ML20012E267

Risk Sensitivity to Human Error in the LaSalle PRA
ML20012E267
Person / Time
Site: LaSalle
Issue date: 03/31/1990
From: Crouch D, Higgins J, Luckas W, Ohara J, Wong S
BROOKHAVEN NATIONAL LABORATORY
To:
Office of Nuclear Reactor Regulation
References
CON-FIN-A-3853 BNL-NUREG-52228, NUREG-CR-5527, NUDOCS 9004030071


Text

{{#Wiki_filter:NUREG/CR-5527
BNL-NUREG-52228

Risk Sensitivity to Human Error in the LaSalle PRA

Prepared by S. Wong, J. Higgins, J. O'Hara
Brookhaven National Laboratory

Prepared for U.S. Nuclear Regulatory Commission


NUREG/CR-5527
BNL-NUREG-52228

Risk Sensitivity to Human Error in the LaSalle PRA

Manuscript Completed: February 1990
Date Published: March 1990

Prepared by S. Wong, J. Higgins, J. O'Hara, D. Crouch, W. Luckas
Brookhaven National Laboratory, Upton, NY 11973

Prepared for Division of Radiation Protection and Emergency Preparedness, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, DC 20555
NRC FIN A3853


ABSTRACT

A sensitivity evaluation was conducted to assess the impact of human errors on the internal event risk parameters in the LaSalle plant. The results provide the variation in the risk parameters, namely, core melt frequency and accident sequence frequencies, due to hypothetical changes in human error probabilities. Also provided are insights derived from the results, which highlight important areas for concentration of risk limitation efforts associated with human performance.


EXECUTIVE SUMMARY

This report presents an evaluation of the sensitivity of nuclear power plant risk parameters to human errors that are modeled in a probabilistic risk assessment (PRA) and that can occur during normal and accident conditions at the plant. The PRA of the LaSalle nuclear power plant was the basis of the study, and the human errors whose impact is assessed are those included in the PRA. This PRA is currently being completed by the Sandia National Laboratory for the Risk Methods Integration and Evaluation Program and is still in draft form. The 1988 version of the draft PRA was selected for use in this study. The risk parameters chosen are the "internal event" accident sequence frequencies and the overall core-melt frequency. The sensitivity evaluations show the changes in these risk parameters for systematic variation of all human error probabilities and for selected categories of human errors. Human error probabilities were varied in groups and over conservatively large ranges in order to obtain insights on the effect on risk, rather than to obtain realistic values for possible variations in CMF.

Two similar sensitivity studies were previously completed by Brookhaven National Laboratory for the Surry plant (NUREG/CR-1879) and the Oconee plant (NUREG/CR-5319). These studies showed notable sensitivity of risk to changes in human error probabilities and derived some insights that appeared to have generic implications. Since Surry and Oconee were pressurized water reactors (PWRs), the next plant selected for such a study was a boiling water reactor (BWR), namely LaSalle. Due to the similarity of the earlier studies to this one, the background and methodology development presented in NUREG/CR-5319 is applicable but is not fully repeated here.

The importance of human error in determining risk from nuclear power plants is well known, and thus the purpose in performing this sensitivity evaluation was broader than merely verifying such importances. The sensitivity evaluation presented here provides a quantitative representation of changes in the human error probabilities (HEPs), identifies the change in risk obtained through variation of these HEPs, and identifies specific categories of human errors that particularly affect risk. Based on the plant-specific application using the LaSalle power plant PRA, the insights derived have both plant-specific and generic implications.

While conclusions regarding generic applicability cannot be overly broad at this time, some results as noted in the Executive Summary appear to be generally applicable, based on their nature and based on a comparison with the previous two studies.

The results of the human error sensitivity evaluations are presented in graphs showing the variation in the risk parameter due to changes in the human error probabilities. Figure 1 shows the sensitivity of LaSalle core melt frequency to variation in all human error probabilities within estimated ranges. Conclusive data was not available to help establish realistic ranges or bounds on human error probabilities. For this reason, and since all human errors were varied simultaneously, the displayed extreme values of core melt frequency should be regarded as hypothetical, resulting from extrapolation of PRA models beyond their originally intended purposes.

Specific insights from this core melt frequency curve are presented here. The details of interpretation of a number of such curves are presented in the report.

[Figure 1. Overall LaSalle CMF sensitivity to human error (B = base case). Vertical axis: core melt frequency; horizontal axis: HEP factor, from 1/29 to 29.]

The LaSalle CMF varies by a factor of 35 as all of the HEPs vary over their full range. This consists of a factor of 3.5 decrease in CMF as HEPs are decreased below their base case values to their lower bound and a factor of 10 increase in CMF as HEPs are increased above their base case values to their upper bound. A large portion of these changes occur as HEPs are varied within a factor of 5 increase or decrease from their base case values. These results, as well as the earlier studies, show that risk is generally quite sensitive to human performance.

As will be discussed in Section 4, the range over which the HEPs are varied is due to several factors, including innate human variability and uncertainty in the human reliability analysis (HRA). Since much of the range over which the HEPs were varied is due to uncertainty in the HEPs rather than actual human performance variability, more effort in improving human reliability analysis (HRA) techniques would appear beneficial. Additionally, if one assumes that the current HEP estimates are reasonably accurate, there is a large risk incentive to ensuring that human performance does not degrade beyond that assumed in the PRA (an increase in HEPs). There is also a smaller but noticeable risk incentive for improving human performance beyond that assumed in the PRA (a decrease in HEPs).

These general conclusions are similar to those drawn from the earlier Surry and Oconee studies. The span of CMF variation is approximately the same as that found for Surry and notably less than for Oconee. These results for LaSalle are largely driven by the dominant accident sequence, which is primarily a loss of offsite power-type sequence.


In this study, the human errors were categorized into various groups to understand the importance of various aspects of human behavior. The important insights derived from the sensitivity evaluation of these human error categories are summarized below:

a) Significance of During-Accident Errors

Human errors were categorized by the timing of the error as either pre-accident or during-accident. Ninety-five percent of the LaSalle errors were during-accident. As with the Oconee study, the sensitivity analyses show that the large majority of CMF sensitivity is due to the during-accident errors. These errors consist of both failure of operators to perform procedurally required actions and failure of operators or maintenance personnel to recover failed components or systems. As noted above, the range over which HEPs are varied is due to both human variability and uncertainty in the HRA. As a result, some analytical work to better define these HEPs would appear worthwhile. Also, since there is sensitivity in both the increase and decrease direction, reasonable actions to maintain or improve operator performance in these areas also appear worthwhile.

b) Issue of Simulator Modelling of Human Errors

The LaSalle PRA has taken a step forward in human reliability assessment (HRA) by utilizing, where possible, the LaSalle control room simulator to help quantify human error probabilities. However, not all errors were able to be determined from the simulator test runs. The sensitivity analyses showed that the group of HEs associated with during-accident, non-simulator, operations errors (such as recovery from a loss of offsite power), rather than simulator errors, dominated risk.

c) Significance of Operator Type

The Reactor Operators (ROs) have prime responsibility for actions in the large majority of the LaSalle human errors. However, almost half of the errors are the dual responsibility of the RO and a non-licensed operator (NL). These RO/NL dual-responsibility errors are more complex and generally involve activities directed from the main control room, but consisting of both control room and outside control room manipulations, such as recovery of offsite power or recovery of a failed system or component. These errors also require coordination and communication between the different operators within the shift to successfully accomplish the action. The majority of risk sensitivity is due to the shared-responsibility RO/NL errors. This points out the importance of the non-licensed operators and the importance of good communications among the operations shift team. A similar general conclusion about the importance of the non-licensed operators and good teamwork was made for Oconee, even though the specific errors and sequences that were dominant were quite different. Since these errors are somewhat complex, they are likely difficult to model and to properly train operators to respond to them. This illustrates the importance of effective accident management, including: training during emergency preparedness exercises, good emergency operating procedures, and an effective organization.

d) Role of Pre-Accident Human Errors

Somewhat differently than other PRAs, the final LaSalle model includes very few pre-accident errors such as calibration errors and failure to properly restore valves after test or maintenance. For the base case PRA, this shows that these errors have little risk importance. However, since they were not available to vary, no conclusions can be drawn about their sensitivity.

More detailed insights related to specific aspects of the study may be found in Chapters 5 and 6 of the report.

CONTENTS

ABSTRACT
EXECUTIVE SUMMARY
LIST OF FIGURES
LIST OF TABLES
ACKNOWLEDGEMENT

1. INTRODUCTION
   1.1 Background
   1.2 Purpose
   1.3 Objectives
   1.4 Scope and Limitations
   1.5 Organization of Report
2. METHODOLOGY
3. CATEGORIZATION OF HUMAN ERRORS IN LASALLE PRA
   3.1 Identification of Important Human Errors
   3.2 Development of Categorization Scheme
   3.3 Construction of Human Error Database
   3.4 Results of Categorization
       3.4.1 Sorts of Categories
       3.4.2 Recovery Errors
   3.5 Conclusions
4. DEVELOPMENT OF RANGE ESTIMATES FOR HUMAN ERROR PROBABILITIES
   4.1 Methodology
       4.1.1 Sources of Uncertainty and Variability in Human Error (HEP) Estimation
       4.1.2 Definition of Error Factor Groups and Assignment of Human Errors
       4.1.3 Specification of Error Factors (EFs) for Human Errors
       4.1.4 HEP Range Estimation
   4.2 Results of HEP Range Calculations
5. SENSITIVITY CALCULATIONS
   5.1 Method/Approach
       5.1.1 Sensitivity Evaluation
       5.1.2 Methods of Varying HEPs
   5.2 Results of Sensitivity Calculations
       5.2.1 Overall Sensitivity of Risk Parameters
       5.2.2 Sensitivity of Risk (CMF) to Various Categories of Human Errors
       5.2.3 Sensitivity of Dominant Accident Sequences to Human Errors
       5.2.4 Sensitivity Evaluation of Recovery Errors
       5.2.5 Importance Ranking of Risk Significant Human Errors
6. SUMMARY OF RESULTS AND INSIGHTS
   6.1 Overall Sensitivity of CMF
   6.2 Sensitivity of Various Categories of HEs
       6.2.1 Importance of During Accident Errors
       6.2.2 Action Type
       6.2.3 Simulator Modelling and Sensitivity Groups
       6.2.4 Operator Type
       6.2.5 Recovery Action Sensitivity
   6.3 Individual Accident Sequence Sensitivity
7. REFERENCES

APPENDIX A: DETAILS OF HUMAN ERROR CATEGORIZATION
APPENDIX B: LASALLE PRA MODEL
APPENDIX C: SENSITIVITY CALCULATION DATA
APPENDIX D: CHARACTERIZATION OF IMPORTANT HUMAN ERRORS IN LASALLE PRA
APPENDIX E: CALCULATION OF RANGE OF HEPS IN VARIOUS ERROR GROUPS
APPENDIX F: SENSITIVITY OF DOMINANT ACCIDENT SEQUENCES TO HUMAN ERROR

LIST OF FIGURES

2.1 Overview of methodology
3.1 Distribution of human errors across LaSalle plant systems
3.2 Distribution of human errors among LaSalle plant components
3.3 Human errors in the LaSalle database - PERSONNEL category
3.4 Human errors in the LaSalle database - LOCATION category
3.5 Human errors in the LaSalle database - ACTIONTYPE category
3.6 Human errors in the LaSalle database - ACTIVITY category
3.7 Human errors in the LaSalle database - SIMULATOR category
3.8 Human errors in the LaSalle database - GENERIC category
3.9 Human errors in the LaSalle database - SENSITIVITY GROUP category
3.10 Linkage diagram of human error categorization based on timing, location, and personnel categories
3.11 Linkage diagram of human error categorization based on simulator, generic, and sensitivity group categories
4.1 Algorithm for assignment of errors to specific groups
5.1 Overall CMF sensitivity to human error
5.2 Sensitivity of CMF to HEP variations
5.3 Relative distribution of accident risk for transient sequences over HEP range
5.4 Relative distribution of accident risk for LOCA and ATWS sequences over HEP range
5.5 Sensitivity of dominant accident sequences to HEP variation (HEP factor)
5.6 Variation of ASF factors to HEP changes
5.7 Sensitivity of CMF to pre-accident and during-accident errors
5.8 Sensitivity of CMF to types of human performance actions
5.9 Sensitivity of CMF to categories of manual actions
5.10 Sensitivity of CMF to personnel type and RO interactions
5.11 Sensitivity of CMF to simulator-based HEPs
5.12 Sensitivity of CMF to error types
5.13 Influence of sensitivity group on CMF
5.14 Impact of RA-type events on CMF with non-RA during-accident errors varied by HEP factors
5.15 Impact of RA-type events on accident sequence frequency of T8 sequence for during-accident errors

LIST OF TABLES

3.1 Human Error Categorization Scheme
3.2 Examples of Human Error Categorization
3.3 Human Errors in the LaSalle Database - NRC Program Category
4.1 Error Factors as a Function of Uncertainty/Variability Sources and Error Group
4.2 Total Error Factors Derived for Human Error Groups
5.1 Summary of Sensitivity Evaluations to Assess Implications of Human Errors on LaSalle Plant Risk
5.2 Importance Ranking of Human Errors in the LaSalle PRA Model
6.1 Factors by Which CMF Changes with Changes in HEPs
6.2 Summary of Human Error Groups for LaSalle PRA


ACKNOWLEDGEMENT

The authors wish to thank the NRC technical monitors for the program, Robert Palla and Adel El-Bassioni, for their comments and constructive guidance on all phases of this project. We also extend our thanks to Thomas Murley of the NRC for the inspiration and support to initiate and continue the project. We further wish to thank all those associated with the LaSalle PRA project for their assistance in providing information throughout this program and comments on the draft versions of this report, including Dale Rasmuson, NRC, and Donnie Whitehead and Art Payne, Sandia National Laboratory. We also extend our gratitude to our associates at Brookhaven National Laboratory for review, comments, insights, and assistance: Robert Hall, Sonja Haber, Raymond Voss, and Robert Youngblood. Finally, we thank Kathleen Nasta for her excellent help in preparing the manuscript from several different authors over an extended period of time.

1.0 INTRODUCTION

1.1 Background

Risk to the public from nuclear power plants (NPPs) has been assessed quantitatively over the past 15 years by a technique known as probabilistic risk assessment or PRA. This technique is a comprehensive, integrated analysis of the plant, systems, components, and the operator actions needed to control the plant. In the first stage of the PRA (Level 1), the likelihood of risk to the public is expressed as the frequency of damage to the reactor core or core melt frequency (CMF). This is later extended to offsite public health effects through detailed containment (Level 2) and consequence (Level 3) analyses. This study will focus on risk only in terms of the Level 1 PRA and core melt frequency. Thus, where risk is used in this report, it refers to core melt frequency.

In the PRA, failure probabilities are assigned to equipment based on data analysis. The human actions which are modelled in the PRA as human errors are also quantified via a Human Reliability Assessment (HRA). HRA methods have continuously improved over the last decade, but are still subjective and contain some uncertainty. Despite this uncertainty, human performance is believed to play a very important role in overall plant safety and hence, in determining plant risk. The two core melt events that have occurred at power reactors (Three Mile Island and Chernobyl) were heavily influenced by human errors. As a result, there is a desire to quantify how much of an effect human performance has on risk via a PRA and, if possible, derive insights on how to limit risk.

Toward this end, two previous studies were conducted at Brookhaven to determine the sensitivity of risk (i.e., CMF) to human error and to develop insights relative to the results. The first study (NUREG/CR-1879) analyzed the Surry nuclear power plant (NPP), which is a Pressurized Water Reactor (PWR), as modelled in the WASH-1400 PRA. This PRA was the first one performed for a NPP and was completed in 1975. The HRA methods were just under development at that time. The study showed that variation in the human error probabilities could noticeably affect the CMF results of the PRA. The second study (NUREG/CR-5319) analyzed the Oconee NPP, also a PWR, as modelled in the NSAC 60 PRA. This PRA was completed in 1984 and used a much more detailed HRA methodology. These study results showed an even greater sensitivity of CMF to human error variation than Surry. Interesting insights were obtained regarding the types of human actions that most significantly affected risk and the specific accident sequences within the PRA which were particularly sensitive to human performance errors.

1.2 Purpose

The current study was designed as a follow-on to the Surry and Oconee studies mentioned above. The purpose was to perform a similar risk sensitivity study for a Boiling Water Reactor (BWR) plant with a recent PRA, which utilized current HRA methods. The purpose was to determine the sensitivity of plant risk (as measured by CMF) to variations in human errors and to identify and characterize those human actions which had particular risk significance.

The LaSalle PRA, currently being performed by Sandia National Laboratories for the U.S. NRC, was chosen for the study. This PRA is described in Appendix B. A detailed comparison between the results of this LaSalle study and the previous Oconee study, and an analysis of reasons for differences, will be performed in the future. These two studies were selected for a detailed comparison because both are recent PRAs with somewhat different risk sensitivity results.

1.3 Objectives

In order to meet the above stated purposes of the study, more specific objectives were established. However, first some preliminary tasks were needed. The human error categorization scheme developed in the Oconee study was modified slightly to fit the LaSalle HRA. Then ranges were developed over which the human error probabilities (HEPs) might be expected to vary, due to uncertainty and personnel variability. The specific objectives then addressed were:

1) To vary all HEPs over their estimated ranges and to determine the resultant effects on plant risk as measured by core melt frequency (CMF) and the various accident sequence frequencies (ASF).
2) To examine the effects on risk (i.e., CMF and ASF) of varying HEPs within the numerous different categories of human errors that were established.
3) To develop insights relative to the types and aspects of human performance which are important to risk, based on examining the results of 1 and 2.

In the process of completing this project, an integrated team approach was used, where the various team members brought a variety of diverse skills to the project. Included on the team were people with experience in the following areas: PRA, human factors, reactor operations, statistics, organization & management, and data analysis.

1.4 Scope and Limitations

The current study of human error sensitivity at LaSalle is constrained by several factors. The LaSalle PRA has been underway for about three years. While it is nearing completion, not all documentation is completed, and not all pertinent reviews have been performed, thus it is still considered to be in draft form. This study accepted the PRA as is and hence, any limitations on modelling in the PRA also apply to this study. For example, as is typical in current PRAs, there are no operator errors of commission included in the PRA; any human errors occurring in the conduct of maintenance, resulting in later equipment failure, are included only in the hardware failure rates and not as specific human errors; and the effects of management and training are not modelled. Other human error modelling issues unique to the LaSalle PRA are discussed in Appendix B. Additionally, this study only considered internal events (as termed in PRA literature) such as plant transients and loss of coolant accidents. External event sequences (such as fires, floods, and earthquakes) were not analyzed in this sensitivity evaluation.

Several comments are pertinent regarding the ranges over which the human error probabilities (HEPs) were varied. An attempt was made to establish realistic maximum ranges over which HEPs could vary due to uncertainty in HRA modelling, data limitations, and the inherent variability among plant personnel. Different ranges were subjectively established for several groups of human errors. No attempt was made to postulate systematic causes for such HEP variation nor to develop realistic ranges of HEP variation based on such systematic factors as changing management or training practices. However, one can observe the changes in risk that occur as the HEPs are varied over their ranges, both above and below their PRA base case values, and can make inferences about the effect of such systematic changes. The development of these ranges was not meant to imply any disagreement with the mean values of HEPs used in the LaSalle PRA.

It will be seen that risk is very sensitive to HEP variations in certain areas and relatively unaffected in other areas. This information can be useful in deciding where to improve HRA methods to reduce uncertainty and in deciding where to expend efforts to ensure good human performance (both to reduce variability and to lower mean HEPs). The actual ways that HEPs vary, due to say changes in management or safety culture, is not known and is the subject of other NRC research projects at BNL.

1.5 Organization of Report

Section 1 of this report provides the background and objectives of the project, and Section 2 provides an overview of the study methodology. Section 3 discusses the development of the Human Error Categorization scheme and provides the results of this categorization process. Section 4 describes the development of the ranges over which the HEPs were varied. Section 5 describes the various sensitivity calculations performed, gives graphs of the results, and also interprets the individual evaluations. Section 6 summarizes the important results and broad insights gained from the various sensitivity evaluations. The Appendices provide additional details on specific aspects of the study.

J

2. METHODOLOGY

This section gives an overview of the methodology employed in this project. Similar to the earlier study on the Oconee-3 nuclear plant, the sensitivity evaluation consists of varying the input parameters (human error probabilities) associated with the plant risk model and determining the resultant change in the output risk parameters, namely core damage frequency.

As described in detail in the Oconee-3 study, the methodology consists of three main tasks: (1) the categorization of the full set of human errors, (2) a determination of the range over which human error probabilities are to be varied, and (3) an assessment of the sensitivity of plant risk parameters to human errors. As shown in Figure 2.1, the three basic tasks of the sensitivity evaluation process are further subdivided into nine subtasks. The first subtask required the identification and review of human errors treated in the plant risk model. An applicable categorization scheme was then developed for classifying human errors extracted from the PRA database in terms of types of operator actions, location, personnel involved, etc. This categorization scheme was merely an adaptation of that developed and used for the Oconee study. Each human error was then coded to identify specific characteristics which relate various aspects of human performance in the nuclear plant. The database of coded human errors was subsequently implemented on the "dBase III-plus" data management utility to allow convenient analysis and quick sorting of human errors for sensitivity study applications. For example, the human errors were sorted into categories such as pre-accident errors and during-accident errors so that risk impact calculations for these error categories could be easily obtained. Human errors coded under multiple sub-categories of a specific category were also sorted by the dBase program to analyze interrelationships of errors within a category that were not well-defined.

The second task in the risk-based sensitivity evaluation process was to select the range of each human error probability (HEP) for the human errors in the plant risk model. A methodology was developed to define the range around the point estimate of the HEP which took into account the various causes of uncertainty in HEP estimation and also human variability. The approach in this methodology entailed the identification of various influences on point estimate uncertainty and a determination of error factors for various human error groups. Each human error group was defined by a unique pattern of influences across the sources of uncertainty and variability. Subjective judgments were involved in establishing the error factors so that reasonable but conservatively broad estimates of the ranges were obtained. These ranges reflect the bulk of the uncertainty in HRA estimates and also take into account variation across plants, not just LaSalle-specific variation. The application of the derived error factors and ranges allowed the determination of upper-bound and lower-bound estimates for each HEP.

Figure 2.1. Overview of methodology (flow chart of the sensitivity evaluation to determine the effect of human errors on plant risk, with three main tasks: Human Error Categorization, Determination of Range of Human Error Probabilities, and Sensitivity Calculations)

The sensitivity calculations to show the change in plant risk level due to variations in human error probabilities constitute the major part of the sensitivity study. This task required the implementation of the LaSalle plant risk model on the mainframe computer for the large number of computations to be performed subsequently. The plant risk model provided by Sandia National Laboratories (SNL) contained the Boolean expressions of the minimal cutsets for various accident sequences that remained after the application of screening, recovery, and truncation considerations.

A strategy for performing the sensitivity evaluations was defined to properly focus on the various combinations of calculations needed to derive the desired insights such as the overall effect of human errors, effect of specific types of human errors, effect of variation in error rate on the types of accident sequences that dominate risk, and the effect of recovery considerations on the plant risk indicators. Once the preliminary results were obtained, additional sensitivity evaluations were included in the strategy to derive further insights into the human role in plant risk sensitivity. Within the scope of the study, the risk parameters evaluated were the core melt frequency (CMF) and the accident sequence frequency (ASF). The CMF represented the overall plant risk which was obtained by the summation of estimated frequencies of all event sequences leading to core melt or damage. The calculation of these risk parameters for a set of HEP variations provided the output from which risk sensitivity curves were plotted. Together with importance analyses to determine the relative ranking of human errors, these sensitivity curves provided insights to identify and characterize risk-significant human errors.
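The sensitivity calculation outlined in this section, as an added Python example (not code from the report or from the SNL risk model): human errors selected by one category are moved across their HEP range while accident sequence frequencies and CMF are recomputed from minimal cutsets. All event names, frequencies, probabilities and error factors are constructed; the range is assumed to run from HEP/EF to HEP×EF (capped at 1) on a log scale, and cutset products are summed under the rare-event approximation.

```python
"""HEP sensitivity over minimal cutsets. All events and numbers are constructed."""
from dataclasses import dataclass
from math import prod

@dataclass(frozen=True)
class HumanError:
    code: str            # constructed identifier, not a LaSalle PRA event code
    timing: str          # TIMING category: "Pre" or "During" accident initiator
    hep: float           # base-case point estimate of the human error probability
    error_factor: float  # assumed multiplicative half-width of the HEP range

# Constructed human errors, coded with the TIMING category only.
HUMAN_ERRORS = {
    he.code: he
    for he in (
        HumanError("HE-RECOVER-AC", "During", 0.2, 10.0),
        HumanError("HE-REOPEN-RCIC", "During", 0.05, 10.0),
        HumanError("HE-RESTORE-BKR", "Pre", 1e-3, 10.0),
    )
}

# Constructed initiator frequencies (per year) and hardware failure probabilities.
BASIC_EVENTS = {
    "IE-LOSP": 0.1,
    "IE-TRANS": 1.0,
    "DG-FTS": 1e-2,
    "HPCS-FTS": 1e-3,
    "RCIC-FTR": 5e-2,
}

# Minimal cutsets per accident sequence: the events of one cutset are ANDed.
CUTSETS = {
    "T-LOSP": [
        ("IE-LOSP", "DG-FTS", "HE-RECOVER-AC"),
        ("IE-LOSP", "HE-RESTORE-BKR", "HE-RECOVER-AC"),
    ],
    "T-TRANS": [
        ("IE-TRANS", "HPCS-FTS", "RCIC-FTR"),
        ("IE-TRANS", "HPCS-FTS", "HE-REOPEN-RCIC"),
    ],
}

def scaled_hep(he, position):
    """HEP at a point in its range: -1 is HEP/EF, 0 the base case, +1 HEP*EF.

    Interpolation is on a log scale (assumption); probabilities are capped at 1.
    """
    if not -1.0 <= position <= 1.0:
        raise ValueError("position must lie in [-1, 1]")
    return min(1.0, he.hep * he.error_factor ** position)

def event_values(position, selector):
    """Event table with the selected human errors moved to `position`."""
    values = dict(BASIC_EVENTS)
    for he in HUMAN_ERRORS.values():
        values[he.code] = scaled_hep(he, position if selector(he) else 0.0)
    return values

def sequence_frequencies(values):
    """ASF per sequence: sum of cutset products (rare-event approximation)."""
    return {
        seq: sum(prod(values[e] for e in cutset) for cutset in cutsets)
        for seq, cutsets in CUTSETS.items()
    }

def core_melt_frequency(values):
    """CMF as the sum of all accident sequence frequencies."""
    return sum(sequence_frequencies(values).values())

def dominant_sequence(values):
    """Name of the accident sequence with the largest frequency."""
    asf = sequence_frequencies(values)
    return max(asf, key=asf.get)

def sensitivity_curve(selector, positions=(-1.0, -0.5, 0.0, 0.5, 1.0)):
    """(position, CMF) points for one category of human errors."""
    return [(p, core_melt_frequency(event_values(p, selector))) for p in positions]

def risk_range_factor(selector):
    """CMF at the upper HEP bounds divided by CMF at the lower bounds."""
    curve = dict(sensitivity_curve(selector, positions=(-1.0, 1.0)))
    return curve[1.0] / curve[-1.0]

if __name__ == "__main__":
    categories = {
        "pre-accident": lambda he: he.timing == "Pre",
        "during-accident": lambda he: he.timing == "During",
    }
    for label, selector in categories.items():
        print("%s: range factor %.1f" % (label, risk_range_factor(selector)))
        for position, cmf in sensitivity_curve(selector):
            dominant = dominant_sequence(event_values(position, selector))
            print("  position %+.1f  CMF %.2e  dominant %s" % (position, cmf, dominant))
```

With this constructed data, lowering the during-accident HEPs to their lower bounds shifts the dominant sequence from T-LOSP to T-TRANS, because a hardware-only cutset then sets the floor.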

3. CATEGORIZATION OF HUMAN ERRORS IN LASALLE PRA

This section describes the detailed categorization of the human errors that were identified in the LaSalle plant risk model. Human errors were extracted from the database for the LaSalle Probabilistic Risk Assessment (PRA) model and categorized in terms of types of operator actions, location, personnel involved, etc. As discussed further in this section, a database of categorized human errors was constructed for sensitivity study applications.

3.1 Identification of Important Human Errors

The database of basic events considered in the LaSalle plant risk model was reviewed to identify all human errors. Human errors were identified by review of documentation of the draft LaSalle PRA that was supplied by Sandia National Laboratories (SNL). This documentation included information written on floppy disk such as the "LaSalle Dictionary," which contains summary descriptions of all failure events except recovery errors. Recovery errors were identified from documentation in draft form entitled "Operator Recovery Actions."

The original database used by SNL in the initial solution of the system fault tree models contained about 3500 events, which included 240 human errors. As a result of quantitative screening, which requires judgement as to the correct value to be used for basic events, SNL analysts obtained a reduced database of over 850 basic events. This was provided to Brookhaven National Laboratory (BNL) in the form of a data file written on floppy disk. Since this study is only considering internal events, the sequences and basic events associated with external events (such as seismic events) were removed. In this database, there were about 40 errors associated with seismic-induced accident sequences. Removal of these errors left about 180 uniquely identified human errors for severe accident scenarios initiated by internal events.

The plant risk model used for sensitivity evaluations in this study contains all minimal cutsets of the 37 accident sequences with frequencies greater than 1040 (after truncation and recovery). Details on the computational model of plant risk are provided in Appendix B. From the database utilized for the quantification of the accident sequence cutsets, 83 human errors were extracted. Some of these errors are generic errors, which correspond to more than one specific error in the PRA sequences. Appendix A provides further details on the database of human errors used for the various sensitivity evaluations. By way of comparison, there were 223 human errors used in the sensitivity study for the Oconee 3 plant in sequences above the 1040 truncation level.

3.2 Development of Categorization Scheme

In developing the categorization scheme for human errors modeled in the LaSalle PRA, an initial step was to examine the categories used in the earlier Oconee study (NUREG/CR-5319). In that study, the various categories included the timing of the error (pre- or during-accident), the system or component involved in the error, where the error occurred (location in the plant), the related plant activity in which the error is committed (operations, test or maintenance, and calibration), whether the cause was an act of commission or omission, the personnel responsible for the error (reactor operator, non-licensed operator), and the type of human failure event (inadvertent actuation, operator inhibits). While not part of the categorization scheme, the Oconee errors were also identified as recovery or non-recovery errors.

In this project, most of the categories used for categorizing the human errors in the database of the Oconee-3 study were retained in the categorization scheme. A few new categories have been included and some inappropriate categories were deleted because of the modeling characteristics of human errors in the LaSalle PRA database. For example, the "action type," "simulator," and "generic" categories were added to define, respectively, similar types of operator response, the errors whose HEP estimates were based on simulator data, and whether the error is generic or specifically related to actuation of a particular plant system/component. As with Oconee, the LaSalle errors were also identified using the error code itself (not part of the categorization scheme) as recovery or non-recovery errors. Categories in the human error categorization scheme for the Oconee 3 study such as the "dependency" and "Oconee important" categories were not applicable in the current study, and therefore were deleted.

Table 3.1 lists the categories included in the categorization scheme for human errors in the LaSalle database, with a brief description of the elements of each category and some of the symbols used for encoding each error. An examination of the categorization scheme reveals the utility of the human error categorization for a risk-based sensitivity evaluation. The usefulness of most categories such as the timing, personnel, location, or utility program activity categories for sensitivity analyses has been demonstrated in the earlier Oconee study. In the current study, the "action type" category classifies the human errors in terms of operator actions such as manual action, manual backup, or manual override actions. This category indicates the type of human actions that have an effect on plant risk. The sensitivity evaluation for this category provides the relative significance of manual action-type errors with respect to manual override errors. A full discussion of each category with examples from the LaSalle human error database is provided in Appendix A.

Certain categories used in Oconee were not duplicated in LaSalle. The initiating event (ACCINIT) category was not found to be useful. Event type, dependency, and Oconee important categories were taken directly from the Oconee PRA and were not available in the LaSalle PRA.

Similar to the categorization scheme developed for the Oconee-3 study, a strong relationship exists among the categories used to identify specific characteristics of the human errors in the LaSalle database. For example, if a human error extracted from the database was determined to be committed by a non-licensed operator (personnel category), by definition, the event occurred outside the control room (location category).

Table 3.1. Human Error Categorization Scheme

Category | Identification | Surry (A) / Oconee 3 (B) / LaSalle
TIMING | Pre Accident Initiator (P), During Accident Initiator (D) | X X X
SYSTEM | Hardware System (e.g., RCIC) | X X X
COMPONENT | Unit of System (e.g., Pump) | X X
PERSONNEL | Individual Involved (e.g., Reactor Operator (RO)) | X X X
OMCOM | Omission (OM), Commission (COM) | X X X
LOCATION | Control Room (CR), Outside Control Room (OCR) | X X X
ACTIONTYP | Manual Action (M), Manual Backup (MB), Manual Override (MO) | X
ACTIVITY | Utility Program Activity (e.g., Operations (O)) | X X X
OTHERINF | Maximum Time for Action (e.g., 2 hours, 27 hours) | X
NRCPCM | Relationship to NRC Inspection Program (e.g., Operations (OPS)) | X X
SIMULATOR | Relationship to Simulator Based Human Error Probability Estimate | X
GROUP NO. | Groups of Similar Responses by Operating Staff in Simulator Drills (e.g., RA-1) | X
GENERIC | Specific Relationship to a System or Component | X
SENSIGROUP | Groups of Actions with a Common Error Factor | X
ACCINIT | Initiating Event (e.g., SLOCA) | X
EVENTTYPE | Human Event Type in Oconee PRA Model (e.g., Unavailability (U), Inadvertent Action (I)) | X
DEPEND | Dependencies Between Events | X
OCIMPT | Important Human Errors in Oconee PRA Model | X

(A) NUREG/CR-1879, (B) NUREG/CR-5319

The lack of independence between some of the categories is important for interpreting the results of the various sensitivity analyses (discussed later). Some analyses were performed with only one category and, in fact, may represent at least two or three categories, depending upon their relationships. For example, the errors occurring before an accident initiator (pre-accident) were also all non-simulator errors. These relationships between categories are better defined in the specific discussions with linkage diagrams that show the breakdown of the LaSalle human errors in terms of a number of categories (Section 3.3).

3.3 Construction of Human Error Database

A database of the 83 human errors in the LaSalle plant risk model was constructed using the "dBase III plus" software operating on an IBM PC. Each category of the 14-element categorization scheme was set up as a field with a pre-determined size based on the coding descriptors of the categories. Each human error was defined as a record with 14 fields. The database of coded human errors provided the capability for convenient analysis and quick sorting of human errors for sensitivity study applications.

Each of the LaSalle human errors was encoded according to the categorization scheme. In performing this task, each human error was analyzed and a distinct element within each category that characterized the error was determined. For example, consider the human error DCOMOD RUM 0, which describes the operator failure to restore a circuit breaker DOVB202X after de-energization on one of three diesel generator motor-operated dampers. This error results before the initiation of an accident (Pre), is an omission-type error, and the responsibility for the error lies with the non-licensed operator. The NRC inspection categories that influence this particular error are Operations (OPS) and System Walkdown (SW). Table 3.2 shows the categorization of some of the human errors in the LaSalle database.

Table 3.2. Examples of Human Error Categorization

Description of Human Error | Error Code | Timing | Personnel | Action Type | Om/Com | Location | NRC Program
1) Restoration of AC power within one hour of LOSP | RA 81H | During | RO/NL | M | Om | CR/OCR | Ops, Tr
2) Repair of DG failure within one hour | RA-9 1H | During | RO/NL/MT | M | Om | OCR | Maintenance
3) Failure to restore C800VB202x after one of three DGOM00 | DGOM00 RUM-0 | Pre | NL | M | Om | OCR | Ops, System Walkdown
4) Failure to open RCIC F063 valve within 20 minutes | OPFAIL REOPN 20M | During | RO | MO | Om | CR | Ops, Tr
5) Failure to vent within two hours | OPFAIL VENT 2H | During | RO/NL | M | Om | CR/OCR | Opp, Ops, Tr

3.4 Results of Categorization

In this study, human error categories were also analyzed singly, for example, examining all "during accident" errors, or in combination with each other, for example, all during-accident errors committed by licensed reactor operators that involve manual actions. The distribution of event statistics within each category was examined to provide a perspective on the relative importance of human error groups on plant risk. The results on the sorting of human errors for each category are discussed further in the following section.

3.4.1 Sorts of Categories

A total of 83 human errors were encoded and sorted within the various categories. The distribution of the event statistics within a particular category is shown by pie charts. General observations on the relative distribution of the 83 human errors in the LaSalle database of categorized errors are discussed, and comparisons to the results for the Oconee 3 study are made where applicable.

Timing

In the database of 83 categorized human errors, four were pre-accident errors and 79 were during-accident errors. The four pre-accident errors were omission-type, plant equipment restoration errors following maintenance activities. All of the during-accident errors were accident recovery actions (see definition of "recovery" in Section 5) and routine operator responses to plant transient or accident conditions. In contrast, there were 124 pre-accident errors accounting for 56% of the 223 human errors in the Oconee 3 database. The human errors were also coded.

System

Figure 3.1 shows the distribution of human error events across the LaSalle plant systems. The highest number of uniquely identified human errors occurs in the AC power system (ACPS) where most of these errors involve operator actions to restore AC power and ensure diesel generator (DG) availability after a loss of offsite power transient. These human errors are found in the significant cutsets of the most dominant accident sequence, i.e., T8 sequence, and therefore contribute dominantly to the human error impact on plant core-damage frequency. Sensitivity curves at the CMF level presented for the systems would provide no additional insights from those already provided.

A high percentage of errors falls in the broad category of system actuations. This category constitutes generic (G) errors wherein each error could be associated with several different systems. These generic errors have much lower probability estimates than those in the ACPS and therefore such errors would have a smaller impact on plant core-damage frequency.

Other plant systems that have a significant distribution of human error events are the Power Conversion System (PCS), Containment Isolation (CI) System, Reactor Core Isolation Cooling (RCIC) System, Standby Liquid Control System (SLCS), and Residual Heat Removal (RHR) System. The number of human error events varies from five to twelve errors in these categories. Most of these errors occur as routine operator responses during abnormal plant conditions. In contrast, the Oconee 3 results show that most human errors occur in the Low Pressure Injection and Service Water Systems which provide cooling flow to normally operating equipment. Human errors in these systems were mostly related to operator actions involved in assuring proper alignment of many components, e.g., valves, in the system flowpaths.

Figure 3.1. Distribution of human errors across LaSalle plant systems (total of 83 errors) (pie chart slices: ACPS 21, 25%; G 19, 23%; PCS 12, 14%; CI 8, 10%; RCIC 6, 7%; SLCS 6, 7%; RHR 5, 7%; OTHER)

Components

The largest number of human error events are associated with the component category of "S" or system level error (Figure 3.2). Most of the errors in the system component category represent erroneous actions involved with multiple component types. Besides being largest in number, these types of errors were the most risk significant also. Hence, particular sensitivity curves for this category would not be especially useful. Other categories of plant components that have a significant distribution of human errors are valves (VLV), diesel generators (DG), and pumps (PMP). Very few errors were associated with circuit breakers (CB), switches (SWTCH), seals, and fuses. Results in the Oconee 3 study show that valves are the components with the largest number of human errors.

Figure 3.2. Distribution of human errors among LaSalle plant components (pie chart slices: S 36, 43%; VLV 20, 24%; PMP 11, 13%; CB 2, 2%; SWTCH 2, 2%; FUSE 1, 1%; SEAL 1, 1%; DG)

Personnel

Errors were coded as to the type of personnel responsible for the action. Reactor Operator (RO) and Non-Licensed (NL) Operator errors were wholly the responsibility of those personnel. Errors coded as RO/NL and RO/NL/MT were the responsibility of multiple personnel including ROs, NLs, and Maintenance (MT) personnel. Similar to results observed in the earlier Oconee 3 study, the reactor operator is the personnel type mainly responsible for many of the errors in the LaSalle database (Figure 3.3). The sum of all errors encoded with RO, RO/NL, or RO/NL/MT exceeds 90% of the total database. The non-licensed operator is accountable for all the pre-accident errors involved in restoring equipment to operable status after maintenance. The largest number of errors falls in the category of shared responsibility between the reactor operator and non-licensed operator. This category of errors describes dual responsibility of both types of personnel for the occurrence of an error during recovery actions such as containment venting and routine responses to plant transient conditions. One should note here that a few of the errors (i.e., recovery of offsite power) may also involve offsite utility personnel, such as linesmen. The percentage of RO/NL errors is higher (42%) compared to that observed in the Oconee 3 study (9%).

Figure 3.3. Human Errors in the LaSalle database - PERSONNEL category (pie chart slices: RO/NL 35, 42%; RO 33, 40%; RO/NL/MT 11, 13%; NL 4, 5%)

Location

Most human errors (40%) occur in the control room (CR), while 31% of the errors were found to occur outside the control room (OCR). The category with the smallest number of errors, Control Room/Outside Control Room (CR/OCR), represents multiple actions, occurring in dual locations, some in the control room and others outside the control room. One error with uncertainty in the location of the error occurrence was also coded CROCR. The percent distribution of errors in the various location categories is similar to that observed in the Oconee 3 study.

Figure 3.4. Human errors in the LaSalle database - LOCATION category (pie chart slices: CR 33, 40%; OCR 26, 31%; CROCR 24, 29%)

Action Type

This category was added to the LaSalle categorization scheme in an attempt to develop insights regarding the role of the operators versus the automated systems. There are different cognitive processes at work depending on whether an operator is acting for himself (manual), acting as backup to a failed automatic system (manual backup), or acting to actually defeat an automatic system (manual override). Fifty-seven human error events in the database fall in the category of manual (M) actions (Figure 3.5). Most of these manual actions involve manual operation of a system or component within the control room. Only 20 human errors are coded as manual backup (MB) actions, while six errors are in the category of manual override (MO) actions. All six MO errors were associated with the need to reopen a RCIC valve that received an isolation signal. The action type category was not utilized in the earlier Oconee study, although Oconee did contain the various types of actions.

Figure 3.5. Human errors in the LaSalle database - ACTIONTYPE category (pie chart slices: M 57, 69%; MB 20, 24%; remaining slice 7%)

Activity

Operations-related errors are the most significant type of error, accounting for 82% of the human error events in the database (Figure 3.6). The predominance of operations-related errors is also observed in the Oconee 3 database. Eleven errors are defined as errors that occur during the emergency repair of a plant component, e.g., the diesel generator. Four pre-accident errors fall into the category of errors of restoration from test and maintenance activities. There were no calibration errors because they were dropped from the database as a result of a screening analysis by SNL analysts. In the Oconee 3 database, there were 44 calibration errors which are largely errors of commission.

Figure 3.6. Human errors in the LaSalle database - ACTIVITY category (pie chart slices: OPS 68, 82%; E/R 11, 13%; M/R 4, 5%)

Simulator

Fifty-eight human errors fall into the category of errors whose HEP estimates were based on simulator data (Figure 3.7). These human error events represent operator performance actions in response to severe accident scenarios. Most of these actions are recovery actions which could significantly affect the termination of an initiating event. Routine responses from the control room during plant abnormal conditions are also included in this category because simulator data on these actions were used to provide more realistic estimates of their error rates.

Figure 3.7. Human errors in the LaSalle database - SIMULATOR category (pie chart slices: SIMULATOR 58, 70%; NON-SIMULATOR 25, 30%)

Twenty-five human errors were categorized as errors whose HEP estimates were not derived from simulator exercises. These events include the four pre-accident errors, 11 during-accident, operations-related errors, and errors related to emergency repair of diesel generators.

Generic

Nineteen human errors were categorized as generic errors (Figure 3.8). These are the same 19 errors noted as G in the system category. Each of these generic errors represents a group of errors that had the same HEP and were generally similar. For example, the generic error RA 1-1 8H represents about 50 unique errors that are related to different plant components (draft communication from SNL). The precise number of errors represented by each generic error was not available at this time. The remaining 64 errors fall into the category of errors that were associated with operator actions involved in actuating a specific system or component.

Figure 3.8. Human errors in the LaSalle database - GENERIC category (pie chart slices: SPECIFIC 64, 77%; GENERIC 19, 23%)

Sensitivity Group

As discussed further in Section 4, human errors in the LaSalle plant risk model were categorized in various sensitivity groups wherein each group of errors is characterized by a common error factor. These error factors are derived in Section 4 of this report. The largest number of human error events (28 HEs) fall in the category of sensitivity group TWO (Figure 3.9). This group of errors represents specific operations-related human errors occurring during a plant accident, and their HEP estimates are based on simulator data. Sensitivity group THREE category has the next largest number of human error events (19 HEs), while each of the sensitivity group ONE and group FIVE categories has 11 human error events. Ten human errors are in the group SIX category, and four human errors fall in the group FOUR category. The different characteristics of each sensitivity group are also described in Section 4.

Figure 3.9. Human errors in the LaSalle database - SENSITIVITY GROUP category (pie chart slices: TWO 28, 34%; THREE 19, 23%; ONE 11, 13%; FIVE 11, 13%; SIX 10, 12%; FOUR 4, 6%)

NRC Program

This category provides information about which NRC inspection program area was judged to affect the human error failure probability. An attempt was made to list all those NRC inspection program areas which could have an effect; hence, most errors were coded with more than one area. As a result, the total number of items in Table 3.3 below exceeds the number of HEs (83) and hence, percentages are not used to display the results.

Table 3.3. Human Errors in the LaSalle Database - NRC Program Category

NRC Inspection Program Area | Number of HE Coded With Area
Operations | 73
Training | 41
Maintenance | 20
Operations Policy | 6
System Walkdown | 5
Calibration | 0
Quality Assurance | 0
Surveillance Testing | 0

Operations and Training were often coded together. Because of the clear dominance of these two categories, they would certainly dominate CMF in sensitivity calculations. This dominance is a result of the type of operational errors modelled in the PRA. Thus, since no new insights would be obtained, sensitivity runs were not performed on this category.

Based on the sorting of human errors in the various categories, linkage diagrams were constructed using the data set of 83 human errors to provide some statistics regarding the distribution of human errors among the various categories (see Figures 3.10 and 3.11). These linkage diagrams show the breakdown of the LaSalle human errors in terms of the number of categories whose interrelationships are also exhibited.

3.4.2 Recovery Errors

Although not specifically a part of the categorization scheme, the total numbers of recovery type errors are worthy of note, as sensitivity analyses were performed on them. Of the 83 LaSalle human errors, 48 were coded as RA-XXX, where RA designated Recovery Action. These RA-XXX errors were "ANDed" to the accident sequence cutsets during the recovery analysis. The other 35 human errors were variously coded and consisted of the four pre-accident errors and 31 during-accident errors. Some of the 31 during-accident, non-RA errors could potentially be considered as recovery actions also, but were not recoded by BNL. Appendix B discusses in slightly more detail the LaSalle breakdown between recovery and non-recovery errors. The sensitivity analyses in Section 5 for recovery errors were performed on the 48 RA errors.

[Figure 3.10, diagram not reproduced. It breaks down the human errors in the LaSalle plant risk model used for the sensitivity study by timing (pre-accident 5%, during-accident 95%), then by location (control room, outside control room) and by personnel (RO, NL, MT).]

Figure 3.10. Linkage diagram of human error categorization based on timing, location and personnel categories

[Figure 3.11, diagram not reproduced. It breaks down the human error probabilities into simulator-based (70%) and non-simulator-based (30%), then into generic (33%) and equipment/system specific (67%), and finally into sensitivity groups: Group 1 (EF = 28), Group 2 (EF = 15), Group 3 (EF = 21), Group 4 (EF = 23), Group 5 (EF = 26), Group 6 (EF = 29).]

Figure 3.11. Linkage diagram of human error categorization based on simulator, generic, and sensitivity group categories

3.5 Conclusions

This section summarizes some overall conclusions on the categorization of 83 human errors in the final database of the LaSalle plant risk model. From the sorting of the 83 human errors in the various categories developed in the categorization scheme, some conclusions can be made. These conclusions are based on the number of errors in a specific category and not their risk significance, which is addressed in Section 5.

(1) There is a large predominance of during-accident type of errors. This results in a large predominance of reactor operator (RO) errors and operations-related errors.

(2) There are no errors of commission in the final database, largely due to the exclusion of calibration errors as a result of screening analysis by SNL analysts.

(3) There were a small number (four) of pre-accident plant equipment restoration errors following test and maintenance in the final database. Other restoration-type errors were eliminated in the earlier described SNL quantitative screening analysis.

As such, the overall plant risk should be largely sensitive to during-accident errors.

4. DEVELOPMENT OF RANGE ESTIMATES FOR HUMAN ERROR PROBABILITIES

In this section, the development of range estimates for the human error probabilities (HEPs) used in sensitivity evaluations of the LaSalle plant risk model is described. The causes of variability included in the calculation of the range estimates are discussed and the methodology to determine the range estimates of HEPs is presented in detail. The definition of error factor groups and the assignment of human errors to a group are also discussed. Finally, the application of the methodology for determining the range estimates of HEPs in the LaSalle human error database is presented.

4.1 Methodology

The primary purpose of the HEP range estimate analysis is to define the bandwidth around the point estimate which is the measure of central tendency for the HEP. In order to develop realistic, yet conservatively broad estimates of HEP ranges, the methodology presented here entails four basic steps:

1) Identify sources of uncertainty and variability in HEP estimation,
2) Establish the grouping dimensions that provide discrimination across uncertainty and variability sources (UVS) by which to group each human error,
3) Define an error factor profile for each group of human errors as a function of UVS, and
4) Determine the upper and lower bounds for each HEP where the upper bound is the 95th percentile and the lower bound is the 5th percentile of the distribution around the median estimate.

4.1.1 Sources of Uncertainty and Variability in Human Error Probability (HEP) Estimation

The PRA Procedures Guide (NUREG/CR-2300) identified five sources of uncertainty and variability in HEP estimation. The definitions of these sources were broad enough to encompass the major factors contributing to overall variance in the point estimate of an HEP. The consideration of these factors was used in the determination of range estimates for the Oconee Sensitivity Study (NUREG/CR-5319, Section 4.2). In the present study, these same factors were also considered in the application of the methodology to determine the range estimates of the LaSalle HEPs. A brief description of each UVS is provided below:

1) Lack of Data

Uncertainty in a point estimate may arise from a paucity of relevant data upon which to determine the estimate. Generally, the more appropriate the data available for estimating an HEP, the more confidence one has in the derived value.

2) Inexactness of Human Performance Models

This source of uncertainty reflects weaknesses in two aspects of human reliability modeling: one aspect is outside, and the other is within the PRA. First, at best, models of human performance only approximate real-world performance. Thus, the theoretical basis for establishing HEPs is not well developed, and therefore, is subject to a great deal of uncertainty. Second, human performance actions as modeled in PRAs frequently reflect clusters or chains of human activities, such as "repair of diesel generator," rather than single event tasks. Since specific examples of performance within such a domain can be considerably different from others, a single point estimate for the entire cluster of human performance events is inherently uncertain.

3) Differences in Task Description

Uncertainty in point estimates arises due to generalization of an HEP for a given task to another similar task. To the extent that the task descriptions differ, there is uncertainty regarding the validity of the generalization. Also, generalizing from data collected on similar tasks from other nuclear plants entails some degree of uncertainty, i.e., all tasks and performance shaping factors are not identical when deriving an HEP estimate for Plant A from data specific to Plant B. The degree of uncertainty may be even greater when utilizing data from non-nuclear industry sources. Although some tasks may be similar, generalizing across industries may be tenuous due to the differences in operator populations, training, procedures, etc.

4) Capabilities of the Human Reliability Analyst

The general skill of the analyst in the data collection and inference process, as well as the methods utilized to account for plant-specific influences, may introduce uncertainties in the point estimate.

5) Differences Among Personnel

If an HEP is assumed to represent an accurate point estimate, that estimate reflects a measure of central tendency. Actual risk is non-stationary and is influenced by the variability around the point estimate. This variability is related to human performance factors such as operator skill differences; training standardization; the availability, extent and standardization of procedures; shift schedules; supervision; and situational states such as stress, fatigue, and alertness. The influence of these factors and the associated variation in human performance upon the point estimate of the HEP can have a significant influence on plant risk and therefore, should be fully accounted for in a sensitivity evaluation.

4.1.2 Definition of Error Factor Groups and Assignment of Human Errors

In applying the methodology for developing ranges for HEPs, human errors were grouped according to factors that are likely to discriminate the HEPs across the sources of uncertainty and variability. Groups of human errors were defined, and a profile of error factors (the array of error factors across UVS) was determined for each group. Error factors were not determined for each HEP on an individual basis. The error factor profile for each particular group of human errors was utilized to calculate upper and lower bound values for each HEP belonging to the group.

Based on a review of the methods of HEP estimation in the human error database for the LaSalle plant risk model, five factors were identified:

1) HEP Data Source: Simulator versus Non-simulator

In the LaSalle PRA, simulator data on human performance were utilized in the estimation of many error probabilities and their uncertainty involving operator recognition and decision processes within the control room. HEPs based on these data are likely to differ from those based on more traditional methods. Simulation can be used to collect valuable data on human performance parameters that are not well modeled using more traditional HRA approaches such as THERP. Such valuable data would include parameters such as decision making, knowledge-based processes, and rule-based activities for infrequently occurring events. While valuable, the use of simulator-generated data to estimate real-world point estimates is complicated and not well understood. The generalization from simulation to real world still contains uncertainty.

There are many factors that need to be addressed when simulator data is generalized to represent "real world" probabilities. Consider, for example, the influence of (1) performance shaping factors, and (2) effect on human information processing. First, simulator exercises will not reflect the influence of all important performance shaping factors. For example, the stress associated with a simulated transient will not be the same during a simulation as it will be during the real-world event. Neither will factors such as control room chaos and noise. Second, the characteristics of the human information processing system are altered, specifically signal detection threshold, event probability, and response probability. For example, when a simulator exercise begins, the operator knows something other than normal operations will unfold. During simulated events, very low probability events are likely to occur and the operator expects them - unlike the real world. Hence, the operator's attention is aroused to detect problems. As the situation develops, events which the operator would never expect to occur in the real world are given a high likelihood/probability of occurring, i.e., events with a 10 probability of happening occur several times a day on a simulator. Also, the operator's responses will be optimized according to established procedures. There are no consequences to responses made on a simulator; i.e., no conflict between safety and productivity. There are major consequences to real-world actions which will affect an operator's probability and timing of taking actions.

These factors require the recognition of uncertainties in the use of simulator data. This discussion should not be interpreted as indicating that simulator data is not useful. On the contrary, these data are extremely valuable. But, the use of simulator data for real-world point estimation is not well understood at this time, which contributes to uncertainty in its application.

2) Error Specificity: Generic Error versus Specific Error

Some of the human errors identified in the LaSalle database describe human interactions with a plant-specific system or component. These errors, such as "operators fails to reset MrW trip," were categorized as specific errors. Errors that were not clearly associated with any specific equipment, such as "manual operation of a system or component from the control room," were categorized as generic errors, even though each of these errors may be combinations of specific human faults tested on the simulator. Therefore, the uncertainty on the estimated probability of a generic error is conservatively assumed to be larger than that for a specific error simply because of uncertainty propagation from the combined effects of various specific faults.

3) Timing: Pre-accident versus During-accident

Probability estimates of errors which occur pre-accident are likely to differ from post-accident errors in terms of both uncertainty and variability factors. The difference between the estimates of these two types of errors is due, in part, to the different methods of estimation. For example, the THERP methodology provides greater credit for recovery factors and a more detailed consideration of dependence effects for pre-accident errors than post-accident errors (see discussion in Appendix B). In addition, factors such as differential stress and paucity of actuarial data associated with during-accident errors also make these error probabilities more difficult to estimate when compared to pre-accident errors.

4) Type of Activity: Operations versus Emergency Repair

In LaSalle, this error factor grouping distinguishes operations-related errors from emergency repair errors (i.e., failure to complete emergency repairs within the specified time intervals). The latter refers to a group of errors or recovery actions that relate to failures to restore the diesel generator to an operable status when necessary after failure. It should be noted that for some percentage of EDG failures, equipment problems will preclude operator emergency repairs.

5) Consequences of the Activity: "High" Risk versus "Normal" Risk

Operator actions with high risk implications in BWR plant operation are: containment venting and standby liquid control (SLC) utilization. Both types of actions were considered as belonging to a separate group which define risk actions. Venting is the release of radioactive steam and non-condensables from the primary containment in a controlled fashion to relieve overpressure within the reactor containment. Overpressure could possibly lead to containment failure and resultant uncontrolled release. In general (and at LaSalle specifically), there is the added problem of failures of portions of the vent ductwork system due to overpressure within the reactor building (secondary containment) upon venting. The second type of activity is related to the actuation of standby liquid control system which injects boron pentaborate solution into the reactor coolant system. In a BWR, activities involving use of this system can cause boron contamination and an extensive clean-up that could result in a multi-month reactor shutdown. It may be true that with the advent of BWROG symptom-based EPGs and plant-specific simulator training that SLC initiation has become as routine as actions such as RHR initiation, but this may not be generic. The requirements for SLC initiation are substantially different than that for RHR initiation in terms of diagnosis and stress, and in the concern about injecting chemical poison that could cause an extended plant shutdown. Even with well written procedures for taking a specific action, human response probability is influenced by the operator's perception of the consequences of his actions. This is well documented in the human performance literature (Wickens, 1984) and nuclear operations experience data (Davis-Besse incident report - NUREG-1154). Therefore, based on human performance theory, laboratory research, and nuclear operations experience, operator actions involved in activities which could have beyond normal consequences were considered to represent a unique category.

In this study, each error was assigned to a specific error group by the algorithm depicted in Figure 4.1. All combinations of grouping factors are not relevant. For example, pre-accident versus during-accident timing was not a relevant factor for simulator data since all errors for which simulator data was used were "during accident" events. The relationship between the grouping factors is shown in Figure 4.1.

Six distinct groups of errors were defined based on the grouping factors:

i) Group 1: simulator-based, high consequence, specific operations-related human errors occurring during accident (11 HEs).

ii) Group 2: simulator-based, "normal" consequence, specific operations-related human errors occurring during accident (28 HEs).

[Figure 4.1, flowchart not reproduced. Starting from the data source (simulator or non-simulator), the decision nodes are error specificity (specific or generic) and consequence ("high" or "normal") on one side, and timing (pre-accident or during-accident) and activity (specific operations or diesel generator emergency repair) on the other.]

Figure 4.1. Algorithm for assignment of errors to specific groups

iii) Group 3: simulator-based, generic operations-related human errors occurring during accident (19 HEs).

iv) Group 4: specific restoration-type errors after maintenance occurring pre-accident, which were not simulator-based (4 HEs).

v) Group 5: specific operations-related human errors occurring during accident, which were not simulator-based (11 HEs).

vi) Group 6: diesel generator emergency repair human errors occurring during accident which were not simulator-based (10 HEs).

A listing of the human errors categorized in each group is provided in Appendix A.

4.1.3 Specification of Error Factors (EFs) for Human Errors

In this study, the methodology presented for quantitative determination of the range estimates of the LaSalle HEPs was similar to that used in the Oconee 3 study. The influences of each of the sources of uncertainty and variability were defined in terms of error factors and the variances in the HEP due to each of the sources are combined to obtain the overall variance in the HEP estimates. Inherent in the variance estimation methodology was a consideration of the generalizability of the results to other NPPs and PRAs. This was reflected in the selection of UVS sources and the specification of bounding values for the maximum contribution of any one UVS (which were based upon values typically used in HRA analyses). The resulting error factors were derived from generalizations obtained from the literature which were adjusted by evaluating the methodology utilized in the LaSalle PRA. Thus, the error factors are influenced by two components: generalized variability estimates and LaSalle-specific analysis methodologies. The overall variance was then used to obtain the range estimate of the HEP. Subjective judgements were used to define the error factors associated with each of the uncertainty and variability sources (UVSs). This approach was considered adequate for sensitivity evaluation since the objective is to develop conservative estimates of the ranges that account for various UVS.

The error factors for each human error group were derived by the procedure described below. The assignment of error factors for LaSalle human error groups was different due to the different development of the HEP estimates. A main difference in the LaSalle database was the use of simulator-based data to derive more realistic HEP estimates.

Three human reliability analysts were asked to make independent judgements regarding the contribution of each UVS to HEP uncertainty and variability. Each analyst was given a blank copy of Table 4.1, the definitions of the UVSs and grouping dimensions of each human error group, and a listing of the errors in each group. A rating of "small," "moderate," or "large" (contributions to uncertainty/variability) was made in each cell of Table 4.1.

Table 4.1. Error Factors as a Function of Uncertainty/Variability Sources and Error Group

Group 1: During Accident, High Consequence Simulator Errors (11 errors)
Group 2: During Accident, Specific Simulator Errors (28 errors)
Group 3: During Accident, Generic Simulator Errors (19 errors)
Group 4: Pre-Accident, Non-Simulator Errors (4 errors)
Group 5: During Accident, Non-Simulator Operations Errors (11 errors)
Group 6: During Accident, Non-Simulator Repair Errors (10 errors)

UVS                        Group 1  Group 2  Group 3  Group 4  Group 5  Group 6
Lack of Data                  6        2        6       10       10       10
Inexactness of Model          7        3        6        5        6        9
Task Differences              9        2        5        5        7        9
HRA Capabilities              6        2        2        3        5        3
Personnel Variability        10        7        7        3        6        7

When the rating process was completed, the results were compiled into a single table. Of 30 cells in the table, there was complete agreement on 13, whereas disagreement spanning more than adjacent ratings, i.e., a "large" and "small" rating for the same cell, was observed only on three cells. These three cells were task differences in Groups 1 and 6 and HRA capabilities in Group 1. The rest contained pairs of the same ratings with one adjacent rating, such as "small-small-moderate." The analysts met to discuss the three cells containing widely varying ratings and consensus agreement was attained. No effort was made either to force the consensus or to modify ratings in the other cells.

A scaling factor was used to quantify the error factors. It was assumed that any single UVS would not contribute more than one order of magnitude to the uncertainty and variability of an HEP, thus a "10" was assigned to a "large" rating. This assignment is consistent with the Oconee study and generally consistent with single source uncertainty factors discussed in the PRA literature, e.g., NUREG/CR-2300. It was further assumed that some degree of uncertainty was inherent in any generalization from data in the literature to a PRA HEP estimate, i.e., a "no effect" was not permitted. Thus, a "2" was assigned to a "small" rating. "Moderate" ratings were given a value of "6."

The cell values in Table 4.1 represent the average of the ratings from three analysts which were converted to quantitative values as described above. The general rationale for the distribution of ratings in each UVS is discussed below. Specific numerical values of the ratings were assigned by the process described previously.

Lack of Data: The use of simulator-based human performance data in estimating HEPs in the LaSalle PRA (NUREG/CR-4834) was perceived to strengthen the HEP estimates by reducing the uncertainty associated with a lack of more realistic data. However, this source of uncertainty is not totally eliminated. A degree of generalization is still required in deriving HEP estimates from simulator-based data to "real world" HEPs. In addition, the data were used only to estimate the HEP for the diagnosis phase, and not the action phase (because the error probability of the action phase was usually small). Further, error data used in calculations were derived from pooling data by similar decisions. Hence, there is still uncertainty in generalizing from the pooled error estimate for the quantification of any single HEP.

In Table 4.1, human errors defined in sensitivity groups 1, 2, and 3 were based upon simulator data, while those in groups 4, 5, and 6 were not. The latter groups of human errors were assigned the maximum uncertainty ratings. Between the simulator groups, Group 2 was considered to represent the highest fidelity of specific actions to actual plant safety systems. Thus, a rating of "2" was given because the generalization uncertainty was considered small. Even though HEPs in groups 1 and 3 were derived from simulator data, these two groups were assigned moderate ratings. The errors in Group 1 were judged to be most subject to the generalization difficulties from simulator to "real world" data which was previously discussed. Group 3 was given slightly higher uncertainty ratings compared with Group 2 because the actions were pooled into a generic value.

Inexactness of the Model: A fairly large degree of uncertainty was assumed to be associated with the modeling of during-accident, emergency repair errors (Group 6). This group mostly includes errors involving repair of a diesel generator. Since this is a complex system encompassing many failure modes and dependent human failures, modeling DG recovery errors as single events results in a great deal of uncertainty. Groups 1, 3, 4, and 5 were all given moderate ratings. The lowest modeling uncertainty was judged to be associated with Group 2, since HEPs of these errors were simulator-based.

Task Differences: Group 2 HEPs were associated with the least amount of uncertainty due to task differences. This was due to the generalization of specific events based on the LaSalle control room simulation exercises and operational procedures to specific errors modeled in the PRA. Since the degree of similarity is high, a low rating was given. Moderate uncertainty due to task differences was associated with human error groups 3, 4, and 5. HEPs in Groups 4 and 5 are based on data generally available in the nuclear industry. Based on subjective judgement, a high rating was assigned to Group 1 (high consequence errors) and Group 6 (during-accident emergency repair errors). The latter, as noted previously, could involve many different tasks and thus, representation of a DG recovery error as a single value required considerable task description generalization. Group 1 was rated high because actions with high risk implications have task-specific performance shaping factors (such as stress, belief in situational reliability, and concern over personal consequences) that are quite different when a simulated accident sequence is compared with a real-world accident sequence.

HRA Analyst Capabilities: The consideration of this source of uncertainty centers on the extent to which the analyst can influence the HEP. In general, this cause of variability has the least influence on HEP estimation. The analyst was presumed to play less of a role in influencing the HEP estimation for errors in Groups 2 and 3, since the major component of these error probabilities (the decision phase) was calculated directly from the simulator exercises. Groups 4 and 6 were also rated low. Groups 1 and 5 were rated as moderate because both contained during-accident operations-related errors for which a great deal of judgement on the part of the analyst is required. While estimation of Group 1 HEPs was based on simulator data, it was determined that an analyst would have to interpret the effects of performance shaping factors that influence real-world performance of tasks with high risk implications.

Personnel Variability: The ratings for various error groups ranged from 3 to 10 on variability associated with intra- and inter-personnel differences. The lowest rating was given to pre-accident errors since these errors were more routine and not subject to some of the factors, such as stress, which tend to increase variability of during-accident situations. Groups 2, 3, 5, and 6 were all rated as having moderate variability effects, since all were during-accident errors. Group 1 was given the highest rating since it contains the errors that have high risk implications during an accident.

4.1.4 HEP Range Estimation

The statistical assumptions and methodology for calculating the upper and lower bounds of HEPs that were utilized in this study are detailed in the Oconee study (NUREG/CR-5319, "Risk Sensitivity to Human Error"). This methodology is summarized below.

The calculation of the range estimate for each human error probability is based on three inputs:

i) the point estimate of the HEP (measure of central tendency),
ii) the distributional characteristics of the HEP, and
iii) the error factor profile derived for the human error group in which the human error is categorized.

In the LaSalle human error database, HEPs in Groups 1, 2, and 3 were derived in part from data collected during simulator trials (NUREG/CR-4834). The probability of human error (HE) was estimated as a function of diagnosis failure and action failure. In most cases, the diagnosis failure was the major contributor of the total error probability estimate. For these estimated error probabilities, the mean HEP was converted to a median HEP by the following process. Because each of these human errors was associated with a LaSalle crew recovery action group, the median HEP was identified from a table in NUREG/CR-4834 providing median failure probabilities as a function of time for that particular group of recovery actions (Tables 2.1.9-1 through 2.1.9-10 in NUREG/CR-4834 provide the reference information for the various recovery action groups).

Range estimates for the HEP were determined using an additive linear model. The sources of uncertainty and variability were presumed to move the HEP from the point estimate to an upper and lower bound according to the additive linear model. It was further assumed that the sources could interact. Thus, the total variance (V) of the HEP could be described as:

$$V = \sum_j S_j^2 + \sum_{i<j} S_i S_j \qquad \text{(Eqn. 4.1)}$$

where S is the standard deviation associated with a source of uncertainty and variability.

The interaction term, $\sum S_i S_j$, in Equation 4.1, measures the departure from the additive model. The inclusion of this term, which defines interaction among the sources of uncertainty and variability, was to derive the most conservative range, or the broadest bandwidth of variance around the median HEP.

A lognormal distribution was assumed for characterizing the statistical distribution of the HEPs. For HEPs of 0.1 and above, a lognormal distribution was assumed for the calculation of the lower bound values, and the upper bound values were set at 1.0. The upper and lower bounds were calculated by the following steps:

1) Calculate the mean HEP ($\mu_j$) for each error factor component (EF) based upon the median HEP by the equation:

$$\mu_j = e^{\mu + \sigma^2/2} \qquad \text{(Eqn. 4.2)}$$

where $\sigma = \ln(EF)/1.645$, and $\mu = \ln(\text{median HEP})$.

2) Calculate the standard deviation ($S_j$) for each error factor component based upon the equation:

$$S_j = \left[\mu_j^2 \left(e^{\sigma^2} - 1\right)\right]^{1/2} \qquad \text{(Eqn. 4.3)}$$

3) Calculate the pooled variance term assuming a complete interaction of components as discussed above:

$$S^2 = \sum_j S_j^2 + \sum_{i<j} S_i S_j \qquad \text{(Eqn. 4.4)}$$

4) Calculate the total error factor (TEF) for estimation of HEP range:

$$TEF = e^{1.645\,\sigma_T} \qquad \text{(Eqn. 4.5)}$$

where $\sigma_T^2 = \ln\left(1 + S^2/\mu_T^2\right)$, and $\mu_T^2 = \left[\left(\sum_j \mu_j\right)/n\right]^2$.

5) When the total error factor is derived, the upper (UB) and lower (LB) bounds encompassing 90 percent of the HEP distribution are calculated as a function of the lognormal distribution:

$$UB = HEP_{median} \times TEF, \quad \text{and} \quad LB = HEP_{median}/TEF \qquad \text{(Eqn. 4.6)}$$

4.2 Results of HEP Range Calculations

The methodology described above was applied to the LaSalle HEPs included in the risk-based sensitivity evaluation. Appendix A shows the listing of the upper and lower bounds of the HEPs calculated for each human error. The total error factor used in the estimation of the lower and upper bound values for each HEP in a specific human error group is shown in Table 4.2. Example calculations of the range estimates, i.e., the total error factors, for each human error group, are shown in Appendix E. The span of the total error factors (15 to 29) for the various human error groups in the LaSalle database is comparable to the span obtained in the Oconee 3 study (13 to 26).

Table 4.2. Total Error Factors Derived for Human Error Groups

Human Error Group    Total Error Factor    Number of Human Errors
Group 1              28                    11
Group 2              15                    28
Group 3              21                    19
Group 4              23                     4
Group 5              26                    11
Group 6              29                    10
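The range calculation of Section 4.1.4 carried through for the six error factor profiles of Table 4.1, as an added Python example; it is not code from the report or from the SETS or PAIRWISE programs, and the function names are illustrative. It assumes the Table 4.1 cell values as read from this page, an interaction sum in Eqn. 4.4 that counts each pair of sources once, and a TEF of exp(1.645 sigma), the inverse of the sigma definition in Eqn. 4.2; under those assumptions the rounded results match Table 4.2.

```python
import math
from itertools import combinations

Z95 = 1.645  # normal deviate relating an error factor to sigma (Eqn. 4.2)

# Error factor profiles per group as read from Table 4.1, in the order:
# lack of data, model inexactness, task differences, HRA analyst
# capabilities, personnel variability.
PROFILES = {
    1: (6, 7, 9, 6, 10),
    2: (2, 3, 2, 2, 7),
    3: (6, 6, 5, 2, 7),
    4: (10, 5, 5, 3, 3),
    5: (10, 6, 7, 5, 6),
    6: (10, 9, 9, 3, 7),
}

# Total error factors listed in Table 4.2, used as the reference result.
TABLE_4_2 = {1: 28, 2: 15, 3: 21, 4: 23, 5: 26, 6: 29}


def component_mean_sd(median_hep, ef):
    """Mean (Eqn. 4.2) and standard deviation (Eqn. 4.3) of the lognormal
    implied by one error factor component around the median HEP."""
    if not 0.0 < median_hep <= 1.0:
        raise ValueError("median HEP must be in (0, 1]")
    if ef < 1.0:
        raise ValueError("error factor must be >= 1")
    sigma = math.log(ef) / Z95
    mean = math.exp(math.log(median_hep) + sigma ** 2 / 2.0)
    sd = math.sqrt(mean ** 2 * (math.exp(sigma ** 2) - 1.0))
    return mean, sd


def total_error_factor(profile, median_hep=0.01, interaction=True):
    """Total error factor (Eqn. 4.5) for one group profile.

    median_hep defaults to a constructed sample value. interaction=False
    drops the cross terms of Eqn. 4.4 to show the purely additive model.
    """
    stats = [component_mean_sd(median_hep, ef) for ef in profile]
    means = [m for m, _ in stats]
    sds = [s for _, s in stats]
    pooled_var = sum(s * s for s in sds)
    if interaction:
        # Assumption: each pair of sources (i < j) is counted once.
        pooled_var += sum(a * b for a, b in combinations(sds, 2))
    mean_sq = (sum(means) / len(means)) ** 2
    sigma_t = math.sqrt(math.log(1.0 + pooled_var / mean_sq))
    return math.exp(Z95 * sigma_t)


def hep_bounds(median_hep, profile):
    """Lower and upper bounds (Eqn. 4.6), i.e. 5th and 95th percentiles."""
    tef = total_error_factor(profile, median_hep)
    lower = median_hep / tef
    if median_hep >= 0.1:
        upper = 1.0  # stated rule for HEPs of 0.1 and above
    else:
        # Added guard (assumption): a probability cannot exceed 1.0.
        upper = min(median_hep * tef, 1.0)
    return lower, upper


if __name__ == "__main__":
    print("group  TEF(calc)  TEF(Table 4.2)  additive-only  LB        UB")
    for group, profile in PROFILES.items():
        tef = total_error_factor(profile)
        additive = total_error_factor(profile, interaction=False)
        lb, ub = hep_bounds(0.01, profile)  # constructed median HEP of 0.01
        print(f"{group:>5}  {tef:9.2f}  {TABLE_4_2[group]:14d}  "
              f"{additive:13.2f}  {lb:.2e}  {ub:.2e}")
```

Every term in Eqns. 4.2 to 4.4 scales with the median HEP, so the TEF depends only on the group profile, which is why Table 4.2 can list a single value per group.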


5. SENSITIVITY CALCU1ATIONS This section gives the detailed results of the sensitivity calculations primarily by graphs, and provides an analysis of those results. Appendix C  ;

contains the data on which the graphs are based, and Appendices D and F l provide further detail of some of the analyses. The specific objectives of the risk based sensitivity evaluations performed in this study were to identify the quantitative impact of human erroro in the plant risk levels, to identify the specific aspects of human i errors that have higher risk impact, and to identify those categories of human j errors whose improvement might provide significant risk benefits. With that ) objective, a strategy was developed to define the types of sensitivity l evaluations to be studied. Each type of sensitivity evaluation addressed the combination of human errors whose effect on a particular output risk parameter  ! was being sought. The specific sensitivity evaluations performed in this l j study and the significance of the evaluations are summarized in Table 5.1. A number of additional sensi::ivity evaluations could similarly be designed to l derive further insights into the human role on plant risk. The LaSalle plant risk model, which was used for the sensitivity , calculations, was first constructed on the BNL mainframe computer using the SETS computer code. A brief description of this model is provided in Appendix B.3, " Computer Model of LaSalle Plant Risk." Tho large number of calculationc , necessary in each sensitivity evaluation was facilitated by the use of the PAIRWISE computer program, developed at Brookhaven National Laboratory (BNL).  ; The PAIRWISE program is an interactive personal conputer program where a - select group of basic events (e.g. , human errors) can be defined and their  ; associated probability estimates are changed so that the corresponding accident sequence frequencies and core melt frequencies can be obtained. This  : code is described in detail in NUREG/CR 5319, Appendix D. 
5.1 Method/Approach

5.1.1 Sensitivity Evaluation

Similar to the Oconee 3 study, the sensitivity evaluations performed here were intended to determine the influence of human errors on the various plant risk parameters. The plant risk parameters evaluated were the core melt frequency and the accident sequence frequencies. The accident sequence models used in sensitivity evaluation are the minimal cutset expressions of the accident sequences. In this study, the accident sequences considered in the LaSalle plant risk model are due to "internal events" such as plant transients, loss of coolant accidents, etc. Risk sensitivity within external events sequences (e.g., earthquakes, floods, fires) was not assessed within the scope of this study.

Risk sensitivity was based on the variation in risk due to HEP changes without regard to the actual cause of the change in HEPs. In the sensitivity calculations, the probabilities of all the human errors that were considered to influence a risk parameter were changed together. The justifications for

Table 5.1. Summary of Sensitivity Evaluations to Assess Implications of Human Errors on LaSalle Plant Risk

Each entry gives the sensitivity evaluation, followed by the significance of the evaluation.

1. Sensitivity with respect to all identified HEs in a plant
   a. CMF versus HEPs
   b. ASF versus HEPs
   Significance:
   i) identifies the role of HEs in plant risk
   ii) identifies the role of HEs in likelihood of accident sequences
   iii) identifies accident sequences that are most sensitive to HEs

2. Sensitivity of CMF to "Routine" (Pre-accident) Human Activity
   Significance:
   i) identifies the perturbations in the risk level due to variation in the performance level of plant staff
   ii) identifies the human errors deserving special attention during plant operation

3. Sensitivity of CMF to Errors of Recovery
   Significance: identifies the ability of operating staff to respond to an accident

4. Sensitivity of CMF to Categories of HEs
   a. TIMING category: relative significance of during-accident initiator & pre-accident initiator HEs
   b. LOCATION category: role of HEs in and out of control rooms
   c. PERSONNEL category: risk significance of role of various types of personnel
   d. ACTIVITY category: risk significance of types of human activities
   e. ACTIONTYPE category: risk significance of various types of actions
   f. SIMULATOR category: risk significance of simulator-based HEPs
   g. SPECIFIC category: relative significance of plant specific & generic HEs
   h. SENSITIVITY GROUP category: risk significance of human error groups characterized by a common error factor profile

5. Relative likelihood of various accident sequences as HEPs vary
   Significance: identifies the dominance of accident sequences based on the performance of the plant crew

this approach are: (a) the derivation of HEPs in PRAs is subjective, and conceivably, there may be underestimation or overestimation in the HEP, (b) the HEPs are average estimates and there are any number of factors that may vary the HEPs, and (c) a nuclear power plant may experience an improved performance or a degraded performance by its operating staff which are respectively signified by decreased or increased HEPs. Nonetheless, insights can be gleaned to focus upon areas for potential improvement in human performance in nuclear power plant operations.

In addition to sensitivity calculations, an in-depth analysis was performed to identify the dominant human errors in the minimal cutsets of the dominant accident sequences. The cutset analyses identified specific human errors that contributed significantly to risk in the various accident sequences, as well as those minimal cutsets containing multiple human errors. This process permitted the analysis of human error coupling with hardware failures in each accident sequence in more depth than would have been the case by observing risk variation in sensitivity curves alone. In general, the cutset analysis provided good agreement with the results of the sensitivity evaluations in describing the important types and groups of human errors. Details of the cutset analyses to identify the significant human errors in the six most dominant accident sequences of the LaSalle plant risk model are provided in Appendix D. Selected results are presented throughout this section in conjunction with the appropriate sensitivity curves.

5.1.2 Method of Varying HEPs

Two methods of HEP variation were developed in the Oconee study to change HEPs from the base case values to their upper and lower bounds. These two methods are the Factor Method and the Range Method. Almost all of the results for LaSalle were obtained by using the factor method.

In the "factor" method, the HEPs are varied in a multiplicative fashion over their derived ranges. Within these ranges, the median HEP for each error is multiplied (or divided) by a fixed constant factor (e.g., 5, 10, 15, etc.). A new set of HEPs is generated for each individual factor, and a new CMF is calculated. An HEP, however, stops increasing when it reaches its upper bound or the value of 1.0. The largest upper bound value for any HEP is 29 times its base case value. An HEP stops decreasing when it reaches its lower bound. A description of the more involved range method is presented in NUREG/CR-5319.

5.2 Results of Sensitivity Calculations

Sensitivity evaluations, summarized in Table 5.1, were performed to determine the effect of human errors on plant risk parameters. Each sensitivity evaluation addresses some aspect of human performance in nuclear power plant operation. Sensitivity curves of the various risk parameters were plotted from the calculated data for each analysis. Appendix C gives the actual data on which the risk variation curves are based. The results and the interpretation of risk variation curves produced for each specific evaluation are presented in the following subsections.

Subsection 5.2.1 discusses the overall sensitivity of the risk parameters (e.g., core melt frequency or accident sequence frequency) to HEP variations. The sensitivity of plant risk to various categories of human errors is discussed in subsection 5.2.2. To compare the sensitivity of different accident types, selected accident sequences are examined in subsection 5.2.3. Sensitivity evaluations to address special situations such as the impact of recovery events and routine human actions on plant risk are described in subsection 5.2.4. Where possible, comparisons with the results obtained in the earlier Oconee 3 sensitivity study are made to indicate significant differences in the impact of human errors on the two plants. A detailed analysis of the differences between the studies is being performed in a follow-on study.

5.2.1 Overall Sensitivity of Risk Parameters

The impact of human errors on the LaSalle plant risk was assessed by evaluating the sensitivity of risk parameters to changes in HEPs. As discussed previously, the probabilities of all human errors that are considered to influence a risk parameter were changed together. The following subsections describe the sensitivity of two risk parameters, viz., the core melt frequency and the accident sequence frequencies, to HEP variations.

5.2.1.1 CMF Sensitivity to Human Errors

Sensitivity of the LaSalle core melt frequency (CMF) to multiplicative changes in the HEPs is shown in Figure 5.1. In this evaluation, the probability estimates of all human errors were increased or decreased by multiplicative factors until the respective upper or the lower bound of the HEPs were reached. The LaSalle CMF varies about one and one half order of magnitude (1.1E-5 to 3.9E-4) within the ranges of HEP variation. In contrast, the Oconee 3 sensitivity results show that the Oconee CMF variability due to human error effects was over four orders of magnitude.

The smaller extent of LaSalle CMF change over the HEP range is mechanistically attributable to the types of human error combinations modeled in the minimal cutsets of the various accident sequences. Specifically, the LaSalle dominant sequences have fewer cutsets with double, triple, or even quadruple human errors than does Oconee. Insights on the underlying reasons for such differences (such as plant types, PRA models, or HRA methods) will be derived from a comparative analysis in a follow-on study. The largest change in the LaSalle CMF is observed within a factor of 5 increase in base case HEPs. This effect is due to a moderate number of HEPs with large initial values, e.g., recovery actions with HEPs of 0.2 to 1.0, reaching their upper bounds within this interval. The review of minimal cutsets (see Appendix D) showed that the HEPs of recovery errors in the most dominant accident sequences, e.g., restoration of AC power within one hour of loss of offsite power (RA-8-1H), tended to drive the increase in CMF sensitivity. On the other hand, reduction in HEPs by constant factors resulted in a significant decrease in CMF until hardware failure contributions supersede the human error impact.
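The factor method of Section 5.1.2 and the cutset behaviour described above can be reproduced on a small model. The following is an added example, not code or data from the report or from PAIRWISE: the event names, probabilities, bounds and cutsets are constructed for illustration, and CMF is taken as the rare-event sum of minimal cutset products.

```python
"""Factor-method HEP sensitivity on a constructed minimal-cutset model."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HumanError:
    base: float   # base-case (median) HEP
    lower: float  # lower bound of the derived range
    upper: float  # upper bound of the derived range (never above 1.0)


# Constructed sample data (hypothetical names and values, not LaSalle's).
HUMAN_ERRORS = {
    "HE-REC": HumanError(base=0.2, lower=0.02, upper=1.0),    # recovery error
    "HE-DYN": HumanError(base=0.01, lower=0.001, upper=0.1),  # dynamic error
}
HARDWARE = {
    "IE-X": 0.1,   # initiating event frequency, per year
    "HW-A": 1e-3,  # hardware failure probability
    "HW-B": 1e-2,  # hardware failure probability
}
CUTSETS = [
    ("IE-X", "HW-A", "HE-REC"),            # one human error
    ("IE-X", "HW-B", "HE-REC", "HE-DYN"),  # two human errors
    ("IE-X", "HW-A", "HW-B"),              # hardware only
]


def scaled_hep(he, factor):
    """Multiply the base HEP by `factor` (a factor below 1 divides it),
    then stop at the lower bound, the upper bound, or 1.0."""
    if factor <= 0:
        raise ValueError("factor must be positive")
    return min(max(he.base * factor, he.lower), he.upper, 1.0)


def cutset_frequency(cutset, factor=1.0):
    """Product of the basic events in one minimal cutset."""
    freq = 1.0
    for event in cutset:
        if event in HUMAN_ERRORS:
            freq *= scaled_hep(HUMAN_ERRORS[event], factor)
        else:
            freq *= HARDWARE[event]
    return freq


def cmf(factor=1.0, cutsets=CUTSETS):
    """Core melt frequency as the sum of cutset frequencies
    (rare-event approximation)."""
    return sum(cutset_frequency(c, factor) for c in cutsets)


def human_error_order(cutset):
    """Number of human errors in a cutset (1 = single, 2 = double, ...)."""
    return sum(1 for event in cutset if event in HUMAN_ERRORS)


def sensitivity_curve(factors):
    """One (factor, CMF) point per HEP factor, all HEPs changed together."""
    return [(f, cmf(f)) for f in factors]


if __name__ == "__main__":
    steps = [1 / 29, 1 / 10, 1 / 5, 1, 5, 10, 20, 29]
    for factor, value in sensitivity_curve(steps):
        print(f"HEP factor {factor:7.3f}  CMF {value:.3e}")
    for c in CUTSETS:
        growth = cutset_frequency(c, 5) / cutset_frequency(c, 1)
        print(human_error_order(c), "HE(s): x5 on HEPs gives x%.0f" % growth)
```

In this constructed model the double-human-error cutset grows by 25 for a factor of 5 while the single-error cutset grows by 5, the curve is flat beyond a factor of 10 because both HEPs have reached their upper bounds, and the hardware-only cutset sets the floor as HEPs are reduced.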

Figure 5.1. Overall CMF sensitivity to human error. [Plot not reproduced: core melt frequency versus HEP factor.]

The effects of varying HEPs for recovery action (RA) type errors and other operator errors (non-RA type errors) upon CMF are displayed in Figure 5.2. The RA type errors are operator recovery actions that were "ANDed" to accident sequence cutsets in the LaSalle PRA to represent the ability of plant operators and other support personnel to prevent or mitigate core damage during the accident sequence. The risk variation curves plotted in Figure 5.2 indicate that LaSalle CMF is much more sensitive to RA-type errors than the non-RA type errors. One should note, however, that in the LaSalle HRA scheme, there is not a clear operational distinction between those during-accident errors that are RA and non-RA. That is, there are some other recovery type during-accident errors, which were modelled in the fault trees and hence, are not designated as RA errors. Sensitivity results for the Oconee 3 study show the Oconee CMF is quite sensitive to both during-accident non-recovery errors and recovery errors.

5.2.1.2 Accident Sequence Sensitivity to Human Error

In the LaSalle PRA, the accident sequences are not characterized strictly by initiating events according to the traditional methods. Each sequence for LaSalle is representative of an event tree that is composed of a set of functional and system failures. The system failures themselves are in turn represented by fault trees. Finally, the fault trees show logically how a system may fail. Included in the fault trees as basic events are the initiating events. Thus, each event tree (or sequence) will be generated by more than one initiating event. When the entire sequence or event tree is solved, the minimal cutsets represent those combinations of basic event failures which lead to core damage.
An examination of the cutsets for a sequence shows more than one initiating event; however, most all sequences are generally dominated by a single initiating event. Thus, an analysis of sensitivity to human error by accident sequence type can still be performed, using the dominant initiating event in a given sequence. This section analyzes both the relative and the absolute contribution to CMF of the various types of accident sequences.

Figure 5.2. Sensitivity of core melt frequency to HEP variations. [Plot not reproduced: core melt frequency versus HEP factor; curves: ALL HEs, RA HEs, NON-RA HEs.]

In the LaSalle PRA, transient-initiated sequences are predominant. For analysis purposes here, the transient sequences are further grouped into four types: Loss of Offsite Power (LOOP) sequences, Turbine Trip (TT) sequences, Loss of Feedwater (LOFW) sequences, and Loss of AC Power (LOAC) sequences. Appendix B, Table B.3, shows the specific sequences that are included within each of these groups. After the transient sequences, there are three types of sequences which contribute slightly, but measurably to the overall core melt frequency; namely, the transient-induced loss of coolant accidents (LOCAs), the small LOCAs, and the anticipated transient without scram (ATWS) sequences. The specific sequences within these groups are also listed in Table B.3.

The relative contribution of each type of accident sequence at LaSalle versus HEP is shown on the next two figures (5.3 and 5.4) and is discussed below. Following these discussions, plots are given which show the absolute variation of accident sequence frequency with HEP variation. In reviewing the relative distribution curves, even though the accident sequence frequency increases as HEPs increase, the relative contribution of that sequence may still drop if other sequences' frequency increases faster.

Figure 5.3 shows the relative contribution to core melt frequency of the transient initiated sequences. This figure contains information on the two dominant types of sequences for LaSalle, namely LOOP and TT. The loss of offsite power (LOOP) sequences increase from 75% to about 92% contribution as HEPs increase from base case to upper bound values. The LOOP sequences are characterized by a group of six accident sequences (see Table B.3) whose minimal cutset expressions are largely driven by the loss of offsite power initiator event (IE-LOSP). When HEPs were set at lower bound values, the relative contribution to core melt frequency from LOOP sequences decreases to 33%. For turbine trip (TT) sequences (three sequences largely driven by the initiator event, IE-T1), the relative contribution to overall plant risk decreases from 21% to 6% as HEPs increase from base case to upper bound values. The reduced sensitivity for TT sequences is due to the fact that the number of significant human error contributors were smaller and their upper bound values were generally lower than those for LOOP sequences. At lower bound values of HEPs, the relative contribution to core melt frequency from TT sequences is 59%. Again, this indicates that these sequences are not affected by human errors to the same extent as the LOOP sequences.

Figure 5.3. Relative distribution of accident risk for transient sequences over HEP range. [Plot not reproduced: % contribution to CMF versus HEP range (LB to UB); accident sequence types: LOOP, TT, LOFW, LOAC.]

As shown in Figure 5.4 the relative contribution of transient induced LOCAs (e.g., T1-LOCA, T2-LOCA) [1], small LOCAs and ATWS (anticipated transient without scram) sequences to plant risk over the HEP range is generally small. The loss of feedwater induced LOCA (T2-LOCA) sequences decrease from 3% to near zero in relative contribution to plant risk as HEPs vary from lower to upper bound values. This is because the T2-LOCA sequence cutsets do not contain many significant human errors. These observations imply that accident sequences characterized by hardware failures and malfunction of automatic safety systems are not driven by human errors to the same extent as transient event sequences. Thus, the contribution from these sequences is largely a function of hardware reliability rather than human errors. Overall, whether HEPs are at their base case, lower bound, or upper bound, the LaSalle transient sequences as a group are still by far the most dominant sequences to core melt frequency.

[1] T1-LOCA: Loss of offsite power transient-induced LOCA. T2-LOCA: Loss of feedwater transient-induced LOCA.

Figure 5.4. Relative distribution of accident risk for LOCA and ATWS sequences over HEP range. [Plot not reproduced: % contribution to CMF versus HEP range (LB to UB); accident sequence types: T1-LOCA, T2-LOCA, SM LOCA, ATWS.]

Figure 5.5 shows the sensitivity of the three most dominant accident sequences to changes in HEPs. This figure shows the variation in accident sequence frequency together with the total CMF variation on one plot. Together, these three sequences represent 90% of the total CMF. This curve also illustrates graphically how much these three sequences contribute to the total CMF at various HEP factors. In general, all dominant accident sequences up to 95% of total core melt frequency at the LaSalle plant are fairly sensitive to human error and vary over about one to two orders of magnitude as all HEPs increase from lower bound to upper bound values. The sensitivity curves show that Loss of Offsite Power (LOOP) accident sequences have significant human error dependence. (For example, sequences T8 and T3E are predominantly initiated by Loss of Offsite Power. Table B.3 of Appendix B shows all sequences included within the LOOP category and Appendix D provides a more detailed description of each accident sequence such as T8.) The probabilities of such sequences have the potential for being reduced when the human error rates are reduced, especially those HEPs for sequence dependent recovery errors (e.g., RA-8-1H, RA-8-8H). The decrease in failure probabilities of recovery errors can potentially be influenced by causal factors such as training, well developed procedures, and good operating practices. For the T2VL sequence, which is largely initiated by turbine trip, the sensitivity curve shows that there is no great reduction in accident sequence frequency even when the contributions from human errors are decreased significantly. This effect is due to cutset-dependent recovery errors (e.g., RA 1 1-27H, RA-2 11-27H) already having low error probabilities in the magnitude of 10** because the maximum allowable time for recovery actions is longer.

Figure 5.5. Sensitivity of dominant accident sequences to HEP variation (HEP factor) - Loss of Offsite Power sequences (T8 and T3E) and Turbine Trip sequence (T2VL). [Plot not reproduced: core melt frequency versus HEP factor; curves: TOTAL CMF, T8, T2VL, T3E.]

Similar to the Oconee 3 study, it is observed that increasing human error probabilities from the base values greatly increases the sequence frequencies or likelihoods to varying extents depending on the involvement of human actions in each sequence. The increasing accident sequence likelihoods due to human errors identify the role of degraded human performance in accident risks.

The impact of human performance for specific representative types of accident sequences is further evaluated (in Figure 5.6) by observing the factor by which ASF (accident sequence frequency) changes as HEPs are varied in steps to their upper and lower bounds. The highest frequency sequence was selected from each of the accident sequence groups discussed above and listed in Table B.3. Figure 5.6 shows the variation of ASF factors due to changes in HEPs for these six different representative accident sequences. The ASF factor is defined as the ratio of the new ASF to the baseline ASF when all the HEPs are multiplied by a fixed constant. In contrast to the Oconee 3 results where the ASF factor for the dominant sequence is nearly seven orders of magnitude, the extent of ASF factor over the full HEP range for the dominant sequences in the LaSalle plant risk model is slightly less than two orders of magnitude. The primary reason is that the accident sequence frequencies are largely driven by single and double human error combinations rather than triple or quadruple human error combinations in the minimal cutset expressions.

Figure 5.6 contains the following sequences which are representative of the accident sequence groups as shown:

LOOP - T8
Turbine Trip - T2VL
Loss of AC Power - T3BL
Transient induced LOCA - TL8
Small LOCA - L2VL
ATWS - A49

Figure 5.6. Variation of ASF factors to HEP changes. [Plot not reproduced: ASF factor versus HEP factor, one curve per accident sequence listed above.]

The loss of feedwater sequence (T2) shown in Figure 5.3 is not very sensitive and hence is not repeated here. The transient initiated accident sequences, such as the T3BL and the T8 sequences, show stronger sensitivity to human error as compared to the small LOCA sequence, L2VL. The T3BL and T8 sequence frequencies decreased twice as much as that for the L2VL sequence when there is a factor of 10 improvement in the HEPs. This is because multiple human errors appear in the dominant terms of the accident frequencies for the T3BL and T8 sequences, whereas T2VL has mainly single HEs in its cutsets. One impact of multiple human errors is further highlighted by the higher ASF factors for the T3BL and the A49 (ATWS) sequences. An interesting insight gleaned from these observations is that an insignificant sequence such as the A49 ATWS sequence can potentially have a marked impact on plant risk when human performance becomes degraded. For example, if just this sequence is perturbed, it can go from 0.1% of total CMF to almost 2% of CMF. Also, the level of risk reduction is significant for improvement in human performance during the A49 accident sequence.

In contrast to the Oconee 3 results, LaSalle accident sequences with high initiating event frequencies do not show a marked sensitivity to human errors. For example, the turbine trip (IE-T1 - 4.5 events/year) and loss of feedwater (IE-T5 - 0.6 events/year) sequences show smaller sensitivity to human errors. On the other hand, at LaSalle, accident sequences resulting from loss of offsite power (IE-LOSP - 9.7E-2 events/year) or loss of AC bus (IE-T101 - 5.0E-3 events/year) events are among the more human-error sensitive accident sequences. Even though these occurrences are low likelihood initiating events, these sequences are major contributors to CMF. The human error impact during these station blackout sequences is significant and consequently, the frequencies of these accident sequences can be significantly lowered through improvement in the associated human error probabilities.

5.2.2 Sensitivity of Risk (CMF) to Various Categories of Human Errors

In evaluating the human role during normal operation of the LaSalle plant, a number of sensitivity evaluations were performed which collectively provided insights on the influence of human performance actions/errors on the plant risk, namely the core melt frequency. Sensitivity evaluations were conducted to identify the contributors to the spectrum of risk in terms of accident timing, action type, personnel involvement, error type, and sensitivity group defined by a common error factor profile.
The risk impact of various categories of human errors is addressed by the relative ranking of significant human errors, such that a small subset of human errors can be identified that might reduce risk. Similar to the Oconee 3 study, contributions of human error to LaSalle CMF are analyzed by changes in groups of HEPs defined under specific human error categories. The results are presented in Figures 5.7 through 5.13.

5.2.2.1 Timing

As with the Oconee 3 sensitivity results, the LaSalle core melt frequency is more sensitive to during-accident human errors than pre-accident errors as shown in Figure 5.7. This sensitivity is due to the dominant effect of recovery type errors during accidents. For specific accident sequences, recovery errors such as failure to restore AC power or repair of the diesel generator within one hour of loss of offsite power (e.g., RA-8-1H, RA-9-1H) have estimated probabilities greater than 2 x 10". These errors are sequence dependent and occur in all cutsets of certain dominant accident sequences.

Within the dominant cutsets, the recovery errors are also combined with dynamic human errors, i.e., errors in taking actions by following procedures during an accident sequence (e.g., OPFAILSCDS-0E 8M, TDRFP T-0E-27H). The multiple effect of recovery errors and dynamic human errors modeled in the dominant cutsets has a large impact on core melt frequency when HEPs are increased. The various combinations of these errors that drive risk sensitivity are given in the cutset analysis, detailed in Appendix D.

Figure 5.7. Sensitivity of CMF to pre-accident and during-accident errors. [Plot not reproduced: core melt frequency versus HEP factor; timing curves: ALL HEs, PRE-ACC, DUR-ACC.]

There are only four pre-accident errors in the final LaSalle plant risk model, and they are observed to have a minimal effect on core melt frequency when HEPs are increased. These pre-accident errors are latent human errors, e.g., failure to restore a component after testing or maintenance (DGOV01CA-RUM 0, LCSC002A RUM 1, RRRC003B RUM-1), which have probability estimates between 2 x 10'8 and 1.0 x 10 . In contrast to during-accident errors, pre-accident errors usually occur as singular events in the dominant cutsets. Also, the number of cutsets containing one or more pre-accident errors is less than those containing multiple during-accident errors. Therefore, the greater number and contribution of dominant cutsets with multiple during-accident errors are key reasons that "during-accident" errors have greater influence on core melt frequency than pre-accident errors. In the direction of decreasing HEPs, the pre-accident errors show essentially no effect on CMF.

A full analysis of "pre-" versus "during-accident" errors, however, could not be performed since the final LaSalle PRA model available to BNL already had the large majority of pre-accident errors eliminated either through analysis, screening, or truncation. Thus, since they were not included in the final cutsets, their HEPs could not be varied to determine what the effect would be, if any.

5.2.2.2 Human Performance Actions

Section 3 of this report discusses the definition of the different codes for human performance action (i.e., manual, manual backup, and manual override) and gives the numerical distribution of HEs into the different codes. In evaluating the impact of human performance actions on the LaSalle plant risk, "manual" actions (M. ACT) were found to have the most significant effect on core melt frequency (Figure 5.8). The impact of these manual actions (e.g., RA-8-1H; failure to restore offsite power) is largely due to dynamic errors in the operator's response to plant upset and to recovery actions when the operating staff is performing actions under stress. Manual override or M. OVR (e.g., RA 312 80M; operator fails to reopen RCIC isolation valve within 80 minutes, given RCIC room isolation) and manual backup (M. BKUP) actions (e.g., RA-2-3-1H; failure of local operation of system or component that failed to automatically actuate) have minimal impact on core melt frequency, primarily due to the small number of errors of this type and the sequences in which they appear. Some small sensitivity to M. OVR errors is seen for the T8 sequence in Figure 5.15.

Figure 5.8. Sensitivity of CMF to types of human performance actions. [Plot not reproduced: core melt frequency versus HEP factor; action type curves: ALL HEs, M. ACT, M. BKUP, M. OVR.]

Since it has been observed that LaSalle CMF has marked sensitivity to manual actions, the effect on plant risk for the subset of manual actions that relate to the high consequence actions of containment venting and initiation of standby liquid control (SLC) system was assessed. In this study, these operator actions (e.g., OPFAIL-VENT-2H, OPFAIL-SLC1B 56M) are termed as "ultimate actions" because of their significance in BWR plant operations and accident response. The errors involved are the errors in sensitivity group No. 1. Figure 5.9 shows that the impact of the errors involved in "ultimate actions" is relatively small on the LaSalle CMF. This effect is partially due to the estimated probabilities of the "ultimate action" error events being on the order of 2 x 10-3 and hence being in low frequency cutsets.

Complicating effects related to the ultimate actions of containment venting should be noted. As mentioned in Section 4.1.2, the vent ductwork could fail within secondary containment, and the steam released could damage needed safety equipment. The LaSalle PRA modelled both failure to vent and the complement (or inverse) event of successful venting. Varying both of these events has compensating effects. As a result, firm conclusions cannot be drawn at this stage regarding the sensitivity to these venting-type errors.

Figure 5.9. Sensitivity of CMF to categories of manual actions. [Plot not reproduced: core melt frequency versus HEP factor; manual action curves: ALL HEs, ALL MAs, NON-ULT. MAs, ULT ACT.]

5.2.2.3 Personnel

Figure 5.10 identifies personnel that are dominant contributors to plant risk. The curves show that core melt frequency is more sensitive to operational errors where reactor operators (ROs) have primary responsibility. This group consists of 95% of the errors and includes those denoted as RO only, RO/NL, and RO/NL/MT. The four non-licensed operator-only (NLO) related errors have a minimal effect. The predominance of the RO type errors was similarly observed in the Oconee 3 sensitivity study.

Figure 5.10. Sensitivity of CMF to personnel type and RO interactions. [Plot not reproduced: core melt frequency versus HEP factor; personnel curves: ALL HEs, ROs Only, RO/NL, RO/NL/MT, NLO.]

The larger number and higher probability estimates of RO errors, which also occur mostly in dominant cutsets, contribute to the greater sensitivity of core melt frequency to these errors. The four NLO-only errors are those where the non-licensed operator has prime responsibility. The minimal effect of NLO-only errors is due to their smaller number, and the fact that the NLO-only errors involve the less important restoration errors from test and maintenance activities.

Due to the risk significance of the reactor operator role, a further sensitivity evaluation was conducted delineating various responsibilities of the reactor operators. The sensitivity curves in Figure 5.10 show the sensitivity of LaSalle CMF for changes in HEPs defined by wholly reactor operator responsibility (RO only), dual reactor operator and non-licensed operator (RO/NL) responsibility, shared reactor operator, non-licensed operator and/or maintenance personnel (RO/NL/MT) responsibility, and NLO only responsibility. Similar to the Oconee 3 results, errors with an interaction between reactor operator and non-licensed operator (RO/NL) have more influence on core melt frequency than errors committed by any other personnel category. Even though there are 35 RO/NL errors compared to 33 "ROs only" errors, the large impact shown by RO/NL errors is because most of these errors involve sequence-dependent recovery errors. As discussed earlier, this set of recovery errors occurs as multiple events in dominant cutsets of important accident sequences and the magnitude of their probability estimates is high. This result implies that coordination between reactor operator and non-licensed personnel, especially during recovery actions in accident situations (e.g., RA-8-1H, RA-2-3-1H) is important in limiting risk. The interaction between the reactor operator, non-licensed operator, and maintenance personnel has minimal effect on the core melt frequency.
The 11 RO/NL/MT errors are emergency diesel generator repair errors (e.g., RA-9-1H, RA-15-1H). These repair errors occur as single events in less important cutsets. Therefore, their influence on core melt frequency is not significant as the HEPs are varied.

Similar sensitivity curves were obtained for the location of human error occurrence, i.e., within the control room (CR), outside the control room (OCR), and uncertainty of whereabouts or dual location (CROCR). The interpretation of the location sensitivity curves is similar to the personnel category and provided no new insights, so they are not presented.

5.2.2.4 Simulator/Non-simulator HEPs

Figure 5.11 shows that HEPs based on non-simulator data rather than simulator-derived HEPs have the dominant effect on core melt frequency. The simulator-based error curve, however, also shows some notable sensitivity. Time-dependent HEPs derived from performance data of operating teams tested on severe accident scenarios at the LaSalle nuclear power plant simulator are dominated by the diagnostic portion of the simulated accidents. As expected, most of the HEPs based on simulator data were lower than those of non-simulator type. Therefore, the marked sensitivity of core melt frequency to non-simulator HEPs appears to be partially due to their higher probability estimates, usually greater than 0.1, even though the number of errors with non-simulator HEPs is smaller. These higher base case probabilities make their cutsets more important to CMF. Also contributing to their sensitivity is the functional importance of the non-simulator errors for LaSalle, particularly those errors associated with recovery of offsite AC power and repair of the emergency diesel generators (DGs).

Figure 5.11. Sensitivity of CMF to simulator based HEPs
(Plot: core melt frequency versus HEP factor, from 1/29 through the base case B to 29; curves for ALL HEs, SIM HEPs and NON-SIM HEPs.)

This sensitivity illustrates that not all important human errors can be simulated in the standard control room simulators, which has implications for future human reliability analysis. Further, considering the issue of accident management and training for mitigating the important accident sequences, again, control room simulation will not address all important events. Training on other types of actions such as recovery of offsite AC power and perhaps troubleshooting of DG failures also appears beneficial and would need to be accomplished through means other than control room simulators.

Further insights into the specific simulator/non-simulator error can be obtained from a review of the next two categories analyzed: error specificity and the sensitivity groups.

5.2.2.5 Generic/Specific Errors

As shown in Figure 5.12, "specific" human errors rather than generic human errors have a dominant effect on plant risk. Specific human errors are those that were identified to be associated with actions performed on a plant-specific system or component. Generic errors are typically those identified as "failure to operate a system or component," such as RA-1-1 errors. All of the generic errors were simulator modelled errors. In the LaSalle HRA analysis, similar errors with the same HEP were grouped under one error code as a single generic error. Thus, this sensitivity analysis could not change these independently of each other. The largest grouping under a generic error actually represented about 50 individual errors. However, despite this methodology, these generic errors were found to have minimal effect on the risk sensitivity. The use of this generic approach did not change the number of places in cutsets that the human errors appeared, only what they were called. Hence, we conclude that the cutsets in which they appear are generally not significant cutsets.

5.2.2.6 Sensitivity Group

As discussed earlier in Section 4, human errors were sorted into various sensitivity groups based on common error factor profiles. Figure 5.13 shows that the LaSalle core melt frequency is most sensitive to sensitivity group five human errors. These sensitivity group five human errors are mostly related to the restoration of offsite AC power after a loss of offsite power event, and are in the dominant cutsets of the most dominant sequence. Sensitivity group two and three human errors show a moderate effect on the core melt frequency. The number of human errors in sensitivity group two is the largest (28), and their common error factor is the smallest (15) among the various sensitivity groups. These errors are "normal consequence," specific operations-related human errors with simulator-based HEPs, and they occur during accident. Most of the group three human errors are related to the manual operation of a system or component. These are "generic" errors, and were defined as recovery actions (e.g., RA-1-1-8H, RA-2-3-1H) where each event may be related to a number of plant-specific systems or components.

Sensitivity groups one, four, and six human errors show minimal impact on the core melt frequency. The sensitivity group one human errors are related to human actions in containment venting and SLC initiation, group four human errors are pre-accident errors, while group six human errors are related to emergency repair of diesel generators to an operable status.

Figure 5.12. Sensitivity of CMF to error types
(Plot: core melt frequency versus HEP factor, from 1/29 through the base case B to 29; curves for ALL HEs, SPEC HEs and GEN HEs.)

Figure 5.13. Influence of sensitivity group on CMF
(Plot: core melt frequency versus HEP factor, from 1/29 through the base case B to 29; curves for ALL HEs and for each sensitivity group, SSG1 to SSG6.)

The above findings correspond with insights obtained from the sensitivity curves for types of human performance actions, showing the importance of actions to restore offsite AC power in dominant accident sequences, the curves for simulator versus non-simulator errors, and from the sensitivity curves of during-accident versus pre-accident errors showing the importance of RO and NLO interactions during the accident time regime. These findings also agree with an examination of errors shown to be important in the minimal cutsets (see Appendix D).

5.2.3 Sensitivity of Dominant Accident Sequences to Human Errors

As discussed earlier in subsection 5.2.1.2, the dominant accident sequences are very sensitive to human errors and vary about two orders of magnitude as HEPs are varied. The six most dominant sequences, which represent about 97.5 percent of the risk in the LaSalle PRA model, are largely transient-initiated sequences (see Appendices B and D). In this study, five different accident sequences in the baseline risk model were selected to analyze the role of human errors at the accident sequence level. Each of these five accident sequences represents the most dominant sequence for its type of accident initiator. The accident sequences analyzed along with the predominant initiator for that sequence were: the loss of offsite power (T8), turbine trip with bypass available (T2VL), loss of feedwater transient-induced LOCA (TL2), small-small (recirculation pump seal) LOCA (L2VL) and ATWS (A49) sequences.

The T8 sequence involves a transient initiator, which is predominantly a loss of offsite power event, and failure of all high and low pressure injection systems after successful scram and safety relief valve (SRV) operation. It is responsible for 57% of the total core melt frequency in the base case. The T2VL sequence is initiated by a turbine trip, MSIV closure, or loss of feedwater. High pressure core spray (HPCS) and one train of the control rod drive (CRD) system then operate to provide high pressure injection. This sequence is responsible for 21% of the base case core melt frequency. The TL2 sequence is characterized by a transient-initiator, e.g., loss of main feedwater, but one or more SRVs fail to reclose when required (i.e., a stuck open SRV). This sequence accounts for about 1% of the base case core melt frequency. The L2VL sequence is characterized by a small-LOCA initiating event, while the A49 sequence is an ATWS sequence largely initiated by turbine trip without bypass, total main steam isolation valve (MSIV) closure, or loss of condenser vacuum events. These two sequences are sensitive to certain risk significant human errors related to the recovery of a plant-specific system or component, even though each sequence separately accounts for only about 0.1 percent of the base case core melt frequency. The details of the individual accident sequence sensitivities are presented in Appendix F.

5.2.4 Sensitivity Evaluation of Recovery Errors

Similar to the Oconee 3 study, the sensitivity evaluations discussed in this section address the role in LaSalle of human errors for recovery efforts during accident conditions (denoted as RA-xxx type errors). Human errors of recovery relate to the ability of operating staff to restore an interrupted function in response to accident conditions. Section 3.4.2 discusses the breakdown of these errors (48 of 83 are RA errors). By performing a sensitivity analysis with respect to these errors, the operator performance during abnormal plant conditions can be assessed. In this study, the term "recovery action" refers to an action which must be accomplished by the operators to prevent or mitigate core damage during an accident. Operator actions identified as "RA type" events in the LaSalle plant risk model describe significant
actions that were "ANDed" to the accident sequence cutsets to represent the likelihood of accident recovery. Therefore, the sensitivity evaluations to determine the changes in risk indicators due to recovery considerations applicable to the LaSalle plant are focussed on the effect of these RA-type events on plant risk. It should be noted that these errors for LaSalle are quite similar to the other during-accident errors listed as OPFAILS ... in the human error list of Appendix A. However, the sensitivity to these RA-errors is so strong that even the inclusion of other non-RA, during-accident errors that relate to recovery would not noticeably increase the sensitivity.

5.2.4.1 Impact of RA-Type Events on Core Melt Frequency

The dramatic impact of the LaSalle modelled recovery actions is shown by the sensitivity curves plotted on Figure 5.14. The three curves are for all recovery actions fixed at either 1.0, their base case, or 0.0001 (approximately zero). The plotted risk values are obtained when the HEPs of all during-accident errors, excluding the now fixed RA-type errors (or a total 30 errors), are varied simultaneously by a multiplicative factor. When all recovery error probabilities are assumed to be 1.0 (representing no recovery), the core melt frequency is increased by more than two orders of magnitude to 6.70E-3. If recovery error probabilities are assumed to be 1 x 10^-4 to represent essentially perfect recovery, the core melt frequency is reduced by only a factor of 3.0. The baseline core melt frequency is 1.17E-5 when this successful recovery (.0001) is assumed. If all recovery errors are assumed to be "perfect" (probability equal to zero), the core melt frequency only decreases to 1.07E-5.

Figure 5.14. Impact of RA type events on core melt frequency with non-RA during-accident errors varied by HEP factors
(Plot: core melt frequency versus HEP factor, from 1/29 through the base case B to 29; one curve for each recovery error probability: 1.0 (no recovery), BASE and 0.0001.)

The large potential for risk increase and the relatively smaller potential for risk reduction are collectively due to HEPs of many recovery actions being assigned low base values in the LaSalle model. Recovery actions with low HEPs are generally those expected over a longer time interval after accident initiation, whose HEPs were derived from simulator data. This result shows that the ability of the operating staff to recover from accident conditions can significantly influence the core melt frequency. It also shows that significant degradations in an operating staff's capability to recover during accident situations can also significantly impact plant risk. These observations are similarly found in the Oconee 3 study results, even though the number of recovery events in the Oconee 3 dominant sequence cutsets is less than the RA-type events modeled in the significant cutsets of the LaSalle plant risk model (20 versus 49).

5.2.4.2 Impact of RA-Type Events on Accident-Sequence Frequency

The impact of recovery actions during the occurrence of the most dominant accident sequence, viz., T8 sequence, is shown on Figure 5.15. The sensitivity curves are plotted from risk values obtained when the HEPs of all during-accident errors excluding recovery errors are varied simultaneously. The values of recovery error probabilities are fixed as indicated. For this particular sequence, the baseline accident frequency is increased to 8.53E-5 when no recovery is assumed. If successful recovery (.0001) is assumed, the accident frequency is reduced by one order of magnitude to 1.38E-6.

Figure 5.15. Impact of RA type events on accident sequence frequency of T8 sequence for during-accident errors
(Plot: accident sequence frequency versus HEP factor, from 1/29 through the base case B to 29; one curve for each recovery error probability: 1.0, BASE and 0.0001.)

In contrast to the Oconee 3 sensitivity results for the most dominant sequence, viz., loss of instrument air transient (T6BU), the potential for risk reduction of T8 sequence likelihood is smaller because the probability estimates of the RA-type events that drive the sequence risk are lower and there are fewer multiple HE occurrences in the dominant cutsets. It should be noted that recovery error probabilities of 0.0001 may be very difficult to obtain for certain recovery actions. One must realize that some actions are complex, involving multiple actions, sometimes ill defined and limited in the time available to complete the action.

5.2.5 Importance Ranking of Risk Significant Human Errors

Risk-significant individual human errors during accident conditions can be identified by a cutset analysis similar to Appendix D and by performing single-event or pairwise importance analyses on errors that operators may commit during the accident situation. The human errors were ranked by single-event importance analysis according to both the Fussell-Vesely and Birnbaum importance measures. Table 5.2 ranks the 20 during-accident human errors found to be most important in terms of the Fussell-Vesely (FV) importance measure, and provides the importance measure values for both measures. The FV measure has been used in NRC inspection prioritization work in the past.

Table 5.2. Importance Ranking of Human Errors in LaSalle PRA Model

No.  Human Error         HEP      Fussell-Vesely  Birnbaum
                                  Importance      Importance
 1   RA-8-1H             2.5E-1   1.92E-5         7.68E-5
 2   OPFAILS-REOPEN      1.0E+0   8.96E-6         8.96E-6
 3   RA-9-1H             9.3E-1   5.25E-6         5.64E-6
 4   RA-8-10H            2.0E-2   1.89E-6         9.43E-6
 5   RA-9-2H             8.7E-1   1.89E-6         2.14E-6
 6   RA-8-8H             2.7E-2   1.78E-6         6.59E-5
 7   RA-8-27H            4.5E-3   1.33E-6         2.96E-4
 8   RA-1-1-27H          2.1E-3   8.24E-7         3.92E-4
 9   RA-9-27H            4.0E-1   7.14E-7         1.79E-6
10   RA-9-8H             6.0E-1   6.22E           1 04E-6
11   OPFAILSCDS-0E-8M    3.4E-1   4.86E-7         1.43E-6
12   RA-2-11-27H         1.6E-3   3.86E-7         2.41E-4
13   RA-15-8H            4.5E-1   3.61E-7         8.02E-7
14   RA-MSLDV-1-2H       2.1E-3   3.00E-7         1.43E-4
15   RA-3-12-80M         3.5E-3   2.94E-7         8.40E-5
16   RA-15-1H            9.1E-1   2.15E-7         2.36E-7
17   CRD-REALIGN-0E      2.1E-3   1.73E-7         8.25E-5
18   RA-SeSOM            2.0E-1   1.47E-7         7.33E-7
19   OPFAIL-VENT-2H      2.1E-3   1.30E-7         6.10E-5
20   RA-8-48M            3.0E     1.11E-7         3.68E-7

Significant human errors, according to the importance measures, are mostly actions involved with the restoration of offsite AC power (e.g., RA 1H, RA-8-10H) or with returning the diesel generator to operable status (e.g., RA-9-1H, RA-9-2H) within a specified time of a loss of offsite power incident. Operator failure to reopen safety system valves (e.g., OPFAILS-REOPEN), or maintain control of a balance-of-plant system (e.g., OPFAILSCDS-0E-8M) are also important, according to the Fussell-Vesely measure. Manual actions to actuate a plant safety system or component from the control room (e.g., RA 1-27H) and having low HEP estimates are ranked as most important according to the Birnbaum measure.
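The two importance measures used for Table 5.2, the HEP-factor variation, and the fixed-recovery cases of Section 5.2.4 can all be reproduced on a small cutset model. The Python sketch below is an added illustration, not part of the report: the cutsets, event names and probabilities are constructed, and it assumes the rare-event (sum of cutset products) approximation, the standard textbook definitions of the Birnbaum and normalized Fussell-Vesely measures, and a cap of 1.0 on scaled HEPs.

```python
"""Toy cutset model: HEP-factor sensitivity and single-event importance.

Constructed example. Event names, cutsets and values are NOT LaSalle data.
"""
from math import prod

# Basic-event values: initiating-event frequencies (per reactor-year),
# hardware failure probabilities and human error probabilities (HEPs).
BASE = {
    "IE-LOOP": 1.0e-1, "IE-TT": 3.0,        # initiators (hypothetical)
    "DG-CCF": 1.0e-3, "INJ-HW": 1.0e-4,     # hardware (hypothetical)
    "PUMP-HW": 5.0e-5, "BAT-HW": 1.0e-2,    # hardware (hypothetical)
    "RA-OSP": 2.5e-1,    # recovery error with a high HEP
    "RA-INJ": 2.0e-3,    # recovery error with a low HEP
    "OP-ALIGN": 5.0e-2,  # during-accident error that is not a recovery action
}
RECOVERY = ("RA-OSP", "RA-INJ")
HUMAN = RECOVERY + ("OP-ALIGN",)

# Minimal cutsets: each one is a conjunction (AND) of basic events.
CUTSETS = (
    ("IE-LOOP", "DG-CCF", "RA-OSP"),
    ("IE-TT", "INJ-HW", "RA-INJ"),
    ("IE-TT", "PUMP-HW", "OP-ALIGN"),
    ("IE-LOOP", "BAT-HW", "OP-ALIGN", "RA-INJ"),  # two human errors
)


def cmf(values, cutsets=CUTSETS):
    """Core melt frequency by the rare-event approximation."""
    return sum(prod(values[e] for e in cs) for cs in cutsets)


def scaled(values, events, factor):
    """Copy of values with the given HEPs multiplied by factor, capped at 1."""
    out = dict(values)
    for e in events:
        out[e] = min(1.0, values[e] * factor)
    return out


def pinned(values, events, p):
    """Copy of values with the given events fixed at probability p."""
    out = dict(values)
    out.update({e: p for e in events})
    return out


def sensitivity_curve(factors, vary=HUMAN, values=BASE):
    """CMF for each multiplicative HEP factor applied to the `vary` events."""
    return {f: cmf(scaled(values, vary, f)) for f in factors}


def birnbaum(event, values=BASE):
    """CMF with the event certain minus CMF with the event impossible."""
    return cmf(pinned(values, [event], 1.0)) - cmf(pinned(values, [event], 0.0))


def fussell_vesely(event, values=BASE):
    """Fraction of CMF carried by the cutsets that contain the event."""
    total = cmf(values)
    return (total - cmf(pinned(values, [event], 0.0))) / total


def rank(measure, events=HUMAN):
    """Events ordered from most to least important under `measure`."""
    return sorted(events, key=measure, reverse=True)


def recovery_cases(factor=1.0, values=BASE):
    """CMF with recovery HEPs pinned while the other HEPs take `factor`."""
    others = [e for e in HUMAN if e not in RECOVERY]
    varied = scaled(values, others, factor)
    return {
        "no recovery": cmf(pinned(varied, RECOVERY, 1.0)),
        "base": cmf(varied),
        "near-perfect": cmf(pinned(varied, RECOVERY, 1.0e-4)),
    }


if __name__ == "__main__":
    for f, v in sensitivity_curve([1 / 10, 1, 10]).items():
        print(f"HEP factor {f:>5.2f}: CMF = {v:.3e}")
    for name in rank(fussell_vesely):
        print(f"{name:9s} FV = {fussell_vesely(name):.4f}  "
              f"Birnbaum = {birnbaum(name):.2e}")
    print(recovery_cases())
```

On this constructed model the high-HEP recovery error leads the Fussell-Vesely ranking while the low-HEP recovery error leads the Birnbaum ranking, and pinning recovery errors at 1.0 raises CMF by a larger factor than pinning them at 0.0001 lowers it.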

6. SUMMARY OF RESULTS AND INSIGHTS

This section summarizes the results of the various sensitivity evaluations that were performed and provides insights derived from these studies. A top level comparison is also provided between the three studies that have been completed: Surry, Oconee, and LaSalle. A detailed comparison and analysis of differences between the Oconee and LaSalle results will be performed in a follow-up study.

The results discussed below are based on a variation of the PRA human error probabilities (HEPs) over their subjectively derived ranges. For the different groups of human errors in LaSalle, the lower and upper limit of the ranges were determined to be factors of 15 to 29, based on various uncertainties and inherent human performance variability. As the HEPs are varied over their ranges, the effect on risk, as measured by overall core melt frequency (CMF) and individual accident sequence frequency (ASF), was determined.

6.1 Overall Sensitivity of CMF

As shown previously in Figure 5.1, the LaSalle CMF varies by a factor of 35 times as all of the HEPs vary over their full range. This consists of a factor of 3.5 decrease as HEPs are decreased below their base case values and a factor of 10 increase as HEPs are increased above their base case values. A large portion of these changes occur as HEPs are varied within a factor of 5 increase or decrease from their base case values. These results show that risk is generally quite sensitive to human performance. As noted in Section 4, the range over which the HEPs are varied is due to several factors, including innate human variability and uncertainty in the HRA. Since much of the range over which the HEPs were varied is due to uncertainty in the HEPs rather than actual human performance variability, more effort in improving human reliability analyses (HRA) techniques would appear beneficial. Additionally, if one assumes that the current HEP estimates are reasonably accurate, there is a large risk incentive to ensuring that human performance does not degrade below that assumed in the PRA and a smaller but noticeable risk incentive for improving human performance beyond that assumed in the PRA.

These general overall conclusions are similar to those drawn from the earlier Surry and Oconee studies. By way of comparison, Table 6.1 below shows the overall core melt sensitivities for the three studies. One should note that the ranges over which the HEPs are varied were similar but not precisely the same. Column one illustrates the factor by which CMF changes as all the HEPs are varied simultaneously over their full range, from lower bound to upper bound. This corresponds to an approximate increase in HEPs by about 25 times to their upper bound and a corresponding decrease in HEPs by 25 times to their lower bound. Column two shows how much CMF increases even for the relatively modest increase in HEPs by a factor of 10 times. This also removes the effect of different ranges for the various categories of human errors, since all range factors were greater than 10 times. Column three shows how much CMF decreases as HEPs are decreased by a factor of ten times.

Table 6.1. Factors by Which CMF Changes with Changes in HEPs

PRA       Full Range       Increase HEPs   Decrease in HEPs
          of Sensitivity   by 10 times     by 10 Times
LaSalle   35               5.3             3 . P.
Surry     40               6               1.7
Oconee    10,000           150             25

As will be seen below, some specific areas (or categories) of human performance are more sensitive than others and hence would provide a more fertile area for improvement either in HRA or in actual performance.

Regarding the large differences in sensitivity among the three plants analyzed, it is believed that a number of factors are at work. A detailed comparison between Surry and Oconee was performed in NUREG/CR-5319, and a comparison between LaSalle and Oconee will be performed as a follow-up to this study. Among those factors that possibly contribute to the overall sensitivity differences are: HRA modelling differences, plant design differences (BWR versus PWR, B&W versus Westinghouse, and plant-specific features), and overall PRA modelling issues such as cutset truncation, fault tree modelling, and assumptions. Some specific important issues, associated with differences between the studies, and which were identified to date, are:

1) The Oconee PRA modelled notably more uniquely identified human errors (HEs) than Surry or LaSalle. This resulted in the accident sequences containing more cutsets with double, triple, and even quadruple human errors, which, in turn, created increased sensitivity to human error.

2) The Surry HE model contained primarily pre-accident errors and not recovery errors, the LaSalle model contained primarily during-accident errors (many of which were recovery errors), and Oconee contained a large number of both types of HEs.

3) The Oconee plant is a B&W designed PWR with two dominant sequences in its PRA that are particularly sensitive to human errors; namely, Loss of Instrument Air and Loss of Service Water. These sequences are not important in Surry or LaSalle.

6.2 Sensitivity of Various Categories of HEs

This section summarizes the important results from the sensitivity analyses performed on the various categories of human errors (HEs).

6.2.1 Importance of During-Accident Errors

Human errors were categorized by the timing of the error as either pre-accident or during-accident. 95% of the LaSalle errors were during-accident. Some reasons for this distribution of errors are that the large majority of pre-accident errors were eliminated in the early PRA stages through analysis, screening, or truncation (see discussion in Appendix B). The sensitivity analyses (Figure 5.7) show that the large majority of CMF sensitivity is due to the during-accident errors. While little can be concluded from this study about the pre-accident errors due to their absence, one can comment on the "during" errors. During-accident errors in LaSalle consist of both failure of operators to perform procedurally required actions and failure of operators or maintenance personnel to recover failed components or systems. As with Oconee, changes in the during-accident HEPs resulted in notable changes in CMF. As noted previously, the range over which the HEPs are varied is due to both human variability and uncertainty in the HRA. Thus, more detailed analyses to better define these HEPs would appear worthwhile. Also, since there is sensitivity in both the increase and decrease direction, reasonable actions to maintain or improve operator performance in these areas also appear worthwhile.

6.2.2 Action Type

The human errors were coded for action type into manual actions (69%), manual backup actions in response to an automatic actuation failure (24%), and manual override of an automatic feature (7%). The 69% manual actions were further subdivided into ultimate or high consequence actions (13%) associated with containment venting or standby liquid control and non-ultimate manual actions (56%). The purpose of this category (ActionType) was to determine if specific types of operator actions were particularly important to risk. As shown in Figures 5.8 and 5.9, the majority of risk sensitivity comes from the non-ultimate manual actions. These non-ultimate manual actions are primarily procedurally defined operator actions and other recovery actions. The curves show that risk is not sensitive to HEs of the type associated with manual backup, manual override, or ultimate actions.
It is important to note that for the LaSalle PRA, the defined ultimate actions are only those associated with Standby Liquid Control and containment venting. These sensitivity results are notable since they identify particular areas that do not appear to need increased emphasis. For example, although there is not complete agreement within the PRA community as to the correct HEP values for ultimate actions, this analysis shows that for LaSalle, the precise values are not particularly important to the overall risk conclusions. As noted in Section 5, however, there are some plant and PRA specific aspects of the ultimate actions associated with venting that do not allow generalization.

6.2.3 Simulator Modelling and Sensitivity Groups

For purposes of defining the ranges over which the HEPs were to be varied, the human errors were placed into six groups. These groups are summarized in Table 6.2.

The sensitivity analysis results for each group are shown in Figure 5.13, with Group 5 being the most dominant. Most of the errors in Group 5 are associated with recovery from a loss of offsite power. These errors were not modeled in the simulator runs performed for the HRA portion of the LaSalle PRA. The sensitivity results for simulator (Groups 1, 2, and 3) versus non-simulator (Groups 4, 5, and 6) errors show, in Figure 5.11, that the non-simulator errors are most dominant, even though they only constitute 30% of the errors. As just mentioned, this dominance comes from the Group 5 errors. There is also some moderate sensitivity to simulator errors from Groups 2 and 3.

Table 6.2. Summary of Human Error Groups for LaSalle PRA

Sensitivity                                                       Number of
Group Number   Description                                        Errors
1              During-Accident, High Consequence
               (Ultimate Action) Simulator Errors                 11
2              During-Accident, Specific Simulator Errors         28
3              During-Accident, Generic Simulator Errors          19
4              Pre-Accident, Non-simulator Errors                 4
5              During-Accident, Non-simulator Operations Errors   11
6              During-Accident, Non-simulator Repair Errors       10

This information shows that further HE modelling and/or operator performance improvements in the area of recovery of offsite power would potentially be beneficial. Modelling for these errors will not be appreciably aided by control room simulator studies. Also, training for these actions needs to include several types of operators and must address actions both inside and outside the control room. As a result, emergency drills which include control room and auxiliary operators appear beneficial. Part of the reason for the importance of these particular types of errors is no doubt the fact that loss of offsite power (LOOP) is the dominant sequence at LaSalle. The earlier Oconee study also found that human errors in the two dominant sequences (transients but not LOOP) were overall very important to total core melt frequency sensitivity.

6.2.4 Operator Type

As shown in Figure 3.3, 95% of all LaSalle Human Errors (HEs) are the prime responsibility of the Reactor Operators (ROs). These are further broken down as follows: 40% are HEs by the RO only, 42% have a dual responsibility by the RO and a non-licensed operator (NL), and 13% also bring in some maintenance responsibility (RO/NL/MT).
The RO/NL errors are more complex and generally involve activities directed from the main control room, but consisting of both control room and outside control room manipulations, such as recovery of offsite power or recovery of a failed system or component. These errors also require coordination and communication between the different operators within the shift to successfully accomplish the action. The RO/NL/MT are the diesel generator emergency repair errors. These repairs would be directed by the RO and performed in the field by the NLs and/or by maintenance (MT) personnel.

Figure 5.10 shows that the majority of risk sensitivity is due to the shared responsibility RO/NL errors. This points out the importance of the non-licensed operators and the importance of good communications among the operations shift team. A similar general conclusion about the importance of the non-licensed operators and good teamwork was made for Oconee, even though the specific errors and sequences that were dominant were quite different. Since these errors are somewhat complex, they are likely difficult to model and to properly train operators to respond to them. This illustrates the importance of training for these team skills during emergency preparedness exercises or on emergency operating procedures.

Figure 5.10 also shows some sensitivity of CMF to the RO only type errors. These are errors confined to the main control room and involve only the reactor operator. These are also the errors which are easier to train for and model on a simulator.

6.2.5 Recovery Action Sensitivity

The impact of varying the probability of successful recovery actions (RA) is shown in Figure 5.30. Although the precise definition of what constitutes a recovery action is not consistent between plant PRAs, generally they are similar to that used in LaSalle. In LaSalle, they are actions taken by the operators during an accident sequence to recover failed equipment or systems, for which credit was not taken during the initial first cut PRA analysis. This definition is quite similar to that used in the Oconee PRA.

This study analyzed the risk sensitivity of recovery actions by assuming no recovery and "perfect" recovery. Figure 5.30 shows that CMF increases significantly (over 100 times) under the no recovery assumption and decreases only slightly under the "perfect" recovery assumption. The assumption of no recovery is unrealistic and goes beyond our HEP upper bounds.
However, it does illustrate that significant degradations in an operating staff's capability to recover during accident situations can very significantly impact plant risk, and reinforces the concept that effective accident management (e.g., procedures, training, organization, and management) can limit risk.

6.3 Individual Accident Sequence Sensitivity

Sensitivity of accident sequence types to human errors was analyzed in this study and the Oconee study (NUREG/CR-5319). An accident sequence type is defined by a group of individual accident sequences that largely are driven by the same accident initiator (e.g., loss of offsite power). Here, general observations on the influence of human errors in LaSalle accident sequence types are made.

As noted in section 5.2.3, the sequences which comprise 99% of the internal event core melt frequency are grouped into transients, transient-induced LOCAs, small LOCAs, and anticipated transients without scram (ATWS). The transient class of sequences is by far the most dominant, with the top three sequences (two loss of offsite power and one turbine trip sequence) contributing 98% to overall core melt frequency.

When each of the three dominant accident sequences was analyzed by varying the HEPs over their range, they were found to be quite sensitive both to an increase and a decrease in HEPs. Although the other types of sequences (beyond transients) were not a significant contributor to base case CMF, they were also analyzed via sensitivity analyses. The transient-induced LOCAs and the ATWS sequences were found to be also quite sensitive to changes in HEPs, while the small LOCA sequences were relatively insensitive. This information is illustrated in Figures 5.5 and 5.6. These results are reasonable (and similar to that found in the Oconee study) since the transient-initiated sequences have significant human roles and interactions as compared with the LOCA sequences.

One point is worthy of note regarding the less dominant sequences. In the base case, the most dominant ATWS sequence (A49) only constitutes 0.1% of total CMF. However, this sequence is quite sensitive to human error. If the human errors in only this sequence were increased to their upper bound, then the contribution of the sequence to total CMF would increase to about 2%. Thus, we see that initially insignificant sequences can increase to where they have a measurable impact on risk as human performance degrades.

As all HEPs were varied over their range, the various accident sequences change by different amounts, since they are not uniformly sensitive to human performance. Figures 5.3 and 5.4 show how the relative contribution of the various accident sequence types varied over the HEP range. As HEPs increase, the Loss of Offsite Power (LOOP) sequences increase noticeably in their percent contribution from 75% to 92%. As this occurs, the relative contribution of turbine trip (TT) and transient-induced LOCAs decreases. Conversely, as HEPs decrease below their base case value, the LOOP sequences decrease somewhat (75% to 32%), while the turbine trip and transient-induced LOCA sequences increase in their relative contribution. Overall, throughout the full range of HEPs, the transient sequences (LOOP, TT, Loss of Feedwater and Loss of AC Power) remain the most dominant.

In addition to the analyses on accident sequence frequency with variation of all HEPs over their range, separate analyses by category of human error were run for the dominant accident sequences of each type in Section 5.2.3. These analyses illustrated that individual sequences are not always driven by the same types of errors or human performance characteristics as is the overall CMF.

7. REFERENCES

1) P.K. Samanta, R.E. Hall, and A. Swoboda, "Sensitivity of Risk Parameters to Human Errors in Reactor Safety Study for a PWR," NUREG/CR-1879, Brookhaven National Laboratory, June 1981.
2) P.K. Samanta and S.M. Wong et al., "Risk Sensitivity to Human Errors," NUREG/CR-5319, Brookhaven National Laboratory, April 1989.
3) P.K. Samanta and S.M. Wong et al., "A Risk Methodology to Evaluate Sensitivity of Plant Risk to Human Errors," Proceedings of the 1988 IEEE Fourth Conference on Human Factors and Power Plants, Monterey, California, June 1988.
4) S.M. Wong, R. Youngblood, and S. Haber, "Performing Sensitivity Evaluations of Plant Risk Using Interactive PC-Based Programs," PSA '89 International Topical Meeting on Probability, Reliability and Safety Assessment, Pittsburgh, Pennsylvania, April 1989.
5) A.D. Swain, "Draft 2 of ASEP HRA Procedure for Pre-Accident Tasks," Sandia National Laboratories, August 1985.
6) A.D. Swain, "Draft 2 of ASEP HRA Procedure for Post-Accident Tasks," Sandia National Laboratories, September 1985.
7) V.M. Andersen and E.T. Burns, "Human Error Probability Models in the BWR Individual Plant Evaluation Methodology," Proceedings of the 1988 IEEE Fourth Conference on Human Factors and Power Plants, Monterey, California, June 1988.
8) L.M. Weston, D.W. Whitehead, and N.L. Graves, "Recovery Actions in PRA for the Risk Methods Integration and Evaluation Program (RMIEP)," Volume 1, NUREG/CR-4834, Sandia National Laboratories, June 1987.
9) D.W. Whitehead, "Recovery Actions in PRA for the Risk Methods Integration and Evaluation Program (RMIEP)," Volume 2, NUREG/CR-4834, Sandia National Laboratories, December 1987.
10) "PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants," NUREG/CR-2300, January 1983.
11) NSAC-60, "Oconee PRA: A Probabilistic Risk Assessment of Oconee Unit-3," NSAC-EPRI, June 1984.
12) A.D. Swain and H.E. Guttmann, "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications," NUREG/CR-1278, October 1983.
13) WASH-1400, "Reactor Safety Study (RSS), An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," 1975.
14) Letters from Sandia National Laboratory to Brookhaven National Laboratory dated June 17, 1988, July 22, 1988, August 10, 1988, and August 24, 1988, transmitting LaSalle PRA data.

APPENDIX A

DETAILS OF HUMAN ERROR CATEGORIZATION

This appendix provides documentation for the application (or encoding) of the various categories to the human errors identified in the LaSalle plant risk model. Each of the 14 categories is discussed, with at least one example from the LaSalle human error database used in the sensitivity evaluations. The coding scheme for encoding the human errors under the various categories is shown on Table A.1. The categorical definitions pertinent to sensitivity evaluation for the various human error categories are summarized on Table A.2.

A.1 Human Error Categories

1) TIMING - This category indicates the timing of the human event in chronological relationship to that of the accident initiating event or transient. A human event which is categorized as "Pre-initiator" (P) is one that occurs before, while one which occurs during (or after) an accident-related initiating event or transient is categorized as "During (or after) Initiator" (D). RHRC003B-RUM-1 is an event involving failure to restore a valve following test or maintenance and as a result, is designated here as having a TIMING code of "P."

2) SYSTEM - The SYSTEM category identifies the LaSalle plant system associated with the PRA human event. Table D.2 in Appendix D gives a complete listing of all the LaSalle systems identified by BNL as appropriate for one (or more) LaSalle PRA-related human events. Using the example of RHRC003B-RUM-1, the system associated with this human error is identified as "RHR," the Residual Heat Removal system.

3) COMPONENT - This category indicates the LaSalle plant component (or "subcomponent unit") associated with the human event. For the RHRC003B-RUM-1 example, the appropriate component is "XV," a valve locally controlled by hand. If a human event deals with multiple components of different types, then it is coded with an "S" for system.

4) PERSONNEL - The PERSONNEL category identifies the type of individual most responsible for the human event. The following is a complete listing of all PERSONNEL code entries developed by BNL for the LaSalle PRA-related human event:

Personnel     Description
RO            (Licensed) Reactor Operator
NLO (or NL)   Non-licensed Operator (Equipment or Auxiliary Operator)
ICT           Instrumentation and Control Technician
RO/NL         Event involves both ROs and NLOs with the ROs assumed to be more responsible than the NLOs
RO/NL/MT      Event involves a RO, a NLO, and a Maintenance Technician (MT) with the RO having primary responsibility

Table A.1. Coding Scheme for Categorizing Human Errors in LaSalle PRA

Category          Codes for Each Category
1) TIMING         Pre-Initiator (P), During (or After) Initiator (D)
2) SYSTEM         ACPS, CI, CRD, PCS, RCIC, RECIR, RHR, RPS, RWCU, SLCS, G (Generic System Actuation)
3) COMPONENT      CB, DG, FUSE, PMP, PMP TD, SEAL, SWTCH, VLVS, XV, S, etc.
4) PERSONNEL      Licensed Reactor Operator (RO), Non-licensed Operator (NLO or NL), Maintenance Technician (MT), Instrumentation and Control Technician (ICT)
5) OMCOM          Omission (OM), Commission (COM)
6) LOCATION       Control Room (CR), Outside Control Room (OCR)
7) ACTIONTYPE     Manual Action (M), Manual Backup (MB), Manual Override (MO)
8) ACTIVITY       Operations (Ops), Restoration from Test or Maintenance (T/M/R), Emergency Repair (E/R)
9) OTHERINF       8, 10, 27 hours, etc.
10) NRCPGM        OPS, P, TR, etc. (NRC Program Relationships)
11) SIMULATOR     True (T) - Simulator-based HEP, False (F) - Non-simulator-based HEP
12) GROUP NO.     Groups 1, 2, ... 12 (1, 2, ... 12)
13) GENERIC       True (T) - Generic Human Error, False (F) - Specific Human Error
14) SENSIGROUP    Sensitivity Groups 1, 2, 3, 4, 5, 6 (1, 2, 3, 4, 5, 6)

Table A.2. Human Error Event Categorical Definitions Pertinent to Sensitivity Evaluation

Category      Definition
TIMING        Indicates the timing of the human event relative to the accident initiating event or transient
SYSTEM        Identifies the system where the human event occurs
COMPONENT     Indicates the plant component involved in human error occurrence
PERSONNEL     Identifies the individual(s) responsible for the event's occurrence
OMCOM         Indicates whether the human event is an error of omission or an error of commission
LOCATION      Identifies where the personnel most responsible for the human event is located
ACTIONTYPE    Indicates the type of operator action involved in the human event
ACTIVITY      Indicates the type of nuclear power plant activity that relates to the human event
OTHERINF      Indicates the maximum time available for operator response before the onset of severe accident consequences
NRCPGM        Lists NRC Inspection areas which have the potential for detecting the human error event's occurrence
SIMULATOR     Indicates whether the human error probability estimate of the human event was based on simulator data
GROUP NO.     Identifies the groups of similar actions by operating staff in simulator exercises
GENERIC       Indicates whether the human event was related to a specific plant system or component
SENSIGROUP    Identifies the groups of human events for sensitivity evaluation with each group having a common error factor profile

Again, using RHRC003B-RUM-1 as a LaSalle PRA-related human event, the associated PERSONNEL category code of "NL" was used.

5) OMCOM - This category identifies human errors of omission (OM) or commission (COM). As used here, acts of omission involve actions which were expected to be accomplished, but were not even attempted (therefore, not completed). In other words, an act of omission is the failure to attempt to perform a desired action. Conversely, an act of commission involves the completion of an improper action, or an unsuccessful attempt to perform a desired action (or series of associated actions) to achieve a specific goal. In the LaSalle human error database, all human errors found in the significant cutsets were categorized as omission errors (OM).

6) LOCATION - This category identifies where the person considered most responsible for the human event (and its possible error) is located, that is, either in the LaSalle Control Room (CR) or Outside the Control Room (OCR). The CROCR LOCATION coding indicates that there is sufficient uncertainty as to where the personnel considered most responsible for the human event are located. The CROCR coding also included events that had multiple actions inside and outside the CR. The example RHRC003B-RUM-1 has a LOCATION category code of "OCR."

7) ACTIONTYPE - This category indicates the type of operator action involved in the human event. The "M" coding indicates a manual action with or without backup automatic actuation, "MB" refers to a manual backup action in response to an automatic actuation failure, and "MO" indicates a manual override which defeats automatic actuation of a plant system or component. The RHRC003B-RUM-1 example has an ACTIONTYPE category code of "M."

8) ACTIVITY - The ACTIVITY category indicates the type of activity being (or that should be) performed during the human event. The following is a complete listing of all code entries developed by BNL for the ACTIVITY category: "Operations" (Ops), "Restoration from Test or Maintenance" (T/M/R), and "Emergency Repair" (E/R). These codes can occur in combination. The ACTIVITY code for the RHRC003B-RUM-1 example is "T/M/R." Like all PRAs to date, the maintenance-related human errors explicitly modelled in the LaSalle PRA are the errors of failure to properly restore components to their normal operational status after maintenance. The failure to properly restore valves that is common at NPPs is considered the primary responsibility of the operations department. This responsibility may fall on the RO or NLO, depending on the location of the valve. Also, maintenance personnel often have a secondary responsibility. Errors committed during maintenance, which would cause equipment to fail later, when required to operate, are only included implicitly in the data on hardware failure rates.

9) OTHERINF - The OTHERINF category indicates the maximum time available for operator response before the onset of severe accident consequences. This category defines clusters of "During Accident" human errors with the same available time for response. For example, RA-1-1-10H was coded as "10 hours."

10) NRCPGM - This category provides information about which NRC Inspection Program was judged to affect the human event failure probability or HEP. An attempt was made to list all those NRC inspection programs which could have an effect, and then code the error with those that apply. The codes are listed below. The secondary code was assigned with the primary, where appropriate.

NRC PGM CODE   DESCRIPTION
Primary
ST             Surveillance Testing
C              Calibration
M              Maintenance
TR             Training
Q              Quality Assurance
OPS            Operations
OPP            Operations Policy
SW             System Walkdown
Secondary
P              Procedures
O              Observation

For the example of RHRC003B-RUM-1, the NRC PGM codes are OPS (P) and SW. This means that NRC inspections in the operations procedures area and in the system walkdown area could help to lower the HEP. The implicit assumption is made that increased NRC inspection would result in increased attention by the utility and hence, improvements. This code was used to determine those areas which could affect risk; the results should not be used quantitatively, since the magnitude of improvement in HEP from NRC inspections is extremely variable.

11) SIMULATOR - This category indicates whether the human error probability estimate of the human event was based on simulator data. This code identifies human errors with simulator-derived HEPs by a "T" if true, and human errors with non-simulator-based HEPs by a "F" if false. The SIMULATOR category code for the RHRC003B-RUM-1 example is "F."

12) GROUP NO. - This category identifies the groups of similar actions by the operating staff tested in simulator exercises. For example, RA-1 10H falls in Group One as it relates to manual operation of a plant system from the control room during the course of an accident.

13) GENERIC - The GENERIC category indicates whether the human event was related to a specific plant system or component. This code identifies human errors with no identifiable plant system/component by a "T" if true, and human errors associated with plant-specific systems/components by a "F" (false). For the RHRC003B-RUM-1 example, the category code is "F."

14) SENSIGROUP - This category identifies the groups of human events for sensitivity evaluation with each group having a common error factor profile. Each of the sensitivity groups is defined by characteristics of the other categories. Sensitivity group ONE indicates that the error is a during-accident, specific error of operations with "high" consequences associated with it. Sensitivity group TWO indicates that the error is a during-accident, specific error of operations with "normal" consequences associated with it. Sensitivity group THREE indicates that the error is a during-accident, generic error of operations, while sensitivity group FOUR defines pre-accident, specific errors in restoration of plant equipment after test/maintenance. Sensitivity group FIVE indicates that the error is a during-accident, specific error of operations with non-simulator-based HEPs, and finally, sensitivity group SIX indicates a during-accident, specific error of emergency repair of diesel generators. For the RHRC003B-RUM-1 example, the code is "4," indicating a sensitivity group FOUR error.

A.2 Human Error Categorization

Table A.3 shows a listing of the LaSalle human errors and their categorization under the various categories. For each listed human error, the base case human error probability (HEP), as used in the LaSalle PRA, along with the upper bound (high HEP) and lower bound (low HEP) values are provided. The base case HEP may be a mean, a median, or a synthesis value. The upper and lower bounds of the HEPs were developed from the median in accordance with the range methodology discussed in Section 4 and Appendix E. Therefore, when means were provided as base case values, it was necessary to calculate the median value before calculating the upper and lower bounds. Table A.4 provides a short description of each error. Comments on the task reports by SNL, subsequent to the completion of the analyses, indicate that one error (RLOSP) is not legitimately considered to be a human error. Any changes from this one error were judged not to be significant.
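The coding scheme of Section A.1 can be checked mechanically. The following added example (not code from the report) validates a record against the Table A.1 code sets and re-derives SENSIGROUP from the other categories as item 14 describes. The record layout, the `consequence` argument, and the treatment of groups ONE and TWO as simulator-based are assumptions of this example; the second record is constructed.

```python
# Added example: consistency check for the Appendix A human-error coding scheme.
# Code sets come from Table A.1 and the A.1 text; COMPONENT is not checked
# because Table A.1 ends its code list with "etc.".
ALLOWED = {
    "TIMING": {"P", "D"},
    "SYSTEM": {"ACPS", "CI", "CRD", "PCS", "RCIC", "RECIR", "RHR", "RPS",
               "RWCU", "SLCS", "G"},
    "PERSONNEL": {"RO", "NLO", "NL", "MT", "ICT", "RO/NL", "RO/NL/MT"},
    "OMCOM": {"OM", "COM"},
    "LOCATION": {"CR", "OCR", "CROCR"},
    "ACTIONTYPE": {"M", "MB", "MO"},
    "SIMULATOR": {"T", "F"},
    "GENERIC": {"T", "F"},
    "SENSIGROUP": {1, 2, 3, 4, 5, 6},
}
ACTIVITY_CODES = {"Ops", "T/M/R", "E/R"}      # may occur in combination
NRCPGM_PRIMARY = {"ST", "C", "M", "TR", "Q", "OPS", "OPP", "SW"}
NRCPGM_SECONDARY = {"P", "O", None}           # None = no secondary code


def validate(rec):
    """Return a list of fields whose codes are not in the coding scheme."""
    errors = []
    for field, allowed in ALLOWED.items():
        if rec.get(field) not in allowed:
            errors.append(f"{field}: invalid code {rec.get(field)!r}")
    acts = set(rec.get("ACTIVITY", ()))
    if not acts or not acts <= ACTIVITY_CODES:
        errors.append(f"ACTIVITY: invalid code(s) {sorted(acts)!r}")
    for primary, secondary in rec.get("NRCPGM", ()):
        if primary not in NRCPGM_PRIMARY or secondary not in NRCPGM_SECONDARY:
            errors.append(f"NRCPGM: invalid code {primary!r} ({secondary!r})")
    return errors


def derive_sensigroup(rec, consequence="normal"):
    """Re-derive the sensitivity group from the other categories (item 14).

    `consequence` ("high" or "normal") is not one of the 14 categories; it is
    a hypothetical input needed to separate groups ONE and TWO.
    Returns None when no group definition matches.
    """
    acts = set(rec.get("ACTIVITY", ()))
    specific = rec.get("GENERIC") == "F"
    if rec.get("TIMING") == "P":
        return 4 if specific and "T/M/R" in acts else None
    if rec.get("TIMING") != "D":
        return None
    if "E/R" in acts and specific and rec.get("COMPONENT") == "DG":
        return 6
    if "Ops" in acts:
        if not specific:
            return 3
        if rec.get("SIMULATOR") == "F":
            return 5
        # Assumption: groups ONE and TWO hold the simulator-based HEPs.
        return 1 if consequence == "high" else 2
    return None


def check(rec, consequence="normal"):
    """Code-set validation plus a coded-versus-derived SENSIGROUP comparison."""
    errors = validate(rec)
    derived = derive_sensigroup(rec, consequence)
    if derived != rec.get("SENSIGROUP"):
        errors.append(
            f"SENSIGROUP: coded {rec.get('SENSIGROUP')!r}, derived {derived!r}")
    return errors


# Codes for RHRC003B-RUM-1 as stated in Section A.1 (OTHERINF and GROUP NO.
# are not given in the text for this event and are omitted).
RHRC003B_RUM_1 = {
    "TIMING": "P", "SYSTEM": "RHR", "COMPONENT": "XV", "PERSONNEL": "NL",
    "OMCOM": "OM", "LOCATION": "OCR", "ACTIONTYPE": "M",
    "ACTIVITY": ("T/M/R",), "NRCPGM": [("OPS", "P"), ("SW", None)],
    "SIMULATOR": "F", "GENERIC": "F", "SENSIGROUP": 4,
}

# Constructed record with two transcription slips: a zero in "0CR" and a
# TIMING code that contradicts the coded sensitivity group.
CONSTRUCTED_BAD = dict(RHRC003B_RUM_1, TIMING="D", LOCATION="0CR")

if __name__ == "__main__":
    print(check(RHRC003B_RUM_1))
    for problem in check(CONSTRUCTED_BAD):
        print(problem)
```
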


Table A.4. Description of Human Errors in LaSalle Plant Risk Model

ERRORS IN GROUP 1 FOR PURPOSES OF SENSITIVITY ANALYSIS

OPFAIL SLCOX 33M    *OPERATORS FAIL TO START STANDBY LIQUID CONTROL SYSTEM IN 33 MINUTES (RECOVERY)
OPFAIL SLCOX 56M    OPERATORS FAIL TO START STANDBY LIQUID CONTROL SYSTEM IN 56 MINUTES (RECOVERY)
OPFAIL-SLCOX 5H     *OPERATORS FAIL TO START STANDBY LIQUID CONTROL SYSTEM IN 5 HOURS (RECOVERY)
OPFAIL SLC1B 56M    OPERATORS FAIL TO START SECOND STANDBY LIQUID CONTROL PUMP IN 56 MINUTES GIVEN FIRST PUMP FAILED (RECOVERY)
OPFAIL SLC1B 5H     *OPERATORS FAIL TO START SECOND STANDBY LIQUID CONTROL PUMP IN 5 HOURS GIVEN FIRST PUMP FAILED (RECOVERY)
OPFAIL VENT 20M     OPERATORS FAIL TO VENT IN 20 MINUTES (RECOVERY)
OPFAIL VENT 2H      OPERATORS FAIL TO VENT IN 2 HOURS (RECOVERY)
OPFAIL VENT 4H      OPERATORS FAIL TO VENT IN 4 HOURS (RECOVERY)
OPFAIL VENT-6H      OPERATORS FAIL TO VENT IN 6 HOURS (RECOVERY)
RA 5V-1-2H          OPERATORS FAIL TO VENT WITHIN 2 HOURS THROUGH ALTERNATE VENT PATH (RECOVERY)
RA 5V 1-6H          *OPERATORS FAIL TO VENT WITHIN 6 HOURS THROUGH ALTERNATE VENT PATH (RECOVERY)

ERRORS IN GROUP 2 FOR PURPOSES OF SENSITIVITY ANALYSIS

CRD REALIGN 0E      OPERATORS FAIL TO REALIGN THE CRD SYSTEM (2 PUMPS AVAILABLE) IN X HOURS (RECOVERY)
CRD1-REALIGN 0E     OPERATORS FAIL TO REALIGN THE CRD SYSTEM (1 PUMP AVAILABLE) IN X HOURS (RECOVERY)
MFS RESET-33M       *OPERATORS FAIL TO RESET MFW TRIP IN 33 MINUTES (RECOVERY)
MFS RESET 56M       *OPERATORS FAIL TO RESET MFW TRIP IN 56 MINUTES (RECOVERY)
MFS RESET-5H        *OPERATORS FAIL TO RESET MFW TRIP IN 5 HOURS (RECOVERY)
MFS RESET-0E-27H    OPERATORS FAIL TO RESET MFW TRIP IN 27 HOURS (RECOVERY)
MODESWTCH 0E-56M    *OPERATORS FAIL TO CHANGE MODE SWITCH FROM RUN TO SHUTDOWN IN 56 MINUTES (RECOVERY)
MODESWTCH 0E 5H     *OPERATORS FAIL TO CHANGE MODE SWITCH FROM RUN TO SHUTDOWN IN 5 HOURS (RECOVERY)
OP F INITCSS 5H     *OPERATORS FAIL TO INITIATE CONTAINMENT SPRAY SYSTEM IN 5 HOURS (RECOVERY)
OP F INITSPC 5H     *OPERATORS FAIL TO INITIATE SUPPRESSION POOL COOLING IN 5 HOURS (RECOVERY)
OPFAIL REOPN 1H     OPERATORS FAIL TO REOPEN RCIC F063 VALVE IN ONE HOUR (RECOVERY)
OPFAIL REOPN 20M    OPERATORS FAIL TO OPEN RCIC F063 VALVE IN 20 MINUTES (RECOVERY)
OPFAILS REOPEN      OPERATORS FAIL TO REOPEN RCIC F063 VALVE (RECOVERY)
OPFAILSCDS 0E 8M    OPERATORS FAIL TO CONTROL CONDENSATE SYSTEM IN 8 MINUTES (RECOVERY)
RA 3 12 2H          OPERATORS FAIL TO OPEN RCIC ISOLATION VALVE(S) WITHIN TWO HOURS GIVEN RCIC ROOM ISOLATION (RECOVERY)
RA 3 12 68M         OPERATORS FAIL TO OPEN RCIC ISOLATION VALVE(S) WITHIN 68 MINUTES GIVEN RCIC ROOM ISOLATION (RECOVERY)
RA 3 12 80M         OPERATORS FAIL TO OPEN RCIC ISOLATION VALVE(S) WITHIN 80 MINUTES GIVEN RCIC ROOM ISOLATION (RECOVERY)
RA 7 1-27H          OPERATORS FAIL TO LOCALLY OPEN WITHIN 27 HOURS A MANUAL VALVE CLOSED DUE TO UNSCHEDULED MAINTENANCE ON RHR PUMP C003B. RESTORES HEAT REMOVAL (RECOVERY)
RA 7 3-10H          OPERATORS FAIL TO LOCALLY OPEN WITHIN 10 HOURS A MANUAL VALVE CLOSED DUE TO UNSCHEDULED MAINTENANCE ON RHR PUMP C003B. RESTORES INJECTION (RECOVERY)
RA 7 3 8H           OPERATORS FAIL TO LOCALLY OPEN WITHIN 8 HOURS A MANUAL VALVE CLOSED DUE TO UNSCHEDULED MAINTENANCE ON RHR PUMP C003B. RESTORES INJECTION (RECOVERY)
RA ATW 11-11-30M    OPERATORS FAIL TO CLOSE SBLC F016 OR F017 VALVE WITHIN 30 MINUTES AFTER THE OCCURRENCE OF AN ATWS, GIVEN THE FAILURE TO CLOSE THE VALVES FOLLOWING A PREVIOUS TEST ON THE SBLC SYSTEM (RECOVERY)
RA ATWS 12 3 10M    OPERATORS FAIL TO LOCALLY CLOSE RWCU VALVE F004 WITHIN 10 MINUTES AFTER THE OCCURRENCE OF AN ATWS (RECOVERY)
RA MSLDV 1-2H       *OPERATOR FAILS TO USE MAIN STEAM LINE DRAIN VALVE IN 2 HOURS (RECOVERY) description inferred from code
TDRFP T 0E 15H      OPERATORS FAIL TO TRIP TURBINE DRIVEN REACTOR FEEDWATER PUMPS WITHIN 15 HOURS. PROHIBITS MOTOR DRIVEN FEEDWATER PUMP FROM AUTO STARTING (RECOVERY)
TDRFP T 0E 27H      OPERATORS FAIL TO TRIP TURBINE DRIVEN REACTOR FEEDWATER PUMPS WITHIN 27 HOURS. PROHIBITS MOTOR DRIVEN FEEDWATER PUMP FROM AUTO STARTING (RECOVERY)
TDRFP T 0E 33M      *OPERATORS FAIL TO TRIP TURBINE DRIVEN REACTOR FEEDWATER PUMPS WITHIN 33 MINUTES. PROHIBITS MOTOR DRIVEN FEEDWATER PUMP FROM AUTO STARTING (RECOVERY)
TDRFP T-0E 56M      *OPERATORS FAIL TO TRIP TURBINE DRIVEN REACTOR FEEDWATER PUMPS WITHIN 56 MINUTES. PROHIBITS MOTOR DRIVEN FEEDWATER PUMP FROM AUTO STARTING (RECOVERY)
TDRFP T-0E 5H       *OPERATORS FAIL TO TRIP TURBINE DRIVEN REACTOR FEEDWATER PUMPS WITHIN 5 HOURS. PROHIBITS MOTOR DRIVEN FEEDWATER PUMP FROM AUTO STARTING (RECOVERY)

ERRORS IN GROUP 3 FOR PURPOSES OF SENSITIVITY ANALYSIS

RA 1 1 10H          FAILURE OF MANUAL OPERATION WITHIN 10 HOURS OF A SYSTEM OR COMPONENT FROM THE CONTROL ROOM THAT HAS NO AUTOMATIC ACTUATION OR PRIOR TO ITS AUTOMATIC OPERATION IF IT HAS AUTOMATIC ACTUATION (RECOVERY)
RA 1 1 23H          FAILURE OF MANUAL OPERATION WITHIN 23 HOURS OF A SYSTEM OR COMPONENT FROM THE CONTROL ROOM THAT HAS NO AUTOMATIC ACTUATION OR PRIOR TO ITS AUTOMATIC OPERATION IF IT HAS AUTOMATIC ACTUATION (RECOVERY)
RA 1 1 27H          FAILURE OF MANUAL OPERATION WITHIN 27 HOURS OF A SYSTEM OR COMPONENT FROM THE CONTROL ROOM THAT HAS NO AUTOMATIC ACTUATION OR PRIOR TO ITS AUTOMATIC OPERATION IF IT HAS AUTOMATIC ACTUATION (RECOVERY)
RA 1-1 8H           FAILURE OF MANUAL OPERATION WITHIN 8 HOURS OF A SYSTEM OR COMPONENT FROM THE CONTROL ROOM THAT HAS NO AUTOMATIC ACTUATION OR PRIOR TO ITS AUTOMATIC OPERATION IF IT HAS AUTOMATIC ACTUATION (RECOVERY)
RA 1 3 10H          FAILURE OF MANUAL OPERATION WITHIN 10 HOURS OF A SYSTEM OR COMPONENT FROM THE CONTROL ROOM WHICH FAILED TO AUTOMATICALLY ACTUATE (RECOVERY)
RA-1-3 13H          FAILURE OF MANUAL OPERATION WITHIN 13 HOURS OF A SYSTEM OR COMPONENT FROM THE CONTROL ROOM WHICH FAILED TO AUTOMATICALLY ACTUATE (RECOVERY)
RA 1-3 1H           FAILURE OF MANUAL OPERATION WITHIN 1 HOUR OF A SYSTEM OR COMPONENT FROM THE CONTROL ROOM WHICH FAILED TO AUTOMATICALLY ACTUATE (RECOVERY)
RA 1 3 27H          FAILURE OF MANUAL OPERATION WITHIN 27 HOURS OF A SYSTEM OR COMPONENT FROM THE CONTROL ROOM WHICH FAILED TO AUTOMATICALLY ACTUATE (RECOVERY)
RA 1 3 8H           FAILURE OF MANUAL OPERATION WITHIN 8 HOURS OF A SYSTEM OR COMPONENT FROM THE CONTROL ROOM WHICH FAILED TO AUTOMATICALLY ACTUATE (RECOVERY)
RA 10 1-27H         FAILURE TO REPLACE A FUSE WITHIN 27 HOURS IN A SYSTEM OR COMPONENT THAT HAS NO AUTOMATIC OPERATION OR PRIOR TO ITS AUTOMATIC OPERATION IF IT HAS AUTOMATIC ACTUATION (RECOVERY)
RA 2 1 27H          *FAILURE OF LOCAL OPERATION WITHIN 27 HOURS OF A SYSTEM OR COMPONENT NORMALLY OPERATED FROM THE CONTROL ROOM THAT HAS NO AUTOMATIC ACTUATION OR PRIOR TO ITS AUTOMATIC ACTUATION IF IT HAS AUTOMATIC ACTUATION (RECOVERY) description inferred from code
RA 2 ll 27H         LOCAL OPERATION WITHIN 27 HOURS OF MANUALLY CONTROLLED COMPONENTS NORMALLY OPERATED FROM THE CONTROL ROOM WHEN CONTROL ROOM OPERATION FAILS (RECOVERY)
RA 2 3 10H          FAILURE OF LOCAL OPERATION WITHIN 10 HOURS OF A SYSTEM OR COMPONENT WHICH FAILED TO AUTOMATICALLY ACTUATE (RECOVERY)
RA 2 3 1H           FAILURE OF LOCAL OPERATION WITHIN ONE HOUR OF A SYSTEM OR COMPONENT WHICH FAILED TO AUTOMATICALLY ACTUATE (RECOVERY)
RA 2 3 27H          FAILURE OF LOCAL OPERATION WITHIN 27 HOURS OF A SYSTEM OR COMPONENT WHICH FAILED TO AUTOMATICALLY ACTUATE (RECOVERY)
RA-2 3 8H           FAILURE OF LOCAL OPERATION WITHIN 8 HOURS OF A SYSTEM OR COMPONENT WHICH FAILED TO AUTOMATICALLY ACTUATE (RECOVERY)
RA ATWS 1 1 5H      *FAILURE OF MANUAL OPERATION WITHIN 5 HOURS OF A SYSTEM OR COMPONENT FROM THE CONTROL ROOM WHICH HAS NO AUTOMATIC ACTUATION OR PRIOR TO ITS AUTOMATIC OPERATION IF IT HAS AUTOMATIC ACTUATION AFTER THE OCCURRENCE OF AN ATWS (RECOVERY) description inferred from code
RA ATWS 1 3 33M     *FAILURE OF MANUAL OPERATION WITHIN 33 MINUTES OF A SYSTEM OR COMPONENT FROM THE CONTROL ROOM WHICH FAILED TO AUTOMATICALLY ACTUATE AFTER THE OCCURRENCE OF AN ATWS (RECOVERY)
RA ATWS 2 1 5H      *FAILURE OF LOCAL OPERATION WITHIN 5 HOURS OF A SYSTEM OR COMPONENT MANUALLY OPERATED FROM THE CONTROL ROOM WHICH HAS NO AUTOMATIC ACTUATION OR PRIOR TO ITS AUTOMATIC OPERATION IF IT HAS AUTOMATIC ACTUATION AFTER THE OCCURRENCE OF AN ATWS (RECOVERY) description inferred from code

ERRORS IN GROUP 4 FOR PURPOSES OF SENSITIVITY ANALYSIS

DGOMOD RUM 0        FAILURE TO RESTORE CB DOVB202X AFTER 1 OF 3 DGOMOD
DCOV01CA RUM 0      FAILURE TO RESTORE CB DOVB201X AFTER UNSCDGOVOICA
LCSC002A RUM 1      FAILURE TO RESTORE XV RHRF98AX AFTER UNSCLCSC002A
RHRC003B-RUM-1      FAILURE TO RESTORE XV RHRF98BX AFTER UNSCRHRC003B

ERRORS IN GROUP 5 FOR PURPOSES OF SENSITIVITY ANALYSIS

1EDC2DEP FRP 27H    FAILURE TO RESTORE OFFSITE POWER IN 27 HOURS (RECOVERY)
OPFAILSMFW 8M       OPERATORS FAIL TO CONTROL MFW SYSTEM IN 8 MINUTES (RECOVERY)
RA 6 4H             IF ONE ELECTRIC POWER TRAIN HAS FAILED, ONE HALF OF THE TIME THE RECIRCULATION PUMP LOCA WILL OCCUR ON THE RECIRCULATION PUMP WHICH CAN BE ISOLATED. OPERATORS ISOLATE RECIRCULATION PUMP SEAL LOCA AND RESTORE PCS (RECOVERY)
RA 8 10H            RESTORATION WITHIN TEN HOURS OF OFFSITE POWER (RECOVERY)
RA 8 1H             RESTORATION WITHIN ONE HOUR OF OFFSITE POWER (RECOVERY)
RA 8 23H            RESTORATION WITHIN 23 HOURS OF OFFSITE POWER (RECOVERY)
RA 8-27H            RESTORATION WITHIN 27 HOURS OF OFFSITE POWER (RECOVERY)
RA 8-48M            *RESTORATION WITHIN 48 MINUTES OF OFFSITE POWER (RECOVERY)
RA 8 80M            RESTORATION WITHIN 80 MINUTES OF OFFSITE POWER (RECOVERY)
RA 8 8H             RESTORATION WITHIN 8 HOURS OF OFFSITE POWER (RECOVERY)
RLOSP               *RANDOM LOSS OF OFFSITE POWER description as recovery inferred from code by BNL; Sandia subsequently noted that this is not truly a recovery action

ERRORS IN GROUP 6 FOR PURPOSES OF SENSITIVITY ANALYSIS

RA 15 1H            REPAIR OF DG COMMON MODE FAILURE WITHIN ONE HOUR (RECOVERY)
RA 15 48M           REPAIR OF DG COMMON MODE FAILURE WITHIN 48 MINUTES (RECOVERY)
RA 15 8H            REPAIR OF DG COMMON MODE FAILURE WITHIN 8 HOURS (RECOVERY)
RA 9 10H            REPAIR OF DG FAILURE WITHIN 10 HOURS (RECOVERY)
RA 9 1H             REPAIR OF DG FAILURE WITHIN ONE HOUR (RECOVERY)
RA 9 23H            REPAIR OF DG FAILURE WITHIN 23 HOURS (RECOVERY)
RA 9 27H            REPAIR OF DG FAILURE WITHIN 27 HOURS (RECOVERY)
RA 9 2H             REPAIR OF DG FAILURE WITHIN TWO HOURS (RECOVERY)
RA 9 48M            REPAIR OF DG FAILURE WITHIN 48 MINUTES (RECOVERY)
RA 9 8H             REPAIR OF DG FAILURE WITHIN 8 HOURS (RECOVERY)

* Description based on BNL interpretation of general information provided in SNL documentation.

                                                                                                                                                                                                                                                                                                                                                          .ds ;'
                                                                                                                                                                                                                                                                                                                                                                                                                          >--                                                                             2 ,i p

3 e

                                                                                                                                                                                                                                                                                                                                                                                                                 .-+;                                                                                       ..t                                                  &
                                                                                                                                                                                                                                                                                                                                        '4      r cw m                                                                                                                                     ifa 7                                           M:                                            %y
                                                                                                                                                                                                                                                                                                                                                                                                                       .. i
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           +                                 '

f

                                                                                                                                                                                                                            - ,                                                                                                                             Ig t                                                                                                                                                                                          r.'(. '                    ,
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ~. ~.

h- ','- },-_ '[ 5 ., , + f g

d., - ..2i A i-2 5 1 - " -,  !

5 . T " o' .' ,,

                                                                                                                                                                                                                                                                                                                        ",'}e-                                   ;
  • y - .hr; g

I ,- ) l' i 5 .- i 4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       ;:g .                                                                                                          +

a b w s . 3 -  :. - ('- +

                                                                                                                                                                                                                                                                                                            ,[9;_
     'I                                                                                                                                                                                                              ;                                                                                                                               5                                                                                                                             g                                  4 .                                                                                                     [                                (

r t ,.

                                                                                                                                                                                                                                                                                                                                                                                   ., p ?                                                                                                                             1
                                                                                                                                                                                                                                                                                                                                                                              }                                              %\                                                                   4                    g                                                                                                                                                   i%.

s , F e

                                                                                                                                                                                                                                                                                                             ;                                     r                 -' m '         --

s ;. 1 g- -, T L1 _t t n-J +,

                                                                                                                                                                                                                                                                                                                                                                                         -,,k,'
                                                                                                                                                                                                                                                                                                                                                                                              ^-
                                                                                                                                                                                                                                                                                                                                                                                                                                                        . , ,l_                                               ,, R
.e-. .W                                                                                                                                                                                                                                                                  t.                           ,

1_

af_My.
                                                                                                                                                                                                                                                                                                                                                                                                                                                         .-                                                      ,+f    .

l>

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ,2, 2        4
                                                                                                                                                                                                                                                                                                                                                        . I               -.y r

3,. p,j < , y g_ - v9' 1 ?j - t -

                                                                                                                                                                                                                                                                                                                                              .. \y                    '*9.,                                E, 'fi                                                        $

e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   ^

l' 5 *r, * - A , __ ._-C , *m, - s u. c n , y p e t. ' h

                                                                                                                                                                                                                          .:i

( , . , t . i

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             -  ,aa       -
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             t"_'.        .
                                                                                                                                                                                                                                                                                                                                                            , w-                                                                                              J x, c*_;                                                                                                                                        -     I f,,^                                                                                                                                                                                                                !          d,                           1 g i                                   _.$'.                                                                                                                                                                                                                           ,       '[                                  y a
                                                                                                                                                                                                                                                                                                                                                                                                , ,                < ',                                                                                               +                                                                                                                                          n m                                                                                                                                                                                                                                                                                                                                                                                                                                    t                                                             1                 p              4-                                                                               P                                  -
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 +k .
                                                                                                                                                                           -a

[.,h [ ,  ;;;, . _

                                                                                                                                                                                                                                                           ; (' 4
                                                                                                                                                                                                                                                                                                                                                                                                                                              .1                       "-i'"'h'                                                                                                                                                  -g  s..                          ,EU     ,-             i 3 .e     1 t',
                                                                                                                                                                                                                                                                                                                                                                                                                              .. . y i ' A
                                                                                                                                                                                                                                                                                                                                                                                                                                                                             '. i 1                                                                                    t'
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         -k:!  ?                                                i fp gy                                                                                                                                                       ,g.

M g.e 4 ys . 3 g 'f,.,28- -..g% v

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  <k-E(.2                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  g.

i s } ,.$ >E

                                                                                                                                                                                                                                                                                                                      -; '                                                                                                                                                                                                                                         (g
                             -'f'J 1                  c/

5 :% , a" -. ",. g r ( 4

                                                                                                                                                                                                                                                                                                                                                                                                                                                              ,g                                                                 7                                                      9-g   6                                                                                                                                                                                                                                                                                                          :,
         ,, i N

so y +.,

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             +

v i . r-1 / )

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     .y fl                             h e                              13 1

y \

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 \                         f                      J
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  '                                                                                                       l
      .-p                                                                                                                                                                                                                                                                                                                                                                 y N'                                                                                                                           ga .hi u C:                                                                                                                                                                                                                                                                                                                                                                                                  <
  • e

'c; r 1 7,

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              ,i.                                                                       .)                    m S.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     .-f'
                                             ,                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       U                                                                              ~

APPENDIX B

LASALLE PRA MODEL

In an ongoing study on sensitivity evaluations of plant risk to human errors, the LaSalle Probabilistic Risk Assessment (PRA) was chosen for sensitivity analyses to identify and characterize critical human performance actions, and associated potential error events of major risk significance that are likely to occur in a BWR (boiling water reactor) plant. These events are commonly termed human errors. A summary description of the LaSalle PRA model is provided below. In addition, human reliability modeling in the PRA was examined to identify the extent of human interaction considerations in the LaSalle plant risk model. Finally, the development of a computer model at BNL of the LaSalle plant risk for sensitivity evaluations is discussed.

B.1 Summary Description of LaSalle PRA

The LaSalle PRA study is being performed by Sandia National Laboratories (SNL) for the NRC as part of the Risk Methods Integration and Evaluation Program (RMIEP). This study is currently under review by the LaSalle Quality Assurance Team, and by Commonwealth Edison Company, the licensee of LaSalle, before formal publication. As such, the documentation on the LaSalle PRA was provided to Brookhaven National Laboratory (BNL) in draft form and the LaSalle PRA model is considered as preliminary.

This PRA model included both internal and external event initiated accident sequences that may lead to severe core damage. The list of internal event accident initiators is shown on Table B.1. The accident sequences that remained in the PRA model after the application of screening and recovery considerations were grouped under the following general categories: 26 transient initiated, 9 transient induced LOCAs (loss of coolant accidents due to stuck open SRVs), 5 LOCAs, 13 ATWS (anticipated transients without scram), and 48 seismic induced sequences.

Because initiator events were modeled in system fault trees, each sequence contains cutsets for several different initiators which may contribute to the overall sequence risk. The calculated frequencies of accident sequences in the LaSalle PRA model vary from about 2.0E-5 to 9.0E-16 events/year. The point estimate of the mean annual core damage frequency due to accident sequences initiated by both internal and external events is 3.90E-5 events/year.

The original database used by SNL in the initial solution of the system fault tree models contained about 3500 events, which included 240 human errors. As a result of judgmental and quantitative screening of credible events in the PRA model by SNL analysts, a reduced database of over 850 basic events was obtained, and this was provided to Brookhaven National Laboratory (BNL) in the form of a data file written on floppy disk. From this reduced database, about 180 human errors were identified by BNL for severe accident scenarios initiated by internal events. In this database, there were about 40 errors associated with the seismic-induced sequences.

Table B.1. Initiating Events in LaSalle PRA Model

Accident     Estimated
Initiator    Frequency    Description
IE-T1        4.5          Turbine trip with turbine bypass available
IE-T2        5.2E-1       Turbine trip with turbine bypass unavailable
IE-T3        6.1E-1       Total main steam isolation valve closure
IE-T4        4.1E-1       Loss of normal condenser vacuum
IE-T5        6.0E-1       Total loss of feedwater
IE-T7        1.4E-1       Inadvertent opening of a safety relief valve (stuck)
IE-LOSP      9.7E-2       Loss of offsite power
IE-T9A       5.0E-3       Loss of 125V DC bus A
IE-T9B       5.0E-3       Loss of 125V DC bus B
IE-T101      5.0E-3       Loss of 4160V AC bus A
IE-T102      5.0E-3       Loss of 4160V AC bus B
IE-T11       3.0E-3       Loss of instrument air
IE-T12       3.0E-3       Loss of drywell pneumatic
IE-T13       4.4E-3       Loss of 100 psi drywell pneumatic
IE-T14       0.0          Complete loss of reactor vessel narrow range instrumentation
IE-T15A      2.0E-7       Loss of train A reactor vessel narrow range instrumentation
IE-T15B      2.0E-7       Loss of train B reactor vessel narrow range instrumentation
IE-SLOCA     3.0E-2       Small break loss of coolant accident
IE-MLOCA     3.0E-4       Medium break loss of coolant accident
IE-LLOCA     1.0E-4       Large break loss of coolant accident

The LaSalle PRA team stated that initial truncation and screening was performed at about the level of 10^-8 events/reactor-year for accident sequence frequency. After this truncation, recovery actions were applied to appropriate cutsets that resulted in the lower level of accident sequence frequency dropping to about 104' events/reactor-year.

B.2 HRA Modeling in LaSalle PRA

The treatment of human interactions in the LaSalle PRA was based, in various but significant degrees, on the Human Reliability Analysis (HRA) methodology and human performance modeling techniques that were documented in NUREG/CR-1278 (A. Swain's Handbook of Human Reliability Analysis).

Two major categories of human actions were considered in the HRA that was performed for the LaSalle PRA study. The first category includes those actions which occur before an accident (pre-accident).
These actions may affect the ability of a system to respond to an accident situation. The other category consists of human actions which are anticipated to be performed after the start of an accident to mitigate the consequence of the evolving situation (during/post-accident).

Screening rules were established by A. Swain in conjunction with system analysts to provide human error probabilities (HEPs) for (i) pre-accident tasks, and for (ii) post-accident diagnosis and post-diagnosis actions. A fine level of screening was employed to determine HEP estimates of pre-accident errors so that unduly conservative estimates could be avoided by some, but not very much, additional human reliability analysis. Furthermore, the justifications for a very fine level of screening were multifold: (i) it was based on initial plant specific task analyses, (ii) it included credit for human error recovery factors, and (iii) it took into account certain possibilities of task dependence which could result in common cause failures resulting from within-person or between-person dependence. The screening rules for post-accident tasks represented a less fine level of screening, i.e., "coarse screening," and incorporated major conservatisms from assuming that (i) any incorrect diagnosis would always be followed by a sequence leading to a reactor core melt situation, and (ii) there would be insufficient time to perform any human actions outside the control room that could prevent core uncovery.

The human errors found in the reduced database for the LaSalle PRA are human errors which survived the HRA screening process, the initial screening of accident sequences, and the second screening of accident sequences occurring after the first round of recovery actions were added to the cutsets and more detailed examinations of some basic event failure probabilities yielded reduced failure probabilities for those basic events. In this second round of screening, the HEPs associated with human events were refined using human performance data obtained on the LaSalle nuclear plant simulator.
This data provided more realistic HEP estimates, resulting in some human events being eliminated after the second screening of the accident sequences. Certain types of human errors, as discussed below, were determined to be not risk significant for the LaSalle plant by the above process, and hence, are not contained in the final plant risk model.

B.2.1 Pre-accident HRA

Typically, human reliability modeling in a full scale PRA includes pre-accident activities such as instrument miscalibration and improper equipment restoration tasks. In the reduced database for the LaSalle PRA, all pre-accident human events were identified as errors describing "failure to restore" various plant components. These components include various manual valves (XVs), a few motor-operated valves (MOVs), and circuit breakers (CBs), a motor driven pump (MDP), and a strainer. As discussed later in Section B.3, only four of these equipment restoration errors remain in the significant cutsets.

The basic screening value HEP for failure to restore (error of omission) from test and maintenance is as stated in draft Chapter 3 of the LaSalle PRA. When used with the indicated pre-accident recovery factor, the resultant screening value HEP for restoration failure is 0.001, and it was this value that was used in the screening analysis.

Regarding calibration errors, SNL stated that they were considered for the LaSalle PRA model. Based on a detailed analysis of the plant instrumentation and associated procedures, calibration errors were determined to be "not likely to cause safety problems at LaSalle," and hence, were not modeled quantitatively, i.e., dropped in the screening analysis. A particularly good feature noted in the LaSalle procedures was multiple independent checks and reviews. One specific operational example given for not modeling calibration errors was the containment pressure instrumentation. These instruments are normally operationally checked because the containment at the LaSalle plant is inerted.

B.2.2 During/Post-accident Errors

Of the 182 human errors in the reduced database, 150 were during/post-accident errors. These post-accident errors that survived the screening process are labeled as recovery actions. As stated in NUREG/CR-4834, a recovery action is defined as a required action performed by operators to prevent or mitigate core damage during an accident situation. BNL noted that some of these were coded as OPFAILS (for operator fails to ...) to designate that they were included in the fault tree models, and some were coded as RA (for recovery action) to designate that they were identified and added during examination of sequence cutsets.

Each recovery action was defined by two distinct phases, a diagnosis phase and an action phase. During the diagnosis phase, the operating staff recognizes that some problem exists with one of the critical parameters, namely reactor power level, containment temperature and pressure, reactor water level, and reactor pressure. From the information available, the operators decide on a course of action. During the action phase, the operators must physically accomplish the action(s) decided upon in the diagnosis phase.

The screening value HEPs for post-accident human events were determined from an elaborate set of rules which are summarized in the draft Chapter 3 of the LaSalle PRA. These rules were based on information derived from figures and tables in Chapter 12 of NUREG/CR-1278, as well as system analysis methods and simulated measures to estimate the allowable times to correctly diagnose and respond to an abnormal situation.

After the screening process, the surviving group of during/post-accident human events were refined as follows: the HEP estimates for the action phase were based on the NUREG/CR-1278 models, while the estimates for the diagnosis phase were determined by a recovery model based on "actual human actions observed during simulator tests of hypothesized accident scenarios..." (from NUREG/CR-4834). Since the values for the action phases were typically much lower than the diagnosis phase, the final HEPs were essentially that of the diagnosis phase, which were based on the many simulator experiments conducted for the LaSalle project.

Also, as noted in Section 3 of this report, 19 LaSalle errors were generic errors that represent a group of errors having the same HEP. For example, RA 1 1 8H represents about 50 unique errors related to different plant components.

B.2.3 Comparison of HRA Modeling LaSalle versus Oconee PRA

Both the LaSalle and Oconee PRAs use HRA screening techniques to focus attention on the refinement of those HEPs of human errors that were determined to be important by the screening process. However, it is observed that the implementation of the techniques differs with respect to their relative ease and convenience of application. Oconee's screened HEPs are simply pre-determined high values found in Chapter 6 of the Oconee PRA, while LaSalle's screened "equivalents," especially for during/post-accident situations, are based on the detailed and extensive set of rules provided in Chapter 3 of the draft LaSalle PRA. In addition, even though both PRAs depend to a large extent on NUREG/CR-1278, the Oconee PRA used the 1980 draft version while the LaSalle PRA used the greatly revised October 1983 final version.

More importantly for during/post-accident human events, the recovery action model in the LaSalle PRA is based on actual human actions performed during LaSalle control room simulator tests of eight hypothesized accident scenarios (NUREG/CR-4834). This is a notable change from the traditional expert judgment approach which forms the basis for most previous modeling of during/post-accident HEPs (including those developed for the Oconee PRA). The use of simulators to develop HEPs or to verify HEPs generated by expert judgment provides a "reality" check which unverified expert judgment cannot. There is naturally still the question as to how closely the simulator tests represent actual accident scenarios in the control room.

B.3 Computer Model of LaSalle Plant Risk

The computational model of the "baseline" risk plane for human error sensitivity analyses is defined by dominant accident sequences that were identified in the preliminary LaSalle PRA model. The accident sequences considered in this baseline risk model are initiated by internal events (accidents initiated by a functional equipment failure or an external loss of power) that lead to core damage. As such, the risk impact of human errors is enveloped by the internal event analysis of the LaSalle nuclear plant. The accident sequences included in the baseline risk model are presented in Table B.2 under the following general categories: 21 transients, six transient induced LOCAs, two LOCAs and eight ATWS sequences. Each of these 37 accident sequences has a baseline frequency greater than 1.0E-10 events/year.

A single block file containing the cutset equations for each of 37 accident sequences was created on the mainframe computer (AMD Cyber 830) using the SETS computer code. The accident sequence equations were then transformed into Fortran functions and linked with subroutines of the PAIRWISE computer code to create a working model for sensitivity evaluations and importance analyses.

The baseline frequencies of all accident sequences in the risk model, as calculated by the PAIRWISE computer code, are given on Table B.2. These estimates of accident sequence frequencies were compared against the SNL calculations. A review of the estimated frequencies shows very close agreement in most cases. In some instances where there are differences in decimal fractions, the anomaly is due to the presence of a few original cutsets in some accident sequences having no recovery actions applied to them as yet. The SNL estimates of frequencies for these few accident sequences (e.g. T8, T3E, TL8, TL3E) were based on subsequently revised models with appropriate recovery actions included.

For purposes of comparing the sensitivity to human error of the different types of accident sequences, the sequences were broken down into smaller groups than shown in Table B.2. Table B.3 shows the groups of accident sequences for which sensitivity calculations were performed. The results of these calculations are presented and discussed in Section 5.2.1.2.

The truncation level for the accident sequences that are considered in the baseline risk model for sensitivity study is 10'". The truncation limit is considered adequate for sensitivity evaluation purposes because all accident sequences with estimated frequencies above this truncation level are those that remained after the application of screening and recovery considerations to the original cutsets. The total number of minimal cutsets in the risk model is about 22,000 terms. The number of human errors which impact the risk parameters during sensitivity calculations is 83 errors. These 83 errors were found in the cutsets of the 37 dominant accident sequences. Four of these errors are pre-accident errors, and the remainder are during-accident errors. Forty-nine during-accident errors are recovery action events involving operator response.

Several errors, associated with venting, are modeled with the failure and the complement success event in separate cutsets. Thus, as the error probability is increased, the complement probability decreases resulting in no net effect from some venting errors.

In summary, the accident sequences considered here in this baseline risk model for human error sensitivity analyses account for 99% of overall plant core damage frequency due to internal events. The "base case" estimate of the mean annual core damage frequency due to internal events for the LaSalle PRA computer model used in this study is 3.80E-5 events/year.
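The sensitivity calculation described in B.3 can be sketched as follows. This is an added example, not BNL's SETS/PAIRWISE model or any code from the report: every event name, probability and cutset is constructed, and summing cutsets (rare-event approximation) and capping a scaled HEP at 1.0 are assumptions. It shows how a failure/complement venting pair cancels out and computes the ratio that Table C.3 tabulates as the ASF factor.

```python
"""Constructed example: HEP sensitivity over minimal cutsets."""
from math import prod

# Constructed basic events (NOT LaSalle data): name -> (kind, value).
# "IE" = initiator frequency per year, "HW" = hardware failure probability,
# "HE" = human error probability (HEP).
BASIC_EVENTS = {
    "IE-EXAMPLE":           ("IE", 0.1),
    "PUMP-FAIL":            ("HW", 1e-3),
    "DG-FAIL":              ("HW", 2e-2),
    "RA-EXAMPLE":           ("HE", 0.05),   # recovery action (RA-coded)
    "RESTORE-XV-EXAMPLE":   ("HE", 1e-3),   # pre-accident restoration error
    "OPFAILS-VENT-EXAMPLE": ("HE", 0.1),    # venting error
}

# Each cutset is a product of basic events. A leading "/" marks the
# complement (success) of an event. The last two cutsets model a venting
# error and its complement in separate cutsets, as described in B.3.
CUTSETS = [
    ("IE-EXAMPLE", "PUMP-FAIL", "RA-EXAMPLE"),
    ("IE-EXAMPLE", "DG-FAIL", "RESTORE-XV-EXAMPLE"),
    ("IE-EXAMPLE", "PUMP-FAIL", "DG-FAIL", "OPFAILS-VENT-EXAMPLE"),
    ("IE-EXAMPLE", "PUMP-FAIL", "DG-FAIL", "/OPFAILS-VENT-EXAMPLE"),
]

# HEP multipliers used in the Appendix C tables.
HEP_FACTORS = (1 / 29, 1 / 25, 1 / 20, 1 / 10, 1 / 5, 1, 5, 10, 20, 25, 29)


def is_recovery_action(name):
    """True for events coded as recovery actions (constructed RA- prefix)."""
    return name.startswith("RA-")


def event_value(name, factor, selected):
    """Value of one cutset term with the HEP factor applied to selected HEs."""
    complemented = name.startswith("/")
    base_name = name[1:] if complemented else name
    kind, value = BASIC_EVENTS[base_name]
    if kind == "HE" and selected(base_name):
        value = min(1.0, value * factor)  # assumption: a probability caps at 1.0
    return 1.0 - value if complemented else value


def sequence_frequency(cutsets, factor=1.0, selected=lambda name: True):
    """Sum of cutset products (rare-event approximation), events per year."""
    return sum(
        prod(event_value(event, factor, selected) for event in cutset)
        for cutset in cutsets
    )


def asf_factor(base, varied):
    """Ratio of the larger to the smaller frequency, so it is >= 1 both ways."""
    return max(base, varied) / min(base, varied)


def sweep(cutsets, factors=HEP_FACTORS, selected=lambda name: True):
    """Map each HEP factor to (sequence frequency, ASF factor vs. base case)."""
    base = sequence_frequency(cutsets)
    result = {}
    for factor in factors:
        freq = sequence_frequency(cutsets, factor, selected)
        result[factor] = (freq, asf_factor(base, freq))
    return result


if __name__ == "__main__":
    for factor, (freq, asf) in sweep(CUTSETS).items():
        print(f"factor {factor:8.4f}  frequency {freq:.3e}  ASF factor {asf:6.2f}")
```

Passing `selected=is_recovery_action` (or its negation) to `sweep` restricts the variation to one class of human errors, analogous to the separate "RA HEs" and "Non-RA HEs" rows of Table C.1.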

Table B.2. Summary of LaSalle Accident Sequence Frequencies

ACCIDENT          ESTIMATED FREQUENCY
SEQUENCE          SNL          BNL

Transients:
T2                5.11E-7      5.11E-7
T2VCL             2.01E-6      2.01E-6
T2VCR             1.65E-8      1.60E-8
T2VL              7.82E-6      7.82E-6
T2VR              2.74E-8      2.74E-8
T3AVL             2.52E-9      2.52E-9
T3BCL             1.50E-8      1.50E-8
T3BL              6.90E-8      6.90E-8
T3CCL             3.25E-8      3.25E-8
T3CL              1.78E-8      1.78E-8
T3CR              1.21E-10     1.21E-10
T3DCL             1.29E-8      1.29E-8
T3DL              2.46E-9      2.46E-9
T3E               3.46E-6      4.82E-6
T4                1.47E-7      1.47E-7
T5CL              1.16E-8      1.16E-8
T5L               3.34E-8      3.35E-8
T6CL              1.35E-8      1.35E-8
T6L               1.71E-8      1.71E-8
T6R               1.16E-10     1.16E-10
T8                2.03E-5      2.17E-5

Transient Induced LOCAs:
TL2               3.61E-7      3.61E-7
TL2VCL            4.40E-9      4.40E-9
TL2VL             8.55E-9      8.55E-9
TL2VR             3.20E-10     3.20E-10
TL3E              2.09E-8      3.21E-8
TL8               1.22E-7      1.33E-7

LOCAs:
L2                1.74E-10     1.74E-10
L2VL              3.07E-8      3.07E-8

ATWS:
A22               1.01E-9      1.01E-9
A49               5.41E-8      5.41E-8
A52               6.26E-9      6.26E-9
A93               8.26E-10     8.26E-10
A120              4.65E-8      4.64E-8
A123              4.38E-8      4.38E-8
A126              2.39E-9      2.39E-9
A129              1.63E-10     1.63E-10

Total Core Damage Freq.:   3.52E-5   3.80E-5

Table B.3. Accident Sequence Grouping for Sensitivity Calculations

                                  Principal Initiating                                    No. of
Sequence Type                     Event Code            Sequence Codes                    Sequences

Transient Sequences:
Loss of Offsite Power (LOOP)      IE-LOSP               T2VCL, T2VCR, T3DCL, T3E,         6
                                                        T4, T8
Turbine Trip (TT)                 IE-T1                 T2VL, T2VR, T3AVL                 3
Loss of Feedwater (LOFW)          IE-T5                 T2                                1
Loss of AC Power (LOAC)           IE-T101, IE-T102      T3BCL, T3BL, T3CCL, T3CL,         11
                                                        T3CR, T3DL, T5CL, T5L,
                                                        T6CL, T6L, T6R

Transient-induced LOCAs:
Induced by LOOP (T1.LOCA)         IE-LOSP               TL3E, TL8, TL2VCL                 3
Induced by LOFW (T2.LOCA)         IE-T5                 TL2, TL2VL                        2
Induced by LOAC (T3.LOCA)         IE-T101               TL2VR                             1

Loss of Coolant Accidents:
Small LOCAs                       IE-SLOCA              L2, L2VL                          2

ATWS:
Anticipated Transients            Various               A22, A49, A52, A93,               8
Without Scram (ATWS)                                    A120, A123, A126, A129

Total:                                                                                    37

APPENDIX C

SENSITIVITY CALCULATION DATA

This appendix provides the actual core melt frequency (CMF) and accident sequence data from the various computer runs that were conducted as human error probabilities were varied. The sensitivity curves in Section 5 of the main report were based on these tables. The specific figures in Section 5 that are associated with each table are noted herein.

Table C.1. Changes in Core Melt Frequency Due to Human Error Probability Variation by Multiplicative Factors (Figures 5.1 and 5.2)

                                                       HEP FACTOR
HUMAN ERRORS   1/29      1/25      1/20      1/10      1/5       base case  x5        x10       x20       x25       x29
All HEs        1.11E-5   1.12E-5   1.13E-5   1.19E-5   1.35E-5   3.80E-5    1.43E-4   2.00E-4   3.22E-4   3.77E-4   3.87E-4
RA(a) HEs      1.22E-5   1.23E-5   1.24E-5   1.34E-5   1.54E-5   3.80E-5    1.38E-4   1.87E-4   2.86E-4   3.29E-4   3.38E-4
Non-RA HEs     2.87E-5   2.87E-5   2.87E-5   2.90E-5   3.00E-5   3.80E-5    4.11E-5   4.38E-5   4.80E-5   4.94E-5   5.00E-5

Note:
a. Recovery Action

Table C.2. Changes in Individual Accident Sequence Frequencies Due to HEP Variation By Multiplicative Factors (Figure 5.5)

                                                       HEP FACTOR
ACCIDENT
SEQUENCE       1/29      1/25      1/20      1/10      1/5       base case  x5        x10       x20       x25       x29
T8             1.68E-6   1.69E-6   1.77E-6   2.21E-6   3.27E-6   2.17E-5    8.79E-5   9.65E-5   1.14E-4   1.21E-4   1.22E-4
T2VL           6.55E-6   6.53E-6   5.53E-6   6.59E-6   6.73E-6   7.82E-6    1.34E-5   2.05E-5   3.39E-5   3.60E-5   3.66E-5
T3E            1.44E-6   1.44E-6   1.45E-6   1.53E-6   1.73E-6   4.82E-6    2.37E-5   4.69E-5   9.92E-5   1.26E-4   1.32E-4
T3BL           3.29E-9   3.29E-9   3.45E-9   6.89E-9   1.38E-8   6.90E-8    3.45E-7   6.92E-7   1.39E-6   1.46E-6   1.46E-6
TL8            1.42E-8   1.43E-8   1.50E-8   1.88E-8   2.72E-8   1.33E-7    4.51E-7   5.19E-7   6.31E-7   6.72E-7   6.79E-7
L2VL           5.70E-9   5.75E-9   6.01E-9   7.31E-9   9.91E-9   3.07E-8    5.69E-8   5.73E-8   5.79E-8   5.82E-8   5.84E-8
A49            1.21E-9   1.26E-9   1.58E-9   3.26E-9   6.99E-9   5.41E-8    1.98E-7   3.11E-7   5.36E-7   6.49E-7   7.1?E-7

Table C.3. Changes in Accident Sequence Frequency (ASF) Factors for Accident Sequences Due to HEP Variation by Multiplicative Factors (Figure 5.6)

                                                  HEP FACTOR
ACCIDENT
SEQUENCE       1/29     1/25     1/20     1/10     1/5      base case  x5       x10      x20      x25      x29
T8             12.9     12.8     12.3     9.8      6.6      1.0        4.0      4.4      5.2      5.5      5.6
T2VL           1.2      1.2      1.2      1.19     1.16     1.0        1.71     2.62     4.34     4.60     4.68
T2             1.08     1.08     1.08     1.07     1.06     1.0        1.34     1.84     3.04     3.50     3.57
T3BL           20.97    20.97    19.98    10.0     5.0      1.0        5.01     10.0     20.17    21.20    21.23
TL8            9.39     9.32     8.88     7.08     4.90     1.0        3.39     3.90     4.74     5.05     5.10
TL2            1.03     1.03     1.03     1.03     1.03     1.0        1.14     1.31     1.64     1.66     1.66
L2VL           5.39     5.35     5.12     4.21     3.10     1.0        1.85     1.86     1.88     1.90     1.70
A49            44.8     43.0     34.3     16.6     7.74     1.0        3.67     5.75     9.91     12.0     13.2

Table C.4a. Sensitivity of Core Melt Frequency to Changes in Categories of Human Error Probabilities (Figures 5.7, 5.8, and 5.10)

                                                           HEP FACTOR
CATEGORIES OF
HUMAN ERROR        1/29      1/25      1/20      1/10      1/5       base case  x5        x10       x20       x25       x29
Pre-accident       3.79E-5   3.79E-5   3.79E-5   3.79E-5   3.79E-5   3.80E-5    3.84E-5   3.88E-5   3.97E-5   3.99E-5   3.99E-5
During-accident    1.11E-5   1.12E-5   1.13E-5   1.19E-5   1.35E-5   3.80E-5    1.42E-4   1.93E-4   2.97E-4   3.42E-4   3.51E-4
Manual Action      1.17E-5   1.18E-5   1.20E-5   1.29E-5   1.50E-5   3.80E-5    1.41E-4   1.94E-4   3.09E-4   3.63E-4   3.73E-4
Manual Backup      3.79E-5   3.79E-5   3.79E-5   3.79E-5   3.79E-5   3.80E-5    3.86E-5   3.93E-5   4.07E-5   4.08E-5   4.08E-5
Manual Override    2.93E-5   2.93E-5   2.93E-5   2.96E-5   3.06E-5   3.80E-5    3.93E-5   4.08E-5   4.23E-5   4.23E-5   4.23E-5
ROs(a) Only        2.84E-5   2.84E-5   2.84E-5   2.88E-5   2.98E-5   3.80E-5    4.34E-5   5.01E-5   6.19E-5   6.30E-5   6.31E-5
RO/NL(b)           1.29E-5   1.30E-5   1.32E-5   1.45E-5   1.71E-5   3.80E-5    1.22E-4   1.54E-4   2.16E-4   2.45E-4   2.51E-4
RO/NL/MT(c)        2.92E-5   2.93E-5   2.94E-5   2.98E-5   3.08E-5   3.80E-5    4.07E-5   4.07E-5   4.07E-5   4.07E-5   4.07E-5
NLO                3.79E-5   3.79E-5   3.79E-5   3.79E-5   3.79E-5   3.80E-5    3.84E-5   3.88E-5   3.97E-5   3.99E-5   3.99E-5

Note:
a. Wholly Reactor Operator
b. Reactor Operator and Non-licensed Operator interaction
c. Reactor Operator, Non-Licensed Operator, and Maintenance/Test Personnel interaction

Table C.4b. Sensitivity of Core Melt Frequency to Changes in Categories of Human Error Probabilities (Figures 5.11, 5.12, and 5.13)

                                                           HEP FACTOR
CATEGORIES OF
HUMAN ERROR        1/29      1/25      1/20      1/10      1/5       base case  x5        x10       x20       x25       x29
Simulator          2.70E-5   2.70E-5   2.70E-5   2.74E-5   2.86E-5   3.80E-5    4.87E-5   6.11E-5   8.22E-5   8.49E-5   8.56E-5
Non-simulator      1.40E-5   1.40E-5   1.42E-5   1.51E-5   1.69E-5   3.80E-5    1.32E-4   1.74E-4   2.69E-4   3.19E-4   3.29E-4
Generic            3.67E-5   3.67E-5   3.67E-5   3.68E-5   3.69E-5   3.80E-5    4.35E-5   5.03E-5   6.39E-5   6.52E-5   6.52E-5
Specific           1.24E-5   1.24E-5   1.25E-5   1.31E-5   1.45E-5   3.80E-5    1.37E-4   1.85E-4   2.87E-4   3.38E-4   3.48E-4

Sensitivity M
ONE                3.78E-5   3.79E-5   3.79E-5   3.79E-5   3.79E-5   3.80E-5    3.87E-5   3.96E-5   4.14E-5   4.22E-5   4.28E-5
TWO                2.84E-5   2.84E-5   2.84E-5   2.87E-5   2.98E-5   3.80E-5    4.23E-5   4.66E-5   5.08E-5   5.08E-5   5.08E-5
THREE              3.67E-5   3.67E-5   3.67E-5   3.68E-5   3.69E-5   3.80E-5    4.35E-5   5.03E-5   6.39E-5   6.52E-5   6.52E-5
FOUR               3.79E-5   3.79E-5   3.79E-5   3.79E-5   3.79E-5   3.80E-5    3.84E-5   3.88E-5   3.97E-5   3.99E-5   3.99E-5
FIVE               1.44E-5   1.44E-5   1.46E-5   1.5eE-5   1.83E-5   3.80E-5    1.17E-4   1.43E-4   1.97E-4   2.24E-4   2.30E-4
SIX                2.92E-5   2.93E-5   2.94E-5   2.98E-5   3.08E-5   3.80E-5    4.07E-5   4.07E-5   4.07E-5   4.07E-5   4.07E-5

Table C.4c. Sensitivity of Core Melt Frequency to Changes in Subset of a Category of Human Error Probabilities (Figure 5.9)

                                                           HEP FACTOR
FORMS OF MANUAL
ACTIONS            1/29      1/25      1/20      1/10      1/5       base case  x5        x10       x20       x25       x29
All MAs(a)         1.17E-5   1.18E-5   1.20E-5   1.29E-5   1.50E-5   3.80E-5    1.41E-4   1.94E-4   3.09E-4   3.63E-4   3.73E-4
MAs only(b)        1.20E-5   1.20E-5   1.21E-5   1.31E-5   1.51E-5   3.80E-5    1.40E-4   1.92E-4   3.05E-4   3.57E-4   3.66E-4
ULT Actions(c)     3.78E-5   3.79E-5   3.79E-5   3.79E-5   3.79E-5   3.80E-5    3.87E-5   3.96E-5   4.14E-5   4.22E-5   4.28E-5

Note:
a. All Manual Actions
b. Manual Actions excluding Ultimate Actions
c. Ultimate Actions

Table C.5. Relative Contribution to Core Melt Frequency for Various Accident Sequence Types (Figures 5.3 and 5.4)

ACCIDENT                                                    HEP RANGE                                                                No. of
SEQUENCE                                                                                                                             Sequences
TYPE       LB         0.1        0.2        0.3        0.4        base case  0.6        0.7        0.8        0.9        UB
LOOP       3.65E-6    4.11E-6    5.63E-6    8.59E-6    1.47E-5    2.87E-5    3.75E-5    5.15E-5    7.89E-5    1.60E-4    3.25E-4    6
           (32.9%)    (35.4%)    (42.3%)    (52.0%)    (63.6%)    (75.5%)    (78.8%)    (82.0%)    (85.5%)    (89.4%)    (92.3%)
LOAC       3.92E-9    9.18E-9    2.64E-8    5.71E-8    1.11E-7    2.13E-7    3.09E-7    4.65E-7    7.64E-7    1.59E-6    2.98E-6    11
           (0.0%)     (0.0%)     (0.2%)     (0.3%)     (0.5%)     (0.6%)     (0.6%)     (0.7%)     (0.8%)     (0.9%)     (0.9%)
TT         6.51E-6    6.55E-6    6.68E-6    6.89E-6    7.24E-6    7.85E-6    8.41E-6    9.27E-6    1.00E-5    1.44E-5    1.97E-5    3
           (58.7%)    (56.5%)    (50.2%)    (41.8%)    (31.3%)    (20.7%)    (17.7%)    (14.8%)    (11.7%)    (8.1%)     (5.6%)
LOFW       4.74E-7    4.75E-7    4.79E-7    4.85E-7    4.95E-7    5.11E-7    5.35E-7    5.76E-7    6.65E-7    9.46E-7    1.49E-6    1
           (4.3%)     (4.1%)     (3.6%)     (2.9%)     (2.1%)     (1.3%)     (1.1%)     (0.9%)     (0.7%)     (0.5%)     (0.4%)
T1LOCA     2.55E-8    2.90E-8    3.94E-8    3.79E-8    9.30E-8    1.70E-7    2.i?E-7    2.92E-7    4.36E-7    8.54E-7    1.65E-6    3
           (0.2%)     (0.3%)     (0.3%)     (0.3%)     (0.4%)     (0.4%)     (0.5%)     (0.5%)     (0.5%)     (0.5%)     (0.5%)
T2LOCA     3.55E-7    3.55E-7    3.57E-7    3.59E-7    3.63E-7    3.69E-7    3.76E-7    3.86E-7    4.03E-7    4.47E-7    5.11E-7    2
           (3.2%)     (3.1%)     (2.7%)     (2.2%)     (1.6%)     (1.0%)     (0.8%)     (0.6%)     (0.4%)     (0.2%)     (0.1%)
T3LOCA     2.92E-10   2.93E-10   2.95E-10   2.99E-10   3.06E-10   3.20E-10   3.35E-10   3.58E-10   4.06E-10   5.39E-10   7.76E-10   1
           (0.0%)     (0.0%)     (0.0%)     (0.0%)     (0.0%)     (0.0%)     (0.0%)     (0.0%)     (0.0%)     (0.0%)     (0.0%)
SLOCA      5.88E-9    6.92E-9    9.78E-9    1.41E-8    2.06E-8    3.09E-8    3.39E-8    3.74E-8    4.21E-8    5.0E-8     5.76E-8    2
           (0.0%)     (0.0%)     (0.0%)     (0.1%)     (0.1%)     (0.1%)     (0.1%)     (0.1%)     (0.1%)     (0.0%)     (0.0%)
ATWS       6.72E-8    6.94E-8    7.58E-8    8.72E-8    1.09E-7    1.55E-7    1.82E-7    2.26E-7    3.15E-7    5.8E-7     1.07E-6    8
           (0.6%)     (0.6%)     (0.6%)     (0.5%)     (0.5%)     (0.4%)     (0.4%)     (0.4%)     (0.3%)     (0.3%)     (0.3%)
TOTAL      1.11E-5    1.16E-5    1.33E-5    1.65E-5    2.31E-5    3.80E-5    4.76E-5    6.3AE-5    9.Z3E-5    1.79E-4    3.52E-4

Legend:
LOOP:    Loss of Offsite Power
LOAC:    Loss of AC Bus
TT:      Turbine Trip
LOFW:    Loss of Feedwater
T1LOCA:  Transient induced Loss of Coolant Accident (Loss of Offsite Power Initiator)
T2LOCA:  Transient induced Loss of Coolant Accident (Loss of Feedwater Initiator)
T3LOCA:  Transient induced Loss of Coolant Accident (Loss of AC Bus)
SLOCA:   Small break LOCA
ATWS:    Anticipated Transient Without Scram

Table C.6. Changes in Core Melt Frequency During Accident Conditions (Figure 5.14)

                                                           HEP FACTOR
RECOVERY EVENT
PROBABILITY        1/29      1/25      1/20      1/10      1/5       base case  x5        x10       x20       x25       x29
0.0001             1.08E-5   1.00E-5   1.00E-5   1.09E-5   1.10E-5   1.17E-5    1.43E-5   1.65E-5   1.98E-5   2.09E-5   2.15E-5
Base               2.88E-5   2.88E-5   2.88E-5   2.91E-5   3.01E-5   3.80E-5    4.00E-5   4.30E-5   4.64E-5   4.75E-5   4.81E-5
1.0                6.58E-3   6.58E-3   6.58E-3   6.58E-3   6.59E-3   6.66E-3    6.68E-3   6.70E-3   6.72E-3   6.72E-3   6.73E-3

Table C.7. Changes in Accident Sequence Frequency for T8 Sequence During Accident (Figure 5.15)

                                                           HEP FACTOR
RECOVERY EVENT
PROBABILITY        1/29      1/25      1/20      1/10      1/5       base case  x5        x10       x20       x25       x29
0.0001             1.38E-6   1.38E-6   1.38E-6   1.38E-6   1.38E-6   1.38E-6    1.38E-6   1.38E-6   1.38E-6   1.38E-6   1.38E-6
Base               1.33E-5   1.33E-5   1.33E-5   1.45E-5   1.45E-5   2.17E-5    2.18E-5   2.18E-5   2.18E-5   2.18E-5   2.18E-5
1.0                7.86E-4   7.86E-4   7.86E-4   7.96E-4   7.96E-4   8.53E-4    8.5!E-4   8.55E-4   8.55E-4   8.55E-4   8.55E-4

APPENDIX D

CHARACTERIZATION OF IMPORTANT HUMAN ERRORS IN LASALLE PRA

As part of the overall sensitivity study, the minimal cutsets of dominant accident sequences in the LaSalle plant risk model were examined to determine the nature and importance of human errors contained in dominant cutsets. A minimal cutset is the smallest combination of basic events (component failures and human errors) which will result in core melt. The dominant cutsets are those minimal cutsets that quantitatively contribute most to overall core melt frequency or to individual accident sequence frequency. The primary purpose of this cutset analysis was to identify specific human errors and types of human errors which contribute significantly to probabilistically dominant accident sequences, as well as those cutsets containing multiple human errors. Insights gained from the cutset analysis help to guide the various sensitivity analyses for evaluating the risk implications of human actions performed during the normal operation of the LaSalle plant.

Human errors contained in the cutsets of the six most dominant accident sequences, which represent about 97.5 percent of the risk in the LaSalle PRA model, were identified to assess their importance. These six accident sequences and their estimated frequencies are listed in Table D.1. Detailed analyses of accident sequence cutsets for each of the six sequences were conducted to determine the significant human error contributions to accident sequence risk. Each sequence is characterized by an event tree model depicting the initiator and system failures leading to eventual core damage. The system identifiers for various system failures in each of the event tree headings are listed in Table D.2.

Table D.1. Accident Sequences Representing 97.5% of Total Core Melt Frequency at LaSalle

Accident Sequence    Estimated Frequency*    % of Total CMF+
T8                   2.17E-5                 57.1
T2VL                 7.82E-6                 20.6
T3E                  4.82E-6                 12.7
T2VCL                2.01E-6                 5.3
T2                   5.11E-7                 1.3
TL2                  3.61E-7                 0.95
TOTAL:               3.72E-5                 97.95

* Point estimate frequency based on PAIRWISE calculations at BNL
+ Total core damage frequency = 3.80E-5

Table D.2. System Identifiers

System Identifier    System Name
CDS                  Condensate System
CSS                  Containment Spray System
CRD                  Control Rod Drive System
FW                   Main Feedwater System
HPCS                 High Pressure Core Spray System
LPCI                 Low Pressure Coolant Injection System
LPCS                 Low Pressure Core Spray System
PCS                  Power Conversion System
RCIC                 Reactor Core Isolation Cooling System
SCS                  Shutdown Cooling System
SPC                  Suppression Pool Cooling System
SRVC                 Safety Relief Valve Closure
SUR                  Survivability of Equipment
T                    Transient Initiator
VENT                 Containment Venting

D.1 CUTSET ANALYSIS FOR SIX MOST DOMINANT ACCIDENT SEQUENCES

D.1.1 Loss of Offsite Power (T8)

T * FW * HPCS * RCIC * CDS * LPCI * LPCS

In this accident sequence, a transient such as loss of offsite AC power (LOOP) occurs followed by successful scram and safety relief valve (SRV) operation. All high and low pressure injection systems fail, and core damage ensues. The cutsets fall into two groups: (1) an early core damage scenario where all AC power is lost initially and the RCIC system fails due to loss of DC power or RCIC room cooling, and (2) a late core damage scenario where DC power is available for 8 hours and then is lost due to battery depletion. For the early scenario, about 80 minutes is allowed for recovery actions to be effected. In the late scenario, about 10 hours is permitted for successful recovery actions. The maximum time for successful recovery actions to ensure prevention of core damage, e.g., 80 minutes or 10 hours, is estimated using thermal hydraulic computer codes which determine the amount of time to restore containment heat removal or begin injection of water into the reactor vessel.

The T8 sequence has a total base frequency of 2.17E-5 events/year. An examination of the 3,397 cutset terms derived for this accident sequence showed that the top 250 cutsets which contain human error events account for a total cutset frequency of 2.07E-5/year. Two recovery errors, RA-8-1H and RA-8-10H, are sequence-dependent and occur in all cutsets, depending on the assumed time available for successful recovery actions. For these 250 cutsets, the total frequency for cutsets containing double human errors is 1.00E-5/year. The total frequency for cutsets containing triple human errors is 2.16E-6/year. There were no cutsets in the top 250 terms that contain quadruple human errors.

Table D.1.1a shows the list of human errors which occur in the T8 sequence, the first cutset-term number where each human error is observed, and the number of occurrences for a specific human error event. The data from Table D.1.1a (and other tables in this appendix) was developed using a truncation level of 1E-15, hence the large number of cutsets. Table D.1.1b shows the various combinations of human errors and the calculated product of human error probabilities associated with the respective human errors in the combinations that occur within the top 250 cutsets. Finally, Table D.1.1c shows the summary description of those dominant human errors that appear to have a significant effect on the accident sequence frequency. The errors noted as dominant in Table D.1.1c were determined from a review of Tables D.1.1a, D.1.1b, and the cutsets themselves. Errors were included based on their occurrence in high order cutsets, their occurrence in a large number of cutsets, and their occurrence with other HEs in doubles or triples. A similar analysis was performed for each sequence to determine the dominant errors. The categorization of these human errors in terms of timing of accident, personnel involvement, type of utility program activity, omission or commission error type, and location of error occurrence is also included in Table D.1.1c.

D.1.2 Turbine Trip (T2VL)

T * FW * PCS * SCS * SPC * CSS * VENT * SUR

In this accident sequence, a transient, such as turbine trip, MSIV closure, or loss of feedwater occurs followed by successful scram and SRV operation. The main feedwater system fails, but high pressure core spray (HPCS) and one train of the control rod drive (CRD) system operate to provide high pressure injection. Normal containment and primary heat removal systems fail, and venting fails. Containment pressure increases until a leak develops. Depending on its location, this leak will produce an environment which could result in failure of systems that are operating or that may be able to operate. The maximum time available for the operators to perform successful recovery actions is approximately 27 hours. In some cases, e.g., venting, less time is available. The amount of time depends on the nature of the failures that constitute the cutset and what recovery action is considered.

The T2VL sequence has an estimated base case frequency of 7.82E-6 events/year. An examination of 896 cutsets for this sequence showed that the top 115 cutsets, which have human error events, account for a total frequency of 7.28E-6 events/year. There are no double, triple, or quadruple human error combinations observed in these top 115 cutsets. However, there are double and triple human error combinations in cutsets with frequency below 3E-10/year. Four cutset-dependent recovery errors, RA-1-1-27H, RA-2-11-27H, RA-MSLDV-1-2H, and OPFAIL-VENT-2H, occur within the top 115 cutsets. There was no sequence-dependent recovery error modeled in the cutsets of this sequence.

Table D.1.1a. Human Errors in T8 Sequence

                     First Cutset-Term
                     Number where         Number of
Human Error          HE Appears           Occurrences    HEP
RA-8-1H              1                    1129           2.50E-1
RA-3-12-80M          6                    12             3.50E-3
RA-9-1H              7                    704            9.30E-1
OPFAILS-REOPEN       8                    153            1.00
RA-15-1H             16                   2              9.10E-1
RA-8-10H             70                   2201           2.00E-2
RA-9-2H              70                   1828           8.70E-1
DGOMOD-RUM-0         84                   2              1.40E-3
OPFAIL-REOPN-20M     214                  60             3.50E-1
DGOV01CA-RUM-0       554                  16             1.40E-3
RA-1-3-1H            624                  206            3.20E-3
RA-2-3-1H            1170                 9              6.90E-3
OPFAIL-REOPN-1H      1527                 173            2.50E-3
OPFAILSCDS-0E-8M     1694                 4              3.40E-1
RA-1-3-10H           1977                 336            2.60E-3
RHRC003B-RUM-1       2440                 4              3.30E-4
RA-3-12-2H           2713                 16             2.40E-3
RA-2-3-10H           2768                 21             2.60E-3

Table D.1.1b. Combinations of Human Errors in Top 250 Cutsets of T8 Sequence

Combination                                             Number of      Calculated Product    Product Range
Type          Human Error Combination                   Occurrences    of HEPs               Minimum     Maximum
Double        RA-8-1H * RA-9-1H                         151            2.33E-1               8.03E-1     1.0
              RA-8-10H * RA-9-2H                        16             1.74E-2               2.31E-5     5.22E-1
              OPFAILS-REOPEN * RA-8-1H                  7              2.50E-1               6.42E-4     1.0
              RA-8-1H * RA-15-1H                        2              2.28E-1               3.02E-4     1.0
              DGOV01CA-RUM-0 * RA-8-1H                  2              3.50E-4               5.86E-7     3.22E-2
Triple        OPFAILS-REOPEN * RA-8-1H * RA-9-1H        34             2.33E-1               2.06E-5     1.0
              RA-8-10H * RA-9-2H * OPFAILS-REOPEN       10             1.74E-2               1.54E-6     5.20E-1
              OPFAIL-REOPN-20M * RA-8-1H * RA-9-1H                     8.14E-2               3.09E-6     1.0

Table D.1.1c. Dominant Human Errors in T8 Sequence

                                                                            Error Categorization
Human Error       Assessed       Description                            Timing    Personnel    Activ.    Om/Com    Location
                  Probability
RA-8-1H           2.50E-1        Restoration of offsite AC power        During    RO/NL        Ops.      Om        CROCR
                                 within 1 hour of LOSP
RA-9-1H           9.30E-1        Repair of DG failure within 1 hour     During    RO/MT        Maint.    Om        OCR
OPFAILS-REOPEN    1.00           Operator failure to reopen RCIC        During    RO           Ops.      Om        CR
                                 valve F063
RA-9-2H           8.70E-1        Repair of DG failure within 2 hours    During    RO/MT        Maint.    Om        OCR
RA-8-10H          2.00E-2        Restoration of offsite AC power        During    RO/NL        Ops.      Om        CROCR
                                 within 10 hrs. of LOSP
RA-15-1H          9.10E-1        Repair of DG common mode failure       During    RO/MT        Maint.    Om        OCR
                                 within 1 hour

Table D.1.2a shows the list of human errors which occur in the T2VL sequence. Table D.1.2b shows the double and triple human error combinations that exist in the less dominant cutsets, i.e., cutsets with estimated frequencies of less than 3E-10/year. Finally, Table D.1.2c shows the summary description and error categorization of those dominant human errors that appear to have an impact on the accident sequence frequency.

Table D.1.2a. Human Errors in T2VL Sequence

                     First Cutset-Term
                     Number where         Number of
Human Error          HE Appears           Occurrences    HEP
RA-1-1-27H           17                   334            2.10E-3
RA-2-11-27H          26                   141            1.60E-3
RA-MSLDV-1-2H        51                   169            2.10E-3
OPFAIL-VENT-2H       52                   260            2.10E-3
RHRC003B-RUM-1       240                  1              3.30E-4
LCSC002A-RUM-1       241                  1              3.30E-4
1EDC2DEP-FRP-27H     338                  6              2.00E-2
RA-5V-1-2H           340                  163            2.10E-3
TDRFP-T-0E-27H       346                  216            2.60E-3
RA-7-1-27H           378                  7              2.10E-3

Table D.1.2b. Combinations of Human Errors in Less Dominant Cutsets (<3.0E-10/yr) of T2VL Sequence

Combination                                                 Number of      Calculated Product    Product Range
Type          Human Error Combination                       Occurrences    of HEPs               Minimum     Maximum
Double        RA-5V-1-2H * RA-1-1-27H                       51             4.00E-6               1.70E-9     5.88E-4
              OPFAIL-VENT-2H * TDRFP-T-0E-27H               37             5.46E-6               2.36E-9     4.17E-4
              RA-5V-1-2H * RA-2-11-27H                      24             3.20E-6               1.02E-9     3.53E-4
              OPFAIL-VENT-2H * RA-1-1-27H                   17             4.41E-6               1.70E-9     5.88E-4
              RA-5V-1-2H * TDRFP-T-0E-27H                   9              5.46E-6               2.36E-9     4.17E-4
              OPFAIL-VENT-2H * RA-2-11-27H                  9              3.36E-6               1.02E-9     3.53E-4
              1EDC2DEP-FRP-27H * RA-MSLDV-1-2H              4              4.20E-5               5.13E-8     7.80E-3
              OPFAIL-VENT-2H * RA-7-1-27H                   1              4.41E-6               2.38E-9     4.20E-4
Triple        OPFAIL-VENT-2H * TDRFP-T-0E-27H * RA-1-1-27H  134            1.15E-8               1.12E-13    8.76E-6
              OPFAIL-VENT-2H * TDRFP-0E-27H * RA-2-11-27H   35             8.74E-9               6.74E-14    5.26E-6

Table D.1.2c. Dominant Human Errors in T2VL Sequence

                                                                            Error Categorization
Human Error       Assessed       Description                            Timing    Personnel    Activ.    Om/Com    Location
                  Probability
RA-1-1-27H        2.10E-3        Manual operation within 27 hrs. of     During    RO           Ops.      Om        CR
                                 a system or component from the
                                 control room
RA-2-11-27H       1.60E-3        Local operation within 27 hrs. of      During    RO/NL        Ops.      Om        OCR
                                 manually controlled components
RA-MSLDV-1-2H     2.10E-3        Operator opens main steamline          During    RO           Ops.      Om        CR
                                 drain valve
OPFAIL-VENT-2H    2.10E-3        Operator fails to vent in 2 hrs.       During    RO/NL        Ops.      Om        CROCR

D.1.3 Loss of Offsite Power or Loss of AC or DC Bus (T3E)

T * FW * HPCS * PCS * SCS * CSS * CRD2 * CDS * LPCI * LPCS

In this sequence, a transient such as loss of offsite AC power, or loss of an AC or DC bus, occurs followed by successful scram and SRV operation. All high pressure injection except RCIC fails (i.e., RCIC is available) and containment and primary system heat removal fail. The automatic depressurization system (ADS) functions, but the low pressure systems are unavailable. The overall time available to the operators to perform successful recovery actions is approximately two hours. In some cases (e.g., restoring offsite power when a DG has been running for some period of time), available time for recovery is longer.

The T3E sequence has an estimated base frequency of 4.82E-6 events/year. Out of 3,054 cutset terms for this sequence, the top 800 cutsets which contain human errors have a total frequency of 4.60E-6 events/year. Two recovery events, RA-8-8H and RA-8-10H, are sequence-dependent and occur in all cutsets, depending on the assumed time available for successful recovery actions. The total frequency for all cutsets, in the top 800 terms, containing double human errors is 1.83E-6/year. The total frequency for all cutsets containing triple human errors in the top 800 terms is 1.25E-8/year. There were no cutsets in the top 800 terms that contain quadruple human errors.

Table D.1.3a shows the list of human errors which occur in the cutsets of the T3E sequence. Double and triple human error combinations that exist in the top 800 cutsets are shown in Table D.1.3b. Table D.1.3c provides the summary description and error categorization of those dominant human errors that appear to have a significant effect on the accident sequence frequency.

Table D.1.3a. Human Errors in T3E

                     First Cutset-Term
                     Number where         Number of
Human Error          HE Appears           Occurrences    HEP
RA-8-8H              1                    1224           2.70E-2
OPFAILSCDS-0E-8M     2                    17             3.40E-1
RA-15-8H             6                    6              4.50E-1
CRD-REALIGN-0E       7                    1              2.10E-3
RA-9-8H              8                    986            6.00E-1
RA-8-10H             9                    1782           2.00E-2
RA-9-2H              9                    1614           8.70E-1
DGOV01CA-RUM-0       381                  28             1.40E-3
RA-1-1-10H           385                  62             2.10E-3
RA-1-3-13H           1035                 11             2.60E-3
RA-1-3-8H            1036                 61             2.60E-3
RA-9-10H             1422                 38             5.50E-1
RA-1-3-10H           2386                 65             2.60E-3
DGOMOD-RUM-0         2588                 4              1.40E-3
RA-2-3-8H            2612                 3              2.60E-3
RA-2-3-10H           2804                 9              2.60E-3
RA-7-3-8H            2891                 1              2.60E-3
RA-1-1-8H            2946                 1              2.10E-3
RA-7-3-10H           3001                 3              2.60E-3

Table D.1.3b. Combinations of Human Errors in Top 800 Cutsets of T3E Sequences

Combination                                             Number of      Calculated Product    Product Range
Type          Human Error Combination                   Occurrences    of HEPs               Minimum     Maximum
Double        RA-8-10H * RA-9-2H                        400            1.74E-2               2.31E-5     5.20E-1
              RA-8-8H * RA-9-8H                         315            1.74E-2               2.15E-5     7.02E-1
              RA-8-10H * RA-9-10H                       7              2.50E-2               1.46E-5     5.20E-1
              DGOV01CA-RUM-0 * RA-8-8H                  4              2.28E-5               6.33E-8     2.26E-2
              OPFAILSCDS-0E-8M * RA-1-1-10H             4              3.50E-4               9.85E-7     2.10E-2
              RA-8-8H * RA-15-8H                        1              1.22E-2               1.61E-5     7.02E-1
Triple        DGOV01CA-RUM-0 * RA-8-10H * RA-9-2H       7              2.44E-5               1.40E-9     1.67E-2
              DGOV01CA-RUM-0 * RA-8-8H * RA-9-8H        5              2.27E-5               1.31E-9     2.26E-2

Table D.1.3c. Dominant Human Errors in T3E Sequence

                                                                            Error Categorization
Human Error       Assessed       Description                            Timing    Personnel    Activ.    Om/Com    Location
                  Probability
RA-8-8H           2.70E-2        Restoration of offsite AC power        During    RO/NL        Ops.      Om        CROCR
                                 within 8 hrs. of LOSP
RA-9-8H           6.00E-1        Repair of DG failure within 8 hrs.     During    RO/MT        Ops.      Om        OCR
RA-8-10H          2.00E-2        Restoration of offsite AC power        During    RO/NL        Ops.      Om        CROCR
                                 within 10 hrs. of LOSP
RA-9-2H           8.70E-1        Repair of DG failure within 2 hrs.     During    RO/MT        Maint.    Om        OCR

D.1.4 Loss of 4.16kV AC Bus (T2VCL)

T * FW * PCS * SCS * SPC * CSS * VENT * CRD1 * SUR

In this sequence, a transient such as loss of a 4.16kV AC bus or loss of offsite AC power occurs followed by successful scram and SRV operation. The main feedwater system and the CRD system fail, but the HPCS system functions to provide high pressure injection. The normal containment and primary heat removal systems fail, and venting fails. Containment pressure increases until a leak develops. Depending on its location, this leak will produce an environment which results in failure of systems that are operating or that may be able to operate. The overall time available to operators to perform successful recovery actions is approximately 27 hours. In some cases (e.g., venting) less time is available.

The T2VCL sequence has an estimated base frequency of 2.01E-6 events/year. An examination of 4,565 cutsets for this sequence showed that the top 550 cutsets which contain human errors have a total frequency of 1.90E-6 events/year. A recovery event, RA-8-27H, is sequence-dependent and occurs in most of the 550 dominant cutsets. The total frequency for all cutsets in the top 550 terms containing double human errors is 6.13E-7/year. The total frequency for all cutsets containing triple human errors in the top 550 terms is 3.75E-9/year.

Table D.1.4a shows the list of human errors which occur in the cutsets of the T2VCL sequence. Double and triple human error combinations that exist in the top 550 cutsets are shown in Table D.1.4b. Finally, Table D.1.4c provides the summary description and error categorization of those dominant human errors that appear to have a significant effect on the accident sequence frequency.

Table D.1.4a. Human Errors in T2VCL

                     First Cutset-Term
                     Number where         Number of
Human Error          HE Appears           Occurrences    HEP
RA-8-27H             5                    1008           4.50E-3
RA-9-27H             5                    492            4.00E-1
RA-1-1-27H           10                   1760           2.10E-3
RA-2-11-27H          17                   61             1.60E-3
DGOV01CA-RUM-0       70                   16             1.40E-3
1EDC2DEP-FRP-27H     145                  105            2.00E-2
CRD1-REALIGN-0E      647                  167            2.10E-3
RHRC003B-RUM-1       667                  1              3.30E-4
RA-10-1-27H          732                  76             2.10E-3
RA-1-3-27H           838                  11             2.60E-3
OPFAIL-VENT-2H       1200                 24             2.10E-3
DGOMOD-RUM-0         1227                 2              1.40E-3
RA-MSLDV-1-2H        1296                 778            2.10E-3
RA-2-1-27H           1474                 614            2.10E-3

Table D.1.4b. Combinations of Human Errors in Top 550 Cutsets of T2VCL Sequence

Combination                                             Number of      Calculated Product    Product Range
Type          Human Error Combination                   Occurrences    of HEPs               Minimum     Maximum
Double        RA-8-27H * RA-9-27H                       266            1.80E-3               2.39E-6     1.17E-1
              RA-8-27H * DGOV01CA-RUM-0                 3              6.30E-6               1.05E-8     3.77E-3
Triple        RA-8-27H * RA-9-27H * DGOV01CA-RUM-0      2              2.52E-6               1.45E-10    3.77E-3

Table D.1.4c. Dominant Human Errors in T2VCL Sequence

                                                                            Error Categorization
Human Error       Assessed       Description                            Timing    Personnel    Activ.    Om/Com    Location
                  Probability
RA-8-27H          4.50E-3        Restoration of offsite AC power        During    RO/NL        Ops.      Om        CROCR
                                 within 27 hrs of LOSP
RA-9-27H          4.00E-1        Repair of DG failure within 27 hrs.    During    RO/MT        Maint.    Om        OCR
RA-1-1-27H        2.10E-3        Manual operation within 27 hrs. of     During    RO           Ops.      Om        CR
                                 a system or component from the
                                 control room
RA-2-11-27H       1.60E-3        Local operation within 27 hrs. of      During    RO/NL        Ops.      Om        OCR
                                 manually controlled components

D.1.5 Loss of 125V DC Bus or Loss of Main Feedwater (T2)

T * FW * PCS * SCS * SPC * CSS * SUR

In this sequence, a transient, such as loss of a 125 volt DC bus or loss of main feedwater, occurs followed by successful scram and SRV operation. The main feedwater system fails, but HPCS functions to provide high pressure injection. The normal containment and primary heat removal systems fail, but the operators are able to vent. Successful venting could produce a humid environment in the secondary containment, which may result in failure of systems that are operating or that may be able to operate. The overall time available to the operators to perform successful recovery actions is approximately 27 hours.

The T2 sequence has an estimated base frequency of 5.11E-7 events/year. Out of 456 terms for this sequence, the top 40 cutsets which contain human errors have a total frequency of 4.71E-7 events/year. There are no sequence-dependent recovery events observed in this particular accident sequence. However, "NOT" events describing human actions in successful venting occur in all cutsets of this sequence. Also, no double, triple, or quadruple human error combinations were observed in the top 40 cutsets.

Table D.1.5a shows the list of human errors which occur in the T2 sequence. Table D.1.5b shows the double human error combinations that exist in less dominant cutsets, i.e., cutsets with estimated frequencies of less than 5.0E-11/year. Finally, Table D.1.5c shows the summary description and error categorization of dominant human errors that appear to have an impact on the accident sequence frequency.

Table D.1.5a. Human Errors in T2 Sequence

                     First Cutset-Term
                     Number where         Number of
Human Error          HE Appears           Occurrences    HEP
RA-8-27H             9                    33             4.50E-3
TDRFP-T-0E-27H       49                   216            2.60E-3
RA-1-1-27H           51                   224            2.10E-3
RA-2-11-27H          60                   74             1.60E-3
RA-7-1-27H           117                  1              2.10E-3

Table D.1.5b. Combinations of Human Errors in Less Dominant Cutsets (<5E-11/yr) of T2 Sequence

Combination                                             Number of      Calculated Product    Product Range
Type          Human Error Combination                   Occurrences    of HEPs               Minimum     Maximum
Double        TDRFP-T-0E-27H * RA-1-1-27H               134            5.46E-6               3.14E-9     3.13E-4
              TDRFP-T-0E-27H * RA-2-11-27H              35             4.16E-6               1.89E-9     1.88E-4
              RA-1-1-27H * RA-8-27H                     21             9.45E-6               8.23E-9     2.46E-3
              RA-2-11-27H * RA-8-27H                    5              7.20E-6               4.95E-9     1.47E-3

Table D.1.5c. Dominant Human Errors in T2 Sequence

                                                                            Error Categorization
Human Error       Assessed       Description                            Timing    Personnel    Activ.    Om/Com    Location
                  Probability
RA-8-27H          4.50E-3        Restoration of offsite AC power        During    RO/NL        Ops.      Om        CROCR
                                 within 27 hrs. of LOSP
TDRFP-T-0E-27H    2.60E-3        Operator failure to trip turbine       During    RO           Ops.      Om        CR
                                 driven reactor feedwater pumps
                                 within 27 hrs.
RA-1-1-27H        2.10E-3        Manual operation within 27 hrs of      During    RO           Ops.      Om        CR
                                 a system or component from the
                                 control room

D.1.6 Loss of Main Feedwater Transient-Induced LOCA (TL2)

T * SRVC * FW * PCS * SCS * SPC * CSS * SUR

In this sequence, a transient such as loss of main feedwater occurs followed by a successful scram. The SRVs open, but one or more SRVs fail to reclose when required (i.e., a stuck open SRV), resulting in a transient-induced LOCA. The main feedwater system fails, but HPCS functions to provide high pressure injection. The normal containment and primary heat removal systems fail, but the operators are able to vent. Successful venting produces a humid environment in the secondary containment which may result in failure of operating systems or systems that may be able to operate. The overall time available to the operators to perform successful recovery actions is approximately 27 hours.

The TL2 sequence has an estimated base frequency of 3.61E-7 events/year. Out of 292 cutset terms for this sequence, the top 25 cutsets which contain human errors have a total frequency of 3.46E-7 events/year. There are no sequence-dependent recovery events observed in the cutsets of this accident sequence. Also, no double, triple, or quadruple human error combinations were observed in the top 25 cutsets.

Table D.1.6a shows the list of human errors which occur in the TL2 sequence. Table D.1.6b shows the double human error combination that exists in less dominant cutsets, i.e., cutsets with estimated frequencies of less than 7.0E-13/year. Table D.1.6c shows the summary description and error categorization of dominant human errors in this accident sequence.

D.2 ANALYSIS OF RA-TYPE RECOVERY ACTIONS

Operator recovery actions identified as RA-type actions were "ANDed" to accident sequence cutsets in the LaSalle PRA to represent the ability of plant operators and other support personnel to prevent or mitigate core damage during the accident sequence. To determine the role of these RA-type actions in reducing risk at the LaSalle nuclear station, the dominant cutsets in all 37 "internal events" initiated accident sequences were reviewed by Brookhaven National Laboratory. Based on an analysis and review of dominant cutsets in these 37 sequences, 49 RA-type actions (48 RA-xxx errors plus RLOSP) were identified to have an impact on the cutset frequencies. The summary description of each RA-type recovery action and its associated error probability is provided in Table D.2.1.

Table D.1.6a. Human Errors in TL2 Sequence

Human Error        First Cutset-Term Number   Number of     HEP
                   where HE Appears           Occurrences
RA-1-1-27H         16                         121           2.10E-3
RA-2-11-27H        35                         36            1.60E-3
TDRFP-T-OE-27H     47                         58            2.60E-3
RA-8-27H           58                         3             4.50E-3
MFS-RESET-OE-27H   174                        4             2.10E-3
RA-7-1-27H         233                        1             2.10E-3

Table D.1.6b. Combinations of Human Errors in Less Dominant Cutsets (<7.0E-13/yr) of TL2 Sequence

Combination   Human Error Combination        Number of     Calculated Product   Product Range
Type                                         Occurrences   of HEPs              Minimum    Maximum
Double        TDRFP-T-OE-27H * RA-1-1-27H    28            5.46E-6              3.14E-9    3.13E-4

Table D.1.6c. Dominant Human Errors in TL2 Sequence

Human Error      Assessed      Error Categorization                             Description
                 Probability   Timing   Personnel   Activ.   Om/Com   Location
RA-1-1-27H       2.10E-3       During   RO          Ops.     Om       CR        Manual operation within 27 hrs. of a system or component from the control room
RA-2-11-27H      1.60E-3       During   RO/NL       Ops.     Om       OCR       Local operation within 27 hrs. of manually controlled components
TDRFP-T-OE-27H   2.60E-3       During   RO          Ops.     Om       CR        Operator failure to trip turbine driven reactor feedwater pumps within 27 hrs.

Table D.2.1. RA-Type Recovery Errors Used in Sensitivity Study

Recovery Event      Error         Description
                    Probability
RA-8-48M            0.3           Restoration of offsite AC power within 48 mins. of LOSP
RA-8-1H             0.25          Restoration of offsite AC power within 1 hr. of LOSP
RA-8-80M            0.2           Restoration of offsite AC power within 80 mins. of LOSP
RA-9-48M            0.96          Repair of DG failure within 48 mins.
RA-9-1H             0.93          Repair of DG failure within 1 hr.
RA-9-2H             0.87          Repair of DG failure within 2 hrs.
RA-15-48M           0.95          Repair of DG common mode failure within 48 mins.
RA-15-1H            0.91          Repair of DG common mode failure within 1 hr.
RA-1-3-1H           3.2E-3        Manual operation within 1 hr. of a system or component from the control room which failed to automatically actuate
RA-2-3-1H           6.9E-3        Local operation within 1 hr. of a system or component which failed to automatically actuate
RA-3-12-68M         1.8E-2        Open RCIC isolation valve(s) within 68 mins. given RCIC room isolation
RA-ATW-11-11-30M    1.0           Close SBLC F016 or F017 valve within 30 mins. after occurrence of an ATWS, given the failure to close the valves following a previous test on the SBLC system
RA-ATWS-12-3-10M    1.0           Locally close RWCU valve F004 within 10 mins. after occurrence of an ATWS
RA-8-8H             2.7E-2        Restoration of offsite AC power within 8 hrs. of LOSP
RA-8-10H            2.0E-2        Restoration of offsite AC power within 10 hrs. of LOSP
RA-9-8H             0.6           Repair of DG failure within 8 hrs.
RA-9-10H            0.55          Repair of DG failure within 10 hrs.
RA-6-4H             0.5           If 1 electric power train has failed 1/2 of the time, pump seal LOCA will occur on the recirculation pump. Operators isolate recirculation pump seal LOCA and restore PCS.
RA-15-8H            0.45          Repair of DG common mode failure within 8 hrs.
RA-1-1-8H           2.1E-3        Manual operation within 8 hrs. of a system or component from the control room that has no automatic actuation or prior to its automatic operation if it has automatic actuation
RA-1-1-10H          2.1E-3        Manual operation within 10 hrs. of a system or component from the control room that has no automatic actuation or prior to its automatic actuation if it has automatic actuation
RA-1-3-8H           2.6E-3        Manual operation within 8 hrs. of a system or component from the control room which failed to automatically actuate
RA-1-3-10H          2.6E-3        Manual operation within 10 hrs. of a system or component from the control room which failed to automatically actuate
RA-2-3-8H           2.6E-3        Local operation within 8 hrs. of a system or component which failed to automatically actuate
RA-2-3-10H          2.6E-3        Local operation within 10 hrs. of a system or component which failed to automatically actuate
RA-3-12-80M         3.5E-3        Open RCIC isolation valve(s) within 80 mins. given RCIC room isolation
RA-3-12-2H          2.4E-3        Open RCIC isolation valve(s) within 2 hrs. given RCIC room isolation
RA-5V-1-2H          2.1E-3        Operators vent within 2 hrs. through alternate vent path
RA-7-3-8H           2.6E-3        Locally open within 8 hrs. a manual valve closed due to unscheduled maintenance on RHR pump C003B - restores injection
RA-7-3-10H          2.6E-3        Locally open within 10 hrs. a manual valve closed due to unscheduled maintenance on RHR pump C003B - restores injection
RA-MSLDV-1-2H       2.1E-3        Operator opens main steam line drain valve
RA-AWS-1-1-5H       2.1E-3        Manual operation within 5 hrs. of a system or component which failed to automatically actuate after the occurrence of an AWS
RA-AWS-2-1-5H       2.1E-3        Local operation within 5 hrs. of a system or component which failed to automatically actuate after the occurrence of an AWS
RA-8-23H            4.5E-3        Restoration of offsite AC power within 23 hrs. of LOSP
RA-8-27H            4.5E-3        Restoration of offsite AC power within 27 hrs. of LOSP
RA-9-23H            0.41          Repair of DG failure within 23 hrs.
RA-9-27H            0.4           Repair of DG failure within 27 hrs.
RA-1-1-23H          2.1E-3        Manual operation within 23 hrs. of a system or component from the control room that has no automatic actuation or prior to its automatic operation if it has automatic actuation
RA-1-1-27H          2.1E-3        Manual operation within 27 hrs. of a system or component from the control room that has no automatic actuation or prior to its automatic operation if it has automatic actuation
RA-1-3-13H          2.6E-3        Manual operation within 13 hrs. of a system or component from the control room which failed to automatically actuate
RA-1-3-27H          2.6E-3        Manual operation within 27 hrs. of a system or component from the control room which failed to automatically actuate
RA-2-1-27H          2.1E-3        Local operation within 27 hrs. of a system or component that has no automatic actuation
RA-2-3-27H          2.6E-3        Local operation within 27 hrs. of a system or component which failed to automatically actuate
RA-2-11-27H         1.6E-3        Local operation within 27 hrs. of manually controlled components normally operated from the control room when control room operations fails
RA-7-1-27H          2.1E-3        Locally open within 27 hrs. of a manual valve closed due to unscheduled maintenance on RHR pump C003B; restores heat removal
RA-5V-1-6H          2.1E-3        Operators vent within 6 hrs. through alternate vent path
RLOSP               1.8E-4        Random loss of offsite power
RA-10-1-27H         2.1E-3        Replace a fuse within 27 hrs. in a system or component that has not automatic operation if it has automatic actuation.
RA-ATWS-1-3-33M     1.8E          Manual operation within 33 mins. of a system or component from the control room which failed to automatically actuate after the occurrence of an ATWS

Footnotes:

1) 5.0E 5 x 10'3
2) Recovery error probability is the estimated probability of failure to recover from a fault. Thus, a recovery error probability of 1.0 means no recovery, and a recovery error probability of 0.0 means perfect or completely successful recovery.
3) ATWS = Anticipated Transient Without Scram
   DG = Diesel Generator
   PCS = Power Conversion System
   RCIC = Reactor Core Isolation Cooling
   RWCU = Reactor Water Cleanup
   RHR = Residual Heat Removal
   SBLC = Standby Liquid Control

An examination of the top 50 cutsets in all 37 accident sequences showed the existence of multiple RA-type recovery errors, largely in terms of double combinations. Triple or quadruple combinations of RA-type actions were not observed in the dominant cutsets. However, these triple or quadruple combinations occur in cutsets with very low estimated frequencies. Table D.2.2 lists the accident sequences with double combinations of RA-type actions that occur in top level cutsets of the sequences.

D.3 SUMMARY

The analysis of cutsets in the six dominant accident sequences shows that certain individual cutsets with multiple human errors will be extremely sensitive to an increase in their human error probabilities (HEPs) when all HEPs are increased simultaneously in some of the sensitivity calculations. For example, less dominant cutsets in the T2VL sequence containing double human error combinations of RA-5V-1-2H * RA-1-1-27H (calculated product of HEPs = 4.0E-6) will have their cutset frequencies increased by a factor of 2.5 x 10^5 when the HEPs are increased to 1. Triple human error combinations such as DCOV01CA RUM 0 * RA-8-10H * RA-9-2H (calculated product of HEPs = 2.44E-5), which occur in the T3E sequence, will cause the frequency of their associated cutsets to increase by a factor of 4.0 x 10^4 when all the HEPs are increased to 1.

Table D.2.2. Accident Sequences with Multiple RA-Type Recovery Errors in Top 50 Cutsets

Accident Sequence   Number of Occurrences
                    Double    Triple
T2VCR               18        0
T2VCL               13        0
T3CCL               33        0
T3DCL               42        0
T3E                 40        0
TL2VCL              8         0
TL3E                42        0
TL89                43        0
T8                  42        0
TOTAL               281       0

In addition to the RA-type recovery errors found to have a significant effect on accident sequence frequencies, other human errors which appear in cutsets together with these recovery errors were determined to have a dominant effect on the sequence frequencies. Table D.3.1 lists all those dominant human errors identified for the six dominant sequences. These errors are the ones appearing in the dominant human error tables (D.1.1c and other c-tables) for each sequence in Section D.2. All of the 15 dominant human errors are categorized as "during-accident" and omission errors. Under the category of personnel involvement for these errors, the grouping is as follows: 4 RO, 6 RO/NL, and 5 RO/MT errors. In terms of the type of utility program activity, 10 of the dominant human errors are categorized as operations-related and the remaining five human errors are maintenance-related. Finally, four dominant human errors are considered to occur in the control room (CR), seven dominant human errors occur outside the control room (OCR), while the location of occurrence of the four remaining dominant human errors is uncertain (CROCR).

Table D.3.1. Important Human Errors

Human Error       Assessed      Description
                  Probability
RA-8-1H           2.50E-1       Restoration of offsite AC power within 1 hr. of LOSP
RA-9-1H           9.30E-1       Repair of DG failure within 1 hr.
OPFAILS-REOPEN    1.00          Operator failure to reopen RCIC valve F063
RA-9-2H           8.70E-1       Repair of DG failure within 2 hrs.
RA-8-10H          2.00E-2       Restoration of offsite AC power within 10 hrs. of LOSP
RA-15-1H          9.10E-1       Repair of DG common mode failure within 1 hr.
RA-1-1-27H        2.10E-3       Manual operation within 27 hrs. of a system or component from the control room
RA-2-11-27H       1.60E-3       Local operation within 27 hrs. of manually-controlled components
RA-MSLDV-1-2H     2.10E-3       Operator fails to open main steamline drain valve
OPFAIL-VENT-2H    2.10E-3       Operator fails to vent within 2 hrs.
RA-8-8H           2.70E-2       Restoration of offsite AC power within 8 hrs. of LOSP
RA-9-8H           6.00E-1       Repair of DG failure within 8 hrs.
RA-8-27H          4.50E-3       Restoration of offsite AC power within 27 hrs. of LOSP
RA-9-27H          4.00E-1       Repair of DG failure within 27 hrs.
TDRFP-T-OE-27H    2.60E-3       Operator failure to trip turbine driven reactor feedwater pumps within 27 hrs.

APPENDIX E

CALCULATION OF RANGE OF HEPS IN VARIOUS ERROR GROUPS
Table E.1. Calculation of Range of HEP in Sensitivity Group ONE Human Errors

Example Case: OPFAIL-SLCOX-56M
Median HEP: 1 x 10^-3

Sources of Uncertainty & Variability   EF    σ_j    μ_j       V_j       S_j
1) Lack of Data                        6     1.09   1.81E-3   7.47E-6   2.73E-3
2) Inexactness of Model                7     1.18   2.01E-3   1.22E-5   3.50E-3
3) Task Differences                    9     1.34   2.45E-3   3.02E-5   5.49E-3
4) Capabilities of HRA Analyst         6     1.09   1.81E-3   7.47E-6   2.73E-3
5) Personnel Variability               10    1.40   2.66E-3   4.32E-5   6.57E-3

μ = 2.15E-3
Σ S_j^2 = 1.01E-4                   TEF without interaction = [illegible]
Σ S_j^2 + ΣΣ S_i S_j = 2.72E-4      TEF with interaction = [illegible]
Upper bound (HIHEP) = HEP_median * TEF = [illegible]
Lower bound (LOHEP) = HEP_median / TEF = [illegible]

Table E.2. Calculation of Range of HEP in Sensitivity Group TWO Human Errors

Example Case: TDRFP-T-OE-56M
Median HEP: 1.5E-3

Sources of Uncertainty & Variability   EF    σ_j    μ_j       V_j       S_j
1) Lack of Data                        2     0.42   1.64E-3   5.19E-7   7.20E-4
2) Inexactness of Model                3     0.67   1.88E-3   2.00E-6   1.42E-3
3) Task Differences                    2     0.42   1.64E-3   5.19E-7   7.20E-4
4) Capabilities of HRA Analyst         2     0.42   1.64E-3   5.19E-7   7.20E-4
5) Personnel Variability               7     1.18   3.01E-3   2.74E-5   5.23E-3

μ = 1.96E-3
Σ S_j^2 = 3.10E-5                   TEF without interaction = [illegible]
Σ S_j^2 + ΣΣ S_i S_j = 5.44E-5      TEF with interaction = [illegible]
Upper bound (HIHEP) = HEP_median * TEF = 2.25E-2
Lower bound (LOHEP) = HEP_median / TEF = [illegible]

Table E.3. Calculation of Range of HEP in Sensitivity Group THREE Human Errors

Example Case: RA-1-1-8H
Median HEP: 1 x 10^-3

Sources of Uncertainty & Variability   EF    σ_j    μ_j       V_j       S_j
1) Lack of Data                        6     1.09   1.81E-3   7.47E-6   2.73E-3
2) Inexactness of Model                6     1.09   1.81E-3   7.47E-6   2.73E-3
3) Task Differences                    5     0.98   1.62E-3   4.23E-6   2.06E-3
4) Capabilities of HRA Analyst         2     0.42   1.09E-3   2.29E-7   4.79E-4
5) Personnel Variability               7     1.18   2.01E-3   1.22E-5   3.50E-3

μ = 1.67E-3
Σ S_j^2 = 3.16E-5                   TEF without interaction = [illegible]
Σ S_j^2 + ΣΣ S_i S_j = 8.19E-5      TEF with interaction = [illegible]
Upper bound (HIHEP) = HEP_median * TEF = [illegible]
Lower bound (LOHEP) = HEP_median / TEF = 4.76E-5

Table E.4. Calculation of Range of HEP in Sensitivity Group FOUR Human Errors

Example Case: RHRC003B RUM 1
Median HEP: 3.3 x 10^-4

Sources of Uncertainty & Variability   EF    σ_j    μ_j       V_j       S_j
1) Lack of Data                        10    1.40   8.79E-4   4.71E-6   2.17E-3
2) Inexactness of Model                5     0.98   5.33E-4   4.58E-7   6.77E-4
3) Task Differences                    5     0.98   5.33E-4   4.58E-7   6.77E-4
4) Capabilities of HRA Analyst         3     0.67   4.13E-4   9.66E-8   3.11E-4
5) Personnel Variability               3     0.67   4.13E-4   9.66E-8   3.11E-4

μ = 5.54E-4
Σ S_j^2 = 5.82E-6                   TEF without interaction = [illegible]
Σ S_j^2 + ΣΣ S_i S_j = 1.15E-5      TEF with interaction = [illegible]
Upper bound (HIHEP) = HEP_median * TEF = [illegible]
Lower bound (LOHEP) = HEP_median / TEF = [illegible]

Table E.5. Calculation of Range of HEP in Sensitivity Group FIVE Human Errors

Example Case: RA-8-10H
Median HEP: 2 x 10^-2

Sources of Uncertainty & Variability   EF    σ_j    μ_j       V_j       S_j
1) Lack of Data                        10    1.40   5.33E-2   1.73E-2   1.32E-1
2) Inexactness of Model                6     1.09   3.62E-2   2.99E-3   5.47E-2
3) Task Differences                    7     1.18   4.01E-2   4.86E-3   6.97E-2
4) Capabilities of HRA Analyst         5     0.98   3.23E-2   1.68E-3   4.10E-2
5) Personnel Variability               6     1.09   3.62E-2   2.99E-3   5.47E-2

μ = 3.96E-2
Σ S_j^2 = 2.98E-2                   TEF without interaction = 12.1
Σ S_j^2 + ΣΣ S_i S_j = 7.68E-2      TEF with interaction = [illegible]
Upper bound (HIHEP) = HEP_median * TEF = 5.20E-1
Lower bound (LOHEP) = HEP_median / TEF = [illegible]

Table E.6. Calculation of Range of HEP in Sensitivity Group SIX Human Errors

Example Case: RA-9-27H
Median HEP: 4 x 10^-1

Sources of Uncertainty & Variability   EF    σ_j    μ_j       V_j       S_j
1) Lack of Data                        10    1.40   1.07      6.98      2.64
2) Inexactness of Model                9     1.34   9.82E-1   4.84      2.20
3) Task Differences                    9     1.34   9.82E-1   4.84      2.20
4) Capabilities of HRA Analyst         3     0.67   5.01E-1   1.42E-1   3.77E-1
5) Personnel Variability               7     1.18   8.02E-1   1.95      1.39

μ = 8.67E-1
Σ S_j^2 = 18.8                      TEF without interaction = [illegible]
Σ S_j^2 + ΣΣ S_i S_j = 48.2         TEF with interaction = [illegible]
Upper bound (HIHEP) = HEP_median * TEF = 1.0
Lower bound (LOHEP) = HEP_median / TEF = [illegible]
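Added example (not code from the report): the columns of Tables E.1 through E.6 can be reproduced by treating each source of uncertainty as a lognormal distribution with the stated median HEP and error factor. The relations used below, the pairwise interaction sum taken over i < j, the conversion of the total variance into a total error factor (TEF), and the names `source_moments` and `hep_range` are assumptions inferred from the tabulated numbers, which the code matches to within rounding.

```python
import math

Z95 = 1.645  # standard normal deviate of the 95th percentile (assumed link between EF and sigma)


def source_moments(median, ef):
    """One table row: sigma_j, mean mu_j, variance V_j and standard deviation S_j
    of a lognormal with the given median and error factor (EF = 95th pct / median)."""
    sigma = math.log(ef) / Z95
    mean = median * math.exp(sigma ** 2 / 2)
    var = mean ** 2 * (math.exp(sigma ** 2) - 1)
    return sigma, mean, var, math.sqrt(var)


def hep_range(median, error_factors, interaction=True):
    """Combine the five uncertainty sources into a total error factor and HEP bounds."""
    rows = [source_moments(median, ef) for ef in error_factors]
    mu = sum(r[1] for r in rows) / len(rows)           # mean of the mu_j column
    total_var = sum(r[2] for r in rows)                # sum of S_j^2
    if interaction:
        s = [r[3] for r in rows]
        # Assumed interaction term: every pair of sources counted once (i < j).
        total_var += sum(s[i] * s[j]
                         for i in range(len(s)) for j in range(i + 1, len(s)))
    # Lognormal with mean mu and variance total_var, converted back to an error factor.
    sigma_total = math.sqrt(math.log(1 + total_var / mu ** 2))
    tef = math.exp(Z95 * sigma_total)
    return {
        "rows": rows,
        "mu": mu,
        "total_var": total_var,
        "tef": tef,
        "hihep": min(1.0, median * tef),   # a probability cannot exceed 1.0
        "lohep": median / tef,
    }


# Inputs copied from the tables: median HEP and the five EF values.
GROUP_THREE = hep_range(1e-3, [6, 6, 5, 2, 7])      # Table E.3, RA-1-1-8H
GROUP_FIVE = hep_range(2e-2, [10, 6, 7, 5, 6])      # Table E.5, RA-8-10H
GROUP_SIX = hep_range(4e-1, [10, 9, 9, 3, 7])       # Table E.6, RA-9-27H

if __name__ == "__main__":
    for name, g in (("THREE", GROUP_THREE), ("FIVE", GROUP_FIVE), ("SIX", GROUP_SIX)):
        print(f"group {name}: mu={g['mu']:.3g} var={g['total_var']:.3g} "
              f"TEF={g['tef']:.1f} HIHEP={g['hihep']:.3g} LOHEP={g['lohep']:.3g}")
```

The small differences from the printed values come from the tables carrying σ_j and μ_j to two or three significant figures before squaring.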

APPENDIX F

SENSITIVITY OF DOMINANT ACCIDENT SEQUENCES TO HUMAN ERRORS

As discussed in section 5, the dominant accident sequences in the LaSalle PRA model are very sensitive to human errors and vary about two orders of magnitude as HEPs are varied. The six most dominant sequences, which represent about 97.5 percent of the risk in the LaSalle PRA model, are largely transient initiated sequences (see Appendices B and D). In this study, five different accident sequences in the baseline risk model were selected to analyze the role of human errors at the accident sequence level. Each of these five accident sequences represents the most dominant sequence for its type of accident initiator. The accident sequences analyzed along with the predominant initiator for that sequence were:

T8      Loss of Offsite Power (LOOP)
T2VL    Turbine Trip with Bypass Available
TL2     Loss of Feedwater Transient-Induced LOCA
L2VL    Small-small LOCA (Recirculation Pump Seal)
A49     ATWS

The T8 sequence involves a transient event which is largely the loss of offsite AC power event, and failure of all high and low pressure injection systems after successful scram and safety relief valve (SRV) operation. It is responsible for 57% of the total core melt frequency in the base case. The T2VL sequence is initiated by events such as turbine trip, MSIV closure or loss of feedwater transients, but high pressure core spray (HPCS) and one train of the control rod drive (CRD) system operate to provide high pressure injection. This sequence is responsible for 21% of the base case core melt frequency. The TL2 sequence is characterized by a transient initiator, e.g., loss of main feedwater, but one or more SRVs fail to reclose when required (i.e., a stuck open SRV). This sequence accounts for about 14% of the base case core melt frequency. The L2VL sequence is characterized by a small-LOCA initiating event, while the A49 sequence is an ATWS sequence largely initiated by turbine trip without bypass, total main steam isolation valve (MSIV) closure, or loss of condenser vacuum events. These two sequences are sensitive to certain risk significant human errors related to the recovery of a plant-specific system or component, even though each sequence separately accounts for only about 0.1 percent of the base case core melt frequency.

F.1 T8 Sequence

This accident sequence is characterized by a transient event which is mostly a loss of offsite AC power event, and failure of all high and low pressure injection systems after successful scram and SRV operation. Two time-dependent accident scenarios are postulated: (1) an early core damage scenario where all AC power is lost initially and the RCIC system fails due to loss of DC power or RCIC room cooling, and (2) a late core damage scenario where DC power is available for 8 hours and then is lost due to battery depletion. Figure F.1.1 shows that the ASF of the T8 sequence is largely sensitive to recovery action (RA-type) errors when HEPs are increased. Also, the accident sequence risk is considerably reduced when RA-type HEPs are decreased. A primary reason for this behavior is that the RA-type errors with the largest impact on risk sensitivity are sequence-dependent. The detailed analysis of T8 sequence cutsets in Appendix D shows that two sequence-dependent recovery errors, RA-8-1H (restoration of offsite AC power within one hour of LOSP) and RA-8-10H (restoration of offsite AC power within 10 hours), are the most significant contributors to the ASF sensitivity.

Figures F.1.2 through F.1.5 show the ASF sensitivity to various categories of human performance actions/errors for the T8 sequence. The ASF of this accident sequence is sensitive primarily to manual actions (e.g., RA-8-1H, RA-8-10H) involved in the restoration of AC power within 10 hours of the LOSP transient. Other manual actions to assure diesel generator (DG) availability, i.e., repair of DG failure within the time frame of the accident (e.g., RA-9-1H, RA-9-2H), also contribute to ASF sensitivity. There is slight sensitivity of ASF to manual override errors (e.g., RA-3-12-80M, OPFAIL-REOPN-1H) involved in the reopening of RCIC valves to ensure RCIC system availability, which have probability estimates on the order of 1 x 10'7. Five of the six manual override type errors appear in the T8 sequence and, although overall CMF shows no sensitivity to these errors, there is some slight sensitivity shown here.

As expected, the ASF is highly sensitive to errors committed in dual locations (CR/OCR) because risk significant manual actions to restore AC power are performed by reactor operators within the control room (CR) vicinity in coordination with non-licensed operators outside the control room (OCR) area (Figure F.1.3). Therefore, accident recovery requires that actions by both ROs and NLOs be well coordinated to mitigate the accident risk level. As shown in Figure F.1.4, the ASF is largely sensitive to non-simulator based HEPs. A primary reason is that the recovery HEPs for LOSP incidents (e.g., RA-8-1H, RA-8-10H) were derived from probabilistic models using plant centered data (ref. NUREG/CR-5032) plus generic grid and weather data, rather than simulator data. There is slight sensitivity of ASF to simulator based HEPs due to the impact of manual override actions (e.g., OPFAILS-REOPN-1H).

Finally, the ASF is highly sensitive to plant-specific human errors and sensitivity group five human errors (Figure F.1.5), which are largely recovery actions to restore AC power. Table F.1 summarizes the categorization of six dominant human errors for the T8 sequence which affect its sensitivity. It should be noted that several insights for this sequence are similar to those for overall CMF sensitivity, since this is the most dominant sequence and thus has a large effect on overall CMF.

F.2 T2VL Sequence

In this accident sequence, a transient occurs (e.g., turbine trip, MSIV closure) followed by successful scram and SRV operation. The main feedwater system fails, but high pressure core spray (HPCS) and one train of the control rod drive (CRD) system operate to provide high pressure injection. Normal containment and primary heat removal systems fail and venting fails. Containment pressure increases until a leak develops. Figure F.2.1 shows that the ASF of the T2VL sequence is wholly sensitive to manual actions involved in the operation of HPCS and CRD systems to provide high pressure injection (e.g., RA-1-1-27H). Other risk significant manual actions (e.g., RA-2-11-27H) involve local operation of manually controlled components in the RHR shutdown cooling or suppression pool cooling flowpaths to assure containment heat removal capability. The ASF is insensitive to manual backup or manual override errors because none of these errors appear in the minimal cutsets of the accident sequence.

[Figure F.1.1. Sensitivity of ASF to recovery action type errors for T8 sequence. Axes: ACC SEQ FREQ versus HEP FACTOR (1/29 to 29). Curves: ALL HEs, RA HEs, NON-RA HEs.]

[Figure F.1.2. Sensitivity of ASF to human performance actions for T8 sequence. Axes: ACC SEQ FREQ versus HEP FACTOR (1/29 to 29). Curves by action type: ALL HEs, M. ACT, M. BK UP, M. OVR.]

[Figure F.1.3. Sensitivity of ASF to location of errors for T8 sequence. Axes: ACC SEQ FREQ versus HEP FACTOR (1/29 to 29). Curves by location: ALL HEs, CR, OCR, CR/OCR.]

[Figure F.1.4. Sensitivity of ASF to simulator-based HEPs for T8 sequence. Axes: ACC SEQ FREQ versus HEP FACTOR (1/29 to 29). Curves: ALL HEs, SIM HEPs, NON-SIM HEPs.]

[Figure F.1.5. Sensitivity of ASF to human errors in sensitivity groups for T8 sequence. Axes: ACC SEQ FREQ versus HEP FACTOR (1/29 to 29). Curves by sensitivity group: ALL HEs, SSG1, SSG2, SSG3, SSG4, SSG5, SSG6.]

Table F.1. Categorization of Six Dominant Human Errors for T8 Sequence

Event              Timing   Action Type     Personnel   Location   Simulator       Sensitivity Group
RA-8-1H            During   Manual          RO/NL       CR/OCR     Non-simulator   5
RA-9-1H            During   Manual          RO/NL/MT    OCR        Non-simulator   6
RA-9-2H            During   Manual          RO/NL/MT    OCR        Non-simulator   6
RA-8-10H           During   Manual          RO/NL       CR/OCR     Non-simulator   5
RA-15-1H           During   Manual          RO/NL/MT    OCR        Non-simulator   6
OPFAIL-REOPN-20M   During   Man. Override   RO          CR         Simulator       2

[Figure F.2.1. Sensitivity of ASF to human performance actions for T2VL sequence. Axes: ACC SEQ FREQ versus HEP FACTOR (1/29 to 29). Curves by action type: ALL HEs, M. ACT, M. BK UP, M. OVR.]

[Figure F.2.2. Sensitivity of ASF to location of errors for T2VL sequence. Axes: ACC SEQ FREQ versus HEP FACTOR (1/29 to 29). Curves by location: ALL HEs, CR, OCR, CR/OCR.]

As shown in Figure F.2.2, the ASF is most sensitive to control room actions, with human errors committed outside of the control room second and dual errors last in sensitivity. These results are quite different from the overall CMF location sensitivity results, which are dominated by CR/OCR errors, as driven by the T8 sequence. This shows how individual sequence sensitivities can vary. The ASF is also largely sensitive to simulator based HEPs because operator response (e.g., RA-1-1-27H, RA-2-11-27H) to manually actuate safety systems from the control room was tested on the LaSalle simulator (Figure F.2.3). This again differs from overall CMF sensitivity. Finally, Figure F.2.4 shows the ASF is most sensitive to human errors in sensitivity group three (e.g., RA-1-1-27H). This observation implies that operator actions to maintain normal containment and primary heat removal capability during this accident situation are more significant to risk than ultimate "venting" actions to mitigate containment failure from overpressure conditions.

F.3 TL2 Sequence

This sequence is characterized by a transient initiator, primarily a loss of main feedwater event, and one or more SRVs fail to reclose when required. The stuck open SRV results in a transient-induced loss of coolant accident. The main feedwater system fails, but HPCS functions to provide high pressure injection. Normal containment and primary heat removal systems fail, but the operators are able to vent.

The ASF sensitivities to various categories of human errors for the TL2 sequence are similar to those observed for the T2VL sequence. Therefore, the risk variation curves are not reproduced here. Also, the interpretation of the risk sensitivity curves is similar because both TL2 and T2VL sequences are initiated by transients, even though the human errors may be unique to a particular sequence.

F.4 L2VL Sequence

In this sequence, a small-small LOCA event occurs, which is followed by successful scram and vapor suppression operation. The small-small LOCA (50-100 gpm maximum) is usually caused by a recirculation pump seal failure. The main feedwater system fails, but HPCS and one train of the CRD system function to provide high pressure injection. Normal containment and primary heat removal systems fail, and venting also fails. Figure F.4.1 shows that the ASF of the L2VL sequence is wholly sensitive to manual actions (e.g., RA-6-4H) involved in the isolation of the recirculation pump when seal failure is detected. The ASF is not sensitive to manual backup or manual override errors because none of these errors appear in the accident sequence cutsets. The flattening out of the overall sensitivity curve in the increase direction is due to high base case HEPs, which saturate quickly at 1.0.

As expected, the ASF is sensitive to errors committed in dual locations because manual actions to isolate the recirculation pump involve operator response in both control room and outside control room locations (Figure F.4.2).
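Added example (not code from the report): a sketch of the sensitivity calculation behind the D.3 summary and the Appendix F curves, in which each HEP in a cutset is multiplied by an HEP factor and capped at 1.0 before the cutset frequencies are summed. The HEPs come from Table D.2.1; the cutsets, their non-human frequencies and all function names are constructed for illustration and are not LaSalle PRA data.

```python
import math

# HEP multipliers on the x-axis of the Appendix F figures (1 is the base case "B").
HEP_FACTORS = [1/29, 1/25, 1/20, 1/10, 1/5, 1, 5, 10, 20, 25, 29]

# Base-case HEPs as listed in Table D.2.1.
BASE_HEP = {
    "RA-6-4H": 0.5,
    "RA-1-1-27H": 2.1e-3,
    "RA-2-11-27H": 1.6e-3,
    "RA-5V-1-2H": 2.1e-3,
}

# CONSTRUCTED cutsets: (frequency per year of the non-human events, human errors ANDed in).
SEAL_LOCA_LIKE = [(2.0e-8, ["RA-6-4H"])]
TRANSIENT_LIKE = [
    (1.0e-4, ["RA-1-1-27H"]),
    (5.0e-5, ["RA-2-11-27H"]),
    (1.0e-3, ["RA-5V-1-2H", "RA-1-1-27H"]),   # double human error combination
]


def scaled_hep(base, factor):
    """Multiply an HEP by the sensitivity factor; a probability saturates at 1.0."""
    return min(1.0, base * factor)


def cutset_frequency(cutset, factor, varied=None):
    """Cutset frequency with the HEPs in `varied` scaled (all HEPs if varied is None)."""
    hardware, errors = cutset
    freq = hardware
    for name in errors:
        p = BASE_HEP[name]
        if varied is None or name in varied:
            p = scaled_hep(p, factor)
        freq *= p
    return freq


def sequence_frequency(cutsets, factor, varied=None):
    """Accident sequence frequency (ASF): sum of the cutset frequencies."""
    return sum(cutset_frequency(c, factor, varied) for c in cutsets)


def sensitivity_curve(cutsets, varied=None):
    """(HEP factor, ASF) points, i.e. one curve of a Figure F.x.y style plot."""
    return [(f, sequence_frequency(cutsets, f, varied)) for f in HEP_FACTORS]


def increase_when_heps_set_to_one(errors):
    """Factor by which a cutset frequency grows if every listed HEP becomes 1."""
    return 1.0 / math.prod(BASE_HEP[e] for e in errors)


if __name__ == "__main__":
    for label, cutsets in (("seal-LOCA-like", SEAL_LOCA_LIKE),
                           ("transient-like", TRANSIENT_LIKE)):
        base = sequence_frequency(cutsets, 1)
        for factor, asf in sensitivity_curve(cutsets):
            print(f"{label:15s} factor={factor:7.3f} ASF={asf:.3e} ratio={asf / base:8.2f}")
```

A cutset with n small HEPs grows as the factor to the power n, while a cutset dominated by a large HEP such as RA-6-4H stops growing once the scaled value reaches 1.0, which is the flattening described for the L2VL curve.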

[Figure F.2.3. Sensitivity of ASF to simulator-based HEPs for T2VL sequence. Axes: ACC SEQ FREQ versus HEP FACTOR (1/29 to 29). Curves: ALL HEs, SIM HEPs, NON-SIM HEPs.]

[Figure F.2.4. Sensitivity of ASF to human errors in sensitivity groups for T2VL sequence. Axes: ACC SEQ FREQ versus HEP FACTOR (1/29 to 29). Curves by sensitivity group: ALL HEs, SSG1, SSG2, SSG3, SSG4, SSG5, SSG6.]

[Figure F.4.1. Sensitivity of ASF to human performance actions for L2VL sequence. X-axis: HEP factor (1/29, 1/25, 1/20, 1/10, 1/5, B, 5, 10, 20, 25, 29). Curves by action type: ALL HEs, M. ACT, M. BK UP, M. OVR.]

[Figure F.4.2. Sensitivity of ASF to locations of error for L2VL sequence. X-axis: HEP factor (1/29, 1/25, 1/20, 1/10, 1/5, B, 5, 10, 20, 25, 29). Curves by location: ALL HEs, CR, OCR, CR/OCR.]

Finally, the ASF is sensitive to non-simulator based HEPs of human errors in sensitivity group five (Figures F.4.3 and F.4.4). These human errors, which drive ASF sensitivity, are recovery actions to isolate the recirculation pump seal LOCA and restore the power conversion system if its manual operation was interrupted.

[Figure F.4.3. Sensitivity of ASF to non-simulator based HEPs for L2VL sequence. X-axis: HEP factor (1/29, 1/25, 1/20, 1/10, 1/5, B, 5, 10, 20, 25, 29). Curves: ALL HEs, SIM HEPs, NON-SIM HEPs.]

[Figure F.4.4. Sensitivity of ASF to human errors in sensitivity groups for L2VL sequence. X-axis: HEP factor (1/29, 1/25, 1/20, 1/10, 1/5, B, 5, 10, 20, 25, 29). Curves: ALL HEs, SSG1, SSG2, SSG3, SSG4, SSG5, SSG6.]

F.5 A49 Sequence

This sequence is largely initiated by transient events such as a turbine trip without bypass, total MSIV closure, or loss of condenser vacuum incidents. The reactor protection system (RPS) fails to scram, and operator actions are directed toward the control of the main feedwater system and initiation of the standby liquid control (SLC) system. Figure F.5.1 shows the ASF of the A49 sequence is largely sensitive to manual actions. The dominant human error event that is driving the ASF sensitivity is OPFAILSMFW BM, which describes manual actions to control the feedwater flowrate from the main feedwater system within a short time after the transient-initiating event. Note that overall risk is quite sensitive in both directions but actually decreases further than it increases. There is some saturation in the increase direction due to the initially high value (0.5) of OPFAILSMFW-8M. This allows the decrease in risk to be larger than the increase. Other risk-significant manual actions involve recovery actions to close inadvertently open SLC test valves to permit SLC initiation (e.g., RA ATW 11 11-30M). As might be expected for an ATWS, the ASF for this sequence is somewhat more sensitive to "ultimate actions" than is the overall CMF. A particular ultimate action showing sensitivity is OPFAIL-SLCOX-56M, which is failure by operators to start standby liquid control manually within 56 minutes. As shown in Figure F.5.2, the ASF is more sensitive to control room errors when HEPs are increased. On the other hand, dual location errors have a significant effect on ASF as the HEPs are decreased. This implies that improvement in operator response within the control room and outside the control room, under the high stress of an ATWS environment, can significantly reduce the accident sequence risk.

Finally, the ASF is more sensitive to human errors in sensitivity group one (i.e., ultimate actions such as OPFAIL-SLCOX-56M) than those in sensitivity group five (e.g., OPFAILSMFW BM) when HEPs are increased (Figure F.5.3). However, the human errors in group five have a greater effect on ASF as the HEPs are decreased. This implies that operator actions in SLC initiation have a significant effect on accident sequence risk when human performance is degraded. Also, improvement in operator response to control the MFW system can significantly reduce risk. This difference in the sensitivity in the increase versus the decrease direction appears to be due to the differences in the base case HEPs. For example, OPFAIL-SLCOX-56M is 0.0021, which allows an effect in the increase but not in the decrease direction.

[Figure F.5.1. Sensitivity of ASF to human performance actions for A49 sequence. X-axis: HEP factor (1/29, 1/25, 1/20, 1/10, 1/5, B, 5, 10, 20, 25, 29). Curves for manual actions: ALL HEs, ALL MAs, MAs Only, ULT ACT.]

[Figure F.5.2. Sensitivity of ASF to locations of errors for A49 sequence. X-axis: HEP factor (1/29, 1/25, 1/20, 1/10, 1/5, B, 5, 10, 20, 25, 29). Curves by location: ALL HEs, CR, OCR, CR/OCR.]
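The saturation at 1.0 noted for L2VL in F.4 and the increase/decrease asymmetry described in F.5 can be reproduced with a small cutset model. This is an added example, not code or data from the report: the two base HEPs (0.5 and 0.0021) are the values quoted above, while the event names HE_MFW and HE_SLC, the cutsets and their frequencies are constructed assumptions.

```python
from math import prod

# Factors on the report's HEP FACTOR axis; 1.0 is the base case "B".
FACTORS = [1/29, 1/25, 1/20, 1/10, 1/5, 1.0, 5, 10, 20, 25, 29]

# Base HEPs quoted in F.5. The event names are hypothetical stand-ins.
BASE_HEP = {"HE_MFW": 0.5, "HE_SLC": 0.0021}

# Constructed cutsets (not from the LaSalle PRA): frequency per year of the
# initiator and hardware failures, plus the human errors in the cutset.
CUTSETS = [
    (1.0e-6, ["HE_MFW"]),
    (1.0e-5, ["HE_SLC"]),
    (1.0e-7, []),  # hardware-only cutset, unaffected by HEP changes
]

def scaled_hep(name, factor, group):
    """Scale the base HEP by factor if the event is in group; cap at 1.0."""
    hep = BASE_HEP[name]
    return min(1.0, hep * factor) if name in group else hep

def asf(factor, group):
    """Accident sequence frequency: sum of cutset frequencies."""
    return sum(freq * prod(scaled_hep(h, factor, group) for h in hes)
               for freq, hes in CUTSETS)

def sensitivity(group):
    """ASF at each HEP factor, relative to the base case ASF."""
    base = asf(1.0, group)
    return {f: asf(f, group) / base for f in FACTORS}

if __name__ == "__main__":
    groups = {"ALL HEs": set(BASE_HEP),
              "HE_MFW only": {"HE_MFW"},
              "HE_SLC only": {"HE_SLC"}}
    for label, group in groups.items():
        s = sensitivity(group)
        print(f"{label:12s} x1/29: {s[1/29]:.3f}  x5: {s[5]:.3f}  x29: {s[29]:.3f}")
```

With these inputs the 0.5 event is already capped at factor 5, so its curve is flat from there to 29 while its decrease side keeps falling; the 0.0021 event raises the ASF when increased but barely moves it when decreased, because the other cutsets dominate.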

NRC FORM 335, U.S. NUCLEAR REGULATORY COMMISSION
BIBLIOGRAPHIC DATA SHEET

1. Report number: NUREG/CR-5527, BNL-NUREG-52228

2. Title and subtitle: Risk Sensitivity to Human Error in the LaSalle PRA

3. Date report published: March 1990

4. FIN or grant number: A-3853

5. Author(s): S. Wong, J. Higgins, J. O'Hara, D. Crouch, W. Luckas

6. Type of report: Technical

8. Performing organization - name and address: Brookhaven National Laboratory, Upton, NY 11973

9. Sponsoring organization - name and address: Division of Radiation Protection and Emergency Preparedness, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555

10. Supplementary notes

11. Abstract: A sensitivity evaluation was conducted to assess the impact of human errors on the internal event risk parameters in the LaSalle plant. The results provide the variation in the risk parameters, namely, core melt frequency and accident sequence frequencies, due to hypothetical changes in human error probabilities. Also provided are insights derived from the results, which highlight important areas for concentration of risk limitation efforts associated with human performance.

12. Key words/descriptors: Nuclear power plants - risk assessment; nuclear power plants - sensitivity analysis; LaSalle county - 1 reactor - risk assessment; LaSalle county risk assessment; LaSalle county reactor sensitivity analysis; LaSalle county - 2 reactor - sensitivity analysis; human factors - errors; human factors - failures; probabilistic estimation; reactor accidents; reactor cores; meltdown; system failure analysis

13. Availability statement: Unlimited

14. Security classification: Unclassified (this page); Unclassified (this report)

15. Number of pages

16. Price

}}