ML20149L649

Plant TER on IPE Front End Analysis
ML20149L649
Person / Time
Site: Duane Arnold
Issue date: 08/31/1995
From: Thomas W
SCIENCE & ENGINEERING ASSOCIATES, INC.
To:
NRC
Shared Package
ML20149L652 List:
References
CON-NRC-04-91-066, CON-NRC-4-91-66 SEA-94-553-014, SEA-94-553-014-A:3, SEA-94-553-14, SEA-94-553-14-A:3, NUDOCS 9608070136


Text

SEA 94-553-014-A:3
August 31, 1995

Duane Arnold Nuclear Power Plant Technical Evaluation Report on the Individual Plant Examination Front End Analysis

NRC-04-91-066, Task 14

Willard Thomas
Science and Engineering Associates, Inc.

Prepared for the Nuclear Regulatory Commission

TABLE OF CONTENTS

E. EXECUTIVE SUMMARY
  E.1 Plant Characterization
  E.2 Licensee's IPE Process
  E.3 Front-End Analysis
  E.4 Generic Issues
  E.5 Vulnerabilities and Plant Improvements
  E.6 Observations
1. INTRODUCTION
  1.1 Review Process
  1.2 Plant Characterization
2. TECHNICAL REVIEW
  2.1 Licensee's IPE Process
    2.1.1 Completeness and Methodology
    2.1.2 Multi-Unit Effects and As-Built, As-Operated Status
    2.1.3 Licensee Participation and Peer Review
  2.2 Accident Sequence Delineation and System Analysis
    2.2.1 Initiating Events
    2.2.2 Event Trees
    2.2.3 Systems Analysis
    2.2.4 System Dependencies
  2.3 Quantitative Process
    2.3.1 Quantification of Accident Sequence Frequencies
    2.3.2 Point Estimates and Uncertainty/Sensitivity Analyses
    2.3.3 Use of Plant-Specific Data
    2.3.4 Use of Generic Data
    2.3.5 Common-Cause Quantification
  2.4 Interface Issues
    2.4.1 Front-End and Back-End Interfaces
    2.4.2 Human Factors Interfaces
  2.5 Evaluation of Decay Heat Removal and Other Safety Issues
    2.5.1 Examination of DHR
    2.5.2 Diverse Means of DHR
    2.5.3 Unique Features of DHR
    2.5.4 Other GSI/USIs Addressed in the Submittal
  2.6 Internal Flooding
    2.6.1 Internal Flooding Methodology
    2.6.2 Internal Flooding Results
  2.7 Core Damage Sequence Results
    2.7.1 Dominant Core Damage Sequences
    2.7.2 Vulnerabilities
    2.7.3 Proposed Improvements and Modifications
3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS
4. DATA SUMMARY SHEETS
REFERENCES

LIST OF TABLES

Table 2-1. Plant Specific Component Failure Data
Table 2-2. Generic Component Failure Data
Table 2-3. Comparison of Common-Cause Failure Factors
Table 2-4. Accident Types and Their Contribution to Core Damage Frequency
Table 2-5. Initiating Events and Their Contribution to Core Damage Frequency
Table 2-6. Top 8 Dominant Event Tree Core Damage Sequences

E. EXECUTIVE SUMMARY

This report summarizes the results of our review of the front-end portion of the Individual Plant Examination (IPE) for the Duane Arnold nuclear plant. This review is based on information contained in the IPE submittal [IPE Submittal] along with the licensee's responses [RAI Responses] to a request for additional information (RAI).

In responding to the RAI, the licensee states that the original IPE analysis, as described in the IPE submittal, has been updated. The licensee response to the RAI describes the results of Revision 3 of the Probabilistic Safety Assessment (PSA) model, including updated accident sequences and dominant core damage contributors. To the extent possible, the IPE results and findings reported in this review are based on Revision 3 of the PSA as reported in the RAI responses.

E.1 Plant Characterization

The Duane Arnold nuclear plant consists of a single unit boiling water reactor (BWR)-4, Mark 1 plant located in Linn County, Iowa. The plant power ratings are 1,658 megawatt thermal (MWt) and 541 net megawatt electric (MWe). Duane Arnold began commercial operation on February 1, 1975.

Design features at Duane Arnold that impact the core damage frequency (CDF) relative to other BWRs are as follows:

Hardened wetwell vent. Installation of a hardened wetwell vent was expected to be finished shortly after completion of the IPE submittal. This design feature tends to reduce the CDF. Credit for this hardened vent was taken in the analysis.

Diverse means for establishing alternate vessel injection. Alternate vessel injection can be supplied from 5 different sources, specifically by the appropriate lineup of equipment in (1) the emergency service water system (ESW), (2) the general service water system (GSW), (3) the residual heat removal service water (RHRSW) system, (4) the fire water system, or (5) the well water system. This design feature tends to reduce the CDF.

Reliable design of offsite power supply system. The offsite power switchyard has a diverse dual ring bus arrangement that helps to minimize the possibility of losing the supply of offsite power. In addition, essential loads are normally operated from the startup transformer, thereby eliminating the need for a "fast transfer" on loss of the main generator. This design feature tends to reduce the CDF.

Large air accumulators for feedwater regulating valves. The feedwater regulating valves have large air accumulators installed. Consequently, an extended loss of the external instrument air supply would be required to fail these valves. This design feature tends to reduce the CDF.

Ability of equipment to operate without heating, ventilating, and air conditioning (HVAC) for extended periods. Most of the equipment located in the reactor building can operate without HVAC for extended periods. Plant analyses have been performed to demonstrate that the large rooms in the reactor building have sufficient heat capacity to significantly limit the temperature rise in the absence of room cooling. This design feature tends to reduce the CDF.

Halting of depressurization in Emergency Operating Procedures (EOPs). The Duane Arnold EOPs specify halting depressurization at 200 psig when turbine-driven systems are available but low pressure injection systems are not. This design feature tends to reduce the CDF.

E.2 Licensee's IPE Process

The Duane Arnold IPE is a Level 2 PRA. The methodology chosen for the Duane Arnold IPE front-end analysis was a Level 1 PRA. The small event tree/large fault tree technique with fault tree linking was used to quantify core damage sequences.

Licensee engineering and plant staff were involved in the IPE since its inception, and directed all aspects of the analysis. The IPE was completely quantified by licensee staff. Work performed by consultants was closely controlled and was done in such a way that technology transfer to the licensee was maximized.

An independent in-house review committee was created to review the information contained in the initial preparation of the system notebooks. Other independent in-house reviews were also conducted by the licensee as various portions of the project were performed. Finally, two consultants, J. H. Moody of Moody Consulting and G. W. Parry of Halliburton NUS performed an independent external review of the IPE.

Revision 3 of the PSA appears to reflect the plant design and operation as of December 1994. The original IPE described in the submittal reflected the plant design and operation as of startup from the 1992 refueling outage.

The IPE submittal does not indicate whether the licensee plans to maintain a "living" PRA.

E.3 Front-End Analysis

The methodology chosen for the Duane Arnold IPE front-end analysis was a Level 1 PRA. The small event tree/large fault tree technique with fault tree linking was used to quantify core damage sequences.

Core damage is defined to occur when the vessel water level is below one-third of the core height and decreasing. The system success criteria are based on the UFSAR, operations manual descriptions, and realistic calculations. The realistic calculations are based on General Electric (GE) studies and plant-specific Modular Accident Analysis Program (MAAP) analyses.

The IPE quantified at least 16 initiating events among 5 general LOCA categories, 6 generic transients, and 3 special initiating events representing support system failures.

It appears that plant-specific data were used where possible to quantify initiating events. Plant-specific data were exclusively used to quantify the unavailabilities of equipment due to testing and maintenance activities.

For Revision 3 of the analysis, plant specific failure data were used for the high pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC) systems.¹ It is not known if the Revision 3 analysis also used plant-specific failure data for other systems.¹

¹ In the original IPE analysis, a comparison was made between Duane Arnold plant-specific data and failure rate data reported by the commercial nuclear power industry to the Nuclear Power Reliability Data System (NPRDS). As stated in the submittal, the Duane Arnold plant experienced failure rates as low or lower than reflected in the corresponding NPRDS data for all components analyzed in conjunction with the IPE. The licensee used this finding as the basis to use generic data exclusively for component failures. Thus, no plant-specific data were used in the original IPE to quantify equipment unavailabilities due to component failures.

The IPE has taken credit for restoration/repair of selected items of equipment, specifically diesel generators, power conversion system (PCS) equipment, and RHR equipment. Based on a review of event importance measures, it appears that the overall CDF has been reduced by no more than approximately 20% as a result of credit for repair activities.

The beta factor method was used to model common cause failures.

A formal mathematical propagation of statistical uncertainty (that would present the results of this study in terms of probability density functions) was not performed on the analysis results. The submittal describes a sensitivity analysis related to the quantification of human error rates.

The CDF estimate for Duane Arnold in the Revision 3 model is 1.50E-05/yr. Core damage contributions by accident type are listed below.

Loss of Offsite Power (LOSP)  42%
Anticipated Transient Without Scram (ATWS)  22%
Transients  17%
Special Events  16%
LOCA  3%

Station blackout appears to represent 40% of the overall CDF.

The internal initiating events that contribute most to the CDF and their percent contribution are listed below:²

LOSP  42%
Turbine Trip w/ subseq. ATWS  13%
Main Steam Isolation Valve (MSIV) Closure w/ subseq. ATWS  7%
Manual Shutdown  6%
Loss of Division I DC  6%
Turbine Trip w/ Bypass (no subseq. ATWS)  6%
Loss of River Water  5%
Loss of Division II DC  5%

² Only the most dominant initiating event contributors to CDF are listed here. The data in this table were extracted from Figure A-4 and Table B-3 of the RAI Responses. A complete set of initiating event contributors to CDF can be extracted from Table B-3 of the RAI Responses.

Excluding initiators, the most important events based on the Fussell-Vesely importance measure are (in decreasing order of importance):

Failure to recover offsite power within 30 minutes
Failure to recover emergency AC power within 30 minutes
Failure to recover offsite power within 2 hours
Failure to recover emergency AC power within 2 hours
Failure of operators to depressurize reactor vessel to 50 psig on high drywell temperature

The IPE directly coupled each Level 1 sequence to the back-end analysis through directly linked event trees. These trees and their linking include preventive or mitigative features as well as timing considerations.

E.4 Generic Issues

The submittal addresses decay heat removal (DHR) and its contribution to CDF. The IPE used both quantitative design objectives from the NRC staff and qualitative insights from past A-45 studies as input for the DHR analysis. The overall CDF contribution related to DHR failures as represented by the original IPE analysis was estimated to be 5.9E-06/yr using the NRC definition of DHR-related sequences in the A-45 study. The licensee notes that this DHR CDF contribution is below the acceptance level set by the NRC staff in NUREG 1289 of 3.0E-05/yr, and much lower than the 3.0E-04/yr level set for corrective action.

The submittal states that no vulnerabilities exist to adversely affect the operators' ability to accomplish the DHR function during an accident. Finally, the submittal compares DHR vulnerability insights from A-45 studies with their applicability to Duane Arnold.

The IPE submittal does not propose to resolve any generic safety issues or unresolved safety issues (USI/GSIs) other than DHR.

E.5 Vulnerabilities and Plant Improvements

The licensee used the following criteria to search for vulnerabilities:

Are there any new or unusual means by which core damage or containment failure occur as compared to those identified in other PRAs?

Do the results suggest that the Duane Arnold CDF would not be able to meet the NRC's safety goal for core damage?

Are there any single failures of components that lead directly to a core damage state? This does not include the common cause failure of multiple components of similar types.

Based on the above criteria, the licensee concluded that there are no vulnerabilities at Duane Arnold, either in the original IPE or in the subsequent IPE revisions.

Two plant modifications were identified during the revision of the original IPE analysis that significantly reduce the potential for flooding-related accidents in the control building. These modifications change portions of the control building fire protection system from a "wet" pipe system to a "dry" pipe system. Credit for this modification was taken in the Revision 3 PSA analysis.

The submittal states that no specific improvements to either hardware or procedure were deemed to be necessary as a result of the (original) IPE. However, the licensee identified several potential improvements and evaluations in conjunction with the original IPE process, though no specific plans for their implementation are described in the submittal. Potential improvements and evaluations related to the front-end analysis are summarized below:

Develop an AOP or EOP to address total loss of 125 VDC

Evaluate the existing EOP guidance that directs operators to terminate vessel injection from sources external to the containment if the drywell pressure reaches 53 psia

Maintain heightened awareness of the operations staff regarding the timely use of the standby liquid control system in ATWS scenarios

Test diesel fire pump capability for vessel injection and evaluate DC reserve needed to accomplish this action

Evaluate the benefits of resetting the ADS timer instead of immediately locking out the automatic initiation of ADS

Finally, it is noted that the IPE took credit for a hardened containment vent that was expected to be completed at the end of 1992, shortly after completion of the IPE submittal.

E.6 Observations

The licensee appears to have analyzed the design and operations of Duane Arnold to discover instances of particular vulnerability to core damage. It also appears that the licensee has: developed an overall appreciation of severe accident behavior; gained an understanding of the most likely severe accidents at Duane Arnold; gained a quantitative understanding of the overall frequency of core damage; and implemented changes to the plant to help prevent and mitigate severe accidents.

Strengths of the IPE are as follows. The evaluation and identification of plant-specific initiating events is thorough compared to some other IPE/PRA studies. The IPE goes beyond the bounds of some other BWR IPE/PRA studies by considering and modeling common cause failures between the HPCI and RCIC systems.

One potential weakness of the IPE was identified. It is not clear from the available IPE documentation whether plant-specific component failure data were used for any systems other than RCIC and HPCI. Also, it is not clear how plant-specific component failure data for RCIC and HPCI were used in the analysis.

Significant level-one IPE findings are as follows:

Internal flooding is a negligible contributor to CDF. The low CDF contribution of internal flooding can be at least partially attributed to two plant modifications that significantly reduce the potential for flooding-related accidents in the control building. These plant modifications were identified during a revision of the original IPE analysis.

1. INTRODUCTION

1.1 Review Process

This report summarizes the results of our review of the front-end portion of the Individual Plant Examination (IPE) for the Duane Arnold nuclear plant. This review is based on information contained in the IPE submittal [IPE Submittal] along with the licensee's responses [RAI Responses] to a request for additional information (RAI).

In responding to the RAI, the licensee states that the original IPE analysis, as described in the IPE submittal, has been updated. The licensee response to the RAI describes the results of Revision 3 of the Probabilistic Safety Assessment (PSA) model, including updated accident sequences and dominant core damage contributors. To the extent possible, the IPE results and findings reported in this review are based on Revision 3 of the PSA as reported in the RAI responses.

1.2 Plant Characterization

The Duane Arnold nuclear plant consists of a single unit BWR-4, Mark 1 plant located in Linn County, Iowa. The plant power ratings are 1,658 MWt and 541 net MWe. Bechtel provided engineering support and construction management. Duane Arnold began commercial operation on February 1, 1975. There are a number of other BWR-4 Mark 1 plants similar to Duane Arnold, for example Browns Ferry, Cooper, Hatch, and Peach Bottom. [p. 1-3 of submittal, 1.1-1 of UFSAR]

Design features at Duane Arnold that impact the core damage frequency (CDF) relative to other BWRs are as follows:

Hardened wetwell vent. Installation of a hardened wetwell vent was expected to be finished shortly after completion of the IPE submittal. This design feature tends to reduce the CDF. Credit for this hardened vent was taken in the analysis. [submittal transmittal letter, p. 4-51 of submittal]

Diverse means for establishing alternate vessel injection. Alternate vessel injection can be supplied from 5 different sources, specifically by the appropriate lineup of equipment in (1) the emergency service water system (ESW), (2) the general service water system (GSW), (3) the residual heat removal service water (RHRSW) system, (4) the fire water system, or (5) the well water system. This design feature tends to reduce the CDF. [pp. 1-3, 3-179, 3-209, 3-279, 3-378, 6-2 of submittal]

Reliable design of offsite power supply system. The offsite power switchyard has a diverse dual ring bus arrangement that helps to minimize the possibility of losing the supply of offsite power. In addition, essential loads are normally operated from the startup transformer, thereby eliminating the need for a "fast transfer" on loss of the main generator. This design feature tends to reduce the CDF. [p. 6-1 of submittal]

Large air accumulators for feedwater regulating valves. The feedwater regulating valves have large air accumulators installed. Consequently, an extended loss of the external instrument air supply would be required to fail these valves. This design feature tends to reduce the CDF. [p. 6-1 of submittal]

Ability of equipment to operate without heating, ventilating, and air conditioning (HVAC) for extended periods. Most of the equipment located in the reactor building can operate without HVAC for extended periods. Plant analyses have been performed to demonstrate that the large rooms in the reactor building have sufficient heat capacity to significantly limit the temperature rise in the absence of room cooling. This design feature tends to reduce the CDF. [p. 6-2 of submittal]

Halting of depressurization in Emergency Operating Procedures (EOPs). The Duane Arnold EOPs specify halting depressurization at 200 psig when turbine-driven systems are available but low pressure injection systems are not. This design feature tends to reduce the CDF. [p. 6-2 of submittal]

2. TECHNICAL REVIEW

2.1 Licensee's IPE Process

We reviewed the process used by the licensee with respect to: completeness and methodology; multi-unit effects and as-built, as-operated status; and licensee participation and peer review.

2.1.1 Completeness and Methodology.

The Duane Arnold IPE is a Level 2 PRA. The IPE was performed to satisfy the requests of Generic Letter 88-20. [p. 1-1 of submittal]

A completeness check was made to determine whether the submittal provided the information to satisfy the requests made in NUREG-1335. The submittal is complete with the type of information suggested in NUREG-1335.

The methodology chosen for the Duane Arnold IPE front-end analysis was a Level 1 PRA. The small event tree/large fault tree technique with fault tree linking was used to quantify core damage sequences. Intersystem dependencies are discussed and tables of system dependencies are provided in the submittal. Data for quantification of the models are provided.

2.1.2 Multi-Unit Effects and As-Built, As-Operated Status.

The Duane Arnold plant is a single unit site; therefore, multi-unit considerations do not apply to this plant.

A number of items of plant-specific documentation were used to support the analysis, including: the Updated Final Safety Analysis Report (UFSAR), Emergency Operating Procedures (EOPs), system diagrams, scram reports, shutdown reports, and Licensee Event Reports (LERs). Because the system analysts were located on site, they could verify the accuracy of plant-specific documentation by virtue of their access to systems, system engineers, operators, and the plant simulator. Personnel from the licensee's Systems Engineering organization developed system notebooks and fault tree models for the systems they had cognizance over. [pp. 2-13, 2-14, 5-6 of submittal]

Several categories of plant walkdowns were performed to support the IPE. Initially, general walkdowns were completed for areas outside the containment. These introductory walkdowns included members of the licensee's PRA group and consultants. A licensee analyst and consultant involved in human error probability (HEP) analyses participated in a human error analysis walkdown. An internal flooding walkdown was performed by two members of the licensee's PRA group and a consulting engineer. [pp. 2-14, 2-15 of submittal]

Revision 3 of the PSA appears to reflect the plant design and operation as of December 1994. The original IPE described in the submittal reflected the plant design and operation as of startup from the 1992 refueling outage. [transmittal letter, pp. 1-2, 2-5 of submittal] [RAI Responses, p. A-6]

The IPE submittal does not indicate whether the licensee plans to maintain a "living" PRA.

2.1.3 Licensee Participation and Peer Review.

Licensee engineering and plant staff were involved in the IPE since its inception, and directed all aspects of the analysis. Licensee system engineers maintained ownership and responsibility for the system fault trees. In addition, the IPE was completely quantified by licensee staff. Work performed by consultants was closely controlled and was done in such a way that technology transfer to the licensee was maximized. Consulting services were provided by: ERIN Engineering, Gabor, Kenton & Associates, and Chicago Bridge & Iron (back-end analysis). [pp. 1-2, 2-1, 4-7, 5-3 of submittal]

An independent in-house review committee was created to review the information contained in the initial preparation of the system notebooks. Comments were generated, recorded and resolved. This in-house review insured that the plant design and operation were realistically accounted for at the earliest stages of the project. The in-house review committee consisted of approximately 15 individuals from the following licensee organizations: Engineering, Technical Support, Emergency Planning, Training Center/Simulator, Operations, and Licensing. [p. 5-4 of submittal]

Other independent in-house reviews were also conducted by the licensee as various portions of the project were performed. Where feasible, work provided by the consultant companies was reviewed independently within their respective organizations. In addition, an in-house review of the completed IPE submittal was performed by licensee personnel. Finally, two consultants, J. H. Moody of Moody Consulting and G. W. Parry of Halliburton NUS performed an independent external review of the IPE. Section 5.3.2.2 of the submittal summarizes the technical comments and resolutions related to the final licensee and independent external review activities. [pp. 5-5 to 5-46 of submittal]

2.2 Accident Sequence Delineation and System Analysis

This section of the report documents our review of both the accident sequence delineation and the evaluation of system performance and system dependencies provided in the submittal.

2.2.1 Initiating Events.

The IPE initiating event groups were developed from plant-specific analyses and reviews of various documentation, including: the Duane Arnold UFSAR, various Electric Power Research Institute (EPRI) reports, Licensee Event Reports (LERs), and NRC-sponsored reports of other PRAs (such as NUREG 1150). The initiating events included in the analysis are listed below: [pp. 1-15, 3-2, 3-5, 3-7 of submittal] [RAI Responses]

Transients:
Turbine trip with bypass
Loss of feedwater
Main steam isolation valve (MSIV) closure
Loss of condenser vacuum
Inadvertent open relief valve (IORV)
Loss of offsite power (LOSP)

Special Initiators:
Loss of river water
Loss of instrument air
Loss of Division I 125 VDC
Loss of Division II 125 VDC

LOCAs:
Large LOCA
Medium LOCA
Small LOCA
ISLOCA (3 separate categories)
Break outside containment (at least 3 separate categories)

The submittal also lists ATWS as an initiating event. However, an ATWS does not represent an initiating event, but rather an accident condition subsequent to a transient initiating event. [pp. 1-15, 3-7 of submittal]

As noted above, the IPE analyzed both ISLOCAs and break outside containment (BOC) events. In an ISLOCA, the interfacing system has a design pressure lower than that of the primary system. A BOC represents a break in a high pressure system attached to the primary system where the break is outside containment. [RAI Responses]

A large LOCA was assumed to be beyond the capacity of the HPCI or condensate systems, while a medium LOCA or IORV was assumed to be within the capacity of the HPCI system. A small LOCA was assumed to be within the capacity of either the RCIC or HPCI system. [pp. 3-3, 3-4 of submittal]

Loss of reactor building closed cooling water (RBCCW) would cause a plant shutdown and might also result in additional leakage of the recirculation pump seals, as seal cooling for these pumps is provided by the RBCCW system. However, this event was not included as a separate initiating event because the licensee judged that the increased seal leakage would be well within the capabilities of all makeup systems credited in the IPE. Loss of RBCCW is encompassed in the quantification of scenarios involving turbine trip. [RAI Responses]

Failure of a 250 VDC bus was not included as an initiating event because it will not initiate a transient, even though it will cause HPCI to become unavailable. Loss of an AC bus also was not included as an initiating event; a screening analysis performed by the licensee indicates that the CDF contribution from AC bus loss initiating events would be less than 1E-08/yr. Loss of well water was not included as a separate initiating event, as it is principally used for drywell cooling and is encompassed in the quantification of manual shutdown events. [RAI Responses]

The licensee excluded HVAC failures as separate initiating events. Loss of Reactor Building HVAC would not necessarily lead to a reactor scram, as the standby gas treatment system would maintain the Reactor Building at negative pressure, and separate room coolers would provide local cooling. Loss of individual room coolers evidently would not result in a plant scram or shutdown, as standby safety-related HVAC equipment is available to provide cooling to the residual heat removal (RHR), RCIC, HPCI, and core spray systems during accident conditions. The Turbine Building does not contain any safety-related equipment, and thus loss of Turbine Building HVAC is encompassed in the quantification of scenarios involving MSIV closure and loss of condenser vacuum. Control Building HVAC was not considered in the IPE as an initiator because of HVAC system redundancy and lack of observed failures in the operating experience data base. Note that the control building includes the control room and switchgear areas. The licensee states that loss of Control Building HVAC may be separated out as a unique manual shutdown initiator in the future in Revision 4 of the IPE. [RAI Responses]

It appears that plant data were used where possible to quantify the transient initiating events. The LOSP quantification includes site-specific information combined with Nuclear Management and Resource Council (NUMARC) methodology. The large LOCA frequency is based on a Brunswick PRA, while the medium and small LOCA frequencies are based on WASH-1400. The ISLOCA frequency is based on plant specific models and generic data, using NSAC/154 as guidance. Plant specific considerations were combined with generic data to develop frequencies for the special initiating events.

The initiating events for loss of feedwater and loss of 125 VDC are quantified with values approximately a factor of 5 lower than corresponding generic data used in some other BWR IPE/PRA studies. The remaining initiating events appear to be consistent with other BWR IPE/PRA studies. [p. 3-7 of submittal] [RAI Responses, Table B-1]

Generic data and methods were used to quantify flood-related initiating events, including the WASH-1400 method of estimating pipe rupture frequencies using individual component and pipe segment data. [RAI Responses]

2.2.2 Event Trees.

The following event trees were used in the analysis: [pp. 3-9 to 3-114 of submittal] [RAI Responses, p. A-4]

Transients (7 event trees):

Manual shutdown
Turbine trip with bypass
Loss of feedwater
Main steam isolation valve (MSIV) closure
Loss of condenser vacuum
Inadvertent open relief valve (IORV)
Loss of offsite power (LOSP)

Special Initiators (3 event trees):

Loss of river water
Loss of instrument air
Loss of Division II 125 VDC

LOCAs (5 event trees):

Large LOCA
Medium LOCA
Small LOCA
ISLOCA
Break outside containment (BOC)

ATWS (4 event trees):

Turbine trip with bypass
Loss of feedwater
Main steam isolation valve (MSIV) closure
Loss of condenser vacuum

Three separate ISLOCA events were analyzed, specifically overpressurization of the core spray pump discharge lines, the RHR pump discharge lines, and the RHR shutdown cooling line. In the ISLOCA analysis, it is pessimistically assumed that the line break occurs in one of the ECCS corner rooms and disables all of the equipment in that room. It is also assumed that a leak in the piping, which is much more likely than a rupture, will have the same effects as a rupture. The train associated with the failed piping is also assumed to be unavailable to perform its intended function. The analysis of break outside containment (BOC) events included consideration of components associated with the main steam, HPCI, and reactor water cleanup (RWCU) systems. [pp. 3-69, 3-70, 3-114 of submittal] [RAI Responses]


Core damage is defined to occur when the vessel water level is below one-third of the core height and decreasing. The system success criteria are based on the UFSAR, operations manual descriptions, and realistic calculations. The realistic calculations are based on GE studies and plant-specific MAAP analyses. The mission time for the analysis is 24 hours. [pp. 2-5, 3-13, 5-11 of submittal] [RAI Responses]

For ATWS events, the licensee assumed that standby liquid control (SLC) initiation may be delayed for a relatively long period of time (i.e., hours) if sufficient turbine bypass capability exists (i.e., >25%) and feedwater can be controlled. However, success of any ATWS sequence ultimately requires SLC injection. [pp. 3-6, 3-7, 3-29 of Appendix D of RAI Responses] [pp. 3-94 to 3-98 of submittal]

The IPE assumes that controlled containment venting using the hardened vent pipe has a negligible impact on the probability of vessel injection failure. This assumption is based on the availability of multiple injection sources taking suction from external sources and credit for LPCI and core spray when containment venting was controlled at high pressure. [RAI Responses, pp. 6-1 to 6-7]

2.2.3 Systems Analysis.

Systems descriptions are included in Subsection 3.2.1 of the submittal. The system descriptions provide information in a number of technical areas, for example: system function, system interfaces and dependencies, success criteria, and system fault tree modeling assumptions. The system descriptions also contain simplified schematics that show major equipment items and important flow and configuration information. A total of 18 systems are described, including HPCI, RCIC, core spray, RHR, electrical power, and cooling water. [pp. 3-118 to 3-307 of submittal]

2.2.4 System Dependencies.

The IPE addressed and considered dependencies in the following categories: instrumentation and control, motive power, isolation, direct equipment cooling, instrument air, and HVAC. A separate support system dependency matrix is provided for each of the 18 systems presented in the system descriptions. Each of these 18 dependency matrices identifies dependencies for individual system components. [pp. 3-118 to 3-307 of submittal]

A summary system dependency matrix is presented in Table 3.2-19 of the submittal. This summary dependency matrix identifies dependencies for the various front-line functions and systems. In addition, Table 3.2-20 of the submittal presents a summary of component cooling dependencies, including HVAC dependencies. [pp. 3-320 to 3-332 of submittal]

HVAC was eliminated as a required support system for RHR and core spray pumps based on room heat-up calculations, tests, and operating experience. External RHR pump seal cooling was also eliminated as a required dependency based on licensee discussions with the pump manufacturer, Byron Jackson. [RAI Responses]

Based on plant-specific room heatup calculations and proceduralized actions, the IPE assumed that opening of room doors by plant personnel could provide adequate ventilation for the RCIC and HPCI systems for long-term operation. The licensee states that HVAC for the ESW or RHRSW pumps is only needed to minimize long-term degradation of the pumps and motors, but is not needed during the 24 hour accident analysis mission time. [RAI Responses]

Loss of control room ventilation was screened out based on several considerations, including room heatup calculations that show acceptable temperature rises for personnel and equipment, proceduralized recovery methods, and the transfer of control room functions to the remote shutdown panel. If random failure of control room HVAC had been included in the IPE as a required support system during the accident mission time, the CDF would increase by 1%. [RAI Responses]

In summary, it appears that the IPE has addressed and analyzed all the important system dependencies.

2.3 Quantitative Process

This section of the report summarizes our review of the process by which the IPE quantified core damage accident sequences. It also summarizes our review of the data base, including consideration given to plant-specific data, in the IPE. The uncertainty and/or sensitivity analyses that were performed were also reviewed.

2.3.1 Quantification of Accident Sequence Frequencies.

The IPE used the small event tree/large fault tree technique with fault tree linking to quantify core damage sequences. Fault tree models were developed for systems depicted in the event tree top logic and their support systems. The event tree headings are generally functional, although a few system headings are used. The CAFTA software was used to build and maintain system models. A code developed by the licensee (SEQUENCE) was used to link CAFTA-generated cutsets into accident sequences. The submittal states that all system models and sequences were quantified with a truncation value of 3.0E-11/yr. [pp. 3-424 to 3-426 of submittal]

Credit was taken for recovery of offsite power in the IPE. Non-recovery data were generated from information contained in NUREG-1032. For early periods (up to about two hours), the IPE offsite power non-recovery data are consistent with average industry experience as reported in an Electric Power Research Institute (EPRI)-sponsored study [NSAC 147]. However, at longer periods, the IPE data are somewhat more optimistic than the average industry data. For example, at 8 hours, the IPE uses a non-recovery probability of approximately 0.035, whereas average industry experience suggests a value of approximately 0.06. The IPE also took credit for other recovery actions, including: extension of battery life from 5 hours to approximately 8 hours via load shedding; opening of doors to restore HPCI/RCIC room ventilation; and bypass of HPCI/RCIC isolation circuitry to avoid isolation on high temperature or high turbine exhaust back pressure. [pp. 3-50 to 3-55, 3-82 to 3-93, 3-439, 3-440 of submittal] [RAI Responses]

The IPE has also taken credit for restoration/repair of selected items of equipment, specifically diesel generators, power conversion system (PCS) equipment, and RHR equipment. The quantification of diesel generator repair appears to be based on data from an NRC-sponsored survey of LERs involving diesel generators [NUREG/CR-1362]. The available documentation on the IPE does not identify the specific types of PCS or RHR equipment that were considered for repair. The repair of PCS and RHR equipment appears to be based on an exponential model discussed in WASH-1400 and used in PRA studies for Shoreham [Shoreham PRA] and Limerick [Limerick PRA]. Based on a review of event importance measures, it appears that the overall CDF has been reduced by no more than approximately 20% as a result of credit for repair activities. [pp. 16-1 to 16-13, Table 36-1 of RAI Responses]

The fault trees used to model HPCI and RCIC during station blackout conditions include additional failures to account for sequence-dependent accident conditions, for example high room temperature, battery depletion, and multiple starts. Time-phased models were developed such that the progressively increasing probability of system failure with increasing mission time could be accounted for. [RAI Responses]

2.3.2 Point Estimates and Uncertainty/Sensitivity Analyses.

The submittal does not identify the statistical significance (point value, mean, etc.) of the data used for initiating event frequencies and fault tree bottom events. The initiating event frequencies for small and medium LOCAs are based on WASH-1400 and appear to represent median values. Point estimates are reported for the accident sequence frequencies and total CDF. A formal mathematical propagation of statistical uncertainty (that would present the results of this study in terms of probability density functions) was not performed on the analysis results. Subsection 3.4.1 of the submittal describes a sensitivity analysis related to the quantification of human error rates. [pp. 3-7, 3-440 to 3-443 of submittal]

2.3.3 Use of Plant-Specific Data.

As previously noted in Subsection 2.2.1 of this report, plant data were used to support the development of the initiating events. Also, plant-specific data were exclusively used to quantify unavailabilities of equipment due to testing or maintenance. The test/maintenance unavailabilities were modeled at the system/train level. The test/maintenance unavailability data are summarized in Table 3.3-4 of the submittal. [pp. 3-348, 3-350 of submittal]

Plant-specific component failure data were also gathered in conjunction with the IPE analysis. A comparison was made between the Duane Arnold plant-specific data and failure rate data reported by the remaining commercial nuclear power industry to the Nuclear Power Reliability Data System (NPRDS). As stated in the submittal, the Duane Arnold plant experienced failure rates as low or lower than reflected in the corresponding NPRDS data for all components analyzed in conjunction with the IPE. The licensee used this finding as the basis to use generic data exclusively for component failures in the original IPE analysis reported in the submittal. However, the licensee states that the Revision 3 update of the PSA has included plant-specific failure data for HPCI and RCIC. It is not clear if Revision 3 of the analysis has utilized plant-specific failure data for components in systems other than RCIC and HPCI. Also, the available documentation does not provide any discussion of the use of plant-specific HPCI and RCIC data in the Revision 3 analysis, for example the components involved and applicable failure modes. The available documentation also does not state whether the plant-specific RCIC and HPCI data were used to perform a Bayesian update of generic data in the Revision 3 analysis. [pp. 3-348, 3-349 of submittal] [RAI Responses]

Table 2-1 of this review compares Duane Arnold plant-specific failure data for selected components to values typically used in PRA and IPE studies, using the NPRDS data cited in the submittal for comparison. These data were identified through inspection of Table 3.3-3 of the submittal. As is shown in Table 2-1, the Duane Arnold plant-specific data are with one exception substantially lower than the corresponding NPRDS data. A number of the Duane Arnold components listed in Table 2-1 have failure rates of zero. However, the submittal does not state the time interval over which plant-specific data were collected. [p. 3-349 of submittal]

The data shown in Table 2-1 are expressed in terms of a "failure rate", presumably per hour. However, the relationship of the submittal plant-specific "failure rate" data to the "demand" and "run" failure data that must be used to quantify fault tree bottom events is not clear. Consequently, it was not possible to directly compare the Duane Arnold plant-specific data with other typical sources of component failure data, for example NUREG/CR-4550.

Table 2-1. Plant-Specific Component Failure Data (1)

| Component | Duane Arnold Plant-Specific Data | NPRDS Data Cited in Submittal |
|---|---|---|
| Pump - HPCI | 0.0 (pump) | 2.01E-06 (pump) |
| | 0.0 (turbine) | 1.74E-05 (turbine) |
| Pump - RCIC | 0.0 (pump) | 2.63E-06 (pump) |
| | 0.0 (turbine) | 1.67E-05 (turbine) |
| Pump - Emergency Service Water | 2.82E-06 | 2.39E-05 |
| Pump - RHR | 0.0 | 9.44E-06 |
| Relief Valve | 0.0 | 2.53E-06 |
| Check Valve | 6.01E-37 | 3.36E-06 |
| MOV | 1.03E-06 | 4.14E-06 |
| Battery | 0.0 (125 V) | 3.45E-06 (125 V) |
| | 0.0 (250 V) | 1.65E-06 (250 V) |
| Battery Charger | 0.0 (125 VDC) | 1.85E-05 (125 V) |
| | 0.0 (250 VDC) | 1.82E-05 (250 V) |
| Diesel Generator Engine | 0.0 | 6.70E-05 |
| Diesel Generator Breaker | 1.27E-05 | 8.45E-06 |

Notes: (1) Data appear to represent "per hour" failure rates.

2.3.4 Use of Generic Data.

Ten different published sources of generic data were used, including the PSA Procedures Guide [NUREG/CR-2815], NUREG/CR-4550, and several other PRA studies. The PSA Procedures Guide [NUREG/CR-2815] was used as the highest priority source of generic data. The generic component failure data used in the IPE as derived from the ten published data sources are summarized in Table 3.3-1 of the submittal. Also, it appears that unidentified sources of generic data were used to derive estimates for certain miscellaneous failures, for example failures of turbine speed controllers, sluice gates, and lubrication systems. Table 3.3.2 of the submittal lists this additional set of generic data. [pp. 3-333 to 3-347 of submittal]

We performed a comparison of IPE generic component failure data listed in the submittal to generic values used in the NUREG/CR-4550 studies [NUREG/CR-4550, Methodology]. This comparison is summarized in Table 2-2.

Table 2-2. Generic Component Failure Data (1)

| Component | Submittal Value | NUREG/CR-4550 Mean Value Estimate |
|---|---|---|
| Turbine Driven Pump | 3E-02 Fail to Start | 3E-02 Fail to Start |
| | 1E-04 Fail to Run | 5E-03 Fail to Run |
| Motor Driven Pump | 3E-03 Fail to Start | 3E-03 Fail to Start |
| | 1E-04 Fail to Run | 3E-05 Fail to Run |
| Motor Operated Valve | 3E-03 Fail to Open | 3E-03 Fail to Operate |
| | 3E-03 Fail to Close | |
| Check Valve | 1E-04 Fail to Open | 1E-04 Fail to Open |
| | 1E-04 Fail to Close | 1E-03 Fail to Close |
| Battery Charger | 5.5E-06 Loss of Output | 1E-06 Fail to Operate |
| Battery | 2E-06 Loss of Output | 1E-06 Failure (unspecified mode) |
| Inverter | 6E-05 Loss of Output | 1E-04 Failure (unspecified mode) |
| Circuit Breaker | 3E-03 Fail to Open (control breaker) | 3E-03 Fail to Transfer |
| | 1E-03 Fail to Close (4,160 VAC control breaker) | |
| Diesel Generator | 3E-02 Fail to Start | 3E-02 Fail to Start |
| | 3E-03 Fail to Run | 2E-03 Fail to Run |

Notes: (1) Failures to start, open, close, operate, or transfer are probabilities of failure on demand. The other failures represent frequencies expressed per hour.

Except in three instances, the IPE component failure data listed in Table 2-2 are consistent with NUREG/CR-4550 data. The IPE data for turbine pump "run" failures are more than an order of magnitude lower than the NUREG/CR-4550 generic data. Also, the IPE data for failure of a check valve to close on demand are an order of magnitude lower than the NUREG/CR-4550 data. On the other hand, the IPE data for motor driven pump "run" failures are a factor of 3 higher than the NUREG/CR-4550 data.

Finally, as previously noted in Section 2.2.1 of this report, generic data were used to support the development of the initiating events.

2.3.5 Common-Cause Quantification.

The identification of common cause groups was based on several activities, including reviews of other PRAs, reviews of operating experience data, and initial quantifications of the Level 1 models. The estimation of common-cause failure probabilities was based on the beta factor method. The beta factor data were derived from several sources, including: [EPRI 3967], [NUREG/CR-4780], and [NUREG-0666]. Precursor events that have occurred at other BWRs were used to support the quantification of common cause failures of safety relief valves (SRVs) as used in the depressurization function. Engineering judgment was also used in the quantification process. Common cause events quantified with these data were added to the fault tree models. Components included in the common cause analysis include pumps, valves, batteries, diesel generators, and HVAC fans. [pp. 3-418 to 3-423 of submittal] [RAI Responses, pp. 11-1 to 11-13]

Table 3.3-20 of the submittal lists the IPE common cause beta factors. This table does not list the specific component failure mode(s) applicable to the listed beta factors. Also, in the case of certain component groups, it is not clear as to the number of components in the group assumed to fail. For example, there are 4 RHR service water (RHRSW) pumps divided between two trains, and it is not clear if the beta factor represents failure of all four pumps or some smaller set of pumps. Transformer and circuit breaker common cause failures were not explicitly modeled, but assumed to be part of their associated major component failures (footnote 8). It is notable that the IPE has modeled the common cause failure of the HPCI and RCIC pumps, which is not commonly done in BWR IPE/PRA studies. [pp. 3-422, 5-37 of submittal] [RAI Responses]

We performed a comparison of IPE common-cause beta factors listed in the submittal with generic values used in the NUREG/CR-4550 studies [NUREG/CR-4550, Methodology]. This comparison is summarized in Table 2-3. [p. 3-422 of submittal]

The comparison data in Table 2-3 show that the IPE common cause beta factors for the listed components are generally consistent with generic beta factors contained in NUREG/CR-4550. The IPE beta factors for the RHR and core spray pumps are a factor of 3 lower than the NUREG/CR-4550 data. On the other hand, the IPE beta factor for the diesel generators is a factor of two higher than the NUREG/CR-4550 data.
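To show what these beta factor differences mean at the group level, the following Python sketch is an added illustration and is not the licensee's or the reviewers' calculation. It assumes a two-train group in which both trains must fail, the rare-event approximation, fail-to-start probabilities from Table 2-2 (the motor driven pump value is assumed to apply to the RHR pumps), and beta factors from Table 2-3; all function and event names are hypothetical.

```python
"""Beta-factor common-cause quantification for a redundant two-train group.

Added illustration. The two-train success logic, the rare-event
approximation and all names below are assumptions of this example.
"""
from math import prod


def beta_factor_group(name, q_total, beta):
    """Split a component's total failure probability into an independent
    part (1 - beta) * Q and a common-cause part beta * Q, and return
    (basic_events, minimal_cutsets) for failure of both trains A and B."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie in [0, 1]")
    events = {
        f"{name}-A-IND": (1.0 - beta) * q_total,
        f"{name}-B-IND": (1.0 - beta) * q_total,
        f"{name}-CCF": beta * q_total,
    }
    cutsets = [
        frozenset({f"{name}-A-IND", f"{name}-B-IND"}),  # both fail independently
        frozenset({f"{name}-CCF"}),                     # one shared cause fails both
    ]
    return events, cutsets


def quantify(events, cutsets):
    """Rare-event approximation: sum of the minimal cutset products."""
    return sum(prod(events[e] for e in cs) for cs in cutsets)


def fussell_vesely(events, cutsets, event):
    """Fraction of the total carried by cutsets that contain `event`."""
    total = quantify(events, cutsets)
    part = sum(prod(events[e] for e in cs) for cs in cutsets if event in cs)
    return part / total


def compare(name, q_total, beta_ipe, beta_generic):
    """Quantify the same group with the IPE and NUREG/CR-4550 beta factors."""
    results = {}
    for label, beta in (("IPE", beta_ipe), ("NUREG/CR-4550", beta_generic)):
        events, cutsets = beta_factor_group(name, q_total, beta)
        results[label] = {
            "group_failure": quantify(events, cutsets),
            "ccf_share": fussell_vesely(events, cutsets, f"{name}-CCF"),
        }
    results["ratio"] = (results["IPE"]["group_failure"]
                        / results["NUREG/CR-4550"]["group_failure"])
    return results


# Diesel generators: 3E-02 fail to start (Table 2-2); beta 0.077 vs 0.038 (Table 2-3).
DG = compare("DG", 3e-2, 0.077, 0.038)
# RHR pumps: 3E-03 fail to start (assumed motor driven, Table 2-2); beta 0.05 vs 0.15.
RHR = compare("RHR-PUMP", 3e-3, 0.05, 0.15)

if __name__ == "__main__":
    for title, res in (("Diesel generators", DG), ("RHR pumps", RHR)):
        print(title)
        for label in ("IPE", "NUREG/CR-4550"):
            r = res[label]
            print(f"  {label:14s} both trains fail to start: "
                  f"{r['group_failure']:.3e}  CCF share: {r['ccf_share']:.0%}")
        print(f"  IPE / NUREG/CR-4550 ratio: {res['ratio']:.2f}")
```

Under these assumptions the doubled diesel generator beta factor raises the two-train fail-to-start probability by a factor of about 1.6 rather than 2, because the independent cutset still carries about a quarter of the total, while the RHR pump group is almost entirely common-cause dominated, so the factor of 3 lower beta carries through nearly in full.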

Footnote 8: For Revision 4 of the PSA, consideration is being given to explicitly separating out circuit breakers associated with the emergency diesel generators. [RAI Responses]

Table 2-3. Comparison of Common-Cause Failure Factors

| Component | IPE Beta Factor | NUREG/CR-4550 Mean Value Beta Factor |
|---|---|---|
| Pump - River Water Supply | 0.0375 | 0.056 Fail to Start (2 component group) |
| | | 0.0096 Fail to Start (4 component group) |
| Pump - RHR Service Water | 0.03 | 0.056 Fail to Start (2 component group) |
| | | 0.0096 Fail to Start (4 component group) |
| Pump - RHR | 0.05 | 0.15 Fail to Start (2 component group) |
| Pump - Core Spray | 0.05 | 0.15 Fail to Start (2 component group) |
| Valve - MOV | 0.08 (cooling water) | 0.088 Fail to Operate (2 component group) |
| Safety Relief Valves | 0.22 | 0.22 Fail to Open (2 component group) |
| | | 0.12 Fail to Open (4 component group) |
| Diesel Generator | 0.077 | 0.038 Fail to Start (2 component group) |

2.4 Interface Issues

This section of the report summarizes our review of the interfaces between the front-end and back-end analyses, and the interfaces between the front-end and human factors analyses. The focus of the review was on significant interfaces that affect the ability to prevent core damage.

2.4.1 Front-End and Back-End Interfaces.

Effects of containment failure on continued vessel injection were accounted for, including direct environmental effects from energy and steam release. Also, a containment break and rapid containment depressurization could lead to flashing of the suppression pool water and loss of adequate net positive suction head (NPSH) for pumps taking suction from the suppression pool. Consequently, the analysis did not take credit for the low pressure coolant injection (LPCI) and core spray flow following a rapid containment depressurization, but instead required the use of external water systems. On the other hand, the analysis did take credit for LPCI and core spray when venting was controlled at high pressure, based on various experimental results, operating experience, and calculations. [RAI Responses, pp. 6-1 to 6-7]

The IPE directly coupled each Level 1 sequence to the back-end analysis through directly linked event trees. These trees and their linking include preventive or mitigative features as well as timing considerations. [pp. 1-21, 4-74 of submittal]

2.4.2 Human Factors Interfaces.

Human actions important to the analysis as determined from the Fussell-Vesely importance ranking include: failure to recover offsite power within 30 minutes, failure to recover emergency AC power within 30 minutes, failure to recover offsite power within 2 hours, and failure to recover emergency AC power within 2 hours. [RAI Responses, Table 36-2, Table B-1]

The IPE took credit for several types of recovery actions, including: extension of battery life via load shedding; opening of doors to restore HPCI/RCIC room ventilation; and bypass of HPCI/RCIC isolation circuitry to avoid isolation on high temperature or high turbine exhaust back pressure. In addition, the IPE has taken credit for restoration of selected items of equipment, for example diesel generators and RHR equipment. [pp. 3-50 to 3-53, 3-55, 3-82 to 3-93 of submittal] [RAI Responses, pp. 16-3 to 16-6]

2.5 Evaluation of Decay Heat Removal and Other Safety Issues

This section of the report summarizes our review of the evaluation of Decay Heat Removal (DHR) provided in the submittal. Other GSI/USIs, if they were addressed in the submittal, were also reviewed.

2.5.1 Examination of DHR.

Section 3.4.3 of the submittal describes the licensee's analysis of DHR. The IPE used both quantitative design objectives from the NRC staff and qualitative insights from past A-45 studies as input for the analysis. [pp. 3-446 to 3-456 of submittal]

The overall CDF contribution related to DHR failures as represented by the original IPE analysis was estimated to be 5.9E-06/yr using the NRC definition of DHR-related sequences in the A-45 study [NUREG-1289]. The licensee notes that this DHR CDF contribution is below the acceptance level set by the NRC staff in NUREG-1289 of 3.0E-05/yr, and much lower than the 3.0E-04/yr level set for corrective action. [p. 3-455 of submittal]

The total DHR CDF contribution of 5.9E-06/yr discussed above represents the sum of the CDF contributions from loss of containment heat removal and loss of inventory accidents. The contribution of sequences involving loss of containment heat removal was estimated to be 1.8E-06/yr, or 23% of the total CDF. The CDF contribution from loss of inventory accidents was estimated to be approximately 4.1E-06/yr, or about 52% of the total CDF. [p. 3-455 of submittal]

The submittal states that no vulnerabilities exist to adversely affect the operators' ability to accomplish the DHR function during an accident. Finally, it is noted that Table 3.4-2 of the submittal compares DHR vulnerability insights from A-45 studies with their applicability to Duane Arnold. [pp. 3-455, 3-456 of submittal]

2.5.2 Diverse Means of DHR.

The IPE evaluated the diverse means for accomplishing DHR, including: use of power conversion system, RCIC, HPCI, and use of low pressure injection by opening safety relief valves. Containment heat removal was also addressed. [pp. 3-449 to 3-452 of submittal]

2.5.3 Unique Features of DHR.

The unique features at Duane Arnold that directly impact the ability to provide DHR are as follows:

Hardened wetwell vent. Installation of a hardened wetwell vent was expected to be finished shortly after completion of the IPE submittal. This design feature tends to reduce the CDF. Credit for this hardened vent was taken in the analysis. [submittal transmittal letter, p. 4-51 of submittal]

Diverse means for establishing alternate vessel injection. Alternate vessel injection can be supplied from 5 different sources, specifically by the appropriate lineup of equipment in (1) the emergency service water system (ESW), (2) the general service water system (GSW), (3) the residual heat removal service water (RHRSW) system, (4) the fire water system, or (5) the well water system. This design feature tends to reduce the CDF. [pp. 1-3, 3-179, 3-209, 3-279, 3-378, 6-2 of submittal]

Reliable design of offsite power supply system. The offsite power switchyard has a diverse dual ring bus arrangement that helps to minimize the possibility of losing the supply of offsite power. In addition, essential loads are normally operated from the startup transformer, thereby eliminating the need for a "fast transfer" on loss of the main generator. This design feature tends to reduce the CDF. [p. 6-1 of submittal]

Halting of depressurization in Emergency Operating Procedures (EOPs). The Duane Arnold EOPs specify halting depressurization at 200 psig when turbine-driven systems are available but low pressure injection systems are not. This design feature tends to reduce the CDF. [p. 6-2 of submittal]

2.5.4 Other GSI/USIs Addressed in the Submittal.

The licensee does not propose to resolve any GSI/USIs other than DHR with the IPE submittal. [p. 3-457 of submittal]

2.6 Internal Flooding

This section of the report summarizes our reviews of the process used to model internal flooding and of the results of the analysis of internal flooding.

2.6.1 Internal Flooding Methodology.

An initial screening analysis was performed to evaluate the facility from three overlapping perspectives, specifically the following: [RAI Responses]

Flooding sources,
Target areas (plant areas that are essential to plant safety and if flooded would seriously degrade the ability to prevent core damage), and
Operating experience and plant-specific features.

Flooding sequences remaining after the screening process were quantified using existing logic models that were appropriately modified to account for equipment disabled due to the postulated flooding conditions.

Previous plant-specific studies were used to support the IPE flooding analysis, specifically a high-energy line break analysis, the Duane Arnold Fire Hazards Analysis, and a study to analyze flooding-related vulnerabilities. The study to analyze flooding-related vulnerabilities was performed in response to a request made of utilities by the Institute of Nuclear Power Operations (INPO). [pp. 3-428 to 3-431 of submittal] [RAI Responses]

Plant walkdowns were used to support the flooding analysis. Various flooding sources were considered, including tank ruptures, tank overfilling, hose and pipe ruptures, and pump seal leaks. The analysis accounted for adverse effects from water immersion and spray. Flood barriers and floor drains were accounted for. Generic data and methods were used to quantify flood-related initiating events, including the WASH-1400 method of estimating pipe rupture frequencies using individual component and pipe segment data. [p. 3-427 of submittal] [RAI Responses]

2.6.2 Internal Flooding Results.

The CDF contribution from internal flooding was estimated to be 2.3E-08/yr. The most dominant flooding sequence has a CDF contribution of 8.3E-09/yr, and involves the rupture of condensate piping in the turbine building. The second dominant sequence involves the rupture of circulating water piping in the turbine building, while the third most dominant sequence involves rupture of general service water components in the reactor building. These latter two sequences have CDF contributions of 7.1E-09/yr and 6.6E-09/yr, respectively. [RAI Responses]

While revising the original IPE analysis, the licensee identified two plant modifications that significantly reduce the potential for flooding-related accidents in the control building. These modifications change portions of the control building fire protection system from a "wet" pipe system to a "dry" pipe system. Credit for these modifications was taken in the Revision 3 PSA analysis. The flooding analysis results reported above are based on the Revision 3 PSA analysis. One of the two modifications resulted in a CDF reduction of 9.7E-06/yr, while the other modification resulted in a CDF reduction of 8.25E-06/yr. The available documentation does not report the combined CDF reduction from both modifications. [pp. 3-5, 3-9, 3-12 of RAI Responses]

2.7 Core Damage Sequence Results

This section of the report reviews the dominant core damage sequences reported in the submittal. The reporting of core damage sequences, whether systemic or functional, is reviewed for consistency with the screening criteria of NUREG-1335.

The definition of vulnerability provided in the submittal is reviewed. Vulnerabilities, enhancements, and plant hardware and procedural modifications, as reported in the submittal, are reviewed.

2.7.1 Dominant Core Damage Sequences.

The IPE utilized functional event trees. The reporting of results in the submittal is consistent with the Generic Letter 88-20 screening criteria for functional sequences.

The point value CDF estimate for Duane Arnold in the Revision 3 model is 1.50E-05/yr. The CDF contribution from internal flooding was estimated to be 2.3E-08/yr. [pp. 3-437 to 3-444 of submittal] [RAI Responses]

Table 2-4 below lists the accident types that contributed the most to the CDF, and their percent contribution, as presented in Figure 1.4-3 of the submittal. Station blackout appears to represent 40% of the overall CDF. [RAI Responses]

Table 2-4. Accident Types and Their Contribution to Core Damage Frequency

| Accident Type | CDF Contribution (per yr.) | Percent Contribution to CDF |
|---|---|---|
| LOSP | 6.3E-06 | 42 |
| ATWS | 3.3E-06 | 22 |
| Transients | 2.6E-06 | 17 |
| Special Events | 2.4E-06 | 16 |
| LOCA | 4.5E-07 | 3 |

Initiating events that contributed the most to the CDF, and their percent contribution, are listed below in Table 2-5. [RAI Responses, Fig. A-5]

Table 2-5. Initiating Events and Their Contribution to Core Damage Frequency*

| Initiating Event | CDF Contribution/yr. | % Cont. to CDF |
|---|---|---|
| LOSP | 6.3E-06 | 42 |
| Turbine Trip w/ Bypass and subseq. ATWS | 2.0E-06 | 13 |
| MSIV Closure and subseq. ATWS | 1.0E-06 | 7 |
| Manual Shutdown | 9E-07 | 6 |
| Loss of Division I DC | 9E-07 | 6 |
| Turbine Trip w/ Bypass (no subseq. ATWS) | 9E-07 | 6 |
| Loss of River Water | 8E-07 | 5 |
| Loss of Division II DC | 7E-07 | 5 |

The 8 most dominant event tree core damage sequences are listed below in Table 2-6 of this report. [RAI Responses)

* Only the most dominant initiating event contributors to CDF are listed here. The data in this table were extracted from Figure A-4 and Table B-3 of the RAI Responses. A complete set of initiating event contributors to CDF can be extracted from Table B-3 of the RAI Responses.

Table 2-6. Top 8 Dominant Event Tree Core Damage Sequences

| Initiating Event | Dominant Subsequent Failures in Sequence | % Contribution to Total CDF |
|---|---|---|
| Loss of Offsite Power | Failure of emergency onsite power resulting in a station blackout, failure to recover offsite AC power at 30 min., failure of HPCI and RCIC | 10 |
| Loss of Offsite Power | Failure of emergency onsite power resulting in a station blackout, failure of RCIC after 6 hours of operation, failure of alternate low pressure injection (no AC power recovery during sequence) | 9 |
| Loss of Offsite Power | Failure of emergency onsite power resulting in a station blackout, failure of RCIC/HPCI after 9 hours of operation, failure of alternate low pressure injection (no AC power recovery during sequence) | 8 |
| Manual shutdown | Switchgear room HVAC failures defeat high pressure injection and inhibit depressurization | 5 |
| Turbine Trip with Bypass | Switchgear room HVAC failures defeat high pressure injection and inhibit depressurization | 5 |
| Loss of Division I DC | Failure of Division II DC resulting in loss of all high pressure injection and inability to depressurize | 4 |
| Loss of Division II DC | Failure of Division I DC resulting in loss of all high pressure injection and inability to depressurize | 4 |
| Turbine Trip | Failure to scram, main condenser unavailable, failure to control HPCI, failure of both early and late standby liquid control (SLC) injection | 3 |

Excluding initiators, the most important events based on the Fussell-Vesely importance measure are (in decreasing order of importance): [RAI Responses, Table B-1]

  • Failure to recover offsite power within 30 minutes
  • Failure to recover emergency AC power within 30 minutes
  • Failure to recover offsite power within 2 hours
  • Failure to recover emergency AC power within 2 hours

2.7.2 Vulnerabilities

The licensee used the following criteria to search for vulnerabilities:

  • Are there any new or unusual means by which core damage or containment failure occur as compared to those identified in other PRAs?
  • Do the results suggest that the Duane Arnold CDF would not be able to meet the NRC's safety goal for core damage?
  • Are there any single failures of components that lead directly to a core damage state? This does not include the common cause failure of multiple components of similar types.

Based on the above criteria, the licensee concluded that there are no vulnerabilities at Duane Arnold, either in the original IPE or in the subsequent IPE revisions. However, the licensee notes that many insights were gained through the vulnerability evaluation process. [pp. 3-444 of submittal] [RAI Responses, p. A-2]

2.7.3 Proposed Improvements and Modifications

As previously noted in Section 2.6.2 of this report, two plant modifications were identified during the revision of the original IPE analysis that significantly reduce the potential for flooding-related accidents in the control building. These modifications change the control building fire protection system from a "wet" pipe system to a "dry" pipe system. Credit for these modifications was taken in the Revision 3 PSA analysis. [RAI Responses]

The submittal states that no specific improvements to either hardware or procedure were deemed to be necessary as a result of the (original) IPE. However, the licensee identified several potential improvements and evaluations in conjunction with the original IPE process, though no specific plans for their implementation are described in the submittal. These potential improvements and evaluations are summarized below: [transmittal letter, pp. 6-1 to 6-12 of submittal]

  • Develop an AOP or EOP to address total loss of 125 VDC
  • Evaluate the existing EOP guidance that directs operators to terminate vessel injection from sources external to the containment if the drywell pressure reaches 53 psia
  • Maintain heightened awareness of the operations staff regarding the timely use of the standby liquid control system in ATWS scenarios
  • Test diesel fire pump capability for vessel injection and evaluate DC reserve need to accomplish this action
  • Evaluate the appropriateness of terminating water injection to the containment under any circumstances for which core degradation may be aggravated
  • Prioritize injection systems for use in degraded core conditions
  • Evaluate the use of drywell sprays as a means to control the drywell temperature to avoid premature containment failure
  • Provide guidance to operators related to the protection of containment and cooling debris using methods that do not require venting
  • Evaluate the benefits of resetting the ADS timer instead of immediately locking out the automatic initiation of ADS

Finally, it is noted that the original IPE took credit for a hardened containment vent that was expected to be completed at the end of 1992, shortly after completion of the IPE submittal. [transmittal letter, p. 4-51 of submittal]

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

This section of the report provides an overall evaluation of the quality of the IPE based on this review. Strengths and weaknesses of the IPE are summarized. Insights from the IPE are presented.

All of the major aspects that affect the CDF were addressed in the IPE. The analysis addresses the plant-specific characteristics of the Duane Arnold plant, those that impact the CDF both positively and negatively.

Strengths of the IPE are as follows. The evaluation and identification of plant-specific initiating events is thorough compared to some other IPE/PRA studies. The IPE goes beyond the bounds of some other BWR IPE/PRA studies by considering and modeling common cause failures between the HPCI and RCIC systems.

One potential weakness of the IPE was identified. It is not clear from the available IPE documentation whether plant-specific component failure data were used for any systems other than RCIC and HPCI. Also, it is not clear how plant-specific component failure data for RCIC and HPCI were used in the analysis.

Significant findings on the front-end portion of the IPE are as follows:

  • Internal flooding is a negligible contributor to CDF. The low CDF contribution of internal flooding can be at least partially attributed to two plant modifications that significantly reduce the potential for flooding-related accidents in the control building. These plant modifications were identified during a revision of the original IPE analysis.

4. DATA SUMMARY SHEETS

This section of the report provides a summary of information from our review.

Overall CDF

The mean CDF estimate for Duane Arnold is 1.50E-05/yr. The CDF contribution from internal flooding was estimated to be 2.3E-08/yr.

Dominant Initiating Events Contributing to CDF*

LOSP 42%
Turbine Trip w/ Bypass and subseq. ATWS 13%
MSIV Closure and subseq. ATWS 7%
Manual Shutdown 6%
Loss of Division I DC 6%
Turbine Trip w/ Bypass (no subseq. ATWS) 6%
Loss of River Water 5%
Loss of Division II DC 5%

Dominant Hardware Failures and Operator Errors Contributing to CDF

Based on the Fussell-Vesely importance measure, dominant hardware failures contributing to CDF are: [RAI Responses, Table B-1]

  • Failure of reactivity control (scram)
  • Common cause failure of both diesel generators
  • Failure of alternate low pressure injection (fire pump)

Based on the Fussell-Vesely importance measure, dominant human errors and recovery factors contributing to CDF are: [RAI Responses, Table 36-2, B-1]

  • Failure to recover offsite power within 30 minutes
  • Failure to recover emergency AC power within 30 minutes
  • Failure to recover offsite power within 2 hours
  • Failure to recover emergency AC power within 2 hours

* Only the most dominant initiating event contributors to CDF are listed here. The data in this table were extracted from Figure A-4 and Table B-3 of the RAI Responses. A complete set of initiating event contributors to CDF can be extracted from Table B-3 of the RAI Responses.

Dominant Accident Classes Contributing to CDF

LOSP 42%
ATWS 22%
Transients 17%
Special Events 16%
LOCA 3%

Station blackout appears to represent 40% of the overall CDF.

Design Characteristics Important for CDF

  • Hardened wetwell vent. Installation of a hardened wetwell vent was expected to be finished shortly after completion of the IPE submittal. This design feature tends to reduce the CDF. Credit for this hardened vent was taken in the analysis. [submittal transmittal letter, p. 4-51 of submittal]

  • Diverse means for establishing alternate vessel injection. Alternate vessel injection can be supplied from 5 different sources, specifically by the appropriate lineup of equipment in (1) the emergency service water system (ESW), (2) the general service water system (GSW), (3) the residual heat removal service water (RHRSW) system, (4) the fire water system, or (5) the well water system. This design feature tends to reduce the CDF. [pp. 1-3, 3-179, 3-209, 3-279, 3-378, 6-2 of submittal]

  • Reliable design of offsite power supply system. The offsite power switchyard has a diverse dual ring bus arrangement that helps to minimize the possibility of losing the supply of offsite power. In addition, essential loads are normally operated from the startup transformer, thereby eliminating the need for a "fast transfer" on loss of the main generator. This design feature tends to reduce the CDF. [p. 6-1 of submittal]

  • Large air accumulators for feedwater regulating valves. The feedwater regulating valves have large air accumulators installed. Consequently, an extended loss of the external instrument air supply would be required to fail these valves. This design feature tends to reduce the CDF. [p. 6-1 of submittal]

  • Ability of equipment to operate without heating, ventilating, and air conditioning (HVAC) for extended periods. Most of the equipment located in the reactor building can operate without HVAC for extended periods. Plant analyses have been performed to demonstrate that the large rooms in the reactor building have sufficient heat capacity to significantly limit the temperature rise in the absence of room cooling. This design feature tends to reduce the CDF. [p. 6-2 of submittal]

  • Halting of depressurization in Emergency Operating Procedures (EOPs). The Duane Arnold EOPs specify halting depressurization at 200 psig when turbine-driven systems are available but low pressure injection systems are not. This design feature tends to reduce the CDF. [p. 6-2 of submittal]

Modifications

As previously noted in Section 2.6.2, a plant modification was identified during the revision of the original IPE analysis that significantly reduces the potential for flooding-related accidents in the control building. This modification changes the control building fire protection system from a "wet" pipe system to a "dry" pipe system. Credit for this modification was taken in the Revision 3 PSA analysis. [RAI Responses]

The submittal states that no specific improvements to either hardware or procedure were deemed to be necessary as a result of the (original) IPE. However, the licensee identified several potential improvements and evaluations in conjunction with the original IPE process, though no specific plans for their implementation are described in the submittal. These potential improvements and evaluations are summarized below: [transmittal letter, pp. 6-1 to 6-12 of submittal]

  • Develop an AOP or EOP to address total loss of 125 VDC
  • Evaluate the existing EOP guidance that directs operators to terminate vessel injection from sources external to the containment if the drywell pressure reaches 53 psia
  • Maintain heightened awareness of the operations staff regarding the timely use of the standby liquid control system in ATWS scenarios
  • Test diesel fire pump capability for vessel injection and evaluate DC reserve need to accomplish this action
  • Evaluate the appropriateness of terminating water injection to the containment under any circumstances for which core degradation may be aggravated
  • Prioritize injection systems for use in degraded core conditions
  • Evaluate the use of drywell sprays as a means to control the drywell temperature to avoid premature containment failure
  • Provide guidance to operators related to the protection of containment and cooling debris using methods that do not require venting
  • Evaluate the benefits of resetting the ADS timer instead of immediately locking out the automatic initiation of ADS

Finally, it is noted that the original IPE took credit for a hardened containment vent that was expected to be completed at the end of 1992, shortly after completion of the IPE submittal. [transmittal letter, p. 4-51 of submittal]

Other USI/GSIs Addressed

The submittal does not propose to resolve any GSI/USIs other than DHR.

Significant PRA Findings

Significant findings on the front-end portion of the IPE are as follows:

  • Internal flooding is a negligible contributor to CDF. The low CDF contribution of internal flooding can be at least partially attributed to two plant modifications that significantly reduce the potential for flooding-related accidents in the control building. These plant modifications were identified during a revision of the original IPE analysis.

REFERENCES

[IPE Submittal] Duane Arnold IPE Submittal, November 30, 1992.

[Limerick PRA] Limerick Generating Station Probabilistic Risk Assessment, Philadelphia Electric Company, Docket 50-352, 353, March 1981.

[NSAC 147] Losses of Offsite Power at U.S. Nuclear Power Plants Through 1989, EPRI (Nuclear Safety Analysis Center), NSAC-147, March 1990.

[NUREG 0666] A Probabilistic Safety Analysis of DC Power Supply Requirements for Nuclear Power Plants, NUREG-0666, April 1981.

[NUREG 1032] Evaluation of Station Blackout Accidents at Nuclear Power Plants: Technical Findings Related to Unresolved Safety Issue A-44, Final Report, NUREG-1032, June 1988.

[NUREG 1289] Regulatory and Backfit Analysis: Unresolved Safety Issue A-45, Shutdown Decay Heat Removal Requirements, NUREG-1289, November 1988.

[NUREG/CR-1362] Data Summaries of Licensee Event Reports of Diesel Generators at U.S. Commercial Nuclear Power Plants, January 1976 to December 31, 1978, NUREG/CR-1362, March 1980.

[NUREG/CR 4550 Methodology] NUREG/CR-4550, Vol. 1, Rev. 1, Analysis of Core Damage Frequency: Internal Events Methodology, January 1990.

[NUREG/CR 4780] Procedures for Treating Common Cause Failures in Safety and Reliability Studies, NUREG/CR-4780, Vol. 1, February 1988 and Vol. 2, January 1989.

[EPRI 3967] Classification and Analysis of Reactor Operating Experience Involving Dependent Failures, EPRI NP-3967, June 1985.

[RAI Responses] NG-95-1979, Letter from J. F. Franz, IES Utilities Inc., to W. T. Russell, NRC, June 26, 1995.

[Shoreham PRA] Shoreham Nuclear Power Station Probabilistic Risk Assessment, Long Island Lighting Company, Docket 50-322, June 1983.

DUANE ARNOLD NUCLEAR POWER PLANT
TECHNICAL EVALUATION REPORT
(HRA)

CA/TR-93-019-14

DUANE ARNOLD ENERGY CENTER
TECHNICAL EVALUATION REPORT ON THE IPE SUBMITTAL
HUMAN RELIABILITY ANALYSIS

FINAL REPORT

By: P. M. Haas

Prepared for:
U.S. Nuclear Regulatory Commission
Office of Nuclear Regulatory Research
Division of Systems Technology

Draft Report June, 1993
Final Report August, 1995

CONCORD ASSOCIATES, INC.
Systems Performance Engineers
11915 Cheviot Drive, Herndon, VA 22070, (703) 318-9262
725 Pellissippi Parkway, Knoxville, TN 37932, (615) 675-0930
6201 Picketts Lake Drive, Acworth, GA 30101, (404) 917-0690

Contract No. NRC-04-91-069
Task Order No. 14

TABLE OF CONTENTS

E. EXECUTIVE SUMMARY
  E.1 Plant Characterization
  E.2 Licensee IPE Process
  E.3 Human Reliability Analysis
    E.3.1 Pre-Initiator Human Actions
    E.3.2 Post-Initiator Human Actions
  E.4 Generic Issues and CPI
  E.5 Vulnerabilities and Plant Improvements
  E.6 Observations

1. INTRODUCTION
  1.1 HRA Review Process
  1.2 Plant Characterization

2. TECHNICAL REVIEW
  2.1 Licensee IPE Process
    2.1.1 Completeness and Methodology
    2.1.2 Multi-Unit Effects and As-Built, As-Operated Status
    2.1.3 Licensee Participation and Peer Review
      2.1.3.1 Licensee Participation
      2.1.3.2 Peer Review
  2.2 Pre-Initiator Human Actions
    2.2.1 Pre-Initiator Human Actions Considered
    2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions
    2.2.3 Screening Process for Pre-Initiator Human Actions
    2.2.4 Quantification of Pre-Initiator Human Actions
  2.3 Post-Initiator Human Actions
    2.3.1 Types of Post-Initiator Human Actions Considered
    2.3.2 Process for Identification and Selection of Post-Initiator Human Actions
    2.3.3 Screening Process for Post-Initiator Response Actions
    2.3.4 Quantification of Post-Initiator Human Actions
      2.3.4.1 Performance Shaping Factors Considered
      2.3.4.2 Dependency Among Multiple Actions
    2.3.5 Human Actions in the Flooding Analysis
    2.3.6 Human Actions in the Level 2 Analysis
    2.3.7 GSI/USI and CPI Recommendations
  2.4 Vulnerabilities, Insights and Enhancements
    2.4.1 Vulnerabilities
    2.4.2 Insights Related to Human Performance
    2.4.3 Human-Performance-Related Enhancements

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

4. DATA SUMMARY SHEETS

REFERENCES

E. EXECUTIVE SUMMARY

This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Duane Arnold Energy Center (DAEC) Individual Plant Examination (IPE) submitted by Iowa Electric Light and Power Company to the U.S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staff in their evaluation of the IPE and conclusions regarding whether the submittal meets the intent of Generic Letter 88-20.

E.1 Plant Characterization

The DAEC is a single-unit facility with a boiling water reactor (BWR-4) and a Mark I type containment. The plant is rated at 1,658 megawatts thermal, 541 net megawatts electric. Commercial operation was initiated February 1, 1975. Similar plants in operation include Browns Ferry 1, 2, 3, Hatch 1, 2, Brunswick 1, 2, Hope Creek 1, 2, Fitzpatrick, and Vermont Yankee. The front-end reviewer identified several "unique" features significant to core damage frequency (CDF), including several with human performance implications:

  • Hardened wetwell vent
  • Diverse means for establishing alternate vessel injection
  • Ability of equipment to operate without HVAC for extended periods of time
  • Halting of depressurization in EOPs

In general, the important operator actions for DAEC are typical of those in other BWRs: failure to inhibit the automatic depressurization system (ADS) and, if necessary, to then depressurize by manually initiating the ADS system, during an anticipated transient without scram (ATWS) sequence; failure to inject standby liquid control (SLC); failure to vent the torus. Operator actions to recover offsite power and emergency AC power are important contributors to CDF, but are treated with an industry data-based model that includes operator action and equipment failure rather than as specific operator actions. Containment venting is a significant operator action for the Level 2 analysis that is treated as a top event in the containment event trees (CETs).

E.2 Licensee IPE Process

The HRA approach employed by the licensee was generally complete in scope. Both pre-initiator human actions (actions during maintenance, test, etc.) that could cause failure of important equipment on demand during an accident and post-initiator human actions (those taken in response to an accident event) were addressed. The licensee used documentation review, plant walkdowns and discussion with plant personnel to help assure that the HRA model represents the as-built, as-operated plant. The IPE represented the plant as of April, 1992, with the exception that the hardened vent from the suppression pool, which was scheduled for completion soon after the submittal, was included in the models. As part of its response to the NRC request for additional information, the licensee submitted results from an updated version of the IPE (PRA). We did not review the complete updated submittal. This review is based on the original submittal, with limited exceptions that are specifically noted in this report. DAEC personnel were involved in the development of the IPE; and an independent review process by the licensee, including a review of the HRA by an independent contractor, helped to assure that the HRA techniques were properly implemented. The licensee identified important human actions using sensitivity studies and importance measures (risk achievement and Fussell-Vesely). Potential human-performance related enhancements were identified and discussed in the IPE, though no specific enhancements were identified that were incorporated.

E.3 Human Reliability Analysis

E.3.1 Pre-Initiator Human Actions.

The DAEC HRA addressed pre-initiator errors in maintenance, test and surveillance actions by incorporating human error into the systems analysis (fault trees) as a specific cause for system unavailability. Both restoration errors and calibration errors were addressed. The licensee's process for identification and selection of pre-initiator human errors included review of procedures and discussion with operations and maintenance staff. No numerical screening was performed to eliminate less important actions from the model. A qualitative screening that included review of procedures, discussion with plant staff, review of plant data, and review of other PRAs identified eight basic pre-initiator actions associated with several different functions important to the PRA that were included in the model. These eight actions (some with multiple basic events) were quantified and included as basic events in fault trees. The actions were quantified using the Accident Sequence Evaluation Program (ASEP) pre-initiator HRA model (Ref. 1). The licensee's analysis followed closely the guidance provided in Reference 1 for the ASEP screening model for pre-initiator human actions. Recovery factors credited were justified by the licensee. Human related dependencies that could lead to common cause failures were addressed in the common cause analysis or were assumed to be incorporated into equipment failure data.

E.3.2 Post-Initiator Human Actions.

The post-initiator HRA addressed both response-type and recovery-type actions. The process employed by the licensee to identify and select the post-initiator actions to be quantified included review of procedures and discussion with operations/training staff. No numerical screening was employed; all post-initiator actions identified as important in the sequence analysis were quantified. Both response-type and recovery-type actions were quantified using four different HRA techniques. The Risk Methods Integration and Evaluation Program (RMIEP) HRA methodology (Ref. 2) and the EPRI Operator Reliability Experiments (ORE) methodology (Ref. 3) were the primary methods chosen. Both of these techniques use time reliability correlations based on simulator data. Coarse screening techniques were used in some cases where "detailed" analysis was not felt to be warranted. Plant-specific consideration of performance shaping factors and dependencies influencing human error were included in the analysis consistent with the constraints and guidance of the selected methodologies. Dependencies among multiple human actions were treated in a manner generally consistent with other accepted PRAs. Quantitative results, i.e., HEPs, were generally consistent with results in other PRAs.

E.4 Generic Issues and CPI

The licensee addressed Unresolved Safety Issue A-45, Decay Heat Removal. The front-end reviewers identified several unique DAEC features associated with the ability to assure decay heat removal. Human actions are associated with most of these features.

The licensee addressed recommendations of the Containment Performance Improvement (CPI) Program. Probably most significant to human performance is that the BWR Owners Group Revision 4 of the Emergency Procedures Guidelines has been incorporated into the DAEC EOPs.

E.5 Vulnerabilities and Plant Improvements

The licensee used three criteria to identify a vulnerability:

1. Are there any new or unusual means by which core damage or containment failure occur as compared to those identified in other PRAs?
2. Do the results suggest that the DAEC core damage frequency would not be able to meet the NRC's safety goal for core damage?
3. Are there any single failures of components that lead directly to a core damage state? This does not include the common cause failure of multiple components of similar types.

No vulnerabilities were identified in the IPE using these criteria. There were significant "insights" developed relating to systems, components or actions which influenced the results of the IPE to a greater level than other events. Potential human-performance-related enhancements were identified and reviewed by the licensee. No specific enhancements were identified as being implemented.

E.6 Observations

The following observations are pertinent to NRC staff's determination of whether the licensee's submittal meets the intent of Generic Letter 88-20:

(1) The submittal and supporting documentation indicates that utility personnel were involved in the HRA, and that the walkdowns and documentation reviews constituted a viable process for confirming that the HRA portions of the IPE represent the as-built, as-operated plant.

(2) The licensee performed an in-house peer review that provides some assurance that the HRA techniques have been correctly applied and that documentation is accurate.

(3) The licensee's analysis of pre-initiator human actions was reasonably complete. Identification and selection of human actions to be quantified included review of calibration, test and maintenance procedures and discussion with plant personnel. Both calibration and restoration errors were included. The quantification process properly employed the ASEP screening approach for pre-initiator human actions. This approach is a relatively coarse HRA technique, but has been used in other accepted PRAs. A pre-initiator action was identified as one of the most important human actions.

(4) The treatment of post-initiator human actions was complete in scope. It included both response-type and recovery-type actions. The process for identification and selection of post-initiator human actions included review of procedures and discussion with plant operations and training staff. The licensee's process for quantification of post-initiator actions employed four different approaches - two "detailed" techniques and two "screening" techniques. Justification was provided by the licensee for selection of the particular method. The licensee's process properly implemented the guidance of the four methods. Plant-specific performance shaping factors were considered, consistent with the capabilities and guidance for the methods selected. Sequence-specific impacts and dependencies among multiple human actions were addressed. Quantitative results were generally consistent with the range of results in other accepted PRAs.

(5) The licensee's level 2 analysis included a relatively large number of operator actions compared to most PRAs. The licensee provided a discussion of a rationale for determination of Level 2 HEPs. While the licensee's arguments have some validity, it should be noted that PRAs usually have taken relatively limited credit for operator action in the Level 2 analysis because of the general uncertainties associated with the operator response and with the application of existing HRA techniques to post-core-melt conditions. In our view, the licensee's credit for operator action in the level 2 analysis should be accepted with caution.

(6) The licensee used sensitivity studies and importance calculations to identify operator actions important to risk. Importance calculations were provided using Risk Achievement Worth and Fussell-Vesely importance measures.

(7) The licensee employed a systematic process to screen for vulnerabilities and identify potential enhancements. No vulnerabilities were identified. A number of potential human-performance-related enhancements (improvements to training or procedures) were identified and reviewed in the submittal. No specific enhancements were identified related to those discussions.

1. INTRODUCTION

This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Duane Arnold Energy Center (DAEC) Individual Plant Examination (IPE) submitted by Iowa Electric Light and Power Company to the U.S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staff in their evaluation of the IPE and conclusions regarding whether the submittal meets the intent of Generic Letter 88-20.

1.1 HRA Review Process

The HRA review was a "document-only" process which consisted of essentially four steps:

(1) Comprehensive review of the IPE submittal focusing on information pertinent to HRA.

(2) Preparation of a draft TER summarizing preliminary findings and conclusions, noting specific issues for which additional information was required from the licensee, and formulating requests to the licensee for the necessary additional information.

(3) Review of preliminary findings, conclusions and proposed requests for additional information (RAIs) with NRC staff and with "front-end" and "back-end" reviewers.

(4) Review of licensee responses to the NRC requests for additional information, and preparation of this final TER modifying the draft to incorporate results of the additional information provided by the licensee and finalize conclusions.

Findings and conclusions are limited to those that could be supported by the document-only review. No visit to the site was conducted. No discussions were held with plant personnel or IPE/HRA analysts, either during the initial review of the submittal, nor after receipt of licensee responses to NRC RAIs. No review of detailed "Tier 2" information was performed, except for selected details provided by the licensee in direct response to NRC RAIs. In general it was not possible, and it was not the intent of the review, to reproduce results or verify in detail the licensee's HRA quantification process. The review addressed the reasonableness of the overall approach with regard to its ability to permit the licensee to meet the goals of Generic Letter 88-20.

1.2 Plant Characterization

The DAEC is a single-unit facility with a boiling water reactor (BWR-4) and a Mark I type containment. The plant is rated at 1,658 megawatts thermal, 541 net megawatts electric. Commercial operation was initiated February 1, 1975. Similar plants in operation include Browns Ferry 1,2,3, Hatch 1,2, Brunswick 1,2, Hope Creek 1,2, Fitzpatrick, and Vermont Yankee. The front-end reviewer identified several "unique" features significant to core damage frequency (CDF), including several with human performance implications:

  • Hardened wetwell vent. Installation of a hardened wetwell was expected to be finished shortly after completion of the IPE. Credit for the hardened vent was taken in the IPE. Operator action to vent is an important operator action.

  • Diverse means for accomplishing alternate vessel injection. Alternate vessel injection can be provided (with operator action to align equipment) from five different sources: (1) the emergency service water (ESW) system, (2) the general service water (GSW) system, (3) the residual heat removal service water (RHRSW) system, (4) the fire water system, and (5) the well water system.

  • Ability of equipment to operate without HVAC for extended periods of time. The submittal notes a lack of dependence on heating, ventilation and air conditioning (HVAC) systems, though operator actions required to provide backup room cooling are important in a number of sequences.

  • Halting of depressurization in EOPs. The DAEC emergency operating procedures (EOPs) specify halting depressurization at 200 psig when turbine-driven systems are available but low pressure injection systems are not.

In general, the important operator actions for DAEC are typical of those in other BWRs: failure to inhibit the automatic depressurization system (ADS) and, if necessary, to then depressurize by manually initiating the ADS system, during an anticipated transient without scram (ATWS) sequence; failure to inject standby liquid control (SLC); failure to vent the torus. Operator actions to recover offsite power and emergency AC power are important contributors to CDF, but are treated with an industry data-based model that includes operator action and equipment failure rather than as specific operator actions. Containment venting is a significant operator action for the Level 2 analysis that is treated as a top event in the containment event trees (CETs).

2. TECHNICAL REVIEW

2.1 Licensee IPE Process

2.1.1 Completeness and Methodology.

The submittal information on the HRA process was generally complete in scope. Some additional information and clarification was required from the licensee. That information/clarification was obtained from the licensee in response to an NRC request for additional information (RAI). The HRA approach employed by the licensee addressed both pre-initiator human actions (actions during maintenance, test, etc.) that could cause failure of important equipment on demand during an accident, and post-initiator human actions (those taken in response to an accident event). Pre-initiator human actions were quantified using the nominal pre-initiator HRA procedure from the Accident Sequence Evaluation Program (Ref. 1). Some plant-specific performance shaping factors were considered in the pre-initiator analysis.

Post-initiator human actions were quantified using four different HRA approaches, primarily the Risk Methods Integration and Evaluation Program (RMIEP) HRA approach and the Electric Power Research Institute Operator Reliability Experiments (EPRI/ORE) approach. Both response-type actions (anticipated actions in response to an accident event such as those designated in emergency operating procedures), and recovery-type actions (those involving alternative responses or recovery of failed equipment) were addressed. Plant-specific assessment was made of several performance shaping factors that influence likelihood of human error in response-type actions. Potential error recovery mechanisms also were considered. Dependencies among multiple actions in the same sequence were addressed.

2.1.2 Multi-Unit Effects and As-Built, As-Operated Status.

Duane Arnold is a single unit site; multi-unit effects are not an issue.

Information on licensee actions to assure that the IPE represents the as-built, as-operated plant is provided in Section 1.2 of the submittal, "Familiarization", and in Section 2.4, "Information Assembly". Section 1.2 of the submittal states that the IPE model represents the plant as of April, 1992, with the exception that the installation of the hard pipe vent from the suppression pool, which was scheduled for later in 1992, was included in the models. That section also contains a brief summary of major plant design features and key plant safety features and safety systems, including a tabulated comparison of DAEC features to the two most comparable NUREG-1150 plants (Peach Bottom and Grand Gulf). In Section 2.4 of the submittal, significant insights from the review of the Peach Bottom study are discussed as they relate to DAEC. Section 2.4 also provides a further summary of DAEC design features and discusses positive or negative aspects of those features with respect to key safety functions such as inventory makeup and pressure control, or with regard to major accidents such as station blackout.

A listing is provided in the submittal (Section 2.4.3) of the plant documents (and some generic industry sources) used in the information assembly and plant familiarization phase, and of the general type of information taken from each source. The submittal states that a number of means were used to confirm that the documents listed were accurate and up to date. One of the primary means was to use system engineers to prepare the system descriptions, success criteria and major insights. Systems engineers should have thorough and current knowledge of design features and operating practice. The submittal notes that the IPE system analysts were located at the plant site and therefore had ready access to plant systems, to systems engineers, to operators, and to the plant simulator to verify accuracy of the documentation used.

Similarly, there is a brief statement in Section 2.4.4 that many types of walkdowns were conducted throughout the IPE, including, apparently:

  • "First introductory or general" walkdowns for areas outside containment
  • A human error analysis walkdown
  • An internal flooding walkdown.

The noting of a walkdown conducted specifically for human error analysis (whether separate or in conjunction with other walkdowns) was a positive sign from the perspective of the HRA analysis. The walkdown included the DAEC analyst responsible for the HEP derivation and the consultant responsible for HEP guidelines.

The listing of documents, the brief statements on verification approach, and the comments on the walkdowns suggest that the licensee had a reasonably thorough approach to assuring that the IPE represented the as-built, as-operated plant.

2.1.3 Licensee Participation and Peer Review.

2.1.3.1 Licensee Participation. The summary material in Section 5 of the submittal suggests that the DAEC IPE organization and internal review was structured to effectively meet the goals of GL 88-20 and the guidance in NUREG-1335 regarding involvement of the plant staff outside of the IPE team. The IPE team was formulated as part of the Safety Analysis Group, which reports through the Supervisor of Mechanical Engineering and the Manager of Engineering to the Vice President for Nuclear. The group included one individual with a DAEC SRO license and one with SRO certification on another BWR. It also included individuals with previous PRA experience, as well as fairly broad nuclear industry engineering and operations experience. No specific experience in HRA was cited. The system notebooks and fault trees were prepared by personnel in the Systems Engineering Group who were responsible for specific systems.

2.1.3.2 Peer Review. An independent internal review committee was established which involved approximately 15 members from various departments throughout the plant, including Engineering, Technical Support, Emergency Planning, Training Center, Operations, and Licensing. No direct HRA or human factors qualifications or experience were cited in any of these internal groups. Consulting support was provided by ERIN Engineering and Research and by Gabor, Kenton & Associates. No specific HRA qualifications were cited, though we assume this expertise was provided by ERIN.

An independent external review was provided by James H. Moody of Moody Consulting and by Dr. G.W. Parry of Halliburton NUS. Dr. Parry is highly qualified and experienced in HRA, though qualifications are not cited in the submittal. The substantial (approximately 38 page) presentation of specific critical review comments and responses from the DAEC staff is a notable strength of the IPE submittal. Many comments are included regarding the HRA. Indeed, some of the information about the HRA that was presented only in these comments probably should have been presented earlier in the text of the submittal. However, the independent review by internal staff and external consultants appears to have been an important contribution to the effectiveness of the IPE, and presentation of the results was a significant positive contribution to the submittal.

2.2 Pre-Initiator Human Actions

Errors in performance of pre-initiator human actions, such as failure to restore or properly align equipment after testing or maintenance or calibration of system logic instrumentation, may cause components, trains, or entire systems to be unavailable on demand during an accident, and thus may significantly impact plant risk. Our review of the HRA portion of the IPE examines the licensee's HRA process to determine what consideration was given to pre-initiator human events, how potential events were identified, the effectiveness of quantitative and/or qualitative screening process(es) employed, and the processes for accounting for plant-specific performance shaping factors, recovery factors, and dependencies among multiple actions.

2.2.1 Pre-Initiator Human Actions Considered.

The DAEC HRA addressed human errors in maintenance, test and surveillance, and calibration by incorporating human error into the systems analysis (fault trees) as a specific cause for system unavailability. Both restoration (realignment of equipment after maintenance, test or calibration) and calibration of instrumentation were addressed.

2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions.

The key concerns of the NRC staff review regarding the process for identification and selection of pre-initiator human events are: (a) whether maintenance, test and calibration procedures for the systems and components modeled were reviewed by the systems analyst(s), and (b) whether discussions were held with appropriate plant personnel (e.g., maintenance, training, operations) on the interpretation and implementation of the plant's test, maintenance and calibration procedures to identify and understand the specific actions and the specific components manipulated when performing the maintenance, test, or calibration tasks.

The submittal provides a reasonably complete but general summary of the process followed in the systems analysis. The discussion includes general statements indicating that the process for identification of pre-initiator actions included review of procedures and discussion with operations and maintenance personnel. For example, the submittal states that the draft systems notebooks were reviewed by operations and maintenance personnel "as available". Systems data included training manuals and operating procedures. The systems notebooks included documentation of test and maintenance programs. These general statements provide some indication that identification of pre-initiator human errors was an integral part of a structured process followed in performing the systems analysis, though there is limited specific narrative information in the submittal. In response to an NRC RAI, the licensee indicated that the process for identifying pre-initiator human actions was the same approach specified in NUREG/CR-4550 (Ref. 4). That reference, which describes the HRA process used in the NUREG-1150 studies, indicates that in the evaluation of pre-initiator actions calibration, test, and maintenance procedures were reviewed for each front-line and support system. The evaluation included identifying: (1) sensors that require calibration and if miscalibration precludes system operation or prevents the operator from diagnosing system condition, and (2) systems and components removed from service during test or maintenance but which could be left in an inoperable state. Based on the licensee's statement that this process was followed, in particular that each front-line and support system was examined, it appears that the licensee's process for identification of pre-initiator human actions was reasonably complete.

2.2.3 Screening Process for Pre-Initiator Human Actions.

No numerical screening process was employed to eliminate pre-initiator human errors from detailed quantification. All pre-initiator errors identified as important from the (qualitative) systems analysis were quantified and included in the IPE model.

2.2.4 Quantification of Pre-Initiator Human Actions.

The submittal identifies eight pre-initiator operator actions, in some cases represented as multiple different basic events, that were quantified using the Accident Sequence Evaluation Program (ASEP) Procedure for Screening HRA of Pre-Accident Tasks (Ref. 1). These eight operator actions are summarized in Table 2-1 below. The ASEP value of 0.03 was used for the basic human error probability (BHEP) for failing to perform a critical action. This value represents an HEP of 0.02 for an error of omission (EOM) and 0.01 for an error of commission (ECOM). In the ASEP screening procedure, this basic HEP can be modified (reduced) to account for impacts of four plant-specific performance shaping factors or recovery factors:

  • The presence of a "compelling" signal, e.g., a control room alarm
  • A post-maintenance or post-calibration check that, if performed correctly, will recover the error
  • A second check is performed with a written checkoff list
  • A shiftly or daily check of component status using a written checkoff list.

Table 2-1 Pre-Initiator Human Actions Included in the IPE Model

| PRA SEQUENCE FUNCTION | OPERATOR ACTION DESCRIPTION | HEP |
|---|---|---|
| High Pressure Injection | HPCI auto reset not reset | 2.7E-05 |
| | Operator fails to take action to empty drain pot | 2.7E-05 |
| | RCIC mechanical overspeed trip not reset following test and maintenance | 2.7E-05 |
| Low Pressure Injection | Operator fails to notice low basin water level | 8.0E-04 |
| Reactivity Control (ATWS Response) | Operator fails to respond to low level indication in the SLC tank | 2.7E-05 |
| | Tour by operator fails to uncover low level in tank (once per day) | 2.7E-05 |
| Level/Pressure Instrumentation | Miscalibration of level instrumentation used to initiate the HPCI/RCIC/LPCI/CS pumps | 8.0E-05 |
| | Miscalibration of pressure instrumentation used to initiate the HPCI/RCIC/LPCI/CS/Recirc. pumps | 8.0E-05 |

The DAEC pre-initiator HRA applied the ASEP screening process in accordance with the guidance of Reference 1. In six of the eight cases, the HEP was set to (a median of) 1.0E-05 per ASEP guidance (mean of 2.75E-05) because a compelling signal was determined to exist. In the other two cases credit was taken for a post-calibration test and a second checker to reduce the HEP by a factor of 0.01 and 0.1, respectively, to 3.0E-05 (mean of 8.0E-04).
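The screening arithmetic described above, as an added example (not code from the submittal or from this review): it applies the basic HEP and recovery-factor values quoted in this section and converts the resulting medians to means. The lognormal error factor of 10 and the assignment of credits to the sample actions are assumptions made for the example; under that assumption the means round to the 2.7E-05 and 8.0E-05 entries that appear in Table 2-1.

```python
import math

# Values quoted in this section of the TER.
BHEP_OMISSION = 0.02              # error of omission (EOM)
BHEP_COMMISSION = 0.01            # error of commission (ECOM)
COMPELLING_SIGNAL_MEDIAN = 1.0e-5  # median HEP when a compelling signal exists
RECOVERY_FACTORS = {
    "post_calibration_test": 0.01,
    "second_checker": 0.1,
}

# Assumption for this example: HEPs are lognormally distributed with an
# error factor (95th percentile / median) of 10. The TER does not state it.
ASSUMED_ERROR_FACTOR = 10.0
Z_95 = 1.645  # 95th percentile of the standard normal distribution


def median_hep(compelling_signal=False, credited=()):
    """Median screening HEP for one pre-initiator action."""
    if compelling_signal:
        return COMPELLING_SIGNAL_MEDIAN
    if len(set(credited)) != len(credited):
        raise ValueError("a recovery factor may be credited only once")
    hep = BHEP_OMISSION + BHEP_COMMISSION  # basic HEP of 0.03
    for name in credited:
        if name not in RECOVERY_FACTORS:
            raise ValueError(f"no value quoted for recovery factor {name!r}")
        hep *= RECOVERY_FACTORS[name]
    return hep


def lognormal_mean(median, error_factor=ASSUMED_ERROR_FACTOR):
    """Mean of a lognormal distribution given its median and error factor."""
    if not 0.0 < median <= 1.0:
        raise ValueError("median must be a probability in (0, 1]")
    sigma = math.log(error_factor) / Z_95
    return min(1.0, median * math.exp(sigma ** 2 / 2.0))


# Action names are taken from Table 2-1; which credits apply to which action
# is constructed for this example. The last entry is a constructed case with
# no credit at all, to show the unmodified basic HEP.
SAMPLE_ACTIONS = [
    ("HPCI auto reset not reset", True, ()),
    ("Miscalibration of level instrumentation", False,
     ("post_calibration_test", "second_checker")),
    ("Constructed case: no recovery credited", False, ()),
]


def quantify(actions):
    """Return (name, median, mean) for each action."""
    rows = []
    for name, compelling, credited in actions:
        med = median_hep(compelling, credited)
        rows.append((name, med, lognormal_mean(med)))
    return rows


if __name__ == "__main__":
    for name, med, mean in quantify(SAMPLE_ACTIONS):
        print(f"{name:<42} median {med:.1e}  mean {mean:.1e}")
```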

The licensee states in the response to the NRC RAI that members of the plant operating staff were interviewed to obtain plant-specific information on the recovery factors and that credit was taken on the basis of the interview responses.

The ASEP pre-initiator screening approach uses a very simplified treatment of some aspects of dependency, i.e. either zero dependence or complete dependence. Human actions on components in series are assumed to have zero dependence. Actions on components in parallel are assumed to have complete dependence, unless testing/maintenance is scheduled to assure that parallel trains or components are tested/restored on different shifts, in which case zero dependence is applied. In a response to an NRC RAI, the licensee indicated that the consideration of dependencies for pre-initiator human actions focused on dependencies among equipment that could be induced by human error. Such dependencies were considered by reviewing unique features of DAEC identified from review of procedures, surveillance testing and equipment, by reviewing DAEC experience, and by reviewing pre-initiator human errors identified in other PRAs. Specific features of DAEC that were identified as requiring "special attention" were:

  • The river water system
  • The low pressure interlock on the LPCI/CS injection valves
  • The diesel generators
  • The DC buses and batteries
  • The ESW system
  • The control building cooling
  • The RPV water level system.

Three types of dependencies were considered to be important to capture in the IPE model:

1) Dependencies that would affect multiple trains, such as errors that would:

  • Defeat multiple trains of DC power and inhibit recovery
  • Fail multiple components through common cause maintenance or testing error, e.g., diesel generators or LPCI injection motor operated valves.

2) Dependencies that can cause an initiating event and inhibit effective response, e.g., loss of all river water or loss of DC bus.

3) Latent dependencies that defeat multiple channels of instrumentation and therefore lead to the inability of effective post-initiator operator action. These include:

  • Common mode miscalibration of the low RPV pressure interlock
  • Common mode miscalibration of RPV water level instruments.

The licensee states that, with the exception of the common mode miscalibration failure noted previously (CS and LPCI pressure interlocks), the dependency analysis performed for the IPE, including the common cause analysis, adequately addressed (quantified) the impact of these dependencies induced by pre-initiator human errors. The human errors were not modeled explicitly, but were assumed to be included in the failure data. Examples identified by the licensee in which combined human and hardware failure probabilities were based on actual operating experience data included: SLC squib valve maintenance failures, ADS valve failures, emergency diesel generator (EDG) alignment failures, and pre-existing containment leakage. The licensee's common cause analysis is reviewed in more detail by the NRC front-end reviewers. It was not possible for us to determine from this document-only review whether the specific data and common cause analysis justify the licensee's assumption that common cause failures due to pre-initiator human errors were appropriately addressed.

This pre-initiator HRA quantification overall is a relatively coarse screening approach. In only one case, which was not described in detail, did the licensee state that a detailed plant-specific analysis was performed. A more detailed analysis of plant-specific conditions impacting human performance is preferred, but it is not possible without performing our own in-depth assessment to judge whether the coarse screening values are appropriate for the specific conditions at DAEC.

2.3 Post-Initiator Human Actions

Human errors in responding to an accident initiator, e.g., by not recognizing and diagnosing the situation properly or failing to perform required activities as directed by procedures, can have a significant effect on plant risk, and in some cases have been shown to be dominant contributors to core damage frequency (CDF). These errors are referred to as post-initiator human errors. The NRC staff review determines the types of post-initiator errors considered by the licensee, and evaluates the processes used to identify and select, screen, and quantify post-initiator errors, including issues such as the means for evaluating timing, dependency among human actions, and other plant-specific performance shaping factors.

2.3.1 Types of Post-Initiator Human Actions Considered.

There are two important types of post-initiator actions considered in most PRAs: response-type actions, which include those human actions performed in response to the first level directives of the emergency operating procedures/instructions (EOPs, or EOIs); and, recovery-type actions, which include those performed to recover a specific failure or fault (primarily equipment failure/fault) such as recovery of offsite power or recovery of a front-line safety system that was unavailable on demand earlier in the event. The DAEC HRA addressed both response-type and recovery-type actions per the above descriptions. However, the licensee clarified in a response to an NRC RAI that the quantification process is the same for both types. The licensee notes (correctly) that there are different uses of the term recovery actions in different PRAs and different HRA techniques. The licensee employs a broad definition that encompasses all post-initiator operator actions, including both response-type and recovery-type as described. No non-proceduralized recovery actions are credited. All post-initiator actions are directed by Emergency Operating Procedures (EOPs) or auxiliary procedures.

Recovery-type actions were not added to cutsets after the initial quantification, as is commonly done. The licensee states that an "iterative" process was used in which human actions identified as resulting in substantial benefit were investigated (quantified) and incorporated directly into the IPE models, i.e., into fault trees and event trees. A problem with incorporating recovery actions (in the narrower sense of actions in response to previous failures) into fault/event trees is that they usually are cutset-specific. Incorporating an action into a fault tree, for example, can result in that recovery action occurring every time that fault tree appears in the model, not just in the context of the cutset(s) in which the recovery action is logical and probable, unless special care is taken to eliminate the action where it is unlikely. Thus the credit for that action can be overestimated. It is not possible to determine from this document-only review whether the quantitative impact is significant for the DAEC analysis.

2.3.2 Process for Identification and Selection of Post-Initiator Human Actions.

The primary thrust of our review related to this question is to assure that the process used by the licensee to identify and select post-initiator actions is systematic and thorough enough to provide reasonable assurance that important actions were not inappropriately precluded from examination. Key issues are whether: (1) the process included review of plant procedures associated with the accident sequences delineated and the systems modeled; and, (2) discussions were held with appropriate plant personnel (e.g., operators, shift supervisors, training, operations) on the interpretation and implementation of plant procedures to identify and understand the specific actions and the specific components manipulated when responding to the accident sequences modeled.

The submittal provides limited direct discussion of the process for identification of human errors to be included in the IPE model. However, the discussions of accident sequence analysis in Section 3.1 of the submittal and of the overall IPE process in Section 2.4 on information assembly indicate that review of operating procedures, discussion with plant operations and training personnel, walkdowns, and simulator exercises all provided input to assure completeness in identifying important post-initiator actions. A general comparison of actions selected with those actions treated in other BWR PRAs identified no significant omissions.

2.3.3 Screening Process for Post-Initiator Response Actions.

The submittal does not discuss any numerical screening process for post-initiator human errors. The submittal does indicate that a sequence truncation value of 1.0E-11/yr was used to eliminate unimportant sequences.

2.3.4 Quantification of Post-Initiator Human Actions.

Post-initiator response actions were quantified using one of four methods:

1) Risk Methods Integration and Evaluation Program (RMIEP) HRA procedure (Ref. 2)
2) An EPRI "detailed" model described in EPRI-NP-6560-L (Ref. 3)
3) An EPRI "screening methodology" from EPRI Research Project 3206-03 (Ref. 5)
4) The ASEP post accident screening procedure (Ref. 6)

The licensee indicates that the above listing is in order of preference. More important actions (with regard to either core damage frequency or public risk) were treated with one of the two more detailed methods; less important actions with the EPRI or ASEP screening techniques. The basis for determination of importance was engineering judgement based on experience with past PRAs and HRAs. The more detailed methods were preferred by the licensee primarily because they are based on (simulator) data rather than analytic models. Both "detailed" approaches employ time reliability correlations. The RMIEP correlations used data based on simulator exercises performed on the LaSalle simulator; the EPRI correlations are based on simulator exercises performed as part of the Operator Reliability Experiments (ORE) program sponsored by EPRI at different simulators. For those actions warranting "detailed" analysis, the RMIEP method was the licensee's preferred choice, unless there is a limitation in the RMIEP data such that the data are not applicable to the specific DAEC action. For example, some DAEC actions were not well represented by the RMIEP groups of actions comprising the data set for a time reliability correlation; or, in some cases, the time available for operator action was beyond the limit of applicability of the RMIEP correlations.

2.3.4.1 Performance Shaping Factors Considered. Performance shaping factors influencing the likelihood of human error in post-initiator actions were identified and evaluated in accordance with the HRA techniques selected. In both the RMIEP methodology and the detailed EPRI method, each human action is treated as consisting of a "diagnosis" portion, which includes cognitive processes of diagnosis, detection, decision making, etc., and an "execution" portion, which is the physical action involved. The diagnosis portion usually is the dominant contributor to the total HEP. In the RMIEP methodology, simulator data from different "groups" of operator actions are included in a time reliability correlation for each group. Sequence-specific and action-specific performance shaping factors are implicitly incorporated into the time reliability correlation. Assignment of a particular action to a specific RMIEP group involves, at least indirectly, a qualitative assessment of those sequence-specific or action-specific factors. In response to an NRC RAI, the licensee indicated that the selection of the appropriate RMIEP group for DAEC-specific actions included, for example, the specific performance requirements of the action, the procedural guidance, adverse environmental impacts, and qualitative insights from operator interviews.

In some cases, the DAEC-specific actions are very similar to actions in one of the RMIEP groupings; in other cases, judgment is applied to select the "best" match; and in still other cases, it was determined that none of the RMIEP groups was appropriate, and the EPRI method was used.

The EPRI method also uses time reliability correlations - one for each of three different categorizations of operator actions. The EPRI categorizations are based on the " cue structure" of the action, i.e., the particular relationship between the timing of the initiation of the disturbance, the first alarm or cue, and the cue for exceeding a plant limit.

In both the RMIEP and the detailed EPRI method, the primary performance shaping factor determining the HEP for the diagnostic phase is the time available for the crew to complete the cognitive response relative to the time required. The correlations provide the estimated HEP for the crew to respond within the time available. The total time available typically is determined from plant-specific thermal hydraulic (e.g., MAAP) analysis. For the DAEC analysis, only a limited number of MAAP runs had been completed at the time the HRA was performed, and available time was in most cases based on engineering judgment. In response to an NRC RAI the licensee provided results of subsequent MAAP runs that the licensee states confirmed the engineering judgment (or in some cases showed the judgment to be conservative). Time available for a particular action can be sequence dependent.

The licensee's response to an NRC RAI provided a reasonably complete summary of the process used to obtain the estimated time required for the operator action. These estimates were determined primarily from judgment of operators and training staff. Where actual operating data were available, e.g., for recovery of AC power, data were the preferred source. In some cases simulator data was used to confirm operator judgment. However, the primary source of time estimates was a group consisting of two Senior Reactor Operators, one Operations Shift Supervisor, and one Operations Trainer who was an Assistant Operations Superintendent at the time of the IPE. Estimates were obtained from what appears to be a structured interview process. At least two of the four individuals were involved in providing each time estimate. For each action, the scenario containing the operator action was documented and reviewed with the interviewees. Time estimates provided by the interviewees were then discussed with engineering personnel to provide further validation. The licensee indicates that due to this thorough interview and review process, operator estimates of time did not need to be adjusted (e.g., multiplied by a factor of 2). Certainly use of a structured interview approach which uses more than one "expert" and provides context of the accident scenario for the judgment can reduce bias and uncertainty in subjective estimates. In our view, the licensee's approach for estimating times was effective.

As part ofits response to the NRC RAI the licensee provided a table showing examples of actions for which the time available, and consequently the HEP, varied depending on the sequence in which the action appeared. For example, time available for operator action to inhibit ADS actuation is 3 minutes for ATWS cases with no high pressure makeup,16 minutes for ATWS cases with high pressure makeup, and 23 minutes when required in non-ATWS sequences. The respective HEPs for these three cases were 3.2E-01,1.4E-02, and 5.8E-03 respectively.

As stated above, both the RMIEP and the detailed EPRI method include quantification of the "execution" phase of the action. The RMIEP methodology recommends, and the DAEC analysis used, the THERP Handbook (Ref. 7) to obtain estimates of the error probability for the action phase. Very limited information about the THERP quantification is provided in the submittal or in the licensee's response to the NRC RAI. The latter does note that the following performance shaping factors were considered in the THERP assessments:


• Complexity of the action (e.g., turning switches as opposed to manipulating valves locally)

• Time available to perform the action

• Stress level and the existing environmental conditions

• The use of symptom-based procedures that require a continual feedback from the symptoms to the required action.

The licensee's response also indicated that, consistent with general findings in other PRAs, the "cognitive" portion of the action usually dominates the HEP, but that in some cases the action phase contributed a significant fraction of the total HEP for the DAEC post-initiator actions.

The EPRI methodology does not include a technique for estimating the HEP for the action phase but recommends use of one of the existing approaches such as THERP. The licensee does not state specifically which technique was used, but we assume it was THERP, since that was the technique used for the RMIEP approach, and no other technique is discussed.

2.3.4.2 Dependency Among Multiple Actions. The submittal did not discuss consideration of dependencies among post-initiator human actions. In response to an NRC RAI, the licensee stated that consideration of dependencies was an important part of the DAEC HRA, and that three aspects of dependency in post-initiator actions were addressed:

1) Logic model dependencies. A single human action that causes the failure of multiple systems was included directly in the logic model (fault tree) as a common basic event. An example is the alternate alignment of switchgear room cooling, which affects all AC power and therefore appears in the support system for all systems using power from the switchgear room.

2) Time limitation dependencies. Multiple actions required in a relatively short time result in a high stress environment for all of those actions. The licensee provided several examples of conditional HEPs that were increased to account for dependency on failure of preceding actions close in time.

3) Cognitive dependencies. This refers to the dependency of operator error in cognitive action on the context of the specific accident sequence and the symptoms presented to the operator. The licensee states that these dependencies result from the phenomena that are occurring during the sequence, multiple actions occurring during an accident, and failures that may occur. As noted previously, the licensee tabulated a number of examples of multiple HEP values assigned to essentially the same action in different sequences in order to account for sequence-specific "cognitive dependencies".

In further discussing treatment of multiple actions in an accident sequence, the licensee states that the system fault tree models were solved for every different set of conditions to produce a uniquely labeled cut set file that is stored for use under those specific conditions in the event tree. For multiple actions, the determination of dependency rested on whether or not the same symptoms were used for multiple actions. If multiple actions were required per the symptom-based procedures for a single set of symptoms, then the actions were assumed to be completely dependent (failure of one action results in the failure of all actions). If different actions have different symptoms (and therefore likely have different functions) the actions were assumed to be independent. The licensee states that a review of cut sets was performed to identify potential dependencies among multiple operator actions. In some cases it was judged that dependency of second and third actions was very high, usually between 0.5 and 1.0. In other cases it was judged that dependencies were sufficiently addressed by using an HEP of 0.1 for the multiple actions. The details providing the specific bases for these judgments were not stated in general by the licensee, but were provided by examples. Making such quantitative adjustments on a case-by-case basis is a reasonable approach to treating dependencies, and the magnitude of these adjustments is generally consistent with more "proceduralized" dependency models, such as the THERP dependency model. Finally, the licensee noted that a sensitivity study was performed as part of integrating the HRA into the overall model and that in this sensitivity study all HEPs below 0.1 were set to 0.1. The results of this sensitivity study are discussed further in Section 2.4.2 below. With regard to the issue of dependency, the licensee notes that this study helped to identify (bring to the top) cutsets with multiple human actions. Those cutsets were then evaluated by the licensee and judgments were made on a case-by-case basis regarding the appropriateness of the dependency treatment.

In summary, the licensee addressed key aspects of dependency among post-initiator human actions and employed what appears to be a reasonably thorough, subjective assessment on a case-by-case basis to determine the degree of dependency. Quantitative adjustments to HEPs based on the subjective assessment of degree of dependency generally are consistent with quantitative treatment in dependency models in other PRAs, e.g., the THERP dependency model.
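The THERP dependency model cited above (Ref. 7) gives a conditional HEP for an action, given failure of the preceding action, at five dependence levels. The following Python example is added here for illustration and is not the licensee's or the reviewers' calculation: it pairs those equations with the symptom-based screening rule described in this section. The two action HEPs, the symptom labels, and the treatment of partially overlapping symptoms as "needs analyst judgment" are assumptions constructed for the example.

```python
"""THERP dependence levels applied to multiple operator actions in one cut set."""
from enum import Enum


class Dependence(Enum):
    ZERO = "ZD"
    LOW = "LD"
    MODERATE = "MD"
    HIGH = "HD"
    COMPLETE = "CD"


def conditional_hep(hep, level):
    """Conditional HEP of an action given failure of the preceding action,
    using the THERP Handbook (NUREG/CR-1278) dependence equations."""
    if not 0.0 <= hep <= 1.0:
        raise ValueError("HEP must be a probability in [0, 1]")
    if level is Dependence.ZERO:
        return hep
    if level is Dependence.LOW:
        return (1.0 + 19.0 * hep) / 20.0
    if level is Dependence.MODERATE:
        return (1.0 + 6.0 * hep) / 7.0
    if level is Dependence.HIGH:
        return (1.0 + hep) / 2.0
    if level is Dependence.COMPLETE:
        return 1.0
    raise ValueError(f"unknown dependence level: {level!r}")


def symptom_rule(symptoms_a, symptoms_b):
    """Screening rule described in the review: actions cued by the same set of
    symptoms are completely dependent; actions with different symptoms are
    independent. Partial overlap is not covered by that rule, so this function
    returns None to flag the pair for case-by-case judgment (an assumption)."""
    a, b = frozenset(symptoms_a), frozenset(symptoms_b)
    if a == b:
        return Dependence.COMPLETE
    if a.isdisjoint(b):
        return Dependence.ZERO
    return None


def joint_hep(heps, levels):
    """Probability that every action in an ordered sequence fails.
    levels[i] is the dependence of action i+1 on failure of action i."""
    if not heps or len(levels) != len(heps) - 1:
        raise ValueError("need one dependence level per successive pair")
    total = heps[0]
    for hep, level in zip(heps[1:], levels):
        total *= conditional_hep(hep, level)
    return total


if __name__ == "__main__":
    # Constructed cut set with two operator actions (HEP magnitudes chosen to
    # resemble values quoted in this report; the pairing itself is hypothetical).
    first, second = 2.1e-4, 2.3e-3
    for level in Dependence:
        print(f"{level.value}: conditional={conditional_hep(second, level):.4f} "
              f"joint={joint_hep([first, second], [level]):.3e}")
    # For small HEPs the HD and CD conditionals are about 0.5 and 1.0, the
    # range the review quotes for second and third actions judged highly
    # dependent.
    print(symptom_rule({"high torus temperature"}, {"high torus temperature"}))
```

Treating the two actions as independent gives a joint failure probability near 5E-07; under high or complete dependence it is more than two orders of magnitude larger, which is why cut sets with multiple human actions are reviewed individually.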

2.3.5 Human Actions in the Flooding Analysis.

There does not appear to have been any quantitative analysis of human action as part of the internal flooding analysis. The flooding analysis consisted of what the licensee considered a conservative screening analysis. No flooding scenarios were identified with a CDF contribution significant enough to warrant detailed analysis.

2.3.6 Human Actions in the Level 2 Analysis.

The submittal indicated that credit was taken in the Level 2 analysis for operator action, but provided very little information on the process for analyzing and quantifying the HEPs. Our review of the listed HEPs suggested that the HEP values were somewhat low for post-core-melt actions, e.g., 1E-02 or 1E-04. In response to an NRC RAI, the licensee stated that the Level 2 HEPs were derived using the same process as for Level 1 HEPs. Presumably, this means that one of the four techniques noted previously was applied, but specifics are not given. The licensee provided a comparison of specific actions that were credited in both the Level 1 and the Level 2 analysis. The comparison showed that for the same/similar actions, the Level 2 HEPs were higher to account for higher stress under post-core-melt conditions. Further, the licensee noted several factors which provide additional justification/rationale for the licensee's belief that the Level 2 HEPs are reasonable and why some of the values presented in the submittal may have appeared low:

• Time available for operator action tends to be much longer for Level 2 actions.

• The HEPs actually used in the IPE logic models for the Level 2 action are conditional on the action not having been taken previously in the Level 1 model. The tabulated values in the submittal were in many cases the combined HEP for failure in both Level 1 and Level 2. (One might argue that if the operator action failed prior to core damage, that the probability of failure post-core-damage is highly dependent and may be very high, e.g., approaching 1.0.)

• All Level 2 actions credited are proceduralized in the EOPs or AOPs. The DAEC procedures for those actions extend continuously through core damage.

With regard to the last bullet above, it should be noted that the DAEC procedures are based on BWROG Emergency Procedure Guidelines. They are not unique; that is, most BWR EOPs include some actions that are intended to prevent core damage which continue to be required / effective after initiation of core damage. Presumably operators will continue to follow the procedures and, in fact, will not necessarily be aware of precisely when core damage was initiated. Not all of the actions credited by the licensee are of this type, i.e., are simple extensions of actions from the Level 1 analysis. For example, credit is taken for operator action to flood containment, with an HEP of 3.2E-03. The time available for this action is listed as 1-4 hours. The HEP value is typical, or perhaps more conservative than, values that would be expected for Level 1 actions with that amount of time.

In summary, the licensee did take credit for selected operator actions in the Level 2 analysis. All actions credited are proceduralized in the EOPs or AOPs. The quantification of Level 2 actions was performed in the same manner as quantification for Level 1 actions. It appears that some adjustment (increase) in HEPs was made to account for increased stress during Level 2 conditions. The licensee provided a discussion of a rationale for determination of Level 2 HEPs. While the licensee's arguments have some validity, it should be noted that PRAs usually have taken relatively limited credit for operator action in the Level 2 analysis because of the general uncertainties associated with the operator response and with the application of existing HRA techniques to post-core-melt conditions. In our view, the licensee's credit for operator action in the Level 2 analysis should be accepted with caution.


2.3.7 GSI/USI and CPI Recommendations.

Review of the submittal discussions of Generic Safety Issues (GSIs) and Unresolved Safety Issues (USIs) is primarily the focus of the front-end reviewer. Review of submittal discussions of any licensee actions in response to Containment Performance Improvement (CPI) recommendations is performed primarily by the back-end (Level 2) reviewer. If the licensee's discussion of these issues has particular significance to the HRA or human performance issues, those points are included in this review. The licensee addressed Unresolved Safety Issue A-45, Diverse Means of Decay Heat Removal (DHR). The front-end reviewer noted several unique DAEC features that impact the ability to provide DHR:

• Hardened wetwell vent. Installation of a hardened wetwell vent was expected to be finished shortly after completion of the IPE submittal and was credited in the IPE submittal. Operator action to vent (HEP = 2.3E-03) is listed as an important operator action.

• Diverse means for establishing alternate vessel injection. Alternate vessel injection is available from five different sources. Operator action is required to align alternate sources.

• Reliable design of offsite power supply system. The offsite power switchyard has a diverse dual ring bus arrangement that helps to minimize the possibility of losing offsite power. In addition, essential loads are normally operated from the startup transformer, thereby eliminating the need for a "fast transfer" on loss of the main generator.

• Halting of depressurization in EOPs. The DAEC EOPs specify halting depressurization at 200 psig when the turbine-driven systems are available but low pressure injection systems are not.

The licensee addressed recommendations of the Containment Performance Improvement (CPI) Program. Probably most significant to human performance is that the BWR Owners Group Revision 4 of the Emergency Procedures Guidelines has been incorporated into the DAEC EOPs.

2.4 Vulnerabilities, Insights and Enhancements

2.4.1 Vulnerabilities.

The licensee used three criteria to identify a vulnerability:

1. Are there any new or unusual means by which core damage or containment failure occur as compared to those identified in other PRAs?

2. Do the results suggest that the DAEC core damage frequency would not be able to meet the NRC's safety goal for core damage?

3. Are there any single failures of components that lead directly to a core damage state? This does not include the common cause failure of multiple components of similar types.

No vulnerabilities were identified in the IPE using these criteria. There were significant "insights" developed relating to systems, components or actions which influenced the results of the IPE to a greater level than other events. Human performance related insights are discussed below.

2.4.2 Insights Related to Human Performance.

The licensee reported sensitivity studies and importance calculations that provided insights on the importance of human actions to plant risk. Using the screening criteria suggested in NUREG-1335, the licensee identified five reportable sequences. As indicated previously, a sensitivity study was performed in which all HEPs below 0.1 were set to 0.1. (Values at or above 0.1 were left unchanged.) This sensitivity study was responsive to the NUREG-1335 request that the licensee identify sequences which were below the sequence cutoff limit (for reporting) but would have been above the cutoff were it not for credit taken for human action. An additional 28 sequences (beyond the five initially identified) would have been reportable if the HEPs were increased to this relatively high value. Three operator actions in particular were identified as important by the licensee as a result of examining the additional sequences. These three actions are associated with failure to depressurize and failure to initiate containment heat removal:

Operators Fail to Manually Depressurize - Per the EPGs, when a signal is received in the control room that starts the automatic ADS initiation sequence, the operators immediately defeat the automatic initiation signal by locking out ADS. There is a 120 second delay between the signal and actual initiation. If it becomes necessary to actually depressurize, the operators will have to do so manually. The human error event examined (OOPAF-MANUAL-DEP) is the failure to perform this manual depressurization. The operators have one hour to perform the action. It is a proceduralized and practiced action. The licensee's quantification estimated the HEP to be 2.1E-4. In the sensitivity study, this error accounted for 23% of the additional contribution to core damage frequency. A potential solution is the possibility of resetting the 120 second timer rather than immediately locking out the automatic initiation of ADS. The specific recommendation in the submittal was to evaluate the benefits of resetting the timer vs. immediately locking out the automatic initiation. No other action was identified.

Operators Fail to Initiate Containment Heat Removal - The remaining 77% of the increased contribution to CDF was due to two actions related to failure to establish containment heat removal, either by failing to initiate torus cooling (LOPAF-TORUS-COOL) or failing to vent containment via torus vent (VOPAF-TORUS-VENT). Both actions are proceduralized, practiced actions performed from the control room with several hours available for completion. Estimated HEPs are 1E-4 for cooling and 2E-3 for venting. The licensee concludes that the low human error rates are expected and justifiable. No action or enhancement/improvement is recommended.

In response to an NRC RAI, the licensee provided a listing of importance calculations based on two measures of importance:

1) Risk Achievement Worth (RAW) - also referred to as risk increase ratio, the RAW is the increase in core damage and plant damage state frequencies if the basic event probability is set to 1.0 divided by the base core damage frequency.

2) Fussell-Vesely (FV) Importance - 1.0 minus the ratio of CDF with the HEP set to 0.0 to the base CDF.
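The two importance measures defined above, together with the sensitivity study in which every HEP below 0.1 is raised to 0.1, can be worked through on a small minimal-cut-set model. The following Python example is added here for illustration and is not taken from the DAEC PRA or the review: the event names, probabilities, initiating-event frequencies and cut sets are all constructed, and CDF is computed with the rare-event approximation (sum of cut set products).

```python
"""RAW, Fussell-Vesely and HEP-floor sensitivity on a constructed cut-set model."""
from math import prod

# Constructed inputs (hypothetical): initiating-event frequencies per year
# and basic-event probabilities. OP-* events are human actions.
PROBS = {
    "IE-T": 1.0,           # transient initiator, per year
    "IE-LOOP": 0.1,        # loss of offsite power initiator, per year
    "HPI-FAIL": 1e-2,      # hardware: high pressure injection fails
    "RHR-FAIL": 1e-3,      # hardware: torus cooling trains fail
    "DG-CCF": 1e-3,        # hardware: common cause diesel failure
    "OP-DEPRESS": 2e-4,    # operator fails to depressurize manually
    "OP-COOL": 1e-4,       # operator fails to start torus cooling
    "OP-VENT": 2e-3,       # operator fails to vent containment
    "OP-RECOVER-AC": 0.5,  # AC power not recovered in time
}
HUMAN = {"OP-DEPRESS", "OP-COOL", "OP-VENT", "OP-RECOVER-AC"}
CUT_SETS = [
    ("IE-T", "HPI-FAIL", "OP-DEPRESS"),
    ("IE-T", "OP-COOL", "OP-VENT"),
    ("IE-T", "RHR-FAIL", "OP-VENT"),
    ("IE-LOOP", "DG-CCF", "OP-RECOVER-AC"),
]


def cut_set_value(cut_set, probs):
    """Frequency contribution of one minimal cut set."""
    return prod(probs[event] for event in cut_set)


def cdf(probs, cut_sets=CUT_SETS):
    """Core damage frequency, rare-event approximation."""
    return sum(cut_set_value(cs, probs) for cs in cut_sets)


def raw(event, probs=PROBS):
    """Risk Achievement Worth: CDF with the event set to 1.0 over base CDF."""
    return cdf({**probs, event: 1.0}) / cdf(probs)


def fussell_vesely(event, probs=PROBS):
    """Fussell-Vesely: 1.0 minus (CDF with the event set to 0.0 over base CDF)."""
    return 1.0 - cdf({**probs, event: 0.0}) / cdf(probs)


def apply_hep_floor(probs=PROBS, human=HUMAN, floor=0.1):
    """Sensitivity case: HEPs below the floor are raised to it; HEPs at or
    above the floor and all non-human events are left unchanged."""
    return {e: max(p, floor) if e in human else p for e, p in probs.items()}


def rank_cut_sets(probs, cut_sets=CUT_SETS):
    """Cut sets ordered from largest to smallest contribution."""
    return sorted(cut_sets, key=lambda cs: cut_set_value(cs, probs), reverse=True)


def human_actions_in(cut_set, human=HUMAN):
    return [event for event in cut_set if event in human]


if __name__ == "__main__":
    print(f"base CDF = {cdf(PROBS):.3e}/yr")
    for event in sorted(HUMAN):
        print(f"{event:14s} HEP={PROBS[event]:.1e} "
              f"RAW={raw(event):8.2f} FV={fussell_vesely(event):.4f}")
    floored = apply_hep_floor()
    print(f"CDF with HEP floor = {cdf(floored):.3e}/yr")
    for cs in rank_cut_sets(floored):
        print(f"{cut_set_value(cs, floored):.2e}  {cs}  "
              f"human actions: {len(human_actions_in(cs))}")
```

In this constructed model the low-HEP depressurization action has by far the highest RAW while the high-probability recovery action dominates Fussell-Vesely, and applying the 0.1 floor moves the cut set containing two human actions from last place to first.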

As part of its response to the NRC RAI, the licensee submitted information on a revised version of the DAEC PRA (Revision 3) that has been performed since the IPE was submitted. The revised version reflects refinements in modeling of accident sequences and incorporation of plant modifications. The overall CDF estimate increased from 7.8E-06/yr in the original submittal to 1.5E-05/yr in the Rev. 3 PRA. The distribution of contributions from various accident initiators changed somewhat, though loss of offsite power and turbine trip with ATWS are still the dominant initiating sequences. The licensee provided a listing of importance calculations using both of the above measures for all basic elements and a sorted listing of human errors ranked by each of the above measures. Tables 2-2 and 2-3 below list the top ten ranked human actions by RAW and FV measures, respectively using the revised.

Apparently, these are data for the revised PRA.

Note the pre-initiator human error cited previously associated with the low pressure permissive instrumentation that has the highest RAW. Other actions with high risk achievement worth are typical of important actions in other BWR PRAs - failure to inhibit ADS, depressurization (manual initiation of ADS), initiation of torus cooling, and level control. Note also the importance of alternate control building cooling cited previously.

Recovery actions, primarily associated with loss of offsite power/station blackout, appear as the dominant human actions per the Fussell-Vesely criterion, which is consistent with the fact that these actions appear in virtually all such sequences, and loss of offsite power is the dominant initiating event contributor.

Table 2-1 Top Ten Ranked Human Actions (Risk Achievement Worth)

| HEP ID | DESCRIPTION | HEP | RAW |
|---|---|---|---|
| I-LOPRESPERM | Miscalibration of low pressure permissive instrumentation | 8.0E-05 | 182.0 |
| 0-OPMANDEP-U | Operator fails to manually initiate ADS | 2.1E-04 | 152.7 |
| L-IPTORCOOLY | Operator fails to align torus cooling (transients and LOCAs) | 1.0E-06 | 99.2 |
| P-TT-LOOP | 1-LOOP within 24 hrs of event initiation and no recov. within 1/2 hr | 4.4E-05 | 55.8 |
| P-OPALTCLNGU | Operator fails to align alternate control bldg cooling per AOP 915 | 3.1E-03 | 30.4 |
| V-OPTORVENTU | Operator fails to vent the torus | 2.3E-03 | 22.1 |
| NOT-TR2-TR2 | Success of operators to depressurize RPV to 50psig on hi DW temp | 5.0E-03 | 2.3 |
| FTPE-L1-L1- | Failure of adequate level / power control | 1.5E-02 | 2.1 |
| FTPE-L2-L2- | Failure of RPV level above 1/3 core height | 1.6E-02 | 2.1 |
| FTPE-X-X- | Failure of operator to inhibit ADS | 1.4E-02 | 2.0 |

Table 2-2 Top Ten Ranked Human Actions (Fussell-Vesely)

| HEP ID | DESCRIPTION | HEP | FV Importance |
|---|---|---|---|
| FTPE-I-I- | Failure of recovery of offsite power within 30 minutes | 3.9E-01 | 4.23E-01 |
| FTPE-O-O- | Failure of emergency AC power recovery within 30 minutes | 9.0E-01 | 4.22E-01 |
| FTPE-12 | Failure of recovery of offsite power at 2 hours | 5.4E-01 | 4.04E-01 |
| FTPE-02 | Failure of emergency AC power recovery at 2 hours | 7.2E-01 | 2.82E-01 |
| FTPE-I4-I4- | Failure of recovery of offsite power at 4 hours | 4.8E-01 | 2.53E-01 |
| FTPE-04 | Failure of emergency AC power recovery at 4 hours | 7.2E-01 | 2.52E-01 |
| FTPE-06 | Failure of emergency AC power recovery at 6 hours | 7.9E-01 | 2.36E-01 |
| FTPE-I6-I6- | Failure of recovery of offsite power at 6 hours | 6.0E-01 | 2.36E-01 |
| FTPE-VI-VI- | Failure of alternate low pressure injection (fire pump) | 9.0E-01 | 1.25E-01 |
| FTPE-09 | Failure of emergency AC power recovery at 9 hours | 7.6E-01 | 1.03E-01 |

2.4.3. Human-Performance-Related Enhancements.

Section 6 of the submittal discusses at a general level unique safety features of DAEC and potential plant or operational improvements considered as a result of IPE insights. The five "reportable" sequences, which (in the original submittal) contribute 47% of the total CDF, are briefly reviewed with a focus on key factors that dominate or adversely affect the sequence. The front-end reviewer discusses the changes in important sequences between the original submittal and the revised PRA. For the purposes of the HRA review, the essential issue is that the licensee gained from the IPE results an understanding of important operator actions and used results of the IPE to identify potential enhancements. Most of the enhancements/improvements discussed are human-related (procedures, training, etc.). The three important operator actions discussed above in Section 2.4.2 are reviewed again, with some consideration given to potential enhancements, but no enhancements were recommended related to those actions. Results from the back-end analysis and potential strategies for improvement also are reviewed.

The five "reportable" sequences, major adverse factors, and potential improvements or strategies discussed in the submittal are as follows:

Loss of All 125V DC (Sequence TDC-27)

Major Adverse Factors - no procedures exist for simultaneous loss of both divisions.

Potential Improvements/Strategies - (1) develop AOPs or EOPs; (2) use EHC panel power to manually jack open the TBVs in order to depressurize, taking local control of the RCIC system, using portable generators to power essential DC loads

Action - not specified.

Loss of Decay Heat Removal (TC-3)

Major Adverse Factors - EOPs direct operators to terminate injection to the containment from sources outside of containment, irrespective of coolability. In this sequence, containment heat removal is not available. When operators defeat injection, primary containment temperatures and pressures will increase rapidly, to the point where SRVs will close and render low pressure injection ineffective.

Potential Improvements/Strategies - evaluate for future inclusion in Accident Management Guidelines or EOPs

Action - future consideration.

ATWS with Failure of SLC (TITC-8"A

Major Adverse Factors - Failure to SCRAM (dominated by common cause equipment failures) and operator failure to initiate SLC injection within 40 minutes

Potential Improvements/Strategies - "maintain heightened awareness" of operations staff to the importance of SLC injection in ATWS scenarios (i.e., training?)

Action - nothing specific identified.

Station Blackout for Greater than 15 Hours (TE-1231

Major Adverse Factors - Without electric power, loss of core cooling will result in core damage

Potential Improvements/Strategies - provide a source of water not dependent on electric power (diesel fire pump) and provide adequate DC reserve; involves testing and training operators, possibly additional equipment

Action - none specified

Loss of Offsite Power with Early HPCI/RCIC Failure (TE-34)

Major Adverse Factors - common cause failure of both steam driven high pressure injection systems

Potential Improvements/Strategies - none identified

Several insights from the back-end analysis are identified, all of which involve human-related factors and/or possible improvements/strategies:

1) Containment Injection - There is a set of low frequency severe accidents in which containment may be at elevated pressures and for which EOP-directed termination of injection could lead to core damage and containment challenge. The prudence of terminating injection under such circumstances was identified as the possible improvement/strategy. No specific action was identified.

2) Ex-Vessel Recovery - Potential considerations in future accident management plans were identified related to: (a) prioritization of use of injection systems (Containment System or Drywell Spray vs. LPCI) in response to degraded core conditions, and (b) possible changes to EOPs to allow use of DW Spray Initiation prior to RPV breach for some accidents and to remove ambiguity regarding diversion of injection sources away from the RPV when reactor water level is low.

3) Shell Integrity: Use of DW Spray - Possible relaxation of EOP restrictions on the use of DW sprays may be a future accident management consideration. DW sprays offer an additional alternative for control of drywell temperature to avoid premature containment failure.

4) Containment Flooding - A recommended future accident management strategy is to provide guidance to the operators on protecting containment and cooling debris using methods that do not require venting of the RPV and avoid using the DW vent when possible. Current EPG guidance can result in the highest potential consequences at the earliest possible time for containment flooding sequences.


3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

The intent of the IPE is summarized in four specific objectives for the licensee identified in Generic Letter 88-20 and NUREG-1335:

(1) Develop an appreciation of severe accident behavior.

(2) Understand the most likely severe accident sequences that could occur at its plant.

(3) Gain a more quantitative understanding of the overall probability of core damage and radioactive material releases.

(4) If necessary, reduce the overall probability of core damage and radioactive material release by appropriate modifications to procedures and hardware that would prevent or mitigate severe accidents.

With specific regard to the HRA, these objectives could be restated as follows:

(1) Develop an overall appreciation of human performance in severe accidents; how human actions can impact positively or negatively the course of severe accidents, and what factors influence human performance.

(2) Identify and understand the operator actions important to the most likely accident sequences and the impact of operator action in those sequences; understand how human actions affect or help determine which sequences are important.

(3) Gain a more quantitative understanding of the quantitative impact of human performance on the overall probability of core damage and radioactive material release.

(4) Identify potential vulnerabilities and enhancements, and if necessary/appropriate, implement reasonable human-performance-related enhancements.

The following observations and conclusions are pertinent to NRC staff's determination of whether the licensee's submittal meets the intent of Generic Letter 88-20:

1) The submittal and supporting documentation indicate that utility personnel were involved in the HRA, and that the walkdowns and documentation reviews constituted a viable process for confirming that the HRA portions of the IPE represent the as-built, as-operated plant (at least for the post-initiator error evaluation).
2) The licensee performed an in-house peer review that provides some assurance that the HRA techniques have been correctly applied and that documentation is accurate.


3) The licensee's analysis of pre-initiator human actions was reasonably complete in scope. Identification and selection of human actions to be quantified included review of calibration, test and maintenance procedures and discussion with plant personnel. Both calibration and restoration errors were included. No numerical screening was employed. All actions identified as important from the systems review were quantified. The quantification process employed the ASEP screening approach for pre-initiator human actions. This approach is a relatively coarse HRA technique, but has been used in other accepted PRAs. The licensee followed the guidance of the ASEP documentation and, within the constraints of the simplified approach, addressed some performance shaping factors and dependencies. A pre-initiator action was identified as one of the most important human actions.

4) The treatment of post-initiator human actions included both response-type and recovery-type actions. The process for identification and selection of post-initiator human actions included review of procedures and discussion with plant operations and training staff. No numerical screening was performed. The licensee's process for quantification of post-initiator actions employed four different approaches - two "detailed" techniques and two "screening" techniques. Justification was provided by the licensee for selection of the particular method. The licensee's process followed the guidance of the four methods. Plant-specific performance shaping factors were considered, consistent with the capabilities and guidance for the methods selected. Sequence-specific impacts and dependencies among multiple human actions were addressed. Quantitative results were generally consistent with the range of results in other accepted PRAs.

5) The licensee's Level 2 analysis included a relatively large number of operator actions compared to most PRAs. The licensee provided a discussion of a rationale for determination of Level 2 HEPs. While the licensee's arguments have some validity, it should be noted that PRAs usually have taken relatively limited credit for operator action in the Level 2 analysis because of the general uncertainties associated with the operator response and with the application of existing HRA techniques to post-core-melt conditions. In our view, the licensee's credit for operator action in the Level 2 analysis should be accepted with caution.

6) The licensee used sensitivity studies and importance calculations to identify operator actions important to risk. Importance calculations were provided using Risk Achievement Worth and Fussell-Vesely importance measures.

7) The licensee employed a systematic process to screen for vulnerabilities and identify potential enhancements. No vulnerabilities were identified. A number of potential human-performance-related enhancements (improvements to training or procedures) were identified and reviewed in the submittal. No specific enhancements were identified as having been implemented or scheduled for implementation.


4. DATA SUMMARY SHEETS

Important Operator Actions/Errors:

Top ten ranked human actions based on Risk Achievement Worth (RAW):

| HEP ID | DESCRIPTION | HEP | RAW |
|---|---|---|---|
| I-LOPRESPERM | Miscalibration of low pressure permissive instrumentation | 8.0E-05 | 182.0 |
| 0-OPMANDEP-U | Operator fails to manually initiate ADS | 2.1E-04 | 152.7 |
| L-IPTORCOOLY | Operator fails to align torus cooling (transients and LOCAs) | 1.0E-06 | 99.2 |
| P-TT-LOOP | 1-LOOP within 24 hrs of event initiation and no recov. within 1/2 hr | 4.4E-05 | 55.8 |
| P-OPALTCLNGU | Operator fails to align alternate control bldg cooling per AOP 915 | 3.1E-03 | 30.4 |
| V-OPTORVENTU | Operator fails to vent the torus | 2.3E-03 | 22.1 |
| NOT-TR2-TR2 | Success of operators to depressurize RPV to 50psig on hi DW temp | 5.0E-03 | 2.3 |
| FTPE-L1-L1- | Failure of adequate level / power control | 1.5E-02 | 2.1 |
| FTPE-L2-L2- | Failure of RPV level above 1/3 core height | 1.6E-02 | 2.1 |
| FTPE-X-X- | Failure of operator to inhibit ADS | 1.4E-02 | 2.0 |

Top ten ranked human actions based on Fussell-Vesely (FV) Importance:

| HEP ID | DESCRIPTION | HEP | Importance |
|---|---|---|---|
| FTPE-I-I- | Failure of recovery of offsite power within 30 minutes | 3.9E-01 | 4.23E-01 |
| FTPE-O-O- | Failure of emergency AC power recovery within 30 min. | 9.0E-01 | 4.22E-01 |
| FTPE-12 | Failure of recovery of offsite power at 2 hours | 5.4E-01 | 4.04E-01 |
| FTPE-02 | Failure of emergency AC power recovery at 2 hours | 7.2E-01 | 2.82E-01 |
| FTPE-I4-I4- | Failure of recovery of offsite power at 4 hours | 4.8E-01 | 2.53E-01 |
| FTPE-04 | Failure of emergency AC power recovery at 4 hours | 7.2E-01 | 2.52E-01 |
| FTPE-06 | Failure of emergency AC power recovery at 6 hours | 7.9E-01 | 2.36E-01 |
| FTPE-I6-I6- | Failure of recovery of offsite power at 6 hours | 6.0E-01 | 2.36E-01 |
| FTPE-VI-VI- | Failure of alternate low pressure injection (fire pump) | 9.0E-01 | 1.25E-01 |
| FTPE-09 | Failure of emergency AC power recovery at 9 hours | 7.6E-01 | 1.03E-01 |

Human-Performance Related Enhancements:

A number of potential human-performance-related enhancements were identified from the IPE study and were discussed in the IPE submittal. No specific enhancements to be incorporated were identified by the licensee.


REFERENCES

1. Swain, A.D., "Accident Sequence Evaluation Program Human Reliability Analysis Procedure," Chapter 4, "ASEP Screening HRA for Pre-Accident Tasks," NUREG/CR-4772, February, 1987.

2. Weston, L.M., et al., "Recovery Actions in PSA for the Risk Methods Integration and Evaluation Program (RMIEP)," NUREG/CR-4834, Vol. 1, June, 1987.

3. Spurgin, A.J., et al., "A Human Reliability Analysis Approach Using Measurements for Individual Plant Examination," NP-6560-L, Electric Power Research Institute, December, 1989.

4. D.M. Ericson, Jr., Editor, "Analysis of Core Damage Frequency: Internal Events Methodology," NUREG/CR-4550, Vol. 1, Rev. 1, p 1-8, January, 1990.

5. Moieni, P., et al., "Modeling of Recovery Actions in PRA," EPRI Research Project 3206-03, January, 1991 (DRAFT), cited in the IPE submittal.

6. Swain, A.D., "Accident Sequence Evaluation Program Human Reliability Analysis Procedure," Chapter 7, "ASEP Screening HRA for Post-Accident Tasks," NUREG/CR-4772, February, 1987.

7. Swain, A.D. and H.E. Guttmann, "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications," NUREG/CR-1278-F, August, 1983.


DUANE ARNOLD NUCLEAR POWER PLANT TECHNICAL EVALUATION REPORT (BACK-END)