ML20101M973: Difference between revisions

{{Adams
| number = ML20101M973
| issue date = 04/01/1996
| title = Provides Responses to RAI on AP600 Design Certification Program
| author name = Mcintyre B
| author affiliation = WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
| addressee name = Quay T
| addressee affiliation = NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
| docket = 05200003
| license number =
| contact person =
| document report number = NSD-NRC-96-4680, NUDOCS 9604080179
| document type = CORRESPONDENCE-LETTERS, INCOMING CORRESPONDENCE
| page count = 81
}}
 
=Text=
{{#Wiki_filter:
Westinghouse Electric Corporation, Energy Systems, Box 355, Pittsburgh, Pennsylvania 15230-0355
NSD-NRC-96-4680
DCP/NRC0487
Docket No.: STN-52-003
April 1, 1996
Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
ATTENTION: T.R. QUAY
 
==SUBJECT:==
WESTINGHOUSE RESPONSES TO NRC REQUESTS FOR ADDITIONAL INFORMATION ON THE AP600
 
==Dear Mr. Quay:==
 
Enclosed are the Westinghouse responses to NRC requests for additional information on the AP600 Design Certification program. Enclosure 1 contains responses to 14 follow-on questions pertaining to Level 1 PRA Human Reliability Analysis. Enclosure 2 contains responses to 11 follow-on questions pertaining to the Level 1 low power and shutdown PRA assessment. Enclosure 3 contains responses to general PRA modeling questions. These follow-on questions were provided in NRC letters dated November 9, 1995, November 21, 1995, December 22, 1995, and January 22, 1996.
These responses close, from a Westinghouse perspective, the addressed questions. The NRC technical staff should review these responses.
A listing of the NRC requests for additional information responded to in this letter is contained in Attachment A.
Please contact Cynthia L. Haag on (412) 374-4277 if you have any questions concerning this transmittal.
Brian A. McIntyre, Manager
Advanced Plant Safety and Licensing
/nja
Enclosure
Attachment
cc: D. Jackson, NRC (1 copy enclosures / attachment)
J. Sebrosky, NRC (1 copy enclosures / attachment)
J. Flack, NRC (1 copy enclosure / attachment)
N. J. Liparulo, Westinghouse (w/o enclosure / attachment)
2726A
                                      "                                                                              b I 9604080179 960401                                                                                        /#
PDR      ADOCK 05200003                                                                                  pv%
A                        PDR                                                                                        l
 
Attachment A to NSD-NRC-96-4680
Enclosed Responses to NRC Requests for Additional Information
Re: Level 1 PRA - HRA Questions (from NRC letter dated 11/21/95)
As related to DSER Open Item 19.1.3.1-17:
720.289, 720.290, 720.291, 720.292, 720.293, 720.294, 720.295, 720.296, 720.297, 720.298, 720.299, 720.300
HRA for shutdown operation:
720.301, 720.302
Re: Shutdown PRA Questions from NRC letter dated 11/9/95:
1, 2, 3, 4, 720.286, 720.287, 720.288
Questions from NRC letter dated 12/22/95:
720.303, 720.304, 720.305, 720.306
Re: PRA Modeling Questions (from NRC letter dated 1/22/96):
720.309, 720.314, 720.315, 720.316, 720.317, 720.318, 720.320, 720.321
 
Enclosure 1 to Westinghouse Letter NSD-NRC-96-4680, April 1, 1996
 
NRC REQUEST FOR ADDITIONAL INFORMATION
Re: RAI Related to DSER Open Item 19.1.3.1-17
Question 720.289 (#2946)
On page 30-2 of the revised HRA it is stated:
"Because of some degree of uncertainty in the data, in terms of estimates for human error probabilities, it is often useful to perform a sensitivity analysis of the operator actions, during which the estimated human error probabilities, stress levels, dependency levels, or other human performance factors are systematically changed to determine the effect on the human reliability analysis results."
The staff agrees with this statement but could not find such sensitivity analysis in Westinghouse's submittals. Such sensitivity analysis, combined with insights from the importance and uncertainty analyses, would be very helpful to understand the plant's tolerance of human errors and to decide which (if any) human actions require more detailed analysis.
 
===Response===
Sensitivity studies are documented in Chapter 50 of the AP600 PRA. The following three HRA sensitivity studies were performed for the at-power PRA: a) all human error probabilities (HEPs) in the core melt output file were set to 1.0; b) all HEPs were set to 0.1; and c) all HEPs were set to 0.0. Setting all HEPs to 1.0 is considered to be the most bounding HRA application, and the resulting core damage frequency of 2.78E-05 events per year is quite low and well below the safety goal of 1.0E-04 events per year. When all HEPs were set to 0.1, the increase in core damage frequency was insignificant.
For the low-power and shutdown PRA, sensitivity studies were performed by: a) setting all human error probabilities (HEPs) to 0.5, the highest HEP used in the PRA; and b) setting all HEPs to 0.0. The sensitivity in setting all HEPs to 0.5 is considered to be bounding, and the resulting core damage frequency of 2.99E-06 is very low.
For the cases in which all HEPs were set to 0.0, the core damage frequencies decreased slightly; this indicates that perfect operator responses are not risk important at the level of plant risk obtained from the base cases.
The results of the above sensitivity studies provide sufficient information about the reliability of the plant when bounding human error probabilities are used; of significance is the finding that the AP600 meets the safety goals with minimal credit for operator actions. Therefore, no further insights would come from conducting additional human error sensitivity studies.
 
Re: RAI Related to DSER Open Item 19.1.3.1-17
Question 720.290 (#2947)
Several operator actions modeled in the ATWS event tree are required to be performed in a very short time. For example: (a) ATW-MAN03 (manually trip the reactor through the PMS in one minute), (b) ATW-MAN04 (manually trip the reactor through the DAS in one minute, given that an earlier attempt to trip the reactor through the PMS fails), (c) ATW-MAN01 (manually step-in control rods in one minute, using the Plant Control System, given that earlier attempts to trip the reactor through the PMS or DAS fail). These three actions have the same "time window" of one minute, defined in page 30-8 as the time from when cues are provided to the time when system failure is expected if no operator action is taken. Westinghouse estimated that approximately one minute is needed to perform both ATW-MAN03 and ATW-MAN04 (30 seconds each). Similarly, Westinghouse estimated that approximately one minute is needed to step-in the control rods (ATW-MAN01) to provide "sufficient" negative reactivity so that opening of the pressurizer safety valves can prevent RCS pressure from exceeding 3200 psig.
Please provide the following information.
: a. What is the "net" time window to manually trip the reactor through DAS (action ATW-MAN04), given that the attempt to manually trip the reactor through PMS (action ATW-MAN03) fails? What is the actual time needed to perform this action? What is the slack time for ATW-MAN04 assuming that this action follows an attempt by the operator to manually trip the reactor through PMS (action ATW-MAN03) that failed? How were dependencies evaluated? Please document your response by referring to specific subtasks and analyses and by stating clearly your assumptions.
: b. What is the "net" time window to manually step-in the control rods (action ATW-MAN01), given that the attempts to manually trip the reactor through PMS (action ATW-MAN03) and through DAS (action ATW-MAN04) have failed? What is the actual time needed to perform this action? What is the slack time for ATW-MAN01 assuming that this action follows the attempts by the operator to manually trip the reactor through both the PMS (action ATW-MAN03) and the DAS (action ATW-MAN04) that have failed? How were dependencies evaluated? Please document your response by referring to specific subtasks and analyses and by stating clearly your assumptions.
: c. How were "mechanical faults," such as binding of rods within their channels and rod drive mechanisms failing to disengage, modeled in the AP600 PRA?
: d. Westinghouse estimated that approximately one minute is needed to step-in the control rods (ATW-MAN01) to provide "sufficient" negative reactivity so that opening of both pressurizer safety valves can prevent RCS pressure from exceeding 3200 psig. Is this true even when an "adverse" moderator temperature coefficient (MTC) exists, such as at the beginning of fuel cycle? How is this modeled in the ATWS event tree? Please provide calculations of RCS pressure for the limiting transient (e.g., total loss of feedwater without turbine trip) assuming early core life MTCs. How was the failure of one safety valve to open modeled in the ATWS event tree?
 
===Response===
: a & b. The "net" time window of 1 minute is estimated for the three operator actions (ATW-MAN01, ATW-MAN03 and ATW-MAN04). ATW-MAN03 and ATW-MAN04 model the actions to trip the reactor through PMS and DAS, respectively; ATW-MAN01 models the action to initiate manual rod insertion. It is assumed that ATW-MAN01 is required to be initiated within one minute after the initiation of a limiting event (from an RCS peak pressure standpoint), and that, once initiated, the action is successful.
These actions are skill-based activities on which the operators are fully trained. The operators are expected to recognize the ATWS cues and execute actions ATW-MAN03 and ATW-MAN04 as immediate actions (without reference to procedures) within a few seconds from event initiation; if these fail, ATW-MAN01 is initiated immediately. In that regard, these actions are expected to be performed in a shorter actual time frame than assumed in the HRA.
The actions are expected to be conducted very quickly in three basic steps: a) the operator recognizes ATWS and executes ATW-MAN03; b) almost immediately, he recognizes the reactor is not tripped and executes ATW-MAN04; and c) he then recognizes that ATW-MAN03 and ATW-MAN04 did not trip the reactor, and initiates manual rod insertion immediately. In other words, it is expected that, once the operator hits (or thinks he hits) the control for ATW-MAN03 and the plant does not respond as expected (i.e., rod-bottom lights indication not obtained within several seconds), he immediately executes ATW-MAN04; action ATW-MAN01 is expected to be executed in a similar way. The rationale in outlining how these actions are expected to be performed is important to show that the actual times modeled in the HRA for these operator actions are conservative; the crew is not expected to stop to investigate why ATW-MAN03 failed before executing ATW-MAN04; similarly, ATW-MAN01 is expected to be initiated without stopping to investigate or recover from failure of ATW-MAN03 and ATW-MAN04. On the other hand, even if it is assumed that the operator attempts each action a few times in the hope of recovering an error, it is believed that the one-minute time window is sufficient to allow for this; however, no credit is taken in the HRA for recovery of these actions that may be possible due to available slack time. The HRA conservatively assumes the operator takes 30 seconds to perform ATW-MAN03, and an additional 10 seconds to carry out ATW-MAN04. The analysis also conservatively assumes that ATW-MAN01 is initiated almost 1 minute after event initiation. For events other than the limiting event, more time would be available.
It will be clarified in the HRA documentation in revision 7 of the PRA that the time window for ATW-MAN01 requires that the action to step in the rods be initiated within 1 minute from the ATWS initiating event.
In the HRA quantification, ATW-MAN04 is assigned a high dependency on ATW-MAN03, and ATW-MAN01 is assigned a high dependency on ATW-MAN03 and ATW-MAN04. The dependency evaluation is performed according to the criteria in Section 30.7 of the HRA.
: c. Mechanical failure of control rods is discussed in Chapter 6 of the PRA; Section 6.6.2 provides the justification for excluding reactor trip failure due to mechanical faults from the ATWS event trees.
: d. The unfavorable exposure time (UET) is the period of time at the beginning of a cycle during which the pressurizer safety valve relief capacity is predicted to be insufficient to maintain RCS pressure below the ASME Service Level C stress limit (3200 psig), as a result of unfavorable reactivity feedback during an ATWS event. The UET is measured in units of time (generally days) from the beginning of the fuel cycle, and the value of UET is a function of, among other parameters, whether or not manual actuation of control rod insertion occurs. As indicated in Section 6.6.3 of the AP600 PRA, analyses performed in support of the AP600 core design indicate that the UET is zero (for the limiting transient) if one RCCA bank is inserted for one minute (at maximum insertion speed), assuming that insertion begins at about one minute after onset of the event. That is, if rod insertion is actuated within one minute following event initiation, there is no UET, so that, if the pressurizer safety valves operate, the RCS pressure will remain below 3200 psig. This is the peak RCS pressure during the limiting ATWS event, which occurs approximately two minutes after onset of the event, as discussed in the analysis provided in the response to RAI 440.26 (Rev. 1).
In the ATWS event trees, two success criteria related to adequacy of pressure relief are defined (see Section 6.4.19 of the AP600 PRA): PRES, which is applicable for sequences in which UET is zero (e.g., where manual rod insertion has succeeded); and PRESU, which is applicable for sequences in which the UET is non-zero (e.g., manual rod insertion has failed). Both criteria require opening of both pressurizer safety valves. The calculation for PRESU additionally factors in a failure probability of 1.0 for that portion of the cycle to which the UET applies.
As indicated in the previous paragraph, failure of one pressurizer safety valve is considered as failure of top event PRES, regardless of time in cycle.
Re: RAI Related to DSER Open Item 19.1.3.1-17
Question 720.291 (#2948)
Several assumptions about "time windows," used in the HRA, are not clear to the staff. For example, a "time window" of 30 minutes is assumed for events LPM-MAN01/LPM-MAN03/LPM-MAN07 (operator failure to recognize the need for RCS depressurization). A 30 minute "time window" is also assumed for event ADN-MAN01 (operator failure to perform RCS depressurization, given LPM-MAN01/LPM-MAN03/LPM-MAN07 success). Does this imply that the total "time window" for depressurizing the RCS (i.e., recognizing the need for depressurization and manually actuating the ADS) is one hour? Does the 30 minute "time window" for task LPM-MAN01 imply that task ADN-MAN01 (actuate ADS) will not be successful if it is initiated after 30 minutes, even if the estimated actual time to complete task ADN-MAN01 is 20 minutes? Is it true that the need to actuate ADS has been diagnosed when the 30 minute "time window" for task ADN-MAN01 begins? Westinghouse responses to the same questions are also needed for the "time window" of 22 minutes for events LPM-MAN02/LPM-MAN04/LPM-MAN08 (operator failure to recognize the need for RCS depressurization during a medium or intermediate LOCA) in combination with the 30 minute "time window" for ADN-MAN01. Please explain.
 
===Response===
The response to this question is included in the sensitivity study documented in Attachment I to this RAI (720.291).
 
Attachment I to RAI 720.291
AP600 Sensitivity Study of Selected Operator Actions Using Unmodified THERP
The operator actions for this sensitivity study are shown in Table A-1; they are selected based on one or more of the following three criteria:
: 1. Operator action is included in the at-power dominant core damage cutsets, and also in the dominant risk increase and/or dominant risk decrease importance evaluation results shown in Chapter 33, Tables 33-6 and 33-7. Each operator action selected for risk increase importance has a contribution greater than 100% of the base case core damage frequency; and each operator action selected for risk decrease importance has a contribution greater than 0.2% of the base case core damage frequency.
: 2. Operator action has a relatively short time window (≤15 min).
: 3. Special operator action(s) identified by the analysts.
The operator action to actuate the CMTs (event CMN-MAN01) is included in Table A-1 because evaluation of this operator action is required for response to RAIs 720.298 and 720.299.
Note: ATWS events are included in Chapter 33 as being important in both the dominant risk increase and risk decrease evaluations. However, the ATWS events are not included in the list of actions for this sensitivity study, since the ATWS HEPs are conservative.
During the PRA update (revision 7), some operator actions are deleted from the PRA and, therefore, NOT included in the list of actions for this sensitivity study as requested by the NRC. The basis or justification for eliminating these operator actions is as follows:
Revision 6 of the PRA documented several cases for recognizing the need to depressurize the reactor coolant system; namely, LPM-MAN01, LPM-MAN02, LPM-MAN03, LPM-MAN04, LPM-MAN07 and LPM-MAN08. During the PRA update, upon review of the success criteria for the operator actions for RCS depressurization, it was determined that only two cases are required (LPM-MAN01 and LPM-MAN02); therefore, the other cases are not included in the list of operator actions in Table A-1. The revised success criteria for LPM-MAN01 and LPM-MAN02 are shown in Table A-3, and their revised HEPs are shown in Table A-2.
Upon review of the success criteria for operator action CVN-MAN04 (Recognize the Need and Align CVCS to Spent Fuel Pool), it was determined that this operator action was not required to satisfy the success criteria for events modeled in the PRA. CVN-MAN04 is deleted from the PRA and, therefore, excluded from Table A-1.
Upon review of the success criteria for operator action PSA-MAN01 (Recognize the Need and Isolate the Accumulator Injection Line), it was determined that the operators cannot complete the action within the specified time window of 1 minute. Therefore, PSA-MAN01 is assigned an HEP of 1.0. In that regard, PSA-MAN01 is excluded from Table A-1.
 
The HEPs for the operator actions in the sensitivity study using the unmodified THERP application and the HEPs for these operator actions used in revision 7 of the PRA are presented in Table A-2.
The results of this sensitivity study indicate that AP600 operator actions quantified by the unmodified THERP application have lower HEPs than the HEPs used in the PRA.
Table A-1: AP600 Sensitivity Study of Selected Operator Actions Using Unmodified THERP
{| class="wikitable"
! Event ID !! Description !! Risk Importance !! PRA Rev. 6 HEP !! Selection Reason / Comment
|-
| LPM-MAN01 || Diagnosis for RCS depressurization given transient or SLOCA || Risk increase; risk decrease || 2.20E-03 || Risk increase and risk decrease importance (HEP revised to 1.34E-03 in PRA Rev. 7)
|-
| LPM-MAN02 || Diagnosis for RCS depressurization given MLOCA || Risk increase; risk decrease || 6.50E-03 || Risk increase and risk decrease importance (HEP revised to 3.30E-03 in PRA Rev. 7)
|-
| ADN-MAN01 || Actuate ADS, given transient or LOCA || Risk increase || 4.93E-04 || Risk increase importance (HEP revised to 3.02E-03 in PRA Rev. 7)
|-
| RHN-MAN01 || Diagnosis and action to align RNS || Risk increase; risk decrease || 2.90E-03 || Risk increase and risk decrease importance
|-
| RCS-MANOD2S || Diagnosis and action to close CVS-V045 & -V046, if automatic closure fails || N/A || 1.39E-02 || Short time window (5 min)
|-
| CIB-MAN00 / CIB-MAN01 || Diagnose SGTR; isolate ruptured SG || N/A || 1.84E-03 / 1.34E-03 || Typical SGTR operator action, similar to action in current plants; for comparison
|-
| CIA-MAN01 || Diagnosis and action to isolate failed SG given SLB || N/A || 5.90E-03 || Short time window (10 min)
|-
| CMN-MAN01 || Actuate CMTs, given transient or LOCA || N/A || 5.10E-03 || Actuation of CMTs and/or ADS share common diagnosis modeled in LPM-MAN01 or LPM-MAN02
|}
 
Table A-2: Sensitivity Results Compared with HEPs in PRA
{| class="wikitable"
! Event ID !! Description !! PRA Rev. 7 HEP !! Unmodified THERP HEP
|-
| LPM-MAN01 || Diagnosis for RCS depressurization given transient or SLOCA || 1.34E-03 || 1.00E-05
|-
| LPM-MAN02 || Diagnosis for RCS depressurization given MLOCA || 3.30E-03 || 3.20E-05
|-
| ADN-MAN01 || Actuate ADS given transient or LOCA || 3.02E-03 || 8.80E-04
|-
| RHN-MAN01 || Diagnosis and action to align RNS || 2.90E-03 || 1.54E-03
|-
| RCS-MANOD2S || Diagnosis and action to close CVS-V045 & -V046, if automatic closure fails || 1.39E-02 || 6.45E-03
|-
| CIB-MAN00 / CIB-MAN01 || Diagnose SGTR; isolate ruptured SG || 1.84E-03 / 1.34E-03 || 2.16E-05 / 1.33E-03
|-
| CIA-MAN01 || Diagnosis and action to isolate failed SG given SLB || 5.90E-03 || 5.36E-03
|-
| CMN-MAN01 || Actuate CMTs, given transient or LOCA || 5.10E-03 || 2.72E-03
|}
 
A.1.0 Recognize the Need for RCS Depressurization
The operator actions to recognize the need and perform RCS depressurization are modeled for various accident conditions with different operating status of the core makeup tanks (CMTs) and automatic depressurization system (ADS).
The operator actions are defined for two initiating event groups as follows:
* Transient (loss of passive residual heat removal system) or small LOCA
* Medium LOCA.
Each initiating event is defined for cases with failure of CMT automatic actuation, and success of CMT automatic actuation with failed ADS automatic actuation; therefore, four cases are defined.
The inputs used to define the different operator action cases are summarized in Table A-3, and details on quantification of the operator actions are provided in the subsections that follow.
 
Table A-3: RCS Depressurization Cases & Characteristics
{| class="wikitable"
! Initiating Event !! Diagnosis ID !! CMT Action ID !! ADS Action ID !! Time Window !! Estimated Actual Time !! Cues !! Comments
|-
| Transient or SLOCA (with failed CMT) || LPM-MAN01 (Need for CMT and ADS) || CMN-MAN01 || ADN-MAN01 || 30 min (for diagnosis & action) || 18 minutes (15 min for diag. and CMT actuation; 3 min from CMT actuation for ADS actuation) || Transient: (failed PRHR; low SG level & low SFW - 2 alarms). SLOCA: (low PZR level; low NR SG level - 2 alarms) || Although the cues may be different for the transient and SLOCA events, the diagnosis is based on the crew response to 2 alarms; therefore, the evaluation is considered to be the same for both initiators. ADN-MAN01 is dependent on CMN-MAN01. Response is essentially for bleed & feed; therefore, concurrent CMT & ADS actuation is expected.
|-
| Transient or SLOCA (with CMT auto success & failed ADS) || LPM-MAN01 (Need for ADS) || N/A || ADN-MAN01 || 30 min (for diagnosis & action) || 18 minutes (for diag. and ADS actuation) || Transient: (failed PRHR; low SG level & low SFW - 2 alarms). SLOCA: (low PZR level; low NR SG level - 2 alarms) || Despite the difference in this case and the above (transient/SLOCA) case with regard to CMT status, the actions to diagnose and actuate ADS are essentially the same. Also, the time window, actual time and cues are judged to be the same. Therefore, the same IDs and HEPs are used for both cases.
|-
| MLOCA (with failed CMT) || LPM-MAN02 (Need for CMT and ADS) || CMN-MAN01 || ADN-MAN01 || 20 min (for diagnosis & action) || 18 minutes (15 min for diag. and CMT actuation, and 3 more min for ADS actuation) || Low PZR level; low PZR pressure - 2 alarms || ADN-MAN01 is dependent on CMN-MAN01. Response is essentially for bleed & feed; concurrent CMT & ADS actuation is expected.
|-
| MLOCA (with CMT auto success & failed ADS) || LPM-MAN02 (Need for ADS) || N/A || ADN-MAN01 || 20 min (for diagnosis & action) || 18 minutes (for diag. and ADS actuation) || Low PZR level; low PZR pressure - 2 alarms || Despite the difference in this case and the above (MLOCA) case with regard to CMT status, the actions to diagnose and actuate ADS are essentially the same. Also, the time window, actual time and cues are judged to be the same. Therefore, the same IDs and HEPs are used for both cases.
|}
 
A.1.1 Recognize the Need for RCS Depressurization and Actuate CMTs, given Transient or SLOCA
LPM-MAN01: Recognize the Need for RCS Depressurization
CMN-MAN01: Actuate the CMTs
This scenario models the operator response (during a transient or small LOCA) to diagnose the need for RCS depressurization and manually actuate the CMTs, given that automatic actuation of the CMTs failed. As outlined in Table A-3, for this scenario, the operators are also required to manually actuate the ADS within the specified time window of 30 minutes. The diagnosis of the event is common to both actions (actuate the CMTs and ADS); failure to actuate the ADS is assigned a high dependency on failure to actuate the CMTs within this time frame.
INPUTS:
: 1) Time window for these activities is 30 minutes.
: 2) Assume diagnosis must be completed within 25 minutes from event initiation, and action execution can be completed in less than 5 minutes. THERP Table 20-3 is applied for the crew cognitive error.
: 3) Assume 2 high priority alarms are provided to which the crew is required to respond; Transient: (failed PRHR; low SG level & low SFW); SLOCA: (low PZR level; low NR SG level).
: 4) In the AP600, the STA function is an integral part of the crew response mechanism; therefore the STA is expected to be in the control room when the event occurs. However, to satisfy THERP, STA presence is credited after 10 minutes from the event initiation.
: 5) During diagnosis, no credit is taken for the STA function; this is believed to be conservative.
: 6) During action execution, the STA function is assigned a high dependency on the function of other crew members.
: 7) The SRO is assigned a high dependency on the RO.
: 8) A shift supervisor (SS) is assumed to be on duty. Conservatively and contrary to THERP, no credit is taken for the SS during diagnosis. However, in accordance with THERP, moderate dependency is assigned for the SS during action execution.
: 9) A high stress level (dynamic tasks) is assigned for this task according to THERP 20-16, item 5.
: 10) Success criterion is 1 of 2 CMTs actuated; however, the HRA model conservatively assumes a success criterion of 2 CMTs actuated.
(D_HEP) Diagnosis Error Calculation:
D1:        Failure to diagnose need for RCS depressurization within 25 minutes = 4.0E-03 [THERP 20-3 & Figure 12-4]
D2(RO):    Failure to respond to 1 of 2 alarms = 1.6E-03 [THERP 20-23 (2)]
D2(SRO):   High crew dependency assigned to SRO = 0.5 [THERP 20-4]
D2 = D2(RO) x D2(SRO) = 1.6E-03 x 0.5 = 8.0E-04; (D_HEP) = D1 x D2 < 1.0E-05.

(A_HEP) Action Execution Calculation:
A1:        a) Select 1 of 2 wrong controls to actuate CMTs (commission error) = 1.3E-03 x 2 = 2.6E-03 [THERP 20-12 (4)]
           b) Omit steps to actuate 1 of 2 CMTs (omission error) = 3.8E-03 x 2 = 7.6E-03 [THERP 20-7 (2)]
           c) Stress multiplier = 5
A1(RO)  =  (a + b) x c = 5.10E-02;
A1(SRO) =  (1 + 5.10E-02)/2 = 0.53 [THERP 20-17]
A1(SS)  =  [1 + (6 x 5.10E-02)]/7 = 0.19 [THERP 20-17]
A1(STA) =  (1 + 5.10E-02)/2 = 0.53 [THERP 20-17]
A1(HEP) =  A1(RO) x A1(SRO) x A1(SS) x A1(STA) = 2.72E-03.
(See Figure A1 for THERP HRA Tree for this event).

COMPARISON:
Action        Current AP600 HEPs    New THERP HEPs
LPM-MAN 01    1.34E-03              1.00E-05
CMN-MAN 01    5.10E-03              2.72E-03
Totals        6.44E-03              2.73E-03
Note:  For this scenario, the operator action (ADN-MAN 01) to actuate the ADS is assigned the high dependency HEP of 5.0E-01.
 
Figure A1: LPM-MAN 01, CMN-MAN 01: Diagnose Need for RCS Depressurization and Actuate CMTs, given Transient or SLOCA (THERP HRA tree; image not reproduced in this text). Tree values: F1 = D1 x D2 < 1.0E-5; fails to SRO recover 0.53; fails to SS recover 0.19; fails to STA recover 0.53; F2 = 2.72E-3; Total HEP = F1 + F2 = 2.73E-3.
 
A.1.2 Recognize the Need for RCS Depressurization and Actuate the ADS, given Transient or SLOCA

LPM-MAN 01:            Recognize the Need for RCS Depressurization
ADN-MAN 01:            Actuate the ADS

This scenario models the operator response (during a transient or small LOCA) to diagnose the need for RCS depressurization and manually actuate the ADS, given that automatic actuation of the CMTs succeeded and automatic actuation of the ADS failed.

As outlined in Table A-3, for this scenario, the operators are required to diagnose the event and actuate the ADS within the specified time window of 30 minutes.

INPUTS:
: 1)    Time Window for these activities is 30 minutes.
: 2)    Assume diagnosis must be completed within 25 minutes from event initiation; and action execution can be completed in less than 5 minutes. The same time division is used for this case and the case with failed CMT evaluated in Section 1.1, even though the operators have more time to actuate the ADS in this case. THERP Table 20-3 is applied for the crew cognitive error.
: 3)    Assume 2 high priority alarms are provided to which the crew is required to respond; Transient: (failed PRHR; low SG level & low SFW); SLOCA: (low PZR level; low NR SG level).
: 4)    In the AP600, the STA function is an integral part of the crew response mechanism; therefore the STA is expected to be in the control room when the event occurs. However, to satisfy THERP, STA presence is credited after 10 minutes from the event initiation.
: 5)    During diagnosis, no credit is taken for the STA function; this is believed to be conservative.
: 6)    During action execution, STA function is assigned a high dependency on the function of other crew members.
: 7)    SRO is assigned a high dependency on the RO.
: 8)    A shift supervisor (SS) is assumed to be on duty. Conservatively and contrary to THERP, no credit is taken for the SS during diagnosis. However, in accordance with THERP, moderate dependency is assigned for the SS during action execution.
: 9)    A high stress level (dynamic tasks) is assigned for this task according to THERP 20-16, item 5.
: 10)   Assume ADS stage 1 is actuated first, and the other stages are sequentially actuated. Actuating stage 2, 3 or 4 is assigned a moderate dependency on failing the stage 1 action.

(D_HEP) Diagnosis Error Calculation:
D1:        Failure to diagnose need for RCS depressurization within 25 minutes = 4.0E-03 [THERP 20-3 & Figure 12-4]
D2(RO):    Failure to respond to 1 of 2 alarms = 1.6E-03 [THERP 20-23 (2)]
D2(SRO):   High crew dependency assigned to SRO = 0.5 [THERP 20-4]
D2 = D2(RO) x D2(SRO) = 1.6E-03 x 0.5 = 8.0E-04; (D_HEP) = D1 x D2 < 1.0E-05.

(A_HEP) Action Execution Calculation:
A1:        a) Select wrong controls to actuate stage 1 (commission error) = 1.3E-03 [THERP 20-12 (4)]
           b) Select wrong control to actuate stage 2, 3 or 4 (commission error) = (1.5E-01 x 3) = 4.5E-01 (moderate dependency application - THERP 20-18)
           c) Omit steps to actuate stage 1 (omission error) = 3.8E-03 [THERP 20-7 (2)]
           d) Omit steps to actuate stage 2, 3 or 4 (omission error) = (1.5E-01 x 3) = 4.5E-01 (moderate dependency application - THERP 20-18)
           e) Stress multiplier = 5
A1(RO,SRO) =  [(a x b) + (c x d)] x e = (5.85E-04 + 1.71E-03) x 5 = 1.15E-02;
A1(SS)     =  [1 + (6 x 1.15E-02)]/7 = 0.15 [THERP 20-17]
A1(STA)    =  (1 + 1.15E-02)/2 = 0.51 [THERP 20-17]
A1(HEP)    =  A1(RO,SRO) x A1(SS) x A1(STA) = 8.80E-04.
(See Figure A2 for THERP HRA Tree for this event).

COMPARISON:
Action        Current AP600 HEPs    New THERP HEPs
LPM-MAN 01    1.34E-03              1.00E-05
ADN-MAN 01    3.02E-03              8.80E-04
Totals        4.36E-03              8.90E-04
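The THERP arithmetic shared by the A.1.1 and A.1.2 calculations above, as an added example (editor's Python, not part of the Westinghouse submittal). The BHEPs and table references are the page's; the Scenario layout, function names and the rounding convention are assumptions, and the three dependency levels the page does not use are the standard THERP Table 20-17 set.

```python
"""THERP-style HEP arithmetic as used in the AP600 HRA calculations above.

Added example, not part of the Westinghouse submittal: the BHEPs and THERP
table references are the ones quoted on the page; the Scenario layout and the
function names are the editor's own. Decimal arithmetic with half-up rounding
is used because the page multiplies the *rounded* intermediate values
(0.53, 0.19, ...), which is what reproduces 2.72E-03 exactly.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP


def D(x) -> Decimal:
    """Exact Decimal from a literal such as '1.3E-03' (avoids float error)."""
    return Decimal(str(x))


# THERP Table 20-17: probability that a checker also fails, given that the
# performer failed with HEP x. The page uses only "high" and "moderate"; the
# other three levels are the standard THERP set.
DEPENDENCY = {
    "zero": lambda x: x,
    "low": lambda x: (1 + 19 * x) / 20,
    "moderate": lambda x: (1 + 6 * x) / 7,
    "high": lambda x: (1 + x) / 2,
    "complete": lambda x: D(1),
}
SRO_DIAGNOSIS_COND = D("0.5")   # D2(SRO): high dependency on the RO [THERP 20-4]
DIAGNOSIS_FLOOR = D("1.0E-05")  # the page tabulates "< 1.0E-05" as 1.00E-05


def round_sig(x: Decimal, n: int) -> Decimal:
    """Round to n significant figures, half up, as in the hand calculation."""
    if x == 0:
        return x
    quantum = Decimal(1).scaleb(x.adjusted() - n + 1)
    return x.quantize(quantum, rounding=ROUND_HALF_UP)


@dataclass
class Scenario:
    name: str
    d1: Decimal            # failure to diagnose in the time window [THERP 20-3]
    alarm_miss: Decimal    # D2(RO): fail to respond to 1 of n alarms [THERP 20-23]
    error_terms: list      # performer's commission/omission terms, pre-multiplied
    recoveries: tuple      # dependency level of each recovery check, in order
    stress: Decimal = D(5) # dynamic-task stress multiplier [THERP 20-16 (5)]


def diagnosis_hep(s: Scenario) -> Decimal:
    """D_HEP = D1 x D2, where D2 = D2(RO) x D2(SRO), floored as on the page."""
    return max(s.d1 * s.alarm_miss * SRO_DIAGNOSIS_COND, DIAGNOSIS_FLOOR)


def performer_hep(s: Scenario) -> Decimal:
    """A1(RO) = (sum of error terms) x stress, kept to 3 significant figures."""
    return round_sig(sum(s.error_terms) * s.stress, 3)


def recovery_conditionals(s: Scenario) -> list:
    """Conditional failure probability of each recovery check, 2 decimals."""
    x = performer_hep(s)
    return [DEPENDENCY[level](x).quantize(D("0.01"), rounding=ROUND_HALF_UP)
            for level in s.recoveries]


def action_hep(s: Scenario) -> Decimal:
    """A_HEP = A1(RO) x product of the recovery conditionals (F2 in the tree)."""
    hep = performer_hep(s)
    for cond in recovery_conditionals(s):
        hep *= cond
    return round_sig(hep, 3)


def total_hep(s: Scenario) -> Decimal:
    """Total HEP = F1 + F2, the figure at the foot of each HRA tree."""
    return round_sig(diagnosis_hep(s) + action_hep(s), 3)


# A.1.1: LPM-MAN 01 + CMN-MAN 01. Recoveries: SRO (high), SS (moderate), STA (high).
CMT_TRANSIENT = Scenario(
    name="A.1.1 actuate CMTs, transient/SLOCA",
    d1=D("4.0E-03"), alarm_miss=D("1.6E-03"),
    error_terms=[D("1.3E-03") * 2,   # a) select 1 of 2 wrong controls [20-12 (4)]
                 D("3.8E-03") * 2],  # b) omit steps for 1 of 2 CMTs [20-7 (2)]
    recoveries=("high", "moderate", "high"),
)

# A.1.2: LPM-MAN 01 + ADN-MAN 01. Stages 2-4 carry a moderate dependency on the
# stage-1 action (0.15 x 3 = 0.45), and the SRO is folded into the performer
# term A1(RO,SRO), so only the SS and STA recoveries remain.
ADS_TRANSIENT = Scenario(
    name="A.1.2 actuate ADS, transient/SLOCA",
    d1=D("4.0E-03"), alarm_miss=D("1.6E-03"),
    error_terms=[D("1.3E-03") * D("0.45"),   # a x b: commission, stage 1 then 2-4
                 D("3.8E-03") * D("0.45")],  # c x d: omission, stage 1 then 2-4
    recoveries=("moderate", "high"),
)

if __name__ == "__main__":
    for s in (CMT_TRANSIENT, ADS_TRANSIENT):
        print(f"{s.name}: D_HEP={diagnosis_hep(s):.2E}, A1={performer_hep(s)}, "
              f"recoveries={recovery_conditionals(s)}, "
              f"A_HEP={action_hep(s):.2E}, total={total_hep(s):.2E}")
```

Changing only d1 to 4.0E-02 (the 15-minute MLOCA window) reproduces the A.1.3 and A.1.4 figures; the A.2 and A.3 cases follow by swapping in their own error terms and recovery lists.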
 
Figure A2: LPM-MAN 01, ADN-MAN 01: Diagnose Need for RCS Depressurization and Actuate ADS, given Transient or SLOCA (THERP HRA tree; image not reproduced in this text). Tree values: F1 = D1 x D2 < 1.0E-5; fails to SS recover 0.15; fails to STA recover 0.51; F2 = 8.80E-4; Total HEP = F1 + F2 = 8.90E-4.
 
A.1.3 Recognize the Need for RCS Depressurization and Actuate CMTs, given MLOCA

LPM-MAN 02:            Recognize the Need for RCS Depressurization
CMN-MAN 01:            Actuate the CMTs

This scenario models the operator response (during a medium LOCA) to diagnose the need for RCS depressurization and manually actuate the CMTs, given that automatic actuation of the CMTs failed.

As outlined in Table A-3, for this scenario, the operators are also required to manually actuate the ADS within the specified time window of 20 minutes. The diagnosis of the event is common to both actions (actuate the CMTs and ADS); failure to actuate the ADS is assigned a high dependency on failure to actuate the CMTs within this time frame.

INPUTS:
: 1)    Time Window for these activities is 20 minutes.
: 2)    Assume diagnosis must be completed within 15 minutes from event initiation; and action execution can be completed in less than 5 minutes. THERP Table 20-3 is applied for the crew cognitive error.
: 3)    Assume 2 high priority alarms are provided to which the crew is required to respond: a) low PZR level; and b) low PZR pressure.
: 4)    In the AP600, the STA function is an integral part of the crew response mechanism; therefore the STA is expected to be in the control room when the event occurs. However, to satisfy THERP, STA presence is credited after 10 minutes from the event initiation.
: 5)    During diagnosis, no credit is taken for the STA function; this is believed to be conservative.
: 6)    During action execution, STA function is assigned a high dependency on the function of other crew members.
: 7)    SRO is assigned a high dependency on the RO.
: 8)    A shift supervisor (SS) is assumed to be on duty. Conservatively and contrary to THERP, no credit is taken for the SS during diagnosis. However, in accordance with THERP, moderate dependency is assigned for the SS during action execution.
: 9)    A high stress level (dynamic tasks) is assigned for this task according to THERP 20-16, item 5.
: 10)   Success criterion is 1 of 2 CMTs actuated; however, the HRA model conservatively assumes a success criterion of 2 CMTs actuated.
 
(D_HEP) Diagnosis Error Calculation:
D1:        Failure to diagnose need for RCS depressurization within 15 minutes = 4.0E-02 [THERP 20-3 & Figure 12-4]
D2(RO):    Failure to respond to 1 of 2 alarms = 1.6E-03 [THERP 20-23 (2)]
D2(SRO):   High crew dependency assigned to SRO = 0.5 [THERP 20-4]
D2 = D2(RO) x D2(SRO) = 1.6E-03 x 0.5 = 8.0E-04; (D_HEP) = D1 x D2 = 3.20E-05.

(A_HEP) Action Execution Calculation:
A1:        a) Select 1 of 2 wrong controls to actuate CMTs (commission error) = 1.3E-03 x 2 = 2.6E-03 [THERP 20-12 (4)]
           b) Omit steps to actuate 1 of 2 CMTs (omission error) = 3.8E-03 x 2 = 7.6E-03 [THERP 20-7 (2)]
           c) Stress multiplier = 5
A1(RO)  =  (a + b) x c = 5.10E-02;
A1(SRO) =  (1 + 5.10E-02)/2 = 0.53 [THERP 20-17]
A1(SS)  =  [1 + (6 x 5.10E-02)]/7 = 0.19 [THERP 20-17]
A1(STA) =  (1 + 5.10E-02)/2 = 0.53 [THERP 20-17]
A1(HEP) =  A1(RO) x A1(SRO) x A1(SS) x A1(STA) = 2.72E-03.
(See Figure A3 for THERP HRA Tree for this event).

COMPARISON:
Action        Current AP600 HEPs    New THERP HEPs
LPM-MAN 02    3.30E-03              3.20E-05
CMN-MAN 01    5.10E-03              2.72E-03
Totals        8.40E-03              2.75E-03
Note:  For this scenario, the operator action (ADN-MAN 01) to actuate the ADS is assigned the high dependency HEP of 5.0E-01.
 
Figure A3: LPM-MAN 02, CMN-MAN 01: Diagnose Need for RCS Depressurization and Actuate CMTs, given MLOCA (THERP HRA tree; image not reproduced in this text). Tree values: F1 = D1 x D2 = 3.20E-5; fails to SRO recover 0.53; fails to SS recover 0.19; fails to STA recover 0.53; F2 = 2.72E-3; Total HEP = F1 + F2 = 2.75E-3.
 
A.1.4 Recognize the Need for RCS Depressurization and Actuate the ADS, given MLOCA

LPM-MAN 02:            Recognize the Need for RCS Depressurization
ADN-MAN 01:            Actuate the ADS

This scenario models the operator response (during a medium LOCA) to diagnose the need for RCS depressurization and manually actuate the ADS, given that automatic actuation of the CMTs succeeded and automatic actuation of the ADS failed.

As outlined in Table A-3, for this scenario, the operators are required to diagnose the event and actuate the ADS within the specified time window of 20 minutes.

INPUTS:
: 1)    Time Window for these activities is 20 minutes.
: 2)    Assume diagnosis must be completed within 15 minutes from event initiation; and action execution can be completed in less than 5 minutes. The same time division is used for this case and the case with failed CMT evaluated in Section 1.3, even though the operators have more time to actuate the ADS in this case. THERP Table 20-3 is applied for the crew cognitive error.
: 3)    Assume 2 high priority alarms are provided to which the crew is required to respond: a) low PZR level; and b) low PZR pressure.
: 4)    In the AP600, the STA function is an integral part of the crew response mechanism; therefore the STA is expected to be in the control room when the event occurs. However, to satisfy THERP, STA presence is credited after 10 minutes from the event initiation.
: 5)    During diagnosis, no credit is taken for the STA function; this is believed to be conservative.
: 6)    During action execution, STA function is assigned a high dependency on the function of other crew members.
: 7)    SRO is assigned a high dependency on the RO.
: 8)    A shift supervisor (SS) is assumed to be on duty. Conservatively and contrary to THERP, no credit is taken for the SS during diagnosis. However, in accordance with THERP, moderate dependency is assigned for the SS during action execution.
: 9)    A high stress level (dynamic tasks) is assigned for this task according to THERP 20-16, item 5.
: 10)   Assume ADS stage 1 is actuated first, and the other stages are sequentially actuated. Actuating stage 2, 3 or 4 is assigned a moderate dependency on failing the stage 1 action.
 
(D_HEP) Diagnosis Error Calculation:
D1:        Failure to diagnose need for RCS depressurization within 15 minutes = 4.0E-02 [THERP 20-3 & Figure 12-4]
D2(RO):    Failure to respond to 1 of 2 alarms = 1.6E-03 [THERP 20-23 (2)]
D2(SRO):   High crew dependency assigned to SRO = 0.5 [THERP 20-4]
D2 = D2(RO) x D2(SRO) = 1.6E-03 x 0.5 = 8.0E-04; (D_HEP) = D1 x D2 = 3.20E-05.

(A_HEP) Action Execution Calculation:
A1:        a) Select wrong controls to actuate stage 1 (commission error) = 1.3E-03 [THERP 20-12 (4)]
           b) Select wrong control to actuate stage 2, 3 or 4 (commission error) = (1.5E-01 x 3) = 4.5E-01 (moderate dependency application - THERP 20-18)
           c) Omit steps to actuate stage 1 (omission error) = 3.8E-03 [THERP 20-7 (2)]
           d) Omit steps to actuate stage 2, 3 or 4 (omission error) = (1.5E-01 x 3) = 4.5E-01 (moderate dependency application - THERP 20-18)
           e) Stress multiplier = 5
A1(RO,SRO) =  [(a x b) + (c x d)] x e = (5.85E-04 + 1.71E-03) x 5 = 1.15E-02;
A1(SS)     =  [1 + (6 x 1.15E-02)]/7 = 0.15 [THERP 20-17]
A1(STA)    =  (1 + 1.15E-02)/2 = 0.51 [THERP 20-17]
A1(HEP)    =  A1(RO,SRO) x A1(SS) x A1(STA) = 8.80E-04.
(See Figure A4 for THERP HRA Tree for this event).

COMPARISON:
Action        Current AP600 HEPs    New THERP HEPs
LPM-MAN 02    3.30E-03              3.20E-05
ADN-MAN 01    3.02E-03              8.80E-04
Totals        6.32E-03              9.12E-04
 
Figure A4: LPM-MAN 02, ADN-MAN 01: Diagnose Need for RCS Depressurization and Actuate ADS, given MLOCA (THERP HRA tree; image not reproduced in this text). Tree values: F1 = D1 x D2 = 3.20E-5; fails to SS recover 0.15; fails to STA recover 0.51; F2 = 8.80E-4; Total HEP = F1 + F2 = 9.12E-4.
 
A.2          RHN-MAN 01 - Align Normal Residual Heat Removal System

The RHN-MAN 01 operator action evaluates the probability of failure to recognize the need and failure to align the normal residual heat removal system during a loss of coolant accident, loss of offsite power, or transient. For this scenario, the plant is in reactor coolant system cooling mode.

Operator action RHN-MAN 01 is tied to the operator actions for diagnosis and actuation of the CMTs and/or ADS evaluated in Section 1.0. The AP600 emergency response guidelines are designed such that the operators are asked to: a) ensure CMT actuation in step 6 of AE-0 (Reactor Trip or Safety Injection); b) ensure ADS actuation in steps 11a through 11e; and c) align RNS to inject IRWST to RCS in step 11f. These steps are part of the "Immediate Action" steps in AE-0 consisting of steps 1 through 13. Therefore, the actions are expected to be performed very early in the event.

The diagnosis for determining the need for ADS actuation is also applicable to recognizing the need for RNS alignment; as stated above, ADS actuation and RNS alignment are substeps of AE-0, step 11 (Check if ADS Should Be Actuated). However, diagnosis is conservatively modeled in RHN-MAN 01 for recognizing the need for RNS alignment.

As shown in Table A-3, the time window of 20 minutes, for actuating CMTs and/or ADS during a medium LOCA, is the more limiting time window. Therefore, this same time window is applied to the evaluation for aligning the RNS.

INPUTS:
: 1)    Time Window for these activities is 20 minutes.
: 2)    Assume diagnosis must be completed within 15 minutes from event initiation; and action execution can be completed in less than 5 minutes. THERP Table 20-3 is applied for the crew cognitive error.
: 3)    Assume 3 high priority alarms are provided to which the crew is required to respond (i.e., ADS stage actuation alarms).
: 4)    In the AP600, STA function is an integral part of the crew response mechanism; therefore the STA is expected to be in the control room when the event occurs. However, to satisfy THERP, STA presence is credited after 10 minutes from the event initiation.
: 5)    During diagnosis, no credit is taken for the STA function; this is believed to be conservative.
: 6)    During action execution, STA function is assigned a high dependency on the function of other crew members.
: 7)    SRO is assigned a high dependency on the RO.
: 8)    A shift supervisor (SS) is assumed to be on duty. Conservatively and contrary to THERP, no credit is taken for the SS during diagnosis. However, in accordance with THERP, moderate dependency is assigned for the SS during action execution.
: 9)    A high stress level (dynamic tasks) is assigned for this task according to THERP 20-16, item 5.
(D_HEP) Diagnosis Error Calculation:
D1:        Failure to diagnose need to align the RNS within 15 minutes = 4.0E-02 [THERP 20-3 & Figure 12-4]
D2(RO):    Failure to respond to 1 of 3 alarms = 2.7E-03 [THERP 20-23 (3)]
D2(SRO):   High crew dependency assigned to SRO = 0.5 [THERP 20-4]
D2 = D2(RO) x D2(SRO) = 1.35E-03; (D_HEP) = D1 x D2 = 5.40E-05.

(A_HEP) Action Execution Calculation:
A1:        a) Set control to the wrong position to align RNS (commission error) = 2.7E-03 [THERP 20-12 (9)]
           b) Omit step to align RNS (omission error) = 3.8E-03 [THERP 20-7 (2)]
           c) Stress multiplier = 5
A1(RO)  =  (a + b) x c = 3.25E-02;
A1(SRO) =  (1 + 3.25E-02)/2 = 0.52 [THERP 20-17]
A1(SS)  =  [1 + (6 x 3.25E-02)]/7 = 0.17 [THERP 20-17]
A1(STA) =  (1 + 3.25E-02)/2 = 0.52 [THERP 20-17]
A1(HEP) =  A1(RO) x A1(SRO) x A1(SS) x A1(STA) = 1.49E-03.
(See Figure A5 for THERP HRA Tree for this event).

COMPARISON:
Action        Current AP600 HEPs    New THERP HEPs
RHN-MAN 01    2.90E-03              1.54E-03
 
Figure A5: RHN-MAN 01: Align RNS (THERP HRA tree; image not reproduced in this text). Tree values: F1 = D1 x D2 = 5.4E-4 as printed (the calculation above gives 5.40E-05); fails to SRO recover 0.52; fails to SS recover 0.17; fails to STA recover 0.52; F2 = 1.49E-3; Total HEP = F1 + F2 = 1.54E-3.
 
A.3          RCS-MANODS2 - Close AOVs CVS-V045 or -V047, Given Failure of Valves to Close Automatically

The RCS-MANODS2 operator action evaluates the probability of failure to detect failure of automatic closure of air-operated valves CVS-V045 and -V047, when low hot leg level is reached during draining of the system to mid-loop, and failure to manually close the valves.

For this scenario, the operator initiates draining through the chemical and volume control system and stops monitoring the RCS level. The RCS drains down to low hot leg level. Air-operated valves CVS-V045 and -V047 are required to close automatically upon receipt of low hot leg level signals. If automatic closure of the valves fails, the operators are required to close them.

INPUTS:
: 1)    Time Window for these activities is 5 minutes.
: 2)    Assume diagnosis must be completed within 3 minutes from when the low hot leg level setpoint is reached; and action execution can be completed in less than 1 minute. THERP Table 20-3 is applied for the crew cognitive error.
: 3)    Assume 1 high priority alarm is provided to which the crew is required to respond (i.e., low hot leg level alarm).
: 4)    In the AP600, STA function is an integral part of the crew response mechanism; therefore the STA is expected to be in the control room when the event occurs. However, to satisfy THERP, STA presence is credited after 10 minutes from the event initiation. Therefore, no credit is taken for the STA function in this evaluation; this is believed to be conservative.
: 5)    SRO is assigned a high dependency on the RO.
: 6)    No credit is taken for the shift supervisor (SS) during this event. According to THERP Table 20-4, the shift supervisor may be credited from 5 minutes into the event.
: 7)    A high stress level (dynamic tasks) is assigned for this task according to THERP 20-16, item 5.
: 8)    It is assumed that the controls for closing the valves are located together, and would be operated at the same time by one operator; therefore total dependency is assumed among the actions to close the valves.

(D_HEP) Diagnosis Error Calculation:
D1:        Failure to diagnose need to close valves CVS-V045 & -V047 within 3 minutes = 5.0E-01 [THERP 20-3 & Figure 12-4]
D2(RO):    Failure to respond to 1 of 1 alarm = 2.7E-04 [THERP 20-23 (1)]
D2(SRO):   High crew dependency assigned to SRO = 0.5 [THERP 20-4]
D2 = D2(RO) x D2(SRO) = 1.35E-04; (D_HEP) = D1 x D2 = 6.75E-05.
 
(A_HEP) Action Execution Calculation:
A1:        a) Select wrong control to close CVS-V045 & -V047 (commission error) = 1.2E-03 [THERP 20-2 (3)]
           b) Omit action to close CVS-V045 & -V047 (omission error) = 1.3E-03 [THERP 20-7 (1)]
           c) Stress multiplier = 5
A1(RO)  =  (a + b) x c = 1.25E-02;
A1(SRO) =  (1 + 1.25E-02)/2 = 0.51 [THERP 20-17]
A1(HEP) =  A1(RO) x A1(SRO) = 6.38E-03.
(See Figure A6 for THERP HRA Tree for this event).

COMPARISON:
Action        Current AP600 HEPs    New THERP HEPs
RCS-MANODS2   1.39E-02              6.45E-03
 
Figure A6: RCS-MANODS2: Close CVS-V045 or CVS-V047 if automatic closure fails (THERP HRA tree; image not reproduced in this text). Tree values: F1 = D1 x D2 = 6.75E-5; fails to SRO recover 0.51; F2 = 6.38E-3; Total HEP = F1 + F2 = 6.45E-3.
 
A.4                      CIB-MAN 00/CIB MAN 01: Diagnose SGTR and Isolate Ruptured SG The CIB-MAN 00 & CIB-MAN 01 operator actions evaluate the probability of failure to diagnose a SGTR event and failure to isolate the faulted steam generator,                                  ,
INPUTS:
: 1)                      Time Window for these activities is 30 minutes.
: 2)                        Assume diagnosis must be completed within 20 minutes from event initiation; that leaves 10 minutes for action execution. THERP Table 20-3 is applied for the crew cognitive error.
: 3)                      Assume 2 high priority alarms are provided to which the crew is required to respond: a) high radiation alarm; and b) high SG level.
: 4)                      In the AP600, STA function is an integral part of the crew response mechanism; therefore die STA is expected to be in the control room when the event occurs. However, to satisfy THERP, STA presence is credited after 10 minutes from the event initiation.
: 5)                      During diagnosis, no credit is taken for the STA function; this is believed to be conservative.
: 6)                      During action execution, STA function is assigned a high dependency on the function of other crew members.
: 7)                      SRO is assigned a high dependency on the RO.
: 8)                      A shift supervisor (SS) is assumed to be on duty. Conservatively and contrary to THERP, no credit is taken for the SS during diagnosis. However, in accordance with THERP, moderate dependency is assigned for the SS during action execution.
: 9)                      A high stress level (dynamic tasks) is assigned for this task according to THERP 20-16, ite m 5.
D(HEP) Diagnosis Error Calculation:
D1: Failure to diagnose SGTR within 20 minutes = 2.7E-02 [THERP 20-3 (3)]
D2(RO): Failure to respond to 1 of 2 alarms = 1.6E-03 [THERP 20-23 (2)]
D2(SRO): High crew dependency assigned to SRO = 0.5 [THERP 20-4]
D2 = D2(RO) x D2(SRO) = 1.6E-03 x 0.5 = 8.0E-04; D(HEP) = D1 x D2 = 2.16E-05.
A(HEP) Action Execution Calculation:
A1: a) Select wrong control for MSIV (commission error) = 1.3E-03 [THERP 20-12 (4)]
b) Omit step to close MSIV (omission error) = 3.8E-03 [THERP 20-7 (2)]
c) Stress multiplier = 5
A1(RO) = (a + b) x c = 2.55E-02; A1(SRO) = (1 + 2.55E-02)/2 = 0.51 [THERP 20-17]
A1(SS) = [1 + (6 x 2.55E-02)]/7 = 0.16 [THERP 20-17]
A1(STA) = (1 + 2.55E-02)/2 = 0.51 [THERP 20-17]
A1(HEP) = A1(RO) x A1(SRO) x A1(SS) x A1(STA) = 1.06E-03.
A2: a) Select wrong control for 2 of 2 blowdown valves (commission error); moderate dependency applied = 1.3E-03 x 0.15 = 1.95E-04 [THERP 20-12 (4); & 20-18]
b) Omit steps to close 2 of 2 blowdown valves (omission error); moderate dependency applied = 3.8E-03 x 0.15 = 5.7E-04 [THERP 20-7 (2); & 20-18]
c) Stress multiplier = 5
A2(RO) = (a + b) x c = 3.825E-03; A2(SRO) = 0.5 [THERP 20-18]
A2(SS) = 0.15 [THERP 20-18]
A2(STA) = 0.5 [THERP 20-18]
A2(HEP) = A2(RO) x A2(SRO) x A2(SS) x A2(STA) = 1.43E-04.
A3: a) Select wrong control for 2 of 2 feedwater valves (commission error); moderate dependency applied = 1.3E-03 x 0.15 = 1.95E-04 [THERP 20-12 (4); & 20-18]
b) Omit steps to close 2 of 2 feedwater valves (omission error); moderate dependency applied = 3.8E-03 x 0.15 = 5.7E-04 [THERP 20-7 (2); & 20-18]
c) Stress multiplier = 5
A3(RO) = (a + b) x c = 3.825E-03; A3(SRO) = 0.5 [THERP 20-18]
A3(SS) = 0.15 [THERP 20-18]
A3(STA) = 0.5 [THERP 20-18]
A3(HEP) = A3(RO) x A3(SRO) x A3(SS) x A3(STA) = 1.43E-04.
Therefore, the total action execution HEP, A(HEP), is: A1(HEP) + A2(HEP) + A3(HEP) = 1.33E-03.
(See Figure A7 for the THERP HRA tree for this event).
COMPARISON:
{| class="wikitable"
! Action !! Current AP600 HEPs !! New THERP HEPs
|-
| CIB-MAN00 || 1.84E-03 || 2.16E-05
|-
| CIB-MAN01 || 1.34E-03 || 1.33E-03
|-
| Totals || 3.18E-03 || 1.35E-03
|}
Figure A7: THERP HRA tree for CIB-MAN00, CIB-MAN01: Diagnose SGTR and Isolate Ruptured SG (figure not reproduced). Failure paths shown in the figure: F1 = D1 x D2 = 2.16E-5; F2 = 1.02E-3; F3 = 1.44E-4; F4 = 1.44E-4; Total HEP = F1 + F2 + F3 + F4 = 1.33E-3.
A.5 CIA-MAN01: Recognize the Need and Isolate Failed SG given a Steam Line Break
The CIA-MAN01 operator action evaluates the probability of failure to recognize the need and failure to isolate the failed steam generator following a steam line break.
INPUTS:
: 1) The time window for these activities is 10 minutes.
: 2) Assume diagnosis must be completed within 8 minutes from when the cues are presented to the crew; that leaves 2 minutes for action execution. THERP Table 20-3 is applied for the crew cognitive error.
: 3) Assume 2 high priority alarms are provided to which the crew is required to respond: a) low-2 SG NR level; and b) low steam line pressure.
: 4) For this event, no credit is taken for the STA function. In the AP600, the STA function is an integral part of the crew response mechanism; therefore the STA is expected to be in the control room when the event occurs. However, to satisfy THERP, STA presence is credited after 10 minutes from the event initiation.
: 7) The SRO is assigned a high dependency on the RO.
: 8) A shift supervisor (SS) is assumed to be on duty. Conservatively and contrary to THERP, no credit is taken for the SS during diagnosis. However, in accordance with THERP, moderate dependency is assigned for the SS during action execution.
: 9) A high stress level (dynamic tasks) is assigned for this task according to THERP 20-16, item 5.
D(HEP) Diagnosis Error Calculation:
D1: Failure to diagnose SLB within 8 minutes = 2.7E-01 [THERP 20-3 (1)]
D2(RO): Failure to respond to 1 of 2 alarms = 1.6E-03 [THERP 20-23 (3)]
D2(SRO): High crew dependency assigned to SRO = 0.5 [THERP 20-4]
D2 = D2(RO) x D2(SRO) = 1.6E-03 x 0.5 = 8.0E-04.
D(HEP) = D1 x D2 = 2.16E-04.
A(HEP) Action Execution Calculation:
A1: a) Select wrong control for 1 of 2 valves (commission error) = 1.3E-03 x 2 = 2.6E-03 [THERP 20-12 (4)]
b) Omit step to close 1 of 2 valves (omission error) = 3.8E-03 x 2 = 7.6E-03 [THERP 20-7 (2)]
c) Stress multiplier = 5
A1(RO) = (a + b) x c = 5.1E-02;
A1(SRO) = (1 + 5.1E-02)/2 = 0.53 [THERP 20-17]
A1(SS) = [1 + (6 x 5.1E-02)]/7 = 0.19 [THERP 20-17]
A1(HEP) = A1(RO) x A1(SRO) x A1(SS) = 5.14E-03

(See Figure A8 for THERP HRA Tree for this event).
COMPARISON:
{| class="wikitable"
! Action !! Current AP600 HEPs !! New THERP HEPs
|-
| CIA-MAN01 || 5.90E-03 || 5.36E-03
|}

Figure A8: THERP HRA tree for CIA-MAN01: Diagnose Steam Line Break and Isolate Failed SG (figure not reproduced). Failure paths shown in the figure: F1 = D1 x D2 = 2.16E-4; F2 = 5.14E-3; Total HEP = F1 + F2 = 5.36E-3.
 
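As an added illustration, not part of the Westinghouse submittal, the following Python reproduces the crew-dependency arithmetic of the CIB-MAN01 and CIA-MAN01 worksheets above: the RO subtask HEP is the commission and omission BHEPs times the stress multiplier, each recovering crew member's conditional HEP comes from the THERP Table 20-17 dependency equations rounded to two significant figures as the worksheets do, and the subtask HEP is the product of all of them. The function names and the `round_sig` helper are this example's own.

```python
"""Added example (not from the Westinghouse submittal): THERP crew-dependency
HEP arithmetic reproducing the CIB-MAN01 (A.4) and CIA-MAN01 (A.5) worksheets."""
import math
from typing import Dict, List, Tuple

# THERP Table 20-17 dependency equations: conditional HEP of a recovering
# crew member, given the HEP p of the person being checked.
DEPENDENCY = {
    "zero": lambda p: p,
    "low": lambda p: (1 + 19 * p) / 20,
    "moderate": lambda p: (1 + 6 * p) / 7,
    "high": lambda p: (1 + p) / 2,
    "complete": lambda p: 1.0,
}


def round_sig(x: float, sig: int = 2) -> float:
    """Round to `sig` significant figures; the worksheets quote 0.51, 0.16, 0.53, 0.19."""
    if x == 0:
        return 0.0
    return round(x, sig - 1 - int(math.floor(math.log10(abs(x)))))


def subtask_hep(commission: float, omission: float, stress: float,
                recovery: List[Tuple[str, str]]) -> Dict[str, float]:
    """One action-execution subtask laid out as in the worksheets.

    commission, omission: RO basic HEPs (Tables 20-12 and 20-7), already
    scaled by the worksheet's valve-count or task-dependency factor;
    stress: Table 20-16 multiplier; recovery: (crew member, dependency
    level) pairs. Returns the RO HEP, each member's rounded conditional
    HEP, and "HEP", the product of all of them.
    """
    ro = (commission + omission) * stress
    result = {"RO": ro}
    hep = ro
    for member, level in recovery:
        conditional = round_sig(DEPENDENCY[level](ro))
        result[member] = conditional
        hep *= conditional
    result["HEP"] = hep
    return result


def diagnosis_hep(d1: float, d2_ro: float, d2_sro: float) -> float:
    """Diagnosis branch: D1 (Table 20-3) x D2, with D2 = D2(RO) x D2(SRO)."""
    return d1 * d2_ro * d2_sro


def cib_man01() -> Dict[str, float]:
    """CIB-MAN01: close MSIV, then 2 of 2 blowdown and 2 of 2 feedwater valves."""
    crew = [("SRO", "high"), ("SS", "moderate"), ("STA", "high")]
    a1 = subtask_hep(1.3e-3, 3.8e-3, 5, crew)
    # A2 and A3: moderate task dependency (x 0.15, Table 20-18) on both BHEPs.
    a2 = subtask_hep(1.3e-3 * 0.15, 3.8e-3 * 0.15, 5, crew)
    a3 = subtask_hep(1.3e-3 * 0.15, 3.8e-3 * 0.15, 5, crew)
    return {
        "D": diagnosis_hep(2.7e-2, 1.6e-3, 0.5),
        "A1_SRO": a1["SRO"], "A1_SS": a1["SS"], "A1_STA": a1["STA"],
        "A1": a1["HEP"], "A2": a2["HEP"], "A3": a3["HEP"],
    }


def cia_man01() -> Dict[str, float]:
    """CIA-MAN01: close 1 of 2 valves within a 10-minute window, no STA credit."""
    crew = [("SRO", "high"), ("SS", "moderate")]
    a1 = subtask_hep(1.3e-3 * 2, 3.8e-3 * 2, 5, crew)
    d = diagnosis_hep(2.7e-1, 1.6e-3, 0.5)
    return {"D": d, "A1_SRO": a1["SRO"], "A1_SS": a1["SS"],
            "A1": a1["HEP"], "total": d + a1["HEP"]}


if __name__ == "__main__":
    for name, hep in (("CIB-MAN01", cib_man01()), ("CIA-MAN01", cia_man01())):
        print(name, {k: f"{v:.3g}" for k, v in hep.items()})
```

The per-subtask values match the worksheets to the quoted precision; the rounding of the conditional HEPs before multiplying is what makes A1(HEP) come out as 1.06E-03 rather than the unrounded 1.10E-03.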
NRC REQUEST FOR ADDITIONAL INFORMATION
Re: RAI Related to DSER Open Item 19.1.3.1-17
Question 720.292 (#2949)
The "time window" estimates used in the HRA could be significantly affected by the various thermal-hydraulic (T-H) uncertainties associated with passive system T-H modeling. Do the "time windows" assumed in the HRA account for T-H uncertainties? Please explain how the issue of T-H uncertainties and their potential impact on "time windows" has been addressed, or will be addressed, in the HRA.
 
===Response===
Many of the time windows in the HRA have been defined from MAAP4 analysis results. The acceptable time windows have been established with at least 600°F margin to the PCT limit. In the MAAP4 benchmarking and T-H uncertainty resolution plan, the operator action times that result in the least PCT margin are to be examined.
Revision 7 of the PRA will include time windows that provide additional margin (i.e., more conservatism) to bound the potential results of the uncertainty analyses.
 
NRC REQUEST FOR ADDITIONAL INFORMATION
Re: RAI Related to DSER Open Item 19.1.3.1-17
Question 720.293 (#2950)
There seems to be a conflict between the operating philosophy as documented in the SSAR and the operating philosophy as modeled in the PRA. The PRA states that the operator does not need to do any significant knowledge-based diagnosis and decision making (operators will only need to detect alarms, indications, etc., and then will be guided by the symptom-based procedures). On the contrary, in the SSAR (e.g., pages 18.8-14 and 18.6-7) it is stated that operators will be thinking ahead of the plant. This implies that the operators will not just be detecting information and then acting, but that they will be proactive. These two operating philosophies require a very different HRA model. Operating experience has shown that, even when "symptomatic" procedures are used, operators do still diagnose and, in fact, will circumvent procedures, skip ahead to solutions (which Westinghouse plants also allow) when operators know what the event is. This is modeled best by Table 20-3 of the HRA Handbook which includes perception, discrimination, interpretation, diagnosis and first level decision making. Please respond to these comments.
===Response===
The THERP HRA Handbook states (on page 12-10) that, with the advent and acceptance of symptom-based procedures, it is possible that the need to diagnose an unusual event may diminish in importance for PRA. The Handbook also states that the cognitive models recommended therein are based on then-current written procedures that are not symptom-based in most cases.
The Handbook has cited two examples in which the cognitive component (time-dependent diagnosis) and annunciator-response rediagnosis are modeled; these are shown in Figures 21-2 and 21-5 of the Handbook. The incorporation of crew dependency in these models has resulted in HEPs well below 1E-05. Westinghouse agrees with the THERP insight into the possible impact of the use of symptom-oriented procedures on the cognitive element of diagnosis. Therefore, time-dependent diagnosis (THERP Table 20-3) was excluded from the AP600 models. On the other hand, alarm-response diagnosis in the AP600 has been modeled very conservatively by applying stress factors to the basic human error probabilities (BHEPs) from THERP Table 20-23; the HEPs in Table 20-23 already include the effects of stress.
If the cognitive (time-dependent) diagnosis were included in the AP600 models, the annunciator-response rediagnosis would also be applicable because the alarm cues currently modeled would not clear (i.e., the analog process parameters will usually move before the discrete alarm message system is able to recognize that an alarm message should clear). Therefore, the cognitive error would be multiplied by the alarm response error, resulting in diagnosis HEPs about one to three orders of magnitude smaller. In other words, the diagnosis models in the AP600 provide higher HEPs than would be produced by the models recommended in the Handbook.
The inferences or conclusions cited above are supported by the results from a sensitivity study (incorporating THERP cognitive diagnosis) of selected operator actions. This analysis is documented in Attachment 1 to RAI 720.291 response.
NRC REQUEST FOR ADDITIONAL INFORMATION
Re: RAI Related to DSER Open Item 19.1.3.1-17
Question 720.294 (#2951)
In the HRA quantification, credit is often taken for separate recovery actions by the senior reactor operator (SRO) and the shift technical advisor (STA). The AP600 HRA is assuming a very low degree of dependence between recovery actions for a single subtask. One would argue that common operator training, communication and short time intervals provide strong sources of dependency between operators. For this reason, the THERP methodology does not allow taking credit for more than one recovery, and only if there are formal checks. Given that the AP600 PRA credits recovery for every action by the control room crew, will there be formal checks in the procedures for each step for both the SRO and the STA? In addition, according to the HRA Handbook, the "one-of-a-kind checking with alert factors" recovery probability of 8.1E-2 is applicable to normal operating conditions only. Please explain.
 
===Response===
The AP600 emergency and abnormal operating procedures follow the same structure as the generic Westinghouse Owners Group symptom-based ERGs. The procedures are generally designed with formal checks or verification, which provide multiple opportunities for recovery of a single subtask.
THERP assumes high dependency between the senior reactor operator (SRO) and reactor operator (RO), low to moderate dependency between the shift supervisor (SS) and other crew members, and (if the shift technical advisor (STA) is present) low to moderate dependency for STA diagnosis and high dependency for the STA during task manipulation.
For example, if a basic human error probability (BHEP) of 1.0E-03 is used for the RO's failure then, according to THERP, the SRO HEP is 0.5, the SS HEP could be 0.05 or 0.15, and the STA HEP could be 0.05 or 0.15 (during diagnosis) and 0.5 (during action execution). Therefore, the total HEP for this subtask could range from 1.25E-6 (i.e., 1.0E-3 x 0.5 x 0.05 x 0.05) to 1.13E-5 (i.e., 1.0E-3 x 0.5 x 0.15 x 0.15), if used for diagnosis; and from 1.25E-5 to 3.75E-5, if used for action execution. If a moderate stress level is assigned during action execution, then the total HEP could increase by a factor of 2, ranging from 2.5E-5 to 7.5E-5; if a high stress level is assigned, the HEP increases by a factor of 5, ranging from 6.25E-5 to 1.88E-04. (THERP diagnosis BHEPs are supposed to include stress level consideration for the event).
In the AP600, the dependency assumed among operating crew members is applied as follows: moderate dependency is assigned between SRO and RO; the THERP BHEP is multiplied by the stress PSF to estimate the RO's failure, and the estimated moderate dependency for the SRO is rounded to 0.1. Although a shift supervisor is expected to be on the AP600 operating crew, we have not taken credit directly for recovery by the SS. To be somewhat conservative, we combined the SS recovery with that of the SRO and applied one moderate dependency value of 0.1 for both. In order to reflect some degree of variation for recovery among different classes of events, we select the BHEP of 8.1E-02 (from THERP Table 20-22) and modify it by the stress factor associated with the event; this modified HEP is used for STA recovery. This BHEP, although recommended by THERP for application to normal operating conditions, is judged to be appropriate for emergency operating conditions since it is modified by the stress factor assessed for the event which, in most cases, is conservatively a high stress level (a multiplier of 5); therefore, the STA recovery is estimated to be 1.62E-1 (i.e., 8.1E-02 x 2) for the few cases of moderate stress application, and 4.05E-01 (i.e., 8.1E-02 x 5) for high stress application.
In the example cited above, the HEP for the AP600 will be 3.24E-05 (if the event is assigned a moderate stress level) or 2.25E-04 (if the event is assigned a high stress level), regardless of whether the action is related to diagnosis or manipulation.
We believe that some differences exist in recovery during different accident conditions; we have attempted to reflect this difference by selecting a suitable BHEP of 8.1E-02 for the STA and modifying it by appropriate stress factors.
As shown above, the recovery model used in the AP600 will provide HEPs that are generally higher than those obtained from THERP assumed dependency modeling. Moreover, this recovery is applied in the AP600 only if the event satisfies the specific time window and slack time criteria; if the time window is less than 10 minutes, or if the estimated slack time is less than 5 minutes (for time windows greater than 10 minutes), STA recovery is not credited in the HRA. (The HEP of 8.1E-02 and other HEPs from THERP Table 20-22 have been used for recovery during abnormal operating conditions in accepted HRAs performed by other organizations).
The results of a sensitivity study of selected operator actions using the assumptions recommended in the THERP Handbook (without any modification) support the inferences and conclusions cited above that the HEPs used in the AP600 PRA are conservative. This analysis is documented in Attachment 1 to RAI 720.291 response.
NRC REQUEST FOR ADDITIONAL INFORMATION
Re: RAI Related to DSER Open Item 19.1.3.1-17
Question 720.295 (#2952)
The passive nature of the safety systems in the AP600 design, combined with the reliance of the design on advanced instrumentation and control (I&C), has the potential to change the operator's interactions with the plant (as compared with operating plants) during accident conditions. In addition, operators may intentionally choose to circumvent procedures to avoid economic consequences (e.g., avoid containment steaming, avoid thermal shock due to overcooling or avoid water hammer). Please perform at least a qualitative evaluation of errors of commission that could impact the performance and reliability of the plant during accident conditions. This evaluation, also recommended by EPRI in its Utility Requirements Document (URD), is needed to identify potential errors of commission (and their consequences) and ensure that appropriate design certification and operational "requirements" will be used to prevent such errors.
 
===Response===
This information is covered in the AP600 Adverse Systems Interaction Evaluation Report (WCAP-14477).
NRC REQUEST FOR ADDITIONAL INFORMATION
Re: RAI Related to DSER Open Item 19.1.3.1-17
Question 720.296 (#2953)
Westinghouse needs to estimate the uncertainty associated with human error probability (HEP) estimates (e.g., present the HRA results in terms of a mean value and an associated error factor).
 
===Response===
The uncertainty analysis on the Level 1 PRA, revision 7, will provide the error factors for HRA events.
NRC REQUEST FOR ADDITIONAL INFORMATION
Re: RAI Related to DSER Open Item 19.1.3.1-17
Question 720.297 (#2954)
Is event RNS-V024 (operator opens MOV 024 to replenish the IRWST inventory using the NRHR pumps) included in the revised PRA models? If yes, was its probability revised to address DSER concerns? Please explain.
 
===Response===
Event RNS-V024 (operator opens MOV-024 to replenish the IRWST inventory using NRHR pumps) is not included in the revised PRA models.
NRC REQUEST FOR ADDITIONAL INFORMATION
Re: RAI Related to DSER Open Item 19.1.3.1-17
Question 720.298 (#2955)
The cues for LPM MAN 02 (failure to recognize the need for RCS depressurization) and CMN-MAN 01 (failure to actuate the CMTs) are identical (see page 30-26). Could the operator fail to diagnose the need for CMT actuation believing that only depressurization is needed? What would the operator do first? How does this affect the estimated "actual time" and the diagnosis of either one of these events?
 
===Response===
No. The operator could not fail to diagnose the need for CMT actuation believing that only depressurization is needed.
Actuation of the CMTs is procedurally performed first. Task dependency is incorporated into the modeling of LPM-MAN 02, CMN-MAN 01 and ADN-MAN 01. The diagnosis event LPM-MAN 02 is common to CMN-MAN 01 and ADN-MAN 01, and ADN-MAN 01 has a high dependency on CMN-MAN 01. The defined time window for diagnosis is not separate from the time for action execution; the same time window is common to both components. It is believed that, once the operator recognizes the cues, very little time is taken for manual actuation of these systems.
NRC REQUEST FOR ADDITIONAL INFORMATION
Re: RAI Related to DSER Open Item 19.1.3.1-17
Question 720.299 (#2956)
The "actual time" it will take the operator to actuate the CMTs (event CMN-MAN 01) was estimated to be approximately 20 minutes during a small LOCA and only 8 minutes during a medium LOCA (see pages 30-26 to 30-28). Given that the operator will have to follow the same procedure and perform the same subtasks in both cases, what is the basis for the much shorter "actual time" during medium LOCAs?
===Response===
It is true that, by following the same procedure, the "actual time" to actuate the CMTs is the same for small LOCA and medium LOCA. The operator actions to actuate the CMTs have been reevaluated, based on revised success criteria which indicate that the CMTs are expected to be manually actuated in approximately 15 minutes for any initiating event. Details of the CMT success criteria timing mechanism are provided in Attachment 1 (Table A-3) to RAI 720.291 response.
NRC REQUEST FOR ADDITIONAL INFORMATION
Re: RAI Related to DSER Open Item 19.1.3.1-17
Question 720.300 (#2957)
Multiple alarms, close in time, could impact event diagnosis. By referring to the most risk-important human actions, as determined by the importance analysis, please discuss how multiple alarms have been analyzed and accounted for in the HRA models.
 
===Response===
In the AP600 HRA, the primary cues for operator diagnosis are modeled with the assumption that an associated alarm is provided for each cue. The models reflect diagnosis success if the operator responds to N-out-of-N alarms, which translates to diagnosis failure if the operator does not respond to 1-out-of-N alarms. This modeling is conservative for many cases, since correct diagnosis can be made by responding to M-out-of-N alarms, where 1 ≤ M < N.
Based on human factors engineering (HFE) design requirements for the AP600 alarm system, the operators are expected to be presented with the diagnosis cues modeled in the HRA at the highest priority, and to be able to focus primarily on these cues. The AP600 alarm system addresses the problem of alarm avalanching and operator data overload by reducing the number of indications presented simultaneously during major disturbances. In that regard, highest priority messages are clearly indicated to the operators, and minor alarms are prioritized and elevated to a place (or level) of attention based on importance significance; those active alarm messages which are not currently displayed shall be accessible and available to the operator upon request.
The above information will be incorporated into assumption (b) of the HRA section of the PRA.
NRC REQUEST FOR ADDITIONAL INFORMATION
Re: PRA Human Reliability Analysis for Shutdown Operation
Question 720.301 (#2958)
The time window for operator action RCS-MANOD2S (detect failure of automatic closure of air-operated valves CVS-V045 and -V047 and manually close them) is very small (5 minutes). The shutdown PRA, as the PRA for power operation, states that the operator does not need to do any significant knowledge-based diagnosis and decision making (operators will only need to detect alarms, indications, etc., and then will be guided by the symptom-based procedures). Operating experience has shown that, even when "symptomatic" procedures are used, operators do still diagnose and, in fact, will circumvent procedures, skip ahead to solutions (which Westinghouse plants also allow) when operators know what the event is. This is modeled best by Table 20-3 of the HRA Handbook which includes perception, discrimination, interpretation, diagnosis and first level decision making. Please respond to these comments and re-quantify the probability of event RCS-MANOD2S as necessary.
===Response===
The response to RAI 720.293 for at-power operation also applies to this question. Event RCS-MANODS2 was quantified for a sensitivity study using Table 20-3 and other assumptions recommended in the THERP Handbook; the evaluated HEP is lower than the HEP used in the shutdown PRA. Details on the sensitivity study are shown in Attachment 1 to RAI 720.291 response.
NRC REQUEST FOR ADDITIONAL INFORMATION
Re: PRA Human Reliability Analysis for Shutdown Operation
Question 720.302 (#2959)
Regarding DSER open item 19.1.3.3-1, operator action RHN-MANDIV represents the likelihood that the operator would inadvertently drain reactor coolant into the IRWST through Normal RHR valve V-024. The probability of RHN-MANDIV was assigned a value of 1E-5 in Chapter 30 of the PRA. The corresponding task analysis for RHN-MANDIV evaluated the likelihood that the operator selects the wrong control to align Normal RHR and fails to close the diversion path. This probability was then used as a frequency (1E-5 per year) in the shutdown PRA to represent the frequency of overdraining the Normal RHR system through inadvertent opening of V-024. This frequency is very low and suggests that a pipe rupture of Normal RHR is more likely than an inadvertent draindown event.
: a. Please search for other potential reactor coolant drain down paths that the operator could create, considering that the reactor coolant system may be pressurized (i.e., during hot shutdown) and document this search in the shutdown PRA.
: b. The task analysis for RHN-MANDIV only evaluates the likelihood of the operator selecting the wrong control (V-024) to align Normal RHR. The staff believes that other conditions could create an opportunity to create this drain path (i.e., valve testing, etc.). Please use operating experience to obtain a frequency of inadvertent drain down events or justify in the shutdown PRA why operating experience is not applicable.
: c. Please explain why the failure probability of RHN-MANDIV is used, also, as the frequency of overdraining the NRHR system.
: d. The same time windows are used in the task analysis of event RHN-MANDIV for both pressurized (i.e., hot shutdown) and non-pressurized (i.e., cold shutdown) conditions. A draindown event when the RCS is pressurized would drain the RCS faster than an event with the RCS non-pressurized. This may require separate analysis of the same scenario for hot and cold shutdown conditions, respectively. In addition, please provide the following details in the shutdown PRA for each potential drain path:
:: i) Define in the shutdown PRA what the term "time window" means for each scenario (time to core damage, time to core uncovery, etc.).
:: ii) Define in the shutdown PRA what the term "actual time" means for each scenario.
:: iii) Develop time windows considering both pressurized and non-pressurized conditions.
 
===Response===
: a&b Westinghouse will provide a comprehensive list of RCS drain connections and provide a qualitative discussion on how these drain paths have been considered in the PRA. The PRA explicitly models only one drain path (in the RNS) that results in overdraining of the RCS. However, Westinghouse has lumped overdraining of the RCS via the CVS letdown line with breaks in the letdown line, and therefore overdraining via this line has been considered in the PRA. This information will be incorporated into the shutdown PRA.
: c. The failure probability of RHN-MANDIV is used only in the frequency of overdraining the reactor coolant system. This statement will be placed in the shutdown PRA.
Operator errors such as inadvertent actions, if determined to be risk significant from the PRA results, are further examined in the Human Factors Engineering process to ensure human factors / man-machine interface requirements are fully addressed to minimize or preclude such errors.
d(i) The term "time window" is defined in the PRA as the time from which cues for a particular event are presented to the operating crew to the time when loss of the specific plant function is likely to occur if the task is not performed.
d(ii) The term "actual time" is defined in the PRA as the average time that it is likely to take the operating crew to diagnose and execute the actions for a defined task. Similar to the "time window" definition, the actual time is defined from the time at which the cues are presented to the operating crew.
d(iii) The operator actions used in the shutdown PRA are separated into the following three groups:
a) Most operator actions used in the shutdown PRA are also used in the at-power analysis. Those operator actions were calculated primarily for the at-power scenario; therefore, the time windows for such operator actions are judged to be conservative for both pressurized and non-pressurized shutdown conditions.
b) Some operator actions are used only in non-pressurized conditions; therefore, the time windows for such operator actions are based on scenarios when the plant is depressurized.
c) Two operator actions, namely, RHN-MAN02 and RHN-MAN03, are used in the loss of offsite power event trees for both pressurized and non-pressurized shutdown conditions. Each of these actions has an estimated time window of 1 hour for the pressurized condition, and 30 minutes for the non-pressurized condition.
The 2-hour time window currently assigned to these operator actions will be changed; this correction will be reflected in the next revision of the HRA.
 
Enclosure 2 to Westinghouse Letter NSD-NRC-96-4680
April 1, 1996
 
NRC REQUEST FOR ADDITIONAL INFORMATION
Re: Shutdown PRA question from NRC letter dated November 9, 1995
Question 1 (#2939)
Open item 19.1.3.3-1 requested Westinghouse to justify the low human error rate for inadvertent draining of reactor vessel inventory through the Normal Residual Heat Removal (RHR) system. In response, Westinghouse quantified the likelihood of the operator overdraining the reactor coolant system during drain down operations to reach midloop conditions. Westinghouse also quantified the likelihood that a LOCA could occur by inadvertent opening of Normal RHR valve V024. The staff needs the following information to conclude that the frequency of overdraining the reactor vessel to reach midloop conditions is on the order of E-6 per year, which is much lower than current operating experience.
: a. Westinghouse should use operating experience to determine the frequency of the operator inadvertently overdraining the RCS during midloop, or justify that current operating experience is not applicable by describing any AP600 design improvements over current plants.
: b. Westinghouse needs to add more information in the shutdown PRA about the available level instrumentation during the drain down process. A description of how the pressurizer wide range level instrumentation is connected to the RCS would be helpful.
: c. Westinghouse needs to clarify in the PRA how the two hot leg instruments are connected and clarify whether they share common reference legs.
: d. Westinghouse needs to document in the PRA the basis for the beta factor of 0.05 for the hot leg instruments. This value is not listed in Chapter 29 or Section 54.7 of the PRA.
: e. For drain down scenario 2, Westinghouse needs to justify the likelihood that the air operated valves fail to close on demand. Westinghouse needs to (1) document the testing interval for these valves and (2) calculate valve unavailability using ((standby failure rate)*(testing interval)/2) or a demand failure rate (such as 1E-3 listed in Table 54-58).
 
===Response===
: a. The AP600 has incorporated many design features that address mid-loop operations including features that reduce the probability of overdraining the RCS to a point where a loss of the normal residual heat removal system would occur. These features are described in SSAR section 5.4.7.2.1 and are described below:
* Loop Piping Offset - As described in SSAR subsection 5.3.4.1, the reactor coolant system hot legs and cold legs are vertically offset. This permits draining of the steam generators for nozzle dam insertion with hot leg level much higher than traditional designs. The reactor coolant system must be drained to a level which is sufficient to provide a vent path from the pressurizer to the steam generators. This is nominally 80 percent level in the hot leg. This loop piping offset also allows a reactor coolant pump to be replaced without removing a full core.
* Step-nozzle Connection - The normal residual heat removal system employs a step-nozzle connection to the reactor coolant system hot leg. The step-nozzle connection has two effects on mid-loop operation. One effect is to substantially lower the RCS hot leg level at which a vortex occurs in the residual heat removal pump suction line due to the lower fluid velocity in the hot leg nozzle. This increases the margin from the nominal mid-loop level to the level where air entrainment into the pump suction begins. Another effect of the step-nozzle is that, if a vortex should occur, the maximum air entrainment into the pump suction has been shown experimentally to be no greater than 5 percent. This level of air ingestion will make air binding of the pump much less likely.
* No Normal Residual Heat Removal Throttling During Mid-Loop - The normal residual heat removal pumps are designed to minimize susceptibility to cavitation. The plant piping configuration, piping elevations and routing, and the pump net positive suction head characteristics allow the normal residual heat removal pumps to be started and operated at their full design flow rates with saturated conditions in the reactor coolant system. The normal residual heat removal system operates without the need for throttling a residual heat removal control valve when the level in the reactor coolant system is reduced to a mid-loop level. This eliminates the failure to throttle the residual heat removal pumps causing a loss of the residual heat removal system during mid-loop.
* Hot Leg Level Instrumentation - The AP600 reactor coolant system contains independent level instrumentation in each hot leg with indication in the main control room. In addition, the wide-range pressurizer level instrumentation used during cold plant operations is available to measure to the bottom of the hot legs. There is continuous level indication in the main control room from the normal level in the pressurizer to the range of the two narrow-range hot leg level instruments. Alarms are provided to alert the operator when the reactor coolant system hot leg level is approaching a low level. The isolation valves in the line used to drain the reactor coolant system automatically close on a low reactor coolant system level during shutdown operations to preclude overdraining the RCS. Operations required during mid-loop are performed by the operator in the main control room. The level monitoring and control features significantly improve the reliability of the AP600 heat removal system during mid-loop operations.
These design features contribute to the reduction in the probability of overdraining the RCS for the AP600 as compared to current plants.
Other design features have been incorporated in the AP600 design to address the consequences of a loss of the normal residual heat removal system due to overdraining and/or excessive air ingestion into the residual heat removal pumps. These features, addressed in SSAR section 5.4.7.2.1, are described below:
* Passive Core Cooling System - The passive core cooling system in-containment refueling water storage tank (IRWST) injection lines are available in the event of a loss of the normal residual heat removal system during reduced inventory operations. Upon a loss of water level in the hot leg, the operator would take actions to restore the water level with the nonsafety-related chemical and volume control system makeup pumps. If the makeup pumps are not available and/or operable, the operator can actuate the safety-related IRWST injection valves to restore water level in the RCS and provide safety-related core cooling. In addition, the normal residual heat removal system contains a diverse means for gravity injection from the IRWST via the pump suction line to the IRWST. By opening valve RNS-V023, gravity injection can be provided to the RCS hot leg in the event of a loss of the normal residual heat removal system.
* ADS Valves - The automatic depressurization system first-, second-, and third-stage valves, connected to the top of the pressurizer, are open whenever the core makeup tanks are blocked during shutdown conditions while the reactor vessel upper internals are in place. This provides a vent path to preclude pressurization of the reactor coolant system during shutdown conditions when decay heat removal is lost. This also allows the IRWST to automatically provide injection flow if it is actuated on a loss of decay heat removal.
* Reactor Vessel Outlet Temperature - Reactor coolant system hot leg wide range temperature instruments are provided in each hot leg. The orientation of the wide range thermowell-mounted resistance temperature detectors enables measurement of the reactor coolant fluid in the hot leg when in reduced inventory conditions. In addition, at least two incore thermocouple channels are available to measure the core exit temperature during midloop residual heat removal operation. These two thermocouple channels are associated with separate electrical divisions.
* Self Venting Suction Line - The residual heat removal pump suction line is sloped continuously upward from the pump to the reactor coolant system hot leg with no local high points. This eliminates potential problems with refilling the pump suction line if a residual heat removal pump is stopped when cavitating due to excessive air entrainment. With the self-venting suction line, the line will refill and the pumps can be immediately restarted once an adequate level in the hot leg is re-established.
In addition, Westinghouse has submitted emergency response guidelines for shutdown operations that will be used to implement shutdown emergency operating procedures. These procedures will guide the operator to recover from overdraining events. These design features contribute to the reduction in the calculated core damage frequency for the AP600 at shutdown as compared to current plants.
This information will be provided in the AP600 Shutdown Evaluation Report and will be referenced in the shutdown PRA.
b&c There are two safety-related RCS hot leg level channels, one located in each hot leg. These level indicators are provided primarily to monitor the RCS water level during mid-loop operation following shutdown operations. One level tap is located at the bottom of each hot leg and the other tap on the top of each hot leg as close to the steam generator as possible. These level instruments are independent, and do not share instrument lines.
During post-accident conditions, these instruments provide indication of the water level in the reactor vessel. They provide reactor vessel level indication for a range from the bottom of the hot leg to approximately the elevation of the reactor vessel flange mating surface.
Each level instrument reading is provided in the main control room and the remote shutdown workstation.
This instrumentation provides an accurate readout of the RCS level in the control room. Alarms are provided to alert the operator when the RCS level is approaching a low level. These transmitters also provide input to the PMS to initiate in-containment refueling water storage injection on a low level during mid-loop operations.
In addition, the wide-range pressurizer level instrumentation used during cold plant operations is available to measure to the bottom of the hot legs. This provides a continuous level indication in the main control room from the normal level in the pressurizer to the range of the two narrow-range hot leg level instruments.
This information will be provided in the AP600 Shutdown Evaluation Report and will be referenced in the shutdown PRA.
: d. The beta factor of 0.05 for the hot leg level instruments was taken from the URD, Chapter 1, Appendix A, Section A3 (Page A.A-29); 0.05 is the recommended generic beta factor for "failure to continue functioning or spurious operation" of components not specified in the URD, Table A3-1. Westinghouse will provide this reference source for this beta factor in the shutdown PRA report.
: e. Air-operated valves CVS-045 and CVS-047, modeled in drain down scenario #2, are to be tested quarterly but are expected to be used more often during normal operation. Therefore, the failure probability of these valves failing to close on demand will be recalculated using a demand failure rate of 2.0E-03 from the Data Analysis section of the PRA.
Re: Shutdown PRA question from NRC letter dated November 9, 1995
Question 2 (#2940)
With respect to Open item 19.1.3.3-2, Westinghouse responded in Section 54.3.2 of the PRA that the core damage contribution from the cool down period to 350°F and 400 psig is negligible compared to hot/cold shutdown and midloop/vessel flange operations. In section 54.3.2, Westinghouse justifies this assumption based on (1) the cool down period to hot shutdown of 350°F and 400 psig lasts only eight hours, and (2) all mitigating systems available when the reactor is at power are available except the accumulators. In order for the staff to conclude that this shutdown period does not need to be quantitatively evaluated, the staff is asking Westinghouse to:
: a. Modify this argument to indicate that the risk is low compared to the at-power risk. The argument that Westinghouse gave does not directly lead to the conclusion that the core damage risk is low compared to the risk from hot / cold shutdown and midloop/ vessel flange operations.
: b. Clarify in Section 54.3.2 of the PRA if all actuating signals that are available at full power are also available during this time period. In Table 54-2, it would be helpful if an additional column was created for full power operation to allow for a simple comparison of available signals.
: c. Document in Section 54.3.2 of the PRA and Table 54-8 if any maintenance can be performed on any system during this period. Document how these maintenance assumptions will be met (i.e., Tech. Specs., administrative controls, etc.).
 
===Response===
: a. If it is conservatively assumed that all accidents evaluated during power operation can occur during the first eight hours of shutdown, then, given the availability of all mitigating systems except the accumulators, the risk during this early shutdown period can be factored from the at-power core damage frequency. As shown in Section 54.3.2, the estimated annual duration for this plant state is 22 hours. Therefore, the estimated CDF during this shutdown mode is: [(2.43E-07 / 8760) x 22] = 6.10E-10; this is 0.25% of the at-power risk. This conservative estimate shows that the risk during the first eight hours of shutdown is very low; much conservatism is evidenced by the fact that ATWS events, which are significant contributors to the at-power CDF, are not applicable to the shutdown assessment.
: b. Table 54-2 of the Shutdown PRA will be revised to: 1) add a column for at-power; and 2) include the actuating signals for all systems in the table.
: c. Availability (and corresponding maintenance restrictions) of the safety-related systems during shutdown operations are incorporated in the AP600 Technical Specifications. The technical specifications do not allow for scheduled maintenance of the passive safety-related components in mode 3 (hot standby) with the exception of the accumulators, which are isolated during this mode when the RCS pressure is reduced to below 1000 psig to prevent their injection. Table Q2-1 summarizes the availability of the safety-related systems as captured in the AP600 Technical Specifications.
The Reliability Assurance Program specifies maintenance guidelines for RTNSS-important systems and components.
Table Q2-1 Technical Specification Requirements for Safety-Related Components
Columns: MODE; ADS; CMT; PRHR; IRWST; Cont.; Cont. Cooling
* MODE 1-4 (1), Full power - Safe shutdown: ADS 10 of 10 paths OPERABLE, all paths closed; CMT both CMTs OPERABLE; PRHR HX OPERABLE; IRWST both IRWST injection paths and both Containment recirc paths OPERABLE; Cont. Integrity; Cont. Cooling both water flow paths OPERABLE
* MODE 5, RCS pressure boundary closed: ADS 9 of 10 paths OPERABLE, all paths closed; CMT one CMT OPERABLE; PRHR HX OPERABLE; IRWST one IRWST injection path and one Containment recirc path OPERABLE; Cont. None; Cont. Cooling None
* MODE 5, RCS pressure boundary open: ADS Stages 1, 2, and 3 open; CMT None; PRHR None; IRWST one IRWST injection path and one Containment recirc path OPERABLE; Cont. Closure (2); Cont. Cooling both water flow paths OPERABLE
* MODE 5, RCS pressure boundary open, reduced RCS inventory: ADS Stages 1, 2, and 3 open; CMT None; PRHR None; IRWST one IRWST injection path and one Containment recirc path OPERABLE; Cont. Closure (2); Cont. Cooling both water flow paths OPERABLE
* MODE 6, Reactor internals in place, refueling cavity not full: ADS Stages 1, 2, and 3 open; CMT None; PRHR None; IRWST one IRWST injection path and one Containment recirc path OPERABLE; Cont. Closure (2); Cont. Cooling both water flow paths OPERABLE
* MODE 6, Reactor internals removed, refueling cavity full: ADS None; CMT None; PRHR None; IRWST None; Cont. None; Cont. Cooling None
Notes:
(1) Both accumulators required in modes 1-3, above 1000 psig. The accumulators are not required in modes 4-6.
(2) Containment closure is defined as the ability to close the containment prior to core uncovery following a loss of decay heat removal.
 
Re: Shutdown PRA question from NRC letter dated November 9, 1995
Question 3 (#2941)
In reference to open item 19.1.3.3-4, the shutdown PRA still does not clearly identify when automatic injection is available from the IRWST and when only manual injection is available (i.e., during draindown to midloop conditions). In Section 54.2.5 of the PRA, the PRA states, "The low hot leg level signal, used to monitor and control the reactor vessel water level during the drain down of the reactor coolant system for the midloop/vessel flange shutdown phase, is available." The PRA goes on to state, "This instrumentation automatically actuates the IRWST MOVs on low level during the midloop/vessel flange shutdown phase." However, the staff identified that in event tree RCS-OD (overdraining of the RCS during draindown to mid-loop), only manual actuation of the IRWST was credited. The IRWST success criteria summary for this event tree (IW2AO and IWRNS) stated that there were no automatic injection signals. The staff also identified that following a loss of offsite power without grid recovery, automatic IRWST injection was not credited. To resolve this inconsistency, the staff is asking Westinghouse to:
: a. Document in Section 54.2.5 of the PRA (Actuating Signals and Systems Available) when IRWST automatic injection is available and when only manual IRWST injection is available during midloop/ vessel flange operation.
: b. Document in Table 54-2 (Systems Availability and Actuating Signals Type) when IRWST automatic injection is available and when only manual IRWST injection is available during midloop/ vessel flange operation.
: c. Document in Table 54-2 for each available actuation signal what instrumentation is used to deliver the signal (PMS and/or DAS).
 
===Response===
The hot leg level instrumentation was changed from nonsafety-related to safety-related. Therefore, actuation of the IRWST is automatic or manual on the "low hot leg level" signal, for all reduced RCS inventory scenarios.
The current shutdown PRA conservatively models only manual IRWST injection for some scenarios based on modeling assumptions in the earlier version of the PRA. The current shutdown model reflects the following:
i) During mid-loop / vessel flange operation, given loss of RNS, loss of RNS support systems, or LOOP with grid recovery, IRWST injection is required to actuate automatically or manually; both actuations are modeled in fault tree IW2A.
ii) Given LOOP without grid recovery, only manual IRWST injection is modeled; this is shown in fault tree IW2AP. Automatic injection is available, but not modeled.
iii) During draining of the RCS to mid-loop, only manual IRWST injection is modeled if overdraining occurs; this is shown in fault tree IW2AO. Automatic injection is available, but not modeled.
iv) For all of the above events during reduced inventory, if the IRWST normal injection path fails, then injection through the RNS pump suction line (V023) is manually actuated; this is shown in fault tree IWRNS.
: a. Section 54.2.5 will be updated to clarify and reflect that both automatic and manual IRWST injection capabilities are available during all reduced inventory scenarios. It will also be clarified that, conservatively, IRWST automatic injection actuation was not modeled in most (reduced inventory) cases, even though it would be expected to be available.
: b. Table 54-2 will also reflect that IRWST automatic and manual actuation are available during mid-loop/vessel flange operation.
: c. Table 54-2 will also show what PMS instrumentation is used to deliver the actuation signal.
Re: Shutdown PRA question from NRC letter dated November 9, 1995
Question 4 (#2942)
Westinghouse to document all maintenance assumptions and provide cross-reference to the SSAR. Westinghouse responded by clearly documenting testing and maintenance assumptions for specific systems in Table 54-8. In addition, Westinghouse stated that no test and maintenance activities will be conducted during midloop/vessel flange conditions (Section 54.10.2 of the PRA). However, the staff found that Westinghouse provided no cross references to the SSAR. The staff also concluded that maintaining equipment availability (particularly the IRWST) during shutdown is necessary to achieve the low shutdown core damage frequency estimates. Therefore, the staff is requesting Westinghouse to:
: a. State in Table 54-8, the maintenance assumptions individually for PMS and DAS. Justify and document in the PRA how these maintenance assumptions will be met (i.e., Tech. Specs., etc.)
: b. Justify and document in the PRA how each maintenance assumption for each system in Table 54-8 will be met (i.e., Tech. Specs., etc.).
: c. Justify and document in the PRA how the requirement for no test and maintenance activities during midloop/flange operation will be met (i.e., Tech. Specs., etc.).
: d. Define and document the assumed "allowed" time to return to a filled condition given a Normal RHR component failure during midloop/vessel flange operation. Document how this "allowed" time will be met (i.e., Tech. Specs., etc.).
: e. Clarify and document in the PRA if the "Normal RHR component failure" during midloop/flange operation includes Normal RHR support systems such as CCS and SWS.
 
===Response===
a,b,c    Westinghouse will complete the Technical Specifications and document in the PRA (Table 54-8) the applicable Technical Specification numbers.
: d. The Reliability Assurance Program does not specify an "allowed" time to return to a filled condition given an RNS, CCS or SWS component failure during mid-loop operations. A failure of a component in these RTNSS-important systems does not lead to a core damage scenario. Success criteria for these systems are such that failure of a single component (i.e., RNS, CCS, or SWS pump) does not result in a loss of core cooling. The quantification of the core damage frequency for the AP600 at shutdown does not credit a return to a filled condition given the loss of an RNS, CCS or SWS component.
: e. The RNS model during mid-loop/vessel flange operation shows CCS as a subtree of RNS, and SWS as a subtree of CCS. A statement to that effect will be added in Section 54.4.8.
Re: Shutdown PRA question from NRC letter dated November 9, 1995
Question 720.286 (#2943)
The staff is requesting Westinghouse to document in the PRA what AP600 auxiliary and passive systems were examined to identify shutdown initiating events (Section 54.2.1, p. 54-2) and the results of this evaluation.
 
===Response===
Passive systems were examined during the search for possible shutdown initiators in PRA, revision 6; none was identified. Auxiliary or support systems were also examined: CCS, SWS and instrument air; from these, CCS and SWS were identified as credible shutdown event initiators. Westinghouse will document the search for initiators that are unique to passive systems in the shutdown PRA; this evaluation will be similar to that conducted in the at-power PRA for passive system initiators. The above information will be added to Section 54.2.1.
Re: Shutdown PRA question from NRC letter dated November 9, 1995
Question 720.287 (#2944)
The staff is requesting Westinghouse to explain the screening process in more detail (Section 54.2.4, p. 54-4).
Several screening criteria are mentioned. However, the staff would like Westinghouse to document in the PRA how each of the "at power" initiating events was screened out.
 
===Response===
The basis for screening out some internal at-power initiating events will be reflected in Section 54.2.4.
Re: Shutdown PRA question from NRC letter dated November 9, 1995
Question 720.288 (#2945)
The staff agrees that losses of Normal RHR during refueling are expected to have a negligible addition to the total core damage frequency (Section 54.2.4 of the PRA). However, the concluding statement in that paragraph mentions all losses of water inventory rather than just boil off. Westinghouse needs to evaluate and document in the PRA the potential for LOCA and draining events applicable to the refueling mode.
 
===Response===
During mode 6, the refueling cavity is flooded with approximately 350,000 gallons of refueling water. The number of connections that are capable of draining the refueling cavity are limited and have administrative controls (i.e., locked closed manual valves) to prevent inadvertent draining of the refueling cavity. Other connections that could result in an inadvertent draining are smaller lines such that the amount of time necessary to drain the refueling cavity is very long (i.e., > 24 hours). Considering that the refueling operations and the refueling cavity water level are continuously monitored by personnel in the containment and the auxiliary building, given the long time it would take to significantly drain the cavity, and given the spent fuel pool low level alarm is annunciated in the control room, inadvertent draining of the refueling cavity need not be quantified. Further details are provided in WCAP-14477, AP600 Adverse Systems Interaction Evaluation Report, dated February 1996.
Re: Shutdown PRA question from NRC letter dated December 22, 1995
Question 720.303 (#3007)
The following questions pertain to shutdown operation with the RCS open.
: a. According to the SSAR Chapter 6, Stages 1, 2, and 3 of ADS are manually opened PRIOR to initiating RCS draindown operations to midloop conditions. However, no information is provided in the shutdown PRA as to when ADS is opened prior to drain down operations. Please document in the shutdown PRA how this SSAR assumption will be met (i.e., Tech. Specs., admin. controls, etc.).
: b. During RCS draindown operation with Stages 1, 2, and 3 open, if Normal RHR cooling is lost, the operator has to manually initiate gravity injection from the IRWST. If the operator actuates gravity injection AFTER the RCS begins to boil, could surge line flooding occur and cause gravity injection to stop? The staff requests Westinghouse to provide analyses verifying that surge line flooding is not a problem, assuming any RCS level.
 
===Response===
: a. The AP600 Technical Specifications will specify the requirements for the ADS valves to be open prior to entering a reduced inventory condition. This information will be included in the shutdown PRA.
: b. An evaluation of surge line flooding will be provided in the AP600 Shutdown Evaluation Report.
Re: Shutdown PRA question from NRC letter dated December 22, 1995
Question 720.304 (#3008)
In the sensitivity study for test and maintenance outages during drained conditions, only electrical components from the AC and DC power system were included. The staff requests Westinghouse to evaluate through sensitivity studies the impact of unscheduled maintenance of components from the PMS system, Normal RHR, and Normal RHR's support systems.
 
===Response===
Westinghouse will evaluate the impact of unscheduled maintenance of components from the PMS, RNS, and RNS support systems (CCW and SWS) during drained conditions. The results of this evaluation will be documented in Chapter 54 of the PRA.
720.304-1
 
Re: Shutdown PRA question from NRC letter dated December 22, 1995
Question 720.305 (#3009)
In the shutdown PRA, many of the potential boron dilution initiating events are discussed and dropped as being not significant. However, since the shutdown core damage frequency is 5.5E-8 per year, the staff cannot conclude that these initiators have frequencies less than this value. Based on previous screening calculations and the Surry shutdown PRA, the staff requests Westinghouse to quantify the following boron dilution events identified in the AP600 PRA:
: a. Chemical and Volume Control System (CVS) during hot shutdown using the DILUTE mode of operation.
: b. CVS water injection and boron dilution during plant startup.
: c. CVS water injection and boron dilution following a loss of offsite power event, with subsequent startup of the reactor coolant pumps.
: d. Steam generator tube rupture event with transfer of water to and from the primary circuit.
 
===Response===
The basis for excluding boron dilution events from the shutdown PRA quantification will be reexamined. These events will be included in the quantification if they are determined to be significant contributors to the shutdown core damage frequency.
720.305-1
 
Re: Shutdown PRA question from NRC letter dated December 22, 1995
Question 720.306 (#3010)
The PRA clearly states that containment integrity is maintained during modes 1 through 4. However, the status of containment during modes 5 and 6 is unclear in the PRA (Section 54.2.5). The PRA states that during midloop operation, containment "closure" is maintained. However, midloop operation is only a subset of shutdown operations in mode 5 with the RCS open. Also, the term "closure" is not defined. The staff assumes that "closure" is different from containment integrity. The staff is concerned that the results of the PRA do not include the risk impact of a potentially open containment given a core damage event during mode 5. The staff needs this information since events occurring during midloop/vessel flange operation account for over 90% of the shutdown core damage frequency. Therefore, Westinghouse is requested to provide the following information in the shutdown PRA:
: a. Westinghouse is requested to document in the PRA how the requirement for containment integrity will be maintained during Modes 1-4 (i.e., Tech. Specs., admin. controls, etc.).
: b. Westinghouse is requested to document in the shutdown PRA the status of containment during cold shutdown (mode 5) when the RCS is completely intact. This explanation should include the status of the equipment and personnel hatches, penetrations for operating systems, and temporary instrument and electrical penetrations. This explanation should also describe the operator's ability to close containment should a core damage event occur. Westinghouse is requested to document in the PRA how these assumptions will be met (i.e., Tech. Specs., admin. controls, etc.).
: c. Westinghouse is requested to document in the shutdown PRA the status of containment during cold shutdown up to when the refueling cavity is flooded with an open RCS (midloop operation/vessel flange operation is a subset of this phase of shutdown). This explanation should include the status of the equipment and personnel hatches, penetrations for operating systems, and temporary electrical and instrument penetrations. This explanation should also describe the operator's ability to close containment before steaming through an open RCS makes containment conditions intolerable to the operator. Westinghouse is requested to document in the PRA how these assumptions will be met (i.e., Tech. Specs., admin. controls, etc.).
: d. For both of the shutdown phases addressed above, Westinghouse is requested to identify in the shutdown PRA the probabilities assumed for containment isolation.
: e. For both of the shutdown phases addressed above, Westinghouse is requested to report the fraction of core damage scenarios occurring with an open containment and their combined frequencies.
 
===Response===
: a. The AP600 Technical Specifications will specify the requirements for containment status during all modes of operation including shutdown. This information will be referenced in the shutdown PRA. During Modes 1-4, containment integrity is required. In Modes 5 & 6, during reduced inventory operations and when the upper internals are in place, containment closure capability is required. Containment closure capability is defined in the Technical Specifications as the capability to close the containment prior to core uncovery following a loss of the normal decay heat removal capability through the normal residual heat removal system. Details on the containment status during each operating mode are summarized in Table Q2-1 of the response to shutdown PRA question 2c (of NRC letter dated Nov. 9, 1995). This table will be provided in the AP600 Shutdown Evaluation Report and will be referenced in the shutdown PRA.
: b. As shown in Table Q2-1 in the response to shutdown PRA question 2c (of NRC letter dated Nov. 9, 1995), there are no requirements for containment integrity or closure during Mode 5, when the RCS is intact.
: c. As shown in Table Q2-1 in the response to shutdown PRA question 2c (of NRC letter dated Nov. 9, 1995), during Mode 5, with the RCS pressure boundary open and/or during reduced inventory operations, and during Mode 6 with the upper internals in place, containment closure is required. As described above, containment closure capability is defined as the capability to close the containment prior to core uncovery following a loss of the normal decay heat removal system. Equipment hatches and personnel hatches, penetrations for operating systems, and any temporary electrical and instrument penetrations may be open during these conditions, provided that there is the capability to close the various hatches and penetrations within prescribed time limits, corresponding to the minimum time to core uncovery following loss of decay heat removal capability. The actions taken to close the containment hatches must consider the potential for a steam environment inside containment within the time that the RCS could reach saturation.
: d. The next revision of the shutdown PRA will assess the probabilities of failure of containment isolation during shutdown modes where containment closure is required.
: e. The fraction of core damage frequency from events occurring with an open containment and their total frequency will be shown in the next revision of the shutdown PRA.
720.306-2
 
Enclosure 3 to Westinghouse Letter NSD-NRC-96-4680, April 1, 1996
 
Re: PRA modeling question from NRC letter dated January 22, 1996
Question 720.309 (#3040)
File IRW-ICl3.WLK (*.WLK files contain results) includes basic event REN-MAN03 in the most important ("top") cut set for subtree IRW-ICl3. A manually constructed IRRAS model (developed based on the fault trees contained in WCAP-13275, "AP600 Probabilistic Risk Assessment Fault Trees," Revision 1, 1995) for IRW-ICl3 does not generate a cut set including this event. Is REN-MAN03 correctly located in the IWF tree (which is fed by the IRW-ICl3 subtree)? Please explain.
 
===Response===
The REN-MAN03 event was removed from the subtree IRW-ICl3 and placed higher up in the IWF tree. In revision 7 of the PRA, the REN-MAN03 event is the second cutset in the file, and it is correct in that location in the tree.
720.309-1
 
Re: PRA modeling question from NRC letter dated January 22, 1996
Question 720.314 (#3045)
Event tree ATWSC (page 4-153) shows top event PRHR2 as being substituted with SFWA&PRTA. The Westinghouse XSRT.IN file (the *.IN files provide instructions to generate cut sets) includes SYS-SFWA and SYS-PRT (and not SYS-PRTA). Should SYS-PRT or SYS-PRTA be used in the substitution for PRHR2? Are the cut sets in file ATWSC developed using SYS-PRT or SYS-PRTA?
 
===Response===
The fault tree SYS-PRTA is the correct tree for this situation and it was used to generate the cut sets. The typographical error was corrected, but the file that was submitted didn't reflect the correction. The correct .IN file is used for revision 7 of the PRA.
720.314-1
 
Re: PRA modeling question from NRC letter dated January 22, 1996
Question 720.315 (#3046)
The data for basic event CASMOD03 (IAS system, page 25-16) has been truncated (in printing). Are there any other contributors to the probability for CASMOD03, or is it the same as that for CASMOD02 (i.e.,2.31E-2)?
 
===Response===
The total for CASMOD03 is the same as for CASMOD02. No other events were truncated.
720.315-1
 
Re: PRA modeling question from NRC letter dated January 22, 1996
Question 720.316 (#3047)
The following pairs of system tops appear at specific event tree nodes: CM2NURCN, CM2SURCL, CIB/SGHL, CSAX&ADF, CM2AB/RCT, SFWA&PRTA, CN2S11RCS. Based on the notation, it would be expected that the "&" implies an AND operation between the two top events, yet it appears that sometimes an OR operation is employed (e.g., for SFWA&PRTA). Please provide the logic used to treat each of these top event pairs.
 
===Response===
To simplify event tree pictures, occasionally multiple systems are combined under a single event tree node. In such cases, either:
* a new symbol is assigned and is defined for the combined systems, or
* a special notation is used on the event tree branches to show explicitly the combined systems and the Boolean logic (AND, OR) used to combine these systems.
If two systems (ASY and BSY) are combined under the same event tree node, then their combination is written either as ASY/BSY or as ASY&BSY.
ASY/BSY means ASY or BSY must fail for the node to fail.
ASY&BSY means ASY and BSY must fail for the node to fail.
These are illustrated in Figure 720.316-1.
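As an added example (not part of the Westinghouse response), the following Python evaluates the ASY/BSY (OR) and ASY&BSY (AND) node notation described above: it derives the minimal cut sets of a combined node, tests whether the node fails for a given set of failed systems, and computes the node failure probability from constructed, independent basic-event probabilities. It also handles nested gates, which goes beyond the two-system case in the text; the probabilities and the nested gate are assumptions, not values from the AP600 PRA.

```python
from itertools import product
from math import prod

# A node is a basic event (str) or a gate: ("AND" | "OR", [child nodes]).
# Added example, not Westinghouse code; the two-system notation follows RAI 720.316.

def parse_node(label):
    """Parse an event tree node label into a gate.
    'ASY/BSY' -> OR (either system failing fails the node);
    'ASY&BSY' -> AND (both systems must fail)."""
    if "&" in label:
        return ("AND", label.split("&"))
    if "/" in label:
        return ("OR", label.split("/"))
    return label  # a single system top

def minimize(cut_sets):
    """Drop non-minimal cut sets (any set that strictly contains another)."""
    uniq = set(cut_sets)
    keep = [s for s in uniq if not any(o < s for o in uniq)]
    return sorted(keep, key=lambda s: (len(s), sorted(s)))

def minimal_cut_sets(node):
    """OR collects the children's cut sets; AND forms the union of one
    cut set taken from each child (cross product), then minimizes."""
    if isinstance(node, str):
        return [frozenset([node])]
    kind, children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if kind == "OR":
        combined = [s for sets in child_sets for s in sets]
    else:
        combined = [frozenset().union(*combo) for combo in product(*child_sets)]
    return minimize(combined)

def node_fails(node, failed):
    """The node fails when at least one minimal cut set is entirely failed."""
    return any(cs <= failed for cs in minimal_cut_sets(node))

def failure_probability(node, probs):
    """Exact node failure probability for independent basic events that
    each appear only once in the tree (true for the two-system labels)."""
    if isinstance(node, str):
        return probs[node]
    kind, children = node
    p = [failure_probability(c, probs) for c in children]
    return prod(p) if kind == "AND" else 1 - prod(1 - x for x in p)

def rare_event_bound(node, probs):
    """Rare-event approximation: sum of cut set probabilities. It is an
    upper bound and, for OR nodes, over-counts the joint failure."""
    return sum(prod(probs[e] for e in cs) for cs in minimal_cut_sets(node))

if __name__ == "__main__":
    # Constructed probabilities; they are not values from the AP600 PRA.
    probs = {"SFWA": 0.1, "PRTA": 0.1, "CIB": 0.1, "SGHL": 0.1}
    for label in ("SFWA&PRTA", "CIB/SGHL"):
        node = parse_node(label)
        print(label, [sorted(cs) for cs in minimal_cut_sets(node)],
              failure_probability(node, probs), rare_event_bound(node, probs))
```

With equal constructed probabilities of 0.1, the AND node fails with probability 0.01 while the OR node fails with probability 0.19, which is why reading SFWA&PRTA as an OR would inflate that node's contribution to the cut sets.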
720.316-1
 
Figure 720.316-1: Illustration of A/B and A&B Notation (event tree sketches comparing a single combined node, NODE 1 and NODE 2, with separate nodes, NODE 1, NODE A and NODE B; SUCCESS and FAILURE branches are shown for the ASY/BSY and ASY&BSY cases)
720.316-2
 
Re: PRA modeling question from NRC letter dated January 22, 1996
Question 720.317 (#3048)
Operator actions LPM-MAN03 and LPM-MAN04 are each shown in Chapters 26 and 28 with probabilities of 8.3E-2. However, LPM-MAN03 is shown with a probability of 2.2E-3 in Chapters 30 and 33 (Table 33-6, page 33-45), and LPM-MAN04 is shown with a probability of 6.5E-3 in Chapters 30 and 33 (Table 33-6, page 33-43). Are some of these values incorrect or are all of them used (under different conditions)? If the latter interpretation is correct, please provide the rules used to specify when each value should be used.
 
===Response===
The different values for LPM-MAN03 and LPM-MAN04 were not correct. In revision 7 of the PRA, these two operator actions have been removed. Also, see the discussion in the response to open items for DSER 19.1.3.1-17, Attachment I to RAI 720.291 response.
720.317-1
 
Re: PRA modeling question from NRC letter dated January 22, 1996
Question 720.318 (#3049)
The fault tree of Figure Il-51 (22AP fault tree with "P" indicating loss of offsite power) includes subtree IC22AB ("B" indicates station blackout). According to the apparent AP600 PRA naming convention, one would expect that subtree IC22AP should be used. Note that the cut sets for IC22AP are very different than those for IC22AB and this can affect a large number of systems/top events. Which subtree should be used? Please explain.
===Response===
Subtree IC22AP should be used in this situation. This error was corrected and is reflected in revision 7.
720.318-1
 
Re: PRA modeling question from NRC letter dated January 22, 1996
Question 720.320 (#3051)
Events TRANS--AA, TRANS--BB, TRANS--CC and TRANS--DD are found in Westinghouse files ADU.WLK, 43AL.WLK, 43ML.WLK, 44AL.WLK and 44ML.WLK. However, the staff was unable to find these events in the WCAP-13275 fault trees. What are these events? Are they basic events or do they involve logic (i.e., are they fault trees)? If they involve logic, please provide the logic and show how they are used.
 
===Response===
These events are TRANSFER OUT gates. They were references to a TRANSFER IN gate that was deleted. The gates mentioned were left in the tree, but it has no effect on the tree. The transfer out events are not reflected in revision 7 of the PRA.
720.320-1
 
Re: PRA modeling question from NRC letter dated January 22, 1996
Question 720.321 (#3052)
Operator action FWN-MAN03 (probability = 1.03E-3) appears in the Westinghouse SFW-ICIP.WLK file. However, this event is not found in the related WCAP-13275 fault trees (pages 921 and 967). On the other hand, basic event FWN-MAN02 (probability = 1.65E-4) does appear in these fault trees. The cut sets for SFW-ICIP generated from the WCAP-13275 fault trees (using IRRAS) match the associated cut sets in the Westinghouse SFW-ICIP.WLK file, except that the SFW-ICIP.WLK results show FWN-MAN03 in place of FWN-MAN02. Based on the descriptions of the events, FWN-MAN03 appears to be more appropriate, since it is relevant to loss of power scenarios (FWN-MAN02 is relevant to loss of feedwater scenarios). Is this correct? Please explain.
 
===Response===
The correct operator action should have been FWN-MAN03, not FWN-MAN02. This error was corrected in the PRA and does not appear in revision 7.
720.321-1}}
