Text

NRC-RES/EPRI FIRE PRA METHODOLOGY Task 12 - Fire HRA Identification and Definition of Fire Human Failure Events NRC-RES Fire PRA Workshop Module IV August 5-9, 2019 Rockville, MD

Course Overview

1. Introduction to HRA

2. Overview of the EPRI/NRC Fire HRA Guidelines

3. Identification and definition of fire human failure events

4. Qualitative analysis

5. Fire HRA Application Experience

6. Quantitative analysis a) Screening b) Scoping c) Detailed EPRI approach & ATHEANA (detailed)

7. Recovery analysis

8. Dependency analysis

9. Uncertainty analysis Task 12: Fire HRA - Identification & Definition Slide 2 Fire PRA Workshop, 2019, Rockville, MD

Fire HRA Module Training Objectives 1:Be able to name the steps in the process for conducting a Fire HRA.

2:Be able to list the different categories of Fire HRA human failure events.

3:Demonstrate knowledge of ASME/ANS PRA Standard high level requirements (HLRs).

- For the HLRs associated with Identification and Definition 4:Be able to identify context and performance shaping factors used in the qualitative analysis of fire human failure events.

5:Be able to list the quantification methods available for HEPs.

6:Understand the concept and importance of addressing dependencies between fire HRA events.

Task 12: Fire HRA - Identification & Definition Slide 3 Fire PRA Workshop, 2019, Rockville, MD

Outline of the Identification/Definition Module What is Identification? Definition?

Applicable PRA Standard high level requirement Relationship to NUREG/CR 6850 tasks Categories of fire human failure events Steps for Identification Definition and fire context Feasibility - initial assessment Summary Task 12: Fire HRA - Identification & Definition Slide 4 Fire PRA Workshop, 2019, Rockville, MD

Introduction - What is Identification?

Human Reliability Analysis (HRA) starts with developing understanding of role(s) of operators in responding to an event Actions relevant to post-initiator (after a fire) response are identified via:

- Review of plant emergency and other operating procedures such as fire response procedures

- Review of PRA event trees, fault trees, and results (sequences and/or cutsets)

- Operator interviews Once relevant actions are understood, corresponding human failure events are identified for inclusion in the PRA models Task 12: Fire HRA - Identification & Definition Slide 5 Fire PRA Workshop, 2019, Rockville, MD

Introduction - Depiction of Identification Event Tree Seq. #

1 X.XXE-YY Accident Sequences 2 X.XXE-YY Initiating 3 X.XXE-YY Event 4 X.XXE-YY &/or Cutset 5 X.XXE-YY Equations 6 X.XXE-YY 7 X.XXE-YY Total = X.XXE-YY Human Fault Tree with Action Hardware Components &

HFE Operator Actions, (HEP = 0.05)

Comp 1 Reflecting 0.0015 System Success Criteria Task 12: Fire HRA - Identification & Definition Slide 6 Fire PRA Workshop, 2019, Rockville, MD

PRA Standard Requirements for Identification Relevant HLRs from Internal-Events Section (Ch. 2 of Standard)

HLR-HR-E A systematic review of the relevant procedures shall be used to identify the set of operator responses required for each of the accident sequences Relevant HLRs from Fire Section (Ch. 4 of Standard)

HLR-HRA-A (from the HRA element)

The fire PRA shall identify human actions relevant to the sequences in the Fire PRA plant response model HLR-ES-C (from the Equipment Selection element)

The fire PRA shall identify instrumentation whose failure including spurious operation would impact the reliability of operator actions associated with that portion of the plant design to be credited in the fire PRA.

Task 12: Fire HRA - Identification & Definition Slide 7 Fire PRA Workshop, 2019, Rockville, MD

Introduction - What is Definition?

After HFE Identification, Definition gives the initial basis for justifying inclusion of the action in the PRA model.

Consists of objective, qualitative data:

- Procedures

- Cues (the prompts to initiate actions)

Alarms, indications, and/or procedure steps

- Timing (time available and time required)

- Staffing (may require more than for internal event response)

Provides input to the subsequent qualitative analysis of the factors affecting human reliability Requires initial feasibility evaluation Task 12: Fire HRA - Identification & Definition Slide 8 Fire PRA Workshop, 2019, Rockville, MD

PRA Standard Requirements for Definition Relevant HLRs from Internal-Events Section (Ch. 2 of Standard)

HLR-HR-F Human failure events shall be defined that represent the impact of not properly performing the required responses, consistent with the structure and level of detail of the accident sequences.

Relevant HLRs from Fire Section (Ch. 4 of Standard)

HLR-HRA-B The fire PRA shall include events where appropriate in the fire PRA that represent the impacts of incorrect human response associated with the identified human actions.

Task 12: Fire HRA - Identification & Definition Slide 9 Fire PRA Workshop, 2019, Rockville, MD

Fire HRA Process Steps NUREG/CR-6850 Task Fire HRA Process Step Task 2 - Component Selection Identification of previously existing HFEs & potential response to spurious actuations/signals Task 5 - Fire-Induced Risk Model Identification & Definition of Fire Response Actions Task 12 - Fire HRA Qualitative Analysis: starts with context definition Task 7 - First/Screening Quant. Quantification -

typically screening Task 8 - Scoping Quantification Quantification -

typically scoping Tasks 11/14 - Detailed Scenario Quantification & Dependency Quantification could be screening, scoping or detailed HRA Task 15 - Uncertainty Uncertainty Task 12: Fire HRA - Identification & Definition Slide 10 Fire PRA Workshop, 2019, Rockville, MD

Categories of Fire Operator Actions

1. Existing operator actions from the internal events PRA

- From the Level1/LERF PRA model used to develop the FPRA

- To be modified for fire effects

2. Fire response actions

- New actions contained in the fire procedures

- New actions to address recovery of spurious actuation

- MCR abandonment is a subset of fire response actions

3. HFEs corresponding to undesired operator responses

- New actions to address undesired operator actions in response to spurious indications per fires (Ch. 4) in the ASME/ANS combined PRA standard

- Errors of Commission (EOCs) are specifically addressed in FPRA Task 12: Fire HRA - Identification & Definition Slide 11 Fire PRA Workshop, 2019, Rockville, MD

Identification of Fire PRA HFEs (General)

Review plant response and PRA model:

Review Event Tree Sequences with applicable procedure/s:

- Understand operator requirements to control plant response Functions or systems manually initiated, controlled, or isolated

- Typically a function of the initiating event Review System Fault Trees with applicable procedure/s:

- Understand what is required of operators in controlling system or component response Functions manually initiated or controlled Potential recovery (e.g., align standby or alternate)

- Can be independent of initiating event Review PRA Results sequences and cutsets Discussions with operators to confirm operator response Task 12: Fire HRA - Identification & Definition Slide 12 Fire PRA Workshop, 2019, Rockville, MD

Identification of Fire PRA HFEs (General continued)

Review ET sequences, system FT, and PRA results to:

1. Understand what the operators are doing

2. Identify cue(s), procedure steps, and time window

3. Identify procedural path leading to the step with cue

4. Document the PRA context from event or fault tree

- Initiating event

- Preceding operator actions in the sequence

- Hardware/system successes and failures Good Practice (collect if the data is available)

- Identify secondary cues or alternate success paths

- Examples: Critical Safety Function Status Trees (CSFST), alarms or indications.

Task 12: Fire HRA - Identification & Definition Slide 13 Fire PRA Workshop, 2019, Rockville, MD

Review of Plant Operations and PRA Data Best Practice for HRA analysts to confirm with plant operations personnel at the start of the HRA:

- Staffing during fire (number of operators and roles)

- Procedural usage for fire (EOPs, AOPs, and Fire Response)

- Main control room (MCR) staff interaction with fire brigade

- Expected MCR staff response after detection of fire

- Review of plant-specific fire history for insights Review of PRA Information:

- Additional information, beyond event and fault trees

- Success criteria: Determine time window (time available)

- Internal events HRA: to understand initial model basis Task 12: Fire HRA - Identification & Definition Slide 14 Fire PRA Workshop, 2019, Rockville, MD

Identification:

Operator Actions in Internal Events PRA Identify fire-induced initiating events included the FPRA

- Done in NUREG/CR-6850 (EPRI 1011989) Tasks 2 & 5

- Examples of actions carried into the FPRA General transients which may include spurious SI actuation Loss of support system(s), e.g., loss of instrument air or loss of electrical bus LOCA (e.g., due to spuriously opened relief valve)

Station blackout Identify operator actions modeled as delineating the plant response to the fire-induced initiators.

- In event trees, fault trees, and in cutset recovery Includes manual start of safe shutdown components

- Sometimes these are not pre-existing in the current PRA Task 12: Fire HRA - Identification & Definition Slide 15 Fire PRA Workshop, 2019, Rockville, MD

Fire HFEs from Internal Events PRA - Examples INCLUDE Open a steam dump or steam relief valve and conduct a post-LOCA cooldown Manual start of an emergency diesel generator Manual start of auxiliary feedwater following automatic actuation failure Manually align a back-up power supply EXCLUDE Actions associated with internal events initiated not included in FPRA, for example:

- Operators fails to diagnosis SGTR or RPV rupture Task 12: Fire HRA - Identification & Definition Slide 16 Fire PRA Workshop, 2019, Rockville, MD

Identification:

Fire Response Operator Actions Required in response to a fire, as directed by the fire procedure(s), such as

- Mitigate or prevent damage to equipment (e.g., pump dead-heading from fire-induced spurious valve closure)

- Mitigate the effects of spurious indications or actuations (e.g., shut off above pump)

- Abandon main control room and perform safe shutdown outside the main control room Identification process can be

- Iterative as required in fire PRA strategy Often not credited during initial quantification

- Comprehensive based on fire procedure/s Examples on next slide Task 12: Fire HRA - Identification & Definition Slide 17 Fire PRA Workshop, 2019, Rockville, MD

Fire Response Action Examples Identify protected instrumentation channels (to mitigate spurious indications)

Defeat solid state protection system (to prevent spurious safety injection)

Control auxiliary feedwater locally by throttling valves manually and starting / stopping pumps Place remote shutdown location back-up indication panels in service Obtain steam generator level locally De-energize all ADS valves Close HPCI steam supply valve locally Align 4 kV bus by locally operating breakers Task 12: Fire HRA - Identification & Definition Slide 18 Fire PRA Workshop, 2019, Rockville, MD

Identification:

MCR Abandonment Actions MCR abandonment actions are a sub-set of fire response Operators will abandon if control room becomes uninhabitable, or due to loss of required control Identification process can be

- Iterative as required in fire PRA (e.g. if additional spurious actuations are identified requiring mitigation)

- Comprehensive based on review of the MCR abandonment procedure Some FPRAs credit scenarios where the operators remain in the control room for monitoring and announcing; but perform local actions

- In this case the fire specific scenario is to be identified and defined by the FPRA analyst

- HRA analysts identify the procedure guidance operators will follow Task 12: Fire HRA - Identification & Definition Slide 19 Fire PRA Workshop, 2019, Rockville, MD

Identification: HFEs Corresponding to Undesired Operator Response to Spurious Signals An undesired operator action is a well intentioned operator action, taken in response to a spurious indication, that unintentionally exacerbates the scenario

- Operators are generally trained to (1) believe their instrumentation and (2) follow their procedures Identified within the context of the accident progression

- Review annunciator response procedures

- Review emergency operating procedures Defined in terms of their impact on the function, system, train or component.

- Although these actions are well-intended and not operator errors as such, the undesired consequences have the same impact as an error

& are therefore modeled as HFEs Task 12: Fire HRA - Identification & Definition Slide 20 Fire PRA Workshop, 2019, Rockville, MD

Identification and Definition of Factors for Undesired Operator Response to Spurious Signals Cue parameter/s

- Single or multiple (redundant or diverse)

Cue (procedural) hierarchy

- Continuously monitored or procedurally checked only Cue verification

- Required for immediate actions Degree of redundancy/diversity for a given parameter

- Redundant/diverse channels mitigate consequences of single spurious indication Task 12: Fire HRA - Identification & Definition Slide 21 Fire PRA Workshop, 2019, Rockville, MD

Examples of Potential HFEs from a Review of Annunciator Procedures to Identify Undesired Operator Responses Spurious Undesired Action Consequence Annunciator ESW PUMP MOTOR Place the affected One train of service water stopped.

INSTANT TRIP pumps control ESW pump can be restarted.

switch in LOCKOUT.

CCW PUMP MOTOR Place the affected Stopping one CCW pump increases INSTANT TRIP pumps control operating temp. on many switch in LOCKOUT. components.

CCW pump can be restarted.

EAST RHR PUMP Immediately open 1- Loss of RHR pump in Recirc. Mode.

SUCTION VALVES IMO-310, East RHR RHR pump will cavitate and cannot NOT FULL OPEN Pump Suction, or 1- be restarted.

ICM-305.

RHR PUMPS MOTOR Place pump control Delay start of RHR if not on or halts INSTANT TRIP switch in LOCK- RHR if on.

OUT. RHR pump can be manually started.

Task 12: Fire HRA - Identification & Definition Slide 22 Fire PRA Workshop, 2019, Rockville, MD

Human Failure Event Definition (General)

Define a set of HFEs as unavailabilities of functions, systems or components as appropriate to the level of detail in the accident sequence and system models Include in the definition:

- Accident sequence specific timing of cues, and time window for successful completion, and

- Accident sequence specific procedural guidance (e.g., AOPs, and EOPs), and

- The availability of cues and other indications for detection and evaluation errors, and

- The specific detailed tasks (e.g., component level) required to achieve the goal of the response. (Cat III)

Cognitive and execution elements Task 12: Fire HRA - Identification & Definition Slide 23 Fire PRA Workshop, 2019, Rockville, MD

Definition during Fire PRA Tasks HFE Definition starts during Identification with:

- Cues/alarm or other indications, Procedure, Staffing, Time available Feasibility evaluation initially done during Definition, then expanded as HFE is developed The HFE Definition sets the Context for the HRA evaluation Fire PRA Context typically varies with NUREG/CR-6850 (EPRI 1011989) task

- Context starts in Definition & continues during Qualitative Analysis

- Task 7a - Screening HEPs often use qualitative info from Definition

- Task 12 - Scoping HRA often uses qualitative info (context and PSF) associated with the scoping HRA trees

- Task 14 - For risk significant HFEs perform Detailed HRA using qualitative context & PSFs associated with the detailed quant. method Task 12: Fire HRA - Identification & Definition Slide 24 Fire PRA Workshop, 2019, Rockville, MD

Definition during a Fire PRA Definition of existing internal events HFEs should be reviewed and revised for fire-specific impacts New fire response HFEs require definition Definitions should include:

- Fire impact on instrumentation and indications used for detection, diagnosis and decision-making

- Fire impact on timing of (1) cues, (2) response, (3) execution, and on (4) time available

- Fire impact on success criteria

- Fire impact on manpower resources, which affect recovery

- Fire impact on local actions, e.g., accessibility, environment, lighting Some data may not be initially available, but will be filled in during Qualitative Analysis Task 12: Fire HRA - Identification & Definition Slide 25 Fire PRA Workshop, 2019, Rockville, MD

Initial Assessment of Feasibility Purpose: To decide whether an operator action can be accomplished or not, given the plant-specific and scenario-specific fire impacts.

Feasibility Evaluation - Set HEP to 1.0 for any of the following (as the action would not be feasible)

- Failed instrumentation (so no cues for operator action)

- Insufficient time available to complete action

- Insufficient manpower

- Procedural guidance does not exist

- Other Factors that may preclude credit Fire is in same location as required actions Inaccessible tools or equipment Feasibility is like a continuous action step that is re-visited as the NUREG-6850/EPRI 1011989 tasks progress.

Task 12: Fire HRA - Identification & Definition Slide 26 Fire PRA Workshop, 2019, Rockville, MD

Identification and Definition Summary HFE Identification finds where operator actions occur

- In the plant response to initiating events included in the PRA model

- Result is a list of operator actions modeled in the Fire PRA Identification consists of:

- Review plant operating procedures and understand operator response

- Review PRA Event trees, Fault trees, Results and Success Criteria HFE Definition gives the initial justification for inclusion of the action in the FPRA and provides input to Qualitative Analysis Definition consists of documenting objective, qualitative data that make-up the success criteria for the operator action.

- How do operators recognize the need for action? (Procedures, Cues)

- How do operators respond to the demand for action?

(Timing, Staffing, Tasks)

Initial Feasibility Evaluation is the first Go/No-Go check Task 12: Fire HRA - Identification & Definition Slide 27 Fire PRA Workshop, 2019, Rockville, MD

Course Overview

1. Introduction to HRA

2. Overview of the EPRI/NRC Fire HRA Guidelines

3. Identification and definition of fire human failure events

4. Qualitative analysis - - NEXT!

5. Fire HRA Insights and Issues

6. Quantitative analysis a) Screening b) Scoping c) Detailed EPRI approach & ATHEANA (detailed)

7. Recovery analysis

8. Dependency analysis

9. Uncertainty analysis Task 12: Fire HRA - Identification & Definition Slide 28 Fire PRA Workshop, 2019, Rockville, MD

Example of Identification of Potential Undesired Response to Spurious Cable Failures Task 12: Fire HRA - Identification & Definition Slide 29 Fire PRA Workshop, 2019, Rockville, MD

EOC Identification - HFEs Corresponding to Undesired Operator Response to Spurious Signals Review procedures linking an alarm to actions that could be taken by the operators Assumptions

- Fire-induced alarm appears when the plant is at full power Compile table of cues assumed to be false and the postulated Errors of Commission EOC screening question: are the operators instructed to verify that the alarm is true before taking action?

- May or may not be direct, redundant indications in the MCR so field verification might be required Task 12: Fire HRA - Identification & Definition Slide 30 Fire PRA Workshop, 2019, Rockville, MD

EOC Identification Steps (continued)

Common EOCs

- Causing a system to become unavailable

- Changing a valve alignment Applicability of EOC

- False cue applies to fire zones where the instrument cables are routed

- If routing is unknown False cue is assumed to occur in all fire zones to evaluate EOC consequences from a risk standpoint If risk is shown to be high with this assumption, then cable routing analysis can be performed.

Task 12: Fire HRA - Identification & Definition Slide 31 Fire PRA Workshop, 2019, Rockville, MD

Example EOC Evaluation Matrix Equipment Alarm Cited in Related Operated Desired Failed Equipment Add to Basic Event Description EOC Issue Recommended Modeling ID Procedure Procedure Component Position Position Comments Model?

2LT9389-2 Containment 57B15 2LT9389-2 SPURIOUS HV-9389 Available Unavailable Isolates sources Operator Long term action; Sump Yes Emer Sump HIGH LEVEL SIGNAL DUE of water to sump opens sump valve control needed only Level HI TO FIRE - ESFAS INPUT drain valves if LOCA occurs.

Recoverable.

2EI1651-2 Standby Power 57B55 Imported recovery HS-1770-2 Available Unavailable HS-1770-2 locks DG B is Screened. Alarm validated No Sys Train B event out DG B shutdown by by diverse means; no Inoperable operator action detrimental actions taken.

2PT0352-3 Containment 57B52 2PT0352-3 FALSE LOW HV-6494 Available Unavailable High pressure Make Train B Multiple conflicting No Spray Train B PRESS SIGNAL DUE TO assumes LOCA; containment indications inhibit Inoperable FIRE - ESFAS SIGNAL apply cooling via spray operator from taking UNAVAIL containment unavailable action; would verify spray alarms.

Task 12: Fire HRA - Identification & Definition Slide 32 Fire PRA Workshop, 2019, Rockville, MD