ML20100D247

App C, Plant Technical Evaluation Report on IPE Submittal Human Reliability Analysis, Final Report
Site: Nine Mile Point
Issue date: 08/22/1995
From: P. Swanson, Concord Associates, Inc.
To: NRC Office of Nuclear Regulatory Research (RES)
Shared Package: ML17059B097
References: CON-NRC-04-91-069, CON-NRC-4-91-69, CA-TR-94-019-31, CA-TR-94-19-31, NUDOCS 9602050068



CONCORD ASSOCIATES, INC.
Systems Performance Engineers
CA/TR-94-019-31

NINE MILE POINT NUCLEAR STATION, UNIT 1
TECHNICAL EVALUATION REPORT ON THE IPE SUBMITTAL HUMAN RELIABILITY ANALYSIS
FINAL REPORT

By P. J. Swanson

Prepared for:
U.S. Nuclear Regulatory Commission
Office of Nuclear Regulatory Research
Division of Systems Technology

Draft Report: October 1994
Final Report: August 22, 1995

Concord Associates, Inc., Systems Performance Engineers
11915 Cheviot Drive, Herndon, VA 22070, (703) 318-9262
725 Pellissippi Parkway, Knoxville, TN 37932, (615) 675-0930
6201 Picketts Lake Drive, Acworth, GA 30101, (404) 917-0690

Contract No. NRC-04-91-069, Task Order No. 31


TABLE OF CONTENTS

E. EXECUTIVE SUMMARY ... 1
  E.1 Plant Characterization ... 1
  E.2 Licensee IPE Process ... 1
  E.3 Human Reliability Analysis ... 2
    E.3.1 Pre-Initiator Human Actions ... 2
    E.3.2 Post-Initiator Human Actions ... 3
  E.4 Generic Issues and CPI ... 3
  E.5 Vulnerabilities and Plant Improvements ... 4
  E.6 Observations ... 4
1. INTRODUCTION ... 6
  1.1 HRA Review Process ... 6
  1.2 Plant Characterization ... 6
2. TECHNICAL REVIEW ... 7
  2.1 Licensee IPE Process ... 7
    2.1.1 Completeness and Methodology ... 7
    2.1.2 Multi-Unit Effects and As-Built, As-Operated Status ... 7
    2.1.3 Licensee Participation and Peer Review ... 8
  2.2 Pre-Initiator Human Actions ... 9
    2.2.1 Pre-Initiator Human Actions Considered ... 10
    2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions ... 10
      2.2.2.1 Misalignment Errors ... 10
      2.2.2.2 Miscalibration Errors ... 11
    2.2.3 Screening Process for Pre-Initiator Human Actions ... 12
    2.2.4 Quantification of Pre-Initiator Human Actions ... 12
  2.3 Post-Initiator Human Actions ... 14
    2.3.1 Types of Post-Initiator Human Actions Considered ... 15
    2.3.2 Process for Identification and Selection of Post-Initiator Human Actions ... 15
    2.3.3 Screening Process for Post-Initiator Response Actions ... 15
    2.3.4 Quantification of Post-Initiator Human Actions ... 16
      2.3.4.1 Consideration of Plant-Specific Factors for Dynamic (Response) Actions ... 18
      2.3.4.2 Consideration of Timing ... 18
      2.3.4.3 Consideration of Dependencies for Dynamic (Response) Actions ... 18
      2.3.4.4 Quantification of Recovery Actions ... 19
      2.3.4.5 Treatment of Operator Actions in the Internal Flooding Analysis ... 20
      2.3.4.6 Treatment of Operator Actions in the Level 2 Analysis ... 21
      2.3.4.7 GSI/USI and CPI Recommendations ... 21
  2.4 Vulnerabilities, Insights and Enhancements ... 22
    2.4.1 Vulnerabilities ... 22
    2.4.2 IPE Insights Related to Human Performance ... 22
    2.4.3 Human-Related Enhancements ... 24
3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS ... 27
4. DATA SUMMARY SHEETS ... 30
REFERENCES ... 33


E. EXECUTIVE SUMMARY

This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Nine Mile Point Nuclear Station Unit 1 (NMP1) Individual Plant Examination (IPE) submittal from Niagara Mohawk Power Corporation (NMPC) to the U.S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staff in their evaluation of the IPE and their conclusion regarding whether the submittal meets the intent of Generic Letter 88-20.

E.1 Plant Characterization

Nine Mile Unit 1 is a BWR-2 with a Mark I containment, sharing a site with a much later vintage BWR. The utility served as its own architect-engineer and used Stone & Webster for construction. The unit is rated at 1850 MWt and 620 MWe (net). The NRC front-end reviewer identified a number of NMP1 design features which directly impact core damage frequency (CDF), these being: (1) emergency isolation condensers, (2) hardened containment vent, (3) eight hour battery lifetime, (4) diesel driven firewater, and (5) the ability to power CRD pumps off 1E power.

E.2 Licensee IPE Process

The NMP1 IPE was a Level 2 PRA and considered operator actions in both the Level 1 and Level 2 analyses. The HRA process addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). Pre-initiator actions considered included both restoration (misalignment) errors and miscalibration. Post-initiator actions (human interactions) included both response-type and recovery-type actions. The primary HRA techniques employed to quantify human error included the Accident Sequence Evaluation Program (ASEP) HRA procedure (Reference 1) for pre-initiator actions, and elements of EPRI TR-100259 (Reference 2), the Technique for Human Error Prediction (THERP) (Reference 3) and ASEP for post-initiator actions. Plant-specific factors were considered in both pre-initiator and post-initiator analyses. Human errors were identified as significant contributors in accident sequences leading to core damage, and human-performance-related insights and/or possible enhancements were identified for future consideration. Licensee staff with knowledge of plant design, operations and maintenance appear to have had significant involvement in the HRA process. Their efforts were supported by HRA specialists from General Physics and Halliburton NUS. Procedure reviews, interviews with operations staff, and plant walkdowns helped assure that the IPE represented the as-built, as-operated plant. An independent review of the HRA performed by an independent contractor and in-house staff helped to assure appropriate use of HRA techniques. The post-initiator actions quantified and included in the IPE model were compared with and found to be generally similar to the response actions addressed in the NUREG-1150 study and other BWR IPEs reviewed previously. All of the actions identified by the NRC front-end and back-end reviewers as important were addressed by the licensee.


E.3 Human Reliability Analysis

E.3.1 Pre-Initiator Human Actions

The NMP1 HRA process for Pre-Initiator human errors included both misalignment (restoration) and miscalibration. In the assessment of these errors the IPE team analysts were supported on process related matters by consultants and for technical issues by the cognizant NMPC Nuclear Division Group.

The licensee performed a review of surveillance procedures and calibration procedures to determine the potential contribution to system unavailability due to human errors. The misalignment of components that are not aligned during testing, but would result in top event failure, was evaluated on a case-by-case basis. Additionally, calibration history documents were reviewed to identify any instrument loops requiring frequent readjustment.

Misalignment-type errors were selected in three steps. First, for those systems judged to be important to core damage mitigation, an evaluation was performed to determine whether a single component misalignment could render the system unavailable or whether two misalignments are needed. Next, a review of surveillance procedures was performed to identify components which are temporarily aligned during test and would render the system inoperable during the test period. Then, the system restoration part of the procedures was reviewed to determine the likelihood of leaving a system in an inoperable state. The licensee applied formal qualitative criteria for determining which misalignment errors were important enough to qualify for quantification. Components associated with sixteen different systems were considered as candidates for misalignment. Ultimately, all misalignment errors were dropped from further consideration; in each instance the licensee cites what appears to be reasonable cause under their criteria for elimination.

Analysis of calibration errors considered sensors, transmitters and/or the analog trip units. The calibration procedures for each of these instrument devices were analyzed to identify whether mechanisms existed to significantly shift operational characteristics enough to impact the IPE thermal-hydraulic model. A functional assessment of instrument loops was performed to determine which loops had potential for impact on risk, and three were selected for further consideration, namely, Core Spray Reactor Pressure Permissive (PT 36-08A, B, C and D), Emergency Condenser Hi Steam Flow (dPT 36-06A, B, C and D), and Reactor Core Level Channels (LT 36-24A and B). The first two of these were included in the PRA model based upon qualitative screening. No numerical screening of pre-initiator human errors was performed. Miscalibration of the low pressure permissive function on the Core Spray Reactor Pressure Permissive causes a loss of core spray capability and may remain undetected for an entire refueling cycle. This miscalibration error was found to have the highest ranking in risk achievement worth. The second error selected for modeling was a failure to close the instrument bypass valve on either of two Emergency Condenser Hi Steam Flow channels, which defeats steam line break protection. NMP1 used the ASEP method to quantify these pre-initiators, and their application of ASEP appears reasonable. The calculated HEP values appear consistent with results seen in other IPEs using the ASEP method.


E.3.2 Post-Initiator Human Actions

Post-initiator Human Interaction (HI) actions analyzed were identified from the event trees.

Event Sequence Diagrams summarizing the system and operator functions necessary to successfully respond to initiating events were constructed. Event trees were produced from the Event Sequence Diagrams, taking into account potential failures. Specific operator actions from the EOPs and other procedures are incorporated along with automatic system actions in the event trees. The event trees contained the function which the operator actions were to accomplish. The HRA analysts used procedures, operator and trainer interviews, and simulator observations to complete the information required for the HRA analysis of the operator functions in the event trees. Functional grouping of scenarios in terms of cues, procedures, and key operator responses for human interaction was performed to reduce the number of evaluations. An HEP was evaluated for the most demanding scenario in a functionally similar group. The limiting or bounding scenarios were identified through discussions with the event sequence analysts. The NMP1 HRA contains both response type and recovery type post-initiator actions. No numerical screening of post-initiator human errors was performed in selecting those actions to be quantified.

Three methods were used to evaluate post-initiator response actions: (1) the EPRI methodology, (2) THERP, and (3) ASEP. NMP1's model for human actions splits the response into two components, a detection, diagnosis and decision (DDD) phase, and an execution phase. For the majority of HEPs, the decision tree approach from the EPRI methodology was used for the DDD phase. Where not applicable (such as highly time-critical actions or memorized, non-procedure-driven actions), the ASEP method was used. The THERP Handbook method was used to estimate most of the execution phase HEPs. In applying these methods, the licensee states that time available, cues, procedural direction and the detailed steps required to achieve success were evaluated. Data were obtained from NMP1 simulator observations, interviews with trainers and operators, as well as industry and INPO LER data. In addition, opportunities to recover from an error were identified to give a basis for applying recovery factors to the initial base value HEP.

E.4 Generic Issues and CPI

The licensee addressed Decay Heat Removal (USI) and Adequacy of Safety-Related DC Power Supplies (GSI) in their IPE. The DHR issue considered several operator actions, namely, (1) event tree top event OU, which models operator actions to provide long term makeup to the emergency condensers, (2) event tree top event OH, dealing with operator actions in torus cooling and containment spray heat removal modes, (3) top event SD, involving operator actions to align shutdown cooling trains, and (4) event tree top event CV, which models opening the suppression chamber purge exhaust and venting through the stack to prevent severe containment overpressure and provide a heat removal path. Appropriate operator actions are included in the HRA performed. The results of the importance analysis performed for loss of DHR indicate that operator error is the dominant contributing factor.

In the analysis of the adequacy of DC power supplies, the operator actions considered were to detect failures (annunciated alarms) and to go to the local DC panel to assess the cause and either repair or align redundant equipment. The failures of concern were judged to have a minor contribution to system unavailability. CPI-related issues identified by the back-end reviewer include the hardened drywell vent, implementation of Revision 4 of the BWR Owners Group EPGs, and use of the raw water cross-tie (containment spray raw water to core spray) for alternate injection. Each of these areas is addressed by the licensee in their HRA.

E.5 Vulnerabilities, Insights and Enhancements
The IPE submittal compares the results to the proposed safety goals for core damage frequency and concludes that there are no vulnerabilities for NMP1. The submittal did not describe a screening process for improvements. Important sequences, top event split fractions and human action split fractions which contribute to core damage frequency were identified and ranked in Section 3.4 of the submittal. IPE Section 6 discusses a number of potential improvements being considered as a result of the review of the major contributors to core damage. Section 4.8 discusses Accident Management insights for severe accidents provided as a result of this IPE.

Despite limited discussion of the details of the actual process used to identify insights, the results indicate that the overall process employed appears to have systematically identified "insights" as intended by the Generic Letter. NMP1 has not committed to the implementation of any of the potential improvements identified under the IPE insights analysis. However, the licensee states that improvements to procedures and training materials which have been captured will be reviewed during the normal course of operation and incorporated as conditions may warrant.

E.6 Observations

The following observations from our document-only review are pertinent to NRC's determination of whether the licensee's submittal meets the intent of Generic Letter 88-20:

(1) Utility personnel appear to have been appropriately involved in the development and application of PRA/HRA techniques to their facility, and the associated walkdowns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built and as-operated plant. The licensee performed an in-house peer review that provided reasonable assurance that the IPE analytic techniques had been correctly applied and that the documentation is accurate.

(2) The licensee's HRA process appears to have adequately considered pre-initiator human error related to restoration of equipment following maintenance or test. Calibration errors also have been considered in a reasonable fashion compared to other IPEs reviewed. The qualitative guidelines used by the licensee in eliminating certain errors from consideration appear reasonable. However, very few pre-initiator actions (two calibration errors) were quantified. This is a relatively small number compared to similar pre-initiator errors treated in other BWR plants reviewed, but the licensee's justification appears reasonable. No numerical screening process was employed. A review of HRA results against IPE/HRA results of similar type plants shows NMP1's HEPs to be generally consistent with others reviewed.

(3) The licensee's process addressed both response type actions and recovery type actions. No numerical screening was employed to eliminate post-initiator errors that were not important contributors to CDF. All actions selected appear to have been quantified and incorporated into the IPE model. A reasonably comprehensive assessment process appears to have been used, including data collection on a plant-specific simulator, to support adjustment of basic (generic) HEPs to account for the impact of plant-specific performance shaping factors such as time available and time required.

(4) No vulnerabilities were identified. The licensee identified the importance of human action to CDF through importance calculations, sensitivity studies and insights gained from the review of the IPE. Operator action is noted as a significant contributor to core damage, and as the dominant contributor in key functional failures and accident sequences. A number of procedure enhancements were suggested for future consideration. The licensee states that human error insights gained will immediately benefit operator training programs and, as opportunity presents itself, improve procedures.


1. INTRODUCTION

This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Nine Mile Point Nuclear Station Unit 1 (NMP1) Individual Plant Examination (IPE) submittal from Niagara Mohawk Power Corporation (NMPC) to the U.S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staff in their evaluation of the IPE and their conclusion regarding whether the submittal meets the intent of Generic Letter 88-20.

1.1 HRA Review Process

The HRA review was a "document-only" process which consisted of essentially four steps:

(1) Comprehensive review of the IPE submittal focusing on all information pertinent to HRA.

(2) Preparation of a draft TER summarizing preliminary findings and conclusions, noting specific issues for which additional information was needed from the licensee, and formulating requests to the licensee for the necessary additional information.

(3) Review of preliminary findings, conclusions and proposed requests for additional information (RAIs) with NRC staff and with "front-end" and "back-end" reviewers.

(4) Review of licensee responses to the NRC requests for additional information, and preparation of this final TER modifying the draft to incorporate results of the additional information provided by the licensee.

Findings and conclusions are limited to those that could be supported by the document-only review. No visit to the site was conducted. No review of detailed "Tier 2" information was performed, except for selected details provided by the licensee in direct response to NRC's requests for additional information (RAIs). In general it was not possible, and it was not the intent of the review, to reproduce results or verify in detail the licensee's HRA quantification process.

1.2 Plant Characterization

Nine Mile Unit 1 is a BWR-2 with a Mark I containment, sharing a site with a much later vintage BWR. The utility served as its own architect-engineer and used Stone & Webster for construction. The unit is rated at 1850 MWt and 620 MWe (net). The NRC front-end reviewer identified a number of NMP1 design features which directly impact core damage frequency (CDF), these being: (1) emergency isolation condensers, (2) hardened containment vent, (3) eight hour battery lifetime, (4) diesel driven firewater, and (5) the ability to power CRD pumps off 1E power.


2. TECHNICAL REVIEW

2.1 Licensee IPE Process

2.1.1 Completeness and Methodology

The NMP1 IPE was a Level 2 PRA and considered operator actions in both the Level 1 and Level 2 analyses. The HRA process addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). Pre-initiator actions considered included both restoration (misalignment) errors and miscalibration. Post-initiator actions (referred to as human interactions, HIs, in the submittal) included both response-type and recovery-type actions. The primary HRA techniques employed to quantify human error included the Accident Sequence Evaluation Program (ASEP) HRA procedure (Reference 1) for pre-initiator actions, and elements of EPRI TR-100259 (Reference 2), the Technique for Human Error Prediction (THERP) (Reference 3) and ASEP for post-initiator actions. Plant-specific factors were considered in both pre-initiator and post-initiator analyses. Human errors were identified as significant contributors in accident sequences leading to core damage, and human-performance-related insights and/or possible enhancements were identified for future consideration. NMP1 staff with knowledge of plant design, operations and maintenance appear to have had significant involvement in the HRA process. Their efforts were supported by HRA experts from General Physics and Halliburton NUS. It is our opinion that the procedure reviews, interviews with operations staff, and plant walkdowns helped to assure that the IPE represented the as-built, as-operated plant. An independent review of the HRA performed by an independent contractor and in-house staff helped to assure appropriate use of HRA techniques. The post-initiator actions quantified and included in the IPE model were compared with and found to be generally similar to the response actions addressed in the NUREG-1150 study and other BWR IPEs reviewed previously. All of the actions identified by the NRC front-end and back-end reviewers as important were addressed by the licensee.

2.1.2 Multi-Unit Effects and As-Built, As-Operated Status

Nine Mile Point is a two unit site; this review considers only one of the two IPEs submitted, that for Unit 1. Units 1 and 2 are both General Electric Boiling Water Reactors (BWRs), but share few systems because of the relatively long time period between building the plants. Unit 1 achieved commercial operation in December 1969 and Unit 2 in April of 1988. No human factors issues concerning dual unit operation were identified during the course of this review.

The licensee's IPE process included review and assessment of plant documentation, multiple plant walkdowns, and review of several PRAs performed by others. Documentation used in the IPE (Section 2.4.1) included: procedures (emergency, operating, test, maintenance and surveillance), LERs, in-service test results, maintenance work reports, the UFSAR, and design basis documents. Section 1.2 of the IPE describes three categories of plant walkdowns that were performed as part of the IPE process. The walkdowns included: (1) primary containment and the equipment contained therein (performed during shutdown), (2) the reactor building structure (performed during operation), and (3) numerous individual system walkdowns performed as part of the systems analysis. The PRAs reviewed include Brunswick, Shoreham, Limerick, Seabrook, and the Reactor Safety Study (WASH-1400). The licensee also made use of the IPE prepared for Nine Mile Point Unit 2.

Overall, the submittal documentation indicates that the licensee took steps to provide reasonable assurance that the HRA-related aspects of the IPE model represented the as-built, as-operated plant during the time frame of the IPE development.

2.1.3 Licensee Participation and Peer Review

The NRC review of the submittal attempts to determine whether the utility personnel were involved in the development and application of PRA techniques to their facility, and that the associated walkdowns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built and as-operated plant.

NMPC has adopted an approach to PRA which includes a long-term commitment for support of future risk management and accident management activities, with the establishment of a full time PRA team of five engineers. One of the team members has operating experience and all members participated in two weeks of intense training in PRA/IPE prior to the start of the program.

The PRA team was organized under the NMPC Nuclear Technology Department and given the responsibility for developing the PRA and ensuring NMPC involvement in all aspects of the IPE effort. To meet these responsibilities a formal project plan was developed which included assignment of twenty-four technical support personnel from the Nuclear Division representing a broad cross-section of technical expertise. Table 2.1-1 lists the Nuclear Division groups from which technical support was drawn along with their respective areas of assigned responsibilities.

Table 2.1-1 NMPC Technical Support for Design, Engineering, and Operations

Nuclear Division Group          Area of Support
Nuclear Technology              Project management, Project plan development, Containment design
Operations                      Emergency and Special ops, Operation, EOPs
Operations / Engineering        EOPs, Sequence development, System operation
Operations / Licensing          Operation
Operations / Work Control       Operation
Safety Analysis (RCM)           Maintenance
System Engineering              Systems operation and data
Electrical Design               Electrical design, Design
Reactor Engineering             Initiating events analysis
Plant Evaluation                Design, Station Blackout
Training                        HRA (simulator)
Fuels                           Thermal hydraulic analysis
Design Basis Reconstitution     Plant design, instrumentation and control
Equipment Qualification         Equipment qualification
Mechanical Design               HVAC
Fire Protection                 Equipment surveillance
U2 Electrical Design            Level instrumentation (level control - degassing)

The technical support staff are reported as not having day-to-day participation in the development activities of the IPE, but were involved in the information assembly effort and served as a resource of technical expertise which was used by the IPE Team. Also supporting the IPE Team in the day-to-day HRA development were consultants from General Physics Corporation and Halliburton NUS.

The licensee established an independent in-house review team to "assure technical accuracy, develop additional awareness and knowledge, and provide quality assurance to the process." The NMPC Quality Assurance Department (QA) and the Independent Safety Engineering Group (ISEG) had responsibility for the in-house peer review program. QA had the lead for organizing, planning, and documenting the reviews. Additional resources from other Nuclear Division departments assisted with portions of the in-house review. Most elements of the IPE underwent two reviews in the process, an initial and a final review. Initial reviews were conducted concurrently with the IPE development effort in order to facilitate timely feedback to the developers.

The submittal states that a sizable number of comments were received during the review, but did not include the comments with the submittal. The majority of comments were said to have focused on operation of plant systems during upset conditions, actions required by EOPs, assumptions used to model complex plant systems, and issues relating to PRA theory. The submittal states that comments were generally incorporated directly into the study and reviewed with the individual submitting the comment.

In our opinion, the reviews appear to constitute a reasonable process for an "in-house" peer review that provides some assurance that the IPE analytic techniques were correctly applied and that the documentation is accurate.

2.2 Pre-Initiator Human Actions

Errors in performance of pre-initiator human actions (i.e., actions performed during maintenance, testing, etc.) may cause components, trains, or entire systems to be unavailable on demand during an accident, and thus may significantly impact plant risk. Our review of the HRA portion of the IPE examines the licensee's HRA process to determine what consideration was given to pre-initiator human actions, how potential actions were identified, the effectiveness of the quantitative and/or qualitative screening process(es) employed, and the processes for accounting for plant-specific performance shaping factors, recovery factors, and dependencies among multiple actions.


2.2.1 Pre-Initiator Human Actions Considered

The NMPC HRA qualitatively addressed pre-initiator errors in maintenance, test and surveillance actions. Misalignment (restoration) errors and miscalibration were both considered for quantification in the analysis. Additionally, calibration history documents were reviewed to identify any instrument loops requiring frequent readjustment. Only two miscalibration errors were determined to have the potential for significantly increasing system or multiple system failures, and these were selected for quantification.

2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions

The key concerns of the NRC staff review regarding the process for identification and selection of pre-initiator human events are: (a) whether maintenance, test and calibration procedures for the systems and components modeled were reviewed by the systems analyst(s), and (b) whether discussions were held with appropriate plant personnel (e.g., maintenance, training, operations) on the interpretation and implementation of the plant's test, maintenance and calibration procedures to identify and understand the specific actions and the specific components manipulated when performing the maintenance, test, or calibration tasks.

The submittal states that a review of surveillance procedures and calibration procedures was conducted to determine the potential contribution to system unavailability due to human errors. Additionally, the misalignment of components that are not aligned during testing but would result in top event failure was also evaluated on a case-by-case basis. The IPE Team analysts were supported on technical issues by the cognizant Nuclear Division Group.

2.2.2.1 Misalignment Errors - The identification of misalignment (restoration) errors was performed in three steps. First, for those systems judged to be important to core damage mitigation, an evaluation was performed to determine if a single component misalignment could render the system unavailable or if two misalignments are needed. Next, a review of surveillance procedures was performed to identify components which are temporarily aligned during test and would render the system inoperable during the test period. Then, the system restoration part of the procedures was reviewed to determine the likelihood of leaving a system in an inoperable state.

The licensee applied the following qualitative criteria in determining which misalignment pre-initiator human errors were important enough to qualify for quantification. Components identified as meeting any one of the following criteria were dropped from further consideration.

  • Component status is alarmed or indicated in the control room. For example, valve status indication, bypass and inoperable alarm features.

  • The component repositioning has second party independent verification.

  • The surveillance test calls for a functional test to prove operational readiness.

  • Components that are position verified but were not affected by the surveillance procedure.

  • Components that are automatically repositioned to the desired state by an actuation signal.

  • Components that are not expected to be misaligned since they are not impacted by the surveillance procedures.

These criteria appear consistent with accepted guidelines except for second party verification, which is generally given a 0.1 HEP in ASEP and similarly treated in THERP. It is interesting to note that in the only example given for pre-initiator error quantification, the licensee applied the ASEP value of 0.1. Section 3.3.3.4.1 of the submittal provides a detailed discussion of the qualitative evaluation for each component identified. In total, components from sixteen different systems, some including multiple components, were identified as candidates for misalignment quantification. Ultimately, all misalignment errors were dropped from further consideration. In each instance, the licensee provided reasonable justification for their elimination of misalignment errors based upon the referenced criteria.

2.2.2.2 Calibration Errors - In identification of calibration-type errors, sensor, transmitter and/or the analog trip units were evaluated as possible candidates for human error. The calibration procedures for each of these instrument devices were analyzed to identify if mechanisms existed to significantly shift operational characteristics enough to impact the IPE thermal-hydraulic model. A functional assessment of each instrument loop associated with those systems determined to be important was performed to determine which loops had potential for impact on risk. Operator interface and circuit analysis factors were considered to determine if a nonrecoverable condition could result. Examples given for nonrecoverable impact include:

  • A malfunction resulting from the miscalibration of the instrument loop causes a plant condition that cannot be recovered. The circuit does not have any manual override capabilities. The plant operators cannot recover.

  • The system action resulting from the miscalibration and subsequent events causes an ISLOCA. The operators now have to deal with an additional, complicated event.

  • Miscalibration of process parameter loops causes the operator to incorrectly diagnose the plant condition, and the response leads to a nonrecoverable situation, i.e., core damage.

The licensee did not consider events involving miscalibration that are detectable during normal operation.

The following three functions were selected for further consideration:

Core Spray Reactor Pressure Permissive (PT 36-08A, B, C and D)

Emergency Condenser Hi Steam Flow (DPT 36-06A, B, C and D)

AC Power Systems (instrument loops that can affect the operation of the EDGs).


Of these three, only the first two were selected for quantification. The first is a miscalibration of the low pressure permissive function on Core Spray Reactor Pressure Permissive, which causes a loss of core spray capability and may remain undetected for an entire refueling cycle. Therefore, core spray miscalibration causing failure of all 4 trains was considered important and was modeled in the top event P3 (ZP301). The second is a failure to close the instrument bypass valve on either of two Emergency Condenser Hi Steam Flow channels, which defeats steam line break protection. However, if there is a steamline break and the high flow detection loop fails to actuate because of instrument miscalibration, the operator can manually close the isolation valves. Given the low frequency of occurrence for this event, and because both channels must fail, the likelihood for this event was judged to be low and was not evaluated. The AC Power Systems EDG instrument loop failures may not be recoverable in the short term since troubleshooting may be required and then recalibration necessary. All of the EDG instrument loops assessed are verified operable during normal DG surveillance testing. This miscalibration cannot go undetected for long periods of time. The licensee assumed that miscalibration of these instrument loops resulting in failure of both DGs is adequately enveloped by the existing EDG data analysis.

2.2.3 Screening Process for Pre-Initiator Human Actions.

There was no numerical screening performed for pre-initiator human errors.

2.2.4 Quantification of Pre-Initiator Human Actions.

The probability of error in performing pre-initiator human actions can vary substantially (up or down) from "generic" estimates because of plant specific factors affecting human performance, practical "recovery factors" that exist due to plant design features or operational practice, or dependencies among multiple restoration/miscalibration tasks that may exist as a result of "systemic," but perhaps subtle, human performance problems in training, procedures, etc. If the licensee is to gain a realistic understanding of the potential impact of pre-initiator human error on plant risk, it is important that the HRA include a reasonably rigorous assessment of these plant-specific factors and dependencies. In general, this assessment involves thorough examination of actual plant operational practice in maintenance, test and surveillance. Lowering of basic human error probabilities (BHEPs) should be appropriately justified by examination of procedures, interviews with training, operations, and maintenance personnel, physical observation of components, walkthroughs of procedures, and evaluation of administrative controls such as tagging or independent verification. If credit is taken for a recovery factor such as post-maintenance checks, it should be verified that those checks are routinely performed, and that they would reveal the identified human error.

Potential for dependencies across various systems or components due to performance by the same crew at the same time, basic problems with training, etc., should be considered through interview/discussion with the appropriate plant personnel as well as by analysis and examination of physical systems, components and equipment. Potential for common cause failure of instrumentation due to miscalibration should be addressed through systematic evaluation of equipment and human performance factors influencing dependency. While the numerical HEP estimate is important, the benefit gained from the pre-initiator HRA is to a large degree a function of the rigor of this more qualitative evaluation of plant-specific factors.

The licensee's general approach in evaluation of miscalibration error involved the following six step process:

1) Identify the physical configuration of the sensors and logic.
2) Evaluate the calibration procedures and their frequencies.
3) Identify any function testing of the logic and sensors or double sign-off that would provide recovery from an initial mistake.
4) Construct a logic model that summarizes the contribution to the probability of miscalibration to defeat the logic.
5) Use NUREG/CR-1278 and ASEP methodologies to develop basic event failure probabilities.
6) Perform sensitivity studies to give insights to the Operations Department regarding procedural changes and potential uncertainties in the quantification.

The licensee appears to have appropriately used the referenced methodologies in quantifying the miscalibration errors incorporated in the analysis. The calculation of the HEP was based on the following assessment of the hardware, procedures, operator errors, and recovery:

1) The evaluation is performed assuming the Core Spray injection valve test has been verified at some time in the past to produce an acceptable set point that will allow the valves to open in the range of 378 psig. (Test unit not faulty).
2) The calibration errors required to defeat the low pressure interlock are considered to be gross miscalibration errors. These errors require changes in the setpoints of much more than a few percent of scale. Therefore, error probabilities and recovery probabilities typical of relatively small miscalibration error are not applicable to this error estimation.
3) For instrument miscalibration, the Basic Human Error Probability (BHEP) was assumed to consist of an error of active participation (EAP). The EAP occurs due to improperly performing the calibration. An error of omission in identifying a miscalibration from the previous test is deemed to have negligible contribution since several human errors would have to occur (i.e., the EAP, the previous error in miscalibrating the instrument, plus failure to identify the error). A value 3 times that suggested by Swain in NUREG/CR-1278 is used, i.e., 3E-3.

4) For miscalibrating instruments, moderate dependence was used between multiple EAPs. This assumption for miscalibration was made since miscalibration can be the result of a mistake which is systematic in its influence and thus can be made repeatedly.


5) The review of operating experience with the I&C technicians indicates that the calibration portion of the procedure is rarely carried out during the quarterly test - a check that no drift has occurred is the only portion of the procedure that is usually performed. Estimates by the I&C technicians are that quarterly recalibration is required only 1 percent of the time. In the model, this factor is conservatively assumed to be a probability of 0.1 that calibration is required during the quarterly testing. This effect is then included in the base case and one sensitivity case. For the other sensitivity cases, it is assumed that the instrument is always recalibrated at the quarterly test.

The quantification process appears consistent, or conservative, with respect to the methodology applied. Table 2.2-1 compares NMP1 results with Swain's methods.

Table 2.2-1. Comparison of NMP1 Miscalibration Error (ZP301) with Swain's Values

  Selected Human Error Events                             Swain    Corresponding NMP1 Values
  Basic event failure to calibrate correctly (BHEP)       0.01     3E-3 *
  Recovery of this error                                  0.5      1.0 **
  Common cause failure causing multiple miscalibration    0.1      0.1 $
  Failure to recover second large miscalibration          0.01     1.0 ***
  Total failure probability                               5E-6     3E-4

Licensee Notes:

  * Based on NUREG/CR-1278 Table 20-21 and correspondence with other PRAs.

  ** Included in assessment of BHEP.

  $ Considered reasonable estimate for the gross miscalibration. (Moderate Dependence)

  *** Cannot justify additional recovery given that the miscalibration is unnoticed after the first instrument is left grossly miscalibrated.

The licensee's HRA process appears to have appropriately included performance shaping factors, and dependencies appear to have been considered. HEP values of 1.5585E-04 for Core Spray Reactor Pressure Permissive and 1.2E-03 for Emergency Condenser Hi Steam Flow appear reasonable in comparison with values typical for ASEP or THERP pre-initiator HEPs.

2.3 Post-Initiator Human Actions

Human errors in responding to an accident initiator, e.g., by not recognizing and diagnosing the situation properly, or failure to perform required activities as directed by procedures, can have a significant effect on plant risk. These errors are referred to as post-initiator human errors. Our review assesses the types of post-initiator errors considered by the licensee, and evaluates the processes used to identify and select, screen, and quantify post-initiator errors, including issues such as the means for evaluating timing, dependency among human actions, and other plant-specific performance shaping factors.

2.3.1 Types of Post-Initiator Human Actions Considered.

There are two important types of post-initiator actions considered in most nuclear plant PRAs: (1) response actions, which are performed in response to the first level directives of the emergency operating procedures/instructions (EOPs, or EOIs); and (2) recovery actions, which are performed to recover a specific failure or fault, e.g., recovery of offsite power or recovery of a front-line safety system that was unavailable on demand earlier in the event.

The NMP1 HRA contains both response type and recovery type post-initiator operator actions (called human interactions (HIs) in the submittal).

2.3.2 Process for Identification and Selection of Post-Initiator Human Actions.

The primary thrust of our review related to this question is to assure that the process used by the licensee to identify and select post-initiator actions is systematic and thorough enough to provide reasonable assurance that important actions were not inappropriately precluded from examination. Key issues are whether: (1) the process included review of plant procedures (e.g., emergency/abnormal operating procedures or system instructions) associated with the accident sequences delineated and the systems modeled; and (2) discussions were held with appropriate plant personnel (e.g., operators or training staff) on the interpretation and implementation of plant procedures to identify and understand the specific actions and the specific components manipulated when responding to the accident sequences modeled.

Event Sequence Diagrams summarizing system and operator functions necessary to successfully respond to initiating events were constructed. Event trees were produced from the Event Sequence Diagrams taking into account potential failures. Specific operator actions from the EOPs and other procedures are incorporated along with automatic system actions in the event trees. The event trees contained the function which the operator actions were to accomplish. The HRA analysts used procedures, operator and trainer interviews, and simulator observations to complete the information required for the HRA analysis of the operator functions in the event trees. Functional grouping of scenarios in terms of cues, procedures, and key operator responses for operator actions was performed to reduce the number of evaluations. An HEP was evaluated for the most demanding scenario in a functionally similar group. The limiting or bounding scenarios were identified through discussions with the event sequence analysts.

Generally, the licensee states that consideration was given to time factors, dependencies, identification of cues, procedural directives and detailed steps required to achieve success.

2.3.3 Screening Process for Post-Initiator Response Actions.

No numerical screening of post-initiator HEPs was performed.


2.3.4 Quantification of Post-Initiator Human Actions.

Three methods were used to evaluate post-initiator response actions: (1) EPRI methodology (Reference 1); (2) THERP (Reference 2); and (3) ASEP (Reference 3). The application and methodology are discussed in sections 3.3.3 and 4.6.2.5 of the submittal for front-end and back-end analysis, respectively.

Section 4.6.2.5 provides a reasonably complete description of the general method used for evaluating each of the operator actions. NMP1's model for human actions splits the response into two components, a detection, diagnosis and decision (DDD) phase, and an execution phase. For the majority of DDD phase HEPs, the decision tree approach from the EPRI methodology was used. Where it was not applicable (such as highly time-critical actions or memorized, non-procedure-driven actions) the ASEP method was used. The THERP Handbook was used to estimate most of the execution phase HEPs. In applying these methods, the licensee states that time available, cues, procedural direction and detailed steps required to achieve success were evaluated. In addition, opportunities to recover from an error were identified to give a basis for applying recovery factors to the initial base value HEP. Table 2.3-1 lists the DDD and execution phase contributions to selected HEPs. The different event names represent different evaluations of the failure probability for different conditions as represented by different accident sequences.

Table 2.3-1. Example Post-Initiator Operator Actions

  Human Action                                                      ID          DDD Contribution   Execution Contribution   HEP
  Operator inhibits ADS-ATWS (with FW)                              A101        9.7E-05            1.35E-04                 2.3E-04
  TLOF Initiator (w/o FW)                                           A102        2.0E-02            1.6E-03                  2.3E-02
  HPI fails, opr opens ERVs to depressurize (30 min)                OD01        1.6E-03            1.6E-04                  1.8E-03
  HPI fails, opr reopens MSIVs to depress & cooldown (30m/10h)      OD02/04     3.2E-03            1.6E-02                  1.4E-03
  Opr opens ERVs to depress to SDC (10h/1h/2h)                      OD03/05/06  2.4E-03            4.8E-04                  3.0E-03
  Shed diesel loads given loss of one 115kv transformer with LOCA   LS01        1.0                -                        1.0
  Shed diesel loads given loss of both 115kv & LOCA                 LS02        8.0E-04            1.6E-03                  2.4E-03

The DDD contributions were taken from EPRI decision trees. The value listed is the sum of DDD values from eight different decision trees representing independent ways of leading to failure. The appropriate path through each decision tree is determined by assessing which branches to follow on a path through each decision tree on a scenario specific basis. The licensee stated that some (assumed minority) DDD contribution was estimated using the THERP annunciator response model. The licensee provided example calculations for operator action to inhibit ADS.

DDD Phase:

In event A101 (FW available) the EPRI method was used because reactor level remains high and operators are expected to follow the procedure in an orderly manner. In procedure step RQ-14, and then again in step RL-3, the operator is instructed to perform the inhibit action.

HEP = .006 X .006 = .000036. This is assumed to be the median of a lognormal distribution with an error factor of 10 (because the HEP is low), and therefore the final HEP is .000036 X 2.7 = 9.7E-05.

In event A102 (FW not available) the level drops very quickly, and there is less time to react. The primary cue for the action now becomes recognition that an ATWS has occurred. This is modeled using the THERP annunciator model.

A base value of .05 was selected, which corresponds to 10 simultaneous annunciators. This event is also a well trained scenario. Two recovery factors were considered, 0.5 for recognizing the ADS status alarm and 0.5 for the chance the operators would get to step RQ-14 or RL-3 before blowdown commenced. Simulator observation was used to verify adequacy of time available.

HEP = .05 X 0.5 X 0.5 = .0126. This was assumed to be the median of a lognormal with an error factor of 5, and the final HEP is .0126 X 1.6 = 2.0E-02.

Execution Phase:

Once a decision to inhibit is made, the operator need only position two key lock switches. Each switch is well delineated and has only two positions. The error assessed is failure to transfer the key from one switch to the other. This error represents a misoperation of controls and was assigned a value of .0005 from Table 10-12, Item 5, of the THERP Handbook. A factor of 2 was applied for moderate stress, resulting in a median value of .001. In the A101 case, a recovery factor of .05 was applied for short term check with alerting factors, based on the ADS initiator alarm (Table 20-22, Item 3). For case A102, no recovery factor was considered because of the limited time available in this case.
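To make the arithmetic above reproducible, here is an added worked example (not from this report or the licensee's submittal) that carries the A101/A102 inhibit-ADS calculation through in Python, including the lognormal median-to-mean step the report applies. It assumes that the 2.7 and 1.6 multipliers are the lognormal mean/median ratio exp(σ²/2) with σ = ln(EF)/1.645 rounded to one decimal, and that the execution-phase medians use the same error factors as the DDD phase; both assumptions reproduce the Table 2.3-1 entries for A101 and A102 (the exact product of the A102 DDD chain is .0125 rather than the .0126 quoted).

```python
import math

# Added worked example (not the report's or the licensee's code). It reproduces
# the ADS-inhibit HEP chains A101/A102 quoted in the report, including the
# lognormal median-to-mean step. Conventions assumed here:
#   error factor EF = 95th percentile / median, so sigma = ln(EF) / 1.645
#   mean / median = exp(sigma^2 / 2), rounded to one decimal as the report does
Z95 = 1.645  # standard normal 95th percentile


def lognormal_sigma(error_factor: float) -> float:
    """Log-scale standard deviation implied by an HRA error factor."""
    if error_factor <= 1.0:
        raise ValueError("error factor must exceed 1")
    return math.log(error_factor) / Z95


def mean_to_median_ratio(error_factor: float) -> float:
    """Exact lognormal mean/median ratio exp(sigma^2 / 2)."""
    sigma = lognormal_sigma(error_factor)
    return math.exp(sigma * sigma / 2.0)


def report_multiplier(error_factor: float) -> float:
    """The ratio rounded to one decimal: 2.7 for EF=10, 1.6 for EF=5."""
    return round(mean_to_median_ratio(error_factor), 1)


def median_hep(base: float, *recovery_factors: float) -> float:
    """THERP-style median: base HEP times each credited recovery factor."""
    hep = base
    for factor in recovery_factors:
        if not 0.0 < factor <= 1.0:
            raise ValueError("recovery factors must lie in (0, 1]")
        hep *= factor
    return hep


def mean_hep(base: float, error_factor: float, *recovery_factors: float) -> float:
    """Final (mean) HEP: median chain times the report's lognormal multiplier."""
    return median_hep(base, *recovery_factors) * report_multiplier(error_factor)


# --- A101: ATWS with feedwater available, EPRI decision-tree DDD ----------
def ddd_a101() -> float:
    # The inhibit is called for at RQ-14 and again at RL-3: both must be
    # missed. .006 x .006 = .000036 is the median; EF = 10 because the HEP is low.
    return mean_hep(0.006, 10, 0.006)


def execution_a101() -> float:
    # THERP Table 10-12 item 5: .0005 key-transfer misoperation, x2 for
    # moderate stress gives the .001 median; recovery .05 from Table 20-22
    # item 3 (ADS initiator alarm). Assumed: same EF = 10 as the DDD phase.
    return mean_hep(0.0005 * 2, 10, 0.05)


# --- A102: ATWS without feedwater, THERP annunciator-model DDD -------------
def ddd_a102() -> float:
    # 10 simultaneous annunciators -> base .05; two 0.5 recovery factors
    # (ADS status alarm, reaching RQ-14/RL-3 before blowdown); EF = 5.
    return mean_hep(0.05, 5, 0.5, 0.5)


def execution_a102() -> float:
    # Same .001 median, but no recovery credited given the limited time.
    return mean_hep(0.0005 * 2, 5)


def total_hep(ddd: float, execution: float) -> float:
    """Table 2.3-1 HEP column: DDD and execution contributions summed."""
    return ddd + execution


if __name__ == "__main__":
    for name, ddd, ex in (("A101", ddd_a101(), execution_a101()),
                          ("A102", ddd_a102(), execution_a102())):
        print(f"{name}: DDD {ddd:.2E}  execution {ex:.2E}  "
              f"total {total_hep(ddd, ex):.2E}")
```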


2.3.4.1 Consideration of Plant-Specific Factors for Response Actions. DDD contributions were estimated using the approach of EPRI TR-10029. In this approach, the HEPs are taken directly from a set of decision trees. There are eight trees corresponding to eight failure mechanisms, which are considered to be independent ways of leading to the human failure event. The appropriate path through each decision tree is determined by assessing which branches to follow on a path through each decision tree on a scenario specific basis. The branches correspond to performance shaping factors that are judged to impact the particular failure mechanism. The execution phase was quantified using THERP. Plant specific factors considered appear to have been consistent with the guidelines of the methodology, although the licensee provided only general information of limited detail in discussion of this area.

2.3.4.2 Consideration of Timing. For some post-initiator operator actions, timing - time available vs. time required by the operators - is a critical determinant of likelihood of success. It is important to assure that the licensee's process for estimating both time available and the time necessary for operators to complete the required actions takes into account plant-specific conditions and provides realistic estimates. Plant-specific phenomenological analysis (accident analysis computer codes) should be used to determine the available time. Actual measurements using currently licensed operators in realistic walk-throughs or control room simulator exercises are a preferred approach for estimating expected/necessary operator response time. Especially for local actions outside of the control room, it is important to assess time to get to the equipment, accessibility, possible impacts on timing of special clothing or environmental factors, etc.

NMP1 developed time available estimates using the MAAP code thermal hydraulic model. Timing is discussed in the detailed sequence descriptions in IPE Section 3.3.3.3. The submittal states that simulator observations and interviews with operations and training staff served as input for determination of adequacy of time available to actually accomplish tasks. Where simulator observations were not performed, the ASEP guidelines were applied in determining time required.

2.3.4.3 Consideration of Dependencies for Dynamic (Response) Actions. An important concern in HRA is the treatment of dependencies. Human performance is dependent on sequence-specific response of the system and of the humans involved. The likelihood of success on a given action is influenced by success or failure on a preceding action, performance of other team members in parallel or related actions, assumptions about the expected level of performance of other team members based on past experience, etc. Accounting for dependency among top-level actions in a sequence is particularly important. The human error probability estimates for HRA are conditional probabilities. If dependencies are not specifically accounted for, and HEPs are treated as independent, the probabilistic combination of HEPs can lead to an unrealistically low estimate of human performance overall (i.e., of the joint human error probability), and to a significant underestimate of risk.

The submittal states that human actions that occur during an accident sequence were evaluated for dependent effects such as competing demands and the impact of previous actions, with many of the important actions being modeled as separate event tree top events to maintain visibility of these dependencies.

Functional dependencies between human actions, e.g., "if event A occurs, event B cannot be successful," were included in the overall structure of the model (i.e., they are hardwired into the event tree structure). This was done to consider influence of success or failure of an event on the probability of success or failure of a subsequent event. Identification of cognitively correlated actions was carried out under the following guidelines:

(a) If two human actions are associated with responses to the same cues, the cognitive part of the failure probabilities are considered to be totally dependent.

(b) As a corollary to this, if in the chronological development of the scenarios a human action failure follows a successful human action, and the procedural instructions for both actions are closely related, the cognitive failure probability of the second action should be very small and can be neglected, since the success in the first event implies a successful recognition of the scenario.

(c) If human actions are i) separated by a significant time (i.e., time between cues or required responses is long), or ii) separated chronologically in the sequence by a successful action, or iii) responses to different cues in different parts of the EOPs, they may be regarded as being independent.

(d) In addition, memorized responses may be regarded as independent from those actions for which the procedures are expected to be providing the direction.

Other types of dependency, such as the fact that performance of one function may take resources away from another, were also considered by addressing the role of crew personnel, both in performing the actions called for and in recovering from failure to execute correctly.

The majority of all dependent human interactions are found in ATWS scenarios.

2.3.4.4 Quantification of Recovery Actions. Recovery actions are included in the Level 1 system event trees and the top-level event trees. System event trees include operator actions to recover system function after component failures. Operator intervention provided for in the EOPs is included in the top event trees.

In the Level 1 analysis only procedure-driven recovery actions were considered. Therefore, the plant specific factors considered for Level 1 recoveries are the same as for response actions.

The Level 2 analysis did include both EOP and non-EOP actions. The licensee did not provide the same level of detail on the treatment of plant specific factors for Level 2 operator actions. However, the submittal discussion and results suggest that factors similar to those considered in the Level 1 assessment were also considered for Level 2 actions.

The Level 2 analysis includes important human actions that can affect containment performance and radionuclide release frequency, magnitude and timing. Four Level 2 recovery actions were identified in section 3.4.2.5 of the submittal. These actions are listed below. The IPE states that where recovery of a previous operator error is modeled it was important to the quantification of low risks. However, the net effect or contribution to reduction of overall release was not specified.

Recovery actions:

  • Recovery of Screen House intake (REC 2), where immediate recovery of the human error is credited as part of the initiating event.

  • Recover emergency condensers (FL), where operator actions in controlling overfill events and operating ECs following water hammer events are important.

  • Recover loss of instrument air (REC 3), where the model includes operator actions to respond to containment heat removal.

  • Recover loss of service water (REC 4), where the model includes operator action to recover heat removal capability when torus cooling and containment venting cannot be aligned locally.

2.3.4.5 Treatment of Operator Actions in the Internal Flooding Analysis. The NMP1 assessment of internal flooding primarily consisted of a review based on plant layout and review of industry flooding experience. Initially, flood scenarios were quantified using conservative industry data and taking no credit for operator action. For those events considered to be important (i.e., surviving this conservative analysis), more detailed analyses were performed where credit was given for operator action.

Operator actions credited in internal flooding analysis were considered in the following manner:

$S_i = R_i\,(D_i + I_i)$

where:

$S_i$ = the annual frequency of the scenario and recovery failure,

$R_i$ = the initiating event frequency of the scenario,

$D_i$ = the conditional probability that the operating crew fails to detect the flood,

$I_i$ = the conditional probability of the operating crew not isolating or mitigating the flood prior to the dependent failure of critical systems, given detection of the flood.


A description of operator actions, alarms annunciated in the control room, monitoring instrumentation available, and EOP/Alarm procedures which provide guidance to the operating crew is provided in the submittal. However, detailed calculations of the conditional probabilities are not specifically addressed. NMP1's flooding analysis did not identify any locations in the Turbine or Reactor Buildings that, if flooded, would seriously affect the operators' ability to safely shut down the plant. Therefore, the licensee concluded that there is negligible contribution to CDF from postulated flooding events, and none were explicitly modeled in the NMP1 IPE.


2.3.4.6 Treatment of Operator Actions in the Level 2 Analysis. A number of operator actions were included in the containment event trees (CETs) in the Level 2 analysis. Operator actions included in HRA for Level 2 (submittal Table 4.6-2) include:

  • Emergency depressurization during in-vessel core degradation
  • Operator fails to maintain depressurization
  • Operator fails to recover injection before RPV melt-through
  • Alignment for alternate sources for RPV injection
  • Operator intervenes and terminates injection
  • Operator staff fails to initiate vent per procedure
  • Operator restores cooling injection after control rods are melted
  • Failure to inject SLC with boron for low water level
  • Operator fails to initiate drywell sprays
  • Operator fails to align alternate injection sources
  • Operator fails to recover low pressure systems
  • Containment Flood: Operator fails to initiate containment flooding
  • Drywell Vent: Operator fails to install jumpers
  • RPV Vent: Operator fails to align venting path
  • Torus Vent: Operator fails to properly align system
  • Failure to switch to alternate injection sources outside reactor building
  • Operator fails to initiate suppression pool cooling

ASEP is referenced as the primary HRA approach used to analyze these operator actions. THERP and Engineering Judgement were used for a very limited number of events. From our review of the licensee's discussion in Section 4.2.6.5 (including notes to Table 4.6-2) and results (HEPs), it appears the analysis performed was reasonable.

2.3.4.7 GSI/USI and CPI Recommendations. The licensee's consideration of generic safety issues (GSIs) and unresolved safety issues (USIs) and of containment performance improvement (CPI) recommendations are the subjects of the front-end review and back-end review, respectively. The licensee addressed Decay Heat Removal (USI) and Adequacy of Safety-Related DC Power Supplies (GSI) in their IPE. The DHR issue considered several operator actions, namely, (1) event tree top event OU which models operator actions to provide long term makeup to the emergency condensers, (2) event tree top event OH dealing with operator actions in torus cooling and containment spray heat removal modes, (3) top event SD involving operator actions to align shutdown cooling trains, and (4) event tree top event CV which models opening the suppression chamber purge exhaust and venting through the stack to prevent severe containment overpressure and provide a heat removal path. The results of the importance analysis performed for loss of DHR indicate that operator error is the dominant contributing factor. In the analysis of the adequacy of DC power supplies, operator actions are to detect failures (annunciated alarms), go to the local DC panel, assess the cause, and either repair or align redundant equipment. Failures of concern were judged to have a minor contribution to system unavailability. Battery boards 11 and 12 (125 VDC) are modeled in tree top events DA, DB, D1 and D2. DA and DB model the availability of the battery on demand for boards 11 and 12 respectively. D1 and D2 model the battery and charger availability along with the switchgear for boards 11 and 12 respectively. Operator actions are included in the HRA.


CPI related issues identified by the back-end reviewer include hardening the drywell vent, implementation of Revision 4 of the BWR Owners Group EPGs, and use of the raw water cross-tie (containment spray raw water to core spray) for alternate injection.

2.4 Vulnerabilities, Insights and Enhancements

2.4.1 Vulnerabilities.

Section 3.4.2 of the IPE submittal compares the results to the proposed safety goals for core damage frequency and concludes that there are no vulnerabilities for NMP1. The submittal did not describe a screening process for improvements. Important sequences, top event split fractions and human-action split fractions which contribute to core damage frequency were identified and ranked in Section 3.4 of the submittal. Possible plant improvements identified during the study are summarized in Section 6 of the IPE and in Section 2.4.3 below. However, NMP1 cites no action items or commitments concerning the implementation of the potential improvements identified.

2.4.2 IPE Insights Related to Human Performance.

The estimated mean core damage frequency (CDF) for NMP1 is 5.5E-06. The licensee followed criteria in Appendix A of Generic Letter 88-20 and NUREG-1335 to identify important severe accident sequences. The sequences with significant contribution to CDF (above the cutoff of 1E-08/yr) are listed in Table 2.4-1.

Table 2.4-1 CDF Contribution by Sequence

Sequence                              CDF (1/yr)   Fraction of CDF
LOSP - Station Blackout               5.5E-06      0.64
Loss of Injection                     1.0E-06      0.19
Anticipated Transient Without Scram   5.4E-07      0.10
Loss of Heat Removal                  3.5E-07      0.06

Operator error was identified as a contributor for each of the sequences listed in Table 2.4-1, and appropriately accounted for in the quantification of CDF. Loss of Offsite Power (LOSP) - Station Blackout is reported as the single largest contributor to CDF at NMP1 with a contribution of 64%. Two operator actions associated with this sequence were ranked number one and number seven in importance in sensitivity analysis performed by the licensee. These actions were AC power recovery and DC load shedding given station blackout. Both power recovery and DC load shedding are reported as areas identified for further evaluation with regard to potential improvement. Other significant operator actions cited by the licensee include load shedding emergency diesel given LOCA conditions, depressurizing RPV, preventing Emergency Condenser isolation and recovery after isolation, calibration of core spray injection permissive, feedwater control given loss of instrument air, and aligning torus cooling mode of containment spray.

IPE Section 3.4.2.5 addresses the risk reduction worth for top event split fractions with human actions. Many of the split fractions also contained equipment failures. IPE Table 3.4.2-6 summarizes these top events and split fractions that contain operator actions. This table also provides an "Importance" ranking of split fractions and "Risk Achievement Worth", where:

• Split fraction "Importance" has been calculated as the fractional contribution to total core damage frequency of the sequences that contain the split fraction, and
• "Risk Achievement Worth" is the factor increase in core damage frequency when the top event split fraction is set to guaranteed failure.
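The two measures just defined can rank the same action quite differently, which is why the review reports separate rankings by importance and by risk achievement worth. The following Python is an added worked example, not code or data from the NMP1 IPE or from this review: the split-fraction labels, their probabilities and the sequences are hypothetical, constructed only so that both measures can be computed over a small event-tree model.

```python
"""Split-fraction "Importance" and "Risk Achievement Worth" on a small
constructed sequence model. Added worked example, not code or data from
the NMP1 IPE or this review: the split-fraction names, probabilities and
sequences are hypothetical and serve only to show how the two measures
defined in the text are computed."""

from typing import Callable, Dict, List, Tuple

# A core damage sequence is modelled as an initiating-event frequency (per
# year) multiplied by the probability of every split fraction (failed branch)
# on its path through the event tree.
Sequence = Tuple[str, float, List[str]]

# Hypothetical split-fraction probabilities (not NMP1 values).
SPLIT_FRACTIONS: Dict[str, float] = {
    "P3":  1.0e-3,  # pre-initiator: injection permissive miscalibrated
    "OD":  5.0e-2,  # operator fails to depressurize the RPV
    "OGR": 3.0e-1,  # offsite AC power not recovered in time
    "EDG": 1.0e-2,  # emergency diesel generator fails
}

# Constructed sequences: (label, initiating-event frequency per year, path).
SEQUENCES: List[Sequence] = [
    ("SBO-1", 5.0e-2, ["EDG", "OGR"]),  # loss of offsite power, diesel fails, no recovery
    ("LOI-1", 1.0e-1, ["OD", "P3"]),    # loss of injection, no depressurization, permissive miscalibrated
    ("LOI-2", 1.0e-1, ["P3"]),          # loss of injection, low pressure injection blocked by miscalibration
    ("TR-1",  1.0,    ["OD", "EDG"]),   # transient, diesel fails, no depressurization
]


def sequence_frequency(seq: Sequence, sfs: Dict[str, float]) -> float:
    """Frequency of one sequence: initiator frequency times each branch probability."""
    _, ie_freq, path = seq
    freq = ie_freq
    for name in path:
        freq *= sfs[name]
    return freq


def core_damage_frequency(seqs: List[Sequence], sfs: Dict[str, float]) -> float:
    """Total CDF: the sum over all core damage sequences."""
    return sum(sequence_frequency(s, sfs) for s in seqs)


def importance(name: str, seqs: List[Sequence], sfs: Dict[str, float]) -> float:
    """Fractional contribution to total CDF of the sequences that contain the
    split fraction (the definition of split-fraction "Importance" in the text)."""
    total = core_damage_frequency(seqs, sfs)
    with_sf = sum(sequence_frequency(s, sfs) for s in seqs if name in s[2])
    return with_sf / total


def risk_achievement_worth(name: str, seqs: List[Sequence], sfs: Dict[str, float]) -> float:
    """Factor increase in CDF when the split fraction is set to guaranteed
    failure (probability 1.0): CDF(sf = 1) / CDF(base)."""
    base = core_damage_frequency(seqs, sfs)
    failed = dict(sfs)
    failed[name] = 1.0
    return core_damage_frequency(seqs, failed) / base


def ranking(measure: Callable[[str, List[Sequence], Dict[str, float]], float],
            seqs: List[Sequence], sfs: Dict[str, float]) -> List[Tuple[str, float]]:
    """Split fractions ordered from most to least important under `measure`."""
    scored = [(name, measure(name, seqs, sfs)) for name in sfs]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print(f"base CDF = {core_damage_frequency(SEQUENCES, SPLIT_FRACTIONS):.3e} /yr")
    for label, measure in (("Importance", importance),
                           ("Risk Achievement Worth", risk_achievement_worth)):
        print(label)
        for name, value in ranking(measure, SEQUENCES, SPLIT_FRACTIONS):
            print(f"  {name:4s} {value:10.4g}")
```

Run as a script it prints both rankings for the constructed model. The low-probability pre-initiator P3 has the smallest fractional importance of the four split fractions yet by far the highest risk achievement worth, because setting it to guaranteed failure multiplies two sequences by a factor of a thousand; this is the same pattern the submittal reports for the calibration of the core spray injection permissive, which sits low in the importance ranking but tops the risk achievement worth ranking.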

The licensee's review of split fractions relative to the importance of operator actions on core damage prevention (from Table 3.4.2-6) reports the following ordered ranking of the most important human actions:

• AC power recovery
• Load shedding emergency diesel given LOCA conditions
• Depressurizing RPV
• Preventing EC isolation & EC recovery after isolation
• Calibration of core spray injection permissive
• Feedwater control given loss of instrument air

The submittal notes that the review of the "Risk Achievement Worth" suggests where reduced reliability of operator actions could significantly impact the quantitative results of the study.

Those actions found in the licensee's review to be most important from the risk achievement worth perspective are listed below. A pre-initiator error, "Calibration of core spray injection permissive", has the highest ranking with a risk achievement worth of 4.0185E+02.

The ranking by risk achievement worth is:

• Calibration of core spray injection permissive
• Aligning torus cooling mode of containment spray
• Load shedding emergency diesel given LOCA conditions
• Depressurizing RPV
• ATWS mitigation

2.4.3 Enhancements and Commitments.

The licensee states in Section 6.2 of the submittal that "given the low risks calculated for NMP1, it appears that any plant improvement aimed at one specific area (or sequence type) and based purely on the IPE results may not be cost beneficial." A number of areas where improvements in procedures and training-related materials could benefit overall risk were identified for possible future consideration, but no commitments were stated.

The following insights and potential improvements identified as having the greatest possibility to reduce risk are quoted from the submittal:

• Station blackout: "Station blackout (SBO) sequences are important to the IPE results. SBO is the most important type of scenario in both the Level I and II results. In the Level I model, offsite power recovery after 8 hours is not credited in the IPE because it is assumed that the batteries are discharged. In other words, the emergency condensers can be functioning properly with the diesel fire water pump providing long term injection (> 8 hours after event initiation), but there is no way to recover AC power without DC power and operators lose instrumentation. Also, offsite power cannot be recovered if battery 11 fails. As an example, procedural improvements that shed the non-safety battery such that it would be available as a backup could improve the IPE results. Additional possibilities include a portable battery charger. The analysis also shows the reliability of the diesel fire water pump and operator actions are important."

• Core Spray Injection MOV Permissive: "The calibration of the low RPV pressure permissive is important. Miscalibration of this device results in the failure of core spray injection to the vessel due to the inability to open the supply MOVs. It is an important contributor to both Level I and II results. The important scenarios are water LOCA initiating events (CRD and feedwater capacities are inadequate for RPV inventory control) with failure of the low pressure permissive. Since CRD and feedwater are not adequate and core spray failed due to miscalibration, loss of inventory control leads to core uncovery. The calibration of these devices should continue to be a high priority and any potential improvements that arise from ongoing activities should receive priority attention."

• Reclosure of Relief Valves: "A stuck open relief valve following a plant trip is relatively important because the emergency condensers become ineffective. Therefore, in the IPE model, a stuck open relief valve results in the failure of the emergency condensers. However, there has never been a stuck open relief valve at NMP1 and an overall lack of generic data may have led to an overestimation of valve reseal failure. Therefore, the actual contribution could be demonstrated to be smaller given additional data and analysis."

A number of other insights of lesser importance were gained through the IPE process. These include:

• Reliability and Maintenance Programs (applicable event tree top events are in parentheses). Consideration should be given for possible improvements. (no specific human-improvement identified)
  1) AC power recovery (OGR, EDG and OSP)
  2) Emergency AC power (A2 and A3)
  3) Emergency DC power (DA)
  4) Electronic relief valves reclosing (RC)
  5) Diesel fire pump supply to RPV (FP)

• Emphasis should be given in operator training on the importance of the following post-accident recovery actions.
  1) Screenhouse intake water supply.
  2) Emergency condensers operation regarding controlling overfill events and operation following water hammer events.
  3) Operator actions to respond to containment heat removal during loss of instrument air.
  4) Operator actions to maintain long term cooling capability when loss of service water occurs.

Additionally, the following operator action improvements were identified as factors which should be given consideration during the development of the Accident Management Program or improvement of EOPs with respect to severe accidents:

• Containment isolation - Emergency Condenser isolation. Consider procedural methods of ensuring proper isolation of the ECs under severe core damage conditions.

• Depressurization - Present EOPs specify depressurization for most situations required. Provide caution in RC/P or EOP-8 regarding halting RPV depressurization at some predetermined minimum pressure to maximize the potential heat removal by the emergency condensers. Delay RPV depressurization substantially longer than is currently advocated in the EPGs when injection is not available at high pressure.

• In-vessel Recovery - Present EOPs do not identify a preferred injection system. The HPCI system may not be as effective as Core Spray for accidents involving bottom head breach, because HPCI flow is directed outside the core barrel and would bypass the core region and flow out the break.

• Ex-vessel Recovery - Use of CS or DW spray in lieu of HPCI appears to be most useful in response to degraded core conditions. Current restrictions in the containment spray initiation curve may preclude the use of drywell spray for many of the accidents analyzed in Level 2, but by using DW spray before RPV breach, drywell shell failure from debris attack could be prevented. Changes to the EOPs may also be required to remove any ambiguity regarding the diversion of injection sources away from the RPV when adequate core cooling is not assured.

• Shell Integrity - EOPs do not provide guidance on initiating drywell sprays from external sources. Consideration should be given to revising procedures to allow drywell sprays to be supplied by containment spray raw water pumps for the purposes of drywell cooling, debris cooling, flooding the drywell floor, and containment flooding.

• Containment flooding - A possible improved response for current containment flood sequences for which the current EPG direction results in the highest potential consequences at the earliest time. Provide the operators guidance on protecting containment and cooling debris using methods that do not require venting the RPV and avoid using the DW vent unless no other alternative exists. Consider revising the torus cooling procedure to preferentially close the remotely operated AOVs during non-routine situations rather than manipulating local manual valves in the reactor building.


3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

The purpose of our document-only review is to enhance the NRC staff's ability to determine whether the licensee's IPE met the intent of Generic Letter 88-20. The Generic Letter had four specific objectives for the licensee:

(1) Develop an appreciation of severe accident behavior.

(2) Understand the most likely severe accident sequences that could occur at its plant.

(3) Gain a more quantitative understanding of the overall probability of core damage and radioactive material releases.

(4) If necessary, reduce the overall probability of core damage and radioactive material release by appropriate modifications to procedures and hardware that would prevent or mitigate severe accidents.

With specific regard to the HRA, these objectives might be restated as follows:

(1) Develop an overall appreciation of human performance in severe accidents; how human actions can impact positively or negatively the course of severe accidents, and what factors influence human performance.

(2) Identify and understand the operator actions important to the most likely accident sequences and the impact of operator action in those sequences; understand how human actions affect or help determine which sequences are important.

(3) Gain a more quantitative understanding of the impact of human performance on the overall probability of core damage and radioactive material release.

(4) Identify potential vulnerabilities and enhancements, and if necessary/appropriate, implement reasonable human-performance-related enhancements.

The following observations from our document-only review are seen as pertinent to NRC's determination of the adequacy of the NMP1 submittal:

(1) Utility personnel were involved in the development and application of PRA/HRA techniques to their facility, and associated walkdowns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built and as-operated plant.

(2) The licensee performed an in-house peer review that provided reasonable assurance that the IPE analytic techniques had been correctly applied and documentation is accurate.


(3) The licensee's HRA process appears to have adequately considered human actions related to restoration of equipment following maintenance or test. Calibration errors also have been considered in a reasonable fashion compared to other IPEs reviewed.

(4) The process utilized by the licensee to identify and select pre-initiator actions included review of procedures and discussion with plant personnel.

(5) The qualitative guidelines used by the licensee in eliminating certain errors from consideration appear reasonable. However, very few pre-initiator actions (two calibration errors) were quantified. This is a relatively small number compared to similar pre-initiator errors treated in other BWR plants reviewed.


(6) No numerical screening process was employed.

(7) A review of HRA results against IPE/HRA results of similar type plants shows NMP1's HEPs to be generally consistent with others reviewed.

(8) The licensee's process addressed both response type actions and recovery type actions.

(9) The process used by the licensee to identify and select the post-initiator human events included review of procedures and discussions with appropriate plant personnel. The actions selected for quantification appear to be reasonably comprehensive.

(10) No numerical screening was employed to eliminate post-initiator errors that were not important contributors to CDF. All actions selected appear to have been quantified and incorporated into the IPE model.

(11) A reasonably comprehensive assessment process appears to have been used, including data collection on a plant-specific simulator, to support adjustment of basic (generic) HEPs to account for the impact of plant-specific performance shaping factors such as time available, time required, dependencies, etc.

(12) No vulnerabilities were identified. The licensee identified the importance of human action to CDF through importance calculations, sensitivity studies and insights gained from the review of the IPE. Operator action is noted as a significant contributor to core damage, and as the dominant contributor in key functional failures and accident sequences. A number of procedure enhancements were suggested for future consideration. The licensee states that human error insights gained will immediately benefit operator training programs and, as opportunity presents itself, improve procedures.

Our overall evaluation and conclusion from the document-only review is that the licensee's HRA process used for identifying important actions, analyzing factors which influence human performance and assessing the impact of human error on system response (and therefore CDF and releases) appears reasonable within the guidance of the referenced methodologies and consistent with practices seen in other PRAs.


4. DATA SUMMARY SHEETS

Important Operator Actions / Errors:

(applicable event tree top events are in parentheses)

ACTION
AC power recovery (OGR, EDG and OSP)
Load shedding emergency diesel given LOCA conditions (LS)
Depressurizing RPV (OD)
Preventing EC isolation & EC recovery after isolation (FL)
Calibration of core spray injection permissive (P3)
Feedwater control given loss of instrument air (FW)
DC load shedding given station blackout (015 and 030)
Aligning torus cooling mode of containment spray (OH)

Human-Performance Related Enhancements:

NMP1 has made no commitment for human-performance related enhancements. However, a number of potential improvements identified during the IPE process will be considered with ongoing and future related activities.

The following potential improvements were identified during the IPE Level I and II reviews:

• Station blackout
  1) Procedure improvements that shed the non-safety battery such that it would be available as a backup.
  2) Operator actions associated with diesel fire water pump.

• Calibration of these devices should continue to be a high priority and any potential improvements that arise from ongoing activities should receive priority attention. (no specific improvements identified)

• Reliability and Maintenance Programs (applicable event tree top events are in parentheses). Consideration should be given for possible improvements. (no specific human-improvement identified)
  1) AC power recovery (OGR, EDG and OSP)
  2) Emergency AC power (A2 and A3)
  3) Emergency DC power (DA)
  4) Electronic relief valves reclosing (RC)
  5) Diesel fire pump supply to RPV (FP)
• Emphasis should be given in operator training on the importance of the following post-accident recovery actions.
  1) Screenhouse intake water supply.
  2) Emergency condensers operation regarding controlling overfill events and operation following water hammer events.
  3) Operator actions to respond to containment heat removal during loss of instrument air.
  4) Operator actions to maintain long term cooling capability when loss of service water occurs.

The following improvements were identified as factors which should be given consideration during Accident Management initiatives:

• Containment isolation - Emergency Condenser isolation. Consider procedural methods of ensuring proper isolation of the ECs under severe core damage conditions.

• Depressurization - Present EOPs specify depressurization for most situations required. Consider providing caution in RC/P or EOP-8 regarding halting RPV depressurization at some predetermined minimum pressure to maximize the potential heat removal by the emergency condensers. Also consider delaying RPV depressurization substantially longer than is currently advocated in the EPGs when injection is not available at high pressure.

• In-vessel Recovery - Present EOPs do not identify a preferred injection system. The HPCI system may not be as effective as Core Spray for accidents involving bottom head breach, because HPCI flow is directed outside the core barrel and would bypass the core region and flow out the break.

• Ex-vessel Recovery - Use of CS or DW spray in lieu of HPCI appears to be most useful in response to degraded core conditions. Current restrictions in the containment spray initiation curve may preclude the use of drywell spray for many of the accidents analyzed in Level 2, but by using DW spray before RPV breach, drywell shell failure from debris attack could be prevented. Changes to the EOPs may also be required to remove any ambiguity regarding the diversion of injection sources away from the RPV when adequate core cooling is not assured.

• Shell Integrity - EOPs do not provide guidance on initiating drywell sprays from external sources. Consideration should be given to revising procedures to allow drywell sprays to be supplied by containment spray raw water pumps for the purposes of drywell cooling, debris cooling, flooding the drywell floor, and containment flooding.


• Containment flooding - A possible improved response for current containment flood sequences for which the current EPG direction results in the highest potential consequences at the earliest time. Provide the operators guidance on protecting containment and cooling debris using methods that do not require venting the RPV and avoid using the DW vent unless no other alternative exists. Consider revising the torus cooling procedure to preferentially close the remotely operated AOVs during non-routine situations rather than manipulating local manual valves in the reactor building.

REFERENCES

1. Swain, A.D., "Accident Sequence Evaluation Program Human Reliability Analysis Procedure," NUREG/CR-4772, February 1987.
2. EPRI TR-100259, "An Approach to the Analysis of Operator Actions in Probabilistic Risk Assessment," Electric Power Research Institute, December 1991.
3. Swain, A.D., and Guttman, H.E., "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications," NUREG/CR-1278, August 1983.