ML20149L125

| Field | Value |
|---|---|
| Accession number | ML20149L125 |
| Site (docket) | 05200003 |
| Issue date | 02/20/1996 |
| From | Joseph Sebrosky, NRC (Affiliation Not Assigned) |
| To | NRC (Affiliation Not Assigned) |
| References | NUDOCS 9602230266 |
| Download | ML20149L125 (22) |
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

February 20, 1996

APPLICANT: Westinghouse Electric Corporation
PROJECT: AP600
SUBJECT: SUMMARY OF MEETING TO DISCUSS PROBABILISTIC RISK ASSESSMENT (PRA) FOR THE AP600 DESIGN
The Nuclear Regulatory Commission (NRC) staff and representatives of Westinghouse Electric Corporation held a meeting at the NRC's office in Rockville, Maryland, on January 18, 1996. The purpose of the meeting was to discuss the shutdown risk and human reliability analysis and Westinghouse's approach for issues associated with the AP600 PRA. Attachment 1 is the list of the meeting attendees.

Attachments 2 and 3 were provided by Westinghouse during the meeting. These attachments contain questions that were asked by the NRC and Westinghouse's proposed responses. Attachment 2 contains the NRC's questions on the shutdown portion of Westinghouse's PRA, which were submitted to Westinghouse in a November 9, 1995 letter. Attachment 3 contains the NRC's questions on the human reliability analysis portion of Westinghouse's PRA, which were submitted in a November 21, 1995 letter. The proposed responses by Westinghouse in the attachments served as discussion items during the meeting.

Each individual request for additional information (RAI) and Westinghouse's proposed response were discussed. In some cases the staff found Westinghouse's response acceptable, and in other cases the staff felt Westinghouse needed to provide additional information. After Westinghouse modifies the responses, as appropriate, they will formally submit the RAI responses.
Highlights of the discussion are summarized as follows:

Shutdown Risk PRA questions:

Westinghouse identified RAIs from the Reactor Systems Branch that were similar to the RAIs submitted from the Probabilistic Safety Assessment Branch. In response to RAIs submitted from Reactor Systems, Westinghouse is preparing two reports, the Shutdown Evaluation report and the Adverse Systems Interaction report. Based on Westinghouse information, SPSB review of these reports is necessary to resolve some Shutdown PRA RAIs and Shutdown PRA Open Issues. Westinghouse was not sure when these reports would be submitted for NRC review.

Westinghouse's proposed responses (Attachment 2) to the shutdown PRA RAIs were also discussed. From this discussion, the staff identified additional information that needs to be documented in the shutdown PRA. Key areas include potential RCS drain down paths, maintenance assumptions (particularly during hot standby), and boron dilution events.
At the end of the meeting, the staff and Westinghouse discussed the additional RAIs that were submitted to Westinghouse in a December 22, 1995 letter. Although Westinghouse did not have proposed responses to these questions, they were reviewed to ensure that Westinghouse understood the staff's concerns.

Human Reliability Analysis questions:

The staff questioned Westinghouse on their approach for modeling human error probabilities (HEPs). The staff noted that Westinghouse, in some cases, differed from the standard techniques used in the human error rate prediction (THERP) methodology. The staff proposed that Westinghouse perform sensitivity analyses to assess the impact of using this "modified" THERP methodology on the PRA results. Another concern that the staff had was that current PRAs do not take the type of credit for shift technical advisor (STA) recovery actions that Westinghouse takes in the AP600 analysis. The staff requested that Westinghouse document why the STA is given more credit or, in the sensitivity analyses discussed above, show why the STA recovery actions are not important. Westinghouse agreed to respond by either accepting the staff's recommendation for sensitivity analyses or by proposing a resolution path which will address the staff's concerns. The staff agreed to give feedback to Westinghouse on their proposed resolution path.

The schedule for the PRA review was also briefly discussed. The staff expressed a concern that they have not yet seen the fire portion of the PRA. Westinghouse was not sure when this report would be submitted for NRC review.
original signed by:

Joseph M. Sebrosky, Project Manager
Standardization Project Directorate
Division of Reactor Program Management
Office of Nuclear Reactor Regulation

Docket No. 52-003

Attachments: As stated

cc w/ attachments: See next page

DISTRIBUTION: See next page

DOCUMENT NAME: A:PRAJAN18.SUM

OFFICE: PM:PDST:DRPM | SC:SPSB:DSSA | PD:PDST:DRPM | SC:PDST:DRPM
NAME: JSebrosky | JFlack | (illegible) | RArchitzel
DATE: 02/__/96 | 02/__/96 | 02/__/96 | 02/__/96

OFFICIAL RECORD COPY
Westinghouse Electric Corporation
Docket No. 52-003

cc:

Mr. Nicholas J. Liparulo, Manager
Nuclear Safety and Regulatory Analysis
Nuclear and Advanced Technology Division
Westinghouse Electric Corporation
P.O. Box 355
Pittsburgh, PA 15230

Mr. Frank A. Ross
U.S. Department of Energy, NE-42
Office of LWR Safety and Technology
19901 Germantown Road
Germantown, MD 20874

Mr. Ronald Simard, Director
Advanced Reactor Program
Nuclear Energy Institute
1776 Eye Street, N.W.
Suite 300
Washington, DC 20006-3706

Mr. B. A. McIntyre
Advanced Plant Safety & Licensing
Westinghouse Electric Corporation
Energy Systems Business Unit
Box 355
Pittsburgh, PA 15230

Mr. John C. Butler
Advanced Plant Safety & Licensing
Westinghouse Electric Corporation
Energy Systems Business Unit
Box 355
Pittsburgh, PA 15230

Ms. Lynn Connor
DSA, Inc.
Suite 610
3 Metro Center
Bethesda, MD 20814

Mr. James E. Quinn, Projects Manager
LMR and SBWR Programs
GE Nuclear Energy
175 Curtner Avenue, M/C 165
San Jose, CA 95125

Mr. M. D. Beaumont
Nuclear and Advanced Technology Division
Westinghouse Electric Corporation
One Montrose Metro
11921 Rockville Pike
Suite 350
Rockville, MD 20852

Mr. John E. Leatherman, Manager
SBWR Design Certification
GE Nuclear Energy, M/C 781
San Jose, CA 95125

Mr. Sterling Franks
U.S. Department of Energy
NE-42
Washington, DC 20585

Barton Z. Cowan, Esq.
Eckert Seamans Cherin & Mellott
600 Grant Street, 42nd Floor
Pittsburgh, PA 15219

Mr. S. M. Modro
Nuclear Systems Analysis Technologies
Lockheed Idaho Technologies Company
Post Office Box 1625
Idaho Falls, ID 83415

Mr. Ed Rodwell, Manager
PWR Design Certification
Electric Power Research Institute
3412 Hillview Avenue
Palo Alto, CA 94303

Mr. Charles Thompson, Nuclear Engineer
AP600 Certification
U.S. Department of Energy
NE-451
Washington, DC 20585
WESTINGHOUSE/NRC AP600 MEETING ATTENDEES
JANUARY 18, 1995

NAME - ORGANIZATION
CINDY HAAG - WESTINGHOUSE
ISAAC WALLACE - WESTINGHOUSE
MIKE CORLETTI - WESTINGHOUSE
SELIM SANCAKTAR - WESTINGHOUSE
NICK SALTOS - NRC/DSSA/SPSB
STEPHEN DINSMORE - NRC/DSSA/SPSB
MARIE POHIDA (PART TIME) - NRC/DSSA/SPSB
JOHN FLACK - NRC/DSSA/SPSB
DIANE JACKSON (PART TIME) - NRC/DRPM/PDST
JOE SEBROSKY - NRC/DRPM/PDST
STEVE EIDE (PART TIME) - INEL
NATHAN SIU (PART TIME) - INEL
HAROLD BLACKMAN (PART TIME) - INEL
RESPONSE TO NRC FOLLOW-ON QUESTIONS
SHUTDOWN PRA QUESTIONS

1. Open item 19.1.3.3-1 requested Westinghouse to justify the low human error rate for inadvertent draining of reactor vessel inventory through the Normal Residual Heat Removal (RHR) system. In response, Westinghouse quantified the likelihood of the operator overdraining the reactor coolant system during drain down operations to reach midloop conditions. Westinghouse also quantified the likelihood that a LOCA could occur by inadvertent opening of Normal RHR valve V024. The staff needs the following information to conclude that the frequency of overdraining the reactor vessel to reach midloop conditions is on the order of E-6 per year, which is much lower than current operating experience.

a. Westinghouse should use operating experience to determine the frequency of the operator inadvertently overdraining the RCS during midloop, or justify that current operating experience is not applicable by describing any AP600 design improvements over current plants.

b. Westinghouse needs to add more information in the shutdown PRA about the available level instrumentation during the drain down process. A description of how the pressurizer wide range level instrumentation is connected to the RCS would be helpful.

c. Westinghouse needs to clarify in the PRA how the two hot leg instruments are connected and clarify whether they share common reference legs.

d. Westinghouse needs to document in the PRA the basis for the beta factor of 0.05 for the hot leg instruments. This value is not listed in Chapter 29 or Section 54.7 of the PRA.

e. For drain down scenario 2, Westinghouse needs to justify the likelihood that the air operated valves fail to close on demand. Westinghouse needs to (1) document the testing interval for these valves and (2) calculate valve unavailability using ((standby failure rate) * (testing interval) / 2) or a demand failure rate (such as 1E-3 listed in Table 54-58).
RESPONSE

a. Westinghouse will provide a comprehensive list of RCS drain connections and provide a qualitative discussion on how these drain paths have been considered in the PRA. The PRA explicitly models only one drain path (in the RNS) that results in overdraining of the RCS. However, Westinghouse has lumped overdraining of the RCS via the CVS letdown line with breaks in the letdown line, and therefore overdraining via this line has been considered in the PRA. AP600 design improvements over current plants are discussed in the SSAR.

b. SSAR section 5.4.7.2.1 discusses the AP600 design features that have been incorporated to address mid-loop operation issues. In addition, the AP600 Shutdown Evaluation Report will include a more detailed description of the level instrumentation available during mid-loop operations as well as the operating procedures and automatic protection features that protect the plant during reduced inventory operations.

c. Independent hot leg level instruments are provided on each AP600 hot leg. These are shown in the SSAR, Figure 5.1-5. As described in the response to 1.b, the AP600 Shutdown Evaluation Report will include a more detailed description of the level instrumentation available during shutdown.

d. The beta factor of 0.05 for the hot leg level instruments was taken from the URD, Chapter 1, Appendix A, Section A3 (Page A.A-29); 0.05 is the recommended generic beta factor for "failure to continue functioning or spurious operation" of components not specified in the URD, Table A31. Westinghouse will provide the reference source of this beta factor in the shutdown PRA report.

e. Air-operated valves CVS-045 and CVS-047, modeled in drain down scenario #2, are to be tested quarterly but are expected to be used more often during normal operation. Therefore, the failure probability of these valves failing to close on demand will be recalculated using a demand failure rate of 2.0E-03 from the Data Analysis section of the PRA.
2. With respect to Open item 19.1.3.3-2, Westinghouse responded in Section 54.3.2 of the PRA that the core damage contribution from the cool down period to 350°F and 400 psig is negligible compared to hot/cold shutdown and midloop/vessel flange operations. In Section 54.3.2, Westinghouse justifies this assumption based on (1) the cool down period to hot shutdown of 350°F and 400 psig lasts only eight hours, and (2) all mitigating systems available when the reactor is at power are available except the accumulators. In order for the staff to conclude that this shutdown period does not need to be quantitatively evaluated, the staff is asking Westinghouse to:

a. Modify this argument to indicate that the risk is low compared to the at-power risk. The argument that Westinghouse gave does not directly lead to the conclusion that the core damage risk is low compared to the risk from hot/cold shutdown and midloop/vessel flange operations.

b. Clarify in Section 54.3.2 of the PRA if all actuating signals that are available at full power are also available during this time period. In Table 54-2, it would be helpful if an additional column was created for full power operation to allow for a simple comparison of available signals.

c. Document in Section 54.3.2 of the PRA and Table 54-8 if any maintenance can be performed on any system during this period. Document how these maintenance assumptions will be met (i.e., Tech. Specs., administrative controls, etc.).
RESPONSE

2a. If it is conservatively assumed that all accidents evaluated during power operation can occur during the first eight hours of shutdown, then, given the availability of all mitigating systems except the accumulators, the risk during this early shutdown period can be factored from the at-power core damage frequency. As shown in Section 54.3.2, the estimated annual duration for this plant state is 22 hours. Therefore, the estimated CDF during this shutdown mode is: [(2.43E-07 / 8760) x 22] = 6.10E-10; this is 0.25% of the at-power risk. This conservative estimate shows that the risk during the first eight hours of shutdown is very low; much conservatism is evidenced by the fact that ATWS events, which dominate the at-power CDF, are not applicable to the shutdown assessment.

b. Table 54-2 of the Shutdown PRA will be revised to: (1) add a column for at power; and (2) include the actuating signals for all systems in the table.

c. Availability (and corresponding maintenance restrictions) of the safety-related systems during shutdown operations are incorporated in the AP600 Technical Specifications. The Reliability Assurance Program specifies maintenance guidelines for RTNSS-important systems and components including the Normal Residual Heat Removal, Component Cooling Water, and Service Water Systems, the Diverse Actuation System, the Non-Class 1E DC and UPS System, and the Offsite Power, Main AC Power, and Onsite Standby Power Systems.
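The two quantification rules used in the exchange above, the standby-component unavailability approximation cited in question 1.e ((standby failure rate) * (testing interval) / 2, or else a demand failure rate) and the factoring of the at-power core damage frequency by time-in-state in response 2a, as an added Python example that is not part of the NRC/Westinghouse document. The function names, the constructed standby failure rate of 1.0E-06 per hour, and the 2190-hour quarterly interval are assumptions; the 2.43E-07 per year at-power CDF, the 22 hours per year, the 8760-hour year, and the 2.0E-03 demand failure rate are the document's own values.

```python
"""PRA quantification helpers for two calculations cited in the meeting summary.

Added example, not part of the NRC/Westinghouse document. Constructed inputs are
labelled as such; the document's own values are the 2.43E-07/yr at-power CDF,
22 h/yr in the early cooldown state, quarterly valve testing and a 2.0E-03
per-demand failure rate.
"""
import math


def standby_unavailability_approx(failure_rate_per_hr: float, test_interval_hr: float) -> float:
    """Time-averaged unavailability of a standby component tested every T hours,
    using the first-order approximation lambda*T/2 cited in question 1.e.
    Valid only while lambda*T << 1."""
    return failure_rate_per_hr * test_interval_hr / 2.0


def standby_unavailability_exact(failure_rate_per_hr: float, test_interval_hr: float) -> float:
    """Exact time average of 1 - exp(-lambda*t) over one test interval [0, T]:
    1 - (1 - exp(-lambda*T)) / (lambda*T). Used to bound the approximation error."""
    lt = failure_rate_per_hr * test_interval_hr
    if lt == 0.0:
        return 0.0
    return 1.0 - (1.0 - math.exp(-lt)) / lt


def valve_fail_to_close_probability(*, operated_frequently: bool, demand_failure_rate: float,
                                    standby_failure_rate_per_hr: float,
                                    test_interval_hr: float) -> float:
    """Select the quantification applied in the response to 1.e: a per-demand
    failure probability for a valve exercised often in normal operation,
    otherwise the standby (test-interval) model."""
    if operated_frequently:
        return demand_failure_rate
    return standby_unavailability_approx(standby_failure_rate_per_hr, test_interval_hr)


def scaled_cdf(at_power_cdf_per_yr: float, hours_in_state_per_yr: float,
               hours_per_yr: float = 8760.0) -> float:
    """Response 2a: factor the at-power CDF by the fraction of the year spent in a
    plant state whose accident set and mitigation are bounded by at-power."""
    return at_power_cdf_per_yr * hours_in_state_per_yr / hours_per_yr


def fraction_of_at_power_risk(hours_in_state_per_yr: float, hours_per_yr: float = 8760.0) -> float:
    """Scaled CDF as a fraction of the at-power CDF; the CDF itself cancels."""
    return hours_in_state_per_yr / hours_per_yr


def main() -> None:
    # Document values from response 2a.
    at_power_cdf = 2.43e-07
    early_shutdown = scaled_cdf(at_power_cdf, 22.0)
    print(f"early-shutdown CDF = {early_shutdown:.2e}/yr "
          f"({100 * fraction_of_at_power_risk(22.0):.2f}% of at-power)")

    # Constructed standby failure rate (assumption) with an assumed quarterly test interval.
    lam, quarter_hr = 1.0e-06, 8760.0 / 4
    approx = standby_unavailability_approx(lam, quarter_hr)
    exact = standby_unavailability_exact(lam, quarter_hr)
    print(f"standby model: lambda*T/2 = {approx:.3e}, exact = {exact:.3e}")

    # Valves CVS-045/047 are exercised often, so the demand model applies (response 1.e).
    p = valve_fail_to_close_probability(operated_frequently=True, demand_failure_rate=2.0e-03,
                                        standby_failure_rate_per_hr=lam, test_interval_hr=quarter_hr)
    print(f"demand model for frequently operated valve: {p:.1e}")


if __name__ == "__main__":
    main()
```

The exact form is included so the reader can see how far lambda*T/2 sits from the true time average at a given test interval; for the rates used in this PRA the approximation is slightly conservative (it overstates unavailability).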
3. In reference to open item 19.1.3.3-4, the shutdown PRA still does not clearly identify when automatic injection is available from the IRWST and when only manual injection is available (i.e., during draindown to midloop conditions). In Section 54.2.5 of the PRA, the PRA states, "The low hot leg level signal, used to monitor and control the reactor vessel water level during the drain down of the reactor coolant system for the midloop/vessel flange shutdown phase, is available." The PRA goes on to state, "This instrumentation automatically actuates the IRWST MOVs on low level during the midloop/vessel flange shutdown phase." However, the staff identified that in event tree RCS-OD (overdraining of the RCS during draindown to mid-loop), only manual actuation of the IRWST was credited. The IRWST success criteria summary for this event tree (IW2AO and IWRNS) stated that there were no automatic injection signals. The staff also identified that following a loss of offsite power without grid recovery, automatic IRWST injection was not credited. To resolve this inconsistency, the staff is asking Westinghouse to:

a. Document in Section 54.2.5 of the PRA (Actuating Signals and Systems Available) when IRWST automatic injection is available and when only manual IRWST injection is available during midloop/vessel flange operation.

b. Document in Table 54-2 (Systems Availability and Actuating Signals Type) when IRWST automatic injection is available and when only manual IRWST injection is available during midloop/vessel flange operation.

c. Document in Table 54-2 for each available actuation signal what instrumentation is used to deliver the signal (PMS and/or DAS).
RESPONSE

The hot leg level instrumentation was changed from nonsafety related to safety related. Therefore, actuation of the IRWST is automatic or manual on "low hot leg level" signal, for all reduced RCS inventory scenarios.

The current shutdown PRA conservatively models only manual IRWST injection for some scenarios based on modeling assumptions in the earlier version of the PRA. The current shutdown model reflects the following:

i) During mid-loop/vessel flange operation, given loss of RNS, loss of RNS support systems, or LOOP with grid recovery, IRWST injection is required to actuate automatically or manually; this function is modeled in fault tree IW2A.

ii) Given LOOP without grid recovery, only manual IRWST injection is credited; this is shown in fault tree IW2AP.

iii) During draining of the RCS to mid-loop, only manual IRWST injection is credited if overdraining occurs; this is shown in fault tree IW2AO.

iv) For all of the above events during reduced inventory, if the IRWST normal injection path fails, then injection through the RNS pump suction line (V023) is manually actuated; this is shown in fault tree IWRNS.

a. Section 54.2.5 will be updated to clarify and reflect that both automatic and manual IRWST injection capabilities are available during all reduced inventory scenarios.

b. Table 54-2 will also reflect that IRWST automatic and manual actuation are available during mid-loop/vessel flange operation.

c. Table 54-2 will also show what PMS instrumentation is used to deliver the actuation signal.
4. In reference to open item 19.1.3.3-6 regarding shutdown maintenance, the staff asked Westinghouse to document all maintenance assumptions and provide cross references to the SSAR. Westinghouse responded by clearly documenting testing and maintenance assumptions for specific systems in Table 54-8. In addition, Westinghouse stated that no test and maintenance activities will be conducted during midloop/vessel flange conditions (Section 54.10.2 of the PRA). However, the staff found that Westinghouse provided no cross references to the SSAR. The staff also concluded that maintaining equipment availability (particularly the IRWST) during shutdown is necessary to achieve the low shutdown core damage frequency estimates. Therefore, the staff is requesting Westinghouse to:

a. State in Table 54-8 the maintenance assumptions individually for PMS and DAS. Justify and document in the PRA how these maintenance assumptions will be met (i.e., Tech. Specs., etc.).

b. Justify and document in the PRA how each maintenance assumption for each system in Table 54-8 will be met (i.e., Tech. Specs., etc.).

c. Justify and document in the PRA how the requirement for no test and maintenance activities during midloop/flange operation will be met (i.e., Tech. Specs., etc.).

d. Define and document the assumed "allowed" time to return to a filled condition given a Normal RHR component failure during midloop/vessel flange operation. Document how this "allowed" time will be met (i.e., Tech. Specs., etc.).

e. Clarify and document in the PRA if the "Normal RHR component failure" during midloop/flange operation includes Normal RHR support systems such as CCS and SWS.
RESPONSE

a&b. Westinghouse will complete the Technical Specifications and document in the PRA (Table 54-8) the applicable Technical Specification numbers.

c. Same as above.

d. The Reliability Assurance Program does not specify an "allowed" time to return to a filled condition given an RNS, CCS or SWS component failure during mid-loop operations. A failure of a component in these RTNSS-important systems does not lead to a core damage scenario. Success criteria for these systems are such that failure of a single component (i.e., RNS, CCS, or SWS pump) does not result in a loss of core cooling. The quantification of the core damage frequency for the AP600 at shutdown does not credit a return to a filled condition given the loss of an RNS, CCS or SWS component.

e. The RNS model during mid-loop/vessel flange operation shows CCS as a sub-tree of RNS, and SWS as a sub-tree of CCS. A statement to that effect will be added in Section 54.4.8.
720.286 The staff is requesting Westinghouse to document in the PRA what AP600 auxiliary and passive systems were examined to identify shutdown initiating events (Section 54.2.1, p. 54-2) and the results of this evaluation.

RESPONSE

Passive systems were examined during the search for possible shutdown initiators; these systems/subsystems include: IRWST, CMT, accumulators, PRHR, PCS, and ADS; none of these was identified as a possible shutdown initiator. Auxiliary or support systems were also examined: CCS, SWS and instrument air; from these, CCS and SWS were identified as credible shutdown initiators. The above information will be added to Section 54.2.1.
7. 720.287 The staff is requesting Westinghouse to explain the screening process in more detail (Section 54.2.4, p. 54-4). Several screening criteria are mentioned. However, the staff would like Westinghouse to document in the PRA how each of the "at power" initiating events was screened out.

RESPONSE

The basis for screening out some internal at-power initiating events will be reflected in Section 54.2.4.
720.288 The staff agrees that losses of Normal RHR during refueling are expected to have a negligible addition to the total core damage frequency (Section 54.2.4 of the PRA). However, the concluding statement in that paragraph mentions all losses of water inventory rather than just boil off. Westinghouse needs to evaluate and document in the PRA the potential for LOCA and draining events applicable to the refueling mode.

RESPONSE

During mode 6, the refueling cavity is flooded with approximately 350,000 gallons of refueling water. The number of connections that are capable of draining the refueling cavity are limited and have administrative controls (i.e., locked closed manual valves) to prevent inadvertent draining of the refueling cavity. Other connections that could result in an inadvertent draining are smaller lines, such that the amount of time necessary to drain the refueling cavity is very long (i.e., > 24 hours). Considering that the refueling operations and the refueling cavity water level are continuously monitored by personnel in the containment and the auxiliary building, and given the long time it would take to significantly drain the cavity, inadvertent draining of the refueling cavity need not be quantified.
RESPONSE TO NRC FOLLOW-ON QUESTIONS
HRA PRA QUESTIONS

RAIs ON THE HUMAN RELIABILITY ANALYSIS FOR POWER OPERATION
RAIs Related to DSER Open Item 19.1.3.1-17

1. On page 30-2 of the revised HRA it is stated:

"Because of some degree of uncertainty in the data, in terms of estimates for human error probabilities, it is often useful to perform a sensitivity analysis of the operator actions, during which the estimated human error probabilities, stress levels, dependency levels, or other human performance factors are systematically changed to determine the effect on the human reliability analysis results."

The staff agrees with this statement but could not find such sensitivity analysis in Westinghouse's submittals. Such sensitivity analysis, combined with insights from the importance and uncertainty analyses, would be very helpful to understand the plant's tolerance of human errors and to decide which (if any) human actions require more detailed analysis.
RESPONSE

The following three HRA sensitivity studies were performed for the at-power PRA: (a) all operator actions in the coremelt output file were set to 1.0; (b) all operator actions modeled in the HRA were set to 0.1; and (c) all operator actions in the coremelt output file were set to 0.0. Setting all operator actions to 1.0 is considered to be the most bounding HRA application, and the resulting core damage frequency of 2.78E-05 events per year is quite low and well below the safety goal of 1.0E-04 events per year. When all operator actions were set to 0.1, the increase in core damage frequency is insignificant.

For the low power and shutdown PRA, sensitivity studies were performed by: (a) setting all human error probabilities (HEPs) to 0.5, the highest HEP used in the PRA; and (b) setting all HEPs to 0.0. The sensitivity in setting all operator actions to 0.5 is considered to be bounding, and the resulting core damage frequency of 2.99E-06 is very low.

For the cases in which all HEPs were set to 0.0, the core damage frequencies decreased slightly; this indicates that perfect operator responses are not risk important at the level of plant risk obtained from the base cases.

The results of the above sensitivity studies provide sufficient information about the reliability of the plant when bounding human error probabilities are used; of significance is the finding that the AP600 meets the safety goals with minimal credit for operator actions. Therefore, no further insights would come from conducting additional human error sensitivity studies.
2. Several operator actions modeled in the ATWS event tree are required to be performed in a very short time. For example: (a) ATW-MAN 03 (manually trip the reactor through the PMS in one minute), (b) ATW-MAN 04 (manually trip the reactor through the DAS in one minute, given that an earlier attempt to trip the reactor through the PMS fails), (c) ATW-MAN 01 (manually step in control rods in one minute, using the Plant Control System, given that earlier attempts to trip the reactor through the PMS or DAS fail). These three actions have the same "time window" of one minute, defined on page 30-8 as the time from when cues are provided to the time when system failure is expected if no operator action is taken.

Westinghouse estimated that approximately one minute is needed to perform both ATW-MAN 03 and ATW-MAN 04 (30 seconds each). Similarly, Westinghouse estimated that approximately one minute is needed to step in the control rods (ATW-MAN 01) to provide "sufficient" negative reactivity so that opening of the pressurizer safety valves can prevent RCS pressure from exceeding 3200 psig. Please provide the following information.

a. What is the "net" time window to manually trip the reactor through DAS (action ATW-MAN 04), given that the attempt to manually trip the reactor through PMS (action ATW-MAN 03) fails? What is the actual time needed to perform this action? What is the slack time for ATW-MAN 04, assuming that this action follows an attempt by the operator to manually trip the reactor through PMS (action ATW-MAN 03) that failed? How were dependencies evaluated? Please document your response by referring to specific subtasks and analyses and by stating clearly your assumptions.

b. What is the "net" time window to manually step in the control rods (action ATW-MAN 01), given that the attempts to manually trip the reactor through PMS (action ATW-MAN 03) and through DAS (action ATW-MAN 04) have failed? What is the actual time needed to perform this action? What is the slack time for ATW-MAN 01, assuming that this action follows attempts by the operator to manually trip the reactor through both the PMS (action ATW-MAN 03) and the DAS (action ATW-MAN 04) that have failed? How were dependencies evaluated? Please document your response by referring to specific subtasks and analyses, and by stating clearly your assumptions.

c. How were "mechanical faults," such as binding of rods within their channels and rod drive mechanisms failing to disengage, modeled in the AP600 PRA?

d. Westinghouse estimated that approximately one minute is needed to step in the control rods (ATW-MAN 01) to provide "sufficient" negative reactivity so that opening of both pressurizer safety valves can prevent RCS pressure from exceeding 3200 psig. Is this true even when an "adverse" moderator temperature coefficient (MTC) exists, such as at the beginning of the fuel cycle? How is this modeled in the ATWS event tree? Please provide calculations of RCS pressure for the limiting transient (e.g., total loss of feedwater without turbine trip) assuming early core life MTCs. How was the failure of one safety valve to open modeled in the ATWS event tree?
RESPONSE
2a&b The " net" time window of 1 minute is estimated for the three operator actions (ATW MAN 01, ATW MANO3 and ATW MAN 04). ATW-MAN 03 and ATW-MAN 04 model the actions to trip the reactor through PMS and DAS, respectively; ATW MAN 01 models the action to initiate manual rod insertion. It is assumed that ATW-MAN 01 is required to be initiated within one minute after the initiation of a limiting event (from RCS peak pressure standpoint, and that, once initiated, the action is successful. These actions are skilled-based activities on which the operators are fully trained. The operators are expected to recognize the ATWS cues and execute actions ATW-MAN 03 and ATW-MAN 04 as immediate actions (without reference to procedures) within a few seconds from event initiation; if these fail, ATW MAN 01 is initiated immediately. In that regard, these actions are expected to be performed in a shorter actual time frame than assumed in the HRA.
The actions are expected to be conducted very quickly in three basic steps: a) operator recognizes ATWS and executes ATW-MAN 03; b) almost immediately, he recognizes the reactor is not tripped and he executes ATW-MAN 04; and c) he then recognizes that ATW.
MAN 03 and ATW-MAN 04 did not trip the reactor, and initiates manual rod insertion immediately. In other words, it is expected that, once the operator hits (or thinks he hits) the control for ATW-MANO3 and plant does not respond as expected (i.e., rod-bottom lights indication not obtained within several seconds), he immediately executes ATW MAN 04; action ATW MAN 01 is expected to be executed in a similar way. The rationale in outlining how these actions are expected to be performed is important to show that the actual times modeled in the HRA for these operator actions are conservative; the crew is not expected to stop to investigate why ATW MAN 03 failed before executing ATW-MAN 04; similarly, ATW-MAN 01 is expected to be initiated without stopping to investigate or recover from failure of ATW MAN 03 and ATW MAN 04. On the other hand, even if it is assumed that the operator attempts each action a few times in the hope of recovering an error, it is believed that the one minute time window is sufficient to allow for this; however, no credit is taken in the HRA for recovery of these actions that may be possible due to available slack time. The HRA conservatively assumes the operator takes 30 seconds to perform ATW MAN 03, and an additional 10 seconds to carry out ATW MAN 04. The analysis also conservatively assumes that ATW MAN 01 is initiated almost i minute after event initiation. For events other than the limiting event, more time would be available, in the HRA quantification, ATW MAN 04 is assigned a high dependency on ATW-MAN 03; and ATW MAN 01 is assigned a high dependency on ATW MAN 03 and ATW MAN 04. The dependency evaluation is performed according to the criteria in Section 30.7 of the HRA.
c.
Mechanical failure of control rods is discussed in Chapter 6 of the PRA; Section 6.6.2 provides the rationale or justification for excluding reactor trip failure due to mechanical faults l
from the ATWS event trees.
d.
The unfavorable exposure time (UET) is the period of time at the beginning of a cycle during which the pressurizer safety valve relief capacity is predicted to be insufficient to maintain RCS pressure below the ASME Service Level C stress limit (3200 psig), as a result of unfavorable reactivity feedback during an ATWS event. Peak RCS pressure during the limiting ATWS event occurs approximately two minutes after onset of the event. As indicated in Section 6.6.3 of the AP600 PRA, analyses performed in support of the AP600 core design indicate that the UET is zero (for the limiting transient) if one RCCA bank is inserted for one minute (at maximum insertion speed), assuming that insertion begins at about one minute after onset of the event. That is, if rod insertion is actuated within one minute following event initiation, there is no UET, so that, if the pressurizer safety valves operate, the RCS pressure will remain below 3200 psig.
Note that the UET is measured in units of time (generally days) from the beginning of the fuel cycle, and that the value of UET is a function of, among other parameters, whether or not manual actuation of control rod insertion occurs.
In the ATWS event trees, two success criteria related to adequacy of pressure relief are defined (see Section 6.4.19 of the AP600 PRA): PRES, which is applicable for sequences in which UET is zero (e.g., where manual rod insertion has succeeded); and PRESU, which is applicable for sequences in which the UET is non-zero (e.g., manual rod insertion has failed).
Both criteria require opening of both pressurizer safety valves. The calculation for PRESU additionally factors in a failure probability of 1.0 for that portion of the cycle to which the UET applies.
As indicated in the previous paragraph, failure of one pressurizer safety valve is considered as failure of top event PRES, regardless of time in cycle.
3.
Several assumptions about "time windows," used in the HRA, are not clear to the staff. For example, a "time window" of 30 minutes is assumed for events LPM-MAN 01/LPM-MAN 03/LPM-MAN 07 (operator failure to recognize the need for RCS depressurization). A 30-minute "time window" is also assumed for event ADN-MAN 01 (operator failure to perform RCS depressurization, given LPM-MAN 01/LPM-MAN 03/LPM-MAN 07 success).
Does this imply that the total "time window" for depressurizing the RCS (i.e., recognizing the need for depressurization and manually actuating the ADS) is one hour? Does the 30-minute "time window" for task LPM-MAN 01 imply that task ADN-MAN 01 (actuate ADS) will not be successful if it is initiated after 30 minutes, even if the estimated actual time to complete task ADN-MAN 01 is 20 minutes? Is it true that the need to actuate ADS has been diagnosed when the 30-minute "time window" for task ADN-MAN 01 begins? Westinghouse responses to the same questions are also needed for the "time window" of 22 minutes for events LPM-MAN 02/LPM-MAN 04/LPM-MAN 08 (operator failure to recognize the need for RCS depressurization during a medium or intermediate LOCA) in combination with the 30-minute "time window" for ADN-MAN 01. Please explain.
RESPONSE
The time windows and actual time for these events will be re-examined based on updated success information. The modeling assumptions for these events will be described in the next HRA revision.
4.
The "time window" estimates used in the HRA could be significantly affected by the various thermal-hydraulic (T-H) uncertainties associated with passive system T-H modeling. Do the "time windows" assumed in the HRA account for T-H uncertainties? Please explain how the issue of T-H uncertainties and their potential impact on "time windows" has been addressed, or will be addressed, in the HRA.
RESPONSE
Many of the time windows in the HRA have been defined from MAAP4 analysis results. The acceptable time windows have been established with at least 600°F margin to the PCT limit.
In the MAAP4 benchmarking and T-H uncertainty resolution plan, the operator action times that result in the least PCT margin are to be examined. The currently defined time windows in the HRA may be changed when MAAP4 code uncertainty or T-H uncertainty is considered further.
5.
There seems to be a conflict between the operating philosophy as documented in the SSAR and the operating philosophy as modeled in the PRA. The PRA states that the operator does not need to do any significant knowledge-based diagnosis and decision making (operators will only need to detect alarms, indications, etc., and then will be guided by the symptom-based procedures). On the contrary, in the SSAR (e.g., pages 18.8214 and 18.6-7) it is stated that operators will be thinking ahead of the plant. This implies that the operators will not just be detecting information and then acting, but that they will be proactive. These two operating philosophies require a very different HRA model. Operating experience has shown that, even when "symptomatic" procedures are used, operators do still diagnose and, in fact, will circumvent procedures and skip ahead to solutions (which Westinghouse plants also allow) when operators know what the event is. This is modeled best by Table 20-3 of the HRA Handbook, which includes perception, discrimination, interpretation, diagnosis and first-level decision making. Please respond to these comments.
RESPONSE
The THERP HRA Handbook states (on page 1210) that, with the advent and acceptance of symptom-based procedures, it is possible that the need to diagnose an unusual event may diminish in importance for PRA. The Handbook also states that the cognitive models recommended therein are based on then-current written procedures that are not symptom-based in most cases.
The Handbook has cited two examples in which the cognitive component (time-dependent diagnosis) and annunciator response rediagnosis are modeled; these are shown in Figures 21-2 and 21-5 of the Handbook. The incorporation of crew dependency in these models has resulted in HEPs well below 108. Westinghouse agrees with the THERP insight into the possible impact of the use of symptom-oriented procedures on the cognitive element of diagnosis. Therefore, time-dependent diagnosis (THERP Table 20-3) was excluded from the AP600 models. On the other hand, alarm response diagnosis in the AP600 has been modeled very conservatively by applying stress factors to the basic human error probabilities (BHEPs) from THERP Table 20-23; the HEPs in Table 20-23 include the effects of stress.
If the cognitive (time-dependent) diagnosis were included in the AP600 models, the annunciator response rediagnosis would also be applicable because the alarm cues currently modeled would not clear (i.e., the analog process parameters will usually move before the discrete alarm message system is able to recognize that an alarm message should clear).
Therefore, the cognitive error would be multiplied by the alarm response error, resulting in diagnosis HEPs about one to three orders of magnitude smaller. In other words, the diagnosis models in the AP600 provide higher HEPs than would be produced by the models recommended in the Handbook.
6.
In the HRA quantification, credit is often taken for separate recovery actions by the senior reactor operator (SRO) and the shift technical advisor (STA). The AP600 HRA is assuming a very low degree of dependence between recovery actions for a single subtask. One would argue that common operator training, communication and short time intervals provide strong sources of dependency between operators. For this reason, the THERP methodology does not allow taking credit for more than one recovery, and only where there are formal checks. Given that the AP600 PRA assumes recovery for every action by the control room crew, will there be formal checks in the procedures for each step for both the SRO and the STA? In addition, according to the HRA Handbook, the "one-of-a-kind checking with alert factors" recovery probability of 8.1E-2 is applicable to normal operating conditions only. Please explain.
RESPONSE
The AP600 emergency and abnormal operating procedures follow the same structure as the generic Westinghouse symptom-based ERGs. The procedures are generally designed with formal checks or verification, which provide multiple opportunities for recovery of a single subtask.
THERP assumes high dependency between senior reactor operator (SRO) and reactor operator (RO), low to moderate dependency between shift supervisor (SS) and other crew members, and (if the shift technical advisor (STA) is present) low to moderate dependency for STA diagnosis and high dependency for STA during task manipulation. For example, if a basic human error probability (BHEP) of 1.0E-03 is used for the RO's failure then, according to THERP, the SRO HEP is 0.5, the SS HEP could be 0.05 or 0.15, and the STA HEP could be 0.05 or 0.15 (during diagnosis) and 0.5 (during action execution). Therefore, the total HEP for this subtask could range from 1.25E-6 (i.e., 1.0E-3 x 0.5 x 0.05 x 0.05) to 1.13E-5 (i.e., 1.0E-3 x 0.5 x 0.15 x 0.15), if used for diagnosis; and from 1.25E-5 to 3.75E-5, if used for action execution. If a moderate stress level is assigned during action execution, then the total HEP could increase by a factor of "2", ranging from 2.5E-5 to 7.5E-5; if a high stress level is assigned, the HEP increases by a factor of "5", ranging from 6.25E-5 to 1.88E-04. (THERP diagnosis BHEPs are supposed to include stress level consideration for the event.)
In the AP600, dependency assumed among operating crew members is applied as follows: moderate dependency is assigned between SRO and RO; the THERP BHEP is multiplied by the stress PSF to estimate the RO's failure, and the estimated moderate dependency for the SRO is rounded to 0.1. Although a shift supervisor is expected to be on the AP600 operating crew, we have not taken credit directly for recovery by the SS. To be somewhat conservative, we combined the SS recovery with that of the SRO and applied one moderate dependency value of 0.1 for both. In order to reflect some degree of variation for recovery among different classes of events, we select the BHEP of 8.1E-02 (from THERP Table 20-22) and modify it by the stress factor associated with the event; this modified HEP is used for STA recovery. This BHEP, although recommended by THERP for application to normal operating conditions, is judged to be appropriate for emergency operating conditions since it is modified by the stress factor assessed for the event, which, in most cases, is conservatively a high stress level (a multiplier of "5"); therefore, the STA recovery is estimated to be 1.62E-01 (i.e., 8.1E-02 x 2) for the few cases of moderate stress application, and 4.05E-01 (i.e., 8.1E-02 x 5) for high stress application.
In the example cited above, the HEP for the AP600 will be 3.24E-05 (if the event is assigned a moderate stress level) or 2.25E-04 (if the event is assigned a high stress level), regardless of the action being related to diagnosis or manipulation.
We believe that some differences exist in recovery during different accident conditions; we have attempted to reflect this difference by selecting a suitable BHEP of 8.1E-02 for the STA and modifying it by appropriate stress factors. As shown above, the recovery model used in the AP600 will provide HEPs that are normally higher than those obtained from THERP assumed dependency modeling. Moreover, this recovery is applied in the AP600 only if the event satisfies the specific time window and slack time criteria; if the time window is less than 10 minutes, or if the estimated slack time is less than 5 minutes (for time windows greater than 10 minutes), STA recovery is not credited in the HRA. (The HEP of 8.1E-02 and other HEPs from THERP Table 20-22 have been used for recovery during abnormal operating conditions in accepted HRAs performed by other organizations.)
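The dependency and stress arithmetic in the response to question 6, as an added worked example that is not code from the AP600 PRA or from Westinghouse. It implements the THERP (NUREG/CR-1278) conditional-HEP equations for the dependence levels, reproduces the quoted THERP ranges for one recovered subtask, and applies the AP600 recovery model as described above (SRO and SS combined at 0.1, STA recovery from the 8.1E-02 BHEP scaled by the event stress factor and credited only when the time-window and slack-time criteria are met); the function and parameter names are this example's own.

```python
"""THERP crew-dependence and stress arithmetic for a single recovery subtask.

Added worked example (not the AP600 PRA's own code). Reproduces the THERP
ranges and the AP600 recovery figures quoted in the response to question 6.
"""
from itertools import product

# THERP conditional HEPs for a recovering crew member, given failure of the
# preceding crew member: zero, low, moderate, high and complete dependence.
DEPENDENCE = {
    "ZD": lambda p: p,
    "LD": lambda p: (1 + 19 * p) / 20,
    "MD": lambda p: (1 + 6 * p) / 7,
    "HD": lambda p: (1 + p) / 2,
    "CD": lambda p: 1.0,
}

# For small BHEPs THERP rounds these to 0.05 / 0.15 / 0.5, as the page does.
ROUNDED = {"ZD": None, "LD": 0.05, "MD": 0.15, "HD": 0.5, "CD": 1.0}

# Stress performance-shaping factors used on the page.
STRESS = {"optimum": 1.0, "moderate": 2.0, "high": 5.0}


def conditional_hep(bhep, level, rounded=True):
    """Conditional HEP of a recovering crew member at a THERP dependence level."""
    if rounded and ROUNDED[level] is not None:
        return ROUNDED[level]
    return DEPENDENCE[level](bhep)


def therp_subtask_hep(bhep, phase, stress="optimum"):
    """(min, max) total HEP for one subtask with SRO, SS and STA recovery under THERP.

    phase: "diagnosis" (STA low-to-moderate dependence) or "execution" (STA high).
    The stress factor applies to execution only; THERP diagnosis BHEPs already
    include stress, as the response notes.
    """
    sro = conditional_hep(bhep, "HD")                     # SRO: high dependence on RO
    ss_levels = ["LD", "MD"]                              # SS: low to moderate
    sta_levels = ["LD", "MD"] if phase == "diagnosis" else ["HD"]
    factor = STRESS[stress] if phase == "execution" else 1.0
    totals = [
        bhep * sro * conditional_hep(bhep, ss) * conditional_hep(bhep, sta) * factor
        for ss, sta in product(ss_levels, sta_levels)
    ]
    return min(totals), max(totals)


def ap600_subtask_hep(bhep, stress, time_window_min, slack_min,
                      sro_ss_dep=0.1, sta_bhep=8.1e-2):
    """Total HEP for one subtask under the AP600 recovery model on the page.

    RO failure = BHEP x stress PSF; SRO and SS recovery share one moderate
    dependence value (0.1); STA recovery = 8.1E-02 x stress PSF, credited only
    when the time window is at least 10 minutes and slack time at least 5.
    """
    factor = STRESS[stress]
    hep = bhep * factor * sro_ss_dep
    if time_window_min >= 10 and slack_min >= 5:
        hep *= sta_bhep * factor
    return hep
```

With a BHEP of 1.0E-03 the THERP functions give the page's 1.25E-6 to 1.13E-5 (diagnosis) and 1.25E-5 to 3.75E-5 (execution) ranges, and the AP600 model with moderate stress gives 3.24E-05.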
7.
The passive nature of the safety systems in the AP600 design, combined with the reliance of the design on advanced instrumentation and control (I&C), has the potential to change the operator's interactions with the plant (as compared with operating plants) during accident conditions. In addition, operators may intentionally choose to circumvent procedures to avoid economic consequences (e.g., avoid containment steaming, avoid thermal shock due to overcooling or avoid water hammer). Please perform at least a qualitative evaluation of errors of commission that could impact the performance and reliability of the plant during accident conditions. This, also recommended by EPRI in its Utility Requirements Document (URD), is needed to identify potential errors of commission (and their consequences) and ensure that appropriate design certification and operational "requirements" will be used to prevent such errors.
RESPONSE: This information is covered in the Adverse Systems Interaction Report.
8.
Westinghouse needs to evaluate the uncertainty associated with human error probability (HEP) estimates (e.g., present the HRA results in terms of a mean value and an associated error factor).
RESPONSE
The uncertainty analysis on the Level 1 PRA will provide the error factors for HRA events.
9.
Is event RNS-V024 (operator opens MOV 024 to replenish the IRWST inventory using the NRHR pumps) included in the revised PRA models? If yes, was its probability revised to address DSER concerns? Please explain.
RESPONSE
Event RNS-V024 (operator opens MOV-024 to replenish the IRWST inventory using NRHR pumps) is not included in the revised PRA models.
10.
The cues for LPM-MAN 02 (failure to recognize the need for RCS depressurization) and CMN-MAN 01 (failure to actuate the CMTs) are identical (see page 30-26). Could the operator fail to diagnose the need for CMT actuation, believing that only depressurization is needed? What would the operator do first? How does this affect the estimated "actual time" and the diagnosis of either one of these events?
RESPONSE
Actuation of the CMTs is procedurally performed first. Task dependency is incorporated into the modeling of LPM-MAN 02, CMN-MAN 01 and ADN-MAN 01. CMN-MAN 01 has a high dependency on LPM-MAN 02, and ADN-MAN 01 has a moderate dependency on CMN-MAN 01. The defined time window for diagnosis is not separate from the time for action execution; the same time window is common to both components. It is believed that, once the operator recognizes the cues, very little time is taken for manual actuation of these systems.
11.
The "actual time" it will take the operator to actuate the CMTs (event CMN-MAN 01) was estimated to be approximately 20 minutes during a small LOCA and only 8 minutes during a medium LOCA (see pages 30-26 to 30-28). Given that the operator will have to follow the same procedure and perform the same subtasks in both cases, what is the basis for the much shorter "actual time" during medium LOCAs?
RESPONSE
It is true that, by following the same procedure, the "actual time" to actuate the CMTs is the same for small LOCA and medium LOCA. Based on engineering judgement, we have allowed a longer "actual time" for the small LOCA case because of the much longer time window for small LOCA.
12.
Multiple alarms, close in time, could impact event diagnosis. By referring to the most risk-important human actions, as determined by the importance analysis, please discuss how multiple alarms have been analyzed and accounted for in the HRA models.
RESPONSE
In the AP600 HRA, the primary cues for operator diagnosis are modeled with the assumption that an associated alarm is provided for each cue. The models reflect diagnosis success if the operator responds to N-out-of-N alarms, which translates to diagnosis failure if the operator does not respond to 1-out-of-N alarms. This modeling is conservative for many cases, since correct diagnosis can be made by responding to M-out-of-N alarms, where 1 ≤ M < N.
Based on human factors engineering (HFE) design requirements for the AP600 alarm system, the operators are expected to be presented with the diagnosis cues, modeled in the HRA, in the highest priority, and be able to focus primarily on these cues. The AP600 alarm system addresses the problem of alarm avalanching and operator data overload by reducing the number of indications presented simultaneously during major disturbances. In that regard, highest priority messages are clearly indicated to the operators, and minor alarms are prioritized and elevated to a place (or level) of attention according to their significance; those active alarm messages which are not currently displayed shall be accessible and available to the operator upon request.
RAIs ON THE HUMAN RELIABILITY ANALYSIS FOR SHUTDOWN OPERATION
1.
The time window for operator action RCS-MANOD2S (detect failure of automatic closure of air-operated valves CVS-V045 and -V047 and manually close them) is very small (5 minutes).
The shutdown PRA, as the PRA for power operation, states that the operator does not need to do any significant knowledge-based diagnosis and decision making (operators will only need to detect alarms, indications, etc., and then will be guided by the symptom-based procedures).
Operating experience has shown that, even when "symptomatic" procedures are used, operators do still diagnose and, in fact, will circumvent procedures and skip ahead to solutions (which Westinghouse plants also allow) when operators know what the event is. This is modeled best by Table 20-3 of the HRA Handbook, which includes perception, discrimination, interpretation, diagnosis and first-level decision making. Please respond to these comments and re-quantify the probability of event RCS-MANOD2S as necessary.
RESPONSE
Response to question 5 for at-power operation also applies to this question.
2.
Regarding DSER open item 19.1.3.3-1, operator action RHN-MANDIV represents the likelihood that the operator would inadvertently drain reactor coolant into the IRWST through Normal RHR valve V-024. The probability of RHN-MANDIV was assigned a value of 1E-5 in Chapter 30 of the PRA. The corresponding task analysis for RHN-MANDIV evaluated the likelihood that the operator selects the wrong control to align Normal RHR and fails to close the diversion path. This probability was then used as a frequency (1E-5 per year) in the shutdown PRA to represent the frequency of overdraining the Normal RHR system through inadvertent opening of V-024. This frequency is very low and suggests that a pipe rupture of Normal RHR is more likely than an inadvertent draindown event.
a.
Please search for other potential reactor coolant drain down paths that the operator could create, considering that the reactor coolant system may be pressurized (i.e. during hot shutdown), and document this search in the shutdown PRA.
b.
The task analysis for RHN-MANDIV only evaluates the likelihood of the operator selecting the wrong control (V-024) to align Normal RHR. The staff believes that other conditions could create an opportunity to create this drain path (i.e. valve testing, etc.).
Please use operating experience to obtain a frequency of inadvertent drain down events or justify in the shutdown PRA why operating experience is not applicable.
c.
Please explain why the failure probability of RHN-MANDIV is used, also, as the frequency of overdraining the NRHR system.
d.
The same time windows are used in the task analysis of event RHN-MANDIV for both pressurized (i.e., hot shutdown) and non-pressurized (i.e., cold shutdown) conditions. A draindown event when the RCS is pressurized would drain the RCS faster than an event with the RCS non-pressurized. This may require separate analysis of the same scenario for hot and cold shutdown conditions, respectively. In addition, please provide the following details in the shutdown PRA for each potential drain path:
i)
Define in the shutdown PRA what the term "time window" means for each scenario (time to core damage, time to core uncovery, etc.).
ii)
Define in the shutdown PRA what the term "actual time" means for each scenario.
iii)
Develop time windows considering both pressurized and non-pressurized conditions.
RESPONSE
a&b Westinghouse will provide a comprehensive list of RCS drain connections and provide a qualitative discussion on how these drain paths have been considered in the PRA. The PRA explicitly models only one drain path (in the RNS) that results in overdraining of the RCS.
However, Westinghouse has lumped overdraining of the RCS via the CVS letdown line with breaks in the letdown line, and therefore overdraining via this line has been considered in the PRA.
c.
The failure probability of RHN-MANDIV is used only in the frequency of overdraining the
d(i)
The term "time window" is defined in the PRA as the time from which cues for a particular event are presented to the operating crew to the time at which loss of the specific plant function is likely to occur if the task is not performed.
d(ii)
The term "actual time" is defined in the PRA as the average time that it is likely to take the operating crew to diagnose and execute the actions for a defined task. Similar to the "time window" definition, the actual time is measured from the time at which the cues are presented to the operating crew.
d(iii) The operator actions used in the shutdown PRA are separated into the following three groups:
a) Most operator actions used in the shutdown PRA are also used in the at-power analysis. Those operator actions were calculated primarily for the at-power scenario; therefore, the time windows for such operator actions are judged to be conservative for both pressurized and non-pressurized shutdown conditions.
b) Some operator actions are used only in non-pressurized conditions; therefore, the time windows for such operator actions are based on scenarios when the plant is depressurized.
c) Two operator actions, namely, RHN-MAN 02 and RHN-MAN 03, are used in the loss of offsite power event trees for both pressurized and non-pressurized shutdown conditions. Each of these actions has an estimated time window of 1 hour for the pressurized condition, and 30 minutes for the non-pressurized condition. The 2-hour time window currently assigned to these operator actions will be changed; this correction will be reflected in the next revision of the HRA.
DISTRIBUTION w/ attachments:
Docket File PUBLIC PDST R/F DCrutchfield BGrimes TQuay RArchitzel WHuffman TKenyon DJackson JSebrosky
DISTRIBUTION w/o attachments:
WRussell/FMiraglia, 0-12 G18 AThadani, 0-12 G18 RZimmerman, 0-12 G18 ACRS (11)
EJordan, T-4 D18 JMoore, 0-15 B18 WDean NSaltos, 0-10 E4 SDinsmore, 0-10 E4 MPohida, 0-10 E4 JFlack, T-10 F13