ML20098C560

From kanterella
Jump to navigation Jump to search
Technical Evaluation Rept of IPE Submittal Assessment of Human Reliability Analysis,Final Rept, for Plant Units 1 & 2
ML20098C560
Person / Time
Site: Quad Cities Constellation icon.png
Issue date: 08/31/1994
From: Haas P
CONCORD ASSOCIATES, INC.
To:
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
Shared Package
ML20094L068 List:
References
CON-NRC-04-91-069, CON-NRC-4-91-69 CA-TR-93-019-22, CA-TR-93-19-22, NUDOCS 9510100204
Download: ML20098C560 (28)
v  d  e


Text

.. -- - . . -. -- ----._.. - - ...- . - .- - .. . ... . -_

t CAffR-93-019-22 l QUAD CITIES NUCLEAR POWER STATION UNITS 1 AND 2 TECHNICAL EVALUATION REPORT OF THE IPE SUBMITTAL ASSESSMENT OF HUMAN RELIABILITY ANALYSIS FINAL REPORT I

l P.M. Haas P.J. Swanson i

Prepared for U.S. Nuclear Regulatory Commission Omce of Nuclear Regulatory Research Division of Safety Issue Resolution August,1994 CONCORD ASSOCIATES. INC.

Systems Performance Engineers 725 PcIlissippi Parkway Knoxville, TN 37932 Contract No. NRC-04-91-069 Task Order No. 22

~ "fac 45 ct S loI Co 2D'l M)-

l TABLE OF CONTENTS 1.0 EXECUTIVE

SUMMARY

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 2.0 CON 1RACTOR REVIEW FINDINGS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 l 2.1 General Review of the HRA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.1.1 Summary of the Quad Cities HRA Methodology . . . . . . . . . . . . . 6 2.1.2 Utility Involvement, and the Process to Confirm the IPE Represents the As-Built, As-Operated Plant . . . . . . . . . . . . . . . . . 6 2.1.3 In-House Peer Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.2 Pre-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 l 2.2.1 Types of Pre-Initiator Human Actions Addressed . . . . . . . . . . . . . 8 2.2.2 Process for Identification and Selection of Pre-Initiator Human A c tions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.2.3 Screening of Pre-Initiator Human Actions . . . . . . . . . . . . . . . . . . 9 2.2.4 Quantification of Pre-Initiator Human Actions . . . . . . . . . . . . . . . 9 2.3 Post-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 2.3.1 Types of Post-Initiator Actions Addressed . . . . . . . . . . . . . . . . . . 10 2.3.2 Process for Identification and Selection of Post-Initiator Actions . . . 10 2.3.3 Screening of Post-Initiator Human Actions . . . . . . . . . . . . . . . . . . 11 2.3.4 Quantification of Post-Initiator Human Actions . . . . . . . . . . . . . . . 11 2.2.3 Dependencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 3.0 IPE INSIGHTS, IMPROVEMENTS AND COMMITMENTS . . . . . . . . . . . . . . . . . 18 3.1 Definition and Identification of Vulnerabilities . . . . . . . . . . . . . . . . . . . . 18 3.2 IPE Insights Related to Human Performance . . . . . . . . . . . . . . . . . . . . . . 18 3.2.1 CECO Process for Identification of IPE and Accident Manage me nt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 3.2.2 Impact of Human Performance on Severe Accident Behavior . . . . . 20 3.3 Enhancements and Commitments .............................21 4.0 OVERALL EVALUATION AND CONCLUSION . . . . . . . . . . . . . . . . . . . . . . . 22 5.0 DATA

SUMMARY

SHEETS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 l

j

i 1.0 EXECUTIVE

SUMMARY

This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Quad Cities Nuclear Power Station Units 1 and 2 Individual Plant Examinadon (IPE) submittal to the U.S. Nuclear Regulatory Commission (NRC) by Commonwealth Edison Company (CECO). The review was performed to assist NRC staff in their evaluation of the IPE and conclusion regarding whether the submittal meets the intent of Generic Letter 88-20.

General The submittal discussion of the HRA methodology was very general and high-level. The findings and conclusions in this TER are based on the submittal plus more detailed information provided by the licensee in response to an NRC request for additional information. The detailed information included examples of calculations of human error probabilities for pre-initiator and post-initiator actions.

The Quad Cities HRA emphasized quantification of human error probabilities for human actions identified by systems analysts as important to system response to initiating events, i.e.,

for post-ntiator response actions. Analysis of pre-initiator human actions was included, but the scope and leve: of detail of the analysis was relatively limited in comparison to some other PRAs. The methodology for quantification of post-initiator human actions is described in the submittal as consisting of two " phases". Phase I is the quantification of human error probabilities, generally following the guidance and using data tables from THERP. Phase II involved subjective review, and in some cases (downward) adjustment of HEPs of the ten most important human actions. Performance shaping factors considered in the Phase I quantification were stress level, potential error recovery mechanisms, and dependencies  !

among multiple human actions within the same sequence. Operator actions were included in the Plant Response Trees (PRTs) and in supporting fault tree models.

The summary of the IPE Program Organization in the submittal identifies substantial CECO involvement in the IPE. CECO was supported in the analysis by the IPE Partnership (IPEP),  ;

consisting of Westinghouse, TENERA, and Fauske and Associates. The submittal states that  !

Quad Cities personnel provided support to the project through data collection, plant walkdowns, interviews concerning operator or equipment response, and some review of accident sequence modeling. Confirmation that the IPE model represented the as-built, as-operated plant was accomplished by a combination of document review and plant j walkdowns.

The licensee appears to have performed an appropriate internal review of the HRA. No separate independent review was provided. However, the review process that went on i throughout the development of the IPE included multiple reviews by the various team members, including the various levels of CECO and IPEP management, the Senior 1

i

)

l Management Suppon Team (SMST), and a " Tiger Team" composed of senior engineers familiar with plant design and operations and with severe accident issues.

Pre-Initiator Human Actions The submittal did not discuss pre-initiator errors, such as miscalibration or failure to properly restore / align equipment after test or maintenance. However, material provided by the licensee in response to an NRC request for additional information indicates that pre initiator human actions were considered by the licensee. Six pre-initiator human actions (actually two different actions carried out on multiple components) were quantified and included in the IPE model. From the material presented by the licensee, it appears that errors in calibration of instruments were not considered to be significant. None of the six HEPs included in the model were for calibration enors.

Quantification of pre-initiator human actions was performed using the same.THERP-based methodology employed for post-initiator actions. No diagnosis / detection / decision phase was assumed for pre-initiator actions, which is appropriate. Basic HEPs for errors of omission and enors of commission were obtained from THERP tables for proceduralized actions. Basic HEPs were not modtded by plant-specific performance shaping factors.

Factors such as human-machine interface design, lighting, labeling, adequacy of procedures, and training were considered to have Iteen addressed by other programs, such as the Detailed Control Room Design Review, and were considered to be nominal, i.e., to have no impact on the basic HEP. In each case examined, only one critical operator action was considered in each procedure; thus there was no accounting for dependencies among multiple actions. HEPs were adjusted to account for potential error recovery by routine testing. For example, the HEP for failure to properly restore the diesel-driven fire pump after annual testing was multiplied by 1/12 to account for the expected identification and recovery of the error during monthly testing.

Based on our findings, we conclude that the treatment of pre-initiator human actions for the Quad Cities IPE was somewhat limited in scope and level of detail (in comparison to some PRAs), but the quantification was generally consistent with 'IEERP guidance. A more rigorous assessment of pre-initiator actions may contribute to a better understanding of their potential impact on plant risk.

Post-Initiator Human Actions.

The Quad Cities analysis of post-initiator human actions focused on response actions.

Non-proceduralized recovery actions were not addressed, with the exception of recovery of offsite power. Some proceduralized actions that may be referred to as recovery actions in other PRAs were included as response actions per the Quad Cities definition.

l 2

- . - .- - - . . . . - . . - - - . . - ~ - . - . - . -.-- ---.--- ---

, s The process for identification of important post-initiators human actions appears to have .

been systematic and reasonably thorough. It was an integral part of the process for sequence analysis, which was heavily driven by an assessment of the operating j pmcedures. The procass began with the definition of critical safety functions. De identification of systems and operator actions necessary to avoid core damage was guided by tracking the accident progression through the Quad Cities General Abnormal Procedures (QGAs), which are the Quad Cities implementation of the BWR Owners Group symptom-based Emergency Procedure Guidelines. Operator actions which are specifically called for in the QGAs and which were deemed to significantly alter the progression of the accident and the equipment used by the operator were examined for quantification. Success criteria for the final sequence descriptions include operator actions and equipment failures or unavailability. Some potentially significant actions were identified by the NRC front-end reviewer as not being appropriately addressed. Dese actions are discussed in the TER prepared by the front end reviewer.

No numerical screening of post-initiator human actions was performed to identify the most critical actions and eliminate unimportant actions from further consideration /quantification.

All post-initiator operator actions identified by were quantified using a THERP-based approach. Human errors are included as top-level actions in the Plant Response Trees (PRTs) and in fault trees. He fault tree actions are system-related; sequence-specific  !

factors and dependencies are not addressed for those actions.

The licensee states that each operator action addressed in the PRTs is a combination of ,

two parts: a detection / diagnosis / decision (cognitive) part; and, an execution part. l However, the licensee makes a basic assumption that because of symptom-based  !

procedures and training, the cognitive part of operator actions can be quantified using basic HEPs from THERP tables for " rule-based" or step-by-step actions. His assumption.

is, in our view, overly simplistic. Treatment of ermrs in these " cognitive" actions as errors of omission / commission in step-by-step procedures is inconsistent with THERP and other current HRA techniques, and may lead to an overly optimistic estimate of operator reL'oility. i Recovery factors applied to reduce basic HEPs were consistent with THERP, or were based on speculative models that in our view were reasonable and not inconsistent with subjective evaluations in other PRAs.

J Dependencies among individual steps in a single acnon and among multiple actions in a sequence were accounted for by using a decision tree ao assess the level of dependence, and and applying the dependency model of THERP. De decision tree appears to be reasonable, and the implementation of the THERP model appears to have been consistent with THERP guidance.

3

l i,

With the exception of the basic assumption that operator diagnostic / detection / decision actions can be treated essentially the same as step-by-step proceduralized actions, and the related impact on selection of THERP tables and interpretation of THERP guidance, the Phase I quantification process for post initiator actions appears to have been a reasonable, though relatively generic, approach.

The discussion of the Phase II approach is limited, but it appears that the Phase II assessment provided some opportunity for more in-depth, though qualitative and subjective, assessment of t plant-specific factors influencing the most significant operator actions. And, it provided an additional opportunity for direct involvement of operations / training staff in the HRA process.

Vulnerabilities. Insights. and Enhancements The submittal did not provide a precise definition of vulnerability, but did clearly specify criteria used to identify a vulnerability. The criteria are consistent with the guidance in NUREG-1335. In addition, the submittal discusses the results from the IPE in comparison to NUMARC guidance for closure of severe accident issues. No vulnerabilities were identified.

The submittal distinguishes between "IPE insights" and " Accident Management insights".

The IPE insights are those that address the capability of the existing plant to respond to an initiating event. Accident Management (AM) insights deal with enhancements to the capability of the plant emergency response organization to respond to an accident situation, given that it has occurred. The submittal provides a high-level summary of the structured processes for identifying IPE and AM insights during the course of performing and reviewing the IPE. The submittal notes that 81 IPE insights were developed and provides some general statistics on the nature of those insights,i.e., the percent of the 81 findings in each of five broad categories as follows: (1) Plant Specific Procedure Enhancements (51%); (2) Hardware Enhancements (26%); (3) Training (6%); (4)  !

Information (15%); and, (5) Test & Maintenance (2%). No information is provided about  !

any specific IPE insights.

The CECO pmcess for identification of AM insights as an integral part of the IPE is an advancement beyond the requirements / guidance for IPE submittals. It has been used and reported in previous CECO IPEs. The process appears to provide systematic and effective guidance to individuals performing and reviewing the IPE to identify AM insights in five broad areas: (1) Organization and Decision Making; (2) Accident Management Guidance (Strategies); (3) Calculational Tools; (4) Training; and, (5) Plant Status Information.

l Quantitative results of the HRA were succinctly presented. Importance calculations were performed, but are not presented. The top four most important human actions are:

(1) Operator action to depressurize the reactor, i.e., to initiate the automatic depressurization system (ADS)

(2) Operator action to align cooling to the residual heat removal (RHR) heat exchanger 4

a 6

. - . , - , , - . _ e ~,-

(3) Operator action to align to contaminated condensate storage (CCST) suction source.

(4) Operator medon to initiate Safe Shutdown Makeup Pump (SSMP)- Align to CCST with High Pressure Coolant Injection (HPCI) system injection signal present Sensitivity analyses were peJwmed on the first three of these actions. Increasing the  ;

values of the HEPs for these three operator actions (individually) had a significant but not dramatic impact on CDF (increase by 190%,98%, and 98%, respectively). Decreasing l the HEPs by an order of magnitude had a relatively small effect on the estimated CDF  !

(less than 20% nduction for each action).

Overall Evaluation and Conclueian Based on our findings, we conclude that the HRA allowed the licensee to develop a general quantitative understanding of the contribution of human errors to core damage frequency and containment failure probabilities. However, there m two areas which rr.ay lead the licensee to underesdmate 6e impact of human error, and which may warrant more in-depth consideration by the licensee: (1) the potential contribution from errors in pre-initiator human actions, especially calibration, and (2) the treatment of human behavior in the diagnosis / detection / decision phase of post-initiator human actions.

1 I

I i

i 5

1 t

j 2.0 CONTRACTOR REVIEW FINDINGS .

This technical evaluation repon (TER) is a summary of the documentation-only review of i

the human reliability analysis (HRA) presented as pan of the Quad Cities Nuclear Station l Units 1 and 2 Individual Plant Examination (IPE) submittal to the U.S. Nuclear ,

i Regulatory Commission (NRC) by Commonwealth Edison Company (CECO). The review 3 was performed to assist NRC staff in their evaluation of the IPE and their conclusion j regarding whether the submittal meets the intent of Generic letter 88-20. This section of

the TER~ summarizes the significant findings from the document-only review. The

} discussions of the HRA methodology in the IPE submittal are very general and high-level.

The findings discussed below are based on the material in the submittal plus more detailed i information obtained from the licensee in response to an NRC request for additional
information. The detailed information included example calculations of human error probabilities for pre-initiator and post-initiator human actions.

l a

2.1 General Review of the HRA 2.1.1 Summary of the Ouad Cities HRA Methodology.

The Quad Cities HRA emphasized quantification of human error probabilities for human actions identified by systems analysts as important to system response to initiating events, i.e., for post-initiator response actions. Analysis of pre-initiator human actions was included, but the scope and level of detail of the analysis was relatively limited in comparison to some other PRAs. The methodology for quantification of post-initiator human actions is described in the submittal as consisting of two " phases". Phase I is the quantification of human error probabilities, generally following the guidance and using data tables from THERP (Ref.1). The primary focus of the quantification was human actions incorporated into the PRTs. Each action was assumed to consist of a cognitive portion and an execution portion. However, both portions were quantified using THERP tables for rule-based procedures. The analysis addressed stress level, potential error recovery mechanisms, and dependencies among multiple human actions within the same sequence. The Phase II analysis involved subjective review, and in some cases adjustment of human error probabilities, of the ten most imponant human actions by Quad Cities simulator instructor staff.

2.1.2 Utility Involvement. and the Process to Confirm the IPE Reoresents the As-Built.

As-Operated Plant.

The summary of the IPE Program Organization in Section 3.1 of the submittal identifies i I

substantial CECO involvement in the IPE. CECO was supponed in the analysis by the IPE Pannership (IPEP), consisting of Westinghouse, TENERA, and Fauske and Associates.

The submittal states that Quad Cities personnel provided suppon to the project through data collection, plant walkdowns, interviews concerning operator or equipment response, and some review of accident sequence modeling.

l 6

l l

l

=

l 1

o f

A fairly elaborate organizational structure is depicted in which the overall manager of the , ,

effort was the CECO IPE/AM Program Manager. He was responsible for conducting the i six CECO plant IPEs. He directed the work of the CECO PRA/IPE group and the IPEP l effort, and coordinated the involvement of other CECO groups. The bulk of the technical i effon appears to have been performed by the IPEP, with the IPEP Quad Cities Project Manager reporting through the IPEP Program Manager to the CECO IPE/AM Program Manager. Containment Assessment /AM suppon was provided by a separate IPEP group reporting not to the IPEP Quad Cities Project Manager, but to the IPEP Program Manager.

Other groups involved were: the IDEP Senior Management Support Team (SMST), who advised the CECO Program Manager ca IPE and regulatory matters; the IPEP Tiger Team, a group of senior level engineers (which included members of the CECO PRA/IPE Group) who regularly met to review and distill IPE and accident management insights; the CECO Quad Cities PRA Group, who were technically involved in the analysis, apparently primarily as reviewers of IPEP work; and, an individual designated as the Quad Cities Site Interface.

The design freeze date for the IPE was July,1991, with the exception that the model included the hardened containment vent due to be installed at about that time. Plant familiarization and confirmation that the IPE model represented the as built, as-operated plant were accomplished by a combination of document review and plant walkdowns.

The submittal provides a listing of plant documentation used for the IPE, including plant i

specific documents, previous PRAs, and generic studies and data sources. Plant-specific information documentation reviewed included the FSAR, design drawings, design descriptions, training procedures, normal and emergency operating procedures, technical specifications, maintenance and test procedures, LERs and deviation reports, plant operating histories, maimenance records, and other sources. Plant specific data on failures, testing and maintenance, and event initiators was obtained from logs, repons, and operator interviews for a seven year period from January 1,1985 through December 31, 1991. Plant walkdowns were conducted to obtain a better physical visualization of equipment location and environmental impacts and to check on accuracy and completeness of plant drawings and design descriptions.

2.1.3 In-House Peer Review.

The licensee's IPE review process included multiple reviews by the various team members described above, including the various levels of CECO and IPEP management, the SMST, and the Tiger Team. Independent review of each system model was routinely performed by the contractor (IPEP) before submittal to CECO, and CECO PRA staff members reviewed the models for accuracy and completeness. The Tiger Team was composed of senior level engineers familiar with plant design, operations, and severe accident issues.

They provided a review of the IPE results focused on insights related to IPE results and potential accident management strategies and/or plant improvements. 'The SMST reviewed interim products and results with the CECO Program Manager to assure reasonableness of 7

e

-w-- ,

the technical approach and results. We believe that this intemal review process provided ' . !

reasonable assurance of the accuracy of the IPE models with regard to plant systems.

2.2 Pre-Initiator Human Actions 2.2.1 Tvoes of Pm-Initiator Human Actions Addressed Typically, PRAs address potential errors in two types of pre-initiator human actions: 1) restoration of equipment after maintenance or test, and 2) calibration of instruments. As noted earlier, there is no discussion in the submittal of any assessment of pre-initiator  ;

human actions. However, material provided by the licensee in response to an NRC request for additional information indicates that pre-initiator human actions were I considered by the licensee. Six pre-initiator human actions (actually two different actions  ;

carried out on multiple components) were quantified and included in the IPE model.  ;

From the material presented by the licensee, it appears that errors in calibration were I deemed to be insignificant. None of the six HEPs included in the model were for calibration errors.

2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions The licensee states that a qualitative screening process was used, "To identify the maintenance / surveillance [ emphasis added] procedures having the potential for the most significant pre-initiator." However, the licensee also notes that the first step of this screening process was that, "The test, maintenance and calibration [ emphasis added]

procedures performed for the systems and components deemed important to mitigate core damage or containment releases were reviewed to evaluate the related ' failure to restore' events." Thus it appears that the review focused on restoration actions; and that, calibration pmcedures were reviewed, but miscalibration errors were judged to be not significant. Qualitative screening guidance applied to restoration errors included the following:

1

1) Systems that are normally in service were not evaluated further because any lack of operability upon completion of the test, maintenance and/or calibration would be immediately obvious.
2) Systems where a functional test, an alarm, or some other independent method of operability detection is available were not evaluated funher.

These qualitative screening rules are reasonable, and are typical of guidance used in other PRAs. The important consideration in the HRA is that these general assumptions are supported by rigorous plant-specific assessment. A systematic evaluation of procedures and discussion with plant maintenance and operations personnel should be carried out, with direct observation ofin-plant practice where appropriate, to verify that actual plant procedures and practice justify eliminating specific actions from consideration or justify 8

1, ,

i. ,

I credit for error recovery mechanisms. In response to an NRC request for additional information, the licensee indicated that the pre-initiator analysis .had included review of procedures and " numerous" queries of plant personnel regarding key activities and the i; availability and use of procedures. Direct observation of maintenance, test, surveillance or calibration procedures was not deemed to be necessary.

l 2.2.3 Screenine of Pre-Initiator Human Actions i .

I No numerical screening of pre-initiator human actions was performed to identify the most critical actions or eliminate less important actions from further consideration. As indicated above, the subjective identification and qualitative screening eliminated all potential pre-initiator actions from further consideration except six HEPs associated with  !

two restoration actions. I 2.2.4 Ouantification of Pre-Initiator Human Actions Quantification of pre-initiator human actions was performed using the same THERP-based i methodology employed for post-initiator actions. No diagnosis / detection / decision phase was assumed for pre-initiator actions, which is appropriate. Basic HEPs for errors of omission and errors of commission were obtained from THERP tables for proceduralized actions. Basic HEPs were not modified by plant-specific performance shaping factors.

Factors such as human-machine interface design, lighting, labeling, adequacy of procedures, and training were considered to have been addressed by other programs, such as the Detailed Control Room Design Review, and were considered to be nominal, i.e., to have no impact on the basic HEP. In each case examined, only one critical operator action was considered in each procedure; thus there was no accounting for dependencies among multiple actions. HEPs were adjusted to account for potential error recovery by routine testing. For example, the HEP for failure to properly restore the diesel-driven fire pump after annual testing was multiplied by 1/12 to account for the expected identification and recovery of the error during monthly testing.

In our judgment, the quantification process for pre-initiator human actions for the Quad Cities IPE was relatively limited in the level of detail and the rigor of plant-specific assessment, but is generally consistent with THERP guidance. The range of resulting HEPs is typical of HEP values for generally restoration errors in other PRAs. The scope of the analysis, i.e., the number and types of actions quantified is relatively limited compared to other IPEs reviewed. In particular, it appears that calibration errors were dismissed from detailed consideration without a rigorous plant-specific assessment.

Calibration errors have been identified as significant in some other PRAs, most notably in the NUREG-ll50 analysis for Peach Bottom.

l 9

_ . . _ _ _ _ _ . _ . _ _ _ . ~ _ . ~ _ _ _ . _ _ _ _ _ __._ _ _____

, o 2.3 Post Initiator Human Actions 4

2.3.1 Tvoes of Post-Initiator Actions Addressed There are two important types of post-initiator actions considered in most PRAs:

response-tvoc actions, which include those human actions performed in response to the first level directives of the emergency operating procedures / instructions (EOPs, or EOls); and, recoverv-tvoc actions, which include those performed to recover a specific failure or fault (primarily equipment failure / fault) such as recovery of offsite power or recovery of a front-line safety system that was unavailable on demand earlier in the e' vent. Usually, mcovery-type actions are identified from review of important sequences after initial quantification, and credit is added to applicable cutsets. In the Quad Cities analysis, neatment of recovery actions of this type is limited to recovery of offsite power, which includes both human error and equipment failures. CECO's definition of recovery actions is restricted to actions taken "beyond the EOPs", and no credit was taken for such actions.

Actions that are taken in response to failed equipment, and which are directed by system-level procedures, are considered by CECO to be an integral part of the EOP-directed response and are therefore considered to be " response-type" actions rather than " recovery" actions. Some of these actions size modeled in f. ult trees vs. in the PRTs. Regartiless of the semantics, it appears that the Quad Cities analysis does not treat actions that are not proceduralized, either duectly in the EOPs, or in related system procedures hied by the EOPs. All of the actions included in the model were identified in the procedures and included in the PRTs or system fault trees.

2.3.2 Process for Identification and Selection of Post-Initiator Actions.

The primary thrust of the NRC staff review related to this question is to assure that the process used by the licensee to identify and select post-initiator actions is systematic and thorough enough to provide reasonable assurance that important actions were not inappropriately precluded from examination. Key issues are whether: (1) the process included review of plant procedures associated with the accident sequences delineated and the systems modeled; and, (2) discussions wer: held with appropriate plant personnel (e.g., operators, shift supervisors, training, operations) on the interpretation and implementation of plant procedures to identify and understand the specific actions and the specific components manipulated when responding to the accident sequences modeled.

In the Quad Cities submittal, the general summary of the process for sequence analysis, i.e., for development of the PRTs, suggests a systematic top-down structure based heavily on accident response procedures was used to identify and delineate the accident sequences.

The process began with the definition of critical safety functions. The identification of systems and operator actions necessary to avoid core damage was guided by tracking the accident progression through the Quad Cities General Abnormal Procedures (QGAs),

which are the Quad Cities implementation of the BWR Owners Group symptom-based Emergency Procedure Guidelines. Operator actions which are specifically called for in the 10

. . - . . - - - . . = - . _ - - . - - . _ - - - . - .- . . . - -

s QGAs and which were deemed to significantly alter the progression of the accident and ~ ,

the equipment used by the operator were quantified. - Success criteria for the final sequence descriptions include operator actions and equipment failures or unavailability.

Information was gathered from Quad Cities site personnel via meetings, telephone conversations with members of Operations and Training, and simulator observations. The licensee staand that the simulasor observations provided general information on shift manning and division of duties, command and control, communications practice, procedure usage, control room human factors, and quality of simulator training. This process appears to be one which provides reasonable assurance that important (post-initiator) operator actions would not be overlooked.

Additional indication of completeness in identification of human actions is provided by comparison with previous BWR PRAs. Our comparison indicated that most of the important actions typically inchuki in other PRAs were included in the Quad Cities analysis. One notable exception identified by the front-end reviewer is that operator action to inhibit ADS is not included in the ATWS success criteria. An HEP for operator failure to inhibit ADS was calculated for the General Plant Transient. In response to an NRC request for information, the licensee indicated that operator action to inhibit ADS in an ATWS was assumed successful (HEP = 0.0) because of extensive training / practice by operators and the direct guidance in the EOPs. Typically BWR PRAs have included an estimated failure probability for operator action to inhibit ADS,,and in some BWR studies, the combination of this and other operator actions in response to an ATWS have been important contributors to core damage frequency. Usually failure of manual action to depressurize, either by initiating ADS after it has been inhibited, by manual operation of relief valves,is a more significant contributor. Other operator actions of potential importance that were not clearly identified or discussed in the submittal were identified by the front-end reviewers and are addressed in their TER.

2.3.3 Screening of Post-Initiator Human Actions Ne numerical screening cf post-initiator human actions was performed to identify the most critical actions or eliminate les important actions from more detailed analysis. All operator actions identified from the review of procedures and 'discussions with operations staff were quantified and included in the IPE model.

2.3.4 Ouantification of Post-Initiator Human Actions As indicated earherin Section 1.1.1, quantification of post-initiator HEPs was accomplished using a two-phase approach. Phase I was the quantification of human error probabilities, generally following the guidance and using data tables from THERP. Phase II involved subjective review, and in some cases adjustment of HEPs, of the ten most important hurnan actions (determined via Fussel-Vesely importance values) by Quad Cities simulator instructor staff. The implementation of this Phase II assessment provided for direct involvement of operations and training staff in the HRA, which is a positive 11

. i contribution to the HRA. However, the description of the Phase II assessment provided ~  !

by the licensee is very general, and did not provide evidence that the Phase II assessment l

was substantially more rigorous or more critical than the Phase I assessment. All j adjustments made to Phase I HEPs were in the downward direction, i.e., HEPs were reduced as a result of the Phase II assessments. I A limited number of system-related operator actions were included in the fault-tree models. Sequence-specific factors and dependencies were not addressed for those actions.  ;

The quantification of human actions focused on the higher level actions modeled in the

. PRTs, as do the discussions below. I 2.3.4.1 Treatment of Cornitive Behavior. The licensee states that each post-initiator action included in the PRTs is treated as consisting of two parts: a detection / diagnosis / decision (cognitive) part , and an execution pan. This designation of two distinctly different types of human behavior is common to most current HRA models/ techniques. The cognitive processes involved in performance of these initial actions in response to an abnormal event is not well understood. A firm theoretical or empirical basis for predicting human reliability in such actions does not exist. The use of

{

symptom-based procedures, as well as training and practice on simulators, is intended to l aid the operator in the diagnosis / detection / decision phase by guiding the operator more directly to proceduralized step-by-seep procedures (in comparison to the old " event-based" procedures). However, there is little data on operator performance in actual accident situations, or even simulator studies, upon which to base conclusions about human error l probabilities. Most existing HRA approaches, including THERP and those developed l under EPRI sponsorship (Ref. 2), have employed simplified conceptual models, in which '

the error probability decreases as the time available for cognitive action increases. These models, while speculative, do recognize basic differences in human behavior in these

" cognitive" tasks vs. " execution" tasks.

The Quad Cities treatment of the cognitive portion of human actions assumes that because of the symptom-based procedures, operator actions can be quantified using essentially the same basic HEPs used in THERP for the execution phase, i.e., " rule-based" or step-by step actions. In our opinion, this is an overly simplistic treatment of operator response in response to an abnormal event, and may lead to overly optimistic estimates of HEPs. It clearly is a departure from other existing techniques, and it is not supported by analysis from the licensee.

2.3.4.2 Basic HEPs.

Diagnosis / detection / decision actions are considered as " time-critical" or "non-time-critical". The submittal notes that the QGAs are flow-chan procedures typical of the BWROG EPGs, which provide general guidance for symptom based response, not necessarily specific step-by-step guidance. Specific action execution, e.g.,line up of systems indicated in the QGAs, especially for time-critical action, is accomplished from 12

- - ,w. n-.- . - - -.

i memory by the operators. These activities are considered " skill of the craft". Operators .

are expected to refer to step-by-step procedures as time permits to verify cornet line ups. l i

For non time-critical actions, the operators are expected to follow procedures step-by-step.

In either case basic HEPs were taken from THERP tables for errors of omission or errors of commission. For example, basic HEPs for errors of omission in time-critical actions, which are assumed to be performed from memory, are taken from THERP Table 20-8,

" Estimated probabilities of errors in recalling oral instruction items not written down." It is our understanding that this THERP table is intended for routine situations in which i l

individuals are given oral instructions, e.g., by a supervisor, consisting of one to five or more distinct steps. The human behavior that is the focus of the THERP discussion )

underlying this table, and of the focus of the basic research supporting the discussion,is essentially short-term memory. It is not at all clear that application of the basic HEPs in this table to operator response under accident conditions using the BWR flow-chart procedures is appropriate.

The execution portion of the action addressed only those steps which were judged by the systems analysts to be the minimum required steps to meet the PRA success criteria.

Both errors of omission and commission are treated. Omission errors include missing a procedure step or failure to recall non-written instructions. Commission errors include selection of the wrong switch, control or gage, or improper operation of controls given conect selection. The nominal HEPs for errors of omission and commission were taken from the various THERP tables for rule-based actions. The licensee's interpretation and application of THERP tables is not always in strict compliance with THERP guidance.

For example, the licensee assumed that use of THERP tables for procedures with check-off provisions is appropriate, because Quad Cities operators use markers as place-keeping aids. THERP guidance (page 15-13 of the Handbook) is that, " Proper use of a checklist is defined as reading an item in the checklist, performing the operation called for in the item, and then checking off that item in the checklist to indicate it has been done. Any other use of a checklist is defined as improper and is considered as tantamount to ignoring the checking function of the checklist."

2.3.4.3 Treatment of Stress. The submittal states that factors such as " lighting, noise levels, control board ergonomics and administrative controls" were considered nominal and were not addressed in the HRA. Adjustment to basic HEPs was made to account for stress, for error recovery factors, and for dependencies among multiple steps / actions.

Factors considered in assessing the stress level were the time available to perform the i action, the amount of activity during that time, and the availability of systems and components. In general, less time available, greater workload, and more equipment failures were considered to result in higher stress. Consistent with 'IEERP, stress levels ,

were assessed as optimal, moderate, or high; the nominal HEP was used for conditions with optimal stress, and a factor of 2 or 5, respectively, was applied for moderate and high stress. These values of multiplier factors in THERP are for " step-by-step" procedures. The THERP guidance indicates higher values for dynamic actions in response )

to abnormal events (e.g., a factor of 5 for moderate stress). Thus, the selection of the PSF 13

_.m--,,- w - - , - - - r -m - ,- - - - , , . ,-. - e - - -.,.- - -

i i

value is consistent with the licensee's basic assumption that post-initiator response actions '

can be treated as step-by-step procedures, but is not consistent with the recommended values in THERP. ,

2.3.4.4 Error Recovery Factors. Two "models" are used to account for the potential for  !

operators to detect and recover human error before significant consequence occurs. The i

first is a THERP model which adjusts the HEP (multiplies by a factor) to account for specific identified error recovery mechanisms such as:

A procedure step directing the operator to verify that the system is performing its intended function A second alarm at another location in the control room that a different crew member may acknowledge  ;

I An alarm that would indicate that the action had not been performed correctly, assuming that there would till be sufficient time to accomplish the action.  :

A second factor, the " slack-time" recovery factor is applied globally to represent the potential for recognition and recovery of a human error by a person or persons not i previously involved with the accident response / mitigation, e.g., manning of the Technical Support Center, arrival of off-duty personnel to assist the crew, etc. The submittal discussion of this recovery factor was unclear and inconsistent. However, clarification was provided by the licensee in response to an NRC request for additional information.

The slack time recovery credit was applied to non-time-critical actions only, and was applied only if the required action could be delayed more than one hour after the initiation of the event. In those cases, a multiplier 0.11 was applied to reduce the HEP estimate.  !

While this "model" of slack time recovery is speculative, the credit taken by the licensee is not unreasonable and was applied logically to selected actions.

2.2.3 Deoendencies.

The HRA addressed two types of dependencies: (1) among subtasks within a single operator action, and (2) among multiple operator actions within the same sequence. A

" decision tree" was used to assign dependency levels between PRT nodes, i.e., between top-level operator actions within the same sequence. The decision tree was provided by the licensee in response to an NRC request for additional information. In our view, it provides the analyst with a consistent rationale for assessing dependency. The quantification of the impact of dependency follows the THERP guidance. The formulae presented in Table 20-17 of the THERP Handbook were used for the conditional probability of failure on task "n", given failure of the previous task "n-1" was applied for five levels of dependency - complete, high, moderate, low and zero.

14 l

l l

. 1

2.3.4.5 Consideration of Human Actions in the Back-End Analysis.  ;

Containment analysis and source term analysis are reported in &E Sections 4.3 and 4.5.5 of the submittal, respectively. Two containment failure modes are discussed in Section 4.3.3.3: )

(1) containment high pressure and high temperature, and (2) liner melt-through. IPE Section  ;

4.3.1.2 discusses the various operator actions associated with those systems which influence l the control of containment temperature and pressure. Specific operator actions addressed are j as follows:

(1) ' Realignment of the Residual Heat Removal (RHR) pumps from their normal RPV I injection alignment to discharge to either the drywell or wetwell spray headers.

Emergency procedures instruct the operator to initiate wetwell sprays if the torus pressure cannot be controlled with the standby gas treatment system (SBGT) or l drywell coolers and if wetwell sprays are insufficient to initiate drywell sprays; l (2) Initiation of all available drywell coolers if the drywell gas temperature reaches 180*F. The fans must be manually restaned following either low bus voltage or a '

)

core spray initiation signal-l (3) Wetwell or drywell venting, by way of the SBGT system or hardened vent j respectively, for primary containment pressure contml. The preferred method  !

directed by the procedures is first to vent via the wetwell, then drywell and finally through the hardened vent directly to the stack.

Section 4.3.3.2 of the submittal discusses a number of other failure modes which were 1 l

determined by CECO to be unlikely. In four of these failures operator interfaces are partially accountable for the conclusion reached. Each of these are discussed below.

(1) Hydrogen Combustion - the only legitimate potential for hydrogen combustion failure would arise if AC power is recovered and the drywell sprays are initiated without first venting the wetwell. This assumes a station blackout sequence without initial nitrogen containment inerting. The IPE states that it appears very reasonable to expect that this situation can be avoided if wetwell venting is implemented before any attempt to use the drywell sprays.

(2) Direct Containment Heating (DCH) - The IPE states that the most significant means of preventing DCH is to assure reactor depressurization through the use of the ADS system. Operator action to depressurize the reactor "OADl" is identified as one of three most significant operator actions in the FRA.

(3) Containment Isolation Failure - Two human error related activities are identified as mechanisms by which containment isolation would fail. The first would be failure to close fluid line or mechanical penetrations which are required to be closed during 15

.- ._,m .,- , , - , - . _ _ , - - .

, operation. The second would be a failure of the operator to isolate a fluid line which is required to be open following an isolation signal to perform a system function and the system is failed or the operation terminated. An inerted I containment and an insignificant likelihood of multiple valve failures are given as the basis for the conclusion that this failure mode is unlikely.

l (4) Containment Bypass - The most likely mechanism for this failure is an interfacing system LOCA with RHR or CS piping or with the piping to the isolation condenser. The faquency for ISLOCA at Quad Cities is given as 6.3E-10 and therefore ISLOCA was not analyzed in the I.evel II analysis. The IPE discussion for this event appears to have been taken from the Dresden IPE.

2.3.4.6 Intemal Floodine Analysis.

The discussion of the flooding analysis in Section 4.4.4 of the submittal is rather general and high level. All of the identified flooding zones, except for the Turbine Condensate Pump Rooms, were eliminated from consideration on the basis of a qualitative review of flooding effects. 'Ihe submittal states that the frequency of flooding in these rooms is estimated to be 1.3E-02 per year, that the effects would be similar to a loss of feedwater transient; and, that the contribution of this initiator is insignificant in comparison with the overall frequency of transient initiators. The only indication of consideration of human performance in the flooding analysis is a statement that instruments required by the operators for operator actions in the top nodes of fault trees were included in the assessment of survivability of important equipment. Specific actions were not identified, and no discussion of any analysis of those human actions is provided.

2.3.4.7 Decay Heat Removal Analysis.

Section 4.6.4 of the submittal provides a brief general summary of the decay heat removal analysis requested in NUREG-1335. The overall conclusion is that additional effort to )

reduce the CDF attributable to failure of decay heat removal is not warmnted because: i 1

. The overall CDF for Quad Cities is relatively low, )

. Less than 30% of the CDF is due to failures of components or operator actions associated with the RHR system,

= Failure by the operators to cornetly initiate long term heat removal accounted for only about 12% of the CDF, and  ;

. No specific vulnerabilities were identified in the analysis.

16

The most imponant operator action identified is manual depressurization of the reactor if high pmssure injection sources fail during transients. This is accomplished by using the l turbine bypass valves to depressurize the main condenser or the relief valves of the ADS to depressurize the torus. Both of these actions are quantified in the HRA, and failure to  !

depressurize is noted as one of the most significant operator actions contributing to CDF.

l l

l 1

l i

17

- - - . - - - . _ - - - ~ . - . ... - . - .- -.- ---

3.0 IPE INSIGHTS, IMPROVEMENTS AND COMMITMENTS 3.1 Definition and Identification of Vulnerabilities The submittal does not provide a precise de5nition of a severe accident vulnerability.

However, it does pmsent a concise listing of criteria for reporting sequences to the NRC as part of the IPE submittal. These reporting criteria were that the sequences which meet I the following criteria, not to exceed the top 100 sequences meeting one or more criteria, l would be reported:  !

i I) Any sequence that contributes IE-07 or more per reactor year to core damage. i

2) All sequences within the upper 95 percent of.the total core damage frequency. l
3) All sequences within the upper 95 percent of the total containment failure l probability.
4) Sequences that contribute to a containment bypass frequency in excess of IE-08 per reactor year.
5) Any sequence that CECO determines from previous applicable PRAs or by engineering judgment to be cf interest irrespective of core damage frequency or estimated containment performance.
6) Any sequence that dropped below the core damage frequency criteria because the frequency was reduced by more than an order of magnitude by credit taken for human recovery actions not in the Quad Cities emergency procedures.

These criteria appear to be consistent with guidance in NUREG-1335, with the exception of criterion 6. In our view, this request in NUREG-1335 includes proceduralized actions.

However, we recognize that there wem different interpretations of the requirement, and of the defintion of recovery actions. The licensee's interpretation of this reporting guidance is consistent with the licensee's definition of recovery actions. The licensee's sensitivity studies on the most important actions address to some degree the underlying issue.

The submittal also summarizes an evaluation of the Quad Cities IPE results against the NUMARC Severe Accident Closure Guidelines. Accident sequences were grouped into eight groups and compared to NUMARC guidelines for specific levels of closure action.

All sequences groups fell below the NUMARC frequency cutoffs, and therefore no actions are required. i 3.2 iPE Insights Related to Human Performance 3.2.1 CECO Process for Identification of IPE and Accident Management Insights.

The submittal distinguishes between "lPE insights" and " Accident Management insights".

The IPE insights are those that address the capability of the existing plant to respond to an initiating event. Accident Management (AM) insights deal with enhancements to the 18

. s capability of the plant emergency response organization to respond to an accident situation, given that it has occurred. The submittal provides a high-level summary of the stmetured processes for identifying IPE insights and AM insights during the course of performing and reviewing the IPE. The submittal notes that 81 IPE insights were developed and provides some general statistics on the nature of those insights, i.e., the ,

percent of the 81 findings in each of five broad categories as follows: 1 (1) Plant Specific Procedure Enhancements (51%)

(2) Hardware Enhancements (26%)

(3) Training (6%)

(4) Information (15%)

, (5) Test & Maintenance (2%).  ;

1 In response to an NRC request for additional information, the licensee provided j information on examples of IPE insights. The process appears to have been effectively I 4 implemented.

The CECO process for identification of AM insights as an integral pan of the IPE is an advancement beyond the requirements / guidance for IPE submittals. It has been used and ,

reported in previous CECO IPEs. The process appears to provide systematic and effective guidance to individuals perfomling and reviewing the IPE to identify AM insights in five broad areas: I l

(1) Organization and Decision Making (2) Accident Management Guidance (Strategies)

(3) Calculational Tools (4) Training (5) Plant Status Information.

An interesting addition to the CECO process reponed in the submittal is the performance of - :ask analysis of key positions in the Generating Stations Emergency Plan (GSEP) focusing on organization, training and plant status information and the optimum location for performance of human tasks associated with the GSEP (e.g., control room or Technical Suppon Center).

Several specific accident management insights are summarized in the submittal, including flooding the reactor pedestal prior to core damage in order to prevent failure of the reactor l vessel, and providing alternate sources for containment spray. A significant insight related I to human performance in accident management is that accident management should be the responsibility of the GSEP organization, (Technical Support Center and Emergency Operations Facility) not the Control Room staff. Also, CECO concludes that a corporate 4

resource should be developed to provide support for any corporate organization during an emergency condition. Additional general human performance related AM insights are noted in the areas of training, and presentation of information during a severe accident.

19 4

- - - --a-. - _ _ -, , - - - .__

Another human-related insight reponed is that most of the human errors that dominate the SAM sequences (those that do not result in core damage within the 24-hour mission t ene, i

but would result in core damage without accident management actions) are errors of y omission. And further, that for these errors, there is considerable time available for recovery before core damage occurs. This suggests opportunities for effective accident management strategies to further reduce potential for containment failure and fission product release given cose damage.

3.2.2 Impset of Human Performance on Severe Accident Behavior The submittal concludes, based on the accident sequence quantification, that, "There is a minor contribudon [to CDF] from operator acdons such as failure to initiate I

depressurization of torus cooling, or failure to align RHR or CS pump suction to the CCST." Importance calculations were performed, but only selected references to results are provided in the submittal. Operator actions are top-level elements in the PRTs for most sequences of importance; and appear in vinually all of the top 22 dominant accident sequences.

Sensitivity studies were performed on three of the most significant operator actions:

(1) OADI Operator action to depressurize the reactor vessel (2) OHX Operator action to align cooling to RHR (3) OCST Operator action to align low pressure pumps to the CCST.

All three of these actions appear in multiple sequences, and because of sequence dependencies have multiple values for HEPs. Failure to depressurize (proper operation of the ADS)is an important operator action for the medium break LOCA and some Loss of Offsite Power sequences. Alignment of RHR cooling is necessary to provide flow to the reactor vessel for low pressure coolant injections to the suppression pool for suppression pool cooling, or to the containment spray headers in the drywell, and suppression chamber for containment sprays. 'Ihe CCST is an alternate source for core cooling during LOCAs. Increasing the values of the HEPs for these three operator actions (individually) had a significant but not dramatic impact on CDF as shown in Table 3.1 below. The table shows the estimated total CDF when all instances of the operator action were quantified at the nominal HEP compared to the total CDF when all instances of the operator action had the HEP increased or decreased by a factor of 10. Decreasing the HEP by an order of magnitude had a relatively small effect on the estimated CDF.

20

O

  • Table 3.1 Results of Sensitivity Study on Three Important Operator Actions ACTION NOMINAL CDF INCREASED HEP DECREASED HEP OADI 1.20E-06/yr 3.47E-0&yr 9.84E-07/yr l

l OHX 1.20E-0&yr 2.37E-06/yr 1.09E-0&yr '

OCST 1.20E-0&yr 2.37E-06/yr 1.09E-06/yr ,

I An additional sensitivity study was performed on recovery of offsite power. In the IPE model, no credit was taken for recovery of offsite power given that AC power was available. Taking credit for offsite power recovery decreased the CDF only slightly, from 1.20E-6 to 1.10E-06. The licensee concludes on the basis of this sensitivity study that, given that no other improvements are considered, improvements in procedures and training associated with recovery of offsite power for non-station blackout sequences would not result in significant risk benefit.

3.3 Enhancements and Commitments The submittal states that, while there were no vulnerabilities identified, a large number of I insights resulted from the IPE for improvement in plant equipment, procedures, and training, and for development of an Accident Management program, as well as for  ;

positive features of the existing plant. The primary Accident Management insights and potential enhancements were discussed in Section 3.2 above.

l l

l 21 l

e

+

  • 4.0 OVERALL EVALUATION AND CONCLUSION Overall, the submittal provides a reasonably complete but very general, high-level description of the HRA. Findings and conclusions in this TER are based on review of the submittal and review of additional, more detailed, information provided by the licensee in response to an NRC request for additional information. Summary conclusions pertinent to the key points in NRC's evaluation are as follows:

(I) Utility personnel were involved in the IPE, and the associated plant walkdawns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built, as-operated plant.

(2) The licensee performed an in-house peer review that provides some assurance that the IPE analytic techniques had been correctly applied and documentation is accurate.

(3) The quantification process for pre-initiator human actions appears to have been limited in the level of detail and in the rigor of plant-specific assessment, in comparison to some IPEs, but is generally consistent with THERP guidance. The range of resulting HEPs is typical of HEP values for generally restoration errors in other PRAs. A more rigorous assessment of pre-initiator actions, including instrument calibration, may improve the licensee's understanding of the quantitative impact of human error on plant risk.

(4) The treatment of the diagnosis / detection / decision portion of post-initiator human actions is, in our view, overly simplistic. Treatment of these errors in these

" cognitive" actions as errors of omission / commission in step-by-step procedures is inconsistent with THERP and other current HRA techniques, and may lead to an overly optimistic estimate of operator reliability. Application of this basic assumption affected the licensee's interpretation and use.of THERP tables and assumptions, e.g., in the selection of basic HEPs and consideration of the irnpact of stress.

(5) Recovery factors applied to reduce basic HEPs were generally consistent with  !

THERP, or were based on speculative models that in our view were reasonable and not inconsistent with subjective evaluations in other PRAs.

(6) Dependency among individual steps in an action and among multiple actions in a sequence was accounted for in using a decision tree and subjectively based factors consistent with THERP guidance.

22

s -

j

! (7) The licensee employed a reasonable process to identify vulnerabilities. The j systematic processes for identification of IPE insights and Accident Management insights m, in our opinion, a strength of the licensee's IPE pmcess.

(8) Overall, the HRA allowed the licensee to develop a general quantitative understanding of the contribution of human ermrs to core damage frequency and containment failure probabilities. However, there are two areas which may lead the licensee to underestimate the impact of human error, and which may warrant more l inwiepth consideration by the licensee: (1) the potential contribution fmm errors in pre-initiator human actions, especially calibration, and (2) the treatment of human behavior in the diagnosis / detection / decision phase of post-initiator human actions.

23

- 1 5.0 DATA

SUMMARY

SHEETS

. Important Operator Actions / Errors:

The submittal identifies three actions as the most imponant human error events.

Importance values are not provided.

l HEP IDENTIFIER JgP., DESCRIMION

.QAD.I. Operator failure to depresmrise the reactor (initiene ADS)

ODICSI 4.9E-03 ODI CS2 5.4E 04 ODI-CS4 6.0E 03 OD1 CS9 9.8E-03 OD1-CS10 1.lE 03 ODI CSI1 9.8E-03 ODI-CS12 6.5E-03 ODI-CS17 2.5E-02 ODI CSIS 2.7E 02 ODI-CS19 7.4E 03 ODI-CS20 2.7E-03 ODI-CS21 7.4E-02

.QlE. Operator failure to align cooling to RHR OHX-CSI 8.2E-03 OHX-CS2 9.0E-04 OHX-CS6 1.6E-02 OHX-CS9 1.7E-02 OHX-CS10 1.9E-03 OHX-CS14 1.7E-02 OHX-CS18 4.9E-03 OHX-CS22 2.0E 02

.OgjT Operator failure to properly align low pressure pumps to the CCST I OCS-CSI 1.0 OCS-CS2 9.2E-03 OCS-CS10 1.9E-02 OCS-CS12 2.3E 02 OCS-CSIS 4.6E-02 i OCS-CS20 4.9E 02 )

OSMP3 Operator action to initiate SSMP with suction aligned to the CCST and the presence of HPCI injection signal Case 3 5.7E-02 Case 9 1.8E-02 Case 10 2.0E-03 Case 11 6.7E-02 Case 12 7.4E-03 Case 13 1.6E-01 24 i

1

I , -

l Case 17 6.4E-02 Case 18 7.0E.03 Case 19 1.1E-01 Case 20 1.2E-02 Human Performance Related Enhancements:

No specific commitments to human-performance-related er.hancements were made by the licensee. IPE insights and accident management insights include numerous items related  :

to human performance. l 1

i l

i l

\

25

t

REFERENCES
1. A.D. Swain and Guttmann, H.E., " Handbook of Human Reliability Analysis with
Emphasis on Nuclear Power Plant Applications, Final Report," NUREG/CR-1278F,

] August,1983.

2. G.W. Parry, et al., "An Approach to the Analysis of Operator Actions in Probabilistic Risk Assessment," EPRI TR-100259, June,1992.

l 4

f 2

.'h 4

6 1

2 4

26

Retrieved from "https://kanterella.com/w/index.php?title=ML20098C560&oldid=2781225"