Responds to RAI Re Plant IPE Rept & GL 88-20

ML20117K612
Person / Time
Site:	Prairie Island
Issue date:	09/05/1996
From:	Wadley M NORTHERN STATES POWER CO.
To:	NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
GL-88-20, TAC-M74454, TAC-M74455, NUDOCS 9609120048
Download: ML20117K612 (38)
v • d • e

Text

!

Northern States Power Company Prairie Island Nuclear Generating Plant 1717 Wakonade Dr. East Welch, Minnesota 55089 September 5,1996 Generic Letter 88-20 U S Nuclear Regulatory Commission Attn: Document Control Desk Washington, DC 20555 PRAIRIE ISLAND NUCLEAR GENERATING PLANT Docket Nos.50-282 License Nos. DPR-42 50-306 DPR-60 Response to Request for Additional Information Related to the Prairie Island Individual Plant Examination Reoort (TAC Nos. M74454 and M74455)

We submitted for NRC staff review the Prairie Island Individual Plant Examination Report (IPE) and a subsequent response to a Request for Additional Information, both ,

in response to Generic Letter 88-20. On August 2,1996 the NRC issued another

]

Request for Additional Information regarding our submittals. Attachments 2 and 3 to this letter provide the information requested.

In this letter we have made no new Nuclear Regulatory Commission commitments.

Please contact Jack Leveille (612-388-1121, Ext. 4662) if you have any questions ,

related to this letter.

kNLM Michael D Wadley bh L i

l Plant Manager '

Prairie Island Nuclear Generating Plant c: Regional Administrator- Region Ill, NRC Senior Resident inspector, NRC NRR Project Manager, NRC J E Silberg Attachments:

If$oo$05000292 PDR P

1) Affidavit M"'~

2) Response to Request for AdditionalInformation Related to the Prairie Island Individual Plant Examination Report /

3) Detailed HRA Using Swain /; g'7,77 [/

e l >

l .

1 l i UNITED STATES NUCLEAR REGULATORY COMMISSION NORTHERN STATES POWER COMPANY PRAIRIE ISLAND NUCLEAR GENERATING PLANT DOCKET NO. 50-282 50-306

GENERIC LETTER 88-20, INDIVIDUAL PLANT EXAMINATION l

FOR SEVERE ACCIDENTVULNERABILITIES - 10 CFR 50.54(f)

Northern States Power Company, a Minnesota corporation, with this letter is submitting information requested by NRC Generic Letter 88-20.

This letter contains no restricted or other defense information.

NORTHERN STATES POWER COMPANY BY /YlA {L O Michael D Wadley Plant Manager Prairie Island Nucle r Generating Plant On this day ok before me a notary public in and for said County, personally appiarpfiMichael D Wadley, Plant' Manager, Prairie Island Nuclear Generating Plant; and being first duly sworn Mcknowledged that he is authorized to execute this document on behalf of Northern States Power Company, that he knows the contents thereof, and that to the best of his kno edge,information, an belie the stat nt ade in it are true nd that it is not interposed for delay.

/

- t/

v - -

NOTAAYPUOUCAmmEtts HOMEP98 COUNTY WyCounisoien Eq*esJan.31, togs w-:: ::::.:.::::::.:::::: : :::::::;a l GL8820-5. DOC

l

• l 1

1 l

Response to Request for Additional Information Related to the i Prairie Island Individual Plant Examination Report

1. Additional information is needed regarding the relationship between the I screening analysis for post-initiator events and consideration of dependencies. It appears that for events receiving human reliability analysis (RRA) beyond the screening analysis (presumably in surviving cutsets), important dependencies were considered and appropriately treated. However, it is not clear that dependencies related to events set at screening values during initial quantification were taken into account. This issue exists because of the relatively low screening l values assigned. Table 3.3-10 lists 17 human actions and many have i l screening values of 1.0E-3 to 1.0E-4 assigned. Such low levels could l easily lead to cutsets being truncated, particularly if multiple human i actions appear in a cutset. In other words, when such low screening i values are used, it is insufficient to only consider dependencies after initial quantification. It is unclear from the response to the staff's RAI, dated December 21, 1995, whether dependencies were considered prior to the truncation of non-dominant cutsets.

i

! (a) Please describe how potential dependencies between events in the fault and event trees were handled for the initial quantification.

! In order to determine if dependencies existed between any operator actions that were included in the fault trees or were added from the I event trees during sequence quantification, each operator action was I examined when it was calculated to determine which operator actions were i dependent due to the same cognitive process. Those actions that were determined to use the same cognitive process were given large screening values to ensure that they were not truncated from the final core damage l sequence equation. The final values of these operator actions were then j l later set to the values which appear in Tables 3.3-3, 3.3-4 and 3.3-10. '

Those operator actions that were judged to not use the same cognitive process were left at their screening values or were given detailed HRA treatment depending on their affect on the overall CDF. It should be j noted that of the 17 human actions that are listed in Table 3.3-10, 11 do appear in the final CDF or containment failure sequence equations.

The 6 that do not are listed below:

APNL17XXXY - Operator Fails To Transfer Power To Panel 117 When Required j APNL217XXY - Operator Fails To Transfer Power To Panel 217 When Required LFL11XXXXY - Operator Fails To Align Filter Train 11 LVA31198XY - Operator Fails To Close CV-31198 SOPCLTOAFY - Operator Fails To Align Cooling Water To AF Pumps (Condensate Supply Lost)

SVMALTRETY - Operator Fails To Manually Align Alt. Return Path For CL Train A And/Or B A review of the IPE logic modeling for these events shows that they are unlikely to ever be involved in risk significant sequences, since they must fail in combination with failures of highly reliable components i

l-________. .- --

l e Attachment 2 Pega 2 of 8 ,

I i (tanks, DC panels, AC inverters backed by an alternate AC source, i filters, etc).

(b) Presumably, all of the human actions modeled in the fault and l event trees were assigned screening values during the initial quantification. Were sequences containing human actions with screening values eliminated without potential dependencies ever being considered? If so, please discuss the potential impact such exclusion may have had on the results of the IPE and provide the l basis for assuming that it was unnecessary to take such i

dependencies into account (if this was the case).

See the response to part (a) above as to the treatment of dependencies.

2. The submittal and the response to the RAI indicate that five human actions received detailed analysis with Techniques for Human Error Rate Prediction (THERP) (NUREG/CR-1278), but no examples demonstrating the derivation of the HEPs for these events were provided. Table 3.4-6 1

, indicates that diagnosis time was not assumed to be applicable for at  ;

l least two of these events, including transfer to low head and transfer

! to high head recirculation. Clearly, the available response time is limited for these events, particularly for the high head case during a i medium loss-of-coolant accident (LOCA), where actions are required

( outside the control room. Apparently,

• piggy-backing" of the high head pumps on the low head pumps is required in the scenarios requiring high ,

head recirculation and some of these actions must take place outside the control room.

l (a) For all five events receiving detailed quantification with THERP, i please provide detailed illustrations of how the human error l probabilities (HEPs) were derived. Please note which tables from THERP or ASEP (NUREG/CR-4772, Accident Sequence Evaluation Program l (ASEP) HRA Procedure) were used to obtain the relevant HEPs and provide the basis for why the resulting values are appropriate.

I i A copy of the actual calculations performed for the IPE are included as l

Attachment 3. The calculations reference the tables that were used and provide the basis for all aspects of the calculations.

l (b) For the events with limited time available (particularly the

switchover to recircustir.n events), please provide the rationale

[ for why the annunciator response model from THERP or ASEP would be

! appropriate and illustrate how the impact of available time was l factored into the resulting HEPs.

The rationale for the use of the annunciator response model is provided in Attachment 3. Available time was initially considered in the calculations for the five events analyzed with THERP by reviewing the timing that was determined for the ASEP calculation. This information was used as the starting point for the THERP calculations and is

provided in the table included in the response to Question 2c. The timing assumptions for the THERP calculations are included in the

• Attacivwnt 2

, Paga 3 of 8 s

attachment. Even though the annunciator response model was used in the calculation for the three switchover to recirculation events, the time based claw response model was used to calculate the initial diagnosis l error included in the calculation for medium and large LOCA events. The l time based crew response model was not included in the calculation for switchover to recirculation during a small LOCA due to the large amount of time available to diagnose that a small LOCA is occurring prior to i the RWST low level alarm coming in. The alarm response model for the l SGTR event is appropriate because the operators are well trained to l associate the condenser air ejector radiation monitor Ligh alarm with a SGTR.

l (c) For all five events please report the amount of time assumed to be l available and the time assumed to be necessary to complete the l actions. Some of this information was included in the response to i Question 8 of the RAI, but was incomplete. Please complete the l table. Also, please describe how time was considered in determining the HEPs, and describe the actions required for success. In particular, for those actions requiring ex-control room activities, describe the actions required and the times assumed to be needed.

Table 1 below provides information on the five specific post-initiator human events that were analyzed using THERP. As stated in the response to HRA Question 8 in the first RAI on the Prairie Island IPE, the table below best fits the analysis that was done using the ASEP methodology.

A similar concept was used for the more realistic THERP calculations, except multiple diagnosis errors could apply to one human error ,

probability calculation and tne annunciator response model was used. In l an attempt to fulfill your request, the conservative times used in the ASEP calculation for the five human events of interest are provided in the table below. Some of the values given in the table were calculated l for this response because the exact value was not necessary for the particular calculation when it was being performed. For example, it was sufficient to know that the diagnosis time for a small LOCA is large and it wasn't necessary to know it was 74 minutes. The information provided

! in the table is for your information and may not necessarily match the l assumptions used in the THERP calculations. The ASEP calculations were superseded by the more realistic THERP calculations. The timing used in the THERP calculations is given in the Attachment 3.

l l

l

l

+

l Attachment 2 j Paga 4 of 8 )

( . I

4 The equation used for t.he timing portion of the ASEP analysis is given j below.  !

1 To = T - T o - T.

where, To - Time available for diagnosis T, = Latest time event can be completed T o - Time compelling signal is received T - Time required to complete action TABLE 1 l l

Task To T. Ta Ta Value Basis Value Basis Value Basis Value 3 asis Small LOCA Transfer to 162 A 246 B 10 C >74 D,E  !

Recirc Medium LOCA Transfer to 41 A 67 B 10 C >16 D,E Recire Large LOCA Transfer To 21 A 31 B 6 C >4 D,E Recirc C/D & Depr RCS to 0 F 49 G 38 H 11 D Prevent SG Overfill ,

C/D after SG Overfill, 24 I 384 B 214 J 146 D I But Prior To Depleting  ;

RWST Inventory I All times in the table are in minutes, i 1

Notes for Basis Column (letters below correspond to letter in the table):

A. This is the amount of time af ter the initiating event that the low RWST  ;

level annunciator alarms. The values are based on a MAAP runs, except for the i medium LOCA time, which is based on a hand calculation. In reality, there are signs that a LOCA is taking place prior to the alarm coming in.

B. This is the amount of time after the initiating event that the RWST is emptied if two RHR pumps (large LOCA only), two SI pumps and two containment spray pumps (medium and large LOCA only) or two SI pumps only (small LOCA) are drawing water from the RWST at all times. This gives the shortest times for draw down of the RWST inventory.

C. Estimate based on ASEP Table 8-1 (NUREG/CR-4772) and consultation with previously SRO licensed Engineer. l D. Value calculated from other three values in the same row as described in response to HRA Question 8 of the first RAI. l E. This value represents a conservative estimate of the amount of time the operator has to diagnose that a LOCA is taking place, because it only takes into account Mme af ter the low RWST level annunciator alarms.

F. Alarm R-15 is received early in the accident. The operators are trained to associate the alarm with a tube leak.

G. Estimate of when steam generator overfill occurs based on the results of a MAAP run. .

H. From an ASEP calculation, where estimated time to complete all actions is based on a table top walk through of the required steps by a previously SRO licensed engineer. This was one of the few instances in our ASEP calculations that we did not strictly follow ASEP table 8-1 for timing considerations and i

-- . _ . . ~ --. -. , . - - .

Attachment 2 e Psga 5 of 8 gave heavier weight to an experienced engineer's estimate. The estimate is conservative when compared to the estimate of 30 minutes for the same actions provided in the Prairie Island ' Design Basis Document For The Accident Analysis Topical DBD", DBD-TOP-01.

I. It may have been more appropriate to use zero for the reason described in Note F. However, since there is so much time available, 24 minutes was considered to be a conservative estimate (following ASEP methodology) of the time when the point in the procedure is reached that directs the operator to EOP procedure IE-3. They are directed to this procedure because the condenser air ejector radiation would not be at normal levels, J. Assumed 180 minutes to cool down from post trip temperature and pressure to shutdown cooling temperature and pressure. An additional 34 minutes performing actions associated with procedure 1E-3 was assumed.

The last part of this question concerned ex-control room activities.

With respect to the five events included in the table above, only one (transfer to high head recirculation) requires operator action outside the control room for success. The operators follow a single emergency procedure to accomplish the transfer to recirculation function, l regardless of RCS pressure. Although there are some outplant housekeeping actions in that procedure, success does not hinge on the

( success of those housekeeping actions. There are no other actions that must be performed outside the control room to accomplish the switchover to low head recirculation activity or the SGTR activities discussed above. All valves that must change position for successful switchover to low head recirculation can be operated from the control room.

However, in establishing high head recirculation, the breaker for the RHR Supply To SI Pump Isolation Valves for at least one train must be turned "on" locally at the Motor Control Center (MCC). The MCC is located in the Auxiliary Building. This is discussed further in the

! response to Question 2d.

The control room actions for transfer to high head recirculation for the IPE were based on procedure 1ES1.2, Rev. 7 and are summarized below up to the point that SI re-initiation occurs after the switchover:

1. Stop Spent Fuel Pool Ventilation System and notify out clant

onerator to place four Mcc breakers to on (this is the only ex-I control room action required for success).

2. Reset SI.

l 3. Check if both trains of safeguard pumps are available for recirculation.

i 4. Stop one train of safeguards pumps.

l 5. Close SI Test Line To RWST Valves.

6. Open Sump B To RHR Isolation Valves For Idle RHR Pump.

7. Close RWST To RHR Isolation Valve For Idle RHR Pump.

8. Verify RHR To Reactor Vessel Nozzle Valves are open.

9. Start idle RHR Pump.

10. Check if RCS pressure is less than 100 psig. (If no then skip to step 13) i 11. (Skipped]

i 12. (Skipped)

13. Close SI Pump Suction Isolation Valve For Idle SI Pump 2

- _ _ - . = . . . - - . . - _ ~ _ . . . ~ _ . . . . ~ - . .- . .. . _ _

AttacNnent 2

, Paga 6 of 8

14. Open RHR Supply To Idle SI Pump Isolation Valve

15. Start Idle SI Pump.

The actions for low head recirculation were the same as above up to Step 9 when low pressure injection is reinitiated (the activity is considered successful at that point), except that the action to notify the out plant operator is not necessary for success.

(d) The HEP for switching over to recirculation during a medium LOCA

! apparently includes actions outside the control room. Be sure to discuss the basis for the relatively low HEP (0.0027) assigned to I this event.

As described in the response to Question 2c, there is one set of actions l that must be performed outside the control room to successfully j switchover to high head recirculation. High head recirculation is i assumed to be required for small and medium LOCAs. The required set of l actions is to unlock and place the MCC breakers that supply power to the l RHR To SI Pump Isolation Valves to "ON". This is part of che first step l of the procedure for transfer to recirculation, and is performed by an out plant operator normally located at the Auxiliary Building Control j Station. The MCC is within approximately 50 to 60 feet of the Auxiliary j Building Control Station and there is a direct path with no obstructions to the MCC. The cubicles that need to be turned on are painted red (all the others are gray) and the key to unlock each MCC breaker is in a box attached to the cubicle. This action can easily be accomplished within l the 10 - 25 minutes timeframe required for a medium LOCA. The action l

does not need to be completed until the valve is opened which is just prior to restarting the SI pump. Restarting the SI pump is the last action needed to begin SI flow. The details of the calculation performed to determine the HEP for this event are provided in Attachment 3.

For all the transfer to recirculation events, the calculations are performed assuming switchover must be completed by the time the RWST is empty in order for the action to be successful. From a timing standpoint, it is only necessary to stop the pumps that are injecting by then so they are not damaged. It would be acceptable for injection to be reestablished shortly after that. Therefore, from a timing standpoint, there is more time than our calculations show to complete the local actions that are necessary for switchover to high head recirculation.

(e) In illustrating the derivation of the HEPs for the five events, please make it clear which factors drive the differences between the obtained HEPs.

I

! The major differences between the HEP calculations for the three j switchover to recirculation events have to do with the actions necessary

to establish recirculation, whether the duration of the accident is sufficient to take credit for recovery, and the amount of time between the low RWST alarm and the RWST being pumped dry if no action is taken.

. Attachment 2 Pa3a 7 of 8 The shortest time between the low RWST alarm and the RWST becoming empty occurs in the case of a large LOCA. However, there are fewer actions required to perform switchover to low head recirculation, and no outplant operator actions are necessary. It takes more time to initiate high head recirculation for small and medium LOCAs, but there is also more time to perform the activity after the low RWST alarm comes in.

The details of these calculations are provided in Attachment 3.

The main differences between the HEP calculations for the SGTR actions is that one event (SGTRXXEC3Y) is conditional on the other (SGTRXXXCDY) ,

and that SGTRXXEC3Y has much more time available for operator success than SGTRXXXCDY has. The details of these calculations are provided in Attachment 3.

3. The response to the RAI suggests in the answer to Question 15 that the annunciator response model was applied to events other than the five discussed in Question 2 above. Please list which events were quantified with the annunciator response model and which were quantified with the time-based crew response model. Also, please provide the timing parameters assumed in quantifying all response type events and discuss reasons for assuming that the annunciator response model was appropriate for events with less than 30 minutes diagnosis time.

The human actions given in Table 3.3-3 of the IPE report were reviewed for this question. The only events listed in that table that used the annunciator response model were the five events discussed in the response to Question 2.

They include the two events to cool down and depressurize the RCS to stop a steam generator tube rupture (SGTRXXXCDY and SGTRXXEC3Y) and the three events involved in switchover to sump recirculation (HRECIRCSMY, HRECIRCXXY, and RRECIRCXXY). The calculation of the HEP for all five events are included as Attachment 3. All the other events in the table were calculated using the time based crew response model. See the response to Question 2b for a discussion of events calculated using the annunciator response model with less than 30 minutes diagnosis time .

4. The submittal and response to the RAI indicate that all recovery values were derived from NSAC-161. However, it can be argued the nature of the grouping of different recoveries in NSAC-161 is fairly " coarse". In fact, in many cases the grouping appears to be

• mixing apples and oranges". Please provide a discussion of the derivation process for recovery HEPs (cover at least two examples in detail) and provide the rationale for assuming the values in NSAC-161 are appropriate. This question does not imply that the HEPs listed for the recovery events are necessarily unreasonable. The issue is the basis for the selected HEPs.

The two example HEPs selected are from Table 3.3-4 of the IPE submittal and are recovery actions BMC93XXRCV (Failure To Locally Recover Either MV-32093 Or MV-32094) and LOCLRECXXV (Failure To Recover Cooling Water System). For both of these recoveries, MAAP runs were performed to analyze the time available for the performance of these recovery actions. In the case of BMC93XXRCV, MAAP runs indicate that core damage occurs approximately 6.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> after the small LOCA initiating event occurs, the Refueling Water Storage Tank (RWST) is pumped empty and I

- . . . - . ._. - _ -. . ~ . . . - - - . - - - - . ~ . _ _ - __

l .

Attachment 2 l Page 8 of 8 l .

l l

\ .

recirculation fails. This is an ample amount of time to locally open j either of the Component Cooling (CC) water motor operated supply valves to the RHR heat exchangers using the handwheels located on each valve.

The valves are both located in easily accessible locations that do not require ladders or scaffolding. Control room indication is available to l indicate if the valves have not opened. The data from NSAC-161 were l examined to judge the applicability of the failures to Prairie Island.

Of the 6 valve failures in the database that are attributable to motor operated valve failures, 4 of the events were recovered within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> while the remaining two events involved replacing failed motors which necessitated recovery times outside the 6.5 hour5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> core damage envelope.

In this case, a value of 0.25 (from NSAC-161, Figure 3.2-2) as the i probability of failure to recover either of two valves is deemed to be l acceptable and conservative.

! In the case of LOCLRECXXV, a specific MAAP case modeling the loss of I cooling water was not available. Therefore, it was conservatively equated with a loss of all feedwater, as main feedwater and bleed and feed would be lost following failure of all cooling water, but Auxiliary Feedwater (AFW) would be available to provide secondary cooling which would lengthen the time to core damage. MAAP runs indicate that core damage occurs approximately 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> following a loss of all feedwater.

The cutsets for the cooling water fault tree were reviewed to determine the most likely means to fail the cooling water system. Strainer plugging and pump failures to run were determined to be the most likely

, failures. Strainer plugging is easily recovered by use of the strainer l backwash system (not credited in the IPE to simplify the modeling) which either runs automatically or can be performed manually. Pump failure to run would cause a standby pump to be started and a work order to be ,

L written to repair the failed equipment. Using these criteria, a cooling l l water system recovery value of 0.52 (derived from NSAC-161, Figure 3.1- )

4) is deemed appropriate. '

l l i l

4 I

4 j

n---_c. . . - . ~ . . . . - - -. - . _ _ - . - - - . . - . . . - - . . _ . - . . ~ . . . - . - . . . _ _

\+

&~

l

[

• • • • • • • • • • • • • • Attachment 3 ************** ,

Detailed HRA Using Swain The following pages are a copy of actual calculations performed for the Prairie Island IPE. The calculations are for all events in which the THERP  ;

methodology was applied (five events). As a part of the verification of the calculations a few minor errors were identified. A sensitivity study was performed which confirmed the errors have an insignificant effect on the IPE results (the estimated CDF changed from 5.0E-5 to 4.9E-5 when the two errors noted in Table 4-1 of the calculation were corrected) . The errors were noted and handled in accordance with our departmental procedures. For your convenience, the attached copy of the calculations includes the verifier's comments.

1 l

4

c-

' VERIFICATION FORM

~ ~-

No^om States Power Company NUCL,E,.A..R..

m- ANALYSIS DEPARTMI. -

V 5 / M A . ' M '. o o / l 1 Document Verified hen ll9l }lEA M1i^ c <SM Oh Sheet l of Y Verified By

• Date //~2~O l j - 1 VERIFICATION METHOD l

l C Comparison With Alternate Calculation l

^

Comment O Comparison With Previous Calculation Comment l

l l

0 Verified Design Methodology and Assumptions 1

i Comment

[ Verified Traccability, Correctness and Assupmtions Used To Determine input and Output Comment Yo r/ OI eA /rt  !<

O Other Comment FINDINGS 0At hon- C o h l e rts s N V't. t at.ft t L t -e 3 e el s'A %PE le e c ree b? V o f' c e ku kki os , for no/ s as i <-

L~- e,.

r l s './ t* / Y e #~ If /1 e b (')9 t

h /' cat A$. ( ekY

[ C h . f* ) P l~ /* f C A C C t. / 4 ll VM l4 L P AfW PXA c z,s h h .

1 l

l l

PRAIRIE ISLAND l DETAILED HUMAN ERROR USING SWAIN l V.SMR.94.001 L

Table of Contents l

1 W ll '(o 95 -

l Verification (precedes this page) /Page/

l l

l Table of Contents (this page) 1 Page TENERA Transmittal Letter 1Page Purpose, Calculations & Summary 24 Pages l

1 1

The detailed human error calculations in this file were performed by Dennis W Henneke, TENERA. The Purpose, Calculations and Summary section of this file was prepared by Dennis Henneke. The file was assembled by Craig Nierode, NSP.

i l

r

\

l

• l

, ~.

l '.

l OTENERA l

January 26,1994 l

Craig Nierode Northern States Power Company Renaissance Square 8,411 Nicollet Mall l Minneapolis, MN 55401 1

Dear Craig,

1 I have attached printouts and Word Perfect 5.1 files for the following calculations:  !

1) Re-Analysis of HRA using the NUREG/CR-1278.

2) Bayesian Update of SGTR initiating Event Frequency

3) Human Factors Review for Pi PRA HRA.

l Please note that there were some minor changes for each of these from the drafts that I had {

l previously sent to you. Most important of the changes are some minor changes in the HEP  ;

values for the HRA. Please note these changes as shown on Table 4-1 of this calculation. '

1 I

Thank you for the opportunity to assist you in these areas. Please give me a call if you have l any questions on any of these calculations, or need any additional assistance. )

1 Sincerely, l 1 r  !

Dennis W., Henneke l

Senior Engineer '

attachments: (3) l l

cc: D. Blanchard J

hr< I Triangle Executive Park. One Copley Parkway Suite 21E Morrisville, North Carolino 27560, (919) 460-0200, Telecopy:(919) 460-0010

PI HR. Jsing NUREG/CR-1278 Re-analysis of HEPS using NUREG/CR-1278 for the Prairie Island PRA HRA 1.0 PURPOSE The purpose of this calculation is to re-analyze several Human Error Probabilities (HEPs) for the Prairie Island PRA, using the me6odology described in NUREG/CR-1278, The Handbook for Human Reliability Annivsis with Ernehnsin on Nuclear Power Plant Annlications. This analysis is preformed on the most important HEPs for the PRA, and will result in more accurate analysis of the actions than was originally performed for the HEPs using the ASEP HRA procedure.

2.0 METHODOLOGY The general methodology used for this analysis is provided in NUREG/CR-1278 (referred to below as "the Handbook," and is commonly used in the. industry for PRA/IPE HRA. The analysis is similar to the ASEP methodology used for the initial HRA, except that more l detailed analysis is performed for:

l l - The types of procedures used (with or without signoffs, etc.)

I - Verification steps j

- Crew size and expected crew ramaaaaa timing l

- Errors of omission and errors.of commission (based upon the type of controls)

- Timing

- Expected Stress l

- Conditional HEPs (depend <mce between operator actions) l i Although the handbook methodology is not fully discussed here, a discussion of several of the l key areas is presented below.

l Control Room Crew Resnonse ,

Teble Ib2 of the Handbook provides nominal crew response expected following an accident.

The PI expected crew response is close to this nominal response with the following exceptions and differences. The ROs (2) are expected to respond to an accident within one minute of the initiating event. The Shift Supervisor is also expected to respond within one

' minute. This agrees with the Table 18-2. There are no additional SROs expected for response to an accident, other than the STA/ Shift Manager. The Shift Manager /STA is required by Procedure 5AWI 3.1.2 to be available to be in the control room within 10 minutes j of notification. Therefore the nominal arpa tad response time for the STA of 15 minutes is ,

reasonable. However, the Shift Manager is expected to initially perform both the duties of the j STA and the Emergency Directors (ED) position. The Shift Manager will pass the ED duty f

hM Page 1 January 26,1994

i .,

PI HR. Using NUREG/CR-1278 4

. to one of several personnel, including the plant manger, when they arrive. This line of j succession is described in the Emergency Plan Implementing Procedure, F3-1. This succession is expected to occur within one hour.

i. I i Conditional HEPs )

! Based upon the discussion above, the control room staffis expected to have 2 ROs, the SS, 1 and the STA/ Shift Manager. The expected dependencies between the operators will change as  :

the accident progresses. The SS is responsible for calling for RO actions and follow along j j, using the procedure. This relationship is expected to continue throughout the accident. The l l Shift Manager will initially be performing both the STA function and the ED function, but is j expected to eventually perform only the STA function at one hour. Based upon these i relationships, and the guidelines provide in the hdbook, chapter 18, the following dependence is assumed for the analysis

1 i

! Table 1

{ Operator Dependency _.

Control Room Crew Dependence with primary RO 4

Second RO Full dependence unless actions of first RO affect parameters monitored by second RO.

Then medium dependency is assumed.

Shift Supervisor Medium dependency due to SS functioning to call out procedural steps.

j STA/ Shift Manager . No credit is given for STA within first 15 minutes. medium dependency assumed for J first hour due to dual role of SD/STA.

After I hour, a low dependency is assumed.

f l l Emergency Coordinator No recovery credit taken for ED l Technical Support Center No recovery credit taken for TSC 4

Stress i ,

The Handbook methodology provide guidelines for stress in Table 18-1. In all cases, the crew for PI is assumed to be skilled, not novice. Three stress levels are assumed. For non-LOCAs longer than I hour, an optimum stress level is assumed. For LOCAs longer than 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, and non-LOCAs shorter than I hour, Moderately high stress is mumed. For LOCAs l less than I hour after the initiating event, an extremely high stress is essumed, i

These stress levels are conservative, but consistent with guidelines provided in Chapter 18 of the Handbook.

s-  ;

4 hM Page 2 January 26,1994

PI Him Using NUREG/CR-1278 3.0 ANALYSIS The following sections provide the HRA for each of the HEPs reanalyzed using the Handbook methodology. Each HEP has a corresponding Human Error tree that represents the possible 1 human error sequences for each HEP. Since these operator actions were previously analyzed j using the ASEP methodology, much of the detailed information for each action is not l presented below. This information includes description of each action, timing, and key  :

parameters for the HEPs. This information is referenced when used in the calculations below.

~

11 HRECIRCSMY:

The discussion for this action is provided in the initial ASEP HRA calculation. The ASEP HRA includes discussion on timing, operator actions required, etc.

The Operator Action Event Tree for the analysis using the Handbook methodology is provided in Figure 1. This figure provides the flow for expected critical actions for this HEP.

These actions are similar to the actions discussed in the ASEP HRA, except that the actions are broken out into more detail, and recovery from additional control room crew is credited.

A discussion for each critical action is provided below. . Please note that for simplification, stress multipliers are shown on the HRA event tree, where applied. This representation, although not standard, helps in showing where stress multipliers are used in the HRA modeling.

Q - Diannosis Failure: Operator fails to diagnosis the need for performing recirculation per ES-1.2. Annunciator Response 3 -

Model used for operator fails to respond to low RWST Alarm for small LOCA, since several hours are available for response. NUREG-1278, Table 11-13, item la: .

Di = 0.0001 (10). /  ;

L - Failure to Use Procedures: Failure to use an Abnormal Operating Procedure.

Following a Low RWST alarm, the operator can ,

use the EOP, or attempt to perform the actions by memory. This HEP represents the probability that the operator attempts to complete the actions without using the written procedure. The HEP is calculated from Table 16-1, item 4:

P = 0.005 (10).

i

/

E - Failure to call for Local Action: RO fails to perform step 1.C of ES 1.2, call for local action to close breakers for four valves.

Errors of omission per item of instruction, Table s

hM Page 3 January 26,1994 l

1

. i PI HRn Using NUREG/CR-1278 1

l 15-3, item 4, procedure without checkoffs, > 10 items:

Fi = 0.01 (3). -

1 For F i., use Table 15-3, item 5, omission of step j when written procedures are available but not used (for sequences where the operator is attempting to complete the actions without using the written procedures):

Fi , = 0.05 (5) /

Li - Failure of Local Action: Auxiliary building operator fails to close 2 breakers per step IC of ES 1.2. Actions are local.

Actions are performed from memory based upon oral instructions. Only 2 actions are critical. Use Table 15-1, item 4a,' failure to recall item Niorder of recall not important.

L i= L ,i = 0.03 x 2 actions = 0.06 (5) -

E3 - Failure to nerform lineuo: Failure of RO to perform steps 4,6,7,9,14, and 15 of ES 1.2. Steps 5 and 13 are also critical but are interlocked and are immediately verified by performance of steps 6 and 14 respectively.

Failure to perform a step is assumed to include l error of omission and error of commission. Error of omission is from Table 15-3, item 4, procedure without checkoffs, > 10 items = 0.01 (3). Error of commission is taken from Table 13-3, item 3 =

l 0.001 (3). Total HEP =

F3 = (0.01 + 0.001) x 6 steps = 0.066 (3) /

For F3, when a procedure is not used, Error of Omission is taken from Table 15-3, item 5 = 0.05 (5).

F3 , = (0.05 + 0.001) x 6 steps = 0.31 -

F - Failure to status SI flow- Following completion of the alignment of recirculation, step 16 verifles SI flow to the vessel. At this point the operators should be able to verify if the previous steps were performed in error. This action is used to recover lineup errors, s

O M ERA Page 4 January 26,1994 t

l_-_______ _ _ _ _ _ - - _ _ _ _ _ _ _ - _

. __ --- - . . _. .~. - - . .._. . - - . _ - -- _- _, __ _ .-

', t PI Hu Using NUREG/CR-1278

- including errors by the AO. This action is included in Small LOCA due to the long time

! frame available for recirculation alignment. This HEP is taken from Table 15-3, item 4:

l F = 0.01 (3) -

l Failure to perform this step when a procedure is not used is taken from Table 15-3, item 5:

F. = 0.05 (5) -

S - Stress: Stress in this scenario is considered Moderately High. The actions occur several hours after a LOCA. The task load at this time is moderate, but the threat stress may be high. Use Table 17-1, item 4, step by step procedure, moderately high stress. Multiply all' actions by: e-S = 2.0. /

l ,

Recovery of actions- Recovery by Shift Supervisor (SS); since the shift supervisor is acting as one of the crew during the emergency response including calling out procedural steps, etc., the recovery by SS is assumed to have a medium dependency with the

?

ROs. The conditional HEPs (CHEPs) for the SS are taken from Table 7-3, either item 3a or 3b (depending upon the BHEP). These are:

R, = 0.15 (3.5) -

Ri , = 0.19 (2.8) - '

Rn = 0.15 (3.5) -

i Recovery by the Shift Manager; Since the Shift ,

, Manager is acting as the STA, and the actions are at longer than one hour, a low dependency is assumed. CHEPs are taken from Table 7-3, items 2a or 2b, depending upon the BHEP. These

- CHEPs are:

R2 = 0.05 (3.2) -

!. R2 . = 0.10 (2.5) -

1 R3 = 0.05 (3.2) -

2 l Recovery oflocal actions by the RO; Since the l , , .

hM Page 5 January 26,1994 1

PI HRn Using NUREG/CR-1278 RO is monitoring the valve breaker status for local l AO actions, the RO recovery actions are i

considered to have a Medium dependency (please l note that this is also conservative) on the AO l actions. No recovery by the SS is credited for local actions. The CHEP is taken from Table 7-3, item 3b:

R = 0.19 (2.8) /

3 L

Total HEP: The total HEP for this actions is:

! BHEP = D x S +

i l Pi x S x {(F i, x R i , x R2 .) 4{ Li , x R2 . x FJ + (F3 , x F. x R i , x R26)} +

S x {(Fi x Ri x R2 ) +( Li x ; . F 4) + (F x F4x R i x R 2 3

                                                                                                                                  ' E;
                                            .,     /                                             p u 6 a . I ' ", .y-
                                    = 030001 x 2 +               ,       <        .p         s         /

W 0.005, x 2 x {(0.05 x 0.19 x 0.10) + (0.06 x 0.19 x 0.05) + (0.31 l x 0.05 x,0.I5 x,0.05)} + s y f f f 2'x {(0.01 x 0.15 x 0.05) + (0.06 x 0.05 x 0.01) + (0.066 x 0.01 x 0.1,5 x 0.05)} ge-f g ,, .a..,e 1 < - / . 4

                                    = 0.0002 + 1.6x10-5 + 2.2x10 = 3.6x10" 4,3 s - y +r e.n ~ p n A ff s Based on discussions in NUREG/CR-1278, Table 7-2, assume an error factor of 10. "" "e - 744                                     l
                                               -                                                               U n, /A:n sie             ;

erro r kd / nh W ber ejpJ In ' I f*f ug l WYere l ore Me pg l 'U*d In -// s r,,, ' .

                                                                                                           A 4p.6,                     l ll'2-g '
                                                                                                              /         0lftc Obf f /)           e
                                                                                                    '^
                                                                                                                            $!#e h lm //c         p,

• b /le eed a f e eIce4/;,

l e' n., % , " '- is rpg ;, '-f' ok l. f 1, p,N ( 1 EE Page 6 January 26,1994 i l l

I l , t PI Him Using NUREG/CR-1278 Figure 1 i l HRA Event Tree for HRECIRCSMY l 1 l S I l L Pg l l l l Fia

                                                                                                            ~

3 la la Ria g F4 F3a 4a 2a R2 R2 8 F4a 2a p4 R 1b 8 Rg g a 2b 2 . l s S I i i , i 4 4 , *% ~ l l M ERA Page 7 January 26,1994 1

y .m<# az. -.2.m - PI HRn Using NUREG/CR-1278 j . l 11 HRECIRCXXY: The Human Error Event Tree for this action is provided in Figure 2. This action is similar to the action above for small LOCA except the timing for this action is much shorter: } p,,, nes y e m .1 Ao r h ca mp r * ' 41 minutes to 33% RWST level 4 f>,ppooy w , g,, w , / , u A* e 67 minutes to RWST empty i; < . a e r + h c- .r-% *

e e n 4.r #~ ( m - m , f - a- e .r>. s .r n A.)

j. This timing introduces additional requirements for diagnosis within the first 41 minutes. M "v.gf

] Figure 2 transfers to Figure 1, at point Pi since the actions performed are identical for each i HEP. The differences for the BHEP values are discussed below. 1

Q - Dimonosis Failure

Failure of the operator to diagnose a LOCA prior to the Low

] RWST Level Alarm. Since the alarm will occur at 41 minutes, i it is conservatively assumed the operator has 30 minutes to l diagnose the LOCA in order to anticipate the RWST low level l alarm. From Table 12-4 at 30 minutes, nominal value, the 4 diagnosis error is: f Di = 0.001 / i i D, - Monitor RWST Level: Operator fails to monitor the RWST Level to anticipate low level alarm. RO is trained to monitor RWST level, and is reminded in j several places in the procedures about the RWST level including: St6p 26 of IE-1, Caution in IES-1.1, and on the information page in all E-1 Series procedures. The failure to monitor the RWST level is estimated from Table 15-3, item 4: D2 = 0.01 (3) / D. - Alarm Resnonse: Control Room RO fails to respond to low level RWST Alarm. Annunciator Response Model Used for Operator fails to respond to low RWST Alarm for Medium LOCA. Since alarm will occur , at approximately 41 minutes following the LOCA, there will probably be several other alarms occurring at the same time. Without a full alarm response, the timing of these alarms is unknown. It is conservatively assumed that 3 other alarms occur near in time to the RWST low level alarm. Thus the BHEP is taken from NUREG-1278, Table 11-13, item 4d, D 3 = Da = 0.004 (10). / For the sequence where the Diagnosis is performed correctly, and the RWST level is monitored, it is assumed that the operator s-EE Page 8 January 26,1994

l e - PI Hlw Using NUREG/CR-1278 l will fail to respond to the alarm with a probability of 0. Therefore: D3 = 0.0 / \ l l Rig & Ry - Recoverv- Failure of the SS and STA to recover for RWST low level.  ! l Since the actions for low level RWST are taken at greater than l 15 minutes but less that I hour, a medium dependency for both l the SS and STA/ Shift Manager are assumed based upon l discussions above. The CHEPs are taken from Table 7-3, item l 3a: 1 Ri o = Ru = 0.15 (3.5) / Differences for SLOCA: The following differences are assumed for a medium LOCA HEP, using figure 1 for the Small LOCA HEP: l l R2; due to the timing of the event, with less than I hour - available for the entire action, a medium dependency is assumed l l for the STA/ Shift manager (see general discussions above). l Therefore: l R2 = R 3= 0.15 (3.5) / l l R2 . = 0.19 (2.8) , l S;' Due to the short time available, it is assumed a high stress is l present throughout the event. The stress factor is taken from Table 18-1, item 6: S = 5.0 / l l Total HEP: The total HEP for this actions is: l BHEP = Di x D3 x R i , x Ru X S + - D2 x D 3, x Ri , x Ru xS+ DxS+ 3 ! Pi x S x {(F i, x R i , x R2 ,) +( Li , x R2 . x F.) + (F3 , x F. x Ri , x R)}+ 3 S x {(Fi x Ri x R2) +( Li X R2 x F4 ) + (F3 x F4 x Ri x R2))

                                        /         /               /          /

l , =,0.001 x 0.004 x).15 x 0.15_x 5 + i 0.01 x 0.004 x 0.15 x 0.I5 x 5 +

                                ' 0.0 x 5 +                                        y s 0.005 x 5 x {(0.05 x 0.19 x 0.19) + (0.06 x 0.19 x 0.05) + (0.31 1                               v x 0.05 x 0.15 x 0.15)} +

i

                                   ,              Q nt) un o . l *f but                       O H+ 1T l

l O M ERA Page 9 <, L, ,, e /y,/ January 26,1994 l n n nce ,,, . ,,

PI HRn Using NUREG/CR-1278 f . 5 x {(0.01 x 0.15 x 0.15) + (0.06 x 0.15 x 0.01) + (0.066 x 0.01 v x 0.15 x 0.15)} g f ,,s j,,g,,,, g

                                                                       /

4.3

                                                                                              ,                     g
                                                /               /            /
                                          = 4.5x104 + 4.5x104+ 0.0 + 6.8x10 + 1.6x10
                                          = 1.7x10 '

Based on discussions in NUREG/CR-1278, Table 7-2, assume an error factor of 10. si. u & 1 tyro Y /*eb* o l' c .

                                                                                                            //-) 9I i

i l t EE Page 10 January 26,1994 l

f ? .. - PI HR,. Using NUREG/CR-1278 Figure 2 HRA Event Tree for HRECIRCXXY l D g l L l l l D D 2 2

                                    + - _ _ _ _ _ - . . . _

D D3 3. n id Transfer to P in s " 2d l , Figure 1 for i l Small LOCA I 2d s i

                                                                                                                   \

l 1 f i l t 1 1 l . l *s s. hM Page 11 January 26,1994

PI Hu Using NUREG/CR-1278 M RRECIRCXXY The Operator Action Event Tree for RRECIRCXXY is provided in Figure 3. This figure provides the flow for expected critical actions for this HEP. These actions are similar to the actions discussed in the ASEP HRA, except that the actions are broken out into more detail, and recovery from additional control room crew is credited. A discussion for each critical action is provided below. . The diagnosis portion of Figure 3 is similar to what is presented in Figure 2 for medium LOCA. The difference between the two diagnosis is the time available. A Low RWST level is expected at 21 minutes for a Large LOCA, as compared to 41 minutes for a medium LOCA. This results in a higher initial diagnosis failure (D i) and no credit for STA recovery.

 ,         The latter is a conservative measure, but assuming the STA is not available for the first 15 minutes, it is unlikely that the STA would be able to diagnose the need to monitor the RWST within 6 minutes. Additionally, since only 10 minutes are available to align recirculation following a low RWST level alarm, no procedural recoveries (checking SI flow) are credited for large LOCA.                                                                               e Q - Dimenosis of LOCA:                Failure of the operator to diagnose a LOCA prior to the Low RWST Level Alarm. Since the alarm will occur at 21 minutes, it is conservatively assumed the operator has 15 minutes to diagnose the LOCA in order to anticipate                ;

the RWST low level alarm. From Figure 12-4 at 15 minutes, nominal value, the diagnosis error is: t . D i = 0.02 (10) / E - RO Fails to Alien Recirc: Operator fails to align low pressure recirculation per procedure IES-1.2. All actions for recirculation are in the control room. Critical procedural steps include steps 4,6,7, and 9 of ES 1.2. Step 5 is also critical but is interlocked and are immediately verified by performance of step 6. Failure to perform a step is assumed to include , error of omission and error of commission. Error of omission is from Table 15-3, item 4, procedure without checkoffs, > 10 items = 0.01 (3). Error of commission is taken from Table 13-3, item 3 = 0.001 (3). Total HEP = F, = (0.01 + 0.001) x 4 steps = 0.044 (3) / For Fu, when a procedure is not used, Error of Omission

                                                 . is taken from Table 15-3, item 5 = 0.05 (5).

l l hM Page 12 January 26,1994

e ~. PI Hu Using NUREG/CR-1278 Fi , = (0.05 + 0.001) x 4 steps = 0.20 / l l All other values used in the Medium LOCA analysis above are the same for the Large LOCA analysis. Total HEP: The total HEP for this actions is:

                                                                                                               )

BHEP = Di x D3 x Ri , x Ru xS+ D2x D ,3 x R ,i x Ra, x S + , e ^4 ,, ng/ W ,9f l', ' j. DxS+ 3 r "p .

                                                                                          )                           ,

Pi x S x F ,i x R ,i x R 2.) +  ! l SxF i xR i xR 2

   .                                             /         /           l     l /
                                            = 0.02 x 0.004 x 0.15 x 1.0 x 5 +

0.01 x 0.004 x 0.15'x 1.0'x 5'+

                                         /.0x5+

0

                                        / 0.005 x 5 x 0.20 x 0.19 x 0.15) + -

l 5 x (0.044 x 0.15 x 0.15) l l / / / / l = 6.0x10-5 + 3.0x10-5 + 0.0 + 1.4x10" + 5.0x10-'

                                            = 5.2x10-' /

Based on discussions in NUREG/CR-1278, Table 7-2, assume an error factor of 5. t l I e

                       $                                                                                              1 I

i M ERA Page 13 January 26,1994

PI H. Using NUREG/CR-1278

           ,                                                        Figure 3 HRA Event Tree For RRECIRCXXY Dg 32                D 2

D 3 0 3, g S R 2d p1 R 1d E ' 1 F j, R 2d I E 1a g ) - R E 2 2a S S 5 M Page 14 January 26,1994

l

                                                                                                               )

o PI H. Using NUREG/CR-1278 1 l

                                                                                                               \

l .

3.4 SGTRXXXCDY

Figure 4 provides the HRA event tree for the event SGTRXXXCDY. This event is described fully in the ASEP HRA analysis, including timing. The following BHEPs are used to l l calculate the HEP for this event. Q - Alarm Response: Failure of the RO to diagnose a SGTR, by responding to the High Radiation Condenser Ejector Alarm. Based upon the timing of the event, the operator has approximately 15 to 38 minutes to initiate an RCS cooldown to equalize pressure l between the RCS and the SG. The operator will get a High Radiation Alarm almost immediately. The operators are well trained on this alarm, which directs the operators to the SGTR procedure. The diagnosis failure is assumed to be failure to J respond to the High Radiation Alarm. The ASEP Analysis conservatively assumed that this alarm was one of three alarms. , Without additional analysis, the alarms response can not be fully l l verified. Therefore this conservative assumption is also assumed l here. The HEP is derived from Table 11-13, item 3c; ( s k u ge o. co a. D, = 0.02 (10). y // W 1 I

Ei - RCS Cooldown: RO Fails to initiate RCS Cooldown per IE-3, step 13. This action is one of two critical steps in the SGTR procedure to prevent Sfs Overfill. This BHEP includes Errors of omission and commission. Omission error is taken from Table 15-3, item 4 = 0.01 (3). Commission is taken from Table 13-3, item 3 = l l 0.001 (3). The HEP is: i l Fi = 0.01 + 0.001 = 0.011 (3) /

1 E, - RCS Deoress.: RO Fails to depressurize the RCS pressure in order to minimize

the break flow and refill the pressurizer, per step 19 or 20 of IE- ,

! 3. This action is similar to F i. The HEP equals: is F2 = 0.011 (3) / Ri - SS Recoverv: Based upon discussions above, recovery CHEP is taken from i Table 7-3, item 3a for medium dependence: Ri = 0.15 (3.5) / i R, - STA Recoverv: Based upon discussions above, recovery CHEP is taken from i Table 7-3, item 3a for medium dependence: OTDIERA Page 15 January 26,1994 1

s - PI HR.. Using NUREG/CR-1278 R2 = 0.15 (3.5) Please note that no STA/ Shift Manager recovery is credited for j the alarm response since this response is required within the first , 15 minutes (15 to 38 minutes). As discussed under the crew response section above, no credit is given for the Shift Manager within the first 15 minutes following an initiating event. S - Stress: Stress is assumed to be moderately high for the first hour of an

  .                                      SGTR event. From Table 18-1, item 3, the stress factor for this event is:

g%1 u j< ; /e n

• i S = 2.0 g ff.3. g Total HEP: The total HEP for this actions is:

y Q // 2 9 f HEP = D1 x R x S + FxRxRxS+ i 2 F2 xRi xR 2 XS

                                               .cox J
                                          = 0.02 x 0.15 x 2 +

i 0.011 x 0.15 x 0.15 x 2 + 0.011 x 0.15 x 0.15 x 2 ca t-y / /

                                          = 6.0x10-' + 5.0x10" + 5.0x10 d
                                          " N OK10^'    '-~r<-w          y n, /4 J,4e-3,                   7A,    n. n f , , m, ,

Based upon Table 7-2 of the Handbook, the above HEP is assigned an error factor of 5. '^ *

                                                                                                                 '"* " % f,,q.      ,
                                                                                                                #* ^ '* 7 <             ;
                                                                                                              * ^d 4,, g,g <, l .

• dap , e, W N .2 pf

                       *s l

s hM Page 16 January 26,1994

b- - O PI E Using NUREG/CR-1278

         .                                 Figure 4 HRA Event Tree for SGTRXXXCDY Di F1                               Ri
                 /                                                                   .

2 Ri L L h Ri

                                   .                 L l

S R2 L L 4 S i, L d i E Page 17 January 26,1994

PI HA.. Using NUREG/CR-1278

3.5 SGTRXXEC3Y

As seen in Figure 3.1-7 of the Draft IPE Report, this HEP follows directly failure of the operators to perform initial RCS Depressurization, HEP event SGTRXXXCDY. As such, we can expect some direct correlation between these two events. Figure 4 shows 3 sequences where the operator could initially fail to performed cooldown. Given this initial failure, and an overfill event, the operator now has a number of hours to correct these mistakes. However, the operator also has to depressurize the RCS fully in order to stop the primary to

 .           secondary side leak (due to the stuck open secondary relief). The resulting Operator Action Event Tree includes the initial sequences in Figure 4, plus additional procedural recovery steps, and additional operator response requirements.

The complicating factor for this event is the treatment of conditional HEPs (CHEPS). Given an operator fails to perform a first step correctly, what is ti:e probability that they will fail to perform subsequent steps correctly? In some cases, we can expect a " common-cause influence" where several human errors occur due to the same cause. In other cases, we might expect an initial failure to result in a feedback that results in the operator better performing the next step. Chapter 10 and Appendix A of the Handbook discuss the various dependency models and how to treat these dependent HEPs. For this analysis, we will use the following rules to assign dependency between events:

1) The SS and STA/ Shift Manager dependency will remain the same as discussed above. Recovery by the SS and STA will only be credited once per HEP sequence, even though several RO failures may have occurred.

}

2) The dependency between multiple RO actions will be accounted for using Table 10-1 of the Handbook. This table accounts for timing of the events, feedback, functional relationships, stress, etc. Once the dependency has been _

established, then the CHEP is assigned using Table 7-3 of the handbook.

3) No more than 3 RO actions / recoveries will be credited and evaluated for any HEP sequence.

The res,ulting HRA event tree for this analysis is provided in Figure 5 below. These events for these are discussed below: Similar Events: The following events are the same as for the HEP SGTRXXXCDY discussed above: r y u b e. . C') d- & //- > - W D i = 0.02 Fi = 0.011 F2 = 0.011 Ri = 0.15 S = 2.0 s hM Page 18 January 26,1994

       ,                                 ~                                                    -.
     ~

PI H. Using NUREG/CR-1278

           . Please note that stress is not applied for sequences where RHR is being aligned, since these are several hours after the initiating event.

D3 - Hinh SG Alarm: RO Fails to respond to high SG Alarm. This will occur much later than the High Radiation Alarm associated with D i . It is not in the same control board location, and is not associated with the same actions / controls. The same RO will respond to the alarm. There fore a low dependence is assigned: D2= 0.10(2.5)

                                                                                 /

D, - RWST Level: RO fails to respond to the RWST level decreasing. The operator 2 will be aware of Safety Injection flow, due to procedural i monitoring and failure to be able to reset SI. RWST level will i be steadily decreasing. This level indication is in a different l control board location from the previous alarms. The timing is later than the two alarms above, and a different RO will be monitoring the RWST level as the SG level and condenser _.; l radiation. For conservatism, a low dependency is assumed. i D3= 0.10 (2.5) > i Ei: - Go To ECA-3.1: Operator fails to transfer to ECA-3.1 per IE-3, step 22. This i step asks the operator to determine if SI can be terminated. If i not, the operator is asked to transfer to IECA-3.1. The RO will j perform this step much later than step 13 for HEP Fi . This step j will be performed by the same RO using the same procedure. This HEP is estimated using a medium dependency from Table 7-3.: Fi , = 0.15 (3.5) / Eis- Verifv SI not reauired: Operator fails to correctly verify SI is required per IE-0, step 25, given the operator has previously terminated SI, and has failed to cooldown the SGs. This step will be performed closely in time , and by the same operators as for Step 22 for Fi .. Therefore a

                     '$                          high dependence is assumed for this HEP. This HEP is estimated from Table 7-3 as:

F = 0.5 (2) / Ei,- RCS Cooldown: Operator fails to cooldown the SGs per step 10 of IECA-3.1, given an initial failure to cooldown and a subsequent successful transfer to procedure IECA-3.1. This action has a negative conditional in that the RO is asked to perform actions similar to actions already failed. There is also a positive conditional in that hM Page 19 January 26,1994

i w e l PI IL Using NUREG/CR-1278 the RO has now realized the scenario, and has transferred to a different procedure to correct the mistake. The action is not performed closely in time with the initial cooldown, and is ) performed using a different procedure. The same operator is j performing the action. Therefore, a medium level of dependence is assumed (conservatively). The HEP is estimated from Table 7-3 as: Fi , = 0.015 (3.5) / F3- Deoressurize RCS: Operator fails to initially depressurize the RCS per step 15 of IECA-3.1, given an initial failure to depressurize the RCS, and a subsequent successful transfer to procedure IECA-3.1. This event is very similar to F ,i above, and is also estimated using a medium dependency: F3= 0.015 (3.5) / E3 - Fully Deoressurize: Operator fails to fully depressurize the RCS to RHR conditions per step 21 of IECA-3.1. This action is performed given the operator has initially depressurized the RCS in an attempt to equalize the RCS and ruptured SG. Although the action has some dynamic characteristics for controlling RCS pressure and , temperature, the action is estimated based upon step-by-step l HEPS due to the long time available and positive feedback a'vailable once the initial cooldown is initiated. This BHEP includes errors of omission and commission. Omission error is taken from Table 15-3, item 4 = 0.01 (3). Commission is taken from Table 13-3, item 3 = 0.001 (3). The HEP is: F3 = 0.01 + 0.001 = 0.011 (3) E3- Verifv RHR: Operator fails to perform step 31 of IECA-3.1, verify RCS pressure and temperature adequate for RHR conditions. This HEP is an error of omission only. This action is required given , an initial operator failure to *J1y depressurize the RCS. This action will be performed by ine same RO using the same procedure, but will be performed much latter in the sequence than step 21 for event F3 . Therefore, a medium dependency is

 .                                    assumed. The HEP is estimated from Table 7-3 as:

Fu = 0.15 (3.5) / F - Local AO RHR Actions: Local AO fails to perform RHR line-up actions per I procedure steps 3,4, and 5 of IECA-3.1, Attachment D. I The local Auxiliary building AO will be requested by the l ?  %- hM Page 20 January 26,1994

 'I                                                            PI H. Using NUREG/CR-1278 RO to perform these steps per procedure. The actions are       )

considered step by step actions, given a procedure. For i conservatism, it is assumed the operator fails to correctly i use the procedure. The HEP includes error of omission I and error of commission. The omission HEP is estimated from Table 15-3, item 3 - Error of omission per item, short list. The error of commission is estimated from Tables 13-3 and 14-1. Steps 3 and 4 require breakers to be powered up. The HEP for this event is from Table 13-3, item 11, select wrong circuit breaker = 0.003. Step 5 requires a valve to be closed. The HEP for this actions is taken from Table 14-1, item 2 = 0.003. This gives a total HEP for this action: l F = (0.01 x 3 actions) + (0.003 x 2 actions) + 0.003 = 0.039 (5) l L - CR RHR Actions: CR operator fails to align RHR alignment per steps 6,7, 8,9, j 10,13,14,15, and 17 of Procedure ECA-31., Attachment D. These steps are the 9 critical steps in aligning RHR (per train), all of which are performed from the control room. The HEPs for these actions include errors of omission and commission.  ; Omission error is taken from Table 15-3, item 4 = 0.01 (3). Commission is taken from Table 13-3, item 3 = 0.001 (3). The HEP is: 7 7 g li o W J Fi= (0.01 + 0.001) x 9 actions = 0.099 (3) / i F, - Verifv RHR- Operator fails to verify RHR flow per step 19 of IECA-3.1, Attachment D. This action is required given the operator fails to perform RHR lineup correctly. The action is performed closely in time with the previous alignment steps, using the same procedure. However, the actions performed for RHR alignment will probably include both ROs, which means that both ROs may be performing flow and cooldown checks for verification. For , I conservatism, a medium dependency is assumed. This HEP is I

                's            estimated using Table 7-3 as:                                         l F. = 0.15 (3.5)      /

i R, - STA Recoverv: Based upon discussions above, recovery CHEP is taken from , Table 7-3, item 3a for low dependence: l R2 = 0.05 (3.2) f s. TDERA Page 21 January 26,1994  : i

• PI HI Using NUREG/CR-1278

          . R, - Recovery of Local Actions:          RO fails to recover AO actions. The control room RO will be checking the auxiliary building operator actions based upon indication from the control room. The HEP l                                                     for this event is based upon RO failure to perform verification steps in Attachment D of IECA-3.1. This HEP is estimated from Table 15-3, item 2:

l R3 = 0.003 (3) .'" l l r Total HEP: The total HEP for this actions is: HEP = (Di x D2 x D 3x R ix R 2X S) + l (Fi x Fi , x Fi x R, x R2 x S) + (Fi x Fi , x D3 x Ri x R2x S) + (F2 x Fi , x F x R ix R 2X S) + i (F2 x F2 . x D3 x R x R 2X S) + . (F3 x F3 , x D3 x Ri x R2 x 8) + , j (F, x R3 x R, x R2) + l (F x F x D3 x R i x ~R2) 3 l

                                                        , o o 1-                   ./     /           ./                              l
                                         =
                                                ' (0.02,x 0.1 x 0.1 x 0.15 x,0.05 x 2) +,                                             ;
                                                  '(0.0.lj x 0.15 x 0.5,x 0.15,x 0.5'5 x 21+
                                       .on'70.0_lj xi.15 x 0.1 x 0.1,5,x 0.65 x 2) +
                                  @'" ,.        / (0g0.15 x 0.5 x 0.15 x 0.d5 x 2J +
                                                    -TO.0ll x 0.15 x 0.T x 0.IIx 0.6S' x 2) +

) @,...ir

                                        ,r       /(0.6ll x 0.15 x 0.T x 0.15 x,0.65) +

l (0.039 x 0.063' x 0.15 x 0.05) + l (0.0V9 x 0.15 x 01x 0.15 x 0.05) p .s c- 7 4 / tr c-7 ,?ff / GA' Ytr 4

                                         =            3.0x10 + 1.2x10-5 + 2.5x104 + 1.2x10 5 + 2.5x10                  +

4 1.3x10

                                                                  + 8.8x104 + 1.1x10 5
                                                                       /              /
                                         =            4.5x10*5
                                                                                       *Y             F +ffs v* lfl^*   T' W 3 . cP d ~ T                               u.1eJ Based upon Table 7-2, the EF for this HEP is estimated at 10.                  "7[y '       ,j, 7 .e/    feca"/*      \

a rterv L e l  ;$ it J j') y fi i

                                           .g -

OTBIERA Page 22 January 26,1994

• PI H. Using NUREG/CR-1278 l

Figure 5 l l HRA Event Tree for SGTRXXEC3Y l D j

                                                               +------

l. D 1 2

                                                  /

1a D 3 ib 2 / ic , D F 1a 3 , g 2 s Fa2 R1

                         +------
                                        y             D 3

E 1 R 2 s

                +------

R 3 0 3 "1 2 s R1 1 8 F6 0 3 2 2 s ,

                                              \

R 1

               's                             R 2

l i

                                      .s.

M ERA Page 23 January 26,1994

f I e

   ~/                                                                            PI HI       Using NUREG/CR-1278 l

\ 4.0

SUMMARY

AND CONCLUSIONS The results for the re-analyzed HEPs in Section 3.0 are presented in Table 4-1. This Table i presents the Median HEP, Error Factor, and the resulting Mean HEP. Since HEP SGTRXXEC3Y is used in sequence with SGTRXXXCDY, a conditional HEP is presented. This conditional HEP is calculated as SGTRXXEC3Y divided by SGTRXXXCDY. 1 i Table 4-1  ! I HEP Values for Re-analyzed Events Operator Action Mean HEP Median HEP l ! HRECIRCSMY 1.2x10 / 4.4x10" (10) - 1 HRECIRCXXY 2.7x10 3 / 1.7x10-' (5) - 4,- l RRECIRCXXY 8.4x10-3 / 5.2x10~' (5)' - SGTRXXXCDY 1.1x10 2 t/ 7.0x10-' (5) A ' SGTRXXEC3Y 4.5x10-5 (5) (Conditional) [(7.2x10 0.0065) < 9

                                                                       #                                          c,..,
                                                                       ]

Qfer il lU Ae } ll-79 C \ E-y } \ AH ? 9f \ l

                                        ..we . v .t.J I.,                             hu /x l       vs.3+Lec....J -.u-                     +L. -e< W E P s c,1ranscoY of 1.6 E 3(p.se a),

l j b e c.-e s a c F3 os,5 ,, ,,,,, 64.c , f .r.

                                                                                         ~fb o*J TeWJe</ wlut Op.) de terred meJie~ v Ive e sbleI'Jt4 Ebe              P It hart - con.f e r -w//s e st,TRuEc3 Y .4 3.? E fQ.s. a2), +Le m e..
                                               ?ida *4 10. E* "

r b / W //<'^ //t be.. s I E d ' esc-3 4 e r r.c oteceraep e/ S(,T R O E G Y ;s Jef. Jc t 6- +le p erfo<-. -cr .f S C,i Rv vv C o y / + t, 4 t,.s1 HEP for Sr.1RhfclY is: hemAm f r/o r ca lc e le Noel, ,4 /sa 5 '

                    . 3,g g.g

• lle e rro r % une c f

         # 'E'b of4 / gj// / e g,4ft.f yys ,

g ,g, y ,b. s w e r e ret.I M'I L 4*b 'A enor n.h /. r 16 rg m q' . P5h ut h 5'- & //-;> 9 j-

                                '< f       L l3/ %

s O M ERA Page 24 January 26,1994}}