ML24352A019

Research Information Letter 2024-17, Integrated Human Event Analysis System for Event and Condition Assessment (IDHEAS-ECA) Evaluations of Standardized Plant Analysis Risk (SPAR) Model Human Failure Events
ML24352A019
Person / Time
Issue date: 01/06/2025
From: James Chang, Coyne K, Enos-Sylla L, Christopher Hunter, Michelle Kichline, Pan Q
NRC/RES/DRA
To:
Shared Package
ML24352A020 List:
References
RIL 2024-17

RIL 2024-17

INTEGRATED HUMAN EVENT ANALYSIS SYSTEM FOR EVENT AND CONDITION ASSESSMENT (IDHEAS-ECA) EVALUATIONS OF STANDARDIZED PLANT ANALYSIS RISK (SPAR) MODEL HUMAN FAILURE EVENTS

Date Published: January 2025

Prepared by: C. Hunter, K. Coyne, J. Chang, L. Enos-Sylla, M. Kichline, Q. Pan

Christopher Hunter, NRC Project Manager

Research Information Letter
Office of Nuclear Regulatory Research

Disclaimer

Legally binding regulatory requirements are stated only in laws, NRC regulations, licenses, including technical specifications, or orders; not in Research Information Letters (RILs). A RIL is not regulatory guidance, although NRC's regulatory offices may consider the information in a RIL to determine whether any regulatory actions are warranted.

TABLE OF CONTENTS

1. BACKGROUND
2. PURPOSE
3. EVALUATION OF SEVEN BASE SPAR MODEL HFEs
   3.1 HFE Identification
   3.2 Evaluation Process
   3.3 IDHEAS-ECA Evaluations
       3.3.1 Operators Fail to Initiate Feed and Bleed Cooling
       3.3.2 Operators Fail to Initiate Low-Pressure Recirculation
       3.3.3 Operators Fail to Initiate High-Pressure Recirculation
       3.3.4 Operators Fail to Trip the RCPs
       3.3.5 Operators Fail to Initiate Reactor Depressurization
       3.3.6 Operators Fail to Vent the Containment
       3.3.7 Operators Fail to Initiate SPC
4. EVALUATION OF SPAR MODEL FLEX HFEs
   4.1 HFE Selection
   4.2 Evaluation Process
   4.3 Base Case Scenario Description
   4.4 IDHEAS-ECA Evaluations
       4.4.1 Operators Fail to Declare ELAP
       4.4.2 Operators Fail to Perform Deep Load Shed per FSGs
       4.4.3 Operators Fail to Stage or Run or Load or Refuel 480V Portable FLEX DG
       4.4.4 Operators Fail to Vent Containment during ELAP
       4.4.5 Operators Fail to Stage or Run or Supply or Refill FLEX RPV Pump
       4.4.6 Operators Fail to Depressurize RPV during ELAP
       4.4.7 Operators Fail to Start/Control RCIC Injection
5. BENCHMARKING ACTIVITIES
   5.1 Base SPAR Model Benchmarking
   5.2 Event Assessment Benchmarking
       5.2.1 Failure of RCIC System for an Exposure Time of 3 Months
       5.2.2 Reactor Transient with a Failure of the AFW Pump to Start
       5.2.3 Insights from ECA Benchmarking
6. SUMMARY AND CONCLUSIONS
7. RECOMMENDATIONS AND NEXT STEPS

ABBREVIATIONS AND ACRONYMS

AC - alternating current
ADS - automatic depressurization system
AFW - auxiliary feedwater
AO - auxiliary operator
AOP - abnormal operating procedure
ATWS - anticipated transient without scram
B&W - Babcock & Wilcox
BDB - beyond design basis
BDBEE - beyond design basis external event
BWR - boiling-water reactor
CCDP - conditional core damage probability
CDP - increase in core damage probability
CCW - component cooling water
CDF - core damage frequency
CE - Combustion Engineering
CFM - cognitive failure mode
CRD - control rod drive
CSFST - critical safety function status tree
CSS - containment spray system
DC - direct current
DG - diesel generator
ECA - event and condition assessment
ECCS - emergency core cooling systems
EDG - emergency diesel generator
EF - error factor
ELAP - extended loss of AC power
EOP - emergency operating procedure
FIP - final integrated plan
FLEX - diverse and flexible (mitigation strategies)
FV - Fussell-Vesely
GE - General Electric
HCTL - heat capacity temperature limit
HEP - human error probability
HFE - human failure event
HPCI - high-pressure coolant injection
HPCS - high-pressure core spray
HRA - human reliability analysis
IC - isolation condenser
IDHEAS - Integrated Human Event Analysis System
INL - Idaho National Laboratory
ISLOCA - interfacing-systems loss-of-coolant accident
LOCA - loss-of-coolant accident
LOOP - loss of offsite power
LPCI - low-pressure coolant injection
LPCS - low-pressure core spray
MCR - main control room
MFW - main feedwater
NPP - nuclear power plant
NPSH - net positive suction head
NRC - (U.S.) Nuclear Regulatory Commission
NRR - Office of Nuclear Reactor Regulation
OTC - once-through cooling
PCPL - primary containment pressure limit
PIF - performance influencing factor
PORV - power-operated relief valve
PRA - probabilistic risk assessment
PRIB - plant risk information e-books
PSP - primary suppression pressure
PWR - pressurized-water reactor
RCIC - reactor core isolation cooling
RCP - reactor coolant pump
RCS - reactor coolant system
RES - Office of Nuclear Regulatory Research
RIL - research information letter
RPV - reactor pressure vessel
RWST - refueling water storage tank
SBO - station blackout
SG - steam generator
SGTR - steam generator tube rupture
SI - safety injection
SPAR - standardized plant analysis risk
SPC - suppression pool cooling
SRA - senior reactor analyst
SRV - safety relief valve
TTC - technical training center

1. BACKGROUND

In 2019, the U.S. Nuclear Regulatory Commission (NRC) developed a new human reliability analysis (HRA) method, the Integrated Human Event Analysis System for Event and Condition Assessment (IDHEAS-ECA). The method was tested, piloted, and is documented in NUREG-2256, Integrated Human Event Analysis System for Event and Condition Assessment, (ML22300A117). The NRC has begun applying IDHEAS-ECA in various risk-informed activities. In addition, the NRC is exploring the transition from the use of the SPAR-H HRA method to the use of IDHEAS-ECA in risk assessments of initiating events and/or degraded conditions, which are also known as event and condition assessments (ECAs).

2. PURPOSE

As part of the NRC's transition to using IDHEAS-ECA, the NRC is building a knowledge base of application examples. The initial activity for building this knowledge base was to identify and evaluate several of the most risk significant sets of human failure events (HFEs) that are commonly used in most standardized plant analysis risk (SPAR) models or that have been identified as risk significant during NRC-conducted ECAs. The results of this initial evaluation of seven base SPAR model HFEs are documented in Section 3. NRC risk analysts worked with IDHEAS-ECA developers to ensure the IDHEAS-ECA evaluations were properly performed and documented. In addition, working through additional application examples provided feedback to IDHEAS-ECA developers for potential method improvements. This work also included the evaluation of alternate technologies and scenario contexts within the SPAR models and explored how sensitive (or insensitive) the IDHEAS-ECA methodology is to different scenario details (e.g., timing) that result in varying human error probabilities (HEPs) using other HRA methods.

The second activity, described in Section 4, was to evaluate the SPAR HFEs associated with the implementation of a selection of the diverse and flexible (FLEX) mitigation strategies. These evaluations leveraged a previously performed pilot study on using IDHEAS-ECA to evaluate HFEs for selected extended loss of alternating current (AC) power (ELAP) scenarios documented in RIL 2022-13, Applying HRA to FLEX - Using IDHEAS-ECA - Volume 2, (ML21032A119). Although the pilot project calculated HEPs for some of the FLEX HFEs, certain elements such as the failure probability due to insufficient time (Pt) were not considered in most cases. In addition, the guidance on the use of the IDHEAS-ECA has changed since this effort was completed.

The third and final activity, described in Section 5, was to perform benchmarking studies and comparisons of the effects of the HEPs calculated using IDHEAS-ECA in the first two activities with the current SPAR model HEPs. In addition, some sample analyses were performed using the IDHEAS-ECA calculated HEPs in place of the base SPAR model HFEs in some postulated ECAs to determine whether there is potential for significant changes that are likely to affect risk-informed decisionmaking. Collectively, these activities also provided insights into the resource needs, impact, and benefits of using IDHEAS-ECA to recalculate HFEs in the SPAR models. Therefore, as part of this effort, these insights were evaluated to identify recommendations for future SPAR model enhancements.

The summary and conclusions of these evaluations are provided in Section 6 and recommendations and potential next steps are described in Section 7.

Note that the analyses provided in this report were reviewed by a group of regional Senior Reactor Analysts (SRAs), Office of Nuclear Reactor Regulation (NRR) counterparts, and Office of Nuclear Regulatory Research (RES) staff that have experience using IDHEAS-ECA. All comments and feedback were addressed and incorporated into the evaluations provided in this paper, as appropriate.

3. EVALUATION OF SEVEN BASE SPAR MODEL HFEs

The following subsections provide the analysis and results for the IDHEAS-ECA evaluations of seven selected HFEs in the base SPAR models.

3.1 HFE Identification

The current base SPAR models typically each contain 50-90 HFEs (internal events only). About a third of these HFEs are common to plants of the same or similar technology type (i.e., pressurized-water reactors (PWRs) or boiling-water reactors (BWRs)). The initial effort described in this report focuses on these common HFEs that are typically the most risk significant in the base SPAR models.

To determine the HFEs selected for this initial evaluation, the plant risk information e-books (PRIBs) were reviewed to identify the common HFEs having the largest Fussell-Vesely (FV) importance measures.[1][2] The evaluation identified the following HFEs to be evaluated using IDHEAS-ECA, as part of this initial effort:

PWRs

- HPI-XHE-XM-FAB - Operators Fail to Initiate Feed and Bleed Cooling (Section 3.3.1)

- LPI-XHE-XM-RECIRC - Operators Fail to Initiate Low-Pressure Recirculation (Section 3.3.2)

- HPI-XHE-XM-RECIRC - Operators Fail to Initiate High-Pressure Recirculation (Section 3.3.3)

- RCS-XHE-XM-RCPTRIP - Operators Fail to Trip Reactor Coolant Pumps (RCPs) (Section 3.3.4)

BWRs

- ADS-XHE-XM-MDEPR - Operators Fail to Initiate Reactor Depressurization (Section 3.3.5)

- CVS-XHE-XM-VENT - Operators Fail to Vent Containment (Section 3.3.6)

- RHR-XHE-XM-SPC - Operators Fail to Initiate Suppression Pool Cooling (SPC) (Section 3.3.7)

[1] The PRIBs list the risk significant systems, structures, and components (SSCs) and provide summary risk information for each operating nuclear power plant (NPP).

[2] The FV importance measure provides the overall fractional contribution of cutsets containing the HFE of interest to the total core damage frequency (CDF).

3.2 Evaluation Process

The IDHEAS-ECA evaluations provided in Section 3.3 of this report start with identifying a base case scenario for each HFE. The base case scenario is either the most likely scenario and/or the one requiring the least complicated operator response. The eight analysis steps outlined in the IDHEAS-ECA guidance (NUREG-2256) are incorporated into a streamlined documentation process to ensure consistency in evaluating the selected HFEs. In addition, potential variabilities due to differences in technology/design, initiating events, and scenario contexts are explored.

The key IDHEAS-ECA factors affecting uncertainty are discussed and the sensitivity of these factors' effects on the HEP is assessed. Note that the evaluations documented in this paper were limited to contexts expected during internal events only. Given the selection of an internal events base case for the evaluations documented in this report, analysts may need to revise these evaluations when they are used as a starting point for IDHEAS-ECA evaluations needed to support future ECAs that consider contextual differences arising with different scenarios of concern. Therefore, it may be necessary to develop context-specific HFEs in certain cases to fully address this issue along with other variabilities and uncertainties discussed above. In addition, the guidance for crediting error recovery is still under development and, therefore, was not considered as part of the evaluations.

3.3 IDHEAS-ECA Evaluations

The following subsections provide the IDHEAS-ECA evaluations for the selected SPAR model HFEs.

3.3.1 Operators Fail to Initiate Feed and Bleed Cooling

HFE Name

HPI-XHE-XM-FAB

HFE Definition

Operators fail to initiate feed and bleed cooling prior to core damage. The entire HFE is considered as a single critical task within the IDHEAS-ECA framework.

SPAR Model Application

HPI-XHE-XM-FAB is a basic event in the feed and bleed cooling fault tree, which is queried in the event trees for multiple transients. These transients include general transients; loss of main feedwater (MFW); loss of condenser heat sink; losses of alternating current (AC)/direct current (DC) buses; losses of offsite power (LOOPs); feedwater/steamline breaks; steam generator tube rupture (SGTR); and small loss-of-coolant accidents (LOCAs). The feed and bleed cooling fault tree is queried when there is a successful reactor trip, auxiliary feedwater (AFW) fails, and MFW cannot be restored.

Scenario Description/Event Context

The most risk significant scenarios that include the need for feed and bleed cooling are typically those where the initiating event results in the nonrecoverable loss of MFW (e.g., loss of MFW, loss of condenser heat sink, certain losses of AC or DC buses, and LOOP). Of these initiating events, the least complex initiating event is where both MFW and the condensate pumps are unavailable without the potential for recovery since this removes potential recovery options for the operators. The most likely initiating event that would result in this scenario is a LOOP and, therefore, LOOP is selected as the base case for this evaluation for a Westinghouse plant (i.e., the most common PWR).

When a reactor trip occurs due to the LOOP, the main control room (MCR) operators will enter procedure E-, Reactor Trip or Safety Injection (SI). Since there is no SI actuation or need to manually initiate an SI for this event, operators will transition to procedure ES-0.1, Reactor Trip Response, and will also begin monitoring the critical safety function status trees (CSFST). If narrow-range steam generator (SG) levels are too low and feedwater flow is insufficient, the scenario will be in a red path of the Heat Sink CSFST, which directs operators to enter procedure FR-H.1, Response to a Loss of Secondary Heat Sink. FR-H.1 directs operators to establish adequate feedwater flow, but operators will be unable to do so unless flow from either the turbine-driven or motor-driven AFW pumps is available. In this HFE context, AFW flow is unavailable due to component failure(s) or failure of a critical support system, such as a train of onsite emergency AC power. If all SG levels drop below a certain limit (e.g., wide-range SG level less than 25 percent), operators are directed to immediately initiate feed and bleed cooling. The execution portion of initiating feed and bleed cooling consists of straightforward MCR actions: initiate SI and open the pressurizer power-operated relief valves (PORVs).

Boundary Conditions

The start of this HFE is a LOOP resulting in a subsequent reactor trip (i.e., T = 0). The base case scenario assumes that AFW is failed or unavailable from the beginning of the event. In addition, the base case scenario assumes that MFW and condensate injection are unavailable and are nonrecoverable. The end of this HFE is the failure to successfully initiate feed and bleed cooling prior to core damage.

Success Criteria

Operators successfully initiate feed and bleed cooling within sufficient time to prevent core damage.

Key Cue(s)

- Feedwater flow rates (AFW and MFW)

- SG levels (Narrow and Wide Ranges)

Procedural Guidance

- E-, Reactor Trip or SI

- ES-0.1, Reactor Trip Response

- FR-H.1, Response to a Loss of Secondary Heat Sink

CFM Selection

Detection - This task requires the operators to detect the alarms and annunciators associated with the LOOP and subsequent reactor trip along with the failure of the AFW system. In addition, operators will need to monitor whether SG levels are adequate to maintain secondary decay heat removal.

Understanding - This task requires the operators to understand secondary decay heat removal cannot be maintained and, therefore, that they must initiate feed and bleed cooling to prevent core damage.

Decisionmaking - Decisionmaking is not required for this task because with correct understanding of the event, the procedure requires operators to initiate feed and bleed cooling. Operators are unlikely to be sidetracked by feedwater recovery activities due to the MFW and condensate unavailabilities caused by the LOOP. Therefore, this cognitive failure mode (CFM) is not applicable for this task.

Action Execution - This task requires the operators to manually actuate SI (if automatic actuation has not occurred) and open the pressurizer PORVs. Both actions are accomplished by simple switch manipulations from the MCR.

Interteam Coordination - Interteam coordination is not required for this task because multiple teams would not be involved. Therefore, this CFM is not applicable for this task.

Evaluation of PIFs for Applicable CFMs

CFM1 - Failure of Detection (Base Probability = 1x10^-4)

- Scenario Familiarity - No impact because operators are routinely trained on loss of secondary decay heat removal events. In addition, this critical task is covered by plant procedures.

- Task Complexity - C1: Detection overload with multiple competing signals (1: Few < 7); there are at least three potentially competing signals, including the annunciators/parameters associated with the (1) LOOP, (2) subsequent reactor trip, and (3) AFW system failure. Note that multiple alarms associated with the same function (e.g., AFW) are considered to be one signal. Selection of this performance influencing factor (PIF) attribute increases the base probability of CFM1 to 3x10^-3. This selection may be conservative or nonconservative based on an initial review of the limited amount of supporting data for this PIF attribute. Further review of this data is needed to develop the appropriate guidance.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM2 - Failure of Understanding (Base Probability = 1x10^-3)

- Scenario Familiarity - No impact because operators are trained on loss of secondary decay heat removal events. In addition, this critical task is covered by plant procedures.

- Information Completeness and Reliability - No impact because MCR feedwater flow and SG level indications are sufficient to diagnose loss of secondary decay heat removal events.

- Task Complexity - No impact because the requirement of feed and bleed cooling in the event of the loss of all feedwater is a fundamental plant operation concept that is specifically covered by plant procedures.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM4 - Failure of Action Execution (Base Probability = 1x10^-4)

- Scenario Familiarity - No impact because the execution steps are routinely trained. In addition, this critical task is covered by plant procedures.

- Task Complexity - No impact because the execution steps are straightforward (i.e., MCR switch manipulations) and proceduralized.

- The other PIFs were determined to have a negligible impact on the base case HFE.

Using these assumptions, cognitive failure probability (Pc) is calculated as 4.1x10^-3 by summing the probabilities of CFM1 (3x10^-3), CFM2 (1x10^-3), and CFM4 (1x10^-4) probabilistically.

Timing Evaluation

The time available (Tavail) was estimated from the time when the cue (low, wide-range SG level) becomes available to the time that feed and bleed has to be established to avoid core damage. Extensive timing information is not currently available to NRC analysts for this operator action. However, the following timing estimates from licensee PRAs were available through Idaho National Laboratory (INL):

| Plant  | Treqd       | Tavail       |
|--------|-------------|--------------|
| PWR 36 | 8 minutes   | 20 minutes   |
| PWR 5  | 7-8 minutes | 25 minutes   |
| PWR 15 | 3 minutes   | 14.4 minutes |
| PWR 19 | 2 minutes   | 34 minutes   |

The Tavail values are likely conservative based on the limited applicable MELCOR calculations performed (e.g., NUREG-1953, Confirmatory Thermal-Hydraulic Analysis to Support Specific Success Criteria in the SPAR Models - Surry and Peach Bottom, (ML103230151)). Given these considerations, the base case HFE assumed that operators would have a minimum of 20 minutes (Tavail) to initiate SI and open the pressurizer PORVs once wide-range level on all SG levels reached the initiation criteria contained in FR-H.1. The time required (Treqd) values show high variability even though the execution procedures should be near identical. Discussions with NRC training staff indicate that less than 5 minutes is required to complete the execution, which also includes verification steps. Therefore, Treqd of 5 minutes was selected for the base case HFE.

The current IDHEAS-ECA guidance recommends using a lognormal distribution for time estimates. For the evaluation of this base case HFE, the failure probability due to insufficient time (Pt) was calculated using a lognormal distribution for Treqd. Tavail is considered a conservative limit and, therefore, no distribution has been assigned. For the evaluation of this base case HFE, Pt was calculated using an error factor (EF) of 2 for the lognormal distribution of Treqd, which is considered to be appropriate for actions performed from the MCR based on a preliminary analysis of timing data from MCR operators' response to emergency events in nuclear power plant simulators, including NUREG/IA-0216, International HRA Empirical Study - Phase 1 Report, (ML093380283), NUREG-2156, The U.S. HRA Empirical Study - Assessment of HRA Method Predictions against Operating Crew Performance on a U.S. Nuclear Power Plant Simulator, (ML16179A124), EPRI NP-6937-L Operator Reliability Experiments Using Power Plant Simulators, Volume 3: Appendixes, and simulator data from other sources. This selection results in a Pt of 5.0x10^-4. At the time of completing this analysis, the guidance on specifying the uncertainty bounds for time estimates in IDHEAS-ECA had not been finalized.

Error Recovery

Error recovery credit is not provided for this task.

Calculated HEP

HEP = 1 - (1 - Pc)(1 - Pt) = 1 - (1 - 4.1x10^-3)(1 - 5.0x10^-4) = 5x10^-3

Technology Variability

There are two additional PWR types that include this HFE in the SPAR models: Combustion Engineering (CE) and Babcock & Wilcox (B&W) plants. A description of how MCR operators would respond, including procedure pathway, is provided below:

CE Plants - When a reactor trip (regardless of the specific initiating event) occurs, MCR operators will enter E-1, Standard Post Trip Actions. As part of this procedure, operators will verify whether there is sufficient SG level and feedwater flow to at least one SG. Operators are also directed to use the diagnostic flowchart in Attachment 1 of the procedure. This flow chart queries whether at least one SG has adequate feed flow. If the answer is no, operators are directed to enter E-6, Loss of All Feedwater Recovery. E-6 directs operators to continue to establish adequate feedwater flow. If all SG levels drop below a certain limit (e.g., wide-range SG level less than 25 percent), operators are directed to immediately initiate once-through cooling (OTC). The execution portion of initiating OTC is straightforward: initiate SI if not already done and open the pressurizer PORVs.

B&W Plants - When a reactor trip (regardless of the specific initiating event) occurs, MCR operators will enter Emergency Operating Procedure (EOP)-1, Reactor Trip. If all feedwater (MFW and AFW) is lost, operators are directed to enter EOP-3, Lack of Heat Transfer. If the subcooling margin decreases below 20°F, EOP-3 directs operators to initiate high-pressure injection cooling by entering Repetitive Task 7, High-Pressure Injection Cooling. The execution portion of initiating high-pressure injection cooling is straightforward: initiate SI if not already done and open the pressurizer PORV and associated block valve.

Based on the similarities of cues and procedures for the three different PWR plant types, significant differences are not expected in the evaluation of Pc for technology differences. However, there could be significant differences in Pt based on timing variabilities associated with the different technologies.

Initiating Event Variability

Feed and bleed cooling is queried in most internal events event trees with the exception of medium and large LOCAs, interfacing-systems loss-of-coolant accidents (ISLOCAs), station blackout (SBO), and anticipated transient without scram (ATWS) scenarios. Many of these initiating events can be considered to be similar transients that will not significantly affect the operator response (e.g., procedure pathway), but rather account for different equipment unavailabilities. There could be timing differences from the most limiting case of loss of feedwater at T = 0 with no SI; however, any differences would result in additional time available for the operators. Therefore, given Pt is a small contributor to the base case scenario (i.e., approximately 10 percent), the evaluation of HPI-XHE-XM-FAB is not expected to deviate significantly from the base case for these initiating events, which include:

- General Transient

- Loss of MFW

- Loss of Condenser Heat Sink

- Loss of Electrical Bus

- Loss of Service Water

- Loss of Component Cooling Water

Additional initiating events that query feed and bleed cooling include:

- Small LOCA

- SGTR

- Main Steam Line Breaks (MSLB)

- Feedwater Line Break

Based on discussions with NRC's Technical Support Center (TTC) staff, these initiating events are not expected to change the procedure pathway significantly since FR-H.1 takes priority in all of these scenarios. There could be timing differences as a result of some scenarios; however, these differences would result in a longer time available to operators. Therefore, unless Pt is a significant contributor for these other scenarios, reevaluation is not needed.

The most significant potential for variability for these other initiating events is whether the MFW or condensate systems are available to restore SG inventory. For initiators where MFW is available, the potential for recovery should be accounted for using another HFE. In addition, the potential dependency between that HFE and HPI-XHE-XM-FAB could be significant and should be evaluated in detail.

If either MFW recovery or condensate injection is possible, reevaluation of HPI-XHE-XM-FAB is likely to be needed because of the potential that operators may delay initiating feed and bleed cooling due to a belief that attempts to establish injection into the SGs will succeed in time to maintain core cooling. In these cases, it is recommended that the Decisionmaking CFM be evaluated; selection of PIF attribute C25: Competing or conflicting goals is warranted. These changes would result in the base case Pc increasing by an order of magnitude to 0.14. Thermal-hydraulic calculations for how the timing estimates would change for this scenario are not available; however, operators will depressurize the SGs, which will expend SG inventory and may decrease the time until SG level reaches the level requiring the initiation of feed and bleed cooling. However, the overall time to core damage may not be significantly affected since the depressurization and cooldown provides additional margin to thermal limits and, therefore, the time available to operators could be similar to the base case scenario. Assuming the base case Pt of 5.0x10^-4 is still applicable, the overall HEP is calculated to be 0.14 for this more complex scenario, which is over an order of magnitude greater than the base case HEP. Specific guidance regarding how/when IDHEAS-ECA treats the potential for operator hesitancy needs to be developed. In addition, the underlying data for PIF attribute C25 needs to be evaluated further to determine if the impact on Pc is appropriate.

Additional Scenario Variability

Similar to the discussion of the initiating event variability, the significant potential for variability is restoring MFW or condensate systems to provide SG inventory makeup. In some cases, the cutsets may have basic events that result in failures either directly or indirectly to either or both systems. However, analysts should review the dominant cutsets of the analysis to see if any basic events may result in unaccounted-for complexities associated with cues, decisionmaking, and execution. Examples of scenario variabilities that could justify changes to the base case IDHEAS-ECA evaluation include:

- Cutsets with basic events that fail SG level instrumentation should be accounted for specifically by modifying the applicable Failure of Detection PIF. Simulator data from NUREG/IA-0216 and NUREG-2156 have shown that failed instrumentation can significantly affect crew response variability.

- Cutsets with basic events that could affect decisionmaking would require that the associated CFM be evaluated.

- Cutsets that have operator actions that occur before the requirement for initiating feed and bleed cooling can change the boundary conditions for HPI-XHE-XM-FAB and, therefore, the HFE should be reevaluated to account for these differences.

Key Uncertainties

The following key uncertainties were identified:

- The information available to select Tavail is limited. It is believed that the 20 minutes selected for the base case is conservative. However, the Pt for the base case is not a significant contributor to the overall HEP for the base case HFE.

- The selection of the appropriate EF for the timing estimates can have a significant effect on the Pt and the overall HEP. In general, the empirical studies referenced in the timing evaluations involved specific scenarios involving procedurally-driven MCR operator actions; however, these studies did not fully investigate the full range of scenario variabilities associated with the analyzed HFE and, therefore, the selection of the EF of 2 for Treqd is an uncertainty associated with this evaluation. The guidance for the selection of the EFs associated with timing estimates is still under development.

- The Decisionmaking CFM was determined to not be applicable for the base HFE because operators are not expected to delay the initiation of feed and bleed cooling when MFW and condensate systems are unavailable during a LOOP. However, there is also a possibility that operators could delay initiating feed and bleed cooling while attempting to restore AFW in the base case scenario. For example, the PWR EOPs may direct operators to attempt restoration of the turbine-driven AFW pump after it has tripped. If operators believe restoration is likely prior to core damage, this could result in a potential delay of the initiation of feed and bleed cooling. Operating experience is extremely limited regarding this issue; however, operators delayed initiation of feed and bleed cooling until after execution criteria were met while restoring AFW during a transient that occurred at Davis-Besse in 1985. Since this event, operator training has greatly emphasized the necessity to initiate feed and bleed cooling when the execution criteria are reached. If analysts believe that there is the potential for operators to hesitate during this scenario, the Decisionmaking CFM should be selected, along with the PIF attribute C25: Competing or conflicting goals, which would result in Pc and the overall HEP increasing to 0.14. Specific guidance regarding how/when IDHEAS-ECA treats the potential for operator hesitancy needs to be developed. In addition, the underlying data for PIF attribute C25 needs to be evaluated further to determine if the impact on Pc is appropriate.

- The selection of the PIF attribute C1: Detection overload with multiple competing signals (1: Few < 7) for the Detection CFM is potentially conservative or nonconservative. An initial review indicated that the limited supporting data may not support this PIF attribute as it is currently constituted (e.g., how signals are defined, how multiple indications and alarms are binned into a single signal, and the potential for decay of a signal as time passes). Further review of this data is needed to develop guidance associated with selection of this PIF attribute. If this PIF attribute is not selected, the Pc (and overall HEP) for this action would decrease to 1x10-3.

3.3.2 Operators Fail to Initiate Low-Pressure Recirculation

HFE Name

LPI-XHE-XM-RECIRC

HFE Definition

Operators fail to align low-pressure recirculation to maintain decay heat removal and prevent core damage. This entire HFE is considered as a single critical task within the IDHEAS-ECA framework.

SPAR Model Application

LPI-XHE-XM-RECIRC is a basic event in the low-pressure recirculation fault tree, which is in the LOCA initiating event trees and consequential LOCAs when the reactor coolant system (RCS) is assumed to be sufficiently depressurized to allow low-pressure injection (either due to the LOCA or manual depressurization/cooldown).

Scenario Description/Event Context

The most risk significant scenarios in the base SPAR models associated with this HFE are medium and large LOCAs with successful early injection from low-pressure injection sources. Therefore, the base case evaluation will consider a large LOCA for a Westinghouse plant (i.e., the most common PWR) because the Tavail for this scenario is the most limiting.

When a reactor trip occurs due to a LOCA, the MCR operators will enter procedure E-0, Reactor Trip or SI. The LOCA will result in an SI actuation and operators are directed to transition to procedure E-1, Loss of Reactor or Secondary Coolant, upon their recognition that the cues for a LOCA exist (e.g., high containment pressure, temperature, radiation, sump level, or humidity). Once in E-1, operators have a continuous action step to transfer to ES-1.3, Transfer to Cold Leg Recirculation, when the refueling water storage tank (RWST) reaches its low level setpoint. The low RWST level setpoint is plant specific and is dependent on the size of the RWST and net positive suction head (NPSH) requirements of the ECCS pumps. ES-1.3 directs the execution portion of initiating cold leg recirculation and is performed from the MCR.

The execution steps are also plant specific depending on the type of ECCS pumps available and whether the SI/charging pumps are run in piggy-back mode. In addition, some plants have a semi-automatic recirculation switchover, which requires operator verification of the automatic actions, but limits the number of manual execution steps.

Boundary Conditions

The start of this HFE is when the large LOCA occurs (i.e., T = 0). The base case scenario assumes the required number of accumulators inject and that the minimum number of low-pressure injection trains provide inventory makeup to the RCS. The end of this HFE is the failure of operators to initiate low-pressure recirculation to maintain adequate core cooling, which results in core damage.

Success Criteria

Operators successfully initiate low-pressure recirculation to maintain core cooling prior to RWST emptying and in time to prevent core damage.

Key Cue(s)

- RWST Level

- RWST Low-Low Level Alarm

Procedural Guidance

- E-0, Reactor Trip or SI

- E-1, Loss of Reactor or Secondary Coolant

- ES-1.3, Transfer to Cold Leg Recirculation

CFM Selection

Detection - This task requires the operators to detect the alarms and annunciators associated with the RWST low level.

Understanding - This task requires the operators to understand that the switchover of ECCS flow to low-pressure recirculation before the RWST empties is required to maintain decay heat removal and inventory control to prevent core damage.

Decisionmaking - Decisionmaking is not required for this task because with correct understanding of the event, procedures require operators to initiate the alignment of cold leg recirculation. Therefore, this CFM is not applicable for this task.

Action Execution - This task requires the operators to manually align low-pressure recirculation. This action is accomplished by simple switch manipulations from the MCR.

Interteam Coordination - Interteam coordination is not required for this task because multiple teams would not be involved. Therefore, this CFM is not applicable for this task.

Evaluation of PIFs for Applicable CFMs

CFM1 - Failure of Detection (Base Probability = 1x10-4)

- Scenario Familiarity - No impact because operators are routinely trained on large LOCA scenarios. In addition, this critical task is covered by plant procedures.

- Task Complexity - C1: Detection overload with multiple competing signals (1: Few < 7); There are at least two potentially competing signals, including the annunciators/parameters associated with the (1.) large LOCA and (2.) subsequent reactor trip. Selection of this PIF attribute increases the base probability of this CFM to 3x10-3. This selection may be conservative or nonconservative based on an initial review of the limited amount of supporting data for this PIF attribute. Further review of this data is needed to develop the appropriate guidance.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM2 - Failure of Understanding (Base Probability = 1x10-3)

- Scenario Familiarity - No impact because operators are trained on large LOCA scenarios. In addition, this critical task is covered by plant procedures.

- Information Completeness and Reliability - No impact because RWST level indications are sufficient to diagnose the need to align low-pressure recirculation.

- Task Complexity - No impact because the requirement to manually align low-pressure recirculation before the RWST empties during a LOCA is a fundamental plant operation concept that is specifically covered by plant procedures.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM4 - Failure of Action Execution (Base Probability = 1x10-4)

- Scenario Familiarity - No impact because the execution steps are routinely trained. In addition, this critical task is covered by plant procedures.

- Task Complexity - C31: Straightforward procedure execution with many steps; ES-1.3 procedure covers several pages and covers multiple valve manipulations and potential pumps stops/restarts. Selection of this PIF attribute increases the base probability of this CFM to 1x10-3.

- The other PIFs were determined to have a negligible impact on the base case HFE.

Using these assumptions, Pc is calculated as 5.0x10-3 by summing the probabilities of CFM1 (3x10-3), CFM2 (1x10-3), and CFM4 (1x10-3) probabilistically.

Timing Evaluation

The Tavail was estimated from the time when the cue (low RWST level) becomes available to the time that RWST empties, which would result in air entrainment into the suction of the ECCS pumps and subsequent core damage. This is potentially conservative given operators could have additional time prior to core damage if all ECCS is secured prior to the RWST being fully empty (as directed by procedures).

Extensive timing information is not currently available to NRC analysts for this operator action. However, the following timing estimates from licensee PRAs were available through INL:

| Plant | Treqd | Tavail |
|---|---|---|
| PWR 36 | 14 minutes | 17 minutes |
| PWR 15 | 10 minutes | 20 minutes |
| PWR 19 | 10 minutes | 17 minutes |

From these three examples and the fact that the RWST capacities and containment sump geometries are very plant specific, it is expected that Pt could have significant plant-to-plant differences. In addition, some plants have fully manual actions, while some plants have semi-automatic functions. For example, plants like PWR 15 automatically trip the RHR pumps on low RWST level, which provides additional time for operators to manually align low-pressure recirculation. In contrast, PWR 36's containment sump valves open automatically on low RWST level (but the RWST isolation valves remain open); however, the RHR pumps remain running, which reduces the time available to operators to align low-pressure recirculation prior to air ingestion from the RWST flow path into the RHR pumps. Given these considerations, a Tavail of 17 minutes and a Treqd of 10 minutes were selected. However, sensitivity calculations varying the Tavail time are also provided. The Treqd is not expected to vary significantly for the plants that require fully (or mostly) manual action to align for low-pressure recirculation.

The current IDHEAS-ECA guidance recommends using a lognormal distribution for the time estimates. The selection of the Treqd of 10 minutes was assumed to be the median (i.e., 50th percentile) of the lognormal distribution. Tavail is treated as a single value with no distribution assigned. For the evaluation of this base case HFE, Pt was calculated using an EF of 2 for the lognormal distribution of Treqd, which is considered to be appropriate for actions performed from the MCR based on a preliminary analysis of timing data on MCR operators' response to emergency events in nuclear power plant simulators, including NUREG/IA-0216, NUREG-2156, EPRI NP-6937-L, and simulator data from other sources. This selection results in a Pt of 0.1. At the time of completing this analysis, the guidance on specifying the uncertainty bounds for time estimates in IDHEAS-ECA has not been finalized.

The following sensitivity calculations were performed varying the Tavail with the same Treqd of 10 minutes:

| Tavail | Pt |
|---|---|
| 15 minutes | 0.17 |
| 17 minutes | 0.10 |
| 20 minutes | 5.0x10-2 |
| 25 minutes | 1.5x10-2 |
| 30 minutes | 4.6x10-3 |
| 35 minutes | 1.5x10-3 |
| 40 minutes | 5.0x10-4 |

These results show that the Pt can be the dominant contributor for the base case scenario. Therefore, analysts will need to determine if the base case HFE is appropriate for large LOCA initiating events at the plant being evaluated.

Error Recovery

Error recovery credit is not provided for this task.

Calculated HEP

HEP = 1 - (1 - Pc)(1 - Pt) = 1 - (1 - 5.0x10-3)(1 - 0.1) = 0.1

Technology Variability

A description of the differences associated with alignment of cold leg recirculation for the other two PWR types is provided below:

CE Plants - The alignment for recirculation at CE plants is typically either fully or semi-automatic. If manual actions are required, the procedural direction is provided in the LOCA EOP. The execution steps for the semi-automatic plants typically involve operators manually opening the containment sump valves, closing the RWST isolation valves, and/or removing the lockout of the ECCS pump minimum recirculation valves to allow them to close. Note that some manual execution steps could be procedurally directed prior to reaching the recirculation actuation setpoint.

Both Tavail and Treqd can be significantly shorter than in the base case HFE. Operators could have as little as 5 minutes available; however, the execution may only take a minute or two. Given these smaller times, Pt could be a significant contributor to the overall HEP for the base case scenario for CE plants that require manual action.

B&W Plants - The alignment for recirculation at the five remaining B&W plants is either semi-automatic or fully manual. If manual actions are required, the procedural direction is provided in the EOPs. The execution steps typically involve operators manually opening the containment sump valves and closing the Borated Water Storage Tank isolation valves, and/or removing the lockout of the ECCS pump minimum recirculation valves to allow them to close. Both Tavail and Treqd can be significantly shorter than in the base case HFE. Operators could have as little as 5 minutes available; however, the execution may only take a minute or two. Given these smaller times, Pt could be a significant contributor to the overall HEP for the base case scenario for B&W plants that require manual action.

Based on the similarities of cues and procedures for the three different PWR plant types, no significant differences are expected in the evaluation of Pc for technology differences. However, there could be significant differences in Pt based on timing variabilities associated with the different technologies and plant-specific differences.

Initiating Event Variability

Low-pressure recirculation is queried in all LOCA initiating event and consequential LOCA event trees with the exception of ISLOCAs. Pc is not expected to be significantly different based on the initiating event even with a change in the boundary conditions. For example, most other initiating events that eventually require recirculation would have additional random failures, which would introduce competing signals (i.e., the selection of C1: Detection overload with multiple competing signals (1: Few < 7) would be warranted). However, the boundary conditions for initiating low-pressure recirculation may have changed given an earlier successful operator action (e.g., successful initiation of feed and bleed cooling), which would render any potential change as not applicable.

Changes to the overall HEP will be dominated by how much Pt decreases for these other scenarios. However, some medium LOCA scenarios may not have significant additional time available to operators and, therefore, the base case HEP would be appropriate for use.

Additional Scenario Variability

Analysts should review the dominant cutsets to see if any basic events may result in unaccounted-for complexities associated with detecting cues, decisionmaking, and execution. Examples of scenario variabilities that could justify changes to the base case IDHEAS-ECA evaluation include:

- Cutsets with basic events that affect RWST level instrumentation should be accounted for in the evaluation of the PIFs associated with the Detection CFM.

- Cutsets with basic events that could affect decisionmaking would require including the Decisionmaking CFM in the analysis.

- Cutsets that have operator actions that occur before the requirement for initiation of cold leg recirculation can change the boundary conditions and, therefore, the HFE should be reevaluated to account for these differences.

- Cutsets with ECCS train failures/unavailabilities could change the time until the cue is received and/or time available until the RWST empties and, therefore, the HFE may need to be reevaluated to account for these differences.

Key Uncertainties

The following key uncertainties were identified:

- The Tavail estimates are very plant-specific and, therefore, the use of industry-wide HEPs for and low-pressure recirculation could under- or over-estimate the risk impact for applicable scenarios.

- The selection of the appropriate EF for the timing estimates can have a significant effect on the Pt and the overall HEP. In general, the empirical studies referenced in the timing evaluations involved specific scenarios involving procedurally-driven MCR operator actions; however, these studies did not fully investigate the full range of scenario variabilities associated with the analyzed HFE and, therefore, the selection of the EF of 2 for Treqd is an uncertainty associated with this evaluation. The guidance for the selection of the EFs associated with timing estimates is still under development.

- The selection of the PIF attribute C1: Detection overload with multiple competing signals (1: Few < 7) for the Detection CFM is potentially conservative or nonconservative. An initial review indicated that the limited supporting data may not support this PIF attribute as it is currently constituted (e.g., how signals are defined, how multiple indications and alarms are binned into a single signal, and the potential for decay of a signal as time passes). Further review of this data is needed to develop guidance associated with selection of this PIF attribute. If this PIF attribute is not selected, the Pc for this action would decrease to 2x10-3, but the overall HEP would be unaffected because Pt is the dominant contributor.

3.3.3 Operators Fail to Initiate High-Pressure Recirculation

HFE Name

HPI-XHE-XM-RECIRC

HFE Definition

Operators fail to align high-pressure recirculation to maintain decay heat removal and prevent core damage. This entire HFE is considered as a single critical task within the IDHEAS-ECA framework.

SPAR Model Application

HPI-XHE-XM-RECIRC is a basic event in the high-pressure recirculation fault tree, which is in every PWR event tree except large LOCA, ISLOCAs, and reactor vessel rupture scenarios. In addition, high-pressure recirculation is not queried in medium LOCA event trees in some PWR SPAR models. The HPR fault tree is queried when (a) AFW has failed and feed and bleed cooling is successful or (b) a small or medium LOCA has occurred (either due to an initiating event, stuck-open PORV, or failed RCP seals).

Scenario Description/Event Context

The most risk significant scenarios in the base SPAR models associated with these HFEs are medium LOCAs with break sizes that are insufficient to depressurize the RCS with successful early injection from high-pressure injection sources. Therefore, the base case evaluation will consider a medium LOCA for a Westinghouse plant (i.e., the most common PWR) because the Tavail for this scenario is the most limiting.

When a reactor trip occurs due to a LOCA, the MCR operators will enter procedure E-0, Reactor Trip or SI. The LOCA will result in an SI actuation and operators are directed to transition to procedure E-1, Loss of Reactor or Secondary Coolant, upon their recognition that the cues for a LOCA exist (e.g., high containment pressure, temperature, radiation, sump level, or humidity). Once in E-1, operators have a continuous action step to transfer to ES-1.3, Transfer to Cold Leg Recirculation, when the RWST reaches its low level setpoint. The low RWST level setpoint is plant specific and is dependent on the size of the RWST and NPSH requirements of the ECCS pumps. ES-1.3 directs the execution portion of initiating cold leg recirculation and is performed from the MCR. The execution steps are also plant specific depending on the type of ECCS pumps available and whether the SI/charging pumps are run in piggy-back mode. In addition, some plants have a semi-automatic recirculation switchover, which requires operator verification of the automatic actions, but limits the number of manual execution steps.

Boundary Conditions

The start of this HFE is when the medium LOCA occurs (i.e., T = 0). The base case assumes high-pressure injection is sufficient to provide adequate inventory makeup to the RCS. The end of this HFE is the failure of operators to initiate high-pressure recirculation to maintain adequate core cooling, which results in core damage.

Success Criteria

Operators successfully initiate high-pressure recirculation to maintain core cooling prior to RWST emptying and in time to prevent core damage.

Key Cue(s)

- RWST Level

- RWST Low-Low Level Alarm

Procedural Guidance

- E-0, Reactor Trip or SI

- E-1, Loss of Reactor or Secondary Coolant

- ES-1.3, Transfer to Cold Leg Recirculation

CFM Selection

Detection - This task requires the operators to detect the alarms and annunciators associated with the RWST low level.

Understanding - This task requires the operators to understand that the switchover of ECCS flow to high-pressure recirculation before the RWST empties is required to maintain decay heat removal and inventory control to prevent core damage.

Decisionmaking - Decisionmaking is not required for this task because with correct understanding of the event, procedures require operators to initiate the alignment of high-pressure recirculation. Therefore, this CFM is not applicable for this task.

Action Execution - This task requires the operators to manually align high-pressure recirculation. This action is accomplished by simple switch manipulations from the MCR.

Interteam Coordination - Interteam coordination is not required for this task because multiple teams would not be involved. Therefore, this CFM is not applicable for this task.

Evaluation of PIFs for Applicable CFMs

CFM1 - Failure of Detection (Base Probability = 1x10-4)

- Scenario Familiarity - No impact because operators are routinely trained on medium LOCA scenarios. In addition, this critical task is covered by plant procedures.

- Task Complexity - C1: Detection overload with multiple competing signals (1: Few < 7); There are at least two potentially competing signals, including the annunciators/parameters associated with the (1.) medium LOCA and (2.) subsequent reactor trip. Selection of this PIF attribute increases the base probability of this CFM to 3x10-3. This selection may be conservative or nonconservative based on an initial review of the limited amount of supporting data for this PIF attribute. Further review of this data is needed to develop the appropriate guidance.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM2 - Failure of Understanding (Base Probability = 1x10-3)

- Scenario Familiarity - No impact because operators are trained on medium LOCA scenarios. In addition, this critical task is covered by plant procedures.

- Information Completeness and Reliability - No impact because RWST level indications are sufficient to diagnose the need to align high-pressure recirculation.

- Task Complexity - No impact because the requirement to manually align high-pressure recirculation before the RWST empties during a LOCA is a fundamental plant operation concept that is specifically covered by plant procedures.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM4 - Failure of Action Execution (Base Probability = 1x10-4)

- Scenario Familiarity - No impact because the execution steps are routinely trained. In addition, this critical task is covered by plant procedures.

- Task Complexity - C31: Straightforward procedure execution with many steps; ES-1.3 procedure covers several pages and covers multiple valve manipulations and potential pumps stops/restarts. Selection of this PIF attribute increases the base probability of this CFM to 1x10-3.

- The other PIFs were determined to have a negligible impact on the base case HFE.

Using these assumptions, Pc is calculated as 5.0x10-3 by summing the probabilities of CFM1 (3x10-3), CFM2 (1x10-3), and CFM4 (1x10-3) probabilistically.

Timing Evaluation

Since the execution steps for high-pressure recirculation are the same (or very similar) as those for low-pressure recirculation, the same Treqd of 10 minutes is assumed for this task. Timing information for medium LOCAs with break sizes that are insufficient to depressurize the RCS is not readily available. Sensitivity calculations show that Pt will be a negligible contributor to the overall HEP if Tavail is at least 40 minutes (i.e., Pt is approximately 10 percent or less of Pc if Tavail is 40 minutes or greater). In addition, Pt will not become the dominant contributor (i.e., greater than Pc) to the overall HEP unless Tavail is less than 30 minutes. It is expected that all medium LOCAs with Tavail values less than 30 minutes will result in the RCS being depressurized and, therefore, high-pressure injection/recirculation would be insufficient to prevent core damage. For the purposes of this evaluation, the Tavail is assumed to be greater than 40 minutes for the base case evaluation and, therefore, Pt is assumed to be negligible for this task.
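The Pt values in the Tavail sensitivity table of Section 3.3.2 and the 30- and 40-minute thresholds quoted in the timing evaluation above can be reproduced numerically. The Python sketch below is an added example, not NRC or IDHEAS-ECA code; it assumes the EF is the ratio of the 95th percentile to the median of the lognormal Treqd distribution (an assumption that reproduces the report's table), and all function names are illustrative.

```python
"""Added example: reproduce the report's Pt, Pc and HEP figures."""
from math import exp, log, prod
from statistics import NormalDist

_STD_NORMAL = NormalDist()
Z95 = _STD_NORMAL.inv_cdf(0.95)  # standard normal 95th percentile, about 1.645


def lognormal_sigma(error_factor):
    """Log-space standard deviation, ASSUMING EF = 95th percentile / median."""
    return log(error_factor) / Z95


def p_time(t_avail, t_reqd_median, error_factor=2.0):
    """Pt = P(Treqd > Tavail); Treqd is lognormal, Tavail is a single value."""
    z = log(t_avail / t_reqd_median) / lognormal_sigma(error_factor)
    return _STD_NORMAL.cdf(-z)  # upper tail, taken as the mirrored lower tail


def p_cognitive(cfm_probabilities):
    """Pc: CFM failures combined as independent events, 1 - prod(1 - p_i)."""
    return 1.0 - prod(1.0 - p for p in cfm_probabilities)


def hep(pc, pt):
    """Overall HEP = 1 - (1 - Pc)(1 - Pt), as used in the report."""
    return 1.0 - (1.0 - pc) * (1.0 - pt)


def t_avail_for(pt_target, t_reqd_median, error_factor=2.0):
    """Tavail at which Pt equals pt_target (inverse of p_time)."""
    z = -_STD_NORMAL.inv_cdf(pt_target)
    return t_reqd_median * exp(z * lognormal_sigma(error_factor))


def sensitivity(t_avails, t_reqd_median=10.0, error_factor=2.0):
    """Pt for each Tavail, as in the Section 3.3.2 sensitivity table."""
    return {t: p_time(t, t_reqd_median, error_factor) for t in t_avails}


if __name__ == "__main__":
    # CFM1 with C1 selected, CFM2, CFM4 with C31 selected (values from the report)
    pc = p_cognitive([3e-3, 1e-3, 1e-3])
    print(f"Pc = {pc:.1e}")
    for t, pt in sensitivity([15, 17, 20, 25, 30, 35, 40]).items():
        print(f"Tavail = {t:2d} min  Pt = {pt:.1e}  HEP = {hep(pc, pt):.1e}")
    # Tavail below which Pt exceeds Pc, i.e. Pt becomes the dominant contributor
    print(f"Pt = Pc at Tavail = {t_avail_for(pc, 10.0):.1f} min")
```

Changing `error_factor` shows how strongly Pt depends on the EF choice that the key uncertainties identify as still under development.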

Error Recovery

Error recovery credit is not provided for this task.

Calculated HEP

HEP = 1 - (1 - Pc)(1 - Pt) = 1 - (1 - 5.0x10-3)(1 - 0) = 5x10-3

Technology Variability

A description of the differences associated with alignment of high-pressure recirculation for the other two PWR types is provided below:

CE Plants - The alignment for recirculation at CE plants is typically either fully or semi-automatic. If manual actions are required, the procedural direction is provided in the LOCA EOP. The execution steps for the semi-automatic plants typically involve operators manually opening the containment sump valves, closing the RWST isolation valves, and/or removing the lockout of the ECCS pump minimum recirculation valves to allow them to close. Note that some manual execution steps could be procedurally directed prior to reaching the recirculation actuation setpoint.

Both Tavail and Treqd can be significantly shorter than in the base case HFE. Operators could have as little as 5 minutes available; however, the execution may only take a minute or two. Given these smaller times, Pt could be a significant contributor to the overall HEP for the base case scenario for CE plants that require manual action.

B&W Plants - The alignment for recirculation at the five remaining B&W plants is either semi-automatic or fully manual. If manual actions are required, the procedural direction is provided in the EOPs. The execution steps typically involve operators manually opening the containment sump valves and closing the Borated Water Storage Tank isolation valves, and/or removing the lockout of the ECCS pump minimum recirculation valves to allow them to close. Both Tavail and Treqd can be significantly shorter than in the base case HFE. Operators could have as little as 5 minutes available; however, the execution may only take a minute or two. Given these smaller times, Pt could be a significant contributor to the overall HEP for the base case scenario for B&W plants that require manual action.

Based on the similarities of cues and procedures for the three different PWR plant types, no significant differences are expected in the evaluation of Pc for technology differences. However, there could be significant differences in Pt based on timing variabilities associated with the different technologies and plant-specific differences.

Initiating Event Variability

High-pressure recirculation is queried in all the LOCA initiating event and consequential LOCA event trees with the exception of large LOCAs, ISLOCAs, and reactor vessel rupture scenarios. High-pressure recirculation is also queried in most internal event transient trees for sequences where feed and bleed cooling has been initiated. Pc is not expected to be significantly different based on the initiating event even with a change in the boundary conditions. For example, most other initiating events that eventually require recirculation would have additional random failures, which would introduce competing signals (i.e., the selection of C1: Detection overload with multiple competing signals (1: Few < 7) would be warranted). However, the boundary conditions for initiating cold leg recirculation may have changed given an earlier successful operator action (e.g., successful initiation of feed and bleed cooling), which would render any potential change as not applicable.

Significant changes to the overall HEP will be limited to scenarios where Tavail is 40 minutes or less. Small LOCA scenarios and transients where feed and bleed cooling is initiated are expected to have Tavail estimates greater than 40 minutes and, therefore, Pt would be a negligible contributor to the overall HEP. For example, small LOCA scenarios at PWR 15 and PWR 19 would have a Tavail of approximately 118 minutes and 54 minutes, respectively. Some medium LOCA scenarios at certain plants may have Tavail estimates between 30-40 minutes. For these plants, Pt may have a significant impact on the overall HEP.

Additional Scenario Variability

Analysts should review the dominant cutsets to see if any basic events may result in unaccounted-for complexities associated with detecting cues, decisionmaking, and execution. Examples of scenario variabilities that could justify changes to the base case IDHEAS-ECA evaluation include:

- Cutsets with basic events that affect RWST level instrumentation should be accounted for in the evaluation of the PIFs associated with the Detection CFM.

- Cutsets with basic events that could affect decisionmaking would require including the Decisionmaking CFM in the analysis.

- Cutsets that have operator actions that occur before the requirement for initiation of cold leg recirculation can change the boundary conditions and, therefore, the HFE should be reevaluated to account for these differences.

- Cutsets with ECCS train failures/unavailabilities could change the time until the cue is received and/or time available until the RWST empties and, therefore, the HFE may need to be reevaluated to account for these differences.

Key Uncertainties

The following key uncertainties were identified:

- The selection of the appropriate EF for the timing estimates can have a significant effect on the Pt and the overall HEP. In general, the empirical studies referenced in the timing evaluations involved specific scenarios involving procedurally-driven MCR operator actions; however, these studies did not fully investigate the full range of scenario variabilities associated with the analyzed HFE and, therefore, the selection of the EF of 2 for Treqd is an uncertainty associated with this evaluation. The guidance for the selection of the EFs associated with timing estimates is still under development.

- The selection of the PIF attribute C1: Detection overload with multiple competing signals (1: Few < 7) for the Detection CFM is potentially conservative or nonconservative. An initial review indicated that the limited supporting data may not support this PIF attribute as it is currently constituted (e.g., how signals are defined, how multiple indications and alarms are binned into a single signal, and the potential for decay of a signal as time passes). Further review of this data is needed to develop guidance associated with selection of this PIF attribute. If this PIF attribute is not selected, the Pc for this action would decrease to 2x10-3, but the overall HEP would be unaffected because Pt is the dominant contributor.

3.3.4 Operators Fail to Trip the RCPs

HFE Name

RCS-XHE-XM-RCPTRIP

HFE Definition

Operators fail to trip the RCPs after loss of seal injection and thermal barrier cooling. This entire HFE is considered as a single critical task within the IDHEAS-ECA framework.

SPAR Model Application

RCS-XHE-XM-RCPTRIP is a basic event in the loss of RCP seal cooling fault tree, which is queried in the event trees for most initiating events except LOOPs and LOCAs.

Note that the LOOPs are not of concern since the RCPs are deenergized at the onset of the initiator. The loss of RCP seal cooling fault tree is queried when there is a successful reactor trip, AFW is successful, and the pressurizer PORVs successfully close (if opened).

Scenario Description/Event Context

The most risk significant scenarios that include the need to trip the RCPs are typically loss of service water and/or component cooling water (CCW) initiating events that result in a loss of both seal injection and thermal barrier cooling to the RCPs. Note that some plants may not lose all RCP seal injection and thermal barrier cooling with a loss of CCW and, therefore, a loss of service water due to the simultaneous failure of the service water pumps is selected as the base case for this evaluation for a Westinghouse plant (i.e., the most common PWR). Note that service water systems have different names depending on the plant (e.g., nuclear service cooling water, raw cooling water, etc.).

When a loss of service water occurs, MCR operators will enter the associated abnormal occurrence procedure (AOP), which will direct them to manually trip the reactor and trip the RCPs. Note that the context for the failure to trip the RCPs HFE assumes that the operators have already identified a loss of service water and manually tripped the reactor.

Boundary Conditions

The start of this HFE is a loss of service water initiating event (i.e., t = 0). Operators will be directed by procedures to manually trip the reactor and the RCPs. The base case scenario assumes the reactor successfully trips, AFW is successful, and the pressurizer PORVs reclose (if demanded). The end of this HFE is the failure of operators to trip the RCPs in sufficient time to prevent catastrophic RCP seal failure resulting in a LOCA.

Success Criteria

Operators successfully trip the RCPs prior to exceeding thermal limits for the seals.

Key Cue(s)

- Annunciators associated with loss of service water (e.g., service water pump trips, low service water system flow/pressure)

- High RCP temperature alarms

Procedural Guidance

- AOP for Loss of Service Water

- E-0, Reactor Trip or SI

- ES-0.1, Reactor Trip Response

CFM Selection

Detection - This task requires the operators to detect the alarms and annunciators associated with a loss of service water.

Understanding - This task requires the operators to understand that a loss of service water will result in a loss of cooling to the RCPs and other SSCs and, therefore, the RCPs must be tripped to prevent a seal LOCA.

Decisionmaking - Decisionmaking is not required for this task because with correct understanding of the event, the procedure requires operators to manually trip the RCPs.

Action Execution - This task requires the operators to manually trip the RCPs. This action is accomplished by simple switch manipulations from the MCR.

Interteam Coordination - Interteam coordination is not required for this task because multiple teams would not be involved. Therefore, this CFM is not applicable for this task.

Evaluation of PIFs for Applicable CFMs

CFM1 - Failure of Detection (Base Probability = 1x10^-4)

- Scenario Familiarity - No impact because operators are routinely trained on loss of service water events. In addition, this critical task is covered by plant procedures.

- Task Complexity - No impact because the base case scenario does not have competing signals. Note that multiple alarms associated with the same function (e.g., service water) are considered to be one signal.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM2 - Failure of Understanding (Base Probability = 1x10^-3)

- Scenario Familiarity - No impact because operators are trained on loss of service water events. In addition, this critical task is covered by plant procedures.

- Information Completeness and Reliability - No impact because MCR alarms and annunciators are sufficient to diagnose loss of service water events.

- Task Complexity - No impact because the necessity of service water to maintain RCP seal injection and cooling is a fundamental plant operation concept that is specifically covered by plant procedures.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM4 - Failure of Action Execution (Base Probability = 1x10^-4)

- Scenario Familiarity - No impact because the execution steps are routinely trained. In addition, this critical task is covered by plant procedures.

- Task Complexity - No impact because the execution steps are straightforward (i.e., MCR switch manipulations) and proceduralized.

- The other PIFs were determined to have a negligible impact on the base case HFE.

Using these assumptions, Pc is calculated as 1.2x10^-3 by summing the probabilities of CFM1 (1x10^-4), CFM2 (1x10^-3), and CFM4 (1x10^-4) probabilistically.

Timing Evaluation

The Tavail was estimated from the time when the cue (loss of service water at t = 0) becomes available to the time that RCP seals are assumed to fail if operators do not trip the pumps. This time is 13 minutes, based on information provided in WCAP-15603, Revision 1, "WOG 2000 Reactor Coolant Pump Seal Leakage Model for Westinghouse PWRs" and associated NRC staff safety evaluation (ML031400376).

Note that different RCP and shutdown seal types could result in less or more time available prior to seal failure given a loss of all seal injection and cooling. Based on licensee information for PWR 19 and PWR 36, it is assumed that it would take operators 3 minutes to enter the applicable AOP and trip the reactor prior to reaching the procedural step to trip the RCPs. Therefore, a Tavail of 10 minutes was selected for the base case HFE. The Treqd is estimated to be 1 minute based on licensee PRA information.

The current IDHEAS-ECA guidance recommends using a lognormal distribution for the time estimates. The selection of the Treqd of 1 minute was assumed to be the median (i.e., 50th percentile) of the lognormal distribution. Tavail is treated as a single value with no distribution assigned for the base case; the potential variabilities of other initiating events are considered and discussed in the Initiating Event Variability section. For the evaluation of this base case HFE, Pt was calculated using an EF of 2 for the lognormal distribution of Treqd, which is considered to be appropriate for actions performed from the MCR based on a preliminary analysis of timing data for MCR operator response to emergency events in nuclear power plant simulators, including NUREG/IA-0216, NUREG-2156, EPRI NP-6937-L, and simulator data from other sources. This selection results in a Pt of 2.3x10^-8. At the time of completing this analysis, the guidance on specifying the uncertainty bounds for time estimates in IDHEAS-ECA has not been finalized.

Error Recovery

Error recovery credit is not provided for this task.

Calculated HEP

HEP = 1 - (1 - Pc)(1 - Pt) = 1 - (1 - 1.2x10^-3)(1 - 2.3x10^-8) = 1x10^-3

Technology Variability

A description of the differences associated with the requirement to trip the RCPs for the other two PWR types is provided below:

CE Plants - If seal injection is available when CCW is lost, operators are directed to trip the RCPs within 10 minutes. However, this action is associated with preventing damage to the RCP motor and is not required to maintain RCP seal integrity. For scenarios where both seal injection and CCW are lost, operators are directed to trip the RCPs within 3 minutes and isolate control bleed off to maintain RCP seal integrity. The exact time to RCP seal failure is currently unknown, but it is believed to be approximately 20 minutes.

B&W Plants - Similar to Westinghouse plants, a loss of both RCP seal injection and cooling necessitates tripping the RCPs. The "If at Any Time" steps on a foldout page of the EOPs provide the conditions for tripping the RCPs. Therefore, the operators are directed to trip the RCPs when those conditions are met. Discussions with TTC staff indicate that operators would normally be expected to trip the RCPs within 5 minutes of the loss of seal injection and cooling. Licensee information for PWR 16 indicates that seal failure would not occur until 30 minutes.

Although there are some minor differences, there are not expected to be significant differences in the evaluation of Pc between the three PWR types. In addition, it is likely that the Pt estimates will be similar to the Westinghouse plants; however, plant-specific differences (i.e., when operators are procedurally directed to trip the RCPs and how long operators have until the RCP seals fail) could require the reevaluation of Pt.

Initiating Event Variability

Other initiating events involving systems that would result in a loss of RCP seal cooling and injection prior to reactor trip (i.e., loss of CCW or equivalent system) will likely have an HEP similar to the base case evaluation as long as the procedure immediate actions direct the MCR operators to trip the RCPs immediately. Transient initiating events in which the reactor trips prior to the loss of the RCP seal cooling and injection will require modifications to the evaluation for this HFE. First, the selection of C1: Detection overload with multiple competing signals (1: Few < 7) for Detection (CFM1) Task Complexity may be warranted due to the competing signals from the transient, subsequent reactor trip, and failure of systems associated with RCP seal cooling and injection. This selection would result in Pc increasing to 2.1x10^-3. In addition, unlike the base case where the AOP will direct operators to trip the reactor and the RCPs immediately, operators will enter E-0 and ES-0.1, which focus on post-trip immediate action steps initially. The procedural direction to trip the RCPs will come later (compared to the base case) and varies depending on the plant. There is not extensive information available for Tavail for these scenarios. It is estimated that operators would be directed to trip the RCPs as early as 5 minutes and as late as 10 minutes. Note that the alarms/annunciators associated with RCP bearing temperatures and seal leak-off rates may come in prior to the EOP guidance to trip the RCPs. The associated alarm/annunciator procedures may provide direction to trip the RCPs. However, operators may be too busy with the EOP steps to get to these procedures in the first 10 minutes of the event. Therefore, the cues and direction are not explicitly considered in the evaluation. Given this information, Tavail values of 8 and 3 minutes with the assumed Treqd of 1 minute result in Pt values of 4.0x10^-7 and 5x10^-3, respectively. Therefore, Pt can become a significant contributor for initiating events that result in reactor trip prior to a loss of RCP seal injection and cooling.

Additional Scenario Variability

Analysts should review the dominant cutsets to see if any basic events may result in unaccounted-for complexities associated with cues, decisionmaking, and execution.

Examples of scenario variabilities that could justify changes to the base case IDHEAS-ECA evaluation include:

- Cutsets with basic events that affect instrumentation associated with systems that provide RCP seal cooling and injection should be accounted for in the evaluation of the PIFs associated with the Detection CFM.

- Cutsets with basic events that affect instrumentation associated with RCP seal cooling and injection (e.g., bearing temperature alarms, seal injection flow, etc.) should be accounted for in the evaluation of the PIFs associated with the Detection CFM.

- Cutsets with basic events that could affect decisionmaking would require including the Decisionmaking CFM in the analysis.

- Cutsets that have operator actions that occur before the requirement for tripping the RCPs can change the boundary conditions and, therefore, the HFE should be reevaluated to account for these differences.

Key Uncertainties

The following key uncertainties were identified:

- The information available to select Treqd is limited. It is expected that Pt will be the dominant contributor for initiating events that result in reactor trip prior to a loss of RCP seal injection and cooling because the cue (i.e., the procedure step) for tripping the RCPs will be received later than a loss of RCP seal cooling and injection prior to a reactor trip. Therefore, precise information on Treqd is needed to ensure the HEP is appropriate.

- The selection of the appropriate EF for the timing estimates can have a significant effect on the Pt and the overall HEP. In general, the empirical studies referenced in the timing evaluations involved specific scenarios involving procedurally-driven MCR operator actions; however, these studies did not fully investigate the full range of scenario variabilities associated with the analyzed HFE and, therefore, the selection of the EF of 2 for Treqd is an uncertainty associated with this evaluation. The guidance for the selection of the EFs associated with timing estimates is still under development.

3.3.5 Operators Fail to Initiate Reactor Depressurization

HFE Name

ADS-XHE-XM-MDEPR

HFE Definition

Operators fail to initiate reactor depressurization following a loss of all high-pressure injection or SPC prior to core damage. This entire HFE is considered as a single critical task within the IDHEAS-ECA framework.

SPAR Model Application

ADS-XHE-XM-MDEPR is a basic event in the manual reactor depressurization fault tree, which is queried in all BWR event trees except those associated with some loss of reactor coolant scenarios (e.g., large LOCA, ISLOCAs, and reactor vessel rupture).

The manual reactor depressurization fault tree is queried when (1) there is a successful reactor trip, and (2) both reactor core isolation cooling (RCIC) and high-pressure coolant injection (HPCI) or high-pressure core spray (HPCS) fail to provide high-pressure injection. In addition, manual reactor depressurization is queried later in accident sequences when a source of high-pressure injection is successful, but SPC fails.

Scenario Description/Event Context

The most likely scenarios that require manual reactor depressurization include those initiating events that result in a loss of reactor feedwater (e.g., loss of feedwater, loss of condenser heat sink, and LOOP) or loss of AC/DC bus scenarios that can fail both reactor feedwater and either RCIC or HPCI. Based on past ECAs, the most likely risk significant scenario is typically a loss of condenser heat sink at a General Electric (GE) Type 4 NPP (i.e., the most common BWR) and, therefore, is selected as the base case for this evaluation. This base case focuses on the requirement for early reactor depressurization given failure/inadequate initial high-pressure injection. The later depressurization requirement due to the failure of SPC is evaluated as part of the scenario variabilities.

When a loss of condenser heat sink resulting in a reactor trip occurs, MCR operators will enter the Reactor Pressure Vessel (RPV) Control EOP to control reactor water level and pressure. Operators will continue monitoring reactor water level and attempt to restore and maintain reactor water level in the normal post-trip level band using the preferred high-pressure injection systems. These preferred systems may include feedwater, RCIC, HPCI, and the control rod drive (CRD) pumps. In the base case scenario, feedwater, HPCI and RCIC are not available. Typically, the SPAR models do not credit CRD pumps as sufficient to be the sole source of high-pressure injection.

However, some SPAR models do provide credit where thermal-hydraulic calculations have shown that the CRD pumps are a sufficient source of early high-pressure injection. The availability of CRD injection early in the accident sequence will be evaluated as part of the scenario variabilities.

If the preferred high-pressure injection systems are unavailable or unable to maintain water level within the normal or expanded post-trip level band, operators will lower reactor pressure using an available pressure control system (e.g., turbine bypass valves, safety relief valves, HPCI, RCIC, etc.) while maintaining a cooldown rate of less than 100°F per hour. It is assumed the turbine bypass valves are unavailable due to the main steam isolation valves being closed for the base case scenario. If operators are unable to maintain the minimum reactor water level (i.e., top of active fuel), they are directed by the RPV Control EOP to emergency depressurize the reactor by manually opening all available automatic depressurization system (ADS) valves. Note that operators are required to have at least one train of low-pressure injection running prior to performing the emergency depressurization. It is expected that the low-pressure coolant injection (LPCI) and low-pressure core spray (LPCS) pumps will be running due to reactor water level reaching the Level 1 setpoint, which results in an automatic start of these systems. If LPCI and LPCS are unavailable, operators will manually start another preferred injection system (e.g., RHR). If a preferred system is unavailable, operators will use an alternate source of injection (e.g., firewater, standby liquid control, etc.). As a SPAR model simplification, ADS-XHE-XM-MDEPR and the associated depressurization fault tree logic assume that there is insufficient time available to perform the initial pressure reduction using normal systems prior to the requirement for emergency depressurization using all available ADS valves. This modeling assumption is potentially conservative for some scenarios (e.g., scenarios where CRD flow is maximized may offer sufficient time for normal pressure reduction methods prior to reactor water level reaching the set point requiring emergency reactor depressurization for some plants).

Boundary Conditions

The start of this HFE is when the loss of condenser heat sink results in a subsequent reactor trip (i.e., t = 0). The base case scenario assumes that RCIC and HPCI are failed or unavailable from the beginning of the event. In addition, CRD is assumed to be unavailable, but note that early CRD is not queried in most BWR SPAR models. Either LPCI and/or LPCS are assumed to have automatically started when reactor water level reaches the Level 1 setpoint. These systems are assumed to remain running throughout this scenario (i.e., it is not expected that operators would need to manually start a low-pressure injection system prior to initiating emergency depressurization).

The end of this HFE is the failure of operators to depressurize the reactor in time to allow for the low-pressure injection systems to prevent core damage.

Success Criteria

Operators successfully depressurize the reactor within sufficient time to allow a low-pressure injection source to prevent core damage.

Key Cue(s)

- Reactor water level and associated annunciators

- Annunciators associated with failures of RCIC and HPCI (e.g., pump isolation trip, turbine trip, pump discharge low flow, etc.)

Procedural Guidance

- RPV Control EOP

CFM Selection

Detection - This task requires the operators to detect the alarms and annunciators associated with reactor water level and the failure of high-pressure injection (RCIC and HPCI).

Understanding - This task requires the operators to understand that without a source of high-pressure injection available, they must initiate a manual reactor depressurization to allow for a source of low-pressure injection to prevent core damage.

Decisionmaking - Decisionmaking is not required for this task because with correct understanding of the event, procedures require operators to initiate a manual reactor depressurization. Therefore, this CFM is not applicable for this task.

Action Execution - This task requires the operators to manually depressurize the reactor by opening the ADS valves. This action is accomplished by simple switch manipulations from the MCR.

Interteam Coordination - Interteam coordination is not required for this task because multiple teams would not be involved. Therefore, this CFM is not applicable for this task.

Evaluation of PIFs for Applicable CFMs

CFM1 - Failure of Detection (Base Probability = 1x10^-4)

- Scenario Familiarity - No impact because operators are routinely trained on losses of high-pressure injection. In addition, this critical task is covered by plant procedures.

- Task Complexity - C1: Detection overload with multiple competing signals (1: Few < 7); There are at least four potentially competing signals, including the annunciators/parameters associated with the (1) transient, (2) subsequent reactor trip, (3) failure of RCIC, and (4) failure of HPCI. Selection of this PIF attribute increases the base probability of this CFM to 3x10^-3. This selection may be conservative or nonconservative based on an initial review of the limited amount of supporting data for this PIF attribute. Further review of this data is needed to develop the appropriate guidance.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM2 - Failure of Understanding (Base Probability = 1x10^-3)

- Scenario Familiarity - No impact because operators are trained on losses of high-pressure injection. In addition, this critical task is covered by plant procedures.

- Information Completeness and Reliability - No impact because reactor water level and indications of the failure of RCIC/HPCI are sufficient to diagnose a loss of high-pressure injection.

- Task Complexity - No impact because the requirement to manually depressurize the reactor when high-pressure injection is not available is a fundamental plant operation concept that is specifically covered by plant procedures.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM4 - Failure of Action Execution (Base Probability = 1x10^-4)

- Scenario Familiarity - No impact because the execution steps are routinely trained. In addition, this critical task is covered by plant procedures.

- Task Complexity - No impact because the execution steps are straightforward (i.e., MCR switch manipulations) and proceduralized.

- The other PIFs were determined to have a negligible impact on the base case HFE.

Using these assumptions, Pc is calculated as 4.1x10^-3 by summing the probabilities of CFM1 (3x10^-3), CFM2 (1x10^-3), and CFM4 (1x10^-4) probabilistically.

Timing Evaluation

The Tavail was estimated from the time when the cue (reactor water level reaches the requirement for emergency depressurization) becomes available to the time that depressurization is sufficient to allow for a low-pressure injection system to restore reactor inventory to prevent core damage. Extensive timing information is not currently available to NRC analysts for this operator action. However, timing estimates from the BWR 7 licensee PRA were available through INL. The licensee MAAP calculation for a transient with a loss of feedwater, assumed to initiate at t = 0, indicates that reactor water level will reach the emergency depressurization limit in approximately 25 minutes after the initiating event occurred (i.e., t = 25 minutes). Core damage would be reached approximately 21 minutes later (i.e., approximately 46 minutes after the initiating event occurred or t = 46 minutes). Therefore, a Tavail of 21 minutes, which is the time between reaching the emergency depressurization limit and core damage, was selected for the base case HFE. Note that this estimate does not account for the time needed to depressurize the reactor to allow for the low-pressure systems to inject. However, sensitivity calculations show that Pt will be a negligible contributor to the overall HEP if Tavail is at least 8 minutes (i.e., Pt is approximately 10 percent or less of Pc if Tavail is 8 minutes or greater). The time to depressurize is currently unknown; however, it is not expected to reduce the Tavail to less than 10 minutes.

The following table provides Treqd estimates for opening all ADS valves from the MCR (i.e., simple switch manipulations) from licensee PRA data available to INL:

| Plant | Treqd |
| --- | --- |
| BWR 7 | 2.5 minutes |
| BWR 25 | 2 minutes |
| BWR 5 | 1 minute |

These estimates range from 1 to 2.5 minutes. Given this information, a Treqd of 2 minutes was selected for the base case HFE.

The current IDHEAS-ECA guidance recommends using a lognormal distribution for the time estimates. The selection of the Treqd of 2 minutes was assumed to be the median (i.e., 50th percentile) of the lognormal distribution. Tavail is treated as a single value with no distribution assigned for the base case; the potential variabilities of other initiating events are considered and discussed in the Initiating Event Variability section. For the evaluation of this base case HFE, Pt was calculated using an EF of 2 for the lognormal distribution of Treqd, which is considered to be appropriate for actions performed from the MCR based on a preliminary analysis of timing data for MCR operator response to emergency events in nuclear power plant simulators, including NUREG/IA-0216, NUREG-2156, EPRI NP-6937-L, and simulator data from other sources. This selection results in a Pt of 1.2x10^-8. At the time of completing this analysis, the guidance on specifying the uncertainty bounds for time estimates in IDHEAS-ECA has not been finalized.

Error Recovery

Error recovery credit is not provided for this task.

Calculated HEP

HEP = 1 - (1 - Pc)(1 - Pt) = 1 - (1 - 4.1x10^-3)(1 - 1.2x10^-8) = 4x10^-3

Technology Variability

There are two additional BWR types that include this HFE in the SPAR models. Since both of these types are GE plants, the cues and procedures for lowering reactor water level are expected to be the same (or similar) and, therefore, it is expected the MCR operators would respond similarly. These similarities would not likely result in significant differences in the evaluation of Pc for the other GE plants. A discussion of the differences associated with the other BWR plant types and their potential effects is provided below:

GE Type 2 - For the base case scenario, GE Type 2 plants with isolation condensers (ICs) could result in significant timing differences because although the ICs are assumed to fail in this scenario, they would operate for some time due to their semi-passive design. However, the IC(s) would eventually be rendered unavailable due to the failure of IC inventory makeup. Therefore, there could be significant differences in Pt based on an increased amount of time available to operators to perform the cooldown for the base case scenario. However, Pt is an insignificant contributor for the base case HFE. Additional time would be available for operators to perform the normal cooldown and may be sufficient to allow for the alignment of low-pressure injection prior to reaching the reactor water level that requires emergency depressurization. If an analyst believes that there is sufficient time to allow depressurization prior to reaching the emergency depressurization setpoint, the analyst may consider splitting the HFE into separate actions for (1) early depressurization and (2) emergency depressurization. In addition, although not expected to be substantial, reactor sizes differ based on plant type, which could also affect the timing available to operators and, therefore, should be considered.

GE Type 5/6 - The GE Type 5 and 6 plants that have HPCS (instead of HPCI) are not expected to result in a significant difference for the base case HFE because HPCS is assumed to be failed in this scenario. While not expected to be substantial, the reactor sizes differ based on plant type, which could also affect the timing available to operators and, therefore, should be considered. However, Pt is an insignificant contributor for the base case HFE.

Initiating Event Variability

Reactor depressurization is queried in most internal events event trees with the exception of large LOCAs and ISLOCAs. Many of these initiating events can be considered to be similar transients that will not significantly affect the operator response but rather account for different equipment unavailabilities. The structure of the BWR procedure flowcharts results in a similar operator response regardless of the transient type. Therefore, the Pc values are likely to be the same. There could be timing differences for these transients when compared to the base case scenario; however, any differences would result in additional time available for the operators. Therefore, given Pt is an insignificant contributor to the base case scenario, the evaluation of ADS-XHE-XM-MDEPR is not expected to deviate significantly from the base case for the following initiating events:

- General Transient

- Loss of Feedwater

- Loss of Electrical Bus

- Loss of Service Water

Additional initiating events that query reactor depressurization include:

- Small LOCA

- Medium LOCA

- ATWS

The SPAR models currently have separate HFEs for small (ADS-XHE-XM-MDEPR1) and medium LOCAs (ADS-XHE-XM-MDEPR2). The timing estimates from the BWR 7 licensee PRA show significant differences from the base case scenario, which will result in Pt becoming a significant contributor to the overall HEP for these other scenarios.

The following table provides the Pt results for these three initiating events with Treqd of 2 minutes with an EF of 2:

| Initiating Event | Tavail | Pt |
| --- | --- | --- |
| Small LOCA | 8 minutes | 5.0x10^-4 |
| Medium LOCA (2-inch break) | 7.6 minutes | 7.7x10^-4 |
| Medium LOCA (4-inch break) | 2.1 minutes | 0.45 |
| ATWS | 13 minutes | 4.5x10^-6 |

These results for the small LOCA and ATWS show that Pt will be a minor contributor to the overall HEP. It is believed that the reactor will depressurize without operator action somewhere in the medium LOCA break-size range; however, it is not currently known at what break size this occurs. This analysis assumes that LOCAs larger than 4 inches will depressurize the reactor sufficiently to allow for low-pressure injection without manual depressurization. Given this assumption, the Tavail estimated for the 2- and 4-inch breaks are selected at the 5th (2.1 minutes) and 95th (7.6 minutes) percentiles of a normal distribution, respectively. This results in a Pt of 9.0x10^-2 for medium LOCA scenarios. There are not expected to be significant differences in the evaluation of Pc for these scenarios. Therefore, the following overall HEPs were calculated:

| Initiating Event | Pc | Pt | HEP |
| --- | --- | --- | --- |
| Small LOCA | 4.1x10^-3 | 5.0x10^-4 | 4x10^-3 |
| Medium LOCA | 4.1x10^-3 | 9.0x10^-2 | 9x10^-2 |
| ATWS | 4.1x10^-3 | 4.5x10^-6 | 4x10^-3 |

Additional Scenario Variability

Early (Emergency) Depressurization - Analysts should review the dominant cutsets to see if any basic events may result in unaccounted-for complexities associated with cues, decisionmaking, and execution. Examples of scenario variabilities that could justify changes to the base case IDHEAS-ECA evaluation include:

- Cutsets with basic events that affect reactor water level instrumentation should be accounted for in the evaluation of the PIFs associated with the Detection CFM.

- Cutsets with basic events that could affect decisionmaking would require including the Decisionmaking CFM in the analysis.

- Cutsets that have operator actions that occur before the requirement for reactor depressurization can change the boundary conditions for ADS-XHE-XM-MDEPR and, therefore, the HFE should be reevaluated to account for these differences.

Later Depressurization - Reactor depressurization is queried in the BWR SPAR models when high-pressure injection is successful, but SPC fails. The same depressurization fault tree is queried in these scenarios, and the transient version of the HFE is used. The primary containment control EOP directs operators to emergency depressurize the reactor when the suppression pool reaches the heat capacity temperature limit (HCTL). The HCTL is the highest suppression pool temperature that allows emergency reactor depressurization without exceeding the primary containment pressure limit and the capacity of the suppression chamber that is required to be available when the reactor is pressurized. The current SPAR model only credits the success or failure of depressurization; it does not model scenarios where operators depressurize the reactor after the HCTL is reached that could potentially fail containment. There are currently no Tavail estimates available for this situation. However, due to conservatisms in the HCTL and the design pressure limit and the slow heat-up of the suppression pool, it is likely that operators would have at least 10 minutes to emergency depressurize the reactor after HCTL is reached without challenging the containment pressure limit. Sensitivity analyses show that a minimum Tavail of 10 minutes and a Treqd of 2 minutes (EF = 2) result in a Pt of 6.7x10^-5. Therefore, the HEP for this scenario is not expected to be significantly different than the base case HEP because Pt is a negligible contributor regardless.
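The Pc, Pt, and HEP figures quoted in Sections 3.3.4 and 3.3.5 can be reproduced with the arithmetic below. This Python code is an added example, not part of the RIL or of the IDHEAS-ECA software; it assumes that the EF is the ratio of the 95th percentile to the median of the lognormal Treqd and that the contributors combine as independent events, and the function names are illustrative.

```python
from math import erfc, log, sqrt
from statistics import NormalDist

# Assumption (not stated on the page): EF = 95th percentile / median of Treqd.
Z95 = NormalDist().inv_cdf(0.95)  # about 1.645


def combine(probabilities):
    """Probabilistic sum of independent failure contributors: 1 - prod(1 - p)."""
    survive = 1.0
    for p in probabilities:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"not a probability: {p}")
        survive *= 1.0 - p
    return 1.0 - survive


def pt_lognormal(t_avail, t_reqd_median, ef=2.0):
    """P(Treqd > Tavail) for a lognormal Treqd and a single-valued Tavail."""
    if t_reqd_median <= 0 or ef <= 1.0:
        raise ValueError("median must be positive and EF greater than 1")
    if t_avail <= 0:
        return 1.0  # no time available, so the action cannot finish in time
    sigma = log(ef) / Z95                     # standard deviation of ln(Treqd)
    z = log(t_avail / t_reqd_median) / sigma  # Tavail in units of that sigma
    return 0.5 * erfc(z / sqrt(2.0))          # upper tail; erfc stays accurate near 1e-8


def hep(pc, pt):
    """Overall HEP as written on the page: 1 - (1 - Pc)(1 - Pt)."""
    return combine([pc, pt])


# Timing inputs and reported Pt values copied from the page (times in minutes).
PAGE_CASES = {
    "RCP trip, base case":            (10.0, 1.0, 2.3e-8),
    "RCP trip, trip first (8 min)":   (8.0, 1.0, 4.0e-7),
    "RCP trip, trip first (3 min)":   (3.0, 1.0, 5e-3),
    "Depressurization, base case":    (21.0, 2.0, 1.2e-8),
    "Depressurization, small LOCA":   (8.0, 2.0, 5.0e-4),
    "Depressurization, 2-inch LOCA":  (7.6, 2.0, 7.7e-4),
    "Depressurization, 4-inch LOCA":  (2.1, 2.0, 0.45),
    "Depressurization, ATWS":         (13.0, 2.0, 4.5e-6),
    "Depressurization, after HCTL":   (10.0, 2.0, 6.7e-5),
}


def reproduce():
    """Recompute Pt for every case above with the page's EF of 2."""
    return {name: pt_lognormal(ta, tr) for name, (ta, tr, _) in PAGE_CASES.items()}


if __name__ == "__main__":
    pc_rcp = combine([1e-4, 1e-3, 1e-4])   # CFM1, CFM2, CFM4 for the RCP trip HFE
    pc_ads = combine([3e-3, 1e-3, 1e-4])   # same CFMs for the depressurization HFE
    print(f"Pc (RCP trip)         = {pc_rcp:.1e}")
    print(f"Pc (depressurization) = {pc_ads:.1e}")
    for name, pt in reproduce().items():
        reported = PAGE_CASES[name][2]
        print(f"{name:32s} Pt = {pt:.1e} (page: {reported:.1e})")
    print(f"HEP (RCP trip)         = {hep(pc_rcp, pt_lognormal(10, 1)):.0e}")
    print(f"HEP (depressurization) = {hep(pc_ads, pt_lognormal(21, 2)):.0e}")
```

Changing the `ef` argument shows directly how sensitive Pt is to the EF selection that the Key Uncertainties items flag.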

Key Uncertainties

The following key uncertainties were identified:

- The selection of the appropriate EF for the timing estimates can have a significant effect on the Pt and the overall HEP for certain scenario variabilities (e.g., medium LOCA). In general, the HRA empirical studies referenced in the timing evaluations involved specific scenarios involving procedurally-driven MCR operator actions; however, these studies did not fully investigate the full range of scenario variabilities associated with the analyzed HFE and, therefore, the selection of the EF of 2 for Treqd is an uncertainty associated with this evaluation. The guidance for the selection of the EFs associated with timing estimates is still under development.

- Thermal-hydraulic analyses showing the medium LOCA break size for which the reactor will depressurize sufficiently without manual action to allow for low-pressure injection are not currently available. Therefore, the 95th percentile Tavail could be conservative or nonconservative.

- The selection of the PIF attribute C1: Detection overload with multiple competing signals (1: Few < 7) for the Detection CFM is potentially conservative or nonconservative. An initial review indicated that the limited supporting data may not support this PIF attribute as it is currently constituted (e.g., how signals are defined, how multiple indications and alarms are binned into a single signal, and the potential for decay of a signal as time passes). Further review of this data is needed to develop guidance associated with selection of this PIF attribute. If this PIF attribute is not selected, the Pc (and overall HEP) for this action would decrease to 1x10-3.

3.3.6 Operators Fail to Vent the Containment

HFE Name

CVS-XHE-XM-VENT

HFE Definition

Operators fail to vent containment. This entire HFE is considered as a single critical task within the IDHEAS-ECA framework.

SPAR Model Application

CVS-XHE-XM-VENT is a basic event in the containment venting system fault tree, which is queried in all BWR event trees except those associated with ISLOCAs and reactor vessel rupture scenarios. The CVS fault tree is queried in the later portion of the event trees when SPC and containment spray system (CSS) have failed to maintain primary containment pressure and temperature.

Scenario Description/Event Context

All scenarios that lose the condenser heat sink will result in heat being rejected to the suppression pool via the safety relief valve(s) and the exhaust of the RCIC/HPCI turbines. LOCAs and steam line breaks inside the containment will result in additional heat rejected to the suppression pool. If the systems responsible for maintaining primary containment pressure and temperature fail or are unavailable, operators are directed to manually vent containment prior to it reaching its design limit. The dominant scenario containing CVS-XHE-XM-VENT differs by plant. Without a clear dominant scenario, a loss of condenser heat sink at a GE Type 4 NPP (i.e., the most common BWR) was selected as the base case for this evaluation.

When a loss of condenser heat sink resulting in a reactor trip occurs, MCR operators will enter the primary containment control EOP to monitor containment pressure. This EOP will direct operators to initiate containment venting through smaller capacity systems, such as the standby gas treatment system. The venting of these smaller systems is assumed to be insufficient to curb the primary containment pressure from increasing. Without other containment cooling systems, such as SPC or containment sprays, operators are directed to emergency depressurize the reactor when the suppression pool pressure cannot be maintained below the pressure suppression pressure (PSP) and then vent containment using larger capacity vent pathways prior to primary containment pressure increasing to its primary containment pressure limit (PCPL).

Boundary Conditions

The start of this HFE is when the loss of condenser heat sink results in a subsequent reactor trip (i.e., t = 0). The base case scenario assumes that RCIC and HPCI are successful from the beginning of the event and the safety relief valves are rejecting heat to the suppression pool. SPC and containment spray are assumed to be unavailable or failed. The end of this HFE is failure to vent primary containment prior to containment failure (i.e., before the ultimate containment failure pressure is reached).

Success Criteria

Operators successfully vent containment prior to exceeding the PCPL. Note that this is conservative since containment failure will not occur until the ultimate containment pressure is exceeded.

Key Cue(s)

- Suppression Pool Pressure

- Primary Containment Pressure

Procedural Guidance

- Primary Containment Control

- Post Accident Containment Venting and Gas Control

CFM Selection

Detection - This task requires the operators to detect suppression pool pressure and primary containment pressure to determine whether containment needs to be vented.

Understanding - This task requires the operators to understand that containment needs to be vented, given the failure of other systems designed to maintain containment pressure and temperature, prior to it reaching its design limit.

Decisionmaking - Decisionmaking is not required for this task because with correct understanding of the event, procedures require operators to vent containment. Therefore, this CFM is not applicable for this task.

Action Execution - This task requires the operators to manually vent containment. This action has execution steps both in and outside the MCR.

Interteam Coordination - Interteam coordination is not required for this task because multiple teams would not be involved. Therefore, this CFM is not applicable for this task.

Evaluation of PIFs for Applicable CFMs

CFM1 - Failure of Detection (Base Probability = 1x10-4)

- Scenario Familiarity - No impact because operators are routinely trained on losses of containment pressure control. In addition, this critical task is covered by plant procedures.

- Task Complexity - C1: Detection overload with multiple competing signals (1: Few < 7); There are at least five potentially competing signals, including the annunciators/parameters associated with the (1.) transient, (2.) subsequent reactor trip, (3.) failure of SPC, (4.) failure of containment spray, and (5.) suppression pool and containment pressure. Selection of this PIF attribute increases the probability of CFM1 from the base probability of 1x10-4 (i.e., no PIF attributes are selected) to 3x10-3. This selection may be conservative or nonconservative based on an initial review of the limited amount of supporting data for this PIF attribute. Further review of this data is needed to develop the appropriate guidance.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM2 - Failure of Understanding (Base Probability = 1x10-3)

- Scenario Familiarity - No impact because operators are trained to maintain primary containment pressure below its design limit. In addition, this critical task is covered by plant procedures.

- Information Completeness and Reliability - No impact because primary containment pressure is sufficient to diagnose the need for venting containment.

- Task Complexity - No impact because the requirement to maintain primary containment pressure below its design limit is a fundamental plant operation concept that is specifically covered by plant procedures.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM4 - Failure of Action Execution (Base Probability = 1x10-4)

- Scenario Familiarity - Although the venting of containment is rarely performed, there is no impact because this critical task is covered by plant procedures.

- Task Complexity - C31: Straightforward procedure execution with many steps; the procedure covers several pages and covers multiple valve manipulations/verifications. Selection of this PIF attribute increases the base probability of this CFM to 1x10-3.

- The other PIFs were determined to have a negligible impact on the base case HFE.

Using these assumptions, Pc is calculated as 5x10-3 by summing the probabilities of CFM1 (3x10-3), CFM2 (1x10-3), and CFM4 (1x10-3) probabilistically.

Timing Evaluation

The Tavail was estimated from the time when the cue (suppression pool pressure exceeds the PSP) becomes available to the time that primary containment pressure reaches the PCPL. Extensive timing information is not currently available to NRC analysts for this operator action. However, timing estimates from the BWR 7 licensee PRA were available through INL. The licensee MAAP calculations for a transient with a loss of feedwater indicate that suppression pool pressure will exceed the PSP in 16.6 hours and the primary containment pressure will reach the PCPL in 26.4 hours after the loss of feedwater. Therefore, a Tavail of 9.8 hours was selected for the base case HFE. Note that this Tavail estimate is potentially nonconservative for this base case because a loss of condenser heat sink initiating event would put more heat into the suppression pool. However, it is believed that there would still be substantial time (i.e., several hours) for the base case scenario and, therefore, additional refinement of the Tavail was judged to be unnecessary. The time required to perform the execution is 30 minutes. Therefore, a Treqd of 30 minutes was selected for the base case HFE.

The current IDHEAS-ECA guidance recommends using a lognormal distribution for the time estimates. The selection of the Treqd of 30 minutes was assumed to be the median (i.e., 50th percentile) of the lognormal distribution. Tavail is treated as a single value with no distribution assigned for the base case. For the evaluation of this base case HFE, Pt was calculated using an EF of 3 for the lognormal distribution of Treqd, because the execution includes steps outside of the MCR (e.g., manual valve operation). This EF selection is larger than the EF of 2 that is considered to be appropriate for actions performed from the MCR based on a preliminary analysis of timing data on MCR operators' responses to emergency events in nuclear power plant simulators, including NUREG/IA-0216, NUREG-2156, EPRI NP-6937-L, and simulator data from other sources. This selection results in a Pt of 4.2x10-6. At the time of completing this analysis, the guidance on specifying the uncertainty bounds for time estimates in IDHEAS-ECA had not been finalized.

Error Recovery

Error recovery credit is not provided for this task.

Calculated HEP

HEP = 1 - (1 - Pc) (1 - Pt) = 1 - (1 - 5.0x10-3) (1 - 4.2x10-6) = 5x10-3

Technology Variability

There are two additional BWR types that include this HFE in the SPAR models. Since both these types are GE plants, the cues and procedures for venting containment are expected to be the same (or similar) and, therefore, it is expected that the MCR operators would respond similarly. These similarities would not likely result in significant differences in the evaluation of Pc for the other GE plants. The timing estimates could be different; however, it is expected that the GE Type 2 and GE Type 5/6 plants would have the same or more time for similar scenarios that occur at GE Type 4 plants because less heat will be rejected to the suppression pool initially because of the ICs and HPCS, respectively. In addition, the Mark II and III primary containments are larger, which could also result in longer times until the PSP and PCPL are reached. Therefore, significant differences in the Pt for the other BWR types are not expected.

Note that there are expected to be plant-specific differences associated with execution of containment venting. Some plants will require longer execution times and more actions outside the MCR that are more labor-intensive. These differences could result in changes to both Pc and Pt.

Initiating Event Variability

Containment venting is queried in most internal events event trees with the exception of ISLOCAs and RPV rupture scenarios. Many of these initiating events can be considered to be similar transients that will not significantly affect the operator response but rather account for different equipment unavailabilities. The structure of the BWR procedure flowcharts results in a similar operator response regardless of the transient type. Therefore, the Pc values are likely to be the same. There could be timing differences for these transients when compared to the base case scenario; however, any differences would result in additional time available for the operators. Therefore, given Pt is an insignificant contributor to the base case scenario, the evaluation of CVS-XHE-XM-VENT is not expected to deviate significantly from the base case for the following initiating events:

- General Transient

- Loss of Feedwater

- Loss of Electrical Bus

- Loss of Service Water

Although the LOCAs would result in timing changes, the licensee information for BWR 7 shows that a bounding scenario of a large LOCA still has a Tavail of 8 hours, which would result in a Pt of 1.7x10-5, which is still a negligible contributor to the overall HEP.

An SBO scenario could result in a loss of power to the containment vent valves and, therefore, require local operation that could increase Treqd and result in additional complexities that result in an increase in Pc as well. However, some plants have incorporated anticipatory containment venting into their EOPs. This results in operators being directed to maintain primary containment pressure control at a much lower primary containment pressure (e.g., 2 psig). It is expected that these plants would have a significantly longer Tavail for containment venting prior to reaching the PCPL. However, containment venting may be required earlier to maintain RCIC during SBO scenarios.

Additional Scenario Variability

Analysts should review the dominant cutsets to see if any basic events may result in unaccounted for complexities associated with cues, decisionmaking, and execution. Examples of scenario variabilities that could justify changes to the base case IDHEAS-ECA evaluation include:

- Cutsets with basic events that affect suppression pool and primary containment pressure instrumentation should be accounted for in the evaluation of the PIFs associated with the Detection CFM.

- Cutsets with basic events that could affect decisionmaking would require including the Decisionmaking CFM in the analysis.

- Cutsets that have operator actions that occur before the need for containment venting can change the boundary conditions for CVS-XHE-XM-VENT and, therefore, the HFE should be reevaluated to account for these differences.

Key Uncertainties

The following key uncertainties were identified:

- The selection of the appropriate EF for the timing estimates can have a significant effect on the Pt and the overall HEP for certain scenario variabilities. In general, the HRA empirical studies referenced in the timing evaluations involved specific scenarios involving procedurally-driven, MCR operator actions; however, these studies did not fully investigate the full range of scenario variabilities associated with the analyzed HFE and do not consider actions performed outside the MCR. Given the lack of data, an increased EF of 3 was selected for Treqd. Using an EF of 3 is a common practice in human factors for time uncertainty of human tasks. The IDHEAS-ECA guidance for the selection of the EFs associated with timing estimates is still under development.

- The selection of the PIF attribute C1: Detection overload with multiple competing signals (1: Few < 7) for the Detection CFM is potentially conservative or nonconservative. An initial review indicated that the limited supporting data may not support this PIF attribute as it is currently constituted (e.g., how signals are defined, how multiple indications and alarms are binned into a single signal, and the potential for decay of a signal as time passes). Additionally, selection of C1 is potentially conservative since many of the competing signals would have occurred hours prior to the cue to vent containment (i.e., they are likely no longer competing). Further review of this data is needed to develop guidance associated with selection of this PIF attribute. If this PIF attribute is not selected, CFM1 would decrease from 3x10-3 to 1x10-4 and the Pc (and overall HEP) for this action would decrease to 2x10-3.

3.3.7 Operators Fail to Initiate SPC

HFE Name

RHR-XHE-XM-SPC

HFE Definition

Operators fail to initiate SPC. This entire HFE is considered as a single critical task within the IDHEAS-ECA framework.

SPAR Model Application

RHR-XHE-XM-SPC is a basic event in the SPC fault tree, which is queried in all BWR event trees except those associated with ISLOCAs and reactor vessel rupture scenarios. The SPC fault tree is queried when (1) there is a successful reactor trip, and (2) either RCIC or HPCI/HPCS successfully provides high-pressure injection. In addition, SPC can also be queried later in the event tree or as part of the RHR, shutdown cooling (SDC), and/or CSS fault trees in accident sequences when high-pressure injection fails, but operators successfully emergency depressurize the reactor and initiate a low-pressure injection source.

Scenario Description/Event Context

All scenarios that lose the condenser heat sink will result in heat being rejected to the suppression pool via the safety relief valve(s) (SRVs) and the exhaust of the RCIC/HPCI turbines. LOCAs and steam line breaks inside the containment will result in additional heat rejected to the suppression pool. The dominant scenario containing RHR-XHE-XM-SPC differs by plant. Without a clear dominant scenario, a loss of condenser heat sink at a GE Type 4 NPP (i.e., the most common BWR) was selected as the base case for this evaluation.

When a loss of condenser heat sink resulting in a reactor trip occurs, use of RCIC/HPCI and the SRVs will cause the suppression pool temperature to increase. As a result, MCR operators will enter the primary containment control EOP and monitor suppression pool temperature. This EOP will direct operators to initiate SPC using an RHR pump once the temperature limit is reached (e.g., 95°F). This temperature limit will be reached very quickly (likely within a few minutes or less) with the opening of the SRV(s) and operation of RCIC and/or HPCI.

Boundary Conditions

The start of this HFE is when the loss of condenser heat sink results in a subsequent reactor trip (i.e., t = 0). The base case scenario assumes that RCIC and HPCI are successful from the beginning of the event. However, operation of the SRV(s) alone would likely result in the suppression pool temperature limit being reached quickly. The end of this HFE is the failure of operators to initiate SPC prior to one of the following parameters being reached:

- suppression pool HCTL,

- PCPL, or

- suppression pool temperature can no longer support RCIC/HPCI operation due to lack of adequate NPSH.

It is expected that the HCTL will be reached first for most (if not all) scenarios and, therefore, is selected as the end point for this HFE. Operators are procedurally directed to emergency depressurize the reactor when the HCTL is reached. However, it is unlikely that operators would perform this action as a result of increased suppression pool temperature if they have first failed to initiate SPC since the direction is in the same procedural pathway of the primary containment control EOP flowchart. Note that the operators may emergency depressurize for other reasons (e.g., failure of all high-pressure injection sources). If they fail to perform the emergency depressurization, additional time would be available for operators to initiate SPC; however, the primary containment could exceed the pressure limit if the reactor is depressurized after the HCTL is exceeded.

Success Criteria

Operators successfully initiate SPC prior to suppression pool reaching its HCTL.

Key Cue(s)

- Suppression pool temperature

- Primary containment pressure

- HCTL

Procedural Guidance

- Primary Containment Control

CFM Selection

Detection - This task requires the operators to detect suppression pool temperature to determine whether SPC needs to be initiated.

Understanding - This task requires the operators to understand that SPC is needed when heat from the SRV(s) or RCIC/HPCI is rejected to the suppression pool. Without SPC, suppression pool temperature will increase until it cannot support operation of the ECCS or emergency depressurization of the reactor. Ultimately, containment pressure (and temperature) will increase and could exceed its design limit.

Decisionmaking - Decisionmaking is not required for this task because with correct understanding of the event, procedures require operators to initiate SPC. Therefore, this CFM is not applicable for this task.

Action Execution - This task requires the operators to manually initiate SPC. This action is accomplished by simple switch manipulations from the MCR.

Interteam Coordination - Interteam coordination is not required for this task because multiple teams would not be involved. Therefore, this CFM is not applicable for this task.

Evaluation of PIFs for Applicable CFMs

CFM1 - Failure of Detection (Base Probability = 1x10-4)

- Scenario Familiarity - No impact because operators are routinely trained on losses of the condenser heat sink. In addition, this critical task is covered by plant procedures.

- Task Complexity - C1: Detection overload with multiple competing signals (1: Few < 7); There are at least three potentially competing signals, including the annunciators/parameters associated with the (1.) transient (i.e., the loss of condenser heat sink), (2.) subsequent reactor trip, and (3.) increasing suppression pool temperature. Consideration of each system failure as a separate signal would not result in a different PIF attribute for this HFE. Selection of this PIF attribute increases the base probability of this CFM to 3x10-3. This selection may be conservative or nonconservative based on an initial review of the limited amount of supporting data for this PIF attribute. Further review of this data is needed to develop the appropriate guidance.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM2 - Failure of Understanding (Base Probability = 1x10-3)

- Scenario Familiarity - No impact because operators are trained to maintain appropriate suppression pool temperature. In addition, this critical task is covered by plant procedures.

- Information Completeness and Reliability - No impact because suppression pool temperature is sufficient to diagnose the need for SPC.

- Task Complexity - No impact because the requirement to maintain adequate suppression pool temperature is a fundamental plant operation concept that is specifically covered by plant procedures.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM4 - Failure of Action Execution (Base Probability = 1x10-4)

- Scenario Familiarity - No impact because the execution steps are routinely trained. In addition, this critical task is covered by plant procedures.

- Task Complexity - No impact because the execution steps are straightforward (i.e., MCR switch manipulations) and proceduralized.

- The other PIFs were determined to have a negligible impact on the base case HFE.

Using these assumptions, Pc is calculated as 4.1x10-3 by summing the probabilities of CFM1 (3x10-3), CFM2 (1x10-3), and CFM4 (1x10-4) probabilistically.

Timing Evaluation

The Tavail was estimated from the time when the cue (the suppression pool temperature reaches the requirement to initiate SPC) becomes available to the time it reaches its HCTL. Extensive timing information is not currently available to NRC analysts for this operator action. However, timing estimates from the BWR 7 licensee PRA were available through INL. The licensee MAAP calculations estimate that the suppression pool will reach the EOP entry criteria of 95°F in approximately 35 minutes for most transients and reach its HCTL in 9.7 hours. Therefore, the Tavail is estimated to be 9.1 hours for the base case evaluation. It is unclear if this licensee timing estimate includes a loss of condenser heat sink, which could put more heat into the suppression pool compared to transients in which the condenser remained available. However, it is believed that there would still be substantial time (i.e., several hours) for the base case scenario and, therefore, additional refinement of the Tavail was judged to be unnecessary. The Treqd was estimated to be approximately 7 minutes to implement the execution steps (e.g., starting an RHR and RHR service water pump and opening/throttling a couple valves from the MCR).

The current IDHEAS-ECA guidance recommends using a lognormal distribution for the time estimates. The selection of the Treqd of 7 minutes was assumed to be the median (i.e., 50th percentile) of the lognormal distribution. Tavail is treated as a single value with no distribution assigned for the base case. For the evaluation of this base case HFE, Pt was calculated using an EF of 2 for the lognormal distribution of Treqd, which is considered to be appropriate for actions performed from the MCR based on a preliminary analysis of timing data on MCR operators' responses to emergency events in nuclear power plant simulators, including NUREG/IA-0216, NUREG-2156, EPRI NP-6937-L, and simulator data from other sources. This selection results in a negligible Pt. Sensitivity analyses show (assuming Treqd of 7 minutes) that Pt remains a negligible contributor to the overall HEP for Tavail values of 27 minutes or more. At the time of completing this analysis, the guidance on specifying the uncertainty bounds for time estimates in IDHEAS-ECA had not been finalized.

Error Recovery

Error recovery credit is not provided for this task.

Calculated HEP

HEP = 1 - (1 - Pc) (1 - Pt) = 1 - (1 - 4.1x10-3) (1 - 0) = 4x10-3

Technology Variability

There are two additional BWR types that include this HFE in the SPAR models. Since both these types are GE plants, the cues and procedures for initiating SPC are expected to be the same (or similar) and, therefore, it is expected the MCR operators would respond similarly. These similarities would not likely result in significant differences in the evaluation of Pc for the other GE plants. The timing estimates could be different; however, it is expected that the GE Type 2 and GE Type 5/6 plants would have the same or more time for similar scenarios that occur at GE Type 4 plants because less heat will be rejected to the suppression pool initially because of the ICs and HPCS, respectively. Therefore, significant differences in the Pt for the other BWR types are not expected.

Initiating Event Variability

SPC is queried in most internal events event trees with the exception of ISLOCAs and RPV rupture scenarios. Many of these initiating events can be considered to be similar transients that will not significantly affect the operator response but rather account for different equipment unavailabilities. The structure of the BWR procedure flowcharts results in a similar operator response regardless of the transient type. Therefore, the Pc values are likely to be the same. There could be timing differences for these transients when compared to the base case scenario; however, any differences would result in additional time available for the operators. Therefore, given Pt is an insignificant contributor to the base case scenario, the evaluation of RHR-XHE-XM-SPC is not expected to deviate significantly from the base case for the following initiating events:

- General Transient

- Loss of Feedwater

- Loss of Electrical Bus

- Loss of Service Water

Additional initiating events that query SPC that could result in significant changes to Tavail include:

- Small LOCA

- Medium LOCA

- Large LOCA

- ATWS

Thermal-hydraulic calculations for BWR 7 indicate that the suppression pool would reach the HCTL in several hours and, therefore, Pt will remain an insignificant contributor to the overall HEP for these scenarios. The most limiting initiator is an ATWS with a loss of condenser heat sink, which will result in all the SRVs lifting. With the reactor pressure high, HCTL will be reached at a lower suppression pool temperature (e.g., 140°F). It is unknown if all BWRs would reach their HCTL prior to 20 minutes; however, thermal-hydraulic calculations for BWR 7 estimate that HCTL would be reached in 16 minutes during an ATWS with the condenser unavailable.

Assuming a Tavail of 16 minutes and the same Treqd of 7 minutes results in a Pt of 2.5x10-2. The overall HEP for ATWS scenarios would be estimated to be 3x10-2.
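The Pc, Pt, and HEP figures quoted in Sections 3.3.6 and 3.3.7 can be reproduced with the short calculation below. It is an added example, not NRC or IDHEAS-ECA software, and it assumes the EF is the ratio of the 95th percentile to the median of the lognormal Treqd distribution; the function and case names are illustrative.

```python
"""Reproduce the Pc, Pt and HEP values quoted for CVS-XHE-XM-VENT and RHR-XHE-XM-SPC.

Added illustration; not NRC or IDHEAS-ECA software.
Assumption: EF = 95th percentile / median of the lognormal Treqd distribution.
"""
import math
from statistics import NormalDist

Z95 = NormalDist().inv_cdf(0.95)  # standard normal 95th percentile, about 1.645


def lognormal_sigma(ef):
    """Log-space standard deviation implied by an error factor."""
    if ef <= 1.0:
        raise ValueError("EF must be greater than 1")
    return math.log(ef) / Z95


def p_time(t_avail, t_reqd_median, ef):
    """Pt = P(Treqd > Tavail); Treqd lognormal, Tavail a single value (same units)."""
    if t_avail <= 0 or t_reqd_median <= 0:
        raise ValueError("times must be positive")
    z = math.log(t_avail / t_reqd_median) / lognormal_sigma(ef)
    # erfc keeps precision in the far tail, where 1 - cdf(z) would lose digits
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def p_cognitive(cfm_probs):
    """Combine the CFM probabilities probabilistically: 1 - prod(1 - p_i)."""
    survive = 1.0
    for p in cfm_probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"not a probability: {p}")
        survive *= 1.0 - p
    return 1.0 - survive


def hep(pc, pt):
    """HEP = 1 - (1 - Pc)(1 - Pt)."""
    return 1.0 - (1.0 - pc) * (1.0 - pt)


def min_t_avail(t_reqd_median, ef, pt_target):
    """Smallest Tavail (same units as Treqd) that keeps Pt at or below pt_target."""
    if not 0.0 < pt_target < 1.0:
        raise ValueError("pt_target must be in (0, 1)")
    z = NormalDist().inv_cdf(1.0 - pt_target)
    return t_reqd_median * math.exp(z * lognormal_sigma(ef))


# Inputs taken from the evaluations above; all times converted to minutes.
CASES = {
    "CVS vent, base case": dict(cfms=(3e-3, 1e-3, 1e-3), t_avail=9.8 * 60, t_reqd=30, ef=3),
    "CVS vent, large LOCA": dict(cfms=(3e-3, 1e-3, 1e-3), t_avail=8 * 60, t_reqd=30, ef=3),
    "CVS vent, C1 not selected": dict(cfms=(1e-4, 1e-3, 1e-3), t_avail=9.8 * 60, t_reqd=30, ef=3),
    "SPC, base case": dict(cfms=(3e-3, 1e-3, 1e-4), t_avail=9.1 * 60, t_reqd=7, ef=2),
    "SPC, ATWS": dict(cfms=(3e-3, 1e-3, 1e-4), t_avail=16, t_reqd=7, ef=2),
}


def evaluate(case):
    """Return Pc, Pt and HEP for one case dictionary."""
    pc = p_cognitive(case["cfms"])
    pt = p_time(case["t_avail"], case["t_reqd"], case["ef"])
    return {"Pc": pc, "Pt": pt, "HEP": hep(pc, pt)}


if __name__ == "__main__":
    for name, case in CASES.items():
        r = evaluate(case)
        print(f"{name:26s} Pc={r['Pc']:.1e}  Pt={r['Pt']:.1e}  HEP={r['HEP']:.1e}")
    # Margin check: Tavail needed to hold Pt to 1x10-3 for the MCR action (Treqd 7 min, EF 2)
    print(f"Tavail for Pt <= 1e-3: {min_t_avail(7, 2, 1e-3):.1f} min")
```

The same `p_time` call with a Tavail of 10 minutes, a Treqd of 2 minutes, and an EF of 2 gives the 6.7x10-5 quoted for the later depressurization sensitivity case.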

Additional Scenario Variability

Analysts should review the dominant cutsets to see if any basic events may result in unaccounted for complexities associated with cues, decisionmaking, and execution. Examples of scenario variabilities that could justify changes to the base case IDHEAS-ECA evaluation include:

- Cutsets with basic events that affect suppression pool temperature instrumentation should be accounted for in the evaluation of the PIFs associated with the Detection CFM.

- Cutsets with basic events that could affect decisionmaking would require including the Decisionmaking CFM in the analysis.

- Cutsets that have operator actions that occur before the need for SPC can change the boundary conditions for RHR-XHE-XM-SPC and, therefore, the HFE should be reevaluated to account for these differences.

Key Uncertainties

The following key uncertainties were identified:

- The selection of the appropriate EF for the timing estimates can have a significant effect on the Pt and the overall HEP for certain scenario variabilities. In general, the HRA empirical studies referenced in the timing evaluations involved specific scenarios involving procedurally-driven, MCR operator actions; however, these studies did not fully investigate the full range of scenario variabilities associated with the analyzed HFE and, therefore, the selection of the EF of 2 for Treqd is an uncertainty associated with this evaluation. The guidance for the selection of the EFs associated with timing estimates is still under development.

- The selection of the PIF attribute C1: Detection overload with multiple competing signals (1: Few < 7) for the Detection CFM is potentially conservative or nonconservative. An initial review indicated that the limited supporting data may not support this PIF attribute as it is currently constituted (e.g., how signals are defined, how multiple indications and alarms are binned into a single signal, and the potential for decay of a signal as time passes). Further review of this data is needed to develop guidance associated with selection of this PIF attribute. If this PIF attribute is not selected, the Pc (and overall HEP) for this action would decrease to 1x10-3.

4. EVALUATION OF SPAR MODEL FLEX HFEs

The NRC SPAR models have implemented modeling associated with crediting the FLEX mitigation strategies for ELAP scenarios. The existing FLEX HFEs have placeholder HEP values selected by INL without detailed technical evaluation. An HEP of 1x10-2 with a lognormal uncertainty distribution using an EF of 3 is used in most cases.

An expert elicitation was performed in 2018 on the FLEX HFEs, as documented in RIL 2022-13, Applying HRA to FLEX - Expert Elicitation - Volume 1, (ML20345A318). However, the HEP results were considered overly conservative by many stakeholders. In 2019, the NRC performed a pilot study on using IDHEAS-ECA to evaluate HFEs for selected ELAP scenarios, as documented in RIL 2022-13. Although the pilot project calculated HEPs for some of the FLEX HFEs, certain elements such as the failure probability due to insufficient time (Pt) were not considered in most cases. In addition, the guidance on the use of the IDHEAS-ECA has changed since this effort was completed.

4.1 HFE Selection

The FLEX HFEs included in the SPAR models were evaluated using the IDHEAS-ECA method. BWR 5 was used as the reference plant. In addition, the IDHEAS-ECA evaluations performed as part of the pilot project were used as a starting point for the evaluations provided in this report. The following BWR FLEX HFEs were included in these evaluations:

FLX-XHE-XE-ELAP - Operators Fail to Declare ELAP (Section 4.3.1)

FLX-XHE-XM-DLSHED - Operators Fail to Perform Deep DC Load Shed per FSGs (Section 4.3.2)

FLX-XHE-XM-480 - Operators Fail to Stage or Run or Load or Refuel 480V Portable FLEX Diesel Generator (DG) (Section 4.3.3)

FLX-XHE-XM-CVS - Operators Fail to Vent Containment during ELAP (Section 4.3.7)

FLX-XHE-XM-RPV - Operators Fail to Stage or Run or Supply or Refuel FLEX RPV Pump (Section 4.3.8)

FLX-XHE-XM-DEP - Operators Fail to Depressurize RPV during ELAP (Section 4.3.9)

RCI-XHE-XM-OPERATE - Operators Fail to Start/Control RCIC Injection (Section 4.3.10)

4.2 Evaluation Process

The IDHEAS-ECA evaluations provided in Section 4.3 of this report start with identifying a representative scenario for each HFE based on the reference plant. For the purpose of these evaluations, the selected HFEs are evaluated in the context of a representative scenario involving a weather-related LOOP initiating event. Additional information on the base case scenario is provided in Section 4.3. The eight analysis steps outlined in NUREG-2256 are incorporated into a streamlined documentation process to ensure consistency in evaluating the selected HFEs. Potential variabilities due to different procedures and/or equipment are explored. In addition, the potential effects of an ELAP caused by hazards more severe than the representative scenario (e.g., beyond design basis earthquake) were considered as separate variabilities or uncertainties, when applicable. The key IDHEAS-ECA factors affecting uncertainty are discussed and the sensitivity of the HEP to these factors is assessed.

The evaluations provided in this report were reviewed by a group of regional SRAs, NRR counterparts, and RES staff that have experience using the IDHEAS-ECA method. All comments and feedback were addressed and incorporated into the evaluations provided in this report, as appropriate.

4.3 Base Case Scenario Description

The following figure shows the SBO/ELAP timelines for the reference plant. Note that the times labeled in the figure are taken from the reference plant's FLEX final integrated plan (FIP) and typically represent when plant personnel are expected to start an action (e.g., transport FLEX equipment) or when an action is required to be completed (e.g., starting FLEX DGs prior to battery depletion). The estimates for Tavail and Treqd used by the IDHEAS-ECA evaluations are calculated using these times. Note that this event involves a number of sequential tasks and, therefore, operators performing earlier tasks either faster or slower than expected can impact the time availability for later tasks. However, to simplify the treatment of timing for these HEPs, the amount of time allotted for each discrete task is fixed and consistent with the reference plant's FLEX integrated plans.

Figure 1. BWR 5 SBO/ELAP Timeline

4.4 IDHEAS-ECA Evaluations

The following subsections provide the IDHEAS-ECA evaluations for the FLEX SPAR model HFEs.

4.4.1 Operators Fail to Declare ELAP

HFE Name

FLX-XHE-XE-ELAP

HFE Definition

Operators fail to declare ELAP in sufficient time to implement FLEX strategies prior to battery depletion, which for the purpose of this analysis, is used as a surrogate for core damage. The entire HFE is considered as a single critical task within the IDHEAS-ECA framework.

SPAR Model Application

FLX-XHE-XE-ELAP is the only basic event in the ELAP fault tree, which is queried in the SBO-ELAP event tree. An SBO sequence that has sufficient initial decay heat removal (e.g., RCIC, or HPCI/HPCS) without a LOCA will transfer to the SBO-ELAP event tree. An SBO coincident with a LOCA results in core damage if AC power is not restored prior to core uncovery.

Scenario Description/Event Context

The most risk significant LOOP initiating event (based on CDF contribution and conditional core damage probability (CCDP)) for most SPAR models is due to severe weather and, therefore, is selected as the base case scenario for this HFE. Note that the SPAR model weather-related LOOP initiating event encompasses weather events such as thunderstorms, hurricanes, tornadoes, winter storms, etc. For the purposes of this evaluation, the base case assumes a fast-moving thunderstorm that is not expected to generate significant onsite debris. In addition, the outside environmental conditions after the LOOP occurs are assumed to not significantly impact any required tasks. The effect of significant debris and adverse environmental conditions will be explored as potential variabilities to the base case scenario (e.g., transporting FLEX DGs).

If a weather-related LOOP and subsequent failure of the emergency diesel generators (EDGs) and other alternate safety-related AC power sources results in an SBO, operators will enter their associated loss of all AC power procedure after performing the reactor trip immediate actions. There are generally two different categories for plant procedures for declaring ELAP at U.S. NPPs:

1. Plant procedures that require the declaration of ELAP if AC power is not restored prior to a specific time. Operators can also declare ELAP earlier. This time limit is plant-specific and corresponds to the minimum time required to perform the deep DC load shedding. Deep load shedding extends the life of the safety-related batteries to provide time to connect and use the FLEX DG to provide sufficient power for battery charging and critical DC loads prior to loss of DC power.
2. Plant procedures that direct operators to determine if AC power can be restored within the normal SBO coping time prior to declaring ELAP. This determination requires the operators to estimate when AC power might be restored and may require assessment of uncertain or conflicting data. If the operators' determination of the time to restore AC power is overly optimistic, this type of guidance could lead to the declaration of ELAP after the minimum time required to perform the deep DC load shedding. Therefore, this type of guidance could result in the eventual loss of DC power due to insufficient battery life prior to connecting the FLEX DG to restore battery charging and critical DC loads.

The first category of procedures (i.e., those that declare ELAP if AC power is not restored prior to exceeding a specific time) is more straightforward for the operators and, therefore, the base case evaluation will focus on plants that use the first category of ELAP procedures. The use of the second category of ELAP procedures will be evaluated as part of the variabilities.

Boundary Conditions

The start of this HFE is a LOOP resulting in a subsequent reactor trip (i.e., T = 0). The end of this HFE is the operators failing to declare ELAP in sufficient time to take mitigating actions to maintain DC power. These actions include shedding of DC loads to extend the life of the safety-related batteries and connection/use of the FLEX DG to provide sufficient power for battery charging and critical DC loads prior to loss of DC power.

Success Criteria

Operators successfully declare ELAP in time to allow completion of DC load shedding to extend battery life until the FLEX DG can provide sufficient power for battery charging and critical DC loads.

Key Cue(s)

- Annunciators associated with loss of offsite power supply lines

- Annunciators associated with EDG and/or alternate AC source failures

- Safety-related bus voltages

Procedural Guidance

- Loss of All AC Power Procedure with No EDG Available (or plant equivalent)

CFM Selection

Detection - This task requires operators to detect that both the LOOP initiating event and the subsequent failure of the EDGs (and other alternate AC power source(s)) have resulted in an SBO. All required indications are available in the MCR.

Understanding - This task requires that operators understand that ELAP must be declared prior to the time limit directed in the SBO procedure to ensure that the FLEX mitigation strategies can be implemented in sufficient time to prevent core damage.

Decisionmaking - Decisionmaking is not required for this task because with correct understanding of the event, procedures require operators to declare ELAP. Therefore, this CFM is not applicable for this task.

Action Execution - Action Execution is not required for this task because the implementation portion of the FLEX support guidelines (FSGs) is covered by other HFEs. Therefore, this CFM is not applicable to this task.

Interteam Coordination - This task requires interteam coordination because the MCR crew will need to communicate with the transmission and distribution line operators on the status of recoverability of offsite power. The MCR crew will also communicate with auxiliary operators (AOs) on the recoverability of alternate AC power (e.g., EDGs). However, AOs are considered as part of the same team as the MCR crew.

Evaluation of PIFs for Applicable CFMs

CFM1 - Failure of Detection (Base Probability = 1x10⁻⁴)

- Scenario Familiarity - No impact because operators are routinely trained on SBO events. In addition, this critical task is covered by plant procedures.

- Task Complexity - Although the context for the HFE would include a reactor trip, turbine trip, multiple system failures, and accompanying alarm conditions, these signals all arise from the same underlying condition (SBO) and are not considered to be competing. Therefore, there is no impact because the detection of SBO is obvious because: (a.) the alarms and annunciators are reinforcing in nature, (b.) additional cues (e.g., significant reduction in plant noise) further aid operators in diagnosing that an SBO occurred, and (c.) plant procedures direct operators to check AC power status. Note the collection of information on the status of offsite power and alternate AC power sources (e.g., EDGs) is considered in the Understanding CFM.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM2 - Failure of Understanding (Base Probability = 1x10⁻³)

- Scenario Familiarity - No impact because operators are trained on SBO events. In addition, this critical task is covered by plant procedures.

- Information Completeness and Reliability - No impact because for the base case HEP, plant procedures require operators to declare ELAP prior to reaching a specific time related to the minimum time needed to perform the deep DC load shed during an SBO. Although the MCR crew would be expected to receive information from the transmission and distribution line operators and AOs regarding the status of potential recovery of offsite power and/or the alternate AC power sources, this information is not necessary to understand the procedurally directed time limit for ELAP declaration.

- Task Complexity - No impact because the plant procedures clearly state that ELAP must be declared if AC power is not restored within a certain time limit.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM5 - Interteam Coordination (Base Probability = 1x10⁻³)

- Task Complexity - C41: Complexity of information communicated (1: simple), should be selected because the information communicated between the MCR crew, and the transmission and distribution line operators (and AOs) associated with the expected times to recover AC power is considered to be simple. This selection increases the Interteam Coordination CFM failure probability from its base value of 1x10⁻³ to 1.5x10⁻³.

- The other PIFs were determined to have a negligible impact on the base case HFE.

Using these assumptions, cognitive failure probability (Pc) is calculated as 2.6x10⁻³ by summing the probabilities of CFM1 (1x10⁻⁴), CFM2 (1x10⁻³) and CFM5 (1.5x10⁻³) probabilistically.

Timing Evaluation

Pt was not evaluated for this HFE. The consideration of timing and its impacts are evaluated as part of the other FLEX HFEs, which include the action execution portion for implementing the FLEX mitigation strategies.

Error Recovery

Error recovery credit is not provided for this task.

Calculated HEP

HEP = 1 - (1 - Pc)(1 - Pt) = 1 - (1 - 2.6x10⁻³)(1 - 0) = 3x10⁻³

Plant Variabilities

The main plant variability for this HFE is expected to come from plants that use the second category of ELAP procedures that direct operators to determine if safety-related AC power can be restored within the normal SBO coping time. For these plants, the Decisionmaking CFM should be evaluated because operators must decide if/when to declare ELAP based on information provided by transmission and distribution line operators and AOs. Specific guidance regarding how/when IDHEAS-ECA treats the potential for operator hesitancy needs to be developed.

The following PIFs (and associated PIF attributes) that were determined to not have an impact on the base case should be selected to account for the variabilities associated with plants that use the second category of ELAP procedures:

- INF2: Information is unreliable or uncertain (1: low unreliable or uncertain), should be selected for the Understanding CFM because the information provided by the transmission and distribution line operators and AOs about when AC power could be recovered has some judgement involved and, therefore, has some level of uncertainty associated with it. This selection increases the Understanding CFM failure probability from its base value of 1x10⁻³ to 1x10⁻².

- C25: Competing or conflicting goals, should be selected for the Decisionmaking CFM because although operators should prioritize the declaration of ELAP to ensure that there is sufficient time to implement the FLEX mitigation strategies to ensure DC power is maintained long term, declaring ELAP significantly complicates future plant recovery actions. Therefore, these competing goals could be difficult to prioritize if time estimates for AC power recovery are close to the normal SBO coping time. This selection increases the Decisionmaking CFM failure probability from its base value of 1x10⁻³ to 0.14. The underlying data for this PIF attribute needs to be evaluated further to determine if the impact on Pc is appropriate.

These additional CFM and PIF selections increase the overall HEP for this HFE to 0.15.

Hazard Variabilities

The cause of the LOOP could affect the evaluation of this HFE, depending on the ELAP guidance category used by the plant. For example, a beyond design basis external event (BDBEE) may simplify the determination of whether offsite power could be restored in the short-term and could result in an earlier ELAP declaration. In contrast, a plant-centered or switchyard-related LOOP could result in operators having greater belief that offsite power could be restored in the short-term and, therefore, delaying the ELAP declaration. These variabilities are not expected to affect this HFE for plants that use the first category of ELAP procedures. It is noted, however, that in some cases it may allow additional time for the subsequent FLEX HFEs. Since operators still need to evaluate the recoverability of the EDGs and/or other alternate AC power source, it is expected that the Decisionmaking CFM should still be evaluated in plants that use the second category of ELAP procedures.

Key Uncertainties

The following key uncertainties were identified:

- If analysts believe that operators may be hesitant to declare ELAP at plants with the first category of ELAP guidance by the required time (e.g., by conducting operator interviews), then Pc should be evaluated similar to plants with second category of ELAP guidance (i.e., the Decisionmaking CFM should be selected, along with PIF attributes INF2 and C25). Specific guidance regarding how/when IDHEAS-ECA treats the potential for operator hesitancy needs to be developed. In addition, the underlying data for PIF attribute C25 needs to be evaluated further to determine if the impact on Pc is appropriate.

- There is potential that operators at plants that use the second category of ELAP guidance could determine that AC power can be recovered within the normal SBO coping time and, therefore, do not declare ELAP initially and later determine that AC power cannot be restored. If this were to occur, it could be too late for operators to shed the necessary DC loads to extend the life of the safety-related batteries to allow for the implementation of FLEX. This factor is (at least) partially accounted for in the selection of the PIF attribute INF2.

- Regardless of the type of ELAP guidance a plant has, there is potential that operators could get distracted and fail to declare ELAP in the required time. Since the Pt is not evaluated as part of the HFE, this potential for error is not accounted for in the overall HEP. However, unless the delay was significantly long (e.g., greater than 15 minutes), operators may still have sufficient time to implement the FLEX strategies.

4.4.2 Operators Fail to Perform Deep Load Shed per FSGs

HFE Name

FLX-XHE-XM-DLSHED

HFE Definition

Operators fail to perform DC load shed in sufficient time to implement the remaining FLEX strategies prior to battery depletion. The entire HFE is considered as a single critical task within the IDHEAS-ECA framework.

SPAR Model Application

FLX-XHE-XM-DLSHED is the only basic event in the FLEX-DC-SHED fault tree, which is queried in the SBO-ELAP event tree. If operators successfully declare ELAP, the FLEX-DC-SHED fault tree will be queried. Note that many plants have DC load shedding activities directed by SBO procedures prior to declaring ELAP. However, additional load shedding is needed to extend the batteries sufficiently to allow for the successful implementation of the FLEX mitigation strategies. The initial load shedding actions are not typically included in the SPAR models for the applicable plants.

Scenario Description/Event Context

If operators successfully declare ELAP, the operators' first action is to begin the DC load shed activities, which will extend battery life to allow sufficient time to align the FLEX DG to restore battery charging. If operators fail to perform the DC load shed in sufficient time, the SPAR models assume that DC power is lost, and core damage is assumed to occur.

Boundary Conditions

The start of this HFE is a declaration of ELAP. The end of this HFE is the operator failure to complete the DC load shed in sufficient time to prevent the loss of DC power prior to the FLEX DG being able to provide battery charging. Load shedding must be completed in sufficient time to extend battery life sufficiently to allow connection of the FLEX generator (assessed in Section 4.4.3).

Success Criteria

Operators successfully complete the DC load shed to extend battery life until the FLEX DG can provide battery charging.

Key Cue(s)

- ELAP Declaration

Procedural Guidance

- ELAP DC Shed FSG

CFM Selection

Detection - Detection is not required for this task because declaration of ELAP triggers the implementation of the FSGs, including the DC load shed. Therefore, this CFM is not applicable for this task.

Understanding - Understanding is not required for this task because declaration of ELAP triggers the implementation of the FSGs, including the DC load shed. Therefore, this CFM is not applicable for this task.

Decisionmaking - Decisionmaking is not required for this task because declaration of ELAP triggers the implementation of the FSGs, including the DC load shed. Therefore, this CFM is not applicable for this task.

Action Execution - This task requires the operator to manually shed DC loads. These actions are typically accomplished by simple switch manipulations from inside and outside the MCR.

Interteam Coordination - Interteam coordination is not required for this task because multiple teams would not be involved. Load shed activities are performed by either MCR operators or AOs depending on the plant. Note that AOs are considered as part of the same team as the MCR crew. Therefore, this CFM is not applicable for this task.

Evaluation of PIFs for Applicable CFMs

CFM4 - Failure of Action Execution (Base Probability = 1x10⁻⁴)

- Scenario Familiarity - No impact because operators are routinely trained on SBO events. In addition, this critical task is covered by plant procedures.

- Task Complexity - C31: Straightforward procedure execution with many steps; the ELAP DC Load Shed FSG covers at least a few pages and covers many breaker openings. Selection of this PIF attribute increases the base probability of this CFM to 1x10⁻³.

- Environmental Factors - ENV4: Poor Lighting for reading information or execution; some of the execution steps are likely to be performed in areas of poor lighting. Selection of this PIF attribute applies a multiplier of 2 to the base CFM probability.

- Staffing - STA2: Lack of backup or lack of peer check or cross-checking; the action is typically performed by only one operator with no 2nd checker. Selection of this PIF attribute applies a multiplier of 1.1 to the base CFM probability.

- The other PIFs were determined to have a negligible impact on the base case HFE.

Using these assumptions, cognitive failure probability (Pc) is calculated as 2.1x10⁻³.

Timing Evaluation

At BWR 5, ELAP declaration is required within 1 hour, and operators have 30 minutes to complete the deep load shed to extend the safety-related battery life from 2 hours to 7.25 hours. Therefore, the Tavail is estimated to be 30 minutes. In addition, BWR 5 has the following five data points for the Treqd for this task (i.e., timed completion times from different operators):

- 10 minutes, 15 seconds

- 11 minutes, 45 seconds

- 13 minutes, 30 seconds

- 15 minutes, 26 seconds

- 16 minutes, 30 seconds

Based on these completion times, the Treqd (i.e., median) is estimated to be 13.2 minutes.

The use of the EF of 2 selected for the previous examples provided in Section 4.3 is likely not justified since this HFE involves only action execution steps outside the MCR. IDHEAS-ECA guidance directs the use of available data to calculate the EF when data is available. Therefore, the empirical data associated with the task completion times was used to calculate the EF of 1.4 for this HFE at the reference plant.

Using this EF, the Pt was calculated to be 3.0x10⁻⁵. However, depending on the specific context for the sequence, the Pt estimate may have some conservatisms. For example, operators could declare ELAP prior to the time limit provided in their procedures, which would provide additional time to complete load shed. In addition, depending on how much of the load shed could be completed prior to 30 minutes (e.g., if the operators were able to shed a majority of large loads), there may be sufficient battery time margin for the operators to successfully complete subsequent FLEX actions.

Error Recovery

Error recovery credit is not provided for this task.

Calculated HEP

HEP = 1 - (1 - Pc)(1 - Pt) = 1 - (1 - 2.1x10⁻³)(1 - 3.0x10⁻⁵) = 2x10⁻³

Plant Variabilities

The PIF selections for the base case scenario are not expected to change significantly between different plants and, therefore, Pc is likely to remain the same. However, there is the potential for significant plant-to-plant variabilities associated with the timing estimates (especially Treqd), which could lead to significant differences in the Pt and overall HEP between different plants and even between similar units. In addition, the EF used for this HFE at the reference plant could differ significantly at other plants.

Hazard Variabilities

For most initiating events, there is not expected to be significant variabilities. However, for some significant hazards, such as a beyond design basis (BDB) seismic event, additional PIFs and their associated attributes may warrant selection. For example, MF8: Emotional stress (e.g., anxiety, frustration), should be selected if the analyst believes that operator performance could be negatively affected due to stresses caused by the event (e.g., concerns over their health, family's health and wellbeing, and future employment); this would result in a multiplier of 1.2. In addition, if the event results in debris and failed equipment or other structures (e.g., ladders), the action execution could become more physically demanding. If the analyst believes the increased demands could negatively affect operator performance, PD1: Physically strenuous possible exceeding physical limits, should be selected (PD1 results in a weighting multiplier of 1.5).

Key Uncertainties

The following key uncertainties were identified:

- The selection of the appropriate EF for the timing estimates can have a significant effect on the Pt and the overall HEP. In general, the empirical studies referenced in the timing evaluations of other HFEs provided in this report involved specific scenarios involving procedurally-driven MCR operator actions. The data available for actions performed outside the MCR is more limited. The EF of 1.4 for this HFE was calculated using the limited set of timing samples from the reference plant for this HFE. The guidance for the selection of the EFs associated with timing estimates is still under development.

- The Tavail used for the calculation for the reference plant was the most limiting. It is possible that operators could declare ELAP before reaching the time limit provided in plant procedures in most scenarios. Therefore, additional time could be available and, therefore, affect the evaluation of Pt.
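The arithmetic behind the calculated HEPs in Sections 4.4.1 and 4.4.2, as an added Python example (not part of the RIL or of the NRC's IDHEAS-ECA software). It assumes that PIF multipliers combine additively on the CFM base probability, that Treqd is lognormal with EF defined as the 95th percentile over the median, that the EF is fitted with the sample standard deviation of the log times, and that Tavail is a fixed value; all function names are illustrative.

```python
import math
from statistics import stdev

Z95 = 1.6448536269514722  # 95th percentile of the standard normal


def round_sig(x, digits):
    """Round to a number of significant figures, as the report's HEPs are."""
    return float(f"{x:.{digits - 1}e}")


def combine(probabilities):
    """Probabilistic sum of independent failure modes: 1 - prod(1 - p_i)."""
    survive = 1.0
    for p in probabilities:
        survive *= 1.0 - p
    return 1.0 - survive


def cfm_probability(base, multipliers):
    """Assumed combination rule: base * (1 + sum(w_i - 1))."""
    return base * (1.0 + sum(w - 1.0 for w in multipliers))


def error_factor(samples):
    """EF (95th percentile / median) of a lognormal fitted to the samples."""
    sigma = stdev([math.log(t) for t in samples])
    return math.exp(Z95 * sigma)


def p_time(t_avail, t_reqd_median, ef):
    """Pt = P(Treqd > Tavail) for lognormal Treqd and a fixed Tavail."""
    sigma = math.log(ef) / Z95
    z = math.log(t_avail / t_reqd_median) / sigma
    return 0.5 * math.erfc(z / math.sqrt(2.0))  # upper tail of the normal


def hep(pc, pt=0.0):
    """HEP = 1 - (1 - Pc)(1 - Pt)."""
    return 1.0 - (1.0 - pc) * (1.0 - pt)


def elap_declaration(category=1):
    """FLX-XHE-XE-ELAP (Section 4.4.1). Pt is not evaluated for this HFE."""
    cfms = {"detection": 1e-4, "understanding": 1e-3, "interteam": 1.5e-3}
    if category == 2:
        cfms["understanding"] = 1e-2   # INF2 selected
        cfms["decisionmaking"] = 0.14  # Decisionmaking CFM with C25 selected
    pc = combine(cfms.values())
    return pc, hep(pc)


def deep_load_shed():
    """FLX-XHE-XM-DLSHED (Section 4.4.2) at the reference plant."""
    # Timed completion times from the report, in minutes.
    times = [10 + 15 / 60, 11 + 45 / 60, 13 + 30 / 60, 15 + 26 / 60, 16 + 30 / 60]
    ef = error_factor(times)
    # C31 raises the CFM4 base to 1e-3; ENV4 (x2) and STA2 (x1.1) then apply.
    pc = cfm_probability(1e-3, [2.0, 1.1])
    # Tavail = 30 min and Treqd = 13.2 min are the report's stated estimates.
    pt = p_time(30.0, 13.2, round(ef, 1))
    return {"ef": ef, "pc": pc, "pt": pt, "hep": hep(pc, pt)}


if __name__ == "__main__":
    for category in (1, 2):
        pc, h = elap_declaration(category)
        print(f"ELAP declaration, category {category}: Pc={pc:.2e} HEP={h:.2e}")
    r = deep_load_shed()
    print(f"Deep load shed: EF={r['ef']:.2f} Pc={r['pc']:.2e} "
          f"Pt={r['pt']:.2e} HEP={r['hep']:.2e}")
```

Changing `t_avail` or the sample times in `deep_load_shed` shows how strongly Pt depends on the timing inputs, which is the sensitivity the key uncertainties above describe.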

4.4.3 Operators Fail to Stage or Run or Load or Refuel 480V Portable FLEX DG

HFE Name

FLX-XHE-XM-480

HFE Definition

Operators fail to transport, connect, and start the FLEX DG prior to depletion of the safety-related batteries resulting in a loss of all DC power. This HFE is comprised of the following three critical tasks within the IDHEAS-ECA framework:

- Transporting the FLEX DG from the FLEX storage building to the required connection point,

- Connecting and starting the FLEX DG to maintain DC power and restart battery charging, and

- Refueling the FLEX DG to maintain function for the full mission time (at least 24 hours from the start of the event).

Note that there are different refueling plans depending on the site. This evaluation assumes that AOs will have to periodically monitor the fuel level of the FLEX DG and determine when refill is required. Different refueling plans are considered in the plant variabilities section.

SPAR Model Application

FLX-XHE-XM-480 is a basic event in the FLEX-480 fault tree, which is queried in the SBO-ELAP event tree. If operators successfully declare ELAP and perform the deep DC load shed, the FLEX-480 fault tree will be queried.

Scenario Description/Event Context

If operators successfully declare ELAP, operators and plant personnel will begin implementing multiple FSGs concurrently. Following successful DC load shed, one of the more time critical actions will be to transport, connect, and start the FLEX DG to restore charging to the safety-related batteries and to maintain DC power for instrumentation and control purposes. If operators fail to connect and start the FLEX DG prior to battery depletion, the SPAR models assume that core damage will occur as no credit is provided for maintaining core cooling and inventory without DC power.

Boundary Conditions

The start of this HFE is a declaration of ELAP. The end of this HFE is the failure to connect the FLEX DG prior to the depletion of the safety-related batteries, which results in a loss of all DC power.

Success Criteria

Operators successfully restore battery charging and DC power supply via the FLEX DG prior to battery depletion and maintain battery charging for the PRA mission time of 24 hours.

Key Cue(s)

- ELAP Declaration

Procedural Guidance

- FSG Covering Connection of FLEX DG to Restore Battery Charging/DC Power

- FSG Covering Refueling of FLEX Equipment

CFM Selection

Detection - Detection is not required for the first two critical tasks because declaration of ELAP triggers the implementation of the FSGs, including the transporting, connecting, and starting of the FLEX DG. However, detection is required for the third critical task because an AO is required to monitor fuel level periodically. Therefore, this CFM is only applicable for the third critical task (i.e., refueling) associated with this HFE.

Understanding - Understanding is not required for the first two critical tasks because declaration of ELAP triggers the implementation of the FSGs, including the transporting, connecting, and starting of the FLEX DG. However, understanding is required for the third critical task because an AO will need to maintain situational awareness of FLEX DG fuel level and predict when actions to add fuel to the FLEX DG will need to be initiated. Therefore, this CFM is only applicable for the third critical task (i.e., refueling) associated with this HFE.

Decisionmaking - Decisionmaking is not required for the first two critical tasks because declaration of ELAP triggers the implementation of the FSGs, including the transporting, connecting, and starting of the FLEX DG. In addition, decisionmaking is not required for the third critical task because low fuel level for the FLEX DG would only lead the AO to add fuel to the FLEX DG. Therefore, this CFM is not applicable for the three critical tasks associated with this HFE.

Action Execution - These tasks require the AOs and other plant staff to transport, connect, and start the FLEX DG. In addition, operators must periodically refuel the DG. These actions are accomplished outside the MCR.

Interteam Coordination - The first critical task (transporting the FLEX DG, cables, etc.) requires interteam coordination because communication between security personnel and AOs is likely needed while moving equipment through security doors and/or gates. It is not expected that interteam coordination is required for the other two critical tasks and, therefore, this CFM is not applicable to these tasks. The following table provides a breakdown of the applicable CFMs per critical task:

Critical Task | Detection | Understanding | Decisionmaking | Action Execution | Interteam Coordination
1 | N/A | N/A | N/A | Yes | Yes
2 | N/A | N/A | N/A | Yes | N/A
3 | Yes | Yes | N/A | Yes | N/A

Evaluation of PIFs for Applicable CFMs

Critical Task 1: Transporting the FLEX DG from the FLEX Storage Building to the Required Connection Point

CFM4 - Failure of Action Execution (Base Probability = 1x10⁻⁴)

- Scenario Familiarity - Although the transportation of the FLEX DG is rarely performed, there is no impact because this critical task is covered by plant procedures.

- Task Complexity - No impact because complexity of connecting the FLEX equipment to the tractor and driving the equipment to the required connection point is not expected to negatively affect the failure probability of this critical task.

- Training and Experience - TE2: Inadequate training practicality; recurring training is expected to consist of walkthroughs and discussion not the actual transportation of equipment. Selection of this PIF attribute applies a multiplier of 1.5 to the base CFM probability for this task.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM5 - Interteam Coordination (Base Probability = 1x10-3)

- Task Complexity - C41: Complexity of information communicated (1: simple), should be selected because the information communicated between the security personnel and AOs while moving the FLEX DG and associated cables and other equipment is considered to be simple. This selection increases the Interteam Coordination CFM failure probability from its base value of 1x10-3 to 1.5x10-3.

- The other PIFs were determined to have a negligible impact on the base case HFE.

Critical Task 2: Connecting and Starting the FLEX DG to Maintain DC Power and Restart Battery Charging

CFM4 - Failure of Action Execution (Base Probability = 1x10-4)

- Scenario Familiarity - Although the connecting and starting of the FLEX DG is rarely performed, there is no impact because this critical task is covered by plant procedures.

- Task Complexity - C31: Straightforward procedure execution with many steps; the alignment of the FLEX DG FSG covers several pages and requires moving and connecting many cables and several breaker manipulations. Selection of this PIF attribute increases the base probability of this CFM to 1x10-3.

- Training and Experience - TE2: Inadequate training practicality; recurring training is expected to consist of walkthroughs and discussion not the actual performance of procedure steps for this task. Selection of this PIF attribute applies a multiplier of 1.5 to the base CFM probability for this task.

- The other PIFs were determined to have a negligible impact on the base case HFE.

Critical Task 3: Refueling the FLEX DG to Maintain Function for the Full Mission Time

CFM1 - Failure of Detection (Base Probability = 1x10-4)

- Scenario Familiarity - No impact because detecting the fuel oil level of the FLEX DG is a basic concept.

- Task Complexity - No impact because detecting the fuel oil level of the FLEX DG is a simple task.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM2 - Failure of Understanding (Base Probability = 1x10-3)

- Scenario Familiarity - No impact because understanding that low fuel oil level of the FLEX DG requires refill is a basic concept.

- Information Completeness and Reliability - No impact because the fuel oil level indication is assumed to be sufficient for this task.

- Task Complexity - No impact because understanding that low fuel oil level of the FLEX DG requires refill is a simple task.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM4 - Failure of Action Execution (Base Probability = 1x10-4)

- Scenario Familiarity - Although refueling the FLEX DG is rarely performed, there is no impact because this critical task is covered by plant procedures.

- Task Complexity - C31: Straightforward procedure execution with many steps; the refueling FSG covers multiple pages covering the moving of the refueling truck, connecting hoses, etc. Selection of this PIF attribute increases the base probability of this CFM to 1x10-3.

- Training and Experience - TE2: Inadequate training practicality; recurring training is expected to consist of walkthroughs and discussion not the actual performance of procedure steps for this task. Selection of this PIF attribute applies a multiplier of 1.5 to the base CFM probability for this task.

- The other PIFs were determined to have a negligible impact on the base case HFE.

Using these assumptions, the cognitive failure probability (Pc) of 5.7x10-3 is calculated using the Pc estimates from the three critical tasks using the following formula:

Pc = 1 - (1 - Pc(Task 1)) (1 - Pc(Task 2)) (1 - Pc(Task 3)) = 1 - (1 - 1.65x10-3) (1 - 1.5x10-3) (1 - 2.6x10-3) = 5.7x10-3

Timing Evaluation

At BWR 5, operators would have approximately 6 hours for the base case scenario after ELAP declaration and successful deep load shed to restore charging to the safety-related batteries and to maintain DC power for instrumentation and control purposes. Therefore, Tavail is estimated to be 6 hours.

The validation timings for BWR 5 determined that it took plant personnel approximately 1 hour and 54 minutes to restore division 1 battery charging via panel 3AS1061 and 1 hour and 50 minutes to restore division 1 battery charging via panel 3BS1061, respectively. Note that only one panel will be used to restore battery charging and DC power. Given the close time estimates between the two panels, the longer time of 1 hour and 54 minutes was selected for this evaluation. Therefore, Treqd is estimated to be 1.9 hours.

There was only one timing estimate per panel in the BWR 5 validation timing and, therefore, no empirical data is available to determine an EF for this HFE. The limited operator data available indicates larger timing variability (i.e., EFs greater than 2) is typically associated with actions with increased cognitive demand (e.g., short Treqd). For the actions associated with this HFE, the analysis team concluded that main contributors to time variability were mustering of facility staff, conduct of pre-job briefs, and timing variations in the conduct of specific, well documented, action steps. The team concluded that an additional time of approximately 2 hours would be sufficient to bound these actions for 95 percent of operator crews. Therefore, an EF of 2 is judged to be a reasonable estimate for this action. This selection results in a Pt of 3.2x10-3.

Note that the evaluation of Pt does not consider the refueling critical task because doing so would require the evaluation of this task as a separate HFE and is considered as an uncertainty associated with this evaluation.

Error Recovery

Error recovery credit is not provided for this task.

Calculated HEP

HEP = 1 - (1 - Pc) (1 - Pt) = 1 - (1 - 5.7x10-3) (1 - 3.2x10-3) = 9x10-3

Plant Variabilities

Some PIF selections could change from the base case scenario between different plants. For example, the routing/connection of cables could require modifications such as cutting holes in fences or walls that may not be covered explicitly by procedures and, therefore, increase the overall task complexity. There is the potential for significant plant-to-plant variabilities associated with the timing estimates (especially Treqd), which could lead to significant differences in the Pt and overall HEP between different plants and even between similar units.

Hazard Variabilities

For some significant hazards, such as a BDB seismic event, additional PIFs and their associated attributes may warrant selection. For example, MF8: Emotional stress (e.g., anxiety, frustration), should be selected if the analyst believes that operator performance could be negatively affected due to stresses caused by the event (e.g., concerns over their health, family's health and wellbeing, and future employment); this would result in a multiplier of 1.2. In addition, if the event results in debris and failed equipment or other structures (e.g., ladders) not cleared as part of debris removal for transporting of equipment, the action execution could become more physically demanding. If the analyst believes the increased demands could negatively affect operator performance, PD1: Physically strenuous - possible exceeding physical limits, should be selected (PD1 results in a weighting multiplier of 1.5). There is potential that a longer-lasting storm could affect the environmental conditions for all three critical tasks. If this is the case, the analyst should consider the appropriate environmental PIF attributes (e.g., ENV6: very low visibility, ENV9: slippery surface, ENV10: strong winds, rain, or objects on physically demanding tasks, etc.).

If the initiating event results in significant debris, time for debris removal (typically assumed to be 2 hours) needs to be considered in the evaluation of Pt. Specifically, debris removal will decrease the Tavail and could result in a significant increase to the Pt. For the reference plant, the Tavail would decrease to 4 hours if debris removal was required, resulting in Pt of 3.9x10-2 (assuming an EF of 2).

Key Uncertainties

The following key uncertainties were identified:

- The selection of the appropriate EF for the timing estimates can have a significant effect on the Pt and the overall HEP. In general, the empirical studies referenced in the timing evaluations of other HFEs provided in this report involved specific scenarios involving procedurally-driven MCR operator actions. The data available for actions performed outside the MCR is more limited. The IDHEAS-ECA guidance for the selection of the EFs associated with timing estimates is still under development.

- The Pt evaluation does not include refueling. The evaluation of Pt for the refueling would require the separation of this task into a separate HFE. This separation was not pursued because the SPAR models include refueling as part of this HFE. This modeling choice is not expected to have a significant effect on the overall HEP because there is sufficient time and there is a high likelihood of the operators' ability to recover the FLEX DG if it ran out of fuel.

- It is unknown whether the refueling task involves coordination with security personnel. If so, the Interteam Coordination CFM should be evaluated along with the selection of PIF attribute C41: Complexity of information communicated (1: simple). This selection would result in Pc increasing to 7.2x10-3 and the overall HEP increasing to 1x10-2.

4.4.4 Operators Fail to Vent Containment during ELAP

HFE Name

FLX-XHE-XM-CVS

HFE Definition

Operators fail to vent containment during ELAP. This entire HFE is considered as a single critical task within the IDHEAS-ECA framework.

SPAR Model Application

FLX-XHE-XM-CVS is a basic event in the FLEX-CVS fault tree, which is queried in the SBO-ELAP event tree. This fault tree is queried if operators successfully declare ELAP, perform deep DC load shed, and successfully transport and start the FLEX DG to maintain safety-related DC power and restart charging the safety-related batteries.

Scenario Description/Event Context

An SBO will result in a loss of condenser heat sink and reactor feedwater. Therefore, RCIC and/or HPCI, along with the SRVs, will discharge to the suppression pool. Because SPC is unavailable, containment pressure will begin to increase. Plant procedures direct operators to vent containment when its pressure reaches 2 psig to maintain adequate core cooling. This anticipatory venting will prevent the suppression pool temperature from reaching 250°F. A BWR Owners Group study determined that RCIC functionality will be maintained when the suppression pool is below this temperature limit.

Boundary Conditions

The start of this HFE is when the weather-related LOOP initiating event and subsequent SBO occurs (i.e., t = 0). The base case scenario assumes that RCIC is successful from the beginning of the event and the safety relief valves are rejecting heat to the suppression pool. The end of this HFE is failure to vent primary containment in time to prevent the suppression pool temperature from reaching 250°F.

Success Criteria

Operators successfully vent primary containment in time to prevent the suppression pool temperature from reaching 250°F, thereby maintaining RCIC and/or HPCI injection to the reactor.

Key Cue(s)

- Primary Containment Pressure

Procedural Guidance

- Primary Containment Control

- Containment Venting Via the Torus Hardened Vent

CFM Selection

Detection - This task requires the operators to detect primary containment pressure to determine when containment needs to be vented.

Understanding - This task requires the operators to understand that containment needs to be vented to maintain successful RCIC system operation.

Decisionmaking - Decisionmaking is not required for this task because with correct understanding of the event, procedures require operators to vent containment. Therefore, this CFM is not applicable for this task.

Action Execution - This task requires the operators to manually vent containment. This action has execution steps both in and outside the MCR.

Interteam Coordination - Interteam coordination is not required for this task because multiple teams would not be involved. Therefore, this CFM is not applicable for this task.

Evaluation of PIFs for Applicable CFMs

CFM1 - Failure of Detection (Base Probability = 1x10-4)

- Scenario Familiarity - No impact because operators are routinely trained on containment pressure control during SBO scenarios. In addition, this critical task is covered by plant procedures.

- Task Complexity - C1: Detection overload with multiple competing signals (1: Few < 7); there are at least two potentially competing signals, including the annunciators/parameters associated with the (1.) LOOP and SBO and (2.) containment pressure. Selection of this PIF attribute increases the probability of CFM1 from the base probability of 1x10-4 (i.e., no PIF attributes are selected) to 3x10-3. This selection may be conservative or nonconservative based on an initial review of the limited amount of supporting data for this PIF attribute. Further review of this data is needed to develop the appropriate guidance.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM2 - Failure of Understanding (Base Probability = 1x10-3)

- Scenario Familiarity - No impact because operators are trained to control primary containment pressure to maintain adequate core cooling. In addition, this critical task is covered by plant procedures.

- Information Completeness and Reliability - No impact because primary containment pressure is sufficient to diagnose the need for venting containment.

- Task Complexity - No impact because the requirement to control primary containment pressure to maintain adequate core cooling is specifically covered by plant procedures.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM4 - Failure of Action Execution (Base Probability = 1x10-4)

- Scenario Familiarity - Although the venting of containment is rarely performed, there is no impact because this critical task is covered by plant procedures.

- Task Complexity - C31: Straightforward procedure execution with many steps; the procedure covers several pages and covers multiple valve manipulations/verifications. Selection of this PIF attribute increases the base probability of this CFM to 1x10-3. Note that this evaluation assumes that the containment vent valve will remain open.

- The other PIFs were determined to have a negligible impact on the base case HFE.

Using these assumptions, Pc is calculated as 5x10-3 by summing the probabilities of CFM1 (3x10-3), CFM2 (1x10-3), and CFM4 (1x10-3) probabilistically.

Timing Evaluation

The BWR 5 primary containment control flow chart directs operators to vent containment using the hardened vent when containment pressure reaches 2 psig to maintain adequate core cooling (i.e., maintain RCIC/HPCI functionality). This cue is expected to be reached within approximately 15 minutes during an SBO. RCIC/HPCI are assumed to fail when suppression pool temperature exceeds 250°F. MELCOR calculations for Duane Arnold documented in NUREG-2236, Confirmatory Thermal-Hydraulic Analysis to Support Specific Success Criteria in the Standardized Plant Analysis Risk Models-Duane Arnold, (ML20300A225) indicate that this cue is expected to be reached in approximately 10 hours for the most applicable case. BWR 5 has a thermal power output approximately twice that of Duane Arnold. However, the suppression pool volume at BWR 5 is approximately double the size of suppression pool volume at Duane Arnold. A simplified heat balance calculation indicates that it will take approximately 9.9 hours for the BWR 5 suppression pool to reach 250°F. From these time estimates, the Tavail is calculated to be 9.7 hours for this operator action.

Timing validations performed at BWR 5 on how long it would take operators to align the hardened containment venting system and start venting calculated 25.5 minutes (Unit 2) and 16.2 minutes (Unit 3) for operators to complete the procedural steps to vent containment. A reactor operator, with an AO trainee to assist, is assigned with the alignment operations for both units. The combined time to perform all the required alignment procedure steps is 41.7 minutes, which is the Treqd for this action.

There was only one timing estimate in the BWR 5 validation timing and, therefore, no empirical data is available to determine an EF for this HFE. An EF of 3, which is considered bounding for most HFEs, was selected resulting in a Pt of 4.0x10-5.

Error Recovery

Error recovery credit is not provided for this task.

Calculated HEP

HEP = 1 - (1 - Pc) (1 - Pt) = 1 - (1 - 5.0x10-3) (1 - 4.0x10-5) = 5x10-3

Plant Variabilities

For plants that will periodically open and close the vent valves to maintain primary containment within a certain pressure band, an additional critical task should be included in this evaluation. It is expected this critical task requires the Detection, Understanding, and Action Execution CFMs. The Detection and Understanding CFMs will likely remain at their base probabilities for this new critical task, while the C35: Long-lasting action, repeated discontinuous control should be selected for the Action Execution CFM. This change would result in Pc increasing to 2.6x10-2 and the overall HEP increasing to 3x10-2.

There is the potential for significant plant-to-plant variabilities associated with the timing estimates (especially Treqd), which could lead to significant differences in the Pt and overall HEP between different plants and even between similar units.

Hazard Variabilities

For most initiating events, significant variabilities are not expected. However, for some significant hazards, such as a BDB seismic event, additional PIFs and their associated attributes may warrant selection. For example, MF8: Emotional stress (e.g., anxiety, frustration), should be selected if the analyst believes that operator performance could be negatively affected due to stresses caused by the event (e.g., concerns over their health, family's health and wellbeing, and future employment); this would result in a multiplier of 1.2. In addition, if the event results in debris and failed equipment or other structures (e.g., ladders), the action execution could become more physically demanding for plants that have execution steps outside the MCR. If the analyst believes the increased demands could negatively affect operator performance, PD1: Physically strenuous - possible exceeding physical limits, should be selected (PD1 results in a weighting multiplier of 1.5).

Key Uncertainties

The following key uncertainties were identified:

- There are no thermal-hydraulic calculations available that provide the Tavail for the reference plant. Sensitivity calculations show that Pt will remain a negligible contributor to the overall HEP if Tavail is greater than 2.5 hours.

- The selection of the appropriate EF for the timing estimates can have a significant effect on the Pt and the overall HEP. In general, the empirical studies referenced in the timing evaluations of other HFEs provided in this report involved specific scenarios involving procedurally-driven MCR operator actions. The data available for actions performed outside the MCR is more limited. The guidance for the selection of the EFs associated with timing estimates is still under development.

- The selection of the PIF attribute C1: Detection overload with multiple competing signals (1: Few < 7) for the Detection CFM is potentially conservative or nonconservative. An initial review indicated that the limited supporting data may not support this PIF attribute as it is currently constituted (e.g., how signals are defined, how multiple indications and alarms are binned into a single signal, and the potential for decay of a signal as time passes). Further review of this data is needed to develop guidance associated with selection of this PIF attribute. If this PIF attribute is not selected, the Pc (and overall HEP) for this action would decrease to 2x10-3.
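The following Python sketch is an added example, not code from the report or from the IDHEAS-ECA software; it reproduces the Pc, Pt, and HEP arithmetic for the FLEX DG evaluation above and for the containment venting HFE (4.4.4), including the debris-removal and PIF-selection sensitivity cases. It assumes Treqd is lognormally distributed with the point estimate as its median and the EF as the ratio of the 95th percentile to the median, an assumption chosen because it reproduces the Pt values stated in the text; all function names are hypothetical.

```python
import math

# z-score of the 95th percentile of the standard normal distribution
Z95 = 1.6448536269514722


def combine(*probs):
    """Probabilistic sum of independent failure probabilities: 1 - prod(1 - p)."""
    survive = 1.0
    for p in probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
        survive *= 1.0 - p
    return 1.0 - survive


def time_failure_probability(t_avail, t_reqd, ef):
    """Pt = P(time required > time available).

    ASSUMPTION (not stated on the page): time required is lognormal with
    median t_reqd and error factor ef = 95th percentile / median.
    """
    if t_avail <= 0 or t_reqd <= 0 or ef <= 1:
        raise ValueError("need t_avail > 0, t_reqd > 0 and ef > 1")
    sigma = math.log(ef) / Z95
    z = math.log(t_avail / t_reqd) / sigma
    return 0.5 * math.erfc(z / math.sqrt(2.0))  # upper tail of the normal


def flex_dg(t_avail_h=6.0, refuel_needs_security=False):
    """FLEX DG HFE: three critical tasks, values taken from the text above."""
    # Task 1: CFM4 base 1x10-4 with TE2 (x1.5); CFM5 raised to 1.5x10-3 by C41
    task1 = combine(1e-4 * 1.5, 1.5e-3)
    # Task 2: CFM4 raised to 1x10-3 by C31, then TE2 (x1.5)
    task2 = combine(1e-3 * 1.5)
    # Task 3: CFM1 and CFM2 at base values; CFM4 with C31 and TE2
    task3_cfms = [1e-4, 1e-3, 1e-3 * 1.5]
    if refuel_needs_security:
        # Key uncertainty: add Interteam Coordination with C41 to refueling
        task3_cfms.append(1.5e-3)
    task3 = combine(*task3_cfms)
    pc = combine(task1, task2, task3)
    pt = time_failure_probability(t_avail_h, 1.9, 2.0)  # Treqd 1.9 h, EF 2
    return pc, pt, combine(pc, pt)


def containment_vent(select_c1=True):
    """Containment venting HFE: one critical task, values from the text above."""
    cfm1 = 3e-3 if select_c1 else 1e-4  # C1 selected vs. base detection value
    pc = combine(cfm1, 1e-3, 1e-3)      # CFM1, CFM2 (base), CFM4 (C31)
    pt = time_failure_probability(9.7, 41.7 / 60.0, 3.0)  # Treqd 41.7 min, EF 3
    return pc, pt, combine(pc, pt)


if __name__ == "__main__":
    cases = {
        "FLEX DG base case": flex_dg(),
        "FLEX DG, debris removal (Tavail 4 h)": flex_dg(t_avail_h=4.0),
        "FLEX DG, refueling needs security": flex_dg(refuel_needs_security=True),
        "Vent base case": containment_vent(),
        "Vent, C1 not selected": containment_vent(select_c1=False),
    }
    for name, (pc, pt, hep) in cases.items():
        print(f"{name}: Pc={pc:.1e}  Pt={pt:.1e}  HEP={hep:.0e}")
```

The debris-removal case shows how quickly Pt comes to dominate once Tavail shrinks toward Treqd, which is why the EF selection is listed as a key uncertainty.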

4.4.5 Operators Fail to Stage or Run or Supply or Refill FLEX RPV Pump

HFE Name

FLX-XHE-XM-RPV

HFE Definition

Operators fail to transport, connect, and start the FLEX RPV pump prior to core damage given RCIC and/or HPCI can no longer provide adequate core cooling. This HFE is comprised of the following four critical tasks within the IDHEAS-ECA framework:

- Transporting the FLEX RPV pump from the FLEX storage building to the required connection point,

- Connecting the FLEX RPV pump,

- Starting the FLEX RPV pump to restore core cooling after the failure of RCIC and/or HPCI, and

- Refueling the FLEX RPV pump to maintain function for the full mission time (at least 24 hours from the start of the event).

Note that there are different refueling plans depending on the site. This evaluation assumes that AOs will have to periodically monitor the fuel level of the FLEX RPV pump and determine when refill is required. Different refueling plans are considered in the plant variabilities section.

SPAR Model Application

FLX-XHE-XM-RPV is a basic event in the FLEX-RPV fault tree, which is queried in the SBO-ELAP event tree. If operators successfully declare ELAP, perform the deep DC load shed, start the FLEX DG to maintain DC power, and vent containment, the FLEX-RPV fault tree will be queried.

Scenario Description/Event Context

Adequate core cooling must be provided via RCIC and/or HPCI while operators successfully declare ELAP, perform the deep load shed to extend batteries, and restore battery charging via the FLEX DG. In addition, RCIC and/or HPCI must provide core cooling while plant personnel move and connect the FLEX RPV pump. If RCIC and/or HPCI can no longer provide adequate core cooling after the FLEX RPV pump is connected, operators will start the pump to restore core cooling.

Boundary Conditions

The start of this HFE is when personnel start transporting the FLEX RPV pump and hoses after completing the move of the FLEX DG and cables. The end of this HFE is the failure to restore core cooling via the FLEX RPV pump prior to core damage given a loss of RCIC and/or HPCI.

Success Criteria

Operators successfully restore core cooling via the FLEX RPV pump and maintain adequate core cooling for the PRA mission time of 24 hours.

Key Cue(s)

- ELAP Declaration

- Annunciators associated with failures of RCIC and/or HPCI (e.g., pump isolation trip, turbine trip, pump discharge low flow, etc.)

- Reactor Water Level

Procedural Guidance

- FSG Covering Connection of FLEX RPV Pump

- FSG Covering Refueling of FLEX Equipment

CFM Selection

Detection - Detection is not required for the first two critical tasks because declaration of ELAP triggers the implementation of the FSGs, including the transporting and connecting of the FLEX RPV pump. However, detection is required for the third critical task. Specifically, operators must detect that RCIC and/or HPCI can no longer provide adequate core cooling. In addition, detection is required for the fourth critical task because an AO is required to monitor fuel level periodically. Therefore, this CFM is applicable for the third and fourth critical tasks associated with this HFE.

Understanding - Understanding is not required for the first two critical tasks because declaration of ELAP triggers the implementation of the FSGs, including the transporting and connecting of the FLEX RPV pump. However, understanding is required for the third critical task. Once the FLEX RPV pump is connected, the start of the pump would likely be deferred until the MCR can perform an orderly transfer from HPCI/RCIC to the FLEX pump. For example, operators must understand that failures of RCIC and/or HPCI, or other system conditions that would compromise continued RPV makeup via HPCI or RCIC, require the FLEX RPV pump to be started and aligned to restore core cooling. In addition, understanding is required for the fourth critical task because an AO will need to maintain situational awareness of FLEX RPV pump fuel level and predict when actions to add fuel will need to be initiated. Therefore, this CFM is applicable for the third and fourth critical tasks associated with this HFE.

Decisionmaking - Decisionmaking is not required for the first two critical tasks because declaration of ELAP triggers the implementation of the FSGs, including the transporting and connecting the FLEX RPV pump. The third critical task does not require decisionmaking because the FLEX RPV pump is the only option to restore core cooling if RCIC and/or HPCI are failed/unavailable, and its use would be directed by procedures. In addition, decisionmaking is not required for the fourth critical task because an understanding of low fuel level for the FLEX RPV pump would direct the AO to add fuel. Therefore, this CFM is not applicable for the four critical tasks associated with this HFE.

Action Execution - These tasks require the AOs and other plant staff to transport, connect, and start the FLEX RPV pump. In addition, operators must periodically refuel the FLEX RPV pump. These actions are accomplished outside the MCR.

Interteam Coordination - The first critical task (transporting the FLEX RPV pump, hoses, etc.) requires interteam coordination because communication between security personnel and AOs is likely needed while moving equipment through security doors and/or gates. It is not expected that interteam coordination is required for the other three critical tasks and, therefore, this CFM is not applicable to these tasks. The following table provides a breakdown of the applicable CFMs per critical task:

Critical Task | Detection | Understanding | Decisionmaking | Action Execution | Interteam Coordination
1 | N/A | N/A | N/A | Yes | Yes
2 | N/A | N/A | N/A | Yes | N/A
3 | Yes | Yes | N/A | Yes | N/A
4 | Yes | Yes | N/A | Yes | N/A

Evaluation of PIFs for Applicable CFMs

Critical Task 1: Transporting the FLEX RPV Pump from the FLEX Storage Building to the Required Connection Point

CFM4 - Failure of Action Execution (Base Probability = 1x10-4)

- Scenario Familiarity - Although the transportation of the FLEX RPV pump is rarely performed, there is no impact because this critical task is covered by plant procedures.

- Task Complexity - No impact because complexity of connecting the FLEX equipment to the tractor and driving the equipment to the required connection point is not expected to negatively affect the failure probability of this critical task.

- Training and Experience - TE2: Inadequate training practicality; recurring training is expected to consist of walkthroughs and discussion not the actual transportation of equipment. Selection of this PIF attribute applies a multiplier of 1.5 to the base CFM probability for this task.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM5 - Interteam Coordination (Base Probability = 1x10-3)

- Task Complexity - C41: Complexity of information communicated (1: simple), should be selected because the information communicated between the security personnel and AOs while moving the FLEX RPV pump and associated hoses and other equipment is considered to be simple. This selection increases the Interteam Coordination CFM failure probability from its base value of 1x10-3 to 1.5x10-3.

- The other PIFs were determined to have a negligible impact on the base case HFE.

Critical Task 2: Connecting the FLEX RPV Pump

CFM4 - Failure of Action Execution (Base Probability = 1x10-4)

- Scenario Familiarity - Although the connecting of the FLEX RPV pump is rarely performed, there is no impact because this critical task is covered by plant procedures.

- Task Complexity - C31: Straightforward procedure execution with many steps; the alignment of the FLEX RPV pump FSG covers several pages and requires moving and connecting many cables and several breaker manipulations. Selection of this PIF attribute increases the base probability of this CFM to 1x10-3.

- Training and Experience - TE2: Inadequate training practicality; recurring training is expected to consist of walkthroughs and discussion not the actual performance of procedure steps for this task. Selection of this PIF attribute applies a multiplier of 1.5 to the base CFM probability for this task.

- The other PIFs were determined to have a negligible impact on the base case HFE.

Critical Task 3: Starting the FLEX RPV Pump to Restore Core Cooling

CFM1 - Failure of Detection (Base Probability = 1x10-4)

- Scenario Familiarity - No impact because monitoring reactor water level along with RCIC and/or HPCI operation is covered by plant procedures and is a fundamental concept.

- Task Complexity - No impact because potential RCIC and/or HPCI failures would occur sufficiently after the initiating event and other equipment failures (e.g., EDGs) such that there is not expected to be competing signals when operators are monitoring reactor water level.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM2 - Failure of Understanding (Base Probability = 1x10-3)

- Scenario Familiarity - No impact because understanding that core cooling must be switched to the FLEX RPV pump if RCIC and/or HPCI are no longer available is covered by plant procedures.

- Information Completeness and Reliability - No impact because the reactor water level and RCIC and/or HPCI alarms/annunciators are assumed to be sufficient for this task.

- Task Complexity - No impact because understanding that core cooling must be switched to the FLEX RPV pump if RCIC and/or HPCI are no longer available is covered by plant procedures.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM4 - Failure of Action Execution (Base Probability = 1x10-4)

- Scenario Familiarity - No impact because these pumps are started for periodic testing.

- Task Complexity - C35: Long-lasting action, repeated discontinuous control; operators will have to maintain adequate reactor water level by controlling the FLEX RPV pump flow rate. Operators must monitor reactor water level and control the FLEX RPV pump flowrate for the PRA mission time of 24 hours. Selection of this PIF attribute increases the base probability of this CFM to 2x10-2.

- The other PIFs were determined to have a negligible impact on the base case HFE.

Critical Task 4: Refueling the FLEX RPV Pump to Maintain Function for the Full Mission Time

CFM1 - Failure of Detection (Base Probability = 1x10-4)

- Scenario Familiarity - No impact because detecting the fuel oil level of the FLEX RPV pump is a basic concept.

- Task Complexity - No impact because detecting the fuel oil level of the FLEX RPV pump is a simple task.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM2 - Failure of Understanding (Base Probability = 1x10-3)

- Scenario Familiarity - No impact because understanding that low fuel oil level of the FLEX RPV pump requires refill is a basic concept.

- Information Completeness and Reliability - No impact because the fuel oil level indication is assumed to be sufficient for this task.

- Task Complexity - No impact because understanding that low fuel oil level of the FLEX RPV pump requires refill is a simple task.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM4 - Failure of Action Execution (Base Probability = 1x10-4)

- Scenario Familiarity - Although refueling the FLEX RPV pump is rarely performed, there is no impact because this critical task is covered by plant procedures.

- Task Complexity - C31: Straightforward procedure execution with many steps; the refueling FSG covers multiple pages covering the moving of the refueling truck, connecting hoses, etc. Selection of this PIF attribute increases the base probability of this CFM to 1x10-3.

- Training and Experience - TE2: Inadequate training practicality; recurring training is expected to consist of walkthroughs and discussion, not the actual performance of procedure steps for this task. Selection of this PIF attribute applies a multiplier of 1.5 to the base CFM probability for this task.

- The other PIFs were determined to have a negligible impact on the base case HFE.

Using these assumptions, the cognitive failure probability (Pc) of 2.6x10-2 is calculated using the Pc estimates from the three critical tasks using the following formula:

Pc = 1 - (1 - Pc(Task 1)) (1 - Pc(Task 2)) (1 - Pc(Task 3)) (1 - Pc(Task 4)) = 1 - (1 - 1.65x10-3) (1 - 1.5x10-3) (1 - 2.1x10-2) (1 - 2.6x10-3) = 2.7x10-2

Timing Evaluation

Operators will not switch core cooling to the FLEX RPV pump unless issues with continual running of RCIC and/or HPCI develop. The time available for operators to initiate core cooling from FLEX RPV pump will depend on when the switch from RCIC and/or HPCI is made. The most limiting time would be earlier in the event when decay heat levels are higher. However, the FLEX RPV pump must be transported and connected first. The earliest the FLEX RPV pump will be available to provide core cooling is approximately 5 hours after the LOOP initiating event occurred and subsequent SBO began. Based on validation timings for BWR 5, 5 hours would likely provide sufficient time availability to transport and connect the FLEX RPV pump such that any Pt contribution to the failure of Critical Tasks 1 (transport) and 2 (connection) would be negligible. Note that if RCIC and/or HPCI fail prior to this time, it is assumed that there is insufficient time to transport and connect the FLEX RPV pump prior to core damage. Therefore, the timing evaluation for this HFE assumes that the FLEX RPV pump has been successfully transported and connected.

It is expected that at least 1 hour would be available to operators after RCIC and/or HPCI is lost; this is 5 hours or more into the event assuming operators were maintaining reactor water level as directed by ELAP procedures. It is expected that it will take MCR operators approximately 5 minutes to depressurize the reactor to below the shutoff head of the FLEX RPV pump; however, this action will occur concurrently with the action starting the FLEX RPV pump performed by the AOs. Therefore, the Tavail to start the FLEX RPV pump will be a minimum of 55 minutes. It is expected to take the AOs approximately 20 minutes to start the FLEX RPV pump and restore core cooling.

Note that the potential time dependency (i.e., when both actions have the same time window) between the reactor depressurization and starting the FLEX RPV pump is not treated explicitly in this evaluation. There is potential that a delay in completing the first action (reactor depressurization) will result in insufficient time to perform the second action (starting the FLEX RPV pump). However, this potential time dependency is minimized because different personnel are performing each action.

There was only one timing estimate in the BWR 5 validation timing and, therefore, no empirical data is available to determine an EF for this HFE. Because of the limited availability of data associated with this type of action, a statistically based EF estimate was not possible. The team concluded that a time of approximately 40 minutes would be sufficient to bound these actions for 95 percent of operator crews. Therefore, an EF of 2 is judged to be a reasonable estimate for this action. This selection results in a Pt of 8.2x10-3.

Note that the evaluation of Pt does not consider the refueling critical task because doing so would require the evaluation of this task as a separate HFE; this is considered an uncertainty associated with this evaluation.

Error Recovery

Error recovery credit is not provided for this task.

Calculated HEP

HEP = 1 - (1 - Pc) (1 - Pt) = 1 - (1 - 2.7x10-2) (1 - 8.2x10-3) = 3x10-2

Plant Variabilities

Some PIF selections could change from the base case scenario between different plants. For example, the routing/connection of hoses could require modifications such as cutting holes in fences or walls that may not be covered explicitly by procedures and, therefore, increase the overall task complexity. There is the potential for significant plant-to-plant variabilities associated with the timing estimates (especially Treqd), which could lead to significant differences in the Pt and overall HEP between different plants and even between similar units.

Hazard Variabilities

For some significant hazards, such as a BDB seismic event, additional PIFs and their associated attributes may warrant selection. For example, MF8: Emotional stress (e.g., anxiety, frustration), should be selected if the analyst believes that operator performance could be negatively affected due to stresses caused by the event (e.g., concerns over their health, family's health and wellbeing, and future employment); this would result in a multiplier of 1.2. In addition, if the event results in debris and failed equipment or other structures (e.g., ladders) not cleared as part of debris removal for transporting of equipment, the action execution could become more physically demanding. If the analyst believes the increased demands could negatively affect operator performance, PD1: Physically strenuous - possible exceeding physical limits, should be selected (PD1 results in a weighting multiplier of 1.5). There is potential that a longer-lasting storm could affect the environmental conditions for all three critical tasks. If this is the case, the analyst should consider the appropriate environmental PIF attributes (e.g., ENV6: very low visibility, ENV9: slippery surface, ENV10: strong winds, rain, or objects on physically demanding tasks, etc.).

If the initiating event results in significant debris, time for debris removal (typically assumed to be 2 hours) needs to be considered in the evaluation of Pt. Specifically, debris removal will decrease the Tavail and could result in a significant increase to the Pt. For the reference plant, the Tavail would decrease to 4 hours if debris removal was required, resulting in Pt of 3.9x10-2 (assuming an EF of 2).

Key Uncertainties

The following key uncertainties were identified:

- The selection of the appropriate EF for the timing estimates can have a significant effect on the Pt and the overall HEP. In general, the empirical studies referenced in the timing evaluations of other HFEs provided in this report involved specific scenarios involving procedurally-driven MCR operator actions. The data available for actions performed outside the MCR is more limited. The IDHEAS-ECA guidance for the selection of the EFs associated with timing estimates is still under development.

- The Pt evaluation does not include refueling. The evaluation of Pt for the refueling would require the separation of this task into a separate HFE. This separation was not pursued because the SPAR models include refueling as part of this HFE. This modeling choice is not expected to have a significant effect on the overall HEP because there is sufficient time and there is a high likelihood of the operators' ability to recover the FLEX DG if it ran out of fuel.

- It is unknown whether the refueling task involves coordination with security personnel. If so, the Interteam Coordination CFM should be evaluated along with the selection of PIF attribute C41: Complexity of information communicated (1: simple). This selection would result in Pc increasing to 7.2x10-3 and the overall HEP increasing to 1x10-2.

4.4.6 Operators Fail to Depressurize RPV during ELAP

HFE Name

FLX-XHE-XM-DEP

HFE Definition

Operators fail to depressurize the reactor to below the shutoff head (150 psig) of the FLEX RPV pump. For the purposes of this evaluation, it is assumed that operators have already performed the cooldown/depressurization to 200-300 psig, which is the prescribed reactor pressure band when operating RCIC during ELAP. This entire HFE is considered as a single critical task within the IDHEAS-ECA framework.

SPAR Model Application

FLX-XHE-XM-DEP is a basic event in the FLEX-DEP fault tree, which is queried in the SBO-ELAP event tree. This fault tree is queried if operators successfully declare ELAP, perform deep DC load shed, and successfully transport and start the FLEX DG to maintain safety-related DC power and restart charging the safety-related batteries.

Scenario Description/Event Context

RCIC and/or HPCI must successfully maintain adequate reactor water level for at least 4-5 hours to provide time for operators to shed DC loads and transport, connect, and start the FLEX DG to maintain DC power. In addition, this initial operation time allows time for the FLEX RPV pump to be transported and connected. Note that operators are not expected to switch to the FLEX RPV pump unless RCIC and/or HPCI can no longer provide adequate core cooling (e.g., later pump failure to run or failure to control reactor water level resulting in flooding the pump turbine). If the need to switch to the FLEX RPV pump arises, operators must first depressurize the reactor to below its shutoff head (150 psig).

Boundary Conditions

The start of this HFE is when RCIC and/or HPCI can no longer provide adequate core cooling. The end of this HFE is the failure to depressurize the reactor below the shutoff head of the FLEX RPV pump in time to restore reactor inventory makeup to prevent core damage.

Success Criteria

Operators successfully depressurize the reactor below the shutoff head of the FLEX RPV pump in time to restore reactor inventory makeup to prevent core damage.

Key Cue(s)

- Annunciators associated with failures of RCIC and HPCI (e.g., pump isolation trip, turbine trip, pump discharge low flow, etc.)

- Reactor water level and associated annunciators

Procedural Guidance

- ELAP Procedure

CFM Selection

Detection - This task requires operators to detect failures of RCIC and/or HPCI and lowering reactor water level.

Understanding - This task requires operators to understand that the RCIC and/or HPCI can no longer maintain adequate core cooling and, therefore, reactor pressure needs to be lowered to below the shutoff head of the FLEX RPV pump to restore core cooling and prevent core damage.

Decisionmaking - Decisionmaking is not required for this task because with correct understanding of the event, procedures require operators to depressurize the reactor below the shutoff head of the FLEX RPV pump if the pump is to be placed in service. Therefore, this CFM is not applicable for either task associated with this HFE.

Action Execution - This task requires the operators to manually depressurize the reactor to below the shutoff head of the FLEX RPV pump. This action is accomplished by simple switch manipulations from the MCR.

Interteam Coordination - Interteam coordination is not required for either task because multiple teams would not be involved. Therefore, this CFM is not applicable for either task associated with this HFE.

Evaluation of PIFs for Applicable CFMs

CFM1 - Failure of Detection (Base Probability = 1x10-4)

- Scenario Familiarity - No impact because operators are routinely trained on identifying RCIC and/or HPCI failures and monitoring reactor water level. In addition, this critical task is covered by plant procedures.

- Task Complexity - No impact because there will be no competing signals when FLEX pump could be used to provide reactor inventory makeup (i.e., at least 4-5 hours into the event). Note that multiple alarms associated with the same function (e.g., RCIC) are considered to be one signal.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM2 - Failure of Understanding (Base Probability = 1x10-3)

- Scenario Familiarity - No impact because operators are trained that the switch to the FLEX RPV pump will be required if RCIC and/or HPCI are no longer able to provide adequate core cooling during an ELAP. In addition, this critical task is covered by plant procedures.

- Information Completeness and Reliability - No impact because the annunciators associated with RCIC and/or HPCI and reactor water level are sufficient to diagnose the need to switch to the FLEX RPV pump, which requires reactor depressurization below the pump's shutoff head.

- Task Complexity - No impact because the requirement to maintain adequate core cooling during ELAP is specifically covered by plant procedures.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM4 - Failure of Action Execution (Base Probability = 1x10-4)

- Scenario Familiarity - No impact because the execution steps are routinely trained. In addition, this critical task is covered by plant procedures.

- Task Complexity - No impact because the execution steps are straightforward (i.e., MCR switch manipulations) and proceduralized.

- The other PIFs were determined to have a negligible impact on the base case HFE.

Using these assumptions, cognitive failure probability (Pc) is calculated as 1.2x10-3 by summing the probabilities of CFM1 (1x10-4), CFM2 (1x10-3), and CFM4 (1x10-4) probabilistically.

Timing Evaluation

Operators will not switch core cooling to the FLEX RPV pump unless issues with continual running of RCIC and/or HPCI develop. The time available for operators to initiate core cooling from FLEX RPV pump will depend on when the switch from RCIC and/or HPCI is made. The most limiting time would be earlier in the event when decay heat levels are higher. However, the FLEX RPV pump must be transported and connected first. The earliest the FLEX RPV pump will be available to provide core cooling is approximately 5 hours after the LOOP initiating event occurred and subsequent SBO began. Note that if RCIC and/or HPCI fail prior to this time, there could be insufficient time to transport and connect the FLEX RPV pump prior to core damage. It is expected that at least 1 hour would be available to operators after RCIC and/or HPCI is lost 5 hours or more into the event assuming operators were maintaining reactor water level as directed by ELAP procedures. Therefore, the Tavail for MCR operators to depressurize the reactor to below the shutoff head of the FLEX RPV pump is 1 hour. It is estimated this action will take less than 5 minutes to depressurize the reactor from maximum pressure of 300 psig to less than 150 psig (i.e., the shutoff head of FLEX RPV pump). Note that the potential time dependency (i.e., when both actions have the same time window) between the reactor depressurization and starting the FLEX RPV pump is not treated explicitly in this evaluation. There is potential that a delay in completing the first action (reactor depressurization) will result in insufficient time to perform the second action (starting the FLEX RPV pump). However, this potential time dependency is minimized because different personnel are performing each action.

The selection of the Treqd of 5 minutes was assumed to be the median (i.e., 50th percentile) of the lognormal distribution. Tavail is treated as a single value with no distribution assigned for the base case. For the evaluation of this base case HFE, Pt was calculated using an EF of 2 for the lognormal distribution of Treqd, which is considered to be appropriate for actions performed from the MCR based on a preliminary analysis of timing data of MCR operators' response to emergency events in nuclear power plant simulators, including NUREG/IA-0216, NUREG-2156, EPRI NP-6937-L, and simulator data from other sources. This selection results in a Pt of 1.9x10-9. Sensitivity analyses show (assuming Treqd of 5 minutes) that Pt remains a negligible contributor to the overall HEP for Tavail values of 20 minutes or more. At the time of completing this analysis, the guidance on specifying the uncertainty bounds for time estimates in IDHEAS-ECA had not been finalized.
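The Pc, Pt, and HEP arithmetic used in these evaluations can be reproduced with a short script. The following Python is an added example, not part of the RIL or of the IDHEAS-ECA software; the function names are illustrative, and it assumes the EF is the ratio of the 95th percentile to the median of the lognormal Treqd distribution (consistent with the statement that 40 minutes bounds 95 percent of crews for a 20-minute Treqd).

```python
import math
from statistics import NormalDist

# Assumption: EF = (95th percentile of Treqd) / (median of Treqd).
Z95 = NormalDist().inv_cdf(0.95)  # about 1.645


def combine(probabilities):
    """Probabilistic sum of independent failure modes: 1 - prod(1 - p_i)."""
    survive = 1.0
    for p in probabilities:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
        survive *= 1.0 - p
    return 1.0 - survive


def time_failure_probability(t_avail, t_reqd_median, error_factor):
    """Pt = P(Treqd > Tavail) for lognormal Treqd and a single-valued Tavail.

    Both times must be in the same unit (minutes here).
    """
    if t_avail <= 0 or t_reqd_median <= 0:
        raise ValueError("times must be positive")
    if error_factor <= 1:
        raise ValueError("error factor must be greater than 1")
    sigma = math.log(error_factor) / Z95
    z = math.log(t_avail / t_reqd_median) / sigma
    # erfc keeps precision in the far tail, where 1 - cdf(z) loses digits.
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def hep(pc, pt=None):
    """HEP = 1 - (1 - Pc)(1 - Pt); pt=None when the timing model does not apply."""
    return pc if pt is None else combine([pc, pt])


def sig(x, digits=1):
    """Round to the number of significant figures used in the report."""
    return float(f"{x:.{digits - 1}e}")


def tavail_sweep(t_reqd_median, error_factor, t_avail_values):
    """Sensitivity of Pt to Tavail, returned as (Tavail, Pt) pairs."""
    return [(t, time_failure_probability(t, t_reqd_median, error_factor))
            for t in t_avail_values]


def evaluate_page_cases():
    """Recompute the three HFEs using the inputs quoted on this page."""
    # FLX-XHE-XM-DEP: CFM1, CFM2, CFM4 at base values; Tavail 60 min, Treqd 5 min.
    dep_pc = combine([1e-4, 1e-3, 1e-4])
    dep_pt = time_failure_probability(60, 5, 2)

    # FLEX RPV pump HFE, Critical Task 4: CFM4 raised to 1x10-3 (C31), then x1.5 (TE2).
    task4_pc = combine([1e-4, 1e-3, 1e-3 * 1.5])
    # Task 1 and 2 values are taken from the Pc formula as printed in the report.
    pump_pc = combine([1.65e-3, 1.5e-3, 2.1e-2, task4_pc])
    pump_pt = time_failure_probability(55, 20, 2)

    # RCI-XHE-XM-OPERATE: CFM4 raised to 2x10-2 (C35); timing model not applicable.
    rcic_pc = combine([1e-4, 1e-3, 2e-2])

    return {
        "FLX-XHE-XM-DEP": {"Pc": dep_pc, "Pt": dep_pt, "HEP": hep(dep_pc, dep_pt)},
        "FLEX RPV pump": {"Pc": pump_pc, "Pt": pump_pt, "HEP": hep(pump_pc, pump_pt),
                          "Task4 Pc": task4_pc},
        "RCI-XHE-XM-OPERATE": {"Pc": rcic_pc, "Pt": None, "HEP": hep(rcic_pc)},
    }


if __name__ == "__main__":
    for name, r in evaluate_page_cases().items():
        pt = "N/A" if r["Pt"] is None else f"{r['Pt']:.1e}"
        print(f"{name}: Pc={r['Pc']:.1e} Pt={pt} HEP={sig(r['HEP']):.0e}")
    for t, pt in tavail_sweep(5, 2, [10, 20, 30, 60]):
        print(f"Tavail={t:>3} min  Pt={pt:.1e}")
```

Because Pt depends only on the ratio Tavail/Treqd and the EF, the sweep shows directly how a shorter time window or a larger EF changes the timing contribution.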

Error Recovery

Error recovery credit is not provided for this task.

Calculated HEP

HEP = 1 - (1 - Pc) (1 - Pt) = 1 - (1 - 1.2x10-3) (1 - 1.9x10-9) = 1x10-3

Plant Variabilities

It is not expected that PIF selections for the base case scenario will change significantly between different plants. Therefore, Pc is likely to remain the same. In addition, it is not expected that other BWRs would have significantly lower Tavail estimates, and they would have similar Treqd values. Therefore, the Pt and overall HEP are expected to be similar or the same between different BWRs.

Hazard Variabilities

For most initiating events, significant variabilities are not expected. However, for some significant hazards, such as a BDB seismic event, additional PIFs and their associated attributes may warrant selection. For example, MF8: Emotional stress (e.g., anxiety, frustration), should be selected if the analyst believes that operator performance could be negatively affected due to stresses caused by the event (e.g., concerns over their health, family's health and wellbeing, and future employment); this would result in a multiplier of 1.2.

Key Uncertainties

The following key uncertainties were identified:

- There are no thermal-hydraulic calculations available that provide the Tavail for the reference plant. Sensitivity calculations show that Pt will remain a negligible contributor to the overall HEP if Tavail is greater than 20 minutes.

- The selection of the appropriate EF for the timing estimates can have a significant effect on the Pt and the overall HEP for certain scenario variabilities. In general, the HRA empirical studies referenced in the timing evaluations involved specific scenarios involving procedurally-driven, MCR operator actions; however, these studies did not fully investigate the full range of scenario variabilities associated with the analyzed HFE and, therefore, the selection of the EF of 2 for Treqd is an uncertainty associated with this evaluation. The guidance for the selection of the EFs associated with timing estimates is still under development.

4.4.7 Operators Fail to Start/Control RCIC Injection

HFE Name

RCI-XHE-XM-OPERATE

HFE Definition

Operators fail to control reactor water level using RCIC after the high reactor water level trip interlock is disabled. This interlock (along with several other RCIC interlocks) is disabled to prevent a spurious trip signal that would result in a loss of core cooling.

SPAR Model Application

RCI-XHE-XM-OPERATE is a basic event in the FLEX-TDP fault tree, which is queried in the SBO-ELAP event tree. This fault tree is queried if operators successfully declare ELAP, perform deep DC load shed, and successfully transport and start the FLEX DG to maintain safety-related DC power and restart charging the safety-related batteries.

Scenario Description/Event Context

After an ELAP is declared, plant procedures direct operators to disable several interlocks associated with RCIC, including the high reactor water level trip. If this interlock is disabled, operators must control reactor water level to prevent overfilling of the reactor that could lead to RCIC failure.

Boundary Conditions

The start of this HFE is when the operators disable the RCIC high reactor water level trip interlock. The end of this HFE is the failure of operators to maintain reactor water level, resulting in overfill water entering the RCIC pump turbine and subsequent failure.

Success Criteria

Operators successfully maintain reactor water level using RCIC for the complete PRA mission time.

Key Cue(s)

- Reactor Water Level

Procedural Guidance

- ELAP Procedure

CFM Selection

Detection - This task requires the operators to continuously monitor reactor water level.

Understanding - This task requires operators to understand that with RCIC high reactor water level interlocks disabled, they must maintain reactor water level to ensure adequate core cooling while preventing overfilling of the reactor vessel which would result in the subsequent failure of RCIC.

Decisionmaking - Decisionmaking is not required for this task because with correct understanding of the event, procedures require operators to maintain reactor water level. In addition, given the operators disabled the RCIC high reactor water level trip interlock, they know that overfilling the reactor would result in RCIC failure. Therefore, this CFM is not applicable for this task.

Action Execution - This task requires the operators to manually maintain reactor water level using RCIC. This action is accomplished by simple switch manipulations from the MCR.

Interteam Coordination - Interteam coordination is not required for this task because multiple teams would not be involved. Therefore, this CFM is not applicable for this task.

Evaluation of PIFs for Applicable CFMs

CFM1 - Failure of Detection (Base Probability = 1x10-4)

- Scenario Familiarity - No impact because operators are routinely trained on reactor water level control during SBO scenarios. In addition, this critical task is covered by plant procedures.

- Task Complexity - No impact because the RCIC interlocks will be tripped sufficiently after the initiating event and other equipment failures (e.g., EDGs) such that there is not expected to be competing signals when operators need to control reactor water level (i.e., the MCR operators' focus at this point in the ELAP scenario will be on controlling reactor water level to maintain decay heat removal).

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM2 - Failure of Understanding (Base Probability = 1x10-3)

- Scenario Familiarity - No impact because operators are trained to control reactor water level. In addition, this critical task is covered by plant procedures.

- Information Completeness and Reliability - No impact because reactor water level indication is sufficient for controlling RCIC injection.

- Task Complexity - No impact because the need to maintain reactor water level is specifically covered by plant procedures.

- The other PIFs were determined to have a negligible impact on the base case HFE.

CFM4 - Failure of Action Execution (Base Probability = 1x10-4)

- Scenario Familiarity - No impact because controlling reactor water level is routinely trained. In addition, this critical task is covered by plant procedures.

- Task Complexity - C35: Long-lasting action, repeated discontinuous control; operators will have to maintain adequate reactor water level by controlling RCIC flow rate to ensure the reactor does not overfill resulting in the failure of RCIC. Operators must monitor reactor water level and control RCIC flowrate for the PRA mission time of 24 hours. Selection of this PIF attribute increases the base probability of this CFM to 2x10-2.

- The other PIFs were determined to have a negligible impact on the base case HFE.

Using these assumptions, cognitive failure probability (Pc) is calculated as 2.1x10-2 by summing the probabilities of CFM1 (1x10-4), CFM2 (1x10-3), and CFM4 (2x10-2) probabilistically.

Timing Evaluation

The IDHEAS-ECA timing model is not applicable for continuous control actions and, therefore, timing was not explicitly considered.

Error Recovery

Error recovery credit is not provided for this task.

Calculated HEP

HEP = 1 - (1 - Pc) (1 - Pt) = 1 - (1 - 2.1x10-2) (1 - N/A) = 2x10-2

Plant Variabilities

No significant plant variabilities are expected for this task.

Hazard Variabilities

For most initiating events, significant variabilities are not expected. However, for some significant hazards, such as a BDB seismic event, additional PIFs and their associated attributes may warrant selection. For example, MF8: Emotional stress (e.g., anxiety, frustration), should be selected if the analyst believes that operator performance could be negatively affected due to stresses caused by the event (e.g., concerns over their health, family's health and wellbeing, and future employment); this would result in a multiplier of 1.2.

Key Uncertainties

The following key uncertainties were identified:

- Timing considerations were not included as part of this evaluation because the IDHEAS-ECA timing model is not applicable to continuous control actions. It is recognized that timing aspects could have an effect on these types of actions. However, it is believed the Pc is the dominant contributor for this action.

5. BENCHMARKING ACTIVITIES

5.1 Base SPAR Model Benchmarking

The existing HEPs in the NRC SPAR models are industry average values based on the cutset level reviews performed by INL. This approach is similar to the use of industry-averaged data for reliability and availability component parameters used in SPAR models. NRC risk analysts determine whether HFE(s) need to be reevaluated for specific ECA applications. However, these reevaluations can be difficult because there are no base HRA evaluations in the SPAR models and there is often limited access to plant-specific data and documentation needed to perform a detailed HRA evaluation. In addition, the SPAR models often use a single HFE with a single HEP to address the multiple HFE contexts of different accident sequences. These modeling simplifications could result in under- or overestimating the risk of specific ECA scenarios. One observation is that the plant-to-plant differences in the Tavail and Treqd dominate the HEP sensitivity for time-sensitive HFEs. The evaluations provided in this report use a single pair of Tavail and Treqd to calculate the Pt, which may not be representative for all plants.

The SPAR model CDFs were recalculated with the reevaluated HFEs provided in Section 3.3. Note that these calculations were only performed for at-power, internal events. A comparison of the base SPAR model and reevaluated HFEs is summarized in Table 5-1, below:

Table 5-1. Comparison of Base SPAR Model and IDHEAS-ECA Reevaluated HFEs

| HFE | SPAR HEP | Base Case IDHEAS-ECA HEP | Ratio [3] | Notes |
|---|---|---|---|---|
| HPI-XHE-XM-FAB (PWR) | 2x10-2 | 5x10-3 | 0.25 | A larger HEP of 0.14 was calculated for scenarios where MFW or condensate is potentially recoverable. In addition, some plants may have a reduced time window, which would result in higher Pt and, therefore, higher overall HEP (as compared to the base case). These additional sensitivities were not considered during this benchmarking exercise. |
| LPI-XHE-XM-RECIRC (PWR) | 2x10-2 | 0.1 | 5 | The base case HEP is not expected to change for scenarios other than medium and large LOCAs. The IDHEAS-ECA HEP for low-pressure recirculation is higher due to relatively short time window and, therefore, it is dominated by the Pt. |
| HPI-XHE-XM-RECIRC (PWR) | 4x10-3 | 5x10-3 | 1.25 | The SPAR and IDHEAS-ECA HEPs for high-pressure recirculation are very similar. |
| RCS-XHE-XM-RCPTRIP (PWR) | 1x10-3 | 1x10-3 | 1 | The SPAR and IDHEAS-ECA HEPs for tripping the RCPs are the same. However, the IDHEAS-ECA base case HFE is for loss of service water scenarios that occur prior to the reactor trip. For scenarios where seal injection and cooling are lost after the reactor trip, the time window will be reduced resulting in a more significant influence of Pt and, therefore, a higher overall HEP (5x10-3). |
| ADS-XHE-XM-MDEPR (BWR) | 5x10-4 | 4x10-3 | 8 | Bounding case of medium LOCA will likely result in larger HEPs due to reduced time window resulting in dominant Pt contribution to the overall HEP (e.g., 9x10-2). The SPAR HEP is lower than can be calculated using IDHEAS-ECA without error recovery credit. |
| CVS-XHE-XM-VENT (BWR) | 1x10-3 | 5x10-3 | 5 | This HEP is not expected to increase significantly for other scenarios due to large Tavail estimates even for bounding scenarios such as a large LOCA. Pc contributions could increase the HEPs for plants with a lot of execution steps outside the MCR. |
| RHR-XHE-XM-SPC (BWR) | 5x10-4 | 4x10-3 | 8 | Bounding case of ATWS will likely result in larger HEPs due to reduced time window resulting in dominant Pt contribution to the overall HEP (e.g., 3x10-2). The SPAR HEP is lower than can be calculated using IDHEAS-ECA without error recovery credit. |

[3] This ratio is calculated by dividing the Base Case IDHEAS-ECA HEP by the current SPAR HEP.

The results of these recalculations are provided in Tables 5-2 and 5-3, below:

Table 5-2. PWR SPAR Model Benchmarking Results

| PWR Plant | CDFBase | CDFIDHEAS | ΔCDF | Ratio⁴ | Notes |
|---|---|---|---|---|---|
| 1 | 2.1E-05 | 5.1E-05 | 3.0E-05 | 2.4 | Westinghouse plant; significant increase is due to most probable medium LOCA scenario querying low-pressure recirculation. |
| 2 | 2.2E-05 | 5.2E-05 | 3.0E-05 | 2.4 | Westinghouse plant; significant increase is due to most probable medium LOCA scenario querying low-pressure recirculation. |
| 3 | 7.8E-06 | 1.8E-05 | 1.0E-05 | 2.3 | Westinghouse plant; significant increase is due to most probable medium LOCA scenario querying low-pressure recirculation. |
| 4 | 1.3E-05 | 2.3E-05 | 1.1E-05 | 1.9 | Significant increase is due to most probable medium LOCA scenario querying low-pressure recirculation. |
| 5 | 2.4E-05 | 3.5E-05 | 1.1E-05 | 1.5 | Westinghouse plant; significant increase is due to most probable medium LOCA scenario querying low-pressure recirculation. |
| 6 | 1.1E-06 | 1.5E-06 | 4.0E-07 | 1.3 | Westinghouse plant; large LOCA risk increases significantly; however, the overall CDF impact is limited. Most probable medium LOCA scenario does not include low-pressure recirculation and, therefore, no associated CDF impact is present. |
| 7 | 3.5E-06 | 4.2E-06 | 6.3E-07 | 1.2 | Westinghouse plant; large LOCA risk increases significantly; however, the overall CDF impact is limited. Most probable medium LOCA scenario does not include low-pressure recirculation and, therefore, no associated CDF impact is present. |
| 8 | 3.7E-06 | 4.3E-06 | 6.3E-07 | 1.2 | Westinghouse plant; large LOCA risk increases significantly; however, the overall CDF impact is limited. Most probable medium LOCA scenario does not include low-pressure recirculation and, therefore, no associated CDF impact is present. |
| 9 | 1.7E-05 | 2.0E-05 | 2.5E-06 | 1.1 | B&W plant; large LOCA risk increases significantly; however, the overall CDF impact is limited. Most probable medium LOCA scenario does not include low-pressure recirculation and, therefore, no associated CDF impact is present. |
| 10 | 3.5E-06 | 3.9E-06 | 4.7E-07 | 1.1 | Westinghouse plant; large LOCA risk increases significantly; however, the overall CDF impact is limited. Most probable medium LOCA scenario does not include low-pressure recirculation and, therefore, no associated CDF impact is present. |
| 11 | 8.6E-06 | 9.6E-06 | 9.7E-07 | 1.1 | Westinghouse plant; large LOCA risk increases significantly; however, the overall CDF impact is limited. Most probable medium LOCA scenario does not include low-pressure recirculation and, therefore, no associated CDF impact is present. |
| 12 | 5.9E-06 | 6.4E-06 | 4.5E-07 | 1.1 | Westinghouse plant; large LOCA risk increases significantly; however, the overall CDF impact is limited. Most probable medium LOCA scenario does not include low-pressure recirculation and, therefore, no associated CDF impact is present. |
| 13 | 4.3E-06 | 4.6E-06 | 3.0E-07 | 1.1 | Westinghouse plant; large LOCA risk increases significantly; however, the overall CDF impact is limited. Most probable medium LOCA scenario does not include low-pressure recirculation and, therefore, no associated CDF impact is present. |
| 14 | 7.8E-06 | 8.3E-06 | 4.7E-07 | 1.1 | B&W plant; large LOCA risk increases significantly; however, the overall CDF impact is limited. Most probable medium LOCA scenario does not include low-pressure recirculation and, therefore, no associated CDF impact is present. |
| 15 | 4.5E-06 | 4.7E-06 | 2.4E-07 | 1.1 | Westinghouse plant; large LOCA risk increases significantly; however, the overall CDF impact is limited. Most probable medium LOCA scenario does not include low-pressure recirculation and, therefore, no associated CDF impact is present. |
| 16 | 7.8E-06 | 8.1E-06 | 3.8E-07 | 1.0 | B&W plant; large LOCA risk increases significantly; however, the overall CDF impact is limited. Most probable medium LOCA scenario does not include low-pressure recirculation and, therefore, no associated CDF impact is present. |
| 17 | 1.1E-05 | 1.2E-05 | 5.0E-07 | 1.0 | CE plant that has auto-switchover for cold-leg recirculation, which significantly limits the overall CDF impact. |
| 18 | 1.4E-05 | 1.4E-05 | 5.1E-07 | 1.0 | Westinghouse plant; large LOCA risk increases significantly; however, the overall CDF impact is limited. Most probable medium LOCA scenario does not include low-pressure recirculation and, therefore, no associated CDF impact is present. |
| 19 | 5.3E-06 | 5.4E-06 | 1.6E-07 | 1.0 | Westinghouse plant that has auto-switchover for cold-leg recirculation, which significantly limits the overall CDF impact. |
| 20 | 4.1E-06 | 4.1E-06 | 7.5E-08 | 1.0 | Westinghouse plant that has auto-switchover for cold-leg recirculation, which significantly limits the overall CDF impact. |
| 21 | 1.1E-05 | 1.1E-05 | 1.2E-07 | 1.0 | Westinghouse plant that has auto-switchover for cold-leg recirculation, which significantly limits the overall CDF impact. |
| 22 | 1.1E-05 | 1.1E-05 | 0.0E+00 | 1.0 | CE plant that has auto-switchover for cold-leg recirculation, which significantly limits the overall CDF impact. |
| 23 | 2.1E-05 | 2.1E-05 | -1.9E-09 | 1.0 | Westinghouse plant that has auto-switchover for cold-leg recirculation, which significantly limits the overall CDF impact. |
| 24 | 7.2E-06 | 7.2E-06 | -3.0E-08 | 1.0 | CE plant that has auto-switchover for cold-leg recirculation, which significantly limits the overall CDF impact. |
| 25 | 7.6E-06 | 7.5E-06 | -4.2E-08 | 1.0 | Westinghouse plant that has auto-switchover for cold-leg recirculation, which significantly limits the overall CDF impact. |
| 26 | 1.1E-05 | 1.1E-05 | -7.9E-08 | 1.0 | CE plant that has auto-switchover for cold-leg recirculation, which significantly limits the overall CDF impact. |
| 27 | 2.1E-05 | 2.1E-05 | -1.8E-07 | 1.0 | Westinghouse plant; large LOCA risk increases significantly; however, the overall CDF impact is limited. Most probable medium LOCA scenario does not include low-pressure recirculation and, therefore, no associated CDF impact is present. |
| 28 | 1.3E-05 | 1.2E-05 | -1.1E-07 | 1.0 | CE plant that has auto-switchover for cold-leg recirculation, which significantly limits the overall CDF impact. |
| 29 | 1.0E-05 | 1.0E-05 | -9.8E-08 | 1.0 | CE plant that has auto-switchover for cold-leg recirculation, which significantly limits the overall CDF impact. |
| 30 | 8.5E-06 | 8.4E-06 | -1.0E-07 | 1.0 | CE plant that has auto-switchover for cold-leg recirculation, which significantly limits the overall CDF impact. |
| 31 | 2.0E-05 | 2.0E-05 | -2.5E-07 | 1.0 | Westinghouse plant that has auto-switchover for cold-leg recirculation, which significantly limits the overall CDF impact. |
| 32 | 4.9E-05 | 4.8E-05 | -8.0E-07 | 1.0 | Westinghouse plant; large LOCA risk increases significantly; however, the overall CDF impact is limited. Most probable medium LOCA scenario does not include low-pressure recirculation and, therefore, no associated CDF impact is present. |
| 33 | 1.1E-05 | 1.1E-05 | -2.8E-07 | 1.0 | CE plant that has auto-switchover for cold-leg recirculation, which significantly limits the overall CDF impact. |
| 34 | 2.0E-05 | 2.0E-05 | -5.2E-07 | 1.0 | Westinghouse plant; large LOCA risk increases significantly; however, the overall CDF impact is limited. Most probable medium LOCA scenario does not include low-pressure recirculation and, therefore, no associated CDF impact is present. |
| 35 | 1.8E-05 | 1.8E-05 | -5.0E-07 | 1.0 | Westinghouse plant; large LOCA risk increases significantly; however, the overall CDF impact is limited. Most probable medium LOCA scenario does not include low-pressure recirculation and, therefore, no associated CDF impact is present. |
| 36 | 5.3E-06 | 5.1E-06 | -1.8E-07 | 1.0 | The SPAR model for this Westinghouse plant assumes an auto-switchover for cold-leg recirculation, which significantly limits the overall CDF impact. However, operator action is required to isolate the RWST suction path to prevent air ingesting into the RHR pumps. INL has been notified of this modeling issue. |
| 37 | 2.3E-06 | 2.2E-06 | -9.2E-08 | 1.0 | Westinghouse plant that has auto-switchover for cold-leg recirculation, which significantly limits the overall CDF impact. |
| 38 | 3.5E-06 | 3.3E-06 | -2.0E-07 | 0.9 | Westinghouse plant that has auto-switchover for cold-leg recirculation, which significantly limits the overall CDF impact. |
| 39 | 1.6E-06 | 1.4E-06 | -1.6E-07 | 0.9 | Westinghouse plant that has auto-switchover for cold-leg recirculation, which significantly limits the overall CDF impact. |
| 40 | 9.8E-06 | 8.7E-06 | -1.2E-06 | 0.9 | Westinghouse plant that has auto-switchover for cold-leg recirculation, which significantly limits the overall CDF impact. |

⁴ This ratio is calculated by dividing the CDFIDHEAS value by the CDFBASE value.

The results of the benchmarking calculations performed for the three PWR HEPs show more modest changes to the internal events CDF when compared to the BWR benchmarking results.⁵ The most significant differences come from PWRs that require manual switchover for cold-leg recirculation (e.g., PWR 1, PWR 2, PWR 3, PWR 4, PWR 5). Specifically, the differences are dominated by the HFE LPI-XHE-XM-RECIRC (operators fail to initiate low-pressure recirculation) for medium LOCA and stuck-open relief valve scenarios. Although significant differences are also present for large LOCA scenarios, the HEP increase does not result in a corresponding significant increase to the internal events CDF. The IDHEAS-ECA calculated HEP for HPI-XHE-XM-FAB (operators fail to initiate feed and bleed cooling) had a much smaller relative impact. Note that the IDHEAS HEP for RCS-XHE-XM-RCPTRIP (operators fail to trip the RCPs) was the same value as the base SPAR case.

Table 5-3. BWR SPAR Model Benchmarking Results

| BWR Plant | CDFBase | CDFIDHEAS | ΔCDF | Ratio⁶ | Notes |
|---|---|---|---|---|---|
| 1 | 4.6E-06 | 3.1E-05 | 2.6E-05 | 6.7 | GE Type 3/4 plants' CDFs are sensitive to the HEP of ADS-XHE-XM-MDEPR (i.e., failures of RCIC and HPCI are dominant risk contributors). |
| 2 | 4.1E-06 | 2.7E-05 | 2.3E-05 | 6.5 | GE Type 3/4 plants' CDFs are sensitive to the HEP of ADS-XHE-XM-MDEPR (i.e., failures of RCIC and HPCI are dominant risk contributors). |
| 3 | 4.6E-06 | 2.8E-05 | 2.3E-05 | 6.0 | GE Type 3/4 plants' CDFs are sensitive to the HEP of ADS-XHE-XM-MDEPR (i.e., failures of RCIC and HPCI are dominant risk contributors). |
| 4 | 4.7E-06 | 2.5E-05 | 2.1E-05 | 5.4 | GE Type 3/4 plants' CDFs are sensitive to the HEP of ADS-XHE-XM-MDEPR (i.e., failures of RCIC and HPCI are dominant risk contributors). |
| 5 | 4.7E-06 | 2.5E-05 | 2.1E-05 | 5.4 | GE Type 3/4 plants' CDFs are sensitive to the HEP of ADS-XHE-XM-MDEPR (i.e., failures of RCIC and HPCI are dominant risk contributors). |
| 6 | 2.2E-06 | 1.1E-05 | 9.1E-06 | 5.2 | GE Type 3/4 plants' CDFs are sensitive to the HEP of ADS-XHE-XM-MDEPR (i.e., failures of RCIC and HPCI are dominant risk contributors). |
| 7 | 5.1E-06 | 2.6E-05 | 2.1E-05 | 5.1 | GE Type 3/4 plants' CDFs are sensitive to the HEP of ADS-XHE-XM-MDEPR (i.e., failures of RCIC and HPCI are dominant risk contributors). |
| 8 | 2.2E-06 | 1.1E-05 | 8.5E-06 | 4.8 | GE Type 3/4 plants' CDFs are sensitive to the HEP of ADS-XHE-XM-MDEPR (i.e., failures of RCIC and HPCI are dominant risk contributors). |
| 9 | 5.1E-06 | 2.4E-05 | 1.9E-05 | 4.7 | GE Type 3/4 plants' CDFs are sensitive to the HEP of ADS-XHE-XM-MDEPR (i.e., failures of RCIC and HPCI are dominant risk contributors). |
| 10 | 3.1E-06 | 1.3E-05 | 9.8E-06 | 4.1 | GE Type 3/4 plants' CDFs are sensitive to the HEP of ADS-XHE-XM-MDEPR (i.e., failures of RCIC and HPCI are dominant risk contributors). |
| 11 | 6.2E-06 | 2.5E-05 | 1.9E-05 | 4.0 | GE Type 3/4 plants' CDFs are sensitive to the HEP of ADS-XHE-XM-MDEPR (i.e., failures of RCIC and HPCI are dominant risk contributors). |
| 12 | 3.6E-06 | 1.4E-05 | 1.1E-05 | 4.0 | GE Type 3/4 plants' CDFs are sensitive to the HEP of ADS-XHE-XM-MDEPR (i.e., failures of RCIC and HPCI are dominant risk contributors). |
| 13 | 3.3E-06 | 1.2E-05 | 8.4E-06 | 3.5 | GE Type 3/4 plants' CDFs are sensitive to the HEP of ADS-XHE-XM-MDEPR (i.e., failures of RCIC and HPCI are dominant risk contributors). |
| 14 | 1.5E-05 | 5.2E-05 | 3.7E-05 | 3.5 | GE Type 3/4 plants' CDFs are sensitive to the HEP of ADS-XHE-XM-MDEPR (i.e., failures of RCIC and HPCI are dominant risk contributors). |
| 15 | 1.1E-05 | 3.7E-05 | 2.6E-05 | 3.5 | GE Type 3/4 plants' CDFs are sensitive to the HEP of ADS-XHE-XM-MDEPR (i.e., failures of RCIC and HPCI are dominant risk contributors). |
| 16 | 3.8E-06 | 1.3E-05 | 8.9E-06 | 3.4 | GE Type 3/4 plants' CDFs are sensitive to the HEP of ADS-XHE-XM-MDEPR (i.e., failures of RCIC and HPCI are dominant risk contributors). |
| 17 | 3.9E-06 | 1.3E-05 | 9.0E-06 | 3.3 | GE Type 3/4 plants' CDFs are sensitive to the HEP of ADS-XHE-XM-MDEPR (i.e., failures of RCIC and HPCI are dominant risk contributors). |
| 18 | 1.3E-05 | 3.4E-05 | 2.1E-05 | 2.6 | GE Type 3/4 plants' CDFs are sensitive to the HEP of ADS-XHE-XM-MDEPR (i.e., failures of RCIC and HPCI are dominant risk contributors). |
| 19 | 3.2E-06 | 7.9E-06 | 4.8E-06 | 2.5 | Plants with HPCS (GE Type 5/6) have reduced importance of ADS-XHE-XM-MDEPR. |
| 20 | 3.3E-06 | 7.8E-06 | 4.5E-06 | 2.4 | Plants with HPCS (GE Type 5/6) have reduced importance of ADS-XHE-XM-MDEPR. |
| 21 | 2.4E-06 | 5.7E-06 | 3.2E-06 | 2.3 | Plants with HPCS (GE Type 5/6) have reduced importance of ADS-XHE-XM-MDEPR. |
| 22 | 2.1E-06 | 3.5E-06 | 1.4E-06 | 1.6 | Plants with HPCS (GE Type 5/6) have reduced importance of ADS-XHE-XM-MDEPR. |
| 23 | 6.3E-06 | 1.0E-05 | 3.7E-06 | 1.6 | Plants with HPCS (GE Type 5/6) have reduced importance of ADS-XHE-XM-MDEPR. |
| 24 | 9.6E-06 | 1.4E-05 | 4.5E-06 | 1.5 | Plants with HPCS (GE Type 5/6) have reduced importance of ADS-XHE-XM-MDEPR. |
| 25 | 9.3E-06 | 1.2E-05 | 2.2E-06 | 1.2 | Plants with HPCS (GE Type 5/6) have reduced importance of ADS-XHE-XM-MDEPR. |
| 26 | 2.1E-05 | 2.4E-05 | 3.3E-06 | 1.2 | GE Type 3/4 plant; however, early CRD is credited, which greatly reduces the importance of ADS-XHE-XM-MDEPR. |
| 27 | 5.0E-06 | 5.2E-06 | 2.0E-07 | 1.0 | Isolation condenser (GE Type 2) greatly reduces the importance of ADS-XHE-XM-MDEPR. |

⁵ Note that the IDHEAS-ECA evaluation for HFE RCS-XHE-XM-RCPTRIP (operators fail to trip the RCPs) resulted in the same HEP as the SPAR model (1x10⁻³).

⁶ This ratio is calculated by dividing the CDFIDHEAS value by the CDFBASE value.

The results of the benchmarking calculations performed for the three BWR HEPs indicate the changes are dominated by the HFE ADS-XHE-XM-MDEPR (operators fail to initiate reactor depressurization). The impact of the higher HEP calculated using IDHEAS-ECA is dependent on the plant type, with GE Type 4 plants showing the greatest impact. The IDHEAS-ECA calculated HEPs for CVS-XHE-XM-VENT (operators fail to vent containment) and RHR-XHE-XM-SPC (operators fail to initiate SPC) had a much smaller relative impact.

In assessing the changes to HEP values and SPAR model CDF results associated with the use of IDHEAS-ECA derived HEP values, the analysis team had the following observations:

In all but one case, the IDHEAS-ECA derived HEP values were greater than the current SPAR model base values derived from geometric averaging of licensee PRA HEPs. The greatest increase was a factor of eight compared to the base SPAR HEP. In general terms, an order of magnitude increase in the HEP is usually considered significant. Therefore, while some HEP values had a large increase, these changes were not considered to be significant since all changes were less than a factor of 10.

The differences between the SPAR HEPs and the IDHEAS-ECA values do highlight an area of uncertainty associated with the HEP values. The analysis team noted that the data sources for the current SPAR HEP values have a large difference between the largest and smallest values (a factor of ~50). The wide range in licensee HEP values could be driven by a number of factors and uncertainties, including plant-specific differences, use of different HRA methods, changes in the assumed accident sequence context, or analyst-to-analyst variabilities.

In the cases where IDHEAS-ECA showed a large increase in the HEP value (e.g., a factor of 5-8), the changes for BWRs were generally driven by the selection of PIF attribute C1: Detection overload with multiple competing signals for the Detection CFM and the selection of the Understanding CFM. The difference for the PWR HFE was driven by the short time availability for aligning low-pressure recirculation during the bounding large LOCA scenario.

In Section 3, the analysis team identified several areas that can introduce variability or uncertainty in the IDHEAS-ECA results, including initiating event context, plant-specific design differences, and other sources of uncertainty including limited information on operator action time requirements and system time availability.

In some cases, increases in CDF associated with use of IDHEAS-ECA of up to a factor of 6-7 were noted, largely as a result of the initial selection of HFEs with a high risk significance for these evaluations. The highest changes in CDF were generally associated with changes in the BWR manual depressurization HFE, an action which generally has very high Fussell-Vesely and Birnbaum importance measures. The analysis team recognized that the magnitude of the change in CDF may have an adverse impact on SPAR modeling benchmarking activities conducted routinely by Idaho National Lab. These benchmark checks are an important tool to establish the technical credibility of the SPAR models and help to ensure that the SPAR model reflects the as-built, as-operated plant. Therefore, to avoid significant impacts to the benchmarking activities, particularly in light of continuing work to further refine and develop IDHEAS guidance, the analysis team does not recommend updating base SPAR HEPs using IDHEAS-ECA at this time.

Although the SPAR model benchmarking exercise with IDHEAS-ECA showed that the SPAR models, and HEP values, have a high degree of uncertainty, it is important to note that during actual event and condition assessments, several programmatic actions are taken to ensure the technical basis for SPAR model results. These activities include, but are not limited to, formal reviews performed under IMC 0609, "Significance Determination Process (SDP)" (ML20267A146) (e.g., review by the Significance and Enforcement Review Panel, applicable only to SDP evaluations), opportunity for licensee engagement, peer reviews, and management reviews. In addition, when the NRC performs an ECA, additional information about plant procedures, design, training, and other factors often becomes available. These factors allow the agency to reach a well-supported technical determination despite uncertainties present in the base SPAR model.

5.2 Event Assessment Benchmarking

Two examples that were based on past NRC event and condition assessments were performed to evaluate how different base SPAR model HEPs could affect these types of calculations. These examples were chosen because they include IDHEAS-ECA evaluated HFEs that are dominant contributors to either the change in core damage probability (CDP) or the conditional core damage probability (CCDP).

5.2.1 Failure of RCIC System for an Exposure Time of 3 Months

A condition assessment of a RCIC system failure will result in dominant cutsets that include the HFE of the operators failing to initiate reactor depressurization (ADS-XHE-XM-MDEPR). An exposure time of 3 months was chosen to reflect the applicable quarterly surveillance testing schedule. This evaluation was performed for BWR 1 because it had the highest CDF increase in the base SPAR model benchmarking. Version 8.82 of the BWR 1 SPAR model was used.

The SAPHIRE calculations were performed for internal events only to allow for easier comparisons with the base SPAR model benchmarking.

A RCIC pump failure to run for a 3-month exposure time using the existing SPAR model HEP of 5x10⁻⁴ for ADS-XHE-XM-MDEPR results in an increase in core damage probability (CDP) of 2.7x10⁻⁶. The CDP increases by approximately a factor of 8 (2.2x10⁻⁵) when the IDHEAS-ECA calculated HEP of 4x10⁻³ is used.

5.2.2 Reactor Transient with a Failure of the AFW Pump to Start

An initiating event assessment assuming a reactor trip with a concurrent failure of the motor-driven AFW pump will result in dominant cutsets that include the HFE of the operators failing to initiate feed and bleed cooling (HPI-XHE-XM-FAB). This evaluation was performed for PWR 35 because of the known importance of feed and bleed cooling, which results from each unit having only two AFW pumps. Version 8.82 of the PWR 35 SPAR model was used.

A reactor trip with a concurrent failure of the motor-driven AFW pump to start using the existing SPAR model HEP of 2x10⁻² for HPI-XHE-XM-FAB results in a CCDP of 3.5x10⁻⁵. The CCDP decreases by approximately a factor of 0.9 (3.3x10⁻⁵) when the IDHEAS-ECA calculated HEP of 5x10⁻³ is used.

5.2.3 Insights from ECA Benchmarking

The application of IDHEAS-ECA derived HEPs into typical examples of ECAs demonstrates that the change in HEP associated with use of IDHEAS-ECA can have a significant impact on the calculated risk metric results. This is not an unexpected result since the set of the HFEs selected for this pilot quantification effort were based on risk significance. However, this result should not be interpreted to imply that past NRC ECAs resulted in incorrect or inaccurate risk estimates. ECAs performed within the SDP (as implemented under IMC 0609) and the Accident Sequence Precursor Program undergo numerous process controls, peer reviews, and quality checks that assure ECA results reflect best available information and the as-built, as-operated reactor plant.

6. SUMMARY AND CONCLUSIONS

The completion of the IDHEAS-ECA evaluation of the SPAR model HFEs documented in this report is a good start to building a knowledge base that analysts can leverage in future analyses. The exploration of potential technology and scenario differences will aid analysts in determining if the base case HEPs are appropriate for use in the risk assessment or if reevaluation of the HFE is needed. The documentation in these evaluations also can be used as a starting point for the analysis of different HFEs. It is important to note that these evaluations were performed with the existing guidance and state of knowledge. These evaluations will be living in that they may be modified in the future as guidance is further developed (see recommendation on developing detailed desktop guide in Section 7) and new insights or information become available.

The analysis team performing the IDHEAS-ECA evaluations as part of this effort experienced some challenges. For the most part, the issues were resolved through discussions with method developers and the analysis team members. The following issues were the most notable experienced by the analysis team:

The procedure for evaluating Pt is unclear. Specifically, current guidance does not discuss the EF selection of two or three for Treqd in the examples provided in this report. Enhanced guidance, including a discussion of the data that forms its basis, is needed, including the factors that may necessitate the use of alternative EFs for other HFEs.⁷ It is likely that additional work is required prior to developing this guidance. Additional guidance on how to treat the uncertainties associated with Tavail is also needed. The Tavail estimates in the HFE examples are treated as single values with no probabilistic distribution assigned. While in certain cases the use of a single value is appropriate, there are uncertainties associated with Tavail estimates in most cases. These uncertainties include modeling issues, scenario variabilities, and binning issues (e.g., determining a single Tavail for a spectrum of LOCA break sizes). The treatment of the potential uncertainties with Tavail estimates in the same manner as Treqd (i.e., assuming a lognormal distribution and assigning an EF) is likely inappropriate. Therefore, guidance should be developed to address uncertainties associated with Tavail estimates, such as those derived from thermal-hydraulic calculations.

⁷ NUREG-2256 suggested using 0.28 as the shaping parameter of the lognormal distribution, which is equivalent to an EF of 1.585. However, based on a review of recent empirical study results, this EF does not adequately reflect the actual timing variability measured for typical MCR actions.

Guidance on how/when IDHEAS-ECA treats the potential for operator hesitancy to perform action/execution (e.g., initiating feed and bleed cooling and declaration of ELAP) while attempting recovery activities needs to be developed. The operating experience is extremely limited in this area. However, even with a training focus over past decades to ensure operators do not delay implementation of procedure steps when the execution criteria are met, there is some belief that operators may still delay execution of key procedure steps if recovery (e.g., AFW or AC power) is viewed as a better option.

The guidance for the selection of certain PIF attributes is insufficient. Note that the PIF attributes determined as not applicable for the examples provided in this paper were not reviewed and, therefore, no determination on the sufficiency of the existing guidance for the selection of these attributes was made.

C1, Detection Overload with Multiple Competing Signals. There is currently no guidance on what constitutes a competing signal. In addition, the manner of counting the number of competing signals has a significant effect on how this PIF attribute is evaluated. If an analyst counts alarms/annunciators individually, the number of competing signals could result in the Detection (CFM1) Task Complexity PIF attribute having a dominant impact on the value of the Pc and the overall HEP. For example, a selection of at least 11 signals results in a Pc of at least 0.1. The approach for counting signals used in this report was to bin alarms and indications available to the operators into broad functional categories; this reflects an experienced operator's tendency to bin, or chunk, related information into a single item (e.g., all indicators associated with a reactor trip were counted as one signal). However, it is not clear if the supporting IDHEAS data is consistent with this view. Guidance on how much time between signals will result in them not competing is also needed.

MF2, Time Pressure Due to Perceived Time Urgency. During the evaluations of the examples provided in this paper, the selection of this PIF attribute was considered. In the process of the evaluation, revised guidance was developed by IDHEAS method developers. This guidance stipulates that the following three conditions are needed for this PIF attribute to be applicable:

- The HFE needs to be a time-critical action defined in the PRA model,
- There is a need or benefit for performing the critical task(s) faster than what the personnel are normally trained to do, and
- It is feasible for personnel to speed up performance of the critical task(s).

None of the examples provided in this paper met all three conditions for the PIF attribute to be selected. The preliminary guidance is under review and needs to be incorporated into the existing guidance documents when finalized.

MF8, Emotional Stress (e.g., anxiety, frustration). During the evaluations of the examples provided in this paper, the selection of this PIF attribute was considered. However, an initial evaluation of the supporting data yielded an unclear determination of when this PIF attribute should be selected. An explanation of the underlying data for all PIF attributes should be added to existing method documentation and guidance.

C25, Competing or conflicting goals. During the evaluation of the variabilities of two examples provided in this paper (operators fail to initiate feed and bleed cooling and declare ELAP), this PIF attribute was selected. A review of the underlying data for this PIF attribute shows that it is limited to a single expert elicitation source. An initial review performed by IDHEAS-ECA developers indicates that the base HEP of 0.14 for this PIF attribute may be overly conservative for most scenarios. Further review and additional guidance are needed on when this PIF attribute is selected and its effect.

In addition to building the knowledge base of properly documented IDHEAS-ECA evaluations, there is significant interest in how the base SPAR model HEPs compare to the values calculated in the IDHEAS-ECA evaluations. In addition, it would be valuable to understand if the use of a single HEP for the same HFE but in different event sequences is appropriate. Table 5-1 and Table 6-1 provide a comparison of the HEPs calculated using IDHEAS-ECA and the HEPs currently used in the SPAR models for the HFE examples evaluated:

Table 6-1. Comparison of Base SPAR Model and IDHEAS-ECA Reevaluated FLEX HFEs

| HFE | SPAR HEP | Base Case IDHEAS-ECA HEP | Ratio | Notes |
|---|---|---|---|---|
| FLX-XHE-XE-ELAP | 1x10⁻² | 3x10⁻³ | 0.3 | The IDHEAS-ECA HEP is almost an order of magnitude lower than the SPAR model placeholder value. The IDHEAS-ECA calculated HEP increases significantly (0.14) for the plants with procedures that direct operators to determine if AC power can be restored within the normal SBO coping time prior to declaring ELAP. |
| FLX-XHE-XM-DLSHED | 1x10⁻² | 2x10⁻³ | 0.2 | The IDHEAS-ECA HEP is almost an order of magnitude lower than the SPAR model placeholder value. |
| FLX-XHE-XM-480 | 1x10⁻² | 9x10⁻³ | 0.9 | The SPAR model placeholder value and IDHEAS-ECA HEP for this HFE are similar. |
| FLX-XHE-XM-CVS | 1x10⁻² | 5x10⁻³ | 0.5 | The SPAR model placeholder value and IDHEAS-ECA HEP for this HFE are similar. |
| FLX-XHE-XM-RPV | 1x10⁻² | 3x10⁻² | 3 | The SPAR model placeholder value and IDHEAS-ECA HEP for this HFE are similar. This HFE has continuous control action, which will result in minimum HEP in the 10⁻² range using IDHEAS-ECA. |
| FLX-XHE-XM-DEP | 1x10⁻² | 1x10⁻³ | 0.1 | The IDHEAS-ECA HEP is almost an order of magnitude lower than the SPAR model placeholder value. |
| RCI-XHE-XM-OPERATE | 1x10⁻² | 2x10⁻² | 2 | The SPAR model placeholder value and IDHEAS-ECA HEP for this HFE are similar. This HFE has continuous control action, which will result in a minimum HEP in the 10⁻² range using IDHEAS-ECA. |

The results show some differences between the SPAR model HEPs and those calculated using IDHEAS-ECA. Some of these quantitative differences increase or decrease when considering the HEPs calculated for the scenario and technological variabilities. These results show that the use of generic HEPs for SPAR models of a similar plant type can over- or underestimate the baseline risk for a specific plant and/or context. However, the determination of whether these HEPs would make a significant impact in NRC risk assessments is unclear.

For example, it is likely the existing SPAR model HEP for initiating low-pressure recirculation significantly underestimates the risk associated with the large LOCA scenarios for at least some PWRs. However, the applicable sequence/cutset (i.e., a large LOCA initiating event with failure of operators to initiate low-pressure recirculation) is unlikely to impact an NRC risk assessment because large LOCAs have a relatively small initiating event frequency. Whereas some HFEs (e.g., failure to initiate feed and bleed, failure to emergency depressurize, etc.) could affect NRC risk assessments, the impact could be limited (especially for conditional analyses). Additional work would be needed to fully explore the potential impacts.

These evaluations also highlighted areas where plant design or scenario variabilities may result in significant changes to the estimated HEP. For example, the HEP associated with initiation of feed and bleed can be significantly different depending on how the operators perceive the ability to recover main feedwater flow. These highlight potential areas for further modeling improvements in the SPAR models (e.g., to better align generic HFEs with their specific scenario context).

It is also important to note that the licensee plant information, especially the timing information, that was available to the analysis team for the evaluation of these HFE examples was very limited. Often the selection of the base case was a matter of convenience instead of true representation of the most likely scenario. Therefore, true upper and lower bounds for some of the HFE examples in this paper may be larger than the evaluations currently indicate.

The FLEX mitigation strategies are not currently credited in the base SPAR models. When FLEX has been credited in NRC ECAs, the results show that the credit is largely dominated by the reliability of the portable equipment. Therefore, it is not expected that potential changes to the FLEX HEPs will have a great impact. However, a change in the HEPs associated with functions that are not affected by equipment reliability (e.g., declaration of ELAP, perform deep DC load shed) could result in differences that affect risk-informed decisionmaking.

Also note that without credit for error recovery, IDHEAS-ECA calculations result in a practical minimum HEP of 1x10⁻³. The guidance for crediting error recovery is still under development and was not considered as part of this evaluation. Therefore, future consideration of error recovery could lower some of the HEPs in these examples, especially for HFEs with significant time windows (e.g., containment venting) that would allow for additional personnel beyond the MCR crew (e.g., technical support center staff) to be considered in the evaluation.

7. RECOMMENDATIONS AND NEXT STEPS

Overall, the analysis team recommends that NRC staff should consider use of IDHEAS-ECA for ECA activities when HFEs need to be adjusted or recalculated. However, to support increased usage of IDHEAS-ECA, the analysis team recommends that a detailed desktop guide be created to ensure the method can be applied in a consistent manner. This guide needs to provide explicit guidance on CFM selection, PIF evaluation, and evaluation of Pt. Without such guidance, significant analyst-to-analyst variability is likely to occur in IDHEAS-ECA evaluations.

The development of this desktop guide needs to include a review of the underlying data to ensure the guidance for evaluating and selecting the PIF attributes is appropriate.

In addition to developing the desktop guide, training workshops should be developed and provided for NRC analysts. These training workshops could also be held for external stakeholders. It is recommended that these workshops be held after the desktop guide is completed.

Given that the current HEPs for implementation of the FLEX mitigation strategies in SPAR models are placeholder values, the analysis team recommends that the IDHEAS-ECA calculated HEPs from the evaluations provided in this report be considered to replace the existing HEPs in the SPAR models. Although the impact of these revised FLEX HEPs will likely be limited since FLEX credit is largely dominated by hardware reliability, these HEPs have a stronger technical basis. In addition, the use of different HEPs for HFEs associated with functions that are unaffected by hardware reliability (e.g., ELAP declaration, deep DC load shed) could result in significant differences in some ECA results. Additional work will be needed to complete evaluations for some PWR-specific FLEX HFEs. However, this effort is not expected to be substantial as the existing evaluations can be heavily leveraged.

There have been discussions in the past about implementing a SPAR model upgrade effort to recalculate all SPAR model HEPs using IDHEAS-ECA. Based on the experience gained as a result of this pilot and benchmarking exercises, the team concluded that it is premature to embark on such a broad effort at this point. The information demands for IDHEAS-ECA quantification are very high and include detailed procedures, training programs, operator timing, and thermal hydraulic evaluations to establish system timing windows. Except for cases such as ongoing ECAs where the licensee appreciates the benefits of providing this information, this information is difficult to obtain. In addition, benchmarking results indicate that in some cases widespread implementation of IDHEAS-ECA calculated HEPs could significantly impact SPAR model benchmarking metrics that are used to confirm the fidelity of the SPAR models. Instead, the team recommends that IDHEAS-ECA be used when necessary to recalculate an HEP for the purposes of ECAs but does not recommend a broad effort to requantify SPAR HEPs using IDHEAS-ECA (with the exception of inclusion of the FLEX HEPs noted above).

In performing these evaluations, the following additional issues that were not method specific were identified and should be considered for future work:

There is minimal timing information available to NRC analysts to perform HRA evaluations. While plant information from the FLEX pilot study and some of the information that INL shared was valuable for the evaluations performed as part of this effort, the analysis team sometimes struggled to determine the appropriate timing information to be used. In some cases, the licensee information appeared to be incorrect. It would be very beneficial to expand T-H analysis calculations to include HRA considerations to build a knowledge base of operator timing information. Although the licensee may be able to provide timing information for NRC ECAs, having NRC calculations available would help to determine if such information is appropriate. In other cases, timing may be estimated without sufficient basis and, therefore, a knowledge base would help ensure that the HRA evaluation assumptions are correct.

This activity could be combined with further verification of SPAR success criteria as was done in previous reports such as NUREG-1953, NUREG-2187, "Confirmatory Thermal-Hydraulic Analysis to Support Specific Success Criteria in the Standardized Plant Analysis Risk Models - Byron Unit 1," (ML16021A423), and NUREG/CR-7177, "Compendium of Analyses to Investigate Select Level 1 Probabilistic Risk Assessment End-State Definition and Success Criteria Modeling Issues," (ML14148A126).

The generic HEPs for the HFEs in the SPAR models represent a snapshot in time from approximately 20 years ago. In addition, the geometric mean HEPs were calculated from values from less than half of the plants in many cases. Strong consideration should be given to updating the HEPs from more current licensee HRA information. In addition, the plant population of HEPs should be increased to the maximum possible. Further, the parameter uncertainty associated with this HFE data should be reflected in the base SPAR model HEPs to support uncertainty calculations.

The current SPAR model documentation that shows the HFEs being calculated using SPAR-H should be eliminated. This documentation results in significant confusion in how the HEPs were actually calculated and results in issues in the application of SPAR-H.

The use of the industry average HEPs aligns with our current process of calculating other parameters used in the SPAR models. SPAR model documentation should be updated to provide the details of this process.

In many cases, the SPAR models currently use a single HEP value to represent an HFE across multiple operational contexts. For example, a single HEP value for swap over from the RWST to the containment sump may be used for feed and bleed, high-pressure ECCS recirculation, or low-pressure ECCS recirculation. In several of the Section 3 pilot examples, the impact of differing accident sequence contexts was examined. Use of a single HEP value across multiple operational contexts may result in conservative or nonconservative results. Therefore, to increase the realism of the SPAR models, consideration should be given to a future SPAR model enhancement effort to adjust risk significant HEP values to reflect differing operational contexts when appropriate.