ML20086G528
| ML20086G528 | |
| Person / Time | |
|---|---|
| Site: | Hatch  |
| Issue date: | 11/30/1994 |
| From: | Haas P CONCORD ASSOCIATES, INC. |
| To: | NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| Shared Package | |
| ML20086G518 | List: |
| References | |
| CON-NRC-04-91-069, CON-NRC-4-91-69 CA-TR-94-019-27, CA-TR-94-19-27, NUDOCS 9507140445 | |
| Download: ML20086G528 (55) | |
Text
f
.c . .
CAffR-94-019-27 EDWIN I. HATCH NUCLEAR PLANT UNITS 1 AND 2 TECHNICAL EVALUATION REPORT ON THE INDIVIDUAL PLANT EXAMINATION
< HUMAN RELIABILITY ANALYSIS FINAL REPORT By Paul M. Haas Philip J. Swanson Prepared for:
U.S. Nuclear Regulatory Commission Office of Nuclear Regulatory Research Division of Safety Issue Resolution Draft Report May,1994 Final Report November,1994 CONCORD ASSOCIATES. INC.
Systems Performance Engineers 725 Pellissippi Parkway Knoxville, TN 37932 i
Contract No. NRC-04-91-069 !
Task Order No. 27 I g-chf l csgyyo e
Y45 ,
O O TABLE OF CONTENTS 1.0 EXECUTIVE
SUMMARY
. .. ... . ....... ... ... .. .. .2 1.1 General Review ....... ..... . . .... .. . . .2 1.2 Pre-Initiator Human Actions . . . . .. .. . .... . .3 1.3 Post-Initiator Human Actions .. . ... ... .. . . .6 1.4 Vulnerabilities, Insights, and Enhancements . .... . .. . . . .9 2.0 CONTRACTOR REVIEW FINDINGS . . . .......... .. . . .... . 10 2.1 General Review ........... ........ ..... ... . . . . . 10 2.1.1 Utility Participation and Process for Confirmine As-Built. As-Onerated Plant ....
........... ... .. ... ....... ... . 10 2.1.2 In-House Peer Review . . . . . . . . .. . . ... ... .. 11 2.2 Pre-Initiator Human Actions . . . . . . . .. . ... .... ..... . 13 2.2.1 Pre-Initiator Human Actions Considered . ...... ....... 13 2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions ... .............. .............. . . . . . . 13 2.2.3 Screenine Process for Pre-Initiator Human Actions . . . . . . . . . . 14 :
2.2.4 Plant-Soecific Performance Shaoine Factors and Regovery Factors for l Pre-Initiator Human Actions . . . . . . ............ . . . . . . 14 2.2.5 Consideration of Dependencies for Pre-Initiator Human Actions . 17 2.3 Post-Initiator Human Actions . . . . . . . . . . ............... ... 18 l 2.3.1 Tvoes of Post-Initiator Human Actions Considered ....... . 18 )
2.3.2 Process for Identification and Selection of Post-Initiator Human l Actions . . . . .... ........... .............. . . . . 19 l 2.3.3 Screenine Process for Post-Initiator Human Actions . .... ... 22 l 2.3.4 Consideration of Timine for Dynamic (Response) Actions . . . . . . . 22 2.3.5 Consideration of Plant-Soecific Factors for Dvnsmic (Response) ,
Actions .................... ..... ....... .... .23 I 2.3.6 Consideration of Dependencies for Dynamic (Response) Actions . . 28 2.3.7 Ouantification of Recovery Actions .......... ..... 29
{
2.3.8 Treatment of Operator Actions in the Floodine Analysis . . .. 32 l 3.0 OVERALL EVALUATION AND CONCLUSION . . . . .... ........ ... 33 4.0 VULNERABILITIES, INSIGHTS AND ENHANCEMENTS . . .... . ... 35 4.1 IPE Insights Related to Human Performance . . . . . . . . . . . . . .... . 35 4.2 Enhancements and Commitments ........ ... ....... .....38 5.0 DATA
SUMMARY
SHEETS . . . . . ..... ...... ........ ..... . . 40 REFERENCES . . . . ...... ...... . .. .. .. ..... .... . .. 42 APPENDIX A . ... . . . .. ......... . . . ... .. . 43
1.0 EXECUTIVE
SUMMARY
This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Edwin 1. Hatch Nuclear Plant Units 1 and 2 Individual Plant Examination (IPE) submittal to the U.S. Nuclear Regulatory Commission (NRC). He review was performed to assist NRC staff in their evaluation of the IPE and conclusions regarding whether the submittal meets the intent of Generic Letter 88-20.
1.1 General Review Based on our review of the submittal, we conclude that utility staff were appmpriately involved in the HRA portions of the IPE, and that plant walkdowns and documentation reviews provided reasonable assurance that the IPE represents the as-built, as-operated plant.
The technical expertise and methodology for the HRA (and other front-end analysis efforts) was provided by PLG, Inc. The submittal discussion of the organization of the IPE program indicates significant involvement of utility personnel - corporate personnel, and to a lesser degree, site personnel - in the development of the IPE. The corporate Manager, Nuclear Engineering and Licensing had overall responsibility for the IPE program. A Project Engineer from the Licensing Group was responsible for coordination of the project with site activities and resolution ofissues that could impact plant design .
and operation. Corporate Technical Services personnel were responsible for the technical oversight of the IPE, including technical lead for the Level I analysis. They conducted major portions of the Level I analysis and some portions of the Level II analysis. Plant Hatch site personnel participated in plant walkdowns and operator interviews, responded to specific requests for information from the IPE team, and reviewed analysis and related documentation. Several site managers and supervisors were involved in the Independent Review Group (IRG).
Three major plant walkdowns are summarized in the submittal: (1) a general systems walkdown; (2) an intemal flooding walkdown; and, (3) a containment / Level II walkdown.
The general systems walkdown was performed by two corporate engineers experienced in l PRA evaluations, with assistance from site Engineering staff. Pertinent to the HRA, one l of the specific goals cited for the walkdowns was to detemiine factors affecting local operator recovery actions identified as potentially important to risk. The submittal also ,
notes that, "The accessibility of components and the environments in which they are j located were examined from a human factors standpoint." i l
ne licensee appears to have employed a masonable independent internal review process that j provides some assurance that the D'E ana.lyde tcchniopes were correctly applied and that !
documentation is accurate. Guidance provided in NUREG-1335 regarding an independent in-house review was addressed 'oy 17. pmjt.ct qualiry usurance and control procedures employed throughout the IPE development, and 2) reviews performed by the IRG, by General Electric, and by other site and corporate personnel.
2 1
A specific procedure, "lPE Work Package Preparation and Verification," was developed and used to ensure consistency and control of work package generation. Individual work packages (e.g., the MAAP parameter file) were independently reviewed by a second analyst f "to the extent practicable," and were approved by the PRA supervisor. Issued documents were treated as quality documentation and retained for the life of the plant. Work products generated by contract personnel were conducted under their quality assurance programs, i
which were reviewed and approved by the corporate Quality Services group.
The IRG provided critical review of the IPE plan, processes, documentation and results.
Members included the corporate Manager of Nuclear Engineering and Licensing and a corporate Project Engineer, plus site managers / supervisors from Operations, Maintenance, Outages and Planning, Training, and Nuclear Safety and Compliance. A senior level GE engineer experienced in PRA techniques and BWR technology served as a consultant to the IRG providing more detailed reviews of the methods employed and individual analyses. The IRG focused in more depth on areas requiring site-specific knowledge, and reviewed samples of specific analyses. The IRG provided comments on programmatic issues, operating insights, comments on data effectiveness and clarity for future use by site personnel, technical basis for assumptions, and the scope of analysis. All comments were satisfactorily resolved. Examples of three significant comments were provided in the submittal. No comments directly related to the HRA were cited in the submittal.
Prior to the formation of the IRG, GE was contracted to review several portions of the IPE, including the HRA. These reviews were considered as input to the IRG process. The example GE comments cited in the submittal included one that noted that some of the human error probabilities (HEPs) from the SLIM analysis were lower than those used in other industry analyses. Specific HEPs were not identified. The submittal indicates that upcn further review, it was decided that the values were reasonable and should not be revised 1.2 Pre-Initiator Human Actions The Hatch HRA addressed pre-initiator errors in maintenance, test and surveillance actions by incorporating human error into the systems analysis (fault trees) as a specific cause for system unavailability. Both misalignment (restoration) errors and miscalibration were considered.
The submittal provides limited information on the process used by the licensee to identify and select pre-initiator human errors. However, in response to an NRC request for additional information, the licensee provided more specific information which substantiates that when a particular pre-initiator action was identified as potentially important, procedures were examined and discussions were held (as needed) with appropriate plant personnel (e.g., !
maintenance, training, operations) on the interpretation and implementation of those procedures. Funher, the licensee indicated that other PRAs had been surveyed, and that no additional important actions applicable to Hatch were identified beyond those identified by the Hatch analysts. Finally, the licensee provided a discussion of the qualitative screening process with specific examples illustrating the rationale and judgment used in eliminating 3
l l
l
O
- relatively unimportant actions These responses from the licensee addressed our concems. In addition, the list of pre-initiators quantified compares reasonably well with similar lists from other PRAs and was found to be relatively comprehensive. (Appendix A compares pre-initiator and post-initiator human actions addressed in Hatch to those addressed in the NUREG-1150 Peach Bottom study and in several BWR IPEs reviewed previously). Based on the results of the process (i.e., the list of pre-initiator actions included in the model) and the additional information provided by the licensee, we conclude that the licensee employed a )
reasonable pmcess for identification and selection of pre-initiator human actions.
No numerical screening of pre-initiator human events was performed. All events selected for analysis were quantified using a PLG approach that applies numerical estimates obtained from l
the THERP Handbook.
The approach used by the licensee to quantify pre-initiators involves breaking the potential !
errors down to more " basic" errors that correspond to actions listed in THERP Handbook tables, and then combining the error probabilities for the basic events to estimate an overall probability for the pre-initiator action. The submittal indicates that each pre-initiator human action selected for quantification was analyzed "in detail," and that the errors associated with ,
each action were decomposed into four basic (generic) types of human errors: !
- 1) An error committed during the calibration of an instrument channel, using a wTitten .
procedure,
- 2) Mispositioning a valve after the completion of a test or maintenance activity,
- 3) A two-position switch left in the wrong position without being detected, and
- 4) Failure during an independent verification to detect an error made previously.
A total of eighteen pre-initiator human errors were quantified and incorporated into the IPE model. Each pre-initiator used in the IPE model is comprised of one or more of the basic HEPs from THERP. The Monte Carlo sampling technique in the system analysis module of the RISKMAN software package to multiply the distributions together and calculate a new distribution (mean,5th percentile and 95th percentile) for the combined action.
The " detailed" analysis performed to arrive at the conclusion that all pre-initiator errors could 1 be represented as one of, or a combination of, the four basic errors is not discussed in the submittal. Possible site-specific influences, or performance shaping factors, that may have been considered were not identified. The " nominal" values listed in the THERP tables were not adjusted to address specific performance shaping factors. The HEPs employed, then, are ,
essentially " generic" values.
While the numerical results are useful, the greater benefit obtained from HRA is the improved )
understanding of the plant-specific factors related to human error that are potential j contributors to risk. For pre-initiator human errors this improved understanding is derived 4 from thorough examination of actual plant operational practice in maintenance, test and surveillance. That examination might include, for example, systematic and rigorous l
4
1 examination of procedures, and discussions with and perhaps observation of, maintenance i
personnel and other plant personnel who actually perform the tasks. The rigor of analysis was difficult to judge from the summary information required and reported in the IPE l
submittal. However, the licensce's discussion of the process in response to an NRC request '
for additional information provided evidence of a reasonably systematic plant-specific :
assessment of pre-initiator actions supporting the generic quantification approach. Factors i that were considered in the analysis included:
- 1) The type of action (one of the four " generic" types i
- 2) Complexity of the task
- 3) Whether the same or separate procedures are used for surveillance / test of redundant channels or trains
- 4) Schedules of surveillance and test activities (whether tasks are performed at the same time
- 5) Location of the action
- 6) Instrumentation available for error detection ;
- 7) Effectiveness of the verification.
In addition, the licensee's response indicated that during the IPE development period, a comprehensive system walkdown was performed in which major components were located and their associated plant conditions, as well as some human engineering aspects, were .
evaluated. In our view, the licensee's approach to quantifying pre-initiator actions can be considered a " fine screening" approach. The supporting plant-specific assessment constituted a reasonable approach that is consistent with the level of rigor in other accepted screening approaches that have been used in PRAs accepted by NRC, e.g., the ASEP methodology. ,
The submittal does not discuss the issue of dependency among the basic pre-initiator HEPs f combined. Success or failure on a preceding action can significantly affect the likelihood of success / failure on a subsequent action. Therefore, we had a concem that the overall HEP '
estimates for pre-initiators in the Hatch analysis may be artificially low. In response to an NRC request for additional information, the licensee indicated that dependencies were considered qualitatively, in particular dependency between performance of the original action and performance of the prescribed verification action (e.g., verifying correct alignment after maintenance / test). The approach used was to evaluate multiple actions qualitatively and to make a judgment as to whether the actions were or were not dependent. Quantitatively, it was assumed that multiple actions were either completely dependent or completely independent. The licensee provided examples of the qualitative consideration of specific actions which illustrated the judgment process and rationale. While this is a simplified approach for addressing dependencies, it at least provided a framework for the licensee to E systematically consider the potential impact of dependency of one pre-initiator action on ,
.nother, and a means to adjust HEPs to appropriately adjust the HEPs. We consider the licensee's appmach to treating d--l-acies in pre-initiator actions to be reasonable. :
5
i .
1.3 Post-Initiator Human Actions ne Hatch HRA addressed both response and recovery actions. The submittal uses the term
" dynamic", rather than " response" actions. Dynamic actions are described as scenario-specific, mission-directed activities which are an integral pan of the plant response to an initiating event. The operators must accomplish well-dermed tasks for manual initiation, control and alignment of plant emergency equipment or selected backup systems. These tasks are generally guided by the plant emergency response procedures. Recovery actions, as defined in the submittal, also can be classified as mission-directed activity, but they involve recovery from unexpected failures that completely or partially disable automatic system response during a plant transient. The submittal notes that most actions classified as recovery actions in the Hatch analysis are not as well documented in the plant emergency response procedures (emergency or abnormal procedures). In explaining this statement, the submittal notes that the actions "Are proceduralized, where practicable, though not necessarily in the EOPs."
In general, dynamic actions were quantified using the PLG SLIM-based methodology, and recovery actions were quantified using " engineering and operator judgment." The flooding analysis used screening values for operator actions and did not use the SLIM-based process.
1 The submittal notes that operator actions were selected for quantification by reviewing the .
plant event sequence diagrams (ESDs) and event trees to identify operator actions that impact plant risk, and that this process generally followed the methodology outlined in steps 1 and 2 of the Systematic Human Action Reliability Procedure (SHARP) (Ref. 3). l 1
The dynamic actions quantified and included in the IPE model were compared and found to l be generally similar to the response actions addressed in the NUPEG ll50 Peach Bottom l study and other BWR IPEs reviewed previously. The majotity of the actions identified by the NRC front-end reviewers as important were addressed by the licensee. Exceptions and or insufficient discussion in the submittal were clarified by additional information provided by the licensee in response to an NRC request for information. Based on our review of the submittal and the additional information pmvided by the licensee, we conclude that the licensee's process for identification and selection of post-initiator actions was reasonably
{
systematic and comprehensive, and provided reasoanble assurance that important actions were l
not omitted.
l The submittal does not indicate that any numerical screening of post-initiator human actions was performed. Actions selected for quantification from the qualitative analysis described i above were quantified using the PLG SLIM-based process. Additional recovery actions were I quantified and added to some sequences.
l Timing of operator actions is specifically addressed in the qualitative and quantitative analysis performed in the Hatch evaluation of post-initiator actions. The estimated time available for each operator action is listed in the submittal. The submittal does not specifically identify the 6
basis for these time window estimates, though general discussion about the basis for detailed scenario information notes the usual combination of thermal hydraulic analysis, plant data, judgment, and previous PRA experience. The expected time of operator response is not estimated directly. The likelihood of operators performing the required action within the available time is one of the performance shaping factors rated by the panels of experts. Thus, the impact of timing is accounted for in the SLIM process essentially by subjective evaluation, and is therefore subject to the biases and uncertainties (and approaches to eliminate or account for those biases and uncertainties) inherent in the subjective process employed. There is no indication in the submittal that timed walk-throughs or simulator exercises were performed to obtain data or to help " anchor" the subjective process. Such walkthroughs/ exercises would have provided a stronger basis for the time estimates.
(Subsequent information from the licensee indicated that some walkdowns were performed for out-of-control-room actions.)
Seven performance shaping factors were considered by expert raters in the SLIM-based assessment. The basis for selection of these seven and elimination of other possible factors was not discussed in the submittal. Other HRAs performed by PLG as part ofIPEs have used a similar set of PSFs with some variations. The seven included in the Hatch assessment were:
e Task Complexity
- Man-Machine Interface and Indications of Conditions
- Adequacy of Time to Accomplish Action
- Procedural Guidance
- Significant Preceding and Concurrent Actions e Training and Experience
- Stress Seven groups of expens provided ratings. One group was comprised of operations personnel, and one group of analysts from PLG. Five of the " groups" were actually single individuals -
one shift supervisor, three senior reactor operators, and one Plant Hatch analyst. The submittal provides a listing of the calibration tasks used for the Hatch analysis. They were selected from six different previous PRAs.
1 This assessment of the plant-specific effects of performance shaping factors follows the SLIM methodology, which is well documented and generally accepted by the HRA community. In general, the method appean to have been implemented properly. A concem remaining after our initial review of the submittal was the level ofinformatiori and background discussion provided to the raters in preparation for the rating process. In response to an NRC request for additional information, the licensee noted that a balance must be maintained between providing the raters enough specific information to permit effective evaluation of the context of the accident progression and providing too much or too direct input from the PRA analysts t
l f
1 l
i that could bias the raters' evaluations. The discussion provided by the licensee and the summary of the information provided to the raters addressed our concems.
An important concem in HRA is the determination of how the probability of success or failure on one task may be related to success or failure on another. One of the advantages cited by some for the SLIM methodology is that it emphasizes the assessment of perfonnance shaping factors in the context in which the action takes place in the plant. Thus plant-specific factors, and event / sequence-specific factors are inherently addressed by the raters. The performance shaping factor, "Significant Preceding and Concurrent Actions" addresses directly concems about the dependency of failure of one task on preceding and concurrent tasks. The scaling guidance states that "If necessary, some strongly dependent failures may be accounted for by specific split fractions in the event trees." However, there was little further detail in the submittal to determine specifically how dependencies were quantified. In response to an NRC request for additional information, the licensee provided a comprehensive summary discussion of the approach used to address dependencies in the post-initiator HRA, including various types of dependencies addressed, the rationale used to assess the degree of dependency existing between multiple actions, means for quantifying the impact of dependencies, and means for incorporating dependency effects in the IPE logic models (fault trees and event trees). In our view, the licensee's approach was a comprehensive and thoughtful treatment of dependencies.
HEP values for recovery actions were, in general, selected on the basis of engineering and ' ,
operator judgment. The submittal states that the judgment considered the difficulty of the l action, time available for the action, and the indications available to the control room staff. It !
also states that most of the actions are relatively simple recovery actions with which the l operators are familiar and that they are guided by procedures "where appropriate." Twenty recovery actions are summarized in the submittal. A brief discussion of each action is !
provided in the submittal, along with a general summary of the rationale for the selection of !
the numerical value, identification of where (e.g., which top event or split fraction) the action is considered in the IPE model, and often a comparison to values for similar actions determined by SLIM or used in other sources. Information provided by the licensee in response to an NRC request provided substantial additional detail on the qualitative and quantitative assessment of recovery actions, including evaluation of plant-specific factors such as location and travel time for out-of-control room actions and impact of credit for recovery actions (in terms of risk achievement worth).
Overall, the numerical values for recovery actions appear to be slightly lower than conservative numbers frequently used when such actions are quantified on the basis of subjective judgment without the benefit of a systematic HRA technique. A sensitivity study was performed with all values for recovery actions set to 0.1 (except the recovery of offsite i grid, which already had values abow 0.1). Core damage frequency (CDF) was increased by a l factor of 5.8 for Unit I and 5.3 for Unit 2. Most of the sequences contributing to the increased CDF were already in the top 100 sequences when the nominal values were used.
8
4
,j 1.4 Vulnerabilities, Insights, and Enhancements Human error was identified in the submittal as a significant contributor to core damage frequency. Failure of operators to perform emergency depressurization is one of the
~
dominant basic events contributing to CDF (second highest importance value for all hardware and human failures). .Other operator actions were identified as significant contributors to most accident classes.
Vulnerability screening by the licensee, which appears to be consistent with guidance n provided in NUREG-1335, identified no vulnerabilities. However, a number of plant L enhancements were identified and implemented during the development of the IPE and were credited in the IPE. Enhancements significant to human performance included:
- 1) A hardened vent was designed to address loss of decay heat removal sequences .]
with respect to available suppon systems. Venting is important to maintaining containment integrity and controlling releases.
- 2) Procedure changes and modifications to HVAC duct for the control building were initiated to allow continued operation of electrical equipment in the control building upon loss of HVAC. These modifications enhance the ability to support continued operation of emergency AC and DC distribution systems, .
which is important for station blackout.
- 3) A recovery action to initiate the purge mode of MCR cooling on loss of the control room chillers was proceduralized. This action is imponant for events initiated by loss of all plant service water (PSW) or loss of control room cooling.
- 4) Procedures for operating the intake structure ventilation system were made to.
ensure that a single control systen failure would not lead to the loss of the intake structure fans. Loss of ventilation fans could cause failure of PSW and RHRSW pumps for both units.
- 5) Procedure changes were implemented to inform the operator that tripping unneeded pumps when room ventilation is not available will help ensure equipment operation.
- 6) Procedure changes were implemented to allow cross-connecting of motor cooling water for the RHRSW pump motors when one division of PSW has failed.
i 9
\
c .
2.0 CONTRACTOR REVIEW FINDINGS This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Edwin 1. Hatch Nuclear Plant Units 1 and 2 (Hatch) Individual Plant Examination (IPE) submittal from Georgia Power Company (GPC) to the U.S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staffin their evaluation of the IPE and conclusions regarding whether the submittal meets the intent of Generic Letter 88-20. Review findings responsive to the items specified in the Statement of Work from NRC are summarized below.
2.1 General Review 2.1.1 Utility Panicipation and Process for Confirmine As-Built. As-Operated Plant.
The NRC review of the submittal attempts to determine whether the utility personnel were involved in the development and application of PRA techniques to their facility, and that the associated walkdowns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built and as-operated plant.
The technical expenise and methodology for the HRA (and other front-end analysis efforts) was provided by PLG, Inc. The submittal discussion of the organization of the .
IPE program indicates significant involvement of utility personnel - corporate personnel, and to a lesser degree, site personnel - in the development of the IPE. The corporate Manager, Nuclear Engineering and Licensing had overall responsibility for the IPE program. A Project Engineer from the Licensing Group was responsible for coordination of the project with site activities and resolution ofissues that could impact plant design and operation. Corporate Technical Services personnel were responsible for the technical oversight of the IPE, including technical lead for the Level I analysis. They conducted major ponions of the Level I analysis and some ponions of the Level 11 analysis. Plant Hatch site personnel participated in plant walkdowns and operator interviews, responded to specific requests for information from the IPE team, and reviewed analysis and related documentation. Several site managers and supervisors were involved in the Independent Review Group (IRG), which is discussed in Section 2.1.2 below.
The submittal notes that the " baseline plant configuration" date for the IPE was November,1991. Changes to the plant incorporated after that deadline and included in the IPE are identified and discussed in the submittal. The submittal notes that specific steps were integrated into the Hatch IPE process to provide assurance that the IPE represents the as-built, as-operated plant. Work packages generated during the IPE process received an independent technical review prior to approval. During development of each work package, the originator stated any assumptions made and kept a list of questions related to operation and current plant configuration. During the analysis development, the work packages were reviewed by personnel with plant site experience. These reviewers provided responses to any questions related to as-built conditions and stated their 10
O
- agreement or disagreement with the originator's assumptions. Reviewer comments and the associated responses related to as-built conditions were incorporated into work packages as pan of the comment resolution process. In addition, the intemal review process described in Section 2.1.2 below included independent technical review by Hatch personnel and by the IRG. The IRG included experienced site and corporate management representatives from selected depanments familiar with day-to-day plant operations and design.
Three major plant walkdowns are summarized in the submittal: (1) a general systems walkdown; (2) ar: intemal flooding walkdown; and, (3) a containment / Level II walkdown.
The general systems walkdown was performed by two corporate engineers expedenced in PRA evaluations, with assistance from site Engineering staff. Pertinent to the HRA, one of the specific goals cited for the walkdowns was to determine factors affecting local operator recovery actions identified as potentially imponant to risk. The submittal also notes that, "The accessibility of components and the environments in which they are located were examined from a human factors standpoint."
The submittal provides a listing of plant-specific IPE information sources that includes sources typical of previous IPEs and other PRAs. Of panicular note for the HRA are procedures for maintenance, surveillance, and normal, abnormal and emergency operations, and operator training material. Plant-specific information peninent to the IPE .
was extracted and summarized in system notebooks. The submittal states that the l notebooks were reviewed by " appropriate site systems engineers and, where deemed appropriate, by licensed personnel to verify that an accurate representation of plant design and operation was achieved."
Finally, the subjective SLIM-based process used for evaluation of " dynamic" human actions (i.e., actions in response to an initiating event) included significant direct involvement of operators and others knowledgeable of plant operations in the evaluation and quantification of human error for these types of actions. These individuals served as
" subject matter expens" providing the ratings from which the human error probabilities included in the IPE model were derived.
Based on the above findings as documented in the submittal, we conclude that overall the licensee's IPE process included steps to provide reasonable assurance that the IPE model represents the as-built, as-operated plant.
2.1.2 In-House Peer Review.
The submittal indicates that the guidance provided in NUREG-1335 regarding an independent in-house review was addressed by 1) project quality assurance and contml procedures employed throughout the IPE development, and 2) reviews ped'ormed by the IRG, by General Electric, and by other site and corporate personnel.
11 i
A specific procedure, "lPE Work Package Preparation and Verification," was developed and used to ensure consistency and control of work package generation. Individual work packages (e g., the MAAP parameter file) were independently reviewed by a second analyst l "to the extent practicable," and were approved by the PRA supervisor. Issued documents were treated as quality documentation and retained for the life of the plant. Work products generated by contract personnel were conducted under their quality assurance programs, which were reviewed and approved by the corporate Quality Services group.
l The IRG provided critical review of the IPE plan, processes, documentation and results.
Members included the corporate Manager of Nuclear Engineering and Licensing and a corporate Project Engineer, plus site managers / supervisors from Operations, Maintenance, Outag.s and Planning, Training, and Nuclear Safety and Compliance. A senior level GE engineer experienced in PRA techniques and BWR technology served as a consultant to the IRG providing more detailed reviews of the methods employed and individual analyses. The IRG focused in more depth on areas requiring site-specific knowledge, and reviewed samples of specific analyses. The IRG provided comments on programmatic issues, operating insights, comments on data effectiveness and clarity for future use by site personnel, technical basis for assumptions, and the scope of analysis. All comments were satisfactorily resolved. Examples of three significant comments were provided in the submittal. No comments directly related to the HRA were cited in the submittal.
Prior to the formation of the IRG, GE was contracted to review several portions of the IPE, including the HRA. These reviews were considered as input to the IRG process. The example GE comments cited in the submittal included one that noted that some of the human error probabilities (HEPs) from the SLIM analysis were lower than those used in other industry analyses. Specific HEPs were not identified. The submittal indicates that upon further review, it was decided that the values were reasonable and should not be revised.
Additional independent review of specific areas was provided by site and corporate personnel.
Site system engineers reviewed the system notebooks. Representatives from the Operations and Operations and Planning departments reviewed the dependency matrix, and, pertinent to l
the HRA, Operations department management reviewed the proposed recovery actions for applicability and impact on plant procedures. Corporate engineers reviewed the Event Sequence Diagrams (ESDs), portions of the initiating event analysis, and key analysis assumptions. The ESDs are input to development of the event trees; they provide a visual l
means for identifying important operator actions. The ESD reviewer was an engineer who held a Senior Reactor Operator (SRO) license.
In our opinion, these reviews collectively constituted a reasonable process for an "in-house" peer review that pmvides some assurance that the IPE analytic techniques were correctly applied and that documentation is accurate. j i
I l )
t l 12 i
1 1
1 2.2 Pre-Initiator Human Actions Errors in perfomiance of pre-initiator tasks (i.e., tasks performed during routine operations and maintenance, such as failure to restore or properly align equipment after testing or l
maintenance, or calibration of system logic instrumentation) may cause components, trains, or j
entire systems to be unavailable on demand during an accident, and thus may significantly l impact plant risk. The NRC staff review of the HRA portion of the IPE examines the i licensee's HRA process to determine what consideration was given to pre-initiator human l cvents, how potential events were identified, the effectiveness of quantitative and/or !
qualitative screening precess (es) employed, and the processes for accounting for plant-specific !
performance shaping factors, recovery factors, and dependencies among multiple actions. l l
2.2.1 Pre-Initiator Human Actions Considered. i l
The Hatch HRA addressed pre-initiator errors in maintenance, test and surveillance actions by incorporating human error into the systems analysis (fault trees) as a specific cause for system unavailability. Both misalignment (restoration) errors and miscalibration were considered.
2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions.
The key concems of the NRC staff review regarding the process for identification and .
selection of pre-initiator human events are: (a) whether maintenance, test and calibration ,
procedures for the systems and components modeled were reviewed by the systems analyst (s), l and (b) whether discussions were held with appropriate plant personnel (e.g., maintenance, training, operations) on the interpretation and implementation of the plant's test, maintenance and calibration procedures to identify and understand the specific actions and the specific components manipulated when performing the maintenance, test, or calibration tasks.
The submittal states (page 3.3-12) that, "An initial list of pre-initiating event human actions l was assembled from a review of the system test and maintenance procedures. Several of these actions (such as miscalibration errors which would be detected during shift channel checks) were screened out due to having a low contribution to system unavailability compared i to hardware failures." Other than this statement, no specific information is provided in the l
submittal regarding the process for identification and selection of pre-initiator human events.
{
As indicated in Sections 2.1.1 and 2.1.2 above, the submittal makes general statements ;
indicating that appropriate site personnel and corporate personnel with site-specific knowledge !
were involved in development and review of systems analysis. Our initial review raised
{
questions about: 1) the degree to which this identification and selection process involved i examination of procedures and discussion with appropriate plant personnel,2) whether the I licensee had examined other PRAs to identify pre initiator actions that may be important to l Plant Hatch, and 3) the qualitative " screening" process used to eliminate actions from further consideration. l l
I l
13
)
l l
l
i In response to an NRC request for additional information, the licensee provided more specific information which substantiates that when a particular pre-initiator action was identified as 1 potentially important, procedures were examined and discussions were held (as needed) with !
appropriate plant personnel (e.g., maintenance, training, operations) on the interpretation and implementation of those procedures. Further, the licensee indicated that o'her PRAs had been surveyed, and that no additional important actions applicable to Hatch were identified beyond those identified by the Hatch analysts. Finally, the licensee provided a discussion of the qualitative screening process with specific examples illustrating the rationale and judgment !
used in eliminating relatively unimportant actions These responses from the licensee addressed our concems. In addition, the list of pre-initiators quantified compares reasonably ,
well with similar lists from other PRAs and was found to be relatively comprehensive.
(Appendix A compares pre-initiator and post-initiator human actions addressed in Hatch to l those addressed in the NUREG-1150 Peach Bottom study and in several BWR IPEs reviewed l previously). Based on the results of the process (i.e., the list of pre-initiator actions included in the model) and the additional information provided by the licensee, we conclude that the licensee employed a reasonable process for identification and selection of pre-initiator human actions.
I 2.2.3 Screenine Process for Pre-Initiator Human Actions.
No numerical screening of pre-initiator human events was performed. All events selected for analysis were quantified using a PLG approach that applies numerical estimates obtained from the THERP Handbook (Ref.1).
2.2.4 Plant-Soecific Performance Shapine Factors and Recovery Factors for Pre-Initiator Human Actions.
The approach used by the licensee to quantify pre-initiators involves breaking the potential errors down to more " basic" errors that correspond to actions listed in THERP Handbook tables, and then combining the error probabilities for the basic events to estimate an overall probability for the pre-initiator action. The submittal indicates that each pre-initiator human action selected for quantification was analyzed "in detail," and that the errors associated with each action were decomposed into four basic (generic) types of human errors:
- 1) An error committed during the calibration of an instrument channel when using a written procedure,
- 2) Mispositioning a valve after the completion of a test or maintenance activity, j l
- 3) A two-position switch left in the wrong position without being detected, and
- 4) Failure during an independent verification to detect an error made previously.
14 1
1
_. - ~
The tabulated THERP actions associated with these four basic errors, and the HEPs employed in the Hatch HRA are listed in Table 2-1 (reproduced from Table 3.3-8 in the submittal). A total of eighteen pre-initiator human errors were quantified and incorporated into the IPE model Each pre-initiator used in the IPE model is comprised of one or more of the basic HEPs from THERP. The Monte Carlo sampling technique in the system analysis module of the RISKMAN software package to multiply the distributions together and calculate a new distribution (mean, 5th percentile and 95th percentile) for the combined action.
Table 2-1 Basic HEPs from THERP Used to Quantify Pre-Initiator Human Error iluman Error Description TIIERP IIatch TIIERP Ref.'
Median Range Mean Range Error of commission during calibration 0.003 3 4.67E-03 4.69 Table 14-2 when using written procedures (1980)
Error of omission per item of 0.003 3 4.33E-03 4.11 Table 15-3 instruction when use of wntten (1983) -
procedure is specified (long list. >10 items)
Error of commission in operating a 0.0001 10 5.05E-03 19.27 Table 13-3 two-position switch (recovery action (1983) included)
A checker fails to detect errors made 0.1 5 2.2E-01 7.89 Table 19-1 by others (1983)
+ Submittal reference 3.3-11 is the draft version of the TIIERP handbook published in 1980; reference 3.3-12 is the final version. published in 1983. There apparently was a simple editing mistake which reversed these citations in Table 3.3-8 Table 14 2 in the 1980 version no longer exists as such in the final version.
There is no HFS for this type of error related specifically to calibration tasks in the final version. The value of 0.003 used is typical of TIIERP values for errors of commission in manipulating manual controls, and for errors of omission in performing proceduralized tasks.
THERP tables provide a point estimate and an error factor representing an assumed (lognormal) distribution for each HEP. The point estimate is the median of the distribution. The PLG method used in the Hatch IPE uses the THERP median as a "best estimate" and applies the error factor to obtain a lower bound and upper bound.
For example, when the THERP table lists an HEP of 0.003 and an error factor of 3 (logarithmic scale), the PLG method would assume a best estimate of 0.003, a lower 15 o
l l
bound of 0.001, and an upper bound of 0.01. The PLG method then calculates a mean for an assumed lognormal distribution along with a 5th and 95th percentile value. In l performing the calculation, the PLG methodology treats the upper bound as if it were I the 90th percentile value (rather than the 95th percentile as assumed in THERP). The use of the 90th vs. the 95th percentile is intended to indicate the PRA analyst's judgment that the uncenainty associated with the point estimate is greater than assumed in the i THERP handbook. The HEP distribution (mean, median,5th and 95th percentile) for '
each pre-ini tiator human error used in the IPE model and the combination of basic l HEPs used to obtain the estimate are listed in the submittal (Table 3.3-15). Each HEP l is comprised of from one to three of the basic HEPs from THERP.
The " detailed" analysis performed to arrive at the conclusion that all pre-initiator errors could be represented as one of, or a combination of, the four basic errors is not disemed in the submittal. Possible site-specific influences, or performance shaping factors, that may have been considered were not identified. The " nominal" values listed in the THERP tables were not adjusted to address specific performance shaping factors. !
He HEPs employed, then, are essentially " generic" values. Additional discussion of this approach from the licensee in response to an NRC request for additional information i provided further insights into the licensee's rationale for grouping pre-initiator errors !
into these four " generic" categories. Examples provided in this additional discussion j indicate that a reasonably systematic and plant-specific, though qualitative, judgment process was employed.
While the numerical results are useful, the greater benefit obtained from HRA is the improved understanding of the plant-specific factors related to human error that are ,
potential contributors to risk. For pre-initiator human errors this improved understanding is derived from thorough examination of actual plant operational practice in maintenance, test and surveillance. That examination might include, for example, systematic and rigorous examination of procedures, and discussions with and perhaps observation of, maintenance personnel and other plant personnel who actually perform the tasks. The rigor of analysis is difficult to judge from the summary information required and reported in the IPE submittal. In response to an NRC request for l additional information, the licensee indicated that performance shaping factors such as '
plant-speciSc information, plant conditions, human engineering, performance by the same crew at the same time, and adequacy of training and procedures were not modeled directly in the pre-initiator HRA. Rather, the Plant Hatch pre-initiator human error analysis was a screening analysis, and was intended to focus the quantification on those human errors having the potential to significantly impact the unavailability of systems.
l Factors that were considered in the analysis included:
- 1) The type of action (one of the four "peric" types j
- 2) Complexity of the task ;
- 3) Whether the same or separate praeuuies are used for surveillance / test of redundant channels or trains j 16
- 4) Schedules of surveillance and test activities (whether n:sks are performed at the same time
- 5) Location of the action
- 6) Instrumentation available for error detection
- 7) Effectiveness of the verification.
In addition, the licensee's response indicate'd that during the IPE development period, a comprehensive system walkdown was performed in which major components were located and their associated plant conditions, as well as some human engineering aspects, were evaluated. The licensee indicated that this walkdown helped to assure that plant conditions or human engineering aspects that made performance of system-level action much more error-prone than other activities would have been identified and modeled, and that no evidence of significant adverse conditions was noted.
In our view, this " fine screening" approach to the pre initiator error analysis described by the licensee, with the supporting plant-specific assessment described in the response to the NRC request for additional information constituted a reasonable approach that is consistent with the level of rigor in other accepted screening approaches that have been used in PRAs accepted by NRC, e.g., the ASEP methodology (Ref. 2).
2.2.5 Consideration of Dependencies for Pre-Initiator Human Actions. .
The combination of HEP distributions from THERP to arrive at a final distribution to be used in the IPE was described above. The submittal discussion indicates only that i this combination was performed by the Monte Carlo sampling technique in the )
RISKMAN software. It does not address the issue of dependency among the basic HEPs combined. Failure to account for dependencies, particularly when operator actions are incorporated into system fault trees, can result in multiplying human error probabilities and unrealistically optimistic estimates of overall human performance. In response to an NRC request for additional information, the licensee indicated that dependencies were considered qualitatively, in particular dependency between performance of the original action and performance of the prescribed verification action (e.g., verifying correct alignment after maintenance / test). The approach used was to l evaluate multiple actions qualitatively and to make a judgment as to whether the actions j were or were not dependent. Quantitatively, it was assumed that multiple actions were '
either completely dependent or completely independent. The licensee provided examples of the qualitative consideration of specific actions which illustrated the judgment process and rationale. While this is a simpli5ed approach for addressing dependencies, it at least provided a framework for the licensee to systematically consider the potential impact of dependency of one pre-initiator action on another, and a means to adjust HEPs to appropriately adjust the HEPs. We consider the licensee's approach to treating dependencies in pre-initiators to be reasonble.
I l
17 l l
l 2.3 Post Initiator iluman Actions Human error in responding to an accident initiator, e.g., by not recognizing and diagnosing the situation properly, or failure to perform required activities as directed by procedures, can have a significant effect on plant risk, and in some cases have been shown to be dominant contributors to core damage frequency (CDF). These errors are referred to as post-initiator human errors. The NRC staff review determines the types of post-initiator errors considered by the licensee, and evaluates the processes used to identify and select, screen, and quantify post initiator errors, including issues such as the l means for evaluating timing, dependency among human actions, and other plant-specific performance shaping factors.
l 2.3.1 Types of Post-Initiator Human Actions Considered.
I There are two important types of post-initiator actions considered in most PRAs:
response actions, which include those human actions performed in response to the first level directives of the emergency operating procedures / instructions (EOPs, or EOls);
and, recovery actions, which include those performed to recover a specific failure or fault (primarily equipment failure / fault) such as recovery of offsite power or recovery of a front line safety system that was unavailable on demand earlier in the event. Often, recovery actions are assessed after initial quantification of the IPE model, and often the quantitative impact of those recovery actions is estimated by probabilistically adding them to the cutsets that were identified initially. Obviously, the CDF for a sequence is sensitive to failure probabilities added at this top level. The important concern for recovery actions is whether the plant-specific and context-specific factors influencing the likelihood of performance have been appropriately considered, and whether it can reasonably be expected that operators will identify the need for and correctly perform the recovery action during the accident response. For example, credit for recovery actions that are not proceduralized and are not routinely practiced should be viewed !
skeptically without specific justification. '
i The flatch IIRA addressed both response and recovery actions. The submittal uses the i term " dynamic", rather than " response" actions. Dynamic actions are described as scenario- specific, mission-directed activities which are an integral part of the plant response to an initiating event. The operators must accomplish well-defined tasks for manual initiation, control and alignment of plant emergency equipment or selected backup systems. These tasks are generally guided by the plant emergency response procedures. Recovery actions, as defined in the submittal, also can be classified as mission-directed activity, but they involve recovery from unexpected failures that completely or panially disable automatic system response durirg a plant transient. The submittal notes that most actions classified as recovery actions in the Hatch analysis are not as well documented in the plant emergency response procedures (emergency or abnormal procedures). In explaining this statement, the submittal notes that the actions "Are proceduralized, where practicable, though not necessarily in the EOPs."
18
The submittal notes that another reason for categorizing an action as a recovery action may be simply that it is a dynamic action that is added to a " risk sensitive" sequence after quantification of the model. This permits " detailed analyses" for specific recovery actions in "very specialized plant response event sequences" without undue expenditure of time or resources (presumably, compared to the effort that would be required if this detailed and specialized analysis were performed for. all dynamic actions). However, the analysis of recovery actions in most PRAs, including Hatch, typically is not more " detailed and specialized" than the analysis performed for the dynamic actions. In fact, many PRAs use relatively high HEPs typical of screening values because of the greater uncertainty associated with estimating the likelihood of successful recovery actions.
With regard to incorporation of recovery aedons in the Hatch IPE model, the submittal indicates that some dynamic and recovery actions were incorporated into the system model (fault trees), and some were quantified separately and became part of the decision points or split fractions in the plant response tree model.
In general, dynamic actions were quanti 5ed using the PLG SLIM-based methodology (Ref. 3). Three dynamic actions are discussed which were not initially considered but were identified from interaction with operators during the SLIM process. These three were evaluated by modifying operator inputs related to similar actions evaluated by the SLIM based process. The flooding analysis used screening values for operator actions .
and did not use the SLIM-based process. The specific operator actions quantified and the screening values used are not discussed in the submittal. The submittal states that recovery actions were quantified using engineering and operator judgment." Treatment of recovery actions is discussed in Section 2.3.7 below.
2.3.2 Process for Identification and Selection of Post-Initiator Human Actions.
The primary thrust of the NRC staff review related to this question is to assure that the process used by the licensee to identify and select post-initiator actions is systematic and thorough enough to provide reasonable assurance that important actions were not inappropriately precluded from examination. Key issues are whether: (1) the process included review of plant procedures (e.g., emergency operating procedures, system instructions, off-normal (or abnormal) event procedures) associated with the accident sequences delineated and the systems modeled; and, (2) discussions were held with appropriate plant personnel (e.g., operators, shift supervisors, training, operations) on the interpretation and implementation of plant procedures to identify and understand the specific actions and the specific components manipulated when responding to the accident sequences modeled.
As indicated above, the primary methodology used to evaluate post-initiator actions was the PLG adaptation of the Success Likelihood Index Methodology (SLIM) developed by Brookhaven National Laboratory for the NRC (Ref. 3). The submittal notes that operator actions were selected for quantification by reviewing the plant event sequence 19
diagrams (ESDs) and event trees to identify operator actions that impact plant risk, and that this process generally followed the methodology outlined in steps 1 and 2 of the Systematic Human Action Reliability Procedure (SHARP) (Ref. 4). Those two steps in the SHARP process are " Definition" and " Screening", though it does not appear that any numerical screening was performed. The ESDs are pictorial representations (flow charts) of the sequence derived by the PRA analysts from review of procedures, plant documentation and discussion with personnel knowledgeable of plant operations. They are an interim product to, and they support development of, the event trees. To some extent, then, there is some screening of potential operator actions by the PRA analysts as the ESDs are developed. However, we assume that review and feedback from the HRA process contributed to and modified the ESDs.
A significar.t feature of the SLIM process, which is emphasized in the submittal,is the treatment of operator actions in the context of the scenario in which they are embedded.
The submittal emphasizes the importance of the qualitative evaluation performed prior to quantification to fully understand and document the scenario and sequence-specific factors that influence operator performance, likelihood of success, and the importance of the human action within the scenario. The important consequence of this emphasis is that the HRA team reviewed the scenarios in depth from the perspective of human performance issues, and did not simply quantify specific human actions identified by systems analysts. The qualitative analysis characterized the general scenario and plant, .
including success criteria for operator response. In some cases individual sequences with commo- leatures from the perspective of operator decisions and actions were grouped together. Factors affecting operator response time were identified. Support system ,
dependencies, i.e., failures of support systems that could limit the ability of the operators to respond, were identified. Significant preceding actions that may have dependency effects on the action ofinterest were identified. And a qualitative assessment of important factors relating to procedures and to operator training and experience were noted. He submittal notes that some operator actions were observed in simulator training sessions, and that these observations provided the IPE analysts with the " proper orientation and framework within which to evaluate plant-speciSc human actions by giving them a better sense of the timing and compl:xity associated with ;he selected human actions.
Documentation of this qualitative analysis is prepared in the fonn of a human action description form that is used to provide a common basis for evaluation during the quantification by expert raters. A sample of one form is provided in the submittal. The submittal notes that these action descriptions were prepared by the IPE analyst, reviewed by the human action analyst, and reviewed by personnel with operation experience to l ensure consistency with plant practices and nomenclature. Sixty one operator actions were selected for quantification. While much of the submittal discussion of this qualitative analysis is written as though the list of actions to be quantified was already determined and then the analysis was performed, the nature of the interaction between 20
l the HRA and the other IPE analysis is iterative. We assume that this analysis significantly influenced the selection of operator actions to be quantified.
l The dynamic actions quantified and included in the IPE model were compared to actions addressed in the NUREG-1150 Peach Bottom analysis and in other BWR IPEs reviewed previously. This comparison, summarized in Appendix B, indicated that the dynamic actions quantified in the Hatch IPE are generally consistent with response actions addressed in other PRAs. Also, the majority of the actions identified as important by the NRC front-end reviewers were addressed in the submittal, though the discussion of some of them is very limited (See Appendix B). Two operator actions identified as important by the front-end reviewers and not addressed, or not clearly discussed in the submittal:
a) Manual initiation of containment venting, and b) Manual alignment of core / containment flooding systems such as Residual Heat Removal Service Water (RHRSW) crosstie and firewater, and subsequent control over containment water level.
In response to an NRC request for additional information, the licensee provided specific information on the quantification of these human actions. The manualinitiation of containment venting was not treated using the SLIM methodology because the design for the hardened vent was incomplete at the time, and the operators would not have been able to provide meaningful input for the SLIM quantification process. Operator action in venting was treated with what amounts to a coarse screening approach for two cases, depending on whether operator action OL (establish adequate long term heat removal) was successful or failed. For the case in which adequate core cooling has been established, but containment heat removal is unavailable, success or failure in venting is assumed to be dominated by equipment failure, which has failure rate estimates between 6.0E-03 and 1.0E-02. This is based on the qualitative judgment that human error probability would be low because the action can be initiated from the control room and is fully proceduralized as part of the EOPs. We note that typical HRA methods for this operator action are likely to provide an estimate for operator error in the same range as these equipment failure rates, and that therefore the overall failure rate may be somewhat higher, but probably not sufficiently increased to have an important impact on i overall CDF results. For the second case, in which the operators have failed to establish ;
decay heat removal, a screening value of 0.1 was assumed for the operator action to initiate venting. As part of the response to the NRC question, the licensee provided a discussion of the potential dependency between the two actions (establishing long term ;
heat removal and venting) and justification for assuming the two are not dependent. The licensee's discussion also identified the assumed HEP for venting after core damage for the level 2 analysis. A screening value of 0.05 was assumed if OL was bypassed or was successful in the Level 1 scenario; and no credit was taken if OL was unsuccessful in the l Level 1 analysis. I l
21 l l
i
Operator actions to align RHRSW and fire water for injection into the vessel were treated as a part of the operator action YHEAl2, align and operate available alternate injection systems. The SLIM analysis did not distinguish among the alternate systems available. 'Ihe IPE did not take credit for took no credit for arresting core damage in-vessel, and did not evaluate the operator action associated with containment flooding, i The Level 2 analysis did take credit for injection into containment, but did not take credit for aligning RHRSW for this purpose if the RHR pumps were unavailable.
We conclude that the licensee employed a reasonably comprehensive and systematic approach to identify and select post Initiator human actions, and that the process provided reasonable assurance that important actions were not overlooked. ;
2.3.3 Screening Process for Post-Initiator Human Actions.
As indicated above, the submittal does not indicate that any numerical screening of post-initiator human actions was performed. Actions selected for quantification from the qualitative analysis described above were quantified using the PLG SLIM-based process.
Additional recovery actions were quantified and added to some sequences.
1 2.3.4 Consideration of Timine for Dynamic (Response) Actions. !
In some post initiator operator actions, timing - time available vs. time required by the operators - is a critical determinant of likelihood of success. It is important to assure that the licensee's process for estimating both time available and the time necessary for operators to complete the required actions takes into account plant-specific conditions j and provides realistic estimates. Plant-specific phenomenological analysis (accident l analysis computer codes) should be used to determine the available time. Actual l measures using currently licensed operators in realistic walk-throughs or control room i simulator exercises is a preferred approach for estimating expected /necessary operator l response time. Especially for local actions outside of the control room, it is important to assess time to get to the equipment, accessibility, possible impacts on timing of special clothing or environmental factors, etc. Guidance in ASEP and THERP is that estimates l
based on operator judgment alone should be multiplied by a factor of 2. l l
Timing of operator actions is specifically addressed in the qualitative and quantitative analysis performed in the Hatch evaluation of post-initiator actions. The submittal notes that there is a "relatively well-defined time window available for successful operator response." It also notes that timing determines important factors that influence the l operators' ability to diagnose the problem, decide what actions are appropriate, and ,
complete those actions within the required time window. l The operator action descriptions provided as input to the expert raters provides the information available from the systems analysis regarding the time window available.
The estimated time available for each operator action is listed in the submittal (Table 22
3.3-9). The submittal does not identify the basis for specific time window estimates, though general discussion about the basis for detailed scenario information notes the usual combination of thermal hydraulic analysis, plant data, judgment, and previous PRA experience.
]
The expected time of operator response is not estimated directly. The likelihood of operators performing the required action within the available time is one of the performance shaping factors rated by the panels of experts. Thus, the impact of timing is accounted for in the SLIM process essentially by subjective evaluation, and is therefore subject to the biases and uncertair; ties (and approaches to eliminate or account for those biases and uncertainties) inherent in the subjective process employed. Here is no indication that timed walk-throughs or simulator exercises were performed to obtain data or to help " anchor" the subjective process. The tendency for operators to provide optimistic estimates of their ability to respond in a timely fashion should be recognized by the analysts, and appropriate consideration should be given to results using these subjective estimates. For example, sensitivity studies identifying the impact of optimistic estimates might be considered.
2.3.5 Consideration of Plant-Specific Factors for Dynamic (Response) Actions.
Seven performance shaping factors were considered in the SLIM-based assessment. Th.e basis for selection of these seven and elimination of other possible factors was not discussed in the submittal. Other HRAs performed by PLG as part of IPEs have used a similar set of PSFs with some variations. The seven included in the Hatch assessment were:
- 1) Task Complexity - rates the effect of multiple requirements on task success; may include such factors as coordination, multiple locations, remote operations, variety of tasks, communication requirements, and availability of resources.
- 2) Man-Machine Interface and Indications of Conditions - relates the impact of the man-machine interface on the likelihood of success; measures degree to which the control room or the local conditions at the time when the action must be accomplished assist (or impede) the operator in performing the action.
- 3) Adeauacy of Time to Accomplish Action - measure of the time required to act compared with the time available to recognize, diagnose, and accomplish the action; judgment of the evaluators based on input provided in task descriptions.
- 4) Procedural Guidance - accounts for the extent to which plant procedures enhance the operators' ability to perform the action; e.g., procedures available, clear, definite, vague, misleading.
23
- 5) Sienificant Preceding and Concurrent Actions -impact of other time-related actions; preceding and concurrent actions set the stage for (provide context for) the modeled action and make it necessary and obvious to the operators; they can also divert operators' attention from this action or event cause failure.
- 6) Training and Experience - measure the effect of familiarity and con 6dence the operators have about their actions.
- 7) Stress - accounts for situations that may endanger the operator, damage or contaminate either the plant or the environment, or result in a long plant outage; depending on its level, stress can serve as an incentive to accomplish the action, produce a reluctance to act, or provide a diversion of attention that increases the likelihood of failure.
Seven groups of experts provided ratings. One group was comprised of operations personnel, and one group of analysts from PLG. Five of the " groups" were actually single individuals - one shift supervisor, three senior reactor operators, and one Plant Hatch analyst. In response to an NRC request for additional information, the licensee indicated that the use of groups of only one person was not considered to have a signi5 cant impact on the results of the expert evaluation, primarily because experience has shown that individuals within a group are often inDuenced by a " dominant" member, and because within-group variance has been typically been less dramatic than between-group variance. As discussed below, the submittal also indicated that the licensee performed a " sensitivity" study which showed that within-group van. don would not have significantly impacted results.
I Each group provided ratings for PSFs for each action against two criteria: (1) the degree to which the PSF helps or hinders the operator in the performance of the action (scale i of 0 to 10); (2) the relative importance (weight) of each PSF on the likelihood of success j of the action (rated high, medium, or low). The submittal provides blank samples of the i sheets given to the evaluators that define each performance shaping factor (PSF) and provide guidance for scaling. A blank sample of the form used to record results from each rater for each action was also provided in the submittal. The final rating used is a consensus of the ratings from the seven groups. The process for obtaining consensus was not described in the submittal. j l
In order to provide a manageable set of numerical variables that reasonably represent l the variability in human performance, analysts using SLIM often group actions having similar PSF weights. In the Hatch analysis, numerical weights of 2,1, and 0 were assigned to high, medium and low ratings, respectively, and these weights were then normalized to sum to 1 for each evaluated human action. The normalized PSF weights are used in the computation of the success likelihood index, or in the PLG methodology, the failure likelihood index (FLI). Eight groupings were selected for the Hatch analysis:
24
.. w
- Group 1 -
Training is very important e . Group 2 -
LIndications and time available are very important e Group 3 -
Procedures are important; stress is unimportant e Group 4 -
Time available, training, and preceding and concurrent
, actions are important; task complexity, procedures, and L
stress are unimportant e Group 5 -
Time available, task complexity, indications, and training are important; procedures and stress are unimportant i e Group 6A -
Task complexity is important; stress is unimportant e Group 6 -
Task complexity and training are important; stress is unimportant e Group 7 -
Indications are important.
It is interesting to note that none of the eight groups is distinguished by stress being "very important" or "important"; particularly since the guidance for evaluating stress is based on the potential consequences of operator failure, not on some subjective evaluation of expected " psychological" state. All of the other seven PSFs appear as one of the discriminators in one or more groups. Apparently, the evaluators do not perceive that stress is'an important discriminating factor in the likelihood of srecess/ failure for the actions described. Typically stress is one of the performance shaping factors most often addressed and considered important in HRA analysis methods. The consensus ratings, '
and the average of consensus ratings, for each of the seven factors for each action (except for three that were evaluated separately and not included in the eight groups) are provided in the submittal (Table 3.3-13).
Treatment of "within-group" uncertainties was addressed by varying each rating upward or downward one increment (e.g., a rating of 7 varied between 6 and 8) and assigning the human error rate obtained from the maximum values of this variation to represent I the 95th percentile in an assumed lognormal distribution, and the error rate from the I minimum to represent the 5th percentile. The lognormal distribution uses the nominal )
rating as the median with the range factor determined by the 5th and 95th percentile !
values. Between group uncertainty was treated by merging the individual team ratings )
assuming equal weight. PLG's Bayesian Reliability Program was used to merge the ;
values and produce the final probability distributions. 1 1
An important consideration in the quantification of human error using SLIM is the selection of calibration tasks. The submittal notes that the " Calibration tasks must be influenced by PSFs with the same relative weights as the group of actions and have known or accepted values of the human error rate. If PSF ratings are available for the calibration task, they should be used in the quantification for each of the evaluator groups. If PSF ratings are not available for the calibration task but the calibration task is found to be equivalent to one of the actions being evaluated, the PSF ratings given to the evaluated action by each evaluator group should be used for the calibration task in 1
25
quantifying that evaluator group's actions. A calibration task must either have its own PSF ratings or be equivalent to an evaluated action." The notion of identifying a task that is "similar" and then applying the PSF ratings from another task is somewhat problematic. In behavioral terms, what makes one task "similar" to another is, to a large degree, the various PSFs that are significant for both tasks. The PSFs, in effect, are the dimensions along which similarity is measured. If two tasks could be determined to be behaviorally similar/different by some other set of factors, then those factors should be considered as the basis for defining the degree of " similarity", and the basis for grouping tasks together; i.e., they should be included as PSFs. What is important to identify for HRA is the set of task characteristics that significantly affect the probability of success / failure. If the PSFs rated do that, then they define what will be a similar or different task and what will be a similar HEP.
The submittal provides a listing (Table 3.3-14) of the calibration tasks used for the Hatch analysis. They were selected from six different previous PRAs. Five of those six were performed by PLG; the other, Peach Bottom, was a NUREG-1150 plant. The submittal does not state whether PSF ratings were available for the calibration tasks taken from the previous PLG reports, or whether they were simply judged by the analyst (s) to be "similar" and the Hatch groups' ratings were then applied. It appears that the latter is the case, at least for some of the referenced sources. We were not able to examine the five referenced PRAs performed by PLG to assess the basis (i.e., the calibration tasks) .
used in those studies. The IPE submitted for one of the plants referenced indicated that data from 15 different PRAs were considered in selecting the calibration tasks for that study. Since there is no comprehensive data base of HEPs from actual experience, it is still necessary to base HEP estimates essentially on " judgment." It is important that this judgment represent, as best as possible, the cumulative judgment and consensus of the community and results from different HRA techniques and different HRA analysts.
Thus the selection of source data for calibration tasks is important. A concern is to assure that initial subjective estimates by PLG analysts in early PRA studies are not simply " propagated" and gain inappropriate credibility by virtue of repeated use alone.
While it is beyond the scope of this document-only review, detailed information on the ultimate sources of data should be available for examination.
The methodology for treating the plant-specific effects of performance shaping factors follows the SLIM methodology, which is well documented and generally accepted by the HRA community. In general, the method appears to have been implemented properly.
While the submittal information on the implementation of the methodology was ;
reasonably complete, we felt that the submittal would have been strengthened by including further information on the plant-specific assessment performed by the analysts to prepare the input to the evaluators also should have been provided. From our review of the submittal it appeared that fairly general descriptive information was prepared, and that the results therefore were highly dependent on the raters' knowledge of the details of performing that action. For example, the rater is to address man-machine interface and plant indications of conditions. What information on the man-machine interface and 26 l
. . 1 I
the indicators was provided to the evaluators? In rating stress, the rater has to have an understanding of the consequences, directly or indirectly, of operator failure. Were evaluators provided with that information, or was it assumed that all evaluators are knowledgeable and were thinking of all of the potential consequences? Was information from timed walk-throughs or simulator exercises on specific operator response times available to raters to " calibrate" their judgments on timing?
In response to an NRC request for additional information, the licensee indicated that by design, the information presented to the raters in the action descriptions was limited to that information needed by the evaluators to understand the specific scenario and human action in question. The evaluators were expected to be familiar with specific information such as available instrumentation, procedures, training, etc. It is the licensee's view that presenting this information could bias the raters evaluations. For example, specific procedures are not discussed, because knowledge of available procedures is one of the performance shaping factors to be evaluated. The licensee indicated that evaluators were provided with an approximately one-hour presentation prior to the evaluation which included discussion of the general purpose of the IPE and of the SLIM methodology, as well as instructions on completing the evaluation sheets, scaling guidance, and the summary action descriptions illustrated in the submittal. A PRA analyst was available to the raters to answer specific questions, but intentionally was not directly involved in the rating process in order to avoid biasing the raters. We recognize and agree with the licensee's concern about specific discussions influencing raters' evaluations. At the same time, however, it is important to assure that the raters are " experts" in what they are being asked to rate. For example, an SRO may be highly knowledgeable and d'ed in plant operation, but without some guidance and discussion, may not understano .he significance of behavioralinfluences such as dependency among multiple human actions.
Or, has been shown, highly skilled and confident operators may provide optimistic estimates of operator response times. The licensee's response indicates an awareness of and sensitivity to the complexities of the subjective evaluation process involved in implementation of the SLIM methodology.
Another general methodology issue addressed in a response to an NRC request for additional information is the licensee's treatment of diagnostic errors using the SLIM methodology. The licensee's response explained that the SLIM process treats the overall operator response in an integrated fashion. That is, unlike a number of other HRA techniques, operator actions are not separated into " cognitive" (diagnosis, decision, detection) and " manipulation", or " execution" phases. The licensee provides a discussion, using specific examples of operator actions in the Plant Hatch analysis, of the rationale for this approach in SLIM and why such separations are viewed as an artificial one. In our view, HRA techniques which address the two " phases" as distinct and, in fact, use different approaches for quantifying the two phases are useful for application in PRA.
However, the viewpoint of the SLIM process, which is summarized by the licensee, is more consistent with current understanding of human behavior. That is, that the i
I 27 ;
distinction between " cognition" and " execution" is not well defined, and may be more realistically treated as an integrated whole.
2.3.6 Consideration of Dependencies for Dynamic (Response) Actions.
An important concern in HRA is the determination of how the probability of success or failure on one task may be related to success or failure on another. Human behavior typically is highly dependent on the context in which the task is performed - success or failure on a preceding task, performance of other team members in parallel or related tasks, assumptions about the expected level of performance of other team members based on past experience, and many other factors. The human error probability estimates for HRA are conditional probabilities. If dependencies are not specifically accounted for, and HEPs are treated as independent, the probabilistic combination of HEPs can lead to an unrealistically low estimate of human performance overall (i.e., of the joint human error probability), and to a significant underestimate of risk.
One of the advantages cited by some for the SLIM methodology is that it emphasizes the assessment of performance shaping factors in the context in which the action takes place in the plant. Thus plant-specific factors, and event / sequence-specific factors are !
inherently addressed by the raters. The performance shaping factor,"Significant Preceding and Concurrent Actions" addresses directly concerns about the dependency o.f failure of one tesk on preceding and concurrent tasks. ' Die sample action description 1 sheet included in the submittal (Table 3.3-10) shows that preceding and concurrent actions are listed for the rater. However, there is little discussion in the submittal that indicates hcw raters were instructed to assess the level or impact of dependency. The scaling guidance (Table 3.3-11, Sheet 5 of 7) states that "If necessary, some strongly dependent failures may be accounted for by specific split fractions in the event trees."
No information is provided in the submittal as to what constitutes a strongly dependent '
failure, or how one would have been identified by the raters or the analysts. Specific I cases in which split fractions were adjusted by the analyst to account for these strongly dependent actions were not identified; and the "model" or rationale used to make that numerical adjustment was not discussed. The scaling guidance does provide a set of verbal descriptors, or " anchors" for the knowledgeable operator who is thoroughly familiar with and consciously thinking of the context of the action to make a rating of the impact of previous and concurrent actions.
In response to an NRC request for additional information on the treatment of dependencies, the licensee provide a comprehensive summary of the approach used.
Dependencies were treated in one of five ways, depending on the case-by-case assessment of the particular actions involved:
- 1) Assume complete dependence and treat subsequent action as failed (HEP =1.0) when the preceding action failed. l 28
h .y-i 2)i Evaluate the' HEP using the SLIM process, but account for sequence-speci6c variation by assuming the most adverse conditions apply, e.g., by assuming the upper end of the break size for a medium LOCA. ,
4
- 3) De6ne separate scenarios for evaluation. For example, action to control j high pressure injection is treat.ed as two different operator actions !
, depending on whether HPCI has failed or whether both'HPCI and RCIC !
are available, i
- 4) Combine two actions into a single action 'for evaluation. This is l appropriate when the two actions are closely related and performed .
sequentially close in time, e.g., performance of an action and veri 6 cation of. j expected system response. :
i
- 5) Assume dependency is weak enough to treat the actions as independent. l The licensee's discussion also addressed a number of approaches for assuring appropriate accounting for dependencies among multiple actions incorporated into the IPE logic ' -:
models (event trees and fault trees). The discussions included treatment of dependencies .!
for recovery actions.
i
~
Based on our review of this substantial supplementary information provided by the - l licensee, we conclude that the licensee's treatment of dependencies in the post-initiator i HRA was comprehensive and thoughtful. Models of dependency used in various HRA
~!
techniques are, in general, speculative, and the approaches used by the licensee are -
reasonable and justifled by the explanation provided. !
2.3.7 Ouantification of Recovery Actions. I As noted earlier, HEP values for recovery actions were, in general, selected on the basis-of engineering and operator judgment. (Some recovery actions were modeled using the
{
SLIM-based approach.) The submittal states that the judgment considered the difficulty .;
of the action, time available for the action, and the indications available to the control -:
room staff. It also states that most of the actions are relatively simple recovery actions
, with which the operators are familiar and that they are guided by procedures "where i appropriate." Twenty recovery actions are summarized in the submittal. These twenty l are listed in Table 2-1. A brief discussion of each action is provided in the submittal, j along with a general summary of the rationale for the selection of the numerical value, l identi6 cation of where (e.g., which top event or split fraction) the action is considered in :
the IPE model, and often a comparison to values for similar actions determined by SLIM +
or used in other sources. This concise summary documentation of recovery actions is !
consistent with guidance in NUREG-1335, and is a positive contribution to the submittal. ;
.j 29 l
PL-'r=
- .e .
o i
i Overall, the numerical values for recovery actions appear to be slightly lower than ;
conservative numbers frequently used when such. actions are quantified on the basis of l
subjective judgment without the benefit of a systematic HRA technique. A sensitivity study was performed with all values for recovery actions set to 0.1 (except the recovery of l offsite grid, which already had values above 0.1). Core damage frequency (CDF) was >
increased by a factor of 5.8 for Unit I and 5.3 for Unit 2. ~ Most of the sequences ;
contributing to the increased CDF were already in the top 100 sequences when the !
nominal values were used. The results of this sensitivity study are discussed further in !
Section 4 of this TER.
After our initial review of the submittal, there was a concern about treatment of I dependencies for recovery actions. However, as discussed above, the licensee's response a' to an NRC request for additional information included a discussion of this issue and resolved our concern. A second issue addressed in the NRC request for additional information was the degree to which out-of-control-room recovery actions were examined l for feasibility. For example, were time walkdowns performed for time-critical actions, :
and were assumptions about accessibility, availability of tools, etc. verified by ,
walk-throughs or " simulations" of operator actions in the plant? Were environmental factors and other physiological or psychological " stressors" accounted for? As indicated above, the submittal notes that timing, difficulty, and control room indications were considered, but provides no further details as to how these factors were evaluated or, in.
particular, whether additional factors may have been important for out-of-control room ' :
actions. The licensee's response to NRC's request identi6ed each recovery action .
credited that requires actions outside of the control room. Risk achievement worth for l each action was identified, and for those actions with a significant risk achievement I worth, a summary was provided of the action requirements, travel time, environmental .
factors and other factors considered in evaluating the action. The summary information provided indicates that a reasonable effort was made by the licensee to evaluate plant-specific factors influencing human performance in out-of-control room recovery actions, ,
including use of plant walkdowns to estimate travel time. The supplementary l information provided by the licensee satisfactorily addressed our concerns. j l
l 30 l
i
l Table 2-1 Recovery Actions Modeled in the Hatch IPE ACTION HEP' MODELED
- 1. RPS Bus Alignment to Alternate Supply 0.01 Top Events (Top) RPSA, RPSB
- 2. Restoration of Power to Normal Buses 0.05 Most Non-LOSP events
- 3. Recovery of DC Panel Failure 0.012 Spit Frac DCRECl; Top DCREC
- 4. Recovery of P41-F303A Transfer Closed 0.001 Spit Frac SWRECl; Top SWREC
- 5. Recovery of Intake Structure Screen Plugging 0.01 Spit Frac SWREC2; Top SWREC
- 6. Restoration of MCR Cooling after Rec. PSW N/A All hdware; oper error assumed 0.0
- 7. Recovery of Motor Cooling for RIIRSW Pumps upon PSW Discharge Line Blockage 0.1 Spit Frac RSRECl; Top RSREC
- 8. Recovery of Motor Cooling for RHRSW Pumps upon Loss of One Division of PSW 0.01 Spit Frac RSREC2; Top RSREC
- 9. Transfer of Controls to Remote Shutdown upon Loss of MCR Cooling 0.001 Spit Frac KRSDP3; Top KRSDP (Same action with PSW unavailable) 0.01 Spit Frac KRSDP2; Top KRSDP
~
- 11. Recovery of Failed Low Pressure Permissive 0.01 Spit Frac NSREC1 and NSREC2; Signal for CS/LPCI Valves Top NSREC
- 12. Interconnect Reactor Building PSW licaders to Restore Drywell Cooling 0.0001 Spit Frac OWE; Top OW
- 13. Recovery of Containment Heat Removal 0.1 Spit Frac QRA; Top QR
- 14. Recovery of Diesel Start Failures 0.4 Top UA
- 15. Initiation of the Purge Mode of MCR Cooling 0.01 7
- 16. Recovery of liigh Pressure Injection Top HI e No injection avail from CRD 0.5 Spit Frac HIA2, HIB2, HID2 e CRD available 0.2 Spit Frac HIAl, HIB1, HIDI e Condensate only available 0.01 Spit Frac HICOI
- 17. Align Alternate Chiller to Alternate Division of PSW 0.001 Fault tree for Top VM
- 19. Manually Align and Control Diesel Fuel Oil Transfer Pump 0.0262 Fault tree for Top DGS'
- 20. Restoration of Offsite Grid -
Top GR' Notes:
- 1. Values listed apparently are median values assumed; mean values of a lognormal distribution are used in the IPE model. Those mean values are listed in Table 3.3-23 of the submittal.
- 2. Includes human and h:.tlware failure; submittal states that industry data indicate majority of failures due to human error.
- 3. This action was quantified using SLIM; variable YHEEPD.
- 4. Vanable recovery factors depending on time; based on NSAC-166 model.
31
- l. .. .
l 2.3.8 Treatment of Operator Actions in the Flooding Analysis.
I The submittal indicates that operator actions were considered in the quantification of flooding scenarios and that human error probabilities were based on judgment, but essentially no further information is provided regarding consideration of human error in the flooding analysis. Flooding was determined to be only a minor contributor to CDF.
For completeness, a summary of the human actions credited in the flooding analysis and the rationale for quantification of those human actions should have been provided in the 4 submittal. In response to an NRC request for additional information, the licensee i provided an explanation of the approach used to quantify human error in the flooding j analysis. Screening values for diagnosis and action (combined) of 0.05,0.1,0.2, or 0.5 were used as HEP estimates for operator action to isolate the flood source, depending l primarily on the timing available for operator action, which in turn is related to the specific details of the flooding initiator (total flooded area, etc.). The technical basis for these screening values provided by the licensee was essentially a SLIM analysis of an action judged to be similar in timing and other aspects to (but somewhat more complex than) the action required to isolate flooding caused by inadvertent activation of the fire protection system. The SLIM analysis for that action provided an estimate HEP estimate 0.046, and the screening value of 0.05 was used for the flooding analysis. The higher screening values were selected as conservative values for more severe cases. This screening approach appears to be a reasonable attemative to a detailed HRA. More than 30 operator actions were credited in the flooding analysis. It is apparent from this summary that credit for operator action is a significant factor in the flooding analysis.
l l
l 32 i
)
l
3.0 OVERALL EVALUATION AND CONCLUSION
. Based on our review of the submittal and the supplementasy information provided by the licensee in response .to NRC requests for additional information we conclude that the -
human reliability analysis approach employed by the licensee was capable of providing ;
the licensee with an appreciation of the imp,act of human performance on the overall probabilities of core damage' and fission product releases. Overall findings and s conclusions from our review are as follows:
General
- 1) Utility personnel were involved in the development and application of PRA/HRA i techniques to their facility, and associated walkdowns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built and as-operated plant.
- 2) The licensee performed an in-house peer review that provided some assurance that the IPE analytic techniques had been correctly applied and documentation is l
accurate, t
Pre-Initiator Human Events .
- 1) The licensee's HRA process considered human events that can disable a system, and-therefore, involve either miscalibration of system logic instrumentation or failure to ,
restore system or component after test or maintenance.
- 2) The process utilized by the licensee to identify and select the pre-initiator human j events was reasonably comprehensive and included review of procedures and -
discussions with appropriate plant personnel regarding the interpretation and ;
implementation of procedures.
- 3) No numerical screening process was conducted for pre-initiator human actions.
- 4) The licensee's quanti 6 cation process for pre-initiator operator actions employed what might be considered a "6ne screening" approach in which all actions were categorized as one of four " generic" types of actions with different HEPs. However, the plant-speci6c assessment of performance shaping factors and dependencies associated supporting this assessment was reasonably thorough and systematic and provided the opportunity for plant-specific insight to a degree that is at least comparable to other simpli6ed techniques that have been accepted in other PRAs, e.g., ASEP. :
33 i
,, . . . . , n.- -, ., , - . ,,.e-.,,,,-- - , , , ~ -
t Post-Initiator Human Events .
1)' The licensee's process considered human events that are needed to prevent an ;
accident as well to mitigate the consequences of an accident. Both response type i actions and recovery type actions were addressed. ;
- 2) The process used by the licensee to identify and select the post initiator human ,
events included both a) review of plant procedures associated with the accident i sequences delineated and review of systems modeled in the IPE, and b) discussions with appropriate plant personnel on the interpretation and implementation of plant procedures.
I
- 3) No numerical screening process was employed. All operator actions identi6ed as l signi6 cant were quanti 6ed with " nominal" values. l l
- 4) The licensee's treatment of time considered both the time available and the time -
required for the human action. Time available was determined from plant-speci6c thermal hyudraulic calculations, plant data, engineering judgment, and other PRAs. ,
Time required was not estimated directly. Per the SLIM methodology," expert" l raters with operations experience provided ratings of the impact of available vs. l required time as a performance shaping factor. .
1
- 5) The licensee addressed in a systematic manner a reasonable set of plant-speciSc factors inDuencing human performance in response actions and recovery actions.
l
- 6) The licensee's HRA approach included a reasonably thorough and thoughtful consideration of dependencies in the treatment of post-initiator human actions, both l response-type and recovery actions. '
1 l
l 34 ll
4.0 VULNERABILITIES, INSIGHTS AND ENHANCEMENTS 4.1 IPE insights Related to Human Performance I i
ne core damage frequency (CDF) estimates for Unit 1 and Unit 2 are 2.1E-05/yr and 2.2E-05/yr,' respectively. (An update to the IPE dated January 10,1994, stated that errors had been identi6ed and corrected, and the revised CDF estimates increased by ;
87c and 99c, respectively for Units 1 and 2.) The initiating events dominating the CDF estimate are Loss of Offsite Power (including Station Blackout), Transients (Loss of Feedwater, MSIV Gosure, Turbine Trip, Reactor Scram, Loss of Condenser Vacuum),
and Electrical Support System Initiators (Ioss of an AC Bus, less of a DC Bus, Loss of i
a Startup Transformer). Dese three groups together contribute more than 80% of the i CDF. Mechanical Support System Initiators (less of Plant Service Water, Loss of Main Control Room Cooling) and LOCA Events (Inadvertent Opening of a Relief Valve, Medium Break LOCA, LOCAs outside containment, and others) also are significant l
contributors. Anticipated Transients Without Scram (ATWS) and Internal Floods are relatively minor contributors. Table 4-1 lists the initiating event groups and their contribution to CDF for Units I and 2. Contribution by accident classes is summarized in Table 4-2.
Most of the HEPs listed in Section 3.3 of the submittal for pre initiators, post-initiator .
dynamic actions, and post-initiator recovery actions are incorporated into the IPE model through fault trees. Since fault trees are not required and not presented in the IPE, it is difficult to determine exactly where many of the human actions are credited. And, since the importance calculations are presented for top events, it is not easy to directly compare importance of specific human actions. However, the results reported in the submittal clearly indicate the importance of human error as a contributor to CDF.
Human errors are significant contributors to many of the dominant sequences. Table 4-3 lists top events which are human errors or recovery actions involving human and equipment action which contribute 1% or more to the CDF estimate. The importance value is the percentage of CDF involving the particular top event. The ranking is the relative ranking of importance among all top events. Table 4-4 provides similar information for each accident class. In this case, importance is defined as the percentage of accident class frequency involving the particular top event. Tables 4-3 and 4-4 present data for Unit 1 only. Unit 2 results are similar.
Operator failure to perform emergency depressurization is a major contributor to CDF.
It is the second largest contributor of all top events (38.5% of total CDF) and is a dominant contributor to Cass IA, Cass IC and Cass IIIevents.
1 l
l i i 3 ;
l 4.0 VULNERABILITIES, INSIGHTS AND ENilANCEMENTS 4.1 IPE Insights Related to Human Performance i l
The core damage frequency (CDF) estimates for Unit 1 and Unit 2 are 2.1E-05/yr and 2.2E-05/yr, respectively. (An update to the IPE dated January 10,1994, stated that
. i errors had been identified and corrected, and the revised CDF estimates increased by )
89c and 9%, respectively for Units 1 and 2.) The initiating events dominating the CDF l estimate are Loss of Offsite Power (including Station Blackout), Transients (Loss of l Feedwater, MSIV Gosure, Turbine Trip, Reacter Scram, Loss of Condenser Vacuum), l and Electrical Support System Initiators (Loss of an AC Bus, Loss of a DC Bus, Loss of a Startup Transformer). These three groups together contribute more than 80% of the ;
CDF. Mechanical Support System Initiators (Loss of Plant Service Water, Loss of Main !
Control Room Cooling) and LOCA Events (Inadvertent Opening of a Relief Valve, Medium Break LOCA, LOCAs outside containment, and others) also are signi5 cant !
contributors. Anticipated Transients Without Scram (ATWS) and Internal Floods are l relatively minor contributors. Table 4-1 lists the initiating event groups and their I contribution to CDF for Units 1 and 2. Contribution by accident classes is summarized in Table 4 7 1 Most of the HEPs listed in Section 3.3 of the submittal for pre-initiators, post-initiator .
dynamic actions, and post-initiator recovery actions are incorporated into the IPE model through fault trees. Since fault trees are not required and not presented in the IPE, it is difficult to determine exactly where many of the human actions are credited. And, since !
the importance calculations are presented for top events, it is not easy to directly I compare importance of specific human actions. However, the results reported in the submittal clearly indicate the importance of human error as a contributor to CDF. '
Human errors are significant contributors to many of the dominant sequences. Table 4-3 lists top events which are human errors or recovery actions involving human and equipment action which contribute 1% or more to the CDF estimate. The importance value is the percentage of CDF involving the particular top event. The ranking is the relative ranking of importance among all top events. Table 4-4 provides similar information for each accident class. In this case, importance is defined as the percentage of accident class frequency involving the particular top event. Tables 4-3 and 4-4 present data for Unit 1 only. Unit 2 results are similar.
Operator failure to perform emergency depressurization is a major contributor to CDF. t It is the second largest contributor of all top events (38.5% of total CDF) and is a l dominant contributor to Gass IA, Cass IC and Cass IIIevents.
35 '
-Q. 4 i i
Table 4-1 !
Contribution to CDF by Initiating Event Category j r
i Percent Contribution to CDF .
Initiatine Event Group Unit 1 Unit 2 Special Initiators - Electrical 32.36 30.13 .
Loss of Offsite Power 26.01 29.83 :
Transients 25.07 23.46 Special Initiators - Mechanical 9.87 9.53 LOCAs 4.06 3.96 ATWS Events 2.46 2.93 Internal Floods 0.16 0.15 l
i Table 4-2 -
l Core Damage Frequency by Accident Class
]
Percent Contribution to CDF :
Accident Class Unit 1 Unit 2 IA I oss of injection, failure to depressurize 32.48 36.78 II Loss of heat removal 22.96 19.47 IB Station blackout, failure to depressurize 15.95 16.20 4 IIIB LOCA, high pressure core damage 14.07 l
14.86 l ID Loss of low pressure injection 11.62 9.47 l IV ATWS, loss of heat removal 1.35 1.59
- V Unisolated LOCA outside containment 0.83 1.59 IC ATWS, loss of injection 0.50 0.61 IIIC LOCA, low pressure core damage 0.23 0.20 l
l I
l
?
Table 4-3 ;
Important Top Events Involving Human Error - All Accident Classes (Unit 1)
Top '
Event Event Description Imoortance Rank i DE Operators fail to perform emergency depressurization 38.5 2 HI Recovery of high pressure injection before TAF ??
I 4 i GR Offsite grid not recovered before core damage occurs 16.8 6 '
UA Recovery of diesel start failures 7.8 14 L10P Operators fail to restart drywell cooling after LOCA sig. -
4.1 24 OL Operators fail to align for long term heat removal 3.8 26 OR Heat removal not recovered before containment failure .
l 3.4 28 i i
KMCR Recovery of MCR cooling fails (purge mode) 2.9 31 l DCREC Recovery of DC panel R25-S001 fails 1.7 35 KRSDP Operators fail to transfer RSDP on loss of MCR cooling l 1.5 41 L10P Failure to restore PSW to turb bldg after LOCA sig. 1.2 43 Table 4-4 !
Important Top Events Involving Human Error - By Accident Class (Unit 1)
Top Event Event Description Importance Rank Accident Class IA DE Operators fail to perform emergency depressurization 68.3 1
!!! Recovery of high pressure injection before TAF unsuccessful 48.4 4 LIOP Operators fail to restan drywell cooling after LOCA signal 8.4 7 KMCR Recovery ofloss of MCR cooling fails (purge mode) 5.0 10 -
r Accident Class IB GR Restoration of offsite power fails 95.7 1 37 ,
l UA_ Recovery of diesel start fa21ures unsuccessful 46.8 6 til Recovery of high pressure injection fails 5.6 13 i
Accident Class IC DE Operator fails to perform emergency depressurization 100.0 2 IIR IIPCI fails to restart following level reduction to TAF 20.2 4 11 0 Operators allow IIPCI to refill vessel (failure to control Ivl) 9.8 6 LlOP Operators fail to restore drywell cooling 5.5 8 FC Operators fail to reduce fecdwater flow 5.2 9 Table 44 (continued) i Atcident Class ID 111 Recovery of high pressure injection before TAF unsuccess. 33.7 3 !
KRSDP Operators fail to transfer RSDP on loss of MCR cooling 10.3 6 i KMCR Recovery of loss of MCR cooling fails (purge mode) 10.1 7 VOP Operators fail to trip pumps on loss of RIIR/CS room c!g. 6.8 10 DCREC Recovery of DC panel R25 S001 fails 5.0 14 Accident Class II l QV liardened vent fails (operator error or hardware) 57.7 1 OL Operators fall to align for long term heat removal 17.6 6 QR IIcat removal not recovered before containment failure 15.8 8 RPSB RPS Bus fails to rem. enrgzd (includes fail to realign) 2.42 2 SWREC Recovery of blocked intake screens falls 1.5 25 l
Accident Class 111B DE Operators fail to perform emergency depressurization 99.9 1 Accident Class filC L10P Operators fail to restart drywell cooling 5.2 10 Accident Class IV OS Operators fail to initiate SLCS 53.9 2 FC Operators fail to reduce feedwater flow 3.5 9 4.2 Enhancements and Commitments The vulnerability screening performed as part of the Hatch IPE, which appears to be consistent with guidance in NUREG-1335, identified no vulnerabilities. However, during the course of the IPE a number of plant and operational improvements were ;
implemented during the course of the IPE, and were credited in the IPE. Those i modifications with human performance significance are:
- 1) The design of the hardened vent, as recommended by NRC GL 89-16, was developed to ensure the design ad<.:quately addressed loss of decay heat i
38
0
,, y I7 removal sequences with respect to available support systems.- Venting is important to maintaining containment integrity and controlling releases.
- 2) Procedure changes and modifications to HVAC duct for the control building were initiated to allow continued operation of electrical equipment in the control building upon loss of HVAC. Operator actions include opening the duct batches and opening doors in'the control building to establish natural circulation. These modi 6 cations enhance the ability to support continued operation of emergency AC and DC distribution systems, which is important for station blackout.
- 3) A recovery action to initiate the purge mode of MCR cooling on loss of the control room chillers was proceduralized. This action is important for events initiated by loss of all plant service water (PSW) or loss of control room cooling.
- 4) Procedures for operating the intake structure ventilation system were made to ensure that a single control system failure would not lead to the loss of the intake structure fans. Loss of ventilation fans could cause failure of PSW and RHRSW pumps for both units.
- 5) Procedure changes were implemented to inform the operator that tripping unneeded pumps when room ventilation is not available will help ensure equipment operation. Calculations performed for the IPE indicate either a -
LPCI or CS pump could operate in each room for the 24-hour IPE mission time without room cooling if the unneeded pumps are tripped. This recovery action is credited in the IPE (VOPA = 0.001).
- 6) Procedure changes were implemented to allow cross-connecting of motor cooling water for the RHRSW pump motors when one division of PSW has failed.
39
5.0 DATA SUSINIARY SHEETS Important Operator Actions / Errors:
Importance evaluations were reported for top events. Top events involving human error, the importance value, and the overall importance ranking of the top event are as follows:
1 TOP EVENT TOP EVENT EVENT DESCRII' TION IMPORTANCE RANK DE Operators fail to perform emergency depressurization 38.5 2 111 Recovery of high pressure injection before TAF unsuccess. 21.2 4 GR Offsite grid not recovered before core damage occurs 16.8 6 UA Recovery of diesel start failures l 7.8 14 ;
LIOP Operators fail to restart drywell cooling after LOCA signal 4.1 24 l OL Operators fail to align for long term heat removal 3.8 26 QR lleat removal not recovered before containment failure 3.4 28 KMCR Recovery of MCR cooling fails (purge mode) 2.9 31 DCREC Recovery of DC panel R25-S001 falls 1.7 35 KRSDP Operators fail to transfer RSDP on loss of MCR cooling 1.5 41 LIOP Operators fail to restore PSW to turb bldg after LOCA sig. 1.2 43 Iluman Performance Related Enhancements:
Six significant human-performance-related enhancements were reported as resulting l from the IPE/HRA analysis: l
- 1) The design of the hardened vent, as recommended by NRC GL 89-16, was developed to ensure the design adequately addressed loss of decay heat removal sequences with respect to available suppon systems.
- 2) Procedure changes and modifications to HVAC duct for the control building were initiated to allow continued operation of electrical equipment in the control building upon loss of HVAC. Operator actions include opening the duct hatches and opening doors in the control building to establish natural l circulation.
- 3) A recovery action to initiate the purge mode of MCR cooling on loss of the control room chillers was proceduralized.
40
,- .o-
- 4) Procedures for operating the intake structure ventilation system were made l
to ensure that a single control system failure would not lead to the loss of the intake structure fans. ,
- 5) Procedure changes were implemented to inform the operator that tripping unneeded pumps when room ventilation is not available will help ensure--
equipment operation.
- 6) Procedure changes were implemented to allow cross-connecting of motor '
cooling water for the RHRSW puinp motors when one division of PSW has failed.
I l
I l
I i
41 .
1
i ..
REFERENCES' y
- 1. A.D. Swain and Guttman, H.E., " Handbook of Human Reliability Analysis with i Emphasis on Nuclear Power Plant Applications, Final Report," NUREG/CR-1278F,'
August,1983.' ,
- 2. A.D. Swain, "The Accident Sequence Evaluation Program (ASEP) Human ;
Reliability Analysis Procedure," NUREG/CR-4772,1987. l
- 3. Proprietary PLG Methodology, based on D.E. Embrey, et al. " SLIM-MAUD: An Approach To Assessing Human Error Probabilities Using Structured Expert l Judgment," NUREG/CR-3518, July,1984.
- 4. Hannaman, G.W., and A.J. Spurgin, " Systematic Human Action Reliability .!
Procedure (SHARP)," EPRI-NP-3583, Electric Power Research Institute,. ;
1984.
I l
i i
4 42
9 9 F
APPENDIX A SELECTION OF OPERATOR ACTIONS ,
G 4
l l
. I l
_ I 43
APPENDIX A SELECTION OF OPERATOR ACTIONS To provide additional insights on the reasonableness of the licensee's approach and results, in particular on the human actions selected for quantification, a comparison of the Hatch HRA was made with the HRA performed as part of the Peach Bottom NUREG-ll50 study, Browns Ferry IPE, Pilgrim IPE, Oyster Creek IPE and Cooper IPE. Particular points of comparison were the pre-initiator and post-initiator operator actions addressed, operator actions identified as important to core damage or risk, and general quantitative results. Operator actions in for each were divided into pre-initiator actions and post-initiator actions. The review and comparison of initiating events and accident sequences is one of the primary issues of the front-end review, and the reader is referred to that review for more detailed information.
Those operator actions identified by the front-end reviewer as important to the IPE were given special attention in the HRA review.
A.1 Pre-Initiator Operator Actions - Hatch, Peach Bottom, Browns Ferry, Pilgrim, and Cooper identified pre-initiator actions, although number of actions and type of actions varies. Pre-initiator operator actions quantified in the Hatch IPE are listed in Table 3.3-15 of the submittal. Table A-1 provides a summary of types of pre-initiator .
actions considered by the HRA's compared. Comparison of the Hatch list with the Peach Bottom list in Table 4.8-1 of NUREG/CR-4550, Vol.4, Rev.1, Part 1, shows similarity in types of actions considered, i.e., failure to restore valves or breakers following test and mamtenance, and miscalibration errors. The Peach Bottom list contains more actions than the Hatch list. The Cooper list contains more actions than the Hatch list and includes failure to remove jumpers and boots in addition to alignment errors, but does not include miscalibration errors. The pre-initiator errors reported for Pilgrim is very limited. The Pilgrim IPE did include a pre-initiator error as one of its operator actions most important to CDF. The only other study to do so was Peach Bottom which included two actions, one of which being the same as Pilgrim and involves failure to restore SLC following test.
TABLE A 1 Comparison of Pre-Initiator Type Actions Identified by Those Plants Considered 1
Plant Failure to Restore Valves or Miscalibration Failure to Remove Breakers Following Test or jumpers or Boots After Maintenance Testing IIATCH YES YES NO PEACil BOTTOM YES YES NO BROWNS FERRY YES NO YES l
l 44 l
PILGRIM YES YES NO CCX)PER YES YES NO A.2 Post-Initiator Operator Actions - Post-initiator response actions, referred to in the Hatch IPE as " Dynamic Human Actions'," are listed in Table 3.3-16 of the Hatch submittal. The corresponding list of operator actions in NUREG/CR-4550 is '
provided in Table 4.8-2. The types of actions are quite similar. Table A-2 provides a comparison between Hatch, Peach Bottom, Browns Ferry, Pilgrim and Oyster Creek of post-initiator actions which were identified as those operator actions important to CDF. Most of the analyses listed similar type actions, although few one-to-one correspondence between reports was found. For those actions which were felt to be reasonably similar, only the Hatch description is provided. Action items which are not marked in the table may appear in the overall list of operator actions analyzed, but were not identified in the respective reports as being important.
l TABLE A 2 Comparison of Post Initiator Operator Action Identified as ImDoriant !
to CDF. l ACTION Hatch Peach Brwns Pigrm Oystr Btm Ferry Creek -
Emergency depressuruation (llatch) X X X X X Recovery HP injection before TAF unsuccessful (Hatch) X X X Offsite grid recovered before CD (Hatch) X X X Recovery of DG start failure (Hatch) X Fail to restart drywell cooling after LOCA (Hatch) X X Fail to align for Long Term Cooling (Hatch) X X Heat Removal not recovered before containment failure (llatch) X X X Recovery of Main Control Room (MCR) Cooling - purge mode (llatch) X Recovery of DC panel R25.S001 (Hatch) X Fail to transfer RSDP on Loss of MCR cooling (Hatch) X Fail to restore PSW to turbine building after LOCA (llatch) X Recover suppression pool cooling (Browris Ferry) X Align alteinate injection to reactor vessel via Unit 1 & 2 crosstie (Browns Ferry) X 45
. . + i l
Start RilR or CS pump, pven IIP mjection failure '
(Browns Ferry) X Restore power to 480 V RMOV Board 2A or 2(Browns I Ferry) X Transfer Umt 1 & 2 4kV loads to 161kV with loss of l 500kV power (Browns Ferry) X X Stan SLC, given ATWS with reactor vessel isolated (Browns Ferry) X X X Align RHR for drywell spray dunng non-ATWS (Browns Ferry) X l Miscalibrates reactor pressure sensors (Peach Bottom); l pre-initiator X SLC failure to restore after test (Peach Bottom); pre-initiator X X SLC injection failure before Heat Capacity Temp Limit (Pilgrim) X i Fail to align direct torus vent (Pilgrim) X X l
Failure to manually open LPCI injection valves (Pilgrim) X 1 Fauure to follow fire water cross-tie procedure (Pilgrim) X Failure to control level after SLC injection (Pilgrim) X Fail to initiate SW cooling comr:nsation measures (Pilgrim) X i
I A.3 Quantitative Results: HEP Values - Because of differences in methods, data ;
sources, level of analysis, assumptions and analyst judgment, each HRA is unique.
Direct comparison of numerical results is difficult and does not necessarily provide a definitive conclusion. However, general comparisons of range of results and spot comparisons of quantitative values for similar actions provide another indicator of reasonableness of the licensee's approach and rationale. Attached are listing of HEPs for Hatch and Peach Bottom.
Peach Bottom results for pre-initiator human errors were typically in the range between 1E-04 and 1E-03. Hatch results for pre-initiator human errors were typically in the 1E-05 range. Post-initiator operator action on Peach Bottom were in the IE-01 to IE-02 range and Hatch consistently showed lower values with a range spanning IE-02 to IE-04. This difference is not unexpected given the Peach Bottom HRA used the conservative ASEP approach and Hatch used SLIM to quantify HEPs.
46
?. ..
l A.4 Operator Actions Identified as important in the Front end Review - The front-end reviewers identiSed the following operator actions as important to the IPE:
o manual initiation of depressurization (note: procedure direct manual inhibition of automatic ads for ATWS mitigation considerations [IPE. page 3.1-13])
e manual initiation of SP cooling e manual initiation of containment venting e manual initiation of smoke purge ventilation for the main control room o manual tripping of all but one RHR/CS pump in ECCS room (s) on loss of ventilation to the room (s) e manual switchover of RCIC and HPCI from the SP to the CST long term when SP cooling is lost -
e manual alignment of core / containment flooding systems such as RHRSW crosstic and Brewater, and subsequent control over containment water level ,
e manual actions for crosstic of power between units.
Two of these actions do not appear to be addressed in the Hatch HRA: (1) manual initiation of containment venting, and (2) manual alignment of core / containment Dooding system such as RHRSW crosstic and Brewater, and subsequent control over containment water level. Operation of torus cooling was addressed, but very limited discussion is presented in the submittal. The remaining items identi6ed by the front-end reviewer appear to have been considered and discussed in the submittal.
,$a 47
. e i
l OPERATOR ACIlONS IDENTIFIED AS OPERATOR ACllONS IDENTIFIED IN TIIE IMPORTANT IN TIE FRONT END REVIEW IIRA REVIEW
- 1) manual initiation of depressurization (note: YlEDEI - Lower pressure for condensate injection l
procedure direct manual inhibition of automatic ads !
using TBVS or SRVS for ATWS mitigation considerations [IPE. page 3.1- YlEDE2 - Depressurize for low pressure injection l 13]) using SRVS l YHEDE3 - Depressurize given stuck open SRV, no l high pressure injection l YlEDE4 - Depressurize given medium break LOCA, no high press injection i Y1EDES - Depressurize following ATWS, no high l press injection Y1EDE6 - Depressurize with no low pressure injection level at -207" 1 Yl-EDE7 - Initiate low pressure injection given '
start signal failed YlEDEA - Depressurize given no elevated DW temp, CRD flow available YHEDE- Depressurize given no elevated DW temp, no high press injection YHEDEC - Depressurize given no high DW temp, stuck open SRV present
CISD, SLCS=F, Level Control Success
- 3) manual initiation of containment venting ???
- 4) manualinitiation of smoke purge ventilation Recovery Action - Initiate purge mode of MCR for the main control room Cooling
- 5) manualinpping of all but one RHR/CS pump Recovery action - limited specific information in ECCS room (s) on loss of ventilation to the room (s) - tripping of LPCI and CS pumps upon loss of room cooling
- recovery of motor cooling for RHRSW pumps upon loss of one division of PSW
- 6) manual switchover of RCIC and HPCI from YHELTC - Align for Long Term Shutdown Cooling the SP to the CST long term when SP cooling is lost
- 7) manual alignment of core / containment flooding ???
systems ruch as RHRSW crosstic and firewater, and subsequent control over containment water level i
l l
1 l
48 l
1 l
1 i
l 1
e a
- 8) manual actions for crosstic of power between Several YHEEP actions and (6) Recovery actions -
units. electric power recovery actions involved in the HEA are broad and varied in scope, the type, level of response and detail demonstrated the consideration of alternate power source alignment invoMng operator actions.
I l
49
C o
SUMMARY
OF THE HATCH UNITS 1 ANG 2 INDIVIDUAL PLANT EXAMINATION (IPE)
SUBMITTAL ON MTFrbit EVENTS I
Enclosure 5
i Summar_y of the Hatch Units 1 And 2 Individual Plant Examination (IPE) Submittal on Internal Events t
The NRC staff completed its review of the internal events portion of the Hatch Units 1 and 2 IPE submittal and associated information. The licensee .
performed a separate analysis for each unit and reported the results. The IPE !
did not identify any severe accident vulnerabilities associated with either !
core damage or containment performance. Based on the review of the Hatch 1 Units 1 and 2 IPE submittal, the staff concludes that the licensee met the intent of Generic Letter 88-20. !
The licensee's IPE results* are summarized below: ;
e Total core damage frequency (CDF)': 2.23 and 2.36 x 10" per reactor-year l for Unit I and Unit 2, respectively. l e Contributions to dominant core damage sequences:
Seauence Contribution Unit 1 Unit 2 o Transient with loss of high pressure 32.5% 36.8%
injection and failure to depressurize-o Loss of containment heat removal, 23.0% 19.5%
injection lost after containment failure j o Station blackout with loss of high pressure 16.0% 16.2%
injection and failure to depressurize o Small or medium LOCA with loss of high 14.1% 14.9%
pressure injection and failure to depressurize o Transient with loss of low pressure injection 11.6% 9.5%
o ATWS with containment overpressurization 1.4% 1.6%
followed by loss of injection a Unisolated LOCA outside containment, 0.8% 0.8%
o ATWS with loss of injection 0.5% 0.6%
o LOCA with failure of low pressure injection 0.2% 0.2%
a Major operator actions to prevent core damage or containment failure:
a Failure to depressurize o Failure to recover high pressure coolant injection a Failure to recover offsite grid before core damage a Failure to recover diesel generator start failures a Failure to restart drywell cooling after LOCA o Failure to align for long term heat removal a Failure to recover containment heat removal 1
4
< {c 'o% ,
i o Failure to recover main control room (MCR) cooling a Conditional containment failure probability given core damage:
Containment Failure locations Unit 1 Unit 2 o Over Temperature 20.0% 20.0%
(Drywell)
O Over Pressure 25.0% 21.0%
(Wetwell vent line bellows) o Venting 5.0% 5.0% i o Isolation Failure 0.2% 0.2%
o Bypass 1.0% 1.0%
0 Intact 49.0% 53.0%
Containment Failure Timinas 1 Unit 1 Unit 2 a Early 2.0% 3.0% l 0 Intermediate 20.0% 20.0%
0 Late 29.0% 25.0%
0 Intact 49.0% 53.0%
a No Vessel Breach 0.0% 0.0%
e Significant PRA findings:
i o Core damage was quantified separately for both units, but the results are not significantly different for the two units; a two plant-specific initiating events contribute significantly to the overall CDF: Loss of 600 V AC Bus C and Loss of Station Battery A; a loss of control room Heat, Ventilation, and Air Conditioning (HVAC) and loss of once through ventilation, requires control of key systems from ,
the shutdown panel to mitigate accidents; l 0 battery lifetime is only 2.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> and procedures do not direct DC load -l shedding to preserve battery lifetime; i a room cooling is not required if only one low pressure coolant injection (LPCI) or core spray (CS) pump in a room is operating; o core cooling can be maintained without containment cooling if containment venting is successful; no credit was taken for core cooling without containment cooling and without containment venting, after l containment failure. !
e Improvements that were credited in the IPE and were either implemented or scheduled for implementation by Spring of 1993 are:
o Installation of hardened containment vent; o removal of common Plant Service Water (PSW) discharge valve in Unit 1; i o changes in procedures and modifications to ducting for the control; building to allow continued operation of electrical equipment in the control building following loss of HVAC; 2
4
- 64 e
a recovery action to use smoke purge ventilation upon loss of control room chillers was proceduralized; a modifications to intake structure ventilation system; a procedure changes to allow tripping of residual heat removal (RHR) and CS pumps in emergency core cooling system (ECCS) rooms'to allow continued operation of 1 pump without room cooling; a procedure changes to allow cross connection of PSW cooling water to Residual Heat Removal Service Water o modification to allow swing chiller compressor (RHRSW) pump room for control. motors; HVAC to be powered by either division of. electrical power; o modifications to meet the Station Blackout rule including: replace station service battery chargers, and enhance procedures dealing with loss of ventilation.
m Important plant hardware and plant characteristics:
a Eight inch hardened torus vent; a Swing DG with dedicated PSW cooling water pump; o Hardened Containment Vent; o Ability to flood core / containment with alternate sources such as RHRSW and firewater; o 2.5 hour5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> battery lifetime, procedures do not instruct' operators to shed DC loads.
(* Information has been taken from the Hatch IPE and has not been validated by the NRC staff.)
l l
3 l
I l
I Mr. J. T. Beckham, Jr. July 18,1995 GL 88-20 suggested that licensees could use their IPE submittals to address, among other things, Unresolved Safety Issue (USI) A-45, " Shutdown Decay Heat Removal Requirements." As discussed in the SE and front-end TER, this issue is adequately resolved for Hatch by the IPE.
This completes our action with respect to TAC Nos. M74419 and M74420. If you have any comments regarding the enclosed evaluation, please contact me.
Sincerely,
/s/
Kahtan N. Jabbour, Senior Project Manager Project Directorate II-2 Division of Reactor Projects - I/II Office of Nuclear Reactor Regulation Docket Nos. 50-321 and 50-366
Enclosures:
As stated cc w/ encl: See next page c:
DISTRIBUTION Docket File PUBLIC ,
PD22 Reading File J. Zwolinski S. Varga 0GC ACRS (4)
E. Herschoff, RII R. Crlenjak, RII R. Hernan, NRR DOCUMENT NAME: G:\ HATCH \ HAT 74419.LTR T2 seceive a copy of this document,indcate in the boa: "C" = Copy without attachment / enclosure *E' = CopewettL4Eactwnent/ enclosure *N* = No copy l0FFICE LA:PD22:DRPb h l E PM:PD22:DRPE l6 PM:DRPE o_ l /, D:PD2f(DR.M lC l
'NAME LBerry , A& KJabbour:dt , /, lT RClerk @' fn HBJW DATE 7/ & 195 7/ I 'i( 195 W~ 7/fB /95} [i ~7/ lW 195 V
0FFICIAL RECORD COPY
[$ $
- - - - - - a