Text

TER of IPE Submittal Human Reliability Analysis, Final Rept, Task 23.Draft Dtd 940131,final Aug 1994
	ML20078E150
Person / Time
Site:	Point Beach
Issue date:	08/31/1994
From:	Haas P; CONCORD ASSOCIATES, INC.
To:	; NRC
Shared Package
ML20078D982	List: ML20078E047; ML20078E122; ML20078E150;
References
	CON-NRC-04-91-069, CON-NRC-4-91-69 CA-TR-93-019-23, CA-TR-93-19-23, NUDOCS 9501310144
	Download: ML20078E150 (44)
	v • d • e

W l

'd v

POINT BEACH NUCLEAR PLANT INDIVIDUAL PLANT EXAMINATION TECHNICAL EVALUATION REPORT (HUMAN RELIABILITY ANALYSIS) h P

FJCIDSURE 4

.a o

CA/TR-93-019-23 POINT PEACH UNITS 1 AND 2 TECHNICAL EVALUATION REPORT OF THE IPE SUBMITTAL HUMAN RELIABHJTY ANALYSIS FINAL REPORT i

P. M. Haas I

Prepared for U.S. Nuclear Regulatory Commkclon Office of Nuclear Regulatory Research Division of Safety Issue Resolution Draft, January 31,1994 Final, August,1994 CONCORD ASSOCIATES. INC.

Systems Performance Engineers 725 Pellissippi Parkway Knoxville, TN 37932 Contract No. NRC-04-91-069 Task Order No. 23

.w TAPLE OF CONTENTS EXECUTIVE

SUMMARY

............................................. ii 1.0 INTROD UCTION............................................... I 1.1

Ihe HRA Review Process...................................

I 1.2 Peas Evaluated in the hm-Only HRA Review.

3 1.3 Summary of the Point Beach HRA Methodology.....................

6 2.0 CONTRACTOR REVIEW FINDINGS..................................

7 2.1 General Review of the HRA.................................

7 2.1.1 Utility Participation and Process for Confirming As-Built, As-Operated Plant.....................................

7 2.1.2 In-House Peer Review.................................

7

'2 Pre-Initiator Human Actions.................................

8 2.2.1 Pre-Initiator Actions Considered..........................

8 2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions..

9 2.2.3 Screening Process for Pre-Initiator Human Errors............... 10 t

2.2.4 Plant-Specific Performance Shaping Factors, Recovery Factors, and Dependencies for Pre-Initiator Human Errors.................. 10 2.3 Post-Initiator Human Actions..............................

11 2.3.1 Post Initiator Human Actions Considered..................

11 2.3.2 Process for Identification and Selection of Pcst-Initiator Human j

A ctions.........................................

12 l

2.3.3 Screening Process for Post-Initiator Response Actions............ 12 2.3.4 Consideration of Timing and Other Performance Shaping Factors for Post-Initiator Response Actions...........................

13 l

2.3.5 Consideration of Depe..xiencies for Post-Isitiator Res 15 Recovery Actions..................... ponse Actions 2.3.6 17 2.3.7 Post-Accident Errors................................. 20 2.3.8 Interna! Flooding A1.alysis.............................. 21 3.0 IPE INSIGHTS, ENHANCEMENTS AND CONCLUSIONS.................... 22 3.1 Importance of Human Actions................................ 22 3.1.1

'Ihe Importance of Human Error in Point Beach Severe Accident Behavior......................................... 22 3.1.2 Important Operator Actions............................. 22 3.1.3 Sequences Screened Out Due to Low Human Error Probabilities...... 23 3.2 Definition and Identification of Vulnerabilities...................... 24 3.3 Human-Performance-Related Enhancements........................ 25 3.4 Overall Evaluation and Conclusion From the HRA Review.............. 26 I

.................................. 26 3.4.1 General......

)

3.4.2 Pre-Initiator Humar. Actions............................ 27 3.4.3 Post-Initiator Human Actions............................ 27 J

3.4.4 Insights and Enhanca ments............................. 28 4.0 DATA

SUMMARY

SHEETS....................................... 29 REFERENCES...................................................

30

h l

EXECUTIVE

SUMMARY

His Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Point Beach Units 1 and 2 Individual Plant Examination (IPE) submittal by Wisconsin Electric Power Company (WEPCO) to the U.S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staffin their evaluation of the IPE and conclusions regarding whether the submittal meets the intent of Generic letter 88-20.

Overall, the submittal description of the HRA methodology is reasonably complete, but is presented at a fairly general level. Findings and conclusions in this TER are based on the submittal plus supplemental material obtained from the licensee in response to an NRC request for additional information. His supplemental information included material that could be considered tier 2 information, such as samples of calculation worksheets and

}

operator interview forms.

l General ne submittal indicates significant utility participation in the human reliability analysis.

I WEPCO personnel performed more than 80 percent of the effort. The HRA was performed by a WEPCO staff member with operations background, including experience as a Duty Technical Advisor and as a participant in the WEPCO Emergency Operating Procedures (EOP) upgrade program. An HRA specialist (Gareth Parry, from NUS) was contracted to train WEPCO staff and review the analysis. Operations, engm' eering and training staff were involved in review of procedures and ob:ervation of simulator runs. Operator interviews were conducted to obtain plant-specific input for the HRA, such as time required for pre actions, difficulty of tasks, and stress levels that would exist at the time of the action.

j De licensee performed an appropriate independent review of the IPE including: (1) an internal review of initial PSA documentation by WEPCO operations, engineering and PSA staff, (2) an independent review of the initial level I headed by an independent consultant and including non-WEPCO personnel and WEPCO personnel not involved in the development of the PSA, and (3) an internal review cf the final draft PSA notebooks by another team of WEPCO engineering, operations, training, and safety staff. Modification of the HRA methodology and incorporation of restoration errors were identified as major comments from the internal review of the initial level 1 PSA. Apparently, the HRA contractor was switched from Westinghouse to NUS at that time, and the EPRI methodology was employed.

In the HRA discussion, the licensee classified human actions (or human interaction events) as one of three types:

Tvoe A: Pre-Inidatine Event Interactions - those occurring prior to an initiating event when plant personnel can affect availability and afety of the plant by inadvertently kk

4

=

a

.a-

'O disabling equipment during surveillance, testing arid /or maintenance. (These are referred to by NRC as pre-initiator actions.)

Type B: Initiating Event Related Interactions - those that directly cause an initiating event to occur. Type B human interaction events were assumed to be accounted for implicitly in the initiating event frequency estimates, and were not analyzed explicitly or quantified in the HRA.

Tvne C: Post-Inithtine Event Interetians - those that are performed by plant staff f

after an initiating event has occurred. (nese are referred to by NRC as post-initiator reg = type actions.)

'i In addition, human rewary actions were considered for some sequences, and the probability of non-recovery was used as a multiplier for the affected cutsets. Those probabilities were subjectively assigned values believed by the licensee to be conservative. Human actions to identify and isolate leaks were considered in the flooding analysis, using subjective estimates of human error probabilities. With few exceptions,

)

no credit was taken for operator action after core melt.

Pre-Initiator Human Actions l

l

Ihe pre-initiator human actions treated in the HRA were restoration errors, primarily valves or switches left in an incorrect configuration. Calibration errors were not i

addressed. A review of procedures, including Technical Specification Tests, Inservice Tests, and Refueling Maintenance procedures, was performed to identify potential human errors in restoring equipment. Potential restoration errors identified in the systems analysis were evaluated to identify those for which there is a likelihood of recovery prior to the time of system demand. Human errors of equipment misalignment were screened out if the equipment were misaligned, but not disabled, and would receive a realignment sigr'al on system demand. Human error in maintenance activities were screened out if a full functional test is carried out upon completion of the maintenance. Dese qualitative screening assumptions are consistent with accepted HRA techniques (including ASEP) and with practice in other PRAs.

De human error probabilities fHEPs) for the remaining restoration errors were estimated following the ASEP methodology (Ref.1) Credit was taken for various recovery mechanisms, following guidance in the ASEP methodology orjudgment of the HRA analyst (s). nirty one pre-initiator restoration errors were quantified and included in the system models (fault trees). HEP values are generally consistent with the range of values from fine screening or best estimate analysis in other PRAs. De contribution to core damage frequency (CDP) from failure to restore equipment after test and maintenance was determined to be relatively minor (approximately 5%). In our opinion, calibration errors should not have been omitted from the model without a more rigorous plant-specific assessment of their potential impact.

iii

o D

Post-Initiator Human Actions l

Both response-type and recovery-type post-initiator human actions were evaluated.

Response actions were identified as an integral part of the initial sequence (event-tree) analysis and systems (fault-tree) analysis. De discussion of the accident sequence analysis indicates that the sequence delineation and analysis was strongly driven by an assessment of operating procedures. Each human action is identified by the procedure (s) in which it is required; or, in a few cases in which the action is not proceduralized, that fact is noted. De detailed discussion of event trees emphasizes operator actions and procedures. De number and scope of HEPs included in the IPE model indicates a reasonably comprehensive identification procss, and comparison with erapted PRAs indicates that the important human actions typically included in PWR PRAs were addressed. In general, operator actions identified as important by the NRC front-end reviewers were included. Rwd on these indications, we conclude that the licensee employed a reasonably comprehensive and thorough process to identify and select potential post-initiator human error contributors, and important actions were not likely to be missed.

An initial quantification was performed using screening values (primarily HEP =0.05) to eliminate unimportant cutsets. The screening value of 0.05 is somewhat lower than is frequently used (e.g.,0.3,0.5), but the licensee presented a rationale and data which indicated that it is unlikely that sequences screened out had a significant impact on estimated CDP.

Final, or "best-estimate" HEPs were obtained using a combination of data from THERP tables (Ref. 2) and the EPRI approach described in EPRI-TR-100259 (Ref. 3). In this EPRI methodology, each human action is treated as consisting of two ponions: one related to the failure to detect, diagnose and make a decision (the " cognitive" portion);

the other related to the proper execution of the required actions once the correct decision is made.

In the Point Beach analysis, the probability of failure of the execution portion, Pe, was calculated using data tables from THERP along with recovery factors and dependency guidelines from THERP and from the HRA specialist. The probability of failure in the detection, diagnosis, decision phase, Pc, was estimated using the EPRI decision tree methodology, which is an expert judgment process focused on causal mechanisms for errors. It considers factors such as quality ofinformation, procedures, and training that contribute to human performance. Error recovery factors were applied to both the Pc and Pe estimates.

Dependencies between post-initiator actions were addressed, following THERP guidance and/orjudgment of the analyst (s). Multiplying factors were added to cutsets to decrease or increase the HEP based on the nature of the dependency. A lower bound value of 1.0E-04 was applied to the final post-initiator HEPs.

iv

l i

1 f

Recovery actions were identified from a review of the dominant sequences after initial quantification with best-estimate HEPs. He HEPs are subjectively assigned values intended to be couervative. In response to an NRC request for further information on the basis for the subjective estimates, the licensee indicated that the judgment on availability of sufficient time was the primary consideration. Further, the licensee indicated that " worst-case" timing estimates were used, and that, "if the call was marginal" no credit was taken for the recovery action. He submittal identifies and briefly discusses three sequences for which the application of these human recovery actions caused the core damage frequencies to drop by more than an order of magnitude to a value below the screening criteria for reporting. All three of the sequences are steam generator tube rupture sequences. A MAAP run for the associated damage state

[

indicated that 20 hours2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months would be available before the core started to uncover. De i

licensee contends, appropriately, that the recovery factors applied are reasonable subjective estimates given the length of time available. Overall, the credit taken for human recovery action, while based on subjective estimates, appears to be reasonable.

HEPs range from 0.005 to 0.5. His range is typical of best-estimate or " conservative" values used for recovery actions in other PRAs. In its response to an NRC request, the licensee stated that the overall impact of credit for recovery actions is to reduce the CDF by an order of magnitude.

With one significant exception, which was discussed in the submittal, the IPE analysis takes little or no credit for operator actions following core damage. He exception is for station blackout sequences. If offsite power is recovered within approximately six hours, credit is then given (probability of success of 1.0) for operator action to start a containment fan and restoie service water. In response to an NRC request for additional information regarding the basis for the HEP estimate and the potential. impact on estimated release due to credit for this post-core-melt operator action, the licensee indicated that if no operator action were credited following the onset of core damage, a rough estimate is that the resulting challenge to containment (due to overpressure) would increase by 90.4% of the SBO CDF contribution, or 3.17E-5, compared to the currently estimated total containment overpressure challenge from transients and SBO of 1.81E-5.

No specific HEP was calculated for operator actions to recover fan coolers and the service water system subsequent to recovery of offsite power. The licensee estimates that since these actions are proceduralized in the "I.oss of Offsite Power" procedure the HEP for failure to perform these actions will be 0.001. De impact of this failure on containment failure probability is estimated to be approximately 1.4E-08. It has no Ngnificance to the estimated probability of containment overpressure of 1.8E-05.

De internal flooding analysis included an assessment of the likelihood of operator intervention to prevent a plant trip by isolating the leak or diverting the flood accumulation, or to mitigate the results of the flooding sequence by recovering disabled systems. The human error probability for failure to isolate the leak or divert the flood before the critical height is reached was estimated by using a screening value that decreased with time available for diagnosis and response. HEP values ranged from 0.01 y

to 1.0. Dese subjectively assigned screening values are consistent with typical conservative screening values used in other PRAs. Further, there was sor e.vidence cited for the likelihood of datar*ian of flooding by the operators, i.e., alarras or control room indications. Therefore, use of these screening values appear to be reasonable.

Insights and Enhancements The submittal included the licensee's definition of vulnerability and the criteria used to identify vulnerabilities, which essentially are related to NRC's safety goal target values for core damage frequency and large fission product release frequency. No vulnerabilities were identified, though enhancements were identified. Commitments were made to' make two human-performance-related enhancements, both by June,1994:

1) EOPs will be revised to provide greater assurance that ECCS switchover steps can be performed in the time required (as little as 20 minutes).

2) EOPs will be revised to include more detailed steps for aligning condenser hotwell or fire water sources to AFW pumps after CST depletion.

'Ihe submittal clearly identifies the significant impact of human action on the estimated CDF.

Six of the top seven, and seven of the top ten, most important basic events are human error events. Human errors are dominant contributors for key sequences, and sensitivity studies indicate results for some of those key contributing sequenas are quite sensitive to HEP estimates. De licensee indicates that the relatively high importance of human error is expected because Point Beach is an older plant with more manual actions than more recent PWRs. Another factor is the use of relatively conservative basic HRA modeling assumptions, such as establishing a lower limit of 1.0E-04 for post-initiator HEPs.

vi

1.0 INTRODUCTION

his technical evaluation report (TER) is a summary of the documentation-only review of the human rehability analysis (HRA) presented as part of the Point Beach Units 1 and 2 Individual Plant Examination (IPE) submittal by Wisconsin Electric Power Company (WEPCO) to the U.S. Nuclear Regulatory Commission (NRC). De review was performed to assist NRC staffin their evaluation of the IPE and their conclusions regarding whether the submittal meets the intent of Generic letter 88-20. His introduction describes the process used to evaluate the HRA and provides a brief summary of the HRA methodology as described by the licensee in the IPE submittal. Section 2, Contractor Review Findings, which summarizes findings related to specific issues identified in NRC guidance for performance and review of the HRA; Sectica 3, IPE Insights, Enhancements and Conclusions, which identifies important HRA-related insights and human-performance related enhancements either implemented or planned that were presented in the submittal, and summarizes the overall evaluation and conclusion from our review, and Section 4, Data Summary Sheets presents IPE Evaluation and Data Summary Sheets.

~

l 1.1 De HRA Review Process He process followed to review the HRA is depicted in Figure 1. The primary steps of the document-oaly review process are shown in the left hand column. They include:

i (1)

Scopine Review - an overview of the entire IPE submittal to obtain a general

]

sense of the completeness and level of detail ofinformation presented on the HRA and to identify the basic HRA approach used, appropriate reference plant (s) for comparison (e.g., NUREG-1150 plants), references cited that need to be obtained and reviewed, key insights and results of the IPE, obvious items missing, and other general information.

(2)

Detailed Review and Resoonse to Work Reauirements - a detailed reading of the IPE including front-end, back-end, and HRA sections focused on the specific work requirements (issues of concem) identified in the NRC statement of work. Information relevant to the HRA methodology typically appears throughout the IPE, esprcially in the Front-End sections on systems analysis and accident sequence delineation. To adequately assess the licensee's approach for identification ofimportant human interactions, and j

the methodology, assumptions, and data sources for quantifying the impact of human performance, it is necessary to review the entire IPE. As part of the 1

s.i-

--m.

3 m.

y.-

9 Scoping Review

"'emmmmmme enemmmum i r Detailed Review Licensee Response and Response to

> to NRC Questions /

y Work Require-Comments ments 1ausumumme ammmmmmune M

1r i f Front /Back End No Interfaces Further Review Required?

luummmmmma 1 r Draft TER and I

'I Questions for Document Review 1r i

NRC Staff / Con-3e tractor Meeting Site Visit Plan to Licensee 1r uestio Yes m

.icensee?

Site Visit No 1r 1 r Final TER Figure 1 - Human Reliability Analysis Review Approach 2

4 assessment of the licensee's process and documentation, an attempt is made to track the HRA process through identification, screening, qualitative and o

quantitative analysis for specific errors; not to reprodece or critique specific numerical values, but simply to determine if the information in the submittal provides a traceable description of the process. The review focuses on, but is not limited to, the W& work requirmnants identified by NRC.

Overall, its purpose is to identify strengths and weaknesses of the licensee's HRA approach and identify important insights related to human performance.

(3)

Front-End and Back-End Interfaces - a two-way exchange ofinformation with the NRC front end and back-end contractors, with emphasis on issues identified by those contractors that have a bearing on the HRA review, or human-performance references are reviewed, and a comparison is made to methods and -related issues that affect their review. 'Ihis interaction occurs informally during the review and more formally at the NRC staff / contractor meeting after the draft report is prepared.

(4)

Preoaration of the Draft TER - development of findings and conclusions, and writing, technical review, editing and printing of this TER. Included are questions and/or requests for additional information from the licensee that are deemed to be -

y for NRC staff to complete their review.

(5)

NRC Staff / Contractor Meeting - a meeting of NRC staff plus front end, back-end and HRA review contractors to summarize and integrate review findings, resolve open issues, final questions or requests for information from the licensee (if any) and plan subsequent actions.

If there is no need for additional information from the licensee, and all open issues are resolved, the final TER will be prepared and transmitted to NRC for use in completing the staff's evaluation and preparation of the SER. If additionalinformation is required, a request is transmitted to the licensee. If licensee responses to this request for additional information resolve all outstanding issues and concerns, then the final TER is prepared.

In some cases, a Step 2 review, involving additional document review and/or a site visit / audit may be necessary to resolve all issues and prepare the final TER.

1.2 Items Evaluated in the Document-Only HRA Review.

Ihe document-only review is guided by the task order statement of work requirements i

and general guidance provided by NRC. Typically, HRA-related items appear in each section of the IPE. The types of HRA considerations evaluated are summarized in Table l

1.1 following the IPE organization described in NUREG-1335.

i 3

Table 1.1 NUREG-1335 Items Addressed in the HRA Review NUREG.1335 REFERENCE INFORMATION PERTINENT TO HRA 2.1.1 General Mr^adalogy Concase description of HRA cHort and how a is ategrated with the IPE tasks / analysis.

2.1.2 Information Assembly 2.1.2.2 List of reference PRAs, insights regardmg HRA, human performana.

2.1.23 Concise description of plant documentation used for HRA information; concise discussion of the process used to confirm that the HRA represents conditions in the as-built, as-operated plant.

2.1.2.4 Description of the walkthrough activity, including HRA spedalist participation.

2.13 Arrident Sequence Dehneadon Description of process for assuring human actions considered in initiating events and accident sequence delineation; HRA specialist involvement 2.1.4 System Analysis Description of process for assuring that the impacts of human actions are included in systems analysis; process for integrating HRA.

2.1.5 Ouantification Process 2.1.5.1 HRA in common cause analysis.

2.1.53 Types of human failures considered in the IPE; a categorization and concise description exist.

2.1.5.4 IJst of human reliability data and time available for recovery actions; data sources clearly identified; if screened, a list of errors considered, criteria for screening, and results of screening.

2.1.5.5 List of HRA data obtained from plant experience and method / process for obtaining data; list of generic data.

2.1.5I> Concise description of method by which HEPs are quantified, including break down such as task analysis, and techniques for combining probabilities, assessing dependencies, etc.

4

I e

2.1.6 Front-End Results and Screening Human contnbudons to unportant sequences are clearly Process identified. A concise definition of vulnerabilities is provided, along with a d'e-6 of witeria used to identify vulnerabihties. A hsting of vulnerabilities is provided, with clear definitina of those related to human performance.

Underlying causes of human related vulnerabilities are sa,me.n,A 2.144 Sequences that, were k not for low human error rates in remvery actions, would lave been abcrx the applicable core damage frequency screening criteria are identified and a;w. -A 2.14.7 Any human performance issues pertinent to USIs or GSIs are identified and dimused as appropriate.

2.2 Back.Ead Submittal Impacts of operator action on containment response are identified. Actions assumed to be accomplished by operators can reasonably expected to be accomplished under the severe accident conditions expected; equipment accruthility, survivability, information availability, etc. have been considered. Critical human actions have been identified and included in the event trees and quantitative HRA assessments.

2.3 Specific Safety Features and Any human performance related aspects of unique and/or PotentialImprovements important safety features are d:m=-d. including any that resulted in signibatly lowering typically high frequency core melt sequences. Human related potential improvements -

procedures, training, etc.- in response to vulnerabilities are clearly identified and discussed.

2.4 IPE Utihty Team and Internal The submittal describes the utility staff participation and Review involvement in the HRA. An independent in-house review of the HRA was conducted.

5

1.3 Summary of the Point Beach HRA Methodology

'Ihe submittal defined three types of human interaction (HI) events:

7 Tyne A: Pre-Initiatine Event Internetiana - those occurring prior to an initiating event when plant personnel can affect availability and safety of the plant by inadvertently disabling equipment during surveillance, testing and/or maintenana. (Ihese are refened to by NRC as pre-initiator actions.)

Tyne B: Initiatine Event Palatad Interactions - those that directly cause an initiating event to occur. Type B HIs were assumed to be accounted for implicitly in the initiating event frequency estimates, and were not analyzed explicitly or quantified in the HRA.

Tyne C: Post-Initiatine Event Interactions - those that are performed by plant staff after an initiating event has ocmr'ed. (These are referred to by NRC as post-initiator response-type actions.)

In addition, human recovery actions were considered for some sequences, and the probability of non-recovery was used as a multiplier for the affected cutsets. Those probabilities were subjectively assigned values believed by the licensee to be conservative. Human actions to identify and isolate leaks were considered in the flooding analysis, using subjective estimates of human error probabilities. With few exceptions, no credit was taken for operator action after core melt.

Pre-initiator human errors were quantified using ASEP (Ref.1). Post initiator errors were quantified using the EPRI methodology in EPRI TR-100259 (Ref. 3), which involves use of decision trees to guide the analyst to selection of a generic "best-estimate" values and use of data from THERP (Ref. 2) tables.

6

o 2.0 CONTRACTOR REVIEW FINDINGS a

2.1. General Review 2.1.1 Utility Particination and Prnepet for Confirmine As-Built. As-Carated Plant.

4 i

ne NRC review of the submittal attempts to determine whether the utility personnel were involved in the development and typlication of the PRA techniques to their facility, and whether the associated walkdowns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built, as operated plant.

%e submittal (Section 5.1) identifies licensee staff participation in the various tasks involved in the development of the IPE. It states that more than 80% of the IPE was performed by WEPCO personnel. De HRA was performed by a WEPCO staff member with operations experience at Point Beach, including qualification as Duty Technical Advisor and involvement in the Emergency Operating Procedures (EOP) upgrade program. A consultant (Gareth Parry of NUS) provided HRA training to WEPCO staff and reviewed the analysis.

i The design freeze date for the IPE was September 5,1990. The submittal states that i

plant walkdowns were performed to confirm that the IPE model reflected the as-built condition at the time of the walkdowns and that the submittal results do represent the design and operation of the plant as of the freeze date. T.dk-throughs with operating l

crews and training staff, simulator runs with training staff operating the simulator, and a plant walkdown to determine accessibility of equipment for local operator actions were performed specifically for the HRA. In response to an NRC request for additional information, the licensee provided examples of completed operator interview worksheet forms which were used to guide and to document results from operator interviews conducted to obtain input to the HRA. Included were examples of completed checklists used to obtain information on specific actions and the plant-specific performance shaping factors influencing likelihood of access / error.

De direct participation in and leadership of the HRA by a former operations staff member, plus involvement of operations and training staff through the talk-throughs, interviews and simulator observations provided appropriate involvement of plant personnel; and, combined with the review of procedures and plant documentation, this involvement reasonable assurance that the assumptions and plant-specific information used i

in the HRA represents current.

2.I.2 In-House Peer Review.

De submittal states that the Point Beach PSA received several reviews over the course of the project. The primary reviews pertinent to the Front-End analysis and, in particular, the HRA were: (1) an internal review of initial PSA documentation by WEPCO 7

- o i

operations, engineering and PSA staff, (2) an iaPat review of the initial 1.svel 1 i

headed by an independent consultant and including non-WEPCO personnel and WEPCO l

pei sgl not involved in the development of the PSA, and (3) an internal review of the fmal draft PSA notebooks by another team of WEPCO engineering, operations, training, and safety staff. Modification of the HRA methodology and inceipuintion of restoration errors were identified as major comments from the internal review of the initial Level 1 PSA. Apparently, the HRA contractor was switched from Westinghouse to NUS at that time, and the EPRI rehodology was employed.

j 2.2 Pas-Initiator Human Actions l

Errors in performance of pre-initiator actions (e.g., failure to restore or properly align components after maintenance or testing, or calibration of system logic instrumentation) may cause components, trains, or entire systems to be unavailable on demand during an accident, and thus may significantly impact plant risk. The NRC staff review of the HRA portion of the IPE examines the licensee's HRA process to determine what

~

consideration was given by the licensee to pre-initiator human actions, how potential errors were identified, the effectiveness of quantitative and/or qualitative screening process (es) employed, and the pivcess for accounting for plant-specific performance shaping factors, potential error recovery mechanisms, and dependencies.

2.2.1 Pre-Initiator Actions Considered.

The pre initiator human errors treated in the HRA were restoration errors, primarily valves or switches left in an incorrect configuration. Calibration errors were not addressed. In response to an NRC request for additional information,,the licensee indicated that calibration errors were omitted because their consultant indicated that calibration errors have rarely been shown to be important in past PRAs. The reasons cited are that 1) even if miscalibration should occur, it is likely that the actuation signal would still occur, although possibly at a different time than it should; and, 2) nearly all actuation signals that are important have multiple instruments that feed the actuation signal. The licensee indicated that their review of other PRAs indicated that either they did not include calibration errors, or if they did, calibration errors were not an important contributor to the results.

't While we concur that, in most PRAs, pre-initiator errors have had less impact on estimated CDF than post-initiator errors, there have been a some NRC approved PRAs and other IPEs in which pre-initiator errors have been among the most important human actions in the PRA model. A notable example is the NUREG-1150 Peach Bottom study, in which a high level of dependence in performance of calibration of sensors (actions were performed by a single crew in a single shift) led to a relatively high likelihood of failure of LPCI and LPCS valves to open. In this case, the calibration error was an important contributor to CDF. In our vh.c the potential contribution from calibration e:rors should not be dismissed without plant-specific assessment of calibration procedures 8

i l

e and practices, in particular, the potential for Wes leading to common cause failure. Such dependencies may be related to problems with procedures common to multiple sensors, training, performance by the same crew, or other factors which could increase the potential for miscalibration across multiple instruments and hence increase the likelihood of failure of key safety equipment on demand.

2.2.2 Process for Identifiention and Selection of Pre-Initiator Human Actions.

The key issues addressed in the NRC staff review regarding the process for identification and selection of pre-initiator human actions are: a) whether maintenance, test and calibration procedures for the systems and components modeled were iewed by the systems analyst (s); and, b) whether discussions were held with appropriate plant personnel (e.g., maintenance, training, operations) on the interpretation and implementation of the plant's test, maintenance and calibration procedures to identify and

{

understand specific actions and the specific components manipulated when performing maintenance, test, and calibration tasks.

The omission of calibration errors and the licensee's rationale for that omission were discussed above. With regard to restoration errors, however, the submittal states that many sources were reviewed to determine maintenance, testing and surveillance that is performed, including the plant Computerized History and Maintenance Planning System equipment list, the PSA Data Analysis Notebook, and the operations periodic checks and inservice tests. In response to an NRC request for additional information, the licensee stated that Technical Specification Tests, Inservice Test, and Refueling Maintenance Procedures were reviewed to assess the potential that an operator may leave a component in a position that negatively impacts the safety function of a system. Each opportunity for mispositioning of key equipment was reviewed to determine if there is a procedure signoff present, an indepaah* verification with signoff, panel lights in the control room, i

lock number required with the number recorded, or confirmation of the correct positioning by a verification of the actual system performance later in the procedure.

Single use procedures developed to direct corrective maintenance or one-time testing were not reviewed. Support systems were not reviewed for pre-initiator errors. The review was performed by a contractor with PRA/ systems expertise. It did not involve sigaificant interaction with personnel outside the PSA Group, such as plant maintenance / operations personnel. There is no specific reference to walkdowns related to identification of

{

potential pre-initiator errors, but as indicated in Section 2.1.1 above, there was substantial involvement of operations and training staff in the development and review of the HRA.

i Potential pre-initiator actions identified in the systems analysis were reviewed (qualitatively screened) to identify those for which there is a likelihood of recovery prior to the time of system demand. Specifically, the following activities were screened out and not considered in the IPE model:

4 9

-rn-pm-n

,y u

e B

1) Human errors of equipment misalignment were screened out if the equipment were

- misaligned, but not disabled, and would receive a realignment signal on system demand.

t

2) Human error in maintenance activities were screened out if a full functional test is canied out upon completion of the maintenance.

These qualitative screening assumptions are consistent with accepted HRA techniques (including ASEP) and with practice in other PRAs.

2.2.3 Screenine Prce-a for Pre-Initintar Human Errors.

No numerical screening process was employed to eliminate pre-initiator enors from further detailed analysis. All of the human errors that were not ruled out by the qualitative screening discussed above were quantified generally following the guidance in t

Reference 1 for ASEP.

2.2.4 Plant-Soecific Performance Shanme Factors. Recovery Factors. and Denendencies I

for Pre-Initiator Human Actinnt.

ASEP is intended to be a somewhat simplified technique for quantification of human error (e.g., in comparison to full implementation of THERP), and is intended to be correspondingly " conservative". ASEP does allow for, and provide guidance for, consideration of plant-specific performance shaping factors, though the intent is to reduce the level of effort required for in-depth analysis and provide simplified guidance to select and modify " generic" HEPs. The Point Beach analysis generally followed the ASEP guidance for selection of a basic HEP and then applied recovery factors based on a general assessment of plant-specific practice.

Ihe submittal notes that review of maintenance documentation indicated that "in nearly every case" when a test is performed on the equipment identified in the pre-initiator actions, an independent verification is required by procedure. Therefore the medu value 0.03 recommended in ASEP to account for both errors of omission and errors of commission was multiplied by 0.1, and the mean value of the basic HEP assumed for pre-initiators was 0.005 (0.003 multiplied by 1.6 to obtain the mean value, based on an enor factor of 5, and rounded up to 0.005). In addition, credit was taken for recovery mechanisms as follows:

1) For recovery via a functional test, a recovery factor of 0.01 was assumed; except that in some cases this was judged to be conservative and the human error was j

screened out completely by the qualitative criterion 2 above 10

_. _ ~. _ _

e

2) For cases of potential valve mispositioning in which the valve position is checked many times more often than the valve is positioned, the mean unavailability time was significantly reduced (dapanding on the ratio of number of checks to number of manipulations),

i The credit for indapaadaat verification and recovery via functional test is consistent with the guidance provided for the ASEP methodology in Reference 1. De reduction in

)

estimated unavailability in item 2 above is not specifically part of ASEP guidance, but appears to be a reasonable rationale for accounting for the increased likehhood of error i

detection with increased checking. This assumes that the checking is truly "indanandaat",

and does not account for behavior dependency, e.g., the likelihood of detection in l

subsequent checks decreasing because the individuals in the later checks assume effective performance on the part of previous checkers. These two recover factors appear to be the only plant-specific factors considered to modify the basic (generic) ASEP HEP.

Thirty one pre-initiator human errors were quantified and included in the system models (fault trees). Most of the values are 5.0E-3; six are 1.0E-03, and two are 1.0E-04.

Overall, these values are consistent with the range of values used in other NRC accepted

)

PRAs and other IPEs.

In summary, the licensee's process for quantification of pre-initiator human errors in restoring equipment generally followed the ASEP guidance; it involved a limited but reasonable assessment of plant-specific factors influencing human error, in particular focusing on likelihood of error recovery mechanisms; and, it resulted in quantification of a significant number of potential errors with HEP values in a range consistent with accepted PRAs. As indicated above, we do not believe that calibration errors should have been dismissed without a plant-specific assessment.

2.3 Post-Initiator Human Actions Human error in responding to an accident initiator, e.g., by not recognizing and diagnosing the situation promptly and properly, or failure to perform required actions as directed by procedures, can have a significant impact on plant risk, and in some cases has be shown to be a dominant contributor to CDF. Dese errors are referred to as post-initiator errors. The NRC staff review determines the types of post-initiator errors considered by the licensee and evaluates the processes used to identify and select, screen, and quantify post-initiator errors, including issues such as the means for evaluating timing, dependency among human actions, and other plant-specific performance shaping factors.

2.3.1 Tvoes of Post-Initiator Human Actions Considered.

There are two important types of post-initiator actions considered in most nuclear plant PRAs: respong actions, which include human actions performed in response to the first 11

g L.

o level directives of the emergency operating procedures / instructions (EOPs/EOls); and recovery actions, which include those performed to recover a specific failure or fault, such as recovery of offsite power or recovery of a front-line safety system that was unavailable on demand. De Point Beach HRA addressed both types of post-initiator human errors.

2.3.2 PE=u for Identifiention and M=bn of Post-Initiator Human Actions, ne submittal discussion of the process for initially identifying " candidate" post-initiator errors is limited, but the emphasis on operator actions in the event tree development and comparison of actions quantified to those quantified in other PRAs suggests a Panaanhly thorough process was employed to identify all potentially important human errors.

Recovery actions were identified after the initial quantification via subjective evaluation of the more important sequences contributing to CDF. Response actions were identified as an integral part of the initial sequence (event-tree) analysis and systems (fault-tree) analysis. The discussion of the accident sequence analysis indicates that the sequence delineation and analysis was strongly driven by an assessment of operating procedures.

In general, each human action is identified by the procedure (s) in which it is required; or, in a few cases in which the action is not proceduralized, that fact is noted. The detailed event-tree discussion emphasize operator actions and procedures. The number and scope of HEPs included in the IPE model indicates a reasonably comprehensive identification process, and comparison with accepted PRAs indicates that the important human actions typically included in PWR PRAs were addressed. In general, operator actions identified as important by the NRC front-end reviewers were included. Based on these indications, we conclude that the licensee employed a reasonably comprehensive and thorough process to identify and select potential post-initiator human error contributors, and important actions were not likely to be missed.

2.3.3 Screening Process for Post-Initiator Resnonse Actions.

Post-initiator response actions identified during the accident sequence and systems analysis (event tree and fault tree development) were screened by initially quantifying the system models using screening values for HEPs. In response to an NRC request for additional information, the licensee provided a list of screening values employed. In most cases, a value of 0.05 was used, while in a few cases higher values (0.1, 0.3,1.0) were used. Typically, higher screen values, any 0.5, are considered appropriate to screen out unimportant contributors from further analysis while not eliminating potential important actions. Information provided by the licensee in response to an NRC request indicated that the "best-estimate" value exceeded the screening value for eleven post-initiator HEPs, by a factor ranging from less than 1.4 to 10.0. ne truncation limit for sequences in the screening analysis was IE-9, and in some cases IE-10. He licensee indicated that the CDF for the quantification using screening values was 1.15E42/yr.

For the quantification using b:st-estimate HEPs, but no recovery actions, the CDF was 1.19E-03/yr, a order of magnitude decrease. The final CDF was 1.15E-04/yr. The 12

licensee provided a summary of numbers of sequences containing the HEPs that were higher than the screening value grouped according to magnitude of the cutset contribution to CDF. The licensee's conclusion, which appears to be generally supported by the rationale and data presented, is that the screening values used were large enough to syhir the cutsets that have an important impact on the overall CDF.

2.3.4 Consideration of Timine and Other Nifer.nanm Shanine Factors for Post-Initiator Response Actions.

Best estimate HEPs for post-initiator response actions were obtained following the EPRI approach described in EPRI-TR-100259 (Ref. 3) and using generic values from THERP tables. In the EPRI methodology, each post-initiator error is treated as consisting of two portions: one related to the failure to detect, dim and make a decision (the

" cognitive' portion); the other related to the proper execution of the required actions once the correct decision is made.

In the Point Beach analysis, the probability of failure in the detection, diagnosis, decision phase, Pc, was estimated using the EPRI decision tree methodology, which is an expert judgment process focused on (1) failure mechanisms (2) causes for those mechanisms, and (3) compensating or recovery mechanisms. Effective application of the approach

)

requires a thorough understanding of the context of the human error and assess such as quality of information, procedures and training that contribute to human performance.

Mechanisms for failure in detection, diagnosis, decision include:

)

1) Data not available l

2) Data not attended to

3) Data misread or miscommunicated

]

4) Available information misleading and misinterpreted

5) Relevant :.tep in procedure misread i

6) Misinterpreted procedure instructions j

7) Error in interpreting the decision logic

8) Deliberate (though well intentioned) violation of the procedure The EPRI methodology uses a different decision tree for each failure mechanism to guide the analyst through a subjective evaluation of causes and causal factors and to select a value for Pc, the overall failure probability for the detection, diagnosis, decision task.

13 i

o

Ihe probability of failure of the execution portion, Pe, was calculated using data tables from THERP along with recovay factors and dependency guidelines from THERP and judgment of the analyst (s). Ik malysis consisted ofidentifying the critical execution steps in the procedure, identifying potential error recovery mechanisms, assigning HEPs from THERP tables with rwvay factors and -E=>=-ry considerations pertinent to those steps. An example of a isvay mechanism is a procedural requirement for a verification of valve position following a procedural action to position that valve. In that case, medium dependency was assumed if the verification step was on the same page as the instructions to perform the action.

For time-critical tasks, consideration of time available was factored into the analysis through the recovery actions; i.e., credit for recovery actions was taken only if the analyst judged that there was sufficient time for the operator to get feedback from the plant and correct the error. Thus the probability of error is only indirectly depaadaat on time available. Other recovery factors, or " multipliers" applied to the HEP included the following:

1) When the cognitive portion of the task myolved a system or function being established that is shared by the two units, a recovery factor of 0.5 was applied because there are two independent crews addressing the situation

2) A self-checking recovery factor of 0.5 was usually applied for any of the memorized immediate action steps of EOPs under the assumption that subsequent reading of the procedure serves as a check of the operator's immediate actions.

3) A recovery factor (unstated value) was applied if the procedure steps were repeated in a subsequent procedure that would serve to verify the initial action had been performed correctly.

4) Multipliers were used to increase HEP values for actions that are not practiced, have little explicit guidance, or would be performed under an unusually high stress environment.

These recovery factors are based on discussions in EPRI TR-100259 and/or recommendations of the HRA consultant. They are not inconsistent with the concepts of THERP, and the arguments, in general, are plausible. Practical application of HRA methodology involves considerable judgment by qualified HRA specialists, and the use of plausibility arguments such as these is common. These recovery factors and dependency considerations were, in our opinion, reasonably applied to arrive at a firm 1 *best estimate" HEP values.

One comment that was made in the submittal regarding application of recovery factors was that the factors were applied only in cases in which it was determined that sufficient time existed for the operators to recognize the error and complete the action. In response 14

.y_.

~~_

~.

v to an NRC request regarding the basis for the time estimates, the licensee inviicatal that, 3

in general, the source of time estimates was operator interviews. For the particularly critical case of transfer to ECCS recirculation, walkdowns and simulator observations and MAAP calculations were used for determining the available and required times. He inclusion or exclusion of these recovery factors is the primary and most direct means by which time estimates influence the selection of HEPs. It should be recognized that experience has shown that operator estimates of required time to accomplish actions, wi.ny when made in a " table-top" discussion or interview session outside of the context of actual or simulated performance, typically are optimistic.

In response to an NRC request for additional information, the licer,see provided several examples of worksheets for the calculation of Pc and Pe. The sample worksheets suggest a reasonably thorcugh, though somewhat mechanistic, application of the EPRI decision tree approach to estimate values for Pc. Each of the eight causal mechanisms were addressed for each human action, though typically all but two or three are considered to be negligible. Recovery factors employed are documented, and the calculation of Pc, including comments and notes, is documented on the worksheet forms for future reference. Similarly, the calculation of Pe using THERP tables is documented on worksheet attachments, including the appropriate reference to the THERP Handbook table used and a brief description of the rationale for using that particular table / entry.

De final estimated HEP is the sum of Pc and Pe. In general, a lower bound value of 1.0E-04 was applied to post initiator HEPs; i.e., calculated values below 1.0E-04 were usually set at this value in the IPE model. As discussed below, dependencies between multiple post-initiator response actions were evaluated following the general guidance outlined in the THERP handbook.

2.3.5 Consideration of Denendencies for Post-Initiator Resoonse Actions.

An important consideration in HRA is the determination of how the probability of success or failure on one human action may be related to success or failure on a preceding or parallel action. Human behavior typically is highly dependent on the context in which the behavior takes place. Included in the factors providing the context are preceding and parallel tasks. The individual's failure on a preceding action, performance of other team members on tasks closely related in time or physical location, expected level of I

performance of other team members based on past expe:ience, and other such dependencies influence the likelihood of success / failure on a current task. De HEP estimates used in HRA are conditional probabilities. If dependencies are not specifically accounted for, and HEPs are treated as independent, the probabilistic combination (multiplication) of HEPs can lead to an unrealistically low estimate of human performance overall (i.e., of the joint human e Tor probability), and hence to an underestimate of plant risk. Development of methods for quantification of dependencies is still evolving. He 15

~

k:

THERP handbook includes one approach that has received use in the HRA community, but it is widely recognized that this is an area in which methodology improvement is mar====ry.

'Ihe Point Beach submittal makes a distinction between two types of dependencies:

1) Deg.=hy among " elemental HEPs* that make up Pc, and

2) D-ad y among different Type C event HEPs in the same cutset.

'Ihe licensee's response to an NRC request for information clarified the submittal discussion of the first type of depaadaney, which occurs when the cognitive dacitiari j

process is the same for more than one HEP in a cutset. An saample provided by the licensee is the operator action to maintain a suction source for the==itiary feedwater (AFW) pumps following depletion of the condensate storage tank (CST). 'Ihe operators have several options, including using the Fire Water pumps to refill the CSTs, aligning Service Water to the AFW pump suction, or refilling the CST with water from the cor. denser hotwell. If the operator fails to make the basic correct decision to maintain AFW given depletion of the CST, then all three of these actions would be failed; they are not independent actions.

Guidelines for treating the second type of dependencies for post-initiator actions, which we consider to be reasonable and plausible, were as follows:

1) Actions which are initiated by the same cue, and are parallel success paths, should be treated as having a common cognitive element (as the same cognitive action) with the single probability Pc.

2) Actions that are of a similar type for redundant trains should be treated as totally dependent (Complete Dependence per THERP).

3) Responses to memorized immediate action steps of EOP-0 or ECA 0.0 (top level response procedures) can be regarded u independent of actions taken later in the procedures.

4) Memorized or instinctive reactions are independent if they are performed by different crew members.

5) Responses performed closely in time may be regarded as being dependent actions, even if the cues are different, if they are being directed by the same crew member (e.g., shift supervisor or procedure reader). General rules for such dependaariae are as follows:

Time Senaration (minutes)

Derree of Denendenev 0 < t < 15 high 16

W b-15 < t < 30 medium i

30 < t < 60 low 60 < t zero l

6) Two failures separated in time by an essential neceanful action may be regarded as being independent.

7) If an operator action causes a significant reduction in the time window available for a subsequent operator action, high of+d=-ry of failure of the second action upon the first is===eanad.

1

8) If an operator action is required as a direct consequence of a prMag failure, and the action occurs closely in time during a period of high workload, and/or has an obscured cue, then high der,.a.crcy of the second HEP on the first HEP is assessed.

For both types of dependencies, the mechanism for incorporating the deper.dsicy considerations quantitatively into the model was to identify all of the cutsets in which the dependent actions occurred and to apply a multiplier to those cutsets. 'Ihe submittal identified (Table 3.3.3-3) eleven combinations of multiple actions for which multipliers were calculated and applied to those cutsets containing those multiple actions. The I

multiplier is the ratio of the value calculated assuming # +d= y to the value calculated f

assuming no dependency. Values range from 1.3 to 2,250.

2.3.6 Recovery Actions.

After initial quantification and screening, the dominant sequences and 'cutsets were reviewed and revised to eliminate invalid cutsets (due to some logical error in modeling) t and to account for potential actions to recovery critical equipment / functions. Each recovery event credited and the sequences in which it appears is concisely identified in the submittal (Table 3.3.7-1), and each action is discussed. Where the recovery action involves an estimated human error probability, the assumed value is identified. Table 2-1 summarizes the recovery actions and estimated failure probabilities. In general, the j

HEPs are subjectively assigned values intended to be conservative. In response to an NRC request for further information on the basis for the subjective estimates, the licensee indicated that the judgment on availability of sufficient time was the primary consideration. Further, the licensee indicated that " worst-case" timing estimates were used, and that, "if the call was marginal" no credit was taken for the recovery action.

The submittal identifies and briefly discusses (Section 3.4.1, page 9 of 59) three sequences for which the application of these human recovery actions caused the core damage frequencies to drop by more than an order of magnitude to a value below the 17

i e

Table 2-1, Recovery Actions RECOVERY DESCRWilON FAILURE EVENT PROBABILITY REC-MAN OPENVLV2 Any cutset is recovered that contams basic event IA-AOV-CM 04748, IA-AOV CC 03047, or IA-AOV-CC 03048 (instrument air supply valves to 1.0E-01 containment fail) when operator manually opens these valves using handwheel on valve.

HEP-ECA-EOP31-32 Any cutscs as recovered that coauains basic event HEP 4DC-EOP-3-21, failure to depressurize using intact steam generator aRer tube rupture, since 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months are 7.7E-03 available to depressurize using ECA-3.1, act bour in EOP-3-21.

RESDLATE-1 Cutacas are recovered that conta4n MS-M5V OO-02017 or MS-MSV4042018 (Main steam isolation valve fails 5.0E-02 open) wher. operator manually closes main steam isolation valve locally.

REC-TURB-BYPASS Cutsets are recovered that contam MS-AOV-CM-15-16, MS-AOV-CC-02015, MS-AOV-CC42016, (failures of 5.0E-02 atmospheric steam dumps for steam generators) when operator manuaUy opens these vs!ves using handwheel on valve.

HEP-125-EOP1M8 HEP-125-EOP10-08 is the operator actaon wtuch manually restores the battery chargers a Aer concurrent LOSP and

$1. Cutsets are eliminated which contain this basic event N/A for sequences which do not have a concurrent LOSP and (cutsets d1+='d)

St. They are invalid cutsets SUCCESS-AFW2 Any cutset is recovered that contams basic twent NONRECOVERAC-4H inon-recovery of AC power in 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months ) when operators successfully refill the CST: from 5.0E-01 the fire water system using the diesel driven fire water Pump.

HEP-125 EOP1048 Cutsets are chrnmated wtuch contam basac events HEP-125-EOP1048 (failure to restore banery chargers or FO-MDP-CM-P70AB aAer concurrent LOSP and SI) or FO-MDP-CM-P70AB N/A (common mode failure of both fuel oil transfer pumps).

(cutsets elimmated)

These are 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months diesel faDures, but AC power is recovered aner 2.

NONRECOVERAC-7HR Any cutset is recovered that contains basic event 138-GT-LP40G05 (failure of gas turbine to start and run for 8 houri) with offsite power recovery within 7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months , 8.2E-02 since it tsie a long time for this sequence to go to core mek.

REC-OPEN-CV0112 Any cutset is recovered that contams basic events wtuch fail 001 when operator locally operates handwheel on CV.

I12B, (RWST to charging pumps), since the other diesel 1.0E-01 is running to power a charging pump and water can be supplied manually.

18

0' (Table 21 continued)

REC TDP4UCT4W Any oissa as asoovered that contaans basac event AF-P38A-AtlON-U2 (motor driven aus. imod pump abgned to 2.5E42 Unit 2) when operator manually opans service water sumion MOV using local handwheel NONRECOVERAC-4H Any cusset as sw;.c. : that scouuns benac event 135-GT-LP40005 (gas turbine fails to start and run for 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months ),

HEP-SW-EPOLDOUT (operator fails to provide service water backup to the suctaan of the a= Ley feedwater pumps), or HEP-HHR-EOP13-23 (failure to align safee 1.3E 01 muesson system for high head recirculation) when AC power is recovered in 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , since adequate water is available to the aux feedwater pump for ecoling from the CSTs for 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months .

E5F-OPR-RE-43 BAT Borac acsd storage tank level adacesor selector swach as only valid for St. This is a bleed and feed sequence N/A which means operesor will start $1 manually.

(cutsas hM)

HEP-5W-EOP449 Cutsets are ^="--'-d which contain basic event 345-GRD-LP-LOSP (loss of oNsite power aAer plant trip) and the HEP-SW-EOP449 (operesor fails to start standby N/A service water pumps since pumps), receive auto start (cutsets chaumated) signal on LOSP.

REC-GT-OR 05P-1H Any cansat as recovered that contains basac event 345-GRD-LP-LOSP (loss of offsite power aAer plant trip) with recovery of oNsite power within 1 bour or gas turbine 1.6E41 starts and runs.

CCl-AOV-PG-0021A Cutacts are chmanated which contaan basac event CCI-AOV-PG-0021 A (component cooling water heat exchanger HX-12A teenperature control valve plugs) and cutsas with CCI-AOV-OC-0012A (mmponent cooling water heat exchanger HX-12A ternperatum control valve normally open, fails closed). "Ihese are not a valid failure since this N/A AOV is used only to automatically increase service water (cutsets elirmnesed) when there is a rapid change in temperature.

HEP-AF-AOP5B-XX This as an invahd event. Failure of operator to manuaUy conuel MDAFWP discharge Dow will not fail the pump.

N/A (cutsets eliminated)

REC-5WFLOW Any cutset as recovered that contams banac event 5Wl-MDP-FR 0032A(D) (failure of service water pump P32A(P32D) to run for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ) *SW-CKV-OO-0032A(D) (failure of service water check valve 32A(32D) 5.0E 02 to close) when operssor closes manual isolation valve stopping flow throu;h the failed open check valve on the failed pump.

REC 4WPUMP Any cutset as recovered that contains basic event HEP-5%1-AOP9A41 (operator fails to start standby service water pumps before a reactor trip) when operator recovers one service water pump before CST supply to the turbine 3.0E 02 driven auxiliary feedwater pump is depicted at 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months .

19

u screening criteria for reporting. All three of the sequences are steam generator tube rupture sequences. A MAAP run for the associated damage state indicated that 20 hours2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months would be available before the core started to uncover. The licensee contends, appropriately, that the recovery factors applied are reasonable subjective estimates given the length of time available.

Overall, the credit taken for human recovery action, while based on subjective estimates, appears to be reasonable. HEPs range from 0.005 to 0.5. This range is typical of best-estimate or " conservative" values used in other PRAs for recovery actions. As indicated above, the overall impact of credit for recovery actions is to reduce the CDF by an order of magnitude.

2.3.7 Post-Accident Errors.

The submittal (Section 3.3.3.8) discusses treatment of human action following core damage, and indicates that, in general, "little or no credit" is taken for operator actions following core damage. He rationale provided in the submittal for not taking credit is plausible. First, the submittal notes that some of the actions are not proceduralized and use of existing HRA techniques for non-proceduralized actions is highly uncertain.

Second, while EOPs do contain some instructions for actions that are essentially the same action and may be applicable during post-core-melt situations, e.g., refilling the RWST or minimizing the RWST depletion rate, there is a basic change in state and change in goals driving operator behavior after core damage. EOPs and training are focused primarily on prevention of core damage. For core damage to have occurred, the EOPs either have not been used properly or were not effective for some reason. Therefore, it is not clear that operators would continue to follow EOPs, or if they did, that the specific steps intended for pre-core melt situations would be effective. Finally, the high stress levels anticipated for core melt situations makes it questionable to take much credit for action.

The exception noted in which credit for human action was taken is the station blackout sequences. If offsite power is recovered within approximately six hours, credit is then given (probability of succms of 1.0) for operator action to start a containment fan and restore service water. The basic rationale provided for this exception to the above logic is that in this case operators are very likely to be in the correct procedure, and that procedure is focused on restoring power, not on preventing core damage.

In response to an NRC request for additional information regarding the basis for the HEP estimate and the potential impact on estimated release due to credit for this post-core-melt operator action, the licensee indicated that a specific HEP was not calculated. Successful action was assumed based on the long time available (at least 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ) as determined by MAAP calculations. Further, the licensee indicated that for Station Blackout sequences, the probability of power recovery within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months of core uncovery is 90.4% per the IPE results. If no operator action were credited following the onset of core damage, a rough

(

20

O-estimate is that the resulting challenge to containment (due to cvryi are) would increase by 90.4% of the SBO CDF contribution, or 3.17E-5, compared to the currently estimated total containment ovmyi ure challenge from transients and SBO of 1,81E-5.

No specific HEP was calculated for operator actions to recover fan coolers and the service water system subsequent to recovery of offsite power. He licensee estimates that sina shese actions are proadurahzed in the "I. mss of Offsite Power" procedure the HEP for failure to perform these actions will be 0.001. He impact of this failure on containment failure probability is estimated to be approximately 1.4E-08. It has no signi% to the estimated probability of containment overpressure of 1.8E45.

2.3.8 Intemal Flandine Analvsis.

De imernal flooding analysis included an assessment of the likelihood of spridor intervention to prevent a plant trip by isolating the leak or diverting the flood accumulation. or to mitigate the results of the flooding sequence by recovering disabled systems. T12 human error probability for failure to isolate the leak or divert the flood before the critical height is reached was estimated by using a screening value that decreased with time available for diagnosis and response as follows:

Time Available HF2 Iess than 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months 1.0 1 to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months 0.5 2 to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months 0.1 Greater than 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months 0.01 Dese subjectively assigned screening values are consistent with typical " conservative" screening values in other PRAs. Further, there was some evidence cited for the likelihood of detection of flooding by the operators, i.e., alarms or control room indications. Therefore, these HEPs appear to be reasonable generic screening values.

Based on the assessment of expected frequencies of flooding initiators, the zone-by-zone assessment of the flooding progression and consequences, and the application of the above human intervention probabilities, three flooding sequences were identified as requiring a more detailed assessment and quantification of operator response: (1) large service water break in the auxiliary building, (2) medium service water break in the auxiliary building, and (3) small service water break in the cable spreading room. Data tables from THERP were used to obtain estimates of 1.8E-02 for the HEP for diagnosis and isolation of the leak. No additional credit was taken for restoring failed equipment.

De assessment of HEPs considered the control room indications that would be available, the timing available for detection and action, the procedural instructions for isolating the leak, and the likelihood of other activities at the time affecting the operators' performance. De submittal notes that for the large break in the auxiliary building, oly 19 minutes is available; and, for the small service water break in the cable spreading rocm, there is not a direct and immediate indication in the control room, ne HEP 21

l 5

estimates for these cases appear to be reasonable best-estimate values.

3.0 IPE INSIGHTS, ENHANCEMENTS AND CONCLUSIONS 3.1 Importance of Human Actions 3.1.1 The Imnortance of Human Error in Point haeh Severe Accident bhavior.

The submittal clearly identifies the importance of human error to the estirrated CDF. Six of the top seven, and seven of the top ten, most important basic events (wit'i respect to risk reduction) are human error events; and human errors rank among the highest risk increase contributors. (Importance measures used the Top Event Matrix Analysis Code.)

Human errors are dominant contributors for key sequences, and sensitivity studies indicate results for some of those key contributing sequences are quite sensitive to HEP estimates.

He submittal states that the significance of human reliability at Point Beach is expected, since the plant is of an older vintage with a, simpler, less automated design. Manual switchover to ECCS recirculation has been identified in a number of PWR PRAs as a significant contributor to plant risk, and is one that is reduced to some degree in plants with automatic switchover. Other manual actions that may be more automatic in newer plants that are manual in Point Beach cited by the licensee in response to an NRC request include switchover of AFW suction supply following depletion of the CST, manual control of AFW discharge valves on a loss ofinstrument air, aligning alternate battery charger if the normal charger is failed, and manual control of atmospheric steam dump valves with a loss of all power. The licensee also correctly notes that major assumptions such as assuming no post-ir.itiator HEP below 1.0E-4 are important reasons that the operator error contribution is so important in the Point Beach results.

The submittal notes that failure to restore equipment following test and maintenance, 1

contributes only 5% to CDF. As indicated previously, this is not inconsistent with general results from other PRAs, but in some cases, the contribution from pre-initiators has been substantial. Recall that the potential impact of calibration errors was not i

quantified by the licensee.

3.1.2 Important Operator Actions.

As indicated above, operator actions are shown as among the most important contributors to risk. The top ten most important human error events and their overall importance (risk reduction) ranking are shown in Table 3.1 below. Note that the ranking is for all basic events. The highest ranking basic event in the IPE model is operator failure to i

align for low head sump recirculation. He third through the seventh most important i

basic events are human actions. Sensitivity studies were performed to address major j

areas of uncertainty included human actions related to these top ten human actions:

22 m

r-ew y

1) Aligning ECCS for containment sump recitati". ion is a dominant contributor to the CDF from I.arge and Medium LOCAs, widch together contribute 30% to the total CDF. 'Ihis switchover action, which is reasonably complex and time-critical, has been shown to be a significant contributor in other PRAs.

Sensitivity studies showed a fairly high sensitivity of CDP to this HEP.

(Increasing the HEP from 0.1 to 0.5 increases the CDF by a factor of 2 for tiu low pressure case and 3 for the high pressure case.)

2) Providing auxiliary feedwater cooling for decay heat renoval is critical function that, through various sequences, contributes 38% to total CDP. Failure of operator action to assure a long-term suction source for the AFW pumps is die most important contributo-. failure of this function. Possibilities for backup sources include service '

., condenser hotwell water, or fire water. Procedural guidance is not detaile; ad it was assumed that there is some de =>=d;y among I

the failures. Sensitivity studier showed the increasing the HEP from the estimated value of 0.01 to 0.05 increases the estimated CDF increases an order of magnitude, and increasing it to 0.55 raises the CDF by another order of magnitude.

3) Sensitivity studies performed on failure to establish feed and bleed indicated that the CDF is relatively insensitive to this failure. Increasing tie HEP from the estimated 0.05 to 0.55 would increase the CDF by only a factor of two.

Table 3.1 Top Ten Most Important Human Error Events HEP IDENTIFIER DESCRIPT10N Rag HEP RHR-EOP13 23 Failuie to align for low bend sump recircedesion 1.0 HEP SW-EFOLDOUT Failure to provide service water backup to APW suction 3.0 j

HEP-CS-EF01.DOUT Failure to align botwell supply to CST 4.0 NEP RCS-CSPHl.12 Failure to establish feed and bleed (no safety impetion) 5.0 HEP-HHR EOP13 23 Failure to align for high bend sump recirculataan 6.0 1

NEP ECC-ECA00-21 Failure to depressuriae steam generators to 250 pai 7.0 I

HEP-138 ECA00-5B Failure to start and load gas turbane 10.0 NEP-AF-ECA00-XX Failure to control turb. dr. AFW pump flow, min 30 Ivl 14.0 HEP-SWI-AOP9A41 Failure to start standby service water pumps, no Rx trip 24.0 HEP-SW EOP449 Failure to isolese non emesatial service woest loads 28.0 3.1.3 Secuences Screened Out Due to Iow Human Error Prnhahilities.

Per NUREG-1335, Section 2.1.6, item 6, the submittal does identify and briefly discuss 23 O

E

- = - _

.q three sequences for which the application of human acovery actions caused the core damage frequencies to drop by more than an order of magnitude to a value below the a

screening criteria for reporting. Rav..f actions were added to cutsets after initial quantification. Section 3.3.7 of the submittal identifie.s 19 human recovery actions and i

the sequences credited. It also provides a brief discussion of the actions and a very general rationale for admian of the estimated nonise f probability (typically an arbitrary value intended to be conservative). The three sequences reduced by an order of magnitude or more to below the cutoff criteria are summarized in Section 3.4.2 of the submittal. Dese sequences and ruv..j actions were as follows:

1. Sequence R13 is a steam generator tabe rupture (SGTR)in which the steam i

generator has been successfully isolated, secondary cooling is available using main feedwater to the intact steam generator, and safety injection is operational. De operators fail to cooldown and depressurize within the first hour. His ultimately leads to core damage after the RWST has been depleted because the operator is unable to establish long term cooling. MAAP calculations showed that the time available to cooldown and depressurize and establish long term cooling is actually spproximately 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . A recovery factor of 7.7E-03 was applied, which is equal to the HEP for failure to depressurize and cooldown and establish RHR conditions within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months using emergency contingency action (ECA) procedures.

i i

2. Sequence TFB12 is a consequential SGTR after a steamline or fandline break inside containment. Auxiliary feedwater has been established to the intact steam generator, which is functioning to remove decay heat. Safety injection is operational, but the affected steam generator is not isolated due, to failure of the MSIV to close. The primary-to-secondary leak is not controlled, and core damage results after RWST depletion. A recovery factor (nonrecovery probability) of 0.05 was applied to account for the potential for operators to manually shut the MSIV or isolate the affected steam generator using alternative means described in the EOPs. The time available for the action is 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

)

1 I

3. Sequence TFB14 is a consequential SCTR after a steamline or feedline break outside containment. The sequence proceeds in the same manner as for the break inside containment, and the same recovery action and probability of 0.05 is applied.

ne HEP values used to represent the recovery actions under these sequences are based on judgment rather than a systematic plant-specific analysis. In general, they appear to be reasonable and generally consistent with best-estimate values for recovery actions in other PRAs.

3.2 Definition and Identification of Vulnerabilities 24

o:

De submittal (Section 3.4.3) defines severe accident vulnerabilities as, " plant-specific l

design or operating characteristics resulting in dominant contributors to core damage l

w fiw.cy (CDF) or large fission product release frequency (FPRF) significantly above the NRC's mean safety goal targets for all domestic nuclear plants [lE-4/ year and IE4/yr, respectively).* A significant dominant contributor to CDF or FPRF would call for immediate corrective action to address the vulnerability. No vulnerabilities were identified, based on the following conclusions.

I

1) No plant-specific design or operatmg characteristics lead to core damage or large j

fission product re case (more than 1We of the volatile radioactive fission products in the core) acquences which clearly dominate.

2) The largest core damage sequences are well below the generic safety goal target.

3) De estimated total CDF is approximately equal to the target average value of IE-4/yr.

4) The estimated fission product release fraction for large releases is near the genaic safety goal target.

While there were no vulnerabilities identified, there were important contributors identified and enhancements proposed. With regard to the HRA and examination of the human j

i contribution to risk, the submittal clearly emph=i= that human actions play a major role i

in preventing core damage, or conversely, contributing to the total CDF. Several major f

human error contributors are highlighted, and enhancements are proposed to improve f

human performance. Dese enhancements are discussed below.

j 3.3 Human-Performance-Related Enhancements ne submittal identifies enhancements that will be made in three areas: 1) operating procedures, 2) plant design, and 3) accident management guidelines. The procedures and i

accident management guidelines clearly are human performance related. In addition, procedures and training revisions will accompany design modifications related to installation of quick-connect mechanisms for hooking fire water hoses to the CSTs.

l 3

The procedures revisions are as follows:

1) EOP 1.3, " Transfer to Containment Sump Recirculation," and EOP 1.4,

Transfer to Containment Sump Recirculation, One Train Inoperable," will be revised to l

provide greater assurance that ECCS switchover steps can be performed in the time required (as little as 20 minutes). Specific changes had not been finalimt i

when the submittal was completed. Possible changes might include, for example, i

starting the switchover earlier, reordering and/or eliminating steps, or adding steps to decrease the RWST depletion rate. Procedure modifications will be l

l

_~

~ -.

x accomptied by revised training and testing. Design modifications to install remote operating capability fmm the contml mom for critical valves will be i

considered if procedure and training changes do not pmvide high confidence of i

success. The target date for completion of procedures, training, and testing was June,1994.

i

2) EOPs will be revised to include more deemilaf steps for aligning condenser hotwell or fire water sources to AFW pumps after CST depletion. Dese actions currently i

are identified but not detallad in the EOPs. De target date for completion of i

procedures revisions and==wiatad training are expected to be completed by June, 1994.

' The accident management guidelines address areas that the licensee notes as conservatisms in the Level-2 analysis and are intended to provide additional reductions in FPRF. De submittal notes that some of the long-term actions to prevent containment j

damage and/or mitigate release are already in the EOPs, but were not credited, and that accident management guidelines to structure the response of emergency response staff and operators will further increase confidence in taking credit for sp reur action, j

While specific calculations are not presented, the submittal states that the combination of procedures enhancement:, design modifications, and accident management guidelines will l

reduce total CDF from approximately 1.0E-4/yr to 8F-5/yr and will reduce FPRF by roughly an order of magnitude to 3E-6/yr.

j 3.4 Overall Evaluation and Conclusion From the HRA Review 3.4.1 General i

Overall, the submittal provides a reasonably complete but general description of the HRA. Combined with supplemental information provided by the licensee in response to an NRC request for additional information, the documentation of the HRA process and results was sufficient for us to conclude that the process employed was reasonable and generally consistent with HRA approaches used in NRC== fad PRAs and other IPEs.

The approach permitted the licensee to develop an appreciation for the importance of the human role in severe accident response and gain a more quantitative understanding of the impact of human error on core darnage frequency and fission product releases.

1 i==aa staff were appropriately involved in the development of the HRA, and associated walkdowns and documentation reviews constituted a viable process for confirming that, with regard to the HRA, the IPE represents the as-built, asagerated plant. De licensee performed an in-house peer review that provides some assurance that the HRA analytic techniques had been correctly applied and that documentation is 26 i

i

~ -

accurate.

3.4.2 Pre-Inidatar Human Actinae.

The submittal addressed pre-initiator human errors. However, consiste 4t with the licensee's stated belief that pre-initiator errors are in general not important contributors to plant risk, the plant-specific investigation of pre-initiator errors appean to have been less i

detailed and rigorous. In particular, we do not concur that consideration of calibration errors should have been dismissed without a more rigorous plant-gecific evaluation.

j i

The treatment of post-maintenance / test restoration errors appears to have been trasonable and generally consistent with other NRC e"*plad PRAs and IPEs. Based on F2neral statements in the submittal and overt.ll results, it appears that the process for identification of actions involved review of appropriate procedures. 'Ihe analysis likely would have been strengthened by direct discussions wth plant maintenance personnel, but i

in general appears to have been effective. No numerical screening process was employed. Best-estimate HEPs were obtained for all of the pre-initiator errors identified, using the simplified ASEP approach, with plant-specific assessment of error recovery factors. Potential dependencies in pre-initiators were not addressed. Overall, the numerical results, i.e., the HEPs, are in a range that is similar to fine screening or best-estimate values in other accepted PRAs and IPEs.

{

t 3.4.3 Post-Initiator Human Actions.

f The analysis and quantification of post-initiator human errors appropriately implemented the selected HRA methodology and resulted in HEP estimates consistent with other accepted PRAs and IPEs. Both response-type and recovery actions were addressed. 'Ihe i

process for identification and selection of post-initiator human errors included appropriate review of procedures associated with the accident sequences delineated and discussions with appropriate plant operations and training personnel. The numerical screening process employed appeared to be effective in " screening in" important post-initiator human errors and not truncating significant accident sequences.

Estimates of time required for operator response were, in general, based on operator interviews and judgment. Actual time measurements from operator " simulations" is the preferred source for these timing estimates. In the Point Beach analysis, observations of l

simulator exercises were used in a general way to support judgment, and in at least one critical case, plant specific calculations and walkdowns were performed. Plant-specific assessment of other performance shaping factors was performed in acevidance with the i

selected EPRI methodology, and dependancies among human actions were appropriately accounted for. With very few exceptions, only proceduralized actions are credited.

l i

i 9

Credit for recovery actions, which was based primarily on subjective evaluation of the relative amount of time available, appears to have been reasonable and consistent with

best-estimate" assessment of recovery actions in other PRAs. With one exception, the back end analysis takes no credit for operator action to prevent containment damage or mitigate releases following core damage. The exception is noted and discussed by the licensee, and the rationale presented is reasonable.

3.4.4 Insights and Enhancements.

Ihe submittal provided a concise definition of severe accident vulnerabilities and identified vulnerability screening criteria. No vulnerabilities were identified, but at least two significant procedures enhancements are planned that address insights from the HRA.

'Ihe submittal identified a number of human errors that are important contributors to core damage frequency and/or releases, and in general identified the importance of human error to plant risk. A significant reduction in estimated CDF due to post-initiator response actions and recovery actions was identified. Pre-initiator errors were determined to have a minor effect.

l

)

28

1 4

Credit for recovery actions, which was based primarily on subjective evaluation of the relative amount of time available, appears to have been reasonable and consistent with

best-estimate" assessment of recovery actions in other PRAs. With one exception, the back-end analysis takes no credit for operator medon to prevent containment damage or mitigate releases following core damage. The exception is noted and discussed by the licensee, and the rationale presented is reasonable.

3.4.4 Insights and Enhancements.

1he submittal provided a concise definition of severe accident vulnerabilities and identified vulnerability screening criteria. No vulnerabilities were identified, but at least two significant procedures enhancements are planned that address inr/ghts from the HRA.

1he submittal identified a number of human errors that are important contributors to core damage frequency and/or releases, and in geneml identified the importance of human error to plant risk. A significant reduction in estimated CDF due to post-initiator response actions and recovery actions was identified. Pre-initiator errors were determined to have a minor effect.

s 28 i

I-

't e

,4 4.0 DATA

SUMMARY

SHEE15 Importsat Operator Actions /Emms:

'Ihe top ten important laman error basic events, their HEPs, and their relative ranking in importance among all basic events (based on risk reduction) are as follows:

l HEP IDENTIFIER HER DESCRIPTION M

HEP-RHR-EOP13-23 9.67E43' Failms to aliga for low head mump recirculanos 1.0 HEP-SW-EFOLDOUT 4.10E44 Failwe to provide service water backup to APW suctica 3.0 HEP-CS-EPOIDOUT 3.86E43 Failwe to aliga hoewell supply to CST 4.0 i

HEP-RCS CSPHI 12 2.36E42 Failure to =Alia feed and bleed (no anfety igisedom) 5.0 HEP-HHR-EOP13-23 9.00E43 Failure to aliga for high head semp recircolation 6.0 HEP-ECC-ECA00-21 5.00E41 Failure to depresswue samm generators to 250 pai 7.0 HEP-138-ECA00-5B 1.30E-01 Failwe to start and load gas tubine 10.0 HEP-AF-ECA00 XX 2.40E41 Failwe to control tub. dr. AFW pwnp flow, niin 50 Ivl 14.0 HEP SWI AOP9A-61 7.90E44 Failure to start standby service water pumps, no Rx trip 24.0 HEP-SW-EOP-o49 8.65E 03 Failure to isolate non essential service water loads 28.0

The value for the Imge LOCA is 1.0E 01 Human-Perfonnance Related Enhancements:

t i

Two primary enhancements were identified; both so be completed by June,1994:

EOP 1.3, " Transfer to Containment Sump Recirculation," and EOP 1.4, "IEpHWil) to Containment Sump Recirculation, One Train Inoperable," will be revised to provide greater assurance that ECCS rwitchover steps can be performed in the l

time required (as little as 20 minutes).

2) EOPs will be revised to include more detailed steps for aligning condenser hotwell 7

or fire water sources to AFW pumps after CST depletion.

i l

t 6

1 1

I

i p.

t

'4 REFERENCES 1.

Swain, A.D., " Accident Sequence Evaluation Program Human Reliability Analysis Procedure," NUREG/CR-4772, February,1987 2.

Swain, A.D. and H.E. Guttman, " Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications," NUREG/CR-1278F, U.S. Nuclear Regulatory Commission, August,1983.

3.

EPRI TR-100259, 'An Approach to the Analysis of Operator Actions in Probabilistic Risk Assessment," Eectric Power Research Institute, June,1992.

l l

i l

l l

30

/

J L

SUMMARY

OF THE POINT BEACH NUCLEAR PLANT INDIVIDUAL PLANT EXAMINATION (IPE)

SUBMITTAL ON INTERNAL EVENTS 9

ENCIDSURE 5

I L

Summar_y of the Point Beach Nuclear Plant (PBNP) Units 1 & 2 Individual Plant Examint. tion (IPE) Submittal on Internal Events The NRC staff completed its review of the internal events portion of the Point Beach Nuclear Piint (PBNP) Individual Plant Examination (IPE) submittal and associated information. The latter includes the licensee's responses to staff generated questions seeking clarification of the licensee's process.

The licensee's IPE is based on a PBNP limited-scope Level 2 probabilistic safety assessment (PSA). The Wisconsin Electric Power Company (WEPCO) personnel maintained extensive involvement in the developmet.t and application of PSA techniques to the PBNP facility. The staff notes that all primary plant departments provided input to the IPE/PSA development.

The licensee defined severe accident vulnerabilities as plant-specific design or operating characteristics resulting in dominant core damage or large fission product release.

In summary, the licensee used IE-4/ year for dominant core damage and IE-6/ year for large fission product release. Based on these guidelines, the licensee did not identify any severe accident vulnerabilities.

The results of the PBNP IPE showed a core damage frequency (CDF) of 1.2-4/ year from the internally initiated events, including the contribution from internal floods. The CDF is dominated by large and medium loss of coolant accidents (LOCAs) which contribute 31% to the CDF. The dominant contributor for the LOCA sequences is the large LOCA, which is dominated by failure to manually align the emergency core cooling system (ECCS) for low pressure containment sump recirculation. Additionally, the loss of offsite power (LOSP) and station blackout (5B0) initiators contribute 21% to the total CDF. This contributor stems from the plant design which requires the sharing of two emergency diesel generators (EDGs) between two units, and minimal credit taken for the availability of a gas turbine generator.

The licensee, however, is in the process of installing two additional EDGs which were not credited in the l

IPE, and which will reduce the overall SB0 contribution.

Based on the review of the PBNP IPE submittal and associated documentation, the staff concludes that the licensee met the intent of Generic Letter 88-20.

The licensee's IPE results* are summarized below:

o Plant Type:

Westinghouse 2 loop PWR i

o Containment Type:

Large Dry o Total core damage frequency (CDF) :

1.2E-4/ year t

o Major initiating events:

3 y

t.

Contribution (%)

Loss of offsite power (LOOP) 21 (Blackout 13%)

i (Non-blackout 8%)

i Large break loss of coolant kccident (LOCA) 22 Transients without power conversion system (PCS) 10 Medium LOCA 9

Loss of service water (SW) 7 Transient with PCS 5

Steam generator tube rupture (SGTR) 5 o-Major contributions by accident classes:

Contribution (%J Large and medium LOCAs 31 Transients 15 Loss of support systems 15 Flooding 9

Major contributions to dominant core damage sequences:

o Large LOCA with failure of the operator to align the system for low pressure containment sump recirculation.

Medium LOCA with failure to establish long term cooling via high pressure containment sump recirculation.

Transient without the PCS and failure of the operator to establish long term water supply to the AFW or successfully align for feed and ble9d.

i Rupture of SW header or circulating water expansion joint, failure of the operator to isolate the flood resulting in loss of all equipment for j

coping with a reactor coolant pump (RCP) seal LOCA.

Station blackout (SBO) with failure to recover AC power in 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months and failure of the operators to cooldown and depressurize the reactor I

coolant system (RCS) with tnanual control of the atmospheric steam dump valves and the turbine-driven AFW (10AFW) pumps o Major operator action failures:

Failure to align for low head sump recirculation Failure to provide service water backup to AFW pump suction Failure to align hotwell supply to condensate storage tank (CST)

Failure to establish feed and bleed Failure to align for high head sump recirculation Failure of the operators to depressurize the steam generators (SGs)

Contribution to total containment failure probability o

2

if"

}

given core damage:

Early Containment Failure 0%

Late Containment Failure i

17%

Containment Bypasses Containment Isolation Failure 6%

<1%

No Containment Failure 77%

o Significant PSA findings:

22% (2.6E-5/ year) of the PBNP total CDF (I.2E-4/ year) represents dual unit core damage, with SB0 and flooding events contributing about 55%

and 42% respectively of this value.

Major contributors in four of the top five dominant sequences including i

large and medium LOCA and transients with and without PCS (but not flood) that about 45% of the total CDF, are operator errors of failure to align the safety injection system for recirculation from the sump, or to provide alternate water supply for the AFW pump.

The TDAFW pumps for PBNP are supplied with SW to cool the bearing oil and pump stuffing box, but if SW is unavailable, cooling water will automatically be provided by the fire water system, thus eliminating the absolute dependency of the AFW pumps on the SW system for cooling.

The charging pumps at PBNP are air cooled and therefore do not require closed cooling water (CCW) or SW systems to provide seal injection to the RCPs, thus eliminating a dual dependency of seal injection and thermal barrier cooling on cooling water support systems.

PBNP takes credit for 40,000 gallons of water being available in the CST based on operating history even though technical specifications only require 13,000 gal. This volume (40,000 gal.) allows credit to be taken for 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months of decay heat removal (DHR) with the TDAFW pump supplying j

water to the SGs, with subsequent manual control after the assumed battery life of I hour.

j Improvements identified in the PBNP IPE proposed to be implemented:

o Procedure Revisions l

Improve the manual alignment of the emergency core cooling system (ECCS) to the containment sump recirculation mode in the event of a LOCA to reduce the contribution to CDF from the switchover to ECCS recirculation from the sump.

Improve the manual alignment of the alternate water sources to the suction of the AFW pumps upon depletion of the CST.

Desian Modifications 3

F-E y

Install connections to facilitate the rapid alignment of the fire water system to refill the CSTs.

Reverse the access doors and door frames in the control building tunnel such that it ensures their opening to allow water from rupture of the service water header in the AFW pump room free access to the turbine building hall and prevents flooding of the vital switchgear Installation of the third and fourth EDG (initiated for other reasons than the IPE) which will reduce the contributton to CDF from SBO.

Severe Accident Manaaement (SAM) Guidelines The licensee is actively participating in the Westinghouse Owners Group (WOG) Severe Accident Subcommittee, which is overseeing the development by Westinghouse of vendor-specific SAM guidelines. The licensee is planntag to incorporate these guidelines into the PBNP SAM program based on the les ons learned from the PBNP IPE.

(* Information has been taken from the Point Beach IPE and has not been validated by the NRC staff.)

A 4

.-

ML20078E150

Contents

Text

SUMMARY

SUMMARY

SUMMARY

1.0 INTRODUCTION

SUMMARY

SUMMARY

Navigation menu

ML20078E150

Text

SUMMARY

SUMMARY

SUMMARY

1.0 INTRODUCTION

SUMMARY

SUMMARY

Navigation menu

Search