ML20140B652
| ML20140B652 | |
| Person / Time | |
|---|---|
| Site: | Clinton |
| Issue date: | 04/11/1996 |
| From: | Swanson P CONCORD ASSOCIATES, INC. |
| To: | NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| Shared Package | |
| ML20140B649 | List: |
| References | |
| CA-TR-95-019-43, CA-TR-95-19-43, NUDOCS 9703200206 | |
CONCORD ASSOCIATES, INC.
Systems Performance Engineers

CA/TR-95-019-43

CLINTON POWER STATION TECHNICAL EVALUATION REPORT ON THE IPE SUBMITTAL
HUMAN RELIABILITY ANALYSIS
FINAL REPORT

by P.J. Swanson

Prepared for U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research, Division of Systems Technology

Final Report, April 11, 1996

Contract No. NRC-04 91-069, Task Order No. 43

11915 Chevio:Dr., Herndon, VA 22070, (703) 318-9262
725 Pellissippi Parkway, Knoxville, TN 37932, (423) 675-0930
6201 Pickens Lake Dr., Acworth, GA 30101, (404) 917-0690
TABLE OF CONTENTS

E. EXECUTIVE SUMMARY
  E.1 Plant Characterization
  E.2 Licensee IPE Process
  E.3 Human Reliability Analysis
    E.3.1 Pre-Initiator Human Actions
    E.3.2 Post-Initiator Human Actions
  E.4 Generic Issues and CPI
  E.5 Vulnerabilities and Plant Improvements
  E.6 Observations
1. INTRODUCTION
  1.1 HRA Review Process
  1.2 Plant Characterization
2. TECHNICAL REVIEW
  2.1 Licensee IPE Process
    2.1.1 Completeness and Methodology
    2.1.2 Multi-Unit Effects and As-Built, As-Operated Status
    2.1.3 Licensee Participation and Peer Review
  2.2 Pre-Initiator Human Actions
    2.2.1 Pre-Initiator Human Actions Considered
    2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions
    2.2.3 Screening Process for Pre-Initiator Human Actions
    2.2.4 Quantification of Pre-Initiator Human Actions
  2.3 Post-Initiator Human Actions
    2.3.1 Types of Post-Initiator Human Actions Considered
    2.3.2 Process for Identification and Selection of Post-Initiator Human Actions
    2.3.3 Screening Process for Post-Initiator Actions
    2.3.4 Quantification of Post-Initiator Human Actions
      2.3.4.1 Consideration of Plant-Specific Factors for Response Actions
      2.3.4.2 Consideration of Timing
      2.3.4.3 Consideration of Dependencies for Post-Initiator Human Actions
      2.3.4.4 Quantification of Recovery Actions
      2.3.4.5 Treatment of Operator Actions in the Internal Flooding Analysis
      2.3.4.6 Treatment of Operator Actions in the Level 2 Analysis
      2.3.4.7 GSI/USI and CPI Recommendations
  2.4 Vulnerabilities, Insights and Enhancements
    2.4.1 Vulnerabilities
    2.4.2 IPE Insights Related to Human Performance
    2.4.3 Human-Related Enhancements
3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS
4. DATA SUMMARY SHEETS
REFERENCES
E. EXECUTIVE SUMMARY

This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Clinton Power Station (CPS) Individual Plant Examination (IPE) submittal from Illinois Power (IP) to the U.S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staff in their evaluation of the IPE and conclusion regarding whether the submittal meets the intent of Generic Letter 88-20.
E.1 Plant Characterization

The CPS is a single unit, BWR-6 with a Mark III containment. The unit is rated at 2894 Mwt and 933 Mwe (net). Plant commercial operation began in April 1987. The NRC front-end reviewer identified several CPS design features that influence core damage frequency (CDF) relative to other BWR-6 plants, these being, (1) a four-hour battery lifetime, (2) the ability of emergency core cooling system (ECCS) pumps to operate with a saturated suppression pool, and (3) the ability to cross-connect the fire protection system for core injection. Operator actions identified in the IPE as having the greatest effect on core CDF deal with: (1) manual reactor depressurization, (2) recovery of off-site power and diesel generators, and (3) manual back-up to the automatic start of the shutdown service water pumps.
E.2 Licensee IPE Process

The CPS IPE was a Level 2 PRA and considered operator actions in both the Level 1 and Level 2 analysis. The HRA process addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). Pre-initiator actions considered included both restoration (misalignment) errors and miscalibration. Post-initiator actions (human interactions) included both response-type and recovery-type actions. The primary HRA techniques employed to quantify human error included the Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plants for the screening process and the Accident Sequence Evaluation Program (ASEP) HRA procedure for detailed HRA. Several different methods were used to quantify recovery action probabilities. Significant component failure basic events were quantified by using the results of Edison Power Research Institute (EPRI) RP-3000-34, "Faulted Systems Recovery Experience." Off-site power recovery was based on NUREG-1032, "Evaluation of Station Blackout Accidents at Nuclear Power Plants" and manual initiation of Emergency Core Cooling Systems (ECCS) recovery actions used the methodology from IDCOR Technical Report 86,3B1, "Individual Plant Examination Methodology for Boiling Water Reactors." Recovery actions were considered in both Level 1 and Level 2 analysis. Plant-specific factors were considered in both pre-initiator and post-initiator analyses. Human errors were identified as significant contributors in accident sequences leading to core damage and radionuclide release, and human-performance-related insights and/or possible enhancements were identified for future consideration. Licensee personnel with knowledge of plant design, operations and maintenance appear to have had significant involvement in the HRA process. Their efforts were supported by consultants from the IPE Partnership (IPEP) made up of Tenera, L.P., Fauske and Associates, Inc., and Westinghouse Electric Corporation. Procedure reviews, involvement of operations staff, and plant walkdowns helped assure that the IPE represented the as-built, as-operated plant. Two levels of independent review performed by in-house staff with some expert consultant assistance helped to assure appropriate use of HRA techniques. Those actions identified by the NRC front-end and back-end reviewers as important were included in the licensee's consideration of human action basic events.
E.3 Human Reliability Analysis

E.3.1 Pre-Initiator Human Actions.

The CPS HRA addressed human errors in maintenance, test and surveillance, and calibration by incorporating human error into the systems analysis (fault trees) as a specific cause for system unavailability. Both restoration (realignment of equipment after maintenance, test or calibration) and calibration of instrumentation were addressed. The process used by the analyst to identify human events involving restoration and miscalibration of instrumentation was based on the identification of those events modeled in the fault trees which can have a significant effect on systems, trains, or components. There are approximately 131 pre-initiator events included in the CPS models. The HRA analyst reviewed the fault trees from systems analysis to identify pre-initiator human events. Although not specifically discussed in the IPE HRA section, the licensee made reference in IPE Section 2.4 to detailed procedure reviews (including maintenance and testing procedures), discussions with appropriate plant personnel, and the review of other similar plant PRAs.

The analyst assigned screening probabilities for all events explicitly modeled. Screening HEPs were derived through what the licensee calls an "abbreviated" adaptation of the THERP methodology. The analysts first applied a qualitative screening model to eliminate human events that would be unlikely to occur based on system/component design features. In addition, quantification results were examined to ensure that sequences were not being dropped artificially. Our observation from the review of the detailed analysis is that the analyst properly applied the dependency model from THERP in their assessment process.

Accident sequence truncation took place more than four orders of magnitude below the CDF; therefore the licensee concluded there would be little risk of losing significant accident sequences, even if the HEP estimates were non-conservative by an order of magnitude. No pre-initiator human errors were found to have sufficient significance to warrant selection for detailed HRA.

If a realistic understanding of the potential impact of pre-initiator human error on plant risk is to be gained, it is important that the HRA include a reasonably rigorous assessment of these plant-specific factors and dependencies. In general, this assessment involves thorough examination of actual plant operational practice in maintenance, test and surveillance. The licensee's limited consideration of plant-specific influences in the determination of HEPs for pre-initiators is viewed as a limitation in their analysis. However, the identification of human events and assignment of screening HEPs appear reasonably complete. The screening values used in the quantification of sequence cutsets are generally conservative with respect to other PRAs we have reviewed.
E.3.2 Post-Initiator Human Actions.

The CPS HRA considered response and recovery types of actions in the assessment of post-initiator contribution to CDF. Of particular note is the large number of recovery factors credited in the Level 2 analysis, which is not typical of most PRAs. The assessment of post-initiators was conducted by a team of individuals with operating experience, systems engineering, and human reliability expertise. The process used in the Level 1 analysis to identify and select post-initiator human events involved detailed examination of system descriptions, system design and performance characteristics, examination of emergency procedures and guidelines, operator interview, talk-throughs, and walk-throughs to understand how the plant would respond to an initiating event, how the operators would respond to an event which would activate use of abnormal or emergency procedures and could otherwise lead to a safety system challenge, what would be the most likely plant response to an initiating event, and what would be involved in the [illegible] recovery of failed systems. A similar process is said to have been used to identify and select restoration or recovery actions for functions important to the mitigation of accident scenarios. The analyst assigned screening probabilities for all events explicitly modeled. Screening HEPs were derived using the THERP methodology. It appears the process used by CPS HRA included a reasonable screening process for selection of human events for detailed HRA.

The CPS IPE included approximately 55 post-initiator human events in the HRA. The majority of these events were applied to cutsets at their screening value. Six events were selected for quantification using detailed HRA. The ASEP procedure was used to calculate the error probability for those events selected for detailed HRA. The error probabilities were derived by considering performance shaping factors (PSFs) that influence the likelihood of error, time available and time required to perform the action, and dependencies which influence performance of the action. The licensee's process for treating PSFs, timing, and dependency was generally consistent with the recommendations of the methodologies selected. Seven performance shaping factors adapted from a concise formula described in Chien, S.H., Dykes, A.A., Stetkar, J.W., & Bley, D.C., "Quantification of Human Error Rates Using a SLIM-Based Approach," Proceedings of the IEEE Fourth Conference on Human Factors and Power Plants, pp. 297-302, June 5-9, 1988 were used in the detailed HRA.

Assessment of these PSFs for each human action began with a detailed task analysis. Once the HRA analysts had completed the task analysis, the completed PSFs were reviewed by an operating crew as well as operations training instructors.

Determination of timing involved walkdowns of in-plant equipment for locations outside the main control room, and operator and training instructor's estimates for actions performed inside the main control room. Based on our review of the submittal and the examples provided in response to an NRC RAI, we consider this a reasonable approach for estimating operator action timing. One exception was the treatment of time for repair or restoration of components related to recovery actions. Here the recovery failure probabilities were based on the results from EPRI RP-3000-34, "Faulted Systems Recovery Experience." Failure to consider CPS-specific factors in repair or restoration of components is considered a possible limitation in the licensee's analysis. The licensee responded to a conference call inquiry by saying that both a licensed operator and senior maintenance person were involved in the subjective evaluation. However, it is our observation from the discussion that the process was rather informal, lacking a systematic structure needed to ensure that all obstacles which could interfere with successful accomplishment of tasks would be identified. The overall impact of this limitation on the calculated radioactive release frequency is a back-end issue. Typically, credit for this type of recovery action is not taken in PRAs because of the great deal of uncertainty associated with varied failure mechanisms and performance of maintenance. Taking credit for these types of recovery actions results in lowering containment release projections and is generally discouraged without rigorous plant-specific assessment similar to that given post-initiator response and other types of recovery actions considered.
E.4 Generic Issues and CPI

The licensee's consideration of generic safety issues (GSIs) and containment performance improvements (CPI) recommendations is the subject of the front-end review and back-end review, respectively. CPS considered human error in their analysis of the Decay Heat Removal USI. The IPE DHR discussion mentions only one operator action as a significant contributor, namely, "DC load shedding not successful." However, the discussions on systems important to DHR include several additional operator response/recovery actions that are important to success. All DHR events appear to have been considered in the licensee's HRA and several DHR-related human actions are included in CPS's list of major HRA events based on sensitivity analysis.

CPI-related issues identified by the back-end reviewer include harden vent system, implementation of Revision 4 of the BWR Owners Group EPGs, alternate injection water supply (Fire Protection System), hydrogen ignitor backup power, and enhanced depressurization reliability (backup air supply for the ADS). Each of these areas is addressed in the CPS HRA.
E.5 Vulnerabilities, Insights and Enhancements

The licensee references the guidance from Appendix 2 of Generic Letter 88-02, in defining vulnerability. The criteria used to determine if vulnerabilities exist were:

1) Are there any new or unusual means by which core damage or containment failure occur as compared to those identified in other probabilistic risk assessments (PRAs)?

2) Do the results suggest that the CPS core damage frequency would not be able to meet the Nuclear Regulatory Commission's safety goal for core damage?

3) Are there any systems, components, or operator actions that control the core damage result (i.e., greater than 90%)?

No vulnerabilities were identified by the licensee using these criteria. However, one human action, namely "failure to depressurize," appears to meet the first criterion for a higher contribution to CDF than typically seen in other BWR PRAs (even with a fairly low HEP value of 5.0E-04.) The licensee said that failure to depressurize did not represent a vulnerability at CPS because manual initiation of ADS was the only depressurization method considered. If alternate depressurization methods were credited (as typical of other IPEs), contribution to risk would be reduced. The licensee's review of the depressurization event, as reported in their response to an NRC request, appears to have been thorough. Included was a comprehensive validity check of PSF ratings by a review group consisting of six operating crew members and two instructors, with the training simulator available as a discussion aid.

It is our opinion from review of the documentation that the licensee took the necessary steps to assure a reasonable assessment for vulnerability.
E.6 Observations

The following observations from our document-only review are pertinent to NRC's determination of whether the licensee's submittal meets the intent of Generic Letter 88-20:

The submittal and supporting documentation indicates that utility personnel were involved in the HRA, and that the walkdowns and documentation reviews constituted a viable process for confirming that the HRA portions of the IPE represent the as-built, as-operated plant.

Additionally, the licensee performed an in-house peer review that provides some assurance that the HRA techniques have been correctly applied and that documentation is accurate.

The licensee's analysis of pre-initiator human actions was appropriate in scope in that it considered both calibration and restoration errors, and used a reasonable process to identify and select pre-initiator errors to be included in the model. The quantification process used for the pre-initiator HRA was essentially a "generic" assessment with limited plant-specific evaluation. This generic approach limits the opportunity for the licensee to identify and understand factors influencing human performance in pre-initiator events. However, the process applied to identify human events and assign screening HEPs appears reasonably complete. The screening values used in the quantification of sequence cutsets are generally conservative with respect to values reported in many other PRAs.

The post-initiator HRA addressed both response-type and recovery-type actions. The process for identification and selection of post-initiator human actions included review of procedures and discussion with plant operations and training staff. The licensee used a numerical screening process to eliminate events of low importance from the analysis. The screening values and sequence cutoff value used were unlikely to have eliminated important actions/sequences. Based on these findings, it is our judgment that the post-initiator HRA employed a process for identification, selection, qualitative screening, and quantitative screening that provided reasonable assurance that the important post-initiator actions were identified and included in the IPE model. A majority of the post-initiator human events considered were applied to cutsets at their THERP-based screening value. Six events were selected for detailed HRA based on a sensitivity analysis. The ASEP procedure was used to quantify post-initiator response-type actions selected for detailed HRA. The analysts appear to have performed quantification consistent with the ASEP procedure. Plant-specific performance shaping factors, timing and dependencies were treated consistent with the general approach recommended in the ASEP procedure.

Recovery failure probabilities for significant component failure basic events in Level 2 analysis were determined using generic results from EPRI RP-3000-34, "Faulted Systems Recovery Experience." The licensee's failure to consider CPS-specific factors in repair or restoration of components in Level 2 analysis is considered a limitation in the IPE. The overall impact of this limitation on the calculated radioactive release frequency is a back-end issue. Typically, credit for this type of recovery action is not taken in PRAs because of the great deal of uncertainty associated with varied failure mechanisms and performance of maintenance. Taking credit for this type of recovery action results in lowering containment release projections and is generally discouraged without rigorous plant-specific assessment similar to that given post-initiator response and other types of recovery actions considered.

The licensee identified operator actions important to risk by performing importance calculations (Fussell-Vesely) and sensitivity studies. A systematic process was used to screen for vulnerabilities and identify potential enhancements. No vulnerabilities were identified. However, the process did identify several human-performance-related (training and procedures) enhancements expected to reduce the likelihood of human error, and consequently reduce the estimated CDF. These human-performance enhancements have been implemented at the CPS through requalification training and procedure modifications.
1. INTRODUCTION

This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Clinton Power Station (CPS) Individual Plant Examination (IPE) submittal from Illinois Power (IP) to the U.S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staff in their evaluation of the IPE and conclusion regarding whether the submittal meets the intent of Generic Letter 88-20.

1.1 HRA Review Process

The HRA review was a "document-only" process which consisted of essentially four steps:

(1) Comprehensive review of the IPE submittal focusing on all information pertinent to HRA.

(2) Preparation of a draft TER summarizing preliminary findings and conclusions, noting specific issues for which additional information was needed from the licensee, and formulating requests to the licensee for the necessary additional information.

(3) Review of preliminary findings, conclusions and proposed requests for additional information (RAIs) with NRC staff and with front-end and back-end reviewers.

(4) Review of licensee responses to the NRC requests for additional information, and preparation of this final TER modifying the draft to incorporate results of the additional information provided by the licensee.

Findings and conclusions are limited to those that could be supported by the document-only review. No visit to the site was conducted. It was not possible, and it was not the intent of the review, to reproduce results or verify in detail the licensee's HRA quantification process.

1.2 Plant Characterization

The CPS is a single unit, BWR-6 with a Mark III containment. The unit is rated at 2894 Mwt and 933 Mwe (net). Plant commercial operation began in April 1987. The NRC front-end reviewer identified several CPS design features that influence core damage frequency (CDF) relative to other BWR-6 plants, these being, (1) a four-hour battery lifetime, (2) the ability of emergency core cooling system (ECCS) pumps to operate with a saturated suppression pool, and (3) the ability to cross-connect the fire protection system for core injection. Operator actions identified in the IPE as having the greatest effect on core CDF deal with: (1) manual reactor depressurization, (2) recovery of off-site power and diesel generators, and (3) manual back-up to the automatic start of the shutdown service water pumps.
2. TECHNICAL REVIEW

2.1 Licensee IPE Process

2.1.1 Completeness and Methodology.

The CPS IPE was a Level 2 PRA and considered operator actions in both the Level 1 and Level 2 analysis. The HRA process addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). Pre-initiator actions considered included both restoration (misalignment) errors and miscalibration. Post-initiator actions (human interactions) included both response-type and recovery-type actions. The primary HRA techniques employed to quantify human error included the "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plants" (Reference 1) for screening and the "Accident Sequence Evaluation Program (ASEP)" procedure (Reference 2) for detailed HRA. Several different methods were used to quantify recovery action probabilities. Significant component failure basic events were determined by using the Edison Power Research Institute (EPRI) RP-3000-34, "Faulted Systems Recovery Experience." Off-site power recovery was based on NUREG-1032, "Evaluation of Station Blackout Accidents at Nuclear Power Plants" (Reference 3) and manual initiation of Emergency Core Cooling Systems (ECCS) recovery actions used the methodology from IDCOR Technical Report 86,3B1, "Individual Plant Examination Methodology for Boiling Water Reactors" (Reference 5). Recovery actions were considered in both Level 1 and Level 2 analysis. Plant-specific factors were considered in both pre-initiator and post-initiator analyses. Human errors were identified as significant contributors in accident sequences leading to core damage, and human-performance-related insights and/or possible enhancements were identified for future consideration. Individuals from the licensee's staff with knowledge of plant design, operations and maintenance appear to have had significant involvement in the HRA process. Their efforts were supported by consultants from the IPE Partnership (IPEP) made up of Tenera, L.P., Fauske and Associates, Inc., and Westinghouse Electric Corporation. Procedure reviews, involvement of operations staff, and plant walkdowns helped assure that the IPE represented the as-built, as-operated plant. Two levels of independent review performed by in-house staff with some expert consultant assistance helped to assure appropriate use of HRA techniques. Those actions identified as important by the NRC front-end and back-end reviewers were included in the licensee's consideration of human action basic events.
2.1.2 Multi-Unit Effects and As-Built, As-Operated Status.

Clinton is a single unit site; multi-unit effects are not an issue.

Information on licensee actions to assure that the IPE represents the as-built, as-operated plant is provided in Section 2.4 "Information Assembly" of the submittal. IPE Section 2.4 contains a brief summary of major plant design features and key plant safety features and safety systems. CPS's evaluation included an extensive review of the NRC risk study performed on Grand Gulf, another BWR-6 plant. Additionally, other PRAs and industry studies were said to have been reviewed to compare detailed system models, common cause failures, human actions, and support system dependencies. Applicable information collected by the Boiling Water Reactor Owners Group (BWROG) IPE subcommittee was also reviewed to identify potentially significant dependencies and insights found at any of the BWR-6 plants. The Kuosheng Nuclear Station Unit 1 PRA is specifically referenced as one of the BWROG data sources.

A listing is provided in the submittal (Section 2.4.3) of the plant documents (and some generic industry sources) used in the information assembly and plant familiarization phase, and of the general type of information taken from each source. The submittal notes that the IPE Team was located at the plant site and therefore had ready access to plant systems, to systems engineers, to operators, and to the plant simulator to verify accuracy of the documentation used.

Section 2.4.4 of the IPE provides a discussion of walkdowns conducted throughout the IPE to verify system information accuracy, identify spatial or unusual characteristics of individual components or their locations, and identify potential recovery actions. Specific walkdowns mentioned include:

- General system walkdowns as necessary to answer specific questions as they arose.
- A human reliability analysis walkdown.
- Simulator walkdowns (during operator training exercises and non-training environments).
- An internal flooding walkdown (including Interfacing Systems LOCA effects).

The noting of a walkdown conducted specifically for human error analysis was a positive sign from the perspective of the HRA analysis. The walkdown included the CPS analyst and an HRA consultant.

The listing of documents, the brief statements on verification approach, and the comments on the walkdowns suggest that the licensee had a reasonably thorough approach to assuring that the IPE represented the as-built, as-operated plant.
j 2.1.3 I ken-Particination and Peer Review.
The NRC's review of the submittal attempts to detennine whether the utility personnel were involved in the development and application of PRA techniques to their facility, and that the associated walkdowns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built and as-operated plant.
3 i
- -,.~,
w.
l IP Nuclear Station Engineering depanment was responsible for the IPE effort and all IPE team members were from this depanment. Included in the IPE team were two individuals h'olding active qualifications for performing shift duties in the main control room, one Senior Reactor Operator and ore Shift Technical Advisor. Individuals from Licensing and Safety, Plant Staff, Quality Assurance, and Nuclear Training depanments were used to suppon the IPE effon.
Multiple "in-house" peer reviews provided some assurance that the IPE analytic techniques were correctly applied and that documentation was accurate. These include:
Systems Engineering Review - Review of each system model, including the fault tree and narrative, to ensure that the system was accurately modeled.
IPE Independent Review Team (IIRT) - An independent senior level review by experienced IP personnel. This review focused on accurate representation of CPS design, operating history, operator response, maintenance and surveillance schedules, and recovery actions in the IPE.
Senior Management Review Team (SMRT) - Oversight review of the IPE process and results.
Engineering Assurance Review - On-site group reviewed IPE program compliance with applicable instructions and procedures, including documentation techniques.
Besides the "in-house" reviews, IP's consultants functioned to support the review process in four ways:
- 1) Assisted in assuring correct and consistent implementation and interpretation of PRA guidance as applied to Clinton.
- 2) Provided training to the IPE group and assisted the IP technical lead with training for the review groups.
- 3) Provided an IPEP Senior Management Support Team to provide a quasi-independent review of the IPE.
It is our observation that the process as applied appears capable of assuring the analyses adequately reflect the as-built, as-operated plant to the degree that the models incorporate factors associated with the plant's design and operation.
2.2 Pre-Initiator Human Actions
Errors in performance of pre-initiator human actions (i.e., actions performed during maintenance, testing, etc.) may cause components, trains, or entire systems to be unavailable on demand during an accident, and thus may significantly impact plant risk. Our review of the HRA portion of the IPE examines the licensee's HRA process to determine what consideration was given to pre-initiator human actions, how potential actions were identified, the effectiveness of quantitative and/or qualitative screening process(es) employed, and the processes for accounting for plant-specific performance shaping factors, recovery factors, and dependencies among multiple actions.
2.2.1 Pre-Initiator Human Actions Considered.
The CPS HRA addressed human errors in maintenance, test and surveillance, and calibration by incorporating human error into the systems analysis (fault trees) as a specific cause for system unavailability. Both restoration errors (realignment of equipment after maintenance, test or calibration) and errors in the calibration of instrumentation were assessed.
2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions.
The key concerns of the NRC staff review regarding the process for identification and selection of pre-initiator human events are: (1) whether maintenance, test and calibration procedures for the systems and components modeled were reviewed by the systems analyst(s), and (2) whether discussions were held with appropriate plant personnel (e.g., maintenance, training, operations) on the interpretation and implementation of the plant's test, maintenance and calibration procedures to identify and understand the specific actions and the specific components manipulated when performing the maintenance, test, or calibration tasks. The process used by the analyst to identify human events involving restoration and miscalibration of instrumentation was based on the identification of those events modeled in the fault trees which can have a significant effect on systems, trains, or components. There are approximately 131 pre-initiator events included in the CPS models.
The HRA analyst reviewed the fault trees from systems analysis to identify candidate pre-initiator human events. Although not specifically discussed in the IPE HRA section, the licensee made reference to detailed procedure reviews (including maintenance and testing procedures), discussions with appropriate plant personnel, and the review of other similar plant PRAs in IPE Section 2.4.
IPE Section 3.3.3.1.1 cites two criteria for eliminating restoration errors from further consideration. These were:
- 1) If provisions exist for automatic override of the system to the required configuration when an initiating event occurs, the restoration error is eliminated from the fault tree.
- 2) If the system is normally manually started and the steps required to start the system include the necessary lineups, then the improper restoration error is not included.
For the miscalibration of instrumentation, if events had very little effect on a system, then no human event was included. The human event was eliminated if the maintenance/testing does not disable the system or if the system automatically realigns to perform its safety function. However, because of the number and variety of procedures contained within each event, no event was eliminated for these reasons alone.
A transmitter miscalibration basic event was included in the ECCS initiation fault trees for each level transmitter modeled. A HEP value of 3.0E-03 was used for all of the reactor level transmitters modeled in the ECCS initiation fault trees. This HEP was used since the maintenance procedures include steps for component status verification as part of the restoration process. Two reactor water level transmitters were modeled in each division for division one and division two initiator circuitry. Four reactor water level transmitters were modeled for the division three circuitry. For the ATWS initiation circuitry, there were four reactor level transmitters modeled, two for each channel. As mentioned before, each transmitter modeled had a miscalibration event included in the system fault tree model. Transmitter miscalibration basic events were also modeled for pressure transmitters that are part of the divisional initiation circuitry.
2.2.3 Screening Process for Pre-Initiator Human Actions.
The CPS HRA used the same screening process for pre- and post-initiator human events. Following identification and modeling of human actions in the system fault trees the analyst assigned screening probabilities for those events explicitly modeled. The screening HEPs were derived through what the licensee calls an "abbreviated" adaptation of the THERP methodology. The analysts first applied a qualitative screening model to eliminate pre-initiator human events that would be unlikely to occur based on system/component design features. If a test or maintenance activity does not disable the system or component or if the system/component automatically realigns, the event was eliminated from further consideration. For the remaining human events, if the procedure, test, or calibration activity included steps for component status verification, a HEP of 3.0E-03 was assigned, otherwise a value of 1.0E-02 was assigned. In addition, quantification results were examined to ensure that sequences were not being dropped artificially. Accident sequence truncation took place more than four orders of magnitude below the CDF; therefore the licensee concluded there would be little risk of losing significant accident sequences, even if the HEP estimates were non-conservative by an order of magnitude.
Following quantification of core damage sequences using the screening values the analyst reviewed the results to determine the most significant human actions for detailed HRA.
The process used to select human actions for more detailed analysis included:
were derived through more detailed analysis (Fussell-Vesely value 0.1 or greater).
The screening value HEPs used for many events were upper bound estimates based on conservative assumptions about operator actions. A more detailed analysis has the potential to lower the HEP estimates significantly, as more realistic assumptions could be utilized. Those events whose HEPs would lead to a significant reduction in the core damage frequency were included for detailed HRA.
- 2) The core damage sequence results were examined to see if potentially non-conservative HEP estimates for any operator actions could have led to inappropriately optimistic sequence quantification results. NUREG-1335, the guidance document for IPE submittal, specifies that any significant operator "recovery" actions modeled in the IPE be reported (Recovery actions in this context were interpreted by the licensee to mean all post-initiator human actions). Specifically, low-probability human actions must be reported that cause sequences to fall below the IPE threshold of 1.0E-06 per year. Consequently, human actions that have a significant potential to increase the frequency of sequences from below 1.0E-06 per year were included in the detailed HRA.
To assess if human actions fit either of these two criteria, the sensitivity of core damage frequency to changes in HEPs was evaluated. The magnitude of the change in each HEP used in these sensitivity studies depended on the magnitude of the screening HEP and the likely effect on the HEP of the detailed HRA. This magnitude of change was estimated based on engineering judgement. In each sensitivity study, the IPE models were requantified using the changed HEP for each human action and a new core damage frequency was calculated. If the sensitivity study resulted in a significant reduction in CDF, then the human action was included in the detailed HRA under the first criterion. If the sensitivity study resulted in a significant increase in core damage frequency for sequences under 1.0E-06, then the human action was included in the detailed HRA under the second criterion. Human actions were included if the change in CDF in the sensitivity study exceeded 5.0E-06 per year. Five human actions were chosen under the first criterion and one action (initiate SLC) was chosen under the second criterion. All six of these human actions selected for detailed HRA were of the post-initiator type. No pre-initiator human errors were found to have sufficient significance to warrant selection for detailed HRA.
Table 2.2-1 presents the results of the sensitivity analysis for pre-initiator human events analyzed.
Table 2.2-1, Pre-Initiator Human Event HRA Sensitivity Analysis Results

| SCREENING HEP | OPERATOR ACTION | CHANGE IN CDF | DETAILED HRA | FINAL HEP |
|---|---|---|---|---|
| 3.0E-03 | HPCS system improperly restored from maintenance | 4.5E-06 | No | Screening |
| 3.0E-03 | Miscalibration of HPCS flow transmitter | -2.0E-06 | No | Screening |
| 3.0E-03 | Common cause miscalibration of RCIC tank level transmitter | 4.5E-06 | No | Screening |
| 3.0E-03 | Div 2. Failure to properly restore from maintenance | = 2.0E-06 | No | Screening |
| 3.0E-03 | Failure to restore SX Division IA after maintenance | = 1.0E-06 | No | Screening |
| 3.0E-03 | Failure to restore SX Division 2 after maintenance | = 1.0E-06 | No | Screening |
| 3.0E-03 | Failure to restore SX Division 3 after maintenance | = 1.0E-06 | No | Screening |
| 3.0E-03 | Room cooler IVH07SA improperly restored from maintenance | = 1.0E4 | No | Screening |
| 3.0E-03 | Room cooler IVH07SB improperly restored from maintenance | = 1.0E-06 | No | Screening |
| 3.0E-03 | Room cooler IVH07SC improperly restored from maintenance | = 1.0E-06 | No | Screening |
| 3.0E-03 | Room cooler IVYO8SA improperly restored from maintenance | 4.5E-06 | No | Screening |

2.2.4 Quantification of Pre-Initiator Human Actions.
The probability of error in performing pre-initiator human errors can vary substantially (up or down) from "generic" estimates because of plant-specific factors affecting human performance, practical "recovery factors" that exist due to plant design features or operational practice, or dependencies among multiple restoration/miscalibration tasks that may exist as a result of "systemic," but perhaps subtle, human performance problems in training, procedures, etc. If the licensee is to gain a realistic understanding of the potential impact of pre-initiator human error on plant risk, it is important that the HRA include a reasonably rigorous assessment of these plant-specific factors and dependencies. In general, this assessment involves thorough examination of actual plant operational practice in maintenance, test and surveillance.
The licensee's limited consideration of plant-specific influences during the determination of HEPs for pre-initiators is viewed as a limitation in their analysis. However, the identification of human events and assignment of screening HEPs appear reasonably complete. The screening values used in the quantification of sequence cutsets are generally conservative with many other PRAs we have reviewed.
2.3 Post-Initiator Human Actions
Human errors in responding to an accident initiator, e.g., by not recognizing and diagnosing the situation properly, or failure to perform required activities as directed by procedures, can have a significant effect on plant risk. These errors are called post-initiator human errors. Our review assesses the types of post-initiator errors considered by the licensee, and evaluates the processes used to identify and select, screen, and quantify post-initiator errors, including issues such as the means for evaluating timing, dependencies among human actions, and other plant-specific performance shaping factors.
2.3.1 Types of Post-Initiator Human Actions Considered.
There are two important types of post-initiator actions considered in most nuclear plant PRAs: (1) response actions, which are performed in response to the first level directives of the emergency operating procedures/instructions (EOPs, or EOIs), and, (2) recovery actions, which are performed to recover a specific failure or fault, e.g., recovery of off-site power or recovery of a front-line safety system that was unavailable on demand earlier in the event. The CPS HRA considered both types of actions in the treatment of post-initiator contribution to CDF. Of particular note is the large number of recovery factors credited in the Level 2 analysis, which is not typical of most PRAs.
2.3.2 Process for Identification and Selection of Post-Initiator Human Actions.
The primary thrust of our review related to this question is to assure that the process used by the licensee to identify and select post-initiator actions is systematic and thorough enough to provide reasonable assurance that important actions were not inappropriately precluded from examination. Key issues are whether: (1) the process included review of plant procedures (e.g., emergency/abnormal operating procedures or system instructions) associated with the accident sequences delineated and the systems modeled, and, (2) discussions were held with appropriate plant personnel (e.g., operators or training staff) on the interpretation and implementation of plant procedures to identify and understand the specific actions and the specific components manipulated when responding to the accident sequences modeled.
The identification and selection of post-initiator actions were accomplished using a five-step process. The elements of the process include:
- 1) The functions and systems needed to prevent core damage and/or containment failure were identified for each accident initiator. Identification of accident initiators included reviews of CPS and industry data.
- 2) The supporting systems needed by the essential front line systems identified in step 1 were determined.
- 3) The human actions needed to successfully accomplish the initiation and operation of the system(s) or function(s) were then determined.
- 4) The accident sequences and system functions were modeled to establish the time available for actions.
- 5) The accident sequences were quantified and sensitivity studies performed to select important human actions for detailed HRA.
The assessment process was conducted by a team of individuals with operating experience, systems engineering, and human reliability expertise. The process used involved detailed examination of system descriptions, system design and performance characteristics, examination of emergency procedures and guidelines, operator interview, talk throughs, and walk throughs to understand how the plant would respond to an initiating event, how the operators would respond to an event which would activate use of abnormal or emergency procedures and could otherwise lead to a safety system challenge, what would be the most likely plant response to an initiating event, and what would be involved in the attempted recovery of failed systems. A similar process is said to have been used to identify and select restoration or recovery actions for functions important to the mitigation of accident scenarios.
2.3.3 Screening Process for Post-Initiator Response Actions.
The screening process used to evaluate post-initiator human error is the same as the process used to screen pre-initiator human events. See Section 2.2.3 of this report for details of the screening process. Table 2.3-1 presents the results of the sensitivity analysis for post-initiator human events analyzed.
Table 2.3-1, Post-Initiator Human Event HRA Sensitivity Analysis

| SCREENING HEP | OPERATOR ACTION | CHANGE IN CDF | DETAILED HRA | FINAL HEP |
|---|---|---|---|---|
| 8.4E-03 | Operator fails to place a Feedpump back in service | 1.1E-05 | Yes | 5.0E-04 |
| 2.8E-03 | Operator fails to manually initiate ADS | 6.1E-05 | Yes | 5.0E-04 |
| 1.0E-01 | Operator fails to restart RCIC Gland Seal Compressor | 1.7E-05 | Yes | 1.0 (b) |
| 1.0E-02 | Operator fails to initiate SLC A & B | (a) | Yes | 4.03E-04 |
| 1.0E | Common cause operator fails to manually open ISX014A, B, & C | 7.3E-06 | Yes | 2.5E-03 |
| 9.0E-01 | DC load shedding per CPS 4200.1 not successful | 1.8E-05 | Yes | 2.98E-02 |

(a) Engineering judgement used to select this event because of its significance in ATWS sequences.
(b) Subsequent analysis determined that loss of RCIC Gland Seal Compressor does not render RCIC inoperable.

The CPS HRA included what we consider a reasonable screening process for selection of human events for detailed HRA.
2.3.4 Quantification of Post-Initiator Human Actions.
The CPS IPE included approximately 55 post-initiator human events in the HRA. The majority of these events were applied to cutsets at their screening value. A total of six events were quantified using detailed HRA. The ASEP procedure was used to calculate the error probability for those events selected for detailed HRA. The analyst considered the following factors for each action in determining the HEP estimates:
- Time available to complete the action
- Procedural guidelines available for the action
- Training given to the operators on the action
- Stress associated with the action
- Potential for different operating crew members to correct mistakes.
The analyst applied a technique which includes: (1) breaking down the human action into smaller constituent actions, (2) evaluating the likelihood of errors in these individual actions; and (3) deriving the total human error probability by combining the probabilities of the individual action errors. The error probabilities were derived by considering performance shaping factors (PSFs) that influence the likelihood of error, time available and time required to perform the action, and dependencies which influence performance of the action.
Table 2.3-2, Operator Actions Selected for Detailed HRA

| BASIC EVENT | DESCRIPTION | CALCULATED HEP |
|---|---|---|
| SAS01ABSWW | Operator fails to initiate Standby Liquid Control (SLC) A & B. | 4.03E-04 |
| GADSMANSYW | Operator fails to manually initiate Automatic Depressurization System (ADS). | 5.00E-04 |
| FOPERCCSWW | Operator fails to place a Feedpump back in service. | 5.00E-04 |
| XSX14CCXVW | Common cause operator fails to manually open ISX014A, B, & C. | 2.50E-03 |
| YDCLOADSWH | Load shedding per CPS 4200.01 not successful. | 2.98E-02 |
| IXCD02FCPW | Operator fails to restart RCIC Gland Seal Compressor | 1.0 (a) |

(a) Subsequent analysis performed by licensee determined that loss of the RCIC Gland Seal Compressor does not render RCIC inoperable.

2.3.4.1 Consideration of Plant-Specific Factors for Response Actions.
Seven performance shaping factors were used in the detailed HRA analysis. The PSFs chosen for this analysis were adapted from a concise formula described in Chien, S.H., Dykes, A.A., Stetkar, J.W., & Bley, D.C., "Quantification of Human Error Rates Using a SLIM-Based Approach," Proceedings of the IEEE Fourth Conference on Human Factors and Power Plants, pp. 297-302, June 5-9, 1988. These factors are as follows:
- Complexity of operator action
- Adequacy of Time Factors
- Crew's level of knowledge, skills, training and experience
- Adequacy of guidance materials
- Characteristics of the interface
- Previous, subsequent and concurrent actions
- Stress.
Assessment of these PSFs for each human action began with a detailed task analysis. This task analysis reviewed the following aspects of each human action:
- What signals would be received from plant equipment that would direct the action to be performed? This includes compelling and confirmatory signals used both for diagnosis of the event as well as to determine how quickly the action must be performed.
- What procedures exist that describe how the action should be performed? This step examines the clarity of their guidance as well as the complexity of the action being performed.
- How the action had to be performed? This step examined conditions such as where the action had to be performed, lighting conditions in the work areas, what communications are available and whether the task must be performed in conjunction with other tasks or required multiple operators.
- How much time was available to perform the human action? This required the identification of how long the task takes to perform as well as how much time it takes for the event signals to come in and be correctly diagnosed.
- How familiar is the operator with the action to be performed? This step reviews the training the operator has received on the particular human action. This review identifies how frequently the operator is trained on the particular action. The type of training, i.e., simulation in the field, simulator or classroom lecture, is also determined.
- How many operators are available to perform post event human actions? This step identifies the minimum number and qualifications of the shift complement. It also identified which operators are available to perform individual tasks.
Once the HRA analysts had completed the task analysis, the completed PSFs were reviewed by an operating crew as well as operations training instructors. The comments and insights provided by the operations and training personnel were incorporated into the PSF
The PSFs in the detailed analysis were applied independently of the ASEP methodology that was the basis for the quantifiable failure probability estimates. The ASEP method includes adjustments for factors that are similar to the detailed HRA PSFs. The ASEP adjustments overlap with the PSFs used in the detailed analysis. In no case, however, are they identical. Generally, the PSFs used in the detailed analysis were more comprehensively defined (both individually and as a set) than the adjustment factors used by the ASEP method. The PSF scores were used as an independent, qualitative check of how likely the action's PSF would induce some kind of operator error in the context in which it is expected to occur at CPS.
The results of this check for a particular action were used in two ways: (1) to adjust the failure probability used in the IPE, for cases in which comparison of the PSF definitions suggest adjustments overlooked by ASEP, and (2) to examine more closely those actions whose PSF scores suggest that modification of their respective PSF contexts could reduce the event failure probability.
2.3.4.2 Consideration of Timing.
The analyst used the ASEP nominal procedure for post-accident tasks. Two phases of an action are "merged" into one human error probability - diagnosis and post-diagnosis actions. Diagnosis includes the "cognitive" behaviors referred to in various HRA models as detection, diagnosis, and decision making. Post-diagnostic actions may be actions inside or outside the control room. Figure 2.1 (a reproduction of Figure 6-3 from NUREG/CR-4772) illustrates the timeline relationships used in the ASEP procedure and in the CPS HRA. The HRA analyst obtains the estimate of T_m from the systems analyst, estimates T_a, the time required for post-diagnostic actions, and calculates the time available for diagnosis from the relationship:
T_d = T_m - T_a
[Figure 2.1 Time Relationships Addressed in ASEP (timeline not reproduced)]
T_0 = Annunciation (or other compelling signal) of an abnormal event.
T_m = Maximum time available for diagnosis and performance of an action following the initiating event that will prevent core damage.
T_d = Maximum time available for diagnosis which will still allow performance of the specific human action. T_d equals T_m - T_a.
T_a = Time needed to reach a particular location and perform a required action once a correct diagnosis of an initiating event has been made.
The ASEP "Nominal Diagnosis Model" provides graphical or tabulated estimates of basic HEPs for diagnosis based on the value of T_d. Values of HEPs for the post-diagnostic actions are estimated following ASEP guidance for evaluation of performance shaping factors and dependencies. The total merged HEP is the sum of the HEP for the diagnosis and the HEP(s) for the post-diagnostic action(s).
IPE Section 3.3.3.1.6 states that determination of T_a involved plant walkdowns of in-plant equipment for locations outside the main control room, and operator and training instructors' estimates for actions performed inside the main control room. Maximum time available, T_m, determination in the CPS detailed HRA is defined as T_m = T_1 - T_2 - T_3 where:
T_1 - The length of time starting at the occurrence of the accident sequence initiator and ending at the point core damage occurs without the operator action. The MAAP 3.0B code was used to determine this value. The time used for different accident sequences was the minimum value obtained for any accident sequence for which the action was required.
T_2 - The length of time starting at the occurrence of the accident sequence initiator and ending at the time when the compelling signal for the operator action is received. The MAAP 3.0B code was also used to calculate this value. However, for conservatism the licensee used the maximum value since longer times for this value reduced the time available to diagnose and perform the action. Additionally, these values were specifically reviewed for reasonability by individuals holding SRO licenses at CPS.
T_3 - The length of time required for the operator to be effective following the performance of the action. Determination of this time was based on the particular action in question. For manual depressurization of the reactor vessel, the analyst used MAAP; for initiation of SLC, the time was taken from the analysis in the CPS USAR; for load shedding manual action, the time was assumed to be instantaneous once all required DC breakers were opened.
Based on our review of the information in the submittal and examples provided in response to an NRC RAI, we consider that a reasonable approach was used for estimating operator action timing in the detailed HRA.
One exception from the process described above was the licensee's treatment of time for repair or restoration of components related to recovery actions. The recovery failure probabilities for significant component failure basic events were qualitatively selected based on results from EPRI RP-3000-34, "Faulted Systems Recovery Experience."
2.3.4.3 Consideration of Dependencies for Post-Initiator Human Actions.
The CPS HRA included consideration of dependency for response and recovery type post-initiator human errors. HEPs were adjusted for combinations of dependent events found in the core damage sequence cutsets using the procedure and formula tables from Chapter 10 of the Technique for Human Error Rate Prediction (THERP), NUREG/CR-1278. The analyst first determined the combinations of human error that occur together in sequence cutsets. These combinations were determined by initially setting all HEPs to 1.0 for potentially dependent human error events and quantifying the sequences. Five levels of dependency were employed and the following factors were considered:
- Coincidence or close proximity in time,
- Same procedure or EOP path, and
- Common diagnosis of need for operator action.
For those cutsets which had two or more dependent human actions, the dependent failure probability was inserted into the cutsets in place of the 1.0 values applied to investigate these actions. The remaining events were reset to their prior value (screening or detailed HRA as appropriate). The cutsets were then re-evaluated.
In response to an NRC RAI the licensee provided details of the analysis for dependency in the treatment of basic human events SAS01ABSWW and YATWSLVSYH (operator failure to initiate SLC together with a failure to perform ATWS level control to reduce reactor power). Our observation from the review of the detailed analysis is that the analyst properly applied the dependency model from THERP in their assessment process.
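The cutset dependency adjustment described in Section 2.3.4.3, worked through as an added Python illustration (not code from the licensee's IPE or from this review). The five conditional-HEP equations are the THERP dependence equations; the cutsets, initiator frequency, hardware event, YATWSLVSYH HEP, truncation cutoff and the "high" dependence level are constructed assumptions, and only the SAS01ABSWW value of 4.03E-04 comes from the report.

```python
from math import prod

# Conditional HEP of a later action, given failure of the preceding action,
# for the five THERP dependence levels (NUREG/CR-1278, Chapter 10).
THERP_CONDITIONAL = {
    "ZD": lambda n: n,                  # zero dependence
    "LD": lambda n: (1 + 19 * n) / 20,  # low dependence
    "MD": lambda n: (1 + 6 * n) / 7,    # moderate dependence
    "HD": lambda n: (1 + n) / 2,        # high dependence
    "CD": lambda n: 1.0,                # complete dependence
}


def quantify(cutsets, probs, cutoff):
    """Return {cutset: frequency} for cutsets at or above the truncation cutoff."""
    kept = {}
    for cs in cutsets:
        freq = prod(probs[e] for e in cs)
        if freq >= cutoff:
            kept[cs] = freq
    return kept


def dependent_combinations(cutsets, probs, human_events, cutoff):
    """Set every human-event HEP to 1.0, quantify, and return the surviving
    cutsets that contain two or more human events."""
    flagged = {**probs, **{e: 1.0 for e in human_events}}
    survivors = quantify(cutsets, flagged, cutoff)
    return [cs for cs in survivors
            if sum(e in human_events for e in cs) >= 2]


def requantify(cutsets, probs, human_events, levels, cutoff):
    """Insert the dependent failure probability into cutsets with two or more
    human events, reset all other events to their prior values, re-evaluate."""
    combos = set(dependent_combinations(cutsets, probs, human_events, cutoff))
    result = {}
    for cs in cutsets:
        if cs in combos:
            humans = [e for e in cs if e in human_events]  # order as listed
            others = [e for e in cs if e not in human_events]
            freq = prod(probs[e] for e in others) * probs[humans[0]]
            for prev, cur in zip(humans, humans[1:]):
                level = levels.get((prev, cur), "ZD")
                freq *= THERP_CONDITIONAL[level](probs[cur])
        else:
            freq = prod(probs[e] for e in cs)
        if freq >= cutoff:
            result[cs] = freq
    return result


# --- Constructed sample model (only the SAS01ABSWW HEP is from the report) ---
HUMAN_EVENTS = {"SAS01ABSWW", "YATWSLVSYH"}
PROBS = {
    "IE-ATWS": 1.0e-4,       # constructed initiator frequency (per year)
    "SAS01ABSWW": 4.03e-4,   # detailed-HRA HEP, Table 2.3-2
    "YATWSLVSYH": 1.0e-2,    # constructed HEP; not given in the report
    "PUMP-FTS": 3.0e-2,      # constructed hardware failure probability
}
CUTSETS = [
    ("IE-ATWS", "SAS01ABSWW", "YATWSLVSYH"),
    ("IE-ATWS", "SAS01ABSWW", "PUMP-FTS"),
]
LEVELS = {("SAS01ABSWW", "YATWSLVSYH"): "HD"}  # assumed dependence level
CUTOFF = 1.0e-9                                # constructed truncation value

if __name__ == "__main__":
    naive = quantify(CUTSETS, PROBS, CUTOFF)
    adjusted = requantify(CUTSETS, PROBS, HUMAN_EVENTS, LEVELS, CUTOFF)
    for cs in CUTSETS:
        print(cs, "independent:", naive.get(cs, "truncated"),
              "dependent:", adjusted.get(cs, "truncated"))
```

With these inputs the two-action cutset is truncated when the HEPs are multiplied as independent, but is retained once the HEPs are first set to 1.0 and the conditional value is inserted, which is the reason for the 1.0 pass.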
2.3.4.4 Quantification of Recovery Actions.
The HRA analyst reviewed initial sequence cutsets to assess the events which contribute most to CDF and identify potential recovery actions. Three types of recoveries of failed components were considered; these include:
- Repair and restoration of failed components, such as a pump that fails to start or a valve that fails to stroke.
- Manual initiation of systems for cases in which automatic initiation has failed and other manual system recoveries from the main control room.
- Use of alternate systems or actions, such as using Fire Protection (FP) or Control Rod Drive (CRD) as injection sources.
CPS used the following criteria to choose basic events to include in the analysis, and assign recovery times appropriate for each event. Basic human events with Fussell-Vesely importance values greater than or equal to 1.0E-02 were considered in recovery analysis. The events identified were reviewed to discard basic events related to recovery actions, flags and event tree headings, auxiliary power (except circuit breakers), maintenance or other human actions. Post-initiator recovery actions in Level 1 analysis were quantified the same as response human actions.
In the Level 2 analysis, recovery failure probabilities for significant component failure basic events were determined using generic results from Electric Power Research Institute (EPRI) RP-3000-34, "Faulted System Recovery Experience." The recovery probability for all basic events corresponds to a time of 1/2 hour except basic events related to room cooling for injection systems, namely, component type "FN" (fans) and events in the Shutdown Service Water System (SX) which supplies cooling water, where a four-hour recovery probability was used. Failure to consider CPS-specific factors in repair or restoration of components in Level 2 analysis is considered a limitation in the licensee's IPE. The nature and extent of consideration for Clinton-specific factors was sought in a telephone conference call with the licensee. The licensee said that both a licensed operator and senior maintenance person were involved in the subjective evaluation. However, it is our observation from the discussion that the process was rather informal, lacking a systematic structure needed to ensure that all obstacles which could interfere with successful accomplishment of tasks would be identified. The overall impact of this limitation on the calculated radioactive release frequency is a Back-end issue. Typically, credit for this type of recovery action is not taken in PRAs due to the great deal of uncertainty associated with varied failure mechanisms and performance of maintenance. We found no evidence to justify such a detailed process was followed. From our perspective, Clinton did not appropriately justify a basis for crediting the Level 2 recovery actions. See discussion in Section 2.3.4.6, below for additional information on the licensee's treatment of recovery actions in Level 2 analysis.
2.3.4.5 Treatment of Operator Actions in the Internal Flooding Analysis.
Contrary to what is implied in IPE Section 3.4.1.12.4, Clinton took no credit for operator actions during a flood. In response to an NRC RAI, the licensee says that although it is expected that the operator would take action in some flooding circumstances such as a Service Water System rupture, i.e., trip the WS pumps to reduce flow out of the rupture and then take steps to isolate the leak, the magnitude of this effect is uncertain, so no credit was taken.
2.3.4.6 Treatment of Operator Actions in the Level 2 Analysis.
CPS considered procedurally based response and recovery actions in containment quantification. Revision 4 of the BWROG EPGs have been incorporated in the CPS EOPs, and verification and validation studies completed. Operations personnel had completed training, including simulator, on the EOP revisions prior to submittal of the IPE. Operator recovery actions (recovery in back-end analysis included response type actions) reported in the back-end analysis are summarized below.

Power Recovery to Prevent Reactor Vessel Failure Following Core Damage. Time-phased recoveries for AC electrical power were assigned recovery probabilities based on historical values from NUREG-1032, "Evaluation of Station Blackout Accidents at Nuclear Power Plants... Final Report." Failure recovery probabilities were assessed for: (1) off-site power is not recovered within four hours, (2) battery load shedding is not successful and off-site power is not recovered within 1 hour, and (3) HPCS and RCIC both fail and off-site power is not recovered within one-half hour. Time available to recover AC power in order to recover injection is 2 hours based on MAAP code vessel failure projection of 2.6 hours after start of blackout. Recoveries at later times were treated as conditional on failure of recovery at the earlier times. Recoveries were sequence-dependent.

Power Recoveries to Prevent Containment Failure for Containment Event Trees in Which Containment Isolation is Successful or for Late Injection for Debris Cooling or Scrubbing on the Non-Isolated Cases. Maximum of four hour recovery time. Conditional recovery failure probability of 4.69E-01 was assessed to recovery at 4 hours.

Recovery for Failure to Recover Injection Systems Before and After Reactor Vessel Failure Following Core Damage. All core damage sequences resulted from failure to depressurize or to recover injection systems in time to prevent core damage. The analysis shows that vessel failure may be averted, even after core damage, if injection systems can be recovered within 2 hours in high pressure sequences and 15 minutes in low pressure sequences. Even if injection systems are not recovered prior to vessel failure, containment failure can be prevented in most cases if injection is recovered within 13 hours (4 hours for SBO). In response to an NRC RAI, the licensee identified a total of 36 recovery factors considered for injection system recovery. Table 2.3-1 lists the recovery actions and conditions under which they are applied.

Table 2.3-3, Recovery Actions Included for Failure to Recover Injection System

| DESCRIPTION | RPV Failure (HP SEQ., LP SEQ.); CNT Failure (HP SEQ., LP SEQ.) |
|---|---|
| Failure to restore Bus IM in time to prevent | 1.4E-01, 3.0E-01, 5.0E-01, 2.3E-01 |
| Failure to recover failed HPCS in time to prevent | 2.4E-01, 4.8E-01, 1.5E-01 |
| Failure to recover HPCSFAIL to start in time to prevent... | 2.0E-01, 4.0E-01, IJE-01 |
| Failure to recover failed HPCS valve in time to avoid | 1.6E-01, 2.5E-01, 5.0E-02 |
| Failure to recover from failed suction switchover in time to avoid... | 1.2E-01, 2.2E-01, 3.0E-02 |
| Failure to recover from FW bypass in time to avoid. | 3.5E-01, 4.2E-01, 5.1E-01, 4.3E-01 |
| Failure to recover improperly restored FW pump C in time to save... | 2.6E-01, 4.8E-01, 5.0E-01, 2.7E-01 |
| Failure to recover failed FW system in time to avoid... | 9.0E-01 |
| Failure to restart tripped FW system in time to avoid. | 1.9E-01 |
| Failure to recover from operator fail to blow down RPV in time to save | 8.0E-01 |
| Unconditional failure to recover from operator fail to blow down to save. | 4.0E-04 |
| Failure to recover failed HPCS in time to save. | 8.82E-01, 9.74E-01, 9.28E-01, 8.6E-01 |
| Failure to recover LP systems in time to save. | 5.0E-01, 6.7E-01, 4.0E-01, 3.0E-01 |

Failure to Initiate Containment Spray. Since containment spray is manually initiated, the HEP from HRA screening analysis was used. A conditional recovery probability of 3.0E-01 was applied.

Failure to Isolate Containment in Case of Station Blackout (SBO). A HEP for manually closing IFC008 was taken from Level 1 HRA. This event is described as a procedurally directed activity performed in the fuel building, a relatively simple task, with one-half hour available to complete the action. Limited consideration was given to plant-specific factors that could influence the likelihood of successful accomplishment of the task, namely, radiation exposure in the general area of the valve in question.

Failure to Recover Long-Term Containment Heat Removal in 48 Hours. Because no data is available for recovery of power or equipment at 48 hours, engineering judgement was used in assigning a value of 1.0E-03. This value was based upon the extended time available to organize outside assistance and arrange for equipment delivery if required.

Failure to Open ADS Backup Air Bottles Isolation Valves on Loss of Power. The ADS/LLS motor-operated backup air supply isolation valves are opened from the Main Control Room if normal Instrument Air to the SRVs is lost. However, these valves must be opened locally before the air accumulators are depleted during SBO. The analyst assigned a HEP of 1.2E-01 for this action.

Failure to Vent Containment. Three of the largest containment vent paths at CPS are modeled in the PRA. These include the Fuel Pool Cooling and Cleanup System (FC), Residual Heat Removal System (RH), and Continuous Containment Purge (VR). The Level 1 HEP for containment venting was used for Level 2 quantification. Factors considered by the analyst in applying the screening flow chart and tables for this event include the following:
- Manual alignment of a system
- Cannot be completed from the Main Control Room
- Area is accessible
- Not a practiced task
- Task is proceduralized (EOP 6, "Primary Containment Control," and EOP 7, "Hydrogen Control")
- Task is accomplished in the Fuel and/or Auxiliary Buildings
- Task is complex (more than 10 steps)
- Greater than 45 minutes are available to accomplish

The Level 1 screening HEP value of 2.5E-01 was used in the Level 2 analysis. For additional information on the reasonability of the licensee's use of these recoveries see Section 2.3.4.4 of this report.

2.3.4.7 GSI/USI and CPI Recommendations. The licensee's consideration of generic safety issues (GSIs) and unresolved safety issues (USIs) and of containment performance improvements (CPI) recommendations are the subject of the front-end review and back-end review, respectively. The licensee considered human error in their analysis of the Decay Heat Removal Unresolved Safety Issue. The DHR issue discussion mentions only one operator action as a significant contributor, namely, YDCLOADSWH, DC load shedding not successful. However, the discussion on systems identified as important to DHR suggests several additional operator response/recovery actions that are important to success. DHR-related human actions are included in CPS's list of major HRA events based on sensitivity analysis. Other significant operator actions include: (1) Event RSPCOOLSWW - failure to initiate RHR in Suppression Pool Cooling mode, and (2) Event GADSMANSYW - failure to manually initiate ADS. All appropriate operator actions are included in the HRA performed.

CPI-related issues identified by the back-end reviewer include hardened vent system, implementation of Revision 4 of the BWR Owners Group EPGs, alternate injection water supply (Fire Protection System), hydrogen ignitor backup power, and enhanced depressurization reliability (backup air supply for the ADS). Each of these areas is addressed by the licensee in their HRA.

2.4 Vulnerabilities, Insights and Enhancements

2.4.1 Vulnerabilities.
Vulnerability screening is discussed in Section 3.4, "Results and Screening Process" of the submittal. The licensee makes reference to the guidance provided in Appendix 2 of Generic Letter 88-02, in citing the following screening criteria used in their evaluation for vulnerabilities:

1) Functional sequences with a core damage frequency greater than 1.0E-07 per year. The functional sequences are grouped into accident classes. Within each accident damage class, sequences were generally identified by the dominant initiating events.

2) Functional sequences that contribute 5% or more to CDF. Any sequence greater than 1.2E-06 per reactor year will be discussed. This criterion is enveloped by criterion 1 above.

3) Sequences determined by Illinois Power Company to be important contributors to CDF.

The criteria used to determine if vulnerabilities exist are as follows:

1) Are there any new or unusual means by which core damage or containment failure occur as compared to those identified in other probabilistic risk assessments (PRAs)?

2) Do the results suggest that the CPS core damage frequency would not be able to meet the Nuclear Regulatory Commission's safety goal for core damage?

3) Are there any systems, components, or operator actions that control the core damage result (i.e., greater than 90%)?

No vulnerabilities were identified by the licensee using these criteria. However, one human action, namely "failure to depressurize," appears to meet the first criterion above based on a higher contribution to CDF than typically seen in other BWR PRAs, even with a fairly low HEP value of 5.0E-04. An NRC request for additional information (RAI) asked IP to explain what was done to assure that this event did not represent a vulnerability at CPS. Manual initiation of ADS was the only depressurization method considered in the CPS analysis. Other PRAs have generally taken credit for alternate depressurization methods which would decrease contribution to risk. The licensee's review of the depressurization event, as reported in their response, appears to have been thorough. Included was a comprehensive validity check of PSF ratings by a review group comprised of 6 operating crew members and 2 instructors, with the training simulator available as a discussion aid. It is our opinion from review of the documentation that the licensee took the necessary steps to assure a reasonable assessment for vulnerability. The significance of the event has not been overlooked by IP, as evident from the training emphasis given this event (see Section 2.4.3, "Enhancements and Commitments," of this report).

There were significant "insights" developed relating to systems, components or actions which influenced the results of the IPE to a greater level than other events. Human performance related insights are discussed below.

2.4.2 IPE Insights Related to Human Performance.
CPS used the following guidelines to identify significant insights that may involve human performance:

1) An operator action which had a significant impact on the results of an accident class or the overall results.

2) A failure or operator action worthy of consideration of a recommendation.

3) A critical operator action which had limited procedural guidance.

These criteria were applied in conjunction with the licensee's evaluation of basic human action events that appeared high in importance analysis ranking for core damage cutsets and containment release cutsets.

Evaluations were performed of the core damage cutsets and the radioactive release cutsets to analyze those basic events or independent subtrees with the highest Fussell-Vesely importance measures. Events with the highest importance measure have the greatest effect on the overall core damage or radioactive release risk. Table 2.4-1 provides a listing of human action related basic events which appear in the top cutsets for core damage and radioactive release.

Table 2.4-1, Human Action Basic Events With Highest Fussell-Vesely Importance Measures Related to Core Damage / Containment Radioactive Release

| BASIC EVENT DESCRIPTION | F-V VALUE (Core Damage / Radioactive Release) | CUTSET |
|---|---|---|
| Failure to recover off-site power in 0.5 hours. (YLI) | 5.01E-01 / 8.96E-01 | Core Damage / Radioactive Release |
| Basic event representing recovery of HPCS failures. (BISTHPINJR) | 4.15E-01 / 2.0E-01 | Core Damage / Radioactive Release |
| Basic event representing recovery of RCIC failures. (BISTRllNJR) | 2.41E-01 / 1.13E-01 | Core Damage / Radioactive Release |
| Operator fails to manually initiate ADS. (GADSMANSYW) | 2.41E-01 | Core Damage |
| Failure to recover the Division 2 diesel within first 4 hours of station blackout. (YDG2R04DGH) | 1.29E-01 / 7.44E-01 | Core Damage / Radioactive Release |
| Basic event representing recovery from Shutdown Service Water (SX) automatic initiation failures by manual initiation of SX. (BSXMANSTRT) | 1.01E-01 | Core Damage |
| Failure to recover off-site power within first 4 hours of station blackout. (YOSOTO4SWH) | 7.28E-01 | Radioactive Release |
| Failure to recover off-site power in time to prevent RPV failure (conditional to failure to recover within 4 hours) (BOSOTO4SWH) | 5.47E-01 | Radioactive Release |
| Conditional failure to recover off-site power in 4 hours given failure to recover in 2 hours. (BLATERRCVY) | 3.3E-01 | Radioactive Release |
| Failure of station blackout containment isolation failure (manual isolation by operators). (BSBOISOLOK) | 5.66E-01 | Radioactive Release |
| Failure to recover diesel generator ISTS in time to avoid RPV failure. (BDORC oDR4) | 1.3E-01 | Radioactive Release |

2.4.3 Enhancements and Commitments.
IPE Section 6.0 reports insights gained through performance of the IPE. Table 2.4-2 provides a list of enhancements which help to reduce or control plant risk at CPS, the systems involved, IP's disposition of the improvement, and effect on CDF if known.

Table 2.4-2, CPS HRA Related Enhancements

| SYSTEM | DESCRIPTION / ENHANCEMENT | DISPOSITION | IMPACT ON CDF |
|---|---|---|---|
| Off-Site Power | Probability that off-site power will not be recovered within one-half hour. Emphasize Level 1 analyses consequence and importance of maintaining off-site power. | Training provided in licensed operator requalification class. | None identified |
| | Same concern in Level 2 analyses because of containment isolation impact. | Training provided in licensed operator requalification class. | None identified |
| High Pressure Core Spray (HPCS) | Suppression pool suction isolation valve obstruction could go unnoticed for life of plant / Require surveillance procedure that verifies operability on a 4 year basis. | Surveillance procedure CPS 9051.01 issued requiring flow verification every 4 years. | Estimated reduction in core damage risk 12.8% based on core damage cutsets used in IPE. |
| Automatic Depressurization (ADS) | Failure to manually depressurize the reactor. The importance of manual initiation of ADS should be emphasized in training. | Training provided in licensed operator requalification training and simulator training. | None identified |
| AC Power | Importance of being able to recover AC power supplies under loss of off-site power conditions. Training should evaluate potential for improved training for diesel generator and auxiliary power system operation. | Training department undertook an evaluation of both operator and maintenance training in these areas. No final disposition reported. | None identified |
| | Same concern in Level 2 analyses. | Training provided in licensed operator requalification training class. (training provided is not described). | None identified |
| Shutdown Service Water (SX) | Operator action to recover from a failed SX discharge pressure instrument or instruments by manually starting the associated SX pump or pumps. Consider additional procedural confirmation that SX pumps have started when required for diesel generator operation. | IP decided not to make procedure changes based on small perceived benefit. | None identified |
| Containment Isolation | Operator action to manually complete a containment isolation under Station Blackout (SBO) conditions. Training insight for evaluation by training department. | Information provided in a licensed operator requalification training class. | None identified |
| SCRAM | Significance of SCRAM hardware failure and importance of good maintenance and operation of equipment. Training insight. | Training provided in licensed operator requalification training class. The licensee made no reference to action taken relative to maintenance practices. | None identified |

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

The purpose of our document-only review is to enhance the NRC staff's ability to determine whether the licensee's IPE met the intent of Generic Letter 88-20. The Generic Letter had four specific objectives for the licensee:

(1) Develop an appreciation of severe accident behavior.

(2) Understand the most likely severe accident sequences that could occur at its plant.

(3) Gain a more quantitative understanding of the overall probability of core damage and radioactive material releases.

(4) If necessary, reduce the overall probability of core damage and radioactive material release by appropriate modifications to procedures and hardware that would prevent or mitigate severe accidents.

With specific regard to the HRA, these objectives might be restated as follows:

(1) Develop an overall appreciation of human performance in severe accidents; how human actions can impact positively or negatively the course of severe accidents, and what factors influence human performance.

(2) Identify and understand the operator actions important to the most likely accident sequences and the impact of operator action in those sequences; understand how human actions affect or help determine which sequences are important.

(3) Gain a more quantitative understanding of the quantitative impact of human performance on the overall probability of core damage and radioactive material release.

(4) Identify potential vulnerabilities and enhancements, and if necessary/appropriate, implement reasonable human-performance-related enhancements.

The following observations from our document-only review are seen as pertinent to NRC's determination of the adequacy of the Clinton Power Station submittal:

1) The submittal and supporting documentation indicate that utility personnel were involved in the HRA, and that the walkdowns and documentation reviews constituted a viable process for confirming that the HRA portions of the IPE represent the as-built, as-operated plant.

2) The licensee performed an in-house peer review that provides some assurance that the HRA techniques have been correctly applied and that documentation is accurate.

3) The licensee's analysis of pre-initiator human actions was appropriate in scope in that it considered both calibration and restoration errors, and used a reasonable process to identify and select pre-initiator errors to be included in the model.

4) The quantification process used for the pre-initiator HRA was essentially a "generic" assessment with limited plant-specific evaluation. This generic approach limits the opportunity for the licensee to identify and understand factors influencing human performance in pre-initiator events. However, the identification of human events and assignment of screening HEPs appear reasonably complete. The screening values used in the quantification of sequence cutsets are generally conservative compared with many other PRAs we have reviewed.

5) The post-initiator HRA addressed both response-type and recovery-type actions. The process for identification and selection of post-initiator human actions included review of procedures and discussion with plant operations and training staff. The licensee used a numerical screening process to eliminate events which were of low importance from the analysis. The screening values and sequence cutoff value employed were unlikely to have eliminated important actions/sequences. Based on these findings, it is our judgment that the post-initiator HRA employed a process for identification, selection, qualitative screening, and quantitative screening that provided reasonable assurance that the important post-initiator actions were identified and included in the IPE model.

6) A majority of the post-initiator human events considered were applied to cutsets at their screening value. Screening values were determined using the THERP procedure. Six events were selected for detailed HRA based on a sensitivity analysis. The ASEP procedure was used in the detailed HRA to quantify post-initiator response-type actions.

7) Recovery failure probabilities for significant component failure basic events in Level 2 analysis were determined using generic results from EPRI RP-3000-34, "Faulted Systems Recovery Experience." Failure to give rigorous consideration to CPS-specific factors in repair or restoration of components in Level 2 analysis is considered a limitation in the licensee's IPE. The overall impact of this limitation on the calculated radioactive release frequency is a back-end issue. Typically, credit for this type of recovery action is not taken in PRAs because of the great deal of uncertainty associated with varied failure mechanisms and performance of maintenance. Taking credit for this type of recovery action results in lowering containment release projections and is generally discouraged without rigorous plant-specific assessment similar to that given post-initiator response and other types of recovery actions considered.

8) The licensee identified operator actions important to risk using importance calculation (Fussell-Vesely) and sensitivity studies.

9) The licensee employed a systematic process to screen for vulnerabilities and identify potential enhancements. No vulnerabilities were identified. However, the process did identify several human-performance-related (training and procedures) enhancements expected to reduce the likelihood of human error, and consequently reduce the estimated CDF. These human performance enhancements have been implemented at the CPS through requalification training and procedure modifications.

4. DATA SUMMARY SHEETS

Important Operator Actions/Errors:
- Failure to initiate Residual Heat Removal (RHR) in Suppression Pool Cooling mode.
- HRA dependent failure to restore tripped Feedwater (FW) system.
- Operator fails to manually initiate the Automatic Depressurization System (ADS).
- Operator fails to initiate Standby Liquid Control (SLC) trains A & B.
- DC load shedding not successful.
- Failure to recover from the common cause failure of three diesel generators to run in one hour.
- Failure of time-phased diesel run in one hour.
- Operator fails to recover failed High Pressure Core Spray System.
- Operator fails to recover failed Reactor Core Isolation Cooling System.
- Failure to recover off-site power within one-half hour of loss.
- Failure to recover off-site power within one hour.
- Failure to recover off-site power within four hours.

Human-Performance Related Enhancements:

| SYSTEM | DESCRIPTION / ENHANCEMENT | DISPOSITION | IMPACT ON CDF |
|---|---|---|---|
| Off-Site Power | Probability that off-site power will not be recovered within one-half hour / Emphasize Level 1 analyses consequence and importance of maintaining off-site power. | Training provided in licensed operator requalification class. | None identified |
| | Same concern in Level 2 analyses because of containment isolation impact. | Training provided in licensed operator requalification class. | None identified |
| High Pressure Core Spray (HPCS) | Suppression pool suction isolation valve obstruction could go unnoticed for life of plant / Require surveillance procedure that verifies operability on a 4 year basis. | Surveillance procedure CPS 9051.01 issued requiring flow verification every 4 years. | Estimated reduction in core damage risk 12.8% based on core damage cutsets used in IPE. |
| Automatic Depressurization (ADS) | Failure to manually depressurize the reactor / The importance of manual initiation of ADS should be emphasized in training. | Training provided during licensed operator requalification training and simulator training. | None identified |
| AC Power | Importance of being able to recover AC power supplies under loss of off-site power conditions / Training should evaluate potential for improved training for diesel generator and auxiliary power system operation. | Training department undertook an evaluation of both operator and maintenance training in these areas. No final disposition reported. | None identified |
| | Same concern in Level 2 analyses. | Training provided in licensed operator requalification training class. (training provided is not described). | None identified |
| Shutdown Service Water (SX) | Operator action to recover from a failed SX discharge pressure instrument or instruments by manually starting the associated SX pump or pumps / Consider additional procedural confirmation that SX pumps have started when required for diesel generator operation. | IP decided not to make procedure changes based on small perceived benefit. | None identified |
| Containment Isolation | Operator action to manually complete a containment isolation under Station Blackout (SBO) conditions / Training insight for evaluation by training department. | Information was provided in a licensed operator requalification training class. | None identified |
| SCRAM | Significance of SCRAM hardware failure and importance of good maintenance and operation of equipment / Training insight. | Training provided in licensed operator requalification training class. The licensee made no reference to action taken relative to maintenance practices. | None identified |

REFERENCES

1) Swain, A.D. and Guttmann, H.E., Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications. NUREG/CR-1278.

2) Swain, A.D., Accident Sequence Evaluation Program Human Reliability Analysis Procedure. NUREG/CR-4772, February 1987.

3) Evaluation of Station Blackout Accidents at Nuclear Power Plants. NUREG-1032.

4) BWR Individual Plant Evaluation Methodology. IDCOR Technical Report, T86.3B1, Vol. I & II.

APPENDIX C
BACK-END (CONTAINMENT) TECHNICAL EVALUATION REPORT