Enclosure 1 - PRA 08004, Human Error Probability for Recoveries Associated with the Fire Protection Triennial Inspection Finding Related to RHR-MO-25B

ML081540377
Person / Time
Site:	Cooper
Issue date:	05/08/2008
From:	Hitzel D, Nelson S Nebraska Public Power District (NPPD)
To:	NRC Region 4
References
PRA 08004
Download: ML081540377 (54)
v • d • e

Text

PRA 08004 Page 1 of 54 NEBRASKA PUBLIC POWER DISTRICT PRA 08004 Date: May 8, 2008 To: Dave Van Der Kamp (Licensing Manager) FOR INTRA-DISTRICT From: Steve Nelson (Risk Management) and Doug Hitzel (OSG) BUSINESS ONLY

Subject:

Human Error Probability for Recoveries Associated with the Fire Protection Triennial Inspection Finding Related to RHR-MO-25B Introduction On June 12, 2007, during the Fire Protection Triennial inspection conducted by the Nuclear Regulatory Commission (NRC), a walk down of manual operator actions, used for 10CFR50 Appendix R compliance, identified actions not able to be executed as written in the procedure. This is documented in CR-CNS-2007-04155 and associated condition reports addressed in the root cause investigation for CR-CNS-2007-04155. As part of the extent of condition review associated with this item, insufficient procedure guidance for opening of RHR-MO-25B (B Loop LPCI injection valve) was contained in procedure 5.4FIRE-S/D, Fire Induced Shutdown From Outside Control Room, Revision 14. The insufficient guidance contained in 5.4FIRE-S/D would have resulted in the operator having to diagnose lowering RPV water level. Recovery from the loss of RPV injection would occur by either opening RHR-MO-25B manually or restoring HPCI for long term hot shutdown mitigation.

In order to appropriately characterize the potential risk increase associated with this 5.4FIRE-S/D procedure deficiency, the Human Error Probabilities (HEPs) for either opening RHR-MO-25B or operating HPCI need to be evaluated.

It is the intent of this paper to present a best estimate of the expected plant response (albeit conservative) for this event and determine the human error probability (HEP) associated with restoration of HPCI, while follow the guidance contained in revision 14 of 5.4FIRE-S/D. It is also the intent of this paper to determine the HEP associated with recovery of RHR-MO-25B via manual operation.

Conclusion Restoration of HPCI is considered likely, due to the time available for diagnosis and action. Using guidance contained in revision 14 of procedure 5.4FIRE-S/D and engrained training associated with key RPV parameter maintenance (i.e. - RPV water level, RPV pressure, and power); the expected human failure probability (HEP) for recovery of HPCI is expected to be low(e.g. less than 1E-02).

Recovery of Alternate Shutdown Cooling mode of RHR by manual opening of RHR-MO-25B is considered another highly likely success path to avoid core damage.

The most limiting timing for these human actions would occur if cool down proceeds at the maximum rate allowed by the 5.4FIRE-S/D guidance. This maximizes decay heat and minimizes the time for diagnosis and actions.

PRA 08004 Page 2 of 54 Review of Expected Plant Response The Alternate Shutdown scenario begins with a fire in one of six areas Control Room, Computer Room, Cable Spreading Room, Cable Expansion Room, Auxiliary Relay Room, or R-903-NE corner.

The Operations staff enters Procedure 5.4FIRE, GENERAL FIRE PROCEDURE (ref 1) and , CONTROL ROOM SUPERVISOR, Step 2 directs, " Determine if fire has potential to adversely affect safe shutdown system operation per Procedure 5.4POST-FIRE". The Control Room Supervisor [CRS] then enters 5.4POST-FIRE, POST-FIRE OPERATIONAL INFORMATION, (ref 2) and compares the actual fire location to the locations listed in Attachment 1, FIRE AREA ACTIONS, then referring to the SAFE SHUTDOWN ACTIONS FOR AREA column he is directed to enter Procedure 5.4FIRE-SD, FIRE INDUCED SHUTDOWN FROM OUTSIDE CONTROL ROOM (ref 3

). Additionally step 4.5 of 5.4POST-FIRE (ref 2) directs, "If Attachment 1 requires Procedure 5.4FIRE-S/D entry, then exit this procedure."

Then after entering 5.4FIRE-SD the Shift Manager [SM] makes a determination concerning Control Room evacuation. Guidance is provided stating that Control Room evacuation is required based on either (1) Reports of spurious operation of components operated from Control Room, or (2) Control Room habitability due to fire in adjacent areas. (ref 3, Step 4.3) The decision to evacuate the Control Room is not made lightly or just because some system(s) are operating inappropriately, but the judgment of the Shift Manager in this determination will depend upon the situational analysis and fire affects. CNS Operator Training continually provides challenges to the Operations Staff to determine and take actions for failures in situations that include multiple failures well beyond "Design Transients" and/or "Design Accidents" and that the entire Operating Staff understands the significant differences of operations within the Control Room verses operations in a "outside Control Room Alternate Method".

The initial actions provided in Procedure 5.4FIRE-SD place responsibility upon the Shift Manager to make the decision to evacuate the Control Room, as discussed above. Then the remaining Operators are to perform actions to ensure Rx Scrammed, close MSIV's, inhibit ADS, Trip Main Turbine and 1 RFP and all but one Condensate Booster and Condensate Pump, if possible. Then the Operations staff and Secondary Alarm Station [SAS] operators will assemble at the Alternate Shutdown [ASD] locker and get required materials for their specific assignment. (ref 3, Section 4)

The actions contained within Procedure 5.4FIRE-SD, Attachment 1, ASD ROOMS ACTIONS, Section 2, SHIFT MANAGER/CONTROL ROOM SUPERVISOR ACTIONS AT ASD ROOM (ref 3), are those actions to place CNS in a sustainable lineup maintaining Hot Shutdown condition. The actions of the other 3 attachments, (Attachment 2, 3 and 4) are primarily built to support the Hot Shutdown Condition with few actions directly supporting Attachment 1, Section 3, PLANT COOLDOWN. The summary overview of actions taken within this procedure is:

The ASD Operator will transfer control of components on HPCI, ADS/REC, and RHR ASD Panels to ASD Room panels. This will prevent spurious operation and allow control of components required to operate systems. From ASD Room, he will operate HPCI to control RPV level and temperature/pressure, operate RHR Subsystem B in suppression pool cooling to restore and maintain suppression pool at desired temperature, secure REC

PRA 08004 Page 3 of 54 pumps and ensure coolant flow to HPCI fan cooling unit and RHR pumps, open ADS valves when desired for depressurization, and transfer RHR System from suppression pool cooling to LPCI injection for Alternate Shutdown Cooling (i.e. achieve cold shutdown operation by circulating suppression pool water through the RHR heat exchanger to the RPV and back to the suppression pool via 3 open Safety Relief valves [SRVs]).

Reactor Building Operator removes power from components required for RPV isolation.

The Operator then performs a valve line-up to ensure REC, RHR, and SW System valves are in their required positions to support Suppression Pool Cooling, HPCI operation and Alternate Shutdown Cooling.

Control Building Operator removes power from components to secure them or to fail them closed, operates breakers, as required, in Critical Switchgear Room 1G, and secures reliable and Control Building air headers.

DG Operator ensures proper operation of DG2 to supply power to Division 2 critical bus network and manually operates SW System components to ensure SW System remains available.

Plant Maintenance personnel will perform required repair activities necessary to achieve cold shutdown as directed by the Emergency Response Organization.

Depending upon the severity of the fire and its effects upon Control Room controls and instrumentation, the Shift Manager will most likely assume that unless the Control Room controls for most components (both Division 1 and Division 2) are rendered useless, that the transition back to the Control Room before entering a another change of status (stable hot shutdown operations to "Alternate Shutdown Cooling") that is challenging to the facility and Plant Technical Specifications (specifically plant cool down rate controls), is preferred. (ref 3, Attachment 1, Note 3 Step 3.1)

Staff Utilization As defined in Conduct Of Operations Procedure 2.0.3, CONDUCT OF OPERATIONS (ref 4, Section 10) , the minimum staffing for the operating crew in Modes 1, 2 & 3 is defined as two active Licensed SROs, Shift Manager [SM] and Control Room Supervisor [CRS], three active Licensed Control Room Operators (Reactor Operator [RO], Balance of Plant Operator [BOP],

and Work Control Operator [WCO]), three Non-Licensed Nuclear Plant Operators, and one Shift Technical Engineer [STE]. It further defines the Fire Brigade consisting of five people, three of which shall be Operations personnel with one of those being an active Licensed Operator designated as Fire Brigade Leader. The remaining two members may be from other departments.

The initial crew complement for ASD actions will require four operators with five operators available (not assigned to the fire brigade). The SM and/or CRS will go to the ASD Room (this position can be fulfilled by either of the two Senior Operators, but it is expected that the SM will assume the Emergency Director as soon as possible and the CRS will assume the ASD Operator (ref 3, Attachment 1, Note Step 2.1)). Two Control Room Operators and one Building Operator [Non-Licensed Operator] will be assigned the tasks of Reactor Building (Rx Bldg)

Actions (ref 3, Attachment 2), Control Building [Cont Bldg] Actions (ref 1, Attachment 3) and Diesel Generator [DG Op] Actions (ref 3, Attachment 4). The Shift Technical Engineer will go to the TSC to make notifications per Procedure 5.7.6, NOTIFICATION. (ref 3, Step 4.9)

The three operators, assigned to the Fire Brigade (ref 4, Step 10.1.6.3), are not available for

PRA 08004 Page 4 of 54 this plant event response for >30 minutes or until fire is extinguished, or they are relieved by auxiliary personal from the emergency organization.

Emergency Plan Actions:

The Shift Manager will be monitoring the fire and plant response, and if conditions warrant he will declare a NOUE utilizing Emergency Plan Implementing Procedure 5.7.1, EMERGENCY CLASSIFICATION, (ref 5) EAL 5.1.1 "Any fire within the Protected Area which takes longer than 10 minutes to extinguish." At this point, although not required per the Emergency Plan at a NOUE, the Emergency Response Organization may be activated if additional assistance is determined to be required the Shift Manager has an option to require Emergency Response Organization response at the NOUE at Step N/A-1 (ref 6). At that point he determines if ERO activation is desired to assist with the emergency. If an Alert is not previously declared by EAL 5.2.1 "A fire with a potential to cause degradation of a plant safety system required to be OPERABLE." The Shift Manager will assume the Emergency Director and declare an Alert using EAL 3.2.2, "Evacuation of Control Room Required or Anticipated With Control of Shutdown Systems Established From Local Stations". And based upon response of the facility he may upgrade to Site Area Emergency (SAE) using EAL 3.3.2, "Evacuation of The Control Room Accompanied By The Inability To Locally Control Shutdown Systems Within 15 Minutes". (ref 5, EALs 5.2.1, 3.2.2 & 3.3.2) The Emergency Response Organization will be in-place and actively supporting Shift Manager priorities within 60 minutes of declaration of the Alert or activation of the ERO callout, if performed at the NOUE, IAW EPIP 5.7.7, ACTIVATION OF TSC (ref 7, Step 2.3). It is noted that the 12-month average for TSC activation times as of 12/31/07 was 34 minutes, based upon reference 8.

The Shift Manager / Emergency Director will not delay Emergency Response declaration to determine if SAE applies. He will declare the Alert and make required notifications as soon as possible to ensure staffing of the Emergency Response Organization. If control of shutdown systems cannot be accomplished within 15 minutes, he will upgrade to SAE (ref 5, EAL 3.3.2).

The upgrade is structured not to be utilized just because all actions associated with ASD have not been completed. If the reactor successfully scrams, level and pressure are being controlled, and no significant impediments to the associated ASD activities are being encountered, the Alert emergency classification is appropriate. If impediments are being encountered in completing critical ASD functions and more than 15 minutes expire, then the upgrade to SAE is appropriate. (ref 5, EALs 3.2.2 & 3.3.2) The upgrade to SAE does not affect the staffing of the Emergency Response Organization [ERO] but explanation is provided for clarity.

Offsite notifications will be completed by the Shift Technical Engineer, from the TSC, per EPIP PROCEDURE 5.7.6, NOTIFICATION.

Initial Alternate Shutdown Actions:

The sequence of event and therefore the timing of the major actions steps of Procedure 5.4FIRE-SD vary depending upon [1] ability of operators to perform the Rx Scram prior to leaving the Control Room, [2] the exact scenario the operators are contending with. Based on recent time validations, assuming that scram actions occur before leaving the Control Room, the following systems are in service within the time listed (ref 9) (time is from order to

PRA 08004 Page 5 of 54 evacuate the Control Room) [NOTE - There are other actions, of this procedure, that are still not complete, and there are actions that are developed as "repairs" that may or may not be in progress but only those key system operations that support the stable Hot Shutdown mode are included in this provided timeline.]:

Diesel Generator # 2 is providing power to 4160 Buss 1G -- ~13 minutes HPCI is operating in Pressure Control/RPV makeup -- ~20 minutes Suppression Pool Cooling in service -- ~55 minutes.

When the plant is stable in a Hot Shutdown lineup, then Section 3, Plant Cooldown, will be considered. The ASD Operator will commence a forced cool down to ~200 psig using guidance in Section 2. HPCI will be providing makeup and steam draw from the Reactor vessel, RHR Suppression Pool Cooling will be in service with full cooling flow (RHR-MOV-66B, HX BYPASS VALVE will be CLOSED). The ASD Operator will operate HPCI to maintain Reactor Water Level in a range of about +3 to +40 inches as indicated by NBI-LI-185B, WIDE RANGE LEVEL, (~+163 to ~200 fuel zone zero) during the entire cool down process.

After the fire is out the Incident Commander will provide operators back to the active shift and they will assist the Rx Bldg Operator (ref 3, Attachment 1, Step 1 NOTE), this will also be done as additional operators become available via the emergency response callout. Additional operations support and TSC recovery action response becomes more viable after 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> from evacuation of Control Room. It is expected that Section 3 will not be entered until at least 3.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> after Control Room evacuation, due to assuming the minimum time required to stabilize the plant in Hot Shutdown (~1 1/2 hours [ref 9]) and cooldown to 200 psig (~2 hours) and not violate Plant Technical Specifications cooldown rate [ref 3, Attachment 1, Section 3, Note 3].

By this time the TSC will be fully functional, aware of activities and working with the Shift Manager (most likely now in ASD room supporting the CRS) to support plant priorities in a timely manner.

Environmental Factors During the time frame of the actions contained in Procedure 5.4FIRE-SD (ref 3) Attachment 1, Section 3 PLANT COOLDOWN placing Alternate Shutdown Cooling in service, the environment does not pose an additional abnormal challenge, exclusive of that challenge of operation outside Control Room.

There is either lighting, from the critical lighting panels fed from DG2.

There is not an adverse radiation environment, nor is the area normally highly contaminated.

The travel path is not encumbered, the valve actuator is located on top of the Angle Valve Room which is accessed via a permanent ladder from the R-9030NW floor area, and once the top of the ladder is attained, there is a cable run to step over, then the valve actuator is easily accessed.

It is estimated not to take more than 2 minutes to get to the actuator from the Motor Starter located R-903-W.

PRA 08004 Page 6 of 54 As it is considered to be taking place after at least 3 1/2 hours after initial exit from the Control Room there is no active barriers from the fire to overcome, including smoke.

There is no time pressure to initiate this set of actions, the "event" (fire) is now over and the plant is now in a stabilized environment without "significant unknown challenges" to plant conditions existing at this time.

The Hot Shutdown lineup (HPCI / RHR SPC) is operating properly from the ASD Room and is controllable, in that configuration, for a significant period of time.

Alternate Shutdown Actions When Entering Section 3, Plant Cooldown:

Section 3, PLANT COOLDOWN, will be preplanned and prestaged. This will consist of having additional personal briefed for these actions, which includes provisions for contingency actions [ref 10]. From reference 10 and reference 4 there is clear guidance delineating the requirement to have briefings during transient operations. It is reasonable to expect that the crew will stabilize the plant in a Hot Shutdown condition before conducting this brief, but it is also highly reasonable that Section 3, PLANT COOLDOWN [ref 3] will not be entered until such a brief occurs.

Procedure 0-HU-TOOLS, HUMAN PERFORMANCE TOOLS [ref 10], Attachment 8, PRE-JOB BRIEFS, states:

"Pre-job briefs are performed for all tasks or evolutions that have a potential impact on the plant outside of normal watch station rounds. Supervisors have the responsibility for determining which activities require pre-job briefings. Emergency situations requiring immediate action do not require pre-job; however, briefs are conducted as soon as the situation allows. Pre-job briefs are performed just prior to the task to the extent practical."

The format of the brief for this condition is specified in GOP 2.0.3, CONDUCT OF OPERATIONS [ref 4], Section 8, OPERATIONS POLICY DURING TRANSIENT OPERATIONS, as follows:

8.4.2 Briefs should use the following format:

8.4.2.1 Discuss plant status:

a. What got us here?

b. Where are we?

8.4.2.2 Discuss the critical parameters crucial to the transient in progress.

8.4.2.3 Ask for a status report from individual crew members.

8.4.2.4 State contingencies, inclusive of action points and lines in the sand and why they were chosen.

PRA 08004 Page 7 of 54 8.4.2.5 State priorities and why.

8.4.2.6 Ask if there are any questions.

8.4.2.7 Formally close the brief: "End of Brief".

With the requirement to discuss the evolution and how they got to this point (smart fire), it becomes more apparent that contingencies of the evolution will be discussed. With the actions of Section 3 are several main actions

1. Open RHR-MO-27B and RHR-MO-25B

2. Open SRVs to depressurize the Reactor

3. Secure HPCI when level is rising to > 50 inches, due to RHR injection

4. Continue to fill the Reactor Vessel to solid plant and recycle water via open SRVs and back via RHR injection (Alternate Shutdown Cooling).

The different actions and their contingencies will be discussed in detail at this point. And because of that discussion the team will:

1. Coordinate the Rx Bldg Operator and ASD Operator and

2. Maintain HPCI operation until RPV level is being affected by RHR LPCI injection. (ref 3, Attachment 1, Steps 3.1.3.5 - 3.1.3.7)

When the steps are implemented and RHR flow does not change, and level does not rise, the operator will close SRVs and continue to control HPCI (if not secured due to attaining >50 in, due to SRV swell, or less than 100 psig due to depressurization (ref 3, Attachment 1, Step 3.1.3.5)) and maintain Hot Shutdown while troubleshooting the lack of injection flow via the LPCI injection path.

LPCI injection failure is recognized by failing to see success in Step 3.1.3.6 "As RHR flow rises, throttle CLOSED RHR-MO-34B to maintain 6000 to 8000 gpm RHR flow. Maintain

<157 amps on RHR pump." This will become apparent to the operator that there issue with the injection pathway. The Operator will then have options to pursue to determine what failure is most probable and, from that, take action to remedy that issue.

RHR-MO-27B has control and position indication in the ASD room and the RHR flow path to the Suppression Pool is seen via RHR system flow.

As RHR-MO-25B does not indicate in the ASD room and it is one of two actions that has occurred within the RHR system, the logical choice is that it failed to operate.

o From the above facts the operator can choose any or all of the following actions to solve the problem with injection path flow while concurrently assessing the status of Reactor water level and making determination on HPCI restart (see below):

Choose to repeat the steps that operate the valve from the Starter.

Have the Rx Bldg Operator manually operate the Motor Operated Valve.

PRA 08004 Page 8 of 54

• Valve Operator has sufficient ruggedness to allow manual hand wheel operations with the differential pressure less than 165 psid.

• From receipt of call the Rx Bldg Operator would be near the vicinity of the valve Starter. That would mean it would take 2 minutes to arrive at valve. The valve is designed such that it requires ~9 hand-wheel turns to be capable of achieving approximately 1000 gpm injection flow rate and that at ~25% open the flow will be approximately 90% flow and the time required to achieve 25% open position will be less than 2.5 minutes. As the valve requires 225 turns to be full open, allowing for some fatigue, it is assumed to require a total opening time of approximately 11 minutes. (ref 11 and 12)

Contact TSC for assistance to determine failure and initiate repairs

• The TSC/OSC repetitively gets teams in the field (to the starter) in under 20 minutes (ref 8) o Teams are developed using a multi-disciplined approach and sent into the facility with the ability to diagnose and repair without having to return to TSC. The following represent the most probable activities the team would employ:

Manual Operation of the MOV.

Reassessment of breaker contactors (determining that more than one contactor would be needed to be depressed) is also evaluated.

• Qualified Electrician's and Engineers visually looking at the Starter the 3rd contactor would become a "known" condition.

• With the response time and determining a reasonable "long-path" solution, RHR-MO-25B failure to open will be resolved within 60 minutes.

During the time period from RHR-MO-25B failure to determination and correction of that failure, the Reactor critical parameters will be controlled with the following aspects in mind:

Maintaining 3 SRVs open removes inventory from the Rx Vessel That as pressure approaches 100 psig HPCI will be removed from service (if not already completed) removing the injection source.

Stopping cool down and restoring Hot Shutdown conditions (HPCI running maintaining pressure and level) with SPC in-service is a long term (operations perspective long term is 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for this type of condition) success path.

That cool down rate is not to be violated.

That the steps to restore HPCI to operation are completely contained within 5.4FIRE-SD Attachment 1, Section 2, inclusive of those steps to reopen HPCI-MO-15 and HPCI-MO-

16. This allows the operator to utilize procedural guidance, developed specifically for this situation, by re-performing the appropriate steps of the procedure that is in hand and in use at this time.

o HPCI can be restored, if secured at Step 3.1.3.5 by performing following [all steps are contained within reference 3, Attachment 1] [it is assumed that the time to restore HPCI

PRA 08004 Page 9 of 54 is less than 5 minutes as all steps are contained within ASD room and all instructions are contained within Procedure 5.4FIRE-SD, ref 3]:

Restore HPCI Steam line (Step 2.4.1)

Initiation of HPCI (Step 2.8)

Initiate RPV Makeup and control RPV pressure/temperature (Step 2.10)

The above listing provides evidence to the operator that multiple inputs that will drive his decision to close SRVs should an immediate success not be apparent. This was proven in the Simulator review of this portion of the procedure on March 5, 2008. Once the SRVs are closed, reactor pressure will rise, due to decay heat, and the operator will assess the immediacy of restoration of HPCI based upon Reactor Water level. Once the determination to restart HPCI is made the ASD operator will return to the beginning of procedure and restore HPCI to operation, re-performing procedure steps he has been utilizing since beginning of scenario.

When he restores HPCI he will inject into the RPV and restore water level to the appropriate band (3 to 40 inches instrument zero), stabilize pressure, and await the results of the troubleshooting of the LPCI injection path.

With the restoration of HPCI and the continuation of Suppression Pool Cooling the ASD Operator will return to an operational strategy that he was previously utilizing, that is IAW Section 2 of EP 5.4FIRE-SD, with a lineup and operating methodology/strategy that he had been operating in over the last several hours. When the condition with RHR-MO-25B is diagnosed and the valve is opened, the re-transition to Section 3 is seamless and the process of developing the conditions for Alternate Shutdown Cooling can be re-commenced.

The identified 5.4FIRE-S/D procedure deficiency would not have affected any of the expected plant response until the alternate shutdown cooling alignment using the LPCI injection path is attempted to be aligned in Attachment 1, Section 3 of the procedure. Because of procedural direction to limit cool down rate, it is not anticipated that actions to open SRVs and align LPCI will occur until beyond 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> into the event.

At the point in the procedure when the operator is aligning to fill up the RPV with LPCI mode of RHR the key plant conditions associated with RPV level control are as follows:

1. Three SRVs are open and jumpers are installed to allow hands free operation of all three SRVs.

2. B-Loop of RHR is operating in SPC mode of operation.

3. B-Loop of RHR is lined up for LPCI injection, with the exception of the failed RHR-MO-25B valve.

4. HPCI turbine is secured and HPCI steam supply valves are closed.

5. Key RHR parameter indications and control are available at the ASD panel for the operator stationed at the ASD panel (CRS/SM). These include; RHR flow, RHR-MOV-MO27B (LPCI injection inboard) valve position/control, RHR-MOV-MO34B (valve position/control), and RHR-MOV-MO66 (B RHR HX Bypass) valve position/control. The ASD panel operator will not have RHR-MOV-MO25B valve position/control.

PRA 08004 Page 10 of 54

6. Key parameters for monitoring critical safety functions are available at the ASD panel or procedurally directed for monitoring from an instrument rack. RPV level indication is available at the ASD panel. RPV pressure is available at the ASD panel when HPCI steam supply isolation valves are open, but with HPCI secured the procedure directs dispatching an operator to Rack 25-5 to monitor RPV pressure and primary containment pressure.

Following the opening of SRVs and attempted alignment of RHR LPCI injection, the operator is directed to throttle closed RHR-MO-34B (SPC return valve) to limit flow and divert RHR flow to the RPV to fill the RPV completely. As the operator continues to monitor performance of critical safety functions (symptom oriented RPV level and pressure control), RPV water level not responding as expected will prompt actions to increase RPV injection, diagnose LPCI injection issue, limit inventory reduction, and restore/maintain RPV level via HPCI or recovery of the LPCI injection path.

Overview of Human Reliability Modeling for Recovery The operator recovery actions evaluated include four separate human error probability (HEP) calculations. These are separated to evaluate potentially different performance shaping factors and timing to support an event tree analysis for recovery from the RHR-MO-25B failure to open (due to inadequate procedure guidance only).

The Standardized Plant Analysis Risk - Human Reliability Analysis (SPAR-H) was chosen to analyze these human failure events. SPAR-H was chosen for the following reasons:

1. Provides eight performance shaping factors to sufficiently address the potential sequence specific impacts on the HEP.

2. It is the standard human reliability analysis process used in the Significant Determination Process (SDP) and provides plant specific details which may assist in providing a more realistic HEP.

3. Provides THERP like dependence model which can be used to address both subtask and event sequence dependence.

4. Provides a relatively simple HRA process, with adequate documentation to address important aspects of human error.

The term Joint HEP used in this HRA is in the context of the SPAR-H method. Joint HEP as defined in NUREG/CR-6883 is: a basic human failure event (HFE) that has both diagnosis and action parts. In pre-initiator situations, this could include a task such as trouble shoot and correct. A post initiator basic event could include operator recognizes the need to energize systems before implementing the correct configuration and then takes the appropriate action. The resulting basic event is then reviewed for dependency and modified accordingly.

See Figure A for an example of how these actions are utilized in the event tree analysis. The actions evaluated are:

1. HEP 1 - Operator Fails to Diagnose RPV Level Decrease - Diagnosis HEP only.

Failure of this action is assumed to go to core damage. Operators need to know nothing about RHR-MO-25B position for this diagnosis. Cues include RPV water level decreasing/not responding as expected and RHR flow rate not responding as expected.

2. HEP 2 - Operator Fails to take action to close SRVs before water level drops to TAF Indicated - Action HEP only. If the operator fails this action, it is still possible to

PRA 08004 Page 11 of 54 diagnose and manually open RHR-MO-25B. This action is required to be successful for HPCI mitigation in stable hot shutdown beyond 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

3. HEP 3 - Operator Fails to restore/maintain RPV level and pressure with HPCI - Joint HEP. This action is a joint HEP action involving the diagnosis for need/guidance to restore HPCI and action to perform the guidance contained in 5.4FIRE-S/D for long term HPCI operation. If the operator fails this action, it is still possible to diagnose and manually open RHR-MO-25B. Additional time for diagnosis and manually opening RHR-MO-25B is available following failure of this action, because SRV(s) have been successfully reclosed, extending the time for inventory loss to uncover the fuel.

4. HEP4 - Operator Fails to diagnose and open RHR-MO-25B to recover/maintain RPV water level with LPCI mode - Joint HEP. Failure of this action is assumed to go to core damage. Diagnosis is included and the limiting time assuming the operator failed to close the SRV(s) is utilized for both potential event tree paths. This is a conservative simplification, as additional time is available for diagnosis if the SRV(s) are closed and HPCI recovery failed.

The SPAR-H Human Reliability Analysis Method described in NUREG/CR-6883 is utilized to determine the overall HEP(s) associated with these actions.

Figure A shows the basic human error events utilized in this human reliability analysis. This event tree depicts how the human errors analyzed in this attachment are used to determine the risk increase of RHR-MO-25B failure to open due to inadequate procedure guidance. Use of a joint HEP for restoration of HPCI was chosen to capture the potential diagnosis failure to identify appropriate HPCI recovery actions after successful diagnosis that RPV water level is decreasing.

FIGURE A - EVENT TREE EXAMPLE FOR HRA RECOVERY ANALYSIS ASSOCIATED WITH INADEQUATE PROCEDURE GUIDANCE TO OPEN RHR-MO-25B

PRA 08004 Page 12 of 54 There may be multiple potential success paths for recovery from this event. There would be an extended amount of time and extra staff available when the RHR-MO-25B procedure deficiency would start impacting the critical safety function of adequate RPV injection. However, the two recoveries analyzed herein were chosen due to their perceived ease at identification and implementation. During the process of identifying the scope of potential recovery actions, the following questions regarding functional recovery were addressed (as noted in NUREG/CR-6883, Section 2.8, for consideration of recovery actions):

1) Can the crew diagnose the need for recovery? Yes, by the time the identified procedure error would be encountered the fire would be extinguished and the plant would be in a stable hot shutdown condition. The basis that the fire would be extinguished is from Appendix P of NUREG/CR-6850, which gives the average fire duration as ~ 13 minutes with 99% extinguished at ~ 60 minutes. All controls and indications necessary for diagnosis are available to the operator at the ASD panel. Procedure actions would require monitoring of key RPV parameters while performing steps in procedure 5.4FIRE-S/D to fill the RPV solid.

2) Can it be accomplished in the time available? Yes, from the time three SRVs are opened until the RPV water level lowers to an indicated level near the top of active fuel is greater than 40 minutes. Simulator evaluations showed that the diagnosis takes less than 10 minutes.

3) Can the equipment be put in functional condition by personnel? Yes, the procedure error does not impact equipment functionality. HPCI is only secured due to manual opening of the SRVs and the resulting lowering of RPV pressure. The operator simply needs to close the SRVs and restore HPCI operation per the procedure guidance already performed (i.e. - the same guidance the operator has been using successfully, over the proceeding 3 1/2 hours prior to RHR-MO-25B not opening). RHR-MO-25B is completely functional via motor or designed manual operation.

4) Can the crew gain access to the equipment? Yes, HPCI control would be accomplished via the ASD panel, as it had been for at least the previous 3 1/2 hours. RHR-MO-25B is located in the injection valve room on the 903 elevation of the reactor building. The

PRA 08004 Page 13 of 54 manual operator for this valve is located on top of the injection valve room in a poured concrete mezzanine area. Access to the manual operator is via a permanently installed ladder. There are no postulated fires requiring control room evacuation which would impact the ability of the operating staff from gaining access to any necessary equipment for these recoveries.

5) Is the required staff (with the right skills) available? Yes, the CRS/SM operating from the ASD panel is capable of restoring HPCI operation and maintaining RPV level and pressure. The entire on shift operating crew is available at the point when the procedure error would have an impact. Additionally, the ERO would have been staffed for hours prior to encountering this step in the procedure.

Based on the responses to these five questions, it is clear that functional recovery from the error contained in procedure 5.4FIRE-S/D is not only possible, but likely. A detailed evaluation of the performance shaping factors is then performed to determine quantitatively how likely these recoveries are.

Limiting Action Timing Analysis The Modular Accident Analysis Program (MAAP 4.0.5) and Cooper specific model were used to analyze the worst case conditions for plant response to minimize time to recovery from a failure to open RHR-MO-25B, while transitioning to Alternate Shutdown Cooling alignment.

The following is a summary of the MAAP 4.0.5 run assumptions and key results. Two MAAP runs were completed with similar input assumptions, the only difference being whether SRVs were closed at TAF indicated or left open. The second case involved leaving SRVs open was done to evaluate the minimum time available to recover RHR-MO-25B valve opening and restore injection via LPCI mode of RHR. No credit for reclosing SRVs to extend available time was taken for the RHR-MO-25B case.

Figures 1 through 5 are graphical representations of the key plant parameters vs. time for the first MAAP run (with SRVs closed at TAF indicated). Figures 6 through 10 are graphical representations of the key plant parameters vs. time for the second MAAP run (leave three SRVs open for the duration).

MAAP run description Reactor scram and MSIV closure occur at event initiation. HPCI is utilized in pressure control mode of operation and water level is restored/maintained at +10 inches instrument zero (This is 25 inches lower than normal water level).

Suppression pool cooling is manually initiated when suppression pool water temperature exceeds 95°F using a single RHR pump and heat exchanger with an 85°F Service Water temperature.

HPCI is allowed to depressurize the reactor based on parameter file steam flow and flow delivery curves with RPV pressure maintained between the low pressure isolation set-point and 200 psia.

PRA 08004 Page 14 of 54 At 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> into the event, HPCI is maintaining RPV water level and RPV pressure is at 150 psia, when 3 SRVs are manually opened. HPCI is assumed tripped when the SRVs are opened, although it is possible that HPCI may continue injecting down to an RPV pressure of 100 psig. From the time these SRVs are opened until RPV pressure reaches 100 psig is approximately 5 minutes.

These 3 SRVs are maintained open (cycling may occur due to differential pressure between the RPV and containment. These fluctuations are modeled in MAAP to reflect valve estimated response). It takes over 40 minutes from the time the SRVs are opened until RPV inventory is depleted to indicated top of active fuel (TAF).

Case 1: At TAF indicated (~ 3.73 hours8.449074e-4 days <br />0.0203 hours <br />1.207011e-4 weeks <br />2.77765e-5 months <br /> into the event) all SRVs are manually reclosed. This results in no water mass loss from the SRV until pressure rises to the spring set-point of the lowest set SRV. It takes approximately 50 minutes for the RPV pressure to rise to the relief valve set-point. In order to determine core damage timing, the MAAP run does not assume recovery of RPV injection. This provides the maximum time from closing the SRVs until HPCI injection must be recovered to prevent incipient core damage. Incipient core damage begins at ~6.4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, more than 2 1/2 (~ 2.67 hours7.75463e-4 days <br />0.0186 hours <br />1.107804e-4 weeks <br />2.54935e-5 months <br />) hours after the SRV(s) were closed at TAF indicated water level.

Case 2: SRVs are assumed to remain open as water level lowers below TAF indicated. In order to determine core damage timing, the MAAP run does not assume recovery of RPV injection. Incipient core damage begins at ~5.8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />, more than 2 1/2 hours after the SRVs were opened and the operator recognized RHR-MO-25B failed to open.

PRA 08004 Page 15 of 54 FIGURE 1 - CN080007 - FP-SDP-HPCI-7 1400 1200 1000 P r e s s u r e (p s ia )

800 600 400 200 0

0 3600 7200 10800 14400 18000 21600 25200 28800 Time (sec)

RPV PRESSURE (psia) HPCI trip RCIC trip

PRA 08004 Page 16 of 54 FIGURE 2 - CN080007 - FP-SDP-HPCI-7 60 50 L e v e l A b o v e B o tto m o f V e s s e l (ft) 40 30 20 10 0

0 3600 7200 10800 14400 18000 21600 25200 28800 Time (sec)

CORE SHROUD TAF MSCRWL MZIRWL BAF L1 L2 L3 L4 NORM L8

PRA 08004 Page 17 of 54 FIGURE 3 - CN080007 - FP-SDP-HPCI-7 300 14.2 14 250 13.8 200 13.6 T e m p e ra tu re (°F ) S P W a te r L e v e l (ft) 150 13.4 13.2 100 13 50 12.8 0 12.6 0

3600 7200 10800 14400 18000 21600 25200 28800 Time (sec)

DRYWELL WETWELL SUPPRESSION POOL HCTL HIGH PRESSURE SP WATER LEVEL

PRA 08004 Page 18 of 54 FIGURE 4 - CN080007 - FP-SDP-HPCI-7 60 50 40 P re s s u re (p s ia )

30 20 10 0

0 3600 7200 10800 14400 18000 21600 25200 28800 Time (sec)

DRYWELL WETWELL

PRA 08004 Page 19 of 54 FIGURE 5 - CN080007 - FP-SDP-HPCI-7 2.50E+06 2.00E+06 1.50E+06 F lo w ( lb m /h r )

1.00E+06 5.00E+05 0.00E+00 0

3600 7200 10800 14400 18000 21600 25200 28800 Time (sec)

SRV Steam Flow Break Flow (liq) Break Flow (gas) HPCI RCIC CRD DGFW LPCI CS HPCI STM FLow

PRA 08004 Page 20 of 54 Figure 6 - CN080008 - FP-SDP-HPCI-8 1400 1200 1000 P re s s u re (p s ia )

800 600 400 200 0

0 3600 7200 10800 14400 18000 21600 25200 28800 Time (sec)

RPV PRESSURE (psia) HPCI trip RCIC trip

PRA 08004 Page 21 of 54 Figure 7 - CN080008 - FP-SDP-HPCI-8 60 50 L e v e l A b o v e B o tto m o f V e s s e l (ft) 40 30 20 10 0

0 3600 7200 10800 14400 18000 21600 25200 28800 Time (sec)

CORE SHROUD TAF MSCRWL MZIRWL BAF L1 L2 L3 L4 NORM L8

PRA 08004 Page 22 of 54 Figure 8 - CN080008 - FP-SDP-HPCI-8 300 14.2 14 250 13.8 200 13.6 T e m p e ra tu re (°F ) S P W a te r L e v e l (ft) 150 13.4 13.2 100 13 50 12.8 0 12.6 0

3600 7200 10800 14400 18000 21600 25200 28800 Time (sec)

DRYWELL WETWELL SUPPRESSION POOL HCTL HIGH PRESSURE SP WATER LEVEL

PRA 08004 Page 23 of 54 Figure 9 - CN080008 - FP-SDP-HPCI-8 60 50 40 P re s s u re (p s ia )

30 20 10 0

0 3600 7200 10800 14400 18000 21600 25200 28800 Time (sec)

DRYWELL WETWELL

PRA 08004 Page 24 of 54 Figure 10 - CN080008 - FP-SDP-HPCI-8 2.50E+06 2.00E+06 1.50E+06 F lo w (lb m /h r) 1.00E+06 5.00E+05 0.00E+00 0

3600 7200 10800 14400 18000 21600 25200 28800 Time (sec)

SRV Steam Flow Break Flow (liq) Break Flow (gas) HPCI RCIC CRD DGFW LPCI CS HPCI STM FLow

PRA 08004 Page 25 of 54 Recovery Time Line Table 1 provides a summary level over view of the estimated durations for key activities and estimated time lines for accomplishing these actions. These estimates are used to provide a range of expected operator response times for the HRA associated with recovery actions for HPCI or RHR-MO-25B.

The estimated timing contained in Table 1 is based on the most recent time validation activities for procedure 5.4FIRE-S/D. These estimates where then compared to a limiting time scenario evaluated using thermal-hydraulic software for the Cooper PRA (MAAP 4.0.5). The details of the thermal-hydraulic analysis for this scenario are discussed in the Limiting Action Timing Analysis section.

Table 1 Recovery Activities and Duration Estimated Limiting Time Time Duration Activity Line (min) used Estimate (min) Time Line (min) for HRA t=0 (decision to t=0 A. Fire Response evacuate)

1. Scrams the reactor, closes MSIVs, trips main turbine, trips all but one train feed/condensate, inhibits ADS, and evacuates control room, assemble at the ASD locker and 2-5 2-5 N/A operators dispatched to perform actions in Attachments 2, 3, &4 of 5.4FIRE-S/D

2. SM calls for activation of ERO, if not already completed 3-15 5-20 N/A

3. Control/Trip HPCI if level > 40 5 7-10 N/A

3. CRS/SM establishes control of HPCI system and maintains hot shutdown RPV water level and pressure with 5-15 7-20 N/A HPCI in pressure control mode of operation and commences cool down.

4. Operators in the field have completed actions to allow 40-50 42-55 N/A SPC to be placed in service.

5. Fire is out and fire brigade members become available 10-20 30 N/A for other actions.

90 (maximizes

4. CRS/SM places B loop of RHR in SPC mode. 5-13 47-68 SP temperature) 180 (minimum

5. RPV cool down is complete (duration includes expected time results in cool down time) and CRS/SM opens 3 SRV(s), secures maximum decay 300-420 347-488 HPCI, and begins LPCI injection. Note cool down does not heat and limits commence until SPC is placed in service. recovery time available)

B. TSC Activation

1. TSC Activation 45 49-60 N/A C1. Diagnosis HEP1 (RPV water level decrease)

PRA 08004 Page 26 of 54 Estimated Limiting Time Time Duration Activity Line (min) used Estimate (min) Time Line (min) for HRA

1. Attempted transfer to cold shutdown. CRS/SM monitors RHR flow and RPV parameters. CRS/SM recognizes that RHR flow and RPV water level are not responding as 220 (40 minutes expected are available

2. CRS/SM makes decision it may be necessary to close from the time SRV(s) to limit inventory loss during low pressure injection 5-10 352-498 SRVs are open valve recovery. until shroud indicated water level at TAF)

C2. Execution HEP2 (Close SRVs)

The same 40 minutes that is available for HEP1is used for the action to close SRVs.

The diagnosis portion of the HEP2 action to

1. CRS/SM closes SRVs to minimize inventory loss by close the SRVs 1-2 353-500 placing ADS valve isolation switch to NORMAL. is HEP1.

Consideration is given for accomplishing both diagnosis and action within this total time available.

C3. Diagnosis and Execution HEP3 (Restart HPCI per procedure 5.4FIRE-S/D guidance and maintain stable hot shutdown conditions)

More than 2 1/2 hours are

1. CRS/SM recognizes need to re-establish injection via 5-10 (after RPV available from HPCI and loops back in procedure 5.4FIRE-S/D to the pressure is re- the time SRV(s) point of recognizing guidance for HPCI restoration. This is established - are closed with the same guidance the CRS/SM has been using over the estimated to re- water level at 368-530 past 3 1/2 hours to control RPV water level. established within TAF indicated 15-30 minutes until incipient

2. CRS/SM starts HPCI, restores/maintains RPV water following closure core damage.

level and pressure using HPCI in pressure control mode. of SRVs) This is the bounding time considered for this joint HEP.

C4. Diagnosis and Execution HEP4 (Operator manually opens RHR-MO-25B and restores water level via the LPCI injection path)

1. CRS/SM monitors RHR flow and RPV parameters, Diagnosis 5-10, 357-508

PRA 08004 Page 27 of 54 Estimated Limiting Time Time Duration Activity Line (min) used Estimate (min) Time Line (min) for HRA throttles closed on RHR-MO-34B to attempt filling the More than 2 1/2 RPV, has station operator verify RPV pressure, checks hours are RHR-MO27B position indication, and concludes RHR- available from MO-25B did not open. CRS/SM assigns personnel to the time SRV(s) troubleshoot and open RHR-MO-25B. are originally open until

2. Station operator proceeds from Reactor Building incipient core 903 west to the top of the injection valve room Estimated action damage. This concrete mezzanine area to check valve position at 10 -13 minutes total time is and manually open the valve if necessary. based on 2 considered minutes travel, bounding due to

3. Because RHR is already operating in SPC mode and 8 minutes to 367-521 the flow through RHR-MO-25B is expected to no credit for open the valve (10 operator action exceed required make-up when this gate valve is minutes total).

greater than 10 % open, without crediting to limit For a total time of inventory loss additional action to reduce flow through the SPC 15-23 minutes.

path. by closing the SRVs.

Determination of Probability of Failure to Recover The SPAR-H model was used to estimate the probability of failure to recover HPCI or RHR-MO-25B.

The recoveries will be considered in four separate HEPs per the SPAR-H method and as applied in Figure 1. The following are the details for each of the four HEPs evaluated for recovery from the procedure deficiency identified in 5.4FIRE-S/D, Revision 14.

HEP1, Operator Fails to Diagnose RPV Level Decrease Basic Event Summary HEP1

SUMMARY

Analysis Results: Diagnosis Failure Probability 1.0e-03 Plant:

Cooper Initiating Event:

Fire Requiring Control Room Evacuation Basic Event Context:

This basic event evaluates the probability of the operator failing to diagnose RPV water level decreasing, while performing operation to transfer from HPCI controlled hot shutdown conditions to

PRA 08004 Page 28 of 54 RHR controlled cold shutdown using the guidance contained in procedure 5.4FIRE-S/D, revision 14.

The guidance contained in Attachment 1, Section 3 of this procedure contained an error, which would have resulted in RHR-MO-25B not responding as expected. While operating in procedure 5.4FIRE-S/D, this section of the procedure would be performed by the CRS or SM from the ASD panel. At the ASD panel there is no indication of RHR-MO-25B (RHR Loop B Inboard LPCI Injection Valve) position.

The identified problem with the procedure guidance would not affect mitigation until at least 3 1/2 hours following the event initiation, due to cool down restrictions. Prior to entering Attachment 1, Section 3 of procedure 5.4FIRE-S/D it is anticipated that a pre-job brief would be held. The plant conditions are relatively stable following a steady cool down over the past few hours, while maintaining RPV water level and pressure with HPCI. Entering Section 3 of this attachment is a change is operating conditions which would warrant a briefing per procedure 0-HU-TOOLS. When Section 3 is entered the plant will be transitioning from a stable hot shutdown condition on HPCI to an infrequently used Alternate Shutdown Cooling alignment using RHR.

The fire will be extinguished by this time (reference NUREG/CR-6850, Appendix P) and full ERO staffing would be expected (although not necessary to evaluate successful recovery). When Section 3 of the Attachment is performed, the operator is aligning to fill up the RPV with LPCI mode of RHR and the key plant conditions associated with RPV level control are as follows:

1. Three SRVs are open and jumpers are installed to allow hands free operation of all three SRVs.

2. B-Loop of RHR is operating in SPC mode of operation.

3. B-Loop of RHR is lined up for LPCI injection, with the exception of the failed RHR-MO-25B valve (FAILURE DUE TO PROCEDURE DEFICIENCY).

4. HPCI turbine is secured and HPCI steam supply valves are closed.

5. Key RHR parameter indications and control are available at the ASD panel for the operator stationed at the ASD panel (CRS/SM). These include; RHR flow, RHR-MOV-MO27B (LPCI injection inboard) valve position/control, RHR-MOV-MO34B (valve position/control), and RHR-MOV-MO66 (B RHR HX Bypass) valve position/control. The ASD panel operator will not have RHR-MOV-MO25B valve position/control.

6. Key parameters for monitoring critical safety functions are available at the ASD panel or procedurally directed for monitoring from an instrument rack. RPV level indication is available at the ASD panel. RPV pressure is available at the ASD panel when HPCI steam supply isolation valves are open, but with HPCI secured the procedure directs dispatching an operator to Rack 25-5 to monitor RPV pressure and primary containment pressure.

PRA 08004 Page 29 of 54 HEP1 - DIAGNOSIS (ONLY)

PSFs PSF Levels Multiplier for Diagnosis Available Time Inadequate Time P(failure) = 1.0 Barely adequate time (~ 2/3 x nominal) 10 Nominal time 1 Extra time (between 1 and 2 x nominal X 0.1 and > 30 min)

Expansive time (> 2 x nominal and > 30 0.01 min)

Insufficient Information 1 The minimum time available from the time three SRV(s) are opened until RPV water level lowers to near TAF indicated is 40 minutes and more than 2 1/2 hours is available from the time SRV(s) are opened until core damage if no other action is taken. Observed simulator scenario showed a nominal total time from SRVs open until the operator had determined RPV level and RHR flow were not responding as expected of 10 minutes. This time frame is conservative, as the 10 minutes observed in the simulator scenario, included complete valve manipulations to diagnose that RHR-MO-25B had not opened.

The diagnosis of RHR-MO-25B position is not required for HEP1. Therefore, greater than 4 x nominal and > 30 minutes are available to diagnose. Extra time is selected, instead of expansive due to recovery time is less than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for this at power HEP.

Stress Extreme 5 High X 2 Nominal 1 Insufficient Information 1 High stress level is selected based upon a more than nominal level of stress existing while operating from the ASD panel and loss of injection with minimal equipment readily available.

The consequences of this task represent a threat to plant safety. Extreme stress is clearly not justified for this diagnosis, due to the expected controlled nature and time available when the diagnosis would be required. The fire is out and the plant is in a relatively stable condition, with multiple resources available.

Complexity Highly complex 5 Moderately complex 2 Nominal X 1 Obvious diagnosis 0.1 Insufficient Information 1 RPV water level is one of the key parameters monitored by BWR operators, thus the complexity could be considered obvious. The complexity is conservatively considered Nominal because the key parameters the operator is monitoring would not respond as expected. The procedure direction will result in available parameters not responding as expected. With only one injection path available and RPV water level not increasing, coupled with the fact the operator will be monitoring RPV water level during the evolution the diagnosis is fairly simple.

PRA 08004 Page 30 of 54 Experience/Training Low 10 Nominal 1 High X 0.5 Insufficient Information 1 Experience/Training is considered High due to the fact that the individual performing this diagnosis at the ASD panel is the CRS or SM. Individuals in these positions are senior reactor operators with extensive training and experience. The action of diagnosing problems affecting RPV injection capabilities is something they have extensive knowledge and practice with in a wide range of potential scenarios. Additionally, operators are trained on procedure 5.4FIRE-S/D as part of SRO qualification (SKL0110102) and on a two year frequency for operator requalification training (TPP-201). Therefore, it is expected that the individuals tasked with this diagnosis would be familiar with operating at the ASD panel and possess more than enough training to proceed using available equipment, indications, and staff to identify this failure.

Procedures Not available 50 Incomplete 20 Available, but poor 5 Nominal X 1 Diagnostic/symptom oriented 0.5 Insufficient Information 1 Procedures are considered nominal for this diagnosis.

Procedure 5.4FIRE-S/D contains steps for controlling and monitoring RPV water level which readily enhance the ability to diagnose the loss of RPV injection and lowering RPV water level (Steps 3.1.3.6 - 3.1.3.10 and proceeding notes). These are the steps performed directly following the RHR-MO-25B failure to open. There is nothing contained in this procedure which would confuse or impede performance of this diagnosis. The identified procedure deficiency does not impede the diagnosis RPV water level decreasing. Although this deficiency may impede diagnosis of the exact reason RHR-MO-25B didnt open, the exact reason for the valve not opening is not required for this recovery.

Ergonomics/HMI Missing/Misleading 50 Poor 10 Nominal X 1 Good 0.5 Insufficient Information 1 Ergonomics are considered nominal for this diagnosis because key valve indications are available at the ASD panel, with the exception of RHR-MO-25B. Additionally, all key RPV parameters are monitored and available to the operator at the ASD panel. RPV level and RHR flow indications are available at the ASD panel. RPV pressure is available from the ASD panel when the HPCI steam supply isolation valves are open, but would most likely be reported via the operator dispatched to monitor this indication at Rack 25-5.

Fitness for Duty Unfit P(failure) = 1.0 Degraded Fitness 5 Nominal X 1 Insufficient Information 1 It is anticipated that the individual is able to carry out tasks.

PRA 08004 Page 31 of 54 Work Processes Poor 2 Nominal X 1 Good 0.8 Insufficient Information 1 Work processes should be considered good for this diagnosis based on implementation and proven use of human performance tools when plant conditions are expected to be significantly changed. It is expected that a full pre-job brief would be conducted prior to taking the plant to cold shut down via the Alternate Shutdown Cooling alignment. This would obviously enhance the ability to diagnose the fact that RHR-MO-25B didnt open. However, because of human performance cross cutting issues highlighted in the 2007 annual assessment letter from Dwight Chamberlain (NRC) to Stewart Minahan (NPPD) dated March 3, 2008 no credit will be given in this PSF for the expected brief. Work Processes are considered nominal for this HEP.

HEP1 - Diagnosis: 1.0E-2 x 0.1 x 2 x 1 x 0.5 x 1 x 1 x 1 x 1 = 1.0E-03 HEP1 (Diagnosis): 1.0E-03 HEP2, Operator fails to take action to close SRVs prior to water level dropping below TAF indicated Basic Event Summary HEP2

SUMMARY

Analysis Results: Action Failure Probability 5.0e-04 Plant:

Cooper Initiating Event:

Fire Requiring Control Room Evacuation Basic Event Context:

This basic event evaluates the probability of the operator failing to close the SRVs to prevent continued RPV inventory loss. This event is only considered after the operator has successfully diagnosed the RPV water level decrease. The diagnosis portion is evaluated in HEP1, Operator fails to diagnose RPV Level Decrease, therefore, this HEP only evaluates the action to close SRVs. This action is considered successful if completed prior to the time RPV water level drops below TAF indicated. Although longer times could be justified (e.g. - minimum steam cooling RPV water level or incipient core damage), given the significant amount of time available, if the operator fails to close the SRVs prior to indicated water level going below TAF it is assumed they will not close the SRVs.

PRA 08004 Page 32 of 54 Procedure 5.4FIRE-S/D, Attachment 1, Section 3 contains no specific guidance to close all SRVs.

However, one could argue that even symptom oriented procedures do not contain such specific guidance for this type of situation. It is recognized that procedure 5.4FIRE-S/D (event based) and EOPs (symptom based) were both developed to maintain critical safety functions (RPV water level and pressure control). Although procedure 5.4FIRE-S/D is not symptom based, the monitoring of key RPV parameters and maintaining RPV water level is engrained in the mentality of the senior operators (CRS/SM) taking this action. Procedures are not written to cover all possible failures and to do so, would likely make the procedures more difficult to follow and errors more likely.

Because the loss of injection to the RPV (due to the procedure deficiency) would be unexpected and no rule based actions are included in 5.4FIRE-S/D for RHR-MO-25B not opening; the operator would be in the knowledge-based realm to determine the action required to close the SRVs. The action required to close the SRVs is contained in 5.4FIRE-S/D by the reversal of step 3.1.3.2 of Attachment 1, Section 3, Revision 14. This step had the operator, Place ADS valve isolation switch to ISOL to OPEN ADS valves MS-71E, MS-71F, and MS-71G, immediately prior to attempting to open RHR-MO-25B. In order to close the SRVs, the operator must take the ADS isolation switch back to NORMAL. Once the switch is taken back to normal the SRVs will close and the inventory reduction is halted until RPV pressure raises to the point of SRVs lifting.

PRA 08004 Page 33 of 54 HEP2 - ACTION (ONLY)

PSFs PSF Levels Multiplier for Action Available Time Inadequate Time P(failure) = 1.0 Time available is ~ the time required 10 Nominal time 1 Time available >= 5x the time required X 0.1 Time available >= 50x the time required 0.01 Insufficient Information 1 The minimum time available from the time three SRV(s) are opened until RPV water level lowers to near TAF indicated is 40 minutes and more than 2 1/2 hours is available from the time SRV(s) are opened until core damage if no other action is taken. As noted previously, this HEP conservatively uses the 40 minutes available timing. Observed simulator scenario showed a nominal total time from SRVs open until the operator had determined RHR-MO-25B had not opened of ten minutes. The simulator scenario also showed that the operator diagnosed this and performed action to close SRVs within the same 10 minutes. If the full 10 minutes is used for diagnosis (HEP1) and it is assumed that it takes 1 - 2 minutes to perform this action, at least 15 times required action time is available, i.e. - (40 - 10)/2. Therefore, greater than 5 x is available to perform.

Stress/Stressors Extreme 5 High X 2 Nominal 1 Insufficient Information 1 High stress level is selected based upon a more than nominal level of stress existing while operating from the ASD panel and loss of injection with minimal equipment readily available.

The consequences of this task represent a threat to plant safety. Extreme stress is clearly not justified for this action, due to the expected controlled nature and time available when the action would be required. The fire is out and the plant is in a relatively stable condition, with multiple resources available.

Complexity Highly complex 5 Moderately complex 2 Nominal X 1 Insufficient Information 1 The complexity of this action is considered nominal. Since the operator just performed the step to open the SRVs, the guidance for closing SRVs requires little additional cognitive effort beyond that already expended to diagnose the problem.

The action of taking the switch back to NORMAL at the ASD panel is not difficult to perform.

Experience/Training Low 3 Nominal 1 High X 0.5 Insufficient Information 1 Experience/Training is considered High due to the fact that the individual performing this action at the ASD panel is the CRS or SM. Individuals in these positions are senior reactor operators with extensive training and experience. The action

PRA 08004 Page 34 of 54 to solve problems affecting RPV inventory challenges is something they have extensive knowledge and practice with in a wide range of potential scenarios. Additionally, operators are trained on procedure 5.4FIRE-S/D as part of SRO qualification (SKL0110102) and on a two year frequency for operator requalification training (TPP-201). Therefore, it is expected that the individuals tasked with this action would be familiar with operating at the ASD panel and possess more than enough experience/training to close the SRVs.

Procedures Not available 50 Incomplete 20 Available, but poor X 5 Nominal 1 Insufficient Information 1 Procedures are considered available, but poor for this action.

Procedure 5.4FIRE-S/D contains the step for opening the SRVs immediately prior to the step to open RHR-MO-25B. However, the procedure doesnt contain the steps to close the SRVs.

The reason the procedure is considered poor, is due to the operator having to enter the knowledge based realm to determine the action to reclose the SRVs. Entry into the knowledge based realm does not mean the procedure should be considered incomplete. The experience/training and procedure guidance for opening the SRVs minimizes the impact of lack of specific actions for re-closing the SRVs.

Ergonomics/HMI Missing/Misleading 50 Poor 10 Nominal X 1 Good 0.5 Insufficient Information 1 Ergonomics are considered nominal for this action because it involves a single switch manipulation at the ASD panel. There is no need to install or remove jumpers to complete this action.

Fitness for Duty Unfit P(failure) = 1.0 Degraded Fitness 5 Nominal X 1 Insufficient Information 1 It is anticipated that the individual is able to carry out tasks.

Work Processes Poor 5 Nominal X 1 Good 0.5 Insufficient Information 0.5 Work processes should be considered good for this action based on implementation and proven use of human performance tools when plant conditions are expected to be significantly changed. It is expected that a full pre-job brief would be conducted prior to taking the plant to cold shut down via the Alternate Shutdown Cooling alignment. This would obviously enhance the ability to discuss how to minimize RPV inventory loss if low pressure injection failed.

However, because of human performance cross cutting issues highlighted in the 2007 annual assessment letter from Dwight Chamberlain (NRC) to Stewart Minahan(NPPD) dated March 3, 2008 no credit will be given in this PSF for the expected brief.

PRA 08004 Page 35 of 54 Work Processes are considered nominal for this HEP.

HEP2 - Action: 1.0E-3 x 0.1 x 2 x 1 x 0.5 x 5 x 1 x 1 x 1 = 5.0E-04 HEP2 (ACTION): 5.0E-04 HEP3, Operator fails to restore/maintain RPV level and pressure with HPCI Basic Event Summary HEP3

SUMMARY

Analysis Results: Diagnosis Action Failure Probability 5.0e-03 1.0e-04 Total HEP 5.1e-03 Plant:

Cooper Initiating Event:

Fire Requiring Control Room Evacuation Basic Event Context:

This basic event evaluates the probability of the operator failing to restore HPCI to pressure control mode of operation. This event is only considered after the operator has successfully diagnosed the RPV water level decrease (HEP1) and has closed the SRVs to prevent continued RPV inventory loss (HEP2). This HEP is evaluated as a joint HEP, involving proper diagnosis for procedure direction to restore HPCI operation and performance of the actions once identified. The time available for diagnosis and action is the time from SRVs closed (HEP2) until RPV water level boils off to the point of incipient core damage. According to the Limiting Action Timing Analysis performed for this HEP, the time available is greater than 2 1/2 hours. This is the time it takes from when SRV(s) are reclosed until incipient core damage.

The senior reactor operator making this diagnosis and performing HPCI recovery actions from the ASD panel has been utilizing procedure 5.4FIRE-S/D guidance over the previous 3 1/2 hours to maintain RPV water level using HPCI pressure control mode. This action evaluates this same operators ability to loop back to the previously successful guidance contained in 5.4FIRE-S/D and continue utilizing HPCI beyond 24-hours if necessary. This operators experience and previous success must be acknowledged when determining the knowledge based diagnosis of determining appropriate procedure guidance to follow for maintaining RPV water level.

Once the diagnosis is complete, the actions necessary are fully contained in procedure 5.4FIRE-S/D and had previously been completed successfully in order to get to the identified procedure deficiency.

The action portion of this HEP is focused on the ability to follow the identified guidance contained in 5.4FIRE-S/D for HPCI control. It is noted that when attempting to determine the risk increase

PRA 08004 Page 36 of 54 associated with the 5.4FIRE-S/D procedure error for opening RHR-MO-25B, one must assume that all manual actions to control HPCI for the first 3 1/2 hours have been completed successfully.

HEP3 - DIAGNOSIS (JOINT)

PSFs PSF Levels Multiplier for Diagnosis Available Time Inadequate Time P(failure) = 1.0 Barely adequate time (~ 2/3 x nominal) 10 Nominal time 1 Extra time (between 1 and 2 x nominal X 0.1 and > 30 min)

Expansive time (> 2 x nominal and > 30 0.01 min)

Insufficient Information 1 The minimum time available from the time three SRV(s) are closed (HEP2) until RPV water level lowers to the point of incipient core damage is greater than 2 1/2 hours. Given that the operator would have been maintaining RPV water level and pressure with HPCI via the guidance contained in procedure 5.4FIRE-S/D over the previous 3 1/2 hours and a CRS/SM fully understands the importance of RPV level control; it is expected that returning to the guidance for HPCI control will occur in a relatively short period of time. It is reasonable to assume this determination would be made within 10 minutes of closing the SRVs, justifying the potential for Expansive time available. Greater than 15 x nominal and > 30 minutes are available to diagnose. However, credit is only given for extra time due to ambiguity contained in NUREG/CR-6883 regarding the interpretation of inordinate amount of time. Extra time is selected, instead of expansive due to recovery time is less than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for this at power HEP.

Stress Extreme 5 High X 2 Nominal 1 Insufficient Information 1 High stress level is selected based upon a more than nominal level of stress existing while operating from the ASD panel and loss of injection with minimal equipment readily available.

The consequences of this task represent a threat to plant safety. Extreme stress is clearly not justified for this diagnosis, due to the expected controlled nature and time available when the diagnosis would be required. The fire is out and the plant is in a relatively stable condition, with multiple resources available.

Complexity Highly complex 5 Moderately complex 2 Nominal X 1 Obvious diagnosis 0.1 Insufficient Information 1 The complexity is considered Nominal because of the defined requirement to identify appropriate guidance for HPCI operation in the procedure, has been utilized over the prior 3 1/2 hours. From the operators point of view there are two readily available injection systems for maintaining RPV water

PRA 08004 Page 37 of 54 level, HPCI and RHR. Since, he has been following guidance for HPCI control, identified RPV inventory reduction, and closed SRVs, it is not considered difficult to find and utilize the steps in procedure 5.4FIRE-S/D. After all, he has been using these same steps over the past three hours..

Experience/Training Low 10 Nominal 1 High X 0.5 Insufficient Information 1 Experience/Training is considered High due to the fact that the individual performing this diagnosis at the ASD panel is the CRS or SM. Individuals in these positions are senior reactor operators with extensive training and experience. The action of diagnosing problems affecting RPV injection capabilities is something they have extensive knowledge and practice with in a wide range of potential scenarios. Additionally, operators are trained on procedure 5.4FIRE-S/D as part of SRO qualification (SKL0110102) and on a two year frequency for operator requalification training (TPP-201). Therefore, it is expected that the individuals tasked with this diagnosis would be familiar with operating at the ASD panel and possess more than enough training to proceed with using available guidance to restore HPCI operation.

Procedures Not available 50 Incomplete 20 Available, but poor X 5 Nominal 1 Diagnostic/symptom oriented 0.5 Insufficient Information 1 Procedures are considered Available, but poor for this diagnosis. Procedure 5.4FIRE-S/D contains steps for controlling and monitoring RPV water level using HPCI. The only reason the procedure is not considered nominal for this PSF, is due to the event based nature of it. The procedure guidance is clearly not incomplete. Given the knowledge-based realm for determining what guidance to follow includes previous success utilizing the guidance contained in 5.4FIRE-S/D, the expected procedure impact would be closer to nominal than incomplete. Additionally, HPCI operation could be based on skill alone, i.e. the operators probably dont need a procedure to start HPCI.

Ergonomics/HMI Missing/Misleading 50 Poor 10 Nominal X 1 Good 0.5 Insufficient Information 1 Ergonomics are considered nominal for this diagnosis because this diagnosis is focused on returning to appropriate procedure guidance. The procedure is available and has been utilized at the ASD panel.

Fitness for Duty Unfit P(failure) = 1.0 Degraded Fitness 5 Nominal X 1 Insufficient Information 1 It is anticipated that the individual is able to carry out tasks.

PRA 08004 Page 38 of 54 Work Processes Poor 2 Nominal X 1 Good 0.8 Insufficient Information 1 Work processes should be considered good for this diagnosis based on implementation and proven use of human performance tools when plant conditions are expected to be significantly changed. It is expected that a full pre-job brief would be conducted prior to taking the plant to cold shut down via the Alternate Shutdown Cooling alignment. This would obviously enhance the ability to diagnose the fact that RHR-MO-25B didnt open. However, because of human performance cross cutting issues highlighted in the 2007 annual assessment letter from Dwight Chamberlain (NRC) to Stewart Minahan (NPPD) dated March 3, 2008 no credit will be given in this PSF for the expected brief. Work Processes are considered nominal for this HEP.

HEP3 - ACTION (JOINT)

PSFs PSF Levels Multiplier for Action Available Time Inadequate Time P(failure) = 1.0 Time available is ~ the time required 10 Nominal time 1 Time available >= 5x the time required X 0.1 Time available >= 50x the time required 0.01 Insufficient Information 1 The minimum time available from the time three SRV(s) are closed (HEP2) until RPV water level lowers to the point of incipient core damage is greater than 2 1/2 hours. Even if it were assumed that it took 3 x nominal (10 minutes) to diagnose the appropriate procedure guidance, more than 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> would be available to restore HPCI operation. The expected action time is 10 minutes. Therefore greater than 5 x nominal is available.

Stress/Stressors Extreme 5 High X 2 Nominal 1 Insufficient Information 1 High stress level is selected based upon a more than nominal level of stress existing while operating from the ASD panel and loss of injection with minimal equipment readily available.

The consequences of this task represent a threat to plant safety. Extreme stress is clearly not justified for this action, due to the expected controlled nature and time available when the action would be required. The fire is out and the plant is in a relatively stable condition, with multiple resources available.

Complexity Highly complex 5 Moderately complex 2 Nominal X 1 Insufficient Information 1 The complexity of this action is considered nominal. Since the operator just performed these steps successfully maintaining

PRA 08004 Page 39 of 54 RPV parameters over the previous 3 1/2 hours minimum. The complexity of performing these actions has not changed from the original time performed.

Experience/Training Low 3 Nominal 1 High X 0.5 Insufficient Information 1 Experience/Training is considered High due to the fact that the individual performing this action at the ASD panel is the CRS or SM. Individuals in these positions are senior reactor operators with extensive training and experience. The action to solve problems affecting RPV inventory challenges is something they have extensive knowledge and practice with in a wide range of potential scenarios. Additionally, operators are trained on procedure 5.4FIRE-S/D as part of SRO qualification (SKL0110102) and on a two year frequency for operator requalification training (TPP-201). Therefore, it is expected that the individual tasked with this action would be familiar with operating at the ASD panel and possess more than enough experience/training to restore HPCI operation.

Procedures Not available 50 Incomplete 20 Available, but poor 5 Nominal X 1 Insufficient Information 1 Procedures are considered nominal for this action. Procedure 5.4FIRE-S/D contains the steps for restoring and operating HPCI in pressure control mode. When this action is considered, the operator has already diagnosed the appropriate procedure guidance. The same guidance had been used successfully for the previous 3 1/2 hours to get to this action.

Ergonomics/HMI Missing/Misleading 50 Poor 10 Nominal X 1 Good 0.5 Insufficient Information 1 Ergonomics are considered nominal for this action because HPCI restoration can be completed from the ASD panel.

Fitness for Duty Unfit P(failure) = 1.0 Degraded Fitness 5 Nominal X 1 Insufficient Information 1 It is anticipated that the individual is able to carry out tasks.

Work Processes Poor 5 Nominal X 1 Good 0.5 Insufficient Information 0.5 Work processes should be considered good for this action based on implementation and proven use of human performance tools when plant conditions are expected to be significantly changed. It is expected that a full pre-job brief would be conducted prior to taking the plant to cold shut down via the Alternate Shutdown Cooling alignment. This

PRA 08004 Page 40 of 54 would obviously enhance the ability to discuss how to minimize RPV inventory loss if low pressure injection failed.

However, because of human performance cross cutting issues highlighted in the 2007 annual assessment letter from Dwight Chamberlain (NRC) to Stewart Minahan(NPPD) dated March 3, 2008 no credit will be given in this PSF for the expected brief.

Work Processes are considered nominal for this HEP.

HEP3 - Diagnosis: 1.0E-2 x 0.1 x 2 x 1 x 0.5 x 5 x 1 x 1 x 1 = 5.0E-03 HEP3 (DIAGNOSIS): 5.0E-03 HEP3 - Action: 1.0E-3 x 0.1 x 2 x 1 x 0.5 x 1 x 1 x 1 x 1 = 1.0E-04 HEP3 (ACTION): 1.0E-04 TOTAL HEP3 (JOINT): 5.1E-03 HEP4, Operator fails to open RHR-MO-25B and recover/maintain RPV water level via the LPCI injection path Basic Event Summary HEP4

SUMMARY

Analysis Results: Diagnosis Action Failure Probability 4.0e-03 1.0e-03 Total HEP 5.0e-03 Plant:

Cooper Initiating Event:

Fire Requiring Control Room Evacuation Basic Event Context:

This basic event evaluates the probability of the operator failing to open RHR-MO-25B manually and restore/maintain RPV water level via Alternate Shutdown Cooling as directed by procedure 5.4FIRE-S/D. This event is only considered for potential success after the operator has successfully diagnosed the RPV water level decrease (HEP1). This action is only required if the operator fails to close SRVs or restore HPCI. The diagnosis portion for this HEP is evaluated to include the cognitive aspects of diagnosing that the cause of the RPV water level decrease is that RHR-MO-25B did not open. The action portion of this HEP is to open RHR-MO-25B manually and restore/maintain RPV level via the LPCI injection path. This action is considered successful if completed prior to the time of incipient core damage.

PRA 08004 Page 41 of 54 Timing and Key Diagnosis Information:

According to the Limiting Action Timing Analysis performed for this HEP, the time available is greater than 2 1/2 hours from the time SRVs are opened until incipient core damage. This is the limiting time that is used for this HEP. It is noted that this HEP may also be used for the sequence involving successful closing of SRVs and failed HPCI restoration. This sequence would allow an additional 40 minutes added to the already 2 1/2 hours available for this HEP, but for simplification and conservatism the limiting timing associated with failure to close SRVs is utilized.

While operating in procedure 5.4FIRE-S/D, this section of the procedure would be performed by the CRS or SM from the ASD panel. At the ASD panel there is no indication of RHR-MO-25B (RHR Loop B Inboard LPCI Injection Valve) position.

The identified problem with the procedure guidance would not affect mitigation until at least 3 1/2 hours following the event initiation, due to cool down restrictions. Prior to entering Attachment 1, Section 3 of procedure 5.4FIRE-S/D it is anticipated that a pre-job brief would be held. The plant conditions are relatively stable following a steady cool down over the past few hours, while maintaining RPV water level and pressure with HPCI. Entering Section 3 of this attachment is a change is operating conditions which would warrant a briefing per procedure 0-HU-TOOLS. When Section 3 is entered the plant will be transitioning from a stable hot shutdown condition on HPCI to an infrequently used Alternate Shutdown Cooling alignment using RHR.

The fire will be extinguished by this time and full ERO staffing would be expected (although not necessary to evaluate successful recovery).

Key RHR parameter indications and control are available at the ASD panel for the operator stationed at the ASD panel (CRS/SM). These include; RHR flow, RHR-MOV-MO27B (LPCI injection inboard) valve position/control, RHR-MOV-MO34B (valve position/control), and RHR-MOV-MO66 (B RHR HX Bypass) valve position/control. The ASD panel operator will not have RHR-MOV-MO25B valve position/control.

Key parameters for monitoring critical safety functions are available at the ASD panel or procedurally directed for monitoring from an instrument rack. RPV level indication is available at the ASD panel.

RPV pressure is available at the ASD panel when HPCI steam supply isolation valves are open, but with HPCI secured the procedure directs dispatching an operator to Rack 25-5 to monitor RPV pressure and primary containment pressure. Diagnosis of RHR-MO-25B not opening from the ASD panel was demonstrated in a simulator exercise. The procedure guidance directs throttling of SPC flow to flood up the RPV, when the operator didnt get the RHR flow and RPV level responses expected, he continued to throttle the return path to the suppression pool until he determined that RHR-MO-25B was likely closed. This diagnosis was made within 10 minutes of opening the SRVs.

Procedure 5.4FIRE-S/D, Attachment 1, Section 3 contains guidance to align the LPCI injection path from the ASD panel. However, the situation of how to address the failure of RHR-MO-25B to open is not in the procedure. The action to open the MOV manually is a skill of the craft based action.

Although, this relatively simple action is considered skill-of-the-craft, which the operator would not

PRA 08004 Page 42 of 54 be expected to have procedure guidance at hand, the guidance is available in procedure 0.31MOV. It is expected that this action will be performed by a station operator.

Key Action Information:

RHR-MO-25B is a 24 inch gate valve, with a Limitorque Model SB-3 motor operator. The maximum expected differential pressure across this valve is expected to be approximately 165 psid. This differential pressure is based on the fact that RPV pressure will be around 50 psig greater than containment pressure while the SRVs solenoids are positioned to open the valves. RHR pump discharge pressure is expected to be approximately 215 psig at RHR-MO-25B while in SPC mode.

The torque required to overcome this differential pressure is estimated to be 161 ft-lbf. This is based on calculation NEDC 95-003 required motor operator torque to open this valve at the designed differential pressure of 165 psid and the Limitorque Vendor Manual (VM 986) information regarding hand wheel ratio and torque. From NEDC 95-003, the required torque output of the actuator to open this valve under maximum design basis conditions is 1073 ft-lbf. Per the vendor manual for an SB-3 actuator with an overall ratio of 37.28, the hand wheel ratio is 11.07 and the efficiency is 60%. This results in a total torque applied at the hand wheel of 161 ft-lbf (1073/(11.07*0.6) = 161).

Manual operation of Limitorque SB-3 motor operators is an included design consideration, with manual motor disengagement and gearing to allow increased ease of human operation.

The number of hand wheel turns to open this valve is approximately 225 and the expected duration to complete this action is less than 15 Minutes from the time the order is given to attempt manual opening. Since, RHR-MO-25B is a gate valve it is expected that sufficient flow for decay heat make-up to the RPV will be available at 10% valve stroke. Decay heat levels at this time after shut down are low enough that less than 200 gpm is required to make-up for boil off.

An independent walk down of the operators travel path and RHR-MO-25B manual operating position was completed for this HRA. The results of this walk down are summarized as follows:

RHR-MO-25B Human Factors Walk down Checklist

1. Access:

a. Permanent ladder - Located at Reactor Building 903 north. It has a total of 15 rungs and the floor elevation for manual operation of RHR-MO-25B is approximately 13 - 15 feet above 903 floor elevation (i.e. - on top of the injection valve room).

PRA 08004 Page 43 of 54

b. Valve operator location (general) - The manual valve operator for RHR-MO-25B is located on top of the injection valve room in a poured concrete mezzanine area.

c. Valve operator location relative to floor - The manual operating hand wheel for RHR-MO-25B is on the south side of the motor, above the injection valve room. The hand wheel is 24 in diameter and sits in the vertical plane. The bottom of the hand wheel is 1 foot and the top is 3 feet above the floor the operating personnel would be standing on. The hand wheel has a speed handle and three spokes.

d. Lighting (emergency and normal) - Normal lighting in the area of and the path to RHR-MO-25B is good. Appendix R emergency lighting is in the area at the top of the ladder for lighting the path. Additional Appendix R emergency lighting is directed toward RHR-MO-25B operator from the north side of the valve.

e. Tripping or fall hazards in area - In order to get to RHR-MO-25B personnel would have to climb a permanent ladder from Reactor Building 903 elevation (grade level) to approximately 13 feet above grade elevation. Once at the top of the ladder the station operator must climb over some conduit running north-south, and spanning a distance of

PRA 08004 Page 44 of 54 approximately six feet. This first obstacle is immediately encountered within approximately 6 feet of the top of the ladder.

Once on the other side of the conduit, the operator proceeds south approximately 10 feet and then he/she must go under a conduit east-west run, which is approximately 3 feet off the floor and spans a negligible travel path length. Continuing south another few feet a concrete beam, which forms a short tunnel will be encountered. This tunnel like structure is approximately 4 feet tall, 6 feet wide, and 6 feet travel path.

Once on the other side of this concrete beam, the operator will be in an open area with two similar MOV(s) extending above the floor he/she is standing.

PRA 08004 Page 45 of 54 As the station operator faces south the MOV to his right is RHR-MO-27B and the MOV to his left is RHR-MO-25B. Concrete square cut-outs exist around these MOV(s), presenting a potential fall/trip hazard if caution is not used. These cut outs are approximately 4 feet square and marked with yellow-magenta tape on the floor completely surrounding each square. A walking path exists between the two MOV(s) consisting of a path approximately 2 feet wide and 4 feet long (travel path); with the square cut-outs for the valves border this path.

2. Valve identification:

a. Location relative to similar motor operators - RHR-MO-27B is relatively close to this valve and the operator is similar.

b. Labeling - RHR-MO-25B is well labeled.

PRA 08004 Page 46 of 54

c. Valve location relative to operator (can the valve position be checked from the operating location?) - Valve position indicator directly above the manual hand wheel is clearly visible, but mechanically disconnected. The indicator reads zero stem travel (although this reading is meaningless. Monitoring the stem surface is the typical method used by Operators during periodic surveillances, they are accustomed to this method, and procedure 0.31MOV addresses the fact that local dial indicators are not a relied upon means for determining valve position. Stem indication at the top of the motor is covered by a pipe cap, providing no indication of valve position. The gland area of the valve is clearly visible by looking through the cut-out around the valve, down into the injection valve room. The stem portion in the yoke area immediately above the gland packing follower would begin to show a non-threaded (smooth) portion of the stem as the valve is opened and only threads (no smooth portion) if not open.

3. Operating characteristics:

a. Distance from floor to bottom and top of valve hand wheel - Bottom of hand wheel is 1 foot above the floor and top is 3 feet above the floor.

b. Interferences which may affect ability to apply torque to hand wheel - No interferences with manual operation.

c. Location relative to human interface -The valve hand wheel is in a good location to apply quite a bit of torque.

d. Labeling for disengagement of motor - Declutching mechanism handle has an arrow built into the handle itself, indicating the direction to push. It also has a red metal sign attached, describing manual operation.

PRA 08004 Page 47 of 54 HEP4 - DIAGNOSIS (JOINT)

PSFs PSF Levels Multiplier for Diagnosis Available Time Inadequate Time P(failure) = 1.0 Barely adequate time (~ 2/3 x nominal) 10 Nominal time 1 Extra time (between 1 and 2 x nominal X 0.1 and > 30 min)

Expansive time (> 2 x nominal and > 30 0.01 min)

Insufficient Information 1 The minimum time available from the time three SRV(s) are open RPV water level lowers to the point of incipient core damage is greater than 2 1/2 hours. This is the time assuming the operator takes no action to reclose SRV(s) to extend the time available. It is reasonable to assume this determination would be made within 30 minutes of opening the SRVs, simulator observed time was 10 minutes. Greater than 5 x nominal and > 30 minutes are available to diagnose. However, credit is only given for extra time due to ambiguity contained in NUREG/CR-6883 regarding the interpretation of inordinate amount of time. Extra time is selected, instead of expansive due to recovery time is less than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for this at power HEP.

Stress Extreme 5 High X 2 Nominal 1 Insufficient Information 1 High stress level is selected based upon a more than nominal level of stress existing while operating from the ASD panel and loss of injection with minimal equipment readily available.

The consequences of this task represent a threat to plant safety. Extreme stress is clearly not justified for this diagnosis, due to the expected controlled nature and time available when the diagnosis would be required. The fire is out and the plant is in a relatively stable condition, with multiple resources available.

Complexity Highly complex 5 Moderately complex X 2 Nominal 1 Obvious diagnosis 0.1 Insufficient Information 1 The complexity is considered Moderate because of the defined requirement to identify that RHR-MO-25B did not open. The only reason this is not considered Nominal complexity is because there is some ambiguity in what needs to be diagnosed. The valve position indication for RHR-MO-25B is not available remotely at the ASD panel. However, procedure direction will result in available parameters not responding as expected. With only one injection path available and all other valve indications and key RPV parameters available this task clearly would not be very difficult.

Experience/Training Low 10 Nominal 1

PRA 08004 Page 48 of 54 High X 0.5 Insufficient Information 1 Experience/Training is considered High due to the fact that the individual performing this diagnosis at the ASD panel is the CRS or SM. Individuals in these positions are senior reactor operators with extensive training and experience. The action of diagnosing problems affecting RPV injection capabilities is something they have extensive knowledge and practice with in a wide range of potential scenarios. Additionally, operators are trained on procedure 5.4FIRE-S/D as part of SRO qualification (SKL0110102) and on a two year frequency for operator requalification training (TPP-201). Therefore, it is expected that the individuals tasked with this diagnosis would be familiar with operating at the ASD panel and possess more than enough training to proceed with using available equipment, indications, and staff to identify this failure Procedures Not available 50 Incomplete 20 Available, but poor 5 Nominal X 1 Diagnostic/symptom oriented 0.5 Insufficient Information 1 Procedures are considered nominal for this diagnosis.

Procedure 5.4FIRE-S/D contains steps for controlling and monitoring RPV water level which readily enhance the ability to diagnose the failure of RHR-MO-25B to open (Steps 3.1.3.6 -

3.1.3.10 and proceeding notes). These are the steps performed directly following the RHR-MO-25B failure to open.

There is nothing contained in this procedure which would confuse or impede performance of this diagnosis. The identified procedure deficiency does not impede the diagnosis of the valve failing to open. Although this deficiency may impede diagnosis of the exact reason RHR-MO-25B didnt open, the exact reason for the valve not opening is not required for this recovery.

Ergonomics/HMI Missing/Misleading 50 Poor 10 Nominal X 1 Good 0.5 Insufficient Information 1 Ergonomics are considered nominal for this diagnosis because key valve indications are available at the ASD panel, with the exception of RHR-MO-25B. Additionally, all key RPV parameters are monitored and available to the operator at the ASD panel. RPV level and RHR flow indications are available at the ASD panel. RPV pressure is available from the ASD panel when the HPCI steam supply isolation valves are open, but would most likely be reported via the operator dispatched to monitor this indication at Rack 25-5.

Fitness for Duty Unfit P(failure) = 1.0 Degraded Fitness 5 Nominal X 1 Insufficient Information 1 It is anticipated that the individual is able to carry out tasks.

Work Processes Poor 2 Nominal X 1

PRA 08004 Page 49 of 54 Good 0.8 Insufficient Information 1 Work processes should be considered good for this diagnosis based on implementation and proven use of human performance tools when plant conditions are expected to be significantly changed. It is expected that a full pre-job brief would be conducted prior to taking the plant to cold shut down via the Alternate Shutdown Cooling alignment. This would obviously enhance the ability to diagnose the fact that RHR-MO-25B didnt open. However, because of human performance cross cutting issues highlighted in the 2007 annual assessment letter from Dwight Chamberlain (NRC) to Stewart Minahan (NPPD) dated March 3, 2008 no credit will be given in this PSF for the expected brief. Work Processes are considered nominal for this HEP.

HEP4 - ACTION (JOINT)

PSFs PSF Levels Multiplier for Action Available Time Inadequate Time P(failure) = 1.0 Time available is ~ the time required 10 Nominal time 1 Time available >= 5x the time required X 0.1 Time available >= 50x the time required 0.01 Insufficient Information 1 The minimum time available from the time three SRV(s) are opened until incipient core damage is reached (assuming the SRVs are not re-closed) is greater than 2 1/2 hours. The estimated time to complete this action is less than 15 minutes.

With a nominal diagnosis time of 30 minutes, the joint nominal time is less than 45 minutes. This leaves 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> available to perform the action. Therefore, much greater than 5 x nominal required time is available to perform.

Stress/Stressors Extreme 5 High X 2 Nominal 1 Insufficient Information 1 High stress level is selected based upon a more than nominal level of stress existing while operating following a fire which caused control room evacuation and loss of injection with minimal equipment readily available. The consequences of this task represent a threat to plant safety. Extreme stress is clearly not justified for this action, due to the expected controlled nature and time available when the action would be required. The fire is out and the plant is in a relatively stable condition, with multiple resources available.

Complexity Highly complex 5 Moderately complex 2 Nominal X 1 Insufficient Information 1 The complexity of this action is considered nominal. There are few actions required to check the valve locally, disengage the motor, and open the valve manually.

Experience/Training Low 3

PRA 08004 Page 50 of 54 Nominal X 1 High 0.5 Insufficient Information 1 Experience/Training is considered Nominal due to the fact that the individual performing this action is a station operator. All operators receive training on the complete Watchstanding Principles (SKL008-01-01) lesson prior to becoming qualified.

This training has as an enabling objective to, Demonstrate proper method for manual operation of a limitorque valve.

The lesson plan provides good detail on manual operation of motor operated valves similar to RHR-MO-25B. Portions of this training are reviewed on a yearly basis. Although manual opening of large MOV(s) is not a common activity for which exposure in day-to-day operations would be expected, it is a relatively simple operation for which formal training has been received and reviewed on a periodic basis.

Procedures Not available 50 Incomplete 20 Available, but poor X 5 Nominal 1 Insufficient Information 1 The procedures available for operating RHR-MO-25B locally are Procedure 0.31MOV and Vendor manuals containing instructions for manual operation of Limitorque motor operators. These procedures are not component specific, but would apply to RHR-MO-25B operator. Procedures are considered Available, but poor for this action. This action is considered skill of the craft, but it would not be appropriate to consider procedures not available. The ERO would have this information available to assist if problems were encountered with this action.

Ergonomics/HMI Missing/Misleading 50 Poor 10 Nominal X 1 Good 0.5 Insufficient Information 1 Ergonomics are considered nominal for this action because it involves a single valve manipulation locally. The valve is relatively easy to get to and labeling is good. Although the location, indicators, and labeling associated with RHR-MO-25B do not enhance performance, they dont negatively affect a task typically expected to be carried out successfully by a station operator.

Fitness for Duty Unfit P(failure) = 1.0 Degraded Fitness 5 Nominal X 1 Insufficient Information 1 It is anticipated that the individual is able to carry out tasks.

Work Processes Poor 5 Nominal X 1 Good 0.5 Insufficient Information 0.5 Work processes should be considered good for this action based on implementation and proven use of human

PRA 08004 Page 51 of 54 performance tools when plant conditions are expected to be significantly changed. It is expected that a full pre-job brief would be conducted prior to taking the plant to cold shut down via the Alternate Shutdown Cooling alignment. This would obviously enhance the ability to discuss how to minimize RPV inventory loss if low pressure injection failed.

However, because of human performance cross cutting issues highlighted in the 2007 annual assessment letter from Dwight Chamberlain (NRC) to Stewart Minahan(NPPD) dated March 3, 2008 no credit will be given in this PSF for the expected brief.

Work Processes are considered nominal for this HEP.

HEP4 - Diagnosis: 1.0E-2 x 0.1 x 2 x 2 x 0.5 x 1 x 1 x 1 x 1 = 4.0E-03 HEP4 (DIAGNOSIS): 4.0E-03 HEP4 - Action: 1.0E-3 x 0.1 x 2 x 1 x 1 x 5 x 1 x 1 x 1 = 1.0E-03 HEP4 (ACTION): 1.0E-03 TOTAL HEP4 (JOINT): 5.0E-03 Complete HEP for Recovery and Dependency Analysis All actions evaluated are completely dependent on HEP1 (Diagnosis of RPV Level), but this dependency is addressed explicitly in the event tree (i.e. failure of HEP1 goes to core damage).

From Figure A, a possibility may exist where diagnosis of RHR-MO-25B failure to open and take action to manually open (HEP4) is dependent upon either HEP2 (action to close SRVs) or HEP3 (action to restore HPCI).

In evaluating the dependency of HEP2 failure to close SRVs on HEP4 the following answers to the dependency condition table were obtained.

Dependency Condition Table for HEP4 with respect to HEP2 Dependency Expected Overall Basis Condition Result Condition It is expected that the same crew would be operating Crew (same or that made failed to close SRVs prior to RPV water 7 = Low Same different) level dropping below the Top of Active Fuel (TAF) Dependence indicated.

Time (close in Not Close Since, close in time indicates that the two human time or not close action events occur within a few minutes of each in time) other, these are not considered close in time. The time for RPV water level to reach TAF indicated is 40 minutes after the SRVs were opened. The time available to diagnose and manually open RHR-MO-

PRA 08004 Page 52 of 54 25B from the time SRVs were opened is over 2 1/2 hours. More than a few minutes separate these actions.

A portion of the diagnosis that RHR-MO-25B didnt Location (same open and the action to manually open it would occur Different or different) locally at the valve. The HEP2 action to close SRVs is accomplished solely at the ASD panel.

The determination that RHR-MO-25B is closed uses Cues (additional RHR flow and valve indications as additional cues, Additional or no additional) where as HEP2 only requires RPV water decreasing indication.

For Low Dependence, the probability of failure of HEP4 with formal dependence on HEP2 is (1 + 19 x HEP4)/20 = (1 + 19 x 5.0E-03)/20 = 5.48E-02 In evaluating the dependency of HEP3 failure to restore HPCI on HEP4 the following answers to the dependency condition table were obtained.

Dependency Condition Table for HEP4 with respect to HEP3 Dependency Expected Overall Basis Condition Result Condition Crew (same or It is expected that the same crew would be operating Same different) that failed to restore HPCI.

These events are considered close in time, because it Time (close in is anticipated that RHR-MO-25B troubleshooting and time or not close Close HPCI restoration may occur in parallel. Additionally, in time) these actions have the same time available A portion of the diagnosis that RHR-MO-25B didnt 4 = High Location (same open and the action to manually open it would occur Dependence Different or different) locally at the valve. The HEP3 action to restore HPCI is accomplished solely at the ASD panel.

The determination that RHR-MO-25B is closed uses Cues (additional RHR flow and valve indications as additional cues, Additional or no additional) where as HEP3 only requires RPV water decreasing indication.

For High Dependence, the probability of failure of HEP4 with formal dependence on HEP3 is (1 +

HEP3)/2 = (1 + 5.1E-03)/2 = 5.03E-01 Figure B presents the final overall HEP for recovery from the procedure deficiency in procedure 5.4FIRE - S/D. This figure includes the formal dependency and concludes that the best estimate for the total human error probability is 3.59E-03. It is noted that even if complete dependency were assumed for HEP4 in relation to HEP2 and HEP3 the total HEP will still only be 6.59E-03.

PRA 08004 Page 54 of 54 Ref 3: Emergency Procedure 5.4FIRE-SD, FIRE INDUCED SHUTDOWN FROM OUTSIDE CONTROL ROOM, Rev 14, dated 3/26/2007 Ref 4: Conduct Of Operations Procedure 2.0.3, CONDUCT OF OPERATIONS, rev 57, dated 3/5/2007 Ref 5: Emergency Plan Implementing Procedure 5.7.1, EMERGENCY CLASSIFICATION, rev 35, dated 2/22/2007 Ref 6: Emergency Plan Implementing Procedure 5.7.2, EMERGENCY DIRECTOR EPIP, rev 22, dated 12/29/2005 Ref 7: Emergency Plan Implementing Procedure 5.7.7, ACTIVATION OF TSC, Rev 31, dated 6/16/2006 Ref 8: letter to Vas Bhardwaj and Demetrius Willis from John G. Austin; dated: March 26, 2008;

Subject:

TSC/OSC Activation Times Ref 9: CR-CNS-2007-06151, CA 003; Perform Timeline Validation of Procedures 5.4FIRE-SD and 5.4POST-FIRE, completed 3/24/2008 Ref 10: Administrative Procedure 0-HU-TOOLS, HUMAN PERFORMANCE TOOLS, ref 4, dated 12/13/2006 Ref 11: email from Duane Wenginger to Kent Sutton and Harry Hitzel dated March 4, 2008,

Subject:

RHR-MO25A/B flow per HWT.

Ref 12: email from Duane Wenginger to Virgil Furr and Harry Hitzel dated March 13, 2008,

Subject:

RHR-MOV-MO25A/B handwheel torque.