ML20100F068

TER of IPE Submittal,Human Reliability Analysis, Final Rept
ML20100F068
Person / Time
Site: Vermont Yankee
Issue date: 11/20/1995
From: Swanson P
CONCORD ASSOCIATES, INC.
To:
NRC COMMISSION (OCM)
Shared Package
ML20100F049 List:
References
CON-NRC-04-91-069, CON-NRC-4-91-69 CA-TR-94-019-33, CA-TR-94-19-33, NUDOCS 9602200073


Text


APPENDIX B

VERMONT YANKEE NUCLEAR POWER STATION TECHNICAL EVALUATION REPORT (HRA)

9602200073 960209 PDR ADOCK 05000271 P PDR

CA/TR-94-019-33

VERMONT YANKEE NUCLEAR POWER STATION TECHNICAL EVALUATION REPORT OF THE IPE SUBMITTAL HUMAN RELIABILITY ANALYSIS

FINAL REPORT

P. J. Swanson

Prepared for
U.S. Nuclear Regulatory Commission
Office of Nuclear Regulatory Research
Division of Systems Technology

Final Report, November 20, 1995

CONCORD ASSOCIATES, INC.
Systems Performance Engineers
725 Pellissippi Parkway
Knoxville, TN 37933

Contract No. NRC-04-91-069
Task Order No. 33

TABLE OF CONTENTS

E. EXECUTIVE SUMMARY
  E.1 Plant Characterization
  E.2 Licensee IPE Process
  E.3 Human Reliability Analysis
    E.3.1 Pre-Initiator Human Actions
    E.3.2 Post-Initiator Human Actions
  E.4 Generic Issues and CPI
  E.5 Vulnerabilities and Plant Improvements
  E.6 Observations

1. INTRODUCTION
  1.1 HRA Review Process
  1.2 Plant Characterization

2. TECHNICAL REVIEW
  2.1 Licensee IPE Process
    2.1.1 Completeness and Methodology
    2.1.2 Multi-Unit Effects and As-Built, As-Operated Status
    2.1.3 Licensee Participation and Peer Review
      2.1.3.1 Licensee Participation
      2.1.3.2 In-house and External Reviews
  2.2 Pre-Initiator Human Actions
    2.2.1 Pre-Initiator Human Actions Considered
    2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions
    2.2.3 Screening Process for Pre-Initiator Human Actions
    2.2.4 Quantification of Pre-Initiator Human Actions
  2.3 Post-Initiator Human Actions
    2.3.1 Types of Post-Initiator Human Actions Considered
    2.3.2 Process for Identification and Selection of Post-Initiator Human Actions
    2.3.3 Screening Process for Post-Initiator Response Actions
    2.3.4 Quantification of Post-Initiator Human Actions
      2.3.4.1 EPRI Methodology
      2.3.4.2 Time Reliability Correlation (TRC) Methodology
      2.3.4.3 Consideration of Plant-Specific Factors for Response Actions
      2.3.4.4 Consideration of Timing
      2.3.4.5 Consideration of Dependencies for Post-Initiator Human Actions
      2.3.4.6 Treatment of Operator Actions in the Internal Flooding Analysis
      2.3.4.7 Treatment of Operator Actions in the Level 2 Analysis
      2.3.4.8 GSI/USI and CPI Recommendations
  2.4 Vulnerabilities, Insights and Enhancements
    2.4.1 Vulnerabilities
    2.4.2 IPE Insights Related to Human Performance
      2.4.2.1 Important Pre-Initiator Operator Actions
      2.4.2.2 Important Post-Initiator Operator Actions
      2.4.2.3 Comparison to NRC Accepted PRAs and Other IPEs
    2.4.3 Enhancements and Commitments

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

4. DATA SUMMARY SHEETS

REFERENCES

E. EXECUTIVE SUMMARY

This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Vermont Yankee Nuclear Power Corporation (VYNPC) Individual Plant Examination (IPE) submittal for the Vermont Yankee Nuclear Power Station (VY) to the U.S. Nuclear Regulatory Commission (NRC).

The review was performed to assist NRC staff in their evaluation of the IPE and conclusion regarding whether the submittal meets the intent of Generic Letter 88-20.

E.1 Plant Characterization

VY is a single-unit General Electric (GE) boiling water reactor (BWR-4) plant, with a Mark I containment. The unit is rated at 1593 MWt and 504 MWe (net). Commercial operation began in 1972. Similar units in operation are Duane Arnold and Cooper. The front-end reviewer cites a number of distinctive design features at VY which tend to decrease core damage frequency. Significant design features, relative to other BWR 4's, which tend to decrease core damage frequency (CDF) and have associated operator actions include: 1) a power tie line from Vernon hydroelectric station that can power either IE bus, 2) ability to use diesel driven firewater for injection to the vessel, 3) presence of a John Deere diesel generator that can be used to provide power for opening injection valves and maintaining SRVs open to allow core cooling with low pressure firewater injection, and 4) an alternate cooling mode for backup to service water. Other design features which do not directly require human action but influence the degree of operator involvement during accident sequences include: 1) a 4 hour battery lifetime, 2) passive, hardened torus vent, and 3) 105% turbine bypass capability. Operator failure to depressurize, and operator failure to restore SRVs and nitrogen supply after test and maintenance are dominant human errors contributing to CDF for VY.

E.2 Licensee IPE Process

The HRA process addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). Pre-initiator actions considered included both restoration errors and miscalibration. Post-initiator actions included both response-type and recovery-type actions.

The primary HRA techniques employed to quantify human error included Technique for Human Error Rate Prediction (THERP) for pre-initiator actions, and either the EPRI (NP-6560-L) Method or a modified Time Reliability Correlation (TRC) Method (referred to as the VY TRC Method in this report) derived from THERP (NUREG/CR-1278), WASH-1400 (NUREG-75/014), and NREP (NUREG/CR-2815) for post-initiator actions. Plant-specific performance shaping factors and dependencies were considered to some degree in both pre-initiator and post-initiator analyses. Post-initiator human errors considered important contributors in accident sequences leading to core damage were identified and reported.

Although no human-performance-related vulnerabilities were found, the licensee did identify enhancements which were cited for further consideration.

Licensee staff with knowledge of plant design, operations and maintenance had significant involvement in the HRA process. Procedure reviews, interviews with operations staff, training staff, and procedure writers, and plant walkdowns helped assure that the IPE represented the as-built, as-operated plant. An independent review of the HRA performed by an independent contractor and in-house staff helped to assure appropriate use of HRA techniques.

E.3 Human Reliability Analysis

E.3.1 Pre-Initiator Human Actions.

The VY HRA addressed pre-initiator errors ("latent human errors") in calibration, maintenance, and testing during power operation and shutdown/refueling mode. A total of 41 pre-initiator errors are reported in the submittal. Two types of pre-initiator errors are considered in the analysis: failure to realign/restore after test or maintenance, and miscalibration/maintenance errors. Of the 41 latent human errors reported, 35 were associated with failure to restore/realign and 6 dealt with miscalibration/maintenance errors.

No numerical screening was performed for pre-initiator human errors. A form of screening was performed based on a qualitative assessment of VY's maintenance, calibration and test procedures. Programmatic and administrative procedures which control maintenance and testing activities were also evaluated. The majority of pre-initiators identified in the HRA (28 out of 41) were judged through qualitative analysis not to be major contributors to system unavailability and assigned a value of 1.0E-04 based on engineering judgement. In the process the licensee used to classify pre-initiators as "not being a major contributor to system unavailability", the analyst considered factors such as: 1) independent verification, 2) post maintenance testing, 3) compelling alarms, 4) automatic realignment, and 5) gross error during instrument calibration (error to the point where an instrument loop or entire logic does not function) being remote.

In general, VY's results for pre-initiator HEPs were found to be typically in the range between 1E-04 and 1E-03, which is consistent with other IPEs reviewed. VYNPC's treatment of pre-initiator human error appears reasonable and capable of imparting an appreciation of the human contribution to CDF through pre-initiator human actions.

E.3.2 Post-Initiator Human Actions.

As indicated above, the HRA addressed both response-type and recovery-type actions. Actions to be included were identified from systems analysis and reflect the operator actions specified in VY's Emergency Operating Procedures (EOPs). Selection criteria were based on operator actions which were judged to be either important for preventing core damage or important for mitigating radionuclide release. Qualitative information used to complete the HRA included interviews with plant operators, operator training staff, and EOP procedure writers, and observation of numerous simulator exercises. The actions identified and quantified are generally consistent with those analyzed in other BWR PRAs. HEPs were developed for all actions identified and no numerical screening was performed.

The EPRI methodology was used to quantify the majority of post-initiator operator actions (44 out of 51). The VY TRC Method was used when the analyst (expert opinion) judged that the EPRI method was inappropriate. The basis for the analyst selecting the TRC method was that the HRA was performed in parallel with development of fault trees and event tree models. Dynamic operator actions were identified from the "first-cut" trees (initial trees) and other BWR PRAs. Detailed information for the EPRI correlation was gathered on these events and interviews conducted with plant operators. Additional actions were identified and included later in the process. None of the new operator actions were considered by the licensee to present a significant contribution to CDF (none involved severe time constraints).

Because of the level of effort needed to compile detailed data and re-interview operations personnel to allow use of the EPRI method, the simpler TRC method was applied. The licensee justifies this approach based on the generally lower contribution to risk associated with these additional actions.

In the VY analysis, "time windows" (time available) for operator response were derived from deterministic calculations, i.e., plant-specific MAAP calculations, from interviews with senior plant operators, and from engineering judgement. Mean response times Ti n ("time required") were selected from interviews with senior reactor operators, shift supervisors, trainers, and EOP writers. Values of T ni used in EPRI time reliability correlation were averages of the times taken from interviews. In addition, simulator observations were used to confirm and supplement the interview results. It appears that the licensee has treated time considerations consistent with guidance in EPRI NP-6560L. Dependencies between post-initiator human actions were treated during accident sequence modeling.

E.4 Generic Issues and CPI

The licensee's consideration of generic safety issues (GSIs) and unresolved safety issues (USIs) and of containment performance improvements (CPI) recommendations are the subject of the front-end review, and back-end review, respectively. The licensee addressed decay heat removal in their IPE submittal.

E.5 Vulnerabilities and Plant Improvements

VY used the NRC proposed safety goals to identify (define) vulnerabilities, namely: core damage frequency > 1.0E-04/year, and large release frequency > 1.0E-06/year. Based on these criteria, VY identified no vulnerabilities.

The submittal states that additional procedure insights were identified in the Level I and Level II analysis which did not reduce CDF, were not immediately apparent to be cost beneficial, but did have potential for support of VY's "defense-in-depth" approach. VY has taken action on nine (9) of thirteen (13) procedural enhancements which were identified; the remaining four (4) insights were dropped from further consideration following detailed assessment.

E.6 Observations

The following observations from our review are pertinent to NRC's determination of whether the licensee's submittal meets the intent of Generic Letter 88-20:

1) Utility personnel were involved in the development and application of PRA/HRA techniques to their facility, and associated walkdowns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built and as-operated plant. The in-house peer review and independent external review appear capable of assuring the HRA process was reasonably addressed, and that the analytical techniques used to quantify human error were appropriately applied.

2) The licensee's HRA process considered human actions related to restoration/realignment of equipment following maintenance or test and miscalibration/maintenance errors. The process utilized by the licensee to identify and select the pre-initiator actions included review of procedures and discussion with plant personnel. No numerical screening process was employed to eliminate pre-initiator errors that were not important contributors to CDF. The qualitative guidelines for eliminating certain errors from consideration appear reasonable. Forty-one pre-initiator errors were included in the IPE model. The quantification process used for pre-initiators appears to have been appropriately treated.

3) The licensee's process considered human events that are needed to prevent an accident as well as to mitigate the consequences of an accident. Both response-type actions and recovery-type actions were addressed. The process used by the licensee to identify and select the post-initiator human events included review of procedures and discussions with appropriate plant personnel. The actions selected for quantification appear to be reasonably comprehensive and appear generally to have been consistent with the guidelines found in EPRI documents. No numerical screening was employed to eliminate post-initiator errors that were not important contributors to CDF. All actions selected were quantified and incorporated into the IPE model.

4) No vulnerabilities were identified. The licensee does not identify important operator actions in the submittal, and it does not appear that importance calculations or sensitivity studies were performed to identify important human contributions. A number of procedure enhancements were identified for further consideration, but not credited in the IPE.

1. INTRODUCTION

This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Vermont Yankee Nuclear Power Corporation (VYNPC) Individual Plant Examination (IPE) submittal for the Vermont Yankee Nuclear Power Station (VY) to the U.S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staff in their evaluation of the IPE and conclusion regarding whether the submittal meets the intent of Generic Letter 88-20.

1.1 HRA Review Process

The HRA review was a "document-only" process which consisted of essentially four steps:

(1) Comprehensive review of the IPE submittal focusing on all information pertinent to HRA.

(2) Preparation of a draft TER summarizing preliminary findings and conclusions, noting specific issues for which additional information was needed from the licensee, and formulating requests to the licensee for the necessary additional information.

(3) Review of preliminary findings, conclusions and proposed requests for additional information (RAIs) with NRC staff and with "front-end" and "back-end" reviewers.

(4) Review of licensee responses to the NRC requests for additional information, and preparation of this final TER modifying the draft to incorporate results of the additional information provided by the licensee.

Findings and conclusions are limited to those that could be supported by the document-only review. No visit to the site was conducted. A telephone conference call between the VYNPC, the NRC staff, and NRC's HRA consultant was initiated at the request of VYNPC to obtain additional clarification on NRC's questions. This discussion helped the licensee to better focus their efforts and produced complete and responsive answers to the questions asked. In general it was not possible, and it was not the intent of the review, to reproduce results or verify in detail the licensee's HRA quantification process.

1.2 Plant Characterization

VY is a single-unit General Electric (GE) boiling water reactor (BWR-4) plant, with a Mark I containment. The unit is rated at 1593 MWt and 504 MWe (net). Commercial operation began in 1972. Similar units in operation are Duane Arnold and Cooper. The front-end reviewer cites a number of distinctive design features at VY which tend to decrease core damage frequency. Significant design features, relative to other BWR 4's, which tend to decrease core damage frequency (CDF) and have associated operator actions include: 1) a power tie line from Vernon hydroelectric station that can power either IE bus, 2) ability to use diesel driven firewater for injection to the vessel, 3) presence of a John Deere diesel generator that can be used to provide power for opening injection valves and maintaining SRVs open to allow core cooling with low pressure firewater injection, and 4) an alternate cooling mode for backup to service water. Other design features which do not directly require human action but influence the degree of operator involvement during accident sequences include: 1) a 4 hour battery lifetime, 2) passive, hardened torus vent, and 3) 105% turbine bypass capability. Operator failure to depressurize, and operator failure to restore SRVs and nitrogen supply after test and maintenance are dominant human errors contributing to CDF for VY.

2. TECHNICAL REVIEW

2.1 Licensee IPE Process

2.1.1 Completeness and Methodology.

The HRA process addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). Pre-initiator actions considered included both restoration errors and miscalibration. Post-initiator actions included both response-type and recovery-type actions. The primary HRA techniques employed to quantify human error included THERP (Reference 1) for pre-initiator actions, and either the EPRI (NP-6560-L) Method or the Time Reliability Correlation (TRC) Method (References 1, 3, & 4) for post-initiator actions.

Plant-specific performance shaping factors and dependencies were considered to some degree in both pre-initiator and post-initiator analyses. Human errors considered important contributors in accident sequences leading to core damage were identified and reported. Although no human-performance-related vulnerabilities were found, the licensee did identify enhancements which were cited for further consideration as part of the VY "defense-in-depth" philosophy. Licensee staff with knowledge of plant design, operations and maintenance had significant involvement in the HRA process. Procedure reviews, interviews with operations staff, training staff, and procedure writers, and plant walkdowns helped assure that the IPE represented the as-built, as-operated plant. An independent review of the HRA performed by an independent contractor and in-house staff helped to assure appropriate use of HRA techniques.

2.1.2 Multi-Unit Effects and As-Built, As-Operated Status

Multi-unit effects are not applicable for the VY facility.

The process used in the VY IPE to ensure the analysis appropriately reflected the as-built, as-operated status of the plant included plant walk-throughs, interviews with plant staff and a comprehensive review of pertinent plant documentation.

Two walk-throughs were performed as part of plant familiarization in support of the IPE. The first walk-down focussed on the Vermont Yankee Reactor Building, to observe general arrangement in support of deterministic calculations of secondary containment fission product retention (MAAP modeling). During this walk-through the team also observed the major system equipment and components used in IPE models. The team performing the reactor building walkdown was comprised of IPE team members from YAEC Safety Assessment Group, VY operations, VY corporate engineering, and consultants from GK&A. Other walk-throughs focused on room cooling and HVAC issues and involved multiple areas of the plant. Participating in these walk-downs were the engineers responsible for the deterministic heatup calculations. The submittal does not discuss specific considerations given to HRA factors in the walk-throughs conducted, but individuals involved with the HRA analysis and VY operations personnel participated in at least one of the walk-throughs.

The information assembled to support the IPE/HRA process appears to have been appropriate and complete enough to allow the licensee the opportunity to conduct a comprehensive evaluation. The information assembled included:

  • Generic data, including Nuclear Power Experience (NPE), IDCOR Methodology, and NUREG/CR-4550,
  • Plant-specific maintenance, test, emergency operating, and administrative control procedures,
  • Plant-specific historical data such as equipment history records, plant trip reports, LERs, etc.,
  • VY Final Safety Analysis Report, plant technical specifications, system training descriptions, P&ID diagrams, electrical one-line drawings, etc., and
  • Operations and surveillance procedures, emergency operating procedures (EOPs/EPGs).

Based on the above findings as documented in the submittal, we conclude that overall the licensee's IPE process included steps to provide reasonable assurance that the IPE model represents the as-built, as-operated plant.

2.1.3 Licensee Participation and Peer Review.

The NRC review of the submittal attempts to determine whether the utility personnel were involved in the development and application of PRA techniques to their facility, and that the associated walkdowns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built and as-operated plant.

2.1.3.1 Licensee Participation. The overall IPE effort was performed under the direction of a VYNPC principal engineer. Assisting VY and performing the majority of the IPE effort were two full-time and 4 part-time engineer/analysts from Yankee Atomic Electric Company (YAEC). YAEC is an engineering services organization that provides dedicated support to VY. In addition, a VY licensed SRO/Shift Supervisor participated in system reviews and served as liaison and consultant in the area of plant operations.

Four outside expert consultants provided specialty support to the VY/YAEC team. The assisting consultants and areas of support were as follows:

  • ERIN Engineering and Research, Inc. - human reliability analysis (HRA) and containment phenomenological analysis,
  • Independent consultant - scope and methodology for event and fault tree analysis,
  • Gabor, Kenton and Associates, Inc. - development of the VY MAAP model and all MAAP simulations used to support Level I and Level II analysis,
  • Chicago Bridge and Iron - analysis of containment ultimate strength.

2.1.3.2 In-House and External Reviews. VY and YAEC engineers who were not directly involved with the analysis performed the "independent" in-house review. The in-house review team came from Systems Engineering, Electrical Engineering, Mechanical Engineering, Instrumentation and Controls Engineering, and Operations. The review was performed through IPE team participation in "system review meetings", where each fault tree model was presented and discussed. These meetings also served to build in-house familiarity with IPE models and results. Comments were addressed and resolved to the satisfaction of the reviewers as work progressed. The review of analytical techniques used for determining human error probabilities associated with the various accident sequences analyzed involved individuals from the VY organization and their consultant ERIN Engineering. Analysis of pre-initiators was performed by R. Turcotte (VY), with accuracy and analytical technique (THERP) being reviewed by Kevin Burns (VY) and Dr. E. T. Burns (ERIN). Analysis of the post-initiator human actions was performed by ERIN Engineering staff with the analytic technique and accuracy being reviewed by Kevin Burns (VY).

A "high level" review of all aspects of the analysis was performed by Dr. Burns, ERIN Engineering, in addition to the in-house review. This review served to ensure that industry-wide experience in PRA was considered in the VY IPE.

In our opinion, the reviews appear to constitute a reasonable process for an "in-house" peer review that provides some assurance that the IPE analytic techniques were correctly applied and that documentation is accurate.

2.2 Pre-Initiator Human Actions

Errors in performance of pre-initiator human actions (i.e., actions performed during maintenance, testing, etc.) may cause components, trains, or entire systems to be unavailable on demand during an accident, and thus may significantly impact plant risk. Our review of the HRA portion of the IPE examines the licensee's HRA process to determine what consideration was given to pre-initiator human actions, how potential actions were identified, the effectiveness of quantitative and/or qualitative screening process(es) employed, and the processes for accounting for plant-specific performance shaping factors, recovery factors, and dependencies among multiple actions.

2.2.1 Pre-Initiator Human Actions Considered.

The VY HRA addressed pre-initiator errors, termed "latent human errors" in the submittal, in calibration, maintenance, and testing during power operation and shutdown/refueling mode. A total of 41 pre-initiator errors are reported in Table 3.3.3.1 of the submittal.

Two types of pre-initiator error were considered in the analysis: failure to realign/restore after test or maintenance, and miscalibration/maintenance errors. Of the 41 latent human errors reported, 35 were associated with failure to restore/realign and 6 dealt with miscalibration/maintenance errors.

2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions.

The key concerns of the NRC staff review regarding the process for identification and selection of pre-initiator human events are: (a) whether maintenance, test and calibration procedures for the systems and components modeled were reviewed by the systems analyst(s), and (b) whether discussions were held with appropriate plant personnel (e.g., maintenance, training, operations) on the interpretation and implementation of the plant's test, maintenance and calibration procedures to identify and understand the specific actions and the specific components manipulated when performing the maintenance, test, or calibration tasks.

The licensee's selection of the pre-initiator actions to be considered for analysis was described in the following statement from section 3.3.3.1 of the submittal: "Should such errors [latent human errors] go undetected, they can contribute to the unavailability of equipment or a system [important to safety]."

The process used by the licensee to identify pre-initiator actions included consideration of the following five areas:


1) General plant procedures which address control of maintenance & repair activity, tagging & switching rules & practices, control of plant equip and temporary modifications, post maintenance testing requirements, valve & breaker alignment identification;
2) Specific system procedures which govern surveillance testing, calibration and functional testing, battery performance & discharge testing, and system level maintenance;
3) Actual maintenance, testing and calibration tasks for standby systems/components;
4) Control room annunciator and operator rounds; and
5) Post-maintenance testing practices.

Those pre-initiator errors selected for inclusion in the models were based on a qualitative assessment of VY's maintenance, calibration and test procedures, programmatic and administrative procedures which control maintenance, and testing activities as identified above.

2.2.3 Screening Process for Pre-Initiator Human Actions.

There was no numerical screening performed for pre-initiator human errors.

2.2.4 Quantification of Pre-Initiator Human Actions.

The probability of error in performing pre-initiator human actions can vary substantially (up or down) from "generic" estimates because of plant-specific factors affecting human performance. These factors include plant-specific "recovery factors" that exist due to plant design features or operational practice, or dependencies among multiple restoration/miscalibration tasks that may exist as a result of "systemic," but perhaps subtle, human performance problems in training, procedures, etc. If the licensee is to gain a realistic understanding of the potential impact of pre-initiator human error on plant risk, it is important that the HRA include a reasonably rigorous assessment of these plant-specific factors and dependencies.

While the numerical HEP estimate is important, the benefit gained from the pre-initiator HRA is to a large degree a function of the rigor of this more qualitative evaluation of plant-specific factors.

Candidate pre-initiator errors were assigned an HEP using THERP, NUREG/CR-1278 (Reference 1). The majority of pre-initiators identified in the HRA (28 out of 41) were judged (qualitatively) not to be major contributors to system unavailability and assigned a value of 1.0E-04 based on engineering judgement. The classification of a pre-initiator as "not being a major contributor to system unavailability" was based on the analyst's consideration of the following factors:

- independent verification
- post maintenance testing
- compelling alarms
- automatic realignment
- gross error during instrument calibration (error to the point where an instrument loop or entire logic does not function) is considered remote.

System recovery in the VY analysis was based on system-specific factors:

- component/device included in surveillance testing,
- routine operator surveillance with signoff.

For example, one event identified where recovery by operator surveillance was excluded involved the misalignment of SLC after testing. The reasons for excluding this event included: 1) there is no remote indication of valve position, 2) there are no associated alarms, and 3) no automatic realignment will correct the misalignment.

Pre-initiator errors are modeled as either totally dependent or totally independent. If qualitative assessment indicated significant opportunity for dependency, then the event was assessed as totally dependent. For example, miscalibration or failure to restore transmitters and logic associated with each emergency core cooling signal is considered to be totally dependent. Human error is modeled as a total dependency by using a single basic event whose failure causes failure of the associated ECCS signal.

In general, VY's results for pre-initiator HEPs were found to be typically in the range between 1E-04 and 1E-03 which is consistent with other IPEs reviewed. VY's treatment of pre-initiator human error appears to be sufficiently rigorous so as to impart an appreciation of the human contribution to CDF through pre-initiator human actions.

2.3 Post-Initiator Human Actions

Human errors in responding to an accident initiator, e.g., by not recognizing and diagnosing the situation properly, or failure to perform required activities as directed by procedures, can have a significant effect on plant risk. These errors are referred to as post-initiator human errors. Our review assesses the types of post-initiator errors considered by the licensee, and evaluates the processes used to identify and select, screen, and quantify post-initiator errors, including issues such as the means for evaluating timing, dependency among human actions, and other plant-specific performance shaping factors.

2.3.1 Types of Post-Initiator Human Actions Considered.

There are two important types of post-initiator actions considered in most nuclear plant PRAs: (1) response actions, which are performed in response to the first level directives of the emergency operating procedures/instructions (EOPs, or EOIs); and, (2) recovery actions, which are performed to recover a specific failure or fault, e.g., recovery of offsite power or recovery of a front-line safety system that was unavailable on demand earlier in the event.

The VYNPS HRA addresses both response (dynamic operator actions) and recovery actions. The submittal discussion on HRA does not differentiate between response and recovery post-initiator actions; both appear to have been treated using the same method and approach.

2.3.2 Process for Identification and Selection of Post-Initiator Human Actions.

The primary thrust of our review related to this question is to assure that the process used by the licensee to identify and select post-initiator actions is systematic and thorough enough to provide reasonable assurance that important actions were not inappropriately precluded from examination. Key issues are whether: (1) the process included review of plant procedures (e.g., emergency/abnormal operating procedures or system instructions) associated with the accident sequences delineated and the systems modeled; and, (2) discussions were held with appropriate plant personnel (e.g., operators or training staff) on the interpretation and implementation of plant procedures to identify and understand the specific actions and the specific components manipulated when responding to the accident sequences modeled.

The post-initiator human actions (dynamic operator actions and recovery actions) identified by the licensee generally reflect operator actions specified in VY's Emergency Operating Procedures (EOPs). The VY HRA team reviewed EOPs/EPGs and the IPE models for the selection of important actions to be included in the HRA. The basic criteria established for this review included: 1) operator actions which were judged to be either important for preventing core damage, or 2) operator actions important for mitigating radionuclide release.

Qualitative information used for detailed evaluation of each action chosen included: 1) interviews with plant operators, 2) interviews with operator training staff, 3) interviews with EOP writers, and 4) observation of numerous simulator exercises. Most dynamic operator actions are included in the fault trees. Some actions which are event or sequence dependent (e.g. a recovery action to restore the main condenser) are modeled as event tree top events.

Comparison of human actions selected for incorporation into VY's IPE model with human actions typically included in other BWR PRAs did not identify any major actions which may be applicable to VY that were not included. Each of the actions identified by the NRC front-end reviewer as potentially important to IPE results were included in the model. We believe the licensee employed a systematic process to identify and select potential post-initiator actions which provided reasonable assurance that important actions were not overlooked.

2.3.3 Screening Process for Post-Initiator Response Actions.

No numerical screening of post-initiator HEPs was performed. HEPs were included in the IPE model for all of the operator actions identified.

2.3.4 Quantification of Post-Initiator Human Actions.

Post-initiator actions [called dynamic operator actions in the Submittal] quantified include both response and recovery type actions. The licensee does not distinguish between these two types in the discussion on quantification. The licensee treated all non-proceduralized operator actions conservatively by assigning a HEP value of 1.0 (guaranteed failure).

Post-initiator operator actions were quantified using two methods: the EPRI Methodology (NP-6560L) or a modified Time Reliability Correlation (TRC) Method (referred to as the 'VY TRC Method' in this report) which was derived from THERP (NUREG/CR-1278), WASH-1400 (NUREG-75/014), and NREP (NUREG/CR-2815) for post-initiator actions.

The EPRI methodology was used to quantify the majority of post-initiator operator actions (44 out of 51). The VY TRC Method was used when the analyst (expert opinion) judged that the EPRI method was inappropriate. The basis for the analyst selecting the VY TRC Method over EPRI was that the HRA was performed in parallel with development of fault trees and event tree models. Dynamic operator actions were identified from the "first-cut trees" (initial trees) and other BWR PRAs. Detailed information for the EPRI correlation was gathered on these events and interviews conducted with plant operators, all of which were highly resource intensive. Additional actions were identified and included later in the process. None of the new operator actions were considered by the licensee to present a significant contribution to CDF (none involved severe time constraints). The licensee selected the VY TRC Method for these actions because the level of effort needed to compile detailed data and re-interview operations personnel to allow use of the EPRI method was unwarranted. The licensee justifies this approach based on the generally lower contribution to risk associated with these additional actions.

2.3.4.1 EPRI Methodology. The primary technique employed for quantification of post-initiator errors was the EPRI methodology summarized in EPRI NP-6560L (Reference 1). A graphic representation of the general logic of this model is presented in Figure 2-1.

Each response action is considered as a combination of two types of actions: 1) detection/diagnosis/decision, or "cognitive" action, and 2) manual action. Errors can occur in the cognitive action via failures in cognitive processing or procedural "mistakes", or they can occur by failing to process information in a timely manner.

[Figure 2-1. Conceptual Model of Operator Response to an Accident Event. Detection/Diagnosis/Decision branch: cognitive processing/procedural mistakes, P1 = F(NR Mistakes); failure to process information in a timely manner, P2 = F(Non-Response in a given time window). Manual Action branch: manipulative slips, P3 = F(NR Slips). S = Success, F = Failure.]

Errors in manual actions are considered manipulative "slips". The total HEP is a probabilistic combination of the three error probabilities (P1 + P2 + P3).

Estimates for P1 and P3

In the VY analysis, the probability P1 of an unrecovered cognitive "mistake" is viewed essentially as mistakes made by the operating crew due to a number of causes such as misdiagnosis, problems with procedures, plant interface difficulties, lack of training or experience, or a problem with detection of a situation. The probability of this type of error is scenario and plant dependent. The probability P3 of errors in execution actions is considered nonrecoverable in the available time window.

Estimates for P2

The P2 errors represent the probability that the operating crew takes too long to reach a correct decision in comparison to the time available to respond. Qualitative information used for detailed evaluation of each action chosen included: 1) interviews with plant operators, 2) interviews with operator training staff, 3) interviews with EOP writers, and 4) observation of numerous simulator exercises.

2.3.4.2 VY's Time Reliability Correlation (TRC) Methodology. This method uses time dependent reliability correlations developed in other PRAs. Different time-reliability curves are used for short, medium, and long-term operator responses. In the VY analysis, the response times are defined as follows:

Short-term - 0 to 30 minutes
Medium-term - 30 minutes to 10 hours
Long-term - greater than 10 hours

Exhibit A to this report is a reprint of IPE Figure 3.3.2, the time correlation curves used by the licensee to quantify seven (7) operator actions with the VY TRC method. The licensee states that these curves were derived from NUREG/CR-1278 (Reference 2), WASH-1400 (Reference 3), and NUREG/CR-2815 (Reference 4) for different performance shaping factors (PSFs) such as type of action, degree of difficulty, and stress level. Sensitivity to plant-specific factors is not discussed. Curves A through F represent the time-dependent "cognitive" HEPs given various PSFs. Interpolation is performed to quantify HEPs for the medium-term and long-term response times. Generally, the licensee used a HEP value of 1.0E-04 for medium-term responses and 1.0E-06 for long-term responses. A manipulative error (taken from the EPRI method) is added to the cognitive HEP to calculate the total HEP for a given action. The specific operator actions quantified with this method are listed in Table 2-1.

Table 2-1, Operator Actions Quantified with the VY TRC Method

| OPERATOR ACTION | CURVE | TIME WINDOW | HEP |
|---|---|---|---|
| Operator opens MOV-64 31 to align CST emergency makeup to the condenser hot well remotely from the control room | E | 30 min | 2.0E-03 |
| Operator fails to start a RBCCW pump from the control room | D | 30 min | 3.3E-02 |
| Operator fails to start a TBCCW pump from the control room | E | 30 min | 3.7E-03 |
| Operator fails to restore MCC 88 to the vital MG set after LNP | D | 30 min | 1.0E-01 |
| Operator restores AC power to the battery chargers for D1 and D2 during an LNP condition | n/a | 2 hrs | 1.1E-03 |
| Operator aligns spare charger to D1 given failure of the normal charger | n/a | 4 hrs | 1.0E-02 |
| Operator aligns spare charger to DC-2AS given failure of the normal charger | n/a | 4 hrs | 1.0E-02 |

2.3.4.3 Consideration of Plant-Specific Factors for Response Actions. The licensee's process appears to have included a reasonably rigorous assessment of plant-specific factors, namely: 1) maintenance, test, emergency operating, and administrative control procedures, 2) plant-specific historical data such as equipment history records, plant trip reports, LERs, etc., 3) VY Final Safety Analysis Report, plant technical specifications, system training descriptions, P&ID diagrams, electrical one-line drawings, etc., and 5) operations and surveillance procedures, emergency operating procedures (EOPs/EPGs).

Qualitative information was gathered through interviews with plant operators, operator training staff, and EOP writers for each of the operator actions chosen for detailed evaluation. Numerous simulator exercises were also said to have been used during the information gathering effort.

2.3.4.4 Consideration of Timing. For some post-initiator operator actions, timing - time available vs. time required by the operators - is a critical determinant of likelihood of success. It is important to assure that the licensee's process for estimating both time available and the time necessary for operators to complete the required actions takes into account plant specific conditions and provides realistic estimates. Plant-specific phenomenological analysis (accident analysis computer codes) should be used to determine the available time. Actual measures using currently licensed operators in realistic walk-throughs or control room simulator exercises is a preferred approach for estimating expected/necessary operator response time. Especially for local actions outside of the control room, it is important to assess time to get to the equipment, accessibility, possible impacts on timing of special clothing or environmental factors, etc. In the VY analysis, "time windows" (time available) for operator response were derived from deterministic calculations, i.e., plant-specific MAAP calculations, from interviews with senior plant operators, and from engineering judgement. It appears that the licensee has treated time considerations consistent with guidance in EPRI NP-6560L. The approach used for determining mean response time T1/2 ("time required") included interviews with senior reactor operators, shift supervisors, trainers, and EOP writers. Values of T1/2 used in the EPRI correlation were averages of the times taken from interviews. In addition, simulator observations were used to confirm and supplement the interview results. The licensee provided a listing of "time required" for each operator action quantified in their response to an NRC request for additional information (RAI).

2.3.4.5 Consideration of Dependencies for Post-Initiator Human Actions. An important concern in HRA is the treatment of dependencies. Human performance is dependent on sequence-specific response of the system and of the humans involved. The likelihood of success on a given action is influenced by success or failure on a preceding action, performance of other team members in parallel or related actions, assumptions about the expected level of performance of other team members based on past experience, etc.

Accounting for dependency among top-level actions in a sequence is particularly important. The human error probability estimates for HRA are conditional probabilities. If dependencies are not specifically accounted for, and HEPs are treated as independent, the probabilistic combination of HEPs can lead to an unrealistically low estimate of human performance overall (i.e., of the joint human error probability), and to a significant underestimate of risk.

VY considered dependencies between post-initiator human actions during their review of accident sequence modeling. However, details of the process used to assess dependency were not provided. In response to an NRC RAI, VY provided, by example, a discussion of the process by which dependency was assessed for human actions. For example, operator action to spray the drywell is an effective means of vapor suppression for LOCA sequences where the break flow is not directed into the suppression pool (i.e., for cases where a torus-to-drywell vacuum breaker sticks open, thereby allowing break flow to pass from the drywell into the torus airspace without being forced through the suppression pool). For Small and Medium LOCAs, operator action to open the SRVs for RPV depressurization is another effective means of vapor suppression (since reactor steam is forced into the suppression pool through the SRV T-quenchers). In VY's Small and Medium LOCA event trees, the operator action to depressurize the RPV upon vapor suppression failure is evaluated before the operator action to spray the drywell. This particular evaluation order is used because the actions are judged to be totally dependent, in that operator failure to depressurize leads to operator failure to spray the drywell.
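The effect of the dependence assumption on a joint HEP can be worked through numerically. The following is an added example, not part of the TER or the VY submittal: it uses the THERP (NUREG/CR-1278) conditional-HEP equations, which include intermediate dependence levels beyond the totally dependent / totally independent treatment described above. The depressurization HEP is the EOPMDIFL value from Table 2.4-1; the drywell spray HEP is a constructed value, since the page does not give one.

```python
"""Joint human error probability (HEP) under different dependence assumptions."""

# THERP (NUREG/CR-1278) equations for the conditional HEP of an action,
# given failure of the preceding action. p is the action's nominal HEP.
THERP_CONDITIONAL = {
    "zero":     lambda p: p,                  # totally independent
    "low":      lambda p: (1 + 19 * p) / 20,
    "moderate": lambda p: (1 + 6 * p) / 7,
    "high":     lambda p: (1 + p) / 2,
    "complete": lambda p: 1.0,                # totally dependent
}


def conditional_hep(nominal_hep, level):
    """Conditional HEP of an action given that the previous action failed."""
    if not 0.0 <= nominal_hep <= 1.0:
        raise ValueError(f"HEP must be a probability, got {nominal_hep}")
    if level not in THERP_CONDITIONAL:
        raise ValueError(f"unknown dependence level: {level!r}")
    return THERP_CONDITIONAL[level](nominal_hep)


def joint_hep(nominal_heps, levels):
    """Probability that every action in an ordered sequence fails.

    nominal_heps: nominal HEPs in the order the actions are evaluated.
    levels: levels[i] is the dependence of action i+1 on action i.
    """
    if not nominal_heps:
        raise ValueError("at least one action is required")
    if len(levels) != len(nominal_heps) - 1:
        raise ValueError("need exactly one dependence level per adjacent pair")
    joint = conditional_hep(nominal_heps[0], "zero")  # validates first HEP
    for hep, level in zip(nominal_heps[1:], levels):
        joint *= conditional_hep(hep, level)
    return joint


def underestimate_factor(nominal_heps, levels):
    """How many times too low the joint HEP is if dependence is ignored."""
    independent = joint_hep(nominal_heps, ["zero"] * len(levels))
    return joint_hep(nominal_heps, levels) / independent


# Depressurize RPV for vapor suppression: EOPMDIFL, Table 2.4-1 of this report.
HEP_DEPRESSURIZE = 2.4e-3
# Spray the drywell: constructed value for illustration, not from the report.
HEP_DRYWELL_SPRAY = 1.0e-2


def compare_levels():
    """Joint HEP and underestimate factor for each dependence level."""
    heps = [HEP_DEPRESSURIZE, HEP_DRYWELL_SPRAY]
    return {
        level: (joint_hep(heps, [level]), underestimate_factor(heps, [level]))
        for level in THERP_CONDITIONAL
    }


if __name__ == "__main__":
    for level, (joint, factor) in compare_levels().items():
        print(f"{level:9s} joint HEP = {joint:.3e}  "
              f"(x{factor:.1f} vs. independent)")
```

With total dependence the joint HEP collapses to the HEP of the first action alone, which is why the event tree can evaluate depressurization first and treat the spray action as failed whenever depressurization fails.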

2.3.4.6 Treatment of Operator Actions in the Internal Flooding Analysis. The VY IPE does not include internal flooding analysis. VY states that it is their intent to perform the internal flooding analysis as part of the IPEEE (IPE for external events).

2.3.4.7 Treatment of Operator Actions in the Level 2 Analysis. Operator actions credited in the Level 2 analysis were quantified using the same methodology as discussed for the Level 1 analysis reported in Section 3.3.3 of the IPE Submittal.

2.3.4.8 GSI/USI and CPI Recommendations. The licensee's consideration of generic safety issues (GSIs) and unresolved safety issues (USIs) and of containment performance improvements (CPI) recommendations are the subject of the front-end review, and back-end review, respectively.

In their evaluation of Decay Heat Removal (DHR), the licensee identified several important operator actions, specifically:

- initiation of suppression pool cooling,
- reopening of MSIVs and restoration of main condenser heat sink,
- recovery of offsite power,
- control of service water,
- initiation of the alternate cooling mode,
- control of containment venting, and
- use of CRD.

Additionally, there are a number of unique features at the VY plant which are relevant to the DHR capability. These include the power tie from Vernon hydroelectric station, ability to use diesel driven firewater for vessel injection, a small diesel generator that can be used to provide power for opening the injection valves and maintaining SRVs open, a passive hardened torus vent, and an alternate cooling mode for backup to service water.

The licensee did not identify any vulnerabilities associated with operator actions in the assessment of DHR capability. However, a number of enhancements which could be beneficial to operator required actions were identified for possible implementation. The enhancements identified by VY through the IPE process are discussed in Section 2.4.3 of this TER.

2.4 Vulnerabilities, Insights and Enhancements

2.4.1 Vulnerabilities.

The licensee does not define vulnerability per se, but deduces that because VY's CDF and LRF are below NRC-proposed safety goals, no vulnerabilities were identified.

| | NRC-proposed Goals | VY Results |
|---|---|---|
| CDF | <1E-04/yr | 4.3E-06/yr |
| LRF | <1E-06/yr | 9.4E-07/yr |

2.4.2 IPE Insights Related to Human Performance.

The IPE Submittal did not identify specific operator actions which were considered most important to CDF. However, in response to NRC's request for additional information, VY provided a rank ordered listing of all operator actions having a Fussell-Vesely Importance (FVI) value greater than 0.005. FVI measures the fraction of total CDF in which the operator error appears as a contributing failure. Table 2.4-1 provides a listing of the VY operator actions with a FVI value greater than 0.005.

Table 2.4-1, VY Operator Actions With a Fussell-Vesely Importance Value Greater Than 0.005.

| OPERATOR ACTION | IDENTIFIER | HEP |
|---|---|---|
| Operator fails to open SRV's for Vessel Depressurization (Small LOCAs and Transients). | EOPADSFL | 2.1E-04 |
| Operator fails to Initiate Firewater System and John Deere Diesel Generator for alternate injection (during SBO conditions). | JOPFIS01 | 1.35E-01 |
| Operator fails to recover Station Service Water and/or RBCCW Cooling. | URECOVERSW | 2.0E-01 |
| Operator fails to initiate SLC (Boron Injection) given Main Condenser is unavailable (ATWS). | IOPSLMCF | 5.7E-02 |
| Operator fails to initiate HPCI/RCIC Systems (Small LOCA and Transients). | AOPHRIFL | 2.1E-03 |
| Operator fails to inhibit ADS during ATWS event with insufficient High Pressure Makeup. | ADINHIBITFL | 3.6E-02 |
| Operator fails to initiate alternate cooling mode. | UOPACMIFL | 3.0E-02 |
| Operator fails to perform RPV depressurization for Vapor Suppression (during Medium LOCA). | EOPMDIFL | 2.4E-03 |
| Operator fails to restore low pressure injection after level/power control (ATWS). | LIATWSIFL | 1.4E-02 |
| Operator terminates and prevents injection before RPV depressurization (ATWS). | LCATWSIFL | 1.3E-02 |
| Failure to restore SLC System after routine and post-maintenance flow tests. | IHESLCFL | 2.4E-03 |
| Operator fails to start a TBCCW pump from the Control Room. | WOPTBC01 | 3.7E-03 |
| Operator fails to initiate/Control Feedwater and Condensate System (MSIV Closure Transient and Small/Medium LOCA). | QOP001FL | 3.1E-03 |
| Operator fails to establish tie line from the Vernon hydro-electric station to power a 1E Bus. | YOPACIFL | 1.2E-03 |

Generally, those actions identified by the licensee were also identified by the NRC Level I reviewer as important based on other IPEs reviewed. Table 2.4-2 provides a listing of the important operator actions from the NRC front-end reviewer. Each of these actions has been addressed in the VY analysis, and their respective cutset identifier and calculated HEP are provided in Table 2.4-2.

Table 2.4-2, Level 1 and Level 2 Operator Actions Important to CDF Included in HRA

| OPERATOR ACTION | IDENTIFIER | HEP |
|---|---|---|
| Manual initiation of depressurization. | EOPADSFL, EHESRVFL | 2.1E-04 |
| Inhibition of ADS during ATWS sequences. | ADINHIBITFL | 3.6E-02 |
| Control of feedwater after plant trip to prevent loss of feedwater due to feedwater isolation on high vessel level. | QOP001FL | 3.1E-03 |
| Manual initiation of SP cooling. | KOPACTFL | 1.0E-06 |
| Manual control of containment venting (initiation of venting is passive). | TVHUVENTINGX | 1.0E-02 |
| Manual initiation of the alternate cooling mode for loss of service water events. | UOPACMIFL | 3.0E-02 |
| Initiation of injection with the firewater crosstie using the diesel driven firewater pump, including use of the John Deere DG for providing motive AC power to open isolation valves and for providing DC control power for maintaining the SRVs open over the long term during station blackout. | JOPFIS01 | 1.35E-01 |
| Use of the tie line from the Vernon hydro-electric station to power a 1E Bus. | YOPACIFL | 1.2E-03 |
| Makeup to the CST for long term use of CRD injection to the vessel. | STOPCSTIlFL | 8.0E-02 |
| Operator fails to align RHRSW for in-vessel injection. | VROPERROR03 | 2.2E-01 |
| Operator fails to implement EOP for containment flooding using RHRSW. | CFHUNOEOPOOX | 1.5E-02 |
| Operator fails to open drywell vent path to support containment flood procedures. | DVHUDWP-00X | 3.5E-02 |
| Operator fails to control containment vent after rupture disc actuates | TVHUVENTINGX | 1.0E-02 |

2.4.2.1 Important Pre-Initiator Operator Actions. We reviewed the top 100 accident sequences reported for both Level I and Level II analysis, IPE Tables 3.4.1 and 4.6.3, to identify those sequences with split-fractions affected by pre-initiator errors.

Table 2.4-2 below lists those pre-initiator operator actions appearing in the top twenty sequences in each Level. As can be seen in Table 2.4-2, there are two recurring latent human errors in the Level I and II analysis. These are the failure to restore SRV's & N2 supply after test and maintenance (ADSBS) and the failure to restore SLC system after flow test routine and post-maintenance (SLCBS). The single most dominant pre-initiator contributing to CDF is the failure to restore SRV's and N2 supply.

Table 2.4-2, Pre-initiator Events Appearing In The Top 20 Sequences for Level I and II Analysis.

| LEVEL | RANK | INITIATOR | S-F | DESCRIPTION |
|---|---|---|---|---|
| I | 2 | TLP | ADSBS | Failure to restore SRV's and N2 supply after test and maintenance. |
| I | 3 | AMS | SLCBS | Failure to restore system after flow tests routine and post-maintenance. |
| I | 5 | T | ADSBS | Same as I, #2 above. |
| I | 17 | AFWMS | SLCBS | Same as I, #3 above. |
| I | 19 | TDI | D2 BASE | Failure to realign battery B-1 after test or maintenance. |
| I | 20 | TA3 | ADSBS | Same as I, #2 above. |
| II | 12 | AMS | SLCBS | Same as I, #3 above. |
| II | 13 | AMS | SLCBS | Same as I, #3 above. |
| II | 14 | UWMS | ADSBS | Same as I, #2 above. |
| II | 15 | TFWMS | ADSBS | Same as I, #2 above. |
| II | 17 | AMS | SLCBS | Same as I, #3 above. |

2.4.2.2 Important Post-Initiator Operator Actions. We also reviewed these top 100 sequences to identify those sequences with split-fractions affected by post-initiator errors.

Table 2.4-3 below, lists the operator actions appearing in the top twenty sequences in each Level.

Table 2.4-3, Post-initiator Events Appearing In The Top 20 Sequences for Level I and II Analysis.

| LEVEL | RANK | INITIATOR | SF | DESCRIPTION |
|---|---|---|---|---|
| I | 2 | TLP | ADSBS | Operator fails to manually open SRV's for transient/small LOCA. |
| I | 3 | AMS | SLCBS | Operator fails to initiate SLC system given main condenser failed. |
| I | 5 | T | FWBASE | Operator fails to initiate/control feedwater/condensate. |
| I | | | RCBASE | Operator fails to manually initiate HPCI and RCIC. |
| I | | | ADSBS | Operator fails to manually open SRV's for transient/small LOCA. |
| I | 7 | TA3 | AISBO | Operator fails to initiate fire system alternate injection. |
| I | 8 | TA4 | AISBO | Same as I, #7 above. |
| I | 9 | TDI | AISBO | Same as I, #7 above. |
| I | 10 | TD2 | AISBO | Same as I, #7 above. |
| I | 15 | TLP | VNBASE | Operator fails to close Vernon tie breakers. |
| I | 17 | AFWMS | SLCBS | Same as I, #3 above. |
| I | 20 | TA3 | ADSBS | Same as I, #2 above. |
| II | 1 | TA3 | AISBO | Same as I, #7 above. |
| II | 2 | TA4 | AISBO | Same as I, #1 above. |
| II | 3 | TDI | AISBO | Same as I, #7 above. |
| II | 4 | TD2 | AISBO | Same as I, #7 above. |
| II | 8 | T | AISBO | Same as I, #7 above. |
| II | 12 | AMS | SLCBS | Same as I, #3 above. |
| II | 13 | AMS | SLCBS | Same as I, #3 above. |
| II | 14 | TFWMS | ADSBS | Same as I, #2 above. |
| II | 15 | TFWMS | ADSBS | Same as I, #2 above. |
| II | 17 | AMS | SLCBS | Same as I, #3 above. |

2.4.2.3 Comparison to NRC Accepted PRAs and Other IPE's. To provide additional insights on the reasonableness of the licensee's approach and results, we performed a comparison of the VY IPE/HRA with the PRA performed as part of the Peach Bottom NUREG/CR study. Particular points of comparison were selected to assess thoroughness and reasonability of process for identification and treatment of operator actions in important accident sequences. The discussion which follows focuses on the following HRA issues:

- Were pre-initiator and post-initiator operator actions which are known to have been important contributors to CDF or release frequency on similar plants identified, and
- Are the HRA quantitative results generally reasonable when compared with the findings of other similar plant PRAs.

The review and comparison of initiating events and accident sequences is one of the primary issues of the front-end review, and the reader is referred to that review for more detailed information.

In general, the licensee's consideration of pre-initiator type errors reflects typically what has been seen in other PRAs reviewed.

Dynamic operator actions are listed in Table 3.3.3.2 of the submittal. The corresponding lists of operator actions in the NUREG/CR documents reviewed suggest that for the most part similar actions were considered. Because of differences in methods, data sources, level of analysis, assumptions and analyst judgment each HRA is unique. Direct comparison of numerical results is difficult and does not necessarily provide a definitive conclusion. However, general comparisons of range of results and spot comparisons of quantitative values for similar actions provide another indicator of reasonableness of the licensee's approach and rationale. Post-initiator operator actions identified as most important to CDF had HEPs generally in the 1.35E-01 to 1E-04 range which is not exceptional from other IPEs reviewed. Most of the analyses listed similar type actions, although limited one-to-one correspondence between reports was found. One particular VY operator action dealing with the loss of off-site power crosstie to Vernon hydroelectric plant is of particular interest, in that it removes a good deal of the impact from loss of power event seen in NUREG/CR-4550 and other IPEs reviewed. The crosstie is relatively straightforward from an operational perspective, requiring the control room operator to close in two tie breakers from the control room within a 28-minute time window. The HEP assessed for this action is 1.2E-03, which appears reasonable for the cues available and action required.

2.4.3 Enhancements and Commitments.

No major procedural inadequacies were identified by the licensee through the IPE process. The licensee notes in the submittal that VY's 1986 containment study resulted in a number of significant procedure changes which had a beneficial influence on the IPE CDF.

The submittal states that during the Level I and Level II analysis, VY identified additional procedural insights which did not reduce CDF, were not immediately apparent to be cost beneficial, but did have potential for support of VY's "defense in-depth" approach. The IPE provided a listing of these potential procedure enhancements and indicated further evaluation would be completed by March, 1994. Subsequent to the IPE submittal, four of the original thirteen enhancements were dropped from further consideration, including both enhancements associated with Level 2. All of the remaining enhancements are scheduled for completion by November 10, 1995.

The following procedural enhancements were identified by the licensee during the assessment of the IPE:

1) Activating the SLC System so that the "A" SLC Subsystem can be cross-connected to the "B" SLC Subsystem. In this way, an operable "A" Subsystem pump can be connected to an operable "B" Subsystem valve (or "A" valve with "B" pump) and provide additional system availability.
2) Monitoring of ECCS Drywell Pressure Channels PT 10-101A-D and Reactor Low Pressure Permissive Channels PT 2-3-52C and D in the same manner that other ECCS/RPS channels are currently monitored. This refinement would provide early detection of a channel or alignment problem.
3) Exercising key manual valves located in the Service Water Alternate Cooling System to additionally assure their availability.
4) Assuring nitrogen availability for SRV operation whenever Bus 1 or Bus 11 are unavailable during a loss of normal power event. This can be achieved by manually operating the valves locally (versus by normal electrical operation) and by providing additional surveillance on backup nitrogen sources.
5) Using station service water pumps, in addition to the Fire System, as another external injection system to RHRSW-to-RHR crosstie during ISLOCA and LOCA outside containment events.
6) Refilling the CST using Service Water and Condensate Systems when additional makeup rate is required. This method would restore CST level at a capacity of up to 1,000 gpm compared to the normal Demineralized Water System which has a capacity of approximately 100 gpm.

7) Providing more specific instructions for manually cross-connecting fuel oil transfer system so that more options are available to the operator.
8) For certain station blackout sequences, considering DC load shedding and limiting DC power use to conserve battery power.
9) Providing instructions for maximizing CRD flow to the reactor for high pressure-normal injection unavailable sequences.

Several of the potential enhancements will influence the top sequences containing operator actions in Table 3.3 above, for example: 1) improving SLC system availability by cross-connecting between the A and B systems, and 2) manual operation of N2 valves during power outages and additional surveillance of the N2 backup source which supplies the SRVs.

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

The purpose of our document-only review is to enhance the NRC staff's ability to determine whether the licensee's IPE met the intent of Generic Letter 88-20. The Generic Letter had four specific objectives for the licensee:

(1) Develop an appreciation of severe accident behavior.

(2) Understand the most likely severe accident sequences that could occur at its plant.

(3) Gain a more quantitative understanding of the overall probability of core damage and radioactive material releases.

(4) If necessary, reduce the overall probability of core damage and radioactive material release by appropriate modifications to procedures and hardware that would prevent or mitigate severe accidents.

With specific regard to the HRA, these objectives might be restated as follows:

(1) Develop an overall appreciation of human performance in severe accidents; how human actions can impact positively or negatively the course of severe accidents, and what factors influence human performance.

(2) Identify and understand the operator actions important to the most likely accident sequences and the impact of operator action in those sequences; understand how human actions affect or help determine which sequences are important.

(3) Gain a more quantitative understanding of the quantitative impact of human performance on the overall probability of core damage and radioactive material release.

(4) Identify potential vulnerabilities and enhancements, and if necessary/appropriate, implement reasonable human-performance-related enhancements.

The following observations from our document-only review are pertinent to NRC's determination of the adequacy of the VY submittal:

1) Utility personnel were involved in the development and application of PRA/HRA techniques to their facility, and associated walkdowns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built and as-operated plant. The in-house peer review and independent external review appear capable of assuring the HRA process was reasonably addressed and that the analytical techniques used to quantify human error were appropriately applied.
2) The licensee's HRA process considered human actions related to restoration/realignment of equipment following maintenance or test and miscalibration/maintenance errors. The process utilized by the licensee to identify and select the pre-initiator actions included review of procedures and discussion with plant personnel. No numerical screening process was employed to eliminate pre-initiator errors that were not important contributors to CDF. The qualitative guidelines for eliminating certain errors from consideration appear reasonable. Forty-one pre-initiator errors were included in the IPE model. The quantification process used for pre-initiators appears to have been appropriately treated.
3) The licensee's process considered human events that are needed to prevent an accident as well as to mitigate the consequences of an accident. Both response type actions and recovery type actions were addressed. The process used by the licensee to identify and select the post-initiator human events included review of procedures and discussions with appropriate plant personnel. The actions selected for quantification appear to be reasonably comprehensive and appear generally to have been consistent with the guidelines found in EPRI documents. No numerical screening was employed to eliminate post-initiator errors that were not important contributors to CDF. All actions selected were quantified and incorporated into the IPE model.
4) No vulnerabilities were identified. The licensee does not identify important operator actions in the submittal, and it does not appear that importance calculations or sensitivity studies were performed to identify important human contributions. A number of procedure enhancements were identified for further consideration, but not credited in the IPE.

Our overall evaluation and conclusion from the document-only review is that the licensee's HRA process should be capable of providing the licensee with a quantitative understanding of the contribution of human actions to core damage frequency.


4. DATA SUMMARY SHEETS

Important Operator Actions/Errors:

Operator fails to open SRVs for Vessel Depressurization (Small LOCAs and Transients).

Operator fails to initiate Firewater System and John Deere diesel generator for alternate injection (During SBO conditions).

Operator fails to recover Station Service Water and/or RBCCW Cooling.

Operator fails to initiate SLC (Boron Injection) given main condenser is unavailable (ATWS).

Operator fails to initiate HPCI/RCIC Systems (Small LOCAs and Transients).

Operator fails to inhibit ADS during an ATWS Event with insufficient High Pressure Makeup.

Operator fails to initiate Alternate Cooling Mode.

Operator fails to perform RPV Depressurization for Vapor Suppression (during Medium LOCA).

Operator fails to restore Low Pressure Injection after level/power control (ATWS).

Operator terminates and prevents injection before RPV Depressurization (ATWS).

Failure to restore SLC System after routine and post-maintenance flow tests.

Operator fails to start a TBCCW pump from the Control Room.

Operator fails to initiate/control Feedwater and Condensate Systems (MSIV closure transient and Small/Medium LOCA).

Operator fails to establish Vernon Tie.

Operator fails to restore AC power to battery chargers for D1 and D2 (during an LNP condition).

Operator fails to lower water level to TAF for Level/Power Control (ATWS).

Human-Performance Related Enhancements:

(1) Activating the SLC System so that the "A" SLC Subsystem can be cross-connected to the "B" SLC Subsystem. In this way, an operable "A" Subsystem pump can be connected to an operable "B" Subsystem valve (or "A" valve with "B" pump) and provide additional system availability.

(2) Monitoring of ECCS Drywell Pressure Channels PT 10-101A-D and Reactor Low Pressure Permissive Channels PT 2-3-52C and D in the same manner that other ECCS/RPS channels are currently monitored. This refinement would provide early detection of a channel or alignment problem.

(3) Exercising key manual valves located in the Service Water Alternate Cooling System to additionally assure their availability.

(4) Assuring nitrogen availability for SRV operation whenever Bus 1 or Bus 11 are unavailable during a loss of normal power event. This can be achieved by manually operating the valves locally (versus by normal electrical operation) and by providing additional surveillance on backup nitrogen sources.

(5) Using station service water pumps, in addition to the Fire System, as another external injection system to RHRSW-to-RHR crosstie during ISLOCA and LOCA outside containment events.

(6) Refilling the CST using Service Water and Condensate Systems when additional makeup rate is required. This method would restore CST level at a capacity of up to 1,000 gpm compared to the normal Demineralized Water System which has a capacity of approximately 100 gpm.

(7) Providing more specific instructions for manually cross-connecting fuel oil transfer system so that more options are available to the operator.

(8) For certain station blackout sequences, considering DC load shedding and limiting DC power use to conserve battery power.

(9) Providing instructions for maximizing CRD flow to the reactor for high pressure-normal injection unavailable sequences.

REFERENCES

1. A.D. Swain and H.E. Guttmann, "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, Final Report," NUREG/CR-1278F, August 1983.
2. EPRI NP-6560L, "A Human Reliability Analysis Approach Using Measurements for Individual Plant Examination," Electric Power Research Institute, December 1989.
3. NUREG-75/014, "Reactor Safety Study: An Assessment of Accident Risks on U.S. Commercial Nuclear Power Plants, WASH-1400," U.S. Nuclear Regulatory Commission, October 1975.
4. NUREG/CR-2815, "National Reliability Evaluation Program Procedures Guide" (NREP), June 21, 1982.


EXHIBIT A

[Figure 3.3.2: Human error probability curves from Swain (caption partly illegible in the source). Horizontal axis: Time Available for Operator Action (Min.), marked from 5 to 30; vertical axis marked from 0.001 to 1.0. Legible curve labels include high stress, LOCA curve, WASH-1400, single operator, two operators with high dependence, and three operators with high dependence. Some curves are marked as not used and shown only for reference.]

Note: Swain recommended that if it can be judged that plant personnel have a high level of skill in coping with severe accidents, the HEPs from these curves might be decreased by a factor of 2.