ML20072E032

Plant TER of IPE Submittal, Human Reliability Analysis, Draft Rept
ML20072E032
Person / Time
Site: Perry
Issue date: 06/30/1994
From: Bovell C, Haas P
CONCORD ASSOCIATES, INC.
To: NRC
Shared Package: ML20072D793
References: CON-NRC-04-91-069, CON-NRC-4-91-69, CA-TR-92-019-06, CA-TR-92-19-6, NUDOCS 9408220082



ENCLOSURE 4
PERRY INDIVIDUAL PLANT EXAMINATION TECHNICAL EVALUATION REPORT
(HUMAN RELIABILITY ANALYSIS)

CA/TR-92-019-06

PERRY NUCLEAR POWER PLANT
TECHNICAL EVALUATION REPORT OF THE IPE SUBMITTAL
HUMAN RELIABILITY ANALYSIS
DRAFT

C. R. Bovell
P. M. Haas

Prepared for
U.S. Nuclear Regulatory Commission
Office of Nuclear Regulatory Research
Division of Safety Issue Resolution

Draft, October 1992
Final, June 1994

CONCORD ASSOCIATES, INC.
Systems Performance Engineers
725 Pellissippi Parkway
Knoxville, TN 37932
Contract No. NRC-04-91-069
Task Order No. 6

Table of Contents

1. INTRODUCTION
1.1 Review Approach
1.2 The Perry IPE HRA Approach
2. CONTRACTOR REVIEW FINDINGS
2.1 General Review of the Human Reliability Analysis
2.1.1 Completeness of the Submittal Information
2.1.2 Clarity of the HRA Methodology Description
2.1.3 Process to Confirm that the IPE Represents the As-built, As-operated Plant
2.1.4 Peer Review of HRA
2.2 Review of the Most Likely Sequences
2.2.1 Consistency of Operator Actions and Results with NUREG-1150 and Other NRC Accepted PSAs
2.2.2 Accident Sequences Screened Out Because of Low Human Error
2.3 Quantitative Results
2.3.1 Appropriateness of Numerical Screening Values
2.3.2 Completeness of Information on Human Error Probabilities
2.3.3 Information on Sources of Generic Human Reliability Data
2.3.4 Description of the Recovery Method
2.4 The IPE Approach to Reducing the Probability of Core Damage or Fission Product Release
2.4.1 Definition of Vulnerability
2.4.2 Reasonableness of Identified Human Related Plant Modifications
2.5 Interface Issues with Front-end and Back-end Reviewer
3. OVERALL EVALUATION AND CONCLUSIONS
4. IPE EVALUATION AND DATA SUMMARY SHEETS
REFERENCES


1. INTRODUCTION

This technical evaluation report (TER) is a summary of the documentation-only review of the Human Reliability Analysis (HRA) portion of the Perry Nuclear Power Plant Individual Plant Examination (IPE) submittal to the U.S. Nuclear Regulatory Commission (NRC). The body of the report consists of four sections: (1) this Introduction, which provides a brief summary of the approach of the documentation-only review and of the Perry IPE HRA approach; (2) Contractor Review Findings, a detailed documentation of findings for each work requirement specified in the NRC Task Order; (3) Overall Evaluation and Conclusions, which summarizes the important findings and results from the review; and (4) the NRC summary data sheets.

1.1 Review Approach

The review approach for the Perry IPE HRA involved the following six steps, illustrated in Figure 1. These steps, especially steps 2 through 4, were interactive and iterative, but followed this general progression:

(1) Scoping Review - an overview of the entire IPE submittal. Read summary sections, plant descriptions, the major HRA-pertinent section(s), and result sections. Skim/scan the entire submittal, including appendices and detailed front-end and back-end analyses.

Identify the basic approach used for the HRA and the organization of the HRA documentation, including any obvious major omissions. Identify notable features of the plant, the overall IPE approach, or the HRA approach that deserve special attention.

Identify and obtain references that may need to be reviewed or checked, and obvious points of interface with front-end and back-end analysis. Review descriptions of IPE/HRA team qualifications.

(2) Detailed Review of HRA Sections - a detailed review and assessment of the primary HRA section(s) of the submittal. This involves first a thorough (re)reading of descriptions of methodology, noting assumptions, data sources, and other important aspects of the analysis, and annotating any questions, potential problem areas, missing information, or issues for further investigation. Second, it involves a comparison of information and documentation found in the submittal about the overall HRA methodology/approach to the information/documentation "requirements" identified in accepted HRA approaches used in other PSAs. Finally, the detailed review involves an attempt to "track" the complete assessment of a few key operator actions through the HRA process described in the submittal. By tracking, we mean identifying that the submittal contains sufficient information to clearly delineate methodology, major assumptions, important parameters such as performance shaping factors, data sources, references, etc., for the qualitative and quantitative assessment of human actions. There is no attempt to reproduce quantitative analysis.


[Figure 1 - Human Reliability Analysis Review Approach: a flow of six boxes, Step 1 Scoping Review; Step 2 Detailed Review of HRA Sections; Step 3 Respond to Work Requirements; Step 4 Front/Back End Interfaces; Step 5 Prepare TER; Step 6 Closure Meeting]


(3) Response to Work Requirements - assessment of specific issues identified in the Task Order work requirements. This is an item-by-item assessment responding to each work requirement. The focus is identification of strengths and weaknesses of the HRA portions of the submittal and insights regarding important results or potential areas of improvement. Any questions that require additional input from the licensee are identified.

This step includes completion of the NRC data sheets, which is Work Requirement 2 in the Task Order.

(4) Interface with Front-End and Back-End Reviewers - two-way exchange of information and discussion of issues. The focus is on HRA aspects of front-end or back-end analysis, but the interaction includes a general exchange of information and findings. The interaction takes place informally throughout the review, but primarily after completion of the overview in Step 1 above, and again after completion of Steps 2 and 3 as writing of the TER begins. Additional interaction occurs during the closing meeting of NRC staff and IPE review contractors in Step 6.

(5) Prepare a Draft TER - develop and write a draft technical evaluation report. This involves: preparation of a draft report documenting all work accomplished, findings, and conclusions; internal technical review verifying findings and conclusions and compliance with Task Order Requirements; editorial review; and printing.

(6) NRC Staff and Contractor Meeting - held after submittal of the TERs from the contractors to review findings and conclusions and finalize questions for the licensee.

This final TER modifies and updates the draft version, incorporating information gained from the licensee's responses to NRC's request for additional information.

1.2 The Perry IPE HRA Approach

The Perry IPE consists of a full scope Level 2 Probabilistic Risk Assessment (PRA) without evaluation of external events. Initiating events were identified using industry data and comparison to NUREG/CR-4550, the Grand Gulf PRA. The "small event tree - large fault tree" methodology described in NUREG/CR-2300 (Ref. 1) was used for the PRA system analysis.

The Perry HRA was performed using a method developed by the Electric Power Research Institute (EPRI). The technical reference for this methodology, EPRI-TR-100259, is not in the open literature and it was unavailable for this review.

Operator error probabilities were evaluated by first breaking down each task into a detection, diagnosis, and decision (DDD) phase, and an execution phase. Time critical operator actions were analyzed using the time-reliability curve approach of the EPRI methodology. For tasks that are not time-critical or are dependent on time critical actions, an "alternate approach of the EPRI methodology" was used for the analysis. The execution phase of each task was analyzed using either a simplified ASEP (Ref. 2) or THERP-based approach (Ref. 3). The submittal also stated that some less important actions were estimated using data from the Grand Gulf PRA of NUREG/CR-4550.


2. CONTRACTOR REVIEW FINDINGS

The subsections below address each of the work requirements specified in the Task Order. For each item, there is an attempt to identify notable points about the submittal, both strengths and weaknesses, and insights with regard to the specific work requirement and the overall intent of Generic Letter 88-20.

2.1 General Review of the Human Reliability Analysis.

2.1.1 Completeness of the Submittal Information.

In general, the submittal contains the type and level of detail requested in NUREG-1335. The most obvious exception pertinent to HRA is the lack of information on the EPRI methodology.

Table 2-1 lists the major items identified in NUREG-1335 pertinent to HRA that were evaluated as part of the overall review of methodology. Findings related to each item are summarized in the subsections below.

2.1.1.1 General Methodology. The general methodology for accident sequence selection, accident sequence development, system modeling, HRA, and accident sequence quantification is described in Section 2 of the submittal. Section 2 also discusses quantification, plant damage states, containment evaluation, and risk contribution evaluation. Human actions are incorporated into the plant model, the combination of system trees and event trees, by including the human actions associated with safety functions on the event trees, and restoration errors on the system trees (Section 3.2). The human interactions were included in the plant model as basic events.

The events were defined in terms of the failure mode they represent. Detailed definition of the events was accomplished by examining the cues and procedures the operators use to guide their actions. Requirements for success of the events on a functional basis, the time available, and other factors that influence success or failure were also defined. All of these factors were assessed on a scenario basis, since accomplishing a given plant function varies from one accident sequence to another.

Therefore, the HRA approach taken requires a complete description of accident events. This was accomplished by studying the events in which human actions were significant contributors, and understanding the time line of events. Once the human events were fully understood in the context of the scenarios, the events were then quantified. The HRA methodology is described in more detail in Section 2.1.2 of this TER.


Table 2-1 NUREG-1335 HRA Items Checked - WR 1.1.1
(NUREG-1335 reference, followed by the information pertinent to HRA)

2.1.1 General Methodology:
  Concise description of HRA effort and how it is integrated with the IPE tasks/analysis.

2.1.2 Information Assembly:
  2.1.2.2 List of reference PRAs, insights regarding HRA, human performance.
  2.1.2.3 Concise description of plant documentation used for HRA information; concise discussion of the process used to confirm that the HRA represents conditions in the as-built, as-operated plant.
  2.1.2.4 Description of the walkthrough activity, including HRA specialist participation.

2.1.3 Accident Sequence Delineation:
  Description of process for assuring human actions considered in initiating events and accident sequence delineation; HRA specialist involvement.

2.1.4 System Analysis:
  Description of process for assuring that the impacts of human actions are included in systems analysis; process for integrating HRA.

2.1.5 Quantification Process:
  2.1.5.1 HRA in common cause analysis.
  2.1.5.3 Types of human failures considered in the IPE; a categorization and concise description exist.
  2.1.5.4 List of human reliability data and time available for recovery actions; data sources clearly identified; if screened, a list of errors considered, criteria for screening, and results of screening.
  2.1.5.5 List of HRA data obtained from plant experience and method/process for obtaining data; list of generic data.
  2.1.5.6 Concise description of method by which HEPs are quantified, including break down such as task analysis, and techniques for combining probabilities, assessing dependencies, etc.

2.1.6 Front-End Results and Screening Process:
  Human contributions to important sequences are clearly identified. A concise definition of vulnerabilities is provided, along with a discussion of criteria used to identify vulnerabilities. A listing of vulnerabilities is provided, with clear definition of those related to human performance. Underlying causes of human-related vulnerabilities are identified.
  2.1.6.6 Sequences that, were it not for low human error rates in recovery actions, would have been above the applicable core damage frequency screening criteria are identified and discussed.
  2.1.6.7 Any human performance issues pertinent to USIs or GSIs are identified and discussed as appropriate.

2.2 Back-End Submittal:
  Impacts of operator action on containment response are identified. Actions assumed to be accomplished by operators can reasonably be expected to be accomplished under the severe accident conditions expected; equipment accessibility, survivability, information availability, etc. have been considered. Critical human actions have been identified and included in the event trees and quantitative HRA assessments.

2.3 Specific Safety Features and Potential Improvements:
  Any human performance related aspects of unique and/or important safety features are discussed, including any that resulted in significantly lowering typically high frequency core melt sequences. Human related potential improvements - procedures, training, etc. - in response to vulnerabilities are clearly identified and discussed.

2.4 IPE Utility Team and Internal Review:
  The submittal describes the utility staff participation and involvement in the HRA. An independent in-house review of the HRA was conducted.


2.1.1.2 Information Assembly. Section 2.4 of the submittal provides an overview of the information assembly and review of related documents. Similar PSAs were reviewed by the licensee for possible HRA insights, including the Grand Gulf PRA and other BWR/6 PRAs.

The submittal discussed, in general terms, the information assembly process employed by all disciplines involved in the IPE. The task plans used for each portion of the analysis and reporting are listed in Table 2-1 of the submittal.

As a first step in the information assembly, documents required to perform the analysis were assembled and reviewed. In addition to other PSAs, this document review included piping and instrumentation diagrams (P&IDs), normal and emergency procedures, control room logs, maintenance records, and selected thermal hydraulic analyses performed by GE and Gilbert/Commonwealth. PSAs from Kuosheng and Cofrentes (foreign BWR/6 plants) were also obtained for reference.

Teams from each of the major disciplines were given plant familiarization, since a significant portion of the team consisted of contractor personnel from Gilbert/Commonwealth (the plant architect/engineer) and Halliburton NUS. Plant familiarization consisted of review of system descriptions and plant visits.

The submittal notes that HRA analysts worked closely with the procedures group at the plant to ensure that the latest emergency procedures were used in the analysis. Plant walkdowns and interviews with the training staff were used to assess the timing of important operator actions.

2.1.1.3 Accident Sequence Delineation. Accident sequence delineation is discussed in Section 3.1 of the submittal. Initiators were selected based on the criterion of a plant occurrence that either initiates an automatic scram, or requires immediate manual trip of the plant with a challenge to safety systems. The events identified fell into one of three categories: transients, LOCAs, or special initiators (loss of electrical power, instrument air, etc.). After grouping the initiating events according to plant response, frontline event trees were developed. Included in the submittal is the general description of each event tree, success criteria, and a description of each node making up the event tree.

2.1.1.4 System Analysis. System analysis is in Section 3.2 of the submittal. Using the analysis of initiating events, the systems required to respond to the events were identified. Identification of systems concentrated on decay heat removal and containment integrity, resulting in a broader list of plant functions required to meet these requirements. In general, the accident sequence analysis results in the identification of the functional requirements, which in turn are translated into individual system requirements. This information is presented in the submittal in the form of a system description, system operation, system interface and dependencies, and success criteria for each front-line system.

2.1.1.5 Quantification Process. The sequence quantification process is described in Section 3.3. The sources of generic data are clearly identified. The major reference for generic data is the Grand Gulf PRA in NUREG/CR-4550. Also, the NUS BWR Generic Data Base, a summary of LERs (NUREG/CR-1363), IEEE-500, WASH-1400, GESSAR II, and the Kuosheng PRA were compared to NUREG/CR-4550 to establish that the results in the Grand Gulf study are of the same order of magnitude. Significant plant specific data were not available for the IPE, since the plant had operated for only one cycle when the IPE process began.

Quantification of human interaction (HI) basic events considered three classes of events, depending on the time at which the event occurs in the accident scenario. "Type A HIs" occur before the event initiator, and are the result of human errors during maintenance, testing, or calibration activities. "Type B HIs" are those that result in, or contribute to, initiating events.

These are implicitly incorporated in the initiating event frequencies obtained from plant operating experience. Therefore, Type B HIs are not included in the IPE HRA analysis. "Type C HIs" are broken down into two sub-classes: (1) operator actions performed in response to an Emergency Operating Procedure (EOP), including manual backup on failure of automatic initiation of systems, and (2) recovery actions in response to unavailability of a safety function that failed because of equipment malfunction. These events are referred to as Type CP and Type CR events, respectively. Type CP events can either appear as headings in the event trees, or as basic events in system or functional fault trees. Type CR events are addressed at the accident sequence cutset level.

Type A interactions were subjected to a qualitative screening (discussed in more detail in Section 2.1.2 of this TER). In general, the probability that a system would be left in a condition where it could not meet its safety function is greatly reduced if the system is functionally tested following maintenance. Also, if there is clear indication or alarms in the control room, or the system is checked daily, then the probability that the system is not properly aligned is low. After applying the screening criteria, only restoration faults on non-safety systems were evaluated for Type A HIs.

Type C HIs were analyzed for each of the accident scenarios in the plant logic model. A task analysis was performed to understand the cues and procedures for accomplishing a plant function, the actions necessary to accomplish a function successfully, the time available, and other factors that influence probability of success or failure. Dependencies among HI events were identified as the next step in the analysis. The identification of dependencies was performed to determine cases where success or failure in a preceding event affects the probability of success or failure of another event. Dependencies for "cognitively correlated" HIs were identified by four criteria that are discussed in more detail in Section 2.1.2 of this TER.

Final quantification of HIs was accomplished by first dividing response into two components: a detection, diagnosis, and decision (DDD) phase, and an execution phase. Time reliability curves from the EPRI approach were used to quantify time-critical HIs. For HIs dependent on time-critical HIs, or those that are not time-critical, a simplified THERP or the ASEP approach was used to estimate HEPs for the execution phase. Quantification was performed on a sequence by sequence basis to more completely address the dependency issues.


Common cause failures were identified using NUREG/CR-4780 guidelines. Miscalibration of sensors is a human related common cause failure that was included in the analysis, since such failures affect the actuation of safety systems. However, Appendix D of the submittal states that common cause error was not evaluated explicitly, but was included with a value representing a tenth of the failure of a single sensor.

2.1.1.6 Front-End Results and Screening Process. Front-end results, including internal flooding, and the screening process are reported in Section 3.4 of the submittal. Included in this discussion are Perry definitions of core damage and vulnerabilities. Vulnerabilities are discussed in Section 2.4.1 of this TER.

The screening criteria used for reporting event frequencies and core damage frequency were taken from NUREG-1335. The event trees were constructed with plant functions, combining one or more systems and operator actions, used as the headings. However, the criteria for systemic sequences rather than functional sequences were used for the screening. The following six screening criteria were used (quoted directly from the submittal):

1. Any sequence that contributes 1E-07 or more per reactor year to core damage has been included in the summary of core damage frequencies by initiating event. (Table 3.4.1-1)
2. Any sequence that contributes 1E-07 or more to the total core damage frequency, grouped by initiator. (Table 3.4.1-2)
3. All sequences that are within the upper 95% of the total core damage frequency. (Table 3.4.1-3)
4. Any systemic sequences that contribute to a containment bypass frequency in excess of 1E-08 per reactor year. (Table 3.4.1-4)
5. Any systemic sequences that are determined from previous applicable PRAs or by engineering judgement to be important contributors to core damage frequency or poor containment performance which are not already included in Tables 3.4.1-1 through 3.4.1-4.
6. All systemic sequences greater than 1% within the upper 95% of the total containment failure frequency. (Table 3.4.1-11)

Core damage frequency calculations were performed using a truncation value of 1E-10 for sequence cutsets. Recovery actions were included in the event trees after the initial quantification. No sequences were cut off after adding the recovery actions. The significant contributors to core damage frequency were subjected to three separate analyses: sensitivity, importance, and uncertainty. The importance analysis identifies the dominant contributors to the core damage frequency and source term frequency. One product of the sensitivity analysis is the identification of events where the core damage frequency was reduced below the screening criteria because of an order of magnitude change attributed to operator recovery actions. Table 3.4.1-12 of the submittal lists the recovery actions included in the model. Table 3.4.1-5 lists the sequences that were reduced below 1E-07 due to recovery actions. This table compares the base case (with recovery actions) with the CDF obtained by setting the HEPs to 1.0. Also of interest is Table 3.4.1-13 of the submittal, which shows the impact of the three most significant recovery actions on the total core damage frequency. Finally, the contribution to total CDF due to operator actions can be found in Table 3.4.1-14 of the submittal. The base case CDF is reported as 1.2E-5. With perfect operator performance, there is a 66% reduction in CDF to 3.9E-6.
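As an added illustration of the screening criteria quoted above and of the Table 3.4.1-5 comparison of the base case against HEPs set to 1.0, the following Python is not from the submittal or from this TER. It applies criterion 1 (1E-07 per reactor year), criterion 3 (upper 95% of total CDF), the 1E-10 cutset truncation (applied before recovery credit, with nothing cut off afterwards) and the recovery sensitivity check to a small sequence set; the sequence names, cutset values and recovery HEPs are constructed and are not Perry results.

```python
"""Sequence screening and recovery-action sensitivity check.

Added example, not the submittal's tool. Sequence data are invented.
"""
from dataclasses import dataclass

FREQ_THRESHOLD = 1e-7        # criteria 1 and 2: 1E-07 per reactor year
UPPER_FRACTION = 0.95        # criterion 3: upper 95% of total CDF
CUTSET_TRUNCATION = 1e-10    # truncation value used for sequence cutsets


@dataclass
class Cutset:
    """One minimal cutset: hardware/initiator term times any credited recovery HEPs."""
    hardware: float
    recovery_heps: tuple = ()

    def frequency(self, credit_recovery=True):
        freq = self.hardware
        if credit_recovery:
            for hep in self.recovery_heps:
                freq *= hep
        return freq


@dataclass
class Sequence:
    name: str
    initiator: str
    cutsets: list

    def frequency(self, credit_recovery=True):
        # Truncation is applied to the pre-recovery cutset value, and no
        # cutset is dropped after recovery actions are added.
        return sum(c.frequency(credit_recovery)
                   for c in self.cutsets if c.hardware >= CUTSET_TRUNCATION)


def total_cdf(sequences, credit_recovery=True):
    return sum(s.frequency(credit_recovery) for s in sequences)


def screen_by_threshold(sequences, credit_recovery=True):
    """Criterion 1: sequences contributing 1E-07 or more per reactor year."""
    return [s.name for s in sequences if s.frequency(credit_recovery) >= FREQ_THRESHOLD]


def screen_upper_fraction(sequences, fraction=UPPER_FRACTION):
    """Criterion 3: highest-frequency sequences that make up the upper 95% of CDF."""
    ranked = sorted(sequences, key=lambda s: s.frequency(), reverse=True)
    target = fraction * total_cdf(sequences)
    kept, running = [], 0.0
    for s in ranked:
        kept.append(s.name)
        running += s.frequency()
        if running >= target:
            break
    return kept


def reduced_below_threshold_by_recovery(sequences):
    """Sequences at or above 1E-07 with HEPs = 1.0 but below it once recovery is credited."""
    return [s.name for s in sequences
            if s.frequency(credit_recovery=False) >= FREQ_THRESHOLD
            and s.frequency(credit_recovery=True) < FREQ_THRESHOLD]


def recovery_credit_fraction(sequences):
    """Fraction of CDF removed by crediting operator recovery (HEPs = 1.0 vs. base case)."""
    no_credit = total_cdf(sequences, credit_recovery=False)
    return (no_credit - total_cdf(sequences)) / no_credit


# Constructed sequence set (invented values, not Perry results).
SEQUENCES = [
    Sequence("S1", "LOOP",  [Cutset(5e-6, (0.1,))]),
    Sequence("S2", "TRANS", [Cutset(2e-7, (0.05,))]),
    Sequence("S3", "LOCA",  [Cutset(3e-6)]),
    Sequence("S4", "TRANS", [Cutset(8e-8)]),
    Sequence("S5", "LOOP",  [Cutset(5e-11)]),   # below truncation, dropped
]

if __name__ == "__main__":
    print("criterion 1:", screen_by_threshold(SEQUENCES))
    print("criterion 3:", screen_upper_fraction(SEQUENCES))
    print("reduced below 1E-07 by recovery:", reduced_below_threshold_by_recovery(SEQUENCES))
    print("CDF reduction from recovery credit: %.0f%%" % (100 * recovery_credit_fraction(SEQUENCES)))
```

With these constructed values S2 is the kind of sequence Table 3.4.1-5 reports: above the 1E-07 criterion with the recovery HEP set to 1.0, below it in the base case. Running the threshold screen with `credit_recovery=False` is the check a reviewer would make for work requirement 2.2.2 (sequences screened out because of low human error).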

Several human error contributors to core damage frequency were identified in Section 3.4.1.1. The third highest contributor to core damage frequency is failure of the operator to maintain the power conversion system during ATWS with the power conversion system initially available (NSHICPEC5-2-L1T3). Failure to perform this action is assumed, and the HEP is set to 1.0. Failure of the operator to re-open the motor feed pump control valves or manually depressurize the reactor during ATWS with loss of PCS (FWHICPEL-2-FDW-V) is the fifth most important event for core damage. Analysis in Appendix D shows how the HEP of 5E-03 was derived. The final human error contributor to CDF is the failure of the operators to inhibit ADS for ATWS scenarios where the feedwater system has failed (ADHICPC5-ADS-0). This is the seventh most important contributor to core damage frequency, and the HEP was calculated to be 7.2. (We assume that all HEPs ≥ 1.0 are entered into the system model as 1.0.)

Section 3.4.3 of the submittal reports the results of evaluating plant capabilities for Unresolved Safety Issue (USI) A-45, decay heat removal. The evaluation determined that three types of events at Perry were significant for this issue: loss of offsite power and make-up, loss of coolant inventory make-up at low pressure, and loss of high pressure make-up and failure to depressurize. Since these events are already analyzed in the plant model, the human reliability impact on the USI is incorporated in the analysis.

2.1.1.7 Back-End Submittal. The back-end analysis is described in Section 4 of the submittal. Very little reference is made to operator actions. The interface between the front-end and back-end is a set of plant damage states containing the front-end sequences. References to human actions and failures are found in a number of places throughout the back-end analysis, for example in the identification of key event timing, plant damage state event trees, and containment event trees. An important mode of containment failure included an operator error for failure to initiate the hydrogen ignition system.

2.1.1.8 Specific Safety Features and Potential Improvements. Section 6.2.1 of the submittal lists the plant improvements made as a result of IPE insights. In addition, the submittal cover letter lists improvements under evaluation, and one potential improvement that was rejected. Plant improvements made include steps taken to reduce CDF by improving instructions for loss of offsite power and flooding. Several system modifications are also listed, and the out-of-service time for certain critical components was reduced. HRA related plant improvements will be discussed later in this TER.


2.1.1.9 IPE Utility Team and Internal Review. Overall responsibility for the IPE development was given to Halliburton NUS because of a lack of experienced analysts on the plant staff. Up to five engineers were assigned to the IPE, but only three were assigned full time. The submittal states that utility personnel were involved in all portions of the analysis, but it is not clear to what extent the utility personnel were involved in the HRA. Also, since the utility did not have the expertise available on staff at the time the IPE was undertaken, the experience gained from the IPE process should be available to continue with the "living" PRA.

2.1.2 Clarity of the HRA Methodology Description.

The discussion of the HRA methodology is in the first seven pages of Appendix D of the submittal. A detailed description of the methodology used is not included in the discussion, and the justification for the methods used to quantify the human error probabilities (HEPs) is not clear. Appendix D states that the EPRI approach was used for the Detection, Diagnosis, and Decision (DDD) phase, while either the ASEP or THERP methods were used for quantification of the execution phase. Some of the details of the EPRI approach can be found in the analysis of the operator actions, but there are no examples of the time reliability curves that were used for point estimates. The referenced document for the methodology, "An Approach to the Analysis of Operator Actions in Probabilistic Risk Assessment," EPRI-TR-100259, was not available for this assessment.

The submittal states that the analysis is documented on a function-by-function basis in the context of the sequences, so that the relationship between the human interactions and the scenario can be explored. The analysis, therefore, concentrated on only those actions that were direct contributors to system performance and appear in functional fault trees or as contributors to the top gates of system fault trees.

The first step of the analysis was to identify the Type A and Type C HIs. This was accomplished as part of the systems and event tree development. Type A HIs were qualitatively screened using the following criteria:

General Component Type A Guidelines

- Restoration faults following maintenance were not postulated if the system undergoes a full functional test following completion of maintenance.

- Restoration faults were not postulated if the component has an indication in the control room which is verified on a daily basis, and it is readily apparent to the operators if out of position or if power is disconnected.

- Restoration faults were not postulated if the components are included on a daily checklist.

Manual Valve Type A Guidelines

- Restoration faults were not postulated if there is double (independent) verification of position following test/maintenance and the valve is also verified in the correct position between test events (e.g., on a checklist).

- Restoration or mispositioning faults were not modeled if the valve is administratively controlled to be in its correct alignment as locked open, locked closed, or locked throttled, and checked quarterly or more frequently.

Valves (Other Than Manual) Type A Guidelines

- Restoration faults were not postulated if the valve has an individual position indication in the control room, and is included on a daily (or more frequent) checklist.

- Restoration faults were not postulated if the valve receives a signal to go to the correct position, and a position indication light shows if power is not connected.

- Restoration faults were not postulated if there is double (independent) verification of position following test/maintenance, and the valve is also verified in the correct position between test events (e.g., on a checklist).

- Restoration faults were not modeled if the valve is administratively controlled to be in its correct alignment as locked open, locked closed, or locked throttled with motive power removed.
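The Type A screening guidelines quoted above are, in effect, a set of per-component-type predicates. The Python below is an added example, not a tool from the submittal, that encodes those guidelines over a constructed component record and reports which restoration faults survive screening and why. The attribute names, the three component kinds and the sample components are assumptions made for the illustration; the component tags are invented, not Perry equipment.

```python
"""Type A (pre-initiator restoration fault) screening.

Added example, not the submittal's tool. Component records are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Component:
    name: str
    kind: str                                   # "general", "manual_valve" or "powered_valve"
    functional_test_after_maintenance: bool = False
    indication_verified_daily: bool = False     # control room indication checked daily, misposition apparent
    on_daily_checklist: bool = False
    double_verification_after_test: bool = False
    verified_between_tests: bool = False        # e.g. on a checklist between test events
    administratively_locked: bool = False       # locked open / closed / throttled
    checked_quarterly: bool = False
    motive_power_removed: bool = False
    individual_position_indication: bool = False
    signal_to_correct_position: bool = False    # receives signal to correct position, light shows if unpowered


def screening_reason(c: Component) -> Optional[str]:
    """Return the guideline that screens out the restoration fault, or None if it is retained."""
    if c.kind == "general":
        if c.functional_test_after_maintenance:
            return "full functional test following maintenance"
        if c.indication_verified_daily:
            return "control room indication verified daily"
        if c.on_daily_checklist:
            return "included on a daily checklist"
    elif c.kind == "manual_valve":
        if c.double_verification_after_test and c.verified_between_tests:
            return "double verification plus verification between tests"
        if c.administratively_locked and c.checked_quarterly:
            return "administratively locked and checked quarterly or more often"
    elif c.kind == "powered_valve":
        if c.individual_position_indication and c.on_daily_checklist:
            return "individual position indication and daily checklist"
        if c.signal_to_correct_position:
            return "receives signal to correct position with power indication"
        if c.double_verification_after_test and c.verified_between_tests:
            return "double verification plus verification between tests"
        if c.administratively_locked and c.motive_power_removed:
            return "administratively locked with motive power removed"
    else:
        raise ValueError(f"unknown component kind: {c.kind}")
    return None  # no guideline applies: restoration fault stays in the model


def retained_restoration_faults(components):
    """Names of components whose Type A restoration fault remains in the plant model."""
    return [c.name for c in components if screening_reason(c) is None]


SAMPLE_COMPONENTS = [  # constructed records, not Perry components
    Component("PUMP-1A", "general", functional_test_after_maintenance=True),
    Component("MV-101", "manual_valve", double_verification_after_test=True),  # never checked between tests
    Component("MV-102", "manual_valve", administratively_locked=True, checked_quarterly=True),
    Component("MOV-13", "powered_valve", individual_position_indication=True, on_daily_checklist=True),
    Component("AOV-7", "powered_valve"),   # non-safety valve with no administrative controls
]

if __name__ == "__main__":
    for c in SAMPLE_COMPONENTS:
        print(c.name, "->", screening_reason(c) or "RETAINED")
```

Only MV-101 and AOV-7 survive: the manual valve has double verification after maintenance but no check between tests, so neither manual-valve guideline is satisfied, and the air-operated valve has no controls at all. Recording the reason string for each screened fault is what makes the screening auditable in the way the reviewer asks for in Table 2-1 (item 2.1.5.4: criteria for screening and results of screening).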

After applying the above screening criteria, no Type A HIs for safety systems remained.

However, Type A HIs for non-safety systems were included in the plant model. A number of the Type A HIs appear in Table 3.3.3-1 of the submittal with a zero HEP.

Type C HIs (procedural and recovery actions) were analyzed in the context of the scenarios in which they were performed to account for different influences on the same action between scenarios. Therefore, the first step in the analysis of the Type C HIs was to understand the cues and procedures the operators use to guide them to perform the required functions, the time available, and other factors that might influence their probability of success or failure. The events were defined as clearly as possible prior to quantification.

A key factor in the HRA is determining the influences on a given human action resulting from performance / failure to perform previous human actions. Functional dependencies were identified by the following guidelines (quoted from the submittal):

- If two HI events are associated with responses to the same plant status, the cognitive part of the failure probabilities are considered to be totally dependent.


- As a corollary to this, if, in the chronological development of the scenarios, an HI failure event follows a successful HI, and the procedural instructions for both events are closely related, the cognitive failure probability of the second HI should be very small and can be neglected, since the success in the first event implies a successful recognition of the scenario.

- If human interactions are i) separated by a significant time (i.e., time between cues or required responses is long), or ii) separated chronologically in the sequence by a successful action, and/or iii) responses to different cues in different parts of the EOPs, they may be regarded as being independent.

- In addition, the early memorized responses may be regarded as independent from those actions for which the procedures are expected to be providing the direction.

Other types of dependency, such as the fact that performing a given function may take resources away from the performance of another action, are also considered in the analysis. This dependency is evaluated by the role of the crew personnel, both in performing the procedural action, and recovery from failure to execute correctly.
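The following is an added example, not part of the TER or the Perry IPE submittal, that turns the functional-dependency guidelines quoted above into a small calculation. Each human interaction (HI) is split into a cognitive part (detection, diagnosis, decision) and an execution part; the HI names and all probabilities are constructed for illustration, and treating the shared cognitive failure with the first HI's value is a modelling assumption of this example, not a rule stated in the submittal.

```python
# Added example, not from the TER or the Perry IPE submittal. Models how the
# functional-dependency guidelines change the joint failure probability of two
# human interactions (HIs). All numbers are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class HumanInteraction:
    name: str
    p_cognitive: float  # crew fails to recognise the situation / decide to act
    p_execution: float  # crew decides correctly but fails to carry the action out

    def p_fail(self) -> float:
        """Unconditional failure probability: cognitive OR execution failure."""
        return 1.0 - (1.0 - self.p_cognitive) * (1.0 - self.p_execution)


def joint_failure_independent(a: HumanInteraction, b: HumanInteraction) -> float:
    """Both HIs fail, treated as independent (guideline iii: long separation in
    time, a successful action in between, or different cues in the EOPs)."""
    return a.p_fail() * b.p_fail()


def joint_failure_same_cue(a: HumanInteraction, b: HumanInteraction) -> float:
    """Both HIs fail when they respond to the same plant status (guideline i).
    The cognitive parts are totally dependent: if the crew misreads the plant
    state for the first action it misreads it for the second, so the shared
    cognitive failure is counted once, using the first HI's value (assumption
    of this example). Execution parts remain independent."""
    p_cog_shared = a.p_cognitive
    return p_cog_shared + (1.0 - p_cog_shared) * a.p_execution * b.p_execution


def failure_after_related_success(b: HumanInteraction) -> float:
    """Corollary guideline: b follows a successful, closely related HI, so the
    scenario has already been recognised and only b's execution part can fail."""
    return b.p_execution


def coupling_ratio(a: HumanInteraction, b: HumanInteraction) -> float:
    """Factor by which the independence assumption understates the coupled case."""
    return joint_failure_same_cue(a, b) / joint_failure_independent(a, b)


if __name__ == "__main__":
    # Constructed pair of actions both cued by the same indication.
    hi_a = HumanInteraction("first action", p_cognitive=0.01, p_execution=0.001)
    hi_b = HumanInteraction("second action", p_cognitive=0.01, p_execution=0.001)
    print(f"each HI alone:            {hi_a.p_fail():.6g}")
    print(f"both fail, independent:   {joint_failure_independent(hi_a, hi_b):.6g}")
    print(f"both fail, same cue:      {joint_failure_same_cue(hi_a, hi_b):.6g}")
    print(f"second after 1st success: {failure_after_related_success(hi_b):.6g}")
    print(f"coupling ratio:           {coupling_ratio(hi_a, hi_b):.1f}")
```

With the constructed values the coupled (same cue) joint probability is roughly eighty times the independent one, which is the kind of gap behind the Level I reviewers' concern, discussed in Section 2.1.4 below, that no coupled human errors survived truncation.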

2.1.3 Process to Confirm that the IPE Represents the As-built, As-operated Plant.

Section 2.4 on information assembly describes the steps taken to ensure the IPE represents the as-built, as-operated plant. January 1, 1990 was used as a cut-off date for collection of design and operational information. Among the steps listed in Section 2.4, the HRA analysts were provided with a current set of operating procedures. The HRA analysts also discussed actions with operations and training personnel.

2.1.4 Peer Review of HRA.

The review process is discussed in Section 5.2 of the submittal. Two reviews pertinent to HRA were performed by Perry Operations Staff. The initial operations review was performed by two licensed operators. Their comments were addressed and incorporated into the model. Following quantification, the dominant sequences were reviewed by licensed operators, including a Shift Supervisor, in the procedures organization that was responsible for developing the emergency procedures using the BWR Owners Group Emergency Procedures Guidelines (EPGs).

Further, a Level I review was performed by outside consultants. The major HRA issue raised during this review was the conclusion that no coupled human errors survived truncation. The use of symptom-based EPGs did not justify decoupling of many actions, and some coupling would still be expected due to time coincidence of some actions. At the time of the Level I review, the HRA was undergoing an internal review. During the internal review, coupling of a number of actions was identified for the ATWS sequences in the initiation of some systems. This resulted in modification of the human reliability modeling and quantification. While the submittal did not specifically describe an HRA review process, we infer from the comments that the review teams contained sufficient HRA expertise to identify and address substantial HRA issues.

2.2 Review of the Most Likely Sequences.

2.2.1 Consistency of Operator Actions and Results with NUREG-1150 and Other NRC Accepted PSAs.

Frequent reference to the Grand Gulf PSAs of NUREG/CR-4550 and NUREG/CR-4551 was made throughout the Perry IPE. It was noted that the Perry plant had only one cycle of operation at the time the IPE began. Therefore, the historical data of the Grand Gulf PSAs were a viable substitute for plant operating experience.

Comparison of the HRA portion of the Grand Gulf PRA with the Perry IPE reveals that the basic approach to identifying human errors is similar. The Grand Gulf PRA, however, did not include the qualitative screening employed by Perry for the pre-initiator errors. Values are given in the Grand Gulf results for a considerable number of failure-to-restore actions that would have been screened out by the Perry methodology (e.g., "Failure to restore CRD valve V217B following maintenance" on Table 4.8-1). Point estimates for similar actions appear in Table 3.3.3-1 with a value of zero. For post-accident human actions, the grouping of actions in the Grand Gulf PRA differed from that of Perry. The Perry list appears to be somewhat more complete than the Grand Gulf list. In general, the Grand Gulf results show higher HEPs for similar actions. For example, the emergency depressurization during ATWS is given as 7E-03 or 1.4E-02 in Perry versus 0.125 in Grand Gulf. However, verification of individual results is beyond the scope of this review. Few actions in the Grand Gulf PRA had a value less than 1E-03. However, as discussed in the next section of this TER, there is some question concerning the use of zero probabilities and one very low HEP (1.0E-10) in the model.

2.2.2 Accident Sequences Screened Out Because of Low Human Error.

A qualitative screening process was used for pre-initiator human events. For events screened out using the criteria listed in Section 2.1.2 of this TER, a value of zero was used in the model.

There is some question as to whether a quantitative screening would have included some events that were eliminated using the qualitative screening.

The discussion of events screened out due to low human error is provided in the section on sensitivity analysis (3.4.1.6). To assess the sensitivity to human error probabilities, the values were increased by a factor of ten if the base value was 0.1 or less. If the base case was between 0.1 and 1.0, the value was increased to 1.0. The core damage frequency increased by a factor of 28 as a result of this sensitivity analysis. The importance of training and procedures was the key factor in these results. Table 3.4.1-5 of the submittal lists 53 accident sequences that were screened out due to human interactions. These sequences fell into three groups: failure of decay heat removal, ATWS events, and events associated with manual depressurization.


A number of the actions included on the human interaction basic events list that could potentially impact these events have zero listed for the HEP (point estimate). These are the pre-initiator human errors that were excluded because of the screening criteria used. An example is failure to restore Standby Liquid Control following maintenance or test (action SLHIMA in Table 3.3.3-1).

A zero HEP for this action would have a significant effect on the quantification of the ATWS scenarios. The core damage frequency for these events is relatively high (4.74E-06, 40.7% of total CDF). Therefore, use of some non-zero value for SLHIMA would affect core damage frequency for ATWS events. Licensee response to NRC's question regarding this issue indicated that the typical unavailability of equipment associated with such pre-initiator human actions is 3E-03, and that typical HEPs (e.g., from THERP) are 1E-05 or 1E-06. The licensee therefore concludes that it is appropriate to ignore these actions in the IPE model.

In addition, the licensee did not include miscalibration of sensors in the assessment of pre-initiator human errors. Licensee response to an NRC question regarding this omission was that miscalibration errors were modeled as common cause basic events and assigned a value of 0.1 times the value for random component failure. Further, the licensee stated that a sensitivity study with miscalibration common cause basic events increased to a value of 9.3E-02 resulted in only a 79 increase in CDF.

The numerical estimate of CDF may or may not have been substantially altered as a result of a more in-depth and direct human reliability assessment of miscalibration and restoration errors.

However, the greater benefit to be derived from performing the HRA is the increased understanding of the plant-specific factors that could lead to human error. This understanding comes from a systematic and rigorous assessment of procedures, discussion with maintenance and operations personnel, and thorough evaluation of actual plant practice. Use of simplified screening rules and "arbitrary" removal of actions such as calibration tasks from further consideration limit the licensee's ability to obtain such insights as recommended by NUREG-1335 guidance, which instructs the licensee to examine procedures (including maintenance and surveillance procedures) to develop an understanding of the underlying causes of contributions to core damage.

2.3 Quantitative Results.

2.3.1 Appropriateness of Numerical Screening Values.

A quantitative screening was not performed for this analysis. Appendix D of the submittal discusses only the qualitative screening performed for maintenance, test, and calibration activities.

After applying the screening criteria, only errors in non-safety related systems remained. The criteria used in the qualitative screening were listed in Section 2.1.2 of this TER. For procedural and recovery errors, the submittal states that operator actions in the emergency procedures were included in the model. While the "criteria" used for the qualitative screening, taken individually, appear to be reasonable, the submittal would have been enhanced by a discussion addressing what the analysts did to assure themselves that significant human errors were not screened out. For example, how did they achieve a level of confidence comparable to what would be expected from a more traditional approach of using quantitative screening values with relatively high HEPs?

2.3.2 Completeness of Information on Human Error Probabilities.

Part B of Appendix D of the submittal describes, at a general level, the analysis for each important action included in the model. Human actions associated with five types of events were analyzed: ATWS, Loss of Offsite Power, Station Blackout, Transients and LOCAs, and other events that require the operator to recover from specific failures (including some post-core damage actions). A thorough description of the analysis for a number of the important actions is included. This description includes sample calculations, data sheets, and sample trees. Each error in Table 3.3.3-1, with the exception of pre-initiator actions on safety systems, is discussed in Appendix D.

2.3.3 Information on Sources of Generic Human Reliability Data.

Sources of generic data are identified. Generic values for the execution phase of certain actions were taken from The Handbook or the Grand Gulf PRA, though the submittal did not identify which HEPs were taken from which source. Quantification of less important actions was based on assigned screening values derived from engineering judgement.

2.3.4 Description of the Recovery Method.

Recovery actions are included in the Type C HIs analyzed in Part B of Appendix D. However, most of the actions analyzed were procedural errors. The recovery actions were addressed at the accident sequence cutset level. Table 3.4.1-12 lists 12 recovery actions that were included in the model, and Table 3.4.1-13 shows the impact of the three most significant recovery actions on the core damage frequency. Recovery actions, in general, yielded improvements in core damage frequency of less than an order of magnitude. The individual actions nominally improved core damage frequency by a factor of two, while the combination of all three improved core damage frequency by a factor of 3.5.

2.4 The IPE Approach to Reducing the Probability of Core Damage or Fission Product Release.

2.4.1 Definition of Vulnerability.

The IPE uses a definition of vulnerability based on the NUMARC Severe Accident Closure Guidelines which state, "If the contribution from a given initiator or system failure is greater than 50 per cent of the total core damage frequency it is interpreted as a significant vulnerability, if it contributes 20-50% it is interpreted as a potential vulnerability to be investigated. Similarly, contribution from sequence groups between a core damage frequency of 10^-5 to 10" are reviewed to determine if there is an effective plant procedure or hardware change which would reduce the frequency of the sequences." Table 7-1 of the submittal, a summary of core damage frequency by events, shows that no single initiator contributes more than 35% (an ATWS sequence; total for ATWS sequences was 40.7%) to total CDF. Table 7-3 shows events by grouping, in which no single group contributes more than 22% to total CDF. Therefore, the IPE results support the definition of vulnerability, and indicate that no vulnerabilities exist.

2.4.2 Reasonableness of Identified Human Related Plant Modifications.

Plant improvements made as a result of IPE insights include enhancements to the procedures for loss of offsite power and flooding. The improvements to the loss of offsite power procedures include retention of the RCIC isolation bypass on high steam tunnel temperature caused by a loss of ventilation. Also, the process for crosstieing Unit 1 and Unit 2 batteries and recovery of offsite power to the HPCS were enhanced. The improvement to the flooding instructions relates to the response to flooding scenarios.

2.5 Interface Issues With Front End and Back-End Reviewer.

No back-end issues related to HRA were identified. Several requests for additional information identified from the front-end review were directly related to operator actions and HRA modeling.

Licensee responses to these requests are addressed in the final report from the front-end reviewer.


3. OVERALL EVALUATION AND CONCLUSIONS

On the basis of our review, we concluded that, with regard to the HRA, the submittal demonstrates that the licensee used a reasonable process to meet the intent of Generic Letter 88-20. Overall, the HRA methodology used for identification of important human actions, analysis of factors influencing human performance, quantification of human error, and assessment of the impact of human error on system response (and therefore CDF and releases) appears reasonable and consistent with practice in other PSAs. A reasonable process was in place to identify potential human-related improvements.

A notable weakness of the submittal documentation is the lack of information on the EPRI methodology used as a primary tool for quantification of human error. The unavailability of source documentation and the lack of sufficient information within the submittal on the technical bases for this methodology and the use of the methodology by the licensee significantly impacted our ability to assess the licensee's approach. It is important that the licensee provide the appropriate reference(s) and sufficient discussion of the inputs, assumptions and rationale employed by the HRA analysts in applying the methodology. Information on the EPRI approach was obtained by NRC subsequently. It was not possible to re-examine the submittal in detail. However, a very general overview indicates that the EPRI methodology was appropriately applied.

The limited treatment of pre-initiator human errors, especially calibration errors, also is considered to be a weakness of the HRA. More thorough assessment of potential underlying causes for pre-initiator human error is recommended in follow-on studies by the licensee.


4. IPE EVALUATION AND DATA SUMMARY SHEETS

IPE DATA SUMMARY SHEETS (HUMAN RELIABILITY)

Plant Name: Perry Nuclear Power Plant

Information Assembly

- List of plants, PSAs or other analyses known to have employed similar HRA methodology.

Perry is a BWR/6 with a Mark III containment design. The Grand Gulf Level 3 PRA of NUREG/CR-4550 and NUREG/CR-4551 (NUREG-1150 reports) were used as references for the Perry IPE.

- Ex-control room actions treated? List.

Several ex-control room actions were included in Table 3.3.3-1. For example, alignment of Firewater Alternate Injection, and vent path lineup for venting through the containment spray sparger or fuel pool cooling and cleanup system.

Human Failure Data (Generic and Plant Specific)

Analytic method used, e.g., Expert Judgement, THERP, SLIM MAUD, HCR, TRC.

Three separate methods were used for the total HRA effort. For time-critical actions, the time-reliability curves in the EPRI approach to HRA were used to estimate the probability of failure in the detection, diagnosis, and decision (DDD) phase. The reference for this methodology is "An Approach to Analysis of Operator Actions in Probabilistic Risk Assessment," EPRI-TR 100259. It was noted in Appendix D of the submittal that the EPRI reference contained a second quantification methodology referred to as the decision tree approach. A simplified THERP or ASEP approach was used to estimate the HEP for the execution phase of operator actions. The analysis concentrated on human interaction events which are direct contributors to system performance and appear in functional fault trees or as contributors to the top gates of system fault trees.

Were the following human errors considered:

(1) Pre-initiator, e.g., maintenance error including testing, equipment calibration, and restoration?


Testing, maintenance, and calibration activities were analyzed, although no list of the actions was included in the IPE. Appendix D of the submittal contains a discussion of the criteria used to screen the ex-control room actions. The actions screened include maintenance, test, and calibration of general components, manual valves, and valves (other than manual). After applying the screening criteria, the analysts concluded that only non-safety system components remained. Therefore, no detailed analysis of the errors was performed. In the case of instrument and system air systems, however, a restoration error was assigned an HEP of 1E-03. No explanation of this value is given.

(2) Post-initiator procedural?

The submittal states that a wide range of specific actions following an accident are classified as Type C Human Interactions (HIs). Type C HIs are comprised of two sub-categories, operator responses to procedures, and recovery actions.

(3) Post-initiator recovery

- Control Room Post-initiator control room actions are included in the analysis as Type C HIs.

- Ex-Control The list of Human Interaction Basic Events in Table 3.3.3-1 indicates that important ex-control room actions are included in the analysis. Local control actions, such as operation of manual valves, are included in this table.

Types of human errors considered, e.g. omission, commission.

Three types of human errors are described in Appendix D. Type A HIs are errors made during maintenance, testing, and calibration that leave a safety system unavailable for use during an accident. Type B HIs are errors that initiate events. Type C HIs are errors in following procedures (including a detection, diagnosis, and decision phase), and errors in recovery actions. Type C HIs are incorporated in the initiating event frequencies obtained from plant operating experience. Both Type A and C HIs analyzed in the HRA for Perry are errors of omission.


- Source of human reliability data.

Generic Data?

Generic data for "the important actions" was taken from THERP or methods based on those developed as a result of the Operator Reliability Experiments (ORE) program.

Data from this program was not available for review. HEPs for less important actions were estimated using the Grand Gulf PRA of NUREG/CR-4550. (Reference Section 2.3.6 of the submittal.)

Simulator Data?

No mention of the use of simulator data was found in the submittal.

Expert Judgement?

No mention of the use of expert judgement was found in the submittal.

Most significant operator actions.

Important operator actions for internal events, recovery and post-core phase, internal flooding, and response to specific failures are included in the analysis. These are discussed and listed in Appendix D of the submittal.

- Human error contribution to core damage frequency (if known).

Core damage frequency (CDF) is discussed in Section 3.4.1.1 of the submittal. Twenty-one events have a core damage frequency greater than 1E-07. Table 3.4.1-7 lists the basic events along with importance and risk reduction factors. These events were ranked using the Fussell-Vesely measure. Using this measure, the following human errors were ranked as significant contributors to CDF:


1. Failure of the operator to maintain Power Conversion System (PCS) during an ATWS with PCS initially available, or during a loss of feedwater transient, is ranked as the third highest contributor to CDF. Fussell-Vesely importance is 0.27, and risk reduction factor is 1.38.

2. Failure of the operator to re-open the motor feed pump control valves or manually depressurize the reactor during an ATWS event (PCS unavailable) is the fifth most important event. The Fussell-Vesely importance is 0.25, with a risk reduction factor of 1.33.

3. Failure of the operator to inhibit Automatic Depressurization System (ADS) during ATWS with feedwater unavailable is the seventh most important basic event. The Fussell-Vesely is 0.22, with a risk reduction factor of 1.28. With this factor dropped from all events requiring this action, total CDF is reduced 19% from 1.3E-05 to 1E-05.

4. Of the next 14 events, six are either human error events, or have some human error contribution.
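The following is an added example, not part of the TER or the Perry IPE submittal, that shows on a toy cut-set model how the two quantitative devices discussed in this report are computed: the sensitivity rule described in Section 2.2.2 (human error probabilities multiplied by ten if 0.1 or less, otherwise set to 1.0) and the Fussell-Vesely importance and risk reduction factor used for the ranking above. Every cut set, event name, initiating-event frequency and probability in the block is constructed for illustration; the model uses the rare-event approximation (CDF as the sum of cut set frequencies), which is an assumption of this example rather than the submittal's quantification method.

```python
# Added example, not from the TER or the Perry IPE submittal. Toy minimal-cut-set
# core damage model with human-error basic events, used to show the sensitivity
# rule (x10 if HEP <= 0.1, else 1.0) and the Fussell-Vesely / risk reduction
# importance measures. All data below are constructed for illustration.
from typing import Dict, FrozenSet, List, Tuple

# Constructed cut sets: each set is a combination of basic events whose joint
# occurrence leads to core damage. IE_* are initiating-event frequencies
# (per year), HE_* human error probabilities, HW_* hardware unavailabilities.
CUT_SETS: List[FrozenSet[str]] = [
    frozenset({"IE_ATWS", "HE_INHIBIT_ADS"}),
    frozenset({"IE_ATWS", "HE_MAINTAIN_PCS", "HW_MFP_VALVE"}),
    frozenset({"IE_LOSP", "HW_EDG_A", "HW_EDG_B"}),
    frozenset({"IE_LOSP", "HW_EDG_A", "HE_XTIE_BATT"}),
]

BASE_PROBS: Dict[str, float] = {
    "IE_ATWS": 1e-5,
    "IE_LOSP": 5e-2,
    "HE_INHIBIT_ADS": 0.4,
    "HE_MAINTAIN_PCS": 0.1,
    "HE_XTIE_BATT": 0.004,
    "HW_MFP_VALVE": 0.2,
    "HW_EDG_A": 0.01,
    "HW_EDG_B": 0.01,
}


def cut_set_frequency(cut_set: FrozenSet[str], probs: Dict[str, float]) -> float:
    """Product of the basic-event values in one cut set (events independent)."""
    f = 1.0
    for ev in cut_set:
        f *= probs[ev]
    return f


def core_damage_frequency(cut_sets: List[FrozenSet[str]], probs: Dict[str, float]) -> float:
    """Rare-event approximation: CDF is the sum of the cut set frequencies."""
    return sum(cut_set_frequency(cs, probs) for cs in cut_sets)


def fussell_vesely(event: str, cut_sets, probs) -> float:
    """Fraction of CDF coming from cut sets that contain the event."""
    base = core_damage_frequency(cut_sets, probs)
    without = core_damage_frequency(cut_sets, {**probs, event: 0.0})
    return (base - without) / base


def risk_reduction_factor(event: str, cut_sets, probs) -> float:
    """CDF divided by the CDF with the event assumed never to occur.
    Algebraically this equals 1 / (1 - FV)."""
    base = core_damage_frequency(cut_sets, probs)
    without = core_damage_frequency(cut_sets, {**probs, event: 0.0})
    return float("inf") if without == 0.0 else base / without


def rank_human_errors(cut_sets, probs) -> List[Tuple[str, float, float]]:
    """(event, FV, RRF) for every human error event, highest FV first."""
    rows = [(ev, fussell_vesely(ev, cut_sets, probs), risk_reduction_factor(ev, cut_sets, probs))
            for ev in probs if ev.startswith("HE_")]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def sensitivity_probs(probs: Dict[str, float]) -> Dict[str, float]:
    """Apply the sensitivity rule to human error events only: multiply by ten
    if the base value is 0.1 or less, otherwise raise it to 1.0."""
    out = dict(probs)
    for ev, p in probs.items():
        if ev.startswith("HE_"):
            out[ev] = p * 10.0 if p <= 0.1 else 1.0
    return out


def sensitivity_ratio(cut_sets, probs) -> float:
    """Factor by which CDF rises when the sensitivity rule is applied."""
    return core_damage_frequency(cut_sets, sensitivity_probs(probs)) / core_damage_frequency(cut_sets, probs)


if __name__ == "__main__":
    print(f"base CDF: {core_damage_frequency(CUT_SETS, BASE_PROBS):.3e}/yr")
    for ev, fv, rrf in rank_human_errors(CUT_SETS, BASE_PROBS):
        print(f"  {ev:16s} FV={fv:.3f}  RRF={rrf:.2f}")
    print(f"CDF increase under sensitivity rule: x{sensitivity_ratio(CUT_SETS, BASE_PROBS):.2f}")
```

Setting an event to zero to obtain the "without" frequency is the same operation as the zero HEP assigned to the screened-out pre-initiator actions discussed in Section 2.2.2: any cut set containing such an event contributes nothing to CDF, whatever the other events in it are worth.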

Vulnerabilities associated with human error.

Vulnerabilities and vulnerability screening are discussed in Section 3.4.2. One vulnerability was identified that is attributed to human error. This error is the failure to inhibit ADS during an ATWS with feedwater unavailable.

PLANT IMPROVEMENTS AND UNIQUE SAFETY FEATURES

Improvement insights stemming from HRA.

None of the improvement insights listed in the submittal are specifically attributed to the HRA. It appears as if all improvements were identified as the result of systems and fault tree analysis results, including the internal flooding analysis.

Implemented human factor improvements or enhancements stemming from HRA.

Several human factor improvements are given in Section 6.2.1. To reduce core damage frequency due to loss of offsite power, procedures have been enhanced to instruct the operators to bypass the RCIC isolation on high steam tunnel temperature, to instruct operators on using the Unit 2 (incomplete unit) batteries, and for recovery of HPCS and alternate injection systems by restoring offsite power. Also, instructions for response to flooding events have been revised.

Human factors improvements or enhancements under consideration.

A significant improvement in CDF would be achieved with the installation of an automatic ADS inhibit for ATWS events. This design change is under consideration.

Also, improvements in ATWS procedures for controlling power / level as a function of containment pressure with an RPV water level near the minimum allowable for steam cooling would improve containment failure frequency.
