI data (best estimate: 306 sec) | 3.5E-3 | 1E-3
Averaged data (best estimate: 1473 sec) | 0.65 | 0.1
Millstone event data (best estimate: 2640 sec) | 0.885 | 0.59

The HEPs in Table 18 are independent HEPs (i.e., they assume the PZR isolation valve is successfully opened). If the PZR isolation valve is not opened, there could be task dependency effects. Figure 1 shows the NUREG-1921 dependency model. Sequence 8 (high dependency) represents the effect of failing to open a PZR isolation valve on the termination of SI. Table 19 shows the dependent HEP of SI termination.

Figure 1 The NUREG-1921 dependency model (decision tree; only the branch headings and end states survive extraction: Intervening Success (high or moderate); Crew (common, different); Cognitive Cue (same, different); Demand Stress (yes, no); Sequential Timing (simultaneous, sequential: 0-15, 15-30, 30-60, >(60-120) minutes); Location (same, different); Manpower (sufficient, insufficient); cases 1 to 19 ending in CD, HD, MD, LD or ZD)

Table 19 The dependent HEP of not terminating SI in time

Time Required | HEP at 1200 sec (20 min) | HEP at 2400 sec (40 min)
KAERI data (best estimate: 306 sec) | 0.5 | 0.5
Averaged data (best estimate: 1473 sec) | 0.65 | 0.5
Millstone event data (best estimate: 2640 sec) | 0.885 | 0.59

2 Main Steamline Break

The MSLB event assumes a MSL break upstream of the main steam isolation valve (the fast acting steamline stop valves in B/B) that immediately actuates the SI signal and a reactor trip. The peak containment pressure is assumed to be less than 20 psig. If the containment peak pressure were greater than 20 psig, the operator would need to stop all reactor coolant pumps (RCPs), check the containment spray eductor suction flow, and align cooling towers.

Success criteria: terminate SI within 60 minutes and 80 minutes from the initiating event.

2.1 Results Summary

Figure 3 summarizes the MSLB HEP analysis. The HEP of the ex-containment MSLB is 0.175. This number is based on a 50% chance that 50% of the secondary radiation alarms fail high. The HEP of the in-containment MSLB is 4.5E-4.

Figure 3 The MSLB HEP summary (event tree; the following is what is recoverable from the extracted figure)
Branch points: MSLB location EX-CTMT (P = Y) or IN-CTMT (P = Z). For EX-CTMT: 0% false alarms (P = 0.5) or 50% false alarms (P = 0.5). Headings of the following branch points: Not Enter E-3, Terminate SI. Branch values printed: 0% false alarms p = 0.999 / 0.001; 50% false alarms Not Enter E-3 p = 0.765 / 0.235 and Terminate SI p = 0.85 / 0.15; IN-CTMT p = 0.999 / 0.001.
Sequences (number, end state, probability):
1 S 4.99E-1 x Y
2 F 5.00E-4 x Y
3 S 3.25E-1 x Y
4 F 9.99E-2 x Y
5 F 7.50E-2 x Y
6 S 9.99E-1 x Z
7 F 4.50E-4 x Z
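The event-tree quantification behind the ex-containment MSLB HEP of Figure 3, as an added worked example in Python (it is not part of the original report). The branch probabilities are the ones printed on the figure; the nesting order of the two branch points under the 50% false alarm branch is this example's assumption, chosen so that the per-sequence values come out as the figure's sequences 2 to 5 (the total failure probability does not depend on that order). Sequence 1 evaluates to 0.4995 where the figure prints 4.99E-1.

```python
"""Event-tree quantification of the ex-containment MSLB HEP of Figure 3.

Added worked example, not part of the original report. Branch probabilities
are those printed on Figure 3; the nesting order of the two branch points is
an assumption of this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator, Optional, Tuple


@dataclass
class Node:
    """A binary branch point. A failed branch ends the sequence in end state
    F; a successful branch continues to `next_on_success` or ends in S."""
    name: str
    p_success: float
    next_on_success: Optional[Node] = None


def sequences(node: Node, p: float = 1.0,
              path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], str, float]]:
    """Yield (path, end_state, probability) for every sequence under `node`."""
    yield path + (node.name + "=F",), "F", p * (1.0 - node.p_success)
    ok = path + (node.name + "=S",)
    if node.next_on_success is None:
        yield ok, "S", p * node.p_success
    else:
        yield from sequences(node.next_on_success, p * node.p_success, ok)


def failure_probability(root: Node) -> float:
    """Sum of the probabilities of all sequences ending in F."""
    return sum(p for _, state, p in sequences(root) if state == "F")


def ex_containment_subtrees(p_half_alarms_false: float = 0.5):
    """The two ex-containment branches of Figure 3 with their weights.
    0% false alarms: a single 0.999/0.001 branch point, as drawn.
    50% false alarms: Terminate SI 0.85/0.15 followed by Not Enter E-3
    0.765/0.235; this order (an assumption) yields the figure's sequences
    4 (9.99E-2) and 5 (7.50E-2)."""
    clean = Node("Response", 0.999)
    degraded = Node("TerminateSI", 0.85, Node("NotEnterE-3", 0.765))
    return [(1.0 - p_half_alarms_false, clean), (p_half_alarms_false, degraded)]


def ex_containment_hep(p_half_alarms_false: float = 0.5) -> float:
    """HEP of the ex-containment MSLB branch with the factor Y of Figure 3
    left out; p_half_alarms_false is the figure's 0.5 chance that half the
    secondary radiation alarms f
ail high."""
    return sum(w * failure_probability(root)
               for w, root in ex_containment_subtrees(p_half_alarms_false))


if __name__ == "__main__":
    for weight, root in ex_containment_subtrees():
        for path, state, p in sequences(root):
            print(f"{state} {weight * p:.3e}  {' -> '.join(path)}")
    print(f"ex-containment HEP = {ex_containment_hep():.3f}")
```

The parameter p_half_alarms_false makes the sensitivity to the figure's 50% assumption explicit: with no false alarms the ex-containment HEP collapses to 1E-3, and with false alarms certain it rises to about 0.35.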

2.2 Scenario Analysis and Operational Narrative

2.2.1 Plant Responses

Following a MSLB event, Section 15.1.5 of the B/B UFSAR describes the plant responses as follows: The major break of a steamline is the most limiting RCS cooldown transient. The steam release arising from a break of a main steamline would result in an initial increase in steam flow which decreases during the accident as the steam pressure falls. The energy removal from the RCS causes a reduction of coolant temperature and pressure. Decay heat would retard the cooldown, thereby reducing the return to power. The following functions provide the protection for a steamline break:

a. Safety injection system actuation from any of the following:
1. Two-out-of-three low steamline pressure signals in any one loop
2. Two-out-of-four low pressurizer pressure signals
3. Two-out-of-three high-1 containment pressure signals.
b. The overpower reactor trips (neutron flux and ) and the reactor trip occurring in conjunction with receipt of the safety injection signal.
c. Redundant isolation of the main feedwater lines. Sustained high feedwater flow would cause additional cooldown. Therefore, in addition to the normal control action which will close the main feedwater valves a safety injection signal will rapidly close all feedwater control valves and backup feedwater isolation valves, trip the main feedwater pumps, and close the feedwater pump discharge valves.
d. Trip of the fast acting steamline stop valves on:
1. Two-out-of-three low steamline pressure signals in any one loop.
2. Two-out-of-three high-2 containment pressure signals.
3. Two-out-of-three high negative steamline pressure rate signals in any one loop (used only during cooldown and heatup operations).

Steam release from more than one steam generator will be prevented by the automatic trip of the fast acting isolation valves in the steamlines on low steamline pressure, high containment pressure, or high negative steamline pressure rate signals. The steamline stop valves are designed to be fully closed in less than 5 seconds from receipt of a closure signal.

2.2.2 Operator Responses

Immediately after the MSLB, the reactor trip and the SI actuation signal occur automatically. After confirming the reactor trip, the RO performs the immediate actions of emergency operating procedure (EOP) E-0, Reactor Trip or Safety Injection. In the meantime, the main control room shift supervisor brings up E-0 and implements the procedure with the RO and ARO. E-0 instructs the operators to check that the systems and components responding automatically to the event are behaving as expected. At E-0 Step 14, Check if main steamlines should be isolated, the operator checks the SG pressures and identifies that the faulted SG pressure is less than 640 psig. Because the fast acting steamline stop valves have closed, the intact SG pressures are expected to be significantly higher than that of the faulted SG, which is below 640 psig. This gives the operator the first indication of the troubled SG. E-0 Step 21, Check if SG secondary pressure boundaries are intact, directs the operators to transfer to E-2, Faulted Steam Generator Isolation, if any SG pressure is dropping in an uncontrolled manner or any SG is completely depressurized. E-2 Step 6 directs the operators to check the secondary radiation trends and to sample the secondary side for radiation. If the secondary radiation indication is abnormal, the procedure instructs the operator to transfer to E-3, Steam Generator Tube Rupture. A note in the procedure states that a MSLB outside of the containment may cause the secondary radiation monitors to fail high due to elevated area temperature. Therefore, if a MSLB occurs outside the containment, the secondary radiation alarms are expected to fail high due to elevated temperature. If the operator does not transfer to E-3 from E-2 Step 6, then at E-2 Step 7 the operator enters ES-1.1, SI Termination, to terminate SI.

2.2.3 Task Analysis

The cue that leads the operator to enter E-0 is salient. The plant parameters and the procedure instruction are clear for the operators to follow E-0 Step 21, Check if SG secondary pressure boundaries are intact. The step reads:

Check pressure in all SGs:
- No SG pressure dropping in an uncontrolled manner
- No SG completely depressurized

If the answer to either bullet is NO, the operator should enter E-2, Faulted SG Isolation. Once in E-2, Step 6 is a further cognitive challenge: it directs the operators to check the secondary radiation to decide whether E-3 (SGTR) should be entered. A MSLB outside of the containment could trigger false secondary radiation alarms, which increases the likelihood of a misdiagnosis that leads to entering E-3.
If the operator mistakenly enters E-3 based on the secondary radiation indications shown in the main control room, E-2 Step 6 has already instructed the operator to ask the chemistry department to periodically sample the SGs for radiation. The sample results would redirect the shift supervisor from E-3 back to E-2 Step 6. If the operator did not enter E-3, E-2 Step 8 directs the operators to transfer to ES-1.1 to terminate SI. If the operator mistakenly enters E-3, the operators' diagnosis is likely a combined MSLB and SGTR scenario, because a clear MSLB symptom (a depressurized SG) coexists with the false secondary radiation alarms. The operator's chance to re-conclude that there is no SGTR comes from sampling the SGs for radiation. This has to be done on site by chemistry staff. Another symptom that identifies an ongoing SGTR is a rising SG water level. This symptom would be hard to detect in a MSLB event because the faulted SG water level indication is below zero due to blowdown, and the intact SG water levels are affected by AFW, which makes detecting an uncontrolled SG water level rise challenging.

2.2.4 Relevant Events

Turkey Point 3 safety valve header failure (December 1971; ML003736245; not publicly available)

Early on the morning of the incident the hot functional tests were nearing completion and preparations were under way for rolling the turbine. The header failed about 15 min prior to the shift change, so only personnel from the midnight crew and some of the day shift crew who had come in early were present. Equilibrium conditions of 547F and 2235 psig had been established in the primary system for more than 8 hours prior to the header failure. Three primary pumps were in service, one charging pump was operating, and letdown flow through the mixed bed demineralizer was 60 gpm. The pressurizer pressure and level controls were in automatic. Boration of the primary system was the only test procedure in progress, and this operation had been established about 2 hours prior to the incident. The secondary system pressure had been established at 990 psig for more than 8 hours; the main steamline isolation bypass valves were closed, the main FW and FW bypass valves were closed, and the steam generator feed pumps were off. The secondary system was operating under static load conditions only. The initial indication in the control room was a loud noise that sounded like escaping steam. The operators then observed a rapid decrease in pressurizer level and pressure, a rapid decrease in the hot and cold leg temperatures of the loop and in the average loop temperature, a rapid decrease in steam generator level, closure of the letdown valve, and a trip of the pressurizer heaters. From the console the operators immediately stopped the three primary pumps, started a second charging pump, closed the FW valve to the affected steam generator, closed the atmospheric steam dump valves on the other two loops, and initiated makeup of primary water to restore the level in the volume control tank. The pressurizer level was restored to normal within 15 min, and then one of the charging pumps was stopped and a 45 gpm letdown was established.
When conditions had stabilized, the coolant pump in the failed loop was restarted and an orderly cooldown was initiated. No personnel were on the steam line platform at the time of the incident, but the blast and debris associated with the escaping steam resulted in minor injury to 16 people, 2 of whom required hospitalization. Since the safety valve headers are located upstream of the isolation valves on the main steam lines, a complete blowdown of steam generator 3A occurred, accompanied by partial cooldown of the reactor coolant system. When the steam blowing had subsided, it was observed that 3 of the 4 safety valves had blown off the header on one steam loop and that the north segment of the header was split open.

H.B. Robinson 2 circumferential pipe rupture and blowdown (April 1970; ML003736245; not publicly available)

The steam generator secondary system safety valve lift set pressures were being checked. Verification of the safety valve set points, and adjustments as necessary, were being performed using a pneumatic test device which allows the set points to be verified without raising the system pressure to the lift pressure. The plant was operating at 533F and 2225 psi primary system pressure with a secondary system pressure of 900 psi and a constant level in the steam generators. Eight of a total of 12 valves had been tested. The pneumatic test device had been installed on the valve and air pressure was being increased to relax the valve spring force in order to determine the valve set pressure. A loud noise was heard, followed by a shower of steam, insulation, scaffolding, metal parts and construction debris. The men in the vicinity of the valve were either knocked to the deck by the explosion or were forced to lie down due to lack of air to breathe. The rapid release of steam displaced the air from the area above the pipe, requiring the men to stay in a position near the floor. They made their way out of the area and down the steps away from the immediate scene of the incident under their own power. The men were transported to a local hospital and treated for burns and injuries. One man was released; the other six were admitted to the hospital for treatment. The initial noise was immediately followed by a second, louder noise. The initial steam accumulation in the area of the break spread in an almost horizontal plane, followed by the formation of a vertical column of steam which rose an estimated 150 ft into the air. There was an area of localized cutting of insulation on a nearby line in a horizontal plane from the break. This damage suggests an initial crack in the pipe.
Steam apparently was directed horizontally in this direction for a brief period of time prior to a complete severance of the pipe and expulsion of the total valve assembly from the area by the force of the steam jet. Such a sequence of events is also suggested by the reported 2 stages of sound, the appearance of the fracture, and the direction of travel of the separated valve. The valve was propelled against the structural members supporting the steam lines and rebounded back toward the turbine building. The valve came to rest on the turbine building mezzanine floor. In addition to striking the supporting structure, the valve struck and carried away an angle brace and dented and moved the stack from the auxiliary boilers, causing its supports to bend and break away. There was no conclusive evidence to show that this valve actually reached its set point and "popped". At the time of the incident a loud noise was heard by the control operator followed by a rapid decrease in pressurizer level and pressure. In addition, level decreased rapidly in the "C" steam generator and reactor coolant system temperature began to rapidly decrease. Action was taken by the control operator to secure all 3 reactor coolant pumps. Two additional charging pumps were placed in service and letdown was secured to minimize the effects of pressurizer level and pressure decrease. Pressurizer heaters were manually de-energized prior to reaching the automatic heater cutoff set point on pressurizer low level. Even though the pressurizer level decreased off scale, it is not believed that pressurizer steam bubble expanded out of the surge line.

The level in steam generator "C" decreased to zero in about 1 hour. The overall transient cooled the reactor coolant system by approximately 213F over 1 hour.

Millstone event (as described in Section 1.2.4)

The Millstone event is a combination of an inadvertent SI actuation and a SG safety valve stuck open. The procedure following path and the cognitive challenge are relevant to the MSLB event.

2.3 HFE

The HFE of terminating SI in a MSLB scenario can be represented by the crew response diagram in Figure 2, which shows the potential procedure following paths explained below (the numbering corresponds to the block numbers in Figure 2):

1. Enter E-0 Step 1 due to confirmation of a reactor trip and SI signal
2. At E-0 Step 21: check the SG secondary pressure boundaries by whether any SG pressure is dropping in an uncontrolled manner or any SG is completely depressurized. If any SG secondary pressure boundary is breached (the expected detection), transfer to E-2 Step 1 (Item 3). If all SG secondary pressure boundaries are judged intact (an incorrect detection), continue to E-0 Step 22.
3. Transfer and enter to E-2 Step 1.
4. E-2 Step 6: check the secondary radiation. If the radiation level is normal, transfer to ES-1.1 (Item 5). If the radiation is abnormal, transfer to E-3 (Item 6). The shift supervisor requests the chemistry department to periodically sample all SGs for radiation.

Note: A MSLB outside of the containment may cause the secondary radiation monitors to fail high due to elevated area temperatures.

5. Enter ES-1.1 to terminate SI. The success criterion is to terminate SI within 60 minutes from the initiating event.
6. Enter E-3: This is due to a misdiagnosis. The operator mistakenly concluded that the secondary radiation level is abnormal.
7. Sample SG radiation as instructed by E-2 Step 6.
8. Check if the SG tubes are intact. If intact, the procedure path leads to entering ES-1.1 to terminate SI. If not intact, E-3 is entered.
9. Enter ES-1.1 to terminate SI.
10. Enter E-3. E-3 has an instruction to request sampling of the SGs for radiation (Item 11).
11. Sample the SGs for radiation as instructed by E-3 Step ??. If the sampling concludes there is no radiation, the operator would return to E-0 Step 22, which in turn leads to ES-1.1.

A delayed sampling result would lead to lifting of the pressurizer safety valves.

Figure 2. The potential procedure following paths (flow diagram, reconstructed as a block list; the OPA numbers are the operator action identifiers used in the diagram):

1. Enter E-0 Step 1 by reactor trip and SI signal -> 2
2. E-0 Step 21, check if SG secondary pressure boundaries are intact (OPA-2.1): Not intact -> 3; Intact -> 8
3. Transfer to E-2 Step 1 -> 4
4. E-2 Step 6, check secondary radiation (OPA-2.3): Radiation normal -> 5; Radiation abnormal -> 6
5. Enter ES-1.1
6. Enter E-3 -> 7
7. Sample SG radiation in time: Yes -> 5; No -> PZR safety valve lift
8. E-0 Step 22, check if SG tubes are intact (OPA-2.2): Intact -> 9; Not intact -> 10
9. Enter ES-1.1
10. Enter E-3 -> 11
11. Sample SGs radiation in time: Yes -> 8 (then 9); No -> PZR safety valve lift

2.3.1 HEP (Item 2)

HEP = negligible.

Item 2 is the check of the SG secondary pressure boundaries at E-0 Step 21. The loud steam leak noise reported in both the Turkey Point 3 and H.B. Robinson 2 events (Section 2.2.4) and a clear depressurization of the faulted SG provide a clear indication that the SG secondary integrity has been breached.

THERP. The corresponding error modes are:
- Miss the procedure step: HEP = 0.003, EF = 3 (Table 20-7, Item 2, long list, > 10 items).
- Select an incorrect display: the SG pressure displays are dissimilar to the adjacent displays. HEP = negligible (Table 20-9, Item 1).
- Misread the display: the operator only needs to know that one SG pressure is much lower than the others, not the exact faulted SG pressure; the reading is a status check. Therefore Table 20-11, Item 8, confirming a status change on a status lamp, applies. HEP = negligible.

CBDT. The corresponding error modes are:
- Relevant step in procedure missed: HEP = 0.003 (Pce, path c).
- Misread or miscommunicated: HEP = negligible (Pcc, path a).

Discussion

Both THERP and CBDT estimate a basic HEP of 0.003. Two factors are expected to significantly reduce the HEP estimate: (1) the loud noise caused by the MSLB, as occurred in the Turkey Point and H.B. Robinson events; the operator immediately notices that the secondary side is abnormal; and (2) the MSLB is a frequently trained simulator scenario; the operators receive MSLB simulator training about three times a year. For these reasons, the probability of skipping the procedure step is judged negligible. Because the HEP of Item 2 is negligible, Items 8, 9, 10, and 11 in Figure 2 do not need to be analyzed.

2.3.2 HEP (Item 4)

E-2 Step 6: check the secondary radiation. This step instructs the operators to check the following radiation indications to determine whether to transfer to E-3, SGTR:
- SJAE/gland steam exhaust gas
- SG blowdown liquid radiation
- Main steamline 2A, MSIV room
- Main steamline 2B, MSIV room
- Main steamline 2C, MSIV room
- Main steamline 2D, MSIV room
- Secondary activity samples (measured at a frequency of about once per hour)

A note in E-2 states that a MSLB outside of the containment may cause the secondary radiation monitors to fail high due to elevated area temperatures. All of the above radiation monitors are located outside of the containment. The following assumptions are applied to this analysis; more precise estimates would require a plant walk-through that is not available to this analysis:

1. If the MSLB break is inside the containment, none of the radiation indications will be triggered.
2. If the MSLB break is outside of the containment, there is a 50% chance that 50% of the secondary radiation indications listed above will fail high. Taking a secondary activity sample cannot be performed due to the adverse environmental effects caused by the MSLB.

2.3.2.1 Ex-Containment MSLB

The ex-containment MSLB assumes a 50% chance that 50% of the secondary radiation indications listed above fail high. The two situations are discussed separately:
- 50% of the secondary radiation alarms fail high: conditional probability 50%.
- No secondary radiation alarm fails high: conditional probability 50%.

2.3.2.1.1 50% of the secondary radiation alarms fail high: HEP = 0.15

SPAR-H

Table 20. SPAR-H evaluation (diagnosis) of 50% of the secondary radiation indications failing high due to an ex-containment MSLB

PSF                   Status           Multiplier   Justification
Available Time        Nominal time     1
Stress/Stressors      High             2            Encountering a major event with many secondary radiation alarms
Complexity            Highly complex   5            50% of the indications are false
Experience/Training   Normal           1            MSLB simulation is performed three times a year, but 50% false alarms is less frequently trained
Procedures            Normal           1
Ergonomics/HMI        Nominal          1
Fitness for Duty      Nominal          1
Work Processes        Nominal          1

The HEP from Table 20 is 0.01 x 2 x 5 = 0.1 (the nominal diagnosis HEP of 0.01 times the stress and complexity multipliers).

NARA

Applying the generic task "Identification of situation requiring interpretation of complex pattern of alarms/indications": base HEP = 0.2.
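The following script is an added example, not code from the original HRA report. It evaluates the SPAR-H diagnosis HEP from the Table 20 multipliers, applies the adjustment that SPAR-H (NUREG/CR-6883) uses when three or more PSFs are negative so that the product cannot exceed 1.0, and averages the result with the NARA base HEP as the section does. The PSF dictionary is transcribed from Table 20 and the NARA value from the sentence above; the three-negative-PSF case at the end is a constructed what-if (a poor-procedures multiplier of 5 is assumed), not a case the report evaluates.

```python
"""SPAR-H / NARA HEP evaluation for E-2 Step 6 (added example)."""
from statistics import mean

# SPAR-H nominal HEPs (NUREG/CR-6883): diagnosis 0.01, action 0.001.
NOMINAL_HEP = {"diagnosis": 0.01, "action": 0.001}

# Table 20 multipliers for the 50%-false-alarm diagnosis (status in comments).
TABLE_20_DIAGNOSIS = {
    "available_time": 1.0,       # nominal time
    "stress": 2.0,               # high: major event, many secondary radiation alarms
    "complexity": 5.0,           # highly complex: 50% of the indications are false
    "experience_training": 1.0,  # normal: MSLB trained 3x/year, false-alarm variant less often
    "procedures": 1.0,           # normal
    "ergonomics_hmi": 1.0,       # nominal
    "fitness_for_duty": 1.0,     # nominal
    "work_processes": 1.0,       # nominal
}

# NARA generic task "identification of situation requiring interpretation of
# complex pattern of alarms/indications", base HEP as given in the report.
NARA_BASE_HEP = 0.2


def spar_h_hep(task_type: str, psf: dict) -> float:
    """SPAR-H HEP = NHEP x product of the eight PSF multipliers.

    When three or more PSFs are negative (multiplier > 1), SPAR-H replaces the
    plain product with NHEP*C / (NHEP*(C-1) + 1), which keeps the HEP <= 1.0.
    """
    if len(psf) != 8:
        raise ValueError("SPAR-H expects exactly eight PSF multipliers")
    nhep = NOMINAL_HEP[task_type]
    composite = 1.0
    negative = 0
    for multiplier in psf.values():
        composite *= multiplier
        if multiplier > 1.0:
            negative += 1
    if negative >= 3:
        return nhep * composite / (nhep * (composite - 1.0) + 1.0)
    return min(nhep * composite, 1.0)


def item4_hep_50pct_false_alarms() -> float:
    """Average of the SPAR-H and NARA estimates, as done in Section 2.3.2.1.1."""
    return mean([spar_h_hep("diagnosis", TABLE_20_DIAGNOSIS), NARA_BASE_HEP])


def three_negative_psf_example() -> float:
    """Constructed what-if: a third negative PSF (assumed poor procedures, x5).

    The plain product would give 0.01*2*5*5 = 0.5; the SPAR-H adjustment
    formula gives a smaller value, which is why that branch exists.
    """
    psf = dict(TABLE_20_DIAGNOSIS, procedures=5.0)
    return spar_h_hep("diagnosis", psf)


if __name__ == "__main__":
    print(f"SPAR-H diagnosis HEP (Table 20): {spar_h_hep('diagnosis', TABLE_20_DIAGNOSIS):.3f}")
    print(f"NARA base HEP: {NARA_BASE_HEP:.3f}")
    print(f"Averaged Item 4 HEP: {item4_hep_50pct_false_alarms():.3f}")
    print(f"Three-negative-PSF what-if: {three_negative_psf_example():.4f}")
```

The eight-PSF check matters in practice: a worksheet with a PSF silently omitted multiplies by nothing and looks like a nominal rating.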

The averaged HEP for 50% of the secondary radiation alarms failing high is (0.1 + 0.2)/2 = 0.15.

2.3.2.1.2 No secondary radiation alarm fails high: HEP = negligible

Because there are no false secondary alarms, the probability of mis-detecting multiple radiation indications is negligible.

2.3.2.2 In-Containment MSLB

The in-containment analysis is identical to the analysis of the ex-containment MSLB without false radiation alarms (Section 2.3.2.1.2).

2.3.3 HEP (Item 5)

ES-1.1 includes two operator actions essential to this analysis:
- Reset SI (Step 1)
- Terminate the high head ECCS (Step 6). This can only be performed after Step 1 is completed.

Including the diagnosis process, the high head ECCS needs to be terminated within 60 minutes from the initiating event. Two procedure following paths reach Item 5, ES-1.1, and are analyzed separately:
Path 1: Item 1 -> Item 2 -> Item 3 -> Item 4 -> Item 5
Path 2: Item 1 -> Item 2 -> Item 3 -> Item 4 -> Item 6 -> Item 7 -> Item 5

2.3.3.1 Path 1

2.3.3.1.1 Pt - Path 1

Three data sets are compared:
- The Turkey Point 3 safety valve header failure event description states: "The pressurizer level was restored to normal within 15 min and then one of the charging pumps was stopped and a 45-gpm letdown was established." In the Byron procedure, E-2 Step 7.d is maintaining PZR water level and E-2 Step 7.e is transferring to ES-1.1; stopping the charging pump is instructed in ES-1.1 Step 6. Completing ES-1.1 within 60 minutes is considered success in this analysis.
- In the Millstone event, the operator took 21 minutes to reach the E-0 step that determines whether E-2 should be entered. This corresponds to Byron E-0 Step 21.
- KAERI data show that operators spent on average 200 seconds reaching the E-0 step that diagnoses a SGTR event. This corresponds to Byron E-0 Step 22.

Comparing these three data sets, the KAERI crews had the fastest pace in following the procedures, followed by Turkey Point 3. The Turkey Point 3 event occurred in 1971, before symptom based procedures were available. Based on the onsite observation report, the Turkey Point control room operators appear to have entered the E-2 equivalent (event based) procedure promptly. The Millstone event represents a more complicated scenario. IDHEAS-G provides a table of the factors affecting the time required to complete a task, reproduced as Table 21. It is concluded that the time variability across the three data sets is dominated by the diagnosis time, which depends on scenario complexity. Therefore, the Path 1 time assessment is divided into two situations:
- Situation A: ex-containment MSLB without false secondary radiation alarms
- Situation B: ex-containment MSLB with 50% false secondary radiation alarms

Pt - Path 1, no false secondary radiation alarms

In Situation A, the Turkey Point 3 time data are used. Three minutes are added to the 15 minutes to cover the time needed to transfer to ES-1.1 and perform ES-1.1 Step 6, so the time required is estimated as 18 minutes. Based on the KAERI data, the standard deviation of the time required is on average about one half of the mean time required. Using a normal distribution with a mean time required of 18 minutes, a standard deviation of 9 minutes, and a time available of 60 minutes, the probability that the time required exceeds the time available is 2E-6.

Pt - Path 1, 50% false secondary radiation alarms

Situation B represents a complicated diagnosis with 50% false secondary radiation alarms, in which the operator chooses not to enter E-3. The Millstone event time data are used. A crew briefing is likely to take place to discuss the situation and reach consensus on not entering E-3; a crew briefing occurred in the Millstone event to discuss whether E-2 should be entered. In the Millstone event it took 44 minutes to terminate SI; this is used as the mean time required, and the standard deviation is assumed to be 22 minutes, one half of the mean. Using a normal distribution with a mean of 44 minutes, a standard deviation of 22 minutes, and a time available of 60 minutes, this results in an HEP of 0.234.
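The time-window calculation above, as an added example that is not part of the original report: the required time is modelled as normal with the report's mean and the "standard deviation is half the mean" rule, and Pt is the upper tail beyond the 60 minute criterion. The inverse function is an addition the report does not make; it answers the practitioner's follow-up question of how much time would have to be available for Situation B to reach a chosen Pt, and the 0.01 target used for it is an assumption.

```python
"""Time-window HEP (Pt) for Path 1 (added example)."""
from statistics import NormalDist

# Time data from the report, in minutes.
SITUATION_A_MEAN = 18.0   # Turkey Point 3: 15 min + 3 min to reach ES-1.1 Step 6
SITUATION_B_MEAN = 44.0   # Millstone event: 44 min to terminate SI
TIME_AVAILABLE = 60.0     # success criterion: terminate SI within 60 min


def time_hep(mean_required: float, sd_required: float, available: float) -> float:
    """P(T_required > T_available) with T_required ~ Normal(mean, sd)."""
    if sd_required <= 0:
        raise ValueError("standard deviation must be positive")
    return 1.0 - NormalDist(mean_required, sd_required).cdf(available)


def path1_time_hep(mean_required: float, available: float = TIME_AVAILABLE) -> float:
    """Apply the report's rule that sd is one half of the mean time required."""
    return time_hep(mean_required, mean_required / 2.0, available)


def window_for_target_hep(mean_required: float, sd_required: float, target_hep: float) -> float:
    """Time available that brings Pt down to target_hep (inverse of time_hep)."""
    if not 0.0 < target_hep < 1.0:
        raise ValueError("target HEP must be strictly between 0 and 1")
    return NormalDist(mean_required, sd_required).inv_cdf(1.0 - target_hep)


if __name__ == "__main__":
    print(f"Situation A: Pt = {path1_time_hep(SITUATION_A_MEAN):.1e}")   # about 2E-6
    print(f"Situation B: Pt = {path1_time_hep(SITUATION_B_MEAN):.3f}")   # about 0.234
    # Assumed target of 0.01 for the what-if question (not from the report).
    print(f"Window for Pt = 0.01 in Situation B: "
          f"{window_for_target_hep(SITUATION_B_MEAN, SITUATION_B_MEAN / 2, 0.01):.1f} min")
```

Because the normal model has no lower bound, a mean of 44 minutes with a 22 minute standard deviation assigns about 2% of the mass to negative times; that is harmless for the upper tail used here but is worth remembering if the same distribution is reused for a lower-bound question.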

Table 21. The factors affecting the variability of the time required (from IDHEAS-G)

Cognitive task    Factors contributing to the time required
Detection         Travel to the source location of the information; prepare and calibrate equipment needed for detection; detect/attend to an indication; confirm and verify the indicators; record and communicate the detected information.
Diagnosis         Assess the information needed for diagnosis, such as the knowledge and status of a valve, pump, heater, battery, etc.; integrate low-level information to create and/or determine high-level information; identify plant status and/or conditions based on several parameters, symptoms and the associated knowledge; collect information and delineate complex information such as a mass and/or energy flow involving two or more system functions; delineate conflicting information and unstable trends of parameters, e.g., interpret SG pressure trends when one train has failed; wait for continuous or dynamic information from the system to complete the diagnosis; verify the diagnosis results or reach a team consensus.
Decision-making   Prioritize goals and establish decision criteria; collect, interpret and integrate data to satisfy the decision; make the decision (determine parameters, choose strategies or develop a plan); coordinate the decision-makers (especially with a hierarchy of decision-making or a distributed decision-making team), achieve the consensus needed for the decision, or wait for certain information in order to make the decision; simulate or evaluate the outcome of the decision.
Action            Evaluate the action plan and coordinate staff; travel to and access the action site; time to acquire (deploy, install, calibrate) the tools and equipment (e.g., put on gloves) to perform the actions; time needed for action implementation (action steps, continuous action, and required timing of steps); confirmation of the actions, waiting for system feedback.

2.3.3.1.2 Pc - Path 1

Terminating SI is an action task because the diagnosis is led by the procedure; Item 5 does not need to consider a cognitive element. The action is to perform a series of about 10 discrete actions in the sequence directed by the procedure. Table 22 gives the SPAR-H PSF statuses for performing the actions.

Table 22. SPAR-H action table for performing SI termination

PSF                   Status         Multiplier   Notes
Available Time        Nominal time   1
Stress/Stressors      Normal         1
Complexity            Normal         1
Experience/Training   High           1
Procedures            Normal         1
Ergonomics/HMI        Nominal        1
Fitness for Duty      Nominal        1
Work Processes        Nominal        1

The action HEP is 0.001. This action failure probability applies to both Situation A and Situation B of the time analysis above.

2.3.3.2 Path 2

Path 2 represents the scenario in which the operator misdiagnoses an ongoing SGTR and transfers to E-3 from E-2 Step 6. This only occurs in the 50% false secondary radiation alarm situation; the no false alarm scenarios (ex-containment with 0% false secondary radiation alarms, and the in-containment MSLB) are not included in Path 2. The operators' mindset is to confirm that a SGTR is ongoing. The objective of E-3 is to identify and isolate the ruptured SG(s) and to cool down and depressurize the RCS. Because there is no SGTR, the scenario and the procedure are mismatched and the operator will not be able to identify a ruptured SG. The task is complicated by the following considerations:
- The operator would use SG water levels to identify the ruptured SG. The faulted SG level is below the instrument measuring range, and the intact SG water levels are affected by AFW, so the symptom of water leakage from the RCS into a SG is masked.
- Taking secondary activity samples is challenged by the high temperature and the potentially high radiation alarms caused by the ex-containment MSLB.
- Requesting health physicists and an on-site engineer to don protective clothing and equipment to survey the MSLB damage and radiation could provide the operators with correct information, but the results are not expected to be available within the 60 minutes available.

Based on the above, it is assessed that if the operator mistakenly enters E-3 because of false secondary radiation alarms, the operator will not be able to terminate SI in time. HEP = 1.0.

2.3.4 HEP Results

Figure 3 (reproduced in Section 2.1) summarizes the MSLB HEP analysis. The HEP of an ex-containment MSLB is 0.175; this number is based on a 50% chance that 50% of the secondary radiation alarms fail high. The HEP of an in-containment MSLB is 4.5E-4.
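The Figure 3 event tree quantified as data, as an added example that is not code from the original report: each split is a mapping from branch label to (probability, child), so the sequence probabilities and the HEP conditional on the break location fall out of one traversal, and a completeness check catches a split whose branches do not sum to one. The branch values are the ones printed in Figure 3 (0.235 on the 50% false alarm branch is the Situation B time HEP of 0.234 plus the 0.001 action HEP). One caveat the traversal exposes: with the 0.999/0.001 split shown for the in-containment branch, the failure sequence evaluates to 1.0E-3 x Z rather than the 4.50E-4 x Z printed in the figure, so the in-containment inputs should be reconciled with Section 2.3.2.2 before that number is reused.

```python
"""Quantification of the Figure 3 MSLB event tree (added example)."""
from typing import Dict, Iterator, Tuple, Union

# A tree node is either an end state ("S" success / "F" failure) or a mapping
# branch label -> (branch probability, child node).
Node = Union[str, Dict[str, Tuple[float, "Node"]]]

# Ex-containment sub-tree (conditional on the break being outside containment).
# 0.235 is the Path 1 Situation B time HEP 0.234 plus the 0.001 action HEP.
EX_CTMT: Node = {
    "0% false alarms": (0.5, {
        "terminate SI": (0.999, "S"),
        "fail to terminate SI": (0.001, "F"),
    }),
    "50% false alarms": (0.5, {
        "not enter E-3": (0.85, {
            "terminate SI": (0.765, "S"),
            "fail to terminate SI": (0.235, "F"),
        }),
        "enter E-3": (0.15, "F"),   # Path 2: HEP = 1.0
    }),
}

# In-containment sub-tree: no false alarms, so only the SI termination split
# (branch values as printed in Figure 3).
IN_CTMT: Node = {
    "terminate SI": (0.999, "S"),
    "fail to terminate SI": (0.001, "F"),
}


def sequences(node: Node, path: Tuple[str, ...] = (),
              prob: float = 1.0) -> Iterator[Tuple[Tuple[str, ...], str, float]]:
    """Enumerate (branch path, end state, probability) for every sequence."""
    if isinstance(node, str):
        yield path, node, prob
        return
    for label, (p, child) in node.items():
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"branch {label!r} has probability {p}")
        yield from sequences(child, path + (label,), prob * p)


def conditional_hep(node: Node) -> float:
    """Sum of the failure sequences: HEP conditional on the sub-tree's entry point."""
    return sum(p for _, state, p in sequences(node) if state == "F")


def is_complete(node: Node, tol: float = 1e-9) -> bool:
    """Every split must sum to 1, so all sequence probabilities must sum to 1."""
    return abs(sum(p for _, _, p in sequences(node)) - 1.0) < tol


if __name__ == "__main__":
    for name, tree in (("Ex-CTMT (x Y)", EX_CTMT), ("In-CTMT (x Z)", IN_CTMT)):
        print(name)
        for path, state, p in sequences(tree):
            print(f"  {state}  {p:.3e}  {' -> '.join(path)}")
        print(f"  HEP = {conditional_hep(tree):.3e}  complete={is_complete(tree)}")
```

The overall MSLB HEP is Y times the ex-containment value plus Z times the in-containment value; the report leaves Y and Z symbolic, so the script reports the two conditional values separately.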

References:


1. Millstone Power Station Unit 3, NRC Special Inspection Report 05000423/2005012.
2. Byron Nuclear Power Station, Updated Final Safety Analysis Report, Chapter 15.6.
3. Park, J. and Jung, W., "A study on the development of a task complexity measure for emergency operating procedures of nuclear power plants," Reliability Engineering and System Safety, 92 (2007), 1102-1116.
4. Gertman, D., Blackman, H., Marble, J., Byers, J. and Smith, C., The SPAR-H Human Reliability Analysis Method, NUREG/CR-6883, 2005.
5. Kirwan, B., Gibson, H., Kennedy, R., Edmunds, J., Cooksley, G. and Umbers, I., "Nuclear Action Reliability Assessment (NARA): A data-based HRA tool," in Probabilistic Safety Assessment and Management 2004, Spitzer, C., Schmocker, U. and Dang, V.N. (Eds.), Springer, London, 2004, pp. 1206-1211.
6. Garry, P., Lydell, B., Spurgin, A., Moieni, P. and Bears, A., "An approach to the analysis of operator actions in probabilistic risk assessment," EPRI TR-100259, June 1992.
7. Swain, A. and Guttmann, H., "Handbook of human reliability analysis with emphasis on nuclear power plant applications," U.S. NRC NUREG/CR-1278, 1983.
}}