Text

WPPSS Nuclear Project,Unit 2 TER on IPE Submittal Human Realiability Analysis, Final Rept
	ML20138J839
Person / Time
Site:	Columbia
Issue date:	12/10/1996
From:	Wreathall J; CONCORD ASSOCIATES, INC.
To:	; NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
Shared Package
ML17292A805	List: ML20138J827; ML20138J833; ML20138J839;
References
	CA-TR-96-019-46, CA-TR-96-19-46, NUDOCS 9702130118
	Download: ML20138J839 (40)
	v • d • e

0 s APPENDIX C WASHINGTON PUBLIC POWER SUPPLY SYSTEM - NUCLEAR PROJECT NO 2 TECHNICAL EVALUATION REPORT (HUMAN RELIABILITY ANALYSIS)

I l

1 S

.W" 97D112301.'8 XA

= ,

CONCORD ASSOCIATES,INC. CA/TR 96-019-46 Systems Performance Engineers s

T d

WPPSS NUCLEAR PROJECT, UNIT 2 TECHNICAL EVALUATION REPORT i ON THEIPE SUBMITTAL

HUMAN RELIABIL.ITY ANALYSIS i

FINAL REPORT i l

l l

by John Wreathall

! John Wreathall & Company, Inc. 1 l

I Prepared for

! U.S. Nuclear Regulatory Commission l Office of Nuclear Regulatory Research Division of Systems Technology Final Report, December 10,1996 I

i l.

i 11915 Cheviot Dr. 725 Pellissippi Parkway 6201 Picketts Lake Dr.

Herndon, VA 22070 Knoxville,TN 37932 Acworth, GA 30101 (703) 318-9262 (615) 675-0930 (404) 917-0690 r

* + l 4 I CA/TR-96-019-46 l l

l i

4 wPPSS NUCLEAR PROJECT, UNTr 2 TECHNICAL EVALUATION REPORT ON THE IPE SUBMITTAL

HUMAN RELIABILITY ANALYSIS ,

f 4

FINAL REPORT i .

l

John Wreathall

John Wreathall & Company, Inc.

1 Prepared for U.S. Nuclear Regulatory Carnmisslan Omce of Nuclear Regulatory Research

- Division of Systems Technology Draft Final TER, March 1996 l ~

Final TER, December 1996 i

CONCORD ASSOCIATES. INC. :

Systems Performance Eng!neers :

723 Pellissippi Parkway Knoxville, TN 37932 ,

1 Contract No. NRC-04-91069 1 Task Order No. 46 1

l i

l 1

I

. I

_J

a 4 WNP-3 Final TER,12/9/96 TABLE OF CONTENTS E. EXECUTIVE

SUMMARY

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . El E.1 Plant Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . El E.2 Licensee IPE Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . El E.3 Human Reliability Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E2 E.3.1 Pm-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . E2 -

E.3.2 Post-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . E3 E.4 Generic Issues n'.d CPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E4

- E.5 Vulnerabilities and Plant Improvements . . . . . . . . . . . . . . . . . . . . . . . . ES 4

E.6 Observatious . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . E6

1. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 :

1.1 Review Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I 1.2 Plant Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

. 2. TECHNICAL REVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2.1 Licensee IPE Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2.1.1 Completeness and Methodology. . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2.1.2 Multi-Unit Effects and As-Built, as Operated Status. . . . . . . . . . . . 2 l 2.1.3 Licensee Participation and Peer Review. . . . . . . . . . . . . . . . . . . . . 3 2.2 Pre-Initia0 tor Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2.1 Types of Pre-Initiator Human Actions Considered. . . . . . . . . . . . . 4 2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions. . . . . . . . . . . . ...........................................5 4

. 2.2.3 Screening Process for Pre-Initiator Human Actions. . . . . . . . . . . . 5 2.2.4 Quantification Process for Pre Initiator Human Actions. . . . . . . . . 5 2.3 Post-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 i 2.3.1 Types of Post-Initiator Human Actions. . . . . . . . . . . . . . . . . . . . . . 6 2.3.2 Process for Identification and Selection of Post-Initiator Human

A cti ons. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.3.3 Screening Process for Post Initiator Human Actions. . . . . . . . . . . 7 2.3.4 Quantification Process for Post-Initiator Human Actions. . . . . . . . 7 2.3.5 Generic Issues and Containment Performance Improvement. . . . 12 2.3.6 Intemal Flooding. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 2.4 Vulnerabilities, Insights, and Enhan=nents . . . . . . . . . . . . . . . . . . . . . 15 2.4.1 Vulnerabilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 2.4.2 Insights Related to Human Performance. . . . . . . . . . . . . . . . . . . . 15 '

2.4.3 Human Performance-Rdued Fahar-nents. . . . . . . . . . . . . . . . . 17 4

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS . . . . . . . . . . . . . . . . . 19 1

4. PLANT DATA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 4.1 Important Operator Actions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 ;

4.2 Human Performance-Related Fahan~ments . . . . . . . . . . . . . . . . . . . . . 22 7 t

5. RzPEREwCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 7 ;

r ,

WNP 2 Final TER,12/9/96 1 E. EXECUTIVE

SUMMARY

! i

! This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the IPE gispewd by .

Washington Public Power Supply System for the Washington Nuclear Plant 2 (WNP-2).-

The review was performed to assist NRC staffin their evaination of the IPE and conclusion regarding whether the submittal meets the intent of NRC's Generic Letter

$8-20.

l E.1 Plant Characterization

WNP-2 is a boiling water reactor (BWR) of the General Electric BWR-5 design, within a

Mark II containment. The reactor is rated at 3323MWth and WNP-2 has a design ,

electrical output of 1154Mwe. The plant began commercial operation in December 1984.

WNP-2 is located on the US DOE Hanford Site near Richland, Washington.

No unique characteristics associated with the human-performance aspects were identified

i in the IPE.

1 E.2 LicenseeIPE Process The WNP-2 IPE comprises a Level 1 and Level 2 PRA, and irrhules the analysis of j internal floods. The HRA task was performed primarily as part of the Level I study. ,

Human actions were included in the scope of the intemal-flooding r.nalysis,'and some recovery actions were considered in the Level 2 portion of the IPE. The Level 1 PRA ;

included the analysis of both pre-initiator and post-initiator human actions. 'Ihe analysis of pre-initiat' or human actions included failures in test, maintenance and calibration

activities that can render equipment unavailable when required to respond to an accident condition. The analysis of post-initiator human actions included both response and recovery actions. Recovery actions were incorporated in the Level 2 PRA. This range of human actions is comprehensive compared with the scope of the HRA tasks in other i IPEs, and is considered a strength of the WNP-2 IPE.

! The HRA task was performed by the licensee's in-house Level 1 PRA team following specialist training by an outside consultant - the Individual Plant Evaluation Partnership I (IPEP). Following the initial Level 1 modeling, the PRA was reviewed by a separate outside consultant - NUS Corporation, who suggested changes in the modeling.

The Level 1 PRA team was staffed by personnel within the licensee's hgi%

Directorate, supported by staff from the Operations Department, including the assignment ,

of a former shift Independent in-house reviews of the Level 1 analyses were provided by 1 a team that included personnel from the WNP-2 maintenance, operations, and training departments. l External reviews were provided by the IPEP team, NUS Corporation, and Tenera, L.P., at !

different stages of the study. The initial models were reviewed on an on-going basis by the IPEP team. Once completed, the first version of the Level 1 models were reviewed

. by NUS Corporation, who identified modifications (including those related to the HRA

.E1 1

_ - ~ . . . , _ . . . _ - - _ - - . .- . _ . - - . _ _ .

4

~

e

! WNP 2 Final TER,12/9/96 l modeling) to improve the realism of the models. NUS then provided consulting and review services to the licensee as the modifications were implemented. The resulting -

Level 1 analysis was identified as the " Revision 1"IPE and forms much of the basis of i

the submission. The Revision 1 models were reviewed by Mr. John Raulston of Tenera, L.P. !

Following the peer review of tiie Revision 1 models, a limited number ofissues remained -

outstanding.

t I '

E.3 Humaan Reliability Analysis.

! E3.1 Pre-Initiator Human Actions. -

The analysis of pre-initiator human actions included failur's e in test, maintenance and calibration activities that can render equipment unavailable when required to respond to

an accident condition.

F 1he scope of the WNP-2 pre-initiator analysis is somewhat unusual in that errors associated with the replacement and stocking of nitrogen bottles required for the ;

containment instrument-air system are included. These are in addition to the more typical !

l types of pre-accident human actions such as failing to restore components to the available

condition after test, or miscalibration ofimportant level and pressure switches. It is l

' understood that this level of modeling in the containment instrument-air system was performed to reflect operational problems that had occurred at WNP-2. In addition, one ermr was identified associated with errors during the RCIC pump oil change. In the RAI, the licensee identified that this error no longer would lead to pump failure and will be .

deleted from the models.

The submittal presented a description of the process for the initial identification of pre-4 initiator human actions. This process included identification of all components whose j states were changed during testing, maintenance, and calibration as defined in the WNP-2 procedures; this identification included walkdowns of the systems in collaboration voith operations personnel.

While a screening analysis was performed of the pre-initiator human actions, none were

. elimi=*=A from the detailed quantification process. As a consequence,82 pre-initiator human actbus were analyzed. The detailed analysis was performed using the HRA method developed for the NRC's Accident Sequence Evaluation Program (ASEP) as the basis.1his method was applied using assumptions that actions will be independently i checked and the component subjected to functional testing. While these assumptions.

t may be valid for many of the events, it is unclear that they apply in every case. In addition, it is not clear that all the systems analyzed for pre-initiator actions were considered consistently, with different types of failure events apparently being identified for different systems and components. No pre-initiator human actions were identified as important to the WNP-2 core-damage frequency.

l 4

9

.__m _ _ _ . .__.____1________________- _ _ _ _ . . . - _. . . . - . . , , .._ ,, , .- _

, WNP-2 Final TER,12/9/96

' While these limitations in the analysis of the pre-initiator actions may or nay not have a j

'significant impact on the gross quantitative results of the IPE or the basic conclusions - l 1

. drawn from the study, they do limit the potential for the licensee to gain a full j appreciation of the ways in which human performance can influence overall risk and to 1 identify potential risk-reduction measures.

It is noted that the licensee intends to perform sensitivity analyses of the pre-initiator .

J human actions to provide additional insights for studies of technical-specifications

[ requirements and for implementation of NRC's Maintenance Rule.

E.3.2 Post-Initinvar Wnan stian. .

~ The quantification process for the post-initiator human actions was based on the ASEP HRA method. The post-initiator human actions were divided into thme types for the

-l quantification process -

l l 1. manual back-up of automatic actions; i l

2. emergency operating procedure (EOP)-based actions; and i I

3. recovery actions incorporated in the Level 2 PRA models.

Different processes were used to identify and select the actions backing up automatic i

actions and EOP-based actions, and the recovery actions. The beck-up and EOP actions were those actions necessary to accomplish the success paths and function needs as i represented in the event-tree sequences and system fault trees, and their identification was i

based on reviews of the EOPs, training programs (including simulator training scenarios),

i transient analyses, and other PRA models. The identification of the Level 2 recovery

, actions was based on examinations of the dominant causes of the Level 1 model core-damage sequences, and the analysts' knowledge and familiarity with plant hardware,

, EOP guidance, training programs, and transient analyses.

c A quantitative screening analysis was performed for the post-initiator human actions, by quantifying all post-initiator human actions using the error probability of 0.1. However, no actions were elimin=*ad from the detailed modeling of post initiator human actions.

l Eight manual back-up actions were msdeled. Six of the eight actions are immediate memorized back-up actions associated with the principal front-line systems like the

automatic depressurization system (ADS), high-pressure core spray (HPCS), and the reactor-core isolation cooling (RCIC) system. However, it is unclear that two actions, 4

associated with turning on fan coil units, correspond to the concept of back-up actions.

All back-up actions were modeled using a single failure probability of 2.66E-03 based on guidelines provided in the ASEP HRA method. No plant-specific performance-shaping factors (PSFs) were incorporated in this failure probability. None of the manual back-up actions was identified as being important to the WNP-2 core-damage frequency.

I E3 i-

_ ,3

- - - . . . __~ - .-. - .- - - -- - - . - ,

e. , !

WNP 2 Final TER,12/9/96 Two separate probabilities are estimated for each of the EOP-based actions. The first is

the probability of failure associated with the diagnosis element of the action, and the second is associated with performing the actions following successful diagnosis. In the estimation of both the diagnostic and action-related failure probabilities, the analysis considered very few plant-specific PSFs. The probabilities of failure in diagnosis were t e<tima'ad using the nominal time / reliability correlation provided by the ASEP HRA method. The probabilities of failure to perform the actions following diagnosis were i estimated using the step-by-step or dynamic task models of the ASEP HRA method.

The modeling of EOP actions assumed that post-initiator human actions associated with different tasks were indapeadaat; actions related to a single diagnosis were completely depesient on the correct diagnosis, however.

3 A total of 13 EOP-based actions were analyzed. Several of the EOP based actions were identified as being important to the WNP-2 core-damage frequency, as discussed in

Section E.5.

The analysis of recovery actions in the Level 2 PRA was performed on a case-by-case basis where opportunities existed to recover failed functions in the Level 1 PRA or

- otherwise to restore containment integrity (for example, closing containment penetrations that have failed open). Most recovery actions were modeled using a failure probability of 0.1; these actions were assumed independent of the failures in the Level 1 PRA. The bases for this assumption include: the timescales for the Level 2 actions are much longer than for the Level 1 actions; and the Level 2 actions would be under the direction of the

Technical Support Center.

The submittal does not provide any detailed description of the failures in recovery actions or their contribution to the probability of containment failure.

E.4 Generic Issues and CPI 1

E.4.1 Decav Heat Remnval.

l ..

At WNP-2, the accidents resulting from loss of decay-heat removal involve containment failure before core damage. Two operator actions are potentially important in preventing

. core damage. The first is the failure of operators to initiate cooling of the suppression pool using the RHR system; RHR cooling must remained failed for an estimated 29 hours3.356481e-4 days 0.00806 hours 4.794974e-5 weeks 1.10345e-5 months before the containment failure pressure is reached. The second action is to vent the i' containment. Venting of the containment is required when the containment pressure reaches 39psig. The operators have an **+i==*ad 14 hours1.62037e-4 days 0.00389 hours 2.314815e-5 weeks 5.327e-6 months to perform the action after that pressure is reached before the expected containment failure pressure is reached. The probability of failure of initiating suppression-pool cooling is 1.0E-5 for transient-initiated sequences, and 3.0E-05 for LOCA-initiated sequences. Failing to vent the containment has a probability of 0.06.

)

E4 4

a .

WNP-2 Final TER,12/9/96 E.4.2 Sve**m=' Interactions.

The licensee notes that systems' interactions associated with common-mode human errors are igated explicitly by human-action events in the PRA models for cases involving multiple miscalibrations and the performance of procedural steps associated with multiple

. _ systems. The licensee states that results of the PRA modeling (which includes the human interactions) demonstrates that no vulnerability associated with systems' interactions exists.

E.4.3 Inarnal Floods.

The analysis ofintemal floods considered two specific aspects of human actions: the

! times required to terminate the flooding source to prevent loss of equipment, and the failure probability of terminating the source. One action, to tenninate flooding in the reactor building from a break in the turbine-building service water system (TWS), was i identified as being important to prevent core damage from internal floods.

j E.4.4 Containment Performance Imnrovemente.

The licensee discussed three issues associated with containment-performance

^

improvements that involve human performance. These are:

e The relinhility of operator actiane to initiata cooling of the suppassion nool neing )

. theRHR sysicm. The licensee considers that actions to modify this probability , )

would not significantly change the contribution of sequences involving failure of i

RHR, and therefore no changes are planned. l e Onerator actions to denressurize the ranetor nressure vaeerl (RPV1 before the

an=*t of core damage. WNP-2 EOPs and operator training currently include the actions for early depressurization of the RPV.

L e Imnroved EOP training. The licensee considers the NRC's guidance associated with improved EOP training has been effectively incorporated at WNP-2.

E.5 Valnerabilities and Plant Improvements The licensee has concluded that no plant vulnerabilities have been identified by the WNP-2 IPE. Therefore there are no vulnerabilities identified that related to human perfomunce.

I' ; Several of the EOP-based actions were identified as being important to the WNP-2 core-i damage frequency. These are.

o Operators opening the RCIC room doors within thirty minutes during station blackout scenarios, to allow natural circulation of the air to prevent failure of the i RCIC pump from room overheating. (However, the licensee's responses to l

E5

- . - - - - - - - _ - _ _ _ _ _ _ _ - . - - _ . - , - u, , . . - . . . - . . , , . . , . . . ~ - - - - , , , .

WNP 2 Final TER,12/9/96

! .NRC's Request for Additional Information identify that this action is no longer needed, since the tempmeme in the RCIC room with the doors closed should not cause RCIC to fail.)

e Operators venting the containment to prevent the containment from repressurizing I

(which would otherwise cause the ADS valves to reclose) following certain

. internal floods that cause failure of high-pressure ECCS systems.

) ,

e- Operators initiating suppression-pool cooling.

j e Operators sc+n=+ine the standby liquid control (SLC) in an anticipated transient i-without scram (ATWS) sequence.

. o Operators inhibiting operation cf the ADS and controlling the RCS water level in an ATWS sequence.

l The licensee has identified several possible enhaneaments related to human performance

as a result of performing the IPE. No credit was taken'in the IPE models for these

changes but subsequently, the licensee has a=+imatad the potential change in core-damage i frequency. These are

e ADS inhibit switch. This aakaarament is to allow the operators to use the A' DS -

inhibit switch (used for ATWS sequences to override the automatic ADS signal)

, for non-ATWS scenarios. This modification is estimated to reduce the core-damage frequency by 1.5%. This modification has been implemented subsequent

to the IPE analysis.

e incramead surveillance and onerator trainine for floodino sources in the ranctor and l turhine buildinoa. This modification has been determined not to be cost-beneficial l subsequent to the IPE analysis and is therefore not being implemented.

! O Station blacknut denreeenrization.# 'Ihis enhancement is for the operators to

, depressurize the reactor vessel prior to battery depletion, which will extend the time for potential recovery. This modification is estimated to reduce the core-l damage frequency by 34%. This modification has been implemented subsequent to the IPE analysis.

Odm modifications irvolve operator activities but are not modeled in the HRA part of the IPE. These include (we of the 500kV backfeed (under consideration), and changes in

preventive mair.tenance scheduling (implemented).

r. ,

E.6 Observations The following observations were produced by our document-only review of the WNP-2 m submittal that are pertinent to NRC's evaluation of whether the submittal has met the intent of the NRC's Generic Letter 88-12.

, E6 I

d

,_ , _ . _ . , _ , . , ,,4 , ~-m,- --. ~ - - --- - - - - - - - - - - - - - - - - - ' - -*

- .-. . . ~ . - . - -. -- - . . - . - . - - . - - . . - - - .

e~ ,.

l l WNP-2 FinalTER,12/9/96 l

Particular strengths in the WNP-2 HRA analysis are considered to be:

. 1 l

I I. The identification and analysis of pre-initiator human actions has been performed l for a wide range of activities, encompassing actions associated with preventive maintenance and the provision of resources for systems like the containment-air system as well the more conventionally modeled actions associated with test, maintenance, and calibration activities.

2. The licenace intends to perform a sensitivity analysis of pre-initiator human i

actions as part of the use of the IPE to support other licensing issues such as the

response to NRC's Maintenance Rule.

3. The identification of post-initiator human actions includes a broad range of actions to prevent core damage and to prevent containment failure. It also includes actions to terminate and mitigate internal floods. The actions to prevent core l damage included the separate analysis ofimmediate-response actions from l

memory and actions based on instructions in the EOPs. The process used to identify post-initiator actions is unlikely to have missed any important actions j

j- 4. The analysis of post-initiator EOP-based actions included failures in both the I diagnostic and action-related elements of the action. An appropriate type of model was used for each element. i

5. In the analysis of post-initiator EOP-based actions, the time available for operator diagnosis was used as the basis for quantifying failures in diagnosis. The licensee described a process for selecting particular scenarios to act as the basis for ,

calculating the time available for diagnosis. This process seems appropriate for l 4 the examples presented.

However, there appear to be certain limitations in the analysis. These are:

1. There does not appear to be a thorough case-by-case (plant specific and event-j' l

' specific) assessm.ent of the factors influencing human actions to assure a l corapletely realistic understanding of human performance in the plant. The !

analysis of pre- and post-initiator human actions does not include any consideration of the human-system interface or the presentation of procedures, for example.

2. The quantification of all pre-initiator human actions was performed using a single failure probability of 3.0E-04. This value was derived using assumptions that l

2 each pre-initiator action would be: (1) indapendently checked by a second A operator, and (2) subjected to a functional test. While these assumptions may be l true for some actiot ', it is not clear that they apply to all pre-initiator human l

,- . actions.

E7 W .

a. ,s )

l

\

o ,

WNP 2 Final TER,12/9/96 L The use of this assumption may lead to underestimates by a factor of 10 or more for the failure probability of some pre-initiator actions: for example, those

associated with miscalibrations oflevel switches for the suppression-pool and L

_ condensate storage tank. Because the submittal did not include any thorough

! analysis of plant-specific characteristics, it is not possible to identify which pre-

. initiator human actions for which this quantification is optimistic, nor the specific L degree ofoptimism involved.

3. It appears that a uniform .tevel of modeling pre-initiator human actions has not

been applied across systenis. For example, in modeling the residual-heat removal (RHR) system, separate ht: man actions were modeled for failures in: (I) preventive maintenance, (2) repairs, and (3) testing. For the reactor-core isolation i cooling (RCIC) system, however, errors in preventive maintenance or repair were not considered. Further, the same probability of failure is assigned to each pre-initiator humr.n action regardless of the number of steps or the complexity of the actions.

4. In the analysis of post-initiator human actions, the failure probability is estimated

, partly on the basis of the time that operators have available for performing

. actions. In calculating this time, estimates of the time required to access and operate controls are required. No plant-specific analysis was performed for times of these actions, such as performing walk-downs of EOP-based actions or simulator drills; rather, the analysis was performed using generic guidelines.

- 5. The lack ofincorporation of dependencies between post-initiator actio u is considered a potentially significant limitation. Following the IPE, the licensee undertook a review of the potential effects of dependencies between actions in

, single sequences and concluded that, for all combinations identified, the actions could be considered independent. The licensee appears not to recognize that this can lead to joint failure probabilities of actions to fulfill a common goal (such as :

, ensuring the long-term removal of decay heat) being extremely low. Its effect is

!. to reduce the frequency of some sequences involving failure oflong-term heat removal from the core-damage frequency at WNP-2.

J I

a

<r -4 x~,~ _ , .,,

v 4 .

WNP 2 FinalTER,12/9/96

1. . INTRODUCTION

. - 1.1 Review Process The HRA review was a " document-only" process, which consisted of essentially f/tr 1 steps:

1) Comprehensive review of the IPE submittal focusing on all information pertinent ;

to HRA. ,

. 2) Ly eion of a draft TER summarizing preliminary findinga and conclusions, noting specific issues for which additional information was required from the licensee, and formulating requests to the licensee for the m-ry additional a - information.

3) Review of preliminary findings, conclusions and proposed requests for additional information (RAls) with NRC staff and with " front-end" and "back-end" t reviewers.

4) Review oflicensee responses to the NRC requests for additional information, and preparation of this final TER modifying the draft to incorporate results of the additional information provided by the licerisee. .

Findings and conclusions are limited to those that could be supported by the l

document-only review. No visit to the site was conducted. In general it was not possible,

~

and it was not the intent of the review, to reproduce results or verify in detail the

, licensee's HRA quantification process.

1.2 Plant Characterization The Washington Nuclear Plant 2 (WNP-2) is a boiling water reactor (BWR) of the General Electric BWR-5 design, within a' Mark II containment. The reactor is rated at 3323MWth and WNP-2 has a design electrical output of 1154Mwe. The plant began commercial operation in December 1984. WNP-2 is located on the US DOE Hanford Site near Richland, Washington. It is operated by the Washington Public Power Supply System. WNP-2 is a single-reactor unit.

He licensee identifies that the WNP-2 emergency operating procedures (EOPs) are based on Revision 4 of the BWR Owners' Group emergency procedure guidelines, and that the WNP-2 operator traming program is accredited by the Institute of Nuclear Power Operations (INPO). There is no description of other plant-specific human-performance-

. related factors.

No unique safety characteristics related to the HRA task are identified by the licensee.

k 1

1

o ,

WNP-2 Final TER,12/9/96 2.- TECHNICALREVIEW l 2.1 LicenseeIPE Process .

This section of the TER discusses the overall process used by the licensee to perform the HRA portion of the analysis.

2.1.1 Carnaletan,== mna Methnaninnv.

i

. The WNP-2 IPE comprises a Level 1 and Level 2 PRA, and includes the analysis of

[ internal floods. The HRA task was performed primarily as part of the Level I study.

4 Human actions were included in the scope of the internal-flooding analysis, and some

recovery actions were considered in the Level 2 portion of the IPE. The Level 1 PRA included the analysis of both pre-initiator and post-initiator human actions. The analysis

. of pre-initiator human actions included failures in test, maintenance and calibration activities that can render equipment unavailable when required to respond to an accident condition. The analysis of post-initiator human actions included both response and recovery actions. This range of human actions is comprehensive compared with the scope of the HRA tasks in otherIPEs.

Both pre- and post-initiator human actions were modeled using the HRA method developed for the NRC's Accident Sequence Evaluation Program (ASEP) [1]; this method is a somewhat simplified version of the Technique for Humcn Error Rate

Prediction (THERP).

The WNP-2 IPE included the performance of both importance and sensitivity analyses.

The importance analysis calculated both Fussel-Vesely (F-V) and Risk-Achievement Worth (RAW) parameters, and the fifty events having the highest F-V or RAW values are reported. A sensitivity analysis was performed for the post-initiator human actions; a sensitivity analysis is planned to be performed for the pre-initiator human actions as part of studies of technical-specifications requirements and for implementation of NRC's i Maintenance Rule. -

A number of post-initiator human actions were identified as potentially important contributors to the frequency ofcore damage at WNP-2. However, one action identified as important (to open certain doors to ensure equiprr nt cooling in the event of a station ,

blackout) has been identified by the licensee as being no longer nec..ssary. Analyses performed after the submittal of the IPE indicate that, if the doors are not opened, the temperature in the equipment rooms will not cause equipment failures. .

2.1.2 Multi-Unit Fffects and As-Built As-Oner=*aA Statuc.

The WNP-2 station is a single-unit station, and therefore there are no multi-unit effects.

lhe licensee provides no description of the information used specifically in the ,

~ development of the HRA models as opposed to that used generally in the Level 1 E

I 2

,l .

_ . ._. . _ _ _ _ __ _ _ . _ _ ~ _ _ _ _ . __ ._

W ,

WNP-2 Final TER,12/9/96 modeling. The information that formed the basis of the Level 1 modeling included the following:

1) WNP-2 operating procedures;

2) WNP-2 surveillance procedures;

. 3) WNP-2 maintenance procedures;

4) WNP-2 systems training notebooks. ,

i System walk-downs were performed for all systems. Among other things, the walk-L downs helped to ensure that systems' line-ups were as documented and consistent with plant drawings, and that access impediments (high tempewes, humidity, etc.) were o taken into account.

l The systems models were reviewed by the in-house independent review team, which j' included operations, maintenance and training persuw.cl. 1 It is considered that the process used by the licensee is capable of representing the as-built and as-operated plant to the degree that the models incorporate factors associated with the plant's design and operation.

. 2.1.3 Thw Particination and Peer Review. I r

The HRA task was performed by the licensee's in-house Level 1 PRA team following I specialist training by an outside consultant - the Individual Plant Evaluation Partnership 4 ' (IPEP). Following the initial Level 1 modeling, the PRA was reviewed by another i outside consultant - NUS Corporation, who suggested changes in the modeling.

The Level 1 PRA team was staffed by personnel within the licensee's Engineering Directorate, supported by staff from the Operations Department, including the assignment j of a former shift manager, who participated in plant walkdowns and provided reviews of p system models.

l Independent in-house reviews of the Level'1 analyses were provided by a team that included personnel from the WNP-2 maintenance, operations, and training departments.

Extemal reviews were provided by the IPEP team, NUS Corporation, and Mr. John Raulston of Tenera, L.P., at different stages of the study. 'Ihe initial models were reviewed on an on-going basis by the IPEP team. Once completed, the first version of the Level 1 models were reviewed by NUS Corporation, who identified modifications J

(including those related to the HRA modeling) to improve the realism of the models.

NUS then provided consulting and review services to the licensee as the modifications were implemented. The resulting Level 1 analysis was identified as the " Revision 1" IPE and forms much of the basis of the submission. The Revision 1 models were reviewed by -l

' Mr. John Raulston of Tenera, L.P. 1 Following the peer review of the Revision 1 models, a limited number ofissues remained l outstanding. Two related to the HRA task:

U 3

,v

i + 4 WNP-2 Final TER,12/9/96

1) Refill of the condensate storage tank (CST) could be credited as a means of continuing injection cooling if the suppression pool temperature fexceeds the design temperature of the reactor core isolation cooling (RCIC) and high-pressure core spray (HPCS) systems during the

. recirculation cooling phase; and

2) A truncation of the combined human-error probabilities should be applied I

for accident sequences involving multiple human errors, which, in the current models, are assumed indapaad-at.

2~

These issues were to be re-evaluated by the licensee following the submission of the IPE, as part of the licensee's intended on-going review.

! 2.2 Pre-Initiator Human Actions.

I Errors in performance of pre-initiator human actions (i.e., actions performed during maintenance, testing, and calibration) may cause components, trains, or entire systems to

! . be unavailable on demand during an accident, and thus may significantly impact plant risk. For information, the licensee refers to pre-initiator human actions as " pre-accident human errors."

. - Our review of the HRA portion of the IPE includes evaluating the licensee's HRA 1 process to determine what consideration was given to pre-initiator human actions, how l

potential actions were identified, the effectiveness of screening processes employed, and the processes for accounting for plant-specific performance shsPg factors, recovery !

a factors, and dependencies among multiple actions.

4-2.2.1 Tynes of Pre Initintnr Human Actions Coneidared.

The analysis of pre initiator human actions included failures in test, maintenance and l calibration activities that can render equipment usavailable when required to respond to !

an accident condition, l i .. l The scope of the WNP-2 pre-initiator analysis is somewhat unusual in that errors l

associated with the replacement and stocking of nitrogen bottles required for the containment instrument-air system are included. 'Ihese are in addition to the more typical types of pre-accident human actions such as failing to restore components to the available

, condition after test, or miscalibration ofimportant level and pressure switches. It is understood that this level of modeling in the containment instrument-air system was performed to reflect operational problems that had occurted at WNP-2.

In addition, one error was identified associated with errors during the RCIC pump oil change (RCIHUMN-PIX 3LL). In the RAI, the licensee identified that this error no longer would lead to pump failure and will be deleted from the models. -

4

._f ..4~ . . . .

. c- ,

WNP-3 Final TER,12/9/96 The range of pre-initiator human actions in the WNP-2 IPE is as broad as that seen in any PRA; the inclusion of human actions associated with support system resoorces is unique.

This range is considered a strength of the WNP-2 IPE.

2.2.2 Prnca== for identifie= tion and Selectinn of Pre-Initintar Human Actions.

A limited description of the process for the initial identification of pre-initiator human actions is provided.

First, systems that could influence the development of accident sequences were identified and selected as part of the front end analysis. For each such system, detailed systems' analysis notebooks were ymysisi. These included identification of all components whose states were changed during testing and maintenance, as defined in the WNP-2 test and maintenance procedures; this identification was performed on a system-by-system

, basis and included walkdowns of the systems in collaboration with operations personnel.

Those components whose changes of state during testing and maintenance or whose miscalibration could lead to system or train failures (within the definition of the system fault trees) were then subject to detailed HRA quantification modeling. The detailed quantification process is discussed in Section 2.2.4.

It is considered that the identification and selection of pre-initiator human actions was performed in a manner similar to that used in other studies. As described in Section 2.1.3, the systems analyses were subject to extensive review by plant and other licensee personnel; these reviews should have ensured that .yymyriate pre-initiator actions within the scope selected for the WNP-2 analysis were identified.

2.2.3 Screenino Proca== for Pre-initiatnr Human Actinnt No screening process was used by the licensee in the analysis of pre-initiator human actions, though the final quantification 15, in places, referred to as a " screening analysis."

4 2.2.4 Oumntificatinn Proce== for Pre-Initiatnr Human Actions.

The quantification process for the pre-initiator human actions is described as being based on the ASEP HRA method [1].

The WNP-2 analysis applies a single failute probability of 3.0E-M to all pre-accident human actions, based on the following rationale:

. based on the guidelines of Table 5-1 of[1], a basic human error probability of 3.0E-02 was assigned to each pre-initiator action- .

e two recovery factors of 0.1 were assigned: recovery by a second person verifying (using a written check-off) completion of the task, and recovery by a post-maintenance or post-calibration test; i

L l 5

l-

- + , - - ,, -, - -. -

O <

WNP.2 Final TER,12/9/96

zero dependaace was assumed between actions performed in series on

components or performed more than two minutes apart; and

complete dapandance was assumed between actions performed by the

_ same individual using the same procedure.

i A total of 82 pre-initiator human actions were quantified in the IPE using this method, i though one (RCIHUMN-PIX 3LL) has been subsequently been removed, as mentioned I

in Section 2.2.1 above. A complete list of all pre-initiator human actions is presented in Table 41.

, The licensee has identified that the WNP-2-specific experience of pre-initiator human i actions over the period of 1994-1995 indicates an error rate of approximately 5.0E-04,

! based on licensee event reports (LERs). However, the licensee reports that "many of the reportable occurrences were recovered before the equipment was declared operable" whereas the quantified error probability applies after the equipment was declared

operable. The licensee therefore considers the plant experience as supporting the value of i '3.0E-04.

No pre-initiator human actions were identified as significant by the importance analysis.

l l The quantification of pre-initiator human actions did not included any accounting for plant-specific performance shaping factors such as the location and layout of controls or ,

the formatting of procedures. 'Iherefore plant-specific deficiencies in these factors will -

not be identified or incorporated in results of the IPE. This omission is considered a limitation of the WNP-2 IPE. -

l In addition, the appropriateness of a single failure probability, which includes recovery

factors associated with independent checking and functional testing, for all the pre-

initiator human actions is unclear. For example, it is not clear how these recovery factors j apply to the events associated the supply of nitrogen to the containment instrument-air system. Does the recovery factor of functional testing apply in the case of miscalibration

of the suppression pool level sensors (when the critical calibration is often associated with switch settings on the level transmitter)? Neither the submittal nor the RAI clarifies these issues.

2.3 Post-Initiator Human Actions i

Failures by operators to take actions in responding to an accident initiator (e.g., by not i recognizing and diagnosing the situation properly or failing to perform required activities as directed by procedures) can have a significant effect on plant risk. 'Ibese actions are

_ref erred to as post-i niit atorhuman acti ons; h t elicensee ref ers to ht ese as post-acc I

ident human errors." Our review assesses the types of post-initiator human actions considered F by the licensee, and evaluates the processes used to identify and select, screen, and quantify post-initiator errors, including issues such as the means for evaluating timing, i dapaad*acy among human actions, and other plant-specific performance shaping factors.

6

'k

__.__L_--_________.-._____.._ _ , , , - _ . , - - , - . .

_. - . . ~ - -. - - -. -. . . -. . . . . . . . . . ~ . - - . - - . - . - - .

o , ,

WNP-2 Final TER,12/9/96 [

f'

.2.3.1 Tynes of Post-Initintar Mnnan Actions Considered.

l De licensee identified and analyzed three types of post-initiator human actions:

1). manual back-up of automatic actions; 2). actions associated with emergency operating procedures (EOPs); and

3) recovery actions identified in the containment performance (Level 2) analysis.

4 In addition, the licensee included the modeling of human actions within the internal-flooding analysis. De analysis of the flooding-related actions is discussed la Section 2.3.6.

2.3.2 Process for Identification and Selection of Post-Initiaine Rwnan Actions.

l : Different processes were used to identify and select the actions h=ekino up automatic actions and EOP-based actions, and the recovery actions.

I De back-up and EOP-based actions were identified by the systems analysts and event-tree analysts as those actions necessary to accomplish the success paths and function needs rep exated in the combinations of event paths and system fault trees. He

~ identification of the necessary actions was based on reviews of the EOPs, training 1

programs (including simulator training scenarios), transient analyses, and other PRA

models. l The post-initiator human actions were iepieaated either in the system-level fault trees or

the event trees. If the actions were largely independent of the sequence conditions (such

as the times available for actions), they were represented in the fault trees. If the actions l

were strongly dependent on the sequence conditions, they,were myieaated in the event trees.

2.3.3 Semino Procau for Post-Initiator Human Actions.

I A quantitative screening analysis was performed for the post-initiator human actions.

However, no actions were elimin= tad from the detai!cd modeling of post-initiator human actions.

l De screening process was performed by quantifying all post initiator human actions using the error probability of 0.1. and calculating F-V importance measures to rank the actions. 'All post-initiator human actions were requantified using the quantification process described in the next section.

2.3A Oumatific=+ inn Prne, for Post Initiment Human Actions.

- De quantification process for the post-initiator hinnan actions was based on the ASEP HRA method [1].

7 1'

_._i__1______--_________ - . _ _ . -, - , - - < - - . . , - . . , - -

t WNP-2 Final TER,12/9/96 +

i The post-initiator human actions were divided into three types for the quantification process *

r

1) manual back-up of automatic actions;

2) EOP-based actions; and 1

3) recovery actions incorporated in the Level 2 PRA models.

2.3.4.1 Manual back-up of automatic actions. All failures of actions to back up the. :

e '

automatic actuation of systems are modeled using a sing lc failure probability of 2.66E-03 i based on a datum provided in Table 8-5 of[1] 'Ihe datum provided in Table 8-5 l con ==de to: ;

" Perform a post-diagnosis immadia'a emergency action for the reactor vessel / ,

l

' containment critical parameters, when (a) it can be judged to have been 4

committed to memory, (b) it can be classified as skill-based actions per Table '

2-1, and (c) there is a backup written procedure. Assume no immediate RF j [ recovery factor] from a second person for each action."(Item 10 of Table 8-

. 5, p. 8-14)

This item provides a median failure probability of 1.0E-03, with an error factor of 10; the i licensee has converted this to a mean failure probability of 2.66E-03 using a standard

! statistical formula.

I 4 Eight actions were modeled using this process; they are summarized in Table 4-2. As can be seen in that table, six of the eight actions appear to correspond to the description quoted above; these are the back-up actions associated with the principal systems like the automatic depressurization system (ADS), HPCS, and RCIC. However, it is unclear whether the two actions associated with tuming on the fan coil units correspond to the definition provided above. .

2.3.4.2 EOP h===A actiam. Two separate. probabilities are estimated for each of the

' EOP-based actions. The first is the probability of failure associated with the diagnosis elencat of the action, and the second is associated with performing the actions following the diagnosis.

Diagnostic Errors. A time / reliability relationship is provided in Tables 8-1,8-2 and -3 of

[1] to provide a basis for quantifying the diagnostic portion of the post-initiator actions.

The WNP-2 analysis used the nominal values in Table 8-2, which are shown in Figure 2-1. According to Table 8-3 of[1], these values apply in cases where: l l

"(a) the only practice of the event is in simulator requalification exercises and all operators have had this experience, or l

- (a) none of the rules for use of upper or lower bounds apply."

i

^ !

8 j

.e ,

WNP 2 Final TER,12/9/96 Figure 2-1, ASEP HRA Nominal time / reliability correlation. -

8

.m..,

O' 0 ' gill $ i i

e 1 '

6 6 lll l l

- Il l' llil l l i l li

. A 11 : lull ;

J , 'I I' l :

l!

1 s .

L; ..

l

,. . . . . . , , , i.

I*I( ll' 44i i l I I l '

lI i /

illl l l l'Il f

' I 'I 'l I l' I l /

llll l 1 l Illli ll 1,l l 1: lll l l .ll / ;

ll' i! lll /

lllll l ,

l ll!l l l l -

l /

I I

I i

/ ,

ll 2 /

, a ...,

/ .

. . = . , . .. . . . . . ..

e. e e e ge, , e eei. . 6 e ie6.e i 6 e t*d6 *a . 6

" l ll 9 4 6 $ . 4$,4 6 l t $ $ l@I* .b i lI8 0 $ $ $ $ $$1 e $

ill I I l I I Il1 * + l t B lll11 I $ l l IlIl l l I i h h' 1I l 4 I 4 li t i i i i i stio e i i i Illil i I i i litiliI i l Me i l i i i i I

. .!!!Il l l 'l ll!.i 1 i i llilllIl l lllIliI M liIll' l l l ib I!llll I I Itin!! I I 11llll l l l EK! I I IMH l l l

!I MlI Il l y

o n .

u...: : ,a..- : m: : . i ,an :: I na u:

I! i * '

I I '

.'.Ii t i / li' 4 i l! l

t i 4 4 6 II' 6 8 i l i i l 'l!ll l l !

ill'l i I I V 11 . . i i j i i llI i l l l litIi l l lill ! l /1 lir t i L I '

lilll l l 111ll l l 1 ill !!l lIlll ll /l ll!il!l l llll lll llllll l llllll l *

/ hi i

/ Hi ,

'f l

a. f. l.ii

+

4 Ama.scu m. 4 ? ? ? ?

. m m m m.

a 9

.i. ,

, , -. ,. - - . . y -

--.-p_ q , '

. . . . . .. - . ~ . - - . - , - . - . . . - _ - - . - . . . .

.* e WNPo2 Final TER,12/9/96 I

1 l

nis assignment is considered appropriate, and, for some actions, conservative. In the l

cases where operators are well practiced, understand the procedures, the procedures are '

well designed, and the symptoms are clear, probabilities of a factor of 10 lower than those used in the WNP-2 analysis could be used according to Table 8-1. Some other IPEs have used the lower probabilities for actions defined in the EOPs. l The process for estimating the time available for diagnosis is described in Chapter 6 of !

i [1]; this procedure appears to have been followed generally by the licensee. He l submittal presents some limited information as to how individual times were di med for:

y I) the time available for actions to prevent core damage, and j 2) the times required to perform the individual actions following diagnosis.

t The times available for actions to prevent core damage were estimated using the accident-phenomena code, MAAP. For each action modeled, a review was performed of those ,

i dominant sequences in which failure of the action occurred and a representative sequence l selected. An analysis of the phenomena associated with that representative sequence was performed to estimate the time from the initiating event to the onset of core damage (specifically, as defined by failure to meet the success criteria described in Section 3.1.1.3 l of the submittal). The time from the initiating event to the occurrence of" compelling i signals" (typically control room panel alarms) is then subtracted to leave a time within J which operators must recognize the event and respond appropriately. l 2

1 The licensee has estimated the times required to perform the individual actions following diagnosis - examples are provided in the RAI - but the beis for these times are not

- provided. Chapter 6 of[1] recommends that these time estimates should be based on scenario walk-throughs in the simulator for in-control-room actions, and on plant walk-downs for ex-control-room actions. Opinions should be used only as a "last resort." The

values used in the WNP-2 appear to be consistent with the guidelines provided in Table l 8-1 of[1], however.

Errors inperforming actions. Tables 8-1 and 8-5 of[1] provide the basis for quantifying failures of operators to perform critical post-initiator actions following correct diagnosis.

In this, model, actions are categorized according to:

1) being either step by-step or dynamic, and

2) the level of stress.

Step-by-step actions are generally those taken in the simple linear application of steps in a procedure; dynamic actions are generally those where actions requires decisions based on feedback, branching to several parallel procedures, or when failures are encountered in

. applying the step-by-step actions.

l 10

.e 1

l ..- _ . . ; -

e ..

WNP 2 Final TER,12/9/96 )

, Two levels of stress were used in the WNP-2 modeling: moderate stress, and extreme stress, as described in Table 8-1 of[1]. Moderate stress is the " normal" level of stress q assumed for the first two hours or more after an initiating event. Extreme stress is assumed to occur in the event of a large loss-of-coolant accident (LOCA) or in the event

. that more than two primary safety systems fail to function.

l

, As shown in Table 2-1, probabilities of failure are assigned for each combination of

, action type and stress level. Also shown are recovery factors assigned for each !

combination. These are applied "when ample time permits" for a second operator to )

detect and correct the initial mistake; the value of" ample time"is not defined. The values pra-a'ai in Table 2-1 are median probabilities. The licensee converted these to j mean probabilities using standard statistical methods for consistency with the PRA

, quantification process.

It is noted that the licensee claims that in applying the values presented in Table 2-1, "it j

is conservatively assumed that there is a novice person backed by a more experienced person in performing the action to fulfill the safety function." However the values

! presented in Table 2-1 are based on an assumption that a novice is replaced by a skilled person for critical actions (Table 8 5 of(1]).

. Table 4-3 identifies the EOP-based actions modeled in the WNP-2 IPE.

Table 2-1. Failure probabilities assigned to post-diagnosis setions.

Step-by-step, Step-by-step, Dynamic, Dynamic, j moderate stress extnme stress moderste stress extreme stmss l

j 1

Response action 0.02 0.05 0.05 0.25 l Recovery tactor 0.2 0.5 0.5 0.5 I l 2.3.4.3 Recovery actions. Recovery actions in the WNP-2 IPE are those actions modeled in the Level 2 PRA that have the potential to prevent containment failure. Some actions i consider the recovery of plant functions that previously had failed (including those because of human error), and some (such as recover isolation of containment penetrations) iepieecat actions not modeled in the level 1 PRA. Recovery of previously j failed functions was considered possible because of the often extended timescales before

containment faih're that would allow the Technical Support Center to be activated and the severe accident management plan to be activated.

L i Section 4.4 of the submission states that, in most cases, the failures of recovery actions i-were quantified using a probability of 0.1. This probability was determined judgmentally ,

to include implicitly the potential influence of stress and the possible influence of l dependency betv.cen the Level 1 and Level 2 actions. 'Ihe exceptions were for actions to i recover failures in isolation of the containment penetrations. These were considered

" difficult" principally because of difficulties in identifying which penetrations had failed l

. and because of the possibility ofimpaired access to the equipment locations. The failure )

. l 11 i i

4 i

l e ,

WNP 2 Final TER,12/9/96 l probability for recovering containment-penetration isolation wasjudgmentally assigned the value of 0.5. However, recovery actions were modeled using different failure probabilities. For example, failure of the operators to depressurize the reactor before the onset of core damage for non-station blackout sequences was estimated to be 2.0E see the discussion in Section 2.3.5.3.

1 The submittal does not provide any detailed description of the failiares in recovery actions !

or their contribution to the probability of containment failure. l 2.3.4.4 Dependency Modeling. The models used in the WNP-2 submittal assumed that i post initiator human actions associated with different tasks were iaAagad-at; actions !

following diagnosis were completely dependent on the correct diagnosis,however.

Following the submittal, the licensee has performed an analysis of dependencies of post-initiator human actions as described in their response to question 30 of the NRC's RAI.

In this analysis, the licensee has examined the cutsets of the Level 1 PRA to identify combinations of the EOP-related human actions, and has evaluated which combinations i are dependent and revised the combined probabilities accordingly. [Since the Level 1 PRA models include only 13 EOP-related human actions, it is considered feasible to perform this analysis manually.]

One combination of actions was identified for the ATWS event tree associated with turbine trips (TTC2) involving the control of feedwater (RFWHUMN-1 A-H3LL) and SLC initiation (SLCHUMN40 MINUTES). However, modeling this combination as dependent has no impact on the core-damage frequency. Other combinations were ,

identified for failures oflong-term cooling (for example, initiation of RHR cooling of the i l

suppression pool, reopening the main-steam isolation valves (MSIVs), and venting the containment (RHRHUMNSP-COOLL*ZM*VENTFAIL). However, the licensee judges such combinations as independent since:

1) the actions are separated in time;

2) the actions are identified in-different paths of the EOPs;

3) different plant parameters are used to cue the actions;

4) the actions involve different systems; and

5) in most cases, the actions would be overseen by the TSC. !

l As a result, the review of dependencies did not lead to changes in the Level 1 PRA results presented in the submittal. It is noted that the combined failure probability for the joint ;

event (RHRHUMNSP-COOLL*ZM*VENTFAIL) in transient-initiated sequences with I the power-conversion system available is 4.8E-09.

12 1 -

e , 1 WNP 2 Final TER,12/9/96 I l

2.3.5 Generic Issues and Containment Performance Imnrovement. I

~

2.3.5.1 Drsay Heat Removal. The licensee performed a detailed assessment of the risks from decay-heat removal. The total frequency of core damage resulting from loss of

decay heat removal is estimated to be 1.4E-06 per year. Failures of post-initiator human t

actions provide a contribution to this frequency.

At WNP-2, the accidents resulting from loss of decay heat removal involve containment failure causing core damage. Two operator actions are potentially important in

, preventing core damage.

De first is the failure of operators to initiate cooling of the suppression pool using the RHR system, as directed by the EOPs (event RHRHUMNSP-COOLL). This action has an estimated failure probability of 1.0E-5 for transient-initiated sequences, and 3.0E-05 i I

for LOCA-initiated sequences. RHR cooling must remained failed for an estimated 29 hours3.356481e-4 days 0.00806 hours 4.794974e-5 weeks 1.10345e-5 months before the containment failure pressure is reached.

i

' l The second action identified in the EOPs associated with decay-heat removal at WNP-2 l

is to vent the containment (event VENTFAIL), which has an estimated failure probability I

of 0.06. This action is to be taken when the containment pressure reaches 39psig. The l operators have an estimated 14 hours1.62037e-4 days 0.00389 hours 2.314815e-5 weeks 5.327e-6 months to perform the action after that pressure is reached l before the expected containment failure pressure is reached. !

The licensee believes that the unresolved safety issue associated with decay-heat removal is resolved for WNP-2 by the adequately low core-damage frequency of 1.4E-06 per year

. (which includes failures of the above human actions), and that modifications such as a hardened vent are "non-beneficial."

2.3.5.2 System Interactions. The licensee notes that systems' interactions associated with common mode human errors are represented explicitly by human-action events in

, the PRA models for cases involving multiple miscalibrations and the performance of procedural steps associated with multiple, systems.

l The licensee states that results of the PRA modeling (which includes the human interactions) demonstrates that no vulnerability associated with systems' interactions

. exists.

2.3.5.3 Containment Performance Imnrovement. The licensee discusses several issues associated with containment-performance improvements that involve human performance. Dese are:

e

the reliability of operator actions to initiate cooling of the suppression pool using the RHR system; !

i operator actions to depressurize the reactor pressure vessel (RPV) before

. the onset ofcore damage; and 13 h

.- - * - - , , , - - _ _ _ _ - --___m -

. .. .. - .~_ - - . - .- . ~._ .. ._ - . - - - - - - - -. - -.. -- .

!. a ,' i i

wNP-2 Final TER,12/9/96

improved EOP training.

'~

The failure of operators to initiate cooling of the suppression pool using the RHR system represents about 10% of the failure to accomplish decay heat removal. The licensee

considers that actions to modify this probability would not significantly change the

, contribution of sequences involving failure of RHR, and therefore no changes are planned. [f t is noted in this review that reductions in the failure probability of this action (1.0E-05) would be difficult tojustify using current HRA methods.)

WNP-2 EOPs and operator training currently include the actions for early

. depressurization of the RPV; failure of this event (event DPR) is modeled in the recovery

analysis and is represented as an event in the relevant containment event trees. For station black-out (SBO) sequences, the failure probability is enti=M to be 0.1, and for i non-SBO sequences 2.0E-03 according to Section 4.5.1.1 of the submittal. The licensee notes that it would be difficult to justify any lower probability given the expected stress associated with the scenario.

[It is noted that the response to question 32 of the WNP-2 RAI quotes the non-SBO-

related failure probability as 2.7E-03. Both values are different from the generally applied value of 0.1 discussed in Section 2.3.4. No explanation is provided for these apparent inconsistencies.)

Conceming the possible improvements in EOP training discussed in supplements to the NRC's Generic Letter 88-20, the licensee states that the EOPs on which the training is based are derived from revision 4 of the BWR emergency procedure guidelines, and that in 1991 and 1992, the EOPs were significantly improved from both the technical and human-factors gwgctives. Therefore the licensee considers the NRC's guidance ;

associated with improved EOP training has been effectively incorporated at WNP-2.

In summary, the licensee believes no further analyses or responses associated with human actions as part of the containment performance improvement analysis are required.

{ 2.3.6 Intemal Floodino.

The analysis ofintemal floods considered two specific aspects of human actions: the 4

times required to terminate the flooding source to prevent loss of equipment, and the failure probability of tenninating the source. Human actions following termination of the flooding source, and to start or control equipment to prevent core damage, were analyzed using the methods discussed in Section 2.3.4.

The times required to take actions to terminate flooding sources were estimated using the

". ' guidelines for action times presented in Table 8-1 of [1].

1)' Assess a 5-minute delity after correct diagnosis before initiating the first 4

action if written procedures are to be used; i

14

't

. . - , . , , _,.m.

-e o l

WNP 2 Final TER,12/9/96

'2) Assess a 1-minute time for each action taken at the primary operating panelsin the control room;and 3)' Assess a 2-minute time for each action taken at other than the primary operating panels in the control room.

The resulting time to perform the actions is added to the time required to detect the j flooding, to estimate the total time required to tenninate the flooding source. (This time j- is used in the flooding analysis to estimate the total volume of flooding and the extent of -

equipment failure that would result.)

j The probability of failure to terminate the flooding was estimated using the data ,

presented in Table 2-1 corresponding to " dynamic actions under moderate' stress" with j the corresponding recovery factor applied (i.e.,0.05 x 0.5, or 0.025).

In the flooding analysis, this probability was combined with the flooding initiating-event

. frequency to provide a frequency of unterminated flooding for a particular room or area.

i Event trees were developed to model the accident sequences that could lead to core

damage as a result of the untenninated flood. One action, to _ terminate flooding in the l reactor building from a break in the turbine-building service water system (TWS), was identified as having a significant F-V importance (event FLD7, F-V-0.10).

The event trees for unterminated intemal floods include human actions to prevent core

damage (for example, ADS initiation and containment venting). The failure probabilities

- for these actions appear to be the estimates as described in Section 2.3.4, though no specific discussionis provided.

, 2.4 Vulnerabilities, Insights, and Enhancements j 2.4.1 Vulnerabilitien Related to Human Performance.

4 l

l The licensee has concluded that no plant vulnerabilities have been identified by the j

WNP-2 IPE. Therefore there are no vulnerabilities related to human performance. .

2.4.2 Innichts Reint*A to Human Performance.

The licensee has not identified any explicit contribution of human errors to the WNP-2 l core-damage frequency. However, the licensee does identify five sequences that 4

contribute at least 5% of the core damage frequency and together contribute approximately 71% of the core-damage frequency. Of these five, two involve failures in human actions. These are:

' station blackout with HPCS and RCIC failure, and failure to recover offsite power within 30 minutes (sequence TE-S19, freq. = 2.7E-06/yr); '

and ]

I

. intemal flood with failure of containment venting (sequence FLD7-S02, j freq. = 1.0E-06), i 1

s -

15 j 4

, w , --- - -

' ,e v wNP-2 Final TER,12/9/96 i

Sequence TE-S19 involves failure of RCIC. One cause of RCIC failure is the loss of '

7 RCIC room cooling because ofloss of the 4kV electrical supply to the standby service j water system. 'Ihis failure can be averted by operators opening the RCIC room doors L - within thirty minutes to allow natural circulation of the air. However, it is noted in the ,

l WNP-2 responses to the NRC's RAI (question 4), this action is no longer needed since

!' the temperature in the RCIC room with the doors closed should not cause RCIC to fail.

l Therefore this sequence will be deleted by the licensee in future revisions of the IPE.

L Me FLD7-S02 is initiated by a pipe failure in the TSW system that causes loss of i 1 all emergency core-cooling system (ECCS) pumps except low-pressure core spray (LPCS) pumps. Providing the reactor is depressurized successfully, the reactor is cooled. ,

However failure of the ogerators to vent the containment allows the containment to ;

! repressurize to 62 psig, at which point the ADS valves reclose and low-pressure cooling 2 is lost. The failure to vent the containment, event VENTFAIL, has an assessed failure . j l probability of 0.06. ;

i .

In addition to the five sequences comprising 71% of the core damage frequency, a further j

14 sequences comprise an additional 24% of the WNP-2 core-damage frequency. Four of ;

these additional sequences involve failures associated with containment venting. Other

' human action events in these sequences are associated with: :

L e failure to initiate suppression-pool cooling (event RHRHUMNSP-COOLLL)in several sequences, ,

3 l l . failure to actuate the standby liquid control (SLC) system (event j SLCHUMN" MINUTES)ir an anticipated transient without scram (ATWS) sequence (sett.ence ITC-S17); and l i

. failure to inhibit the ADS operation (event AI) in an anticipated transient

without scram (ATWS) sequence (sequence 'ITC-S16).

The WNP-2 IPE included the performance of bcch importance 1.nd sensitivity analyses. j l The importance analysis calculated both Fusse?-Vuely (F-V) and Risk-Achievement j Worth (RAW) parameters, and the fifty events having the highest F-V or RAW values are j reported in the submittal. The post-initiator human actions in the list of" top 50" events 4 ranked by their F-V importance measures are shown in Table 2-2; one action is in the list I

of" top 50" events ranked by their RAW importance measures and is shown in Table 2-3.

i i

4 a

a F 16 1 l

.t }

t . - - - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

o tv i i

WNP 2 FinalTER.12/9/96 Table 2-2. Human actions with significant F-V importance measures.

Event Description Failure Probability F-V Importance 4 VENTFAIL Failure to vent 6.0602 0.08

) 8 containment RCIHUMNRCOOLH3LL Failure to open RCIC 5.0LO2 0.06 4 pump-room door * ,

i i ADSHUMNSTARTH3LL Failure to imtate 2.7603 0.02 ADS ,

RHRHUMNSP-COOLL Failure to initiate SP - 3.0E05 0.02

) cooling or spray ;

j- Al Failure to inhibit 5.0E-02 0.01 ,

ADS or control RCS j i level (ATWS) -

'The action to open RCIC doors to ensure equipment cooling in the event of a station !

blackout has been identified by the licensee as being no longer necessary, as described ;

. above. Analyses performed aAer the submittal of the IPE indicate that, if the doors are not opened, the temperature in the equipment rooms will not cause equipment failures.

4 Table 2-3. Huruan actions with significant RAW importance measures.

Event Description Failure Probability RAW

['

Importeve ,

4 RHRHUMNSP-COOLL Failure to initiate SP 3.0E-05 515

cooling or spray i

! The sensitivity analysis ofpost initiator human actions was performed by recomputing

!~ . the WNP-2 core-damage frequency for cases where the failure probability for each human . :

action was first increased and then decreased by a factor of 10 from its estimated value.

The licensee reports four events as having the hijiest sensitivities; these are shown in i . Table 2-4. . ..

Table 2-4. Summary of sensitivity asc; sis for post-initistor human actions.

! Event Failure Increase la CDF for Decrease la CDF for Probability lacreased HEP Decmased HEP VENTFAIL 6.0bO2 69 % 7%

RCIHUMNRCOOLH3LL 5.0602 58% 6%

Al 2.66E-01 17% 2%

{kHRHUMNSP-COOLLL -3.0L _

14 % 1%

i l _ In summary, both the importance analyses and the sensitivity analysis indicate that one small group of human actions appear to be the most influential for the WNP-2 IPE.

i

i 17

e v WNP 2 Final TER,12S/96 2.4.3 Fahancemente Relatad to Human Performance The licensee has identified several possible enhane-mants related to human performance as a result of performing the IPE. No credit was taken in the IPE models for these changes but subsequently, the licensee has estimated the potential change in core-damage frequency. These are:

1) ADS inhibit switch. This enhaneament is to permit the operators to use the ADS inhibit switch (used for ATWS sequences to override the

. automatic ADS signal) for non-ATWS scenarios. This modification is estimated to reduce the core-damage frequency by 1.5%. This modification has been implemented subsequent to the IPE analysis.

2) Tacra===A surveillane =ad anaratar trainincr for flaadinct sources in the r =ctor and turhine buildincra. His modification has been determined not to be cost-beneficial subsequent to the IPE analysis and is therefore not being implemented.

3) Statian blackout denr**=nrivatian This anhaarament is for the operators to depressurize the reactor vessel prior to battery depletion, which will extend the time for potential recovery. This modification is estimated to i reduce the core-damage frequency by 34%. This modification has been implemented subsequent to the IPE analysis.

Other modifications involve operator activities but are not modeled in the HRA part of the IPE. These include use of the 50CkV backfeed (under consideration), and changes in preventive maintenance scheduling (implemented).

b I

l ..

l 1

k i

t h

18

* + s c WNP 2 Final TER,12/9/96

3. CONTRACTOR OBSERVATIONS i ne intent of our document-only review of the licensee's HRA process and results is to determine wheG.er the process supports the licensee's meeting specific objectives of GL .;

, 88-20 [2] as they relate to human performance issues. That is, does the HRA process permits the licensee to:

1) Develop an overall appreciation of human performance in severe accidents; how human actions can impact positively or negatively the ;

j course of severe accidents, and what factors influence human performance.

! 2) Identify and understand the operator actions important to the most likely p accident sequences and the impact of operator action in those sequences; j i-understand how human actions affect or help determine which sequences

are important.

3) Gain a more quantitative under=tanding of the quantitative impact of human performance on the overall probability of core damage and :

radioactive material release.

4) Identify potential vulnerabilities and enhancements, and if appropriate, unplement reasonable human-performance related enhancements.

4 it is our general conclusien from the review of the submittal and the additional material provided by the licensee in response to NRC requests for additional information that the

! licensee's HRA process appears generally capable of providing the licensee with a general appreciation of the impact of human performance on the overall pmbabilities of core damage and fission-product releases.

However, there does not appear to be a thorough case-by-case (plant-specific and event-specific) assessment of some of the factors influencing human actions to assure a completely realistic understanding of human performance in.the plant. The analysis of

. pre- and post-initiator human actions does not include any consideration of the human-system interface or the presentation of procedures, for example.

ne analysis of pre-initiator human actions has been performed for a wide range of activities, and includes actions rarely (if ever) included in other PRAs such as actions to ensure an adequate supply of nitrogen for the containment-air systems and failures in preventive maintenance. The scope of analysis of the pre-initiator human actions is considered a significant strength of the WNP-2 IPE. j l

However, the failure probabilities of all pre-initiator human actions were modeled usmg a j i

single value (3.0E-04) based on a very simplistic quantification gocess that assumed: (1) I all actions would be followed by a functional test, and (2) all actions would be !

indapaadently checked. It is by no means clear that these assumptions apply equally to )~

all the actions modeled. Miscalibrations ofswitches that measure basic plant parameters

(for example, suppression pool and mada===*a storage tank level switches) rarely are 4

19

1 n n WNP-2 Final TER,12/9/96 revealed by functional testing because the basic parameters cannot be varied in the range ,

of operability of the switches. In this case, the failure probabilities of these actions are i tmderestimated by a factor of10. l l

In addition, it is not clear from the submittal or the responses to the RAI that a unifonn level ofmodeling pre-initiator human actions has been applied across systems. For ;

example, in modeling the RHR system, separate human actions were modeled for failures in: (1) preventive maintenance, (2) repairs, and (3) testing. For the RCIC system, ;

however, errors in preventive maintenance or repair were not considered. Further, the j same probability of failure is assigned to each pre-initiator human action regardless of the number of steps or the complexity of the actions.

While these limitaticas in the analysis of the pre-initiator actions may or may not have a significant impact on the grou quantitative results of the IPE or the basic conclusions drawn from the study, they do limit the potential for the licensee to gain a full ;

appreciation of the ways in which human performance can influence overall risk and to identify potential risk-reduction measures. It is noted that the liensee intends to perform sensitivity analyses of the pre-initiator human actions to provid e additional insights for l studies of technical-specifications requirements and for implemsntation of NRC's Maintenance Rule.

The scope of the licensee's analysis of post-initiator human actions is extensive in its inclusion of actions to prevent core damage for sequences involving both internal events and intemal flooding, and consideration of actions to prevent containment failure following core damage. This scope is considered a strength of the WNP-2 IPE. The classification of post-initiator human actions into (1) manual backup actions, (2) EOP- >

based actions, and (3) Level 2 recovery actions, is considered appropriate. However, the' inclusion of two actions, to start fan coil units when required, as manual backup actions which are described as immediate actions recalled from memory seems possibly

, inappropriate, though the probabilities of failure assigned (2.7E-03) would seem ,

reasonable even if these events were analyzed as EOP-based actions.

l 'Ihe decomposition of failures of EOP-based actions into diagnosis failures and action failures is appropriate, and the use of a time / reliability conelation to quantify the j diagnosis failure is appropriate. The time / reliability correlation in the WNP-2 IPE is j considered appropriate, and, for some actions, conservative. In the cases where operators

are well practiced, underuand the procedures, the procedures are well designed, and the ;

symptoms are clear, probabilities of a factor of 10 lower than those used in the WNP-2

' analysis could be used. i

' Specific bases for the times for action are not provided by the licensee, other than the i

overall times available for actions were based on MAAP calculations. It would seem that

the times required for individual actions were based on the guidelines contained in [1]

rather than any plant-specific walk-downs or evaluations. No consideration was given to sources of uncertainty in the times calculated in the MAAP analyses, though they can ,

lead to signiScant levels of uh614y in the resulting failure probabilities. The licensee did describe the process for selecting representative sequences for the MAAP analyses, ;

20 l

.g i

s- . ,

y .i WNP 2 Fina! TER,12/9/96 which appears logical and appropriate; few IPE submittals have presented an explanation for this selection process. , ,

The analysis of action failures was based on a simple two-dimensional analysis of action

type, and stress. To a limited degree, the action type implicitly incorporates such factors as the clarity of procedures and the degree of operator training. However, no description !

or evaluation of the human-factors characteristics of the plant are provided, nor are they !

explicitly represented in the modeling.

l The lack ofincorporation of Wwies bet;cm post-initiator actions is considered a !

potentially significant limitation. Following the IPE, the licensee undertook a review of the potential effects of Weies between actions in single sequences and concluded that, for those combinations identified, the actions could be considered independent. In effect, the combined failure probability for onejoint set of human actions (event RHRHUMNSP-COOLL*ZM*VENTFAIL) wou!d be 4.8E-09. The licensee appears not to recognize that this is an extremely low probability, and cannot be supported empirically. Its effect is to reduce the frequency of some sequences involving failure of ;

long-term heat removal from the core-damage frequency at WNP-2.

l l

1 1

, l 1

1 l

v

(

.]

l 21 I

___-__-_.--__--_____I

J L

i. WNP 2 Final TER,12/9/96

'4. PLANTDATA i 4.1 Important Operator Actions. .l Several of the dominant sequences in the WNP-2 IPE involve failaes in human actions.

These are:-

Sequence TE-S19, station blackout with HPCS and RCIC failure, and

i. failure to recover offsite power within 30 minutes. One cause of RCIC l failure is the loss of RCIC room cooling, which can be averted by the l l operators opening the RCIC room doors within thirty minutes to allow l natural circulation cooling. However, it is noted in the WNP-2 responses )

. to the NRC's RAI that this action is no longer needed and therefore this j sequence will be deleted by the licensee in future revisions of the IPE. j l

Sequence FLD7-S02, intemal flood with failure of containment venting:

In this sequence, all ECCS cooling except LPCS. fails from the flooding. i

! Providing the reactor is depressurized successfully, the reactor is cooled )

l by LPCS. However failure of the operators to vent the containment allows 1 l the containmert to repressurize to 62 psig, at which point the ADS valves

[ reclose and low -pressure cooling is lost.

Failure to initiate suppression-pool cooling (event RHRHUMNSP-

COOLLL) to remove decay heat in several sequences.

I

Failure to actuate the standby liquid control (SLC) system (event l SLCHUMN" MINUTES) in an anticipated transient without scram

[

(ATWS) sequence (sequence TTC-S17). ;

i l

Failure to inhibit the ADS operation (event AI)in an anticipated transient without scram (ATWS) sequence (sequence TTC-S16).

i ne WNP-2 IPE included the performance of both importance and sensitivity analyses.

nese analyses indicated the importance of the human actions listed above.

I Ta ple_4-1 presents all the pre-initiator human action events modeled in the WNP-2 if IPE. Table 4-2 lists the post-initiator actions to manually back up automatically initiated -

i~

equipment, and Table 4-3 identifies the EOP-based actions. No list is provided in the j- submittal for recovery actions.

4.2 ' Hassan Performance-Related Enhancements

! De licensee has identified several possible enhancements related to human performance as a result of performing the IPE. No' credit was taken in the IPE models for these I changes but subsequently, the licensee has epim*d he t potential change in core-damage

. -- frequency. Dese are:

l 22

I

~ w WNP-2 FinalTER,12/9/96 ADS inhibit switch. His enhancement is to permit the operators to use the ADS

' inhibit switch (used for ATWS sequences to override the automatic ADS signal) for non-ATWS scenarios. His modification is' estimated to reduce the core-damage frequency by 1.5%. Th*s modification has been implemented subsequent to the IPE analysis.

Increased surveillaner and onerninr trainino for finridino sources in the remefor and turbint buildinoa. This modification has been determined not to be cost-beneficial subsequent to the IPE analysis and is therefore not being implemented.

. statinn blachaut &...u=Amtion. This enhancement is for the operators to depressurize the reactor vessel prior to battery depletion, which will extend the time for potential recovery. This modification is estimated to reduce the core-damage frequency by 34%. This modification has been :

implemented subsequent to the IPE analysis.

Other modifications involve operator activities but are not modeled in the HRA part of the IPE. These include use of the 500kV backfeed (under consideration), and changes in preventive maintenance scheduling (implemented).

Table 4-1. Pre-initiator human actions analyzed in the WNP-2 IPE.

Event - Action Error Pmbability l CIAHUMNBUTAKX3X Failure to replace specific N2 bottle when 3.0E-4 X- required i

CIAHUMNBUTBKX3X Failure to replace specific N2 bottle when 3.0E-4

JX required CIAHUMNTK20AX3XX Failure to replace N2 bottle CIA-TK-20A 3.0E-4 when required i CIAHUMNTK20BX3XX Failure to replace N2 bottle CIA-TK-20B 3.0E-4

! when required CIAHUMNV-20J3XX TM error on CIA-V-20 3.0E-4

,_ CIAHUMNV-30AJ3XX TM error on CIA-V-30A 3.0E-4 CIAHUMNV-30BJ3XX TM error on CIA-V-30B 3.0E-4 CN-HUMNTK-lX3XX Failure to reorder N2 when required

3.0E-4 l HPSHUMNLSI-3M3LL HPCS-LS-1 A/lB/3A/3B miscalibration of 3.0E-4 CSTlevel sen::or HPSHUMNLS2ABM3L HPCS-LS-2A and -B miscalibration of SP 3.0E-4 l L level sensor j HPSHUMNPM--X3LL Failure during HPCS preventive mamtenance 3.0E-4

HPSHUMNPVOPEX3LL Failure during HPCS operability test 3.0E-4 HPSHUMNSYSTMJ3LL Failure dunng HPCS repair maintenance, 3.0E-4 L, tested component LD-HUMN-603AM3LL Failure, LD-TS-603A 3.0E-4 L 23

w WNP 2 Final TER,12/9/96 LD-HUMN-603BM3LL Failure, LD-TS-603B 3.0E-4 LPSHUMN--ICX3LL LPCS I&C test and maintenance failure 3.0E-4 LPSHUMN-V-5X3LL LPCS test and maintenance failure, LPCS-V- 3.0E-4 5 _

LPSHUMN-V-6X3LL LPCS test and maintenance failure, LPCS-V- 3.0E-4 6 ,

LPSHUMNFIS-4M3LL LPCS-FIS-4 flow sensor miscalibrated 3.0E-4 LPSHUMNPVOPEX3LL Failure durmg LPCS operability test 3.0E-4 LPSHUMNSYSTMJ3LL Failure during LPCS system repair 3.0E-4 MS-HUMN-100AM3LL MS-LIS-100A miscalibration 3.0E-4 MS-HUMN-100BM3LL MS-LIS-100B miscalibration 3.0E-4 MS-HUMN BDPSM3LL MS-PS-48B & D pressure switch testmg 3.0E-4 failure MS-HUMNBDLISM3LL MS-LIS-37B & D level sensor testmg failure 3.0E-4 MS-HUMNLE24BM3LL MS-LIS-24B & D human error 3.0E-4 MS-HUMNLE31 AM3LL MS-LIS-31 A & C miscalibration 3.0E-4 MS-HUMNLE31BM3LL MS-LIS-31B & D miscalibration 3.0E-4 MS-HUMNLE36AM3LL MS-LIS-36A & C miscalibration 3.0E-4 MS-HUMNLE36BM3LL MS-LIS-36B & D miscalibration 3.0E-4 MS HUMNLE37AM3LL MS LIS-37A & C miscalibration -3.0E-4 MS-HUMNLE37BM3LL MS-LIS-37B & D miscalibration 3.0E-4 MS HUMNLS37AM3LL MS-LIS-37A & C human error 3.0E-4 MS-HUMNLS37BM3LL MS-LIS-37B & D human error 3.0E-4 MS-HUMNP413CM3LL MS-PS-413C miscalibration 3.0E-4 MS-HUMNPE47AM3LL MS-PS-47A & C miscalibration 3.0E-4

. . MS-HUMNPE47BM3LL MS-PS-47B & D miscalibration 3.0E-4 MS-HUMNPE48AM3LL MS-PS-48A & C miscalibration 3.0E-4 MS-HUMNPE48BM3LL MS-PS-48B & D testing failure 3.0E-4 l.

MS-HUMNPS45AM3LL~ MS-PS-45A & C miscalibration 3.0E-4 l MS-HUMNPS45BM3LL MS-PS-45B & D miscalibration 3.0E-4

! RCIHUMN-PIX 3LL Failure durmg pump oil change" 3.0E-4 RCIHUMNLS15AM3LL RCIC-LS-ISA human error 3.0E-4 l 3.0E-4 RCIHUMNLS15BM3LL RCIC-LS-ISB human error

! RCIHUMNPS--6M3LL RCIC-PS-6 miscalibration 3.0E-4 RCIHUMNPS-9AM3LL RCIC-PS-9A & B miscalibration 3.0E-4 RCIHUMNPS12AM3LL RCIC-PS-12A human error 3.0E-4 ,

RCIHUMNPS12BM3LL RCIC-PS-12B human error 3.0E-4

[

RCIHUMNPS12CM3LL RCIC-PS-12C human error 3.0E-4

! RCIHUMNPS12DM3LL RCIC-PS-12D human error 3.0E-4 i RCIHUMNPS13AM3LL RCIC-DPIS-13A human enor 3.0E-4 RCIHUMNPS12BM3LL RCIC-DPIS-12B & 7B human error 3.0E-4

!' RCIHUMNPS22AM3LL RCIC-PS-22A human error 3.0E-4 RCIHUMNPS22BM3LL RCIC-PS-22B human error 3.0E-4 24

.-._.7 4

k.)

j WNP-2 Final TER 12/9/96 )

1

', RCIHUMNPS22CM3LL RCIC-PS-22C human error 3.0E-4

, RCIHUMNPS22DM3LL RCIC-PS-22D human error 3.0E-4 RCIHUMNPVTSTX3LL Failure durmg RCIC operability test 3.0E-4

RHRHUMN-PMAX3LL Failure durmg RHRloop A preventive 3.0E-4

i. maintenance

] RHRHUMN-PMBX3LL Failure during RHRloop B preventive 3.0E-4

, maintenance

! RHRHUMN-PMCX3LL Failure during RHRloop C preventive 3.0E-4

maintenance

! RHRHUMN-FIXAJ3LL Repair error, RHRloop A 3.0E-4 RHRHUMN-FIXBJ3LL - Repair error, RHR loop B 3.0E-4 j RHRHUMN-FIXCJ3LL Repair error, RHR loop C 3.0E-4 _

RHRHUMNTESTAX3L Testing error, RHR loop A 3.0E-4 ;

L l RHRHUMNTESTBX3L Testing error, RHR loop B 3.0E-4

}- L' i

RHRHUMNTESTCX3L Testmg error,RHRloop C 3.0E-4 L j RRAHUMNFC-01J3D2 RRA-FC-01 failure durmg repair 3.0E-4 l l RRAHUMNFC-02J3D1 RRA-FC-02 failure during repair 3.0E-4 l RRAHUMNFC-03J3D2 RRA-FC-03 failure dunng repair 3.0E-4 l

! RRAHUMNFC-04J3D3 - RRA-FC-04 failure during repair 3.0E-4 l 1

RRAHUMNFC-05J3D1 RRA-FC-05 failure during repair 3.0E-4 l RRAHUMNFC-06J3D2 RRA-FC-06 failure during repair 3.0E-4 3

RRAHUMNFC-10J3D2 RRA-FC-10 failure during repair 3.0E-4 RRAHUMNFC-11J3D1 RRA-FC-11 failure during repair 3.0E-4 RRAHUMNFC-1233D1 RRA-FC-12 failure dung repair 3.0E-4 l SLCHUMN-TMX3XX Failure of SLC due to test or maintenance 3.0E-4 error i

SLCHUMN-SLCJ3XX Failure durmg SLC repair maintenance, tested 3.0E-4 l

component j i SLCHUMNBORONX3X Failure in preventive maintenance causing 3.0E-4 l X insufficient boron in injection fluid i i SW HUMNSWPIAJ3LL Failure during preventive mamtenance (pump 3.0E-4 l or valve)

SW-HUMNSWP1BJ3LL Failure durmg preventive maintenance (pump 3.0E-4 or valve)

TSWHUMNSW1BJ3PB Unavailability from human error 3.0E-4 l TSWHUMNSW1BX3PB Failure durmg preventive mamtenance (pump 3.0E-4 i

or valve) hinics *- In the response to NRC's RAI, question 17, the licensee indicates that

. - this event should be renamed " Failure to refill liquid nitrogen when required."

25 1

M, A WNP-3 Final TER,12/9/96

]

I j . **- In the response to NRC's RAI, question 17, the licensee indicates that this

! event is no longer considered a failure mode of the RCIC pump and wil1 be 4

deleted from the PRA models.

f Table 4-2. . anal back-up post-initiator human actions.

Event Action Error 4

Probability -

l ADSHUMNSTARTH3L Failure to stan ADS when required 2.7E-03 ~

]. L :

HPSHUMNSTARTH3LL Failure to start HPCS when required 2.7E-03

} LPSHUMNINITIH3LL Failure to start LPCS when required 2.7E-03 RCINUMNSTARTH3LL Failure to start RCIC when required 2.7E-03 RHRHUMNLPCISTART Failure to start LPCI when required 2.7E-03

ARIHUMN H3LL Failure to initiate ARI when required 2.7E-03 j RRAHUMNRFC10H3D2 Failure to start RRA-FC-10 fan coil unit when 2.7E-03

i. needed RRAHUMNRFCI1H3D1 Failure to start RRA-FC-11 fan coil unit when 2.7E-03

! needed l Table 4-3. EOP-based post-initiator human actions.

l Event Action Error

Probability Al Failure to inhibit ADS and lower RCS 0.05 water level to control power during MSIV-l closure ATWS l AIM Failure to inhibit ADS and lower RCS 0.05

! water level to control power during non-i MSIV-closure ATWS i FP-HUMNSYS62H3LL Failure to connect Firewater Condensate 0.036 l System during long-term SBO sequence

, RCIHUMNRCOOLH3L Failure to open RCIC room doors, SBO' O.005 L

l RCIHUMNRCOLH3LL Failure to provide altemative room cooling 0.002 4 to RCIC room RFWHUMN-1A-H3LL Failure to use RFW to controllevel 0.034 following turbine trip RHRHUMNMKIIFLOO Failure to flood contamment 0.09 D

RHRHUMNSP-COOLL Failure to bnng the RHR system into the 1.0E-5 (trans) suppression-pool cooling mode 3.0E-5 (LOCA)

RHRHUMNSWCRTIEL Failure to cross-tie SW to RHRloop B 01 (SBO)

L 1.0 (trans) l l

26 i

\

n.

WNP 2 Final TER,12/9/96 RPTHUMN-RPTH3LL Failure to initiate RPT manually 1.0 SLCHUMN20 MINUTE Failure to initiate SLC in 20 minutes during 0.035 S MSIV-closure ATWS .

SLCHUMN40 MINUTE Failure to initiate SLC in 40 minutes during 0.025 S MSIV-closure ATWS VENTFAIL Failure to vent containment 0.06 ZM Failure to open MSIVs to recover PCS 8.0E-3 Nota: *- In the response to NRC's RAI, question 4, the licensee indicates that this event '

is no longer considered a failure mode of RCIC and will be deleted from the PRA models.- (It is not clear how this event differs from event RCIHUMNRCOLH3LL.)

i l

2 i

i S

I i

27 l 4

PN

~~gw WNP 2 FinalTER,12/9/96 REFERENCES A. D. Swain," Accident Sequence Evaluation Program Human Reliability

[1]

Analysis Procedure," Sandia National Laboratories, Albuquerque, NM NUREG/CR-4772, February 1987.

U. S. NRC," Individual Plant Examination for Severe Accident Vulnerabilities,"

[2]

Generic Letter GL 88-20, Washington, D.C., November 23 1988.

A l

i 28 L

'i .,

ML20138J839

Text

SUMMARY

SUMMARY

Navigation menu

Search