ML20245E459
ML20245E459 | |
Person / Time | |
---|---|
Issue date: | 09/01/2020 |
From: | Susan Cooper, Carmen Franklin Office of Nuclear Regulatory Research |
To: | |
Carmen Franklin, Susan Cooper | |
Shared Package | |
ML20245E456 | List: |
References | |
Download: ML20245E459 (147) | |
Text
Research Information Letter 20-XX (Draft)
DRAFT - Flexible Coping Strategies (FLEX) HRA Using IDHEAS-ECA Volume 2 Date Published: TBA 2020 Prepared by:
iii
S. Cooper C. Franklin Title and Address of Institution(s) that completed this report Carmen Franklin, NRC Project Manager iv
Disclaimer Legally binding regulatory requirements are stated only in laws; NRC regulations; licenses, including technical specifications; or orders. Although the NRC staff may suggest a course or action in a RIL, these suggestions are not legally binding and the regulated community may use other approaches to satisfy regulatory requirements. Only unclassified information is published in this series.
v
ABSTRACT This report describes the human reliability analysis (HRA) of scenarios involving diverse and flexible coping strategies (FLEX) and associated equipment. The HRA method used for this project is the Integrated Human Event Analysis System for Event and Condition Assessment (IDHEAS-ECA). IDHEAS-ECA has been developed to focus on specific contexts, especially those that involve operator actions taken outside the main control room of a nuclear power plant. The basis for IDHEAS-ECA is The General Methodology of an Integrated Human Events Analysis System (IDHEAS-G) which addresses a broad set of contexts. Both industry and the Nuclear Regulatory Commission are beginning to incorporate FLEX strategies into probabilistic risk assessments (PRAs).
This FLEX HRA effort involved the following: 1) plant site visits to better understand FLEX strategies, associated equipment and operator actions; 2) selection and development of credible, HRA/PRA scenarios and associated human failure events; 3) training on IDHEAS-ECA and an associated software tool; 4) a workshop for HRA analysts to perform and/or finalize their HRA quantification using IDHEAS-ECA; and 5) final documentation of results. The results of this FLEX HRA effort will be used by the developers of IDHEAS-ECA to guide future developments.
Key Words Human reliability analysis (HRA)
FLEX Probabilistic risk assessment (PRA) vi
vii EXCUTIVE
SUMMARY
This report describes the human reliability analysis (HRA) method of scenarios involving the nuclear power industrys implementation of diverse and flexible coping strategies (FLEX). The HRA method used for this effort was the Integrated Human Event Analysis System for Event and Condition Assessment (IDHEAS-ECA).
Background
The U.S. Nuclear Regulatory Commission (NRC) and nuclear power industry have been using probabilistic risk assessment (PRA) to identify risk-significant vulnerabilities in plant design and operations and to risk-inform licensing decisions since the 1990s. The 1995 NRC PRA Policy Statement paved the way for the wide-spread use of PRA today. Subsequent rulemaking, regulatory guides (RGs), and NRC reports have reinforced the role of PRA in risk-informed decisionmaking1. In turn, the nuclear power industry has taken advantage of NRCs risk-informed guidance (e.g., RG 1.174 for plant-specific changes to the licensing basis, RG 1.177 for risk-informed technical specifications) to make modifications to their plants and operations.
Since the first PRA performed for the nuclear power industry (i.e., the Reactor Safety Study, WASH-1400, 1975), human reliability analysis (HRA) has been an important part of PRA. In particular, HRA must support PRA models in representing the as-operated aspect of nuclear power plants (NPPs). The first HRA method, the Technique for Human Error Rate Prediction (NUREG/CR-1278, 1983) supported not only the first U.S. PRA, but continues to be applied throughout the world for both nuclear and non-nuclear technologies.
However, many dozens of HRA methods have been developed in the intervening years, both in the U.S. and internationally. For example, multiple HRA methods were developed by following design and operational changes made following the Three Mile Island 2 accident in 1981. Other methods, especially internationally, were developed for specific reactor designs (e.g.,
MERMOS). More recent, or so-called second generation, HRA methods have been based on more recent advances in cognitive and behavioral science, offering better explanations for why do humans err? Examples of two such methods developed by the NRC include A Technique for Human Event Analysis (ATHEANA, 2000) and the Standardized Plant Analysis Risk-Human Reliability Analysis method (SPAR-H, 2005). The NRC also has developed context-specific HRA guidance (e.g., EPRI/NRC-RES Fire Human Reliability Analysis Guidelines, NUREG-1921) and performed HRA/PRA for regulatory purposes (e.g., rulemaking on pressurized thermal shock) and research (e.g., NRCs Office of Nuclear Regulatory Research site-wide, all hazards Level 3 PRA project). It should be noted that, with a few exceptions, the human error probabilities (HEPs) used in these HRA methods are directly or generally based on THERP.
The Development of IDHEAS-ECA Improvements to HRA and its application have continued since the flurry of HRA method development in the 1990s and early 2000s. For example, the U.S. NRC Commission, in its staff requirements memorandum (SRM) M061020, directed the Advisory Committee on Reactor Safeguards (ACRS) to, work with the [NRC] staff and external stakeholders to evaluate 1 Examples of such NRC reports include xxx for voluntary risk-inform, performance-based fire protection rulemaking; The Proposed Risk Management Regulatory Framework, NUREG-2150 [ref 1 in NUREG-2170]; Recommendations for Risk-Informing the Reactor Oversight Process, SECY-13-0137) viii
different human reliability models in an effort to propose a single model for agency use or guidance on which model(s) should be used in specific circumstances. In response to SRM M060120, the NRC staff evaluated several HRA methods by conducting two international collaborative research projects that compared the results obtained from the HRA methods to simulator experiments. Based on the results of the comparisons, the NRC staff identified areas for HRA improvement and decided to develop an enhanced HRA methodology to integrate the strengths of the existing HRA methods and improve HRA in the areas of application scope, scientific basis, variability, and data. The enhanced HRA methodology is referred to as The General Methodology of an Integrated Human Event Analysis System (IDHEAS-G). IDHEAS-G is intended to be a human-centered, general methodology used to develop application-specific HRA methods and consists of two parts: a cognition model of human performance and an HRA process that implements the cognition model.
Several companion documents to IDHEAS-G have been developed or are planned. For example, a cognitive basis framework was developed and documented in NUREG-2114, and the Integrated Human Event Analysis System for Data (IDHEAS-DATA) was created to develop HEPs, using a variety of sources (e.g., psychological literature, NPP simulator exercise).
Hence, IDHEAS-G is the first NRC HRA method developed since THERP that has a unique, underlying database.
The Integrated Human Event Analysis System for Event and Condition Assessment (IDHEAS-ECA) has been developed as an extension of The General Methodology of an Integrated Human Events Analysis System (IDHEAS-G - NUREG-2198) to address a broad set of contexts, especially those that involve operator actions taken outside the main control room of a nuclear power plant. In addition, the IDHEAS-ECA guidance is a streamlined version of that for IDHEAS-G, particularly for HRA qualitative analysis and quantification. IDHEAS-ECA address the context of beyond-design-basis external events (BDBEE) and the diverse and flexible coping strategies (FLEX) strategies implemented by the U.S. nuclear power industry.
HRA/PRA Application to FLEX Both the NRC and industry are beginning to modify PRA models to represent the implementation of FLEX. Some of the NRCs Standardized Plant Analysis Risk (SPAR) models have been updated to include FLEX strategies and some utilities have expanded their PRA models to include the use of FLEX equipment. Also, some utilities have requested licensing changes that involve using FLEX strategies or equipment for non-FLEX contexts (e.g., provide additional diesel generator redundancy in loss of offsite power scenarios).
Regarding HRA, specifically, the Electric Power Research Institute (EPRI) issued guidance for FLEX HRA in November 2018 (EPRI 3002013018) and NRCs Office of Nuclear Regulatory Research (RES) performed an expert elicitation to develop human error probabilities (HEPs) for FLEX scenarios in 2019 (Volume 1 of this report). Although there are several differences between the two reports, both reports lacked certain details regarding how FLEX has been implemented that are important to performing HRA.
As will be discussed later in this report, there are some challenges to modeling FLEX scenarios and non-FLEX scenarios involving FLEX equipment in PRA. For example, the information documenting FLEX implementation may not be directly applicable to HRA/PRA (e.g., timing information may be too conservative or not match a PRA end state, such as core damage).
NRCs FLEX HRA Using IDHEAS-ECA ix
The main objective of this effort was to perform HRA for credible and detailed scenarios involving FLEX strategies and associated equipment. A secondary objective was to perform this HRA using IDHEAS-ECA (as part of a larger piloting effort). In order to accomplish both of these objectives, this FLEX HRA effort took advantage of several important resources, such as:
- 1. The participation of both NRC and industry HRA analysts in both scenario development and HRA quantification activities
- 2. Two plant site visits - one boiling water reactor (BWR) and one pressurized water reactor (PWR) - attended by many of the HRA analysts and supported by several FLEX and operational experts (both plant-specific and industry-wide)
- 3. Support by FLEX and operational experts throughout the project to develop credible, detailed and PRA-relevant scenarios - one FLEX scenario for a seismic event and two non-FLEX scenarios involving use of FLEX equipment to provide redundant sources of electrical power and feedwater, respectively
- 4. Input from HRA analysts and FLEX/operational experts to develop qualitative HRA insights that served as a common understanding of FLEX strategies, associated equipment and operator actions
- 5. A face-to-face, FLEX HRA Workshop that facilitated the ultimate, common understanding of the scenarios and how to apply IDHEAS-ECA In addition, the NRCs FLEX HRA effort addressed not only a classic FLEX scenario for a beyond design basis external event, but also two non-FLEX scenarios (i.e., the initiating event is not an external event) that were of interest to industry.
Summary Results and Lessons Learned from NRCs FLEX HRA Using IDHEAS-ECA Overall, this FLEX HRA effort was successful in accomplishing its main and secondary objectives. Examples of key accomplishments are:
- Both NRC and industry HRA analysts learned more about FLEX equipment and utility preparations for using FLEX equipment that are important inputs to HRA/PRA.
- The combination of information collection during the site visits, inputs from industry FLEX experts, and traditional HRA/PRA constructs were sufficient2 to support the development of three scenarios that both NRC and industry analysts agreed were credible:
o One classic FLEX scenario for a seismic event o One non-FLEX scenario for a sunny day loss of all feedwater (and deployment of a FLEX pump) o One non-FLEX scenario for a sunny day station blackout (SBO) with a FLEX Plus diesel generator pre-staged while an emergency diesel generator was out-of-service for long-term maintenance
- The participating HRA analysts and NRCs technical team learned important lessons about how to perform HRA for FLEX, regardless of the HRA quantification method. (e.g.,
how to use industry-wide and plant-specific information about FLEX implementation such as the industry-wide use of common connections, plant-specific FLEX timelines and validations).
2 Supplemented by some key assumptions.
x
- Industry participation (both FLEX experts and HRA analysts) and interaction with NRC staff (both HRA analysts and NRCs FLEX HRA technical staff) throughout the project created a confidence in the process and results.
- The confidence in the scenario development approach also translated into a collegial environment for the workshop.
- Both NRC and industry HRA analysts judged that the IDHEAS-ECA human error probability (HEP) results to be credible and consistent with their qualitative assessment of individual human failure events (HFEs).
- Generally, the HEPs developed by the participating industry and NRC HRA analysts were consistent (within an order of magnitude). There were a few cases for which there were outlier results.
In addition, some important HRA/PRA insights were developed as a result of this effort, such as:
- Timing validation information that was developed to support FLEX implementation can be used but:
o It may be conservative (and PRA success criteria may require much shorter times for the completion of operator actions) o Because FLEX timing information has been developed for site-wide events, this information may represent the time needed to perform actions for more than one unit (whereas most PRAs are performed for a single unit) o It may not be directly applicable to PRA because the success criteria used for FLEX validation are different than PRA success criteria (e.g., a serious consequence such as core damage or component failure)
- PRA event trees may require additional modeling (e.g., additional branches and end states) to accommodate the use of FLEX equipment, especially if FLEX equipment is being used as backup equipment to front-line, safety systems in non-FLEX PRA scenarios (e.g., FLEX pumps used if all auxiliary feedwater (AFW) pumps fail - both before or after feed-and-bleed criteria have been reached).
- Thermal-hydraulic analyses may not have been performed to support crediting FLEX equipment (e.g., if one AFW pump runs for one hour then all AFW fails, how much more time do operators have until the feed and bleed success criteria are reached, compared to that if all AFW pumps failed at t=0?)
- For non-FLEX scenarios, HRA/PRA credit cannot be given unless appropriate supports for operator actions are provided. For example, modifications to Emergency Operating Procedures (EOPs) to include use of FLEX equipment must have strong and unambiguous guidance for deployment in order to obtain HRA credit (in addition to consideration of adequate time).
Regarding feedback on IDHEAS-ECA and its associated software, resolution of comments from the workshop and survey will be documented and published separately.3 3
At the time of this reports publication, documentation of comment resolution (and associated refinements to IDHEAS-ECA guidance and associated software tool) was still in progress. This documentation will be publicly available in ADAMS.
xi
ACKNOWLEDGEMENTS The authors would like to thank many groups and individuals who contributed their time, experience, and insights to this report.
Mary Presley (EPRI) offered the support of her organization, facilitating the participation of various members from industry through the Memorandum of Understanding (MOU) between the NRCs Office of Nuclear Regulatory Research (RES) and EPRI. This MOU also facilitated the exchange of information between NRC and industry participants. Mary also provided her insights from EPRIs previous FLEX HRA work and her participation in NRCs expert elicitation for FLEX HRA. In addition, EPRI provided support for one of the industry HRA analysts. Mary also helped to identify other industry HRA analysts who were willing to support this project and served as an observer for the FLEX HRA Workshop.
The authors also appreciate the support from representatives of the Boiling Water Reactor (BWR) and Pressurized Water Reactor (PWR) Owners Groups (BWROG and PWROG, respectively), including Greg Krueger (BWROG, retired) and Roy Linthicum (PWROG). Both the PWROG and BWROG assisted in identifying nuclear power plant (NPP) sites to host visits from the project team and in identifying FLEX and operational experts to support these site visits and other project activities. Roy Linthicum also provided support as an operational expert.
The authors are grateful for the time and wealth of experience provided by several industry and NRC FLEX and operational experts:
- Phil Amway, Exelon
- Randy Bunt, Southern Company
- Frank Gaber, Arizona Public Service
- Jim Lynde, Exelon
- Josh Miller, NRCs Office of Nuclear Reactor Regulation (NRR)
- Sue Sallade, Exelon (retired)
- William Webster, Dominion These subject matter experts were essential in helping the project team and HRA analysts to understand key aspects of FLEX strategies, associated equipment, and operator actions. Many of the experts participated in the plant site visits, helping to explain both site-specific and industry-generic features of FLEX. These experts also participated in numerous phone call meetings to support the development of scenarios. A few of these experts attended the FLEX HRA Workshop to provide additional FLEX and/or operational information needed during HRA quantification. Also, some of these experts provided the essential elements of the non-FLEX scenarios that were evaluated in this project.
The authors are also grateful for the time and effort from the industry and NRC HRA analysts who participated in this project:
- Frank Arner, NRC Region I
- Mark Averett, Florida Power & Light
- John Bretti, Entergy
- Scott Freeman, NRC Region II
- Kaydee Gunter, Jensen-Hughes
- Chris Hunter, NRC RES xii
These HRA analysts participated in phone calls to finalize scenario descriptions and associated HFE definitions, participated in remote training on IDHEAS-ECA, attended the face-to-face workshop at NRCs Headquarters to perform the HRA evaluations, and developed the final HRA analyses and associated documentation. Kaydee Gunter and Chris Hunter also provided specific HRA/PRA details for scenario descriptions (e.g., event trees).
The authors would like to thank additional NRC staff who provided their time and experience to understanding FLEX and related events. In particular, the authors would like to thank Mark King (NRR, Division of Reactor Oversight, Generic Communications and Operating Experience Branch) for searching out relevant operational experience and sharing his own experiences.
Lastly, the authors would like to express a special thanks to the staff at the two plant sites that were visited during this project. Plant managers as well as administrative, training, operations, and PRA staff worked to ensure that the site visits were a success and met project goals. In addition, both sites were gracious and responsive hosts (e.g., providing conference room space, accommodating last-minute requests).
xiii
TABLE OF CONTENTS 1 INTRODUCTION ................................................................................................................ 1-1 1.1 Background ................................................................................................................. 1-1 1.2 Objectives .................................................................................................................... 1-2 1.3 Technical Approach ..................................................................................................... 1-3 1.3.1 Information on FLEX Strategies, Equipment, and Associated Operator Actions.. 1-4 1.3.2 HRA Analysts ....................................................................................................... 1-5 1.3.3 FLEX and Operational Experts ............................................................................. 1-5 1.4 Scope and Limitations ................................................................................................. 1-6 1.5 Intended Audience.......................................................................................................1-7 1.6 Report Structure .......................................................................................................... 1-7 1.7 References .................................................................................................................. 1-8 2 PLANT SITE VISItS ........................................................................................................... 2-1 2.1 Selection of Plant Sites ................................................................................................2-2 2.2 Objectives of Plant Site Visits ...................................................................................... 2-2 2.3 Planning for Plant Site Visits ....................................................................................... 2-3 2.4 HRA Analyst Preparations Prior to Plant Site Visits .................................................... 2-4 2.5 Agenda and Attendees for Plant Site Visits ................................................................. 2-5 2.5.1 Plant Site Visit Agenda ......................................................................................... 2-5 2.5.2 Attendees for BWR Plant Site Visit ...................................................................... 2-5 2.5.3 Attendees for PWR Plant Site Visit ...................................................................... 2-6 2.6 Summary of HRA-Related Information Collected During Plant Site Visits................... 2-7 2.6.1 Summary of HRA/PRA-Relevant Notes for Plant Site Visit to a BWR.................. 2-7 2.6.2 Summary of HRA/PRA-Relevant Notes for a Plant Site Visit to a PWR............... 2-8 2.6.3 Summary of Combined HRA/PRA-Relevant Notes .............................................. 2-8 2.7 References ................................................................................................................ 2-20 3 HRA/PRA SCENARIO DEVELOpMENt ............................................................................ 3-1 3.1 General Process for Developing Scenarios ................................................................. 3-1 3.2 Selection of Scenarios and Associated HFEs ............................................................. 3-2 3.2.1 Selection of the FLEX Scenario ........................................................................... 3-2 3.2.2 Selection of the Non-FLEX Scenarios .................................................................. 3-3 3.3 General Assumptions .................................................................................................. 3-3 3.4 FLEX Scenario ............................................................................................................3-3 3.4.1 Development of the FLEX Scenario ..................................................................... 3-4 3.4.2 Specific Assumptions for the FLEX Scenario ....................................................... 3-4 3.4.3 HFEs for the FLEX Scenario ................................................................................ 3-6 3.4.4 Summary Description of the Base Case FLEX Scenario ..................................... 3-7 xiv
3.4.5 Summary Description of Two Variations on the FLEX Scenario .......................... 3-9 3.5 Development of Non-FLEX Scenarios ......................................................................... 3-9 3.5.1 Non-FLEX Scenario: Sunny Day Loss of All Feedwater .................................... 3-9 3.5.2 Non-FLEX Scenario: Sunny Day Station Blackout with One EDG Out-of-Service for Maintenance ................................................................................................................ 3-14 3.6 References ................................................................................................................ 3-19 4 IDHEAS-ECA TRAINING ................................................................................................... 4-1 4.1 Training Format and Logistics ..................................................................................... 4-1 4.2 Training Content .......................................................................................................... 4-1 4.3 References .................................................................................................................. 4-2 5 FLEX HRA WORkshop using IDHEAS-eCA .................................................................... 5-1 5.1 Purpose of Workshop .................................................................................................. 5-1 5.2 Pre-Workshop Activities .............................................................................................. 5-1 5.3 Workshop Logistics ..................................................................................................... 5-1 5.4 Summary of Workshop ................................................................................................ 5-2 5.5 Workshop Results ....................................................................................................... 5-3 5.6 References .................................................................................................................. 5-3 6 FLEX HRA ReSULtS Using IDHEAS-ECA ....................................................................... 6-1 6.1 High-Level Description of IDHEAS-ECA Guidance and Software Tool ....................... 6-1 6.2 High-Level Description of IDHEAS-ECA Results ........................................................ 6-1 6.3 Results for FLEX Scenario - Large Seismic Event and SBO ...................................... 6-3 6.3.1 Results for FLEX Scenario: Base Case HFE1 - Operators fail to declare ELAP . 6-3 6.3.2 Results for FLEX Scenario: Variation Cases for HFE1 - Operators fail to declare ELAP 6-5 6.3.3 Results for FLEX Scenario: HFE2, HFE3, and HFE4........................................... 6-7 6.4 Results for Non-FLEX Scenario - Sunny Day Loss of All Feedwater ....................... 6-11 6.5 Results for Non-FLEX Scenario - Sunny Day SBO .................................................. 6-13 6.6 Conclusions ............................................................................................................... 6-15 6.7 References ................................................................................................................ 6-15 7 HRA/PRA LeSSONS LEarNED AND NEXT STEPS ......................................................... 7-1 7.1 Overall Observations ................................................................................................... 7-1 7.2 Insights for HRA and PRA Modeling ........................................................................... 7-1 7.3 Potential Areas for Future Work .................................................................................. 7-3 7.4 References .................................................................................................................. 7-3 xv
ACRONYMS AC alternating current ACRS Advisory Committee on Reactor Safeguards ADAMS Agencywide Documents Access and Management System ADS automatic depressurization system AFW auxiliary feedwater AO auxiliary operator; field operator; equipment operator AOP abnormal operating procedure ARP annunciator response procedure ASP Accident Sequence Precursor (program)
ATHEANA A Technique for Human Event ANAlysis ATWS anticipated transient without scram BDB beyond-design-basis BDBEE beyond-design-basis external event BWR boiling water reactor BWROG Boiling Water Reactor Owners Group CBDT Cause-Based Decision Tree CCW component cooling water CDF core damage frequency CE Combustion Engineering CFM cognitive failure mode CS containment spray CSFST critical safety function status tree CT critical task CVCS chemical and volume control system xvi
DC direct current DHR decay heat removal ECA events and conditions assessment ECCS emergency core cooling system ED emergency director EdF Electricité de France EDG emergency diesel generator EDMG extensive damage mitigation guideline ELAP extended loss of AC power EO equipment operator; auxiliary operator; field operator EOC error of commission EOF emergency operations facility EOO error of omission EOP emergency operating procedure EP emergency preparedness EPRI Electric Power Research Institute ERF emergency response facility ERO emergency response organization ESW essential service water ET event tree FIP final integrated plan (for implementing FLEX)
FLEX diverse and flexible coping strategies FO field operator; auxiliary operator; equipment operator FRP fire response procedure FSG FLEX support guideline HCR/ORE Human Cognitive Reliability/Operator Reliability Experiment xvii
HCVS hardened containment vent systems HEART Human Error Assessment and Reduction Technique HEP human error probability HFE human failure event HMI human-machine interface HPI high pressure injection HPSI high pressure safety injection HPSR high pressure safety recirculation HRA human reliability analysis HVAC heating, ventilating, and air conditioning IAEA International Atomic Energy Agency IDHEAS Integrated Human Event Analysis System IDHEAS-ECA Integrated Human Event Analysis System for Event and Condition Assessment IDHEAS-G General Methodology of an Integrated Human Events Analysis System IE initiating event INPO Institute of Nuclear Power Operations IPE Individual Plant Examination JPM job performance measure LER licensee event report LLOCA large, loss-of-coolant accident LOCA loss-of-coolant accident LOOP loss of offsite power LPI low pressure injection LPSD low power and/or shutdown LPSI low pressure safety injection xviii
LPSR low pressure safety recirculation LWR light water reactor MCR main control room MLOCA medium loss-of-coolant accident MOV motor-operated valve MOU memorandum of understanding NARA Nuclear Action Reliability Assessment NEI Nuclear Energy Institute NPP nuclear power plant NRC Nuclear Regulatory Commission NRC-RES NRCs Office of Nuclear Regulatory Research NRR NRCs Office of Nuclear Reactor Regulation NSSS nuclear steam supply system NUREG Nuclear Regulatory Commission technical report OMA4 operator manual action (typically in response to a fire)
OSC operational support center PIF5 performance influencing factor PORV power-operated relief valve PRA6 probabilistic risk assessment; PSA PSA3 probabilistic safety assessment; PRA PSF2 performance shaping factor PTS pressurized thermal shock PWR pressurized water reactor 4
In 10 CFR 50, Appendix R, these are local manual action (outside the MCR). In fire PRA, these may be operator actions added in response to a fire, such as to address spurious indications or alarms.
5 Often PIF and PSF are used interchangeably.
6 PRA and PSA are often used interchangeably.
xix
PWROG Pressurized Water Reactor Owners Group RASP Risk Assessment Standardization Project RCIC reactor core isolation cooling system RCS reactor coolant system RHR residual heat removal RNO response not obtained RO reactor operator ROP Reactor Oversight Process RPS reactor protection system RPV reactor pressure vessel RT reactor trip RWST refueling water storage tank SAFER Strategic Alliance for FLEX Emergency Response SAMG severe accident management guideline SAT systematic approach to training SBO station blackout SD shutdown SE Safety Evaluation SG steam generator SGTR steam generator tube rupture SI safety injection SLC standby liquid control SLOCA small loss of coolant accident xx
SM7 shift manager; shift supervisor SME subject-matter expert SPAR Standardized Plant Analysis Risk SPAR-H Standardized Plant Analysis Risk-Human Reliability Analysis method SRA senior reactor analyst SRO senior reactor operator SS4 shift supervisor; shift manager SSC systems, structures, and components STA shift technical advisor SW service water TDAFW turbine-driven auxiliary feedwater THERP Technique for Human Error Rate Prediction TSA time sensitive action (for FLEX strategies)
TSC technical support center U.S. United States of America V&V verification and validation WOG Westinghouse Owners Group (now the Pressurized Water Reactor Owners Group, PWROG) 7 The supervisor in the MCR may be called a shift supervisor or shift manager, depending on the NPP.
Also, some NPPs have changed from using SS to SM. Consequently, older event reports (e.g.,
licensee event reports) may use SS to refer to the position now called SM.
xxi
1 INTRODUCTION The report describes an effort to perform HRA for contexts involving the implementation of diverse and flexible coping strategies (FLEX). The HRA was performed using the NRCs new HRA method, the Integrated Human Event Analysis System for Event and Condition Assessment (IDHEAS-ECA) [1], and its associated software tool [2]. The FLEX HRA approach, its results, and its ensuing insights are described in this report.
1.1 Background
Since the first PRA performed for the nuclear power industry (i.e., the Reactor Safety Study, WASH-1400, 1975), human reliability analysis (HRA) has been an important part of PRA. In particular, HRA must support PRA models in representing the as-operated aspect of nuclear power plants (NPPs). The first HRA method, the Technique for Human Error Rate Prediction (NUREG/CR-1278, 1983) supported not only the first U.S. PRA, but continues to be applied throughout the world for both nuclear and non-nuclear technologies.
Many dozens of HRA methods have been developed in the intervening years, both in the U.S.
and internationally. For example, multiple HRA methods were developed by following design and operational changes made following the Three Mile Island 2 accident in 1981 [ref]. Other methods, especially internationally, were developed for specific reactor designs (e.g.,
MERMOS). More recent, or so-called second generation, HRA methods have been based on more recent advances in cognitive and behavioral science, offering better explanations for why do humans err? Examples of two such methods developed by the NRC include A Technique for Human Event Analysis (ATHEANA, 2000) and the Standardized Plant Analysis Risk-Human Reliability Analysis method (SPAR-H, 2005). The NRC also has developed context-specific HRA guidance (e.g., EPRI/NRC-RES Fire Human Reliability Analysis Guidelines, NUREG-1921) and performed HRA/PRA for regulatory purposes (e.g., rulemaking on pressurized thermal shock) and research (e.g., NRCs Office of Nuclear Regulatory Research site-wide, all hazards Level 3 PRA project). It should be noted that, with a few exceptions, the human error probabilities (HEPs) used in these HRA methods are directly or generally based on THERP.
Improvements to HRA and its application have continued since the flurry of HRA method development in the 1990s and early 2000s. For example, the U.S. NRC Commission, in its staff requirements memorandum (SRM) M061020, directed the Advisory Committee on Reactor Safeguards (ACRS) to, work with the [NRC] staff and external stakeholders to evaluate different human reliability models in an effort to propose a single model for agency use or guidance on which model(s) should be used in specific circumstances. In response to SRM M060120, the NRC staff evaluated several HRA methods by conducting two international collaborative research projects that compared the results obtained from the HRA methods to simulator experiments (add references for international and US benchmarking studies). Based on the results of the comparisons, the NRC staff identified areas for HRA improvement and decided to develop an enhanced HRA methodology to integrate the strengths of the existing HRA methods and improve HRA in the areas of application scope, scientific basis, variability, and data. The enhanced HRA methodology is referred to as The General Methodology of an Integrated Human Event Analysis System (IDHEAS-G). IDHEAS-G is intended to be a human-1-1
centered, general methodology used to develop application-specific HRA methods and consists of two parts: a cognition model of human performance and an HRA process that implements the cognition model.
Several companion documents to IDHEAS-G have been developed or are planned. For example, a cognitive basis framework was developed and documented in NUREG-2114, and the Integrated Human Event Analysis System for data (IDHEAS-DATA) (add reference here) was created to develop HEPs, using a variety of sources (e.g., psychological literature, NPP simulator exercise). Hence, IDHEAS-G is the first NRC HRA method developed since THERP that has a unique, underlying database. Other data-driven methods of note are:
- EPRIs Human Cognitive Reliability/Operator Reliability Experiment (HCR/ORE) method that was developed in the 1980s using simulator experiments
- The Human Error Assessment and Reduction Technique (HEART) method developed in the United Kingdom, also in the 1980s
- Nuclear Action Reliability Assessment (NARA), which is an updated version of HEART, currently owned by Electricité de France (EdF)
- MERMOS created in the 1990s/2000s by EdF, originally from simulator data for its N4 reactors In all cases, the underlying databases for these HRA methods have not been reviewed and are not publicly available.8 In responding to the Great Japan Earthquake and, more specifically, the event at the Fukushima Daiichi NPP, both the NRC and industry are beginning to modify PRA models to represent the implementation of diverse and flexible coping strategies (FLEX). Regarding HRA, specifically, the Electric Power Research Institute (EPRI) issued guidance for FLEX HRA in November 2018 (EPRI 3002013018). Also, in 2018, NRCs Office of Nuclear Regulatory Research (RES) sponsored an expert elicitation project (Volume 1 of this report) to use an expert panel to: 1) estimate benchmarking HEPs for a representative set of FLEX actions, and 2) identify the factors impacting the HEPs. Although there are several differences between the two reports, both reports lacked certain details regarding how FLEX has been implemented that are important to performing HRA. The purpose of the expert elicitation project was to gain an understanding of human performance in implementing FLEX strategies and to use the expert judgments of the HEPs to inform development of a new FLEX HRA method the Integrated Human Event Analysis System for Event and Condition Assessment (IDHEAS-ECA) [1], and its associated software tool [2] for contexts involving the implementation of diverse and flexible coping strategies (FLEX).
1.2 Objectives The main objectives of this research effort were: 1) perform HRA/PRA for FLEX and non-FLEX scenarios using FLEX strategies and/or equipment, and 2) use IDHEAS-ECA [1, 2] to assess the HFEs within the FLEX and non-FLEX scenarios. This FLEX HRA was performed by a panel of HRA analysts representing both NRC and industry. Draft versions of the IDHEAS-ECA guidance [1] and associated software tool [2]9 were used by the HRA analysts to perform HRA 8
The underlying database for THERP still exists in paper form and was reviewed at the time of THERPs publication.
One of the original criticisms of THERP related to this underlying database.
9 The reader should be aware that both the guidance and software tool were updated following the workshop. However, the authors expect that these updates will not substantially change the results obtained with IDHEAS-ECA.
1-2
quantification. This trial use of IDHEAS-ECA10 is intended to provide feedback to the IDHEAS-ECA developers for later improvements.
In addition, there are several underlying objectives:
- To develop a set of credible HRA/PRA scenarios involving the use of FLEX equipment
- To facilitate a face-to-face workshop (as well as pre-meetings and follow-on meetings) for the HRA analysts to perform HRA quantification with IDHEAS-ECA
- To obtain feedback from both NRC and industry HRA analysts 1.3 Technical Approach The technical approach used for NRCs FLEX HRA effort was, to the extent possible, the same as that used to perform any HRA to support PRA. In addition, since NRCs Office of Regulatory Research (RES) and the Electric Power Research Institute (EPRI) agreed to use their Memorandum of Understanding (MOU) as a vehicle to bring in industry resources to support NRCs effort, the resulting technical approach took advantage of these resources, balanced with the need to meet NRC-internal schedules.
The technical approach used for this effort consisted of the following:
- Identification and collection of information on FLEX strategies, equipment and associated operator actions
- Identification of a group of HRA analysts to represent both NRC and industry to participate in this project
- Identification of a group of FLEX and operational experts to assist in the development and assessment of FLEX scenarios and associated operator actions
- Development of a set of credible HRA/PRA scenarios involving the use of FLEX equipment
- Identification and definition of human failure events (HFEs) associated with using FLEX equipment in each scenario
- Development of qualitative HRA analysis inputs for each HFE that is sufficiently detailed to support HRA quantification (independent of HRA quantification method)
- Support of training of HRA analysts on IDHEAS-ECA prior to the workshop
- Conduct of face-to-face workshop with HRA panelists to use IDHEAS-ECA to perform HRA for FLEX and non-FLEX scenarios and associated HFEs
- Support of HRA analysts in their final HRA quantification HFEs The first three bullets are expanded upon immediately below. Detailed discussion of the remaining technical approach is provided in later sections of this report. It should be noted that, as for traditional HRA, some tasks were performed iteratively or continuously throughout the project (e.g., whenever new information was collected, the understanding of FLEX strategies and associated scenarios were updated accordingly). Also, all activities were performed with the end goal of providing HRA analysts the necessary inputs to perform HRA quantification, regardless of the HRA approach or method.
10 The authors generally use the term IDHEAS-ECA to represent the combination of the IDHEAS-ECA guidance and software tool that was used in this effort. Occasionally, the discussion addresses either the guidance or software, in which case the phrases IDHEAS-ECA guidance, IHDEAS-ECA software tool or the like is used.
1-3
1.3.1 Information on FLEX Strategies, Equipment, and Associated Operator Actions As typical of HRA/PRA, information was collected and interpreted iteratively throughout this effort. Plant-specific and other proprietary information sharing was facilitated by EPRI due to the Memorandum of Understanding between NRCs RES and EPRI. In particular, EPRI provided a file sharing website where both general and plant-specific project information could be stored and shared.
Examples of information sources that the project team either used or were aware of before this project started include:
[2]
- Various reports on the Great Japan Earthquake (e.g., the Fukushima Daiichi event) [..]
- NRCs task force on Fukushima [ref]
- Recent Significance Determination Process evaluations involving FLEX equipment (examples?)
- Reviews of relevant operation experience [Vogtle loss of offsite power [ref], Turkey Point and Hurricane Andrew is there a publicly available reference?]
- NUREG/CR-7256, Effects of Environmental Conditions on Manual Actions for Flood Protection and Mitigation[ref]
After project initiation, there were many more sources of information that were used to inform the development of FLEX-related scenarios, such as:
- General industry reports and programs that have been used in implementing FLEX (e.g.,
SAT [ref])
- Conference calls with FLEX experts, both weekly and scenario-focused
- Face-to-face discussions with FLEX experts and utility staff during plant site visits
- Plant-specific information such as:
o Conduct of Operations o Procedures such as: Emergency Operating Procedures (EOPs), FLEX Support Guidelines (FSGs) o Final Integrated Plan (FIP) for FLEX mitigation strategies o FLEX Validation Plan o FLEX scenario scripts o FLEX Integrated Review for timing validations (e.g., spreadsheets with multiple, integrated timelines for all personnel actions) o Modified EOPs or contingency plans implemented by specific utilities for use of FLEX equipment in non-FLEX scenarios
- Plant site visits (discussed further in Section 2), including:
o Presentations by utility staff on their FLEX strategies, procedures, training, equipment, etc.
o Walkdowns of the FLEX building, FLEX equipment and FLEX actions o Simulator observations o Interviews of training staff and operators o Inputs from plant staff on their plant-specific PRA for FLEX 1-4
In addition, information typically used in HRA/PRA (e.g., emergency operating procedures (EOPs) - format, clarity, and content; success criteria and scenario timing information; training quality and frequency) was compared to that for FLEX in order to better understand any operator challenges in implementing FLEX strategies. Comparisons were also made between equipment and associated operational supports for FLEX strategies versus that for early efforts regarding Severe Accident Mitigation Guidelines (SAMGs) and Extensive Damage Mitigation Guidelines (EDMGs). Some of these information sources are discussed later in this report in the context of the plant site visits and scenario development efforts.
1.3.2 HRA Analysts Unlike a typical HRA/PRA, multiple HRA analysts were needed for this effort. The project team used two criteria to select HRA analysts for participation in this project: 1) HRA/PRA experience, and 2) a balance of NRC and industry analysts. Furthermore, the project team decided that a total number of six (6) analysts was preferable (especially in managing visit to plant sites, face-to-face interactions during the workshop, etc.).
For the NRC analysts, one senior HRA/PRA analyst who is responsible for Accident Sequence Precursor (ASP) analyses (among other responsibilities) was selected from RES. Two other NRC analysts (Senior Reactor Analysts (SRAs) from Regions I and II) were chosen for their experience with the NRCs Significance Determination Process (SDP).
The EPRI project manager asked industry for volunteers to support this effort. Two experienced HRA/PRA analysts who represented different nuclear utilities participated. In addition, EPRI support the participation of a third experienced HRA/PRA analyst from a consulting firm.
The specific tasks assigned to the HRA analysts were:
- Attend plant visits and/or review plant information relevant to scenarios to be addressed FLEX HRA Workshop
- Assist in collecting information and developing qualitative HRA
- Assist in revising HFE definitions and scenario descriptions (to be used as inputs in HRA quantification)
- Participate in training on IDHEAS-ECA
- Perform preliminary HRA assessments of scenarios and associated human failure events (HFEs) using IDHEAS-ECA
- Assist in collecting variations between NPPs on HRA-relevant factors regarding use of FLEX equipment
- Provide any needed follow-on inputs for final results and feedback on IDHEAS-ECA 1.3.3 FLEX and Operational Experts In a typical HRA/PRA, plant site staff (e.g., engineering, operations) provide the plant-specific information needed to develop and describe scenarios and quantify HFEs. Also, this particular project needed plant-specific information and industry-generic information on FLEX strategies.
This information was supplied by several experts on FLEX strategies and FLEX equipment. In addition, as in any HRA/PRA analysis, operational experts for the relevant scenarios were required. In most cases, the FLEX experts who supported this project also were operational experts (e.g., formerly Senior Reactor Operators (SROs)).
1-5
One staff member from the NRC who participated in most of the FLEX audits supported this effort on the plant site visits and, as needed, in the scenario development effort.
Industry volunteered many FLEX and operational experts to fill various roles in this effort. Plant-specific experts were provided during the plant site visits for presentations, discussions, tours, and walkdowns. Additional utility and owners group experts participated in the following ways:
- Initial presentations on FLEX
- Subject-matter experts representing various utilities, generally:
o during plant site visits o in understanding FLEX implementation, generally o in support of scenario development, generally and for specific scenarios o in understanding use of FLEX equipment in non-FLEX scenarios (including changes to plant-specific operations) o in support of HRA analyst understanding of scenarios - before and during FLEX HRA Workshop FLEX and operational experts who supported this project are identified in the Acknowledgements. However, the plant-specific subject-matter experts are not identified to protect proprietary information.
1.4 Scope and Limitations Three factors influenced the scope and limitations of this research effort:
- 1. Technical requirements for developing credible HRA/PRA scenarios,
- 2. Available resources (e.g., calendar time, personnel, existing technical inputs), and
- 3. Project schedule.
Some key limitations for this project include:
- There were no existing PRAs that were directly relevant to both the scenarios developed and the associated plant-specific features and capabilities.
- There were no existing technical calculations to support realistic definitions of some HRA/PRA success criteria.
- A PRA was not developed to support this effort.
- Existing HRA-relevant information for FLEX strategies (e.g., FLEX validation times) was not developed to support PRAs. As a result, some of this information may be conservative for HRA/PRA purposes.
- HRA analysts participating in this effort had limited time outside the FLEX HRA Workshop to perform HRA quantification with IDHEAS-ECA, mostly because of their normal job demands within the project schedule.
Project scope decisions were made to compensate for the limitations identified above and to take advantage of available resources. Scope decisions that are expected to be relevant to understanding the technical approach used and the project results include:
- To the extent possible, scenarios were based on relevant previous efforts to develop HRA/PRA scenarios for FLEX (e.g., EPRIs November 2018 report [3], NRCs expert elicitation [4]).
- The scenarios developed represent a single unit (even if the plant site has more than one unit).
1-6
- Two (2) nuclear power plant (NPPs) sites - a boiling water reactor (BWR) and a pressurized water reactor (PWR) - were the predominant sources of detailed HRA-relevant FLEX information.
- Information from a small group of PWR Owners Group and BWR Owners Group representatives, and FLEX experts (both NRC and industry) supplemented the plant-specific information from the two plant sites to provide a more generic operational understanding of FLEX strategies and equipment that was used in all scenarios.
- To use IDHEAS-ECA, HRA panelists were asked to assess operator actions in one (1) classic FLEX scenario, and two (2) non-FLEX scenarios.
- The FLEX scenario was modeled as a seismic event, so no environmental hazards were addressed. Also, debris removal was not explicitly addressed.
- As traditionally done in PRA, a 24-hour mission time11 was used for all scenarios.
- HRA panelists were asked to assess only those operator actions associated with FLEX strategies and equipment only, and not that already addressed by traditional HRA/PRA.
- FLEX validation timing information was used for all operator actions in the FLEX scenarios. In cases, the timing of operator actions was based on FLEX validation timing results for a site-wide response (e.g., the timing results represent actions for two units),
especially if the actions were taken by a single operator and all in the same location.
- Only a few variations of the base case scenarios were addressed.
- For the timing of plant behavior and associated parameters in the non-FLEX scenarios, assumptions were made in the absence of relevant thermal-hydraulic calculations.
- For the timing of operator actions in the non-FLEX scenarios, a combination of FLEX validation times and expert judgment12 was used.
- To the extent possible, HRA-relevant aspects of non-FLEX scenarios were based on actual plant modifications to emergency operating procedures (EOPs) and procedures, training, plant configurations, staffing, and other preparations at a specific plant.
Additional scope limitations and assumptions were made for individual scenarios, as described in Section 3.
1.5 Intended Audience The intended audience of this report on FLEX HRA using IDHEAS-ECA is U.S. Nuclear Regulatory Commission (NRC) and members of the nuclear power industry who perform HRA/PRA applications involving FLEX strategies and associated operator actions and equipment.
1.6 Report Structure This report is organized into the following sections and appendices:
- Section 1 (this section) is the introduction to the report, including the background and scope of this research.
- Section 2 describes visits to U.S. nuclear power plant (NPP) sites and information collected during those visits.
11 As for traditional PRA scenarios, the authors recognize that there are plant-to-plant differences in design and capabilities (for both installed and FLEX equipment) that result in different plant states at the end of the 24-hour mission time.
12 In such cases, the expert was either a plant-specific, currently licensed Senior Reactor Operator (SRO) or someone else with similar operational experience.
1-7
- Section 3 describes the HRA/PRA scenarios and how they were developed.
- Section 4 briefly describes training of IDHEAS-ECA.
- Section 6 highlights the HRA quantification results obtained using IDHEAS-ECA.
- Section 7 summarizes HRA/PRA lessons learned from this effort.
- Appendix A provides the summary notes from the plant site visits.
- Appendix D describes the Non-FLEX Scenario for a PWR - Station Blackout with Pre-Staged Portable Diesel Generators.
- Appendix E documents discussions on scenario variations.
1.7 References
- 1. NRC/RES IDHEAS-ECA Guidance (draft report)
- 2. IDHEAS-ECA Software tool
- 3. Electric Power Research Institute, Human Reliability Analysis (HRA) for Diverse and Flexible Mitigation Strategies (FLEX) and Use of Portable Equipment, EPRI 3002013018, November 2018.
- 4. NRCs expert elicitation for FLEX
- 5. U.S. Nuclear Regulatory Commission, A Proposed Risk Management Regulatory Framework, NUREG-2150, April 2012.
- 6. U.S. Nuclear Regulatory Commission, Use of Probabilistic Risk Assessment Methods in Nuclear Regulatory Activities; Final Policy Statement, Federal Register, Vol. 60, No.
158, August 16, 1995, pp. 42622-42629 (60 FR 42622).
- 7. U.S. Nuclear Regulatory Commission and the Electric Power Research Institute, EPRI/NRC-RES Fire Human Reliability Analysis Guidelines - Final Report, NUREG-1921/ EPRI 1023001, July 2012.
- 8. U.S. Nuclear Regulatory Commission and the Electric Power Research Institute, EPRI/NRC-RES Fire Human Reliability Analysis Guidelines - Qualitative Analysis for Main Control Room Abandonment Scenarios, NUREG-1921, Supplement 1/EPRI 3002009215, January 2020.13
- 9. U.S. Nuclear Regulatory Commission and the Electric Power Research Institute, EPRI/NRC-RES Fire Human Reliability Analysis Guidelines - Quanfication Guidance for Main Control Room Abandonment Scenarios, NUREG-1921, Supplement 2/EPRI 3002013023, June 2019.14 13 EPRI published the same report in August 2017.
14 This is EPRIs publication date for this report. A essentially identical version of this report will be published by the USNRC.
1-8
- 10. U.S. Nuclear Regulatory Commission, Technical Basis and Implementation Guidelines for a Technique for Human Event Analysis (ATHEANA), NUREG-1624, Rev. 1, May 2000.
- 11. U.S. Nuclear Regulatory Commission, ATHEANA Users Guide, NUREG-1880, June 2007.
12.
Collect references here initially; eventually all will go in last section of report - References.
- 1. The Great Japan Earthquake reports.
- 2.
- 3.
- 5. NRCs task force on Fukushima
- 6. Vogtle loss of offsite power
- 7. Turkey Point & hurricance Andrew]
- 8. NURE/CR-7256 - Environmental Factors report on operator actions
- 9. NEI 12.06
- 10. Systematic Approach to Training (SAT)
- 11. SPAR models
- 12. RASP handbook 1-9
2 PLANT SITE VISITS One of the early activities in this effort was visiting two NPP sites - one pressurized water reactor (PWR) design and one boiling water reactor (BWR) design. The two trips were made on September 17 - 19, 2019, and October 2-3, 2019.
The plant site visits were instrumental by providing:
- an opportunity to review site-specific FLEX procedures and walkdowns of FLEX strategies, equipment, staging locations, and operator actions - with the support of plant-specific operations staff and input from FLEX experts
- a basis for comparison to operator actions modeled in internal event Level 1 HRA (i.e.,
traditional HRA), and to other strategies, such as post-core damage response using the initially developed Severe Accident Management Guidelines (SAMGs) and security event response using the initially developed Extensive Damage Mitigation Guidelines (EDMGs)
- confirmation, especially from the HRA perspective, of the importance how FLEX strategies have been implemented (e.g., industry-wide standardization of fittings, color-coding of electrical cables, simple-to-use design of FLEX equipment)
- a vehicle for HRA analysts (both NRC and industry) to form a common understanding of FLEX strategies, equipment, and associated operator actions
- an opportunity for HRA analysts to communicate face-to-face with FLEX experts who have a broader knowledge of FLEX strategies, in order to understand:
o the underlying basis or purpose of FLEX strategies and how they are implemented o what similarities exist between U.S. NPPs with respect to implementation of FLEX o what variations exist between U.S. NPPs with respect to implementation of FLEX o how to best model operator actions associated with FLEX equipment in HRA/PRA
- a transparent means of collecting and interpreting HRA-relevant information, independent of the HRA quantification method, on FLEX strategies, associated equipment and operator actions As traditionally done when performing HRA, information collected during the plant site visits (e.g., plant walk-downs, interviews of operators and operator trainers, observations of simulator exercises) served as important input to later tasks in this project. In this project, such later tasks are the development of scenarios and associated HFEs and HRA. The thoroughness of the information collection during these plant site visits (limited by the duration of the visits and other availabilities) was important to establish confidence in the appropriate level of detail for the scenarios developed and the qualitative HRA inputs, both of which were needed to support HRA quantification efforts later, regardless of which HRA quantification method was used. Also, the qualitative HRA - both raw information and its understanding for HRA purposes - that was developed from the plant site visits was intentionally generic in nature (i.e., sufficient and relevant to HRA, regardless of quantification method used).
2-1
2.1 Selection of Plant Sites Industry representatives (e.g., owners group representatives) identified volunteer NPPs for the plant site visits and arranged for the sharing of plant-specific information before, during, and following the site visits. Per the MOU with RES, EPRI facilitated the transfer of plant-specific, proprietary information from participating utilities to the FLEX HRA project team.
Two NPP sites were selected for the visits - one PWR and one BWR. Both are two-unit sites.
Industry representatives selected the specific sites based on factors such as availability of on-site personnel (e.g., the NPP was not in an outage), and timing of the visit such that project milestones could be met.
It should be noted that plant-specific information from two other PWRs was used to develop two, parallel non-FLEX scenarios. Again, the specific NPPs and associated scenario inputs were provided voluntarily by industry participants in the project using the NRC-RES/EPRI MOU as the conduit to share information. However, because information from these two PWRs was limited, the general insights from the two plant site visits was used to fill in any gaps.
2.2 Objectives of Plant Site Visits The objectives of the plant site visits were communicated to the owners group representative, the utility hosts, and the HRA analysts who participated in the visits. In particular, the stated purpose of both visits was to better understand and confirm aspects of:
- 1. operator actions (both decisions and equipment manipulation) taken in response to an external event with extended loss of all AC power that include use of FLEX equipment,
- 2. operator actions taken in response to other initiating events (not external events) that would lead to use of FLEX equipment, and
- 3. contexts in which FLEX equipment may be used to provide redundancy or backup to frontline or safety equipment that is unavailable.
Note that information collected during the plant visits addressed both FLEX and non-FLEX (i.e.,
initiating event is not an external event) scenarios.
While the site visits were too short to collect all information typically needed for HRA, another important objective was to collect what information was readily available and to identify other potential sources of information. Examples of operator action information (for both FLEX and non-FLEX scenarios) that are typically needed for HRA include:
- timing of actions
- procedural support for both decision-making and equipment manipulation
- associated training
- communications and coordination
- tools and equipment
- travel time Another important objective of any HRA/PRA plant site visit is to interview and perform walkdowns with operators and operator trainers. While other plant staff may provide important 2-2
and useful information, it is important for HRA to reflect what operators know and how operators behave. Consequently, the following personnel are requested to support the plant site visits:
- Staff who are familiar with operations and operator training to provide information on operator actions for using FLEX equipment, including:
o Decisions and associated procedure paths to using FLEX equipment for both external events that involve Extended Loss of AC Power (ELAP) and non-external events o Specific tasks required to deploy FLEX equipment
- Staff who are familiar with procedures (e.g., EOPs, FLEX procedures) and how they are trained on and implemented with respect to use of FLEX equipment.
- Staff who are familiar with or have direct roles in decision-making for use of FLEX equipment (e.g., control room supervisors, Technical Support Center (TSC) decision makers).
- Staff who are familiar with the plant layout and equipment locations to assist, as necessary, the NRC/RES-industry team in performing walkdowns of certain operator actions associated with use of FLEX equipment.
- Staff who are familiar with demonstrations of use of FLEX equipment, including any timing information.
- Staff who are familiar with any realistic demonstrations of FLEX equipment (e.g., mini emergency drills (i.e., E-drills) for ELAP).
In all cases, the NPP is assumed to be at full-power at the start of the event and the operators have no prior warning of the event which causes a reactor trip.
2.3 Planning for Plant Site Visits Although accomplished in a short period of time, a significant amount of planning was required to make the plant site visits beneficial to the project. The need for HRA-relevant information was the overriding factor, balanced by the availability of plant site staff to support this need. In addition, both the FLEX experts and plant site staff had information about FLEX strategies and associated equipment that were considered important to share.
Examples of issues that needed to be addressed in planning the site visits are:
- When can plant site visits occur (taking into account availability of plant site staff, the FLEX HRA project schedule)?
- How long will the plant site visit be (e.g., 2 days was considered to be the minimum amount of time needed for HRA analysts to collect needed information)?
- Who is going on the trip (e.g., how many people can the plant site accommodate, what is the availability of HRA analysts)?
- What information can be provided before the trip (e.g., procedures)?
- What HRA information can be collected during the site visit (e.g., what plant staff are available for interviews and walkdowns)?
- Who and how many visitors can participate in plant walkdowns (e.g., too many total participants to be escorted for all walkdowns, security and health physics requirements 2-3
for certain plant locations is time consuming, HRA analysts have priority over other attendees)?
The NRC project team developed a list of candidate questions that the HRA analysts then reviewed and added their input. Also, certain plant-specific information was requested to be supplied prior to the site visit. To the extent possible, HRA analysts were asked to review this information provided prior to the plant site visit. This information also included:
- some preliminary descriptions of operator actions that were developed by industry FLEX experts and the NRC project team
- FLEX scenario script (i.e., a timeline).
Examples of information that were requested before the plant site visits included:
- Site validation plan
- Final integrated plan (FIP)
- Documentation of any mini E-drills or other realistic demonstrations of using FLEX equipment
- Any operational history of using FLEX equipment (including use of FLEX equipment as a source of redundancy) 2.4 HRA Analyst Preparations Prior to Plant Site Visits Several activities were performed to prepare the HRA analysts for the plant site visits.
The HRA analyst kick-off meeting for this project was conducted via Skype on September 12, 2019 (i.e., less than one week before the first plant site visit). Consequently, the kickoff meeting served as a vehicle for plant site visit prep, as well as an introduction to the project, its objectives, milestones, and key dates. The HRA analysts also were given access to EPRIs file sharing website where general FLEX and plant-specific FLEX information could be found.
Key discussion topics related to plant site visit preparation were:
- Preliminary list of FLEX scenario operator actions to be addressed
- Preliminary lists of assumptions for FLEX scenarios and for non-FLEX scenarios
- High-level description of a classic FLEX scenario
- Questions that HRA analysts would like to ask (e.g., how do FLEX strategies work at this plant site?)
The lists and the high-level description of the FLEX scenario noted above represented preliminary results from the scenario development team. The FLEX scenario script was provided by the hosts of both the BWR and PWR plant site visits. HRA analysts were encouraged to provide input to the agendas for the plant site visits and to participate in all interviews and discussion while on-site.
2-4
2.5 Agenda and Attendees for Plant Site Visits As in any plant site visit for HRA, it was important to make best use of the opportunities to talk to and observe plant personnel, and walkdown key operator actions and associated equipment for FLEX strategies. The section summarizes the general agenda for both plant site visits and the attendees for each visit.
2.5.1 Plant Site Visit Agenda The agenda for each site visit was developed by the NRC project team and the plant site visit host.
In general, the agenda for the plant site visits included the following:
- Day 1:
o Overview of site/plant and FLEX capability o Discussion of scenarios (with and without site personnel) o Walkdown of FLEX building (with operator)
- Day 2:
o Observation and/or discussion of FLEX-relevant simulator training (e.g., the BWR site visit included observation of simulator training in response to a seismic event followed by SBO) o Discussion of FLEX training, simulator training, etc.
o Plant walkdown (e.g., FLEX equipment travel paths, laydown areas) o Plant walkdown inside fence (e.g., FLEX equipment connections, load shed locations) o Summary of days activities The timing and order of activities were flexible, being dependent on when plant personnel (e.g.,
operators) and resources (e.g., ability to observe simulator exercises) were available and how long it took to get through security checkpoints.
For the BWR plant site visit, the time for security checkpoints was especially important because two escorts and a large group of visitors (e.g., more than 10) participated in walkdowns both inside and outside the plants protected area. Also, the BWR plant site visit included an additional half-day meeting to discuss FLEX scenario variations.
For the PWR plant site visit, it was not possible to observe simulator training. Instead, a video of a Combustion Engineering (CE) PWR FLEX scenario simulator exercise was viewed and discussed by the NRC project team, HRA analysts, and FLEX and operational experts. Also, the size of the group who participated in the in-plant walkdowns was limited to NRC project team members and HRA analysts, with only a few FLEX experts.
2.5.2 Attendees for BWR Plant Site Visit Plant site visits are valuable sources of HRA information. Consequently, it was important that the attendees of the plant site visits include some of the HRA analysts who would later perform HRA quantification. The attendance of FLEX experts, who provided additional information (both plant-specific and industry-wide), background, and history on FLEX strategies, represented an information source beyond that which is typical for HRA. In addition, since the NRC team was responsible for developing the scenarios and associated HFEs in collaboration with the FLEX 2-5
experts, the plant site visit provided a useful vehicle for the FLEX experts to understand modeling HRA/PRA needs.
Attendees for the BWR plant site visit were:
- Susan Cooper (USNRC - project team, technical lead)
- Carmen Franklin (USNRC - project team, project manager)
- Michelle Kichline (USNRC - project management)
- Mary Presley15 (EPRI - NRC/industry liaison, project manager and observer)
- Phil Amway (Exelon - FLEX expert)
- Randy Bunt (Southern - FLEX expert)
- Greg Krueger (NEI/Exelon - BWR Owners Group)
- Sue Sallade (Exelon - PWR Owners Group)
- Frank Arner (USNRC - HRA analyst)
- Kaydee Gunter (Jensen-Hughes - HRA analyst)
The roles of the plant site personnel who supported the site visit included:
- Operations (e.g., SROs - both active and management, field operator for walkdowns)
- Operator training and training development
- FLEX strategies In addition, utility managers offered support for the project and provided additional information at several points during site visit. In particular, a utility manager made it possible for the attendees to observe a simulator exercise for a FLEX scenario during the site visit.
2.5.3 Attendees for PWR Plant Site Visit As for the BWR plant site visit, the participation of HRA analysts and FLEX experts in the PWR plant site visit was critically important to later project tasks. This plant site visit provided information on some differences between BWR and PWR FLEX strategies, as well as plant-specific details. Also, additional information from and discussion with FLEX experts was beneficial to understanding HRA-relevant aspects of FLEX strategies and to developing scenarios for HRA evaluation.
Attendees for the PWR plant site visit were:
- Susan Cooper (USNRC - project team, technical lead)
- Carmen Franklin (USNRC - project team/project manager)
- Michelle Kichline (USNRC - project management)
- Mary Presley (EPRI - NRC/industry liaison, project manager and observer)
- Phil Amway (Exelon - FLEX expert)
- Randy Bunt (Southern - FLEX expert)
- Bill Webster (Dominion - FLEX expert/PRA)
- Kaydee Gunter (Jensen-Hughes - HRA analyst) 15 Participated only by phone in discussion of variations on the 3rd day.
2-6
The roles of the plant site personnel who supported the site visit included the following:
- Operations (e.g., SROs - both active and management)
- Operator training and training development
- Procedure development
- FLEX strategies In addition, utility managers (e.g., site vice president, licensing) offered support for the project and provided additional information at several points during the site visit.
2.6 Summary of HRA-Related Information Collected During Plant Site Visits Information collected during the plant site visits played an important role in later project tasks such as scenario development, development of qualitative HRA inputs, and final HRA quantification using IDHEAS-ECA. Also, the information and understanding developed from the site visits led to gathering and interpreting other information that was needed for later HRA tasks. Furthermore, the plant visits provided opportunities for the HRA analysts to communicate with the FLEX experts who also participated in the visits.
In both site visits, information relevant to at-power, internal event Level 1 HRA/PRA and post-core damage (i.e., Level 2 HRA/PRA) was collected and discussed, often to provide a comparison to how operator actions in FLEX strategies were supported by training and experience, procedures, cues and indications, human machine interface (HMI), timing validations, and so on. However, such comparisons are given predominantly in the second site visit notes and overall summary for both site visits.
This section discusses the notes16 from each of the two plant sites visited. Then, a summary that combines the notes from the two sites visits, as well additional HRA insights, is provided.
Appendix A provides more detailed notes on both plant site visits.
2.6.1 Summary of HRA/PRA-Relevant Notes for Plant Site Visit to a BWR The first plant site visit for this project was to a BWR NPP. Being the first site visit, this was the first opportunity for the NRC project team and HRA analysts to get in-person information about FLEX strategies, their implementation, and associated equipment. Also, this was the first opportunity to have face-to-face communications with FLEX experts.
Consequently, the first site visit provided probably the largest increase in understanding of FLEX. However, the number of notes taken during this site visit was fewer than that for the later, PWR plant site visit. Later, during the development of the FLEX scenario, additional HRA-relevant insights were captured that are based on this BWR. Therefore, the fewer notes for the BWR plant site visit should not be taken as an indication that less was learned from this site visit.
16 Notes on certain proprietary and plant-specific details of each plant sites FLEX strategies have not been documented in this report.
2-7
The notes taken below were developed by the NRC project team. A draft version of the notes was reviewed by the plant site hosts, FLEX experts, and other plant site visit attendees, including the HRA analysts who attended. When finalized, the plant site visit notes were distributed to be used in later steps of the project. The notes from the BWR site visit are presented below in these categories:
- Plant-specific highlights
- Other aspects of FLEX strategies
- Discussion of variations between NPPs Section A.1 provides more detailed notes for BWR plant site visit.
2.6.2 Summary of HRA/PRA-Relevant Notes for a Plant Site Visit to a PWR The second plant visit for this project was to a Westinghouse PWR NPP. Based on the success of the first plant site visit, the same general agenda and requests for information and personnel support were used for the second site visit.
Being the second site visit, the NRC project team and HRA analysts were prepared to ask more detailed questions of plant site personnel and the FLEX experts in attendance. Consequently, the number of notes taken for this visit is greater than that for the first site visit.
The notes taken below were developed by the NRC project team. A draft version of the notes was reviewed by the plant hosts, FLEX experts, and other site visit attendees, including the HRA analysts who attended. When finalized, the site visit notes were distributed to be used in later steps of the project.
The notes from the PWR site visit are presented below in these categories:
- Plant-specific highlights
- Overview of FLEX strategies (both plant-specific and, generally, industry-wide)
- Highlights of scenario discussions with plant personnel and FLEX experts
- Highlights from plant walkdowns and associated discussions
- Highlights from video of PWR FLEX simulator exercise and associated discussions Section A.2 provides more detailed notes for the PWR site visit.
2.6.3 Summary of Combined HRA/PRA-Relevant Notes The purpose of the combined HRA/PRA-relevant notes is to summarize aspects of FLEX strategies and associated equipment that are important to HRA/PRA. These notes are expected to be important inputs to the development of scenarios (see Section 3) and the HRA quantification using IDHEAS-ECA for both FLEX scenarios and non-FLEX scenarios (see Section 6).
These notes represent insights developed from the BWR and PWR plant sites, supplemented by discussions with FLEX experts on other specific NPP FLEX strategies. However, these insights cannot be considered "complete" on capturing all differences between U.S. NPPs with respect to FLEX strategies and equipment. Also, additional discussions were needed to develop HRA inputs for non-FLEX scenarios. (See Section 3.5 for discussion of non-FLEX scenarios.)
These summary notes capture important aspects regarding the following topics:
2-8
- Procedures for implementing FLEX strategies
- Skill-sets, training, and task analysis for FLEX actions
- Timing validations and timelines for FLEX
- Operator actions in FLEX strategies
- Use of FLEX equipment in non-FLEX scenarios
- Additional differences between NPPs with respect to FLEX strategies and equipment 2.6.3.1 PRA modeling for FLEX Strategies Overall, PRA modeling of FLEX is in its beginning stages. Some PRA modeling has been done for the PWR visited as part of this project. The NRCs Standardized Plant Analysis Risk (SPAR) models are beginning to include some modeling of FLEX. However, there were no existing PRA models that were directly relevant to support this project. As a result, some PRA modeling needs were identified in this project.
For example, both plant visits included discussions of the success criteria used for FLEX strategies, especially the timing validations for operator actions. Preliminarily, there appears to be a mismatch between the success criteria used for FLEX and that typical for PRAs. Namely, the event tree headings and end states for FLEX strategies do not correspond with core damage. For example, failure to deploy the FLEX DG before DC batteries fail does not equate to core damage. Even if the operator action of "blind feeding the SG" (for PWRs) fails immediately, it will take some time before core damage occurs.
Further investigation and discussions are needed to clarify this potential conservatism.
Although this potential conservatism is not within the scope of the FLEX HRA Project, some discussion of this issue will be pursued.
Also, there were no existing PRA models relevant to the two non-FLEX scenarios. In the absence of PRA logic models and associated engineering calculations, certain assumptions had to be made. Sections 3.5.1.2 and 3.5.2.2, respectively, provide the scenario-specific assumptions for each of the two non-FLEX scenarios.
2.6.3.2 HRA Feasibility Assessment for FLEX Strategies The concept of feasibility was formally defined for HRA/PRA in the "Joint EPRI/NRC-RES Fire HRA Guidelines," NUREG-1921 (July 2012) [ref]. This reliability-based definition is based on the deterministic definition provided in NUREG-1852, "Operator Manual Actions" [ref], which also addressed fire events. The definition of HRA feasibility was later expanded for main control room abandonment (MCRA) scenarios in fire events with Supplements 1 (August 2017) [ref]
and 2 (June 2019) [ref] to NUREG-1921.
The important HRA feasibility assessment criteria given in NUREG-1921 and its supplements are:
- HRA feasibility assessment should be made for both individual operator actions and across an entire scenario for all operator actions combined
- at both the individual HFE and scenario level, there must be:
o sufficient time to perform the operator action(s) o sufficient manpower to perform the operator action(s) 2-9
o available and sufficient primary cues o procedures and associated training for the operator action(s) o an accessible location for performing the operator action(s) (including travel paths) o available and accessible tools for performing the operator action(s) o operable components for the associated operator action(s) o a communication plan o a plan for command and control (C&C)
Additional guidance on each of these criteria are given in NUREG-1921 and its supplements.
Based on preliminary reviews of two plant-specific validations of FLEX strategies, it appears that the approach for the development and validation of FLEX strategies generally addresses the above feasibility assessment criteria. Consequently, it is assumed that operator actions addressed in the FLEX HRA project are feasible from the perspective of HRA. However, as in any HRA, the issue of HRA feasibility will be considered as a continuous step throughout the analysis.
Also, while HRA feasibility may have been adequately addressed for FLEX scenarios, the use of FLEX strategies, procedures, and equipment in non-FLEX scenarios may not be satisfied (especially, because the timing constraints for PRA success criteria may be significantly shorter).
2.6.3.3 Procedures for Implementing FLEX Strategies As with other aspects, there are some similarities and some differences between NPPs regarding procedural support for FLEX strategies.
All NPPs have FSGs (or at least one FSG). Most commonly, multiple FSGs are used. Also, all NPPs have a procedural link within their EOPs (usually the EOP that addresses station blackout (SBO)) that addresses the decision to declare ELAP and provides an entry point for the FSGs.
And, all NPPs will be following multiple procedures in parallel once the FSGs are entered (e.g.,
steps in EOPs will continue to be followed with respect to heat removal in parallel with FSGs related to damage assessment, debris removal, FLEX equipment deployment, etc.).
Style guides (that typically address human factors issues that HRA models) are used at NPPs for developing operations procedures (e.g., EOPs). Typically, these same style guides were used to develop FSGs so that there was a continuity in training. The use of procedure writing style guides for the development of FSGs is in stark contrast to the development of other non-EOP procedure sets. For example:
- Fire protection engineers were predominantly responsible for writing fire response procedures (FRPs). In fact, the initial FRPs differed so much in content and format from EOPs that some operators told HRA/PRA analysts that they would not use them. Some NPPs that are transitioning to NFPA-805 have since re-written their FRPs.
- By February 2019, all PWRs updated their Severe Accident Management Guidelines (SAMGs) into a common structure. When SAMGs were first developed, there were differences between NPPs with respect to their content, detail, and formatting. For example, initially, it was not typical for SAMGs to be formatted like EOPs and, with some exceptions, SAMGs for most NPPs did not provide the step-by-step guidance that FSGs contain.
2-10
For FLEX scenarios, differences between NPPs that have been identified so far include:
- differences in the procedural logic used for the decision to declare ELAP
- differences in the timing for the decision to declare ELAP (which is, in turn, related to plant-specific battery life and the availability of other power sources)
- differences in how many FSGs are used (e.g., most NPPs have multiple FSGs but there are NPPs that have only one FSG)
- while almost all NPPs have a severe weather procedure that addresses many hazards, some NPPs may have other hazard-specific procedures (e.g., procedure for a seismic event) which may be entered even before a reactor trip and entry in the EOPs and which may have transfers to FSGs In addition, some BWRs have adopted a BWROG procedure model that includes FLEX equipment directly into EOPs for reasons other than loss of all AC power (e.g., loss of a pump or water source). At present, few if any PWRs have adopted such a strategy. The PWROG is currently working on a similar approach for the PWR EOPs.
2.6.3.4 Skill-Sets, Training, and Task Analysis The operator actions required to respond to FLEX events involve skill-sets of two types: 1) those that are similar to that represented by human failure events already modeled in PRAs, and 2) those that are significantly different than those typically modeled in PRA.
Traditional PRAs represent mostly MCR operator actions; both decisionmaking and manipulation of equipment are represented. There are some actions taken outside the MCR, mostly involving manipulation of equipment at local plant stations. In SBO scenarios, field operators perform an SBO DC load shed. Similarly, FLEX scenarios include MCR operator actions - both decisions (e.g., deciding on transitions to another procedure) and manipulation of equipment. In addition, many NPPs require a FLEX (or deep) DC load shed which involves similar actions but for different DC loads and potentially different locations and associated panels.
Examples of actions that differ from those modeled in traditional PRAs include: 1) the operation of portable equipment such as FLEX pumps and diesel generators (DGs), 2) the removal of debris, and 3) the transport of portable equipment to appropriate laydown areas. Although these actions are discussed later in this section, some key aspects of these actions are important to understand in the context of training and skill-sets:
- Operation of portable equipment - As noted elsewhere in this report, the type of portable equipment selected industry-wide is more robust and simpler to operate than equipment typically operated in NPPs and modeled in PRA. Field operators (or equipment operators17) have the responsibility for operating FLEX portable equipment.
- Debris removal - Across the industry, debris removal is performed using large tractors and/or trucks with appropriate attachments. Again, this equipment is robust and simple to operate (and may be similar to trucks and tractors for personal home or farm use).
Hard cards are provided inside the equipment that explain how to operate this equipment. Consequently, a different, lesser skill-set is needed to operate this equipment and perform debris removal than for operation of permanently-installed or other portable equipment (i.e., field operator qualifications are not needed to perform this action). There are differences between NPPs on whether field operators, security personnel, or other plant staff are responsible for debris removal.
17 NPPs differ in how they label non-licensed operators who operate equipment outside the MCR.
2-11
- Transport of portable equipment - Portable equipment is transported to appropriate laydown areas by the same large tractors and/or trucks that are used for debris removal.
Also, the same personnel are responsible for transport as for debris removal (although, depending on the site, more personnel may be needed for debris removal than for transport). Again, a different, lesser skill-set is needed to perform these tasks as opposed to that needed to operate permanently-installed or other portable equipment.
Industry has developed operator action supports for these actions that are more unique for FLEX strategies. In particular, NEI 12-06 addresses Inherent FLEX Attributes That Enhance Human Reliability in the Event of a Beyond Design Basis Event in Attachment 5 to Appendix E of NEIs report. Attributes that were observed or discussed during the site visits include:
- Use of standardized equipment (i.e., minimal or no specialized equipment)
- Simple, straightforward tasks (i.e., only skill-set needed is that of a journeyman)
- Clear and color-coded labeling
- Procedures written with sufficient detail for user NEI 12-06 also identifies the use of the Systematic Approach to Training (SAT) as another attribute for enhancing human reliability. Consequently, most or all U.S. NPPs have developed training for FLEX actions using SAT, which also make training on FLEX actions consistent with how other operator training has been developed and implemented at US NPPs. SAT activities and the details of how to perform SAT originate in reports published by the Institute of Nuclear Power Operations (INPO) (e.g., ACAD 85-006, Supplement to ACAD 85-006)18 and U.S.
Department of Energy (DOE), primarily in the 1980s and 1990s. More recently, IAEA has published reports on SAT for use by the nuclear power industry worldwide. For example, IAEAs report, Nuclear Power Plant Personnel Training and its Evaluation - A Guidebook provides the following definition of SAT:
SAT is an approach to training that provides a logical progression from the identification of the competencies required to perform a job to the development and implementation of training to achieve these competencies, and the subsequent evaluation of this training. [IAEA TR380 series]
Also, a more recent IAEA report on experience in using SAT states that [SAT] is recognized world-wide as the international best practice for attaining and maintaining the qualification and competence of nuclear power plant personnel. [IAEA tr1057]
Both the more recent IAEA reports and the original INPO reports describe SAT as consisting of five activities or phases:
- 1. Analysis,
- 2. Design,
- 3. Development,
- 4. Implementation, and
- 5. Evaluation.
While all phases are critical to implementing SAT, the analysis phase is of particular importance to HRA. As described in IAEAs report, Analysis phase of systematic approach to training (SAT) for nuclear plant personnel [IAEA-TECDOC-1170], the analysis phase consists of some sort of job analysis. In particular, the Job and Task Analysis (JTA) is the predominant method used in US NPPs, having originated in military applications. According to this IAEA report, 18 These INPO documents provide all of the elements of SAT but describe the approach as the training system development (TSD) approach. INPO reports are proprietary.
2-12
[i]n the early 1980s, INPO conducted industry-wide generic JTAs for operations, maintenance, and technical support positions for PWRs and BWRs. These JTAs were then used by the nuclear power plants to develop plant specific analyses.
Consequently, the application of SAT implies that a task analysis has been performed for FLEX actions as part of developing appropriate training for each task. Also, the training development for FLEX actions is consistent with other NPP personnel training (e.g., that need to implement EOP actions), including that for MCR operators as represented in traditional HRA/PRA. This commonality between operator actions directed by EOPs and that for FLEX strategies implies an associated, common expectation of operator reliability.
In addition to the training efforts described above, the NPP industry developed standards for industry-common training that could be used by each site to support response to external events, including those that may exceed the design basis of plants. The working group that developed these standards is comprised of industry, INPO, NEI, and Owners Group personnel with expertise in training, operations, and other technical areas, as well as knowledge of planned industry changes to be made in response to the Fukushima Daiichi event. Products of this working group include:
- National Academy for Nuclear Training e-Learning (NANTeL)19 Modules
- FLEX Equipment Operating Aids
- Emergency Response Case Studies
- Guidelines for Training and Qualification of emergency response organization (ERO)
Personnel
- Decision-making Training for Emergency Responders
- Decision-Making Under Stress Training for Emergency Responders 2.6.3.5 Important Aspects Related to Timing Validations and Timelines Timing information on operator actions is important to HRA/PRA. For example, inputs for the time available and time required for operator actions are important in the determination of the feasibility 20of operator actions in HRA and are used as direct inputs in certain HRA quantification methods.
In addition, timelines of operator actions can be important to understanding an overall PRA scenario. Also, in certain PRA contexts, such as response to a fire that requires main control room abandonment (MCRA), timelines of multiple operator actions being performed in parallel and in sequence can be an extremely helpful tool for HRA and PRA analysts. NUREG-1921 Supplements 1 and 2 [refs x and y] provide examples of such timelines and describe how they are useful to HRA/PRA.
All NPPs performed validations of the FLEX actions using industry established guidance based on the required implementation time. In particular, NEI 12-06 [ref] provides guidance to reasonably assure required tasks, manual actions and decisions for FLEX strategies are feasible and may be executable within the time constraints identified in the Overall Integrated Plan (OIP)/Final Integrated Plan (FIP) or the sequence of events associated with the Mitigating Strategies Flood Hazard Information (MSFHI). Two processes are described in NEI 12-06:
19 NANTeL is a nationwide system that delivers nuclear power plant training courses to any computer with internet access.
20 It is important to understand that HRA feasibility is defined differently than feasibility in FLEX validations. There is some overlap of concepts but the definition of HRA feasibility is based on criteria, as described in Section 2.6.3.2.
2-13
- 1. validation process, and
- 2. verification process.
As described in NEI 12-06,
- Validation of FLEX strategies consists of validation of the feasibility of individual strategies described in the OIP/FIP using the graded approach as described in this document and in the integrated review of the FLEX strategies. The purpose of the integrated review is to ensure that adequate resources (personnel, equipment, materials) are available to implement the individual strategies to achieve the desired results.
- Verification is performed prior to validation and consists of verifying equipment capability and performance, equipment connections, tooling, plant modifications, and procedures/guidelines that were put into place as part of existing licensing processes such as the design change process, procurement process, or procedure/guideline development process. Therefore, additional verification is within the scope of this validation process.
The graded approach outlined in NEI 12-06 focuses on:
- Phase 2 of event response21
- Actions completed after the start of the event22
- Time sensitive actions (TSAs) (defined as tasks, manual actions or decisions that are identified as having time constraints in the Sequence of Events Timeline in the sites OIP/FIP).
The graded approach is used to identify the level of validation for TSAs as follows:
- Level A: Used for TSAs started within the first 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />
- Level B: Used for TSAs started between 6 and 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after the event
- Level C: Used for other tasks or manual actions in the OIP/FIP that are not TSAs but are labor intensive or require significant coordination The time required for Level A TSAs is determined using simulations, talkthroughs or walkthroughs, or reasonable judgement using multiple teams. Timing validations for Level B TSAs are accomplished through talkthroughs or walkthroughs, or reasonable judgement without requirements for multiple crews. Validation of Level C TSAs is accomplished using reasonable judgment.
Based on the general descriptions of the validation process and plant-specific results documented in a sites OIP/FIP, timing information already developed for validating FLEX strategies may be useful for HRA/PRA for FLEX scenarios. For example, the timelines developed for TSAs provide a useful demonstration that HRA feasibility criteria of sufficient time and manpower have been evaluated as satisfied. The validations for specific operator actions may be sufficient as timing inputs to HRA, depending on how the operator actions are defined 21 Per NEI 12-06, Phase 2 is the period in which the plant transitions from installed plant equipment to on-site FLEX equipment and consumables to maintain or restore key functions. Phase 1 applies the initial time period when installed plant equipment is relied upon, and Phase 3 applies to the time period when additional capability and redundancy is supplied by off-site FLEX equipment until power, water, and coolant injection systems are restored or commissioned.
22 NEI 12-06 defines such actions as reactive actions.
2-14
and what, if any, conservative assumptions23 were used in performing the validation. Also, there may be operator actions that are taken for the entire site (e.g., actions for both Units 1 and 2 taken by a single operator within a single operator action definition) while the HRA/PRA addresses only a single unit on site.
2.6.3.6 Important Aspects Related to HRA/PRA for Operator Actions in FLEX Strategies Both plant site visits included discussions of specific operator actions of interest for FLEX strategies and associated equipment. Highlights from those discussions are captured here.
2.6.3.6.1 Debris Removal Plant site visit walkdowns, interviews, and discussions included the following key aspects with respect to debris removal:24
- Debris removal is only required for FLEX scenarios (i.e., is not needed for non-FLEX scenarios).
- Different NPPs will use different equipment, but in all cases this equipment is robust (e.g., large front loader or bulldozer style tractors and 3/4 ton or larger trucks)
- In contexts where deploying debris removal equipment might be delayed, such equipment is pre-staged (e.g., might pre-stage equipment to assure accessibility is not impacted with advance warning of a hurricane or flooding)
- Different NPPs have chosen different approaches on what plant staff (e.g., FOs versus security personnel) are responsible for debris removal (and often also transport of FLEX equipment).
- In all cases, the timing validations required for FLEX have been performed by NPPs to ensure that adequate personnel are available and knowledgeable to perform the necessary tasks at that time.
- However, commercial grade equipment is used for these tasks because such equipment is easier to operate than might be required for other local operator tasks. Also, hands on training is provided and "hard cards" with operating instructions are provided with the vehicles.
- All NPPs performed demonstrations to validate these actions.
While each NPP has performed an assessment of what debris might need to be removed, the amount of debris and associated time to remove it is considered uncertain in most NPP assessments. General guidance was provided on how to perform this assessment, with the expectation that a detailed debris assessment was not needed. The strategy used by many NPPs is to assign the most conservative estimated time for debris that can be tolerated in the overall timing validation. Consequently, there is variation between NPPs on the estimated times for debris removal that are not really related to the amount of debris expected. For example, some NPPs chose a longer time because they had more time available due to longer battery life and larger water resources.
2.6.3.6.2 Decision to Use FLEX Strategies Plant site visit simulator observations, interviews, and discussions included the following key aspects with respect to deciding to use FLEX strategies:
23 The validation may define a time constraint (typically called time available in HRA) that is not consistent with an HRA/PRA success criteria.
24 See also NEI 12-06, Appendix E, Attachment 5.
2-15
- For FLEX scenarios (i.e., accident scenarios initiated by an external event), almost all NPPs have proceduralized an explicit "declare ELAP" step.
- A few NPPs initiate actions for damage assessments and engaging offsite resources without declaring ELAP (in order to avoid the consequences of declaring a General Emergency too soon)
- The typical timeframe for declaring ELAP is 45 - 60 minutes with outliers as early as 15 minutes and as late as more than an hour.
Differences between NPPs on when this decision must be made are usually driven by plant-specific battery life, time needed to deploy FLEX equipment, when preferred water resources are depleted, and so forth.
There also are differences in the procedural logic for this decision. Many NPPs have procedures with wording such as "if no AC power is restored by 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, declare ELAP and..."
initiate certain FLEX Supporting Guidelines (FSGs). Other procedure wording includes, "If no AC power is expected to be restored by 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, declare ELAP by 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />."
In all cases, time is a key cue for this decision along with reports from the field on efforts to restore AC power on-site (e.g., successful start of an EDG) and from offsite power sources.
Potential differences between NPPs include:
- while most NPPs will make only one attempt to start an EDG from the MCR, the number of attempts to locally start an EDG will depend on the plant-specific design of the EDG (e.g., drain on batteries, limitations on air) and on how many field operators (FOs) or equipment operators (EOs) are available versus other FO responsibilities once FLEX strategies are initiated
- number of power sources beyond typical offsite power and on-site EDGs (e.g., cross-tie to another unit, alignment to dam power source, additional diesel generators (DGs) that are not FLEX DGs)
Because the decision to declare ELAP is embedded in most NPP emergency operating procedures (EOPs), the decision to declare ELAP for a non-FLEX scenario (e.g., a "sunny day Station Blackout (SBO) should be similar for a non-FLEX scenario.
The decision to use other FLEX equipment and associated strategies in non-FLEX scenarios (e.g., "sunny day loss of feedwater " (PWRs)) is different both between BWRs and PWRs (due to Owner's Group developments) and between specific NPPs. This is discussed further under "procedures" and "using FLEX equipment in non-FLEX scenarios."
2.6.3.6.3 DC Load Shed Per site visit interviews and discussions, most NPPs include a DC load shed in order to extend the life of DC batteries.
However, there are differences between NPPs on such load sheds:
- For most NPPs, EOPs already include a DC load shed as part of the NPP's SBO procedure (i.e., SBO load shed).
- Some NPPs may require an additional DC load shed as part of the FLEX strategy; this load shed is called either a "FLEX DC load shed" or "deep load shed."
- The amount equipment "shed" differs from NPP to NPP, depending on DC battery life and other available power sources.
2-16
- The number of electrical panels and locations with electrical panels for a FLEX load shed varies from NPP to NPP.
In most cases, the principal loads remaining after the SBO and FLEX load sheds are necessary instrumentation for operators to monitor important NPP parameters, including that needed to keep the turbine-driven reactor core isolation cooling system (RCIC) pump (for BWRs) or the turbine-driven auxiliary feedwater (AFW) pump (for PWRs) operating and removing decay heat.
Similarities between the two example NPPs include:
- The operator actions required for the FLEX load shed are essentially the same as that already addressed in traditional PRAs for SBO load sheds (i.e., breaker position changes).
- Training is provided for these operator actions.
- All NPPs have provided some type of operator aid for performing load shed. Our plant site visits provided two examples of such aids, i.e.,
o For one NPP, blue labels in electrical panels indicate which breakers are included in the "FLEX load shed."
o For the other NPP, the procedure provides a table that mimics the electrical panel, showing which position each breaker should have following load shed. In addition, bolding is used to highlight which breakers must be re-positioned.
Operators are trained to self-check the final breaker positions by comparing the bolded boxes in the procedure table to the breakers on the panel.
- Procedures include place-keeping aids (e.g., check boxes). Operators are trained to perform a single breaker re-positioning, followed by checking off the appropriate box in the procedure (as opposed to checking all boxes after all breaker manipulations).
- Timing validations for all aspects of deep load shed (e.g., travel time is included) have been performed.
2.6.3.6.4 Transport and Set-Up of FLEX Equipment Plant site visit walkdowns, interviews, and discussions indicated that there are some differences between NPPs with respect to transport and set-up of FLEX equipment.
For the two example NPPs:
- A separate FLEX building housed and sheltered FLEX equipment, vehicles for debris removal and transporting FLEX equipment, and related support equipment. The FLEX building is designed to shelter the equipment for all relevant external hazards.
- "Hard cards" were located on or near all of the equipment, providing instructions on how to use the equipment. These hard cards supplemented training on the equipment. (See also the discussion on debris removal since the same equipment is used for both debris removal and transport of FLEX equipment.)
- FLEX equipment is staged in a FLEX building such that the equipment can be transported in the order in which the FLEX strategy specifies.
- Large tractors or heavy duty trucks are used to transport the FLEX equipment. A tractor would first transport the FLEX DG. One a separate trip, the tractor transports the trailer with the needed cables for the FLEX DG. Similarly, the FLEX pump would be transported prior to the trailer with the hoses needed for the FLEX pumps.
- There are two laydown areas, two connection points, and associated paths (a primary and an alternate) for all FLEX equipment.
2-17
- Distances from the FLEX building to the laydown areas and connection points are not far. Traffic activity will be very limited, but on multi-unit sites, especially after the first 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, traffic could include 2-3 vehicles.25 For the majority of sites, there is significant visibility even with anticipated debris fields for travel areas. Also, most of this traffic is moving at 10 to 20 mph, mostly because of the condition of haul roads. For some vehicles, the tires are leak resistant or have been foam-filled which also limits the speeds at which vehicles can travel. Finally, it is expected practice that traffic be coordinated if multiple vehicles are in operation at the same time.
- Lay down areas are marked for each piece of FLEX equipment, outlined in blue paint.
The laydown areas must be maintained as accessible.
- After the equipment is positioned, FOs/EOs make the final connections needed.
FOs/EOs are trained on making these connections and gaining access to the connection points. The trailers with the cables or hoses have any necessary tools to gain entry to connection points. If necessary, security personnel are available to assist in getting through any security barriers at the entry points.
- FLEX DG cables are color-coded, using an industry standard, to ensure that the proper connections are made.
- FLEX pump hose connections are also standardized.
- Cables and hoses are of the proper length to facilitate deployment.
- Timing validations for all aspects of transport and set-up have been performed.
- For both NPPs visited (and likely for other NPPs), FOs/EOs were responsible to setting up the FLEX equipment.
Some differences between the two NPPs visited and other sites include:
- Not all NPPs have separate FLEX buildings. Some used diverse buildings, and some did not require debris equipment to be in a building. Such differences are based on plant-specific hazards and available resources on site.
- The two NPPs that were visited differed on the personnel used to transport the FLEX equipment. FOs/EOs were used at one NPP, while the other NPP used security personnel to accomplish transport. There are yet other sites that use maintenance personnel for the transport of FLEX equipment. Due to the simplicity of operating the transport vehicles, this difference is not considered to be important for HRA.26
- There may be differences between NPPs on how much additional set up (e.g.,
connection of hoses or cables) is required to ready the FLEX equipment for service.
When performing the HRA in these cases, there will be no contribution from transport (and maybe set up) for this FLEX equipment.
2.6.3.6.5 Operating FLEX Equipment in FLEX Scenarios Once FLEX equipment is transported and set-up, MCR operators must decide on using the equipment, then instructing FOs/EOs to start the equipment. This decision is procedurally directed from the FSGs. If, for example, an NPP's EDG was successfully repaired/restarted before a FLEX DG was put into service, then MCR operators can decide to change the strategy to using the permanently installed EDG. However, for some NPPs, there could be some 25 If resources are available, debris removal may continue while FLEX equipment is being transported.
26 For both plant sites, there was specific training on operating the debris removal equipment for the personnel responsible.
2-18
complications with "backing out" of the FSGs, depending on the electrical lineup following the FLEX load shed.
Finally, FOs/EOs/AOs start the FLEX equipment. In some cases, this is as simple as pushing a button.
2.6.3.7 Important Aspects Related to Using FLEX Equipment in Non-FLEX Scenarios Some NPPs have or are considering the use of FLEX equipment for non-FLEX scenarios (i.e.,
initiator is not an external event). Both the NRC and industry recognize that use of FLEX equipment in non-FLEX scenarios could be an enhancement to NPP safety.
Non-FLEX scenarios are included in the scope of the NRCs FLEX HRA project. Non-FLEX scenarios are discussed in more detail in the next section. However, there are some similarities and differences that can be preliminarily identified. For example:
- If a "sunny day27" loss of all AC power occurred, all NPPs should be able to use existing EOPs to transfer to FSGs relevant to using FLEX DGs in such scenarios.
- For "sunny day" losses of other functions (e.g., loss of feedwater for PWRs), the procedural links between EOPs and FSGs may not exist. Some BWRs have incorporated FLEX equipment directly into their EOPs. For these NPPs, the procedural links already exist, and FLEX equipment can be credited in these non-FLEX scenarios.
- For use of FLEX equipment in place of safety equipment during on-line maintenance of the safety equipment, all NPPs can be treated similarly as long as:
o FLEX equipment is pre-staged o Operators are briefed on the use of FLEX equipment (e.g., before every shift) o Just-in-time training for use of FLEX equipment is provided o Equipment functionality is demonstrated regularly 2.6.3.8 Additional Notes on FLEX Strategies The sub-sections above have identified various similarities and differences between NPPs with respect to implementing FLEX strategies and associated equipment. The notes in this section capture additional similarities and differences that did not fit under the topic headings above.
For example, U.S. NPPs have similar FLEX strategies that involve use of FLEX equipment.
Also, both BWRs and PWRs rely on the use of turbine-driven pumps to provide heat removal until FLEX equipment is running (or offsite power is restored).
Additional differences between NPPs include:
- how many external events must be addressed, and which external event (e.g., seismic event, hurricane or tornado) is considered most likely to result in an extended loss of all AC power (ELAP)
- the timing of when to declare ELAP
- the estimated time for debris removal
- the timing of when FLEX equipment is used
- whether FLEX equipment is pre-staged or must be transported before use 27 In other words, the loss of AC power occurs without an external hazard or event.
2-19
- whether DC load shed (both SBO and FLEX) is needed and, if needed, how many loads are shed These differences are linked to the capabilities and limitation of the NPP's permanently installed equipment (e.g., safety-related systems, batteries). Examples of NPP relevant capabilities are:
- DC battery life
- number of permanently installed emergency diesel generators (EDGs) or other DGs
- number of permanently installed pumps (e.g., auxiliary feedwater pumps for PWRs)
- alternate power sources (e.g., dams)
- whether preferred water sources (e.g., condensate storage tank) are seismically and/or missile protected Consequently, a NPP's FLEX strategy is inherently linked to its capabilities (i.e., the various aspects of a FLEX strategy should not be "mixed and matched"). For example, an NPP with a relatively short DC battery life might have a FLEX strategy that compensates for a shorter available time by:
- declaring ELAP earlier (e.g., 15 minutes after reactor trip)
- storing FLEX connecting cables or hoses at the location where they are needed (instead of in the FLEX building) 2.7 References
- 1. NRC/RES expert elicitation for FLEX
- 3. INPO ACAD 85-006
- 4. INPO ACAD 85-006 supplement.
- 5. IAEA tr1057 2-20
3 HRA/PRA SCENARIO DEVELOPMENT This section describes the process for scenario development and the resulting scenarios and associated HFEs. The majority of this projects effort, both in calendar time and time spent, was devoted to developing credible, sufficiently detailed scenarios for HRA evaluation. The results of this effort, along with that associated with the plant site visits, were important to supporting the HRA quantification performed for FLEX and non-FLEX scenarios using IDHEAS-ECA (see Section 6). In particular, the scenarios were developed and described in enough detail to support HRA quantification, regardless of what HRA quantification method is chosen.
This effort involved development of two different types of scenarios that required somewhat different development approaches:
- 1. A FLEX scenario that is initiated by an external event and requires implementation of FLEX strategies for successful mitigation.
- 2. Non-FLEX scenarios that are not initiated by an external event but that incorporate FLEX equipment in accident response 3.1 General Process for Developing Scenarios Although this project was performed without benefit of a larger PRA study, the general approach to the development of scenarios was similar to that for any HRA/PRA application. However, since the HRA evaluations performed in this project were not part of a larger PRA study, the scenario development efforts needed to include some PRA tasks related to accident sequence development, as well as HRA (therefore, requiring both HRA and PRA expertise). But, since project resources did not allow for the full development of a PRA, or even selected scenarios, this effort relied heavily on existing work, including relevant PRA models (e.g., event trees) that could be used as-is or adapted for the projects purposes. Also, in some cases, assumptions were made in the absence of PRA-relevant information (e.g., success criteria timing information). Despite these limitations, the project still had the overall aim of developing scenario (and associated HFE) information consistent with that needed for traditional HRA/PRA studies and for event analyses using the NRCs SPAR models. Also, the scenario and associated HFE descriptions were intended to be useful and relevant inputs for any HRA quantification method (i.e., not useful only to IDHEAS-ECA).
The need for an expanded approach to scenario and HFE development was not obvious at the start of this effort. Even though initial efforts were on understanding operational experience (e.g., the only SBO in the U.S. - a site-wide, shutdown event at Vogtle [ref NUREG]), the next steps taken were aimed at collecting information to populate typical HRA documentation formats (e.g., SPAR analyses). However, two things made it clear that the focus should be on understanding FLEX operationally (rather than being driven by the formats, scope, and terminology of existing HRA methods and documentation protocols):
- 1. FLEX strategies have been developed with different end states than that for a typical PRA (e.g., FLEX success criteria do not correlate with PRA system or plant functional success criteria so a FLEX failure is not a failure in PRA space), and
- 2. It was important for HRA analysts to not only understand FLEX operationally, but also compare and contrast FLEX actions with those they were more familiar with in at-power, internal events Level 1 PRAs.
Also, this effort involved development of two different types of scenarios that required somewhat different development approaches:
3-1
- 1. A FLEX scenario that is initiated by an external event and requires implementation of FLEX strategies for successful mitigation.
- 2. Non-FLEX scenarios that are not initiated by an external event but that incorporate FLEX equipment in accident response The NRC project team developed the scenarios with assistance from FLEX experts and other industry experts. The HRA analysts also were involved in scenario development, providing feedback on the credibility of the scenarios, completeness of the scenario descriptions, and priorities for the evaluation of associated HFEs. Development of credible scenarios, which was the most time-consuming portion of this project, essentially started when information collection began and ended during the FLEX HRA Workshop (as additional information or adjustments to understanding FLEX inputs were provided by FLEX experts as needed). The scenario and associated HFE descriptions were not considered complete until the HRA analysts agreed that their needs with respect to credibly and level of detail were met.
Additional discussion on how the scenarios were developed is given in the respective sections on the FLEX and non-FLEX scenarios.
3.2 Selection of Scenarios and Associated HFEs The scenarios and associated HFEs were selected with inputs from the NRC and industry.
Those who provided inputs included:
- both the NRC management and project teams
- EPRI project manager and industry liaison28
- members of the scenario development team (i.e., industry FLEX and operational experts)
- HRA analysts (both NRC and industry) who participated in the FLEX HRA Workshop Considerations on the selection of scenario and associated HFEs included:
- project objectives and schedule
- scope and limitations of previous HRA efforts for FLEX scenarios (e.g., EPRI FLEX HRA report [x] and NRCs expert elicitation [y])
- relevance to NRCs and industrys needs with respect to use of FLEX strategies in non-FLEX scenarios Because selections and reasons for selections were different for the FLEX scenario versus non-FLEX scenarios, further discussion on scenario and associated HFE selection is discussed separately below.
3.2.1 Selection of the FLEX Scenario A FLEX scenario was included in the scope of this project primarily to compare with and improve upon previous HRA efforts for FLEX scenarios and to be applicable to both BWRs and PWRs. In addition, the FLEX scenario was defined to be the same or similar to that used in these previous efforts in order to focus resources on developing more HRA-relevant details for use by the HRA analysts. In order to address these concerns, the FLEX scenario selected is for a BWR NPP such as that described in the EPRI FLEX HRA report [x].
28 In most places, the title EPRI project manager is used in this report.
3-2
3.2.2 Selection of the Non-FLEX Scenarios Two non-FLEX scenarios were selected for development. Additional non-FLEX scenarios, or variations on these two scenarios, were proposed. However, this effort addressed only two non-FLEX scenarios due limited resources and the general agreement that the scenarios selected were adequately representative of what both industry and the NRC were interested in with respect to non-FLEX scenarios.
3.3 General Assumptions There are several assumptions that were used for all three scenarios considered in the FLEX HRA project using IDHEAS-ECA. In some cases, these assumptions are related to the project scope and limitations described in Section 1.4.
In addition, this effort used these general assumptions that consistent with NEI 12-06 [ref] and are identified as boundary conditions in Section 1.3.1 of EPRIs FLEX HRA report [Ref]:
- All reactors on-site are initially operating at power.
- Each reactor is successfully shutdown when required (i.e., all rods inserted, no anticipated transient without scram (ATWS)).
- On-site staff are at site administrative minimum shift staffing levels.
- There are no independent, concurrent events (e.g., no active security threat).
- All personnel on-site are available to support site response.
- Spent fuel in dry storage is outside the scope of FLEX.
Note that, since the non-FLEX scenarios do not involve an external event, that the list above is not identical to that given in NEI 12-06 and EPRIs FLEX HRA report since these two documents deal with beyond-design-basis external events (BDBEE).
3.4 FLEX Scenario Development of the FLEX scenario for a BWR involved integrating a variety of inputs and iteration with the HRA analysts to ensure the FLEX scenario description and accompanying material were sufficient to support HRA quantification. Because there was no accompanying PRA effort, this effort borrowed some elements of a higher-level PRA in order to adequately describe the scenarios from an HRA perspective. For example, an event tree given in the EPRI FLEX HRA report [x] was used for the FLEX scenario in this effort.
Plant-specific information for the BWR NPP visited during this project also was critically important. Examples of such plant-specific information are:
- EOPs (e.g., the equivalent of E-0, the station blackout procedure)
- FLEX script (i.e., a type of timeline that shows plant behavior, operator responses, and procedure transitions and steps)
- Final Integrated Plan (FIP)
- FLEX staffing study (as represented by a spreadsheet showing an integrated timeline of all required personnel and their actions)
- Plant site visit notes (see Section 2 and Appendix A) 3-3
3.4.1 Development of the FLEX Scenario This section summarizes the development of the FLEX scenario for a BWR - a base case and two variations on this base case. Appendix B provides a more complete description of the FLEX scenario and its variations.
Several information sources were used to describe this scenario for the purposes of the HRA assessments. Before the FLEX HRA Workshop, all HRA analysts were provided with a write-up that identified high-level HFEs, assumptions, references to other materials that were available on the EPRI file sharing site, a discussion of key PSFs (or PIFs) that might be needed for performing HRA quantification, and an example event tree. The materials referenced and used to develop the write-up are the same as those used to develop the scenario, such as:
- Plant-specific FLEX scenario script
- Plant-specific FIP
- Plant-specific Validation Plan
- Plant-specific integrated timeline
- Combined plant site visit notes Because the NRC project team, FLEX experts, and most of the HRA analysts attended the plant site visits, recollections of these visits (e.g., observations of a seismic event response in the plant-specific simulator) aided in scenario discussions. In addition, FLEX experts attended the FLEX HRA Workshop and were able to clarify any questions during discussions of specific scenarios. Following the workshop, one of the FLEX experts provided some additional materials related to containment venting to support HRA quantification of the associated HFE.
3.4.2 Specific Assumptions for the FLEX Scenario Many of the assumptions adopted in prior FLEX HRA efforts also were considered important to this effort. For example, the traditional PRA scope that limits modeling to the first 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after plant trip was adopted. More general assumptions are given above (see Section 3.3). Also, while the full scenario description starting from reactor trip needs to be understood, the only HFEs considered in this effort are those specifically related to FLEX strategies and equipment (e.g., no operator actions associated with installed plant equipment or Phase 1 per NEI 12-06).
Additional assumptions used specifically for this FLEX scenario are:
- One of two divisional diesel generators is out-of-service for extensive maintenance (i.e.,
10 year rebuild of diesel engine).
- High Pressure Coolant Injection (HPCI) is out-of-service for extensive maintenance and is not available for injection.
- The plant has implemented procedures for FLEX mitigating strategies.
- There are two units on site.
- A large seismic event impacts all units on site.
o Operators know (from field reports and MCR indications) that there is widespread damage from this external event.
- Only one reactor and its associated response are modeled.
- The initiating event (i.e., seismic event) and reactor trip occur at t=0.
3-4
o There is no recovery of offsite power unit after 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.
- FLEX validation exercises and integrated timeline use the same starting point for the start time (or time delay) and the success criteria (or time available).29 This starting point is assumed to be t=0 (or reactor trip and time of the initiating event).
- FLEX validation times for operator actions are used as-is, even if they appear to apply to both units on site. (In some cases, it might be possible to separate Unit 1 and Unit 2 timing information. In other cases, it appears that a single operator will perform actions for both units.)
- The HRA/PRA model addresses accident progression out to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after the initiating event.
- Even if there is some warning prior to the initiating event, there is inadequate time to pre-stage FLEX equipment that requires transportation.
- According to the integrated timelines for the two-unit site, the following plant staff take on roles that are important to HRA:
o Inside the MCR:
Shift Manager (SM)
Control Room Supervisor (CRS)
Shift Technical Advisor (STA) 2 Reactor Operators (ROs) - 1 per unit Senior Reactor Operator (SRO) o Outside the MCR:
6 Equipment Operators (EOs)
Other plant staff (e.g. Instrumentation & Control (I&C) technicians, security personnel) assist the EOs in various tasks (e.g., debris removal, helping to deploy hoses).
o Vendors do the FLEX equipment testing (i.e., push button).
o Field operators observe this testing.
o Only field operators make connections (i.e., not security personnel).
o The SAT (Systematic Approach to Training) was used to determine type and frequency of training for FLEX (including that for deploying FLEX equipment).
- Regarding environmental influences:
o Operator actions in the MCR are not directly affected by environmental conditions.
o Actions related to debris removal are directly affected by environmental conditions following the seismic event.
o For other actions, alternate travel paths (because of debris) and flashlights (because of SBO) may be needed.
29 Definitions for FLEX timing terms are different than that for HRA/PRA. Using the timing parameter definitions in NUREG-1921 (i.e., EPRI/NRC-RES Fire HRA Guidelines), start time in FLEX is the time when a cue or procedure step occurs to start an operator action. In NUREG-1921, this time is called time delay (e.g., the time from t=0 that a cue occurs). Also, FLEX defines the success criteria as the time by which an operator action should be performed to be successful. In HRA/PRA, this definition is associated with the term time available.
3-5
For the base case FLEX scenario, the following was assumed:
- The modeled NPP has a relatively short battery life such that an Extended Loss of AC Power (ELAP) must be recognized at one hour after event initiation.
- There is definitive procedural guidance on the requirement for ELAP at one hour after event initiation.
For two variations on the base case FLEX scenario, the following was assumed:
- Variation #1: The modeled NPP has a longer battery life (e.g., approximately 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />; more than 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> but less than 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />).
Procedural guidance is more ambiguous than for the base case, i.e., IF AC power cannot be restored within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, declare ELAP within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> of losing all AC power
- Variation #2: Same as #1 except that it is less obvious that power that power cannot be restored.
3.4.3 HFEs for the FLEX Scenario Given the limited resources for this project (e.g., project schedule, HRA analyst availability), the various teams providing inputs to this decision agreed to shorten this list to 5-6 operator actions for evaluation by HRA analysts. Considerations for selecting this shorter list of HFEs for the BWR FLEX scenario included experience from prior FLEX HRA efforts, relevance to both PWR and BWR FLEX strategies, what HFEs are currently included in SPAR models, and insights from the plant site visits. The resulting list of HFEs for the base case FLEX scenario is:
- 1. Operators fail to declare ELAP (or perform its equivalent)
- 3. Operators fail to deploy FLEX diesel generator
- 4. Operators fail to fail to initiate containment venting Note that this list does not include any actions related to debris removal and refueling. Also, operator actions related to use of a FLEX pump were omitted from the final list of HFEs to be evaluated. Insights from the two plant site visits were used to justify the exclusion of these operator actions. For example, it was agreed that the operator actions associated with using the FLEX pump were similar to that for the FLEX DG. So, no additional HRA/PRA insights would be gained by including both of these HFEs. Regarding actions associated with debris removal, it was agreed that this task, requiring only the skill set of a journeyman, was not suited for HRA modeling. Also, there is significant uncertainty in what effort (e.g., amount of debris, affected plant areas, time required for removal) would be needed for the task of debris removal. Finally, there was inadequate time and other resources to address refueling actions in this effort.
There was insufficient information and time to address the HFE associated with containment venting during the workshop. However, after FLEX experts provided additional information, some HRA analysts provided an assessment of the containment venting HFE after the workshop.
For the variation on the base case FLEX scenario, the only HFE assessed was operators fail to declare ELAP. The HFE is the only HFE that would be affected by the context of the defined variation.
3-6
3.4.4 Summary Description of the Base Case FLEX Scenario At a high level, the FLEX scenario for a BWR is modeled as a beyond-design-basis (BDB) external event that impacts all units at the site (although only one unit is modeled in this effort).
More specifically, the FLEX scenario modeled was a station blackout (SBO) (as modeled in a traditional PRA), but specifically caused by a seismic event and with FLEX strategies implemented that provide the plant with additional capabilities (e.g., portable diesel generators and pumps).
The assumptions specific to this BWR FLEX scenario (given above) are important to understanding this scenario and how it progresses (especially with respect to equipment out-of-service at the time of reactor trip).
The write-up provided to the HRA analysts summarizes this FLEX scenario in the following way:
- A seismic event occurs that damages the plants switchyard, causing a loss of offsite power.
- Reactor and turbine trips occur; operators enter their Emergency Operating Procedures (EOPs), beginning efforts to stabilize plant conditions.
- By 15 minutes after reactor trip, operators enter the procedure for the loss of offsite power, performing it in parallel with other EOPs. Also, an equipment operator is dispatched to try to determine why the remaining EDG did not start.
- Within the first hour after reactor trip:
o The equipment operator attempts to restart the EDG but determines that major repairs are needed.
o MCR operators start a reactor pressure vessel (RPV) cooldown and try to control RPV water level and pressure.
o MCR operators initiate containment venting.30 o MCR operators dispatch an equipment operator to perform SBO DC load shed.
o MCR operators receive reports that offsite power is not restored, and alternate power sources are unavailable.
- At (or before) 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after reactor trip:
o SBO DC load shed is complete.
o MCR operators make the procedure transfer (that is the equivalent of declaring ELAP), then proceed to guidance for using FLEX equipment, e.g.,
MCR operators dispatch an equipment operator to perform FLEX DC load shed.
FLEX guidance for assessing plant damage and travel paths is entered.
Debris removal is initiated.
Alternate communications are established.
- After 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, plant conditions begin to degrade, e.g.,
o Building heat up occurs due to loss of ventilation.
o The suppression pool heats up.
o Long-term RCIC operation (i.e., use of turbine-driven pump) is needed to maintain adequate core cooling.
- At 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, debris removal is complete.
30 This is the earliest that MCR operators can perform this action. However, the operators have 6-7 hours to do this.
The overall objective is to keep the suppression pool temperature below 2400 F.
3-7
- At 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />, the FLEX DG deployment is started.
- At 5 1/2 hours:
o The FLEX pump deployment is started.
o Critical electrical loads are fed by the FLEX DG.
- At 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, the ERO is staffed and the Shift Manager turns over the Emergency Director (ED) function to the Technical Support Center (TSC).
- At 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, refueling of FLEX equipment is started.
- At 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />, the FLEX pump starts to inject into the RPV.
For each of the HFEs modeled for this scenario, HRA analysts referred to plant-specific procedural guidance, information from plant-specific walkdowns, and timing validation information to perform HRA assessments. The following are examples31 of information used by the HRA analysts to perform their evaluations:
- HFE - Operators fail to declare ELAP32 The plant-specific procedural guidance for this BWR is contained in the EOP for the loss of offsite power. This procedure consists of several sheets of flowcharts. Also, the initial sheet (i.e., Sheet 1) contains transfers to other sheets depending on how many EDGs are available for operation. Both Sheet 5 and Sheet 6 apply to the case of no EDGs available, with Sheet 6 explicitly labeled ELAP. In addition, there is a prominent Note next to this portion of the flowchart in Sheet 1, that defines ELAP as Extended loss of AC power (ELAP) exists when it is expected that no 4 kV bus will be re-powered within one hour. Discussions during the BWR plant site visit confirmed that training supports this determination. With the procedural guidance and training combined, this guidance in Sheet 1 was judged to be explicit with respect to HRA assessments. Sheet 6 (i.e., ELAP) consists of five parallel sections that are to be executed concurrently to address this plant condition (with references made to the relevant FSGs and other procedures needed for implementation). FLEX Strategies is one of the five sections (although FSGs are called out in other sections, as well).
- HFE - Operators fail to perform FLEX DC load shed FLEX DC load shed is identified in Sheet 6 (ELAP) of the BWRs plant-specific loss of offsite power procedure as a priority (red font coupled with a red arrow). A plant-specific FSG provides the procedural guidance for performing FLEX DC load shed. As the procedure shows, almost all of the breaker manipulations are performed in the same room. There are a few breaker manipulations to perform in two other locations.
Generally, fewer breaker manipulations are required for FLEX DC load shed, as compared to SBO DC load shed. It was noted in the BWR plant site visit walkdowns that the breakers that require manipulation for FLEX DC load shed are all marked with a FLEX blue tag for easy identification. For this reason, the FLEX DC load shed was judged to be similar in difficulty to the SBO DC load shed (and may be simpler due to fewer manipulations and the eye-catching, blue FLEX labels).
Further information on HFEs for the FLEX scenario is provided in Appendix B.
31 Other HFEs quantified for this scenario are discussed in Appendix B.
32 Note that, for this BWR, there is no actual declaration of ELAP. Rather, there is an important procedure transition that is tied to the plant-specific definition of ELAP and MCR operators will announce Exiting Sheet 5, entering Sheet 6 (ELAP).
3-8
3.4.5 Summary Description of Two Variations on the FLEX Scenario For the NRCs FLEX HRA workshop using IDHEAS-ECA, two variations on the FLEX scenario were considered, both being related to procedure guidance for the HFE of Operators fail to declare ELAP. Both variations were expected to represent more difficult decision making for MCR operators. (Additional discussion on variations for both the FLEX scenario and the two non-FLEX scenarios is provided in Appendix E.)
Specifically, for the first variation, the procedure is assumed to consist of the following:
IF AC power cannot be restored within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, then declare ELAP Also, there is a note for the procedure step that states: The decision to declare ELAP must be made within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> of loss of all AC power.
For the second variation, all conditions (including procedural guidance) are the same as for the first variation except that it is not as obvious that power cannot be restored.
3.5 Development of Non-FLEX Scenarios Non-FLEX scenarios are scenarios in which FLEX equipment is used as a backup or replacement for permanently installed equipment. Industry FLEX experts volunteered plant-specific non-FLEX implementations of FLEX strategies/equipment. For both non-FLEX scenarios, no scenario-specific HRA/PRA models were provided. Consequently, it was necessary to build PRA event trees and define success criteria for both HRA and PRA. For example, event trees and fault trees from the SPAR models were used to preliminarily describe the accident sequence of one of the non-FLEX scenarios. Also, the development of credible non-FLEX scenarios required making some assumptions (e.g., timing information that would ordinarily be developed in thermal-hydraulic calculations for PRA plant function or system success criteria). The HFEs selected for non-FLEX scenarios were scenario- and plant-specific, depending on the details of how FLEX equipment (and associated procedures) were used in these non-FLEX scenarios.
The basic attributes of the non-FLEX scenarios were based on plant-specific incorporation of FLEX strategies and/or equipment into plant procedures that are beyond that needed for response to a FLEX scenario. Consequently, further descriptions of the scenario development approach are given below for each non-FLEX scenario is separate sections.
3.5.1 Non-FLEX Scenario: Sunny Day Loss of All Feedwater The non-FLEX scenario for a sunny day (i.e., no external event) loss of all feedwater was developed through interactions between the project team and industry FLEX experts. Also, HRA analysts provided inputs on whether the scenario seemed credible and could be credited by HRA/PRA. SPAR models for a PWR loss of all feedwater were used as the basis for creating and understanding this non-FLEX scenario.
In addition, a substantial amount of plant-specific information was provided by industry FLEX experts in order to build this non-FLEX scenario. Some assumptions also were needed to complete the scenario. One such assumption for PRA success criteria was for the time when 3-9
feed-and-bleed (F&B) criteria would be met if a motor-driven AFW pump runs for one hour before failing.
3.5.1.1 Development of the Non-FLEX Scenario: Sunny Day Loss of All Feedwater This section summarizes the development of the non-FLEX scenario for a two-unit, Westinghouse PWR involving a loss of all feedwater without an external event (i.e., a sunny day loss of all feedwater). Other variations33 on this non-FLEX scenario were discussed during scenario development, but only one case for this non-FLEX scenario was considered. It should be noted that this non-FLEX scenario is important for a specific NPP due to its design and associated limitations or vulnerabilities. Appendix B provides a more complete description of this non-FLEX scenario (and Appendix E provides additional discussion on variations for both the FLEX scenario and the two non-FLEX scenarios).
Before the FLEX HRA Workshop, all HRA analysts were provided with a write-up that identified high-level HFEs, assumptions, references to other materials that were available on the EPRI file sharing site, a timeline that illustrated the procedure path for the scenario, a discussion of key PSFs (or PIFs) that might be needed for performing HRA quantification, and an example event tree from the SPAR model of a similar PWR. This writeup for the non-FLEX scenario for the sunny day loss of all feedwater was much more detailed and lengthier than the writeup for the FLEX scenario.
The materials used to develop this scenario and its associated write-up were mostly plant-specific, such as:
- 1. Plant-specific EOPs, including:
- a. 1ES-0.1 for Reactor Trip Response, Unit 1
- b. 1FR-H.1, Response to Loss of Secondary Heat Sink, Unit 1
- 2. Plant-specific FSGs, including:
- 3. An applicable Critical Safety Function Status Tree (CSFST) for Loss of Heat Sink There also were several discussions between the NRC project team and HRA analysts on this scenario, especially focused on credible and creditable operator actions. In addition, FLEX experts attended the FLEX HRA Workshop and were able to clarify any questions during discussions of specific scenarios.
3.5.1.2 Specific Assumptions for the Non-FLEX Scenario - Loss of All Feedwater Like the FLEX scenario, many of the assumptions used in traditional PRA studies (e.g., only the first 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after plant trip are modeled) are relevant to this non-FLEX scenario. In addition, any assumptions about FLEX equipment that were developed for the FLEX scenario were assumed to be applicable for this scenario, unless there were scenario-specific changes that the 33 In particular, use of the FLEX pump to feed the SG after F&B is performed (i.e., restoration of feedwater following successful F&B). However, definition of an associated PRA end state for this scenario was beyond the scope of this effort.
3-10
plant has made. Such assumptions would include training for use of FLEX equipment, FLEX human-machine interface (HMI), procedure support for deploying a FLEX pump, and so on.
Because this non-FLEX scenario is quite unique, there are more important assumptions to identify beyond the general assumptions given in Section 3.3. Also, while the full scenario description starting from reactor trip needs to be understood, only one HFE was considered in this effort.
Additional assumptions used in defining this non-FLEX scenario are:
- There are two units on site.
- Only one reactor and its associated response are modeled.
- The initiating event (i.e., loss of all feedwater) and reactor trip occur at t=0.
- All four condensate pumps have failed.
- 1A AFW pump is unavailable for short-term maintenance.
- AFW pumps for Unit 2 are NOT available for use via crosstie (but the crosstie itself is available for a FLEX pump to feed a SG).
- The plant has implemented procedures for FLEX mitigating strategies.
- The plant has modified its EOPs for loss of heat sink to include use of the FLEX pump (including reference to the applicable FSG for deploying the FLEX pump).
- Initial training on the modified FR-H.1 is performed for both MCR operators and field operators.
- The modified FR-H.1 is integrated into the normal MCR operator training cycle that includes simulator training every two years plus classroom training. The simulator training is not integrated with field operator (FO) training (e.g., operator trainers play the role of FO with respect to communications).
- The modified FR-H.1 is integrated into the normal FO training cycle with classroom training plus FLEX training on use of the FLEX pump.
- The guidance in the modified FR-H.1 provides clear and unambiguous instructions, e.g.,
o There are no instructions in NOTES or CAUTIONS.
o Any instructions embedded in a CAUTION do not have operators skipping procedure steps.
- FLEX validation exercises and integrated the timeline provide adequate assurance of HFE feasibility in the context of FLEX scenarios.
- Some simulator exercises for this non-FLEX scenario (i.e., loss of all feedwater simulator exercises that involve the use of the FLEX pump) have been performed.
- FLEX validation exercises and the integrated timeline use the same starting point for the start time (or time delay) and the success criteria (or time available).34 This starting point is assumed to be t=0 (or reactor trip and time of the initiating event).
- FLEX validation times for the operator action of interest are used as-is, even though this is a non-FLEX scenario
- There is no pre-staging of FLEX equipment.
34 Definitions for FLEX timing terms are different than that for HRA/PRA. Using the timing parameter definitions in NUREG-1921 (i.e., EPRI/NRC-RES Fire HRA Guidelines), start time in FLEX is the time when a cue or procedure step occurs to start an operator action. In NUREG-1921, this time is called time delay (e.g., the time from t=0 that a cue occurs). Also, FLEX defines the success criteria as the time by which an operator action should be performed to be successful. In HRA/PRA, this definition is associated with the term time available.
3-11
Additionally, there were several important assumptions made about timing. Some of these assumptions are consistent with that used in other HRA/PRAs (e.g., the average number of minutes per step that operators take to move through EOPs). Other assumptions relate to the fact that there was no larger PRA study to support timing information about plant conditions that are typically generated by thermal-hydraulic calculations. Examples of these timing assumptions are:
- 1-2 minutes per procedure step is generally assumed, unless the procedure explicitly indicates that operators need to perform tasks quickly (e.g., the caution in FR-H1 about performing F&B steps quickly). In cases when operators are expected to perform steps quickly (e.g., initial steps in E-0, F&B steps), approximately 1 minute or less per step is assumed.
- One (i.e., 1B AFW) AFW pump is assumed to run successfully for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after reactor trip due to loss of feedwater.
- It is assumed that it takes 20 minutes to satisfy that the red path criteria heat sink is met (in the Critical Safety Function Status Tree (CSFST)) after the 1B AFW pump fails to run (i.e., 80 minutes after reactor trip).
- After the 1B AFW pump fails to run, operators will try only once to re-start an AFW pump locally (and spend not more than about 10 minutes from dispatch to reporting back that the re-start did not work).
- The Shift Manager (SM) who decides to use the FLEX pump to feed an SG takes no more than about 15 minutes after reaching Step 3 in FR-H.1 (where a CAUTION states that the AFW crosstie with FLEX pump deployment should be used if feedwater restoration is not timely).
- Training reinforces the need for the SM to make a timely decision so that the FLEX pump can be deployed before F&B criteria are met.
- It is assumed that the decay heat removed while 1B AFW pump runs in the 1st hour after reactor trip is such that feed-and-bleed criteria are not reached until after the time needed to deploy the FLEX pump (including time needed to get to relevant steps in FR-H1.
o Specifically, the criteria for F&B conditions are reached later than 78 minutes after FR-H1 is entered (i.e., more than 158 minutes after reactor trip).
- It is assumed that deploying a FLEX pump for feeding a SG from the RWST takes one hour to perform from the time of dispatch.
Since some of these assumptions are critical to this non-FLEX scenario, they will be re-capped, as needed, in the non-FLEX scenario summary (Section 3.5.1.4) below.
3.5.1.3 HFEs for Non-FLEX Scenario - Loss of All Feedwater There was only one HFE evaluated for this scenario: Operators fail to recognize need for FLEX pump (using the modified FR-H1). This HFE represents the cognitive portion only of a larger HFE that the team originally defined: Operators fail to initiate use of FLEX pump. Although there are some differences between deploying a FLEX pump for a FLEX scenario and this loss of all feedwater scenario, the HRA analysts agreed that the HRA assessment would be similar in both cases. Consequently, the execution portion of the larger HFE was not addressed in this effort.
The success criteria for the larger HFE which represents all operator actions, both cognitive and execution, are completed before F&B criteria are reached. This time to when F&B criteria is 3-12
reached is plant-specific, depending on a variety of factors including how long the AFW pump runs before failing. (The modeling assumptions given above define the timing used in this effort.) Consequently, the HFE for the cognitive portion must be completed such that there is adequate time to deploy the FLEX from the time of FO dispatch.
3.5.1.4 Summary Description of the Non-FLEX Scenario - Loss of All Feedwater At a high level, the non-FLEX scenario for a PWR is modeled as a loss of all feedwater scenario without an external event (i.e., a sunny day loss of all feedwater) that affects only one unit at the plant site. More specifically, this non-FLEX scenario modeled was a loss of heat sink scenario, but with EOPs (specifically, FR-H.1) modified to include the option of using a FLEX pump to feed SGs.
The assumptions specific to this PWR non-FLEX scenario (given above) are important to understanding this scenario and how it progresses (especially with respect to equipment out-of-service at the time of reactor trip).
Appendix C provides a more detailed description of this scenario, including the specific procedure path that operators are expected to take. The following is a high-level summary of this non-FLEX scenario in timeline form:
- T=0 Reactor trip due to a transient, including loss of feedwater with 1B AFW pump start on auto-signal. Operators enter E-0.
- T= 2-5 minutes Operators reach Step 4 in E-0, then transfer to ES-0.1 (Reactor Trip Response). Per training, operators start monitoring the Critical Safety Function Status Tree following transition out of E-0.
- T=5-60 minutes Operators continue implementing ES-0.1. The SM arrives about 5 minutes after reactor trip and the STA arrives 10 minutes after reactor trip.
- T=60 minutes 1B AFW pump stops (e.g., fails to run).
- T= 80 minutes Operators enter FR-H1 via red path on loss of heat sink in Critical Safety Function Status Tree.
- T= 81-82 minutes Operators reach Step 2 in FR-H1. F&B criteria are NOT met, so operators go to the Response Not Obtained (RNO) column. In the RNO column, operators are directed to monitor for F&B conditions and go to Step 3.
- T= 82 minutes Operators go to Step 3. A caution between Step 3 directs operators to proceed to Step 5 to establish FW via AFW crosstie (and FLEX pump) if restoration of feed flow to any SG is not expected to be timely. The SM is responsible for deciding when/if the AFW crosstie and FLEX pump will be used. He/she begins assessing efforts to restore 1B AFW pump, as well as SG levels.
3-13
At FR-H.1 Step 3, sub-step i, the operators will be in the RNO column with adequate feed flow NOT verified. The RNO directs operators to Step 4 - Stop all RCPs (in order to reduce RCS heat input).
- T=83-98 minutes Operators continue to work through FR-H.1, reaching Step 5. The SM completes his assessment of feed flow restoration efforts and decides that the AF crosstie and FLEX pump should be used.
Operators go to Step 5, complete Steps 5a-5c, including dispatching field operator to implement FSG-3 to deploy the FLEX pump to feed an SG.
- T=98 minutes Operators reach Step 5, complete steps 5a-5c, including dispatching a field operator to implement FSG-3 to deploy the FLEX pump
- T=158 minutes FSG-3 and FSG-5 are implemented and FLEX pump is in operation, supplying feed flow to a SG (1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after operator dispatch in caution before Step 3 in FR-H1).
3.5.2 Non-FLEX Scenario: Sunny Day Station Blackout with One EDG Out-of-Service for Maintenance The non-FLEX scenario for a sunny day (i.e., no external event) station blackout (SBO) was developed similarly to that for the other non-FLEX scenario (e.g., through interactions between the project team and industry FLEX experts, with inputs from the HRA analysts on the credibility of the scenario).
Although a good amount of plant-specific information was used to develop this non-FLEX-scenario, some effort was made to make this scenario less plant-specific (and more generally applicable to other NPPs). For example, certain procedural guidance was assumed to be available for operator response to the SBO that the actual NPP does not have.
3.5.2.1 Development of Non-FLEX Scenario: Sunny Day Station Blackout with One EDG Out-of-Service for Maintenance This section summarizes the development of the non-FLEX scenario for a two-unit, Combustion Engineering (CE) PWR involving a loss of all AC power or Station Blackout (SBO) without an external event (i.e., a sunny day SBO). Only one case for this non-FLEX scenario was considered. It should be noted that this non-FLEX scenario is important for a specific NPP due to a specific plant configuration as well as its design and associated capabilities. Appendix D provides a more complete description of this non-FLEX scenario.
Before the FLEX HRA Workshop, all HRA analysts were provided with a write-up that identified high-level HFEs, assumptions, references to other materials that were available on the EPRI file sharing site, a timeline that illustrated the procedure path for the scenario, and a discussion of key PSFs (or PIFs) that might be needed for performing HRA quantification. This writeup for the non-FLEX scenario for the sunny day SBO contained some very detailed and specific assumptions, some of which were plant-specific and some that the HRA analysts thought were necessary to have a viable scenario to credit with HRA/PRA.
3-14
The materials referenced and used to develop the write-up are the same as those used to develop the scenario, such as:
- 1. Plant-specific EOPs, including:
o Standard Post-Trip Actions (i.e., E-0) o Station Blackout procedure
- 2. Other procedures, including plant-specific FSGs:
o Operations Maintenance Activities - Appendices C and D o Conduct of Operations o A contingency plan specific to using FLEX DGs in the specific plant configuration used for this scenario o FSGs related to operation of FLEX DGs
- 3. Communications with industry FLEX experts and Owners Group representatives with respect to the use of a contingency plan.
There also were several discussions between the NRC project team and HRA analysts on this scenario, especially focused on credible and creditable operator actions. A conference call with the NRC team, HRA analysts, and industry FLEX experts was crucial to getting agreement on how HRA could credit a contingency plan. FLEX experts attended the FLEX HRA Workshop and were able to clarify any questions during discussions of specific scenarios.
3.5.2.2 Specific Assumptions for the Non-FLEX Scenario - SBO with One EDG Out for Maintenance Like the FLEX scenario, many of the assumptions used in traditional PRA studies (e.g., only the first 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after plant trip are modeled) are relevant to this non-FLEX scenario. In addition, any assumptions about FLEX equipment that were developed for the FLEX scenario were assumed to be applicable for this scenario, unless there were scenario-specific changes that the plant had made. Such assumptions would include general training for use of FLEX equipment, FLEX human-machine interface (HMI), procedure support for deploying a FLEX pump, etc.
Because this non-FLEX scenario is quite unique, there are more important assumptions to identify beyond the general assumptions given in Section 3.3. Also, while the full scenario description starting from reactor trip needs to be understood, only one HFE was considered in this effort.
Additional assumptions used in defining this non-FLEX scenario are:
- There are two units on site.
- Only Unit 1 and its associated response are modeled.
- This NPP has a very long battery life.
- The initiating event (i.e., loss of all AC power) and reactor trip occur at t=0.
- 1B EDG is out-of-service for long-term repairs.
- The remaining EDG A fails to start.
- There is initial success of the turbine-driven auxiliary feedwater (AFW) pump.
- The pressurizer power-operated relief valve(s) (PORV(s)) successfully reclose given a demand.
- The reactor coolant pump (RCP) seals remain intact.
3-15
- Three portable diesel generators (4.16 kV - FLEX Plus)35 are deployed to their FLEX pad to ensure the ability to bring Unit 1 to cold shutdown in the event of a LOOP during the extended period that the Unit 1 train B EDG is inoperable.
o The three portable diesel generators are deployed and physically connected to the Unit 1 train B 4.16 kV AC FLEX connection box for the duration of the extended EDG B outage time.36 o A test run is performed to demonstrate parallel operation of the three portable DGs after equipment is staged.
o Routine inspections (start of shift and normal operator rounds during shift) of the portable DGs are performed by operations personnel to ensure normal standby conditions are maintained.
- Because the pre-staged FLEX DGs have a different configuration than that for response to an external event, the timing validations and associated staffing plan that the utility developed have limited applicability to this scenario.
- The FLEX DGs are connected when they are pre-staged with the exception of closing breakers to connect to the bus. Additional time is needed to sync the DGs.
- The total time elapsed from reactor trip until when connections between the FLEX DGs and 4160 V bus are completed and the FLEX DGs started and synched is less than 1 hour37 (when ELAP would need to be declared).
- The SM arrives in the MCR at 5 minutes after reactor trip. The STA arrives in the MCR 10 minutes after reactor trip, as required.
- A contingency plan was developed to put the pre-staged portable DGs into operation in the case of a potential loss of offsite power, coupled with failure of the Unit 1 EDG A.38
- Training, briefings, and walk downs are provided to the operators responsible for operating the portable DGs as part of the preparation for use of the generators.
o Operations crews are briefed on the implementing procedure.
o Designated operators will be familiar with instructions for starting and operating the portable DGs.
o Operations staff have received classroom training for FLEX strategies, which included the use of the portable DGs.
o Also, instructions for operating the FLEX DGs are given on a hard card that is stored with the FLEX DGs.
Key details of the plants contingency plan for the using the pre-staged FLEX DGs are:
- The contingency plan is written like a procedure with specified entry conditions (including cues) and instructions. For example, the contingency plan is written such that:
o The criteria for implementation include an AND statement (i.e., there are multiple criteria that must be satisfied before the plan should be implemented).
o There are no NOT statements.
o Direction for implementation is typical of that in EOPs (i.e., IF criteria for implementation are satisfied, THEN implement the plan); there are no judgments 35 These specific FLEX DGs are not those typically available for FLEX. Rather, these portable DGs are like the SAFER DGs that would be brought on-site in Phase 3 of FLEX (per NEI 12-06). Consequently, the plants ability to respond to an external event that requires FLEX strategies is not affected by deployment of the FLEX Plus DGs.
36 This configuration, as well as the associated equipment, is different than that used in response to a FLEX scenario.
37 Information is provided by plant-specific AOs.
38 Contingency plans (or standing orders) are typically used for plant configurations that are not normal.
3-16
needed for implementation (e.g., there are no statements such as Consider implementing).
- The contingency plan is stored in the MCR.
- There is an extra39 reactor operator (RO) in the MCR that is designated40 to implement the contingency plan which includes dispatch of an Auxiliary Operator (AO) to start the FLEX DGs.
- The additional RO designated to implementing the contingency plan is located in the MCR at all times, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> a day.
- There is no automatic actuation of any of the installed FLEX equipment. All FLEX DGs would be manually started and operated, if required, by a designated AO.
- Specific cues for this contingency plan that the designated RO will be monitoring are:
o Reactor trip o Indications of loss of offsite power (e.g., trouble alarm for 4.16 kV switchgear) o Out-of-service tag41 for U1 DG B o Indications that U1 DG A fails to start
- All MCR operators are briefed at every shift turnover on the contingency plan and associated plant configuration with the pre-staged FLEX DGs.
- Upon reactor trip, the MCR operators will perform immediate actions, as trained.
- In general, operators are trained on the strategies and hierarchy of procedures for LOOP that specify use of alternate power sources, including the portable DGs.
- In parallel with the performance of immediate actions, the designated RO will implement the contingency plan (if needed).
- The designated RO will dispatch the designated AO to perform the actions described in the contingency plan,42 which include several breaker manipulations and electrical connections, in addition to start of the FLEX DGs.
- The designated AO is available 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> per day, although he/she may be assigned other duties when not needed to operate the FLEX DGs. Also, a designated AO is available 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> per day on all shifts to perform necessary refueling operations.
- Starting from when dispatched, the time needed for the AO to perform tasks associated with putting the pre-staged FLEX DGs into service is assumed to be 30 minutes, including required travel time to performance locations after dispatch.
Since some of these assumptions are critical to this non-FLEX scenario, they will be re-capped, as needed, in the non-FLEX summary (Section 3.5.2.4) below.
3.5.2.3 HFEs for Non-FLEX Scenario -SBO with One EDG Out for Maintenance Although other HFEs were identified and briefly discussed, there was only one HFE evaluated for this scenario: Operators fail to connect and operate pre-staged portable FLEX Plus DGs.43 39 Extra means that there are more operators in the MCR than is required for minimum staffing.
40 The U.S. NPP industry generally refers to operators with such duties as designated. The distinction between designated and dedicated depends on how much time is available to take the action.
41 For this plant, a paper tag is used. Some plants may use magnets.
42 For this hybrid scenario, the specific steps that the AO must take are in Palo Verdes procedure Operation Maintenance Activities, specifically in the section on the FLEX DGs. This procedure is on EPRIs file share site.
43 We decided to eliminate adding loads to our discussions because we had inadequate information on the procedure guidance for this and how this would be implemented (including what steps would be taken by the AO and what the MCR operators would need to do).
3-17
This HFE consists of both cognition and execution aspects. The cognition portion of the HFE represents the responsibilities of the extra RO in the MCR. The execution portion represents the responsibilities of the designated AO.
The success criteria for this HFE for operators to put the FLEX Plus DGs into successful operation before ELAP would need to be declared.
3.5.2.4 Summary Description of Non-FLEX Scenario
Description:
SBO with One EDG out for maintenance Based on modeling assumptions typically used in HRA/PRA, the most likely core damage case for this non-FLEX scenario is a grid-related loss of offsite power (LOOP) initiating event and subsequent station blackout (SBO) due to the failure of all the EDGs.
The assumptions specific to this CE PWR non-FLEX scenario (given above) are important to understanding this scenario and how it progresses (especially with respect to equipment out-of-service and pre-staged at the time of reactor trip).
Appendix D provides a more detailed description of this scenario, including the specific procedure path that operators are expected to take. The following is a high-level summary of this non-FLEX scenario in timeline form:
- T=0 Reactor trip due to a sunny day LOOP (no ATWS); operators enter Standard Post Trip Actions (SPTA) procedure (i.e., E-0)
- T=0-5 minutes Operators reach Step 3 in E-0 and recognize that there are no EDGs running. The SM arrives in the MCR.
- T=5-8 minutes In parallel with MCR operators implementing steps in the SPTA, an AO will be dispatched to try to start 1A EDG locally.
Also, in parallel, the designated RO for the contingency plan follows the progress of the other MCR operators to Step 3 and notes that the 4.16 kV Switchgear Annunciator in combination with other entry conditions for the contingency plan. The designated RO begins implementing the contingency plan, including dispatch of the designated AO to perform necessary actions to put the FLEX DGs into service.
- T=10-14 minutes Operators reach Step 10 in E-0, then use the Diagnostic Actions flow chart. The second diamond in the flow asks if there is AC and DC power to at least one train. Since there is no AC power, operators follow the no path. The next question is whether at least one vital DC power train have power. Because the batteries have not depleted yet, there is DC power. The flow chart recommends that operators consider using the Blackout procedure then moves on to checking other critical parameters.
- T=15 minutes Operators enter Blackout procedure and perform its steps in parallel with EOP steps.
3-18
- T=38-40 minutes Designated AO completes actions to put FLEX DGs into operation; 4.16 kV bus is re-energized.
- T=40 min Operators exit Blackout procedure per Exit Conditions,44 Step 3a (At least one vital 4.16 kV bus is energized.).
- T= 40+ min Operators continue in EOPs to safety shutdown the reactor.
3.6 References 44 Exit Conditions would be applied as a continuous step.
3-19
4 IDHEAS-ECA TRAINING Prior to the FLEX HRA Workshop, training on the draft IDHEAS-ECA guidance [1] and software tool [2] was provided. All training materials can be found in the NRCs Agencywide Documents Access and Management System (ADAMS) library on the public side ADAMS (see Reference 3).
4.1 Training Format and Logistics IDHEAS-ECA training was provided after the plant site visits and approximately one month before the FLEX HRA Workshop during which IDHEAS-ECA was to be used. The training was scheduled to meet project deadlines so that information on IDHEAS-ECA was available in time for HRA quantification activities. The principal targets for this training were the NRC and industry HRA analysts. However, other project team members, including the FLEX experts, were invited to take the training.
Each HRA analyst was provided with an electronic copy of the draft IDHEAS-ECA Guidance report [1] and software [2] on October 30, 2019. Prior to the training sessions, the HRA analysts were asked to:
- review the draft IDHEAS-ECA guidance report
- download the IDHEAS-ECA software tool
- review a Loss of Component Cooling Water scenario and the crew-by-crew simulator performance for this scenario from the US HRA Empirical Study (NUREG-2156) [4]
The NRC hosted a virtual training via Skype on IDHEAS-ECA on November 6 and 14, 2019.
For scheduling purposes, the training was offered on two days to allow the analysts flexibility to attend either session. Each session was four hours and was facilitated by IDHEAS-ECA guidance author, Jing Xing and the IDHEAS-ECA software tool developer, James Chang. A follow-up Skype Meeting was offered on November 19, 2019 for any follow-up questions.
4.2 Training Content The IDHEAS-ECA training materials were prepared in four parts. The first half of the training course (Parts I and II) provided an introduction of the IDHEAS-ECA HRA method, step-by-step guidance and walk-through of the IDHEAS-ECA process. The second half of the training was conducted using IDHEAS-ECA itself to demonstrate certain features of the associated software tool.
More specifically, the high-level agenda for Parts I and II of the training included:
- The high level of detail needed to analyze and organize the three scenarios
- Illustrations of how the method aligns with software using the IDHEAS-ECA Worksheets for the qualitative analysis and the HEP quantification completed using the software tool
- Demonstrations of how IDHEAS-ECA models human failure through context of the HFEs, critical tasks and the 5 macro-cognitive functions (CFMs) and performance influencing factors (PIFs).
o As implemented in the software, the training displayed the PIFs affecting each CFM and addressed how to assess each PIF
- A breakdown of the 6-step IDHEAS-ECA process and a descriptions for each step (This process supports the information used to draft the qualitative worksheets.)
4-1
To supplement Parts I and II, Part III was a walk-through of the IDHEAS-ECA process with a Loss of Component Cooling Water and Reactor Coolant Pump Sealwater example scenario.
This scenario was used in the US HRA Empirical Study [4]. It was designed to have multiple concurrent component and control failures to increase the operators workload and to distract the operators attention to prevent a reactor coolant pump seal failure. This information from the US HRA Empirical Study [4] was used to explain the features and functionality of the IDHEAS-ECA guidance (especially its worksheets that are used to guide and document the HRA) and the associated software tool.
Part IV consisted of training materials discussing the functions and features of the software tool.
Training slides included screenshots of the following:
- Software tool design functions
- Visual interfaces for each response and display field (Fields requiring a user action versus those used for information display only were distinguished.)
- How to properly execute and identify actions within the software tool.
4.3 References
- 1. Draft IDHEAS-ECA guidance report
- 2. IDHEAS-ECA software tool
- 3. Training slides, ADAMS, [ref., ML20150A422]
- 4. US HRA Empirical Study, NUREG-2156 4-2
5 FLEX HRA WORKSHOP USING IDHEAS-ECA On December 3 - 5, 2019, the NRC hosted the FLEX HRA Workshop. The workshop was attended by the HRA panelists,45 FLEX experts, and the EPRI project manager. NRC project staff served various roles including host, facilitator, IHDEAS-ECA author, and project management.
5.1 Purpose of Workshop The purpose of the workshop was to support the HRA analysts in performing HRA quantification of scenarios involving FLEX strategies and equipment, using IDHEAS-ECA [1] and its associated software tool [2]. In addition, this was a face-to-face opportunity to clarify or modify any scenario and associated HFE descriptions. FLEX experts were in attendance to answer any questions regarding the scenarios and to provide realistic information for any needed modifications.
The workshop and follow-on conference calls on the HRA quantifications performed were intended to be the basis for HRA analysts using IDHEAS-ECA guidance [1] and the associated software tool [2].
5.2 Pre-Workshop Activities Prior to the workshop, HRA analysts participated in weekly teleconferences to review and develop scenario and associated HFE descriptions. A set of combined plant visit notes (with HRA insights), scenario descriptions, and related materials were provided. In addition, a common HRA qualitative analysis was developed for each scenario and provided to HRA analysts. This qualitative analysis was based on information collected throughout the project.
Ultimately, the HRA qualitative analysis was the basis for inputs to HRA quantification.
Examples of such qualitative HRA results are:
- Key features of FLEX equipment and strategies (e.g., as documented in plant site visit notes)
- Descriptions of scenarios, including timelines, event trees, scenario scripts, procedure paths, key assumptions (especially in the absence of a larger PRA study)
- Descriptions of HFEs, associated procedural guidance, cues, timing, and other performance shaping factors Although the NRC staff collected, interpreted, and documented this information, FLEX experts reviewed it for accuracy and completeness. Then, prior to the workshop, HRA panelists reviewed and discussed this information for its suitability for HRA quantification, regardless of the HRA quantification method or approach. The HRA panelists reached a consensus that this information was adequate for using IDHEAS-ECA.
5.3 Workshop Logistics The workshop was held in the training facility at NRCs headquarters office. The room was arranged so that HRA analysts could see all of the other analysts, as well as NRC project staff 45 Two HRA analysts participated by phone.
5-1
and FLEX experts. A projector and screen were used throughout the workshop to display relevant information for workshop discussions (e.g., plant-specific procedures).
The NRC technical lead served as the facilitator for the workshop. Although the workshop was not an expert elicitation like some prior efforts for FLEX HRA (see Volume 1 of this report), the same principles and concerns (e.g., controlling bias) were considered and addressed in the workshop.
All materials needed to describe the scenarios were available. For example, electronic files on EPRIs file sharing site were available via an NRC laptop and associated NRC-internal internet access. Electronic files could be projected on a large screen.
Any additional notes, questions, or assumptions that were identified were captured in notes (e.g., flipchart notes). A whiteboard and other typical conference room or classroom amenities also were used, as needed.
5.4 Summary of Workshop A few of the HRA analysts did some of the HRA quantification work prior to the workshop.
Other analysts did their first HRA quantification work during the workshop. In almost all cases, analysts used the workshop as an opportunity to refine their understanding of the scenarios and associated HFEs.
Over the 2 1/2 day workshop, each of the three scenarios and associated HFEs were discussed.
In general, the format for scenario discussion included:
- Review of the scenario and associated HFEs (Section 3 provides summary descriptions while Appendices B, C, and D provide full descriptions.)
- More lengthy discussions, as needed, to adequately describe the scenario, its variations, and associated HFEs
- If needed, supporting materials, such as plant-specific procedures, were consulted
- When needed, FLEX experts provided additional information on FLEX equipment, operations and procedures, and overall strategies
- HRA analyst independently selected items within the software tool (either from prior work or in real-time at the workshop), such as:
o Identification of critical tasks o Selection of CFMs o Selection of PIFs o HEPs
- HRA analyst evaluations using IDHEAS-ECA [1] were discussed, including reasons why certain choices were made.
- If needed, HRA analysts could make alterations to their analyses if new information, a different interpretation of information, or different guidance on how to use IDHEAS-ECA
[1] or its software tool [2] was provided.
- When needed, attending FLEX experts provided additional information on FLEX equipment, operations and procedures, and overall strategies.
The workshop provided an opportunity for the analysts to have in-depth explanations supporting the logic of their evaluations, and to explain how specific critical tasks were evaluated and why certain PIFs and attributes were selected for each scenario. Within these discussions, it provided clarity and an opportunity for analyst to bridge any gaps or misunderstandings of the 5-2
base scenarios and compare how each scenario was evaluated among the panelist and compare results. Also, the workshop included discussions of possible scenario variations that could result in the development of different HEP values with IDHEAS-ECA [1] and its software tool [2]. Subject matter experts participated in the workshop to provide the necessary information needed for analyst to complete their analyses.
At the beginning of the workshop, the facilitator attempted to lead the HRA analysts through how to fill out Worksheet A (and, to some extent, Worksheet B) in the IDHEAS-ECA guidance
[1] which is similar to, but not the same as, the general HRA qualitative analysis provided in the scenario descriptions. After spending some time on Worksheets A and B, the rest of the workshop was devoted to the equivalent of Worksheets C and D in the IDHEAS-ECA guidance
[1] (which parallels the input fields in the associated software tool [2]).
The author and developer of the IDHEAS-ECA guidance [1] and software tool [2] were also readily available during the workshop to assist analysts with questions. Although some analysts were inclined to change their IDHEAS-ECA input selections based on the group discussion, it was encouraged to capture the original selections and justify why the original selections were made and if they believed the HEP calculated were valid.
Some HRA analyst feedback on IDHEAS-ECA [1] was provided during workshop discussions.
A survey on IDHEAS-ECA [1] and its software tool [2] was provided at the end of the workshop.
5.5 Workshop Results The principal results of the workshop were:
- HRA quantification results using IDHEAS-ECA [1, 2] (See Section 6 for a summary of these results.)
- Survey responses and informal feedback during discussions High-level HRA results were captured by the workshop facilitator on a flipchart. These notes documented key scenario assumptions (especially new assumptions that were not developed prior to the workshop) and preliminary HRA results that were used by analysts to develop final documentation of their HRA quantification. In addition, detailed collaborative and individual results were noted throughout the workshop by the NRC technical support staff and EPRI project manager.
Some analysts were not able to complete the survey before the end of the workshop. These responses were supplied after the workshop. Resolution of comments from the surveys and informal discussions will be documented and published separately.46 5.6 References
- 1. Draft IDHEAS-ECA guidance report
- 2. IDHEAS-ECA software tool 46 At the time of this reports publication, documentation of comment resolution (and associated refinements to IDHEAS-ECA guidance and associated software tool) was still in progress. This documentation will be publicly available in ADAMS.
5-3
6 FLEX HRA RESULTS USING IDHEAS-ECA This section provides the HRA analysts results for the three scenarios evaluated using IDHEAS-ECA. The development of the results includes, Worksheets A-E referenced in IDHEAS-ECA guidance report [1], IDHEAS-ECA software tool [2] output reports, and notes from the workshop discussion which elaborates on the information captured in Section 3.
6.1 High-Level Description of IDHEAS-ECA Guidance and Software Tool The IDHEAS-ECA software tool [2] which produces HRA quantification results is based on the IDHEAS-ECA guidance report [1]. Consequently, a short description of IDHEAS-ECA [1] is given here, focusing on the terminology that is needed to develop HEPs with IDHEAS-ECA.
The IDHEAS-ECA HRA method [1] represents human actions in a PRA (i.e., human failure events (HFE)) using five macro cognitive functions: detection, understanding, decisionmaking, action and inter team coordination. In IDHEAS-ECA, the failure of a macro cognitive function is defined as the cognitive failure mode (CFM). These macro cognitive functions are based on the cognitive basis for HRA, which was published as NUREG-2114 [3]. IDHEAS-ECA [1] also incorporates the 20 performance influencing factors (PIFs) discussed in the IDHEAS-G [4]
methodology framework. In the IDHEAS-ECA methodology, PIFs are used to model the conditions, or context, that affect human performance of an action within this HRA method.
IDHEAS-ECA also identifies associated attributes which are characteristics of PIFs. The attributes describe the way the PIFs represent a challenge to macro cognitive functions for a critical task, thereby increasing the likelihood of error in the affected macro cognitive function(s).
Within IDHEAS-ECA, the PIFs and attributes are provided in a drop-down list with associated boxes for the user to select. In the IDHEAS-ECA HRA quantification results shown below, the CFM, PIF and PIF attributes are shown to document the basis for the resulting HEP.
There are base values for each cognitive failure mechanism built into the software tool. When there are no performance influencing factors or attributes selected, the base value of the macro cognitive function selected will be used to calculate the overall human error probability. The base values of each macro cognitive mechanism are shown in Table 6-1.
Table 6-1. Base HEP values for macro cognitive mechanisms Detection 1.00E-04 Understanding 1.00E-03 Deciding (Decision Making) 1.00E-03 Action 1.00E-04 Inter team (Teamwork) 1.00E-03 6.2 High-Level Description of IDHEAS-ECA Results HRA results are shown in Sections 6.3, 6.4, and 6.5, respectively, for each of the three scenarios identified and described in Section 3. For the FLEX scenario, multiple HFEs were identified and quantified. In contrast, the only HFE was quantified for each of the two non-FLEX scenarios. In the discussions below, there is a results table for each HFE addressed.
6-1
Within each table, results are shown for each of the HRA analysts who participated in the NRCs FLEX HRA project. The HRA analysts are identified as Subject A, Subject B, and so on, consistently throughout the results tables.
For each table presenting the HRA quantification results, the following information is provided for each analyst:
- the cognitive failure modes selected
- the performance influencing factors and attributes within the selected cognitive failure mechanism
- the overall human error probability of that HFE and any justification for PIF selections, if provided.
Timing data, Pt, was discussed during the workshop, but was not consistently used when applying IDHEAS-ECA (in part, because there was expansive time available for the operator actions being addressed). Also, in some cases, timing parameters were not clearly defined or known for the scenarios. Overall, HEP contributions from timing concerns were not considered to be a major contributing factor to the overall HEP.
Table 6-2, below, provides a roadmap to the results and associated tables that are given in subsequent sections. Table 6-2 also shows the scenario and associated HFE(s) that are addressed and the critical tasks for each HFE. For reader convenience, the specific table numbers for the HFE quantification results are shown.
Table 6-2 Roadmap for FLEX Scenario HFE Quantification Results Scenario HFEs Evaluated Critical Tasks Variations Table #
FLEX Fail to declare ELAP Same as HFE Case 1 6-3 Case 2 6-3a Case 3 6-3b Fail to perform FLEX Same as HFE None 6-4 DC Load Shed Fail to deploy FLEX Transport DG None 6-5 DG connect, start, and load DG Fail to perform Recognize, decide None 6-6 containment venting and execute containment venting Non-FLEX: Fail to recognize need Recognize need None 6-7 Sunny Day for FLEX pump for FLEX pump Loss of All and initiate pump Feedwater deployment Non-FLEX: Fail to understand Recognize need None 6-8 Sunny Day need for, connect and for FLEX Plus DG, SBO start FLEX Plus DG connect and start pre-staged DG to energize plant safety bus 6-2
6.3 Results for FLEX Scenario - Large Seismic Event and SBO Section 3.4 and Appendix B provide a detailed description of the BDBEE FLEX scenario for a BWR, involving a large seismic event and subsequent SBO. This section also identified many key scenario-specific assumptions and four HFEs to quantify for this FLEX scenario:
- 4. Operators fail to perform containment venting Each of these HFEs for the FLEX scenarios are addressed below.
6.3.1 Results for FLEX Scenario: Base Case HFE1 - Operators fail to declare ELAP For the first HFE in this scenario, operators fail to declare ELAP, Section 3.4.2 provides the following key assumptions for a base case FLEX scenario:
- The modeled NPP has a relatively short battery life such that an Extended Loss of AC Power (ELAP) must be recognized at one hour after event initiation.
- There is definitive procedural guidance on the requirement for ELAP at one hour after event initiation.
Table 6-3 provides the IDHEAS-ECA HRA quantification results for the HFE operators fail to declare ELAP for the base case FLEX scenario.
Table 6-3. Base Case HFE - Operators fail to declare ELAP in FLEX Scenario Analyst CFM Selection PIF and Attribute Justification Overall Selection HEP Subject A Detection No Impact; No PIF selection No justification 1.10E-3 Only base value used provided Decision Making No Impact; No PIF selection Only base value used Subject B Understanding No Impact; No PIF selection Shift manager has as 1.41E-01 Only base value used much info as possible about the scenario status.
Decision Making Task Complexity Analyst wants to competing or conflicting goals capture the issue that (C25) operators will try multiple ways to recover power. There is an uncertainty in how much time operators would spend waiting for additional information.
Decision Making Task Complexity Subject B originally 1.54E-1 competing or conflicting goals only selected Task (C25) Complexity under Decision Making during the workshop but felt the results 6-3
Analyst CFM Selection PIF and Attribute Justification Overall Selection HEP were unreasonably high. During the operator interviews/onsite visits it was said that this action was a simple decision. Therefore, the analyst changed the PIFs in the results above resulting in 1.41E-1. Authors thought this would be important to show the difference in HEP.
Subject C Detection No Impact; No PIF selection Operators can 1.1E-3 Only base value used acknowledge the situation that there is no power to any of the 4 safety buses Understanding No Impact; No PIF selection Operators understand Only base value used that during evaluation of loss of all AC power, the 1-hour time frame is set in stone and cannot be deviated from due to the importance of getting a FLEX generator deployed and started.
Subject D Detection No Impact; No PIF selection The cue is based on 1.10E-3 Only base value used the expectation that AC power to any 4.16 kV bus cannot be restored Decision Making No Impact; No PIF selection A decision must be Only base value used made.
Subject E Detection Multitask, Interruption, No justification 2.69E-3 Distraction provided Distraction by other on-going activities that demand attention (Moderate Effect Level) (**MT1; level 5)
Understanding Multitask, Interruption, No justification Distraction provided Distraction by other on-going activities that demand attention (**MT1; level 1)
Decision Making No Impact; No PIF selection No justification Only base value used provided 6-4
6.3.2 Results for FLEX Scenario: Variation Cases for HFE1 - Operators fail to declare ELAP Section 3.4.2 also provides the following key assumptions for the two variations on the base case FLEX scenario:
- Variation #1:
o The modeled NPP has a longer battery life than that for the base case (e.g.,
approximately 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />; more than 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> but less than 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />).
o Procedural guidance is more ambiguous than for the base case, i.e., IF AC power cannot be restored within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, declare ELAP within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> of losing all AC power.
- Variation #2:
o The assumptions are the same as for Variation #1, except that it is less obvious that power cannot be restored.
Consequently, HRA analyst evaluation of the two variations on the base case FLEX scenario included consideration of these different scenario parameters, which resulted in the selection of different influencing factors than for the base case scenario. Tables 6-3a and 6-3b show the results for these two variations, including how the overall HEP is altered. It should be noted that the alphabetical identifier in parenthesis are the PIF codes used in the software tool.
For Variation #1, the principal difference between this variation and the base case is the more ambiguous procedural guidance (i.e., IF AC power cannot be restored within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, declare ELAP within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> of losing all AC power). The results for this variation are shown below in Table 6-3a.
Table 6-3a. Variation #1 on Base Case HFE - Operators fail to declare ELAP in FLEX Scenario Analyst CFM Selection PIF and Attribute Justification Overall Selection HEP Subject A Decision Making Info Completeness and No justification 3E-2 Reliability Information is unreliable or uncertain (**INF2; Level 2)
Subject B Decision Making Info Completeness and No justification 3E-2 Reliability Information is unreliable or uncertain (**INF2; Level 2)
Subject C Decision Making No Impact; No PIF No justification provided 1.1E-3 selection Only base value used Subject D Decision Making Procedure and No justification provided 1.73E-3 Guidance Procedure requires judgement (PG2) 6-5
Analyst CFM Selection PIF and Attribute Justification Overall Selection HEP Detection No Impact; No PIF selection; Only base value used Subject E Decision Making No Impact; No PIF No justification provided 2.1E-3 selection; Understanding Only base value used Table 6-3b shows the results for variation #2 which is the same as Variation #1 except that it is less obvious that power cannot be restored (e.g., little damage onsite and reports on offsite damage are incomplete).
Table 6-3b Variation #2 on Base Case HFE - Operators fail to declare ELAP in FLEX Scenario Analyst CFM Selection PIF and Attribute Selection Justification Overall HEP Subject A No Information provided Subject B Decision Making Information Completeness No justification provided 8E-2 and Radiality Information is unreliable or uncertain (**INF2; Level 3)
Procedure and Guidance Procedure requires judgement (PG2)
Subject C Decision Making Task Complexity No justification provided 1.6E-2 Decision criteria are intermingled; ambiguous or difficult to assess (C32)
Procedure and Guidance Procedure requires judgement (PG2)
Subject D Detection No Impact; No PIF selection; 1.6E-3 Only base value used No justification provided Decision Making Procedure and Guidance Procedure requires No justification provided judgement (PG2)
Task Complexity Decision criteria is ambiguous or difficult to assess (C32) 6-6
Analyst CFM Selection PIF and Attribute Selection Justification Overall HEP Subject E Understanding Task Complexity No justification provided 1.02E-1 Ambiguity associated with assessing the situation (C15)
Detection No Impact; No PIF selection; Only base value used Decision Making Procedure and Guidance Procedure requires judgment (PG2) 6.3.3 Results for FLEX Scenario: HFE2, HFE3, and HFE4 Tables 6-4 through 6-6 show the results for the other three HFEs evaluated with IDHEAS-ECA
[1,2] for the FLEX scenario.
Table 7-2 shows the results for the second human failure event performed per the plant-specific FLEX procedure for FLEX DC load shed. For the specific BWR considered, all of the breakers that need to be manipulated have special FLEX labels that make them stand out from regular plant labels. Also, all of the breakers are in the same area, but at several different panels. The plant-specific procedure clearly identifies which breakers require manipulation and there are very few breakers to manipulate on each panel. As expected for such FLEX operator actions, there is no peer checker available for this action, but self-check is relatively easy to perform because there are so few manipulations required.
Table 6-4 HFE2: Operators fail FLEX DC load shed in FLEX Scenario Analyst CFM PIF and Attribute Selection Justification Overall Selection HEP Subject A Action Scenario Familiarity No justification provided 6.00E-03 Infrequently performed scenarios
(**SF3)
Task Complexity Straightforward procedure execution with many steps (C31)
Time pressure Due to perceived time urgency (MF2)
Subject B Action Task Complexity No justification provided 2.2E-03 Straightforward procedure with many steps (C31)
Environmental Very small breakers that Poor lighting for reading info or require operators to use a execution (ENV4) flashlight to read the breaker IDs 6-7
Analyst CFM PIF and Attribute Selection Justification Overall Selection HEP Training and Experience Selected this based on the Inadequate training frequency or definition of infrequent refreshment (**TE1; level 5) training. Analyst does not believe there is an issue with only training on this action once every couple of years Subject C Action Scenario Familiarity No justification provided 3.1E-03 Infrequently performed scenarios
(**SF3; level 1)
Staffing Lack of backup or peer check or cross-checking (STA2)
Time pressure Due to perceived time urgency (MF2)
Subject D Action Scenario Familiarity No justification provided 2.00E-03 Infrequently performed scenarios;
(**SF3; level 1)
Task Complexity Straightforward procedure execution with many steps (C31)
Subject E Action Scenario Familiarity No justification provided 2.00E-03 Infrequently performed scenarios;
(**SF3; level 1)
Task Complexity Straightforward procedure execution with many steps (C31)
The third HFE modeled for the FLEX scenario is Operators fail to deploy the FLEX DG. This HFE does not include debris removal (which would be modeled as a separate HFE) or the task of determining the best transportation and staging path (which also would be modeled in a different HFE, if at all). Therefore, it is assumed that the primary staging location is used. It also is assumed that a vendor normally tests the FLEX equipment, but the operators transport the equipment for the vendors for testing. In the workshop, the HRA analysts elected to quantify this HFE in two critical tasks: 1) operators fail to transport the FLEX DG and 2) operators fail to connect and start47 the FLEX DG. Tables 6-5a and 6-5b show the results of the third human failure event of deploying the FLEX diesel generator for these two critical tasks, respectively.
Table 6-5a HFE3: Operators fail to deploy FLEX DG in FLEX Scenario/Critical Task 1:
Fail to transport Analyst CFM PIF and Attribute Selection Justification Overall Selection HEP Subject A Action Scenario Familiarity No justification provided 1.0E-3 Infrequently performed scenarios;
(**SF3; level 1) 47 Two HRA analysts also addressed FLEX DG load but those results are not reported here.
6-8
Subject B Action Scenario Familiarity No justification provided 1.0E-3 Infrequently performed scenarios;
(**SF3; level 1)
Training and Experience Inadequate training frequency or refreshment (**TE1; level 1)
Subject C Action Scenario Familiarity No justification provided 1.0E-3 Infrequently performed scenarios;
(**SF3; level 1)
Subject D Teamwork No Impact; No PIF selection; No justification provided 1.0E-3 Only base value used Subject E Action Scenario Familiarity No justification provided 3.0E-3 Infrequently performed scenarios;
(**SF3; level 1)
Mental, Fatigue, Stress and Time Pressure Time pressure due to perceived time urgency (FS2)
Table 6-5b HFE3: Operators fail to deploy FLEX DG in FLEX Scenario/Critical Task 2:
Fail to connect and start FLEX DG Analyst CFM PIF and Attribute Selection Justification Overall Selection HEP Subject A Decision Scenario Familiarity This was selected for 1.2E-2 Making Infrequently performed the main control room scenarios; coordinating
(**SF3; level 1) implementation Action Scenario Familiarity No justification provided Infrequently performed scenarios;
(**SF3; level 1)
Task Complexity Straightforward procedure execution with many steps (C31)
Subject B Action Scenario Familiarity No justification provided 2E-3 Infrequently performed scenarios;
(**SF3; level 1)
Task Complexity Straightforward procedure execution with many steps (C31)
Subject C Action Scenario Familiarity No justification provided 6E-3 Infrequently performed scenarios;
(**SF3; level 1)
Task Complexity Straightforward procedure execution with many steps (C31)
Mental, Fatigue, Stress and Time Pressure 6-9
Analyst CFM PIF and Attribute Selection Justification Overall Selection HEP Time pressure due to perceived time urgency (FS2)
Subject D Action Task Complexity No justification provided 1E-3 Straightforward procedure execution with many steps (C31)
Subject E Action Scenario Familiarity No justification provided 6E-3 Infrequently performed scenarios;
(**SF3; level 1)
Task Complexity Straightforward procedure execution with many steps (C31)
Mental, Fatigue, Stress and Time Pressure Time pressure due to perceived time urgency (FS2)
Table 6-6 shows the results of the fourth HFE - Operators fail to perform containment venting.
For this HFE, the analysts chose to model only one critical task that encompassed failures of recognizing the need, deciding to perform, and executing containment venting. Also, this HFE was addressed after the workshop, because additional information was needed by the HRA analysts, and only two analysts provided results for this HFE.
Table 6-6 HFE4: Operators fail to perform containment venting in FLEX Scenarios Analyst CFM PIF and Attribute Selection Justification Overall Selection HEP Subject B Detection No Impact; No PIF selection; 2.10E-3 Only base value used Decision No Impact; No PIF selection; Making Only base value used Action Task Complexity No justification provided Straightforward Procedure execution with many steps (C31)
Subject D Detection No Impact; No PIF selection; 2.72E-2 Only base value used Understanding Scenario Familiarity No justification provided Infrequently performed scenarios (**SF3)
Decision No Impact; No PIF selection; Making Only base value used Action Scenario Familiarity No justifications provided Infrequently performed scenarios (**SF3)
Task Complexity 6-10
Straightforward Procedure execution with many steps (C31)
Procedure and Guidance Procedure design less than adequate (PG1)
Mental Fatigue, Stress and Time Pressure Time pressure due to perceived time urgency (FS2)
Teamwork Task Complexity Operators must Coordinate activities of multiple communicate the local diverse teams or organizations evacuation of Reactor (C44) Building and SBGTS Filter Train area.
Operators must coordinate with Chemistry to determine release rates.
6.4 Results for Non-FLEX Scenario - Sunny Day Loss of All Feedwater As stated in Section 3.5.1.3, there was only one HFE evaluated for this non-FLEX scenario:
Operators fail to recognize need for FLEX pump (using a modified loss of heat sink procedure, FR-H1). This HFE represents the cognitive portion only of a larger HFE that the team originally defined for the FLEX scenario: Operators fail to initiate use of FLEX pump. Although there are some differences between deploying a FLEX pump for a FLEX scenario and this non-FLEX loss of all feedwater scenario, the HRA analysts agreed that the HRA assessment of the execution portion of this HFE would be similar in both cases (i.e., the actions required for transporting and putting the FLEX pump are the same, regardless if it is a BDBEE FLEX scenario or a non-FLEX, sunny day loss of feedwater). Consequently, the execution portion of the larger HFE was not addressed in this effort.
Section 3.5.1.2 identified many key assumptions for this scenario. It is important to note that the HRA results, regardless of HRA method, for this HFE would be very different without these key assumptions.
Table 6-7 documents the IDHEAS-ECA [1, 2] results for this HFE. There were no variations on this scenario that were addressed.
Table 6-7 HFE: Operators fail recognize need for FLEX pump in non-FLEX, sunny day loss of FW scenario Analyst CFM PIF and Attribute Justification Overall Selection Selection HEP Subject A Detection Scenario Familiarity No justification provided 3.26E-3 Unpredictable dynamics in known scenarios (SF1)
Understanding No Impact; No PIF selection; No justification provided Only base value used 6-11
Analyst CFM PIF and Attribute Justification Overall Selection Selection HEP Decision Procedure and Guidance No justification provided Making The procedure requires some judgement (PG2)
Subject B Detection Task Complexity The shift manager must 1.59E-02 Detection is moderately make a timely decision to complex (C2) deploy the FLEX Mental Fatigue, Stress, Time equipment.
Pressure The crew needs to recover Time pressure due to feedwater before the perceived time urgency (MF2) conditions for feed and bleed.
Understanding No Impact; No PIF selection; Operators are routinely Only base value used trained on scenario Action Scenario Familiarity FLEX is a new strategy at Infrequently performed the plant and training which scenarios (**SF3) involves moving the Task Complexity equipment may not be straightforward procedure routinely trained on.
execution with many steps (C31)
Teamwork No Impact; No PIF selection; There should be some Only base value used longer-term team work between the main control room and the local operators to start and control the FW pump and level.
Subject C Detection Task Complexity No justification provided 4.19E-3 Detection demands for high attention (C3)
Understanding Procedure and Guidance Procedure requires judgement (PG2)
Decision Procedure and Guidance Making Procedure requires judgement (PG2)
Subject D Detection No Impact; No PIF selection; No justification provided 1.3E-2 Only base value used Understanding No Impact; No PIF selection; Only base value used Decision Task complexity Making Procedure transfer (multiple strategies to choose)
(C22)
Subject E Decision Procedure and Guidance No justification provided 1.69E-3 Making Procedure requires judgement (PG2) 6-12
6.5 Results for Non-FLEX Scenario - Sunny Day SBO Table 6-8 shows the results of the non-FLEX scenario in which a station blackout (SBO) occurs with the following key configuration:
- one EDG is out of service for an extended maintenance outage
In this scenario, as described in Section 3.5.2.4, a sunny day loss of offsite power (LOOP) occurs, followed by the failure of the remaining EDG. There are several key and very plant-specific features of this scenario that are described in Section 3.5.2.4 and in Section 3.5.2.2 where key assumptions are documented. For example, a unique procedure, referred to as a contingency plan, was developed in order to use the pre-staged, portable DGs. In order to credit use of the contingency plan (in parallel with normal main control room response using EOPs), a particularly key assumption is that there is an extra RO designated to implement this contingency plan in order to energize the emergency buses using the FLEX Plus DGs. The extra RO in the MCR is designated to identify the need to implement the contingency procedure, using control room indications, then to implement the procedure and dispatch a designated AO to put the FLEX Plus DGs into service.
Table 6-8 documents the IDHEAS-ECA [1, 2] results for this HFE. There were no variations on this scenario that were addressed. It is important to note that the HRA results, regardless of HRA method, for this HFE would be very different without thee key assumptions identified in Section 3.5.2.2.
Table 6-8 HFE/Critical Task: Operators fail to connect pre-staged, FLEX Plus DGs to energize plant safety bus in non-FLEX, SBO scenario Analyst CFM Selection PIF and Attribute Selection Justification Overall HEP Subject A Detection No Impact; No PIF selection No justification 3.13 E03 (CH) Only base value used provided Decision Making No Impact; No PIF selection Only base value used Action Task Complexity No justification Straightforward Procedure provided Execution (C31)
Scenario Familiarity Infrequently Performed Scenarios (**SF3; level 1)
Subject B Decision Making Scenario Familiarity No justification 2.5E-2 (KG) Infrequently performed scenarios
(**SF3; level 1) Removing PG3, HEP Procedure and Guidance increases to 1.36E-2.
Procedure lacks details This was a variation (PG3) captured from Subject B.
Action Scenario Familiarity Infrequently performed scenarios
(**SF3; level 1)
Task Complexity 6-13
Analyst CFM Selection PIF and Attribute Selection Justification Overall HEP Straightforward procedure execution (C31)
Procedure and Guidance Teamwork Task Complexity Complexity of information communicated (**C41) level 1 Mental Fatigue, Stress, Time Pressure Sustained(>30mins) high demanding cognitive activities requiring continuous attention Subject C Detection No impact; No PIF selection No justification 4.09E-3 (FA) Only base value used provided Understanding No impact; No PIF selection Only base value used Decision Making No impact; No PIF selection Only base value used Action Task Complexity Straightforward Procedure Execution (C31)
Scenario Familiarity Infrequently Performed Scenarios (**SF3) level 1 Subject D Detection No impact; No PIF selection 4.69E-3 (JB) Only base value used Understanding No PIF selection Only base value used Decision Making No PIF selection Only base value used Action Scenario Familiarity Infrequently Performed scenario
(**SF3; level 1)
Task Complexity Straightforward Procedure Execution (C31)
Human System Interface Similarity in Elements (HS18)
Staffing Lack of backup; lack of peer check (STA2)
Subject E Detection No Impact; No PIF selection No justification provided 1.1E-3 (MA) Only base value used Action Task Complexity Straightforward Procedure execution with many steps (C31)
The following comments were captured in notes for quantification of this HFE:
- Most analysts agreed that the HEP result would be higher if there was not an extra RO in the MCR designated to implement the contingency procedure. However, the analysts did not think that the task would always fail (HEP of 1.0) without an extra, designated MCR 6-14
operator. Some thought the biggest affect would be on timing if there was no designated AO.
- All the analysts thought their results were reasonable.
6.6 Conclusions Overall, the HRA analysts concluded that IDHEAS-ECA [1, 2] results were reasonable and within their understanding given the scenario descriptions and assumptions. Based on the influencing factors and attributes selected, there were only slight differences in the overall HEP values for most HFEs. The variation of PIF and attribute selections depends on a number of factors, including:
- the analysts comprehension and interpretation of the event and the details within the event
- the analysts ability to translate their understanding of the scenarios and associated HFEs into the appropriate inputs for the IDHEAS-ECA HRA method 6.7 References
- 1. NRC/RES IDHEAS-ECA Guidance (draft report)
- 2. IDHEAS-ECA Software tool
- 3. NUREG-2114
- 4. IDHEAS-G 6-15
7 HRA/PRA LESSONS LEARNED AND NEXT STEPS As noted in the previous section, this effort provided some initial feedback on the use of IDHEAS-ECA [1, 2] in FLEX contexts. In addition, this effort provided some lessons learned and insights regarding HRA and PRA modeling of FLEX and non-FLEX scenarios. Such lessons learned and insights could be beneficial to future related efforts regarding HRA/PRA for FLEX.
7.1 Overall Observations At a high level, this effort provided several benefits to both the NRC and industry. Examples of such benefits are:
- Both NRC and industry HRA analysts learned more about FLEX equipment and utility preparations for using FLEX equipment that are important inputs to HRA/PRA.
- HRA/PRA can adequately represent the positive affect of improvements in how FLEX strategies are implemented (e.g., better procedural support for the decision to declare ELAP) that have occurred since initial HRA efforts to address FLEX [3, 4].
- HRA/PRA is shown to be able to address the use of FLEX equipment in non-FLEX scenarios. However, non-FLEX scenarios require collaboration of FLEX and HRA/PRA experts for their development. (see Section 7.2 below on HRA and PRA modeling insights.)
- The combination of information collection during the site visits, inputs from industry FLEX experts, traditional HRA/PRA constructs, and several key assumptions were sufficient to support the development of three scenarios (1 FLEX, 2 non-FLEX) that both NRC and industry analysts agreed were credible.
- Generally, the HEPs developed by the participating industry and NRC HRA analysts were consistent (within an order of magnitude).
- Industry-wide and plant-specific information about FLEX implementation (e.g., industry-wide use of common connections, plant-specific FLEX timelines and validations) were helpful and important inputs to the scenario development and associated HRA.
- Industry participation (both FLEX experts and HRA analysts) and interaction with NRC staff (both HRA analysts and the NRCs FLEX HRA technical staff) throughout the project created a confidence in the process and results.
- The confidence in the scenario development approach also translated into a collegial environment for the workshop.
- The human error probabilities (HEPs) generated by IDHEAS-ECA were considered to be generally credible by both NRC and industry HRA analysts.
- Informal feedback from the NRC HRA analysts indicates that they are more open to using a new HRA tool than they might have been at the start of the project.
7.2 Insights for HRA and PRA Modeling Several important insights resulted from this effort related to HRA and PRA modeling. Three of the most important insights applied to both FLEX and non-FLEX scenarios. Namely:
7-1
- 1. The two plant site visits and associated industry materials on FLEX implementation allowed the HRA analysts to better understand how FLEX strategies were expected to be implemented by industry. However, it is likely that HRA/PRA analysts would need to confirm that FLEX implementation for another NPP is similar to the two NPPs visited in this project.
- 2. The level of detail in the developed scenarios was likely greater than that typical of an HRA/PRA. However, this detail was important for the HRA analysts to consider the scenarios as credible.
- 3. By design, the HRA analysts in this project were provided with the equivalent of the HRA qualitative analysis for each HFE (i.e., they did not need to develop their own qualitative understanding). Consequently, the principal variations between analysts were related to how individual analyst interpreted the qualitative analysis into the inputs required by IDHEAS-ECA [1, 2] for quantification. Previous studies (e.g., HRA Benchmarking studies [5, 6] have shown that differences in qualitative understanding can be an important source of analyst-to-analyst variability.
Some insights that are principally relevant to FLEX scenarios include:
- The definition of success criteria used for FLEX implementation (for example, see NEI 12-06 [7]) is different than that used in PRA. Consequently, PRAs for BDBEE FLEX scenarios would need to develop the appropriate success criteria (e.g., a serious consequence such as core damage or component failure).
- The timing validations for FLEX implementation may be conservative as compared to the timing information typically used in PRA.
- Because FLEX validation times are typically developed for site-wide events, these times may represent operator actions for more than one unit. If the FLEX PRA models only one unit, the HRA/PRA analyst will need to either separate timing contributions for each unit or accept a certain amount of conservatism in this timing input.
Similarly, there are a few insights that are specifically related to the development of non-FLEX scenarios. For example:
- Non-FLEX scenarios are likely to be very plant-specific, including:
o What initiating event and what failed plant function or system is important Importance likely will be determined by NPP-specific strengths or vulnerabilities in capability for event response
- In order to best represent what are considered safety improvements (e.g., modifying EOPs to include use of FLEX equipment) for non-FLEX scenarios, FLEX experts and HRA/PRA experts should work together in order to ensure that such modifications are effective in reducing plant risk, e.g.,
o procedural modifications should be feasible (e.g., adequate time, sufficient cues and staffing) and reliable from the HRA perspective o pre-staged FLEX equipment reliability should be considered (e.g., is there adequate testing that the equipment has been properly staged?)
- FLEX timing validation information may be insufficient for non-FLEX scenarios because the timeframe of response is shorter than that for a BDBEE, e.g.,
7-2
o The typical timeframe for deploying FLEX equipment (without consideration of preliminary tasks such as debris removal) is an hour or more.
o Most traditional PRA scenarios require response in less than an hour. For example, the two non-FLEX scenarios addressed in this report had the following timing constraints:
The FLEX pump must be deployed before the F&B criteria was reached.
In traditional PRAs, this time is about 45 minutes. The scenario that this report addressed was specifically designed to provide more time for deploying the pump.
The FLEX DGs needed to be operating before criteria for declaring ELAP were met. The scenario that this report addressed included pre-staging of the FLEX DGs in order to have FLEX DGs operating in enough time.
- Thermal-hydraulic (T-H) analyses may not have been performed to support crediting FLEX equipment in non-FLEX scenarios (e.g., if AFW pump runs for one hour then fails, how much more time do operators have until F&B success criteria are reached than if the AFW pump failed at t=0?)
7.3 Potential Areas for Future Work The insights mentioned above indicate some potentially beneficial areas for future work, such as development of:
- Full documentation of the HRA implications of ideal FLEX implementation (building on the plant site visit notes documented in Section 2).
- Checklists or other tools that NRC HRA analysts could use to determine how close to ideal a specific NPP is in order to evaluate HFEs for that plant.
- Additional guidance for intended IDHEAS-ECA users on how to translate an operational understanding of a FLEX or non-FLEX scenario into the IDHEAS-ECA terminology.
- Guidance on the differences between FLEX and non-FLEX scenarios and how they should be treated in HRA/PRA.
- Additional examples of IDHEAS-ECA [1, 2] application, including recommended PSF/PIF assessments for specific HFEs and scenario contexts (which would guide analysts to context-specific concerns and help in maintaining analyst-to-analyst consistency).
7.4 References
- 1. Draft IDHEAS-ECA Guidance (draft report)
- 2. IDHEAS-ECA Software tool
- 4. NRC expert elicitation
- 5. International HRA benchmarking study
- 6. U.S. Benchmarking study
- 7. NEI 12-06 7-3
APPENDIX A
SUMMARY
NOTES FROM THE PLANT SITE VISITS This appendix provides the summary notes from the two plant site visits conducted for this project.
A.1 Summary of HRA/PRA-Relevant Notes for the Plant Site Visit to a BWR As stated in Section 2.6.1, the first plant visit for this project was to a BWR NPP. Section 2.6.1 also stated that the first site visit provided probably the largest increase in understanding of FLEX but had fewer notes taken during this visit than that for the later, PWR plant site visit.
However, the fewer notes for the BWR plant site visit should not be taken as an indication that less was learned from this visit. In addition, the BWR plant visit was the source of many of the HRA/PRA-relevant insights that are documented in Section 2.6.3.
The notes taken below were developed by the NRC project team. A draft version of the notes was reviewed by the plant hosts, FLEX experts, and other site visit attendees, including the HRA analysts who attended. When finalized, the site visit notes were distributed to be used in later steps of the project. The notes from the BWR visit are presented below in these categories:
- Plant-specific highlights
- Other aspects of FLEX strategies The BWR plant visit also included a discussion of scenario variations, mostly for FLEX scenarios. Highlights of this discussion are given in Appendix E.
A.1.1 Overall Plant-Specific Highlights The following items were considered key takeaways from the BWR plant site visit:
- 1. Because of industry improvements, the decision to declare an extended loss of AC power (ELAP) (e.g., how transfers to FLEX Support Guidelines (FSGs) are incorporated into EOPs, wording of procedural guidance, FLEX scenario-specific training) is better supported than those decision that previous FLEX HRA efforts have addressed.
- 2. In a FLEX event (i.e., an external event that involves an extended Station Blackout (SBO)), keeping the turbine-driven pump in the reactor core isolation cooling (RCIC) system running is key. If operators can keep the RCIC running, then heat can be removed from the reactor and core uncovery can be prevented. The needed indications for monitoring RCIC operation are not lost in DC load sheds.
- 3. From the whole body of walkdowns and interviews, FLEX strategies and equipment, associated procedures and training, design (e.g., human factoring of interfaces such as the use of universal electrical connections across the U.S. NPP industry), are much more robust than that originally put into place for the response to security events (e.g.,
B.5.b equipment and associated Extensive Damage Mitigation Guidelines (EDMGs)).
- 4. As an additional resource in non-FLEX scenarios, the NPPs B.5.b pump is sheltered and located across the alley from plant buildings. Only hoses to connect to the pump are required to provide water. However, this pump is not protected from external hazards.
- 5. The BWR has installed a hardened vent as an additional way to remove decay heat.
A-1
- 6. The control room crew for both units is similar to that modeled for internal events Level 1 PRA (e.g., 1 Shift Manager, 2 Control Room Supervisors, 3 Reactor Operators, 1 Shift Technical Advisor).
- 7. Noted from walkdowns:
- a. Universal connectors make connecting easy.
- i. Blue tags are used to identify which breakers must be manipulated.
ii. Although there are multiple breakers and multiple cabinets that need to be manipulated, the total number of breakers is few.
iii. Operators can tell when a breaker is in the correct position; there is a feel to the endpoint.
- c. Field operators are adequately familiar with FLEX equipment and vehicles used to transport equipment because of training and other practice.
A.1.2 Highlights From Observing a BWR Simulator Exercise for a Seismic Event and SBO During the BWR plant visit, the FLEX HRA team had the unique opportunity to observe a simulator exercise for a beyond-design basis external event (BDBEE), including the use of FLEX procedures. The particular initiator was a seismic event followed by an SBO (which lead to using a seismic event for the FLEX scenario in this FLEX HRA effort - see Appendix B).
Overall, this was a very valuable experience for the HRA analysts for see how operators respond to a FLEX scenario.
Plant visit attendees not only observed the simulator exercise but were provided with explanations and insights on the exercise, as it progressed, from the plant escort and FLEX/operations experts. The simulator exercise was frozen at some point and the site visit attendees were invited onto the simulator floor to more closely view the EOP flowcharts being used and ask questions.
Examples of insights gained from observing this FLEX scenario in the BWR simulator are:
- Operators are very comfortable using flowchart EOPs
- Communications in the control room between operators were well-controlled (even if a lot of alarms were annunciating) o Crew briefs were performed to make certain everyone knew what the plant conditions were and what procedures were currently in use o Protocols were used to gain the attention of the whole crew for crew briefs
- Communications from the field (e.g., reports of damage from the seismic event) and offsite sources (e.g., reports on offsite power restoration) that are important inputs to the decision to declare ELAP were demonstrated
- Incorporation of the transition to FSGs for an SBO (i.e., declare ELAP) was accomplished easily and seamlessly o Operators systematically worked through the use of the flowcharts for an SBO o Operators worked methodically to obtain necessary information (e.g., how many EDGs are running) to make the proper choices within the flowcharts, including transition to FSGs (i.e., declare ELAP is not explicit with these procedures; this decision is implied by transition to FSGs)
A-2
A.1.3 Highlights From Discussions About FLEX Strategies To supplement the plant walkdowns and simulator observations, the BWR plant visit included considerable discussion on FLEX strategies, generally, and features of the site-specific implementation. Because this was the first face-to-face meeting for the various members (e.g.,
HRA analysts, FLEX experts, NRC technical staff) of the NRCs FLEX HRA project, the discussion ranged from basic descriptions of how the industry has implemented FLEX to details of site-specific design and operations that incorporate FLEX.
For example, there was considerable discussion about the BWRs specific EOPs and FSGs.
These discussions included:
o How BWR EOPs are constructed (e.g., flowcharts) o How BWR EOPs are implemented by the control room operators (e.g., what does the shift supervisor do? How many operators are needed to implement EOPs? What do board operators do? What is the role of the Shift Technical Advisor (STA)?)
o How do operators communicate while implementing BWR EOPs (both generally and for the specific BWR)?
o What are the entry points into FSGs?
o When in the FLEX scenario are FSGs entered (and are there differences depending on the type of external event)?
- Regarding the operators decision to declare ELAP:
o What is the procedural guidance for this decision (e.g., specific columns and notes in the flowchart)?
o What kinds of information will the control room crew receive to make the decision?
o What would be the timing of this information?
o Would operators wait for information (i.e., delay or hesitate) rather than make the decision?
The following additional observations were made during the BWR plant visit:
o The SBO procedure and operator training are consistent in that, after 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> in an SBO condition, ELAP is declared.
o No actual declaration of ELAP is required; transition from the SBO procedure to FSGs is the equivalent.
- The success criteria identified in the FLEX Final Integrated Plans (FIPs) does not have the same basis as PRA success criteria:
o FLEX success criteria is tied to natural circulation and not core damage.
o FLEX validations (e.g., timing of operator actions) were not done with respect to core damage.
o Timing information in FIPs could be useful to HRA/PRA for FLEX but could be conservative in some cases (because FLEX success criteria is not tied to core damage).
- This NPP does not take credit for the BWR equivalent (e.g., blind feeding with RCIC) of a PWR blind-feeding steam generators (SGs).
A-3
A.2 Summary of HRA/PRA-Relevant Notes for the Plant Site Visit to a PWR As discussed in Section 2.6.2, the second site visit for this project was to a Westinghouse PWR NPP. Section 2.6.2 also noted that there are more notes for this visit because the experience of the first site visit made the NRC project team and HRA analysts more prepared to ask detailed questions of plant personnel and the FLEX experts in attendance. Consequently, the number of notes taken for this visit is greater than that for the first site visit. Also, like the BWR visit, the PWR visit was the source of HRA/PRA-relevant insights that are documented in Section 2.6.3.
The notes taken below were developed by the NRC project team. A draft version of the notes was reviewed by the plant hosts, FLEX experts, and other site visit attendees, including the HRA analysts who attended. When finalized, the site visit notes were distributed to be used in later steps of the project.
The notes from the PWR visit are presented below in these categories:
- Plant-specific highlights
- Overview of FLEX strategies (both plant-specific and, generally, industry-wide)
- Highlights of scenario discussions with plant personnel and FLEX experts
- Highlights from plant walkdowns and associated discussions
- Highlights from the video of the PWR FLEX simulator exercise and associated discussions A.2.1 Plant-Specific Highlights The following items were considered key takeaways from the PWR plant visit:
- 1. From discussion on the first day of the site visit:
- a. Security personnel remove debris and move FLEX equipment.
- 2. From walkdowns:
- a. Panels for FLEX load shed are mimicked in the procedure.
- b. Confirmed that the operator would check off breaker manipulations one-at-a-time, as they are performed.
- c. Confirmed that the operator would use the procedure's bolded boxes around "OPEN" breaker positions as a self-check on the correct positioning of the breakers.
- d. Connection points are accessible and have some similarities to what we saw in the BWR plant site visit.
- e. When asked about any "challenging operator actions, the "SRO escort did not identify any.
- f. When asked to compare FLEX actions to SBO or other EOP actions, the SRO escort again did not identify any challenges and said that FLEX actions are easier but are trained on less frequently.
- 3. Failure to strip all loads in a FLEX load shed may not significantly change battery life.
A.2.2 Overview of FLEX Strategies During the PWR plant visit, the following information was presented by plant personnel and supplemented by more general information from FLEX experts on implementing FLEX strategies:
- 1. FLEX equipment is construction industry grade that requires less training and skills than needed for equipment operators (EOs).
A-4
- 2. The systematic approach to training (SAT) (see, for example, References 1 and 2) was used to define training population, methods, and frequencies for FLEX.48
- a. NPPs may have an external event/severe weather procedure that will have steps to initiate plant assessment49
- c. ECA-0.0 (SBO procedure):
- i. The immediate action page provides conditions where initiation of FSGs may be directed ii. Includes an initial DC load shed (for this PWR, there are lots of panels, but the actions are not complicated and are well-trained) iii. Battery life is site-specific. Some sites have performed additional calculations for SBO load shed51 using more realistic assumptions, resulting in additional time for the functionality of batteries beyond the typical SBO load shed calculation (e.g., 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> versus 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> of battery life). This PWR uses 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> as battery life after SBO load shed.
- d. ELAP - many NPPs must do this by 60 minutes after reactor trip
- i. FSG-4 directs FLEX (or deep) DC load shed ii. For this PWR, FLEX load shedding involves cross-tying batteries, shedding all loads except for one train of instrumentation
- 4. For this PWR, the critical timeline in a FLEX event is to establish a backup source of electricity
- a. After successfully performing FSG-4 for FLEX deep DC load shed, there should be 14 hours1.62037e-4 days <br />0.00389 hours <br />2.314815e-5 weeks <br />5.327e-6 months <br /> of battery life remaining
- c. The phase rotation meter provides indication of a correct connection
- d. There is standardized rotation on connections
- e. This PWR did testing to make sure that phase rotation is correct 48 The use of SAT in developing operator supports for implementing FLEX strategies is generally industry-wide.
49 Plant assessment is performed for any event with consequences (i.e. the station will send out operators to assess the condition of the plant following the event like assessing the EDGs to see if they can be started and loaded which is the primary objective in ECA 0.0). The plant assessment to determine clear paths for implementing FLEX strategies is contained in FSG-5 for most PWRs. In addition to FSGs, the plant assessment for damaged conditions will be initiated by certain Abnormal Operating Procedures depending on the event.
50 This is the list of FSGs that PWRs use, based upon PWROG guidelines. They are initiated from ECA-0.0, LOSS OF AC POWER, or ARG-4, LOSS OF ALL AC POWER WHILE ON SHUTDOWN COOLING. ARG-4 and FSG-14 were added later under a separate project for shutdown ELAP.
FSG-1, Long Term RCS Inventory Control FSG-2, Alternate AFW/EFW Suction Source FSG-3, Alternate Low Pressure Feedwater FSG-4, ELAP DC Load Shed/Management FSG-5, Initial Assessment And FLEX Equipment Staging FSG-6, Alternate CST Makeup FSG-7, Loss Of Vital Instrumentation Or Control Power FSG-8, Alternate RCS Boration FSG-9, Low Decay Heat Temperature Control FSG-10, Passive RCS Injection Isolation FSG-11, Alternate SFP Makeup And Cooling FSG-12, Alternate Containment Cooling FSG-13, Transition From FLEX Equipment FSG-14, Shutdown RCS Makeup 51 Per NRC endorsed guidance on extended battery life calculations for batteries ML13241A188 [3].
A-5
- f. Dust covers protect the color coding on the connections (which may appear duller in color than the actual connections)
- g. This PWR has "glow-in-the-dark" labels that are reflective; many sites have "glow-in-the-dark" labels
- 5. Generally, FLEX events are not modeled beyond 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> in PRA. (SAFER equipment is expected to arrive by 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> after event start.)
- 6. Communications capability is addressed
- 7. A staffing assessment was done
- 8. Heat removal for FLEX scenario:
- a. Phase I: Turbine-driven auxiliary feedwater (TDAFW) pump
- i. Can control (i.e., start and stop) the TDAFW pump from the MCR ii. For this PWR, there is no local indication of SG level; EOs must communicate with the MCR or auxiliary shutdown panel52
- b. Phase 2: transition to FLEX
- i. BDB (beyond design basis) pump uses water from the settling pond53 to supply the AFW system ii. Also, the pump can provide makeup to the spent fuel pool
- c. The TDAFW pump can operate only to ~350 lbs., after which there is inadequate steam pressure.
- 9. RCS injection
- a. Need water after 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br /> (before reflux boiling/loss of natural recirculation)
- b. Core damage is calculated to occur at approximately 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> if no injection is provided
- c. The PRA for this PWR assumes 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for core damage (i.e., no failure within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />)
- 10. Containment cooling - need cooling within 1 week
- 11. Spent Fuel Pool - 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> to boiling A.2.3 Highlights of Scenario Discussions By the second site visit, the scenario development team had made some decisions about addressing both FLEX and non-FLEX scenarios in this project. During this visit, there was an opportunity to have face-to-face discussions about scenario development. Plant personnel who were available during these discussions offered additional, relevant plant-specific information.
The following are highlights from the scenario discussions on FLEX scripts, FLEX strategies and equipment:
- 1. FLEX strategies apply to the entire site (e.g., for this PWR, both Units 1 and 2 are addressed at the same time).
- a. For three-unit sites, the most compromised unit is addressed first.
52 One FLEX expert noted that most NPPs have local indications for SG level.
53 This PWRs Safety Evaluation (SE) prioritizes available water sources by cleanliness. The settling pond is one of the cleanest.
The Phase 2 FLEX strategy for reactor core cooling and decay heat removal provides an indefinite water supply for feeding the SGs by deploying the beyond-design basis (BDB) high capacity pump to take suction from the settling pond or the circulating water discharge canal. SG water injection using a portable BDB AFW pump is available through both primary and alternate connection locations when the TDAFW pump becomes unavailable.
A-6
- b. Site-wide staffing is per Emergency Plan (E-plan) requirements (see NEI 10-05
[4] which provides the E-plan requirements for staffing)
- 2. There are variations from site to site regarding the transport of FLEX equipment. At this PWR, security personnel are responsible for debris removal and moving FLEX equipment. (At the BWR plant, equipment operators had this responsibility.)
- 3. Regarding debris removal and its associated assessment:
- i. This FSG is shared in the MCR (i.e., 1 procedure for both units) ii. The first priority is debris removal on site iii. Other local roads (e.g., main access roads to the site) are cleared later.
(Such roads could be cleared in parallel with on-site debris removal, if there is extra equipment that is not used for transferring FLEX equipment.)
- b. Generally, it is not the size of the electrical source thats important; it is what plant functions are being restored
- c. This PWR uses:
- i. 120 V power directly (i.e., without going through battery chargers), then controls AFW locally ii. 480V power feeds battery chargers so instruments are powered via DC current
- 5. Generally, the TDAFW is a slow-moving system
- c. It can be set, then very little tweaking is needed; it is easy to adjust (e.g., 1/4 turn, then wait about 15 minutes for feedback)
- d. If the TDAFW has been running, it is easy to re-start (i.e., just turn 1 valve)
- e. Starting the TDAFW from scratch is more difficult
- 6. FSG-4: powers instruments in the MCR
- 7. FSG-7: powers the remote shutdown panel
- 8. Operator actions for FLEX scenarios:
- a. SRO/Operations - Once operators enter E-0, they sigh because they know where they are (i.e., EOPs are a comfort zone for most operators)
- i. Once you enter ECA-0.0, there are no maintenance activities ii. It will be much quieter in the MCR (e.g., there will be ~12 calls to the MCR for people to say where they were when they stopped their work; then there will be no more calls) iii. Without power to the plant, not much is going on (i.e., plant activities have stopped) iv. Human/resource requirements in FLEX are easier than day-to-day business requirements
- c. FLEX experts: The FLEX procedure structure makes water preferences known; the procedure directs which to use
- d. FLEX training:
- i. INPO looked at training for FLEX55 54 SRO/Operations - Most operators consider the worst scenario to be loss of instrument air 55 INPO review site performance related to training as part of IER 13-10 [5] implementation:
- a. Personnel responsible to perform emergency response duties have the knowledge, skills, and proficiency to execute their emergency response roles in accordance with established procedures and guidelines.
A-7
ii. For this PWR, some things are trained on every 3 years, and some are trained on every 4 years. Plus, there are bits and pieces of actions that are trained on more frequently.
iii. Across the U.S. NPPs, everyone had initial FLEX training56 iv. For this PWR, FLEX equipment is moved out of buildings yearly (by security). Also, the trucks are swapped out, so the fuel stays good and the truck tires do not rot.
- e. Regarding DC load shed:
- i. ECA-0.0 has entry into FSG-4 (each unit will have an FSG-4) ii. Actual load shedding is performed by 1 equipment operator (EO), using an attachment to the procedure iii. For this PWR, the procedure for FLEX DC load shed mimics the panel layout with respect to columns of breakers.
- 1. For this PWR, procedure writers/operations intentionally made these procedures different (e.g., ON positions for breakers are bolded)
- 2. Also, operators are trained on procedure place-keeping (e.g., do step, THEN sign off on the step in the procedure) iv. Having five times more breakers does not mean five times the HEP; because the procedure for this PWR has been designed to support these operator actions.
- v. Generally, there are standard conventions for breakers being ON/OFF.
vi. Typical training will reinforce operators to take their time.
vii. For this PWR, the expected time for operator action performance is not included in procedures. (It was included in the BWRs procedure.)
viii. For this PWR, the FLEX DC load shed procedural guidance has the operators going back to certain panels to flip more breakers (i.e., the same panels as those in the SBO DC load shed).
- 1. This is done to make sure the distribution is even between batteries (i.e., keep DC loads even on batteries).
ix. The loads that are shed might not be live loads. The load shed might be done in order to prevent equipment from operating later.
- 1. The loads that are shed are mostly instruments.
- 2. Battery life calculations include potential valve strokes, etc. that would occur if such loads were not preemptively shed.
- x. Also, if the operator fails to shed a load, the operators can still recover (e.g., if equipment starts, there is time to trip equipment)
- 1. If the operator flips off something that should be on, there will be lost instruments in the MCR (and MCR operators will see this).
- 2. Operators are trained to not correct an incorrectly positioned breaker. Instead, the operator needs to check with the MCR to confirm that it is ok to flip the breaker back on.
- 3. FLEX experts - Failures to strip load in load shed probably will not change battery life significantly.
xi. At some NPPs, the load shed may include stripping the batteries for the EDGs.
xii. As loads are shed, operators can see and will monitor battery voltage:
- b. Drills, exercises, and tabletops are integrated in conjunction with training to prepare personnel to execute their assigned emergency response duties and sustain high levels of performance.
56 There is a NANTel course on FLEX Basic and FLEX advanced.
A-8
- 1. There are indications in the MCR on what loads are on/off.
xiii. FLEX experts:
- 2. Even for a FLEX scenario with minimum debris removal, only an SBO load shed probably would be needed.
xiv. Deploying FLEX DG 480V is addressed in another procedure attachment
- 3. Once the FLEX DG is working, battery chargers and inverters will be working again (and some loads will be re-started)
- 9. On water sources:
- a. A tornado impact on the storage tank does not mean all the water is gone
- i. Some NPPs credited their storage tank; but some NPPs do not have protected condensate storage tanks (CSTs) so they will need alternate sources of water sooner.
- c. Most NPPs have more water than they are crediting
- 10. Scenarios to address include:
- b. Sunny day loss of function
- i. Many BWRs have FLEX in EOPs ii. In general, PWRs do NOT do this (but the PWORG is looking into this)
- 1. However, operators know that FSGs are available for implementation iii. NEI 12.06 [6] (e.g., Section 11.6) - contains procedure diagrams
A.2.4 Highlights from Plant Walkdowns and Associated Discussions The following are highlights from the plant-specific walkdowns and associated discussions of FLEX strategies and equipment:
- 1. From the walkdown of the FLEX building:
- a. Tractors are staged so they can be driven out of both doors (on opposite sides of the building), with buckets attached (and other grappling attachments are located near the edge of the dome).
- b. There are lots of portable lights available in the FLEX building.
- c. There are many similarities to the BWRs FLEX building with respect to the type and quantity of FLEX equipment and the staging of FLEX equipment.
- 2. From discussions after the FLEX building and outside fence walkdowns:
- a. Security personnel are responsible for operating the tractors to move FLEX equipment.
- i. For this PWR, it is assumed that 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> is needed for debris removal following a FLEX event.
ii. Security personnel are typically local residents and/or farmers (who already know how to operate tractors and, therefore, were insulted by the requirement to be trained on how to use tractors).
iii. There are hard cards on how to operator tractors with the equipment.
A-9
- d. The industry-wide requirement for timing validations is to do a demonstration using multiple crews if the time margin is less than 20%.
- e. Regarding staffing for a FLEX event, it is expected that there are no concurrent fire or security events.
[4] (i.e., December 2013 staffing study for Emergency Preparedness (EP) rule (2011) [8])
- i. The FLEX staffing study uses the same format and structure ii. The FLEX staffing study is identical for some aspects, so these aspects do not have to be done again
- i. Performance shaping factors ii. Estimated (or demonstrated) timing of operator actions57 iii. Different hazards
- h. For this PWR, most of the discharge fittings are the same size; suction sittings can be different sizes, but adapters are available.
- b. The operator would check off breaker manipulations one-at-a-time, as they are performed (i.e., good placekeeping)
- c. The operator would use the procedures bolded boxes around OPEN breaker positions as a self-check on the correct positioning of the breakers
- d. The operator would need to check with the MCR before correcting an incorrectly positioned breaker
- e. Connection points are accessible and have some similarities to what were seen during the BWR plant site visit
- f. There were no challenging operator actions
A.2.5 Highlights from Video of PWR FLEX Simulator Exercise and Associated Discussions During the PWR plant site visit, it was not possible to observe simulator exercises. In place of such observations, a video of a simulator exercise for an external event requiring FLEX strategies was viewed, then discussed by the host plants operational experts, the NRC project team, and the attending HRA analysts and FLEX experts. Because the simulator exercise video was for a Combustion Engineering (CE) PWR, there were some differences between that NPP and the visited Westinghouse PWR (e.g., procedure formats and names, number of FSGs developed for implementing FLEX strategies, redundancy of equipment in certain safety and support systems).
The following are highlights from the discussion of the simulator video, with comparisons to the PWR and BWR NPPs visited during this project:
- 1. The video shows that the CE PWR and the BWR NPP are similar on how updates are done among the MCR operators (e.g., the MCR operator announces Update! then 57 However, some timing validations represent operator actions for all units on site, whereas HRA/PRA typically models a single NPP.
A-10
everyone in the MCR holds up their hands to acknowledge that they are listening; after the updated information is provided, end of update is announced)
- a. Once done with E-0 initial steps and the first step in ECA-0.0 (which are focused on verifying reactor and turbine trips), the operators then started focusing on why the EDGs were not working, e.g.,
- i. ECA-0.0 directs operators to try to start of one EDG; if it does not start, then operators are instructed to move on to trouble-shooting
- b. The operators will continue to work through steps and other options in ECA-0.0.
(If there are enough equipment operators, then they will continue to trouble-shoot why the EDG did not start. For the PWR visited, there probably would not be enough operators if they only have the minimum number of staff because they will be needed elsewhere)
- i. The staffing study for the PWR visited shows that more staff available will be available after 30 mins for EDG trouble-shooting
- 3. According to one FLEX expert, at some sites, they have re-programmed operators on the timing of FSGs 4 and 5 in SBO training to make certain that they start implementing these FSGs within an hour.
- a. This training relates to not having confidence that EDGs will be restored in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />
- 4. Regarding ELAP:
- a. For this PWR, the procedure step is: *Step 20, check if AC power is restored within 45 minutes (e.g., has offsite power been restored, EDGs started, or other sources been aligned?)
- i.
- means continuous step ii. If the answer is no, then the operators go to the Response Not Obtained (RNO) column on the righthand side:
- 1. declare ELAP, initiate FSG-4 (load shed), initiate FSG-5 (initial assessment and FLEX equipment staging) iii. To determine whether power is restored, call the system operator; they are mandated to call at 35 minutes (i.e., the auxiliary operator calls using Satellite phone, as stated in the FLEX staffing study) iv. A plant-specific operations expert states that you dont have a choice on declaring ELAP at 45 minutes
- 5. What do operators do if offsite power is restored after FLEX equipment is already in use?
- a. For this PWR, the FLEX DC load shed includes stripping the 4 kV protection; FSG-13 provides instruction on how to restore offsite power
- b. However, once the FLEX DGs are working, operators would use the TSC to help in re-loading using offsite power
- c. Generically, guidance for this situation says that it is not preferable to power FLEX loads/trains with offsite power
- i. Also, you cannot mix and match power sources and loads ii. A plant-specific operations and PRA expert stated that the procedural direction is: FSG-13, Step 2 - Check with TSC
- d. The earlier you get back offsite power, the easier it is to restore. Also, if operators have progressed far into implementing FSGs with FLEX equipment working, then the plant state is stable and there is time to back out of FLEX equipment use
- f. Later, when SAFER equipment arrives, this equipment would power other buses/divisions
- 6. Notes on the severity of declaring ELAP:
- a. Many sites declare ELAP (i.e., make the decision that the plant is in an SBO) at the same time that a General Emergency is declared (i.e., the highest level of alert which is generally associated with the need to perform evacuations and with potential deaths)
- b. This PWR has a new, not yet implemented procedure that changes the criteria for declaring a General Emergency from just declaring ELAP to ELAP plus a red path (in critical safety function tree) for core cooling
- 1. As a result of this procedure change, the conditions for declaring a General Emergency would never be reached for a non-FLEX event that involves a loss of coolant accident (LOCA)
A.3 References
- 2. SAT reference - INPO ACAD 85-006
- 3. NRC-endorsed guidance for extended battery life calcs, ML13241A188
- 4. NEI 10-05
- 5. IER 13-10
- 6. NEI 12-06
- 7. NEI 12-01
A-12
APPENDIX B FLEX SCENARIO FOR A BWR This appendix captures the description of the FLEX scenario for a BWR that was assessed using the IDHEAS-ECA HRA method.
There were several pieces of information that were provided to the HRA analysts in order to perform HRA quantification. This appendix provides the following:
- FLEX scenario description
- HRA/PRA modeling for the FLEX scenario
- Key modeling assumptions
- Key timing information (including a FLEX scenario script)
- Illustrative assessments of plant site visit notes into preliminary IDHEAS-ECA assessments The HRA analysts also were asked to consider the understanding of FLEX summarized in the plant site visit notes, especially the combined notes, that are given in Section 2.
B.1 FLEX Scenario Description With a BWR at 100 percent power, a Beyond Design Basis (BDB) seismic event occurs that results in the loss of all offsite power.
At the time of the seismic event and subsequent reactor trip, the plant was in a normal full power lineup with equipment operable/functional with the following exceptions:
- 1. One of two divisional diesel generators is out-of-service for extensive maintenance (i.e., a 10 year rebuild of the diesel engine).
- 2. The high pressure coolant injection (HPCI) system is out-of- service for extensive maintenance and not available for injection.
The plant has implemented procedures for FLEX mitigating strategies.
This event is identical to a Station Blackout (SBO) event except that FLEX strategies have been implemented that provide the plant with additional capabilities (e.g., portable diesel generators and pumps).
In summary:
- A seismic event occurs that damages the plants switchyard, causing a loss of offsite power.
- Reactor and turbine trip occur; the operators enter their Emergency Operating Procedures (EOPs), beginning efforts to stabilize plant conditions.
- One Emergency Diesel Generator (EDG) is out of service for maintenance and the second EDG fails to start.
- By 15 minutes, the operators enter the procedure for the loss of offsite power, performing it in parallel with the EOPs. Also, an equipment operator is dispatched to try to determine why the EDG did not start.
- Within the first hour:
B-1
o The equipment operator attempts to restart the EDG but determines that major repairs are needed.
o Main Control Room (MCR) operators start a reactor pressure vessel (RPV) cooldown and try to control RPV water level and pressure.
o MCR operators initiate containment venting.
o MCR operators dispatch an equipment operator to perform SBO DC load shed.
o MCR operators receive reports that offsite power is not restored, and alternate power sources are unavailable.
- At (or before) 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after reactor trip:
o The SBO DC load shed is complete o MCR operators declare ELAP, then proceed to procedural guidance for using FLEX equipment, e.g.,
MCR operators dispatch an equipment operator to perform FLEX DC load shed.
FLEX guidance for assessing plant damage and travel paths is entered.
Debris removal is initiated.
Alternate communications are established.
- After 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, plant conditions begin to degrade, e.g.,
o Building heat up occurs due to loss of ventilation o The suppression pool heats up o Long-term RCIC operation (i.e., use of turbine-driven pump) is needed to maintain adequate core cooling
- At 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, debris removal is complete.
- At 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />, start deploying FLEX DG.
- At 5 1/2 hours:
o Operators start deploying FLEX pump o Critical electrical loads are supported by the FLEX DG.
- At 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, the ERO is staffed and the Shift Manager turns over Emergency Director (ED) function to the Technical Support Center (TSC).
- At 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, operators start refueling FLEX equipment.
- At 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />, operators start using the FLEX pump to inject into the RPV.
B.2 HRA/PRA Modeling This FLEX scenario is an extension of the typical PRA modeling for an SBO in which the FLEX strategy and associated equipment is credited.
B.2.1 PRA Modeling For the purposes of this analysis, the event tree shown in Figure 1-6 of EPRIs Human Reliability Analysis (HRA) for Diverse and Flexible Mitigation Strategies (FLEX) and Use of Portable Equipment report [1] is generally applicable. This figure is replicated as Figure A-1 in this report.
B-2
Figure B-1 FLEX Scenario Event Tree from EPRIs FLEX HRA report [1]
B.2.2 HRA Modeling As stated in Section 3.4.3, the list of HFEs addressed for the base case FLEX scenario is:
- 1. Operators fail to declare ELAP (or perform its equivalent)
- 3. Operators fail to deploy the FLEX diesel generator
- 4. Operators fail to fail to initiate containment venting A longer list of HFEs was originally considered for the FLEX scenario. However, given the limited resources for this project (e.g., project schedule, HRA analyst availability), the various teams providing inputs to this decision agreed to shorten this list to 5-6 operator actions for evaluation by HRA analysts. Considerations for selecting this shorter list of HFEs for the BWR FLEX scenario included experience from prior FLEX HRA efforts, relevance to both PWR and BWR FLEX strategies, what HFEs are currently included in SPAR models, and insights from the plant site visits. Also, some aspects of FLEX operator actions (e.g., transportation of FLEX equipment) was considered to be similar with respect to HRA concerns.
As noted in Section 3.4.4, HRA analysts referred to BWR plant-specific information (e.g.,
procedural guidance, information from plant-specific walkdowns, and timing validation information) to perform HRA assessments for each of the HFEs modeled for this scenario.
However, virtually all of the plant visit notes given in Section 2 played a role in the HRA analyst assessments. Considerable time and effort were put into developing the notes, including reviews by both FLEX experts and HRA analysts for accuracy and consensus. Given the B-3
amount of time devoted to understanding the operator action-related aspects of the FLEX scenario, there was little formal documentation of HFE descriptions.
The following are examples of summary information used by the HRA analysts to perform their evaluations:
- HFE - Operators fail to declare ELAP58 The plant-specific procedural guidance for this BWR is contained in the EOP that specially addresses the loss of offsite power. This procedure consists of several sheets of flowcharts. Also, the initial sheet (i.e., Sheet 1) contains transfers to other sheets depending on how many EDGs are available for operation. Both Sheet 5 and Sheet 6 apply to the case of no EDGs available, with Sheet 6 explicitly labeled ELAP.
In addition, there is a prominent Note next to this portion of the flowchart in Sheet 1, that defines ELAP as Extended loss of AC power (ELAP) exists when it is expected that no 4 kV bus will be re-powered within one hour. Discussions during the BWR site visit confirmed that training supports this determination. With the procedural guidance and training combined, this guidance in Sheet 1 was judged to be explicit with respect to HRA assessments. Sheet 6 (i.e., ELAP) consists of five parallel sections that are to be executed concurrently to address this plant condition (with references made to the relevant FSGs and other procedures needed for implementation). FLEX Strategies is one of the five sections (although FSGs are called out in other sections, as well).
- HFE - Operators fail to perform FLEX DC load shed FLEX DC load shed is identified in Sheet 6 (ELAP) of the BWRs plant-specific loss of offsite power procedure as a priority (red font coupled with a red arrow). A plant-specific FSG provides the procedural guidance for performing FLEX DC load shed. As the procedure shows, almost all of the breaker manipulations are performed in the same room. There are a few breaker manipulations to perform in two other locations.
Generally, fewer breaker manipulations are required for the FLEX DC load shed, as compared to the SBO DC load shed. It was noted in the BWR site visit walkdowns that the breakers that require manipulation for FLEX DC load shed are all marked with a FLEX blue tag for easy identification. For this reason, the FLEX DC load shed was judged to be similar in difficulty to the SBO DC load shed (and may be simpler due to fewer manipulations and the eye-catching, blue FLEX labels).
- Operators fail to deploy FLEX diesel generator Deploying the FLEX DG involves: 1) transport of the DG from the FLEX Building to the appropriate laydown area via FSG-10, 2) AC electrical alignment via FSG-13, and 3) installation, starting, and adding of loads. At the BWR site, field operators are used for all three tasks (while security personnel are used for transporting FLEX equipment at the PWR site. In all cases, field operators are responsible for doing electrical alignment, then installing, starting and loading. Electrical connections are standardized for FLEX and the FLEX DG is supposed to be easy to operate (e.g., push button), by design.
Field operators are trained on all actions. The training content and frequency requirements were developed via the Systematic Approach to Training (SAT). Vendors perform the testing of FLEX DGs, while field operator observe the testing.
58 Note that, for this BWR, there is no actual declaration of ELAP. Rather, there is an important procedure transition that is tied to the plant-specific definition of ELAP and MCR operators will announce Exiting Sheet 5, entering Sheet 6 (ELAP).
B-4
- Operators fail to fail to initiate anticipatory containment venting The purpose of anticipatory containment venting is to prevent core damage and preserve RCIC operation. Following the hardened containment vent systems (HCVS) vent path procedures, operators will enter T-102, Primary Containment Control EOP, when drywell pressure reaches 2 psig. Containment pressure cannot be maintained below 2 psig because there is no power to Standby Gas Treatment as a result of declaring ELAP. Once containment pressure exceeds 2 psig AND pressure reduction is required to restore and maintain adequate core cooling (required for RCIC preservation strategy), then the operators are instructed to vent containment using procedure, T-200.
The operator is guided to the preferred vent path for ELAP: T-200J. The operators work through T-200J to steps for bursting the rupture disc, opening the containment vent values, and monitoring vent status.
B.3 Key Modeling Assumptions Sections 3.3 and 3.4.2 provide the general and FLEX scenario-specific assumptions, respectively.
In the materials provided before the FLEX HRA workshop, the HRA analysts were asked to focus on the following assumptions59 as being particularly significant to the modeling of this FLEX scenario:
- 1. The initiating event and reactor trip occur at t=0.
- 2. The initiating event impacts all units on site.
- 3. The reactor is at-power at the time of the initiating event.
- 4. The reactor successfully shuts down (i.e., no ATWS).
- 5. The spent fuel pool is outside the scope of analysis.
- 6. There are no independent, concurrent events (e.g., no security threat).
- 7. The staffing level is the minimum required.
- 8. FLEX validation exercises and associated timelines provide adequate assurance of HFE feasibility (e.g., time required and time available for operator actions). (This assumption applies to the base scenarios considered, as well as some of the scenario variations.)
- 9. FLEX validations exercises and associated timelines use the same starting point for the start time (or time delay) and the success criteria (or time available).
- 10. FLEX validation times for operator actions are used as-is, even if they appear to apply to both units on site. (In some cases, it might be possible to separate Unit 1 and Unit 2 timing information. In other cases, it appears that a single operator will perform actions for both units.)
- 11. The HRA/PRA model addresses accident progression out to 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />s60 after the initiating event.
- 12. Even if there is some warning prior to the initiating event, there is inadequate time to pre-stage FLEX equipment that requires transportation, etc.
59 Many of these assumptions are the same or similar to that in EPRIs FLEX HRA report [1].
60 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is the traditional PRA mission time. There will be plant-to-plant differences on what FLEX actions are needed within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.
B-5
In addition, for the base case FLEX scenario, it is assumed that the operators know that there is widespread damage from the external event61 B.4 Scenario Timing Information There are several sources of scenario timing information that can be useful to HRA/PRA. For example, the description of the FLEX scenario given in Section B.1 outlines the key events as the FLEX scenario progresses. In addition, each NPP has developed an integrated timeline62 for FLEX that shows all key actions, and the associated plant staff who perform these actions, throughout the FLEX scenario. Also, as part of implementation of FLEX strategies, each NPP has performed time validations for time sensitive actions. Finally, scenario scripts are another way to present how the scenario unfolds, but with additional plant behavior and operational details. The next subsections discuss and/or present some of the timing information used by the HRA analysts in using IDHEAS-ECA.
B.4.1 Excerpts from Plant-Specific Integrated Timeline According to the integrated timeline for the two-unit site, the following plant staff take on roles that are important to HRA;
- Inside the MCR:
o Shift Manager o Control Room Supervisor (CRS) o Shift Technical Advisor (STA) o 2 Reactor Operators (ROs) - 1 per unit o Senior Reactor Operator (SRO)/RO
- Outside the MCR:
o 6 Equipment Operators (EOs)
Other plant staff (e.g., Instrumentation and Control (I&C) technicians, security personnel) assist the EOs in various tasks (e.g., debris removal, helping to deploy hoses).
B.4.2 FLEX Scenario Script Using the BWRs plant-specific FLEX scenario script, the scenario script shown in Table B-1 was developed. The scenario script was, in turn, used as the basis for the summary description of the FLEX scenario. A scenario script, such as that shown in Table B-1, can be an especially important information source if there is no opportunity to observe relevant simulator exercises.
61 One variation on the base case FLEX scenario is that there is less damage and less widespread damage.
62 These timelines are extensions of the integrated timelines developed for main control room abandonment scenarios for fire HRA/PRA that are described in NUREG-1921 Supplements 1 and 2 [x, y].
B-6
Table B-1 FLEX Scenario Script Sequence Condition Action Notes 1 A BDB seismic event 1. Turbine trip on load
- Rapid loss of occurs, causing reject (automatic) condenser vacuum T=0 significant damage to 2. Reactor Scram on
- MSIV closure plant switchyard Turbine Trip (automatic)
- RPV level drop due generator output that to void collapse is not readily recoverable.
2 Reactor Core 1. Operator at the controls Isolation Cooling provides scram report T= 0 - 5 (RCIC) system 2. Enter T-101 on low Rx minutes automatically starts water (+1) level/high on low reactor water pressure (1085 PSIG) level and injects into 3. Report of seismic event the RPV from the called into MCR.
Suppression Pool 4. Report of switchyard suction. damage; enter seismic procedure in parallel with EOPs
- 5. Initial plant stabilization
- a. Confirm Reactor S/D by observing all control rods fully inserted
- b. Stabilize RPV pressure using Safety Relief Valves (SRVs) below 925 PSIG Restore/maintain RPV level using RCIC in a band of +5 to +35 inches B-7
Table B-1 FLEX Scenario Script Sequence Condition Action Notes 3 Standby Emergency 1. Enter SE-11 Attachment SAE declaration Diesel Generator fails 1 for loss of offsite begins process of T= 0-15 to start and load power obtaining off-site minutes respective bus. Loss 2. Continue use of EOPs in support/staffing ERO.
of all AC power. parallel
- 3. Dispatch operator to the EDG that failed to start to determine cause of start failure (SE-11 Attachment B)
- 4. Dispatch operator for damage assessment (FSG-001)
- 5. Shift Manager recognizes Emergency Action Level (EAL) condition, declares Site Area Emergency (SAE)/activates Emergency Response Organization (ERO) 4 While attempting 1. Local manual start SBO and ELAP local manual D/G attempt is made, loud response is T = 15 - 60 start, Equipment knocking noise and large functionally the same minutes Operator reports loud oil leak observed, EDG for the initial actions.
knocking noise and emergency shutdown large oil leak from 2. RO reports that local one Emergency D/G manual start attempts of and unsuccessful the EDG are start of the second unsuccessful, major oil Emergency D/G. leak on one EDG
- 3. Unit Supervisor (US) continues with SE-11 Attachment 1 actions 5 Decay heat maintains Commence RPV cooldown Not time critical but high RPV pressure to 500 PSIG then maintain consistent with SBO T= 20 requiring SRV 200 to 300 PSIG at strategy. Maintaining minutes actuation 100°F/hour pressure at 200 to 300 PSIG preserves RCIC operation.
6 Battery chargers are Use SE-11 Attachment T to Prolong safety related no longer maintaining commence SBO DC Load battery life.
T = 15 - 45 battery charge due to Shed. Completion time is the loss of all AC time sensitive.
power.
B-8
Table B-1 FLEX Scenario Script Sequence Condition Action Notes 6 SRV actuation 1. US assigns actions to RCIC preservation complicates RPV defeat RCIC trips using 15 - 45 level control, other T-225 and T-229 minutes plant conditions
- Low RPV Pressure
- Extends battery life T = 60 started at T =15 complete
- Allows deep DC T= 60 complete but not 11 Sheet 6 load shed minutes sufficient for ELAP 2. Start ELAP DC Load
- Extends battery life conditions Shed 9 Limited pneumatic 1. Start equipment
- Communications T= 60 building heatup from (FSG-001)
- Equipment minutes loss of normal 2. Start debris removal qualification ventilation, RCIC (FSG-002)
- Long term heat up of 3. Start Alternate Radio pressure control Suppression Pool Antenna deployment
- RCIC preservation challenges long term (FSG-020)
RCIC operation 4. Start RB natural circulation (FSG-033)
- 5. Start Alignment of N2 to automatic depressurization system (ADS) SRVs (T-261 or FSG-044)
- 6. Line up to vent Containment (T-200, T-200J) 10 Suppression Pool If RCIC is needed for Maintain Suppression T= 60 temperature rise from adequate core cooling and Pool temperature less minutes RCIC operation Containment Pressure than 240°F to preserve or when challenges RCIC exceeds 2 PSIG, vent RCIC operation Containment operation containment (T-200, T-200J)
Pressure reaches 2 PSIG B-9
Table B-1 FLEX Scenario Script Sequence Condition Action Notes 11 Long term RCIC Defeat additional RCIC trips Maintain RCIC T = 60 - 90 operation is needed using FSG-043 injection minutes to maintain adequate
- Exhaust valve isolation core cooling
- Torus Suction valve isolation
- RCIC steam supply valve closure
- RCIC min flow valve closure
- RCIC Turbine Trips 12 ELAP DC Load Shed ELAP DC Load Shed is Extends battery life T = 90 started at T+60 complete minutes 13 Debris removal Complete debris removal FSG-001 used to T = 120 necessary to support select best pathway minutes deployment of FLEX with minimum debris (2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />) equipment removal 14 Batteries have limited Start deployment of 480 volt Maintain power to availability, source of AC FLEX D/G to supply critical equipment T = 180 power to inverters, selected loads (FSG-010) needed for long term minutes instrumentation and coping (3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />) control power 15 Loss of normal Start establishing Battery Maintain equipment T = 195 - ventilation results in Room ventilation (FSG-031). qualification/prevent 270 minutes battery room heatup, Complete at T+270 hydrogen buildup (31/4 - 41/2 battery charging hours) results in production of hydrogen 16 Loss of cooling Start establishing Control Maintain Control Room results in heat up of Room ventilation (FSG-039) habitability T = 330 Control Room minutes (51/2 hours) 17 RCIC is the sole Commence deployment of Backup to RCIC T = 330 source of RPV portable FLEX pump (FSG- Makeup to Torus minutes makeup 040)
( 51/2 hours) 18 FLEX D/G Supply critical electrical Recharge batteries deployment started at loads with 480 volt AC FLEX Maintain power to vital T = 330 T+180 D/G equipment, controls minutes and indications (51/2 hours)
B-10
Table B-1 FLEX Scenario Script Sequence Condition Action Notes 19 ERO staffed 1. Shift Manager turns over
- ERO Command and ED function to TSC. Control to TSC T = 360 Typical ERO staffing Turnover checklist Objective is to minutes time is less than 60 includes: reduce (6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />) minutes but assumed
- Plant status and administrative 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> per NEI 12- trends burden from 01
- ERO Command and Control Room Control staff
- 2. Corporate ED briefs
- Command and TSC Control of plant retained by Control Room using Operating Procedures 20 RCIC heat load Complete RCIC Room Preserve RCIC T = 390 raises RCIC room ventilation using FSG-032 operation, maintain minutes temperatures with and FSG-033 room temperature (61/2 hours) loss of normal below 150°F ventilation 21 Fuel oil consumption Commence refueling FLEX Fuel oil tanks are T = 720 will require that FLEX equipment (FSG-050) maintained at greater minutes equipment be than 1/4 full. The (12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />) refueled on a periodic typical fuel oil tank basis volume contains enough fuel for 10 to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> of operation at full load. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is considered he earliest that refueling would be required.
22 Prolonged RCIC Start injection to Torus Provides long term T = 1800 operation and (FSG-042) water supply for minutes containment venting indefinite coping.
(30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />) result in loss of Suppression Pool water inventory Break in Scenario - Plant has long term stability in this condition, but the scenario continues with the transition to the portable FLEX pump B-11
Table B-1 FLEX Scenario Script Sequence Condition Action Notes 23 RCIC trips and 1. Unit Supervisor enters
- Transition from T = 1800 cannot be restarted. alternate level control RCIC to low minutes RPV water level strategy pressure FLEX (30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />) continues to lower. 2. US directs operator to pump.
FLEX pump is lined inhibit the automatic
- FLEX pump up for injection and depressurization system discharge RPV pressure has (ADS) capability is <150 been reduced to 3. US directs RPV PSIG about 150 PSIG blowdown
- RPV blowdown is
- 4. US directs RPV injection required to allow using FLEX portable FLEX pump pump to maintain RPV injection water level.
- Plant is stable with injection using the FLEX portable pump and the FLEX generator suppling essential electrical loads.
End of Scenario B.4.3 HFE Timing Information and Plant-Specific FLEX Final Integrated Plan Standard HRA terminology for timing parameters (see, for example, Section 4.6.2 in NUREG-1921 [ref]) is used here, e.g.,
- Start time (T0) (or t=0). Typically, the start of the event, such as when reactor trip occurs.
- System time window (Tsw). The time from the start of the event until the action is no longer beneficial (typically, when irreversible damage occurs, such as core or component damage).
- Delay time (Tdelay). The time from the start (typically the initiating event) until the time at which the operators acknowledge the cue.
- Time available (Tavail). The time available for operator action(s); Tavail = Tsw - Tdelay
- Time required (Treqd). The time needed to complete the operator action(s), both cognitive and execution contributions.
The plants validation results are used as timing inputs. Consistent with NEI 12-06, the plant used a graded approach for performing validations of time sensitive actions (TSAs) (i.e., there is a time constraint on the maximum amount of time in which the action can be performed successfully), where:
Level A Used for TSAs started within the first 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Level B: Used for TSAs started between 6 and 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after the event initiation Level C: Other tasks or manual actions in the OIP/FIP that are labor intensive or require significant coordination The FIP uses the following titles for documenting the NPPs validations along with how HRA analysts should interpret these titles into the timing parameters identified above:
B-12
- Start time - This heading appears to be equivalent to the delay time.
- Time constraint - This heading appears to be equivalent to the system time window.
- Success criteria - This heading appears to be equivalent to the time available.
- Results - This heading appears to be equivalent to the time required.
The analyst should be cautioned that interpreting the timing results for a plants validation plan may be complicated if the site is multi-unit. The validation plan results may be for both units, while this analysis is focused on a single unit. In some cases, unit-specific results may be available. In other cases (especially if a single field operator is performing both Unit 1 and Unit 2 actions), the timing data cannot be separated for a single unit. As noted in the Key Assumptions section, this analysis will use the final results reported in the NPPs FIP (which is typically for both units on site).
Perform debris removal The plants validation plan does not identify this action as time sensitive. In addition, the event timeline in the plants validation plan shows that this is action is not time constrained.
Initiate Containment Venting This action is identified as a Level A TSA in the plants validation plan. For Level A TSAs, a simulator or timed walkthrough is performed to develop results.
The time available (identified as success criteria in the validation results) is 45 minutes from t=15 minutes. The time required (identified as results) is approximately 42 minutes.
Declare ELAP.
This action is identified as a Level A TSA in the plants validation plan. For Level A TSAs, a simulator or timed walkthrough is performed to develop results.
The time available (identified as success criteria in the validation results) is 60 minutes (or 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />) from t=0. The time required (identified as results) is 40 minutes.
Perform FLEX DC Load Shed (or deep load shed)
This action is identified as a Level A TSA in the plants validation plan. For Level A TSAs, a simulator or timed walkthrough is performed to develop results.
The time available (identified as success criteria in the validation results) is 30 minutes from t=15 minutes (when the EO is dispatched). The time required (identified as results) is about 14 minutes.
Deploy FLEX diesel generators (DGs) (including transportation, installation, starting)
This action is identified as a Level A TSA in the plants validation plan. For Level A TSAs, a simulator or timed walkthrough is performed to develop results.
The time available (identified as success criteria in the validation results) is 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, with EOs being dispatched to start this action at t=3 hours (i.e., action must be complete by t=7 hours).
The time required (identified as results) is about 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> and 16 minutes.
B-13
Deploy FLEX pump (including depressurization, if needed, transportation, etc.)
This action is identified as a Level A TSA in the plants validation plan. For Level A TSAs, a simulator or timed walkthrough is performed to develop results.
However, the particular action addressed in the plants validation plan is for feeding the spent fuel pool, which is not an action that is addressed in this report.
Refuel FLEX DG This action is not explicitly addressed in the plants validation plan.
Refuel FLEX pump This action is not explicitly addressed in the plants validation plan.
B.5 Preliminary IDHEAS-ECA evaluations The NRC technical team provided the HRA analysts with examples of how to interpret the site visit notes (Section 2) into the terminology used in IDHEAS-ECA [ref]. The notes shown below are that illustrative work.
B.5.1 Mapping Relevant HRA Information on FLEX to IDHEAS-ECA Context IDHEAS-ECA [x] discusses different contexts as part of applying this HRA method. Below are illustrative examples of how FLEX information, collected as part of the FLEX HRA project, could be mapped to these different types of contexts in IHDEAS-ECA. However, the HRA analysts participating in the FLEX HRA project were asked to perform their own analyses.
Environmental context. Operator actions performed in the MCR are not directly affected by environmental conditions. Operator actions performed outside of the MCR may be influenced by debris. Operator action for debris removal will be directly affected. For other actions, alternate travel paths may be needed, and flashlights will be needed.
System context. Initially, there will several calls to the MCR from field operators to report what work was stopped by the seismic event and associated loss of all AC power. After those calls, the MCR environment will be less busy than usual since, without AC power, most systems will not be running. The turbine-driven RCIC pump and associated indications will be the focus of MCR operators along with dispatch and communication with field operators who are clearing debris and deploying FLEX equipment.
Field operators will be outside the plant dealing first with debris removal, then deploying FLEX equipment. Operator actions performed inside the plant (e.g., DC load sheds) will require flashlights to see equipment to operate.
Personnel context. For MCR operators, the crew has worked as a cohesive crew for a long time. The MCR crew is experienced. The NPPs Conduct of Operations is followed, EOPs are being used, and FSGs are embedded in the EOPs for easy entry. Station Blackout (SBO) scenarios are practiced frequently in the simulator.
The field operators are trained on all operator actions required for this scenario (which are principally in the plants FSGs). Debris removal and transportation of FLEX equipment do not require extensive training, like actions that may typically be called out in EOPs.
B-14
Task context. For MCR operators, SBO scenarios are practiced frequently. Also, after SBO and FLEX DC load sheds (after which there is no other running equipment and few indications),
the principal responsibilities of the MCR operators is to keep the RCIC pump running and support the field operators in their actions.
For field operators, many of the operator actions (e.g., remove debris, transport FLEX equipment), required relatively unskilled labor. Other actions (e.g., FLEX DC load shed) are similar to actions that are practiced more frequently and may have associated job performance measures (e.g., SBO load shed). Also, FLEX actions have been supported by industry-wide efforts to make FLEX actions simple (e.g., color coding of electrical connections, common FLEX pump connections). Further, this NPP has added FLEX-specific tags on the breakers to be manipulated in the FLEX DC load shed action.
B.5.2 HFE Characterization and Performance Influencing Factors The HRA analysts participating in the FLEX HRA project were asked to use the site visit notes to identify relevant influencing factors63 for each of the HFEs identified above. The following performance influencing factors are considered by IDHEAS-ECA (see Reference Z, Table 2-1, page 2-3) under the high-level headings of Environment and situation, System, Personnel, and Task:
- 1. scenario familiarity,
- 2. task complexity and mental fatigue,
- 3. multi-tasking, interruptions and distractions,
- 4. key cues and indications,
- 5. time availability/urgency,
- 6. staffing,
- 7. procedures,
- 8. training and experience,
- 9. human-machine interface,
- 10. environment,
- 11. equipment and fitness needs,
- 12. communications,
- 13. teamwork and command and control, and
- 14. time pressure and stress.
B.6 References
- 1. EPRI, Human Reliability Analysis (HRA) for Diverse and Flexible Mitigation Strategies (FLEX) and Use of Portable Equipment - Examples and Guidance, 3002013018, November 2018.
- 2. Plant-specific information, such as:
- a. Procedure for Containment Venting
- b. Procedure for Containment Venting Via the Torus Hardened Vent
- c. Plant-specific FLEX Final Integrated Plan
- d. Plant-specific Validation Plan 63 The HRA analysts were told that the plant site visit notes (which were developed to be independent of HRA methods) contained discussions of performance shaping factors (PSFs) that may differ in definition from those described in the IDHEAS-ECA guidance [ref] and associated software tool [ref].
B-15
APPENDIX C NON-FLEX SCENARIO FOR A PWR: LOSS OF ALL FEEDWATER This appendix captures the description of the non-FLEX scenario involving the loss of all feedwater for a PWR that was used for the FLEX HRA project using IDHEAS-ECA.
There were several pieces of information that were provided to the HRA analysts in order to perform HRA quantification. This appendix provides the following:
- Non-FLEX scenario description
- HRA/PRA modeling for the non-FLEX scenario
- Key modeling assumptions
- Scenario timelines (for two cases)
- Preliminary assessment of influencing factors
- Procedure path (for two cases)
- Any additional notes made during the FLEX HRA Workshop that are relevant to HRA The HRA analysts also were asked to consider the understanding of the use of FLEX strategies and equipment (as summarized in the plant site visit notes given in Section 2) that may be relevant to this non-FLEX scenario.
C.1 Non-FLEX Scenario
Description:
Loss of All Feedwater With a Westinghouse PWR at 100 percent power, a loss of all feedwater occurs with 1A Auxiliary Feedwater pump out of service for maintenance.
C.1.1 Background With the plant at 100 percent power, the 1A AFW pump was undergoing monthly surveillance testing. During the test, the 1A AFW pump experienced a mechanical failure and tripped.
Operators responded to alarms and identified physical damage to the 1A AFW pump. The control room staff immediately declared the 1A AFW pump inoperable. The plant continued to operate at 100% power and there were no automatic or manual safety system responses initiated as a result of the failure. No other systems were impacted.
The licensee initiated an investigation to determine the cause and subsequent corrective actions required for the failure. As part of the investigation, a damage assessment identified that repairs could be made to the 1A AFW pump within the allowed outage time (AOT). Repair activities were initiated.
In addition, the licensee recently modified its loss of heat sink procedure, FR-H1, to provide guidance on the use of a FLEX pump to provide steam generator (SG) makeup.
C.1.2 Hypothetical Transient Event With the plant configuration and conditions described above, a hypothetical transient event occurs.
C-1
C.2 HRA/PRA Modeling This non-FLEX scenario is an extension of the typical PRA modeling for a loss of all feedwater with:
- one of two auxiliary feedwater pumps out of service for maintenance
- successful reactor trip/turbine trip
- remaining AFW pump (1B) fails
- Unit 2 AFW pump via crosstie is unavailable
- modifications to the loss of heat sink procedure (FR-H.1) to include the use of a FLEX pump C.2.1 PRA Modeling A loss of main feedwater event tree from NRCs SPAR models was used for the purposes of this project. This project also used a feedwater fault tree, modified to include FLEX pump credit following failures after 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> of operation of the motor-driven AFW pump. The event tree and fault tree are shown in Figures C-1 and C-2, respectively.
In addition, two different cases which respect to the timing of the AFW pump failure can be considered, both of which include use of FR-H1 modified to include use of a FLEX pump to provide feedwater from the refueling water storage tank (RWST):
- Case #1: The 1B AFW pump fails to start with entry into the loss of heat sink procedure, FR-H1, from E-0 (reactor trip/safety injection procedure), and
- Case #2: The 1B AFW pump fails to run (i.e., pump is assumed to fail 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after reactor trip) with entry into FR-H1 via the Critical Safety Function Status Tree, red path for loss of heat sink.
The implications of the two different cases are:
- Case #1: When the 1B AFW pump fails immediately, the FLEX pump will be available for injection AFTER the criteria for feed and bleed (F&B) is reached, and operators perform F&B, and
- Case #2: When the 1B AFW pump fails after 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, there is more time available after entering FR-H1 to deploy the FLEX pump before F&B criteria are met. In this case, FW is restored by the FLEX pump, so F&B does not need to be performed.
For the FLEX HRA project, only Case #2 was evaluated.
C-2
Figure C-1. Loss of Main Feedwater Event Tree - SPAR model Figure C-2. Potential fault tree model - FLEX pump feed to SG after motor-driven AFW pump fails at 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.
C.2.2 HRA Modeling For both cases discussed above, the following additional basic events and associated fault tree logic are needed to credit the FLEX pump:
- b. (Execution contribution) (Equipment or local) Operators fail to transport, set up, and start FLEX pump via FSG-3 (and FSG-5 per Step 2 of FSG-03)
- 2. FLEX pump fails to start (equipment reliability)
- 3. FLEX pump fails to run (equipment reliability)
So, there is only one HFE to model but with cognitive and execution contributions. The execution contribution should be identical to that for a FLEX scenario, except that there is no C-3
debris removal and, since a FLEX diesel generator is not needed for this scenario, the FLEX pump is the only equipment that needs to be deployed. Consequently, the only HFE contribution to assess is: Operators fail to initiate use of the FLEX pump.
The success criteria for the HFE is different depending on which scenario case is considered.
(See Scenario Timeline below.)
Critical Tasks - Operators fail to initiate use of FLEX pump (cognitive contribution)
The critical tasks for this HFE are developed based on the expected procedure path (which is given below):
- Operators reach Step 3 and read this CAUTION above Step 3:
If at any time it has been determined that restoration of feed flow to any SG is untimely or may be ineffective in heat sink restoration, then the AF crosstie should be implemented per Step 5.
- In parallel with other operator actions to implement FR-H1, the Shift Manager (SM) determines that restoration of feed flow to any SG will be untimely or ineffective, then transfers to Step 5 of FR-H1. This assessment would be based on an understanding of the current plant conditions, the AFW pump and other failures that have occurred, the status of efforts to restore feedwater, and the expected evolution of plant conditions in the future.
- Step 5, FR-H1 is implemented:
- a. SM has determined that restoration of feed flow will be untimely or ineffective.
- b. Check if the AF pump crosstie (to Unit 2) is available
- c. Dispatch field operator to align AF crosstie per 1FSG-3, Alternate Low Pressure Feedwater Critical Tasks - Operators fail to initiate use of FLEX pump (contribution from execution)
The execution contribution to this HFE is not developed; the critical tasks and associated performance influencing factors (PIFs) should be similar to that developed for the classic FLEX scenario. If time allows, HRA assessment of this HFE contribution could be performed as a variation on that for the classic FLEX scenario since different NPPs underlie the two different scenarios.
C.3 Key Modeling Assumptions The following assumptions were determined to be significant to the modeling of this event:
- The NPP has only two AFW pumps (neither of which are turbine-driven), and any cross-ties to AFW pumps on a second unit are unavailable.
- The 1A AFW pump is unavailable for short-term maintenance.
- The AFW pump for Unit 2 is NOT available for use via crosstie.
- All four condensate pumps have failed.
- 1-2 minutes per procedure step is generally assumed, unless the procedure explicitly indicates that operators need to perform tasks quickly (e.g., the caution in FR-H1 about performing F&B steps quickly). In cases when operators are expected to perform steps C-4
quickly (e.g., initial steps in E-0, F&B steps), approximately 1 minute or less per step is assumed.
- In the Case #1 scenario:64 o the time to satisfying the criteria for the red path on heat sink in the Critical Safety Function Status Tree is assumed to be 10 minutes after reactor trip (since the 1B AFW pump fails to start at t=0).
o the time to satisfying the criteria for F&B (i.e., low SG levels) after entering FR-H1 is about 40 minutes.
o the time to steam generator dry out is greater than the time needed to deploy the FLEX pump (including time needed to get to relevant steps in FR-H1);
consequently, the FLEX pump can be used to inject water in the SG after successful F&B.
- In Case #2:
o the time to satisfying the criteria for the red path on heat sink in the Critical Safety Function Status Tree is assumed to be 20 minutes after the 1B AFW pump fails to run (i.e., 80 minutes after reactor trip).
o the decay heat removed while 1B AFW pump runs in the 1st hour after reactor trip is such that feed-and-bleed criteria are not reached until after the time needed to deploy the FLEX pump (including time needed to get to relevant steps in FR-H1; specifically, F&B conditions are not reached until greater than 78 minutes after FR-H1 is entered (i.e., more than 158 minutes after reactor trip).
- The SM needs a minimum of ~7-8 minutes upon reaching Step 3, and the associated caution, in FR-H1 to assess feed flow restoration efforts and decide to use the AF crosstie and FLEX pump to feed a SG. This time is used for Case #1. For Case #2, fifteen (15) minutes is used.
- Deploying a FLEX pump for feeding a SG from the RWST takes one hour to perform from the time of dispatch.
- Initial training on the modified FR-H.1 is performed for both MCR operators and field operators.
- The modified FR-H.1 is integrated into the normal MCR operator training cycle that includes simulator training every two years plus classroom training. The simulator training is not integrated with FO training (e.g., operator trainers play the role of FO with respect communications).
- The modified FR-H.1 is integrated into the normal FO training cycle with classroom training plus FLEX training on use of the FLEX pump.
C.4 Non-FLEX Scenario Timeline There are two scenario timelines to consider - one each for the two cases described above.
C.4.1 Non-FLEX Scenario Timeline for Case #1: AFW pump trips at t=0 For this case, the success criteria for the HFE - Operators fail to initiate use of FLEX pump - is that all operator actions, both cognitive and execution, are completed before the steam generators dry out. This time will be plant-specific. However, the FLEX pump could be used to re-establish feedwater to a SG (before it assumed that the SG has not reached dry out conditions), but this would be AFTER feed and bleed (F&B) is performed.
64 This case was not evaluated in this project.
C-5
Note: Per the event tree shown in Figure C-1, this case is typically not addressed (i.e., if F&B is successful, the subsequent event tree headings and end states do not address restoration of FW). Consequently, it is not immediately apparent what PRA credit could be obtained by using the FLEX pump if typical PRA modeling is used. However, additional PRA modeling could be performed to show such potential credit.
- T=0 Reactor trip; operators enter E-0. Auto-start signal for 1B AFW pump occurs, but pump fails to start.
- T=2-5 minutes Operators reach Step 4 in E-0, then transfer to ES-0.1 (Reactor Trip Response). Per training, operators start monitoring the Critical Safety Function Status Tree following transition out of E-0.
The Shift Manager (SM) arrives in the MCR about 5 minutes after reactor trip.
- T= 5-10 minutes In parallel with implementation of ES-0.1, Operators recognize that, without any FW pumps running (i.e., all AFW pumps are failed), they will be on the red path for heat sink in the Critical Safety Function Status (CSFS) tree. Steam generator (SG) levels are dropping. Without FW, operators will be anticipating transition to FR-H1. The Shift Technical Advisor (STA) arrives (as required) and takes over his/her responsibilities, including monitoring the CSFS tree.
- T= 10 minutes SG levels drop below 10% narrow range (and less than 500 gpm AFW flow); conditions for red path on heat sink are met.
Operators transition immediately to FR-H1.
- T=11-12 minutes Operators reach Step 2 in FR-H1. Since the F&B criteria are NOT met, they continue to monitor for F&B conditions, trip all RCPs, and proceed to Step 3.
- T=12 minutes Operators reach Step 3 in FR-H1. A caution between Step 3 directs operators to proceed to Step 5 to establish FW via AFW crosstie (and FLEX pump) if restoration of feed flow to any SG is not expected to be timely. The SM is responsible for deciding when/if the AFW crosstie and FLEX pump will be used. He/she begins assessing efforts to restore 1B AFW pump, as well as SG levels.
- T=13-21 minutes Operators continue working through FR-H1. The SM completes the assessment of feed flow restoration efforts and decides that the AF crosstie and FLEX pump should be used. Operators go to Step 5, complete Steps 5a-5c, including dispatching field operator to implement FSG-3 to deploy the FLEX pump to feed an SG.
- T=50 minutes F&B criteria are met; operators immediately proceed to Step 15 to implement F&B (including the caution before Step 15 for implementing Steps 15 - 18 quickly).
C-6
- T= 51-55 minutes Operators implement Steps 15 - 18 for F&B.
- T= 81 minutes FSG-3 and FSG-5 are implemented and FLEX pump is in operation, supplying feed flow to an SG (1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after operator dispatch in caution before Step 3 in FR-H1).
C.4.2 Non-FLEX Scenario Timeline for Case #2: AFW fails to run after 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> of operation For this case, the success criteria for the HFE - Operators fail to initiate use of FLEX pump - is that all operator actions, both cognitive and execution, are completed before F&B criteria are reached. The time to when F&B criteria are reached is plant-specific, depending on a variety of factors including how long the AFW pump runs before failing. (See Key Modeling Assumptions above.
Note: This case can be addressed in PRA by using modified fault trees (FTs) such as that shown in Figures 2 and 3. PRA credit for using the FLEX pump and associated revised EOPs by comparing results of the modified FTs versus the original FTs (that do not include the FLEX pump).
- T=0 Reactor trip; operators enter E-0. AFW pump starts on auto-signal.
- T= 2-5 minutes Operators reach Step 4 in E-0, then transfer to ES-0.1 (Reactor Trip Response). Per training, operators start monitoring the Critical Safety Function Status Tree following transition out of E-0.
- T=5-60 minutes Operators continue implementing ES-0.1. The SM arrives about 5 minutes after reactor trip and the STA arrives 10 minutes after reactor trip.
- T=60 minutes 1B AFW pump stops (e.g., fail to run)
- T= 80 minutes Operators enter FR-H1 via red path on loss of heat sink in Critical Safety Function Status Tree.
- T= 81-82 minutes Operators reach Step 2 in FR-H1. F&B criteria are NOT met, so operators monitor for F&B conditions, trip RCPs, and go to Step 3.
- T= 82 minutes Operators go to Step 3. A caution before Step 3 directs operators to proceed to Step 5 to establish FW via AFW crosstie (and FLEX pump) if restoration of feed flow to any SG is not expected to be timely. The SM is responsible for deciding when/if the AFW crosstie and FLEX pump will be used. He/she begins assessing efforts to restore 1B AFW pump, as well as SG levels.
At Step 3, sub-step I, the operators will be in the RNO column with adequate feed flow NOT verified. The RNO directs operators to Step 4 - Stop all RCPs (in order to reduce RCS heat input).
C-7
- T=83-98 minutes Operator continue working through FR-H1. The SM completes his assessment of feed flow restoration efforts and decides that the AF crosstie and FLEX pump should be used. Operators go to Step 5, complete Steps 5a-5c, including dispatching field operator to implement FSG-3 to deploy the FLEX pump to feed an SG.
- T=98 minutes Operators reach Step 5, complete steps 5a-5c, including dispatching a field operator to implement FSG-3 to deploy the FLEX pump
- T=158 minutes FSG-3 and FSG-5 are implemented and the FLEX pump is in operation, supplying feed flow to an SG (1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after operator dispatch in caution before Step 3 in FR-H1).
C.4.3 Non-FLEX Scenario - Potential Variations Hypothetical variations on Case #1 that could result in PRA credit are:
- Case #1, Variation #1 - FLEX pump must be deployed in less than 38 minutes:
o The FLEX pump is pre-staged soon after the 1A AFW pump is declared inoperable.
o Standing orders/temporary procedure for starting the FLEX pump are put into place with an HRA-credited mechanism for implementation with E-0.
o The standing orders/temporary procedure are part of every shift turnover.
o The caution before Step 3 in FR-H1, and associated training, are modified such that an evaluation of feed flow restoration is not needed; instead, the SM dispatches field operators to complete final connections for the pre-staged FLEX pump in parallel with efforts to re-start the 1B AFW pump. Awareness of the time available (i.e., less than 38 minutes) is included in training for the SM and field operators. This potentially changes the task complexity (see discussion below) to NOT complex because SM/operators would be trained that there is no consequence to starting the process of deploying the FLEX pump. If normal AFW is restored before the FLEX pump is operated, there are no irreversible steps to overcome.
o Timing validations (e.g., walk-throughs) are performed for the field operator actions required to complete set-up and operation of the pre-staged FLEX pump.
Depending on plant-specific thermal hydraulic calculations, the timing in Scenario #2 also may require revision to obtain PRA credit. In such cases, it may be possible to meet the plant-specific timing requirements by implementing only one of the strategies suggested above (e.g.,
pre-staging the FLEX pump, further modifying FR-H1 and associated training) for Case #1.
C.5 Non-FLEX Scenario and HRA Influencing Factors There are some different influencing factors for each of the HFEs identified above. The following performance influencing factors are considered by the IDHEAS-ECA guidance (see Reference x, Table 2-1, page 2-3) under the high-level headings of Environment and situation, System, Personnel, and Task:
- 1. scenario familiarity, C-8
- 2. task complexity and mental fatigue,
- 3. multi-tasking, interruptions and distractions,
- 4. key cues and indications,
- 5. time availability/urgency,
- 6. staffing,
- 7. procedures,
- 8. training and experience,
- 9. human-machine interface,
- 10. environment,
- 11. equipment and fitness needs,
- 12. communications,
- 13. teamwork and command and control, and
- 14. time pressure and stress.
The discussion below is preliminary and illustrative of how particulars of the scenario and associated actions would be assessed with the factors above.
HFE: Operators fail to deploy FLEX pump (cognitive contribution)
This action is performed in the main control room (MCR) so there are no environmental conditions of concern. Similarly, MCR design features important to this action are the same as those considered in typical HRAs (and there are no concerns with respect to human-machine interface, no requirements for equipment, no fitness concerns). Also, because operator actions are performed in the MCR, standard protocols for controlling calls to the MCR and physically entering the MCR, there are no unusual requirements for multi-tasking, and no interruptions or distractions. Communications and command and control are unchanged from that typically addressed by HRA/PRA (i.e., there is no need to explicitly model these PIFs).
The following PIFs are assessed further: scenario familiarity, task complexity, key cues and indications, time availability/urgency, staffing, training and experience, and procedures.
Scenario familiarity. MCR operators routinely train on F&B scenarios in the simulator. All operators would be trained initially on the modified FR-H1. Following initial training, the frequency of MCR operator training for on FR-H1 is assumed to be every 2 years. Specific training on a loss of all FW scenario with use of a FLEX pump is probably less frequent. As part of implementing FLEX strategies, all field operators received initial training on deploying a FLEX pump. Field operators will continue to train on deploying FLEX equipment once every yyy years.
Task complexity. Under the current conditions, task complexity could be assessed as complex since the SM has to understand previous plant condition history, including AFW pump failures and efforts to start the AFW pump.
Key cues and indications. The key MCR indications for entering FR-H1 on the red path for heat sink in the Critical Safety Function Status Tree are: 1) the loss of FW (i.e., no feed flow to any SG) and 2) dropping SG levels (via narrow range indicators). The key indications and procedural cues for deploying the FLEX pump are:
- Step 2 in FR-H1, check if F&B is required, and associated SG WIDE RANGE level indications
- The caution before Step 3 in FR-H1 about using the AF crosstie (go to Step 5) if feed flow cannot be restored.
C-9
- Indications of loss of feedwater, decreasing SG levels, reports (e.g., calls from field operators) on unsuccessful attempts to start AFW pump.
- a. Decision by SM that heat sink restoration efforts are not available or are untimely
- c. Align AF crosstie per 1FSG-3, Alternate Low Pressure Feedwater Time availability/urgency. MCR operators are trained to be aware of the urgency to complete steps related to F&B. For example, the caution before Step 15 (Establish RCS Feed Path) in FR-H1 states: Steps 15 through 18 must be performed QUICKLY to establish RCS heat removal by RCS feed and bleed. If operators are trained similarly on making the decision to deploy the FLEX pump, there should be a similar awareness of time and urgency. (Note: This is a potential example of another variation.)
Staffing. Typical MCR staffing is expected for this event. The key is whether or when the SM arrives in the MCR since he/she must make an expeditious decision on whether to go to Step 5 in FR-H1 and use the AF crosstie with the FLEX pump providing feedwater to an SG.
Training and experience. Prior to modification of FR-H1 to incorporate the FLEX pump, operators were trained once every 2 years on F&B scenarios. Also, MCR and field operators received initial training on use of FLEX equipment in FLEX scenarios. Similarly, MCR operators received initial training on the modified FR-H1 and will receive continuous training on the new procedure.
Procedures. The key procedures/guidance for these scenarios are:
- E-0, Reactor Trip or Safety Injection
- ES-0.1, Reactor Trip Response
- ST-3, Heat Sink, Critical Safety Function Status Tree
- FR-H.1
- 0FSG-5 & 1FSG-5, Initial Assessment and FLEX Equipment Staging - site wide and specifically for Unit 1 1FSG-3 provides the steps needed to put the FLEX pump into service, including an instruction to dispatch a field operator to use 1FSG-5, Initial Assessment and FLEX Equipment Staging, Attachment C. Both of these FSGs are principally related to the execution portion of the HFE.
C.6 Non-FLEX Scenario - Procedure Paths In order to credit this non-FLEX scenario in HRA/PRA, a clear path through existing procedures must exist, along with supporting cues and indications. Procedure paths for both cases are given below (although only Case #2 was evaluated).
C.6.1 Non-FLEX Scenario - Procedure Path for Case #1 The procedure path for Case #1 is the same as it would be for a F&B scenario, except that the modified FR-H1 contains steps and a caution that serve as entry conditions to using the FLEX pump to feed a SG.
C-10
For Case #1, The procedure path that operators will take is:
- Enter E-0 on reactor trip
- Operators reach Step 4 in E-0, then transfer to ES-0.1 (Reactor Trip Response).
- In parallel, operators start monitoring the Critical Safety Function Status Tree.
- When plant conditions satisfy criteria for the red path on heat sink in the Critical Safety Function Status Tree; enter FR-H1
- FR-H1:
- Step 1: Check if secondary heat sink is required: YES (got to step 2)
- Step 2: Check if Bleed and Feed is required:
NOTE: Onset of natural circulation (indicated by rising loop delta T) may cause RCS pressure to rise Response Not Obtained (RNO) (at least not yet)
- Monitor for B&F
- IF B&F condition occurs, thenStep 15 (not yet)
- Continue with Step 3 Operators continue to monitor for F&B conditions and will transfer directly to Step 15 when the F&B criteria are met.
- Step 3: Try to establish AF flow to at least one SG:
CAUTION: If at any time it has been determined that restoration of feed flow to any SG is untimely or may be ineffective in heat sink restoration, then AF crosstie should be implemented per Step 5.
- a. (several substeps trying to establish feed flow) b.
- c.
- d.
- e.
- i. Check AF pumps - BOTH RUNNING; Response Not Obtained (RNO) column:
- IF NEITHER pump will start, THEN dispatch an operator to start one pump per..Local control of safe shutdown equipment
- IF at least one AF pump can NOT be started, THEN GO TO Step 4
- Step 4: Reduce RCS heat input
- a. Stop all RCPs
- Step 5: Crosstie Train A AF from Unit 2:
CAUTION: The AF crosstie should be implemented per Step 5 if other attempts to restore feed flow to the SG(s) will not prevent initiation of feed and bleed. Use of the AF crosstie requires invoking 50.54x.
NOTE: Aligning the AF crosstie will make the 2A AF pump inoperable when Unit 2 is in Modes 1, 2, or 3.
NOTE: If adequate AF flow becomes available then establish AF flow from the affected unit and secure the crosstie.
- a. Shift Manager has:
Determined other heat sink restoration efforts are not available Has implemented 10 CFR 50.54 (x)
Approved implementation of 1BFSG-3, Alternate low pressure feedwater for AF crosstie Initially, the SM may not have made this decision. If not, then the RNO directs operators to Step 6.
C-11
When the SM decides that feed flow will be untimely or ineffective, the operators will return to this step.
This step is to ensure that the crosstie feed path is available.
- d. Narrow range level in at least one SG - greater than 10%: NO Verify adequate feed flow: NO.
If adequate feed blow can NOT be verified, then go to Step 6
- Step 6: Prepare FW system for restoration:
- a. Check CD/CB pumps - at least one running: NO If no CD/DB pumps are running, then go to Step 13. Observe caution and notes prior to Step 13.
At this point in the procedures, operators are directed to Step 13 to use low pressure feed flow with the FLEX pump.
However, it is possible that the SM made the decision to go to this strategy via the NOTE before Step 3 before operators work through FR-H.1 to this step. The timeline for Case #1 has the SM making this decision at 21 minutes after t=0.
- Step 13: Try to establish feed flow from any available low pressure source to at least one SG:
CAUTION: Following block of auto SI,.
NOTE: Main steam isolation will occur.
NOTE: Low pressure feedwater source should not be used unless other sources are unavailable.
NOTE: Bleed and feed should not be initiated due to low level in SGs being depressurized, unless core exit temperatures are above 557o F and rising. Steps 15 thru 18 should be performed if core exit temperatures rise.
NOTE: If an additional SG feed source restores another SG narrow range level above 10% and feeding with low pressure source is no longer necessary to remove decay heat, then the low pressure source should be isolated from the feed line and steam flow from the associated SG should be stopped.
- a. Shift Manager has:
Implemented 10CFR50.54 (x)
Authorized implementation of:
- EDMG-1, Extensive Damage Mitigation Guideline, Attachment 15 If the SM has NOT made the decision (RNO), then the operators continue to Step 14.
However, the RNO also directs operators to return to Step 13 WHEN the SM makes this decision.
The timeline for Case #1 has the SM making this decision at 21 minutes after t=0. When the decision is made, operators proceed to Step 13b (immediately below).
C-12
- b. Align one of the following feedwater sources with the final isolation valve closed
- c. Check low pressure feedwater source - READY TO PROVIDE FLOW It has been assumed that 60 minutes are needed to implement Step 13. The RNO states that WHEN low pressure available and ready to provide flow, THEN RETURN TO Step 13a.
GO TO Step 14.
- Step 14: Check for loss of secondary heat sink:
- WIDE RANGE level in any THREE SGs - LESS THAN 27%
- CETCs - GREATER THAN 557o F AND RISING
- SG wide range level less than 27% is the F&B criteria. If it is met, operators go on to Step 15 to perform F&B.
- [skipped steps]
- If not, RNO directs operators to go back to Step 1 in FR-H.1.
- [skipped steps]
- Whether F&B criteria are met now or after returning to Step 1, the F&B criteria will be met before the FLEX pump is ready to provide flow. So, operators will end up at Step 15, performing F&B.
- Step 15: Establish RCS feed path
- Step 16: Verify RCS feed path
- Step 17: Establish RCS bleed path
- Step 18: Verify adequate RCS bleed path Next steps in FR-H.1 are aimed at verifying equipment status, instrument air, etc.
- Step 26: Try to establish AF to at least one SG:
AF pumps are still failed. RNO for Step 26f directs operators to go to Step 27
- Step 27: Prepare FW system for restoration This will not work either. The RNO for Step 27a directs operators back to Step 26.
When the FLEX pump is ready, the operators will return to Step 13a.
Until then, operators will continue performing Steps 26 and 27.
C.6.2 Non-FLEX Scenario - Procedure Path for Case #2 For Case #2, the procedure path starts off similarly to Case #1, but the procedure path ends differently for Case #2:
- Enter E-0 on reactor trip
- Operators reach Step 4 in E-0, then transfer to ES-0.1 (Reactor Trip Response).
- In parallel, operators start monitoring the Critical Safety Function Status Tree.
- When plant conditions satisfy criteria for the red path on heat sink in the Critical Safety Function Status Tree (20 minutes after the 1B AFW pump fails); enter FR-H1
- FR-H1:
- Step 1: Check if secondary heat sink is required: YES (got to step 2)
- Step 2: Check if Feed and Bleed is required:
NOTE: Onset of natural circulation (indicated by rising loop delta T) may cause RCS pressure to rise Response Not Obtained (RNO) (at least not yet)
- Monitor for F&B
- IF F&B condition occurs, thenStep 15 (not yet)
- Continue with Step 3 Operators continue to monitor for F&B conditions and will transfer directly to Step 15 when the F&B criteria are met.
- Step 3: Try to establish AF flow to at least one SG:
CAUTION: If at any time it has been determined that restoration of feed flow to any SG is untimely or may be ineffective in heat sink restoration, then AF crosstie should be implemented per Step 5.
- f. (several substeps trying to establish feed flow) g.
- h.
- i.
- j.
- j. Check AF pumps - BOTH RUNNING; RNO column:
- IF NEITHER pump will start, THEN dispatch an operator to start one pump per .Local control of safe shutdown equipment
- IF at least one AF pump can NOT be started, THEN GO TO Step 4
- Step 4: Reduce RCS heat input
- a. Stop all RCPs
- Step 5: Crosstie Train A AF from Unit 2:
CAUTION: The AF crosstie should be implemented per Step 5 if other attempts to restore feed flow to the SG(s) will not prevent initiation of feed and bleed. Use of the AF crosstie requires invoking 50.54x.
NOTE: Aligning the AF crosstie will make the 2A AF pump inoperable when Unit 2 is in Modes 1, 2, or 3.
NOTE: If adequate AF flow becomes available then establish AF flow from the affected unit and secure the crosstie.
- a. Shift Manager has:
Determined other heat sink restoration efforts are not available Has implemented 10 CFR 50.54 (x)
Approved implementation of 1BFSG-3, Alternate Low pressure feedwater for AF crosstie Initially, the SM may not have made this decision. If not, then the RNO directs operators to Step 6.
When the SM decides that feed flow will be untimely or ineffective, the operators will return to this step.
2A AF pump - available.
This step is to ensure that the crosstie feed path is available.
- d. Narrow range level in at least one SG - greater than 10%: NO Verify adequate feed flow: NO.
If adequate feed blow can NOT be verified, then go to Step 6
- Step 6: Prepare FW system for restoration:
- a. Check CD/CB pumps - at least one running: NO If no CD/DB pumps are running, then go to Step 13. Observe caution and notes prior to Step 13.
At this point in the procedures, operators are directed to Step 13 to use low pressure feed flow with the FLEX pump.
However, it is possible that the SM made the decision to go to this strategy via the NOTE before Step 3 before operators work through FR-H.1 to this step. The timeline for Case #1 has the SM making this decision at 21 minutes after t=0.
- Step 13: Try to establish feed flow from any available low pressure source to at least one SG:
CAUTION: Following block of auto SI,.
NOTE: Main steam isolation will occur.
NOTE: Low pressure feedwater source should not be used unless other sources are unavailable.
NOTE: Bleed and feed should not be initiated due to low level in SGs being depressurized, unless core exit temperatures are above 557o F and rising. Steps 15 thru 18 should be performed if core exit temperatures rise.
NOTE: If an additional SG feed source restores another SG narrow range level above 10% and feeding with low pressure source is no longer necessary to remove decay heat, then the low pressure source should be isolated from the feed line and steam flow from the associated SG should be stopped.
- a. Shift Manager has:
Implemented 10CFR50.54 (x)
Authorized implementation of:
- EDMG-1, Extensive Damage Mitigation Guideline, Attachment 15 If the SM has NOT made the decision (RNO), then the operators continue to Step 14.
However, the RNO also directs operators to return to Step 13 WHEN the SM makes this decision.
The timeline for Case #1 has the SM making this decision at 21 minutes after t=0. When the decision is made, operators proceed to Step 13b (immediately below).
- b. Align one of the following feedwater sources with the final isolation valve closed
- c. Check low pressure feedwater source - READY TO PROVIDE FLOW It has been assumed that 60 minutes are needed to C-15
implement Step 13. The RNO states that WHEN low pressure feedwater source is ready to provide flow, THEN RETURN TO Step 13c.
Otherwise, GO TO Step 14.
- Step 14: Check for loss of secondary heat sink:
- WIDE RANGE level in any THREE SGs - LESS THAN 27%
- CETCs - GREATHER THAN 557o F AND RISING
- Wide range SG level less than 27% is the F&B criteria. In this case, the F&B criteria are not met.
- The RNO directs operators back to Step 1.
- Eventually, the FLEX pump will be ready, and operators will return to Step 13a to use FLEX pump to feed a SG. The F&B criteria will never be reached (if the FLEX pump operation is successful).
Execution Contribution - Operators fails to deploy FLEX pump This action is identical to that for implementing FLEX strategies in response to an external event except no external event has occurred (so environmental factors are not a concern and no debris removal is required),
Factors important to this contribution to the HFE are:
- Field/equipment operators are trained on equipment operations, generally, on a xx/year basis. All field operators are given initial FLEX equipment training, then refresher training every 4 years.
- FLEX equipment is simpler to operator than other (e.g., nuclear-grade) equipment. So, while training may be less frequent, the FLEX equipment is easier to operate.
- FLEX connections have been standardized, US NPP industry-wide. Also, color-coding is used for FLEX DG connections to ensure that correct connections are made.
C.7 Additional Notes Made During the FLEX HRA Workshop The information documented above was provided to the HRA analysts prior to the workshop.
During the workshop, the HRA analysts identified these additional assumptions as being important to this scenario and associated HFE:
- Operators will try only once to re-start 2nd AFW pump locally
- No instructions in NOTES or CAUTIONS
- Instructions in CAUTION do not have operators skip steps
- Time to implement Step 3f is about 10 minutes to dispatch C.8 References
- 1. IDHEAS-ECA guidance report
- 2. ES-0.1, Reactor Trip Response
- 3. FR-H.1, Response to Loss of Secondary Heat Sink, Unit 1 C-16
- 4. FSG-3, Alternate Low Pressure Feedwater, Unit 1
- 5. FSG-5, Initial Assessment and FLEX Equipment Staging, Unit 0
- 6. FSG-5, Initial Assessment and FLEX Equipment Staging, Unit 1
- 7. E-mail from C. Hunter, WOG-1B, Heat Sink Unit 1 - Critical Safety Function Status Tree C-17
APPENDIX D NON-FLEX SCENARIO FOR A PWR: STATION BLACKOUT WITH PRE-STAGED PORTABLE DIESEL GENERATORS This appendix captures the description of the non-FLEX scenario involving a station blackout (SBO) with an emergency diesel generator (EDG) out-of-service for long-term maintenance, and three FLEX Plus diesel generators (DGs) pre-staged to replace the EDG.
There were several pieces of information that were provided to the HRA analysts in order to perform HRA quantification. This appendix provides the following:
- Non-FLEX scenario description
- HRA/PRA modeling for the non-FLEX scenario
- Key modeling assumptions
- Scenario timelines (for two cases)
- Potential variations
- Preliminary assessment of influencing factors
- Any additional notes made during the FLEX HRA Workshop that are relevant to HRA D.1 Non-FLEX Scenario
Description:
SBO with One EDG Out-Of-Service and Three Pre-Staged FLEX Plus DGs With a Combustion Engineering PWR at 100 percent power and three FLEX Plus diesel generator (DG) pre-staged to replace an emergency diesel generator (EDG) that is out-of-service, an SBO occurs.
D.1.1 Background With the plant at 100 percent power, the 1B emergency diesel generator (EDG) experienced a significant mechanical failure during the performance of a regularly scheduled monthly surveillance test. The Unit 1 control room staff immediately declared the 1B EDG inoperable.
The plant continued to operate at 100% power and there were no automatic or manual safety system responses initiated as a result of the failure. No other systems were impacted.
Operators responded to alarms and identified physical damage to the 1B EDG based on oil and metal debris on the room floor. The main control room (MCR) staff immediately declared the 1B EDG inoperable.
The licensee later investigated the cause and subsequent corrective actions required for the EDG failure. As a result, the licensee determined that repairs to the 1B EDG could not be completed within the technical specification (TS) allowed outage time (AOT).
In addition to the analysis and evaluations used to extend the allowed outage time (AOT),
several pieces of FLEX equipment, namely: three (3) FLEX Plus (i.e., three AC portable diesel generators and their connections to the Train B FLEX 4.16 kV AC connection box) related equipment were deployed, hooked up, tested and placed into standby conditions ready to be operated if required on a loss of offsite power (LOOP) during the entire repair time.
Details of the pre-staging and associated contingency plan are given below (after the References section).
D-1
D.1.2 Hypothetical SBO With the plant configuration and conditions described above, a hypothetical SBO occurs.
D.1.3 FLEX Equipment Pre-Staging and Contingency Plan Three portable diesel generators (4.16 kV - FLEX Plus) are deployed to their FLEX pad to ensure the ability to bring Unit 1 to cold shutdown in the event of a LOOP during the extended period that the Unit 1 train B EDG is inoperable. The three portable diesel generators operate in parallel as a set. The result is that the three portable diesel generators are sufficient to enable a cold shutdown of Unit 1 in the event of a LOOP with a single failure during the extended time period while the Unit 1 train B EDG is inoperable. The three portable diesel generators are deployed and physically connected to the Unit 1 train B 4.16 kV AC FLEX connection box for the duration of the extended EDG B outage time. This configuration, as well as the associated equipment, is different than that used in response to a FLEX scenario (see FLEX Support Guidelines (FSGs)).
The conditions described below are maintained during the entire duration of the Unit1 EDG B outage for repair and restoration.
Operation of the FLEX DGs locally A test run was performed to demonstrate parallel operation of the three portable DGs after equipment is staged. In particular, the staged FLEX DGs were connected up and started with their output breakers open and paralleled to ensure that they would load share in parallel.
Routine inspections (start of shift and normal operator rounds during shift) of the portable DGs are performed by operations personnel to ensure normal standby conditions are maintained including lubrication and fuel levels, standby temperatures, and general equipment condition.
There is an extra65 reactor operator (RO) in the MCR that is designated66 to implement the contingency plan, including dispatch of an Auxiliary Operator (AO) to start the FLEX DGs. There is no automatic actuation of any of the installed FLEX equipment. All FLEX DGs would be manually started and operated, if required, by a dedicated AO. The dedicated AO is available 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> per day, although he/she may be assigned other duties when not needed to operate the FLEX DGs. Also, a designated AO is available 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> per day on all shifts to perform necessary refueling operations.
Training, briefings, and walk downs are provided to the Operators responsible for operating the portable DGs as part of the preparation for use of the generators. Operations crews are briefed on the implementing procedure. Designated operators will be familiar with instructions for starting and operating the portable DGs. Operations staff has received classroom training for FLEX strategies, which included the use of the portable DGs. Also, instructions for operating the FLEX DGs are given on a hard card that is stored with the FLEX DGs.
65 Extra means that there are more operators in the MCR than is required for minimum staffing.
66 The U.S. NPP industry generally refers to operators with such duties as designated. The distinction between designated and dedicated depends on how much time is available to take the action. (R. Linthicum)
D-2
MCR response for pre-staged FLEX DG configuration In order to put the pre-staged FLEX DGs into operation, a contingency plan was developed for the potential loss of offsite power, coupled with failure of the U1 DG A. Contingency plans (or standing orders) are typically used for plant configurations that are not normal.
Key details of the plants contingency plan for the using the pre-staged FLEX DGs are:
- The contingency plan is written like a procedure with specified entry conditions (including cues) and instructions.
- The contingency plan is stored in the MCR.
- The contingency plan calls for the dispatch of a dedicated AO who is responsible for starting the FLEX DGs.
- Specific cues for this contingency plan are:
o Reactor trip o Indications of loss of offsite power (e.g., trouble alarm for 4.16 kV switchgear) o Out-of-service tag67 for U1 DG B o Indications that U1 DG A fails to start
- A reactor operator (RO) is dedicated to implementing the contingency plan.
- The dedicated RO is additional staff (i.e., above the minimum staff requirement for the MCR).
- All MCR operators are briefed at every shift turnover on the contingency plan and associated plant configuration with the pre-staged FLEX DGs.
- Upon reactor trip, the MCR operators will perform immediate actions, as trained.
- In general, operators are trained on the strategies and hierarchy of procedures for LOOP that specify use of alternate power sources, including the portable DGs.
- In parallel with the performance of immediate actions, the dedicated RO will implement the contingency plan (if needed).
- The dedicated RO will dispatch the designated AO to perform the actions described in the contingency plan,68 which include several breaker manipulations and electrical connections, in addition to start of the FLEX DGs.
D.2 HRA/PRA modeling for the non-FLEX scenario This non-FLEX scenario is an extension of the typical PRA modeling for a grid-related loss of offsite power (LOOP) initiating event and subsequent station blackout (SBO) due to the failure of all the EDGs. In general, this loss of all AC power scenario involves the following key events:
- 1B EDG out-of-service for long-term repairs
- Successful reactor trip/turbine trip
- Remaining EDG (1A) fails to start
- Initial success of the turbine-driven auxiliary feedwater (AFW) pump
- Pressurizer PORV(s) successfully reclose given a demand
- Reactor coolant pump (RCP) seals remain intact D.2.1 PRA Modeling Although this scenario is similar to an SBO scenario, this project did not use an SBO event tree and associated fault trees. Because of the contingency plan to use pre-staged FLEX 67 For this plant, a paper tag is used. Some plants may use magnets.
68 For this hybrid scenario, the specific steps that the AO must take are in Palo Verdes procedure Operation Maintenance Activities, specifically in the section on the FLEX DGs. This procedure is on EPRIs file share site.
D-3
equipment, the SBO event tree would need to be modified to represent the new operator actions and equipment.
It should be noted that, for a complete risk-informed analysis, there should be consideration of the potential for damage to the FLEX DGs while pre-staged (since they will not be in the FLEX building and protected from an external event) and of the potential unavailability of the FLEX DGs for use in implementing FLEX strategies should an external event occur. However, for this specific NPP, the FLEX DGs are not the same FLEX DGs used in a FLEX event.
D.2.2 Operator Actions and Human Failure Events The following additional basic events are needed to credit the FLEX DGs (and parallel events for the FLEX pump):
- 1. Operators fail to properly stage FLEX DG (treated similarly to a pre-initiator of failing to restore equipment to service following test or maintenance)
- 2. Operators fail to dispatch auxiliary operator (AO) to perform steps for starting FLEX DGs69 (post-initiator)
Note that there are only three human failure events (HFEs) to address:
- 3. (Post-initiator; outside MCR) Operator fails to manually start FLEX DGs2 This analysis does not explicitly address the decision to pre-stage FLEX equipment or the transport of FLEX equipment. Also, refueling of FLEX equipment is not addressed in this analysis.
Critical Tasks.
In principle, critical tasks need to be identified for each of the three HFEs identified. However, the pre-initiator HFE could be similar to that for setting up the FLEX DGs for an external event (which is addressed in the classic FLEX scenario). So, critical tasks are identified for the two post-initiator HFEs only.
Critical tasks for the HFE defined as Operator fails to dispatch AO to use maintenance procedure for starting FLEX DGs are:
- Designated RO fails to dispatch AO to align and start FLEX DGs Critical tasks for the HFE, defined as Operator fails to properly align and manually start FLEX DGs are:
69 In this specific scenario description, we are assuming that the contingency plan has all of the instructions needed.
However, we also are using some plant-specific information. For example, there are specific steps for breaker manipulations, electrical connections, and starting the FLEX DGs that are found in a plant-specific maintenance activities document.
D-4
- Designated AO fails to properly align breakers and make other electrical connections
- Designated AO fails to start FLEX DGs D.3 Key Modeling Assumptions The following assumptions were determined to be significant to the modeling of this event:
- 1B EDG is out-of-service for repair.
- 1A EDG fails to start after reactor trip due to grid-related LOOP.
- Reactor and turbine trip are successful, and no other significant failures occur.
- Because the pre-staged FLEX DGs have a different configuration than that for response to an external event, the timing validations and associated staffing plan that the utility developed have limited applicability to this scenario.
- The FLEX DGs are connected when they are pre-staged with the exception of closing breakers to connect to the bus. Additional time is needed to sync the DGs.
- The total time elapsed from reactor trip until when the connections between the FLEX DGs and 4160 V bus are completed, FLEX DGs started and synched is less than 1 hour70 (when ELAP would need to be declared).
- The additional RO designated to implement the contingency plan is located in the MCR at all times, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> a day.
- There is a designated AO for performing tasks associated with putting the pre-staged FLEX DGs into service. However, this AO can be assigned other duties so will not necessarily be located where the FLEX DGs are staged when the AO is dispatched.
- Starting from when dispatched, the time needed for the AO to perform tasks associated with putting the pre-staged FLEX DGs into service is assumed to be 30 minutes, including required travel time to performance locations after dispatch. (See Footnote 2.)
- The contingency plan is written such that:
o The criteria for implementation include an AND statement (i.e., there are multiple criteria that must be satisfied before the plan should be implemented).
o There are no NOT statements.
o Direction for implementation is typical of that in EOPs (i.e., IF criteria for implementation are satisfied, THEN implement the plan); there are no judgments needed for implementation (e.g., there are no statements such as Consider implementing..)
- Operator training is on a 4-year cycle for FLEX. Starting pumps and noting flow is part of training. Also, AOs tour FLEX buildings and talk through all of the FLEX equipment, including associated cables and hoses.
D.4 Scenario Timeline The sequence of events for the pre-staged, FLEX DGs in a LOOP is:
- T=0 Reactor trip due to a sunny day LOOP (no ATWS); operators enter Standard Post Trip Actions (SPTA) procedure (i.e., E-0)
- T=0-1 minutes 1A EDG fails to start (and 1B EDG is out-of-service for long term 70 Information provided by plant-specific AOs.
D-5
maintenance)
- T=0-5 minutes Operators reach Step 3 in SPTA and recognize that there are no EDGs running. The SM arrives in the MCR.
- T=5-8 minutes In parallel with MCR operators implementing steps in the SPTA, an AO will be dispatched to try to start 1A EDG locally.
Also, in parallel, the designated RO for the contingency plan follows the progress of the other MCR operators to Step 3, then notes that the 4.16 kV Switchgear Annunciator is in alarm. This annunciator is alarming in combination with other entry conditions for the contingency plan. The designated RO begins implementing the contingency plan, including the dispatch of the designated AO to perform necessary actions to put the FLEX DGs into service.
- T=10-14 minutes Operators reach Step 10 in the SPTA, then use the Diagnostic Actions flow chart. The second diamond in the flow asks if there is AC and DC power to at least one train. Since there is no AC power, operators follow the no path. The next question is whether at least one vital DC power train has power. Because the batteries have not depleted yet, there is DC power. The flow chart recommends that operators consider Blackout procedure then move on to checking other critical parameters.
- T=15 minutes Operators enter Blackout procedure and perform its steps in parallel with EOP steps.
- T=38-40 minutes Designated AO completes actions to put FLEX DGs into operation; 4.16 kV bus is re-energized.
- T=40 min Operators exit Blackout procedure per Exit Conditions,71 Step 3a (At least one vital 4.16 kV bus is energized.).
- T= 40+ min Operators continue in EOPs to safety shutdown the reactor.
D.5 Potential Variations Some potential variations to the described scenario above that could be evaluated with HRA are:
- Additional cues for the RO dedicated to the contingency plan and board operator, such as a color-coded magnet tag by the 1A EDG that reminds operators that the FLEX DGs are pre-staged72
- Additional human factoring of the contingency plan (formatting, logic)
- Added human factoring of the procedure for performing breaker manipulations and electrical connections
- Plant modifications to simplify electrical connections 71 Exit Conditions are applied as continuous steps.
72 If there is an additional cue for the board operator, then the HRA could credit the board operator in the detection of the alarm, in addition to the dedicated RO.
D-6
D.6 Preliminary Assessment of HRA Influencing Factors There are some different influencing factors for each of the HFEs identified above. The following performance influencing factors are considered by the IDHEAS-ECA Tool [x] (see Table 2-1, page 2-3) under the high-level headings of Environment and situation, System, Personnel, and Task:
- 1. scenario familiarity,
- 2. task complexity and mental fatigue,
- 3. multi-tasking, interruptions and distractions,
- 4. key cues and indications,
- 5. time availability/urgency,
- 6. staffing,
- 7. procedures,
- 8. training and experience,
- 9. human-machine interface,
- 10. environment,
- 11. equipment and fitness needs,
- 12. communications,
- 13. teamwork and command and control, and
- 14. time pressure and stress.
Pre-Initiator: Operators fail to properly connect up FLEX DG Factors important to this pre-initiator HFE are:
- Field/equipment operators are trained on equipment operations, generally, on a yearly basis. All field operators are given initial FLEX equipment training, then refresher training periodically afterward.
- Training, briefings, and walk downs are provided to the operators responsible for operating the portable DGs as part of the preparation for use of the generators.
- A test run was performed to demonstrate parallel operation of the 3 FLEX DGs after the equipment was staged.
In particular, the effectiveness of a functional test prior to restoring equipment to a stand-by condition is one of the most important factors in assigning an HEP for a pre-initiator HFE.
Environmental factors should not be a concern for this pre-initiator.
Post-initiator: Operator fails to dispatch AO to perform steps for starting FLEX DGs2 Because this action is performed in the MCR, is typical of other highly practiced operator actions, is performed by a dedicated RO, and is assumed to have more than adequate time for performance, the following PIFs are expected to be negligible in contribution: multitasking, staffing, environment, equipment and fitness needs, communications, teamwork and command and control, time pressure and stress.
Other PIFs are relevant, such as:
- Scenario familiarity and training, as it relates to preparations to use the contingency plan
- Task complexity, as it relates to how to enter the contingency plan and how to use the contingency plan
- Key cues and indications, as it relates to how the dedicated RO enters the contingency plan
- Time available/urgency - unknown D-7
- Procedures, as it relates to pre-determined or assumed features of the contingency plan
- Training and experience, as it relates to pre-job briefings, shift turnover briefings, and other training related to the contingency plan.
- Human-machine interface, as it relates to the cues (e.g., alarms, EDG tag-outs) for entering the contingency plan Post-initiator HFE: Operator fails to manually start FLEX DGs2 For this specific context, the dedicated RO in the MCR dispatches the dedicated AO, then the AO establishes communications locally and starts the FLEX DG(s). Unlike the context for an external event initiator, the FLEX DG has already been transported.
Since this scenario does not involve an external event, is performed by a dedicated AO, and uses typical communications, the following PIFs are not considered to be important:
multitasking, staffing, environment, equipment and fitness needs, communications, teamwork and command and control, time pressure and stress.
HMI issues for setting up and operating the FLEX DG are NOT the same as for FLEX scenarios.
The configuration of the pre-staged FLEX DGs is different than that used in a FLEX scenario.
As such some of the industry-wide measures73 to simplify the use of FLEX equipment may not apply to this HFE.
Other PIFs are relevant, such as:
- Scenario familiarity and training, as it relates to preparations to use the contingency plan2
- Task complexity, as it relates to how to use the contingency plan and the number and kind of steps that need to be performed2
- Key cues and indications, such as how the contingency plan is entered
- Time available/urgency, such as what operators are trained on and briefed daily
- Procedures, as it relates to pre-determined or assumed features of the contingency plan2
- Training and experience, as it relates to pre-job briefings, shift turnover briefings, and other training related to the contingency plan
- Human-machine interface, as it relates to the electrical panels and associated breakers and the electrical connections needed for the specific configuration with the pre-staged FLEX DGs Other HRA-relevant factors include:
- There is NO automatic actuation of any of the installed FLEX equipment. All FLEX equipment would be manually started and operated, if required, by the designated operations personnel. Also, a test run of the FLEX DG was performed as part of deploying the equipment.
- Routine inspections (start of shift and normal operator rounds during shift) of the portable DGs are performed by operations personnel to ensure normal standby conditions are maintained including lubrication and fuel levels, standby temperatures, and general equipment condition.
73 Examples of such measures are:
- FLEX equipment is simpler to operator than other (e.g., nuclear-grade) equipment. So, while training may be less frequent, the FLEX equipment is easier to operate.
- FLEX connections have been standardized, US NPP industry-wide. Also, color-coding is used for FLEX DG connections to ensure that correct connections are made.
D-8
- At the beginning of every shift, training, briefings, and walk downs are provided to the operators responsible for operating the portable DGs as part of the preparation for use of the generators. Operations crews are briefed on the implementing procedure.
Designated operators will be familiar with instructions for starting and operating the portable DGs. Operations staff have received classroom training for FLEX strategies, which included the use of the portable DGs.
D.7 Additional Notes Made During the Workshop The information documented above was provided to the HRA analysts prior to the workshop.
Several aspects of this scenario and associated HFEs were modified in the workshop.
For example, the modeling of operator actions was simplified to address these critical tasks:
- Implement contingency plan
- AO implements Appendix D Also, the FLEX experts at the workshop clarified that the specific portable DGs used in this scenario are similar to the SAFER equipment, rather than the typical FLEX DGs addressed in FSGs. In addition, the particular NPP represented in this scenario has both the SAFER-like portable DGs and the typical FLEX DGs.
As a result of the workshop discussion, it was decided to eliminate adding loads to the HRA assessment. The HRA analysts thought that there was inadequate information on the procedure guidance for this task and how an AO would implement such guidance (including what steps would be taken by the AO and what the MCR operators would need to do, either separately or in coordination).
D.8 References
- 1. IDHEAS-ECA guidance
- 2. E-O, Standard Post Trip Actions
- 3. Blackout procedure.
- 4. Operations Maintenance Activities - Operations Maintenance Activities procedure, Appendices D.and E.
- 5. FLEX Support Guidelines - Mode 1, 2, 3, or 4, Appendices Q and R.
- 6. Personal communications with Roy Linthicum (Exelon) and Jim Lynde (Exelon) on November 19, 2019.
- 7. Personal communications and e-mails with Jim Lynde (Exelon).
- 8. Personal communications and e-mails with F. Gaber (APS).
D-9
APPENDIX E VARIATIONS ON SCENARIOS Throughout this project, potential scenario variations were discussed. Although a few variations were addressed in this project, most variations that were discussed were not addressed (mostly due to inadequate resources). This appendix captures some of those discussions of potential scenario variations.
E.1 Variations in FLEX and Non-FLEX Scenarios Previous FLEX HRA efforts have recognized variations in FLEX scenario details can be an important impact on HRA results. Consequently, this effort continued consideration of potentially important scenario variations. In fact, the identification of variations was embedded in the effort to develop scenarios.
This section summarizes three categories of variations:
- 3. More generalized variations.
E.1.1 Identified Scenario-Specific Variations As stated above, the development of scenarios for this project naturally led the project team, FLEX experts, and HRA analysts to consider scenario variations. In all cases, iterations on defining scenarios for consideration involved discussion of variations such as:
- Different plant conditions
- Different plant configurations
- Different timing of plant conditions
- Different procedural guidance Examples of scenario variations that were identified (but not addressed) include:
- FLEX scenario:
o Seismic event with minimal or moderate damage to plant site
- Non-FLEX scenario - Sunny Day Loss of all feedwater o All AFW pumps are failed at t=0 and no FLEX pumps are pre-staged (i.e., there is inadequate time to deploy the FLEX pump before F&B criteria are reached) o All AFW pumps are failed at t=0 and one FLEX pump is pre-staged
- Non-FLEX scenario - Sunny Day Station Blackout o Additional cues for the RO dedicated to the contingency plan and board operator, such as a color-coded magnet tag by the 1A EDG that reminds operators that the FLEX DGs are pre-staged74 o Additional human factoring of contingency plan (e.g., procedure formatting and logic optimization with respect to HRA credit) o Added human factoring of the procedure for performing breaker manipulations and electrical connections o Plant modifications to simplify electrical connections for FLEX DGs 74 If there is an additional cue for the board operator, then the HRA could credit the board operator in the detection of the alarm, in addition to the dedicated RO.
E-1
E.1.2 Addressed Scenario-Specific Variations Due to limited resources, there were only two scenario variation addressed in this effort. Those variations were for the FLEX scenario and related to short versus long battery life and the associated procedural guidance for declaring ELAP. See Sections 3.4.5 and 6.3.2 for further details on these scenario variations.
E.2 Discussion of FLEX Scenario Variations Between NPPs Most attendees for the BWR plant site visit participated in an additional 1/2-day discussion on variations between U.S. NPPs with respect to FLEX strategy implementation. Both HRA analysts and FLEX experts participated in this discussion, and Mary Presley (EPRI) participated by phone.
The starting point for the discussion was the list of variations provided in Table 1-1 in EPRIs FLEX HRA report [x]. Additional variations that were discussed included:
o Some NPPs do both SBO and FLEX (or deep) DC load sheds o Some NPPs do FLEX DC load shed only o Some NPPs do SBO load shed only
- Different consequences due to FLEX DC load shed (e.g., more trains of instruments are unavailable with more loads shed)
- There can be a lot of conservatism in the battery life calculations. Some plants refined these calculations and other plants have not.
- NPPs can vary as to whether FLEX strategies for water, electricity, or containment venting are needed first. However, generally, electric power restoration is the first need.
- Differences between NPPs regarding on-site and offsite power resources, e.g.,
o This NPP has four (4) Emergency Diesel Generators (EDGs) shared between two units, three (3) offsite power sources, and an alternate power line
o Some NPPs explicitly declare ELAP o Some NPPs do not explicitly declare ELAP but make equivalent procedure transitions or take equivalent actions o There are differences in the procedure logic for declaring ELAP, e.g.:
Declare ELAP if NPP does not have AC power back by 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (or similar other time)
By 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, if operators do not have confidence that power will be restored by 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, declare ELAP
- Different NPPs have different policies on how much diesel fuel is in the FLEX diesel generator (DG) tanks, e.g.,
o This NPP keeps the FLEX DG tank 50-75% full (so refueling is not required for 10-12 hours) and have regular tests for degraded fuel o Another NPP keeps the FLEX DG fuel tank only 5% full due to fuel degradation concerns
o This NPP definitely could reverse before FLEX DC load shed; if offsite power was restored after FLEX DC load shed, operators would need support from the Technical Support Center (TSC)
E-2
- All PWRs have a deviation document that identifies how that NPP has deviated from the standard FSGs.
- Some NPPs may use hardened containment vent systems (HCVS) for RCIC preservation (anticipatory venting) [not sure if there are any challenges unique to FLEX]
o Are there other actions for RCIC preservation?
- Regarding communications equipment and other support functions:
o Some NPPs need to deploy portable fans for room cooling for switch gear and batteries. And, these actions must be done early so the batteries do not fail.
E.3 Categorizing and Characterizing Scenario Variations Follow-on discussions on scenario variations led to the idea of further categorizing or characterizing the variations. For example, would it be helpful to group NPPs by: 1) time when load shed is needed to extend battery life? 2) ease/number of steps to FLEX DC load shed? 3) how long to deploy FLEX equipment?
To this end, Table E-1 was developed to illustrate a potential way of organizing scenario variations, both FLEX and non-FLEX. This table should be viewed as a work in progress.
Table E-1 HRA for FLEX Project: Organizing variations within scenarios Scenarios75 High-level Next level Required operator Notes scenario scenario actions76 variations variations BDBE FLEX Large external Significant damage 1. Declare ELAP Most extensive scenario event with is evident both 2. Load shed77 damage with extensive onsite & offsite. 3. Remove debris78 associated largest damage onsite 4. Deploy, install and amount of debris
& offsite operate FLEX DG79 removal.
Less serious
- Key damage is 5. Deploy, install, and Less damage and external event offsite81 operate FLEX pump38 associated debris.
- Key damage is 6. Refuel FLEX equipment80 onsite 7. More.
Any non- Loss of all AC Damage is offsite82 1. Declare ELAP83 No debris.
FLEX power Damage is onsite41 2. Load shed36 initiating 3. Deploy, install and event operate FLEX DG38
76 Note that there are plant-to-plant variations on what and how many operator actions are required within the first 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after the initiator.
77 Note that there are plant-to-plant differences on load shedding.
78 Note that the HRA is not expected to model this activity.
79 There will be various plant-to-plant differences on what is needed for this operator action (e.g., some plants may have pre-staged FLEX equipment).
80 There will be plant-to-plant differences on when and how much refueling is needed for FLEX pumps (e.g., some plants will start event with almost full fuel tanks while others may start with only 5% full tanks).
81 This variation may not pose a challenging context for operators to decide to declare ELAP and use FLEX equipment. Consequently, this level of decomposition may not be important, except to recognize the possibility.
82 Scenario developers and HRA analysts should explore whether these differences are important. It may be similar to the less severe FLEX scenario.
83 Declare ELAP is placeholder for how operators would decide to use FLEX equipment in this scenario.
E-3
Scenarios75 High-level Next level Required operator Notes scenario scenario actions76 variations variations Internal flooding Debris or other environmental concerns that require plant staff to address and/or require additional time to address.
Fires Debris or other environmental concerns that require plant staff to address and/or require additional time to address.
Loss of injection Loss of injection 1. Decide to use FLEX Depending on the or feedwater Loss of other pump84 initiator, there may cooling systems 2. Remove debris be debris to contend (e.g., FW) 3. Deploy, install, and with or other Loss of heat Loss of service operate FLEX pump38 environmental sink water 4. Refuel FLEX equipment39 hazards that require Loss of cooling for OR85 plant staff to frontline systems 1. Decision to use address and/or Loss of cooling for EDMG/B.5.b pump require additional support systems 2. Align B.5.b pump time address.
- 3. Start B.5.b pump Other?
Use of FLEX FLEX generator Context for some 1. Operators fail to properly equipment staged to serve sort of reportable stage FLEX DG86 (latent during on- as redundant incident that would human error or pre-initiator line DG + FLEX DG be addressed, for HFE) maintenance operation example, by an 2. Operators fail to of front-line SDP start/operate FLEX DG equipment FLEX pump 1. Operators fail to properly (hypothetical staged to serve stage FLEX pump (latent trip with a as redundant human error or pre-initiator demand on pump + FLEX HFE) system pump operation 2. Operators fail to supported by start/operate of FLEX pump FLEX equipment) 84 Operators will need some sort of proceduralized way to decide on using a FLEX pump in this scenario.
85 May be out-of-scope for this effort. (But, the same HRA process and principles would be applicable.)
86 There are likely to be plant-specific differences on the details of these operator actions, depending on how FLEX equipment is staged, if there is a functional test after staging, when and how final connections are made, etc.
E-4