ML20101E556

From kanterella
Jump to navigation Jump to search
TER on IPE Submittal Human Reliability Analysis, 940831 Draft Rept & 950831 Final Rept
ML20101E556
Person / Time
Site: North Anna  Dominion icon.png
Issue date: 08/31/1995
From: Haas P
CONCORD ASSOCIATES, INC.
To:
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
Shared Package
ML20101E052 List:
References
CA-TR-94-019-30, CA-TR-94-19-30, NUDOCS 9603250112
Download: ML20101E556 (33)
v  d  e


Text

e O l

l i

Enclosure 4 l l

i NORTH ANNA NUCLEAR PLANT INDIVIDUAL PLANT EXAMINATION TECHNICAL EVALUATION REPORT (HUMAN RELIABILITY ANALYSIS) a 2

s d

s 9603250112 DR 960305 l p ADOCK 05000338 PDR

4 . .

l CONCORD ASSOCIATES. INC. CMR MW30

} Systems Performance Engineers i

t i

j

NORTH ANNA POWER STATION
TECHNICAL EVALUATION REPORT ON THE i i IPE SUBMITTAL i
HUMAN RELIABILITY ANALYSIS l FINAL REPORT 4

l l By

P.M. Haas i

l I

Prepared for:

l U.S. Nuclear Regulatory Commission Omce of Nuclear Regulatory Research Division of Systems Technology Draft Repon August,1994 Final Repon August,1995 11915 Cheviot Drive 725 Pellissippi Parkway 6201 Picketts Lake Drive Herndon,VA 22070 Knoxville,TN 37932 Acwonh,GA 30101 (703) 318-9262 (615) 675-0930 (404) 917 0690

TABLE OF CONTENTS E. EXECUTIVE S UMMARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 E.1 Plant Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 E.2 Licensee IPE Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 E.3 Human Reliability Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 E.3.1 Pre-Initiator Human Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 E.3.2 Post. Initiator Human Actior.s . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

. E.4 Generic Issues and CPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 E.5 Vulnerabilities and Plant Improvements . . . . . . . . . . . . . . . . . . . . . . . . . 4 E.6 Observations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

1. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 i 1.1 HRA Review Process ..................................... 6  ;

1.2 Plant Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 i i  ;

2. TECHNICAL REVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 '

2.1 Licensee IPE Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 I;

2.1.1 Completeness and Methodology . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.1.2 Muld-Unit Effects and As-Built, As-Operated Status . . . . . . . . . . . 8  ;

i 2.1.3 Licensee Participation and Peer Review . . . . . . . . . . . . . . . . . . . . 9 l l 2.1.3.1 Licensee Panicipadon . . . . . . . . . . . . . . . . . . . . . . . . . . 9 j n

2.1.3.2 Peer Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 il

2.2 Pre-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 i 2.2.1 Pre-Initiator Human Actions Considered . . . . . . . . . . . . . . . . . . . 10  !

l 2.2.2 Process for Identification and Selection of Pre-Initiator Human i

! Ac tions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 I 2.2.3 Screening Process for Pre Inidator Human Actions . . . . . . . . . . . . 11 I'

2.2.4 Quantification of Pm-Initiator Human Actions . . . . . . . . . . . . . . . 11 4

2.3 Post-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 2.3.1 Types of Post-Inidator Humaa Actions C#% . . . . . . . . . . . . 13

~

2.3.2 Process for Identificadon and Selection of Post-Initiator Human Acdons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 2.3.3 Screening Process for Post-Initiator Response Actions . . . . . . . . . . 14 2.3.4 Quandfication of Post-Initiator Human Actions . . . . . . . . . . . . . . . 14 2.3.4.1 Response-Type Actions . . . . . . . . . . . . . . . . . . . . . . . . . 14 2.3.4.2 Recovery Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 2.3.5 GSI/USI and CPI Recommendations . . . . . . . . . . . . . . . . . . . . . . 19 2.4 Vulnerabilities, Insights and Enhancements . . . . . . . . . . . . . . . . . . . . . . 20 2.4.1 Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 2.4.2 _ Insights Related to Human Performance . . . . . . . . . . . . . . . . . . . 20 2.4.2.1 Important Response-Type Actions . . . . . . . . . . . . . . . . . 20 2.4.2.2 Important Recovery-Type Actions . . . . . . . . . . . . . . . . . 22 2.4.3 Human Perfonnance Related Enhancements . . . . . . . . . . . . . . . . . 23

y

TABLE OF CONTENTS (Cont'd)
3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS . . . . . . . . . . . . . . . . . . 26
4. DATA

SUMMARY

SHEETS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

...................................................30 4

4 4

l 1

1 1

l i

e I

E. EXECUTIVE

SUMMARY

This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) that is part of the North Anna Power Station (NAPS)

Units 1 and 2 Individual Plant Examination (IPE) submitted by Virginia Power to the U.S.

Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staff in
their evaluation of the IPE and conclusions regarding whsther the submittal meets the intent i of Generic letter 88-20.

. E.1 Plant Characterization i

North Anna Units 1 and 2 are both three loop Westinghouse pressurized water reactor (PWR) units with rated power of 2893 MWt and 915 MWe (net). Unit 1 began wowdal operation in 1978; Unit 2 in 1980. The Surry Plant, also operated by Virginia Power, is i similar in design. Other similar plants in operation include Beaver Valley and Turkey Point. ]

Design features identified by the front-end reviewers that have an impact on core damage l frequency (CDF) and are relevant to human performance include:

= the ability to use charging pumps from the opposite unit tends to decrease the CDF (operator action is required) ,

= automatic switchover of ECCS from injection to recirculation tends to decrease the CDF; operator action to manually switch over has been a significant conuibutor to CDF in some PWR plants

= requirement for mechanical refrigeration to cool the emergency switchgear rooms (ESGR); operator action to restore cooling to switchgear room is an important action.

Two important operator actions specifically cited by the licensee are (1) the restoration of the emergency switchgear room (or main control room) HVAC within 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> as noted above, and (2) failure to initiate high head safety injection, which is required in sequences involving loss of auxiliary feedwater and manually initiated bleed and feed and in pump seal loss of coolant accident sequences.

E.2 Licensee IPE Process -

The HkA approach employed by the licensee was generally complete in scope. Both pre-initiator human actions (actions during maintenance, test, etc.) that could cause failure of important equipment on demand during an accident, and post-initiator human actions (those taken in response to an accident event) were quantified and included in the IPE model. The relatively limited treatment of miscalibration in the pre initiator HRA is considered to be a weakness of the licensee's approach. A notable strength of the post initiator assessment was the use of simulator observations obtained over a two-month period as part of routine license requalification training. These observations pmvided data and insights on operator performance directly applicable to the HRA. The licensee's process for identification and selection of human actions involved review of plant documentation and discussion with plant

personnel. Plant personnel were involved in the development and review of the IPE.

, Documentation review, plant walkdowns and discussion with plant personnel helped to assure j that the HRA represents the as built, as-operated plant. The licensee's independent review process helped to assure that the HRA methods were properly applied. He IPE model was j developed for Unit 1, but the licensee's assessment concluded that the IPE is applicable to i both units. Shared system and multi-unit effects were considered, though dual unit core damage was not addressed.

! EJ Human Reliability Analysis E.3.1 Pre Initiator Hu' man Events The NAPS HRA addressed pre-initiator errors in maintenance, test and surveillance actions by incorporating human error into the systems analysis (fault trees) as a specific cause for system l unavailability. Both restoration errors and calibration errors were addressed, though the treatment of calibration errors was relatively limited. Calibration errors were considered i qualitatively and in some cases were assumed to be included as part of equipment failure data, but the licensee's qualitative evaluation determined that no calibration errors were significant enough to warrant modeling as individual basic events in the fault tree model.

The details of this qualitative assessment are not provided. We consider this limited treatment of calibradon errors to be a weakness of the licensee's HRA approach, though it is not possible to determine from this document-only review how significant this weakness is.

l A more detailed analysis probably would have enhanced the licensee's understanding of the l potential influence of this type of human error on CDF. The treatment of restoration errors

' used the THERP approach. A relatively generic analysis was performed, but some consideration of plant-specific factors was made in assigning error recovery factors and in l considering dependencies among multiple pre initiator human actions. Dependencies were

- evaluated qualitatively, and where a dependency was identified among multiple actions, the actions were treated as a single basic event in the IPE model. His is equivalent to assuming

! complete dependency.

1 I E.3.2 Post-Initiator Human Actions i

The post initiator HRA addressed both response-type and recovery type actions. A reasonably j comprehensive process was employed by the licensee to identify and select the post-initiator

- actions to be included in the IPE model. No numerical screening was performed. All human actions identified as important during the systems and sequence analyses were quantified in

[

the model. The primary methodology used for quantification of post-initiator actions was an l

EPRI approach which treats each post initiator response as a combination of a " cognitive" j

action and an " execution" action. This methodology has been used in other IPEs and has j been reviewed previously. He probability for failure in the cognitive portion is determined 1 primarily from a " time reliability correlation". In the NAPS HRA, estimates of the time I window available were based on results of MAAP calculations, engineering judgment, or i available results from previous calculations. The estimates for time required were based on i

1 2 J

i f

i

i

-_. _ .i

i l ,

judgment supported by plant-specific simulator data and interviews with trainers and other j knowledgeable persons, or in some cases were taken from NUREG/CR-4550, Vol. 3. The probability of failure in the execution phase is determined using THERP.

1 i The licensee's analysis considered plant-specific information in the assessment of operator  :

i response times and in adjusting basic human error probabilities obtained from THERP tables.

4 Data and insights fmm observations of simulator training were significant sources of plant-i specific information. He licensee treated dependencies among multiple actions in a i sequence. The qualitative criteria used to identify dependencies were reasonable, though not as. comprehensive in scope as some PRAs. The quantitative approach was generally i consistent with practice in other PRAs.

Recovery-type actions were quantified (in most cases) using a value of the HEP for'the same

~

or similar actions already quantified as a response action. In some cases, the HEP was modified to account for context-specific conditions, e.g., differences in timing or complexity of diagnosis for the recovery situation vs. the response situation. In many PRAs, conservative

values are applied to recovery actions because of the uncertainty associated with operator i r response under conditions that may be less familiar, less frequently trained for, require transfer to other procedures, etc. It would be overly optimistic to make a general assumption that the probability of failure is the same for a recovery vs. a response type action, even though the specific physical action may be the same. The NAPS analysis did recognize that the " nominal" values obtained for response type actions needed to be adjusted (increased) in specific cases and did make some adjustments based on plant-specific assessment. Values of i recovery HEPs used in the NAPS analysis tend to be somewhat lower than conservative values typically used in PRAs. However, the overall recovery failure probabilities including human and equipment failure do not appear to be unreasonably low. The licensee examined the quantified impact of recovery actions on CDF through. sensitivity studies. The total core i

< damage frequency was reduced by approximately a factor of 3, from 2.2E-04 to 6.8E-05, by credit for recovery actions. This magnitude of reduction is generally consistent with results in other PRAs.

E.4 Generic Issues and CPI The licensee addressed unresolved safety issue (USI) A-45, Decay Heat Removal (DHR).

The front-end reviewer identified the unique or plant-specific design features of North Anna that impact availability to provide DHR. Those features, and the human performance implications of the features, were noted in Section E.1 above, including the necessary cooling of the ESGR, automatic switchover of ECCS to recirculation, and the ability to use charging pumps from the other unit. With regard to Containment Perfortnance Improvement (CPI) recommendations, the licensee addressed the issue of local and global hydrogen combustion and associated threats to containment.

3

i E.5 Vulnerabilities and Plant Improvements The licensee defines a vulnerability as a failure (component fault or human error) that is

significantly greater than others, i.e., that contributes more than ten percent to overall core j damage frequency or is a factor of three greater than the next highest similar event.

l Contributions were evaluated by importance calculations. nree measures of importance are

wyorwd in the submittal for each basic event
Fussel-Vesely, risk reduction worth, and risk achievement worth. No vulnerabilities were identified by the licensee.

i i The licensee identified a number of procedure enhancements and practices that are required as i a result of the IPE. The enhancements / requirements were credited in the IPE, and in some i cases are in place. These enhancements are briefly summarized below:

l 1) Revise all procedures which open AFW full flow recirculation manual valves to add independent verification. Without independent verification of these human actions, the

! estimated CDF would increase fmm 6.8E-05/yr to 7.2E-05/yr.

T 4

2) Revise all procedures which realign Quench Spray or Recirculation Spray headers for
testing to provide independent verification that the headers have been restored to fully operable upon completion of the test. Without independent verification, the esd=*A
CDF would increase to 7.0E-05/yr.
3) Revise EOP 1-E-0, Reactor Trip or Safety Injection, to provide guidance to use the alternate SI header. Without this improvement, the CDF estimate would increase to 7.1E-05/yr.
4) Revise administrative procedures / controls to ensure that the Low Head Safety Injection pump testing is performed in a staggered fashion, i.e., test one pump each 45 days, instead of both pumps at 90 days. The estimated CDF would increase to 7.0E-05/yr if the tests were not staggered.
5) Revise administrative procedures / controls to eliminate preplanned dual outages for the MCR/ESGR chiller train equipment. De estimated CDF ,would increase to 7.1E-05/yr if the dual chiller outages continue at the same frequency as in the past.
6) Improve maintenance practices to limit the mean time to repair (MTTR) MCR/ESGR chiller train equipment to less than 60 hours6.944444e-4 days <br />0.0167 hours <br />9.920635e-5 weeks <br />2.283e-5 months <br /> when one chiller is inoperable, and less than 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> when two chillers are inoperable. The CDF estimate would increase to 8.0E-05/yr if the MITR is not improved.
7) Modify station procedures to provide troubleshooting and repair of MCR/ESGR chiller protection circuitry and reduce refrigerant-related chiller failures. Use historical data to identify sensors / equipment susceptible to failure. Without these changes the estimated CDF would increase to 7.3E-05/yr.

4

In addition, procedures enhancements / requirements to reduce the contribution from flooding were identified. Credit was taken in the IPE for these items. The submittal states that some of them already exist, and that the others should be put into place before the next test interval (typically 18 months).

E.6 Observations The following observadons are pertinent to NRC staff's determination of whether the licensee's submittal met the intent of Generic Letter 88-20:

(1) The submittal and supporting documentation indicates that udlity personnel were involved in the HRA, and that the walkdowns and documentation reviews constituted a viable process for confirming that the HRA portions of the IPE represent the as built, as-operated plant.

(2) De licensee performed an H-house peer review that provides some assurance that the HRA techniques have been correctly applied and that documentation is accurate.

(3) ne relatively limited analysis of pre-initiator human actions is, in our view, a weakness of the HRA approach. The analysis was relatively generic, and in the case of calibration errors was limited to essentially a qualitative review.

(4) The treatment of post-initiator human actions was reasonably complete in scope.

The process for selection and identification of significant human actions to include in the IPE model appears to have been reasonably comprehensive. Both response type and scovery-type actions were included. Quantification of post-inidator errors properly applied the selected HRA techniques. Simulator observations of operator requalification training were employed effectively to obtain data and insights on operator response to accident events. Dependencies among multiple operator actions in a sequence were assessed.

(5) ne licensee identified a number of human actions that were important factors in the overall risk profile for the North Anna units.

(6) He licensee employed a systematic process to screen for vulnerabilities and identify potential enhancements. The process idendfied a number of human-performance-related (procedure) enhancements expected to reduce the likelihood of human error.

the majority of which were related to the seal LOCA event. These enhancements credited in the IPE.

5 i

m

1. INTRODUCTION This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the North Anna Power Stadon (NAPS) Uni.ts 1 and 2 Individual Plant Examination (IPE) submittal from Virginia Power to the U.S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staff in their evaluation of the IPE and conclusions regarding whether the IPE submittal meets the intent of Generic Letter 88-20.

1.k HRA Review Process The HRA review was a " document-only" process which consisted of essentially four steps:

(1) Comprehensive review of the IPE submittal focusing on all information pernnent to

, HRA.

I l (2) Preparation of a draft TER summarizing preliminary findings and conclusions, noting

] specific issues for which additional information was required from the licensee, and

formulating requests to the licensee for the necessary additional information.

I i (3) Review of preliminary findings, conclusions and proposed requests for additional

information (RAIs) with NRC staff and with " front-end" and "back-end" reviewers

! (4) Review of licensee responses to the NRC requests for additional information, and j preparation of this final TER modifying the draft to incorporate results of the

' additional informatior. provided by the licensee and finalize conclusions.

Findings and conclusions are limited to those that could be supported by the document-only review. No visit to the site was conducted. No review of detailed " Tier 2" information was performed, except for selected details provided by the licensee in direct response to NRC

! RAIs. In general it was not possible, and it was not the intent of the review, to reproduce

results or verify in detail the licensee's HRA quantification process. The review addressed
the reasonableness of the overall approach with regard to its ability to permit the licensee to l meet the goals of Generic Letter 88 20.

1.2 Plant Characterization North Anna Units 1 and 2 are both three loop Westinghouse pressurized water reactor (PWR) l:

units with rated power of 2893 MWt and 915 MWe (net). Unit 1 began commercial l operation in 1978; Unit 2 in 1980. The SuiTy Plant, also operated by Virginia Power, is similar in design. Other similar plants in operation include Beaver Valley and Turkey Point.

Design features identified by the front-end reviewers that have an impact on core damage j frequency (CDF) and relevant to human performance include:

) 6 e

t b i

9

  • the ability to use charging pumps from the opposite unit tends to decrease the CDF (operator action is required)

- automa:ic switchover of ECCS from injection to recirculation tends to decrease the CDF; operator action to manually switch over has been a significant contributor in some PWR plants

  • requirement for mechanical refrigeration to cool the emergency switchgear rooms; operator action to restore cooling to switchgear room is an important action.

Two important operator actions WEcally cited by the licensee are (1) the restoration of the emergency switchgear roorn (or main control room) HVAC within 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> as noted above, and (2) failure to initiate high head safety injection, which is required in sequences involving loss of auxiliary feedwater and manually initiated bleed and' feed and in pump seal loss of coolant Eddaat sequences.

e 7

4 3

2. TECHNICAL REVIEW i

2.1 Licensee IPE Process

+ 1 i 2.1.1 Comoleteness and Methodolorv The submittal information on the HRA process was generally complete in scope. Some l additional information and clarification was required from the licensee. That information was l obtained fmm the licensee in response to an NRC request for additional information (RAI).

The HRA appmach employed by the licensee addressed both pre-initiator human actions l (actions during maintenance, test, etc.) that could cause failure of important equipment on demand during an accident, and post-initiator human actions (those taken in response to an accident event). Pre inidator human actions were quantified with a relatively generic (non-i plant specific) analysis following THERP (Ref.1). C#* cation of calibration errors appears to have been quite limited, which is considered to be a weakness of the pre-initi analysis. Post-initiator human actions were quantified using an EPRI methodology (Ref. 2) l' and THERP. Both response-type actions (.mticipated actions in response to an accident event such as those designated in emergency operating procedures), and recovery-type actions (those 4

i involving alternative responses or recovery of failed equipment) were addressed. A notable strength of the licensee's approach was the use of simulator observations obtained over a two-l month period as part of routine license requalification training. These observations provided l

data and insights on operator performance directly applicable to the HRA.

! 2.1.2 Multi-Unit Effects and As-Built. As-Operated Status l 1

  • The IPE model was developed for Unit 1, but was stated by the licensee to be applicable to both units. The two units share service water, component ' cooling water, and instrument air l systems. Initiating events modeled in the IPE that result in dual-unit trip inchc loss of offsite power, loss of service water and loss of instrument air. (The front-end reviewer notes l

that loss of component cooling water also results in a dual-unit trip.) The IPE considers the sharing of systems necessary to maintain one unit in hot standby while mitigating an accid

! at the other unit, but does not address dual-unit core damage.

I The Surry IPE provided a substantial basis of information pertinent to NAPS. Other t( plant-specific documentation assembled and reviewed by the NAPS IPE team inclu l

UFSAR, an earlier fault tree analysis of the Service Water system, P& ids, normal and l emergency operating procedures, contml room logs, and selected thermal hydraulic l- performed previously by the Architect Engineer, Stone & Webster. Contractor m l

the IPE team made a number of site visits early in the project for plant familiarization l

through system walkdowns, data collection, and observations of operator training and performance in the simulator. In addition to these document reviews and plant vis

' licensee cites the following specific actions that were taken to help assure that the NAP represents the as built, as-operated plant:

l 4

8 4

E e

l

1) The study was performed at' Virginia Power's facilities in Richmond, where there was ready access to quality assured design documentation.
2) Analysis files and a PRA document data base were set up for each phase of the model development to ensure that the documents used and decisions made on the basis of a given document were tsvided. 'Ihis helped assum control and consistency of documentation as subsequent design changes are implemented.
3) Mechanical system engineers walked down the system (s) for which they are responsible and reviewed many of the IPE system models for accuracy concerning system operations.
4) Current operating procedures were used in performing the HRA, and some of the operator  !

actions were observed in the simulator and discussed with training staff.

5) Data was acquired from control room logs, Licensee Event Reports, and Deviation Reports.
6) Visits were made to the plant to identify the flooding sources and flood propagation pathways.
7) Site visits, drawings and the Video Disc Information System were used to confirm the layout and arrangement of Containment Building systems.
8) Intermediate reviews of IPE work products and a review of the draft report were performed by station personnel from operations, training, and engineering departments as part of the independent in-house review discussed below.

2.1.3 Licensee Particination and Peer Review.

2.1.3.1 Licensee Participation. The IPE team organization and task structure is discussed in Section 5.1 of the submittal. "Ihe IPE was performed by NUS Corporation with participation by, and technology transfer to, Virginia Power. Three Virginia Power engineers from corporate staff were team members. Each of the three engineers participated in more than one task, so that each task had at least one Virginia Power team member. A notable suength of the HRA process that provided direct involvement of operations / training staff as well as familiarization of the HRA staff with control room operations was_the collection of data from requalification training exercises on the plant-specific simulator. It is our view that the utility  !

personnel were significantly involved in the IPE/HRA, and that the document reviews, plant walkdowns and other actions taken by the licensee provided reasonable assurance that the IPE/HRA models represent the as. built, as-operated plant. .

2.1.3.2 Peer Review. The submittal (Sections 5.2,5.3, and 5.4) describes an independent review process conducted by plant personnel, corporate staff, and consultants. Two senior PRA analysts from Science Applications International Corporation (SAIC) chaired the 9

independent myiew committee and had overall responsibility for the preparation of the independent review reports. A senior analyst from Stone oc Webster Engineering Corporation

- (SWEC) reviewed the containment analysis. Corporate staff involvement was through the Ceryerets Nuclear Safety group, which is independent of the Engineering Group (i.e., from the IPE team engineers). Corporate staff included individuals with experience at Nonh Anna.

Review team members from NAPS included licensed Senior Reactor Operators, Control Room Operators, a Shift Technical Adviser, and a member of the Procedures group.

Representatives from the Systems Engineering group were available on an as-needed basis.

'Ihe review was conducted over a one-week period at the North Anna site. Both the Level 1 and the Level 2 analysis were reviewed, as well as the interface between the two analyses. .'

All comments were h=ated on document review forms. General results and examples of

significant comments are presented in the submittal. The submittal also states that each comment has been msolved. This peer review process appears to have been reasonably thorough and appropdately documented. ,

2.2 Pre Initiator Human Actions

! Errors in performance of pm-initiator human actions, such as failure to astore or properly ,

l align equipment after testing or maintenance or calibration of system logic instrumentation, l may cause components, trains, or entire systems to be unavailable on demand during an l accident, and thus may significantly impact plant risk. Our review of the HRA portion of the

! IPE examines the licensee's HRA process to determine what consideration was given to j pre initiator human events, how potential events were identi6ed, the effectiveness of l quanitative and/or qualitative screening process (es) employed, and the processes for accounting for plant-specific pc ormance o shaping factors, recovery factors, and dependencies i among multiple actions.

2.2.1 Pre-Initiator Human Actions Considered.

1 The NAPS HRA addressed pre-initiator errors in maintenance, test and surveillance actions by )

l incorporating human error into the systems analysis (fault nees) as a specific cause for system l L unavailability. The submittal (page 3-%) defines pre-initiator, or " Type A" human actions as l including calibration as well as maintenance and testing. However, examination of HRA calculations in Appendix D of the submittal indicates that all pre initiators quantified were errors in alignment of equipment (mostly valves) after maintenance or test. No calibration errors were quantified. In response to an NRC RAI, the licensee stated that calibration errors were considered during the systems analysis, but that, "No calibration enors were found to be significant enough to be included in the final IPE fault tree models uniquely represented by a

separate basic event." Them was no further information provided on the qualitative criteria by which the " significance" of an error was detennined. The licensee also stated that, "Some i calibration errors were included in the final model as part of other basic events or discussed j relative to basic events which remained in the final model." "Ihe licensee cites several  !

examples from Appendix A of the IPE submittal which illustrate that calibration errors were j considered qualitatively and in some cases their impact was assumed to be accounted for as l l

! 10 l l

L

C o part of another basic event. For example, common cause failure to properly calibrate containment pressure channels was assumed to be the primary contributor to the failure

probability of 0.1 assumed for common cause failure of the channels. A more detailed plant-j specific and case by-case assessment of the contribution fmm miscalibration pmbably would i have provided the licensee with a more better understanding of the contribution of human i performance, in those actions. However, the licensee's analysis did at least assess

< quelitatively the importance of calibration errors, and in some cases indirectly quantified the impact of those errors.

2.2.2 Process for identificadon and Selection of Pre-Inidatar Human Acrions.

,! The key concems of the NRC staff review regarding the pmcess for identification and selection of pre-initiator human events are: (a) whether maintenance, test and calibration procedures for the systems and components modeled were reviewed by the systems analyst (s),

and (b) whether discussions were held with appropriate plant personnel (e.g., maintenance, l

training, operations) on the interpretation and implementation of the plant's test, maintenance l

j and calibration procedures to identify and understand the specific actions and the specific

! components manipulated when perfonning the maintenance, test, or calibration tasks.

i

) The submittal includes general statements that procedures were reviewed and discussions were held with plant personnel. In addition, the detailed calculation summaries in Appendix D i

i identify specific pmcedures associated with each action quantified and pmvide a succinct -

discussion of each procedure, including the purpose of the psdam, =pae* critical steps, ,

j verification praedce, etc. It appears that at least the procedures associated with the actions j

quantified were reviewed in substantial detail,' and that key assumptions used in the HRA, e.g., independent verificadon, were verified by discussion with plant personnel. Initial identification of actions to be included was based on the Surry IPE. Actions were added or l deleted based on plant-specific differences. Appendix D includes the Surry value of the i

equivalent HEP for direct comparison, where applicable.

2.2.3 Screeninz Process for Pre-Initiator ((uman Actions.

j No numerical screening press was employed to eliminate pre initiator human errors from j- detailed quantification. All pre initiator errors identified as significant by the systems analysts j

were assigned an HEP using THERP (Ref 1.). Nineteen pre-initiator actions were quantified

and isc issi r into the IPE model.

' 2.2.4 Ouantificadon of Pre-Initiator Human Actions.

The quantification of pre-initiator actions consisted essentially of selecting a basic HEP (BHEP) from THERP and modifying the BHEP to account for independent checking. Basic HEPs were selected from the appropriate THERP tables for errors of omission or commission for rule-based actions. These basic error probabilities were modified to account for potential errtr recovery due to independent checking. Two types, or levels, of checking were credited:

11 .

Positive Checkins - an operational or functional check which, if properly performed, indicates that the equipment is in the correct position, and >

Non-Positive Checkins - a visual check or " verification" which relies on plant personnel to confirm that the component is in the cornet position.

Detailed task analysis was not performed as part of the quantification of each action. The potential for positive checking and/or verificadon was considered for each pre-initiator human action quandfied, and the basic HEP obtained from the THERP Handbook was adjusted using the appropriate equation. Consistent with THERP guidance, basic error probabilities from THERP were multiplied by a factor of 2 because NAPS personnel work

'12-hour shifts. Review of the HEP calculations in Appendix D indicates that additional factors, such as tagging practice and potential confusion due to procedural inadequacies were considered, at least qualitatively, in the evaluation of human error. In general, however, there was limited variation in the quantitative results due to consideration of plant-g-i& performance shaping factors. Fifteen of the nineteen pre-initiator human errors in the modeled were quantified at a value of 7.5E-G4; three at a value of 3.8E-4, and one at 1.lE-4. In some cases, credit was taken for planned procedure changes, e.g., the addition of positive checking.

The detailed calculations in Appendix D of the submittal show that dependency was considered for each action, and that no dependency existed. The factors considered in making this subjective evaluadon were r.ot discussed. In response to an NRC RAI, the licensee explained that a dependency analysis was performed early in the HRA process and were not reported in the IPE submittal. In this early analysis, all event ute sequences were reviewed to identify all possible combinations of pre initiator human actions. If a sequence was found to have sp='=nt pre-initiator human actions for any reason, then the dependent actions were combined into a single basic event. This review of sequences for dependencies was repeated during the final quantification to verify that there were no new potential dependencies. This approach of combining dependent actions into a single basic event is a commonly accepted method of accounting for dependencies among pre-initiator human actions.

2.3 Post Initiator Human Actions Human errors in r==~whg to an accident initiator, e.g., by not recognizing and diagnosing the situation properly, or failure to perform required activities as directed by procedures, can have a significant effect on plant risk, and in some cases have been shown to be dominant contributors to core damage frequency (CDF). These errors are refernd to as post-initiator human errors. The NRC staff review determines the types of post initiator errors considered by the licensee, and evaluates the processes used to identify and select, screen, and quantify post-initiator errors, including issues such as the means for evaluating 12 l 1

l

6 ,

i

! timing, dependency among human actions, and other plant specific performance shaping

< factors.

4 1 2.3.1 Tynes of Post-Initiator Human Actions Considered.

. There are two important types of post-initiator actions considered in most PRAs: response-

.tyg actions, which include those human actions performed in response to the first level directives of the emergency operating procedures / instructions (EOPs, or EOls); and, j recoverv-tvoc actions, which include those performed to recover a =padM failure or fault 1 (pnmarily equipment failure / fault) such as recovery of offsite power or recovery of a

front-line safety system that was unavailable on demand earlier in the event. The NAPS HRA addressed both response-type and recovery-type actions.

2.3.2 Pra~<s for Identi&meion and Selection of Post-Initinear Human Actions. t i

L

The primary thmst of our review related to this question is to assure that the process used by the licensee to identify and select post-initiator actions is systematic and thorough enough to provide reasonable assurance that important actions were not inappropnately j precluded from examination. Key issues are whether
(1) the process included review of j plant procedures associated with the accident sequences delineated and the systems

! modeled; and, (2) discussions were held with appropriate plant personnel (e.g., operators

! and training staff) on the interpretation and implementation of plant procedures to identify j and understand the specific actions and the specific components manipulated when i responding to the accident sequences modeled.

4

'Ihe submittal contains general statements indicating that procedures were reviewed and that operations and training personnel were appropriately involved in identificadon and review of operator actions. All response-type actions were included in the EOPs. The detailed documentation of the HEP calculations in Appendix D identifies specific j procedures associated with each response action quantified, and provides a succinct summary of key points pertinent to the assessment of error probability. The purpose of  !

j J each procedure / action is discussed, specific critical steps are identified, and important j

informadon such as instrumentation and displays is provided. As with pre-initiator actions, l the initial basis for selection was actions included in the Surry IPE, and actions were added . I

{ or deleted based on plant-specific assessment. In fact, an initial quantification was i performed using Surry values. Appendix D compares North Anna and Surry HEP values for each applicable HEP.

l Recovery actions were identified from review of dominant sequences after initial l

j quantification. Where it was determined that the conditions associated with a given failure in a cutset would result in the operator using a backup procedure, and it was judged that l sufficient time was available to make the recovery action, the recovery action was included i

l j in the IPE model. '

1

)'

i

! 13 4

l 4

i  :

4 1 i l

i ,

Comparison of human actions selected for incorporation into the IPE model with human actions typically included in other PWR PRAs did not identify any major actions applicable to North Anna that were not included. Most of the actions identified by the NRC front-end reviewer as potentially important to IPE results were included in the model. We believe the licensee employed a systematic process to identify and select potential post initiator actions which provided reasonable assurance that imponant actions were not overlooked.

2.3.3 Screening Pmeess for Post-Initiator Resoonse Actions.

No numerical screening process was employed to eliminate some operator actions from the more detailed quantification. HEPs were developed and included in the IPE model for all of the operator actions identified as important from the systems and sequence analyses.

2.3.4 Ouantification of Post-Initiator Human Actions.

2.3.4.1 Response-Tvoe Actions. The primary technique employed for quantification of post-initiator erron was the EPRI methodology summarized in EPRI NP-6560L (Ref. 2).

A graphic representation of the general logic of this model is presented in Figure 2-1 below. Each response action is considered as a combination of two types of actions: 1)

DETECTIONIDIAGNOSIS MANUAL IDECISiON ACTION Manipulative Failure e Process HPs 3 Informationin a ThnelyManner Cognitive Processingl P3 Procedmalm F (NR Slips) . 2 P2 F @n Response in a giventime window F1 F (NR Mistakes)

S = Success F = Failure ,

. I I

Figure 2-1 Conceptual Model of Operator Response to an Accident Event 14 1

?

Detection / dNaa<is/ decision, or " cognitive" action, and 2) manual action. Enors can occur in the cognitive action via failures in cognitive processing or pmcedural " mistakes",

or they can occur by failing to process information in a timely manner. Errors in manual actions are considered manipulative " slips". The total HEP is a probabilistic combination of the three error probabilities Pi , P2, and P3.

Estimates for P1 and P3 In the NAPS analysis, the probability P iof an unrecovered cognitive " mistake", was viewed essentially as a lower bound for a realistic estimase of the HEP, and was arbitrarily set at a mean value'of 1.0E-04. 'Ihe probability P3of errors in execudon actions, or l

" slips", was aanmarm,I using THERP tables for errors of omianian or commisalon in performing rule-based actions. Consistent with gmdance in the 'IHERP Handbook, estimanen of P 3 were multiplied by a factor of 2 to account for the fact that North Anna operators are on 12-hour shifts. (Note that this does not multiply the overall HEP by a factor of 2, only the execution portion.) No other adjustments were made to basic HEPs  !

l for execution actions to account for site specific performance shaping factors. Recovery factors applied to P3are discussed below.

Estimates for P.

l The value of P was calculated from the lognormal function: 1 2

P3 = 1 - $[ in(T,/f)]

i o

where Tw = time window available l'

Tgg = time required for recognidon o = logarithmic standard deviadon

$(x) = standard normal cumulative distribution Estimates of the time window available were based on results of MAAP calculations, engineering judgment, or available results fmm previous calculations. The estimates for L

time requimd were based on judgment supported by plant-specific simulator data and L

l interviews with trainers and other knowledgeable persons, or in some cases were taken l from NUREG/CR-4550 Vol. 3.

Simulator Data l

l Simulator observations pmvided data on timing and qualitative insights on crew performance, e.g., communications practice, usage of procedures, command and control, and difficulty of diagnosis / detection / decision. Simulator exercises conducted as part of 15 l

l

license requalification training were observed over a two-month period. Training sequences were adjusted as feasible to include specific equipment failures identified during preliminary event / fault tree analysis performed for the IPE. Information was collected by observers and from video tape recordings of the exercises. Data was collected from a total of 7 scenarios, variations of Steam Generator Tube Rupture (SGTR) sequences. The submittal (Appendix D) pmvides a fairly detailed, and in our view, thoughtful, discussion of the strengths and problems associated with obtaining and applying data from simulator exercises. While subjective judgment and caution is necessary to apply simulator data, the quantitative data and qualitative insights obtained from these simulator exercises are a positive contribution to the HRA and a significant strength of the licensee's HRA SPProach.

Variabilirv in Crew Resoonse The shape parameter o in the lognormal distribution represents the variability in the assumed distribution. In the NAPS analysis the HRA analysts use o as an adjustable parameter to represent subjective evaluations about the nature of operator behavior in response to the abnormal event. Increasing the value of a increases the value of the HEP estimated mean. The analysts applied different lues of o, depending on judgments about complexity of diagnosis, prwedures, training, etc., as follows:

o = 0.4 - skill based actions; response to immediate actions in EOPs that are memorized o = 0.6 - actions for which there is procedural guidance in EOPs and there has been training

. o = 0.8 - actions for which there is procedural guidance in non-EOP procedures and there has been training

- o = 1.0 - actions for which erocedural ruidance is indirect. and there has been rlq scenario-soecific training. but crews are knowledgeable about the actions necessary.

As is the case with many assumptions and models in HRA, this model is speculative and does 1 I

not have a firm theoretical or empirical basis. It does offer a convenient mechanism and a systematic, logical approach for the analyst to incorporate subjective judgment based on observations of operator performance. However, the approach is still fundamentally a means of expressing subjective judgment. The results should not be attributed with any greater or less significance because they have been implemented by means of a mathematical formulation.

16 l

l l

I l

.- .. L Credit for Error Recovery The submittal notes that EOPs do not usually have independent verification of operator actions, and usually credit was not taken for recovery of operator error. However, credit was taken for non proceduralized checking of additional station personnel, depending on the time window available, as follows:

(a) If the time window is greater than one hour, credit is taken for recovery of crmes by Technical Support Center (TSC) personnel, if the action is one that can be monitored

- in the TSC. A rwwsy factor of 0.1 is applied to execution enors (i.e., to P3).

(b) If the dme window is greater than 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, credit is taken for both the TSC staff, and a shift change in control room personnel. A factor of 0.1 is applied to both the P2and the P3 tenns.

(c) If the time window is greater than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, additional credit is taken for active checking by operators taking routine surveillance log, plus the fact that two shift changes would have occuned. A multiplying factor of 0.01 is applied to both P2 and P3 tenns. j i

This credit for non-proceduralized checking is speculative, but in our view is reasonable,  !

l particularly since it was applied judiciously to actions for which the timing appears to warrant credit, and since in no case was it applied to basic mistakes in cognitive processing, i.e., to the P3term. Basic mistakes in cognitive processing may lead the operators to errors of commission which could alter the sequence path significantly. In those cases simple models of time driven response, including these recovery factors, would be inappropriate.

Consideradon of Decendencies An impuriant concern in HRA is the treatment of dependencies. Human performance is dependent on sequence specific response of the system and of the humans involved. The likelihood of success on a given action is influenced by success or failure on a preceding action, pfvimance of other team members in parallel or related actions, assumptions about l

the expected level of perfonnance of other team members based on past experience, etc.

j Accounting for dependency among top-level actions in a sequence is panicularly important.

l The human error probability estimates for HRA are conditional probabilities. If dependencies are not ig;;fically accounted for, and HEPs are treated as independent, the probabilistic combination of HEPs can lead to an unrealistically low estimate of human performance overall (i.e., of the joint human error probability), and to a significant underestimate of risk.

The NAPS submittal does not contain a narrative summary of the treatment of dependencies.

However, examination of the detailed HEP calculations in Appendix D indicates that dependency was considered for each HEP.

17

In response to an NRC RAI, the licensee stated that the criteria for identifying dependencies l between operator actions (basic events) were:

l l (1) Do the basic events represent the manipulation of similar equipment to accomplish l different tasks, or l (2) Do the basic events represent the operator attempting to accomplish the same task using different equipment?

If the answer to either question was yes, a dependency was assumed to exist between the two ]

basic events. Rese two " criteria" are reasonable indicators that a significant dependency is likely to exist, but are relatively narrow criteria for identifying dependencies. Different operator tasks on different equipment may very well be dependent if failure / success on the first task influences the likelihood of failure / success on the subsequent task. It is not possible to determine from this document only review whether this limited definition of dependency had a significant impact on the quantitative results of the HRA. It is positive that the licensee identified the potential for dependencies in post-initiator action to increase the overall failure probability for human action (in comparison to treating all actions as independent).

With regard to the quantification of dependencies, the licensee indicated that there were two )

approaches. In some cases, dependent operator actions were combined into a single basic event, similar to the treatment of dependencies in pre-initiator actions. In other cases (such as )

those identified in our review of Appendix D of the submittal) point estimates of the individual failure probabilities were modified to account for the dependency. The licensee also noted in the response to the RAI that dependency between post-inidator tesponse type 1

actions and post-initiator recovery-type actions were considered. Where dependencies between these two types of actions were identified, the combination of those actions was not allowed. (We take this statement by the licensee to mean that credit for the recovery action was not' applied when a dependency existed.) Table B.3.4-1 in the submittal identifies fifteen combinations of recovery and response-type actions that were considered. In nine of those cases, the combination was disallowed; in the remaining six, the combination was allowed.

Overall, the licensee's treatment of dependencies in post-initiator human actions was somewhat narrower in scope than typical, but appears to have been an effective means of quantifying the impact of the important dependencies.

2.3.4.2 Recovery Actions. The recovery analysis is described in Appendix B of the l submittal. Failures in both equipment and human action are considered. De probability of failure of a recovery action is the sum of the failure probabilities for equipment and human action (where a human action was identified). Narrative discussion of the HEP quantification i

is limited, but summary calculations for each recovery failure probability provide a reasonably detailed description of the process (i.e., permit us to infer the process). All human actions ,

credited were proceduralized, though typically not in the EOPs. The procedures associated  !

with each recovery action were evaluated, and sequence-specific impacts on human

18 i

~

7

. o performance were considered qualitatively. In general, the backup action was related to the same or a similar response action that had previously been quantified. Frequently, it was

. judged that the conditions - timing, complexity of diagnosis and an. ion, etc. - were similar to , ,

l conditions evaluated for the response action, and the response-action HEP was used. In some l l cases, the calculation of the previous HEP was recalculated to account for differences in the j specific conditions. i t

This overall approach is reasonable, but results are highly dependent on analyst judgment about the similarity of recover actions to response actions, and the equivalency of factors such  :

as stress on human performance. In many PRAs the HEP values used for recovery actions are considerably higher than for typical response actions. Analysts use what they believe to ,

i

be relatively conservadve values because of uncertainty associated with the estimates under accident conditions in which equipment has failed and the primary response procedures are no longer effeedve or applicable. Even though the action taken may be directed by a system  !

procedure or other backup procedure, and may be physically the same as a " normal" accident i response, the likelihood of success may be impacted by stress, additional workload, increased .

time pressure, etc. These sequence-specific dependencies m2y significandy influence the )'

HEP. In general, the NAPS HEP values for recovery actions are more typical of response actions than of the conservative values usually used in other PRAs. However, it appears that the licensee's approach addressed sequence-specific influences qualitatively and did adjust some of the HEP estimates accordingly. De licensee examined the quantified impact of- i i

recovery actions on CDF through sensitivity studies. The total core damage frequency was reduced by approximately a factor of 3, from 2.2E 04 to 6.8E-05, by credit for recovery actions. Sensitivity analyses are discussed in Section 2.4 below. This magnitude of reduction is generally consistent with results in other PRAs.

2.3.5 GSI/USI and CPI Reccww.er.dations.

Review of the submittal discussions of Generic Safety Issues (GSIs) and Unresolved Safety 1ssues (USIs) is primarily the focus of the front-end reviewer. Review of submittal discussions of any licensee acdons in response to Containment Performance Improvement (CPI) recommendadons is perfumed primarily by the back-end (Level 2) reviewer. If the licensee's discussion of these issues has particular significance to the HRA or human performance issues, those points are included in this review. The licensee addressed USI A-45, Decay Heat Removal (DHR). The front-end reviewer identified the unique or plant-specific design features of North Anna that impact availability to provide DHR. hose features, and the human performance implications of the features, were noted previously in Section 1.2 of this TER. Included were:

4

  • the ability to use charging pumps from the opposite unit tends to decrease the CDF (operator action is required) 19 l

l L

l

. automatic switchover of ECCS from injection to recuculation tends to decrease the l CDF; operator action to manually switch over has been a significant contributor in l some PWR plants I . requirement for mechanical refrigeration to cool the emergency switchgear rooms; operator action to restore cooling to switchgear room is an important action.

The licensee also proposes that USI A-17 related to intemal flooding and GSI-23, RCP seal LOCA are resolved by the IPE submittall .

With regard to Containment Performance Improvement (CPI) 1-x- ..a.idations, the licensee addressed the issue of local and global hydrogen combustion and associated threats to containment. He licensee stated that hydrogen buildup to sufficient concentrations that could result in combustion and failure of containment was unlikely in most accident situations'due to the availability of ignition sources, and that buildup to the level of detonation was not possible in the North Anna containment.

2.4 Vulnerabilities, Insights and Enhancements 2.4.1 Vulnerabilities.

The licensee defines a vulnerability as a failure (component fault or human error) that is signifie=atly greater than others, i.e., that contributes more than ten percent to overall core damage frequency or is a factor of three greater than the next highest similar event.

- Contributions were evaluated by importance calculations, nroe measures of importance are

,@6.d in the submittal for each basic event: Fussel-Vesely, risk reduction worth, and risk achievement worth. No vulnerabilities were identified by. the licensee.

2.4.2 Insiehts Relamd to Human Performance.

2.4.2.1 Imoortant Resoonse-Tyne Actions. Tables 3.4.1-6 and 3.4.1-7 in the submitral provide Fussel Vesely, risk achievement worth, and risk reduction worth importance measures for over 700 basic events, including initiating event fiequencies, component failures, human actions, and recov'zy action failure probabilities comprised of equipment failure and human error. The top een res}onse-type (which are all of this type of actions with Fussel-Vesely importance values grea:er than IE-02) are listed in Table 3-1. The two most important operator acdons contributing to CDF are:

1 The Commission has since disapproved issuance of a proposed rule on GSI-23 for public comment. (Ref. SEC'Y-94-225-Issuance of Proposed Rulemaking Package on GI-23," Reactor Coolant Pump Seal Failure.")

20 l

I

1) HEP-FRH:1 Failure to initiate High Head Safety Iniection (HHST) . This operator action appears in transient sequences involving loss of AFW and the need i for manually initiated bleed and feed, and in pump seal LOCA sequences. This -

vi sw action is the third most important basic event (fifth on the overall list including initiadng frequencies). I

2) HEP-OAP55-10HR - Restoration of Emersency Switchaear Room (ESGR) or Main Control Room (MCR) HVAC within 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />. Operator actions include starung air handlers on the unaffected unit, opening fire doors between switchgear rooms, and opening cabinet doors to cool with portable ventiladon. This action is the tenth i 1

most important basic event (sixteenth on the overall list including initiadng frequencies).

l Table 3-1 l Post-Initiator Human Actions in the Top 100 Basic Events j M DESCRFTION jgf. F-V 1mnort. M HEP-FRit! 11 Initime High Head Safety injection 4.82E 02 1.16E 01 5 Remore ESGR/MCR HVAC,10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> 4.95E 02 7.08E 02 16 HEP-OAP5510HR A steam generator, medium LOCA 1.00E @ 5.96E 02 20 HEP 1FRC:11151 E-

/ 2 1.00E400 3.91E42 35 HEP NO PROCEDURE Operssor action without y.

2.18E 02 333E42 36 HEP 1E3-13 Initiate RCS cooldown. SG11t Remore ESGRMCR HVAC,20 hours2.314815e-4 days <br />0.00556 hours <br />3.306878e-5 weeks <br />7.61e-6 months <br /> 2.6E-04 3.68E 02 J9 HEP OAP55 20HR Initime refill Emergency Condensate Storage Tank 1.75E 04 337E42 42 HEP 1 AP22:5 133E 01 2.50E42 47 HEP 10P49:1 Stanup and shutdown of service waser system Ressore ESGRMCG HVAC,40 hours4.62963e-4 days <br />0.0111 hours <br />6.613757e-5 weeks <br />1.522e-5 months <br /> 1.25E 01 1.66E 02 71 HEP-OAP55-40HR 1.06E42 133E42 80 HEP 1FRC:11152 Depressurise steam generascr, small LOCA The importance of operator action is made evident in the moiwsiy discussion of dominant initiating events, functional failures, and sequences. The functional sequences contributing significantly to CDF are listed in Table 3-2. (Per cent contribution totals more than 100%

because functions occur in multiple sequences.) Failure of operator cooldown and depressurization is a dominant contributor to CDF. In sequences with failure of HHSI, failure to depressurize will prevent the use of Low Head Safety Injection to maintain inventory.

Cooldown also is required to avoid a pump seal LOCA in sequences with loss of emergency power. Human action contributions to failure ofinjection and ESGR cooling were noted above, and operator actions are important in the other functional failures.

The submittal provides a summary of the dominant sequences, i.e.,22 sequences which contributed IE-06/yr or more to the CDF estimate. Operator actions and/or recovery actions 21 )

l~

l including operator action are identified as significant contributors to most of these top sequences, and as the dominant contributor in a number of them.

Table 3-2 Functional Failures Contributing to Core Damage i

l l CDF Function Contnbution Failure of injection 42%

Failure to cooldown and depressurize 36 %

Failure of emergency switchgear room cooling 34 %

Failure of auxiliary feedwater 24 %

Failure of recirculation 13 %

Failure to recover offsite power 12 %

Failure of bleed and feed 1%

Seal LOCA <1%'

2.4.2.2 Imnortant Recoverv-Tyne Actions. Table 3.4.1-12 in the submittal identifies recovery actions quantified. Table 3-3 essentially reproduces that table. Both equipment failure and l

human error probabilities are listed along with the total probability of failure for the recovery action. The dominant recovery actions, per the submittal (page 3-129, revised in the licensee's response to the NRC RAI) are' listed below. Shown in parentheses are the results of a sensitivity study performed by the licensee indicating the impact on the CDF of individually increasing the failure probability for each recovery action to 1.0:

1) REC-IFRH:1 Recovery of main feedwater (93.1% increase in CDF)
2) REC-SCREEN-TURNS - Recovery of (rotate and wash) plugged SW traveling screens (39.4% increase in CDF)
3) REC-1AP28 - Local recovery of Unit 1 Instrument Air
4) REC-10P14:1 - Local opening of RHR valves to recover RHR following a steam generator tube rupture (37.6% increase in CDF)
5) REC-B12 AVE - Recovery of 1H emergency from maintenance in 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> (20.7%

increase in CDF).

An important insight that was apparent from the pre-initiator analysis is the significant reduction in error probability, and hence CDF, afforded by independent verification of manual action. A number of procedure enhancements to require independent verification were identified and were credited in the IPE model. These are noted in the following section.

' 22

i J d l

l l

l Table 3-3 Recovery Actions i

Failure Probability HggE EggikHgEln. .T.nsal Descriotion REC-CONTAINMENT 2E42 04 2E42 Recover sequences, cansain failure, no core damage

-=i=

REC 1ES1:2 2E 03 9E 04 3E 03 Post LOCA cooldown and h REC OOP21:6 6E 04 1E 03 2E43 Recover MCR and relay room air conditioning REC-MMP C MR 2 2E 03 2E 01 3E 01 Troubleshoot and repair MCR chiller units  :

REC SCREEN TURNS 1E41 0.0 1E41 Service waser waveling screen auso rosase and wash REC 1AP2s 1E 01 2E43 1E 01 Recover loss of insmunent air REC 2AP28 1E 01 2E43 1E 01 Recover loss of instrument air REC-1FRH: 14 8E 03 3E 03 1E42 Recover loss of main feedwater l I

REC 10P14:1 1E 01 ' 4E 03 1E 01 Recover RHR REC 1ESI:41 1E 01 4E 03 1E 01 Open MOV valves, hot leg recire l REC B12 AVE 1E 01 0.0 1E 01 Time avgd non secovery of AC power in 12 hr 2.4.3 Human NLiw.ence-Related Enhancements.

The licensee identified a number of procedures enhancements and practices that are required as a result of the IPE. 'Ihese pmcedural enhancementshequirements are discussed in Section 6 of the submittal and succinctly summarized in Table 6-1 (for intemal events) and 6-3 (for flooding). For the internal events, the enhancementshequirements were credited in the IPE, and in some cases are in place. These enhancements are'briefly summarized below:

1) All piuced.s which open AFW full flow recirculation manual valves should be revised to add independent verification. Without independent verification of these human actions, the estimated CDF would increase from 6.8E-05/yr to 7.2E-05/yr, 1
2) All procedures which realign Quench Spray or Recirculation Spray headers for testing j I

should revised to provide independent verification that the headers have been restored to fully operable upon completion of the test. Without independent verification, the )

i estimated CDF would increase to 7.0E-05/yr.

3) Revise EOP 1-E-0, Reactor Trip or Safety Injection, to provide guidance to use the alternate SI header. Without this improvement, the CDF estimate would increase to 7.lE-05/yr.
4) Revise administrative procedures / controls to ensure that the law Head Safety Injection pump testing is performed in a staggered fashion, i.e., test one pump each 45 days, 23 m --n -- - - ,-

> .e instead of both pumps at 90 days. The estimated CDF would increase to 7.0E-05/yr if the tests were not staggered.

5) Revise administrative procedures / controls to eliminate preplanned dual outages for the MCR/ESGR chiller train equipment.- The estimated CDF would increase to 7.1E-05/yr if the dual chiller outages continue at the same frequency as in the past.
6) Improve maintenance practices to limit the mean time to repair (MTTR) MCR/ESGR  !

chiller train equipment to less than 60 hours6.944444e-4 days <br />0.0167 hours <br />9.920635e-5 weeks <br />2.283e-5 months <br /> when one chiller is inoperable, and less than 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> when two chillers are inoperable. The CDF esrimate would increase to 8.0E-05/yr if the MTTR is not improved.

7) Modify stadon pmcedures to provide troubleshooting and repair of MCR/ESGR chiller powcdon circuitry and reduce refrigerant-related chiller failures. Use historical data i to identify sensors / equipment susceptible to failure. Without these changes the estimated CDF would increase to 7.3E-05/yr. ,

Procedures enhancements / requirements to reduce the contribution from flooding were identified. Credit was taken in the IPE for these items. The submittal states that some of them already exist, and that the others should be put into place before the next test interval (typically 18 months). Flooding related procedure requirements include:

1) Inspect the Charging Pump Cubicle drain back flow prevention devices every 18 months and replace if necessary.
2) Administrative control and periodic inspection of all flood dikes and baniers once every 18 months to verify they are in place.
3) Periodic testing of alarms and all automatic equipment actuations for important flooding level switches.
4) Modification of Auxiliary Building Flooding abnonnal procedure to include steps to identify and isolate temotely isolatable floods and RWST floods.

24

.* e

(

i

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS The intent of the IPE is summarized in four specific objectives for the licensee identified in Generic Letter 88-20 and NUREG-1335:

l *

(1) Develop an appreciation of severe accident behavior.

(2) Undentand the most likely severe accident sequences that could occur at its plant.

l (3) Gain a more quantitative undentanding of the overall probability of core damage and radioactive material releases.

(4) If aaca===7, reduce the overall probability of core damage and radioactive material release by appropriate mMi&ations to procedures and hardware that would prevent or mitigate severe accidents.

With *paci& regard to the HRA, these objectives could be restated as follows:

(1) Develop an overall appreciation of human performance in severe accidents; how human actions can impact positively or negatively the course of severe accidents, and what factors influence human performance.

(2) Identify and understand the operator actions important to the most likely accident sequences and the impact of operator action in those sequences; understand how l

I human actions affect or help determine which sequences are important.

t I

(3) Gain a more quantitative understanding of the quantitative impact of human performance on the overall probability of core damage and radioactive material l release.

(4) Identify potential vulnerabilities and enhancements, and if necessary/ appropriate, implement reasonable. human-performance-related enhancements.

The following observations and conclusions are pertinent to NRC staff's determination of whether the licensee's submittal met the intent of Generic Letter 88-20:

The submittal and supporting documentation indicates that utility personnel (1) were involved in the HRA, and that the walkdowns and documentation reviews constituted a viable process for confirming that the HRA portions of the IPE represent the as-built, as-operated plant (at least for the post initiator error evaluation).

25 L

, o .

J 4

l (2) The licensee performed an in house peer review that provides some assurance j- - that the HRA techniques have been correctly applied and that documentation is i J accurate.

(3) Pre inidator human actions were considered in the analysis. Both restoration

errors and miscalibration were considered, though the treannent of calibration l crrors was limited to a qualitative review and subjective quantitative l I consideration as part of equipment failure probabilities. No calibration errors I were judged by the licenses to be significant enough to warrant individual

! quantification as a basic event in the system fault trees. His relatively limir,A i trearmant of calibration errors is a weakness of the licensee's analysis. The I treatment of pre-initiator restoration errors was essentially generic, though some j- plant specific consideradon was applied in assessing performance shaping l (error recovery)' factors and dapa~tancies.  ;

(4) The treatment of post initiator human actions was reasonably complete. He l 1 process for selection and identification of significant human actions to include l

l in the IPE model appears to have been reasonably comprehensive. Both l response-type and recovery-type actions were included. Quantification of l post-initiator errors followed an EPRI methodology and "lEERP. Some consideration was given to plant specific performance shaping factors.

Simulator observations of operator requalification training were employed to j obtain data and insights on operator response to accident events. Lbpa~iancies  !

among multiple operator actions in a sequence were assessed. l l'

(5) The licensee identified a number of human actions that were Lipnt factors in the overall risk profile for the North Anna units. Operator response-type actions were identified as among the most important basic events in the IPE model. And, the licensee conducted sensitivity studies and reported results that-recognized that credit for operator recovery actions were a significant factor in reducing the estimated CDF.

(6) The licensee employed a systematic process to screen for vulnerabdities and identify potential enh=~*ments. The process identified a number of human-performance-related (procedure) enhancements expected to reduce the likelihood of human error, the majority of which were related to the seal LOCA event. These enhancements credited in the IPE.

26

4. DATA

SUMMARY

SHEETS Important Operator Actions / Errors:

The top ten post-initiator response actions, per the Fussel-Vesely importance measure are:

N.F @, DESCRIP110N ME F-V Imnort. Egg (

HEP PRH:1 11 Inisisse High Head Safety Injecuan 4.82E42 1.16E41 5 HEP OAP55-10HR Resense ESGRMCR HVAC,10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> 4.95E42 7.08E42 16 HEP 1PRC:11151 Depressanse mesm generator, medium LOCA 1.00E40 5.96E42 20 HEP-NO-PROCEDURE Operaser acuan without procedure 1.00E40 3.91E42 35 HEP 1E3-13 laisiase RCS cooldown. SG11t 2.18E42 333E42 36 HEP OAP55-20HR Ressore ESGRMCR HVAC,20 hours2.314815e-4 days <br />0.00556 hours <br />3.306878e-5 weeks <br />7.61e-6 months <br /> 2.6E 04 3.68E42 39 HEP 1AP22:5 Initiase refill Emergency Condensase Storage Tank 1.75E.04 337E42 42 HEP 10P49:1 Startup and shutdown of service waser system 133E 01 2.50E42 47 HEP OAP55 40HR Remore ESGRMCG HVAC,40 hours4.62963e-4 days <br />0.0111 hours <br />6.613757e-5 weeks <br />1.522e-5 months <br /> 1.25E.01 1.66E42 71 HEP 1FRC:111 S2 Depressurus steam generator, small LOCA 1.06E42 133E42 80 Human-Performance Related Enhancements: ,

The following enhancerrets related to internal events other than flooding were identified and credited in the IPE model:

1) All procedures which open AFW full flow recirculation manual valves should be revised to add iadaaaadant verification. Without independent verification of these human actions, the estimated CDF would increase from 6.8E 05/yr to 7.2E-05/yr.
2) All procedures which realign Quench Spray or Recirculation Spray headers for testing should revised to provide indapaadant verification that the headers have been restored to fully operable upon compledon of the test. Without independent verification, the estimated CDF would increase to 7.0E 05/yr.
3) Revise EOP 1-E-0, Reactor Trip or Safety Injection, to provide guidance to use the alternate SI header. Without this improvement, the CDF estimate would increase to

-7.1E-05/yr.

4) Revise administrative procedures / controls to ensure that the 1.ow Head Safety Injection pump testing is performed in a staggered fashion, i.e., test one pump each 45 days, instead of both pumps at 90 days. The estimated CDF would increase to 7.0E-05/yr if the tests were not staggered.

27

  • e i l l 5) Revise administrative procedures / controls to climinate preplanned dual outages for the l MCR/ESGR chiller train equipment. The estimated CDP would increase to 7.1E-05/yr if l the dual chiller outages continue at the same frequency as in the past.

i

6) Improve maintenance pracdces to limit the mean time to repair (MITR) MCR/ESGR l

chiller train equipment to less than 60 hours6.944444e-4 days <br />0.0167 hours <br />9.920635e-5 weeks <br />2.283e-5 months <br /> when one chiller is inoperable, and less than 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> when two chillers are inoperable. The CDF estimate would increase to l 8.0E-05/yr if the MTIR is not improved.

7) Modify stadon evcedes to provide troubleshooting and repair of MCR/ESGR chiller protection circuitry and reduce refrigerant-related chiller failures. Use historical data to identify sensots/ equipment susceptible to failure. Without these changes the estimated CDF would increase to 7.3E-05/yr.

l l

Flooding related pmcedure enhancements identified and credited in the IPE include:

l l

l 1)~ Inspect the Charging Pump Cubicle drain back flow prevention devices every 18 months I

! and replace if necessary.

2) Administradve control and periodic inspection of all flood dikes and barriers once every 18 months to verify they are in place.

l

! 3) Periodic testing of alarms and all automatic equipment actuations for important flooding level switches. 4 l 4) ~ Modification of Auxiliary Building Flooding abnormal procedure to include steps to l identify and isolate remotely isolatable floods and RWST floods.

i l

l i

k i

i 28

a ,e w

l 1

I REFERENCES l

~

l 2 1. A.D. Swain and Guttmann, H.E., " Handbook of Human Reliability Analysis with j Emphasis on Nuclear Power Plant Applications, Final Report," NUREG/CR-1278F, August,1983.

2. EPRI NP-6560L, "A Human Reliability Analysis Approach Using Measurements for Individual Plant Examination," Electric Power Research Institute, December,1989.

(Cited as Reference 3.3-18 in the NAPS submittal.)

' j 1

1 l

1 1

4 4

I l

i 1

I

'I t

i s

29

Retrieved from "https://kanterella.com/w/index.php?title=ML20101E556&oldid=2775645"