Text

...

jk*4g 1

{

/Aj

-1 UNITED STATES

,W E'

j NUCLEAR RESULATORY COMMISSION

't WASHINGTON, D.C. 20556 0001

%,.....p Decenber 19, 1996 Mr. Nicholas J. Liparulo, Manager l

i Nuclear Safety and Regulatory Analysis Nuclear and Advanced Technology Division Westinghouse Electric Corporation P.O. Box 355 Pittsburgh, Pennsylvania 15230

SUBJECT:

COMMENTS ON AP600 RELATED CPEN ITEMS ASSOCIATED WITH EL THE HUMAN FACTORS ENGINEERING PROGRAM REVIEW MODEL (HFEP

Dear Mr. Liparulo:

In a letter to Westinghouse dated June 20, 1996, the Nuclear Regulatory Commission staff provided comments on a draft AP600 WCAP-14651, " Integration of Human Reliability Analysis with Human Factors Engineering Design Implemen-tation Plan."

WCAP-14651 addresses Element 6 of the HFEPRM which involves the interrelation among the activities conducted by the man-machine design group, the procedures development group, the probabilistic risk assessment group, and the human reliability analysis group.

Westinghouse revised the report to address the staff's comments and submitted Revision 1 of WCAP-14651 in a

)

letter dated October 9, 1996. The staff has provided an update on the current status of the human factors review of the AP600 design certification related to Element 6 of the HFEPPJi based on the revised WCAP-14651 and Section 18.7 of i

the AP600 standard safety analysis : port (SSAR) as an enclosure to this letter.

As a general comment, not confined to the Element 6 human factors review, the staff has noted that the WCAPs referenced in Chapter 18 of the AP600 SSAR (Revision 9) do not provide information on the specific revision or issue date. The references in Chapter 18 of the SSAR should be corrected to properly identify the applicable version of the WCAPs used by the staff to make its safety evaluation.

)

se ME CBgm COPY pcf 9612230210 961219 PDR ADOCK 05200003 A

PDR

1 Mr. Nicholas J. Liparulo Decernber 19, 1996 If you have any questions regarding this matter, you can contact me at (301) 415-1141.

Sincerely, original signed by:

1 William C. Huffman, Project Manager Standardization Project Directorate Division of Reactor Program Management Office of Nuclear Reactor Regulation Docket No.52-003

Enclosure:

AP600 DSER Open Item Resolution of Element 6, i

Human Reliability Analysis cc w/ enclosure:

i See next page DISTRIBUTION-i

! Docket File. '

PDST R/F TMartin PUBLIC DMatthews TRQuay TKenyon BHuffman JSebrosky DJackson JMoore, 0-15 B18 WDean, 0-17 G21 ACRS (11)

BBoger, 0-10 H5 CThomas, 0-10 D24 JBongarra, 0-10 D24 i

DOCUMENT NAME: A:EL-6REV1.LTR Ta seceive e copy of this elecument,indsete in the boa: 'C' = Copy without attachment /encloswo

• E" = Copy with attachment /encloswo

• N* = No copy 0FFICE PM:PDST:DRPM l

BGAMFIF,BARett- /A:PDST:DRPM l

NAME WCHuffm(n( W ChdEIW TRQuayq?4 DATE 12//t/96 12/#796 12/M/96 j

0FFICIAL RECORD COPY

i Mr. Nicholas J. Liparulo Docket No.52-003 Westinghouse Electric Corporation AP600 i

1

~

cc: Mr. B. A. McIntyre Mr. Ronald Simard, Director Advanced Plant Safety & Licensing Advanced Reactor Programs 1

Westinghouse Electric Corporation Nuclear Energy Institute Energy Systems Business Unit 1776 Eye Street, N.W.

P.O. Box 355 Suite 300 i

Pittsburgh, PA 15230 Washington, DC 20006-3706 i

Mr. John C. Butler Ms. Lynn tonnor Advanced Plant Safety & Licensing Doc-Search Associates Westinghouse Electric Corporation Post Office Box 34 1

Energy Systems Business Unit Cabin John, MD 20818 Box 355 Pittsburgh, PA 15230 Mr. James E. Quinn, Projects Manager LMR and SBWR Programs Mr. M. D. Beaumont GE Nuclear Energy 4

Nuclear and Advanced Technology Division 175 Curtner Avenue, M/C 165 Westinghouse Electric Corporation San Jose, CA 95125 One Montrose Metro 11921 Rockville Pike Mr. Robert H. Buchholz Suite 350 GE Nuclear Energy Rockville, MD 20852 175 Curtner Avenue, MC-781 San Jose, CA 95125 Mr. Sterling Franks U.S. Department of Energy Barton Z. Cowan, Esq.

NE-50 Eckert Seamans Cherin & Mellott 19901 Germantown Road 600 Grant Street 42nd Floor Germantown, MD 20874 Pittsburgh, PA 15219 Mr. S. M. Modro Mr. Ed Rodwell, Manager Nuclear Systems Analysis Technologies PWR Design Certification Lockheed Idaho Technologies Company Electric Power Research Institute Post Office Box 1625 3412 Hillview Avenue Idaho Falls, ID 83415 Palo Alto, CA 94303 Mr. Frank A. Ross Mr. Charles Thompson, Nuclear Engineer U.S. Department of Energy, NE-42 AP600 Certification Office of LWR Safety and Technology NE-50 19901 Germantown Road 19901 Germantown Road Germantown, MD 20874 Germantown, MD 20874

AP600 DSER Open Item Resolution Element 6 Human Reliability Analysis To address Eltoent 6 open items, Westinghouse first submitted a document entitled " Integration of Human Reliability Analysis with Human Factors Engineering Design Implementation Plan" (Westinghouse Implementation Plan) transmitted by fax on May 24, 1995. This was reviewed by the NRC staff in the summer of 1995, and results transmitted to Westinghouse in September 1995.

In May 1996, Westinghouse submitted draft WCAP-14651, " Integration of Human Reliability Analysis with Human Factors Engineering Design Implementation Plan."

This new document was reviewed and the open items re-evaluated based upon its contents. The results of this review were described in a letter from NRC to Westinghouse dated June 20, 1996. On July 3, 1996, a follow-up conference call was held between the NRC and Westinghouse to clarify several open issues.

By letter dated October 9, 1996 Westinghouse submitted WCAP-14651, Revision 1.

The following is an overview of the status of the results of the most recent review for all Element 6 open items:

Open Item (OITS f. DSER f)

Current Status 1348 18.7.3-1: HRA-HFE Integration Implementation Plan Resolved 1349 18.7.3-2: Process for Identification of Critical Human Actions Resolved 1350 18.7.3-3: Critical Human Actions Task Analysis Resolved 1351 18.7.3-4: Detailed Examination of Critical Actions Resolved 1352 18.7.3-5: Use of PRA/HRA Insights Resolved 1353 18.7.3-6: HRA Validation Resolved Enclosure

i i

Open Ites 18.7.3-1: HRA-HFE Intecration Implementation Plan a

i Criterion: While the HFE PRM criterion for this element does not explicitly include an implementation plan, such a plan is needed to address the HFE PRM criterion-based review to follow. This criterion addresses the availability of an implementation plan in the SSAR.

i DSER Evaluation: Based on the material reviewed, Westinghouse does not have an implementation plan for HRA-HFE integration. Such a plan is needed and should consider the information that follows. The plan should address how and when the HRA will be requantified as the HFE program completes the design.

This is especially important because the current HRA/PRA was finished though f

i many aspects of the HFE have not yet been completed; for example:

functional allocation, task analyses, HSI design, procedures, operator training programs.

i In other words, since AP600 HFE design is not complete, the HRA has not taken into account the human performance effects of the new advanced HSI design.

The lack of completion of these areas holds true in the MCR, remote shutdown

~

panel and local control stations and could significantly impact the results of the HRA as well as the PRA. Concern over human error probability (HEP) estimation was expressed by the staff in a meeting with Westinghouse on February 23, 1994, and February 25, 1994. The staff noted that Westinghouse i

calculated very optimistic human error probabilities considering no E0Ps and ERGS are available, the control room layout has not been well defined, the functional relationship of the SR0 and STA has not been well defined, and many 1

significant operator actions require a response in a short time frame. These j

concerns were provided to Westinghouse in RAI's 720.276 through 720.278. An 1

accurate HRA/PRA is important to the HFE process because of their use in determining the critical operator actions. Further, for the newly designed passive plants, such as the AP600, the HRA/PRA is being used for other significant determinations such as the appropriate regulatory treatment of non-safety systems.

Therefore, once the HFE design is complete it is impor-tant to requantify the HRA/PRA and to reverify decisions made based upon the results of the HRA/PRA.

Proposed Resolution:

In WCAP-14651, Revision I dated September, 1996, the various items associated with proper integration of the PRA/HRA and the HFE process are discussed in detail, including: use of HRA/PRA insights to guide HFE design; identification of critical human actions and risk important tasks; task analyses for critical human actions and risk important tasks; re-examina-tion of critical human actions and risk important tasks; and validation of HRA performance assumptions. Thus Westinghouse has developed an Implementation Plan with an appropriate scope.

Further Section 18.7 of the SSAR (Revi-sion 9), references this Implementation Plan. The acceptability of the individual items is discussed under the individual criteria.

In Sections 3.2 and 5.0 of the WCAP (Revision 1), Westinghouse addresses the issue of whether there is a need to re-evalcate and possibly requantify the HRA/PRA after the HFE design is complete. Westinghouse states that perfor-mance assumptions will be confirmed as part of both the task analyses and the control room validation. Westinghoust will perform an evaluation as to whether any of the assumptions of the HRA must be changed.

If necessary the HRA will be modified and the impact on the PRA will be assessed.

Reports will be generated documenting the results, which will be submitted to the NRC for review.

2

i Based upon this information, this DSER open item is resolved and this PRM 1

criterion is satisfied.

STATUS OF OPEN ITEM:

Resolved Goen Item 18.7.3-2:

Process For Identification of Critical >=m Actions Criterion: Critical human actions should be identified from the PRA/HRA and used as input to the HFE design effort. These critical actions should be developed from the Level 1 (core damage) PRA and Level 2 (release from containment) PRA including both internal and external events. They should be developed using selected (more than one) importance measures and HRA sensitiv-ity analyses in order to ensure that an important action is not overlooked due to the selection of the measure or the use of a particular assumption in the analysis.

DSER Evaluatfon: Westinghouse's response to RAI 720.133 indicated that the identification of critical human actions was not completed pending the completion of sensitivity analyses.

Proposed Resolution: This issue, associated with the identification of critical human actions, was raised in the AP600 review as Open Item 18.7.3-2.

It was also raised in the context of the HFE review for DSER Open Items 18.5.3-1 and -2.

Westinghouse initially provided responses to these open items in faxes from S. Kerch to NRC dated April 19, 1995 and May 24, 1995.

NRC provided a faxed set of comments on these responses to Westing-house on June 20, 1995. The Westinghouse responses and NRC comments were discussed in a conference call on June 22, 1995, and the Westinghouse position was further documented in a faxed memo from S. Kerch to NRC dated June 30, 1995. The NRC concerns related directly to the above criterion, which were eventually resolved as discussed below. Westinghouse submitted Draft WCAP-14651, " Integration of Human Reliability Analysis with Human Factors Engineering Design Implementation" (May 1996) which addressed some, but not all, of the NRC comments / questions on the June 20, 1995 NRC fax to Westing-house. The main remaining issue was the quantitative threshold for the identification of the critical human actions. On July 3,1996, a follow-up conference call between the NRC and Westinghouse was held to clarify questions related to critical operator actions.

By letter dated October 9,1996 Westinghouse submitted Revision 1 of WCAP-14651, " Integration of Human Reliability Analysis with Human Factors Engineering Design Implementation Plan,".

The critical human actions of the PRM (NUREG-0711) are defined to be, " Tasks that must be accomplished in order for personnel to perform their functions.

In the context of PRA, critical tasks are those that are determined to be significant contributors to plant risk." In its Integration Plan, Westinghouse chose to subdivide the PRM critical actions into two categories, namely critical actions and risk-important tasks.

However, Westinghouse indicated that they will address both of these types of actions through their HFE design program. This distinction between critical and risk-important human actions by Westinghouse is informative and useful.

3

I f

i The threshold for defining a Westinghouse critical action is high and is any action that, if failed would result in total core damage frequency (CDF) greater than or equal to 1xE-4 events /Rx-year or a severe release frequency j

greater than or equal to lxE-5 events /Rx-year. With these thresholds, the AP600 has no critical human actions. This is because: the low overall CDF of AP600, the passive nature of the AP600, and the high value of the threshold selected.

The thresholds for defining a risk-important task are detailed in the Integra-tion Plan and consist of both quantitative and qualitative criteria.

For the determination of risk important tasks Westinghouse will use the following PRA studies: the internal events at-power PRA, the shutdown events PRA, the focused PRA for regulatory treatment of nonsafety-related systems (RTNSS) analysis, the external events PRA (for fire and flood events), and the seismic i

margins PRA.

For the quantitative criteria, Westinghouse will use two importance measures, risk achievement (or risk -increase) worth and risk reduction (or risk-decrease) worth. The thre hold for risk-increase impor-tance, for at-power internal events and shutd a events, is 200% or a risk

}

achievement worth of 3.0.

This will be applied to both the Level 1 (core damage frequency) and the Level 2 (severe release from containment) PRAs.

This risk increase threshold was initially proposed by Westinghouse in their draft Integration Plan, and lacking additional details, was not accepted by the staff. Some of the reasons for staff hesitation in accepting this value were as follows.

If an applicant sets their risk criteria too high, then there will be very few task analyses that are based on risk. That is, essentially all actions that receive the detailed task analyses prior to HFE design will have been selected based upon engineering judgement.

This could defeat the intent of both the PRM and the PRA. Additionally, a criterion that is based on increasing total CDF by a factor three times for one human action failure could result in a potentially large increase in risk (depending on the original baseline value of risk). These concerns of the staff were addressed in Revision 1 of the integration plan as described below.

WCAP-14651, Revision I specifies all of the PRAs that will be used in the determination of risk important tasks; defines the quantitative thresholds; adds five well-specified qualitative criteria; and provides example results of risk-important tasks in Appendix A.

The latest baseline values of the various PRA studies, as referenced in the Integration Plan, were determined to range from 6.5xE-7 events /Rx-year down to about 2xE-10 events /Rx-year. These are low values compared to the PRAs for current day plants. Thus, AP600 can accept somewhat higher percentage increase than would be acceptable for current plants.

Further, using only the quantitative criteria, the Integra-tion Plan in Appendix A provides examples of risk-important tasks. Depending on how one converts from human action basic events to tasks, there are about 13 to 15 risk-important tasks. This appears to be a reasonable number of risk-defined operator tasks to address in the task analysis portion of the HSI design.

Thus, Westinghouse has developed an acceptable approach to define critical and risk-important human actions from the PRA/HRA to be used as input to the HFE design effort. They are developed from Level 1 and Level 2 PRAs and include consideration of both internal and external events. They will be selected using multiple measures and criteria in order to ensure that important actions are not overlooked.

4

i I

Based on this information, the DSER open item is resolved and this PRM criterion is satisfied.

STATUS OF OPEN ITEM:

Resolved 1

i l

Onen Item 18.7.3-3: Critical >=m Actions Task Analysis Crfterion: The details of human performance of critical htman actions and their associated tasks and scenarios identified through the initial PRA/HRA should be specifically addressed during Element 4 - Task Analysis. This will help ensure that these tasks are within acceptable human performance capabili-ties, e.g.

within time and workload requirements.

DSER Evaluation: The methodology for task analysis with respect to treatment of time and workload considerations was identified as part of Open Item 18.5.3-3: Task analysis methods.

Proposed Resolutfon:

Section 3.0 of WCAP-14651 (Revision 1) provides a commitment that the HRA/PRA group will specify human actions and task sequenc-es to be used as input to the task analyses. This will include critical actions (if any) and risk-important actions. The human actions and tasks identified by HRA activities will be included in the set of tasks examined using operational sequence task analyses. The analyses will include perfor-mance requirements, such as time windows, within which an action needs to be completed. Workload of the operators will also be addressed as discussed in Section 3.2 of the WCAP (Revision 1). By using this process, the M-MIS design and procedures will be developed in a manner that can adequately support the critical and risk important tasks.

Based upon this information, this DSER open item is resolved and this PRM criterion is satisfied.

STATUS OF OPEN ITEM:

Resolved Goen Item 18.7.3-4: Detailed Examination of Critical Actions Criterion: Critical human actions that are identified via PRA/HRA as posing serious challenges to plant safety and reliability should be re-examined by function analysis, task analysis, HSI design, or procedure development to either change the operator task or the control and display environment to reduce or eliminate undesirable sources of error.

DSER Evaluatfon: The relationship between the HFE function allocation and the modeling of manual human actions should be clarified. Westinghouse's response to RAI 720.177, for example, discussed manual and automatic valve actuation during reduced inventory operations. Additional information is needed on the impact on HRA of HFE function allocations yet to be performed. In response to RAI 720.118, Westinghouse indicated that the HEPs were not evaluated to account for "the use of advanced digital technology or to account for the role of the operator as a monitor and decision maker rather than performing actions directed by procedures." This approach is inconsistent with the role of the 5

4 i

t operator described in SSAR Section 18.6.6 and operator training in SSAR Section 18.9.9.3.

The M-MIS is being designed to support an operator trained as a decision-maker and one who doesn't accept procedures in an unquestioning i

manner.

It is expected that such an operator might spend additional time following procedures (for information validation and confirmation of procedure appropriateness and adequacy) and this should be reflected in the DSER Evaluation of critical acticns for HEP estimation.

Westinghouse must, taking into account the concerns identified by the staff in their DSER Evaluation of this criterion, describe the process that will (1) provide additional information on the impact on HRA of HFE function alloca-tions yet to be performed, (2) provide detailed DSER Evaluations of critical actions to reduce or eliminate sources of error, and (3) clarify the possible inconsistency between the operator role assumptions in the HFE design and the HRA.

Proposed Resolutfon:

Section 4.0 of WCAP-14651 states that any critical human action or risk important task that is determined to be a potentially signifi-cant contributor to risk, will be re-examined by task analysis, M-MIS design, and procedure development. These evaluations will be used to identify changes to the operator task or the M-MIS to reduce the likelihood of operator error and provide for error detection and recovery capability.

Section 3.2 of the WCAP (Revision 1) discusses how the task analyses will be used to address the assumptions used in the HRA by developing more accurate estimates of workload and task completion times. This information will be 4

provided to the Westinghouse HRA/PRA group.

Based upon this information, this DSER open item is resolved and this PRM criterion is satisfied.

STATUS OF OPEN ITEM:

Resolved Open Item 18.7.3-5: Use of PRA/HRA Insiehts 1

Criterion: The use of PRA/HRA results by the HFE design team should be specifically addressed; i.e., how critical personnel tasks are addressed l

(through HSI design, procedural development, and training) by the HFE program to minimize the likelihood of operator error and provide for error detection and recovery capability.

DSER Evaluatfon:

In response to RAI 720.117, Westinghouse indicated that "HRA analysts worked together with system designers to perform the individual system analyses used to develop fault trees for the various systems modeled in the PRA, complete the HRA and finalize the system design." The response indicates that specific insights from the HRA were incorporated in the system design and that the individual system designs were modified to support performance of the modeled operator actions. Dominant cutsets were reviewed to identify sequences where human reliability was a significant contributor to failure. For limiting sequences, changes were made to provide necessary operator-related improvements (design and operation) to eliminate the limiting human failures. HRA was integrated with the development of high-level operator action strategies. However, no examples of the process were provided.

6

Proposed Resolutfon: As noted in the DSER and in Section 1.2 of WCAP-14651 (Revision 1), Westinghouse has designed the AP600 taking into account:

lessons learned from existing plant experience, and the results of past HRAs and PRAs. This has allowed Westinghouse to reduce the potential for human error. Westinghouse states that this simplifies the plant and reduces the number of human actions required.

For example, no human actions are required to respond to design basis events.

Further, Section 1.2 of WCAP-14651 (Revision 1) provides a discussion of how the HRA/PRA results will be used in task analysis, HSI design, procedure development, and V & V to identify changes to orcrator tasks, procedures, or the M-MIS to minimize the likelihood of operat w error and provide for error detection and recovery capability.

Regarding training, Westinghouse states that training program development is a COL responsibility.

Section 1.2 of the Westinghouse Implementation Plan discusses how Westinghouse will provide the COL with documentation that includes: a description of HRA assumptions, PRA results relevant to training, and insights relevant to training based upon the V & V.

This will include a list of critical actions (if any), risk important actions, performance requirements for those actions (e.g., response time).

Based upon this information, this DSER open item is resolved and this PRM criterion is satisfied.

STATUS OF OPEN ITEM:

Resolved 1

ODen Item 18.7.3-6: HRA Validation Criterion: HRA assumptions such as decision-making and diagnosis strategies for dominant sequences should be validated via walk-through analyses with personnel with operational experience using a plant-specific control room mockup, prototype, or simulator. Reviews should be conducted prior to the final quantification stage of the PRA.

DSER Evaluation: This issue is not addressed in the methodology described in the AP600 PRA Report - Chapter 5, HRA or the Human Reliability Analysis Guidebook for AP600 Probabilistic Safety Study (ET-SOAR-PRA-91-407).

Proposed Resolutfon:

Section 5.0 of WCAP-14651 (Revision 1) discusses the validation of HRA performance assumptions.

It states that validation of the HRA operator performance assumptions will be performed as part of the Inte-grated HFE System Validation. This will include scenarios that include critical or risk important human actions, as well as specific performance assumptions that the HRA/PRA Group identifies for confirmation. Westinghouse will not validate the quantitative HRA probabilities. After review of the results of the validation, the HRA/PRA group will determine whether any changes need to be made to the HRA assumptions or HRA quantification.

If changes are needed, the HRA will be modified and the impact on the PRA will be assessed. A report will be generated, documenting the results of the exercis-es intended to validate the HRA performance assumptions, and submitted to the NRC for review.

7

,~. -. -. - _. -.

1 i

Based upon this information, this DSER open item is resolved and this PRM criterion is satisfied.

t 1

j STATUS OF OPEN ITEN:

Resolved i

4 1

f 1

1 1

4 i

i 3

1 it 5

(

i l

i i

8