ML20107K023

TER of IPE Submittal Human Reliability Analysis, Final Rept
Site: Hope Creek
Issue date: 12/27/1995
From: Swanson P, CONCORD ASSOCIATES, INC.
To: NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
Shared Package: ML20107J981
References: CON-NRC-04-91-069, CON-NRC-4-91-69, CA-TR-95-019-38, CA-TR-95-19-38, NUDOCS 9604250381


Text

CONCORD ASSOCIATES, INC.
Systems Performance Engineers
CA/TR-95-019-38

HOPE CREEK GENERATING STATION
TECHNICAL EVALUATION REPORT ON THE IPE SUBMITTAL HUMAN RELIABILITY ANALYSIS
FINAL REPORT

by P.J. Swanson

Prepared for
U.S. Nuclear Regulatory Commission
Office of Nuclear Regulatory Research
Division of Systems Technology

Draft Report, January 13, 1995
Final Report, December 27, 1995

11915 Cheviot Dr., Herndon, VA 22070, (703) 318-9262
725 Pellissippi Parkway, Knoxville, TN 37932, (615) 675-0930
6201 Picketts Lake Dr., Acworth, GA 30101, (404) 917-0690

9604250381 960423 PDR P ADOCK 05000354 PDR

CA/TR-95-019-38

HOPE CREEK GENERATING STATION
TECHNICAL EVALUATION REPORT OF THE IPE SUBMITTAL HUMAN RELIABILITY ANALYSIS
FINAL REPORT

P. J. Swanson

Prepared for
U.S. Nuclear Regulatory Commission
Office of Nuclear Regulatory Research
Division of Systems Technology

Final Report, December 27, 1995

CONCORD ASSOCIATES, INC.
Systems Performance Engineers
725 Pellissippi Parkway
Knoxville, TN 37933

Contract No. NRC-04-91-069
Task Order No. 38

TABLE OF CONTENTS

E. EXECUTIVE SUMMARY
   E.1 Plant Characterization
   E.2 Licensee IPE Process
   E.3 Human Reliability Analysis
       E.3.1 Pre-Initiator Human Actions
       E.3.2 Post-Initiator Human Actions
   E.4 Generic Issues and CPI
   E.5 Vulnerabilities and Plant Improvements
   E.6 Observations

1. INTRODUCTION
   1.1 HRA Review Process
   1.2 Plant Characterization

2. TECHNICAL REVIEW
   2.1 Licensee IPE Process
       2.1.1 Completeness and Methodology
       2.1.2 Multi-Unit Effects and As-Built, As-Operated Status
       2.1.3 Licensee Participation and Peer Review
   2.2 Pre-Initiator Human Actions
       2.2.1 Pre-Initiator Human Actions Considered
       2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions
       2.2.3 Screening Process for Pre-Initiator Human Actions
       2.2.4 Quantification of Pre-Initiator Human Actions
   2.3 Post-Initiator Human Actions
       2.3.1 Types of Post-Initiator Human Actions Considered
       2.3.2 Process for Identification and Selection of Post-Initiator Human Actions
       2.3.3 Screening Process for Post-Initiator Response Actions
       2.3.4 Quantification of Post-Initiator Human Actions
             2.3.4.1 Consideration of Plant-Specific Factors for Response Actions
             2.3.4.2 Consideration of Timing
             2.3.4.3 Consideration of Dependencies for Response Actions
             2.3.4.4 Quantification of Recovery Actions
             2.3.4.5 Consideration of Operator Actions in the Internal Flooding Analysis
             2.3.4.6 Consideration of Operator Actions in the Level 2 Analysis
             2.3.4.7 GSI/USI and CPI Recommendations
   2.4 Vulnerabilities, Insights and Enhancements
       2.4.1 Vulnerabilities
       2.4.2 IPE Insights Related to Human Performance
             2.4.2.1 Important Operator Actions
             2.4.2.2 Sequences Screened Out By Low HEPs
       2.4.3 Human-Related Enhancements

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

4. DATA SUMMARY SHEETS

REFERENCES

APPENDIX A - Sequences Screened Out by Recovery Actions

E. EXECUTIVE SUMMARY

This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Public Service Electric and Gas Company (PSE&G) Individual Plant Examination (IPE) submittal for the Hope Creek Generating Station (HCGS) to the U.S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staff in their evaluation of the IPE and conclusion regarding whether the submittal meets the intent of Generic Letter 88-20.

E.1 Plant Characterization

The Hope Creek Generating Station (HCGS) is operated by Public Service Electric and Gas Company (PSE&G) and is located approximately 18 miles south of Wilmington, Delaware and 30 miles southwest of Philadelphia, Pennsylvania. The HCGS employs a General Electric boiling water reactor, type BWR-4. The unit uses a Mark 1 containment and a natural draft cooling tower. The HCGS began commercial operation in December 1986.

HCGS design features which impact core damage frequency (CDF) relative to other BWR-4 plants include: 1) four diesel generators, 2) both pumps required in SACS and SSW loops, 3) four hour battery lifetime, 4) ability to use alternate injection to the vessel, and 5) automatic actuation of SLC.

E.2 Licensee IPE Process

The HRA process addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). Pre-initiator actions considered included both restoration errors and miscalibration. Post-initiator actions included both response-type and recovery-type actions.

Post-initiator HRA was performed using the Systematic Human Action Reliability Procedure (SHARP), EPRI NP-3583. The particular methods applied to quantify human errors under SHARP included the Technique for Human Error Prediction (THERP), NUREG/CR-1278 for pre-initiator actions, and a combination of the Accident Sequence Evaluation Program (ASEP), NUREG/CR-4772 and the EPRI NP-6560L methodologies for post-initiator actions.

Plant-specific performance shaping factors and dependencies were considered to some degree in both pre-initiator and post-initiator analyses. Human errors were identified as significant contributors in accident sequences leading to core damage, and human-performance-related enhancements were identified and credited in the IPE/HRA or cited for future consideration.

PSE&G employed the services of Halliburton NUS to perform the HRA. Licensee staff with knowledge of plant design, operations and maintenance worked with the contractor throughout the HRA process. Procedure reviews, interviews with operations staff, and plant walkdowns helped assure that the IPE represented the as-built, as-operated plant. An independent review to assure appropriate use of HRA techniques was performed by a peer review team comprised of a contractor and PSE&G staff not involved with the actual performance of the HRA.

E.3 Human Reliability Analysis

E.3.1 Pre-Initiator Human Actions.

The licensee used the ASEP methodology to screen and identify pre-initiator human events to be included in the analysis. A review of HCGS's maintenance, surveillance, test, and calibration procedures was performed to help facilitate identification of pre-initiator human events. The involvement of plant operators and analysts appears adequate to assure a comprehensive assessment of restoration and misalignment errors. There is no mention of maintenance personnel participation in identification and selection of pre-initiator errors (i.e., calibration and restoration errors), but it does appear that maintenance personnel were involved in the review process.

There was no numerical screening performed for pre-initiator human errors.

Miscalibration and restoration errors were quantified using the Handbook of Human Reliability With Emphasis on Nuclear Power Plant Operations and the Technique for Human Error Rate Prediction (THERP). Detailed HCGS-specific HRA event trees were developed for miscalibration, dependent miscalibration of three channels, and restoration error following test or maintenance. The licensee did not attempt to develop task-specific THERP trees for each maintenance procedure but applied a single value for miscalibration error rates and another single value for restoration error rates. Events associated with dependent miscalibration of two instruments and dependent miscalibration of three instruments were each assigned a single value as well. PSE&G states that "a conservative approach to envelop the task by taking advantage of similarities in the procedures" was used. As an additional check on the reasonableness of their approach, the licensee performed a sensitivity study to bound the effects of potential underestimates of miscalibration HEPs. A total of 25 restoration errors and 66 miscalibration errors were included in the fault tree models.

Overall, HCGS's approach for quantifying pre-initiator errors is consistent with the recommendations of the HRA methodology applied.

E.3.2 Post-Initiator Human Actions.

The HCGS IPE addresses activities performed by crews during and after the occurrence of an abnormal event with both response and recovery type actions in post-initiator analysis.

In general, HCGS procedures for system operating, emergency operating, abnormal operating, and alarm response were used to identify and group human actions. The process involved a review of human actions modeled in the system fault trees, through which the analyst identified those operator actions that include manual operation or alignment of components that must be manually initiated and controlled or that back up automatic operation. A list of 41 actions treated in the fault trees is provided in the submittal. Recovery actions were applied in transients, ATWS events, and to the longer-term events such as loss of decay heat removal. If several actions were applicable to a cutset, then the action with the lowest unavailability was applied. The licensee used a numerical screening process to identify and select post-initiator actions for refined analysis. The screening process outlined in the ASEP methodology was used. Operator actions that appeared only in cutsets of 1.0E-07/yr or less were left in the fault tree models at the screening value of 1.0. Operator actions that appeared in cutsets greater than 1.0E-7/yr were evaluated further using refined HEP estimates, and sequences with no operator action modeled were examined to identify potential recovery actions. Additionally, all sequences which would have been above the cutoff criteria were it not for low human error probabilities in recovery actions are well documented with detailed discussion as requested in NUREG-1335.
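The screening and recovery rules described above, as an added example that is not part of the original report or the licensee's analysis. It assumes the usual cutset quantification (initiator frequency times the product of basic-event probabilities); all cutset names, action names and numbers are constructed.

```python
from dataclasses import dataclass
from math import prod

CUTOFF_PER_YR = 1.0e-7   # cutset cutoff quoted in the report
SCREENING_HEP = 1.0      # screening value quoted in the report


@dataclass(frozen=True)
class Cutset:
    name: str
    initiator_freq: float          # initiating-event frequency, per year
    hardware: tuple                # hardware basic-event probabilities
    operator_actions: tuple = ()   # operator actions appearing in the cutset


def frequency(cs, hep):
    """Cutset frequency (assumed form): initiator x hardware x operator HEPs."""
    return (cs.initiator_freq * prod(cs.hardware)
            * prod(hep[a] for a in cs.operator_actions))


def screen_actions(cutsets):
    """Split operator actions into (refine, keep_at_screening_value).

    Every HEP is first set to the screening value. An action is selected for
    refined analysis if it appears in at least one cutset above the cutoff;
    actions seen only in cutsets at or below the cutoff stay at 1.0.
    """
    screening = {a: SCREENING_HEP for cs in cutsets for a in cs.operator_actions}
    refine = set()
    for cs in cutsets:
        if frequency(cs, screening) > CUTOFF_PER_YR:
            refine.update(cs.operator_actions)
    return refine, set(screening) - refine


def recovery_candidates(cutsets):
    """Cutsets above the cutoff that model no operator action at all."""
    return [cs.name for cs in cutsets
            if not cs.operator_actions and frequency(cs, {}) > CUTOFF_PER_YR]


def apply_recovery(freq, applicable):
    """Credit only the applicable recovery action with the lowest unavailability."""
    if not applicable:
        return freq, None
    best = min(applicable, key=applicable.get)
    return freq * applicable[best], best


# Constructed sample data (hypothetical names and values, not from the IPE).
SAMPLE_CUTSETS = [
    Cutset("CS1", 0.1, (1e-3, 1e-2), ("OP-A",)),          # 1e-6 at screening
    Cutset("CS2", 1e-2, (1e-3, 1e-4), ("OP-B",)),         # 1e-9 at screening
    Cutset("CS3", 1e-2, (1e-3, 1e-3), ("OP-A", "OP-B")),  # 1e-8 at screening
    Cutset("CS4", 0.5, (1e-3, 1e-3)),                     # 5e-7, no operator action
]
SAMPLE_RECOVERIES = {"REC-X": 0.1, "REC-Y": 0.02}         # unavailabilities


def run_demo():
    """Screen the sample cutsets, then credit one recovery action on CS4."""
    refine, keep = screen_actions(SAMPLE_CUTSETS)
    candidates = recovery_candidates(SAMPLE_CUTSETS)
    cs4_freq = frequency(SAMPLE_CUTSETS[3], {})
    recovered_freq, chosen = apply_recovery(cs4_freq, SAMPLE_RECOVERIES)
    return refine, keep, candidates, recovered_freq, chosen


if __name__ == "__main__":
    refine, keep, candidates, recovered_freq, chosen = run_demo()
    print("refine:", sorted(refine))
    print("left at screening value:", sorted(keep))
    print("examine for recovery:", candidates)
    print(f"CS4 with {chosen} credited: {recovered_freq:.2e}/yr")
```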

The human events not screened out were quantified using recommended HEP values from ASEP for slips (P3) and mistakes (P1). For non-responses (P2), the simulator-based model in EPRI NP-6560L was substituted for the fixed time curves in ASEP. This allowed incorporation of generic and plant-specific information into the assessments. The time available for operators to respond was determined primarily by a combination of severe accident codes (MAAP) and simulator observations without operator actions under specified conditions. Finally, the three estimates for detection errors (P1), non-response (P2), and post-initiator action errors (P3) were merged into a HEP, and an uncertainty bound (UCB) as recommended in ASEP was assigned. Forty refined human response and recovery actions were included in the final analysis.

Overall, the HCGS treatment of post-initiator human actions appears reasonably thorough and complete. Results from the HCGS HRA are generally consistent with similar BWR-4 plants reviewed.

E.4 Generic Issues and CPI

The licensee's consideration of generic safety issues (GSIs) and unresolved safety issues (USIs) and of containment performance improvements (CPI) recommendations are the subject of the front-end review and back-end review, respectively. The HCGS IPE addresses two generic issues, USI A-45 - Decay Heat Removal, and GSI 105 - Intersystem LOCA Outside Containment.

The analysis of DHR reported in the submittal includes consideration of operator actions typically found in the DHR analysis of other IPEs for similar plants. The licensee credits the closure of Unresolved Safety Issue (USI) A-45 as a result of this analysis. The Interfacing System LOCA (ISLOCA) event trees contain human actions for early isolation, RPV depressurization, establishment of other make-up sources, and late isolation. The licensee states that in the case of operator action for early isolation of a rupture of the Containment Spray (CS) pumps discharge line, the error probability was obtained with order of magnitude estimates (study performed by ERIN) instead of a detailed HEP analysis. For operator action in late isolation of a rupture of the CS pumps discharge line, the operator action was assigned a conservative value of 0.5 because of the uncertainty associated with the operation of the valve (harsh environment), and dependency on previous operator errors. Simulator exercise observations are credited with discovering several insights related to leak isolation during LOCA. Specifically, identification of ruptures/leaks from diverse information systems provided to the control room operating personnel and actions to isolate leaks.

E.5 Vulnerabilities and Plant Improvements

The HCGS IPE defines vulnerability based on NUREG-1335 screening criteria for reporting systemic sequences. To be considered a vulnerability, those sequences meeting the screening criteria must also contribute inordinately to the CDF with respect to either (1) other sequences or events in the IPE, or (2) in comparison with PRA results for other plants.

In the licensee's analysis, transients involving HVAC failure were determined to contribute inordinately to the CDF. For example, loss of switchgear or 1E panel room cooling had an initial CDF of 3.29E-3/yr. In response to this vulnerability the licensee developed a new procedure for providing alternate methods for panel room cooling. The sequence analysis was repeated and credit was taken for the new procedure, which resulted in a reduction of sequence CDF to 9.87E-7/yr. Operator recovery action associated with the new procedure includes taking steps to provide alternative cooling means for electrical equipment in these rooms, i.e., open doors, placement of portable fans, etc. A human error probability of 3.0E-04 was assigned to this action. This is a relatively low value for an HEP, but typical of values seen in other IPE analyses where explicit procedural guidance, considerable time available for accomplishment (12 hours), and emphasis in training are identified.

Additionally, the licensee initiated a detailed review of the success criteria for SSW and SACS to see if some of the conservatism presently in the model could be relaxed by crediting additional operator action. A new procedure for operating SACS with one pump per loop was thought to result in a substantial improvement in CDF resulting from SBO. The licensee reports in their response to NRC's request for additional information that after detailed evaluation it was determined that little benefit was to be derived by taking credit for this operator action.

E.6 Observations

The following observations from our document-only review are pertinent to NRC's determination of whether the licensee's submittal meets the intent of Generic Letter 88-20.

The submittal and supporting documentation indicate that utility personnel were involved in the HRA, and that the walkdowns and documentation reviews constituted a viable process for confirming that the HRA portions of the IPE represent the as-built, as-operated plant. The licensee performed an in-house peer review that provides some assurance that the HRA techniques have been correctly applied and that documentation is accurate.

The licensee's analysis of pre-initiator human actions was reasonably complete, though simplified and relatively generic. Identification and selection of human actions to be quantified included review of calibration, test and maintenance procedures and discussion with plant personnel. Both calibration and restoration errors were included. No numerical screening was performed; qualitative screening that appears to be rational and consistent with other PRAs eliminated some actions from consideration. All actions surviving the qualitative screening were included in the IPE model as basic events in fault trees. The quantification used THERP to analyze four "generic" pre-initiator actions that represented all pre-initiator actions included in the model. Plant-specific and certainly case-specific analysis was very limited. This limits the ability of the licensee to identify factors contributing to human error and therefore plant risk and to identify possible enhancements. However, the analysis appears to have been effective in identifying the relative importance of contributions from pre-initiator human errors.

The treatment of post-initiator human actions included both response-type and recovery-type actions. The process for identification and selection of post-initiator human actions included review of procedures and discussion with plant operations and training staff. Numerical screening based on guidance in the ASEP methodology was employed to eliminate actions or sequences from further consideration. Quantification of human error used the ASEP and EPRI NP-6560-L processes for detailed calculations. The guidance for methodologies used appears to have been followed by the licensee. Evaluation of plant-specific performance shaping factors was included, consistent with the simplified ASEP process, and error recovery factors were included according to ASEP guidance. Dependencies among post-initiator actions were treated in a manner consistent with the ASEP dependency model.

The process used by the licensee to obtain plant-specific data for representation of performance shaping factors, which included simulator exercises, procedure walkdowns and discussion with key plant personnel, is considered a strength in their HRA.

The licensee employed a systematic process to screen for vulnerabilities and identify potential enhancements. Vulnerability screening criteria included NUREG-1335 reporting criteria plus a comparison with other PRA results to identify unusual contributors. In the licensee's analysis, transients involving HVAC failure were determined to contribute inordinately to the CDF. For example, loss of switchgear or 1E panel room cooling had an initial CDF of 3.29E-3/yr. In response to this vulnerability the licensee developed a new procedure for providing alternate methods for panel room cooling. The sequence analysis was repeated and credit was taken for the new procedure, which resulted in a reduction of sequence CDF to 9.87E-7/yr. Operator recovery action associated with the new procedure includes taking steps to provide alternative cooling means for electrical equipment in these rooms, i.e., open doors, placement of portable fans, etc.

1. INTRODUCTION

This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Public Service Electric and Gas Company (PSE&G) Individual Plant Examination (IPE) submittal for the Hope Creek Generating Station (HCGS) to the U.S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staff in their evaluation of the IPE and conclusion regarding whether the submittal meets the intent of Generic Letter 88-20.

1.1 HRA Review Process

The HRA review was a "document-only" process which consisted of essentially four steps:

(1) Comprehensive review of the IPE submittal focusing on all information pertinent to HRA.

(2) Preparation of a draft TER summarizing preliminary findings and conclusions, noting specific issues for which additional information was needed from the licensee, and formulating requests to the licensee for the necessary additional information.

(3) Review of preliminary findings, conclusions and proposed requests for additional information (RAIs) with NRC staff and with "front-end" and "back-end" reviewers.

(4) Review of licensee responses to the NRC requests for additional information, and preparation of this final TER modifying the draft to incorporate results of the additional information provided by the licensee.

Findings and conclusions are limited to those that could be supported by the document-only review. No visit to the site was conducted. No review of detailed "Tier 2" information was performed, except for selected details provided by the licensee in direct response to NRC's request for additional information (RAIs). In general it was not possible, and it was not the intent of the review, to reproduce results or verify in detail the licensee's HRA quantification process.

1.2 Plant Characterization

The Hope Creek Generating Station (HCGS) is operated by Public Service Electric and Gas Company (PSE&G) and is located approximately 18 miles south of Wilmington, Delaware and 30 miles southwest of Philadelphia, Pennsylvania. The HCGS employs a General Electric boiling water reactor, type BWR-4. The unit uses a Mark 1 containment and a natural draft cooling tower. The HCGS began commercial operation in December 1986.

HCGS design features which impact core damage frequency (CDF) relative to other BWR-4 plants include: 1) four diesel generators, 2) both pumps required in SACS and SSW loops, 3) four hour battery lifetime, 4) ability to use alternate injection to the vessel, and 5) automatic actuation of SLC.

2. TECHNICAL REVIEW

2.1 Licensee IPE Process

2.1.1 Completeness and Methodology.

The HCGS submittal is a Level 2 PRA with HRA components in both Level 1 and Level 2 analysis. The freeze date of the IPE model was August 1993. One change to the plant after the freeze date was incorporated into the IPE model, that being the incorporation of a new procedure for the recovery of HVAC to electrical equipment areas.

The submittal provides a reasonably complete summary of the HRA methodology. The primary leadership of the HRA and all calculation of human errors was performed by Halliburton NUS, with PSE&G engineers providing technical assistance throughout the process. HCGS staff with knowledge of plant design, operations and maintenance appear to have had significant involvement in the HRA. The IPE discussions on accident sequence delineation (event trees), systems analysis, internal flooding analysis, decay heat removal (A-45), and back-end analysis all provide reasonably complete descriptions of important human actions addressed. Human-performance-related insights and enhancements are identified.

The HRA process was performed under the Systematic Human Action Reliability Procedure (SHARP), EPRI NP-3583 (Reference 1). The licensee considered both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident) in their analysis. The primary HRA techniques employed to quantify human error included the Technique for Human Error Prediction (THERP) (Reference 2) for pre-initiator actions, and elements of the Accident Sequence Evaluation Program (ASEP) (Reference 3) and EPRI NP-6560L (Reference 4) for post-initiator actions. Plant-specific factors were considered in both pre-initiator and post-initiator analyses. The quantification results (HEPs) for those actions for which the licensee performed "refined" analysis are summarized in the Submittal, but details on the analysis of specific events are somewhat limited. PSE&G did provide, in their response to NRC's request for additional information (RAI), complete and thorough documentation on the quantification process for several requested human error events. The Level 2 analysis used a different approach for treating human actions. In Level 2 analysis, the HRA was performed using the Dougherty and Fragola TRC methodology.

2.1.2 Multi-Unit Effects and As-Built, As-Operated Status.

HCGS is a single unit plant which shares a common site with two Salem units. The only shared system appears to be the electrical switchyard(s), where each plant can receive off-site power via the other's switchyard. This interface does not influence the HRA.

The assembly of information needed to support the IPE included the involvement of HCGS Engineering, Operations, and Training Department personnel. This process included review and assessment of plant documentation, multiple plant system walkdowns, and review of several PRAs for other BWRs. Documentation used in the IPE included: procedures (emergency, operating, test, maintenance and surveillance), UFSAR, and design basis documents. Overall, the submittal documentation and RAI responses indicate that the licensee took steps to provide reasonable assurance that the HRA-related aspects of the IPE model represented the as-built, as-operated plant during the time frame of the IPE development.

2.1.3 Licensee Participation and Peer Review.

The overall coordination of the Level 1 PRA was under the responsibility of PSE&G's Nuclear Engineering Department, Probabilistic Risk Assessment Group. This group provided engineers to support the study, performed portions of the PRA tasks, and reviewed the results. The technical direction of the effort, training of PSE&G's staff, and major portions of the analysis were provided by contractors. Those contractors involved in the HCGS effort include SAIC, Halliburton NUS, Gabor, Kenton and Associates, ERIN, ABB Impell, and Reliability and Performance Associates (RAPA).

The primary leadership for the HRA and all evaluations of human errors was performed by PSE&G's contractor with a PSE&G engineer providing technical assistance throughout the process (IPE Section 2.1.4). Additionally, technically knowledgeable PSE&G and HCGS personnel participated throughout the IPE process, including the review of all applicable plant-specific procedures. The utility's staff involvement in the IPE appears to be comprehensive and extensive.

We believe that the utility personnel involvement in the development and application of PRA techniques to their facility and the associated walkdowns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built and as-operated plant.

An independent review of the IPE and associated documentation was performed in a two-phase approach. First, a senior level review of ongoing work was done by PSE&G's review team leader and consultants. Then, a formal review team was assembled with personnel from PSE&G's Nuclear Engineering Department who were not involved with the development of the IPE. A contractor from the consulting firm of RAPA served as technical lead for the independent formal review. All personnel involved in the review appear to have an appropriate level of experience and expertise which complements one another in covering the entire range of the IPE. The review process for the HCGS IPE is well documented and appears reasonable.

In our opinion, the reviews appear to constitute a reasonable process for an "in-house" peer review that provides some assurance that the IPE analytic techniques were correctly applied and that documentation is accurate.

2.2 Pre-Initiator Human Actions

Errors in performance of pre-initiator human actions (i.e., actions performed during maintenance, testing, etc.) may cause components, trains, or entire systems to be unavailable on demand during an accident, and thus may significantly impact plant risk. Our review of the HRA portion of the IPE examines the licensee's HRA process to determine what consideration was given to pre-initiator human actions, how potential actions were identified, the effectiveness of quantitative and/or qualitative screening process(es) employed, and the processes for accounting for plant-specific performance shaping factors, recovery factors, and dependencies among multiple actions.

2.2.1 Pre-Initiator Human Actions Considered.

Pre-initiator (pre-accident) human errors modeled in the HCGS IPE are those related to the tasks of testing and maintenance. Errors in performing these tasks include miscalibration of sensors and failure to restore components following a test or maintenance activity.

2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions.

The key concerns of the NRC staff review regarding the process for identification and selection of pre-initiator human events are: (a) whether maintenance, test and calibration procedures for the systems and components modeled were reviewed by the systems analyst(s), and (b) whether discussions were held with appropriate plant personnel (e.g., maintenance, training, operations) on the interpretation and implementation of the plant's test, maintenance and calibration procedures to identify and understand the specific actions and the specific components manipulated when performing the maintenance, test, or calibration tasks.

The licensee states in IPE Section 3.3.3.2, that the " methods used to assess pre-initiator operator actions are consistent with the NUREG/CR-4772 and the NUREG/CR-4550 studies." The licensee reviewed HCGS's maintenance, surveillance, test, and calibration procedures to identify the pre-initiator human events to be used in the analysis. From our review of the pre-initiators reported it appears that selection of specific channels to be considered in the analysis of miscalibration error was based on a functional criteria. Also, the licensee evaluated the valves in standby systems to determine whether a restoration error could result in partial or total failure of the system to perform its required function. We believe the involvement of plant operators and analysts was adequate for a comprehensive assessment of restoration and mis;:lignment errors. There is no mention of maintenance personnel participation in identification and selection of pre-initiator errors (i.e., calibration and restoration errors), but it does appears that maintenance personnel were involved in the review process.


2.2.3 Screening Process for Pre-Initiator Human Actions.

There was no numerical screening performed for pre-initiator human errors. The licensee cites the criteria which they used to screen out restoration/misalignment errors, namely:

• components realigned upon demand,
• components which must be tested upon completion of maintenance,
• components which are not affected by maintenance, and
• misalignments that would be noticed on a shift basis, or would be annunciated.

Screening on the basis of "misalignments that would be noticed on a shift basis, or would be annunciated" could result in important human errors being eliminated if the criterion is applied to informal observations. When used in connection with formal administrative control procedures, such as surveillance procedures for logging Technical Specification cited parameters on a shift basis, we believe taking credit for "noticed on a shift basis" would be appropriate. In response to NRC's request for additional information the licensee provided "tier 2" documentation for identifying events screened out. Our review of this documentation indicates that the licensee's application of the criteria appears reasonable and should not have eliminated important human error.

2.2.4 Quantification of Pre-Initiator Human Actions.

The probability of error in performing pre-initiator human actions can vary substantially (up or down) from "generic" estimates because of plant specific factors affecting human performance. Examples are plant-specific "recovery factors" that exist due to plant design features or operational practice, or dependencies among multiple restoration/miscalibration tasks that may exist as a result of "systemic," but perhaps subtle, human performance problems in training, procedures, etc. If the licensee is to gain a realistic understanding of the potential impact of pre-initiator human error on plant risk, it is important that the HRA include a reasonably rigorous assessment of these plant-specific factors and dependencies. While the numerical HEP estimate is important, the benefit gained from the pre-initiator HRA is to a large degree a function of the rigor of this more qualitative evaluation of plant-specific factors.

Miscalibration and restoration errors were quantified using the Handbook of Human Reliability With Emphasis on Nuclear Power Plant Operations and the Technique for Human Error Rate Prediction (THERP). IPE Tables 3.3.3-1 and 3.3.3-4 present the conditions and procedures (administrative controls) associated with calibration and maintenance/restoration respectively. These conditions and procedures are used to support the selection of the specific THERP tables and specific values therein used to quantify the HRA event trees (THERP models). General assumptions/administrative controls which were used by the analyst in quantifying calibration errors include:


• Calibration is normally performed every 3, 6, 12, or 18 months as applicable.

• Each calibration is covered by a separate procedure.

• Calibration teams normally involve two or more people; one person performs the calibration and the other person observes the work and checks off each step as it is completed.

• Procedure sheets have a before calibration reading entry and an after calibration entry which are to be compared when calibration is completed (prior to shift foreman sign-off).

• The I&C maintenance foreman checks the consistency of "before-and-after" readings after the calibration. This is accomplished within three working days.

• Some of the instrument panel checks are completed by reactor operators observing the indicated value from the calibrated instrument, and comparing those readings with other instrument readings.

• Calibration procedures involve a second person or group to check the procedure.

• I&C technicians can close and open most instrument sensing line valves with approved test procedures and shift foreman permission. Other sensing line valves must be closed (and opened) by an operator.

For restoration or misalignment type pre-initiator errors, the following assumptions/administrative controls were applied:

• Scheduled maintenance (involves routine preventative maintenance performed on a regular schedule) may be performed while the unit is at power.

• Unscheduled maintenance (corrective maintenance performed when a component fails) can be performed during power operation, within the Technical Specification guidelines.

• Most maintenance acts have an applicable set of procedures.

• Operations personnel perform all isolation before maintenance and realignment after maintenance.

• After maintenance is complete, the shift supervisor approves removal of the blocking tags.

• Maintenance teams normally involve two or more people; one or more to perform the maintenance and one person to observe the work and check off each step as it is completed, if there is an applicable procedure.

• Each component maintained is tested for proper operation following maintenance, if required.

• The maintenance supervisor verifies that blocking tags are physically in place for personnel safety prior to allowing any personnel to start work on a component.

• When components in safety-related systems are tagged out, and again when the tags are released, a second operator independently verifies the tag/release. This is in addition to the maintenance personnel verification.

The submittal includes the detailed HCGS-specific HRA event trees for miscalibration (Table 3.3.3-2), dependent miscalibration of three channels (Table 3.3.3-3), and restoration error following test or maintenance (Table 3.3.3-5). A detailed examination of plant-specific calibration and restoration (following maintenance) procedures was performed by the licensee to ensure technical accuracy of the plant-specific models. The licensee applied a single value of 3.0E-03 per calibration for miscalibration error rates and 5.0E-3 per test or maintenance for restoration error rates. Dependent miscalibration of two instruments was assigned a probability of 5.0E-4, while dependent miscalibration of three instruments was assigned 3.0E-4. Dependent restoration errors were treated as contributors to the beta and gamma factors for common cause failures.

Component unavailability (UA), due to miscalibration or restoration, was determined with the following equation:

UA = (HEP) (FDT) (INTRVL)

where:

HEP = miscalibration (or restoration) error probability,
FDT = fault duration time before detection, and
INTRVL = interval between calibrations (test or maintenance).

The licensee considered a total of 25 restoration errors and 66 miscalibration errors in the fault tree models.

Overall, HCGS's approach for quantifying pre-initiator errors is generally straightforward and appears consistent with the recommendations of the Handbook. However, the pre-initiator HRA did not attempt to develop task-specific THERP trees for each maintenance procedure but used what PSE&G terms as "a conservative approach to envelop the task by taking advantage of similarities in the procedures". As an additional check on reasonableness of their approach, the licensee performed a sensitivity study to bound the effects of potential underestimates of miscalibration HEPs. All events were simultaneously increased by a factor of 10 in the model which resulted in an increase of CDF by 28%. The major contributor to the change noted in CDF was attributed to the effect of miscalibration on the ESF (actuation) support system.

2.3 Post-Initiator Human Actions

Human errors in responding to an accident initiator, e.g., by not recognizing and diagnosing the situation properly, or failure to perform required activities as directed by procedures, can have a significant effect on plant risk. These errors are referred to as post-initiator human errors. Our review assesses the types of post-initiator errors considered by the licensee, and evaluates the processes used to identify and select, screen, and quantify post-initiator errors, including issues such as the means for evaluating timing, dependency among human actions, and other plant-specific performance shaping factors.

2.3.1 Types of Post-Initiator Human Actions Considered.

There are two important types of post-initiator actions considered in most nuclear plant PRAs: (1) response actions, which are performed in response to the first level directives of the emergency operating procedures/instructions (EOPs, or EOIs); and, (2) recovery actions, which are performed to recover a specific failure or fault, e.g., recovery of offsite power or recovery of a front-line safety system that was unavailable on demand earlier in the event.

The HCGS IPE addresses activities performed by crews during and after the occurrence of an abnormal event with both response and recovery type actions in post-initiator analysis. In the discussion of "refined" analysis performed, the submittal refers to all post-initiator actions as recovery actions.

2.3.2 Process for Identification and Selection of Post-Initiator Human Actions.

The primary thrust of our review related to this question is to assure that the process used by the licensee to identify and select post-initiator actions is systematic and thorough enough to provide reasonable assurance that important actions were not inappropriately precluded from examination. Key issues are whether: (1) the process included review of plant procedures (e.g., emergency/abnormal operating procedures or system instructions) associated with the accident sequences delineated and the systems modeled; and, (2) discussions were held with appropriate plant personnel (e.g., operators or training staff) on the interpretation and implementation of plant procedures to identify and understand the specific actions and the specific components manipulated when responding to the accident sequences modeled.

The submittal states that key operator actions that could have an impact on the consequence of an event sequence were selected using three methods. In general, HCGS procedures for system operating, emergency operating, abnormal operating, and alarm response were used to identify and group human actions. The first method addresses human actions modeled in the system fault trees, through which the analyst identified those operator actions that include manual operation or alignment of components that must be manually initiated and controlled or backup automatic operation. A list of 41 actions treated in the fault trees is provided in Table 3.3.3-7 of the submittal. The second method presented involves recovery actions applied to sequence cutsets. Here the recovery actions were applied in transients, ATWS events, and to the longer-term events such as loss of decay heat removal. If several actions were applicable to a cutset, then the action with the lowest unavailability was applied. Specific details on the formulation of specific timing criteria and determination of which actions did or did not meet timing criteria are not provided in the submittal. Finally, refined recovery actions were selected to replace combined human actions. These recovery actions are typically cutset dependent. Therefore, they were applied at the cutset level after the initial sequence cutsets had been grouped into similar sequences.

2.3.3 Screening Process for Post-Initiator Response Actions.

Initial screening of post-initiator errors was quantified with all actions identified in the initial models set to 1.0 in order to see all combinations of operator actions to ensure that all dependencies of operator actions were known. However, there were an unmanageable number of cutsets which would have dropped below the reporting screening criteria once the recovery actions were applied. Therefore in a second screening step a new value of 0.1 was assigned. This resulted in many cutsets with 1 to 3 human actions combined with several equipment failures. The value of each of those human actions was then assigned a probability of 1.0. The resulting cutsets were examined, and if the recovery actions were separate in time, then the screening process outlined in the ASEP procedure was used. For example, if the first recovery action in a cutset was based on a detailed quantification, then the second action was included in the quantification by multiplying by the greater of either the detailed HEP assessment for the second action or 0.03 as recommended for screening in the guidance document. If a third action was identified, a HEP of 0.1 was assigned (or detailed assessment HEP, if greater). The licensee states that this process accounts for human action dependencies during the sequence quantification.

Operator actions that only appeared in sequences of 1.0E-07/yr or less were left in the fault tree models at the screening value of 1.0. Operator actions that appeared in sequences greater than 1.0E-7/yr were evaluated further using refined HEP estimates, and sequences with no operator action modeled were examined to identify potential recovery actions.

Additionally, all sequences which would have been above the cutoff criteria were it not for low human error probabilities in recovery actions are well documented with detailed discussion as requested in NUREG-1335.

2.3.4 Quantification of Post-Initiator Human Actions.

The human events not screened out were quantified using recommended HEP values from NUREG/CR-4772 for slips (P3) and mistakes (P1). For non-responses (P2), the simulator based model in EPRI NP-6560L was substituted for the fixed time curves in NUREG/CR-4772. This allowed incorporation of generic and plant-specific information into the assessments. The time available to operators to respond was determined primarily by a combination of severe accident codes (MAAP), and simulator observations without operator actions under specified conditions. This accounted for combinations of working and inoperative control systems. The transient information was used to estimate the time to core uncovery, conditions for actions to protect the suppression pool, and construction of timing information for cutset analysis. Finally the three estimates for detection errors (P1), non-response (P2), and post-initiator action errors (P3) were merged into a HEP and an UCB as recommended in NUREG/CR-4772 was assigned.

Operator actions that proved to be dominant contributors to accident sequence underwent further analysis by means of a refined (normal) HRA. The refined analysis was performed using NUREG/CR-4772 analysis procedure and time dependent model and data developed in EPRI-6560L. The refined assessment reduced conservatism introduced through HRA screening, and identified specific actions that are important for maintaining the risk at the expected level. Table 2.2-1 lists the 40 human recovery (response and recovery) actions and results for those operator actions subjected to refined analysis. The licensee did not distinguish between response and recovery actions in their analysis; both were treated with the same analysis with exceptions noted.

Table 2.2-1, Post-Initiator Operator Response and Recovery Actions Modeled.

| IDENTIFIER | DESCRIPTION | HEP |
|---|---|---|
| NR-AIR-24 | Failure to recover the IAS within 24 hours | 5.7E-3 |
| NR-ATWS-ADS-INH | Failure to inhibit ADS during an ATWS* | 7.5E-2 |
| NR-ATWS-ARI | Failure to manually initiate ARI | 1.4E-2 |
| NR-ATWS-DEP | Failure to manually depressurize the RPV during an ATWS | 5.6E-2 |
| NR-ATWS-HPCI-30M | Failure to initiate HPCI during an ATWS | 5.0E-2 |
| NR-ATWS-HPCI-CS | Failure to isolate HPCI injection through the Core Spray piping during an ATWS | 2.4E-1 |
| NR-ATWS-LCNTL-LO | Failure to control RPV water level with LPCI during an ATWS | 4.7E-1 |
| NR-COND-5 | Failure to restart condensate pumps after other injection systems fail | 3.7E-2 |
| NR-DG-4 | Failure to recover D/Gs within 6 hrs (independent failures of D/Gs)* | 7.0E-1 |
| NR-DG-DF4 | Failure to recover D/Gs within 6 hrs (common cause failures of D/Gs)* | 6.0E-1 |
| NR-HPCI-LCNT-HIE | Failure to control RPV water level using HPCI during an ATWS to prevent core damage | 4.6E-2 |
| NR-HVC-PNRM-12 | Failure to provide alternate ventilation to the Panel Room within 12 hrs after loss of HVAC | 3.0E-4 |
| NR-HVC-SWGR-24 | Failure to provide alternate ventilation to the Switchgear Room within 24 hrs after loss of HVAC | 1.6E-4 |
| NR-IGS-24 | Failure to restart the EIAC after RACS cooling has been restored following a LOCA isolation | 3.8E-3 |
| NR-LOSP-24 | Failure to restore offsite power within 24 hrs | 2.2E-3 |
| NR-LOSP-12 | Failure to restore offsite power within 12 hrs | 1.5E-2 |
| NR-LOSP-6 | Failure to restore offsite power within 6 hrs* | 5.0E-2 |
| NR-LOSP-5 | Failure to restore offsite power within 5 hrs | 7.0E-2 |
| NR-LOSP-1 | Failure to restore offsite power within 1 hour | 4.0E-1 |
| NR-LOSP-40M | Failure to restore offsite power within 40 minutes | 5.5E-1 |
| NR-LOSP-30M | Failure to restore offsite power within 30 minutes | 6.0E-1 |
| NR-PCS-24 | Failure to restore the PCS within 24 hrs following a turbine trip or MSIV closure initiating event | 7.0E-4 |
| NR-PCS-1 | Failure to restore the PCS within 1 hour* | 6.0E-1 |
| NR-PCS-40M | Failure to restore the PCS within 40 minutes | 9.0E-1 |
| NR-Q-FWLVH4M | Failure to prevent a level 8 trip of feedwater during a transient | 1.4E-2 |
| NR-Q-FWLYL-24M | Failure to prevent a level 8 trip of feedwater during a small LOCA | 4.9E-3 |
| NR-RACS-24 | Failure to restore the RACS after a LOCA isolation* | 3.1E-3 |
| NR-RHR-LNTT | Failure to initiate RHR for decay heat removal within 24 hrs | 5.0E-5 |
| NR-SLEAK-ISO-15M | Failure to isolate recirculation pump seal LOCA | 4.2E-2 |
| NR-SPL-LYLL-4 | Failure to align core spray to the CST for long-term injection (without DHR)* | 1.1E-1 |
| NR-U1X-DEP-30M | Failure to manually depressurize the RPV within 30 minutes* | 7.3E-3 |
| NR-U1X-DEP-40M | Failure to manually depressurize the RPV within 40 minutes | 5.2E-3 |
| NR-U1X-DEP-60M | Failure to manually depressurize the RPV within 1 hour* | 4.6E-3 |
| NR-UV-ECCS-1 | Failure to manually initiate ECCS within 1 hour | 3.9E-2 |
| NR-UV-WTLYL-20M | Failure to control RPV water level with high pressure injection systems (non-ATWS) | 4.3E-2 |
| NR-VENT-3 | Failure to initiate containment venting | 2.0E-3 |
| NR-WW1-SWP-1 | Failure to manually start SSWS or SACS pumps within 1 hour | 1.2E-2 |
| NR-WW1-SWP-12 | Failure to manually start SSWS or SACS pumps within 12 hours | 1.9E-4 |
| NR-WW1-SWP-20 | Failure to manually start SSWS or SACS pumps within 20 hours | 7.4E-5 |
| NR-WW1-SWP-40M | Failure to manually start SSWS or SACS pumps within 40 minutes* | 1.6E-2 |

* This action appears in the top 30 event failures as determined by risk reduction measure.

The quantification process used by the licensee to complete the refined assessment which generated the above listed results includes the following 11 steps:

1) Define recovery actions that decrease a sequence below 1E-7/yr whose screening value is less than 0.1 for a cutset. This includes the combination of all recovery actions modeled in the fault trees and non-recovery actions that result from the examination of the information contained in the cutset. The qualitative insights gained from simulator observations were used to define the nature of the recovery action.

2) For the recovery actions that are not included in the fault trees, apply the appropriate recovery action identifier to the cutset.

3) Starting with the Basic HEPs for errors of omission and commission in NUREG/CR-4772 (treated as slips - errors in actions P1 and mistakes - errors in diagnosis P3 in EPRI-6560L), apply the PSFs for procedures, practice, feedback, interface designs, stress and task complexity.

P1 = PSFs1 * HEPo

P3 = PSFs3 * HEPc

4) Estimate the time dependent part of the non-recovery probability by first determining the times for action and system time allowed. These times can be determined from thermal-hydraulic calculations, simulator observations, experienced events, or expert judgement as recommended in NUREG/CR-4772. Specifically,

TM (the maximum time in which both phases of the recovery action must be completed) is estimated using thermal-hydraulic computer codes which provide time dependent information on core or containment parameters (i.e., pressure, temperature, water level, etc.), and/or information based on equipment failure characteristics (loss of room cooling, seal cooling, etc.).

TA (the time required to physically accomplish the action phase) can be conservatively estimated as the sum of the maximum time required to reach the area where the action is to be accomplished and the time required to accomplish the action - these should be based on actual measurements where possible.

Estimate the time available to diagnose the recovery action, Td, by the following expression:

Td = TM - TA

5) Estimate the median response time, the type of cue that triggers the action or the level of cognitive processing required. Observations of simulator training, studies of procedures and walkdown of the plant support these plant-specific assessments. Options are to use the standard conservative curve provided in NUREG/CR-4772, or grouped data from simulator observations provided in NUREG/CR-4834 Vol 2. The desired approach in this study is to use plant-specific simulator observations, and to gain risk reduction insights through the process.

6) Obtain an estimate of the median failure probability for the time dependent non-recovery portion, P2, using the correlation from EPRI-6560L or NUREG/CR-4834 data described in step 5.

P2 = 1 - Φ[ln(Td/Th)/σ]

Where Φ(.) is the standard normal cumulative distribution, Td is the decision time, Th is a median time estimate for crew responses, and σ is the standard deviation of normalized time derived from data in EPRI-6560L to represent the type of cue or cognitive processing required for the task.

7) Estimate the median HEP for the action phase of the recovery task by assessing P1 and P3, and by applying the PSFs for each. Alternate methods using RMIEP, or the models in the Handbook can be used. These involve the development of action-specific logic trees to represent each error.

Values for P1 and P3 were taken from NUREG/CR-4772, and from scaled simulator observations. In the case of P2, the simulator based model in EPRI NP-6560-L was substituted for the fixed time curves in NUREG/CR-4772. Use of the simulator-based model supports incorporation of generic and plant specific information.

8) Estimate the total median failure probability for the recovery action, P(NR), using the following expression:

P(NR-median) = P1 + P2 + P3 - (P1*P2 + P1*P3 + P3*P2)

9) If the detailed assessment is for the first recovery action, and a second or third action is to be applied to a single cutset, apply the dependence assessment methods in NUREG/CR-4772. To consider dependencies, the HEP for multiple actions is a product of the detailed quantification for the first action, and the greater of either the detailed assessment for the second action or 0.03 as recommended for screening in the guidance document. If a third action was identified, a HEP of 0.1 was assigned (or detailed assessment HEP, if greater). This process accounts for human action dependencies during the sequence quantification. Detailed assessments of dependency can be used to justify lower dependencies on a case-by-case basis.

P(NR-Dep-median) = P(NR-median) * P(NR2) * P(NR3)

For cutsets containing hardware recoveries (e.g. recovery of offsite power, the Emergency Diesel Generators or the feedwater system), the hardware recovery was applied using its calculated value. If a second hardware recovery was applied, it was also given its detailed value. There were no cutsets which contained two hardware recoveries and any additional recoveries. For cutsets containing one hardware recovery only, up to two additional operator recoveries were allowed. The first was assigned its quantified value, and the second was assigned a value of 0.03 or the HEP value, whichever was larger. Following these rules, no cutsets were allowed more than three post-accident recovery actions.

10) Specify the uncertainty on the median HEP by assigning the Uncertainty Bound (UCB) according to the ratio of the 95th percentile to the 5th percentile of the lognormal distribution. This assignment produces a lognormal distribution for the HEP distribution, determined by the median and the UCB. A calculated mean value from the lognormal distribution is typically used in quantifying the mean value of a cutset to reflect uncertainty range in the HEP.

11) The new cutset probability, allowing for recovery, is then:

P(cutset)new = P(cutset)original * P(NR-Dep-mean)

2.3.4.1 Consideration of Plant-Specific Factors for Response Actions. Considered a strength in the HRA is the licensee's formal process for gaining insight on performance shaping factors used in the analysis. IPE Section 3.3.3.5 discusses the plant walkdowns, operator interviews, and simulator observations used by IPE team members and consultants to enhance the plant specific understanding of key operator actions. For example, information gained from walkdown of the 300 series procedures (those involving lifting of jumpers, realigning valves and inserting piping elements) was used to estimate time required (TA). The times were formally documented in a Job Performance Measures (JPM) program administered by the Training Department. The JPM program includes data for the travel time and confirmation of the feasibility for each procedure performed outside the control room. The timing data includes the time to obtain the procedures, tools, and transit time to the local site. Additional time was added to TA for troubleshooting and carrying out the response actions such as installing the spool piece for the fire water injection based on the recommendation of operating crews interviewed during the simulator exercises. Information obtained from the walkdowns and review of the procedures included the feasibility of actions based on logistics, time availability, and ease of completion. These insights and sensitivities to operator actions expected in actual operation were used in estimating PSFs for P1 and P3. PSFs were taken from NUREG/CR-1278, NUREG/CR-4772, and NP-6560-L, based on those considered most appropriate for HCGS after reviewing operating procedures, discussing the use of procedures with plant personnel, and observing operations crews in plant simulator exercises.

In the quantification process PSFs for both P1 and P3 events were assessed. The particular PSFs applied are:

| PSF1 | PSF3 |
|---|---|
| Location | Detection/diagnosis |
| Preassigned crews | Feedback |
| Practice | Procedures (100, 200) |
| Complexity | Consequences |
| Workload | Decision making |
| Time ratio | Practice/experience |
| Procedures for action (300 series) | |

Procedures for action (300 series) 2.3.4.2 Consideration of Timine. The HCGS plant-specific simulator was used to gain ,

qualitative insights to support the IPE/HRA quantification. Scenarios were developed based l on identified sensitivity of certain operator actions identified in the initial quantification of cutsets. Those scenarios selected included:

• Transients with turbine trip and loss of feedwater - ATWS,
• LOP - with loss of high pressure injection,
• MSIV closure - ATWS, and
• A transient with loss of all injection due to loss of service water.

The simulator exercises were performed by two different operating crews of varying experience and qualifications. Each exercise was structured to replicate the actual expected operations in the plant, including shift turnovers, and field responses to control room requests. Three observers were used to validate the sequence timing and validate the observations. The operating crew was debriefed to assess the events and circumstances surrounding the scenario. The resulting insights, observations and discussions were documented and then incorporated into the analysis in support of the median time estimate for crew response (Th), decision time (Td), and standard deviation of normalized time (σ) during the cutset review process. The process for estimating Td is described in step 4) of the licensee's quantification guidelines cited above. The median response time, Th, was estimated from the action time lines developed from observer notes which were compared with independent measurements from other BWRs in EPRI-6560L and NUREG/CR-4834. For non-measured cases, human reliability estimates in observed cases were extrapolated using model data and engineering judgement.

2.3.4.3 Consideration of Dependencies for Response and Recovery Actions. An important concern in HRA is the treatment of dependencies. Human performance is dependent on sequence-specific response of the system and of the humans involved. Appropriate consideration was given to the likelihood of success of a given action based on influences from the success or failure of a preceding action and performance of other team members. The HCGS analysis does not distinguish between response and recovery type actions. Dependency among top-level actions in a sequence appears to have been appropriately accounted for based on review of specific examples provided by PSE&G which document the assessment of dependencies.

The treatment of response/recovery action dependency in HCGS's analysis is stated as being the dependence assessment method in NUREG/CR-4772. As discussed under step 9 of the 11 step quantification process described in Section 2.3.4 of this report, dependency values of 0.03 and 0.1 for second and third events in a cutset were applied after operator dependencies had already been examined and treated. When recovery events within cutsets were identified, dependent individual actions were merged into a single basic event. As part of the dependency assessment, observation of crew performance on the simulator demonstrated the capability to perform multiple operator actions in a short time frame. These results (team response) were said to have been used when applicable. No specific examples were identified.

Several core damage sequences were developed as a result of multiple independent system failures, but operators do not necessarily perceive these as independent. NUREG/CR-4772, Table 8-2 provided guidance for appropriate value selection in these cases.


2.3.4.4 Quantification of Recovery Actions. The HCGS HRA does not distinguish between the quantification of response and recovery actions. Estimated human error probabilities are handled in the same manner as discussed in Section 2.3.4, above.
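The refined quantification summarized in Section 2.3.4 (steps 3, 4, 6, 8, 9, 10 and 11), including the 0.03 and 0.1 dependency floors also used in the Section 2.3.3 screening, can be carried through numerically as in the following added illustration, which is not code from the licensee's IPE or from this review. The function names, the sample action and every numeric input are constructed for the example, and reading the UCB as the 95th/5th percentile ratio of a lognormal distribution is an assumption taken from the wording of step 10.

```python
"""Added illustration of the refined post-initiator HEP quantification
summarized in Section 2.3.4. All names and inputs are constructed."""
from dataclasses import dataclass
from math import exp, log
from statistics import NormalDist

_STD_NORMAL = NormalDist()
Z95 = _STD_NORMAL.inv_cdf(0.95)       # 95th percentile of the standard normal
DEPENDENCY_FLOORS = (0.0, 0.03, 0.1)  # step 9: 1st action as quantified, 2nd >= 0.03, 3rd >= 0.1


@dataclass
class RecoveryAction:
    name: str
    hep_omission: float    # basic HEPo before PSFs
    psf_p1: float          # combined PSF multiplier for P1 (PSFs1)
    hep_commission: float  # basic HEPc before PSFs
    psf_p3: float          # combined PSF multiplier for P3 (PSFs3)
    tm_min: float          # TM: maximum time for both phases, minutes
    ta_min: float          # TA: time to physically perform the action, minutes
    th_min: float          # Th: median crew response time, minutes
    sigma: float           # standard deviation of normalized time


def decision_time(action):
    """Step 4: Td = TM - TA."""
    return action.tm_min - action.ta_min


def p2_non_response(td, th, sigma):
    """Step 6: P2 = 1 - Phi[ln(Td/Th)/sigma]."""
    if th <= 0 or sigma <= 0:
        raise ValueError("Th and sigma must be positive")
    if td <= 0:
        # Assumption of this example: no time left to diagnose means
        # the time-dependent non-response is certain.
        return 1.0
    return 1.0 - _STD_NORMAL.cdf(log(td / th) / sigma)


def median_non_recovery(action):
    """Steps 3 and 8: apply PSFs, then combine P1, P2 and P3."""
    p1 = min(1.0, action.psf_p1 * action.hep_omission)    # capped: a probability
    p3 = min(1.0, action.psf_p3 * action.hep_commission)
    p2 = p2_non_response(decision_time(action), action.th_min, action.sigma)
    # Expression exactly as given in step 8 (no triple-product term).
    return p1 + p2 + p3 - (p1 * p2 + p1 * p3 + p3 * p2)


def dependent_median(heps):
    """Step 9: product over at most three actions, with the 0.03 and 0.1 floors."""
    if not 1 <= len(heps) <= len(DEPENDENCY_FLOORS):
        raise ValueError("a cutset is allowed one to three recovery actions")
    product = 1.0
    for hep, floor in zip(heps, DEPENDENCY_FLOORS):
        product *= max(hep, floor)
    return product


def lognormal_mean(median, ucb_ratio):
    """Step 10: mean of a lognormal fixed by its median and 95th/5th ratio."""
    if ucb_ratio < 1.0:
        raise ValueError("95th/5th percentile ratio must be >= 1")
    sigma_ln = log(ucb_ratio) / (2.0 * Z95)  # ln(p95/p05) = 2 * z95 * sigma_ln
    return median * exp(sigma_ln ** 2 / 2.0)


def recovered_cutset(p_cutset_original, heps, ucb_ratio):
    """Step 11: P(cutset)new = P(cutset)original * P(NR-Dep-mean)."""
    return p_cutset_original * lognormal_mean(dependent_median(heps), ucb_ratio)


# Constructed sample action (not a value from Table 2.2-1).
SAMPLE = RecoveryAction("EXAMPLE-ACTION", 0.005, 2.0, 0.005, 4.0,
                        tm_min=40.0, ta_min=10.0, th_min=30.0, sigma=0.7)

if __name__ == "__main__":
    first = median_non_recovery(SAMPLE)
    # Second action quantified below the floor, third above it.
    chain = [first, 0.01, 0.2]
    print("median P(NR) for first action:", round(first, 4))
    print("dependent median for the chain:", dependent_median(chain))
    print("recovered cutset frequency:", recovered_cutset(1.0e-5, chain, 10.0))
```

With the sample inputs Td equals Th, so P2 is 0.5 and dominates the result; the second action's detailed value of 0.01 is replaced by the 0.03 floor.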

2.3.4.5 Consideration of Operator Actions in the Internal Flooding Analysis. The licensee considered internal flooding events which affect the reactor building, turbine building, and service water intake building. The quantification of CDF results from internal flooding events included consideration for operator action to isolate leaks. However, there is no discussion on how HRA was performed on these events. Discussion of operator action is limited to two cases which are said to be typical. The first case addresses the reactor building room 4105 and states that given the cues available to the operator, the operator is expected to isolate the affected system and stop the internal flooding. It is assumed that core spray will be lost and if flooding is in the SACS, the operator isolates that portion of SACS. The submittal is somewhat vague on how the operator action is quantified, but it appears that either a value of 1.0 or 0 was used in the fault tree quantification. In the second case where operator action is discussed, torus area Room 4102, an HEP of 1.0E-3 was assigned for operator failure to isolate the leak. The value of 1.0E-3 is based on a longer time available to the operators to avoid the failure of the ECCS systems, because the flood water rises slowly in a larger number of rooms.

i i

Operators are alerted to flooding events by annunciators in the control room and procedurally directed response. HEPs were calculated using the nominal diagnosis model of NUREG/CR-1278. PSE&G provided an example to demonstrate the process by which these events were assessed. The example given involved the isolation of flooding in RM-4105.

HCGS's treatment of operator action in responding to internal flooding scenarios appears to have been consistent with the guidance of the referenced methodology.

2.3.4.6 Consideration of Operator Actions in the Level 2 Analysis. HCGS performed HRA for containment event tree (CET) basic events associated with operator actions, although the submittal is vague as to the particular methodology applied. Both diagnosis and action events are addressed. The quantification of HEPs is said to have included the following factors:

• The time available for the operator to act,

• The level of stress the operator is under,

• Whether step-by-step procedures are available to guide the operator, and

• Whether technical oversight is provided (e.g., by a senior operator, or by the technical support center (TSC)).

The majority of the HEPs are associated with the failure of the operator to perform the correct action, with very little influence from diagnostic errors. The licensee attributes this to relatively long time frames (typically one hour or more) being available for the operator to act, which we believe is reasonable. The licensee cites the following assumptions for CET quantification:

• All operator actions will be guided by the SRO or TSC (total dependence),

• All operator actions are assumed to have associated procedures for the operator to follow,

• Operators will be under high stress during the back-end (Level 2) portion of the accident.

Operator actions considered in the Level 2 analysis were selected following a detailed review of EOPs and abnormal procedures for adequacy under post-core damage conditions.

Quantification of the operator actions selected was performed using the Dougherty and Fragola TRC method (Reference 5). ERIN was consultant to PSE&G for this analysis, and their selection of this adjusted correlation to estimate HEPs is reasonable given this method is reported by the author to better address out-of-control room tasks.

Generally, the process for the Dougherty and Fragola method includes the following steps:

1) Identify types of human error (omission, commission).
2) Identify PSFs based on similarity with Level 1 operator actions.
3) Develop detailed description.
4) Assign numerical parameters for input to HEP quantification, based on HRA experience.
5) Generate point estimates and percentages.

A total of 28 operator action basic events are reported in IPE Table 4.6-1. In general, HEP values appear to lean toward the conservative side.

2.3.4.7 GSI/USI and CPI Recommendations. The licensee's consideration of generic safety issues (GSIs) and unresolved safety issues (USIs) and of containment performance improvements (CPI) recommendations are the subject of the front-end review and back-end review, respectively. The HCGS IPE addresses two generic issues, USI A-45 - Decay Heat Removal, and GSI 105 - Intersystem LOCA Outside Containment.

Decay Heat Removal (DHR) - Overall the analysis of DHR reported in submittal Section 3.4.4 appears to be thorough and rigorous in HCGS's consideration of operator actions typically found in other IPEs for similar plants. The licensee credits the closure of Unresolved Safety Issue (USI) A-45 as a result of this analysis. Several recovery actions associated with the loss of DHR were found to contribute significantly (as compared to other human actions considered) to the reduction of CDF; these events are discussed in Section 2.4.2.2 of this report.

Interfacing System LOCA Outside of Containment (ISLOCA) - IPE Section 3.1.3.5 contains a discussion of the ISLOCA event trees, Figures 3.1.3-7 through 3.1.2-10. Four operator actions are associated with the event tree top events and these include:

- IS1, early isolation
- X, RPV depressurization
- O, other makeup sources adequate
- IS2, late isolation

The Interfacing System LOCA (ISLOCA) event trees, Figures 3.1.3-7 through 3.1.2.10, contain human actions for early isolation, RPV depressurization, establishment of other make-up sources, and late isolation. However, there is no mention of early or late isolation in the discussion on HRA, Section 3.3.3. The licensee states in their response to an RAI that, in the case of operator action IS1 (early isolation) of rupture of CS pumps discharge line, the error probability was obtained with order of magnitude estimates instead of a detailed HEP analysis (study performed by ERIN). For operator action IS2 (late isolation) of rupture of CS pumps discharge line, the operator action was assigned a conservative value of 0.5 because of the uncertainty associated with the operation of the valve (harsh environment), and dependency on previous operator errors. The ISLOCA event trees, top event actions and HEPs are listed in Table 2.3-1 below.

IPE Section 3.3.3.5.1 contains a discussion of simulator exercise observations and cites several insights related to leak isolation during LOCA. Specifically, identification of ruptures/leaks from diverse information systems provided to the control room operating personnel and actions to isolate leaks were performed in a consistent and effective manner.

Overall, HCGS's treatment of post-initiator human actions appears reasonably thorough and complete. Results from HCGS's HRA are generally consistent with similar BWR 4 plants reviewed.

Table 2.3-1, ISLOCA Operator Actions

| EVENT | IS1 (early isolation of low pressure piping) | X (RPV depressurization) | O (other makeup sources available) | IS2 (late isolation of low pressure piping) |
|---|---|---|---|---|
| Interface rupture of CS pumps discharge lines | 2.1E-3 (rupture), 2.2E-3 (leak) | 1.0E-3 | 1.0E-2 to 1.0 | 5.0E-1 |
| Interface rupture of RHR shutdown cooling return line | 3.2E-1 (rupture), 4.7E-1 (leak) | 1.0E-3 | 1.0E-2 to 1.0 | 5.0E-1 |
| Interface leakage of RHR cooling suction line | 1.7E-1 | 1.0E-3 | 1.0E-2 to 1.0 | 5.0E-1 |
| Interface leakage of RHR pumps discharge lines (LPCI) | 4.2E-1 | 1.0E-3 | 1.0E-2 to 1.0 | 5.0E-1 |

2.4 Vulnerabilities, Insights and Enhancements

2.4.1 Vulnerabilities.

The HCGS IPE defines vulnerability based on NUREG-1335 screening criteria for reporting systemic sequences. To be considered a vulnerability, those sequences meeting the screening criteria must also contribute inordinately to the CDF with respect to either (1) other sequences or events in the IPE, or (2) in comparison with PRA results for other plants.

In the licensee's analysis, transients involving HVAC failure were determined to contribute inordinately to the CDF. For example, loss of switchgear or 1E panel room cooling had an initial CDF of 3.29E-3/yr. In response to this vulnerability the licensee developed a new procedure for providing alternate methods for panel room cooling. The sequence analysis was repeated and credit was taken for the new procedure, which resulted in a reduction of sequence CDF to 9.87E-7/yr. Operator recovery action associated with the new procedure includes taking steps to provide alternative cooling means for electrical equipment in these rooms, i.e., open doors, placement of portable fans, etc.

2.4.2 IPE Insights Related to Human Performance.

The licensee states (IPE Section 7.1.1.4.2) that sensitivity studies involving adjustment of HEPs upward and downward were not performed for post-accident operator errors because their development was based upon plant-specific data obtained through simulator exercises. However, the licensee performed importance analysis for the highest frequency cutsets and this includes operator action basic events. Although not a sensitivity study, the importance analysis generated results are said to have served as a means to assess which operator actions are most important.

2.4.2.1 Important Operator Actions. In IPE Section 7.1.1.2, the licensee identifies miscalibration events, safety/relief valves (SRVs), DC Buses, reactor protection (scram) and HPCI/RCIC as most important basic events, based on risk increase importance, whereas the operator recovery of off-site power, operator recovery of diesel generators, test/maintenance of SSW and SACS loops, failure to depressurize and failure of diesel generators are considered to be most important from a risk reduction viewpoint.

Section 3.4.1.2 and 7.1.1.2 discuss the importance analysis performed by the licensee on 745 highest frequency cutsets, which included 393 basic events and represents 90% of the HCGS IPE results. The results of two measures, risk reduction and risk increase, are reported in submittal Tables 3.4-4 and 3.4-5 respectively. Risk reduction reflects the improvement (decrease) in the expected CDF achieved by reducing the failure probability of a basic event. Risk increase reflects the degradation (increase) in the expected CDF from arbitrarily failing a basic event. Three out of the top thirty risk-increase events (Table 2.4-1), and twelve out of the top thirty risk-reduction events (Table 2.4-2), are related to operator actions.
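The two importance measures described above, worked through on a small cutset model as an added example (it is not part of the TER or of the licensee's analysis). The cutsets, event names and probabilities are constructed; the CDF is the rare-event sum of cutset products, and risk reduction is taken as setting the event's probability to zero, both of which are assumptions of the example.

```python
from math import prod

# Constructed model for illustration only: the names, frequencies and
# probabilities are hypothetical and are not taken from the HCGS IPE.
PROBS = {
    "IE-LOSP": 0.05,             # initiating-event frequency, per year
    "IE-TRANS": 2.0,             # initiating-event frequency, per year
    "EDG-CCF": 1.0e-3,           # hardware failure probability
    "HPCI-FAIL": 5.0e-2,
    "RCIC-FAIL": 4.0e-2,
    "OP-RECOVER-LOSP": 1.0e-1,   # post-initiator recovery HEP
    "OP-DEPRESS": 5.0e-3,        # post-initiator response HEP
    "XHE-MISCAL-LEVEL": 1.0e-4,  # pre-initiator miscalibration HEP
}

# Minimal cutsets: each is one initiator plus the failures that lead to core damage.
CUTSETS = [
    ("IE-LOSP", "EDG-CCF", "OP-RECOVER-LOSP"),
    ("IE-TRANS", "HPCI-FAIL", "RCIC-FAIL", "OP-DEPRESS"),
    ("IE-TRANS", "XHE-MISCAL-LEVEL", "OP-DEPRESS"),
]


def cdf(probs, cutsets=CUTSETS):
    """Core damage frequency (per year) as the sum of cutset products."""
    return sum(prod(probs[e] for e in cs) for cs in cutsets)


def risk_reduction(event, probs=PROBS, cutsets=CUTSETS):
    """Decrease in CDF if the event could never fail (probability set to 0)."""
    return cdf(probs, cutsets) - cdf({**probs, event: 0.0}, cutsets)


def risk_increase(event, probs=PROBS, cutsets=CUTSETS):
    """Increase in CDF if the event is assumed failed (probability set to 1)."""
    return cdf({**probs, event: 1.0}, cutsets) - cdf(probs, cutsets)


def rank(measure, probs=PROBS, cutsets=CUTSETS):
    """Basic events (initiators excluded) sorted by the given measure, largest first."""
    basic = [e for e in probs if not e.startswith("IE-")]
    scored = [(e, measure(e, probs, cutsets)) for e in basic]
    return sorted(scored, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print(f"baseline CDF = {cdf(PROBS):.2e}/yr")
    for title, measure in (("risk increase", risk_increase),
                           ("risk reduction", risk_reduction)):
        print(f"\nranked by {title}:")
        for name, value in rank(measure):
            print(f"  {name:18s} {value:.3e}")
```

In this constructed model the low-probability miscalibration event leads the risk-increase ranking while the operator response and recovery actions lead the risk-reduction ranking, which is the same split between the two measures that the paragraph above reports.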

Table 2.4-1, Important Operator Actions by Risk Increase Measure

| RANK | BASIC EVENT | DESCRIPTION |
|---|---|---|
| 5 | ESF-XHE-MC-DF02 | Miscalibration of all level transmitters. |
| 7 | ESF-XHE-MC-DF01 | Miscalibration of all pressure transmitters. |
| 11 | NR-HVC-PNRM-12 | Failure to provide alternate ventilation to the Panel Room within 12 hours after a loss of HVAC. |

Table 2.4-2, Important Operator Actions by Risk Reduction Measure

| RANK | BASIC EVENT | DESCRIPTION |
|---|---|---|
| 1 | NR-LOSP-6 | Failure to restore off-site power within 6 hours. |
| 2 | NR-DG-6 | Failure to recover EDGs within 6 hours of independent failures of EDGs. |
| 6 | NR-DG-DF-6 | Failure to recover EDGs within 6 hours of common cause failures of EDGs. |
| 7 | ADS-XHE-FO-DEPRE | Operator fails to depressurize. |
| 8 | ADS-XHE-OK-INHIB | ADS fails at level 1 due to INHIBIT by operator. |
| 9 | NR-U1X-DEP-60M | Failure to manually depressurize the RPV within 60 minutes. |
| 10 | NR-PCS-1 | Failure to restore the PCS within 1 hour. |
| 16 | SWS-XHE-FO-ISOL | Operator fails to isolate SWS flow diversion. |
| 20 | CST-XHE-FO-ALIGN | Operator fails to align condensate storage tank. |
| 23 | NR-HVC-PNRM-12 | Failure to provide alternate ventilation to the Panel Room within 12 hours after a loss of HVAC. |
| 26 | NR-SPL-LLVL-4-03 | Failure to align core spray to the CST for long-term injection (without decay heat removal). |
| 28 | NR-U1X-DEP-30M | Failure to manually depressurize the RPV within 30 minutes. |

The top eleven dominant accident sequences account for 94% of the total CDF, with the first five sequences contributing 84.2%. We reviewed these sequences to identify which operator actions were related and compared these with the sensitivity measures and treatment in HRA to ensure consistency. Table 2.4-3 provides a listing of these accident sequences, a brief description of each sequence, and the corresponding operator actions which we believe to be relevant to that sequence. The results from this review appear reasonable with no significant deviation in the licensee treatment.

Table 2.4-3, Operator actions related to the top 11 dominant accident sequences (94.0% of the total CDF).

| SEQUENCE | % CONTRIBUTION | DESCRIPTION | OPERATOR ACTION(S) |
|---|---|---|---|
| TeEDG, CDF = 3.27E-5/yr | 71.4% | SBO (LOP with failure of D/Gs), batteries depleted in 4 hours terminating HPCI & RCIC. | Recovery of offsite power (NR-LOSP-n) |
| TfU1U2X, CDF = 1.76E-6/yr | 6.0% | Total loss of feedwater, failure of both HPCI & RCIC, failure to depress. | Operator fails to depressurize the RPV |
| TmUX, CDF = 1.05E-6/yr | 2.3% | MSIV closure, failure of HPCI & RCIC, failure to depress. the RPV. | Operator fails to depressurize the RPV |
| S1WUv, CDF = 1.04E-6/yr | 2.3% | Medium LOCA, loss of DHR, long-term make-up unsuccessful. | Operator fails to align core spray to the CST for long-term injection (NR-SPL-LLVL-4-03) |
| TtQUX, CDF = 1.03E-6/yr | 2.3% | Turbine trip, failure of feedwater, failure of both HPCI & RCIC, failure to depress. the RPV. | Operator fails to depressurize the RPV |
| S1U1X, CDF = 9.96E-7/yr | 2.2% | Medium LOCA, failure of HPCI, failure to depressurize the RPV. | Operator fails to depressurize the RPV |
| Thv, CDF = 9.87E-7/yr | 2.2% | Loss of HVAC to either Panel room or Switchgear room, failure to recover HVAC. | Operator fails to provide alternate ventilation to Panel Room within 12 hours of loss of HVAC |
| TeEDGP, CDF = 9.67E-7/yr | 2.1% | SBO (same as TeEDG) w/ a stuck open SRV. | (see TeEDG) |
| TfQRWW1Uv, CDF = 5.30E-7/yr | 1.2% | Total loss of feedwater with failure to recover, failure of containment heat removal, failure of containment venting, failure of long-term make-up. | Operator fails to recover FW, fails to initiate containment venting, fails to provide long-term make-up |
| TiQUX, CDF = 5.29E-7/yr | 1.2% | Inadvertent opening of a SRV (IORV), failure of FW, HPCI & RCIC, and failure to depress the RPV. | Operator fails to recover FW, fails to depressurize the RPV |
| TmC2, CDF = 5.07E-7/yr | 1.1% | Turbine trip, failure (mech) of control rods to insert, failure of SLC to inject. | Operator fails to inhibit ADS, fails to manually initiate ARI, fails to manually depress the RPV, fails to initiate HPCI, fails to isolate HPCI inj. through core spray, fails to control RPV water level w/ LPCI |

In our review of the IPE we look for indications that the licensee has appropriately considered all operator actions which have been found to be important in IPEs for similar plants, as well as any actions which may be necessitated because of unique design features. An important input to this element of our review is the insight which the NRC's front-end reviewer (and to a lesser degree back-end) offers in the way of identifying which operator actions are important from their perspective. Table 2.4-4 provides a listing of those operator actions deemed to be important to CDF contribution by the front-end reviewer, the fault/event tree identifier, and the HEP assessed. Twenty-eight human actions were included in the Level 2 analysis; see Section 2.3.4.6 of this report. Other than the generalization that all operator actions are considered important in the Level 2 analysis, specific significant human actions were not identified.

Table 2.4-4, HCGS Operator Actions Identified as Important by Front-end Reviewer

| OPERATOR ACTION | HRA IDENTIFIER | HEP |
|---|---|---|
| Manual initiation of depressurization | NR-U1X-DEP-60M; NR-U1X-DEP-30M (ADS-XHE-FO-DEPRE) | 4.6E-3; 7.5E-3 |
| Providing alternate ventilation for electrical areas | NR-HVC-PNRM-12 (HVAC-XHE-FO-RECY) | 3.0E-4 |
| Inhibition of ADS during ATWS sequences | NR-ATWS-ADS-INH (ADS-XHE-ATWS-INH) (ADS-XHE-OK-INHIB) | 7.5E-2 |
| Manual initiation of SP cooling | (RHS-XHE-FO-SPC) | N/A, screened out |
| Inhibition of HPCI injection via core spray following an ATWS | NR-ATWS-HPCI-CS (ATW-XHE-HP-CS-IN) | 2.4E-1 |
| Using alternate SACS loop for DG cooling (cross-tie) | Dropped following detailed evaluation | N/A |
| Implementation of alternate injection for core cooling | NR-SPL-LLVL-4-03 (UV1-XHE-FO-ALIGN) (CST-XHE-FO-ALIGN) | 1.1E-1 |
| Isolation of a seal LOCA | NR-SLEAK-ISO-15M (XHE-FO-SEAL-ISOL) | 8.2E-2 |
| Isolation of internal floods within 30 minutes | IS1 | 4.7E-01 to 2.1E-03 depending on location |

2.4.2.2 Sequences Screened Out By Low HEPs. Sequences which would have been above the cutoff criteria were it not for low human error probabilities in recovery actions are discussed in the submittal. This aspect of the licensee's analysis is well documented, with detailed discussion consistent with what is requested in NUREG-1335.

Appendix A, attached to this TER report, lists in table format the 30 sequences screened out by low HEPs. The exhibit table is structured to provide the sequence identifier, sequence description, human recovery actions applicable, and a description of those actions in order to better facilitate identification of the type of accidents involved. It is of interest to note that the predominant accident sequences appearing in the 9 top events (those just below the cutoff) are associated with loss of DHR. Additionally, Table 3.4-6 of the submittal reports a substantial change in certain accident sequences' contribution to CDF due to recovery actions applied (e.g., TtQWW1Uv from 2.08E+00 to 1.4E-08 and TmWW1Uv from 1.43E-01 to < 1E-10). Also notable is that a number of the specific actions associated with the sequences screened are outlier events in the non-conservative direction, namely: 1) NR-PCS-24, failure to restore the PCS within 24 hrs following a turbine trip or MSIV closure initiating event (7.0E-04), 2) NR-RHR-INIT, failure to initiate RHR for decay heat removal within 24 hrs (5.0E-05), and 3) NR-WW1-SWP-20, failure to manually start SSWS or SACS pumps within 20 hours (7.4E-05). In response to an NRC RAI, the licensee provided the detailed "Tier 2" analysis for events NR-RHR-INIT and NR-WW1-SWP-20. We reviewed these assessments and found the analysis process to be reasonably thorough, complete and consistent with the methodology applied. In the case of event NR-PCS-24, a HEP was not calculated in the same manner as the others but was taken from NUREG/CR-4550.

2.4.3 Enhancements and Commitments.

During the IPE effort a significant impact on CDF was identified where HVAC is lost for electrical equipment rooms. A procedure was developed, and credited in the analysis, for providing alternate cooling to key electrical equipment rooms. As a result of procedural recovery of partial cooling, CDF was lowered from 3.29E-3/yr to 9.8E-7/yr.

Additionally, the licensee initiated a detailed review of the success criteria for SSW and SACS to see if some of the conservatism presently in the model could be relaxed by crediting additional operator action. A new procedure for operating SACS with one pump per loop was thought to result in a substantial improvement in CDF resulting from SBO. The licensee reports in their response to NRC's request for additional information that after detailed evaluation it was determined that little benefit was to be derived by taking credit for this operator action.

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

The purpose of our document-only review is to enhance the NRC staff's ability to determine whether the licensee's IPE met the intent of Generic Letter 88-20. The Generic Letter had four specific objectives for the licensee:

(1) Develop an appreciation of severe accident behavior.

(2) Understand the most likely severe accident sequences that could occur at its plant.

(3) Gain a more quantitative understanding of the overall probability of core damage and radioactive material releases.

(4) If necessary, reduce the overall probability of core damage and radioactive material release by appropriate modifications to procedures and hardware that would prevent or mitigate severe accidents.

With specific regard to the HRA, these objectives might be restated as follows:

(1) Develop an overall appreciation of human performance in severe accidents; how human actions can impact positively or negatively the course of severe accidents, and what factors influence human performance.

(2) Identify and understand the operator actions important to the most likely accident sequences and the impact of operator action in those sequences; understand how human actions affect or help determine which sequences are important.

(3) Gain a more quantitative understanding of the quantitative impact of human performance on the overall probability of core damage and radioactive material release.

(4) Identify potential vulnerabilities and enhancements, and if necessary/appropriate, implement reasonable human-performance-related enhancements.

The following observations from our document-only review are seen as pertinent to NRC's determination of the adequacy of the HCGS submittal:

1) The submittal and supporting documentation indicate that utility personnel were involved in the HRA, and that the walkdowns and documentation reviews constituted a viable process for confirming that the HRA portions of the IPE represent the as-built, as-operated plant.

2) The licensee performed an in-house peer review that provides some assurance that the HRA techniques have been correctly applied and that documentation is accurate.

3) The licensee's analysis of pre-initiator human actions was reasonably complete, though simplified and relatively generic. Identification and selection of human actions to be quantified included review of calibration, test and maintenance procedures and discussion with plant personnel. Both calibration and restoration errors were included. No numerical screening was performed; qualitative screening that appears to be rational and consistent with other PRAs eliminated some actions from consideration. All actions surviving the qualitative screening were included in the IPE model as basic events in fault trees. The quantification used THERP to analyze four "generic" pre-initiator actions that represented all pre-initiator actions included in the model. Plant-specific and certainly case-specific analysis was very limited. This limits the ability of the licensee to identify factors contributing to human error and therefore plant risk and to identify possible enhancements. However, the analysis appears to have been effective in identifying the relative importance of contributions from pre-initiator human errors.

4) The treatment of post-initiator human actions included both response-type and recovery-type actions. The process for identification and selection of post-initiator human actions included review of procedures and discussion with plant operations and training staff. Numerical screening based on guidance in NUREG/CR-4772 was employed to eliminate actions or sequences from further consideration. Quantification of human error used the ASEP and EPRI NP-6560-L processes for detailed calculations. The guidance for methodologies used appears to have been followed by the licensee. Evaluation of plant-specific performance shaping factors was included, consistent with the simplified ASEP process; and error recovery factors were included according to ASEP guidance. Dependencies among post-initiator actions were treated in a manner consistent with the ASEP dependency model.

5) The process used by the licensee to obtain plant-specific data for representation of performance shaping factors, namely simulator exercises, procedure walkdowns and discussion with key plant personnel, is considered a strength in their HRA.

6) The licensee employed a systematic process to screen for vulnerabilities and identify potential enhancements. Vulnerability screening criteria included NUREG-1335 reporting criteria plus a comparison with other PRA results to identify unusual contributors. In the licensee's analysis, transients involving HVAC failure were determined to contribute inordinately to the CDF. For example, loss of switchgear or 1E panel room cooling had an initial CDF of 3.29E-3/yr. In response to this vulnerability the licensee developed a new procedure for providing alternate methods for panel room cooling. The sequence analysis was repeated and credit was taken for the new procedure, which resulted in a reduction of sequence CDF to 9.87E-7/yr. Operator recovery action associated with the new procedure includes taking steps to provide alternative cooling means for electrical equipment in these rooms, i.e., open doors, placement of portable fans, etc.

7) A total of 28 operator action basic events are reported in IPE Table 4.6-1, back-end analysis. HRA appears to have been appropriately performed using the Dougherty and Fragola TRC methodology.

4. DATA SUMMARY SHEETS

Important Operator Actions / Errors:

Pre-Initiator Errors:

Miscalibration of all level transmitters.
Miscalibration of all pressure transmitters.

Post-Initiator Errors:

Failure to restore off-site power within 6 hours.
Failure to recover EDGs within 6 hours of independent failures of EDGs.
Failure to recover EDGs within 6 hours of common cause failures of EDGs.
Operator fails to depressurize.
ADS fails at level 1 due to INHIBIT by operator.
Failure to manually depressurize the RPV within 60 minutes.
Failure to restore the PCS within 1 hour.
Operator fails to isolate SWS flow diversion.
Operator fails to align condensate storage tank.
Failure to provide alternate ventilation to the Panel Room within 12 hours after a loss of HVAC.
Failure to align core spray to the CST for long-term injection (without decay heat removal).
Failure to manually depressurize the RPV within 30 minutes.

Human-Performance Related Enhancements:

Enhanced Procedures and Operator Actions:

Alternate cooling methods during loss of HVAC to key electrical equipment rooms resulted in a decrease in CDF from 3.29E-3/yr to 9.8E-7/yr. Procedurally directed actions to facilitate alternate cooling methods on loss of HVAC to electrical equipment rooms have a significant impact for reducing CDF.

Potential Operational Improvement Under Consideration and Not Modeled:

Procedure enhancements related to SSW and SACS could have a substantial influence on the reduction of CDF in SBO. A new procedure for operating SACS with one pump per loop could result in a substantial improvement in CDF resulting from SBO.

Subsequent to the submission of the IPE, the licensee determined little benefit was to be derived from this action, and dropped it from further consideration.

REFERENCES

1) Systematic Human Action Reliability Procedure (SHARP), EPRI NP-3583.
2) Handbook of Human Reliability Analysis With Emphasis on Nuclear Power Plant Operations, NUREG/CR-1278.
3) Accident Sequence Evaluation Program Human Reliability Analysis Procedure (ASEP), NUREG/CR-4772.
4) A Human Reliability Analysis Approach Using Measurements For Individual Plant Examinations, EPRI NP-6560L.
5) E.M. Dougherty and J.R. Fragola, Human Reliability Analysis: A System Engineering Approach With Nuclear Power Applications. New York: John Wiley Interscience, 1988.

1 Appendix A la Renn nce. Identined As Reing Rrreen.A One hv Deenverv Actinne SEQUENCE SEQUENCE DESCRIMION RECOVERY ACTION RECOVERY DESCRIMION TIQWWlUv 1.cas of DHR NR PCS-24 Failwe e resume PCS within 24trs. '

TmWW1Uv NR.RHR DGT Fail e inniens PS within 24 lus.

NR WWl-SWP-20 Failure to manual start

$$WS or SCAS pangs within 20 hrs.

NR VENT.5 Fail e ininses conment i venong '

TeWW1uV LOP w/ loss of DHR NR-LOSP 24 l Failure to resam offsise power wnhin 24 hrs.

l NR-RHR-!NTT Failwe to innaas RHR '

wth 24 hrs.

NR VENT.5 Fail to imnase conouant venong TmPP2WUv MSIV closure w/ 2 SORVs NR-PCS-24 Fail to resese PCS stuck open and loss of DHR within 24 hrs NR-RHR-DUT Falwe to initions RRR wnhas 24 brs.

NR WWi SWP 20 Failee to manual start SSWS or SCAS pumps ,

within 20 hrs.

SIWWlUv Mediurn LOCA and loss of NR-RHR D4T Falure to innisse RHR DHR widun 24 hrs.

NR VENT 3 Fail to imame conemnt venong TtPP2WWlUv Turbine tnp with 2 NR.RHR INIT Failure to ininaw RHR SORVs and loss of DHP wittun 24 hrs.

NR WWl SWP 20 Failure to manual start SSWS or SCAS pumps ws&in 20 hrs.

NR VENT 3 Fail to imness contnant venung AWWlUv Large LOCA with loss of NR-RHR DUT Failure to imnase RHR

^

DHR withm 24 hrs.

NR VENT 5 Fail to ininane conmmnt venong TmPP2WWlUv MSIV closure w/ 2 SORVs NR-PCS-24 Fail to resem PCS stuck open, loss of DHR within 24 hrs and failee to vent NR WWi SWP 20 Failure e manual start conmanment SSWS or SCAS pumps wnhan 20 hrs.

NR RHR-INIT Failure to iniones RRR within 24 hrs.

NR VENT 5 Fail to inrtiene contnmnt vennns TiaWWlUw Loss of mstrument air NR RHR-DUT Failure to ininaw RHR and loss of DHR withm 24 hrs.

NR WWi SWP 20 Fail to manual start S$WS or SCAS pumps within 20 hrs.

29

NR VENT.5 Fait m initians consumet venang

$2S31soQUX Recuc pump seal LOCA. NR.5 LEAK ISO 15M Fmiure to isoisas loss of FW, loss of HPC1 resuculamon pusep seal

& RCIC, and falure to LOCA depressunse NR UlX-DD 40M Failus to manually depress the RPV wnhse 40 sunuant ThvP- Loss of HVAC wnh 50RV NR HVC-PNRM.12 Failure to pnwide alterums --

to abs panel team walun 12 hrs aAer loss of HVAC.

TtPQUX Turbine inp with SORV, NR.PCS-40M Fakse to restore PCS loss of FW, loss of HPCI wielun 40 annuass.

& RCIC, and fadure to NR UlX-DU-40M Fail to rassuelly the depressunas depress the RPV within 40 nunuass.

NR-Q-FWLVH-4M Falure to prevent a level 8 tip of feedwenr dunne a sansunt TraPP2WUv Loss of RACS w/ 2 SORVs, NR-WW1.SWP 20 Failure to manual sert loss of DHR SSWS or SCAS pumps within 20 hrs.

NR-RRR-INIT Failure to initions RHR wnhin 24 hrs-NR. VENT.5 Fel to incises contunnt venang  ;

TfUIU2UV Loss of FW w/ fdure of NR.UV.WTLW20M Failure to consol RPV all injecuon to RPV weaur level w/ high pressure injecnon systems (non ATWSk NR-UV-ECCS.1 Failure to manually 5

innaans ECCS wnhio 1 ihr.

1 J TeUX LOP w/ future of HPCI & NR-LOSP40M Failure to restore offsie i RCIC, falure e depress. power wittun i br.

NR.UlX.DD 60M Falute to manually

} depress the PRV j wnhin 1 br S2QUX Small LOCA, failure of FW, NR.UlX DD 40M Failure to manually HPCI & RCIC, fail to deprens. depressmas the RPV wnhin 40 minussa.

NR-Q-FWLYL-24M Failure to prevent a level 8 mip of feedweest dunns a small LOCA.

TrsQUX Loss of RACS fdure of FW, NR UlX DD40M Failure to reanually HPCI & RCIC, fut to depress. depress the RPV mtlun I hr.

NR.Q FWLVH4M . Failure to prevent a level 8 tip of feedwarer dunng a manssent NR.WWi SWP.I Falure to manually start SSWS or SACS pumps mehin I hr.

TmUV MS!V closure w/ failure of NR PCS-1 Failure es ressere PCS all injecnon to RPV. wnhan I hr.

30

  NR-UV-ECCS-1  Failure to manually initiate ECCS within 1 hr.
  NR-UV-WTLVL-20M  Failure to control RPV water level with high pressure injection systems (non-ATWS).

TtPUlU2X  Loss of FW w/ a SORV, failure of HPCI & RCIC, fail to depress RPV.
  NR-U1X-DEP-40M  Failure to manually depressurize the RPV within 40 minutes.

SIUlWWlUv  Medium LOCA, failure of HPCI, loss of DHR.
  NR-RHR-INIT  Failure to initiate RHR within 24 hrs.
  NR-VENT-5  Failure to initiate containment venting.

TePWWlUw  LOP w/ a SORV, loss of DHR.
  NR-LOSP-24  Failure to restore offsite power within 24 hrs.
  NR-RHR-INIT  Failure to initiate RHR within 24 hrs.
  NR-VENT-5  Failure to initiate containment venting.

TmPUX  MSIV closure w/ a SORV, failure of HPCI, fail to depress RPV.
  NR-U1X-DEP-40M  Failure to manually depressurize the RPV within 40 minutes.

TaQUIX  MSIV closure, ATWS (mech), failure HPCI, FW, fail to depress RPV.
  NR-ATWS-HPCI  Failure to initiate HPCI during ATWS.
  NR-ATWS-DEP  Failure to manually depressurize the RPV during ATWS.

TraPP2WWlUv  Loss of RACS w/ 2 SORVs, loss of DHR.
  NR-WW1-SWP-20  Failure to manually start SSWS or SACS pumps within 20 hrs.
  NR-RHR-INIT  Failure to initiate RHR within 24 hrs.
  NR-VENT-5  Failure to initiate containment venting.

TiaPP2WUv  Loss of IAS w/ 2 SORVs, loss of DHR.
  NR-WW1-SWP-20  Failure to manually start SSWS or SACS pumps within 20 hrs.
  NR SPL-LYLL-4  Failure to align core spray to the CST for long term injection (w/o DHR).

ThvPP2  Loss of HVAC w/ 2 SORVs.
  NR-HVC-PNRM-12  Failure to provide alternate ventilation to the Panel Room within 12 hrs after loss of HVAC.

ThvU  Loss of HVAC, failure of HPCI & RCIC.
  NR-HVC-PNRM-12  Failure to provide alternate ventilation to the Pump Room within 12 hrs after loss of HVAC.

TiQUV  Inadvertent opening of SRV, failure of FW and all other injection to the RPV.
  NR-UV-WTLVL-20M  Failure to control RPV water level with high pressure injection systems (non-ATWS).


  NR-UV ECCS4M  Failure to manually initiate ECCS within 40 minutes.

TeEDGU  SBO, failure of HPCI & RCIC.
  NR-LOSP L  Failure to restore offsite power within 1 hr.
  NR-UV ECCS 3  Failure to manually initiate ECCS within 1 hr.
  NR-UV-WTLVL-20M  Failure to control RPV water level with high pressure injection systems (non-ATWS).

TsQWUv  Turbine trip, failure of FW, loss of DHR.
  NR-PCS-24  Failure to restore PCS within 24 hrs.
