ML20196G283
| ML20196G283 | |
| Person / Time | |
|---|---|
| Site: | Fort Calhoun  |
| Issue date: | 05/08/1997 |
| From: | Gambhir S OMAHA PUBLIC POWER DISTRICT |
| To: | NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM) |
| References | |
| LIC-97-041, LIC-97-41, TAC-M74412, NUDOCS 9705160016 | |
| Download: ML20196G283 (12) | |
Text
y eum Omaha PublicPowerDistrict 444 South 16th StreetMall Omaha NE68102-2247 May 8, 1997 LIC-97-041 U. S Nuclear Regulatory Commission j
Attn: Document Control Desk Mail Station P1-137 Washington, DC 20555 References; 1.
Docket No. 50-285 1
2.
Letter from NRC (L. R. Wharton) to OPPD (T. L. Patterson),
" Fort Calhoun Station, Unit No.1 - Review of Individual Plant Examination (IPE) Submittal - Internal Events (TAC No. M74412)"
dated December 9, 1996 3.
" Technical Evaluation Report on the IPE Submittal Human Reliability Analysis " CA/TR-96-019-40. Final Report dated September 5, 1996 4.
Letter from OPPD (T. L. Patterson) to NRC (Document Control Desk) dated November 30, 1995 (LIC-95-0223) j 5.
Letter from NRC (S. D. Bloom) to OPPD (T. L. Patterson) dated September 12, 1995 (TAC No. M74412)
SUBJECT:
NRC Identified Weakness in the Human Reliability Analysis (HRA) of the Fort Calhoun Station (FCS) Individual Plant Examination (IPE)
In this letter, Omaha Public Power District (OPPD) submits additional information to support the HRA portion of the FCS IPE and requests that the NRC reevaluate this portion of the IPE taking into consideration the enclosed information. This additional information is intended to resolve the NRC's reservation regarding the HRA portion of the FCS IPE and allow OPPD to use Probabilistic Risk Assessment (PRA) in support of risk-based regulatory applications beyond those associated with Generic Letter 88-20.
The reservation was stated in Reference 2 as:
"The staff has identified a weakness in the HRA portion of the IPE and believes that application of the IPE in support of risk-based regulatory applications, beyond those associated with Generic Letter 88-20. require [s] additional treatment in that area."
i I
l IllllLllLillll~lll'Illl
/* U i
1sonsa 9705160016 970508 PDR ADOCK 05000285 l
e5 5124 Employment with Equal Opportunty
U.S. Nuclear Regulatory Commission LIC-97-041 Page 2 Although the NRC Safety Evaluation Report (SER) (Reference 2) of the FCS IPE submittal for internal events and internal flood included the above reservation, the SER concluded: "your IPE is complete with regard to the information requested...the IPE results are reasonable.
. the Fort Calhoun IPE has met the intent of Generic Letter 88-20."
To gain a better understanding of the NRC's concern. OPPD reviewed the Technical Evaluation Report (Reference 3), which summarizes the evaluation results of the HRA portions of the IPE. (Some of the issues raised in Reference 3 were also the subject of References 4 and 5.) The enclosure summarizes each of the NRC staff's concerns as OPPD understands them and provides detailed information to address these concerns. This information supplements the Reference 4 response to the NRC Request for Additional Information (Reference 5).
As explained in the enclosure, the HRA portion of the FCS IPE accurately reflects the risk-significant aspects of human performance at FCS; therefore, additional treatment in the area of HRA to allow use of the IPE for risk-based applications beyond those associated with Generic Letter 88-20 is unwarranted.
OPPD remains committed to using the FCS PRA (i.e., the IPE) for making risk-informed decisions regarding the safe operation of FCS.
OPPD's participation in the Combustion Engineering Owner's Group - Probabilistic Safety Assessment Working Group, which is advancing the use of PRA to support risk-informed decisions and requests for changes to regulations, is an integral part of this commitment.
The recent issuance of Revision 1 of the FCS PRA demonstrates OPPD's intention to keep the FCS PRA representative of current FCS design and operation.
If you should have any additional questions, please contact me.
Singerely,
)@9M l
S.K. Gambhir Division Manager -
Engineering & Operations Support SKG/mle Enclosure c:
Winston & Strawn E. W. Merschoff, NRC Regional Administrator Region IV L. R. Wharton. NRC Project Manager W. C. Walker, NRC Senior Resident Inspector
l t
l
)
L l
LIC-97-041 Enclosure Page 1 Additional Information Concerning the Fort Calhoun Station Individual Plant Examination (IPE) 1 Human Reliability Analysis (HRA)
Omaha Public Power District (OPPD) has carefully reviewed the findings of the Technical Evaluation Report (Reference 3), which provides the bases for the conclusions reached in the NRC Safety Evaluation Report (Reference 2) regarding
-l the HRA portions of the Fort Calhoun Station (FCS) IPE.
Based on numerous i
statements made in Reference 3 and additional discussions with the NRC and NRC contractor staff. OPPD concludes that the NRC staff has the following concerns:
Relative _to Pre-Initiatar_Erm cs (1)
There is insufficient description of the process used to identify what would be included in the model.
(2)
The model does not sufficiently account for FCS-specific human factors characteristics.
(3)
The screening values for the pre-initiator errors were too low.
potentially leading to the exclusion of components that have poor FCS-i specific performance.
Re.lative_to_ East-Initiator Errors (1)
There is insufficient description of the process used to identify what would be included in the model.
(2)
The classification of these errors appears arbitrary, requires skilled judgment, and is without sufficient guidance to ensure that future revisions of the IPE will be performed in a consistent manner.
(3)
The model does not seem to have considered FCS-specific performance shaping factors.
OPPD believes that the HRA portion of the IPE is an excellent product, which accurately reflects the risk-significant aspects of human performance at FCS.
l The following sections eddress each of the NRC concerns in detail.
i l
i
LIC-97-041 Enclosure I
Page 2 Pre Initiator Errors (1)
There is insufficient description of the process used to identify what would be included in the model.
Question 16 of Reference 5 and OPPD's response (Reference 4) is most repre entative of this concern addressed in prior correspondence.
Admittedly, the response only partially reflected the total process used in identifying what pre-initiator errors should be included in the IPE model and how they should be refiected 10 the model.
First, it must be understood that an underlying j
principle was used in evaluating what should be in the model, whether a pre-or l
post-initiat.or human error That is, the identification process was performed l
using input from individuals who truly understand the detailed plant design and operational practices for FCS. This knowledge, exemplified by a former senior reactor operator (SRO) and Operations Training Supervisor who was (and remains) an integral member of OPPD's PRA staff, was combined with the assistance of our HRA consultant and the systems analysts to identify and quantify the HRA events in the model.
With regard to possible pre-initiator human errors. FCS is an unusual plant. Its early vintage and overall simplicity result in the fact that FCS has few trip, isolation, or other protective circuits that can be miscalibrated or otherwise be adversely affected such that risk-significant equipment would be made inoperable.
Additionally, there is typically redundant or diverse instrumentation so that inoperable equipment can easily be detected and recovered (such as by manually starting a " defeated" auto-start signal).
Furthermore, FCS uses air-operated valves for many applications where other plants use motor-operated valves. Air-operated valves normally fail in their accident positions and hence are less vulnerable to latent errors such as defeating control circuits or leaving motor breaker.s inoperable.
With the above as background, the PRA staff focused the identification of potentially important pre-initiator human errors by identifying " critical" instrumentation and associated equipment with the following characteristics: (a) the equipment and instrumentation are relied upon in responding to a potential severe accident, (b) there is little redundancy or diversity present, and (c) any undesired status of the equipment would not be easily detected and recovered.
l
LIC-97-041 Enclosure Page 3 This identification process was conducted using the expertise of individual system analysts including knowledge (and review where necessary) of plant procedures and practices pertaining to maintenance and testing performed at FCS.
Review of the identified events and ultimately the quantification process was carried out in an interactive manner primarily between the former SRO on the PRA staff and OPPD's HRA consultant. This was done on an event-by-event basis. The
" product" of this process was instrumentation or equipment inoperabilities that could occur and realistically remain undetected and not be so easily recovered such that the impact on the risk profile for FCS could be important.
These i
became the identified pre-initiator human errors worthy of modeling in the FCS PRA, and include:
diesels inadvertently left in off-auto start status e
pressurizer pressure miscalibrated such that safeguards systems do not e
adequately respond containment high pressure instrumentation miscalibrated such that safeguards e
systems do not adequately respond safety injection tank pressure miscalibrated such that injection does not occur when required recirculation actuation miscalibrated such that safety injection pumps lose suction primary safety relief valve lift settings miscalibrated diversion drain paths in high pressure safety injection (HPSI) system left open such that the HPSI function could be defeated auxiliary feedwater (AFW) actuation miscalibrated so as to defeat auto-start e
of the system l
failure to remove reactor protection system (RPS) jumper during testing Note that a system like AFW, while a risk important system in the plant, has only one set of signals that auto-start the system (low steam generator level). Thus, even if miscalibrated, it is not likely to go undetected since there are different level sensors that could be used to recognize lowering levels in the steam generators, as well as diverse indications of lack of secondary heat removal.
In such cases, AFW could be easily manually started from the control room. Additionally, diesel-driven AFW Pump FW-54, is independent from the rest of the AFW pumps and has no protective " stops ~on the equipment (in fact, protective " stops" that did exist were removed because of early PRA insights regarding the risk-significance of FW-54). Considerstions such as these tend to make the overall significance of the pre-initiator errors small.
LIC-97-041 Enclosure Page 4 In addition to the above, failure data used for individual components in the model include failures that may have been caused by latent maintenance and testing errors, as well as random hardware failures.
Hence these errors (and their probabilities) are inherently included in the model, thereby capturing the individual train / component types of pre-initiator errors.
Collectively, these individual train / component errors, along with the above identified potentially risk-significant errors (some of which tend to have more of a common-cause effect), constitute the pre-initiators in the FCS PRA model.
Finally, and as part of OPPD's corrective actions following a recent diesel generator event. OPPD has examined the potential for pre-initiator events in risk i
dominant equipment independent of the PRA.
No new events have been identified since the diesel generator event.
In conclusion, a rigorous identification and screening process was used to ascertain which events should be included in the PRA model.
More importantly, this process has resulted in the PRA " capturing" the potentially risk-significant pre-initiator errors appropriate for FCS.
This was largely done based on qualitative and knowledgeable judgments of persons familiar with the plant design and operation practices. OPPD contends that this process is far better, and more efficient, than individually modeling numerous pre-initiator events and then
" calculating them away" based on probability factors used within any specific HRA technique.
(2)
The model does not sufficiently account for FCS specific human factors characteristics.
Question 18 of the NRC's RAI (Referena G) and OPPD's response (Reference 4) is most representative of this concern addressed in prior correspondence.
In Reference 4, OPPD stated that any performance shaping factors were not generically identified, but that each event was reviewed "on its own merit" with regard to what factors would apply or otherwise be appropriate to consider. The determination of such factors was based on applicable procedure reviews and, in some cases, walkthroughs or simulations. As shown in the response to concern (1) above, there was a relatively small number of events that had to be analyzed and quantifiec as part of the PRA model.
Hence, rather than identifying a pre-established set of performance shaping factors to be considered. each of the above events was reviewed and discussed within its own context.
This included what activities had to be performed and
LIC-97-041 Enclosure l
Page 5 L
the level of complexity involved, what procedures were used, the clarity of those l
procedures, the location and environment in which the required activities are j
J normally performed, whether. independent checks are made of the activity, and Whether post-testing is performed to ensure functionality. As such..these were
.the performance shaping factors that were considered in evaluating the l
probabilistic potential of each error.
I In OPPD's estimation, the result is appropriate consideration of the FCS-specific j
factors that would most -influence the. probabilities of the identified pre-q l
initiator errors, once again " capturing" the risk-significant errors potentially
.l 1mportant to the present or future use of the FCS PRA.
]
i i
(3)
The screening values for the pre initiator errors were too low, j
potentially leading to the exclusion of components that have poor FCS-specific performance.
Question 17 of Reference 5 and OPPD's response (Reference 4) is most representative of this concern addressed in prior correspondence.
It is true that the 0.003 screening value was used for many of the identified pre-initiator events.
As stated in Reference 4. OPPD believes this is justliied based on typical values found for similar events in prior PRAs and related reports at the time.
Additionally FCS's maintenance and testing philosophy and procedures include such features as independent checks, post-activity testing, verification checks of equipment status on a routine basis, etc. - in other words, all the features that would support the use of such a screening value.
Nevertheless, each event was at least d' u ussed to ensure that the use of such a value could be supported as being conservative.
Our assessment was that more effort than this would not have improved the quality or accuracy of the PRA model.
Furthermore, use of the above screening value is supperted by the independent review led by Duke Engineering and Services that was performed during the latter phase of the PRA's development.
During that review, a sampling of the FCS pre-initiator error probabilities was compared to other PRA. NSAC, and ASEP/THERP evaluations.
Our 0.003 screening i
L value compared quite favorably with the 0.005 to 1E-5 range of values found in l
these other studies for similar events.
Based on the above. OPPD does not believe that any important accident sequences
}
or significant component insights were inadvertently eliminated.
)
LIC-97-041
)
Enclosure Page 6 Rostdnitiator_Errots (1)
There is an insufficient description of the process used to identify what would be included in the model.
l (2)
The classification of these errors appears arbitrary,- requires skilled j
l judgment, and is without sufficient guidance to ensure that future 1
revisions of the IPE will De performed in a consistent manner.
(3)
The model does not seem to have considered FCS specific performance i
shaping factors.
i These concerns are perhaps best discussed as a single group by explaining the L
process and considerations used in identifying and quantifying the post-initiator errors in the FCS PRA. While none of the RAI questions explicitly coincide with l
the first concern, statements made in Reference 3 cite this as a general issue.
For example. Reference 3. Section E.3.2. page E3 includes the observation "...the licensee provides no explicit descriptions of the process used to identify post-
~
initiator human actions for analysis." Reference 3. Section 2.3.2 page 15. 2nd paragraph includes a similar statement. Related statements questioning the roles of licensee personnel and the content of review comments on the HRA task are included in Sections 2.1.3.1 and 2.1.3.2 of Reference 3.
Questions 21 through 26 of the RAI (Reference 5) relate to aspects of the 2nd and 3rd concerns.
In addition to OPPD's response (Reference 4) to the RAI the following overall picture of the post-initiator analysis process is offered.
i The information sources used to identify post-initiator errors that should be 1
included in the model primarily included the FCS Emergency Operating Procedures.
Abnormal Operating Procedures, knowledge of operator training and simulator exercises, plant walkthroughs, and of course, the detailed knowledge of the plant design and operational practices inherent in the former SR0's prior training and experience.
The post-initiator events identified to be included in the model were based largely on the expected procedural responses to events as they might occur based on application of the symptom-based procedures used at FCS as well as the training of the operation staff at the plant.
Pragmatically, the inclusion of j
events in the model was an iterative process of initial modeling, examination of
{
resultant sequence cutsets iterations on the modeling, and finally adding
{
reco m ry events, as is the common practice in many PRAs.
1 j
i
\\
l LIC-97-041 l
Enclosure l
Page 7 l
l The evaluation of the probabilities of these post-initiator errors always considered the sequence context. This context included such factors as:
what is working?
what has failed?
l what indications (symptoms) are likely being used by the operators to discern i
I plant status?
what procedures are likely being used for this set of conditions?
what training tendencies apply?
what priorities may exist in the operators' response?
l how difficult are the required actions and where must they be performed?
what cues are available to take the right action and how independent are l
those cues?
what is the level of dependency among the decision-makers?
l what dependencies may exist among the desired activities to be performed?
how much time is available to perform the activity and how long will it take?
l This combined, integrated thought process was applied to all the post-initiator events and captured, albeit in a limited way, by the HRA technique used.
In this j
context " limited" is used because current HRA techniques typically assess a probability, relying explicitly on just a few of all the possible factors that are at least qualitatively judged when performing a HRA.
In our case, probabilities were determined largely on the basis of first categorizing the desired action as a "model type" fer quantification purposes.
These model types included a verification model (for actions that are simply verification actions in the control room), a rule-based model (these are actions to be taken by typically following the procedural and training guidance supplied to the operator staff). a model for other in-control room actions not fitting either the verification or rule-based models and typically involving a judgmental response by the operators, an ex-control room response model, and a slip model l
(this one is often more component-specific). To illustrate this categorization i
process, examples of each model include:
operator fails to trip reactor manually - verification model failure to initiate feed and bleed (different values for small break LOCA.
during steam generator tube rupture (SGTR) different transients..) - rule-based model failure to align flow to emergency feedwater storage tank (EFWST) given instrument failure "other" model
LIC-97-041 Enclosure Page 8 failure to line-up makeup flow to the EFWST within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> - ex-control room response model operator fails to control auxiliary feedwater (AFW) flow - slip model e
While most of the identified post-initiator errors were reasonably easy to categorize, some naturally exhibited the characteristics of more than one model.
In such cases, the best combined judgment of the former SR0 and HRA consultant was used.
Particularly, in the case of " slips", it was judged whether the diagnostic reasons for error would be sufficiently small (e.g., many cues exist and procedural guidance is clear) such that the error would most likely be dominated by failures in carrying out the desired activity.
Based on the model categorizations, different models and time reliability response curves were used.
These models inherently apply some of the factors considered above.
- However, they also account for the time available vs. time to perform the desired action, level of dependency among the decision-makers, and other performance shaping f6ctors (PSFs), which attempt to " quantify" the multiplying factor to be applied to account for all the other context factors discussed above.
While this (as in any HRA technique) was performed on a largely judgmental basis, these judgments and the resulting quantitative results are recorded on individual record sheets for each event. Even though these record sheets may not record all the " thinking" that went into the quantification of each event, they are a record of the results of the " thinking" process, and hence are a documented starting point for future reviews or revisions of the post-initiator probabilities.
Particular concern was raised in the NRC staff review about the event " failure to lineup makeup flow to the EFWST within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />" because of its originally assigned relatively high failure probability and the fact that this may have artificially raised the frequency of the "TX" sequence, thereby masking other potentially important insights. We agree that the original assessment was too conservative.
This was largely due to the inherent bias placed on ex-control room activities; something which was not properly balanced by, in this case. the long time available to discern and carry-out the desired result. This has since been corrected in Revision 1 of the FCS PRA.
1
LIC-97-041 Enclosure j
Page 9 i
The HRA was reviewed as part of the independent review led by Duke Engineering and Services.
Comments received can be categorized into four groups:
(1)
Some operator error probabilities seem low compared with similar events at other plants (2)
Credit for HVAC recovery may be optimistic (3)
Occurrence of multiple operator actions appearing in a single cutset R
should be checked for dependencies among the actions (4)
A sensitivity analysis for the HRA values should be considered i
i In response. OPPD re-examined the HRA results and made any appropriate adjustments, removed the HVAC recovery events as it was later determined that the concerns for HVAC loss were not realistic, subsequently removed or otherwise l
combined multiple operator actions appearing together in order to delete or properly assess dependencies among the events, and performed a HRA sensitivity analysis on the final results as reported in Section 3.4.5 of the IPE Submittal.
l In conclusion, a justifiable identification process was used to ascertain which events should be included in the PRA model. Knowledgeable judgments of a former l
SR0 intimately familiar with the plant design and operation practices, augmented by walkthroughs and discussions with other plant staff if necessary, were used I
to understand the qualitative factors that had to be considered in quantifying the post-initiator errors. This was done in the context of the sequence cutsets involving the post-initiator events to be quantified. As indicated above. FCS-specific factors were qualitatively considered and quantified (albeit with judgment) using PSF multipliers.
While judgment played an important part in categorization and quantification of events, that judgment was provided by the same personnel resulting in a consistent evaluation proe ss, which OPPD believes l
" captures" the most risk-significant errors applicable to FCS.
An independent l
review of the HRA was performed and tne comments received were addressed before l
finalizing the submittal.
I In addition, and as part of OPPD's "living" PRA concept. OPPD has recently l
completed a review audit of the human error events in the PRA model.
Besides taking care of clerical / administrative issues associated with clean-up of the computer files, this audit performed a "re-thinking" of the events in the model to make sure the results are self-consistent and appear reasonable. The results of this audit will be applied to the next revision of the FCS PRA model.
J f
l LIC-97-041 Enclosure Page 10 i
One final observation is worthy of note in this discussion.
It is recognized that the OPPD approach, particularly in the area of assessing post-initiator human errors, has been largely based on the knowledge and experience of the former. SR0 in addition to the interaction of this individual with the HRA l
l consultant.
The goal of this approach was to achieve the right relative probabilities for these events as well as reasonable absolute values, given the j
limitations and uncertainties of any HRA technique.
l 0 PPD believes that our reliance on this two-person team is a strength of the FCS HRA in that the process coupled both the operational experience and perspectives of a former SRO, with the PRA modeling perspective of our HRA consultant. Should OPPD ever lose the services of both individuals, the record sheets provide a l
starting point from which to continue the processes and judgmental bases in any future HRA updates.
OPPD is confident that the present HRA appropriately captures the more risk-significant events for FCS. The same PRA staff, using the same judgments applied in the original model, are being utilized to update the PRA and carry out risk-informed applications.
OPPD reviews the' applicability of the existing HRA i
values pertaining to each specific application.
As they are identified. OPPD 1
will address those specific HRA concerns not already captured by the current model that are important to the specific application. Hence, application of the FCS PRA should not require significant additional treatment in the area of HRA.
i i
d i
h t
i