ML20101G760
| ML20101G760 | |
| Person / Time | |
|---|---|
| Site: | 05200001 |
| Issue date: | 06/01/1992 |
| From: | Duncan J GENERAL ELECTRIC CO. |
| To: | Kelly G NRC |
| References | |
| NUDOCS 9206260275 | |
| Download: ML20101G760 (11) | |
Text
T
- s, ;.;3 4 ;if iEEig;g g.
8 U
q GEAbcisarEnergy ABWR Date UW I
(' ELL Y Fax No.
To 6LENA
/
b)12 C -
This page plus h page(s)
N' <bVY usil coes __.
From 175 Curtner Avenue San Jose, CA 95'25 Phone (408) 925 _
FAX (408) 925-1193 or (408) 925-1687 Subject IfuM&J PACitaf
/M N" NUr-Puuc-t!
ctsi
- 1/S, /6
%c,j k(%
s l
(
s Message TAL bSad>N lo tx n
_a G
W-n MSAd 7b 867Ym / &ws n
8, C, a D -
n Uf'l 230073
- 8m889 n888am PDR A
FF:"
a.... :
3 g;--.;--- --
/
4 Sensitivity Analysis of HEPs in the ABWR PRA A sensitivity analysis has been conducted of the human error lk probabilities in the Level I ABWR PRA.
The first step in the sensitivity analysis process was to identify and list in ranP of importance all human errors included in the Level I PRA.
That listing is shown in the attached Tables 1 and 2.
Two additional recovery items involving operator action are recovery of offsite power and recovery of Those two items are not included in this diesel generators.
sensitivity analysis since the f ailure probabilities for those items were determined from actual data, not from human reliability analysis, and include factors other than human actions.
The 12 HEPs in Tabl6 1 are the only HEPs that show-up in the top 300 cutsets of the analysis, representing 98% of the total core damage The fearth column in the table gives the HEP value used in frequency.
the PRA.
The fifth column is the error factor (the ratio of the 95th to 50th percontile of the uncertainty distribution) on the HEP, as provided by the 'PRA uncertainty analysis.
In cases where there was no clear basis for determining an error factor, a value of 15 was used.
The sixth column is the Fussell-Vessly Importance, which is a measure The of the percentage contribution of each item to the total CDF.
items in the table are ranked according to decreasing F.V.
The last column is the Risk Achievement Worth, which is another importance measure, and is the factor by which the total CDF would be multiplied if that specific item had a failure probability of 1.0.
All items below #5 (MBMAERl) contribute much less than it, individually, to total CDF.
Most of the items in Table 1, plus CALN002, HFE00BCF, and HPR007CF from Table 2 have a relatively high R.A.W., often because these items have relatively low assigned failure probabilities.
All items on the list except the 15 items identified above have very low F.V. and R.A.W. measures, and are eliminated from further consideration.
The first screening analysis was made by doubling all the failure probabilities (simultaneously) of all of the 15 items identified above, and then reevaluating core. damage frequency.
The resulting CDF was 58.94% higher than the gase CDF.
This result provided an indication that the CDF was fairly sensitive to one or more of the 15 items.
The next sensitivity run was made by increasing the failure probability of each of the 15 items, individually, by a factor of 4.
The factor cf 4 includes the 95th percentile of the uncertainty distribution.
The results are shown it. Table 3.
The top 5 items each resulted in increases in :JF greater than 1%.
The 6th and lower-ranked items each resulted in increases of less than 1/2%, which is considered to be insignificant.
An additional analysis was made, in which the failure probabilities of the 10 items below #5 were increased (simultaneously) by a factor of 4.
=c
)
__ 7. F T ~------
2r i
The result was a 2.33% increase in total core damage frequency, providing a further indication of the relative insensitivit/ of CDP to variability of the failure probability of these 10 items.
Because of the general uncertainty in theoretical human error 'nalysis, a
and the invo;_ad and labor-intensive nature of the various HRA precedures, the ABWR PRA uses screening methods wherever possible.
Even though the HEPs used in the ABWR PRA are screening values and are no sensitivity runs were made with failure probabilities conservative, decreased from the values used in the PRA.
The use of more realistic HEPs would reduce total CDF by a small amount, but would require Use of more realistic HEPs might also additional more-detailed HRA.
change the relative importance and sensitivity of the individual HEPs, but it is doubtful that any basic conclusions or recommendatians would change.
The top 5 items are identified as the most The top 4 items are operator actions that are needed after the accident sequence is initiated (Type C actions).
Each of the operator actions represented by HEPs #1-/4 requires the following:
- 1. The operator must have a clear unambiguous indication of the conditions requiring the action.
- 2. The operator must have the capability of performing the necessary action from the main control room in a simple straightforward manner.
- 3. The operator must have clear written operating procedures regarding the action to be taken.
- 4. The operator must have thorough cimulator training in the conditions requiring the action.
I_
HEP #5 represents a Type A action (occurs prior to initiation of the This error may be an error of emission or an error accident sequence).
To prevent this error from occurring, administrative of commission.
controls must be in place to require independent verification of the valve position following maintenance, positive control of the key to the valvo lock during periods when entry to the containment is possible, and control room verification of the valve position prior to startup.
Discussions of the derivation of the failure probabilities for the five most sensitive actions follow.
All five of the important operator actione relate to makeup of reactor and une (COND) with inventory - four with the reactor at high pressure, the reactor at low (er) pressure.
One of the items (H00BOPHL) is an failed to initiate operatcr action to backup automatic signals thatare actions for recovery of HPCF.
Three of the items (Q, Q2, and COND)
. c
_~
.h____
___________________________._____________-___________s
-[-
...; u
.c.-
n.. -
b (non-safety) systems that were in normal operation and were lost (tripped) at the time of the event.
In cases where failure of the system was the cause of (initiated) the event, no credit was given to Ir scme instances, this is a the operator for recovery of the systen.
The remaining item (HBMAER1) is a Type A very conservative treatment.
operator action resulting in mispositioning of a valve on the HPCF B discharge line.
HOOBOPHL - Failure to Manually Initiate HPCF.
HPCF is automatically initiated if reactor water level decreases to Level 2.
The PRA gives credit to the operator for manual backup of the automatic Lignal.
The value used for the probability of failing to provide manual backup initiation is 0.1.
(This value for manual backup actions is used throughout the PRA wherever the action required is simple and performed from the control room.)
The action required to manually start the HPCS pumps is simple and is performed directly from the control room with ninimal time required for The operator has direct (hardwire) control performance of the action.
for initiation of HPCF B.
Manual initiation of HPCF C is transmitted through multiplex equipment.
Operator action for initiation of HPCF B and C ie modeled as a single action.
The time available to the operator for cognition and performance of the backup action is at least 30 minutes, except for the ATWS and large LOCA events, where the events For those events, the initiating frequency is proceed more rapidly.
low, and the backup manual initiation of HPCF has little effect on CDF.
The estimate of 10% for operator failure probability is made based on a long trail back through GESSAR, the Limerick PRA, Swain and Guttman (NUREG/CR-1270) and even WASH-1400 (see Table G-1 on p.G-4 of August, 1983 issue of NUREG/CR-1278).
In Figures 7-1 and 8-1 of NUREG/CR-4772 (February,1987) curves for suggested screening values and nominal values for diagnosis HEPs are given. In the case of the ABWR backup manual initiation of HPCF, the operator has at least 30 minutes p
available, and the actual operation of starting the pumps (after recognition-of the -need) is simple and requires a minical amount of time.
With at least 30 minutes available for dingnosis, the curves of Figures 7-1 and 8-1 of RUREG/CR-4772 suggest a failure probability of 0.01.
The ABWR PRA uses a conservative screening value of 0.1.
O - Failure to Iniect with Feedwater Durino a Non-Isolation Event.
The ABWR feedvater controller is designed to withstand turbine trips (and other transients) without tripping.
Nevertheless, the PRA analysis assumed (conservatively) that 50% of the non-isolation It initiating events would result in tripping of the feedwater pumps.
was further postulated that in 10% of these cases, the operator would fail to restart feedwater pumps.
(This also is probably conservative, and cince the FW pumps were in operation just prior to the incident, only one pump is needed in the accident sequences.) {
1
.aT. i.
..e n
4' i
As in the case of backup initiation of HPCF, the estimate of operator the Limerick PRA, and failure probability is made based on GESSAR,The same curves in Figures 7-1 and Swain and Guttman (NUREG/CR-1278).
for suggested screening values 8-1 of NUREG/CR-4772 (February, 1987)
In all cases of FW and nominal values for diagnosis HEPs were used.
the operator has at least 30 minutes recovery in the ABWR PRA, available, and the actual operation of restarting a FW pump (after requires a minimal amount of time.
With at recognition of the need) least 30 minutes available for diagnosis, the curves of Figures 7-1 and The value 6-1 of NUREG/CR-4772 suggest a failure probability et 0.01.
of 0.1 used in the ABWR PRA is conservative, - even more conservative because of the higher
,than the value used for initia' Hon of HPCF, frequency of, and greater operator familiarity with, startup of feedwater pumps.
Initiation and control of feedwater and condensate are basic, routine actions which are performed by the operator repeatedly, from the and under a wide spectrum of varying circumstances and control room, There are few, if any, actions nore familiar to the conditions. However, it is essential that the operator have clear operator.
indications of the plant conditions (particularly reactor water level and status of ECCS pumps), that he be thoroughly trained under conditions simulating the spectrum of accident sequences of concern, and that the plant EOPs provide clear instructions.
to Iniect with Feedwater During an Isolation Event 02 - Failure The analysis in the ABWR PRA assumes that 40% of isolation initiating This is based on operating events will be due to loss of feedwater.
data from BWRs in the U.S.
For events that are initiated by loss of This is conservative feedwater, the PRA gives no credit for recovery.
treatment, since many loss-of-feedwater events (.n operating plants) are due to spurious trips which are routinely reset.
The ABWR PRA assumes that 60% of the isolation initiating events will be due to closure of the MSIVs.
The ABWR feedwater controller is designed to ride-through a MSIV closure event without tripping.
Even the ABWR PRA analysis so, as in the case of non-isolation events, asbumes that 50% of the MSIV closure events will result in trip of the feedwater pumps.
Also, as in the case of the non-isolation eve..ts, the probability of failure of the operator to recover feedwater is assigned In this case, the operator must first reopen a value of 0.1 in the PRA It is essential that the operator have the means of the MSIVs.
and have clear instructions reopening the MSIVs from the control room, to do so in the event of falling water level and failure of ECCS pumps It is also necessary that the operator have training in a to start.
wide spectrum of events that require him to reopen the MSIVs.
(0.6
- 0.5 Based on the above factors, the value for Q2 is 0.43 [0.4
+
- 0.1)). -
c
^
..... F.T 577p-(to a Deerespurized Reactori COND - Failure to Iniect with condensate In the PRA analysis, for transient events with successful scram, and credit is given for operator recovery of for the small LOCA event, condensate following failure of high oressure injection and Actually, in most depressurization of the reactor on low water lesel.since condensate pumps vill cases no operator action is required, continue to operate and pump through minimum bypass lines so long as If MsIVs close, operator action power and suction water are availsele. initiate nakeup to the condenser may be needed to reopen MSIVs, since the hotvell has a betwell, or start mechanical vacuum pumps, that are needed to maintain very large supply of water, these actions, Plant administrative suction to the pumps, are very long-term actions.
pror.edures should also require that the valve position be independently The value of 0.1 used for the verified following maintenance.
probability of failure to recover condensate is a very conservctive screening value.
HBMAER1 - Valve E22-F005B Closed fNOFCl Valve E22-F005L is a normally-open valve on the discharge of the B-loop
'alve is a manual locked-open valve located inside of HPCF pump.
Ibis the drywell, anG.ne valve position is indicated in the main control The PRA assigns a probability of 0.01 to the possibility of the Since the valve is inside the room.
valve being closed, due to human error.
the human error must be containment and is a manual locked-open valve, suggests use of a basic NUREG/CR-4772 (ASEP)
Type A (pre-accident). HEP of 0.03 for pre-accident errors, which it considers conservative.
1983 version of NUREG/CR-1278 The ASEP and Table 20-22 of the August, Because of the suggest application of a facter of 0.1 for recovery. valve lock and the control room indi The value of 0.01 application of the recovery factor is reasonable.
used in the PRA is conservative.
HCMAER1, which is the operator error for mispositioning the HPCF C hovaver, it discharge valve, also has a HEP value of 0.01 in the PRA; is much less sensitive than HBMAERI.
This is because there is no hardwire backup for manual initiation of HPCF C.
Table 4 gives a list of human action acronyms that have been deleted frem an earlier issue of the PRA.
The reasons are given in the table. -
==
l a
Table 1 - Iluman Actions in the Too 300 Cutsets (98.0% of CDF)
ASSIGNED
_IMPORTANCE PROP.
E. F..
F_.V.
R.A.W.
i,j j
DESCEIPTION
(%)
l HANK HAME O.10 5
16.0 2.44 Failure to manually initiate HPCF 1.
HOOISOPlil, hardwire backup for FMUX failure - HPCF B)
(Incl.
I-0.0S S
12.5 3.37 2.
Q Failure to inject with feedwater 0.43 S
10.9 1.14 3.
Q2 Failure to inject with feedwater(TIS) u 0.10 15 1.85 1.17
'l 4.
COND Failure to inject with condensate
.', l 0.01 5
1.72 2.71 Valve E22-F005B closed (NOFC)
S.
IIBMAER1 O.10 S
0.15 1.01 l
fails to attempt manual vlv. op.
l 6.
ROERROR4 Oper.
{liackup for RCIC disch. Vlv. (F013)'
l CTG manual disconnect switch [left] open 3E-3 3
0.07 1.24 7
CTGMANSW (Following maintenance on gas t urbine gen. }
1E-4 15 0.07 8.08 8
RECVRII Recovery event for Class II sequences (Oper. falla to initiate firewater inj.(0.1))
SE-S 10 0.05 11.8 Sensor miscalibration 9.
RPR00SCF SE-S 10 0.05 11.8
- 10. RFLOO7CF Sensor miscalibration
- 11. IIFELEBilX Water level 8 sensors miscal. (4 div.)
2E-S 10 0.05 25.8 6E-S 10 0.02 4.09 fails to manually initiate 12.
RILRSPER Oper.
(SP cooling initiation (within 20 hours2.314815e-4 days <br />0.00556 hours <br />3.306878e-5 weeks <br />7.61e-6 months <br />))
B
l (2.01 St CDF.1
- lluman_Ac_tjons BelgwJbe_Xop ?OO Cutsets Table 2 AssicNED
_IMEQET1WCf,__
j
_ERQL__
LL F,V, LM
,.j DESCRIPTION
(%)
HAME CALN002A Miscal. of flow xatrs FT008A,B & C SE-5 10 0.14 28.2 I
0.10 5
0.06 1.01 fails to manually initiate IUIRCFER Oper.
flood A/B/C) t*
(Backup for RIIR core Valve E22-P005C mispositioned (NOFC) 0.01 5
0.05 1.05 l
IICMAER1 D.01 5
O.04 1.00 faiIs to nanua1ly open valve ROERROR3 Oper.
2E-3 5
0.01 1.06 i
Failure of ADS manual init. (backup)
ADSMAN min.
0.10 5
<.01 1.00 fails to initiate within 30 ROOIOPHL Oper.
(Backup for RCIC) 0.01 15
<.01 1.00
{
Failure to restore normal heat renoval I
POIR 0.10 5
<.01 1.00 Failure to actuate RWCU RWCU 0.01 5
<.01 1.00 RSTTCOPF Operator fails to reset trip circuit (RCIC internal trips) i 2E-5 10
<.01 1.07 Doron concentration sampling failure 0.01 10
<.01 1.00 SLC000SA Operator fails to initiate SLC 2E-3 5
<.01 1.00 SLC001HE Operator fails to initiate SLC tank heater SLC0021IE 0.01 5
WOPERR Oper, fails to perform indicated action (Backup to RDCW initiation) 0.01 5
fails to transfer from CST to SP IIUEROR5 Oper.
IE-3 5
VOPERRF Operator fails to start pump initiation 0.10 5
ASECSNA Operator fails to backup N2 the cutset cutoff 1cvel (E-13) i
- Below d
as (2.0Lof CDE1
- Human Actions Delow the You 300 Cutsets Table 2 (continued)
ASSIGNED
__LMPORTMLC_E_.,_
E. V_._
BM V
PROB.
E.F, DEEf31PTION
(%)
NAME initiation 0.10 5
operator fails to backup ARI CMArs
' Electr_i_cla 1E-3 10
<.01 1.06 DIU69C Operator fails to transfer power 1E-3 10 Operator fails to bypass 1E-3 10 E!!UB1 DIUB2 Operator fails to bypass IE-3 10 I,
DIUB3 Operator fails to bypass IE-3 10
/, l Operator fails to bypassfails to xfer stdby charger to Div.I1E-3 10 J
DIUB4 1E-3 10 E!IUS1AD Oper. fails to Xfer stdby charger to Div.II l
10 fails to xfer stdby charger to Div.II.I IE-3 DIUS1BD Oper.
IE-3 10 DIUSICD Oper.
fails to xfer stdby charger to Div.IV DIUS1DD Oper.
Ziiscalibratim s1 SE-S 10 0.01 3.45 IfFEODBCF Miscal. of flow xmtrs SE-S 10 0.01 3.45 IIPROO7CF Miscal. of pressure xntrs.
2E-5 10 Miscal. of pressure xmtrs.
2E-S 10 A!!PT006 Miscal. of CST Icvel sensors SE-5 10
<.01 1.21 RFE63SHX Elec. overspeed sensor miscal.
SE-S 10
<.01 1.11 REOSSMSC RPR309MC High turbine exh. press. xatr. misc'l.
SE-5 10
<.01 1.11 RMOSSMSC Mech. overspeed sensor miscal.
SE-5 10
<.01 1.11 rmtr. miscal.
RPR303MC 1.ow suction press.
Valve Mispo_sitjonsi 0.01 3
Valve F0a inadvertently left open 0.01 5
ROERRORS left open Test valve E22-F009B inadvert.
0.01 5
IIBMADt2 left oper.
Test valve E22-F009C inadvert.
1.8E-4 10 I!CMAER2 Manual override fails initiation signal Manual override fails initiation signal 1.8E-4 10 CODIAMOV 1.8E-4 10 COO 1BMOV Manual override falls initiation signal C001CMOV Below the cutset cutoff level (E-13)
)
9 4 (Individually) g T.able 3 - CDF Increase With _.AUWR FM HRAs MultiDlied by NEW CDF PROB._
E F.
I_lipHEASJ DESCRIPTION BANK
[ LAM _E (t)
O.40 5
47.9 1.
I!OOBOPML Failure to martually initiate HPCF (Incl. hardwire backup for EMUX failure - HPCF B) n O.20 5
37.3 Failure to inject with feedwater 2.
Q 0.40 15 5.39 Failure to inject with condensate Q
3.
COND 0.04 5
4.98
,l 4.
IIBMAERI Valve E22-FOO5B closed (NOFC)
S.
Q2 Failure to inject with feedwater(TIS) 0.52 5
2.28 6.
ROERROR4 Oper. fails to attempt manual vlv. op.
O.40 5
0.44 (Backup for RCIC disch. viv. (F013))
7.
CALN002A Miscal. of fis:w xmtrs FrOOBA,B, & C 2E-4 10 0.41 8.
CTGMANSW C?G manual disconnect switch [left] open 2E-4 3
0.21 (Following maintenance on gas turbine gen.)
]
4E-4 15 0.21 i
7 9.
RECVRII Recovery event for Class II sequences f ails to initiate fitewater inj. (0.1) )
(Oper.
I 2E-4 10 0.15
- 10. RPROOSCF Sensor miscalibration 2E-4 10 0.16 l
- 11. RFLOO7CF Sensor niscalibration
- 12. IIFELEBI!X Water level 8 sent. ors miscal. (4 div.)
S E-S 10 0.15 13.
RIIRSPER Oper. fails to manually initiate 2.4E-4 10 0.06 g
~
(SP cooling initiation (within 20 hours2.314815e-4 days <br />0.00556 hours <br />3.306878e-5 weeks <br />7.61e-6 months <br />))
4 2E-4 10 0.04
- 14. HFE00BCF Miscal. of flow xatrs.
- 15. IIPROO7CF Miscal. of pressure xmtrs.
SE-5 10 0.04 i
I t
f i
4
a T_able 4 - Iluman Action Acronyms Deleted from the Model ZiA!1S DESCRIPTION Operator fails to inhibit ADS with an ATWS (ADS inhibit new automatic)
PA ROERROR7 Valve 1J59 inadvertently left open (Renamed ROERRORS)
IIBMAER3 Manual valve F016B inadvertently left open (Renamed HBF2LER2) ilCMAER3 Manual valve F016C inadvertently left open (Renamed HCMAER2)
IIFL301CF Miscalibration of flow transmitter (Renamed HFE008CF)
Operator fails to attempt manual initiation within 30 min. (Renamed HOOBOPHL) i HOOCOPHL Miscalibration of pressure transmitter (Renamed HPR007CF) 1 HPR305CF b
Failure to manually initiate within 30 min. (Renamed RHRCFER)
COO 1AMOP t
AOPINHB Operator improperly inhibits ADS (HEP deleted - error of ccamission)
Miscalibration of pressure transmitters (Renamed AHPT006)
AHPT303B I
.t t
}
I
_f
~
~
O L
I r
f 4
I s
1 i
--.