ML20117J300
| ML20117J300 | |
| Person / Time | |
|---|---|
| Site: | Callaway |
| Issue date: | 01/15/1996 |
| From: | Swanson P CONCORD ASSOCIATES, INC. |
| To: | NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| Shared Package | |
| ML20117J268 | List: |
| References | |
| CON-NRC-04-91-069, CON-NRC-4-91-69 CA-TR-95-019-44, CA-TR-95-19-44, NUDOCS 9605310069 | |
| Download: ML20117J300 (38) | |
Text
CONCORD ASSOCIATES, INC.
Systems Performance Engineers
CA/TR 95-019-44

CALLAWAY PLANT, UNIT 1
TECHNICAL EVALUATION REPORT ON THE IPE SUBMITTAL HUMAN RELIABILITY ANALYSIS
FINAL REPORT

by P.J. Swanson

Prepared for U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research, Division of Systems Technology

Final Report, January 15, 1996

11915 Cheviot Dr., Herndon, VA 22070, (703) 318-9262
725 Pellissippi Parkway, Knoxville, TN 37932, (423) 675-0930
6201 Picketts Lake Dr., Acworth, GA 30101, (404) 917-0690
Contract No. NRC-04-91-069 Task Order No. 44
TABLE OF CONTENTS

E. EXECUTIVE SUMMARY
   E.1 Plant Characterization
   E.2 Licensee IPE Process
   E.3 Human Reliability Analysis
   E.4 Generic Issues and CPI
   E.5 Vulnerabilities and Plant Improvements
   E.6 Observations
1. INTRODUCTION
   1.1 Review Process
   1.2 Plant Characterization
2. TECHNICAL REVIEW
   2.1 Licensee IPE Process
       2.1.1 Completeness and Methodology
       2.1.2 Multi-Unit Effects and As-Built, As-Operated Status
       2.1.3 Licensee Participation and Peer Review
             2.1.3.1 Licensee Participation
             2.1.3.2 In-House and External Reviews
   2.2 Pre-Initiator Human Actions
       2.2.1 Types of Pre-Initiator Human Actions Considered
       2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions
       2.2.3 Screening Process for Pre-Initiator Human Actions
       2.2.4 Quantification Process for Pre-Initiator Human Actions
   2.3 Post-Initiator Human Actions
       2.3.1 Types of Post-Initiator Human Actions Considered
       2.3.2 Process for Identification and Selection of Post-Initiator Human Actions
       2.3.3 Screening Process for Post-Initiator Human Actions
       2.3.4 Quantification of Post-Initiator Human Actions
             2.3.4.1 Response-Type Actions
             2.3.4.2 Recovery-Type Actions
             2.3.4.3 Consideration of Operator Actions in the Level 2 Analysis
       2.3.5 Generic Issues and CPI
       2.3.6 Flooding Analysis
   2.4 Vulnerabilities, Insights and Enhancements
       2.4.1 Vulnerabilities
       2.4.2 Insights Related to Human Performance
       2.4.3 Human Performance Related Enhancements
3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS
4. DATA SHEETS
5. REFERENCES

E. EXECUTIVE SUMMARY

This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Union Electric Company's Individual Plant Examination (IPE) submittal for the Callaway Plant, Unit 1 to the U.S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staff in their evaluation of the IPE and conclusion regarding whether the submittal meets the intent of Generic Letter 88-20.

E.1 Plant Characterization

Callaway is a single-unit Westinghouse four-loop pressurized water reactor (PWR) plant rated at 3565 MWt. Commercial operation started in April 1985. Callaway and Wolf Creek are sister plants designed and constructed under the Standardized Nuclear Unit Power Plant System (SNUPPS) concept. The NRC front-end reviewer identified a number of Callaway design features that impact core damage frequency (CDF) relative to other PWRs, namely, ability to perform feed and bleed once-through cooling, service water flexibility and redundancy, use of ESW system as a source of backup supply to auxiliary feedwater, eight hour battery life for turbine-driven AFW pump, semi-automatic Emergency Core Cooling system switchover, high temperature reactor coolant pump seals, and use of diesel-driven fire pump to feed a depressurized steam generator.

E.2 Licensee IPE Process

The Callaway HRA was performed by Union Electric personnel. Significant utility staff involvement, plant walkdowns and document review helped to assure that the IPE/HRA represented the as-built, as-operated plant. Four different elements were employed in an independent review process, namely: 1) peer review (others within the group, but not working on the area of review), 2) an HRA expert from Halliburton NUS Corporation, 3) inter-departmental review, and 4) external review by Wolf Creek Nuclear Operating Corporation personnel. The HRA process addressed both pre-initiator and post-initiator actions. Pre-initiator actions considered included both restoration errors and miscalibration. Post-initiator actions included both response-type and recovery-type actions. Pre-initiator human errors were quantified using generic data from other PRAs which was derived from the EPRI PRA Repository, NASC-152 and the Handbook of Human Reliability Analysis for Nuclear Power Plants, NUREG/CR-1278. Post-initiator human errors were quantified using the EPRI-NP-6560 approach. Plant-specific performance shaping factors and dependencies were considered in the analysis of post-initiator human errors.

E.3 Human Reliability Analysis

The Callaway HRA considered three types of human actions (called human interactions (HIs) in the submittal): pre-initiator human actions, human actions causing an initiating event, and post-initiator human actions. Human actions which cause an initiating event were treated as HRA events in the model but incorporated implicitly in the initiating event frequencies obtained from Callaway's operating experience.

Pre-Initiator Human Actions -

The Callaway HRA addressed pre-initiator errors in maintenance, test and surveillance actions by incorporating human error into the systems analysis (fault trees) as a specific cause for system unavailability. Both restoration and miscalibration were considered.

Pre-initiator actions to be quantified were identified and selected through a review of past PRAs. A limited number of pre-initiator human errors (7) were included in the IPE model, 4 calibration errors and 3 restoration errors. The pre-initiator events included in the model were selected following review of Callaway administrative controls related to system restoration and testing and calibration, incident reports, SOS reports, and LERs. Some actions were removed from further consideration by application of "qualitative screening" guidelines. Our review indicates that those guidelines were reasonable and consistent with practices seen in other accepted PRAs.

The approach used to quantify pre-initiators was to assign generic values taken from other PRAs performed on plants of similar design to the Callaway plant. We believe this approach could have deprived the licensee of full appreciation for the contribution which plant-specific pre-initiator type events have on CDF. However, it is not believed that the integrity of the overall analysis was impacted.

Post-Initiator Human Actions -

The Callaway HRA process addressed three subcategories (Types C1, C2 and C3) of post-initiator actions performed as part of the response to an accident. The subcategories treated under post-initiator events included:

C1  Manual backup on failure of automatic initiation, provided there is a clear step in the EOP or on the ESFAS status panel that indicates that the manual action should be taken.

C2  Operator actions performed as part of an EOP. These actions are those required to satisfy one of the critical safety functions and prevent core damage.

C3  Recovery actions to ensure a safety function that failed because of equipment malfunction.

The Callaway HRA addressed both response- and recovery-type post-initiator human actions.

The primary technique employed for quantification of C1 type errors identified as important and all C2 type post-initiator errors was the EPRI methodology summarized in EPRI NP-6560. Those C1 errors which were found to be unimportant were assigned values using a similar approach to that used for pre-initiator events. For important C1 errors and C2 errors, each response action is considered as a combination of two types of actions: 1) detection/diagnosis/decision, or "cognitive" action, and 2) manual action. Errors can occur in the cognitive action via failures in cognitive processing or procedural "mistakes", or they can occur by failing to process information in a timely manner. Errors in manual actions are considered manipulative "slips". The total HEP is a probabilistic combination of the probabilities of failure by each of the three mechanisms:

P1 - mistakes in cognitive processing
P2 - failure to process information in time
P3 - slips.

A range of generic values is provided for P1 and P3, along with guidance for the analyst to subjectively evaluate the plant-specific situation and select one of the screening values. The value for P2 is calculated from a "time reliability correlation" which provides HEPs as a function of the ratio of time required to time available for the operator action. Time available was determined from transient analysis codes. Required time was based on the judgment of analysts and operators, with some input from observed simulator exercises. Plant-specific performance shaping factors and dependencies were considered in the analysis. Comparison of the HEP values with values from other PRAs for similar actions indicates that, in general, the Callaway estimates are consistent with typical values used in accepted NRC PRAs (NUREG-1150) and other similar plant IPEs.

Important Operator Actions -

Based on Callaway's front-end analysis results, Union Electric identifies loss of offsite power as the single most important event in terms of risk. This event generated all of the station blackout core damage risk and most of the transient-induced RCP seal LOCA core damage risk. Human error and support system failures were identified as also being significant contributors to core damage sequences. The highest probability core damage sequence is a postulated flood in the basement of the control building due to rendering ESW system isolation valves inoperable during a Service Water System pipe break. In this scenario, loss of all service water results in a RCP seal LOCA without reactor coolant makeup. Both operator actions associated with the mitigation of RCP seal failure and operator action to isolate internal flooding are particularly significant. Other insights involving human actions are reflected in the plant enhancements and improvements.

E.4 Generic Issues and CPI

The licensee's consideration of generic safety issues (GSIs) and unresolved safety issues (USIs) and of containment performance improvements (CPI) recommendations are the subject of the front-end review, and back-end review, respectively. The Callaway IPE addresses two Unresolved Safety Issues (USIs), A-17, "Systems Interactions," and A-45, "Shutdown Decay Heat Removal Requirements." The licensee has included reasonable consideration of human actions in their assessment of these issues. Based on the Callaway analysis (reference IPE Sections 3.3.9 & 3.4.3), Union Electric considers both A-17 and A-45 to be resolved.

E.5 Vulnerabilities and Plant Improvements

Union Electric used the NUMARC 91-04, Severe Accident Closure Guidelines in order to define Callaway-specific vulnerabilities. The licensee states that no vulnerabilities were identified through the IPE process.

E.6 Observations

The following observations from our document-only review are seen as pertinent to NRC's determination of the adequacy of the Callaway submittal.

Utility personnel were involved in the development and application of PRA/HRA techniques to their facility, and associated walkdowns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built and as-operated plant. An independent review was performed which constitutes a reasonable process for an "in-house" peer review that provides some assurance that the IPE analytic techniques were correctly applied and documentation is accurate.

The licensee's HRA process considered human actions related to restoration/realignment of equipment following maintenance or test and miscalibration/maintenance errors. The process utilized by the licensee to identify and select the pre-initiator actions included review of procedures and discussion with plant personnel. No numerical screening process was employed to eliminate pre-initiator errors that were not important contributors to CDF. The qualitative guidelines for eliminating certain errors from consideration appear reasonable. A total of seven pre-initiator errors were included in the IPE model, two of which appear in the top 100 importance ranking based on risk reduction worth. Pre-initiator human errors were not quantified as Callaway-specific values, but assigned values for similar events taken from other PRAs. A fairly rigorous consideration of plant-specific factors was performed during qualitative screening of important events to be included in the model.

The licensee's process considered post-initiator human events that are needed to prevent an accident as well as to mitigate the consequences of an accident. Both response-type and recovery-type actions were addressed. The process used by the licensee to identify and select the post-initiator human events included review of procedures and discussions with appropriate plant personnel. The actions selected for quantification appear to be reasonably comprehensive and the HRA appears to have been consistent with the guidelines found in EPRI documents. No numerical screening was employed to eliminate post-initiator human errors which were not important contributors to CDF. No vulnerabilities were identified.
1.0 INTRODUCTION
This Technical Evaluation Report (TER) is a summary of the review of the human reliability analysis (HRA) presented as part of the Callaway Plant, Unit 1 Individual Plant Examination (IPE) submittal to the U. S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staff in their evaluation of the IPE and conclusion regarding whether the submittal meets the intent of Generic Letter 88-20. This section of the TER highlights findings from the technical review.

1.1 Review Process

The HRA review was a "document-only" process which consisted of essentially four steps:

(1) Comprehensive review of the IPE submittal focusing on all information pertinent to HRA.
(2) Preparation of a draft TER summarizing preliminary findings and conclusions, noting specific issues for which additional information was required from the licensee, and formulating requests to the licensee for the necessary additional information.
(3) Review of preliminary findings, conclusions and proposed requests for additional information (RAIs) with NRC staff and with "front-end" and "back-end" reviewers.
(4) Review of licensee responses to the NRC requests for additional information, and preparation of this final TER modifying the draft to incorporate results of the additional information provided by the licensee and finalize conclusions.

Findings and conclusions are limited to those that could be supported by the document-only review. No visit to the site was conducted. No discussions were held with plant personnel or IPE/HRA analysts, either during the initial review of the submittal or after receipt of licensee responses to NRC's request for additional information (RAI). No review of detailed "Tier 2" information was performed, except for selected details provided by the licensee in direct response to NRC RAIs. In general it was not possible, and it was not the intent of the review, to reproduce results or verify in detail the licensee's HRA quantification process. The review addressed the reasonableness of the overall approach with regard to its ability to permit the licensee to meet the goals of Generic Letter 88-20.

1.2 Plant Characterization

Callaway is a single-unit Westinghouse four-loop pressurized water reactor (PWR) plant rated at 3565 megawatts thermal (MWt). Commercial operation started in April 1985. Callaway and Wolf Creek are sister plants designed and constructed under the Standardized Nuclear Unit Power Plant System (SNUPPS) concept. The NRC front-end reviewer identified a number of Callaway design features that impact core damage frequency (CDF) relative to other PWRs, namely, ability to perform feed and bleed once through cooling, service water flexibility and redundancy, use of ESW system as a source of backup supply to auxiliary feedwater, eight hour battery life for turbine-driven AFW pump, semi-automatic Emergency Core Cooling system switchover, high temperature reactor coolant pump seals, and use of diesel-driven fire pump to feed a depressurized steam generator.

2.0 TECHNICAL REVIEW

2.1 Licensee IPE Process

2.1.1 Completeness and Methodology

The Callaway HRA was performed by Union Electric personnel. Significant utility staff involvement, plant walkdowns and document review helped to assure that the IPE/HRA represented the as-built, as-operated plant. Four different elements were employed in an independent review process, namely: 1) peer review (others within the group, but not working on the area of review), 2) an HRA expert from Halliburton NUS Corporation, 3) inter-departmental review, and 4) external review by Wolf Creek Nuclear Operating Corporation personnel. The HRA process addressed both pre-initiator and post-initiator actions. Pre-initiator actions (referred to as "Type A" human interactions in the IPE) considered included both restoration errors and miscalibration. Post-initiator actions (referred to as "Type C" human interactions in the IPE) included both response-type and recovery-type actions.

Pre-initiator human errors were quantified using generic data from other PRAs which was derived from the EPRI PRA Repository, NASC-142 (Reference 1) and the Handbook of Human Reliability Analysis for Nuclear Power Plant, NUREG/CR-1278 (Reference 2). Post-initiator human errors were quantified using the EPRI NP-6560 (Reference 3) approach. Plant-specific performance shaping factors and dependencies were considered in the analysis of post-initiator human errors.

2.1.2 Multi-Unit Effects and As-Built, As-Operated Status

The NRC review of the submittal attempts to determine whether the utility personnel were involved in the development and application of PRA techniques to their facility, and that the associated walkdowns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built and as-operated plant.

Multi-unit effects are not applicable for the Callaway facility.

Documentation used in the performance of HRA (Section 2.4.3) included: procedures, Callaway Licensee Event Reports and Incident Reports, maintenance work orders, Operating Logs, piping and instrumentation diagrams, piping isometric drawings, one-line and elementary electrical diagrams, electrical schematics, mechanical and electrical systems descriptions, and the FSAR. Submittal Section 2.4.5 provides a brief description of four categories of plant walkdowns (two each, in support of the Level 1 and Level 2 analysis) that were performed as part of the IPE process.

Overall, the submittal documentation indicates that the licensee took steps to provide reasonable assurance that the HRA-related aspects of the IPE model represented the as-built, as-operated plant during the time frame of the IPE development.

2.1.3 Licensee Participation and Peer Review

The NRC review of the submittal attempts to determine whether the utility personnel were involved in the development and application of PRA techniques to their facility, and that the associated walkdowns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built and as-operated plant.

2.1.3.1 Licensee Participation.

The overall PRA effort was under the direction of a Union Electric supervising engineer, Licensing and Fuel Safety Analysis and Reactor Design (SARD) Group. Assisting the licensee's SARD supervising engineer were eight SARD team members with diverse technical expertise. The HRA was performed by the SARD supervising engineer, with support from two Union Electric licensed SROs who have been or are currently involved in operator training at the Callaway plant. In addition, a consulting engineer from NUS supported the SARD supervising engineer during the treatment of human actions in the Level 2 and internal flooding analyses.

2.1.3.2 In-House and External Reviews.

Union Electric's review program for the IPE was comprised of four elements which include: 1) peer review, 2) consultant review, 3) interdepartmental review, and 4) an external review by Wolf Creek Nuclear Operating Corporation. The areas of emphasis in these reviews are as follows:

Peer Review - all PRA/IPE task documentation received a peer review by another individual within the SARD group to assure the IPE task reflected the design and operation of the Callaway plant and that the PRA/IPE methodologies were correctly applied.

Consultant Review - NUS reviewed the HRA to assure that the methodologies were correctly applied.

In our opinion, the reviews appear to constitute a reasonable process for an "in-house" peer review that provides some assurance that the IPE analytical techniques were correctly applied and that documentation is accurate.

2.2 Pre-Initiator Human Actions

Errors in performance of pre-initiator human actions (i.e., actions performed during routine operations and maintenance, such as failure to restore or properly align equipment after testing or maintenance, or calibration of system logic instrumentation) may cause components, trains, or entire systems to be unavailable on demand during an accident, and thus may significantly impact plant risk. The NRC staff review of the HRA portion of the IPE examines the licensee's HRA process to determine what consideration was given to pre-initiator human events, how potential events were identified, the effectiveness of the quantitative and/or qualitative screening process employed, and the processes for accounting for plant-specific performance shaping factors, recovery factors and dependencies among multiple actions.

2.2.1 Type of Pre-Initiator Human Actions Considered.

The Callaway HRA included a very limited number of pre-initiator actions (performed during maintenance, test, surveillance, etc.). A total of 7 pre-initiator actions were modeled which included 3 restoration type errors and 4 miscalibration type errors. The licensee acknowledges the relatively limited number of pre-initiator events compared to other PRAs, but defends their assessment with a fairly robust argument based upon Callaway's experience attributable to good administrative controls and procedures.

2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions.

The key concerns of the NRC staff review regarding the process for identification and selection of pre-initiator human events are: (a) whether maintenance, test and calibration procedures for the systems and components modeled were reviewed by the systems analyst(s), and (b) whether discussions were held with appropriate plant personnel (e.g., maintenance, training, operations) on the interpretation and implementation of the plant's test, maintenance and calibration procedures to identify and understand the specific actions and the specific components manipulated when performing the maintenance, test or calibration tasks.

Pre-initiator events selected for consideration in the HRA model were identified from a review of Callaway's administrative controls related to system restoration, testing and calibration, incident reports, SOS reports, and LERs.

Following the screening review, miscalibration errors were considered for the following actuation or control signals:

Safety injection
Reactor trip
Auxiliary feedwater start
Auxiliary feedwater transfer to ESW
ECCS transfer to containment sump
Containment spray actuation
Containment spray transfer to containment sump
Diesel generator fuel oil transfer control.

The licensee considers miscalibration events as rare. In support of this conclusion, an evaluation of human performance with respect to miscalibration events was performed by the Callaway Independent Safety Engineering Group (ISEG). The ISEG first reviewed the equipment used, the design, and the calibration procedures for the following functions:

AFW Transfer to ESW on Low Suction Pressure (LSP)
RWST Level
Diesel Generator Day Tank Level
Containment Pressure

Each function has redundancy but the events evaluated were presumed to have all channels incorrectly calibrated.

The ISEG also evaluated actions performed under the various tasks to identify potential human errors. Information from LERs, Callaway SOSs, calibration procedures, and human performance references was evaluated. As part of this process, interviews were conducted with I&C personnel to "walk-through" the calibration procedures and work processes. The major human performance issue identified was procedural usage which entails reading an instruction, performing the task called for and checking it off the checklist, retest, and restoration.
The AFW transfer on LSP, RWST level and containment pressure calibration procedures are listed as " continuous use" procedures (i.e., requires procedure to be in hand and step-by-step compliance). These instrument calibration procedures have check-off initials for critical steps.
The diesel generator day tank level calibration requires only a checklist attachment to be completed by the technician. The licensee stated in response to NRC's request for additional information that it is uncommon for the same technician to do all the channels. After each calibration, the individual device is checked against other indications which would highlight an instrument with an aberrant reading. All procedures have bounding readings (acceptable range) and any channel falling outside of the bounds requires review by the I&C supervisor.
Additionally, a number of recovery actions are present, namely, control room monitoring, procedural referencing, I&C supervisor involvement, calibration procedure verification and restoration, and procedural built-in checking. It is the licensee's position that these checks and balances facilitate detection and recovery of human error.
Similar arguments are offered for the low number of restoration errors identified. Union Electric's guidelines established to allow the fault tree analysts to screen potential restoration errors included:

General Component Guidelines:

Restoration following test or maintenance activities was treated the same.

Restoration errors (called faults in the IPE) were not postulated if the component had an indication in the control room which was verified on a daily basis and was readily apparent to the operators if out of position or if power was disconnected.

Restoration faults were not postulated if the components were included on a daily checklist.

Pump Guidelines:

Restoration following test or maintenance activities was treated differently.

Restoration errors following maintenance were not postulated if the pump was flow tested prior to return to service and had a technical specification requiring quarterly (or more frequent) testing requirements.

Restoration errors following testing were not postulated unless a lockout/maintenance circuit existed which was activated to test the pump and there was no control room indication that the lock-out was activated.

Manual Valve Guidelines:

Restoration following test or maintenance activities was treated the same.

Restoration errors were not postulated if there was double (independent) verification of position following test/maintenance and the valve was also verified in the correct position between test/maintenance events (e.g., on a checklist).

Restoration errors were not modeled if the valve was administratively controlled to be in its correct alignment as locked open, locked closed, or locked throttled and checked quarterly or more frequently.

Valves (Other than Manual) Guidelines:

Restoration following test or maintenance activities was treated the same.

Restoration errors were not postulated if the valve had an individual position indication in the control room and was included on a daily (or more frequent) checklist.

Restoration errors were not postulated if the valve received a signal to go to the correct position and a position indication light showed if power was not connected.

Restoration errors were not postulated if there was double (independent) verification of position following test/maintenance and the valve was also verified in the correct position between test/maintenance events (e.g., on a checklist).

Restoration errors were not postulated if the valve was administratively controlled to be in its correct alignment as locked open, locked closed, or locked throttled with motive power removed.

2.2.3 Screening Process for Pre-Initiator Human Actions.

In evaluation of pre-initiator events prior to the initial accident sequence quantification, a screening value of 0.1 was used for leaving a component in the wrong configuration and for sensor miscalibration. After initial accident sequence quantification, important events were evaluated by performing a more detailed review of errors used in past PRAs. Callaway justifies this approach based upon their detailed program of administrative controls in place which is stated as the basis for greatly reducing the likelihood of pre-initiator human error. The qualitative screening performed on the Callaway HRA is discussed in Section 2.2.2, above.

2.2.4 Quantification of Pre-Initiator Human Actions.

Quantification of pre-initiator events included in the model was done using generic data from other PRAs reported in EPRI, NSAC-152 (Reference 1) and technical reference, NUREG/CR-1278 (Reference 2). We found the pre-initiators and values assigned to be generally consistent with those seen in other PWR IPEs reviewed.
2.3 Post-Initiator Human Actions
Human errors in responding to an accident initiator, e.g., by not recognizing and diagnosing the situation properly, or failure to perform required activities as directed by procedures, can have a significant effect on plant risk, and in some cases have been shown to be dominant contributors to core damage frequency (CDF). These errors are referred to as post-initiator human errors. The NRC staff review determines the types of post-initiator errors considered by the licensee, and evaluates the processes used to identify and select, screen, and quantify post-initiator errors, including issues such as the means for evaluating timing, dependency among human actions, and other plant-specific performance shaping factors.
2.3.1 Types of Post-Initiator Human Actions Considered.
There are two important types of post-initiator actions considered in most PRAs: response-type actions, which include those human actions performed in response to the first level directives of the emergency operating procedures (EOPs); and, recovery-type actions, which include those performed to recover a specific failure or fault (primarily equipment failure/fault) such as recovery of offsite power or recovery of a front-line safety system that was unavailable on demand earlier in the event. The HRA process addressed three subcategories (Types C1, C2 and C3) of post-initiator actions performed as part of the response to an accident. The subcategories treated under post-initiator events included:
C1 Manual backup on failure of automatic initiation, provided there is a clear step in the EOP or on the ESFAS status panel that indicates that the manual action should be taken.
C2 Operator actions performed as part of an EOP. These actions are those required to satisfy one of the critical safety functions and prevent core damage.
C3 Recovery actions to ensure a safety function that failed because of equipment malfunction.
The Callaway HRA addressed both response- and recovery-type post-initiator human actions.
2.3.2 Process for Identification and Selection of Post-Initiator Human Actions.
The primary thrust of our review related to this question is to assure that the process used by the licensee to identify and select post-initiator actions is systematic and thorough enough to provide reasonable assurance that important actions were not inappropriately precluded from examination. Key issues are whether: (1) the process included review of plant procedures associated with the accident sequences delineated and the systems modeled; and, (2) discussions were held with appropriate plant personnel (e.g., operators and training staff) on the interpretation and implementation of plant procedures to identify and understand the specific actions and the specific components manipulated when responding to the accident sequences modeled.
Post-initiator response actions (Type C1 and C2) were identified from a review of Callaway's emergency operating procedures (EOPs) where the functions the operator needed to perform to prevent core damage or that it provided an alternative path to success, then it was modeled.
The submittal contains general details in Sections 3.3.3.3.1 through 3.3.3.3.7, indicating that procedures were reviewed and that operations and training personnel were appropriately involved in identification and review of operator actions. All response-type actions were included in the EOPs. Detailed documentation of the HEP calculations for specific example human actions was provided in response to an NRC request for additional information. Included were references to specific procedures associated with each response action quantified, and a summary of key points pertinent to the assessment of error probability. The purpose of each procedure/action is discussed, specific critical steps are identified, and important information such as instrumentation and displays is provided.
Recovery actions were identified from review of dominant sequences after initial quantification. Where it was determined that the conditions associated with a given failure in a cutset would result in the operator using a backup procedure, and it was judged that sufficient time was available to make the recovery action, the recovery action was included in the IPE model.
Comparison of human actions selected for incorporation into the IPE model with human actions typically included in other PWR PRAs did not identify any major actions applicable to Callaway that were not included. The actions identified by the NRC front-end reviewer as potentially important to IPE results were included in the model. We believe the licensee employed a systematic process to identify and select potential post-initiator actions which provided reasonable assurance that important actions were not overlooked.
2.3.3 Screening Process for Post-Initiator Response Actions.
C1 type human actions were set to a screening value of 0.1 in the initial sequence quantification. Following initial quantification, those C1 actions identified as important were subjected to the same detailed quantification process as C2 actions. All C2 actions identified were retained for analysis.
2.3.4 Quantification of Post-Initiator Human Actions.
2.3.4.1 Response-Type Actions. The primary technique employed for quantification of post-initiator errors was the EPRI methodology summarized in EPRI NP-6560L (Ref. 2). A graphic representation of the general logic of this model is presented in Figure 2-1 below.
[Figure 2-1 Conceptual Model of Operator Response to an Accident Event. The figure splits the response into a detection/diagnosis/decision stage and a manual action stage, with three failure paths: P1, F (NR Mistakes), cognitive processing or procedural mistakes; P2, F (non-response in a given time window), failure to process information in a timely manner; P3, F (NR Slips), manipulative slips. S = Success, F = Failure.]
Each response action is considered as a combination of two types of actions: 1) detection/diagnosis/decision, or "cognitive" action, and 2) manual action. Errors can occur in the cognitive action via failures in cognitive processing or procedural "mistakes", or they can occur by failing to process information in a timely manner. Errors in manual actions are considered manipulative "slips". The total HEP is a probabilistic combination of the three error probabilities P1, P2, and P3.
Estimates for P1
In the Callaway analysis, the probability P1 of an unrecovered cognitive "mistake" was assessed based on a table of generic values defined for the number of cognitive conditions satisfied for a task following a review of the EOPs and a review of the indications and aids available to the operator. A listing of the generic values for P1 and conditions assessed is provided in Table 2.3.4-1.
Table 2.3.4-1 Generic P1 Values and Conditions Considered
| Number of Conditions Satisfied | Value |
|---|---|
| 0 | 1.0E-05 |
| 1 | 1.0E-04 |
| 2 | 1.0E-03 |
| 3 | 1.0E-02 |
| 4 | 1.0E-01 |
| 5 | 0.5 |
Conditions Considered
1. Indication for action is weak (masked by other indications or procedural instructions are not clear).
2. Competition exists from other actions.
3. Action is not stressed in training (both simulator and classroom training).
4. Relatively little time is available to correct cognitive slips.
5. The action is counter-intuitive.
Callaway based the reasonability of these estimated values upon the results of the plant-specific procedure verification and validation program, simulating a wide spectrum of scenarios involving all EOPs, performed for Pennsylvania Power and Light (PP&L). Callaway also cites their participation in the V&V of the symptom-based Westinghouse Owners Group EOPs, the results of which are stated as being consistent with the findings of the PP&L effort. The original PP&L data is said to have justified a range of values for each number of conditions satisfied. The low end of this range was selected for Callaway based on Callaway's use of symptom-based EOPs and the Callaway SPDS. An arbitrary cut-off limit of 1.0E-05 was also imposed. Where human actions were borderline, positive attributes such as extremely clear instructions, well practiced evolutions, and ample time for recovery were also considered.
Estimates for P2
The method used for estimating P2 was the time reliability curve represented by the HCR/ORE correlations in the EPRI methodology. The value of P2 was calculated from the lognormal function:

$$P_2 = 1 - \Phi\left[\frac{\ln(T_w/T_m)}{\sigma}\right]$$

where
Tw = time window available
Tm = time required for recognition
σ = logarithmic standard deviation
Φ(x) = standard normal cumulative distribution

Estimates of the time window available, Tw, were based on the time behavior of plant processes obtained from existing Callaway transient analyses contained in the FSAR, EOPs, background analysis, other reference reports (i.e., WCAPs), hand calculations, or MAAP sensitivity studies. Time constraints for specific equipment or systems were determined from various functional requirements, such as allowable time to restore Component Cooling Water, lubrication systems, room cooling, or specific operating procedure limits.
Two methods were used to estimate the crew median response time, T1/2. The first method obtained estimates from numerous actual plant simulator exercises. The second method was expert opinion. A panel of SRO-trained members of the Callaway Training and ISEG departments provided time estimates for the operators to respond to a cue and initiate the necessary actions. A listing of the panel estimates and final selected values is provided in IPE Table 3.3.3-5.
Estimates for P3
For the estimation of manipulative error probabilities the licensee used a simplified logic model based on Callaway's two column EOP format. The left column identifies the preferred response. If steps in the left column are performed successfully, there will be a successful response to the initiating event. Thus, the left column steps are serial in nature. If a response in the left column cannot be obtained, the right column was listed and its appropriate type of manipulative or recognition errors were identified. Since all left steps are serial in nature, all errors were summed to obtain the total error. The parallel steps in the right column were also included in the model. First key right column steps were identified. The associated left column step was then assumed to fail and right column steps were specifically included in the overall serial error. For non-critical left column errors, the associated right column recovery responses were ignored.
Generic data from NUREG/CR-1278, Chapter 20 was used to quantify each slip or manipulative error. Operator stress was incorporated as a multiplier on the base value. Because multiple operators and the STA participate in the response to an EOP, along with the presence of the SPDS which reduces the probability of manipulative errors, the impact of these checks was also included as a multiplier on the base value. For human errors which had a long Tw, checking was also credited for staffing of the Technical Support Center (TSC) and Emergency Operations Facility (EOF), if activated. In most cases, single checking was included; however, if the activity was obvious to the entire control room crew, a second checker was included in some situations such as transferring to the wrong procedure or missing a step.
Dependencies between control actions were taken into consideration for P3 type actions. In the logic model, a distinction was made between the different ways of carrying out the task, i.e., either serial tasks or parallel tasks. The probability values could go from the probability of an effective single action for complete dependency (CD) to the sum of a number of actions for zero dependency (ZD). For a CD, the actions of the operator were considered to be closely coupled and may be considered to be one action. If p(n) is the error probability of the nth action, the total error probability for the serial task P3(s) is written as:

$$P_3 = p(1) + k\,p(2) + \cdots + k\,p(n)$$

where:
k = coupling coefficient (characteristic of the degree of dependency).
For complete dependency k = 0, and for zero dependency k = 1. A linear relationship between ZD and CD was assumed for intermediate dependence levels, as required. For normal serial tasks in the same EOP, a value of 1.0 was selected for the coupling coefficient.
Where a large number of similar tasks were involved, e.g., it is impossible to tell one valve from another, a multiplier equal to the number of similar components was used:

$$P_3 = M\,k\,p(1)$$
A value of 0.1-1.0 was used for the coupling coefficient based upon the number of similar components (the more the components, the lower the coupling coefficient).
Parallel tasks were treated for zero, low, moderate, high and complete dependence using the levels of dependency from NUREG/CR-1278, Table 20-17.
Consideration of Dependencies in Type C2 Actions.
An important concern in HRA is the treatment of dependencies. Human performance is dependent on sequence-specific response of the system and the humans involved. The likelihood of success for a given action is influenced by success or failure on a preceding action, performance of other team members in parallel or related actions, assumptions about the expected level of performance of other team members based on past experience, etc. Accounting for dependency among top-level actions in a sequence is particularly important. The human error probability estimates for HRA are conditional probabilities. If dependencies are not specifically accounted for, and HEPs are treated as independent, the probabilistic combination of HEPs can lead to an unrealistically low estimate of human performance overall, and to a significant underestimate of risk. The licensee's treatment of dependencies in post-initiator human actions is somewhat narrower in scope than typical, but appears to have been an effective means of quantifying the impact of the important dependencies.
Two types of dependencies were addressed for the Type C2 human actions: 1) the first is related to the effect on the time available for performing an action, and 2) the second is the question of cognitive dependency between sequential, or parallel, actions.
At the single human action level, dependency between the time allowable for recognition and decision making and the time needed to perform the action was considered. The time window (Tw) was determined by subtracting from it the mean time to complete the action. This modified time window was used in the HCR/ORE correlation. When two or more actions are performed either sequentially, or in parallel, and are part of the same general procedure, they are cognitively correlated. In these cases, the errors represented by probabilities P1 and P2 were used only once to model entry into the procedure.
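The P1 table lookup, the HCR/ORE lognormal expression for P2 with the reduced time window, and the serial and similar-component sums for P3 can be worked through as follows. This is an added example, not the licensee's or the reviewer's calculation: the median response time, sigma, action time and step probabilities are constructed values, and combining P1, P2 and P3 as independent failure paths is an assumption, since the report says only that the total HEP is a probabilistic combination of the three.

```python
import math

# Generic P1 values from Table 2.3.4-1, keyed by number of conditions satisfied.
P1_TABLE = {0: 1.0e-5, 1: 1.0e-4, 2: 1.0e-3, 3: 1.0e-2, 4: 1.0e-1, 5: 0.5}


def p1_cognitive_mistake(conditions_satisfied):
    """Look up P1 for the number of adverse cognitive conditions (0 to 5)."""
    if conditions_satisfied not in P1_TABLE:
        raise ValueError("conditions_satisfied must be an integer from 0 to 5")
    return P1_TABLE[conditions_satisfied]


def p2_non_response(t_window, t_median, sigma, t_action=0.0):
    """P2 = 1 - Phi(ln(Tw / Tm) / sigma).

    Tw is first reduced by the time needed to carry out the action, as the
    report describes for the single-action time dependency.
    """
    if t_median <= 0 or sigma <= 0:
        raise ValueError("t_median and sigma must be positive")
    effective_window = t_window - t_action
    if effective_window <= 0:
        return 1.0  # no time left for recognition and decision
    z = math.log(effective_window / t_median) / sigma
    return 0.5 * math.erfc(z / math.sqrt(2.0))  # identical to 1 - Phi(z)


def p3_serial(step_probs, k=1.0):
    """P3 = p(1) + k*p(2) + ... + k*p(n); k = 0 complete, k = 1 zero dependency."""
    if not step_probs:
        raise ValueError("at least one step probability is required")
    if not 0.0 <= k <= 1.0:
        raise ValueError("coupling coefficient k must lie in [0, 1]")
    return min(1.0, step_probs[0] + k * sum(step_probs[1:]))


def p3_similar_components(m, k, p_single):
    """P3 = M*k*p(1) for M indistinguishable components."""
    if m < 1 or not 0.0 <= k <= 1.0:
        raise ValueError("m must be >= 1 and k must lie in [0, 1]")
    return min(1.0, m * k * p_single)


def total_hep(p1, p2, p3):
    """ASSUMPTION: the action fails if any one of the three paths fails."""
    return 1.0 - (1.0 - p1) * (1.0 - p2) * (1.0 - p3)


def time_window_sweep(t_median=20.0, sigma=0.7, t_action=10.0):
    """Same action questioned at 1, 2 and 8 hours (times in minutes).

    All numeric inputs are constructed for illustration and are not meant
    to reproduce any value in the Callaway IPE.
    """
    p1 = p1_cognitive_mistake(1)
    p3 = p3_serial([1.0e-3, 1.0e-3, 3.0e-3], k=1.0)
    rows = []
    for hours in (1, 2, 8):
        p2 = p2_non_response(hours * 60.0, t_median, sigma, t_action)
        rows.append((hours, p2, total_hep(p1, p2, p3)))
    return rows


if __name__ == "__main__":
    for hours, p2, hep in time_window_sweep():
        print(f"Tw = {hours} h  P2 = {p2:.2e}  total HEP = {hep:.2e}")
```

As the window grows, P2 falls away and the total is left dominated by the time-independent P1 and P3 terms.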
2.3.4.2 Recovery-Type Actions. Recovery actions (Type C3) were estimated using the ORE method. However, in developing the values of these errors for use in the Callaway IPE, additional factors were considered by the licensee. Because C3 human actions involve equipment malfunction, often they cannot be accomplished due to a hardware malfunction. Therefore, some of the Callaway actions include a hardware-related failure probability which acts to decrease their likelihood for success.
In the Callaway event trees, recovery of certain systems is questioned at different, increasing times. Many of these top headings involve C3 human actions. For example, EF-XHE-FO-MANESW, OP-XHE-FO-ESW2HR, and OP-XHE-FO-ESW8HR all model the operator failing to align ESW to supply flow to the safety-related heat loads after failure of normal service water. While they are the same human action, the Loss of All Service Water Event Tree questions recovery at different times after loss of normal service water. Therefore, one difference among these basic events is the Tw assumed in the P2 calculation (1, 2 and 8 hours respectively). The event tree structure also makes use of these errors dependently. The licensee states they quantified the Type C3 actions using the ORE method, often including special adjustments necessary to reflect the action's mission in the Callaway fault or event trees. The licensee stated in response to an NRC RAI that only one recovery action was considered for a cutset.
2.3.4.3 Consideration of Operator Actions in the Level 2 Analysis. Callaway's Level 2 analysis included an objective to gain an understanding of operator actions which are important to risk. An extension of the Level 1 event trees was performed under the accident sequence delineation task to include key containment systems. The resultant plant response trees were used throughout the containment performance evaluation effort.
A conference call between NRC and the licensee revealed that other than operator actions included in the Level 1 event trees used, only AC power recovery was included in the Level 2 analysis. The AC power recovery values were taken from WCAP 10541 and NUREG-1032.
2.3.5 Generic Issues and CPI
The Callaway IPE addresses two Unresolved Safety Issues (USIs), A-17, "Systems Interactions," and A-45, "Shutdown Decay Heat Removal Requirements." The licensee has included reasonable consideration of human actions in their assessment of these issues. Based on the Callaway analysis (reference Sections 3.3.9 and 3.4.3 of the IPE), Union Electric considers both A-17 and A-45 to be resolved.
2.3.6 Flooding Analysis
The Callaway CDF contribution due to internal flooding is approximately 30%. The licensee recognized the benefit that any reduction of initiating event frequency and conditional probabilities of core damage from internal flooding would reduce core damage risk at Callaway. A task team comprised of members from Safety Analysis/PRA Group, Training, Engineering, Operations, Quality Assurance, and the Independent Safety Engineering Group was assigned to evaluate potential improvements for lowering internal flooding contribution to CDF. It was determined that the installation of a third centrifugal charging pump could provide mitigation to the core damage contribution from flooding and the loss of all CCW. Additionally, the provision of flood detection and control room annunciation, improved drainage, and flooding response procedures could all be beneficial in mitigating core damage resulting from flooding events. These potential modifications are being evaluated further by Union Electric.
2.4 Vulnerabilities, Insights and Enhancements
2.4.1 Vulnerabilities
Union Electric used the NUMARC 91-04, Severe Accident Closure Guidelines in order to define Callaway-specific vulnerabilities.
The licensee states in Section 3.4.2.5 of the IPE that no vulnerabilities were identified. However, the licensee says that some insights related to core damage risk, two of which include operator action, were gained. Under accident Group IIA, "Accident Sequences Involving an Induced LOCA with Loss of Primary Coolant Makeup or Adequate Heat Removal in Injection Phase", the failure to mitigate an RCP seal LOCA was found to comprise 1.0E-05 of the total 1.87E-05 CDF for this group. Union Electric believes that there is uncertainty with the CDF results based on uncertainties which exist with the primary issue itself; it is their position that the calculated frequency of this group is not reflective of Callaway. Additionally, in accident Group VII, "Internal Flooding Sequences", the Callaway analysis shows core damage from internal flooding primarily coming from flooding in three areas: service water piping in the basement of the control building; battery room flooding; and ESF switchgear room flooding. The licensee's position is that simplified methods in the analysis for modeling leak-before-break effects, the impact of normal surveillance on pipe break frequency, and the impact of operator action overstate the probability and consequence in these areas. These effects, combined with the overall uncertainty in pipe break probabilities and propagation model, result in a conservatively high CDF calculation.
2.4.2 Insights Related to Human Performance
Based on Callaway's front-end analysis results, Union Electric identifies loss of offsite power as the single most important event in terms of risk. This event generated all of the station blackout core damage risk and most of the transient-induced RCP seal LOCA core damage risk. Human error and support system failures were identified as also being significant contributors to core damage sequences. The highest probability core damage sequence is a postulated flood in the basement of the control building due to rendering ESW system isolation valves inoperable during a Service Water System pipe break. In this scenario, loss of all service water results in a RCP seal LOCA without reactor coolant makeup. Both operator actions associated with the mitigation of RCP seal failure and operator action to isolate internal flooding are particularly significant. Other insights involving human actions are reflected in the plant enhancements and improvements. Although no vulnerabilities are cited as having been identified, improvement of several procedurally directed operator actions is considered to have significant benefit on overall CDF. These actions and recommendations are discussed in TER Section 2.4.3, below.
Union Electric performed importance analysis for the Callaway accident sequence results. A number of operator actions appear in the listing of risk achievement worth and risk reduction worth, IPE Table 3.3.8-1. Table 2.4.2-1 lists those operator actions appearing in the top 100 basic events.
Table 2.4.2-1, Operator Action Basic Events Appearing in Top 100 F/V Importance Ranking in Order of Descending Risk Reduction Worth.
| Ranking | Event | Description | Value |
|---|---|---|---|
| 8 | OP-XHE-FO-CCWRHX | Operator fails to establish CCW flow to RHR exchanger | 1.64E-03 |
| 14 | OP-XHE-FO-ACRECV | Operator fails to recover vital AC | 6.34E-03 |
| 15 | OP-XHE-FO-ESW2HR | Operator fails to start and align ESW within 2 hours | 5.28E-01 |
| 20 | OP-XHE-FO-ESW8HR | Operator fails to start and align ESW within 8 hours | 3.24E-01 |
| 27 | BN-XHE-MC-RWST | Miscalibration of all RWST level channels | 5.00E-04 |
| 32 | EA-XHE-FO-SWSBO | Operator fails to realign SW to ESW - SBO | 4.57E-02 |
| 48 | NE-XHE-MC-DGDAY | Miscalibration of all DG Day Tank level channels | 5.00E |
| 49 | OP-XHE-FO-DEPTC | Operator fails to cooldown and depressurize - Loss of CCW | 9.72E-03 |
| 54 | OP-XHE-FO-SBOSGL | Operator fails to control steam generator level - SBO | 4.49E-03 |
| 86 | FB-XHE-FO-PORVIS | Operator fails to establish RCS feed and bleed path with PORVs | 2.77E-02 |
| 88 | FAILTOMNLINSRODS | Operator fails to manually insert rods | 2.10E-01 |
| 39 | AE-XHE-FO-MFWFLO | Operator fails to re-establish MFW flow | 5.42E-02 |
2.4.3 Human Performance Related Enhancements
Union Electric states in IPE Section 6.2 that some optional safety enhancements and plant improvements were identified during the Callaway analysis, which if implemented could reduce the already "acceptably low" probability of a core damage accident.
The enhancements where operator action contribute to lowering core damage risk include:
Addition of procedural guidance (and required hardware) to enable the operators to feed one or more steam generators with a diesel-driven firewater pump. Procedure FR-H.1 was modified and needed hardware acquired to enable the operators to accomplish the requisite actions prior to submittal of the IPE. Union Electric estimates that this enhancement reduces CDF (excluding flooding) by approximately 10%. However, this action was not credited in the IPE because the implementation of this change was not completed prior to compiling Callaway's CDF.
Addition of procedural guidance to re-establish normal service water should essential service water fail. There was no procedure that directed the operators to re-establish normal service water should ESW fail. A procedure was developed and, in addition, the loss of AC power procedure was revised to direct the operators to restore SW, after AC power is restored, for accidents where ESW has failed.
Addition of procedural guidance for running charging and safety injection pumps without component cooling water (CCW). There was no procedural guidance for running charging and safety injection pumps when CCW was lost. Without CCW, RCP seal injection, RCS makeup and feed and bleed core cooling were not available. Procedures were modified to include operator actions to help mitigate this event.
Additional procedural guidance to verify RHR pump room cooling at switchover to ECCS recirculation phase. Through the IPE effort, Callaway determined that many of the safety-related pumps which have room would not actually require room cooling to operate during an accident. An exception to this finding are the RHR pumps which do require room cooling during the ECCS recirculation phase. Procedures were changed to direct the operator to verify RHR pump room cooling at the time of switchover to recirculation. Also, the revised procedure provides guidance to assist the operators in providing RHR pump room cooling if the room cooler has failed.
3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS
The intent of our document-only review of the licensee's HRA process is to determine if the licensee's IPE met the intent of Generic Letter 88-20. The Generic Letter had four specific objectives for the licensee:
(1) Develop an overall appreciation of human performance in severe accidents; how human actions can impact positively or negatively the course of severe accidents, and what factors influence human performance.
(2) Identify and understand the operator actions important to the most likely accident sequences and the impact of operator action in those sequences; understand how human actions affect or help determine which sequences are important.
(3) Gain a more quantitative understanding of the quantitative impact of human performance on the overall probability of core damage and radioactive material release.
(4) Identify potential vulnerabilities and enhancements, and if necessary/appropriate, implement reasonable human-performance related enhancements.
With specific regard to the HRA, these objectives might be restated as follows:
(1) Develop an overall appreciation of human performance in severe accidents; how human actions can impact, positively or negatively, the course of severe accidents, and what factors influence human performance.
(2) Identify and understand the operator actions important to the most likely accident sequences and the impact of operator action in those sequences; understand how human actions affect or help determine which sequences are important.
(3) Gain a more quantitative understanding of the quantitative impact of human performance on the overall probability of core damage and radioactive material release.
(4) Identify potential vulnerabilities and enhancements, and if necessary/appropriate, implement reasonable human-performance-related enhancements.
The following observations from our document-only review are seen as pertinent to NRC's determination of the adequacy of the Callaway submittal:
1) Utility personnel were involved in the development and application of PRA/HRA techniques to their facility, and associated walkdowns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built and as-operated plant.
2) Callaway conducted reviews which appear to constitute a reasonable process for an "in-house" peer review that provides some assurance that the IPE analytic techniques were correctly applied and that documentation is accurate.
3) The licensee's HRA process considered human actions related to restoration/realignment of equipment following maintenance or test and miscalibration/maintenance errors. The process utilized by the licensee to identify and select the pre-initiator actions included review of procedures and discussion with limited plant personnel (i.e., no mention of maintenance personnel being involved in the review). No numerical screening process was employed to eliminate pre-initiator errors that were not important contributors to CDF. The qualitative guidelines for eliminating certain errors from consideration appear reasonable. Seven pre-initiator errors were included in the IPE model.
4) Pre-initiator human errors were not quantified as Callaway-specific values, but assigned values for similar events taken from other PRAs. A fairly rigorous consideration of plant-specific factors was performed during qualitative screening of important events to be included in the model.
5) The licensee's process considered post-initiator human events that are needed to prevent an accident as well as to mitigate the consequences of an accident. Both response-type actions and recovery-type actions were addressed.
6) The process used by the licensee to identify and select the post-initiator human events included review of procedures and discussions with appropriate plant personnel. The actions selected for quantification appear to be reasonably comprehensive and appear generally to have been consistent with the guidelines found in EPRI documents. No numerical screening was employed to eliminate post-initiator human errors which were not important contributors to CDF. It is our observation the licensee reasonably treated post-initiator human action events in the HRA.
7) No vulnerabilities were identified. However, a number of procedure enhancements were identified and subsequently implemented, but not credited in the IPE.
4. DATA SHEETS
Important Operator Actions/Errors:
The licensee did not identify major operator actions in the submittal. Our review of the Fussell-Vesely importance ratings for the top accident sequences listed in Table 3.3.8-1 suggests the following actions as most important:
Pre-Initiator Errors:
Miscalibration of all RWST level channels. (BN-XHE-MC-RWST)
Miscalibration of all DG Day tank level channels. (NE-XHE-MC-DGDAY)
Post-Initiator Errors:
Operator fails to establish CCW flow to RHR exchanger. (OP-XHE-FO-CCWRHX)
Operator fails to recover vital AC. (OP-XHE-FO-ACRECV)
Operator fails to start and align ESW within 2 hours. (OP-XHE-FO-ESW2HR)
Operator fails to start and align ESW within 8 hours. (OP-XHE-FO-ESW8HR)
Operator fails to realign SW to ESW - SBO. (EA-XHE-FO-SWSBO)
Operator fails to cooldown and depressurize - Loss of CCW. (OP-XHE-FO-DEPTC)
Operator fails to control steam generator level - SBO. (OP-XHE-FO-SBOSGL)
Operator fails to establish RCS feed and bleed path with PORVs. (FB-XHE-FO-PORVIS)
Operator fails to manually insert rods. (FAILTOMNLINSRODS)
Operator fails to re-establish MFW flow. (AE-XHE-FO-MFWFLO)
Operator fails to feed and bleed. (OP-XHE-FO-FANDB)
Human-Performance Related Enhancements:
Procedural enhancements identified in the Level 1 analysis:
1) Addition of procedural guidance (and required hardware) to enable the operators to feed one or more steam generators with a diesel-driven firewater pump.
2) Addition of procedural guidance to re-establish normal service water should essential service water fail.
3) Addition of procedural guidance for running charging and safety injection pumps without component cooling water (CCW).
4) Addition of procedural guidance to verify RHR pump room cooling at switchover to ECCS recirculation phase.
5. REFERENCES
1. Systematic Human Action Reliability Procedure (SHARP), Electric Power Research Institute (EPRI), EPRI NP-3583, 1984.
2. A Human Reliability Analysis Approach Using Measurements of Individual Plant Applications, EPRI NP-6560, 1989.
3. Handbook of Human Reliability Analysis for Nuclear Power Plants, NUREG/CR-1278, 1983.
4. EPRI PRA Repository, NSAC-152, 1990.
5. Operator Reliability Experiments Using Power Plant Simulators, EPRI NP-6937, 1990, Volumes 1-3.