ML20149E691

Technical Evaluation Rept,Plant IPE Assessment of Human Reliability Analysis Document Only
ML20149E691
Person / Time
Site: Oyster Creek
Issue date: 02/28/1994
From: Beck M, Haas P
CONCORD ASSOCIATES, INC.
To:
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
Shared Package
ML20149E682 List:
References
CON-NRC-04-91-069, CON-NRC-4-91-69 CA-TR-92-019-08, CA-TR-92-19-8, NUDOCS 9406210226



CA/TR-92-019-08

TECHNICAL EVALUATION REPORT

OYSTER CREEK NUCLEAR GENERATING STATION INDIVIDUAL PLANT EXAMINATION

ASSESSMENT OF HUMAN RELIABILITY ANALYSIS

DOCUMENT ONLY

M. G. Beck
P. M. Haas

Prepared for U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research, Division of Safety Issue Resolution

Draft, November 1992
Final, February 1994

CONCORD ASSOCIATES, INC.
Systems Performance Engineers
725 Pellissippi Parkway, Knoxville, TN 37932

Contract No. NRC-04-91-069
Task Order No. 8

TABLE OF CONTENTS

1. INTRODUCTION
   1.1 Step 1 HRA Review Approach
   1.2 Oyster Creek IPE HRA Approach
2. CONTRACTOR REVIEW FINDINGS
   2.1 Work Requirement 1.1
       2.1.1 WR 1.1.1
       2.1.2 WR 1.1.2
       2.1.3 WR 1.1.3
       2.1.4 WR 1.1.4
       2.1.5 WR 1.1.5
   2.2 Work Requirement 1.2
       2.2.1 WR 1.2.1
       2.2.2 WR 1.2.2
   2.3 Work Requirement 1.3
       2.3.1 WR 1.3.1
       2.3.2 WR 1.3.2
       2.3.3 WR 1.3.3
       2.3.4 WR 1.3.4
   2.4 Work Requirement 1.4
       2.4.1 WR 1.4.1
       2.4.2 WR 1.4.2
   2.5 Work Requirement 2.0
3. OVERALL EVALUATION AND CONCLUSIONS
4. IPE EVALUATION AND DATA SUMMARY SHEETS
   IPE DATA SUMMARY SHEETS (HUMAN RELIABILITY)
REFERENCES

1. INTRODUCTION

This technical evaluation report (TER) is a summary of the documentation-only review of the Human Reliability Analysis portion of the Oyster Creek Nuclear Generating Station Individual Plant Examination (IPE) submittal to the U. S. Nuclear Regulatory Commission (NRC). The body of the report consists of four sections, per the instructions of the Task Order: (1) this Introduction, which provides a brief summary of the approach to this Step 1 review and of the Oyster Creek IPE HRA approach; (2) Contractor Review Findings, a detailed documentation of findings for each work requirement specified in the Task Order; (3) Overall Evaluation and Conclusions, which summarizes the important findings and results from the review; and (4) the NRC summary data sheets.

1.1 Step 1 HRA Review Approach

The documentation-only review approach for Oyster Creek IPE HRA involves the following six steps, illustrated in Figure 1. These steps, especially steps 2 through 4, are interactive and iterative, but follow this general progression:

(1) Scoping Review - an overview of the entire IPE submittal. Read summary sections, plant descriptions, the major HRA-pertinent section(s), and result sections. Skim/scan the entire submittal, including appendices and detailed front-end and back-end analyses. Identify the basic approach used for the HRA and the organization of the HRA documentation, including any obvious major omissions. Identify notable features of the plant, the overall IPE approach, or the HRA approach that deserve special attention. Identify and obtain references that may need to be reviewed or checked; obvious points of interface with front-end and back-end analysis. Review descriptions of IPE/HRA team qualifications.

(2) Detailed Review of HRA Sections - a detailed review and assessment of the primary HRA section(s) of the submittal. This involves first a thorough (re)reading of descriptions of methodology, noting assumptions, data sources, and other important aspects of the analysis, and annotating any questions, potential problem areas, missing information, or issues for further investigation. Second, it involves a comparison of information and documentation found in the submittal about the overall HRA methodology/approach to the information/documentation "requirements" identified in accepted HRA approaches used in other PSAs. For example, since the Oyster Creek IPE used a Success Likelihood Index based methodology (SLIM), this comparison involved reviewing the information contained in the submittal regarding the major steps in the SLIM approach as described in NUREG/CR-3518 and 4016 (Refs. 1 and 2). Finally, the detailed review involves an attempt to "track" the complete assessment of a few key operator actions through the HRA process described in the submittal. By tracking, we mean simply identifying that the submittal contains sufficient information to clearly delineate methodology, major assumptions, important parameters such as performance shaping factors, data sources, and references for both the qualitative and quantitative assessment of human actions. There is no attempt to reproduce quantitative analysis.

(3) Response to Work Requirements - assessment of specific issues identified in the Task Order work requirements. This is an item-by-item assessment responding to each work requirement. The focus is identification of strengths and weaknesses of the HRA portions of the submittal and insights regarding important results or potential areas of improvement. Any questions that require additional input from the licensee are identified.

This step includes completion of the NRC Data Sheets, which is Work Requirement 2 in the Task Order.

(4) Interface with Front-End and Back-End Reviewers - two-way exchange of information and discussion of issues. The focus is on HRA aspects of front-end or back-end analysis, but includes a general exchange of information and findings. The interaction takes place informally throughout the review, but primarily after completion of the overview in Step 1 above, and again after completion of Steps 2 and 3 as writing of the TER begins. More formal interaction occurs during the closing meeting of NRC staff and IPE review contractors in Step 6.

(5) Prepare the TER - develop and write this technical evaluation report. This involves: preparation of a draft report documenting all work accomplished, findings, and conclusions; internal technical review verifying findings and conclusions and compliance with Task Order Requirements; editorial review and printing.

(6) NRC Staff and Contractor Meeting - held after submittal of the TERs from contractors to review findings and conclusions and finalize questions for the licensee (if any).

1.2 Oyster Creek IPE HRA Approach

The Oyster Creek IPE consists of Level 1 and 2 Probabilistic Risk Assessment (PRA) without evaluation of external events. The PRA's methodology employs the "large event tree - small fault tree" approach. The PRA is innovative in that the logic of the plant model is entered as logic statements or "modules" that can be directly linked, eliminating the need for support states.

Specific operator actions are identified by the analysts based on review of operating procedures, system analysis and development of plant model, and incorporated into the system analysis for system split fractions and plant model.

The HRA approach described in the submittal, essentially directed at quantifying human error probability (HEP) estimates, was performed using a Success Likelihood Index (SLIM) based methodology. This method relies heavily on the use of operator input in evaluating human actions. The submittal provides details of performance shaping factors used, the structured operator survey format and process for determination of PSF values, and the process for evaluation of HEP.

2. CONTRACTOR REVIEW FINDINGS

The subsections below address explicitly, item by item, each of the work requirements specified in the Task Order. For each item, there is an attempt to identify notable points about the submittal, both strengths and weaknesses, and insights as to how the submittal might be improved with regard to the specific work requirement and the overall intent of Generic Letter 88-20.

Information obtained from the licensee in response to NRC questions has been factored into this final report.

2.1 Work Requirement 1.1 Perform a general review of the human reliability analysis.

2.1.1 WR 1.1.1 The IPE submittal is essentially complete with respect to the type of information and level of detail requested in the IPE Submittal Guidance Document NUREG-1335. List any obvious omissions.

Table 2-1 lists the major items identified in NUREG-1335 pertinent to HRA that were checked.

The following are the findings for this work item:

(1) General Methodology. The plant model is developed by combining the response of plant systems with operator functions as provided in plant procedures (EOPs and abnormal response procedures) to represent the integrated plant response. These operator functions are included as top level events. Models for most of these functions require operation of systems or components.

System models required to support the top event also include important operator actions (including many of those described above) which affect system operability. They are documented in the system notebooks. Specific operator actions identified by the analysts were evaluated, and the results were incorporated into the respective system fault trees or sequence event trees.

The overall description of the HRA effort in Section 6 of the PRA (Level 1) report provides a clear understanding of the general methodology and approach to addressing human actions within the IPE. The model of human interactions used for the evaluation of HEPs splits the response into three phases: identification, diagnosis and response. The actions of operators were classified as skill, rule and knowledge based actions and evaluated accordingly.

The SLIM-based method was used to evaluate the operator actions in the IPE. Input pertinent to performance shaping factors (PSFs) was obtained from operators. The submittal provided reasonably detailed descriptions of the structured questionnaire used to obtain operator input. PSFs used were described and justified. The calculation of HEPs based on input was outlined in the submittal. Only post-event human errors were evaluated for the IPE.

Table 2-1 NUREG-1335 HRA Items Checked - WR 1.1.1

NUREG-1335 REFERENCE: INFORMATION PERTINENT TO HRA

2.1.1 General Methodology: Concise description of HRA effort and how it is integrated with the IPE tasks/analysis.

2.1.2 Information Assembly:
  2.1.2.2 List of reference PRAs, insights regarding HRA, human performance.
  2.1.2.3 Concise description of plant documentation used for HRA information; concise discussion of the process used to confirm that the HRA represents conditions in the as-built, as-operated plant.
  2.1.2.4 Description of the walkthrough activity, including HRA specialist participation.

2.1.3 Accident Sequence Delineation: Description of process for assuring human actions considered in initiating events and accident sequence delineation; HRA specialist involvement.

2.1.4 System Analysis: Description of process for assuring that the impacts of human actions are included in systems analysis; process for integrating HRA.

2.1.5 Quantification Process:
  2.1.5.1 HRA in common cause analysis.
  2.1.5.3 Types of human failures considered in the IPE; a categorization and concise description exist.
  2.1.5.4 List of human reliability data and time available for recovery actions; data sources clearly identified; if screened, a list of errors considered, criteria for screening, and results of screening.
  2.1.5.5 List of HRA data obtained from plant experience and method/process for obtaining data; list of generic data.
  2.1.5.6 Concise description of method by which HEPs are quantified, including break down such as task analysis, and techniques for combining probabilities, assessing dependencies, etc.

2.1.6 Front-End Results and Screening Process: Human contributions to important sequences are clearly identified. A concise definition of vulnerabilities is provided, along with a discussion of criteria used to identify vulnerabilities. A listing of vulnerabilities is provided, with clear definition of those related to human performance. Underlying causes of human related vulnerabilities are identified.

2.1.6: Sequences that, were it not for low human error rates in recovery actions, would have been above the applicable core damage frequency screening criteria are identified and discussed.

2.1.7: Any human performance issues pertinent to USIs or GSIs are identified and discussed as appropriate.

2.2 Back-End Submittal: Impacts of operator action on containment response are identified. Actions assumed to be accomplished by operators can reasonably be expected to be accomplished under the severe accident conditions expected; equipment accessibility, survivability, information availability, etc. have been considered. Critical human actions have been identified and included in the event trees and quantitative HRA assessments.

2.3 Specific Safety Features and Potential Improvements: Any human performance related aspects of unique and/or important safety features are discussed, including any that resulted in significantly lowering typically high frequency core melt sequences. Human related potential improvements - procedures, training, etc. - in response to vulnerabilities are clearly identified and discussed.

2.4 IPE Utility Team and Internal Review: The submittal describes the utility staff participation and involvement in the HRA. An independent in-house review of the HRA was conducted.

(2) Information Assembly. A listing of reference PRAs of similar plants, including Peach Bottom (Ref. 3), that were reviewed for the Oyster Creek PRA was provided in Section 1.6 of the submittal. The methodology used for the HRA analysis is based on the methods used in the TMI 1 PRA (Ref. 4) and is a refinement of that analysis. Plant documentation to acquire HRA information was identified. It included: plant operating procedures, emergency operating procedures (EOPs), and surveillance and maintenance procedures. A detailed description was provided for each action to be analyzed by plant operators, including plant conditions and other constraints. The plant operators evaluate the PSFs by completing the "PRA Human Action Survey Form." The survey process is a structured method to evaluate the performance shaping factors. The survey form used was provided in the submittal, as well as detailed information on the PSF breakdown and linkage to the survey form rating system.

"Human Action Walkdowns" were performed by team members responsible for evaluating operator actions with experienced operator personnel. They were conducted to familiarize themselves with the operator actions modeled as well as to verify operator action survey forms.

The SLIM-based evaluation process used plant operator input from the survey form to evaluate PSFs which were converted to the success likelihood index values. The survey process and information collection appear to be well structured.

(3) Accident Sequence Delineation. Technical information on the plant design and supporting calculations are combined with abnormal response and EOP procedures to form the basis of the Event Sequence Diagrams. Specific operator actions required to prevent degradation of plant conditions are identified by the analysts during development and evaluation of Event Sequence Diagrams. A "Detailed Human Action Description" is provided by HRA analysts and verified/modified by HRA walkdown. Details of each operator action were provided in Appendix E of the submittal. Incorporation of operator actions into the PRA is discussed in Section 2.1.3 of this TER.

(4) System Analysis. The system analysis is described in Section 5 of the Oyster Creek PRA (OCPRA) Level 1 report. System descriptions are appropriately detailed and comprehensive.

System notebooks were developed for each system analyzed. A summary of the contents was included in the submittal, and notebooks are provided in Appendix F to the submittal. Included in each notebook are the important operator actions for the system operation. In addition to routine information on major components and instrumentation, the notebooks include information on system dependencies and interfaces, testing and maintenance, technical specifications, system operation, modeling assumptions, and success criteria. Operator actions are incorporated into the PRA in appropriate system fault trees. Documentation of system fault trees is provided in the system notebooks.

Documentation appears to be sufficient to support a detailed evaluation, if one were necessary. The incorporation of EOP steps in system models was addressed above.

(5) Quantification Process. Human Interactions (HIs) were grouped into three major classifications for quantification, depending on the time at which the action occurs in the accident scenario. "Group A" HIs occur prior to the initiator event, and are the result of human errors during maintenance, testing, or calibration activities. "Group B" HIs are those that result in initiating events. These are captured in the initiating event frequencies obtained from plant operating experience. Therefore, Group B HIs are not included in the IPE HRA analysis.

"Group C" HIs are broken down into two sub-classes: (CP) operator actions performed in response to procedures, particularly Emergency Operating Procedures (EOPs), and (CR) recovery actions in response to unavailability of a safety function, which may or may not be proceduralized. CP events appear as headings in the event trees or as basic events in system or functional fault trees. Type CR events are separately added to the model following initial quantification and are addressed at the accident sequence cutset level.

Group A HI error frequencies were considered to be captured in the basic equipment failure rates for misalignment or failure to restore systems. The submittal states that this failure mode is not a large contributor to system failure. The submittal stated that certain Group A errors were included in system models, but no details were provided. This is the subject of a request for additional information in section 2.2.1.

The quantification process used for Group C HIs in the Oyster Creek IPE is described in considerable detail. For each operator action, a fairly detailed description of plant conditions and other constraints was provided to the operator. The SLIM-based evaluation process uses plant operator input for evaluating Performance Shaping Factors (PSFs). Selection of PSFs is justified in the submittal. Conversion of these PSFs to the success likelihood index value is accomplished by use of weighting factors based on the class of action (rule, knowledge or skill based) for each "phase" of identification, diagnosis and response. The likelihood index value is converted to error probability for each behavior model phase using reference actions to "calibrate" the Success Likelihood Index for each action phase.

The survey sheets completed by the operators are structured to a level of detail and with questions intended to reduce the variability of the subjective responses. All inputs were analyzed to provide a data spread for statistical analysis for estimating the uncertainty of the values obtained.
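The quantification chain described above (survey ratings, class-based weights, per-phase calibration, spread across operators), carried through as an added example; this is not code or data from the submittal or from the reviewers. It assumes the log-linear calibration log10(HEP) = a·SLI + b fitted through two reference actions, independent phases combined in series, and constructed PSF names, weights, ratings and reference HEPs.

```python
import math

# Constructed for illustration: the PSF names, weights, ratings and reference
# HEPs below are NOT values from the Oyster Creek submittal.
PHASES = ("identification", "diagnosis", "response")
PSF_WEIGHTS = {  # weighting factors by class of action (assumed values)
    "skill":     {"procedures": 1, "training": 4, "time_available": 2, "indications": 3},
    "rule":      {"procedures": 4, "training": 2, "time_available": 2, "indications": 2},
    "knowledge": {"procedures": 1, "training": 3, "time_available": 3, "indications": 3},
}
RATING_RANGE = (0, 10)  # assumed survey scale, 10 = most favourable to success


def success_likelihood_index(ratings, action_class):
    """Weighted mean of the PSF ratings for one phase of one action."""
    weights = PSF_WEIGHTS[action_class]
    missing = sorted(set(weights) - set(ratings))
    if missing:
        raise ValueError(f"survey form has no rating for: {missing}")
    low, high = RATING_RANGE
    for psf in weights:
        if not low <= ratings[psf] <= high:
            raise ValueError(f"{psf} rating {ratings[psf]} outside {low}..{high}")
    return sum(weights[p] * ratings[p] for p in weights) / sum(weights.values())


def calibrate(reference_a, reference_b):
    """Fit log10(HEP) = slope * SLI + intercept through two reference actions."""
    (sli_a, hep_a), (sli_b, hep_b) = reference_a, reference_b
    if sli_a == sli_b:
        raise ValueError("reference actions must have different SLI values")
    slope = (math.log10(hep_b) - math.log10(hep_a)) / (sli_b - sli_a)
    return slope, math.log10(hep_a) - slope * sli_a


def hep_from_sli(sli, calibration):
    """Convert an SLI to an error probability, capped at 1."""
    slope, intercept = calibration
    return min(1.0, 10 ** (slope * sli + intercept))


def action_hep(survey, phase_classes, calibrations):
    """The action fails if any phase fails (phases assumed independent)."""
    p_success = 1.0
    for phase in PHASES:
        sli = success_likelihood_index(survey[phase], phase_classes[phase])
        p_success *= 1.0 - hep_from_sli(sli, calibrations[phase])
    return 1.0 - p_success


def hep_spread(surveys, phase_classes, calibrations):
    """Lowest, geometric-mean and highest HEP across the operators surveyed."""
    heps = sorted(action_hep(s, phase_classes, calibrations) for s in surveys)
    geometric_mean = math.exp(sum(math.log(h) for h in heps) / len(heps))
    return heps[0], geometric_mean, heps[-1]


# Constructed sample: one operator action, surveyed by two operators.
PHASE_CLASSES = {"identification": "skill", "diagnosis": "knowledge", "response": "rule"}
REFERENCES = ((2.0, 1e-1), (8.0, 1e-4))  # (SLI, "known" HEP) reference actions
CALIBRATIONS = {phase: calibrate(*REFERENCES) for phase in PHASES}
SURVEYS = [
    {"identification": {"procedures": 2, "training": 7, "time_available": 6, "indications": 6},
     "diagnosis":      {"procedures": 1, "training": 5, "time_available": 3, "indications": 5},
     "response":       {"procedures": 8, "training": 6, "time_available": 4, "indications": 4}},
    {"identification": {"procedures": 2, "training": 7, "time_available": 6, "indications": 6},
     "diagnosis":      {"procedures": 6, "training": 6, "time_available": 6, "indications": 6},
     "response":       {"procedures": 8, "training": 6, "time_available": 4, "indications": 4}},
]

if __name__ == "__main__":
    low, mid, high = hep_spread(SURVEYS, PHASE_CLASSES, CALIBRATIONS)
    print(f"HEP spread across operators: {low:.2e} / {mid:.2e} / {high:.2e}")
```

The two operators differ only in their diagnosis ratings, yet the resulting HEPs differ by about a factor of four, which is why the choice of reference actions and the spread of survey responses matter to a reviewer.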

There is a concise summary of the common cause analysis provided in Section 5.3.3.3 of the PRA Level 1 report in the submittal. The submittal states pre-initiator human errors are not considered because they are captured in the component failure data analyzed. Pre-initiator (Group A) human errors are discussed in section 2.2.1 of this report, and a request for additional information on their treatment is provided in that section. Common cause events are a subset of these pre-initiator errors.

(6) Front End Results and Screening Process. The IPE submittal defines vulnerability as any core damage sequence that exceeds 1.0 E-4 per reactor year, or any containment bypass sequence or large early containment failure that exceeds 1.0 E-6 per reactor year. No vulnerabilities were identified. A structured review was performed to identify potential low cost improvements. The results of Level 1 and 2 PRAs, as well as contributors to system unavailability and operator action error rates were reviewed.

No listing was provided of sequences that, were it not for low human error rates in recovery actions, would have been above the applicable core damage frequency criteria; nor was there any clear statement that no such sequences exist.

As required by NUREG-1335, GSE and other safety issues, such as internal flooding, Loss of Feedwater Control, and alternate water supply for drywell spray/vessel injection, were analyzed by Oyster Creek, and the results are reported in the IPE submittal. No vulnerabilities were identified. Several analyses of these safety issues involved human actions which were considered important enough to have potential improvements identified:

1. The alternate drywell spray source considered cross-tie of fire protection diesel water with manual operated valves. Because of high radiation from core damage, the required shielding to allow access would make the modification cost prohibitive for the minimal effect on cooling core debris.

2. Procedure changes to improve operator response to internal flooding were recommended.

3. A new reactor overfill prevention system is to be installed for loss of feedwater system control because of concerns about operator responses to isolate MSIVs within the allowed time.

(7) Back End Submittal. The Containment Event Trees (CETs) consider the influence of the physical and chemical processes on changing the containment pressure and (in the case of containment failure or bypass) on affecting the release of fission products from the containment.

The end state of the front-end analysis is binned according to plant damage states and used as input to CETs. The plant damage state information includes the following categories: physical condition in the reactor coolant system and containment at time of vessel breach; integrity of primary containment and status of associated active systems; integrity of secondary containment and status of associated active systems.

Containment models include "dirty venting." These are the only human actions directly modeled in the analysis. The containment analysis used the results of the Level 1 system status as input for the back-end plant damage state. Therefore, many human actions were indirectly incorporated into the back-end analysis. The results of the front-end containment venting HEPs were used in the back-end analysis.

(8) Specific Safety Features and Potential Improvements. A number of specific safety features of the Oyster Creek plant were discussed in Section 8 of the IPE submittal. Specific procedure changes and modifications were identified as cost effective and are being implemented. These include:

- Containment vent modifications and associated procedure revisions.

- Station blackout technical basis document and integrated loss of offsite power procedure to provide: recovery of offsite or onsite power; for alignment and cross-tieing buses to critical equipment; and for startup and alignment of alternate AC capability.

- Loss of all DC power procedure to be coordinated with the integrated loss of offsite power procedure.

- Reactor overfill prevention system is to be installed for reactor overfill transients because of concern for operator response to isolate MSIVs within the required time.

Improvements or enhancements under consideration include:

- Development of a specific procedure and training on reactor overfill transients.

- Operator training should emphasize important actions (listed in Section 8.1.5) which were identified by the PRA as important in reducing core damage risk.

(9) IPE Utility Team and Internal Review. While the IPE development was supported by a consultant (PLG, Inc.), the submittal states that one of the objectives of the study was to build on in-house PRA expertise and develop tools for ongoing risk management activities after the completion of the PRA.

GPU provided system analysts, engineers and plant operations personnel as a part of the PRA team. HRA specialists from the contractor organization as well as GPU were included on the IPE team.

The internal review process described in the submittal appears to be extensive. Multiple engineers and operations personnel with expertise in Oyster Creek design and operation were involved in the reviews. A review of the comments suggests that the team provided a thorough review. An outside consultant with expertise in PRA methodology reviewed the IPE for technical methods. With regard to the personnel on the team, however, no individual was identified as the HRA reviewer or as having previous HRA experience. The submittal would be strengthened if a thorough review of the HRA portion of the IPE were included in the review process.

2.1.2 WR 1.1.2 The employed HRA methodology is clearly described and justified for selection.

Section 6 of the Level 1 report included in the submittal clearly describes the steps performed in the HRA portion of the IPE. The SLIM methodology is a well established and documented HRA approach. The SLIM-based evaluation process used at Oyster Creek uses plant operator input as the basis for PSFs which are converted to the success likelihood index value using weighting factors. The success likelihood index value is converted to error probability using calibration values from "known" HEPs. There are requests for additional information on the implementation of the SLIM-based methodology which are detailed in the sections which follow.

2.1.3 WR 1.1.3 The methodology (including the human action taxonomy) employed is capable of identifying important human actions, and contains a discussion of the most important human actions and errors.

The human action taxonomy used in the HRA was clearly identified in the submittal. The model of human interactions used for the evaluation divides the response into three phases: identification, diagnosis and response. The actions of operators were classified as skill, rule or knowledge based actions and were evaluated accordingly. Details on the human actions and the quantification were provided in Section 6 and Appendix E of the submittal.

The submittal stated that procedures were reviewed to identify operator actions to be included in the plant model. One important operator action that was not included in the plant model, and which is in the EOPs, is containment flooding. This was identified by review of independent review comments for March 27 IIHRG meeting in Appendix D to the submittal. The response to the comment was that the operator action was not required "to establish or maintain stable shutdown conditions." Because the steps are in the EOPs the containment flooding would likely be carried out by the operators. IPEs for BWRs with Suppression Pool type containments have identified containment flooding as a source of containment failure when core damage and vessel melt through occur after the torus is flooded (loss of pressure suppression capability). The Licensee indicated in response to an NRC question on this point, that this potential "down-side" of containment flooding had been evaluated and was not included because of its low likelihood of occurrence.

2.1.4 WR 1.1.4 The IPE submittal employed a viable process to confirm that the IPE represents the as-built, as operated plant.

Technical information on the plant design and supporting calculations are combined with abnormal response and EOP procedures to form the basis of the Event Sequence Diagrams (ESD). The ESDs were presented to various GPUN organizations including plant operations, safety analysis, and training departments for review. The resulting final ESDs were used as the primary input in the development of the plant model.

In addition, walkdowns were held to verify information was correct. A structured program was provided to prepare detailed descriptions of all Human Actions to be analyzed. Plant walkdowns by risk assessment personnel, a human factors specialist, and plant operators over a 3 day period confirmed the accuracy of the detailed descriptions.

The final check on as-built and as-operated was provided by the Independent Review Group.

Members were chosen for their expertise in plant design and operation. The Independent Review Group reviewed the entire submittal including system notebooks and operator action sections.

This process appears to be a reasonable and systematic approach to assuring that the IPE represents the as-built, as-operated plant.


2.1.5 WR 1.1.5 The HRA had been peer-reviewed to help assure the analytic techniques were correctly applied.

The internal review process described in the submittal and discussed in Section 2.1.1(9) above appears to be comprehensive, with exception of the HRA analysis. No individual was identified as the HRA reviewer or as having previous HRA experience.

No other peer-review was identified in the submittal for the HRA analysis. Peer-review by qualified HRA personnel helps provide additional confidence that the HRA methods were appropriately applied and results are correct. The submittal would be strengthened by additional information concerning any HRA review and qualifications of the HRA reviewer(s).

2.2 Work Requirement 1.2 Review the most likely sequences that could occur at the plant.

2.2.1 WR 1.2.1 The accident sequences appropriately considered human actions consistent with other NUREG-1150 and other NRC accepted PSAs (see table NUREG 1335 Appendix II).

The human actions of Grand Gulf (Ref. 5) were compared to the OCPRA human actions. The review shows that equivalent actions were considered in the OCPRA sequences. Additional human actions were included in the OCPRA because of the additional operator instructions provided by the [illegible] (Rev. 4) EOPs. As was noted in Section 2.1.3 earlier, a potential discrepancy in the incorporation of EOP steps was identified and additional information on the process for identifying and including proceduralized operator actions into the PRA.

Pre-initiator (Group A) human errors such as calibration error or misalignment of systems or instrumentation are not modeled in the PRA. The submittal states that "misalignment of systems are not modeled in the OCPRA since these causes of unavailability are captured in the component failure data." Pre-initiator human errors are normally considered in PRAs (e.g., see Grand Gulf (Ref. 5) and Surry (Ref. 6) PRAs). While it is true that, in general, pre-initiators typically have less impact on estimated CDF than do post-initiators, significant contributions from pre-initiators have been identified in some PRAs. A systematic analysis of pre-initiator human errors and contributing factors would provide much greater confidence that no important errors have been missed.

And, the information gained on " generic" factors influencing human performance, e.g. procedures on administrative controls, may indicate relatively low-cost means for significant improvement.

2.2.2 WR 1.2.2 The accident sequences screened out because of low human error (see NUREG 1335, Section 2.1.6.6) appear appropriate, based on HRA techniques employed.

The submittal addressed the importance of human actions by examining the contribution to core damage for three groupings: (1) all operator actions, (2) operator actions grouped into nine general categories, and (3) top 10 individual operator actions. All modeled operator actions were found to contribute 21% of total core damage. The most important groups of operator action were those associated with establishing RPV injection and removal of containment heat.

The individual operator actions were from the most important groups and ATWS sequences, and their contribution to total core damage ranged from 1% to 2.76%. Detailed information about each operator action is available in Appendix E of the Level 1 Report.

The analysis of operator action contribution to core damage provides insight into which operator actions are the most important, but the specific information required by NUREG-1335, Section 2.1.6.6 was not found.

2.3 Work Requirement 1.3 Review the quantitative nature of the IPE submittal.

2.3.1 WR 1.3.1 The employed human error probability (HEP) screening values appear capable of screening in significant human errors.

Screening or "conservative" values were used for only a few selected operator actions including circulating water system flooding and loss of off-site power recovery in this IPE. In these cases values are provided without referencing any source. The values appear to be appropriate, but the submittal would be strengthened if the source of the values is referenced or additional information on the technical basis for these estimates were provided.

While there were few actions for which numerical screening was performed, it should be noted that potentially significant qualitative screening is performed in the process of selecting those human actions to be evaluated. Operator actions modeled, including recovery actions, appear to be appropriate based on review of similar PRAs. However, the submittal does not provide much information on the process by which the specific ones were selected for Oyster Creek. In general, the basis was said to be "required" operator actions, EOPs, and abnormal procedures. The submittal would be strengthened by a discussion of the specific rationale, assumptions and criteria for selection of actions.

2.3.2 WR 1.3.2 The IPE developed human error probabilities (HEPs) for significant human actions, or provided rationale for using screening values.

With the exception of the screening values cited above, no numerical screening of HEPs typical in many PRAs was identified from the submittal review. Actions selected for analysis were analyzed directly, and HEPs were developed. The methods used to quantify HEPs are discussed in Section 2.3.3.

2.3.3 WR 1.3.3 Sources of generic human reliability data used in the IPE were identified and rationale for their use provided. Generic human error probabilities (HEP) data were modified using plant-specific Performance Shaping Factors (PSFs) as appropriate, and rationale provided for selection of employed PSFs.

The SLIM-based evaluation process uses plant operator input to evaluate operator actions for the HRA. Thus the data is neither "generic" nor "plant-specific" in the usual sense of those words.

There is some merit to the assertion that since the operators are from this particular plant, their judgments probably reflect some degree of plant-specific experience. On the other hand, the operator judgment primarily specifies the relative importance of PSFs. The absolute values are determined by the selected anchor points; and the submittal does not discuss the selection of those anchor values in much depth. The process for selection of PSFs and justification of the ones selected is reasonably well described in the submittal. The PSFs chosen for use along with the process attempt to account for dependencies and effects of multiple and successive operator actions. As noted earlier, the process for elicitation of expert judgment from the operators appears to be well structured and systematically applied.

Conversion of these PSFs to the success likelihood index value is accomplished by use of weighting factors based on the class of action (rule, knowledge or skill based) for each model for action phase of identification, diagnosis and response. An additional factor to account for the significance of the class of action for the diagnosis phase was used to increase the value for knowledge based activities. The submittal provides a general overview of the basis for the weighting factors used. Because of the importance of the weighting factors in calculation of the Success Likelihood Index and the HEPs, it is felt that the submittal would be strengthened by inclusion of a more detailed description of the basis and structured process used in developing the weighting factors used.
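The weighting and anchoring steps discussed in this section, as an added example that is not the Oyster Creek submittal's own calculation: it uses the log-linear calibration log10(HEP) = a*SLI + b from the SLIM literature, and the PSF names, weights, ratings and both anchor sets are constructed for illustration. It shows that the PSF judgments fix the ordering of actions, while the choice of anchors fixes the absolute HEPs.

```python
import math

# Constructed inputs: PSF names, weights, 0-10 ratings (higher = more favourable)
# and both anchor sets are hypothetical, not values from the submittal.
WEIGHTS = {"time_available": 0.4, "procedures": 0.3, "training": 0.2, "stress": 0.1}
ACTIONS = {
    "action_A": {"time_available": 8, "procedures": 6, "training": 7, "stress": 5},
    "action_B": {"time_available": 3, "procedures": 5, "training": 4, "stress": 2},
}
# Each anchor is (SLI of a reference action, its accepted HEP).
ANCHORS_1 = ((9.0, 1e-3), (2.0, 1e-1))
ANCHORS_2 = ((9.0, 1e-4), (2.0, 1e-1))


def sli(weights, ratings):
    """Success Likelihood Index: PSF ratings combined with normalized weights."""
    total = sum(weights.values())
    return sum(weights[psf] / total * ratings[psf] for psf in weights)


def calibrate(anchors):
    """Solve log10(HEP) = a*SLI + b through two reference actions."""
    (s1, h1), (s2, h2) = anchors
    if s1 == s2:
        raise ValueError("reference actions need distinct SLI values")
    a = (math.log10(h2) - math.log10(h1)) / (s2 - s1)
    b = math.log10(h1) - a * s1
    return a, b


def hep(sli_value, a, b):
    """Convert an SLI to a human error probability with the fitted line."""
    return 10 ** (a * sli_value + b)


def evaluate(anchors):
    """Return {action: HEP} for every constructed action under one anchor set."""
    a, b = calibrate(anchors)
    return {name: hep(sli(WEIGHTS, r), a, b) for name, r in ACTIONS.items()}


if __name__ == "__main__":
    for label, anchors in (("anchor set 1", ANCHORS_1), ("anchor set 2", ANCHORS_2)):
        for name, p in evaluate(anchors).items():
            print(f"{label}: {name} SLI={sli(WEIGHTS, ACTIONS[name]):.2f} HEP={p:.2e}")
```

With these constructed numbers, moving one anchor HEP by a decade changes the HEP of action_A by about a factor of five without changing which action ranks as more reliable.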

The Success Likelihood Index value is converted to error probability using reference actions to "calibrate" the Success Likelihood Index value for each action identification, diagnosis and response phases. As indicated above, there is little information provided in the submittal on the selection of reference actions/values to calibrate the SLIM methodology.

2.3.4 WR 1.3.4 The recovery method is clearly described and credit for recovery actions appear justified.

Three types of recoveries are addressed in the submittal: system recoveries incorporated into system logic models, procedurally directed recoveries, and non-procedurally directed recoveries.

The latter two types of recoveries were added to the plant model following initial quantification and refinement. With exception of "dirty venting" discussed in Section 2.1.1.(7), no credit was included for post vessel breach recoveries in the back-end PRA.

Methods, data, and assumptions used to quantify recovery actions are clearly and concisely summarized. Information provided includes a description of each recovery action, amount of time available for the action, manual actions required, procedure availability, how the need for action is perceived, cognition class for activities, and success criteria for recovery. A concise description of PSFs and their use in the SLIM method was provided. While we did not perform detailed checks to validate numerical estimates, the HEP values overall appear to be reasonable and consistent with other PSAs. Values for selected operator actions were compared with previous PRAs in section 6.3.6 of the Level 1 report and found to be consistent.

2.4 Work Requirement 1.4 Review the IPE approach to reducing the probability of core damage or fission product release.

2.4.1 WR 1.4.1 The IPE analysis appears to support the licensee's definition of vulnerability, and that the definition provides a means by which the identification of potential vulnerabilities (as so defined) and plant modifications (safety enhancements) is made possible.

The IPE submittal defines vulnerability as any core damage sequence that exceeds 1.0 E-4 per reactor year, or any containment bypass sequence or large early containment failure that exceeds 1.0 E-6 per reactor year. No vulnerabilities were identified. A structured review was performed to identify potential low cost improvements. The results of level 1 and 2 PRAs were reviewed, as well as major contributors to system unavailability and operator action error rates. Results of this review are discussed below. The overall process employed in the IPE for identifying vulnerabilities and cost effective safety enhancements appears to be comprehensive and able to systematically identify cost effective safety enhancements.

2.4.2 WR 1.4.2 The identification of plant improvements includes human-related plant modifications (e.g., procedures and training), and proposed modifications are reasonably expected to enhance human reliability and plant safety.

Cost effective plant improvements identified during the IPE process and being incorporated are discussed in Section 8 of the IPE report. The results of level 1 and 2 PRAs, contributors to system unavailability, and operator action error rates were reviewed to identify potential enhancements. No information was provided on any evaluation of the improvement in the IPE results, but it appears that the additional guidance in procedures should enhance the operator performance. Specific cost effective enhancements identified are being implemented including:

Containment Vent modifications and associated procedure revisions.

Station Blackout technical basis document and integrated loss of offsite power procedure to provide: recovery of offsite or onsite power; alignment and cross-tying buses to critical equipment; and startup and alignment of alternate AC capability.

Loss of all DC power procedure to be coordinated with the integrated loss of offsite power procedure.

A new Reactor overfill Prevention system is to be installed for reactor overfill transients because of concern for operator responses to isolate MSIVs within the required time.

Improvements or enhancements under consideration include:

Development of specific procedure and training on reactor overfill transients.

Operator Training should emphasize important actions listed in Section 8.1.5 that were identified by the PRA as important in reducing core damage risk.

While no discussion of the evaluation for improvements was provided in the submittal, the procedure changes, training emphasis and modifications should help address problems identified by the PRA as contributors to operator error or system unavailability.

2.5 Work Requirement 2.0 Complete data sheets.

Completed data sheets are included in Section 4 of this TER.

3. OVERALL EVALUATION AND CONCLUSIONS

On the basis of our review, we concluded that with regard to the HRA, the submittal demonstrates that the licensee used a reasonable process to meet the intent of Generic Letter 88-20. Overall, the HRA methodology used for identification of important actions, analysis of factors influencing human performance, quantification of human error, assessing the impact of human error on system response (and therefore CDF and releases) appears reasonable and consistent with practice in other PSAs. A reasonable process was in place to identify potential human-related improvements.

Notable weaknesses of the submittal are the failure to treat pre-initiator errors explicitly and the description of basis for weighting factors and choice of reference Human Error events to calibrate the SLIM-based HRA evaluation. It is typical practice in PRAs to treat pre-initiators such as maintenance, test and calibration errors explicitly. The submittal should include a clear and concise justification for the assertion that such errors are negligible and/or are incorporated in component failure data. The conversion of PSFs to Success Likelihood Index is accomplished by use of weighting factors for different types of human interaction. A more detailed description of the derivation of these weighting factors would have strengthened the submittal. The SLIM-based methodology must be "calibrated" using known or accepted HEPs. The submittal would have been strengthened if the discussion and justification was expanded for the HEPs used for calibration of the SLIM-based HRA.

4. IPE EVALUATION AND DATA SUMMARY SHEETS

IPE DATA SUMMARY SHEETS (HUMAN RELIABILITY)

Plant Name: Oyster Creek Nuclear Generating Station

Information Assembly

List of plants, PSAs or other analysis known to have employed similar methodology.

TMI 1 (PLG)

Ex-Control Room actions treated? List.

Yes, multiple actions as required for recovery. Table 6.4.1.a-c provides operator actions for sequences and plant location for actions.

Human Failure Data (Generic and Plant Specific)

Analytical method used, e.g., Expert Judgment, THERP, SLIM-MAUD, HCR, TRC.

SLIM-based

Were the following human errors considered:

(1) Pre-initiator, e.g., maintenance error including testing, equipment calibration, and restoration.

Assumed to be included in component failure data.

(2) Post-initiator procedural?

Yes

(3) Post-initiator recovery

- Control Room Yes

- Ex-Control Room Yes

Types of human errors considered, e.g. omission, commission

Errors of omission only

Source of human reliability data,

Generic Data?

No

Simulator Data?

No

Expert Judgment?

Used SLIM method: Operator input based on detailed descriptions of operator actions using structured survey form to provide input for PSFs.

Most significant operator actions,

The most important groups of operator action were those associated with establishing RPV injection, removal of containment heat and ATWS sequences.

Human Error contribution to core damage frequency (if known).

21%

Vulnerabilities associated with human error.

None identified

PLANT IMPROVEMENTS AND UNIQUE SAFETY FEATURES

Improvement insights stemming from HRA.

Appendix B of submittal reviews contributors to operator errors and provides following recommendations (Section 8.1.5):

Consider specific procedures and training for Reactor overfill transients.

Consider training emphasis that consistently successful performance of following actions can reduce Core Damage risk:

Operator injects fire water through Core Spray system during loss of AC power and unisolated LOCA outside containment events.

Operator inhibits ADS and controls level near TAF during ATWS with FW available and condenser failed and EMERV/SV closure.

Operator inhibits ADS during ATWS with FW failed and EMERV/SV closure.

Operator manually re-energizes bus IAl/IB and restarts at least one TBCCW pump following a loss of offsite power.

Operator trips reactor after TT failure (high level).

Operator secures or isolates condensate transfer header to reactor building within 1 or 2 hours after condensate transfer supply line break in the reactor building.

Operator trips plant and isolates feedwater following line break in the trunnion room.

Implemented human factor improvements

Containment Vent modifications and associated procedure revisions.

Station Blackout technical basis document and integrated loss of offsite power procedure to provide: recovery of offsite or onsite power; for alignment and cross-tying buses to critical equipment; and for startup and alignment of alternate AC capability.

Loss of all DC power procedure to be coordinated with the integrated loss of offsite power procedure.

A new Reactor overfill prevention system is to be installed for reactor overfill transients because of concern for operator responses to isolate MSIVs within the required time.

Enhancements under consideration.

Development of specific procedure and training on reactor overfill transients.

Operator Training should emphasize important actions listed in Section 8.1.5 that were identified by the PRA as important in reducing core damage risk (listed under improvement insights above).

The alternate drywell spray source considered cross-tie of fire protection diesel water with manual operated valves. Because of high radiation from core damage, the required shielding to allow access would make the modification cost prohibitive for the minimal effect on cooling core debris.

Procedure changes to improve operator response to internal flooding were recommended.

Portable DC generator and equipment necessary to supply essential DC loads

REFERENCES

1. Embrey, D.E., "SLIM-MAUD: An Approach to Assessing Human Error Probabilities Using Structured Expert Judgment," NUREG/CR-3518, USNRC, March 1984.

2. Rose, E.A. et al., "Application of SLIM-MAUD: A Test of an Interactive Computer-Based Methods for Organizing Expert Assessment of Human Performance and Reliability," NUREG/CR-4016, USNRC, September 1985.

3. USNRC, "Analysis of Core Damage Frequencies from Internal Events: Peach Bottom Unit 2," NUREG/CR-4550/Vol. 4, October 1986.

4. Pickard, Lowe and Garrick, Inc., "Three Mile Island Unit 1 Probabilistic Risk Assessment," prepared for GPU Nuclear Corp., PLG-0525, December 1986.

5. USNRC, "Analysis of Core Damage Frequencies from Internal Events: Grand Gulf-1," NUREG/CR-4550/Vol. 6, Rev. 1.

6. USNRC, "Analysis of Core Damage Frequencies from Internal Events: Surry, Unit-1," NUREG/CR-4550/Vol. 3, Rev. 1.