ML20055G895
| ML20055G895 | |
| Person / Time | |
|---|---|
| Issue date: | 07/13/1990 |
| From: | Kenyon T Office of Nuclear Reactor Regulation |
| To: | Kintner E ALWR UTILITY STEERING COMMITTEE |
| References | |
| PROJECT-669A NUDOCS 9007240306 | |
| Download: ML20055G895 (15) | |
Text
.~
i July 13.1999 -
~
j h
Project'No. 669' i
Hr. E. E. Kintner,ing Coneittee Chairman
,c ALWR Utility Steer
.GPU Nuclear Corporation 1
One Upper Pond Road Parsippany, New Jersey 07054 l
Dear Mr. Kintner:
SUBJECT:
REQUEST FOR ADDITIONAL INFORMATION ON EPRI ALWR REQUIREMENTS DOCUMENT k
As a result of our review of Appendix A to Chapter 1 of the EPRI ALWR Require.
ments Document, the staff has determined that it needs additional information
.in order to complete our review of the design criteria. Our concerns are 1
discussed in the enclosure to this letter.
Please respond to this request within 60 days of the date of this letter.
If i
you have any questions regarding this matter, call me at (301) 4921120.
Sincerely, OriginalSigned By:
Thomas J. Kenyon, Project Manager Standarcization Project Directorate Division of Reactor Projects - III, IV, V, and Special Projects Office of Nuclear Reactor Regulation
Enclosure:
As stated cc w/ enclosure:
See next page.
t E
NRC & Local PDR PDS r/f D. Crutchfield l
W. Travers C. Miller T. Ken P. Shea ACRS (yon 10)
OGC E. Jordan 1
W: PD5/LA
- PD5/P PD5/D 1....:
- NAME
- PShea\\ g...:...
..... :..... pk
- TK 6dfcw :CM111er @ :
l.....:............:..L........:............:............:............:............:.........
!DATE:07/]/90
- 07/6/90
- 07//3 /90 M[
k OFFICIAL RECORD COPY 9)
Docum. en,t Hanie:
RAI APPENDIX A TO CHAPTER 1 n
l
.;ga72dd 71 BC RE MMS MM 39i 669A q;
July 13. 1990
,j P'roject No. 669 j
l Mr. E. E. Kintner, Chainnan ALWR Utility Steering Comittee GPU Nuclear Corporation One Upper Pond Road i
Parsippany, New Jersey 07054 i
Dear Mr. Kintner:
SUBJECT:
REQUEST FOR ADDITIONAL INFORMATION ON EPRI ALWR REQUIREMENTS i
D,0CUMENT As.a result of our review of Arpendix A to Chapter 1 of the EPRI ALWR Require.
ments Document, the staff has determined that it needs additional information in order to complete our review of the design criteria. Our concerns are discussed in the enclosure to this letter.
Please respond to this request within 60 days of the date of this letter.
If you have any questions regarding this matter, call me at (301) 4921120.
Sincerely, OriginalSigned By:
Thomas J. Kenyon, Project Manager Standardization Project Directorate l-Division of Reactor Projects - III, I'
IV, V, and Special Projects L
Office of Nuclear Reactor Regulation 1
Enclosure:
As stated g
\\
L cc w/ enclosure:
See next page DISTRIBUTION central F11e NRC & Local PDR PDS r/f D. Crutchfield W. Travers C. Miller T. Xen P. Shea ACRS(yon 10) l OGC E. Jordan C :PDs/LA
- PD5/P,,,
- PD5/D
[....:............:............:............:............:.........
cw :CM111ere:
i NE :PShea
- TK 4
...;...........:..k........:............:............:............:...........:.........
.TE:07/}/90
- 07/y/90
- 07//3 /90 OFFICIAL RECORD COPY' l
Document Name:
RAI APPENDIX A TO CHAPTER 1 i
l
h -.
so mee
{'?'/
'g UNITED STATES
? {8 f
NUCLEAR REOULATORY COMW,lSSION a
wassimoYou, p. c. russ l
]t-j July 13. 1990 e...**
PfojectNo.669 i
1 Mr. E. E. Kintner, Chairman ALWR Utt11ty Steering Comittee GPU Nuclear. Corporation One Upper Pond Road Parsippany,' New Jersey 07054
Dear Mr. Kintner:
SUBJECT:
RE0 VEST FOR ADDITIONAL INFORMATION ON EPRI ALWR REQUIREMENTS DOCUMENT L
As a' result of our review of Appendix A to Chapter 1 of the EPRI ALWR Require-ments Document, the staff has detvrmined that it needs additional infonnation in order to complete our review of the design criteria. Our concerns are discussed in the enclosure to this letter.
J
. Please respond to this request within 60 days of the date of this letter.
If
.you have any questions regard'(ng this matter, call me at (301) 492-1120.
j Sincerely.
-l 0
j Thomas J. Kenyon', Project ager Standardization Project Directorate Division of Reactor Projects - III, IV, V, and Special Projects Office of Nuclear Reactor Regulation
Enclosure:
As stated cc w/ enclosure:
See next page e
wg pf t.,
Nt-4,0:
4 1%
Mr'. Edwin E. Kintner, Chairman Project No. 669 p.T ALWR Utility-Steering Committee EPRI
- ii Mr. William Sugnet cc:
Nuclear Power Division Electric Power Research Institute P.O. Box 10412 s
Palo Alto, CA 94303 I. -
PRELIMINARY REVIEW COMMENTS ON EPRI/ALWR APPENDIX A: PRA KEY ASSUMPTIONS AND GROUNDRULES DOCUMENT l
l' This list of coneents has been divided into two parts, general and specific.
The specific consents are usually identified by a page and section paragraph number corresponding to a particular arts in the EPRI Appendix A document. Human factors and safeguards issues are in separate sections at the end.
I
GENERAL COMMENT
S.
The NRC staff and a contractor (BNL) have performed an overall review of Appendix A that has led to the comments and questions listed below. These comments should be considered to be preliminary in that there are many aspects of Appendix A that the NRC staff is not in a position to either endorse or take issue with at this time.
An example is the reference made in the document to certain EPRI or other industry approaches such as the use of the L
" SHARP" and "THERP" techniques for human interaction assessments (Paragraphs l-2.9.1 and 2.9.2 of Page A.2-7 of Appendix A). While we strongly encourage the identification of specific methods for such analyses, the NRC has not reviewed all of these approaches in detail and therefore cannot endorse them outright..
This may still be the case when it comes time to write a final evaluation of Appendix A. Another example is the extensive data listings in the latter part of Appendix A, particularly in the Annexes, of recommendec numerical values for such quantities as initiating event frequencies, component failure rates, etc.
Again, we strongly endorse the listing s of these values because we agree that the identification of such generic data may be very useful for future plant applications, however, we have not re tiewed all of the values in sufficient detail to support a firm statement at the time as to their acceptability. Based on the cursory review that we have perforned of this data, the values appear-to be reasonable considering current technology capabilities. It may be that a final judgement as to the acceptability of certain of the values cited will not be possible until such values are referenced for a specific design application.
At that time, the context of the application of the specific component (its system and location, etc.) will be known and this may be tiportant in some cases.
It is our belief that we should view the use of wh data as a commitment by the designer that his plant as finally constructo Mil perform reasonably close to the standard associated with the assumed reliability values used in the design's PRA. It will be necessary to include some means for judging if that commitment has been fulfilled at the time that a specific application is submitted.
While the staff is conducting a review of the EPRI Requirements Document including Appendix A, it is noted that the staff is preparing a regulatory guide on the preparation and use of PRAs for future license applications as required by 10 CFR 52.47(a) and 10 CFR 52.79(b). The regulatory guide and its supporting documentation will address many of the issues included in this set of comments.
GENERAL COMMENT
1: EPRI should provide a description of what means they would propose for confirming that all important commitments, (assumptions regarding performance) are preserved in an ALWR once the plarit is built and operated.
..g
]
-w 1
GENERAL COMMENT
2: The Advanced Light Water Reactor (ALWR) Requirements Doument should provide a descriptica of a program for demonstrating the performance of
]
the ALWR designs in comparison witi EPRl's stated performance goals as well as 4
the Commission's where those goals differ.
The " measurement against goals" assessment program should include methods to assess the risk significance of i
.important cere damage prevention and containment mitigation systems, to estimate the risk significance of high priority generic safety issues and severe accident phenomenological effects, and to compare the proposed ALWR designs against the i
EPRI design goals and the Commission's. The staff believes that the development of a reasonable measurement program and con;ideration of high priority generic safety issues and severe accident phenomenological effects are crucial review elements for the approval of the ALWR Requirenents Document by the staff, d
L l
GENERAL COMMENT
3:
EPRI should identify the specific version of the MAAP code that they plan to endorse for use in analyzing severe accidents for future ALWRs.
1 4
GENERAL COMMENT
4: During the last eighteen years, the staff and industry have spent considerable resources in developing reasonable methods to estimate the risk for various postulatra accident scenarios.
Recently, the REL staff has completed the development of the risk and reliability analysis methods as mart j
of the NUREG-ll50 (Second Draft), and demonstrated, in detailed fashion, tiese methods by conducting risk analyses for five nuclear facilities in the United States. Therefore, the staff suggests that the EPRI ALWR Requirements Document
)
should make use of either the methods of the NUREG-ll50 studies or equivalent j
state-of-the-art risk methods.
The staff believes that the probabilistic evaluations of the ALWR designs should be performed (for regulatory purposes) univ after the reactor system and associated component designs (in ) articular the state-of-the-art type) are completed in detail.
Also, the pro)abilistic i
evaluation of critical human factor issues and beyond-design basis seismic and fire events should be performed oniv after the ALWR design-specific details (such as advanced control room design and site parameters) are completed. it is important to note that the staff encourages the probabilistic evaluations and trade-off studies of various design features be performed during the design stage. However, the risk submittals to the NRC staff should reflect an essentially complete design.
1
~
~
3 i
)
The follo5ing set of connents are directed to specific sectier,5 of the Appendix document as noted.
SPECIFIC COMENTS:
1.
(Fage 1, Foreward)
The first bullet in the forwarti states that a primary
}
c purpose of the PRA is to " provide a nochanism for assuring a balanced design from j
a risk standpoint." It is presumed that this refers to a balanced design in terns of a balance between prevention and nitigation of severe accidents. If this is what is neant, it is not clear from the present versinn of Appendix A as to how i
this balance will be both nessured and assured.
i
)
2.
(Fage 1, Foreward) The sixth bullet in the Forewarti states that an objective of the PRA will be to " satisfy the NRC Severe Accident Policy Statement requirement that a PRA be conducted."
10 CFR Part 52 should be referenced as the source of this requirement, not the Severe Accident Policy Statement.
)
- 3. (Fage A.1-2, Par.1.1.4) l-power initiating events. This is not consistent It is stated that ALWR PRAs shall be limited to consideration of nominal ful with the current staff position that other operating nodes such as startup, low power, hot shutdown to cold shutdown including ald-loop operation, and refueling events could contribute significantly to overall plant risk.
This position is documented in Generic letter 88-17 as well as in SECY-89-153 (ABWR) and in SECY-90-016 (nid-loop operation for ALWRs). These conditions are particularly important when they allow certain off-normal conditions such as deinerted containments, bypassed protective systens and deenergized busses. Please address this concern.
L i
- 4. (Page A.1-3, A.1-4; Par. 1.2)
In the definition given for " core damage," a
- 1 temperature Ifnit of 2200F is given for "any node of the core." It is assumed that this limit is to be applied to the fuel clad tempcrature rather than "any node of the core" but this is not clear from the present wortling. Please clarify.
j
)
l p-e w
w-
-m>
e I' 6. (Page A.t-2, Par. 2.3) (1) It is stated that a definitir of success is to be provided. Who is to provide that definition? (e.g., EPRI v: the designer or the PRA analyst?) (ii) The use of conservative assumptions by PRA analysts to avoid unnecessary expenditures for analyses seems reasonable, There is, however, o second - important reason for using conservative assumptions for certain analyses. That is when there is considerable uncertainty associated with our understanding of accident behavior.
While we generally strive to use "best-estinate* analysis approaches for PRA, a second calculation using nore conservative assumptions can often provide useful sensitivity information about accident behavior. This sensitivity information allows us to determine if we have analyzed certain situations in sufficient detail and if the plant is adequately protected from various challenges. We would add a caution also that
- advanced"
- reactors, including the evolutionary designs, may introduce sufficiently different design features and resulting accident behavior that extra care should be exercized in characterizing what analysis assumptions are indeed
" conservative."
- 6. (Fage A.t-6, Par. 2.8.2.1) The analyst is given great latitude in his choice of nethods used to treat connon-cause failure. This section should be expanded to cover those cases when the " Bets" ( g ) factor treatment is no longer adequate.
1
- 7. (Fage A.2-8, Far. t.g.2.4) It is stated that Type 4 actions (operator actions leading to inappropriate plant response) nay be excluded from consideration because " current synpton-based procedures greatly reduce the opportunities for serious alsdiagnosis." The premise that this type of human error is uninportant to severe accident assessments is not acceptable without further justification.
- 8. (Page A.2-8, Far. 2.9.3) We agree that PRAs for future designs should include credit for certain recovery actions using non-safety equipment provided that appropriate justification is provided in the PRA documentation. We note that such justification aust include a consideration of the severe accident environment (temperature, hunidity, pressure, etc.) that such equipment would likely be exposed to. Both the expected environment and the expected mission time (addressed in Paragraph 2.10 of App. A) nust be addressed in such cases, r
9.
(Page A.2-9, Far. 2.10)
Further justification / documentation is needed to justify that a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time is sufficient for all inportant severe accident events (e.g., further documentation of studies of decreased heat renoval needs and svallable tine for equipment repair during LOCAs after a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> period).
s i
9.
. 10.
(Fage A.t-12)
The statenent that: "A noninal unavailability of 0.1 for full-load rejection feature may be assumed," has not b an substantiated by operational experience in the staff's experience. Please provide the basis and data that s cport this value.
11.. (Fage A.t-12) On this page the annual frequency for steen generator tube rupture is givven as 6.1E-3 but is calculated to be 4.5E-3 on page A.A-5.
(a) Mhy don't these numbers agree?
(b) How will differences in the age of steam generator tubes in service and in the data base be accounted for?
12.
(Page A.2-13, Paragraph 2.11.3)
A failure rate of 1.2[-3/d is given for the failure of offsite power following reactor trip however the bssis for this value stets to be alssing from Section A3 of Annex A. Flesse provide the basis and dets that support this yklue.
13.
(PageA.t-14) It is not clear whether failure data for the pilot operated relief values (PORVs) and safety relief valves (SRVs) are for steam or water environnent s.
The numbers could vary significantly depending on the underly.'ng assumptlon. (Also applies to Tab.e A3-1).
It should also be noted that in addition to identifying failure prcbabilities that appear to be " unattainable,"
the ALWR design and PRA should focus on those systens and compont ts that have not performed well over the years like PORVs and SRVs.
This would encourage better performance for those probles systens and components that need inprovenent.
1,4.
(PageA.2-tl,A.2-tt) One of the more important findings that stenned from the A-44 Station Blackout technical analysis is that the probabf11ty of not recovering offsite power during a loss of offsite power transient is both plant and site specific. Caution should be used when referencing generic values for the conditional probability of failure to restore off-site power as a function of time following plant trip.
In addition, the loss of normal offsite power frequency (Page A. A-6) will also be plant and site specific.
The suggested generic initiator frequency of.035 per year, for example, contains two components, one with long and the other with short recovery times. Because EPRI proposes the sane recovery time be used in all cases, certain plants may over-estinate the risk from station blackout, while others may underestinate the risk.
Likewise, Appendix A of the EPRI document does not consider station blackout coping capability.
The coping time plays an important role in estinating the risk from station bisckout.
[See NUREG-1032, " Evaluation of Station Blackout Accidents at Nuclear Power Plants.")
Extended coping capability provides diversity and defense-in-depth protection against station blackout and should not be overlooked.
\\
. 15. (Page A.3-4, Par. 3.2.17)
The statenent on the exclusion of external flooding does not specifically list dan failure as a potential source. Does this Man that ALWRs will not be allowed to be located in areas where this is a risk?
If so, this should be specified.
- 16. (Page A.3-5, Par. 3.2.1g and 3.2.20) These paragraphs indicate that internal fires and floods will not need to be included in external events PRA analyses due to their expected low contributions to overall plant risk. Although spatial separation and fire barrier separation requirenents for the ALWR are good, the risk from other aspects of fire (effects of snoke, heat, fire protection actuation, fire brigade actions, etc.) need to be addressed and would seen to be ignored in the present EPRI approach.
In addition, it would be useful to require an evaluation of the operator and fire brigade response to a compartment fire with a plant walkdown once the plant is built, since the spatial location of sone systens and components may change durin;; construction and give rise to vulnerabilities not previously considered.
Further justification will need to be supplied for excluding these events and considerations from ALWR PRA assessments.
- 17. (Pages A.3-8 thru A 3-14, Par.s 3.3.2.1 thru 3.3.2.7) 6ra sections address selsnic issues and were suballted by EPRI in February 1990 for staff review.
^
The staff has not completed its review of these sections yet. Questions and coneents wi11 be forwartled when the review is complete.
- 18. ("ege A.4-5, Par. 4.6.2)
This listing of potentially important phenonena which are not currently addressed in the NAAP code includes nost of the issues identified in the ongoing discussions between the NRC and the industry. However, a key issue that is not included is that of the uncertainty associated with debris coolability. While it is true that NAAP does deal with this issue in terns of providing a coolability nodel, the NRC has not been able to accept the nodel due to the current lack of supporting data. The inpact of this disagreement has been widespread affecting such issues as hydrogen control and other challenges to containment perfornance. It say be argued that this issue is addressed in NAAP but its lack of resolution is so significant, that it needs to be identified in some (perhaps in a separate category in the APP. A document) listing of outstanding issues along with hydrogen deflagration and direct containment heating, etc.
19.
(Annex A, Page A. A-6)
The use of operating reactor experience or its equivalent (e.g., NUREG-1150 data, Oconee PRA data and the Linerick PRA data) is reasonable to estinate accident sequence frequencies.
However, the appropriateness of the
+
r 7
use of specific values for a particular ALWR PRA will have to be evaluated as part of the specific ALWR design review. Specifically, EPRI's clain for the reactor trip frequency will have to be supported by the specific features included in the 80P for each ALWR design.
to. (Annex A, section A2) This section provides background on how the loss of offsite power frequencies were established for the ALWR.
The total loss of offsite power frequency established for the ALWR (0.0077 losses / site year) is an order of nagnitude less than the long tern historical average for total loss of offsite power at U.S.
nuclear plants (0.07 losses / site year), and is approxinately 23% of the three year average (0.033 losses / site year for years 1986, 1987 and 1988) found in NSAC/144.
7he ALWR frequency appears ta be too low when compared to even the three year average.
This results fron EPRI's elinination and reclassification of some loss of offsite power events that were felt to not be appilcable to the ALWR.
It would seen that at least a portion of the events that occurred at the two plants elfoulnated from the data base (Palo Verde and Turkey Point) should be reinstated since they appear to be related to phenonens (weather, panel jarring, fire, nultiplexer-) that would also be coneon to the ALWR.
In addition, a few events in Table A2-1 that were reclassified could also be generally applicable to an ALWR.
The najor potential source of error, however, appears to rest in not adjusting the data to account for vulnerabilities that may be unique to the ALWR design features themselves.
Credit is taken for these design features to favorably adjust the data in the data reclassification process, but nowhere are features analyzed for their potential failure effects on the offsite power systen design.
This pitfall is alluded to on page A.A-2 relative to a general discussion of initiating events, but again it appears that no attempt is made to account for potentially new or different initiating events.
We reconeend that the data in Section A2 be adjusted to account for the potential failure effects of the ALWR desing features by providing an analysis of such failure effects or by simply adjusting the frequency of loss of offsite power events down to more closely natch the three year average found in NSAC/144.
21.
(Annex A, Section A2) This section also addresses how the times reported for initial recovery of offsite power were evaluated to derive a distribution of non-recovery probability as a functior of time for the ALWR. Following the reclassification process tabulated in Table A2-1, EPRI found that the remaining four events that involved a loss of both the normal and reserve supply (fact, total 1 css of offsite power) had recovery times that were all relatively long. In they were all at or above the average recovery time of all events considered together. It was therefore concluded that these four data points alone were not sufficient to support a recovery-tine distribution, and EPRI developed instead a single distribution to be used for all losses of offsite power (total and partia1) apparently based on the data fron all events.
t 3
This, however, results in recovery-tine probabilities that are more favorable to a total loss of offsite power than the four data points themselves would suggest. We believe that these data points are not en abberation of the data but rather the natural result of the view taken during processing of the data. This is the view that the ALWR design features will eliminate nany of the loss of offsite power events found in the data while not adding any additional events that nay be peculiar to the features thenselves. Such a plant quite naturally would have a low vulnerability to total loss of offsite power (such as is suggested by EPRI by using a frequency of 0.0077 losses / site year) leaving it rainly vulnerable to total loss of offsite power fron quite wide ranging catastrophic type events (such as weather related events) that requite relatively long recovery tines.
We therefore reconeend that if these recovery time probabilities are to be retained, they be conbined with note conservative loss of offsite power frequencies such as suggested in the previous question.
22.
(Annex A, Iten #52 under "ALWR Component Failure Data Survey")
This iten provides diesel generator failure dara taken fron several sources.
The failure rates given are specifically for diesel generator failures to start on demand.
The value selected to be used in ALWR PRAs (1.4E-2) rs taken fron atSAC-108. The data used to derive this failure rate in %AC-108 however, considered a real start demand (non-test, non-planned) to be a success if the diesel generator started within 5 ninutes from the first start attempt.
This failure rate, which therefore relates more to a station flackout type event, nay not be appropriate when analyzing accident scenarios wtere the success criteria requires that the diesel generator start within a short period of time such as 20 seconds. We therefore suggest that EPRI use a more conservative number when analyzing these events.
- 23. (Annexa,Iten#63) This iten provides diesel generator failure data. The failure rates given under this iten, however, relate to failures of the diesel generator to run. While some cf the failure rates given are in terns of failures /denand, the rallure rate referenced for NUREG-2989 (that is also the value selected for the ALWR PRA) is based on failures / hour.
The information prlvided in Iten 053, however incorrectly, identifies this failure rate as failures / demand. Please correct this error.
24.
(Annex A, Iten #62)
This iten under the "ALWR Component Failure Data Survey" provides failure rates of high voltage transformers taken from several sources. The failure rate selected for ALWR PRAs is 1.2E-6 failures /hr. Is it intended that this failure rate be used for the ALWR nain step-up transformers 1
1 1
.yg, j i
and is it representative of power station nain step-up transformers? Did;the data that was used to derive this failure rate consist of nain step-up transfomers, other station or transmission transformers, or sone combination of these?
The failure rate appears to be low for main step ~up transformers (1.2E-6 failures /hr = 1 failure /95 years) Judging from the number of reports we
\\
have had of nain transformer failures.
If this failure rate is supposed to be representative of ALWR nain step-up transformers and is actually this low, why does paragraph 3.4.3 of Chapter il call for an installed spare single-phase main step-up transformer? Also, please provide a failure rate for the nain step-up transformers derived from the NERC data referenced in the rationale to paragraph 3.4.3 of Chapter 11.
25.
HUMAN FACTORS AND ISSUES MODELING:
The following are some general connents on human factors.
The ALWR Requirements Document does not describe the details regarding the modeling aspects of the human reliability issues.
For example, the glossary, and the document itself, make no mention of the human reliability analyses (HRA).
The human behavior is referred to under two sections of the document, i.e.,
1 2.6.4, " Dependencies Due to human Actions," and 2.9, " Human Interaction." The human actions are not discussed as part of the sequential guidelines for conducting the ALWR PRA.
Therefore, the staff suggests that EPRI provide additional documentation related to the HRA role in the ALWR Requirements Document.
t in particular, the staff expects the ALWR Requirements Document to address the following itens and to provide reconnendations for treating each.
25.1 What will be the specific r#u that HRA will play in the ALWR PRA? What will be the mechanism to achieve what role?
25.2 How will new man-machine and man-man interfaces (e.g., state-of-the art type digital technology, expert systems, remote control devices) in the ALWR PRA be handled?
)
1, a.
10-25.3 How will the task analyses be conducted to insure appropriate representation of the human actions in the event trees and fault trees or in their equivalent methods?
This issue seems to be getting more and more discussion as timo goes on, especially regarding the concatenation of cognitive errors during dynamic accident scenarios.
25.4 How will generic human error probability data sources be applied to provide bounding and anchor values that will quantify single human actions and more comp h x human actions involving several interdependent steps by individuals or groups of individuals?
25.5 The document should provide systematic guidelines on selecting person-centered, tash-centered, and environment-centered performance shaping factors (PSFs) to insure that the task actions are adequately characterized.
25.6 The document should provide a list of tools (e.g., checklists, criteria) l for assessing PSFs to insure that these evaluations are consistent across tasks and sequences, to provide qualitative information for subsequent audits of the I
analyses, and for selecting remedial actions for dealing with significant contributors to unacceptably high human error rates.
25.7 The document should provide a list of human error quantification methods for both single action events, and for multiple action (common cause) events that l
will be applicable to the ALWR design.
l 25.8 The document should provide guidelines on developing and maintaining systematic documentation to implement the HRA work including the modeling issues indicated in items 25.2 thru 25.7 i
The following are more specific comments related to the application of the HRA nethods:
25.9 New Technologies:
There is no discussion of, or reference to, the anticipated changes to the basic LWR control room design we are familiar with today. This shortcoming appears to hold for other hardware also.
l l
l
-v,.-~,.
e--,m e
w
-.c-
-r s-
r, 11 25.10 Generic Human Error Rate Data sources:
The document does not address the adequacy of the applicability of generic human error probability data sources.
In fact, Section 2.11, ' Reliability Data" is restricted to only component failure rates. Human error probability data sources are available at RES/USNRC and currently used by many PRA groups, most prominently NUCLARR (developed by RES/USNRC). EPRI should include in its data sources the additional work (done outside of EPRI) on generic data sources.
25.11 Gu'idance for selecting Performance shaping Factors (PSFs): The document does not address this item.
This is a serious omission since the selection of the appropriate set of PSFs, and their assessment, are crucial for achieving realistic human error probability point estimates, uncertainty bounds, and l
recovery potential. EPRI should include a discussion of PSFs.
25.12 Human Error Quantification Methods:
EPRI's ALWR Requirements Document references one such method, its own Human Cognitive Reliability (HCR) method. There is no mention made of other single action quantification methods or of multiple action quantification methods.
Again, it appears that EPRI intends to limit its guidance to methods, data, etc., developed only by EPRI.
We note that the HCR method is still in its development stage and does not handle multiple action sequences especially those involving interaction among teams or groups of individuals. EPRI should investigate the use of other methods as L
well.
25.13 HRA Documen';ation and Information Management:
The document does not address this item.
This is a cerrent subject under research review.
The staff requests that EPRI discuss these specific itens in future revisions to the ALWR Requirenents Document or in their responses to these questions and connents.
I l
- 26. SAFEGUARDS ISSUES 26.1 (Page A.2-1. Par. 2.1)
PRA has not been used in analysis of reactor sabotage because of the lack of quantitative estimates of the probability of attempted sabotage. However, the logical model structure developed in accordance with raragraph 2.1, prior to the truncation of low frequency sequences permitted in PRA modelling, has possible use in sabotage vulnerability analysis in Chapter 9 of the Requirements Document. This could be combined with a model of sabotage initiator locations in the manner described in NUREG/CR-0809 as a guide for cvaluating the effect of sabotage resistant design alternatives.
Perhaps it would be appropriate to incluoe mention of this in Appendix A.
f
],,.*
l
, j 1
16.2 (Page A.3-4, Par. 3.2.16)
The rationale of this paragraph includes the statement:
{
" Plant security and other barriers preclude any significant contributionfrom(ground)transportationaccidents."
In general, plant security barriers are not required to be' resistant to ground transportation accidents and are not designed to stop a moving truck. Paragraph 3.2.16 should be revised to reflect this. Furthermore, the recent Vogtle station blackout event could be considered a ground transportation accident.
Discuss
)
whether attention need be given in the design of roadways and rail spurs to the plant in order to justify precluding ground transportation accidents from the PRA.
26.3 (PageA.A.7) We note that a full-load rejection capability is specified for the advanced PWR, If the main turbine-generator and unit auxiliary transformer are within the plant's protected area, this could make successful external sabotage considerably more difficult. Has consideration been given to requiring this?
?
i i
e l
,n 4
n