ML20128K213
| Person / Time | |
|---|---|
| Site: | Pilgrim |
| Issue date: | 04/11/1996 |
| From: | Swanson P CONCORD ASSOCIATES, INC. |
| To: | NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| Shared Package | |
| ML20128K194 | List: |
| References | |
| CA-TR-93-019-13, CA-TR-93-19-13, NUDOCS 9610100301 | |
APPENDIX C
PILGRIM NUCLEAR POWER STATION INDIVIDUAL PLANT EXAMINATION TECHNICAL EVALUATION REPORT
(HUMAN RELIABILITY ANALYSIS)

CONCORD ASSOCIATES, INC.
Systems Performance Engineers
CA-TR-93-019-13

PILGRIM NUCLEAR POWER STATION TECHNICAL EVALUATION REPORT ON THE IPE SUBMITTAL HUMAN RELIABILITY ANALYSIS
FINAL REPORT
by P.J. Swanson
Prepared for U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research, Division of Systems Technology
Draft Report, May 1993
Final Report, April 11, 1996

11915 Cheviot Dr., Herndon, VA 22070, (703) 318-9262
725 Pellissippi Parkway, Knoxville, TN 37932, (423) 675-0930
6201 Picketts Lake Dr., Acworth, GA 30101, (404) 917-0690

Draft TER Completed, May 1993
Final TER, March 1996
Contract No. NRC-04-91-069, Task Order No. 13
TABLE OF CONTENTS

E. EXECUTIVE SUMMARY
E.1 Plant Characterization
E.2 Licensee IPE Process
E.3 Human Reliability Analysis
E.3.1 Pre-Initiator Human Actions
E.3.2 Post-Initiator Human Actions
E.4 Generic Issues and CPI
E.5 Vulnerabilities and Plant Improvements
E.6 Observations
1. INTRODUCTION
1.1 HRA Review Process
1.2 Plant Characterization
2. TECHNICAL REVIEW
2.1 Licensee IPE Process
2.1.1 Completeness and Methodology
2.1.2 Multi-Unit Effects and As-Built, As-Operated Status
2.1.3 Licensee Participation and Peer Review
2.2 Pre-Initiator Human Actions
2.2.1 Pre-Initiator Human Actions Considered
2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions
2.2.3 Screening Process for Pre-Initiator Human Actions
2.2.4 Quantification of Pre-Initiator Human Actions
2.3 Post-Initiator Human Actions
2.3.1 Types of Post-Initiator Human Actions Considered
2.3.2 Process for Identification and Selection of Post-Initiator Human Actions
2.3.3 Screening Process for Post-Initiator Actions
2.3.4 Quantification of Post-Initiator Human Actions
2.3.4.1 Consideration of Plant-Specific Factors for Response Actions
2.3.4.2 Consideration of Timing
2.3.4.3 Consideration of Dependencies for Response Actions
2.3.4.4 Quantification and Significance of Recovery Actions
2.3.4.5 Treatment of Operator Actions in the Internal Flooding Analysis
2.3.4.6 Treatment of Operator Actions in the Level 2 Analysis
2.3.4.7 GSI/USI and CPI Recommendations
2.4 Vulnerabilities, Insights and Enhancements
2.4.1 Vulnerabilities
2.4.2 IPE Insights Related to Human Performance
2.4.2.1 Important Operator Actions
2.4.2.2 Operator Recovery Actions Contributing to Sequences Being Screened Out
2.4.3 Human-Related Enhancements
3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS
4. DATA SUMMARY SHEETS
REFERENCES
E. EXECUTIVE SUMMARY

This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Pilgrim Nuclear Power Station (Pilgrim) Individual Plant Examination (IPE) submittal from Boston Edison Company (BECO) to the U.S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staff in their evaluation of the IPE and conclusion regarding whether the submittal meets the intent of Generic Letter 88-20.
E.1 Plant Characterization

Pilgrim is a single unit, BWR-3 with a Mark I containment. The unit began commercial operation in December 1972 and is rated at 1998 MWt and 687 MWe (net). The NRC front-end reviewer identified several Pilgrim design features of interest to the Level 1 analysis, these being, (1) a 345-kv bus and a secondary 23 Kv off-site power line are available to supply AC power to the plant, (2) hardened containment vent, (3) 14 hour battery lifetime, (4) a portable diesel driven air compressor can be manually attached to the plant compressed air system, (5) the feedwater pumps are motor-driven, allowing these pumps to inject at high pressure in sequences with MSIV closure, (6) Pilgrim has 2 safety valves and 4 relief valves (capacity smaller than for comparable plants), (7) a third non-safety grade diesel generator (Station Blackout Diesel Generator) to supply backup emergency AC power, and (8) ability to crosstie the Fire Water System with the Residual Heat Removal (RHR)/Low Pressure Core Injection (LPCI) systems. Pilgrim-specific operator actions associated with the Station Blackout Diesel Generator and Fire Water System crosstie to RHR/LPCI were identified as important contributors to CDF.
E.2 Licensee IPE Process

Pilgrim's IPE consists of a Level 1 and Level 2 Probabilistic Risk Assessment (PRA) without evaluation of external events. A limited scope IPEM based study done by Boston Edison in 1988 to support the BECO Safety Enhancement Program (SEP) was used as a foundation for the IPE effort. The licensee states that the IPE/PRA methodology follows conventional practice such as described in NUREG/CR-2300 (Reference 1). A two-step process was used to develop Human Error Probabilities (HEPs) in the Pilgrim HRA. An initial screening process based on guidelines developed from WASH 1400 (Reference 2), IDCOR BWR IPE Methodology (Reference 3), and the Technique for Human Error Rate Prediction (THERP) (Reference 4) was used to develop HEP values for fault tree and event tree quantification. The dominant human error contributors identified from the sequences quantified were then selected as candidates for detailed HRA. Detailed HRA was performed using THERP. The IPEM appears to have been used extensively to focus on important system interactions, human actions, and potential dominant accident sequences in creating the PRA. The licensee performed a sensitivity analysis as part of the IPE assessment. Human error was identified as a significant contributor to accident sequences leading to core damage. Also, several human-performance-related insights and possible enhancements were identified for future consideration. Pilgrim staff members with knowledge of plant design, operations and maintenance appear to have had significant involvement in the HRA process. BECO contracted the services of several outside consultants to help in the IPE effort. It is our opinion that the analyst employed a reasonable process for procedure reviews, interviews with operations staff, and plant walkdowns which helped to assure that the IPE represented the as-built, as-operated plant. In addition, the independent peer review of the HRA helped to assure appropriate use of HRA techniques.
E.3 Human Reliability Analysis

E.3.1 Pre-Initiator Human Actions.

The Pilgrim HRA considered a limited set of pre-initiator human actions. Operator failure to restore a system after test or maintenance and make other system alignments (i.e., operator fails to turn AC breaker fast transfer switch "ON") as directed by the plant operating procedures were appropriately treated in the licensee's analysis. However, no consideration was given for miscalibration type events. We consider the omission of miscalibration type errors a significant limitation in the HRA. In cases where miscalibration errors have been modeled, some PRAs have shown them to be a significant contribution to CDF. Certain parameters such as reactor water level are important in diagnosing the state of the plant and operational capability; improper calibration of instrumentation associated with these parameters can lead to important post-initiator operator errors and other system failures. By excluding miscalibration errors from the scope of the analysis, the licensee to some degree limited the potential for identification of contributors to plant risk.

The HRA analyst used a structured process based on flow charts derived from generally accepted methodologies to identify important restoration and alignment human errors. We consider the process used to be reasonable and capable of providing the licensee the opportunity to identify human actions of this type important to CDF. All pre-initiator events identified were retained in the fault trees for sequence quantification. An initial HEP was assigned using screening values derived from WASH 1400, the IDCOR IPEM, and THERP (NUREG/CR 1278) methodologies. Flow charts directed the analyst to eliminate some errors based on recovery factors and the assignment of screening values to those retained. The screening HEPs were then modified to account for plant-specific factors which may influence the action. Apparently dependencies were accounted for during adjustment of screening values. The pre-initiator HEP values assigned are generally consistent with like events seen in other IPEs we have reviewed.
E.3.2 Post-Initiator Human Actions.

BECO considered both response and recovery actions in their assessment of post-initiator human error. The assessment of pre-initiators included review of plant procedures (e.g., emergency/abnormal operating procedures or system instructions), information from plant walkdowns, and discussions with appropriate plant personnel (e.g., operators or training staff). Operator actions were identified and assigned an initial HEP using a formal "screening guideline" process similar to that used for pre-initiator events. The overall approach for identification of important operator actions appears to have included a thorough review of EOPs and response procedures by knowledgeable individuals, and as such afforded the licensee a reasonable opportunity for identification of important human actions. There is one significant exception: the assumption that the operators will always inhibit ADS based on Pilgrim's procedures. This assumption is said to be based on licensee's desire to avoid unnecessary complication in the already complex ATWS event tree. BECO's position is based on a GE study that shows no appreciable core damage would result even if the operator failed to inhibit ADS. Further, the GE study says that resultant reactor power and pressure rise from cold water insertion will overcome the discharge pressure of the low pressure systems and as such will be self-limiting. However, an uncontrolled low pressure injection complicates the operators' task to control RPV level and raises the potential for boron-washout. Cyclic operation of low pressure injection will have dependent effects on the other tasks which the operator(s) must be concerned with during this time period, i.e., actions to initiate SLC, increase vessel level in a controlled fashion, and/or maintain level to help assure proper boron mixing. By assuming the operator will always be successful in inhibiting ADS, the analyst omits the dependency effects on other operator actions that are included in the system model. As it turns out, the HRA analyst elected not to do detailed HRA for either SLC initiation or the operator's control of reactor vessel level; instead, the events were quantified using the original screening value or values from other studies, namely the GE study. We consider the assumption made for ADS inhibit unsupported and a limitation in the Pilgrim HRA.
Screening flow chart models are used to assign HEPs. System models and the fault trees were quantified using the screening HEPs, and important post-initiator human actions were identified for detailed HRA. The licensee states that dependencies were accounted for in all dominant cutsets to ensure there were no important accident sequences missed. However, detailed HRA was performed for only six operator actions using THERP. Operator actions not selected for detailed HRA were retained with their screening value. The licensee justifies the reasonability of retaining screening values for some events based on the estimated HEPs from the screening process being the same or more conservative than HEPs derived from detailed HRA. Generally we find that screening processes in most HRAs use higher values in the range of 0.1 to 0.5 to ensure important human actions and important sequences are not truncated. In the Pilgrim IPE however, some of the screening values used are in the "nominal" value range of 1.00E-03 or less. The licensee reviewed all dominant cutsets for accuracy and completeness to ensure that important human actions were not eliminated from the analysis and important sequences were not truncated because of their use of low values. They say that where multiple actions are found in short term sequences, they credited no more than one operator action. Further, all pertinent human elements in these cutsets were reviewed with all other components of that cutset and any dependencies were reviewed and incorporated. Additionally, BECO credits their low truncation value (1.00E-09) for eliminating substantial consequence; although a truncation limit of 1E-09 would not necessarily be considered "low" by many in the HRA community. Relatively few human actions with nominal HEP values are necessary to drive the overall sequence below 1.0E-09. Therefore, some sequences may have been eliminated.
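
The truncation concern described above can be shown numerically. The following is an added illustration, not part of the report or of the licensee's analysis: the cutsets, frequencies and probabilities are constructed, the 1.0E-09 limit is assumed to be a per-year frequency, and the conditional-probability formulas are the standard THERP dependence equations from NUREG/CR-1278. It goes slightly beyond the paragraph by also showing how crediting dependence between two operator actions changes what survives truncation.

```python
from math import prod

TRUNCATION_LIMIT = 1.0e-9  # value quoted in the report; per-year units are an assumption

# THERP equations for the conditional HEP of a task, given failure of the
# preceding task, by dependence level (n is the task's independent HEP).
THERP_DEPENDENCE = {
    "zero": lambda n: n,
    "low": lambda n: (1 + 19 * n) / 20,
    "moderate": lambda n: (1 + 6 * n) / 7,
    "high": lambda n: (1 + n) / 2,
    "complete": lambda n: 1.0,
}

# Constructed cutsets (hypothetical names and numbers, not Pilgrim data):
# initiating-event frequency per year, hardware failure probabilities,
# and the operator actions whose failure appears in the cutset.
CUTSETS = [
    {"name": "CS-A", "initiator": 1e-1, "hardware": [1e-3], "human": ["HA-1", "HA-2"]},
    {"name": "CS-B", "initiator": 1e-2, "hardware": [5e-3, 1e-2], "human": ["HA-3"]},
    {"name": "CS-C", "initiator": 1.0, "hardware": [1e-4], "human": []},
    {"name": "CS-D", "initiator": 1e-3, "hardware": [1e-4, 1e-3], "human": ["HA-1"]},
]

# Screening at "nominal" values (1.00E-03) versus the 0.1 to 0.5 range the
# reviewer describes as typical; 0.1 is used here as the least conservative end.
NOMINAL_HEPS = {"HA-1": 1e-3, "HA-2": 1e-3, "HA-3": 1e-3}
CONSERVATIVE_HEPS = {"HA-1": 0.1, "HA-2": 0.1, "HA-3": 0.1}


def cutset_frequency(cutset, heps, dependence="zero"):
    """Frequency of one cutset; later operator actions use the conditional HEP."""
    conditional = THERP_DEPENDENCE[dependence]
    human_terms = []
    for position, action in enumerate(cutset["human"]):
        hep = heps[action]
        human_terms.append(hep if position == 0 else conditional(hep))
    return cutset["initiator"] * prod(cutset["hardware"]) * prod(human_terms)


def retained(cutsets, heps, dependence="zero", limit=TRUNCATION_LIMIT):
    """Names of cutsets that survive truncation at the given limit."""
    return [c["name"] for c in cutsets
            if cutset_frequency(c, heps, dependence) >= limit]


def lost_to_low_screening(cutsets, low_heps, high_heps, limit=TRUNCATION_LIMIT):
    """Cutsets kept under conservative screening but truncated under low values."""
    kept_low = set(retained(cutsets, low_heps, limit=limit))
    return [n for n in retained(cutsets, high_heps, limit=limit) if n not in kept_low]


if __name__ == "__main__":
    for label, heps, dep in [
        ("nominal HEPs, independent", NOMINAL_HEPS, "zero"),
        ("nominal HEPs, high dependence", NOMINAL_HEPS, "high"),
        ("conservative HEPs, independent", CONSERVATIVE_HEPS, "zero"),
    ]:
        print(f"{label}:")
        for c in CUTSETS:
            f = cutset_frequency(c, heps, dep)
            status = "kept" if f >= TRUNCATION_LIMIT else "TRUNCATED"
            print(f"  {c['name']}: {f:.3e}  {status}")
    print("lost to low screening:",
          lost_to_low_screening(CUTSETS, NOMINAL_HEPS, CONSERVATIVE_HEPS))
```

With these constructed numbers, two cutsets that conservative screening would carry forward for detailed HRA never reach the analyst when nominal values are used, and one of them reappears as soon as the second operator action is treated as highly dependent on the first.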

The detailed HRA followed the THERP procedure to assign nominal values from appropriate THERP tables and modified these BHEPs to account for plant-specific dependencies and performance shaping factors. Our review of detailed quantification documentation indicates that generally the analyst was consistent with the recommendations of the THERP. In addition, the post-initiator HRA consideration of dependencies between event tree top events appears reasonable.

Times available for operator action were developed from MAAP and GE studies. Time required, i.e., expected time to complete an action, is not described in the submittal. The IPE reports time envelopes as hours from time-0 by which actions must be taken, which is believed to imply sufficient time is available. An NRC RAI requested a listing of the time available and the time required for operator actions to: (1) crosstie feedwater, (2) locally open LPCI injection valves, and (3) depressurize. Also requested for these events was the basis for the estimated times available, how different accident sequences were considered, how parallel actions were treated, and how the times required were decided. Based on the information provided it appears that Pilgrim's analysis included those factors typically assessed in other IPEs, but did not exercise conservatism typically seen when assigning action times based solely on analyst/operator estimates.

Recovery actions credited by the licensee include only those covered in the EOPs (actions by operators in response to events). Quantification of recovery actions followed a process similar to that used for response actions, i.e., some subjected to detailed HRA and some retained at the initial screening value. It is our observation that the licensee employed a reasonable process for the assessment of recovery actions in the Pilgrim analysis.

The licensee performed a sensitivity analysis which showed that the human actions that dominated were not of the "recovery" type. Actions identified by the licensee as noteworthy included failure to crosstie fire water system and failure to initiate direct torus vent. Two recovery actions were among those actions which would be above the NUREG 1335 reporting requirements if it were not for low human error rates. The first event was operator failure to connect a portable diesel operated air compressor to the essential air header supplying the normal vent valves from the primary containment. This action was associated with the loss of DHR sequences. The second event deals with the failure of the operator to open one of the two breakers feeding the safety related buses from the unit auxiliary transformer.

E.4 Generic Issues and CPI

The licensee's consideration of generic safety issues (GSIs), unresolved safety issues (USIs), and containment performance improvements (CPI) recommendations are the subject of the front-end review, and back-end review, respectively. Plant modification and changes related to Decay Heat Removal operation were identified during Pilgrim's IDCOR IPEM, which preceded issuance of Generic Letter 88-20. Two human reliability issues related to plant improvements for DHR were highlighted in the SEP study: (1) failure to align fire water system crosstie to RHR/LPCI systems, and (2) failure to align direct torus vent. BECO considered Unresolved Safety Issue A-45, "Shutdown Decay Heat Removal Requirements," resolved based upon the licensee's response to the SEP. Pilgrim's IPE did not identify additional important human actions or procedural enhancements related to DHR. No other USIs or GSIs were addressed in the IPE.

E.5 Vulnerabilities, Insights and Enhancements

Pilgrim defined vulnerability as any new or unusual means by which core damage or containment failure occur as compared to those identified in other PRAs, or the results suggest that the Pilgrim core damage frequency would not meet the NRC's safety goal for core damage. No vulnerabilities were identified in the Pilgrim IPE. The licensee did sensitivity analysis on the human data developed and identified a number of significant "insights" relating to human actions that influenced the results of the IPE to a greater level than other events. Both pre-initiator and post-initiator actions were identified as risk significant in the Pilgrim analysis. The most important human errors identified are:

- Operator failing to depressurize the reactor during transient (non-ATWS) conditions; is reported as the single largest human action contributor in the Fussell-Vesely importance ranking.
- Operator follows the loss of DC control power bus A or B procedure when other DC control power bus was previously lost. This action resulted in all feed pumps to be lost because of procedural direction to trip all loads on the AC buses associated with the DC bus lost. This insight was relayed to management and a procedure change was implemented to provide explicit instruction to the operators under such conditions.

Additional human errors that appear high on the list of "important actions" are:

- ATWS; those associated with operator failing to inject Standby Liquid, and the operator successfully controlling reactor water level after SLC injection.
- Low Pressure Injection; failing to follow the fire water crosstie procedure, failing to restore FWXT after test or maintenance, and failing to open the LPCI injection valve manually (if required).
- Decay Heat Removal; operator failing to align the direct torus vent.

Pilgrim's process for identifying vulnerabilities appears comprehensive and able to systematically identify "insights" as intended by Generic Letter 88-20. Human reliability insights gained through the IPE process led to several procedure and training modifications.

E.6 Observations

The following observations from our document-only review are pertinent to NRC's determination of whether the licensee's submittal meets the intent of Generic Letter 88-20:

The licensee's submittal included procedure reviews, interviews with operations staff, and plant walkdowns that helped to assure that the IPE represented the as-built, as-operated plant. An independent peer review of the HRA helped to assure appropriate use of HRA techniques.

Restoration and alignment human errors were reasonably treated in the HRA. However some contributors shown to be important in other PRAs were not considered at all and this is considered a significant limitation in the Pilgrim analysis. In particular, dismissal of calibration errors without significant plant-specific analysis is considered a limitation of the licensee's approach that could have led to overlooking potentially significant contributors to plant risk.

The process for selection and identification of significant human actions to include in the IPE model appears to have been reasonably comprehensive for post-initiator events and pre-initiator events to the extent considered. Both response-type and recovery-type post-initiator actions were included. Quantification of post-initiator errors employed two different approaches: nominal BHEPs were derived using a formal screening process based on WASH 1400, the IDCOR IPEM, and THERP (NUREG/CR 1278) methodologies and THERP was used to assess those actions that underwent detailed HRA. The licensee properly implemented the THERP procedure, and numerical results are generally similar to results in other PRAs that have used the method.

A significant limitation in the Pilgrim HRA is the licensee's assumption that the operators would always be successful in inhibiting ADS. This assumption is said to be based on licensee's desire to avoid unnecessary complication in the already complex ATWS event tree. BECO supports this position based on a GE study that shows no appreciable core damage would result even if the operator failed to inhibit ADS. It does not appear that the full impact of this assumption was taken into consideration as part of the HRA. As a result, HEPs for important operator actions in the ATWS scenario may have been optimistic.

Other limitations in the licensee's HRA include the assignment of relatively low screening values compared to what is generally seen and the assignment of time required for performance of an action.

1. INTRODUCTION

This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Pilgrim Nuclear Power Station (Pilgrim) Individual Plant Examination (IPE) submittal from Boston Edison Company (BECO) to the U.S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staff in their evaluation of the IPE and conclusion regarding whether the submittal meets the intent of Generic Letter 88-20.

1.1 HRA Review Process

The HRA review was a "document-only" process which consisted of essentially four steps:

(1) Comprehensive review of the IPE submittal focusing on all information pertinent to HRA.
(2) Preparation of a draft TER summarizing preliminary findings and conclusions, noting specific issues for which additional information was needed from the licensee, and formulating requests to the licensee for the necessary additional information.
(3) Review of preliminary findings, conclusions and proposed requests for additional information (RAIs) with NRC staff and with "front-end" and "back-end" reviewers.
(4) Review of licensee responses to the NRC requests for additional information, and preparation of this final TER modifying the draft to incorporate results of the additional information provided by the licensee.

Findings and conclusions are limited to those that could be supported by the document-only review. No visit to the site was conducted. It was not possible, and it was not the intent of the review, to reproduce results or verify in detail the licensee's HRA quantification process.

1.2 Plant Characterization

Pilgrim is a single unit, BWR-3 with a Mark I containment. The unit began commercial operation in December 1972 and is rated at 1998 MWt and 687 MWe (net). The NRC front-end reviewer identified several Pilgrim design features of interest to the Level 1 analysis, these being, (1) a 345-kv bus and a secondary 23 Kv off-site power line are available to supply AC power to the plant, (2) hardened containment vent, (3) 14 hour battery lifetime, (4) a portable diesel driven air compressor can be manually attached to the plant compressed air system, (5) the feedwater pumps are motor-driven, allowing these pumps to inject at high pressure in sequences with MSIV closure, (6) Pilgrim has 2 safety valves and 4 relief valves (capacity smaller than for comparable plants), (7) a third non-safety grade diesel generator (Station Blackout Diesel Generator) to supply backup emergency AC power, and (8) ability to crosstie the Fire Water System with the Residual Heat Removal (RHR)/Low Pressure Core Injection (LPCI) systems. Pilgrim-specific operator actions associated with the Station Blackout Diesel Generator and Fire Water System crosstie to the RHR/LPCI were identified as important contributors to CDF.

2. TECHNICAL REVIEW

2.1 Licensee IPE Process

2.1.1 Completeness and Methodology.

The Pilgrim IPE consists of Level 1 and Level 2 Probabilistic Risk Assessment (PRA) without evaluation of external events. The PRA used as a foundation the results of the limited scope IPEM based study performed by Boston Edison in 1988 to support the BECO Safety Enhancement Program (SEP). The IPE states that the PRA methodology follows conventional practice such as described in NUREG/CR-2300 (Reference 1). The HRA process addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). Restoration (misalignment) errors were the only contributors considered in the treatment of pre-initiator actions. The licensee's omission of miscalibration error is viewed as a significant limitation in the HRA. Post-initiator actions included both response-type and recovery-type actions. Plant-specific factors were considered in both pre-initiator and post-initiator analyses. The licensee used a two-step process to develop Human Error Probabilities (HEPs). A screening guideline developed from WASH 1400 (Reference 2), IDCOR BWR IPE Methodology (Reference 3), and the Technique for Human Error Rate Prediction (THERP) (Reference 4) was used to develop HEP values for input to the fault trees and event trees. Post-initiator human actions identified as dominant contributors in the sequences quantified were selected for detailed HRA. This analysis was performed using the THERP methodology. The licensee performed importance analysis as part of the IPE results assessment. Several human errors were identified as significant contributors in accident sequences leading to core damage, and human-performance-related insights and possible enhancements were identified for future consideration. Pilgrim staff with knowledge of plant design, operations and maintenance appear to have had significant involvement in the HRA process. BECO contracted the services of several consultants to help in the Pilgrim IPE/PRA. The licensee's HRA efforts were supported by Tenera.

2.1.2 Multi-Unit Effects and As-Built, As-Operated Status

Pilgrim is a single-unit site; multi-unit effects are not an issue.

The licensee's IPE process included review and assessment of plant documentation, multiple plant walkdowns, and review of several PRAs performed by others. The PRAs reviewed as reference plants include Big Rock Point, Zion, and Indian Point. Also cited as beneficial input to the Pilgrim IPE process was input from the previously completed IPEM that considered Shoreham, Limerick, and Peach Bottom. Plant documentation used in support of the HRA included plant operating history and Pilgrim-specific procedures. Revision 4, symptom-based BWR EOPs have been implemented at Pilgrim and are reflected in the IPE analysis. Additionally, the analyst used information collected during the task analysis from Pilgrim's Control Room Design Review, the HRA team's operating experience, and plant walkdowns. Walkdowns were performed to verify plant drawings and to address specific concerns that are plant location dependent including the effects of internal flooding, loss of control room cooling, and loss of off-site power. The location, separation, and accessibility of equipment for several safety systems were also checked during the walkdown. In addition, the analyst considered the results from the earlier IPEM process in which a team of five PRA specialists from Delian Corporation reviewed equipment location, accessibility, and general plant configuration. Specific to the IPE PRA effort, two Pilgrim HRA team members, experienced in operations, reviewed the Delian results and noted plant changes since the previous walkdown. A second walkdown performed by Pilgrim operations personnel focused on the primary containment to verify as-built status of vessel and containment parameters. Pilgrim operations personnel were interviewed and participated in the review of pertinent documentation. Based on the details provided in the submittal, it appears that the licensee made a substantial effort to assure that the technical information on plant equipment, operating procedures, etc. represent the current plant. It is our observation that the licensee took the appropriate steps to provide reasonable assurance that the HRA-related aspects of the IPE model represented the as-built, as-operated plant.
2.1.3 Licensee Particination and Peer Review.
The NRC review of the submittal attempts to determine whether the utility per'sonnel were involved in the development and application of PRA techniques to their facility, and that the associated walkdowns and documentation review constituted a viable process for confirming that the IPE represents the as-built and as-operated plant. The submittal provides evidence of considerable utility staff involvement in the IPE development process.
The BECO Systems and Safety Analysis Division was responsible for all the PRA/IPE analysis at Pilgrim. The PRA/IPE Program Manager was the single point of contact for IPE related activities and he reported to the BECO Nuclear Engineering Department Manager who had overall review and approval responsibility. The PRA/IPE Team consisted of five Senior Engineers. The discussion of the PRA/IPE team's credentials in Section 2.1.2.1 of the IPE indicates that considerable operations knowledge was represented in the IPE team.
Two levels of independent review were performed. One review was conducted by Pilgrim plant personnel and the other by an external peer review team. The internal peer review team was well staffed with individuals possessing the prerequisite disciplines and experience required. From a plant operations standpoint, the team was experienced and well qualified.
The extemal review involved detailed reviews of the front-end and back-end analysis, and a top-level review to look at the " big picture" issues. Participants in the external review include: Garbor, Kenton, and Associates, New Hampshire Yankee, Northeast Utilities, Tenera, and Yankee Atomic Electric Company. The strong representation of training, operations, and procedures experience is considered a strength in the Pilgrim IPE. In our opinion, the reviews appear to constitute a reasonable process for an "in-house" peer review that provides some assurance that the IPE analytic techniques were correctly applied and that documentation is accurate.
2.2 Pre-Initiator Human Actions
Errors in performance of pre-initiator human actions (i.e., actions performed during maintenance, testing, etc.) may cause components, trains, or entire systems to be unavailable on demand during an accident, and thus may significantly influence plant risk. Our review of the HRA portion of the IPE examines the licensee's HRA process to determine what consideration was given to pre-initiator human actions, how potential actions were identified, the effectiveness of quantitative and/or qualitative screening process employed, and the processes for accounting for plant-specific performance shaping factors, recovery factors, and dependencies among multiple actions.
2.2.1 Pre-Initiator Human Actions Considered.
The types of pre-initiator human errors considered in the Pilgrim HRA include failure to restore a system after test or maintenance or make other system alignments (i.e., operator fails to turn AC breaker fast transfer switch "ON") as directed by the plant operating procedures. The Pilgrim IPE did not consider human error that results in the miscalibration of instrumentation. We consider the omission of miscalibration a significant limitation in the licensee's HRA.
The licensee offered no justification in the submittal for excluding miscalibration. While it is generally true that such errors have been rarely identified as significant in PRAs, this is often because they have been excluded from the scope of the other PRAs. In those cases where miscalibration errors have been modeled, some PRAs have shown them to be a significant contribution to CDF. In addition, human errors involving instrumentation systems (including miscalibration errors) have played significant roles in operational events, such as those described in NRC operating experience reports (Reference 5). Certain parameters such as reactor water level are important in diagnosing the state of the plant and operational capability; improper calibration of instrumentation associated with these parameters can lead to important post-initiator operator errors and other system failures. By excluding miscalibration errors (particularly any common-cause errors) from the scope of the analysis, the licensee to some degree limited the potential for identification of contributors to plant risk.
2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions.
The key concerns of the NRC staff review regarding the process for identification and selection of pre-initiator human events are: (1) whether maintenance, test and calibration procedures for the systems and components modeled were reviewed by the systems analyst(s), and (2) whether discussions were held with appropriate plant personnel (e.g., maintenance, training, operations) on the interpretation and implementation of the plant's test, maintenance and calibration procedures to identify and understand the specific actions and the specific components manipulated when performing maintenance, test, or calibration tasks.
A "Fault Tree Development Guide" was used by the analyst to identify potential pre-initiator human errors. Flow charts guided the analyst through evaluation of proper alignment of systems and/or components following test or maintenance. In the evaluation process the analyst is asked to determine if test or maintenance:
(1) Disables the system, train, component, etc., - if not discard,
(2) Will the system, component, etc. automatically realign - if it will, discard, and
(3) Does the test or maintenance procedure have component status verification? - if verification is required, then a HEP value of 1.00E-03 is assigned, if not, a value of 1.00E-02 is assigned.
We consider the licensee's identification and selection process for restoration and alignment type events reasonable and capable of providing the opportunity for identification of the human actions which are important to CDF.
2.2.3 Screening Process for Pre-Initiator Human Actions.
No numerical screening process was used for pre-initiator human actions. The analyst performed a type of qualitative screening as part of the identification process discussed above. All pre-initiator events identified during the initial selection process were retained for sequence quantification at the original "screening" HEP value assigned.
2.2.4 Quantification of Pre-Initiator Human Actions.
Our review of the quantification of pre-initiator human actions emphasizes the degree to which the licensee performed a complete and rigorous assessment of the plant-specific performance shaping factors and dependencies that influence human error. We focus in particular on licensee actions to verify/justify assumptions made in quantifying human performance. Such actions may include, for example, examination of specific procedures, interviews with training, operations, and maintenance personnel, physical observation of components, walkthroughs of procedures, and evaluation of administrative controls such as tagging or independent verification.
Pilgrim's quantification of pre-initiator human error was performed in the initial screening process. In the licensee's response to an NRC request for additional information (RAI), BECO states that the bases for the values assessed were WASH 1400, the IDCOR IPEM Methodology and THERP (NUREG/CR-1278). Eleven pre-initiator events were included in the system fault trees as a result of the screening process. The values assessed for these actions were derived from flow charts which guided the analyst to assign a specific value. Table 2.2-1 lists the pre-initiators included in the fault trees. Pilgrim-specific factors appear to have been accounted for in the values used for quantification. The licensee states that dependencies were accounted for during adjustment of screening values. In one example provided for 4160 volt A3/A5 breaker maintenance, it appears that time sequence of maintenance activity, different maintenance procedure checklists, and differences in the type of breaker design were considered.
The HEP values for pre-initiator human errors are generally consistent with like events seen in other IPEs we have reviewed. The submittal could be improved if the licensee provided more detail of the actual analysis, but it does appear that the licensee's process afforded the opportunity to gain added insight from the review of dependency in maintenance practices.
Table 2.2-1, Pre-Initiator Human Errors Quantified in Fault Trees
| BASIC EVENT | DESCRIPTION | HEP |
|---|---|---|
| OCB4160H1Y | 4160 volt AC bus A1 breaker maintenance error | 1.00E-04 |
| OCB4160H2Y | 4160 volt AC bus A2 breaker maintenance error | 1.00E-04 |
| OCB4160H3Y | 4160 volt AC bus A3/A5 breaker maintenance error | 1.00E-04 |
| OCB4160H4Y | 4160 volt AC bus A4 breaker maintenance error | 1.00E-04 |
| OCB4160H5Y | 4160 volt AC bus A6 breaker maintenance error | 1.00E-04 |
| OSM169AXXY | Operator fails to turn AC breaker fast transfer switch on | 1.00E-04 |
| OWN2BNKAY | Failure to restore N2 bank A after maintenance | 1.00E-02 |
| OTLN2BNKBY | Failure to restore N2 bank B after maintenance | 1.00E-02 |
| OTKN2TRLRY | Failure to restore nitrogen trailer after maintenance | 1.00E-[illegible] |
| OVHTESTVLY | Operator fails to align SLC valves to proper configuration | 3.00E-03 |
| OVHTSTMA!Y | Operator fails to realign FWXT valves following test or maintenance | 3.00E-03 |
2.3 Post-Initiator Human Actions
Human errors in responding to an accident initiator, e.g., by not recognizing and diagnosing the situation properly, or failure to perform required activities as directed by procedures, can greatly affect plant risk. These errors are referred to as post-initiator human errors. Our review assesses the types of post-initiator errors considered by the licensee, and evaluates the processes used to identify and select, screen, and quantify post-initiator errors, including issues such as the means for evaluating timing, dependency among human actions, and other plant-specific performance shaping factors.
2.3.1 Types of Post-Initiator Human Actions Considered.
There are two important types of post-initiator actions considered in most nuclear plant PRAs: (1) response actions, which are performed in response to the first level directives of the emergency operating procedures/instructions (EOPs, or EOIs) and, (2) recovery actions, which are performed to recover a specific failure or fault, e.g., recovery of offsite power or recovery of a front-line safety system that was unavailable on demand earlier in the event. BECO considered both response and recovery actions in their assessment of post-initiator human error in the Pilgrim HRA.
2.3.2 Process for Identification and Selection of Post-Initiator Human Actions.
The primary thrust of our review related to this activity is to assure that the process used by the licensee to identify and select post-initiator actions is systematic and thorough enough to provide reasonable assurance that important actions were not inappropriately precluded from examination. Key issues are whether: (1) the process included review of plant procedures (e.g., emergency/abnormal operating procedures or system instructions) associated with the accident sequences delineated and the systems modeled and, (2) discussions were held with appropriate plant personnel (e.g., operators or training staff) on the interpretation and implementation of plant procedures to identify and understand the specific actions and the specific components manipulated when responding to the accident sequences modeled.
Operator actions were identified and assigned initial HEPs using a formal "screening guideline" process similar to that used for pre-initiator events. Post-initiator human actions considered include:
- 1) Repair and recovery of systems that fail or are unavailable during a transient, and
- 2) Actions that are taken by the operator in response to a transient that are specified by the EOPs and the satellite procedures.
Pilgrim's analysts considered the findings from the review of six plant PRA studies listed in NUREG-1335 in the identification process used for post-initiator events. Three of those plants, Shoreham, Limerick, and Peach Bottom, were used for comparison in the IDCOR IPEM performed as part of the PSE. The additional studies considered in the PRA/IPE include Big Rock Point, Zion, and Indian Point. The IPE submittal contains no specific comparison of human actions from these studies, and we made no detailed comparisons either. Other information was obtained during the review of procedures, interviews with plant operations personnel, and plant walkdowns.
A central point of the Pilgrim IPE is the accurate modeling of current Revision 4, symptom-based EOPs. We note that the total number of operator actions quantified in the IPE is relatively small compared to other IPEs reviewed, with eleven (11) of twenty (20) total risk significant human errors being post-initiators. No information is provided for how many actions were considered and not quantified because they were judged not to be important contributors to CDF by the analysts. We found at least one questionable assumption in the IPE, where it is stated "The ADS system is always assumed to be inhibited by the operator upon the first actuation (reactor water level @ -49 inches) of either timer," and again in Section 3.5.1.2, Loss of Feedwater Initiator with Reactor Coolant Inventory Failure (Summary of Class IA Dominant Accident Sequences), it is stated that the IPE quantification assumes that the operators will inhibit ADS based on Pilgrim's procedures. An NRC RAI asked BECO for additional information on their justification of this assumption. This assumption is said to be based on the licensee's desire to avoid unnecessary complication in the already complex ATWS event tree. BECO supports this position based on a GE study that shows no appreciable core damage would result even if the operator failed to inhibit ADS. The General Electric TRACG study (Reference 6) concludes that uncontrolled injection with low pressure systems during an ATWS will not result in substantial fuel damage or threaten the integrity of the reactor vessel. Further, the resultant reactor power and pressure rise from cold water insertion will overcome the discharge pressure of the low pressure systems and as such will be self-limiting. However, in the discussion of this issue on page,0.5-7 of the IPE, it is acknowledged that uncontrolled low pressure injection complicates the operator's task to control RPV level and raises the potential for boron-washout. Cyclic operation of low pressure injection will have dependent effects on the other tasks that the operators are trying to contend with during this time, i.e., initiate SLC, increase vessel level in a controlled fashion, and/or maintain level to help assure proper boron mixing. In assuming the operator will always be successful in inhibiting ADS, the analyst omits the dependency effects on other operator actions that are included in the system model. As it turns out, the HRA analyst elected not to perform detailed HRA for either SLC initiation or operator control of reactor vessel level; instead, the original screening value was retained or values resulting from other studies were used. We consider the assumption made for ADS inhibit unsupported and a limitation in the Pilgrim HRA.
In general, aside from the ADS inhibit assumption, the approach outlined for identification of important operator actions appears to have included a thorough review of EOPs and response procedures by knowledgeable individuals, and as such afforded the licensee a reasonable opportunity for identification of important human actions.
2.3.3 Screening Process for Post-Initiator Response Actions.
A numerical screening process was used to identify the most important post-initiator human actions to be selected for detailed HRA. The screening values were determined from flow chart models which were derived from several sources. The repair and recovery systems model was derived from the WASH 1400 time to repair model for valves. The model for routine operator actions for simple tasks is from the IDCOR BWR Methodology. For complex actions, the HEPs for simple tasks were multiplied by a factor of three. The remainder of the HEPs are said to have been derived from the work of Swain and Guttmann (NUREG/CR-1278). Here, for the probability that the operator will diagnose single and multiple annunciators, Table 12-4 of NUREG/CR-1278 was used to select values for situations in which the operator is trained to perform the task, a procedure is available for performing the task, and the operator is required to diagnose the situation.
The screening values derived were added to system models and the fault trees quantified. The licensee further states that dependencies were accounted for in all dominant cutsets to ensure there were no important accident sequences missed. Operator actions which contributed significantly to the baseline core damage frequency were selected for detailed HRA using THERP and the remaining actions retained at their respective screening value. The licensee rationalizes the reasonability for retaining screening values for some events by stating the estimated HEPs from the screening process, when compared to HEPs from detailed HRA for those operator actions determined to be significant contributors to CDF, were the same or more conservative. Generally we find that most screening processes use higher values, in the range of 0.1 to 0.5, for all accident scenarios, thereby ensuring that important human actions and important sequences are not truncated. In the Pilgrim IPE however, some of the screening values used are in the "nominal" value range of 1.00E-03 or less. In response to an NRC RAI on steps taken to ensure that important human actions were not eliminated from the analysis and important sequences were not truncated because of their use of low values, the licensee stated that all dominant cutsets were reviewed for accuracy and completeness. They say that where multiple actions are found in short-term sequences, they credited no more than one operator action. Further, all pertinent human elements in these cutsets were reviewed with all other components of that cutset and any dependencies were reviewed and incorporated. Additionally, BECO credits their low truncation value of 1.00E-09 for eliminating substantial consequence; although a truncation limit of 1E-09 would not necessarily be considered "low" by many in the HRA community. Relatively few human actions with nominal HEP values are necessary to drive the overall sequence below 1.0E-09 and therefore some sequences may have been eliminated.
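The truncation concern in Section 2.3.3 can be made concrete with the following added illustration, which is not taken from the IPE or from this review. The cutsets, initiator frequencies and hardware probabilities are constructed; the dependence equations are the THERP conditional-HEP equations of NUREG/CR-1278, and applying the same conditional value to every later action in a cutset is a simplifying assumption.

```python
"""Screening-HEP size versus cutset truncation. All cutset data are constructed."""
from math import prod

TRUNCATION = 1.00e-09    # truncation value cited in the review
NOMINAL_HEP = 1.00e-03   # "nominal" screening value cited in the review
CONSERVATIVE_HEP = 0.1   # low end of the 0.1 to 0.5 range the review calls typical

# THERP conditional-HEP equations (NUREG/CR-1278) for an action that follows
# a failed action; n is the independent HEP of the later action.
DEPENDENCE = {
    "zero": lambda n: n,
    "low": lambda n: (1 + 19 * n) / 20,
    "moderate": lambda n: (1 + 6 * n) / 7,
    "high": lambda n: (1 + n) / 2,
    "complete": lambda n: 1.0,
}

# Constructed cutsets: initiator frequency (per year), hardware basic-event
# probabilities, and the number of human actions appearing in the cutset.
CUTSETS = [
    {"id": "CS1", "init": 1.0e-01, "hw": [1.0e-03], "n_ha": 1},
    {"id": "CS2", "init": 1.0e-01, "hw": [1.0e-03], "n_ha": 2},
    {"id": "CS3", "init": 1.0e-02, "hw": [1.0e-02, 1.0e-02], "n_ha": 2},
    {"id": "CS4", "init": 1.0e-02, "hw": [], "n_ha": 3},
]


def conditional_hep(n, level):
    """HEP of a later action given failure of the preceding one."""
    return DEPENDENCE[level](n)


def cutset_frequency(cutset, hep, level="zero"):
    """Initiator frequency x hardware probabilities x human-action HEPs.

    The first human action is quantified at `hep`; every later action in the
    same cutset is quantified at the conditional value for `level`.
    """
    human = 1.0
    if cutset["n_ha"]:
        human = hep * conditional_hep(hep, level) ** (cutset["n_ha"] - 1)
    return cutset["init"] * prod(cutset["hw"]) * human


def retained(cutsets, hep, level="zero", truncation=TRUNCATION):
    """Ids of cutsets whose frequency is at or above the truncation value."""
    return [c["id"] for c in cutsets
            if cutset_frequency(c, hep, level) >= truncation]


def actions_to_truncate(base_frequency, hep, truncation=TRUNCATION):
    """Smallest number of independent actions at `hep` that pushes a sequence
    with the given initiator-times-hardware frequency below truncation."""
    count, freq = 0, base_frequency
    while freq >= truncation:
        freq *= hep
        count += 1
    return count


if __name__ == "__main__":
    cases = [
        ("nominal screening, independent", NOMINAL_HEP, "zero"),
        ("conservative screening, independent", CONSERVATIVE_HEP, "zero"),
        ("nominal screening, low dependence", NOMINAL_HEP, "low"),
    ]
    for label, hep, level in cases:
        print(f"{label:38s} retained: {retained(CUTSETS, hep, level)}")
    for hep in (NOMINAL_HEP, 0.5):
        print(f"HEP {hep:g}: {actions_to_truncate(1.0e-04, hep)} actions "
              "drop a 1E-04/yr sequence below truncation")
```

With independent nominal values only the single-action cutset survives truncation, while the same cutsets quantified with low dependence between actions keep two of the multi-action cutsets above 1.00E-09; those are the sequences a dependency review of dominant cutsets alone would never see.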
2.3.4 Quantification of Post-Initiator Human Actions.
The THERP Methodology was used to perform detailed HRA for those human actions determined to be most important from the screening analysis. Actually, only 6 of the 11 post-initiators identified underwent detailed quantification and the remaining HEPs were based on other studies or analysts' judgement. IPE submittal section Appendix A1 provides detailed discussion for those events selected for quantification. Our observation is that the analyst assigned nominal values from appropriate THERP tables and modified these BHEPs to account for plant-specific dependencies and performance shaping factors. Our review of the details in Appendix A1 also indicates that the analyst was generally consistent with the recommendations of the THERP procedure. Table 2.3-1 provides a listing of post-initiator human actions considered for detailed HRA and, where appropriate, the licensee's basis for electing to use a method other than THERP.
Table 2.3-1, Post-Initiator Human Actions Considered For Detailed HRA.
| EVENT | HEP | DESCRIPTION | THERP/OTHER |
|---|---|---|---|
| XDEPRESSXY | 9.35E-04 | Operator fails to depressurize RX (non-ATWS) | THERP |
| FDCPROC2XY | 1.00E-01 | Operator follows loss of DC procedure when both DC buses are lost | No detailed HRA - based on engineering judgement that operator would follow procedure only 10 percent of the time. |
| C4AN | 4.00E-02 | SLC injection before heat capacity temperature limit | No THERP analysis - based on studies by GE and others |
| C4A1 | 4.00E-02 | SLC injection fails before heat capacity temperature limit | No THERP analysis - based on studies by GE and others. |
| YFWXTPROCY | 8.33E-03 | Operator fails to follow fire water crosstie procedure | THERP |
| MXXDTVOPRY | 2.50E-01 | Operator fails to align direct torus vent | THERP |
| UH | 1.00E-02 | Operator fails to control level after SLC injection | No THERP analysis - based on screening value |
| AVENTCOMPY | 6.50E-03 | Fail to initiate SW cooling compensation measures | THERP |
| IUNJ29ABXY | 1.33E-02 | Operator fails to manually open LPCI injection valves | THERP |
| FDCPROC1XY | 9.97E-01 | Operator correctly follows loss of DC bus A(B) procedure upon loss of A DC bus | No detailed HRA - represents the complement of failure to follow short procedure with no check off (Table 20-7). |
| ADLGESBOXY | 5.00E-02 | Operator fails to complete blackout diesel generator procedure | THERP |
We noted several minor weaknesses in the analysis, but none were considered to represent significant limitations in the licensee's performance of the detailed HRA. For example:
XDEPRESSXY - Operator fails to depressurize Rx Vessel. NUREG/CR-1278 table selection and justification appear straight-forward and reasonable. However, the value for probability that the operator will fail (2.74E-03), and the value presented in Figure A1-1 and Table 3.3-l 2 (9.35E-04) do not coincide. In response to an NRC RAI, the licensee said that XDEPRESSXY was recalculated based on additional simulator data gathered, and the revised value of 9.35E-04 was used in the analysis. No details are provided for the additional simulator based assessment performed. IPE Section 2.1.2 notes that during the peer review process the head of operator requalification training considered this event's HEP to be conservatively high based on a high level of operator training. Further, the licensee states the HEP for this event was subsequently adjusted in response to the reviewer's concern. It would appear that the simulator evaluation is related to the resolution of this comment. However, in performing the original calculation the analyst already used an adjustment factor of X5 (THERP Table 20-16) reflecting that credit was taken for an operator who is "skilled" (i.e., experienced and licensed). Without explicit data to support otherwise, we consider the additional adjustment credited appears optimistic and unsupported.
FDCPROC2XY - Operator strips A&B AC buses upon loss of A&B DC buses as result of following procedures IAW PNPS 5.3.11 & 5.3.12. No detailed HRA was performed for this event; the licensee assumed a value 1.00E-01 based on engineering judgement that the operator would follow the associated procedure only 10 percent of the time. To assume such a high failure rate for following procedures is inconsistent with Pilgrim's treatment of a similar case, loss of DC bus during a LOCA event, and other procedure related operator actions. Specifically, the assumption contradicts the approach taken in basic event FDCPROC1XY, which considers the same basic problem starting with one bus already deenergized. In the latter case THERP Table 20-7 was used to assign a probability value of .003 for failing to follow a short procedure with no check off provision. The HEP is then calculated by taking the complement of the failure probability, i.e., 0.997. The procedures in question are system procedures which do not typically demand or receive the level of training exposure as would EOPs. The licensee states in response to an NRC RAI that this procedural deficiency was brought to Pilgrim's management attention during performance of the IPE and procedure changes were incorporated to provide more definitive guidance to the operators. We consider the action taken by BECo to be reasonable.
2.3.4.1 Consideration of Plant-Specific Factors for Response Actions.
Pilgrim's analysis of the operator error probabilities for failure to perform actions is said to include:
- Time available for action to be performed.
- Indication of the need for action.
- Stress on the operator.
- Successful performance of the associated actions.
- Number of members of the crew involved in the decision making and dependencies among them.
- Degree of difficulty of the operation.
- Hesitancy in performing the action.
In addition to the factors listed above, the screening process included the assessment of operator training and the adequacy of guidance given in the procedures used by the operators.
2.3.4.2 Consideration of Timing.
For some post-initiator operator actions, timing - time available vs. time required by the operators - is a critical determinant of likelihood of success. It is important to assure that the licensee's process for estimating both time available and the time necessary for operators to complete the required actions takes into account plant-specific conditions and provides realistic estimates. Plant-specific phenomenological analysis (accident analysis computer codes) should be used to determine the available time. Actual measures using currently licensed operators in realistic walk-throughs or control room simulator exercises is a preferred approach for estimating expected/necessary operator response time. Especially for local actions outside of the control room, it is important to assess time to get to the equipment, accessibility, possible impacts on timing of special clothing or environmental factors, etc.
Times available for operator actions were derived from MAAP and GE studies. Details of how Pilgrim determined time required, i.e., expected time to complete an action, are not described in the submittal. The IPE only reports time envelopes available for accomplishment of an action, or hours from time-0 by which actions must be taken, which is believed to imply sufficient time is available. An NRC RAI requested a listing of the time available and the time required for operator actions to: (1) crosstie feedwater, (2) locally open LPCI injection valves, and (3) depressurize. Also requested for these events was the basis for the estimated times available, how different accident sequences were considered, how parallel actions were treated, and how the times required were determined. Table 2.3-2 provides a summary of the licensee's response. Based on the information provided it appears that Pilgrim's analysis included those factors typically assessed in other IPEs. However, their determination of time required appears to be judgmental based on training/surveillance test experience and did not include procedure walkthroughs. The licensee stated in their response to the RAI that, "Operator Training and Requalification Training provide the basis for the time required to perform the firewater crosstie and depressurization maneuvers. The basis for manually opening the RHR injection valves in the field is based on engineering judgement and the results of surveillance tests." Observation of training to measure time is not mentioned, so it appears these estimates are based on recall of previous training. It is generally accepted in the human factors community that there is higher uncertainty with time estimates based on human judgement. Additionally, the estimates of time-required reported by the licensee and reproduced in Table 2.3-2 appear optimistic, i.e., shorter time periods are required than would be expected. We consider this a possible limitation in the licensee's analysis, which could ultimately result in lower HEPs than warranted.
Table 2.3-2, Summary of Timing Considerations for LPCI and Depressurization Related Analysis.
| Operator Action | Time Available | Basis for Time Available | Time Required | Basis for Time Required | Consideration for Different Sequence and Parallel Action |
|---|---|---|---|---|---|
| Operator fails to crosstie feedwater/firewater | 35 min. | Analyst judgement based on GE Report, NEDO-23708A | 10 to 15 min. | Operator training and requalification training. | Appears only under transient initiators - Licensee identified no sequential effects or concurrent actions. |
| Operator fails to locally open LPCI injection valves | 35 min. | Analyst judgement based on GE Report, NEDO-24708A | 10 min. | Operator training and requalification training. | Appears only under transient initiators - Licensee identified no sequential effects or concurrent actions. |
| Operator fails to depressurize | 30 to 40 min. | GE Report, NEDO-24708A | < 1 min. | Engineering judgement and results of surveillance tests. | ATWS and non-ATWS cases treated separately - Licensee identified no concurrent actions. |
2.3.4.3 Consideration of Dependencies for Dynamic Response Actions.
An important concern in HRA is the treatment of dependencies. Human performance is dependent on sequence-specific response of the system and of the humans involved. The likelihood of success on a given action is influenced by success or failure on a preceding action, performance of other team members in parallel or related actions, assumptions about the expected level of performance of other team members based on experience, etc. Accounting for dependency among top-level actions in a sequence is particularly important. Pilgrim's post-initiator HRA considered dependencies between event tree top events. Multiple action dependencies within sequences appear to have been appropriately accounted for in the flow-charts for screening analysis and in the detailed HRA calculations that appear consistent with the THERP quantification guidelines. A limitation in the Pilgrim analysis is that only a limited number of actions actually underwent detailed HRA; most actions were retained at the assigned screening value. Also, Pilgrim's screening values are low compared to those typically seen in other PRAs.
2.3.4.4 Quantification and Significance of Recovery Actions.
Only recovery actions covered in the EOPs (actions by operators in response to events) for which operators receive training were analyzed. Quantification of recovery actions followed a process similar to that used for response actions, i.e., some subjected to detailed HRA and some retained at the initial screening value.
The licensee's sensitivity analysis showed that the human actions that dominated were not of the "recovery" type. Actions identified by the licensee as noteworthy were failure to crosstie fire water system and failure to initiate direct torus vent. Two recovery actions were among those actions which would be above the NUREG 1335 reporting requirements if it were not for low human error rates. The first of these actions is the operator's failure to connect a portable diesel operated air compressor to the essential air header supplying the normal vent valves from the primary containment during the loss of DHR sequences. Setting this failure probability to 1 results in the probability of this class of accident going up by almost 250%. However, this increase results in CDF increasing by only about 5%, and the operator has in the order of one and one-half days to accomplish the action. The second event involves the failure of the operator to open one of the two breakers feeding the safety related buses from the unit auxiliary transformer, resulting in the buses failing to transfer to the startup transformer. The HEP for this action is taken from the screening value and is 1.2E-01. Increasing this value to 1 results in an increase in CDF of 14% for the class IIIC sequence and over 50% in class II sequence. Although the class II sequence CDF impact is significant, the licensee notes that the screening value used is already high and the operators have many hours to perform this operation before core damage occurs.
It is our observation that the licensee employed a reasonable process for the assessment of recovery actions in the Pilgrim analysis.
2.3.4.5 Treatment of Operator Actions in the Internal Flooding Analysis.
The Pilgrim IPE did not take credit for operator actions in their treatment of internal flooding analysis.
2.3.4.6 Treatment of Operator Actions in the Level 2 Analysis.
Human actions are considered in the back-end analysis. However, it does not appear that detailed HRA was performed for events specific to the containment analysis. During Containment Phenomenology Event Tree analysis, Containment Sequence Event Trees (CSETs) included operator actions for initiating drywell sprays and for failing to initiate containment venting. These basic events were set with values of either 1 or 0, as appropriate to the conditions within the vessel and the primary containment for each plant damage state. A more detailed assessment beyond the scope of this Step 1 document-only review is required to assess the reasonableness of specific results.
2.3.4.7 GSI/USI and CPI Recommendations.
The licensee's consideration of generic safety issues (GSIs), unresolved safety issues (USIs), and containment performance improvements (CPI) recommendations are the subject of the front-end review, and back-end review, respectively. Plant modification and changes related to Decay Heat Removal operation were identified during Pilgrim's IDCOR IPEM, which preceded issuance of Generic Letter 88-20. Two human reliability issues related to plant improvements for DHR were highlighted in the SEP study: (1) failure to align fire water system crosstie to RHR/LPCI systems, and (2) failure to align direct torus vent. BECO considered Unresolved Safety Issue A-45, "Shutdown Decay Heat Removal Requirements", resolved based upon the licensee's response to the SEP. Pilgrim's IPE did not identify additional important human actions or procedural enhancements related to DHR. No other USIs or GSIs were addressed in the IPE.
2.4 Vulnerabilities, Insights and Enhancements
2.4.1 Vulnerabilities.
The licensee used two criteria to identify vulnerability:
Are there any new or unusual means by which core damage or containment failure i
e occur as compared to those identified in other PRAs?
{
4 l
Do the results suggest that the Pilgrim core damage frequency would not be able to e
l meet the NRC's safety goal for core damage?
5 No vulnerabilities were identified by the licensee based on these criteria. However, there I
were significant " insights" developed relating to systems, components or actions which
]
influenced the results of the IPE to a greater level than other events. Human performance related insights are discussed in Section 2.4.2, below.
2.4.2 IPE Insights Related to Human Performance.
Sensitivity analysis was performed for the human data developed in HRA to provide insight as to the impact that the human reliability has on accident progression, and accident results quantified. Both pre-initiator and post-initiator actions were identified as risk significant in the Pilgrim analysis. The most important human errors identified by the licensee are shown in Table 2.4-1 below, by descending Fussell-Vesely (F-V) importance ranking.
Table 2.4-1 Risk Significant Human Errors

| BASIC EVENT | DESCRIPTION | HEP | FV IMPORTANCE |
|---|---|---|---|
| XDEFRESSXY | Opr. fails to depressurize Rx (non-ATWS) | 9.35E-04 | 1.25E-01 |
| FDCPROC2XY | Opr. follows loss of DC proc's. when both DC buses are lost. | 1.00E-01 | 4.92E-02 |
| C4AN | SLC injection before heat capacity temp. limit | 4.00E-02 | 3.08E-02 |
| YFWXTPROCY | Opr. fails to follow fire water crosstie proc. | 8.33E-03 | 1.92E-02 |
| MXXDTVOPRY | Opr. fails to align direct torus vent | 2.50E-01 | 1.24E-02 |
| C4A1 | SLC injection fails before heat capacity temp. limit | 4.00E-02 | 1.14E-02 |
| UH | Opr. fails to control level after SLC injection | 1.00E-02 | 1.08E-02 |
| AVENTCOMPY | Fail to initiate SW cooling comp. measures | 6.50E-03 | 8.59E-03 |
| YVHTSTMAIY | Opr. fails to realign SLC valves following test or maintenance | 3.00E-03 | 5.62E-03 |
| LVHTES1VLY | Opr. fails to align valves to proper configuration | 3.00E-03 | 3.08E-03 |
| RINJ29ABXY | Opr. fails to manually open LPCI injection valves | 1.33E-02 | 2.20E-03 |
| FDCPROCIXY | Opr. correctly follows loss of DC bus A(B) procedure upon loss of a DC bus | 9.97E-01 | 1.85E-03 |
| ACB5605AXY | Opr. fails to open ACB 505/506 by hand (AC model) | 1.20E-01 | 1.47E-03 |
| DBCD14XXXY | Opr. fails to align 125V charger D14 | 1.00E-04 | 9.84E-04 |
| NCMPORTXXY | Opr. fails to connect portable air compressor to essential header | 1.00E-02 | 8.22E-04 |
| ACB4160H3Y | 4160 volt bus A3/A5 breaker maintenance error | 1.00E-04 | 4.40E-04 |
| ADLGESBOXY | Opr. fails to complete blackout diesel gen. proc. | 5.00E-02 | 4.18E-04 |
| ACB4160H5Y | 4160 volt bus A6 breaker maintenance error | 1.00E-04 | 3.27E-04 |
| DGCD12NORE | DC battery charger not recoverable during maintenance | 6.80E-01 | 1.13E-04 |
| ACB5605DXY | Opr. fails to open ACB505/506 manually (DC model) | 1.00E-04 | 1.80E-05 |

2.4.2.1 Important Operator Actions. The importance of operator action to the estimated core damage frequency is discussed in Sections 5.2.1.1 and 5.2.1.2 of the submittal. IPE Section 3.3.3 provides a summary discussion of significant insights that are specifically attributable to improved operator actions through enhanced training and/or procedure. the summary sections of the submittal (Sections 1.4 and 7.0) as one of the major findings of the IPE. Two actions cited as particularly important include:
(1) Operator failing to depressurize the reactor during transient (non-ATWS) conditions; is reported as the single largest human action contributor in the Fussell-Vesely importance ranking.
(2) Operator follows the loss of DC control power bus A or B procedure when other DC control power bus was previously lost. This action resulted in all feed pumps being lost because of procedural direction to trip all loads on the AC buses associated with the DC bus lost. This insight was relayed to management and a procedure change was implemented to provide explicit instruction to the operators under such conditions.
Additional human errors that appear high on the list of important actions are:
(1) ATWS; those associated with operator failing to inject Standby Liquid, and the operator successfully controlling reactor water level after SLC injection.
(2) Low Pressure Injection; failing to follow the fire water crosstie procedure, failing to restore FWXT after test or maintenance, and failing to open the LPCI injection valve manually (if required).
(3) Decay Heat Removal; operator failing to align the direct torus vent.
2.4.2.2 Operator Recovery Actions Contributing to Sequences Being Screened Out. Table 2.4-2, below, provides a listing of sequences that, were it not for low human error rates in recovery actions, would have been above the applicable core damage frequency screening criteria. To identify operator actions that caused these sequences to be truncated, each basic event was set to a value of 1, and the PRA was requantified.
Table 2.4-2, Sequences Screened Out Because of Low Human Error Probabilities.

| HUMAN ACTION | HEP | SEQUENCE | ACCIDENT CLASS | BASELINE CDF | SENSITIVITY CDF |
|---|---|---|---|---|---|
| 4160 volt bus A3/A5 breaker maintenance error | 1.00E-04 | TWQUV | II | 8.79E-07 | 1.59E-04 |
| | | | IIIC | 9.04E-07 | 9.94E-05 |
| 4160 volt bus A6 breaker maintenance error | 1.00E-04 | TWQUV | IIIC | 9.04E-07 | 9.94E-05 |
| Operator fails to follow crosstie procedure | 8.33E-03 | ML2, LL2, LL4 | II | 8.79E-07 | 4.93E-05 |
| Operator fails to realign FWXT valves after test or maintenance | 3.00E-03 | TWQUV | II | 8.79E-07 | 4.70E-05 |
| Operator fails to connect portable air compressor to the essential air header | 1.00E-01 | ML2, LL2, LL4 | II | 8.79E-07 | 5.50E-06 |
| Operator fails to align direct torus vent | 2.50E-01 | TWQUV | II | 8.79E-07 | 3.06E-06 |
| Operator fails to open ACB505/605 by hand | 1.20E-01 | TWQUV | II | 8.79E-07 | 1.37E-06 |
| | | ML2, LL2, LL4 | IIIC | 9.04E-07 | 1.07E-06 |

The results of the sensitivity analysis show that the human errors which dominated were not recovery actions. The most dominant human error involved a pre-initiator event, namely, AC breaker maintenance errors which result in impact on feedwater, low pressure injection, decay heat removal, and the loss of AC to the battery chargers. Pre-initiator errors which impacted the fire water crosstie system included failure to align and restore after test or maintenance.
Pilgrim's process for identifying vulnerabilities appears comprehensive and able to systematically identify "insights" as intended by the Generic Letter.
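The requantification step described in Section 2.4.2.2, and its contrast with the Fussell-Vesely ranking of Table 2.4-1, can be reproduced on a small cut-set model. The following Python code is an added example, not part of the report or the licensee's PRA: the three HEPs and the 1.0E-09 truncation limit are values quoted in this review, while the cut sets, initiating-event frequency, hardware probabilities and function names are constructed for illustration.

```python
from math import prod

TRUNCATION = 1.0e-9  # truncation limit quoted in this review

# HEPs for the three human errors are the Table 2.4-1 values; the initiating-event
# frequency and hardware failure probabilities are constructed for illustration.
BASE = {
    "ACB4160H3Y": 1.00e-4,  # 4160 V bus A3/A5 breaker maintenance error
    "YFWXTPROCY": 8.33e-3,  # operator fails to follow fire water crosstie procedure
    "MXXDTVOPRY": 2.50e-1,  # operator fails to align direct torus vent
    "IE_TRANSIENT": 2.0,    # constructed, per year
    "HW_FW": 1.0e-2,        # constructed
    "HW_LPI": 1.0e-3,       # constructed
    "HW_DHR": 5.0e-4,       # constructed
}

# Constructed minimal cut sets (not the Pilgrim model).
CUT_SETS = [
    ("IE_TRANSIENT", "HW_FW", "HW_LPI", "YFWXTPROCY"),
    ("IE_TRANSIENT", "HW_FW", "HW_DHR", "MXXDTVOPRY"),
    ("IE_TRANSIENT", "ACB4160H3Y", "HW_FW", "HW_LPI"),
    ("IE_TRANSIENT", "ACB4160H3Y", "HW_LPI", "HW_DHR"),
]


def quantify(probs, limit=TRUNCATION):
    """Rare-event sum over cut sets; cut sets below the truncation limit are dropped."""
    freqs = {cs: prod(probs[e] for e in cs) for cs in CUT_SETS}
    kept = {cs: f for cs, f in freqs.items() if f >= limit}
    return sum(kept.values()), kept


def fussell_vesely(event, probs=BASE):
    """Fraction of the quantified CDF that comes from cut sets containing the event."""
    cdf, kept = quantify(probs)
    return sum(f for cs, f in kept.items() if event in cs) / cdf


def sensitivity(event, probs=BASE):
    """Set one basic event to 1.0, requantify, and list cut sets truncated at baseline."""
    base_cdf, base_kept = quantify(probs)
    sens_cdf, sens_kept = quantify({**probs, event: 1.0})
    unmasked = [cs for cs in sens_kept if cs not in base_kept]
    return base_cdf, sens_cdf, unmasked


if __name__ == "__main__":
    for ev in ("MXXDTVOPRY", "YFWXTPROCY", "ACB4160H3Y"):
        base, sens, unmasked = sensitivity(ev)
        print(f"{ev}: F-V={fussell_vesely(ev):.2e} base={base:.2e} "
              f"sens={sens:.2e} unmasked={len(unmasked)}")
```

In this constructed model the breaker maintenance error has the smallest F-V importance at baseline yet gives the largest requantified CDF, because forcing it to 1.0 brings a cut set that had been truncated back above the limit.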
2.4.3 Enhancements and Commitments.
In addition to improvements coming from the IPE, several issues addressed in other PRAs were identified for consideration, as were corrective measures taken as part of Pilgrim's SEP. These included installation of a hardened containment vent, an alternate source of injection into the vessel through fire water crosstie, installation of a third diesel generator, and installation of backup nitrogen supply for long term pneumatic control capability to the ADS for ATWS response. Significant improvements from the IPE effort include revisions to procedures and training. A number of improvements were identified and implemented with regard to emergency procedure guidelines, Rev. 4 changes. Specific to the IPE were proposed changes to loss of DC control power bus A or B, and one to allow operators to use fire water, via RHR crosstie, for drywell sprays.
Pilgrim enhancements coming from insights gained through the IPE process include:
- 2) HPCI/LPCI; procedure change to override automatic switchover of the HPCI pump from the CST to the suppression pool in the event of high suppression pool water level.
- 3) HPCI; procedure change to allow the operator to override the low pressure isolation for the RCIC steam line, thus permitting continued operation of the pump during events in which the reactor is depressurized.
- 4) Improved training content to emphasize importance of depressurization once ADS is inhibited.
3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS
The purpose of our document-only review is to enhance the NRC staff's ability to determine whether the licensee's IPE met the intent of Generic Letter 88-20. The Generic Letter had four specific objectives for the licensee:
(1) Develop an appreciation of severe accident behavior.
(2) Understand the most likely severe accident sequences that could occur at its plant.
(3) Gain a more quantitative understanding of the overall probability of core damage and radioactive material releases.
(4) If necessary, reduce the overall probability of core damage and radioactive material release by appropriate modifications to procedures and hardware that would prevent or mitigate severe accidents.
With specific regard to the HRA, these objectives might be restated as follows:
(1) Develop an overall appreciation of human performance in severe accidents; how human actions can impact positively or negatively the course of severe accidents, and what factors influence human performance.
(2) Identify and understand the operator actions important to the most likely accident sequences and the impact of operator action in those sequences; understand how human actions affect or help determine which sequences are important.
(3) Gain a more quantitative understanding of the quantitative impact of human performance on the overall probability of core damage and radioactive material release.
(4) Identify potential vulnerabilities and enhancements, and if necessary/appropriate, implement reasonable human-performance-related enhancements.
The following observations from our document-only review are seen as pertinent to NRC's determination of the adequacy of the Pilgrim submittal:
(1) Procedure reviews, interviews with operations staff, and plant walkdowns helped to assure that the IPE represented the as-built, as-operated plant. An independent peer review of the HRA helped to assure appropriate use of HRA techniques.
(3) Pre-initiator human actions were considered in the analysis, though limited in scope. In particular, dismissal of calibration errors without significant plant-specific analysis is considered a limitation of the licensee's approach that could have led to overlooking potentially significant contributors to plant risk.
(4) The process for selection and identification of significant human actions to include in the IPE model appears to have been reasonably comprehensive. Both response-type and recovery-type actions were included. Quantification of post-initiator errors employed two different approaches - nominal BHEPs were derived using a formal screening process based on WASH-1400, the IDCOR IPEM, and THERP (NUREG/CR-1278) methodologies and THERP was used to assess those actions that underwent detailed HRA. The licensee properly implemented the THERP procedure where used, and numerical results are generally similar to results in other PRAs that have used the method.
(5) The licensee assumed that the operators would always be successful in inhibiting ADS. This assumption is said to be based on licensee's desire to avoid unnecessary complication in the already complex ATWS event tree. BECO supports this position based on a GE study that shows no appreciable core damage would result even if the operator failed to inhibit ADS. It does not appear that the full impact of this assumption was taken into consideration as part of the HRA. As a result, HEPs for important operator actions in the ATWS scenario may have been optimistic.
(6) The licensee's HRA used relatively low screening values compared to what is generally seen in typical PRAs. This coupled with a fairly high truncation limit of 1.0E-09 could have resulted in the elimination of a number of important sequences.
(7) Time required to perform an action appears to have been based on estimates from past training and analyst judgement. Such estimates generally have been found to err in the non-conservative direction. Values provided for a limited number of examples suggest an assessment process which generated optimistic times, i.e., 10 to 15 minutes to crosstie firewater to the Feedwater System and 10 minutes to accomplish manual opening of local LPCI injection valves.
4. DATA SUMMARY SHEETS
Important Operator Actions/Errors:
- Operator fails to depressurize Rx (non-ATWS)
- Operator follows loss of DC procedures when both DC buses are lost
- SLC injection before heat capacity temperature limit (C4AN & C4AI)
- Operator fails to follow fire water crosstie procedure
- Operator fails to align direct torus vent
- Operator fails to control level after SLC injection
- Fail to initiate SW cooling compensation measures
- Operator fails to realign SLC valves following test or maintenance
- Operator fails to align valves to proper configuration
- Operator fails to manually open LPCI injection valves
- Operator correctly follows loss of DC bus A(B) procedure upon loss of a DC bus
- Operator fails to open ACB505/605 by hand (AC model)
- Operator fails to align 125V charger D14
- Operator fails to connect portable air compressor to essential header
- 4160 volt bus A3/A5 breaker maintenance error
- Operator fails to complete blackout diesel generator procedure
- 4160 volt bus A6 breaker maintenance error
- DC battery charger not recoverable during maintenance
- Operator fails to open ACB 505/605 manually (DC model)
Human-Performance Related Enhancements:
- Feedwater DC dependencies identify need for procedure changes.
- HPCI/LPCI; procedure change to override automatic switchover of the HPCI pump from the CST to the suppression pool in the event of high suppression pool water level.
- HPCI; procedure change to allow the operator to override the low pressure isolation for the RCIC steam line, thus permitting continued operation of the pump during events in which the reactor is depressurized.
- Improved training content to emphasize importance of depressurization once ADS is inhibited.
REFERENCES
1) PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants. NUREG/CR-2300, January 1983.
2) Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Power Plants. WASH-1400 (NUREG-75/014), U.S. Nuclear Regulatory Commission, October 1975.
3) BWR Individual Plant Evaluation Methodology. IDCOR Technical Report T86.3B1, Vol. 1 & 2, March 1987.
4) Swain, A.D. and Guttmann, H.E., Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications. NUREG/CR-1278, August 1983 (Final Report).
5) Kauffman, J. V., et al., Operating Experience Feedback Report - Human Performance in Operating Events. NUREG-1275, Vol. 8, U.S. Nuclear Regulatory Commission, Washington, DC, December 1992.
6) General Electric Company, TRACG Analysis Assuming Uncontrolled Low Pressure Injection (unpublished).